Friday, September 21, 2007

firewall-wizards Digest, Vol 17, Issue 18

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Pix rulebase/policy analysis (Brian Loe)
2. Re: Pix rulebase/policy analysis (Michael Cox)
3. Re: Pix rulebase/policy analysis (Richard Golodner)
4. DH key exchange: conspiracy theory (Kowsik)
5. Re: VPN suggestions wanted (AMuse The Sane)


----------------------------------------------------------------------

Message: 1
Date: Thu, 20 Sep 2007 16:16:07 -0500
From: "Brian Loe" <knobdy@gmail.com>
Subject: Re: [fw-wiz] Pix rulebase/policy analysis
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<3c4611bc0709201416s108cd86eo5775356042c977e6@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On 9/19/07, jacob c <jctx09@yahoo.com> wrote:

> 3) What is the method to see what rules are being hit the most so I can
> rearrange the rules in the most logical, efficient order?

This is the only one I can answer, and I'm interested in the answers you get.

en> sh <access-list>

This will print the access list with a hit count at the end of each rule.
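
Those hit counts can be turned into a quick rulebase audit. The following is an added example, not code from the post: a small Python script run over constructed PIX/ASA-style `show access-list` output (the line format is approximated, with or without the `line N` marker newer code prints) that ranks each ACL's entries by hit count, lists zero-hit entries, and flags rule text repeated within one ACL, which is what a shadowed duplicate looks like.

```python
import re
from collections import defaultdict

# Constructed sample of "show access-list" output (not taken from the post).
# Line 4 duplicates line 1 and is shadowed by it, so it never accumulates hits.
SAMPLE = """\
access-list outside_in line 1 extended permit tcp any host 192.0.2.10 eq www (hitcnt=48213) 0x1a2b3c4d
access-list outside_in line 2 extended permit tcp any host 192.0.2.10 eq https (hitcnt=90117) 0x2b3c4d5e
access-list outside_in line 3 extended permit tcp host 198.51.100.7 host 192.0.2.20 eq ssh (hitcnt=0) 0x3c4d5e6f
access-list outside_in line 4 extended permit tcp any host 192.0.2.10 eq www (hitcnt=0) 0x4d5e6f70
access-list outside_in line 5 extended deny ip any any log (hitcnt=1532) 0x5e6f7081
access-list dmz_out permit udp host 192.0.2.30 any eq domain (hitcnt=7711)
"""

# "line N" is optional so that older (6.x-style) output without it still parses.
LINE_RE = re.compile(
    r"^access-list (?P<acl>\S+) (?:line (?P<line>\d+) )?(?P<rule>.*?) \(hitcnt=(?P<hits>\d+)\)"
)


def parse_access_list(text):
    """Return one dict per ACE: acl, line, rule, hits. Lines without hitcnt are skipped."""
    rules = []
    for idx, raw in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        line = int(m["line"]) if m["line"] else idx  # fall back to position in output
        rules.append({"acl": m["acl"], "line": line,
                      "rule": m["rule"], "hits": int(m["hits"])})
    return rules


def rules_by_hits(rules, acl):
    """Entries of one ACL, busiest first; ties keep their original order."""
    return sorted((r for r in rules if r["acl"] == acl), key=lambda r: -r["hits"])


def unused_rules(rules):
    """Entries that have never matched: candidates for review before the rewrite."""
    return [r for r in rules if r["hits"] == 0]


def duplicate_rules(rules):
    """Identical rule text within the same ACL, keyed by (acl, rule) -> line numbers."""
    seen = defaultdict(list)
    for r in rules:
        seen[(r["acl"], r["rule"])].append(r["line"])
    return {k: v for k, v in seen.items() if len(v) > 1}
```

Feed it the saved output of `show access-list` rather than the running config, since only the former carries the counters.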


------------------------------

Message: 2
Date: Thu, 20 Sep 2007 13:47:16 -0500
From: Michael Cox <michael@wanderingbark.net>
Subject: Re: [fw-wiz] Pix rulebase/policy analysis
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <200709201347.17701.michael@wanderingbark.net>
Content-Type: text/plain; charset="iso-8859-1"

I'll try to help on a couple. Comments below.

Regards,
Michael

On Wednesday 19 September 2007 09:11, jacob c wrote:
> I'm a newbie to the PIX line but these questions would apply to other
> firewalls as well. I have some questions that I hope you guys can
> assist me with.
>
> Two Questions:
> 1) What is the best/easiest way to document a current policy?
> Spreadsheet?? I would like to know what ports (services) are open and
> to where? Also duplicates, etc.? Would it be best just to put it in a
> spreadsheet? Is there a tool for this?
> 2) Once an audit/analysis has been made, what is a good way to make
> the new changes, if there are many? Would it best just to download
> the config and modify it offline?
> 3) What is the method to see what rules are being hit the most so I
> can rearrange the rules in the most logical, efficient order?

What code are you running? Beginning with 7.0, iirc, access lists are
always compiled. This means that they aren't searched sequentially but
in more of a tree structure. Beginning with 6.2, this was an option
that could be turned on. So, depending on your code, rule order in your
config may or may not be an issue at all in terms of efficiency on the
box.

> 4) Is there standard Analysis checklist to go by when reviewing a
> PIX firewall policy?

One place to start if you haven't seen it already is the Center for
Internet Security. They have benchmarks for the entire config, not just
the policy. Any given policy, of course, may vary widely from the next
based on organizational needs, so it's hard to come up with a standard
checklist that's detailed in terms of the policy.

http://www.cisecurity.org/bench_cisco.html

> Any help is highly appreciated.
> Thank you,


------------------------------

Message: 3
Date: Thu, 20 Sep 2007 13:03:30 -0400
From: "Richard Golodner" <rgolodner@infratection.com>
Subject: Re: [fw-wiz] Pix rulebase/policy analysis
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <002601c7fba8$2b8c21f0$600a0a0a@Antares>
Content-Type: text/plain; charset="us-ascii"

1- A spreadsheet is a good way to keep track of the current rule set
you have applied to the Pix. It must be maintained and kept up to date. For
determining what services are being allowed, or blocked look at the
running-configuration. You could also use NMAP to see what services you are
running. This will show you what the public network sees.

2- It is never a real good idea to jeopardize the current
configuration by making changes in real time. Copy it to a text editor and
make the changes, then apply it to your Pix. MAKE SURE YOU HAVE A BACKUP OF
YOUR CURRENT FUNCTIONING CONFIG!

3- Check your logging application to see what rules are being tested
the most. Also look at your ACLs' hit counts.

4- I am unaware of a standard analysis checklist.

Hope this helps a little, Richard Golodner

_____

From: firewall-wizards-bounces@listserv.cybertrust.com
[mailto:firewall-wizards-bounces@listserv.cybertrust.com] On Behalf Of jacob c
Sent: Wednesday, September 19, 2007 10:12 AM
To: firewall-wizards@listserv.cybertrust.com
Subject: [fw-wiz] Pix rulebase/policy analysis

I'm a newbie to the PIX line but these questions would apply to other
firewalls as well. I have some questions that I hope you guys can assist me
with.

Two Questions:

1) What is the best/easiest way to document a current policy? Spreadsheet??
I would like to know what ports (services) are open and to where? Also
duplicates, etc.? Would it be best just to put it in a spreadsheet? Is there
a tool for this?

2) Once an audit/analysis has been made, what is a good way to make the new
changes, if there are many? Would it best just to download the config and
modify it offline?

3) What is the method to see what rules are being hit the most so I can
rearrange the rules in the most logical, efficient order?

4) Is there standard Analysis checklist to go by when reviewing a PIX
firewall policy?

Any help is highly appreciated.

Thank you,


-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20070920/9d055323/attachment-0001.html


------------------------------

Message: 4
Date: Tue, 18 Sep 2007 22:14:52 -0700
From: Kowsik <kowsik@gmail.com>
Subject: [fw-wiz] DH key exchange: conspiracy theory
To: firewall-wizards@honor.icsalabs.com
Message-ID:
<7db9abd30709182214o48453779s69692af06c79af56@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

http://labs.musecurity.com/2007/09/18/widespread-dh-implementation-weakness/

K.

ps: I work for Mu.


------------------------------

Message: 5
Date: Fri, 21 Sep 2007 15:29:44 -0700
From: AMuse The Sane <amuse@foofus.com>
Subject: Re: [fw-wiz] VPN suggestions wanted
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <46F445D8.8070700@foofus.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed


I've had great luck with OpenVPN and Linux (Debian) on the Soekris
Net4801 series device.

With a VPN accelerator (Warning: Only works well with FreeBSD!) the
throughput was more than acceptable for a T1/ADSL/Cable setup plus LAN
at a cost of about $300 per unit. I even have a DD image online of the
1GB flash card that serves as its primary drive.

There's also a "in the box" project called m0n0wall based on FreeBSD
that targets this hardware directly:

http://m0n0.ch/wall/

tandernam wrote:
> I'm doing some work with a small company (about a dozen employees)
> that needs to make their remote access more reliable. I'm looking to
> set up a (new) VPN for them (the old one is a hack job). I'm looking
> for suggestions on a solution, something fairly simple to set up that
> I can just plug between their intranet and the interweb. Reliability
> is key. I'm mostly looking for a hardware solutions (just because I
> think it would be easier to set up and more reliable), but I'd be very
> interested to hear from anyone who is running a good small-scale
> (please don't start talking about radius servers...) software gateway.
> They're currently running NAT off their soho modem/router on a DSL.
> Suggestions and recommendations would be most appreciated.
>
> Cheers,
>
> -tander


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 17, Issue 18
************************************************
