firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: Pix rulebase/policy analysis (James)
2. Re: VPN suggestions wanted (tandernam)
3. Re: Pix rulebase/policy analysis (Richard Golodner)
----------------------------------------------------------------------
Message: 1
Date: Sat, 22 Sep 2007 12:56:22 +1000
From: James <jimbob.coffey@gmail.com>
Subject: Re: [fw-wiz] Pix rulebase/policy analysis
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<343aa4f80709211956s5ee8b2e9k36775b0328649fa1@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
On 9/21/07, Richard Golodner <rgolodner@infratection.com> wrote:
> 1- A spreadsheet is a good way to keep track of the current rule set
> you have applied to the Pix. It must be maintained and kept up to date. For
Personally I would rather the config be self documenting. Add remarks to the access-list entries if that is important to you, but I don't see how a spreadsheet adds any value over and above the live rulebase, and you always have the problem of version drift with 2 "sources of truth". Your source of truth is the live config.
>
> 2- It is never a real good idea to jeopardize the current
> configuration by making changes in real time. Copy it to a text editor and
> make the changes, then apply it to your Pix.
I prefer the syntax validation of configuring at the command line rather than writing lines of text in an editor that get blasted in with syntax errors, so you have to go and fix the whole thing, and in some cases it can be confusing which commands were applied and which weren't. Also, with compiled ACLs these days, set your mode to manual commit and you can rejig the rulebase as much as you like (with syntax verification) and when you are happy with the ruleset order then commit the changes.
> MAKE SURE YOU HAVE A BACKUP OF YOUR CURRENT FUNCTIONING CONFIG!
Yep. RANCID is the ticket, forget tftp backups. Why vendors allow a firewall config to be transferred in plain text is beyond me.
just my 2c
--
jac
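The "two sources of truth" problem James describes is easiest to see by diffing two saved snapshots of the live config, which is what a RANCID-style backup gives you for free. The script below is an added example, not code from the thread or from RANCID: it parses the `access-list` lines out of two constructed PIX config snapshots, attaches each `remark` line to the entry that follows it, reports which entries were added or removed between the snapshots, and lists entries that carry no remark (the candidates for making the config self-documenting). The hostnames, addresses and ticket reference in the sample configs are made up.

```python
"""Drift and documentation check between two PIX config snapshots.

Added example (not from the mailing-list thread). Assumes the snapshots
are plain `show running-config` text, e.g. two revisions kept by RANCID.
Both PIX 6.x (`access-list NAME permit ...`) and 7.x (`access-list NAME
extended permit ...`) styles are handled, since only the text after the
ACL name is compared.
"""
import re
from dataclasses import dataclass

# Matches an access-list line and splits off the ACL name from the rest.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(.*)$")


@dataclass(frozen=True)
class Ace:
    acl: str
    rule: str              # text after the ACL name, whitespace-normalised
    remarks: tuple = ()    # remark lines that immediately preceded this entry


def parse_access_lists(config_text):
    """Return {acl_name: [Ace, ...]} in config order.

    A `remark` line is not an entry itself; it is held until the next
    non-remark entry of the same ACL and attached to it as documentation.
    """
    acls = {}
    pending = {}  # acl name -> remarks not yet attached to an entry
    for raw in config_text.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m:
            continue
        name, rest = m.group(1), " ".join(m.group(2).split())
        if rest.startswith("remark "):
            pending.setdefault(name, []).append(rest[len("remark "):])
            continue
        acls.setdefault(name, []).append(Ace(name, rest, tuple(pending.pop(name, []))))
    return acls


def _entries(config_text):
    return {(name, ace.rule)
            for name, aces in parse_access_lists(config_text).items()
            for ace in aces}


def drift(old_text, new_text):
    """Return (added, removed): sorted lists of (acl, rule) tuples."""
    old, new = _entries(old_text), _entries(new_text)
    return sorted(new - old), sorted(old - new)


def undocumented(config_text):
    """Entries with no remark attached, in config order."""
    return [(name, ace.rule)
            for name, aces in parse_access_lists(config_text).items()
            for ace in aces if not ace.remarks]


# Constructed sample snapshots (addresses from documentation ranges).
OLD_CONFIG = """\
hostname pix-example
access-list outside_in remark Public web server in the DMZ
access-list outside_in extended permit tcp any host 192.0.2.10 eq www
access-list outside_in extended permit tcp any host 192.0.2.10 eq https
access-list outside_in extended deny ip any any
access-group outside_in in interface outside
"""

NEW_CONFIG = """\
hostname pix-example
access-list outside_in remark Public web server in the DMZ
access-list outside_in extended permit tcp any host 192.0.2.10 eq www
access-list outside_in remark Temporary vendor access, ticket TICKET-PLACEHOLDER
access-list outside_in extended permit tcp host 198.51.100.7 host 192.0.2.20 eq ssh
access-list outside_in extended deny ip any any
access-group outside_in in interface outside
"""

if __name__ == "__main__":
    added, removed = drift(OLD_CONFIG, NEW_CONFIG)
    for acl, rule in added:
        print(f"+ {acl}: {rule}")
    for acl, rule in removed:
        print(f"- {acl}: {rule}")
    for acl, rule in undocumented(NEW_CONFIG):
        print(f"? no remark: {acl}: {rule}")
```

Run against successive RANCID revisions, the added/removed lists are the change record a spreadsheet was meant to provide, taken straight from the only source that actually enforces traffic; the "no remark" list is the backlog for adding the remarks James suggests.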
------------------------------
Message: 2
Date: Sat, 22 Sep 2007 13:58:02 -0400
From: tandernam <tandernam@gmail.com>
Subject: Re: [fw-wiz] VPN suggestions wanted
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<fffafbbb0709221058n4ed3ef23wf5311e939d5757d1@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Thanks for all the responses. Hamachi is interesting because it looks
like it uses a mediation server to punch through any firewalling/NAT
going on. For the rest of you running software VPN, what is your
networking setup like? Do you just have the box sitting behind the
modem/router in the DMZ?
On 9/19/07, Michael T. Babcock <mike@triplepc.com> wrote:
> On 9/15/07, *tandernam* < tandernam@gmail.com
> <mailto:tandernam@gmail.com>> wrote:
> >
> > interested to hear from anyone who is running a good small-scale
> > (please don't start talking about radius servers...) software gateway.
> > They're currently running NAT off their soho modem/router on a DSL.
> >
>
> We run many small VPN servers on Linux + OpenSWAN. OpenSWAN does the
> job well, it's an IPSec implementation with good stability in the field.
> We configure our tunnels manually but there are several bootable CD type
> distributions that offer a firewall + IPSec tunneling solution for
> running off PC-type hardware with a web interface.
>
> I can't recommend any personally, I don't use them.
>
> Our sites are mostly DSL and/or cable modem and/or wireless and/or
> optical connections to the Internet with small (under 50 user) LANs,
> usually with a primary site with a fixed IP address and road-warrior
> style dynamic IP remote sites connecting in a star topology.
> (Personally, I'd love every site to have a fixed IP address for
> simplicity but it's not always available or cost efficient).
>
> --
> Michael T. Babcock
>
>
------------------------------
Message: 3
Date: Sat, 22 Sep 2007 16:55:49 -0400
From: "Richard Golodner" <rgolodner@infratection.com>
Subject: Re: [fw-wiz] Pix rulebase/policy analysis
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <003201c7fd5a$f4badf40$600a0a0a@Antares>
Content-Type: text/plain; charset="US-ASCII"
My suggestions were based on the fact that he describes himself as
new to the Pix. You make very good points regarding the text editor, but I
have never had a problem using one.
Version drift is also a concern, but hopefully there is only one
person actually making the changes to the device and maintaining the
documentation. Even at some of the larger SPs I have worked at there was one
person devoted to this task.
Obviously you are a much younger person than me as you demonstrate
insight into current technologies that an old man like me is just too lazy
to incorporate. LOL!
Be cool, Richard
------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest, Vol 17, Issue 19
************************************************