firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: Do you permit X11 via proxy firewall? (Skough Axel U/IT-S)
2. Re: Do you permit X11 via proxy firewall? (Behm, Jeffrey L.)
3. Re: Do you permit X11 via proxy firewall? (K K)
4. Re: Do you permit X11 via proxy firewall? (Paul Melson)
5. Re: Managing multiple Cisco Pix's (Paul Melson)
6. Re: Do you permit X11 via proxy firewall? (ArkanoiD)
7. Re: Managing multiple Cisco Pix's (dlang@diginsite.com)
----------------------------------------------------------------------
Message: 1
Date: Wed, 5 Sep 2007 18:51:42 +0200
From: "Skough Axel U/IT-S" <axel.skough@scb.se>
Subject: Re: [fw-wiz] Do you permit X11 via proxy firewall?
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>,
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <7D5607434F895540B2A717820399633D3FDD92@exs13.scb.intra>
Content-Type: text/plain; charset="iso-8859-1"
Why should one desire to allow a computer from an insecure network to control the keyboard and screen of a computer on the inside? Possibly for remote service purposes, but such traffic should regularly be protected in a far better manner, for example using encrypted tunneling techniques and/or some type of purely private network, not controlled by the firewall but rather working as an extension of the local secured network!
I would strongly recommend total blocking of the X11 ports through a firewall regardless of the vendor!
Regards / Axel
-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com]On Behalf Of
ArkanoiD
Sent: den 5 september 2007 17:38
To: firewall-wizards@listserv.cybertrust.com
Subject: [fw-wiz] Do you permit X11 via proxy firewall?
And, if yes, how do you implement it?
Using legacy X11 proxies that perform uninspected (though authorized)
circuit relays, similar to TIS/NAI x-gw? Using something similar to
xorg's xfwp (which does not seem to be compatible with older X servers)?
Or is x11 firewall support just a useless tradition?
------------------------------
Message: 2
Date: Wed, 5 Sep 2007 10:50:09 -0500
From: "Behm, Jeffrey L." <BehmJL@bv.com>
Subject: Re: [fw-wiz] Do you permit X11 via proxy firewall?
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<0C3670BC9169B244AA6E7B2E436180D19637A3@TSMC-MAIL-04.na.bvcorp.net>
Content-Type: text/plain; charset="us-ascii"
We *used* to allow X11 via Gauntlet's x-gw, when I was handed the
firewall as part of my new security position...
Then when Gauntlet started getting passed around from vendor to vendor,
and was ultimately replaced, we decided that X11 wasn't the best thing
to be allowing through. Oh, and the new firewall didn't use proxying, so
it was an easy "choice." We weren't about to open up a packet filter to
handle that beast.
Jeff
On Wednesday, September 05, 2007 10:38 AM, ArkanoiD said:
> And, if yes, how do you implement it?
> Using legacy X11 proxies that perform uninspected (though authorized)
> circuit relays, similar to TIS/NAI x-gw? Using something similar to
> xorg's xfwp (which does not seem to be compatible with older X servers)?
>
> Or is x11 firewall support just a useless tradition?
------------------------------
Message: 3
Date: Wed, 5 Sep 2007 13:40:02 -0500
From: "K K" <kkadow@gmail.com>
Subject: Re: [fw-wiz] Do you permit X11 via proxy firewall?
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Cc: firewall-wizards@listserv.cybertrust.com
Message-ID:
<dc718edc0709051140j7a778851xd0fda4020f65fd5b@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
On 9/5/07, ArkanoiD <ark@eltex.net> wrote:
> And, if yes, how do you implement it?
. . .
> Or is x11 firewall support just a useless tradition?
If you already permit SSH, then X11 can trivially be tunneled in SSH.
Well, technically, any protocol can run inside SSH (if you have the
latest OpenSSH), but X is particularly well-supported.
On 9/5/07, Skough Axel U/IT-S <axel.skough@scb.se> wrote:
> Why should one desire the allowance of a computer from unsecure network to control the keyboard and screen on a computer on inside?
> I would strongly recommend total blocking of the X11 ports through a firewall regardless of the vendor!
What about the issue of permitting *outbound* connections from
internal hosts to access X11 on the "outside" of the firewall,
including on your DMZ? Perhaps X has been superseded by VNC, RDP, and
Citrix, and is no longer a consideration for firewall policies?
Kevin
------------------------------
Message: 4
Date: Wed, 5 Sep 2007 17:02:50 -0400
From: "Paul Melson" <pmelson@gmail.com>
Subject: Re: [fw-wiz] Do you permit X11 via proxy firewall?
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>,
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <003101c7f000$1f6f69d0$4d00300a@ad.priorityhealth.com>
Content-Type: text/plain; charset="us-ascii"
> And, if yes, how do you implement it?
No, that's what 'ssh -X' is for.
PaulM
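Kevin's and Paul's point (X11 rides inside SSH, so the firewall only needs to pass SSH and can drop the raw X11 ports) in runnable form. This is an added example, not code from the thread or from OpenSSH: the sshd_config fragment is constructed, and iptables as the packet filter and `eth0` as the outside interface are assumptions. It maps a DISPLAY string to the TCP port X would listen on, reports the effective X11 settings of an sshd_config using OpenSSH's documented defaults (X11Forwarding no, X11UseLocalhost yes, X11DisplayOffset 10), and emits the perimeter rules that block displays :0 through :63 (TCP 6000-6063).

```shell
#!/bin/sh
# Added example: the firewall side of "X11 rides inside SSH".
# Not code from the thread or from OpenSSH. Assumptions: iptables as the
# packet filter, eth0 as the outside interface, a constructed sshd_config.

# X11 over TCP listens on 6000 + display number. DISPLAY looks like
# [host]:display[.screen]; "localhost:10.0", which sshd hands a forwarded
# session with the default X11DisplayOffset 10, maps to TCP 6010.
x11_display_port() {
    disp=${1#*:}          # drop "host:" (shortest prefix through the first ':')
    disp=${disp%%.*}      # drop ".screen"
    case $disp in
        ''|*[!0-9]*) echo "bad DISPLAY: $1" >&2; return 1 ;;
    esac
    echo $((6000 + disp))
}

# Effective X11 settings of an sshd_config read on stdin, with OpenSSH's
# documented defaults for anything absent. Keywords are case-insensitive
# and the first occurrence wins, as in sshd; parsing stops at the first
# Match block because everything after it is conditional.
sshd_x11_policy() {
    awk '
        BEGIN { fwd = "no"; lh = "yes"; off = 10 }
        /^[ \t]*#/ || NF < 2   { next }
        tolower($1) == "match" { exit }
        {
            k = tolower($1)
            if (k == "x11forwarding"    && !sf) { fwd = tolower($2); sf = 1 }
            if (k == "x11uselocalhost"  && !sl) { lh  = tolower($2); sl = 1 }
            if (k == "x11displayoffset" && !so) { off = $2 + 0;      so = 1 }
        }
        END { printf "X11Forwarding=%s X11UseLocalhost=%s X11DisplayOffset=%d\n", fwd, lh, off }
    '
}

# The rules Axel's advice amounts to: drop the X11 range (TCP 6000-6063,
# displays :0 through :63) at the perimeter, inbound and outbound, so the
# only X11 crossing the firewall is inside an SSH session. Printed, not
# applied, so the script is safe to run anywhere.
x11_block_rules() {
    ext_if=$1
    printf 'iptables -A INPUT   -i %s -p tcp --dport 6000:6063 -j DROP\n' "$ext_if"
    printf 'iptables -A FORWARD -i %s -p tcp --dport 6000:6063 -j DROP\n' "$ext_if"
    printf 'iptables -A FORWARD -o %s -p tcp --dport 6000:6063 -j DROP\n' "$ext_if"
}

# Constructed sshd_config fragment (not from any real host).
sample_sshd_config='
Port 22
X11Forwarding yes
x11uselocalhost yes
Match User svc
    X11Forwarding no
'

printf '%s\n' "$sample_sshd_config" | sshd_x11_policy
x11_display_port localhost:10.0
x11_block_rules eth0
```

With `X11Forwarding yes` on the server, `ssh -X host` makes sshd set DISPLAY to localhost:10.0 (X11DisplayOffset 10, first free display) and, with X11UseLocalhost yes, listen on the loopback only, so no X11 appears on the wire outside the SSH channel. `-X` is governed by the client's ForwardX11Trusted setting (untrusted forwarding confines the remote clients through the X SECURITY extension); `-Y` is always trusted and lets a remote program read other clients' windows and keystrokes on your display, so prefer `-X` with ForwardX11Trusted no unless the application genuinely needs trusted access.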
------------------------------
Message: 5
Date: Wed, 5 Sep 2007 17:12:34 -0400
From: "Paul Melson" <pmelson@gmail.com>
Subject: Re: [fw-wiz] Managing multiple Cisco Pix's
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <003201c7f001$7b87cf40$4d00300a@ad.priorityhealth.com>
Content-Type: text/plain; charset="us-ascii"
> In effect we are going to end up with two separate devices, but that we
> will want to have matching rulesets on. My question, therefore, is - what
> software is available for managing multiple Pix units, and (if you've any
> experience of it) is it any good?
Just to be clear, you are going to have 2 firewalls. One through which all
traffic will pass, and another through which no traffic will pass. Until
the former breaks, in which case all traffic will manually be switched over
to the latter. Correct so far?
If you're comfortable with the command interface and manually editing
configs (as opposed to using PDM from a web browser), then I would recommend
Kiwi CatTools* for managing configurations.
PaulM
* http://www.kiwisyslog.com/kiwi-cattools-overview/
------------------------------
Message: 6
Date: Thu, 6 Sep 2007 03:27:48 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] Do you permit X11 via proxy firewall?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20070905232747.GA27422@eltex.net>
Content-Type: text/plain; charset=us-ascii
That's most practical; almost everyone is doing that.
So we can declare X11 gateways officially dead, I guess.
On Wed, Sep 05, 2007 at 05:02:50PM -0400, Paul Melson wrote:
> > And, if yes, how do you implement it?
>
> No, that's what 'ssh -X' is for.
------------------------------
Message: 7
Date: Wed, 5 Sep 2007 16:09:15 -0700 (PDT)
From: dlang@diginsite.com
Subject: Re: [fw-wiz] Managing multiple Cisco Pix's
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.63.0709051608450.2908@qynat.qvtvafvgr.pbz>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
On Wed, 5 Sep 2007, Paul Melson wrote:
>> In effect we are going to end up with two separate devices, but that we
>> will want to have matching rulesets on. My question, therefore, is - what
>> software is available for managing multiple Pix units, and (if you've any
>> experience of it) is it any good?
>
> Just to be clear, you are going to have 2 firewalls. One through which all
> traffic will pass, and another through which no traffic will pass. Until
> the former breaks, in which case all traffic will manually be switched over
> to the latter. Correct so far?
>
> If you're comfortable with the command interface and manually editing
> configs (as opposed to using PDM from a web browser), then I would recommend
> Kiwi CatTools* for managing configurations.
>
> PaulM
>
> * http://www.kiwisyslog.com/kiwi-cattools-overview/
this looks interesting, is there something similar that doesn't require a
windows PC?
David Lang
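Paul's reading of the setup (two PIX units, one carrying all traffic, the other a manual standby that must carry the same ruleset) makes "do the two still agree?" the recurring question, whatever tool pushes the configs. This is an added example, not code from the thread or from Kiwi CatTools: it strips a PIX 6.x `show running-config` down to its policy lines and diffs two boxes. The three configs are constructed, with invented hostnames, addresses and checksums, and the script needs only POSIX sh, awk and diff, so it does not need a Windows PC.

```shell
#!/bin/sh
# Added example: drift check for two PIX units meant to share one ruleset.
# Not from the thread or from Kiwi CatTools; the configs below are
# constructed (invented hostnames, addresses, checksums). Needs sh, awk, diff.

# Reduce a PIX 6.x "show running-config" to the lines that are policy:
# access-lists (order kept, because order is policy), access-group
# bindings, statics, nat/global, names and object-groups. Everything that
# legitimately differs between the two boxes (hostname, interface
# addresses, ": Written by" header, Cryptochecksum) falls away.
pix_policy() {
    awk '
        /^access-list [^ ]+ remark /                                       { next }
        /^(access-list|access-group|static|global|nat|name|object-group) / { print; next }
        /^  (network-object|port-object|service-object|group-object) /     { print }
    '
}

# Compare the policy of two configs passed as strings: exit status 0 if
# they match, 1 if they differ (the unified diff is printed in that case).
pix_ruleset_drift() {
    a=$(mktemp) || return 2
    b=$(mktemp) || { rm -f "$a"; return 2; }
    printf '%s\n' "$1" | pix_policy > "$a"
    printf '%s\n' "$2" | pix_policy > "$b"
    if diff -u "$a" "$b"; then rc=0; else rc=1; fi
    rm -f "$a" "$b"
    return $rc
}

# Constructed primary config (PIX 6.3 layout, not from any real device).
sample_pix_primary=': Saved
: Written by enable_15 at 12:00:00.000 UTC Wed Sep 5 2007
PIX Version 6.3(5)
hostname pix-a
nameif ethernet0 outside security0
ip address outside 192.0.2.2 255.255.255.0
access-list outside_in remark web front end
access-list outside_in permit tcp any host 192.0.2.10 eq www
access-list outside_in permit tcp any host 192.0.2.10 eq https
access-list outside_in deny ip any any
access-group outside_in in interface outside
static (inside,outside) 192.0.2.10 10.0.0.10 netmask 255.255.255.255 0 0
Cryptochecksum:0123456789abcdef0123456789abcdef
: end'

# Same policy, different box identity: this is what "matching rulesets" means.
sample_pix_secondary=$(printf '%s\n' "$sample_pix_primary" \
    | sed -e 's/^hostname pix-a$/hostname pix-b/' \
          -e 's/^ip address outside 192.0.2.2 /ip address outside 192.0.2.3 /' \
          -e 's/^Cryptochecksum:.*/Cryptochecksum:fedcba9876543210fedcba9876543210/')

# The failure case: someone opened ssh on the standby only, ahead of the deny.
sample_pix_secondary_drift=$(printf '%s\n' "$sample_pix_secondary" \
    | awk '/^access-list outside_in deny ip any any$/ {
               print "access-list outside_in permit tcp any host 192.0.2.10 eq ssh"
           } { print }')

if pix_ruleset_drift "$sample_pix_primary" "$sample_pix_secondary"; then
    echo "pix-a vs pix-b: rulesets match"
fi
pix_ruleset_drift "$sample_pix_primary" "$sample_pix_secondary_drift" \
    || echo "pix-a vs pix-b (after change): RULESET DRIFT, see diff above"
```

Run it from cron against configs pulled over SSH from both units and the standby can no longer quietly diverge from the box that is actually passing traffic; the diff output names the exact access-list line that differs, which is what you want to see before a failover, not after.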
------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest, Vol 17, Issue 3
***********************************************