firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. NuFW and multiuser hosts (ArkanoiD)
2. Re: Do you permit X11 via proxy firewall? (dlang@diginsite.com)
3. Re: Managing multiple Cisco Pix's (James)
4. Re: Do you permit X11 via proxy firewall? (Jim Seymour)
5. Re: Managing multiple Cisco Pix's (Aaron Smith)
6. Managing multiple Cisco PIX's (Stefan avgoustakis)
7. Re: Managing multiple Cisco Pix's (Timothy Shea)
----------------------------------------------------------------------
Message: 1
Date: Thu, 6 Sep 2007 09:16:46 +0400
From: ArkanoiD <ark@eltex.net>
Subject: [fw-wiz] NuFW and multiuser hosts
To: firewall-wizards@listserv.cybertrust.com
Message-ID: <20070906051646.GA14587@eltex.net>
Content-Type: text/plain; charset=us-ascii
There is a firewall, NuFW, whose primary feature is to differentiate
users in a multiuser-host networking environment.
Do you find it useful? Actually use it? Or ever seen someone who does?
------------------------------
Message: 2
Date: Wed, 5 Sep 2007 16:48:46 -0700 (PDT)
From: dlang@diginsite.com
Subject: Re: [fw-wiz] Do you permit X11 via proxy firewall?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <Pine.LNX.4.63.0709051643090.2908@qynat.qvtvafvgr.pbz>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
On Thu, 6 Sep 2007, ArkanoiD wrote:
> That's most practical, almost everyone is doing that.
> So we can declare x11 gateways officially dead, i guess.
>
> On Wed, Sep 05, 2007 at 05:02:50PM -0400, Paul Melson wrote:
>>> And, if yes, how do you implement it?
>>
>> No, that's what 'ssh -X' is for.
why is tunneling X through firewalls noticeably safer than just doing packet
filtering to allow it through?
if the only answer is because it prevents someone from intercepting and
tinkering with the TCP datastream then it's only relevant in some situations and
you are saying that in others it's perfectly safe to just do packet filtering.
remember, just because everyone is doing it, it may not be safe.
remember almost everyone thinks that firewalls are just packet filters and have
no business actually looking at the packets that they let through.
David Lang
------------------------------
Message: 3
Date: Thu, 6 Sep 2007 14:35:42 +1000
From: James <jimbob.coffey@gmail.com>
Subject: Re: [fw-wiz] Managing multiple Cisco Pix's
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<343aa4f80709052135o3755cbbfvfd3492f2d9ea8f3a@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
> >
> > If you're comfortable with the command interface and manually editing
> > configs (as opposed to using PDM from a web browser), then I would recommend
> > Kiwi CatTools* for managing configurations.
> >
> > PaulM
> >
> > * http://www.kiwisyslog.com/kiwi-cattools-overview/
>
>
> this looks interesting, is there something similar that doesn't require a
> windows PC?
If you are *nix inclined the best console you can use (IMHO) is KDE's Konsole.
It has a tabbed interface, but the kicker is you can open 1 tab to one device,
1 tab to another, and select "send input to all" so anything you type
in 1 tab is also sent in the second.
You can get it working on cygwin if you have to, and the KDE guys were
supposed to be doing a native port to windows but it seems to have stagnated.
--
jac
------------------------------
Message: 4
Date: Thu, 6 Sep 2007 08:23:18 -0400 (EDT)
From: jseymour@linxnet.com (Jim Seymour)
Subject: Re: [fw-wiz] Do you permit X11 via proxy firewall?
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <20070906122318.E9AE5E158@jimsun.linxnet.com>
"Paul Melson" <pmelson@gmail.com> wrote:
>
> > And, if yes, how do you implement it?
>
> No, that's what 'ssh -X' is for.
That's what we do. I cannot imagine, in this day and age, allowing
something like X through/across a border defense, naked.
Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/contact/scform.php>.
------------------------------
Message: 5
Date: Wed, 05 Sep 2007 17:49:21 -0600
From: Aaron Smith <smitha@byui.edu>
Subject: Re: [fw-wiz] Managing multiple Cisco Pix's
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <1189036161.28500.1.camel@natal.byui.edu>
Content-Type: text/plain
On Wed, 2007-09-05 at 16:09 -0700, dlang@diginsite.com wrote:
> this looks interesting, is there something similar that doesn't require a
> windows PC?
http://www.shrubbery.net/rancid/
@@ron
------------------------------
Message: 6
Date: Thu, 6 Sep 2007 20:15:48 +0200
From: "Stefan avgoustakis" <steavg@gmail.com>
Subject: [fw-wiz] Managing multiple Cisco PIX's
To: firewall-wizards@listserv.icsalabs.com
Message-ID:
<b535a69f0709061115x41117d93y579108de57abf3cd@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Hi James,
You can use the Cisco ADSM software (comes free with PIX or ASA) to manage
your PIX. Although only one firewall at the time.
If you want do have a centralized - policy based management solution with
provisioning etc. you should have a look at the Cisco Security Manager.
http://www.cisco.com/en/US/products/ps6121/index.html (ASDM)
http://www.cisco.com/en/US/products/ps6498/index.html (CSM)
Hope this helps,
cheers,
stefan
------------------------------
Message: 7
Date: Wed, 5 Sep 2007 20:11:49 -0500
From: Timothy Shea <tim@tshea.net>
Subject: Re: [fw-wiz] Managing multiple Cisco Pix's
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <FDBC2AF6-87B3-4596-955F-86482E035EC8@tshea.net>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Incorrect.
Pix 7.x and above support "active-active" which allows both firewalls
to handle traffic versus the traditional active-passive in which all
connections are sent through one firewall until something triggers a
failover event. Think of this as Pix's version of load balancing, but
this can also be used in situations where asynchronous routing
conditions exist, in which case the pix would sync its config and
state information over the network. I was looking at this at my last
full time position before I left.
What I don't understand from the original e-mail is why he chose not
to use the multiple context support? This is required for active-active.
Otherwise he would need some other device to handle load
balancing between the two firewalls (CSS or BigIP). So in essence -
he has two different firewall configs to deal with. For only two pix
firewalls I just handle it by command line. For new changes I create
a text file with the change and apply it to both firewalls and the
change is archived.
t.s
On Sep 5, 2007, at 4:12 PM, Paul Melson wrote:
>> In effect we are going to end up with two separate devices, but
>> that we
> will want to have matching rulesets
>> on. My question, therefore, is - what software is available for
>> managing
> multiple Pix units, and (if you've
>> any experience of it) is it any good?
>
> Just to be clear, you are going to have 2 firewalls. One through
> which all
> traffic will pass, and another through which no traffic will pass.
> Until
> the former breaks, in which case all traffic will manually be
> switched over
> to the latter. Correct so far?
>
> If you're comfortable with the command interface and manually editing
> configs (as opposed to using PDM from a web browser), then I would
> recommend
> Kiwi CatTools* for managing configurations.
>
> PaulM
>
> * http://www.kiwisyslog.com/kiwi-cattools-overview/
>
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
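The workflow Tim describes (one change file, applied to both PIX units, then archived) only keeps the pair honest if someone also checks that the two running configs still match afterwards. The script below is an added illustration, not code from the thread or from Cisco: it normalizes two `show running-config` dumps by dropping the lines that legitimately differ between failover members (hostname, failover unit role, checksum and timestamp comments; which lines to ignore is an assumption), reports any order-sensitive drift in the remaining lines, and names an archive copy of a change file by timestamp and content hash. The two PIX configs embedded in it are constructed samples.

```python
"""Config-drift check and change archiving for a pair of Cisco PIX firewalls.

Added example (not from the mailing-list thread). Assumptions: the IGNORE
patterns below cover every line that is expected to differ between two
members of a failover pair; the sample configs are constructed, not real.
"""
import difflib
import hashlib
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional

# Lines expected to differ per box, or that change on every save (assumption).
IGNORE_PREFIXES = (
    "hostname ",
    "failover lan unit ",
    "Cryptochecksum:",
    ": ",           # ": Saved" / ": Written by ..." comment lines
    "!",
)

# Constructed sample: primary unit.
PIX_PRIMARY = """\
: Saved
: Written by enable_15 at 20:11:49.000 CDT Wed Sep 5 2007
PIX Version 7.2(2)
hostname pix-primary
access-list outside_in extended permit tcp any host 192.0.2.10 eq www
access-list outside_in extended permit tcp any host 192.0.2.10 eq https
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
failover lan unit primary
Cryptochecksum:00000000000000000000000000000000
"""

# Constructed sample: secondary unit, where the https rule was never applied.
PIX_SECONDARY = """\
: Saved
: Written by enable_15 at 20:14:02.000 CDT Wed Sep 5 2007
PIX Version 7.2(2)
hostname pix-secondary
access-list outside_in extended permit tcp any host 192.0.2.10 eq www
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
failover lan unit secondary
Cryptochecksum:11111111111111111111111111111111
"""


def normalize(config: str) -> List[str]:
    """Return the config lines that must match across the pair, in order."""
    lines = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith(IGNORE_PREFIXES):
            continue
        lines.append(line)
    return lines


def drift(primary: str, secondary: str) -> List[str]:
    """Order-sensitive diff of the two normalized configs.

    Returns unified-diff change lines ('-' = only on primary, '+' = only on
    secondary). Order matters because access-list entries are evaluated
    top-down, so a rule in the wrong position is a real difference.
    """
    changes = difflib.unified_diff(
        normalize(primary), normalize(secondary),
        fromfile="primary", tofile="secondary", lineterm="",
    )
    return [
        line for line in changes
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
    ]


def archive_name(change_text: str, stamp: Optional[str] = None) -> str:
    """Archive file name: UTC timestamp plus a short content hash.

    The hash lets a reviewer confirm later that the archived file is the
    exact text that was pasted into both firewalls.
    """
    if stamp is None:
        stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    digest = hashlib.sha256(change_text.encode("utf-8")).hexdigest()[:12]
    return f"{stamp}-{digest}.txt"


def archive_change(change_text: str, archive_dir: Path) -> Path:
    """Write the change file into archive_dir and return its path."""
    archive_dir.mkdir(parents=True, exist_ok=True)
    path = archive_dir / archive_name(change_text)
    path.write_text(change_text, encoding="utf-8")
    return path


if __name__ == "__main__":
    for line in drift(PIX_PRIMARY, PIX_SECONDARY):
        print(line)
    change = "access-list outside_in extended permit tcp any host 192.0.2.10 eq https\n"
    print("would archive as:", archive_name(change))
```

Run against the two samples it reports the https rule as present only on the primary; an empty list is the condition to require before declaring the pair in sync. Feeding it real configs means capturing `show running-config` from each unit over the management path you already use (SSH, or a tool such as RANCID, which the thread also mentions) and passing the two texts to `drift`.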
------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest, Vol 17, Issue 4
***********************************************