Monday, September 10, 2007

firewall-wizards Digest, Vol 17, Issue 9

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Isolating internal servers behind firewalls (ArkanoiD)
2. Re: Firewall Testing (ArkanoiD)
3. Re: IPv6 support in firewalls (Fetch, Brandon)
4. Re: Isolating internal servers behind firewalls (Marcus J. Ranum)
5. Re: Do you permit X11 via proxy firewall? (fwd) (dlang@diginsite.com)
6. Re: Do you permit X11 via proxy firewall? (dlang@diginsite.com)
7. Re: Isolating internal servers behind firewalls (dlang@diginsite.com)
8. Re: Isolating internal servers behind firewalls (L Cubed)


----------------------------------------------------------------------

Message: 1
Date: Mon, 10 Sep 2007 21:34:06 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] Isolating internal servers behind firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20070910173406.GA2114@eltex.net>
Content-Type: text/plain; charset=us-ascii

I am yet to see a firewall capable of intelligent SMB filtering.

Quite a simple requirement (say, allow file sharing and deny other potentially
dangerous RPCs) and nobody meets it. Except maybe Solsoft NSM, which is
rather dead than alive.

On Mon, Sep 10, 2007 at 08:09:17AM -0500, Behm, Jeffrey L. wrote:
>
> How many new exploits come in via chargen nowadays, which you could
> block vs. how many come in via Microsoft networking (Ports 445, 137,
> 139, etc.), which you would have open, if you want file shares to work.
>

------------------------------

Message: 2
Date: Mon, 10 Sep 2007 21:38:47 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] Firewall Testing
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20070910173847.GB2114@eltex.net>
Content-Type: text/plain; charset=us-ascii

On Sun, Sep 09, 2007 at 09:04:54AM -0700, Shahin Ansari wrote:
>
> Greetings-
>
> I have some questions regarding firewall testing:
>
> 1- Seems I am losing some syslog messages. I have kiwi on a xp pc,
> and most of time it is running at 100% so I know it is running full
> speed, and it is overloaded. My Goal is to capture the critical
> messages, and I am thinking of rate-limiting the other categories
> which I do not care about in hope to see the more critical messages.
> Any other suggestions?

Switch to BSD system with syslog-ng?
Send critical messages via tcp, while letting non-critical ones flow via udp?
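The split suggested above (critical messages over TCP, the rest over UDP) combined with the rate-limiting of uninteresting categories that the original question asks about, as an added example that is not part of the original thread: a small Python relay decision function that decodes the RFC 3164 PRI, forwards emerg/alert/crit over TCP unconditionally, and caps non-critical messages per facility per window. The firewall name "fw1", the log lines and the limit are constructed; a message without a PRI is treated as <13> (user.notice), as RFC 3164 tells relays to do.

```python
import re
from collections import defaultdict

# BSD syslog (RFC 3164) PRI = facility * 8 + severity; severity 0..7 = emerg..debug.
PRI_RE = re.compile(r"^<(\d{1,3})>")
CRITICAL_MAX_SEVERITY = 2   # emerg(0), alert(1), crit(2) are never rate-limited
DEFAULT_PRI = 13            # RFC 3164: a relay treats a message lacking PRI as <13> (user.notice)

def parse_pri(line):
    """Return (facility, severity) for a syslog line, or None if the PRI is absent/invalid."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return pri >> 3, pri & 7

class Router:
    """Per-window routing: critical messages always go 'tcp'; everything else goes
    'udp' until the facility's per-window budget is spent, then 'drop' (counted)."""
    def __init__(self, per_facility_limit):
        self.limit = per_facility_limit
        self.seen = defaultdict(int)      # facility -> non-critical messages this window
        self.dropped = defaultdict(int)   # facility -> messages suppressed (for a summary line)

    def new_window(self):
        self.seen.clear()                 # call once per second (or per chosen interval)

    def route(self, line):
        facility, severity = parse_pri(line) or (DEFAULT_PRI >> 3, DEFAULT_PRI & 7)
        if severity <= CRITICAL_MAX_SEVERITY:
            return "tcp"
        self.seen[facility] += 1
        if self.seen[facility] > self.limit:
            self.dropped[facility] += 1
            return "drop"
        return "udp"

def route_window(router, lines):
    """Route one window of lines; returns the decision for each line in order."""
    router.new_window()
    return [router.route(line) for line in lines]

# Constructed sample: one second of output from a hypothetical firewall "fw1".
SAMPLE = [
    "<10>Sep 10 21:34:06 fw1 kernel: link down on eth1",                       # user.crit
    "<134>Sep 10 21:34:06 fw1 filter: accept tcp 10.0.0.5 -> 10.0.1.7:445",    # local0.info
    "<134>Sep 10 21:34:06 fw1 filter: accept tcp 10.0.0.6 -> 10.0.1.7:445",    # local0.info
    "<134>Sep 10 21:34:06 fw1 filter: accept udp 10.0.0.7 -> 10.0.1.9:53",     # local0.info
    "<38>Sep 10 21:34:07 fw1 sshd: Accepted publickey for admin",              # auth.info
    "Sep 10 21:34:07 fw1 line with no PRI header",                              # treated as <13>
    "<9>Sep 10 21:34:07 fw1 kernel: state table full",                          # user.alert
]
```

Running `route_window(Router(2), SAMPLE)` shows the third local0.info line being dropped while both critical kernel lines take the TCP path regardless of the budget; `router.dropped` gives the per-facility suppression count worth emitting as its own periodic summary message.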


------------------------------

Message: 3
Date: Mon, 10 Sep 2007 16:17:27 -0400
From: "Fetch, Brandon" <bfetch@tpg.com>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>, "Firewall Wizards Security
Mailing List" <firewall-wizards@listserv.cybertrust.com>
Message-ID:
<AA8E89377DCB1C498CF19E343CA49D8E23F327@NYEXCHSVR01.texpac.com>
Content-Type: text/plain; charset="us-ascii"

Not really an "approved" business use, but I learned the hard way that
Yahoo Fantasy Sports (yeah, yeah...tell me about it later...) requires
the use of JS.

:(

I was using a prolific hosts file to block a whole lot of ad content
from operators and ended up having to remove the pair of
js1/js2.yahoo.com resolutions to get their newest version to work.

Sad but true...JS has now invaded fantasy football!

-Back to lurk mode
Brandon

-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of
ArkanoiD
Sent: Wednesday, August 29, 2007 1:01 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] IPv6 support in firewalls

Sure, this applies to the "receiving documents from outside" case only,
not to internal document flow. BTW, back to the firewalls: are there
any reasonable "whitelists" of sites that use JS, really do need it to
work properly and are known to behave well? It looks like every organization
deploying scripting language control on the firewall creates one
from scratch, which may be quite a long process. I guess there
should be some "annotated template"?

On Wed, Aug 29, 2007 at 12:29:26PM -0400, Paul D. Robertson wrote:
>
> > Yes. Most people need Google Documents and Ajax. Actually using
> > Google Documents is safer than installing local "Office" pack.
>
> That depends heavily on your trust model, document propagation risk and
> how valuable the documents themselves are. I'd like to see your strategy
> for document protection and recovery from Google Docs for a just-laid-off
> employee. I'd like to see you stop them from "sharing" a copy of the
> document with themselves at home... While it's not easy to do, you *can*
> build an environment where a local office package keeps the documents in a
> reasonably controlled environment where employees can't e-mail them
> directly, dump them to removable media, etc.
>
> Put the documents on a Web site accessible from anywhere on the planet
> with reusable credentials and you pretty-much kill the idea of document
> control at all, let alone keeping the honest people honest or a credential
> exposure from providing the whole farm instead of just a pig.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



------------------------------

Message: 4
Date: Mon, 10 Sep 2007 17:15:34 -0400
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Isolating internal servers behind firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>, Firewall Wizards Security
Mailing List <firewall-wizards@listserv.cybertrust.com>
Message-ID: <6.2.0.14.2.20070910171013.0348a718@ranum.com>
Content-Type: text/plain; charset="us-ascii"

ArkanoiD wrote:
>I am yet to see a firewall capable of intelligent SMB filtering.

There was some research in collaborative cross-firewall filesystems
in the early 1990's. It was based on NFS with extensions ;) and
some of us annoying bleepards kept coming up with cunning ways
to propagate executable content in spite of its best attempt to
prevent it. Turns out that there's just an inordinate number of
applications that can be tricked into doing things if you can alter
their dotfiles or inputs. It was this system that resulted in Paul
and my formulating the saying "A firewall that lets you run NFS
through it is like a seatbelt that's designed to let your face reach
the dashboard."

SMB, of course, is much much worse than NFS.

All that said, then, the only "intelligent" SMB filtering is
the 100% solution you get from a pair of wire cutters.

mjr.

------------------------------

Message: 5
Date: Mon, 10 Sep 2007 09:30:39 -0700 (PDT)
From: dlang@diginsite.com
Subject: Re: [fw-wiz] Do you permit X11 via proxy firewall? (fwd)
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <Pine.LNX.4.63.0709100930201.7253@qynat.qvtvafvgr.pbz>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Thu, 6 Sep 2007, jason@tacorp.com wrote:

>> why is tunneling X through firewalls noticeably safer than just doing packet
>> filtering to allow it through?
>>
>> if the only answer is because it prevents someone from intercepting and
>> tinkering with the TCP datastream then it's only relevant in some situations
>> and you are saying that in others it's perfectly safe to just do packet
>> filtering.
>
> Perhaps, it's not about safety but rather manageability. It's a lot
> easier to manage that traffic if it's done as part of a single application
> rather than as a whole protocol suite and multiple ports.
>
> If I recall correctly, X11 is one of those protocols that tries to
> negotiate ports rather than just using a fixed few. This may be a bit of a
> hassle which may cause errors or having ports open that don't need to be.

X11 uses port 6000 for the first display on a computer, 6001 for the second,
etc., but since almost nothing uses multiple displays nowadays, port 6000 should
be the only thing you need (multiple monitors with one desktop across them
count as one display).

David Lang

> I know it's lame to use the 'it's easier this way' excuse rather than just
> doing it right, but there is definitely some benefit to having something
> that's easy to manage over something that's not.
>
> Jason
>
>>
>> remember, just because everyone is doing it, it may not be safe.
>>
>> remember almost everyone thinks that firewalls are just packet filters and
>> have no business actually looking at the packets that they let through.
>>
>> David Lang


------------------------------

Message: 6
Date: Mon, 10 Sep 2007 09:31:00 -0700 (PDT)
From: dlang@diginsite.com
Subject: Re: [fw-wiz] Do you permit X11 via proxy firewall?
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <Pine.LNX.4.63.0709100930440.7253@qynat.qvtvafvgr.pbz>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Fri, 7 Sep 2007, ArkanoiD wrote:

> On Wed, Sep 05, 2007 at 04:48:46PM -0700, dlang@diginsite.com wrote:
>> On Thu, 6 Sep 2007, ArkanoiD wrote:
>>
>>> That's most practical, almost everyone is doing that.
>>> So we can declare x11 gateways officially dead, i guess.
>>>
>>> On Wed, Sep 05, 2007 at 05:02:50PM -0400, Paul Melson wrote:
>>>>> And, if yes, how do you implement it?
>>>>
>>>> No, that's what 'ssh -X' is for.
>>
>> why is tunneling X through firewalls noticeably safer than just doing packet
>> filtering to allow it through?
>
> Because it ensures proper endpoint authentication, encryption and ensures
> (well, to some extent) that no malicious connections will be made through
> the tunnel. At least does it better as packet filtering rules are static.
>
> The same rationale applies for x11 gateways: most of them present a kind
> of confirmation dialog for every new client connection.

I agree with the value of the authorization/authentication. Encryption can be
valuable in some environments; in others it just eats up CPU cycles.

>> if the only answer is because it prevents someone from intercepting and
>> tinkering with the TCP datastream then it's only relevant in some situations
>> and you are saying that in others it's perfectly safe to just do packet
>> filtering.
>>
>> remember, just because everyone is doing it, it may not be safe.
>
> It is not, as nothing is safe, but sometimes it is acceptable risk ;-)

I agree; however, I see a mindset creeping in that if you just encrypt it then
it must be safe, and so I question statements like 'X is unsafe, but if you
tunnel it through SSH then it's safe'.

By the way, for those who are new to X, it allows programs to communicate with
each other, even from different machines, if they share a display. For a trivial
example of this, take two Linux boxes and configure them to both use the same
display (through whatever mechanism, including through SSH). Then try to
start up Firefox on both machines (ideally, pass it a URL to start with).

What you will find is that when you try to start it up on the second machine, it
detects that you already have it running on the first machine and instructs that
copy of Firefox to open a window to the URL you told the second machine to
display.

David Lang

>> remember almost everyone thinks that firewalls are just packet filters and
>> have no business actually looking at the packets that they let through.
>
> Not us ;-)
>


------------------------------

Message: 7
Date: Mon, 10 Sep 2007 14:03:53 -0700 (PDT)
From: dlang@diginsite.com
Subject: Re: [fw-wiz] Isolating internal servers behind firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <Pine.LNX.4.63.0709101402380.7253@qynat.qvtvafvgr.pbz>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Mon, 10 Sep 2007, ArkanoiD wrote:

> I am yet to see a firewall capable of intelligent SMB filtering.
>
> Quite a simple requirement (say, allow file sharing and deny other potentially
> dangerous RPCs) and nobody meets it. Except maybe Solsoft NSM, which is
> rather dead than alive.

The Raptor firewall would do this, but Symantec has just about killed it off
(they are down to only their appliance version).

I think the Sidewinder firewall has some capabilities in this area as well, but
I haven't dug into it yet.

David Lang

> On Mon, Sep 10, 2007 at 08:09:17AM -0500, Behm, Jeffrey L. wrote:
>>
>> How many new exploits come in via chargen nowadays, which you could
>> block vs. how many come in via Microsoft networking (Ports 445, 137,
>> 139, etc.), which you would have open, if you want file shares to work.
>>
>


------------------------------

Message: 8
Date: Mon, 10 Sep 2007 16:10:56 -0500
From: "L Cubed" <lllcubed@gmail.com>
Subject: Re: [fw-wiz] Isolating internal servers behind firewalls
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<52c121940709101410m621e984ct824aab65fb6117af@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

On 9/10/07, ArkanoiD <ark@eltex.net> wrote:
>
> I am yet to see a firewall capable of intelligent SMB filtering.
>
> Quite a simple requirement (say, allow file sharing and deny other potentially
> dangerous RPCs) and nobody meets it. Except maybe Solsoft NSM, which is
> rather dead than alive.
>
>
I'm curious.

If there were an MS RPC protocol-enforcing proxy (something NOT made by MS
itself), how many would be interested to the point of wanting to beta test
and provide input into its operation?

-LCubed


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 17, Issue 9
***********************************************
