firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. NAT sanity check (David Steele)
2. Re: Pix rulebase/policy analysis (Avishai Wool)
----------------------------------------------------------------------
Message: 1
Date: Thu, 1 Nov 2007 21:24:24 -0400
From: "David Steele" <steeled3@gmail.com>
Subject: [fw-wiz] NAT sanity check
To: firewall-wizards@listserv.icsalabs.com
Message-ID:
<140c247a0711011824v28b3e4edp650b800d391236c5@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Hi,
I'm hoping someone can provide a sanity check on the following configuration
- i.e.: will it work?
I've got a /29 public network, addresses (say) .2 to .6, with default
gateway of .1. Can I place a Checkpoint firewall on .2 and have it use the
remaining addresses for NAT'd services on the other side of the firewall?
I ask as I'm certain I've done this in the past, but I'm a few years out of
doing firewall work and my current technical contact reckons this won't work
- that the default gate will ARP for the address and the .2 firewall won't
respond; and that furthermore the only way to use the addresses would be to
put a different subnet between the default gateway and the firewall and
route the /29 network to the firewall (which I agree will work, but...)
Also, would it work if the firewall was a PIX?
TIA
--
_______________________________
David Steele
<insert sig line witticism here>
------------------------------
Message: 2
Date: Thu, 1 Nov 2007 22:26:05 +0200
From: "Avishai Wool" <yash@acm.org>
Subject: Re: [fw-wiz] Pix rulebase/policy analysis
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<8a9b1fe30711011326n6db686a2x845d9bbbf07756c5@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Hi,
If you are willing to use a commercial solution, check out www.algosec.com.
It does everything you asked about, and then some: risk assessment with
built-in knowledgebase, what is open, rule usage statistics & reordering,
change tracking, SOX compliance - all in a convenient web-based report.
It's WAY better than a spreadsheet ...
Disclaimer: I've been working on firewall analysis for many years,
both in academia and industry, and
I'm affiliated with AlgoSec, so I'm biased.
HTH,
Avishai
On 9/19/07, jacob c <jctx09@yahoo.com> wrote:
> I'm a newbie to the PIX line but these questions would apply to other
> firewalls as well. I have some questions that I hope you guys can assist me
> with.
>
> Two Questions:
> 1) What is the best/easiest way to document a current policy? Spreadsheet??
> I would like to know what ports (services) are open and to where? Also
> duplicates, etc.? Would it be best just to put it in a spreadsheet? Is there
> a tool for this?
> 2) Once an audit/analysis has been made, what is a good way to make the new
> changes, if there are many? Would it be best just to download the config and
> modify it offline?
> 3) What is the method to see what rules are being hit the most so I can
> rearrange the rules in the most logical, efficient order?
> 4) Is there a standard analysis checklist to go by when reviewing a PIX
> firewall policy?
> Any help is highly appreciated.
> Thank you,
>
--
Avishai Wool, Ph.D., Co-founder and Chief Technical Officer
http://www.algosec.com
******* Firewall Management Made Smarter ******
------------------------------
End of firewall-wizards Digest, Vol 19, Issue 1
***********************************************