
Friday, November 23, 2007

firewall-wizards Digest, Vol 19, Issue 17

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Firewalls that generate new packets.. (Marcus J. Ranum)
2. Re: Firewalls that generate new packets.. (Marcus J. Ranum)
3. Re: Firewalls that generate new packets.. (Paul D. Robertson)
4. Re: Opinions wanted... (Timothy Shea)
5. Re: Opinions wanted... (Dave Piscitello)
6. Re: Firewalls that generate new packets.. (Dave Piscitello)
7. Re: Firewalls that generate new packets.. (Paul D. Robertson)


----------------------------------------------------------------------

Message: 1
Date: Wed, 21 Nov 2007 15:34:37 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <6.2.0.14.2.20071121153252.04091a70@ranum.com>
Content-Type: text/plain; charset="us-ascii"

lordchariot@embarqmail.com wrote:
>Let's say I need to cross the US-Canada border. If I drive, I get to the
>border crossing, show my passport, talk to the guard and explain where/why
>I'm going and usually just continue with a 'Have a Nice Visit' Comment. If
>they are a 'Deep Inspection' border guard, sometimes they open the trunk to
>take a peek inside, but since I'm not that suspicious, I've never had my
>luggage opened despite the fact I could easily have smuggled contraband.

...and...
If they are an "intrusion prevention" border guard, they stop you
if you have one of those yellow signs in the window that says
"Terrorist Inside."

mjr.

------------------------------

Message: 2
Date: Fri, 23 Nov 2007 09:34:28 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: dave@corecom.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>, Firewall Wizards Security
Mailing List <firewall-wizards@listserv.icsalabs.com>
Message-ID: <6.2.0.14.2.20071123093023.04450150@ranum.com>
Content-Type: text/plain; charset="us-ascii"

Dave Piscitello wrote:
>What IOS, PIX, etc. have in common is The Brand.

One of my favorite IT riddles is: "Name a security product that Cisco has developed."

OK, OK... just joking. Actually, aside from the IOS router, I keep trying to think
if there is ANY product Cisco has developed... Not that I am saying growth by
acquisition is bad. Cisco buys the best (or at least in the top 5, usually) that is
available. But it is amazing how Network Guys go from "You are not sticking
a PC as a single point of failure in my network!" to seeing the Cisco logo and
deciding it's OK.

mjr.

------------------------------

Message: 3
Date: Fri, 23 Nov 2007 17:07:23 -0500 (EST)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0711231706380.5052-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 19 Nov 2007, Paul Melson wrote:

> and has a minuscule share of the total firewall market. Of course, Cisco,
> Check Point, and most of their competitors have proxies. Proxy firewalls
> are dead. Long live proxy firewalls.

But if my experience with Internet-enabled software vendors is anywhere
near common, nobody's enabling the proxies.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

http://www.fluiditgroup.com/blog/pdr/

Art: http://PaulDRobertson.imagekind.com/

------------------------------

Message: 4
Date: Fri, 23 Nov 2007 08:33:00 -0600
From: Timothy Shea <tim@tshea.net>
Subject: Re: [fw-wiz] Opinions wanted...
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <AE49BC74-62EF-4AFB-819E-06DA4E224080@tshea.net>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes

IMHO - if you haven't used either platform before and only 3 firewalls
- either solution will require an equal amount of training to
understand and my guess is that the VAR who is recommending against
checkpoint will make more money if you buy checkpoint versus sidewinder.

That being said - for your type of application I would lean toward
CheckPoint Secure Platform (SPLAT) versus Sidewinder or Checkpoint
running on Nokia and my reasoning is that I can normally use whatever
hardware platform my server teams support versus buying an all in one
appliance solution (checkpoint nokia, sidewinder).

t.s

On Nov 21, 2007, at 10:40 AM, Kurt Buff wrote:

> All,
>
> I've been working with Watchguards at my current employer for quite a
> while, but we're looking to replace them.
>
> We've received a recommendation from one firm for Sidewinders (a 410
> and a couple of 110s for the branch offices).
>
> We've received a recommendation against the Sidewinders from another
> firm saying that they are too complex to manage easily, and require
> extensive training to understand - they recommend Checkpoint instead.
>
> Neither seems to be completely out of our price range, so it would
> seem to come down to concerns regarding initial implementation and
> ongoing management.
>
> Are the Sidewinders that much more complex than Checkpoints?
>
> Is one "better" (for whatever that might mean to you) than the other -
> that is, if you have experience with both, which would you prefer, and
> why?
>
> I, of course, am excited to be learning a new platform, and want to
> move away from some of the quirkiness of the ancient Fireboxes we
> have, but want to make a reasonable recommendation to management.
>
>
> Thanks,
>
> Kurt

------------------------------

Message: 5
Date: Fri, 23 Nov 2007 18:06:33 -0500
From: Dave Piscitello <dave@corecom.com>
Subject: Re: [fw-wiz] Opinions wanted...
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <47475CF9.708@corecom.com>
Content-Type: text/plain; charset="iso-8859-1"

We might be able to offer better insights if we understood why you were
replacing your current firewalls.

Tim's comment re: common server platform is a good example of one
motivation. In his situation, he's (presumably) confident that his
server team can secure the underlying platform as well as an appliance
solution (claims to) secure its product. Your motivation might be
performance, issues with feature set of proxies, desire for an
application level security feature you currently don't have, IPv6
support, etc.

Nothing against VARs, but I would trust a security decision to security
professionals. If the VAR has some and they can provide a security basis
to support their recommendation, terrific. If not, then money may be
the motive and that's not always the best motive where security comes
into play.

I'd suggest you sit with your security team and anyone in your company
who might have some insight into long term business objectives that will
influence security requirements (e.g., VOIP). Identify the security
objectives the current firewall cannot satisfy. Identify any new
security objectives you expect you'll need to satisfy for whatever
"business horizon" you can see.

Use the list you come up with rather than a VAR's recommendation or even
the well-intentioned suggestions from posters here. Fact is, you
probably shouldn't share all the security requirements that might help
us help you choose the most appropriate firewall on a mailing list anyway:-)

Timothy Shea wrote:
> IMHO - if you haven't used either platform before and only 3 firewalls
> - either solution will require an equal amount of training to
> understand and my guess is that the VAR who is recommending against
> checkpoint will make more money if you buy checkpoint versus sidewinder.
>
> That being said - for your type of application I would lean toward
> CheckPoint Secure Platform (SPLAT) versus Sidewinder or Checkpoint
> running on Nokia and my reasoning is that I can normally use whatever
> hardware platform my server teams support versus buying an all in one
> appliance solution (checkpoint nokia, sidewinder).
>
> t.s
>
> On Nov 21, 2007, at 10:40 AM, Kurt Buff wrote:
>
>> All,
>>
>> I've been working with Watchguards at my current employer for quite a
>> while, but we're looking to replace them.
>>
>> We've received a recommendation from one firm for Sidewinders (a 410
>> and a couple of 110s for the branch offices).
>>
>> We've received a recommendation against the Sidewinders from another
>> firm saying that they are too complex to manage easily, and require
>> extensive training to understand - they recommend Checkpoint instead.
>>
>> Neither seems to be completely out of our price range, so it would
>> seem to come down to concerns regarding initial implementation and
>> ongoing management.
>>
>> Are the Sidewinders that much more complex than Checkpoints?
>>
>> Is one "better" (for whatever that might mean to you) than the other -
>> that is, if you have experience with both, which would you prefer, and
>> why?
>>
>> I, of course, am excited to be learning a new platform, and want to
>> move away from some of the quirkiness of the ancient Fireboxes we
>> have, but want to make a reasonable recommendation to management.
>>
>>
>> Thanks,
>>
>> Kurt


------------------------------

Message: 6
Date: Fri, 23 Nov 2007 21:09:22 -0500
From: Dave Piscitello <dave@corecom.com>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <474787D2.6010101@corecom.com>
Content-Type: text/plain; charset="iso-8859-1"

Not certain what you mean when you limit the discussion to
Internet-enabled software vendors but I am pretty certain that everyone
who runs an SSL VPN is running a proxy of some sort.

Aren't many VoIP-aware firewalls glorified SIP proxies that try to make
SIP secure in the absence of anything in the session initiation protocol
that one might consider a security feature? If I recall, SIP is one of
the many IETF protocols that has a "Security" section that says, "yep,
there are security issues with this protocol but hey, never let security
stand in the way of a disruptive technology..."


Paul D. Robertson wrote:
> On Mon, 19 Nov 2007, Paul Melson wrote:
>
>> and has a minuscule share of the total firewall market. Of course, Cisco,
>> Check Point, and most of their competitors have proxies. Proxy firewalls
>> are dead. Long live proxy firewalls.
>
> But if my experience with Internet-enabled software vendors is anywhere
> near common, nobody's enabling the proxies.
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson "My statements in this message are personal opinions
> paul@compuwar.net which may have no basis whatsoever in fact."
>
>
> http://www.fluiditgroup.com/blog/pdr/
> Art: http://PaulDRobertson.imagekind.com/
>


------------------------------

Message: 7
Date: Sat, 24 Nov 2007 00:04:33 -0500 (EST)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: dave@corecom.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0711232349290.5052-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII; FORMAT=flowed

On Fri, 23 Nov 2007, Dave Piscitello wrote:

> Not certain what you mean when you limit the discussion to
> Internet-enabled software vendors but I am pretty certain that everyone
> who runs an SSL VPN is running a proxy of some sort.

I didn't say "Internet-enabled software vendors" because I meant
"applications that at some point in their life, but after their initial
design were given grafted-on Internet-based functionality."

Specifically, in the last couple of years I've dealt with ERP/CRM,
Shipping and Financial Services (Payroll) vendors who've all been
unpleasantly surprised when software they've had fielded for anywhere from
six months to six years doesn't work when presented with an HTTP proxy
_even though there are provisions in their application code for setting
up a proxy_.

In every case, whatever brain damaged code was used to invoke proxy
support ended up doing direct DNS lookups and trying to connect directly
to the vendor's systems, and it took lots of packet traces to "prove"
their software didn't work as advertised (and in every case there was the
immediate request to "remove the firewall" or "open ports" to be met with
"the network isn't architected that way and won't be modified thusly.")

In the case of the ERP/CRM system, the code was "validated" by a third
party service provider who obviously dropped the ball in whatever "testing"
they did because the proxy code functioned in "test your connectivity"
mode but not in "send your data" mode. It took two days to bypass the
vendor's phone firewall known as "technical support" which was neither
technical nor supportive.

It's pretty clear to me that where there's a proxy/filter choice to be
made, the default is "filter/NAT" enough of the time that vendors are
shocked when their code is questioned because "it works for everybody
else" just fine. Heck, I had one major shipping vendor punt to dial-up
rather than work with a vendor to fix their offering.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

http://www.fluiditgroup.com/blog/pdr/

Art: http://PaulDRobertson.imagekind.com/
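
The failure mode Paul describes above (an application with a proxy setting that still does its own DNS lookups and direct connects once it moves from "test your connectivity" to "send your data") is easiest to prove from a packet trace. The following is an added example, not code from the thread or from any of the vendors mentioned; it classifies captured flows from a proxy-configured host as proxy-bound, DNS-resolved-through-the-proxy, DNS leak, or direct outbound. The proxy address 10.0.0.5:3128, the resolver 10.0.0.53, the internal domain corp.example, the 10.0.0.0/8 internal range and the trace lines themselves are all constructed for the example.

```python
"""Show from a packet trace whether a proxy-configured client honours the proxy.

Added example, not from the firewall-wizards thread. Every address, name and
trace line below is constructed; adjust the constants to your own network.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

PROXY = ("10.0.0.5", 3128)                          # assumed: site HTTP proxy
RESOLVER = "10.0.0.53"                              # assumed: internal DNS resolver
INTERNAL_DOMAIN = "corp.example"                    # assumed: names a client may resolve itself
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed: internal address range


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    note: str = ""  # DNS query name or a free-text remark from the trace


def parse_line(line):
    """Parse one constructed trace line: 'proto src > dst:port [note]'."""
    proto, src, _arrow, dst_port, *rest = line.split(None, 4)
    dst, port = dst_port.rsplit(":", 1)
    return Flow(proto, src, dst, int(port), rest[0] if rest else "")


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def classify(flow):
    """Return 'proxy', 'dns-ok', 'dns-leak', 'direct' or 'other' for one flow."""
    if flow.proto == "tcp" and (flow.dst, flow.dport) == PROXY:
        return "proxy"          # connection to the proxy: the configured path
    if flow.proto == "udp" and flow.dport == 53:
        # A proxy-aware client hands the vendor hostname to the proxy
        # (CONNECT host:port), so it only ever resolves internal names itself.
        name = flow.note.lower().rstrip(".")
        return "dns-ok" if name.endswith(INTERNAL_DOMAIN) else "dns-leak"
    if flow.proto == "tcp" and not is_internal(flow.dst):
        return "direct"         # outbound TCP that ignores the proxy entirely
    return "other"


def verdict(flows):
    """Summarise a trace: ('honours proxy' | 'bypasses proxy', per-class counts)."""
    counts = Counter(classify(f) for f in flows)
    bypass = counts["dns-leak"] + counts["direct"]
    return ("bypasses proxy" if bypass else "honours proxy"), dict(counts)


# Constructed trace 1: the vendor's "test your connectivity" button.
CONNECTIVITY_TEST = [parse_line(l) for l in [
    "udp 10.1.2.3 > 10.0.0.53:53 proxy.corp.example",
    "tcp 10.1.2.3 > 10.0.0.5:3128 CONNECT updates.vendor.example:443",
]]

# Constructed trace 2: the same client in "send your data" mode.
DATA_UPLOAD = [parse_line(l) for l in [
    "udp 10.1.2.3 > 10.0.0.53:53 upload.vendor.example",
    "tcp 10.1.2.3 > 203.0.113.10:443 SYN, no reply (dropped at firewall)",
    "tcp 10.1.2.3 > 203.0.113.10:443 SYN retransmit",
]]

if __name__ == "__main__":
    for label, trace in (("connectivity test", CONNECTIVITY_TEST),
                         ("data upload", DATA_UPLOAD)):
        result, counts = verdict(trace)
        print(f"{label}: {result} {counts}")
```

Run against the two constructed traces, the connectivity test classifies as honouring the proxy (one internal DNS lookup, one connection to the proxy) while the upload classifies as bypassing it (an external name resolved locally, then direct SYNs to the resolved address). The two classes that matter for the argument with the vendor are "dns-leak" and "direct": a client that really uses the proxy has no reason to produce either, so their presence in the trace is the evidence Paul had to collect by hand.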

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 19, Issue 17
************************************************
