Sunday, November 25, 2007

firewall-wizards Digest, Vol 19, Issue 20

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Firewalls that generate new packets.. (Bill McGee (bam))
2. Re: Opinions wanted... (Cat Okita)
3. Re: Firewalls that generate new packets.. (Dave Piscitello)
4. Re: How to find hidden host within LAN (Crispin Cowan)
5. Re: How to find hidden host within LAN (Mark)
6. Re: How to find hidden host within LAN (Jim Seymour)


----------------------------------------------------------------------

Message: 1
Date: Sun, 25 Nov 2007 08:31:07 -0800
From: "Bill McGee (bam)" <bam@cisco.com>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.cybertrust.com>, "Firewall Wizards
Security Mailing List" <firewall-wizards@listserv.cybertrust.com>
Message-ID:
<A0A653F4CB702442BFBF2FAF02C031E902A32191@xmb-sjc-21e.amer.cisco.com>
Content-Type: text/plain; charset="us-ascii"

Yes, PIX/ASA has a different OS than IOS. That's on purpose. Lots of folks have policies which require that their security is different from their infrastructure. Of course, we also offer the IOS Firewall, which is another Enterprise-Class firewall with full routing functionality.

The biggest advantage with these solutions, based on thousands of interviews with customers, is how fully they integrate with the network. The ability to collect and share information with the network, detect and respond to events across the entire network, and dynamically adjust the security of virtually every device in the network, globally, based on real time event information is something no other solution can even pretend to approach. Integration, adaptability, and collaboration with the network is why the Cisco firewall solutions are bought by more organizations than the next several competitors combined.


Bill McGee
Senior Marketing Manager
Security Solutions
Cisco Systems, Inc.

-----Original Message-----
From: Paul D. Robertson [mailto:paul@compuwar.net]
Sent: Sunday, November 25, 2007 07:42 AM Pacific Standard Time
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Firewalls that generate new packets..

On Mon, 19 Nov 2007, ArkanoiD wrote:

> Which always made me wonder: Pix have almost nothing common with IOS
> routers except Cisco label on it. For ASA, things changed a bit, but the
> "firewall" part of the device is still the same.

Sure, it has plenty of things in common:

It's a network device, just like the routers are.
It's sold to the same people.
It's sold by the same people.

My pictures have nothing to do with IT or INFOSEC, but I make most of my
sales to the same customers. Most of that is the sales opportunity- the
last two on my list- but I'd like to think at least part of it is that
they know the level of quality they'll get from me in anything I sell
them.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

http://www.fluiditgroup.com/blog/pdr/

Art: http://PaulDRobertson.imagekind.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


------------------------------

Message: 2
Date: Sun, 25 Nov 2007 12:48:23 -0500 (EST)
From: Cat Okita <cat@reptiles.org>
Subject: Re: [fw-wiz] Opinions wanted...
To: chris@blask.org, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <20071125124730.Y63953@gecko.reptiles.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Fri, 23 Nov 2007, Chris Blask wrote:
> o If you want something reliable and hard to screw up I'd
> recommend PIX (call it ASA if you like), functionally much
> like WG and with all the advantages of being supported by
> The Borg. Your employers are much more likely to find a
> replacement for you who knows Cisco inside out than someone
> who knows Sidewinder, and marginally more so than CP
> (whether you find that to be good or bad is your call...).

Given the sheer number of posts with PIX problems to firewall-wizards,
I'd have to say that "hard to screw up" wouldn't be my first choice of
ways to describe PIXen.

cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet. This is the defining metaphor of my life right now."


------------------------------

Message: 3
Date: Sun, 25 Nov 2007 13:20:50 -0500
From: Dave Piscitello <dave@corecom.com>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4749BD02.1010807@corecom.com>
Content-Type: text/plain; charset="iso-8859-1"

I believe this goes into the "proxies rawk" folder alongside my posts.

I really would like to see a thorough analysis of the performance of an
application layer policy enforcement using strictly stateful inspection
techniques versus the same policy enforced using strictly proxy
techniques. I am not certain this could be done using any COTS firewalls
today b/c the implementations have blurred the distinctions (my
opinion). But perhaps that's good b/c people are paying less attention
to the rhetoric and posturing than they did 10 years ago.


Patrick M. Hausen wrote:
> Hello,
>
> On Fri, Nov 23, 2007 at 05:07:23PM -0500, Paul D. Robertson wrote:
>> On Mon, 19 Nov 2007, Paul Melson wrote:
>>
>>> and has a minuscule share of the total firewall market. Of course, Cisco,
>>> Check Point, and most of their competitors have proxies. Proxy firewalls
>>> are dead. Long live proxy firewalls.
>> But if my experience with Internet-enabled software vendors is anywhere
>> near common, nobody's enabling the proxies.
>
> Absolutely correct. Because at least for one of these vendors
> the proxies are riddled with bugs, i.e. protocol violations or,
> to the customer, arbitrary restrictions, and, additionally,
> performance plummets faster than <insert favorite comparison>.
>
> These proxies are (IMHO) just a check item for people who buy
> products based on check lists.
>
> You need to design a firewall for use of proxies as your main
> line of defense from the ground up. Fortunately current CPU
> speeds and RAM capacities show the "stateful packet filters
> are faster" argument not to be true anymore. At least not
> if implemented on general purpose hardware.
>
> The product with the "minuscule share of the total firewall market"
> can easily support Gigabit speeds.
>
> Of course I'm biased, but I happen to have a customer with
> about 14.000 seats running both Checkpoint and Secure Computing.
> You should talk to their IT staff.
>
> They introduced Checkpoint firewalls when your "high end" ALG
> was Gauntlet on a Sun E450. A current Sidewinder runs circles
> around these boxes. With much more thorough protocol inspection
> than Gauntlet ever had. Sorry, ^inspection^enforcement. ;-)
>
> Kind regards,
> Patrick M. Hausen
> Leiter Netzwerke und Sicherheit


------------------------------

Message: 4
Date: Sun, 25 Nov 2007 11:29:39 -0800
From: Crispin Cowan <crispin@crispincowan.com>
Subject: Re: [fw-wiz] How to find hidden host within LAN
To: "desant1@tin.it" <desant1@tin.it>, Firewall Wizards Security
Mailing List <firewall-wizards@listserv.icsalabs.com>
Message-ID: <4749CD23.6010303@crispincowan.com>
Content-Type: text/plain; charset=ISO-8859-1

desant1@tin.it wrote:
> In the last week I noticed in the iptables logs that a host within
> my LAN is doing a lot of traffic.
> The destination/source address of the
> packets and the used port suggest that this host is using a peer-to-peer
> application (emule or similar).
> The problem is that I'm not able to
> identify this host within my LAN:
> I can see his IP address (192.168.x.y) and I can find his MAC address
> through ARP, but I can't ping it and there is no host within my LAN
> with this MAC address.
> I can't traceroute it.
> Can someone help me to find this hidden host?
>
Even if you *could* ping it, how would that help you find it? When you
have a misbehaving node on a network, finding it is always a game of
"Marco Polo" :(

What you could do is set your firewall to block that IP address, and
wait for someone to yell. Sort of a game of "Marco-whack-on-the-head
Polo" :-)

Crispin

--
Crispin Cowan, Ph.D.

http://crispincowan.com/~crispin
CEO, Mercenary Linux

http://mercenarylinux.com/

Itanium. Vista. GPLv3. Complexity at work

------------------------------

Message: 5
Date: Sun, 25 Nov 2007 14:57:27 -0500
From: "Mark" <firewalladmin@bellsouth.net>
Subject: Re: [fw-wiz] How to find hidden host within LAN
To: <desant1@tin.it>, "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <000001c82f9d$680d9270$2003a8c0@357magnum>
Content-Type: text/plain; charset="us-ascii"

Is the IP address within a valid range on your network or are we talking
about a foreign IP altogether?

Sounds like someone might have a personal firewall setup on their computer.
You can completely block that host from Internet access in IPTables by using
his mac and ip address. You should find out soon enough who it is when they
call the helpdesk complaining that they have no Internet access.

Depending on your LAN setup you may be able to check your MAC tables on your
switches and narrow down your search from there. You can also see what
manufacturer made the network card (assuming it is not spoofed) here:

http://www.coffer.com/mac_find/


Good luck.

Mark


-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of
desant1@tin.it
Sent: Sunday, November 25, 2007 9:42 AM
To: firewall-wizards@listserv.icsalabs.com
Subject: [fw-wiz] How to find hidden host within LAN

Hi everybody
I'm using RH ES4 with iptables as gateway/firewall for my
LAN.
In the last week I noticed in the iptables logs that a host within
my LAN is doing a lot of traffic.
The destination/source address of the
packets and the used port suggest that this host is using a peer-to-peer
application (emule or similar).
The problem is that I'm not able to
identify this host within my LAN:
I can see his IP address (192.168.x.y) and I can find his MAC address
through ARP, but I can't ping it and there is no host within my LAN
with this MAC address.
I can't traceroute it.
Can someone help me to find this hidden host?


------------------------------

Message: 6
Date: Sun, 25 Nov 2007 11:40:33 -0500 (EST)
From: jseymour@linxnet.com (Jim Seymour)
Subject: Re: [fw-wiz] How to find hidden host within LAN
To: firewall-wizards@listserv.icsalabs.com
Cc: desant1@tin.it
Message-ID: <20071125164033.59D21E158@jimsun.linxnet.com>


"desant1@tin.it" <desant1@tin.it> wrote:
[snip]
> The problem is that I'm not able to
> identify this host within my LAN:
> I can see his IP address (192.168.x.y) and I can find his MAC address
> through ARP, but I can't ping it and there is no host within my LAN
> with this MAC address.
> I can't traceroute it.
> Can someone help me to find this hidden host?

Have you tried traceroute'ing with "-I"? (Use ICMP echo instead of UDP
datagrams.) Tho you said it doesn't ping, so that'll probably not help
you.

You can try nmap'ing it (with -P0, since it doesn't ping) to try to
find out what it is via fingerprinting (with -O).

You could examine your network switches and the like to find out what
port the offending MAC address is seen on.

If all else fails: Simply block it at the firewall. If I see something
misbehaving on my network, and I regard it as a non-threat, I'll simply
take away its connectivity. That usually results in the offending
owner/operator coming to complain to me ;).

Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/contact/scform.php>.
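As an added example (not code from the thread or from any poster), here is a small Python script for the iptables gateway that does what Mark and Jim describe by hand: it ranks LAN hosts in iptables LOG output by bytes per (IP, MAC) pair, so the MAC seen in ARP can be tied to the traffic even when the host answers no ping, and then emits the iptables commands that log and drop that host by both IP and MAC, so its owner surfaces at the helpdesk. The log lines, interface names, addresses and the "FWD" log prefix are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample iptables LOG lines; the kernel's MAC= field is dst-MAC:src-MAC:ethertype.
SAMPLE_LOG = """\
Nov 25 09:40:01 gw kernel: FWD IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:00:1d:60:aa:bb:cc:08:00 SRC=192.168.1.77 DST=203.0.113.10 LEN=1500 PROTO=TCP SPT=33012 DPT=4662
Nov 25 09:40:02 gw kernel: FWD IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:00:1d:60:aa:bb:cc:08:00 SRC=192.168.1.77 DST=198.51.100.7 LEN=1500 PROTO=UDP SPT=4672 DPT=4672
Nov 25 09:40:02 gw kernel: FWD IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:00:0c:29:11:22:33:08:00 SRC=192.168.1.20 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=40110 DPT=80
Nov 25 09:40:03 gw kernel: FWD IN=eth0 OUT=eth1 MAC=00:11:22:33:44:56:00:50:56:de:ad:01:08:00 SRC=203.0.113.10 DST=192.168.1.77 LEN=1500 PROTO=TCP SPT=4662 DPT=33012
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LOG_RE = re.compile(
    rf"IN=(?P<in>\S*) .*?MAC=(?P<dst_mac>{MAC}):(?P<src_mac>{MAC}):\S+ "
    rf"SRC=(?P<src>\S+) DST=(?P<dst>\S+) LEN=(?P<len>\d+)", re.I)

def parse_line(line):
    """Return (in_if, src_mac, src_ip, length) for an iptables LOG line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m["in"], m["src_mac"].lower(), m["src"], int(m["len"])

def top_talkers(lines, lan_if="eth1"):
    """Bytes and packets per (src_ip, src_mac) entering from the LAN side, busiest first."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[0] != lan_if:  # skip junk and Internet-side traffic
            continue
        _, mac, ip, length = parsed
        totals[(ip, mac)][0] += length
        totals[(ip, mac)][1] += 1
    return sorted(((k, b, p) for k, (b, p) in totals.items()),
                  key=lambda t: t[1], reverse=True)

def block_rules(ip, mac, lan_if="eth1", chain="FORWARD"):
    """iptables commands that (rate-limited) log and drop the host by IP *and* MAC.
    DROP is inserted first so the LOG rule inserted afterwards lands above it."""
    match = f"-i {lan_if} -s {ip} -m mac --mac-source {mac}"
    return [
        f"iptables -I {chain} 1 {match} -j DROP",
        f'iptables -I {chain} 1 {match} -m limit --limit 5/min -j LOG --log-prefix "BLOCKED-HOST "',
    ]

if __name__ == "__main__":
    (ip, mac), nbytes, npkts = top_talkers(SAMPLE_LOG.splitlines())[0]
    print(f"top talker {ip} ({mac}): {nbytes} bytes in {npkts} packets")
    print("\n".join(block_rules(ip, mac)))
```

The first three octets of the reported MAC are the vendor prefix to look up, as Mark suggests; the blocked host's hits then show up under the BLOCKED-HOST prefix in the same kernel log.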


------------------------------



End of firewall-wizards Digest, Vol 19, Issue 20
************************************************
