Sunday, November 25, 2007

firewall-wizards Digest, Vol 19, Issue 21

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: How to find hidden host within LAN (Kurt Buff)
2. Re: Opinions wanted... (Kurt Buff)
3. Re: Opinions wanted... (Kurt Buff)
4. Re: How to find hidden host within LAN (mailinglist@krausam.de)
5. Re: Cisco firewall appliance choice (Dan)
6. Re: How to find hidden host within LAN (Avishai Wool)
7. Re: Firewalls that generate new packets.. (Paul D. Robertson)
8. Re: Opinions wanted... (dlang@diginsite.com)


----------------------------------------------------------------------

Message: 1
Date: Sun, 25 Nov 2007 12:42:25 -0800
From: "Kurt Buff" <kurt.buff@gmail.com>
Subject: Re: [fw-wiz] How to find hidden host within LAN
To: "desant1@tin.it" <desant1@tin.it>, "Firewall Wizards Security
Mailing List" <firewall-wizards@listserv.icsalabs.com>
Message-ID:
<a9f4a3860711251242k3fe5ec08k8bd012f2e3653c84@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Nov 25, 2007 6:42 AM, desant1@tin.it <desant1@tin.it> wrote:
> Hi everybody
> I'm using RH ES4 with iptables as gateway/firewall for my
> LAN.
> In the last week I noticed in the iptables logs that a host within
> my LAN is doing a lot of traffic.
> The destination/source address of the
> packets and the used port suggest that this host is using a peer-to-peer
> application (eMule or similar).
> The problem is that I'm not able to
> identify this host within my LAN:
> I can see his IP address (192.168.x.
> y) and I can find his MAC address through ARP, but I can't ping it and
> there is no host within my LAN with this MAC address.
> I can't
> traceroute it.
> Can someone help me to find this hidden host?

Are your switches managed? Can you pin down the MAC address to a switch port?

Is it coming over a wireless connection? If so, can you simply deny
that MAC address and see who complains?

Does that IP address do *anything* else on your LAN, and do you log
other activity, or can you put a network capture utility
(wireshark/tcpdump/other) to record anything else that this host is
talking to? If so, you should be able to note and correlate login
activity with IP address.


------------------------------

Message: 2
Date: Sun, 25 Nov 2007 12:36:10 -0800
From: "Kurt Buff" <kurt.buff@gmail.com>
Subject: Re: [fw-wiz] Opinions wanted...
To: chris@blask.org, "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<a9f4a3860711251236j46bbe75ucf0542d48ee289e6@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Nov 23, 2007 6:54 AM, Chris Blask <chris@blask.org> wrote:
> Hey Kurt!
>
<snip>

> The real answer is "whatever works for you is best", but
> I'll toss my opinions on the plate for what they are worth.
> Keep in mind that I don't actually manage any of these
> things, so others on the list will have more tactical
> thoughts than I do.

That's always the correct answer - but since I have experience with
none of them, and can't peer into the future, I'm asking questions. :)

> o Sidewinder has arguably the "best security" if you can
> figure it out. It's a true security geek's firewall,
> application proxies and roots deep in US gov't use. Still
> popular afaik among military types and hard-core technical
> users.
>
> o Checkpoint can also be as complicated as you like, but
> by nature a simpler firewall with a much larger user base
> and more intended for the Great Unwashed. While I spent a
> decade being their #1 competitor, I have always said that
> anyone would be fine choosing them if they wanted to.
>
> o If you want something reliable and hard to screw up I'd
> recommend PIX (call it ASA if you like), functionally much
> like WG and with all the advantages of being supported by
> The Borg. Your employers are much more likely to find a
> replacement for you who knows Cisco inside out than someone
> who knows Sidewinder, and marginally more so than CP
> (whether you find that to be good or bad is your call...).
>
> I'm rife with biases here, so take it for what it is worth.

Thanks. While I have no opinion on PIX/ASA, due to lack of experience
with them, I wonder about the cost/benefit ratio, as I've found Cisco
equipment usually rather pricier than I wanted for the value received.
And, I'm sure the VARs recommending Checkpoint and Sidewinder have
their own axes to grind as well, but for now those are the two under
consideration, and muddying the waters with Cisco is just going to
slow down the process.

Thanks for the insight.

Kurt


------------------------------

Message: 3
Date: Sun, 25 Nov 2007 12:27:47 -0800
From: "Kurt Buff" <kurt.buff@gmail.com>
Subject: Re: [fw-wiz] Opinions wanted...
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<a9f4a3860711251227hf012796w48a37cdddd7f3c45@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Nov 24, 2007 6:29 AM, ArkanoiD <ark@eltex.net> wrote:
> Because firewall *IS* complex thing to operate.

Of course. As I tell people all the time - Computers are the most
complex things ever devised by mankind, and if you expect to be able
to use them at all effectively without learning a ton, you're setting
yourself up for failure and frustration.

> If you stick to
> "reasonable heuristics and defaults" as Checkpoint offers,
> your firewall is just not operated at all as its configuration
> does represent Checkpoint's view on network security policy, not
> yours. That's why I always say "if Checkpoint is ok for you,
> better get training or outsource your firewall administration
> completely". There are too many configuration issues that are
> far from being transparent and if you care exactly WHAT does
> your firewall do Checkpoint is extremely hard to operate.

Indeed. I'm hoping that my company will get the money together for
training, though if necessary I'll study it on my own - whichever way
it goes, I'll have good experience, and will learn what the company is
willing to invest in keeping me once having learned - the more they
pay for training, the more I'm willing to stay.

The question is more about the differential between Checkpoint and
Sidewinder than any absolute measure of complexity.


------------------------------

Message: 4
Date: Sun, 25 Nov 2007 16:54:49 +0100
From: mailinglist@krausam.de
Subject: Re: [fw-wiz] How to find hidden host within LAN
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <200711251654.49156.mailinglist@krausam.de>
Content-Type: text/plain; charset="iso-8859-15"

> and I can find his MAC address through ARP,
If you use managed switches, you should be able to show the mac-address-table,
and see on which switch and port your filesharer is connected.

> I can't
> traceroute it.
Traceroute only shows hops (routers); if the host is in the same LAN,
traceroute is the same as ping.

> Can someone help me to find this hidden host?
If you have unmanaged switches, and not much traffic, a very simple way would
be to generate some traffic to this host (hping3) and look which switchports
are flashing.
Or the hard way, pull some plugs.

--
Micha Krause

Jabber: SMS-King@jabber.org
Email: Micha@krausam.de


------------------------------

Message: 5
Date: Sun, 25 Nov 2007 22:21:30 +0200
From: Dan <method@b.astral.ro>
Subject: Re: [fw-wiz] Cisco firewall appliance choice
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4749D94A.8000202@b.astral.ro>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Brian Loe wrote:
> If you had a customer with their mind set on replacing their limited
> PIX 505 with another Cisco device, for good or evil, which would you
> go with? I'm not all that well versed with the ASA devices and the
> software restrictions that come with them. In short, unless the price
> difference is huge - and that doesn't appear to be the case - then I
> see no benefit of any ASA over the various 500 series PIXen and an
> unrestricted license (not to include some of the addons that appear to
> be available with the ASAs like AV and IPS). Anyone here have an
> opinion?
>
> The customer is a small office: 50 desktops, 15-20 servers, will be
> using SIP, many peer-to-peer VPNs with customers, uses their PIX for
> remote access for employees.
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>
Hi,


The difference between PIX and ASA is that ASA has some security modules:
AIP SSM (Advanced Inspection and Prevention) and CSC (Content Security
and Control), that PIX doesn't have.
The capabilities for the PIX hardware are:

Connection capabilities for the PIX 515E are as follows:
- Maximum clear-text throughput: 188 Mbps
- Maximum throughput (3DES): 63 Mbps with VAC
- Maximum throughput (3DES): 140 Mbps with VAC+
- Maximum throughput (AES-128): 135 Mbps with VAC+
- Maximum throughput (AES-256): 140 Mbps with VAC+
- Maximum concurrent connections: 130,000
- Maximum concurrent VPN peers: 2000

Connection capabilities for the PIX 525 are as follows:
- Maximum clear-text throughput: 330 Mbps
- Maximum throughput (3DES): 72 Mbps with VAC
- Maximum throughput (3DES): 155 Mbps with VAC+
- Maximum throughput (AES-128): 165 Mbps with VAC+
- Maximum throughput (AES-256): 170 Mbps with VAC+
- Maximum concurrent connections: 280,000
- Maximum concurrent VPN peers: 2000

I think that a 515E could be ok.

------------------------------

Message: 6
Date: Sun, 25 Nov 2007 22:12:04 +0200
From: "Avishai Wool" <yash@acm.org>
Subject: Re: [fw-wiz] How to find hidden host within LAN
To: "desant1@tin.it" <desant1@tin.it>, "Firewall Wizards Security
Mailing List" <firewall-wizards@listserv.icsalabs.com>
Message-ID:
<8a9b1fe30711251212w666da850g82bc04db83c475c@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hi

> The problem is that I'm not able to
> identify this host within my LAN:
> I can see his IP address (192.168.x.
> y) and I can find his MAC address through ARP, but I can't ping it and

if you ping do you get something like "host unknown" (means ethernet
can't find the MAC) or just no answer (he may have a firewall
dropping icmp) ?

> there is no host within my LAN with this MAC address.

that you know of...
FYI, changing MAC addresses is pretty easy, and if the host is a VM
then the internal MAC is totally emulated and software based...

> I can't
> traceroute it.
> Can someone help me to find this hidden host?

I assume you don't have a fancy switch that lets you trace ethernet ports...

if he keeps transmitting, you can try the old "binary search": it's
disruptive but will work: disconnect half your net and check which "side"
he's on. Repeat recursively ...

if your switch is not very dumb, and does not blindly forward every packet
on every port, you may be able to use a sniffer (ethereal) on different sides
of the switch to see where he's coming from(?)

Have fun,
Avishai



--
Avishai Wool, Ph.D., Co-founder and Chief Technical Officer

http://www.algosec.com
******* Firewall Management Made Smarter ******

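As an added example (not from any of the posters), the triage that Kurt, Micha and Avishai describe above carried through in Python: summarise the gateway's iptables LOG lines per internal source, resolve the busiest source to a MAC via the gateway's ARP cache, and map that MAC to a port from a managed switch's mac-address-table, with None wherever the chain breaks (host never ARPed, or an unmanaged switch). The log lines, ARP output and switch table are constructed samples; the `arp -an` layout and the Cisco-style MAC table layout are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data: iptables LOG lines from the gateway, `arp -an`
# on the gateway, and a managed switch's mac-address-table (Cisco-style).
IPTABLES_LOG = """\
Nov 25 06:40:01 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.10.77 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=4662 DPT=4662
Nov 25 06:40:02 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.10.77 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=4662 DPT=4662
Nov 25 06:40:02 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.10.77 DST=203.0.113.44 LEN=52 PROTO=UDP SPT=4672 DPT=4672
Nov 25 06:40:03 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.10.12 DST=192.0.2.80 LEN=60 PROTO=TCP SPT=1055 DPT=80
"""
ARP_TABLE = """\
? (192.168.10.12) at 00:11:22:33:44:55 [ether] on eth1
? (192.168.10.77) at 00:0c:29:ab:cd:ef [ether] on eth1
"""
MAC_TABLE = """\
  10    0011.2233.4455    DYNAMIC     Fa0/3
  10    000c.29ab.cdef    DYNAMIC     Fa0/17
"""

# Only the fields we need; other LOG fields (LEN, TOS, ...) may sit in between.
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+).*?PROTO=(\S+) SPT=\d+ DPT=(\d+)")

def summarize_sources(log_text):
    """Per internal SRC: set of external peers and set of proto/dst-port pairs."""
    stats = defaultdict(lambda: {"peers": set(), "dports": set()})
    for m in LOG_RE.finditer(log_text):
        src, dst, proto, dpt = m.groups()
        stats[src]["peers"].add(dst)
        stats[src]["dports"].add(f"{proto}/{dpt}")
    return stats

def busiest_source(log_text):
    """Internal IP with the most distinct external peers (typical P2P signature)."""
    stats = summarize_sources(log_text)
    return max(stats, key=lambda ip: len(stats[ip]["peers"]))

def normalize_mac(mac):
    """Cisco 000c.29ab.cdef and Linux 00:0c:29:ab:cd:ef both become 000c29abcdef."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def ip_to_mac(arp_text, ip):
    m = re.search(r"\(" + re.escape(ip) + r"\) at ([0-9a-fA-F:]+)", arp_text)
    return normalize_mac(m.group(1)) if m else None

def mac_to_port(mac_table_text, mac):
    """Switch port the MAC was learned on, or None (not seen / unmanaged switch)."""
    for fields in (line.split() for line in mac_table_text.splitlines()):
        if len(fields) >= 4 and normalize_mac(fields[1]) == normalize_mac(mac):
            return fields[3]
    return None

def locate_host(log_text, arp_text, mac_table_text):
    """Chain log -> IP -> MAC -> switch port; None where the chain breaks."""
    ip = busiest_source(log_text)
    mac = ip_to_mac(arp_text, ip)
    return ip, mac, (mac_to_port(mac_table_text, mac) if mac else None)
```

On a real gateway, feed it `grep 'IN=eth1' /var/log/messages`, `arp -an`, and the pasted switch table; a port of None with a valid MAC is the cue for Micha's LED-watching or Avishai's binary search.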

------------------------------

Message: 7
Date: Sun, 25 Nov 2007 16:56:42 -0500 (EST)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: "Bill McGee (bam)" <bam@cisco.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <Pine.LNX.4.44.0711251653490.16056-100000@bat.clueby4.org>
Content-Type: TEXT/Plain; charset=US-ASCII

On Sun, 25 Nov 2007, Bill McGee (bam) wrote:

> Yes, PIX/ASA has a different OS than IOS. That's on purpose. Lots of
> folks have policies which require that their security is different from
> their infrastructure. Of course, we also offer the IOS Firewall, which
> is another Enterprise-Class firewall with full routing functionality.

Come on Bill, that's about the biggest load of revisionist history since
someone tried to hand Checkpoint an award for inventing the firewall! PIX
has a different OS because it was an acquired product - and it started on
a different platform (x86) with a different OS (Phoenix.) While Cisco's
been IOSing it over time it started different because it wasn't a Cisco
product.

> Senior Marketing Manager

Marketing spin? Sheesh!

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

http://www.fluiditgroup.com/blog/pdr/

Art: http://PaulDRobertson.imagekind.com/

------------------------------

Message: 8
Date: Fri, 23 Nov 2007 14:19:01 -0800 (PST)
From: dlang@diginsite.com
Subject: Re: [fw-wiz] Opinions wanted...
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <Pine.LNX.4.63.0711231402290.26009@qynat.qvtvafvgr.pbz>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Fri, 23 Nov 2007, Timothy Shea wrote:

> IMHO - if you haven't used either platform before and only 3 firewalls
> - either solution will require an equal amount of training to
> understand and my guess is that the VAR who is recommending against
> checkpoint will make more money if you buy checkpoint versus sidewinder.

either that or the VAR doesn't understand sidewinder, or only has a few people
who do.

> That being said - for your type of application I would lean toward
> CheckPoint Secure Platform (SPLAT) versus Sidewinder or Checkpoint
> running on Nokia and my reasoning is that I can normally use what ever
> hardware platform my server teams support versus buying an all in one
> appliance solution (checkpoint nokia, sidewinder).

I definitely prefer the more open solution to an appliance, but if you would
actually use the proxies that Sidewinder makes available, the difference in
security is probably worth the decrease in flexibility.

the checkpoint has some application layer checks, but you have to go out of your
way to enable them, and enabling them has a significant impact on the
performance of the box.

the Sidewinder has packet filtering in addition to the proxies, but you have to
go out of your way a little bit to use it (and their training heavily emphasises
the use of proxies, with packet filtering being a last resort)

I just got back from the Sidewinder training and I was happier with it than I've
been with any other vendor training I've been to in quite a while. the training
moves pretty fast, but besides covering the 'here's how to navigate the GUI'
basics that all vendors cover, they go a lot more in depth about what's
happening, and how to troubleshoot when things don't work. for me this wasn't
new but it was a good solid, but fast introduction to things (if the class moves
fast enough they have a 2 hour lab on tcpdump in the lesson plans for example)

David Lang

> t.s
>
> On Nov 21, 2007, at 10:40 AM, Kurt Buff wrote:
>
>> All,
>>
>> I've been working with Watchguards at my current employer for quite a
>> while, but we're looking to replace them.
>>
>> We've received a recommendation from one firm for Sidewinders (a 410
>> and a couple of 110s for the branch offices).
>>
>> We've received a recommendation against the Sidewinders from another
>> firm saying that they are too complex to manage easily, and require
>> extensive training to understand - they recommend Checkpoint instead.
>>
>> Neither seems to be completely out of our price range, so it would
>> seem to come down to concerns regarding initial implementation and
>> ongoing management.
>>
>> Are the Sidewinders that much more complex than Checkpoints?
>>
>> Is one "better" (for whatever that might mean to you) than the other -
>> that is, if you have experience with both, which would you prefer, and
>> why?
>>
>> I, of course, am excited to be learning a new platform, and want to
>> move away from some of the quirkiness of the ancient Fireboxes we
>> have, but want to make a reasonable recommendation to management.
>>
>>
>> Thanks,
>>
>> Kurt


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 19, Issue 21
************************************************
