Friday, November 09, 2007

firewall-wizards Digest, Vol 19, Issue 3

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. CanSecWest 2008 CFP (deadline Nov 30, conf Mar 26-28) and
PacSec Dojo's (Dragos Ruiu)
2. Re: NAT order help (kevin horvath)
3. Re: 2nd Life (Brian Loe)
4. Re: NAT order help (Avishai Wool)
5. Re: 2nd Life (Paul D. Robertson)
6. Re: 2nd Life (Keith A. Glass)
7. Re: NAT order help (kevin horvath)


----------------------------------------------------------------------

Message: 1
Date: Thu, 8 Nov 2007 21:23:17 -0700
From: Dragos Ruiu <dr@kyx.net>
Subject: [fw-wiz] CanSecWest 2008 CFP (deadline Nov 30, conf Mar
26-28) and PacSec Dojo's
To: firewall-wizards@honor.icsalabs.com
Message-ID: <200711082023.18196.dr@kyx.net>
Content-Type: text/plain; charset="us-ascii"

I'd like to congratulate Adam Laurie for winning the second Powerbook
from the Pwn_to_Own contest as the prize for the best speaker rated
by the audience for his presentation on RFID at CanSecWest 2007.
We will have a similar prize for the best speaker at CanSecWest 2008,
prize TBD (but we promise it will be cool - depending on what we find
trawling through the electronics shops in Akihabara this year :).

**

The Security Masters Dojo courses available at PacSec in Tokyo
on November 27/28 2007 have been updated. The final list is:

Ultimate Web Hacking - Yeng-Min Chen (Japanese)
Reverse Engineering - Yuji Ukai (Japanese)
The Exploit Laboratory - Saumil Shah (English)
Advanced Honeypot Tactics - Thorsten Holz (English)
Advanced Linux Hardening - Andrea Barisani (English)
Bugfinding with the Immunity Debugger - Nicolas Waisman & Kostya
Kortchinski (English)
Practical 802.11 Wi-Fi (In)Security - Cedric Blancher (English)

**

CanSecWest 2008 CALL FOR PAPERS

VANCOUVER, Canada -- The ninth annual CanSecWest applied technical
security conference - where the eminent figures in the
international security industry will get together to share best
practices and technology - will be held in downtown Vancouver at
the Marriott Renaissance Harbourside on March 26-28, 2008. The
most significant new discoveries about computer network hack
attacks and defenses, commercial security solutions, and pragmatic
real world security experience will be presented in a series of
informative tutorials.

The CanSecWest meeting provides international researchers a
relaxed, comfortable environment to learn from informative
tutorials on key developments in security technology, and
collaborate and socialize with their peers in one of the world's
most scenic cities - a short drive away from one of North
America's top skiing areas.

The CanSecWest conference will also feature the availability of
the Security Masters Dojo expert network security sensei
instructors, and their advanced, and intermediate, hands-on
training courses - featuring small class sizes and practical
application exercises to maximize information transfer.

We would like to announce the opportunity to submit papers, and/or
lightning talk proposals for selection by the CanSecWest technical
review committee. This year we will be doing one hour talks, and
some shorter 20/30 minute talk sessions.

Please make your paper proposal submissions before November 30th,
2007.

Some invited papers have been confirmed, but a limited number of
speaking slots are still available. The conference is responsible
for travel and accommodations for the speakers. If you have a
proposal for a tutorial session then please email a synopsis of
the material and your biography, papers, and speaking background
to _secwest08_@cansecwest.com (please remove _'s). Only
slides will be needed for the March paper deadline, full text does
not have to be submitted - but will be accepted if available.

The CanSecWest 2008 conference consists of tutorials on technical
details about current issues, innovative techniques and best
practices in the information security realm. The audiences are a
multi-national mix of professionals involved on a daily basis with
security work: security product vendors, programmers, security
officers, and network administrators. We give preference to
technical details and new education for a technical audience.

The conference itself is a single track series of presentations in
a lecture theater environment. The presentations offer speakers
the opportunity to showcase on-going research and collaborate with
peers while educating and highlighting advancements in security
products and techniques. The focus is on innovation, tutorials,
and education instead of product pitches. Some commercial content
is tolerated, but it needs to be backed up by a technical
presenter - either giving a valuable tutorial and best practices
instruction or detailing significant new technology in the
products.

Paper proposals should consist of the following information:
1. Presenter, and geographical location (country of
origin/passport) and contact info (e-mail, postal address,
phone, fax).
2. Employer and/or affiliations.
3. Brief biography, list of publications and papers.
4. Any significant presentation and educational
experience/background.
5. Topic synopsis, Proposed paper title, and a one paragraph
description.
6. Reason why this material is innovative or significant or an
important tutorial.
7. Optionally, any samples of prepared material or outlines
ready.
8. Will you have full text available or only slides?
9. Please list any other publications or conferences where this
material has been or will be published/submitted.

Please include the plain text version of this information in your
email as well as any file, pdf, sxw, ppt, or html attachments.

Please forward the above information to _secwest08_@cansecwest.com
(remove _'s) to be considered for placement on the speaker
roster, or have your lightning talk scheduled.

You can find more information at:
http://pacsec.jp and http://cansecwest.com

The Vancouver Dojos will be held on March 24/25 and will
be announced shortly.

cheers.
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan November 29/30 - 2007

http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp


------------------------------

Message: 2
Date: Thu, 8 Nov 2007 10:30:47 -0500
From: "kevin horvath" <kevin.horvath@gmail.com>
Subject: Re: [fw-wiz] NAT order help
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<5c41be6e0711080730s3b47d7b5i210464f65092e44b@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

static

On Nov 6, 2007 5:32 AM, sivakumar <siva_itech@yahoo.com> wrote:
>
> Hi,
>
> access-list rule1 permit tcp 10.0.0.0 255.0.0.0 host 1.1.1.1
>
> static (inside,outside) 1.1.1.2 access-list rule1 0 0
> static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
>
> Please tell me which statement will take precedence - policy NAT or Static
> NAT..
>
> --
> View this message in context: http://www.nabble.com/NAT-order-help-tf4737610.html#a13548213
> Sent from the Firewall Wizards mailing list archive at Nabble.com.
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>


------------------------------

Message: 3
Date: Thu, 8 Nov 2007 09:47:00 -0600
From: "Brian Loe" <knobdy@gmail.com>
Subject: Re: [fw-wiz] 2nd Life
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<3c4611bc0711080747g76a05026j3b29a9a1f4db1570@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

On Nov 6, 2007 3:49 PM, DRISCOLL, ROBERT <ROBDRI@safeco.com> wrote:

> Hello,
>
> I wanted to get some feedback on a request to allow Second Life through
> our network. I was hoping that perhaps someone has experience with this
> application and can let me know what steps they took to mitigate the risks.
>

I'm sorry I can't offer any technical advice on this subject but I am dying
to know what the possible business purpose for such access is?! If your
posting e-mail address is an indication of the company you're doing this
for... well, I'll keep that in mind when it comes to my next insurance
purchase (I like the teensurance idea)!

I'd feel bad if you got in trouble using your company e-mail address when
posting here, and especially posting such comments. However, if you do get
in trouble I think you'll have grounds for a lawsuit - after all, they would
be recognizing the problem of you letting it be known that they have games
running on their network which means they'd be recognizing how bad of an
idea such access is. Unless, of course, there's some very interesting
business need for it.


------------------------------

Message: 4
Date: Fri, 9 Nov 2007 15:58:21 +0200
From: "Avishai Wool" <yash@acm.org>
Subject: Re: [fw-wiz] NAT order help
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<8a9b1fe30711090558g736ab630m6fbe09ede13a814@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

sivakumar

first, AFAIK they are not in conflict since the translate-from
address is different (10.0.0.0 != 1.1.1.2), so the order is irrelevant (?)

second, I think they are processed in order

google for "cisco pix command reference" and follow the
links to your pix version - I looked at
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s8_72.html#wp1202525

for ASA 7.2

HTH,
Avishai

On 11/6/07, sivakumar <siva_itech@yahoo.com> wrote:
>
> Hi,
>
> access-list rule1 permit tcp 10.0.0.0 255.0.0.0 host 1.1.1.1
>
> static (inside,outside) 1.1.1.2 access-list rule1 0 0
> static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
>
> Please tell me which statement will take precedence - policy NAT or Static
> NAT..
>
> --
> View this message in context: http://www.nabble.com/NAT-order-help-tf4737610.html#a13548213
> Sent from the Firewall Wizards mailing list archive at Nabble.com.
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>


--
Avishai Wool, Ph.D., Co-founder and Chief Technical Officer

http://www.algosec.com
******* Firewall Management Made Smarter ******


------------------------------

Message: 5
Date: Fri, 9 Nov 2007 09:04:43 -0500 (EST)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] 2nd Life
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0711090901060.1467-100000@bat.clueby4.org>
Content-Type: TEXT/Plain; charset=US-ASCII

On Tue, 6 Nov 2007, DRISCOLL, ROBERT wrote:

> Hello,
>
> I wanted to get some feedback on a request to allow Second Life through
> our network. I was hoping that perhaps someone has experience with this
> application and can let me know what steps they took to mitigate the
> risks.
>
> Management is pushing pretty hard for this and they have persuaded our
> Risk Management group to move forward with a possible solution. So
> simply denying this is not an option.

I've always been a big fan of "walk your behind over to that PC in the
corner that's not on the internal network to do that thing I don't like."

>
> I was hoping to use a bastion host setup behind a firewall, running
> either Citrix or Remote Desktop. But I haven't tested network
> performance for the client application or performance issues with
> multiple users accessing the same machine.

Make them budget one extra machine per user, that way it'll be easy to
implement and they'll get to do a cost/benefit analysis too.

>
> Of course direct client access appears to be a gaping hole as second
> life requires...
> TCP/443
> TCP/12043
> UDP/12035-12036
> UDP/13000-13050
>
> Then depending on whether or not we are forced to allow voice traffic
> through
> TCP/80
> TCP/443
> TCP/21002
> UDP/12000-13000
> UDP/5060
> UDP/5062

At that point, what's the reason for having a firewall?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

http://www.fluiditgroup.com/blog/pdr/

------------------------------

Message: 6
Date: Fri, 09 Nov 2007 15:06:21 +0000
From: "Keith A. Glass" <salgak@speakeasy.net>
Subject: Re: [fw-wiz] 2nd Life
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>, "Firewall Wizards Security
Mailing List" <firewall-wizards@listserv.icsalabs.com>
Message-ID: <W20573492761521194620781@webmail2>
Content-Type: text/plain; charset="iso-8859-1"

> -----Original Message-----
> From: Brian Loe [mailto:knobdy@gmail.com]
> Sent: Thursday, November 8, 2007 03:47 PM
> To: 'Firewall Wizards Security Mailing List'
> Subject: Re: [fw-wiz] 2nd Life

> I'm sorry I can't offer any technical advice on this subject but I am dying
> to know what the possible business purpose for such access is?! If your
> posting e-mail address is an indication of the company you're doing this
> for... well, I'll keep that in mind when it comes to my next insurance
> purchase (I like the teensurance idea)!

It's currently trendy for companies to establish a presence in Second Life for their company. That requires access to the game, etc. I think it's a waste of time and effort, but for some reason, the press is in love with Second Life. And so, to generate good press, some outfits establish a presence there.

Think of it as WOW for Accountants (evil grin)


------------------------------

Message: 7
Date: Fri, 9 Nov 2007 10:17:48 -0500
From: "kevin horvath" <kevin.horvath@gmail.com>
Subject: Re: [fw-wiz] NAT order help
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<5c41be6e0711090717kf8a1ebcq5e5d0f3cb93b65a4@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

> first, AFAIK they are not in conflict since the translate-from
> address is different (10.0.0.0 != 1.1.1.2), so the order is irrelevant (?)

They are. The access list for static PAT stipulates the 10 net just
as the static NAT does. Static NAT wins over static PAT.

>
> second, I think they are processed in order

You are thinking as if it's an access list (permit or deny), but it
works more like routing, where the more specific statement wins if they
are the same type of translation. Since they aren't, and one is static
NAT, it takes precedence.

NOTE: I haven't worked on the ASA, just a lot with the PIX, but it should
be the same; maybe not, so please go to CCO to verify. If you have
a lab, the best way to learn is to just test it out if unsure.

The order of operation for the PIX (which should be the same for the ASA,
since I believe they use the same code base) is as follows:

Order of NAT Commands Used to Match Local Addresses (I could only find
this for PIX 6.3, so it could possibly have changed since then)

The firewall matches local traffic to NAT commands in the following order:

1. nat 0 access-list (NAT exemption) - In order, until the first match.
For example, you could have overlapping local/destination addresses in
multiple nat commands, but only the first command is matched.

2. static (static NAT) - In order, until the first match. Because you
cannot use the same local address in static NAT or static PAT
commands, the order of static commands does not matter. Similarly, for
static policy NAT, you cannot use the same local/destination address
and port across multiple statements.

3. static {tcp | udp} (static PAT) - In order, until the first match.
Because you cannot use the same local address in static NAT or static
PAT commands, the order of static commands does not matter. Similarly,
for static policy NAT, you cannot use the same local/destination
address and port across multiple statements.

4. nat nat_id access-list (policy NAT) - In order, until the first
match. For example, you could have overlapping local/destination ports
and addresses in multiple nat commands, but only the first command is
matched.

5. nat (regular NAT) - Best match. The order of the NAT commands does
not matter. The nat statement that best matches the local traffic is
used. For example, you can create a general statement to translate all
addresses (0.0.0.0) on an interface. If you also create a statement to
translate only 10.1.1.1, when 10.1.1.1 makes a connection, the
specific statement for 10.1.1.1 is used because it matches the local
traffic best.

On Nov 9, 2007 8:58 AM, Avishai Wool <yash@acm.org> wrote:
> sivakumar
>
> first, AFAIK they are not in conflict since the translate-from
> address is different (10.0.0.0 != 1.1.1.2), so the order is irrelevant (?)
>
> second, I think they are processed in order
>
> google for "cisco pix command reference" and follow the
> links to your pix version - I looked at
> http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s8_72.html#wp1202525
>
> for ASA 7.2
>
> HTH,
> Avishai
>
> On 11/6/07, sivakumar <siva_itech@yahoo.com> wrote:
> >
> > Hi,
> >
> > access-list rule1 permit tcp 10.0.0.0 255.0.0.0 host 1.1.1.1
> >
> > static (inside,outside) 1.1.1.2 access-list rule1 0 0
> > static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
> >
> > Please tell me which statement will take precedence - policy NAT or Static
> > NAT..
> >
> > --
> > View this message in context: http://www.nabble.com/NAT-order-help-tf4737610.html#a13548213
> > Sent from the Firewall Wizards mailing list archive at Nabble.com.
> >
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards@listserv.icsalabs.com
> > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> >
>
>
> --
> Avishai Wool, Ph.D., Co-founder and Chief Technical Officer
>
> http://www.algosec.com
> ******* Firewall Management Made Smarter ******
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
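To make the five-tier match order quoted in the message above concrete, here is an added example written for this page; it is not Cisco's code and not something posted in the thread. It reduces each NAT statement to a local network, an optional destination network (for the access-list forms) and an optional protocol/port (for static PAT), then walks the tiers in the documented order: tiers 1 to 4 first-match in configuration order, tier 5 best match by most specific local network. The configuration lines and the flows are constructed for the example, and the config is deliberately ordered so that configuration order and tier order disagree.

```python
"""Simulator of the PIX 6.3 NAT match order quoted above (added example).

Not Cisco's implementation: each statement is reduced to the fields the
documented order actually consults. Configuration lines are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Tier numbers follow the quoted "Order of NAT Commands Used to Match
# Local Addresses"; a lower tier is consulted first.
TIERS = {
    "nat0-acl":   1,  # nat 0 access-list        (NAT exemption)
    "static":     2,  # static                   (static NAT)
    "static-pat": 3,  # static {tcp | udp}       (static PAT)
    "policy-nat": 4,  # nat nat_id access-list   (policy NAT)
    "nat":        5,  # nat                      (regular NAT, best match)
}


@dataclass
class NatCmd:
    """One NAT statement, reduced to the fields the match order cares about."""
    kind: str                    # key of TIERS
    local: str                   # local (translate-from) network, CIDR
    dest: Optional[str] = None   # destination network for access-list forms
    proto: Optional[str] = None  # "tcp"/"udp" for static PAT
    sport: Optional[int] = None  # local port for static PAT
    text: str = ""               # the constructed config line, for display

    def matches(self, src: str, dst: str, proto: str, sport: int) -> bool:
        if ip_address(src) not in ip_network(self.local):
            return False
        if self.dest is not None and ip_address(dst) not in ip_network(self.dest):
            return False
        if self.proto is not None and (proto, sport) != (self.proto, self.sport):
            return False
        return True


def select_nat(cmds: List[NatCmd], src: str, dst: str,
               proto: str = "tcp", sport: int = 0) -> Optional[NatCmd]:
    """Return the statement the quoted order picks for a local flow, or None."""
    for tier in range(1, 6):
        # cmds is kept in configuration order, so this list is too
        hits = [c for c in cmds
                if TIERS[c.kind] == tier and c.matches(src, dst, proto, sport)]
        if not hits:
            continue
        if tier < 5:
            return hits[0]          # first match in configuration order
        # Regular NAT: best match. The most specific local network wins,
        # regardless of where it sits in the configuration.
        return max(hits, key=lambda c: ip_network(c.local).prefixlen)
    return None


# Constructed configuration (not from the thread). The catch-all regular
# nat comes first and the NAT exemption last on purpose.
CONFIG = [
    NatCmd("nat", "0.0.0.0/0", text="nat (inside) 1 0.0.0.0 0.0.0.0"),
    NatCmd("static", "10.2.0.0/16",
           text="static (inside,outside) 10.2.0.0 10.2.0.0 netmask 255.255.0.0"),
    NatCmd("policy-nat", "10.0.0.0/8", dest="1.1.1.1/32",
           text="nat (inside) 3 access-list rule1"),
    NatCmd("nat0-acl", "10.2.5.0/24", dest="192.168.0.0/16",
           text="nat (inside) 0 access-list nonat"),
    NatCmd("static-pat", "10.3.0.9/32", proto="tcp", sport=25,
           text="static (inside,outside) tcp 1.1.1.9 25 10.3.0.9 25"),
    NatCmd("nat", "10.1.1.1/32", text="nat (inside) 2 10.1.1.1 255.255.255.255"),
]


if __name__ == "__main__":
    flows = [
        ("10.1.1.1", "8.8.8.8", "tcp", 0),      # tier 5: /32 beats 0.0.0.0
        ("10.2.5.7", "192.168.1.1", "tcp", 0),  # tier 1 exemption beats static
        ("10.2.5.7", "8.8.8.8", "tcp", 0),      # tier 2 static
        ("10.3.0.1", "1.1.1.1", "tcp", 0),      # tier 4 policy NAT
        ("10.3.0.9", "8.8.8.8", "tcp", 25),     # tier 3 static PAT
        ("10.3.0.9", "8.8.8.8", "tcp", 80),     # falls through to tier 5
    ]
    for src, dst, proto, sport in flows:
        hit = select_nat(CONFIG, src, dst, proto, sport)
        print(f"{src:>9} -> {dst:<12} {hit.text if hit else 'no translation'}")
```

The point the walk-through makes is the one Kevin's reply draws: statement type decides first, and only within a type does configuration order (tiers 1 to 4) or specificity (tier 5) come into play. Verify against the command reference for your own software version before relying on it, as the quoted list is for PIX 6.3.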

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 19, Issue 3
***********************************************
