
Monday, November 12, 2007

firewall-wizards Digest, Vol 19, Issue 8

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: 2nd Life (ArkanoiD)
2. Re: 2nd Life (Dave Piscitello)
3. Re: 2nd Life (DRISCOLL, ROBERT)
4. Pix Inbound NAT (sivakumar)
5. Re: NAT order help (Avishai Wool)


----------------------------------------------------------------------

Message: 1
Date: Sun, 11 Nov 2007 17:14:26 +0300
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] 2nd Life
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Cc: "Paul D. Robertson" <paul@compuwar.net>
Message-ID: <20071111141426.GA6174@eltex.net>
Content-Type: text/plain; charset=koi8-r

I bet there are hundreds of people in those companies who would certainly
bring much more benefit if they played WoW.

On Sat, Nov 10, 2007 at 02:21:50PM -0500, R. DuFresne wrote:
> >
> >> I, for one, hope the insurance company in question is not one with
> >> which I'm insured, not the one in which I hold stock, and not one in
> >> which my 401k is invested. If I found it was any of those, it would
> >> quickly become *not* one of those.
> >
> > I'll take the opposite tack- I'd rather my insurance companies *did* ask
> > here (and were looking at at least limiting it to some sort of terminal
> > service) rather than just opening things up to the world without asking
> > anyone. Who knows what the ones who don't know/care about the risks are
> > doing?
>
>
>
> Any of you out there with companies willing to hire me to play WOW all
> day, I'm certainly interested. And willing to telecommute to lower costs
> all around.
>
> Thanks,
>
> Ron DuFresne
> - --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> admin & senior security consultant: sysinfo.com
> http://sysinfo.com
> Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
>
> ...We waste time looking for the perfect lover
> instead of creating the perfect love.
>
> -Tom Robbins <Still Life With Woodpecker>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
>
> iD8DBQFHNgTRst+vzJSwZikRAnwPAKDYIetsSVVgGyVkRpcmxH1vkjuZsgCbBNZF
> 4Xv2WdMUSp9eKc/cANlO+ac=
> =hwwY
> -----END PGP SIGNATURE-----
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>

------------------------------

Message: 2
Date: Mon, 12 Nov 2007 10:01:44 -0500
From: Dave Piscitello <dave@corecom.com>
Subject: Re: [fw-wiz] 2nd Life
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <47386AD8.6090404@corecom.com>
Content-Type: text/plain; charset="iso-8859-1"

Did I respond to this?

2nd-life is the contrapositive of what I look for in a virtual world. I
want to escape to a fantasy world that's different from the real world.
2nd-lifers seem like a copy of this world where you have more control
and influence.

I'd rather be a toon in World of Warcraft:-)

Scott Pinzon wrote:
> I don't know if there is any room left to question management's decision
> to enter Second Life, but I found Wired's recent article eye-opening.
> Coca-Cola spent a lot to build a sizable "Virtual Thirst Pavilion" in
> Second Life.... and according to Wired, had 27 individual visitors in 3
> months. For more in a similar vein, check out "How Madison Avenue is
> Wasting Millions on a Deserted Second Life."
> http://www.wired.com/techbiz/media/magazine/15-08/ff_sheep?currentPage=all
>
> Apologies for not answering the technical question, but I'm with those
> who are asking "Why does an insurance company need Second Life?" If it
> can be used to cut travel costs by virtual conferencing, okay. But if
> they think they're getting massive exposure to potential customers,
> maybe the place should be called Second Thought.
>
> *D. Scott Pinzon, CISSP, NSA-IAM*
> Editor-in-Chief, LiveSecurity Service
> WatchGuard Technologies, Inc.
>
>
>
> ------------------------------------------------------------------------
> *From:* firewall-wizards-bounces@listserv.icsalabs.com
> [mailto:firewall-wizards-bounces@listserv.icsalabs.com] *On Behalf
> Of *Bonny_Allen@doh.state.fl.us
> *Sent:* Friday, November 09, 2007 8:06 AM
> *To:* firewall-wizards@listserv.cybertrust.com
> *Subject:* Re: [fw-wiz] 2nd Life
>
> I second that, Timothy. It's obvious the poster "knobody" is unaware
> of the current trend, right or wrong, to perceive SL as a likely
> business tool - IMHO a parallel to all the politicians using MySpace
> and Facebook to attempt to reach voters. I am aware of
> industries that are using it to recruit and businesses that use it
> to conduct job interviews.
>
> It is always good to Google if one finds oneself lacking knowledge
> about, say "possible business uses of Second Life" before publicly
> making off-the-cuff negative (and kinda nasty to boot) remarks about
> another person's place of business. Examples I found:
>
>
> http://www.digitalfutureblog.org.nz/digital-strategy-v2/using-second-life-as-a-business-tool/
>
> http://blog.worldvillage.com/games/a_second_life_quick_start_powerful_business_tools_for_the_sl_newcomer.html
>
> Best,
>
> - Bonny
>
>
>
>
>
> ------------------------------------------------------------------------
> *From:* firewall-wizards-bounces@listserv.cybertrust.com
> [mailto:firewall-wizards-bounces@listserv.cybertrust.com] *On Behalf
> Of *Timothy Shea
> *Sent:* Friday, November 09, 2007 9:44 AM
> *To:* Firewall Wizards Security Mailing List
> *Subject:* Re: [fw-wiz] 2nd Life
>
> Your comments are troubling. What possible reason do you have to
> put down another organization or a person based on something you
> don't like? The guy is trying to do a job and your comments are
> helpful.
>
> I have worked for companies that have valid business reasons for all
> sorts of stupid and lame things. In the case of Second Life - one
> of the organizations I helped out in the last year had a
> marketing presence on Second Life. I have helped out or worked for
> organizations that an approved segment of the user base actively
> cruised porn sites. Why? Because many of their best customers
> operated such sites (always paid on time and usually in cash).
>
> So please spare us your moral outrage.
>
> t.s
>
>
> On Nov 8, 2007, at 9:47 AM, Brian Loe wrote:
>
>>
>>
>> On Nov 6, 2007 3:49 PM, DRISCOLL, ROBERT <ROBDRI@safeco.com
>> <mailto:ROBDRI@safeco.com>> wrote:
>>
>> Hello,
>>
>> I wanted to get some feedback on a request to allow Second
>> Life through our network. I was hoping that perhaps someone
>> has experience with this application and can let me know what
>> steps they took to mitigate the risks.
>>
>>
>> I'm sorry I can't offer any technical advice on this subject but I
>> am dying to know what the possible business purpose for such
>> access is?! If your posting e-mail address is an indication of the
>> company you're doing this for... well, I'll keep that in mind when
>> it comes to my next insurance purchase (I like the teensurance idea)!
>>
>> I'd feel bad if you got in trouble using your company e-mail
>> address when posting here, and especially posting such comments.
>> However, if you do get in trouble I think you'll have grounds for
>> a lawsuit - after all, they would be recognizing the problem of
>> you letting it be known that they have games running on their
>> network which means they'd be recognizing how bad of an idea such
>> access is. Unless, of course, there's some very interesting
>> business need for it.
>> _______________________________________________
>> firewall-wizards mailing list
>> firewall-wizards@listserv.icsalabs.com
>> <mailto:firewall-wizards@listserv.icsalabs.com>
>> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dave.vcf
Type: text/x-vcard
Size: 220 bytes
Desc: not available
Url : https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20071112/e314c961/attachment-0001.bin


------------------------------

Message: 3
Date: Sun, 11 Nov 2007 22:27:50 -0800
From: "DRISCOLL, ROBERT" <ROBDRI@SAFECO.com>
Subject: Re: [fw-wiz] 2nd Life
To: <firewall-wizards@listserv.icsalabs.com>,
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <EC2E6563897D7943A9CB1143B9243EA003E9B293@psmrdcex17.psm.pin.safeco.com>
Content-Type: text/plain; charset="us-ascii"

An HTML attachment was scrubbed...
URL: https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20071111/f02a49e8/attachment-0001.html


------------------------------

Message: 4
Date: Mon, 12 Nov 2007 01:57:30 -0800 (PST)
From: sivakumar <siva_itech@yahoo.com>
Subject: [fw-wiz] Pix Inbound NAT
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <13547961.post@talk.nabble.com>
Content-Type: text/plain; charset=us-ascii


Hi,

I just want to allow flows from Outside to Inside on PIX ver 6.3. I'm
totally confused since it doesn't allow me to perform the operation. Please
check the configs below and guide me if it's wrong.

interface inside security level 100
interface outside security level 60

access-list out2in permit tcp 1.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-group out2in in interface inside

nat (inside) 0 access-list out2in outside ----> is that "outside" required, and
can you tell me why it is used?

And further, should I apply this to my Outside interface or Inside
interface? I want the addresses to be sent as such, without NATting, to my
internal network.

--
View this message in context: http://www.nabble.com/Pix-Inbound-NAT-tf4737527.html#a13547961
Sent from the Firewall Wizards mailing list archive at Nabble.com.

------------------------------

Message: 5
Date: Mon, 12 Nov 2007 00:09:02 +0200
From: "Avishai Wool" <yash@acm.org>
Subject: Re: [fw-wiz] NAT order help
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<8a9b1fe30711111409t3ba70e66r6c9709244f23c8b1@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On 11/9/07, kevin horvath <kevin.horvath@gmail.com> wrote:
> > first, AFAIK they are not in conflict since the translate-from
> > address is different (10.0.0.0 != 1.1.1.2), so the order is irrelevant (?)
>
> they are. the access list for static pat stipulates the 10 net just
> as the static nat. Static nat wins over static pat.

well, actually, according to the cisco jargon at
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s8_72.html#wp1202525

these are BOTH "static nat" - the 2nd one is regular old
static nat and the 1st, with the access-list, is called "policy nat".
to qualify for the term "static pat" you would need the extra "tcp" or "udp"
keyword just after the (inside,outside).

>
> >
> > second, I think they are processed in order
>
> You are thinking as if its an access list (permit or deny) but it
> works more like routing where the more specific statement wins if they
> are the same type of translation. Since they aren't and one is static
> nat then it has more precedence.

[snip - they are both the same type so I think the nat precedence
rules you listed
are not too relevant]

I still say the statements seem non-conflicting, because the "mapped_ip"
[the IP address right after the (inside,outside)] is different. Reading
the Cisco docs, my understanding is that if a packet comes into the PIX
with an ip.destination of "mapped_ip" (or in the "mapped_ip" subnet)
then the PIX translates that ip.destination
to what the "static" command tells it to - namely the "real_ip" in
regular static nat.

In sivakumar's example, the mapped_ip is 1.1.1.2 in the 1st static,
and 10.0.0.0 in the 2nd, so there is no conflict. Am I wrong?

However, I am confused about one thing in the policy nat. Here is the example:

access-list rule1 permit tcp 10.0.0.0 255.0.0.0 host 1.1.1.1
static (inside,outside) 1.1.1.2 access-list rule1 0 0

instead of just a real_ip subnet (as in the regular static),
the access-list in fact
has a subnet in the source field (10.0.0.0/8) and ANOTHER subnet in the
destination field (1.1.1.1/32)... so when a packet comes into the PIX
with ip.dest=1.1.1.2, how is it translated? using the source (10.0.0.0) or
the destination (1.1.1.1) in the ACL?

moreover, let's assume that the translate-to ip is the ACL's destination
(1.1.1.1 in this example) - what does the OTHER (source)
field do?

Can any PIX mavens out there shed some light?

PIXes are so weird.

Avishai
>
> >
> > On 11/6/07, sivakumar <siva_itech@yahoo.com> wrote:
> > >
> > > Hi,
> > >
> > > access-list rule1 permit tcp 10.0.0.0 255.0.0.0 host 1.1.1.1
> > >
> > > static (inside,outside) 1.1.1.2 access-list rule1 0 0
> > > static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
> > >
> > > Please tell me which statement will take precedence - policy NAT or Static
> > > NAT..
> > >
> > > --
> > > View this message in context: http://www.nabble.com/NAT-order-help-tf4737610.html#a13548213
> > > Sent from the Firewall Wizards mailing list archive at Nabble.com.
> > >
> > > _______________________________________________
> > > firewall-wizards mailing list
> > > firewall-wizards@listserv.icsalabs.com
> > > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> > >
> >
> >
> > --
> > Avishai Wool, Ph.D., Co-founder and Chief Technical Officer
> > http://www.algosec.com
> > ******* Firewall Management Made Smarter ******
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards@listserv.icsalabs.com
> > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> >
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>


--
Avishai Wool, Ph.D., Co-founder and Chief Technical Officer

http://www.algosec.com
******* Firewall Management Made Smarter ******
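The point Avishai makes above (and the ordering question sivakumar asked in the quoted post) turns on one thing: which *mapped* address each static claims, the address right after "(inside,outside)". The following is an added example, not code from the list or from Cisco: a small Python checker that parses PIX 6.3-style `static` lines and the extended access-lists that policy statics reference, prints what each translation does, and reports any two statics whose mapped ranges overlap. The sample config is the thread's three lines (with "ouside" spelled correctly); the second, conflicting config is constructed for contrast. Assumptions are stated in comments: a policy static's ACL source is read as the real address and its destination as the peer that must be on the far end (Cisco's policy-NAT semantics), a static without `netmask` is read as a single host, and each policy ACL is expected to hold exactly one `permit` entry. This is a reading aid for the config text, not a model of the PIX translation engine or its precedence rules.

```python
"""Added example: check PIX 6.3-style 'static' lines for overlapping
mapped addresses. Not Cisco code; a reading aid for config fragments."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the three lines quoted in the thread, with
# "ouside" corrected so the interface pair parses.
SAMPLE_CONFIG = """
access-list rule1 permit tcp 10.0.0.0 255.0.0.0 host 1.1.1.1
static (inside,outside) 1.1.1.2 access-list rule1 0 0
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
"""

# Constructed counter-example (assumed, not from the thread): a regular
# static whose mapped /24 contains the policy static's mapped host.
CONFLICTING_CONFIG = SAMPLE_CONFIG + """
static (inside,outside) 1.1.1.0 192.168.1.0 netmask 255.255.255.0 0 0
"""

_STATIC = re.compile(
    r"^static\s*\((?P<rifc>[^,]+),(?P<mifc>[^)]+)\)\s+(?P<mapped>\S+)\s+(?P<rest>.*)$"
)


@dataclass
class Static:
    kind: str                                 # "regular" or "policy"
    mapped: ipaddress.IPv4Network             # address seen from the mapped side
    real: ipaddress.IPv4Network               # inside address it translates to
    peer: Optional[ipaddress.IPv4Network]     # policy NAT only: ACL destination
    acl: Optional[str]
    line: str


def _net(tokens, i):
    """Consume one PIX address spec ('any', 'host X', or 'X MASK') at
    tokens[i]; return (network, index of the next token)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX access-lists use real subnet masks, not IOS-style wildcards.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _parse_static(line, acls):
    m = _STATIC.match(line)
    if not m:
        raise ValueError(f"unparsable static: {line}")
    rest = m["rest"].split()
    # Assumption: no 'netmask' keyword means a single mapped host.
    mask = rest[rest.index("netmask") + 1] if "netmask" in rest else "255.255.255.255"
    mapped = ipaddress.ip_network(f"{m['mapped']}/{mask}", strict=False)
    if rest[0] == "access-list":
        name = rest[1]
        if len(acls.get(name, [])) != 1:
            raise ValueError(f"policy ACL {name} must have exactly one permit entry")
        # Policy NAT (Cisco semantics): the ACL source is the real address
        # being translated; the ACL destination is the peer that must be on
        # the other end for this translation to apply.
        src, dst = acls[name][0]
        return Static("policy", mapped, src, dst, name, line)
    real = ipaddress.ip_network(f"{rest[0]}/{mask}", strict=False)
    return Static("regular", mapped, real, None, None, line)


def parse_config(text):
    """Return (acls, statics); acls maps name -> [(src_net, dst_net), ...]."""
    acls, statics = {}, []
    for raw in text.splitlines():
        t = raw.split()
        if len(t) > 3 and t[0] == "access-list" and t[2] == "permit":
            src, i = _net(t, 4)            # access-list NAME permit PROTO SRC DST
            dst, _ = _net(t, i)            # any trailing port spec is ignored
            acls.setdefault(t[1], []).append((src, dst))
        elif t and t[0].startswith("static"):
            statics.append(_parse_static(raw.strip(), acls))
    return acls, statics


def mapped_overlaps(statics):
    """Pairs of statics whose mapped ranges overlap: an inbound packet to
    such a destination could be claimed by either translation."""
    return [(a.line, b.line)
            for i, a in enumerate(statics)
            for b in statics[i + 1:]
            if a.mapped.overlaps(b.mapped)]


def describe(s):
    if s.kind == "policy":
        return (f"policy static: inbound to {s.mapped} from {s.peer} "
                f"-> real {s.real} (ACL {s.acl})")
    return f"regular static: inbound to {s.mapped} -> real {s.real}"


def check(text):
    """Parse a config fragment; return (descriptions, overlapping pairs)."""
    _, statics = parse_config(text)
    return [describe(s) for s in statics], mapped_overlaps(statics)


if __name__ == "__main__":
    for label, cfg in (("thread example", SAMPLE_CONFIG),
                       ("constructed conflict", CONFLICTING_CONFIG)):
        descs, overlaps = check(cfg)
        print(f"== {label}")
        for d in descs:
            print("  ", d)
        print("   overlapping mapped ranges:", overlaps or "none")
```

On the thread's lines the checker reports 1.1.1.2/32 and 10.0.0.0/8 as disjoint mapped ranges, which is the "non-conflicting" reading; the constructed third static shows what an actual collision looks like. Which statement the PIX would apply when mapped ranges do overlap is exactly the precedence question the thread leaves open, so the checker flags the pair and makes no claim about the winner.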


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 19, Issue 8
***********************************************
