
Thursday, December 06, 2007

firewall-wizards Digest, Vol 20, Issue 3

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. [Fwd: Cisco Pix 515e ERROR: % Invalid input detected at '^'
marker] (Jesse DeGarmo)
2. Re: Dark Reading: Firewalls Ready for Evolutionary Shift
(Marcus J. Ranum)
3. Re: Rule authentication in PIX (Brian Loe)
4. Re: Question on Cisco ASA's... do all the features slow it
down? (ChrisSerafin)
5. Re: Question on Cisco ASA's... do all the features slow it
down? (Brett Cunningham)
6. Re: Dark Reading: Firewalls Ready for Evolutionary Shift
(Frank Knobbe)


----------------------------------------------------------------------

Message: 1
Date: Mon, 03 Dec 2007 15:39:43 -0600
From: Jesse DeGarmo <jdegarmo@kshs.org>
Subject: [fw-wiz] [Fwd: Cisco Pix 515e ERROR: % Invalid input detected
at '^' marker]
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <4754779F.4000603@kshs.org>
Content-Type: text/plain; charset="iso-8859-1"

Please discard my last email. I was forgetting to go into the configure
terminal mode. Feel pretty stupid.

-------- Original Message --------
Subject: Cisco Pix 515e ERROR: % Invalid input detected at '^' marker
Date: Sun, 02 Dec 2007 21:51:36 -0600
From: Jesse DeGarmo <jdegarmo@kshs.org>
To: firewall-wizards@listserv.icsalabs.com

I have a Cisco Pix 515e that when we upgraded the software from 6.3 to
7.0 we are getting (ERROR: % Invalid input detected at '^' marker) any
time we try and enter a command to add a new rule for an access list or
change the asdm image file. Any suggestions would be helpful.

pix515e#access-list external_access extended permit tcp any host
165.201.138.6 eq smtp

access-list external_access extended permit tcp any host 165.201.138.6
eq smtp
^
ERROR: % Invalid input detected at '^' marker.


pix515e#asdm image flash:/asdm-523.bin

asdm image flash:/asdm-523.bin
^
ERROR: % Invalid input detected at '^' marker

--
Jesse G. DeGarmo
System Administrator
Kansas State Historical Society
6425 SW 6th Avenue
Topeka, KS 66615-1099
785-272-8681 x 242
785-272-8682 fax
jdegarmo@kshs.org





------------------------------

Message: 2
Date: Wed, 05 Dec 2007 13:29:49 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Dark Reading: Firewalls Ready for Evolutionary
Shift
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <6.2.0.14.2.20071205132854.0361ce00@ranum.com>
Content-Type: text/plain; charset="us-ascii"


>No comment on the rest of this message, but as someone who has had the
>unique, uh, "privilege" of writing significant code on an NPU (the
>IXP2400), I find this particular assertion amusing.

The 2400 is pretty low level compared to something like a Seaway...
but... Yeah...

>I will do you the favor of "truing up" your quip:

I shall then stand corrected. :) Thank you.

mjr.

------------------------------

Message: 3
Date: Wed, 5 Dec 2007 11:29:21 -0600
From: "Brian Loe" <knobdy@gmail.com>
Subject: Re: [fw-wiz] Rule authentication in PIX
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<3c4611bc0712050929k3f930e64kce1e2ffacb6935ff@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

So it's clear RDP after authentication? Is that a requirement?

On Dec 3, 2007 9:34 AM, Alejandro Ezequiel Fernández Preda
<quequiel@ciudad.com.ar> wrote:
>
>
> Hi everyone,
>
> I was asked to implement an authentication rule for RDP on a Cisco PIX.
> Customers should https / ssh / telnet to the firewall first for
> authentication and then connect to the RDP server behind it with the
> standard RDP Client.
> I've searched through Cisco and it seems Cut-Through Authentication proxy
> could do it but I'm not sure if it only applies for the known protocols or
> for any protocol. Has anyone implemented this type of authentication? any
> tips/examples/links would be very helpful.


------------------------------

Message: 4
Date: Wed, 05 Dec 2007 10:35:26 -0600
From: ChrisSerafin <chris@chrisserafin.com>
Subject: Re: [fw-wiz] Question on Cisco ASA's... do all the features
slow it down?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4756D34E.2040606@chrisserafin.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

ASA's have a bunch more memory. I have a cluster of 2 5510 running a
HUGE web company with no ill effects. Basic static NAT, remote VPN...

Chris Serafin
chris@chrisserafin.com

John G. wrote:
> hello list,
>
> we are currently running Cisco PIX 515E's with 128 Megs of RAM. the
> problem is their CPU's are getting up to high 80% usage. gone through
> a bunch of troubleshooting things and i think it is just time to upgrade.
>
> my question is do the IDS/IPS features of the ASA make it kinda slow?
> i would hate to have us upgrade to these devices just to find us in
> the same spot. what do people think of the ASA's as compared to the
> vaunted PIX?
>
> we were thinking of getting this model: Cisco ASA5510-SEC-BUN-K9
>
> thanks much,
> jg
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>

------------------------------

Message: 5
Date: Wed, 5 Dec 2007 14:07:55 -0600
From: "Brett Cunningham" <cssniper22@gmail.com>
Subject: Re: [fw-wiz] Question on Cisco ASA's... do all the features
slow it down?
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<63e59b100712051207v2a512d70m3c8b970423f09b19@mail.gmail.com>
Content-Type: text/plain; charset=WINDOWS-1252

The IPS feature does slow it down. Of course the more you do with the
packets, the slower it will get. I'd still recommend the ASA with the
SSM though. For the 5510, here are the specs:

Feature                                   Value
Firewall throughput                       Up to 300 Mbps
Concurrent threat mitigation throughput   (firewall + IPS services)
                                          - Up to 150 Mbps with AIP-SSM-10
                                          - Up to 300 Mbps with AIP-SSM-20
VPN throughput                            Up to 170 Mbps

(see: http://www.cisco.com/en/US/products/ps6120/products_data_sheet0900aecd802930c5.html)


If 150 Mbps is okay, go with the SSM-10. Otherwise, the SSM-20 hardly
slows it down.

I think the ASA is a huge leap from the PIX and would suggest the ASA
over the PIX.

On 12/4/07, John G. <isaac737@gmail.com> wrote:
> hello list,
>
> we are currently running Cisco PIX 515E's with 128 Megs of RAM. the problem
> is their CPU's are getting up to high 80% usage. gone through a bunch of
> troubleshooting things and i think it is just time to upgrade.
>
> my question is do the IDS/IPS features of the ASA make it kinda slow? i
> would hate to have us upgrade to these devices just to find us in the same
> spot. what do people think of the ASA's as compared to the vaunted PIX?
>
> we were thinking of getting this model: Cisco ASA5510-SEC-BUN-K9
>
> thanks much,
> jg
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>


------------------------------

Message: 6
Date: Wed, 05 Dec 2007 22:04:12 -0600
From: Frank Knobbe <frank@knobbe.us>
Subject: Re: [fw-wiz] Dark Reading: Firewalls Ready for Evolutionary
Shift
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <1196913852.15925.29.camel@localhost>
Content-Type: text/plain; charset="us-ascii"

On Tue, 2007-12-04 at 15:12 -0600, Thomas Ptacek wrote:
> [...] In pure CS terms,
> "doing layer 7 stuff" comes pretty close to rocket science. Read
> Varghese, and remember that without actual algorithms, you crash into
> the speed of SRAM. Even on a fancy multicore whizz-bang NPU.

Besides the question of how hard/accurate it is to perform
protocol-application-correlation, one also has to consider the impact on
the average administrator.

If we start seeing firewalls where your rule set reads like:

allow $internal_net Mozilla $external_net port_80
deny $internal_net InternetExplorer $external_net port_80
allow $internal_net gnome-meeting $external_net port_any
...etc...

...then I would consider it breaking new ground. If the end-user of
firewalls can create their policies based on application rather than
just IP-Port pairs, then it's a shift from current network firewalls.

And yes, I'm aware that we've been able to permit/deny *specific
applications* access to the Internet since at least the mid-nineties
(that's when I worked *cough*last*cough* with MS Proxy server and custom
Winsock proxy assignments for applications). I'm sure there are probably
other proxy-based firewalls that have similar capabilities.

But the article seems to refer to non-proxy, inline firewalls/IPS
doodads. For those, application recognition may be groundbreaking news.
Whether the market will accept them remains to be seen. (CxO: My
mobile-tunnlier-gadget can get to the Internet. Make it work! :)

Cheers,
Frank


--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
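As an added illustration (not from the list or any vendor), here is a minimal evaluator for the application-aware rule syntax Frank sketches above. It assumes first-match semantics with an implicit final deny, constructed values for $internal_net and $external_net, and that the application label is supplied by whatever inline recognition the device performs; the evaluator itself does no traffic inspection.

```python
import ipaddress

# Constructed stand-ins for the variables in the quoted rule set (assumption).
VARS = {
    "$internal_net": ipaddress.ip_network("10.0.0.0/8"),
    "$external_net": ipaddress.ip_network("0.0.0.0/0"),
}

# The three rules from the message, verbatim.
RULES_TEXT = """
allow $internal_net Mozilla $external_net port_80
deny $internal_net InternetExplorer $external_net port_80
allow $internal_net gnome-meeting $external_net port_any
"""


def parse_rules(text):
    """Parse 'action src app dst port_N|port_any' lines into tuples."""
    rules = []
    for line in text.strip().splitlines():
        action, src, app, dst, port = line.split()
        dport = None if port == "port_any" else int(port.split("_", 1)[1])
        rules.append((action, VARS[src], app, VARS[dst], dport))
    return rules


def decide(rules, src_ip, app, dst_ip, dport):
    """First matching rule wins; no match falls through to an implicit deny.

    `app` is the application identity the firewall has already attributed to
    the flow; a wrong attribution (e.g. IE traffic labelled 'Mozilla') is
    exactly the accuracy problem the thread discusses.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, rule_app, dst_net, port in rules:
        if (s in src_net and d in dst_net and app == rule_app
                and port in (None, dport)):
            return action
    return "deny"


RULES = parse_rules(RULES_TEXT)
```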



------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 20, Issue 3
***********************************************
