Today's Topics:
1. Re: Dark Reading: Firewalls Ready for Evolutionary Shift
(david@lang.hm)
2. Re: Rule authentication in PIX
(Alejandro Ezequiel Fernández Preda)
----------------------------------------------------------------------
Message: 1
Date: Thu, 6 Dec 2007 13:50:48 -0800 (PST)
From: david@lang.hm
Subject: Re: [fw-wiz] Dark Reading: Firewalls Ready for Evolutionary Shift
To: Firewall Wizards Security Mailing List <firewall-wizards@listserv.cybertrust.com>
Message-ID: <Pine.LNX.4.64.0712061346500.9507@asgard.lang.hm>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
On Wed, 5 Dec 2007, Frank Knobbe wrote:
> On Tue, 2007-12-04 at 15:12 -0600, Thomas Ptacek wrote:
> > [...] In pure CS terms,
> > "doing layer 7 stuff" comes pretty close to rocket science. Read
> > Varghese, and remember that without actual algorithms, you crash into
> > the speed of SRAM. Even on a fancy multicore whizz-bang NPU.
>
> Besides the question of how hard/accurate it is to perform
> protocol-application-correlation, one also has to consider the impact on
> the average administrator.
>
> If we start seeing firewalls where your rule set reads like:
>
> allow $internal_net Mozilla $external_net port_80
> deny $internal_net InternetExplorer $external_net port_80
> allow $internal_net gnome-meeting $external_net port_any
> ...etc...
>
> ...then I would consider it breaking new ground. If the end-user of
> firewalls can create their policies based on application rather than
> just IP-Port pairs, then it's a shift from current network firewalls.
I'm not sure you really want to try and tell the difference between
Mozilla, Firefox, Internet Explorer, Opera, Lynx, etc. on the firewall
(especially since some of these can be configured to lie and claim that
they are others to work around broken websites).
What you need to be able to do is to enforce valid HTTP, and work to
detect the common ways of tunneling other things across it.
If you are running on the client machine you can try to figure out what
application is running and make decisions on that (see AppArmor for
Linux, and personal firewalls for Windows), but once you are off the
client systems you can't make more than an educated guess about what
application is generating the network traffic.
David Lang
> And yes, I'm aware that we've been able to permit/deny *specific
> applications* access to the Internet since at least the mid-nineties
> (that's when I worked *cough*last*cough* with MS Proxy server and custom
> Winsock proxy assignments for applications). I'm sure there are probably
> other proxy-based firewalls that have similar capabilities.
>
> But the article seems to refer to non-proxy, inline firewalls/IPS
> doodads. For those, application recognition may be ground breaking news.
> If the market will accept them remains to be seen. (CxO: My
> mobile-tunnlier-gadget can get to the Internet. Make it work! :)
>
> Cheers,
> Frank
>
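The point David makes above (enforce valid HTTP on the wire and look for tunnelling, rather than trying to tell browsers apart, since any client can claim to be another) as an added illustration that is not part of the digest and not from any firewall product: a small Python classifier for the first bytes a client sends on tcp/80. `classify_port80` is a name chosen here, and all sample payloads are constructed for the example. The verdict depends only on protocol conformance; the User-Agent is returned as untrusted metadata and never influences the decision.

```python
import re

# HTTP/1.x request line per RFC 7230 3.1.1: method SP request-target SP HTTP-version CRLF
TOKEN = rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
REQUEST_LINE = re.compile(rb"^(" + TOKEN + rb") (\S+) HTTP/1\.[01]\r\n")
HEADER_LINE = re.compile(rb"^(" + TOKEN + rb"):[ \t]*(.*?)[ \t]*$")
STANDARD_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE"}


def classify_port80(payload: bytes) -> dict:
    """Protocol-conformance check for the first bytes a client sends on tcp/80.

    Returns {"verdict": "allow"|"deny", "reason": ..., "user_agent": ...}.
    The User-Agent is reported only as untrusted metadata: the verdict never
    depends on it, because any client can send any User-Agent string.
    """
    # Non-HTTP protocols commonly pushed over port 80 to slip past port-only rules
    if payload[:2] == b"\x16\x03":           # TLS record type 22 (handshake), version 3.x
        return {"verdict": "deny", "reason": "tls-on-port-80"}
    if payload.startswith(b"SSH-"):          # SSH protocol banner (RFC 4253 4.2)
        return {"verdict": "deny", "reason": "ssh-banner"}

    m = REQUEST_LINE.match(payload)
    if not m:
        return {"verdict": "deny", "reason": "malformed-request-line"}
    method, target = m.group(1), m.group(2)
    if method == b"CONNECT":                 # HTTP's own tunnelling verb; a web server never needs it
        return {"verdict": "deny", "reason": "connect-tunnel"}
    if method not in STANDARD_METHODS:
        return {"verdict": "deny", "reason": "unknown-method"}
    if not (target.startswith(b"/") or target.startswith(b"http://")):
        return {"verdict": "deny", "reason": "bad-request-target"}

    # Headers must be well-formed and terminated by an empty line
    end = payload.find(b"\r\n\r\n")
    if end < 0:
        return {"verdict": "deny", "reason": "unterminated-headers"}
    header_block = payload[m.end():end]      # empty slice when there are no headers at all
    headers = {}
    for line in header_block.split(b"\r\n") if header_block else []:
        h = HEADER_LINE.match(line)
        if not h:
            return {"verdict": "deny", "reason": "malformed-header"}
        headers[h.group(1).lower()] = h.group(2)
    if b"host" not in headers:               # mandatory in HTTP/1.1 (RFC 7230 5.4)
        return {"verdict": "deny", "reason": "missing-host"}

    return {
        "verdict": "allow",
        "reason": "valid-http",
        "user_agent": headers.get(b"user-agent", b"").decode("latin-1"),
    }


# Constructed sample client payloads (not captured traffic).
FIREFOX_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                   b"User-Agent: Mozilla/5.0 (X11; Linux) Gecko/20071127 Firefox/2.0.0.11\r\n\r\n")
IE_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
              b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n\r\n")
SSH_BANNER = b"SSH-2.0-OpenSSH_4.7\r\n"
TLS_HELLO = b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x01" + b"\x00" * 32
CONNECT_TUNNEL = b"CONNECT example.net:443 HTTP/1.1\r\nHost: example.net:443\r\n\r\n"
NO_HOST = b"GET / HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    samples = [("firefox", FIREFOX_REQUEST), ("ie", IE_REQUEST), ("ssh", SSH_BANNER),
               ("tls", TLS_HELLO), ("connect", CONNECT_TUNNEL), ("no-host", NO_HOST)]
    for name, p in samples:
        print(f"{name:8} {classify_port80(p)}")
```

The two browser requests get the same verdict: the only thing that differs between them is a header the client chose to send, which is exactly why a rule written in terms of "Mozilla" versus "InternetExplorer" cannot be enforced from off-host. The checks that do hold up on the wire are the ones that test the protocol itself (request-line grammar, mandatory Host, no CONNECT, no TLS or SSH framing where plaintext HTTP is expected).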
------------------------------
Message: 2
Date: Thu, 6 Dec 2007 16:00:19 -0300
From: Alejandro Ezequiel Fernández Preda <quequiel@ciudad.com.ar>
Subject: Re: [fw-wiz] Rule authentication in PIX
To: "Firewall Wizards Security Mailing List" <firewall-wizards@listserv.icsalabs.com>
Message-ID: <108101c8383a$3f20c530$0d0aa8c0@Cecilia>
Content-Type: text/plain; format=flowed; charset="iso-8859-1";
reply-type=original
Right, just RDP's own encryption after the user authenticates against the
firewall. Never mind, I finally found how to do it; the problem was trying to
do it through PDM.
Regards,
Alejandro
----- Original Message -----
From: "Brian Loe" <knobdy@gmail.com>
To: "Firewall Wizards Security Mailing List" <firewall-wizards@listserv.icsalabs.com>
Sent: Wednesday, December 05, 2007 2:29 PM
Subject: Re: [fw-wiz] Rule authentication in PIX
So it's clear RDP after authentication? Is that a requirement?
On Dec 3, 2007 9:34 AM, Alejandro Ezequiel Fernández Preda <quequiel@ciudad.com.ar> wrote:
>
>
> Hi everyone,
>
> I was asked to implement an authentication rule for RDP on a Cisco PIX.
> Customers should https / ssh / telnet to the firewall first for
> authentication and then connect to the RDP server behind it with the
> standard RDP client.
> I've searched through Cisco and it seems Cut-Through Authentication proxy
> could do it, but I'm not sure if it only applies to the known protocols or
> to any protocol. Has anyone implemented this type of authentication? Any
> tips/examples/links would be very helpful.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
------------------------------
End of firewall-wizards Digest, Vol 20, Issue 4
***********************************************