Wednesday, December 12, 2007

firewall-wizards Digest, Vol 20, Issue 7

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: OpenBSD pf users? (Jim O'Gorman)
2. Re: OpenBSD pf users? (Paul Melson)
3. Re: Question on Cisco ASA's... do all the features slow it
down? (John G.)
4. Black Hat Briefings Call for Papers (jmoss)
5. Re: OpenBSD pf users? (Joshua Hill)
6. Re: OpenBSD pf users? (Matthew Franz)
7. Re: OpenBSD pf users? (Robby Cauwerts)


----------------------------------------------------------------------

Message: 1
Date: Tue, 11 Dec 2007 11:39:08 -0600
From: "Jim O'Gorman" <jogorman@gmail.com>
Subject: Re: [fw-wiz] OpenBSD pf users?
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<d63aedc60712110939w1411916fk8fc4aac75578df32@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

I have used it and like the platform. Main thing to remember is it is simply a
stateful packet filter and nothing more. If that is what your needs
require, it is a great platform.

Thanks
Jim

On Dec 9, 2007 8:33 AM, Wim Lamotte <Wim.Lamotte@uhasselt.be> wrote:

> Hi,
>
> I was wondering if any of the fw-wiz members is currently using the pf
> firewall on OpenBSD. We are considering this platform as an alternative to
> our current Checkpoint FW-1 running on a Nokia 2-node cluster, with which we
> have had many problems (cluster not stable, SIP traversal problems,
> SmartDefense unpredictable, high license costs, ...)
>
> If anyone has evaluated the OpenBSD pf platform in the past, and concluded
> that there were good reasons not to use it, I would also be very interested
> to know what these reasons were.
>
> Thanks,
>
> Wim
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>

--
Jim
jameso@elwood.net
jogorman@gmail.com
http://www.elwood.net


------------------------------

Message: 2
Date: Tue, 11 Dec 2007 11:29:58 -0500
From: "Paul Melson" <pmelson@gmail.com>
Subject: Re: [fw-wiz] OpenBSD pf users?
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<40ecb01f0712110829i3b1fb0eav27028a65eaebe97a@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Dec 9, 2007 9:33 AM, Wim Lamotte <Wim.Lamotte@uhasselt.be> wrote:
> If anyone has evaluated the OpenBSD pf platform in the past, and concluded
> that there were good reasons not to use it, I would also be very interested
> to know what these reasons were.

My primary complaint about OpenBSD is the lack of IPSec VPN support in
current releases. (Not that releases with IPSec in the kernel had
good support to begin with.)

But as far as pf goes, I use it at home and have for years.
Ironically, I switched to it after completing my CCSA/CCSE certs, when
I had been running Check Point NG-AI as my home firewall for practice.
I switched from my P2/450 with 256MB RAM and PCI 10/100 NICs running
SPLAT to a P/166 with 64MB RAM and 10Mbps ISA NICs running OpenBSD and
pf, and found pf to be faster on a 4Mbps cable modem. It's also easy
to script changes to pf.conf, and it's been very stable in my
experience. If I didn't have a need for VPN or content filtering, I
would consider it as a contender for an enterprise firewall.

PaulM
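Paul's point that pf.conf changes are easy to script raises the operational question of doing it safely on a remote firewall. The following is an added example, not code from the list or any poster: a POSIX sh wrapper around OpenBSD's pfctl(8) that parse-checks a candidate ruleset (pfctl -nf) before loading it (pfctl -f), and reverts to the previous ruleset unless an operator confirms within a timeout. The PFCTL, ROLLBACK_DELAY and confirm-file conventions are this example's own assumptions.

```shell
#!/bin/sh
# Safe pf.conf reload: dry-run parse first, then load with automatic rollback
# so a typo in the ruleset cannot lock you out of a remote firewall.
# Assumes OpenBSD pfctl(8). PFCTL may be pointed at a wrapper for testing
# (an assumption of this example, not a pf feature).

PFCTL="${PFCTL:-pfctl}"
ROLLBACK_DELAY="${ROLLBACK_DELAY:-60}"   # seconds the operator has to confirm

# pf_check FILE: return 0 only if FILE parses. -n means nothing is loaded.
pf_check() {
    "$PFCTL" -nf "$1"
}

# pf_load_with_rollback CANDIDATE PREVIOUS CONFIRM_FILE
# Loads CANDIDATE; if CONFIRM_FILE does not exist after ROLLBACK_DELAY
# seconds, PREVIOUS (a saved copy of the last known-good ruleset) is reloaded.
pf_load_with_rollback() {
    candidate="$1"
    previous="$2"
    confirm="$3"

    if ! pf_check "$candidate"; then
        echo "parse error in $candidate; nothing loaded" >&2
        return 1
    fi
    "$PFCTL" -f "$candidate" || return 1
    rm -f "$confirm"

    # Background watchdog: revert unless the operator created the confirm file.
    ( sleep "$ROLLBACK_DELAY"
      [ -e "$confirm" ] || "$PFCTL" -f "$previous" ) &

    echo "loaded $candidate; touch $confirm within ${ROLLBACK_DELAY}s to keep it"
}

# Typical use (run by hand; not executed when this file is sourced):
#   cp /etc/pf.conf /etc/pf.conf.prev
#   pf_load_with_rollback /etc/pf.conf.new /etc/pf.conf.prev /tmp/pf.ok
#   ... verify you still have a session, then: touch /tmp/pf.ok
```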


------------------------------

Message: 3
Date: Tue, 11 Dec 2007 10:56:22 -0800
From: "John G." <isaac737@gmail.com>
Subject: Re: [fw-wiz] Question on Cisco ASA's... do all the features
slow it down?
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<363532d30712111056v568e3563md6551f529ae09210@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

greetings and salutations. peace to the nations.

well, i don't understand really what you mean by the packet sizes and first
match vs. last match. i am more a firewall apprentice than firewall wizard.

what i can definitely agree with is the performance data that a certain
company from the Bay Area says their firewalls can do around 200
Megabits/second. we are seeing 80% CPU load on the firewall (watched via
Nagios and Cacti) when we push around 10 Megabits/second.

how is this even a useful metric is my question? 200 Megabits/second with a
default ALLOW ANY to ANY ruleset on both in and out?? :P

-jg

On Dec 10, 2007 9:42 PM, Carson Gaspar <carson@taltos.org> wrote:

> jacob c wrote:
> > 1) Firewall performance figures from all vendors are highly overrated on
> > the datasheets.
>
> If you want to get a certain firewall company to complain to your senior
> management that you're being "mean" and try and get you fired, demand 64
> byte packet last-match performance numbers (as opposed to the 1500+ byte
> first match numbers they'll try and give you). Also be very careful to
> ask about behaviour when this limit is exceeded. It was very informative
> to see which vendors were packet rate limited and which were bit rate
> limited. The performance scaling with ruleset size was also interesting.
> Sadly I don't know of any vendors that publish this data openly. I do
> know that you can tell a good one by their reaction when you ask for it.
>
> (And, no, I'm not making this up. But I'll refrain from naming names
> since they can afford to sue me out of existence.)
>
> --
> Carson
>


------------------------------

Message: 4
Date: Tue, 11 Dec 2007 12:48:17 -0800
From: "jmoss" <jmoss@blackhat.com>
Subject: [fw-wiz] Black Hat Briefings Call for Papers
To: <firewall-wizards@listserv.cybertrust.com>
Message-ID: <000801c83c37$28513e60$78f3bb20$@com>
Content-Type: text/plain; charset="us-ascii"

Happy Holidays Firewall Wizards from Black Hat! Before the silly season
enters full swing I'd like to make a couple announcements:

BRIEFINGS AND TRAININGS
http://www.blackhat.com/
Black Hat is proud to be holding Trainings and Briefings in Washington D.C.,
Amsterdam, Las Vegas, Japan, and a mystery location in 2008. Please mark
your calendars!

NEW: An enhancement to all Black Hat Briefings allows all attendees greater
access to each presenter. Immediately following each session the presenters
are available for an additional hour to take questions in a break out room.
This allows you to not only have in depth conversations but also meet other
attendees interested in the same topics you are.

DC 2008 Briefings & Training
February 18-21, Westin Washington DC City Center
Focusing on Wireless and Offensive security techniques with a larger
training lineup.
New trainings include Defend the Flag by Microsoft, Side Channel Analysis
and Countermeasures by Riscure, and TCP/IP Weapons School: Black Hat Edition
by TaoSecurity.

Europe 2008 Briefings & Training
Now with three tracks per day of presentations and larger training lineup.
March 25-28, Moevenpick Hotel Amsterdam City Centre, the Netherlands New
trainings include Understanding Stealth Malware by Joanna Rutkowska and
Alexander Tereshkin, Side Channel Analysis and Countermeasures by Riscure,
and Exploits 101 by Allen Harper.

USA 2008 Briefings & Training
This is the big one, thousands of people, 25+ training classes, seven tracks
of presentations, BoF break outs, and more!
August 2-7, Caesars Palace Las Vegas

CALL for PAPERS
https://cfp.blackhat.com/
Black Hat is always looking for new and unique research, demonstrations and
tools. If you have something you or your team would like to present please
keep the following dates in mind.

D.C. 2008 Briefings CfP closes January 4
Europe 2008 Briefings CfP closes February 1
USA 2008 Briefings CfP will open February 1
Japan 2008 Briefings CfP will open May 1

RSS Announcements and Updates, News and more:
http://www.blackhat.com/BlackHatRSS.xml

TO REGISTER:
https://www.blackhat.com/html/bh-registration/bh-registration.html
To register for trainings or briefings please visit our registration site.
Register early to take advantage of price discounts!

We are working to launch the new Black Hat site this weekend, as well as
release audio and video of several past conferences before the new year.
Lots of changes are in the works for the new year!

Jeff Moss
Black Hat




------------------------------

Message: 5
Date: Tue, 11 Dec 2007 10:10:42 -0800
From: Joshua Hill <josh-lists@untruth.org>
Subject: Re: [fw-wiz] OpenBSD pf users?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <20071211101042.A30771@chiba.halibut.com>
Content-Type: text/plain; charset=us-ascii

On Tue, Dec 11, 2007 at 11:29:58AM -0500, Paul Melson wrote:
> My primary complaint about OpenBSD is the lack of IPSec VPN support in
> current releases. (Not that releases with IPSec in the kernel had
> good support to begin with.)

Hmmm... I'm running several VPNs on 4.1, and I don't see anything in the
change logs between 4.2 (the current released version) and 4.1 about
removing IPSec support. Did you miss the change in 3.8 to ipsecctl
(and its ipsec.conf file) from ipsecadm?

Josh


------------------------------

Message: 6
Date: Tue, 11 Dec 2007 11:55:54 -0600
From: "Matthew Franz" <mdfranz@gmail.com>
Subject: Re: [fw-wiz] OpenBSD pf users?
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<33acb3db0712110955v1cac0f76v6a8ed8ba3c800588@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hi,

Assuming a stateful packet filter is fine, what sort of PPS and
throughput requirements do you have?

There have been some past discussions on the topic at:

http://groups.google.com/group/bit.listserv.openbsd-pf/topics

http://lists.freebsd.org/pipermail/freebsd-pf/

- mdf

On Dec 9, 2007 8:33 AM, Wim Lamotte <Wim.Lamotte@uhasselt.be> wrote:
> Hi,
>
> I was wondering if any of the fw-wiz members is currently using the pf
> firewall on OpenBSD. We are considering this platform as an alternative to
> our current Checkpoint FW-1 running on a Nokia 2-node cluster, with which we
> have had many problems (cluster not stable, SIP traversal problems,
> SmartDefense unpredictable, high license costs, ...)
>
> If anyone has evaluated the OpenBSD pf platform in the past, and concluded
> that there were good reasons not to use it, I would also be very interested
> to know what these reasons were.
>
> Thanks,
>
> Wim
>
>
>

--
Matthew Franz
http://www.threatmind.net/


------------------------------

Message: 7
Date: Tue, 11 Dec 2007 21:54:44 +0100
From: "Robby Cauwerts" <robby@cauwerts.be>
Subject: Re: [fw-wiz] OpenBSD pf users?
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<2ca18af0712111254t311540f7l9f08953406234f2e@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

On Dec 9, 2007 3:33 PM, Wim Lamotte <Wim.Lamotte@uhasselt.be> wrote:

> Hi,
>
> I was wondering if any of the fw-wiz members is currently using the pf
> firewall on OpenBSD. We are considering this platform as an alternative to
> our current Checkpoint FW-1 running on a Nokia 2-node cluster, with which we
> have had many problems (cluster not stable, SIP traversal problems,
> SmartDefense unpredictable, high license costs, ...)
>
> If anyone has evaluated the OpenBSD pf platform in the past, and concluded
> that there were good reasons not to use it, I would also be very interested
> to know what these reasons were.
>

Hi Wim,

What matters is the experience of the guys who will be managing your
firewalls.
Do they have the experience with *nix systems?
If you go for OpenBSD you will not only need to manage your firewall setup
(rules/natting/vpn/...) but also the underlying OS.

OpenBSD supports up to two releases, and there is a new release every two
months, which means that you will need to upgrade your system every year.
If you have the experience you can do this with your eyes closed, if not ...

With OpenBSD you will probably need to install/patch/upgrade (a lot of) third
party software to get some more functionality (mrtg, external logging,
OpenVPN,...)
If you have the experience you can do this with your eyes closed, if not ...

With CheckPoint on Nokia maintaining your firewall can be done (or at least
it should be) with a couple of clicks.
Even a junior admin can do this (with his eyes closed...).

What happens when the *nix guru who has installed and highly tuned OpenBSD
for your needs leaves your company?
Check Point admins can be found everywhere (but this doesn't mean that they
are all skilled) but it is more difficult to find someone with OpenBSD
experience.

OpenBSD has proven to be a rock solid firewall and will probably have all
the features you need.
(carp, ipsec VPNs, VPNs for road warriors,...) Okay, you don't get the fancy
Smartdefense updates/headaches.

With OpenBSD you pay nothing (consider a donation) for the software, but you
will need to pay the experienced administrator.
With Check Point you pay a fortune for the licenses but a junior admin can
manage most of the firewall.

If you want something cheaper with a nice GUI that is easy to update/maintain
you could also consider a Netscreen.

Good luck with your choice.


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 20, Issue 7
***********************************************