Security World: firewall-wizards digest, Vol 1 #1628

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. RE: Opinion: Worst interface ever. (Eugene Kuznetsov)
2. RE: Cisco PIX Version 6.3(3) SMTP Problem (David M. Nicksic)
3. RE: Opinion: Worst interface ever. (Paul D. Robertson)
4. Re: Cisco PIX Version 6.3(3) SMTP Problem (Gregory Hicks)
5. Re: Cisco PIX Version 6.3(3) SMTP Problem (Devdas Bhagat)
6. RE: Cisco PIX Version 6.3(3) SMTP Problem (Hammerle, Tye)
7. Re: Cisco PIX Version 6.3(3) SMTP Problem (Paul Robertson)
8. Re: Cisco PIX Version 6.3(3) SMTP Problem (hermit921)
9. Re: Firewall Log Analysis - Computer vs. Human (Kevin)

--__--__--

Message: 1
From: "Eugene Kuznetsov" <eugene@datapower.com>
To: "'Mark Teicher'" <mht3@earthlink.net>,
"'Paul D. Robertson'" <paul@compuwar.net>
Cc: <firewall-wizards@icsalabs.com>
Subject: RE: [fw-wiz] Opinion: Worst interface ever.
Date: Wed, 6 Jul 2005 09:11:57 -0400

> I recall this argument all to well during the early days of
> implementing firewalls. Customers used to go gaga over some X11
> based UI from some vendor versus a curses based ui, that was simple
> to use and less than 7 or 8 config options and a customer's firewalls
> was up and protecting their network from the baddies.

Exactly... The sad reality is that many (even majority) of people charged
with buying "security products" today will choose a provably insecure
solution (e.g., known exploits) with a "prettier/easier" UI over one that
has better security attributes but less attractive. This gets progressively
worse as you move from Layer2/3 security to Layer7 & up application security
or identity management.

Of course, a great commercial product should and does have both. But the
interesting question for the professional is that if you have a vendor
evaluation matrix that looks like this:

Vendor: UI: Security:
AliceBox B- A
MalloryBox A+ C

What is the choice that gets made? Sadly, it's MalloryBox, almost always.
Because, you know, you can *SEE* what's wrong with AliceBox, while the
security parameters are "subtle" and "subjective".

Before anyone else says it: obviously there's a point where a UI can be so
bad that it compromises the security achievable with it. Paul's example may
fit into that case, but I think it's important to stand up for security as
the first and dominant criteria.

\\ Eugene Kuznetsov, Chairman & CTO : eugene@datapower.com
\\ DataPower Technology, Inc. : Web Services security
\\ http://www.datapower.com : XML-aware networks

--__--__--

Message: 2
Date: Wed, 06 Jul 2005 08:06:11 -0700
From: "David M. Nicksic" <dnicksic@mossbaygroup.com>
Subject: RE: [fw-wiz] Cisco PIX Version 6.3(3) SMTP Problem
To: "'Paul D. Robertson'" <paul@compuwar.net>
Cc: <firewall-wizards@honor.icsalabs.com>

Thank you for your comments about Postini, that is most helpful.

-----Original Message-----
From: Paul D. Robertson [mailto:paul@compuwar.net]
Sent: Wednesday, July 06, 2005 5:51 AM
To: David M. Nicksic
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Cisco PIX Version 6.3(3) SMTP Problem

On Tue, 5 Jul 2005, David M. Nicksic wrote:

> I am using a PIX 520 v 6.3.3 and having a spam problem. A spam service
> Postini is employed. I want to deny all SMTP traffic unless it comes from
> one of the Postini servers. Can the PIX be configured to accomplish this?
>

Almost any firewall can, however you'll be out of e-mail if the provider
has to put up a new server because of an attack, failure, problem or
address change. It's probably better to configure your mail server to
reject based on forward/reverse lookups, since you're dealing with one
zone, you'll be able to cache the lookups pretty well.

Note that Postini rejects mail if your server isn't reachable by it- so
it's not all that resilient if you're under attack or having server
issues[1]. Personally, I'd rather run Mailscanner on a Postfix instance
than
outsource something as critical as e-mail.

Paul
[1] Theoretically most things will retry, but you may want to test
critical pager/cell/alert stuff to make sure it won't just give up if
you're under conditions where contacting you becomes important.
----------------------------------------------------------------------------
-
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

--__--__--

Message: 3
Date: Wed, 6 Jul 2005 12:11:08 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
To: Mark Teicher <mht3@earthlink.net>
Cc: Eugene Kuznetsov <eugene@datapower.com>,
firewall-wizards@icsalabs.com
Subject: RE: [fw-wiz] Opinion: Worst interface ever.

On Tue, 5 Jul 2005, Mark Teicher wrote:

> You may want call technical support ahead of time and schedule lots
> of offline time to configure it properly or all your email might end
> up in /dev/null. :(

I'll reiterate that things are functioning fine once I get a rule that
works the way I expect it to (I've been tcpdumping and testing as I make
changes to the rules.) The box (a major plus) will not allow the traffic
when I have it seemingly configured correctly, but not to its liking- so
I think from a security perspective the box is doing the right thing-
we're just not speaking the same language, or the initial configuration
has some issues[1]. Once the rules are in place, I get fully functional,
including over reboots.

Watchguard has been good in getting hold of me and I have a support call
scheduled for this afternoon- we'll see how that goes, but so far they've
done all the right things and none of the wrong ones.

Paul
[1] Which if it is true, is something else that'll need to be addressed.
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

--__--__--

Message: 4
Date: Wed, 6 Jul 2005 10:00:57 -0700 (PDT)
From: Gregory Hicks <ghicks@cadence.com>
Reply-To: Gregory Hicks <ghicks@cadence.com>
Subject: Re: [fw-wiz] Cisco PIX Version 6.3(3) SMTP Problem
To: dnicksic@mossbaygroup.com, paul@compuwar.net
Cc: firewall-wizards@honor.icsalabs.com

> From: "Paul D. Robertson" <paul@compuwar.net>
> To: "David M. Nicksic" <dnicksic@mossbaygroup.com>
> Cc: firewall-wizards@honor.icsalabs.com
> Subject: Re: [fw-wiz] Cisco PIX Version 6.3(3) SMTP Problem
> Date: Wed, 6 Jul 2005 08:51:15 -0400 (EDT)
>
> On Tue, 5 Jul 2005, David M. Nicksic wrote:
>
> > I am using a PIX 520 v 6.3.3 and having a spam problem. A spam service
> > Postini is employed. I want to deny all SMTP traffic unless it comes
from
> > one of the Postini servers. Can the PIX be configured to accomplish
this?
> >
> [...snip...]
>
> Note that Postini rejects mail if your server isn't reachable by it-

Paul/David:

The above statement is not 100% true.

Postini spools mail if the server is not reachable - up to a limit.
THEN it starts refusing connections - which is not the same as
"rejecting" because the mail is still spooled on the sender's machine.
It is possible to configure Postini to page, notify, whatever you
during the period of time the server is unreachable.

When the server(s) come back online, Postini can automatically deliver
the "spooled" mail at a rate less than "normal" or wait for admin
intervention before starting mail delivery again. (Personally, I opted
for "notification" and "automatic unspooling"...)

I would think it advisable to have multiple mail servers configured
that do the receiving though just as you would have multiple DNS
servers... And for the same reason: availability...

> it's not all that resilient if you're under attack or having server
> issues[1]. Personally, I'd rather run Mailscanner on a Postfix instance
> than
> outsource something as critical as e-mail.

For a home or SMALL business, I'd rather run my own mail scanner as
well. For a medium to large business, I'd almost rather outsource the
spam suppression.

Regards,
Gregory Hicks

[Disclaimer - just a Postini customer...]

>
> Paul
> [1] Theoretically most things will retry, but you may want to test
> critical pager/cell/alert stuff to make sure it won't just give up if
> you're under conditions where contacting you becomes important.
>
----------------------------------------------------------------------------
-
> Paul D. Robertson "My statements in this message are personal
opinions
> paul@compuwar.net which may have no basis whatsoever in fact."
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

---------------------------------------------------------------------
Gregory Hicks | Principal Systems Engineer
Cadence Design Systems | Direct: 408.576.3609
555 River Oaks Pkwy M/S 6B1 | Fax: 408.894.3479
San Jose, CA 95134 | Internet: ghicks@cadence.com

I am perfectly capable of learning from my mistakes. I will surely
learn a great deal today.

"A democracy is a sheep and two wolves deciding on what to have for
lunch. Freedom is a well armed sheep contesting the results of the
decision." - Benjamin Franklin

"The best we can hope for concerning the people at large is that they
be properly armed." --Alexander Hamilton

--__--__--

Message: 5
Date: Wed, 6 Jul 2005 22:57:30 +0530
From: Devdas Bhagat <devdas@dvb.homelinux.org>
To: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Cisco PIX Version 6.3(3) SMTP Problem
Reply-To: Devdas Bhagat <devdas@dvb.homelinux.org>

On 06/07/05 08:51 -0400, Paul D. Robertson wrote:
> On Tue, 5 Jul 2005, David M. Nicksic wrote:
>
> > I am using a PIX 520 v 6.3.3 and having a spam problem. A spam service
> > Postini is employed. I want to deny all SMTP traffic unless it comes from
> > one of the Postini servers. Can the PIX be configured to accomplish this?
> >
>
> Almost any firewall can, however you'll be out of e-mail if the provider
> has to put up a new server because of an attack, failure, problem or
> address change. It's probably better to configure your mail server to
> reject based on forward/reverse lookups, since you're dealing with one
> zone, you'll be able to cache the lookups pretty well.
>
I would ask Postini for the network where their recipient verificaion
will come from. Then allow connections to port 25 of my mailserver from
only that subnet, and block everything else.

> Note that Postini rejects mail if your server isn't reachable by it- so
> it's not all that resilient if you're under attack or having server
> issues[1]. Personally, I'd rather run Mailscanner on a Postfix instance
> than outsource something as critical as e-mail.

Ugh. Mailscanner is known to be unsafe with Postfix and can cause mail
loss. Use amavisd-new instead.

As I understand it, Postini should cache recipient information, so you
will have a slightly better chance if your server goes under attack. I
concur with Paul's suggestion, though I would recommend Postfix +
Amavisd-new + Clamav + SpamAssassin on your Unix of choice.

Devdas Bhagat

--__--__--

Message: 6
From: "Hammerle, Tye" <Tye.F.Hammerle@snapon.com>
To: "'David M. Nicksic'" <dnicksic@mossbaygroup.com>,
"'Paul D. Robertson'" <paul@compuwar.net>
Cc: firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] Cisco PIX Version 6.3(3) SMTP Problem
Date: Wed, 6 Jul 2005 11:27:37 -0500

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_001_01C58247.5E8DDBA0
Content-Type: text/plain

Postini can spool mail if your gateway is unreachable. Talk to your support
rep.

tye

-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of David M.
Nicksic
Sent: Wednesday, July 06, 2005 10:06 AM
To: 'Paul D. Robertson'
Cc: firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] Cisco PIX Version 6.3(3) SMTP Problem

Thank you for your comments about Postini, that is most helpful.

On Tue, 5 Jul 2005, David M. Nicksic wrote:

> I am using a PIX 520 v 6.3.3 and having a spam problem. A spam service
> Postini is employed. I want to deny all SMTP traffic unless it comes
> from one of the Postini servers. Can the PIX be configured to
> accomplish this?
>

Almost any firewall can, however you'll be out of e-mail if the provider has
to put up a new server because of an attack, failure, problem or address
change. It's probably better to configure your mail server to reject based
on forward/reverse lookups, since you're dealing with one zone, you'll be
able to cache the lookups pretty well.

Note that Postini rejects mail if your server isn't reachable by it- so it's
not all that resilient if you're under attack or having server issues[1].
Personally, I'd rather run Mailscanner on a Postfix instance than outsource
something as critical as e-mail.

Paul
[1] Theoretically most things will retry, but you may want to test critical
pager/cell/alert stuff to make sure it won't just give up if you're under
conditions where contacting you becomes important.
----------------------------------------------------------------------------
-
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

_______________________________________________
firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

------_=_NextPart_001_01C58247.5E8DDBA0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version =
5.5.2658.2">
<TITLE>RE: [fw-wiz] Cisco PIX Version 6.3(3) SMTP Problem</TITLE>
</HEAD>
<BODY>

Postini can spool mail if your gateway is =
unreachable. Talk to your support rep.

tye

-----Original Message-----
 From: firewall-wizards-admin@honor.icsalabs.com [<A =
HREF=3D"mailto:firewall-wizards-admin@honor.icsalabs.com">mailto:firewal=
l-wizards-admin@honor.icsalabs.com</A>] On Behalf Of David M. =
Nicksic

Sent: Wednesday, July 06, 2005 10:06 AM
 To: 'Paul D. Robertson'
 Cc: firewall-wizards@honor.icsalabs.com
 Subject: RE: [fw-wiz] Cisco PIX Version 6.3(3) SMTP =
Problem

Thank you for your comments about Postini, that is =
most helpful.

DN

-----Original Message-----
 From: Paul D. Robertson [<A =
HREF=3D"mailto:paul@compuwar.net">mailto:paul@compuwar.net</A>] 
 Sent: Wednesday, July 06, 2005 5:51 AM
 To: David M. Nicksic
 Cc: firewall-wizards@honor.icsalabs.com
 Subject: Re: [fw-wiz] Cisco PIX Version 6.3(3) SMTP =
Problem

On Tue, 5 Jul 2005, David M. Nicksic wrote:

> I am using a PIX 520 v 6.3.3 and having a spam =
problem. A spam service 
 > Postini is employed. I want to deny all SMTP =
traffic unless it comes 
 > from one of the Postini servers. Can the PIX be =
configured to 
 > accomplish this?
 >

Almost any firewall can, however you'll be out of =
e-mail if the provider has to put up a new server because of an attack, =
failure, problem or address change.  It's probably better to =
configure your mail server to reject based on forward/reverse lookups, =
since you're dealing with one zone, you'll be able to cache the lookups =
pretty well.

Note that Postini rejects mail if your server isn't =
reachable by it- so it's not all that resilient if you're under attack =
or having server issues[1].  Personally, I'd rather run =
Mailscanner on a Postfix instance than outsource something as critical =
as e-mail.

Paul
 [1] Theoretically most things will retry, but you =
may want to test critical pager/cell/alert stuff to make sure it won't =
just give up if you're under conditions where contacting you becomes =
important.

---------------------------------------------------------------=
-------------
 -
 Paul D. Robertson      =
"My statements in this message are personal opinions
 paul@compuwar.net       which =
may have no basis whatsoever in fact."

_______________________________________________
 firewall-wizards mailing list =
firewall-wizards@honor.icsalabs.com
 <A =
HREF=3D"http://honor.icsalabs.com/mailman/listinfo/firewall-wizards" =
TARGET=3D"_blank">http://honor.icsalabs.com/mailman/listinfo/firewall-wi=
zards</A>

</BODY>
</HTML>
------_=_NextPart_001_01C58247.5E8DDBA0--

--__--__--

Message: 7
Date: Wed, 6 Jul 2005 13:56:39 -0400 (EDT)
From: Paul Robertson <proberts@patriot.net>
To: Devdas Bhagat <devdas@dvb.homelinux.org>
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Cisco PIX Version 6.3(3) SMTP Problem

On Wed, 6 Jul 2005, Devdas Bhagat wrote:

> Ugh. Mailscanner is known to be unsafe with Postfix and can cause mail
> loss. Use amavisd-new instead.

That was a while back- the Mailscanner folks have changed to implement
things in the way Wieste suggested, and it now uses a hold queue to do
processing. Unless i've missed something in the meantime, it looks to be
fully functional with Postfix now.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."

--__--__--

Message: 8
Date: Wed, 06 Jul 2005 11:13:39 -0700
To: firewall-wizards@honor.icsalabs.com
From: hermit921 <hermit921@yahoo.com>
Subject: Re: [fw-wiz] Cisco PIX Version 6.3(3) SMTP Problem

At 10:56 AM 7/6/2005, Paul Robertson wrote:
>On Wed, 6 Jul 2005, Devdas Bhagat wrote:
>
> > Ugh. Mailscanner is known to be unsafe with Postfix and can cause mail
> > loss. Use amavisd-new instead.
>
>That was a while back- the Mailscanner folks have changed to implement
>things in the way Wieste suggested, and it now uses a hold queue to do
>processing. Unless i've missed something in the meantime, it looks to be
>fully functional with Postfix now.
>
>Paul D. Robertson

We have been using MailScanner for nearly 2 years, with no problems. We
read the docs online, but decided a single postfix instance with a hold
queue made more sense. Now they recommend our approach.

hermit921

--__--__--

Message: 9
Date: Wed, 6 Jul 2005 13:27:46 -0500
From: Kevin <kkadow@gmail.com>
Reply-To: Kevin <kkadow@gmail.com>
To: firewall-wizards@icsalabs.com
Subject: Re: [fw-wiz] Firewall Log Analysis - Computer vs. Human
Cc: Adrian Grigorof <adi@grigorof.com>

Another approach is to look at what are the things that a computer can
do a lot better than a human?

Computers don't get bored, nor do they get tired of the sentinel that
continually "cries wolf" and just start ignoring future alarms. Software
can exactly count the rate of connections or other events, and track
trends in these rates over very short of very long time periods.

On 7/5/05, Adrian Grigorof <adi@grigorof.com> wrote:
> We are trying to develop a log analyzer that would "replicate" a human's
> approach to log analysis - by that I mean the fact that a human can
> correlate information in the log with other factors (like - "hmm, the log
> says that the firewall was restarted at 12:03 PM"... oh, yeah, it was tha=
t
> UPS failure yesterday around noon). For this particular example, the log
> analyzer could say in the report: "12:03 PM - Firewall restarted - Possib=
le
> power failure, power disconnection or manual restart" - a bit vague I agr=
ee
> but it is better than nothing - and in fact, this is what the firewall
> admin would go through, right? Thinking, "Why would there be a restart? I
> did not restart it.. anything happened at noon? The UPS failure!".

This type of "event correlation" is definitely something that can be (has b=
een?)
written into a program.=20

> Or for example, instead of saying IP 123.123.123.123 was denied for proto=
col
> TCP/8543 and let the firewall admin worry about it maybe the analyzer sho=
uld
> do a bit of analysis, check the "history", see that this protocol is not
> something commonly used, it's not one of the common worms and decide to
> report that it is in fact a stray TCP packet caused by Internet latency (=
TCP
> port higher than 1024, not a "known protocol", coming from an IP address
> that is typically accessed by internal IPs via HTTP - all this informatio=
n
> is should be obtainable from the logs).

Better yet, if your logs are _really_ complete, the analyzer could look bac=
k
through the history of TCP connections, determine that port 8543 was
recently used as the local source of a connection out towards port 80 of
the host 123.123.123.123, and determine that it is safe to ignore a stray
ACK/RST packet from that host, within a reasonable window.

I've found in log analysis that it's usually not difficult to write a progr=
am to
summarize and strip out the "noise", so the human analyst can concentrate
on the unusual events; not just denied attempts, but also permitted action=
s
where the connection rate or throughput is significantly higher or lower th=
an
the baseline, or the sources and destination (or pattern of src/dst) differ
from the norm, sort of like 'traffic analysis" in the old school spycraft s=
ense.

> Now, the question is, what are the things (in your opinion) that only a
> human can do?

A human can interpret a sequence of seemingly random actions and make
a good guess as to the existence and intent of the human on the other end.

Beyond that, humans are hardwired for pattern recognition (sometimes too
well, seeing patterns where none actually exist).

One way to look at event analysis is to approach it like the "machine visio=
n"
problem -- it's really difficult to write software that recognizes objects =
in a
cluttered visual field, much less to approach the ability of a person in
that regard. That doesn't stop programmers from writing software to do
edge detection and image enhancement, or video motion alarm detection
software for CCTV security systems.

Kevin Kadow

--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest

Security World

Wednesday, July 06, 2005

firewall-wizards digest, Vol 1 #1628 - 9 msgs

No comments:

Post a Comment