Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com
You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: Cisco PIX Version 6.3(3) SMTP Problem (Devdas Bhagat)
2. Re: Cisco PIX Version 6.3(3) SMTP Problem (Devdas Bhagat)
3. Re: Opinion: Worst interface ever. (Ian Rae)
4. Watchguard update (Paul D. Robertson)
5. Re: Firewall Log Analysis - Computer vs. Human (Devdas Bhagat)
6. RE: Watchguard update (Behm, Jeffrey L.)
7. Re: Cisco PIX Version 6.3(3) SMTP Problem (Paul D. Robertson)
8. Re: Cisco PIX Version 6.3(3) SMTP Problem (Devdas Bhagat)
9. Re: Cisco PIX Version 6.3(3) SMTP Problem (Paul D. Robertson)
--__--__--
Message: 1
Date: Wed, 6 Jul 2005 23:58:41 +0530
From: Devdas Bhagat <devdas@dvb.homelinux.org>
To: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Cisco PIX Version 6.3(3) SMTP Problem
Reply-To: Devdas Bhagat <devdas@dvb.homelinux.org>
On 06/07/05 13:56 -0400, Paul Robertson wrote:
> On Wed, 6 Jul 2005, Devdas Bhagat wrote:
>
> > Ugh. Mailscanner is known to be unsafe with Postfix and can cause mail
> > loss. Use amavisd-new instead.
>
> That was a while back- the Mailscanner folks have changed to implement
> things in the way Wieste suggested, and it now uses a hold queue to do
> processing. Unless i've missed something in the meantime, it looks to be
> fully functional with Postfix now.
>
The problem with mailscanner is that it directly touches Postfix queue
files, rather than using a standard Postfix supplied interface. The
queue file format is liable to change without notice, and that is when
mailscanner breaks.
Wedding my scanner to my MTA version is not exactly what I would want to do.
Devdas Bhagat
--__--__--
Message: 2
Date: Thu, 7 Jul 2005 00:03:15 +0530
From: Devdas Bhagat <devdas@dvb.homelinux.org>
To: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Cisco PIX Version 6.3(3) SMTP Problem
Reply-To: Devdas Bhagat <devdas@dvb.homelinux.org>
On 06/07/05 10:00 -0700, Gregory Hicks wrote:
<snip>
> For a home or SMALL business, I'd rather run my own mail scanner as
> well. For a medium to large business, I'd almost rather outsource the
> spam suppression.
Why?
If you use a properly configured set of systems rejecting spam at the
very edge, you can reject most of your spam without even hitting the
content filters. Filter out specific file extensions as well, and you
have very few things to really worry about (zipped viruses mostly).
Using DNSBLs effectively is a nice way of blocking a lot of spam.
Another trick is to block systems which helo as a domain you host, or
the hostname/domain name of your system. Add in sender NS and MX checks
for valid MX IP addresses, and you lose a crapload of spam just like
that. And a check on proper ESMTP pipelining usage.
Devdas Bhagat
--__--__--
Message: 3
Date: Wed, 06 Jul 2005 14:42:52 -0400
From: Ian Rae <irae@syntenic.com>
Subject: Re: [fw-wiz] Opinion: Worst interface ever.
To: firewall-wizards@icsalabs.com
Organization: Syntenic Inc.
Was expecting a more technical discussion for my introduction to this
mailing list but while we're on the topic of touchie-feelies:
Watchguard OS
I don't know pre 8.0 Watchguard well but I like Fireware 8.0 functionality
and interface a lot, and when that has failed us for certain operations
the CLI has not failed us. The Gold release was missing routes for the HA
fuctionality on the X2500 platform (a somewhat critical omission I should
add) and it was a pretty quick correction via CLI. Based on our
requirements I doubt I would ever use the non-fireware code so I can't
contribute there. I believe they will try to bring the fireware code to
their entire product line but currently it is only available on the CORE
and PEAK series.
Watchguard Support
We learned quite quickly that standard Watchguard support is sub par due
in part to the fact that it seems to be outsourced to India. We found that
to get good support you either need to appeal to your local Sales Engineer
or become a certified partner which gets you superior support from
engineers in North America.
We are heavy Netscreen users and are (so far) very happy with Watchguard's
competing solutions. We're looking forward to working with the Firebox
Peak product in the near future.
-I
On Wed, 06 Jul 2005 12:11:08 -0400, Paul D. Robertson <paul@compuwar.net>
wrote:
> On Tue, 5 Jul 2005, Mark Teicher wrote:
>
>> You may want call technical support ahead of time and schedule lots
>> of offline time to configure it properly or all your email might end
>> up in /dev/null. :(
>
> I'll reiterate that things are functioning fine once I get a rule that
> works the way I expect it to (I've been tcpdumping and testing as I make
> changes to the rules.) The box (a major plus) will not allow the traffic
> when I have it seemingly configured correctly, but not to its liking- so
> I think from a security perspective the box is doing the right thing-
> we're just not speaking the same language, or the initial configuration
> has some issues[1]. Once the rules are in place, I get fully functional,
> including over reboots.
>
> Watchguard has been good in getting hold of me and I have a support call
> scheduled for this afternoon- we'll see how that goes, but so far they've
> done all the right things and none of the wrong ones.
>
> Paul
> [1] Which if it is true, is something else that'll need to be addressed.
> -----------------------------------------------------------------------------
> Paul D. Robertson "My statements in this message are personal
> opinions
> paul@compuwar.net which may have no basis whatsoever in fact."
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
--
Ian Rae
Syntenic Inc.
514-277-2654
txt: iantxt@syntenic.com
--__--__--
Message: 4
Date: Wed, 6 Jul 2005 15:28:39 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] Watchguard update
I just spent an hour on the phone with Watchguard support. Apparently, we
had NAT all FUBARed. The option that sounds like PAT (Enable
service-based NAT) isn't; after a few changes and a reboot, it looks like
things are good to go. So, our big wrong turn that made things go
downhill was in the NAT config, and though some things worked, the
Watchguard terminology is a little strange- I'm going to go back through
the docs and see where things land with the new config in hand.
Having talked to Tech support and the PM for the interface, I do get the
impression that these folks care more about the right thing than a lot of
companies I've dealt with. While I still think the interface needs
significant work, it's offset by one of the most positive vendor
experiences I've had in a while.
Some other comments:
I've heard quite a few times, from different sources that the product is
great for folks who don't do firewalls, and not so great for those who do-
unfortunately, I think I'm likely to be cleaning up more of those in the
future than I have in the past. I hope they can strike a happier balance.
Apparently I caught their call center vendor on the day from hell, so the
"transfer me to where I don't wanna go" thing was a one-time issue that
just jumped in to drive my blood pressure a few points higher.
I was under the assumption that the ITAR thing was mostly fixed, but WG
keeps all their encrypted images online, and not in shipping product. I'm
not sure if this is an artifact, or if we collectively need to beat
Commerce about the head- Linux kernels with IPSec are downloadable from
all over the planet, it's time we[1] got over that.
I'm still grumpy about three physical interfaces that I can't use (it
would have made life a lot easier if I had one more interface,) but I
understand the market dynamics involved in making large users part from
more money than small users.
I'd like to thank everyone who gave me feedback, assistance and offers of
tech support both on and off list.
Thanks,
Paul
[1] The royal US-based we.
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
--__--__--
Message: 5
Date: Thu, 7 Jul 2005 01:31:24 +0530
From: Devdas Bhagat <devdas@dvb.homelinux.org>
To: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Firewall Log Analysis - Computer vs. Human
Reply-To: Devdas Bhagat <devdas@dvb.homelinux.org>
On 05/07/05 12:23 -0400, Adrian Grigorof wrote:
> Hi all,
>
> We are trying to develop a log analyzer that would "replicate" a human's
> approach to log analysis - by that I mean the fact that a human can
> correlate information in the log with other factors (like - "hmm, the log
Hmmm, Marcus had a thread on the loganalysis[1] list, asking what
information could be gleaned from the logs. That thread would be a good
starting point for a correlation engine of this type.
In general, if it gets logged, it can be correlated to some extent. The
problem most often is that there is no logging infrastructure for such
correlation.
> says that the firewall was restarted at 12:03 PM"... oh, yeah, it was that
> UPS failure yesterday around noon). For this particular example, the log
> analyzer could say in the report: "12:03 PM - Firewall restarted - Possible
> power failure, power disconnection or manual restart" - a bit vague I agree
> but it is better than nothing - and in fact, this is what the firewall
> admin would go through, right? Thinking, "Why would there be a restart? I
And there could be any other reason, which would be extremely
misleading. IMHO, it is better not to attempt to correlate with vague
information which leads the administrator down the wrong track.
Humans are good at ignoring things that cry wolf too often.
> did not restart it.. anything happened at noon? The UPS failure!". Or for
What happens if the failure was due to something else, like someone
tripping over the power cable, or just a system failure and none of your
possibilities were correct?
If you log more data and then filter, then you can do useful correlations.
"Show me all events that happened in this time range relating to the
firewall", with a predefined dependency for the firewall on the UPS.
The complex problem is getting the human being to define the dependency
of the firewall on the UPS in the first place.
Devdas Bhagat
--__--__--
Message: 6
Subject: RE: [fw-wiz] Watchguard update
Date: Wed, 6 Jul 2005 16:05:37 -0500
From: "Behm, Jeffrey L." <BehmJL@bvsg.com>
To: "Paul D. Robertson" <paul@compuwar.net>,
<firewall-wizards@honor.icsalabs.com>
On Wednesday, July 06, 2005 2:29 PM, Paul D. Robertson spake:
>Having talked to Tech support and the PM for the interface, I do get
the
>impression that these folks care more about the right thing than a lot
of
>companies I've dealt with. While I still think the interface needs
>significant work, it's offset by one of the most positive vendor
>experiences I've had in a while.
It's good to see that the good side of the story came out as well.
Hopefully, your good experience with their support line is not just=20
because they caught wind of your earlier, um, rant(?) about=20
their product on such a widely-read mailing list...
Jeff
--__--__--
Message: 7
Date: Wed, 6 Jul 2005 17:10:28 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
To: Devdas Bhagat <devdas@dvb.homelinux.org>
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Cisco PIX Version 6.3(3) SMTP Problem
On Thu, 7 Jul 2005, Devdas Bhagat wrote:
> On 06/07/05 10:00 -0700, Gregory Hicks wrote:
> <snip>
> > For a home or SMALL business, I'd rather run my own mail scanner as
> > well. For a medium to large business, I'd almost rather outsource the
> > spam suppression.
>
> Why?
> If you use a properly configured set of systems rejecting spam at the
> very edge, you can reject most of your spam without even hitting the
> content filters. Filter out specific file extensions as well, and you
> have very few things to really worry about (zipped viruses mostly).
[Devil's advocate]
It helps to have someone else eat the bandwidth costs.
[/Devil's advocate]
I'm not really a big fan of outsourcing core infrastructure, and I feel
e-mail is too critical to outsource- others seem to think not having to
deal with it is a bonus- reasonable folks differ.
However, I will say this:
Even without doing huge RBL stuff, there's enough spam out there to do
wonders just blocking on user name and the common domain stuff.
> Using DNSBLs effectively is a nice way of blocking a lot of spam.
> Another trick is to block systems which helo as a domain you host, or
> the hostname/domain name of your system. Add in sender NS and MX checks
> for valid MX IP addresses, and you lose a crapload of spam just like
> that. And a check on proper ESMTP pipelining usage.
I've got a customer who's business was dying from dictionary attacks via
e-mail. They run FBSD and had Sendmail on their mail server with some
rejection stuff hacked in. Load average on their primary MX was going
over 230, and the secondary was up over 100 during peak attacks. They
were at the point they couldn't do business and were looking at a $15,000
mail server upgrade in the hopes that they could stave off the spam attacks.
I spent ~45m each on their two MX boxen upgrading from Sendmail to
Postfix, and implementing basic rejections. Load average hasn't gone
above 1.0 since I did the changes about two months ago. They average
about 1.2 million rejected messages in a 24 hour period, and their
legitimate mail gets through just fine. Peak rejections in a day have
been 2.4M, with rates of 65 rejections/second sustained for an hour at a
time (thanks Jim, pflogsumm rocks!)
No OS upgrades, no hardware upgrades, and the primary MX "handles" the
rejections fast enough that the secondary doesn't get loaded up during
attacks. I guess if I was a smarter consultant, I'd have made it so I had
to do something every week to "tune" it, but I prefer solving new
problems to continuing to tilt at old ones.
Generally what's left over is easy to filter with just about anything, so
I'd say my experience mirrors yours in that basic protections nail the
majority of the bad stuff. For my personal stuff, I just run it all
through Mailscanner and clean out the rejected piles from time to time.
I've updated my rules three times this year. I've seen about 20 spam
messages that didn't get caught by filters, I used to see 3x that a day
on *good* days.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
--__--__--
Message: 8
Date: Thu, 7 Jul 2005 03:38:49 +0530
From: Devdas Bhagat <devdas@dvb.homelinux.org>
To: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Cisco PIX Version 6.3(3) SMTP Problem
Reply-To: Devdas Bhagat <devdas@dvb.homelinux.org>
On 06/07/05 17:10 -0400, Paul D. Robertson wrote:
> On Thu, 7 Jul 2005, Devdas Bhagat wrote:
>
> > On 06/07/05 10:00 -0700, Gregory Hicks wrote:
> > <snip>
> > > For a home or SMALL business, I'd rather run my own mail scanner as
> > > well. For a medium to large business, I'd almost rather outsource the
> > > spam suppression.
> >
> > Why?
> > If you use a properly configured set of systems rejecting spam at the
> > very edge, you can reject most of your spam without even hitting the
> > content filters. Filter out specific file extensions as well, and you
> > have very few things to really worry about (zipped viruses mostly).
>
> [Devil's advocate]
> It helps to have someone else eat the bandwidth costs.
> [/Devil's advocate]
>
> I'm not really a big fan of outsourcing core infrastructure, and I feel
> e-mail is too critical to outsource- others seem to think not having to
> deal with it is a bonus- reasonable folks differ.
>
This depends on a lot of factors. In particular, the skillset of the
administrator. Email administration does not take so much time, as
skill.
Email is possibly the most complex piece of application infrastructure
out there. IMHO, a good email administrator knows IP routing, DNS, SMTP,
POP3, IMAP, LDAP and/or SQL, HTTP, Unix system tuning, Perl/Shell
scripting, possibly NFS, procmail/maildrop/other MDA, log analysis,
and then some more administrative skills. Oh, and reasonable people
skills too.
Such people are not easy to locate, or cheap.
> However, I will say this:
>
> Even without doing huge RBL stuff, there's enough spam out there to do
> wonders just blocking on user name and the common domain stuff.
>
http://nixcartel.org/~devdas/minute.png just to contrast with your
numbers below. These systems are CPU bound.
About half that is DNSBL, a quarter is unknown user and the rest is
other checks. And that graph is from last August. There is no major
content filtering (only some header, mime_header and body checks).
> > Using DNSBLs effectively is a nice way of blocking a lot of spam.
> > Another trick is to block systems which helo as a domain you host, or
> > the hostname/domain name of your system. Add in sender NS and MX checks
> > for valid MX IP addresses, and you lose a crapload of spam just like
> > that. And a check on proper ESMTP pipelining usage.
>
> I've got a customer who's business was dying from dictionary attacks via
> e-mail. They run FBSD and had Sendmail on their mail server with some
> rejection stuff hacked in. Load average on their primary MX was going
> over 230, and the secondary was up over 100 during peak attacks. They
> were at the point they couldn't do business and were looking at a $15,000
> mail server upgrade in the hopes that they could stave off the spam attacks.
>
Was this an "accept everything and then bounce" setup? People should
know better than to leave systems like that on the Internet today.
> I spent ~45m each on their two MX boxen upgrading from Sendmail to
> Postfix, and implementing basic rejections. Load average hasn't gone
> above 1.0 since I did the changes about two months ago. They average
> about 1.2 million rejected messages in a 24 hour period, and their
> legitimate mail gets through just fine. Peak rejections in a day have
> been 2.4M, with rates of 65 rejections/second sustained for an hour at a
> time (thanks Jim, pflogsumm rocks!)
>
Nice. If you have the time, plug in mailgraph there, it generates pretty
graphs.
> No OS upgrades, no hardware upgrades, and the primary MX "handles" the
> rejections fast enough that the secondary doesn't get loaded up during
> attacks. I guess if I was a smarter consultant, I'd have made it so I had
> to do something every week to "tune" it, but I prefer solving new
> problems to continuing to tilt at old ones.
>
Do they really need the secondary? Spammers tend to attack secondaries
far more often than primaries, and most secondary MX servers serve no
useful purpose today.
> Generally what's left over is easy to filter with just about anything, so
> I'd say my experience mirrors yours in that basic protections nail the
> majority of the bad stuff. For my personal stuff, I just run it all
> through Mailscanner and clean out the rejected piles from time to time.
>
> I've updated my rules three times this year. I've seen about 20 spam
> messages that didn't get caught by filters, I used to see 3x that a day
> on *good* days.
>
I wish I was that lucky. I get about 40 UBE a day sent to my forwarding
accounts. Stuff sent directly here doesn't make it through though.
Devdas Bhagat
--__--__--
Message: 9
Date: Wed, 6 Jul 2005 18:39:03 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
To: Devdas Bhagat <devdas@dvb.homelinux.org>
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Cisco PIX Version 6.3(3) SMTP Problem
On Thu, 7 Jul 2005, Devdas Bhagat wrote:
> This depends on a lot of factors. In particular, the skillset of the
> administrator. Email administration does not take so much time, as
> skill.
Yes, but unless you're having problems, it's pretty much a fire and forget
thing.
> http://nixcartel.org/~devdas/minute.png just to contrast with your
> numbers below. These systems are CPU bound.
> About half that is DNSBL, a quarter is unknown user and the rest is
> other checks. And that graph is from last August. There is no major
> content filtering (only some header, mime_header and body checks).
Nice, the system I talked about delivers between 20,000 and 35,000
messages per day. I'm considering graphing it out, but haven't had the
time to parse the message I get and lump it into something useful.
> Was this an "accept everything and then bounce" setup? People should
> know better than to leave systems like that on the Internet today.
It wasn't. I've got one of those, it's just fine- though pre-mailfilter,
I was considering locking it down by recipient.
> Nice. If you have the time, plug in mailgraph there, it generates pretty
> graphs.
They're not big on graphs, which is why I hope to work with them a lot
more in the future!
> Do they really need the secondary? Spammers tend to attack secondaries
> far more often than primaries, and most secondary MX servers serve no
> useful purpose today.
>
Unfortunately, they do- they're a service provider.
> > Generally what's left over is easy to filter with just about anything, so
> > I'd say my experience mirrors yours in that basic protections nail the
> > majority of the bad stuff. For my personal stuff, I just run it all
> > through Mailscanner and clean out the rejected piles from time to time.
> >
> > I've updated my rules three times this year. I've seen about 20 spam
> > messages that didn't get caught by filters, I used to see 3x that a day
> > on *good* days.
> >
> I wish I was that lucky. I get about 40 UBE a day sent to my forwarding
> accounts. Stuff sent directly here doesn't make it through though.
Oh, I have accounts that aren't that good, but I don't control the
mailserver on those, or I don't set the policy. But this account has been
doing pretty well.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
--__--__--
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest
Nice information about Watchguard support.
ReplyDelete