Wednesday, August 31, 2005

firewall-wizards digest, Vol 1 #1655 - 10 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. Re: PIX denying SSH Access - until I run PDM? (Tichomir Kotek)
2. Re: PIX denying SSH Access - until I run PDM? (Greg Padden)
3. RE: Layer 2 firewalls ... (Paul Melson)
4. firewall rule lifecycle management (Michael Cox)
5. RE: firewall rule lifecycle management (Bruce Smith)
6. Re: firewall rule lifecycle management (Skip Carter)
7. Re: firewall rule lifecycle management (Joe Matusiewicz)
8. Re: Layer 2 firewalls ... (Dale W. Carder)
9. Re: firewall rule lifecycle management (Kevin)
10. Re: firewall rule lifecycle management (Christoph Haas)

--__--__--

Message: 1
Date: Tue, 30 Aug 2005 12:48:38 +0200
From: Tichomir Kotek <tichomir.kotek@lynx.sk>
To: firewall-wizards@honor.icsalabs.com
Cc: Paul Pershing <streamfile@gmail.com>
Subject: Re: [fw-wiz] PIX denying SSH Access - until I run PDM?

Paul Pershing wrote:
> Hi,

Hi,

> The odd part is that I discovered through trial and error that if
> access the PIX via PDM after the failed SSH attempt - even if the PDM
> connection is not completed - I can then attach via SSH.

I observerd the same weird behavior. Somehow I figured out that
before connecting with ssh one must generate certificate on pix.
("show ca mypubkey rsa " to verify if you have any)

BUT using pdm pix auto-generates self-signed certificate automagically
(I think even connecting to https generates one) and after that ssh
is working fine.
before using ssh do not forget to "ca generate rsa key 1024"
"ca save all" to save those keys to permanent storage.

> This is such a bizarre problem that I've been reluctant to post it;
> but I've encountered it so many times now that my curiousity has
> gotten the better of me!

hope that helps

tk

--__--__--

Message: 2
Date: Tue, 30 Aug 2005 07:34:21 -0500
From: Greg Padden <paddeng@biostat.wisc.edu>
Reply-To: paddeng@biostat.wisc.edu
To: Paul Melson <pmelson@gmail.com>
Cc: "'Paul Pershing'" <streamfile@gmail.com>,
firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] PIX denying SSH Access - until I run PDM?

Nope, you need to issue the command (in config mode) ca save all.

If you don't save the CA cert, you get a new one every reboot. And you
don't generate a new CA until you fire up the https interface.

Paul Melson wrote:

>I have a hunch that you may have an 'aaa authentication' rule that's causing
>this problem. Would you be willing to post the output of 'show aaa' from a
>PIX with this affliction? Of course, sanitize it to prevent any unnecessary
>disclosures such as user names or public IP addresses.
>
>PaulM
>
>-----Original Message-----
>Subject: [fw-wiz] PIX denying SSH Access - until I run PDM?
>
>The symptom is that a few weeks will pass since I last logged onto the fw
>using ssh; and I'll attempt to; but instead of being prompted for a
>userid/password the client will simply sit there and stare at me while doing
>nothing - no errors. If I'm using Kermit (usual) it'll just sit on the blank
>black screen until it times out. Other clients produce similar behavior.
>
>The odd part is that I discovered through trial and error that if access the
>PIX via PDM after the failed SSH attempt - even if the PDM connection is not
>completed - I can then attach via SSH.
>
>This is such a bizarre problem that I've been reluctant to post it; but I've
>encountered it so many times now that my curiousity has gotten the better of
>me!
>
>_______________________________________________
>firewall-wizards mailing list
>firewall-wizards@honor.icsalabs.com
>http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
>

--__--__--

Message: 3
From: "Paul Melson" <pmelson@gmail.com>
To: "'Andrew K. Adams'" <akadams@psc.edu>,
<firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] Layer 2 firewalls ...
Date: Tue, 30 Aug 2005 09:52:36 -0400

If we're talking about the same thing, layer 2 firewalls are just bridges
that inspect packets and act on them, much the same way a typical network
firewall would. You can still perform NAT and its subsets (PAT,
port-forwarding, etc.) with a bridging firewall. (OK, *some* bridging
firewalls perform NAT, others can't and are junk. )

The main drawback that I am aware of is a lack of flexibility in network
architecture surrounding bridges and thus, bridging firewalls. If you want
to use routed networks on both sides of your firewall, it must be in the
physical path between two routers. This can make fail-over and
load-balancing designs more complicated than they otherwise might be if the
firewall were a layer 3 hop that could be inserted into a route.

Anyway, I don't know how much I buy into the advantage of non-addressed
interfaces. If the goal is to keep an attacker from being able to send
packets directly to the firewall interfaces while traffic still passes
across them, you can use ACLs to filter that traffic on a typical firewall.
(Check Point has branded this the "stealth rule." Sounds better than the
"duuhrrr rule.") Also, if there's a bug in your firewall code, that bug can
likely still be exploited by passing that packet across the bridge. I'm
still not sure what I've gained, but now I have a firewall I can't ping. ;)

PaulM

-----Original Message-----
Subject: [fw-wiz] Layer 2 firewalls ...

Is anyone aware of any *disadvantages* of layer 2 firewalls?

Current marketing seems to be pushing layer 2 firewalls mostly, as far as I
can tell, to reduce the possibility of the device being compromised (no ip
address.) And it seems to me, that any network using a media of Ethernet
could (and should?) be doing this, unless of course, they needed the device
to perform layer 3 or 4 utility (e.g., NAT), additionally.

I readily admit that I don't possess "link layer" expertise, and thus, I
suspect that I must be missing something further, if layer 2 firewalls are
indeed a trade-off.

--__--__--

Message: 4
From: Michael Cox <michael@wanderingbark.net>
To: firewall-wizards@honor.icsalabs.com
Date: Tue, 30 Aug 2005 10:25:02 -0500
Subject: [fw-wiz] firewall rule lifecycle management

Hi all.

Question: What do those of you in large environments do to manage your
rulesets in terms of removing access that is no longer required? We get
lots of requests to add access, but are almost never told when
something can be removed. This is a large corporation with lots of
subcontractors, B2B, etc., and we're looking for ideas on how others
get a handle on this (or does anybody?).

Thanks in advance!
Michael

--__--__--

Message: 5
From: "Bruce Smith" <bruce_the_loon@tiscali.co.za>
To: "'Michael Cox'" <michael@wanderingbark.net>,
<firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] firewall rule lifecycle management
Date: Tue, 30 Aug 2005 20:09:12 +0200

Hi

From my PIX experience, clear rule counters every month. After a while, look
for the rules that have zero counts and then remove them. Can be scripted
and searched with grep.

Bruce

-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Michael Cox
Sent: Tuesday, August 30, 2005 5:25 PM
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] firewall rule lifecycle management

Hi all.

Question: What do those of you in large environments do to manage your
rulesets in terms of removing access that is no longer required? We get
lots of requests to add access, but are almost never told when
something can be removed. This is a large corporation with lots of
subcontractors, B2B, etc., and we're looking for ideas on how others
get a handle on this (or does anybody?).

Thanks in advance!
Michael
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

--__--__--

Message: 6
To: firewall-wizards@honor.icsalabs.com
Cc: Michael Cox <michael@wanderingbark.net>
Subject: Re: [fw-wiz] firewall rule lifecycle management
Date: Tue, 30 Aug 2005 12:03:37 -0700
From: Skip Carter <skip@taygeta.com>

> Question: What do those of you in large environments do to manage your
> rulesets in terms of removing access that is no longer required? We get
> lots of requests to add access, but are almost never told when
> something can be removed. This is a large corporation with lots of
> subcontractors, B2B, etc., and we're looking for ideas on how others
> get a handle on this (or does anybody?).

We once provided an external firewall audit and in reviewing the special
access rules such as those described above, we noticed that one remote
location that had special access to Victoria's Secret (the client was
NOT any sort of retailer)! It turned out that the IP address once
belonged to a genuine business partner, who later gave up the address
which ultimately ended up in the possession of Victoria's Secret.

They now use a formal written change control procedure to help
manage this problem. We will see how well that works next audit.

Perhaps periodic external review is the best way.

Skip

--
Dr. Everett (Skip) Carter Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Network Security Services email: skip@taygeta.net
1340 Munras Ave., Suite 314 WWW: http://www.taygeta.net/
Monterey, CA. 93940

--__--__--

Message: 7
Date: Tue, 30 Aug 2005 15:08:33 -0400
To: Michael Cox <michael@wanderingbark.net>,
firewall-wizards@honor.icsalabs.com
From: Joe Matusiewicz <joem@nist.gov>
Subject: Re: [fw-wiz] firewall rule lifecycle management

At 11:25 AM 8/30/2005, Michael Cox wrote:
>Hi all.
>
>Question: What do those of you in large environments do to manage your
>rulesets in terms of removing access that is no longer required? We get
>lots of requests to add access, but are almost never told when
>something can be removed. This is a large corporation with lots of
>subcontractors, B2B, etc., and we're looking for ideas on how others
>get a handle on this (or does anybody?).

Once a year we get the diverse groups in a room and review the rules. It's
a long meeting and you will always hear the words "that box doesn't exist
anymore".

-- Joe

--__--__--

Message: 8
Date: Tue, 30 Aug 2005 14:29:14 -0500
From: "Dale W. Carder" <dwcarder@doit.wisc.edu>
To: "Andrew K. Adams" <akadams@psc.edu>
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Layer 2 firewalls ...

I doubt that there's much gained from the marketing material,
but some pluses for layer-2 firewalls include not having to
renumber end stations during integration and the ability to
pass through non-ipv4 or non-unicast traffic easily.

The downsides are that you better know your layer 2. Not everyone
thinks about layer 2 because it usually just "works". You need
to be careful about vlans, stp roots, bpdu's and other fun stuff
when layer2 firewalls bridge lans.

Dale

----------------------------------
Dale W. Carder - Network Engineer
University of Wisconsin at Madison
http://net.doit.wisc.edu/~dwcarder

--__--__--

Message: 9
Date: Tue, 30 Aug 2005 23:44:04 -0500
From: Kevin <kkadow@gmail.com>
To: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] firewall rule lifecycle management
Cc: Michael Cox <michael@wanderingbark.net>

On 8/30/05, Michael Cox <michael@wanderingbark.net> wrote:
> Question: What do those of you in large environments do to manage your
> rulesets in terms of removing access that is no longer required?

This can be a real problem, especially for services which are only
used for quarterly or biannual reports, if that often.

We're just now migrating a number of B2B rules to new firewalls,
and in this process we're discovering that fully half of the current
rules are no longer used; in many cases the source or destination
IP address no longer exists, often the employee listed as the
contact on the original request is no longer with the company.

Last week I was trying to track down a port and determined that the
vendor offering the B2B service had been bought out, no longer
exists under the original name. But the service is still running,
I wonder if they know? (legacy firewall policies cut both ways!)

> We get lots of requests to add access, but are almost never told when
> something can be removed. This is a large corporation with lots of
> subcontractors, B2B, etc., and we're looking for ideas on how others
> get a handle on this (or does anybody?).

Our Sidewinder G2 firewalls offers fields for an end time and date
under the "authentication" settings for each rule, and we are starting
to request a termination date for all "short term" requests and
entering this into the firewall. The vendor also offers an add-on
reporting tool which can provide rule-based reports showing
unused rules in the active firewall policy. I haven't tried this yet,
as the "Security Reporter" only runs on Windows.

It should be interesting to see what happens six months down the road,
when these rules start to expire...

Kevin Kadow
--
Moderator, Unofficial Sidewinder Firewall Users group:
http://groups.yahoo.com/group/sidewinder-users/

--__--__--

Message: 10
Date: Wed, 31 Aug 2005 14:29:54 +0200
From: Christoph Haas <email@christoph-haas.de>
To: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] firewall rule lifecycle management

Hi, Michael...

On Tue, Aug 30, 2005 at 10:25:02AM -0500, Michael Cox wrote:
> Question: What do those of you in large environments do to manage your
> rulesets in terms of removing access that is no longer required? We get
> lots of requests to add access, but are almost never told when
> something can be removed. This is a large corporation with lots of
> subcontractors, B2B, etc., and we're looking for ideas on how others
> get a handle on this (or does anybody?).

"We" are also a large company (50,000 employees, worldwide subsidiaries).
There is a form on dead trees that we want to have signed before we
grant any access/change any firewall rule. This is to make sure most
people switch on their brains before they want anything. And by signing
the form they become responsible for the machines in question in case
they get hacked.

That very form contains an expiry date. New accesses are only allowed up
to a duration of one year. Many accesses are only needed for a test so
they are activated for a week or a month. Since we have a counter on
every form we can more or less easily "expire" them by looking through
old ones. The comment field in our firewall rules corresponds to the
numers on the forms.

I'm currently working on digital forms so that the users can extend that
period. If they don't react we will get an information that the rule can
be deleted. (Sorry, this isn't open-source since the company is paying
me to do it.)

In addition we have an internal revision department that checks our
rulebase every now and then. Although I have to be honest... they don't
understand every detail. And neither do we. Often the administrators of
the servers do not even know what they do. But that's where theory
differs from reality. :)

This may not be the greatest solution. But it works for us so far.

Regards
Christoph
--
~
~
~
".signature" [Modified] 3 lines --100%-- 3,41 All

--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest

No comments:

Post a Comment