firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Best way to block incoming connections from open http proxy
servers? (Chris Smith)
2. Re: HIPS experience (Paul Melson)
3. PIX - acl breaks implicit outbound rule (Richard Shaw)
4. Netscreen to Cisco IOS tunneling (J. Oquendo)
5. Re: HIPS experience (stursa@695online.com)
----------------------------------------------------------------------
Message: 1
Date: Mon, 21 May 2007 14:16:29 -0700
From: "Chris Smith" <csmith@1pointe.com>
Subject: [fw-wiz] Best way to block incoming connections from open
http proxy servers?
To: <firewall-wizards@listserv.icsalabs.com>
Message-ID:
<BBB5E2BE7794B94481346ED929C8C0AC1064C7@drevil.1pointe.local>
Content-Type: text/plain; charset="us-ascii"
Hi All.
What's the recommended way to maintain a list of public, open http
proxies and block them from making inbound connections to an http server
with iptables?
I have linblock http://www.dessent.net/linblock/ which I use for a few
other lists. Is there a regularly updated list out there for open http
proxies that can be used for this purpose?
I'm hoping I can retrieve a text file with the IPs every day with a
cron job and let linblock update an IPTables chain. Perhaps there's a
better way?
csmith
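A worked version of the cron-driven approach Chris describes, added here as an example and not code from the post or from linblock. It validates each entry before it can become an iptables argument, strips comments and duplicates, refuses to rebuild the chain from an empty or unparseable download (which would otherwise silently remove the block), and by default only prints the iptables commands. The feed URL, the chain name and the sample feed are assumptions.

```shell
#!/bin/sh
# Daily refresh of an iptables blocklist chain from a text feed of open proxies.
# Example code added to this digest; not from the post or from linblock.
# LIST_URL is a placeholder (assumption): point it at a feed you actually trust.
LIST_URL="${LIST_URL:-https://example.invalid/open-proxies.txt}"
CHAIN="${CHAIN:-OPENPROXY}"      # chain that holds one DROP per listed address
HTTP_PORT="${HTTP_PORT:-80}"     # only web traffic is checked against the list
OFFLINE="${OFFLINE:-1}"          # 1 = use the constructed sample feed below

# Constructed sample feed standing in for the download, with the kinds of
# junk a real feed can contain: comments, a trailing comment, duplicates,
# and lines that are not addresses at all.
sample_feed() {
  cat <<'EOF'
# open proxy feed (constructed sample)
192.0.2.10
198.51.100.0/24
203.0.113.5   # trailing comment
not-an-address
300.1.1.1
192.0.2.10
EOF
}

# valid_ipv4 ADDR[/PREFIX]: succeeds only for a well-formed IPv4 address or
# CIDR, so a garbled line can never turn into an iptables argument.
valid_ipv4() {
  addr=${1%/*}; prefix=${1#*/}
  [ "$prefix" = "$1" ] && prefix=32            # no slash: single host
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# clean_list: feed on stdin -> one validated, de-duplicated entry per line on
# stdout; rejected lines are reported on stderr.
clean_list() {
  sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
  while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    if valid_ipv4 "$entry"; then printf '%s\n' "$entry"
    else printf 'skipping invalid entry: %s\n' "$entry" >&2; fi
  done | sort -u
}

# build_rules: cleaned list on stdin -> iptables commands on stdout.
# Refuses an empty list: rebuilding from a failed or HTML-error download would
# otherwise flush the chain and quietly remove the protection.
build_rules() {
  entries=$(cat)
  if [ -z "$entries" ]; then
    echo "refusing to rebuild $CHAIN from an empty list (download failed?)" >&2
    return 1
  fi
  printf 'iptables -N %s 2>/dev/null || true\n' "$CHAIN"
  printf 'iptables -F %s\n' "$CHAIN"
  printf '%s\n' "$entries" | while IFS= read -r e; do
    printf 'iptables -A %s -s %s -j DROP\n' "$CHAIN" "$e"
  done
  printf 'iptables -A %s -j RETURN\n' "$CHAIN"
  # Hook the chain into INPUT once (-C checks for an existing jump first).
  printf 'iptables -C INPUT -p tcp --dport %s -j %s 2>/dev/null || iptables -I INPUT -p tcp --dport %s -j %s\n' \
    "$HTTP_PORT" "$CHAIN" "$HTTP_PORT" "$CHAIN"
}

# main: print the rule set; pipe it to sh from cron to apply it.
main() {
  if [ "$OFFLINE" = 1 ]; then sample_feed; else curl -fsS --max-time 60 "$LIST_URL"; fi |
    clean_list | build_rules
}

main
```

Run with OFFLINE=0 to fetch LIST_URL with curl and pipe the output to sh to apply it. For lists of more than a few thousand entries an ipset matched with `iptables -m set` is faster than a linear chain and can be swapped atomically, which also removes the short window in which the flushed chain is empty.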
------------------------------
Message: 2
Date: Mon, 21 May 2007 07:30:51 -0400
From: "Paul Melson" <pmelson@gmail.com>
Subject: Re: [fw-wiz] HIPS experience
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<40ecb01f0705210430g45f3a7abk7fee2b26f12e7f82@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
On 5/18/07, stursa@695online.com <stursa@695online.com> wrote:
> Checkpoint has a very similar (i.e. behavioral, not signature-based HIPS)
> known as "Integrity Secure Client". The management center is stand-alone,
> costs about $3k IIRC. The client licenses cost less as well. For an
> additional fee you get point-and-click access to a big database of events
> and software, so it's much easier to determine whether a particular .exe
> is safe.
This was originally ZoneLabs' Integrity, and at one point in time was
the only way to enforce host security policy w/ the Cisco VPN3K. It
never worked with Check Point until after the acquisition. To be
honest, I'm a little surprised that after several releases the Cisco
ASA/VPN3K support is still there.
PaulM
------------------------------
Message: 3
Date: Tue, 22 May 2007 14:08:09 +0100
From: "Richard Shaw" <richard@aggress.net>
Subject: [fw-wiz] PIX - acl breaks implicit outbound rule
To: firewall-wizards@listserv.icsalabs.com
Message-ID:
<aa7e63a0705220608x5dfc4108rc34185e1ca5696de@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Hi There,
I'm trying to get successful two way communication over a selected port
range between 2 hosts on different interfaces.
Interface 1 (100) ------------ Interface 2 (90)
host1 (10.0.1.11) ------------ host2 (10.0.5.2)
I've already put in a static route so host1 can get down to host2, however I
need host2 to be able to open a connection back through on selected ports.
I've been able to get it semi-working by applying the following:
static (Interface1,Interface2) 10.0.5.200 10.0.1.11 netmask 255.255.255.255
access-list Interface2toInterface1 extended permit udp host 10.0.5.2 host
10.0.5.200 eq port-range
access-group Interface2toInterface1 in interface Interface2
However, it replaces the implicit outbound rule for Interface2 and breaks
all other outbound traffic on the interface. My question is, what can I
append to the above access group to put the outbound rule back in?
Any thoughts or suggestions would be super useful
Thanks!
Richard
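The behaviour Richard hits is the PIX first-match rule: once an access-group is applied inbound on an interface, only traffic that some line of that list permits gets through, the implicit "higher security to lower security" permission for that interface no longer applies, and everything else hits the implicit deny at the end of the list. The usual fix is to finish the list with a permit that restores the outbound traffic you still want, for example `permit ip 10.0.5.0 255.255.255.0 any` if host2's subnet is 10.0.5.0/24. The script below, added as an example and not from the post, evaluates a flow against a PIX 7.x style ACL (netmask form, `host`, `any`, first match wins, implicit deny) and shows host2's ordinary outbound connection being denied before the trailing permit and allowed after it. The port 5000 standing in for Richard's `port-range`, the 10.0.5.0/24 subnet and the 192.0.2.1 destination are constructed.

```shell
#!/bin/sh
# Evaluates a flow against a PIX 7.x style ACL the way the firewall does:
# first match wins, anything unmatched hits the implicit deny at the end.
# Example code added to this digest; not from the post.

# The list from the post, with 5000 standing in for "port-range" (assumption).
ACL_BEFORE='access-list Interface2toInterface1 extended permit udp host 10.0.5.2 host 10.0.5.200 eq 5000'

# Same list with a trailing permit that restores outbound traffic for host2's
# subnet; 10.0.5.0/24 is assumed to be the subnet behind Interface2.
ACL_AFTER="$ACL_BEFORE
access-list Interface2toInterface1 extended permit ip 10.0.5.0 255.255.255.0 any"

ip2int() { oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs; echo $(( ($1<<24) | ($2<<16) | ($3<<8) | $4 )); }

# in_net ADDR NET MASK: succeeds when ADDR lies in NET/MASK (PIX uses real netmasks)
in_net() {
  [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

# parse_addr TOKENS...: reads "host A", "any" or "NET MASK" into NET/MASK and
# reports in SKIP how many tokens it consumed
parse_addr() {
  case "$1" in
    host) NET=$2; MASK=255.255.255.255; SKIP=2 ;;
    any)  NET=0.0.0.0; MASK=0.0.0.0; SKIP=1 ;;
    *)    NET=$1; MASK=$2; SKIP=2 ;;
  esac
}

# evaluate_flow ACL PROTO SRC DST DPORT -> prints "permit" or "deny"
evaluate_flow() {
  acl=$1; proto=$2; src=$3; dst=$4; dport=$5
  result=$(printf '%s\n' "$acl" | while read -r _kw _name _ext action aproto rest; do
    set -- $rest
    parse_addr "$@"; snet=$NET; smask=$MASK; shift "$SKIP"
    parse_addr "$@"; dnet=$NET; dmask=$MASK; shift "$SKIP"
    aport=any; [ "${1:-}" = eq ] && aport=$2
    [ "$aproto" = ip ] || [ "$aproto" = "$proto" ] || continue   # "ip" covers every protocol
    in_net "$src" "$snet" "$smask" || continue
    in_net "$dst" "$dnet" "$dmask" || continue
    [ "$aport" = any ] || [ "$aport" = "$dport" ] || continue
    echo "$action"; exit 0         # first matching line decides
  done)
  echo "${result:-deny}"           # nothing matched: implicit deny
}

# Stand-alone demonstration of the symptom and the fix.
printf 'before: host2 reply to the NAT address -> %s\n' "$(evaluate_flow "$ACL_BEFORE" udp 10.0.5.2 10.0.5.200 5000)"
printf 'before: host2 ordinary web traffic     -> %s\n' "$(evaluate_flow "$ACL_BEFORE" tcp 10.0.5.2 192.0.2.1 80)"
printf 'after:  host2 ordinary web traffic     -> %s\n' "$(evaluate_flow "$ACL_AFTER" tcp 10.0.5.2 192.0.2.1 80)"
```

The trailing permit should be as narrow as the traffic you actually need to restore; `permit ip any any` at the end of the list also works but gives back more than the implicit rule did, since it no longer cares which source subnet the packets claim to come from.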
------------------------------
Message: 4
Date: Tue, 22 May 2007 09:00:25 -0400
From: "J. Oquendo" <sil@infiltrated.net>
Subject: [fw-wiz] Netscreen to Cisco IOS tunneling
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4652E969.60003@infiltrated.net>
Content-Type: text/plain; charset="iso-8859-1"
Good morning (afternoon) all,
Have the following question in regards to a tunnel I'm trying to
establish between a Netscreen and a 3845:
#sh ver
Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version
12.4(6)T1, RELEASE SOFTWARE (fc3)
...
ROM: Cisco IOS Software, 3800 Software (C3845-IPBASE-M), Version
12.3(11)T5, RELEASE SOFTWARE (fc1)
My network information:
My VPN Peer address:
10.10.53.98
My ACL Host range:
10.10.53.192/30
Client's Netscreen Peer address:
10.15.179.238
---
Their networks:
Customer Pre-shared key:
secret
PHASE 1 proposal: DH group2-3des-md5
PHASE 2 proposal: PFS group2-esp-3des-md5
Client's ACL host range:
10.10.178.192/30
My configs:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key secret address 10.15.179.238
crypto ipsec transform-set predefined esp-3des esp-md5-hmac
crypto map defined 10 ipsec-isakmp
set peer 10.15.179.238
set transform-set predefined
set pfs group2
match address 112
access-list 112 permit ip 208.50.53.98 0.0.0.7 63.79.178.192 0.0.0.3
Question... Since I have a constant 20+Mbps on one of my interfaces, I'm
reluctant to have an outage...
interface Serial1/0.xxx point-to-point
description xxx.xxx.xxx.xxx
ip address 10.5.5.106 255.255.255.252
frame-relay interface-dlci xxx
If I apply the crypto map predefined to this interface, would it drop
all non-encrypted traffic?
interface Serial1/0.xxx point-to-point
description xxx.xxx.xxx.xxx
ip address 10.5.5.106 255.255.255.252
frame-relay interface-dlci xxx
crypto map predefined
--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'
"Wise men talk because they have something to say;
fools, because they have to say something." -- Plato
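Added as an example, not from the post: a crypto map applied to the subinterface only changes what happens to packets that match its crypto ACL (those are handed to IPsec); packets that do not match are forwarded in the clear exactly as before, so the 20+ Mbps of other traffic on the interface is not affected. The script classifies a flow against ACL 112 the way the router does, with wildcard masks rather than the netmasks PIX uses, and also prints the address block an entry really covers: bits the wildcard marks as "don't care" are ignored in the comparison, so `208.50.53.98 0.0.0.7` matches 208.50.53.96 through 208.50.53.103, not only .98. The ACL is the one from the post; the sample flows are constructed.

```shell
#!/bin/sh
# Classifies a flow the way an IOS crypto map does: packets matching the crypto
# ACL go to IPsec, everything else is forwarded unchanged.
# Example code added to this digest; not from the post.

# The crypto ACL from the post, in the base/wildcard form it uses. IOS ACLs use
# wildcard masks: a 1 bit means "don't care", so an entry covers a block, not
# only the address as written.
CRYPTO_ACL='access-list 112 permit ip 208.50.53.98 0.0.0.7 63.79.178.192 0.0.0.3'

ip2int() { oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs; echo $(( ($1<<24) | ($2<<16) | ($3<<8) | $4 )); }
int2ip() { echo "$(( ($1>>24) & 255 )).$(( ($1>>16) & 255 )).$(( ($1>>8) & 255 )).$(( $1 & 255 ))"; }

# wild_match ADDR BASE WILDCARD: succeeds when the bits the wildcard does not
# cover are identical in ADDR and BASE
wild_match() {
  a=$(ip2int "$1"); b=$(ip2int "$2"); w=$(ip2int "$3")
  [ $(( a & ~w )) -eq $(( b & ~w )) ]
}

# effective_block BASE WILDCARD -> "first-last": the range an entry really covers
effective_block() {
  b=$(ip2int "$1"); w=$(ip2int "$2")
  echo "$(int2ip $(( b & ~w )))-$(int2ip $(( (b & ~w) | w )))"
}

# classify SRC DST -> "encrypt" when a permit line matches, "clear" otherwise.
# A deny line in a crypto ACL exempts matching traffic from IPsec; it does not
# drop it, so a deny match is also reported as "clear".
classify() {
  src=$1; dst=$2
  result=$(printf '%s\n' "$CRYPTO_ACL" | while read -r _al _num action _proto sb sw db dw; do
    if wild_match "$src" "$sb" "$sw" && wild_match "$dst" "$db" "$dw"; then
      [ "$action" = permit ] && echo encrypt || echo clear
      exit 0                       # first matching line decides
    fi
  done)
  echo "${result:-clear}"          # no match: forwarded as ordinary traffic
}

# Stand-alone demonstration.
echo "ACL 112 source block actually covered: $(effective_block 208.50.53.98 0.0.0.7)"
printf '%-30s -> %s\n' "208.50.53.100 -> 63.79.178.193" "$(classify 208.50.53.100 63.79.178.193)"
printf '%-30s -> %s\n' "208.50.53.100 -> 63.79.178.200" "$(classify 208.50.53.100 63.79.178.200)"
printf '%-30s -> %s\n' "10.5.5.106 -> 10.5.5.105" "$(classify 10.5.5.106 10.5.5.105)"
```

When checking a crypto ACL before applying the map, also confirm that the peer's mirror-image ACL covers exactly the same two blocks; an entry whose base address has bits set inside the wildcard (as 208.50.53.98 with 0.0.0.7 does) is easy to read as a smaller range than the router actually matches.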
------------------------------
Message: 5
Date: Wed, 23 May 2007 12:57:00 -0400 (EDT)
From: stursa@695online.com
Subject: Re: [fw-wiz] HIPS experience
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <35743.69.1.110.133.1179939420.webmail@mail.695online.com>
Content-Type: text/plain;charset=iso-8859-1
Paul Melson said:
> On 5/18/07, stursa@695online.com <stursa@695online.com> wrote:
>> Checkpoint has a very similar (i.e. behavioral, not signature-based
>> HIPS)
>> known as "Integrity Secure Client". The management center is
>> stand-alone,
>> costs about $3k IIRC. The client licenses cost less as well. For an
>> additional fee you get point-and-click access to a big database of
>> events
>> and software, so it's much easier to determine whether a particular .exe
>> is safe.
>
> This was originally ZoneLabs' Integrity, and at one point in time was
> the only way to enforce host security policy w/ the Cisco VPN3K. It
> never worked with Check Point until after the acquisition. To be
> honest, I'm a little surprised that after several releases the Cisco
> ASA/VPN3K support is still there.
Not sure if you mean releases of Integrity or releases of Cisco SW. WRT
Cisco, I just checked our 3020 and it's still in there. It's running 4.7,
rel 10 March 2005.
In the next week we're taking delivery of a new 3020, presumably with
latest software. I'll look and see if the support is still there.
I also checked our ASA, which is running 7.2(1), 31 May 2006. It likewise
appears to still support Integrity.
--
Scott L. Stursa
CCNA, MCSA, Security+
------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest, Vol 13, Issue 10
************************************************