Friday, May 25, 2007

firewall-wizards Digest, Vol 13, Issue 12

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Securing Wireless with ASA-5510 (Charlie Quick)
2. Re: PIX - acl breaks implicit outbound rule (James)
3. Re: Best way to block incoming connections from open httpproxy servers? (lordchariot@embarqmail.com)
4. Re: PIX - acl breaks implicit outbound rule (Richard Shaw)
5. can iptables block incoming http connections from open proxy servers? (White Hat)


----------------------------------------------------------------------

Message: 1
Date: Wed, 16 May 2007 08:48:53 -0700
From: "Charlie Quick" <charlieq@ironclad.com>
Subject: Re: [fw-wiz] Securing Wireless with ASA-5510
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<0CC4611B670ADC418AC6063D1268B956B76C9E@icladmail.iclad.com>
Content-Type: text/plain; charset="us-ascii"

Thanks for all the responses; I will let you know how it goes.

-Charlie

-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of
Paul Murphy
Sent: Tuesday, May 15, 2007 2:40 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Securing Wireless with ASA-5510

Charlie,

You should be able to create multiple vlans on your switch and
corresponding vlans on your firewall. Tag (trunk) the uplink to your
firewall. Your vlans will be configured as virtual interfaces on your
firewall.

Paul Murphy


From: "Charlie Quick" <charlieq@ironclad.com>
Sent by: firewall-wizards-bounces@listserv.icsalabs.com
Sent: 05/15/2007 09:41 AM
To: <firewall-wizards@listserv.icsalabs.com>
Subject: [fw-wiz] Securing Wireless with ASA-5510
Please respond to: Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>

Hi All,

I have an ASA 5510 and a 3500 XL switch. I have a Linksys AP, no routing
on it; I want to secure it so that only the internet can be accessed. How can
this be done with vlans and access-lists?
Does the ASA support vlan routing?

Currently, the Linksys is sitting on the switch and anyone who connects
has access to the internal network. Eventually, I will get a Cisco Aironet
that supports multiple SSIDs and set up vlans for guest and employee.

-Charlie

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


------------------------------

Message: 2
Date: Fri, 25 May 2007 21:02:20 +1000
From: James <jimbob.coffey@gmail.com>
Subject: Re: [fw-wiz] PIX - acl breaks implicit outbound rule
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<343aa4f80705250402p62d62446n97c8a7b8ea59c7c7@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 5/22/07, Richard Shaw <richard@aggress.net> wrote:
>
> Hi There,
>
> I'm trying to get successful two way communication over a selected port
> range between 2 hosts on different interfaces.
>
> Interface 1 (100) ------------ Interface 2 (90)
>
> host1 (10.0.1.11) ------------ host2 (10.0.5.2)
>
> I've already put in a static route so host1 can get down to host2, however I
> need host2 to be able to open a connection back through on selected ports.

If they are "directly connected" subnets you won't need a static route.

>
> I've been able to get it semi-working by applying the following:
>
> static (Interface1,Interface2) 10.0.5.200 10.0.1.11 netmask 255.255.255.255

Depending on the version of PIX code (>= 7.0), you can remove the need to NAT
everything/anything by typing "no nat-control". (About time, Cisco.)

> access-list Interface2toInterface1 extended permit udp host 10.0.5.2 host
> 10.0.5.200 eq port-range
> access-group Interface2toInterface1 in interface Interface2
>
> However, it replaces the implicit outbound rule for Interface2 and breaks
> all other outbound traffic on the interface. My question is, what can I
> append to the above access group to put the outbound rule back in?

Because int2 < int1 (security level) you need an acl to permit any access.
I don't think there is an implicit rule from low sec to hi sec.

--
jac


------------------------------

Message: 3
Date: Thu, 24 May 2007 00:49:01 -0400
From: <lordchariot@embarqmail.com>
Subject: Re: [fw-wiz] Best way to block incoming connections from open
httpproxy servers?
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <000001c79dbe$d96ee8e0$0201a8c0@lordchariot.com>
Content-Type: text/plain; charset="us-ascii"


Trying to enumerate the bad IP addresses with open proxies is a losing
battle. I have school kids setting up their own https anonymous proxies to
get past the school's filtering system. And they are on a DHCP address with
dynamic DNS which they reset every night so it's different the next day when
they go to school.
Way too much maintenance for me.
There may be some comprehensive lists of proxies out there, but none that I
find very well-maintained.

Are you trying to prevent external users from anonymizing themselves when
they hit your site?
You might be able to do it with a reverse proxy of some sort that looks at
various characteristics of the request headers and has rules to restrict
requests that carry X-Proxy-Via: headers or are missing a standard User-Agent: header.

Explain why you are trying to block them and we might have some other ideas.


________________________________

From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of Chris
Smith
Sent: Monday, May 21, 2007 17:16
To: firewall-wizards@listserv.icsalabs.com
Subject: [fw-wiz] Best way to block incoming connections from open httpproxy
servers?

Hi All.

What's the recommended way to maintain a list of public, open http proxies
and block them from making inbound connections to an http server with
iptables?

I have linblock http://www.dessent.net/linblock/ which I use for a few other
lists. Is there a regularly updated list out there for open http proxies
that can be used for this purpose?

I'm hoping I can retrieve a text file with the IPs every day with a cron
job and let linblock update an IPTables chain. Perhaps there's a better
way?

csmith


------------------------------

Message: 4
Date: Thu, 24 May 2007 09:11:09 +0100
From: "Richard Shaw" <richard@aggress.net>
Subject: Re: [fw-wiz] PIX - acl breaks implicit outbound rule
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<aa7e63a0705240111p70c0ce41lbc20d14b5bb0ba03@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Cheers Paul,

Yeah, the most obvious solution was in fact the correct solution. I put the
rule back in manually and all appeared fine. But then the whole PIX hung
and I had to reboot it, whoops :)

On 5/23/07, Paul Melson <pmelson@gmail.com> wrote:
>
> > However, it replaces the implicit outbound rule for Interface2 and breaks
> > all other outbound traffic on the interface. My question is, what can I
> > append to the above access group to put the outbound rule back in?
>
> As far as I know, you can't. You will need to explicitly declare the
> previously implied rule:
>
> access-list Interface2toInterface1 deny ip 10.0.5.0 netmask 255.255.255.0 10.0.0.0 255.0.0.0 any
> access-list Interface2toInterface1 permit ip 10.0.5.0 netmask 255.255.255.0 any
>
>
> PaulM
>
>

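The behaviour discussed in this thread, as an added example that is not from the list or from Cisco: a small first-match evaluator for the two access-lists above. It models Paul's two lines as "deny 10.0.5.0/24 to 10.0.0.0/8" followed by "permit 10.0.5.0/24 to any", ignores port matching for brevity, and uses 192.0.2.10 as a constructed outside address. It shows why Richard's single UDP permit alone drops every other packet from Interface2 (the implicit deny at the end of an applied access-list) and why the two appended lines restore the previous outbound behaviour.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

class Ace(NamedTuple):
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol, else "udp"/"tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)

def evaluate(acl: List[Ace], proto: str, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based line that matched). First match wins; a packet
    matching nothing hits the implicit deny that ends every applied access-list,
    reported here as ("deny", None). Ports are ignored in this model."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(acl, start=1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s in ace.src and d in ace.dst:
            return ace.action, n
    return "deny", None

# Richard's original list: only the UDP permit from host2 to the static (translated) address.
ORIGINAL_ACL = [Ace("permit", "udp", net("10.0.5.2/32"), net("10.0.5.200/32"))]

# Paul's fix: spell out the previously implicit outbound behaviour after that permit
# (assumed reading of his two lines: deny to 10/8, then permit to anywhere).
FIXED_ACL = ORIGINAL_ACL + [
    Ace("deny", "ip", net("10.0.5.0/24"), net("10.0.0.0/8")),
    Ace("permit", "ip", net("10.0.5.0/24"), net("0.0.0.0/0")),
]

if __name__ == "__main__":
    for acl_name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        for proto, dst in (("udp", "10.0.5.200"), ("tcp", "10.0.5.200"), ("tcp", "192.0.2.10")):
            print(acl_name, proto, "10.0.5.2 ->", dst, evaluate(acl, proto, "10.0.5.2", dst))
```

Note that the deny line also covers 10.0.5.200; it only fails to block the UDP traffic because the permit precedes it, so the order of the appended lines matters.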

------------------------------

Message: 5
Date: Thu, 24 May 2007 19:24:15 -0700
From: "White Hat" <whitehat237@gmail.com>
Subject: [fw-wiz] can iptables block incoming http connections from
open proxy servers?
To: firewall-wizards@listserv.icsalabs.com
Message-ID:
<111367f50705241924h450127ect8cac89a4e1a13dcb@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi List,

How can I block people from making http connections to an internal
webserver when they are using open http proxies?

While I think that open http proxies are an excellent tool for surfing
the web anonymously and I often use them, they also present me with a
big problem.

I run a small forum, and don't have a good way of keeping users who
are banned for flaming, not following the rules, and other bad conduct
on the forums from returning and re-registering new accounts when
using open http proxies.

The web server is a Gentoo linux box and has packet filtering
(netfilter code), etc built into the kernel. I have the iptables
userspace ebuild installed.

At the moment, I've added rules to the proxies chain which is checked
by the input chain to stop inbound connections from proxy servers
based on the source ports being used by the remote proxy server.
However, this does not seem to be working at the moment.

For example.

iptables -N proxies
iptables -A INPUT -j proxies
iptables -I proxies -p tcp -i eth0 --sport 3128 -j DROP

I also have rules for all of the other common proxy server ports in
place in the proxies chain.

I'm guessing that this does not work because the source port is randomized.

To test this I configured firefox to use an open http proxy running
squid on port 3128 and then connected to the remote site with
wireshark running on the web server.

In the packet dump, the http traffic does not come from or go to port
3128. It seems that this port is never used for incoming or outgoing
source or destination ports.

My next thought is to use the excellent linblock perl script to just
load lists of IPs of known proxy servers into iptables, and then
set up a cron job to automate the whole thing every so often, but after
thinking about this for a bit, I'm wondering how I'm going to keep up
with the changes. Oftentimes a proxy will be there one day and gone
the next and another system will replace it. The web server has
limited amounts of ram, and it would be exhausted after trying to load
x amount of addresses. Can snort be used to detect incoming
connections from open http proxy servers? Is there a pre-processor
that can be turned on to kick off an alert to the alert file?

I'm also having trouble finding an updated proxy list that I can use
with linblock. One of my favorite sites, bluetack, no longer has
anyone maintaining the proxy list.

I'm wondering, what's the best way to keep people using proxy servers
from connecting to the site. Is there a good way to do this without
having to load thousands of rules to block each particular proxy?

I would greatly appreciate advice on how to handle this situation,
especially from forum admin types who have experience with this
problem.

WhiteHat237

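As an added example (not from the list, linblock or any poster), this shows the header-based check lordchariot suggests in message 3, applied to the problem WhiteHat237 describes here: it parses a raw HTTP request and reports the proxy indicators a reverse proxy or web server could act on. The three sample requests are constructed, not captured; the Via/X-Forwarded-For values are the kind a forwarding Squid adds, and "X-Proxy-Via" is included only because the thread names it.

```python
from typing import Dict, List

# Headers a forwarding proxy typically adds or rewrites. Via and X-Forwarded-For
# are what Squid emits; "X-Proxy-Via" is the name used in the thread.
PROXY_HEADERS = ("via", "x-forwarded-for", "forwarded", "x-proxy-via")

def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP/1.x request into a lower-cased header dict (request line dropped)."""
    lines = raw.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line == "":            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def proxy_indicators(headers: Dict[str, str]) -> List[str]:
    """Return the reasons a request looks proxied; an empty list means no indicator."""
    reasons = [f"{h}: {headers[h]}" for h in PROXY_HEADERS if h in headers]
    if "user-agent" not in headers:
        reasons.append("missing User-Agent")
    return reasons

# Constructed sample requests (not captured traffic).
DIRECT = ("GET /forum/ HTTP/1.1\r\nHost: forum.example\r\n"
          "User-Agent: Mozilla/5.0\r\n\r\n")
VIA_SQUID = ("GET /forum/ HTTP/1.1\r\nHost: forum.example\r\n"
             "User-Agent: Mozilla/5.0\r\n"
             "Via: 1.1 proxy.example:3128 (squid)\r\n"
             "X-Forwarded-For: 198.51.100.7\r\n\r\n")
NO_UA = "GET /forum/ HTTP/1.1\r\nHost: forum.example\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("direct", DIRECT), ("via squid", VIA_SQUID), ("no UA", NO_UA)):
        print(name, proxy_indicators(parse_headers(raw)))
```

Anonymizing proxies strip these headers, so this catches only proxies that announce themselves and should complement, not replace, an address list; unlike the source-port rules above it does not depend on the proxy's port, which the packet capture shows is never visible to the server.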

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 13, Issue 12
************************************************
