firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: Bridge with transparent proxy (Dale W. Carder)
2. Re: Bridge with transparent proxy (Mathew Want)
3. Re: HIPS experience (Paul Melson)
4. Re: HIPS experience (Kristian Hermansen)
----------------------------------------------------------------------
Message: 1
Date: Wed, 16 May 2007 10:42:21 -0500
From: "Dale W. Carder" <dwcarder@doit.wisc.edu>
Subject: Re: [fw-wiz] Bridge with transparent proxy
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20070516154221.GB4605@doit.wisc.edu>
Content-Type: text/plain; charset=us-ascii
Hi Jorge,
Thus spake Jorge Augusto Senger (jorge@br10.com.br) on Wed, May 16, 2007 at 09:42:18AM -0300:
>
> I'm losing my mind trying to configure a bridge with transparent proxy.
> Here is the scenario, very simple:
>
> [ INTERNET ] <--- eth0 ---> [ BRIDGE ] <--- eth1 ---> [ LAN ]
>
> Well, the bridging functions are working fine. The traffic is passing
> through and I can filter using iptables and ebtables.
> But, I can't use -j REDIRECT to some local port. When I put a rule
> redirecting traffic on www port to local proxy port, the counters show
> packets passing through, but nothing happens.
> Wondering if it was a squid problem, I tried to redirect the traffic on
> some high port (8000) to port 22 on localhost. Nothing happened either.
>
> About my machine:
>
> Debian Sarge
> Kernel 2.6.18 (compiled with all bridge modules)
> Iptables 1.3.6 (patched with L7)
>
> Rules:
>
> ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
>     --ip-destination-port 80 -j redirect --redirect-target ACCEPT
>
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 \
>     -j REDIRECT --to-port 3128
You probably don't want -i br0. br0 is a "virtual" interface on
the bridge. (Think BVI or SVI if you are familiar with Cisco IOS)
Here's an example from a production system:
/usr/local/sbin/brctl addbr br3670
/usr/local/sbin/brctl stp br3670 off
/usr/local/sbin/brctl addif br3670 eth1
/usr/local/sbin/brctl addif br3670 eth0
/sbin/iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT
/sbin/iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT
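The following script is an added example, not code from Dale's production box or from Jorge's post. It builds the same bridge and REDIRECT setup, but also writes out the two conditions that decide whether a REDIRECT on a bridge does anything: bridged frames only reach the iptables nat table when bridge-nf-call-iptables is on, and REDIRECT rewrites the destination to the primary address of the interface the packet arrived on (the bridge device for a bridged frame), so that device needs an IPv4 address. It matches the physical bridge port with the physdev match instead of -i br0, which limits the redirect to traffic coming from the LAN side. Interface names, the bridge address 192.0.2.1/24 and the proxy port are assumed placeholders; "apply" needs root, the default invocation only prints the plan.

```shell
#!/bin/sh
# Added example (not from the thread): bridge two ports and redirect LAN-side
# port-80 traffic to a proxy listening on this host. Names below are assumed.
BR=${BR:-br0}                      # bridge device
WAN=${WAN:-eth0}                   # port facing the Internet
LAN=${LAN:-eth1}                   # port facing the clients
PROXY_PORT=${PROXY_PORT:-3128}     # local proxy (e.g. squid) port
BR_ADDR=${BR_ADDR:-192.0.2.1/24}   # constructed address for the bridge itself

# Emit the setup as shell commands so it can be reviewed before it is run.
gen_rules() {
  br=$1; wan=$2; lan=$3; port=$4; addr=$5
  cat <<EOF
brctl addbr $br
brctl stp $br off
brctl addif $br $wan
brctl addif $br $lan
ip link set dev $wan up
ip link set dev $lan up
ip link set dev $br up
# REDIRECT sends the packet to the primary address of the interface it arrived
# on; for a bridged frame that is $br, so $br must carry an IPv4 address.
ip addr add $addr dev $br
# Without this, bridged frames never reach the iptables nat table.
sysctl -w net.bridge.bridge-nf-call-iptables=1
# Match the physical port the clients are behind, so port-80 traffic coming
# in from the Internet side (e.g. to a LAN web server) is not redirected.
iptables -t nat -A PREROUTING -m physdev --physdev-in $lan -p tcp --dport 80 -j REDIRECT --to-ports $port
EOF
}

# 0 when the output of "ip -4 -o addr show dev <if>" lists an inet address.
has_ipv4_addr() {
  printf '%s\n' "$1" | grep -q ' inet [0-9]'
}

# 0 when the sysctl value text (whitespace ignored) is exactly 1.
bridge_nf_enabled() {
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = 1 ]
}

# Live checks for the "counters increment but nothing happens" situation.
preflight() {
  br=$1; port=$2; rc=0
  if ! bridge_nf_enabled "$(cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null)"; then
    echo "bridge-nf-call-iptables is not 1: iptables does not see bridged frames" >&2; rc=1
  fi
  if ! has_ipv4_addr "$(ip -4 -o addr show dev "$br" 2>/dev/null)"; then
    echo "$br has no IPv4 address: REDIRECT has no address to rewrite the destination to" >&2; rc=1
  fi
  if ! netstat -ltn 2>/dev/null | grep -q ":$port "; then
    echo "nothing listens on TCP port $port: start the proxy first" >&2; rc=1
  fi
  return $rc
}

main() {
  case "${1:-}" in
    apply) gen_rules "$BR" "$WAN" "$LAN" "$PROXY_PORT" "$BR_ADDR" | sh -e && preflight "$BR" "$PROXY_PORT" ;;
    check) preflight "$BR" "$PROXY_PORT" ;;
    *)     gen_rules "$BR" "$WAN" "$LAN" "$PROXY_PORT" "$BR_ADDR" ;;   # dry run: print the plan
  esac
}
main "$@"
```

Run it with no arguments to review the commands, `check` to run only the diagnostics on a box that is already configured, and `apply` (as root) to execute the plan and then verify it. The proxy must also be told to accept intercepted connections; on Squid 2.6 that is the `transparent` option on `http_port`, on Squid 2.5 the older `httpd_accel_*` directives.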
------------------------------
Message: 2
Date: Thu, 17 May 2007 09:55:51 +1000
From: "Mathew Want" <mathew.want@ac3.com.au>
Subject: Re: [fw-wiz] Bridge with transparent proxy
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <03fd01c79815$bbc6eda0$6f00cacb@MATHEW>
Content-Type: text/plain; charset="us-ascii"
Jorge,
I think the issue may be here.
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 \
>     -j REDIRECT --to-port 3128
I am not certain but I think that you do not want to NAT here as the proxy
will already put the external address on the packet when it issues the proxy
connection. It may be getting confused as you are trying to NAT the packet
to the external address of the box before handing the packet to SQUID.
Just my AU$0.02.
--
Regards,
Mathew Want
------------------------------
Message: 3
Date: Wed, 16 May 2007 15:02:48 -0400
From: "Paul Melson" <pmelson@gmail.com>
Subject: Re: [fw-wiz] HIPS experience
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <012501c797ec$cc296750$f902fea9@ad.priorityhealth.com>
Content-Type: text/plain; charset="us-ascii"
> I am looking for feedback from those that have rolled out HIPS (host
> intrusion prevention). I am looking for both server and desktop based and
> would be interested in which vendor was chosen and why. Thus far I have
> looked at SANA, Determina, and am about to look at ISS and McAfee. On the
> desktop we are running XP SP2 with NAV, so I am wondering if I want to use
> HIPS that supply firewall/AV capability. SANA seems to have a lot of bells
> and whistles but is a) confusing, b) takes a while to train (esp. on servers).
I've done several HIPS server roll-outs, all Entercept/McAfee. I was only
involved in one comparo project, and it was Okena Stormwatch (now Cisco)
heads up against Entercept (now McAfee) and there was really no competition.
I've not looked at SANA or Determina beyond their cut sheets.
But here is my advice in rolling out HIPS, especially on servers.
1. Benchmark performance on the servers. For Windows, using System Monitor
is fine. Use the following Perf Objects:
Processor / % Processor Time
Memory / Pages/sec
Memory / Available Mbytes
Physical Disk / % Disk Time
Compare performance with and without HIPS. Note where servers need more
hardware to accommodate HIPS. Also keep an eye out for performance
conflicts. HIPS is invasive and can screw things up. This can be
especially true of vendor A's HIPS product trying to cohabitate with vendor
B's AV product.
2. Plan time for deployment and plan 4x that time for initial tuning. One
thing Entercept did shortly before McAfee acquired them was to create a kind
of step-up policy configuration. From deployment you can turn on their
'high' level events and then medium, and low and so on. And you can do this
in a way that keeps you from being deluged with events from the time you
turn on the agent. Of course, I think this probably also leads to most
deployments never 'stepping up' to more detailed detection. Plan to 'step
up' and expect to spend lots of time tuning. If your HIPS vendor doesn't
have a tiered protection/logging policy like Entercept does, well, make that
6x as much time.
3. When creating policy, logically group and deploy by application and
function, not by OS version. A Win2K3 server running WebSphere is more like
a Win2K server running Jboss than it is like a Win2K3 domain controller.
Group them together because their policy and tuning should be similar. (Of
course, a Solaris server running J2EE should not be tuned the same as a
Win2K server running Jboss.)
PaulM
------------------------------
Message: 4
Date: Tue, 15 May 2007 22:05:00 -0400
From: "Kristian Hermansen" <kristian.hermansen@gmail.com>
Subject: Re: [fw-wiz] HIPS experience
To: firewall-wizards@listserv.icsalabs.com
Message-ID:
<fe37588d0705151905q54309650m2bef9494d85eb1fd@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
On 5/15/07, "Mike LeBlanc" <mlinfosec@comcast.net> wrote:
> Would love to hear any feedback from the list on these or other products.
Have you considered Cisco Security Agent? This is the de facto
standard amongst corporations/governments with highly valuable assets.
Although, the costs are also quite reasonable for both Desktop and
Server licensing. CSA protects against Zero Day attacks, which is
something many products claim, but few actually do.
http://www.cisco.com/en/US/products/sw/secursw/ps5057/index.html
List of attacks stopped on Day Zero, in default CSA policy
configuration, and requiring no user interaction after installation
(takes 30-60 minutes to install):
Bagle
SQL Snake
Blaster
JPEG/GDI+
Bugbear
MyDoom
Code Red
Nimda
Debploit
Pentagone/Gonner
Fizzer
Sasser
Gator/Gain
Sircam
Hotbar
Sobig
SQL Slammer
Zotob
Here's a company write-up on how they benefited from CSA deployment:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_case_study0900aecd8033ab2f.shtml
--
Kristian Hermansen
------------------------------
End of firewall-wizards Digest, Vol 13, Issue 7