Tuesday, August 21, 2007

firewall-wizards Digest, Vol 16, Issue 3

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: New to Cisco PIX/ ASA (ArkanoiD)
2. Re: IPS Content filtering techniques (Skough Axel U/IT-S)
3. CSA Question (Carric Dooley)
4. contacts at Secure Computing? (Dave Piscitello)
5. IPv6 support in firewalls (Dave Piscitello)
6. Re: Cisco FWSM/ASA Question (Farrukh Haroon)


----------------------------------------------------------------------

Message: 1
Date: Mon, 6 Aug 2007 09:42:38 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] New to Cisco PIX/ ASA
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20070806054238.GA13622@eltex.net>
Content-Type: text/plain; charset=us-ascii

Being not a PIX expert, as I see no one answers: no, you do not need
a reverse rule if the protocol is known and does not require strange callbacks.

If it does, it is hard to say what your configuration looks like ;-)

On Wed, Aug 01, 2007 at 06:41:53PM -0400, Keith A. Glass wrote:
>
> I've managed Gauntlets, Checkpoints, Netscreens, and SonicWalls in the
> past.
>
>
> I'm a bit confused with the in and outs of the ASA firewalls.
>
>
> I'm setting up an HA pair, my Eth0/0 is my interior interface, trust
> level 100, Eth 0/1 and 0/2 are my IP and State heartbeats, and Eth 1/0
> is my external interface, trust level 1.
>
>
> Am I correct in my understanding that if I want two-way traffic,
> traffic is not blocked to a lower trust level, so I need only write a
> rule to pass the traffic between the endpoints from the external
> interface to the internal interface, and the reply traffic is taken
> care of ?? Or do I have to write a reverse rule, from the internal
> interface to the external as well ???
>

> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
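The stateful behaviour the question and answer above are about, as an added model that is not code from the list, from Cisco or from any firewall product: a connection table plus ASA/PIX-style security levels, showing that one inbound ACL entry is enough because the reply is matched against the connection the first packet created. Interface names, security levels, the allow-list and all addresses are constructed for the example.

```python
"""Toy model of stateful inspection with security levels (constructed example)."""
from dataclasses import dataclass

# Constructed interface -> security-level map (ASA convention: 0..100).
SECURITY_LEVEL = {"inside": 100, "outside": 1}

# Constructed inbound ACL applied on the outside interface: (proto, dst_ip, dst_port).
OUTSIDE_IN_ACL = {("tcp", "10.0.0.10", 443)}


@dataclass(frozen=True)
class Packet:
    ingress: str      # interface the packet arrives on
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    egress: str = ""  # interface the packet would leave by


class StatefulFirewall:
    def __init__(self):
        # Connection table keyed by the 5-tuple of the initiating direction.
        self.conns = set()

    def _key(self, p):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    def _reply_key(self, p):
        # The reply to an existing connection has source and destination swapped.
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def check(self, p):
        """Return (verdict, reason) for a packet and update the connection table."""
        if self._reply_key(p) in self.conns:
            return ("permit", "matches existing connection (stateful return traffic)")
        if SECURITY_LEVEL[p.ingress] > SECURITY_LEVEL[p.egress]:
            # Higher -> lower security is allowed by default without an ACL.
            self.conns.add(self._key(p))
            return ("permit", "higher-to-lower security level, implicit permit")
        if (p.proto, p.dst_ip, p.dst_port) in OUTSIDE_IN_ACL:
            self.conns.add(self._key(p))
            return ("permit", "inbound ACL entry")
        return ("deny", "lower-to-higher security level with no ACL entry")


def demo():
    """Walk four constructed packets through the model and return the verdicts."""
    fw = StatefulFirewall()
    results = []
    # 1. Outside client opens HTTPS to an inside host: needs the ACL entry.
    syn = Packet("outside", "tcp", "198.51.100.7", 51000, "10.0.0.10", 443, egress="inside")
    results.append(fw.check(syn)[0])
    # 2. The server's reply goes inside -> outside: matched by state, no reverse rule needed.
    reply = Packet("inside", "tcp", "10.0.0.10", 443, "198.51.100.7", 51000, egress="outside")
    results.append(fw.check(reply)[0])
    # 3. An unsolicited inbound packet to a port not in the ACL is dropped.
    stray = Packet("outside", "tcp", "198.51.100.7", 51001, "10.0.0.10", 22, egress="inside")
    results.append(fw.check(stray)[0])
    # 4. An inside host initiating outbound is permitted implicitly.
    out = Packet("inside", "tcp", "10.0.0.20", 40000, "203.0.113.5", 80, egress="outside")
    results.append(fw.check(out)[0])
    return results


if __name__ == "__main__":
    print(demo())
```

The reply in step 2 would also pass on the higher-to-lower default, which is why the connection-table lookup comes first: it is the reason the verdict reports, and it is what keeps the reverse rule unnecessary even when the reply travels lower-to-higher (for example when the inside host is the client).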

------------------------------

Message: 2
Date: Wed, 15 Aug 2007 15:35:24 +0200
From: "Skough Axel U/IT-S" <axel.skough@scb.se>
Subject: Re: [fw-wiz] IPS Content filtering techniques
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Cc: Panahi Behzad U/IT-S <behzad.panahi@scb.se>
Message-ID: <7D5607434F895540B2A717820399633D3FDD65@exs13.scb.intra>
Content-Type: text/plain; charset="iso-8859-1"

Hi,

Does really nobody know of a Web proxy product that filters on the MIME Content-Type header and is capable of omitting this check when the MIME Content-Length header in force is zero? RFC 2616 states that the Content-Type header can be omitted in this situation and, indeed, it has no meaning, as the data section is declared to be of length zero.

Otherwise the data section should of course in general be assumed to be of type "application/octet-stream", but when no data section is present there is obviously no problem in bypassing the Content-Type check! Thus there are no data to prevent from entering in this situation, but the packet in force may have other meanings such as a redirect etc.

I would appreciate any comments in this matter!

Best regards

Axel Skough
Research & Development
Information Technology
Statistics Sweden
Box 24300
SE-10451 Stockholm
S W E D E N

Visitor's address:
Karlavägen 100, Stockholm, Sweden

E-mail: axel.skough@scb.se
Fax: +46 8 5069 4599
SMS: +46 70 577 1727
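The decision Axel describes, as an added example that is not any proxy product's code and not from the thread: a response-head check that enforces a Content-Type allow-list when a body is present, treats a missing Content-Type as application/octet-stream (RFC 2616 section 7.2.1), skips the type check when Content-Length is zero or the status code has no body (1xx, 204, 304), and surfaces the redirect case separately so a redirect policy can still be applied. The allow-list and the sample responses are constructed for the example.

```python
"""Content-Type filtering with the zero-length exception (constructed example)."""
import re

# Constructed allow-list for the example; a real proxy policy would be far longer.
ALLOWED_TYPES = {"text/html", "text/plain", "application/json"}

STATUS_RE = re.compile(r"^HTTP/1\.[01] (\d{3})")


def parse_head(raw: bytes):
    """Return (status_code, headers) from the head of a raw HTTP/1.x response.

    Header names are lower-cased; a duplicated header keeps the last value.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    m = STATUS_RE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP/1.x status line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def has_no_body(status: int, headers: dict) -> bool:
    """True when RFC 2616 says no entity body follows this head."""
    if 100 <= status < 200 or status in (204, 304):
        return True
    length = headers.get("content-length")
    return length is not None and length.isdigit() and int(length) == 0


def filter_decision(raw: bytes):
    """Decide whether the proxy passes this response on; returns (verdict, reason)."""
    status, headers = parse_head(raw)
    length = headers.get("content-length")
    if length is not None and not length.isdigit():
        return ("block", "malformed Content-Length")
    if has_no_body(status, headers):
        # No data section: Content-Type carries no meaning, so the check is skipped.
        # Redirects are reported so a redirect policy can still be applied to them.
        if 300 <= status < 400 and "location" in headers:
            return ("allow", "empty body, redirect to " + headers["location"])
        return ("allow", "empty body, Content-Type check skipped")
    # A body is present (or its length is unknown, e.g. chunked): apply the type check.
    # An absent Content-Type is treated as application/octet-stream per RFC 2616 7.2.1.
    media = headers.get("content-type", "application/octet-stream")
    media = media.split(";", 1)[0].strip().lower()
    if media in ALLOWED_TYPES:
        return ("allow", "Content-Type " + media + " permitted")
    return ("block", "Content-Type " + media + " not in allow-list")


# Constructed sample responses (not captured traffic).
SAMPLES = {
    "redirect": b"HTTP/1.1 302 Found\r\nLocation: http://www.example.com/\r\nContent-Length: 0\r\n\r\n",
    "empty_exe": b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdownload\r\nContent-Length: 0\r\n\r\n",
    "untyped": b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello",
    "html": b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 9\r\n\r\n<p>hi</p>",
}


def run_samples():
    """Map each sample name to its verdict."""
    return {name: filter_decision(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, filter_decision(raw))
```

The "empty_exe" sample is the case in the question: a disallowed Content-Type with Content-Length: 0 passes, because there is no data section for the type check to protect against; the "untyped" sample shows the opposite default, where a body without a Content-Type is judged as application/octet-stream and blocked.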



------------------------------

Message: 3
Date: Tue, 21 Aug 2007 09:06:34 -0400 (EDT)
From: Carric Dooley <carric@com2usa.com>
Subject: [fw-wiz] CSA Question
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<Pine.LNX.4.44.0708210904550.30705-100000@fatty.com2usa.com>
Content-Type: TEXT/PLAIN; charset=US-ASCII

I have been looking thru the Cisco site and I'm wondering if anyone knows
if you can configure the CSA to disable network interfaces, for instance
if it's attacked, or shut down.

--
Carric Dooley
COM2:Interactive Media USA
http://www.com2usa.com



------------------------------

Message: 4
Date: Tue, 14 Aug 2007 11:48:08 -0400
From: Dave Piscitello <dave@corecom.com>
Subject: [fw-wiz] contacts at Secure Computing?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <46C1CEB8.8040307@corecom.com>
Content-Type: text/plain; charset="iso-8859-1"

Anyone have contacts in Secure Computing for the SnapGear and Cyberguard
product lines?


------------------------------

Message: 5
Date: Wed, 15 Aug 2007 13:39:04 -0400
From: Dave Piscitello <dave@corecom.com>
Subject: [fw-wiz] IPv6 support in firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <46C33A38.6010002@corecom.com>
Content-Type: text/plain; charset="iso-8859-1"

I suppose I should begin by answering the "why the interest in IPv6?"
question. Simply put, we are running out of IPv4 addresses (yeah, I
know, the Sky is Falling, NAT will save us forever...). Based on current
consumption rates, some folks speculate that the remaining addresses
not yet distributed by IANA will be exhausted by 2009.

More importantly, the space is horribly fragmented and it's becoming
increasingly difficult for RIRs to acquire and allocate large numbers of
IP addresses in contiguous blocks.

Whether you believe IPv4 address exhaustion is imminent or not, I choose
to consider a related concern. I'm not convinced we can even meet the
modest (that's as polite as I can be) security baseline we achieve with
IPv4 security products with available IPv6 security products. What
little I've learned in the short time I've spent asking security
companies about IPv6 support isn't encouraging.

What do I want from you?

If you have IPv6 in a production environment and are willing to
share some information about the firewall you're (presumably) using to
enforce security policy, please contact me offline. I've begun a study
of the state of security preparedness for IPv6 and would like to learn
what firewall you're using, how the feature set compares to IPv4, etc.

I'm mostly interested in commercial firewall software and appliances but
if you're using FreeBSD or another open source solution I'd be curious to
learn how large a user population you are supporting, hardware
considerations, etc.

If I get enough information, I'll post a summary message to the list.



------------------------------

Message: 6
Date: Mon, 6 Aug 2007 11:06:24 +0300
From: "Farrukh Haroon" <farrukhharoon@gmail.com>
Subject: Re: [fw-wiz] Cisco FWSM/ASA Question
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<eff3217d0708060106i20c06952l3f95c80617dc49e7@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hello Matthew

On which zone is the Domain Controller and on which zone is the Client?

Is there a possibility that another DNS Server is responding to requests?

As per the Cisco documentation:

106007

Error Message %FWSM-2-106007: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port due to DNS {Response|Query}.

Explanation This is a connection-related message. This message is logged if a UDP packet containing a DNS query or response is denied.

Recommended Action If the inside port number is 53, the inside host probably is set up as a caching name server. Add an *access-list* command statement to permit traffic on UDP port 53. If the outside port number is 53, a DNS server was probably too slow to respond, and the query was answered by another server.

Since everything is allowed, it cannot be an ACL issue.

Regards

Farrukh

On 7/27/07, Matthew Watkins <matt@idnet.net> wrote:
>
> I'm investigating a problem with Windows client computers situated
> behind a pair of redundant firewall services modules (installed in a
> Cisco Catalyst 6513 switch). There's a new domain controller on one
> VLAN, and our Windows/PC clients sit on another. Both networks are
> routed through the FWSM, and general network connectivity seems fine.
>
> The firewall blades are running the latest version of the FWSM/ASA code:
>
> FWSM Firewall Version 3.1(6)
>
> Basically, my Mac laptop running OS X seems to connect to all parts
> of the network without problems. It can mount shares, resolve DNS
> etc... However, the Windows desktop clients seem unable to logon to
> the domain when booted up behind the firewall. Initially, I thought
> the problem might be related to DNS protocol inspection, since we
> were seeing the log messages below:
>
> Jul 26 16:55:21 cam-sh-fw1-inside.redstardevelopment.com %
> FWSM-2-106007: Deny inbound UDP from 172.17.50.3/53 to
> 172.29.6.2/1026 due to DNS Response
>
> I've subsequently removed DNS inspection from the global default
> rules, but it hasn't made any difference. This is a new site which we
> are in the process of building, so the access-lists for both networks
> are currently wide open:
>
> access-list PERMISSIVE extended permit ip any any
> access-group PERMISSIVE in interface inside
> access-group PERMISSIVE in interface office-wired
> access-group PERMISSIVE in interface office-dmz
>
> We've created a stripped down domain user account, with no DFS shares
> or home drive mappings, and this user account can successfully login
> to the domain. Our servers are all running Win2K3. Any ideas what the
> problem might be? I'm not seeing messages in the logs, and I'm a bit
> confused about the possible cause...
>
> Any ideas gratefully received!
>
> - Matt
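The recommended-action logic from the Cisco text Farrukh quotes, turned into a log check as an added example that is neither Cisco's nor anything posted in the thread: it parses %FWSM-2-106007 lines, sorts each event into the "inside port 53" branch (an inside host acting as a caching name server) or the "outside port 53" branch (a late DNS response, the query already answered elsewhere), and counts events per server and client so the pattern across a log file is visible. The first sample line is Matthew's, joined onto one line; the remaining lines and the category names are constructed.

```python
"""Classify %FWSM-2-106007 DNS deny messages (constructed example)."""
import re
from collections import Counter

# Pattern for the FWSM syslog message discussed in the thread.
LOG_RE = re.compile(
    r"%FWSM-2-106007: Deny inbound UDP from "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<src_port>\d+) to "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<dst_port>\d+) "
    r"due to DNS (?P<kind>Response|Query)"
)


def parse_106007(line: str):
    """Return the fields of a %FWSM-2-106007 line, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["src_port"] = int(ev["src_port"])
    ev["dst_port"] = int(ev["dst_port"])
    return ev


def classify(ev: dict) -> str:
    """Apply the recommended-action branches from the Cisco text (category names constructed)."""
    if ev["dst_port"] == 53:
        # Inside host receiving DNS: probably a caching name server; permit UDP/53 with an access-list.
        return "inside-resolver"
    if ev["src_port"] == 53:
        # Outside server answering: a late response, the query was likely answered by another server.
        return "late-response"
    return "other"


def summarize(lines):
    """Count events per (outside address, inside address, category) across a log sample."""
    counts = Counter()
    for line in lines:
        ev = parse_106007(line)
        if ev is None:
            continue
        counts[(ev["src_ip"], ev["dst_ip"], classify(ev))] += 1
    return counts


# Line 1 is the one posted in the thread (joined onto one line); lines 2-4 are constructed.
SAMPLE_LOG = [
    "Jul 26 16:55:21 cam-sh-fw1-inside.redstardevelopment.com %FWSM-2-106007: Deny inbound UDP from 172.17.50.3/53 to 172.29.6.2/1026 due to DNS Response",
    "Jul 26 16:55:22 cam-sh-fw1-inside.redstardevelopment.com %FWSM-2-106007: Deny inbound UDP from 172.17.50.3/53 to 172.29.6.2/1027 due to DNS Response",
    "Jul 26 16:55:30 cam-sh-fw1-inside.redstardevelopment.com %FWSM-2-106007: Deny inbound UDP from 198.51.100.9/40211 to 172.29.6.10/53 due to DNS Query",
    "Jul 26 16:55:31 cam-sh-fw1-inside.redstardevelopment.com %FWSM-6-XXXXXX: (constructed non-DNS line, ignored by the parser)",
]


if __name__ == "__main__":
    for (src, dst, category), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}: {category} x{n}")
```

Matthew's own line lands in the "late-response" branch: the server 172.17.50.3 answered from port 53 after the client's query had already been satisfied, which is the situation behind Farrukh's question about a second DNS server responding. A run of such events for one client, all from the same server, is the signature to look for before spending more time on the access-lists.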


------------------------------



End of firewall-wizards Digest, Vol 16, Issue 3
***********************************************
