Wednesday, August 22, 2007

firewall-wizards Digest, Vol 16, Issue 7

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Cisco ACS alternative (Jason)
2. Re: IPv6 support in firewalls (Marcus J. Ranum)
3. Re: Cisco ACS alternative (Aaron Smith)
4. Re: CSA Question (Kristian Erik Hermansen)
5. Re: IPv6 support in firewalls (Shahin Ansari)
6. Re: IPv6 support in firewalls (Darren Reed)


----------------------------------------------------------------------

Message: 1
Date: Wed, 22 Aug 2007 08:54:17 -0400
From: Jason <jasonisnow@gmail.com>
Subject: Re: [fw-wiz] Cisco ACS alternative
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<1de866020708220554j7c6e63bcmef5ff2070c5916db@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

There's a server called "tac-plus" in Linux that you could check out; it may
provide support for downloadable ACLs, not sure.

Here's a link on Cisco's website with some basic information:

http://www.cisco.com/warp/public/480/tacplus.shtml

Here's a link to the Debian packages:

http://packages.debian.org/stable/net/tac-plus

On 8/15/07, Pedro Henrique Morsch Mazzoni <phmazzoni@gmail.com> wrote:
>
> Hi everyone!
>
> Does anyone know an alternative to Cisco Secure ACS?
> I need an AAA that can work with downloadable ACLs.
>
> Tks,
> Pedro Mazzoni
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>


--
-->j


------------------------------

Message: 2
Date: Wed, 22 Aug 2007 13:16:51 -0400
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: dave@corecom.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>, Firewall Wizards Security
Mailing List <firewall-wizards@listserv.icsalabs.com>
Message-ID: <6.2.0.14.2.20070822130954.04ae35d0@ranum.com>
Content-Type: text/plain; charset="us-ascii"

Dave Piscitello wrote:
>I suppose I should begin by answering "why the interest in IPv6?"
>question. Simply put, we are running out of IPv4 addresses (yeah, I
>know, the Sky is Falling, NAT will save us forever...). Based on current
> consumption rates, some folks speculate that the remaining addresses
>not yet distributed by IANA will be exhausted by 2009.

This prediction was made before, if I recall correctly. In 1994. Except
that we were going to run out, uh, in 1999. Yes, the sky is falling, but
it appears to be falling fairly slowly and gently. :)

Perhaps something better than IPv6 will still come along. You know,
like what a few of us suggested back in 1992 - namely doubling
the address size, left-filling with zeroes, and bumping the
version number? ;) Of course everyone screamed that that would
never work because the backbone routers would need gigabytes
of memory and nobody could do something crazy like that. Or
invent CIDR routing or spanning trees or any of the other network
tricks that have come up since 1992 that would have made the
idea workable, practical, and in place and functioning by now...

But, to your real point:
> I'm not convinced we can even meet the
>modest (that's as polite as I can be) security baseline we achieve with
>IPv4 security products with available IPv6 security products. What
>little I've learned in the short time I've spent asking security
>companies about IPv6 support isn't encouraging.

It shouldn't be. Let's see - it took HOW long to even sort out the
most obvious DOS vectors in V4, which was a vastly simpler
protocol. The recent rumblings about problems in V6 indicate
that finding flaws in V6 will be a lot like hunting Passenger
Pigeons was in the 1700's: point your shotgun at the sky and
pull the trigger and several will fall at your feet.

It's a hell of a price to pay for bigger address spaces and
the ego-boost of the IETFniks who get to say they worked on
the next big protocol, huh?

mjr.

------------------------------

Message: 3
Date: Tue, 21 Aug 2007 16:43:46 -0600
From: Aaron Smith <smitha@byui.edu>
Subject: Re: [fw-wiz] Cisco ACS alternative
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <1187736226.10682.0.camel@natal.byui.edu>
Content-Type: text/plain; charset=utf-8

We use Identity Engines for RADIUS. It beats the pants off ACS. Don't
know if it supports d'loadable ACLs directly, but you can enter VSAs
that might do the trick.

@@ron

On Wed, 2007-08-15 at 10:18 -0300, Pedro Henrique Morsch Mazzoni wrote:
> Hi everyone!
>
> Does anyone know an alternative to Cisco Secure ACS?
> I need an AAA that can work with downloadable ACLs.
>
> Tks,
> Pedro Mazzoni
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


------------------------------

Message: 4
Date: Tue, 21 Aug 2007 19:29:32 -0400
From: "Kristian Erik Hermansen" <kristian.hermansen@gmail.com>
Subject: Re: [fw-wiz] CSA Question
To: firewall-wizards@listserv.icsalabs.com
Cc: Marcus Gavel <mgavel@cisco.com>
Message-ID:
<fe37588d0708211629t62b2f2ape7ad005684518075@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On 8/21/07, Carric Dooley <carric@com2usa.com> wrote:
> I have been looking through the Cisco site and I'm wondering if anyone knows
> if you can configure the CSA to disable network interfaces, for instance
> if it's attacked, or shut down.

I work on the Cisco Security Agent team, and I do know that there is a
"Network Lock" mode, which will disallow all new connections. I
believe we also added some new features for disabling wireless devices
in a recent release. I am unsure if there is a way to define a rule
such as "if rootkit is detected, disable all interfaces". I am cc'ing
Marcus Gavel who should be able to get you an answer...
--
Kristian Erik Hermansen


------------------------------

Message: 5
Date: Wed, 22 Aug 2007 14:51:51 -0700 (PDT)
From: Shahin Ansari <zohal52@yahoo.com>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <99488.66131.qm@web30704.mail.mud.yahoo.com>
Content-Type: text/plain; charset="iso-8859-1"

Greetings-
Let me start by saying it is an honor to be able to view your postings. I have read Marcus's book on security, and it has been an immense help. Now to my point:
- How is it that (I have heard) Asia PAC countries like China have converted to IPv6 already? Given all the security issues you mention ...

- Some propose having every device support both stacks; what are some of the issues you can run into with this? CPU?

Regards-
Sean

"Marcus J. Ranum" <mjr@ranum.com> wrote:
Dave Piscitello wrote:
>I suppose I should begin by answering "why the interest in IPv6?"
>question. Simply put, we are running out of IPv4 addresses (yeah, I
>know, the Sky is Falling, NAT will save us forever...). Based on current
> consumption rates, some folks speculate that the remaining addresses
>not yet distributed by IANA will be exhausted by 2009.

This prediction was made before, if I recall correctly. In 1994. Except
that we were going to run out, uh, in 1999. Yes, the sky is falling, but
it appears to be falling fairly slowly and gently. :)

Perhaps something better than IPv6 will still come along. You know,
like what a few of us suggested back in 1992 - namely doubling
the address size, left-filling with zeroes, and bumping the
version number? ;) Of course everyone screamed that that would
never work because the backbone routers would need gigabytes
of memory and nobody could do something crazy like that. Or
invent CIDR routing or spanning trees or any of the other network
tricks that have come up since 1992 that would have made the
idea workable, practical, and in place and functioning by now...

But, to your real point:
> I'm not convinced we can even meet the
>modest (that's as polite as I can be) security baseline we achieve with
>IPv4 security products with available IPv6 security products. What
>little I've learned in the short time I've spent asking security
>companies about IPv6 support isn't encouraging.

It shouldn't be. Let's see - it took HOW long to even sort out the
most obvious DOS vectors in V4, which was a vastly simpler
protocol. The recent rumblings about problems in V6 indicate
that finding flaws in V6 will be a lot like hunting Passenger
Pigeons was in the 1700's: point your shotgun at the sky and
pull the trigger and several will fall at your feet.

It's a hell of a price to pay for bigger address spaces and
the ego-boost of the IETFniks who get to say they worked on
the next big protocol, huh?

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards





------------------------------

Message: 6
Date: Wed, 22 Aug 2007 12:56:27 -0700
From: Darren Reed <darrenr@reed.wattle.id.au>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Cc: "Marcus J. Ranum" <mjr@ranum.com>, dave@corecom.com
Message-ID: <46CC94EB.10707@reed.wattle.id.au>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Marcus J. Ranum wrote:
> Dave Piscitello wrote:
> >I suppose I should begin by answering "why the interest in IPv6?"
> >question. Simply put, we are running out of IPv4 addresses (yeah, I
> >know, the Sky is Falling, NAT will save us forever...). Based on current
> > consumption rates, some folks speculate that the remaining addresses
> >not yet distributed by IANA will be exhausted by 2009.
>
> This prediction was made before, if I recall correctly. In 1994. Except
> that we were going to run out, uh, in 1999. Yes, the sky is falling, but
> it appears to be falling fairly slowly and gently. :)
>
> Perhaps something better than IPv6 will still come along. You know,
> like what a few of us suggested back in 1992 - namely doubling
> the address size, left-filling with zeroes, and bumping the
> version number? ;)
..

It's not just this, people today want to deploy/build large scale IP
networks where 10/8 isn't enough, not to mention giving those
addresses visibility to the Internet.

The only way that they can plan to do this is by specifying
that IPv6 is used - there is no other alternative.

Anyone want to start a pool/tab on when the sky will reach the ground? :)


> But, to your real point:
> > I'm not convinced we can even meet the
> >modest (that's as polite as I can be) security baseline we achieve with
> >IPv4 security products with available IPv6 security products. What
> >little I've learned in the short time I've spent asking security
> >companies about IPv6 support isn't encouraging.
>
> It shouldn't be. Let's see - it took HOW long to even sort out the
> most obvious DOS vectors in V4, which was a vastly simpler
> protocol. The recent rumblings about problems in V6 indicate
> that finding flaws in V6 will be a lot like hunting Passenger
> Pigeons was in the 1700's: point your shotgun at the sky and
> pull the trigger and several will fall at your feet.
>

The security problems are the same, just that some have different
names now. Loose/strict source routing options from IPv4 are
present in IPv6 under a new guise - this new costume resulted
in a few platforms shipping with processing of them enabled by
default. In IPv6 the devils are extension headers and in this case,
the routing extension header (but only type 0, so they say...)

As with IPv4, a standard TCP connection between two IPv6
hosts requires no special options, so if you're looking for an
IPv6 firewall, look for one that simply allows you to block all
packets with extension headers. This will undoubtedly offend
all manner of IPv6 folks, but that's the place we have to start
with for IPv6.

Darren

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 16, Issue 7
***********************************************
