Wednesday, September 26, 2007

firewall-wizards Digest, Vol 17, Issue 21

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Issue with replacing SonicWall VPN with Cisco ASA VPN devices
(Behm, Jeffrey L.)
2. Checkpoint - Out of state packet (saudi sans)
3. Re: Issue with replacing SonicWall VPN with Cisco ASA VPN
devices (Brett Cunningham)
4. Re: Issue with replacing SonicWall VPN with Cisco ASA VP N
devices (Nathan C. Smith)
5. Re: Issue with replacing SonicWall VPN with Cisco ASA VPN
devices (Robby Cauwerts)


----------------------------------------------------------------------

Message: 1
Date: Tue, 25 Sep 2007 09:03:03 -0500
From: "Behm, Jeffrey L." <BehmJL@bv.com>
Subject: [fw-wiz] Issue with replacing SonicWall VPN with Cisco ASA
VPN devices
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<0C3670BC9169B244AA6E7B2E436180D196383E@TSMC-MAIL-04.na.bvcorp.net>
Content-Type: text/plain; charset="us-ascii"


Hello Wizards,

Our network team is replacing the client's SonicWall devices with Cisco
ASA 5505 (remote office) and 5520 (HQ) devices. The SonicWall devices
were basically used as VPN endpoints in remote offices to be
concentrated back to the corporate HQ. All traffic not destined for the
local LAN in the remote offices was sent to the corporate office via the
"Route all traffic through this SA" functionality in the SonicWall. This
worked well for the environment, but now there is the need to replace
these devices, and Cisco ASA devices have been chosen.

They are now trying to duplicate that functionality via the Cisco
devices, but in talking with Cisco TAC, they say such a configuration is
not possible, and even if it were, it would not be a security best
practice. Implementation of the Cisco device has broken all Internet
connectivity from the remote offices, since the only traffic allowed out
to/from the Internet is through HQ (with the exception of the site to
site VPN traffic to allow connectivity between remote offices and HQ).
Remote offices can see everything on the HQ LAN, because the Cisco
device is configured with IP information that allows it to route traffic
to HQ.

I can see some of Cisco's arguments regarding it not being a security
best practice, but in the scenario of centralized management and
monitoring of Internet-bound traffic, has anyone successfully configured
the Cisco devices to mimic the "Route all traffic through this SA"
functionality present in the SonicWall devices? I understand they could
open up the Cisco devices to allow traffic out from each office, but
that would require monitoring every remote office, and deviates from the
centralized monitoring/management path we are currently traversing. I
haven't personally been involved in this implementation, but was
approached by the network team due to my security background, so I can
get more details from the network team if necessary.

We are simply trying to mimic in the Cisco devices the "Route all
traffic through this SA" functionality present in the SonicWall devices.

Thoughts?

Jeff


------------------------------

Message: 2
Date: Tue, 25 Sep 2007 19:51:13 +0530
From: "saudi sans" <saudisans@gmail.com>
Subject: [fw-wiz] Checkpoint - Out of state packet
To: firewall-wizards@listserv.icsalabs.com
Message-ID:
<74fb60700709250721p6c075356h33b6af1c94bfe2a0@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

We are having Nokia Checkpoint in load balancing mode.

In the Checkpoint logs we get DROP packets messages "TCP packet out of
state: First packet isn't SYN;".It looks like out-of-state packets are
getting dropped. I am NOT worried about this.

What is worrying is source IP of the packets is of the Firewall
interface itself. The destination address/port is of the server
protected by the Firewall.

I am trying to investigate how can we get packets with source IP as
Firewall interface.

My doubts:

1. When Checkpoint encounters an out-of-state packet and DROP it, does
it log the message with source-IP as of the Firewall.

2. Assuming the Firewall is configured properly, what are the other
instances when we get DROP traffic logs with source-address as of the
Firewall interface


Am I totally on the wrong direction in this investigation?


------------------------------

Message: 3
Date: Tue, 25 Sep 2007 19:20:34 -0500
From: "Brett Cunningham" <cssniper22@gmail.com>
Subject: Re: [fw-wiz] Issue with replacing SonicWall VPN with Cisco
ASA VPN devices
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<63e59b100709251720w2661d514o62fd86087445480d@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Never used a SonicWall, but you should be able to tunnel all traffic
through the vpn. To match the traffic, it's as simple as:

(on roho asa) access-list to_hq ip any any
(on hq asa) access-list to_ro ip any any

Nothing else is required provided that the vpn is up and the subnet of
the roho lan is different than the hq subnet.


On 9/25/07, Behm, Jeffrey L. <BehmJL@bv.com> wrote:
>
> Hello Wizards,
>
> Our network team is replacing the client's SonicWall devices with Cisco
> ASA 5505 (remote office) and 5520 (HQ) devices. The SonicWall devices
> were basically used as VPN endpoints in remote offices to be
> concentrated back to the corporate HQ. All traffic not destined for the
> local LAN in the remote offices was sent to the corporate office via the
> "Route all traffic through this SA" functionality in the SonicWall. This
> worked well for the environment, but now there is the need to replace
> these devices, and Cisco ASA devices have been chosen.
>
> They are now trying to duplicate that functionality via the Cisco
> devices, but in talking with Cisco TAC, they say such a configuration is
> not possible, and even if it were, it would not be a security best
> practice. Implementation of the Cisco device has broken all Internet
> connectivity from the remote offices, since the only traffic allowed out
> to/from the Internet is through HQ (with the exception of the site to
> site VPN traffic to allow connectivity between remote offices and HQ).
> Remote offices can see everything on the HQ LAN, because the Cisco
> device is configured with IP information that allows it to route traffic
> to HQ.
>
> I can see some of Cisco's arguments regarding it not being a security
> best practice, but in the scenario of centralized management and
> monitoring of Internet-bound traffic, has anyone successfully configured
> the Cisco devices to mimic the "Route all traffic through this SA"
> functionality present in the SonicWall devices? I understand they could
> open up the Cisco devices to allow traffic out from each office, but
> that would require monitoring every remote office, and deviates from the
> centralized monitoring/management path we are currently traversing. I
> haven't personally been involved in this implementation, but was
> approached by the network team due to my security background, so I can
> get more details from the network team if necessary.
>
> We are simply trying to mimic in the Cisco devices the "Route all
> traffic through this SA" functionality present in the SonicWall devices.
>
> Thoughts?
>
> Jeff
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>


------------------------------

Message: 4
Date: Tue, 25 Sep 2007 18:47:44 -0000
From: "Nathan C. Smith" <nathan.smith@ipmvs.com>
Subject: Re: [fw-wiz] Issue with replacing SonicWall VPN with Cisco
ASA VP N devices
To: 'Firewall Wizards Security Mailing List'
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <E10143BCF174D211BB2E00805FCBDD2307731F93@DSMEXCH>
Content-Type: text/plain


>
> Thoughts?
>
> Jeff
>

Call Juniper and them show you how they can one-up Cisco and beat their
prices?

Seriously: I can't believe for a minute that this isn't possible, unless you
need to add another license to the Cisco pile. ("for a few dollars more I
can install this little blue button to getcha down") Another question is
why wasn't the new config tested and proven before the old implementation
was removed?

-Nate


------------------------------

Message: 5
Date: Wed, 26 Sep 2007 10:12:25 +0200
From: "Robby Cauwerts" <robby@cauwerts.be>
Subject: Re: [fw-wiz] Issue with replacing SonicWall VPN with Cisco
ASA VPN devices
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<2ca18af0709260112l4e2b89a4me5dc1951e0af43a3@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

On 9/25/07, Behm, Jeffrey L. <BehmJL@bv.com> wrote:
>
>
> Hello Wizards,
>
> Our network team is replacing the client's SonicWall devices with Cisco
> ASA 5505 (remote office) and 5520 (HQ) devices. The SonicWall devices
> were basically used as VPN endpoints in remote offices to be
> concentrated back to the corporate HQ. All traffic not destined for the
> local LAN in the remote offices was sent to the corporate office via the
> "Route all traffic through this SA" functionality in the SonicWall. This
> worked well for the environment, but now there is the need to replace
> these devices, and Cisco ASA devices have been chosen.
>

Search for Easy Vpn.
http://www.cisco.com/en/US/products/ps6635/prod_brochure09186a00800a4b36.html
This is designed for quick/easy setups of remote offices.
With Cisco Easy vpn all traffic not for the local lan is routed through the
vpn tunnel, unless you configure split tunneling.

Br.
Robby
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20070926/82b79631/attachment-0001.html


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 17, Issue 21
************************************************

No comments:

Post a Comment