Thursday, September 27, 2007

firewall-wizards Digest, Vol 17, Issue 23

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Issue with replacing SonicWall VPN with Cisco ASA VPN
devices (robbie.jacka@regions.com)
2. Re: Issue with replacing SonicWall VPN with Cisco ASA VP N
devices (J. Oquendo)
3. Re: Issue with replacing SonicWall VPN with Cisco ASA VPN
devices (Joe S)
4. Re: Issue with replacing SonicWall VPN with Cisco ASA VPN
devices (Anthony)


----------------------------------------------------------------------

Message: 1
Date: Wed, 26 Sep 2007 11:10:42 -0500
From: robbie.jacka@regions.com
Subject: Re: [fw-wiz] Issue with replacing SonicWall VPN with Cisco
ASA VPN devices
To: michael@wanderingbark.net
Cc: "Behm, Jeffrey L." <BehmJL@bv.com>,
firewall-wizards@listserv.icsalabs.com,
firewall-wizards-bounces@listserv.icsalabs.com
Message-ID:
<OF9CA84738.9DE032CE-ON86257362.0058B581-86257362.0058DEF9@asocorp.ASO.AMSOUTH.COM>

Content-Type: text/plain; charset=US-ASCII

The biggest possible issue is hairpinning the internet-bound traffic inside
of the 5520, not tunneling the traffic back from the 5505s. PIX 6.x has
traditionally had a problem with this, if I recall correctly, and I'm not
sure that it's been fixed in PIX 7.x/ASA code

Robbie


Michael Cox
<michael@wanderin
gbark.net> To
Sent by: firewall-wizards@listserv.icsalabs.
firewall-wizards- com
bounces@listserv. cc
icsalabs.com "Behm, Jeffrey L." <BehmJL@bv.com>
Subject
Re: [fw-wiz] Issue with replacing
09/26/2007 09:25 SonicWall VPN with Cisco ASA VPN
AM devices


Please respond to
Firewall Wizards
Security Mailing
List
<firewall-wizards
@listserv.icsalab
s.com>


For clarification, are there clients connecting to the 5505's, or is it
just a site-to-site setup?

In any case, what you want to do should be possible. When you define the
ACL for what traffic goes down the tunnel from the branch to the hub,
simply do "permit ip <LAN network address> <LAN netmask> any". Reverse
this on the hub.

I'm stumped as to why they think this is a security issue.

Maybe TAC didn't understand what you want to do (or maybe I don't).

Regards,
Michael

On Tuesday 25 September 2007 09:03, Behm, Jeffrey L. wrote:
> Hello Wizards,
>
> Our network team is replacing the client's SonicWall devices with
> Cisco ASA 5505 (remote office) and 5520 (HQ) devices. The SonicWall
> devices were basically used as VPN endpoints in remote offices to be
> concentrated back to the corporate HQ. All traffic not destined for
> the local LAN in the remote offices was sent to the corporate office
> via the "Route all traffic through this SA" functionality in the
> SonicWall. This worked well for the environment, but now there is the
> need to replace these devices, and Cisco ASA devices have been
> chosen.
>
> They are now trying to duplicate that functionality via the Cisco
> devices, but in talking with Cisco TAC, they say such a configuration
> is not possible, and even if it were, it would not be a security best
> practice. Implementation of the Cisco device has broken all Internet
> connectivity from the remote offices, since the only traffic allowed
> out to/from the Internet is through HQ (with the exception of the
> site to site VPN traffic to allow connectivity between remote offices
> and HQ). Remote offices can see everything on the HQ LAN, because the
> Cisco device is configured with IP information that allows it to
> route traffic to HQ.
>
> I can see some of Cisco's arguments regarding it not being a security
> best practice, but in the scenario of centralized management and
> monitoring of Internet-bound traffic, has anyone successfully
> configured the Cisco devices to mimic the "Route all traffic through
> this SA" functionality present in the SonicWall devices? I understand
> they could open up the Cisco devices to allow traffic out from each
> office, but that would require monitoring every remote office, and
> deviates from the centralized monitoring/management path we are
> currently traversing. I haven't personally been involved in this
> implementation, but was approached by the network team due to my
> security background, so I can get more details from the network team
> if necessary.
>
> We are simply trying to mimic in the Cisco devices the "Route all
> traffic through this SA" functionality present in the SonicWall
> devices.
>
> Thoughts?
>
> Jeff
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


------------------------------

Message: 2
Date: Wed, 26 Sep 2007 15:18:01 -0400
From: "J. Oquendo" <sil@infiltrated.net>
Subject: Re: [fw-wiz] Issue with replacing SonicWall VPN with Cisco
ASA VP N devices
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <46FAB069.5020506@infiltrated.net>
Content-Type: text/plain; charset="iso-8859-1"

Nathan C. Smith wrote:
>
>> Thoughts?
>>
>> Jeff
>>
>
> Call Juniper and them show you how they can one-up Cisco and beat their
> prices?

If this is the case contact Stonesoft and have them show you their works
while you're at it. Maybe you can chuck those NS20's etal on eBay.

Matter or preference:

Stonesoft (Ease of use, Support, LCO (lowest cost of ownership)
Netscreen (Ease of use CLI wise... Support? ... Won't go there)
Cisco (Lesser of the evils listed below)
Astaro||iptables||ipfw||ipf (familiarity)
Checkpoint (only if absolutely necessary)
Sonicwall (mines is nothing more than a placemat right now)

I responded offlist to the initial reply with VRF
http://www.cisco.com/en/US/products/ps6635/products_white_paper0900aecd805f0bd6.shtml


--
====================================================
J. Oquendo
"Excusatio non petita, accusatio manifesta"

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5157 bytes
Desc: S/MIME Cryptographic Signature
Url : https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20070926/054bf27d/attachment-0001.bin


------------------------------

Message: 3
Date: Wed, 26 Sep 2007 15:00:00 -0700
From: "Joe S" <js.lists@gmail.com>
Subject: Re: [fw-wiz] Issue with replacing SonicWall VPN with Cisco
ASA VPN devices
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<f2c294a10709261500l30924ca8y84e1fc26ccd899ea@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Maybe Cisco is concerned about traffic generated by some kind of worm
propagating through your network. It could innundate your core router.

I'd call Cisco again, but speak to someone else.


On 9/26/07, Brett Cunningham <cssniper22@gmail.com> wrote:
> Thanks for the correction Michael, that's what I meant but not what I said.
>
> I don't think it would be a security issue... I'd be interested to
> hear if anyone can come up with an idea of why it would be.
>
> On 9/26/07, Michael Cox <michael@wanderingbark.net> wrote:
> > For clarification, are there clients connecting to the 5505's, or is it
> > just a site-to-site setup?
> >
> > In any case, what you want to do should be possible. When you define the
> > ACL for what traffic goes down the tunnel from the branch to the hub,
> > simply do "permit ip <LAN network address> <LAN netmask> any". Reverse
> > this on the hub.
> >
> > I'm stumped as to why they think this is a security issue.
> >
> > Maybe TAC didn't understand what you want to do (or maybe I don't).
> >
> > Regards,
> > Michael
> >
> > On Tuesday 25 September 2007 09:03, Behm, Jeffrey L. wrote:
> > > Hello Wizards,
> > >
> > > Our network team is replacing the client's SonicWall devices with
> > > Cisco ASA 5505 (remote office) and 5520 (HQ) devices. The SonicWall
> > > devices were basically used as VPN endpoints in remote offices to be
> > > concentrated back to the corporate HQ. All traffic not destined for
> > > the local LAN in the remote offices was sent to the corporate office
> > > via the "Route all traffic through this SA" functionality in the
> > > SonicWall. This worked well for the environment, but now there is the
> > > need to replace these devices, and Cisco ASA devices have been
> > > chosen.
> > >
> > > They are now trying to duplicate that functionality via the Cisco
> > > devices, but in talking with Cisco TAC, they say such a configuration
> > > is not possible, and even if it were, it would not be a security best
> > > practice. Implementation of the Cisco device has broken all Internet
> > > connectivity from the remote offices, since the only traffic allowed
> > > out to/from the Internet is through HQ (with the exception of the
> > > site to site VPN traffic to allow connectivity between remote offices
> > > and HQ). Remote offices can see everything on the HQ LAN, because the
> > > Cisco device is configured with IP information that allows it to
> > > route traffic to HQ.
> > >
> > > I can see some of Cisco's arguments regarding it not being a security
> > > best practice, but in the scenario of centralized management and
> > > monitoring of Internet-bound traffic, has anyone successfully
> > > configured the Cisco devices to mimic the "Route all traffic through
> > > this SA" functionality present in the SonicWall devices? I understand
> > > they could open up the Cisco devices to allow traffic out from each
> > > office, but that would require monitoring every remote office, and
> > > deviates from the centralized monitoring/management path we are
> > > currently traversing. I haven't personally been involved in this
> > > implementation, but was approached by the network team due to my
> > > security background, so I can get more details from the network team
> > > if necessary.
> > >
> > > We are simply trying to mimic in the Cisco devices the "Route all
> > > traffic through this SA" functionality present in the SonicWall
> > > devices.
> > >
> > > Thoughts?
> > >
> > > Jeff
> > > _______________________________________________
> > > firewall-wizards mailing list
> > > firewall-wizards@listserv.icsalabs.com
> > > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards@listserv.icsalabs.com
> > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> >
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>


------------------------------

Message: 4
Date: Wed, 26 Sep 2007 19:33:27 -0500
From: Anthony <ez4me2c3d@gmail.com>
Subject: Re: [fw-wiz] Issue with replacing SonicWall VPN with Cisco
ASA VPN devices
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: "Behm, Jeffrey L." <BehmJL@bv.com>,
firewall-wizards-bounces@listserv.icsalabs.com,
michael@wanderingbark.net
Message-ID: <46FAFA57.40709@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Robbie,
The ASA code 7.x has addressed VPN hairpinning with the
same-security-traffic permit intra-interface command.
I've done it several times with great success. And with proper ACLs and
routes you can direct the traffic where ever you want.

Jeff,
What you are trying to do is possible on the ASAs. You're basically
setting up a hub/spoke vpn model with l2l's between HQ and remote
offices. Cisco.com has documents on how to set this up.

References:
http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00807f9a89.shtml
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml
General Configuration Examples
http://www.cisco.com/en/US/partner/products/ps6120/prod_configuration_examples_list.html

Anthony


robbie.jacka@regions.com wrote:
> The biggest possible issue is hairpinning the internet-bound traffic inside
> of the 5520, not tunneling the traffic back from the 5505s. PIX 6.x has
> traditionally had a problem with this, if I recall correctly, and I'm not
> sure that it's been fixed in PIX 7.x/ASA code
>
> Robbie
>
>
>
>
> Michael Cox
> <michael@wanderin
> gbark.net> To
> Sent by: firewall-wizards@listserv.icsalabs.
> firewall-wizards- com
> bounces@listserv. cc
> icsalabs.com "Behm, Jeffrey L." <BehmJL@bv.com>
> Subject
> Re: [fw-wiz] Issue with replacing
> 09/26/2007 09:25 SonicWall VPN with Cisco ASA VPN
> AM devices
>
>
> Please respond to
> Firewall Wizards
> Security Mailing
> List
> <firewall-wizards
> @listserv.icsalab
> s.com>
>
>
>
>
>
>
> For clarification, are there clients connecting to the 5505's, or is it
> just a site-to-site setup?
>
> In any case, what you want to do should be possible. When you define the
> ACL for what traffic goes down the tunnel from the branch to the hub,
> simply do "permit ip <LAN network address> <LAN netmask> any". Reverse
> this on the hub.
>
> I'm stumped as to why they think this is a security issue.
>
> Maybe TAC didn't understand what you want to do (or maybe I don't).
>
> Regards,
> Michael
>
> On Tuesday 25 September 2007 09:03, Behm, Jeffrey L. wrote:
>
>> Hello Wizards,
>>
>> Our network team is replacing the client's SonicWall devices with
>> Cisco ASA 5505 (remote office) and 5520 (HQ) devices. The SonicWall
>> devices were basically used as VPN endpoints in remote offices to be
>> concentrated back to the corporate HQ. All traffic not destined for
>> the local LAN in the remote offices was sent to the corporate office
>> via the "Route all traffic through this SA" functionality in the
>> SonicWall. This worked well for the environment, but now there is the
>> need to replace these devices, and Cisco ASA devices have been
>> chosen.
>>
>> They are now trying to duplicate that functionality via the Cisco
>> devices, but in talking with Cisco TAC, they say such a configuration
>> is not possible, and even if it were, it would not be a security best
>> practice. Implementation of the Cisco device has broken all Internet
>> connectivity from the remote offices, since the only traffic allowed
>> out to/from the Internet is through HQ (with the exception of the
>> site to site VPN traffic to allow connectivity between remote offices
>> and HQ). Remote offices can see everything on the HQ LAN, because the
>> Cisco device is configured with IP information that allows it to
>> route traffic to HQ.
>>
>> I can see some of Cisco's arguments regarding it not being a security
>> best practice, but in the scenario of centralized management and
>> monitoring of Internet-bound traffic, has anyone successfully
>> configured the Cisco devices to mimic the "Route all traffic through
>> this SA" functionality present in the SonicWall devices? I understand
>> they could open up the Cisco devices to allow traffic out from each
>> office, but that would require monitoring every remote office, and
>> deviates from the centralized monitoring/management path we are
>> currently traversing. I haven't personally been involved in this
>> implementation, but was approached by the network team due to my
>> security background, so I can get more details from the network team
>> if necessary.
>>
>> We are simply trying to mimic in the Cisco devices the "Route all
>> traffic through this SA" functionality present in the SonicWall
>> devices.
>>
>> Thoughts?
>>
>> Jeff
>> _______________________________________________
>> firewall-wizards mailing list
>> firewall-wizards@listserv.icsalabs.com
>> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 17, Issue 23
************************************************

No comments:

Post a Comment