
Saturday, November 17, 2007

firewall-wizards Digest, Vol 19, Issue 12

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Firewalls that generate new packets.. (ArkanoiD)
2. Re: Firewalls that generate new packets.. (John Adams)
3. Re: static nat for inside returning traffic (kevin horvath)
4. Re: Firewalls that generate new packets.. (Matthew Hannigan)
5. Active-Active Single-context Failover on an ASA 5550
(Keith A. Glass)
6. Re: Firewalls that generate new packets.. (Paul Melson)
7. Re: static nat for inside returning traffic (Robert Fenech)


----------------------------------------------------------------------

Message: 1
Date: Thu, 15 Nov 2007 01:27:00 +0300
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20071114222700.GA9543@eltex.net>
Content-Type: text/plain; charset=koi8-r

Well, what do you actually mean?
There are plenty of ways to alter packets. Any routing device does, and
a firewall generally does even more. A firewall may also:

Terminate and initiate VPN connections, extracting packet from encapsulation
envelopes

Change header, stripping or altering some data, doing, say, tcp resequencing

Change data portion

Terminate and initiate whole connection on the client's behalf (like proxy firewalls do)

Something else that did not come to my mind yet

On Wed, Nov 14, 2007 at 02:58:37PM +1100, Kelly Robinson wrote:
>
> Some firewalls, after receiving a packet, generate a new packet and
> populate it with data from the original, rather than forwarding the
> same packet that was received. What are the advantages and
> disadvantages of this approach? And does anyone have any examples of
> any firewalls that do this on the market?
>
>
>
> Thanks
>
>
>
> - k
>
> email protected and scanned by AdvascanTM - keeping email useful -
> www.advascan.com
>

> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

------------------------------

Message: 2
Date: Wed, 14 Nov 2007 15:56:08 -0800
From: John Adams <jna@retina.net>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <DDF2DFAF-6F1F-42EA-A0EE-57DA3B1C8ECB@retina.net>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

One issue that happened many years ago was that certain Windows TCP/
IP implementations would allocate the packet in memory and then write
the outgoing data into the allocated space.

The remainder of the packet (MTU - data_length) would contain
whatever garbage was lying around the sending computer's memory
space. Over time, this would leak large portions of memory out the
network port.

A firewall that copied data into a fresh, initialized packet would
avoid this information leak.

I can't see any disadvantages to using this approach. Packets with
improper length and header information would be truncated or dropped
by the firewall, and that's probably a good thing.

-j


On Nov 13, 2007, at 7:58 PM, Kelly Robinson wrote:

> Some firewalls, after receiving a packet, generate a new packet and
> populate it with data from the original, rather than forwarding the
> same packet that was received. What are the advantages and
> disadvantages of this approach? And does anyone have any examples
> of any firewalls that do this on the market?
>
> Thanks
>
> - k
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
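
The leak John describes, and the fix he attributes to a regenerating firewall, as an added example (my code, not John's or any product's): a constructed Ethernet/IPv4/UDP frame is padded to the 60-byte minimum with a made-up string standing in for stale buffer contents; `trailer()` isolates the bytes past the declared IP total length, `leaks_memory()` flags any non-zero padding, and `regenerate()` forwards only the declared datagram in a freshly built, zero-padded frame and drops frames whose declared length exceeds what was captured. All addresses, ports and the `SECRET` padding are constructed.

```python
import struct

ETH_HDR_LEN = 14      # destination MAC, source MAC, EtherType
ETH_MIN_FRAME = 60    # minimum Ethernet frame length before the FCS


def ipv4_checksum(header: bytes) -> int:
    """Standard ones'-complement checksum over an even-length IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_sample_frame(padding: bytes) -> bytes:
    """Constructed frame: Ethernet + IPv4 + UDP + 4-byte payload, followed by
    whatever the caller supplies as padding (a careless stack would put stale
    buffer contents here)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    payload = b"ping"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    total_len = 20 + len(udp)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 17, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return eth + hdr + udp + padding


def ipv4_total_length(frame: bytes) -> int:
    """Total length declared by the IPv4 header inside an Ethernet frame."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    if frame[ETH_HDR_LEN] >> 4 != 4:
        raise ValueError("IP version is not 4")
    return struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]


def trailer(frame: bytes) -> bytes:
    """Bytes on the wire beyond the end of the IP datagram (Ethernet padding)."""
    return frame[ETH_HDR_LEN + ipv4_total_length(frame):]


def leaks_memory(frame: bytes) -> bool:
    """A sender that zero-fills its padding produces an all-zero trailer."""
    return any(trailer(frame))


def regenerate(frame: bytes) -> bytes:
    """Forward only the declared datagram, in a fresh zero-padded frame."""
    end = ETH_HDR_LEN + ipv4_total_length(frame)
    if end > len(frame):
        raise ValueError("declared IP length exceeds the captured frame: drop")
    fresh = bytearray(frame[:end])
    fresh.extend(b"\x00" * max(0, ETH_MIN_FRAME - len(fresh)))
    return bytes(fresh)


# Constructed leaky frame: 46 bytes of real data plus 14 bytes of "stale memory".
LEAKY_FRAME = build_sample_frame(b"SECRET" + b"\x00" * 8)

if __name__ == "__main__":
    print("leaks:", leaks_memory(LEAKY_FRAME), "trailer:", trailer(LEAKY_FRAME))
    clean = regenerate(LEAKY_FRAME)
    print("after regeneration leaks:", leaks_memory(clean), "length:", len(clean))
```

The same trailer check works as a detection rule on a capture: any frame whose padding beyond the IP total length is non-zero came from a stack that does not clear its buffers.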

------------------------------

Message: 3
Date: Wed, 14 Nov 2007 20:28:51 -0500
From: "kevin horvath" <kevin.horvath@gmail.com>
Subject: Re: [fw-wiz] static nat for inside returning traffic
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<5c41be6e0711141728v450e3b43i17c6925ca9cd191f@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

Yes if you want access to an inside host from traffic initiated from
the outside then you must have either a static nat, static pat, or nat
exemption. Regular nat or pat will only allow traffic from a higher
security interface to a lower security interface, but not initiated
from the outside (lower security) to the inside (higher security).

On Nov 13, 2007 6:45 PM, Shahin Ansari <zohal52@yahoo.com> wrote:
> Greetings-
> I came across an issue which I cannot explain and need your help please.
> I was trying to provide access to an inside host from outside. I put in a
> 1:1 static nat for the outside host, made sure there is a route for both
> hosts, and updated the outside interface access-list. But there was no
> connection. I also did not see any message in the logs. Just fyi, this was
> pix platform running 6.3(x). What seems to have fixed the issue was a
> static for the inside host, which I did not think I needed since there is a
> default nat statement on my inside interface translating everything to a
> global address. Any thoughts?
> Sean
>
>
> ________________________________
> Be a better sports nut! Let your teams follow you with Yahoo Mobile. Try it
> now.
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>


------------------------------

Message: 4
Date: Thu, 15 Nov 2007 11:42:18 +1100
From: Matthew Hannigan <mlh@zip.com.au>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20071115004218.GC2730@localhost.localdomain>
Content-Type: text/plain; charset=us-ascii

On Wed, Nov 14, 2007 at 02:58:37PM +1100, Kelly Robinson wrote:
> Some firewalls, after receiving a packet, generate a new packet and populate
> it with data from the original, rather than forwarding the same packet that
> was received. What are the advantages and disadvantages of this approach?
> And does anyone have any examples of any firewalls that do this on the
> market?

I guess all proxying firewalls like the original fwtk do this.

Advantage:

Your firewall is more trusted not to do funky stuff
that might upset internal servers.

Directly concomitant disadvantage:

The packet may not be an entirely faithful
version of the original (besides the obvious
source addr/port)


------------------------------

Message: 5
Date: Fri, 16 Nov 2007 15:41:49 +0000
From: "Keith A. Glass" <salgak@speakeasy.net>
Subject: [fw-wiz] Active-Active Single-context Failover on an ASA 5550
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <W271562098085751195227709@webmail2>
Content-Type: text/plain; charset="utf-8"

I'm attempting to create an Active-Active failover configuration on a pair of ASA 5550s.

Problem is, when I try clustering them up, I see the unconfigured secondary come up and take over the cluster, replacing the ruleset on the primary with the basic clustering setup config of the secondary.

Basic config is 10.x.y.z /28 as internal, 10.x.y.a/240 as external, with the State failovers on 192.168.10.10/.11 /24 and LAN Failovers as 192.168.20.10/.11 /24

Failovers are cabled with crossovers, and the int and ext addresses are on the switch.

Any suggestions ???? Any idea what I'm doing wrong ??

Keith


------------------------------

Message: 6
Date: Wed, 14 Nov 2007 22:00:57 -0500
From: "Paul Melson" <pmelson@gmail.com>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<40ecb01f0711141900n48603e00s355e6f7074dbea56@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Nov 13, 2007 10:58 PM, Kelly Robinson <caliana1989@gmail.com> wrote:
> Some firewalls, after receiving a packet, generate a new packet and populate
> it with data from the original, rather than forwarding the same packet that
> was received. What are the advantages and disadvantages of this approach?
> And does anyone have any examples of any firewalls that do this on the
> market?


Your first statement is a bit ambiguous. Are you talking specifically
about IP reassembly? Because in a sense, any packet that has
undergone NAT translation is a "new" packet because it has changed
(albeit just 2-3 fields of the IP header) from the time it arrived to
the time it was forwarded on.

So the upside to firewalls that do IP reassembly (like iptables, pf,
and most of the commercial "stateful firewall" products) as well as
proxy firewalls is that they serve to normalize traffic to one degree
or another. They reduce the amount of control an external attacker
has over the packets that are passed to your network through the
firewall.

The downside is that this can break crappy protocols (or even normal
protocols in the case of a misconfigured firewall).

PaulM
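
The reassembly Paul is pointing at, as an added example (my code, not Paul's and not taken from iptables, pf or any product): constructed IPv4 fragments are parsed for identification, offset and the MF flag, then reassembled under a strict policy that rejects overlaps outright rather than picking first- or last-wins, rejects gaps, and requires a final fragment. What leaves the firewall is the reassembled datagram, so the outside sender no longer controls how the inside host's stack resolves fragment ambiguities; the "downside" is visible too, since a legitimate but unusual fragment sequence is dropped rather than passed. Addresses, identification values and payloads are all constructed; header checksums are left zero because the example only exercises the fragmentation fields.

```python
import struct

MF_FLAG = 0x2000      # "more fragments" bit in the flags/fragment-offset word
OFFSET_MASK = 0x1FFF  # fragment offset, in 8-byte units


def make_fragment(ident: int, offset: int, more: bool, payload: bytes) -> bytes:
    """Constructed IPv4 fragment with a 20-byte header and no options."""
    assert offset % 8 == 0, "fragment offsets are 8-byte units"
    flags_frag = (MF_FLAG if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, 6, 0,
                      bytes([198, 51, 100, 7]), bytes([10, 1, 1, 10]))
    return hdr + payload


def parse_fragment(pkt: bytes):
    """Return (ident, byte offset, more-fragments flag, payload) of a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    if total_len > len(pkt) or ihl > total_len:
        raise ValueError("length fields inconsistent with packet: drop")
    return (ident, (flags_frag & OFFSET_MASK) * 8,
            bool(flags_frag & MF_FLAG), pkt[ihl:total_len])


def reassemble(fragments, max_datagram=65535) -> bytes:
    """Strict reassembly: fragments must tile the datagram exactly once with no
    gaps, the last one must clear MF, and any overlap discards the datagram."""
    parts = sorted((parse_fragment(p) for p in fragments), key=lambda f: f[1])
    if not parts:
        raise ValueError("no fragments")
    if len({p[0] for p in parts}) != 1:
        raise ValueError("fragments carry different IP identification values")
    data = bytearray()
    expected = 0
    for _, offset, more, payload in parts:
        if offset < expected:
            raise ValueError(f"overlap at offset {offset}: drop datagram")
        if offset > expected:
            raise ValueError(f"gap before offset {offset}: incomplete datagram")
        if more and len(payload) % 8:
            raise ValueError("non-final fragment length is not a multiple of 8")
        data.extend(payload)
        expected = offset + len(payload)
        if expected > max_datagram:
            raise ValueError("reassembled datagram exceeds the maximum size")
    if parts[-1][2]:
        raise ValueError("final fragment (MF=0) missing")
    return bytes(data)


PAYLOAD = b"abcdefgh" * 3  # constructed 24-byte datagram payload

# Constructed fragment sets: GOOD arrives out of order; OVERLAP adds a second
# fragment at offset 8 whose contents differ from the one already seen there.
GOOD = [make_fragment(0x1234, 16, False, PAYLOAD[16:]),
        make_fragment(0x1234, 0, True, PAYLOAD[:8]),
        make_fragment(0x1234, 8, True, PAYLOAD[8:16])]
OVERLAP = GOOD + [make_fragment(0x1234, 8, True, b"XXXXXXXX")]

if __name__ == "__main__":
    print("good:", reassemble(GOOD))
    for name, frags in (("overlap", OVERLAP), ("missing last", GOOD[1:])):
        try:
            reassemble(frags)
        except ValueError as err:
            print(name, "->", err)
```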


------------------------------

Message: 7
Date: Wed, 14 Nov 2007 19:43:54 +0100
From: "Robert Fenech" <robertfenech@gmail.com>
Subject: Re: [fw-wiz] static nat for inside returning traffic
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<ee7b3f4e0711141043s12acbea5y65a65e6f5b6d3bb7@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hi Sean,

I might be wrong but if you want to connect to an internal host from
an external source you have to configure your PIX with static NAT and
create appropriate access-rule entries. Hiding your internal host
behind the PIX's external interface IP or any other global IP (PAT)
for that matter would not work.

However one thing you can do is port forwarding, whereby connections
originating from an external source destined to the PIX's external
interface IP (or any other global IP) on a specific port are forwarded
to a specific internal host.

On Nov 14, 2007 12:45 AM, Shahin Ansari <zohal52@yahoo.com> wrote:
> Greetings-
> I came across an issue which I cannot explain and need your help please.
> I was trying to provide access to an inside host from outside. I put in a
> 1:1 static nat for the outside host, made sure there is a route for both
> hosts, and updated the outside interface access-list. But there was no
> connection. I also did not see any message in the logs. Just fyi, this was
> pix platform running 6.3(x). What seems to have fixed the issue was a
> static for the inside host, which I did not think I needed since there is a
> default nat statement on my inside interface translating everything to a
> global address. Any thoughts?
> Sean
>
>
> ________________________________
> Be a better sports nut! Let your teams follow you with Yahoo Mobile. Try it
> now.
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>
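
A PIX 6.3 configuration fragment that puts Kevin's and Robert's points side by side, as an added example written here, not Sean's, Kevin's or Robert's config. The dynamic `nat`/`global` pair is the "default nat statement" that only lets inside hosts initiate outbound; the `static` for the inside host is the inbound mapping, and it still does nothing for outside-initiated traffic until an access-list applied to the outside interface permits it. The last line is the port-forwarding variant Robert describes. Interface names, addresses (RFC 5737 and RFC 1918 ranges) and the access-list name are constructed.

```text
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0

! Dynamic NAT/PAT: higher-security to lower-security only. Creates no
! translation that outside-initiated traffic can use.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! 1:1 static for the INSIDE host: the translation Sean ended up needing.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255

! The static alone is not enough. On 6.3 the access-list names the global
! (translated) address, and must be applied inbound on the outside interface.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside

! Alternative (Robert's port forwarding): only TCP/80 on the outside interface
! address is mapped, everything else to that address stays with the PIX.
static (inside,outside) tcp interface www 10.1.1.10 www netmask 255.255.255.255
```

With no `static` and no access-list entry there is also nothing for the PIX to log: the packet matches no translation, so it never reaches the point where a deny would be recorded, which is consistent with Sean seeing an empty log.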


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 19, Issue 12
************************************************
