Sunday, November 25, 2007

firewall-wizards Digest, Vol 19, Issue 18

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Opinions wanted... (ArkanoiD)
2. Re: Opinions wanted... (Chris Blask)
3. How to find hidden host within LAN (desant1@tin.it)
4. Re: Firewalls that generate new packets.. (Patrick M. Hausen)
5. Cisco firewall appliance choice (Brian Loe)
6. Re: Opinions wanted... (Kurt Buff)
7. Re: Opinions wanted... (Kurt Buff)


----------------------------------------------------------------------

Message: 1
Date: Sat, 24 Nov 2007 17:29:17 +0300
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] Opinions wanted...
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20071124142916.GA11782@eltex.net>
Content-Type: text/plain; charset=koi8-r

Because a firewall *IS* a complex thing to operate. If you stick to
"reasonable heuristics and defaults" as Checkpoint offers,
your firewall is just not operated at all, as its configuration
does represent Checkpoint's view on network security policy, not
yours. That's why I always say "if Checkpoint is ok for you,
better get training or outsource your firewall administration
completely". There are too many configuration issues that are
far from being transparent, and if you care exactly WHAT
your firewall does, Checkpoint is extremely hard to operate.

On Wed, Nov 21, 2007 at 08:40:51AM -0800, Kurt Buff wrote:
> All,
>
> I've been working with Watchguards at my current employer for quite a
> while, but we're looking to replace them.
>
> We've received a recommendation from one firm for Sidewinders (a 410
> and a couple of 110s for the branch offices).
>
> We've received a recommendation against the Sidewinders from another
> firm saying that they are too complex to manage easily, and require
> extensive training to understand - they recommend Checkpoint instead.
>
> Neither seems to be completely out of our price range, so it would
> seem to come down to concerns regarding initial implementation and
> ongoing management.
>
> Are the Sidewinders that much more complex than Checkpoints?
>
> Is one "better" (for whatever that might mean to you) than the other -
> that is, if you have experience with both, which would you prefer, and
> why?
>
> I, of course, am excited to be learning a new platform, and want to
> move away from some of the quirkiness of the ancient Fireboxes we
> have, but want to make a reasonable recommendation to management.
>
>
> Thanks,
>
> Kurt

------------------------------

Message: 2
Date: Fri, 23 Nov 2007 06:54:30 -0800 (PST)
From: Chris Blask <chris@blask.org>
Subject: Re: [fw-wiz] Opinions wanted...
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <102374.93002.qm@web33813.mail.mud.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1

Hey Kurt!

--- Kurt Buff <kurt.buff@gmail.com> wrote:
> All,
>
> I've been working with Watchguards at my current employer
> for quite a while, but we're looking to replace them.
>
> We've received a recommendation from one firm for
> Sidewinders (a 410 and a couple of 110s for the branch
> offices).
>
> We've received a recommendation against the Sidewinders
> from another firm saying that they are too complex to
> manage easily, and require extensive training to understand
> - they recommend Checkpoint instead.

The real answer is "whatever works for you is best", but
I'll toss my opinions on the plate for what they are worth.
Keep in mind that I don't actually manage any of these
things, so others on the list will have more tactical
thoughts than I do.

o Sidewinder has arguably the "best security" if you can
figure it out. It's a true security geek's firewall,
application proxies and roots deep in US gov't use. Still
popular afaik among military types and hard-core technical
users.

o Checkpoint can also be as complicated as you like, but
by nature a simpler firewall with a much larger user base
and more intended for the Great Unwashed. While I spent a
decade being their #1 competitor, I have always said that
anyone would be fine choosing them if they wanted to.

o If you want something reliable and hard to screw up I'd
recommend PIX (call it ASA if you like), functionally much
like WG and with all the advantages of being supported by
The Borg. Your employers are much more likely to find a
replacement for you who knows Cisco inside out than someone
who knows Sidewinder, and marginally more so than CP
(whether you find that to be good or bad is your call...).

I'm rife with biases here, so take it for what it is worth.

-cheers!

-chris


> Neither seems to be completely out of our price range, so
> it would seem to come down to concerns regarding initial
> implementation and ongoing management.
>
> Are the Sidewinders that much more complex than
> Checkpoints?
>
> Is one "better" (for whatever that might mean to you)
> than the other - that is, if you have experience with both,
> which would you prefer, and why?
>
> I, of course, am excited to be learning a new platform,
> and want to move away from some of the quirkiness of the
> ancient Fireboxes we have, but want to make a reasonable
> recommendation to management.
>
> Thanks,
>
> Kurt

------------------------------

Message: 3
Date: Sun, 25 Nov 2007 15:42:13 +0100 (GMT+01:00)
From: "desant1@tin.it" <desant1@tin.it>
Subject: [fw-wiz] How to find hidden host within LAN
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <11677422a38.desant1@tin.it>
Content-Type: text/plain;charset="UTF-8"

Hi everybody,
I'm using RH ES4 with iptables as gateway/firewall for my LAN.
In the last week I noticed in the iptables logs that a host within
my LAN is doing a lot of traffic.
The destination/source addresses of the packets and the ports used
suggest that this host is using a peer-to-peer application (emule or
similar).
The problem is that I'm not able to identify this host within my LAN:
I can see its IP address (192.168.x.y) and I can find its MAC address
through ARP, but I can't ping it and there is no host within my LAN
with this MAC address.
I can't traceroute it.
Can someone help me to find this hidden host?

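The poster's only evidence is the gateway's iptables log, so here is an added example (my own script, not from the poster or anyone on the list) that parses iptables LOG lines, pulls the LAN host's source MAC out of the 14-byte MAC= field, totals bytes per (IP, MAC) pair, and flags an IP that shows up with more than one MAC. The log lines are constructed; the field layout is the standard one produced by the iptables LOG target.

```python
import re
from collections import defaultdict

# Constructed sample of iptables LOG output in kernel/syslog form; every
# address and MAC below is invented for the example.
SAMPLE_LOG = """\
Nov 25 14:02:11 gw kernel: IN=eth1 OUT=eth0 MAC=00:0c:29:aa:bb:cc:00:1e:68:dd:ee:ff:08:00 SRC=192.168.1.37 DST=85.12.34.56 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=4662 DPT=4662 SYN URGP=0
Nov 25 14:02:12 gw kernel: IN=eth1 OUT=eth0 MAC=00:0c:29:aa:bb:cc:00:1e:68:dd:ee:ff:08:00 SRC=192.168.1.37 DST=91.7.8.9 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=UDP SPT=4672 DPT=4672 LEN=1480
Nov 25 14:02:13 gw kernel: IN=eth1 OUT=eth0 MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=192.168.1.37 DST=10.9.9.9 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=4662 DPT=80
Nov 25 14:02:14 gw kernel: IN=eth1 OUT=eth0 MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=192.168.1.12 DST=10.9.9.9 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=1025 DPT=443
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """Return the key=value fields of one iptables LOG line, or None for
    other kernel messages. The first LEN= wins: it is the IP total length
    (UDP lines carry a second LEN= for the UDP payload)."""
    if " MAC=" not in line or " SRC=" not in line:
        return None
    fields = {}
    for key, val in FIELD_RE.findall(line):
        fields.setdefault(key, val)
    return fields

def split_mac_field(mac):
    """The MAC= field is 14 bytes: dst MAC (6), src MAC (6), ethertype (2).
    For traffic arriving from the LAN the src MAC is the LAN host's."""
    octets = mac.split(":")
    if len(octets) != 14:
        return None, None
    return ":".join(octets[:6]), ":".join(octets[6:12])

def summarize(log_text):
    """Bytes per (source IP, source MAC), plus IPs seen with more than one
    MAC, which points at a host that changes or spoofs its address."""
    bytes_by_pair = defaultdict(int)
    macs_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if not f:
            continue
        _dst_mac, src_mac = split_mac_field(f.get("MAC", ""))
        if src_mac is None:
            continue
        bytes_by_pair[(f["SRC"], src_mac)] += int(f.get("LEN", 0))
        macs_by_ip[f["SRC"]].add(src_mac)
    conflicts = {ip: sorted(m) for ip, m in macs_by_ip.items() if len(m) > 1}
    return dict(bytes_by_pair), conflicts
```

Run summarize() over the gateway's kernel log (on RH ES4 that is /var/log/messages) and sort the totals to find the top talker. The MAC it reports can then be looked up in the switch's address table to find the physical port the host is plugged into.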

------------------------------

Message: 4
Date: Sat, 24 Nov 2007 00:08:35 +0100
From: "Patrick M. Hausen" <hausen@punkt.de>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20071123230832.GA28797@hugo10.ka.punkt.de>
Content-Type: text/plain; charset=iso-8859-1

Hello,

On Fri, Nov 23, 2007 at 05:07:23PM -0500, Paul D. Robertson wrote:
> On Mon, 19 Nov 2007, Paul Melson wrote:
>
> > and has a miniscule share of the total firewall market. Of course, Cisco,
> > Check Point, and most of their competitors have proxies. Proxy firewalls
> > are dead. Long live proxy firewalls.
>
> But if my experience with Internet-enabled software vendors is anywhere
> near common, nobody's enabling the proxies.

Absolutely correct. Because at least for one of these vendors
the proxies are riddled with bugs, i.e. protocol violations or,
to the customer, arbitrary restrictions, and, additionally,
performance plummets faster than <insert favorite comparison>.

These proxies are (IMHO) just a check item for people who buy
products based on check lists.

You need to design a firewall for use of proxies as your main
line of defense from the ground up. Fortunately current CPU
speeds and RAM capacities show the "stateful packet filters
are faster" argument not to be true anymore. At least not
if implemented on general purpose hardware.

The product with the "miniscule share of the total firewall market"
can easily support Gigabit speeds.

Of course I'm biased, but I happen to have a customer with
about 14.000 seats running both Checkpoint and Secure Computing.
You should talk to their IT staff.

They introduced Checkpoint firewalls when your "high end" ALG
was Gauntlet on a Sun E450. A current Sidewinder runs circles
around these boxes. With much more thorough protocol inspection
than Gauntlet ever had. Sorry, ^inspection^enforcement. ;-)

Kind regards,
Patrick M. Hausen
Head of Networks and Security
--
punkt.de GmbH * Vorholzstr. 25 * 76137 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info@punkt.de

http://www.punkt.de
Managing Director: Jürgen Egeling, AG Mannheim 108285


------------------------------

Message: 5
Date: Sat, 24 Nov 2007 17:45:10 -0600
From: "Brian Loe" <knobdy@gmail.com>
Subject: [fw-wiz] Cisco firewall appliance choice
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<3c4611bc0711241545v5666e979v81f90f938b3279b4@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

If you had a customer with their mind set on replacing their limited
PIX 505 with another Cisco device, for good or evil, which would you
go with? I'm not all that well versed with the ASA devices and the
software restrictions that come with them. In short, unless the price
difference is huge - and that doesn't appear to be the case - then I
see no benefit of any ASA over the various 500 series PIXen and an
unrestricted license (not to include some of the addons that appear to
be available with the ASAs like AV and IPS). Anyone here have an
opinion?

The customer is a small office: 50 desktops, 15-20 servers, will be
using SIP, many peer-to-peer VPNs with customers, uses their PIX for
remote access for employees.


------------------------------

Message: 6
Date: Sat, 24 Nov 2007 09:20:06 -0800
From: "Kurt Buff" <kurt.buff@gmail.com>
Subject: Re: [fw-wiz] Opinions wanted...
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<a9f4a3860711240920s58217b43w580041e7d97b8479@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

The advantage of a standard hardware platform doesn't really exist for
us, sad to say, though we do show a preference for Dell. It is an
interesting perspective however - I'll definitely make that something
we look at.

On Nov 23, 2007 6:33 AM, Timothy Shea <tim@tshea.net> wrote:
> IMHO - if you haven't used either platform before and only 3 firewalls
> - either solution will require an equal amount of training to
> understand and my guess is that the VAR who is recommending against
> checkpoint will make more money if you buy checkpoint versus sidewinder.
>
> That being said - for your type of application I would lean toward
> CheckPoint Secure Platform (SPLAT) versus Sidewinder or Checkpoint
> running on Nokia and my reasoning is that I can normally use what ever
> hardware platform my server teams support versus buying an all in one
> appliance solution (checkpoint nokia, sidewinder).
>
> t.s
>
>
> On Nov 21, 2007, at 10:40 AM, Kurt Buff wrote:
>
> > All,
> >
> > I've been working with Watchguards at my current employer for quite a
> > while, but we're looking to replace them.
> >
> > We've received a recommendation from one firm for Sidewinders (a 410
> > and a couple of 110s for the branch offices).
> >
> > We've received a recommendation against the Sidewinders from another
> > firm saying that they are too complex to manage easily, and require
> > extensive training to understand - they recommend Checkpoint instead.
> >
> > Neither seems to be completely out of our price range, so it would
> > seem to come down to concerns regarding initial implementation and
> > ongoing management.
> >
> > Are the Sidewinders that much more complex than Checkpoints?
> >
> > Is one "better" (for whatever that might mean to you) than the other -
> > that is, if you have experience with both, which would you prefer, and
> > why?
> >
> > I, of course, am excited to be learning a new platform, and want to
> > move away from some of the quirkiness of the ancient Fireboxes we
> > have, but want to make a reasonable recommendation to management.
> >
> >
> > Thanks,
> >
> > Kurt


------------------------------

Message: 7
Date: Sat, 24 Nov 2007 09:42:20 -0800
From: "Kurt Buff" <kurt.buff@gmail.com>
Subject: Re: [fw-wiz] Opinions wanted...
To: dave@corecom.com, "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<a9f4a3860711240942n56214ad1ybd2e20b1146c3bce@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Nov 23, 2007 3:06 PM, Dave Piscitello <dave@corecom.com> wrote:
> We might be able to offer better insights if we understood why you were
> replacing your current firewalls.

Obsolescence (the current firewalls are EOL) and a perceived need for
more sophisticated capabilities.

> Tim's comment re: common server platform is a good example of one
> motivation. In his situation, he's (presumably) confident that his
> server team can secure the underlying platform as well as an appliance
> solution (claims to) secure its product. Your motivation might be
> performance, issues with feature set of proxies, desire for an
> application level security feature you currently don't have, IPv6
> support, etc.
>
> Nothing against VARs, but I would trust a security decision to security
> professionals. If the VAR has some and they can provide a security basis
> to support their recommendation, terrific. If not, then money may be
> the motive and that's not always the best motive where security comes
> into play.
>
> I'd suggest you sit with your security team and anyone in your company
> who might have some insight into long term business objectives that will
> influence security requirements (e.g., VOIP). Identify the security
> objectives the current firewall cannot satisfy. Identify any new
> security objectives you expect you'll need to satisfy for whatever
> "business horizon" you can see.

I *am* the security team. Scary, isn't it? At the very least, it scares
me, when I stop to think about it. I think that's a good thing,
really, as it makes me confident of my ignorance, and I try not to
take anything for granted.

That said, I've worked with the IT Director, and we're making our best
effort at predicting the needs/requirements for our environment for
the next few years. We have a fair but assuredly incomplete picture of
what we expect to do near to mid term, and are trying to arrange for a
solution that will work for us.

But - I recognize that what we're doing isn't terribly sophisticated.
I've monitored this list, and many others for a *long* time
(greatcircle.com, anyone?), so have confidence that either product
will do what we need it to do given proper care and feeding. However,
I also recognize that these products are different, and those
differences may prove crucial to our operations. Unfortunately, we
don't have the time or manpower or sophistication to make a good
comparison ourselves. Hiring a consultant to make a recommendation
might not be a bad approach, but our best effort at the moment is to
pick two VARs with broad product lines, meet with them to describe our
situation, and ask our best questions and get their best
recommendations.


Checkpoint is more widely deployed than Sidewinder (or at least *way*
more talked about), but my recollections of talk on various lists,
this one in particular, plus other reading, leads me to believe that
it's a serious contender, and worthy of consideration. However, war
stories, or distillations thereof, from actual experience are at least
as valuable as any list of competing marketing bullet points.

Kurt


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 19, Issue 18
************************************************
