Saturday, December 01, 2007

firewall-wizards Digest, Vol 20, Issue 1

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Dark Reading: Firewalls Ready for Evolutionary Shift
(Paul Melson)
2. Re: Dark Reading: Firewalls Ready for Evolutionary Shift
(Kristian Erik Hermansen)
3. Re: Dark Reading: Firewalls Ready for Evolutionary Shift
(william fitzgerald)
4. Re: Dark Reading: Firewalls Ready for Evolutionary Shift
(ArkanoiD)
5. Re: First there was Personal Firewall Day...
(lordchariot@embarqmail.com)
6. Re: Dark Reading: Firewalls Ready for Evolutionary Shift
(Jim Seymour)


----------------------------------------------------------------------

Message: 1
Date: Fri, 30 Nov 2007 10:17:45 -0500
From: "Paul Melson" <pmelson@gmail.com>
Subject: Re: [fw-wiz] Dark Reading: Firewalls Ready for Evolutionary
Shift
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <002501c83364$29913ef0$4d00300a@ad.priorityhealth.com>
Content-Type: text/plain; charset="us-ascii"

> I notice that Nir Zuk is a primary source for this article, as well.
> It sounds like some P.R. agency has done a good job pimping* a certain
start-up that is getting > ready to "ramp"** a product. :) I have no idea if
the product is any good or not but using a
> network processor to do layer-7 stuff is not exactly rocket science!

I don't mean to pick on Dark Reading or suggest that they have cornered the
market on interviewing shills, but any time you publish company press
releases as 'news'[1] you're under suspicion in my book. (To be clear, I'm
calling Mr. Zuk a shill.)

Additionally, if you have this problem:

Then the user mistakenly checks a box that allows eMule to share its hard
drive. "That's very easy to do. Some eMule clients have that as a default,"
he says. "Now your user's entire computer has opened up your network to
share with the Internet. Anyone can execute a search and find files on your
network."

Buying a new firewall will not save you. Taking away local admin rights
from your users, however, is a good start. And there's nothing to buy.

PaulM

[1] http://www.darkreading.com/section.asp?section_id=297


------------------------------

Message: 2
Date: Fri, 30 Nov 2007 09:31:33 -0500
From: "Kristian Erik Hermansen" <kristian.hermansen@gmail.com>
Subject: Re: [fw-wiz] Dark Reading: Firewalls Ready for Evolutionary
Shift
To: firewall-wizards@listserv.icsalabs.com
Message-ID:
<fe37588d0711300631t1f5852d8wf9a76266c0bc72fc@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Nov 30, 2007 8:12 AM, George Capehart <capegeo@opengroup.org> wrote:
> Some light reading for the weekend . . . Thought it'd stir the pot a
> bit more for the "Firewalls that generate new packets . . ." thread. ;>
>
> http://www.darkreading.com/document.asp?doc_id=140121&f_src=drweekly

You're talking about a layer7 firewall. I almost worked for Palo Alto
networks. They have some bright guys over there, mainly founders of
Netscreen. They have great VC backing from the big guys, and it could
become more mainstream, but it's not really anything new. Standard
layer3/4 firewalling is insufficient these days, but as soon as you
start tunneling data over ssh/ssl, then layer7 fw doesn't matter
anyways. However, it will be interesting to see just how many bugs
are introduced into these new devices. There is no way a company
could implement all the common protocols properly, because even some
vendors don't know how they work :-)
--
Kristian Erik Hermansen
"I have no special talent. I am only passionately curious."


------------------------------

Message: 3
Date: Fri, 30 Nov 2007 13:49:49 +0000
From: william fitzgerald <wfitzgerald@tssg.org>
Subject: Re: [fw-wiz] Dark Reading: Firewalls Ready for Evolutionary
Shift
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <475014FD.9060404@tssg.org>
Content-Type: text/plain; charset=ISO-8859-1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

in realtion to this article, p2p apps (eg. emule) can and are blocked
(within reason!) using deep packet inspection and l7 approaches.

in using iptbales, the ipp2p plugin called http://www.ipp2p.org/ can be
used.

Marcus J. Ranum wrote:
> George Capehart wrote:
>> Some light reading for the weekend . . . Thought it'd stir the pot a
>> bit more for the "Firewalls that generate new packets . . ." thread. ;>
>>
>> http://www.darkreading.com/document.asp?doc_id=140121&f_src=drweekly
>
> George, since when does "stirring the pot" consist of kicking a tiger
> in the b*lls?? Because that was my immediate reaction on reading
> that article!!! I started prowling my cage looking for something to
> chomp!
>
> "Next Generation firewalls"? Gosh, oh, golly - it sounds like what
> they're calling "Next Generation firewalls" are kinda sorta like
> "what firewalls were supposed to do all along."
>
> I notice that Nir Zuk is a primary source for this article, as well.
> It sounds like some P.R. agency has done a good job pimping*
> a certain start-up that is getting ready to "ramp"** a product. :)
> I have no idea if the product is any good or not but using a
> network processor to do layer-7 stuff is not exactly rocket
> science!
>
> I think Kelly Higgins is interviewing me next week. I'll make sure to
> drag this article up as a topic. :)
>
> mjr.
> --
> * not a marketing buzz word
> ** a token marketing buzzword
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>

- --
William M. Fitzgerald,
PhD Student,
Telecommunications Software & Systems Group,
ArcLabs Research and Innovation Centre,
Waterford Institute of Technology,
WIT West Campus,
Carriganore,
Waterford.
Office Ph: +353 51 302937
Mobile Ph: +353 87 9527083
Web: www.williamfitzgerald.org

www.linkedin.com/in/williamfitzgerald

www.ryze.com/go/wfitzgerald

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHUBT9Icwlebz1MmwRAr4SAJ0b9I0PTYQ/gQUW9pue8+SezkDV+wCfekuB
1n7AJoIpUziEBBi8JJVqveY=
=N3rp
-----END PGP SIGNATURE-----


------------------------------

Message: 4
Date: Sat, 1 Dec 2007 03:54:57 +0300
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] Dark Reading: Firewalls Ready for Evolutionary
Shift
To: firewall-wizards@listserv.cybertrust.com
Message-ID: <20071201005457.GA22575@eltex.net>
Content-Type: text/plain; charset=koi8-r

I was pushed several years ago into implementing the
"universal heuristic proxy" in openfwtk - like something that
gets diverted socket (from packet filter or socks)
and starts proper application proxy
justifying which one to run using port number and protocol
pattern heuristics. I felt it is not a good idea - cannot
really figure out why, but i just felt that way, so i stick
with default port number binding as usual. Maybe i am wrong.
Seems that others bumped into same idea, no surprise as it
is pretty obvious. Must be almost the only way to handle p2p
properly if you need it for some reason.

------------------------------

Message: 5
Date: Fri, 30 Nov 2007 18:47:04 -0500
From: <lordchariot@embarqmail.com>
Subject: Re: [fw-wiz] First there was Personal Firewall Day...
To: <dave@corecom.com>, "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <8F0975105D874141984B36FEF211CA8E@lordchariot.com>
Content-Type: text/plain; charset="us-ascii"

Here's the ASCII banner for our emails.

+----+
--|-->X|
+----+
Disable your
DEFAULT OUTBOUND POLICY
day.

Now who's going to register and host the domain 'IdiotFirewallAdmins.org'?

> -----Original Message-----
> From: firewall-wizards-bounces@listserv.icsalabs.com
> [mailto:firewall-wizards-bounces@listserv.icsalabs.com] On
> Behalf Of Dave Piscitello
> Sent: Friday, November 30, 2007 4:52 PM
> To: Firewall Wizards Security Mailing List
> Subject: [fw-wiz] First there was Personal Firewall Day...
>
> Wouldn't it be nice to try to sponsor
>
> "Disable your DEFAULT ANY OUTBOUND policy" Day?
>
> Would it be that hard to generate buzz about this?
>
>

------------------------------

Message: 6
Date: Sat, 1 Dec 2007 10:20:05 -0500 (EST)
From: jseymour@linxnet.com (Jim Seymour)
Subject: Re: [fw-wiz] Dark Reading: Firewalls Ready for Evolutionary
Shift
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <20071201152005.82853E158@jimsun.linxnet.com>


"Paul Melson" <pmelson@gmail.com> wrote:
>
[snip]
>
> Additionally, if you have this problem:
>
> Then the user mistakenly checks a box that allows eMule to share its hard
> drive. "That's very easy to do. Some eMule clients have that as a default,"
> he says. "Now your user's entire computer has opened up your network to
> share with the Internet. Anyone can execute a search and find files on your
> network."
>
> Buying a new firewall will not save you.

That all depends on how you define "save." If we're not talking
laptops [1]; you don't regard random, uncontrolled sharing w/in your
"secure" LAN a problem [2]; and the new firewall stops such things, by
default, from getting outside your "secure" LAN [3], it will indeed
"save" you.

[1] Which opens up a whole new can of worms, discussed here in
the past
[2] Where I work it's disallowed, btw.
[3] Ours do

> Taking away local admin rights
> from your users, however, is a good start. And there's nothing to buy.
[snip]

Sometimes, for whatever reason, that's not possible. And as anybody
who's ever herded cats can tell you: Getting engineering departments to
behave is a non-trivial exercise. Nonetheless: We do that where we
can.

So we do both. I've always called it "defense in depth."

I also train my users [4] and we "prohibit" traditionally "unsafe"
applications [5], such as IM clients, MS OutLook and MS Explorer.

[4] Contrary to what most here seem to have experienced, I've found
end-user training to be relatively effective.
[5] Why in Fluffy's name *anybody* allows ActiveTrojan and
executable attachments through their corporate firewalls is,
and always has been, completely beyond me.

Allow me to present an example of the possible effectiveness of that
last bit. Several years ago, not long after WinXP was shipping, by
default, I reluctantly gave in to my wife's wishes and bought her an MS
Windows box for Christmas. The first thing I did, upon installation,
was:

. Remove MS Outlook Express from the desktop and menu
. Remove MSN Messenger from the desktop and menu
. Turn off *all* "active" anything in MS Internet Explorer
. Used MS IE to go to mozilla.org, download and install Mozilla
. Remove MS IE from the desktop and menu
. Download and install Pegasus Mail
. "De-installed" file and printer sharing
. Configure the appropriate inbound and outbound deny rules
into the router
. Add the necessary content checks to the mailserver

Then I instructed her on (relatively) safe 'net behaviour. *Then* she
got to start playing with her Christmas present :).

At some point I installed Spybot S&D and showed her how to use and
update it.

That computer was used on the 'net regularly for a number of years
before one of her correspondents insisted my wife was sending her
infected JPEGs. I finally installed AV on it. It came up clean. To
make sure, I ran three other AV programs against the entire disk from a
TRK CD. Clean as a whistle.

It wasn't a firewall that saved her PC. (Tho perhaps my router rules
helped. And the email gateway undoubtedly helped.) It wasn't AV
software. (She had none until recently.) It was informed, responsible
behaviour and not using risky applications.

Yes, what works in one, isolated, one-on-one case, with an intelligent,
well-informed user who *can* exercise disipline, does not necessarily
an Effective Corporate Exercise make. But, as I said: I've done much
the same at work, and it's helped there, too. So far ;).

Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/contact/scform.php>.


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 20, Issue 1
***********************************************

No comments:

Post a Comment