
Tuesday, December 25, 2007

firewall-wizards Digest, Vol 20, Issue 10

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Anyone have any informed opinions on the watchguard product
line? (AMuse)
2. Re: Eggs in one basket (VPN in Firewall, UTM) (Boozy Walker)
3. PIX access-list help (Brian Blater)
4. Re: Anyone have any informed opinions on the watchguard
product line? (Paul D. Robertson)


----------------------------------------------------------------------

Message: 1
Date: Tue, 18 Dec 2007 12:47:47 -0800
From: AMuse <amuse@foofus.com>
Subject: [fw-wiz] Anyone have any informed opinions on the watchguard
product line?
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <476831F3.5050403@foofus.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed


Hi all! A friend of mine asked if I would recommend the Watchguard
products for their small business.

I checked the product literature
(http://www.watchguard.com/products/x550e.asp) and found what I consider
to be dubious claims ("True zero day protection"? Really?) but that's
pretty standard for security vendors' marketdroids.

Does anyone have an informed opinion on whether these products are any
good, that I can pass along to my friend?


------------------------------

Message: 2
Date: Wed, 19 Dec 2007 15:18:24 +0000
From: Boozy Walker <boozywalker@dsl.pipex.com>
Subject: Re: [fw-wiz] Eggs in one basket (VPN in Firewall, UTM)
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <47693640.7010306@dsl.pipex.com>
Content-Type: text/plain; charset="iso-8859-1"

Hi Bill,

It all depends on how much VPN traffic you have I suppose. If you are
pushing huge amounts of encrypted traffic between sites then yes, a
dedicated VPN device would make sense but if you are only talking a few
connected sites and what I would class as "normal" amounts of encrypted
traffic then utilising your firewall's VPN functionality would be ok.

Most firewalls these days have VPN capabilities but I wouldn't class them as
UTMs - UTMs tend to be the "cheaper" (or cost efficient) boxes that do
Anti-Spam, Malware, AV, Content checking and so on. I've never been a fan
of these as they tend to promise much yet in reality deliver little (e.g.
limited functionality or degraded performance when you enable all of the
features).

IMHO, I would prefer to have distributed services that are designed to do
the job you want. I have been using StoneGate fw/vpn appliances (from
Stonesoft) for a couple of years now and to be honest I couldn't think of
using anything else. They allow me to have multiple ISP connections (all
used at the same time) to load balance traffic and even load balanced vpn
connections between all my sites which obviously helps with performance and
resilience. For my mobile users they now have an SSL product (separate box
but I prefer this) which allows me to provide client-less access from any
platform. The nice thing about this setup though is although the fw/vpn and
ssl boxes are physically separate, the management, logs and reporting tool
is centralised so I can manage everything from one place (which I suppose
could be classed as UTM...???)

As for controlling access (partners and vendors), I use the SSL device as
this lets me publish applications based upon the authenticating user. That
way they only get access to what I allow them to see.

Rgds

Brian Walker

Bill Stout-2 wrote:

> >
> > Hello all,
> >
> > I'm evaluating an existing VPN infrastructure, and am looking at
> > replacement options that can support IPSEC and SSL.
> >
> > Currently VPN appliances are used for site-site and remote access. One of
> > the options is to make use of the VPN capabilities of existing (SYN/ACK
> > semantic type) firewalls.
> >
> > What is the current opinion of adding more services to a firewall vs.
> > deploying standalone VPN appliances?
> >
> > Also, what is the current best practice as far as controlling who can get
> > to what via the VPN? (e.g. contractors, vendors)
> >
> > Thanks,
> >
> > Bill Stout
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards@listserv.icsalabs.com
> > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> >
> >
>
-- View this message in context:

http://www.nabble.com/Eggs-in-one-basket-%28VPN-in-Firewall%2C-UTM%29-tp13982292p14418500.html

Sent from the Firewall Wizards mailing list archive at Nabble.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20071219/6b6e91d5/attachment-0001.html


------------------------------

Message: 3
Date: Fri, 21 Dec 2007 11:02:13 -0500
From: "Brian Blater" <brb.lists@gmail.com>
Subject: [fw-wiz] PIX access-list help
To: "FW Wiz" <firewall-wizards@listserv.icsalabs.com>
Message-ID:
<7743536a0712210802j768b89cch327f69161df8a8cf@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

I'm a little befuddled with PIX access lists and need some help and
understanding. I have a PIX 515 version 6.3(3) with 3 interfaces -
outside, inside, dmz. Up until now I have only been using the outside
and inside interface. I have started configuring the dmz interface and
have set it at security level 50 (outside = 0, inside = 100). I currently
have only an access-list on the outside interface allowing some
specific traffic in to the inside network. Right now the inside and
dmz can talk to the internet just fine and the inside can talk to the
dmz network fine. However, I want to implement an access-list on the
dmz interface and this is where the problems start. If I assign an
access list to the dmz port to allow smtp from a dmz host to the
inside mail server I no longer have communication to the internet from
the dmz and the inside cannot talk to the dmz because of the implicit
deny of the access list.

So, my main question, is there an access list command I can have that
basically says "allow all communication from the dmz to the internet"
and one that says "allow communication from the inside to the dmz"? I
know I can add "access-list dmz permit ip host 192.168.1.1 any" and
that solves the problem of getting to the internet, but then it opens
all communication to the inside from this host and I don't want to do
that. Since this is version 6.3(3) I can't use an out access-list
which I think might solve the problem. I have enough memory to run
version 7.x on this PIX, but I'm trying to tackle one problem at a
time and I'm a little hesitant about doing the 7.x upgrade just yet.

I have more questions, but I think I'll start here for now and ask the
other questions when they are more relevant.

Thanks for your help,
Brian
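The problem Brian describes above comes down to first-match evaluation plus the implicit deny at the end of every PIX access list: a single "permit ip host 192.168.1.1 any" matches traffic to the inside just as readily as traffic to the Internet, so the usual approach on 6.x (where there is no "out" direction) is to deny the inside network explicitly before the broad permit. The following is an added example, not code from the original post or from Cisco: a small Python model of PIX 6.x-style access-list evaluation that parses the relevant subset of the "access-list NAME permit|deny PROTO SRC DST [eq PORT]" syntax and runs constructed packets through two candidate lists. The inside network (10.1.0.0/16), the inside mail server (10.1.0.25) and the Internet host (203.0.113.10) are assumptions chosen for illustration; only 192.168.1.1 comes from the post. The model covers the ACL alone, not the PIX connection table, nat/static translations, or anything 7.x adds.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0


def _parse_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)                      # PIX uses a subnet mask, not a wildcard mask
    return ipaddress.ip_network(f"{t}/{mask}", strict=False)


PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}   # the few names the example needs


def parse_ace(line):
    """Parse one 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' line.
    Only the subset of PIX 6.x syntax used below is handled."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    name, action, proto = tokens[1], tokens[2], tokens[3]
    rest = tokens[4:]
    src = _parse_addr(rest)
    dst = _parse_addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "port": port}


def matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace["src"]:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace["dst"]:
        return False
    if ace["port"] is not None and ace["port"] != pkt.dport:
        return False
    return True


def evaluate(acl_text, pkt):
    """First-match evaluation; falls through to the implicit 'deny ip any any'."""
    for line in acl_text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace["action"]
    return "deny"          # implicit deny at the end of every PIX access-list


# Constructed example lists. Inside net 10.1.0.0/16 and mail server 10.1.0.25 are assumptions.
NAIVE_ACL = """
access-list dmz permit tcp host 192.168.1.1 host 10.1.0.25 eq smtp
access-list dmz permit ip host 192.168.1.1 any
"""

# Deny the inside network before the broad permit; order is what makes this work.
FIXED_ACL = """
access-list dmz permit tcp host 192.168.1.1 host 10.1.0.25 eq smtp
access-list dmz deny ip any 10.1.0.0 255.255.0.0
access-list dmz permit ip any any
"""

# Constructed test packets as seen entering the dmz interface.
PACKETS = {
    "smtp_to_mail":   Packet("tcp", "192.168.1.1", "10.1.0.25", 25),
    "web_to_internet": Packet("tcp", "192.168.1.1", "203.0.113.10", 80),
    "probe_inside":   Packet("tcp", "192.168.1.1", "10.1.0.50", 445),
    "other_host_web": Packet("tcp", "192.168.1.2", "203.0.113.10", 80),
}


def run_demo():
    """Return {acl_name: {packet_name: action}} for both candidate lists."""
    return {name: {pn: evaluate(acl, pkt) for pn, pkt in PACKETS.items()}
            for name, acl in (("naive", NAIVE_ACL), ("fixed", FIXED_ACL))}


if __name__ == "__main__":
    for acl_name, results in run_demo().items():
        print(acl_name)
        for pn, action in results.items():
            print(f"  {pn:16} {action}")
```

The naive list lets 192.168.1.1 reach any inside host (the "probe_inside" packet is permitted) and still leaves other DMZ hosts without Internet access; the fixed list keeps SMTP to the mail server, blocks everything else toward 10.1.0.0/16, and then permits the rest of the DMZ out. Remember to bind the list with "access-group dmz in interface dmz", and that inside-initiated connections to the DMZ are handled by the connection table and the interface security levels rather than by this list.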


------------------------------

Message: 4
Date: Mon, 24 Dec 2007 11:57:16 -0500 (EST)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] Anyone have any informed opinions on the
watchguard product line?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0712241154460.23721-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Tue, 18 Dec 2007, AMuse wrote:

> Does anyone have an informed opinion on whether these products are any
> good, that I can pass along to my friend?

They work well enough, VPN setup is a little weird if you're doing
site-to-site (at least I ended up dropping back and punting to OpenVPN at
one customer.)

The nice thing is that the HTTP proxy does MIME type filtering, which
stops a lot of junk if you don't open it up wide.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

http://www.fluiditgroup.com/blog/pdr/

Art: http://PaulDRobertson.imagekind.com/

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 20, Issue 10
************************************************
