
Wednesday, December 05, 2007

firewall-wizards Digest, Vol 20, Issue 2

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Question on Cisco ASA's... do all the features slow it down?
(John G.)
2. Cisco Pix 515e ERROR: % Invalid input detected at '^' marker
(Jesse DeGarmo)
3. Re: Firewall Administration Survey (jdgorin@computer.org)
4. Rule authentication in PIX (Alejandro Ezequiel Fernández Preda)
5. Re: First there was Personal Firewall Day... (Matthew Hannigan)
6. Re: Dark Reading: Firewalls Ready for Evolutionary Shift
(Thomas Ptacek)


----------------------------------------------------------------------

Message: 1
Date: Tue, 4 Dec 2007 12:06:50 -0800
From: "John G." <isaac737@gmail.com>
Subject: [fw-wiz] Question on Cisco ASA's... do all the features slow
it down?
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<363532d30712041206s5b09f552xef5110ee0b80f8f9@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

hello list,

we are currently running Cisco PIX 515E's with 128 Megs of RAM. the problem
is their CPUs are getting up to high 80% usage. gone through a bunch of
troubleshooting things and i think it is just time to upgrade.

my question is do the IDS/IPS features of the ASA make it kinda slow? i
would hate to have us upgrade to these devices just to find us in the same
spot. what do people think of the ASA's as compared to the vaunted PIX?

we were thinking of getting this model: Cisco ASA5510-SEC-BUN-K9

thanks much,
jg


------------------------------

Message: 2
Date: Sun, 02 Dec 2007 21:51:36 -0600
From: Jesse DeGarmo <jdegarmo@kshs.org>
Subject: [fw-wiz] Cisco Pix 515e ERROR: % Invalid input detected at
'^' marker
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <47537D48.9050608@kshs.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

I have a Cisco Pix 515e that when we upgraded the software from 6.3 to
7.0 we are getting (ERROR: % Invalid input detected at '^' marker) any
time we try and enter a command to add a new rule for an access list or
change the asdm image file. Any suggestions would be helpful.

pix515e#access-list external_access extended permit tcp any host
165.201.138.6 eq smtp

access-list external_access extended permit tcp any host 165.201.138.6
eq smtp
^
ERROR: % Invalid input detected at '^' marker.


pix515e#asdm image flash:/asdm-523.bin

asdm image flash:/asdm-523.bin
^
ERROR: % Invalid input detected at '^' marker

--
Jesse G. DeGarmo
System Administrator
Kansas State Historical Society
6425 SW 6th Avenue
Topeka, KS 66615-1099
785-272-8681 x 242
785-272-8682 fax
jdegarmo@kshs.org
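A point an administrator would check first (added note and config fragment, not part of the original post): the prompt in the transcript is `pix515e#`, the privileged EXEC prompt, and in PIX/ASA 7.x both `access-list` and `asdm image` are global configuration commands, which the parser rejects with "Invalid input" when typed outside configuration mode. Assuming that is what happened here, the same two commands entered from configuration mode:

```text
pix515e# configure terminal
pix515e(config)# access-list external_access extended permit tcp any host 165.201.138.6 eq smtp
pix515e(config)# asdm image flash:/asdm-523.bin
pix515e(config)# write memory
```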

------------------------------

Message: 3
Date: Mon, 03 Dec 2007 13:19:54 +0100
From: jdgorin@computer.org
Subject: Re: [fw-wiz] Firewall Administration Survey
To: firewall-wizards@listserv.cybertrust.com
Cc: mchapple@nd.edu
Message-ID: <1196684394.4753f46aaa991@imp.free.fr>
Content-Type: text/plain; charset=ISO-8859-1

Hi Mike,

That kind of survey was done by Avishai Wool between 2000 and 2001 and published
in Computer June 2004 [1]. But it was only about CheckPoint FW-1 rules. The
results showed that ruleset complexity, default implicit rules and
configuration, and specific rules for the firewall administration were the most
common sources of error.

I fear that the situation is not getting better today...

To connect this message to the other rolling threads: consequences of rule
configuration error in a packet filter (stateful or not) can be more dreadful
than configuration error in a proxy.
i.e.: to open access to a network vs to open access to a protocol and a small group
of hosts.


[1]
http://ieeexplore.ieee.org/search/srchabstract.jsp?arnumber=1306389&isnumber=28995&punumber=2&k2dockey=1306389@ieeejrns


JDG
"Reality is that which, when you stop believing in it, doesn't go away."
Philip K. Dick

________________________________
From: firewall-wizards-bounces@listserv.cybertrust.com
[mailto:firewall-wizards-bounces@listserv.cybertrust.com] On Behalf Of Mike
Chapple
Sent: Tuesday, November 27, 2007 7:06 PM
To: firewall-wizards@listserv.cybertrust.com
Subject: [fw-wiz] Firewall Administration Survey

Dear Colleague,

Would you please consider taking a few minutes to participate in a survey of
firewall administration practices?

We are conducting this survey as part of an academic research project designed
to analyze the frequency of firewall configuration errors and identify potential
causes for those errors. The results will contribute to a research paper we are
submitting for publication in a peer-reviewed academic forum. We will maintain
strict anonymity of any data you provide during the survey.

The survey is available at:

http://www.nd.edu/~mchapple/survey/

The target audience for the survey is anyone involved in the administration of a
firewall rulebase in a production environment. If you know of others that may
be suitable participants, please forward this invitation along to them.

At the conclusion of the research study, we will be happy to share the results
with any interested participants.

Thank you in advance for your time.
Mike Chapple


------------------------------

Message: 4
Date: Mon, 3 Dec 2007 12:34:34 -0300
From: Alejandro Ezequiel Fernández Preda <quequiel@ciudad.com.ar>
Subject: [fw-wiz] Rule authentication in PIX
To: <firewall-wizards@listserv.icsalabs.com>
Message-ID: <0d9301c835c2$01f99300$0d0aa8c0@Cecilia>
Content-Type: text/plain; charset="iso-8859-1"

Hi everyone,

I was asked to implement an authentication rule for RDP on a Cisco PIX. Customers should https / ssh / telnet to the firewall first for authentication and then connect to the RDP server behind it with the standard RDP Client.
I've searched through Cisco and it seems Cut-Through Authentication proxy could do it but I'm not sure if it only applies for the known protocols or for any protocol. Has anyone implemented this type of authentication? Any tips/examples/links would be very helpful.


Regards,

Alejandro Fernández


------------------------------

Message: 5
Date: Mon, 3 Dec 2007 08:22:41 +1100
From: Matthew Hannigan <mlh@zip.com.au>
Subject: Re: [fw-wiz] First there was Personal Firewall Day...
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Cc: dave@corecom.com
Message-ID: <20071202212241.GB13796@localhost.localdomain>
Content-Type: text/plain; charset=us-ascii

On Fri, Nov 30, 2007 at 06:47:04PM -0500, lordchariot@embarqmail.com wrote:
> Here's the ASCII banner for our emails.
>
> +----+
> --|-->X|
> +----+
> Disable your
> DEFAULT OUTBOUND POLICY
> day.
>
> Now who's going to register and host the domain 'IdiotFirewallAdmins.org'?
>

This lacks brevity and clarity as a slogan.

1. For a start, people don't HAVE a default outbound policy,
they merely completely _lack_ a policy (to their understanding)
2. An outbound policy might be there and be a deny by default!
3. There are too many negatives and conditionals: disable, deny, default,..

Anyone who can understand the phrase probably
has a default deny already.

How about ..

Stop network leaks day!

or
The enemy could be inside already!
Don't let them escape.

Anyone got some more?


------------------------------

Message: 6
Date: Tue, 4 Dec 2007 15:12:14 -0600
From: "Thomas Ptacek" <tqbf@matasano.com>
Subject: Re: [fw-wiz] Dark Reading: Firewalls Ready for Evolutionary
Shift
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<1df0a410712041312y174aacb0w7d696d018e2828d1@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On 11/29/07, Marcus J. Ranum <mjr@ranum.com> wrote:
> I have no idea if the product is any good or not but using a
> network processor to do layer-7 stuff is not exactly rocket
> science!

No comment on the rest of this message, but as someone who has had the
unique, uh, "privilege" of writing significant code on an NPU (the
IXP2400), I find this particular assertion amusing. In pure CS terms,
"doing layer 7 stuff" comes pretty close to rocket science. Read
Varghese, and remember that without actual algorithms, you crash into
the speed of SRAM. Even on a fancy multicore whizz-bang NPU.

I will do you the favor of "truing up" your quip:

"I have no idea if the product is any good or not, but using an FPGA
regexer to do simple string matches at layer-7 is not exactly rocket
science!"

Too true, too true.

--
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log
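The "actual algorithms" point above, as an added example (not code from the digest, from Matasano, or from Varghese): signature matching is the layer-7 job this thread keeps coming back to, and the difference between rescanning the payload once per signature and running one Aho-Corasick pass is the difference between memory touches that grow with the signature count and touches bounded by twice the payload length. The signature list and the HTTP request are constructed sample data.

```python
from collections import deque
# Constructed sample data, not a real signature set or packet capture.
SIGNATURES = [b"cmd.exe", b"/etc/passwd", b"passwd", b"<script>"]
PAYLOAD = b"GET /cgi-bin/x?f=/etc/passwd HTTP/1.0\r\nUser-Agent: cmd.exe\r\n\r\n"

def build_automaton(patterns):
    """Aho-Corasick: trie (goto), failure links and per-state output sets."""
    goto, out = [{}], [set()]
    for pat in patterns:
        s = 0
        for b in pat:
            if b not in goto[s]:
                goto[s][b] = len(goto)
                goto.append({}); out.append(set())
            s = goto[s][b]
        out[s].add(pat)
    fail = [0] * len(goto)
    queue = deque(goto[0].values())  # depth-1 states fail to the root
    while queue:
        r = queue.popleft()
        for b, s in goto[r].items():
            f = fail[r]
            while f and b not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(b, 0)
            out[s] |= out[fail[s]]  # a suffix may complete a shorter pattern
            queue.append(s)
    return goto, fail, out
def ac_scan(automaton, payload):
    """One pass; returns (pattern, end_offset) hits and table lookups (about one SRAM access each)."""
    goto, fail, out = automaton
    s, hits, lookups = 0, [], 0
    for pos, b in enumerate(payload):
        while s and b not in goto[s]:
            s, lookups = fail[s], lookups + 1
        s, lookups = goto[s].get(b, 0), lookups + 1
        hits.extend((pat, pos) for pat in out[s])
    return sorted(hits, key=lambda h: (h[1], h[0])), lookups
def naive_scan(patterns, payload):
    """Rescan the whole payload once per signature; cost is byte compares."""
    hits, compares = [], 0
    for pat in patterns:
        for i in range(len(payload) - len(pat) + 1):
            j = 0
            while j < len(pat) and payload[i + j] == pat[j]:
                j += 1
            compares += min(j + 1, len(pat))
            if j == len(pat):
                hits.append((pat, i + len(pat) - 1))
    return sorted(hits, key=lambda h: (h[1], h[0])), compares
```

Both scanners report the same hits; the overlapping `passwd` inside `/etc/passwd` is found by the automaton only because the failure link's outputs are merged into the longer pattern's state.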


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 20, Issue 2
***********************************************
