Monday, December 29, 2008

firewall-wizards Digest, Vol 32, Issue 11

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: accessing SMTP server via the translated address
(Kevin Horvath)
2. LayerOne 2009 - Call For Papers (LayerOne Call For Papers)
3. Re: accessing SMTP server via the translated address
(Lucas Thompson)
4. Re: Windows dynamic ARP (Christoph Mayer)


----------------------------------------------------------------------

Message: 1
Date: Fri, 19 Dec 2008 10:19:24 -0500
From: "Kevin Horvath" <kevin.horvath@gmail.com>
Subject: Re: [fw-wiz] accessing SMTP server via the translated address
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<5c41be6e0812190719q5bda200fld77dd96829dadfce@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

Look into DNS doctoring with the static command and dns keyword.
Since, from what I understand, you are trying to access an internal IP
by its public DNS name then you will have to do this or split your DNS
(one for internal resolution and one for external). In the previous
trains of code this was done with the alias command. Hope this helps.

Kevin

On Fri, Dec 12, 2008 at 9:14 PM, Chris Myers <clmmacunix@charter.net> wrote:
> You cannot do it conventionally. The firewall sees it as a spoofed address.
> You cannot go out to the internet and back in the same interface for a
> stateful connection. The state table sees the packet out of state. Why do
> you want to go to the outside address, since you are on the same subnet? You
> should be accessing this from L2. I also would get your SMTP server to a DMZ
> and off your inside, as this is insecure. You are leaving your whole inside
> network open to attack if the SMTP server is compromised. You could get a
> proxy on the outside to point to your SMTP server for SMTP traffic. That way
> a state can be created with a SYN from the proxy to your SMTP IP. Another
> is same-security-traffic permit {inter-interface | intra-interface} using
> the intra-interface, but this renders the spoofing useless and with the
> possibility of a compromise, now the possibility of the attacker spoofing
> your subnet for everything on the network he/she attacks. A log nightmare
> and hard to determine what is legitimate traffic vs. malicious. It is new
> and I have not used it a lot, since I do not have those configurations in
> front of me I cannot say conclusively this will work.
>
> Thank You,
> Chris Myers
> clmmacunix@charter.net
> John 1:17
> For the Law was given through Moses; grace and truth were realized through
> Jesus Christ.
>
> Go Vols!!!!
> On Dec 12, 2008, at 3:17 AM, Rudy Setiawan wrote:
>
> Hi,
>
> we have a firewall, both outside and inside interfaces.
> We have a SMTP server that lives in the inside network
> and it's translated to a public IP on the outside interface.
> SMTP inside IP: 10.10.1.2
> Translated IP: 216.15.4.4
> in the pix (version 7.2.3)
> static (inside,outside) 216.15.4.4 10.10.1.2 netmask 255.255.255.255
>
> I have a workstation with IP 10.10.1.4 which has a translated IP of
> 216.15.4.6
>
> From my workstation I tried to access 216.15.4.4 port 25 or ping
> 216.15.4.4. I got request timed out.
>
> I have access-list that allows icmp as well as port 25 on the 216.15.4.4 IP.
> I am able to access port 25 and ping the IP from anywhere in the world.
>
> How can I permit such traffic?
>
> Thanks,
> Rudy
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>


------------------------------

Message: 2
Date: Fri, 19 Dec 2008 15:50:56 -0800
From: "LayerOne Call For Papers" <layeronecfp@gmail.com>
Subject: [fw-wiz] LayerOne 2009 - Call For Papers
To: "Layer One" <layeronecfp@gmail.com>
Message-ID:
<956f3b8e0812191550t2fbf4b66td6477a673c5f7c55@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

LayerOne 2009 Security Conference
Call for Papers
May 23 & 24, 2009
Anaheim, California (Anaheim Marriott)
http://layerone.info/

The sixth annual LayerOne security conference is now accepting submissions
for topic and speaker selection. As always, we are interested in seeing a broad
range of pertinent topics, and encourage all submissions. Some of our past
presentations have included:

- Virtualization
- Forensics / Anti-Forensics Techniques
- Hardware Hacking (GSM, Proximity Cards, Access Control Systems)
- Law / Legal Issues
- Malware
- VoIP
- Cryptographic Cracking Using FPGA Technology

We would love to see the same breadth and depth of submissions as we have in
previous years, so if you have an idea you're on the fence about - please
send it in! For a complete list of past presentations, click here
<http://layerone.info/?page_id=3>.

Please be sure to include the following information in your submission:

- Presentation name
- A one-sentence synopsis of your topic
- A longer one to three paragraph synopsis or short outline of what you plan
on covering
- Names, email addresses and URLs of the presenter(s)
- A short (single-paragraph) biography of the presenter(s)

Once everything is ready to go, please email your submission to cfp [at]
layerone [dot] info no later than April 1, 2009. You will receive notice no
later than April 15, 2008 to let you know if your talk has been accepted.

As we have a single presentation track, please bear in mind that speaking
slots are limited to one hour. While presenters typically divide the hour
into separate presentation and Q&A sessions, you may structure your time
however you see fit. If you think your presentation will run longer, or have
any special requirements, please include this information in your submission
and we will do our best to accommodate you.

Note: If the presentation is based upon code or a particular technique, the
presenter must be one of the developers of the code or technique and be
prepared to perform a demonstration.

We look forward to reviewing your submissions, and anticipate another great
line-up for this year's conference. Once again, if you have any questions
about your submission, please email cfp [at] layerone [dot] info. Thank you
for your interest, and we look forward to seeing you there!

Sincerely,
-The LayerOne Team

------------------------------

Message: 3
Date: Fri, 19 Dec 2008 10:35:25 -0800
From: "Lucas Thompson" <lucas.thompson@gmail.com>
Subject: Re: [fw-wiz] accessing SMTP server via the translated address
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<ee7ec9e70812191035s5e18db54i48ffa5badc66568d@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

I don't think this is necessarily the case. Some devices support this
kind of configuration and others do not. Cisco seems to have a
specific term for it -- 'hairpinning', and it is apparently supported
in later versions of PIX. I don't know enough about PIX specifically,
but if you google this term you'll find discussions on the subject.
Then you don't have to worry about splitting the DNS.


On Fri, Dec 12, 2008 at 6:14 PM, Chris Myers <clmmacunix@charter.net> wrote:
> You cannot do it conventionally. The firewall sees it as a spoofed address.
> You cannot go out to the internet and back in the same interface for a
<snip..>


------------------------------

Message: 4
Date: Thu, 25 Dec 2008 19:34:36 +0100
From: Christoph Mayer <mayer@tm.uka.de>
Subject: Re: [fw-wiz] Windows dynamic ARP
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <4953D23C.3050100@tm.uka.de>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed

On Thu, Dec 4, 2008 at 12:08 PM, James <jimbob.coffey at gmail.com> wrote:
> On Thu, Nov 27, 2008 at 3:51 AM, Mike O'Connor <mjo at dojo.mi.org> wrote:
>> :Does anyone know a way to turn OFF dynamic ARP on Windows? I'd like to
>> :set up a network where static ARP entries are the only way to
>> :communicate.
>
> More IDS than IPS but Xarp will at least report any changes.
> If you control the environment you could static map any unused ip
> space on each host and then use the Xarp Static preserve filter but a
> pretty horrible kludge when all you want is a layer 2 packet filter to
> prevent an arp request or reply leaving your hosts.

> Actually an easier way would be to use the requestedresponse filter in
> Xarp. This only allows a response if your host generated a request.
> If you are static mapping ip to mac you should never generate a
> request.


Unfortunately XArp can't really 'filter' (drop) the packets, but alert
you. I am currently working on a Linux port where writing a network
driver for filtering is easier than on Windows. Still, XArp is the best
solution as firewalls seldom do ARP filtering and those that do perform
ARP filtering have very primitive filters.

If you want to get an overview of mechanisms available for ARP attack
detection, you can have a look at a (yet incomplete) presentation I once
started: http://www.chrismc.de/development/xarp/arp_security_tools.html
(http://www.chrismc.de/development/xarp/Securing_ARP_0_2_0.pdf)

Best regards,
Chris
--
Dipl.-Inform. Christoph P. Mayer
Institute of Telematics, University of Karlsruhe (TH)
Zirkel 2, 76128 Karlsruhe, Germany
Phone: +49 721 608 6415, Email: mayer@tm.uka.de
Web: http://www.tm.uka.de/~mayer/

------------------------------



End of firewall-wizards Digest, Vol 32, Issue 11
************************************************
