Thursday, January 15, 2009

firewall-wizards Digest, Vol 33, Issue 2

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Multiple Outside IPs on Cisco PIX 6.3.3 (Josiah Bryan)
2. Residential Gateway vulnerabilities (Ken Fox)
3. Re: Windows dynamic ARP (Christoph Mayer)
4. PIX515 failover (Meindert Uitman)
5. Cisco ASA firewall: SQLnet inspection: buffer limit
(Haim [Howard] Roman)
6. Re: Cisco ASA firewall: SQLnet inspection: buffer limit
(Chuck Swiger)
7. Re: Cisco ASA firewall: SQLnet inspection: buffer limit
(Chris Myers)


----------------------------------------------------------------------

Message: 1
Date: Tue, 13 Jan 2009 12:01:17 -0500
From: Josiah Bryan <jbryan@productiveconcepts.com>
Subject: [fw-wiz] Multiple Outside IPs on Cisco PIX 6.3.3
To: firewall-wizards@listserv.cybertrust.com
Message-ID: <496CC8DD.1080105@productiveconcepts.com>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"

Rather new to the advanced pix configs - I've been doing basic pix
config/maint for the past 3 years.

I've got 13 public IPs that are coming in through a cable modem to my PIX.
The first IP is routing correctly, but I can't seem to figure out how to
get the PIX to accept any of the other IPs that I've bought.

Now, I'm used to the Linux (Red Hat background) method of adding an alias
to an interface, e.g.:
ifconfig eth0:0 1.2.3.4
ifconfig eth0:1 5.6.7.8
.. and so on and so forth.

Basically, is an equivalent operation possible with the PIX? (Running
PIX ver 6.3(3))

(Of course, I'd like to be able to do static translation based on
incoming IP, but I think I've got that line covered: "static
(inside,outside) tcp 1.2.3.4 smtp 10.0.1.51 smtp netmask 255.255.255.255
0 0").

How do I add multiple "aliases" (for lack of a better term) to the outside
interface?

Thanks in advance for your patience and advice.

Regards,
Josiah Bryan

--
Josiah Bryan
IT Manager
Productive Concepts, Inc.
jbryan@productiveconcepts.com
(765) 964-6009, ext. 224
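
An added configuration example (not a reply from the thread) of how PIX 6.3 handles extra public addresses: there is no ifconfig-style alias on the PIX. The firewall answers ARP on the outside segment (proxy ARP) for any global address that appears in a static or global statement, so a public address becomes usable the moment a translation references it. The addresses, inside hosts and access-list name below are assumptions for illustration; lines starting with a colon are comments.

```cisco
: PIX 6.3: no interface aliases. A static (or global) entry is what makes
: the firewall claim a public address and answer ARP for it.
: Assumed addressing: 1.2.3.4 and 1.2.3.5 lie in the outside interface's
: subnet; inside hosts are 10.0.1.51 (mail) and 10.0.1.52 (web).

: Port-level static: only SMTP on 1.2.3.4 maps to the mail host
static (inside,outside) tcp 1.2.3.4 smtp 10.0.1.51 smtp netmask 255.255.255.255 0 0

: One-to-one static: every port of 1.2.3.5 maps to the web host
static (inside,outside) 1.2.3.5 10.0.1.52 netmask 255.255.255.255 0 0

: A static creates the translation but admits nothing by itself;
: the access list bound to the outside interface decides what gets in
access-list outside_in permit tcp any host 1.2.3.4 eq smtp
access-list outside_in permit tcp any host 1.2.3.5 eq www
access-group outside_in in interface outside

: Statics take effect for new connections only after the xlate table is cleared
clear xlate
show xlate
```

Two caveats a practitioner would check: proxy ARP only helps when the extra addresses are in the same subnet as the outside interface (the common cable-modem case); if the provider routes a separate block to you, it must be routed to the PIX's outside address and proxy ARP plays no part. And `sysopt noproxyarp outside`, if present, switches proxy ARP off for that interface and silently breaks the in-subnet case.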

------------------------------

Message: 2
Date: Mon, 12 Jan 2009 15:21:37 -0500
From: "Ken Fox" <kenfox@starlinx.com>
Subject: [fw-wiz] Residential Gateway vulnerabilities
To: <firewall-wizards@listserv.icsalabs.com>
Message-ID: <CEEELPMPEHOLOBPOOABLAEHGHIAA.kenfox@starlinx.com>
Content-Type: text/plain; charset="iso-8859-1"


Folks -

Does anyone have a good source of information on vulnerabilities in OTS
residential gateways?

Specifically DLINK & NETGEAR?

No new news here, but I was getting flooded with inbound traffic so I
powered my cable modem down for a while. Within 25 seconds of power up with
a NEW IP address, I was getting scanned again. Oh, and the best part is that
the source IP was 10.10.10.10....

-- Ken


------------------------------

Message: 3
Date: Fri, 09 Jan 2009 09:04:24 +0100
From: Christoph Mayer <mayer@tm.uka.de>
Subject: Re: [fw-wiz] Windows dynamic ARP
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <49670508.8010602@tm.uka.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

>> Unfortunately XArp can't really 'filter' (drop) the packets, but alert you.
>
> I am sure you will correct me Chris (You did write the tool after all
> ;-) but I was under the impression the requestedresponse filter
> actually dropped a response to the host Xarp is running on if the host
> didn't issue an arp request ?

Unfortunately I was not able to write an NDIS driver for Windows that
could really "drop" packets. The names of the filters might be a bit
misleading, but it is stated clearly in the manual etc. The filter names
arose because my first intent was to really drop packets.

>> I am currently working on a Linux port where writing a network driver for
>
> wouldn't arptables
> http://ebtables.sourceforge.net/arptables-man.html
> be able to handle the linux side of things ?

I will look into this. The XArp filters work very much on dynamic data,
therefore pure static tables don't quite fit into the design. For
example the requestedresponse filter keeps state of requests and these
have to time out after some seconds. I think that's quite hard to
implement using static tables.

>> If you want to get an overview of mechanisms available for ARP attack
>> detection, you can have a look at a (yet incomplete) presentation I once
>> started: http://www.chrismc.de/development/xarp/arp_security_tools.html
>> (http://www.chrismc.de/development/xarp/Securing_ARP_0_2_0.pdf)
>
> You could also possibly include Cisco's Dynamic Arp Inspection (DAI)
> in your line up of products. Sounds good on paper....

Thanks, I will include this!

Best regards,
Chris
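
As an added example (not XArp code, and not posted by anyone in this thread) of the stateful "requested response" check described above, the following Python models a host that remembers the ARP requests it sent and accepts a reply only while a matching request is pending and younger than a timeout. It shows why the check needs dynamic state that a static arptables rule set cannot express. The 2-second request lifetime and the MAC/IP addresses and timestamps in SAMPLE are assumptions and constructed test data.

```python
"""Stateful "requested response" ARP check (added example, not XArp code).
A reply is accepted only if this host sent a matching request that has not
timed out. Assumed: a 2-second request lifetime; SAMPLE is constructed data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

REQUEST_TIMEOUT = 2.0   # assumed lifetime of a sent request, in seconds


@dataclass(frozen=True)
class Arp:
    op: str            # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str
    ts: float          # capture time in seconds


class RequestedResponseFilter:
    def __init__(self, my_mac: str, timeout: float = REQUEST_TIMEOUT):
        self.my_mac = my_mac
        self.timeout = timeout
        self.pending: Dict[str, float] = {}   # target IP -> time we asked for it
        self.cache: Dict[str, str] = {}       # IP -> MAC learned from accepted replies

    def _expire(self, now: float) -> None:
        # Dynamic state: requests age out, which a static rule table cannot express.
        for ip, asked_at in list(self.pending.items()):
            if now - asked_at > self.timeout:
                del self.pending[ip]

    def process(self, pkt: Arp) -> Tuple[str, Optional[str]]:
        """Return ("ok", None) or ("alert", reason) for one ARP packet."""
        self._expire(pkt.ts)
        if pkt.op == "request":
            if pkt.sender_mac == self.my_mac:
                self.pending[pkt.target_ip] = pkt.ts
            return ("ok", None)
        if pkt.target_mac != self.my_mac:
            return ("ok", None)               # reply not addressed to this host
        if pkt.sender_ip not in self.pending:
            return ("alert", f"reply for {pkt.sender_ip} from {pkt.sender_mac} "
                             "without a pending request")
        known = self.cache.get(pkt.sender_ip)
        if known is not None and known != pkt.sender_mac:
            return ("alert", f"{pkt.sender_ip} changed from {known} to {pkt.sender_mac}")
        self.cache[pkt.sender_ip] = pkt.sender_mac
        del self.pending[pkt.sender_ip]
        return ("ok", None)


def run_trace(pkts: List[Arp], my_mac: str) -> List[Tuple[str, Optional[str]]]:
    flt = RequestedResponseFilter(my_mac)
    return [flt.process(p) for p in pkts]


ME, GW = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"
EVIL, HOST20 = "de:ad:be:ef:00:01", "aa:bb:cc:dd:ee:20"
ZERO = "00:00:00:00:00:00"
SAMPLE = [  # constructed trace, not a real capture
    Arp("request", ME, "192.168.1.10", ZERO, "192.168.1.1", 0.00),    # we ask for the gateway
    Arp("reply", GW, "192.168.1.1", ME, "192.168.1.10", 0.01),        # answered in time: ok
    Arp("reply", EVIL, "192.168.1.1", ME, "192.168.1.10", 0.50),      # nobody asked: alert
    Arp("request", ME, "192.168.1.10", ZERO, "192.168.1.1", 10.00),
    Arp("reply", EVIL, "192.168.1.1", ME, "192.168.1.10", 10.01),     # answers us, wrong MAC: alert
    Arp("request", ME, "192.168.1.10", ZERO, "192.168.1.20", 20.00),
    Arp("reply", HOST20, "192.168.1.20", ME, "192.168.1.10", 25.00),  # request timed out: alert
]

if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(SAMPLE, run_trace(SAMPLE, ME)):
        print(f"t={pkt.ts:5.2f} {pkt.op:7} {pkt.sender_ip:13} {verdict} {reason or ''}")
```

The third alert (a legitimate answer arriving after the request expired) is the trade-off this design carries: a short timeout catches stale or replayed replies, a long one widens the window a spoofer has to race the real host.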

------------------------------

Message: 4
Date: Thu, 15 Jan 2009 11:39:54 +0100
From: "Meindert Uitman" <meindert.uitman@avic.nl>
Subject: [fw-wiz] PIX515 failover
To: <firewall-wizards@listserv.cybertrust.com>
Message-ID: <003d01c976fd$9ad25990$d0770cb0$@uitman@avic.nl>
Content-Type: text/plain; charset="iso-8859-1"

Hi there,

Cisco states that a failover config needs the same hardware for both nodes. I
have two 515's. RAM, SW version, interfaces and licences are no problem, but
processor types are different. Does anyone have experience with such a
config when set for failover? I do not need the stateful failover option.

Thanks in advance,

Meindert.

.- ...- .. -.-. AVIC B.V.
Koeweistraat 3
4181 CD Waardenburg
The Netherlands

tel: +31(0)418674644
fax: +31(0)418674111
Mobile: +31(0)622744718
e-mail: meindert.uitman@avic.nl

DISCLAIMER:
The information contained in this communication is confidential and may
be legally privileged. It is intended solely for the use of the individual
or entity to whom it is addressed and others authorised to receive it. If you
are not the intended recipient you are hereby notified that any disclosure,
copying, distribution or taking any action in reliance of the contents of
this information is strictly prohibited and may be unlawful. Avic is neither
liable for the proper and complete transmission of the information
contained in this communication nor for any delay in its receipt.


------------------------------

Message: 5
Date: Thu, 15 Jan 2009 13:27:14 +0200
From: "Haim [Howard] Roman" <roman@jct.ac.il>
Subject: [fw-wiz] Cisco ASA firewall: SQLnet inspection: buffer limit
To: firewall-wizards@listserv.cybertrust.com
Cc: Mike Tewner <tewner@gmail.com>, Avraham Shir-el
<avraham@jct.ac.il>, Yonah Russ <me@yonahruss.com>
Message-ID: <496F1D92.5080308@jct.ac.il>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Some friends have a Cisco ASA firewall, firmware version 8.0.4. Behind
the firewall is an Oracle database.

This firewall has an SQLnet inspection feature. However, the packet
reassembly buffer has a limit of 8 kbytes. Many of the SQL queries are
bigger than this, and they get blocked. Is there a way to increase
this? (not sure how big they need to be). In the meantime, they have to
disable this feature.


Thanks

--
-------------------------------------------------
Haim (Howard) Roman
Computer Center, Jerusalem College of Technology
roman@jct.ac.il

------------------------------

Message: 6
Date: Thu, 15 Jan 2009 11:45:03 -0800
From: Chuck Swiger <chuck@codefab.com>
Subject: Re: [fw-wiz] Cisco ASA firewall: SQLnet inspection: buffer
limit
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Cc: Mike Tewner <tewner@gmail.com>, Avraham Shir-el
<avraham@jct.ac.il>, Yonah Russ <me@yonahruss.com>
Message-ID: <B8D15270-1380-47F9-9E0A-E6E603406624@codefab.com>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes

Hi--

On Jan 15, 2009, at 3:27 AM, Haim [Howard] Roman wrote:
> Some friends have a Cisco ASA firewall, firmware version 8.0.4.
> Behind the firewall is an Oracle database.
>
> This firewall has an SQLnet inspection feature. However, the packet
> reassembly buffer has a limit of 8 kbytes. Many of the SQL queries
> are bigger than this, and they get blocked. Is there a way to
> increase this? (not sure how big they need to be). In the meantime,
> they have to disable this feature.

The typical solution to accessing a database behind a firewall is to
set up a VPN connection, and not to disable the firewall.

Permitting the entire Internet to access your database means you are
trusting Oracle's security. Even if you don't care about the
integrity of your data, you'd also put the machine running Oracle
itself at risk of compromise as well:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/public_vuln_to_advisory_mapping.html

Regards,
--
-Chuck

------------------------------

Message: 7
Date: Thu, 15 Jan 2009 17:47:33 -0600
From: Chris Myers <clmmacunix@charter.net>
Subject: Re: [fw-wiz] Cisco ASA firewall: SQLnet inspection: buffer
limit
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: Yonah Russ <me@yonahruss.com>, Mike Tewner <tewner@gmail.com>,
Avraham Shir-el <avraham@jct.ac.il>,
firewall-wizards@listserv.cybertrust.com
Message-ID: <348ACF25-73C2-4190-B225-4DBDEE01ADBB@charter.net>
Content-Type: text/plain; charset="us-ascii"; Format="flowed";
DelSp="yes"

Haim,

Sorry, this is long. Are you running v1 or v2? Run the 'show service-
policy' to see if you are getting drops or reset-drops. There is one
instance of a reset for the sqlnet involving the command structure in
SQL. I do not see a data size issue with the inspection, except for a
zero data payload following the REDIRECT command, but I am still
looking. You might try removing inspection for sqlnet from global and
put your own service-policy on the ingress interface for the traffic
using a range of ports if you see that it is not reset-drops, but
drops only for this traffic. Check the logs if you are running syslog.
Hope this helps. Attributed material from Cisco Systems, http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/gl.html

The SQL*Net protocol consists of different packet types that the
security appliance handles to make the data stream appear consistent
to the Oracle applications on either side of the security appliance.

The default port assignment for SQL*Net is 1521. This is the value
used by Oracle for SQL*Net, but this value does not agree with IANA
port assignments for Structured Query Language (SQL). Use the class-
map command to apply SQL*Net inspection to a range of port numbers.

The security appliance NATs all addresses and looks in the packets for
all embedded ports to open for SQL*Net Version 1.

For SQL*Net Version 2, all DATA or REDIRECT packets that immediately
follow REDIRECT packets with a zero data length will be fixed up.

The packets that need fix-up contain embedded host/port addresses in
the following format:

(ADDRESS=(PROTOCOL=tcp)(DEV=6)(HOST=a.b.c.d)(PORT=a))


SQL*Net Version 2 TNSFrame types (Connect, Accept, Refuse, Resend, and
Marker) will not be scanned for addresses to NAT nor will inspection
open dynamic connections for any embedded ports in the packet.

SQL*Net Version 2 TNSFrames, Redirect, and Data packets will be
scanned for ports to open and addresses to NAT, if preceded by a
REDIRECT TNSFrame type with a zero data length for the payload. When
the Redirect message with data length zero passes through the security
appliance, a flag will be set in the connection data structure to
expect the Data or Redirect message that follows to be NATed and ports
to be dynamically opened. If one of the TNS frames in the preceding
paragraph arrives after the Redirect message, the flag will be reset.

The SQL*Net inspection engine will recalculate the checksum, change
IP, TCP lengths, and readjust Sequence Numbers and Acknowledgment
Numbers using the delta of the length of the new and old message.

SQL*Net Version 1 is assumed for all other cases. TNSFrame types
(Connect, Accept, Refuse, Resend, Marker, Redirect, and Data) and all
packets will be scanned for ports and addresses. Addresses will be
NATed and port connections will be opened.
Examples

You enable the SQL*Net inspection engine as shown in the following
example, which creates a class map to match SQL*Net traffic on the
default port (1521). The service policy is then applied to the outside
interface.

**Here is also where you can mark the port range [port [-port] ] -
meaning you can use range 1521-2000

hostname(config)# class-map sqlnet-port
hostname(config-cmap)# match port tcp eq 1521
hostname(config-cmap)# exit
hostname(config)# policy-map sqlnet_policy
hostname(config-pmap)# class sqlnet-port
hostname(config-pmap-c)# inspect sqlnet
hostname(config-pmap-c)# exit
hostname(config)# service-policy sqlnet_policy interface outside


To enable SQL*Net inspection for all interfaces, use the global
parameter in place of interface outside.


Thank You,

Chris Myers
clmmacunix@charter.net

John 1:17
For the Law was given through Moses; grace and truth were realized
through Jesus Christ.


Go Vols!!!!

On Jan 15, 2009, at 5:27 AM, Haim [Howard] Roman wrote:

> Some friends have a Cisco ASA firewall, firmware version 8.0.4.
> Behind the firewall is an Oracle database.
>
> This firewall has an SQLnet inspection feature. However, the packet
> reassembly buffer has a limit of 8 kbytes. Many of the SQL queries
> are bigger than this, and they get blocked. Is there a way to
> increase this? (not sure how big they need to be). In the meantime,
> they have to disable this feature.
>
> Thanks
>
> --
> -------------------------------------------------
> Haim (Howard) Roman
> Computer Center, Jerusalem College of Technology
> roman@jct.ac.il
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
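
An added example (not Cisco or Oracle code, and not posted in this thread) that models the SQL*Net Version 2 fix-up the quoted Cisco text describes: a REDIRECT TNS frame with zero data length arms a per-connection flag; the next DATA or REDIRECT frame is scanned for an embedded (HOST=a.b.c.d)(PORT=n), the address is rewritten from the NAT table, a pinhole is recorded, the TNS length field is patched and the byte delta the firewall would apply to TCP sequence numbers is accumulated; any other frame type clears the flag. Assumptions, since the page does not spell them out: the 8-byte TNS header layout (length, packet checksum, type, reserved, header checksum, big-endian), type codes REDIRECT=5 and DATA=6, a 2-byte word after the header (redirect-data length, or data flags for DATA), checksums left at zero, and the NAT table and frames in demo(), which are constructed sample data.

```python
"""Model of the SQL*Net v2 REDIRECT/DATA fix-up (added example, not Cisco or
Oracle code). Assumed TNS framing: 8-byte header (len, cksum, type, reserved,
hdr cksum), REDIRECT=5, DATA=6, one 2-byte word after the header. NAT table
and frames in demo() are constructed sample data; checksums stay zero."""
import re
import struct
from typing import Dict, List, Tuple

TNS_HEADER = struct.Struct("!HHBBH")   # pkt_len, pkt_cksum, type, reserved, hdr_cksum
TNS_REDIRECT, TNS_DATA = 5, 6
ADDR_RE = re.compile(rb"\(HOST=([0-9.]+)\)\(PORT=(\d+)\)")


def build_tns(ptype: int, payload: bytes) -> bytes:
    """Frame a REDIRECT or DATA packet with a correct length field."""
    word = len(payload) if ptype == TNS_REDIRECT else 0   # redirect length / data flags
    body = struct.pack("!H", word) + payload
    return TNS_HEADER.pack(TNS_HEADER.size + len(body), 0, ptype, 0, 0) + body


class SqlnetFixup:
    """Per-connection inspection state: one flag, set by an empty REDIRECT."""

    def __init__(self, nat: Dict[Tuple[str, int], Tuple[str, int]]):
        self.nat = nat                            # (real ip, port) -> (mapped ip, port)
        self.expect_fixup = False
        self.opened: List[Tuple[str, int]] = []   # pinholes the firewall would open
        self.seq_delta = 0                        # cumulative length change, this direction

    def process(self, pkt: bytes) -> bytes:
        plen, _, ptype, _, _ = TNS_HEADER.unpack_from(pkt)
        if plen != len(pkt):
            raise ValueError("TNS length field does not match frame size")
        body = pkt[TNS_HEADER.size:]
        if ptype == TNS_REDIRECT and body == b"\x00\x00":
            self.expect_fixup = True              # zero-length REDIRECT arms the fix-up
            return pkt
        armed, self.expect_fixup = self.expect_fixup, False
        if not armed or ptype not in (TNS_REDIRECT, TNS_DATA):
            return pkt                            # any other frame clears the flag
        return self._rewrite(ptype, body[2:])

    def _rewrite(self, ptype: int, payload: bytes) -> bytes:
        def translate(m) -> bytes:
            key = (m.group(1).decode(), int(m.group(2)))
            ip, port = self.nat.get(key, key)     # untranslated addresses pass as-is
            self.opened.append((ip, port))
            return b"(HOST=%s)(PORT=%d)" % (ip.encode(), port)
        new_payload = ADDR_RE.sub(translate, payload)
        self.seq_delta += len(new_payload) - len(payload)   # what TCP seq/ack must absorb
        return build_tns(ptype, new_payload)                # length field re-derived


NAT = {("10.0.1.51", 1526): ("203.0.113.10", 1526)}   # constructed: inside listener -> public


def demo() -> Tuple[SqlnetFixup, List[bytes]]:
    fw = SqlnetFixup(NAT)
    addr = b"(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.0.1.51)(PORT=1526)))"
    frames = [
        build_tns(TNS_REDIRECT, b""),   # zero-length REDIRECT: arms the flag
        build_tns(TNS_DATA, addr),      # rewritten, pinhole recorded
        build_tns(TNS_DATA, addr),      # flag already cleared: passes untouched
    ]
    return fw, [fw.process(f) for f in frames]


if __name__ == "__main__":
    fw, out = demo()
    for f in out:
        print(f.hex())
    print("pinholes:", fw.opened, "seq delta:", fw.seq_delta)
```

The model stops where the real engine keeps going: it does not recompute checksums or touch the IP/TCP headers, and it tracks one direction only. It does show the two things that matter when inspection misbehaves: the engine only acts on the frame that immediately follows an empty REDIRECT, and every rewrite shifts the sequence space, so a connection that carries a rewritten address and then loses inspection state mid-stream will see sequence numbers the firewall can no longer reconcile.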

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 33, Issue 2
***********************************************
