Friday, January 16, 2009

firewall-wizards Digest, Vol 33, Issue 5

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. ASA 8.0(4) -- Privilege Level to Create Users (Todd Simons)
2. Re: Residential Gateway vulnerabilities (sai)
3. Re: Cisco ASA firewall: SQLnet inspection: buffer limit
(Morrow Long)


----------------------------------------------------------------------

Message: 1
Date: Fri, 16 Jan 2009 09:35:02 -0500
From: "Todd Simons" <tsimons@delphi-tech.com>
Subject: [fw-wiz] ASA 8.0(4) -- Privilege Level to Create Users
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<6BEB7C2F4C712045AA210FC242934F7506FD17B1@NJ-EXCHANGE1.AD.dti>
Keywords: disclaimer
Content-Type: text/plain; charset="us-ascii"

Hello All

We have an ASA hosting connections for our Avaya VPN-enabled IP phones.
I need to give access to a junior admin to create local user accounts on
the ASA. Is there a privilege level, or a custom level that I can
build to allow these commands to be entered by the jr admin without
giving him access to the whole ASA config:

username <username> password <password>
username <username> attributes
  vpn-group-policy <GrpPolicyName>
  service-type remote-access

Thanks,

~Todd


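Added example (not part of Todd's message or of any reply on this page) of how the ASA's local command authorization can be used to scope this. The user names, the level number 5 and the placeholder passwords are assumptions; the "mode" keyword values follow the privilege command syntax as documented for 8.x ("privilege [show | clear | cmd] level N [mode {enable | cmd}] command CMD") and should be checked against the 8.0(4) command reference before use.

```cisco
! Added example, not from the original post. Assumptions: user names
! jradmin/senioradmin, custom privilege level 5, placeholder passwords.
!
! Local accounts. Every command not lowered below stays at the default
! level 15, which the junior admin never reaches.
username senioradmin password <strong-password> privilege 15
username jradmin password <strong-password> privilege 5
!
! Lower only the commands the junior admin needs to level 5.
! "configure" must come down too, or a level-5 user cannot enter
! configuration mode at all. "username" covers the password form and
! the "username ... attributes" submode entry; check
! "show running-config all privilege" for the submode commands
! (vpn-group-policy, service-type) and lower them the same way if they
! are listed with a level of their own.
privilege cmd level 5 mode enable command configure
privilege cmd level 5 mode cmd command username
!
! "show running-config" deliberately stays at 15: it would expose every
! user's password hash and the VPN pre-shared keys to the junior admin.
!
! Authenticate SSH logins and "enable" against the local database, then
! authorize each command against the logged-in user's privilege level.
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
```

Two caveats before relying on this. First, apply it from one session while a second session with the senior account stays logged in: a typo in the privilege lines locks the junior user out of configuration mode, and a mistake in the aaa lines can lock everyone out. Second, local command authorization matches the command name, not its arguments, so a level-5 user who may run "username" can also run "username backdoor password x privilege 15" or reset the senior admin's password. This keeps a well-meaning junior admin inside the lines; it is not a trust boundary against a malicious one. For that, use TACACS+ command authorization (the server sees the full command line, arguments included), or take account creation off the ASA altogether by authenticating the phones' VPN users against an AAA server that the junior admin administers instead.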

------------------------------

Message: 2
Date: Fri, 16 Jan 2009 11:01:52 +0500
From: sai <sonicsai@gmail.com>
Subject: Re: [fw-wiz] Residential Gateway vulnerabilities
To: kenfox@starlinx.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<41d04d600901152201l5e44e300s2626f5933fe29563@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

I prefer to put the modem into transparent mode and do the
firewalling/NAT using something with more firepower. IPCop (Linux) and
m0n0wall (FreeBSD) are both excellent, free and need relatively low-end
hardware. Also quite easy and quick to set up.

sai


2009/1/13 Ken Fox <kenfox@starlinx.com>:
>
> Folks -
>
> Does anyone have a good source of information on vulnerabilities in OTS
> residential gateways?
>
> Specifically DLINK & NETGEAR?
>
> No new news here, but I was getting flooded with inbound traffic so I
> powered my cable modem down for a while. Within 25 seconds of power-up with
> a NEW IP address, I was getting scanned again. Oh, and the best part is that
> the source IP was 10.10.10.10....
>
> -- Ken
>


------------------------------

Message: 3
Date: Fri, 16 Jan 2009 07:06:16 -0500
From: Morrow Long <morrow.long@yale.edu>
Subject: Re: [fw-wiz] Cisco ASA firewall: SQLnet inspection: buffer
limit
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Cc: Mike Tewner <tewner@gmail.com>, Avraham Shir-el
<avraham@jct.ac.il>, Chuck Swiger <chuck@codefab.com>, Yonah Russ
<me@yonahruss.com>
Message-ID: <4c58250ef01f37996f08213a95b5aa0a@yale.edu>
Content-Type: text/plain; charset=US-ASCII; format=flowed

On Jan 15, 2009, at 2:45 PM, Chuck Swiger wrote:
> The typical solution to accessing a database behind a firewall is to
> set up a VPN connection, and not to disable the firewall.
>
> Permitting the entire Internet to access your database means you are
> trusting Oracle's security. Even if you don't care about the
> integrity of your data, you'd also put the machine running Oracle
> itself at risk of compromise as well:

But what about the case where a web server on the DMZ network and
interface on a 3 (or more) interface firewall accesses an Oracle
database server which is located on a higher security level network
protected by a different interface on the same firewall?

The SQL query will also have to go through the firewall to go from the
DMZ WWW server to the DB server -- I don't believe most experts would
argue that the WWW server should build a VPN connection to the database
server on the more secure network. In most cases you do not want the
public-facing Web server to have unrestricted access to all of the
ports on the DB server nor unrestricted access to the network it is on.

Morrow
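An added example (not part of Morrow's message) of the ACL shape that implements his last paragraph on an ASA: the DMZ web server reaches only the listener port on the database server, and nothing else on the DMZ reaches the inside network at all. Interface names, addresses and the listener port 1521 are assumptions.

```cisco
! Added example, not from the original message. Assumed addresses:
! web server 192.0.2.10 on dmz (security-level 50), Oracle listener
! 10.1.0.20 TCP/1521 on inside (security-level 100).
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
! Inbound on dmz: exactly one source host, one destination, one port,
! then an explicit deny for the whole inside network so the later permit
! for Internet-bound traffic cannot leak DMZ hosts onto it. Logging the
! deny shows you what else the web server is trying to reach.
access-list dmz_in extended permit tcp host 192.0.2.10 host 10.1.0.20 eq 1521
access-list dmz_in extended deny ip any 10.1.0.0 255.255.255.0 log
access-list dmz_in extended permit ip 192.0.2.0 255.255.255.0 any
access-group dmz_in in interface dmz
!
! SQL*Net inspection is already in the default global policy on 8.0;
! keep it if the listener redirects clients to another port, since the
! ACL above will not open that port by itself.
policy-map global_policy
 class inspection_default
  inspect sqlnet
```

Once an access-group is applied to the dmz interface the security levels no longer decide anything for traffic entering it; the ACL does, including its final permit, so do not widen that permit to "ip any any". Replies from the database server back to the web server are matched by the connection table and need no rule on the inside interface. If the listener redirects sessions to a different port, the inspect sqlnet line is what opens that port; without it the first access-list line is the only path and the redirected connection is dropped.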

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 33, Issue 5
***********************************************
