Today's Topics:
1. Re: ASA 8.0(4) -- Privilege Level to Create Users
(Christopher J. Wargaski)
2. Interface Errors on a Cisco ASA 5520 (David Blahut)
3. Re: Residential Gateway vulnerabilities (AMuse)
4. Re: Interface Errors on a Cisco ASA 5520 (Christopher J. Wargaski)
----------------------------------------------------------------------
Message: 1
Date: Fri, 16 Jan 2009 10:18:44 -0600
From: "Christopher J. Wargaski" <wargo1@gmail.com>
Subject: Re: [fw-wiz] ASA 8.0(4) -- Privilege Level to Create Users
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Cc: tsimons@delphi-tech.com
Message-ID:
<17065120901160818x4a7dc60bs3e6eec3d1c11d1db@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Hey Todd--
Yes, there is. However, by giving the permission to someone to add/modify
users, they can modify their own privilege level. So this is sort of a
security through obscurity thing.
Try this:
privilege cmd level 5 mode exec command configure
privilege show level 5 mode configure command username
privilege cmd level 5 mode configure command configure
privilege cmd level 5 mode configure command username
privilege clear level 5 mode configure command username
privilege clear level 5 mode configure command configure
username jradmin password my-pass privilege 5
On Fri, Jan 16, 2009 at 8:35 AM, Todd Simons <tsimons@delphi-tech.com> wrote:
> Hello All
>
> We have an ASA hosting connections for our Avaya VPN enabled IP phones. I
> need to give access to a junior admin to create local user accounts on the
> ASA. Is there a privilege level, or a custom level that I can build to
> allow these commands to be entered by the jr admin without giving him access
> to the whole ASA config:
>
> username <username> password <password>
> username <username> attributes
>  vpn-group-policy <GrpPolicyName>
>  service-type remote-access
>
> Thanks,
>
> ~Todd
>
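A defender's check for the caveat in the reply above (anyone who may run `username` can re-issue it against their own account with `privilege 15`), written here as an added example rather than code from the thread. It assumes a running-config fragment in the same form as the commands quoted above, uses a constructed sample, and also reports whether `aaa authorization command LOCAL` is present, since without local command authorization the ASA never consults the privilege table at all.

```python
import re

# Constructed sample running-config fragment modelled on the privilege
# commands in the reply above; not a capture from a real device.
SAMPLE_CONFIG = """\
aaa authorization command LOCAL
privilege cmd level 5 mode exec command configure
privilege show level 5 mode configure command username
privilege cmd level 5 mode configure command configure
privilege cmd level 5 mode configure command username
privilege clear level 5 mode configure command username
username jradmin password my-pass privilege 5
username helpdesk password other-pass encrypted privilege 3
username admin password top-pass encrypted privilege 15
"""

PRIV_RE = re.compile(r"^privilege cmd level (\d+) mode configure command username$")
USER_RE = re.compile(r"^username (\S+) password \S+(?: encrypted)?(?: privilege (\d+))?$")

def parse_config(text):
    """Return (level allowed to run 'username' in configure mode,
    {user: configured level}, whether 'aaa authorization command LOCAL' is set)."""
    username_cmd_level, users, authz = None, {}, False
    for line in text.splitlines():
        line = line.strip()
        if line == "aaa authorization command LOCAL":
            authz = True
        elif PRIV_RE.match(line):
            username_cmd_level = int(PRIV_RE.match(line).group(1))
        elif USER_RE.match(line):
            m = USER_RE.match(line)
            # ASA gives a username with no explicit level privilege 2
            users[m.group(1)] = int(m.group(2)) if m.group(2) else 2
    return username_cmd_level, users, authz

def effective_levels(text):
    """Return (authorization enforced?, {user: level the user can reach}).
    A user whose level is at or above the one that grants 'username'
    can rewrite their own account to privilege 15."""
    username_cmd_level, users, authz = parse_config(text)
    reach = {}
    for name, level in users.items():
        escalate = username_cmd_level is not None and level >= username_cmd_level
        reach[name] = 15 if escalate else level
    return authz, reach
```

Run it against the output of `show running-config` on the device; a `False` in the first field means the privilege lines are configured but not enforced.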
------------------------------
Message: 2
Date: Fri, 16 Jan 2009 12:15:52 -0500
From: David Blahut <dablahut@vassar.edu>
Subject: [fw-wiz] Interface Errors on a Cisco ASA 5520
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4970C0C8.8050203@vassar.edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
All-
I just put into production a pair of Cisco ASA 5520s with a Cisco 2970
switch between the two. I am seeing no buffer, input errors, and
overrun errors on the active outside and inside interfaces (output is
error free). I have all interfaces on the ASAs and the switch hard
coded to 1000Mbps and full duplex; TAC wasn't much help and Google
doesn't have much to offer on the subject. Given that speed and duplex
mismatch usually manifests itself as CRC and/or collisions, this seems
more like an input buffer size issue, but I am not sure.
By the way, the load is about 40Mbps right now and the error counters
seem to increase in bursts (no increase since I first checked it at about
9 this morning).
Any ideas?
Thanks,
David
------------------------------
Message: 3
Date: Fri, 16 Jan 2009 08:17:50 -0800
From: AMuse <amuse@foofus.com>
Subject: Re: [fw-wiz] Residential Gateway vulnerabilities
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: kenfox@starlinx.com
Message-ID: <4970B32E.90806@foofus.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Probably been discussed (to death) before, but I really like the Soekris
series of boxes. Very low power requirement, inexpensive (compared to
other gear), good performance and can really run! m0n0wall distributes
a flash image on a flash card specifically for their hardware.
I have Debian on mine as a home router, with iptables, openvpn,
fail2ban, dhcp3-server and a few other nifty packages. From my
experience the VPN will push about 8Mb/sec - which is more than the
downstream limit on my cable and WAY more than the upstream.
Soekris link: http://www.soekris.com/
sai wrote:
> I prefer to put the modem into transparent mode and do the
> firewalling/NAT using something with more firepower. IPCop (Linux) and
> m0n0wall (FreeBSD) are both excellent, free and need relatively low
> end hardware. Also quite easy and quick to set up.
>
> sai
>
>
> 2009/1/13 Ken Fox <kenfox@starlinx.com>:
>
>> Folks -
>>
>> Does anyone have a good source of information on vulnerabilities in OTS
>> residential gateways?
>>
>> Specifically DLINK & NETGEAR?
>>
>> No new news here, but I was getting flooded with inbound traffic so I
>> powered my cable modem down for a while. Within 25 seconds of power up with
>> a NEW IP address, I was getting scanned again. Oh, and the best part is that
>> the source IP was 10.10.10.10....
>>
>> -- Ken
>>
------------------------------
Message: 4
Date: Fri, 16 Jan 2009 12:21:26 -0600
From: "Christopher J. Wargaski" <wargo1@gmail.com>
Subject: Re: [fw-wiz] Interface Errors on a Cisco ASA 5520
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<17065120901161021u5e628031n121a6f94069befda@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
David--
Can you post a snippet of the interface statistics?
Also, look at the interface statistics for the upstream and downstream
switch or router.
On Fri, Jan 16, 2009 at 11:15 AM, David Blahut <dablahut@vassar.edu> wrote:
> All-
>
> I just put into production a pair of Cisco ASA 5520s with a Cisco 2970
> switch between the two. I am seeing no buffer, input errors, and overrun
> errors on the active outside and inside interfaces (output is error free).
> I have all interfaces on the ASAs and the switch hard coded to 1000Mbps and
> full duplex; TAC wasn't much help and Google doesn't have much to offer on
> the subject. Given that speed and duplex mismatch usually manifests itself
> as CRC and/or collisions, this seems more like an input buffer size issue,
> but I am not sure.
>
> By the way, the load is about 40Mbps right now and the error counters seem
> to increase in bursts (no increase since I first checked it at about 9 this
> morning).
>
> Any ideas?
>
> Thanks,
> David
------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest, Vol 33, Issue 6
***********************************************