firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: Cisco ASA firewall: SQLnet inspection: buffer limit
(Chris Myers)
2. Re: Interface Errors on a Cisco ASA 5520 (David Blahut)
----------------------------------------------------------------------
Message: 1
Date: Fri, 16 Jan 2009 16:58:03 -0600
From: Chris Myers <clmmacunix@charter.net>
Subject: Re: [fw-wiz] Cisco ASA firewall: SQLnet inspection: buffer limit
To: Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>
Cc: Yonah Russ <me@yonahruss.com>, Mike Tewner <tewner@gmail.com>, Avraham Shir-el <avraham@jct.ac.il>, Chuck Swiger <chuck@codefab.com>, Firewall Wizards Security Mailing List <firewall-wizards@listserv.cybertrust.com>
Message-ID: <11A9D9CB-2422-4CF2-AD3D-436F517A6FDF@charter.net>
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Although I would not argue the VPN solution being secure, the reason most do not do this is because thousands of web queries would take forever to process to a SQL server due to the encryption. It would have to be done at the client level as well, since you cannot terminate a LAN2LAN on a host or an ISA server. This may have been a bad presumption on my part, but who said this was a database to a web server? I see no indication that this is a public-facing box on the internet. There are no IP addresses and no interfaces indicating so. This could be two firewalls deep for layered protection and could have a proxy front end, or a back-end frame relay.
Thank You,
Chris Myers
clmmacunix@charter.net
John 1:17
For the Law was given through Moses; grace and truth were realized
through Jesus Christ.
Go Vols!!!!
On Jan 16, 2009, at 6:06 AM, Morrow Long wrote:
> On Jan 15, 2009, at 2:45 PM, Chuck Swiger wrote:
>> The typical solution to accessing a database behind a firewall is
>> to set up a VPN connection, and not to disable the firewall.
>>
>> Permitting the entire Internet to access your database means you
>> are trusting Oracle's security. Even if you don't care about the
>> integrity of your data, you'd also put the machine running Oracle
>> itself at risk of compromise as well:
>
> But what about the case where a web server on the DMZ network and
> interface on a 3 (or more) interface
> firewall accesses an Oracle database server which is located on a
> higher security level network protected
> by a different interface on the same firewall?
>
> The SQL query will also have to go through the firewall to go from
> the DMZ WWW server to the DB server --
> I don't believe most experts would argue that the WWW server should
> build a VPN connection to the
> database server on the more secure network. In most cases you do
> not want the public facing Web server
> to have unrestricted access to all of the ports on the DB server nor
> unrestricted access to the network it is on.
>
> Morrow
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
------------------------------
Message: 2
Date: Fri, 16 Jan 2009 15:22:53 -0500
From: David Blahut <dablahut@vassar.edu>
Subject: Re: [fw-wiz] Interface Errors on a Cisco ASA 5520
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4970EC9D.9040104@vassar.edu>
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
All the interface counters on the 2970 are holding steady at zero.
*****snip*****
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
MAC address 0019.e8d9.65d6, MTU 1500
IP address 10.0.2.254, subnet mask 255.255.255.0
75470149 packets input, 85638459632 bytes, *36635 no buffer*
Received 0 broadcasts, 0 runts, 0 giants
*32081 input errors, 0 CRC, 0 frame, 32081 overrun, 0 ignored, 0 abort*
0 L2 decode drops
54815945 packets output, 14582208506 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (0/33) software (0/0)
output queue (curr/max packets): hardware (0/45) software (0/0)
Traffic Statistics for "outside":
75456180 packets input, 84247395544 bytes
54815945 packets output, 13513354970 bytes
1229667 packets dropped
1 minute input rate 3482 pkts/sec, 3765959 bytes/sec
1 minute output rate 2563 pkts/sec, 615114 bytes/sec
1 minute drop rate, 48 pkts/sec
5 minute input rate 3173 pkts/sec, 3494452 bytes/sec
5 minute output rate 2360 pkts/sec, 632499 bytes/sec
5 minute drop rate, 59 pkts/sec
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
MAC address 0019.e8d9.65d7, MTU 1500
IP address 10.0.1.1, subnet mask 255.255.255.0
53083032 packets input, 14467412251 bytes, *57 no buffer*
Received 24 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
78602459 packets output, 86261688947 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (1/33) software (0/0)
output queue (curr/max packets): hardware (0/232) software (0/0)
Traffic Statistics for "inside":
53080231 packets input, 13433139678 bytes
78602459 packets output, 84817722165 bytes
105636 packets dropped
1 minute input rate 2464 pkts/sec, 593880 bytes/sec
1 minute output rate 3621 pkts/sec, 3820938 bytes/sec
1 minute drop rate, 6 pkts/sec
5 minute input rate 2266 pkts/sec, 523832 bytes/sec
5 minute output rate 3365 pkts/sec, 3565026 bytes/sec
5 minute drop rate, 9 pkts/sec
****snip****
-d
Christopher J. Wargaski wrote:
> David--
>
> Can you post a snippet of the interface statistics?
>
> Also, look at the interface statistics for the upstream and
> downstream switch or router.
>
>
> On Fri, Jan 16, 2009 at 11:15 AM, David Blahut <dablahut@vassar.edu
> <mailto:dablahut@vassar.edu>> wrote:
>
> All-
>
> I just put into production a pair of Cisco ASA 5520s with a Cisco
> 2970 switch between the two. I am seeing no buffer, input errors,
> and overrun errors on the active outside and inside interfaces
> (output is error free). I have all interfaces on the ASAs and the
> switch hard coded to 1000Mbps and full duplex, TAC wasn't much
> help and Google doesn't have much to offer on the subject. Given
> that speed and duplex mismatches usually manifest themselves as CRC and/or
> collisions, this seems more like an input buffer size issue, but
> I am not sure.
>
> By the way, the load is about 40Mbps right now and the error
> counters seem to increase in burst (no increase since I first
> checked it at about 9 this morning).
>
> Any ideas?
>
> Thanks,
> David
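The interface output David posted above, read programmatically. The following is an added example, not code from the thread or from Cisco: it parses ASA "show interface" text, normalizes the no buffer / overrun / CRC counters against packets input, and applies the distinction the thread itself draws (CRC errors and collisions for a speed or duplex mismatch, overrun and no buffer with clean CRC counters for the receive side not keeping up with bursts). The sample text is a constructed, abridged copy of the posted output with the e-mail line wrapping and asterisk emphasis undone; the ten-per-million threshold and the verdict names are assumptions, not anything Cisco documents.

```python
import re

# Constructed sample input: an abridged copy of the "show interface" output
# posted in the thread. Only the lines the parser reads are kept.
SAMPLE_OUTPUT = """\
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
  75470149 packets input, 85638459632 bytes, 36635 no buffer
  Received 0 broadcasts, 0 runts, 0 giants
  32081 input errors, 0 CRC, 0 frame, 32081 overrun, 0 ignored, 0 abort
  54815945 packets output, 14582208506 bytes, 0 underruns
  0 output errors, 0 collisions, 0 interface resets
  Traffic Statistics for "outside":
    75456180 packets input, 84247395544 bytes
    54815945 packets output, 13513354970 bytes
    1229667 packets dropped
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
  53083032 packets input, 14467412251 bytes, 57 no buffer
  Received 24 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  78602459 packets output, 86261688947 bytes, 0 underruns
  0 output errors, 0 collisions, 0 interface resets
  Traffic Statistics for "inside":
    53080231 packets input, 13433139678 bytes
    78602459 packets output, 84817722165 bytes
    105636 packets dropped
"""

IFACE_RE = re.compile(r'^Interface (\S+) "([^"]*)"')
INPUT_RE = re.compile(r'(\d+) packets input, (\d+) bytes, (\d+) no buffer')
ERRORS_RE = re.compile(
    r'(\d+) input errors, (\d+) CRC, (\d+) frame, (\d+) overrun')
DROPPED_RE = re.compile(r'(\d+) packets dropped')


def parse_show_interface(text):
    """Map each interface's nameif ("outside", "inside") to its counters."""
    counters = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip().replace("*", "")  # tolerate e-mail emphasis marks
        m = IFACE_RE.match(line)
        if m:
            current = m.group(2) or m.group(1)
            counters[current] = {}
            continue
        if current is None:
            continue
        m = INPUT_RE.search(line)  # only the NIC line carries "no buffer"
        if m:
            counters[current].update(packets_input=int(m.group(1)),
                                     no_buffer=int(m.group(3)))
            continue
        m = ERRORS_RE.search(line)
        if m:
            counters[current].update(input_errors=int(m.group(1)),
                                     crc=int(m.group(2)),
                                     frame=int(m.group(3)),
                                     overrun=int(m.group(4)))
            continue
        m = DROPPED_RE.search(line)  # "Traffic Statistics" section
        if m:
            counters[current]["policy_dropped"] = int(m.group(1))
    return counters


def per_million(part, whole):
    """Error counters only mean something relative to packets seen."""
    return 0.0 if whole == 0 else part * 1_000_000.0 / whole


def assess(c, ppm_threshold=10.0):
    """Classify one interface's input problems along the lines of the thread:
    CRC/frame errors point at the physical layer or a duplex mismatch; overrun
    and no buffer with clean CRC counters point at the receive side not
    draining the NIC fast enough. Threshold and labels are assumptions."""
    pkts = c.get("packets_input", 0)
    rx_starved = per_million(c.get("overrun", 0) + c.get("no_buffer", 0), pkts)
    if c.get("crc", 0) or c.get("frame", 0):
        return "physical-or-duplex"
    if rx_starved >= ppm_threshold:
        return "rx-buffer-exhaustion"
    return "clean"


def report(text, ppm_threshold=10.0):
    """One summary line per interface, suitable for a monitoring check."""
    lines = []
    for name, c in parse_show_interface(text).items():
        pkts = c.get("packets_input", 0)
        lines.append(
            f"{name}: {assess(c, ppm_threshold)} "
            f"(no buffer {per_million(c.get('no_buffer', 0), pkts):.1f} ppm, "
            f"overrun {per_million(c.get('overrun', 0), pkts):.1f} ppm, "
            f"policy drops {c.get('policy_dropped', 0)})")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_OUTPUT):
        print(line)
```

Run against the posted counters it flags "outside" (roughly 485 no-buffer and 425 overrun per million packets input, with zero CRC and frame errors) and leaves "inside", at about one per million, as clean. The "packets dropped" figure from the Traffic Statistics section is carried separately in the summary rather than folded into the NIC error ratio, since it sits in a different part of the output from the input error counters; deciding how far it matters is left to the operator.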
------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest, Vol 33, Issue 7
***********************************************