Tuesday, May 05, 2009

firewall-wizards Digest, Vol 37, Issue 5

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Netgear FVS318 v1 Firmware 2.4 VPN to Cisco ASA (Lordsporkton)
2. Re: Netgear FVS318 v1 Firmware 2.4 VPN to Cisco ASA (orca)
3. Handling large log files (Nate Hausrath)
4. Re: Handling large log files (Marcin Antkiewicz)
5. Re: Netgear FVS318 v1 Firmware 2.4 VPN to Cisco ASA (Jeremy Sutton)


----------------------------------------------------------------------

Message: 1
Date: Tue, 5 May 2009 09:02:30 -0700
From: "Lordsporkton" <lordsporkton@gmail.com>
Subject: Re: [fw-wiz] Netgear FVS318 v1 Firmware 2.4 VPN to Cisco ASA
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>, <jsutton@techgooroos.com>
Message-ID: <001a01c9cd9a$e72be100$b583a300$@com>
Content-Type: text/plain; charset="iso-8859-1"

Out of curiosity, how did you deal with the srcid and dstid?

Last I worked on a Netgear FVS318 it wanted to use name-based IDs for the
VPN, and I have never been able to get name-based VPNs to work on a Cisco
router.

Would you mind posting up both sides of this config if you have found a way
to do this?

As for your question:

Is one end on a dynamic IP?

Are you using a range or a network on the FVS side when you define
interesting traffic?

Is PFS turned on, on either side? I remember the FVS turning it on by
default and the Cisco turning it off by default.

From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of Ove
Fagerheim
Sent: Monday, May 04, 2009 10:47 PM
To: jsutton@techgooroos.com; Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Netgear FVS318 v1 Firmware 2.4 VPN to Cisco ASA

If you have checked all the policy parameters, including timeouts, it might
be a NAT problem.

Ove Fagerheim

Helgelandskraft AS

-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of Jeremy
Sutton
Sent: 4 May 2009 17:39
To: firewall-wizards@listserv.icsalabs.com
Subject: [fw-wiz] Netgear FVS318 v1 Firmware 2.4 VPN to Cisco ASA

I have a client using a FVS318 v1 firmware 2.4 router trying to connect to a
Cisco ASA. I am the administrator of the Netgear but the administrator of
the Cisco ASA can't get his end configured to communicate with the Netgear.
P1 establishes but P2 does not. Anyone have any suggestions I can pass
along to him? The FVS318 connects fine to another FVS318 but not to his
Cisco. Any help will be greatly appreciated. Thank you!

Jeremy Sutton
President
Tech Gooroos Technology Consulting, Inc.
p: 919-373-4414
c: 919-413-2463
f: 919-510-6254
<http://www.nextdaypc.com/main/default.aspx?&rsmainid=ND0113116>

No virus found in this incoming message.
Checked by AVG - www.avg.com
Version: 8.5.287 / Virus Database: 270.12.18/2096 - Release Date: 05/04/09
17:51:00

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20090505/26d5af32/attachment-0001.html>

------------------------------

Message: 2
Date: Tue, 5 May 2009 12:23:15 -0700
From: orca <klrorca@hotmail.com>
Subject: Re: [fw-wiz] Netgear FVS318 v1 Firmware 2.4 VPN to Cisco ASA
To: <firewall-wizards@listserv.icsalabs.com>
Message-ID: <COL117-W38402CCAA64B13D541D78EA5690@phx.gbl>
Content-Type: text/plain; charset="iso-8859-1"


Jeremy,

If the ASA side is using the ASDM it likes to turn on PFS (Perfect Forward Secrecy), which is almost always overlooked, and will cause a P2 failure.

-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of
Jeremy Sutton
Sent: 4 May 2009 17:39
To: firewall-wizards@listserv.icsalabs.com
Subject: [fw-wiz] Netgear FVS318 v1 Firmware 2.4 VPN to Cisco ASA

I have a client using a FVS318 v1 firmware 2.4 router trying to connect to a
Cisco ASA. I am the administrator of the Netgear but the administrator of
the Cisco ASA can't get his end configured to communicate with the Netgear.
P1 establishes but P2 does not. Anyone have any suggestions I can pass
along to him? The FVS318 connects fine to another FVS318 but not to his
Cisco. Any help will be greatly appreciated. Thank you!

Jeremy Sutton
President
Tech Gooroos Technology Consulting, Inc.
p: 919-373-4414
c: 919-413-2463
f: 919-510-6254

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20090505/1c56a26a/attachment-0001.html>
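The thread narrows a "Phase 1 up, Phase 2 down" tunnel to quick-mode parameters that disagree between the peers: PFS enabled on one side only (orca's point), a range-based selector on the FVS318 facing a network-based one on the ASA, and the transform set (Lordsporkton's questions). The checker below, an added example that is not configuration or code from the list posts, from Netgear or from Cisco, puts both peers' Phase 2 policies side by side and lists every disagreement. The Phase2Policy class, the selector notation and the 192.168.x.x subnets are constructed for the illustration; selectors are compared strictly, which is this checker's simplification.

```python
"""
Side-by-side check of two peers' IPsec Phase 2 (quick mode) parameters.
Added example, not from the digest or from a vendor; all peer values are
constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


def selector_bounds(text: str) -> Tuple[int, int]:
    """Turn '10.1.0.0/24' (network) or '10.1.0.1-10.1.0.254' (range) into an
    inclusive (first, last) pair of integer addresses so that the two
    notations can be compared directly."""
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return int(lo), int(hi)
    net = ipaddress.ip_network(text, strict=False)
    return int(net.network_address), int(net.broadcast_address)


@dataclass
class Phase2Policy:
    name: str
    local: str                          # traffic this peer protects
    remote: str                         # the far side, as this peer sees it
    transforms: Set[Tuple[str, str]]    # {(esp_encryption, esp_integrity)}
    pfs_group: Optional[int]            # Diffie-Hellman group; None = PFS off


def compare_phase2(a: Phase2Policy, b: Phase2Policy) -> List[str]:
    """Return the reasons the quick-mode exchange would fail; an empty list
    means the proposals agree. Selectors are compared strictly (a's local
    must equal b's remote and vice versa): a range covering .1-.254 is not
    the same thing as a /24."""
    problems = []
    if selector_bounds(a.local) != selector_bounds(b.remote):
        problems.append(f"selector: {a.name} local {a.local} != {b.name} remote {b.remote}")
    if selector_bounds(a.remote) != selector_bounds(b.local):
        problems.append(f"selector: {a.name} remote {a.remote} != {b.name} local {b.local}")
    if not (a.transforms & b.transforms):
        problems.append(f"transforms: no ESP proposal common to {a.name} and {b.name}")
    if a.pfs_group != b.pfs_group:
        problems.append(f"pfs: {a.name} group {a.pfs_group}, {b.name} group {b.pfs_group}")
    return problems


def diagnose_thread_case() -> Tuple[List[str], List[str]]:
    """Constructed peers: the ASA has PFS group 2 and a /24 selector; the
    FVS318 is defined with a host range and PFS off. Returns the problem
    list before and after aligning the FVS318 side with the ASA."""
    asa = Phase2Policy("asa", "192.168.10.0/24", "192.168.20.0/24",
                       {("3des", "sha1")}, pfs_group=2)
    fvs_before = Phase2Policy("fvs318", "192.168.20.1-192.168.20.254",
                              "192.168.10.0/24", {("3des", "sha1")}, pfs_group=None)
    fvs_after = Phase2Policy("fvs318", "192.168.20.0/24", "192.168.10.0/24",
                             {("3des", "sha1")}, pfs_group=2)
    return compare_phase2(asa, fvs_before), compare_phase2(asa, fvs_after)


if __name__ == "__main__":
    before, after = diagnose_thread_case()
    print("before:", *before, sep="\n  ")
    print("after:", after)
```

Running it prints one selector mismatch and one PFS mismatch for the "before" pair and nothing for the "after" pair, which is the shape of the fix the thread converges on: make the FVS318 selector a network rather than a range, and set PFS identically on both ends.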

------------------------------

Message: 3
Date: Tue, 5 May 2009 18:41:13 -0400
From: Nate Hausrath <hausrath@gmail.com>
Subject: [fw-wiz] Handling large log files
To: firewall-wizards@listserv.icsalabs.com
Message-ID:
<87e3982b0905051541j44ee663ci4628b06a9e29f80e@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hello everyone,

I have a central log server set up in our environment that would
receive around 200-300 MB of messages per day from various devices
(switches, routers, firewalls, etc). With this volume, logcheck was
able to effectively parse the files and send out a nice email. Now,
however, the volume has increased to around 3-5 GB per day and will
continue growing as we add more systems. Unfortunately, the old
logcheck solution now spends hours trying to parse the logs, and even
if it finishes, it will generate an email that is too big to send.

I'm somewhat new to log management, and I've done quite a bit of
googling for solutions. However, my problem is that I just don't have
enough experience to know what I need. Should I try to work with
logcheck/logsentry in hopes that I can improve its efficiency more?
Should I use filters on syslog-ng to cut out some of the messages I
don't want to see as they reach the box?

I have also thought that it would be useful to cut out all the
duplicate messages and just simply report on the number of times per
day I see each message. After this, it seems likely that logcheck
would be able to effectively parse through the remaining logs and
report the items that I need to see (as well as new messages that
could be interesting).

Are there other solutions that would be better suited to log volumes
like this? Should I look at commercial products?

Any comments/criticisms/suggestions would be greatly appreciated!
Please let me know if I need to provide more information. Again, my
lack of experience in this area makes me hesitant to make a solid
decision without asking for some guidance first. I don't want to
spend a lot of time going in one direction, only to find that I was
completely wrong.

Thanks!
Nate
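The idea in the post of collapsing duplicates and reporting how many times each message appears per day, with new message types called out, is straightforward to do before anything reaches logcheck. The script below is an added example, not code from the post or from logcheck: it strips the syslog timestamp, masks the fields that vary from line to line (addresses, ports, counters), counts each resulting template, keeps one sample line per template, and flags templates that were not in a baseline set. The log lines are constructed samples and the baseline handling is an assumption about how the output would be used.

```python
"""
Collapse a day of syslog into message templates with counts and flag
templates never seen before. Added example; sample lines are constructed.
"""
import re
from collections import Counter
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample lines in BSD syslog style (not from the thread).
SAMPLE_LOG = """\
May  5 10:00:01 fw1 %ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.1.1.20/51000 (198.51.100.2/51000)
May  5 10:00:02 fw1 %ASA-6-302013: Built outbound TCP connection 1235 for outside:203.0.113.9/80 (203.0.113.9/80) to inside:10.1.1.21/51001 (198.51.100.2/51001)
May  5 10:00:03 sw1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to down
May  5 10:00:04 sw1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to up
May  5 10:00:05 rtr1 %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied tcp 198.51.100.77(4444) -> 10.1.1.5(22), 1 packet
May  5 10:00:06 fw1 %ASA-6-302013: Built outbound TCP connection 1236 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.1.1.22/51002 (198.51.100.2/51002)
"""

TIMESTAMP = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d ")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PORT = re.compile(r"<ip>([/(])\d+")          # port glued to a masked address
# A standalone number: not part of an identifier such as %ASA-6-302013 or an
# interface name such as GigabitEthernet1/0/7, which must stay in the template.
NUMBER = re.compile(r"(?<![\w/.:-])\d+(?![\w/.:-])")


def to_template(line: str) -> str:
    """Mask the variable fields so lines that differ only in them collapse."""
    body = TIMESTAMP.sub("", line.rstrip("\n"))
    body = IPV4.sub("<ip>", body)
    body = PORT.sub(r"<ip>\1<port>", body)
    return NUMBER.sub("<n>", body)


def summarize(log_text: str, baseline: FrozenSet[str] = frozenset()
              ) -> Tuple[Counter, Dict[str, str], List[str]]:
    """Count every template, keep one example line per template, and list the
    templates absent from the baseline (the 'new messages' worth a look)."""
    counts: Counter = Counter()
    examples: Dict[str, str] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        t = to_template(line)
        counts[t] += 1
        examples.setdefault(t, line)
    new = [t for t in counts if t not in baseline]
    return counts, examples, new


def render_report(counts: Counter, examples: Dict[str, str], new: List[str]) -> str:
    """Most frequent template first, NEW marker for unseen templates."""
    lines = [f"{n:>8}  {'NEW ' if t in new else '    '}{t}"
             for t, n in counts.most_common()]
    lines.append("")
    lines.append("example of each new template:")
    lines.extend(f"  {examples[t]}" for t in new)
    return "\n".join(lines)


if __name__ == "__main__":
    # The baseline would normally be loaded from earlier days' runs; here the
    # connection and link templates are treated as already known.
    known = frozenset(t for t in summarize(SAMPLE_LOG)[0] if "IPACCESSLOGP" not in t)
    c, ex, new = summarize(SAMPLE_LOG, known)
    print(render_report(c, ex, new))
```

On the six sample lines the three connection-built messages collapse into one template with a count of 3, and only the ACL deny shows up as NEW. The masking rules are the part to tune per device family: a token that should distinguish templates (an interface name, a message ID) must survive, while anything that merely enumerates (connection IDs, packet counts) must not, or the per-day summary grows back to the size of the raw log.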


------------------------------

Message: 4
Date: Tue, 5 May 2009 22:31:32 -0500
From: Marcin Antkiewicz <firewallwizards@kajtek.org>
Subject: Re: [fw-wiz] Handling large log files
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<7ed5f2120905052031k3fe51b8dq684334fb2efd4efb@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

> I have a central log server set up in our environment that would
> receive around 200-300 MB of messages per day from various devices
> (switches, routers, firewalls, etc). With this volume, logcheck was
> able to effectively parse the files and send out a nice email. Now,
> however, the volume has increased to around 3-5 GB per day and will
> continue growing as we add more systems. Unfortunately, the old
> logcheck solution now spends hours trying to parse the logs, and even
> if it finishes, it will generate an email that is too big to send.

Hi Nate,

I will offer a few general suggestions. You should be able to reclaim some
capacity from the system with a review of the overall logging architecture and
your rule/reporting configuration. Harness the project's mailing list, and try
to profile your system in the hope of identifying easily addressed bottlenecks.

- A log volume increase by an order of magnitude usually means that the
complexity of the environment quadruples. At this point, a 10% increase
in the size of your environment adds an equivalent of the original log flow.
I assume that, with adding more machines, the environment is getting more
standardized, but you might have to look for a bigger tool.

- Unless you have already done so, I would try to optimize the ruleset. Make
sure that the logs go through as few regular expressions as possible. With
GB/day of text, the cost of the extra evaluations compounds. Following the
same logic, investigate potentially rewriting the most used, or the most
expensive, rules. Try to squeeze as much capacity from your install as
possible.

- Profile the machines; make sure that disk/network IO keeps up, that CPUs are
not running at 100% at all times, etc. This will let you identify
bottlenecks, and further extend the life of your current system.

- Scrap the existing reports. Write down the list of requirements and the
nice-to-haves, the scope and the needed level of detail, and write new
reports (you should be able to reuse most of the original work).

- See if the architecture can be improved. Can you use multiple log servers?
Is there a logical way of segmenting the log traffic - OS to box 1, DB
transactions to box 2, etc.? Post to the project's mailing list; there should
be people who use it for larger installations, and are willing/able to
provide specific suggestions.

- Commercial tools should be able to keep up with 2 GB/day without much
effort, but every one will take considerable time to set up and tune. The
vendors will claim that it's a 2-day setup and a week of rule setup, etc.,
but I would consider planning for a quarter-long mid-intensity project. The
end result should be useful dashboards and reports that make sense. I would
set aside at least $20k, but that will be very dependent on your environment.
Some products have reporting/integration plugins costing that much.

My team logs 2-3 GB through Splunk, with no performance issues of any kind
(nice box, 8 cores/8 GB RAM). With a bit of careful planning, I expect to put
quite a bit more through it in the near future.

--
Marcin Antkiewicz
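Two of the suggestions above, running each line through as few regular expressions as possible and profiling to find the expensive rules, can be measured rather than guessed at. The profiler below is an added example, not logcheck's code or the poster's: it runs a small rule list over constructed log lines and counts, per rule, how often it fires, how many regex evaluations it cost and how long they took, then shows the saving from a cheap literal prefilter (skip the regex when a required substring is absent) and from ordering rules by hit rate so common lines exit early. The rule names, patterns, prefilter literals and sample lines are all constructed for the illustration.

```python
"""
Profile a logcheck-style ruleset: hits, regex evaluations and time per rule,
and the saving from literal prefilters and hit-ordered rules.
Added example; rules and log lines are constructed.
"""
import re
import time
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    name: str
    pattern: re.Pattern
    prefilter: Optional[str] = None   # literal that must occur before the regex runs
    hits: int = 0
    evaluations: int = 0
    seconds: float = 0.0


# Constructed sample lines (timestamps already stripped by the collector).
SAMPLE_LINES = [
    "fw1 %ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.1.1.20/51000 (198.51.100.2/51000)",
    "fw1 %ASA-6-302013: Built outbound TCP connection 1235 for outside:203.0.113.9/80 (203.0.113.9/80) to inside:10.1.1.21/51001 (198.51.100.2/51001)",
    "sw1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to down",
    "sw1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to up",
    "rtr1 %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied tcp 198.51.100.77(4444) -> 10.1.1.5(22), 1 packet",
    "fw1 %ASA-6-302013: Built outbound TCP connection 1236 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.1.1.22/51002 (198.51.100.2/51002)",
]


def build_rules(use_prefilter: bool) -> List[Rule]:
    """Rules listed rarest-first on purpose: the order a hand-grown ruleset
    often ends up in, with the noisiest message at the bottom."""
    specs = [
        ("acl_deny", r"%SEC-6-IPACCESSLOGP: list \S+ denied (tcp|udp) \S+\((\d+)\) -> \S+\((\d+)\)", "denied"),
        ("link_updown", r"%LINK-3-UPDOWN: Interface (\S+), changed state to (up|down)", "UPDOWN"),
        ("conn_built", r"%ASA-6-302013: Built (inbound|outbound) TCP connection (\d+)", "302013"),
    ]
    return [Rule(n, re.compile(p), lit if use_prefilter else None) for n, p, lit in specs]


def match_line(line: str, rules: List[Rule]) -> Optional[str]:
    """First matching rule name, or None; updates the per-rule counters."""
    for r in rules:
        if r.prefilter is not None and r.prefilter not in line:
            continue                      # skipped without running the regex
        r.evaluations += 1
        t0 = time.perf_counter()
        hit = r.pattern.search(line) is not None
        r.seconds += time.perf_counter() - t0
        if hit:
            r.hits += 1
            return r.name
    return None


def run(lines: List[str], rules: List[Rule]) -> Tuple[Counter, int]:
    """Outcome counts per rule (plus 'unmatched') and total regex evaluations."""
    outcome = Counter(match_line(line, rules) or "unmatched" for line in lines)
    return outcome, sum(r.evaluations for r in rules)


def reorder_by_hits(profiled: List[Rule]) -> List[Rule]:
    """Fresh copies of the rules, most frequently firing first."""
    ordered = sorted(profiled, key=lambda r: r.hits, reverse=True)
    return [Rule(r.name, r.pattern, r.prefilter) for r in ordered]


def compare_strategies(lines: List[str]) -> Dict[str, int]:
    """Regex evaluations each strategy needs over the same lines."""
    plain = build_rules(use_prefilter=False)
    _, evals_plain = run(lines, plain)
    _, evals_pre = run(lines, build_rules(use_prefilter=True))
    _, evals_reordered = run(lines, reorder_by_hits(plain))
    return {"rarest_first": evals_plain, "prefilter": evals_pre,
            "hit_ordered": evals_reordered}


if __name__ == "__main__":
    rules = build_rules(use_prefilter=False)
    outcome, total = run(SAMPLE_LINES, rules)
    for r in rules:
        print(f"{r.name:12} hits={r.hits} evals={r.evaluations} time={r.seconds*1e6:.1f}us")
    print("outcome:", dict(outcome), "evaluations:", total)
    print("by strategy:", compare_strategies(SAMPLE_LINES))
```

On the six sample lines the rarest-first order costs 14 regex evaluations, ordering by hits brings that to 10, and the literal prefilter to 6, with identical outcomes in every case; the per-rule `seconds` column is where a pathologically slow pattern shows up even when its hit count is small. The same counters, written out at the end of each run, are the profile the advice above asks for.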


------------------------------

Message: 5
Date: Tue, 5 May 2009 20:11:40 -0400
From: "Jeremy Sutton" <jsutton@techgooroos.com>
Subject: Re: [fw-wiz] Netgear FVS318 v1 Firmware 2.4 VPN to Cisco ASA
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <E1BA00D4533B4D3AB9731E0BDC5BF3FA@dtg1>
Content-Type: text/plain; charset="iso-8859-1"

Thank you for your response! The ASA is configured by a 3rd party and they
finally got in contact with Cisco and they fixed the ASA for them. I will
look and see if they happened to turn on PFS. Thank you again!

_____

From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of orca
Sent: Tuesday, May 05, 2009 3:23 PM
To: firewall-wizards@listserv.icsalabs.com
Subject: Re: [fw-wiz] Netgear FVS318 v1 Firmware 2.4 VPN to Cisco ASA

Jeremy,

If the ASA side is using the ASDM it likes to turn on PFS (Perfect Forward
Secrecy), which is almost always overlooked, and will cause a P2 failure.

-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of Jeremy
Sutton
Sent: 4 May 2009 17:39
To: firewall-wizards@listserv.icsalabs.com
Subject: [fw-wiz] Netgear FVS318 v1 Firmware 2.4 VPN to Cisco ASA

I have a client using a FVS318 v1 firmware 2.4 router trying to connect to a
Cisco ASA. I am the administrator of the Netgear but the administrator of
the Cisco ASA can't get his end configured to communicate with the Netgear.
P1 establishes but P2 does not. Anyone have any suggestions I can pass
along to him? The FVS318 connects fine to another FVS318 but not to his
Cisco. Any help will be greatly appreciated. Thank you!

Jeremy Sutton
President
Tech Gooroos Technology Consulting, Inc.
p: 919-373-4414
c: 919-413-2463
f: 919-510-6254


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20090505/09cff1c0/attachment.html>

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 37, Issue 5
***********************************************
