firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. OT, sorta: Breaking pipes? (Kurt Buff)
2. Re: secure firewall rule management program (Matthias Leu)
3. Re: secure firewall rule management program (Morty Abzug)
----------------------------------------------------------------------
Message: 1
Date: Tue, 27 Oct 2009 11:48:52 -0700
From: Kurt Buff <kurt.buff@gmail.com>
Subject: [fw-wiz] OT, sorta: Breaking pipes?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<a9f4a3860910271148h79d1b49dlf551fbb71fab3651@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
All,
At $WORK I admin a nice Sidewinder. Works well. I like it, though I'm
not as fully trained on it as I'd like to be.
However, I'm seeing more complaints from end-users who are
encountering web sites that issue URLs with the pipe/vertical bar -
"|" - character embedded in them. The Sidewinder proxy denies it, as
is proper. The latest occurrence is a really stupid State government
web site that actually puts the pipe character at the end of the URL!
For those sites that we have a business case for end-user access, I
make an exception.
IT manager now considers this an annoyance, and wants justification
for not allowing URLs with the character through the proxy. I tell
him it violates the RFCs that I'm aware of (1738 and 2396 - 3986
doesn't really deal with it, AFAICT) and he wants me to
quantify/qualify the risk, and wants me to consider allowing that
character universally. I told him (as I believe to be correct) that
you can't do that without turning off the proxy entirely, which would
be foolish in the extreme.
Aside from what we (the manager and I) already know (that the pipe is
used in scripting/shells/etc. to redirect output from one program to
another) are there any other risks of which I'm not aware, or any
specific attacks that I can point to that have or do use this
character? I would think that our current understanding on this would
be sufficient justification for keeping things the way they are, but
apparently not.
This is really silly, and frustrating for me, though I suppose many of
you have fought the same (kinds of) battle, but any insight would
help.
Thanks,
Kurt
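
An added example, not part of the original post and not the Sidewinder proxy's own logic: a Python check that flags characters RFC 3986 does not allow unencoded in a URL, tallies them across a list of requested URLs, and shows the percent-encoded form. The function names and sample URLs are constructed for illustration.

```python
import re
from collections import Counter

# RFC 3986 section 2: the only characters that may appear literally in a URI.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
RESERVED = set(":/?#[]@!$&'()*+,;=")
# RFC 2396 section 2.4.3 lists these as "unwise"; the pipe is one of them.
UNWISE_2396 = set("{}|\\^[]`")
PCT_TRIPLET = re.compile(r"%[0-9A-Fa-f]{2}")

def nonconformant_chars(url):
    """Return [(offset, char)] for characters RFC 3986 does not allow unencoded.
    Simplification: '[' and ']' are accepted anywhere, not only in IP literals."""
    bad, i = [], 0
    while i < len(url):
        ch = url[i]
        if ch == "%" and PCT_TRIPLET.match(url, i):
            i += 3            # well-formed %XX escape, e.g. %7C for the pipe
            continue
        if ch == "%" or (ch not in UNRESERVED and ch not in RESERVED):
            bad.append((i, ch))
        i += 1
    return bad

def percent_encode_bad(url):
    """Rewrite only the offending characters as %XX, leaving the rest untouched."""
    bad = {i for i, _ in nonconformant_chars(url)}
    return "".join(
        "".join("%%%02X" % b for b in ch.encode("utf-8")) if i in bad else ch
        for i, ch in enumerate(url))

def audit(urls):
    """Tally offending characters and collect the URLs that contain any."""
    tally, flagged = Counter(), []
    for url in urls:
        chars = [c for _, c in nonconformant_chars(url)]
        if chars:
            tally.update(chars)
            flagged.append(url)
    return tally, flagged

# Constructed sample requests (not from the original post).
SAMPLE_URLS = [
    "http://www.example.gov/forms/index.aspx?id=12|",
    "http://www.example.com/search?q=a%7Cb",
    "http://www.example.com/report?cols=name|date|total",
    "http://www.example.com/docs/read me.html",
]
```

Run over the URLs from the proxy's denial log, `audit()` gives a count per offending character and the list of affected requests, which is one way to put numbers behind the exception requests.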
------------------------------
Message: 2
Date: Wed, 28 Oct 2009 11:52:01 +0100
From: Matthias Leu <mleu@aerasec.de>
Subject: Re: [fw-wiz] secure firewall rule management program
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <4AE82251.90701@aerasec.de>
Content-Type: text/plain; charset=ISO-8859-15
Hi Morty,
have you had a look at Tufin SecureTrack and SecureChange Workflow?
It's not free, but quite good and I think your requirements are fulfilled.
It runs on Linux and is written by security professionals.
SecureTrack is connected to Check Point SmartCenter or MDS/CMA via
OPSEC, other vendors are supported too (e.g. Juniper, Cisco,
Fortinet,...).
Each 'save' gives a new revision, no 'install' necessary. So reports,
and above all, alerts are generated before installing the new version on
the firewalls.
Expired rules can be found, rule usage is based on logging - also the
use of objects within rules is documented, so not only unused rules but
also unused objects can be found. I found out that esp. finding these
objects is important and not so easy without a tool.
Based on logging an automatic policy generation is possible, offering
many parameters for the suggested rulebase. Further on, many different
types of reports and audits (also PCI-DSS) can be configured and run.
Users can be defined as admin or as simple user with different roles and
therefore rights.
Tufin SecureChange Workflow offers a very open and individually
configurable system. Many different workflows can be defined. These
workflows need to be followed. Many different roles can be defined, e.g.
admin, end user (requestor), approver, implementer, dispatcher etc. You
are very free in defining users and workflows.
The request can be checked against compliance alerts and rules for
business continuity from Tufin SecureTrack. So when a user requests a
'forbidden connection', an alert is generated. For sure, existing rules
as well as objects can be considered.
We have worked with this software for quite some time now, it's good. Have a
look at www.tufin.com
Best regards,
Matthias
--
AERAsec Network Services and Security GmbH HRB: 133265 München
Wagenberger Strasse 1 UStID: DE-209125001
D-85662 Hohenbrunn, Germany
Tel. +49 8102 895 190 Fax. +49 8102 895 199
Sitz der Ges.: D-85662 Hohenbrunn, Geschäftsführer: Dr. Matthias Leu
http://www.aerasec.de http://www.fw-1.eu
PGP Public Key: http://www.aerasec.de/wir/publickeys/MatthiasLeu.asc
------------------------------
Message: 3
Date: Fri, 30 Oct 2009 07:04:53 -0400
From: Morty Abzug <morty+fw-wiz@frakir.org>
Subject: Re: [fw-wiz] secure firewall rule management program
To: Matthias Leu <mleu@aerasec.de>
Cc: firewall-wizards@listserv.icsalabs.com
Message-ID: <20091030110453.GH28579@red-sonja>
Content-Type: text/plain; charset=us-ascii
On Wed, Oct 28, 2009 at 11:52:01AM +0100, Matthias Leu wrote:
> have you had a look at Tufin SecureTrack and SecureChange Workflow?
Thanks! We're looking both at Tufin (mentioned by Rainer Ginsberg)
and at Algosec (mentioned by one of our managers and by Rainer). The
current versions of both products fail to meet several of our
dealbreaking requirements. Both products are relatively new. We're
hopeful that a future version of one or both products will be what we
want.
- Morty
------------------------------
End of firewall-wizards Digest, Vol 43, Issue 1
***********************************************
If you are considering Algosec or Tufin, you should be taking a hard look at FireMon by Secure Passage. Altogether, a more robust product, and support is top notch.