Sunday, November 15, 2009

firewall-wizards Digest, Vol 43, Issue 4

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. port scanning activity going up recently? (Ken Fox)
2. Message Labs (Brian Loe)
3. Re: OT, sorta: Breaking pipes? (Kurt Buff)
4. Re: secure firewall rule management program (Lan Li)
5. Re: Network design change (pkc_mls)
6. Re: Network design change (sai)


----------------------------------------------------------------------

Message: 1
Date: Fri, 13 Nov 2009 12:16:21 -0500
From: "Ken Fox" <kenfox@starlinx.com>
Subject: [fw-wiz] port scanning activity going up recently?
To: <firewall-wizards@listserv.icsalabs.com>
Message-ID: <MAEDICLIAEDPMBCLHKGJKEJLCNAA.kenfox@starlinx.com>
Content-Type: text/plain; charset=iso-8859-1

Hi all -

Has anyone else noticed a recent spike in port scan activity over the last
few days?

I've been seeing some interesting traffic where multiple source addresses
are probing a number of the same high order destination ports from a small
set of source ports with a number of different but specific packet sizes.

e.g.: source port 3268 -> dest port 50572 packet size 48, 60, 64, and 52
e.g.: source port 3268 -> dest port 50592 packet size 48, 60, 64, and 52

Is there some botnet out there that I haven't heard about?

thanks -- ken
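A detector for the pattern Ken describes, added here as an example and not part of the original post: it groups firewall log lines by source port and reports groups with several distinct source addresses, high destination ports only, and packet sizes drawn from the set he lists. The log lines are constructed in an iptables LOG-like format with documentation-range addresses; the field names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in an iptables LOG-like format (not from the post).
# Three sources probe two high ports from source port 3268 with the reported
# packet sizes; the last two lines are an ordinary single-source scan.
SAMPLE_LOG = """\
Nov 13 11:58:02 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 LEN=48 PROTO=TCP SPT=3268 DPT=50572
Nov 13 11:58:04 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=3268 DPT=50572
Nov 13 11:58:09 fw kernel: DROP IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 LEN=64 PROTO=TCP SPT=3268 DPT=50572
Nov 13 11:58:15 fw kernel: DROP IN=eth0 SRC=192.0.2.91 DST=203.0.113.10 LEN=52 PROTO=TCP SPT=3268 DPT=50592
Nov 13 11:58:20 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 LEN=48 PROTO=TCP SPT=3268 DPT=50592
Nov 13 11:58:31 fw kernel: DROP IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=3268 DPT=50592
Nov 13 11:59:01 fw kernel: DROP IN=eth0 SRC=203.0.113.99 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=44123 DPT=22
Nov 13 11:59:03 fw kernel: DROP IN=eth0 SRC=203.0.113.99 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=44124 DPT=23
"""

LINE_RE = re.compile(r"SRC=(\S+) .*?LEN=(\d+) .*?PROTO=TCP SPT=(\d+) DPT=(\d+)")
SIGNATURE_SIZES = {48, 52, 60, 64}  # the packet sizes reported in the post


def parse_flows(log_text):
    """Yield (src, sport, dport, length) for every TCP line the regex matches."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, length, sport, dport = m.groups()
            yield src, int(sport), int(dport), int(length)


def find_campaigns(log_text, min_sources=2, min_dport=1024, sizes=SIGNATURE_SIZES):
    """Group flows by source port and return the groups that fit the pattern:
    several distinct sources, only high destination ports, and packet sizes
    drawn entirely from the signature set. Result is keyed by source port."""
    groups = defaultdict(lambda: {"sources": set(), "dports": set(), "sizes": set()})
    for src, sport, dport, length in parse_flows(log_text):
        g = groups[sport]
        g["sources"].add(src)
        g["dports"].add(dport)
        g["sizes"].add(length)
    hits = {}
    for sport, g in groups.items():
        if (len(g["sources"]) >= min_sources
                and all(p > min_dport for p in g["dports"])
                and g["sizes"] <= sizes):      # subset of the signature sizes
            hits[sport] = {k: sorted(v) for k, v in g.items()}
    return hits
```

The single-source sequential scan at the end of the sample is deliberately not reported, since the point of the grouping is the many-sources, fixed-source-port shape rather than scanning as such.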


------------------------------

Message: 2
Date: Tue, 10 Nov 2009 15:06:06 -0600
From: Brian Loe <knobdy@gmail.com>
Subject: [fw-wiz] Message Labs
To: firewall-wizards@listserv.cybertrust.com
Message-ID:
<3c4611bc0911101306j74e73b56m86a4fa147e34abf9@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Anyone here using message labs? Have you received notice that you MUST
open up your firewall for 8 or so networks?


------------------------------

Message: 3
Date: Tue, 10 Nov 2009 12:27:05 -0800
From: Kurt Buff <kurt.buff@gmail.com>
Subject: Re: [fw-wiz] OT, sorta: Breaking pipes?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<a9f4a3860911101227h28d80650v9001480d8c0bd86@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

On Sat, Nov 7, 2009 at 07:34, Chris Myers <clmmacunix@charter.net> wrote:
> Do you use Perl at all with CGI scripts? If so, this is just an example of
> what might be done with anything written with custom scripts. In this case,
> it is a specific vendor, but it could happen to anyone who does not code
> diligently.
>
> http://www.kb.cert.org/vuls/id/496064

We don't use perl/cgi here, but the example is instructive.

This issue at hand is for web browsing by clients - the newish manager
believes that it's just too annoying to add exceptions for the
misbehaving web sites. Of course, it's not just the pipe character.
It's also the other unsafe/unwise characters, and the URLs that are
longer than 1024 characters, etc.

At some point we may be hosting a web site locally, but that hasn't happened.

This is really an education issue, so anything that I can add to the
ammunition pile is helpful.

Kurt


------------------------------

Message: 4
Date: Tue, 10 Nov 2009 15:46:35 -0600
From: "Lan Li" <lanli@athenasecurity.net>
Subject: Re: [fw-wiz] secure firewall rule management program
To: <firewall-wizards@listserv.icsalabs.com>
Message-ID: <5E09DF937A5A4FEFB87D152E5940E581@LLL>
Content-Type: text/plain; charset="us-ascii"

Athena Security also provides a cleanup tool/basic ops tool. Works with
Cisco, Check Point and Netscreen firewalls. Available for eval download at
http://www.athenasecurity.net/firepac_trial.html

Lan Li

-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of Marcin Antkiewicz
Sent: Thursday, November 05, 2009 10:52 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] secure firewall rule management program

> Thanks! We're looking both at Tufin (mentioned by Rainer Ginsberg)
> and at Algosec (mentioned by one of our managers and by Rainer). The
> current versions of both products fail to meet several of our
> dealbreaking requirements. Both products are relatively new. We're
> hopeful that a future version of one or both products will be what we
> want.

Hi Morty,

we are looking at the same, but we are looking for a cleanup/basic ops
support tool right now.

Would you mind sharing the dealbreaking requirements? I am wondering now
what, if anything, we have missed.

--
Marcin Antkiewicz

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


------------------------------

Message: 5
Date: Thu, 12 Nov 2009 12:38:39 +0100
From: pkc_mls <pkc_mls@yahoo.fr>
Subject: Re: [fw-wiz] Network design change
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4AFBF3BF.4080002@yahoo.fr>
Content-Type: text/plain; charset=ISO-8859-1

shadow floating wrote:
> Hi All,
> My company has two sites in 2 different locations that are
> connected via high speed link at the core layer ( I've attached a
> link to the diagram :
> http://img18.imageshack.us/img18/77/questionhk.jpg for ease of
> explanation)
> in each site I've 1 DMZ , the network team wants to connect the DMZ
> switches in both sites for better performance and "security" - the
> link under investigation is shown in red in the picture - via high
> speed link without passing at all by the core network layer, as they
> say that will aid more in the replication between server A and backup
> server A in the DMZs and also this will help if any of the 2 firewalls
> had failure to access both DMZs from any firewall.
> Is that better from security point of view?
If it's possible, I'd rather use a link between both firewalls
to connect the DMZs.

If you connect the DMZ switches directly, and someone can get access
to your DMZ, he will get access to the other one as well, as there won't
be any filtering between the DMZs.

Do the DMZs share the same network addresses?

If not, just use an unused interface on each fw, connect both via a
link, then create some routes to allow traffic between the DMZs.

Performance can also be an issue, so it depends on the replication
traffic basically.

If you can replicate when there is less traffic, the existing firewall
can be enough. If you can't, it's perhaps time to upgrade the firewalls.

>
> appreciating your great help and advice
> thanks a lot
>
> Regards,
> Nad
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>

------------------------------

Message: 6
Date: Sat, 14 Nov 2009 17:00:41 +0500
From: sai <sonicsai@gmail.com>
Subject: Re: [fw-wiz] Network design change
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<205fa3940911140400w704d8f10rc564182a030180bf@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Not good from a security point of view.

I would prefer to connect the routers at the internet cloud level, not the
DMZ level. I'd have the 2 core switches connected as you have.

2 reasons:
[1] gives me redundant internet connectivity in case one of the ISPs goes
down (assuming multiple ISPs and routing that can handle one link going
down)
[2] the DMZs should be separate. The more segments you have, the better.
Connecting the 2 at switch level gives you just one DMZ. My way, the
replication connection has to go through firewalls (which might be a problem
if you have low end firewalls) but so does the attacker (and remember that
the DMZ is there because the attacker is going to get there some day).

sai


On Tue, Nov 10, 2009 at 8:58 PM, shadow floating
<nadengine@googlemail.com> wrote:

> Hi All,
> My company has two sites in 2 different locations that are
> connected via high speed link at the core layer ( I've attached a
> link to the diagram :
> http://img18.imageshack.us/img18/77/questionhk.jpg for ease of
> explanation)
> in each site I've 1 DMZ , the network team wants to connect the DMZ
> switches in both sites for better performance and "security" - the
> link under investigation is shown in red in the picture - via high
> speed link without passing at all by the core network layer, as they
> say that will aid more in the replication between server A and backup
> server A in the DMZs and also this will help if any of the 2 firewalls
> had failure to access both DMZs from any firewall.
> Is that better from security point of view?
>
> appreciating your great help and advice
> thanks a lot
>
> Regards,
> Nad
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
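An added example, not from the thread, that puts the argument of the two replies above (pkc_mls's firewall-to-firewall link and sai's "the more segments the better") into a checkable form: a small first-match ACL evaluator compares the direct switch link, which filters nothing, with a link between spare firewall interfaces carrying an ACL that permits only the replication flow. The addresses, host roles and replication port (rsync, 873) are assumptions; the two sites' firewalls are modelled as one combined rule list.

```python
import ipaddress

# Constructed addressing for the two DMZs (not from the thread).
DMZ_A = ["10.10.0.10", "10.10.0.20"]   # 10.10.0.10 = server A
DMZ_B = ["10.20.0.10", "10.20.0.20"]   # 10.20.0.10 = backup server A
REPL_PORT = 873                          # assumed replication port (rsync)

# Rules are (src, dst, dport or None for any, action); first match wins,
# implicit deny at the end of the list.
# Design 1: DMZ switches linked directly. Nothing filters, so it is a permit-any.
SWITCH_LINK = [("0.0.0.0/0", "0.0.0.0/0", None, "permit")]
# Design 2: DMZs linked through a spare interface on each firewall, with an
# ACL that permits only the replication flow (and its reverse for restores).
FIREWALL_LINK = [
    ("10.10.0.10/32", "10.20.0.10/32", REPL_PORT, "permit"),
    ("10.20.0.10/32", "10.10.0.10/32", REPL_PORT, "permit"),
    ("0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]


def allowed(rules, src, dst, dport):
    """First-match evaluation of one flow against a rule list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rsrc, rdst, rport, action in rules:
        if (s in ipaddress.ip_network(rsrc) and d in ipaddress.ip_network(rdst)
                and rport in (None, dport)):
            return action == "permit"
    return False


def exposure(rules, compromised, targets=DMZ_B, ports=(22, 445, REPL_PORT, 3389)):
    """(host, port) pairs in the other DMZ reachable from a compromised host."""
    return {(t, p) for t in targets for p in ports if allowed(rules, compromised, t, p)}


def check_segmentation(rules, dmz=DMZ_A,
                       replication=(("10.10.0.10", "10.20.0.10", REPL_PORT),)):
    """True only if, whichever DMZ A host is compromised, nothing but the
    declared replication pair can cross the inter-DMZ link."""
    permitted = set(replication)
    for host in dmz:
        for t, p in exposure(rules, host):
            if (host, t, p) not in permitted:
                return False
    return True
```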

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 43, Issue 4
***********************************************
