Thursday, April 28, 2011

firewall-wizards Digest, Vol 57, Issue 11

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Proxies, opensource and the general market: what's wrong
with us? (david@lang.hm)
2. Re: How to keep firewall rules clean and up-to-date (K K)
3. Re: Proxies, opensource and the general market: what's wrong
with us? (Magosányi Árpád)


----------------------------------------------------------------------

Message: 1
Date: Wed, 27 Apr 2011 17:20:17 -0700 (PDT)
From: david@lang.hm
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <alpine.DEB.2.00.1104271707540.940@asgard.lang.hm>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Thu, 28 Apr 2011, ArkanoiD wrote:

> On Wed, Apr 27, 2011 at 01:52:48PM -0700, David Lang wrote:
>>
>> I think there is some room for a HTTP or XML firewall checker to be
>> implemented and satisfy a lot of needs (technical needs that is, when
>> management makes a decision that "all firewalls are going to be Cisco"
>> or even "all firewalls must be commercial appliances" that trumps all
>> technical issues), but right now I am not aware of any free tools in
>> these spaces, completely ignoring the 'learning modes' of many of the
>> commercial offerings.
>
> At the moment I am trying to offload non protocol-related http checks to external
> ICAP filters.. For XML, I have some raw prototype, but I do not like the fact it
> is based on libxml2 and inherits all potential vulnerabilities (as it is a huge
> piece of code) and still there is a lack of automated tool that can be used to
> "formalize" "normal" xml flow to check for anomalies later. For several well-documented
> protocols it is not needed, but aiming at SOA it is probably a must :-(

I'm happy to hear of this work, is the prototype available somewhere?

>> openfwtk hasn't hit this yet for me as the key thing that I use FWTK
>> for is the authenticated proxies and the last I checked it doesn't have
>> an authsrv equivalent (or the ability for its proxies to tie in to an
>> authentication source).
>
> You must be missing something, authsrv is the part that required several fixes, so it
> is there for sure, a few years at least and it is really improved much. Multiple groups per user are allowed, authentication
> sources may be checked against netperm-table (you may write rules that restrict authentication
> to a given proxy, or a given host), unix local socket is supported as transport to avoid writing
> complicated "loopback prevention" rules, etc etc.

yep, I did miss it. I'll have to take another look at it. does it use the
same over-the-wire protocol as the fwtk authsrv (so that I can use the
existing proxies?)

> I am thinking about adding radius and/or pam backends support, but still
> had no time to implement that.

there's an authsrv pam module floating around already for fwtk, and I
commissioned a tool as part of openradius that allows it to talk to authsrv
to do authentication (I've got a config to enable SNK tokens and plain
passwords, I don't know how it would work with other authentication
types), unfortunately it looks as if openradius is dead as there has not
been a release in a long time (not even with the functionality that I
commissioned)

this is very definitely not the 'single API, similar code' situation that
you are saying that you want, but I'm not sure how much of a requirement
that is.

>> openfwtk also isn't the complete solution that
>> ArkanoiD painted it to be, for many things it just says 'use tool X',
>> which is a good thing to avoid re-inventing the wheel, but it doesn't
>> result in the firewall API that he is looking for.
>
> Unfortunately it still is not :-( Lack of resources, that is.
> Reimplementing full IMSpector, GreenSQL and privoxy functionality is not
> non-trivial, it is just time consuming. Until that you need extra tools.
>
> There is nothing wrong in the fact you need other tools that are outside
> OpenFWTK scope, though, like Prelude, log analyzers, etc.

I have no problem saying that things like log analysers are out of scope,
but (at least when initially released) the documentation was saying that
things like ssh and http were out of scope (and with telnet and FTP being
so insecure, I was remembering that you didn't implement them, leaving
little that would use authentication, which is probably why I was thinking
that authsrv wasn't implemented)

I actually don't have an objection to the firewall being a collection of
different tools gathered together (that's just good code re-use in the
best opensource tradition), it may require some tweaks to code, or some
scripts to create the appropriate config files for some of the tools, but
that is far better than having to completely re-write the tools.

David Lang
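
The "learning mode" XML check that ArkanoiD and David discuss above (profile the normal flow, then flag anomalies) as an added example; this is not code from OpenFWTK, from ArkanoiD's prototype, or from any commercial product. It assumes the training messages are clean and that element paths, attribute names, field sizes and child counts are a useful profile of "normal" traffic. The class and function names are mine and the SOAP-style messages are constructed for the example. It uses Python's xml.etree (expat rather than libxml2), which the Python documentation itself says is not hardened against malicious input such as entity expansion, so ArkanoiD's parser-size concern applies here too; a real filter would sit behind a hardened parser such as defusedxml.

```python
"""Learning-mode anomaly check for XML traffic (added example, see lead-in)."""
from collections import defaultdict
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip an '{namespace}' prefix so the profile survives prefix changes."""
    return tag.rsplit("}", 1)[-1]


def _walk(root):
    """Yield (path, element) for every element in the tree, depth-first."""
    stack = [("/" + _local(root.tag), root)]
    while stack:
        path, el = stack.pop()
        yield path, el
        for child in el:
            stack.append((path + "/" + _local(child.tag), child))


class XmlProfile:
    """What 'normal' looked like: per element path, the attributes seen,
    the longest text value and the largest number of children."""

    def __init__(self):
        self.paths = set()
        self.attrs = defaultdict(set)
        self.max_text = defaultdict(int)
        self.max_children = defaultdict(int)

    def learn(self, doc):
        """Fold one known-good message into the profile."""
        for path, el in _walk(ET.fromstring(doc)):
            self.paths.add(path)
            self.attrs[path].update(el.attrib)
            text_len = len((el.text or "").strip())
            self.max_text[path] = max(self.max_text[path], text_len)
            self.max_children[path] = max(self.max_children[path], len(el))

    def check(self, doc, slack=2):
        """Return a list of anomalies; an empty list means the message fits.
        'slack' allows values up to slack times the largest seen in training."""
        try:
            root = ET.fromstring(doc)
        except ET.ParseError as exc:
            return ["malformed: %s" % exc]
        findings = []
        for path, el in _walk(root):
            if path not in self.paths:
                findings.append("unknown element " + path)
                continue
            for name in el.attrib:
                if name not in self.attrs[path]:
                    findings.append("unknown attribute %s on %s" % (name, path))
            text = (el.text or "").strip()
            if len(text) > self.max_text[path] * slack:
                findings.append("oversized text in %s: %d chars" % (path, len(text)))
            if len(el) > self.max_children[path] * slack:
                findings.append("too many children under " + path)
        return findings


def learn_profile(docs):
    profile = XmlProfile()
    for doc in docs:
        profile.learn(doc)
    return profile


# Constructed sample traffic (not captured from any real service).
TRAINING_MESSAGES = [
    '<Envelope><Body><GetBalance><Account id="1001"/></GetBalance></Body></Envelope>',
    '<Envelope><Body><GetBalance><Account id="2002"/></GetBalance></Body></Envelope>',
    '<Envelope><Body><Transfer><From>1001</From><To>2002</To>'
    '<Amount>50.00</Amount></Transfer></Body></Envelope>',
]
NORMAL_MESSAGE = ('<Envelope><Body><Transfer><From>2002</From><To>1001</To>'
                  '<Amount>12.50</Amount></Transfer></Body></Envelope>')
UNKNOWN_ELEMENT = ('<Envelope><Body><Transfer><From>1001</From><To>2002</To>'
                   '<Amount>50.00</Amount><Memo>hi</Memo></Transfer></Body></Envelope>')
UNKNOWN_ATTRIBUTE = ('<Envelope><Body><GetBalance><Account id="1001" role="admin"/>'
                     '</GetBalance></Body></Envelope>')
OVERSIZED_FIELD = ('<Envelope><Body><Transfer><From>%s</From><To>2002</To>'
                   '<Amount>50.00</Amount></Transfer></Body></Envelope>' % ("9" * 40))

if __name__ == "__main__":
    profile = learn_profile(TRAINING_MESSAGES)
    for label, msg in [("normal", NORMAL_MESSAGE), ("element", UNKNOWN_ELEMENT),
                       ("attribute", UNKNOWN_ATTRIBUTE), ("oversized", OVERSIZED_FIELD),
                       ("malformed", "<Envelope><Body>")]:
        print(label, profile.check(msg))
```

Everything not seen in training is rejected, which is the proxy-firewall posture the thread argues for; the price is that the training set must be complete, or the first legitimate new operation after deployment shows up as an "unknown element". Attribute values and text content are only size-checked here; a per-field pattern (numeric account ids, decimal amounts) would be the next thing to learn.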


------------------------------

Message: 2
Date: Wed, 27 Apr 2011 20:16:59 -0400
From: K K <kkadow@gmail.com>
Subject: Re: [fw-wiz] How to keep firewall rules clean and up-to-date
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <BANLkTimD0Vqg_kcO0nPFRf1nApVQGocu_w@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Recently I've been using Tufin and AlgoSec to audit firewall policies.

Both tools automate much of the grunt work in discovering what rules
are no longer being used, as well as identifying rules that are
redundant for one reason or another. I still end up manually going
through each IP address seen in a policy/object and validating whether
the server/service still exists.

Documenting each new policy entry, as they are created, is priceless.

Kevin
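
The grunt work Kevin describes (which rules no longer fire, which are redundant or shadowed by an earlier rule) can be done against a policy export without a commercial tool. The following is an added example, not code from Tufin, AlgoSec or any firewall vendor. It assumes a first-match policy, IPv4 CIDRs, and a per-rule hit counter exported from the enforcement point; the rule format, the function names and the policy itself are constructed for the example.

```python
"""Static audit of a first-match firewall policy (added example, see lead-in)."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "allow" or "deny"
    proto: str         # "tcp", "udp" or "any"
    src: str           # IPv4 CIDR
    dst: str           # IPv4 CIDR
    dport: tuple       # (low, high), inclusive; (0, 65535) means any port
    hits: int          # matches counted over the observation window


def parse_rule(line):
    """Parse 'name action proto src dst port hits'; port is N, N-M or any."""
    name, action, proto, src, dst, port, hits = line.split()
    if port == "any":
        dport = (0, 65535)
    elif "-" in port:
        low, high = port.split("-")
        dport = (int(low), int(high))
    else:
        dport = (int(port), int(port))
    return Rule(name, action, proto, src, dst, dport, int(hits))


def load_policy(text):
    """Parse a policy export, skipping blank lines and '#' comments."""
    return [parse_rule(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def covers(a, b):
    """True if every packet that matches rule b also matches rule a."""
    if a.proto not in ("any", b.proto):
        return False
    if not ip_network(b.src).subnet_of(ip_network(a.src)):
        return False
    if not ip_network(b.dst).subnet_of(ip_network(a.dst)):
        return False
    return a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1]


def audit(rules):
    """Classify rules: shadowed (an earlier rule with a different action
    covers it), redundant (an earlier rule with the same action covers it),
    unused (zero hits in the observation window)."""
    findings = {"shadowed": [], "redundant": [], "unused": []}
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings[kind].append((rule.name, earlier.name))
                break  # the first covering rule is the one that actually fires
        if rule.hits == 0:
            findings["unused"].append(rule.name)
    return findings


# Constructed policy export (not from a real device).
POLICY = """
# name             action proto src             dst         port hits
allow-web          allow  tcp   0.0.0.0/0       10.1.0.0/24 443  120000
allow-ssh-admin    allow  tcp   10.9.0.0/24     10.1.0.0/24 22   540
deny-ssh           deny   tcp   0.0.0.0/0       10.1.0.0/24 22   31
allow-ssh-vendor   allow  tcp   203.0.113.0/24  10.1.0.0/24 22   0
allow-web-dup      allow  tcp   192.0.2.0/24    10.1.0.0/24 443  0
allow-ftp-old      allow  tcp   10.9.0.0/24     10.1.0.0/24 21   0
"""

if __name__ == "__main__":
    for kind, items in audit(load_policy(POLICY)).items():
        print(kind, items)
```

Two caveats the thread's manual pass still has to cover: a zero counter only proves the rule was unused during the observation window (a rule for a quarterly batch job looks dead for months), and this check only asks whether a single earlier rule covers a later one, not whether several earlier rules together do. The "allow-ftp-old" case, a rule that nothing shadows but that never fires, is the one where you still have to go and confirm the server and service are gone.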


------------------------------

Message: 3
Date: Thu, 28 Apr 2011 08:05:20 +0200
From: Magosányi Árpád <mag@magwas.rulez.org>
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4DB903A0.7020103@magwas.rulez.org>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 2011-04-26 09:25, Tracy Reed wrote:
> Yes. Here we have a problem somewhat like the classical meaning of
> "hacker" vs
> the common meaning of "hacker". And this firewall vs packet filter debate may
> not even have that much legitimacy. I can find a number of people who still
> subscribe to the classical idea of a hacker but a few of the denizens of this
> mailing list are the only ones I know of who insist on issuing a correction
> when someone calls a packet filter a firewall. It just seems like pointless
> snobbery.
>
But it is not. Network perimeter defence is an industry seriously hit by
marketing bullshit from some vendors, who could not come out with a
decent firewall, so redefined the term to be applicable to their products.
Doing this they came out with a definition which goes against basic
security principles and empties the meaning of the word to the extent
that it makes it nearly pointless to have "firewalls".
This led to a state of affairs where there is practically no discussion
about a lot of important questions of network perimeter defense, because
the majority of the "firewall" people are kept in the dark about the
issue to the extent that they do not have the background even to ask the
right questions.
This means that even though those same vendors now would be in the
position to implement actually meaningful features, they do not do it
because they have conditioned their consumers to not think about such
things.

When you see someone trying to correct this "firewall = packet filter"
nonsense, you actually see a vain attempt to correct these mistakes.
Because the first step to meaningfully discussing something is to have
meaningful definitions.

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 57, Issue 11
************************************************
