Search This Blog

Saturday, August 25, 2007

firewall-wizards Digest, Vol 16, Issue 12

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: IPv6 support in firewalls (Steven M. Bellovin)
2. Re: Cisco PIX 501 Help (Fetch, Brandon)


----------------------------------------------------------------------

Message: 1
Date: Fri, 24 Aug 2007 11:57:09 -0400
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Cc: mjr@ranum.com
Message-ID: <20070824155709.8DB5B7660E3@berkshire.machshav.com>
Content-Type: text/plain; charset=US-ASCII

On Thu, 23 Aug 2007 20:27:45 -0400
"Marcus J. Ranum" <mjr@ranum.com> wrote:

> Steven M. Bellovin wrote:
> >You can always send broadcast pings on
> >each LAN
>
> Does that work in V6? Sounds like a good DDoS amplifier - any place
> where "one packet goes out, zillions come back" is a really useful
> bit of asymmetry.
>
I said "broadcast ping", not "directed broadcast ping". The latter
would be dangerous indeed...


--Steve Bellovin, http://www.cs.columbia.edu/~smb


------------------------------

Message: 2
Date: Fri, 24 Aug 2007 17:22:03 -0400
From: "Fetch, Brandon" <bfetch@tpg.com>
Subject: Re: [fw-wiz] Cisco PIX 501 Help
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<AA8E89377DCB1C498CF19E343CA49D8E23F160@NYEXCHSVR01.texpac.com>
Content-Type: text/plain; charset="us-ascii"

Any 6.x version of code will not allow a connection attempt from a
lower-security interface (outside in this case) directly to a
higher-security interface (inside).

7.0 you can configure a firewall in such a way.
However, the 501 cannot/will not run the 7.0 codebase (memory capacity
issue).

What you would be forced to do is static into a SSH "proxy" on the
inside and then connect back to the firewall or enable some other form
of "OS console" and then instantiate your SSH session to the firewall.

Not many options for remote management of OS6.x boxes but you can do it.

HTH,
Brandon

-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of
UxBoD
Sent: Monday, August 06, 2007 3:56 PM
To: firewall-wizards@listserv.icsalabs.com
Subject: [fw-wiz] Cisco PIX 501 Help

Hi,

Have just been given a couple of 501's to setup at work. Basic
configuration has been performed, and that is working fine. The question
I have is whether there is anyway to setup 100+ statics, one to one,
port mappings using object groups ? My IP setup is as follows :-

outside -> inside -> host
10.7.152.2 -> 10.6.0.200 -> 10.6.0.202

I have a application that uses 30 ports, plus X11, plus remove support
via PCanywhere. I have created the ACLs using object groups, but I
don't really fancy setting up individual TCP/UDP static entries.

If I use something like :-

static (inside,outside) interface 10.6.0.202 netmask 255.255.255.255 0 0

Then the outside interface SSH server will not work as all traffic gets
mapped through too the inside interface :( Obviously we need to support
via the outside interface, so is there anyway around it ?

Could I put the SSH on the inside interface and then do something like
:-

static (inside,outside) interface 2222 10.6.0.202 22 netmask
255.255.255.255 0 0

so that we just have to connect too port 2222 instead and that will map
it through so we can administer the PIX ?

I see on our IOS that we can use access-list on the static mapping, is
this a potential use ?

Hope my explanation makes sense ?

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


This message is intended only for the person(s) to which it is addressed
and may contain privileged, confidential and/or insider information.
If you have received this communication in error, please notify us
immediately by replying to the message and deleting it from your computer.
Any disclosure, copying, distribution, or the taking of any action concerning
the contents of this message and any attachment(s) by anyone other
than the named recipient(s) is strictly prohibited.

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 16, Issue 12
************************************************

No comments: