
Wednesday, August 26, 2009

firewall-wizards Digest, Vol 40, Issue 9

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Slow FTP transfers (Victor Williams)
2. Re: Slow FTP transfers (Farrukh Haroon)
3. Re: checkpoint authentication on external interface
(Jacson Querubin)
4. Re: firewall-wizards Digest, Vol 40, Issue 6 (Dan Ritter)


----------------------------------------------------------------------

Message: 1
Date: Mon, 24 Aug 2009 21:11:16 -0500
From: Victor Williams <bwilliam13@windstream.net>
Subject: Re: [fw-wiz] Slow FTP transfers
To: aptgetd@gmail.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4A934844.70107@windstream.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On any ASA's I've dealt with I've seen this behavior when inspection of
FTP was going on. Try shutting it off completely and see what happens.
If it speeds up and works fine, you know where the problem lies.

sky wrote:
> Hi,
>
> I'm having an issue when ftp'ing (default port mode) a large file (50megs)
> to a remote server sitting behind FWSM. The transfer gets real slow and
> at times just times out.
>
> Now when I change ftp mode to passive the same file transfer works w/o
> any issues. Why?
>
> I have inspect ftp, and MTU is set to 1500. I've checked the duplex
> settings as well, which are good.
>
> Any thoughts will be great.
>
> regards
> sky
>
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>
>
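
The thread above turns on which side opens the FTP data connection in active (PORT) versus passive (PASV) mode, and therefore what a firewall in front of the server has to permit or derive from the control channel. The following is an added example, not code from the list or from Cisco: it decodes both the PORT command and the 227 PASV reply, reports the server-side pinhole each one implies, and flags the case an inspection engine rejects, an announced data address that differs from the control-connection peer. The session lines, addresses (RFC 5737 documentation ranges) and function names are all constructed for the example.

```python
"""Added example: FTP data-channel negotiation in active (PORT) and passive
(PASV) mode, and the connection a firewall protecting the server must allow
for each. Sample commands and addresses below are constructed."""
import re
from dataclasses import dataclass

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class DataChannel:
    mode: str         # "active" (client sent PORT) or "passive" (server sent 227)
    client_ip: str    # peer addresses of the control connection
    server_ip: str
    listen_ip: str    # side that listens for the data connection
    listen_port: int


def _decode(groups):
    """FTP encodes h1,h2,h3,h4,p1,p2: a dotted-quad address and a 16-bit port."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if not all(0 <= octet <= 255 for octet in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_port(line, client_ip, server_ip):
    """Client sends PORT: it listens, the server connects to it from port 20."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command")
    ip, port = _decode(m.groups())
    return DataChannel("active", client_ip, server_ip, ip, port)


def parse_pasv_reply(line, client_ip, server_ip):
    """Server replies 227: it listens on an ephemeral port, the client connects."""
    m = PASV_RE.match(line)
    if not m:
        raise ValueError("not a 227 PASV reply")
    ip, port = _decode(m.groups())
    return DataChannel("passive", client_ip, server_ip, ip, port)


def server_side_pinhole(ch):
    """(direction, source, destination) a firewall in front of the server must
    allow for this data channel. "ephemeral" stands for any high source port.
    Cisco 'inspect ftp' derives exactly this from the control channel and opens
    it dynamically; without inspection, the passive-mode inbound connection
    would need a static permit to the server's whole ephemeral range."""
    if ch.mode == "active":
        return ("outbound", (ch.server_ip, 20), (ch.listen_ip, ch.listen_port))
    return ("inbound", (ch.client_ip, "ephemeral"), (ch.listen_ip, ch.listen_port))


def address_mismatch(ch):
    """True when the announced data address is not the control-channel peer.
    Inspection engines drop such PORT/PASV values; it is also the situation NAT
    creates, which is why inspection must rewrite the embedded address."""
    expected = ch.client_ip if ch.mode == "active" else ch.server_ip
    return ch.listen_ip != expected


if __name__ == "__main__":
    # Constructed sample session: client 192.0.2.10, server 198.51.100.5.
    active = parse_port("PORT 192,0,2,10,4,1", "192.0.2.10", "198.51.100.5")
    passive = parse_pasv_reply("227 Entering Passive Mode (198,51,100,5,39,16)",
                               "192.0.2.10", "198.51.100.5")
    for ch in (active, passive):
        print(ch.mode, server_side_pinhole(ch), "mismatch:", address_mismatch(ch))
```

Run as a script it prints the pinhole for each mode; the point to take from it is that active mode needs only an outbound connection from the server, while passive mode needs an inbound one to a port the firewall cannot know in advance, so the two modes exercise different parts of the inspection engine and can fail or slow down independently.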


------------------------------

Message: 2
Date: Tue, 25 Aug 2009 10:50:17 +0300
From: Farrukh Haroon <farrukhharoon@gmail.com>
Subject: Re: [fw-wiz] Slow FTP transfers
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<eff3217d0908250050le4dab87q4c9785c2ed164746@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"

Your problem could be due to your firewall blocking the IDENT protocol

Have a look at this link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094317.shtml

It could also be related to PTR records for your DIP Pool (but highly
unlikely):

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094459.shtml

Regards

Farrukh

On Mon, Aug 24, 2009 at 7:26 PM, Francois Yang <francois.y@gmail.com> wrote:

> I've seen slow traffic due to the firewall trying to do many things
> like checking for viruses, packet anomalies, etc...
> Maybe there are some checks that work better or worse depending on whether
> the ftp session is passive or not.
>
> Frank
>
>
> On Fri, Aug 21, 2009 at 7:43 AM, Behm, Jeff<jbehm@burnsmcd.com> wrote:
> > On Thursday, August 20, 2009 12:19 PM, sky said:
> >
> >>I'm having an issue when ftp'ing (default port mode) large file
> >>(50megs) to a remote server sitting behind FWSM. The transfer
> >>gets real slow and at times just timeouts.
> >
> >>Any thoughts will be great.
> >
> > Any sort of packet shaper/QoS device between the endpoints?
> >
>
>
>
> --
> If you spend more on coffee than on IT security, you will be hacked.
> What's more, you deserve to be hacked. - White House Cybersecurity
> Advisor, Richard Clarke
>

------------------------------

Message: 3
Date: Tue, 25 Aug 2009 08:28:34 -0300
From: Jacson Querubin <spacial@gmail.com>
Subject: Re: [fw-wiz] checkpoint authentication on external interface
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<98c772660908250428o3e4154c0mbd971787e0ff5d09@mail.gmail.com>
Content-Type: text/plain; charset=windows-1252

Frank,

The Checkpoint FW1 gateways don't accept applying the rule base from the
external interface.

You can always run fw monitor to see whether it is dropping or accepting the packets.

cheers

Jacson

On Mon, Aug 24, 2009 at 13:21, Francois Yang<francois.y@gmail.com> wrote:
> I have looked at the implied rules and I do have an explicit rule to
> deny all and I don't see anything that would allow this connection.
> I even created a rule to block this and put it at the top and still
> don't see any changes.
>
> To answer the other emails, yes, I'm sure I could put an ACL in the
> front router to block access, but I was hoping to find a better
> solution.
>
> Frank
>
>>>
>>>
>>
>> Hi Frank,
>> Even if the daemon is listening on the port, you still have to go through
>> the rulebase to be able to connect.
>> You should verify if the ports are allowed either in implied or explicit
>> rules. (try to enable the logs on the implied rules
>> for a short time to get some logs about the auth).
>>
>> I recommend using explicit rules and allowing only explicit sources.
>>
>> I agree it's better if the daemon accepts connections only on internal IPs,
>> but for this you have to ask Checkpoint how to do it.
>>>
>>> thanks
>>>
>>> Frank
>>>
>>>
>>
>>
>>
>
>
>
> --
> If you spend more on coffee than on IT security, you will be hacked.
> What's more, you deserve to be hacked. - White House Cybersecurity
> Advisor, Richard Clarke
>


------------------------------

Message: 4
Date: Tue, 25 Aug 2009 11:52:37 -0400
From: Dan Ritter <dsr@tao.merseine.nu>
Subject: Re: [fw-wiz] firewall-wizards Digest, Vol 40, Issue 6
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <20090825155237.GL23234@tao.merseine.nu>
Content-Type: text/plain; charset=us-ascii

On Fri, Aug 21, 2009 at 11:27:48AM -0500, jamesworld@intelligencia.com wrote:
> Yes, this is easy.
>
> You need an extra address on the outside to create a static NAT
> for.
> Then you need to allow the traffic to that IP address (udp/500,
> udp/4500, ESP) by way of an access-list.
>
> It would look something like below.
> 192.0.0.20 is an example outside address
> 10.5.5.5 is an example inside address (vpn terminating device)
> inside is assumed. It could be any other interface (for the static command)
>
> Configuration
> --------------------
> static (inside,outside) 192.0.0.20 10.5.5.5 netmask 255.255.255.255
> access-list acl-outside-in permit udp any host 192.0.0.20 eq 500
> access-list acl-outside-in permit udp any host 192.0.0.20 eq 4500
> access-list acl-outside-in permit esp any host 192.0.0.20
> access-group acl-outside-in in interface outside

Thanks, that looks plausible. I was half-expecting the PIX to
not want to permit esp to any host other than itself.

-dsr-
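
The quoted configuration is the minimal pinhole for passing IPsec to an inside VPN endpoint through a static NAT: IKE on udp/500, NAT-T on udp/4500 and ESP, all limited to the one translated host. The following is an added example, not code from the thread or from Cisco: a small checker that parses the `static`, `access-list` and `access-group` lines in the subset of PIX syntax the quoted config uses and reports anything that widens the pinhole (a permit to a host with no static, a protocol or port outside the IPsec set, an ACL that is never bound to an interface) or leaves one of the three required permits out. The embedded config is constructed from the thread's example addresses; the function names and the `EXPECTED` set are assumptions of this example.

```python
"""Added example: audit a PIX-style static NAT plus ACL for IPsec pass-through.
Handles only the line forms the quoted configuration uses (no object groups,
no 'A mask' sources, no port ranges). SAMPLE_CONFIG is constructed."""
import re

SAMPLE_CONFIG = """\
static (inside,outside) 192.0.0.20 10.5.5.5 netmask 255.255.255.255
access-list acl-outside-in permit udp any host 192.0.0.20 eq 500
access-list acl-outside-in permit udp any host 192.0.0.20 eq 4500
access-list acl-outside-in permit esp any host 192.0.0.20
access-group acl-outside-in in interface outside
"""

# (protocol, port) pairs the pass-through needs; None = no port (ESP has none).
EXPECTED = {("udp", 500), ("udp", 4500), ("esp", None)}

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def parse_ace(rest):
    """Split the text after 'permit <proto>' into (src, dst, port or None).
    Endpoints are 'any' or 'host X'; an optional trailing 'eq <port>'."""
    tokens = rest.split()
    if tokens[0] == "host":
        src, tokens = tokens[1], tokens[2:]
    else:
        src, tokens = tokens[0], tokens[1:]
    if tokens[0] == "host":
        dst, tokens = tokens[1], tokens[2:]
    else:
        dst, tokens = tokens[0], tokens[1:]
    port = None
    if len(tokens) >= 2 and tokens[0] == "eq":
        port = int(tokens[1]) if tokens[1].isdigit() else tokens[1]
    return src, dst, port


def audit(config_text):
    """Return a list of findings; empty means the config is exactly the
    intended minimal IPsec pinhole to static NAT hosts and nothing more."""
    statics, aces, bound = {}, [], {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            _, _, outside_ip, inside_ip, _ = m.groups()
            statics[outside_ip] = inside_ip          # outside address -> inside host
        elif m := ACL_RE.match(line):
            name, action, proto, rest = m.groups()
            src, dst, port = parse_ace(rest)
            aces.append((name, action, proto, src, dst, port))
        elif m := GROUP_RE.match(line):
            bound[m.group(1)] = m.group(2)           # ACL name -> interface

    findings = []
    for name in sorted({a[0] for a in aces}):
        if name not in bound:
            findings.append(f"{name}: ACL is never applied with access-group")
    seen = set()
    for name, action, proto, src, dst, port in aces:
        if action != "permit":
            continue
        if dst not in statics:
            findings.append(f"{name}: permit {proto} to {dst} is not limited to a static NAT host")
            continue
        key = (proto, port)
        if key not in EXPECTED:
            findings.append(f"{name}: {proto}/{port} to {dst} is outside the IPsec pass-through set")
        seen.add(key)
    missing = EXPECTED - seen
    if missing:
        findings.append("missing permits: " + ", ".join(f"{p}/{q}" for p, q in sorted(missing, key=str)))
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "OK: minimal IPsec pass-through pinhole")
```

Running it on the quoted configuration yields no findings; appending a broader line such as `permit ip any host 192.0.0.20`, or dropping the ESP permit, produces one finding each, which is the check worth keeping in a config review since the three permits are easy to over-widen when a tunnel refuses to come up.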


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 40, Issue 9
***********************************************
