
Wednesday, May 23, 2007

firewall-wizards Digest, Vol 13, Issue 10

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Best way to block incoming connections from open http proxy
servers? (Chris Smith)
2. Re: HIPS experience (Paul Melson)
3. PIX - acl breaks implicit outbound rule (Richard Shaw)
4. Netscreen to Cisco IOS tunneling (J. Oquendo)
5. Re: HIPS experience (stursa@695online.com)


----------------------------------------------------------------------

Message: 1
Date: Mon, 21 May 2007 14:16:29 -0700
From: "Chris Smith" <csmith@1pointe.com>
Subject: [fw-wiz] Best way to block incoming connections from open
http proxy servers?
To: <firewall-wizards@listserv.icsalabs.com>
Message-ID:
<BBB5E2BE7794B94481346ED929C8C0AC1064C7@drevil.1pointe.local>
Content-Type: text/plain; charset="us-ascii"

Hi All.

What's the recommended way to maintain a list of public, open http
proxies and block them from making inbound connections to an http server
with iptables?

I have linblock http://www.dessent.net/linblock/ which I use for a few
other lists. Is there a regularly updated list out there for open http
proxies that can be used for this purpose?

I'm hoping I can retrieve a text file with the IPs every day with a
cron job and let linblock update an iptables chain. Perhaps there's a
better way?

csmith

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20070521/df0fce12/attachment-0001.html
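One way to do the daily cron step described above, as an added example that is not part of the original post or of linblock: a POSIX shell script that sanitises a fetched proxy list and turns it into an iptables-restore fragment, so the chain is rebuilt in one atomic transaction instead of rule by rule. The list format (one IPv4 address or CIDR per line, '#' comments), the chain name OPENPROXY and the sample list are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild one iptables chain
# from a downloaded list of open-proxy addresses.
# Assumed list format: one IPv4 address or a.b.c.d/nn prefix per line,
# '#' starts a comment. Chain name and port are assumptions too.

CHAIN="${CHAIN:-OPENPROXY}"
HTTP_PORT="${HTTP_PORT:-80}"

# Keep only well-formed IPv4 addresses or prefixes, deduplicated. Anything
# else in a fetched file (HTML error pages, host:port lines, bad octets)
# is dropped, so a corrupt download cannot inject unexpected rules.
clean_list() {
    sed 's/#.*//' "$1" | tr -d ' \t\r' \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
      | awk -F'[./]' '{ ok = 1
                        for (i = 1; i <= 4; i++) if ($i > 255) ok = 0
                        if (NF == 5 && $5 > 32) ok = 0
                        if (ok) print }' \
      | sort -u
}

# Emit an iptables-restore fragment for the filter table: the ':CHAIN'
# line flushes (or creates) the chain and the rules are committed as one
# unit, so there is no window during the cron run where the chain is
# empty or half-built. Feed it to: iptables-restore --noflush
build_restore() {
    printf '*filter\n:%s - [0:0]\n' "$CHAIN"
    clean_list "$1" | while read -r ip; do
        printf '%s\n' "-A $CHAIN -p tcp --dport $HTTP_PORT -s $ip -j DROP"
    done
    printf '%s\n' "-A $CHAIN -j RETURN" "COMMIT"
}

# Constructed sample list (documentation ranges) for an offline run.
make_sample_list() {
    cat > "$1" <<'EOF'
# open proxy list, constructed sample
192.0.2.10
192.0.2.10
198.51.100.0/24
<html>Service Unavailable</html>
203.0.113.5:8080
256.1.1.1
203.0.113.77 # trailing comment
EOF
}
```

Hook the chain in once with `iptables -I INPUT -p tcp --dport 80 -j OPENPROXY`; the daily job then only needs `build_restore list.txt | iptables-restore --noflush`, which leaves every other chain untouched.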


------------------------------

Message: 2
Date: Mon, 21 May 2007 07:30:51 -0400
From: "Paul Melson" <pmelson@gmail.com>
Subject: Re: [fw-wiz] HIPS experience
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<40ecb01f0705210430g45f3a7abk7fee2b26f12e7f82@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 5/18/07, stursa@695online.com <stursa@695online.com> wrote:
> Checkpoint has a very similar (i.e. behavioral, not signature-based HIPS)
> known as "Integrity Secure Client". The management center is stand-alone,
> costs about $3k IIRC. The client licenses cost less as well. For an
> additional fee you get point-and-click access to a big database of events
> and software, so it's much easier to determine whether a particular .exe
> is safe.

This was originally ZoneLabs' Integrity, and at one point in time was
the only way to enforce host security policy w/ the Cisco VPN3K. It
never worked with Check Point until after the acquisition. To be
honest, I'm a little surprised that after several releases the Cisco
ASA/VPN3K support is still there.

PaulM


------------------------------

Message: 3
Date: Tue, 22 May 2007 14:08:09 +0100
From: "Richard Shaw" <richard@aggress.net>
Subject: [fw-wiz] PIX - acl breaks implicit outbound rule
To: firewall-wizards@listserv.icsalabs.com
Message-ID:
<aa7e63a0705220608x5dfc4108rc34185e1ca5696de@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hi There,

I'm trying to get successful two-way communication over a selected port
range between 2 hosts on different interfaces.

Interface 1 (100) ------------ Interface 2 (90)

host1 (10.0.1.11) ------------ host2 (10.0.5.2)

I've already put in a static route so host1 can get down to host2; however, I
need host2 to be able to open a connection back through on selected ports.

I've been able to get it semi-working by applying the following:

static (Interface1,Interface2) 10.0.5.200 10.0.1.11 netmask 255.255.255.255
access-list Interface2toInterface1 extended permit udp host 10.0.5.2 host
10.0.5.200 eq port-range
access-group Interface2toInterface1 in interface Interface2

However, it replaces the implicit outbound rule for Interface2 and breaks
all other outbound traffic on the interface. My question is, what can I
append to the above access group to put the outbound rule back in?

Any thoughts or suggestions would be super useful.

Thanks!

Richard
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20070522/643dfead/attachment-0001.html


------------------------------

Message: 4
Date: Tue, 22 May 2007 09:00:25 -0400
From: "J. Oquendo" <sil@infiltrated.net>
Subject: [fw-wiz] Netscreen to Cisco IOS tunneling
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4652E969.60003@infiltrated.net>
Content-Type: text/plain; charset="iso-8859-1"

Good morning (afternoon) all,

Have the following question regarding a tunnel I'm trying to
establish between a Netscreen and a 3845:

#sh ver
Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version
12.4(6)T1, RELEASE SOFTWARE (fc3)
...

ROM: Cisco IOS Software, 3800 Software (C3845-IPBASE-M), Version
12.3(11)T5, RELEASE SOFTWARE (fc1)


My network information:

My VPN Peer address:
10.10.53.98

My ACL Host range:
10.10.53.192/30

Client's Netscreen Peer address:
10.15.179.238

---
Their networks:

Customer Pre-shared key:
secret

PHASE 1 proposal: DH group2-3des-md5
PHASE 2 proposal: PFS group2-esp-3des-md5

Client's ACL host range:
10.10.178.192/30

My configs:

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key secret address 10.15.179.238

crypto ipsec transform-set predefined esp-3des esp-md5-hmac

crypto map defined 10 ipsec-isakmp
set peer 10.15.179.238
set transform-set predefined
set pfs group2
match address 112

access-list 112 permit ip 208.50.53.98 0.0.0.7 63.79.178.192 0.0.0.3

Question... Since I have a constant 20+Mbps on one of my interfaces, I'm
reluctant to have an outage...

interface Serial1/0.xxx point-to-point
description xxx.xxx.xxx.xxx
ip address 10.5.5.106 255.255.255.252
frame-relay interface-dlci xxx

If I apply the crypto map predefined to this interface, would it drop
all non-encrypted traffic?

interface Serial1/0.xxx point-to-point
description xxx.xxx.xxx.xxx
ip address 10.5.5.106 255.255.255.252
frame-relay interface-dlci xxx
crypto map predefined

--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'

"Wise men talk because they have something to say;
fools, because they have to say something." -- Plato


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5157 bytes
Desc: S/MIME Cryptographic Signature
Url : https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20070522/3f72c9b6/attachment-0001.bin


------------------------------

Message: 5
Date: Wed, 23 May 2007 12:57:00 -0400 (EDT)
From: stursa@695online.com
Subject: Re: [fw-wiz] HIPS experience
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <35743.69.1.110.133.1179939420.webmail@mail.695online.com>
Content-Type: text/plain;charset=iso-8859-1


Paul Melson said:
> On 5/18/07, stursa@695online.com <stursa@695online.com> wrote:
>> Checkpoint has a very similar (i.e. behavioral, not signature-based
>> HIPS)
>> known as "Integrity Secure Client". The management center is
>> stand-alone,
>> costs about $3k IIRC. The client licenses cost less as well. For an
>> additional fee you get point-and-click access to a big database of
>> events
>> and software, so it's much easier to determine whether a particular .exe
>> is safe.
>
> This was originally ZoneLabs' Integrity, and at one point in time was
> the only way to enforce host security policy w/ the Cisco VPN3K. It
> never worked with Check Point until after the acquisition. To be
> honest, I'm a little surprised that after several releases the Cisco
> ASA/VPN3K support is still there.

Not sure if you mean releases of Integrity or releases of Cisco SW. WRT
Cisco, I just checked our 3020 and it's still in there. It's running 4.7,
rel 10 March 2005.

In the next week we're taking delivery of a new 3020, presumably with
latest software. I'll look and see if the support is still there.

I also checked our ASA, which is running 7.2(1), 31 May 2006. It likewise
appears to still support Integrity.

--
Scott L. Stursa
CCNA, MCSA, Security+


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 13, Issue 10
************************************************
