Wednesday, December 26, 2007

firewall-wizards Digest, Vol 20, Issue 12

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Anyone have any informed opinions on the Watchguard
product line? (Richard Golodner)
2. Re: PIX access-list help (kevin horvath)
3. Re: PIX access-list help (Paul Melson)
4. Re: PIX access-list help (Avishai Wool)


----------------------------------------------------------------------

Message: 1
Date: Mon, 24 Dec 2007 14:08:08 -0500
From: "Richard Golodner" <rgolodner@infratection.com>
Subject: Re: [fw-wiz] Anyone have any informed opinions on the
Watchguard product line?
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <003501c84660$51f84910$600a0a0a@Antares>
Content-Type: text/plain; charset="us-ascii"

I have had a lot of experience with WG products and was quite
pleased with ease of setup, the ability to control logging and how easy it
was to add deny statements to the box. One of the drawbacks, as Paul had
mentioned, was the VPN feature setup for site to site, and the versions I
have used only allowed up to 100 deny statements. This means a lot of
network aggregation in order to make sure you were not receiving traffic
from places you did not want.
There was also a nice GUI interface that showed in real time who was
attempting to attach to various devices on your network, which made killing
the spammer attempts much easier. Be sure to do a whois or a traceroute
before you include a deny statement, since this can cause trouble if you need
transit from the network you just denied. Overall a pretty nice product, but
I still prefer the PIX or some of the other firewall feature sets built into
later versions of the IOS.

most sincerely, Richard

-----Original Message-----
From: firewall-wizards-bounces@listserv.cybertrust.com
[mailto:firewall-wizards-bounces@listserv.cybertrust.com] On Behalf Of Paul
D. Robertson
Sent: Monday, December 24, 2007 11:57 AM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Anyone have any informed opinions on the watchguard
product line?

On Tue, 18 Dec 2007, AMuse wrote:

> Does anyone have an informed opinion on whether these products are any
> good, that I can pass along to my friend?

They work well enough, VPN setup is a little weird if you're doing
site-to-site (at least I ended up dropping back and punting to OpenVPN at
one customer.)

The nice thing is that the HTTP proxy does MIME type filtering, which
stops a lot of junk if you don't open it up wide.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson   "My statements in this message are personal opinions
paul@compuwar.net    which may have no basis whatsoever in fact."

http://www.fluiditgroup.com/blog/pdr/

Art: http://PaulDRobertson.imagekind.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


------------------------------

Message: 2
Date: Mon, 24 Dec 2007 16:42:33 -0500
From: "kevin horvath" <kevin.horvath@gmail.com>
Subject: Re: [fw-wiz] PIX access-list help
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<5c41be6e0712241342t15c3bd48x49cf230454d08d1f@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

If you want access to the internet from any interface you need to
allow all traffic on the typical ports 80 and 443 and then deny
traffic to internal subnets/hosts that should be denied. The other
way to do this is to do a policy NAT on the inside and allow only
traffic you want to be translated; all other traffic will just be
dropped. The latter will cause more CPU to be used versus it just being
denied by an access list. Hope this helps. If you need more help
then post a sanitized copy of your ACLs and translations.

Kevin

On Dec 21, 2007 11:02 AM, Brian Blater <brb.lists@gmail.com> wrote:
> I'm a little befuddled with PIX access lists and need some help and
> understanding. I have a PIX 515 version 6.3(3) with 3 interfaces -
> outside, inside, dmz. Up til now I have only been using the outside
> and inside interface. I have started configuring the dmz interface and
> have set it at security50 (outside = 0, inside = 100). I currently
> have only an access-list on the outside interface allowing some
> specific traffic in to the inside network. Right now the inside and
> dmz can talk to the internet just fine and the inside can talk to the
> dmz network fine. However, I want to implement an access-list on the
> dmz interface and this is where the problems start. If I assign an
> access list to the dmz port to allow smtp from a dmz host to the
> inside mail server I no longer have communication to the internet from
> the dmz and the inside cannot talk to the dmz because of the implicit
> deny of the access list.
>
> So, my main question, is there an access list command I can have that
> basically says "allow all communication from the dmz to the internet"
> and one that says "allow communication from the inside to the dmz"? I
> know I can add "access-list dmz permit ip host 192.168.1.1 any" and
> that solves the problem of getting to the internet, but then it opens
> all communication to the inside from this host and I don't want to do
> that. Since this is version 6.3(3) I can't use an out access-list
> which I think might solve the problem. I have enough memory to run
> version 7.x on this PIX, but I'm trying to tackle one problem at a
> time and I'm a little hesitant about doing the 7.x upgrade just yet.
>
> I have more questions, but I think I start here for now and ask the
> other questions when they are more relevant.
>
> Thanks for your help,
> Brian


------------------------------

Message: 3
Date: Tue, 25 Dec 2007 00:25:52 -0500
From: "Paul Melson" <pmelson@gmail.com>
Subject: Re: [fw-wiz] PIX access-list help
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<40ecb01f0712242125i6e1e8aeq33d6e3018c3e3cf1@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Dec 21, 2007 11:02 AM, Brian Blater <brb.lists@gmail.com> wrote:
> So, my main question, is there an access list command I can have that
> basically says "allow all communication from the dmz to the internet"
> and one that says "allow communication from the inside to the dmz"? I
> know I can add "access-list dmz permit ip host 192.168.1.1 any" and
> that solves the problem of getting to the internet, but then it opens
> all communication to the inside from this host and I don't want to do
> that. Since this is version 6.3(3) I can't use an out access-list
> which I think might solve the problem. I have enough memory to run
> version 7.x on this PIX, but I'm trying to tackle one problem at a
> time and I'm a little hesitant about doing the 7.x upgrade just yet.

The short answer to your question is that PIX access-lists are read,
per-interface, top-to-bottom:

access-list dmz_in deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list dmz_in permit ip 192.168.1.0 255.255.255.0 any
access-group dmz_in in interface dmz

If your internal network is 10.0.0.0/8 and your DMZ is 192.168.1.0/24,
this will prevent traffic from the DMZ to the inside, but allow
everything else.

PaulM
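A small first-match evaluator, added here as an illustration and not part of the thread, that parses the two dmz_in lines above (in PaulM's order and reversed) together with Brian's single broad permit, and shows why the deny has to sit above the permit. The hosts 10.1.2.3, 192.168.1.20 and 198.51.100.7 are constructed sample addresses, not from the thread.

```python
import ipaddress

def _parse_addr(tokens, i):
    """Parse one PIX address term at tokens[i]: any | host A | A MASK."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_acl(config_text):
    """Return {acl_name: [(action, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for line in config_text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue  # only the 'ip' form used in the thread is handled
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls

def evaluate(entries, src_ip, dst_ip):
    """Top-to-bottom, first match wins; no match ends in the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action
    return "deny"

# PaulM's order, the same two lines reversed, and Brian's single broad permit.
PAULM_ACL = """
access-list dmz_in deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list dmz_in permit ip 192.168.1.0 255.255.255.0 any
"""
REVERSED_ACL = """
access-list dmz_in permit ip 192.168.1.0 255.255.255.0 any
access-list dmz_in deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
"""
BRIAN_ACL = "access-list dmz permit ip host 192.168.1.1 any"

def outcomes(config_text, name):
    """Constructed flows: DMZ host to inside, to the Internet, and a second DMZ host."""
    e = parse_acl(config_text)[name]
    return {"dmz_to_inside": evaluate(e, "192.168.1.1", "10.1.2.3"),
            "dmz_to_internet": evaluate(e, "192.168.1.1", "198.51.100.7"),
            "other_dmz_host_to_internet": evaluate(e, "192.168.1.20", "198.51.100.7")}

if __name__ == "__main__":
    print(outcomes(PAULM_ACL, "dmz_in"), outcomes(REVERSED_ACL, "dmz_in"),
          outcomes(BRIAN_ACL, "dmz"))
```

With the lines reversed the permit matches first and the DMZ reaches the inside network; Brian's host-specific permit blocks every other DMZ host by the implicit deny.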


------------------------------

Message: 4
Date: Tue, 25 Dec 2007 00:11:13 +0200
From: "Avishai Wool" <yash@acm.org>
Subject: Re: [fw-wiz] PIX access-list help
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<8a9b1fe30712241411m18dafedene929d4ab3bccd87b@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Brian,

You probably also need a "static (inside, dmz)" command to
configure the NAT for traffic from a lower security level (the dmz)
to the higher (== inside). You must have the "static" even if you
don't want to actually change the addresses - in that case
the "translate from" and "translate to" addresses will be the same.
The "static" informs the PIX which inside IP addresses are
at all visible from the dmz side.

I think Cisco removed the requirement to always have a "static" with v7.0
but in v6.3 you still need it.

HTH,
Avishai



--
Avishai Wool, Ph.D., Co-founder and Chief Technical Officer

http://www.algosec.com
******* Firewall Management Made Smarter ******


------------------------------


End of firewall-wizards Digest, Vol 20, Issue 12
************************************************