Monday, August 24, 2009

firewall-wizards Digest, Vol 40, Issue 7

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: PIX in multiple IPsec roles (Craig Van Tassle)
2. Re: PIX in multiple IPsec roles (Lordsporkton)
3. Re: Slow FTP transfers (Lordsporkton)
4. Re: Slow FTP transfers (Behm, Jeff)
5. Re: firewall-wizards Digest, Vol 40, Issue 6
(jamesworld@intelligencia.com)
6. Re: checkpoint authentication on external interface
(ml10110@adreyer.com)
7. Collaborative Network Forensics (kowsik)
8. Re: checkpoint authentication on external interface (pkc_mls)


----------------------------------------------------------------------

Message: 1
Date: Thu, 20 Aug 2009 23:50:32 -0500
From: Craig Van Tassle <craig@codestorm.org>
Subject: Re: [fw-wiz] PIX in multiple IPsec roles
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <20090820235032.76eb8a7f@dragon.codestorm.org>
Content-Type: text/plain; charset=US-ASCII

On Wed, 19 Aug 2009 13:52:53 -0400
Dan Ritter <dsr@tao.merseine.nu> wrote:

>
> Is there a plausible way to convince a PIX to pass through an
> IPsec tunnel to another device while simultaneously being an
> endpoint for a different tunnel?
>
> I have sites A, B, and C. Each has a PIX515E with tunnels to the
> other two sites.
>
> Now a vendor wants to establish a tunnel to a device inside
> PIX A. I seem to be lacking the right keywords to search for
> this.
>
> -dsr-
>
>

It sounds like your vendor wants a static NAT to their device on
the inside. Can you be a bit more verbose about the network setup? The
PIX should see this traffic as normal traffic. I usually use a unique
public IP for the NAT.

--
"An armed society is a polite society. Manners are good when one may
have to back up his acts with his life." Robert A. Heinlein

"Fear is the father of servitude, and the captor of man. There cannot
be slavery without fear, nor freedom with it."


------------------------------

Message: 2
Date: Thu, 20 Aug 2009 23:40:10 -0700
From: Lordsporkton <lordsporkton@gmail.com>
Subject: Re: [fw-wiz] PIX in multiple IPsec roles
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4A8E414A.60402@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Dan Ritter wrote:
> Is there a plausible way to convince a PIX to pass through an
> IPsec tunnel to another device while simultaneously being an
> endpoint for a different tunnel?
>
> I have sites A, B, and C. Each has a PIX515E with tunnels to the
> other two sites.
>
> Now a vendor wants to establish a tunnel to a device inside
> PIX A. I seem to be lacking the right keywords to search for
> this.
>
> -dsr-
>
>
>

I don't quite understand. This new tunnel you want to set up, will it go
from the outside internet to something inside PIX A, or will it go from
inside site B or site C to something inside site A?

Either way there should be no real problem that I can see, perhaps a
smaller MTU in the latter case. In the former case you may have to map
some services to the inside device.


------------------------------

Message: 3
Date: Thu, 20 Aug 2009 23:46:20 -0700
From: Lordsporkton <lordsporkton@gmail.com>
Subject: Re: [fw-wiz] Slow FTP transfers
To: aptgetd@gmail.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4A8E42BC.6010109@gmail.com>
Content-Type: text/plain; charset="us-ascii"

An HTML attachment was scrubbed...
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20090820/a786418b/attachment-0001.html>

------------------------------

Message: 4
Date: Fri, 21 Aug 2009 07:43:30 -0500
From: "Behm, Jeff" <jbehm@burnsmcd.com>
Subject: Re: [fw-wiz] Slow FTP transfers
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<1217D5F18AEF15499BF1047D8F407D563005E0@kcm-exch-001.burnsmcd.com>
Content-Type: text/plain; charset="us-ascii"

On Thursday, August 20, 2009 12:19 PM, sky said:

>I'm having an issue when ftp'ing (default port mode) large file
>(50megs) to a remote server sitting behind FWSM. The transfer
>gets real slow and at times just timeouts.

>Any thoughts will be great.

Any sort of packet shaper/QoS device between the endpoints?


------------------------------

Message: 5
Date: Fri, 21 Aug 2009 11:27:48 -0500
From: <jamesworld@intelligencia.com>
Subject: Re: [fw-wiz] firewall-wizards Digest, Vol 40, Issue 6
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <20090821162108.30000ADBE4@listserv.cybertrust.com>
Content-Type: text/plain; charset="us-ascii"; format=flowed

Yes, this is easy.

You need an extra address on the outside to create a static NAT for.
Then you need to allow the traffic to that IP address (udp/500,
udp/4500, ESP) by way of an access-list.

It would look something like below.
192.0.0.20 is an example outside address
10.5.5.5 is an example inside address (VPN terminating device)
Inside is assumed. It could be any other interface (for the static command)

Configuration
--------------------
static (inside,outside) 192.0.0.20 10.5.5.5 netmask 255.255.255.255
access-list acl-outside-in permit udp any host 192.0.0.20 eq 500
access-list acl-outside-in permit udp any host 192.0.0.20 eq 4500
access-list acl-outside-in permit esp any host 192.0.0.20
access-group acl-outside-in in interface outside

At 11:00 AM 8/21/2009, firewall-wizards-request@listserv.icsalabs.com wrote:
>Message: 1
>Date: Wed, 19 Aug 2009 13:52:53 -0400
>From: Dan Ritter <dsr@tao.merseine.nu>
>Subject: [fw-wiz] PIX in multiple IPsec roles
>To: firewall-wizards@listserv.icsalabs.com
>Message-ID: <20090819175253.GZ23234@tao.merseine.nu>
>Content-Type: text/plain; charset=us-ascii
>
>
>Is there a plausible way to convince a PIX to pass through an
>IPsec tunnel to another device while simultaneously being an
>endpoint for a different tunnel?
>
>I have sites A, B, and C. Each has a PIX515E with tunnels to the
>other two sites.
>
>Now a vendor wants to establish a tunnel to a device inside
>PIX A. I seem to be lacking the right keywords to search for
>this.
>
>-dsr-

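As an added example (not from the digest or from any poster), the small Python checker below parses PIX-style static/access-list/access-group lines like the ones above and reports whether the three permits an IPsec peer needs (udp/500, udp/4500, ESP) all reach the NAT address, and which of them accept traffic from any source rather than a specific peer. The sample config is copied from the message; the regexes cover only the syntax shown there.

```python
import re

# Constructed sample, copied from the configuration in the message above.
CONFIG = """
static (inside,outside) 192.0.0.20 10.5.5.5 netmask 255.255.255.255
access-list acl-outside-in permit udp any host 192.0.0.20 eq 500
access-list acl-outside-in permit udp any host 192.0.0.20 eq 4500
access-list acl-outside-in permit esp any host 192.0.0.20
access-group acl-outside-in in interface outside
"""

# What a remote IPsec peer needs: IKE (udp/500), NAT-T (udp/4500) and ESP.
REQUIRED = {("udp", "500"), ("udp", "4500"), ("esp", None)}

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
ACE_RE = re.compile(r"^access-list (\S+) permit (\w+) (any|host \S+|\S+ \S+) host (\S+)(?: eq (\S+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def parse_config(text):
    """Return (statics: inside IP -> outside IP, ACEs, ACL -> interface bindings)."""
    statics, aces, bindings = {}, [], {}
    for line in text.strip().splitlines():
        if m := STATIC_RE.match(line.strip()):
            statics[m.group(4)] = m.group(3)
        elif m := ACE_RE.match(line.strip()):
            name, proto, src, dst, port = m.groups()
            aces.append((name, proto.lower(), src, dst, port))
        elif m := GROUP_RE.match(line.strip()):
            bindings[m.group(1)] = m.group(2)
    return statics, aces, bindings


def check_ipsec_passthrough(text, inside_ip):
    """List required permits missing for inside_ip's NAT address, and which
    present permits accept an 'any' source instead of a named peer."""
    statics, aces, bindings = parse_config(text)
    global_ip = statics.get(inside_ip)
    found, any_src = set(), []
    for name, proto, src, dst, port in aces:
        # Only ACEs applied inbound on 'outside' and aimed at the NAT address count.
        if global_ip and bindings.get(name) == "outside" and dst == global_ip:
            if (proto, port) in REQUIRED:
                found.add((proto, port))
                if src == "any":
                    any_src.append((proto, port))
    return {"global": global_ip,
            "missing": sorted(REQUIRED - found, key=str),
            "any_source": sorted(any_src, key=str)}
```

Run it as `check_ipsec_passthrough(CONFIG, "10.5.5.5")`; an empty `missing` list with a non-empty `any_source` list is exactly the posted config: complete, but open to any Internet host, so tightening the sources to the vendor's peer address is the next step.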
------------------------------

Message: 6
Date: Fri, 21 Aug 2009 22:51:28 +0100
From: ml10110@adreyer.com
Subject: Re: [fw-wiz] checkpoint authentication on external interface
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4A8F16E0.8050300@adreyer.com>
Content-Type: text/plain; charset=UTF-8; format=flowed

Francois Yang wrote:
> I hope the list can help me out or point me in the correct direction.
>
> In Checkpoint R65 splat when you turn ON Manual authentication, it
> turns ON port 259 and 900 on both internal and external interfaces.
> I was wondering if there's a way to turn it OFF on one interface and
> still keep it on the other.
> An example would be if you have an edge firewall and you don't want it
> to be visible from the outside but still need it for other functions.
> I tried to create a rule that would block anything from the outside to
> the firewall on those ports and that did nothing.
> Looking in tracker also showed nothing.
> I can connect to the login page but I can't see any logs.
> looking through the implied rules also showed nothing.
> So does anyone have any suggestions that would not kill my support
> contract? :)

Check the content of $FWDIR/conf/fwauthd.conf and verify your settings
against the Check Point knowledgebase. You can also ask the Check Point
forum/community or the CPUG for further clues.
If you have a support contract, why don't you just ask your support company?


Achim

--
Achim Dreyer ||
Network Security Consultant || RHCE, RHCA, CCNA, CCSA, CCSE, CCSE+, CSCE
CAcert Assurer || JNCIS-FW


------------------------------

Message: 7
Date: Sun, 23 Aug 2009 15:03:20 -0700
From: kowsik <kowsik@gmail.com>
Subject: [fw-wiz] Collaborative Network Forensics
To: firewall-wizards@honor.icsalabs.com, focus-ids@securityfocus.com
Message-ID:
<7db9abd30908231503o29122148kafadb79f03c495b0@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

We took the recently published ITOC dataset and the CCTF captures from
Shmoo group (total of 15.0 GBytes, 26.3 million packets), indexed them
to enable contextual search and instant access to packets, not to
mention HN/Twitter-style one-liners attached to packets and searches
for a community oriented forensics application.

http://bit.ly/12I62D for the blog and
http://www.pcapr.net/forensics for the app

Enjoy,

K.
---
http://labs.mudynamics.com
http://twitter.com/pcapr


------------------------------

Message: 8
Date: Mon, 24 Aug 2009 09:58:03 +0200
From: pkc_mls <pkc_mls@yahoo.fr>
Subject: Re: [fw-wiz] checkpoint authentication on external interface
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4A92480B.7050101@yahoo.fr>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Francois Yang wrote:
> I hope the list can help me out or point me in the correct direction.
>
> In Checkpoint R65 splat when you turn ON Manual authentication, it
> turns ON port 259 and 900 on both internal and external interfaces.
> I was wondering if there's a way to turn it OFF on one interface and
> still keep it on the other.
> An example would be if you have an edge firewall and you don't want it
> to be visible from the outside but still need it for other functions.
> I tried to create a rule that would block anything from the outside to
> the firewall on those ports and that did nothing.
> Looking in tracker also showed nothing.
> I can connect to the login page but I can't see any logs.
> looking through the implied rules also showed nothing.
> So does anyone have any suggestions that would not kill my support contract? :)
>
>
Hi Frank,
Even if the daemon is listening on the port, you still have to go
through the rulebase to be able to connect.
You should verify whether the ports are allowed either in implied or explicit
rules (try to enable the logs on the implied rules
for a short time to get some logs about the auth).

I recommend using explicit rules and allowing only explicit sources.

I agree it's better if the daemon accepts connections only on internal
IPs, but for this you have to ask Check Point how to do it.
> thanks
>
> Frank
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 40, Issue 7
***********************************************