From: firewalls-request@lists.gnac.net
Sent by: firewalls-admin@lists.gnac.net
To: [EMAIL PROTECTED]
Subject: Firewalls digest, Vol 1 #420 - 12 msgs
Date: 12/18/2001 02:01 PM
Please respond to firewalls

Send Firewalls mailing list submissions to
           [EMAIL PROTECTED]

To subscribe or unsubscribe via the World Wide Web, visit
           http://lists.gnac.net/mailman/listinfo/firewalls
or, via email, send a message with subject or body 'help' to
           [EMAIL PROTECTED]

You can reach the person managing the list at
           [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Firewalls digest..."


Today's Topics:

   1. Gauntlet v5.5 on Solaris 2.6 (joe volk)
   2. Re: FW-1 ver 4.0 Security Policy Wizard (bearman851)
   3. NIS+ across a firewall (Unix servers) (Carol Smith)
   4. Re: NIS+ across a firewall (Unix servers) (Paul Robertson)
   5. Re: Firewalls digest, Vol 1 #418 - 3 msgs (bearman851)
   6. RE: Questions regarding Symantec Enterprise Firewall
([EMAIL PROTECTED])
   7. Re: PIX  logging setup help (Daniel Crichton)
   8. Re: NIS+ across a firewall (Unix servers) (Carol Smith)
   9. Re: NIS+ across a firewall (Unix servers) (Paul Robertson)
  10. NAT ([EMAIL PROTECTED])
  11. Re: NAT ([EMAIL PROTECTED])
  12. Re: NAT (Matthias Leu)

--__--__--

Message: 1
Date: Mon, 17 Dec 2001 12:08:39 -0800 (PST)
From: joe volk <[EMAIL PROTECTED]>
Subject: Gauntlet v5.5 on Solaris 2.6
To: [EMAIL PROTECTED]

Running Gauntlet V5.5 on Solaris 2.6, the HTTP proxy
seems to behave inconsistently.  There is one site in
particular that I had not been able to reach (port 80)
from an internal machine.  We have been noticing some
MTU-related problems and have been able to address
some of them by adjusting (lowering) MTU size to
something on the order of 1400 bytes on the internal
Windows clients.

The MTU tweak, however, did not have an effect on this
particular site no matter how low I made it.  I have
also tried to get to the site with both PMTU discovery
turned on and off on the Solaris machine.  My
perimeter router allows ICMP types 3&4 (fragmentation
needed).

I finally created a packet filter on the firewall and
made a corresponding router change to allow port 80
traffic to pass directly from my internal NT
workstation to the web server and back.  I was then
able to reach the site instantly from my internal
workstation.  I am also able to web to the site from an
unproxied workstation off another router interface.

Is there some known issue with the Gauntlet HTTP
proxy?
Is there a parameter I can tweak for the HTTP proxy
itself?
What could I suggest to the remote web site admin if the fault
lies at the remote end?
Could encryption be at fault, as it exists between us
and the remote end?  This, however, is the case for links
between us and many other sites with which we have no
problem.

Thanks.

Joe Volk
Embittered Browns fan.



--__--__--

Message: 2
Date: Mon, 17 Dec 2001 16:20:04 -0800
From: bearman851 <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: FW-1 ver 4.0 Security Policy Wizard

> Hello,
>
> Does anybody know how to invoke and/or set up the Security Policy Wizard
> to create a simple rule base for FW-1 (ver 4.0)?  I have a newly built NT
> 4.0 (sp4) server box running 128 meg at 200MHz with 2 ethernet NIC cards
> ready for configuration for access to the internet on 1 NIC while the 2nd
> NIC connects to my internal network subnet supporting 3 Win98
> workstations. To begin setting my FW-1 box created, how does the Security
> Policy Wizard work? How do I know if I have this tool available on my
> current FW-1 NT box when 1st installed off of the CD? Do I need to order
> this tool as a separate package from Check Point? Where is this tool
> located on the GUI? Help me here..I'm missing something here.

> Regards,
>
> Gerry

Hi Gerry,

Looks like you might be just getting started with Checkpoint?  If not,
please disregard this message, but I know another subscriber that could use
this answer.  I've not personally used the Policy editor wizard, but if you
can pull up the policy editor I'm going to guess that you have installed
both the management module and the firewall module on that same NT box.  (I
would also encourage you to use SP 6a)  Yes, I too found myself looking for
the GUI when first working with Checkpoint.  I coughed that up to just
having a bad 2 days...
I searched the CD for the GUI client and couldn't find it for the life of
me.  I eventually found it.  The GUI is on the installation CD, it's under
a Windows directory, CPMgmtClnt-41, or whatever version you're using.  You'll
also want to be sure that you have the most recent service pack for the
firewall and the GUI.  They need to match.  After installing the GUI it
will ask you for the IP of the Management Station.  You might also be able
to use the name of your box here.  When configuring the firewall for the
first time you will need to create the firewall object.  To do this simply
click Manage/Network objects, New, Workstation.  Give it the name of your
NT box and the outside IP.  Define the firewall object (and I'm guessing
the management and firewall object are on that same NT box) by checking the
VPN-1 & Firewall-1 box and the Management Station box.  Also you will need
to make it a Gateway as opposed to a Host.  Lastly, click the Interfaces
tab and click GET.  It should populate the appropriate tables.  You might
also want to make the firewall object color RED.  I don't know why, but it
was a question on the Cert exam!

Hope this helps!  (If not you then the other individual on the listserv)

Kevin



--__--__--

Message: 3
From: "Carol Smith" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: NIS+ across a firewall (Unix servers)
Date: Mon, 17 Dec 2001 21:22:40 -0500


Does anyone use NIS+ to go across a firewall to the dmz?  If yes (or no)
what issues should I be concerned with?

Thanks
Carol




--__--__--

Message: 4
Date: Mon, 17 Dec 2001 22:25:23 -0500 (EST)
From: Paul Robertson <[EMAIL PROTECTED]>
To: Carol Smith <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Subject: Re: NIS+ across a firewall (Unix servers)

On Mon, 17 Dec 2001, Carol Smith wrote:

> Does anyone use NIS+ to go across a firewall to the dmz?  If yes (or no)
> what issues should I be concerned with?

I vote no:

As a general rule of thumb, I recommend against sharing authentication
credentials over a trust boundary.  If a server gets compromised (and
generally systems in a DMZ are at higher risk to compromise) and
you're using the same credentials for internal services, VPN access, etc.
then your authentication realm is compromised.  Secondly, if a compromise
in the DMZ works, it's possible to go from outside in if the NIS server
has a bug-- generally I like my firewall->DMZ traffic to be outbound.

A config oops on NIS+ to enable NIS compat mode will make your
encrypted password file obtainable externally- that can't be a good thing.

Password guessing and rpcbind worms aside, it just feels wrong.

[I have only played with NIS once, and it was a while ago, so I'm going to
make some assumptions- feel free to level-set them.]

Portmapper is probably the #1 vector into Solaris boxen, are you sure you
want to let traffic from your DMZ into that port in to your auth. server?
Letting the higher ports in seems to add to the potential damage.

I suppose /bin/login issues are also a factor.

Is there a particular reason you want the DMZ machines to be part of the
domain?

IMO NIS+ is too complex a beast to let inside from outside, and the trust
boundary issues are potentially bad.

Paul
-----------------------------------------------------------------------------

Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."


--__--__--

Message: 5
Date: Mon, 17 Dec 2001 20:54:10 -0800
From: bearman851 <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Firewalls digest, Vol 1 #418 - 3 msgs

> Hello,
>
> Does anybody know how to invoke and/or set up the Security Policy Wizard
> to create a simple rule base for FW-1 (ver 4.0)?  I have a newly built NT
> 4.0 (sp4) server box running 128 meg at 200MHz with 2 ethernet NIC cards
> ready for configuration to access to the internet on 1 NIC while the 2nd
> NIC connects to my internal network subnet supporting (3) Win98
> workstations. In setting up my FW-1 box, how does the Security
> Policy Wizard work? How do I know if I have this tool available on my
> current FW-1 NT box when installed off of the CD?  Do I need to order
> this tool as a separate package from Checkpoint?  Where is this tool
> located on the GUI dropdown interface?  Help me here..I know I'm missing
> something here. Please advise.

> Regards,
>
> Gerry






--__--__--

Message: 6
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: RE: Questions regarding Symantec Enterprise Firewall
Date: Tue, 18 Dec 2001 10:59:18 +0200


Raptor supports LDAP. However, running other software on a firewall is
usually considered a security breach. And Raptor tends to make this a bit
more difficult than other firewalls because it has the Vulture feature,
which kills any unknown processes. Of course this feature can be configured.

Stonebeat has a version for Raptor too.

Just remember with HA that when you are using a proxy firewall like Raptor
you don't have any synchronization between firewall modules. So when traffic
is redistributed between the nodes any active connections have to be
re-established.

rgds,
Harri

> -----Original Message-----
> From: ext Chance Ellis [mailto:[EMAIL PROTECTED]]
> Sent: 17 December, 2001 20:04
> To: [EMAIL PROTECTED]
> Subject: Questions regarding Symantec Enterprise Firewall
>
>
> I appreciate everyone's thoughts and opinions on my
> PIX versus Raptor question.
>
> I have a couple of questions on authentication.
>
> With Raptor, is it possible to forward auth requests
> to an LDAP server or run a local copy of the LDAP
> directory on the Raptor box?
>
> Also, Could I get opinions about Radware? I need to do
> fault tolerance/redundancy and if I choose a product
> like Raptor I have to use a third party product.
> According to Raptor, they only support Radware. I have
> heard of others such as Stonebeat but I am wondering
> if it will work with Raptor?
>
> Thanks again for all of your help and advice!
>
> Chance Ellis
>

--__--__--

Message: 7
From: "Daniel Crichton" <[EMAIL PROTECTED]>
Organization: Computer Manuals Ltd.
To: "Timothy K. Cornelius" <[EMAIL PROTECTED]>
Date: Tue, 18 Dec 2001 09:41:32 -0000
Subject: Re: PIX  logging setup help
Reply-To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]

On 15 Dec 2001 at 10:17, Timothy K. Cornelius wrote:

> Setting up the logging was very simple and took about 15 minutes to do.
> If anyone else want to setup logging for their Pix email me privately and I
> will show them. Or if I get enough response to this I will write a little


There is one problem I've found with the PIX log server software - it
relies on the PIX to set the time of the log entry (via the "logging
timestamp on" command) and so you need to make sure that the time is
correct on all of your PIX units. There are also very few options in the
logging server software. I use Kiwi Syslog Daemon which can handle more
than just the PIX logs and it handles the timestamping locally (so you can
combine logs from multiple PIX and be sure that the log entries have
correct relative times even if the server time is wrong). The Kiwi server
also allows you to create multiple logs based on the source and level (so
you could split the logs from the 2 PIX into separate logs on a single
server if you wanted, or have them combined and record all log lines but
also write all critical log lines to a separate file so you don't have to
grep them out of the main log). It has loads of features that make syslog
management much easier than with the Cisco software. This is my own
personal opinion, there are probably even better syslog servers for NT/2K
out there, but I've been using Kiwi since I first installed my PIX units
and have never looked back.

Dan
---
D.C. Crichton                 email: [EMAIL PROTECTED]
Senior Systems Analyst        tel:   +44 (0)121 706 6000
Computer Manuals Ltd.         fax:   +44 (0)121 606 0477

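The two points Dan makes about the Cisco log server (trusting the PIX clock, and having no way to split logs by source or severity) can be shown in a few lines. This is an added example, not code from the poster or from Kiwi; the PIX message format it parses is the `%PIX-<severity>-<id>:` form with the device clock prepended by `logging timestamp on`, and the sample lines and source addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# With "logging timestamp on" a PIX prepends its own clock to each message,
# followed by "%PIX-<severity>-<message id>: <text>".  Severity runs from
# 0 (most severe) to 7 (debug).  The clock group is optional so lines from a
# PIX without timestamps still parse.
PIX_RE = re.compile(
    r"^(?:(?P<devtime>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): )?"
    r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$"
)

# Constructed sample input: two PIX units, the second one with a wrong clock.
# Tuples are (source address, raw syslog payload) in order of receipt.
SAMPLE = [
    ("10.1.1.1", "Dec 18 2001 09:41:32: %PIX-6-302001: Built inbound TCP connection 5 ..."),
    ("10.1.1.1", "Dec 18 2001 09:41:33: %PIX-2-106001: Inbound TCP connection denied ..."),
    ("10.1.1.2", "Jan 01 1993 00:00:05: %PIX-6-302001: Built outbound TCP connection 9 ..."),
    ("10.1.1.2", "Jan 01 1993 00:00:06: %PIX-3-305005: No translation group found ..."),
    ("10.1.1.2", "garbage that is not a PIX message"),
]


def parse_pix_line(source, line, received_at):
    """Return a record for one syslog payload, or None if it is not PIX format."""
    m = PIX_RE.match(line)
    if not m:
        return None
    return {
        "source": source,
        "received_at": received_at,          # server clock: used for ordering
        "device_time": m.group("devtime"),   # PIX clock: kept for reference only
        "severity": int(m.group("sev")),
        "msgid": m.group("msgid"),
        "text": m.group("text"),
    }


def route(records, critical_level=3):
    """Split records into per-source logs, one combined log and a critical log.

    Severity <= critical_level (errors and worse by default) is also copied to
    critical.log so it need not be grepped out of the combined log later.
    """
    logs = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["received_at"]):
        logs["all.log"].append(rec)
        logs[rec["source"] + ".log"].append(rec)
        if rec["severity"] <= critical_level:
            logs["critical.log"].append(rec)
    return dict(logs)


def process(sample=SAMPLE, start=datetime(2001, 12, 18, 14, 0, tzinfo=timezone.utc)):
    """Stamp each line with the server's receipt time, parse it and route it."""
    records = []
    for i, (source, line) in enumerate(sample):
        rec = parse_pix_line(source, line, start + timedelta(seconds=i))
        if rec is not None:
            records.append(rec)
    return route(records)


if __name__ == "__main__":
    for name, recs in process().items():
        print(name, [(r["source"], r["msgid"]) for r in recs])
```

Because ordering uses the receipt time, the 1993-stamped lines from the second PIX still sort correctly relative to the first unit's lines.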


--__--__--

Message: 8
From: "Carol Smith" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: NIS+ across a firewall (Unix servers)
Date: Tue, 18 Dec 2001 07:02:09 -0500


Thank you for your reply.  We were looking to use NIS+ in the dmz for
user/password/group admin consolidation.  Root is not going to be under NIS+.

I was also looking into definitive information about the way rpc services
grabs a port and the implications for a firewall.







--__--__--

Message: 9
Date: Tue, 18 Dec 2001 08:00:35 -0500 (EST)
From: Paul Robertson <[EMAIL PROTECTED]>
To: Carol Smith <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Subject: Re: NIS+ across a firewall (Unix servers)

On Tue, 18 Dec 2001, Carol Smith wrote:

> Thank you for your reply.  We were looking to use NIS+ in the dmz for
> user/password/group admin consolidation.  Root is not going to be under NIS+.

If you really have to go there, I'd recommend either ssh with pre-shared
keys, or RADIUS.

>
> I was also looking into definitive information about the way rpc services
> grabs a port and the implications for a firewall.

Most firewalls don't understand RPC services, so you're left with opening
up a range of ports (for Solaris in the 32nnn range) as well as rpcbind.

The rpc program will grab an ephemeral port (which on Solaris will be
predictable if the machine config doesn't change and Sun never changes the
algorithm) then registers its name and port with rpcbind/portmapper.
Anything client-wise queries rpcbind, gets the port information and then
opens the connection.  If your firewall understood RPC, then it could
dynamically open the ephemeral port associated with the service and let
that traffic happen- if it really understood it, it could make sure that
only one service was allowed.  Possibly someone could do that with INSPECT
on FW-1, and Sidewinder used to advertise an RPC proxy service- but even
then, the risk is bad.

You'd still need to leave rpcbind open to the DMZ- and that's a huge hole.
If you leave high ports open, then you're allowing DMZ servers to access
basically *any* RPC service on the NIS master.  The only two ways to expose
your NIS server to more risk are to (a) pipe anything to it via the
firewall, or (b) move it to the DMZ.

A firewall's protection mechanism is based on what it blocks, allowing
historically compromised services from the outside in negates the value of
the firewall.

Paul
-----------------------------------------------------------------------------

Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
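Paul's point about the port-range workaround can be measured rather than argued: take the RPC registrations on the NIS master and check which of them a "rpcbind plus the 32nnn range" rule actually exposes, versus the exact-port rules an RPC-aware firewall would open. This is an added example and not code from any poster; the `rpcinfo -p` listing is constructed (standard program numbers, made-up ephemeral ports), and the rule tuples are an assumed `(proto, low, high)` representation of a firewall policy.

```python
import re

# Constructed rpcinfo -p style listing for a Solaris NIS+ master.  Program
# numbers are the standard assignments; the 327xx ephemeral ports are made up
# for the example (they change when the box reboots or its config changes).
RPCINFO_SAMPLE = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100300    3   tcp  32771  nisd
    100300    3   udp  32771  nisd
    100005    1   udp  32772  mountd
    100005    1   tcp  32773  mountd
    100003    2   udp   2049  nfs
    100024    1   udp  32774  status
    100021    4   tcp   4045  nlockmgr
"""

# The rule set the text describes for a firewall that does not understand RPC:
# rpcbind plus the whole Solaris 32nnn ephemeral range, on both protocols.
RANGE_RULES = [
    ("tcp", 111, 111), ("udp", 111, 111),
    ("tcp", 32000, 32999), ("udp", 32000, 32999),
]

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


def parse_rpcinfo(text):
    """Parse rpcinfo -p output into registration dicts; the header line is skipped."""
    regs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            prog, vers, proto, port, service = m.groups()
            regs.append({"program": int(prog), "version": int(vers),
                         "proto": proto, "port": int(port), "service": service})
    return regs


def reachable(regs, rules):
    """Registrations a DMZ client could reach through the given (proto, lo, hi) rules."""
    return [r for r in regs
            if any(r["proto"] == p and lo <= r["port"] <= hi for p, lo, hi in rules)]


def exposure_report(regs, rules, intended=("rpcbind", "nisd")):
    """Which services the rules expose, and which of those were never intended."""
    names = sorted({r["service"] for r in reachable(regs, rules)})
    return {"reachable": names,
            "unintended": [n for n in names if n not in intended]}


def minimal_rules(regs, services):
    """Exact-port rules for the wanted services, i.e. what an RPC-aware firewall
    would open dynamically.  Only valid until the registered ports change."""
    return sorted((r["proto"], r["port"], r["port"])
                  for r in regs if r["service"] in services)


if __name__ == "__main__":
    regs = parse_rpcinfo(RPCINFO_SAMPLE)
    print(exposure_report(regs, RANGE_RULES))
    print(minimal_rules(regs, {"nisd"}))
```

On the sample listing the range rule reaches mountd and status as well as nisd, which is the "basically any RPC service" exposure the message warns about; the exact-port rules avoid that but go stale as soon as the ephemeral ports move.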


--__--__--

Message: 10
Subject: NAT
To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Date: Tue, 18 Dec 2001 17:01:24 +0100

Is it possible in CheckPoint FireWall-1 (v41.1sp5) to NAT the whole class C
to class C so that for instance IP 192.168.1.1 becomes 131.200.1.1 and
192.168.1.2 becomes 131.200.1.2 and so on. Is it possible only on a specific
IP?

Thanks,
Artur


--__--__--

Message: 11
Date: 18 Dec 2001 18:11:05 -0000
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: NAT





jaskdjalskdj
:q
:q
q
:quit

--__--__--

Message: 12
Date: Tue, 18 Dec 2001 18:36:59 +0100
From: Matthias Leu <[EMAIL PROTECTED]>
Organization: AERAsec Network Services and Security GmbH
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: NAT

Hi,
yes, it's possible. You will have to configure source static NAT. So one
internal Class C network will be translated to an official Class C network.
This works for any IP addresses - but the number of IPs has to be the same
for each side.
Hope it helps,
best regards
Matthias

[EMAIL PROTECTED] wrote:

> Is it possible in CheckPoint FireWall-1 (v41.1sp5) to NAT the whole class C
> to class C so that for instance IP 192.168.1.1 becomes 131.200.1.1 and
> 192.168.1.2 becomes 131.200.1.2 and so on. Is it possible only on a specific
> IP?
>
> Thanks,
> Artur
>

--
AERAsec Network Services and Security GmbH
Wagenberger Straße 1
D-85662 Hohenbrunn, Germany
http://www.aerasec.de
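The mapping Matthias describes (host N of the internal class C becomes host N of the official one) and his condition that both sides have the same number of addresses can be checked before touching the firewall. This is an added example, not FireWall-1 code or code from either poster; it models a source static NAT rule with the standard library only, using the two networks from Artur's question, and a /32 pair stands in for the single-host case.

```python
from ipaddress import ip_address, ip_network


def build_static_nat(internal, external):
    """Describe a one-to-one (source static) NAT between two networks.

    Static NAT maps host N of the internal network to host N of the external
    one, so both sides must be the same size; that is checked here.  Returns
    (inside, outside, offset), where offset is what to add to an internal
    address to get its external twin.
    """
    inside = ip_network(internal)
    outside = ip_network(external)
    if inside.prefixlen != outside.prefixlen:
        raise ValueError("static NAT needs equally sized networks: %s (%d addrs) vs %s (%d addrs)"
                         % (inside, inside.num_addresses, outside, outside.num_addresses))
    if inside.overlaps(outside):
        raise ValueError("internal and external ranges overlap")
    offset = int(outside.network_address) - int(inside.network_address)
    return inside, outside, offset


def translate(table, addr):
    """Internal -> external; None if the address is outside the NAT'ed range."""
    inside, _outside, offset = table
    a = ip_address(addr)
    if a not in inside:
        return None
    return ip_address(int(a) + offset)


def untranslate(table, addr):
    """External -> internal, the reverse lookup applied to returning packets."""
    _inside, outside, offset = table
    a = ip_address(addr)
    if a not in outside:
        return None
    return ip_address(int(a) - offset)


def nat_pairs(table):
    """The full translation table, handy for reviewing a rule before deploying it."""
    inside, _outside, _offset = table
    return [(str(a), str(translate(table, a))) for a in inside]


if __name__ == "__main__":
    whole_class_c = build_static_nat("192.168.1.0/24", "131.200.1.0/24")
    print(translate(whole_class_c, "192.168.1.1"))      # 131.200.1.1
    print(untranslate(whole_class_c, "131.200.1.2"))    # 192.168.1.2
    one_host = build_static_nat("192.168.1.10/32", "131.200.1.10/32")
    print(nat_pairs(one_host))
```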




--__--__--

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls


End of Firewalls Digest



