1. netscreen dip question. (GOH)

Netscreen's fundamental issues: you may not find any answer from Netscreen Co., because their concept for the NS 10 and other products does not support that. It is not a code issue. Calling Netscreen may consume your time.....

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, February 27, 2002 2:45 AM
To: [EMAIL PROTECTED]
Subject: Firewalls digest, Vol 1 #561 - 12 msgs

Send Firewalls mailing list submissions to [EMAIL PROTECTED]

To subscribe or unsubscribe via the World Wide Web, visit http://lists.gnac.net/mailman/listinfo/firewalls or, via email, send a message with subject or body 'help' to [EMAIL PROTECTED]

You can reach the person managing the list at [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific than "Re: Contents of Firewalls digest..."

Today's Topics:

   1. netscreen dip question. (bob bobing)
   2. hardening of netware 5.0 (vishwas asemend)
   3. RE: choice netscreen / sidewinder (Klaus Schulze)
   4. RE: iFolder ([EMAIL PROTECTED])
   5. RE: Firewalls digest, Vol 1 #558 - 12 msgs ([EMAIL PROTECTED])
   6. RE: netscreen dip question. (Dell, Jeffrey)
   7. Avantail as a firewall?? (Miorelli, Robert CORP)
   8. Site to site VPN (Rick Brown)
   9. RE: choice netscreen / sidewinder (Hudson Delbert J Contr 61 CS/SCBN)
  10. Securing the FW-1 Firewall ([EMAIL PROTECTED])
  11. RE: netscreen dip question. (bob bobing)
  12. Re: Site to site VPN (Adam Safier)

--__--__--

Message: 1
Date: Mon, 25 Feb 2002 23:04:11 -0800 (PST)
From: bob bobing <[EMAIL PROTECTED]>
Subject: netscreen dip question.
To: [EMAIL PROTECTED]

Well, after almost a week of playing phone tag with Netscreen support I'm going to ask here, because I still don't have any answer. Using a Netscreen 10, is there any way to set up a MIP on the DMZ? To the rest of the world this means a static NAT (Netscreen must have asked the Linux folks for some names they dropped over masquerading (yes, that was a joke)).
I basically want to statically NAT 2 IPs on the DMZ segment to 2 IPs on the internal network. On 2.6.x this doesn't seem to be an option. Is this just a code issue, or is it a Netscreen-10 issue?

--__--__--

Message: 2
Date: Mon, 25 Feb 2002 23:32:43 -0800
From: "vishwas asemend" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: hardening of netware 5.0

Does anyone have any links/documents for NetWare 5.0 hardening? Any suggestions will be appreciated.

Thanks and regards,
vish

--__--__--

Message: 3
From: "Klaus Schulze" <[EMAIL PROTECTED]>
To: "'Gary Rose'" <[EMAIL PROTECTED]>, "'Clark, Steve'" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Subject: RE: choice netscreen / sidewinder
Date: Tue, 26 Feb 2002 10:20:34 +0100

If you need an easy-to-configure firewall (firewall plus proxy plus virus protection) and VPN gateway, take Astaro Security Linux. A free evaluation download is on their web page, www.astaro.com

Klaus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gary Rose
Sent: Monday, February 25, 2002 4:43 PM
To: Clark, Steve
Cc: '[EMAIL PROTECTED]'
Subject: Re: choice netscreen / sidewinder

Secure Systems (maker of SideWinder) also bought the Gauntlet proxy firewall and VPN technology from NAI and are incorporating the two products.
http://www.nai.com/naicommon/aboutnai/press/pr_template.asp?PR=/PressMedia/02132002-B.asp&Sel=1219

-Gary

On Monday, February 25, 2002, at 06:59 AM, Clark, Steve wrote:

> Never heard of sidewinder. Netscreens all the way.
>
> Steve Clark
> Clark Systems Support, LLC
> AVIEN Charter Member
> "Who's watching your network?"
> www.clarksupport.com
> 301-610-9584 voice
> 240-465-0323 Efax
>
> The data furnished in connection with this document is deemed by Clark Systems Support, LLC., to contain proprietary and privileged information and shall not be disclosed or used for the benefit of others without the prior written permission of Clark Systems Support, LLC.
>
> -----Original Message-----
> From: VINTROU, Gilles [mailto:[EMAIL PROTECTED]]
> Sent: Monday, February 25, 2002 9:34 AM
> To: Firewalls (E-mail)
> Subject: choice netscreen / sidewinder
>
> Hello folks
>
> I'd like to know which firewall / vpn to choose between netscreen 25 and sidewinder 5.2? It must be easy to configure, vpn compliant and secure enough.
>
> Thanks for your answers
>
> GV

--__--__--

Message: 4
Subject: RE: iFolder
Date: Tue, 26 Feb 2002 13:57:35 +0200
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Greg, I may be mistaken, but if I recall correctly, the iFolder password is transmitted in clear text, so that may be an issue, but I haven't worked with it for a while (since I did the pre pre pre course from Novell) and it may be different.

Mike

> -----Original Message-----
> From: Greg S [SMTP:[EMAIL PROTECTED]]
> Sent: February 26, 2002 0:49
> To: [EMAIL PROTECTED]
> Subject: iFolder
>
> Hi,
>
> Does anyone know of any security vulnerabilities with Novell's iFolder software?
>
> Aside from the risks involved with opening a port through the firewall, are there any additional risks with allowing the iFolder service?
>
> Thanks in advance,
> Greg
--__--__--

Message: 5
From: [EMAIL PROTECTED]
Date: Tue, 26 Feb 2002 9:21:19 +0000
To: [EMAIL PROTECTED]
Subject: RE: Firewalls digest, Vol 1 #558 - 12 msgs

Gilles, as a reseller of both Netscreen and Sidewinder, I would advise you as I advise all our potential customers. If you are planning to open inbound ports from the Internet to your internal network (or a DMZ) for almost any common service (HTTP, FTP etc.), then choose Sidewinder: it is an application-level proxy firewall, which is the most secure currently available. If you are planning to only provide outbound services (with the exception of e-mail), then it's your call; Netscreen will do the job quite adequately, it is a stateful packet inspection firewall which should be fine for outbound stuff.

Adam Thompson

> Message: 2
> From: "VINTROU, Gilles" <GVINTROU@EKIP.FR>
> To: "Firewalls (E-mail)" <firewalls@lists.gnac.net>
> Subject: choice netscreen / sidewinder
> Date: Mon, 25 Feb 2002 15:33:38 +0100
>
> Hello folks
>
> I'd like to know which firewall / vpn to choose between netscreen 25 and sidewinder 5.2?
> It must be easy to configure, vpn compliant and secure enough.
>
> Thanks for your answers
>
> GV

--__--__--

Message: 6
From: "Dell, Jeffrey" <[EMAIL PROTECTED]>
To: 'bob bobing' <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: RE: netscreen dip question.
Date: Tue, 26 Feb 2002 06:51:23 -0500

This is a code issue. With version 3.1 you will be able to do this, but currently 3.1 is only for the Netscreen-25 and 50.

-----Original Message-----
From: bob bobing [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 26, 2002 2:04 AM
To: [EMAIL PROTECTED]
Subject: netscreen dip question.

Well, after almost a week of playing phone tag with Netscreen support I'm going to ask here, because I still don't have any answer. Using a Netscreen 10, is there any way to set up a MIP on the DMZ? To the rest of the world this means a static NAT (Netscreen must have asked the Linux folks for some names they dropped over masquerading (yes, that was a joke)). I basically want to statically NAT 2 IPs on the DMZ segment to 2 IPs on the internal network. On 2.6.x this doesn't seem to be an option.

Is this just a code issue, or is it a Netscreen-10 issue?

--__--__--

Message: 7
From: "Miorelli, Robert CORP" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Avantail as a firewall??
Date: Tue, 26 Feb 2002 10:17:24 -0500

We have been tasked with the job of letting authenticated users into our network via the internet.
One possible solution is an Aventail system where they put their rack of gear on our site and operate the 'firewall' on our behalf. All users use their proprietary SOCKS implementation. What we gain is Aventail managing the users for us (their help desk, etc.). We don't especially like this solution and are looking for alternatives before we commit to Aventail. Any other similar products out there that people can recommend? Any Aventail clients? Note that this is not our main firewall -- we have normal firewalls. This is for a class of authenticated users who need special access that we do not handle on our current firewall.

Thanks for any suggestions.

-->BoB

Bob Miorelli
United Technologies Network Services
25 Holly Drive
Newington, CT 06111
E-mail: [EMAIL PROTECTED]
Phone: (860) 665-1667
FAX: (860) 665-1790

--__--__--

Message: 8
Date: Tue, 26 Feb 2002 07:57:55 -0800 (PST)
From: Rick Brown <[EMAIL PROTECTED]>
Subject: Site to site VPN
To: [EMAIL PROTECTED]

I have to connect via VPN to another site and I need some advice/insight. Like everyone else, we have a set number of public IP addresses. The VPN is going to be two way (i.e. site A needs to access site B hosts and site B needs to access site A hosts). I'm a little fuzzy as to how to define the encryption domain. Our firewall is doing a HIDE NAT using the public address of the firewall. If I understand things, if I use my entire public range as the encryption domain, things should work, but if a public system is compromised they could potentially get VPN access to the other site (right?). Would static mappings get around this and, if so, would I just define a portion of the public range as the encryption domain? I'd like to not have to do static mappings so that I don't use up a lot of IP addresses. Any help would be appreciated. Thanks.
--__--__--

Message: 9
From: Hudson Delbert J Contr 61 CS/SCBN <[EMAIL PROTECTED]>
To: "'Klaus Schulze'" <[EMAIL PROTECTED]>, "'Gary Rose'" <[EMAIL PROTECTED]>, "'Clark, Steve'" <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: RE: choice netscreen / sidewinder
Date: Tue, 26 Feb 2002 08:13:17 -0800

Klaus, the question is which of Netscreen or Sidewinder is a better choice. Focus on the parameters of the discussion and quit brown-nosing vendors.

piranha....

-----Original Message-----
From: Klaus Schulze [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 26, 2002 1:21 AM
To: 'Gary Rose'; 'Clark, Steve'
Cc: [EMAIL PROTECTED]
Subject: RE: choice netscreen / sidewinder

If you need an easy-to-configure firewall (firewall plus proxy plus virus protection) and VPN gateway, take Astaro Security Linux. A free evaluation download is on their web page, www.astaro.com

Klaus

--__--__--

Message: 10
Subject: Securing the FW-1 Firewall
To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Date: Tue, 26 Feb 2002 16:17:09 +0000

Hi All,

I have FW-1 on Nokia. I have implemented VRRP as part of the FW-1/Nokia failover solution, and therefore have both "real" and "virtual" addresses for my interfaces. I have closed the firewall as best as I am allowed (I need to let some remote systems "ping"), but still the "real" IP address of each interface is being shown in traceroutes!! What have I missed? How do I make my FW-1 totally anonymous? Just in case I missed anything else, what are the general guidelines for securing FW-1??
I have all my management activity limited to a completely separate, secured LAN and I only have specific rules (i.e. the only "any" destinations I have are either for port 80 or for "drop" actions). I have anti-spoofing set as recommended, but I do not have SYNDefender active as yet. Anything else?

Cheers,
Gordon

--__--__--

Message: 11
Date: Tue, 26 Feb 2002 08:25:18 -0800 (PST)
From: bob bobing <[EMAIL PROTECTED]>
Subject: RE: netscreen dip question.
To: [EMAIL PROTECTED]

You would think that someone in support would have known this, and could have left me a voice mail saying that. Thanks!

--- "Dell, Jeffrey" <[EMAIL PROTECTED]> wrote:
> This is a code issue. With version 3.1 you will be able to do this, but currently 3.1 is only for the Netscreen-25 and 50.

--__--__--

Message: 12
From: "Adam Safier" <[EMAIL PROTECTED]>
To: "Rick Brown" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Subject: Re: Site to site VPN
Date: Tue, 26 Feb 2002 12:41:50 -0500

Your encryption domain should be your hidden network, not your Internet-visible IPs. That would make your hidden IPs visible to the remote VPN site. Otherwise you are stuck with static NAT. The VPN gateway's external IP needs to be seen by the remote VPN gateway.

Yes, if you have a VPN and one of the machines gets compromised at one end, then the other end could be vulnerable. Use your rules to specify which individual systems may access which other systems using which protocols. That might help a little. Think of site-to-site VPN like a leased line, even though you are using the public network. Your rules are ACLs. User authentication still needs to occur on the internal network and I like to have an IDS to monitor for "friendly fire" (attacks from "trusted" users or business partners).

Adam

Adam Safier
Global Systems & Strategies, Inc (GSS)
7000 Security Blvd, Suite 300
Baltimore, Md. 21244
(443) 436-6393
(410) 281-9193 (Main)
[EMAIL PROTECTED]

----- Original Message -----
From: "Rick Brown" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 26, 2002 10:57 AM
Subject: Site to site VPN

> I have to connect via VPN to another site and I need some advice/insight. Like everyone else, we have a set number of public IP addresses. The VPN is going to be two way (i.e. site A needs to access site B hosts and site B needs to access site A hosts).
> I'm a little fuzzy as to how to define the encryption domain. Our firewall is doing a HIDE NAT using the public address of the firewall. If I understand things, if I use my entire public range as the encryption domain, things should work, but if a public system is compromised they could potentially get VPN access to the other site (right?). Would static mappings get around this and, if so, would I just define a portion of the public range as the encryption domain? I'd like to not have to do static mappings so that I don't use up a lot of IP addresses. Any help would be appreciated. Thanks.

--__--__--

End of Firewalls Digest
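As an added illustration of Adam's answer to Rick (my example, not code from the digest or from any firewall product), here is a small Python model of the two encryption-domain choices, with constructed addresses, showing why the hidden network plus per-system rules is the safer definition: with the public range as the domain a compromised public host sits inside the tunnel and HIDE NAT makes every internal host look like the gateway, whereas with the hidden network as the domain the public host is not part of the VPN at all and rules can name individual systems.

```python
"""Site-to-site VPN encryption domain and per-system ACLs (constructed example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Site:
    name: str
    gateway: IPv4Address            # public address of the VPN gateway
    hidden_net: IPv4Network         # internal (hidden) network behind the firewall
    encryption_domain: IPv4Network  # addresses whose traffic goes through the tunnel


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: str  # e.g. "tcp/1433"; "*" matches anything


ANY = ip_network("0.0.0.0/0")


def egress_address(site, src):
    """HIDE NAT as described in the thread: a hidden host that is not itself part
    of the encryption domain leaves the firewall as the gateway's public address."""
    if src in site.hidden_net and src not in site.encryption_domain:
        return site.gateway
    return src


def evaluate(local, remote, rules, src, dst, proto):
    """'clear' = not tunnelled, 'dropped' = tunnelled but no rule permits it,
    'tunnelled' = encrypted to the remote site and permitted by a rule."""
    s = egress_address(local, ip_address(src))
    d = ip_address(dst)
    if s not in local.encryption_domain or d not in remote.encryption_domain:
        return "clear"
    for r in rules:
        if s in r.src and d in r.dst and r.proto in ("*", proto):
            return "tunnelled"
    return "dropped"


# Constructed sites: site A with the two domain choices Rick is weighing, and site B.
A_PUBLIC = Site("A", ip_address("198.51.100.1"), ip_network("10.1.0.0/16"),
                ip_network("198.51.100.0/24"))  # whole public range as the domain
A_HIDDEN = Site("A", ip_address("198.51.100.1"), ip_network("10.1.0.0/16"),
                ip_network("10.1.0.0/16"))      # hidden network as the domain
B = Site("B", ip_address("203.0.113.1"), ip_network("10.2.0.0/16"),
         ip_network("10.2.0.0/16"))

PERMIT_ALL = [Rule(ANY, ANY, "*")]
# Adam's advice: name the individual systems and protocols, in both directions.
STRICT = [Rule(ip_network("10.1.5.10/32"), ip_network("10.2.8.20/32"), "tcp/1433"),
          Rule(ip_network("10.2.8.20/32"), ip_network("10.1.5.10/32"), "tcp/1433")]

WEB_SERVER = "198.51.100.80"  # publicly reachable host at site A
APP_SERVER = "10.1.5.10"      # hidden host at site A
DB_SERVER = "10.2.8.20"       # hidden host at site B


def compare():
    """Outcomes for the same packets under the two encryption-domain choices."""
    return {
        # public range as domain: a compromised public host is inside the tunnel ...
        "public/web->db": evaluate(A_PUBLIC, B, PERMIT_ALL, WEB_SERVER, DB_SERVER, "tcp/22"),
        # ... and every hidden host appears as the gateway, so rules cannot tell them apart
        "public/app egress": str(egress_address(A_PUBLIC, ip_address(APP_SERVER))),
        # hidden network as domain: the public host is simply not part of the VPN ...
        "hidden/web->db": evaluate(A_HIDDEN, B, PERMIT_ALL, WEB_SERVER, DB_SERVER, "tcp/22"),
        # ... and per-system, per-protocol rules become meaningful
        "hidden/app->db sql": evaluate(A_HIDDEN, B, STRICT, APP_SERVER, DB_SERVER, "tcp/1433"),
        "hidden/app->db ssh": evaluate(A_HIDDEN, B, STRICT, APP_SERVER, DB_SERVER, "tcp/22"),
    }
```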
