RE: how to build a pix firewall out of a PC box. [7:18335]

2001-09-09 Thread Hundley, Kent

No.  Like I said, the problem is getting the right ISA flash card.  I don't
remember the exact model I tried, but I could not get it to work.  The PIX
bios is apparently coded to try a load itself from a particular memory
address on the flash card.  If the card you get does not support loading
from that memory address it won't work.  The easiest way around this would
be to get the card from Cisco, but last I checked they were very expensive
compared to generic cards.

The poster I was replying to seemed to be saying they found a Cisco flash
card for $100 and I was inquiring where they got it from.

My opinion on this thread is the OP should post their instructions complete
with the make and model of the ISA flash card they used.  

The only other information that would be useful is if someone knows a place
selling _Cisco_ ISA flash cards for $100, or if someone has an ISA flash
card that they know for a fact is the same as the one Cisco sells or that
they know for a fact allows you to build a PIX.  

-Kent
 

-Original Message-
From: Russ Kreigh [mailto:[EMAIL PROTECTED]]
Sent: Saturday, September 08, 2001 7:18 AM
To: Hundley, Kent; [EMAIL PROTECTED]
Subject: RE: how to build a pix firewall out of a PC box. [7:18335]


http://calibri.net/isa-doc.jpg  Like one of these???

BTW has anyone gotten instructions yet??? I am STILL waiting.


-Russ



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Hundley, Kent
Sent: Saturday, September 08, 2001 1:33 AM
To: [EMAIL PROTECTED]
Subject: RE: how to build a pix firewall out of a PC box. [7:18335]


Where did you get a quote for $100?  The prices I have been quoted for the
16MB ISA flash card from Cisco were considerably more than that.  I don't
remember exactly what the price was but it was somewhere around $700-$800 if
memory serves.

-Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 07, 2001 4:16 PM
To: [EMAIL PROTECTED]
Subject: RE: how to build a pix firewall out of a PC box. [7:18335]


well the flash card is only $100 dls, that's pretty cheap versus going and
buying a pix

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Kent Hundley
Sent: Thursday, September 06, 2001 6:23 PM
To: [EMAIL PROTECTED]
Subject: RE: how to build a pix firewall out of a PC box. [7:18335]


I have tried building the PIX from a PC in the past and the sticking point
is getting the correct ISA flash card.  Unless there is some magic you know
of, the card has to support booting from certain memory addresses or it
won't work. (or at least it didn't when I tried)  The PIX actually loads its
bios from the flash card, so without the correct flash card you won't get
far.

If you got your flash from a friend, did they get it from a PIX?  If so,
this is obviously "cheating" since the point of trying to build a PIX is
that you don't have one to get the flash card from in the first place. If
not, where did they get it and what is the manufacturer and model?

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Sean Young
Sent: Wednesday, September 05, 2001 7:55 AM
To: [EMAIL PROTECTED]
Subject: RE: how to build a pix firewall out of a PC box. [7:18335]


OK, I have been getting 256 emails for the past few days regarding how to
build a PIX out of an old PC.  Now for those who have all the spare
parts, you just have to wait a tad longer until everyone in the group gets
their parts so that we can build the PIX together at once.

Regarding the flash card, this is rather old technology; before the
PCMCIA card, old machines used it to store programs instead of a
hard drive or other means.  The flash card I am talking about is the one
that looks like an old ISA video card that gets inserted into the ISA
slot on the motherboard.  Because the PIX doesn't use a hard drive, this flash
card is where the PIX IOS code resides.  I don't know where to purchase
it.  I got this card from a friend of mine.

Another thing, as I've mentioned before, the NICs have to be Intel
Etherexpress model 82577 (one of those weird-shaped looking cards) or the
PIX will not work.  Now these cards you can get on eBay very cheaply.

Regards,

Mike Johnson [CCNP Security Specialist]

>From: "Paul Jin"
>Reply-To: "Paul Jin"
>To: [EMAIL PROTECTED]
>Subject: RE: how to build a pix firewall out of a PC box. [7:18335]
>Date: Mon, 3 Sep 2001 18:06:45 -0400
>
>Hey Mike,
>
>I am definitely interested.
>
>I am assuming that we can do this with almost any spare







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&a

RE: how to build a pix firewall out of a PC box. [7:18335]

2001-09-07 Thread Hundley, Kent

Where did you get a quote for $100?  The prices I have been quoted for the
16MB ISA flash card from Cisco were considerably more than that.  I don't
remember exactly what the price was but it was somewhere around $700-$800 if
memory serves.

-Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 07, 2001 4:16 PM
To: [EMAIL PROTECTED]
Subject: RE: how to build a pix firewall out of a PC box. [7:18335]


well the flash card is only $100 dls, that's pretty cheap versus going and
buying a pix

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Kent Hundley
Sent: Thursday, September 06, 2001 6:23 PM
To: [EMAIL PROTECTED]
Subject: RE: how to build a pix firewall out of a PC box. [7:18335]


I have tried building the PIX from a PC in the past and the sticking point
is getting the correct ISA flash card.  Unless there is some magic you know
of, the card has to support booting from certain memory addresses or it
won't work. (or at least it didn't when I tried)  The PIX actually loads its
bios from the flash card, so without the correct flash card you won't get
far.

If you got your flash from a friend, did they get it from a PIX?  If so,
this is obviously "cheating" since the point of trying to build a PIX is
that you don't have one to get the flash card from in the first place. If
not, where did they get it and what is the manufacturer and model?

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Sean Young
Sent: Wednesday, September 05, 2001 7:55 AM
To: [EMAIL PROTECTED]
Subject: RE: how to build a pix firewall out of a PC box. [7:18335]


OK, I have been getting 256 emails for the past few days regarding how to
build a PIX out of an old PC.  Now for those who have all the spare
parts, you just have to wait a tad longer until everyone in the group gets
their parts so that we can build the PIX together at once.

Regarding the flash card, this is rather old technology; before the
PCMCIA card, old machines used it to store programs instead of a
hard drive or other means.  The flash card I am talking about is the one
that looks like an old ISA video card that gets inserted into the ISA
slot on the motherboard.  Because the PIX doesn't use a hard drive, this flash
card is where the PIX IOS code resides.  I don't know where to purchase
it.  I got this card from a friend of mine.

Another thing, as I've mentioned before, the NICs have to be Intel
Etherexpress model 82577 (one of those weird-shaped looking cards) or the
PIX will not work.  Now these cards you can get on eBay very cheaply.

Regards,

Mike Johnson [CCNP Security Specialist]

>From: "Paul Jin"
>Reply-To: "Paul Jin"
>To: [EMAIL PROTECTED]
>Subject: RE: how to build a pix firewall out of a PC box. [7:18335]
>Date: Mon, 3 Sep 2001 18:06:45 -0400
>
>Hey Mike,
>
>I am definitely interested.
>
>I am assuming that we can do this with almost any spare







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=19086&t=18335
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: ACL - TCP established [7:17297]

2001-09-03 Thread Hundley, Kent

Interesting, but I doubt many people are still running 10.x code.  If they
are, they _really_ need to consider upgrading as all but 10.3 is EOL and no
doubt 10.3 will be EOL in the very near future. (this notice is from 1995)

-Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, August 31, 2001 10:51 AM
To: [EMAIL PROTECTED]
Subject: Re: ACL - TCP established [7:17297]


have a look

http://www.cisco.com/warp/public/707/2.html




- Original Message -
From: "Kent Hundley" 
To: ; "'Kent Hundley'" ;

Sent: Saturday, September 01, 2001 12:03 AM
Subject: RE: ACL - TCP established [7:17297]


> From the context of the original question, I assumed the poster was
> talking about using the 'established' keyword with a Cisco router
> access-list, not the 'established' command on a Cisco PIX.  One has
> nothing to do with the other.
>
> However, you are correct about using the permit and permitfrom with the
> established command on the PIX. It's just not relevant to what the poster
> was asking.
>
> -Kent
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Friday, August 31, 2001 9:45 AM
> To: Kent Hundley; [EMAIL PROTECTED]
> Subject: Re: ACL - TCP established [7:17297]
>
>
> it is highly recommended that you use permitto and permitfrom with the
> established command
>
> - Original Message -
> From: "Kent Hundley"
> To:
> Sent: Friday, August 31, 2001 12:45 AM
> Subject: RE: ACL - TCP established [7:17297]
>
>
> > First, there are security risks in everything.  Nothing is 100% secure
> > and given enough skill, time and effort any security countermeasure can
> > be bypassed.  What one person builds another person can break, etc., etc.
> >
> > Now, as to whether the ACK or RST flag can be manipulated, yes they can.
> > If one wants to, they can write code to create packets that have whatever
> > bits you want set, whatever options, whatever addresses, etc.
> >
> > If a machine receives a packet with an ACK bit set that it does not have
> > a session with, the stack should do something logical with it such as
> > drop the packet or send a RST. (I don't recall what the RFC says to do)
> >
> > However, IP stacks are just software written by humans and humans make
> > mistakes.  There's no guarantee that a stack won't do something
> > illogical with an illogical packet, so yes, there's some risk involved.
> > There's also the fact that the 'established' command is only good for
> > TCP streams, so lots of UDP attacks will not be blocked at all.
> >
> > HTH,
> > Kent
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > phyrz
> > Sent: Saturday, August 25, 2001 11:34 PM
> > To: [EMAIL PROTECTED]
> > Subject: ACL - TCP established [7:17297]
> >
> >
> > When using the established keyword at the end of an ACL statement, are
> > there any security risks?
> >
> > Can the ACK or RST flag in a segment header be set from a source
> > terminal to trick the ACL, making it look like the segment is
> > responding to a request?  If so, I would think that anything that
> > received the segment would ignore it. Any thoughts?
> >
> > Phyrz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=18336&t=17297
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
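The thread above turns on one distinction: an IOS `established` ACL entry only looks at the ACK/RST bits of each TCP segment, while a stateful device (the PIX, or CBAC as discussed in the later "IOS Firewall vs PIX" thread) keeps a connection table. The following toy model is an added example, not code from the mailing list or from Cisco; the addresses, ports and packets in it are constructed samples, and the `Packet` class, `established_entry_matches` and `StatefulFilter` are illustrative names, not Cisco APIs. It runs the same three packets through both checks so the difference Kent describes (an unsolicited segment with ACK set satisfies `established`; UDP is never covered by it) is visible in the verdicts.

```python
"""Added example (not from the mailing-list thread): a toy model of why an
IOS 'established' ACL entry is weaker than stateful inspection.

The 'established' keyword matches any TCP segment with the ACK or RST bit
set and keeps no connection table, so an unsolicited segment that merely
has ACK set matches it, and a UDP datagram is never examined by it at all.
The StatefulFilter below keeps a session table seeded by the inside host's
own outbound traffic and admits inbound packets only if they belong to a
recorded session.  Addresses, ports and packets are constructed samples."""
from __future__ import annotations

from dataclasses import dataclass

# TCP flag bits (control-bits field of the TCP header).
SYN = 0x02
RST = 0x04
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0  # TCP control bits; ignored for UDP


def established_entry_matches(pkt: Packet, inside_net: str = "10.0.0.") -> bool:
    """Stateless test modelled on 'permit tcp any <inside> established'.

    True when a TCP segment bound for the inside network carries ACK or RST.
    Whether a real session exists is never consulted, and a UDP datagram
    never matches (some other ACL entry decides its fate)."""
    if pkt.proto != "tcp" or not pkt.dst.startswith(inside_net):
        return False
    return bool(pkt.flags & (ACK | RST))


class StatefulFilter:
    """Minimal connection table.

    Outbound TCP SYNs and outbound UDP datagrams from the inside create a
    session entry; an inbound packet is permitted only if the reverse of its
    5-tuple is already in the table."""

    def __init__(self, inside_net: str = "10.0.0.") -> None:
        self.inside_net = inside_net
        self.sessions: set[tuple[str, str, int, str, int]] = set()

    def _inside(self, addr: str) -> bool:
        return addr.startswith(self.inside_net)

    def permits(self, pkt: Packet) -> bool:
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            # Outbound: record the session from the inside host's point of view.
            opens = (pkt.proto == "tcp" and bool(pkt.flags & SYN)) or pkt.proto == "udp"
            if opens:
                self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: only return traffic for a recorded session is allowed.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return key in self.sessions


def compare_filters() -> dict[str, dict[str, bool]]:
    """Run three constructed packets through both checks and report the verdicts."""
    fw = StatefulFilter()
    # Inside host opens a web connection; this seeds the stateful table.
    fw.permits(Packet("tcp", "10.0.0.5", 40000, "198.51.100.7", 80, SYN))

    samples = {
        # Genuine SYN/ACK reply to the connection opened above.
        "legit_return": Packet("tcp", "198.51.100.7", 80, "10.0.0.5", 40000, SYN | ACK),
        # Unsolicited segment with ACK set and no matching session.
        "forged_ack": Packet("tcp", "203.0.113.9", 1234, "10.0.0.5", 22, ACK),
        # Unsolicited UDP datagram: 'established' never looks at it.
        "unsolicited_udp": Packet("udp", "203.0.113.9", 53, "10.0.0.5", 5353),
    }
    return {
        name: {
            "established_entry_matches": established_entry_matches(pkt),
            "stateful_permits": fw.permits(pkt),
        }
        for name, pkt in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in compare_filters().items():
        print(f"{name:16} {verdict}")
```

The "forged_ack" row is the case the original poster asked about: the stateless entry matches it because only the flag is inspected, while the session table rejects it. A real stateful device also checks TCP sequence numbers and ages entries out, as the later thread notes for CBAC and the PIX; this model deliberately tracks only the 5-tuple to keep the contrast readable.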



RE: Frame Relay acceptable DE packets [7:9746]

2001-06-27 Thread Hundley, Kent

Michael,

My comments are inline with **:

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Michael L. Williams
Sent: Monday, June 25, 2001 9:02 PM
To: [EMAIL PROTECTED]
Subject: Re: Frame Relay acceptable DE packets [7:9746]


Kent. I have some questions they're inline

"Kent Hundley" wrote in message news:[EMAIL PROTECTED]...
> Symon,
>
> Unfortunately, it's not as simple as looking at the DE packets.  Simply
> looking at DE packets alone doesn't tell you anything really.  The reason
> is that if the FR cloud doesn't experience congestion, those DE packets
> will get there just as well as the non-DE packets.  Some carriers
> encourage their customers to use 0K CIR because "we don't oversubscribe
> our network", so _all_ packets are marked DE. (Sprint used to do this,
> don't know if they still do or not)

This is good.. I often heard that people would suggest 0 CIR so that
they could oversubscribe the #*&$  out of their network =)
Then when people's traffic didn't go through they could go "well we agreed
to carry 0"


** Can't speak to that, the only carrier I have seen that recommended 0 CIR
** is Sprint, and it seemed to work fairly well at the time, this is circa
** 1997.  They always claimed that they didn't over-subscribe their network,
** so no reason to pay for CIR.  Course, their pricing for 0 CIR was in line
** with buying CIR from other carriers, so in the end from a cost point it
** was a bit of a wash.


> If you see the FECN's spike without a corresponding spike in the DE, that
> means your provider is experiencing congestion, but it's on a backbone link
> and not your link.  This means the provider's links are over-subscribed
> and your packets are likely getting dropped without being marked DE.

If this happens, and you sniff both sides and show that you're sending more
than you're receiving  (i.e. you prove that you have packets being lost
without being marked DE), isn't that a violation of your CIR agreement
(assuming it's > 0)?  Since nothing should get marked DE except for packets
over CIR, I can see how the logic makes sense, but does this happen often?

** Yes, and no.  It depends on how the carrier's SLAs are written.  A lot of
** SLAs are written such that you could lose quite a bit of traffic for very
** short periods of time and they would still be well within their SLAs.  For
** example, if they guarantee 99.99% packet delivery and you transfer 1
** Terabyte of data per month, they could still drop 10 Mbytes of traffic,
** which could cause problems depending on how much was dropped in a given
** period.  CIR is "guaranteed" only if the subscriber is not over-subscribed,
** but even then if the carrier has an outage it's probable that they will be
** over-subscribed for the duration of the outage.  When the bits fill the
** queues, a switch must drop traffic, DE or not.
**
** IME, you usually only see consistent congestion on international links.
** Due to cost, it seems that every carrier is over-subscribed on the
** international links and some even mark every packet going across the link
** as DE regardless of CIR. (yes, I've seen it happen)  This sort of thing
** is obviously not in keeping with the spirit of the CIR agreement, but
** again one needs to read SLA contracts very carefully as there are usually
** a lot of "weasel words" that benefit the carrier.
**
** In practice, FR seems to continue to work well and be cost effective, but
** it needs to be understood that sometimes packets will get dropped even if
** you don't exceed CIR.  If this happens consistently, it's definitely an
** issue to take up with the carrier.  With the exception of outages, it's
** definitely violating the spirit of agreements for a provider to
** oversubscribe their CIR.
**
** Regards,
** Kent




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=10091&t=9746
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: Cisco IOS Firewall vc Cisco PIX Firewall [7:8200]

2001-06-16 Thread Hundley, Kent

Your statement is incorrect.

Context Based Access Control (CBAC) has been around since 11.2 on certain
Cisco router platforms and does indeed keep state on connections through the
router, much like the PIX, i.e. CBAC keeps track of src/dst IP addresses,
src/dst port numbers and TCP sequence numbers; it also understands many
multi-channel apps like FTP, CUSeeMe, VDOlive, etc. and will dynamically open
ports as needed for these apps.

To the OP question:

The main differentiating factors between the PIX and a Cisco with CBAC (i.e.
FFS) are:

1) PIX is pre-hardened, no unnecessary services.  A router must be properly
configured to remove all unnecessary functions, but then you still cannot
selectively remove things from the code itself, just change commands so
there is always a chance that some service may still be active on the
router.  Not so on the PIX.  In simple configurations, the PIX is much
easier to get working than a similarly configured router, less room for
error, easier to manage, etc.

2) PIX code is optimized for NAT/filtering services, theoretically the PIX
should be faster than similar router hardware.  The high-end PIXes are
definitely faster than high-end CBAC routers.  Mileage may vary on the lower
end PIXes (i.e. 506, 515) depending on the router it's compared to.

3) PIX has 3rd party integration products to perform things like HTTP and
email content checking, not so with the routers.

4) PIX can do stateful failover to a backup PIX, routers cannot.

5) It's easier to sell management on a security design that uses PIX vs a
router because all they know is "we need a firewall". ;-)

HTH,
Kent 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Subba Rao
Sent: Friday, June 15, 2001 11:20 AM
To: [EMAIL PROTECTED]
Subject: Re: Cisco IOS Firewall vc Cisco PIX Firewall [7:8200]


Sam wrote:
> Does anybody know the major differences between these two firewall
> solutions?  In this particular situation performance is not an issue.  Is
a
> properly configured router using IOS firewall any less secure than using a
> PIX?
> 
> 

The Cisco PIX firewall performs stateful packet inspection/filtering. Cisco
IOS firewall cannot do that.

-- 

Subba Rao
[EMAIL PROTECTED]
http://members.home.net/subba9/

GPG public key ID 27FC9217
Key fingerprint = 2B4C 498E 1860 5A2B 6570  5852 7527 882A 27FC 9217




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=8841&t=8200
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]