firewall recommendations?

2006-03-22 Thread Matt Hess


I'm looking for a firewall that has a very high packet throughput rate, 
can handle minimal stun tasks, do server load balancing for http etc., 
handle many-to-one as well as bi-directional NAT and just plain works 
with high reliability/redundancy.


Suggestions off list would be wonderful.

Thanks.


needing switch options

2006-03-02 Thread Matt Hess


I need to find a few options for switches..
My requirements are based on heavy voip traffic so the switch needs to 
support a very high pps rate while not as much in the Gbps realms - 
we're using small codecs. We are looking at supporting > 1M subscribers.
Initially, we will be handling media but down the road most of the media 
will not need to be passed on/across our network.


I'd like to get some recommendations from the list as to vendor/models 
that have been deployed and excellent performance / cost has been achieved.


I've looked at the 3com 8807 and the 7757 kits already - I'm not sure 
they would fit the bill (low pps, fabric speed iffy, fabric fail-over 
time questionable - that's my impression from reading on their site).


Replies off list would probably be best and thanks in advance.



XO opinions

2006-02-09 Thread Matt Hess


I'd like to get opinions from people using XO's voip services as well as 
opinions on any customer service they received for whatever service 
they had from XO.. offlist replies would probably be best for all.




image stream routers

2005-09-16 Thread Matt Hess
I'd like to get some feedback as to what people's experiences are (if 
any) with image stream routers.. specifically the industrial ones.


http://www.imagestream.com/
begin:vcard
fn:Matt Hess
n:Hess;Matt
org:LiveWire Networks
adr;dom:;;4577 Pecos St;Denver;CO;80211
email;internet:[EMAIL PROTECTED]
title:Sr. Network Engineer
tel;work:303-458-5667 x 106
tel;fax:303-458-5725
x-mozilla-html:FALSE
url:http://www.livewirenet.com/
version:2.1
end:vcard



Re: Qwest PSTN problems / status page?

2005-08-22 Thread Matt Hess



Jay R. Ashworth wrote:

On Mon, Aug 22, 2005 at 03:16:01PM -0600, Mike Lewinski wrote:


We have been told they are currently experiencing a major outage and
"All calls are failing out-going" (which isn't true as I've made some
calls, but am seeing intermittent congestion returned on our PRIs)

I have also heard that it... "Seems to be on the public switching
network. Seattle can call out, Minneapolis & Ohio can't."



Qwest reportedly *just* signed a new union contract today; perhaps some
people didn't get the memo?




Considering the way some ds1 repeaters have just vanished from qwest 
central offices today - I'd have to agree with that thought.





http://news.google.com/news?q=qwest+-field

Cheers,
-- jra



Re: Qwest PSTN problems / status page?

2005-08-22 Thread Matt Hess
Their VoIP LD service is also affected.. from my initial understanding 
it affects a variety of inter-lata calls. Some inter-lata calls are down 
hard.. others are intermittent. This holds true for calls between latas 
where qwest is the ILEC. Ex: denver to somewhere in omaha (another qwest 
number).




Mike Lewinski wrote:

Is anyone aware of a network status page for Qwest PSTN.

We have been told they are currently experiencing a major outage and
"All calls are failing out-going" (which isn't true as I've made some
calls, but am seeing intermittent congestion returned on our PRIs)

I have also heard that it... "Seems to be on the public switching
network. Seattle can call out, Minneapolis & Ohio can't."

(We first noticed it WRT LD calls, and my first test was to OH and
that succeeded, so whatever it is clearly is intermittent).

Mike





Re: Active and available abuse desks [OT]

2005-01-03 Thread Matt Hess
Was told this was off-topic.. oops!
Off-list replies please, thanks.
Matt Hess wrote:
I'm curious as to what people feel is pro-active for the internet 
community as far as an available and active abuse desk goes.. As of late 
I run into more and more automated groups who I personally think are 
very wrong for forcing reports to come in via e-mail or web submission 
only.

The argument I have been presented is that those ISP's should not have 
to offer an actual human being on an abuse desk for non-customers as 
they make no money on it.

My take is that this is an inherent expense to having customers.. that 
expense is part of being involved with the internet and should be 
expected of a provider who wishes to be taken seriously in the internet 
community.

*dons flame retardant.. well, everything*
Matt Hess


Active and available abuse desks

2005-01-03 Thread Matt Hess
I'm curious as to what people feel is pro-active for the internet 
community as far as an available and active abuse desk goes.. As of late 
I run into more and more automated groups who I personally think are 
very wrong for forcing reports to come in via e-mail or web submission only.

The argument I have been presented is that those ISP's should not have 
to offer an actual human being on an abuse desk for non-customers as 
they make no money on it.

My take is that this is an inherent expense to having customers.. that 
expense is part of being involved with the internet and should be 
expected of a provider who wishes to be taken seriously in the internet 
community.

*dons flame retardant.. well, everything*
Matt Hess


Re: latest FCC rulings

2004-12-18 Thread Matt Hess

James Edwards wrote:
Wire centers serving more than 38,000 business lines or at least 4 fiber
based CLEC's (this means their own fiber, I think) do not have to offer
DS1 CO to CO loops to a CLEC. For DS3/Dark Fiber it is 24,000 business
lines or 3 fiber based CLEC's. This is interoffice transport, the CLEC's
transport between its colos, which they lease from the LEC per their
interconnect contract. It can be quite inexpensive. Why bother coloing
if you can't get good transport between the colos ?
 

Yes this is what I've gotten out of it.. facility feeder loops are still 
available but interoffice transport lines have been all but killed..
It would appear that the FCC's intention was to force the clecs to 
compete among themselves and leave the ilec out of the fray in large 
population centers.. which really makes no sense unless the fcc is 
attempting to stifle the business of clecs and limit them to less 
populated/rural areas.. hence, providing a quasi monopoly..

Much the same for customer loops from your colo.  

Unbundling, IIRC, is what the xLEC's got from the Telcom act. The loops 
and fiber. These unbundled elements can only be accessed by colocation
with the LEC, for most cases.  For wire centers that meet the limits,
key here is it has to be both sides meeting the limits for interoffice
transport (CO to CO), a colocated CLEC cannot get ds1, ds3, and dark
fiber to build their network.

 

With these rulings I think they have all but killed the UNE platform.
We are in several Qwest CO's in New Mexico, this is one of the few times
it has been good to live in NM, in the context of telecommunications.
Fiber based xLEC's, not many, and we only have one city that can be
considered big.
The questions we had at work were about the business lines. Does it
include CLEC lines ? If it does not, business lines are where the LEC's
have seen a big decrease and any counts are suspect as they may be old.
So is the xLEC supposed to buy interoffice transport from the fiber
based folks in the colo ? Can they get loops, too ?
 

We asked the Colorado PUC and they have interpreted it to mean total 
business lines.. clecs and lecs totaled together.. funny thing is.. we 
checked out the line count at denver main and it was under the 38k line 
limit.. struck me as rather funny. It would appear that the FCC 
intention is for clecs to buy from other fiber clecs.. but at least out 
here in colorado it would appear very expensive to do that.. much more 
so than back haul loops would be.

I am not sure about how this affects DS0's. Voice and
HSDSL. DSL line share is gone so you have to do voice
to offer DSL, in the wholesale context.
What are they up to ? They limit competition in locations
where there are several major providers or a lot of business customers.
 

Well, in a nutshell my interpretation is that the ilecs have gone to the 
fcc and through many rounds of lobbying and somewhat shady filings.. 
(like qwest's recent filing to become completely deregulated) they have 
told the fcc that since this administration wants to see broadband grow 
and push out to more areas the fcc needs to get the clecs off their back 
and then the ilecs will build it for them.

The fcc has done so by really hurting the interoffice transport (back 
haul loops, dark fiber restrictions, death of UNE etc.). They really 
neutered the Telecommunications Act of 1996.. for some sick reason they 
think the clecs have an equal chance against the ilecs. Heck, 2 of the 
commissioners were against the rulings.. but who cares.. a simple 
majority needs to be held to pass the rules and screw the industry.. 
sounds like a bargain deal for the ilecs.. buy 3 commissioners, get 2 free.

I find commissioner Jonathan Adelstein's opinion on this a great help to 
laying it out as to what's about to happen..
(http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-255344A5.pdf)





latest FCC rulings

2004-12-17 Thread Matt Hess
I'm curious.. with the new fcc rulings out how are other clecs planning 
on coping with them?
I'd love to hear reactions or thoughts on the latest the fcc is throwing 
at the lecs.

(http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-255344A1.pdf)
Offlist is fine in case this is considered off-topic.
Matt Hess



e.root-servers.net we have a problem..

2004-11-16 Thread Matt Hess
If there is someone on here that is responsible for e.root-servers.net 
and if that person could ping me off list I'd appreciate it, thanks.




Interland.net noc contact

2004-11-05 Thread Matt Hess
Anyone have a contact for Interland.net's noc? I don't see them on the 
noc list.. (http://puck.nether.net/netops/) and the interland customer 
care (HA!) reps have no concept of what the word "proactive" means.

Drop me a line off list please.. thanks.



Re: pppoa and a tnt

2004-09-20 Thread Matt Hess
Yes, it does, thanks. Looks like we are going with 1483..
Christopher J. Wolff wrote:
Matt,
I don't remember seeing PPPoA in the 11.0 firmware.  Hope this helps.
Christopher
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Hess
Sent: Sunday, September 19, 2004 10:18 PM
To: [EMAIL PROTECTED]
Subject: pppoa and a tnt
Does anybody know if a max tnt supports ppp over atm?


pppoa and a tnt

2004-09-19 Thread Matt Hess
Does anybody know if a max tnt supports ppp over atm?


Re: Distributed Dictionary email slam

2004-09-05 Thread Matt Hess
I completely agree, indeed it does not.. which is why we have now 
dropped doing secondary mx for this domain.

Anyway.. thanks to all who responded on and off list.. gave me a few 
good ideas to tinker with..

Probably the most notable thing from this is the technical level with 
which spammers are now employing such a distributed network of spamming 
zombie type systems in a very directed manner.. and I always pictured 
them as drooling slobs that stare at blinking lights..
;)

Randy Bush wrote:
Impossible as the customer does not wish to give us a list.
You want to keep a list of valid accounts on the secondary so you can
refuse mail for non-existing accounts on the secondary too.

anyway, as they say, that does not scale
randy
---
Q: Because it reverses the logical flow of conversation.
A: Why is top posting frowned upon?


Re: Distributed Dictionary email slam

2004-09-05 Thread Matt Hess
Impossible as the customer does not wish to give us a list.
However, I have thought of that and created some perl foo to go 
through.. identify the queued junk and remove it completely from our 
queue .. thus no bounce and no delivery.

Christopher X. Candreva wrote:
On Sun, 5 Sep 2004, Matt Hess wrote:

source hosts.. Now being as we are a secondary mx I'm dropping their record
out of our email system as I write this, however, I am curious if others have
gone through or are currently going through something of this magnitude (12K
spam/dictionary msgs per hour destined to one domain and that's just what is

You want to keep a list of valid accounts on the secondary so you can refuse 
mail for non-existing accounts on the secondary too.

If you don't care about yourself -- realize that if, say, all of these mails 
have a return address forged from the same domain, you will be DOSing THAT 
site with the bounce messages.  This is enough for some people to block mail 
from you.

==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/


Distributed Dictionary email slam

2004-09-05 Thread Matt Hess
We are secondary mx for a specific domain that has been hammered since 
friday night. We've accumulated literally thousands of email messages in 
our queue while the primary mx at the customer site is out of service 
yet again. In looking at the queue it appears that it's one heck of a 
dictionary based slam. Interesting thing about this is that it is 
distributed.. entire dictionary destination addresses such as 
[EMAIL PROTECTED] come from one host (apparently with a trojan on it or 
otherwise) while [EMAIL PROTECTED] come from yet a different host.. and 
so on down the alphabet all the while constantly changing source hosts.. 
Now being as we are a secondary mx I'm dropping their record out of our 
email system as I write this, however, I am curious if others have gone 
through or are currently going through something of this magnitude (12K 
spam/dictionary msgs per hour destined to one domain and that's just 
what is getting past the blacklist checks). Normally I see my spam block 
daemon at around 10 - 15 concurrent requests.. right now it's tearing 
along at around 160 - 180 concurrent bad connections.

And of course a few suggestions to mitigate this would be appreciated.. 
I currently employ multiple blacklists such as spamcop.net, abuseat.org, 
spews level 1 and 2, and spamhaus, plus my own blocklists for china and 
korea to check on incoming email source addresses.
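A detection and policy pass of the kind this thread is asking for, as an added example that is not code from any post here. It runs over a constructed SMTP receive log (the one-line "client= from= to=" format is invented for the example; a real MTA's log format differs and the regex is the part to swap), flags client IPs that are walking an alphabetical list of local parts for one domain, shows which slice of the alphabet each source took, totals the bounces that would land on the forged return-path domain if the mail were accepted and bounced later, and makes the accept/tempfail/reject decision at RCPT TO time so nothing has to be queued and then purged. All addresses are documentation ranges and example domains.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original post). Assumed format per RCPT:
# "<time> client=<ip> from=<return-path> to=<recipient>".
SAMPLE_LOG = """\
03:10:01 client=192.0.2.10 from=bob@victim.example to=aaron@example.net
03:10:02 client=192.0.2.10 from=bob@victim.example to=abbey@example.net
03:10:02 client=192.0.2.10 from=bob@victim.example to=abigail@example.net
03:10:03 client=192.0.2.10 from=bob@victim.example to=adam@example.net
03:10:03 client=192.0.2.10 from=bob@victim.example to=adrian@example.net
03:10:04 client=192.0.2.10 from=bob@victim.example to=alan@example.net
03:10:05 client=198.51.100.7 from=carol@victim.example to=barbara@example.net
03:10:05 client=198.51.100.7 from=carol@victim.example to=barry@example.net
03:10:06 client=198.51.100.7 from=carol@victim.example to=ben@example.net
03:10:06 client=198.51.100.7 from=carol@victim.example to=bill@example.net
03:10:07 client=198.51.100.7 from=carol@victim.example to=bob@example.net
03:10:07 client=198.51.100.7 from=carol@victim.example to=brian@example.net
03:11:00 client=203.0.113.5 from=pat@partner.example to=sales@example.net
03:11:30 client=203.0.113.5 from=pat@partner.example to=sales@example.net
03:12:00 client=203.0.113.5 from=pat@partner.example to=support@example.net
"""

LINE_RE = re.compile(
    r"client=(?P<ip>\S+) from=(?P<sender>\S*) to=(?P<local>[^@\s]+)@(?P<domain>\S+)"
)


def parse_log(text):
    """Yield (client_ip, sender, local_part, domain) per RCPT line; skip non-matching lines."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], m["sender"], m["local"].lower(), m["domain"].lower()


def dictionary_sources(text, domain, min_distinct=5, min_sorted_ratio=0.8):
    """Flag client IPs walking an alphabetical list of local parts at `domain`.

    Two signals: many distinct local parts with almost no repetition (real mail
    repeats recipients), and the local parts arriving in alphabetical order.
    Returns {ip: (distinct_count, sorted_ratio)} for flagged sources only.
    """
    per_ip = defaultdict(list)
    for ip, _sender, local, dom in parse_log(text):
        if dom == domain:
            per_ip[ip].append(local)
    flagged = {}
    for ip, locals_ in per_ip.items():
        distinct = len(set(locals_))
        if distinct < min_distinct or distinct / len(locals_) < 0.9:
            continue
        pairs = list(zip(locals_, locals_[1:]))
        ratio = sum(a <= b for a, b in pairs) / len(pairs)
        if ratio >= min_sorted_ratio:
            flagged[ip] = (distinct, round(ratio, 2))
    return flagged


def alphabet_slices(text, domain, flagged):
    """Show the distributed part: which (first, last) local part each flagged source covered."""
    seen = defaultdict(list)
    for ip, _sender, local, dom in parse_log(text):
        if dom == domain and ip in flagged:
            seen[ip].append(local)
    return {ip: (min(v), max(v)) for ip, v in seen.items()}


def backscatter_targets(text, domain, flagged):
    """Per forged return-path domain, count the bounces that accepting this mail
    and rejecting it later would send to an innocent third party."""
    counts = defaultdict(int)
    for ip, sender, _local, dom in parse_log(text):
        if dom == domain and ip in flagged and "@" in sender:
            counts[sender.split("@", 1)[1]] += 1
    return dict(counts)


def rcpt_decision(ip, local, flagged, known_users=None):
    """Decide at RCPT TO time, before queueing, so nothing has to be bounced later.

    known_users: set of valid local parts if the primary's owner supplied one;
    None means no list is available (the situation in the thread).
    """
    if known_users is not None and local not in known_users:
        return "550 5.1.1 no such user"
    if ip in flagged:
        return "450 4.7.1 try again later"  # tempfail the dictionary walker
    return "250 ok"
```

Without a user list the secondary can only tempfail suspected walkers, which is still better than accepting and bouncing: a 4xx costs the zombie a retry and sends nothing to the forged sender domain.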



Re: Research - Valid Data Gathering vs. Annoying Other

2004-08-06 Thread Matt Hess
Robert Bonomi wrote:
*HOW* is one supposed to tell a 'benign' probe from a 'hostile' one,
when it is addressed to a machine that doesn't exist, or to a 'service'
that doesn't exist on an existent machine?
With all the 'overtly hostile' traffic out there, why on earth would anyone
consider that, with regard to 'unexpected'/'abnormal' traffic, there should
be _any_ 'expectation of innocence'?

Easy, they need to set the evil bit to 0
;)



OT? experience with time warner telecom?

2004-07-16 Thread Matt Hess
Apologies if this is off topic but we are looking at time warner telecom 
for an upstream connection and I would like to get some info as to 
people's experience with this group.. good or bad. Off-list is fine.. 
especially if this is indeed OT.




Re: Blocking Win95 hosts [WAS: Lazy network operators - NOT]

2004-04-18 Thread Matt Hess
I think something like this would be best (safest?) used on collection 
mx hosts.. hosts that clients would not connect with to send mail.. just 
other servers delivering mail inward.. I personally can't imagine why 
someone would want to use a win95/98/Me system as a mta.. so this 
probably would be a rather interesting idea worth testing out. If 
nothing else the collateral in the above scenario would probably be very 
low.

And of course the fingerprint list they have has quite a few systems 
from aix to zaurus.



Patrick W.Gilmore wrote:

On Apr 18, 2004, at 11:40 PM, Matt Hess wrote:


I was amused at this and decided to look real quick.. OpenBSD's pf can 
block on OS fingerprints.. effectively doing exactly what you are 
kidding about (at least I'd hope so.. well, maybe) even in the man 
page example they put:

# Do not allow Windows 9x SMTP connections since they are typically
# a viral worm. Alternately we could limit these OSes to 1 connection each.
block in on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} \
  to any port smtp

The OS fingerprint list they have is rather extensive..



Ya know, I do not think that is such a bad idea.

Does anyone have any stats on the number of "real" MTAs that use Win9x? 
 Or of the "real" MTAs that show up as Win9x on this fingerprint?



Re: Lazy network operators - NOT

2004-04-18 Thread Matt Hess

I was amused at this and decided to look real quick.. OpenBSD's pf can 
block on OS fingerprints.. effectively doing exactly what you are 
kidding about (at least I'd hope so.. well, maybe) even in the man page 
example they put:

# Do not allow Windows 9x SMTP connections since they are typically
# a viral worm. Alternately we could limit these OSes to 1 connection each.
block in on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} \
  to any port smtp
The OS fingerprint list they have is rather extensive..

:)

Mike Jezierski - BOFH wrote:

{snipped}

the damned operating system Micro$haft. If there was a blackhole list to 
block all Windows lUsers it would be more effective - granted that would 
also reduce email down to about 10% of the computing population.

No zombies on my Macintosh regards.



Re: Lazy network operators - NOT

2004-04-18 Thread Matt Hess
I haven't seen it mentioned yet but I believe that some may be looking 
for something like the lists at: http://www.blackholes.us/ and if it has 
been mentioned already  I apologize for the duplicate.



Doug White wrote:


:
:
:
: Lou Katz wrote:
: >
: > On Sun, Apr 18, 2004 at 02:01:45PM -0400, Jerry Eyers wrote:
: > >
: > > >Spamming is pervasive mainly due to the inattention or failure to
enforce
: > > >acceptable use policies by the service provider.
: > >
: > > I must point out that this statement is just flat wrong.
: > >
: > > Spamming exists because spamming works.  Why do spammers send
: > > out millions of emails?  Because thousands of people click, look at, and
: > > subscribe to services and products being spewed by the spammers.
: > >
: > > If spamming didn't sell products, spamming would die off.  We must
: > > educate the users to not do anything with spam but delete it.  As from
: > > the success of infomercials on television shows, that won't happen
: > > anytime soon.
: > >
: >
: > I think you are 'right on'. I offer this observation, first
: > triggered by a third-hand report from some sociologists:
:
: Perhaps you'd both care to provide a methodology whereby the same fools
: who respond to anatomical enlargement/improvement potions could be
: successfully educated as to the foibles of responding to spam? All 150
: million plus of them?
:
: And then perhaps compare that required effort and potential success to
: that of applying consistent global pressure on the 100 or so networks
: that host the compromised machines that are the unwitting gateways for
: almost all of today's spam. Unfortunately, in many cases, the networks
: do put enormous effort into disconnecting compromised boxes, but the
: numbers are overwhelming (240,000 on one network alone in the last 2
: weeks). That does not appear to be good enough any more.
:
: I'm with Paul.
:
: As Steve Bellovin has so frequently bleated: "Push the responsibility to
: the edges, where it belongs".
:
: -- 
Well, Paul did advance a methodology - blackhole them all 

I prefer to send a

550 IP blocked for UCE - for resolution contact your service provider.

Educating the masses who feel anatomically lacking, would be an impossible task
for a server admin.
Blocking the provider will hit them in the pocketbook, and usually gets
attention at the highest executive level, when enough of their customers quit
them.
Remember it took AOL the loss of nearly 10 million subscribers to make them
move against spam  at all.  Of course, we don't all agree with their
methodology, but they are making the attempt.
If just a few admins block Comcast (AT&T) they will likely be ignored.  If
thousands of them block Comcast - they will become more pro-active, I submit.
SBC-Yahoo has silently implemented spam filters that add X headers which the
recipient can filter against.  For instance I filter against X-overseas source
blah blah
As for doing something from a provider standpoint against those who will not
install an a/v solution because it slows down their machine - or interferes
with their MP3 files, or graphics editors, is another mountain to climb, but
climb it they must.
The individual mail server admin is a very small part of the big picture, but
is responsible for his users, and must do as needed to re-capture the users'
inbox for their legitimate use.
The job becomes even more difficult when not everyone can agree on what is spam
and what is legitimate.
Maybe more rejects like :  550  postage due for commercial message delivery.
:-)






Comcast Contact

2004-03-10 Thread Matt Hess
Can somebody at comcast.net with a clue about possible ip routing 
problems please contact me off-list.



Re: Oh where, oh where has Comcast gone

2003-06-24 Thread Matt Hess
Well, I do know, as a customer, they are going through a large att -> 
comcast.net transition period right now.. they even left a poorly 
thought out automated message on my answering machine to let me know 
that on june 30th they plan on royally screwing up everything.. now 
naturally they didn't say that but that message sure didn't leave much 
room for any hope of contacting support that week if need be..



John R Levine wrote:
I saw a bunch of mail to comcast.net bouncing, so I figured I'd check to
see if maybe their mail servers were misconfigured or something.  Holy
petunias, they've imploded into private network space.
It appears that the glue records in the GTLD servers are OK, but ns02 is
returning the 172.30 address which, since it's authoritative for itself,
overwrites the good data.  Tsk, tsk.  I suppose that's one way to cut down
the amount of spam they get.
$ dnsqr ns comcast.net
2 comcast.net:
76 bytes, 1+2+0+0 records, response, noerror
query: 2 comcast.net
answer: comcast.net 4929 NS ns01.jdc01.pa.comcast.net
answer: comcast.net 4929 NS ns02.jdc01.pa.comcast.net
$ dnsqr a ns01.jdc01.pa.comcast.net
1 ns01.jdc01.pa.comcast.net:
59 bytes, 1+1+0+0 records, response, noerror
query: 1 ns01.jdc01.pa.comcast.net
answer: ns01.jdc01.pa.comcast.net 4923 A 172.30.0.16
$ dnsqr a ns02.jdc01.pa.comcast.net
1 ns02.jdc01.pa.comcast.net:
59 bytes, 1+1+0+0 records, response, noerror
query: 1 ns02.jdc01.pa.comcast.net
answer: ns02.jdc01.pa.comcast.net 4919 A 172.30.0.17
Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
"More Wiener schnitzel, please", said Tom, revealingly.
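The check John describes, written up as an added example (not code from the post): given a zone's NS set, the glue the parent hands out, and what the child's own servers answer for those names, report every nameserver that a public resolver cannot actually reach and whether the zone survives once the child's answers replace the glue. The records are constructed to match the shape of the dnsqr output above; the parent glue is assumed public (the post says it "is OK") and uses 198.51.100.0/24 documentation space as a stand-in, so the unroutable list below deliberately leaves RFC 5737 ranges out. No live DNS is queried.

```python
import ipaddress

# Constructed data shaped like the dnsqr output quoted above; nothing here does a live lookup.
ZONE = "comcast.net"
NS_RECORDS = ["ns01.jdc01.pa.comcast.net", "ns02.jdc01.pa.comcast.net"]
# A records the child zone's own servers return for their NS names (the 172.30/16 answers).
CHILD_A = {
    "ns01.jdc01.pa.comcast.net": ["172.30.0.16"],
    "ns02.jdc01.pa.comcast.net": ["172.30.0.17"],
}
# Glue the parent (GTLD) servers hand out. Assumed public; 198.51.100.0/24 is
# documentation space standing in for real public addresses.
PARENT_GLUE = {
    "ns01.jdc01.pa.comcast.net": ["198.51.100.10"],
    "ns02.jdc01.pa.comcast.net": ["198.51.100.11"],
}

# Ranges a public resolver cannot reach (RFC 1918, loopback, link-local, CGNAT,
# multicast, reserved). RFC 5737 documentation space is intentionally omitted so
# the sample glue counts as reachable; add it back for a production audit.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def unroutable_reason(addr):
    """Return the matching unroutable prefix as a string, or None if reachable."""
    ip = ipaddress.ip_address(addr)
    for net in UNROUTABLE:
        if ip in net:
            return str(net)
    return None


def effective_addresses(ns_name, parent_glue, child_a):
    """A caching resolver replaces parent glue with the child's authoritative answer
    once it has one, which is how the 172.30 answers 'overwrite the good data'."""
    return child_a.get(ns_name) or parent_glue.get(ns_name, [])


def audit_zone(zone, ns_records, parent_glue, child_a):
    """Return {ns_name: [problem strings]} for every NS a public resolver cannot use."""
    problems = {}
    for ns in ns_records:
        found = []
        in_bailiwick = ns == zone or ns.endswith("." + zone)
        if in_bailiwick and not parent_glue.get(ns):
            found.append("in-bailiwick NS with no glue at the parent")
        addrs = effective_addresses(ns, parent_glue, child_a)
        if not addrs:
            found.append("no A record from parent or child")
        for a in addrs:
            net = unroutable_reason(a)
            if net:
                found.append(f"{a} is in {net}, unreachable from the Internet")
        for a in child_a.get(ns, []):
            if parent_glue.get(ns) and a not in parent_glue[ns]:
                found.append(f"child answer {a} disagrees with parent glue {parent_glue[ns]}")
        if found:
            problems[ns] = found
    return problems


def zone_resolvable(zone, ns_records, parent_glue, child_a):
    """True if at least one NS keeps a reachable address after the child's answers take effect."""
    return any(
        unroutable_reason(a) is None
        for ns in ns_records
        for a in effective_addresses(ns, parent_glue, child_a)
    )
```

The glue/child mismatch line is the one to alarm on in monitoring: the zone keeps resolving from caches that still hold the parent's glue and then fails later, one resolver at a time, which is exactly the intermittent bouncing pattern that prompted the look.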





Re: Mobile code security (was Re: rr style scanning of non-customers)

2003-06-16 Thread Matt Hess


why can't multibillion dollar companies figure that out? it does mystify
me :)
The only lame excuses I can come up with are possibly:
laziness, stupidity, ignorance, complacency, fear of non-compliance (but 
I think that's a stretch) and perhaps the raccoon mentality of 'it's new 
and shiny - I MUST have it'.

Beyond that I have no idea why groups continue to use a Microsoft Virus 
Run-Time Environment or even see the excuses above as legitimate 
justification.