Firewall Wizards mailing list archives
Re: VPN & Frame Routing (Zill, Greg)
From: "Chris Clamp" <chris.clamp () showads com au>
Date: Fri, 22 Feb 2002 09:48:07 +1100
Hi Greg, Most routers have a number of routing protocols on them that you could use, but what you would need to do here is set up a static route to send the default traffic out to the VPN, and redistribute this through a routing protocol (EIGRP,OSPF,etc) so that the static route is then known to all NOC sites. The IP address range that the financials, etc, are situated on, this address range would be known through the routing protocol, and traffic will head in the right direction. Hope this helps Cheers firewall-wizards-request () nfr com wrote:
Send firewall-wizards mailing list submissions to firewall-wizards () nfr com To subscribe or unsubscribe via the World Wide Web, visit http://list.nfr.com/mailman/listinfo/firewall-wizards or, via email, send a message with subject or body 'help' to firewall-wizards-request () nfr com You can reach the person managing the list at firewall-wizards-admin () nfr com When replying, please edit your Subject line so it is more specific than "Re: Contents of firewall-wizards digest..." Today's Topics: 1. VPN & Frame Routing (Zill, Greg) 2. Re: Netscreen 50 (Barney Wolff) 3. Netscreen 50 (Boni Bruno) 4. Disabling NIC whem modem is connected (Fabio G. Baptista) 5. RE: Auth + content filtering? (=?iso-8859-1?Q?Diaz_Perez_=B7_Juan_Carlos?=) 6. RE: Netscreen 50 (Bill Jaeger) 7. Re: Link from DMZ to Internal Apps (Joseph Steinberg) 8. Re: Link from DMZ to Internal Apps (R. DuFresne) --__--__-- Message: 1 Date: Mon, 18 Feb 2002 11:32:42 -0600 From: "Zill, Greg" <Greg.Zill () owh com> To: <firewall-wizards () nfr com> Subject: [fw-wiz] VPN & Frame Routing I would like to maintain both a frame connection and VPN connectivity = between two NOC sites, but not sure how to selectively, or otherwise, = make traffic take one path vs. the other. I have heard mention OSPF, but = know little about its implementation. The VPN would be used for active = directory primarily, while the frame would be used for financials. = Please advise. gregory w zill, mba Firewall Administrator Omaha World Herald Company Landmark Center --__--__-- Message: 2 Date: Mon, 18 Feb 2002 13:03:56 -0500 From: Barney Wolff <barney () databus com> To: Malcolm Joosse <malcolm () hotlinesupport com> Cc: firewall-wizards () nfr com Subject: Re: [fw-wiz] Netscreen 50 What security policy are you trying to enforce? I may be ignorant, but this is the first I've heard of an ISP trying to firewall its total user population. Would a simple router ACL do what you want? Are DS3's so cheap that a one-time $10k is even noticeable compared to the monthly bill for bandwidth? On Mon, Feb 18, 2002 at 12:51:09PM +1100, Malcolm Joosse wrote:Hello All, I am new to this list, I tried searching the archives to find this info. We are a medium sized ISP in Australia. We run a Full 45Mb DS3 link. We are/were running Watchguard Firebox 2 and have found that since we upgraded the DS3 link to the full 45Mb our Firebox is having a hard time with all the traffic. While I cannot complain about the Watchguard products, we thought we would ask around about different firewall options. I have received many suggestions from my peers about different solutions. We were looking at: Watchguard Firebox 2500 - Seems like a office firewall and not a ISP firewall - Good pricing Cisco PIX - good product, VERY $$$$$ - out of our budget Netscreen 50 - Good features and good pricing - Top of the list *NIX/IPtables - To fiddley and hard to find admins GNAT - More suitable for a office enviroment ????? any other suggestions ? The Cost is a major part of this new purchase. I do not want to spend more than USD$10,000.00 as I have seen many products in this price range. We have been offered a netscreen 50 for evaluation, but as time is critical, I thought I would ask about the Netscreen to get a insight and avoid wasting time on testing something that is not suitable.-- Barney Wolff --__--__-- Message: 3 Date: Mon, 18 Feb 2002 11:39:01 -0800 From: "Boni Bruno" <bbruno () dsw net> To: firewall-wizards () nfr com Subject: [fw-wiz] Netscreen 50 Malcolm, Netscreen is a fine firewall with a lot of features for the money. However, the Netscreen 50 does not have device redundancy where as the NS 100 and above do have device redundancy with ms fail over. This is an important feature to consider for future expansion and obviously avoiding a single point of failure. The NS 100 is also 10K, but its replacement is the NS 204 which is around 12K. If you can afford a little more, the NS 204 offers much more growth and can easily be configured in a redundant manner in the future when your finances allows it. Plus you get an additional DMZ port on the NS204 (total of 4), and 8 ports total with the NS208 option, but the NS208 may be out of your price range. Cheers, -boni brunoMessage: 3 Date: Mon, 18 Feb 2002 12:51:09 +1100 From: "Malcolm Joosse" <malcolm () hotlinesupport com> To: <firewall-wizards () nfr com> Subject: [fw-wiz] Netscreen 50 Hello All, I am new to this list, I tried searching the archives to find this info. We are a medium sized ISP in Australia. We run a Full 45Mb DS3 link. We are/were running Watchguard Firebox 2 and have found that since we upgraded the DS3 link to the full 45Mb our Firebox is having a hard time with all the traffic. While I cannot complain about the Watchguard products, we thought we would ask around about different firewall options. I have received many suggestions from my peers about different solutions. We were looking at: Watchguard Firebox 2500 - Seems like a office firewall and not a ISP firewall - Good pricing Cisco PIX - good product, VERY $$$$$ - out of our budget Netscreen 50 - Good features and good pricing - Top of the list *NIX/IPtables - To fiddley and hard to find admins GNAT - More suitable for a office enviroment ????? any other suggestions ? The Cost is a major part of this new purchase. I do not want to spend more than USD$10,000.00 as I have seen many products in this price range. We have been offered a netscreen 50 for evaluation, but as time is critical, I thought I would ask about the Netscreen to get a insight and avoid wasting time on testing something that is not suitable. Regards Malcolm Joosse=20 Hotline Support (Total IT Solutions)=20--__--__-- Message: 4 From: "Fabio G. Baptista" <fbaptista () e-dablio com> To: 'Firewall Wizards' <firewall-wizards () nfr com> Date: Mon, 18 Feb 2002 17:01:27 -0300 Subject: [fw-wiz] Disabling NIC whem modem is connected Hi wizards, Is there a way to disable the NIC of a Windows based machine when the = modem is connect to the Internet ? I think that a machine connect to the internet via modem and plugged to = the internal LAN can be a security risk, while it is bypassing the = firewall.=20 Thanks, F=E1bio G. Baptista e-Dablio Project Management Tel.: + 55 21 3852-0650 http://www.e-dablio.com <http://www.e-dablio.com>=20 --__--__-- Message: 5 From: =?iso-8859-1?Q?Diaz_Perez_=B7_Juan_Carlos?= <JuanCarlos.Diaz () atosodsorigin com> To: Tamas FORJAN <tamas () 2fkft com>, firewall-wizards () nfr com Subject: RE: [fw-wiz] Auth + content filtering? Date: Mon, 18 Feb 2002 21:52:53 +0100 I think you should change the orther of your rules this way: Src Dst Srv Act PrivUsers@InternalNet Any http ClientAuth MP3Users@InternalNet Any http ClientAuth Any Any http->mp3filter Reject If this works please, let me know. HTH :) JUAN CARLOS D=CDAZ P=C9REZ-----Mensaje original----- De: Tamas FORJAN [SMTP:tamas () 2fkft com] Enviado el: domingo 17 de febrero de 2002 23:27 Para: firewall-wizards () nfr com Asunto: [fw-wiz] Auth + content filtering? =20 Hello, =20 I would like to know whether you know a way to implement HTTP file =accesscontrol based on file extensions and authentication. =20 Basically, what I would like to do is to set up different user groups =fordifferent kinds of file access. Not everybody should be able to =access MP3files, WMA files and such. My idea is to set up groups for those =peoplewho need access to these 'privileged' file types. =20 What I tried already was to set up resources to filter content, along =withpartially automatic client auth. My rulebase looked the following: =20 Src Dst Srv Act PrivUsers@InternalNet Any http ClientAuth Any Any http->mp3filter Reject MP3Users@InternalNet Any http ClientAuth =20 The result of the above is that PrivUsers can properly authenticate =andhave access, but no users in the MP3Users group can authenticate at all. =Theyreceive 3 different authentication windows from their browser, but at =theend, they receive the following error: =20 Error 401 FW-1 at wreport: Unauthorized to access the document. Authorization is needed for FW-1. The authentication required by FW-1 for tforjan is: unknown. Reason for failure of last attempt: =20 What worries me is the 'authentication required by FW-1 for tforjan =is:unknown.' clause, because this user has a defined authentication =scheme:FireWall-1 Password. =20 No matter how many rules you set up, only the first authentication =rulewill allow successful authentication. All the others will fail with the =abovemessage. =20 Do you have any idea why? =20 Do you have any idea how to implement the desired functionality in =anyother way? =20 Environment: Nokia IP440, IPSO 3.4.2, CP NG FP1. =20 Thank you. =20 -- FORJAN Tamas Technical Support 2F 2000 Szamitastechnikai es Szolgaltato Kft. http://www.2f.hu/ =20 _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards--__--__-- Message: 6 From: "Bill Jaeger" <wlj () interNook net> To: "Malcolm Joosse" <malcolm () hotlinesupport com> Cc: <firewall-wizards () nfr com> Subject: RE: [fw-wiz] Netscreen 50 Date: Mon, 18 Feb 2002 16:23:37 -0500 Hi Malcolm, Unfortunately, I can't comment on the NetScreen as compared to the other firewalls. However, I wanted to point out that the GNAT Box firewalls are not limited to "office" applications. The higher end models (GB-Flash and GB-1000) may well meet your needs. Pricing is quite attractive, too. I believe that the list price on the GB-Flash is $1500 USD and the GB-1000 is $2700 USD. The GB-1000 is a 1RU appliance with 4x100Mbps Ethernet interfaces and an Intel Celeron 500MHz processor. The GB-Flash allows you to deploy the firewall on whatever Intel-based hardware platform you choose. You can find out more information at http://www.gnatbox.com . I've been using a GB-1000 for about 1.25 years to segregate 4 different 100Mbps full duplex network segments with a fairly rigid rule set. In doing so, I haven't noticed any significant performance degradation. I suspect that if it works OK in my environment, it should work OK in yours (but be sure to verify! ;) BTW, I have no relationship to GTA (the company that makes the GNAT Box) other than as a reasonably satisfied customer. Please let me know if you'd like additional info. -Bill-----Original Message----- From: firewall-wizards-admin () nfr com [mailto:firewall-wizards-admin () nfr com]On Behalf Of Malcolm Joosse Sent: Sunday, February 17, 2002 8:51 PM To: firewall-wizards () nfr com Subject: [fw-wiz] Netscreen 50 Hello All, I am new to this list, I tried searching the archives to find this info. We are a medium sized ISP in Australia. We run a Full 45Mb DS3 link. We are/were running Watchguard Firebox 2 and have found that since we upgraded the DS3 link to the full 45Mb our Firebox is having a hard time with all the traffic. While I cannot complain about the Watchguard products, we thought we would ask around about different firewall options. I have received many suggestions from my peers about different solutions. We were looking at: Watchguard Firebox 2500 - Seems like a office firewall and not a ISP firewall - Good pricing Cisco PIX - good product, VERY $$$$$ - out of our budget Netscreen 50 - Good features and good pricing - Top of the list *NIX/IPtables - To fiddley and hard to find admins GNAT - More suitable for a office enviroment ????? any other suggestions ? The Cost is a major part of this new purchase. I do not want to spend more than USD$10,000.00 as I have seen many products in this price range. We have been offered a netscreen 50 for evaluation, but as time is critical, I thought I would ask about the Netscreen to get a insight and avoid wasting time on testing something that is not suitable. Regards Malcolm Joosse Hotline Support (Total IT Solutions) _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards--__--__-- Message: 7 From: "Joseph Steinberg" <joseph () whale-com com> To: <firewall-wizards () nfr com> Cc: <yamadog35 () yahoo com> Subject: Re: [fw-wiz] Link from DMZ to Internal Apps Date: Mon, 18 Feb 2002 23:15:31 -0500 For "external access to internal applications" in cases where a VPN is overkill, you may want to consider the e-Gap System, which was designed with securing that type of access in mind. http://www.whalecommunications.com/1900a.htm J Steinberg _.._ (_.-.\ Joseph Steinberg .-, ` Director of Technical Services .--./ / _.-""-. Whale Communications '-. (__..-" \ \ a | joseph () whale-com com ',.__. ,__.-'/ (201) 947-9177 x1511 '--/_.'----'` http://www.whalecommunications.com --__--__-- Message: 8 Date: Tue, 19 Feb 2002 01:05:16 -0500 (EST) From: "R. DuFresne" <dufresne () sysinfo com> To: "Marcus J. Ranum" <mjr () nfr com> Cc: Guess Who <yamadog35 () yahoo com>, firewall-wizards () nfr com Subject: Re: [fw-wiz] Link from DMZ to Internal Apps Organization: sysinfo.com It seems to me that there might well be an area here that is still ignored. Even with strict access and authentication mechinisms in place, in an environment whence there is this lax concept of data security, and considering that much of this data is personal for those people it is maintained upon, but, impersonal to those that use the data in the course of their work, the risk remains, that once the data has been scarfed up by one for their job, and especially those folks working from home, or in partnership relations via VPN's, how secure does that data then remain? An encrypted VPN tunnel only protects that data in transit, not once the data is parsed down to a users laptop or home machine, once it leaves the perimiter how secure remains the confidentiality of that data? Thus the mention by many about policies. Those policies, and HIPPA regulations, are required to deal with data leakage once the data has been 'securely' transmitted as well. Thanks, Ron DuFresne On Mon, 18 Feb 2002, Marcus J. Ranum wrote:Due to departure of more experienced security minds in our healthcare organization, I am faced with making inexperienced decisions on demands for external access to internal applications.One thing to get familiar with is HIPAA - it's a government guideline/standard "protecting the confidentiality and integrity of 'individually identifiable health information,' past, present or future." You should make sure that whatever access you're providing is OK under HIPAA...Our Web dev team just released a "portal" for these users that aggregates some of the info they need and we have this available on the outside via our DMZ environment, but, of course, they want more.Presumably the "portal" is using some kind of security, yes? Maybe SSL on the links at a minimum? ..?As more of our legacy internal apps move to Web, these users want us to simply "link" them to these internal apps from the externally available portal. This to me would appear to simply bring external users directly to the inside defeating the purpose of the separate web environment in the DMZ.Actually the fact that your organization is set up so that some bunch of Web Developers can just build and deploy a "portal" (whatever that is...) without having to interface with your security practitioners indicates to me that you're probably already in trouble, security-wise... Normally, I wouldn't recommend a strategy like this, but since it sounds like a plate of spaghetti has dropped in your lap. I'd recommend you pursue a vigorous offensive of butt-covering while you get spun up on healthcare security and computer security. You can use the "I am getting spun up on this stuff..." as a dodge to delay whatever insecure deployments you can until you learn enough so you can judge the wisdom or non-wisdom of any security-related deployments yourself. You've got what sounds to me like a potentially nasty situation. Any organization where the end users feel empowered to just deploy stuff and/or apply that kind of pressure on the security organization without any administrative checks and balances is almost guaranteed to have serious security failures. mjr. --- Marcus J. Ranum Chief Technology Officer, NFR Security, Inc. Work: http://www.nfr.com Personal: http://www.ranum.com _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ admin & senior security consultant: sysinfo.com http://sysinfo.com "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart testing, only testing, and damn good at it too! --__--__-- _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards End of firewall-wizards Digest
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: VPN & Frame Routing (Zill, Greg) Chris Clamp (Feb 21)