Firewall Wizards mailing list archives

TCP syncookies - firewall or host?


From: chris mr <chris.misztur () yahoo com>
Date: Mon, 9 Apr 2007 06:49:02 -0700 (PDT)

I think any traffic that "bypasses" the firewall and is handled inside a higher security zone could present a problem.  
I would let the PIX handle pre-embryonic connections.

chris


----- Original Message ----
From: "firewall-wizards-request () listserv icsalabs com" <firewall-wizards-request () listserv icsalabs com>
To: firewall-wizards () listserv icsalabs com
Sent: Wednesday, April 4, 2007 9:34:09 AM
Subject: firewall-wizards Digest, Vol 12, Issue 1




Today's Topics:

   1. TCP syncookies - firewall or host? (Florin Andrei)
   2. Re: OT? New compromise. (Mike Barkett)
   3. Re: TCP syncookies - firewall or host? (Florin Andrei)
   4. Firewall survey question (Steve orca)
   5. Poll: Interested in feedback for layer 2 filtering
      requirement for Solaris (Darren Reed)
   6. Pix 535 - Filtering to VLANs? (James Burns)
   7. Re: Firewall survey question (rgolodner () infratection com)


----------------------------------------------------------------------

Message: 1
Date: Tue, 03 Apr 2007 13:13:56 -0700
From: Florin Andrei <florin () andrei myip org>
Subject: [fw-wiz] TCP syncookies - firewall or host?
To: Firewall Wizards Security Mailing List
    <firewall-wizards () listserv icsalabs com>
Message-ID: <4612B584.3040208 () andrei myip org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Speaking about SYN flood - where would you handle it, at the firewall 
level, or at the host level?

Practical example:
A PIX-515E running v7.2.2, 128MB RAM
About 16 servers running Red Hat Enterprise 4, 8 GB RAM each, 4 CPU 
cores (recent AMD64 CPUs), all of them behind the firewall

syncookies can be enabled either at the firewall level, or at the host 
level. Also, all kinds of TCP parameters can be tweaked on the firewall 
(intercept and connection limits) but also on the servers via the /proc 
filesystem.

This sounds like a job for the firewall, but on the other hand all those 
servers are very fast, there's a lot of them, and usually they're mostly 
idle. So I'm very tempted to dump that task on the servers.

Pros and cons?

-- 
Florin Andrei

http://florin.myip.org/


------------------------------

Message: 2
Date: Sat, 31 Mar 2007 16:21:26 -0400
From: "Mike Barkett" <mbarkett () us checkpoint com>
Subject: Re: [fw-wiz] OT? New compromise.
To: <firewall-wizards () listserv cybertrust com>
Message-ID: <01fb01c773d2$2991b5d0$64c7630a@MAB43p>
Content-Type: text/plain;    charset="us-ascii"

Date: Fri, 30 Mar 2007 13:09:58 -0500
From: Frank Knobbe <frank () knobbe us>
Subject: Re: [fw-wiz] OT? New compromise.
To: Firewall Wizards Security Mailing List
    <firewall-wizards () listserv icsalabs com>
Cc: firewall-wizards () listserv cybertrust com
Message-ID: <1175278198.40136.36.camel@localhost>
Content-Type: text/plain; charset="us-ascii"

On Thu, 2007-03-29 at 17:12 -0400, Mike Barkett wrote:
On Windows
c:\netstat -an | find /i "listening"

There are tools like openports or the sysinternals set you may

Windows: netstat -aon
Linux: netstat -apn

Of course all these tools only work if the application uses the OS's IP
stack. Any decent rootkitted malware that puts its own packets on the
wire and sniffs the responses promiscuously won't show up in those
lists. You can see the packets with tcpdump/sniffers, but won't be able
to correlate them back to an application (unless you do some CPU
utilization sampling and correlate that with the observed network traffic,
but you'd need to be able to see the app in the first place, so if it's
hidden by a rootkit, that won't help you either).

Just because nothing shows up in netstat doesn't mean that there isn't
an application promiscuously listening for data to that port.

Regards,
Frank


True, a rootkit is one possible explanation.  In this case the traffic has
already been spotted on the network and thus requires explanation at the
host.  Therefore, a netstat showing nothing is just as informative as one
that shows something bogus, which is just as informative as one that shows
the actual running application.  Every outcome requires further digging
anyway.  It is just one more data point that is only as valuable as the
skill level of the security professional analyzing it.

-MAB



------------------------------

Message: 3
Date: Tue, 03 Apr 2007 14:43:26 -0700
From: Florin Andrei <florin () andrei myip org>
Subject: Re: [fw-wiz] TCP syncookies - firewall or host?
To: Firewall Wizards Security Mailing List
    <firewall-wizards () listserv icsalabs com>
Message-ID: <4612CA7E.7060602 () andrei myip org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Florin Andrei wrote:

This sounds like a job for the firewall, but on the other hand all those 
servers are very fast, there's a lot of them, and usually they're mostly 
idle. So I'm very tempted to dump that task on the servers.

OTOH, if I let the servers deal with it, wouldn't that fill up resources 
on the firewall real quick during an attack? So in that case, syncookies 
at the firewall level would be better.

I will do some tests to trigger some issues that might occur in real 
life and see how each piece of equipment handles that, but until then 
I'd like to get a second opinion, so that's why I'm asking.

-- 
Florin Andrei

http://florin.myip.org/


------------------------------

Message: 4
Date: Tue, 03 Apr 2007 23:01:02 +0000
From: "Steve orca" <klrorca () hotmail com>
Subject: [fw-wiz] Firewall survey question
To: firewall-wizards () listserv icsalabs com
Message-ID: <BAY106-F1818617875AE77BD2C84FCA5670 () phx gbl>
Content-Type: text/plain; format=flowed

Hey all,

Anybody out there still using, or have seen in use, the Fortinet firewalls? 
If so what version?

Thanks!

-Steve




------------------------------

Message: 5
Date: Wed, 04 Apr 2007 16:36:51 +1000
From: Darren Reed <Darren.Reed () Sun COM>
Subject: [fw-wiz] Poll: Interested in feedback for layer 2 filtering
    requirement for Solaris
To: firewall-wizards () listserv cybertrust com
Message-ID: <024e01c77683$a204ded0$c7579e81@brunette>
Content-Type: text/plain; charset="iso-8859-1"

Dear Wizards,

For many years IPFilter has been playing its part in filtering layer 3 (IP) packets...

Now we're moving down the stack - to layer 2 packets - to provide protection for Xen instances, etc.  While I 
personally have various needs and expectations about what happens with IP packets, I'm unsure about what requirements 
or expectations are with ethernet packets.

What sort of functionality would you like to see layer 2 filtering on Solaris deliver?
Will/do you need ethernet level "NAT"?
Do you expect to see ethernet rules in ipf.conf?
Do you have non-ethernet networks you want to filter at layer 2?
Do you expect to always use the same ethernet device name with filters for layer 2 packets as for layer 3 packets?
Or other more devious desires?

Feedback welcome.

Thanks,
Darren

------------------------------

Message: 6
Date: Wed, 04 Apr 2007 14:20:05 +0100
From: James Burns <james.burns () sunderland ac uk>
Subject: [fw-wiz] Pix 535 - Filtering to VLANs?
To: firewall-wizards () listserv icsalabs com
Message-ID: <4613A605.3090507 () sunderland ac uk>
Content-Type: text/plain; charset="windows-1252"

Just a quick query...

I'm using a pair of Pix 535's in a failover set. Is it possible to match 
traffic entering the outside interface, and subsequently put it into a 
VLAN on exiting the inside interface?

Thanks in advance,
James

-- 
James Burns

Network Advisor - Student & Learning Support
University of Sunderland

web: www.sunderland.ac.uk



------------------------------

Message: 7
Date: Wed, 04 Apr 2007 03:50:15 +0000
From: rgolodner () infratection com
Subject: Re: [fw-wiz] Firewall survey question
To: "Firewall Wizards Security Mailing List"
    <firewall-wizards () listserv cybertrust com>
Message-ID: <W5828212010182311175658615@webmail18>
Content-Type: text/plain; charset="us-ascii"

Jeez, it was long ago, but I really liked it. I think it was a 60 or something close. Nice user interface, reporting 
tools and load balancing that worked great as I needed to be multi-homed at the time. VPN worked very well and was easy 
for road people to connect using Microsoft VPN connection with XP. If it was my business, I would always use a PIX, and 
a few more things. I never did any hard-core pen testing, but it was good at keeping internal assets hidden from the 
public.
My 2 cents, Richard

-----Original Message-----
From: Steve orca [mailto:klrorca () hotmail com]
Sent: Tuesday, April 3, 2007 07:01 PM
To: firewall-wizards () listserv cybertrust com
Subject: [fw-wiz] Firewall survey question

Hey all,

Anybody out there still using, or have seen in use, the Fortinet firewalls? 
If so what version?

Thanks!

-Steve


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



------------------------------



End of firewall-wizards Digest, Vol 12, Issue 1
***********************************************
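Florin's question in the digest above is whether to leave SYN-flood handling to the RHEL hosts. The script below is an added example, not part of any message in the thread: it checks a Linux host's syncookies setting through /proc and counts half-open (SYN_RECV) connections from netstat -an style output, which is what a host-level defender would watch during an attack. The netstat sample is constructed, and the /proc path is the standard Linux one.

```shell
#!/bin/sh
# Added example (not from the list thread): inspect a Linux host's
# SYN-flood posture.  Assumes the standard /proc layout and netstat -an
# output format; the sample lines below are constructed.

# Print "on" or "off" for the syncookies sysctl, read from the given file
# (default: /proc/sys/net/ipv4/tcp_syncookies).  Value 1 = enabled when
# the SYN backlog overflows, 2 = always; anything else counts as off.
syncookies_state() {
    f="${1:-/proc/sys/net/ipv4/tcp_syncookies}"
    [ -r "$f" ] || { echo "unknown"; return 1; }
    case "$(cat "$f")" in
        1|2) echo on ;;
        *)   echo off ;;
    esac
}

# Count half-open (SYN_RECV) connections per local port from netstat -an
# output on stdin; prints "port count" lines, busiest port first.
half_open_by_port() {
    awk '$1 ~ /^tcp/ && $NF == "SYN_RECV" {
             n = split($4, a, ":"); c[a[n]]++
         }
         END { for (p in c) print p, c[p] }' | sort -k2 -nr
}

# Total SYN_RECV count on stdin.  A sustained total near
# tcp_max_syn_backlog means the host is already leaning on syncookies.
half_open_total() {
    awk '$1 ~ /^tcp/ && $NF == "SYN_RECV" { n++ } END { print n+0 }'
}

# Constructed sample in netstat -an format (RFC 5737 test addresses).
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             198.51.100.7:40112      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.8:40113      SYN_RECV
tcp        0      0 10.0.0.5:443            198.51.100.9:40114      SYN_RECV
tcp        0      0 10.0.0.5:22             203.0.113.2:51000       ESTABLISHED'

# Run with --demo to print the live syncookies state and the sample counts.
if [ "${1:-}" = "--demo" ]; then
    echo "syncookies: $(syncookies_state)"
    printf '%s\n' "$SAMPLE" | half_open_by_port
fi
```

On a live host replace the sample with `netstat -an | half_open_by_port` (or the equivalent from `ss -ant`) to see which ports are accumulating half-open connections.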

