Security Basics mailing list archives
Re: where should I start? help!
From: "Jude Naidoo" <jude007 () jnaidoo fsnet co uk>
Date: Sat, 26 Jul 2003 17:05:36 +0100
Hi Jane

What about other valid applications that could use either TCP or UDP 554?? It may be more work, but wouldn't access to the streaming servers be disallowed? With most browser/streaming applications, you can change the proxy port or even the port to use for streaming audio/video. Pretty soon you could find yourself blocking loads of ports...

Just my 2 cents worth...

Jude

----- Original Message -----
From: "Jane Han" <janehan22 () yahoo com>
To: "ALLEN, DONALD S (AIT)" <da1295 () sbc com>; <Gregory_DeGennaro () csaa com>
Cc: <security-basics () securityfocus com>
Sent: Friday, July 25, 2003 3:52 PM
Subject: RE: where should I start? help!

Thank you so much for all your help. Finally, I found the problem. Many streaming radio or video using port 554. If I want to block all streaming radio or video on the PIX, can I use

access-list 100 deny tcp any any eq 554
access-list 100 deny udp any any eq 554

Any other suggestions or concerns?

Thanks again,
Jane

--- "ALLEN, DONALD S (AIT)" <da1295 () sbc com> wrote:

Show Conns or show conns? Show Xlate or show xlate? And using the PDM web module are ways to get Pix information without a sniffer.

-----Original Message-----
From: Jane Han [mailto:janehan22 () yahoo com]
Sent: Thursday, July 24, 2003 9:08 AM
To: Ben Hicks; security-basics () securityfocus com; Gregory_DeGennaro () csaa com
Cc: security-basics () securityfocus com
Subject: RE: where should I start? help!

Thanks for all help. If I want to find all traffic on the PIX internal interface, what should I do? Using sniffer? How do I position the sniffer? How can I span port on the PIX or I have to do spanning on the switch? Any suggestions or help will be highly appreciated.

switch ---PIX---external router

The external router serial interface status as follows:

Serial0/0 is up, line protocol is up
Hardware is DSCC4 Serial
Internet address is a.b.c.d/30
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 24/255, rxload 235/255
Encapsulation HDLC, loopback not set
Keepalive set (10 sec)
Last input 00:00:05, output 00:00:01, output hang never
Last clearing of "show interface" counters 1d23h
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/100 (size/max)
30 second input rate 1424000 bits/sec, 230 packets/sec
30 second output rate 147000 bits/sec, 161 packets/sec
16859032 packets input, 2850828712 bytes, 0 no buffer
Received 17055 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
13720059 packets output, 3084799197 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up

Thanks in advance,
Jane

--- Ben Hicks <ben () sequenced net> wrote:

Hmm, so the firewall is performing the NAT then. Just out of interest, what is the firewall doing? Does it have any access lists on it?

Thanks,
Ben

-----Original Message-----
From: Jane Han [mailto:janehan22 () yahoo com]
Sent: 15 July 2003 16:20
To: Ben Hicks; security-basics () securityfocus com
Subject: RE: where should I start? help!

Ben,

I appreciate your answer. I enabled the IP accounting and the IP accounting only shows the destination address as public address (NAT). Is there a way that I can trace this public IP address (NAT) to the internal private IP address?

Thanks,
Jane

--- Ben Hicks <ben () sequenced net> wrote:

The interface is very heavily utilised on the receiving of information - i.e. persons downloading. Your interface (at the time of the snapshot) was very heavily utilised.
188/255 RX suggest that your link is about 75% utilised, which is very high. There are of course many other things that could be attributing to the problem, but I would start here. You could perhaps enable ip accounting to find out which IP addresses are accessing the most amount of information.

HTH
Ben.

-----Original Message-----
From: Jane Han [mailto:janehan22 () yahoo com]
Sent: 08 July 2003 15:41
To: security-basics () securityfocus com
Subject: where should I start? help!

Hi, all

I am relatively new to this field. We have full T1 but the internet speed is very slow. Sometimes it's even slower than dial-up speed when downloading files.

        E1     E0  E0                 s0
Switch --- PIX ------Cisco 2600 Router------Internet

(E1 and E0 are Ethernet Interface and S0 is serial interface)
(please see the following status on s0)

Serial0/0 is up, line protocol is up
Hardware is QUICC Serial
Internet address is X.X.X.X/30
MTU 1500 bytes, BW 2048 Kbit, DLY 20000 usec,
reliability 255/255, txload 26/255, rxload 188/255
Encapsulation HDLC, loopback not set
Keepalive set (10 sec)
Last input 00:00:02, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/9199/0 (size/max/drops/flushes); Total output drops: 3307
Queueing strategy: weighted fair
Output queue: 0/1000/64/3307 (size/max total/threshold/drops)
Conversations 0/57/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
30 second input rate 1510000 bits/sec, 235 packets/sec
30 second output rate 214000 bits/sec, 173 packets/sec
76598509 packets input, 1523011153 bytes, 0 no buffer
Received 104544 broadcasts, 0 runts, 0 giants, 0 throttles
1 input errors, 0 CRC, 1 frame, 0 overrun, 0 ignored, 0 abort
66685034 packets output, 4044743843 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up

I checked the S0 interface status on the internet
=== message truncated ===
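The following Python sketch is an added example, not part of the thread or of any poster's code. It parses the counters from the first Serial0/0 output quoted above and computes utilisation both from the txload/rxload fractions and from the 30 second rates, first against the configured BW value (2048 Kbit) and then against the 1544 Kbit figure that appears in the later output. The function names and the trimmed sample text are constructed for illustration.

```python
import re

# Constructed sample: counter lines trimmed from the first Serial0/0 output in the thread.
SAMPLE = """\
Serial0/0 is up, line protocol is up
MTU 1500 bytes, BW 2048 Kbit, DLY 20000 usec,
reliability 255/255, txload 26/255, rxload 188/255
Input queue: 0/75/9199/0 (size/max/drops/flushes); Total output drops: 3307
30 second input rate 1510000 bits/sec, 235 packets/sec
30 second output rate 214000 bits/sec, 173 packets/sec
"""

PATTERNS = {
    "bw_kbit": r"BW (\d+) Kbit",
    "txload": r"txload (\d+)/255",
    "rxload": r"rxload (\d+)/255",
    "input_drops": r"Input queue: \d+/\d+/(\d+)/\d+",
    "output_drops": r"Total output drops: (\d+)",
    "in_bps": r"input rate (\d+) bits/sec",
    "out_bps": r"output rate (\d+) bits/sec",
}

def parse_interface(text):
    """Extract the counters needed to judge link saturation."""
    fields = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"missing field: {name}")
        fields[name] = int(m.group(1))
    return fields

def utilisation(fields, line_rate_kbit=None):
    """Percent utilisation per direction, from load fractions and from bit rates."""
    # txload/rxload are reported out of 255 relative to the configured BW value,
    # so pass line_rate_kbit to recompute the rate figures against another line rate.
    bw_bps = (line_rate_kbit or fields["bw_kbit"]) * 1000
    return {
        "rx_load_pct": round(100 * fields["rxload"] / 255, 1),
        "tx_load_pct": round(100 * fields["txload"] / 255, 1),
        "rx_rate_pct": round(100 * fields["in_bps"] / bw_bps, 1),
        "tx_rate_pct": round(100 * fields["out_bps"] / bw_bps, 1),
    }

if __name__ == "__main__":
    counters = parse_interface(SAMPLE)
    print(utilisation(counters))                       # against configured BW
    print(utilisation(counters, line_rate_kbit=1544))  # against 1544 Kbit
```

Non-zero input and output drop counters alongside a receive figure this high point at inbound saturation rather than a line fault, since the same output shows almost no input errors.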