Firewall Wizards mailing list archives
IPchains, Squid and GNATBOX
From: Alex Rodriguez <security () biocheck com>
Date: Tue, 27 Mar 2001 15:01:45 -0000
Hi guys,

I am having problems sending attachments through my web-based email site using Squid (web cache). It used to work fine just before I added a firewall (GNATBox) just before the web cache. (Using ipchains too.) If I bypass the proxy it will just work fine. Anybody have any idea what can be going on?

Alex Rodriguez
Network Security / MIS
Management Information System Division

-----Original Message-----
From: firewall-wizards-request () nfr com [SMTP:firewall-wizards-request () nfr com]
Sent: Tuesday, March 27, 2001 1:01 PM
To: firewall-wizards () nfr com
Subject: firewall-wizards digest, Vol 1 #218 - 8 msgs

Send firewall-wizards mailing list submissions to
    firewall-wizards () nfr com

To subscribe or unsubscribe via the World Wide Web, visit
    http://www.nfr.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
    firewall-wizards-request () nfr com

You can reach the person managing the list at
    firewall-wizards-admin () nfr com

When replying, please edit your Subject line so it is more specific than "Re: Contents of firewall-wizards digest..."

Today's Topics:

   1. Back onto reverse proxies (stuart.flisher)
   2. re: firewall-1 diff (Norma Jean Schaefer)
   3. Back onto reverse proxies (stuart.flisher)
   4. Audit unprotected Internet connections via WAN (Dale Schartner)
   5. Re: Access Control, Authentication, and Perimeter Security (Paul McNabb)
   6. RE: Does blocking TCP DNS packets keep your Bind safe? (Adrian Brinton)
   7. Re: end user to enterprise vpn appliances (Notaria Systems)
   8. address translation/encryption timing question (Janz, George)

--__--__--

Message: 1
From: "stuart.flisher" <stuart.flisher () btinternet com>
To: <firewall-wizards () nfr net>, <firewall-wizards () nfr com>
Date: Mon, 26 Mar 2001 13:29:17 +0100
charset="us-ascii"
Subject: [fw-wiz] Back onto reverse proxies

One of those discussions about reverse-proxies that does fit into the realm of security/firewalls.
I have recently worked with two clients that have fronted a web server with a proxy server (reverse) for inbound web traffic. Not wanting to discuss SSL issues or load balancing issues - I ask the following:

Does a reverse proxy add any value??

Consider that the web servers are part of a larger web application infrastructure with app servers, db servers, etc. There is no real web content on the web server as all the pages are dynamic, created by the app server. Isn't the web server, in this environment, already acting as a kind of proxy?

Can we assume that the proxy server would be subject to the same type of attacks as the web server, especially if the web server and proxy server were from the same company (e.g. Netscape)? Can we assume that the proxy server would just pass on traffic containing attacks to the web server anyway? If so, this is the point of my case against.

One point mentioned in a previous reverse proxy discussion was that if the traffic on both sides was SSL then a compromise of the server would not allow sniffing of the network to find sensitive data. Hey, but the server is a proxy creating two connections, decrypting inbound and then re-encrypting in a different session outbound. This means that the data is decrypted somewhere, probably in memory, allowing some clever git to read it.

A possible plus for a proxy that has inbound http/SSL and clear http to the backend is that IDS boxes can read the http traffic looking for attacks before it gets to the web server. If this is the only plus then why not use inline SSL termination devices (Alteon, BIG-IP, etc.), coz if you're an SSL-only site then you are going to need SSL hardware acceleration anyway. But I said I didn't want to get into that... :)

Comments on the role of a reverse proxy in this scenario would be appreciated.

Regards
Stuart

p.s. I have a security company in Dubai.
If anyone good wants a job then let me know ;)

--__--__--

Message: 2
From: Norma Jean Schaefer <NormaJean.Schaefer () KBI STATE KS US>
To: "'firewall-wizards () nfr com'" <firewall-wizards () nfr com>
Subject: re: [fw-wiz] firewall-1 diff
Date: Mon, 26 Mar 2001 11:35:38 -0600

Miguel,

I use a program called Firemon by Fishnet Security, Inc. (www.kcfishnet.com). It was just accepted as an OPSEC product by CheckPoint. I love it! It logs all changes that I make to objects, rules, properties, resources etc. from one policy install to the next. I'm using it heavily today as I'm cleaning up my rule base. Now I have a starting point, and after I make all the rule changes I'm going to make, I will push the policy and I will have a graphical representation of my changes. Very user friendly and intuitive. If I make a mistake, I consult Firemon and find where I may have made an error or removed a rule or object that I shouldn't have. You can find the product and even get an eval at www.firemon.com.

Best wishes,
NJ

--__--__--

Message: 4
Date: 26 Mar 2001 13:23:26 EST
From: Dale Schartner <dschartner () usa net>
To: <firewall-wizards () nfr com>
Subject: [fw-wiz] Audit unprotected Internet connections via WAN

Looking for recommended tools, procedures or advice.

In a larger corporate environment, with a somewhat complex TCP/IP WAN, a primary firewall (PIX) for the global WAN is maintained by the central support group. The corporate policy is that "All Internet connections" must be through this firewall.
However, there are several tempting incentives/reasons for a unit IT/business manager to set up a separate Internet connection, bypassing the corporate Firewall/DMZ control environment (and possibly exposing the entire internal network).

In a current firewall audit, I want to identify the existence of other such Internet connections. I'm more concerned about persistent connections with, for example, a rogue IIS server than a PC/modem dialing into AOL.

Does anyone have any suggestions? ...especially interested if you've accomplished this type of testing.

Dale Schartner, CISA
dschartner () usa net

....Dale
dschartner () usa net

____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1

--__--__--

Message: 5
Date: Mon, 26 Mar 2001 12:16:31 -0600 (CST)
From: Paul McNabb <mcnabb () argus-systems com>
To: Gary.R.Smith () motorola com, tommy () securify com
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] Access Control, Authentication, and Perimeter Security
>Are there circumstances where access control and authentication should take
>precedence over perimeter defenses?

Yes, when you are putting together an e-brochure to promote an eSeminar on eSecurity, and you don't realize -- as you point out -- that authentication and access control are part of perimeter security. I think this happens when e-Marketers get too carried away with e-Hype without the right e-xpertise. Maybe they just aren't e-lite....
Of course it depends on how you define "perimeter defenses", but most people talk about perimeter defense as those mechanisms that separate the "inside computers" from the "outside computers", as opposed to those mechanisms that sit on and protect a single server. Usually firewalls and IDS are considered perimeter defenses (and yes, there can be an authentication component to a FW). Server-based security, such as auditing, trusted OSes, application level encryption, system hardening, and application identification and authentication, are usually considered non-perimeter defenses.

I don't know what the eWeek seminar is about, but if they are looking at a lot of technologies it certainly would be appropriate to make a distinction between the perimeter defenses and the server/application-based access control and authentication components.

Not to claim that there isn't a lot of e-Hype out there...

paul

---------------------------------------------------------
Paul A. McNabb, CISSP                 Argus Systems Group, Inc.
Senior Vice President and CTO         1809 Woodfield Drive
mcnabb () argus-systems com             Savoy, IL 61874 USA
TEL 217-355-6308                      FAX 217-355-1433
"Securing the Future"
---------------------------------------------------------

--__--__--

Message: 6
Subject: RE: [fw-wiz] Does blocking TCP DNS packets keep your Bind safe?
Date: Mon, 26 Mar 2001 21:21:38 -0800
charset="iso-8859-1"
From: "Adrian Brinton" <adrian () brinton to>
To: <firewall-wizards () nfr com>

I think you miss the point... I could go to any of my favorite '31337 warez' sites and download a nice easy to use exploit for BIND. Actually, I would have a choice of many, for many versions. I can't say the same is true for djbdns, regardless if one is better written, more secure, or whatever.

Adrian Brinton

-----Original Message-----
From: Behm, Jeffrey L. [mailto:BehmJL () bvsg com]
Sent: Wednesday, March 21, 2001 11:18 AM
To: firewall-wizards () nfr com
Subject: RE: [fw-wiz] Does blocking TCP DNS packets keep your Bind safe?
Since there are probably 100x more servers out there in the world running BIND, the likelihood of seeing or finding bugs on the platform, and the level of interest for people to design exploits, are both going to be way higher than for a relatively scarce product like djbdns.
Security by obscurity. A valiant, but ineffective means of security.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

--__--__--

Message: 7
Reply-To: "Notaria Systems" <jwb () notariasystems com>
From: "Notaria Systems" <johnblack () canada com>
To: <firewall-wizards () nfr com>
Subject: Re: [fw-wiz] end user to enterprise vpn appliances
Date: Mon, 26 Mar 2001 17:32:46 -0500
Organization: Notaria
charset="iso-8859-1"

I am just about to begin an evaluation of a vpn/firewall appliance from eSoft known as Instagate-EX. I would be interested to hear if anyone else has experience with this product. I have searched as many firewall sites and discussion groups as I could find and turned up no content or comments about this company or product. I am just about to test it and should be able to report back in a few weeks.

I was quite impressed with their literature/demo. It is not a high-end solution, but then, that's not what it is supposed to be. It has just the basics, which is usually what I need when I have 10 to 50 people in an office. They (eSoft) have kept the cost low, although some features like virus scanning are sold as a subscription (read - ongoing cost).

From my understanding, it is an Intel box running Linux and their firewall/vpn/virus/filter product. The box is "sealed" and is configured and monitored with a browser interface. Any hardware feature changes require a return of the box. Features such as virus scanning are purchased via subscription and updated via the internet, which is good or bad depending on your operating point of view.

For the same space I am looking into the Perle IOLink Pro100 or the PureData RTX4000. I would certainly appreciate any/all comments on these products as well. These are slightly higher price.

In the final analysis, I think the chosen box will have to prove to be reasonably secure, regardless of the price.
I can give up bells, whistles, capacity, future expansion, and open source, but the appliance still needs to be secure.

Thanks,
John Black.

----- Original Message -----
From: "Adam Molaver" <adam () molaver org>
To: <firewall-wizards () nfr com>
Sent: Thursday, March 22, 2001 5:34 PM
Subject: [fw-wiz] end user to enterprise vpn appliances
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am in the formative stages of identifying options for a customer in the way of VPN appliance devices for their staff to connect into their office.

<snip>

What are the other options for a VPN appliance in a small environment (less than 30 concurrent users)? I'm not sure the 515 is really up to the task for this many, but not having used one for client-to-site VPNs before, I'm unsure.. ahm
--__--__--

Message: 8
From: "Janz, George" <gjanz () anteon com>
To: "'firewall-wizards () nfr com'" <firewall-wizards () nfr com>
Date: Tue, 27 Mar 2001 08:14:59 -0500
charset="iso-8859-1"
Subject: [fw-wiz] address translation/encryption timing question

I have a customer site that is both Internet accessible and also accessible across a dedicated private T1. Our employees access the site via one of 2 methods.

#1: A frame relay WAN - hub and spoke topology, then through a centrally managed T1 Internet connection, or directly via the Internet. Some of our sites are connected to our corporate offices by Checkpoint IKE site-to-site VPN (no frame). Additionally, many vendors access the site via the Internet, not just my company.

#2: The customer has allowed us to connect 1 frame site to them via a dedicated T1. One frame relay connected site accesses the customer servers via this dedicated T1. Because performance is better, the customer now wants to allow one of our VPN-only sites to connect to them via the dedicated T1. They are adamant about restricting access via the dedicated T1 to only the 1 frame site and the 1 VPN-only site.

I accomplished this. I modified the encryption domain of the frame hub site to include the networks of the customer's servers. I also included a dummy network. I use address translation at the VPN-only site to intercept requests for the customer server and translate the customer server addresses into the dummy range. When the traffic reaches the frame hub site, I direct the dummy addresses to the Checkpoint firewall that is between us and the customer, and then translate the dummy addresses back to live ones. This all works fine. Our frame connected sites not allowed to use the dedicated T1 access the customer servers via the frame network and find the servers via the Internet. The 1 VPNed site and the one frame site that are to utilize the dedicated T1 access the customer servers fine as well.
I suspect I will have a problem with our other sites that are VPN-only connected to the corporate office. This is because I have to include the customer server's live addresses in the corporate office's encryption domain. Since all sites have to connect to the corporate office, all sites will encrypt traffic to the customer servers since the addresses are in the CO's encryption domain.

I am trying to find a way to force address translation to occur BEFORE encryption on the VPN-only sites. If I could do this, I could use dummy networks only to represent the customer servers and therefore not confuse VPN-only sites that access the customer servers via the Internet.

--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest
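An added illustration of the NAT-versus-encryption ordering problem in George Janz's message (Message 8); this is editor-written model code, not anything from the digest or from Checkpoint, and the customer, dummy and corporate networks are constructed RFC 5737 documentation ranges. It contrasts a site whose encryption-domain check sees pre-NAT addresses (so the live customer range must be in the domain) with one that translates first (so only the dummy range need be).

```python
import ipaddress

# Constructed example networks, not the poster's real ones.
CUSTOMER_LIVE = ipaddress.ip_network("192.0.2.0/24")     # customer's servers
DUMMY_RANGE   = ipaddress.ip_network("198.51.100.0/24")  # stand-in for T1 path
CORP_OFFICE   = ipaddress.ip_network("203.0.113.0/24")   # corporate office

def nat_to_dummy(dst):
    """Static 1:1 mapping of a live customer address into the dummy range."""
    offset = int(ipaddress.ip_address(dst)) - int(CUSTOMER_LIVE.network_address)
    return DUMMY_RANGE.network_address + offset

def route(dst, encryption_domain, t1_authorised, nat_before_encrypt):
    """Model the path a packet from a VPN-only site takes to dst.

    encryption_domain:  networks claimed by the site's VPN peer (the corporate
                        office); traffic matching them is tunnelled.
    t1_authorised:      site holds the customer->dummy translation rule.
    nat_before_encrypt: NAT runs before the encryption-domain check (the
                        ordering George is asking for) instead of after it.
    Returns ("vpn" | "internet", destination address actually sent).
    """
    dst = ipaddress.ip_address(dst)
    if nat_before_encrypt and t1_authorised and dst in CUSTOMER_LIVE:
        dst = nat_to_dummy(dst)
    if any(dst in net for net in encryption_domain):
        # Encrypt decision already made on the untranslated address.
        if not nat_before_encrypt and t1_authorised and dst in CUSTOMER_LIVE:
            dst = nat_to_dummy(dst)
        return ("vpn", str(dst))
    return ("internet", str(dst))

# Today: live customer range must be in the office's encryption domain so
# the authorised site's traffic is tunnelled at all.
DOMAIN_WITH_LIVE = [CORP_OFFICE, DUMMY_RANGE, CUSTOMER_LIVE]
# Wanted: only the dummy range represents the customer servers.
DOMAIN_DUMMY_ONLY = [CORP_OFFICE, DUMMY_RANGE]

def compare(server="192.0.2.10"):
    """Paths for an ordinary VPN-only site (should reach the customer over
    the Internet) and for the T1-authorised site, under both orderings."""
    return {
        "today_other_site":  route(server, DOMAIN_WITH_LIVE, False, False),
        "today_t1_site":     route(server, DOMAIN_WITH_LIVE, True, False),
        "wanted_other_site": route(server, DOMAIN_DUMMY_ONLY, False, True),
        "wanted_t1_site":    route(server, DOMAIN_DUMMY_ONLY, True, True),
    }

if __name__ == "__main__":
    for case, path in compare().items():
        print(f"{case:18s} -> {path}")
```

In the "today" rows the unauthorised site's packet is wrongly pulled into the tunnel because its untranslated destination matches the live range; once translation precedes the domain check, that site goes straight out to the Internet while the authorised site still tunnels its dummy-range traffic.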
Current thread:
- IPchains, Squid and GNATBOX Alex Rodriguez (Mar 28)