pix and ssh

[Boni Bruno <bbruno () dsw net>]

I've seen certain version of Pix and Cisco Firewall Feature Set have
memory leaks with their ssh implementation
which has caused their devices to crash.  A software upgraded fixed the
problem.

-boni bruno

firewall-wizards-request () nfr com wrote:
> Send firewall-wizards mailing list submissions to
>         firewall-wizards () nfr com
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://list.nfr.com/mailman/listinfo/firewall-wizards
> or, via email, send a message with subject or body 'help' to
>         firewall-wizards-request () nfr com
>
> You can reach the person managing the list at
>         firewall-wizards-admin () nfr com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of firewall-wizards digest..."
>
> Today's Topics:
>
>    1. pix and ssh (swapbox10467 () yahoo com)
>    2. Re: RES: [fw-wiz] Firewall Load Balance (paul)
>
> --__--__--
>
> Message: 1
> Date: 18 Apr 2002 16:56:00 -0000
> From: <swapbox10467 () yahoo com>
> To: firewall-wizards () nfr net
> Subject: [fw-wiz] pix and ssh
>
> Anyone seen where you can crash a pix via ssh? I've
> been able to successfully crash a pix fw via an ssh
> client and am curious if anyone else has seen this.
>
> --__--__--
>
> Message: 2
> Date: Thu, 18 Apr 2002 14:58:36 -0400 (EDT)
> From: paul <paul () hessels ca>
> To: <firewall-wizards () nfr com>
> Cc: mahhy <mahhy () undertow ca>,
>         Marcelo Barbosa Lima <mblima () opencs com br>
> Subject: Re: RES: [fw-wiz] Firewall Load Balance
>
> The routing protocol doesn't really have anything to do with the
> actual load balancing.  The routing engine is what will tell you if you
> can do this or not.
>
> Most routing engines, the routing in the Linux kernel for instance, use
> ECMP[1].  Equal Cost Multi Pathing.  Basically the load balancing is done
> based on a src/dst ip pair, sometimes with src/dst port thrown in. ECMP is
> cheap vs per-packet load balancing, so its likely your router will
> use ECMP.
>
> If your router does ECMP with src/dst ip then your stateful firewall
> should work without any problems.
>
> If it uses src/dst port you can get into problems with things like active
> ftp.
>
> If it doesn't use ECMP, but uses per-packet load balancing, you are SOL.
>
> With ECMP the firewalls don't have to have the same connection tracking
> table.
>
> SIMPLE EXAMPLE:
>
> ECMP Should always chose the same paths.
>
>                   ----firewallA---WebFarmA
>            (ECMP)/
> internet---router
>                  \
>                   ----firewallB---WebFarmB
>
> COMPLEX EXAMPLE:
>
> There are, of course, more complex examples.  You can run into problems
> with dynamic load balancing and stateful firewalls... assuming you have two
> firewalls between four routers... a six pack if you will.  In this example
> I will assume all 6 machines are running Linux with zebra-ospf(including
> the firewalls).
>
> i\
> n \BGPpeerA
> t  }---------routerA---firewallA---routerC--WebFarmA
> e  }           |    \ /         \ /
> r  }           |    / \         / \
> n  }---------routerB---firewallB---routerD--WebFarmB
> r /BGPpeerB
> t/
>
> This gives you a load balanced, highly available connection... the problem
> arises if the different routers decide on different than expected return
> paths.  For instance, if the traffic path looks like this then your
> firewall won't be able to be stateful:
>
> BGPpeerB > routerB > firewallB > routerD > WebFarmB > routerD > firewallA
> > routerB
>
> What we did to solve this, hackish I'll admit, is to run NAT on the
> firewalls with the right of the diagram being internal address space.
> This ensures that the return path is the correct.  You could also force
> paths through network by setting local-prefs.... less hackish, but less
> load balanced... depending on what your two internet connections are sized
> too.
>
> DISCLAIMER:  I haven't had my coffee yet today... nor my donut.
>
> [1] There is a RFC about this.... done by the people at merit.
>
> On Thu, 18 Apr 2002, Marcelo Barbosa Lima wrote:
>
> > Thanks Rob, but I think that this doesn´t work very well. It´s important
> > that both Linux box have the same connection tracking table. OSPF does
> > load balance in packet traffic. It doen´t pay attetion in connection
> > before forward packets. I believe that some packets can be rejected in
> > the stateful firewall.
> >
> > -----Mensagem original-----
> > De: mahhy [mailto:mahhy () undertow ca]
> > Enviada em: quinta-feira, 18 de abril de 2002 09:18
> > Para: Marcelo Barbosa Lima
> > Cc: firewall-wizards () nfr com
> > Assunto: Re: [fw-wiz] Firewall Load Balance
> >
> > On Tue, 16 Apr 2002, Marcelo Barbosa Lima wrote:
> > >             Is it possible to implement an architecture of firewall
> > load
> > > balance using only two Linux Boxes? LVS permits to implement load
> > > balance to services. I want to offer load balance and high
> > availibility
> > > using Linux. Did anybody do it? Thanks,
> >
> > I currently do this at work.  Two Linux iptables firewalls, using the
> > High
> > Availability package from www.linux-ha.org.
> >
> > This allows the Primary Firewall to fail and the Secondary to take over.
> >
> > I know this isnt quite what you are looking for, as you would like to
> > load
> > balance over the two machines.
> >
> > My solution to this was to use OSPF on the firewalls, and a fairly
> > intelligent router behind the firewall.  It basically round robins any
> > outbound connections to the two machines (since in OSPF terms there are
> > two default routes).
> >
> > I'm sure there are other ways to achieve this as well.
>
> --
>
> yow
>
> --__--__--
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://list.nfr.com/mailman/listinfo/firewall-wizards
>
> End of firewall-wizards Digest
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards