Security Basics mailing list archives

RE: where should I start? help!


From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 28 Jul 2003 09:59:14 -0700

  Blocking specific ports because they're "threats" sort of worked
okay around 1995.  In the Internet of the 21st century, it doesn't.

  The Right Way(TM) to define a firewall policy is to block all
traffic by default, and then open up what your organization actually 
needs.  That way, you can get away with ignoring new threats unless
they actually apply to stuff your organization does, instead of
constantly putting out fires each time the building catches.

David Gillett
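David's default-deny point, worked through as an added example (this is not code from any poster on the thread, and it is a model, not a PIX parser): a small Python evaluator for first-match access lists with the implicit deny at the end, run over the same flows under a port-blocklist policy and under a default-deny policy. The 554/tcp and 554/udp deny pair is the one discussed further down; the 10.0.0.0/8 inside network, the 203.0.113.5 server, the permitted services and the alternative port 8000 are constructed for illustration.

```python
"""First-match access-list evaluation with the implicit deny at the end of a
PIX/IOS access list, comparing a port-blocklist policy with a default-deny
policy. Added example for the list archive; rules are plain Python values and
every address, port and policy below is constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip matches either)
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # destination port, None = any port


def _addr_in(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr)


def matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    return (rule.proto in ("ip", proto)
            and _addr_in(rule.src, src)
            and _addr_in(rule.dst, dst)
            and (rule.dport is None or rule.dport == dport))


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; no match falls through to the implicit deny."""
    for r in rules:
        if matches(r, proto, src, dst, dport):
            return r.action
    return "deny"


# Policy 1: blocklist style. The two 554 entries correspond to the
# "access-list 100 deny tcp/udp any any eq 554" pair from the thread, followed
# by a permit-everything-else entry.
BLOCKLIST = [
    Rule("deny", "tcp", "any", "any", 554),
    Rule("deny", "udp", "any", "any", 554),
    Rule("permit", "ip", "any", "any", None),
]

# Policy 2: default deny. Only what the organisation needs is opened (web and
# DNS from a constructed inside network); there is no trailing permit, so the
# implicit deny handles everything not listed.
DEFAULT_DENY = [
    Rule("permit", "tcp", "10.0.0.0/8", "any", 80),
    Rule("permit", "tcp", "10.0.0.0/8", "any", 443),
    Rule("permit", "udp", "10.0.0.0/8", "any", 53),
]

# Constructed flows: a streaming client on the standard RTSP port, the same
# client after the user changed the streaming port, and ordinary web traffic.
FLOWS = [
    ("rtsp on 554",          "tcp", "10.1.2.3", "203.0.113.5", 554),
    ("stream moved to 8000", "tcp", "10.1.2.3", "203.0.113.5", 8000),
    ("web",                  "tcp", "10.1.2.3", "203.0.113.5", 80),
]


def compare(flows=FLOWS) -> dict:
    """Return {flow name: (blocklist verdict, default-deny verdict)}."""
    return {name: (evaluate(BLOCKLIST, *f), evaluate(DEFAULT_DENY, *f))
            for name, *f in flows}


if __name__ == "__main__":
    for name, (blk, dd) in compare().items():
        print(f"{name:22} blocklist={blk:7} default-deny={dd}")
```

The blocklist stops the flow on 554 but passes the same stream once the client moves to another port, which is the leak Jude raises further down the thread; the default-deny list has no trailing permit, so the moved stream falls to the implicit deny without anyone having to add a rule for it.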


-----Original Message-----
From: Jude Naidoo [mailto:jude007 () jnaidoo fsnet co uk]
Sent: July 26, 2003 09:06
To: Jane Han; ALLEN, DONALD S (AIT); Gregory_DeGennaro () csaa com
Cc: security-basics () securityfocus com
Subject: Re: where should I start? help!


Hi Jane

What about other valid applications that could use either TCP or UDP 554?

It may be more work, but wouldn't access to the streaming servers be
disallowed? With most browser/streaming applications, you can change the
proxy port or even the port to use for streaming audio/video.

Pretty soon you could find yourself blocking loads of ports...

Just my 2 cents worth...


Jude


----- Original Message ----- 
From: "Jane Han" <janehan22 () yahoo com>
To: "ALLEN, DONALD S (AIT)" <da1295 () sbc com>; 
<Gregory_DeGennaro () csaa com>
Cc: <security-basics () securityfocus com>
Sent: Friday, July 25, 2003 3:52 PM
Subject: RE: where should I start? help!


Thank you so much for all your help.  Finally, I found the problem: many
streaming radio or video services use port 554.

If I want to block all streaming radio or video on the PIX, can I use

    access-list 100 deny tcp any any eq 554
    access-list 100 deny udp any any eq 554

Any other suggestions or concerns?

Thanks again,

Jane


--- "ALLEN, DONALD S (AIT)" <da1295 () sbc com> wrote:
Show Conns or show conns?
Show Xlate or show xlate?

And using the PDM web module are ways to get Pix information without a
sniffer.



-----Original Message-----
From: Jane Han [mailto:janehan22 () yahoo com]
Sent: Thursday, July 24, 2003 9:08 AM
To: Ben Hicks; security-basics () securityfocus com;
Gregory_DeGennaro () csaa com
Cc: security-basics () securityfocus com
Subject: RE: where should I start? help!


Thanks for all the help.  If I want to find all traffic on the PIX internal
interface, what should I do?  Use a sniffer?  How do I position the sniffer?
How can I span a port on the PIX, or do I have to do spanning on the switch?

Any suggestions or help will be highly appreciated.


switch ---PIX---external router

The external router serial interface status is as follows:

Serial0/0 is up, line protocol is up
  Hardware is DSCC4 Serial
  Internet address is a.b.c.d/30
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 24/255, rxload 235/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  Last input 00:00:05, output 00:00:01, output hang never
  Last clearing of "show interface" counters 1d23h
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/100 (size/max)
  30 second input rate 1424000 bits/sec, 230 packets/sec
  30 second output rate 147000 bits/sec, 161 packets/sec
     16859032 packets input, 2850828712 bytes, 0 no buffer
     Received 17055 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     13720059 packets output, 3084799197 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up


Thanks in advance,

Jane
--- Ben Hicks <ben () sequenced net> wrote:
Hmm, so the firewall is performing the NAT then.

Just out of interest, what is the firewall doing?  Does it have any access
lists on it?

Thanks,

Ben



-----Original Message-----
From: Jane Han [mailto:janehan22 () yahoo com]
Sent: 15 July 2003 16:20
To: Ben Hicks; security-basics () securityfocus com
Subject: RE: where should I start? help!


Ben,

I appreciate your answer.  I enabled the IP accounting and the IP accounting
only shows the destination address as a public address (NAT).  Is there a way
that I can trace this public IP address (NAT) to the internal private IP
address?

Thanks,

Jane

--- Ben Hicks <ben () sequenced net> wrote:
The interface is very heavily utilised on the receiving of information, i.e.
persons downloading.

Your interface (at the time of the snapshot) was very heavily utilised.
188/255 RX suggests that your link is about 75% utilised, which is very high.

There are of course many other things that could be contributing to the
problem, but I would start here.

You could perhaps enable ip accounting to find out which IP addresses are
accessing the most information.

HTH

Ben.

-----Original Message-----
From: Jane Han [mailto:janehan22 () yahoo com]
Sent: 08 July 2003 15:41
To: security-basics () securityfocus com
Subject: where should I start? help!


Hi, all

I am relatively new to this field.  We have a full T1 but the internet speed
is very slow.  Sometimes it's even slower than dial-up speed when downloading
files.

          E1 E0    E0              s0
Switch ---   PIX ------Cisco 2600 Router------Internet

(E1 and E0 are Ethernet interfaces and S0 is the serial interface; please see
the following status on s0)

Serial0/0 is up, line protocol is up
  Hardware is QUICC Serial
  Internet address is X.X.X.X/30
  MTU 1500 bytes, BW 2048 Kbit, DLY 20000 usec,
     reliability 255/255, txload 26/255, rxload 188/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  Last input 00:00:02, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/9199/0 (size/max/drops/flushes); Total output drops: 3307
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/3307 (size/max total/threshold/drops)
     Conversations  0/57/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
  30 second input rate 1510000 bits/sec, 235 packets/sec
  30 second output rate 214000 bits/sec, 173 packets/sec
     76598509 packets input, 1523011153 bytes, 0 no buffer
     Received 104544 broadcasts, 0 runts, 0 giants, 0 throttles
     1 input errors, 0 CRC, 1 frame, 0 overrun, 0 ignored, 0 abort
     66685034 packets output, 4044743843 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

I checked the S0 interface status on the internet

=== message truncated ===
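Ben's reading of the rxload field (188/255, about 75%) and the drop counters in the two Serial0/0 listings can be automated. The parser below is an added example written for this archive page, not any poster's or Cisco's code. The embedded samples are trimmed copies of the two listings Jane posted (8 July and 24 July); the optional line-rate argument (1544 Kbit for a T1) is an assumption the caller supplies, because the router's load fields are computed against the configured `bandwidth` value, not the physical line rate, and the first listing shows BW 2048 Kbit on what Jane describes as a T1.

```python
"""Parse Cisco 'show interface' output into utilization figures and drop/error
findings. Added example for the list archive, not a poster's or vendor code.
Samples are trimmed from the two Serial0/0 listings posted in the thread."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Trimmed from the 8 July listing (BW 2048 Kbit, rxload 188/255, drops present).
SAMPLE_S0_JULY8 = """Serial0/0 is up, line protocol is up
  Hardware is QUICC Serial
  MTU 1500 bytes, BW 2048 Kbit, DLY 20000 usec,
     reliability 255/255, txload 26/255, rxload 188/255
  Input queue: 0/75/9199/0 (size/max/drops/flushes); Total output drops: 3307
  Queueing strategy: weighted fair
  30 second input rate 1510000 bits/sec, 235 packets/sec
  30 second output rate 214000 bits/sec, 173 packets/sec
     1 input errors, 0 CRC, 1 frame, 0 overrun, 0 ignored, 0 abort
"""

# Trimmed from the 24 July listing (BW 1544 Kbit, rxload 235/255, no drops).
SAMPLE_S0_JULY24 = """Serial0/0 is up, line protocol is up
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 24/255, rxload 235/255
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  30 second input rate 1424000 bits/sec, 230 packets/sec
  30 second output rate 147000 bits/sec, 161 packets/sec
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
"""


@dataclass
class LinkStats:
    bw_kbit: int     # configured 'bandwidth'; the load fields are relative to it
    txload: int      # x/255
    rxload: int      # x/255
    in_bps: int      # 30 second input rate
    out_bps: int     # 30 second output rate
    in_drops: int    # input queue drops
    out_drops: int   # total output drops
    in_errors: int


def _field(pattern: str, flat: str) -> int:
    m = re.search(pattern, flat)
    if m is None:
        raise ValueError(f"field not found: {pattern}")
    return int(m.group(1))


def parse_show_interface(text: str) -> LinkStats:
    # Mail clients wrap the listing at arbitrary places (as in the thread), so
    # collapse all whitespace first and match against one continuous string.
    flat = " ".join(text.split())
    return LinkStats(
        bw_kbit=_field(r"BW (\d+) Kbit", flat),
        txload=_field(r"txload (\d+)/255", flat),
        rxload=_field(r"rxload (\d+)/255", flat),
        in_bps=_field(r"input rate (\d+) bits/sec", flat),
        out_bps=_field(r"output rate (\d+) bits/sec", flat),
        in_drops=_field(r"Input queue: \d+/\d+/(\d+)/\d+", flat),
        out_drops=_field(r"Total output drops: (\d+)", flat),
        in_errors=_field(r"(\d+) input errors", flat),
    )


def utilization(stats: LinkStats, line_rate_kbit: Optional[int] = None) -> dict:
    """Percent utilization two ways: from the router's own load fields (relative
    to configured BW) and from the measured rate against line_rate_kbit, which
    defaults to BW when the caller does not know the real circuit speed."""
    ref_bps = (line_rate_kbit or stats.bw_kbit) * 1000
    return {
        "rx_load_pct": round(100 * stats.rxload / 255, 1),
        "tx_load_pct": round(100 * stats.txload / 255, 1),
        "rx_rate_pct": round(100 * stats.in_bps / ref_bps, 1),
        "tx_rate_pct": round(100 * stats.out_bps / ref_bps, 1),
    }


def findings(stats: LinkStats, line_rate_kbit: Optional[int] = None,
             busy_threshold: float = 70.0) -> List[str]:
    """Plain-language observations a first responder would want from the listing."""
    u = utilization(stats, line_rate_kbit)
    out = []
    if u["rx_rate_pct"] >= busy_threshold:
        out.append(f"inbound utilization {u['rx_rate_pct']}%: downloads are filling the circuit")
    if stats.in_drops:
        out.append(f"{stats.in_drops} input queue drops")
    if stats.out_drops:
        out.append(f"{stats.out_drops} output drops")
    if stats.in_errors:
        out.append(f"{stats.in_errors} input errors")
    if line_rate_kbit and line_rate_kbit != stats.bw_kbit:
        out.append(f"configured BW {stats.bw_kbit} Kbit differs from line rate "
                   f"{line_rate_kbit} Kbit: txload/rxload are relative to BW, not the circuit")
    return out


if __name__ == "__main__":
    for label, sample in (("8 July", SAMPLE_S0_JULY8), ("24 July", SAMPLE_S0_JULY24)):
        s = parse_show_interface(sample)
        print(label, utilization(s, line_rate_kbit=1544))
        for f in findings(s, line_rate_kbit=1544):
            print("  -", f)
```

On the 8 July listing the load fields and the measured rate agree at about 74% of the 2048 Kbit BW, but against a 1544 Kbit T1 the same 1510000 bits/sec is about 98%, and the 9199 input queue drops and 3307 output drops show the queues are overflowing; the 24 July listing has the BW set to 1544 and reads 92% inbound with no drops.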

