Firewall Wizards mailing list archives
Re: insecurity in internet connection thro cable modems
From: Dave Mitchell <dmitchell () viawest net>
Date: Sun, 16 Feb 2003 20:13:16 -0700
Wes,

You should be able to create an IKE autonegotiated IPSec tunnel on the
Netscreen without issue. Using the pre-shared key is definitely the easiest
way to get IKE going. You do not need X509 certs to manage one via SSH. The
only command you need is `set scs enable`. That will generate the pub/private
RSA or DSA keys needed for SSH.

Also, it's not necessarily a great idea to be creating the CA cert on the PIX
and then signing certs to be used for IPSec tunnels. You are leaving the
possibility open for someone to compromise the firewall and giving them the
ability to grab the private key for the CA cert off the filesystem. To each
his own.

-dave

On Sun, Feb 16, 2003 at 05:44:29PM -0600, Noonan, Wesley wrote:
> Freely admitting that I am not a netscreen expert (and thus, I could have
> missed something in the config or docs), I found that I was unable to get
> it to function and create keys without needing a certificate, which is a
> hassle for small shops that want a VPN and don't want to pay for a
> certificate that only has local significance. I also found their
> documentation to be lacking. This was true for setting up SSH connections
> to manage the device as well. With the PIX I can generate my own keys in
> 10 seconds with a single command and I am off and running. 10-11 commands
> later, the VPN is up.
>
> Like I said, I just kind of feel like netscreen is about where the PIX was
> 2 years ago. I happen to like the CLI of the PIX as well, but that
> probably has more to do with my router background than anything else.
> Besides, CLI preference is such a highly subjective situation anyway.
>
> HTH
>
> Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
> Senior QA Rep.
> BMC Software, Inc.
> (713) 918-2412
> wnoonan () bmc com
> http://www.bmc.com
>
> -----Original Message-----
> From: Dave Mitchell [mailto:dmitchell () viawest net]
> Sent: Sunday, February 16, 2003 11:39
> To: Noonan, Wesley
> Cc: 'Brian Ford'; firewall-wizards () honor icsalabs com
> Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems
>
> Wes,
>
> GlobalPro makes it easier to maintain a fleet of Netscreens. I'm confused
> as to why you feel their VPN support is lacking? I've been able to
> interoperate Netscreen IPSec with Cisco PIX, Cisco IOS, Checkpoint, Cisco
> VPN3k, FreeSWAN; just to name some. Support for preshared keys, x509
> certs, ldap auth, and securid auth make me feel that Netscreen's IPSec has
> quite a few features, not to mention higher throughput due to their ASICs.
>
> -dave
>
> On Sat, Feb 15, 2003 at 01:27:51PM -0600, Noonan, Wesley wrote:
> > Having used both, I strongly prefer a PIX. It is much easier to maintain
> > a bunch of PIXen than it is to maintain a bunch of netscreens. It's not
> > that the netscreens are bad, it is just that the TCO is too high to try
> > to maintain a "fleet" of them. In addition, I find their (netscreen) VPN
> > support to be... well... lacking. It is a very convoluted process, much
> > like the PIX was 2 years ago.
> >
> > HTH
> >
> > Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
> > Senior QA Rep.
> > BMC Software, Inc.
> > (713) 918-2412
> > wnoonan () bmc com
> > http://www.bmc.com
> >
> > -----Original Message-----
> > From: Brian Ford [mailto:brford () cisco com]
> > Sent: Saturday, February 15, 2003 12:56
> > To: firewall-wizards () honor icsalabs com
> > Cc: Dave Mitchell
> > Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems
> >
> > Dave,
> >
> > > More than likely, natting a home network behind a linksys soho router
> > > would be sufficient.
> >
> > Yet another security policy that begins with "more than likely". What
> > happens in the "likely" case when someone figures out where you are and
> > wants to get at your stuff?
> >
> > > Putting in PIX 501's at someone's home would be insane. If you have to
> > > administer it, a small Netscreen is much easier than dealing with PIX.
> >
> > Gee Dave. Why would it be insane to use a PIX?
> >
> > To set up a PIX at home all you need is the PIX. You don't need a PC and
> > the setup disk that NetScreen ships. The 501 ships with a default "plug
> > and play" configuration that for many installs (including folks sitting
> > behind a cable modem) requires no modification to get up and running. The
> > PIX also supports Cisco AUS (Auto Update Server) so that security policy,
> > operating system image, and configuration updates can be securely
> > downloaded to the PIX from a central site without end user intervention.
> >
> > You said "a small Netscreen is much easier than dealing with PIX". Have
> > you really tried both products? Could it be that you just don't like PIX?
> > Or that you just don't know about the PIX?
> >
> > Liberty for All,
> >
> > Brian
> >
> > At 12:00 PM 2/15/2003 -0500, firewall-wizards-request () honor icsalabs com wrote:
> > > Message: 5
> > > Date: Fri, 14 Feb 2003 14:03:11 -0700
> > > From: Dave Mitchell <dmitchell () viawest net>
> > > To: "Perrymon, Josh L." <PerrymonJ () bek com>
> > > Cc: "'Chapman, Justin T'" <JtChapma () bhi-erc com>, "'firewall-wizards () honor icsalabs com '" <firewall-wizards () honor icsalabs com>
> > > Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems
> > >
> > > For normal users I'd recommend some sort of appliance filter or
> > > firewall. More than likely, natting a home network behind a linksys
> > > soho router would be sufficient. If you want to do VPNing and what
> > > not, I think a Netscreen 5 would be the best for the home firewall.
> > > Putting in PIX 501's at someone's home would be insane. If you have to
> > > administer it, a small Netscreen is much easier than dealing with PIX.
> > >
> > > -dave
> > >
> > > On Fri, Feb 14, 2003 at 10:42:16AM -0600, Perrymon, Josh L. wrote:
> > > > Yeah... I ( Security Professional ) would implement IPChains or a
> > > > PIX@home... But don't you think Linux is completely out of the
> > > > question for a regular end user????? I'm looking for an application
> > > > based firewall for my VPN users.. So far ZONE ALARM is my choice.. I
> > > > just wished I could integrate it with the PIX VPN client like the
> > > > concentrator can. Any Ideas??
> > > >
> > > > -JP
> > > >
> > > > -----Original Message-----
> > > > From: Chapman, Justin T [mailto:JtChapma () bhi-erc com]
> > > > Sent: Friday, February 07, 2003 11:29 AM
> > > > To: 'firewall-wizards () honor icsalabs com '
> > > > Subject: RE: [fw-wiz] insecurity in internet connection thro cable modems
> > > >
> > > > > ipchains is old ( for the previous Linux Kernel 2.2 ), iptables
> > > > > http://www.iptables.org would be a better choice.
> > > >
> > > > Agreed. If it's an option at all, choose iptables over ipchains. It's
> > > > more flexible and it's a stateful packet filter, which makes for a
> > > > "smarter" firewall. IPtables (and ipchains for that matter) can be a
> > > > bit intimidating to work with, especially if you're new to the
> > > > syntax. If you're going to "roll your own" firewall, I would suggest
> > > > searching Google/Freshmeat.net for "iptables generator". There are
> > > > plenty of scripts/web frontends/guis that make creating simple
> > > > "consumer-grade" firewalls a snap. One that I particularly like is a
> > > > cgi-based one at: http://morizot.net/firewall/gen/
> > > >
> > > > Good luck!
> > > >
> > > > --justin
> >
> > Brian Ford
> > Consulting Engineer
> > Corporate Consulting Engineering, Office of the Chief Technology Officer
> > Cisco Systems, Inc.
> > http://www.cisco.com
> > e-mail: brford () cisco com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
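As an added example, not code from the thread or from any of the generators named in it: a small POSIX-shell "iptables generator" of the kind Justin suggests, producing the default-deny, stateful ruleset a Linux box behind a cable modem needs (optionally NATting an inside interface). The interface names are assumed caller arguments; the function only prints iptables-restore text and never applies it.

```shell
#!/bin/sh
# Constructed "iptables generator" in the spirit of the scripts Justin
# mentions: prints a consumer-grade stateful ruleset for a Linux box behind a
# cable modem (iptables-restore format). Interface names are assumptions
# passed by the caller; nothing here applies the rules, it only prints them.

gen_home_firewall() {
    wan="$1"        # interface facing the cable modem, e.g. eth0
    lan="${2:-}"    # optional inside interface; empty means single host
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# stateful core: only replies to connections we opened come back in
-A INPUT -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $wan -m state --state INVALID -j DROP
EOF
    if [ -n "$lan" ]; then
        cat <<EOF
# trust the inside interface and let it out; only replies come back
-A INPUT -i $lan -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    fi
    echo COMMIT
    if [ -n "$lan" ]; then
        cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
    fi
}

# Sanity check on a generated ruleset: succeeds only if inbound is
# default-deny and the stateful accept for established traffic is present.
check_rules() {
    printf '%s\n' "$1" | grep -q '^:INPUT DROP' &&
        printf '%s\n' "$1" | grep -q 'ESTABLISHED,RELATED -j ACCEPT'
}

# Example runs (single host on eth0; NAT box with eth0 outside, eth1 inside):
# gen_home_firewall eth0 ; gen_home_firewall eth0 eth1
```

Feed the output to `iptables-restore` only after reading it; the INVALID drop and default-deny INPUT policy are what make this "smarter" than an ipchains-style stateless filter.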