Re: insecurity in internet connection thro cable modems

[Dave Mitchell <dmitchell () viawest net>]

Wes,
  You should be able to create an IKE autonegotiated IPSec tunnel on the 
Netscreen without issue. Using the pre-shared key is definately the easiest
way to get IKE going. You do not need X509 certs to manage one via SSH. The
only command you need is `set scs enable.` That will generate the pub/private
rsa or dsa keys for needed for SSH.

  Also, it's not necessarily a great idea to be creating the CA cert on the PIX
and then signing certs to be used for IPSec tunnels. You are leaving the possibility
open for someone to compromise the firewall and giving them the ability to grab the
private key for the CA cert off the filesystem.

To each his own.

-dave

On Sun, Feb 16, 2003 at 05:44:29PM -0600, Noonan, Wesley wrote:
> Freely admiting that I am not a netscreen expert (and thus, I could have
> missed something in the config or docs), I found that I was unable to get it
> to function and create keys without needing a certificate, which is a hassle
> for small shops that want a VPN and don't want to pay for a certificate that
> only has local significance. I also found their documentation to be lacking.
> This was true for setting up SSH connections to manage the device as well. 
>
> With the PIX I can generate my own keys in 10 seconds with a single command
> and I am off and running. 10-11 commands later, the VPN is up.
>
> Like I said, I just kind of feel like netscreen is about where the PIX was 2
> years ago. I happen to like the CLI of the PIX as well, but that probably
> has more to do with my router background than anything else. Beside, CLI
> preference is such a highly subjective situation anyway.
>
> HTH
>
> Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
> Senior QA Rep.
> BMC Software, Inc.
> (713) 918-2412
> wnoonan () bmc com
> http://www.bmc.com
>
>
> > -----Original Message-----
> > From: Dave Mitchell [mailto:dmitchell () viawest net]
> > Sent: Sunday, February 16, 2003 11:39
> > To: Noonan, Wesley
> > Cc: 'Brian Ford'; firewall-wizards () honor icsalabs com
> > Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems
> >
> > Wes,
> >   GlobalPro makes it easier to maintain a fleet of Netscreens. I'm
> > confused
> > as to why you feel their VPN support is lacking? I've been able to
> > interoperate
> > Netscreen IPSec with Cisco PIX, Cisco IOS, Checkpoint, Cisco VPN3k,
> > FreeSWAN;
> > just to name some. Support for preshared keys, x509 certs, ldap auth, and
> > securid
> > auth make me feel that Netscreen's IPSec has quite a few features, not to
> > mention
> > higher throughput due to their ASIC's.
> >
> > -dave
> >
> >
> > On Sat, Feb 15, 2003 at 01:27:51PM -0600, Noonan, Wesley wrote:
> > > Having used both, I strongly prefer a PIX. It is much easier to maintain
> > a
> > > bunch of PIXen than it is to maintain a bunch of netscreens. It's not
> > that
> > > the netscreens are bad, it is just that the TCO is too high to try to
> > > maintain a "fleet" of them. In addition, I find their (netscreen) VPN
> > > support to be... well... lacking. It is a very convoluted process, much
> > like
> > > the PIX was 2 years ago.
> > >
> > > HTH
> > >
> > > Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
> > > Senior QA Rep.
> > > BMC Software, Inc.
> > > (713) 918-2412
> > > wnoonan () bmc com
> > > http://www.bmc.com
> > >
> > >
> > > > -----Original Message-----
> > > > From: Brian Ford [mailto:brford () cisco com]
> > > > Sent: Saturday, February 15, 2003 12:56
> > > > To: firewall-wizards () honor icsalabs com
> > > > Cc: Dave Mitchell
> > > > Subject: Re: [fw-wiz] insecurity in internet connection thro cable
> > modems
> > > > Dave,
> > > >
> > > > > More than
> > > > > likely, natting a home network behind a linksys soho router would be
> > > > > sufficient.
> > > >
> > > > Yet another security policy that begins with "more than likely".  What
> > > > happens in the "likely" case when someone figures out where you are
> > and
> > > > wants to get at your stuff?
> > > >
> > > > > Putting in PIX 501's at someones home would be insane. If you have to
> > > > > administer
> > > > > it, a small Netscreen is much easier than dealing with PIX.
> > > >
> > > > Gee Dave.  Why would it be insane to use a PIX?
> > > >
> > > > To set up a PIX at home all you need is the PIX.  You don't need a PC
> > and
> > > > the setup disk that NetScreen ships.
> > > >
> > > > The 501 ships with a default "plug and play" configuration that for
> > many
> > > > installs (including folks sitting behind a cable modem) requires no
> > > > modification to get up and running.
> > > >
> > > > The PIX also supports Cisco AUS (Auto Update Server) so that security
> > > > policy, operating system image, and configuration updates can be
> > securely
> > > > downloaded to the PIX from a central site without end user
> > intervention.
> > > > You said "a small Netscreen is much easier than dealing with PIX".
> > Have
> > > > you really tried both products?  Could it be that you just don't like
> > > > PIX?  Or that you just don't know about the PIX?
> > > >
> > > > Liberty for All,
> > > >
> > > > Brian
> > > >
> > > > At 12:00 PM 2/15/2003 -0500, firewall-wizards-
> > request () honor icsalabs com
> > > > wrote:
> > > > > Message: 5
> > > > > Date: Fri, 14 Feb 2003 14:03:11 -0700
> > > > > From: Dave Mitchell <dmitchell () viawest net>
> > > > > To: "Perrymon, Josh L." <PerrymonJ () bek com>
> > > > > Cc: "'Chapman, Justin T'" <JtChapma () bhi-erc com>,
> > > > >         "'firewall-wizards () honor icsalabs com '"
> > > > > <firewall-wizards () honor icsalabs com>
> > > > > Subject: Re: [fw-wiz] insecurity in internet connection thro cable
> > modems
> > > > > For normal users I'd recommend some sort of appliance filter or
> > firewall.
> > > > > More than
> > > > > likely, natting a home network behind a linksys soho router would be
> > > > > sufficient. If you
> > > > > want to do VPNing and what not, I think a Netscreen 5 would be the
> > best
> > > > > for the home
> > > > > firewall. Putting in PIX 501's at someones home would be insane. If
> > you
> > > > > have to administer
> > > > > it, a small Netscreen is much easier than dealing with PIX.
> > > > >
> > > > > -dave
> > > > >
> > > > > On Fri, Feb 14, 2003 at 10:42:16AM -0600, Perrymon, Josh L. wrote:
> > > > > > Yeah...  I ( Security Professional ) would implement IPChains or a
> > PIX
> > > > @
> > > > > > home...
> > > > > > But don't you think Linux is completely out of the question for a
> > > > regular
> > > > > > end user?????
> > > > > >
> > > > > > I'm looking for an application based firewall for my VPN users..
> > > > > > So far ZONE ALARM is my choice..  I just wished I could integrate
> > it
> > > > with
> > > > > > the PIX VPN client like the concentrator can.
> > > > > >
> > > > > >
> > > > > >
> > > > > > Any Ideas??
> > > > > > -JP
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Chapman, Justin T [mailto:JtChapma () bhi-erc com]
> > > > > > Sent: Friday, February 07, 2003 11:29 AM
> > > > > > To: 'firewall-wizards () honor icsalabs com '
> > > > > > Subject: RE: [fw-wiz] insecurity in internet connection thro cable
> > > > > > modems
> > > > > >
> > > > > >
> > > > > > > ipchains is old ( for the previous Linux Kernel 2.2 ), iptables
> > > > > > > http://www.iptables.org would be a better choice.
> > > > > >
> > > > > > Agreed.  If it's an option at all, choose iptables over ipchains.
> > > > It's
> > > > > more
> > > > > > flexable and it's a stateful packet filter, which makes for a
> > > > "smarter"
> > > > > > firewall.  IPtables (and ipchains for that matter) can be a bit
> > > > > intimidating
> > > > > > to work with, especially if you're new to the syntax.  If you're
> > going
> > > > to
> > > > > > "rolll your own" firewall, I would suggest searching
> > > > Google/Freshmeat.net
> > > > > > for "iptables generator".  There are plenty of scripts/web
> > > > frontends/guis
> > > > > > that make creating simple "consumer-grade" firewalls a snap.  One
> > that
> > > > I
> > > > > > particularly like is a cgi-based one at:
> > > > > >
> > > > > > http://morizot.net/firewall/gen/
> > > > > >
> > > > > > Good luck!
> > > > > >
> > > > > > --justin
> > > >
> > > >
> > > > Brian Ford
> > > > Consulting Engineer
> > > > Corporate Consulting Engineering, Office of the Chief Technology
> > Officer
> > > > Cisco Systems, Inc.
> > > > http://www.cisco.com
> > > > e-mail: brford () cisco com
> > > >
> > > > _______________________________________________
> > > > firewall-wizards mailing list
> > > > firewall-wizards () honor icsalabs com
> > > > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> > > _______________________________________________
> > > firewall-wizards mailing list
> > > firewall-wizards () honor icsalabs com
> > > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () honor icsalabs com
> > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards