Firewall Wizards mailing list archives
Help- Nat-t
From: "Ralema Geno" <rgeno () datec net pg>
Date: Wed, 24 Nov 2004 14:55:50 +1000
Hi,

Can someone assist me? I would like to know how NAT-Traversal is used and the best type of scenario it can be used for. I have read information, but I can't seem to quite get how it's supposed to work.

OK, if you have several VPN clients and are configured on the firewall, none of them using NAT-T, however one particular client has enabled NAT-T on their end, but can't connect until my side is done? What should I do?

Cheers
Rale

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of firewall-wizards-request () honor icsalabs com
Sent: Wednesday, 24 November 2004 3:00 AM
To: firewall-wizards () honor icsalabs com
Subject: firewall-wizards digest, Vol 1 #1463 - 6 msgs

Today's Topics:

1. Security of HTTPS (Alex Bihlmaier)
2. Re: Ethics & hiring (Mike Smith)
3. Re: Checkpoint NAT H.323 support (Rob Hughes)
4. Re: ASP/Hosting Architecture (Jian Zhen)
5. RE: Security of HTTPS (Ben Nagy)
6. RE: Security of HTTPS (Jean-Denis Gorin)

--__--__--

Message: 1
Date: Fri, 19 Nov 2004 12:06:50 +0100
From: Alex Bihlmaier <thalunil () kallisti de>
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Security of HTTPS

Good Morning. I am curious how strong the security of https can be. Is there some possibility of a MITM attack? Are there any papers out there outlining this aspect of security?
//thalunil

--__--__--

Message: 2
Date: Fri, 19 Nov 2004 15:13:00 -0500 (EST)
From: Mike Smith <jmikesmith () yahoo com>
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Re: Ethics & hiring

--- Bennett Todd <bet () rahul net> wrote:
> Anti-virus companies are in a very, very awkward position. Their business is profitable solely because of the widespread problems with viruses; if it weren't for all the malware authors, they'd be out of business. They make their money on viruses.
I feel that there's something wrong with this argument. This would seem to be a core characteristic of any market that sells products that defend/protect you from Bad Things. Examples would include snow tires (snowstorms), portable generators (power blackouts), and, perhaps more relevant to the discussion, home security systems (burglars). Would there not be an incentive for manufacturers of any of these products to somehow increase the frequency of Bad Things to boost their sales? Is it just because viruses are easier to create than snowstorms, blackouts, or burglars that we view anti-virus vendors with such suspicion?

I need convincing that anti-virus vendors are in a more awkward position than any other manufacturer of anti-Bad Thing products.

=====
Mike Smith
"Human history becomes more and more a race between education and catastrophe." H.G. Wells - The Outline of History

--__--__--

Message: 3
Subject: Re: [fw-wiz] Checkpoint NAT H.323 support
From: Rob Hughes <rob () robhughes com>
To: firewall-wizards () honor icsalabs com
Date: Sat, 20 Nov 2004 17:39:19 -0600

On Thu, 2004-11-18 at 16:46 +0100, Luis Maria Sainz Caballero wrote:
> Hi people, I am new to the list and I hope you help me. I have a problem with FW-1/VPN-1 NG with AI (R55) and the H.323 support. I am trying to register (H.323 RAS) a VoIP gateway inside my trusted network with a gatekeeper on the Internet. I have already configured the VoIP domains (one for the gateway and another for the gatekeeper) in the FW, applied the last hotfix accumulator (HFA_11) and configured static NAT for the internal gateway to a public IP. The gatekeeper cannot respond because the IP inside the h225 payload isn't translated, and I have confirmed it using the monitor inside the firewall (fw monitor). Anybody know if Checkpoint really supports H.323 NAT? Or can it be a problem of misconfiguration?
What does your rule look like? Specifically, what service are you using? Also, the CP docs have examples of how to set this up. Have you tried following those? But yes, it does (mostly) work.

--__--__--

Message: 4
Date: Sun, 21 Nov 2004 20:28:33 -0800
From: Jian Zhen <jlz () zhen org>
To: Chris Pugrud <chris () pugrud net>
Cc: "Paul D. Robertson" <paul () compuwar net>, firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] ASP/Hosting Architecture

Chris Pugrud (chris () pugrud net) [041118 13:16]:
> The customer connections were encrypted because they left our zone of control, even though they were "private" point to point t1 lines. The IPSEC VPNs were done with Network Alchemy Hardware. Network Alchemy was acquired by Nokia and I hope the capabilities have been maintained. NA has a really phenomenal automagical load balancing capability. I still have several boxes on my shelf that I purchased from the company.
Unfortunately, Network Alchemy's hardware, assuming you are talking about the CryptClusters, has been EOL'ed for quite a while now. My previous work place had a couple hundred of them and I thought they were one of the best VPN devices out there, probably still is. It's unfortunate that they are no longer available.

However, I believe some of the functionalities were incorporated into their IPSO software/appliances.

--
Jian Zhen <jlz () zhen org>
Blog: http://www.trustpath.com/logmatters

--__--__--

Message: 5
From: "Ben Nagy" <ben () iagu net>
To: "'Alex Bihlmaier'" <thalunil () kallisti de>, <firewall-wizards () honor icsalabs com>
Subject: RE: [fw-wiz] Security of HTTPS
Date: Tue, 23 Nov 2004 09:24:45 +0100
> -----Original Message-----
> From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Alex Bihlmaier
> [...]
> I am curious how strong the security of https can be.
I don't know if this is a troll. If you're some super advanced crypto-protocol guy trying to send a minimalist email, I may have been fooled.
> Is there some possibility of a MITM attack?
No. (Well..... Yes.)

HTTPS relies on SSL / TLS. One of the three fundamental design goals[1] for TLS is:

"The negotiation is reliable: no attacker can modify the negotiation communication without being detected by the parties to the communication."

There are, sadly, still a lot of possible ways to introduce a MitM attack - almost all of these rely on browser bugs (not an SSL problem), the stupidness of the "trusted third party" model typified by commercial Certification Authorities (not really an SSL problem either), or total mis-use of the protocol to ignore server authentication (nobody does that although it is supported in theory).

Basically, the model is fine, but the implementation is often sloppy enough to allow strange things to happen. The fact that most users are now trained to ignore certificate error warnings doesn't help.
> Are there any papers out there outlining this aspect of security?
Start with the SSL spec. [2] Then read the TLS RFC [1]. You might also try a FAQ like this one [3] which includes links through to higher level summaries.

Cheers,

ben

[1] http://www.faqs.org/rfcs/rfc2246.html
[2] http://wp.netscape.com/eng/ssl3/draft302.txt
[3] http://www.faqs.org/faqs/computer-security/ssl-talk-faq/

--__--__--

Message: 6
Date: Tue, 23 Nov 2004 11:05:26 +0100 (CET)
From: Jean-Denis Gorin <jdg_cnce2004 () yahoo fr>
Subject: RE: [fw-wiz] Security of HTTPS
To: firewall-wizards () honor icsalabs com, thalunil () kallisti de

Lot of papers about SSL Man In the Middle attack. For example, on the SANS web site: http://www.sans.org/rr/whitepapers/threats/480.php

Some kind of proxies use this to enable content filtering of HTTPS traffic...

JDG
> From Alex Bihlmaier
> Good Morning. I am curious how strong the security of https can be. Is there some possibility of a MITM attack? Are there any papers out there outlining this aspect of security?
> //thalunil
--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest