Firewall Wizards mailing list archives

Help - NAT-T


From: "Ralema Geno" <rgeno () datec net pg>
Date: Wed, 24 Nov 2004 14:55:50 +1000

Hi,
Can someone assist me? I would like to know how NAT-Traversal is used and
the best type of scenario it can be used for.

I have read information, but I can't seem to quite get how it's supposed to
work.

Ok, if you have several VPN clients configured on the firewall, none of
them using NAT-T, but one particular client has enabled NAT-T on their end.
Can they not connect until my side is done?

What should I do?

Cheers
Rale

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of
firewall-wizards-request () honor icsalabs com
Sent: Wednesday, 24 November 2004 3:00 AM
To: firewall-wizards () honor icsalabs com
Subject: firewall-wizards digest, Vol 1 #1463 - 6 msgs

Send firewall-wizards mailing list submissions to
        firewall-wizards () honor icsalabs com

To subscribe or unsubscribe via the World Wide Web, visit
        http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
        firewall-wizards-request () honor icsalabs com

You can reach the person managing the list at
        firewall-wizards-admin () honor icsalabs com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

   1. Security of HTTPS (Alex Bihlmaier)
   2. Re: Ethics & hiring (Mike Smith)
   3. Re: Checkpoint NAT H.323 support (Rob Hughes)
   4. Re: ASP/Hosting Architecture (Jian Zhen)
   5. RE: Security of HTTPS (Ben Nagy)
   6. RE: Security of HTTPS (Jean-Denis Gorin)

--__--__--

Message: 1
Date: Fri, 19 Nov 2004 12:06:50 +0100
From: Alex Bihlmaier <thalunil () kallisti de>
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Security of HTTPS

Good Morning.

I am curious how strong the security of https can be.
Is there some possibility of a MITM attack?
Are there any papers out there outlining this aspect of security?

//thalunil



----------------------------------------------------------------
kallisti.de webmail access - email on the road

--__--__--

Message: 2
Date: Fri, 19 Nov 2004 15:13:00 -0500 (EST)
From: Mike Smith <jmikesmith () yahoo com>
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Re: Ethics & hiring

--- Bennett Todd <bet () rahul net> wrote:

> Anti-virus companies are in a very, very awkward position. Their
> business is profitable solely because of the widespread problems
> with viruses; if it weren't for all the malware authors, they'd be
> out of business. They make their money on viruses.

I feel that there's something wrong with this argument. This would seem to
be a core characteristic of any market that sells products that
defend/protect you from Bad Things. Examples would include snow tires
(snowstorms), portable generators (power blackouts), and, perhaps more
relevant to the discussion, home security systems (burglars). Would there
not be an incentive for manufacturers of any of these products to somehow
increase the frequency of Bad Things to boost their sales? Is it just
because viruses are easier to create than snowstorms, blackouts, or
burglars that we view anti-virus vendors with such suspicion?

I need convincing that anti-virus vendors are in a more awkward position
than any other manufacturer of anti-Bad Thing products.

=====
Mike Smith

"Human history becomes more and more a race between education and
catastrophe."
                        H.G. Wells - The Outline of History


--__--__--

Message: 3
Subject: Re: [fw-wiz] Checkpoint NAT H.323 support
From: Rob Hughes <rob () robhughes com>
To: firewall-wizards () honor icsalabs com
Date: Sat, 20 Nov 2004 17:39:19 -0600

On Thu, 2004-11-18 at 16:46 +0100, Luis Maria Sainz Caballero wrote:
> Hi people,
>
> I am new to the list and I hope you help me. I have a problem with
> FW-1/VPN-1 NG with AI (R55) and the H.323 support. I am trying to register
> (H.323 RAS) a VoIP gateway inside my trusted network with a gatekeeper on
> the Internet. I have already configured the VoIP domains (one for the
> gateway and another for the gatekeeper) in the FW, applied the last hotfix
> accumulator (HFA_11) and configured static NAT for the internal gateway to
> a public IP.
> The gatekeeper cannot respond because the IP inside the H.225 payload isn't
> translated, and I have confirmed it using the monitor inside the firewall
> (fw monitor).
> Does anybody know if Checkpoint really supports H.323 NAT, or could it be a
> problem of misconfiguration?


What does your rule look like? Specifically, what service are you using?
Also, the CP docs have examples of how to set this up. Have you tried
following those? But yes, it does (mostly) work.

--__--__--

Message: 4
Date: Sun, 21 Nov 2004 20:28:33 -0800
From: Jian Zhen <jlz () zhen org>
To: Chris Pugrud <chris () pugrud net>
Cc: "Paul D. Robertson" <paul () compuwar net>,
        firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] ASP/Hosting Architecture

Chris Pugrud (chris () pugrud net) [041118 13:16]:
> The customer connections were encrypted because they left our zone of
> control, even though they were "private" point to point T1 lines. The IPSEC
> VPNs were done with Network Alchemy hardware. Network Alchemy was acquired
> by Nokia and I hope the capabilities have been maintained. NA has a really
> phenomenal automagical load balancing capability. I still have several
> boxes on my shelf that I purchased from the company.

Unfortunately, Network Alchemy's hardware, assuming you are talking about
the CryptoClusters, has been EOL'ed for quite a while now.

My previous work place had a couple hundred of them and I thought they were
one of the best VPN devices out there, probably still is.

It's unfortunate that they are no longer available.

However, I believe some of the functionalities were incorporated into their
IPSO software/appliances.

-- 
Jian Zhen <jlz () zhen org>
Blog: http://www.trustpath.com/logmatters

--__--__--

Message: 5
From: "Ben Nagy" <ben () iagu net>
To: "'Alex Bihlmaier'" <thalunil () kallisti de>,
        <firewall-wizards () honor icsalabs com>
Subject: RE: [fw-wiz] Security of HTTPS
Date: Tue, 23 Nov 2004 09:24:45 +0100

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf
Of Alex Bihlmaier
[...]
> I am curious how strong the security of https can be.

I don't know if this is a troll. If you're some super advanced
crypto-protocol guy trying to send a minimalist email, I may have been
fooled.

> Is there some possibility of a MITM attack?

No.

(Well..... Yes.)

HTTPS relies on SSL / TLS. One of the three fundamental design goals[1] for
TLS is:

" The negotiation is reliable: no attacker can modify the 
negotiation communication without being detected by the 
parties to the communication."

There are, sadly, still a lot of possible ways to introduce a MitM attack -
almost all of these rely on browser bugs (not an SSL problem), the
stupidness of the "trusted third party" model typified by commercial
Certification Authorities (not really an SSL problem either), or total
misuse of the protocol to ignore server authentication (nobody does that
although it is supported in theory).

Basically, the model is fine, but the implementation is often sloppy enough
to allow strange things to happen. The fact that most users are now trained
to ignore certificate error warnings doesn't help.

> Are there any papers out there outlining this aspect of security?

Start with the SSL spec. [2] Then read the TLS RFC [1]. You might also try a
FAQ like this one [3] which includes links through to higher level
summaries.

Cheers,

ben

[1] http://www.faqs.org/rfcs/rfc2246.html
[2] http://wp.netscape.com/eng/ssl3/draft302.txt
[3] http://www.faqs.org/faqs/computer-security/ssl-talk-faq/
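Ben's point is that the TLS model holds only while the client actually performs server authentication. The following is an added example, not code from the original thread: a small Python audit of a client ssl.SSLContext that flags the settings which would let an interposing server through, run against a sloppy context and a hardened one (function names are my own).

```python
import ssl
from typing import List


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings describing how this client context could accept an
    interposed server; an empty list means server authentication is enforced."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        # CERT_NONE: any certificate, signed by anyone, is accepted.
        findings.append("verify_mode is not CERT_REQUIRED: chain is never validated")
    if not ctx.check_hostname:
        # A validly signed certificate for some other name would be accepted.
        findings.append("check_hostname is off: server name is not matched to the cert")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows pre-1.2 TLS")
    return findings


def sloppy_context() -> ssl.SSLContext:
    """The 'ignore server authentication' misuse: verification switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Library defaults plus an explicit floor: chain validated against the
    system trust store, hostname matched, TLS 1.2 or newer only."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, ctx in (("sloppy", sloppy_context()), ("hardened", hardened_context())):
        print(name, audit_client_context(ctx) or ["ok"])
```

A content-filtering proxy of the kind JDG mentions below only gets past the hardened context if its signing CA has been installed in the client's trust store, which is exactly where the "trusted third party" model Ben describes does its work.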


--__--__--

Message: 6
Date: Tue, 23 Nov 2004 11:05:26 +0100 (CET)
From: Jean-Denis Gorin <jdg_cnce2004 () yahoo fr>
Subject: RE: [fw-wiz] Security of HTTPS
To: firewall-wizards () honor icsalabs com, thalunil () kallisti de


There are lots of papers about the SSL man-in-the-middle attack. For
example, on the SANS web site:
  http://www.sans.org/rr/whitepapers/threats/480.php

Some kinds of proxies use this to enable content
filtering of HTTPS traffic...

  JDG

From Alex Bihlmaier:

> Good Morning.
>
> I am curious how strong the security of https can be.
> Is there some possibility of a MITM attack?
> Are there any papers out there outlining this aspect of security?
>
> //thalunil



        

        
                
--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest

