Nabble - Firewall (securityfocus.com)

What kind of firewall do you use? And why?

2009-06-15T23:37:19Z

Pros: I love Mil Firewall because it has real time network activity monitoring and good filtering rules for ports and addresses. Cons: Unfortunately it's not free. :(

Re: iptables limit speed of SAMBA

2008-07-02T23:18:25Z

2008/7/2 yuan shijiang <yshijiang@...>:
> iptables -A OUTPUT -p tcp -o eth0- -s 192.168.1.0/24 --sport 445 -m
> hashlimit --hashlimit 20/sec --hashlimit-mode dstip --hashlimit-name
> samba -j ACCEPT
> iptables -A OUTPUT -p tcp -o eth0- -s 192.168.1.0/24 --sport 445 -j REJECT

If you REJECT a packet isn't that going to close the connection?

Last time I needed to do linux traffic shaping I used the tc stuff
described here: http://lartc.org/howto/

The HOWTO is pretty scary, but there's an example script here:
http://lartc.org/howto/lartc.cookbook.ultimate-tc.html

cheers,
Jamie
--
Jamie Riden / jamesr@... / jamie@...
UK Honeynet Project: http://www.ukhoneynet.org/

iptables limit speed of SAMBA

2008-07-01T18:18:24Z

iptables -A OUTPUT -p tcp -o eth0- -s 192.168.1.0/24 --sport 445 -m
hashlimit --hashlimit 20/sec --hashlimit-mode dstip --hashlimit-name
samba -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0- -s 192.168.1.0/24 --sport 445 -j REJECT

RE: Help to remove blocking of MS outlook through ISA 2004

2008-06-30T16:55:40Z

HI alll

its for sure TOTALLY Wronge to make a Allow Full control Access to the internet

but as I understand that Qaisar for test to see if there is a problem in his rule

but even so .. the connection will fail .as ISA Server is blocking the APP named as Outlook

so the rule should be ISA Allow the Outlook abd limit its connection to be using Only POP3 and SMTP

Thanks

Faris Mlaeb

Technical Manager

Network Administrator

--- On Fri, 6/27/08, Thor (Hammer of God) <thor@...> wrote:

From: Thor (Hammer of God) <thor@...>
Subject: RE: Help to remove blocking of MS outlook through ISA 2004
To: firewalls@...
Date: Friday, June 27, 2008, 7:57 AM

Wow. I'm not saying this to be mean spirited, but when you create rules to "allow all" in order to fix mail access from Outlook, things have gone horribly wrong. You now no longer have a firewall in ISA -- you now have what we call "a router."

t

From: Qaisar Naseem [mailto:qaisarn@...]
Sent: Friday, June 27, 2008 6:48 AM
To: Faris Mlaeb
Cc: Thor (Hammer of God); firewalls@...
Subject: Re: Help to remove blocking of MS outlook through ISA 2004

Dear Mr. Faris.

Thanks a lot. I did the same what you have and solved the problem.

Thanks again.

Qaisar

On Tue, Jun 24, 2008 at 2:20 AM, Faris Mlaeb <farisnt@...> wrote:

HI

This is normal for ISA and you can fix this by going to:

Open the ISA Server Console and expand the Configuration, and select General, and then Click on "Define Firewall Client Settings", You will have a new Window for the "Firewall Client Settings"
Click on the Application Tab and from the list select Outlook
You will notice that its like this:
Outlook Disable 1
change the value to be
Outlook Disable 0

and on the Firewall client on the user PC make sure that you click on Detect Now Or simply restart your Computer

This work for me perfect

Have a nice time

Note that if the value is not present .. then simply create it

Faris Mlaeb

Technical Manager

Network Administrator

----- Original Message ----
From: Thor (Hammer of God) <thor@...>
To: Qaisar Naseem <qaisarn@...>; firewalls@...
Sent: Monday, June 23, 2008 5:33:33 PM
Subject: RE: Help to remove blocking of MS outlook through ISA 2004

What protocols are you using to connect to the server? I'm assuming you are talking about an internal Outlook client connecting to an external server. What kind of ISA client is the host? Are you using SNAT or FWC? A little infoz, please.

t

-----------

Check out Tim Mullen's "Microsoft Ninjitsu" training at Blackhat Vegas 2008.
There are also some other great NGS classes lead by world-class researchers and trainers available.

http://www.blackhat.com/html/bh-usa-08/train-bh-usa-08-tm-ms-bbe.html

From: listbounce@... [mailto:listbounce@...] On Behalf Of Qaisar Naseem
Sent: Friday, June 20, 2008 9:02 AM
To: firewalls@...
Subject: Help to remove blocking of MS outlook through ISA 2004

Hi,

I am using Windows server 2003 network with ISA 2004 as proxy. I am having problem in passing MS outlook requests. Even I created a firewall rule to allow all outbound traffic to external, but unable to solve the problem. Outlook configuration is quite OK as when I by pass proxy, it works fine.

--
Qaisar Naseem
Network Admin
Express News TV
+923457263848

--
Qaisar Naseem
Network Admin
Express News TV
+923457263848

RE: Help to remove blocking of MS outlook through ISA 2004

2008-06-27T07:57:45Z

Wow. I'm not saying this to be mean spirited, but when you create rules to "allow all" in order to fix mail access from Outlook, things have gone horribly wrong. You now no longer have a firewall in ISA -- you now have what we call "a router."

From: Qaisar Naseem [mailto:qaisarn@...]
Sent: Friday, June 27, 2008 6:48 AM
To: Faris Mlaeb
Cc: Thor (Hammer of God); firewalls@...
Subject: Re: Help to remove blocking of MS outlook through ISA 2004

Dear Mr. Faris.

Thanks a lot. I did the same what you have and solved the problem.

Thanks again.

Qaisar

On Tue, Jun 24, 2008 at 2:20 AM, Faris Mlaeb <farisnt@...> wrote:

This is normal for ISA and you can fix this by going to:

Open the ISA Server Console and expand the Configuration, and select General, and then Click on "Define Firewall Client Settings", You will have a new Window for the "Firewall Client Settings"
Click on the Application Tab and from the list select Outlook
You will notice that its like this:
Outlook Disable 1
change the value to be
Outlook Disable 0

and on the Firewall client on the user PC make sure that you click on Detect Now Or simply restart your Computer

This work for me perfect

Have a nice time

Note that if the value is not present .. then simply create it

Faris Mlaeb

Technical Manager

Network Administrator

----- Original Message ----
From: Thor (Hammer of God) <thor@...>
To: Qaisar Naseem <qaisarn@...>; firewalls@...
Sent: Monday, June 23, 2008 5:33:33 PM
Subject: RE: Help to remove blocking of MS outlook through ISA 2004

What protocols are you using to connect to the server? I'm assuming you are talking about an internal Outlook client connecting to an external server. What kind of ISA client is the host? Are you using SNAT or FWC? A little infoz, please.

-----------

Check out Tim Mullen's "Microsoft Ninjitsu" training at Blackhat Vegas 2008.
There are also some other great NGS classes lead by world-class researchers and trainers available.

http://www.blackhat.com/html/bh-usa-08/train-bh-usa-08-tm-ms-bbe.html

From: listbounce@... [mailto:listbounce@...] On Behalf Of Qaisar Naseem
Sent: Friday, June 20, 2008 9:02 AM
To: firewalls@...
Subject: Help to remove blocking of MS outlook through ISA 2004

Hi,

I am using Windows server 2003 network with ISA 2004 as proxy. I am having problem in passing MS outlook requests. Even I created a firewall rule to allow all outbound traffic to external, but unable to solve the problem. Outlook configuration is quite OK as when I by pass proxy, it works fine.

--
Qaisar Naseem
Network Admin
Express News TV
+923457263848

--
Qaisar Naseem
Network Admin
Express News TV
+923457263848

Re: Help to remove blocking of MS outlook through ISA 2004

2008-06-27T06:48:24Z

Dear Mr. Faris.

Thanks a lot. I did the same what you have and solved the problem.

Thanks again.

Qaisar

On Tue, Jun 24, 2008 at 2:20 AM, Faris Mlaeb <farisnt@...> wrote:

HI

This is normal for ISA and you can fix this by going to:

Open the ISA Server Console and expand the Configuration, and select General, and then Click on "Define Firewall Client Settings", You will have a new Window for the "Firewall Client Settings"
Click on the Application Tab and from the list select Outlook
You will notice that its like this:
Outlook Disable 1
change the value to be
Outlook Disable 0

and on the Firewall client on the user PC make sure that you click on Detect Now Or simply restart your Computer

This work for me perfect

Have a nice time

Note that if the value is not present .. then simply create it

Faris Mlaeb

Technical Manager

Network Administrator

----- Original Message ----
From: Thor (Hammer of God) <thor@...>
To: Qaisar Naseem <qaisarn@...>; firewalls@...
Sent: Monday, June 23, 2008 5:33:33 PM
Subject: RE: Help to remove blocking of MS outlook through ISA 2004

What protocols are you using to connect to the server? I'm assuming you are talking about an internal Outlook client connecting to an external server. What kind of ISA client is the host? Are you using SNAT or FWC? A little infoz, please.

t

-----------

Check out Tim Mullen's "Microsoft Ninjitsu" training at Blackhat Vegas 2008.
There are also some other great NGS classes lead by world-class researchers and trainers available.

http://www.blackhat.com/html/bh-usa-08/train-bh-usa-08-tm-ms-bbe.html

From: listbounce@... [mailto:listbounce@...] On Behalf Of Qaisar Naseem
Sent: Friday, June 20, 2008 9:02 AM
To: firewalls@...
Subject: Help to remove blocking of MS outlook through ISA 2004

Hi,

I am using Windows server 2003 network with ISA 2004 as proxy. I am having problem in passing MS outlook requests. Even I created a firewall rule to allow all outbound traffic to external, but unable to solve the problem. Outlook configuration is quite OK as when I by pass proxy, it works fine.

--
Qaisar Naseem
Network Admin
Express News TV
+923457263848

--
Qaisar Naseem
Network Admin
Express News TV
+923457263848

Re: Recommendations

2008-06-27T00:32:58Z

On Wed, Jun 25, 2008 at 07:55:31PM +0300, Paolo Supino wrote:
> -----BEGIN PGP SIGNED MESSAGE----- ~

> How much of a turnkey solution
> are you looking for? If you have the time to sit down do some
> development and integration than using PF on OpenBSD would give you
> an awesome solution... ~ I don't think it will be a very big
> project, look at integrating usernames/IP addresses (or anything
> else) with PF's anchors ...
>

Thanks to you, Daniel and Rick for responding. I will certainly look
at the PF-solution on openbsd.

Regards
Johann
--
Johann Spies Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

"For I am not ashamed of the gospel of Christ: for it
is the power of God unto salvation to every one that
believeth; to the Jew first, and also to the Greek."
Romans 1:16

RE: Help to remove blocking of MS outlook through ISA 2004

2008-06-26T21:45:06Z

Sorry, but if you had to create an All outbound from int to ext, then you've done something wrong on your rule. The firewall client is great, but it is not a necessity -- of course, you would want it to ensure authenticated access to rules based on domain membership for non-web traffic, but that's another story.

ISA blocks all traffic by default. If you allow POP3 from the client to the server, it works, and without the need for adding the "enable" tag in the FWC config (without question).

Least Privilege dictates that you only allow what you need, only to where you need it, and only to those that need it. Enabling outlook.exe itself for all access is overkill and unnecessary. If you POP3 rule didn't work, you either had an authentication problem, or didn't create the rule properly (like you used POP3 Server instead of POP3 or something like that). The logs will tell you everything you need to know in order to troubleshoot that.

-----------

Check out Tim Mullen's "Microsoft Ninjitsu" training at Blackhat Vegas 2008.
There are also some other great NGS classes lead by world-class researchers and trainers available.

http://www.blackhat.com/html/bh-usa-08/train-bh-usa-08-tm-ms-bbe.html

From: listbounce@... [mailto:listbounce@...] On Behalf Of Faris Mlaeb
Sent: Thursday, June 26, 2008 9:25 AM
To: firewalls@...; Thor (Hammer of God)
Subject: RE: Help to remove blocking of MS outlook through ISA 2004

Hi
As it seem .. and even if he dont have Firewall Client installed, he should install it
I have Such a problem where client in my network have a problem can not connect to a POP3 Server using MS Outlook
I had Create a Rule that allow POP3 and also a Rule to Allow ALLOUTBOUND TRAFFIC From Internal To External To All Users, But as it seem that ISA Server is configured to Block the Connection for Outlook what ever the Portocol that is being sent to the external as its in ISA Server (( OutLook disable 1))
Anyway
As Qaisar Naseem says ((Even I created a firewall rule to allow all outbound traffic to external, but unable to solve the problem)), so it seem that enabling so will help
Anyway .. do you have a Better method for enabling this and Allowing the outlook to connect to the external without having to change it from ISA

Thanks alot

--- On Wed, 6/25/08, Thor (Hammer of God) <thor@...> wrote:

From: Thor (Hammer of God) <thor@...>
Subject: RE: Help to remove blocking of MS outlook through ISA 2004
To: firewalls@...
Date: Wednesday, June 25, 2008, 11:49 AM

A couple of things:

One, you don't know that he is running a firewall client. Secondly it is never recommended to just enable full access to an overall application when you can more finely restrict access based on protocol.   The client may simply be using POP3 -- it would be silly to just "allow Outlook" as an application to all of your firewall clients when you can just allow POP3 (or whatever it is) to only the clients that need it.

t

From: listbounce@... [mailto:listbounce@...] On Behalf Of Faris Mlaeb
Sent: Monday, June 23, 2008 2:20 PM
To: Thor (Hammer of God); Qaisar Naseem; firewalls@...
Subject: Re: Help to remove blocking of MS outlook through ISA 2004

HI

This is normal for ISA and you can fix this by going to:

Open the ISA Server Console and expand the Configuration, and select General, and then Click on "Define Firewall Client Settings", You will have a new Window for the "Firewall Client Settings"
Click on the Application Tab and from the list select Outlook
You will notice that its like this:
Outlook  Disable  1
change the value to be
Outlook  Disable  0

and on the Firewall client on the user PC make sure that you click on Detect Now Or simply restart your Computer

This work for me perfect

Have a nice time

Note that if the value is not present .. then simply create it

Faris Mlaeb

Technical Manager

Network Administrator

----- Original Message ----
From: Thor (Hammer of God) <thor@...>
To: Qaisar Naseem <qaisarn@...>; firewalls@...
Sent: Monday, June 23, 2008 5:33:33 PM
Subject: RE: Help to remove blocking of MS outlook through ISA 2004

What protocols are you using to connect to the server? I'm assuming you are talking about an internal Outlook client connecting to an external server. What kind of ISA client is the host? Are you using SNAT or FWC? A little infoz, please.

t

-----------

Check out Tim Mullen's "Microsoft Ninjitsu" training at Blackhat Vegas 2008.
There are also some other great NGS classes lead by world-class researchers and trainers available.

http://www.blackhat.com/html/bh-usa-08/train-bh-usa-08-tm-ms-bbe.html

From: listbounce@... [mailto:listbounce@...] On Behalf Of Qaisar Naseem
Sent: Friday, June 20, 2008 9:02 AM
To: firewalls@...
Subject: Help to remove blocking of MS outlook through ISA 2004

Hi,

I am using Windows server 2003 network with ISA 2004 as proxy. I am having problem in passing MS outlook requests. Even I created a firewall rule to allow all outbound traffic to external, but unable to solve the problem. Outlook configuration is quite OK as when I by pass proxy, it works fine.

--
Qaisar Naseem
Network Admin
Express News TV
+923457263848

RE: Help to remove blocking of MS outlook through ISA 2004

2008-06-26T09:25:21Z

Thanks alot

--- On Wed, 6/25/08, Thor (Hammer of God) <thor@...> wrote:

From: Thor (Hammer of God) <thor@...>
Subject: RE: Help to remove blocking of MS outlook through ISA 2004
To: firewalls@...
Date: Wednesday, June 25, 2008, 11:49 AM

A couple of things:

One, you don't know that he is running a firewall client. Secondly it is never recommended to just enable full access to an overall application when you can more finely restrict access based on protocol.   The client may simply be using POP3 -- it would be silly to just "allow Outlook" as an application to all of your firewall clients when you can just allow POP3 (or whatever it is) to only the clients that need it.

t

From: listbounce@... [mailto:listbounce@...] On Behalf Of Faris Mlaeb
Sent: Monday, June 23, 2008 2:20 PM
To: Thor (Hammer of God); Qaisar Naseem; firewalls@...
Subject: Re: Help to remove blocking of MS outlook through ISA 2004

HI

This is normal for ISA and you can fix this by going to:

Open the ISA Server Console and expand the Configuration, and select General, and then Click on "Define Firewall Client Settings", You will have a new Window for the "Firewall Client Settings"
Click on the Application Tab and from the list select Outlook
You will notice that its like this:
Outlook  Disable  1
change the value to be
Outlook  Disable  0

and on the Firewall client on the user PC make sure that you click on Detect Now Or simply restart your Computer

This work for me perfect

Have a nice time

Note that if the value is not present .. then simply create it

Faris Mlaeb

Technical Manager

Network Administrator

----- Original Message ----
From: Thor (Hammer of God) <thor@...>
To: Qaisar Naseem <qaisarn@...>; firewalls@...
Sent: Monday, June 23, 2008 5:33:33 PM
Subject: RE: Help to remove blocking of MS outlook through ISA 2004

What protocols are you using to connect to the server? I'm assuming you are talking about an internal Outlook client connecting to an external server. What kind of ISA client is the host? Are you using SNAT or FWC? A little infoz, please.

t

-----------

Check out Tim Mullen's "Microsoft Ninjitsu" training at Blackhat Vegas 2008.
There are also some other great NGS classes lead by world-class researchers and trainers available.

http://www.blackhat.com/html/bh-usa-08/train-bh-usa-08-tm-ms-bbe.html

From: listbounce@... [mailto:listbounce@...] On Behalf Of Qaisar Naseem
Sent: Friday, June 20, 2008 9:02 AM
To: firewalls@...
Subject: Help to remove blocking of MS outlook through ISA 2004

Hi,

I am using Windows server 2003 network with ISA 2004 as proxy. I am having problem in passing MS outlook requests. Even I created a firewall rule to allow all outbound traffic to external, but unable to solve the problem. Outlook configuration is quite OK as when I by pass proxy, it works fine.

--
Qaisar Naseem
Network Admin
Express News TV
+923457263848

Re: Recommendations

2008-06-25T22:59:14Z

HI,
From the problem you described, I find the customized accounting
program is the main issue. You may want to upgrade/re-develop the
program to make it charge by userid+source ip. If this will satisfy
your requirement, then it is not necessary to change the firewall.
Anyway if you change the firewall, I guess you still need to make
changes to the accounting program.

regards,
Rick

--
Information (In)Security @ Where It Matters - http://blog.rickzhong.com

On Thu, Jun 26, 2008 at 12:56 AM, Daniel Clemens
<daniel.clemens@...> wrote:

>
>
>
> On Jun 24, 2008, at 1:40 AM, Johann Spies wrote:
>
>> We have to either renew the licence on our Checkpoint Firewall-1 NG
>> (and upgrade it) or change to another software solution for our
>> firewall setup.
>
> I would upgrade. Keep things simple with what you already know.
>
>>
>>
>> Our approximately 25000 users pay for internet, some of them use a
>> pay-as-you-go-system. At the moment the accounting is done by custom
>> programs that reads the active connections in the FW-memory. We have
>> two problems with the present setup:
>>
>> 1. FW-1 does not connect the user and the traffic in memory or always
>> in the logs. Only the source IP. So it is impossible for us to
>> handle accounting for different users using the same IP.
>>
>> 2. FW-1 does not end active connections immediately after a user has
>> logged off.
>
>
> 1) What would be an acceptable connection teardown timeout value?
> 2) active connections will timeout or tear down within minutes of a
> connection.
>
>>
>> We are in a process of evaluating different options. One of them is
>> NuFw - an open source product.
>>
>> Any recommendations of other products you know of will be appreciated.
>>
>> Regards
>> Johann
>> --
>> Johann Spies Telefoon: 021-808 4036
>> Informasietegnologie, Universiteit van Stellenbosch
>>
>> "Children, obey your parents in the Lord: for this is
>> right." Ephesians 6:1
>>
>
>

RE: Help to remove blocking of MS outlook through ISA 2004

2008-06-25T11:49:47Z

A couple of things:

One, you don't know that he is running a firewall client. Secondly it is never recommended to just enable full access to an overall application when you can more finely restrict access based on protocol. The client may simply be using POP3 -- it would be silly to just "allow Outlook" as an application to all of your firewall clients when you can just allow POP3 (or whatever it is) to only the clients that need it.

From: listbounce@... [mailto:listbounce@...] On Behalf Of Faris Mlaeb
Sent: Monday, June 23, 2008 2:20 PM
To: Thor (Hammer of God); Qaisar Naseem; firewalls@...
Subject: Re: Help to remove blocking of MS outlook through ISA 2004

This is normal for ISA and you can fix this by going to:

and on the Firewall client on the user PC make sure that you click on Detect Now Or simply restart your Computer

This work for me perfect

Have a nice time

Note that if the value is not present .. then simply create it

Faris Mlaeb

Technical Manager

Network Administrator

-----------

Check out Tim Mullen's "Microsoft Ninjitsu" training at Blackhat Vegas 2008.
There are also some other great NGS classes lead by world-class researchers and trainers available.

http://www.blackhat.com/html/bh-usa-08/train-bh-usa-08-tm-ms-bbe.html

Hi,

Re: Recommendations

2008-06-25T09:56:54Z

On Jun 24, 2008, at 1:40 AM, Johann Spies wrote:

> We have to either renew the licence on our Checkpoint Firewall-1 NG
> (and upgrade it) or change to another software solution for our
> firewall setup.

I would upgrade. Keep things simple with what you already know.

>
>
> Our approximately 25000 users pay for internet, some of them use a
> pay-as-you-go-system. At the moment the accounting is done by custom
> programs that reads the active connections in the FW-memory. We have
> two problems with the present setup:
>
> 1. FW-1 does not connect the user and the traffic in memory or always
> in the logs. Only the source IP. So it is impossible for us to
> handle accounting for different users using the same IP.
>
> 2. FW-1 does not end active connections immediately after a user has
> logged off.

1) What would be an acceptable connection teardown timeout value?
2) active connections will timeout or tear down within minutes of a
connection.

>
> We are in a process of evaluating different options. One of them is
> NuFw - an open source product.
>
> Any recommendations of other products you know of will be appreciated.
>
> Regards
> Johann
> --
> Johann Spies Telefoon: 021-808 4036
> Informasietegnologie, Universiteit van Stellenbosch
>
> "Children, obey your parents in the Lord: for this is
> right." Ephesians 6:1
>

Re: Recommendations

2008-06-25T09:55:31Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi

~ How much of a turnkey solution are you looking for? If you have the
time to sit down do some development and integration than using PF on
OpenBSD would give you an awesome solution...
~ I don't think it will be a very big project, look at integrating
usernames/IP addresses (or anything else) with PF's anchors ...

- --
ttyl
Paolo

Johann Spies wrote:
| We have to either renew the licence on our Checkpoint Firewall-1 NG
| (and upgrade it) or change to another software solution for our
| firewall setup.
|
| Our approximately 25000 users pay for internet, some of them use a
| pay-as-you-go-system. At the moment the accounting is done by custom
| programs that reads the active connections in the FW-memory. We have
| two problems with the present setup:
|
| 1. FW-1 does not connect the user and the traffic in memory or always
| in the logs. Only the source IP. So it is impossible for us to
| handle accounting for different users using the same IP.
|
| 2. FW-1 does not end active connections immediately after a user has
| logged off.
|
| We are in a process of evaluating different options. One of them is
| NuFw - an open source product.
|
| Any recommendations of other products you know of will be appreciated.
|
| Regards
| Johann
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkhieIIACgkQRrCnED/jZ/h86ACfbhk082MPunvUCddSnayhzymV
qWEAoJKRe46OIK1l9fs6Hqnh+SMbsLVA
=EMSk
-----END PGP SIGNATURE-----

Recommendations

2008-06-23T23:40:43Z

We have to either renew the licence on our Checkpoint Firewall-1 NG
(and upgrade it) or change to another software solution for our
firewall setup.

Our approximately 25000 users pay for internet, some of them use a
pay-as-you-go-system. At the moment the accounting is done by custom
programs that reads the active connections in the FW-memory. We have
two problems with the present setup:

1. FW-1 does not connect the user and the traffic in memory or always
in the logs. Only the source IP. So it is impossible for us to
handle accounting for different users using the same IP.

2. FW-1 does not end active connections immediately after a user has
logged off.

We are in a process of evaluating different options. One of them is
NuFw - an open source product.

Any recommendations of other products you know of will be appreciated.

Regards
Johann
--
Johann Spies Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

"Children, obey your parents in the Lord: for this is
right." Ephesians 6:1

Re: Help to remove blocking of MS outlook through ISA 2004

2008-06-23T14:20:09Z

This is normal for ISA and you can fix this by going to:

and on the Firewall client on the user PC make sure that you click on Detect Now Or simply restart your Computer

This work for me perfect

Have a nice time

Note that if the value is not present .. then simply create it

Faris Mlaeb

Technical Manager

Network Administrator

-----------

Check out Tim Mullen's "Microsoft Ninjitsu" training at Blackhat Vegas 2008.
There are also some other great NGS classes lead by world-class researchers and trainers available.

http://www.blackhat.com/html/bh-usa-08/train-bh-usa-08-tm-ms-bbe.html

Hi,

RE: Help to remove blocking of MS outlook through ISA 2004

2008-06-23T07:33:33Z

-----------

Check out Tim Mullen's "Microsoft Ninjitsu" training at Blackhat Vegas 2008.
There are also some other great NGS classes lead by world-class researchers and trainers available.

http://www.blackhat.com/html/bh-usa-08/train-bh-usa-08-tm-ms-bbe.html

Hi,

Help to remove blocking of MS outlook through ISA 2004

2008-06-20T09:01:50Z

Hi,

Re: Can phase 2 proxy-id be modified on SonicWall VPN's?

2008-06-12T13:08:29Z

Hi,
I've run into, believe it or not, the exact same issue, to the letter. I was wondering if you had any luck, since this was so long ago.

RE: virtual firewalls -- compliance

2008-06-11T20:29:13Z

See "Santa Claus, Unicorns, and PCI Compliant Products"

There's no such thing as a "PCI Compliant" product (excepting PEDs).

Note: There is a "Listing of PCI Security Standards Council Approved PIN Entry Devices" at: https://www.pcisecuritystandards.org/pin/pedapprovallist.html_. The PED's are the only products to have PCI SSC approval.

Strange... A google search on " site:www.icsalabs.com PCI Stonesoft" gets nothing.

Stonesoft is ICSA labs certified - it is not a PCI compliant product as there is no such thing. ICSA is testing Web Application Firewalls for PCI-DSS standards compatibility - this is not the same thing.
http://www.icsalabs.com/icsa/topic.php?tid=8913$2e2258c8-68384de7$d1d5-02872c54

Notice that Stonesoft is not a WAF.

I do not even know of a PCI "Product capability assurance report" for stonesoft. If there is it is really new - that is after this email.

Next, Stonbesoft is ONLY ICSA certified in NAT mode and NOT bridge mode. If you read the report you will see: "The StoneGate was a router-based product that packet filtered network services inbound and outbound. While the Stonegate does supports an IP only bridging mode, the product was configured in NAT mode for inbound and outbound services "

On top of this, there are issues that have to be addressed when installing it to make it pass a PCI audit. In the ICSA test there where a number of issues that Stonesoft needed to fix:
"The following logging criteria violations were found by the Network Security Lab team during testing and addressed by Stonesoft Inc:
. The product did not log certain ICMP messages sent directly to or through it.
. The product did not log certain raw IP Protocols directed to or through it.
. The product allowed TCP packets inbound and outbound without a properly established TCP
. session for RSSP services.
. The product was susceptible to a variety of trivial Denial-of-Service attacks.
. The product incorrectly terminated TCP connections when sent spoofed/invalid RST packets."

So it is NOT PCI compliant. It may be setup within a control framework that could be PCI compliant, this is NOT the same thing.

Regards,
Craig Wright GSE

Craig Wright
Manager, Risk Advisory Services

Direct : +61 2 9286 5497
Craig.Wright@...
+61 417 683 914

BDO Kendalls (NSW-VIC) Pty. Ltd.
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
http://www.bdo.com.au/

The information in this email and any attachments is confidential. If you are not the named addressee you must not read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have received this message in error, please notify the sender by return email, destroy all copies and delete it from your system.

Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls. You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy statement, can be found on the BDO Kendalls website at http://www.bdo.com.au/ or by emailing mailto:administrator@....

BDO Kendalls is a national association of separate partnerships and entities. Liability limited by a scheme approved under Professional Standards Legislation.
-----Original Message-----

From: listbounce@... [mailto:listbounce@...] On Behalf Of styler
Sent: Wednesday, 11 June 2008 10:40 PM
To: firewalls@...
Subject: Re: virtual firewalls -- compliance

All,

Just wanted to throw this in - we're using a virtual firewall from Stonesoft
(see link) in our environment:

http://www.stonesoft.com/en/products_and_solutions/solutions/technology_solutions/virtual_environments/

It's been certified by ICSA labs as PCI compliant and multiple virtual
firewalls can be centrally managed. I've also heard that they're IPS
product will certified for use soon.

Sam
Firewall Administrator

Terry-7 wrote:

>
> Hello all,
>
> I am throwing around the idea of using linux firewalls in vmware for
> customer environments. The customers may or may not have
> HIPAA/PCI/sOX/etc requirements. This is in the planning stages. Any
> of you have experience heading down this route? PCIDSS doesn't
> explicitly state problems with virtual firewalls, it seems to focus on
> the logic of the rules.
>
> Thanks!
>
>

--
View this message in context: http://www.nabble.com/virtual-firewalls----compliance-tp17157866p17776593.html
Sent from the Firewall (securityfocus.com) mailing list archive at Nabble.com.

Re: virtual firewalls -- compliance

2008-06-11T05:40:11Z

All,

Just wanted to throw this in - we're using a virtual firewall from Stonesoft (see link) in our environment:

http://www.stonesoft.com/en/products_and_solutions/solutions/technology_solutions/virtual_environments/

It's been certified by ICSA labs as PCI compliant and multiple virtual firewalls can be centrally managed. I've also heard that they're IPS product will certified for use soon.

Sam
Firewall Administrator

Terry-7 wrote:

Hello all,

I am throwing around the idea of using linux firewalls in vmware for
customer environments. The customers may or may not have
HIPAA/PCI/sOX/etc requirements. This is in the planning stages. Any
of you have experience heading down this route? PCIDSS doesn't
explicitly state problems with virtual firewalls, it seems to focus on
the logic of the rules.

Thanks!

Which gateway solution to choose?

2008-06-10T16:40:32Z

Hi All,

We are in the process of reviewing our entire Security Gateway (3 Gateway Point)

We are trying to replace MailMarshal and N2H2 with a hardware base solution

Issues on

Primary

Email Filtering (Anti-Virus, Spam, Reporting etc)
Web Filtering
Hardware Base

Secondary

A Firewall, IDS, Proxy, NAC or a VPN included would be a bonus.

Below are the two products that we are reviewing at the moment

1. Sophos Enterprise Security & Control

Sophos PureMessage for Notes/Domino ES1000 (Hardware)
Sophos Web Application WS1000 (Hardware)
Sophos Integrated Network Access Control (NAC)
Sophos Enterprise Anti-virus & Client Firewall ( We are already using this product)

2. Smoothwall (Hardware)

Firewall
Web content Filtering
Email Security
VPN Gateway
Intrusion Detection (IDS)
Internal Firewall
Load Balancer

Please keep in mind with budget cost since the Sophos product is great, but it will cost us over $40K, where compare with SmoothWall $15K est

I would like to know from people's opinion on the products above, such as is advantages, disadvantages they've come across or any other products they can recommend as well.

Cheers

Re: virtual firewalls -- compliance

2008-05-20T15:19:35Z

One more note on this topic.

In doing some searches I found the following PCI discussion regarding
2.2.1 (single use of machine):
http://forum.aegenis.com/archive/index.php?t-61.html

I know this won't settle the argument :) but hopefully it will continue
the discussion (offline?) where people can determine what is needed to
accept virtualization for both firewalls and production servers in
compliant environments.

David

firewall configuration framework

2008-05-20T13:44:01Z

Dear friends,

in order to reduce some time settings network firewalls i wrote a
framework i would like your comments on. Of course, i did not to pass
the ideia of being a lazy professional, but there are settings all the
same everywhere. For instance, rule to prevent packets incoming with a
source address different from that of the interface network (IP
spoofing attack).

I am using openbsd, so for filter rules, the last match wins, for
packet rewrite (nat/rdr) the first match winds. Do you have any
suggestions on what i could improve. I am working on OpenBSD 4.3 and
here you got my /etc/pf.conf. Any another rule is loaded by usage of a
loaded externally, from a file.
I am providing /etc/pf.conf file and two other to be loaded with a
load firewall directive, they are: /etc/pf/feif and /etc/pf/fiif_0.

Any comments and suggestions are highly appreciated.

# /etc/pf.conf
#
# Macros
#
########

EIF = ""
IIF_0 = ""
IIF_1 = ""
IIF_2 = ""

########
#
# Tables
#
########

table <rfc1918> persist const { 10/8 172.16/12 192.168/16 }
table <net> persist { $IIF_0:network $IIF_1:network $IIF_2:network }
table <badhosts> persist

#########
#
# Options
#
#########

set loginterface $EIF
set skip on lo0
set debug misc
set state-policy if-bound
set block-policy return

#######################
#
# Traffic Normalization
#
#######################

scrub out on $EIF max-mss 1452

##########
#
# Queueing
#
##########

#############
#
# Translation (first match wins). Only appliable if $EIF is a public address.
#
#############

nat-anchor "ftp-proxy/*"

nat-anchor neif on $EIF
nat-anchor niif_0 on $IIF_0
nat-anchor niif_1 on $IIF_1
nat-anchor niif_2 on $IIF_2

rdr-anchor "ftp-proxy/*"

rdr-anchor reif on $EIF
rdr-anchor riif_0 on $IIF_0

rdr-anchor riif_1 on $IIF_1
rdr-anchor riif_2 on $IIF_2

##################
#
# Packet Filtering (last match wins)
#
##################

# let's block everything by default
block log all

anchor "ftp-proxy/*"

anchor feif on $EIF
anchor fiif_0 on $IIF_0
anchor fiif_1 on $IIF_1
anchor fiif_2 on $IIF_2

# default on loopback interface
block in log on !lo0 from (lo0:network)

# default on each internal interface (private address)
block in log on $IIF_0 from ($IIF_0:broadcast)
block in log on !$IIF_0 from ($IIF_0:network)
block in log on !$IIF_0 to ($IIF_0:broadcast)
block in log on $IIF_0 to 127/8 ! tagged RDR_0

block in log on $IIF_1 from ($IIF_1:broadcast)
block in log on !$IIF_1 from ($IIF_1:network)
block in log on !$IIF_1 to ($IIF_1:broadcast)
block in log on $IIF_1 to 127/8 ! tagged RDR_1

block in log on $IIF_2 from ($IIF_2:broadcast)
block in log on !$IIF_2 from ($IIF_2:network)
block in log on !$IIF_2 to ($IIF_2:broadcast)
block in log on $IIF_2 to 127/8 ! tagged RDR_2

# default on external interface (public address)
block in log on !$EIF from ($EIF)
block in log on $EIF to 127/8 ! tagged RDR

# default general rules
block in log from 255.255.255.255
block in log to 0/8

# /etc/pf/feif
#
# Macros
#
########

EIF = ""

# this host itself
pass in log to ($EIF) ! tagged RDR
pass out log from ($EIF) ! tagged NAT

pass out log proto tcp from ($EIF) to any port { www https } tagged NAT

# /etc/pf/fiif_0
#
# Macros
#
########

IIF_0 = ""

# this host itself
pass in log from ($IIF_0:network) to { ($IIF_0) ($IIF_0:broadcast) }
pass out log from ($IIF_0) to ($IIF_0:network)

pass in log proto tcp from ($IIF_0:network) to !($IIF_0) port { www https }
pass in log proto tcp from ($IIF_0:network) to (lo0:0) port 8021 tagged RDR_0

Re: virtual firewalls -- compliance

2008-05-20T06:23:54Z

I would disagree with the premise that virtual servers conflict with the
single function requirement because the function of a virtual server is
to provide virtualized servers and as such is a logical equivalent of
mainframe logical partitions (a less mature equivalent, but similar model).

Yes i will agree that current virtualization is nowhere as mature as
mainframe logical partitions. However giving the need and path the
technology is going those controls will advance to such a point that
virtualization will have similar acceptance as logical partitions
currently do.

I would also point out that you can get mainframe based virtualization
from IBM and that shared hosting and mainframe systems are able to be
meet the intent of PCI and other compliant requirements.

So i basically see the host virtualization server as having one primary
service which is to run controlled virtualized servers, each of those
virtual servers would then have its own host requirements.

For it to meet the various compliance requirements the host server will
need to have extensive controls to mitigate the risks inherent to
virtualization, but i believe that the intent of the control
requirements can be met with existing tools and technologies.

As for the exploits out there...there will always be exploits and the
cat-n-mouse game between hackers and IT personnel but there is also the
balance between security and cost. I know many readers of this list
subscribe to a zero tollerance policy, but not every ecommerce site is
going to spend 2000+ per month plus 50k in hardware to sell online.

In fact if we follow the model of single use and prior exploits people
would have to use dedicated equipment for: Firewalls, Load Balancers,
Switches, Routers, Web Servers, Database Servers, DNS servers, etc...
Just about everything in the past has had exploits, but does that mean
we can't use them in a compliant environment? Or does it mean that we
are unable to use them in a hosted environment? Does that mean that we
have to get rid of all mainframes if they are providing virtual
configurations or not the same function on all logical partitions? How
about databases? With the use of stored procedures databases are more
than storage repositories, they are actually part of the applications
that use them. If we have multiple applications, all doing extensive
stored procedures and application hooks, does that mean we can't use
them in a compliant environment because it is not single function or
that an exploit in one application could effect the others?

So what is the solution? Totally secure the environment to a point where
operations and security cost more than the environment brings in, or
find a combination of best practices that allows a business to hopefully
make more than it costs to operate.

From an assessors viewpoint, i do not think that anyone can say
virtualization is plug-n-play accepted it will come down to
configuration standards, expertise of the team, tools and techniques in
use and how the assessment of these controls goes (the same controls
could be in use in multiple companies, but the level of expertise of the
staff and the deployment and use of tools can vary widely).

Like it was said before, it will come to a judges ruling if there was
negligence or incompetence involved in a compromise. Just saying broadly
that there are risks and possible exploits for a system do not make
someone negligent in their duties by deploying such a system.

So how about instead of just dissing the idea and looking for why it
can't be done, we instead have a discussion on how did these other
technologies become accepted for hosting use and what will it take to
meet the intent of the compliance requirements.

Regards
David M. Zendzian

PS And yes I have a vested interest in this as I am a Managing Partner
with ZZ Servers, a Business Hosting provider that provides not only
virtual firewalls but also virtual servers that are commonly used in
combination with collocated and leased services. I also am QSA
certified and would rather spend my time working with partners on how to
best secure and understand their environment than tell them that they
"can't do that" and to just close up shop or go out & spend 100K for a
"Real" solution :-D

Craig Wright wrote:

> From a compliance perspective, separate devices is just that. It does not matter if virtual hosts do or do not work, the are the same device and thus are a single device with multiple purposes.
>
> Whether you can or if it will work is irrelevant. This is something where a breach is decided in court. As usch all that matters is how a judge will read this.
>
> Craig
>
>
> Craig Wright
> Manager, Risk Advisory Services
>
> Direct : +61 2 9286 5497
> Craig.Wright@...
> +61 417 683 914
>
> BDO Kendalls (NSW-VIC) Pty. Ltd.
> Level 19, 2 Market Street Sydney NSW 2000
> GPO BOX 2551 Sydney NSW 2001
> Fax +61 2 9993 9497
> http://www.bdo.com.au/
>
> The information in this email and any attachments is confidential. If you are not the named addressee you must not read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have received this message in error, please notify the sender by return email, destroy all copies and delete it from your system.
>
> Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls. You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy statement, can be found on the BDO Kendalls website at http://www.bdo.com.au/ or by emailing mailto:administrator@....
>
> BDO Kendalls is a national association of separate partnerships and entities. Liability limited by a scheme approved under Professional Standards Legislation.
> -----Original Message-----
>
> From: Dan Lynch [mailto:DLynch@...]
> Sent: Tuesday, 13 May 2008 2:53 AM
> To: Craig Wright; Terry; firewalls@...
> Subject: RE: virtual firewalls -- compliance
>
> I find this discussion interesting from a slightly different angle than
> the perspective of PCI or other standards compliance.
>
> I tend to agree with Craig's view that there is inadequate segregation
> between guests running on different VMs of the same host, whether they
> be application servers or virtualized security appliances. There are
> multiple demonstrated guest breakout techniques for nearly all
> virtualization technologies.
>
> Still, let me directly quote the supervisor of our Windows admin team:
>
>
>> "Department of Homeland Security and NSA have
>> certified the VMware virtual switch and OS as being
>> equivalent to physical separation."
>>
>
> He's referring to ESX3 -- the platform on which his group hopes to run
> multiple virtualized DMZ-based public Windows Server 2003 web servers,
> with the host OS directly connected to a private internal network. This
> is a strategy on which I requested comments from the list only a few
> weeks ago.
>
> Thoughts?
>
>
> Dan Lynch, CISSP
> Information Technology Analyst
> County of Placer
> Auburn, CA
>
>
>
>> -----Original Message-----
>> From: listbounce@...
>> [mailto:listbounce@...] On Behalf Of Craig Wright
>> Sent: Friday, May 09, 2008 4:51 PM
>> To: Terry; firewalls@...
>> Subject: RE: virtual firewalls -- compliance
>>
>>
>> PCI-DSS v1.1 states at 1.4
>> "Prohibit direct public access between external networks and
>> any system component that stores cardholder data"
>>
>> A virtual system is a direct access. You have trusted and
>> untrusted on the same component. HIPAA is worse. You have a
>> number of hosts at different levels shared. This is a law
>> suit waiting to occur.
>>
>> Other standards are the same. All I have to say is this is a
>> BAD idea. BAD!
>>
>> Regards,
>> Craig Wright (GSE-Compliance)
>>
>>
>> Craig Wright
>> Manager, Risk Advisory Services
>>
>> Direct : +61 2 9286 5497
>> Craig.Wright@...
>> +61 417 683 914
>>
>> BDO Kendalls (NSW-VIC) Pty. Ltd.
>> Level 19, 2 Market Street Sydney NSW 2000 GPO BOX 2551 Sydney
>> NSW 2001 Fax +61 2 9993 9497 http://www.bdo.com.au/
>>
>> The information in this email and any attachments is
>> confidential. If you are not the named addressee you must not
>> read, print, copy, distribute, or use in any way this
>> transmission or any information it contains. If you have
>> received this message in error, please notify the sender by
>> return email, destroy all copies and delete it from your system.
>>
>> Any views expressed in this message are those of the
>> individual sender and not necessarily endorsed by BDO
>> Kendalls. You may not rely on this message as advice unless
>> subsequently confirmed by fax or letter signed by a Partner
>> or Director of BDO Kendalls. It is your responsibility to
>> scan this communication and any files attached for computer
>> viruses and other defects. BDO Kendalls does not accept
>> liability for any loss or damage however caused which may
>> result from this communication or any files attached. A full
>> version of the BDO Kendalls disclaimer, and our Privacy
>> statement, can be found on the BDO Kendalls website at
>> http://www.bdo.com.au/ or by emailing mailto:administrator@....
>>
>> BDO Kendalls is a national association of separate
>> partnerships and entities. Liability limited by a scheme
>> approved under Professional Standards Legislation.
>> -----Original Message-----
>>
>> From: listbounce@...
>> [mailto:listbounce@...] On Behalf Of Terry
>> Sent: Friday, 9 May 2008 5:37 AM
>> To: firewalls@...
>> Subject: virtual firewalls -- compliance
>>
>> Hello all,
>>
>> I am throwing around the idea of using linux firewalls in
>> vmware for customer environments. The customers may or may
>> not have HIPAA/PCI/sOX/etc requirements. This is in the
>> planning stages. Any of you have experience heading down
>> this route? PCIDSS doesn't explicitly state problems with
>> virtual firewalls, it seems to focus on the logic of the rules.
>>
>> Thanks!
>>
>>
>>
>
>
>

Re: Cisco 501 Pix

2008-05-19T15:19:50Z

I have a similar setup except my setup looks like this:
cable modem --> pix --> wrt54gs.

My setup works very nicely. I had to do some routing because I have different subnets. You may need to put some routes on your Linksys (they don't route very well). It may not be a bad idea to switch them around (put the Pix behind the cable modem and put the Linksys hehind the Pix). Besides being the better first line of defense, the Pix will give you more control over your NATing or PATing and routing.

If everything works as it should, you'll see the right kind of traffic and be protected by 2 firewalls.

Re: virtual firewalls -- compliance

2008-05-12T22:25:41Z

On Thu, May 8, 2008 at 3:37 PM, Terry <td3201@...> wrote:
> Hello all,
>
> I am throwing around the idea of using linux firewalls in
> vmware for customer environments. The customers may or may
> not have
> HIPAA/PCI/sOX/etc requirements. This is in the planning
> stages. Any of you have experience heading down this route?
> PCIDSS doesn't explicitly state problems with virtual
> firewalls, it seems to focus on the logic of the rules.

<soap box>
Personally, I hate using specs to try and define the level of security.
They tend to reflect the lowest common denominator and motivate
organizations to "audit well" rather than perform a true risk analysis
and deploy a security solution which matches that business need.
</soap box>

The above specs are general enough that a pass/fail is going to depend
on who is doing the analysis. For example as you mentioned above,
section 1 of PCI does not define a required architecture for a firewall.
So if you are running virtual it's going to depend on the auditor's
interpretation of PCI as to whether you pass/fail. Of course these days
auditing is a commodity. If you don't like the results you get from one
auditor, simply bring in another. There is nothing in PCI that says you
can't do that. ;-)

I think the bigger question here is "Is vitalizing a perimeter device a
good idea for our environment?". It certainly has some pluses in that it
can reduce hardware costs and simplify management. I can see where
vitalization would be attractive to anyone selling a managed security
solution. This is why you are seeing companies like Fortinet, Juniper,
Cisco, Checkpoint, etc. moving their higher end products into this
arena.

When we start asking ourselves "is it safe?" however I think the answer
changes a bit. If I'm running two virtual firewalls for two different
clients, I'm relying on bug free software to maintain that separation.
Personally I have yet to see a single vendor prove they can write code
well enough for that.

In my travels I've seen clients get whacked because they have relied on
VLANs to segregate their DMZ and internal network (which can be argued
is a "virtual system" because its nothing more than multiple virtual
switches running on a single piece of hardware). So now let's move that
problematic technology to the underlying architecture of the firewall...
and what could possibly go wrong. ;-)

So the bottom line is I would rely on a risk assessment rather than a
specification to decide if it's a good idea. If from a business
perspective the benefits outweigh the potential security risks, you are
good to go. If you decide virtual systems introduces too much of a risk
exposure, avoid the implementation.

HTH,
Chris

RE: virtual firewalls -- compliance

2008-05-12T14:24:13Z

From a compliance perspective, separate devices is just that. It does not matter if virtual hosts do or do not work, the are the same device and thus are a single device with multiple purposes.

Whether you can or if it will work is irrelevant. This is something where a breach is decided in court. As usch all that matters is how a judge will read this.

Craig

Craig Wright
Manager, Risk Advisory Services

Direct : +61 2 9286 5497
Craig.Wright@...
+61 417 683 914

BDO Kendalls (NSW-VIC) Pty. Ltd.
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
http://www.bdo.com.au/

The information in this email and any attachments is confidential. If you are not the named addressee you must not read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have received this message in error, please notify the sender by return email, destroy all copies and delete it from your system.

Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls. You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy statement, can be found on the BDO Kendalls website at http://www.bdo.com.au/ or by emailing mailto:administrator@....

BDO Kendalls is a national association of separate partnerships and entities. Liability limited by a scheme approved under Professional Standards Legislation.
-----Original Message-----

From: Dan Lynch [mailto:DLynch@...]
Sent: Tuesday, 13 May 2008 2:53 AM
To: Craig Wright; Terry; firewalls@...
Subject: RE: virtual firewalls -- compliance

I find this discussion interesting from a slightly different angle than
the perspective of PCI or other standards compliance.

I tend to agree with Craig's view that there is inadequate segregation
between guests running on different VMs of the same host, whether they
be application servers or virtualized security appliances. There are
multiple demonstrated guest breakout techniques for nearly all
virtualization technologies.

Still, let me directly quote the supervisor of our Windows admin team:

>"Department of Homeland Security and NSA have
> certified the VMware virtual switch and OS as being
> equivalent to physical separation."

He's referring to ESX3 -- the platform on which his group hopes to run
multiple virtualized DMZ-based public Windows Server 2003 web servers,
with the host OS directly connected to a private internal network. This
is a strategy on which I requested comments from the list only a few
weeks ago.

Thoughts?

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA

> -----Original Message-----
> From: listbounce@...
> [mailto:listbounce@...] On Behalf Of Craig Wright
> Sent: Friday, May 09, 2008 4:51 PM
> To: Terry; firewalls@...
> Subject: RE: virtual firewalls -- compliance
>
>
> PCI-DSS v1.1 states at 1.4
> "Prohibit direct public access between external networks and
> any system component that stores cardholder data"
>
> A virtual system is a direct access. You have trusted and
> untrusted on the same component. HIPAA is worse. You have a
> number of hosts at different levels shared. This is a law
> suit waiting to occur.
>
> Other standards are the same. All I have to say is this is a
> BAD idea. BAD!
>
> Regards,
> Craig Wright (GSE-Compliance)
>
>
> Craig Wright
> Manager, Risk Advisory Services
>
> Direct : +61 2 9286 5497
> Craig.Wright@...
> +61 417 683 914
>
> BDO Kendalls (NSW-VIC) Pty. Ltd.
> Level 19, 2 Market Street Sydney NSW 2000 GPO BOX 2551 Sydney
> NSW 2001 Fax +61 2 9993 9497 http://www.bdo.com.au/
>
> The information in this email and any attachments is
> confidential. If you are not the named addressee you must not
> read, print, copy, distribute, or use in any way this
> transmission or any information it contains. If you have
> received this message in error, please notify the sender by
> return email, destroy all copies and delete it from your system.
>
> Any views expressed in this message are those of the
> individual sender and not necessarily endorsed by BDO
> Kendalls. You may not rely on this message as advice unless
> subsequently confirmed by fax or letter signed by a Partner
> or Director of BDO Kendalls. It is your responsibility to
> scan this communication and any files attached for computer
> viruses and other defects. BDO Kendalls does not accept
> liability for any loss or damage however caused which may
> result from this communication or any files attached. A full
> version of the BDO Kendalls disclaimer, and our Privacy
> statement, can be found on the BDO Kendalls website at
> http://www.bdo.com.au/ or by emailing mailto:administrator@....
>
> BDO Kendalls is a national association of separate
> partnerships and entities. Liability limited by a scheme
> approved under Professional Standards Legislation.
> -----Original Message-----
>
> From: listbounce@...
> [mailto:listbounce@...] On Behalf Of Terry
> Sent: Friday, 9 May 2008 5:37 AM
> To: firewalls@...
> Subject: virtual firewalls -- compliance
>
> Hello all,
>
> I am throwing around the idea of using linux firewalls in
> vmware for customer environments. The customers may or may
> not have HIPAA/PCI/sOX/etc requirements. This is in the
> planning stages. Any of you have experience heading down
> this route? PCIDSS doesn't explicitly state problems with
> virtual firewalls, it seems to focus on the logic of the rules.
>
> Thanks!
>
>

RE: virtual firewalls -- compliance

2008-05-12T09:53:01Z

I find this discussion interesting from a slightly different angle than
the perspective of PCI or other standards compliance.

I tend to agree with Craig's view that there is inadequate segregation
between guests running on different VMs of the same host, whether they
be application servers or virtualized security appliances. There are
multiple demonstrated guest breakout techniques for nearly all
virtualization technologies.

Still, let me directly quote the supervisor of our Windows admin team:

>"Department of Homeland Security and NSA have
> certified the VMware virtual switch and OS as being
> equivalent to physical separation."

He's referring to ESX3 -- the platform on which his group hopes to run
multiple virtualized DMZ-based public Windows Server 2003 web servers,
with the host OS directly connected to a private internal network. This
is a strategy on which I requested comments from the list only a few
weeks ago.

Thoughts?

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA

Re: virtual firewalls -- compliance

2008-05-12T00:37:18Z

Hi,

Are you a service provider trying to provide secure access to your
customers using a virtual firewall ?

If so, you need to consider the following:
- Whether to use OS-based virtualization (OpenVZ type) or
hyper-visor based virtualization ( Xen/VmWare type)
- performance implications of virtual firewalls. They tend to be
lower compared to physical devices due to binary
translation/instruction conversion.
- Usage of Intel-VT/AMD-V as underlying hardware
- inter-VM access control issues.

Thanks,
Babu

At 01:07 AM 5/9/2008, Terry wrote:

>Hello all,
>
>I am throwing around the idea of using linux firewalls in vmware for
>customer environments. The customers may or may not have
>HIPAA/PCI/sOX/etc requirements. This is in the planning stages. Any
>of you have experience heading down this route? PCIDSS doesn't
>explicitly state problems with virtual firewalls, it seems to focus on
>the logic of the rules.
>
>Thanks!

********************************************************************************
This email message (including any attachments) is for the sole use of the intended recipient(s)
and may contain confidential, proprietary and privileged information. Any unauthorized review,
use, disclosure or distribution is prohibited. If you are not the intended recipient,
please immediately notify the sender by reply email and destroy all copies of the original message.
Thank you.

Intoto Inc.

RE: virtual firewalls -- compliance

2008-05-11T12:39:02Z

Hi,
You do not need to specifically ban Something (Such as this).

Virtual hosts are ok as long as they are Single purpose devices.

PCI does not allow running dns and web on the Same Component -let alone separate Security Zones

So this is a big no no to which I would add the phrase "Contribitory Negligence" to any "Security professional" that Could even think of doing this.

Regards,
Craig Wright GSE-Compliance

Craig Wright
Manager, Risk Advisory Services

Direct : +61 2 9286 5497
Craig.Wright@...
+61 417 683 914

BDO Kendalls (NSW-VIC) Pty. Ltd.
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au<http://www.bdo.com.au/>

The information in this email and any attachments is confidential. If you are not the named addressee you must not read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have received this message in error, please notify the sender by return email, destroy all copies and delete it from your system.

Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls. You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy statement, can be found on the BDO Kendalls website at http://www.bdo.com.au<http://www.bdo.com.au/> or by emailing administrator@...<mailto:administrator@...>.

BDO Kendalls is a national association of separate partnerships and entities. Liability limited by a scheme approved under Professional Standards Legislation.

-----Original Message-----

From: "Erik Harrison" <eharrison@...>
To: "Terry" <td3201@...>
Cc: "firewalls@..." <firewalls@...>
Sent: 12/05/08 3:20 AM
Subject: Re: virtual firewalls -- compliance

That's an interesting problem. For PCI - at least in my interpretation (please correct me if you do these assessments for a living) - as long as the VM parent, or the linux VM children are not controlled or accessed by other customers and you as the provider (or whoever manages the box) adhere to the DSS requirements, it should audit well. It's about segregation, logical or physical, as long as a client doesnt have access to break out and tamper with config which could alter their segregation, I think it's fine.

Now, if you're going to host multiple customers behind those firewalls, you'll want to VLAN each of them and probably not share a netblock among them - again for isolation purposes.

But again.. I'm not specialized in this area. If you find the answer to this, please let me know. I'd love to get this straight as well.

On Thu, May 8, 2008 at 3:37 PM, Terry <td3201@...<mailto:td3201@...>> wrote:
Hello all,

I am throwing around the idea of using linux firewalls in vmware for
customer environments. The customers may or may not have
HIPAA/PCI/sOX/etc requirements. This is in the planning stages. Any
of you have experience heading down this route? PCIDSS doesn't
explicitly state problems with virtual firewalls, it seems to focus on
the logic of the rules.

Thanks!

Re: virtual firewalls -- compliance

2008-05-10T18:35:48Z

I've been thinking about this one for a while as I have both a hosting
service & do PCI work on an almost daily basis.

What I have come to conclude is that you will most likely want to put
your firewall devices (virtual or otherwise) on different physical
hardware from the other application servers you are running. You will
also want to be sure that the external firewall segments are plugged
into different switches from your internal segments (different physical
devices are better than VLANs)

Now you can set it up having your firewalls as just another virtual
machine, but life will be easier to show separation of duties, "one
primary use" (yes vmware/xen/etc will all have multiple servers
together, and it depends on the assessor validating your environment,
but I personally feel that firewall and networking devices are
definitely different functions that application/web/db/mail/... servers
and as such I recommend that firewall devices be on different physical
devices from your other application servers.

I would also like to point out that within the virtual host server, you
will find that both network & server requirements are both mixed
together as you are most likely brining multiple vlans into the host
server and then allocating access to each vlan (bridges under xen, etc)
to each virtual server. As such, you now have network & server
characteristics combined into a single device.

This will make it more difficult to show that each component is properly
configured, maintained & monitored. You will need to be sure to have all
of your documentation in order and use as many tools as possible to
standardize how each function is maintained and securely monitored.

Also, will the virtual host machine be maintained by the same core team
as the firewall / database / web / mail / etc services?

And you mentioned PCI doesn't specifically mention virtual firewalls,
that is true, but it does specify firewall/router/server configuration
standards, policies, change management, security monitoring and a host
of other requirements that will need to be met even if you have only one
customer needing to have compliant services.

Good luck
David M. Zendzian
Managing Partner
ZZ Servers, LLC: http://www.zzservers.com

PS you may want to consider other platforms if you are reselling
virtualization ;)

Terry wrote:

> Hello all,
>
> I am throwing around the idea of using linux firewalls in vmware for
> customer environments. The customers may or may not have
> HIPAA/PCI/sOX/etc requirements. This is in the planning stages. Any
> of you have experience heading down this route? PCIDSS doesn't
> explicitly state problems with virtual firewalls, it seems to focus on
> the logic of the rules.
>
> Thanks!
>
>

Re: virtual firewalls -- compliance

2008-05-10T16:18:45Z

That's an interesting problem. For PCI - at least in my interpretation (please correct me if you do these assessments for a living) - as long as the VM parent, or the linux VM children are not controlled or accessed by other customers and you as the provider (or whoever manages the box) adhere to the DSS requirements, it should audit well. It's about segregation, logical or physical, as long as a client doesnt have access to break out and tamper with config which could alter their segregation, I think it's fine.

Now, if you're going to host multiple customers behind those firewalls, you'll want to VLAN each of them and probably not share a netblock among them - again for isolation purposes.

But again.. I'm not specialized in this area. If you find the answer to this, please let me know. I'd love to get this straight as well.

On Thu, May 8, 2008 at 3:37 PM, Terry <td3201@...> wrote:

Hello all,

I am throwing around the idea of using linux firewalls in vmware for
customer environments. The customers may or may not have
HIPAA/PCI/sOX/etc requirements. This is in the planning stages. Any
of you have experience heading down this route? PCIDSS doesn't
explicitly state problems with virtual firewalls, it seems to focus on
the logic of the rules.

Thanks!

Re: virtual firewalls -- compliance

2008-05-10T07:08:37Z

I may be old fashioned, but for me (and the environment I admin) firewalls need to be dedicated systems, running on dedicated hardware with discreet physical network interfaces. While I'm all for virtualization of application servers, in a security role I can't support the concept of a security device sharing it's hardware with any other applications in a production environment, as the benefits (space, power, hvac, cost savings, etc) are outweighed by the additional possible attack vectors that would be introduced by the host system and neighboring VM's. Also, while I am not aware of any specific reference to this in the various regulatory requirements, one of the questions asked of me in a recent HIPAA audit was something to the effect of "do any of your network perimeter devices serve any purpose other than that of security and access control?"

Just my opinion though :-)

Cheers!

Ron

>>> Terry <td3201@...> 5/8/2008 3:37 PM >>>
Hello all,

I am throwing around the idea of using linux firewalls in vmware for
customer environments. The customers may or may not have
HIPAA/PCI/sOX/etc requirements. This is in the planning stages. Any
of you have experience heading down this route? PCIDSS doesn't
explicitly state problems with virtual firewalls, it seems to focus on
the logic of the rules.

Thanks!

CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the use of the intended recipient(s) only and may contain information that is privileged, confidential, and prohibited from unauthorized disclosure under applicable law. If you are not the intended recipient of this message, any dissemination, distribution, or copying of this message is strictly prohibited. If you received this message in error, please notify the sender by reply email and destroy all copies of the original message and attachments.

Re: virtual firewalls -- compliance

2008-05-10T07:02:59Z

Terry wrote:

> Hello all,
>
> I am throwing around the idea of using linux firewalls in vmware for
> customer environments. The customers may or may not have
> HIPAA/PCI/sOX/etc requirements. This is in the planning stages. Any
> of you have experience heading down this route? PCIDSS doesn't
> explicitly state problems with virtual firewalls, it seems to focus on
> the logic of the rules.
>
> Thanks!
>

I'm pretty sure that none of the aforementioned requirements explicitly
denies running your firewalls in virtualization. However, unless the
purpose of the firewall is strictly to manage the traffic in and out of
virtual servers on the same host the firewall is on, I would strongly
advocate not virtualizing your firewall.

Virtualization has obvious wonderful performance and cost benefits, but
placing your security devices into it has the potential to greatly
increase their exposure. There was an excellent presentation done at
last years SANSFire which demonstrated multiple ways to jump from a
virtual guest to the host...and therefore have the ability to do
anything you want to any guest on that system.

So unless this is for a lab environment, spend a few extra bucks and buy
hardware for your firewalls. You'll be glad you did.

Re: virtual firewalls -- compliance

2008-05-09T17:00:03Z

That is true that it doesn't say anything about whether the firewalls
need to be physical devices or not. The only thing I would be wary of
is what is coming down in the next version which is supposed to be out
in a couple of months.
On May 8, 2008, at 12:37 PM, Terry wrote:

> Hello all,
>
> I am throwing around the idea of using linux firewalls in vmware for
> customer environments. The customers may or may not have
> HIPAA/PCI/sOX/etc requirements. This is in the planning stages. Any
> of you have experience heading down this route? PCIDSS doesn't
> explicitly state problems with virtual firewalls, it seems to focus on
> the logic of the rules.
>
> Thanks!