tag:old.nabble.com,2006:forum-393Nabble - Firewall Discussions2009-12-15T04:01:40Ztag:old.nabble.com,2006:post-26797076Re: Analyzing a Cisco firewalls connection table2009-12-15T04:01:40Z2009-12-15T04:01:40ZTim EThanks for the Feedback Paul.<br><br>The binary only tool doesn't connect to a firewall at all. It requires no connection and can be ran 100% within a sandbox. It simply takes data from your firewall. I find that binaries tend to be more user friendly rather than saying install python, wx.python..etc.<br>
<br>But I do agree with you. This was a sneak peak that I wanted feedback on. I had always planned to make this open source much like my other project tpcat (a packet capture analyzer <a href="http://sourceforge.net/projects/tpcat/" target="_top" rel="nofollow">http://sourceforge.net/projects/tpcat/</a>)<br>
<br>Anyhoo. Updated binary and source available here:<br><a href="http://sourceforge.net/projects/ciscoconnection/" target="_top" rel="nofollow">http://sourceforge.net/projects/ciscoconnection/</a><br><br>It will run on all modern systems all you need to do is install python and wx.python. I've tested it on Windows/OSX/Linux. <br>
<br>Thanks again all. <br>-Tim Eberhard<br><br><div class="gmail_quote">On Mon, Dec 14, 2009 at 8:22 AM, Paul D. Robertson <span dir="ltr"><<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26797076&i=0" target="_top" rel="nofollow">paul@...</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="im">On Thu, 10 Dec 2009, Tim Eberhard wrote:<br>
<br>
> It is in .exe format and is completely virus free. It requires no internet<br>
> connection. Please give it a try and give me some feedback good/bad/ugly.<br>
> You can download a copy here: <a href="http://performanceclassifieds.net/CCA.rar" target="_blank" rel="nofollow">performanceclassifieds.net/CCA.rar</a><br>
<br>
</div>Feedback:<br>
<br>
1. I'm not sure how someone is supposed to evaluate a binary-only tool<br>
that wants to connect to their firewall- the potential for malice is<br>
large, and it's difficult to imagine someone with firewall issues setting<br>
up an appropriate sandbox.<br>
<br>
2. Why do people insist on archiving using rar instead of zip? I can't<br>
imagine letting a RAR file through a content filter, heck I don't even<br>
like to allow .zips!<br>
<br>
3. Windows-only tools aren't very useful to me (one of the reasons I'm<br>
moving away from firewalls like Watchguard that require a Windows box to<br>
administer.)<br>
<br>
Paul<br>
-----------------------------------------------------------------------------<br>
Paul D. Robertson "My statements in this message are personal opinions<br>
<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26797076&i=1" target="_top" rel="nofollow">paul@...</a> which may have no basis whatsoever in fact."<br>
Moderator: Firewall-Wizards mailing list<br>
Art: <a href="http://PaulDRobertson.imagekind.com/" target="_blank" rel="nofollow">http://PaulDRobertson.imagekind.com/</a><br>
<br>
_______________________________________________<br>
firewall-wizards mailing list<br>
<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26797076&i=2" target="_top" rel="nofollow">firewall-wizards@...</a><br>
<a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_blank" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br>
</blockquote></div><br>
<br />_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26797076&i=3" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26787484Re: Analyzing a Cisco firewalls connection table2009-12-14T15:20:57Z2009-12-14T15:20:57ZCarson GasparPaul D. Robertson wrote:
<br><br>> 2. Why do people insist on archiving using rar instead of zip? I can't
<br>> imagine letting a RAR file through a content filter, heck I don't even
<br>> like to allow .zips!
<br><br>RAR has a much better compression ration than ZIP. And _anything_ has to
<br>be better as a file format than ZIP is. I've written a ZIP file
<br>validation tool for use in email attachment scanning, and it isn't
<br>pretty (the filename is in 2 places - which do you use?). There are at
<br>least 2 corner cases where you can't reliably parse the ZIP file at all
<br>(Hint: _never_ put ZIP magic numbers inside comments if you want to get
<br>your data back...)
<br><br>Of course I haven't looked at RAR's file format, so it's possible that
<br>it's even worse. But that would take effort...
<br><br>--
<br>Carson
<br><br>_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26787484&i=0" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26778549Re: Analyzing a Cisco firewalls connection table2009-12-14T06:22:33Z2009-12-14T06:22:33ZPaul D. RobertsonOn Thu, 10 Dec 2009, Tim Eberhard wrote:
<br><br>> It is in .exe format and is completely virus free. It requires no internet
<br>> connection. Please give it a try and give me some feedback good/bad/ugly.
<br>> You can download a copy here: performanceclassifieds.net/CCA.rar
<br><br>Feedback:
<br><br>1. I'm not sure how someone is supposed to evaluate a binary-only tool
<br>that wants to connect to their firewall- the potential for malice is
<br>large, and it's difficult to imagine someone with firewall issues setting
<br>up an appropriate sandbox.
<br><br>2. Why do people insist on archiving using rar instead of zip? I can't
<br>imagine letting a RAR file through a content filter, heck I don't even
<br>like to allow .zips!
<br><br>3. Windows-only tools aren't very useful to me (one of the reasons I'm
<br>moving away from firewalls like Watchguard that require a Windows box to
<br>administer.)
<br><br>Paul
<br>-----------------------------------------------------------------------------
<br>Paul D. Robertson "My statements in this message are personal opinions
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26778549&i=0" target="_top" rel="nofollow">paul@...</a> which may have no basis whatsoever in fact."
<br> Moderator: Firewall-Wizards mailing list
<br> Art: <a href="http://PaulDRobertson.imagekind.com/" target="_top" rel="nofollow">http://PaulDRobertson.imagekind.com/</a><br><br>_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26778549&i=1" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26778401Related established connections, and hosts that utilize TCP syn cookies2009-12-11T10:14:18Z2009-12-11T10:14:18ZFW WIZ<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="ProgId" content="Word.Document"><meta name="Generator" content="Microsoft Word 12"><meta name="Originator" content="Microsoft Word 12"><link rel="File-List" href="file:///C:%5CDOCUME%7E1%5C548490%5CLOCALS%7E1%5CTemp%5Cmsohtmlclip1%5C01%5Cclip_filelist.xml"><link rel="themeData" href="file:///C:%5CDOCUME%7E1%5C548490%5CLOCALS%7E1%5CTemp%5Cmsohtmlclip1%5C01%5Cclip_themedata.thmx"><link rel="colorSchemeMapping" href="file:///C:%5CDOCUME%7E1%5C548490%5CLOCALS%7E1%5CTemp%5Cmsohtmlclip1%5C01%5Cclip_colorschememapping.xml">
<p class="MsoPlainText">My question is about tracking related, established
connections, and how they relate to client-server connections when the server
utilizes TCP SYN cookies</p>
<p class="MsoPlainText"> </p>
<p class="MsoPlainText">When a remote server is utilizing TCP syncookies in its
stack and a client makes the initial TCP connection, supplies the working
secret function, and receives the rebuilt SYN, where does the
connection originate from? Does this connection originate from the
server that replied to the initial connection request, or from the host that
sent the initial TCP SYN? </p>
<p class="MsoPlainText"> </p>
<p class="MsoPlainText">How is this interpreted by Netfilter when allowing, all
outbound traffic by default and when filtering outbound traffic by default but
allowing ingress and egress related established connections. </p>
<p class="MsoPlainText"> </p>
<p class="MsoPlainText">Is this treated as a related or an established
connection? Will the packet be allowed to traverse the filter if the
server is attempting to establish the connection with the originating
workstation? </p>
<p class="MsoPlainText"> </p>
<p class="MsoPlainText">If the connection is seen as having originated from the
server, will Netfilter determine that the connection did not originate from a
trusted interface, address, port, etc, and filter it?</p>
<p class="MsoPlainText"> </p>
<p class="MsoPlainText">Would it be better to create a rule with iptables to
track the connection, perform criteria checking, and match the outbound packet
with the incoming rebuilt connection from the server when it replies?</p>
<p class="MsoPlainText"> </p>
<p class="MsoPlainText">The results that I’m finding suggests that the connection
is considered to have originated from the workstation that sent the original
TCP SYN, making most of my other questions not applicable, but I wanted to get
insight from others here.</p>
<p class="MsoPlainText"> </p>
<p class="MsoPlainText">What are your thoughts?</p>
<br />_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26778401&i=0" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26778424Analyzing a Cisco firewalls connection table2009-12-10T16:50:39Z2009-12-10T16:50:39ZTim EAll,<br><br>After searching around for something to do this for me I ended up coming up short (I found one proof of concept that was old and I couldn't get to work) so I ended up writing one on my own.<br><br>Several years ago I did the same for Netscreen firewalls and I wrote a program called NSSA - Netscreen Session Analyzer. It's been used by people all over the world and people seem to get a lot of use out of it. <br>
<br>Given the success I had releasing NSSA I am also going to go ahead and release CCA - Cisco Connection Analyzer. This is a *very* beta release that I've honestly only tested on a single 5540 ASA running 7.2 code. Other hardware (Pix, FWSM..etc) and other versions of software MAY not work.. but I would love to hear if it doesn't so I can get it working.<br>
<br>I encourage you Cisco guys to check it out. There are some useful reports you can generate and better help you understand whats going through the firewall real time. We often use this to troubleshoot abnormal connection levels or high CPU. <br>
<br>It is in .exe format and is completely virus free. It requires no internet connection. Please give it a try and give me some feedback good/bad/ugly. You can download a copy here: <a href="http://performanceclassifieds.net/CCA.rar" target="_top" rel="nofollow">performanceclassifieds.net/CCA.rar</a><br>
<br>Thanks all,<br>-Tim Eberhard<br><br>Here is an example of the output:<br><br><br>Top 10 Source IP addresses:<br>Number of Connections - IP Address<br>4 - 192.141.224.77 (21.05 Percent) <br>1 - 192.236.83.33 (5.26 Percent) <br>
1 - 192.234.184.23 (5.26 Percent) <br>1 - 192.231.21.53 (5.26 Percent) <br>1 - 192.230.242.122 (5.26 Percent) <br>1 - 192.216.159.103 (5.26 Percent) <br>1 - 192.211.159.77 (5.26 Percent) <br>
1 - 192.196.151.143 (5.26 Percent) <br>1 - 192.174.95.192 (5.26 Percent) <br>1 - 192.151.229.169 (5.26 Percent) <br><br>Top 10 Destination IP addresses: <br>Number of Connections - IP Address<br>
5 - 90.80.240.218 (26.32 Percent) <br>5 - 90.80.225.61 (26.32 Percent) <br>2 - 90.80.246.64 (10.53 Percent) <br>2 - 90.80.240.217 (10.53 Percent) <br>1 - 90.80.246.96 (5.26 Percent) <br>
1 - 90.80.246.35 (5.26 Percent) <br>1 - 90.80.246.155 (5.26 Percent) <br>1 - 90.80.246.125 (5.26 Percent) <br>1 - 90.80.225.39 (5.26 Percent) <br><br>Top 10 Source Ports::<br>Number of Connections - Port - Possible Service<br>
6 - 8502 (Not listed) (31.58 Percent) <br>1 - 50001 (Not listed) (5.26 Percent) <br>1 - 3085 (pcihreq PCIHReq) (5.26 Percent) <br>1 - 3084 (itm-mccs ITM-MCCS) (5.26 Percent) <br>1 - 3080 (stm_pproc stm_pproc) (5.26 Percent) <br>
1 - 3062 (ncacn-ip-tcp ncacn-ip-tcp) (5.26 Percent) <br>1 - 25821 (Not listed) (5.26 Percent) <br>1 - 20595 (Not listed) (5.26 Percent) <br>1 - 1188 (hp-webadmin HP Web Admin) (5.26 Percent) <br>
1 - 1069 (cognex-insight COGNEX-INSIGHT) (5.26 Percent) <br><br>Top 10 Destination Ports: <br>Number of Connections - Port - Possible Service<br>7 - 80 (World Wide Web HTTP) (36.84 Percent) <br>5 - 4035 (wap-push-http WAP Push OTA-HTTP port) (26.32 Percent) <br>
2 - 49252 (Not listed) (10.53 Percent) <br>1 - 50000 (Not listed) (5.26 Percent) <br>1 - 49259 (Not listed) (5.26 Percent) <br>1 - 49258 (Not listed) (5.26 Percent) <br>1 - 49254 (Not listed) (5.26 Percent) <br>
1 - 49253 (Not listed) (5.26 Percent) <br><br>Top 10 Protocols Used: <br>Number of Connections - Protocols<br>12 - TCP (63.16 Percent) <br>7 - UDP (36.84 Percent) <br><br>Top 10 TCP Flag State: <br>Number of connections - TCP Flag <br>
12 - (Up) U (28.57 Percent) <br>12 - ( initial SYN from outside ) B (28.57 Percent) <br>5 - ( Outbound Data ) O (11.9 Percent) <br>5 - ( inbound data ) I (11.9 Percent) <br>4 - ( inside FIN ) f (9.52 Percent) <br>
2 - ( outside FIN ) F (4.76 Percent) <br>1 - ( inside acknowledged FIN ) r (2.38 Percent) <br>1 - ( outside acknowledged FIN ) R (2.38 Percent) <br><br>7 - UB <br>7 - - <br>1 - UfrIOB <br>1 - UfIOB <br>
1 - UfFRIOB <br>1 - UfFIOB <br>1 - UIOB <br><br>Top 10 Talkers by total bandwidth: <br><br>Source IP: 192.234.184.23 -- Destination IP: 90.80.240.218 <br>Bytes Transfered: 113952 Uptime: 20m19s -Bytes/sec: 93.48<br>
<br>Source IP: 11.181.137.65 -- Destination IP: 90.80.246.125 <br>Bytes Transfered: 38609 Uptime: 10m19s -Bytes/sec: 62.37<br><br>Source IP: 192.148.19.11 -- Destination IP: 90.80.246.64 <br>Bytes Transfered: 10994 Uptime: 46s -Bytes/sec: 239.0<br>
<br>Source IP: 192.141.224.77 -- Destination IP: 90.80.240.217 <br>Bytes Transfered: 6925 Uptime: 14m18s -Bytes/sec: 8.07<br><br>Source IP: 11.44.153.246 -- Destination IP: 90.80.240.218 <br>Bytes Transfered: 4590 Uptime: 1m5s -Bytes/sec: 70.62<br>
<br>Source IP: 192.151.229.169 -- Destination IP: 90.80.240.218 <br>Bytes Transfered: 3707 Uptime: 19s -Bytes/sec: 195.11<br><br>Source IP: 192.174.95.192 -- Destination IP: 90.80.246.96 <br>Bytes Transfered: 941 Uptime: 32s -Bytes/sec: 29.41<br>
<br>Source IP: 192.141.109.162 -- Destination IP: 90.80.246.35 <br>Bytes Transfered: 941 Uptime: 1m0s -Bytes/sec: 15.68<br><br>Source IP: 192.236.83.33 -- Destination IP: 90.80.225.39 <br>Bytes Transfered: 751 Uptime: 1m20s -Bytes/sec: 9.39<br>
<br>Source IP: 192.141.224.77 -- Destination IP: 90.80.225.61 <br>Bytes Transfered: 595 Uptime: 2m44s -Bytes/sec: 3.63<br><br><br>Top 10 Talkers by bytes a second: <br><br>Source IP: 192.148.19.11 -- Destination IP: 90.80.246.64 <br>
Bytes Transfered: 10994 Uptime: 46s -Bytes/sec: 239.0<br><br>Source IP: 192.151.229.169 -- Destination IP: 90.80.240.218 <br>Bytes Transfered: 3707 Uptime: 19s -Bytes/sec: 195.11<br><br>Source IP: 192.234.184.23 -- Destination IP: 90.80.240.218 <br>
Bytes Transfered: 113952 Uptime: 20m19s -Bytes/sec: 93.48<br><br>Source IP: 11.44.153.246 -- Destination IP: 90.80.240.218 <br>Bytes Transfered: 4590 Uptime: 1m5s -Bytes/sec: 70.62<br><br>Source IP: 11.181.137.65 -- Destination IP: 90.80.246.125 <br>
Bytes Transfered: 38609 Uptime: 10m19s -Bytes/sec: 62.37<br><br>Source IP: 192.174.95.192 -- Destination IP: 90.80.246.96 <br>Bytes Transfered: 941 Uptime: 32s -Bytes/sec: 29.41<br><br>Source IP: 192.141.109.162 -- Destination IP: 90.80.246.35 <br>
Bytes Transfered: 941 Uptime: 1m0s -Bytes/sec: 15.68<br><br>Source IP: 192.236.83.33 -- Destination IP: 90.80.225.39 <br>Bytes Transfered: 751 Uptime: 1m20s -Bytes/sec: 9.39<br><br>Source IP: 192.141.224.77 -- Destination IP: 90.80.240.217 <br>
Bytes Transfered: 6925 Uptime: 14m18s -Bytes/sec: 8.07<br><br>Source IP: 192.141.224.77 -- Destination IP: 90.80.225.61 <br>Bytes Transfered: 595 Uptime: 2m44s -Bytes/sec: 3.63<br><br><br><br><br>
<br />_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26778424&i=0" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26702784Re: Using linux firewalls for PCI compliant infrastructure2009-12-08T13:40:35Z2009-12-08T13:40:35ZJoe S-3On Thu, Nov 26, 2009 at 6:08 PM, Anton Chuvakin <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26702784&i=0" target="_top" rel="nofollow">anton@...</a>> wrote:
<br>> First things first: in PCI DSS, a firewall is a firewall is a
<br>> firewall. There is no preference to free or commercial ones. The only
<br>> criteria is "stateful" (somewhere in 1.1, if I recall correctly)
<br><br>If it blocks, it's a firewall. That's the goal, right?
<br><br>Keep it simple.
<br>_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26702784&i=1" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26541235Re: Using linux firewalls for PCI compliant infrastructure2009-11-26T18:08:21Z2009-11-26T18:08:21ZAnton Chuvakin> We are using linux-based servers as firewalls for PCI compliant
<br>> infrastructure. During audits it has been OK so far but security
<br>> people internally have suggested that maybe a commercial product would
<br>> be better suited for PCI infrastructure (as it is pretty critical).
<br><br>First things first: in PCI DSS, a firewall is a firewall is a
<br>firewall. There is no preference to free or commercial ones. The only
<br>criteria is "stateful" (somewhere in 1.1, if I recall correctly)
<br><br>> What do you think, would a commercial firewall provide a tangible
<br>> improvement in security?
<br><br>Too close to being a religious debate.
<br><br>> Is anyone else using linux-based firewalls for PCI (or otherwise
<br>> sensitive) infrastructure?
<br><br>Yes, I've seen people use iptables in 1.1 and in 1.4 (as personal firewall)
<br><br>--
<br>Dr. Anton Chuvakin
<br>Site: <a href="http://www.chuvakin.org" target="_top" rel="nofollow">http://www.chuvakin.org</a><br>Blog: <a href="http://www.securitywarrior.org" target="_top" rel="nofollow">http://www.securitywarrior.org</a><br>LinkedIn: <a href="http://www.linkedin.com/in/chuvakin" target="_top" rel="nofollow">http://www.linkedin.com/in/chuvakin</a><br>Twitter: @anton_chuvakin
<br>Google Voice: 510-771-7106
<br>_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26541235&i=0" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26541224Re: Message Labs2009-11-26T16:01:43Z2009-11-26T16:01:43ZA-47Then you have probably correctly set it up, or, you have just allowed all SMTP traffic at your gateway.<br><br>Found the pdf from MessageLabs:<br><br><a href="http://images.messagelabs.com/EmailResources/ImplementationGuides/Subnet_IP.pdf" target="_top" rel="nofollow">http://images.messagelabs.com/EmailResources/ImplementationGuides/Subnet_IP.pdf</a><br>
<br>Think about it, in order to filter your email, you must change your MX records to direct inbound mail to MessageLabs, they in turn forward it (after processing/filtering/recording/archiving.. whatever else you pay them to do) to you. In order to maximise the functionality, and get the most for your dollar, it is a good idea to stop anyone else from being able to bypass this process by allowing them to send mail directly to your server.<br>
<br>The guide lists the IP ranges that you should accept email from, and, in your email from MessageLabs, you would have received an IP or domain address to forward outbound mail to. This should also be locked down at your gateway so your users (should they become infected or malicious), can't spam others abusing your good online name.<br>
<br clear="all">A<br><br>\ /<br>Putting the F in BOFH!<br>
<br><br><div class="gmail_quote">2009/11/16 shane brennan <span dir="ltr"><<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26541224&i=0" target="_top" rel="nofollow">wiserwaylander@...</a>></span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi<br>
<br>
We use it in work. havent received any notification like that<br>
<font color="#888888"><br>
Shane<br>
</font><div><div></div><div class="h5"><br>
<br>
On Tue, Nov 10, 2009 at 9:06 PM, Brian Loe <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26541224&i=1" target="_top" rel="nofollow">knobdy@...</a>> wrote:<br>
> Anyone here using message labs? Have you received notice that you MUST<br>
> open up your firewall for 8 or so networks?<br>
> _______________________________________________<br>
> firewall-wizards mailing list<br>
> <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26541224&i=2" target="_top" rel="nofollow">firewall-wizards@...</a><br>
> <a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_blank" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br>
><br>
_______________________________________________<br>
firewall-wizards mailing list<br>
<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26541224&i=3" target="_top" rel="nofollow">firewall-wizards@...</a><br>
<a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_blank" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br>
</div></div></blockquote></div><br>
<br />_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26541224&i=4" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26541209Re: Using linux firewalls for PCI compliant infrastructure2009-11-26T11:22:24Z2009-11-26T11:22:24ZKurt BuffOn Tue, Nov 24, 2009 at 14:37, Siim Põder <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26541209&i=0" target="_top" rel="nofollow">siim@...</a>> wrote:
<div class='shrinkable-quote'><br>> Hi
<br>>
<br>> We are using linux-based servers as firewalls for PCI compliant
<br>> infrastructure. During audits it has been OK so far but security
<br>> people internally have suggested that maybe a commercial product would
<br>> be better suited for PCI infrastructure (as it is pretty critical).
<br>>
<br>> I'm personally very happy with the iptables firewalls - we can use all
<br>> the standard components for firewalls that we use for everything else
<br>> (including standard administration methods, patching and so forth).
<br>>
<br>> What do you think, would a commercial firewall provide a tangible
<br>> improvement in security?
<br>> Is anyone else using linux-based firewalls for PCI (or otherwise
<br>> sensitive) infrastructure?
<br>>
<br>> Thanks,
<br>> Siim
</div><br>Following on from a couple of other posts, you could potentially use
<br>fwbuilder (<a href="http://www.fwbuilder.org/" target="_top" rel="nofollow">http://www.fwbuilder.org/</a>) as a front end, and argue that
<br>the results are equivalent to some number of commercial offerings, for
<br>which fwbuilder makes equivalent configurations.
<br><br>Kurt
<br>_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26541209&i=1" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26524687Re: Using linux firewalls for PCI compliant infrastructure2009-11-25T16:05:49Z2009-11-25T16:05:49ZSkip CarterOn Wed, 25 Nov 2009 00:37:07 +0200
<br>Siim Põder <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26524687&i=0" target="_top" rel="nofollow">siim@...</a>> wrote:
<br><div class='shrinkable-quote'><br>>
<br>> We are using linux-based servers as firewalls for PCI compliant
<br>> infrastructure. During audits it has been OK so far but security
<br>> people internally have suggested that maybe a commercial product would
<br>> be better suited for PCI infrastructure (as it is pretty critical).
<br>>
<br>> I'm personally very happy with the iptables firewalls - we can use all
<br>> the standard components for firewalls that we use for everything else
<br>> (including standard administration methods, patching and so forth).
<br>>
<br>> What do you think, would a commercial firewall provide a tangible
<br>> improvement in security?
<br>> Is anyone else using linux-based firewalls for PCI (or otherwise
<br>> sensitive) infrastructure?
</div><br>You could have your cake and eat it too by purchasing a shrink-wrap
<br>Linux firewall. I have a client that had a regulatory requirement
<br>to use an ICSA certified firewall and was able to satisfy that
<br>requirement with one of those commercial Linux firewalls.
<br><br><br>--
<br> Dr. Everett (Skip) Carter Phone: 831-641-0645 FAX: 831-641-0647
<br> Taygeta Scientific Inc. e-mail: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26524687&i=1" target="_top" rel="nofollow">skip@...</a>
<br> 1340 Munras Ave., Suite 314 WWW: <a href="http://www.taygeta.com" target="_top" rel="nofollow">http://www.taygeta.com</a><br> Monterey, CA. 93940
<br><br><br><br><br><br><br><br><br><br>_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26524687&i=2" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26518752Re: Using linux firewalls for PCI compliant infrastructure2009-11-25T07:40:04Z2009-11-25T07:40:04ZMarcin Antkiewicz>> I am. For PCI. No problem. Did the people who suggested something
<br>>> commercial provide any good quantifiable reasons or was it simply
<br>>> cargo-cult network security?
<br><br>It's not cargo cult or, at least, it does not have to be. Commercial solutions
<br>are normalized, or at least appear as such to the general population, such as
<br>your auditors. From your perspective it might, rightfully, seem like a misplaced
<br>effort, while the security folks could report to many masters and have another
<br>set of requirements (cost of compliance vs. your more technical metrics).
<br><br>Before I get shot: I am not arguing that the audit score is a measure
<br>of security.
<br><br>My wild guess is that your security folks believe that a WAF, or
<br>whatever they want
<br>to put in, would make the auditors happy, therefore it would address one of the
<br>risks they are facing. On technical field, WAFs are double edged sword and
<br>lure people into a band-aid treadmill, where they fix countless symptoms
<br>(XSS patches) rather than the often dangerous and hard to address
<br>disease (SDLC).
<br><br>At the same time, the audit risk is far more tangible and predictable
<br>than whatever
<br>might happen due to scraping your custom system in favor of buying
<br>some off-the-shelf
<br>wonder. I would call this a substandard risk management, but many
<br>companies seems
<br>to thrive on such approach....
<br><br>Again, just playing the devil's advocate here.
<br><br>--
<br>Marcin Antkiewicz
<br>_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26518752&i=0" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26518744Re: Using linux firewalls for PCI compliant infrastructure2009-11-25T05:41:06Z2009-11-25T05:41:06ZVictor Williams-3I generally believe that is due to lack of knowledge. If the knowledge of the solution rests in you alone, and you quit, get hit by a truck, get swine flu and are out of commission, etc, then they have no one to go back and get support from other than you and whatever they can find on the iptables website or some other Google search. Most management want a very defined support structure in place.<br>
<br>I am in the weird position of being a manager/director, but also being a person that has to do hands-on upkeep of the systems I oversee management and security of. I could have rolled my own solution from the top down...from "stateful firewall" to "application firewall" to load balancer, etc. I opted for all relatively well-known solutions (some retail, some open source)because if I decided to leave the organization, they wouldn't be stuck.<br>
<br>The few managers above me were generally more tuned in to spending dollars on solutions with a commercial support structure vs spending time on a free solution that required them to have a RHCE or other Linux guru on hand to figure out.<br>
<br>That all being said, I don't see an overall difference in the quality of products in what you're using vs others that are commercial. There are open source ways to do everything you need (where PCI is concerned) from the edge all the way back to the core router/switch. It's just a matter of risk in my opinion. The risk isn't really in what you're using...it's if all of that knowledge rests in one place and could be unavailable to the rest of the organization if one person left...at least that's what I'd be thinking about from a management perspective.<br>
<br>In the organization I work in (online retailer), we've implemented a mix, based on which product(s) were the most widely and easily supported. DNS, SFTP/FTPS, PKI, Firewalls, load-balancers, web, etc. Some of them are open source solutions, some are proprietary/retail, based on risk and knowledge of on-hand stuff. I don't see any of them as better/worse. The main question asked was, "Do we have the personnel on staff to keep this infrastructure up-to-date and running in an optimal manner?"<br>
<br>You should make the worriers aware that a bunch of commercial vendors are using open source products in their offerings. If they modify the open source, it's going back to the community (it's supposed to), in which case it's going to be available to everyone else (it should be).<br>
<br><br><div class="gmail_quote">On Wed, Nov 25, 2009 at 1:39 AM, Siim Põder <span dir="ltr"><<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26518744&i=0" target="_top" rel="nofollow">siim@...</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi<br>
<div class="im"><br>
Tracy Reed wrote:<br>
> I am. For PCI. No problem. Did the people who suggested something<br>
> commercial provide any good quantifiable reasons or was it simply<br>
> cargo-cult network security?<br>
<br>
</div>IMO, mostly the latter (the cargo cult one):<br>
1) Commercial vendors are sometimes certified to be secure<br>
2) Lot's of people are using commercial firewalls for critical<br>
infrastructure and hence they are better tested<br>
3) Commercial vendor can be pushed to produce patches for problems<br>
<br>
We currently have iptables on central firewalls and mod_security doing<br>
application level filtering on webservers themselves. It was suggested<br>
that a firewall doing SSL termination and content inspection would be<br>
better because it would have better application-level rulesets<br>
(namely, protection from common DOS bots was mentioned).<br>
<br>
Generally, I dont think they make a very good case. However, I<br>
promised to ask if there are any other shops using open source<br>
firewalls out there. Maybe they are just worried to be on the boat<br>
alone :)<br>
<br>
Thanks for your comments!<br>
<div><div></div><div class="h5"><br>
Siim<br>
_______________________________________________<br>
firewall-wizards mailing list<br>
<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26518744&i=1" target="_top" rel="nofollow">firewall-wizards@...</a><br>
<a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_blank" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br>
</div></div></blockquote></div><br>
<br />_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26518744&i=2" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26512521Re: Using linux firewalls for PCI compliant infrastructure2009-11-24T23:39:01Z2009-11-24T23:39:01ZSiim Põder-3Hi
<br><br>Tracy Reed wrote:
<br>> I am. For PCI. No problem. Did the people who suggested something
<br>> commercial provide any good quantifiable reasons or was it simply
<br>> cargo-cult network security?
<br><br>IMO, mostly the latter (the cargo cult one):
<br>1) Commercial vendors are sometimes certified to be secure
<br>2) Lot's of people are using commercial firewalls for critical
<br>infrastructure and hence they are better tested
<br>3) Commercial vendor can be pushed to produce patches for problems
<br><br>We currently have iptables on central firewalls and mod_security doing
<br>application level filtering on webservers themselves. It was suggested
<br>that a firewall doing SSL termination and content inspection would be
<br>better because it would have better application-level rulesets
<br>(namely, protection from common DOS bots was mentioned).
<br><br>Generally, I dont think they make a very good case. However, I
<br>promised to ask if there are any other shops using open source
<br>firewalls out there. Maybe they are just worried to be on the boat
<br>alone :)
<br><br>Thanks for your comments!
<br><br>Siim
<br>_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26512521&i=0" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26505486Re: Using linux firewalls for PCI compliant infrastructure2009-11-24T16:09:26Z2009-11-24T16:09:26ZPaul D. RobertsonOn Wed, 25 Nov 2009, Siim Põder wrote:
<br><br>> Hi
<br>>
<br>> We are using linux-based servers as firewalls for PCI compliant
<br>> infrastructure. During audits it has been OK so far but security
<br>> people internally have suggested that maybe a commercial product would
<br>> be better suited for PCI infrastructure (as it is pretty critical).
<br><br>Have them articulate *why* they think it would be better-suited in terms
<br>of the DSS standard. Have them articulate what security features they
<br>think are missing in your current infrastructure, then you can make an
<br>informed analysis of how to implement those features (be it with Linux or
<br>what have you.) The term "commercial firewall" still probably encompasses
<br>over a hundred devices from I dunno- more than fifty vendors- so how
<br>anyone who's got any clue about security can make that an argument without
<br>detail is beyond me. If they're just looking to spend money, I'd be happy
<br>to do a security review! ;)
<br><br>> What do you think, would a commercial firewall provide a tangible
<br>> improvement in security?
<br><br>The security policy instituted by the firewall is the biggest thing that
<br>impacts security. Second is the layers you're doing security at, but then
<br>you have to do apples-to-apples comparisons, and fewer and fewer products
<br>are doing high-level filtering that's meaningful these days. Finally,
<br>many commercial firewalls are fancy VPN management interfaces and GUIs
<br>over Linux systems. But first of all, you need to decide what your policy
<br>is, what protections it provides and what your largest threats are, then
<br>you need to apply that to the PCI-DSS standard and see where you're at.
<br>Every time I do it, I find that I'm much better off spending time on OSSEC
<br>on my PCI-compliant hosts than firewall rules.
<br><br>> Is anyone else using linux-based firewalls for PCI (or otherwise > sensitive)
<br>> infrastructure?
<br>>
<br><br>Yes, lots of people are.
<br><br>Paul
<br>-----------------------------------------------------------------------------
<br>Paul D. Robertson "My statements in this message are personal opinions
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26505486&i=0" target="_top" rel="nofollow">paul@...</a> which may have no basis whatsoever in fact."
<br> Moderator: Firewall-Wizards mailing list
<br> Art: <a href="http://PaulDRobertson.imagekind.com/" target="_top" rel="nofollow">http://PaulDRobertson.imagekind.com/</a><br><br>_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26505486&i=1" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26505500Re: Using linux firewalls for PCI compliant infrastructure2009-11-24T16:03:40Z2009-11-24T16:03:40ZTracy Reed-3On Wed, Nov 25, 2009 at 12:37:07AM +0200, Siim Põder spake thusly:
<br>> Is anyone else using linux-based firewalls for PCI (or otherwise
<br>> sensitive) infrastructure?
<br><br>I am. For PCI. No problem. Did the people who suggested something
<br>commercial provide any good quantifiable reasons or was it simply
<br>cargo-cult network security?
<br><br>--
<br>Tracy Reed
<br><a href="http://tracyreed.org" target="_top" rel="nofollow">http://tracyreed.org</a><br><br /> <br />_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26505500&i=0" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><div class="small"><br/><img src="http://old.nabble.com/images/icon_attachment.gif" > <strong>attachment0</strong> (196 bytes) <a href="http://old.nabble.com/attachment/26505500/0/attachment0" target="_top">Download Attachment</a></div><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26505420Using linux firewalls for PCI compliant infrastructure2009-11-24T14:37:07Z2009-11-24T14:37:07ZSiim Põder-3Hi
<br><br>We are using linux-based servers as firewalls for PCI compliant
<br>infrastructure. During audits it has been OK so far but security
<br>people internally have suggested that maybe a commercial product would
<br>be better suited for PCI infrastructure (as it is pretty critical).
<br><br>I'm personally very happy with the iptables firewalls - we can use all
<br>the standard components for firewalls that we use for everything else
<br>(including standard administration methods, patching and so forth).
<br><br>What do you think, would a commercial firewall provide a tangible
<br>improvement in security?
<br>Is anyone else using linux-based firewalls for PCI (or otherwise
<br>sensitive) infrastructure?
<br><br>Thanks,
<br>Siim
<br>_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26505420&i=0" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26395321Re: Message Labs2009-11-16T02:36:52Z2009-11-16T02:36:52ZA-47Yeah, its if you are using their mail-filtering service, for them to
<br>be able to send you mail you have to allow the ip ranges.
<br><br>Most people will lock down the router to only accept email from the
<br>hosted security provider.. to reduce spam.
<br><br>Aaron
<br><br>\ /
<br>Putting the F in BOFH!
<br><br><br><br>2009/11/11 Brian Loe <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26395321&i=0" target="_top" rel="nofollow">knobdy@...</a>>:
<br>> Anyone here using message labs? Have you received notice that you MUST
<br>> open up your firewall for 8 or so networks?
<br>> _______________________________________________
<br>> firewall-wizards mailing list
<br>> <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26395321&i=1" target="_top" rel="nofollow">firewall-wizards@...</a>
<br>> <a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br>>
<br>_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26395321&i=2" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26395308Re: port scanning activity going up recently?2009-11-15T14:11:35Z2009-11-15T14:11:35ZNate Itkin-3<br>-----BEGIN PGP SIGNED MESSAGE-----
<br>Hash: SHA256
<br><br>Overall illicit activity looks to be down slightly.
<br>see: <a href="http://www.dshield.org/submissions.html" target="_top" rel="nofollow">http://www.dshield.org/submissions.html</a> (select sources, targets,
<br>and reports for 2009)
<br><br>Cheers,
<br>Nate Itkin
<br><br>On Fri, Nov 13, 2009 at 12:16:21PM -0500, Ken Fox wrote:
<div class='shrinkable-quote'><br>> Hi all -
<br>> Has anyone else noticed a recent spike in port scan activity over the last
<br>> few days?
<br>> I've been seeing some interesting traffic where multiple source addresses
<br>> are probing a number of the same high order destination ports from a small
<br>> set of source ports with a number of different but specific packet sizes.
<br>> e.g.: source port 3268 -> dest port 50572 packet size 48, 60, 64, and 52
<br>> egg: source port 3268 -> dest port 50592 packet size 48, 60, 64, and 52
<br>> Is there some botnet out there that I haven't heard about?
<br>> thanks -- ken
</div><br><br>-----BEGIN PGP SIGNATURE-----
<br>Version: GnuPG v1.4.6 (GNU/Linux)
<br><br>iQEVAwUBSwB6mjCWEYiadXeZAQiI/Qf/YcDpdRG9QKfHxrQV7nKrLx9DUUuKhEA6
<br>mHLrtmmTQwtbJARIlErtdgal9EuJxGFnrAAKWYaPjaIUDj/21AZ03x06pRX6tKWD
<br>LNLm0jOPZZBom4rnMyssDQ96tqN/9pnrLHEd8wr6D3DzgT0X33KifDKEkhgv40l8
<br>Q4jhvJBGrgZcqPPCH7MMGhLX7qVYNWLDAyIf11uROlb8FRiRlW7Qholn4Baor40/
<br>tEB6SuuFh7SoH76My2rCv94Co62Q7NqT9tMZrBf8jzeeG/SveUv6ymhORX75XLZi
<br>KEXPTjj0G+1tiQYdkXLBIK75xta9V0fdc9UEf8OCMJHO3/bvMbfK0g==
<br>=u9Ix
<br>-----END PGP SIGNATURE-----
<br>_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26395308&i=0" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26395284Re: Message Labs2009-11-15T06:18:09Z2009-11-15T06:18:09Zshane brennan-2Hi
<br><br>We use it in work. havent received any notification like that
<br><br>Shane
<br><br><br>On Tue, Nov 10, 2009 at 9:06 PM, Brian Loe <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26395284&i=0" target="_top" rel="nofollow">knobdy@...</a>> wrote:
<br>> Anyone here using message labs? Have you received notice that you MUST
<br>> open up your firewall for 8 or so networks?
<br>> _______________________________________________
<br>> firewall-wizards mailing list
<br>> <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26395284&i=1" target="_top" rel="nofollow">firewall-wizards@...</a>
<br>> <a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br>>
<br>_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26395284&i=2" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26359507Re: Network design change2009-11-14T04:00:41Z2009-11-14T04:00:41ZSai-5not good from a security point of view. <br><br>I would prefer to connect the routers, at the internet cloud level not the DMZ level. I'd have the 2 core switches connected as you have.<br><br>2 reasons:<br>[1] gives me redundant internet connectivity in case one of the isps goes down (assuming multiple isps and routing that can handle one link going down)<br>
[2] the DMZs should be separate. the more segments you have the better. connecting the 2 at switch level gives you just one DMZ. my way, the replication connection has to go through firewalls (which might be a problem if you have low end firewalls) but so does the attacker (and remember that the dmz is there because the attacker is going to get there some day).<br>
<br>sai<br><br><br><div class="gmail_quote">On Tue, Nov 10, 2009 at 8:58 PM, shadow floating <span dir="ltr"><<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26359507&i=0" target="_top" rel="nofollow">nadengine@...</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi All,<br>
My company has two sites in to 2 different locations that are<br>
connected via high speed link at the core layer ( I've attached a<br>
link to the diagram :<br>
<a href="http://img18.imageshack.us/img18/77/questionhk.jpg" target="_blank" rel="nofollow">http://img18.imageshack.us/img18/77/questionhk.jpg</a> for ease of<br>
explanation)<br>
in each site I've 1 DMZ , the network team wants to connect the DMZ<br>
switches in both sites for better performance and "security" - the<br>
link under investigation is shown in red in the picture - via high<br>
speed link without passing at all by the core network layer, as they<br>
say that will aid more in the replication between server A and backup<br>
server A in the DMZs and also this will help if any of the 2 firewalls<br>
had failure to access both DMZs from any firewall.<br>
Is that better from security point of view?<br>
<br>
appreciating your great help and advice<br>
thanks alot<br>
<br>
Regards,<br>
Nad<br>
_______________________________________________<br>
firewall-wizards mailing list<br>
<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26359507&i=1" target="_top" rel="nofollow">firewall-wizards@...</a><br>
<a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_blank" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br>
</blockquote></div><br>
<br />_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26359507&i=2" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26359456port scanning activity going up recently?2009-11-13T09:16:21Z2009-11-13T09:16:21ZKen FoxHi all -
<br><br> Has anyone else noticed a recent spike in port scan activity over the last
<br>few days?
<br><br> I've been seeing some interesting traffic where multiple source addresses
<br>are probing a number of the same high order destination ports from a small
<br>set of source ports with a number of different but specific packet sizes.
<br><br> e.g.: source port 3268 -> dest port 50572 packet size 48, 60, 64, and 52
<br> egg: source port 3268 -> dest port 50592 packet size 48, 60, 64, and 52
<br><br> Is there some botnet out there that I haven't heard about?
<br><br>thanks -- ken
<br><br><br>_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26359456&i=0" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26359494Re: Network design change2009-11-12T03:38:39Z2009-11-12T03:38:39Zpkcshadow floating a écrit :
<div class='shrinkable-quote'><br>> Hi All,
<br>> My company has two sites in to 2 different locations that are
<br>> connected via high speed link at the core layer ( I've attached a
<br>> link to the diagram :
<br>> <a href="http://img18.imageshack.us/img18/77/questionhk.jpg" target="_top" rel="nofollow">http://img18.imageshack.us/img18/77/questionhk.jpg</a> for ease of
<br>> explanation)
<br>> in each site I've 1 DMZ , the network team wants to connect the DMZ
<br>> switches in both sites for better performance and "security" - the
<br>> link under investigation is shown in red in the picture - via high
<br>> speed link without passing at all by the core network layer, as they
<br>> say that will aid more in the replication between server A and backup
<br>> server A in the DMZs and also this will help if any of the 2 firewalls
<br>> had failure to access both DMZs from any firewall.
<br>> Is that better from security point of view?
</div>If it's possible, I'd rather use a link between both firewalls
<br>to connect the DMZ.
<br><br>If you connect directly the dmz switches, and if someone can get access
<br>to your dmz, he will get access to the other one as well, as there won't
<br>be any filtering between the DMZs.
<br><br>do the DMZ share the same network addresses ?
<br><br>if not, just use an unused interface on each fw, connect both via a
<br>link, then create some routes to allow trafic between the DMZs.
<br><br>The performance can be also an issue, so it depends on the replication
<br>traffic basically.
<br><br>If you can replicate when there is less traffic, the existing firewall
<br>can be enough. If you can't, it's perhaps time to upgrade the firewalls.
<br><div class='shrinkable-quote'><br>>
<br>> appreciating your great help and advice
<br>> thanks alot
<br>>
<br>> Regards,
<br>> Nad
<br>> _______________________________________________
<br>> firewall-wizards mailing list
<br>> <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26359494&i=0" target="_top" rel="nofollow">firewall-wizards@...</a>
<br>> <a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br>>
</div><br>_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26359494&i=1" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26359480Re: secure firewall rule management program2009-11-10T13:46:35Z2009-11-10T13:46:35ZLan Li<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>Athena Security also provides a
cleanup tool/basic ops tool. Works with Cisco, Check Point and Netscreen
firewalls. Available for eval download at <a href="http://www.athenasecurity.net/firepac_trial.html" target="_top" rel="nofollow">http://www.athenasecurity.net/firepac_trial.html</a><o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>Lan Li<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>-----Original Message-----<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>From:
<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26359480&i=0" target="_top" rel="nofollow">firewall-wizards-bounces@...</a><o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>[<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26359480&i=1" target="_top" rel="nofollow">firewall-wizards-bounces@...</a>]
On Behalf Of Marcin Antkiewicz<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>Sent: Thursday, November 05, 2009
10:52 PM<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>To: Firewall Wizards Security
Mailing List<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>Subject: Re: [fw-wiz] secure
firewall rule management program<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>> Thanks! We're looking
both at Tufin (mentioned by Rainer Ginsberg) <o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>> and at Algosec (mentioned by
one of our managers and by Rainer). The <o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>> current versions of both
products fail to meet several of our <o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>> dealbreaking requirements.
Both products are relatively new. We're <o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>> hopeful that a future version
of one or both products will be what we <o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>> want.<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>Hi Morty,<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>we are looking at the same, but we
are looking for a cleanup/basic ops support tool right now.<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>Would you mind sharing the
dealbreaking requirements? I am wondering now what, if anything we have missed.<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>--<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>Marcin Antkiewicz<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>_______________________________________________<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>firewall-wizards mailing list<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26359480&i=2" target="_top" rel="nofollow">firewall-wizards@...</a><o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
</div>
</body>
</html>
<br />_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26359480&i=3" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26359468Message Labs2009-11-10T13:06:06Z2009-11-10T13:06:06ZBrian Loe-2Anyone here using message labs? Have you received notice that you MUST
<br>open up your firewall for 8 or so networks?
<br>_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26359468&i=0" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26359474Re: OT, sorta: Breaking pipes?2009-11-10T12:27:05Z2009-11-10T12:27:05ZKurt BuffOn Sat, Nov 7, 2009 at 07:34, Chris Myers <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26359474&i=0" target="_top" rel="nofollow">clmmacunix@...</a>> wrote:
<br>> Do you use Perl at all with CGI scripts? If so, this is just an example of
<br>> what might be done with anything written with custom scripts. In this case,
<br>> it is a specific vendor, but it could happen to anyone who does not code
<br>> diligently.
<br>>
<br>> <a href="http://www.kb.cert.org/vuls/id/496064" target="_top" rel="nofollow">http://www.kb.cert.org/vuls/id/496064</a><br><br>We don't use perl/cgi here, but the example is instructive.
<br><br>This issue at hand is for web browsing by clients - the newish manager
<br>believes that it's just too annoying to add exceptions for the
<br>misbehaving web sites. Of course, it's not just the pipe character.
<br>It's also the other unsafe/unwise characters, and the URLs that are
<br>longer than 1024 characters, etc.
<br><br>At some point we may be hosting a web site locally, but that hasn't happened.
<br><br>This is really an education issue, so anything that I can add to the
<br>ammunition pile is helpful.
<br><br>Kurt
<br>_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26359474&i=1" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26290186Re: Network design change2009-11-10T07:58:04Z2009-11-10T07:58:04Zshadow floating Hi All,
<br> My company has two sites in to 2 different locations that are
<br> connected via high speed link at the core layer ( I've attached a
<br> link to the diagram :
<br><a href="http://img18.imageshack.us/img18/77/questionhk.jpg" target="_top" rel="nofollow">http://img18.imageshack.us/img18/77/questionhk.jpg</a> for ease of
<br>explanation)
<br> in each site I've 1 DMZ , the network team wants to connect the DMZ
<br> switches in both sites for better performance and "security" - the
<br> link under investigation is shown in red in the picture - via high
<br> speed link without passing at all by the core network layer, as they
<br> say that will aid more in the replication between server A and backup
<br> server A in the DMZs and also this will help if any of the 2 firewalls
<br> had failure to access both DMZs from any firewall.
<br> Is that better from security point of view?
<br><br> appreciating your great help and advice
<br> thanks alot
<br><br> Regards,
<br> Nad
<br>_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26290186&i=0" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26290150Re: OT, sorta: Breaking pipes?2009-11-07T07:34:06Z2009-11-07T07:34:06ZChris Myers-3Do you use Perl at all with CGI scripts? If so, this is just an
<br>example of what might be done with anything written with custom
<br>scripts. In this case, it is a specific vendor, but it could happen to
<br>anyone who does not code diligently.
<br><br><a href="http://www.kb.cert.org/vuls/id/496064" target="_top" rel="nofollow">http://www.kb.cert.org/vuls/id/496064</a><br><br>Thank You,
<br><br>Chris Myers
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26290150&i=0" target="_top" rel="nofollow">clmmacunix@...</a>
<br><br>John 1:17
<br>For the Law was given through Moses; grace and truth were realized
<br>through Jesus Christ.
<br><br><br><br /> <br /> Go Vols!!!!
<br><br>On Oct 27, 2009, at 1:48 PM, Kurt Buff wrote:
<br><div class='shrinkable-quote'><div class='shrinkable-quote'><br>> All,
<br>>
<br>> At $WORK I admin a nice Sidewinder. Works well. I like it, though I'm
<br>> not as fully trained on it as I'd like to be.
<br>>
<br>> However, I'm seeing more complaints from end-users who are
<br>> encountering web sites that issue URLs with the pipe/vertical bar -
<br>> "|" - character embedded in them. The Sidewinder proxy denies it, as
<br>> is proper. The latest occurrence is a really stupid State government
<br>> web site that actually puts the pipe character at the end of the URL!
<br>>
<br>> For those sites that we have a business case for end-user access, I
<br>> make an exception.
<br>>
<br>> IT manager now considers this an annoyance, and wants justification
<br>> for the not allowing URLs with the character through the proxy. I tell
<br>> him it violates the RFCs that I'm aware of (1738 and 2396 - 3986
<br>> doesn't really deal with it, AFAICT) and he wants me to
<br>> quantify/qualify the risk, and wants me to consider allowing that
<br>> character universally. I told him (as I believe to be correct) that
<br>> you can't do that without turning off the proxy entirely, which would
<br>> be foolish in the extreme.
<br>>
<br>> Aside from what we (the manager and I) already know (that the pipe is
<br>> used in scripting/shells/etc. to redirect output from one program to
<br>> another) are there any other risks of which I'm not aware, or any
<br>> specific attacks that I can point to that have or do use this
<br>> character? I would think that our current understanding on this would
<br>> be sufficient justification for keeping things the way they are, but
<br>> apparently not.
<br>>
<br>> This is really silly, and frustrating for me, though I suppose many of
<br>> you have fought the same (kinds of) battle, but any insight would
<br>> help.
<br>>
<br>> Thanks,
<br>>
<br>> Kurt
<br>> _______________________________________________
<br>> firewall-wizards mailing list
<br>> <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26290150&i=1" target="_top" rel="nofollow">firewall-wizards@...</a>
<br>> <a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a></div></div><br />_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26290150&i=2" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><div class="small"><br/><img src="http://old.nabble.com/images/icon_attachment.gif" > <strong>pastedGraphic.tiff</strong> (24K) <a href="http://old.nabble.com/attachment/26290150/0/pastedGraphic.tiff" target="_top">Download Attachment</a></div><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26290165Re: secure firewall rule management program2009-11-05T20:52:16Z2009-11-05T20:52:16ZMarcin Antkiewicz> Thanks! We're looking both at Tufin (mentioned by Rainer Ginsberg)
<br>> and at Algosec (mentioned by one of our managers and by Rainer). The
<br>> current versions of both products fail to meet several of our
<br>> dealbreaking requirements. Both products are relatively new. We're
<br>> hopeful that a future version of one or both products will be what we
<br>> want.
<br><br>Hi Morty,
<br><br>we are looking at the same, but we are looking for a cleanup/basic ops support
<br>tool right now.
<br><br>Would you mind sharing the dealbreaking requirements? I am wondering now
<br>what, if anything we have missed.
<br><br>--
<br>Marcin Antkiewicz
<br>_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26290165&i=0" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26223859Re: secure firewall rule management program2009-10-30T04:04:53Z2009-10-30T04:04:53ZMordechai T. Abzug-4On Wed, Oct 28, 2009 at 11:52:01AM +0100, Matthias Leu wrote:
<br><br>> have you had a look at Tufin SecureTrack and SecureChange Workflow?
<br><br>Thanks! We're looking both at Tufin (mentioned by Rainer Ginsberg)
<br>and at Algosec (mentioned by one of our managers and by Rainer). The
<br>current versions of both products fail to meet several of our
<br>dealbreaking requirements. Both products are relatively new. We're
<br>hopeful that a future version of one or both products will be what we
<br>want.
<br><br>- Morty
<br>_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26223859&i=0" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26223837Re: secure firewall rule management program2009-10-28T03:52:01Z2009-10-28T03:52:01ZMatthias LeuHi Morty,
<br>have you had a look at Tufin SecureTrack and SecureChange Workflow?
<br>It's not free, but quite good and I think your requirements are fulfilled.
<br><br>It runs on Linux and is written by security professionals.
<br>SecureTrack is connected to Check Point SmartCenter or MDS/CMA via
<br>OPSEC, other vendors are supported too (e.g. Juniper, Cisco,
<br>Fortinet,...).
<br>Each 'save' gives a new revision, no 'install' necessary. So reports,
<br>and above all, alerts are generated before installing the new version on
<br>the firewalls.
<br>Expired rules can be found, rule usage is based on logging - also the
<br>use of objects within rules is documented, so not only unused rules but
<br>also unused objects can be found. I found out that esp. finding these
<br>objects is important and not so easy without a tool.
<br>Based on logging an automatic policy generation is possible, offering
<br>many parameters for the suggested rulebase. Further on, many different
<br>types of reports and audits (also PCI-DSS) can be configured and run.
<br>Users can be defined as admin or as simple user with different roles and
<br>therefore rights.
<br>Tufin SecureChange Workflow offers a very open and individually
<br>configrable system. Many different workflows can be defined. These
<br>workflows need to be followed. Many different roles can be defined, e.g.
<br>admin, end user (requestor), approver, implementer, dispatcher etc. You
<br>are very free in defining users and workflows.
<br>The request can be checked agains compliance alerts and rules for
<br>business continuity from Tufin SecureTrack. So when a user requests a
<br>'forbidden connection', an alert is generated. For sure, existing rules
<br>as well as objects can be considered.
<br><br>We work with this software since a longer time now, it's good. Have a
<br>look at www.tufin.com
<br><br>Best regars,
<br>Matthias
<br>--
<br>AERAsec Network Services and Security GmbH HRB: 133265 München
<br>Wagenberger Strasse 1 UStID: DE-209125001
<br>D-85662 Hohenbrunn, Germany
<br>Tel. +49 8102 895 190 Fax. +49 8102 895 199
<br>Sitz der Ges.: D-85662 Hohenbrunn, Geschäftsführer: Dr. Matthias Leu
<br><a href="http://www.aerasec.de" target="_top" rel="nofollow">http://www.aerasec.de</a> <a href="http://www.fw-1.eu" target="_top" rel="nofollow">http://www.fw-1.eu</a><br>PGP Public Key: <a href="http://www.aerasec.de/wir/publickeys/MatthiasLeu.asc" target="_top" rel="nofollow">http://www.aerasec.de/wir/publickeys/MatthiasLeu.asc</a><br>_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26223837&i=0" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26223811OT, sorta: Breaking pipes?2009-10-27T11:48:52Z2009-10-27T11:48:52ZKurt BuffAll,
<br><br>At $WORK I admin a nice Sidewinder. Works well. I like it, though I'm
<br>not as fully trained on it as I'd like to be.
<br><br>However, I'm seeing more complaints from end-users who are
<br>encountering web sites that issue URLs with the pipe/vertical bar -
<br>"|" - character embedded in them. The Sidewinder proxy denies it, as
<br>is proper. The latest occurrence is a really stupid State government
<br>web site that actually puts the pipe character at the end of the URL!
<br><br>For those sites that we have a business case for end-user access, I
<br>make an exception.
<br><br>IT manager now considers this an annoyance, and wants justification
<br>for the not allowing URLs with the character through the proxy. I tell
<br>him it violates the RFCs that I'm aware of (1738 and 2396 - 3986
<br>doesn't really deal with it, AFAICT) and he wants me to
<br>quantify/qualify the risk, and wants me to consider allowing that
<br>character universally. I told him (as I believe to be correct) that
<br>you can't do that without turning off the proxy entirely, which would
<br>be foolish in the extreme.
<br><br>Aside from what we (the manager and I) already know (that the pipe is
<br>used in scripting/shells/etc. to redirect output from one program to
<br>another) are there any other risks of which I'm not aware, or any
<br>specific attacks that I can point to that have or do use this
<br>character? I would think that our current understanding on this would
<br>be sufficient justification for keeping things the way they are, but
<br>apparently not.
<br><br>This is really silly, and frustrating for me, though I suppose many of
<br>you have fought the same (kinds of) battle, but any insight would
<br>help.
<br><br>Thanks,
<br><br>Kurt
<br>_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26223811&i=0" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-26052344Re: secure firewall rule management program2009-10-23T05:58:31Z2009-10-23T05:58:31ZAvishai Wool-2Mordechai,
<br><br>AlgoSec FireFlow does pretty much exactly what you need.
<br>It is definitely topology aware and can tell you which firewalls
<br>you should modify to meet a change request.
<br>It has rule expiration built in.
<br>Supports Check Point, Cisco, Juniper, Fortinet.
<br><br><a href="http://www.algosec.com" target="_top" rel="nofollow">http://www.algosec.com</a><br><br>Avishai
<br><br>disclaimer: I'm AlgoSec CTO & Co-Founder so I'm biased.
<br><br><br><br>On 9/3/09, Mordechai T. Abzug <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26052344&i=0" target="_top" rel="nofollow">morty+fw-wiz@...</a>> wrote:
<div class='shrinkable-quote'><br>> Anyone have suggestions for a good, secure webified firewall rule
<br>> management program? I.e. the kind of thing where users submit
<br>> requests for firewall holes and there's support for workflow so that a
<br>> requested rule goes to an approver for approval, and if approved, it
<br>> then goes to an implementer for implementation. COTS or free is fine.
<br>>
<br>> Requirements:
<br>>
<br>> * Secure code! The firewall request system should not itself be a
<br>> security hole.
<br>>
<br>> * The system should allow users to submit rule requests, to be
<br>> approved by designated "approvers", and if approved, implemented by
<br>> designated "implementers".
<br>>
<br>> * Awareness of firewall topology. I.e. the product needs to be aware
<br>> of which firewalls a given request traverses so this information can
<br>> be available to approvers and implementers.
<br>>
<br>> * The system should include a notion of rule expiration, with
<br>> attendant workflow.
<br>>
<br>> * The system should support change requests to existing rules, with
<br>> attendant approver/implementer workflow.
<br>>
<br>> * The ability to abstract users into departments or projects,
<br>> ie. instead of the rule for the accounting web server belonging to
<br>> an individual, it belongs to "accounting". Even better if an
<br>> individual can submit for multiple projects, ie. a sysadmin who
<br>> works for both accounting and marketing can annotate "this rule
<br>> belongs to accounting" and the like.
<br>>
<br>> * Sane role/permissions scheme, ie. user from department 1 can't
<br>> modify rule requests for department 2, and the like.
<br>>
<br>> Desirements:
<br>>
<br>> * The ability to export rulesets into popular firewall formats
<br>>
<br>> * The ability to import existing rules from popular firewall formats
<br>>
<br>> * The ability to search for IPs in rules using CIDR specifications
<br>>
<br>> * COTS or free. We have some budget, but if there is something free,
<br>> we certainly won't complain.
<br>>
<br>> [People who have been around a while might remember that I asked this
<br>> question some years ago. Unfortunately, there were no answers other
<br>> than some private, "yes, we'd like that too."]
<br>>
<br>> - Morty
<br>> _______________________________________________
<br>> firewall-wizards mailing list
<br>> <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26052344&i=1" target="_top" rel="nofollow">firewall-wizards@...</a>
<br>> <a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br>>
</div>_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26052344&i=2" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-25891416Re: Palo Alto Networks2009-10-13T06:46:20Z2009-10-13T06:46:20ZCassell, Damon Z.> I remember it didn't have a central management, so having a few of
<br>> those boxes may be ok, but when you're looking at 20+ clusters, it
<br>> becomes time consuming to manage.
<br><br>Palo Alto does have central management by using an additional product called Panorama.
<br><br><a href="http://www.paloaltonetworks.com/products/panorama.html" target="_top" rel="nofollow">http://www.paloaltonetworks.com/products/panorama.html</a><br><br>One observation on the topic of management; the Palo Alto logging scheme seemed clunky, especially with a lot of logging enabled. If you are a frequent user of, say, Check Point SmartView Tracker then you might be annoyed with a web-based viewer and have some trouble with the query capabilities. Maybe the experience improves when you spend more time with the product, but it was an initial concern. Look at this in your own environment if logs are important to you...
<br><br>Again, this may have changed with PanOS 3.
<br><br>Damon
<br><br><br>_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=25891416&i=0" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-25881571Re: Palo Alto Networks2009-10-09T09:27:36Z2009-10-09T09:27:36ZPaul Hutchings-2Thanks all.
<br><br>Frank, We would only be looking at one unit so management shouldn't
<br>be an issue. You mentioned "home grown apps" and giving them a
<br>definition, this will hopefully all be clear once I have a units GUI
<br>in front of me, but presumably if you need/want it to the PA boxes
<br>can also act as dumb stateful firewalls i.e. "Simply allow port XYZ
<br>from X to Y"?
<br><br>Arkanoid, I've learned not to trust the marketing hence lurking on
<br>technical forums and lists like this. Also (again may become clear
<br>when in front of one) but how does the SSL inspection/MITM actually
<br>work i.e. what would I need to change on my clients and could it also
<br>be used to apply inspection to inbound SSL traffic to look for
<br>nasties i.e. Outlook Web Access?
<br><br>As a general question, what strategies are people taking these days
<br>regards "layering" firewalls? We currently use a back to back
<br>approach with a dumb stateful firewall at our perimeter almost as a
<br>"doorman" so that only the ports we need to allow in get in, and then
<br>we get a little smarter i.e. does it conform to RFCs etc. at the LAN
<br>edge firewall. I'm wondering if the general consensus is that this
<br>is still a sensible idea?
<br><br>Paul
<br><br>On 8 Oct 2009, at 20:47, Francois Yang wrote:
<br><div class='shrinkable-quote'><br>> I've worked with them before and they're pretty good.
<br>> easy setup and maintenance, good integration with Active Directory,
<br>> good application detection engine.
<br>> Over all it's a good product, but you have to test it in your own
<br>> environment to see if it fits.
<br>> here are the draw backs that I can remember. all firewalls have some
<br>> kind of issues.
<br>> here are the issues I see and maybe they have been fixed by now. I
<br>> don't know it's been a while.
<br>> I remember it didn't have a central management, so having a few of
<br>> those boxes may be ok, but when you're looking at 20+ clusters, it
<br>> becomes time consuming to manage.
<br>> Application detection engine would automatically drop the traffic of
<br>> unknown apps into a low priority pool. So if you have home grown apps
<br>> which requires alot of bandwidth, you need to make sure you find it
<br>> and give it a definition or work with their team to create custom rule
<br>> otherwise it will crawl.
<br>> I'm sure there's more pros and cons, but that's all I can think of.
<br>> Let me know if you have more questions.
<br>>
<br>> Frank
<br>>
<br>>
<br>>
<br>> On Thu, Oct 8, 2009 at 12:00 PM, Paul Hutchings <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=25881571&i=0" target="_top" rel="nofollow">paul@...</a>>
<br>> wrote:
<br>>> Getting one of their boxes on eval for a couple of weeks. Quite a
<br>>> broad and
<br>>> generic question I know, but does anyone have any experience(s)
<br>>> they wish to
<br>>> share?
<br>>>
<br>>> Cheers,
<br>>> Paul
<br>>> _______________________________________________
<br>>> firewall-wizards mailing list
<br>>> <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=25881571&i=1" target="_top" rel="nofollow">firewall-wizards@...</a>
<br>>> <a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br>>>
<br>>
<br>>
<br>>
<br>> --
<br>> If you spend more on coffee than on IT security, you will be hacked.
<br>> What's more, you deserve to be hacked. — White House Cybersecurity
<br>> Advisor, Richard Clarke
<br>> _______________________________________________
<br>> firewall-wizards mailing list
<br>> <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=25881571&i=2" target="_top" rel="nofollow">firewall-wizards@...</a>
<br>> <a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a></div>_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=25881571&i=3" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>tag:old.nabble.com,2006:post-25881554Re: Slow FTP transfers2009-10-08T15:05:06Z2009-10-08T15:05:06Znoc opsHi Chris,
<br><br>There are no tracking module(s) that I know of. These servers are
<br>located behind FWSM.
<br><br>I haven't tried different server but active mode seems to cause
<br>intermittent problem whereas passive mode seems to be the work around.
<br><br><br>regards,
<br>sky
<br><br><br>Chris Smith wrote:
<div class='shrinkable-quote'><br>> Sky does the device that the ftp server sits behind have any kind of ftp connection tracking module?
<br>>
<br>> What happens with a different ftp server behind the same firewall using active mode and the same 50 MB file?
<br>>
<br>> This test will at least tell you if the firewall is the issue.
<br>>
<br>> Perhaps it could be an issue with the ftp server or the tcp stack on the host OS?
<br>>
<br>> Have you tried starting the service in a debug mode?
<br>>
<br>> Hope this helps.
<br>>
<br>> ----- Original Message -----
<br>> From: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=25881554&i=0" target="_top" rel="nofollow">firewall-wizards-bounces@...</a> <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=25881554&i=1" target="_top" rel="nofollow">firewall-wizards-bounces@...</a>>
<br>> To: Firewall Wizards Security Mailing List <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=25881554&i=2" target="_top" rel="nofollow">firewall-wizards@...</a>>
<br>> Sent: Wed Oct 07 14:49:41 2009
<br>> Subject: Re: [fw-wiz] Slow FTP transfers
<br>>
<br>> Hi,
<br>>
<br>> I've looked at every possible aspect of this connection based on the
<br>> feedback I've received w/ no avail.
<br>>
<br>> FSWM module is running v1.1(4) and CATOS v7.6(16).
<br>>
<br>> Any further insight will be appreciated.
<br>>
<br>>
<br>> regards,
<br>> sky
<br>>
<br>> sky wrote:
<br>>> Hi,
<br>>>
<br>>> I'm having an issue when ftp'ing (default port mode) large file (50megs)
<br>>> to a remote server sitting behind FWSM. The transfer gets real slow and
<br>>> at times just timeouts.
<br>>>
<br>>> Now when I change ftp mode to passive the same file transfer works w/o
<br>>> any issues. Why?
<br>>>
<br>>> Have inspect ftp and mtu is set for 1500. I've checked for duplex
<br>>> settings as well which is good.
<br>>>
<br>>> Any thoughts will be great.
<br>>>
<br>>> regards
<br>>> sky
<br>>>
<br>>>
<br>>>
<br>>> _______________________________________________
<br>>> firewall-wizards mailing list
<br>>> <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=25881554&i=3" target="_top" rel="nofollow">firewall-wizards@...</a>
<br>>> <a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br>>>
<br>> _______________________________________________
<br>> firewall-wizards mailing list
<br>> <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=25881554&i=4" target="_top" rel="nofollow">firewall-wizards@...</a>
<br>> <a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a></div>_______________________________________________
<br>firewall-wizards mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=25881554&i=5" target="_top" rel="nofollow">firewall-wizards@...</a>
<br><a href="https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards" target="_top" rel="nofollow">https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</a><br><p>From forum: <a href="http://old.nabble.com/Firewall-Wizards-f397.html" embed="fixTarget[397]" target="_top" >Firewall Wizards</a></p>