[fw-wiz] Help- Nat-t
From: Ralema Geno (rgeno_at_datec.net.pg)
To: <email@example.com> Date: Wed, 24 Nov 2004 14:55:50 +1000
Can someone assist me, I would like to know how NAT-Traversal is used and
the best type of scenario it can be used for.
I have read information, but I can't seem to quite get how it's supposed to
Ok, If you have several VPN Clients and are configured on the Firewall none
of them using nat-t, however one particular client has enabled nat-t on
their end. But can't connect until my side is done?
What should I do?
[mailto:firstname.lastname@example.org] On Behalf Of
Sent: Wednesday, 24 November 2004 3:00 AM
Subject: firewall-wizards digest, Vol 1 #1463 - 6 msgs
Send firewall-wizards mailing list submissions to
To subscribe or unsubscribe via the World Wide Web, visit
or, via email, send a message with subject or body 'help' to
You can reach the person managing the list at
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
1. Security of HTTPS (Alex Bihlmaier)
2. Re: Ethics & hiring (Mike Smith)
3. Re: Checkpoint NAT H.323 support (Rob Hughes)
4. Re: ASP/Hosting Architecture (Jian Zhen)
5. RE: Security of HTTPS (Ben Nagy)
6. RE: Security of HTTPS (Jean-Denis Gorin)
Date: Fri, 19 Nov 2004 12:06:50 +0100
From: Alex Bihlmaier <email@example.com>
Subject: [fw-wiz] Security of HTTPS
I am curious how strong the security of https can be.
Is there some possibility of a MITM attack?
Are there any papers out there outlining this aspect of security?
kallisti.de webmail access - email on the road
Date: Fri, 19 Nov 2004 15:13:00 -0500 (EST)
From: Mike Smith <firstname.lastname@example.org>
Subject: [fw-wiz] Re: Ethics & hiring
--- Bennett Todd <email@example.com> wrote:
> Anti-virus companies are in a very, very awkward position. Their
> business is profitable solely because of the widespread problems
> with viruses; if it weren't for all the malware authors, they'd be
> out of business. They make their money on viruses.
I feel that there's something wrong with this argument. This would seem to
a core characteristic of any market that sells products that defend/protect
from Bad Things. Examples would include snow tires (snowstorms), portable
generators (power blackouts), and, perhaps more relevant to the discussion,
home security systems (burglars). Would there not be an incentive for
manufacturers of any of these products to somehow increase the frequency of
Things to boost their sales? Is it just because viruses are easier to
than snowstorms, blackouts, or burglars that we view anti-virus vendors with
I need convincing that anti-virus vendors are in a more awkward position
any other manufacturer of anti-Bad Thing products.
"Human history becomes more and more a race between education and
H.G. Wells - The Outline of History
Post your free ad now! http://personals.yahoo.ca
Subject: Re: [fw-wiz] Checkpoint NAT H.323 support
From: Rob Hughes <firstname.lastname@example.org>
Date: Sat, 20 Nov 2004 17:39:19 -0600
On Thu, 2004-11-18 at 16:46 +0100, Luis Maria Sainz Caballero wrote:
> Hi people,
> I am new to the list and I hope you help me. I have a problem with
> FW-1/VPN-1 NG with AI (R55) and the H.323 support. I am trying to register
> (H.323 RAS) a VoIP gateway inside my trusted network with a gatekeer on
> the Internet. I have already configured the VoIP domains (one for the
> gateway and another for the gatekeeper) in the FW, applied the last hotfix
> acumulator (HFA_11) and configured static NAT for the internal gateway to
> a public IP.
> The gatekeeper cannot respond because the IP inside the h225 payload isn't
> traslated, and I have confirmed it using the monitor inside de Firewall
> (fw monitor).
> Anybody know if Checkpoint really suports H.323 NAT? or can be a problem
> of mixconfiguration?
What does your rule look like? Specifically, what service are you using?
Also, the CP docs have examples of how to set this up. Have you tried
following those? But yes, it does (mostly) work.
Date: Sun, 21 Nov 2004 20:28:33 -0800
From: Jian Zhen <email@example.com>
To: Chris Pugrud <firstname.lastname@example.org>
Cc: "Paul D. Robertson" <email@example.com>,
Subject: Re: [fw-wiz] ASP/Hosting Architecture
Chris Pugrud (firstname.lastname@example.org) [041118 13:16]:
> The customer conenctions were encrypted because they left our zone of
> even though they were "private" point to point t1 lines. The IPSEC VPN's
> done with Network Alchemy Hardware. Network Alchemy was aquired by Nokia
> hope the capabilities have been maintained. NA has a really phenominal
> automagical load balancing capabilty. I still have several boxes on my
> that I purchased from the company.
Unfortunately, Network Alchemy's hardware, assuming you are talking about
the CryptClusters, has been EOL'ed for quite a while now.
My previous work place had a couple hundred of them and I thought they were
one of the best VPN devices out there, probably still is.
It's unfortunate that they are no longer available.
However, I believe some of the functionalities were incoprated into their
-- Jian Zhen <email@example.com> Blog: http://www.trustpath.com/logmatters --__--__-- Message: 5 From: "Ben Nagy" <firstname.lastname@example.org> To: "'Alex Bihlmaier'" <email@example.com>, <firstname.lastname@example.org> Subject: RE: [fw-wiz] Security of HTTPS Date: Tue, 23 Nov 2004 09:24:45 +0100 > -----Original Message----- > From: email@example.com > [mailto:firstname.lastname@example.org] On Behalf > Of Alex Bihlmaier [...] > I am curious how strong the security of https can be. I don't know if this is a troll. If you're some super advanced crypto-protocol guy trying to send a minimalist email, I may have been fooled. > Is there some possibility of a MITM attack? No. (Well..... Yes.) HTTPS relies on SSL / TLS. One of the three fundamental design goals for TLS is: " The negotiation is reliable: no attacker can modify the negotiation communication without being detected by the parties to the communication." There are, sadly, still a lot of possible ways to introduce a MitM attack - almost all of these rely on browser bugs (not an SSL problem), the stupidness of the "trusted third party" model typified by commercial Certification Authorities (not really an SSL problem either), or total mis-use of the protocol to ignore server authentication (nobody does that although it is supported in theory). Basically, the model is fine, but the implementation is often sloppy enough to allow strange things to happen. The fact that most users are now trained to ignore certificate error warnings doesn't help. > Are there any papers out there outlining this aspect of security? Start with the SSL spec.  Then read the TLS RFC . You might also try a FAQ like this one  which includes links through to higher level summaries. Cheers, ben  http://www.faqs.org/rfcs/rfc2246.html  http://wp.netscape.com/eng/ssl3/draft302.txt  http://www.faqs.org/faqs/computer-security/ssl-talk-faq/ --__--__-- Message: 6 Date: Tue, 23 Nov 2004 11:05:26 +0100 (CET) From: Jean-Denis Gorin <email@example.com> Subject: RE: [fw-wiz] Security of HTTPS To: firstname.lastname@example.org, email@example.com Lot of papers about SSL Man In the Middle attack. For example, on the SANS web site: http://www.sans.org/rr/whitepapers/threats/480.php Some kind of proxies use this to enable content filtering of HTTPS traffic... JDG >From Alex Bihlmaier > > Good Morning. > > > > I am curious how strong the security of https can be. > Is there some possibility of a MITM attack? > Are there any papers out there outlining this aspect > of security? > > > > //thalunil > Vous manquez d’espace pour stocker vos mails ? Yahoo! Mail vous offre GRATUITEMENT 100 Mo ! Créez votre Yahoo! Mail sur http://fr.benefits.yahoo.com/ Le nouveau Yahoo! Messenger est arrivé ! Découvrez toutes les nouveautés pour dialoguer instantanément avec vos amis. A télécharger gratuitement sur http://fr.messenger.yahoo.com --__--__-- _______________________________________________ firewall-wizards mailing list firstname.lastname@example.org http://honor.icsalabs.com/mailman/listinfo/firewall-wizards End of firewall-wizards Digest _______________________________________________ firewall-wizards mailing list email@example.com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards