[fw-wiz] Help- Nat-t

From: Ralema Geno (rgeno_at_datec.net.pg)
Date: 11/24/04

  • Next message: Luis Maria Sainz Caballero: "RE: [fw-wiz] Checkpoint NAT H.323 support"
    To: <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 24 Nov 2004 14:55:50 +1000
    
    

    Hi,
    Can someone assist me, I would like to know how NAT-Traversal is used and
    the best type of scenario it can be used for.

    I have read information, but I can't seem to quite get how it's supposed to
    work.

    Ok, If you have several VPN Clients and are configured on the Firewall none
    of them using nat-t, however one particular client has enabled nat-t on
    their end. But can't connect until my side is done?

    What should I do?

    Cheers
    Rale

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of
    firewall-wizards-request@honor.icsalabs.com
    Sent: Wednesday, 24 November 2004 3:00 AM
    To: firewall-wizards@honor.icsalabs.com
    Subject: firewall-wizards digest, Vol 1 #1463 - 6 msgs

    Send firewall-wizards mailing list submissions to
            firewall-wizards@honor.icsalabs.com

    To subscribe or unsubscribe via the World Wide Web, visit
            http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    or, via email, send a message with subject or body 'help' to
            firewall-wizards-request@honor.icsalabs.com

    You can reach the person managing the list at
            firewall-wizards-admin@honor.icsalabs.com

    When replying, please edit your Subject line so it is more specific
    than "Re: Contents of firewall-wizards digest..."

    Today's Topics:

       1. Security of HTTPS (Alex Bihlmaier)
       2. Re: Ethics & hiring (Mike Smith)
       3. Re: Checkpoint NAT H.323 support (Rob Hughes)
       4. Re: ASP/Hosting Architecture (Jian Zhen)
       5. RE: Security of HTTPS (Ben Nagy)
       6. RE: Security of HTTPS (Jean-Denis Gorin)

    --__--__--

    Message: 1
    Date: Fri, 19 Nov 2004 12:06:50 +0100
    From: Alex Bihlmaier <thalunil@kallisti.de>
    To: firewall-wizards@honor.icsalabs.com
    Subject: [fw-wiz] Security of HTTPS

    Good Morning.

    I am curious how strong the security of https can be.
    Is there some possibility of a MITM attack?
    Are there any papers out there outlining this aspect of security?

    //thalunil

    ----------------------------------------------------------------
    kallisti.de webmail access - email on the road

    --__--__--

    Message: 2
    Date: Fri, 19 Nov 2004 15:13:00 -0500 (EST)
    From: Mike Smith <jmikesmith@yahoo.com>
    To: firewall-wizards@honor.icsalabs.com
    Subject: [fw-wiz] Re: Ethics & hiring

     --- Bennett Todd <bet@rahul.net> wrote:
    >
    > Anti-virus companies are in a very, very awkward position. Their
    > business is profitable solely because of the widespread problems
    > with viruses; if it weren't for all the malware authors, they'd be
    > out of business. They make their money on viruses.

    I feel that there's something wrong with this argument. This would seem to
    be
    a core characteristic of any market that sells products that defend/protect
    you
    from Bad Things. Examples would include snow tires (snowstorms), portable
    generators (power blackouts), and, perhaps more relevant to the discussion,
    home security systems (burglars). Would there not be an incentive for
    manufacturers of any of these products to somehow increase the frequency of
    Bad
    Things to boost their sales? Is it just because viruses are easier to
    create
    than snowstorms, blackouts, or burglars that we view anti-virus vendors with
    such suspicion?

    I need convincing that anti-virus vendors are in a more awkward position
    than
    any other manufacturer of anti-Bad Thing products.

    =====
    Mike Smith

    "Human history becomes more and more a race between education and
    catastrophe."
                            H.G. Wells - The Outline of History

    ______________________________________________________________________
    Post your free ad now! http://personals.yahoo.ca

    --__--__--

    Message: 3
    Subject: Re: [fw-wiz] Checkpoint NAT H.323 support
    From: Rob Hughes <rob@robhughes.com>
    To: firewall-wizards@honor.icsalabs.com
    Date: Sat, 20 Nov 2004 17:39:19 -0600

    On Thu, 2004-11-18 at 16:46 +0100, Luis Maria Sainz Caballero wrote:
    > Hi people,
    >
    > I am new to the list and I hope you help me. I have a problem with
    > FW-1/VPN-1 NG with AI (R55) and the H.323 support. I am trying to register
    > (H.323 RAS) a VoIP gateway inside my trusted network with a gatekeer on
    > the Internet. I have already configured the VoIP domains (one for the
    > gateway and another for the gatekeeper) in the FW, applied the last hotfix
    > acumulator (HFA_11) and configured static NAT for the internal gateway to
    > a public IP.
    > The gatekeeper cannot respond because the IP inside the h225 payload isn't
    > traslated, and I have confirmed it using the monitor inside de Firewall
    > (fw monitor).
    > Anybody know if Checkpoint really suports H.323 NAT? or can be a problem
    > of mixconfiguration?
    >

    What does your rule look like? Specifically, what service are you using?
    Also, the CP docs have examples of how to set this up. Have you tried
    following those? But yes, it does (mostly) work.

    --__--__--

    Message: 4
    Date: Sun, 21 Nov 2004 20:28:33 -0800
    From: Jian Zhen <jlz@zhen.org>
    To: Chris Pugrud <chris@pugrud.net>
    Cc: "Paul D. Robertson" <paul@compuwar.net>,
            firewall-wizards@honor.icsalabs.com
    Subject: Re: [fw-wiz] ASP/Hosting Architecture

    Chris Pugrud (chris@pugrud.net) [041118 13:16]:
    > The customer conenctions were encrypted because they left our zone of
    control,
    > even though they were "private" point to point t1 lines. The IPSEC VPN's
    were
    > done with Network Alchemy Hardware. Network Alchemy was aquired by Nokia
    and I
    > hope the capabilities have been maintained. NA has a really phenominal
    > automagical load balancing capabilty. I still have several boxes on my
    shelf
    > that I purchased from the company.

    Unfortunately, Network Alchemy's hardware, assuming you are talking about
    the CryptClusters, has been EOL'ed for quite a while now.

    My previous work place had a couple hundred of them and I thought they were
    one of the best VPN devices out there, probably still is.

    It's unfortunate that they are no longer available.

    However, I believe some of the functionalities were incoprated into their
    IPSO software/appliances.

    -- 
    Jian Zhen <jlz@zhen.org>
    Blog: http://www.trustpath.com/logmatters
    --__--__--
    Message: 5
    From: "Ben Nagy" <ben@iagu.net>
    To: "'Alex Bihlmaier'" <thalunil@kallisti.de>,
    	<firewall-wizards@honor.icsalabs.com>
    Subject: RE: [fw-wiz] Security of HTTPS
    Date: Tue, 23 Nov 2004 09:24:45 +0100
    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com 
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf 
    > Of Alex Bihlmaier
    [...]
    > I am curious how strong the security of https can be.
    I don't know if this is a troll. If you're some super advanced
    crypto-protocol guy trying to send a minimalist email, I may have been
    fooled.
    > Is there some possibility of a MITM attack?
    No.
    (Well..... Yes.)
    HTTPS relies on SSL / TLS. One of the three fundamental design goals[1] for
    TLS is:
    " The negotiation is reliable: no attacker can modify the 
    negotiation communication without being detected by the 
    parties to the communication."
    There are, sadly, still a lot of possible ways to introduce a MitM attack -
    almost all of these rely on browser bugs (not an SSL problem), the
    stupidness of the "trusted third party" model typified by commercial
    Certification Authorities (not really an SSL problem either), or total
    mis-use of the protocol to ignore server authentication (nobody does that
    although it is supported in theory). 
    Basically, the model is fine, but the implementation is often sloppy enough
    to allow strange things to happen. The fact that most users are now trained
    to ignore certificate error warnings doesn't help.
    > Are there any papers out there outlining this aspect of security?
    Start with the SSL spec. [2] Then read the TLS RFC [1]. You might also try a
    FAQ like this one [3] which includes links through to higher level
    summaries.
    Cheers,
    ben
    [1] http://www.faqs.org/rfcs/rfc2246.html
    [2] http://wp.netscape.com/eng/ssl3/draft302.txt
    [3] http://www.faqs.org/faqs/computer-security/ssl-talk-faq/
    --__--__--
    Message: 6
    Date: Tue, 23 Nov 2004 11:05:26 +0100 (CET)
    From: Jean-Denis Gorin <jdg_cnce2004@yahoo.fr>
    Subject: RE: [fw-wiz] Security of HTTPS
    To: firewall-wizards@honor.icsalabs.com, thalunil@kallisti.de
    Lot of papers about SSL Man In the Middle attack. For
    example, on the SANS web site:
      http://www.sans.org/rr/whitepapers/threats/480.php
    Some kind of proxies use this to enable content
    filtering of HTTPS traffic...
      JDG
    >From Alex Bihlmaier
    > 
    > Good Morning.
    > 
    > 
    > 
    > I am curious how strong the security of https can
    be.
    > Is there some possibility of a MITM attack?
    > Are there any papers out there outlining this aspect
    > of security?
    > 
    > 
    > 
    > //thalunil
    > 
    	
    	
    		
    Vous manquez d’espace pour stocker vos mails ? 
    Yahoo! Mail vous offre GRATUITEMENT 100 Mo !
    Créez votre Yahoo! Mail sur http://fr.benefits.yahoo.com/
    Le nouveau Yahoo! Messenger est arrivé ! Découvrez toutes les nouveautés
    pour dialoguer instantanément avec vos amis. A télécharger gratuitement sur
    http://fr.messenger.yahoo.com
    --__--__--
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    End of firewall-wizards Digest
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    

  • Next message: Luis Maria Sainz Caballero: "RE: [fw-wiz] Checkpoint NAT H.323 support"

    Relevant Pages

    • Re: Full-Time SSL: Performance vs. Usability???
      ... > that has a rather odd design philosophy with respect to SSL: ... They will pre-optimise for performance problems that may ... even at the expense of security. ... If you enforce HTTPS for the entire site, new pages will be added under ...
      (microsoft.public.dotnet.security)
    • RE: SSL over Port 80 when 443 is defined???
      ... | https for the entire server however a testing application that we have ... | http and https is enforced. ... SSL, set SSL required in Master Properties (in IIS console, rightclick the ... TechNet Security Best Practices: ...
      (microsoft.public.inetserver.iis.security)
    • [NEWS] Transparent Cache Engine and Content Engine TCP Relay Vulnerability
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The default configuration of the proxy ... The following Cisco Cache Engine and Content Engine products are affected ... of supported protocols such as FTP and HTTPS. ...
      (Securiteam)
    • [NT] Microsoft SSL Library Remote Compromise Vulnerability (MS04-011, Exploit)
      ... Get your security news from a reliable source. ... condition in the Microsoft Secure Sockets Layer (SSL) library. ... the PCT 1.0 protocol is disabled by default. ...
      (Securiteam)
    • Re: is HTTPS crackable
      ... (willing to question HTTPS protocal security prior to questioning ... OWA55/Kiosk security), not necessary Microsoft's strategy. ... > public Internet access by a kiosk, ... > about downloading and installing the self-signed certificate. ...
      (microsoft.public.inetserver.iis.security)