[fw-wiz] TCP syncookies - firewall or host?



I think any traffic that "bypasses" the firewall and is handled inside a higher security zone could present a problem. I would let the PIX handle pre-embryonic connections.

chris


----- Original Message ----
From: "firewall-wizards-request@xxxxxxxxxxxxxxxxxxxxx" <firewall-wizards-request@xxxxxxxxxxxxxxxxxxxxx>
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
Sent: Wednesday, April 4, 2007 9:34:09 AM
Subject: firewall-wizards Digest, Vol 12, Issue 1


Send firewall-wizards mailing list submissions to
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@xxxxxxxxxxxxxxxxxxxxx

You can reach the person managing the list at
firewall-wizards-owner@xxxxxxxxxxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. TCP syncookies - firewall or host? (Florin Andrei)
2. Re: OT? New compromise. (Mike Barkett)
3. Re: TCP syncookies - firewall or host? (Florin Andrei)
4. Firewall surveyquestion (Steve orca)
5. Poll: Interested in feedback for layer 2 filtering requirement for Solaris (Darren Reed)
6. Pix 535 - Filtering to VLANs? (James Burns)
7. Re: Firewall surveyquestion (rgolodner@xxxxxxxxxxxxxxxx)


----------------------------------------------------------------------

Message: 1
Date: Tue, 03 Apr 2007 13:13:56 -0700
From: Florin Andrei <florin@xxxxxxxxxxxxxxx>
Subject: [fw-wiz] TCP syncookies - firewall or host?
To: Firewall Wizards Security Mailing List
<firewall-wizards@xxxxxxxxxxxxxxxxxxxxx>
Message-ID: <4612B584.3040208@xxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Speaking about SYN flood - where would you handle it, at the firewall
level, or at the host level?

Practical example:
A PIX-515E running v7.2.2, 128MB RAM
About 16 servers running Red Hat Enterprise 4, 8 GB RAM each, 4 CPU
cores (recent AMD64 CPUs), all of them behind the firewall

syncookies can be enabled either at the firewall level, or at the host
level. Also, all kinds of TCP parameters can be tweaked on the firewall
(intercept and connection limits) but also on the servers via the /proc
filesystem.

This sounds like a job for the firewall, but on the other hand all those
servers are very fast, there's a lot of them, and usually they're mostly
idle. So I'm very tempted to dump that task on the servers.

Pros and cons?

--
Florin Andrei

http://florin.myip.org/
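The "tweak the servers via the /proc filesystem" half of the question above, worked through as an added example (my code, not the poster's or Red Hat's). It reads the real Linux sysctl knobs that govern half-open connections, reports weak settings against thresholds that are my own assumptions, and parses the TcpExt counters of /proc/net/netstat (real field names, constructed values) so you can tell whether the host is actually falling back to cookies during a flood, rather than merely having them enabled.

```python
"""Host-side SYN-flood posture: sysctl checks plus /proc/net/netstat counters.

Added example, not code from the list thread. Assumes a Linux host; the
sysctl names and the /proc/net/netstat layout are real, the sample values
and the "weak/ok" thresholds below are the author's own.
"""
import os

SYSCTL_ROOT = "/proc/sys"

# Kernel knobs that govern half-open (embryonic) connection handling.
SYN_KNOBS = (
    "net.ipv4.tcp_syncookies",        # 0 off, 1 on when the backlog overflows, 2 always
    "net.ipv4.tcp_max_syn_backlog",   # half-open entries kept before cookies kick in
    "net.ipv4.tcp_synack_retries",    # SYN-ACK retransmits; bounds how long a slot lives
    "net.core.somaxconn",             # accept-queue cap per listening socket
)


def read_sysctls(root=SYSCTL_ROOT):
    """Read the knobs from /proc/sys; missing files (non-Linux) yield None."""
    out = {}
    for name in SYN_KNOBS:
        path = os.path.join(root, *name.split("."))
        try:
            with open(path) as fh:
                out[name] = fh.read().strip()
        except OSError:
            out[name] = None
    return out


def assess_syn_settings(values):
    """Return findings for weak settings; the thresholds are assumptions."""
    findings = []
    if values.get("net.ipv4.tcp_syncookies") == "0":
        findings.append("tcp_syncookies=0: backlog overflow drops new SYNs with no fallback")
    backlog = values.get("net.ipv4.tcp_max_syn_backlog")
    if backlog is not None and int(backlog) < 1024:
        findings.append(f"tcp_max_syn_backlog={backlog}: small half-open table for a busy server")
    retries = values.get("net.ipv4.tcp_synack_retries")
    if retries is not None and int(retries) > 3:
        findings.append(f"tcp_synack_retries={retries}: half-open slots linger for minutes")
    return findings


def parse_netstat_counters(text):
    """Parse the TcpExt header/value line pairs of /proc/net/netstat into a dict."""
    lines = [ln for ln in text.splitlines() if ln.startswith("TcpExt:")]
    counters = {}
    for hdr, vals in zip(lines[0::2], lines[1::2]):
        counters.update(zip(hdr.split()[1:], map(int, vals.split()[1:])))
    return counters


def cookie_activity(counters):
    """Summarise whether the kernel is currently resorting to cookies."""
    sent = counters.get("SyncookiesSent", 0)
    recv = counters.get("SyncookiesRecv", 0)
    failed = counters.get("SyncookiesFailed", 0)
    return {"sent": sent, "completed": recv, "failed": failed,
            "under_pressure": sent > 0,
            "completion_ratio": (recv / sent) if sent else 0.0}


# Constructed sample: a subset of the real TcpExt fields with made-up values
# (a flood in progress: many cookies sent, few handshakes completed).
SAMPLE_NETSTAT = (
    "TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts\n"
    "TcpExt: 40000 1200 17 5\n"
)
SAMPLE_WEAK = {"net.ipv4.tcp_syncookies": "0", "net.ipv4.tcp_max_syn_backlog": "256",
               "net.ipv4.tcp_synack_retries": "5", "net.core.somaxconn": "128"}
SAMPLE_OK = {"net.ipv4.tcp_syncookies": "1", "net.ipv4.tcp_max_syn_backlog": "4096",
             "net.ipv4.tcp_synack_retries": "2", "net.core.somaxconn": "1024"}

if __name__ == "__main__":
    for finding in assess_syn_settings(read_sysctls()):
        print("finding:", finding)
    print(cookie_activity(parse_netstat_counters(SAMPLE_NETSTAT)))
```

A low completion ratio with a large SyncookiesSent count is the signature of a spoofed flood: the cookies go out, but nobody answers them, which costs the host nothing beyond the SYN-ACK bandwidth.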


------------------------------

Message: 2
Date: Sat, 31 Mar 2007 16:21:26 -0400
From: "Mike Barkett" <mbarkett@xxxxxxxxxxxxxxxxx>
Subject: Re: [fw-wiz] OT? New compromise.
To: <firewall-wizards@xxxxxxxxxxxxxxxxxxxxxxx>
Message-ID: <01fb01c773d2$2991b5d0$64c7630a@MAB43p>
Content-Type: text/plain; charset="us-ascii"

Date: Fri, 30 Mar 2007 13:09:58 -0500
From: Frank Knobbe <frank@xxxxxxxxx>
Subject: Re: [fw-wiz] OT? New compromise.
To: Firewall Wizards Security Mailing List
<firewall-wizards@xxxxxxxxxxxxxxxxxxxxx>
Cc: firewall-wizards@xxxxxxxxxxxxxxxxxxxxxxx
Message-ID: <1175278198.40136.36.camel@localhost>
Content-Type: text/plain; charset="us-ascii"

On Thu, 2007-03-29 at 17:12 -0400, Mike Barkett wrote:
On Windows
c:\netstat -an | find /i "listening"

There are tools like openports or the sysinternals set you may

Windows: netstat -aon
Linux: netstat -apn

Of course all these tools only work if the application uses the OS's IP
stack. Any decent rootkitted malware, that puts its own packets on the
wire and sniffs the responses promiscuously, won't show up in those
lists. You can see the packets with tcpdump/sniffers, but won't be able
to correlate them back to an application (unless you do some CPU
utilization sample and correlate that with the observed network traffic,
but you'd need to be able to see the app in the first place, so if it's
hidden by a rootkit, that won't help you either).

Just because nothing shows up in netstat doesn't mean that there isn't
an application promiscuously listening for data to that port.

Regards,
Frank


True, a rootkit is one possible explanation. In this case the traffic has
already been spotted on the network and thus requires explanation at the
host. Therefore, a netstat showing nothing is just as informative as one
that shows something bogus, which is just as informative as one that shows
the actual running application. Every outcome requires further digging
anyway. It is just one more data point that is only as valuable as the
skill level of the security professional analyzing it.

-MAB
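The point both posters make, that traffic already seen on the wire has to be explained at the host whether or not netstat shows a socket for it, can be turned into a routine check. The following is an added example (my code, not either poster's): it parses constructed `netstat -aon` rows in the Windows layout Frank quotes and constructed tcpdump-style lines, and lists every local port that carried traffic but has no owning socket, which is exactly the "netstat shows nothing" data point that needs further digging. Addresses, ports and PIDs are made up; the TCP/UDP guess from the tcpdump text is a simplification.

```python
"""Cross-check flows seen on the wire against the host's socket table.

Added example, not code from the thread. A flow whose local port has no
socket row is 'unattributable' via netstat: possibly a stack-bypassing
rootkit, possibly a socket that closed between captures, but in every
case something the analyst has to explain at the host.
"""
import re

# Windows `netstat -aon`: proto, local, foreign, optional state, PID.
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+"
    r"(?:(LISTENING|ESTABLISHED|SYN_SENT|TIME_WAIT|CLOSE_WAIT)\s+)?(\d+)\s*$"
)
# tcpdump-style "IP a.b.c.d.port > e.f.g.h.port: ..." lines.
TCPDUMP_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)"
)


def parse_netstat_aon(text):
    """Map (proto, local_port) -> (state, pid) for every socket row."""
    sockets = {}
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, _local, port, _remote, state, pid = m.groups()
            sockets[(proto, int(port))] = (state or "", int(pid))
    return sockets


def parse_tcpdump(text, local_ip):
    """Extract (proto, local_port, remote_endpoint) for packets touching local_ip."""
    flows = set()
    for line in text.splitlines():
        m = TCPDUMP_RE.search(line)
        if not m:
            continue
        sip, sport, dip, dport, rest = m.groups()
        proto = "TCP" if "Flags [" in rest else "UDP"  # simplification
        if sip == local_ip:
            flows.add((proto, int(sport), f"{dip}:{dport}"))
        elif dip == local_ip:
            flows.add((proto, int(dport), f"{sip}:{sport}"))
    return flows


def unattributed_flows(flows, sockets):
    """Flows whose local port has no socket row of the same protocol."""
    return sorted(f for f in flows if (f[0], f[1]) not in sockets)


# Constructed sample socket table (Windows netstat -aon layout).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:49201         198.51.100.20:443      ESTABLISHED     2712
  UDP    0.0.0.0:500            *:*                                    1288
"""

# Constructed sample capture; 10.0.0.5 is the host being examined.
SAMPLE_CAPTURE = """
12:00:01.000001 IP 10.0.0.5.49201 > 198.51.100.20.443: Flags [P.], seq 1:90, ack 1, win 513, length 89
12:00:01.500002 IP 10.0.0.5.47112 > 203.0.113.9.80: Flags [S], seq 0, win 8192, length 0
12:00:02.000003 IP 10.0.0.5.53215 > 198.51.100.7.53: 1234+ A? example.com. (29)
12:00:02.250004 IP 192.0.2.77.3920 > 10.0.0.5.445: Flags [S], seq 0, win 65535, length 0
"""

if __name__ == "__main__":
    socks = parse_netstat_aon(SAMPLE_NETSTAT)
    for proto, port, remote in unattributed_flows(parse_tcpdump(SAMPLE_CAPTURE, "10.0.0.5"), socks):
        print(f"no socket for {proto} local port {port} talking to {remote}")
```

Run it against a capture and a netstat taken at the same moment; a port that appears only in the capture is the case Frank describes, and a port that appears in both still only tells you which process the kernel thinks owns it.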



------------------------------

Message: 3
Date: Tue, 03 Apr 2007 14:43:26 -0700
From: Florin Andrei <florin@xxxxxxxxxxxxxxx>
Subject: Re: [fw-wiz] TCP syncookies - firewall or host?
To: Firewall Wizards Security Mailing List
<firewall-wizards@xxxxxxxxxxxxxxxxxxxxx>
Message-ID: <4612CA7E.7060602@xxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Florin Andrei wrote:

This sounds like a job for the firewall, but on the other hand all those
servers are very fast, there's a lot of them, and usually they're mostly
idle. So I'm very tempted to dump that task on the servers.

OTOH, if I let the servers deal with it, wouldn't that fill up resources
on the firewall real quick during an attack? So in that case, syncookies
at the firewall level would be better.

I will do some tests to trigger some issues that might occur in real
life and see how each piece of equipment handles that, but until then
I'd like to get a second opinion, so that's why I'm asking.

--
Florin Andrei

http://florin.myip.org/
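The worry in the message above (and the original question two messages earlier) is really about where the half-open state lives: whichever device tracks embryonic connections is the one whose table fills during a flood, and cookies work precisely because the responder keeps no such table. The following added example (my own code, not the poster's, not the Linux kernel's and not the PIX's implementation) shows a simplified SYN-cookie scheme next to a plain state table and counts how many legitimate handshakes each completes while spoofed SYNs arrive. The cookie layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash) follows the general SYN-cookie idea; the secret, addresses and ports are constructed.

```python
"""Stateless SYN cookies versus a half-open state table, on a toy handshake.

Added example, not from the thread or any vendor. A real implementation
differs in hash choice and bit layout; the point here is the absence of
per-SYN state, not the exact encoding.
"""
import hashlib
import hmac
import struct

MSS_TABLE = (536, 1300, 1440, 1460)  # encodable MSS values; the index fits in 3 bits


def _mac24(secret, src, dst, sport, dport, counter, mss_idx):
    """24-bit keyed hash binding the cookie to the 4-tuple, epoch and MSS."""
    msg = struct.pack("!4s4sHHBB", src, dst, sport, dport, counter & 0x1F, mss_idx)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, src, dst, sport, dport, counter, mss):
    """Encode everything the server needs to finish the handshake into the ISN."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | _mac24(
        secret, src, dst, sport, dport, counter, mss_idx)


def check_cookie(secret, src, dst, sport, dport, isn, now, window=2):
    """Validate the ISN echoed back in the final ACK (ack - 1); return MSS or None."""
    counter = (isn >> 27) & 0x1F
    mss_idx = (isn >> 24) & 0x7
    if (now - counter) % 32 > window:
        return None  # cookie minted in a stale epoch
    if (isn & 0xFFFFFF) != _mac24(secret, src, dst, sport, dport, counter, mss_idx):
        return None  # forged or replayed for a different 4-tuple
    return MSS_TABLE[mss_idx]


class StatefulBacklog:
    """Tracks half-open connections the way a stateful device (host or firewall) does."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.half_open = {}

    def on_syn(self, key):
        if len(self.half_open) >= self.capacity:
            return False  # table full: this SYN is dropped
        self.half_open[key] = True
        return True

    def on_ack(self, key):
        return self.half_open.pop(key, None) is not None


def simulate(flood_syns, legit_syns, capacity):
    """Return (handshakes completed via state table, via cookies) under a flood."""
    secret = b"constructed-secret"
    dst, dport = bytes([10, 0, 0, 5]), 80
    table = StatefulBacklog(capacity)
    # Spoofed flood: sources that never send the final ACK, so slots are never freed.
    for i in range(flood_syns):
        table.on_syn(("198.51.100.%d" % (i % 250), 1024 + i))
    stateful_ok = cookie_ok = 0
    for i in range(legit_syns):
        src, sport = bytes([203, 0, 113, i % 250]), 40000 + i
        if table.on_syn((src, sport)) and table.on_ack((src, sport)):
            stateful_ok += 1
        isn = make_cookie(secret, src, dst, sport, dport, counter=7, mss=1460)
        if check_cookie(secret, src, dst, sport, dport, isn, now=8) == 1460:
            cookie_ok += 1
    return stateful_ok, cookie_ok


if __name__ == "__main__":
    print("flood of 5000 against a 1024-entry table:", simulate(5000, 50, 1024))
    print("no flood:", simulate(0, 50, 1024))
```

The trade-off the cookie side pays is visible in the code: only a coarse MSS survives the round trip, and a stale-epoch window has to be tolerated. What does not appear anywhere is a table keyed by the spoofed sources, which is why the stateful element, wherever it sits, is the one that needs the cookies.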


------------------------------

Message: 4
Date: Tue, 03 Apr 2007 23:01:02 +0000
From: "Steve orca" <klrorca@xxxxxxxxxxx>
Subject: [fw-wiz] Firewall surveyquestion
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
Message-ID: <BAY106-F1818617875AE77BD2C84FCA5670@xxxxxxx>
Content-Type: text/plain; format=flowed

Hey all,

Anybody out there still using, or have seen in use, the Fortinet firewalls?
If so what version?

Thanks!

-Steve




------------------------------

Message: 5
Date: Wed, 04 Apr 2007 16:36:51 +1000
From: Darren Reed <Darren.Reed@xxxxxxx>
Subject: [fw-wiz] Poll: Interested in feedback for layer 2 filtering requirement for Solaris
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxxxx
Message-ID: <024e01c77683$a204ded0$c7579e81@brunette>
Content-Type: text/plain; charset="iso-8859-1"

Dear Wizards,

For many years IPFilter has been playing its part in filtering layer 3 (IP) packets...

Now we're moving down the stack - to layer 2 packets - to provide protection for Xen instances, etc. While I personally have various needs and expectations about what happens with IP packets, I'm unsure about what requirements or expectations are with ethernet packets.

What sort of functionality would you like to see layer 2 filtering on Solaris deliver?
Will/do you need ethernet level "NAT"?
Do you expect to see ethernet rules in ipf.conf?
Do you have non-ethernet networks you want to filter at layer 2?
Do you expect to always use the same ethernet device name with filters for layer 2 packets as for layer 3 packets?
Or other more devious desires?

Feedback welcome.

Thanks,
Darren

------------------------------

Message: 6
Date: Wed, 04 Apr 2007 14:20:05 +0100
From: James Burns <james.burns@xxxxxxxxxxxxxxxx>
Subject: [fw-wiz] Pix 535 - Filtering to VLANs?
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
Message-ID: <4613A605.3090507@xxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="windows-1252"

Just a quick query...

I'm using a pair of Pix 535's in a failover set. Is it possible to match
traffic entering the outside interface, and subsequently put it into a
VLAN on exiting the inside interface?

Thanks in advance,
James

--
James Burns

Network Advisor - Student & Learning Support
University of Sunderland

web: www.sunderland.ac.uk



------------------------------

Message: 7
Date: Wed, 04 Apr 2007 03:50:15 +0000
From: rgolodner@xxxxxxxxxxxxxxxx
Subject: Re: [fw-wiz] Firewall surveyquestion
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@xxxxxxxxxxxxxxxxxxxxxxx>
Message-ID: <W5828212010182311175658615@webmail18>
Content-Type: text/plain; charset="us-ascii"

Jeez, it was long ago, but I really liked it. I think it was a 60 or something close. Nice user interface, reporting tools and load balancing that worked great, as I needed to be multi-homed at the time. VPN worked very well and was easy for road people to connect using the Microsoft VPN connection with XP. If it was my business, I would always use a PIX, and a few more things. I never did any hard-core pen testing, but it was good at keeping internal assets hidden from the public.
My 2cents, Richard

-----Original Message-----
From: Steve orca [mailto:klrorca@xxxxxxxxxxx]
Sent: Tuesday, April 3, 2007 07:01 PM
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] Firewall surveyquestion

Hey all,

Anybody out there still using, or have seen in use, the Fortinet firewalls?
If so what version?

Thanks!

-Steve


_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



------------------------------



End of firewall-wizards Digest, Vol 12, Issue 1
***********************************************




