Re: [fw-wiz] firewall-wizards Digest, Vol 25, Issue 2



I do not know about a Cisco Security Manager clone, but have you looked
PCONSOLE, you can get it free at:
http://www.ka.sara.nl/home/walter//pconsole/

Since your using SSH anyways, your can use pconsole to simultaneously
connect to say 10 ASA's, type what you need to, and submit the changes.
10 is just an arbitrary number, it's a really nice Linux tool. As long
as your comfortable with Linux, this may be a nice way to go. It not
only addresses ASA firewalls, you can use it to connect to switches,
routers, Unix systems, etc. It can save you a lot of time...

Regards,

boni bruno




3. Cisco Security Manager clone? (Mike Davis)
------------------------------

Message: 3
Date: Wed, 30 Apr 2008 11:01:45 -0400
From: Mike Davis <mdavis@xxxxxxx>
Subject: [fw-wiz] Cisco Security Manager clone?
To: "'firewall-wizards@xxxxxxxxxxxxxxxxxxxxx'"
<firewall-wizards@xxxxxxxxxxxxxxxxxxxxx>
Message-ID:

<4009CF9A6B939540A8A8D80C32BF6A963FAB677222@xxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

This is my first posting so be gentle ;-)

I have an environment that is all Cisco based firewalls for my edge
protection and site to site vpns. I have a little over 100 remote sites
running on ASA 5505's with an AES Tunnel to both the primary (HQ) and
secondary (DR ) sites. It is working quite nicely and has been for
years now but the problem I have is this... all my remote site firewalls
are not centrally managed in the sense that I can make one change in a
console and push it globally to all my remote firewalls so that when a
change is required, I have to log into each and every one (I use SSH)
and make the changes.
I know that Cisco Security Manager will allow me to do that but at the
100K pricetag I was quoted from Cisco with the blink of an eye... I just
cannot put that into my budget.

Does anyone know of or can recommend any freeware or low-cost-ware
application that will allow me to monitor and make global config changes
without having to SSH to each one? The ability to segregate into groups
and manage based upon groups would certainly be a plus as well but not a
requirement.

Thanks in advance!

Mike Davis

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20
080430/8bb1803c/attachment-0001.html>

------------------------------

Message: 4
Date: Wed, 30 Apr 2008 15:49:40 -0400
From: "Marcus J. Ranum" <mjr@xxxxxxxxx>
Subject: Re: [fw-wiz] 10Gb Firewalls
To: km4@xxxxxxxxxxxx, Firewall Wizards Security Mailing List
<firewall-wizards@xxxxxxxxxxxxxxxxxxxxx>, Razeor
<razeor@xxxxxxxxx>
Message-ID: <6.2.0.14.2.20080430153229.02a396b8@xxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

Kerry Milestone wrote:
Other than that, I guess the theories for firewalling are the same
whether it be 100Mb or 10Gb - the device just needs to handle it.

Um, no.

If you're letting 10Gb/sec through, there's no way you're doing any
layer-7 analysis. If all you're doing is mostly below layer-7 then
there's not much need for a "firewall" - you're really just using your
firewall to implement something that's hardly more useful than a router
ACL. I'm emphatically not saying router ACLs are bad - far from it - but
you need to understand that most of the interesting action in security,
nowadays, is taking place at layer-7.*

For situations where "wire speed" is necessary, wire is the only
technology that'll cut it. So, what you need to do is identify which
services offer layer-7 security controls that you're comfortable with,
and which can be addressed at layer-4, or whatever other layer.

One useful conceptual framework is the "security stack"** - basically
think of your security problems in detail in terms of where you're going
to apply your controls: at what layer of the stack:

7) Policy
6) Practices
5) Applications
4) Proxies
3) IP Filtering and router ACLs
2) IP Stack Termination
1) Physical and VLAN/MAC filtering

Arguably, there should be a layer 8 entitled "making it someone else's
problem" (i.e.: risk arbitrage or indemnification)

Anyway, let's suppose your problem is that you need to do "wire speed
firewalling" of a web server. You can look at your applications mix and
decide that you'll address security for everything except DNS and
HTTP/SSL at security stack layer-3. Then you'll deal with HTTP/SSL at
security stack layer-5 by locking down the server, chrooting it, and
running on SElinux with restricted privs on your http/ssl daemon. And,
perhaps you'll deal with DNS at security stack layer-6 by having someone
responsible for keeping their ear to the ground for new DNS vulns and
being prepared to react rapidly. That's just an example - I wouldn't
recommend addressing DNS at security stack layer-6, but you get the
idea.
The point is to think about what services are going to bypass straight
into your network (and why) and which are going to force-terminate at an
application. Basically, it's just a doctrine of security design -- and
"design" is what gets left out of security critical systems all too
often. In fact "put a firewall in"
is a security 'design' with vastly less attention to detail than a
well-reasoned pieces/parts implementation where you've looked at each
protocol and decided where in the computer security stack to deal with
it. Last, but not least, you can layer defenses at multiple layers in
the security stack (aka: "defense
in depth") This approach is not a panacea; it's simply an
organizing principle I've found useful when trying to explain "letting
HTTP straight in through your firewall to Microsoft IIS is suicide" to
executives.

Bandwidth is not a property of security. It's a side-effect.

mjr.
(* and above)
(** this brilliant idea is not mine. I've forgotten whose it was, or I'd
credit.)



------------------------------

Message: 5
Date: Wed, 30 Apr 2008 15:52:35 -0400
From: "Marcus J. Ranum" <mjr@xxxxxxxxx>
Subject: Re: [fw-wiz] 10Gb Firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@xxxxxxxxxxxxxxxxxxxxx>
Message-ID: <6.2.0.14.2.20080430155011.02a61a38@xxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

dgorin@xxxxxxxxxxxx wrote:
- Full security come as no traffic flow (look at the Ultimate Firewall

TM of Marcus J. Ranum)

Sorry, I've discontinued that. It's an "Intrusion Prevention System"
now. See:
http://www.ranum.com/security/computer_security/papers/a1-firewall/index
.html
for the petabyte-capable version.

My diesel-powered firewall is here:
http://www.ranum.com/fun/bsu/ultimatefirewall/index.html

mjr.



------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 25, Issue 2
***********************************************


This message has been scanned for malware by SurfControl plc. www.surfcontrol.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



Relevant Pages

  • [REVS] Bypassing Client Application Protection Techniques
    ... Get your security news from a reliable source. ... protection programs. ... * Kerio Personal Firewall 4.0 ... And we got actually nothing in the field of client application ...
    (Securiteam)
  • Re: Recycler security issues on IIS server
    ... > latest upates to the server. ... > like to see the server put behind our firewall, ... other software, install all patches, IISlockdown, URLscan, use the correct ... the procedures you follow may vary depending on your security needs. ...
    (microsoft.public.inetserver.iis.security)
  • Why hasnt Symantec addressed nastier Messenger spoofs
    ... Norton / Symantec has been silent on whether Norton Internet Security ... DSL firewall will stop these kinds of pop-ups. ... major ISPs and broadband systems. ...
    (comp.security.misc)
  • Re:RE : suggestions on a good firewall
    ... Subject: RE: suggestions on a good firewall ... CheckPoint does! ... with a url-filtering server. ... IT Technical Security Officer ...
    (Security-Basics)
  • [NEWS] Cisco ASA Multiple Failover DoS Vulnerabilities
    ... Get your security news from a reliable source. ... and bypass Cisco ASA firewall. ... In an Active/Standby configuration: ... This causes the standby firewall to ARP for the IP address of each active ...
    (Securiteam)