FirewallWizards

[fw-wiz] TCP syncookies - firewall or host?

To: firewall-wizards@listserv.icsalabs.com
Subject: [fw-wiz] TCP syncookies - firewall or host?
From: chris mr <chris.misztur@yahoo.com>
Date: Mon, 9 Apr 2007 06:49:02 -0700 (PDT)
I think any traffic that "bypasses" the firewall and is handled inside a higher security zone could present a problem.  I would let the PIX handle pre-embryonic connections.
 
chris

----- Original Message ----
From: "firewall-wizards-request@listserv.icsalabs.com" <firewall-wizards-request@listserv.icsalabs.com>
To: firewall-wizards@listserv.icsalabs.com
Sent: Wednesday, April 4, 2007 9:34:09 AM
Subject: firewall-wizards Digest, Vol 12, Issue 1


Today's Topics:

   1. TCP syncookies - firewall or host? (Florin Andrei)
   2. Re: OT? New compromise. (Mike Barkett)
   3. Re: TCP syncookies - firewall or host? (Florin Andrei)
   4. Firewall surveyquestion (Steve orca)
   5. Poll: Interested in feedback for layer 2 filtering
      requirement for Solaris (Darren Reed)
   6. Pix 535 - Filtering to VLANs? (James Burns)
   7. Re: Firewall surveyquestion (rgolodner@infratection.com)


----------------------------------------------------------------------

Message: 1
Date: Tue, 03 Apr 2007 13:13:56 -0700
From: Florin Andrei <florin@andrei.myip.org>
Subject: [fw-wiz] TCP syncookies - firewall or host?
To: Firewall Wizards Security Mailing List
    <firewall-wizards@listserv.icsalabs.com>
Message-ID: <4612B584.3040208@andrei.myip.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Speaking about SYN flood - where would you handle it, at the firewall
level, or at the host level?

Practical example:
A PIX-515E running v7.2.2, 128MB RAM
About 16 servers running Red Hat Enterprise 4, 8 GB RAM each, 4 CPU
cores (recent AMD64 CPUs), all of them behind the firewall

syncookies can be enabled either at the firewall level, or at the host
level. Also, all kinds of TCP parameters can be tweaked on the firewall
(intercept and connection limits) but also on the servers via the /proc
filesystem.

This sounds like a job for the firewall, but on the other hand all those
servers are very fast, there's a lot of them, and usually they're mostly
idle. So I'm very tempted to dump that task on the servers.

Pros and cons?

--
Florin Andrei

http://florin.myip.org/


------------------------------

Message: 2
Date: Sat, 31 Mar 2007 16:21:26 -0400
From: "Mike Barkett" <mbarkett@us.checkpoint.com>
Subject: Re: [fw-wiz] OT? New compromise.
To: <firewall-wizards@listserv.cybertrust.com>
Message-ID: <01fb01c773d2$2991b5d0$64c7630a@MAB43p>
Content-Type: text/plain;    charset="us-ascii"

> Date: Fri, 30 Mar 2007 13:09:58 -0500
> From: Frank Knobbe <frank@knobbe.us>
> Subject: Re: [fw-wiz] OT? New compromise.
> To: Firewall Wizards Security Mailing List
>     <firewall-wizards@listserv.icsalabs.com>
> Cc: firewall-wizards@listserv.cybertrust.com
> Message-ID: <1175278198.40136.36.camel@localhost>
> Content-Type: text/plain; charset="us-ascii"
>
> On Thu, 2007-03-29 at 17:12 -0400, Mike Barkett wrote:
> > > > On Windows
> > > > /c:\netstat -an |find /i "listening"/
>
> > > There are tools like openports or the sysinternals set you may
>
> > Windows: netstat -aon
> > Linux: netstat -apn
>
> Of course all these tools only work if the application uses the OS's IP
> stack. Any decent rootkitted malware, that puts its own packets on the
> wire and sniffs the responses promiscuously, won't show up in those
> lists. You can see the packets with tcpdump/sniffers, but won't be able
> to correlate them back to an application (unless you do some CPU
> utilization sample and correlate that with the observed network traffic,
> but you'd need to be able to see the app in the first place, so if it's
> hidden by a rootkit, that won't help you either).
>
> Just because nothing shows up in netstat doesn't mean that there isn't
> an application promiscuously listening for data to that port.
>
> Regards,
> Frank


True, a rootkit is one possible explanation.  In this case the traffic has
already been spotted on the network and thus requires explanation at the
host.  Therefore, a netstat showing nothing is just as informative as one
that shows something bogus, which is just as informative as one that shows
the actual running application.  Every outcome requires further digging
anyway.  It is just one more data point that is only as valuable as the
skill level of the security professional analyzing it.

-MAB



------------------------------

Message: 3
Date: Tue, 03 Apr 2007 14:43:26 -0700
From: Florin Andrei <florin@andrei.myip.org>
Subject: Re: [fw-wiz] TCP syncookies - firewall or host?
To: Firewall Wizards Security Mailing List
    <firewall-wizards@listserv.icsalabs.com>
Message-ID: <4612CA7E.7060602@andrei.myip.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Florin Andrei wrote:
>
> This sounds like a job for the firewall, but on the other hand all those
> servers are very fast, there's a lot of them, and usually they're mostly
> idle. So I'm very tempted to dump that task on the servers.

OTOH, if I let the servers deal with it, wouldn't that fill up resources
on the firewall real quick during an attack? So in that case, syncookies
at the firewall level would be better.

I will do some tests to trigger some issues that might occur in real
life and see how each piece of equipment handles that, but until then
I'd like to get a second opinion, so that's why I'm asking.

--
Florin Andrei

http://florin.myip.org/
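An added illustration, not part of the thread, of what the host side of the trade-off looks like when syncookies are turned on via /proc: a simplified Bernstein-style SYN cookie, with the bit layout, secret and MSS table constructed for the example. It shows why the host keeps no per-SYN state until the third handshake packet arrives, and also what the cookie throws away (any SYN option it has no bits for), which is the cost Florin is weighing against the PIX's embryonic-connection limits.

```python
import hashlib
import hmac
import struct

# Constructed for this example: a real host uses a random per-boot secret.
SECRET = b"constructed-per-boot-secret"
# MSS values that fit a 3-bit field; the cookie rounds the client's MSS down.
MSS_TABLE = (536, 1300, 1440, 1460)
MAX_AGE = 2                      # accept cookies at most two counter ticks old
HASH_MASK = (1 << 24) - 1


def _hash24(four_tuple, t):
    """24-bit keyed hash over (saddr, daddr, sport, dport, counter tick)."""
    saddr, daddr, sport, dport = four_tuple
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(four_tuple, client_isn, mss, t):
    """Server ISN for the SYN-ACK: client ISN + (5-bit tick | 3-bit MSS index | 24-bit hash).

    Nothing about this SYN is stored; the ISN itself is the only state.
    """
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    cookie = ((t & 0x1F) << 27) | (idx << 24) | _hash24(four_tuple, t)
    return (client_isn + cookie) & 0xFFFFFFFF


def check_syn_cookie(four_tuple, client_isn, ack, now):
    """Validate the ACK of the third handshake packet; return the encoded MSS or None."""
    cookie = (ack - 1 - client_isn) & 0xFFFFFFFF
    t_low = cookie >> 27
    # Rebuild the full counter: the most recent tick whose low 5 bits match.
    t = now - ((now - t_low) & 0x1F)
    if now - t > MAX_AGE:
        return None                          # stale cookie: replayed or very slow client
    if (cookie & HASH_MASK) != _hash24(four_tuple, t):
        return None                          # forged, or 4-tuple/secret does not match
    # Only the MSS survives; window scaling, SACK etc. were never recorded.
    return MSS_TABLE[(cookie >> 24) & 0x7]
```

One hash per SYN and one per ACK is the whole per-connection cost on the host, which is why Florin's "mostly idle" servers look attractive; what the cookie cannot do is stop the SYNs from consuming the firewall's connection table on the way in.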


------------------------------

Message: 4
Date: Tue, 03 Apr 2007 23:01:02 +0000
From: "Steve orca" <klrorca@hotmail.com>
Subject: [fw-wiz] Firewall surveyquestion
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <BAY106-F1818617875AE77BD2C84FCA5670@phx.gbl>
Content-Type: text/plain; format=flowed

Hey all,

Anybody out there still using, or have seen in use, the Fortinet firewalls?
If so what version?

Thanks!

-Steve




------------------------------

Message: 5
Date: Wed, 04 Apr 2007 16:36:51 +1000
From: Darren Reed <Darren.Reed@Sun.COM>
Subject: [fw-wiz] Poll: Interested in feedback for layer 2 filtering
    requirement for Solaris
To: firewall-wizards@listserv.cybertrust.com
Message-ID: <024e01c77683$a204ded0$c7579e81@brunette>
Content-Type: text/plain; charset="iso-8859-1"

Dear Wizards,

For many years IPFilter has been playing its part in filtering layer 3 (IP) packets...

Now we're moving down the stack - to layer 2 packets - to provide protection for Xen instances, etc.  While I personally have various needs and expectations about what happens with IP packets, I'm unsure about what requirements or expectations are with ethernet packets.

What sort of functionality would you like to see layer 2 filtering on Solaris deliver?
Will/do you need ethernet level "NAT"?
Do you expect to see ethernet rules in ipf.conf?
Do you have non-ethernet networks you want to filter at layer 2?
Do you expect to always use the same ethernet device name with filters for layer 2 packets as for layer 3 packets?
Or other more devious desires?

Feedback welcome.

Thanks,
Darren

------------------------------

Message: 6
Date: Wed, 04 Apr 2007 14:20:05 +0100
From: James Burns <james.burns@sunderland.ac.uk>
Subject: [fw-wiz] Pix 535 - Filtering to VLANs?
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <4613A605.3090507@sunderland.ac.uk>
Content-Type: text/plain; charset="windows-1252"

Just a quick query...

I'm using a pair of Pix 535's in a failover set. Is it possible to match
traffic entering the outside interface, and subsequently put it into a
VLAN on exiting the inside interface?

Thanks in advance,
James

--
James Burns

Network Advisor - Student & Learning Support
University of Sunderland

web: www.sunderland.ac.uk



------------------------------

Message: 7
Date: Wed, 04 Apr 2007 03:50:15 +0000
From: rgolodner@infratection.com
Subject: Re: [fw-wiz] Firewall surveyquestion
To: "Firewall Wizards Security Mailing List"
    <firewall-wizards@listserv.cybertrust.com>
Message-ID: <W5828212010182311175658615@webmail18>
Content-Type: text/plain; charset="us-ascii"

Jeez, it was long ago, but I really liked it. I think it was a 60 or something close. Nice user interface, reporting tools and load balancing that worked great, as I needed to be multi-homed at the time. VPN worked very well and was easy for road people to connect using the Microsoft VPN connection with XP. If it was my business, I would always use a PIX, and a few more things. I never did any hard core pen testing, but it was good at keeping internal assets hidden from the public.
My 2cents, Richard


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 12, Issue 1
***********************************************


