January 19, 2014

Checking my connection table...











On my ASA in the office I use Cisco ASDM (Adaptive Security Device Manager) on an ASA 5500 to implement a screening policy for my office network.


An ASDM Connection table
When I check ASDM and the ASA I always look at the connection table. That tells me what traffic is being permitted through the firewall.  In the screen capture above I looked at the destination IP addresses.  Immediately one connection jumps out; 1 MB of traffic between one of my computers and a 74.125.x.x address.  It turns out I walked away from the computer while logged into a service at Google and that IP traces back to there.

February 18, 2009

Trend ProtectLink for Routers & SECaaS

Many outlets (Reuters, PC World, TweakTown, etc,...) are reporting that Trend is going to e developing and selling Security as a Service (SECaaS?) via it's ProtectLink Protect Gateway offering. I found the best description of the offer at the Cisco site. With this new software on your Internet router Trend will be able to push updates whenever they become available. Is this a great thing? In my opinion potentially yes! It's a great thing because most everyone I know NEVER looks at the software on their Internet gateway device unless it's broken.

If the software offered by Trend is stable (and I have to think that Linksys is going to make sure that it is) and the Linksys hardware has enough processing power to find and knock down threats (that's a whole other story) then this will be tremendously helpful for many Internet connected; Internet reliant businesses. And I said BUSINESSES because no matter what the start up costs this IS NOT going t be cheap. What about shared Internet settings (community centers, public wifi hotspots, etc,...)? Any kind of Firewalling or filtering in a public setting is not easy to explain to users. If you block one person from downloading a "funny picture" (no matter the malware behind it) you create the potential for a Constitutionally guaranteed (at least in the eyes of the blocked party) infringement event.

This should be interesting.

August 18, 2008

Telnet is still the most wide-open port

News out of DefCon earlier this month that Telnet is still the most wide open port that Fyodor and the folks at the NMAP Project found when scanning the Internet. The rest of the list shouldn't be a big surprise: HTTP, HTTPS, and SSH.

August 08, 2008

SourceForge Project: FWBuilder

If you have requirements to convert Linux Firewall rules over to the PIX, ASA, or IOS you probably want to look at the SourceForge (open source) project Firewall Builder. From the project summary "Object-oriented GUI and set of compilers for various firewall platforms. Currently implemented compilers for iptables, ipfilter, OpenBSD pf, ipfw, Cisco PIX firewall and routers access lists.". At the FW Builder do org site they added: "Firewall Builder uses object-oriented approach, it helps administrator maintain a database of network objects and allows policy editing using simple drag-and-drop operations.". Sounds pretty interesting. Version 3.0 beta was announced on July 15th.

Labels: , , ,

August 06, 2008

BlackHat 2008 News...

It's Wednesday evening here in New York and so far the news from the Black Hat conference in Las Vegas has been... well, quiet. TGDaily said this and CNet puts it all in a portal here.

August 05, 2008

Check Everything...

OK. Here is a really good post from Firewall-Wizards mail list.

The question:

I'm having some issues with FTP traffic through our Cisco PIX 515E.

Our corporate FTP server is located outside the firewall, and we recently upgraded the FTP server software. This resulted a noticeable increase in the speed uploading files to the server (5 MB/s+). However when attempts were made to download files from the server speeds average about 300 KB/s, rapidly fluctuating between 30KB/s and 600 KB/s. Downloading the same file to a server outside our firewall resulted in speeds of about 6MB/s.

Looking at the firewall: the default inspection scheme is enabled, and the FTP inspection is turned on. The FTP server requires active transfer mode, and everything works, albeit slowly. After turning off FTP inspection connections to the FTP server did not work until enabling passive mode, but that didn't change the speeds at all.

I should probably also mention that the PIX is not doing any NAT. All the workstations and servers here have Internet routable IP addresses (206.75.x.x).

Any suggestions?

A really good answer:

Many years ago we had a similar problem. Traffic moving one way (I forget if it was uploads or downloads) After weeks of troubleshooting, I inspected and replaced the network cable. Turns out one wire wasn't making complete contact and the slow speed was actually the result of retransmitting bad packets.

Recently we had a similar problem with traffic in both directions. Completely random. We replaced the firewall, server, etc. We were running a wireless T1. The internet provider insisted that the connection tested fine. Throughout the spring the problem became worse until one (windy) day last week when our connection became unusable. The internet provider came out and discovered trees had grown about 1/2 mile away in the path of the wireless tower. Over the spring the leaves grew in and on windy days caused havoc on the TCP transmissions.

Both incidents taught me never to rule out the lower layers when it comes to networking.

We used packet captures in both cases during the troubleshooting process.

The Firewall Wizards Archive.

August 04, 2008

Cisco PIX End of Sale Announcement

As of July 28, 2008, Cisco PIX Security Appliance platforms/bundles are no longer being sold. Customers can still purchase accessories and licenses until January 27, 2009. It is important to note that Cisco will continue to support Cisco PIX Security Appliance customers through July 27, 2013. Follow this link to the announcement on the Cisco web site.

For a Q&A regarding the End of Sale see: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/qa_eos_for_sale_for_cisco_pix_products_customer.html

Any questions about PIX End of Sale? Post your questions to the PIX Firewall Group at Yahoo! here.

December 22, 2007

My New Firewall...

I've been quiet for several months now. I have actually been writing but not posting. The big reason for the silence is that I've been slowly converting my own Firewall from a PIX 501 over to an ASA 5505. While that may not seem much of a leap to many readers I decided to look at the transition from several points of view; converting from the 501 automagically and starting from scratch. I also upgraded my Internet service from a single DHCP from a cable modem to a higher bandwidth cable connection that provides 5 fixed IP addresses. I look forward to sharing this experience with interested readers over the next weeks and months.