May 20, 2007

Filtering ICMP in IPv6

See RFC 4890 titled "Recommendations for Filtering ICMPv6 Messages in Firewalls".
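As an added example (not part of the original post), the RFC's categories turned into a small policy function: error messages that must not be dropped (Packet Too Big in particular, or Path MTU discovery breaks), echo traffic that is normally permitted, and the link-local Neighbor Discovery and MLD types that are only valid when addressed to the firewall itself and never when forwarded. The packet summary class, the `transit` flag and the ACCEPT/DROP verdicts are constructed for the example; the type numbers are the IANA ICMPv6 assignments the RFC refers to.

```python
# Added example: an RFC 4890-style ICMPv6 filter decision. Not the RFC's text,
# just its recommendations (as read by the editor) expressed as code.
from dataclasses import dataclass

# ICMPv6 type numbers (IANA) referenced by RFC 4890.
DEST_UNREACH, PKT_TOO_BIG, TIME_EXCEEDED, PARAM_PROBLEM = 1, 2, 3, 4
ECHO_REQUEST, ECHO_REPLY = 128, 129
MLD_TYPES = {130, 131, 132, 143}        # MLD query/report/done, MLDv2 report
ND_TYPES = {133, 134, 135, 136, 137}    # RS, RA, NS, NA, Redirect
NODE_INFO = {139, 140}                  # Node Information query/reply


@dataclass
class Icmp6Packet:            # constructed summary of what a firewall sees
    type: int
    code: int
    hop_limit: int
    transit: bool             # True: forwarded through the box; False: to/from it


def icmpv6_verdict(p: Icmp6Packet) -> str:
    """Return 'ACCEPT' or 'DROP' following RFC 4890's transit/local categories."""
    # Error messages that must not be dropped: blocking type 2 silently breaks
    # Path MTU discovery for every IPv6 flow behind the firewall.
    if p.type in (DEST_UNREACH, PKT_TOO_BIG):
        return "ACCEPT"
    if p.type == TIME_EXCEEDED and p.code in (0, 1):      # hop limit / reassembly
        return "ACCEPT"
    if p.type == PARAM_PROBLEM and p.code in (0, 1, 2):   # bad header / option
        return "ACCEPT"
    # Echo is normally permitted; rate-limit it in the firewall, don't drop it.
    if p.type in (ECHO_REQUEST, ECHO_REPLY):
        return "ACCEPT"
    # Neighbor Discovery is link-local: genuine messages carry hop limit 255
    # (RFC 4861) and are never forwarded, so anything else is spoofed or misrouted.
    if p.type in ND_TYPES:
        return "ACCEPT" if (not p.transit and p.hop_limit == 255) else "DROP"
    # MLD is likewise link-local, sent with hop limit 1 (RFC 2710 / RFC 3810).
    if p.type in MLD_TYPES:
        return "ACCEPT" if (not p.transit and p.hop_limit == 1) else "DROP"
    # Node Information, Router Renumbering, unallocated and experimental types:
    # drop unless there is a specific, documented need.
    return "DROP"


if __name__ == "__main__":
    samples = [Icmp6Packet(PKT_TOO_BIG, 0, 64, True),   # ACCEPT: PMTUD must work
               Icmp6Packet(134, 0, 255, True),         # DROP: RA must not transit
               Icmp6Packet(135, 0, 64, False)]         # DROP: NS with bad hop limit
    for s in samples:
        print(s, "->", icmpv6_verdict(s))
```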

November 25, 2006

The Great Firewall of Canada?

I saw this interesting post this morning (courtesy of digg). It seems that a group of (the majority of) Canadian ISPs have agreed to implement a "Clean Feed" type content filtering solution that would inspect and filter traffic coming to and from their customers. The objective of the Canadian project seems to be completely legit, in that these ISPs are trying to protect their customers from content that the government would otherwise find illegal. The target here, as I read it, is to filter kiddie porn and other such badness.

Things to look at to learn more about Clean Feeds include cybertip.ca, the Internet Watch Foundation in the UK, and the Censorware Project.

Technical note: This content filtering technology used to be something that could be enabled on a Firewall. I recently learned that security feature images on some routers now (or soon will) have similar capabilities.

November 10, 2006

I'm Down

It has been and will be quiet here for a little while while my body undergoes some surgically assisted repairs.

September 28, 2006

modsecurity & Web Application Firewalls

Browsing the security news the other day I noticed that Thinking Stone, the commercial company behind the otherwise open source web application Firewall modsecurity, has been acquired (by Breach Security).

If I got it right this guy (Ivan Ristic) has created just about the perfect answer to the "how do I defend my web servers" problem. modsecurity is an "intrusion detection and prevention" system for web apps that can easily be deployed (with its own Apache server).

He also has a great answer to yet another problem: how do I check what's going on in an SSL tunnel? Given that modsecurity deploys on Apache, the external clients' SSL sessions terminate on the modsecurity box. Very neat.

I think the only objection one could throw in front of modsecurity is the inevitable "does it scale?" It looks like it has a nice GUI and the web site shows some good reports. Seems like if you deploy this and run into a performance barrier you would need to add additional modsecurity servers, scaling them like additional web servers. It would be interesting to find out whether the management and reporting scale as well.

August 27, 2006

PIX unintentional Password Mod Vulnerability

Earlier this week Cisco posted a security advisory regarding a vulnerability in the PIX Firewall. The short of it is that if you store passwords locally and change the configuration there is a chance that the passwords will not be written to flash memory correctly. The outcome is that you will be locked out of your PIX.

The vulnerability affects all PIX running version v7 code [up to and including v7.0(5) and v7.1 up to and including v7.1(2.4)]. If you are running v6 PIX OS you are fine. If you are running an ASA appliance you are running v7 code. This also impacts the v3.1(x or any) train of the Firewall Service Module. If you are using RADIUS or TACACS+ and have configured your PIX for remote authentication (usernames and passwords are defined on the AAA or ACS server) it looks like you are OK also.

The data affected is the passwords stored by either the passwd, username, or enable password commands. This data can be corrupted during a crash or if two users are trying to change the configuration using any management console (CLI, ASDM, PDM) at the same time. The trigger is when you save the password (write memory or equivalent). Apparently this bug writes some other, non-random value into flash memory.

So if you were already really smart and using RADIUS or TACACS+ and an ACS server you are OK. Otherwise you may need to plan for some network down time and to re-read the PIX password recovery procedure.

My take on this is that there is very little room for an attacker to exploit this vulnerability. This is the type of problem that causes the Firewall Admin to hurt themselves by corrupting the locally stored password through normal use or maintenance.

August 05, 2006

Great Port List Reference

I saw this list of TCP and UDP port numbers (from Wikipedia) up on digg this afternoon. Good stuff with good references.

July 31, 2006

The Surf At Work Page...

Just when I was starting to think that there was nothing good on digg anymore I came across this post about "How to Bypass Firewall Restrictions A.K.A. The Surf At Work Page". This is great stuff. The point of this paper is to explain the use of encrypted tunneling as a means of getting through a Firewall or filtered environment. The paper was originally written in 2002 and last updated in March of 2006, but the principles that are put forward here are all correct and still work. All Firewall Admins should read this paper. This is the type of stuff that can get through your Firewalls and filters.

July 04, 2006

Breaking the Great Firewall of China?

CNet dot com reports that a group of computer experts have broken the Firewalls used by the Chinese government to restrict IP traffic going in and out of the country. Interestingly enough the attack is launched from the outside. To their additional credit the team from the University of Cambridge reported their findings to the Chinese Computer Emergency Response Team.