August 06, 2008

BlackHat 2008 News...

It's Wednesday evening here in New York and so far the news from the Black Hat conference in Las Vegas has been... well, quiet. TGDaily said this and CNet puts it all in a portal here.

August 05, 2008

Check Everything...

OK. Here is a really good post from the Firewall-Wizards mailing list.

The question:

I'm having some issues with FTP traffic through our Cisco PIX 515E.

Our corporate FTP server is located outside the firewall, and we recently upgraded the FTP server software. This resulted in a noticeable increase in the speed of uploading files to the server (5 MB/s+). However, when attempts were made to download files from the server, speeds averaged about 300 KB/s, rapidly fluctuating between 30 KB/s and 600 KB/s. Downloading the same file to a server outside our firewall resulted in speeds of about 6 MB/s.

Looking at the firewall: the default inspection scheme is enabled, and the FTP inspection is turned on. The FTP server requires active transfer mode, and everything works, albeit slowly. After turning off FTP inspection, connections to the FTP server did not work until enabling passive mode, but that didn't change the speeds at all.

I should probably also mention that the PIX is not doing any NAT. All the workstations and servers here have Internet routable IP addresses (206.75.x.x).

Any suggestions?

A really good answer:

Many years ago we had a similar problem. Traffic moving one way (I forget if it was uploads or downloads) was slow. After weeks of troubleshooting, I inspected and replaced the network cable. Turns out one wire wasn't making complete contact and the slow speed was actually the result of retransmitting bad packets.

Recently we had a similar problem with traffic in both directions. Completely random. We replaced the firewall, server, etc. We were running a wireless T1. The internet provider insisted that the connection tested fine. Throughout the spring the problem became worse until one (windy) day last week when our connection became unusable. The internet provider came out and discovered trees had grown about 1/2 mile away in the path of the wireless tower. Over the spring the leaves grew in and on windy days caused havoc on the TCP transmissions.

Both incidents taught me never to rule out the lower layers when it comes to networking.

We used packet captures in both cases during the troubleshooting process.

The Firewall Wizards Archive.
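The answer's point is that a packet capture makes lower-layer trouble visible as TCP retransmissions. The following is an added example (not from the mailing list thread) that applies the usual retransmission heuristic to a constructed, one-directional list of data segments: any segment whose sequence number falls below the highest byte already sent is counted as a retransmission, and goodput is compared with the raw on-wire rate.

```python
"""Spot lower-layer trouble in a capture: count TCP retransmissions.

Input is a list of (timestamp_seconds, seq, payload_len) tuples for ONE
direction of a transfer, as exported from a packet capture. A data segment
whose seq is below the highest sequence number already seen is treated as a
retransmission (the same heuristic most analyzers use; genuine out-of-order
delivery is flagged too, so treat the ratio as a lead, not a verdict).
"""

# Constructed sample: a 1460-byte MSS transfer where two segments are
# re-sent, the pattern a bad cable or a lossy link produces.
SAMPLE_SEGMENTS = [
    (0.000, 1, 1460),
    (0.010, 1461, 1460),
    (0.020, 2921, 1460),
    (0.230, 1461, 1460),   # retransmission of seq 1461 after a timeout
    (0.240, 4381, 1460),
    (0.250, 5841, 1460),
    (0.460, 4381, 1460),   # retransmission of seq 4381
    (0.470, 7301, 1460),
    (0.480, 8761, 1460),
    (0.490, 10221, 1460),
]


def analyse_direction(segments):
    """Return retransmission count and ratio, goodput and wire rate (B/s)."""
    highest_end = 0          # highest (seq + len) seen so far
    retrans = new_bytes = wire_bytes = 0
    data_segments = [s for s in segments if s[2] > 0]   # skip pure ACKs
    for _ts, seq, length in data_segments:
        wire_bytes += length
        if seq < highest_end:
            retrans += 1     # already-covered sequence space: a resend
        else:
            new_bytes += length
            highest_end = seq + length
    duration = data_segments[-1][0] - data_segments[0][0] if len(data_segments) > 1 else 0.0
    return {
        "segments": len(data_segments),
        "retransmissions": retrans,
        "retrans_ratio": retrans / len(data_segments) if data_segments else 0.0,
        "goodput_bps": new_bytes / duration if duration else 0.0,
        "wire_bps": wire_bytes / duration if duration else 0.0,
    }


def lower_layer_suspect(stats, max_ratio=0.01):
    """True when more than max_ratio of data segments were resent."""
    return stats["retrans_ratio"] > max_ratio
```

A retransmission ratio well above one percent on a link that "tests fine" is the cue to look at cabling and the physical path before the firewall configuration.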

August 04, 2008

Cisco PIX End of Sale Announcement

As of July 28, 2008, Cisco PIX Security Appliance platforms/bundles are no longer being sold. Customers can still purchase accessories and licenses until January 27, 2009. It is important to note that Cisco will continue to support Cisco PIX Security Appliance customers through July 27, 2013. Follow this link to the announcement on the Cisco web site.

For a Q&A regarding the End of Sale see: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/qa_eos_for_sale_for_cisco_pix_products_customer.html

Any questions about PIX End of Sale? Post your questions to the PIX Firewall Group at Yahoo! here.

December 22, 2007

My New Firewall...

I've been quiet for several months now. I have actually been writing but not posting. The big reason for the silence is that I've been slowly converting my own firewall from a PIX 501 over to an ASA 5505. While that may not seem much of a leap to many readers, I decided to look at the transition from several points of view: converting from the 501 automagically, and starting from scratch. I also upgraded my Internet service from a single DHCP address on a cable modem to a higher-bandwidth cable connection that provides 5 fixed IP addresses. I look forward to sharing this experience with interested readers over the next weeks and months.

May 28, 2007

More STUN & ICE

The Eyeball Firewall product has apparently implemented STUN and ICE. They have a good explanation of the technology here.

May 23, 2007

Security Metrics dot org

If you have been to the RSA conference over the past couple of years you may have heard of a speaker named Andrew Jaquith from the Yankee Group (and prior to that one of the founders at security firm @stake). Andrew did a great presentation back at RSA 2005 about security vendors' claims. It was a great presentation (luckily my company was not included). Andrew has been busy working on this Security Metrics dot org site and a conference called MetriCon.

May 22, 2007

Google Online Security Blog

The folks over at Google just launched an online security blog.

"Online security is an important topic for Google, our users, and anyone who uses the Internet. The related issues are complex and dynamic and we've been looking for a way to foster discussion on the topic and keep users informed. Thus, we've started this blog where we hope to periodically provide updates on recent trends, interesting findings, and efforts related to online security. Among the issues we'll tackle is malware, which is the subject of our inaugural post."


Home Firewall: Opening ports for XBox to PC communications

From XBox help and support: Xbox 360: Firewall ports that you must open when you connect an Xbox 360 console to a Windows Media Center-based computer. These rules are applied on a local (home) router between the XBox and the PC.

A separate article covers the firewall rules that need to be modified on the Windows Media PC itself (assumes ICF or another PC-based firewall).