Firewall Wizards

Draft paper submission deadline is extended: ISP-10

Fri, 05 Feb 2010 16:08:18 GMT

Posted by James Heralds on Feb 05

Draft paper submission deadline is extended: ISP-10

The 2010 International Conference on Information Security and Privacy
(ISP-10) (website:
http://www.PromoteResearch.org<http://www.promoteresearch.org/>)
will be held during 12-14 of July 2010 in Orlando, FL, USA. ISP is an
important event in the areas of information security, privacy, cryptography
and related topics.

The conference will be held at the same time and location where...

Hackito Ergo Sum 2010 - Call For Paper - HES2010 CFP

Thu, 04 Feb 2010 17:37:20 GMT

Posted by endrazine on Feb 04

Hackito Ergo Sum 2010 - Call For Paper - HES2010 CFP
http://hackitoergosum.org

Hackito Ergo Sum conference will be held from April 8th to 10th 2010 in
Paris, France.
It is part of the series of conference "Hacker Space Fest" taking place
since 2008 in France and all over Europe.

HES2010 will focus on hardcore computer security, insecurity,
vulnerability analysis, reverse engineering, research and hacking.

INTRO
The goal of this...

Re: Is it possible to control access between clients on same LAN with a firewall?

Thu, 28 Jan 2010 10:55:44 GMT

Posted by pkc_mls on Jan 28

William Fitzgerald a écrit :

this is exactly the point.
there are some firewalls that can do layer2 filtering. (bridge mode,
transparent mode, layer2).

this is another option, but you can have some difficulties to find a
local firewall
on a printer.

you should check in the dd-wrt doc or ask the dd-wrt mailing list if it
can be configured with bridge interface
on the LAN.

Re: Is it possible to control access between clients on same LAN with a firewall?

Wed, 27 Jan 2010 16:02:12 GMT

Posted by Paul D. Robertson on Jan 27

I'm going to give you the non-firewall, imperfect but quick and easy
solution because with my quick reading of the postings I've approved, I
didn't see anyone suggest it yet- and it works no matter what you're using
as a router, assuming that it operations normally, and someone hasn't been
too clever in making it work...

Supernet the router, so use something like say 10.10.0.0/255.255.0.0 as
the "internal" network on the router....

Re: Is it possible to control access between clients on same LAN with a firewall?

Wed, 27 Jan 2010 16:01:02 GMT

Posted by William Fitzgerald on Jan 27

Hi everyone,

Thanks for the constructive feedback.

I'll read into the proposed areas such as private vlans and the possible
configurations of vlans within dd-wrt.

I now know what some of the terminology used is (private vlan etc) in
order to hone in on the correct types of documentation to read.

kind regards,
Will.

PS: This reply may not get to you for some time, as I seem to need
moderator approval to post to the list.

Pete.LeMay wrote:

Re: Is it possible to control access between clients on same LAN with a firewall?

Wed, 27 Jan 2010 15:46:06 GMT

Posted by Will Brickles on Jan 27

Using DD-WRT, what comes to mind immediately is to put your devices into separate VLANs and then use iptables to
restrict traffic between the VLANs. I don't know how flexible DD-WRT is when it comes to VLANs, but it might be your
best bet on such a platform. A configuration guide for VLANs I came across is at
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=1160 - it sounds as if you are already familiar with iptables.

Using other (much more...

Re: Is it possible to control access between clients on same LAN with a firewall?

Wed, 27 Jan 2010 15:42:02 GMT

Posted by K K on Jan 27

Yes.
The most transparent (to the host) technique is what Cisco calls
"private VLAN", see:
http://en.wikipedia.org/wiki/Private_VLAN

There are other approaches to get the same results, all require either
a firewall with lots of interfaces (real or virtual) or a very smart
switch.

Kevin

Re: Is it possible to control access between clients on same LAN with a firewall?

Wed, 27 Jan 2010 05:25:56 GMT

Posted by Paul Melson on Jan 26

With DD-WRT you can assign a different VLAN to each interface of the
router and then use iptables rules to manage traffic between devices.
This requires either a high degree of customization of your router or
the use of static IP addressing on some of the VLANs. Which for a
home network may not be so bad. Keep in mind that if you uplink other
switches to the router that the firewall cannot protect two devices
connected to that switch from each...

Re: Is it possible to control access between clients on same LAN with a firewall?

Wed, 27 Jan 2010 05:24:55 GMT

Posted by Mark on Jan 26

Will:

The issue here is that computers on the same LAN do not forward packets to
the default gateway (your firewall), but use ARP and layer 2 to communicate.
The firewall never even pays attention to this traffic. The fact that the
firewall and switch are occupying the same physical device (your WRT54G)
makes no nevermind (as we say in the south). Even if you could make your
firewall filter the traffic, in essence you would be creating a...

Re: Is it possible to control access between clients on same LAN with a firewall?

Wed, 27 Jan 2010 05:23:55 GMT

Posted by Eric Gearhart on Jan 26

You sound like you might already know this, but I may as well
summarize it for the audience. Normally in "production networks" you
separate different servers on a network based on their purpose... for
example, application servers go into an "application VLAN," database
servers go into a "database VLAN," and publicly accessible servers go
in their own separate DMZ (preferably they also hang off their own
separate...

Re: Is it possible to control access between clients on same LAN with a firewall?

Wed, 27 Jan 2010 05:22:53 GMT

Posted by arvind doraiswamy on Jan 26

VLAN's on L3 switches is what instantly springs to mind. Alternatively
as you suggest ACL's on the L3 switch itself between all the machines
on that switch is another option.

How about something like this though? Say the LAN is 192.168.0.0/24.
The machines all have their gateway set to 192.168.3.1(switch). Don't
have any routes on the switch apart from a default one pointing to the
firewall which can be on another network (172.16.3.1) - one port...

Is it possible to control access between clients on same LAN with a firewall?

Tue, 26 Jan 2010 05:42:18 GMT

Posted by William Fitzgerald on Jan 25

Dear all,

I was just wondering how people control access amongst machines on the
same subnet (LAN) that are protected by the same firewall.

In my case, the firewall is a home router (WRT54G) running DD-WRT, so
iptables is the firewall there.

Presumably as with all firewalls, once a packet is not being sent to the
firewall itself or forwarded through the firewall towards another
network, the firewall will not protect machines behind the...

Re: Juniper NSM and secure log forwarding

Wed, 20 Jan 2010 18:12:59 GMT

Posted by Trey Darley on Jan 20

Thanks, Jon. I'll just pipe it via stunnel.

Cheers,
--Trey

Re: Juniper NSM and secure log forwarding

Wed, 20 Jan 2010 18:11:50 GMT

Posted by Jon on Jan 20

Trey,

There is no built-in function in NSM to send encrypted syslog. You would
need to either write it to a file locally and use a 3rd party method to
syslog it, or use a VPN tunnel between the two servers. As you know, NSM is
running on Linux or Solaris, so either of the above should be possible.

Regards,
Jon

Re: Juniper NSM and secure log forwarding

Wed, 20 Jan 2010 00:50:30 GMT

Posted by Trey Darley on Jan 19

Hi, Jon -

Thanks for the response. I see that I wasn't entirely clear. I was aware
that incoming logs from managed devices enter NSM via the encrypted SSP.
Also, clearly I was misinformed about the role that postgreSQL plays in
NSM internals.

It's this bit I'm wondering about. What if I want to export firewall
logs via encrypted syslog. Is there a Juniper knowledgebase article I
missed somewhere along the way or do I need to roll my own...