Firewall Wizards

Re: secure firewall rule management program

Thu, 05 Nov 2009 22:57:53 GMT

Posted by Morty Abzug on Nov 05

Thanks! We're looking both at Tufin (mentioned by Rainer Ginsberg)
and at Algosec (mentioned by one of our managers and by Rainer). The
current versions of both products fail to meet several of our
dealbreaking requirements. Both products are relatively new. We're
hopeful that a future version of one or both products will be what we
want.

- Morty

Re: secure firewall rule management program

Thu, 05 Nov 2009 22:56:50 GMT

Posted by Matthias Leu on Nov 05

Hi Morty,
have you had a look at Tufin SecureTrack and SecureChange Workflow?
It's not free, but quite good and I think your requirements are fulfilled.

It runs on Linux and is written by security professionals.
SecureTrack is connected to Check Point SmartCenter or MDS/CMA via
OPSEC, other vendors are supported too (e.g. Juniper, Cisco,
Fortinet,...).
Each 'save' gives a new revision, no 'install' necessary. So reports,
and above all, alerts...

OT, sorta: Breaking pipes?

Thu, 05 Nov 2009 22:55:33 GMT

Posted by Kurt Buff on Nov 05

All,

At $WORK I admin a nice Sidewinder. Works well. I like it, though I'm
not as fully trained on it as I'd like to be.

However, I'm seeing more complaints from end-users who are
encountering web sites that issue URLs with the pipe/vertical bar -
"|" - character embedded in them. The Sidewinder proxy denies it, as
is proper. The latest occurrence is a really stupid State government
web site that actually puts the pipe character at...

Re: secure firewall rule management program

Sun, 25 Oct 2009 22:10:43 GMT

Posted by Avishai Wool on Oct 25

Mordechai,

AlgoSec FireFlow does pretty much exactly what you need.
It is definitely topology aware and can tell you which firewalls
you should modify to meet a change request.
It has rule expiration built in.
Supports Check Point, Cisco, Juniper, Fortinet.

http://www.algosec.com

Avishai

disclaimer: I'm AlgoSec CTO & Co-Founder so I'm biased.

Re: Palo Alto Networks

Wed, 14 Oct 2009 13:46:38 GMT

Posted by Cassell, Damon Z. on Oct 14

Palo Alto does have central management by using an additional product called Panorama.

http://www.paloaltonetworks.com/products/panorama.html

One observation on the topic of management; the Palo Alto logging scheme seemed clunky, especially with a lot of
logging enabled. If you are a frequent user of, say, Check Point SmartView Tracker then you might be annoyed with a
web-based viewer and have some trouble with the query capabilities. Maybe...

Re: Palo Alto Networks

Tue, 13 Oct 2009 21:49:39 GMT

Posted by Paul Hutchings on Oct 13

Thanks all.

Frank, We would only be looking at one unit so management shouldn't
be an issue. You mentioned "home grown apps" and giving them a
definition, this will hopefully all be clear once I have a units GUI
in front of me, but presumably if you need/want it to the PA boxes
can also act as dumb stateful firewalls i.e. "Simply allow port XYZ
from X to Y"?

Arkanoid, I've learned not to trust the marketing hence...

Re: Slow FTP transfers

Tue, 13 Oct 2009 21:48:18 GMT

Posted by sky on Oct 13

Hi Chris,

There are no tracking module(s) that I know of. These servers are
located behind FWSM.

I haven't tried different server but active mode seems to cause
intermittent problem whereas passive mode seems to be the work around.

regards,
sky

Chris Smith wrote:

Re: Palo Alto Networks

Fri, 09 Oct 2009 13:54:15 GMT

Posted by ArkanoiD on Oct 09

Ah, and it does SSL MITM as well. I do not have any hands-on experience, though.

(going to publish a whitepaper on "benevolent" SSL MITM proxy soon which fixes several
SSL security problems ;-)

Re: Palo Alto Networks

Fri, 09 Oct 2009 13:52:46 GMT

Posted by ArkanoiD on Oct 09

The idea itself is quite good for some cases (do not rely on port numbers, use
traffic signatures *instead*). Though it sounds much as "giving up application control" ;-)

The marketing bullshit is awful, though. There is a dozen whitepapers with amazingly little
useful technology details but too many buzzwords about "next generation".

Despite that, it seems to be quite decent product with (still DPI-driven) L7 inspection,...

Re: Palo Alto Networks

Fri, 09 Oct 2009 13:51:30 GMT

Posted by Paul Hutchings on Oct 09

Fair question. At present we have an application aware firewall,
technically it is a proxy but it doesn't cache/we have no need to
cache. Of course whilst it's smart enough to know whether what's
passing through it is valid/rfc compliant http/ftp/https and so on,
it has no idea if it's Skype, MSN Messenger, Webex and so on. That's
the key area that I'm interested in, combined with the integrated
spyware/malware/virus filtering.

As...

Re: Palo Alto Networks

Fri, 09 Oct 2009 13:50:17 GMT

Posted by Francois Yang on Oct 09

I've worked with them before and they're pretty good.
easy setup and maintenance, good integration with Active Directory,
good application detection engine.
Over all it's a good product, but you have to test it in your own
environment to see if it fits.
here are the draw backs that I can remember. all firewalls have some
kind of issues.
here are the issues I see and maybe they have been fixed by now. I
don't know it's been a while.
I remember it...

Palo Alto Networks

Thu, 08 Oct 2009 18:17:45 GMT

Posted by Paul Hutchings on Oct 08

Getting one of their boxes on eval for a couple of weeks. Quite a
broad and generic question I know, but does anyone have any experience
(s) they wish to share?

Cheers,
Paul

Re: asa 5505 vpn ipsec l2l problem

Thu, 08 Oct 2009 18:16:33 GMT

Posted by craig . wilson on Oct 08

If you have tunnel interfaces setup on each end can you ping those addresses? They should work even if your not
passing anything into the tunnel.

Sent from my BlackBerry® wireless device

-----Original Message-----
From: Eric Gearhart <eric () nixwizard net>
Date: Mon, 5 Oct 2009 21:45:33
To: Firewall Wizards Security Mailing List<firewall-wizards () listserv icsalabs com>
Subject: Re: [fw-wiz] asa 5505 vpn ipsec l2l problem

Re: asa 5505 vpn ipsec l2l problem

Thu, 08 Oct 2009 17:00:52 GMT

Posted by Farrukh Haroon on Oct 08

I don't know if you got my older email, here it is again:

Run these three debugs
debug crypto engine
debug crypto isakmp 127
debug crypto ipsec 127
and then see if you get any more meaningful debugs.

Its better to clear both Phase 1 and Phase 2 before you run the debugs (just
in case the SAs are already established).

Also try removing the crypto map from the interface and re-applying it!

Please also check the logging levels on your ASA 'show...

Re: asa 5505 vpn ipsec l2l problem

Thu, 08 Oct 2009 16:59:26 GMT

Posted by Eric Gearhart on Oct 08

I think this was previously mentioned by Paul Melson... try to use IP
addresses in your IPsec interesting traffic ACL... I agree with him, that
having specific ports in ACL1 is the problem, as far as I know

So ACL1 is now:
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.13 eq
4000
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.110.250 eq
4000
access-list ACL1 extended permit tcp host 192.168.11.11 eq ftp...