Encrypted RPC and firewalling

2011-11-10 Thread Lasse Birnbaum Jensen
hi all

I would like to know how you guys handle encrypted RPC across firewalls. 

We utilize an ASA platform and the DCERPC inspection can't handle encrypted RPC 
(which is standard in most Windows 2008 and default in all communication in 
Exchange 2010). Cisco says: disable encryption or create "allow any" rules.

Do you limit the RPC port range on the Windows systems and make "holes" in the 
firewall for these, or do you disable RPC encryption? 

Please share your knowledge in this area.

Best regards 

Lasse Birnbaum Jensen
Network administrator, IT-Service
University of Southern Denmark

Email: la...@sdu.dk




Re: ARIN-2011-1: ARIN Inter-RIR Transfers - Last Call (expires in one week)

2011-11-10 Thread William Herrin
On Thu, Nov 10, 2011 at 1:01 AM, Randy Bush  wrote:
>> 1) The concept of Inter-RIR transfers is a bad idea.  Insuring
>>    "compatible" rules between RIR's will always be difficult at
>>    best.
>
> no need to coordinate rules/policies at all.  what we suggested in a/p
> three years back was simple.  seller must abide by seller's local
> selling policy and buyer must abide by buyer's local receiving policy.

Randy,

Such a process creates a back-door requirement that participating
registries race to the bottom eliminating eligibility requirements for
address recipients. Failure to do so leaves their own registrants at
an unfair disadvantage when trying to get addresses. The approach is,
unfortunately, more simpleminded than it is simple.

But really this discussion belongs on the ARIN PPML where your input
would be most welcome.

Regards,
Bill Herrin


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: 
Falls Church, VA 22042-3004



Re: Encrypted RPC and firewalling

2011-11-10 Thread Valdis . Kletnieks
On Thu, 10 Nov 2011 09:56:51 +0100, Lasse Birnbaum Jensen said:
> I would like to know how you guys handle encrypted RPC across firewalls.

You can always just set the firewall to ban RPC in general, whether or not it's
encrypted (while you're there, close off ports 137-139 and other chucklehead
stuff like that), and just make the user who's outside the firewall VPN in.  That's
a nice, simple, well-understood configuration that almost all software and even
most users can handle.

(We don't actually do a big monolithic firewall box - but pretty much
everything has an iptables ruleset loaded that says "if your source IP isn't
inside our 2 /16s, your packets go bye bye".  And there's a nice PPTP-based VPN
solution in place that even a humanities professor emeritus can use ;)





Re: ARIN-2011-1: ARIN Inter-RIR Transfers - Last Call (expires in one week)

2011-11-10 Thread Valdis . Kletnieks
On Thu, 10 Nov 2011 07:39:15 EST, William Herrin said:
> Such a process creates a back-door requirement that participating
> registries race to the bottom eliminating eligibility requirements for
> address recipients.

When was the last time this industry turned down a chance to have
a race to the bottom?



Re: ARIN-2011-1: ARIN Inter-RIR Transfers - Last Call (expires in one week)

2011-11-10 Thread Randy Bush
>> no need to coordinate rules/policies at all.  what we suggested in a/p
>> three years back was simple.  seller must abide by seller's local
>> selling policy and buyer must abide by buyer's local receiving policy.
> 
> Such a process creates a back-door requirement that participating
> registries race to the bottom eliminating eligibility requirements for
> address recipients. Failure to do so leaves their own registrants at
> an unfair disadvantage when trying to get addresses.

i am sure the americans who think all address space should rightfully be
theirs can dream up paranoid scenarios for anything.  but dear canute,
the tide is coming, get over it or get wet.

they do not sell enough anti-nausea meds here for me to read the
arin ppml list.

randy



Re: Firewalls - Ease of Use and Maintenance?

2011-11-10 Thread Jimmy Hess
On Wed, Nov 9, 2011 at 2:44 PM, Nick Hilliard  wrote:
> On 09/11/2011 19:07, C. Jon Larsen wrote:
> As I said, it's not a pf problem.  Commercial firewalls will do all this
> sort of thing off the shelf.  It's a pain to have to write scripts to do  
> this manually.

Ah... the high cost of 'free' products: you have to do some
scripting, or pay another organization to support it / do scripting
work for you.  The advantage is... you _can_ do a small amount of
scripting or programming to add minor additional required
functionality.  And a very large number of commercial firewalls do not
have config synchronization, except, perhaps, between a failover pair,
anyways.

Anyways...  I can see synchronizing blacklists on a firewall, or
having a firewall configured to fetch certain 'drop' rules from a
HTTPS URL.  Otherwise: the thought of mass synchronization of
lots of firewalls can be bad in that it creates a single point of
system compromise; supposing the synchronization source machine
were compromised, one dirty rule inserted by an intruder followed by
a kick off of the sync mechanism, and then actions to break
it/prevent further syncing, defeats the security of the entire
deployment.

--
-JH
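
An added example (not code from the post above or from any firewall vendor) of the gate a firewall could run before applying a 'drop' rule bundle fetched from a central source, as a mitigation for the single-point-of-compromise concern raised there: the bundle must carry a MAC under a key held by the rule author rather than by the distribution server (HMAC from the standard library here; an asymmetric signature would be the production choice), must have a serial newer than the installed one, and may contain only bounded `drop from <prefix>` lines. The key, prefixes and rule syntax are all constructed for the demo.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed rule grammar: the only thing a synced bundle may contain.
RULE_RE = re.compile(r"^drop from (\S+)$")
# Constructed: prefixes this site owns; a pushed drop must never cover them.
PROTECTED = [ipaddress.ip_network("192.0.2.0/24"),
             ipaddress.ip_network("2001:db8:1::/48")]
# Constructed policy: refuse drops broader than /8 (IPv4) or /32 (IPv6).
MIN_PREFIXLEN = {4: 8, 6: 32}


def make_bundle(key: bytes, serial: int, rules: str) -> dict:
    """Authoring side (offline key holder): the MAC covers serial and rules."""
    body = f"{serial}\n{rules}".encode()
    return {"serial": serial, "rules": rules,
            "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def lint_rules(text: str) -> list:
    """Reject anything that is not a bounded 'drop from <prefix>' line."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: only 'drop from <prefix>' is permitted")
            continue
        try:
            net = ipaddress.ip_network(m.group(1), strict=False)
        except ValueError:
            problems.append(f"line {lineno}: unparseable prefix {m.group(1)!r}")
            continue
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            problems.append(f"line {lineno}: {net} is broader than policy allows")
        if any(p.version == net.version and net.overlaps(p) for p in PROTECTED):
            problems.append(f"line {lineno}: {net} overlaps protected space")
    return problems


def accept_bundle(key: bytes, bundle: dict, installed_serial: int) -> tuple:
    """Firewall side. Returns (ok, reasons); apply the rules only when ok."""
    reasons = []
    body = f"{bundle['serial']}\n{bundle['rules']}".encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, bundle.get("mac", "")):
        reasons.append("MAC mismatch: bundle altered or not produced by the author key")
    if bundle["serial"] <= installed_serial:
        reasons.append("serial not newer than installed bundle: replay or rollback")
    reasons.extend(lint_rules(bundle["rules"]))
    return (not reasons, reasons)


def demo() -> dict:
    """Constructed bundles: a good one, a replay, an intruder-edited one,
    and two author mistakes that the MAC alone would not catch."""
    key = b"constructed-demo-key-do-not-reuse"
    good = make_bundle(key, 12, "drop from 203.0.113.0/24\ndrop from 2001:db8:ffff::/48\n")
    tampered = dict(good, rules=good["rules"] + "pass from any\n")  # inserted after signing
    too_broad = make_bundle(key, 13, "drop from 0.0.0.0/0\n")       # signed, but wrong
    self_harm = make_bundle(key, 14, "drop from 192.0.2.0/25\n")    # would drop our own space
    return {
        "good": accept_bundle(key, good, 11),
        "replayed": accept_bundle(key, good, 12),
        "tampered": accept_bundle(key, tampered, 11),
        "too_broad": accept_bundle(key, too_broad, 12),
        "self_harm": accept_bundle(key, self_harm, 13),
    }


if __name__ == "__main__":
    for name, (ok, reasons) in demo().items():
        print(f"{name}: {'apply' if ok else 'refuse'} {reasons}")
```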



Re: ARIN-2011-1: ARIN Inter-RIR Transfers - Last Call (expires in one week)

2011-11-10 Thread CJ Aronson
So Randy.. Are you in favor or opposed to 2011-1?

Thanks!
Cathy



RE: Encrypted RPC and firewalling

2011-11-10 Thread Matthew Huff
Also,

Most enterprises that support Exchange remote access use RPC over HTTPS which 
is encrypted and easy to allow on the firewall.


Matthew Huff | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC   | Phone: 914-460-4039
aim: matthewbhuff    | Fax:   914-460-4139






Re: ARIN-2011-1: ARIN Inter-RIR Transfers - Last Call (expires in one week)

2011-11-10 Thread Randy Bush
> So Randy.. Are you in favor or opposed to 2011-1?

against



Re: ARIN-2011-1: ARIN Inter-RIR Transfers - Last Call (expires in one week)

2011-11-10 Thread William Herrin
On Thu, Nov 10, 2011 at 8:28 AM, Randy Bush  wrote:
> i am sure the americans who think all address space should rightfully be
> theirs can dream up paranoid scenarios for anything.  but dear canute,
> the tide is coming, get over it or get wet.

Randy,

You're fortunate that you speak for a minority. If you didn't, we'd
tell the bunch of you to go to hell instead of valiantly seeking to
improve the situation in which APNIC finds itself.


> they do not sell enough anti-nausea meds here for me to read the
> arin ppml list.

It's your privilege to make uneducated snipes from afar.

Regards,
Bill Herrin


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: 
Falls Church, VA 22042-3004



Re: ARIN-2011-1: ARIN Inter-RIR Transfers - Last Call (expires in one week)

2011-11-10 Thread Randy Bush
> You're fortunate that you speak for a minority.

actually, that time has passed.  you're the minority.  there are more
non-americans than american rir members, there are more legacy holders
than arin junior vigilantes, ...

observe how the american 'global' proposal flew.

randy



Re: ARIN-2011-1: ARIN Inter-RIR Transfers - Last Call (expires in one week)

2011-11-10 Thread Leo Bicknell
In a message written on Thu, Nov 10, 2011 at 02:28:50PM +0100, Randy Bush wrote:
> i am sure the americans who think all address space should rightfully be
> theirs can dream up paranoid scenarios for anything.  but dear canute,
> the tide is coming, get over it or get wet.

I believe you have made an incorrect assumption as to why some folks
are against transfers.  Quite frankly, if it made you (and the rest
of the world) happier I would support a proposal to reclaim all
unused legacy space in the ARIN region and divide 100% of it among
the other RIR's.  We'd be better off without it.

The real problem is, if people spent even 10% of the time spent
arguing over how to buy/sell/trade/swap IPv4 space deploying IPv6
space we wouldn't be having this discussion, as no one would need
any more IPv4 space at this point since we would all be removing
it from our network.

The tide is coming.  The tide is wet.  The tide is full of IPv6 water.
Get over it.

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/




Re: ARIN-2011-1: ARIN Inter-RIR Transfers - Last Call (expires in one week)

2011-11-10 Thread Randy Bush
> The real problem is, if people spent even 10% of the time spent
> arguing over how to buy/sell/trade/swap IPv4 space deploying IPv6
> space we wouldn't be having this discussion, as no one would need
> any more IPv4 space at this point since we would all be removing
> it from our network.
> 
> The tide is coming.  The tide is wet.  The tide is full of IPv6 water.
> Get over it.

i am a measurement type.  it's a stretch to call things even slightly
damp.  not that i am happy with this.  we deployed in the '90s.

randy



Re: Firewalls - Ease of Use and Maintenance?

2011-11-10 Thread -Hammer-
The other high cost of "free" that people sometimes overlook is 
liability. Many organizations want/need someone to hold the fire to in 
the event of an issue. I believe in open source and am an advocate of 
open source computing (this email is from my Debian (NOT UBUNTU) laptop 
and my BSD workstation is right beside it), but at an organizational 
level, if I had an open source FW and a vulnerability was allowed to get 
thru it and compromise customer or confidential data, my management 
would be looking to the vendor for answers. If I told them "it's open 
source, there is no "vendor"" it would not go over well. Why? Because 
the liability is now assumed by my company. So when the customer sues 
it's on me. Or (and we see these on a regular basis) when the patent 
troll contacts us about his patent that the open source product is 
violating and wants compensation the liability stops at my company. IF I 
am using a vendor supported platform, I can take that to my vendor and 
discuss options. Many (not all) large businesses have agreements with 
vendors that go well beyond NDAs. Agreements about liability. 
Healthcare/Financial/Defense all have these kinds of agreements. I'm not 
saying it's fair. It's just how the world works. For that reason there 
are some areas where open source is smart while there are other areas (a 
firewall you depend on to protect you) where open source may put you and 
your employer at risk. You have to consider that. Or... Some of us do.


-Hammer-

"I was a normal American nerd"
-Jack Herer





Re: Firewalls - Ease of Use and Maintenance?

2011-11-10 Thread Richard Kulawiec
On Thu, Nov 10, 2011 at 08:52:22AM -0600, -Hammer- wrote:
> The other high cost of "free" that people sometimes overlook is
> liability. 

Please point to an instance (case citation, please) where a commercial
firewall vendor has been successfully litigated against -- that is, held
responsible by a court of law for a failure of their product to provide
the functionality that it's claimed to provide.

---rsk




Re: Firewalls - Ease of Use and Maintenance?

2011-11-10 Thread -Hammer-
OK. Right off the bat you know I can't and won't. But in some places it 
is common practice to make sure agreements are in place to make sure all 
parties are protected based on how a product is expected/designed to 
perform. I can't say more than that. Realize I'm speaking about things 
that are solely on the vendor. Not "Did you configure the ACL properly?"


What you can Google is the names of companies who have settled out of 
court against various trolling lawsuits vs the names of companies that 
are still in litigation. There is a mix of both manufacturer/vendor and 
end customer. It all depends on the case.


This shouldn't surprise you. If Toyota makes a defective brake and you 
slam into someone else, your insurance covers you. Eventually, if the 
issue scales out to the point that it is obvious that Toyota made a 
defective brake and it is not your fault, some insurance companies 
collectively will go to the government or directly to the manufacturer 
for compensation. This is no different. If you sell me a FW and it 
catches on fire thru no fault of my own and then the public finds out 
that FWs are catching on fire all over the place, it's a good bet that 
that FW vendor will be getting some lawsuits. If a FW vendor reports a 
product to work a certain way and instead thru a massive vulnerability 
or development oversight it does not the same applies. Software. 
Hardware. Physical (fire). Logical (vulnerability). I'm not saying that 
it happens all the time and I'm not even saying it's a general practice. 
What I'm saying is it happens. And depending on your business vertical 
it could be a very real consideration.


COMPLETELY 100% MADE UP HYPOTHETICAL SCENARIO:

I put a FW in. I put proper L3 ACLs in. I block 443 inbound. I didn't 
say I block HTTPS. I block 443. I test it by telnetting from the 
Internet to 1.1.1.1:443 and I am unable to connect. Looks good. A month 
later our CEO is surfing the Internet. Thru a development oversight in 
the product, when I NAT or PAT him to the Internet his source port is 
not pulled from the Ephemeral range but is instead sourced as port 443. 
He of course goes to sites riddled with Malware because that's what CEOs 
do. They click on links. So the Malware website initiates a new TCP 
session to destination port 443 with his NATted IP. The state table has 
an entry for that IP and 443 and even though this is a new TCP session 
the FW lets it thru. The malware site bad guys are able to retrieve 
confidential information about a merger and publish it. The other 
company that we were merging with sues us because the information is 
leaked to the public and adversely impacted their stock value. 
Everything in the above paragraph is able to be documented thru 
forensics and it is indisputable that the FW was properly configured and 
should have blocked it but didn't. The FW did NOT perform as 
advertised/designed. This is NOT the fault of me or my company. If a few 
thousand dollars is at stake nothing may come of this. If tens or 
hundreds of millions of dollars are at stake I promise you that our 
lawyers will be contacting the manufacturer whose product did not 
perform as advertised. They will compensate (in one way or another) us 
for our losses. It's a big ugly world full of lots of lawyers.


-Hammer-

"I was a normal American nerd"
-Jack Herer



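
A constructed Python model of the state-table failure in the hypothetical scenario above (added here; not code from the post or from any firewall vendor). It uses the documentation addresses 198.51.100.1 and 203.0.113.10 in place of 1.1.1.1, and contrasts the loose matching the scenario describes (state keyed on public IP and port only, PAT allocator not confined to the ephemeral range) with a hardened lookup keyed on the full 4-tuple that refuses bare SYNs and non-ephemeral PAT ports.

```python
from dataclasses import dataclass

EPHEMERAL = range(49152, 65536)  # IANA dynamic/private port range


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False


class LooseFirewall:
    """The hypothetical flaw: the PAT allocator is not confined to the
    ephemeral range and the state table is keyed on (public IP, port) only,
    so any inbound packet to that pair is treated as return traffic."""

    def __init__(self, public_ip: str, first_port: int) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.state: set = set()

    def allocate_port(self) -> int:
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def translate_outbound(self, pkt: Packet) -> Packet:
        port = self.allocate_port()
        self.state.add((self.public_ip, port))
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.syn, pkt.ack)

    def inbound_allowed(self, pkt: Packet) -> bool:
        # Inbound is default-deny (the L3 ACL blocks 443 along with everything
        # else); only traffic that matches existing state is let through.
        return (pkt.dst_ip, pkt.dst_port) in self.state


class StrictFirewall(LooseFirewall):
    """Hardened model: PAT ports must be ephemeral, state is keyed on the full
    4-tuple, and a bare SYN never matches an established session."""

    def allocate_port(self) -> int:
        port = super().allocate_port()
        if port not in EPHEMERAL:
            raise ValueError(f"PAT allocator produced non-ephemeral port {port}")
        return port

    def translate_outbound(self, pkt: Packet) -> Packet:
        port = self.allocate_port()
        self.state.add((self.public_ip, port, pkt.dst_ip, pkt.dst_port))
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.syn, pkt.ack)

    def inbound_allowed(self, pkt: Packet) -> bool:
        if pkt.syn and not pkt.ack:
            return False  # a new connection attempt can never ride on existing state
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.state


def run_scenario(fw: LooseFirewall) -> tuple:
    """The post's sequence of events with constructed documentation addresses.
    Returns (legit_reply_allowed, unrelated_inbound_syn_allowed)."""
    web = "203.0.113.10"                      # the site the CEO browses to
    ceo = Packet("10.0.0.5", 51000, web, 80, syn=True)
    out = fw.translate_outbound(ceo)          # the CEO's SYN after PAT
    # Legitimate SYN/ACK back from the web server to the translated port.
    reply = Packet(web, 80, out.src_ip, out.src_port, syn=True, ack=True)
    # The same host now opens a brand-new TCP session to <public IP>:443.
    new_syn = Packet(web, 40000, fw.public_ip, 443, syn=True)
    return fw.inbound_allowed(reply), fw.inbound_allowed(new_syn)


def demo() -> dict:
    """Run the scenario against both models with a sane and a broken allocator."""
    public_ip = "198.51.100.1"                # constructed public address
    results = {
        "loose_with_ephemeral_port": run_scenario(LooseFirewall(public_ip, 50000)),
        "loose_with_port_443": run_scenario(LooseFirewall(public_ip, 443)),
        "strict_with_ephemeral_port": run_scenario(StrictFirewall(public_ip, 50000)),
    }
    try:
        run_scenario(StrictFirewall(public_ip, 443))
        results["strict_rejects_port_443"] = False
    except ValueError:
        results["strict_rejects_port_443"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only the loose model with the broken allocator lets the unrelated inbound SYN through; the strict model refuses the bad port outright, and even with a sane port its SYN check would have denied the new session.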


Re: Firewalls - Ease of Use and Maintenance?

2011-11-10 Thread Leo Bicknell
In a message written on Thu, Nov 10, 2011 at 10:14:26AM -0500, Richard Kulawiec 
wrote:
> Please point to an instance (case citation, please) where a commercial
> firewall vendor has been successfully litigated against -- that is, held
> responsible by a court of law for a failure of their product to provide
> the functionality that it's claimed to provide.

Unsuccessful litigation has costs as well.  Patent trolls have sued
end-users in a number of cases for both commercial and open source
software.  In many cases they lose, but someone still has to shell
out a pile of cash for the lawyers to defend.

Just ask folks like AutoZone or DaimlerChrysler how much it cost to use
Linux when they were sued by SCO and had to defend themselves.  Sure,
they prevailed, but I bet tens of thousands of dollars were spent on
litigation.

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/




Re: Firewalls - Ease of Use and Maintenance?

2011-11-10 Thread Jay Ashworth
----- Original Message -----
> From: "Leo Bicknell" 

> Just ask folks like AutoZone or DaimlerChrysler how much it cost to use
> Linux when they were sued by SCO and had to defend themselves. Sure,
> they prevailed, but I bet tens of thousands of dollars were spent on
> litigation.

Sure.  But compare that to the millions they would have spent using SCO... :-)

Cheers,
-- jra
[1]Yes, I realize AutoZone may have been paying for their Linux distro...
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA  http://photo.imageinc.us +1 727 647 1274



Re: Firewalls - Ease of Use and Maintenance?

2011-11-10 Thread Peter Kristolaitis
Your hypothetical scenario assumes you're the only organization 
compromised by the flaw (or one of very few), and not #3972 on the list, 
in which case the company could go bankrupt before a court can hear your 
case, and the "liability protection" they offered you is worth the 
electrons it's printed on. It's great if you're a Fortune 50 and have 
the legal, political and financial clout to be #1 on the lawsuit list, 
but nearly worthless for most organizations.


- Peter




Re: Firewalls - Ease of Use and Maintenance?

2011-11-10 Thread -Hammer-
Look the thread was about considerations for various firewalls. 
Eventually it spun off to be considerations and issues with Open Source 
options. I was merely pointing out a consideration that some folks have 
to take into account. You don't have to like it, agree with it, or even 
believe it. But it does happen and it is out there. I was just pointing 
it out. Take it for what you want but arguing it is pointless. It's out 
there for some of us.


-Hammer-

"I was a normal American nerd"
-Jack Herer




TwTelecom engineer offlist

2011-11-10 Thread Eric Germann
Anyone with twtelecom who can contact me off list about a possible congestion 
issue at one of your handoffs?

Thanks

EKG



Re: Firewalls - Ease of Use and Maintenance?

2011-11-10 Thread Jonathan Lassoff
On Wed, Nov 9, 2011 at 12:44 PM, Nick Hilliard  wrote:
> On 09/11/2011 19:07, C. Jon Larsen wrote:
>>
>> put the main portion of the conf in subversion as an include file and
>> factor out local differences in the configs with macros that are defined
>> in
>> pf.conf
>>
>> Easy.
>
> As I said, it's not a pf problem.  Commercial firewalls will do all this
> sort of thing off the shelf.  It's a pain to have to write scripts to do
> this manually.

Agreed. This is rather a pain to have to do manually each time (either
scp'ing or scripting). It's unfortunate that there's not a
conventional script or mechanism for doing this.

I have plenty of scripts from past commercial work that do this, but
they're sadly tied up license-wise.

I've had good luck, pf-wise, with creating a ruleset that is just
identical between hosts. By keeping the interface naming/numbering
scheme consistent across two hosts, the same configuration can just
"work" on both.

Cheers,
jof



Re: ARIN-2011-1: ARIN Inter-RIR Transfers - Last Call (expires in one week)

2011-11-10 Thread David Conrad
Bill,

On Nov 10, 2011, at 5:48 AM, William Herrin wrote:
> On Thu, Nov 10, 2011 at 8:28 AM, Randy Bush  wrote:
>> i am sure the americans who think all address space should rightfully be
>> theirs can dream up paranoid scenarios for anything.  but dear canute,
>> the tide is coming, get over it or get wet.
> You're fortunate that you speak for a minority.

I don't think Randy speaks for anyone but himself. Some may, however, agree 
with him.

> If you didn't, we'd
> tell the bunch of you to go to hell instead of valiantly seeking to
> improve the situation in which APNIC finds itself.

Seriously?

It is this sort of attitude that resulted in me giving up in disgust with the 
whole RIR circus.  Well that and a curious note from ARIN counsel (at the 
direction of ARIN's board) to my then corporate counsel purportedly "expressing 
concern" about statements I made in a personal capacity on NANOG. Quite 
amusing, actually, but still disgusting.

A tiny dose of reality: 
- The Internet (and world population as a whole) is growing most rapidly in the 
Asia/Pacific region. 
- There are companies who demand IPv4 addresses for which the combined yearly 
budgets of all the RIRs amounts to little more than a small fraction of what 
those companies spend on their lawyers alone.
- APNIC no longer has IPv4 addresses to meet that demand.
- There are now at least 4 different organizations offering IPv4 addresses for sale 
(addrex.net, kalorama.com, tradeipv4.com, ipv4marketgroup.com) who are participating 
in a market estimated at $6 - $8 Billion (and that's just legacy space).

And you believe the couple of hundred folks who participate in ARIN are going 
to stand in the way of those business interests?  I might gently suggest it 
would probably be more useful to figure out how the new market players and the 
"legacy" RIRs can coexist in a way that doesn't do severe damage to the 
Internet than it is to discuss how to rearrange the deck chairs in ever more 
intricate designs in order to try to maintain unjustifiable monopolies.

I might suggest that but as I said, I gave up in disgust.  Tell King Canute's 
advisors I said "hi".

Regards,
-drc




Re: ARIN-2011-1: ARIN Inter-RIR Transfers - Last Call (expires in one week)

2011-11-10 Thread Nick Hilliard

On 10/11/2011 16:59, David Conrad wrote:
> Tell King Canute's advisors I said "hi".

My OCD is screaming at me to point out that King Knut was attempting to 
show his advisers that even he couldn't control the tides.


Nick



Re: Firewalls - Ease of Use and Maintenance?

2011-11-10 Thread Richard Kulawiec
On Thu, Nov 10, 2011 at 08:30:46AM -0800, Jonathan Lassoff wrote:
> > As I said, it's not a pf problem.  Commercial firewalls will do all this
> > sort of thing off the shelf.  It's a pain to have to write scripts to do
> > this manually.
> 
> Agreed. This is rather a pain to have to do manually each time (either
> scp'ing or scripting). It's unfortunate that there's not a
> conventional script or mechanism for doing this.

I don't see why this is a problem.   I've been using tools like make, RCS
(or CVS or subversion), perl, and rsync to maintain all kinds of unified
and diverse configurations on small and large numbers of systems for many
years.  It's simple, it's scalable, it's easy to write, it's portable,
it's robust (provided you pay attention to command exit codes), and it
allows easy integration between disparate configuration files.  (As an
example of that last: I can cause changes in pf.conf to be synchronized
with appropriately-matching changes in sendmail.cf or named.conf.  Use of
"make"  ensures that they're kept in a consistent state.  Of course, if I
make a mistake, they're consistently wrong: but that's highly desirable.)

Yes, you have to understand the interrelationships between all these
moving parts to write the scripts/makefiles; but that's a good thing.
And the payoff is that you get FAR more flexibility than any commercial
product.  And it's free (modulo your time investment...and you'd be
investing time anyway, trying to make some vendor's setup do what you want).

---rsk
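The make/rsync workflow Rich describes above, combined with jof's point about one identical ruleset plus per-host macros, as an added shell example. This is not code from either poster or from the pf project: the file names, the constructed hosts fw1 and fw2, their addresses, and the rsync target root@HOST:/etc/pf.conf are all assumptions for illustration. The interesting step is the one pfctl would otherwise do for you only on the firewall itself: refusing to ship a pf.conf that references a macro the host never defines.

```bash
#!/bin/sh
# Added example (not from the thread): render per-host pf.conf files from one
# shared ruleset plus a per-host macro file, refuse to ship a file that uses an
# undefined macro, and push with rsync only when every earlier step succeeded.
# Hosts, interfaces, addresses and paths below are constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Shared ruleset: identical on every host; every local difference is a macro.
write_shared_rules() {
    cat > "$WORK/rules.pf" <<'EOF'
set skip on lo
block in log all
pass out quick on $ext_if inet keep state
pass in quick on $ext_if inet proto tcp from $mgmt_net to ($ext_if) port ssh keep state
pass in quick on $int_if inet from $int_net to any keep state
EOF
}

# Per-host macro definitions (constructed sample hosts fw1 and fw2).
write_host_macros() {
    cat > "$WORK/fw1.macros" <<'EOF'
ext_if = "em0"
int_if = "em1"
mgmt_net = "192.0.2.0/24"
int_net = "10.1.0.0/16"
EOF
    # fw2 deliberately lacks mgmt_net so the consistency check has something to catch.
    cat > "$WORK/fw2.macros" <<'EOF'
ext_if = "em0"
int_if = "em1"
int_net = "10.2.0.0/16"
EOF
}

# render HOST: macros first (pf needs a macro defined before it is used), then rules.
render() {
    host="$1"
    cat "$WORK/$host.macros" "$WORK/rules.pf" > "$WORK/pf.conf.$host"
}

# undefined_macros HOST: print every $name the shared rules use that HOST's macro
# file does not define. Empty output means the rendered file is sound.
# (pfctl -nf catches the same thing, but only on a machine that has pf.)
undefined_macros() {
    host="$1"
    grep -o '\$[A-Za-z_][A-Za-z0-9_]*' "$WORK/rules.pf" | sed 's/^\$//' | sort -u |
    while read -r name; do
        grep -q "^$name[[:space:]]*=" "$WORK/$host.macros" || echo "$name"
    done
}

# deploy HOST: reached only after the checks passed; rsync's exit code is what
# make / set -e watches. Assumes a reachable host whose name matches the file.
deploy() {
    host="$1"
    rsync -a "$WORK/pf.conf.$host" "root@$host:/etc/pf.conf"
}

# build HOST: render, check, deploy. Non-zero exit on any undefined macro, so a
# Makefile rule or "set -e" stops the whole run instead of pushing a bad file.
build() {
    host="$1"
    render "$host"
    missing=$(undefined_macros "$host")
    if [ -n "$missing" ]; then
        echo "$host: undefined macro(s): $missing" >&2
        return 1
    fi
    [ "${DRY_RUN:-1}" = "1" ] || deploy "$host"
}

# Stand-alone run: build both constructed hosts and report which ones failed.
if [ "${PF_EXAMPLE_RUN:-0}" = "1" ]; then
    write_shared_rules
    write_host_macros
    for h in fw1 fw2; do
        build "$h" || echo "$h: not deployed" >&2
    done
fi
```

Run it with `PF_EXAMPLE_RUN=1 sh pfsync.sh` to see fw1 render cleanly and fw2 rejected for the missing mgmt_net; set `DRY_RUN=0` only when the hosts really exist. Driving `build` from a Makefile target per host gives the same "consistently right or consistently wrong" property Rich describes: the rendered file is rebuilt whenever the shared rules or that host's macros change, and nothing reaches /etc/pf.conf unless every step returned zero.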



Re: Firewalls - Ease of Use and Maintenance?

2011-11-10 Thread Richard Kulawiec
On Thu, Nov 10, 2011 at 09:39:29AM -0600, -Hammer- wrote:
> OK. Right off the bat you know I can't and won't. 

Right.  I know you can't and won't.   I can't either.  So we can
summarily dismiss all the concerns about liability because they
have no relationship to reality.  You will not be suing BigFirewallCo,
no matter how horribly their product fails, no matter how bad the damage is,
no matter how obvious to all of us the failure is, no matter how culpable
we might all agree they are, because (a) your pockets aren't as deep
as BigFirewallCo's, and (b) you'd probably lose anyway (c) after 11 years
and a lot of billable hours for everyone's attorneys.  (s/you/I/ and
everyone else, unless we happen to work for a Fortune 50 company...and
probably not even then.)

When it comes to security, I think it's better to rely on software
engineering than litigation.

---rsk



Re: Firewalls - Ease of Use and Maintenance?

2011-11-10 Thread -Hammer-

WOW. You really are naive

-Hammer-

"I was a normal American nerd"
-Jack Herer



On 11/10/2011 12:12 PM, Richard Kulawiec wrote:
> On Thu, Nov 10, 2011 at 09:39:29AM -0600, -Hammer- wrote:
>> OK. Right off the bat you know I can't and won't.
>
> Right.  I know you can't and won't.   I can't either.  So we can
> summarily dismiss all the concerns about liability because they
> have no relationship to reality.  You will not be suing BigFirewallCo,
> no matter how horribly their product fails, no matter how bad the damage is,
> no matter how obvious to all of us the failure is, no matter how culpable
> we might all agree they are, because (a) your pockets aren't as deep
> as BigFirewallCo's, and (b) you'd probably lose anyway (c) after 11 years
> and a lot of billable hours for everyone's attorneys.  (s/you/I/ and
> everyone else, unless we happen to work for a Fortune 50 company...and
> probably not even then.)
>
> When it comes to security, I think it's better to rely on software
> engineering than litigation.
>
> ---rsk


Firewalls - Ease of Litigation and Subrogation

2011-11-10 Thread Jay Ashworth
- Original Message -
> From: "Richard Kulawiec" 

> Right. I know you can't and won't. I can't either. So we can
> summarily dismiss all the concerns about liability because they
> have no relationship to reality. You will not be suing BigFirewallCo,
> no matter how horribly their product fails, no matter how bad the damage is,
> no matter how obvious to all of us the failure is, no matter how culpable
> we might all agree they are, because (a) your pockets aren't as deep
> as BigFirewallCo's, and (b) you'd probably lose anyway (c) after 11 years
> and a lot of billable hours for everyone's attorneys. (s/you/I/ and
> everyone else, unless we happen to work for a Fortune 50 company...and
> probably not even then.)

Yeah, Rich, but come on: you and I -- and even his managers -- know that while
that is true (that no one's actually going to sue anyone, and likely legally
cannot anyway), that *still* won't keep Pointy Haired Bosses from making that
*capability* a firm requirement.

That's why their hair is pointy.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA  http://photo.imageinc.us +1 727 647 1274



Re: Firewalls - Ease of Litigation and Subrogation

2011-11-10 Thread -Hammer-
You guys are hilarious. OK. I give up. It never happens. I'll leave this 
thread alone.


-Hammer-

"I was a normal American nerd"
-Jack Herer



On 11/10/2011 12:19 PM, Jay Ashworth wrote:
> - Original Message -
>> From: "Richard Kulawiec"
>
>> Right. I know you can't and won't. I can't either. So we can
>> summarily dismiss all the concerns about liability because they
>> have no relationship to reality. You will not be suing BigFirewallCo,
>> no matter how horribly their product fails, no matter how bad the damage is,
>> no matter how obvious to all of us the failure is, no matter how culpable
>> we might all agree they are, because (a) your pockets aren't as deep
>> as BigFirewallCo's, and (b) you'd probably lose anyway (c) after 11 years
>> and a lot of billable hours for everyone's attorneys. (s/you/I/ and
>> everyone else, unless we happen to work for a Fortune 50 company...and
>> probably not even then.)
>
> Yeah, Rich, but come on: you and I -- and even his managers -- know that while
> that is true (that no one's actually going to sue anyone, and likely legally
> cannot anyway), that *still* won't keep Pointy Haired Bosses from making that
> *capability* a firm requirement.
>
> That's why their hair is pointy.
>
> Cheers,
> -- jra


Re: Firewalls - Ease of Use and Maintenance?

2011-11-10 Thread Valdis . Kletnieks
On Thu, 10 Nov 2011 12:12:21 CST, -Hammer- said:
> WOW. You really are naive

I think Rich has been around long enough that he gets called a *lot* of things
(many of them non-complimentary), but this is the first time this century
anybody's called him *naive*... ;)





Re: Firewalls - Ease of Use and Maintenance?

2011-11-10 Thread -Hammer-
OK. Maybe I jumped too hard. But to tell me that what I'm referring to 
has never happened (even though I've participated) just because he 
hasn't heard of it is not the best way to approach an argument. When 
these things happen, there are agreements in place so it's not 
discussed. Especially when it's settled out of court. If you want some 
fun reading on the subject google Walker Digital or Leon Stambler.


Again, I never said it happens to everyone. But it does happen and some 
of us have to consider it. I didn't realize it would come under such 
scrutiny just because it isn't widely published.


Again, I'll try and leave this thread alone.

-Hammer-

"I was a normal American nerd"
-Jack Herer



On 11/10/2011 12:24 PM, valdis.kletni...@vt.edu wrote:
> On Thu, 10 Nov 2011 12:12:21 CST, -Hammer- said:
>> WOW. You really are naive
>
> I think Rich has been around long enough that he gets called a *lot* of things
> (many of them non-complimentary), but this is the first time this century
> anybody's called him *naive*... ;)


Re: Firewalls - Ease of Use and Maintenance?

2011-11-10 Thread Joe
Litigation? Wow. 

To answer the OP:

Any of the Cisco, Juniper, Sonic, Fortinet, etc can be easy to use to maintain. 
But I'd make sure you have a good understanding of what you intend to do, and 
what products will satisfy your needs. Demos are a good idea. One person's 
definition of easy may not match someone else's.

If you know what you're doing and want to roll your own, then go with what 
you're most comfortable with (linux, bsd, etc). Your subject indicates you 
aren't comfortable with rolling your own, so there is no point to the side 
debate going on in this thread.

Side point: For what it's worth, I use PF on OpenBSD because I like the clean 
and easy to read syntax. To me, that is *easier* to use than trying to figure 
out some point-click GUI. The takeaway from this is, "what does ease of use 
mean to you"?

Hope that helps.


Re: Firewalls - Ease of Use and Maintenance?

2011-11-10 Thread -Hammer-
I changed my mind. I want to clear this up. Here is an example of where 
a patent troll skipped over the manufacturer and went straight for the 
end customer. There are dozens of these attacking all verticals and 
manufacturers alike for various reasons.


http://dockets.justia.com/docket/texas/txedce/2:2008cv00471/113504/

So a customer buys a product that contains a technology. Then the 
customer is sued for possessing said technology. You don't think the 
customer (Merrill Lynch / BofA / Citigroup / etc) isn't gonna take that 
lawsuit and call the manufacturer up and tell them they are gonna eat 
it? You don't think a financial institution or a healthcare organization 
would attempt to recuperate the costs? You don't think that after the 
fact agreements are put in place so that frivolous lawsuits like this 
are appropriately handled between the manufacturer and the customer in 
the future? When millions of dollars are at stake? You don't have to 
like it. But you should be a little more objective.


I am not speaking of specific cases I'm involved in. I just googled a 
few things and found some results.


-Hammer-

"I was a normal American nerd"
-Jack Herer



On 11/10/2011 12:24 PM, valdis.kletni...@vt.edu wrote:
> On Thu, 10 Nov 2011 12:12:21 CST, -Hammer- said:
>> WOW. You really are naive
>
> I think Rich has been around long enough that he gets called a *lot* of things
> (many of them non-complimentary), but this is the first time this century
> anybody's called him *naive*... ;)


Security Contact from k12.fl.us

2011-11-10 Thread Nathan Eisenberg
Please contact me off-list.


RE: Security Contact from broward.k12.fl.us (was: Security Contact from k12.fl.us)

2011-11-10 Thread Nathan Eisenberg
It was pointed out to me that 'k12.fl.us' is not an organization, but rather a 
container.  Clarification - I'm looking for a security contact from 
broward.k12.fl.us

Nathan Eisenberg

> -Original Message-
> From: Nathan Eisenberg
> Sent: Thursday, November 10, 2011 2:07 PM
> To: NANOG list
> Subject: Security Contact from k12.fl.us
> 
> Please contact me off-list.




Re: Firewalls - Ease of Use and Maintenance?

2011-11-10 Thread Jack Bates

On 11/10/2011 12:24 PM, valdis.kletni...@vt.edu wrote:
> I think Rich has been around long enough that he gets called a *lot* of things
> (many of them non-complimentary), but this is the first time this century
> anybody's called him *naive*... ;)


Given that all of humankind is naive, it would be redundant. The other 
things are much more entertaining.



Jack


Re: ARIN-2011-1: ARIN Inter-RIR Transfers - Last Call (expires in one week)

2011-11-10 Thread Randy Bush
> And you believe the couple of hundred folks who participate in ARIN
> are going to stand in the way of those business interests?  I might
> gently suggest it would probably be more useful to figure out how the
> new market players and the "legacy" RIRs can coexist in a way that
> doesn't do severe damage to the Internet than it is to discuss how to
> rearrange the deck chairs in ever more intricate designs in order to
> try to maintain unjustifiable monopolies.

arin control-freak vigilante insanity overwhelmed what's good for the
internet long ago.

randy



Re: ARIN-2011-1: ARIN Inter-RIR Transfers - Last Call (expires in one week)

2011-11-10 Thread Brett Watson
On Nov 10, 2011, at 6:56 AM, Leo Bicknell wrote:

> The tide is coming.  The tide is wet.  The tide is full of IPv6 water.
> Get over it.

Awesome, so you've solved the multi-homing issues with v6? The RA/DHCPv6 
issues? (I'll just leave it at those three).

-b