This213 Sep 14, 2005   3:21 PM GMT

Taking this one step at a time: 1. You mention the ?appliance? is behind stateful firewalls. If this is the case, you should be able to view, and block by port, the unwanted traffic coming into and going out of your network. 2. I would guess that the heavy inbound traffic was a probe. I would further guess that whoever it was found a hole through to your network and exploited either the ?appliance? or one of the other machines on the network ? which then flooded your network with outbound traffic. In this case, you need to figure out which machine was compromised and fix it. 3. You should be running some sort of firewall on the appliance, just to be on the safe side ? but your real security ought to come from your border firewalls ? which seems to not be the case. No matter how you look at it now, the fact is that the border firewalls didn?t do the job they were designed for, which means you need to thoroughly go over their configuration and fix the issue so it doesn?t happen again. I would guess that either someone on your network downloaded a virus, adware, spyware or you're running an open mail proxy. Either way, your border firewalls can tell you exactly what the issue is - and which machine is doing it.

0 pointsBadges:

Layer9 Sep 14, 2005   4:06 PM GMT

This question is way to broad and generalized. You don't tell us the appliance even. For all we can tell you may be talking about a blender. Can you be more specific? Give us the make and model of the appliance, and the nature of the intrusion.

0 pointsBadges:

Astronomer Sep 14, 2005   6:31 PM GMT

The appliance is a mcafee e500 antivirus/antispam machine. As installed, it checked all incoming email for the exchange server and web traffic for our main web proxy. There are firewall rules allowing any IP to reach it using SMTP. It could initiate HTTP traffic to outside but outside systems can't initiate traffic to it. One of the things we learned about it earlier this year is you can telnet to port 25 on it and craft emails from any domain/to any domain without authentication. I don't know if this has any bearing on the problem or not. I believe the heavy traffic coming in was a download to turn it into a server. I don't know how it would work as a traditional server since it had to initiate the HTTP traffic going out. Judging by the number of outbound connections last friday, it was serving many clients. Once I had redirected our proxy to directly access the internet, I checked the statistics on the switch port used by the appliance. They hadn't changed by much. I was then able to block HTTP/HTTPS outgoing from the appliance. This killed the massive incoming traffic yesterday. We checked the volumes of traffic on our proxy before and after redirecting it. It was averaging 800K and peaked once at 1.5M. It is throttled to a maximum of 2M. The traffic that saturated our pipe from/to this appliance averaged around 3.5M. Our exchange server and this proxy are the only systems that were configured to use the appliance. SMTP is not sent back out thru the appliance. The traffic to our exchange server averages 20K and this matched the appliance traffic after I blocked web traffic. I have little doubt the compromised system is the appliance itself. We did fix it friday when we used the mcafee ISO to rebuild it from scratch. I believe it was compromised again by tuesday. We have no control over the actual OS on the appliance. I don't know if it has a firewall or not. Since we only had port 25 open to this box, my best guess is the compromise came in by that port. Since this is our official MX presence on the internet, I don't see any way the firewalls could have prevented this access. The appliance is definitly not configured as an open mail proxy as confirmed by mcafee support. When we connected a monitor to the appliance to rebuild it, the screen was full of these messages: EXT2-fs warning:maximal mount count reached, running e2fsck is recommended EXT2-fs warning: check time reached, running e2fsck is recommended.

15 pointsBadges:

petkoa Sep 16, 2005   5:23 AM GMT

Hi, I'm reading this forum on a 3-day basis, so excuse me for the late comment... You said: > I was then able to block HTTP/HTTPS outgoing > from the appliance. This killed the massive > incoming traffic yesterday. Based on this observation, I wonder are there any restrictions who can use the appliance as a web-proxy from outside your LAN? If there is some configuration options for such restriction, they should be activated; otherwise, your sollution (to enforce them on the borderline firewall) is OK. As about the warnings, > EXT2-fs warning:maximal mount count reached, > running e2fsck is recommended > EXT2-fs warning: check time reached, > running e2fsck is recommended they might simply reflect the default configuration of the appliance filesystem. Do it actually have a harddisk? If not, the filesystem used for building the CD/DVD image of the OS was not properly set to prevent the kernel bitching about the e2fsck... BR, Petko

3,140 pointsBadges:

Astronomer Sep 16, 2005   12:26 AM GMT

We have never allowed any outside IPs to use this system for web access of any kind. Our firewall is default disallow. I would have had to add a rule to allow external access for HTTP just like I added a rule for SMTP to reach this box. The only addresses we allow HTTP access from outside are the public web services. The closest we came to allowing outside users to get to this box is with our VPN clients. Since the pix is our VPN server, clients who want to surf the internet while they are VPNed into our net need to use the squid proxy server to get back out. The squid proxy used to run thru the antivirus appliance. As for the appliance itself, it is aware of our internal networks, but I don't know if that is used to determine who it will listen to for HTTP. The HTTP configuration is just about what ports it listens to. As for the drive configuration, it's a hardware mirror using hot swap SCSI. To re-build the box, what we do is download the configuration, boot from the CD, reboot when it's done, use web to attach to the default IP, install patches, and upload the configuration. They have done a good job of hiding everything from us. Since I notified the vendor via email and phone recorder about the second compromise, the only response I have recieved has been an email asking if I have seen any issues since re-imaging the appliance. I responded to it with "Haven't you been getting my emails?" My speculation here is they know about the problem but don't have a fix yet. Meanwhile, I'm hanging out to dry with a compromised box that is supposed to protect me. I told my manager this is the big downside to using appliances. We know nothing about how the system works and are totally dependant on the vendor. rt

15 pointsBadges:

Layer9 Sep 16, 2005   12:40 AM GMT

You said "One of the things we learned about it earlier this year is you can telnet to port 25 on it and craft emails from any domain/to any domain without authentication. I don't know if this has any bearing on the problem or not" This cleary indicates the SMTP service running on this appliance is OPEN TO RELAY. I would venture to say that the unexplained traffic you are seeing is the 10s of thousands of emails your appliance is SPAMMING to the world. I would close up SMTP RELAY before looking any further. Chris Weber Layer9corp.com

0 pointsBadges:

Layer9 Sep 16, 2005   12:51 AM GMT

P.S If you want to know for sure I would put a protocol analyzer on the outside of the appliance. If you don't have a protocol you can download Ethereal for free. Ethereal will run on most Unix based systems including Linux. If you want to be sure what is going on with your equipment a sniffer is the surest way to go. Just look at the packets and you will know for sure what is going on. Also Petcoa is correct. fsck is the Unix File System Checker, so it's likely there is a problem with the appliances image as well. But I would bet your unexplained traffic will turn out to be SMTP relay traffic. Chris Weber Layer9corp.com

0 pointsBadges:

Astronomer Sep 16, 2005   1:46 PM GMT

I used ethereal first thing when we saw the traffic volumes with MRTG. The traffic was HTTP. Our firewall rules don't allow the appliance to initiate SMTP connections to the outside. It can only listen and respond. Given the number of spambots on campus before I installed the firewall, I'm very careful about letting SMTP out of the college. There are only three addresses allowed to send SMTP to the outside. This has even caused us problems since our email doesn't come from our MX address, (the appliance IP). My long term fix for these issues will be a pair of linux systems in the DMZ running as DNS servers and email relays. This will resolve the issue of the MX addresses and protect the poor appliance from any harm coming from the outside. rt

15 pointsBadges:

Layer9 Sep 16, 2005   2:03 PM GMT

You said earlier that you can telnet to the appliance and build an SMTP message from anyone to anyone. If what YOU said is correct, then you are open to relay. I am only going on what you said, which is of course all I have to go on. If what you said earlier about telnetting to port 25 and building messages from and to anyone, then you are indeed open to relay. As for the HTTP traffic, what does it say in the decodes? If you have packet captures of the traffic then you have the answers right there. What do they tell you? Chris Weber Layer9corp.com

0 pointsBadges:

Astronomer Sep 16, 2005   4:37 PM GMT

If you look at what I said, I can craft an email from any domain to any domain after telnetting to port 25 without authentication. I didn't say the email would get there. With our current architecture, it would have to be relayed by our exchange server to get out to any other domain. Needless to say, our exchange server isn't configured to be an open relay. If the appliance was set up to handle both incoming and outgoing email, I would be very concerned about the anonymous telnet login being used to send spam from our official MX server and domain to anywhere. The issue that led to this discovery was spam coming into our domain claiming to be from our domain. I was shocked to learn I could telnet to our antispam appliance and create an email from my email address at my domain and send it to myself. We also created emails from other domains and sent them to me. I called the vendor to find out how to stop accepting email from the outside that represented itself as coming from our domain. They told me there was no way to stop this with their appliance and there was no way to prevent an unauthenticated telnet connection to port 25 on it. What do you want me to look for in the decodes? I don't claim to be an expert with ethereal. The captures lasted 1 minute. I checked the IPs of the largest volume clients with nslookup. About half didn't resolve. The first massive download came from a system in qwest.com. The clients were all over the map. Several were from yahoo.com but not a majority. The main thing I used the capture for was to find out which addresses to firewall.

15 pointsBadges:

Sonyfreek Sep 16, 2005   11:48 PM GMT

I'd take the box apart to see if there's a hard drive inside to make an image of it. If you have a physical hard drive, you'll obviously want to run fsck to fix the drive problems after obtaining a "forensic backup" of it. It'd also let you fix the spam relay and potentially add a host firewall ruleset to the system so that you can prevent your unwanted traffic. However, this appliance sounds like a poorly designed and configured "security" product. You'd be safer to get a computer with two NICS in it and install your favorite flavor of *NIX on it and other applications that you plan on using the computer for. It sounds like you're not a stranger to *NIX environments. Install only those applications that you need and dedicate a computer to a certain function. For example, a proxy server should have a hardened OS, squid, and a host firewall on it. I hate appliances because they have too many risks as more applications run on them. Even if it's secure today, if you didn't pay for support, you might not get tomorrows update. Anyhow, I didn't help you solve the problem with the appliance, but it sounds like someone's attacking it because it's a low hanging fruit. You're better off without it. Be secure, SF

0 pointsBadges:

Layer9 Sep 17, 2005   1:25 PM GMT

I did read your post. Since this is an SMTP server, (which any SMTP anti-virus filtering appliance is) I can assure it can send email. You may have it configured to forward to your Exchange server, but that does not mean it SMTP messages are blocked to the internet from the appliance. Now if you are saying that you have configured an address specific outbound ACL on a separate firewall that specifically blocks SMTP messages from "leaving" your network from this appliance, then ok, but I doubt you have done this. SMTP Anti-virus filtering gateways appliances are by their very nature, SMTP servers as well. Your appliance IS listening on TCP 25 to the outside for SMTP traffic, so anyone CAN telnet to it. And since SMTP is open inbound, and considering that you don't even know if it's been breached, I doubt you have taken the tedious and complicated step of configuring outbound ACL's to block SMTP from that device only. Therefore it is likely that IF your SMTP gateway appliance has been comprimised then you are probably sending out SPAM. After all, if someone hacks your Email Gateway they are likely to use it for Email. Now I can't teach you the art of protocol analysis in a web posting, (nor would I want to) but I would do the following. 1.Make sure your protcol analyzer is attached to a SPAN port on your switch on the OUTSIDE of your network and make sure port spanning is enabled on your switch. (if you don't have SPAN features you can use a little Hub in to connect your sniffer to, just remmeber this will impact network performance). 2. Set a filter on the sniffer to capture only SMTP traffic. 3. Examine the SMTP traffic and look for foriegn source and destiantion addresses. This will let you know if that is the issue. If you don't see SMTP suspect traffic then do a general sniff on the outside of the appliance. Look at the HTTP traffic you are talking about. Where is it from? Where is it going? Are there TCP repeated connection attempts? How about TCP zero windows? What flags are in the headers? Are these SYN packets? If so are they being answered or are they half open connections? How many of them are there? When do they come in the most? What is in the HTTP DATA decodes? What other traffic is there with them? Answer these questions and you will be getting somewhere.

0 pointsBadges:

Layer9 Sep 17, 2005   1:26 PM GMT

I did read your post. Since this is an SMTP server, (which any SMTP anti-virus filtering appliance is) I can assure it can send email. You may have it configured to forward to your Exchange server, but that does not mean it SMTP messages are blocked to the internet from the appliance. Now if you are saying that you have configured an address specific outbound ACL on a separate firewall that specifically blocks SMTP messages from "leaving" your network from this appliance, then ok, but I doubt you have done this. SMTP Anti-virus filtering gateways appliances are by their very nature, SMTP servers as well. Your appliance IS listening on TCP 25 to the outside for SMTP traffic, so anyone CAN telnet to it. And since SMTP is open inbound, and considering that you don't even know if it's been breached, I doubt you have taken the tedious and complicated step of configuring outbound ACL's to block SMTP from that device only. Therefore it is likely that IF your SMTP gateway appliance has been comprimised then you are probably sending out SPAM. After all, if someone hacks your Email Gateway they are likely to use it for Email. Now I can't teach you the art of protocol analysis in a web posting, (nor would I want to) but I would do the following. 1.Make sure your protcol analyzer is attached to a SPAN port on your switch on the OUTSIDE of your network and make sure port spanning is enabled on your switch. (if you don't have SPAN features you can use a little Hub in to connect your sniffer to, just remmeber this will impact network performance). 2. Set a filter on the sniffer to capture only SMTP traffic. 3. Examine the SMTP traffic and look for foriegn source and destiantion addresses. This will let you know if that is the issue. If you don't see SMTP suspect traffic then do a general sniff on the outside of the appliance. Look at the HTTP traffic you are talking about. Where is it from? Where is it going? Are there TCP repeated connection attempts? How about TCP zero windows? What flags are in the headers? Are these SYN packets? If so are they being answered or are they half open connections? How many of them are there? When do they come in the most? What is in the HTTP DATA decodes? What other traffic is there with them? Answer these questions and you will be getting somewhere. Chris Weber Layer9corp.com

0 pointsBadges:

Astronomer Sep 19, 2005   1:57 PM GMT

Chris: You are partially right about the firewall. I don't have a rule explictly to block SMTP coming from the appliance. Instead of explicitly denying the appliance, I have three rules allowing SMTP to go out from our old email server, our new email server, and the firewall used by our cisco instructor. As should be clear, none of these match the appliance in question. All other outgoing SMTP traffic is explicitly blocked. My ethereal captures are done on a span port for the VLAN used to communicate with the internet. The only other device on this VLAN is the pix. This port is behind both firewalls so I can't see what they have already filtered out from the outside. When I checked my dump for SMTP to/from this appliance, there were three messages. Two were spam related, and one appears legitimate. All were incoming and were properly responded to by the appliance. The HTTP traffic looks like I'm seeing the middle of a bunch of file downloads. There are dozens of sessions, even in just the high traffic part of the conversation list. Be aware, this traffic has ceased since I blocked HTTP traffic from the appliance. I am looking at a one minute capture from last week. Thanks for the suggestions. rt

15 pointsBadges:

Astronomer Sep 20, 2005   4:42 PM GMT

While I don't know for sure that this appliance has been cracked, that is currently my best guess. The second level support from the vendor responded yesterday and wanted to discuss the issue. This morning he gave a somewhat plausible explanation for the large download recorded by his diagnostic but not for the upload to many internet clients. Therefore, I want to consider other alternatives. Can you recommend other antivirus/antispam appliances? We are considering pulling the plug but will need to have something in place. I don't want anyone to violate the rules of this forum so I would only like to hear from actual users. Thanks.

15 pointsBadges:

Sonyfreek Sep 20, 2005   6:39 PM GMT

I suggested before that you should dedicate your functions onto a single computer versus using an appliance to do it all. An ss like an all-in-one-printer. If the scanner breaks, you lost the whole machine and have to buy something new. Now, you might be making the same mistake again after your SMTP server broke/got hacked, whatever. It's the same thing people do all of the time. New Orleans gets destroyed by a Category 5 hurricane and we talk about rebuilding it... Although they may make the levees hold water in case of a class 5 hurricane, it's still a bad idea. The trade towers get knocked down by terrorists, so we immediately discuss rebuilding them. It's still going to be tall and so it might hold up to an airplane attack, it won't hold up to tomorrows planes. Don't promulgate bad ideas to make them your achilles heal. Sorry if the last paragraph offends anyone. I'm not trying to get down on unfortunate events. Instead, I'm trying to make a point by pointing out fallacies in peoples ideologies. An appliance, in my opinion, is one of these bad ideas. Learn from other peoples mistakes and make more informed future decisions. With all of that said, I'd suggest you build your own hardened operating system (Windows, linux, whatever way you swing) and put up to date software that you can patch. Don't put your trust in a vendor that likes to hide everything behind a nice web interface (which could be the root cause of vulnerability itself (ie: default passwords, buffer overflows, etc)). There are literally thousands of sites to help you lock down your OS and applications like www.nsa.gov/snac, www.nist.gov, www.cis.com, plus a plethora of others. Don't have time? I understand that, neither does anyone else. All that an attacker needs is one vulnerability but you have to protect against them all. See if you can get additional help - this could come from the student body, outside consultants, or even hiring more people. Justifying the position won't be easy, but show them what someone has done to your appliance and affix a few other attack vectors and scenarios and you will have their attention. You should do some further investigation to see if your system/network were involved in a larger scale network attack. Make a forensic backup of the current media in the appliance just in case an investigation is required. If you find something suspicious (attacks from China, Russia, etc) you should notify the authorities in case this appliance or your network was involved in a much larger investigation that you are not aware of. You can use the following as a guideline to incident response: csrc.nist.gov/publications/nistpubs/800-12/800-12-html/chapter12.html Hope this helps, SF

0 pointsBadges:

Layer9 Sep 20, 2005   11:59 PM GMT

We use a product made by Symantec called Symantec Mail Security for SMTP. It is a simple anti-virus, anti-spam server application that can be run on any Windows or Solaris based system. It accepts email for your domain, screens for viruses, SPAM, etc, then forwards it on to your mail server. This way our email server never accepts connections from the web and also stops viruses before they reach the server, as well as SPAM. It's easy to install and manage and really cheap. If you want to know more about it email me offline at cw@layer9corp.com. There are other appliances out there as well, but for the money and ease of use and installtion, you can't beat the Symantec gateway product. You already have a PIX, which gives you a great Firewall, VPN Endpoint Solution, and if it's configured correct, a great IDS. Why spend a fortune on Mail Security? Anyway this is just one of several similar products but it's the one we use like you asked. Regards Chris Weber Layer9corp.com

0 pointsBadges:

petkoa Sep 21, 2005   9:25 AM GMT

Hi, In the initial post you said: > ...and all web traffic from our internal web > proxy went thru it... and then yesterday: > The HTTP traffic looks like I'm seeing the > middle of a bunch of file downloads. There are > dozens of sessions, even in just the high > traffic part of the conversation list. Is it possible that some p2p-clients on your LAN found their way out through the firewall disguised as http traffic? You know, they are so "smart" and ubiquotous... As to your last quetion, about an alternative, I'd agree with SF and Chris that it's better to have an OS with a host firewall, proxy and virus scanner so you can investigate things which happen, than to have some untouchable "black box". BR Petko

3,140 pointsBadges:

Astronomer Sep 21, 2005   1:21 PM GMT

Thanks for all the feedback. I agree in principal with building a box. In this environment, we have only 8 in our IT staff for nearly 2000 nodes. Also, I am a temp here. I need to chose a solution my successor can work with. There has already been considerable pushback with the few unix/linux solutions I have implemented. Given the knowledge level of the rest of the team, an appliance is unfortunately the logical solution at this time. After getting feedback from the other colleges in the area, we have decided to test out a barracuda appliance. Thanks again. rt

15 pointsBadges:

Layer9 Sep 21, 2005   2:00 PM GMT

I am not necessarily opposed to an appliance. After all the PIX is an appliance and it is a great product. The important thing is that you don't just buy appliances for your client and then start learning about them. If I were to recommend an appliance to a firm it would be one that I had extensive experience with and new what it could and could not do. Appliances can be fine in the hands of a knowledgeable and skillful administrator. But in the hands of an inexperienced user, they can be a disaster, which is what you are facing now. I would not buy an appliance for a client or recommend one that I new very little about. Given your expressed level of experience for you and your staff, I would go with something simple like the Symantec product. It's ease of use and simple install make it a perfect fit. And being IMB compatible based, it builds upon knowledge you already posess. But if you insist on trying another appliance, I would make the vendor put one in your environment for a month so you can test it out and make sure it's what you need. Most appliance vendors like MailXtreme do this, so I am surprised you have not gone this route. On another note, you mention that your orginization is 2000 users. I am not trying to be critical here but it is somewhat disconcerting, at least if I was your client, that you are in a tech room trying to figure out how to secure their email. Is there no senior staff at this place that can make these decisions? 2000 users is a significant orginization and you would think that they would not be trusting their infastructure security to anything other than a senior engineer who knows the industry inside and out. Could this be an example of why so many US firms are constantly being hacked by the Chinese? Chris Weber Layer9corp.com

0 pointsBadges:

Sonyfreek Sep 22, 2005   7:46 PM GMT

I'd argue associating PIX and great together. It's mediocre considering that the IOS is not publicly scrutinized and that it takes about as much programming to setup a PIX as it would to configure a *BSD with pf or ipfw. I've also had the experience when working with a PIX that if you changed the interface configuration, you had to reboot it for the settings to take place. Maybe it was the PIXOS Version or a problem with that PIX, but if that's normal - that's abnormal... I have loved every Cisco product I've ever used from their switches to their routers, layer 3 switches, even the old AGS+ systems were good. I just cannot get with the PIX, sorry. SF

0 pointsBadges:

Layer9 Sep 22, 2005   8:22 PM GMT

As the owner of a firm that specializes in servicing and supporting the PIX, and with personally more than 15 years configuring them, I can tell you that it is hands down the best Layer 4 firewall on the market today for the money. PIX IOS is a simple IOS to learn, and once it is learned the knowledge builds upon itself as you do more and more advanced configurations and applications. In 15 years I have never had a PIX "hacked" in a production environment, and the PIX can provide VPN Endpoint Services, IPSEC Virtual Circuits, Stateful Inspection, OSPF support, a configurable IDS with montioring capabilities, logging, and the list goes on and on. In the hands of the right engineer, the PIX is a solid, sophisticated security appliance. Most problems associated with the PIX I have found are due to the users lack of experience or understanding of the it and the underlying IOS. Chris Weber Layer9corp.com

0 pointsBadges:

Layer9 Sep 22, 2005   8:38 PM GMT

P.S Not to be too picky with the last comment (nothing personal but I don't respect it when admins want to down a product when it is clear they simply aren't skilled with it)but a few more comments. The PIX IOS is closed because in order to truly be secure, you need to restrict access to the IOS code. Opening the code invites exploits. Just take a look at a Free BSD vulnerability listing on a website like SANS one time. They go on for pages and pages and pages. Then go look up the vulnerabilties on the PIX, there is only one or two weaknesses listed and ALL of them have been long been corrected in newer IOS versions. Keeping the PIX code private has obviously helped to keep it secure. And as for the rebooting issue? In 15 years I have NEVER seen a configuration issue when you needed to reboot a PIX. I do recall however that this was a common issue with early PIX admins who did not understand that you needed to clear the NAT translations on the Interface you just configured when making certain changes. Instead these inexperienced admins would "reboot" the PIX in order to make the changes they just made take effect, and then blame the PIX when their bosses asked them why the network went down. I know because I managed some of them. Of course the rebooting "worked" for them because it cleared the NAT translations. But a simple "clear xlate" from a command prompt would have accomplished the same thing without downing anything. Like I said, if you know the PIX, it is a 1st rate security appliance. Chris Weber Layer9corp.com Chris Weber Layer9corp.com

0 pointsBadges:

Layer9 Sep 22, 2005   10:17 PM GMT

BTW, When I say inexperienced I mean of course inexperienced with the PIX. I am sure you have solid knowledge with BSD and whatever else you work with and I don't mean any dispargement of your skills. We all have our specialties. Chris Weber Layer9corp.com

0 pointsBadges:

Sonyfreek Sep 26, 2005   6:50 PM GMT

Anyone who has had a hacked firewall probably wasn't working for very long. I've configured PIXes, BSDi, FreeBSD, OpenBSD, Mandrake, and (unfortunately) Microsoft firewalls and never had one "hacked." It's simply not a good measure of a good firewall since most firewalls can easily be transversed. Why would one hack at a firewall when I can go around poorly designed rules and websites behind them? How many times has your firewall been transversed from insiders and outsiders that you know about? How efficient is your logging? Then being closed source doesn't protect it from exploits. They still exist. What happens when, say, Cisco gets their code spilled out (extranetted) on the Internet for anyone to peruse or buy and look for exploits (wait! that recently happened). How safe do you feel that only a handful of people were ensuring that it's "secure" versus the Internet-wide community looking at it to find exploits? If the PIX code was put on the Internet, you know the list would be much larger (therefore meaning that it's not as secure as you'd hoped it was). Now, maybe the code is... The PIX is the hardest of these firewalls that I've had to configure and it's insecure by default allowing connection from the inside to the the DMZ or outside interfaces if no ACL has been configured on the interface. Sorry, I think the access-list rules are a terrible way to implement security for a firewall. I've implemented plenty of them on routers and with the PIX and hate using them. The only thing I like about the PIX is that you can save the configuration and run show commands from any mode and don't have to go back to priviledged exec like most Cisco hardware. I use mine as an expensive NAT box... However, I think that creating extensive access lists is inefficient and prone to error. With other firewall implementations, you don't have to wipe out your whole ruleset when you want to change it (yes, you can use a named access list and do the NO form of the command to delete a line, but its inefficient). Have fun with your PIX. I use the others as doorstops. SF

0 pointsBadges:

Sonyfreek Sep 26, 2005   9:39 PM GMT

Just so we are comparing apples to apples, I did a quick Bugtraq search of vulnerabilities: FreeBSD 5.3 - 28 total vulnerabilities (not the latest version) Number affecting a machine running as a firewall - potentially 9 if running an AMD64. It may be less than this, but I did a quick perusal of what would be considered a bug in the minimal install for a firewall. Pix Firewall 6.3.2 - 2. This is not astronomical on the FreeBSD side of things considering it is open source code. No one in their right mind would install the libraries, ports, and the entire FreeBSD system on their firewall and consider it secure (which could contain all 28 vulnerabilities). All you need is the basic setup and man pages if you please. SF

0 pointsBadges:

Layer9 Sep 27, 2005   1:43 AM GMT

I really should not even respond to this one as we are way off track and this guy obviously just wants to criticize and slander products he demonstrably knows little about, but since I already stated I was the owner of a business that specializes in the PIX, and this person calling themselves, sonyfreek, (nice kiddy scripter handle) decided it would be a good idea to disrespect a great product because of his clear lack of skill with it I am going to say a few words. It is just amateur to insult a mainstream product in one of these forums, especially when it was not even the topic. So I am going to add a few words, and forgive me if I am harsh, but I have had my fill of admins who think they know it all about the PIX, but really know just enough to really screw one up. First your name is cute, but when you denounce products that thousands and thousands of businesses use throughout the world,products that have awards and praise from some of the best minds in the business, you might try using your real name and website, so people know who you are, instead of skulking behind a juvenile moniker. In answer to you logging question (or insinuation)of course we monitor our logs, we are a security firm. We log at trap level 7 (hurry go look that one up) and we run concurrent IDS systems including, yes, Unix based IDS systems and of course being core engineers (many of us came from the big telecoms)we track at the packet level using protocol analyzers with custom filters. We even have licensed Private Investigators that physically investigate incidents we deem to be serious. And as for the closed or open source issue, I won't address that again.I already did, and you apparently don't get it. Let me know when you publish your ATM pincode so people can let you know what vulnerabilities are in it. Of course, anyone who thinks there are 28 known vulnerabilities for BSD, well, we?ll just keep that to ourselves. (hint, try getting your data from somewhere other than Bugtraq,). It?s apparent you just don?t know how to build out a PIX correctly, you even said so yourself when you told us how you used to have to reboot it, and then sat there and said, bad PIX, bad PIX. No real Cisco engineer has ever had to do that with a PIX to make a simple configuration change. But you did, which clearly demonstrates your lack of experience with it as it is a common issue with Junior PIX Admins and well documented on Cisco's website. Oh and by the way, ACL?s in the PIX are only a part of it?s Stateful Inspection process. The PIX is NOT a router, or a gnat box, but to you it probably is. I saw a chimpanzee once use a Violin as a bat. He beat the heck out of that Violin, but it did not mean the Violin was faulty. The Chimp simply did not have the proper technical skills to use it as it was designed to be used. No we see engineers in the field all the time working on the PIX who should not be working on the PIX. Of course we are fine with that. Cleaning up messes from admins who install equipment they are not trained on accounts for about 60 percent of our business. In fact, we consider you guys our best friends. Chris Sorry about going off track, but I?m done with this one astronomer. I forgot what the original question was anyway.

0 pointsBadges:

Layer9 Sep 27, 2005   3:22 AM GMT

BTW, For anyone reading this, the current version of the PIX IOS is 7.0(2), and you won't find it published on the Internet. Sonyfreak is giving you old news. Also the command is not run show, it is show run, and if you were as experienced with the PIX as you indicate, then you would most likely have used the old, write term command, not the well known show run. Show run works with later versions of the IOS, but those engineers among us who have been configuring the PIX for 10 plus years or better hsve hard coded into our brains that old write terminal command. Show run was not available in the early versions of the PIX IOS and wri t was became part of our vocabulary. Little tell tale signs like that and the unneeded reboot illuminate your lack of any long term, serious professional experience with the PIX. You may have instslled or managed one or two, but you are clearly no expert with it, which is not a bad thing, unless of course you are bad mouthing it to the world. P.S It's not the vulnerabilites that are not published and that few people are aware of, that you need to worry about. Worry about the ones that are published. They are the ones that will end up being used against your network 99.9 percent of the time. Chris Weber Layer9corp.com

0 pointsBadges:

Astronomer Sep 27, 2005   10:23 AM GMT

I think we have drifted way off the subject here so I thought I might add a few last comments. My current design uses an openbsd firewall on the outside and a pix on the inside. I consider them both to be secure devices. The bsd box is more flexible in what can be done. The pix has many more bells and wistles. The pix is considerably easier for our techs to manage. It also protects them better from some types of errors. Overall, I believe they both have their place. I like the bsd better but the learning curve was considerably steeper. There are times to use a box you can be intimately familiar with, and times when an appliance is a better choice. I would hesitate to criticize choices made by someone else unless that choice resulted in a series of intractable problems that other solutions would easily avoid. I would characterize that last sentence as what led to my initial question. We had a series of issues that the vendor had no fix for and this finally convinced us to change vendors. When the vendor of a network security device criticizes you for not having his device behind a NATting firewall to protect it, I believe something is wrong. (In case you are wondering, some of us do use public addresses internally because of policy decisions made well above us). I believe the best choice for the issue in question in my current environment is an appliance. Personally, I would prefer an open box, but looking at the technical level of my team, their current load, and my status as a temp, I need to choose what they can manage after I am gone. rt

15 pointsBadges: