VPN

Windows

L2TP

SSH tunnel

Firewall Links

Hardware

Zeroshell

pfSense

  • pfSense homepage
    FreeBSD based mini firewall distribution
  • default password: admin / pfsense
  • show routing table: netstat -r
  • restart openvpn: disable, wait about 1min (to clear routing table), then enable again
  • by default the openvpn client will pull settings from server
  • openvpn to use tap mode, add command line option: tap

Monowall

Vyatta

Juniper Netscreen Firewall

OpenVPN

ISA Server 2006

  • Database path: ISA 2006\ADAMData\
  • ChangeStorageServer.vbs: Change array to use the current server as Primary Storage Server
  • Setup failed while registering ISA Server filters.
    • *** This problem could happen if there is a SQL Server installed at the same server
    • Can happen at both ISA Server 2004 SP2 update and ISA 2006
    • Related to Web Filter priority in ISA Server 2004 SP2

General

General Rules

  • Deny All is usually the best default rule
  • Handle ICMP carefully, block/limit from all outside
  • Fragmented packets can create DoS attacks
  • Source address filtering must always base on network interface
  • Always do logging, log archiving, or write to write only media
  • DNS TCP 53 is only used for zone transfer, in general can block the traffic
  • MSN, NetMeeting maybe better to have an application gateway because they are using dynamic ports
  • Screened Host is the intranet server after firewall (after port forwarding)
  • Screened Network / DMZ is the network segment after firewall

Interesting

  • Dynamic Packet Filtering (for Outlook-Exchange, Windows Messenger, etc?)
  • Sometimes static outbound mapping (port forwarding) maybe needed for outgoing traffic (Firewall outgoing ip always same for certain intranet IP group)
  • Some firewall products can do:
    • time-based filtering
    • access base on username (Microsoft ISA?)
    • bandwidth quota
    • Intrusion detection, logging, reporting and fire an alarm. Or even dynamic adjust the policy.
      • Zone transfer attempts
      • Address scans
      • Port scans
      • Ping-of-death DoS attack attempts
  • NAT-D (Detect) and NAT-T (Transversal) is needed to support IPSec over NAT gateways
  • PPTP does not protect the IP header while IPSec do. So IPSec/L2TP need NAT-D/NAT-T at gateway.
  • Any tool to evaluate Firewall effectiveness?
  • ICSA Lab (certify commercial Firewall products)