Hardware

• Linksys WRT160N
• Juniper Netscreen SSG5 ( Support )
• whirlpool: Juniper SSG5 detail specs
• Juniper Forum

• Zeroshell homepage
• Zeroshell main forum
• default password: admin / zeroshell
• $SCRIPTS path: /root/kerbynet.cgi/scripts/

• pfSense homepage
  FreeBSD based mini firewall distribution
• default password: admin / pfsense
• show routing table: netstat -r
• restart openvpn: disable, wait about 1min (to clear routing table), then enable again
• by default the openvpn client will pull settings from server
• openvpn to use tap mode, add command line option: tap

• Basic Accounts:
  

  root: root user for setup advanced settings
  vyatta: admin user use to config router
  

• Config location: /opt/vyatta/etc/config/config.boot
• vyatta Community Edition Firewall
• Install vyatta to harddisk
  

  Boot from CD
  Login: root
  Password: vyatta
  # install-system
  

• Vyatta Basic Setup example
  LAN IP, DHCP, Basic NAT
• Basic Operations
  "connect interface pppoe1" to manually start the pppoe1 interface
• Show similar function of router commands in different platforms
• Negative feedback for Vyatta and pfSense on load-balancing and DMZ setup at 2008-07

• Reset Netscreen config
  

  unset all (Yes)
  reset (No, then Yes)
  

• Database path: ISA 2006\ADAMData\
• ChangeStorageServer.vbs: Change array to use the current server as Primary Storage Server
• Setup failed while registering ISA Server filters.
  • *** This problem could happen if there is a SQL Server installed at the same server
  • Can happen at both ISA Server 2004 SP2 update and ISA 2006
  • Related to Web Filter priority in ISA Server 2004 SP2

• Deny All is usually the best default rule
• Handle ICMP carefully, block/limit from all outside
• Fragmented packets can create DoS attacks
• Source address filtering must always base on network interface
• Always do logging, log archiving, or write to write only media
• DNS TCP 53 is only used for zone transfer, in general can block the traffic
• MSN, NetMeeting maybe better to have an application gateway because they are using dynamic ports
• Screened Host is the intranet server after firewall (after port forwarding)
• Screened Network / DMZ is the network segment after firewall

• Dynamic Packet Filtering (for Outlook-Exchange, Windows Messenger, etc?)
• Sometimes static outbound mapping (port forwarding) maybe needed for outgoing traffic (Firewall outgoing ip always same for certain intranet IP group)
• Some firewall products can do:
  • time-based filtering
  • access base on username (Microsoft ISA?)
  • bandwidth quota
  • Intrusion detection, logging, reporting and fire an alarm. Or even dynamic adjust the policy.
    • Zone transfer attempts
    • Address scans
    • Port scans
    • Ping-of-death DoS attack attempts
• NAT-D (Detect) and NAT-T (Transversal) is needed to support IPSec over NAT gateways
• PPTP does not protect the IP header while IPSec do. So IPSec/L2TP need NAT-D/NAT-T at gateway.
• Any tool to evaluate Firewall effectiveness?
• ICSA Lab (certify commercial Firewall products)