tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ

reply to sk1939

Re: Russians

said by sk1939:

I have a Firewall/VPN (SSG5) that is set to "Route" rather than "NAT" for the "Untrust" or interface facing the external network. Basically, what it's doing is rather than doing NAT overload, it just routes between the two networks.

what this is doing is equivalent to the "nat0" function on an asa. to move from lower to higher security zones requires a nat statement -- even if no nat'ing goes on. to work around this -- you set up nat0 or "nat exemptions" on the device for it to "nat but not really" those specified networks.

the key is to know whether the traffic is solicited (i.e. a trusted device is requesting the traffic to come in) or unsolicited (someone's just trying to break in). once you're there -- you can police as normal.
i'm not too good with screenos anymore (i've been slowly forgetting it since the srx line runs pure junos), but i believe that you can just set up filtering lists both inbound and outbound that prevent the russian netblocks from coming in (which is a pretty safe bet -- unless you need to conduct business with russian domains). it may also pay to look at team-cymru for up to date bogon and unallocated route filtering.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."

sk1939
Premium
join:2010-10-23
Washington, DC

Well that makes sense then.

It's unsolicited, nothing that goes on in the network has anything to do with any domain in Eastern Europe.

I really want to block the entirety of Eastern Europe, but I can't think of an easy way to create a rule to block that many various IP's.

Funny you mention the SRX line, I'm thinking of replacing the SSG with an SRX100 or MAG2600 for VPN/IPS performance. There is a TippingPoint 1200E in place right now for IPS, but it's sheer overkill for a 25/25 Metro-E connection.



tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ

said by sk1939:

I really want to block the entirety of Eastern Europe, but I can't think of an easy way to create a rule to block that many various IP's.

look at the registry entries for the rir that handles europe. you'll get a good idea of the blocks allocated.

Funny you mention the SRX line, I'm thinking of replacing the SSG with an SRX100 or MAG2600 for VPN/IPS performance.

srx100 or srx240 would fit the bill nicely. i believe the 240 gives you clustering abilities, where the 100 doesn't. nice feature to have if you standardize on a platform at all sites, as it allows you to scale accordingly. in terms of raw performance -- the srx line is monstrous and will eat just about anything out there in the same size class.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."

sk1939
Premium
join:2010-10-23
Washington, DC

I was referring more to the entry of the giant list of IP addresses into the SSG.

I'll get a price quote for the 240 and see, but we have more Cisco gear than not on the remote sites. There are only a handful of SSG5's floating around. Also I just noticed that the 240 is 4x the cost, so I'll have to take that into consideration as well.
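Turning the RIR allocation data into something the SSG will swallow is mostly a scripting job, so here is an added example (mine, not from anyone in this thread). It parses the "delegated-extended" statistics format the RIRs publish (for RIPE NCC the file is delegated-ripencc-extended-latest under ftp.ripe.net/pub/stats/ripencc/), keeps the rows for the country codes you want, converts each start+count row into CIDR prefixes (counts are not always a power of two, so one row can yield several), aggregates adjacent prefixes, and emits ScreenOS CLI: one address object per prefix in the Untrust zone, one address group, and a deny policy in each direction. The sample rows are constructed from documentation ranges and carry made-up country codes; the zone names Untrust/Trust come from the thread, and the ScreenOS syntax is assumed to match the 6.x CLI (check "get policy" / "get address Untrust" after pasting). Two caveats a practitioner should keep in mind: the country code in these files is the registrant's country, not where a host actually sits, and a country block is a noise filter, not a control, since an attacker can just as easily come from a host anywhere else.

```python
import ipaddress

# Constructed excerpt in the RIR delegated-extended format:
#   registry|cc|type|start|value|date|status|opaque-id
# For ipv4 rows "value" is a COUNT of addresses; for ipv6 rows it is a
# prefix length. These are documentation prefixes with invented country
# codes, not real allocations.
SAMPLE_DELEGATED = """\
#version|registry|serial|records|startdate|enddate|UTCoffset
ripencc|*|ipv4|*|4|summary
ripencc|RU|ipv4|192.0.2.0|256|20120824|allocated|example-1
ripencc|RU|ipv4|192.0.3.0|256|20120824|allocated|example-2
ripencc|DE|ipv4|198.51.100.0|512|20120824|allocated|example-3
ripencc|RU|ipv4|203.0.113.0|768|20120824|assigned|example-4
ripencc|RU|ipv6|2001:db8::|32|20120824|allocated|example-5
ripencc|RU|asn|64496|1|20120824|allocated|example-6
"""


def country_prefixes(delegated_text, countries, want_v6=False):
    """Return the aggregated IPv4 (or IPv6) networks registered to the given ISO country codes."""
    nets = []
    for line in delegated_text.splitlines():
        if not line or line.startswith("#"):
            continue  # version header / comments
        fields = line.split("|")
        # Summary rows carry "*" as the cc and never match a real country code.
        if len(fields) < 5 or fields[1] not in countries:
            continue
        _, _cc, kind, start, value = fields[:5]
        if kind == "ipv4" and not want_v6:
            first = ipaddress.IPv4Address(start)
            last = first + (int(value) - 1)  # inclusive end of the allocation
            # A count such as 768 is not a single CIDR; summarize splits it
            # into the minimal list of prefixes covering the range.
            nets.extend(ipaddress.summarize_address_range(first, last))
        elif kind == "ipv6" and want_v6:
            nets.append(ipaddress.IPv6Network(f"{start}/{value}"))
        # asn rows and the other address family are ignored
    # Merge adjacent/overlapping prefixes so the SSG gets as few objects as possible.
    return list(ipaddress.collapse_addresses(nets))


def screenos_config(nets, zone="Untrust", group="RU-blocks", inside="Trust"):
    """Emit ScreenOS CLI (assumed 6.x syntax): address objects, a group, and deny policies.

    The address book in ScreenOS is per zone; the group lives in the Untrust zone
    so it can be the SOURCE of an Untrust->Trust policy and the DESTINATION of a
    Trust->Untrust policy (the inbound/outbound pair tubbynet describes).
    """
    lines = []
    for i, net in enumerate(nets, 1):
        name = f"{group}-{i}"
        lines.append(f'set address "{zone}" "{name}" {net.network_address} {net.netmask}')
        lines.append(f'set group address "{zone}" "{group}" add "{name}"')
    # "top" puts the deny ahead of any existing permit so it is evaluated first.
    lines.append(f'set policy top from "{zone}" to "{inside}" "{group}" "Any" "ANY" deny log')
    lines.append(f'set policy top from "{inside}" to "{zone}" "Any" "{group}" "ANY" deny log')
    return lines


if __name__ == "__main__":
    for cmd in screenos_config(country_prefixes(SAMPLE_DELEGATED, {"RU"})):
        print(cmd)
```

Point the script at the real delegated file and a set of country codes, paste the output into the SSG console (or push it over its management interface), and re-run it on a schedule: allocations change, and a stale list silently drifts. The same parse-and-aggregate routine works for a bogon list such as the Team Cymru one, only the input format differs.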



LazLong


reply to sk1939

said by sk1939:

I really want to block the entirety of Eastern Europe, but I can't think of an easy way to create a rule to block that many various IP's.

Your "Russians" subject line caught my eye, and I noticed you would like to block traffic based upon geography. Astaro will do that, if you are interested in moving to another appliance. My only experience with Astaro is on my home network, but I absolutely love it. I was using Untangle because of Astaro's 10 IP limit for free home use, but they have since then changed the license to 50 IP's for home use and I switched. I love Astaro's reports and change tracking.

No, I am not an Astaro employee or reseller; just an enthusiastic user.

© 1999-2013 dslreports.com