  J D McDorce Premium join:2001-12-29 Westland, MI
| [Nexland] New Firmware
As noted in the following article, Symantec has released new firmware for the Nexland firewall appliances: »www.eweek.com/article2/0,1759,1747047,00.asp
The following is a direct link to the firmware for the Nexland Pro100/ Pro400 / Pro800 / Pro800turbo series at Symantec's site: »www.symantec.com/techsupp/enterp···les.html |
|
  Need BB
join:2001-12-21 Westwood, MA | Thanks, would never have known about it if there was no post! |
|
  Need BB
join:2001-12-21 Westwood, MA | What are the differences between the all and app firmwares? |
|
 Peterg1 Premium join:2001-12-29 | All resets your configuration to default. App retains them all.
Peter |
|
  KAIFS V I P Premium,MVM join:2001-01-11 CHEEEESE WI
·AT&T Midwest
edit: January 3rd, @05:59PM
| reply to J D McDorce Has anyone tried it and can comment in detail on it?
very interested!!!
release notes indicate:
Corrections Included in this Release:
Issue 1 - Denial of service caused by a fast UDP port scan
A fast map UDP port scan against all ports (i.e. 1-65535) on the WAN interface of the firewall will cause the firewall to lock up and stop responding. Turning the power off and on will reset the firewall.
Issue 2 - Filter bypass on WAN interface
A UDP port scan against the WAN interface of the firewall from a source port of UDP 53 bypasses filter on WAN interface and exposes the tftpd, snmpd and isakmp active services. All other ports are reported as closed.
Issue 3 - Default read/write community string on SNMP service
The default read/write community string used by the firewall is public, allowing an attacker to collect and alter the firewall's configuration. By combining this with issue 2 mentioned above, an attacker is able to exploit this against the WAN interface by sending SNMP GET/SET requests whose source port is UDP 53. The administrative interface for the firewall does not allow the operator to disable the service nor change the community strings. |
|
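An added example (not part of the thread and not Symantec's code) for Issue 2 in the release notes quoted above: it contrasts a filter that trusts any inbound UDP packet from source port 53 with one that tracks outbound flows, and flags the packets only the weak filter would pass. The weak rule is an assumed model of the flaw, and the packet records, addresses and function names are constructed for illustration.

```python
from collections import namedtuple

# Constructed sample traffic (not from the thread); addresses are RFC 5737 ranges.
Pkt = namedtuple("Pkt", "t direction src sport dst dport")
WAN_IP = "203.0.113.10"
PACKETS = [
    Pkt(1.0, "out", WAN_IP, 40001, "198.51.100.53", 53),  # genuine DNS query
    Pkt(1.1, "in", "198.51.100.53", 53, WAN_IP, 40001),   # its reply
    Pkt(5.0, "in", "192.0.2.66", 53, WAN_IP, 161),        # unsolicited, to snmpd
    Pkt(5.1, "in", "192.0.2.66", 53, WAN_IP, 69),         # unsolicited, to tftpd
    Pkt(5.2, "in", "192.0.2.66", 53, WAN_IP, 500),        # unsolicited, to isakmp
    Pkt(5.3, "in", "192.0.2.66", 4444, WAN_IP, 161),      # ordinary source port
]
EXPOSED = {69: "tftpd", 161: "snmpd", 500: "isakmp"}  # services named in Issue 2

def stateless_allows(p):
    """Assumed weak rule: accept any inbound UDP whose source port is 53."""
    return p.direction == "in" and p.sport == 53

def stateful_verdicts(packets, timeout=30.0):
    """Accept inbound UDP only when it answers a recent outbound flow."""
    flows, verdicts = {}, []
    for p in packets:
        if p.direction == "out":
            # Remember (remote address, remote port, local port) and when it was sent.
            flows[(p.dst, p.dport, p.sport)] = p.t
            continue
        seen = flows.get((p.src, p.sport, p.dport))
        verdicts.append((p, seen is not None and p.t - seen <= timeout))
    return verdicts

def bypass_alerts(packets):
    """Report packets the weak rule passes but flow tracking rejects."""
    return [
        f"{p.src}:{p.sport} -> {EXPOSED.get(p.dport, p.dport)}"
        for p, ok in stateful_verdicts(packets)
        if not ok and stateless_allows(p)
    ]

if __name__ == "__main__":
    for line in bypass_alerts(PACKETS):
        print("ALERT unsolicited src-port-53 UDP:", line)
```

The same comparison works as a log review rule upstream of the appliance: inbound UDP with source port 53 that matches no recent outbound query is worth an alert.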
  Need BB
join:2001-12-21 Westwood, MA
| reply to Peterg1 Well I get "PID not matched" error on my pro100. Is this because the file is for the pro400 even though it says pro100/400? -- Hacking the D-link 900+ at:»home.earthlink.net/~mlampie/Powe···00+.html |
|
  KAIFS V I P Premium,MVM join:2001-01-11 CHEEEESE WI | reply to J D McDorce do we have to change jumpers for firmware upgrade via nxtftpw utility? mine keeps timing out for whatever reason.... |
|
 Peterg1 Premium join:2001-12-29
| reply to KAIFS
said by KAIFS: Has anyone tried it and can comment in detail on it? very interested!!!
I have flashed my Pro 800 and it was uneventful as always. I have not tested whether the fixes actually work but I assume they do.
That all being said, I do not believe that this fix addresses other problems that the Nexland line have had, inter alia, operability with certain cablemodem systems.
If one looks at the sister Symantec line (100, 200 etc) you will see that there have been other fixes which, from the release notes for the new Nexland firmware were not implemented. And the differences between the Nexland and Symantec were very small (ability to function as a VPN endpoint, supposed SPI capability although same processing power and memory).
I made a usenet post on this here:
»tinyurl.com/5hclq
Peter |
|
  KAIFS V I P Premium,MVM join:2001-01-11 CHEEEESE WI
·AT&T Midwest
| reply to J D McDorce I have 800 pro turbo and so far can't update. can someone tell me if jumpers on the back have to be in certain order for a firmware upgrade or not? -- Bush told us he would create jobs - he just didn't tell us they would be in China, India and the Philippines. |
|
  Need BB
join:2001-12-21 Westwood, MA
| reply to Peterg1 Well we need to find out how to change the device id, so we can flash the Symantec firmware on the nexland. -- Hacking the D-link 900+ at:»home.earthlink.net/~mlampie/Powe···00+.html |
|
  Need BB
join:2001-12-21 Westwood, MA | jumpers 1&2 have to be down. I am p*ssed that this doesn't work with the pro100! |
|
 Peterg1 Premium join:2001-12-29
| reply to KAIFS
said by KAIFS: do we have to change jumpers for firmware upgrade via nxtftpw utility? mine keeps timing out for whatever reason....
Here is the proper procedure:
1. Power off the unit (the manual says pull the plug which I assume may be somewhat different than turning off the power switch).
2. Flip DIP switch 1 & 2 to the ON position (DOWN).
3. Put the power plug back into the unit
4. Navigate to where you downloaded nxtftpw and double-click it.
You will get a dialog box and select the firmware to flash and the address of the router (normally 192.168.0.1).
Press PUT and you will see it make several "tries" which is normal.
Once you get a success message return the dip switches to normal (the up position), power down the router and then power it up again.
Peter |
|
 Peterg1 Premium join:2001-12-29
| reply to Need BB
said by Need BB: Well we need to find out how to change the device id, so we can flash the Symantec firmware on the nexland.
There was quite a detailed thread on this forum a few months ago and someone did look into this in depth and tried various experiments. It simply did not work. You will find this with a search.
I think we just have to be satisfied with small mercies and accept what Symantec has given us.
Peter |
|
  KAIFS V I P Premium,MVM join:2001-01-11 CHEEEESE WI | reply to J D McDorce thanks a bunch, it worked and it was almost immediate in my case. did the app one |
|
  Need BB
join:2001-12-21 Westwood, MA | Well almost got the firmware to work except I get a wrong block number error. |
|
  Need BB
join:2001-12-21 Westwood, MA
| Well I got the regular 6U for the Pro400 modded to the Pro100 to work. The Pro100 is different from the Symantec line. I just changed the hex in the beginning! -- Hacking the D-link 900+ at:»home.earthlink.net/~mlampie/Powe···00+.html |
|
 Peterg1 Premium join:2001-12-29
| reply to J D McDorce Somewhat off-topic but definitely of interest to me at least, is that I started searching the forums here for mentions of Nexland. I then saw someone mention Hotbrick and stated that this was started by ex-Nexland staff.
Hotbrick are at www.hotbrick.com and it was really interesting to look at their products. Pricing is very competitive - much cheaper than what we paid for our Nexland Products (I have the Pro 800) and they state that they offer SPI (which Nexland did not) and the WAN speeds, at least for the LB2 which interests me a lot, are up to 55 Mbps which is far higher than what we had with our Nexlands, which were a max of 8 Mbps. I downloaded the manual and there is far greater configurability than we have now with apparently great reporting capabilities. It also seems to be made of metal like my Pro 800 (I hate plastic).
Here is a review of the LB2 (came out a few days ago):
»www.guru3d.com/article/network/161/
All in all, looks very interesting to me as being a step up from the D-Link/Linksys/SMC stuff which I will not use but below the cost say of Watchguard, Sonicwall etc. I also see that there has been a firmware upgrade as of December 2004 which is heartening.
Anyhow, this looks definitely near the top of my list to investigate for my next router. As it stands now, in Vancouver I am using Telus DSL 2.5 Mbps and I did try the competing Shaw Cable for a brief while but one of the firmware bugs with the Nexland reared its head. I received packet loss with the Nexland in the chain but none when I took the Nexland out. I also note that Hotbrick have a decent distribution network already with an office in Canada and the Netherlands at least and many websites selling their products.
Peter |
|
  KAIFS V I P Premium,MVM join:2001-01-11 CHEEEESE WI
·AT&T Midwest
| what these things have been lacking, at least in my case, is multi-NAT translation. I have two dsl connections at home, one dynamic, another 5-static IPs. None of these dual WAN routers allow me to translate all 5 IPs on one of the WANs... Just wishful thinking here. -- Bush told us he would create jobs - he just didn't tell us they would be in China, India and the Philippines. |
|
 Kirby Smith
join:2001-01-26 Derry, NH
·Verizon FIOS
| I believe my Xincom 502 can translate them to the DMZ. I didn't see any way to get them onto the LAN. But then, I may have missed something.
I suspect that you would need a command language router, such as the Zyxel 35 or 70 or various Cisco offerings. Unfortunately, they cost a bunch more than a 502.
You may want to ask the question in the Networking forum.
kirby |
|
 danweber Premium join:1999-07-09 Pompano Beach, FL | reply to Peterg1 Funny, it looks just like a Xincom 502 and even the config menus are almost the same. Now who is building it and who is re-branding it only? |
|