From firewalls-owner Fri Sep 1 05:30:12 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA23523 for firewalls-outgoing; Fri, 1 Sep 1995 05:21:57 -0700 Received: from imonics.com (netadmin.imonics.com [192.154.44.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA23516 for ; Fri, 1 Sep 1995 05:21:53 -0700 Received: from faraday.imonics.com (faraday.imonics.com [205.139.210.246]) by imonics.com (8.6.12/8.6.12) with SMTP id IAA14587 for ; Fri, 1 Sep 1995 08:20:26 -0400 From: James Brigman - Imonics Development Received: by faraday.imonics.com (5.x/SMI-SVR4) id AA00605; Fri, 1 Sep 1995 08:20:21 -0400 Date: Fri, 1 Sep 1995 08:20:21 -0400 Message-Id: <9509011220.AA00605@faraday.imonics.com> To: firewalls@greatcircle.com Subject: Re: Linux distributions X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thu, 31 Aug 1995, Andrew Foss wrote:
> I've a need for a Linux bastion host to relay mail. The only distribution
> I've worked with is Yggdrasil?sp?
> Does anyone with more Linux experience than I, have any preference for one
> version over another? If so, where can I get it, I'm not on any Linux
> mailing lists.

Personal Experiences:
- yggdrasil lags some of the other releases
- their mscdex driver never worked with Mitsumi 4x IDE cdrom
- this information applies to the "fall 94" release of yggdrasil
- Avoid the "fall 94" Yggdrasil release

Now using Slackware (1.2.3 kernel) and Red Hat
- Both install very differently
- Good success with both
- Red Hat comes with some pretty nice tools
- Slackware=PHT April 1995 and Red Hat "Mother's Day" Release
- New Red Hat in the works.

I haven't run a firewall with either, but there are active discussions on the mailing lists for both. URL: www.redhat.com and www.pht.com.

Gud Luk...
From firewalls-owner Fri Sep 1 06:02:41 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA24429 for firewalls-outgoing; Fri, 1 Sep 1995 06:00:38 -0700 Received: from imonics.com (netadmin.imonics.com [192.154.44.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA24414 for ; Fri, 1 Sep 1995 06:00:35 -0700 Received: from faraday.imonics.com (faraday.imonics.com [205.139.210.246]) by imonics.com (8.6.12/8.6.12) with SMTP id IAA15195 for ; Fri, 1 Sep 1995 08:59:09 -0400 From: James Brigman - Imonics Development Received: by faraday.imonics.com (5.x/SMI-SVR4) id AA00624; Fri, 1 Sep 1995 08:59:04 -0400 Date: Fri, 1 Sep 1995 08:59:04 -0400 Message-Id: <9509011259.AA00624@faraday.imonics.com> To: firewalls@greatcircle.com Subject: Re: Linux distributions X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> James Brigman - Imonics Development wrote this:
> >
> > - Slackware=PHT April 1995 and Red Hat "Mother's Day" Release
>
> Hi -- I've run various Slackware releases for a couple of years and
> haven't heard of "PHT". What does that stand for?
>
> Thanks!
> -Bill
>
> --
> Bill Heiser, Individual, Inc., Network Services
> billh@individual.com (home: bill@bh.org, http://www.bh.org/)

Bill:

"PHT" is Pacific Hi-Tech. They are a distributor of a very inexpensive two CD-ROM version of Slackware. They also have a nice reprint of the Matt Welsh documentation.

Please forgive the bandwidth: I have no connection to PHT, commercial or otherwise....JKB

From firewalls-owner Fri Sep 1 06:30:29 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA25206 for firewalls-outgoing; Fri, 1 Sep 1995 06:25:00 -0700 Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.70.210]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA25199; Fri, 1 Sep 1995 06:24:57 -0700 Message-Id: <199509011324.GAA25199@miles.greatcircle.com> Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA278111325; Fri, 1 Sep 1995 09:15:25 -0400 Date: Fri, 1 Sep 1995 09:15:25 -0400 From: gary flynn To: gary@habanero.jmu.edu, isdmill@gatekeeper.ddp.state.me.us Subject: Re: HannaH from SecureWare Inc. Cc: adm_lcorea@vax1.acs.jmu.edu, firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM, foxtrot@sware.com, oit_cathy@vax1.acs.jmu.edu, oit_charles@vax1.acs.jmu.edu, oit_dbh@vax1.acs.jmu.edu, shan.bell@sware.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> > This Hannah product looks like what I've been looking for. It puts
> > "network security" where it belongs...on the nodes. I liken this
> > to putting locks on building doors rather than gates across
> > heavily traveled roads. Then the communications infrastructure
> > can be upgraded and used as intended...as a communications highway.
> > Problems with firewall throughput go away.
> > [...]
> > Is anyone else excited about this product or am I missing something?
>
> I'm not familiar with this particular product. That said, I'd like to
> address a couple of points that you make about it.
>
> First, there's the possibility that people will not use the product, or
> that their product will not fit all types, styles, and rev levels of
> computer on your network. Once one of the systems on your network is
> compromised it becomes a safe staging area for attacks on the rest of
> your network. Which leads us to ...
>

Policy should take care of what people use. If policy is ignored, then you won't have much security no matter what you do. The product is limited to winsock, hpux, and SCO right now but good products have a habit of being rapidly ported. If the critical systems are protected individually, it's less disastrous if a non-critical system gets compromised. This isn't true of a "soft chewy center".

> Second, the whole reason people put the soft chewy center in the middle
> of a very hard shell is so there is a single access point to be
> administered. It's one thing to get a good security person to
> manage/monitor the firewall through which all traffic flows. It's
> another thing altogether (usually thought impossible in any sizeable
> installation) to try and have many administrators adequately secure their
> systems.
>

Hannah is centrally administered although you have to install the product on all the platforms. So there is a central security administrator. Software distribution, installation, and configuration management mechanisms and policies need to exist for network/node management anyway, so the addition of one more product shouldn't negate the overall concept.
gary

From firewalls-owner Fri Sep 1 07:00:47 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA25898 for firewalls-outgoing; Fri, 1 Sep 1995 06:53:12 -0700 Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA25891 for ; Fri, 1 Sep 1995 06:53:09 -0700 From: long-morrow@CS.YALE.EDU Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU via ESMTP; Fri, 1 Sep 1995 09:51:28 -0400 Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.6.12/res.client.cf-3.7) id JAA02782; Fri, 1 Sep 1995 09:51:26 -0400 Date: Fri, 1 Sep 1995 09:51:26 -0400 Message-Id: <199509011351.JAA02782@SPARKY.CF.CS.YALE.EDU> To: firewalls@greatcircle.com, teck@ms.mimos.my Subject: Re: comparison study between DES and RSA Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Lee Hooi Teck wrote:
> I am looking into network security currently and found that most of the
> products use either DES or RSA for authentication and encryption.
>
> Is there any info or document that has mentioned the pros and cons of
> these two types of cryptosystems? How are these technologies being used in
> digital signatures?
>
> Hope that there is info for the export issue on these two systems as well.

There are three recent books which cover cryptosystems, digital signatures and related material in some detail:

1. "Applied Cryptography" by Bruce Schneier
2. "Network Security - PRIVATE Communication in a PUBLIC World", by Charles Kaufman, Radia Perlman and Mike Speciner
3. and Stallings' new book which has a title which looks something like "Network and Internetwork Security"

- Morrow

From firewalls-owner Fri Sep 1 07:02:40 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA25605 for firewalls-outgoing; Fri, 1 Sep 1995 06:45:03 -0700 Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.70.210]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA25590; Fri, 1 Sep 1995 06:44:58 -0700 Message-Id: <199509011344.GAA25590@miles.greatcircle.com> Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA280182528; Fri, 1 Sep 1995 09:35:29 -0400 Date: Fri, 1 Sep 1995 09:35:29 -0400 From: gary flynn To: alan@mid.net, isdmill@gatekeeper.ddp.state.me.us Subject: Re: HannaH from SecureWare Inc. Cc: adm_lcorea@vax1.acs.jmu.edu, firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM, foxtrot@sware.com, gary@habanero.jmu.edu, oit_cathy@vax1.acs.jmu.edu, oit_charles@vax1.acs.jmu.edu, oit_dbh@vax1.acs.jmu.edu, shan.bell@sware.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Alan Hannan wrote:
> -dm-]
> -dm-] On Thu, 31 Aug 1995, gary flynn wrote:
> -dm-]
> gflynn] This Hannah product looks like what I've been looking for. It puts
> gflynn] "network security" where it belongs...on the nodes. I liken this
> gflynn] to putting locks on building doors rather than gates across
> gflynn] heavily traveled roads. Then the communications infrastructure
> gflynn] can be upgraded and used as intended...as a communications highway.
> gflynn] Problems with firewall throughput go away.
>
> Sure, let's just open up the bloody borders of our country to anyone, we
> wouldn't want to impede any travel, would we? Heaven forbid Iraqis should
> actually have to stop at the border to our country, we should allow
> them and all others to come in unimpeded. Geez.
>

Then again, if you have to go through customs in everyday affairs across the neighborhood, it makes getting work done a bit tedious.
Not to mention the inefficiencies in upgrading to newer, faster communications technology, protocols, or products. If they can't access anything once inside the border, what's the harm? The whole point is protecting assets. But enough with the highway analogy.

Given that a network is a group of interconnected computing devices, then "network security" doesn't necessarily mean data communications security. It means the resources connected to the data communications are secure. I think it would be better to secure the resources in some central way than to impede the data communications. If the node is protected from access and its communications with other nodes are authenticated and encrypted, doesn't this solve the problem?

> gflynn] Is anyone else excited about this product or am I missing something?
> -dm-]
> -dm-] I'm not familiar with this particular product. That said, I'd like to
> -dm-] address a couple of points that you make about it.
> -dm-]
> -dm-] Second, the whole reason people put the soft chewy center in the middle
> -dm-] of a very hard shell is so there is a single access point to be
> -dm-] administered. It's one thing to get a good security person to
> -dm-] manage/monitor the firewall through which all traffic flows. It's
> -dm-] another thing altogether (usually thought impossible in any sizeable
> -dm-] installation) to try and have many administrators adequately secure their
> -dm-] systems.
>
> Quite obviously, one that thinks individual host security should have
> more emphasis than network security has never tried to implement such a
> policy. More clearly, one who thinks indiv. hosts are more important
> than network security has no concept of time=money.
>

I thought the intention of "network security" was to protect individual hosts. Implementation of host based security is hampered by the necessity to administer hosts with inherently poor security. If good products are embedded into the operating systems of the hosts, the implementation should prove much easier and more effective.

Gary Flynn
Network Manager
James Madison University

> --
> Alan Hannan Email: alan@mid.net
> Network Systems Administrator Voice: (402) 472-0239
> MIDnet, Lincoln NOC Office Fax: (402) 472-0240
>
> " [sometimes] the game of outsmarting the supervisor is
> more interesting than the work itself " - Quinn Mills
>

From firewalls-owner Fri Sep 1 07:30:19 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA26706 for firewalls-outgoing; Fri, 1 Sep 1995 07:18:32 -0700 Received: from yage.tembel.org (yage.tembel.org [206.43.170.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA26699 for ; Fri, 1 Sep 1995 07:18:26 -0700 Received: by yage.tembel.org (Smail3.1.29.1 #9) id m0soWtu-000DPEC; Fri, 1 Sep 95 14:16 GMT Message-Id: From: shields@tembel.org (Michael Shields) Subject: Re: HannaH from SecureWare Inc. To: gary@habanero.jmu.edu (gary flynn) Date: Fri, 1 Sep 1995 14:16:57 +0000 (GMT) Cc: gary@habanero.jmu.edu, firewalls-digest@GreatCircle.COM In-Reply-To: from "gary flynn" at 1995-09-01 10:00:21 X-Dogma: Microsoft is not the answer. Microsoft is the question. No is the answer. MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Content-Length: 1066 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> My (admittedly limited) understanding of Kerberos leads me
> to believe the following:
>
> 1. Kerberos requires modification of each application that
> it's to be used with. Hence limited support. Hannah allows
> the use of any application using standard winsock or
> socket library calls on supported platforms.

This is true, but it's necessary when you replace the authentication mechanism at the protocol level. Is HannaH providing link-layer encryption on a host-to-host level?

> 2. Kerberos doesn't encrypt the data. Hannah can.

Kerberos can.
> 3. Hannah's "certificate diskette" for each user solves
> some problems that Kerberos has on desktop machines.

This is too vague. Kerberos works by having a ticket-granting ticket, a sort of master metaticket, which is sent from the Kerberos server encrypted in the user's passphrase. If the user can decrypt it (by giving the correct passphrase), he can get tickets which authenticate him to various services. If you describe the "certificate diskette" I can see how it compares.
--
Shields.

From firewalls-owner Fri Sep 1 07:32:40 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA26528 for firewalls-outgoing; Fri, 1 Sep 1995 07:09:59 -0700 Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.70.210]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA26521 for ; Fri, 1 Sep 1995 07:09:50 -0700 Message-Id: <199509011409.HAA26521@miles.greatcircle.com> Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA282694021; Fri, 1 Sep 1995 10:00:21 -0400 Date: Fri, 1 Sep 1995 10:00:21 -0400 From: gary flynn To: gary@habanero.jmu.edu, shields@yage.tembel.org Subject: Re: HannaH from SecureWare Inc. Cc: firewalls-digest@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> > This Hannah product looks like what I've been looking for. It puts
> > "network security" where it belongs...on the nodes. I liken this
> [...]
> > It seems so simple that someone else would have thought of it sooner.
>
> Kerberos. It's been available for many years, it's an open standard,
> it's cross-platform, it's extensible, it's featureful, and the protocol
> has been formally proven.
>
> I don't see what HannaH provides that Kerberos doesn't, except that
> it's proprietary.
> --
> Shields.
>

My (admittedly limited) understanding of Kerberos leads me to believe the following:

1. Kerberos requires modification of each application that it's to be used with. Hence limited support. Hannah allows the use of any application using standard winsock or socket library calls on supported platforms.

2. Kerberos doesn't encrypt the data. Hannah can.

3. Hannah's "certificate diskette" for each user solves some problems that Kerberos has on desktop machines.

gary

From firewalls-owner Fri Sep 1 08:00:25 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA26459 for firewalls-outgoing; Fri, 1 Sep 1995 07:06:33 -0700 Received: from POWERED.ZOO.CS.YALE.EDU (ZOO-GW.CS.YALE.EDU [128.36.0.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA26452 for ; Fri, 1 Sep 1995 07:06:29 -0700 Received: from FROG.ZOO2.CS.YALE.EDU by POWERED.ZOO.CS.YALE.EDU (5.67b/res.host.cf-3.5) with SMTP id AA38296; Fri, 1 Sep 1995 10:05:05 -0400 Received: by FROG.ZOO2.CS.YALE.EDU (Sendmail-5.67b/res.client.cf-3.5) id AA14448; Fri, 1 Sep 1995 10:04:51 -0400 Date: Fri, 1 Sep 1995 10:04:51 -0400 (EDT) From: "Rev. Ben" To: Lee Hooi Teck Cc: firewalls@greatcircle.com Subject: Re: comparison study between DES and RSA In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

On Fri, 1 Sep 1995, Lee Hooi Teck wrote:
> Hi,

Hi Lee.

> I am looking into network security currently and found that most of the
> products use either DES or RSA for authentication and encryption.

They're usually coupled for reasons below.

> Is there any info or document that has mentioned the pros and cons of
> these two types of cryptosystems? How are these technologies being used in
> digital signatures?

DES and RSA are complementary cryptosystems. RSA was invented to be a Public Key Algorithm. This means that it is asymmetric--i.e. that a different key is used for decryption (private key) than for encryption (public key). RSA is very slow, but is used primarily for the secure exchange of keys to faster symmetric block ciphers.
RSA keys can also be an arbitrary length in order to make it as secure as you like. RSA derives its security from the difficulty of doing a discrete logarithm in a finite field.

DES is a symmetric block cipher that uses the same key in both encryption and decryption. It can be very fast to implement in hardware, and derives its security, not from the difficulty of discrete logs, but from being a secure cryptosystem. The key is 56 bits long (8 bytes with the high bit stripped).

> Hope that there is info for the export issue on these two systems as well.

You can get them both off-shore (out of the US)--try hacktic.nl or a yahoo search off shore.

> Thanks in advance for the help.

Certainly.

Ben.
____
Ben Samman..............................................samman@cs.yale.edu
I have learned silence from the talkative, toleration from the intolerant, and kindness from the unkind; yet, strange, I am ungrateful to those teachers.-- K. Gibran.
SUPPORT THE PHIL ZIMMERMANN LEGAL DEFENSE FUND! For information Email: zldf@clark.net http://www.netresponse.com/zldf
PGP encrypted mail welcomed--finger samman@cs.yale.edu for public key

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Auto-signed with Bryce's Auto-PGP v1.0beta3

iQB1AwUBMEcS/b5ALmeTVXAJAQGLbAL/d/+be65OJgUgDGSzL1u7n0ikIB8Z4zpO
GixYKTLdVKDKsnhlhT2XRV4Tj+BedV6sMyRPiq87TnC8kOivoC0Qx52U4eNUvVol
zT60E6yXSJxEs/Aum1ckATFaJQ5Ic7+N
=Co9C
-----END PGP SIGNATURE-----

From firewalls-owner Fri Sep 1 08:30:23 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA29439 for firewalls-outgoing; Fri, 1 Sep 1995 08:25:29 -0700 Received: from phillipe.jmu.edu (phillipe.jmu.edu [134.126.71.226]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA29427; Fri, 1 Sep 1995 08:25:20 -0700 Received: by phillipe.jmu.edu (1.37.109.4/16.2) id AA05741; Fri, 1 Sep 95 11:22:21 -0400 Date: Fri, 1 Sep 1995 11:22:21 -0400 (EDT) From: Charles Cooley To: Alan Hannan Cc: David Miller , Gary Flynn , firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM, adm_lcorea@VAX1.ACS.JMU.EDU, foxtrot@sware.com, oit_cathy@VAX1.ACS.JMU.EDU, oit_charles@VAX1.ACS.JMU.EDU, oit_dbh@VAX1.ACS.JMU.EDU, shan.bell@sware.com Subject: Re: HannaH from SecureWare Inc. In-Reply-To: <199508312229.RAA29405@gaijin.mid.net> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I should know better than to get into my supervisor's discussion with his boss on the CC: list, but ...

Legend:
alan] is Alan Hannan
-dm-] is David Miller
gflynn] is Gary Flynn

-dm-] I'm not familiar with this particular product. That said, I'd like to
-dm-] address a couple of points that you make about it.
...
-dm-] Second, the whole reason people put the soft chewy center in the middle
-dm-] of a very hard shell is so there is a single access point to be
-dm-] administered. It's one thing to get a good security person to
-dm-] manage/monitor the firewall through which all traffic flows. It's
-dm-] another thing altogether (usually thought impossible in any sizeable
-dm-] installation) to try and have many administrators adequately secure
-dm-] their systems.

Troy had strong walls and a decent army and so believed they were safe. A more vigilant night watch was called for since the city was surrounded. "Soft chewy centers" behind a single line of defense are very dangerous.

gflynn] This Hannah product looks like what I've been looking for. It puts
gflynn] "network security" where it belongs...on the nodes. I liken this
gflynn] to putting locks on building doors rather than gates across
gflynn] heavily traveled roads. Then the communications infrastructure
gflynn] can be upgraded and used as intended...as a communications highway.
gflynn] Problems with firewall throughput go away.

alan] Sure, let's just open up the bloody borders of our country to anyone, we
alan] wouldn't want to impede any travel, would we? Heaven forbid Iraqis
alan] should actually have to stop at the border to our country, we should
alan] allow them and all others to come in unimpeded. Geez.

While I agree that firewalls are an important defense to provide overall site security, it's not enough. The impression that I am getting from the two responses to Gary's message is that firewall and other network security are significantly more important than individual host security mechanisms. The national border analogy provides a natural counter argument. Even countries with a strong military and secure borders still maintain an internal police force, and in larger communities individuals make sure that their door is locked. HannaH is designed to provide the "internal" security that most firewall based security strategies don't address. A significant portion of the security breaches are not from "foreigners" but from discontented and anti-social "natives" in the electronic world.

gflynn] Is anyone else excited about this product or am I missing something?

alan] Quite obviously, one that thinks individual host security should have
alan] more emphasis than network security has never tried to implement such a
alan] policy. More clearly, one who thinks indiv. hosts are more important
alan] than network security has no concept of time=money.

I believe that HannaH should be viewed as an alternative to Virtual LAN security schemes instead of firewalls, and one of the complaints about Virtual LANs is maintainability. If you want to talk about time and money and their relation to the size of the network, don't forget that a larger network means a larger center.

One of HannaH's advantages is that it provides a mechanism to provide security based on the identity of a person rather than a host. The old Internet concept of host is out of date. Hosts were multi-user systems owned and MANAGED by organizations and individual people were authenticated by those hosts.
With the proliferation of PC class systems, many systems connected to networks are single user systems. The old assumptions about security (like the "secure" ports below 512/1024) can be very dangerous. On our campus, we are already doing packet filtering at the routers, and eavesdrop protection, etc. at the hubs. In our environment, the same network and even the same machine may be used by students, faculty and staff for any number of different tasks. A mixed population which can not be physically separated poses a problem that is significantly more complex than the "us" vs "them" situation.

Charles Cooley
Network Analyst

From firewalls-owner Fri Sep 1 08:32:40 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA29391 for firewalls-outgoing; Fri, 1 Sep 1995 08:23:16 -0700 Received: from yage.tembel.org (yage.tembel.org [206.43.170.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA29383 for ; Fri, 1 Sep 1995 08:23:06 -0700 Received: by yage.tembel.org (Smail3.1.29.1 #9) id m0soXuT-000DS5C; Fri, 1 Sep 95 15:21 GMT Message-Id: From: shields@tembel.org (Michael Shields) Subject: Re: HannaH from SecureWare Inc. To: gary@habanero.jmu.edu (gary flynn) Date: Fri, 1 Sep 1995 15:21:35 +0000 (GMT) Cc: firewalls@greatcircle.com In-Reply-To: from "gary flynn" at 1995-09-01 10:29:39 X-Dogma: Microsoft is not the answer. Microsoft is the question. No is the answer. MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Content-Length: 2677 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> I think I'll save us both some time and just point you at
> their web page. There is a white paper there that seems
> fairly comprehensive. With your understanding of Kerberos,
> you may be able to draw better comparisons than if I
> try and send you second hand information. I would appreciate
> your opinion of the product if you get a chance to look
> at it, though.
>
> www.sware.com/papers/hannah

Based on that white paper, an analysis:

HannaH requires key distribution on read-only floppies, which contain a key "wrapped" (encrypted) in the user's password. This is a primitive attempt at two-factor authentication, but since floppies can be copied, it seems a poor one. It also rules out many portables which have no floppy drives. Finally, as long as you require the user to carry something, why not something like a smart token, which can prove that the user holds it?

HannaH provides authorization and logging mechanisms. Kerberos, per se, does not; it only provides authentication and integrity. While this isn't necessarily a bad architecture, taking access control out of the hands of the protocol does break many assumptions in protocols designed for Internet use. I think that because of this, many common applications will have to be modified for HannaH anyway.

HannaH claims transparency. I don't know what mechanism they use, so I can't comment on whether it is robust when communicating with non-HannaH endpoints.

HannaH only protects TCP. Kerberos protects anything.

I don't see a formal description of the HannaH protocol. Is it proprietary? Kerberos is public, and has even been formally proven.

HannaH works "in direct opposition to many security efforts in the networking standards communities" (their words!). Because of this I don't know if the protocol is secure.

Kerberos allows a tree or mesh of servers for distributed management. Kerberos allows redundant servers. HannaH seems to have one per "organization" and no inter-realm communication.

The list at the end of the "what is unique about HannaH?" section seems to boil down to "HannaH doesn't have clear abstraction boundaries and thus is better than these individual services that do one thing each". This isn't clear thinking.

Overall, I'd say as a first impression, that HannaH tries to be many things but doesn't convince me it does any of them especially well. It will probably find some market as a package solution but seems inferior to Kerberos plus management tools. (Kerberos could use someone to package it up as a security solution, since it's an excellent protocol.)

I'd appreciate a comparison of HannaH vs. IPSEC by someone who knows about IPSEC.
--
Shields.

From firewalls-owner Fri Sep 1 09:02:02 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA29252 for firewalls-outgoing; Fri, 1 Sep 1995 08:17:00 -0700 Received: from gatekeeper.ddp.state.me.us (gatekeeper.ddp.state.me.us [141.114.130.70]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA29240; Fri, 1 Sep 1995 08:16:56 -0700 Received: from localhost by gatekeeper.ddp.state.me.us (8.6.5/1.37) id LAA05189; Fri, 1 Sep 1995 11:10:04 -0400 Date: Fri, 1 Sep 1995 11:10:03 -0400 (EDT) From: David Miller Subject: Re: HannaH from SecureWare Inc. To: gary flynn cc: gary@habanero.jmu.edu, adm_lcorea@vax1.acs.jmu.edu, firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM, foxtrot@sware.com, oit_cathy@vax1.acs.jmu.edu, oit_charles@vax1.acs.jmu.edu, oit_dbh@vax1.acs.jmu.edu, shan.bell@sware.com In-Reply-To: <199509011318.JAA27684@gatekeeper.ddp.state.me.us> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Fri, 1 Sep 1995, gary flynn wrote:
> > > This Hannah product looks like what I've been looking for. It puts
> > > "network security" where it belongs...on the nodes. I liken this
> > > to putting locks on building doors rather than gates across
> > > heavily traveled roads. Then the communications infrastructure
> > > can be upgraded and used as intended...as a communications highway.
> > > Problems with firewall throughput go away.
> >
> > [...]
> >
> > > Is anyone else excited about this product or am I missing something?
> > First, there's the possibility that people will not use the product, or > > that their product will not fit all type, styles, and rev levels of > > computer on your network. Once one of the systems on your network is > > compromised it becomes a safe staging area for attacks on the rest of > > your network. Which leads us to ... > > > > Policy should take care of what people use. If policy is ignored, then > you won't have much security no matter what you do. The product is That may be a justification, but it's not reality. There's a big difference between passively not following a policy by putting up a new product (Win 95 maybe) for which no security piece yet exists, and actively not following policy by a user maliciously establishing an outbound tcp connection to a remote host and passing all your confidential data out. Putting up a firewall secures the systems within which are run by well meaning but ignorant people. (From the external network, of course, not from all possible attacks). > limited to winsock, hpux, and SCO right now but good products have a > habit of being rapidly ported. If the critical systems are protected > individually, its less disasterous if a non-critical system gets > compromised. This isn't true of a "soft chewy center". And what happens when users try something different? BTW "winsock" is an API, not a particular product. It's like saying TCP instead of SCO. Those systems running winsock could be windows, or NT servers, on win95 products. Could be running twinsock, for that matter. > > > Second, the whole reason people put the soft chewy center in the middle > > of a very hard shell is so there is a single access point to be > > administered. It's one thing to get a good security person to > > manage/monitor the firewall through which all traffic flows. It's > > another thing altogether (usually thought impossible in any sizeable > > installation) to try and have many administrators adequately secure their > > systems. 
> > > > Hannah is centrally administered although you have to install the > product on all the platforms. So there is a central security > administrator. Software distribution, installation, and configuration > managment mechanisms and policies need to exist for network/node > management anyway, so the addition of one more product shouldn't > negate the overall concept. If you say so. I rather like the earlier analogy to letting the Iraqis roar down the highway because all the houses are locked. --- David ---------------------------------------------------------------------------- It's *amazing* what one can accomplish when one doesn't know what one can't do! From firewalls-owner Fri Sep 1 09:30:45 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA01436 for firewalls-outgoing; Fri, 1 Sep 1995 09:03:39 -0700 Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA01421 for ; Fri, 1 Sep 1995 09:03:30 -0700 Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id LAA20412; Fri, 1 Sep 1995 11:18:20 -0500 Received: from spirit.sctc.com (spirit.sctc.com [172.17.192.76]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id LAA20408; Fri, 1 Sep 1995 11:18:19 -0500 Received: from hector.sctc.com (hector.sctc.com [172.17.192.85]) by spirit.sctc.com (8.6.12/8.6.10) with ESMTP id LAA16935; Fri, 1 Sep 1995 11:02:05 -0500 Received: (from stockwel@localhost) by hector.sctc.com (8.6.12/8.6.9) id LAA07632; Fri, 1 Sep 1995 11:02:03 -0500 Date: Fri, 1 Sep 1995 11:02:03 -0500 From: Ted Stockwell Message-Id: <199509011602.LAA07632@hector.sctc.com> To: shields@tembel.org (Michael Shields) Cc: firewalls@GreatCircle.COM Subject: Re: FW: Programming Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From: shields@tembel.org (Michael Shields) > Date: Fri, 1 Sep 1995 01:52:10 (GMT) > > > It is a pain to always check for "NULL" after 
> > attempting to allocate memory
> > and to check for buffer overflows. Makes code downright hard to read since
> > the flow of the program is cluttered with error checks. Yet, I depend on all
> > this 'extra' code to make sure that people can't crash my firewall by
> > overflowing memory with long lines, enormous mail recipient lists, busted
> > network packets, and such. We all depend on our vendors doing reliable error
> > handling and "failing safely".
>
> In something like allocating memory, where a failure is always fatal,
> you can easily write an xmalloc() that is a wrapper which either
> returns a non-NULL pointer or dies. Then always call that instead of
> straight malloc(). This is fairly easy.

If a malloc() failure is fatal to the program, then denial of service attacks on long-running daemons become easier. Flood them until they choke on memory resources and then they're gone. When possible, you want to fail the single transaction that depleted memory, but keep running -- resources may become available later when the system is less busy. (Obviously, there are applications where this is not possible/desirable.)

> I always check *every* system call and most library routines as well.
> It's part of my negative-space philosophy to coding -- you want to
> disallow all the actions that are not part of what you want to accomplish.
> It works beautifully.

Maybe we can launch a successful crusade to rewrite every useful piece of code with such good practices. But until that time, you need other security mechanisms to secure this useful, but less trustworthy, legacy code.
-- Ted Stockwell, stockwel@sctc.com, Sidewinder

From firewalls-owner Fri Sep 1 09:32:40 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA02333 for firewalls-outgoing; Fri, 1 Sep 1995 09:17:27 -0700
Received: from ncar.UCAR.EDU (ncar.ucar.edu [192.52.106.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA02324; Fri, 1 Sep 1995 09:17:23 -0700
Message-Id: <199509011615.KAA23389@ncar.ucar.EDU>
Received: by ncar.ucar.EDU (NCAR-local/ NCAR Central Post Office 03/11/93) id KAA23389; Fri, 1 Sep 1995 10:15:41 -0600
Subject: Re: HannaH from SecureWare Inc.
To: cooleycd@jmu.edu (Charles Cooley)
Date: Fri, 1 Sep 95 10:15:39 MDT
Cc: alan@mid.net, isdmill@gatekeeper.ddp.state.me.us, gary@habanero.jmu.edu, firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM, adm_lcorea@VAX1.ACS.JMU.EDU, foxtrot@sware.com, oit_cathy@VAX1.ACS.JMU.EDU, oit_charles@VAX1.ACS.JMU.EDU, oit_dbh@VAX1.ACS.JMU.EDU, shan.bell@sware.com
In-Reply-To: ; from "Charles Cooley" at Sep 1, 95 11:22 am
From: woods@ncar.ucar.edu (Greg Woods)
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> The impression that I am getting from the
> two responses to Gary's message, is that firewall and other network security
> are significantly more important than individual host security mechanisms.

I think there are two things being said here. First of all, firewalls provide more bang for the buck in terms of security. You can provide much more security with much less staff effort by building a firewall than you can by attempting to secure each individual host. The second point is that complete security on an individual host basis is nearly impossible to achieve if you have a decent-sized LAN. (In our own case, we have about 20 different identifiable groups that want to interoperate relatively freely with each other (and well over 1000 hosts), but have differing amounts of sysadmin time and skill available.
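Ted Stockwell's reply to Michael Shields above (in the "FW: Programming" thread) contrasts an xmalloc() that dies on failure with failing only the transaction that ran out of memory, so that a long-running relay survives a flood. The program below is an added example written for this page; it is not code by either poster, nor from Sidewinder or any other product named on this list. It assumes a hypothetical byte budget (budget_malloc(), set_mem_budget()) standing in for a real resource limit so the out-of-memory path can be driven deterministically, and the request lines it handles are constructed test data.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-process memory budget (bytes). A real daemon would rely
 * on setrlimit() or allocator accounting; this counter exists only so the
 * allocation-failure path can be exercised without exhausting the machine. */
static size_t mem_budget = 4096;
static size_t mem_in_use = 0;

void set_mem_budget(size_t bytes) { mem_budget = bytes; }

/* malloc() that honours the budget: returns NULL with errno = ENOMEM when
 * the request would exceed it, exactly as a starved malloc() would. */
static void *budget_malloc(size_t n) {
    if (mem_in_use > mem_budget || n > mem_budget - mem_in_use) {
        errno = ENOMEM;
        return NULL;
    }
    void *p = malloc(n);
    if (p) mem_in_use += n;
    return p;
}

static void budget_free(void *p, size_t n) {
    free(p);
    mem_in_use -= n;
}

/* Style 1, the xmalloc() from the thread: never returns NULL, terminates the
 * process instead. Acceptable in a one-shot tool; in a long-running relay it
 * lets memory pressure take the whole service down. */
void *xmalloc(size_t n) {
    void *p = budget_malloc(n);
    if (p == NULL) {
        perror("xmalloc");
        exit(EXIT_FAILURE);
    }
    return p;
}

/* Style 2, Ted Stockwell's preference: fail only the transaction that could
 * not get memory. handle_line() processes one request line into out[]
 * (upper-cased, as stand-in work). Returns 0 on success, -1 when the line is
 * over the fixed limit or memory is unavailable; the caller logs the failure
 * and keeps serving other clients. */
#define MAX_LINE 1024

int handle_line(const char *line, char *out, size_t out_sz) {
    size_t len = strlen(line);
    if (len >= MAX_LINE || out_sz == 0)
        return -1;                      /* oversize input: reject, never overflow */
    char *copy = budget_malloc(len + 1);
    if (copy == NULL)
        return -1;                      /* ENOMEM: drop this request, stay up */
    memcpy(copy, line, len + 1);
    size_t i;
    for (i = 0; i < len && i + 1 < out_sz; i++)
        out[i] = (char)toupper((unsigned char)copy[i]);
    out[i] = '\0';
    budget_free(copy, len + 1);
    return 0;
}

/* Runs three constructed scenarios and returns how many behaved as intended
 * (expected: 3): a normal line, an over-long line, and a line arriving while
 * memory is exhausted, followed by proof that service resumed afterwards. */
int run_scenarios(void) {
    char out[64];
    char big[MAX_LINE + 8];
    int ok = 0;

    if (handle_line("helo relay.example", out, sizeof out) == 0 &&
        strcmp(out, "HELO RELAY.EXAMPLE") == 0)
        ok++;

    memset(big, 'a', sizeof big - 1);   /* constructed over-long request */
    big[sizeof big - 1] = '\0';
    if (handle_line(big, out, sizeof out) == -1)
        ok++;

    set_mem_budget(4);                  /* simulate exhaustion under load */
    int during = handle_line("rcpt to:<a@example>", out, sizeof out);
    set_mem_budget(4096);               /* pressure eases later */
    int after = handle_line("rcpt to:<a@example>", out, sizeof out);
    if (during == -1 && after == 0)
        ok++;
    return ok;
}

int main(void) {
    printf("%d of 3 scenarios behaved as intended\n", run_scenarios());
    return 0;
}
```

Build with any C99 compiler; main() reports how many of the three constructed scenarios behaved as intended. The property to take from handle_line() is that both the length check and the NULL check turn a hostile or oversized input into one rejected request rather than a dead relay, which is what Ted's message asks for; xmalloc() is kept alongside it only to show the behaviour being argued against.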
To expect every host on our LAN to be adequately secured under these conditions is, at best, unrealistic). The second of these points implies that a firewall is really mandatory unless we're willing to impose security restrictions even upon connections between hosts on our own LAN.

I do NOT think that the presence of a firewall implies that individual host security can therefore be totally neglected. But by concentrating the security effort on a perimeter defense, then internally securing hosts based on the importance of security to that particular host and staff time available, one can do the best possible job in a situation where infinite resources to devote to security are not available.

> A significant portion of the
> security breaches are not from "foreigners" but from discontented and
> anti-social "natives" in the electronic world.

That hasn't been our experience here, although I grant that in the commercial environment this tends to be true. But dealing with internal security threats is a completely different and much more difficult job.

--Greg

From firewalls-owner Fri Sep 1 10:00:16 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA03434 for firewalls-outgoing; Fri, 1 Sep 1995 09:46:50 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA03420 for ; Fri, 1 Sep 1995 09:46:37 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA13852; Fri, 1 Sep 95 12:18:00 -0400
Date: Fri, 1 Sep 95 12:17:59 -0400
Message-Id: <9509011618.AA13852@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E.
Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Security Paradigms (was HannaH)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>One of HannaH's advantages is that it provides a mechanism to provide
>security based on the identity of a person rather than a host. The old
>Internet concept of host is out of date. Hosts were multi-user systems
>owned and MANAGED by organizations and individual people were
>authenticated by those hosts. With the proliferation of PC class
>systems, many systems connected to networks are single user systems.
>The old assumptions about security (like the "secure" ports below 512/1024)
>can be very dangerous.

Charles hits on a very important point: in the daze of old when sysadmins were men and smelled like....sorry rong parable.

In the day of the mainframe, it was in a glass room and had things like "system consoles". Users were often numbered in the thousands but limited in what they could do. In the beginning this was not a matter of security, rather a matter of keeping user "B" from crashing the system when user "A" was 72 hours into a 73 hour Hydracode run. The operators/sysadmins were highly trained individuals who may have gone to week-long schools on things like "device drivers", "networking", "basic system management", "advanced system management", partly paid by the company but mostly supplied as part of the multi-million dollar system lease.

Today we have about the same number of users but *each one* has full "system privilege" over a U$3,000 machine that *might* come with a tutorial written for illiterates. These people are not "trained", like Topsy they "just happen". WE CANNOT AFFORD TO TRAIN THEM. We do not have the resources, or the time, or the "lost productivity" such training would entail. Besides, if we did they would immediately command 40% more pay.

As a result, we have had to move security off the host/node to "somewhere else".
In most cases this is at the firewall/network/subnet level where it again becomes manageable with available resources.

I do not see HannaH as a "user level" mechanism. I do see it as a potentially valuable system for a trusted host on a Bastion Network designed to make sensitive information available to customers via the Internet. This is not a blue sky problem, it is a real one I face daily.

But the point is that we do not have the *luxury* of NOT having a "soft chewy center"; it is the reality of the 90's that unless you are a well-funded government agency, you can't afford a hardened compartmented center where every node can be trusted. We do what we can with what we have and to me, HannaH sounds like it could be a valuable tool.

Warmly,
Padgett

From firewalls-owner Fri Sep 1 10:32:40 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA05660 for firewalls-outgoing; Fri, 1 Sep 1995 10:28:26 -0700
Received: from ix6.ix.netcom.com (ix6.ix.netcom.com [199.182.120.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA05632 for ; Fri, 1 Sep 1995 10:28:21 -0700
Received: from by ix6.ix.netcom.com (8.6.12/SMI-4.1/Netcom) id KAA23363; Fri, 1 Sep 1995 10:24:13 -0700
Date: Fri, 1 Sep 1995 10:24:13 -0700
Message-Id: <199509011724.KAA23363@ix6.ix.netcom.com>
From: clp2@ix.netcom.com (Carol pollard )
Subject: Firewall Requirements Document
To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

---- Begin Forwarded Message
From: clp2@ix.netcom.com (Carol pollard )
Subject: Firewall Requirements Document
To: firewall@greatcircle.com

After monitoring this maillist, I get the impression that the majority of firewall implementations are managed by the network technician experts. Being a security risk analyst, I certainly see why. For whatever reasons, it was decided that our firewall design and implementation project would be led by our security staff...me!!
Obviously, I've had to learn as much about networking as possible and now have a greater appreciation for their responsibility and knowledge! I've been in the process of documenting our requirements for the firewall, but most of them are from a security perspective. Is anyone willing to share with me their process for developing a requirements document that covers both security-related and networking-related issues? Should requirement documents for firewalls be detailed or at a high level? Are we actually taking the time to document requirements?? We don't do anything without a requirements doc, but usually the person writing the doc has been deemed the "expert". We have our policy, but it's at a very high level.

Any help or examples of firewall requirements would be greatly appreciated.

Carol

---- End Forwarded Message

From firewalls-owner Fri Sep 1 10:38:58 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA04727 for firewalls-outgoing; Fri, 1 Sep 1995 10:06:03 -0700
Received: from relay1gw.alcatel.fr (relay1gw.alcatel.fr [193.104.30.53]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA04719 for ; Fri, 1 Sep 1995 10:05:58 -0700
Received: from istans.ansf.alcatel.fr by relay1gw.alcatel.fr with SMTP (1.37.109.8/16.2) id AA14898; Fri, 1 Sep 1995 19:03:54 +0200
Received: from ahqp14.ansf.alcatel.fr ([155.132.120.211]) by istans.ansf.alcatel.fr (4.1/SMI-4.1) id AA03029; Fri, 1 Sep 95 19:06:29 +0200
Message-Id: <9509011706.AA03029@istans.ansf.alcatel.fr>
Comments: Authenticated sender is
From: "Kare Presttun"
Organization: Alcanet International
To: Firewalls@GreatCircle.COM
Date: Fri, 1 Sep 1995 19:09:21 +0200
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Subject: Re: comparison study between DES and RSA
Reply-To: Kare.Presttun@ansf.alcatel.fr
Priority: normal
X-Mailer: Pegasus Mail for Windows (v2.01)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: Lee
> Hooi Teck
> Date: Fri, 1 Sep 1995 11:18:21 +0800
> Subject: comparison study between DES and RSA
>
> Hi,
>
> I am looking into network security currently and found that most of the
> products use either DES or RSA for authentication and encryption.
>
> Is there any info or document that has mentioned the pros and cons of
> these two types of cryptosystems? How are these technologies being used in
> digital signature?
>

Go to www.rsa.com and pick up their Crypto FAQ. Go to www.eff.org and pick up another Crypto FAQ, and political stuff. Go to csrc.ncsl.nist.gov and find out what is going on in the key escrow area. There you can also pick up their official statement regarding export (csl bulletin 02-95). There are a lot of other interesting documents there too, like the security FIPS. Good reading.

> Hope that there is info for the export issue on these two systems as well.
>
> Thanks in advance for the help.
>
> teck

Kare
----------------------------------------------------------
| Kare Presttun                   Alcanet International |
| Tel: +33 1 4058 5614            33, rue Emeriau       |
| Fax: +33 1 4058 5945            F-75015 Paris         |
| Kare.Presttun@ansf.alcatel.fr   FRANCE                |
----------------------------------------------------------

From firewalls-owner Fri Sep 1 11:00:44 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA06890 for firewalls-outgoing; Fri, 1 Sep 1995 10:53:14 -0700
Received: from incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA06880 for ; Fri, 1 Sep 1995 10:53:10 -0700
From: mulligan@future.incog.com
Received: from coslabs.incog.com by incog.com (SMI-8.6/94082501) id KAA23579; Fri, 1 Sep 1995 10:51:12 -0700
Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA08138; Fri, 1 Sep 1995 11:51:15 -0600
Received: from future (localhost) by future.incog.com (5.x/SMI-SVR4) id AA07790; Fri, 1 Sep 1995 11:51:15 -0600
Message-Id: <9509011751.AA07790@future.incog.com>
To: gary flynn
Cc: shields@yage.tembel.org, firewalls-digest@GreatCircle.COM
Subject: Re: HannaH from SecureWare Inc.
Reply-To: mulligan@incog.com
In-Reply-To: Your message of "Fri, 01 Sep 1995 10:00:21 EDT." <199509011409.HAA26521@miles.greatcircle.com>
Date: Fri, 01 Sep 1995 11:51:14 -0600
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

As with most things in the security arena there is no ONE right solution for everyone. A firewall may be a perfectly fine solution for some organizations and some type of end system security may work for others. If you are a site with hundreds or thousands of end systems, trying to maintain a single centralized control over all these machines would probably be impossible and would definitely be a nightmare.

Gary Flynn wrote:
> 1. Kerberos requires modification of each application that
> it's to be used with. Hence limited support. Hannah allows
> the use of any application using standard winsock or
> socket library calls on supported platforms.

It is very true that Kerberos requires that each end application be kerberized, as SSL and socks require each application to be modified. One of Hannah's failings is that it only supports TCP applications. They say it will support UDP in a future release, but that is easy to do, except that their key negotiation will be a terrible overhead to pay for small udp packet exchanges. Also what it won't support are things like IP multicast, as will none of the above.

> 3. Hannah's "certificate diskette" for each user solves
> some problems that Kerberos has on desktop machines.

This only solves the problem for PCs or single user desktop machines. Hannah still is only machine based authentication no matter how you wrap it. This doesn't solve the multiuser desktop authentication problem. (There isn't a diskette slot on a VT100.)

The "certificate diskette" is yet another potential problem.
Since the private key is decrypted off the disk and stored in the end system it is available to be read by anything running on the system (especially on PCs), and when the diskette is removed does the private key get removed or does the system maintain its identity/Distinguished Name? It can't check for the presence of the diskette on every packet or it would be too slow to be usable. In addition the private key (though encrypted) on the certificate diskette is copyable.

geoff

From firewalls-owner Fri Sep 1 11:35:56 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA08408 for firewalls-outgoing; Fri, 1 Sep 1995 11:18:20 -0700
Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.70.210]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA08401 for ; Fri, 1 Sep 1995 11:18:13 -0700
Message-Id: <199509011818.LAA08401@miles.greatcircle.com>
Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA008448927; Fri, 1 Sep 1995 14:08:47 -0400
Date: Fri, 1 Sep 1995 14:08:47 -0400
From: gary flynn
To: mulligan@incog.com
Subject: Re: HannaH from SecureWare Inc.
Cc: firewalls-digest@GreatCircle.COM, shields@yage.tembel.org
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From mulligan@future.incog.com Fri Sep 1 13:43 EDT 1995
>
> As with most things in the security arena there is no ONE right solution
> for everyone. A firewall may be a perfectly fine solution for some
> organizations and some type of end system security may work for others.
> If you are a site with hundreds or thousands of end systems, trying to
> maintain a single centralized control over all these machines would
> probably be impossible and would definitely be a nightmare.
>
> One of Hannah's failings is that it only supports TCP applications. They
> say it will support UDP in a future release, but that is easy to do,
> except that their key negotiation will be a terrible overhead to pay
> for small udp packet exchanges. Also what it won't support are things
> like IP multicast, as will none of the above.
>

True, it has some limitations. Some will be solved, some may not. But for our users of mainline applications, it seems to cover the bases pretty well.

> > 3. Hannah's "certificate diskette" for each user solves
> > some problems that Kerberos has on desktop machines.
>
> This only solves the problem for PCs or single user desktop machines.
> Hannah still is only machine based authentication no matter how you wrap
> it. This doesn't solve the multiuser desktop authentication problem.
> (There isn't a diskette slot on a VT100.)
>

The bulk of our machines are PCs. I probably should have made that clear.

> The "certificate diskette" is yet another potential problem. Since the
> private key is decrypted off the disk and stored in the end system it is
> available to be read by anything running on the system (especially on PCs)
> and when the diskette is removed does the private key get removed or
> does the system maintain its identity/Distinguished Name. It can't check
> for the presence of the diskette on every packet or it would be too slow
> to be usable. In addition the private key (though encrypted) on the
> certificate diskette is copyable.
>

I'd put this in the class of "please remember to logoff the system when you are done and before leaving your terminal/PC". The user needs to "unsecure" the desktop before leaving. This may imply turning it off, or Hannah may have some procedure to "unauthenticate". The diskette is a threat but physical security addresses that.

Thank you for your comments. These exchanges have been very useful.
gary

From firewalls-owner Fri Sep 1 11:44:22 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA07945 for firewalls-outgoing; Fri, 1 Sep 1995 11:09:43 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA07922 for ; Fri, 1 Sep 1995 11:09:37 -0700
From: gary@habanero.jmu.edu
Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA14211; Fri, 1 Sep 95 14:08:11 -0400
Date: Fri, 1 Sep 95 14:08:10 -0400
Message-Id: <9509011808.AA14211@uvs1.orl.mmc.com>
To: firewalls-owner@greatcircle.com, firewalls%greatcircle.com@uvs1.dnet.mmc.com
Subject: Re: Security Paradigms (was HannaH)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> These people are not "trained", like Topsy they "just happen". WE CANNOT AFFORD
> TO TRAIN THEM. We do not have the resources, or the time, or the "lost
> productivity" such training would entail. Besides if we did they would
> immediately command 40% more pay.
>
> As a result, we have had to move security off the host/node to "somewhere
> else". In most cases this is at the firewall/network/subnet level where it
> again becomes manageable with available resources.
>

What about the case where most of the users are non-technical and don't mess with things like what winsock compliant stack they're running? In this case, these things are provided centrally. If they don't mess with them, then they'll work. A malicious user messing with them won't be able to communicate with the hosts that have the same protection. A user that inadvertently overwrites the "secure stack" with an "unsecure stack" also won't be able to communicate, which will result in a helpdesk call. We're not trying to prevent communications with non-secure hosts. We're trying to secure communications between authorized users and critical hosts.
Hence, again, if the vast majority of people use the centrally provided software on the desktop, the vast majority will have secure communications. The desktops are mostly PCs and there are a limited number of critical hosts. The manpower to administer the critical hosts is available. Administration of the PCs, in the Hannah case, simply means providing the winsock replacement or shim (I think). This can be handled through the standard desktop software configuration mechanism, which may be file server installation, configuration management software, helpdesk personnel, etc.

gary

> I do not see HannaH as a "user level" mechanism. I do see it as a potentially
> valuable system for a trusted host on a Bastion Network designed to make
> sensitive information available to customers via the Internet. This is not
> a blue sky problem, it is a real one I face daily.
>
> But the point is that we do not have the *luxury* of NOT having a "soft
> chewy center", it is the reality of the 90's that unless you are a well
> funded government agency, you can't afford a hardened compartmented center
> where every node can be trusted. We do what we can with what we have and
> to me, HannaH sounds like it could be a valuable tool.
>
> Warmly,
> Padgett
>
>

From firewalls-owner Fri Sep 1 11:59:30 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA07695 for firewalls-outgoing; Fri, 1 Sep 1995 11:05:56 -0700
Received: from incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA07668; Fri, 1 Sep 1995 11:05:48 -0700
From: mulligan@future.incog.com
Received: from coslabs.incog.com by incog.com (SMI-8.6/94082501) id LAA24366; Fri, 1 Sep 1995 11:03:47 -0700
Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA08294; Fri, 1 Sep 1995 12:03:48 -0600
Received: from future (localhost) by future.incog.com (5.x/SMI-SVR4) id AA07811; Fri, 1 Sep 1995 12:03:49 -0600
Message-Id: <9509011803.AA07811@future.incog.com>
To: Charles Cooley
Cc: Alan Hannan , David Miller , Gary Flynn , firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM, adm_lcorea@VAX1.ACS.JMU.EDU, foxtrot@sware.com, oit_cathy@VAX1.ACS.JMU.EDU, oit_charles@VAX1.ACS.JMU.EDU, oit_dbh@VAX1.ACS.JMU.EDU, shan.bell@sware.com
Subject: Re: HannaH from SecureWare Inc.
Reply-To: mulligan@incog.com
In-Reply-To: Your message of "Fri, 01 Sep 1995 11:22:21 EDT."
Date: Fri, 01 Sep 1995 12:03:49 -0600
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Charles Cooley wrote:
> While I agree that firewalls are an important defense to provide overall
> site security, it's not enough. The impression that I am getting from the
> two responses to Gary's message, is that firewall and other network security
> are significantly more important than individual host security mechanisms.

A combination of host and perimeter security is necessary. Just because people install firewalls doesn't mean that they get rid of passwords, but HannaH does seem to have some design flaws, as mentioned in previous messages.
> I believe that HannaH should be viewed as an alternative to Virtual LAN
> security schemes instead of firewalls and one of the complaints about
> Virtual LANs is maintainability.

As I mentioned earlier, one of the failings of HannaH is lack of support for IP multicasting, which will become much more significant for LANs as more conferencing, phone, and video software is distributed.

> One of HannaH's advantages is that it provides a mechanism to provide
> security based on the identity of a person rather than a host. The old
> Internet concept of host is out of date. Hosts were multi-user systems
> owned and MANAGED by organizations and individual people were
> authenticated by those hosts. With the proliferation of PC class
> systems, many systems connected to networks are single user systems.
> The old assumptions about security (like the "secure" ports below 512/1024)
> can be very dangerous.

If you assume that the systems connecting to the net are single user systems, there is no difference between host authentication and user authentication as long as I have to authenticate myself to the end system. HannaH also doesn't solve the multiuser desktop problem.
geoff

From firewalls-owner Fri Sep 1 12:02:42 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA08981 for firewalls-outgoing; Fri, 1 Sep 1995 11:33:14 -0700
Received: from incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA08972; Fri, 1 Sep 1995 11:33:10 -0700
From: mulligan@future.incog.com
Received: from coslabs.incog.com by incog.com (SMI-8.6/94082501) id LAA24969; Fri, 1 Sep 1995 11:31:21 -0700
Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA08415; Fri, 1 Sep 1995 12:31:23 -0600
Received: from future (localhost) by future.incog.com (5.x/SMI-SVR4) id AA07836; Fri, 1 Sep 1995 12:31:24 -0600
Message-Id: <9509011831.AA07836@future.incog.com>
To: gary flynn
Cc: isdmill@gatekeeper.ddp.state.me.us, adm_lcorea@vax1.acs.jmu.edu, firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM, foxtrot@sware.com, oit_cathy@vax1.acs.jmu.edu, oit_charles@vax1.acs.jmu.edu, oit_dbh@vax1.acs.jmu.edu, shan.bell@sware.com
Subject: Re: HannaH from SecureWare Inc.
Reply-To: mulligan@incog.com
In-Reply-To: Your message of "Fri, 01 Sep 1995 09:15:25 EDT." <199509011324.GAA25199@miles.greatcircle.com>
Date: Fri, 01 Sep 1995 12:31:23 -0600
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Gary wrote:
> Hannah is centrally administered although you have to install the
> product on all the platforms. So there is a central security
> administrator. Software distribution, installation, and configuration
> management mechanisms and policies need to exist for network/node
> management anyway, so the addition of one more product shouldn't
> negate the overall concept.

Oh, and this points to another potential problem: they have combined the administrative system with the Certification Authority. This is very very bad.
The CA is the box that holds the very sensitive CA private key, and having this box on the network just begs to have that key compromised - then anyone and everyone can sign certificates saying they are anyone. All security is lost, the war is lost, the count is 10 and you're out.

Key management/negotiation overhead is another very critical issue. Their document doesn't mention the protocol used to do this negotiation. What about support for different encryption mechanisms? In addition I haven't heard anything about the actual protocols. They certainly aren't open and publicly available. What about interoperability with other systems? They don't seem to be talking with any standards groups.

On the other hand there are systems being developed and available that provide much the same functionality (end to end encryption and authentication) without some of the drawbacks (key management overhead, lack of support for multiple encryption techniques, private/closed proprietary protocol, lack of multi-protocol support), such as SKIP and others being worked on in the IPSEC working group.
geoff From firewalls-owner Fri Sep 1 12:27:19 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA07688 for firewalls-outgoing; Fri, 1 Sep 1995 11:05:54 -0700 Received: from incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA07666; Fri, 1 Sep 1995 11:05:47 -0700 From: mulligan@future.incog.com Received: from coslabs.incog.com by incog.com (SMI-8.6/94082501) id LAA24360; Fri, 1 Sep 1995 11:03:44 -0700 Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA08293; Fri, 1 Sep 1995 12:03:43 -0600 Received: from future (localhost) by future.incog.com (5.x/SMI-SVR4) id AA07805; Fri, 1 Sep 1995 12:03:43 -0600 Message-Id: <9509011803.AA07805@future.incog.com> To: Charles Cooley Cc: Alan Hannan , David Miller , Gary Flynn , firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM, adm_lcorea@VAX1.ACS.JMU.EDU, foxtrot@sware.com, oit_cathy@VAX1.ACS.JMU.EDU, oit_charles@VAX1.ACS.JMU.EDU, oit_dbh@VAX1.ACS.JMU.EDU, shan.bell@sware.com Subject: Re: HannaH from SecureWare Inc. Reply-To: mulligan@incog.com In-Reply-To: Your message of "Fri, 01 Sep 1995 11:22:21 EDT." Date: Fri, 01 Sep 1995 12:03:43 -0600 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Charles Cooley wrote: > While I agree that firewalls are an important defense to provide overall > site security, it's not enough. The impression that I am getting from the > two responses to Gary's message, is that firewall and other network security > are significantly more important than individual host security mechanisms. A combination of host and perimeter security is necessary. Just because people install firewalls doesn't mean that they get rid of passwords, but HannaH does seems to have some design flaws and mentioned in previous messages. 
> I believe that HannaH should be viewed as an alternative to Virtual LAN
> security schemes instead of firewalls and one of the complaints about
> Virtual LANs is maintainability.

As I mentioned earlier, one of the failings of HannaH is lack of support for IP multicasting which will become much more significant for LANs as more conferencing, phone, video software is distributed.

> One of HannaH's advantages is that it provides a mechanism to provide
> security based on the identity of a person rather than a host. The old
> Internet concept of host is out of date. Hosts were multi-user systems
> owned and MANAGED by organizations and individual people were
> authenticated by those hosts. With the proliferation of PC class
> systems, many systems connected to networks are single user systems.
> The old assumptions about security (like the "secure" ports below 512/1024)
> can be very dangerous.

If you assume that the systems connecting to the net are single user systems, there is no difference between host authentication and user authentication as long as I have to authenticate myself to the end system. HannaH also doesn't solve the multiuser desktop problem.
geoff

From firewalls-owner Fri Sep 1 12:30:08 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA08970 for firewalls-outgoing; Fri, 1 Sep 1995 11:33:09 -0700
Received: from incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA08963; Fri, 1 Sep 1995 11:33:05 -0700
From: mulligan@future.incog.com
Received: from coslabs.incog.com by incog.com (SMI-8.6/94082501) id LAA24966; Fri, 1 Sep 1995 11:31:15 -0700
Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA08412; Fri, 1 Sep 1995 12:31:21 -0600
Received: from future (localhost) by future.incog.com (5.x/SMI-SVR4) id AA07829; Fri, 1 Sep 1995 12:31:21 -0600
Message-Id: <9509011831.AA07829@future.incog.com>
To: gary flynn
Cc: isdmill@gatekeeper.ddp.state.me.us, adm_lcorea@vax1.acs.jmu.edu, firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM, foxtrot@sware.com, oit_cathy@vax1.acs.jmu.edu, oit_charles@vax1.acs.jmu.edu, oit_dbh@vax1.acs.jmu.edu, shan.bell@sware.com
Subject: Re: HannaH from SecureWare Inc.
Reply-To: mulligan@incog.com
In-Reply-To: Your message of "Fri, 01 Sep 1995 09:15:25 EDT." <199509011324.GAA25199@miles.greatcircle.com>
Date: Fri, 01 Sep 1995 12:31:21 -0600
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Gary wrote:
> Hannah is centrally administered although you have to install the
> product on all the platforms. So there is a central security
> administrator. Software distribution, installation, and configuration
> management mechanisms and policies need to exist for network/node
> management anyway, so the addition of one more product shouldn't
> negate the overall concept.

Oh and this points to another potential problem, they have combined the administrative system with the Certification Authority. This is very very bad.
The CA is the box that holds the very sensitive CA private key and having this box on the network just begs to have that key compromised - then anyone and everyone can sign certificates saying they are anyone. All security is lost, the war is lost, the count is 10 and you're out.

Key management/negotiation overhead is another very critical issue. Their document doesn't mention the protocol used to do this negotiation. What about support for different encryption mechanisms?

In addition I haven't heard anything about the actual protocols. They certainly aren't open and publicly available. What about interoperability with other systems? They don't seem to be talking with any standards groups.

On the other hand there are systems being developed and available that provide much the same functionality (end to end encryption and authentication) without some of the drawbacks (key management overhead, lack of support to multiple encryption techniques, private/closed proprietary protocol, lack of multi-protocol support) such as SKIP and others being worked on in the IPSEC working group.
geoff

From firewalls-owner Fri Sep 1 12:30:35 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA10657 for firewalls-outgoing; Fri, 1 Sep 1995 11:59:49 -0700
Received: from bee.uspnet.usp.br (bee.uspnet.usp.br [143.107.253.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA10350; Fri, 1 Sep 1995 11:54:22 -0700
Received: from caju (caju.larc.usp.br [143.107.111.2]) by bee.uspnet.usp.br (8.6.10/SPARC10-CCE2.0)id PAA07418
Received: from jabuticaba.larc.usp.br by caju (5.0/SMI-SVR4) id AA19599; Fri, 1 Sep 1995 15:23:37 +0300
Received: (from mlrodrig@localhost) by jabuticaba.larc.usp.br (8.6.12/8.6.9) id OAA03757; Fri, 1 Sep 1995 14:36:29 -0300
Date: Fri, 1 Sep 1995 14:36:26 -0300 (EST)
From: Marcelo Lopes Rodrigues
To: Firewalls@GreatCircle.COM
Cc: firewalls-digest@GreatCircle.COM
Subject: Re: Use of Remote Authentication: tacacs/radius/etc...
In-Reply-To: <199508312303.QAA06065@miles.greatcircle.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
content-length: 412
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

David wrote:
> In addition to TACACS and RADIUS, there is now TACACS+. You'll need to be
> running IOS 10.3(3) or later to get this. TACACS+ is a complete rewrite of
> TACACS. It is a big step ahead of both TACACS and RADIUS. (Yes, I am
> biased.)

So why is Cisco starting to use Radius? (Packet magazine, Vol. 7, Number 2, Second Quarter 1995, p. 13)

Marcelo L.
Rodrigues
mlrodrig@larc.usp.br

From firewalls-owner Fri Sep 1 12:32:40 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA11305 for firewalls-outgoing; Fri, 1 Sep 1995 12:09:51 -0700
Received: from incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA11297; Fri, 1 Sep 1995 12:09:48 -0700
From: mulligan@future.incog.com
Received: from coslabs.incog.com by incog.com (SMI-8.6/94082501) id MAA26332; Fri, 1 Sep 1995 12:07:41 -0700
Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA08590; Fri, 1 Sep 1995 13:07:49 -0600
Received: from future (localhost) by future.incog.com (5.x/SMI-SVR4) id AA07943; Fri, 1 Sep 1995 13:07:47 -0600
Message-Id: <9509011907.AA07943@future.incog.com>
To: gary flynn
Cc: mulligan@incog.com, adm_lcorea@vax1.acs.jmu.edu, firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM, foxtrot@sware.com, isdmill@gatekeeper.ddp.state.me.us, oit_cathy@vax1.acs.jmu.edu, oit_charles@vax1.acs.jmu.edu, oit_dbh@vax1.acs.jmu.edu, shan.bell@sware.com
Subject: Re: HannaH from SecureWare Inc.
Reply-To: mulligan@incog.com
In-Reply-To: Your message of "Fri, 01 Sep 1995 14:44:37 EDT." <199509011852.LAA25720@incog.com>
Date: Fri, 01 Sep 1995 13:07:47 -0600
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Gary wrote:
> The Hannah documents indicate that the management workstation and
> certificate authority are two different machines.

Actually it says that the CA and management gui are separate applications and it just so happens that today you must run the CA on Windows95 and the management gui on HPUX or SCO.

> Do products exist? Where can I find more information on these?

SKIP for Solaris (which won't do you much good if you are running windows) is freely available now and documentation of SKIP is available at http://skip.incog.com. You would need to check out the ipsec list to find out about other alternatives.
geoff

From firewalls-owner Fri Sep 1 12:50:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA09894 for firewalls-outgoing; Fri, 1 Sep 1995 11:44:01 -0700
Received: from incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA09880 for ; Fri, 1 Sep 1995 11:43:57 -0700
From: mulligan@future.incog.com
Received: from coslabs.incog.com by incog.com (SMI-8.6/94082501) id LAA25284; Fri, 1 Sep 1995 11:42:17 -0700
Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA08418; Fri, 1 Sep 1995 12:42:20 -0600
Received: from future (localhost) by future.incog.com (5.x/SMI-SVR4) id AA07846; Fri, 1 Sep 1995 12:42:20 -0600
Message-Id: <9509011842.AA07846@future.incog.com>
To: gary flynn
Cc: mulligan@incog.com, firewalls-digest@GreatCircle.COM, shields@yage.tembel.org
Subject: Re: HannaH from SecureWare Inc.
Reply-To: mulligan@incog.com
In-Reply-To: Your message of "Fri, 01 Sep 1995 14:08:47 EDT." <199509011816.LAA24628@incog.com>
Date: Fri, 01 Sep 1995 12:42:20 -0600
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Gary wrote:
> True, it has some limitations. Some will be solved, some may not. But
> for our users of mainline applications, it seems to cover the bases
> pretty well.

So for you, in your specific environment, it may be an OK solution. There have been a number of concerns raised, though.

> The bulk of our machines are PCs. I probably should have made that
> clear.

Again for your environment it may work, but what about the other systems that your PC users may want to communicate with securely? You need interoperability.

> > > The "certificate diskette" is yet another potential problem.
> > Since the
> > private key is decrypted off the disk and stored in the end system it is
> > available to be read by anything running on system (especially on PCs)
> > and when the diskette is removed does the private key get removed or
> > does the system maintain its identity/Distinguished Name. It can't check
> > for the presence of the diskette on every packet or it would be too slow
> > to be usable. In addition the private key (though encrypted) on the
> > certificate diskette is copyable.
> >
>
> I'd put this in the class of "please remember to logoff the system
> when you are done and before leaving your terminal/PC". The user
> needs to "unsecure" the desktop before leaving. This may imply
> turning it off or Hannah may have some procedure to "unauthenticate".
> The diskette is a threat but physical security addresses that.

No, the threat is also that if I can copy your diskette and guess or brute force your password (users always use good passwords) or I can grab the decrypted private key from the PC itself then I can become you.

Obviously if you think that it meets your needs (as you seem to) then use it.

geoff

From firewalls-owner Fri Sep 1 13:00:43 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA11548 for firewalls-outgoing; Fri, 1 Sep 1995 12:14:03 -0700
Received: from eros.britain.eu.net (eros.Britain.EU.net [192.91.199.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA11538 for ; Fri, 1 Sep 1995 12:13:58 -0700
Received: from airtechsms.co.uk by eros.britain.eu.net with UUCP id ; Fri, 1 Sep 1995 19:57:00 +0100
Received: by airtechsms.co.uk (Smail3.1.28.1 #1) id m0soRBf-00000jC; Fri, 1 Sep 95 09:10 BST
Date: Fri, 1 Sep 1995 09:10:54 +0100 (BST)
From: Martin Hepworth
X-Sender: max@airtechs
To: Alex Sharpe
cc: "'firewalls-owner'"
Subject: Re: Placement of WWW Server - any thoughts?
In-Reply-To: <3044F9DE@bass.rssi.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 30 Aug 1995, Alex Sharpe wrote:
>
> We are installing a Web Server that we want to give the world access to, but
> are not sure of our security architecture yet. We are kicking around
> several ideas including the idea of only allowing HTTP to pass through our
> FIREWALL if it is destined for the Web server. We are considering doing
> this by filtering on the Web Server's IP address and HTTP port number.
>
> What do you think? What are the residual risks?
>
> Alex.Sharpe@rssi.com
>

The 'normal' and most secure place to put your W3 server is in the DMZ; that way no HTTP stuff comes into your network, unless you've someone on the inside surfing. That's also the best? place to put any ftp server -- if it doesn't need to be on your side of the firewall don't put it there!

MGH
------------------------------------------------------------------
Martin Hepworth, Racal-Airtech, UK
email work: max@airtechsms.co.uk
email home: mgh@cityscape.co.uk
Voice: +44(0)1844 201800
FAX: +44(0)1844 201832
http://www.gold.net/users/ef67/
PGP Key on request
All opinions are mine, mine, all mine................
From firewalls-owner Fri Sep 1 13:09:03 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA10349 for firewalls-outgoing; Fri, 1 Sep 1995 11:54:13 -0700
Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.70.210]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA10342; Fri, 1 Sep 1995 11:54:08 -0700
Message-Id: <199509011854.LAA10342@miles.greatcircle.com>
Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA012271077; Fri, 1 Sep 1995 14:44:37 -0400
Date: Fri, 1 Sep 1995 14:44:37 -0400
From: gary flynn
To: mulligan@incog.com
Subject: Re: HannaH from SecureWare Inc.
Cc: adm_lcorea@vax1.acs.jmu.edu, firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM, foxtrot@sware.com, isdmill@gatekeeper.ddp.state.me.us, oit_cathy@vax1.acs.jmu.edu, oit_charles@vax1.acs.jmu.edu, oit_dbh@vax1.acs.jmu.edu, shan.bell@sware.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From mulligan@future.incog.com Fri Sep 1 14:23 EDT 1995
> Gary wrote:
> > Hannah is centrally administered although you have to install the
> > product on all the platforms. So there is a central security
> > administrator. Software distribution, installation, and configuration
> > management mechanisms and policies need to exist for network/node
> > management anyway, so the addition of one more product shouldn't
> > negate the overall concept.
>
> Oh and this points to another potential problem, they have combined the
> administrative system with the Certification Authority. This is very
> very bad. The CA is the box that holds the very sensitive CA private
> key and having this box on the network just begs to have that key
> compromised - then anyone and everyone can sign certificates saying
> they are anyone. All security is lost, the war is lost, the count is 10
> and you're out.
>

The Hannah documents indicate that the management workstation and certificate authority are two different machines.

> Key management/negotiation overhead is another very critical issue.
> Their document doesn't mention the protocol used to do this negotiation.
> What about support for different encryption mechanisms?
>
> In addition I haven't heard anything about the actual protocols. They
> certainly aren't open and publicly available. What about
> interoperability with other systems? They don't seem to be talking
> with any standards groups.
>
> On the other hand there are systems being developed and available that
> provide much the same functionality (end to end encryption and
> authentication) without some of the drawbacks (key management overhead,
> lack of support to multiple encryption techniques, private/closed
> proprietary protocol, lack of multi-protocol support) such as SKIP and
> others being worked on in the IPSEC working group.
>

Do products exist? Where can I find more information on these?

thanks,
gary

From firewalls-owner Fri Sep 1 13:30:13 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA15706 for firewalls-outgoing; Fri, 1 Sep 1995 13:04:57 -0700
Received: from aspensys (aspensys.aspensys.com [198.77.70.104]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA15693 for ; Fri, 1 Sep 1995 13:04:53 -0700
Received: from smtpinet.aspensys.com by aspensys (5.0/SMI-SVR4) id AA21750; Fri, 1 Sep 1995 16:00:01 +0500
Received: from cc:Mail by smtpinet.aspensys.com id AA809996857 Fri, 01 Sep 95 16:07:37 EST
Date: Fri, 01 Sep 95 16:07:37 EST
From: jmeritt@smtpinet.aspensys.com (Meritt, Jim)
Message-Id: <9508018099.AA809996857@smtpinet.aspensys.com>
Cc: firewalls@greatcircle.com
Subject: how to close socket
content-length: 147
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On a standard sun box using /etc/services and inetd, how would you stop traffic from being passed through a port?
Jim Meritt

From firewalls-owner Fri Sep 1 13:36:51 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA17446 for firewalls-outgoing; Fri, 1 Sep 1995 13:19:52 -0700
Received: from emory.mathcs.emory.edu (emory.mathcs.emory.edu [128.140.2.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA17427 for ; Fri, 1 Sep 1995 13:19:47 -0700
Received: from wittsend.UUCP by emory.mathcs.emory.edu (5.65/Emory_mathcs.4.0.16) via UUCP id AA06995 ; Fri, 1 Sep 95 16:18:23 -0400
Received: by wittsend (/\==/\ Smail3.1.28.1 #28.1) for id ; Fri, 1 Sep 95 15:54 EDT
Message-Id:
Subject: Re: HannaH from SecureWare Inc.
To: firewalls@greatcircle.com
Date: Fri, 1 Sep 1995 15:54:00 -0400 (EDT)
From: "Michael H. Warfield"
In-Reply-To: <9509011907.AA07943@future.incog.com> from "mulligan@future.incog.com" at Sep 1, 95 01:07:47 pm
X-Mailer: ELM [version 2.4 PL20]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1205
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

mulligan@future.incog.com enscribed thusly:
> Gary wrote:
> > The Hannah documents indicate that the management workstation and
> > certificate authority are two different machines.
> Actually it says that the CA and management gui are separate
> applications and it just so happens that today you must run the CA on
> Windows95 and the management gui on HPUX or SCO.

WHAT?!?!?! The CA must run on Windows 95!?!?! Well there goes any chance of any security whatsoever! Somebody must be absolutely dreaming to place any security product on Windows 95. I MIGHT accept Windows NT. At least that does have security features, even if they are untried and have not yet stood the test of time. To place a critical piece of security code on Windows 95, an alleged operating system riddled with bugs by Microsoft's own admission, is sheer insanity! My interest in this product is now total history!

> geoff

--
Michael H.
Warfield | (770) 985-6132 | mhw@WittsEnd.com
(The Mad Wizard) | (770) 925-8248 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!

From firewalls-owner Fri Sep 1 16:00:11 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA24288 for firewalls-outgoing; Fri, 1 Sep 1995 15:43:04 -0700
Received: from colin.muc.de (colin.muc.de [193.174.4.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id PAA24281 for ; Fri, 1 Sep 1995 15:43:00 -0700
Received: by colin.muc.de via suspension id <41450-2>; Sat, 2 Sep 1995 00:41:12 +0200
Received: from en by colin.muc.de with UUCP id <41447-2>; Fri, 1 Sep 1995 23:33:53 +0200
Received: by en.muc.de (Sendmail5.67a8/IDA-1.5) id AA00587; Fri, 1 Sep 1995 09:50:24 +0200
Date: Fri, 1 Sep 1995 09:50:24 +0200
From: "Ralf S. Engelschall"
Message-Id: <199509010750.AA00587@en.muc.de>
To: firewalls@greatcircle.com
Subject: Re: DNS forwarding problem
Newsgroups: sdm.lists.firewalls
Organization: Engelschall (EN) Privat, Dachau/Munich, Germany
Reply-To: rse@en.muc.de
X-Newsreader: TIN [version 1.2 PL2]
X-Charset: ASCII
X-Char-Esc: 29
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 31 Aug 1995 01:16:55 +0200 in sdm.lists.firewalls you wrote:
> [...]
> You then configure all your clients INCLUDING THE BASTION/GATEWAY to resolve
> using the internal nameserver.
> [...]
> The really weird part is that when the bastion/gateway wants to resolve an
> internet name, it asks the internal, which forwards back to the bastion/gateway
> which does the resolution and sends the answer back along the same path.

I cannot understand WHY the bastion has to resolve via the internal nameserver. I run my bastion host via a /etc/resolv.conf which points to its local nameserver. And this works fine. The bastion only needs to resolve the name of the internal bastion and this name is in his DNS.
Are there any _REAL_ security concerns about resolving the outer bastion host NOT via the internal bastion host?

Ralf S. Engelschall
rse@en.muc.de
http://www.muc.de/~rse

From firewalls-owner Fri Sep 1 17:02:41 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA26994 for firewalls-outgoing; Fri, 1 Sep 1995 16:58:26 -0700
Received: from rudolph.cs.utk.edu (RUDOLPH.CS.UTK.EDU [128.169.92.87]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA26964 for ; Fri, 1 Sep 1995 16:58:20 -0700
Received: from LOCALHOST.cs.utk.edu by rudolph.cs.utk.edu with SMTP (cf v2.11c-UTK) id TAA11927; Fri, 1 Sep 1995 19:56:55 -0400
Message-Id: <199509012356.TAA11927@rudolph.cs.utk.edu>
To: firewalls@greatcircle.com
Subject: linux vs. *bsd for secure networking system
Date: Fri, 01 Sep 1995 19:56:54 -0400
From: Paul McMahan
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

I know that the linux vs. (free|net)bsd question is the subject of ongoing debates outside the realm of firewalls, but I'm interested specifically in the security aspects of these operating systems. I'm debating about which OS to use on a firewall machine and I need to know specifics about which OS is a better platform for effective security. Please advise.
Paul McMahan

From firewalls-owner Fri Sep 1 17:09:06 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA26176 for firewalls-outgoing; Fri, 1 Sep 1995 16:42:32 -0700
Received: from tera.bctel.net (tera.bctel.net [204.174.66.253]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA26163 for ; Fri, 1 Sep 1995 16:42:27 -0700
Received: (from nobody@localhost) by tera.bctel.net (8.6.10/8.6.10) id QAA26096; Fri, 1 Sep 1995 16:40:28 -0700
Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3) id sma026094; Fri Sep 1 16:40:01 1995
Received: (from murrell@localhost) by mocha.bctel.net (8.6.10/8.6.10) id QAA18381; Fri, 1 Sep 1995 16:37:36 -0700
Date: Fri, 1 Sep 1995 16:37:36 -0700
From: Brian Murrell
Message-Id: <199509012337.QAA18381@mocha.bctel.net>
To: firewalls@GreatCircle.COM, rse@en.muc.de
Subject: Re: DNS forwarding problem
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I cannot understand WHY the bastion has to resolve via the internal
> nameserver. I run my bastion host via a /etc/resolv.conf which points to its
> local nameserver. And this works fine. The bastion only needs to resolve the
> name of the internal bastion and this name is in his DNS.

Because typically people who run split DNS do so to hide the internal namespace from the world. Thusly only machines which query the internal DNS (typically internal machines and NOT external machines) can see the internal hosts. By telling the bastion to resolve using the internal nameserver, it sees both the inside world and outside world. It should, as it (and only it) lives in both worlds.

b.
--
Brian J. Murrell murrell@bctel.net
BCTel Advanced Communications brian@ilinx.com
Vancouver, B.C.
brian@wimsey.com 604 454 5262

From firewalls-owner Fri Sep 1 19:02:42 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA29937 for firewalls-outgoing; Fri, 1 Sep 1995 19:01:27 -0700
Received: from switchblade.iwi.com (switchblade.iwi.com [137.39.156.214]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id TAA29930 for ; Fri, 1 Sep 1995 19:01:23 -0700
Received: (from mjr@localhost) by switchblade.iwi.com (8.6.9/8.6.9) id WAA14456 for Firewalls@GreatCircle.COM; Fri, 1 Sep 1995 22:17:54 -0400
From: "Marcus J. Ranum"
Message-Id: <199509020217.WAA14456@switchblade.iwi.com>
Subject: snprintf()
To: Firewalls@GreatCircle.COM
Date: Fri, 1 Sep 1995 22:17:54 -0400 (EDT)
Reply-To: mjr@iwi.com
Organization: Information Warehouse! Inc, Baltimore, MD
URL: mjr's web page
Phone: 410-889-8569
Coredump: Infocalypse Now!!!
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 3100
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Patrick Powell writes:
>If you want to launch a crusade, then start with the C language programming
>books. Eradicate their use of sprintf, sscanf, gets, and other IO functions
>that are inherently flawed.

If you want to start a crusade, ask rather why people are writing mission critical software in a programming language that is not type or allocation safe, which has virtually no runtime controls, and which requires programmers to manually maintain memory allocation. That's like doing dentistry with a crowbar: you can do it, but it's a sloppy and somewhat risky tool for spots where you need a delicate touch.

The unfortunate fact is that if you want to develop something (like the fwtk) that people can use on common platforms, then it's not likely to be well-received if you write it in a safe programming language like Modula-3 or something that would probably produce more robust executables. So C is the language of choice - but let's not kid ourselves that it's the right language.
It's the *available* language.

For example (believe it or not!) I saberized the toolkit thoroughly, and V1.0 was completely run for quite a while on my Sparc, under the interpreter checking for runtime errors. *BUT* of course you never find them all because some parts of the system don't get stressed enough and even saber-C doesn't check the internals of library routines like syslog().

The formalists[*] hold a particularly rigorous view of the problem. Namely: you should be able to build components on top of other components you trust, which run on an O/S you trust and then we would not have these kinds of little problems. But: who will step forward and do a complete design review of stdio? [Chris, don't answer that!] and who will check Chris' implementation? And who will make sure the vendors all adopt it? And *THEN* there's all the other code and dbm and resolv and -- the list goes on. Who will do the security code review of X11R6? What about MOTIF? I will stop there because I just ate.

In the short term, there are some measures we can take but they're draconian. One *could* simply take sprintf() et al out of libc -- that's what shared libraries are for! Or you can replace the program with something that does the right thing. It is instructive to replace system() on your machine with a library routine that calls abort() if it detects that it is running as euid < 100.

BSDI machines do this cute thing:

    . cat > x.c
    main() { gets(0); }
    . make x
    cc -O2 x.c -o x
    . x
    warning: this program uses gets(), which is unsafe.
    ^C
    .

The gets() library routine has been programmed to HUMILIATE itself when you use it! If one's sprintf() did the same thing, it would get fixed pretty quickly as users tired of seeing that crud on their screen.

mjr.
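The bounded replacements this thread argues for (snprintf() in place of sprintf(), fgets() in place of gets()), as an added example that is not from mjr's post, from the fwtk, or from BSDI's libc: a stdarg-based wrapper that reports truncation through vsnprintf()'s return value, and a line reader that reports and discards an overlong line instead of overrunning its buffer. The function names, the 16- and 32-byte buffer sizes and the sample lines are all constructed for the demonstration.

```c
/* Added example (not from the list post, fwtk or BSDI): bounded counterparts
 * of sprintf() and gets(), with the truncation reporting that the unbounded
 * routines cannot give.  All sample input below is constructed. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Format into dst, which holds cap bytes.  Returns the length written, or -1
 * if the output did not fit (dst is still NUL-terminated) or cap is 0.
 * vsnprintf() never writes past cap, and its return value is the length the
 * full result would have had, so truncation is detectable by the caller. */
int bounded_format(char *dst, size_t cap, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (dst == NULL || cap == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(dst, cap, fmt, ap);
    va_end(ap);
    if (n < 0) {            /* encoding error: leave an empty string behind */
        dst[0] = '\0';
        return -1;
    }
    if ((size_t)n >= cap)   /* would have needed n+1 bytes: truncated */
        return -1;
    return n;
}

/* Read one line into buf (cap bytes) and strip the newline.
 * Returns the line length, -1 at EOF or on error, or -2 when the line did not
 * fit; in that case the rest of the overlong line is consumed so the next call
 * starts on a fresh line rather than on the leftover bytes of this one. */
int bounded_getline(char *buf, size_t cap, FILE *fp)
{
    size_t len;
    int c;

    if (buf == NULL || cap < 2 || fgets(buf, (int)cap, fp) == NULL)
        return -1;
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
        return (int)len;
    }
    /* No newline seen: either the final unterminated line or an overlong one. */
    c = fgetc(fp);
    if (c == EOF)
        return (int)len;
    while (c != EOF && c != '\n')   /* discard the remainder of the long line */
        c = fgetc(fp);
    return -2;
}

/* Build a log line from an untrusted hostname.  Returns 1 if it fit, 0 if it
 * was too long; an sprintf() caller would instead have overrun 'out'. */
int build_log_line(const char *host, char *out, size_t cap)
{
    return bounded_format(out, cap, "connect from %s", host) >= 0;
}

/* Self-check on constructed input: three lines read through a 16-byte buffer.
 * Returns 0 if every read behaved as documented, else the failing step. */
int demo_overlong_lines(void)
{
    char buf[16];
    int rc = 0;
    FILE *fp = tmpfile();

    if (fp == NULL)
        return 99;
    fputs("short line\n", fp);                                            /* fits */
    fputs("this line is much longer than the sixteen byte buffer\n", fp); /* does not */
    fputs("tail", fp);                                                    /* no newline */
    rewind(fp);
    if (bounded_getline(buf, sizeof buf, fp) != 10 || strcmp(buf, "short line") != 0)
        rc = 1;
    else if (bounded_getline(buf, sizeof buf, fp) != -2)
        rc = 2;
    else if (bounded_getline(buf, sizeof buf, fp) != 4 || strcmp(buf, "tail") != 0)
        rc = 3;
    else if (bounded_getline(buf, sizeof buf, fp) != -1)
        rc = 4;
    fclose(fp);
    return rc;
}

int main(void)
{
    char out[32];

    printf("short host fits: %d\n", build_log_line("host1", out, sizeof out));
    printf("long host fits:  %d\n",
           build_log_line("a-hostname-far-too-long-for-the-buffer", out, sizeof out));
    printf("line reader self-check (0 = ok): %d\n", demo_overlong_lines());
    return 0;
}
```

The point of both helpers is the return value: snprintf() and fgets() stop the overflow on their own, but a program that ignores the truncated result still misbehaves (a clipped log line, or a second read that starts in the middle of the line that did not fit), so the bound and the check belong together.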
[*The formalists are an obscure religious sect that is on the verge of extinction, whose surviving members are mostly in hiding protecting the One Perfect Program, which happens to be a provably correct version of "hello.c" - if you assume the compiler's code generator and optimizer work right.]

From firewalls-owner Fri Sep 1 19:32:42 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA00686 for firewalls-outgoing; Fri, 1 Sep 1995 19:29:16 -0700
Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id TAA00672 for ; Fri, 1 Sep 1995 19:29:12 -0700
Received: from montgomery.com by relay1.UU.NET with SMTP id QQzfjt14693; Fri, 1 Sep 1995 22:27:56 -0400
Message-ID:
Date: 1 Sep 1995 19:24:39 -0800
From: "Kenneth Kron"
Subject: snprintf.c and SunOS 5.4
To: firewalls@GreatCircle.COM, "Patrick Powell"
X-Mailer: Mail*Link SMTP-MS 3.0.1
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Patrick,

Thanks for the snprintf source, FYI -- In order to compile your snprintf on SunOS 5.4 I had to #include

For anyone else doing this you can either define HAVE_STDARG_H or HAVE_VARARGS_H, both work under SunOS 5.x, of course stdarg.h provides more type checking.

Kenneth Kron
INS Network Security Consultant
kkron@montgomery.com

From firewalls-owner Sat Sep 2 07:30:05 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA09565 for firewalls-outgoing; Sat, 2 Sep 1995 07:16:47 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA09558 for ; Sat, 2 Sep 1995 07:16:43 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA16782; Sat, 2 Sep 95 09:49:25 -0400
Date: Sat, 2 Sep 95 09:49:24 -0400
Message-Id: <9509021349.AA16782@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E.
Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: re: snprintf(), SMURF, & Jules Own Version...
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

mjr rites (Hi Marcus 8*):
> If you want to start a crusade, ask rather why people are
>writing mission critical software in a programming language that
>is not type or allocation safe, which has virtually no runtime
>controls, and which requires programmers to manually maintain
>memory allocation.

Naah, fact is that if companies advertise for C++ programmers, they are not going to get people who understand bounds checking like us Mil-Std-1815 weenies (see: the DoD does have a sense of humour 8*).

> The formalists[*] hold a particularly rigorous view of
>the problem. Namely: you should be able to build components
>on top of other components you trust, which run on an O/S
>you trust and then we would not have these kinds of little problems.

And then there are those assembly & machine code programmers who do not trust anything they did not write themselves (heck the BIOS on the first IBM PC-ATs did not even meet IBM's own spec and that was less than 64k).

>[*The formalists are an obscure religious sect that is on the
>verge of extinction, whose surviving members are mostly in hiding
>protecting the One Perfect Program, which happens to be a provably
>correct version of "hello.c" - if you assume the compiler's code
>generator and optimizer work right.]

No assumptions permitted: back in the days of MacDac vs SoftTech when compiler mfrs had real *marketeers* (and hospitality suites at shows 8*) and Mil-Std-1750A was a coprocessor in search of a processor we used to do code checks v/v the same thing in pure assembly. Compilers were actually validated and the source was available (if you had the right contacts at the LCF).
Disassemblers were something written in an afternoon (have a printout here somewhere of the 680x program used by the first GM car computers - Delco claimed it was "proprietary" despite being in a million cars). Of course considering what we were paid for, it was "rocket science". Besides a *real* programmer wouldn't bother with hello.c, he/she/it/other would have written a VAX device driver to intercept every print banner, bump up the priority, and insert a picture of Crusader Rabbit *that worked* (maybe 20% of the people who took the VAX "Device Drivers" course could actually write one by the end of the week). Of course now I spend my time trying to figure out why group ID assignments do not work properly when passed to an access server in IOS 10.3 (& creating Rags the Tiger banners that also send an alarm to the admin pager on strobes to port 79 of the router 8*). (ob firewalls) Warmly, Padgett From firewalls-owner Sat Sep 2 09:00:03 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA10941 for firewalls-outgoing; Sat, 2 Sep 1995 08:44:22 -0700 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA10934 for ; Sat, 2 Sep 1995 08:44:16 -0700 From: cjolley@iac.net Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA16981; Sat, 2 Sep 95 11:42:52 -0400 Date: Sat, 2 Sep 95 11:42:52 -0400 Message-Id: <9509021542.AA16981@uvs1.orl.mmc.com> To: padgett@tccslr.dnet.mmc.com Cc: "firewalls@greatcircle.com"@uvs1.dnet.mmc.com Subject: re: snprintf(), SMURF, & Jules Own Version... 
Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Another group of programmers who spend no time doing bounds checking or worrying about allocation and deallocation of memory are those who write code for an environment where the hardware enforces bounds checking and the operating system handles all the details regarding allocation and deallocation of _all_ system resources. And, since that environment doesn't have (and doesn't need) an assembly language, even the highly skilled system programmers can't code detours around such features. **** cjolley@iac.net **** All opinions are my own and not necessarily those of my employer **** On Sat, 2 Sep 1995 padgett@tccslr.dnet.mmc.com wrote: > mjr rites (Hi Marcus 8*): > > If you want to start a crusade, ask rather why people are > >writing mission critical software in a programming language that > >is not type or allocation safe, which has virtually no runtime > >controls, and which requires programmers to manually maintain > >memory allocation. > > Naah, fact is that if companies advertise for C++ programmers, they are not > going to get people who understand bounds checking like us Mil-Std-1815 > weenies (see: the DoD does have a sense of humour 8*). > > > The formalists[*] hold a particularly rigorous view of > >the problem. Namely: you should be able to build components > >on top of other components you trust, which run on an O/S > >you trust and then we would not have these kinds of little problems. > > And then there are those assembly & machine code programmers who do not > trust anything they did not write themselves (heck the BIOS on the first > IBM PC-ATs did not even meet IBM's own spec and that was less than 64k). 
> > >[*The formalists are an obscure religious sect that is on the > >verge of extinction, whose surviving members are mostly in hiding > >protecting the One Perfect Program, which happens to be a provably > >correct version of "hello.c" - if you assume the compiler's code > >generator and optimizer work right.] > > No assumptions permitted: back in the days of MacDac vs SoftTech when > compiler mfrs had real *marketeers* (and hospitality suites at shows 8*) > and Mil-Std-1750A was a coprocessor in search of a processor we used to do > code checks v/v the same thing in pure assembly. Compilers were actually > validated and the source was available (if you had the right contacts at > the LCF). Disassemblers were something written in an afternoon (have a > printout here somewhere of the 680x program used by the first GM car > computers - Delco claimed it was "proprietary" despite being in a million > cars). Of course considering what we were paid for, it was "rocket science". > > Besides a *real* programmer wouldn't bother with hello.c, he/she/it/other > would have written a VAX device driver to intercept every print banner, > bump up the priority, and insert a picture of Crusader Rabbit *that worked* > (maybe 20% of the people who took the VAX "Device Drivers" course could > actually write one by the end of the week). > > Of course now I spend my time trying to figure out why group ID assignments > do not work properly when passed to an access server in IOS 10.3 (& creating > Rags the Tiger banners that also send an alarm to the admin pager on strobes > to port 79 of the router 8*).
(ob firewalls) > Warmly, > Padgett > From firewalls-owner Sat Sep 2 10:00:03 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA11763 for firewalls-outgoing; Sat, 2 Sep 1995 09:40:25 -0700 Received: from roble.com (roble.com [204.188.93.50]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA11756 for ; Sat, 2 Sep 1995 09:40:22 -0700 Received: by roble.com (4.1/SMI-4.1/roble) id AA10160; Sat, 2 Sep 95 09:38:59 PDT Date: Sat, 2 Sep 1995 09:17:59 -0700 (PDT) From: Roger Marquis Subject: Subject: Re: using suns/sunos for gateway host(s) To: Firewalls@GreatCircle.COM In-Reply-To: <199508301706.KAA28357@miles.greatcircle.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > According to ~The Firewall Book~, things like IP forwarding and IP source > routing should be disabled on gateway hosts used to construct a firewall. > > I called sun tech support, and not surprisingly they didn't have a clue how to > modify the 4.1.3 kernel to achieve this. It's unlikely you spoke with Sun tech support. You probably spoke with an operator. If you had spoken with an engineer they would have given you a service order number. Any Sun engineer could tell you how to disable ip-forwarding, they all have access to Sunsolve. > If anyone could give me some pointers, I'd appreciate it. If you have a Sun support contract, or a Sunsolve CD, search for ip_forwarding. I found detailed procedures for 4.0, 4.1, and 5.x. You might also check out the "Practical Guide to Solaris Security". It has a number of recommendations you won't find in Bellovin and Cheswick's book. Also, check out ftp://ftp.nec.com/pub/security, ftp://info.cert.org, and ftp://sunsite.unc.edu for more info on SunOS firewalls and utilities like tripwire, tcp_wrappers, npasswd, and cops.
Roger Marquis From firewalls-owner Sat Sep 2 11:00:03 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA13006 for firewalls-outgoing; Sat, 2 Sep 1995 10:39:26 -0700 Received: from wintermute.imsi.com (wintermute.imsi.com [192.103.3.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA12999 for ; Sat, 2 Sep 1995 10:39:23 -0700 Received: from relay.imsi.com by wintermute.imsi.com id NAA23728 for ; Sat, 2 Sep 1995 13:38:01 -0400 Received: from lorax.imsi.com by relay.imsi.com id NAA27224 for ; Sat, 2 Sep 1995 13:38:00 -0400 Received: from localhost by lorax.imsi.com (4.1/SMI-4.1) id AA07170; Sat, 2 Sep 95 13:37:59 EDT Resent-Message-Id: <9509021737.AA07170@lorax.imsi.com> Message-Id: <9509021737.AA07170@lorax.imsi.com> To: Ted Stockwell , shields@tembel.org (Michael Shields) Cc: firewalls@greatcircle.com Subject: Re: FW: Programming Reply-To: rens@imsi.com Date: Sat, 02 Sep 1995 13:17:15 -0400 From: Rens Troost Resent-To: firewalls@greatcircle.com Resent-Date: Sat, 02 Sep 1995 13:37:59 -0400 Resent-From: Rens Troost Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Michael Sed: >> In something like allocating memory, where a failure is always fatal, >> you can easily write an xmalloc() that is that a wrapper which either >> returns a non-NULL pointer or dies. Then always call that instead of >> straight malloc(). This is fairly easy. XtMalloc lets you do this by default, and you can override the error behavior to give you more intelligent error handling, although freeing memory after brk() is always dicey unless you use an expensive heap compaction approach. Xt is great for programming all sorts of things, only a small part of which are windowing apps.
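An added example, not code posted by anyone in this thread, that puts together the two points raised above: Kenneth Kron's note on building a portable snprintf with stdarg.h, and the "returns a non-NULL pointer or dies" xmalloc() that Michael Shields describes and Rens seconds. It assumes a C99-style vsnprintf that returns the length the output would have had (which is what Patrick Powell's snprintf.c supplied on systems without one); the hostname in main() is a constructed sample.

```c
/* Added example (not from the thread): bounded formatting plus an allocate-or-die
 * wrapper, so callers never write past a fixed buffer and never dereference NULL.
 * Assumes a C99 vsnprintf (returns the full length even when it truncates). */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocate or die: callers never have to test for NULL. */
void *xmalloc(size_t n)
{
    void *p = malloc(n ? n : 1);
    if (p == NULL) {
        fprintf(stderr, "xmalloc: out of memory (%lu bytes)\n", (unsigned long)n);
        exit(EXIT_FAILURE);
    }
    return p;
}

/* Format into a fixed buffer. Never overruns dst; returns 0 if the whole
 * string fit, -1 if it was truncated (dst is still NUL-terminated). */
int format_bounded(char *dst, size_t dstsz, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (dstsz == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(dst, dstsz, fmt, ap);
    va_end(ap);
    if (n < 0) {                 /* encoding error: leave an empty string behind */
        dst[0] = '\0';
        return -1;
    }
    return (size_t)n < dstsz ? 0 : -1;
}

/* Format into a heap buffer sized exactly for the result; never truncates,
 * never overruns. Caller frees. */
char *xsprintf(const char *fmt, ...)
{
    va_list ap;
    int n;
    char *s;

    va_start(ap, fmt);
    n = vsnprintf(NULL, 0, fmt, ap);   /* measure first (C99 semantics) */
    va_end(ap);
    if (n < 0) {
        fprintf(stderr, "xsprintf: bad format\n");
        exit(EXIT_FAILURE);
    }
    s = xmalloc((size_t)n + 1);
    va_start(ap, fmt);
    vsnprintf(s, (size_t)n + 1, fmt, ap);
    va_end(ap);
    return s;
}

int main(void)
{
    char line[32];
    const char *peer = "a-very-long-hostname.example.com";   /* constructed sample */
    char *msg;

    /* The classic bug is sprintf(line, "connect from %s", peer): 32 bytes of
     * stack and no check. The bounded version reports the overflow instead. */
    if (format_bounded(line, sizeof line, "connect from %s", peer) != 0)
        fprintf(stderr, "truncated: %s\n", line);

    msg = xsprintf("connect from %s", peer);   /* no size guessing at all */
    puts(msg);
    free(msg);
    return 0;
}
```

The return-value check is the part people skip: snprintf alone stops the overwrite, but a silently truncated log line or filename is still a bug, so the caller has to look at the result and decide what truncation means for it.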
-Rens From firewalls-owner Sat Sep 2 12:00:03 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA13892 for firewalls-outgoing; Sat, 2 Sep 1995 11:49:44 -0700 Received: from NYC.Heuristicrat.COM (NYC.Heuristicrat.COM [204.242.208.254]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA13885 for ; Sat, 2 Sep 1995 11:49:40 -0700 Received: (smap@localhost) by NYC.Heuristicrat.COM (8.6.11/8.6.5) id OAA10103; Sat, 2 Sep 1995 14:48:04 -0400 Received: from gigi.nyc.heuristicrat.com(192.54.131.10) by NYC.Heuristicrat.COM via smap (V1.3) id sma010101; Sat Sep 2 14:48:03 1995 Received: by gigi.NYC.Heuristicrat.COM (4.1/SMI-4.1) id AA03042; Sat, 2 Sep 95 14:48:03 EDT Date: Sat, 2 Sep 95 14:48:03 EDT From: chuck@NYC.Heuristicrat.COM (Chuck Ocheret) Message-Id: <9509021848.AA03042@gigi.NYC.Heuristicrat.COM> To: rens@imsi.com, shields@tembel.org, stockwel@sctc.com Subject: Re: FW: Programming Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Xt is great for programming all sorts of things, only a small part of which are windowing apps. Definitely true, and even though I feel strongly about that (check out http://www.heuristicrat.com/papers/USENIX/AppDev.html) I wouldn't use Xt to write firewall code. ~chuck Chuck Ocheret ---------------------------------------------------------- Heuristicrats Research, Inc. 
+1 (914) 722-0245 [voice] 46 Andrea Lane, Suite 202 +1 (914) 722-0249 [fax] Scarsdale, NY 10583 chuck@NYC.Heuristicrat.COM From firewalls-owner Sat Sep 2 12:02:45 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA13973 for firewalls-outgoing; Sat, 2 Sep 1995 11:59:12 -0700 Received: from magneto.bosch.com (magneto.bosch.com [198.111.120.52]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA13966 for ; Sat, 2 Sep 1995 11:59:08 -0700 Received: by magneto.bosch.com; id OAA23750; Sat, 2 Sep 1995 14:54:22 -0400 Received: from cyber.rbus(198.168.2.2) by magneto via smap (V1.3) id sma023748; Sat Sep 2 14:54:02 1995 Received: by inet.rbus; id OAA27630; Sat, 2 Sep 1995 14:55:58 -0400 Received: from mail(172.16.1.21) by inet.rbus via smap (V1.3) id sma027628; Sat Sep 2 14:55:54 1995 Received: by mail.fh.rbus; id OAA03825; Sat, 2 Sep 1995 14:54:44 -0400 Date: Sat, 2 Sep 1995 14:54:44 -0400 Message-Id: <199509021854.OAA03825@mail.fh.rbus> X-Sender: cwerner@fh.rbus X-Mailer: Windows Eudora Version 2.1.1 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: "Christopher L. Werner" Subject: Re: Use of Remote Authentication: tacacs/radius/etc... Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 02:36 PM 9/1/95 -0300, Marcelo Lopes Rodrigues wrote: > >So why is Cisco starting to use Radius? (Packet magazine, Vol. 7, Number 2 >, Second Quarter 1995, pag. 13) > Well, large ISP's like Merit in Michigan are looking to RADIUS as the protocol of choice for dial-up authentication for a large network. Although you can get more information on the project from http://www.merit.edu, I can briefly say that they have over 150 member and affiliate organizations and will have every Elementary and Secondary school in the state as customers within a year. (timing logistics more than anything). 
We're talking millions of users, all of which can dial into PPP based Network Access Servers (NAS -Livingston Portmasters) and authenticate using RADIUS to UNIX, VMS, NT, and Novell and have regulated, auditable, authentication using RADIUS encryption, UNIX password files, Kerberos, or TACACS. Merit is one of several big users who have been bugging Cisco to adapt the RADIUS protocol as an alternative to Livingston. Cisco's reaction to that market (Merit hopes to be so successful that many other large ISP's will use the same scheme and you can authenticate back to your local authorization server from any NAS nation/world-wide :-) ) and activity on the RADIUS standard committee may have something to do with it... -------------------------------------------------------------------- Opinions expressed are mine and not those of my employer. -------------------------------------------------------------------- Christopher L. Werner Robert Bosch Corporation System Engineer 38000 Hills Tech Dr. (810)553-1389 Farmington Hills, MI 48331-3417 From firewalls-owner Sat Sep 2 14:32:49 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA15675 for firewalls-outgoing; Sat, 2 Sep 1995 13:42:39 -0700 Received: from intex.intex.net (intex.intex.net [204.255.96.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA15662 for ; Sat, 2 Sep 1995 13:42:36 -0700 Received: from dialupb56.intex.net (dialupb56.intex.net [204.255.103.56]) by intex.intex.net (8.6.12/8.6.12) with SMTP id PAA29162; Sat, 2 Sep 1995 15:40:50 -0500 Date: Sat, 2 Sep 1995 15:40:50 -0500 Message-Id: <199509022040.PAA29162@intex.intex.net> X-Sender: lpierce@intex.net X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: rse@en.muc.de, firewalls@GreatCircle.COM From: lpierce@intex.net (S.
Lane Pierce) Subject: Re: DNS forwarding problem Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 09:50 AM 9/1/95 +0200, rse@en.muc.de wrote: >On 31 Aug 1995 01:16:55 +0200 in sdm.lists.firewalls you wrote: >> [...] >> You then configure all your clients INCLUDING THE BASTION/GATEWAY to resolve >> using the internal nameserver. >> [...] >> The really weird part is that when the bastion/gateway wants to resolve an >> internet name, it asks the internal, which forwards back to the bastion/gateway >> which does the resolution and sends the answer back along the same path. > >I cannot understand WHY the bastion has to resolve via the internal >nameserver. I run my bastion host via a /etc/resolv.conf which points to its >local nameserver. And this works fine. The bastion only needs to resolve the >name of the internal bastion and this name is in his DNS. > >Are there any _REAL_ security concerns about resolving the outer bastion host >NOT via the internal bastion host? [.sig snipped] There is not so much a security concern here. The question is, "Does the bastion require knowledge of internal hosts that are not listed in its files?". If not then the bastion should be configured to ask itself. This prevents a successful cracker from obtaining additional information about the inside hosts. If so then he must be configured to ask the inside server else the info could not be obtained. Is this clear as mud? Good luck. ---------------------------- S.
Lane Pierce lpierce@intex.net From firewalls-owner Sat Sep 2 15:01:12 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA18400 for firewalls-outgoing; Sat, 2 Sep 1995 14:51:12 -0700 Received: from scruz.net (nic.scruz.net [165.227.1.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA18386 for ; Sat, 2 Sep 1995 14:51:06 -0700 Received: from histar2.ezunx.com by scruz.net (8.6.9/1.34) id OAA27846; Sat, 2 Sep 1995 14:49:43 -0700 Date: Sat, 2 Sep 95 14:41:50 PDT From: Rich Subject: Large-Mixed-OS FW access problem To: firewalls@greatcircle.com X-Mailer: Chameleon V0.05, TCP/IP for Windows, NetManage Inc. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, Got a perhaps unusual problem that perhaps I can get a few suggestions or help with. I have a network with a very large mix of OS's, and with over 6000 users who require Internet access. The problem is this - Over 60% of the users will have to use DYNAMIC IP addresses, since there are not enough to go around, AND they are running OS/2, WFW, Apple, and a few other mixtures of OS/nos stacks. The remaining 40% will be using static IP addresses and mostly will be running WFW, but also some other mixed OS/nos base. We have a single Internet connection. Oh, and we want to authorize access with username, not ip addresses (for obvious reasons, the dhcp/bootp people). Normally, access to the net should be pretty straight forward, but maybe I am just not thinking straight today. I can't figure out a good way to set up authorization host(s) to handle all the necessary accesses. Yes, I know I am going to have some throughput issues with such large numbers, but that is one of the reasons we want a single access point, for the security and management issues. Comments, suggestions? Firewall recommendations? proxy/bastion suggestions? 
ADVANCE Rich Fitzgerald (408) 456-0430 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- ** Remember -- Life is NOT a dress rehearsal! (nor is it a small furry animal with funny feet and floppy ears...) From firewalls-owner Sat Sep 2 15:35:02 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA19841 for firewalls-outgoing; Sat, 2 Sep 1995 15:23:07 -0700 Received: from bastion.sware.com (bastion.sware.com [139.131.15.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA24768 for ; Fri, 1 Sep 1995 16:01:58 -0700 Received: from shlep.sware.com (shlep.sware.com [139.131.1.14]) by bastion.sware.com (8.6.12/8.6.5) with SMTP id SAA26334 for ; Fri, 1 Sep 1995 18:50:51 -0401 Received: by shlep.sware.com (5.65/2.0) from neptune.sware.com id AA14364; Fri, 1 Sep 95 18:50:15 -0400 Received: by neptune.sware.com (5.65/2.1) from localhost id AA05261; Fri, 1 Sep 95 18:51:03 -0400 Message-Id: <9509012251.AA05261@neptune.sware.com> From: "Mark W. Reardon" X-Mailer: SecureMail [2.1.2] Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: Re: HannaH from SecureWare Inc. 
To: firewalls-digest@GreatCircle.COM Date: Fri, 01 Sep 95 18:51:02 EDT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -----BEGIN PRIVACY-ENHANCED MESSAGE----- Proc-Type: 4,MIC-CLEAR Content-Domain: RFC822 Originator-Certificate: MIIBxjCCAXACFFjVVBsGH5SnHa42KUiEyt0AAAAAMA0GCSqGSIb3DQEBAgUAMFkx CzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9TZWN1cmVXYXJlIEluYy4xFzAVBgNVBAsT DlNlY3VyZVdhcmUgUENBMRcwFQYDVQQLEw5FbmdpbmVlcmluZyBDQTAeFw05NTA1 MTExMzUzNDVaFw05ODA1MTAxMzUzNDVaMHMxCzAJBgNVBAYTAlVTMRgwFgYDVQQK Ew9TZWN1cmVXYXJlIEluYy4xFzAVBgNVBAsTDlNlY3VyZVdhcmUgUENBMRcwFQYD VQQLEw5FbmdpbmVlcmluZyBDQTEYMBYGA1UEAxMPTWFyayBXLiBSZWFyZG9uMFkw CgYEVQgBAQICAgQDSwAwSAJBDdoErtN8vyza47fIQHiy1DCvMBhr9Wc3ByPJ/9Ek rKojJnyXDYzQh0JX3oOLZ0ITBCnbBM69w0DTs4aSJTQjqEcCAwEAATANBgkqhkiG 9w0BAQIFAANBAJcyeNNIi4blzo1SjWV2sXfRQ9uhNHZ4t89hZLbCjaRYvoXjW1Uv XYCLO/YG1flFrXp5xOzd04+2OcLsw9RViDk= Issuer-Certificate: MIIBkzCCAT0CFEbO5h6/SKxULWrq4aExKoYAAAAAMA0GCSqGSIb3DQEBAgUAMEAx CzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9TZWN1cmVXYXJlIEluYy4xFzAVBgNVBAsT DlNlY3VyZVdhcmUgUENBMB4XDTk1MDUwODIwMjAxNloXDTk3MDUwNzIwMjAxNlow WTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1NlY3VyZVdhcmUgSW5jLjEXMBUGA1UE CxMOU2VjdXJlV2FyZSBQQ0ExFzAVBgNVBAsTDkVuZ2luZWVyaW5nIENBMFkwCgYE VQgBAQICAgADSwAwSAJBAL4Od/KxhOB6HyUbBJC2X6Ic2P0XEcGnddzJ1QEHjSFy x5qzn098ScMWDEJSiwrsVmQFbNvN01hkke7ZE21aG5sCAwEAATANBgkqhkiG9w0B AQIFAANBALtOOv3SWxy+/VEvvY6j06wUNQRhqbtX5g8HgOwPgvoqcrRl939lcOcx X7q8YB5bVVTow4PsFfnorV5gsOBwnf4= MIC-Info: RSA-MD5,RSA, ANBJA9k1rs8MWI2SJ1E6qO+XYsSNWbjNBK3wcslMwtCMHobUrf3zLuFxzWarDgaY s/A6GBr9UekszKI+UtFTX0c= SecureWare really doesn't see Hannah as a replacement for firewalls. As some of the respondents have pointed out, a node-based solution may be more difficult to administer and scale to a large number of platforms. We've tried to make HannaH scalable by including centralized administration for distributed environments. A node based solution is a problem if it is not available on ALL of the platforms that you want to protect. 
We will address this problem over time as we offer HannaH on additional platforms or other vendors offer compatible products since HannaH protocols are published for anyone to implement. A firewall is a very valid perimeter solution that is a great choke point between the "inside" and the "outside". However, there are many environments that firewalls alone simply cannot address. Some of the environments would benefit from a combined HannaH/firewall solution, which we are currently pursuing. Some could be addressed by firewalls alone, and others are simply inappropriate for HannaH. We have tried to describe some of the target markets for HannaH in a white paper that you can grab off our web page. If you have further questions about HannaH in a specific environment, you can contact SecureWare directly. Let me re-iterate, however, that HannaH is not the network security panacea. It fills an important gap and advances the state of the art in security products and (we hope) will be applicable to a wide range of environments for which there is simply no solution today. That said, I would like to give a few brief responses to some of the comments made in the most recent postings to the list. On Thu, 31 Aug 1995, Gary Flynn wrote: > [...] > Problems with firewall throughput go away. Again, it depends on the environment. You can provide access to some applications on the "inside" directly without having to go through a firewall. You can combine HannaH with a firewall to provide protected access to the firewall and then go through your traditional proxy to get inside. If you are, for example, a large retail chain and want to have your stores post their inventory figures to a central machine over the Internet, HannaH would work just fine and you wouldn't need a firewall for that application. Just one example, . . . >[...] 
> I'd think the only problem would be possible incompatibility bugs > with the standard API but if the API stays generally stable, those > bugs would eventually get worked out. > HannaH doesn't modify the API used for communications, it instead installs below it so that no application modifications are required. This was one of the original requirements for HannaH since we did not want to get in the business of telling other software vendors that they need to rewrite the applications to make them use HannaH. On Thu, 31 Aug 1995, David Miller wrote: > First, there's the possibility that people will not use the product, or > that their product will not fit all type, styles, and rev levels of > computer on your network. Once one of the systems on your network is > compromised it becomes a safe staging area for attacks on the rest of > your network. Which leads us to ... These are very valid points. Initially, HannaH is not being offered on all computing platforms. It cannot secure those platforms that it isn't running on. While it does allow connections from non-HannaH hosts, they are not secure. We recommend that HannaH systems are configured to enforce the level of security required for the environment that it is in. For example, the types of connections allowed to a non-HannaH host might be restricted to a specific set of hosts and applications. A non-HannaH host can only give you spoofable IP addresses and port numbers, and that's all HannaH can go on. > Second, the whole reason people put the soft chewy center in the middle > of a very hard shell is so there is a single access point to be > administered. It's one thing to get a good security person to > manage/monitor the firewall through which all traffic flows. It's > another thing altogether (usually thought impossible in any sizeable > installation) to try and have many administrators adequately secure their > systems.
This is a good analogy and it helps to point out that there are different needs that are addressed by HannaH and Firewalls. Firewalls are perimeter protection, and one of the problems they have is authenticating the remote party. If a Firewall has HannaH running, HannaH can provide that strength. This replaces identification of remote users by IP address, with something a lot harder to forge, the remote user's cryptographically authenticated identity. Also, Firewalls do nothing against the internal attacks. That is a problem that can be addressed by securing sensitive information on HannaH systems by only allowing connections through secure, encrypted pipes. Then, even the communications between two computers in the payroll department are secured from the network trouble shooter's sniffer. Lastly, though a node level solution, HannaH is designed with a centralized management concept. Once installed, all systems level security is configured and monitored from a central management work station. Ease of management has been a primary concern from the outset of HannaH. This includes both Access Control and Audit Information. We don't think of HannaH as a replacement for Firewalls, it is instead a complementary tool. In addition, some businesses may have decided that a Firewall is too expensive for some application, i.e., the mobile user calling the office, the one or two computer remote office. HannaH, since it is a software solution, addresses these needs in a different way that may be more affordable. Finally, Alan Hannan wrote in response to Gary Flynn and David Miller: >>[...] > Sure, let's just open up the bloody borders of our country to anyone, we > wouldn't want to impede any travel, would we? Heaven forbid Iraqis should > actually have to stop at the border to our country, we should allow > them and all others to come in unimpeded. Geez. > >>[...]
> Quite obviously, one that thinks individual host security should have > more emphasis than network security has never tried to implement such a > policy. More clearly, one who thinks indiv. hosts are more important > than network security has no concept of time=money. We are not advocating individual host security over network security or the other way around. Both have their strengths and weaknesses. In the security for Security First Network Bank, the first Internet bank, SecureWare used filtering routers, Firewalls, Hannah, and other techniques such as secure operating systems. Clearly, strong security means analyzing the entire network and each computer on it for weakness. Then each of those weaknesses has to be addressed. HannaH and Firewalls are complementary tools to be used in such an exercise. There have also been posted a few comments made regarding UDP and Kerberos. I am not a Kerberos expert and so I went to some of the other people within SecureWare that have studied it. They provided these short comments: - ---------- Beginning of Message ----------- Kerberos: Hannah is similar to Kerberos in many ways. Probably the major differences include: - Hannah uses public key cryptography for authentication and key management whereas Kerberos uses symmetric key management techniques that require an on-line "ticket-granting-service". The use of public key cryptography: - makes Hannah more robust, - eliminates security problems associated with mutually suspicious users having to trust a common entity, - allows Hannah to scale better, particularly simplifying controlled interoperability between disparate organizations. - Hannah is installed in a system below the API (it transparently replaces the Winsock layer for Windows XX, and resides within the protocol stack for Unix). Unlike Kerberos which requires that you modify an application to obtain security, Hannah is completely transparent to applications. Web browsers, X, SMTP, ftp, telnet, rcp, rsh, etc...
are all secured without modification. ALSO, because Hannah is below the API, the security administrator has the option of MANDATING security, such that it cannot be bypassed by any user or application. This cannot be done using Kerberos. UDP: Hannah will support UDP in an early point release. Key management will not impose much of a burden upon UDP applications, for the key management process retains a security state for recent datagram sessions. Of course, if a session consists of a single datagram there will be a substantial hit, but that is the price paid for strong authentication. Multicast: With the addition of UDP support, Hannah will support multicast using manual key management. Multiuser Hannah and certificate diskettes: Key material for users need not reside on a protected floppy. On those systems with adequate access control, it can reside in a local file. Hannah also supports the use of smart cards, including the National Security Agency's Fortezza Card. There are plans for Hannah to support multiuser operation on Unix systems using either file-based or smart card key repositories. Logging out: On all systems, key material is protected within a special Cryptographic Subsystem and is not accessible to an application. It is deactivated (or destroyed) when the user logs out. Perhaps a point release should include a screen saver option that automatically deactivates the key material after an appropriate interval of inactivity. Of course, the ultimate level of protection provided the key material depends upon the overall security of the underlying platform. That is why Hannah is offered on platforms including military grade B-level operating systems. - ---------- End of Message ----------- I hope these are informative. Mark - ------------------------------------------------------------------------------- Mark Reardon | SecureWare, Inc. | WWW is http://www.secureware.com (404)315-6296 | 2957 Clairmont Rd., Ste. 200 | email is mwr@sware.com ext.
134 | Atlanta, GA 30329-1647 | This letter was created using SecureMail. If you do not have a PEM reader, please ignore the privacy headers. -----END PRIVACY-ENHANCED MESSAGE----- From firewalls-owner Sat Sep 2 16:00:03 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA20275 for firewalls-outgoing; Sat, 2 Sep 1995 15:39:45 -0700 Received: from zeus.ci.ua.pt (zeus.ci.ua.pt [193.136.80.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA20260 for ; Sat, 2 Sep 1995 15:39:40 -0700 Received: by zeus.ci.ua.pt (1.37.109.16/16.2) id AA173114955; Sun, 3 Sep 1995 00:35:55 +0100 From: Fernando Cozinheiro Message-Id: <199509022335.AA173114955@zeus.ci.ua.pt> Subject: RADIUS... Where is it? To: firewalls@greatcircle.com Date: Sun, 3 Sep 1995 00:35:55 +0100 (PST) Cc: cooker@zeus.ci.ua.pt (Fernando Cozinheiro) Reply-To: Fernando.Cozinheiro@ua.pt Organization: Universidade de Aveiro, Portugal X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 635 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dear friends: I'm seeing several references about Radius on this list... Could anyone tell me where I can get a document describing it and the package itself? Thanks in advance.
-- Fernando Cozinheiro http://sweet.ua.pt/~cooker/ System & Network Administrator Email: cooker@ci.ua.pt ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Universidade de Aveiro Phone: Centro de Informatica UA: +351 34 370200/Ext.2254 3810 Aveiro CIUA: +351 34 370345 Portugal Telefax: +351 34 370214 From firewalls-owner Sat Sep 2 17:00:00 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA21419 for firewalls-outgoing; Sat, 2 Sep 1995 16:34:33 -0700 Received: from gatekeep.genmagic.com (gatekeep.genmagic.com [192.216.16.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA21412 for ; Sat, 2 Sep 1995 16:34:30 -0700 Received: from (genmagic.genmagic.com [10.1.4.12]) by gatekeep.genmagic.com (8.6.9/8.6.9) with SMTP id OAA22595; Sat, 2 Sep 1995 14:16:51 -0700 Received: from abulafia.genmagic.com by genmagic.genmagic.com (4.1/SMI-4.1/JBS) id AA06266; Sat, 2 Sep 95 16:29:20 PDT Received: by abulafia.genmagic.com (931110.SGI/930416.SGI) for @genmagic.genmagic.com:firewalls@GreatCircle.COM id AA04163; Sat, 2 Sep 95 16:30:08 -0700 Date: Sat, 2 Sep 95 16:30:08 -0700 From: jet@abulafia.genmagic.com (J. Eric Townsend) Message-Id: <9509022330.AA04163@abulafia.genmagic.com> To: Rich Cc: firewalls@GreatCircle.COM Subject: Large-Mixed-OS FW access problem In-Reply-To: References: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk my nickel's worth, now that I've bailed from our MIS department due to political differences with new management. :-) if you haven't already, go to non-internic-assigned addresses. Take 10.*.*.*, we're using it. :-) "raf" == Rich writes: raf> Over 60% of the users will have to use DYNAMIC IP addresses, raf> since there are not enough to go around, AND they are running raf> OS/2, WFW, Apple, and a few other mixtures of OS/nos stacks. Put the DYNAMIC addresses in their own subnet range. We did this by having 10-bit subnets and putting dynamics in their own chunk of that. 
Then do massive sets of automated reverse entries for *everything* in that range. (Yes, it's annoying, but then you can just chunk things into that range and not worry about it.)

raf> We have a single Internet connection. Oh, and we want to
raf> authorize access with username, not ip addresses (for obvious

hm. Dunno on that one.

raf> I know I am going to have some throughput issues with such large
raf> numbers, but that is one of the reasons we want a single access
raf> point, for the security and management issues.

proxy/cache the WWW stuff and that'll help more than one would expect. (URLs get passed around the office and suddenly half the company wants to see what's so funny about www.micros0ft.com.)

dual-router with bastion/proxy hosts for various services. It's easier to handle having machines on the internet and proxy stuff this way. (ex: Our external www server is in the DMZ and is considered a 'hostile' system by the routers. This means we can spend less time/effort securing the server and more time securing the mail gateway.)

be prepared to spend a large amount of money. If the tightwads in accounting refuse, only provide the services you can afford to provide securely. This usually helps them budge: as the users complain to you, you explain "it's all the money I'm allowed to spend". (That, or departments that can business-justify internet access will offer funds from their budgets.) Failing that, ask accounting how much it will cost if someone from a competitor starts reading the CEO's mail. Then show them how it's done.
:-)

From firewalls-owner Sat Sep 2 22:00:05 1995
From: "Mike Culver-Support"
Date: Sat, 2 Sep 1995 21:39:21 -0700
To: firewalls@greatcircle.com
Subject: Frame-Relay Net Connections
Message-Id: <9509022139.ZM5494@ncelec.com>

We all know (and some of us even agree) that a bastion host on a DMZ is the best way to protect yourself from the net.

Anyone have a suggestion for sites that connect to their service provider via a Frame Relay connection? In this case, there is a virtual circuit to the service provider, but the circuit runs thru a common interface on a router that also serves WAN sites that are part of the internal network.

This is a fairly common connection method!

From firewalls-owner Sat Sep 2 23:30:01 1995
From: "Darren K. Bolding"
Message-Id: <199509030625.BAA09831@dogbert.ipa.net>
Subject: Re: RADIUS... Where is it?
To: Fernando.Cozinheiro@ua.pt
Date: Sun, 3 Sep 1995 01:25:08 -0500 (CDT)
Cc: firewalls@GreatCircle.COM, cooker@zeus.ci.ua.pt
In-Reply-To: <199509022335.AA173114955@zeus.ci.ua.pt> from "Fernando Cozinheiro" at Sep 3, 95 00:35:55 am

In the previous message, Fernando Cozinheiro said:
>
> Dear friends:
>
> I'm seeing several references about Radius on this list...
>
> Could anyone tell me where I can get a document describing it and the
> package itself?
>
> Thanks in advance.
>

You can find out about the Livingston implementation of Radius at
http://www.livingston.com/products/dts_radius.htm

Merit's web archive is at:
http://home.merit.edu/webstuff/radius/

There is a fair bit of Radius tweaking going on; the Livingston Portmaster mailing list is an inappropriate place to discuss it (IMHO), but seems a popular one nonetheless.

--
-- Darren Bolding                Senior network engineer   darren@bolding.org --
-- Internet Partners of America  1-800-785-4091 X106       darren@ipa.net     --
-- ISP design and implementation.
   WAN, UNIX and Security consulting --

From firewalls-owner Sun Sep 3 01:00:01 1995
From: Steve Kennedy
Date: Sun, 3 Sep 1995 08:46:50 +0100 (BST)
To: cwerner@fh.us.bosch.com (Christopher L. Werner)
Cc: firewalls@GreatCircle.COM
Subject: Re: Use of Remote Authentication: tacacs/radius/etc...
Message-Id: <199509030746.IAA13998@ford.gbnet.org>
In-Reply-To: <199509021854.OAA03825@mail.fh.rbus> from "Christopher L. Werner" at Sep 2, 95 02:54:44 pm

According to Christopher L. Werner
> At 02:36 PM 9/1/95 -0300, Marcelo Lopes Rodrigues wrote:
> >So why is Cisco starting to use Radius? (Packet magazine, Vol. 7, Number 2
> >, Second Quarter 1995, pag. 13)
> Well, large ISP's like Merit in Michigan are looking to RADIUS as the protocol
> of choice for dial-up authentication for a large network. Although you can

Beware of the RADIUS implementations from Livingston and Merit. There is a serious bug in the socket handling code (I think) that causes the server to get confused under heavy load. Demon Internet found this when they installed their version of the RADIUS server; they have fixed it (being an ISP with a large dial-up community does tend to stress-test these things, though).
Regards

Steve
--
home steve@gbnet.org * Flat 2, 43 Howitt Road, Belsize Pk, London NW3 4LU
work steve@demon.net * tel +44-(0)171 483 1169  FAX +44-(0)181 444 6103
www  http://www.gbnet.net/ * GSM mobile +44-(0)802 444 500
bits steve@gbnet.net * GSM data @2400 0802-449500 @9600 449501 fax 449502
Euro firewall info - send mail to majordomo@gbnet.net (subscribe firewalls-uk)

From firewalls-owner Sun Sep 3 13:00:02 1995
From: harald@emi.gu.se (Harald Astrand)
Date: Sun, 03 Sep 1995 21:20:25 +0100
To: firewalls@greatcircle.com
Subject: DNS forwarding problem
Message-Id: <199509031937.VAA29975@gsv.gu.se>

Hi,

I have problems getting the DNS to work using internal roots on our network. The internal root servers are set up with a named.boot file:

    primary     .    db.root
    forwarders  x.x.x.x

The x.x.x.x host is the firewall machine on a separate C-net. On the firewall I have a regular (non-root) name-server.
When I try to reach an outside host with nslookup from the internal root I get the following error message:

    can't find x.y.z: Non-existant domain.

I guess this is because the internal root thinks of itself as authoritative for everything and sees no need to forward the request to the firewall.

Is there a way to get this working while still using an internal root? (We use HP-UX and have SOCKS running on the firewall.)

Any help would be very appreciated.

Regards

Harald
--------------------------------------------------------------------
Harald Åstrand                    Email:
EMI, Sahlgrenska Hospital         Tel. +46 (0)31 - 60 26 82
Röda Stråket 4                    Fax. +46 (0)31 - 60 23 83
S-413 45 Göteborg                 Memo: GVS.KOMMUN.VSCHAD
Sweden

From firewalls-owner Sun Sep 3 13:30:04 1995
From: maass@thinkfish.rhein-main.de (Joerg Maass)
Date: Sun, 3 Sep 1995 22:10:23 +0200
To: "Roy Schonberg (919) 541-6084"
Cc: firewalls@GreatCircle.COM
Subject: Re: Digital Firewall for Ultrix

Hi Roy,

>Anyone know anything about this product?
>
>Other than one SPD from DEC I can't seem to find out much about how it works or
>how well.

This is a product made up of a software/consultancy bundle plus documentation and training. A turnkey solution, basically.
It comes in several possible configurations, depending on your requirements. Additional services are available.

Mail me at Joerg.Maass@frs.mts.dec.com for more info.

Kind regards

Josch
--
Am Tiergarten 22        Tel.: +49/69/4990880
D-60316 Frankfurt       Fax : +49/6103/383-157
Germany                 private: maass@thinkfish.rhein-main.de
                        biz.:    Joerg.Maass@frs.mts.dec.com
PGP signature available upon request.

From firewalls-owner Sun Sep 3 14:00:00 1995
From: Karl Strickland
Date: Sun, 3 Sep 1995 21:10:52 +0100 (BST)
To: Julian Assange
Cc: dtynan@fws.ilo.dec.com, firewalls@greatcircle.com
Subject: Re: syslog overruns and TIS smap
Message-Id: <199509032010.VAA24588@bagpuss.demon.co.uk>
In-Reply-To: <199508312008.GAA17374@suburbia.net> from "Julian Assange" at Sep 1, 95 06:08:01 am

> > > Julian Assange wrote:
> > >
> > > What happens if I mknod a new hd block device within the chrooted area under
> > > TIS?
> >
> > You'd need 'root' permission to do that. You don't need root to make
> > an inbound connection to an inside host, however.
> > - Der
>
> True, but obtaining root isn't necessarily such a hard thing to do. My
> point is that a number of people have stated that despite obtaining root in
> a chrooted() environment you're still protected.
> The way I have seen chroot() calls implemented is the kernel merely sets the
> process's root inode to the inode of the directory passed as the argument.
> If this is the only protection involved you can break out with a mknod.

You're quite right. On BSD4.4, you can bump up your security level so that sensitive devices such as mounted disks & /dev/kmem cannot be opened for write. But - as you say - without that, you're screwed.

--
------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD               | Karl Strickland
PGP 2.3a Public Key Available.            | Internet: karl@bagpuss.demon.co.uk
                                          |

From firewalls-owner Sun Sep 3 14:30:00 1995
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Date: Sun, 3 Sep 1995 17:16:09 -0500 (EST)
To: mculver@ncelec.com (Mike Culver-Support)
Cc: firewalls@greatcircle.com
Subject: Re: Frame-Relay Net Connections
Message-Id: <9509032216.AA20292@hawksbill.sprintmrn.com>
In-Reply-To: <9509022139.ZM5494@ncelec.com> from "Mike Culver-Support" at Sep 2, 95 09:39:21 pm

>
> We all know (and some of us even agree) that a bastion host on a DMZ is the
> best way to protect yourself from the net.
>
> Anyone have a suggestion for sites that connect to their service provider via a
> Frame Relay connection?
> In this case, there is a virtual circuit to the service
> provider, but the circuit runs thru a common interface on a router that also
> serves WAN sites that are part of the internal network.
>

It shouldn't be, that's for sure. :-)

there is absolutely no reason to forsake any amount of security for frame-relay; it should interface with your network in the same manner as any private line, in this case.

- paul

_______________________________________________________________________________
Paul Ferguson                                   Dulcius Ex Asperis
US Sprint                                       tel: 703.689.6828
Managed Network Engineering                     internet: paul@hawk.sprintmrn.com
Reston, Virginia USA                            http://www.sprintmrn.com

From firewalls-owner Sun Sep 3 15:00:00 1995
From: Karl Strickland
Date: Sat, 2 Sep 1995 02:30:38 +0100 (BST)
To: Paul McMahan
Cc: firewalls@greatcircle.com
Subject: Re: linux vs. *bsd for secure networking system
Message-Id: <199509020130.CAA11087@bagpuss.demon.co.uk>
In-Reply-To: <199509012356.TAA11927@rudolph.cs.utk.edu> from "Paul McMahan" at Sep 1, 95 07:56:54 pm

> Hello,
>
> I know that the linux vs. (free|net)bsd question is the subject of
> ongoing debates outside the realm of firewalls, but I'm interested
> specifically in the security aspects of these operating systems.
Remember, if you go for Linux, you have to decide *which* linux to go for - there are at least 7 different distributions, some of which are very different. And then, when a hole is discovered, you have to find patches that work with your obscure distribution & version.

FreeBSD has controlled releases, and is developed in a controlled, structured manner; all security-related changes to the system must undergo peer review before a commit is made. This alone would put FreeBSD higher up my list.

--
------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD               | Karl Strickland
PGP 2.3a Public Key Available.            | Internet: karl@bagpuss.demon.co.uk
                                          |

From firewalls-owner Sun Sep 3 23:00:13 1995
From: "NY Global UNIX GW"
Date: 4 Sep 1995 01:32:20 U
Subject: Undeliverable Mail

Unknown Microsoft mail form. Approximate representation follows.

Message: Firewalls-Digest V4 #513
Sent: Sun, Sep 3, 1995 1:09 AM
To: Rattray, A. On Server: NY Support (L-Z)
Date: Mon, Sep 4, 1995 1:32 AM
Reason: Could not be delivered because the destination Microsoft Mail server could not be found.
From firewalls-owner Mon Sep 4 00:30:24 1995
From: "Server #7000007"
Date: 4 Sep 1995 01:44:39 U
Subject: Undeliverable Mail

Unknown Microsoft mail form. Approximate representation follows.

Message: Firewalls-Digest V4 #513
Sent: Sun, Sep 3, 1995 1:36 AM
To: Harris Tom On Server: PRC Bellevue NE MS
Date: Mon, Sep 4, 1995 1:44 AM
Reason: Could not be delivered because the destination Microsoft Mail server could not be found.

From firewalls-owner Mon Sep 4 07:30:07 1995
From: wyer@telecheck.com
To: firewalls@greatcircle.com
Cc: wyer@telecheck.com
Subject: Re: Frame-Relay Net Connections
Message-Id: <9509041421.AA22869@TeleCheck.com>
In-Reply-To: paul@hawksbill.sprintmrn.com's message of Sun, 03 Sep 95 17:16:09 -0500.
             <9509032216.AA20292@hawksbill.sprintmrn.com>
Date: Mon, 04 Sep 95 09:21:43 -0500

>>> paul@hawksbill.sprintmrn.com supposedly said:
> >
> > We all know (and some of us even agree) that a bastion host on a DMZ is the
> > best way to protect yourself from the net.
> >
> > Anyone have a suggestion for sites that connect to their service provider via a
> > Frame Relay connection? In this case, there is a virtual circuit to the service
> > provider, but the circuit runs thru a common interface on a router that also
> > serves WAN sites that are part of the internal network.
> >
>
> It shouldn't be, that's for sure. :-)
>
> there is absolutely no reason to forsake any amount of security for
> frame-relay; it should interface with your network in the same
> manner as any private line, in this case.
>
> - paul
--------------------

A fairly easy and functional solution, if you have the hardware, is to use Frame Relay switching. For the link that we're bringing up, I simply routed the inbound PVC from our Sprintnet link back out another serial port on our router, through a Synch Modem Eliminator and into a dedicated router. This accomplishes two of our goals:

1. Provide a throttle for Internet traffic by adjusting speed on the Modem Eliminator
2. Prevent access to the primary Frame Relay router from the internet.

We accomplished this with Cisco routers plugged in back-to-back and the frame-relay route command.

+--------------------------------------+--------------------------------------+
| Brett Wyer                           | snail: 5251 Westheimer Road          |
| Manager, Systems Support             |        5th Floor                     |
| TeleCheck International, Inc.        |        Houston, TX 77056             |
| (713) 439-6474                       | i-net: wyer@TeleCheck.com            |
+--------------------------------------+--------------------------------------+
| Stated opinions are my own and do not in any way reflect the opinion of my  |
| employer.
                                                                             |
+-----------------------------------------------------------------------------+

From firewalls-owner Mon Sep 4 16:30:04 1995
From: Sick Puppy
Date: Mon, 4 Sep 1995 18:55:58 -0400 (EDT)
To: firewalls@GreatCircle.com
Subject: Nasty hackerz having busy weekend

There are presently some dudes (quite possibly nasty hackerz) in 198.6.1.1, CACHE00.NS.UU.NET, who are doing what looks like slow Satan scans of a variety of different systems on the Internet, including some firewalls. The probes vary from 20 seconds apart to about one minute apart. They have been having a very busy weekend.

I respectfully suggest that you firewalls dudes check your logs and look very carefully for possible intrusions.

I wanted to be holier than thou and bark at UU.net but I can't find a phone number for them. So I am going to send this mail then pee on a tree.

Sorry if this doesn't follow netiquette, but I don't know about that cause I am only a dawg.
Sick Puppy, the Cat_Eating_Dawg
SniffMeister of the Stealth Starship Dark Matter
-=:( Chained, whipped, beaten and severely abused in Katherine's Dungeon ):=-
-=:( How could anything that feels so good be so wrong ):=-

From firewalls-owner Mon Sep 4 19:00:01 1995
From: Sick Puppy
Date: Mon, 4 Sep 1995 21:36:57 -0400 (EDT)
To: firewalls@GreatCircle.com
Subject: Re: Nasty hackerz having busy weekend
In-Reply-To: <9509050054.AA05445@tis.com>

My sniff and a lick to all those who responded so promptly to a yelp for help. You can scratch real good if you know where the fleas are. The appropriate d00dz have now been informed.
Sick Puppy, the Cat_Eating_Dawg
clueless country dawg
-=:( Chained, whipped, beaten and severely abused in Katherine's Dungeon ):=-
-=:( How could anything that feels so good be so wrong ):=-

From firewalls-owner Mon Sep 4 23:30:07 1995
From: "matt (IEZ AG)" <100632.1345@compuserve.com>
Date: 05 Sep 95 02:17:35 EDT
To: firewalls-mailing-list
Subject: firewall with only one IP address ???
Message-ID: <950905061735_100632.1345_BHL70-1@CompuServe.COM>

Hi all,

we have one question:
Our firm now wants to connect to the internet, but we will get only one official IP address. First, we believed this would be no problem because we'll use the 10.0.0.0 net as our internal network and we will be able to manage the connections over proxies. So we hoped a firewall could do two things: protect our private network and connect every internal host to the internet.

But unfortunately, our router just needs our only official IP address, and the firewall can only get a 10.x.y.z address. The problem is that the firewall behind the router cannot perform the connection between the internet and our private net because it isn't available directly from the internet, or are we wrong? Is there another possibility to install the proxies?

Ok, we could use a LINUX workstation both as the router and application gateway, but we're not very happy with this idea for several reasons. First we'll try to ask you: does anyone have any other good idea?
TIA

rolf matt

From firewalls-owner Tue Sep 5 00:32:22 1995
From: sgcccdc@citec.qld.gov.au (Colin Campbell)
Date: Tue, 5 Sep 95 17:28:36 EST
To: 100632.1345@compuserve.com (matt)
Cc: firewalls@greatcircle.com
Subject: Re: firewall with only one IP address ???
Message-Id: <9509050728.AA12116@citecub.citec.qld.gov.au>
In-Reply-To: <950905061735_100632.1345_BHL70-1@CompuServe.COM>; from "matt" at Sep 5, 95 2:17 am

>
> Hi all,
>
> we have one question:
> Our firm now wants to connect to the internet, but we will get only
> one official IP-address. First, we believed this would be no problem
> because we'll use the 10.0.0.0 net as our internal network and we
> will be able to manage the connections over proxies.
> So we hoped a firewall could do two things: protect our private network
> and connect every internal host against the internet.
> But unfortunately, our router just needs our only official
> IP-address, and the firewall can only get a 10.x.y.z address.

This should not be required. Your ISP should provide an IP address for the link from their router to yours. Then you use your allocated IP on the firewall net and the 10.*.*.* behind the bastion.
A picture:

Assume: ISP uses net a.b.c for connections
        You have been allocated f.g.h
        Single homed bastion

              ISP network
          -------------------
                   |
                   |
             ISP router  a.b.c.d
                   |
                   |
                   |
                   |  a.b.c.e
             Your router  f.g.h.1
                   |
                   |
               f.g.h net
          ------------------
              |          |
              |          |
           f.g.h.2    f.g.h.3
           bastion    router  10.0.0.1
                         |
                         |
                         V
                     inside net

Of course there are many ways to build your firewall but none of them should require you to use your allocated net on the ISP-side of your router.

Colin

From firewalls-owner Tue Sep 5 02:00:18 1995
From: Network Coordinator
Date: Tue, 5 Sep 1995 04:35:42 -0400 (EDT)
To: Colin Campbell
Cc: matt <100632.1345@compuserve.com>, firewalls@GreatCircle.COM
Subject: Re: firewall with only one IP address ???
In-Reply-To: <9509050728.AA12116@citecub.citec.qld.gov.au>

> Of course there are many ways to build your firewall but none of them
> should require you to use your allocated net on the ISP-side of your
> router.

I think the gentleman is saying that he has only *1* IP Address. Not an IP net.

-Jerry.
From firewalls-owner Tue Sep 5 05:00:23 1995
From: Luke Howard
Date: Tue, 5 Sep 1995 21:37:39 +1000
To: firewalls@greatcircle.com
Subject: syslog() and TIS on Nextstep
Message-Id: <199509051137.VAA23596@victoria.schnet.edu.au>

I was wondering if anyone has had any experience compiling the firewall toolkit under Nextstep (not an ideal platform for this kinda stuff I know, but we're using it for reasons outside my control). I've managed to get it to compile, after changing a couple of things in Makefile.config and firewall.h, and it appears to work fine.

I'm not sure to what extent Nextstep is vulnerable to the syslog() problem - I tried one of the few programs floating around that tests for the vulnerability, and I get seg. faults when 8k or more is passed to it. (NS3.3 on i486)

I modified smap.c to not accept to/from lines >1024 bytes, and I linked the entire toolkit against newlog-1.0, which supposedly does bounds checking on syslog() - getting it to compile on Nextstep was a bit awkward (had to grab sys/cdefs.h off FreeBSD, define STDERR_FILENO or something I can't quite remember :)) but it (again) appears to be working fine.

Does anyone have any comments on this? I'm admittedly a newbie when it comes to C :)

regards,

luke.
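The two mitigations Luke describes, a cap on envelope lines in smap and a bounds-checked front end to syslog(3), as an added illustration that is not from his post, the TIS toolkit or newlog; the function names, the ENVELOPE_LINE_MAX / LOG_MSG_MAX values and the "smap-demo" ident are this example's own choices, and LOG_MSG_MAX is assumed to be well below the platform's internal syslog() buffer.

```c
/* Added example, not from the post or the TIS/newlog sources.
 * The 1995 syslog(3) bug: the library expanded the caller's format into a
 * fixed-size buffer with no length check, so a long enough logged field
 * (an SMTP "MAIL FROM" line, say) ran past it. Defence: never let syslog()
 * format untrusted data at all; format into a buffer of known size with
 * vsnprintf() first, and hand the library only a constant "%s". */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Cap on one SMTP envelope line, the limit the post applies in smap.c. */
#define ENVELOPE_LINE_MAX 1024
/* Cap on one formatted log message (assumed well under the platform's
 * syslog() buffer, which is what keeps that buffer out of play). */
#define LOG_MSG_MAX 512

/* Accept a to/from line only if it fits the cap. Returns 1 if ok, else 0. */
int envelope_line_ok(const char *line, size_t cap)
{
    return strlen(line) <= cap;
}

/* vsnprintf() into a caller-supplied buffer, never past `cap` bytes.
 * Returns 0 on a clean fit, 1 if the message had to be truncated. */
int format_bounded(char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, cap, fmt, ap);
    va_end(ap);
    if (n < 0) {                /* encoding error: log nothing, not garbage */
        out[0] = '\0';
        return 1;
    }
    return (size_t)n >= cap;    /* vsnprintf reports the length it wanted */
}

/* Drop-in for a bare syslog(LOG_INFO, untrusted...) call: the only format
 * string syslog() ever sees is "%s%s". Returns 1 if the message was cut,
 * so a caller can notice an unusually long field. */
int log_bounded(int priority, const char *fmt, ...)
{
    char msg[LOG_MSG_MAX];
    va_list ap;
    int n, truncated;

    va_start(ap, fmt);
    n = vsnprintf(msg, sizeof msg, fmt, ap);
    va_end(ap);
    truncated = (n < 0 || (size_t)n >= sizeof msg);
    if (n < 0)
        msg[0] = '\0';
    syslog(priority, "%s%s", msg, truncated ? " [truncated]" : "");
    return truncated;
}

/* Self-check with a constructed 8 KB "MAIL FROM" line, the size at which the
 * post saw the test program crash. Returns 1 when both defences engage:
 * the line is rejected, and logging it anyway stays inside the buffer. */
int demo_overlong_line(void)
{
    static char line[8192 + 1];     /* constructed sample input */
    char out[64];
    size_t i;

    memcpy(line, "MAIL FROM:<", 11);
    for (i = 11; i < sizeof line - 1; i++)
        line[i] = 'A';
    line[sizeof line - 1] = '\0';

    if (envelope_line_ok(line, ENVELOPE_LINE_MAX))
        return 0;                   /* should have been rejected */
    if (!format_bounded(out, sizeof out, "smap: rejected from=%s", line))
        return 0;                   /* should have reported truncation */
    return strlen(out) == sizeof out - 1;   /* NUL-terminated, in bounds */
}

int main(void)
{
    openlog("smap-demo", LOG_PID, LOG_MAIL);
    printf("overlong line handled safely: %s\n",
           demo_overlong_line() ? "yes" : "no");
    log_bounded(LOG_INFO, "demo message from=%s", "user@example.test");
    closelog();
    return 0;
}
```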
From firewalls-owner Tue Sep 5 06:00:08 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA22196 for firewalls-outgoing; Tue, 5 Sep 1995 05:41:00 -0700 Received: from gateway1.DHL.COM (gateway1.DHL.COM [137.98.208.11]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA22182 for ; Tue, 5 Sep 1995 05:40:56 -0700 Received: from cdgco6.cdg-co.FR.DHL.COM by gateway1.DHL.COM id aa19784; 5 Sep 95 5:39 PDT Received: from cdgco4.cdg-co.fr.DHL.COM by cdgco6.cdg-co.fr.DHL.COM with SMTP (DHLGMS 4.07-DSI) id AA199314697; Tue, 5 Sep 1995 14:38:17 +0200 Received: by cdgco4.cdg-co.fr.DHL.COM (DHLGMS 4.07-DSI) id AA29572; Tue, 5 Sep 1995 14:39:17 +0200 Message-Id: <9509051239.AA29572@cdgco4.cdg-co.fr.DHL.COM> From: Pascal MELCHIOR Date: Tue, 5 Sep 1995 14:39:17 +0200 To: firewalls@greatcircle.com Subject: USING SOCKS Sender: firewalls-owner@GreatCircle.COM Precedence: bulk %UNIPLEX %TO firewalls@greatcircle.com %FROM pmelchio %SYSTEM DHLNET %SUBJECT USING SOCKS %VERIFY y %REGISTERED y %DATE 05/09/95 14:39 %REFERENCE 345634

OBJECT: using SOCKS

We have some PCs with a Netscape client, and we want to use the SOCKS software on a HPUX machine. Is it possible to mask the name of the DNS server to the client PC, if I define this line in the include/socks.h file:

#define SOCKS_DEFAULT_NS "a.b.c.d" ?

The PCs have a resolv.cfg file without the global DNS server; they can resolve only our own machines. See the picture:

    ....                ....                ....
    .  .                .  .                .  .
    ....                ....                ....
    .                   .                   .
    ........................................................
    PC               SOCKS SERVER         DNS SERVER
                                          ip = a.b.c.d

The PC has a SOCKS server configuration. The SOCKS server is compiled with #define SOCKS_DEFAULT_NS "a.b.c.d" in the include/socks.h. Is it possible for the PC to resolve an ip address in this configuration? If it is not, for which kind of configuration is the SOCKS_DEFAULT_NS necessary?
Thanks for your cooperation

-----------------------------------------
| Pascal MELCHIOR                       |
| E-mail: pmelchio@cdg-co.fr.DHL.COM    |
-----------------------------------------
%UEND

From firewalls-owner Tue Sep 5 07:30:36 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA23904 for firewalls-outgoing; Tue, 5 Sep 1995 07:07:21 -0700 Received: from services ([168.166.0.67]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA23897 for ; Tue, 5 Sep 1995 07:07:16 -0700 Received: from services by services (SMI-8.6/SMI-SVR4) id JAA08657; Tue, 5 Sep 1995 09:06:52 -0500 Date: Tue, 5 Sep 1995 09:06:49 -0500 (CDT) From: "Frank K. Senter" X-Sender: fsenter@services To: Paul Ferguson cc: Mike Culver-Support , firewalls@greatcircle.com Subject: Re: Frame-Relay Net Connections In-Reply-To: <9509032216.AA20292@hawksbill.sprintmrn.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I don't think Mike's original question was understood: He wants to build a bastion-host firewall, possibly at his headquarters location. His problem is that he has one frame relay interface at this site, multiple PVCs of which most go to other company sites, and one PVC built to communicate with the public Internet. Because all of these logical circuits are bundled on one physical cable, it's kind of difficult for Mike to plug his bastion host in the middle. The question didn't relate to the security level of frame relay--just how the heck do you plugumitz together.

Mike, I think you are going to have to break down and purchase an additional router interface--perhaps even another router if you want a firewall with two routers and a DMZ between them.

Frank Senter
Senior Information Specialist
Missouri Highway and Transportation Department
P.O.
Box 270 Jefferson City MO 65102

From firewalls-owner Tue Sep 5 07:32:22 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA23894 for firewalls-outgoing; Tue, 5 Sep 1995 07:07:10 -0700 Received: from intex.intex.net (intex.intex.net [204.255.96.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA23886 for ; Tue, 5 Sep 1995 07:07:07 -0700 Received: from dialupb56.intex.net (dialupb56.intex.net [204.255.103.56]) by intex.intex.net (8.6.12/4.1.4) with SMTP id JAA19926; Tue, 5 Sep 1995 09:03:54 -0500 Message-Id: <199509051403.JAA19926@intex.intex.net> X-Sender: lpierce@intex.net X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 05 Sep 1995 09:14:13 -0500 To: "matt (IEZ AG)" <100632.1345@compuserve.com>, firewalls-mailing-list From: lpierce@intex.net (S. Lane Pierce) Subject: Re: firewall with only one IP address ??? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Matt-

Are you sure you only get 1 host address or 1 network address? Usually 1 class c network address is assigned; this will yield 254 host addresses. Your outside router and any host on the DMZ (ones that you want directly accessible from the Internet) must have a "NIC sanctioned" ip. Check with your provider. Good luck.

At 02:17 AM 9/5/95 EDT, matt (IEZ AG) wrote:
>Hi all,
>
>we have one question:
>Our firm now wants to connect to the internet, but we will get only
>one official IP-address. First, we believed this would be no problem
>because we'll use the 10.0.0.0 net as our internal network and we
>will be able to manage the connections over proxies.
>So we hoped a firewall could do two things: protect our private network
>and connect every internal host against the internet.
>But unfortunately, our router just needs our only official
>IP-address, and the firewall can only get a 10.x.y.z address.
>The problem is that the firewall behind the router cannot perform
>the connection between internet and our private net because it isn't
>available directly from the internet, or are we wrong?
>Is there another possibility to install the proxies?
>Ok, we could use a LINUX workstation both as the router and application
>gateway, but we're not very happy with this idea for several reasons.
>First we'll try to ask you, does anyone has any other good idea?

[.sig snipped]

S. Lane Pierce
lpierce@intex.net

From firewalls-owner Tue Sep 5 07:48:07 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA24224 for firewalls-outgoing; Tue, 5 Sep 1995 07:17:06 -0700 Received: from ncelec.com ([199.238.59.23]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA24217 for ; Tue, 5 Sep 1995 07:17:02 -0700 Received: from mike_pc by ncelec.com (5.4R3.10/200.2.1.5) id AA17254; Tue, 5 Sep 1995 07:12:46 -0700 Date: Tue, 5 Sep 1995 07:12:46 -0700 Message-Id: <9509051412.AA17254@ncelec.com> X-Sender: mculver@ncelec.com X-Mailer: Windows Eudora Version 2.1.1 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: "Frank K. Senter" From: Mike Culver Subject: Re: Frame-Relay Net Connections Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 09:06 AM 9/5/95 -0500, you wrote:
>I don't think Mike's original question was understood: He wants to build
>a bastion-host firewall, possibly at his headquarters location. His
>problem is that he has one frame relay interface at this site, multiple
>PVCs of which most go to other company sites, and one PVC built to
>communicate with the public Internet. Because all of these logical
>circuits are bundled on one physical cable, its kind of difficult for
>Mike to plug his bastion host in the middle. The question didn't relate
>to the security level of frame relay--just how the heck do you plugumitz
>together.
>
>Mike, I think you are going to have to break down and purchase an
>additional router interface--perhaps even another router if you want a
>firewall with two routers and a DMZ between them.

Thanks for clarifying the situation. Ain't always that easy. In this instance, one reason (though by far not the main reason) I don't want to purchase a separate line is that the local telco (US West) has been running FIVE MONTHS lead time on new circuits!

From firewalls-owner Tue Sep 5 08:30:28 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA26734 for firewalls-outgoing; Tue, 5 Sep 1995 08:24:38 -0700 Received: from rugrat.glyphic.com (ns.glyphic.com [205.164.126.161]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA26727 for ; Tue, 5 Sep 1995 08:24:35 -0700 Received: from [205.164.126.163] by rugrat.glyphic.com with smtp (Smail3.1.28.1 #1) id m0spzpm-000Gv8C; Tue, 5 Sep 95 08:22 PDT X-Sender: markl@rugrat.glyphic.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 5 Sep 1995 08:24:47 -0700 To: "matt (IEZ AG)" <100632.1345@compuserve.com> From: markl@glyphic.com (Mark Lentczner) Subject: Re: firewall with only one IP address ??? Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>Ok, we could use a LINUX workstation both as the router and application
>gateway, but we're not very happy with this idea for several reasons.

I used to run our net this way:

    *=====+===(Ethernet)===+=====*
          |                |
    Workstation(s)       Linux ------(ppp)------ Big Bad Internet
          |                                            |
    Workstation(s)                      -----(ppp)-----+

It worked fine. I had one (and only one) valid IP address. Everything on the Ethernet used "net 10". In this config, there is no need for a router, as there is NO routing. Note that the Linux box is not routing at all: All packets to/from the Internet must leave/arrive from processes on the Linux box.
Linux is especially nice for this application because of the Masquerade patch option, which is sort of a kernel level application gateway: You can have Linux automatically renumber and forward packets to/from the internal network from/to the internet. The Internet machines think they are talking to the Linux box, but they are really connecting to the internal machines. This only works for connections established from the internal network - which is typically what you want: Your users can WWW out, but no one can WWW (or Telnet, FTP, etc...) in.

I ran normal application gateway apps on Linux for a number of services as well.

- Mark

-------------------
Mark Lentczner
Glyphic Technology
1209 Villa Street
Mtn. View, CA 94041
415/964-5311
markl@glyphic.com
http://www.glyphic.com/

From firewalls-owner Tue Sep 5 09:00:21 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA27959 for firewalls-outgoing; Tue, 5 Sep 1995 08:54:48 -0700 Received: from internet.milkyway.com (milkyway.com [198.53.167.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA27952 for ; Tue, 5 Sep 1995 08:54:29 -0700 Received: from metis.milkyway.com (mcr@metis.milkyway.com [192.168.77.21]) by jupiter.milkyway.com (8.6.12/8.6.12) with ESMTP id LAA22986 for ; Tue, 5 Sep 1995 11:48:46 -0400 Received: by metis.milkyway.com (8.6.9/BSDI-Client) id LAA18424; Tue, 5 Sep 1995 11:56:08 -0400 To: firewalls@greatcircle.com Path: not-for-mail From: mcr@milkyway.com (Michael Richardson) Newsgroups: milkyway.mail.firewalls Subject: Re: DNS forwarding problem Date: 5 Sep 1995 11:56:06 -0400 Organization: Milkyway Networks Corporation, Ottawa, ON Lines: 35 Distribution: milkyway Message-ID: <42hrum$hvl@metis.milkyway.com> References: <199509031937.VAA29975@gsv.gu.se> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In article <199509031937.VAA29975@gsv.gu.se>, Harald Astrand wrote:
>The internal root servers are set up with a named.boot file:
>
>primary .
db.root
>forwarders x.x.x.x
>
>The x.x.x.x host is the firewall machine on a separate C-net.
>
>On the firewall I have a regular (non-root) name-server.
>When I try to reach out-side host with nslookup from the internal root I get
>the following error-message:
>
>can't find x.y.z: Non-existant domain.
>
>I guess this is because the internal root thinks itself as authoritative of

Do not make it authoritative for the root. forwarders should get it access to the root name servers, so no problem.

Where you get into trouble is when you have extended (multiple layers of delegation) DNS servers. I looked into making "sortlist" sort the forwarders line as well (so that DNS servers that are "internal" get preference before ones that are external). I have not done this yet.

--
:!mcr!:            | Milkyway Networks Corporation
Michael Richardson | Makers of the Black Hole firewall
NCF: aa714 || xx714 | +1 613 566-4574 ... mcr@milkyway.com
Home: mcr@sandelman.ocunix.on.ca. PGP key available.

From firewalls-owner Tue Sep 5 09:34:42 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA28571 for firewalls-outgoing; Tue, 5 Sep 1995 09:21:05 -0700 Received: from wasp.eng.ufl.edu (wasp.eng.ufl.edu [128.227.116.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA28564 for ; Tue, 5 Sep 1995 09:21:02 -0700 Received: from localhost by wasp.eng.ufl.edu (8.6.9/4.2) id MAA28686; Tue, 5 Sep 1995 12:19:30 -0400 Message-Id: <199509051619.MAA28686@wasp.eng.ufl.edu> To: Firewalls@GreatCircle.COM Subject: S/key "key" program for MacIntosh? Date: Tue, 05 Sep 1995 12:19:29 -0400 From: Andy Wilcox Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Subject line says it all. I've checked the s/key archive on ftp.bellcore.com but they've got source and PC binaries - no Mac.
I'd appreciate any pointers, thanks,

Andy

From firewalls-owner Tue Sep 5 10:00:47 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA29818 for firewalls-outgoing; Tue, 5 Sep 1995 09:57:04 -0700 Received: from bwh.harvard.edu (bwh.harvard.edu [134.174.81.34]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA29811 for ; Tue, 5 Sep 1995 09:57:00 -0700 Received: from joplin.bwh.harvard.edu (joplin.bwh.harvard.edu [134.174.81.45]) by bwh.harvard.edu (8.6.9/8.6.9) with ESMTP id MAA19389; Tue, 5 Sep 1995 12:53:32 -0400 From: Adam Shostack X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School Received: by joplin.bwh.harvard.edu (8.6.9) id MAA13875; Tue, 5 Sep 1995 12:47:36 -0400 Message-Id: <199509051647.MAA13875@joplin.bwh.harvard.edu> Subject: Re: HannaH from SecureWare Inc. To: mwr@sware.com (Mark W. Reardon) Date: Tue, 5 Sep 1995 12:47:36 -0400 (EDT) Cc: firewalls-digest@GreatCircle.COM In-Reply-To: <9509012251.AA05261@neptune.sware.com> from "Mark W. Reardon" at Sep 1, 95 06:51:02 pm X-PGP: 0xE794DA91 FD3C3450FEB4A0B8 18F2E72CA82D29B8 X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 828 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Mark Reardon wrote:
| Logging out:
| On all systems, key material is protected within a special Cryptographic
| Subsystem and is not accessible to an application. It is deactivated
| (or destroyed) when the user logs out. Perhaps a point release should
| include a screen saver option that automatically deactivates the key
| material after an appropriate interval of inactivity. Of course, the
| ultimate level of protection provided the key material depends upon the
| overall security of the underlying platform. That is why Hannah is
| offered on platforms including military grade B-level operating systems.

That's very interesting.
How do you protect memory on a PC running Windows?

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Tue Sep 5 11:02:23 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA01659 for firewalls-outgoing; Tue, 5 Sep 1995 11:01:16 -0700 Received: from gatekeeper.b400.cbe.ab.ca (GateKeeper.B400.CBE.AB.CA [164.166.2.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA01650 for ; Tue, 5 Sep 1995 11:01:11 -0700 Received: (from smap@localhost) by gatekeeper.b400.cbe.ab.ca (8.6.11/8.6.9) id LAA29730 for ; Tue, 5 Sep 1995 11:55:38 -0600 Received: from iss100.b400.cbe.ab.ca(164.166.4.1) by gatekeeper.b400.cbe.ab.ca via smap (V1.3) id sma029725; Tue Sep 5 11:55:20 1995 Received: from net02 (Net02.B400.CBE.AB.CA) by CBE.AB.CA (PMDF V4.3-13 #5915) id <01HUWZX3C4Q88ZH5L3@CBE.AB.CA>; Tue, 05 Sep 1995 12:01:22 -0700 (MST) Date: Tue, 05 Sep 1995 11:58:39 -0600 From: netmgr02@cbe.ab.ca (Glen Larwill) Subject: Talk Proxy??? X-Sender: netmgr02@iss100.b400.cbe.ab.ca To: firewalls@greatcircle.com Message-id: <01HUWZX3D7B68ZH5L3@CBE.AB.CA> X-Envelope-to: firewalls@greatcircle.com MIME-version: 1.0 X-Mailer: Content-type: text/plain; charset="us-ascii" Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Has anyone created a Talk proxy that works with the TIS FWTK? We have a large number of users that are complaining because our firewalls cannot handle Talk.

Any help would be greatly appreciated.
Glen Larwill - glarwill@cbe.ab.ca
PH (403) 294-8380, FAX (403) 294-8431
Network Programmer Analyst
Calgary Board of Education
Calgary Alberta, Canada

From firewalls-owner Tue Sep 5 11:31:15 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA02630 for firewalls-outgoing; Tue, 5 Sep 1995 11:22:53 -0700 Received: from clark.net (clark.net [168.143.0.7]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA02622 for ; Tue, 5 Sep 1995 11:22:50 -0700 Received: (hcb@localhost) by clark.net (8.6.12/8.6.5) id OAA18306; Tue, 5 Sep 1995 14:21:17 -0400 From: Howard Berkowitz Message-Id: <199509051821.OAA18306@clark.net> Subject: Re: Talk Proxy??? To: netmgr02@cbe.ab.ca (Glen Larwill) Date: Tue, 5 Sep 1995 14:21:16 -0400 (EDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <01HUWZX3D7B68ZH5L3@CBE.AB.CA> from "Glen Larwill" at Sep 5, 95 11:58:39 am X-Mailer: ELM [version 2.4 PL24alpha3] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Content-Length: 534 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>
> Has anyone created a Talk proxy that works with the TIS FWTK? We have a
> large number of users that are complaining because our firewalls cannot
> handle Talk.
> Any help would be greatly appreciated.

On a closely related topic of proxies (admittedly for compatibility rather than security), is anyone aware of a proxy between a conventional telnet application such as talk, and the TDD protocol for hearing-impaired users? Even better, a server for such? Has anyone implemented TDD directly as a firewall service?
Howard

From firewalls-owner Tue Sep 5 11:32:23 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA02506 for firewalls-outgoing; Tue, 5 Sep 1995 11:20:22 -0700 Received: from posaune.tamu.edu (POSAUNE.TAMU.EDU [128.194.177.4]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA10072 for ; Mon, 4 Sep 1995 13:59:17 -0700 From: dhess@net.tamu.edu Received: by posaune.tamu.edu (NX5.67e/NX3.0M) id AA09157; Mon, 4 Sep 95 15:57:45 -0500 Message-Id: <9509042057.AA09157@posaune.tamu.edu> Content-Type: text/plain Mime-Version: 1.0 (NeXT Mail 3.3 v118.2) Received: by NeXT.Mailer (1.118.2) Date: Mon, 4 Sep 95 15:57:43 -0500 To: academic-firewalls@net.tamu.edu, firewalls@greatcircle.com Subject: New mailing list for Drawbridge users Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Due to requests for one, I've set up a new mailing list for Drawbridge users. To subscribe send a note to majordomo@net.tamu.edu and put

    subscribe drawbridge

in the body of the message. The address for the list is drawbridge@net.tamu.edu. Note that this used to be the alias for contacting the authors. To contact the authors now, use drawbridge-owner@net.tamu.edu.

Here is the welcome file for the list:

----------------
Welcome to the drawbridge mailing list....

What is Drawbridge?

Drawbridge is a copyrighted but freely distributable bridging IP filter with a powerful syntax and good performance. It uses a PC with either two Ethernet cards or two FDDI cards to perform the filtering. It is composed of three different tools: Filter, Filter Compiler and Filter Manager. The latest distribution is version 2.0 which is a major overhaul of Filter.

This list is for the users of the TAMU Drawbridge security package and is intended for the discussion of any issues relating to Drawbridge. This list will also be the first place that any announcements and bug reports concerning Drawbridge will appear.
Messages intended for the list should be addressed to drawbridge@net.tamu.edu. Subscription updates should be addressed to the Majordomo list manager at majordomo@net.tamu.edu. If you need assistance, send a message to drawbridge-owner@net.tamu.edu
----------------

Dave

---
David K. Hess                                   Network Analyst
David-K-Hess@tamu.edu     Computing and Information Services - Network Group
(409) 845-0372 (work)                           Texas A&M University

From firewalls-owner Tue Sep 5 12:04:21 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA03043 for firewalls-outgoing; Tue, 5 Sep 1995 11:38:00 -0700 Received: from [198.102.244.42] (pb520.greatcircle.com [198.102.244.42]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA03035; Tue, 5 Sep 1995 11:37:56 -0700 X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 5 Sep 1995 11:37:05 -0800 To: netmgr02@cbe.ab.ca (Glen Larwill), firewalls@greatcircle.com From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: Talk Proxy??? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 11:58 AM 9/5/95, Glen Larwill wrote:
>Has anyone created a Talk proxy that works with the TIS FWTK? We have a
>large number of users that are complaining because our firewalls cannot
>handle Talk.

Don't hold your breath. Talk is an annoyingly convoluted mess of a protocol. Before you're done, you've had to both send and receive arbitrary UDP packets through your firewall, all to negotiate (for an outgoing talk session) an incoming TCP connection from a random external port number to a random internal port number.

There are 6 parties involved in establishing a talk session: two users, two servers, and two clients. For the purpose of this illustration, we'll call these the "local" and "remote" user/server/client, and abbreviate them LU/LS/LC/RU/RS/RC. We'll assume that the local user is the one initiating the 'talk' request.
Here are the steps you go through:

1) Local User (LU) initiates talk program, tells it what remote user they want to talk to.
2) Local Client (LC) contacts Remote Server (RS) using UDP to page Remote User (RU)
3) While waiting for RU to respond, LC contacts Local Server (LS) using UDP to tell it to expect the incoming call from the Remote Client (RC), and to tell it what port number LC is expecting the incoming TCP connection on.
4) Meanwhile, back at the ranch, RU starts RC.
5) RC contacts LS using UDP, and learns what TCP port LC is listening for incoming TCP connection on.
6) Finally, RC opens a TCP connection to LC, and users begin talking.

Note what you have going across your firewall here:

A) UDP packets from >1024 on local to 517/518 (oh, yeah, did I forget to mention that there are two different incompatible versions of talk?) on remote, and back.
B) UDP packets from >1024 on remote to 517/518 on local, and back.
C) TCP from >1024 on remote to >1024 on local.

The protocol probably _could_ be proxied, but it would be difficult, and I don't think anyone's done it yet.

From a protocol/port standpoint, IRC is simpler; it simply involves a single TCP connection from client to server, at least until you start using Direct Client Connection (DCC) mode. However, IRC has had a number of problems with poorly designed and unsafe clients and servers. I might contemplate running a strictly-internal IRC client/server net, but running an IRC client talking to external servers, or running an IRC server that external clients or servers could talk to, would make me very nervous.
-Brent

--
Brent Chapman         | Great Circle Associates   | For Firewalls Tutorial info:
Brent@GreatCircle.COM | 1057 West Dana Street     | Tutorial-Info@GreatCircle.COM
+1 415 962 0841       | Mountain View, CA 94041   | http://www.greatcircle.com

From firewalls-owner Tue Sep 5 12:05:01 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA02664 for firewalls-outgoing; Tue, 5 Sep 1995 11:23:17 -0700 Received: from longtail.ibl.bm (longtail.ibl.bm [199.172.192.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA02632 for ; Tue, 5 Sep 1995 11:23:09 -0700 Received: from [199.172.252.28] (dial28.ibl.bm [199.172.252.28]) by longtail.ibl.bm (8.6.11/8.6.11) with SMTP id PAA00461 for ; Tue, 5 Sep 1995 15:27:26 -0300 Date: Tue, 5 Sep 1995 15:27:26 -0300 X-Sender: TELECOMS@mail.ibl.bm Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM From: TELECOMS@ibl.bm (TELECOMS) Subject: Firewall-1 - Is it as good as it appears to be? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I have just completed some preliminary testing of Firewall-1 product, version 1.2, by Checkpoint Technologies, and I was impressed overall with the entire product. I accessed the following areas, and here are my comments.

1) User Friendliness - I found that one of the good things about this product was its ease of use, whether defining your security rules or defining your network environment.

2) Security/User Authentication - This was definitely one of its strong points. I am particularly interested in comments with its interface with the SecurID access card. I basically found that once your security rules were defined, Firewall-1 did exactly what it was supposed to do.

3) Central Administration - Even though I did not have the opportunity to test the administration of multiple firewalls, I am interested in any feedback other users have regarding this matter.
4) Reporting/Alerting/Auditing - This is an area I had high regard for. I found the online log viewer especially powerful and flexible, the online alerting mechanism a handy but important tool, and the auditing mechanism thorough. Even though there were no standard reports already produced, it was easy enough to customise exactly the information you needed.

5) Bugs/Loopholes/Inconsistencies - To date I have not been aware of any problems with this version.

6) Performance - I would also welcome any comments regarding this issue using Solaris 2.4.

Please forward any comments other users may have with Firewall-1 in the aforementioned areas and maybe any other issues you may feel would be helpful knowing about this product.

Thanking you in advance

Dwayne

From firewalls-owner Tue Sep 5 12:35:02 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA03892 for firewalls-outgoing; Tue, 5 Sep 1995 12:01:20 -0700 Received: from galileo.tracor.com (galileo.tracor.com [131.189.101.200]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA03884 for ; Tue, 5 Sep 1995 12:01:13 -0700 Received: from brazos.sdd.tracor.com by galileo.tracor.com (8.6.5/1.34) id NAA01741; Tue, 5 Sep 1995 13:59:36 -0500 Received: (from plupa@localhost) by brazos.sdd.tracor.com (8.6.12/8.6.12) id NAA09193 for Firewalls@GreatCircle.COM; Tue, 5 Sep 1995 13:59:32 -0500 Date: Tue, 5 Sep 1995 13:59:32 -0500 From: Paul Lupa X4184 Message-Id: <199509051859.NAA09193@brazos.sdd.tracor.com> To: Firewalls@GreatCircle.COM Subject: FTP Proxy not working with Netscape X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I have installed the TIS firewall kit but I now have a problem with Proxies on Netscape. The HTTP proxy works fine, I can manually get thru the telnet and ftp proxy, but netscape does not get thru. The logs from the proxy show activity, but the logs do not show a denial.

Help would be appreciated. I will summarize.
Paul Lupa
------------------
Tracor Applied Sciences      Internet: Paul_Lupa@tracor.com
6500 Tracor Ln MS 27-17      Voice: (512) 929-4184
Austin, Texas 78725          FAX: (512) 929-4163

----- End Included Message -----

From firewalls-owner Tue Sep 5 13:30:34 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA07377 for firewalls-outgoing; Tue, 5 Sep 1995 13:09:15 -0700 Received: from gatekeeper.ddp.state.me.us (gatekeeper.ddp.state.me.us [141.114.130.70]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA07370 for ; Tue, 5 Sep 1995 13:09:12 -0700 Received: from localhost by gatekeeper.ddp.state.me.us (8.6.5/1.37) id PAA00775; Tue, 5 Sep 1995 15:59:24 -0400 Date: Tue, 5 Sep 1995 15:59:23 -0400 (EDT) From: David Miller Subject: Re: FTP Proxy not working with Netscape To: Paul Lupa X4184 cc: Firewalls@GreatCircle.COM In-Reply-To: <199509051859.NAA09193@brazos.sdd.tracor.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Tue, 5 Sep 1995, Paul Lupa X4184 wrote:

I think this should be a FAQ. AND it should be on fwtk-users, not firewalls.

> I have installed the TIS firewall kit but I now have a problem with Proxies on
> Netscape. The HTTP proxy works fine, I can manually get thru the
> telnet and ftp proxy, but netscape does not get thru. The logs from
> the proxy show activity, but the logs do not show a denial.
>
> Help would be appreciated. I will summarize.

The most common problem is expecting netscape to use ftp-gw. It doesn't. Point the proxy to the httpd-gw and you'll be cooking with gas:)

---
David
----------------------------------------------------------------------------
It's *amazing* what one can accomplish when one doesn't know what one can't do!
From firewalls-owner Tue Sep 5 13:32:25 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA07807 for firewalls-outgoing; Tue, 5 Sep 1995 13:26:37 -0700 Received: from gatepas.gc.ca (gatepas.gc.ca [192.197.79.133]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA07800 for ; Tue, 5 Sep 1995 13:26:34 -0700 Reply-To: Peter.BEAN@ldn01.x400.gc.ca Date: Tue, 05 Sep 1995 20:00:06 +0000 Priority: normal Content-Identifier: OLIVETTI-MAIL3.0 X400-Content-Type: P2-1984 X400-MTS-Identifier: [/PRMD=gc+eaitc.aecec/ADMD=telecom.canada/C=ca/;938:950905200006] From: Peter.BEAN@ldn01.x400.gc.ca (BEAN Peter -LDN -AG -LES) To: Firewalls@GreatCircle.COM Subject: Firewalls-Digest V4 #514 Message-Id: <938*/G=Peter/S=BEAN/O=ldn.01/PRMD=gc+eaitc.aecec/ADMD=telecom.canada/C=ca/@MHS> Importance: normal In-Reply-To: <199509051449.HAA24879*/DD.RFC-822=miles.greatcircle.com/PRMD=gc+internet/ADMD=GOVMT.CANADA/C=CA/@MHS> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am away from the office until Monday, 18 September 1995 From firewalls-owner Tue Sep 5 15:02:23 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA10932 for firewalls-outgoing; Tue, 5 Sep 1995 14:59:46 -0700 Received: from UnixServer.doulosgeri.com (UnixServer.doulosgeri.com [199.72.163.25]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA10925 for ; Tue, 5 Sep 1995 14:59:40 -0700 Received: from ralph by UnixServer.doulosgeri.com with SMTP (8.6.12/25-eef) id RAA01223; Tue, 5 Sep 1995 17:57:43 GMT Message-Id: <199509051757.RAA01223@UnixServer.doulosgeri.com> Comments: Authenticated sender is From: "Marius" Organization: Doulos Productions To: Karl Strickland Date: Tue, 5 Sep 1995 17:56:28 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: linux vs. 
*bsd for secure networking system Reply-to: Marius@doulosgeri.com CC: firewalls@greatcircle.com Priority: normal X-mailer: Pegasus Mail for Windows (v2.01) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Ahh, but in defense of Linux, the distribution isn't really all that important. If you get a Linux distribution, you should only consider it as the base that you work around. The kernel itself is the same, and you can get any file from any distribution off of some of the many Linux related FTP sites. You can also get files that aren't distributed, or that are just written, off of FTP sites. Centralization is nice, but with Linux, one of the main advantages is that it isn't centralized. If you look in the right places, which are easy to find if you talk to others in Linux mailing lists or newsgroups, you can get stuff to do practically anything you could imagine. It also has a nice set of HOWTO's and FAQ's that are easily accessible off of the web, and most CD-ROM distributions (if you go that route) contain the HOWTO's and FAQ's.

Linux has its strong and weak points, just like everything else does, but I just wanted to say a few words in its defense...

> From: Karl Strickland
> Subject: Re: linux vs. *bsd for secure networking system
> To: Paul McMahan
> Date: Sat, 2 Sep 1995 02:30:38 +0100 (BST)
> Cc: firewalls@greatcircle.com
>
> Hello,
>
> > I know that the linux vs. (free|net)bsd question is the subject of
> > ongoing debates outside the realm of firewalls, but I'm interested
> > specifically in the security aspects of these operating systems.
>
> Remember, if you go for Linux, you have to decide *which* linux to go for -
> there are at least 7 different distributions - some of which are very
> different. And then, when a hole is discovered, you have to find patches
> that work with your obscure distribution & version.
> > FreeBSD has controlled releases, and is developed in a controlled, structured > manner; all security-related changes to the system must undergo peer review > before a commit is made. > > This alone would put FreeBSD higher up my list. > -- > ------------------------------------------+----------------------------------- > Mailed using ELM on FreeBSD | Karl Strickland > PGP 2.3a Public Key Available. | Internet: karl@bagpuss.demon.co.uk > | > > Marius@doulosgeri.com No opinions expressed by the author are shared by Doulos Productions, The Third Wave, or any affiliated parties. The author doesn't see why not... Finger root@doulosgeri.com for PGP public key. From firewalls-owner Tue Sep 5 16:02:23 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA11581 for firewalls-outgoing; Tue, 5 Sep 1995 15:41:16 -0700 Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA11574 for ; Tue, 5 Sep 1995 15:41:10 -0700 Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id IAA23382; Wed, 6 Sep 1995 08:35:08 +1000 Received: from citecub.citec.qld.gov.au(131.242.4.98) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma023314; Wed Sep 6 08:34:56 1995 Received: by citecub.citec.qld.gov.au (5.0/SMI-SVR4) id AA12780; Wed, 6 Sep 1995 08:40:17 +1000 From: sgcccdc@citec.qld.gov.au (Colin Campbell) Message-Id: <9509052240.AA12780@citecub.citec.qld.gov.au> Subject: Re: FTP Proxy not working with Netscape To: plupa@sparky.sdd.tracor.com (Paul Lupa X4184) Date: Wed, 6 Sep 95 8:40:15 EST Cc: firewalls@greatcircle.com In-Reply-To: <199509051859.NAA09193@brazos.sdd.tracor.com>; from "Paul Lupa X4184" at Sep 5, 95 1:59 pm X-Mailer: ELM [version 2.3 PL11] content-length: 1270 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, You have probably configured the proxies in netscape the same way I did when I first started 
playing. You have configured the proxies to point to the ftp-gw, haven't you? It does not work. The Netscape config must point the FTP to the http-gw, not the ftp-gw. Thus your Netscape proxy config should look like this: FTP Proxy: bastion 80 Gopher Proxy: bastion 70 ** HTTP Proxy: bastion 80 ** I have the http-proxy listening on port 70 for gopher and port 80 for http. As far as I know Netscape does not support telnet via proxies - the PC version just kicks off whatever telnet application is available under windows. Then you just telnet to the bastion as you normally would. Colin > I have installed the TIS firewall kit but I now have a problem with Proxies on > Netscape. The HTTP proxy works fine, I can manually get thru the > telnet and ftp proxy, but netscape does not get thru. The logs from > the proxy show activity, but the logs do not show a denial. > > Help would be appreciated. I will summarize. > > Paul Lupa > ------------------ > Tracor Applied Sciences Internet: Paul_Lupa@tracor.com > 6500 Tracor Ln MS 27-17 Voice: (512) 929-4184 > Austin, Texas 78725 FAX: (512) 929-4163 > From firewalls-owner Tue Sep 5 16:30:00 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA12361 for firewalls-outgoing; Tue, 5 Sep 1995 16:22:31 -0700 Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA12352 for ; Tue, 5 Sep 1995 16:22:28 -0700 Received: from maestro.Maestro.COM by relay4.UU.NET with SMTP id QQzfyb14882; Tue, 5 Sep 1995 19:21:07 -0400 Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA15350; Tue, 5 Sep 95 19:13:32 EDT Date: Tue, 5 Sep 1995 19:13:31 -0400 (EDT) From: Sick Puppy Subject: Re: Nasty hackerz having busy weekend *** False alarm To: firewalls@GreatCircle.com In-Reply-To: <9509052003.AA25868@dns-primary.montgomery.com.> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM 
Precedence: bulk Now you all may recall that ever since Bellcore gave me a lick in the head with a two by four because I was chasing their chickens, I have not been in full possession of my faculties. Most recently I told you all that there was a fox in the chicken coop at UUnet and it turns out there was nothing of the kind. I apologize to UUnet for saying there was nasty hackerz in their system. I trusted a stupid firewall that was completely wrong. What was really happening is that a VERY fast firewall was connecting to their name server and then timing out before it received a response from the UUnet name server. This happens to be the same firewall machine that one firewall expert said had been attacked by aliens. Anyway, the name server responded to the firewall at normal speed, but slower than the VERY fast firewall expected, and the firewall squawked that it had been hacked. The vendor concerned has a later software release that does not have this problem. To be fair to UUnet, they really provide superior service compared to one of the other Internet service providers that I previously had the misfortune to deal with, and UUnet responded to and diagnosed this incident very quickly. You see what I got for trusting a stupid firewall? If I had put a Network General Notebook Sniffer on the Internet connection, it would have shown me in 10 to 15 minutes that the VERY fast firewall was seeing the normal name server as a slow server. In Dawg and Sniffers we trust, all others pay cash. (Dawg is Gwad spelled backwards). Cowboy Jeff, who also had a hand in this fiasco, is going to feel my fangs in his eminent posterior. And to end on a lighter note, those of you who are into scatalogical jokes should play with the word Starship in the tag lines. The rest of you had better not bother. 
Sick Puppy, the Cat_Eating_Dawg Photonic & Tachyonic Systems Engineer of the Stealth Starship Dark Matter -=:( Chained, whipped, beaten and severely abused in Katherine's Dungeon ):=- -=:( How could anything that feels so good be so wrong ):=- From firewalls-owner Tue Sep 5 16:32:23 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA12259 for firewalls-outgoing; Tue, 5 Sep 1995 16:13:06 -0700 Received: from ford.gbnet.org (ford.gbnet.org [192.188.96.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA12246 for ; Tue, 5 Sep 1995 16:12:55 -0700 Received: (from steve@localhost) by ford.gbnet.org (8.7.Beta.10/8.6.12) id AAA16554 for firewalls@greatcircle.com; Wed, 6 Sep 1995 00:11:20 +0100 (BST) From: Steve Kennedy Message-Id: <199509052311.AAA16554@ford.gbnet.org> Subject: Re: Use of Remote Authentication: tacacs/radius/etc... (fwd) To: firewalls@greatcircle.com Date: Wed, 6 Sep 1995 00:11:19 +0100 (BST) X-Mailer: ELM [version 2.4 PL24alpha3] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Here are details of the Livingston/Merit/Ascend RADIUS problems ... According to Jim Segrave (jes@demon.net) > According to William Bulley > > Merit is a large ISP (serving the State of Michigan with thousands if not > > millions of dial-up users) and we use the Merit version of RADIUS heavily. > > I would be very interested in understanding this "serious bug in the socket > > handling code" in the Merit version of RADIUS. Thank you! > > Regards, > > web... [stuff deleted] > We weren't using the Merit code, we were using code taken from > Ascend's modifications to the Livingstone reference > implementations. However, I have pulled down a copy of the Merit code > and the same problem is there as well. 
> There are two issues here, one flawed, the other fatally wrong, and they brought our system to a complete halt at 18:00 when several hundred users attempted to log in within a 10 minute period (BT in the UK drops the call charges significantly on weekday nights at 6PM, so many of our users, who have home accounts, wait for the drop in charges).
>
> The Ascend/Livingston code spawns a process per Radius request. The parent process notes the child pid and, when the child completes, the SIGCHLD is caught and used to mark the request as completed. After a short timeout, the request is deleted from memory. If the child fails to complete in a reasonable period of time (default is 30 seconds), the parent sends a kill to the child and deletes the request. The server limits itself to a certain number of child processes - 100 in this case.
>
> If the parent fails to catch the SIGCHLD, one of these 100 slots for processing is gone for the next 30 seconds. The signal handlers in the Ascend, Livingston and Merit implementations use signal(), not one of the most reliable methods - cf. 'Advanced Programming in the Unix Environment' by W. Richard Stevens, chapter 10 for details. This alone can cause SIGCHLDs to be lost and starve the server of process slots for incoming requests.
>
> The above is merely an annoyance however.
>
> More serious problems occur if you look at the SIGCHLD handler. First off, it traverses and alters the global_acct_q and the global_request_q, even though the signal may have interrupted code which is traversing and altering the same queue.
>
> Even worse than that, on line 1618 of the source I got from merit.edu, I find a call to free(). That's exciting to say the least - I'm not aware of any requirement that free and malloc be interruptible and re-entrant. The results of this one are usually fatal.
>
> The fix I made with the Ascend code was to move the entire body of the SIGCHLD handler out of the signal handler and into the main event loop. SIGCHLD now is a simple minded handler:
>
>     /* the handler sets this flag and does nothing else */
>     volatile sig_atomic_t dead_child = 0;
>
>     void sigchild (int sig)
>     {
>         dead_child = 1;
>     }
>
> and in the main loop:
>
>     while (1)
>     {
>         /* set up fd_set and select on socket(s) */
>
>         if ((res = select (...)) < 0 && errno != EINTR)
>         {
>             syslog (...);
>         }
>
>         /* check the flag on every pass, not only when select was interrupted */
>         if (dead_child)
>             do_sigchild ();
>
>         if (res < 0)
>             continue;
>
>         /* rest of main loop */
>     }
>
>     void
>     do_sigchild (void)
>     {
>         sigset_t set, oldset;
>
>         sigemptyset (&set);
>         sigaddset (&set, SIGCHLD);
>         if (sigprocmask (SIG_BLOCK, &set, &oldset) < 0)
>         {
>             syslog (...);
>         }
>
>         /* do the child death stuff here, with SIGCHLD blocked */
>
>         dead_child = 0;
>         /* restore the previous mask (a second SIG_BLOCK would leave SIGCHLD masked) */
>         if (sigprocmask (SIG_SETMASK, &oldset, NULL) < 0)
>         {
>             syslog (...);
>         }
>     }
>
> After which, using a single server with a large collection of small flat files representing our customer base of 40000 hosts, I ran 50 processes, each sending an authentication request for a randomly chosen user, delaying one second and doing it again. Over the course of an 8 hour run a single Sparcstation 10 handled 500.000 such requests at an average of 18 requests/second without a single error - there were some deliberate non-users thrown in as well.
>
> The original Ascend code died repeatedly in the face of less than 100 requests at this rate. At lower rates, it seemed to survive, but I was logging a lot of requests dropped because all 100 process slots were still in use, and a lot of kills being sent to non-existent processes. Sooner or later, it almost invariably dumped core, presumably when a malloc or free was interrupted by a SIGCHLD.

Please note this came from Jim Segrave, who has been developing the RADIUS code at Demon Internet Ltd, NOT myself. I am just posting this FYI so hopefully others won't be caught by this.
Regards Steve Kennedy -- home steve@gbnet.org * Flat 2, 43 Howitt Road, Belsize Pk, London NW3 4LU work steve@demon.net * tel +44-(0)171 483 1169 FAX +44-(0)181 444 6103 www http://www.gbnet.net/ * GSM mobile +44-(0)802 444 500 bits steve@gbnet.net * GSM data @2400 0802-449500 @9600 449501 fax 449502 Euro firewall info - send mail to majordomo@gbnet.net (subscribe firewalls-uk) From firewalls-owner Tue Sep 5 20:00:15 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA16070 for firewalls-outgoing; Tue, 5 Sep 1995 19:47:40 -0700 Received: from awadi.com.AU (myall.awadi.com.AU [150.207.2.65]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id TAA16063 for ; Tue, 5 Sep 1995 19:47:26 -0700 Received: from bunya.awadi ([150.207.1.63]) by awadi.com.AU (4.1/SMI-4.1) id AA07700; Wed, 6 Sep 95 12:13:40 CST Received: from mallee.awadi by bunya.awadi (5.x/SMI-SVR4) id AA17739; Wed, 6 Sep 1995 12:06:36 +0930 From: blymn@awadi.com.AU (Brett Lymn) Message-Id: <9509060236.AA17739@bunya.awadi> Subject: Re: linux vs. *bsd for secure networking system To: Marius@doulosgeri.com Date: Wed, 6 Sep 1995 12:06:36 +0930 (CST) Cc: firewalls@greatcircle.com In-Reply-To: <199509051757.RAA01223@UnixServer.doulosgeri.com> from "Marius" at Sep 5, 95 05:56:28 pm X-Mailer: ELM [version 2.4 PL2] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to Marius: > >weak points, just like everything else does, but I just wanted to say >a few words in its defense... > A very reasonable response! And to redress Karl's omission - you can also go the path of NetBSD which, unlike FreeBSD, has ports to a whole gaggle of different machines - not just PC's. The ports that are running are listed on the WWW page at www.netbsd.org, ones I can remember are Mac, Suns, Amiga, some HP boxen - there are others. 
-- Brett Lymn, Computer Systems Administrator, AWA Defence Industries =============================================================================== "It's fifteen hundred miles to Ankh-Morpork" he said. "We've got three hundred and sixty three elephants, fifty carts of forage, the monsoon's about to break and we're wearing ... we're wearing ... sort of things, like glass, only dark... dark glass things on our eyes..." - Terry Pratchett "Moving Pictures". From firewalls-owner Wed Sep 6 00:00:12 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA19347 for firewalls-outgoing; Tue, 5 Sep 1995 23:43:49 -0700 Received: from neptunus.rivm.nl (neptunus.rivm.nl [131.224.2.12]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id XAA19340 for ; Tue, 5 Sep 1995 23:43:44 -0700 From: Rens.Schipper@rivm.nl Received: from ccmail.rivm.nl by neptunus.rivm.nl with SMTP (PP); Wed, 6 Sep 1995 08:41:05 +0200 Received: from cc:Mail by ccmail.rivm.nl id AA810402041; Wed, 06 Sep 95 08:39:42 CET Date: Wed, 06 Sep 95 08:39:42 CET Message-Id: <9508068104.AA810402041@ccmail.rivm.nl> To: netmgr02@cbe.ab.ca, firewalls@greatcircle.com Subject: Re: Talk Proxy??? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi Glen, You could make a fairly easy work-around. Let remote users do a TELNET session to an internal (or in the DMZ) server where they can logon. On this server you start a TALK session to a user-definable internal user@host.(Don't give them a shell!!) This way you have only the telnet protocol over the firewall and the performance of TCP. last but not least you can use all authentication techniques already available for your regular telnet session. Just a thought, Rens Schipper ______________________________ Reply Separator _________________________________ Subject: Re: Talk Proxy??? 
Author: Brent@GreatCircle.COM (Brent Chapman) at SMTP Date: 5/9/95 21:15 At 11:58 AM 9/5/95, Glen Larwill wrote: >Has anyone created a Talk proxy that works with the TIS FWTK? We have a >large number of users that are complaining because our firewalls cannot >handle Talk. From firewalls-owner Wed Sep 6 00:30:11 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA19604 for firewalls-outgoing; Wed, 6 Sep 1995 00:11:01 -0700 Received: from bass.com.my (bass.com.my [161.142.248.42]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id AAA19597 for ; Wed, 6 Sep 1995 00:10:50 -0700 Received: from bass.bass.com.my (gw.bass.com.my) by bass.com.my with SMTP id AA17983 (5.67a/IDA-1.5 for ); Wed, 6 Sep 1995 15:09:31 +0800 Received: by bass.bass.com.my (4.1/SMI-4.1) id AA26135; Wed, 6 Sep 95 15:07:16 MYT Date: Wed, 6 Sep 1995 14:46:05 +0800 (MYT) From: Tham Huei Hwan Subject: DNS problem on Netra i To: firewalls@greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Anybody have any idea what is going wrong on my Netra i Internet server? My Netra i is set up with the ip address 200.200.9.1 and with the domain name abc.com.my. My Internet Network Provider (INP) is jaring.my and the ip address is 192.228.128.20. When I use the nslookup command, it gives me the following messages: #nslookup *** Can't find server name for address 200.200.9.1: Non-existent domain Default Server: jaring.my Address: 192.228.128.20 >server 200.200.9.1 Default Server: [200.200.9.1] Address: 200.200.9.1 >set type=ns >abc.com.my Server: [200.200.9.1] Address: 200.200.9.1 *** No name server (NS) records available for abc.com.my Anyway, my server can access the Internet and send E-mail without any problem, but the outside world cannot send E-mail to this server. Thanks. 
From firewalls-owner Wed Sep 6 05:30:23 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA24003 for firewalls-outgoing; Wed, 6 Sep 1995 05:24:10 -0700 Received: from gatepas.gc.ca (gatepas.gc.ca [192.197.79.133]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA23996 for ; Wed, 6 Sep 1995 05:24:07 -0700 Reply-To: Peter.BEAN@ldn01.x400.gc.ca Date: Wed, 06 Sep 1995 01:20:01 +0000 Priority: normal Content-Identifier: OLIVETTI-MAIL3.0 X400-Content-Type: P2-1984 X400-MTS-Identifier: [/PRMD=gc+eaitc.aecec/ADMD=telecom.canada/C=ca/;939:950906012001] From: Peter.BEAN@ldn01.x400.gc.ca (BEAN Peter -LDN -AG -LES) To: Firewalls@GreatCircle.COM Subject: Firewalls-Digest V4 #515 Message-Id: <939*/G=Peter/S=BEAN/O=ldn.01/PRMD=gc+eaitc.aecec/ADMD=telecom.canada/C=ca/@MHS> Importance: normal In-Reply-To: <199509052333.QAA12533*/DD.RFC-822=miles.greatcircle.com/PRMD=gc+internet/ADMD=GOVMT.CANADA/C=CA/@MHS> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am away from the office until Monday, 18 September 1995 From firewalls-owner Wed Sep 6 07:09:26 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA24897 for firewalls-outgoing; Wed, 6 Sep 1995 06:41:22 -0700 Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA24890 for ; Wed, 6 Sep 1995 06:41:18 -0700 Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34) id AA28601; Wed, 6 Sep 95 08:59:38 CDT Received: by mnbp.network.com with Microsoft Mail id <304DA3E2@mnbp.network.com>; Wed, 06 Sep 95 08:36:34 CDT From: Greg Brennan To: firewalls mailing list Subject: FW: Accounting System Date: Wed, 06 Sep 95 08:36:00 CDT Message-Id: <304DA3E2@mnbp.network.com> Encoding: 25 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Subject: Accounting System >Date: August 22, 1995 10:38PM > >Does anyone 
know a package that could make accounting the traffic, by >source and destinations (like CISCO routers do) but identifying the >service (FTP, TELNET, HTTP, etc.) > >Fernando Cozinheiro http://sweet.ua.pt/~cooker/ >System & Network Administrator Email: cooker@ci.ua.pt Yes. Packet Control Facility (PCF) runs on Network Systems routers and can be set up to provide you with those details. Check out the web site at http://www.network.com Greg Brennan ________________________________ Greg Brennan | Network Systems Corp. (Canadian Office) Manager, Business Partner Solutions | 5710 Timberlea Blvd., Suite 207 Internet: greg.brennan@network.com | Mississauga, Ontario L4W 4W1 Voice: (905) 629-0440 | "Secure Networks-On-Demand"TM Fax: (905) 629-0435 | http://www.network.com From firewalls-owner Wed Sep 6 08:32:24 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA26197 for firewalls-outgoing; Wed, 6 Sep 1995 08:13:59 -0700 Received: from smurfland.cit.buffalo.edu (smurfland.cit.buffalo.edu [128.205.10.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA26190 for ; Wed, 6 Sep 1995 08:13:56 -0700 Received: (jcmurphy@localhost) by smurfland.cit.buffalo.edu (8.6.11/8.6.4) id LAA28761 for firewalls@GreatCircle.COM; Wed, 6 Sep 1995 11:12:26 -0400 From: Jeff Murphy Message-Id: <199509061512.LAA28761@smurfland.cit.buffalo.edu> Subject: Re: FW: Accounting System To: firewalls@GreatCircle.COM Date: Wed, 6 Sep 1995 11:12:25 -0400 (EDT) In-Reply-To: <304DA3E2@mnbp.network.com> from "Greg Brennan" at Sep 6, 95 08:36:00 am X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 554 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Does anyone know a package that could make accounting the traffic, by >source and destinations (like CISCO routers do) but identifying the >service (FTP, TELNET, HTTP, etc.) 
there are several packages available to do this, include Netramet (which is an implementation of the internet accounting architecture). lists of available packages can be found on http://smurfland.cit.buffalo.edu/NetMan/index.html in "The Archives". here at UB, we wrote a small program based on libpcap (ftp.ee.llnl.gov) that does accounting based on port. From firewalls-owner Wed Sep 6 10:02:41 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA27735 for firewalls-outgoing; Wed, 6 Sep 1995 09:36:10 -0700 Received: from uucp.intac.com (uucp.intac.com [198.6.114.27]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA27728 for ; Wed, 6 Sep 1995 09:36:06 -0700 Received: from cdssrv.UUCP (uucp@localhost) by uucp.intac.com (8.6.5/8.6.5) with UUCP id MAA07575 for greatcircle.com!firewalls; Wed, 6 Sep 1995 12:07:07 -0400 Received: from cdshpa.chesapeake.com by cdssrv.chesapeake.com id aa08840; 6 Sep 95 11:51 EDT Received: by cdshpa.chesapeake.com (1.37.109.4/16.2) id AA02949; Wed, 6 Sep 95 11:48:06 -0400 From: Matt Hagadorn Subject: Where to put Internet Services? To: firewalls@greatcircle.com Date: Wed, 6 Sep 95 11:48:05 EDT Reply-To: msh@chesapeake.com Mailer: Elm [revision: 70.85] Message-ID: <9509061151.aa08840@cdssrv.chesapeake.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I've been reading this list for a while and reading (and trying to understand) as much of the firewall books/materials I can get my hands on, but there's something I'm having difficulty grasping. My company is looking at getting a "real" connection to the Internet (surprise!) and since I'm the network guy I get to learn more than I ever wanted to know about firewalls. The part I don't understand is where you would place application services (WWW server and anon FTP server for outside customers to access) in the case of a dual-homed gateway or a screened-host firewall. 
In the case of a dual-homed firewall, I would assume the FTP and WWW server software would be directly on the firewall machine? Is this a security risk? Or do you just provide an incoming proxy on the firewall that points to an inside machine running the httpd or ftpd servers? In the case of the screened host implementation, do the services go on the bastion host, or does it simply offer an incoming proxy service to the real machine running the WWW or FTP software? I don't see configuring the router to allow incoming FTP or http traffic to a host other than the bastion, otherwise you're no longer running a screened host type of firewall. Am I right? Any insights would be appreciated. Matt -- Matt Hagadorn Chesapeake Decision Sciences, Inc. email: msh@chesapeake.com From firewalls-owner Wed Sep 6 10:30:08 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA29374 for firewalls-outgoing; Wed, 6 Sep 1995 10:28:41 -0700 Received: from [198.102.244.42] (pb520.greatcircle.com [198.102.244.42]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA29367; Wed, 6 Sep 1995 10:28:37 -0700 X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 6 Sep 1995 10:27:49 -0800 To: msh@chesapeake.com, firewalls@greatcircle.com From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: Where to put Internet Services? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 11:48 AM 9/6/95, Matt Hagadorn wrote: >My company is looking at getting a "real" connection to the Internet >(surprise!) and since I'm the network guy I get to learn more than I ever >wanted to know about firewalls. The part I don't understand is where you >would place application services (WWW server and anon FTP server for outside >customers to access) in the case of a dual-homed gateway or a screened-host >firewall. 
> >In the case of a dual-homed firewall, I would assume the FTP and WWW server >software would be directly on the firewall machine? Is this a security risk? Yes, that's pretty much what folks usually do, and yes, it's a risk. In a nutshell, when (not if) someone breaks into your dual-homed host (via those services or others), you're hosed; the attackers will then have free access to your internal network. It generally doesn't take much (often just a little bit of packet sniffing) to leverage that into access to the internal systems. >Or do you just provide and incoming proxy on the firewall that points to >an inside machine running the httpd or ftpd servers? You could do that, but you're merely moving the problem, not eliminating it. >In the case of the screened host implementation, do the services go on the >bastion host, or does it simply offer an incoming proxy service to the real >machine running the WWW or FTP software? I don't see configuring the router >to allow incoming FTP or http traffic to a host other than the bastion, >otherwise your no longer running a screened host type of firewall. Am I right? Again, you could do it either way, but the problem remains: when someone compromises the bastion host, your internal network is completely exposed to it. This is why I strongly prefer screened subnet architectures to screened host or dual-homed host architectures. There's a measure of redundancy in a screened subnet architecture; even if an attacker utterly compromises the bastion host, they still have to get past the interior filtering system to attack the internal systems, and there's no strictly-internal traffic for them to snoop on while they're trying to figure out how to proceed. We discuss these and other related issues in some detail, complete with diagrams, in Chapter 4 of "Building Internet Firewalls"; see http://www.greatcircle.com/firewalls-book or send email to firewalls-book-info@greatcircle.com for more information about the book. 
-Brent -- Brent Chapman | Great Circle Associates | For Firewalls Tutorial info: Brent@GreatCircle.COM | 1057 West Dana Street | Tutorial-Info@GreatCircle.COM +1 415 962 0841 | Mountain View, CA 94041 | http://www.greatcircle.com From firewalls-owner Wed Sep 6 13:02:44 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA02039 for firewalls-outgoing; Wed, 6 Sep 1995 12:48:24 -0700 Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA02032 for ; Wed, 6 Sep 1995 12:48:19 -0700 Received: from maestro.Maestro.COM by relay4.UU.NET with SMTP id QQzgbf11309; Wed, 6 Sep 1995 15:46:58 -0400 Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA01981; Wed, 6 Sep 95 15:39:23 EDT Date: Wed, 6 Sep 1995 15:39:22 -0400 (EDT) From: Sick Puppy Subject: Windows NT servers in different networks and firewall To: firewalls@GreatCircle.com Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Just when we are all getting a warm snug feeling with TCP/IP, Windows NT jumps out to hit us over the head with its TCP/IP - IPX - NetBios multiple stack. Given the ease with which it is possible to do IP spoofing with commercially available software and a publicly available sniffer, I wonder what can be done to effectively firewall two Windows NT servers that each live in a different network but share a common user population between the two networks. The firewall would have to handle authentication, file and print services and rpc calls. Which vendors, if any, supply a firewall with these capabilities for Windows NT servers? 
Sick Puppy, the Cat_Eating_Dawg Photonic & Tachyonic Systems Engineer of the Stealth Starship Dark Matter -=:( Chained, whipped, beaten and severely abused in Katherine's Dungeon ):=- -=:( How could anything that feels so good be so wrong ):=- From firewalls-owner Wed Sep 6 13:33:39 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA02598 for firewalls-outgoing; Wed, 6 Sep 1995 13:14:55 -0700 Received: from sun.aitc.rest.tasc.com (sun.aitc.rest.tasc.com [147.81.50.129]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA02578 for ; Wed, 6 Sep 1995 13:14:49 -0700 Received: from iwdc1.office.rest.tasc.com by sun.aitc.rest.tasc.com (NX5.67d/NX3.0M-TASCnet-003) id AA09920; Wed, 6 Sep 95 16:06:27 -0500 Received: by AA03508wdc1.office.rest.tasc.com (4.1/SMI-4.1) id AA03508; Wed, 6 Sep 95 16:13:09 EDT Date: Wed, 6 Sep 95 16:13:09 EDT From: rebowes@iwdc1.office.rest.tasc.com (Bob Bowes) Message-Id: <9509062013.AA03508@AA03508wdc1.office.rest.tasc.com> To: firewalls@greatcircle.com, msh@chesapeake.com Subject: Re: Where to put Internet Services? Reply-To: rebowes@tasc.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk With a dual-homed firewall, your web page and ftp site can go in the demilitarized zone (between the two homes). With any other firewall (screening or proxy recommended), put these services on a machine outside the firewall. You can still place it behind the router. Don't put anything you don't want made public on this machine. Good luck on setting up your service! 
Bob Bowes From firewalls-owner Wed Sep 6 13:37:47 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA02503 for firewalls-outgoing; Wed, 6 Sep 1995 13:11:53 -0700 Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA02496 for ; Wed, 6 Sep 1995 13:11:47 -0700 Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA18891; Wed, 6 Sep 95 16:10:20 -0500 From: paul@hawksbill.sprintmrn.com (Paul Ferguson) Message-Id: <9509062110.AA18891@hawksbill.sprintmrn.com> Subject: Re: Where to put Internet Services? To: msh@chesapeake.com Date: Wed, 6 Sep 1995 16:10:20 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: <9509061151.aa08840@cdssrv.chesapeake.com> from "Matt Hagadorn" at Sep 6, 95 11:48:05 am X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 1270 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > My company is looking at getting a "real" connection to the Internet > (surprise!) and since I'm the network guy I get to learn more than I ever > wanted to know about firewalls. The part I don't understand is where you > would place application services (WWW server and anon FTP server for outside > customers to access) in the case of a dual-homed gateway or a screened-host > firewall. > > In the case of a dual-homed firewall, I would assume the FTP and WWW server > software would be directly on the firewall machine? Is this a security risk? Big time. > Or do you just provide and incoming proxy on the firewall that points to > an inside machine running the httpd or ftpd servers? You can do that, or you could simply place them on the external perimeter network. It all depends on what value you place on these servers. If you want to minimize risk, then proxy services is the way to go. 
- paul

_______________________________________________________________________________
Paul Ferguson                    Dulcius Ex Asperis
US Sprint                        tel: 703.689.6828
Managed Network Engineering      internet: paul@hawk.sprintmrn.com
Reston, Virginia USA             http://www.sprintmrn.com

From firewalls-owner Wed Sep 6 14:00:22 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA03041 for firewalls-outgoing; Wed, 6 Sep 1995 13:33:24 -0700
Received: from tigger.jvnc.net (tigger.jvnc.net [128.121.50.145]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA03034 for ; Wed, 6 Sep 1995 13:33:14 -0700
Received: from [192.67.239.213] (franklin-tty13.jvnc.net) by tigger.jvnc.net with SMTP id AA25127 (5.65c/IDA-1.4.4 for ip-atm@matmos.hpl.hp.com); Wed, 23 Aug 1995 14:16:59 -0400
Date: Wed, 23 Aug 1995 14:16:59 -0400
X-Sender: corecom@tigger.jvnc.net
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@greatcircle.com, ip-atm@matmos.hpl.hp.com
From: dave@corecom.com (David M. Piscitello)
Subject: Call for papers
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

The following call for papers seems relevant to these lists, but as I did not see it posted here, I'm cross posting...

regards,
dave

------------

C A L L   F O R   P A P E R S

3rd annual NetWorld+Interop Engineers' Conference
Las Vegas, Nevada
April 3rd and 4th, 1996

GENERAL INFORMATION

The NetWorld+Interop US Program Committee is pleased to solicit original technical papers for the 3rd annual Interop Engineers' Conference, held in conjunction with the NetWorld+Interop Conference and Exhibition, from April 1st through 5th, 1996.
In order to focus discussion and interaction, this year the Engineers' Conference is focusing on six topic areas of interest in computer-communications:

- Resource Management over Heterogeneous Networks
- Cell-based Routing
- Traffic management and the Future of Congestion Control
- Distributed Applications Management
- Video over Enterprise Networks
- High-speed Packet Filtering and Firewalling

A detailed description of each topic area appears below.

This conference seeks to bring together research scholars, engineers, and vendors to address pragmatic engineering issues in the field of networking and distributed systems interoperability. It is an excellent forum for engineers and researchers to publish papers on solutions to today's engineering-related problems.

PROCEDURES AND DEADLINES

1. Interested parties should submit abstracts of their papers by September 8, 1995

An abstract should be 500-1000 words in length and convey the key aspects of the paper. All abstracts should be submitted in ASCII. The program committee will indicate its acceptance (or not), no later than September 22, 1995.

To submit an abstract, send a message
    To: engrconf@interop.com
    Subject: abstract
(Do not have anything else in the Subject: line.)

The message should contain your complete contact information (name, affiliation, postal address, telephone, facsimile, and e-mail) along with your abstract. An automated reply will confirm receipt of your abstract.

2. If an abstract is accepted, the author(s) should submit a first draft of their paper by December 31, 1995

A paper should be between 10 and 16 pages in length, and be written in technical English. All papers should be submitted either in ASCII or PostScript. The program committee will indicate its acceptance (with comments) or not, on January 19, 1996.

3.
If a paper is accepted, the author(s) should submit the final copy of their paper, reflecting the comments of the program committee, by February 23, 1996

All final copies will be published in the event proceedings. Upon receipt of the final copy, the program committee will inform the author(s) if their papers are to be presented at the event. A presentation should be 20-25 minutes, excluding questions. Note that although every author who submits a final copy of an accepted paper receives a complimentary admission to the Engineers' Conference as well as the N+I General Conference and Exhibition, there may not be sufficient speaking slots for each accepted paper.

DESCRIPTION OF TOPICS

1. Resource Management over Heterogeneous Networks

Papers in this topic area are expected to address issues related to providing bandwidth guarantees or bandwidth on demand solutions in heterogeneous networks, i.e., networks whose paths include a variety of high-speed transmission media and services (ATM, FDDI, cell- and frame-based public services, high-speed and legacy LANs). Subjects include, but are not limited to, traffic engineering and service provisioning, routing and resource reservation models, traffic profiles (observed and simulated), traffic shaping and management, and queueing models (effectiveness of models, observed and simulated).

2. Next Generation Cell-based Routing

While the industry debates ATM vs. routing, researchers are beginning to develop next generation routers which combine the best of both technologies. So-called cell-based routers offer low latency and high performance of cell technology with the software robustness of existing routers. In addition, cell-based routers may provide support for services such as virtual routing, IP multicast, traffic management, along with support for non-internet services such as voice and real time video. Subjects include, but are not limited to, design issues for cell-based routers, implementation, and deployment experiences.
3. Traffic management and the Future of Congestion Control

Papers in this topic area are expected to address the future of traffic management and congestion control with respect to the different problems associated with handling voice, video, and data. Papers should focus on emerging structures and technologies that address these issues. Subjects include, but are not limited to, network complexity, size, diversity, and gigabit speeds.

4. Distributed Applications Management

Papers in this topic area are expected to address issues related to managing distributed applications running over a mixture of desktop and network operating systems on both local and wide area networks. Subjects include, but are not limited to, tracking desktop computer hardware and software inventory, providing pro-active alert notification of network and applications processes, interfaces to help-desk management software and network management consoles, gathering usage statistics of file, print, and applications services, managing redundant WAN links to distributed servers, and managing multiple network operating systems services.

5. Video over Enterprise Networks

Network-based video products are available today, but no one would mistake current service for movie-theatre quality or face-to-face interaction. Improvements are needed in network capabilities and their use by video-based applications. Papers for this topic area will discuss research efforts to improve the basic technology of network-based video services and techniques for making them more accessible. Subjects include, but are not limited to, schemes for picture encoding, improvements in bandwidth use, methods for accommodating variable latency, integration for multi-media service, standards efforts for 21st century service, and access to video applications.

6.
High-speed Packet Filtering and Firewalling

Papers in this topic area are expected to address issues related to providing effective packet-filters and firewalls while sustaining very high transmission rates between a public internetwork and a private network. Authors are encouraged to demonstrate the effectiveness or limitations of current firewall techniques through observation and simulation, or to propose advanced packet-filtering techniques that may be implemented in routers or intermediate systems to obviate the need for application-level proxies and host processing.

#######
David M. Piscitello
Core Competence, Inc.
1620 Tuckerstown Road
Dresher, PA USA 19025
dave@corecom.com
1.215.830.0692

From firewalls-owner Wed Sep 6 17:02:24 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA07173 for firewalls-outgoing; Wed, 6 Sep 1995 16:56:15 -0700
Received: from ucsdext.ucsd.edu (ucsdext.ucsd.edu [132.239.108.211]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA07166 for ; Wed, 6 Sep 1995 16:56:10 -0700
Received: from juju.adnc.com (robo13.adnc.com) by ucsdext.ucsd.edu (5.x/SMI-SVR4) id AA29136; Wed, 6 Sep 1995 16:50:09 -0700
Message-Id: <9509062350.AA29136@ucsdext.ucsd.edu>
X-Sender: dschiffrin@popmail.ucsd.edu
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 06 Sep 1995 17:01:58 -0700
To: lpierce@intex.net (S. Lane Pierce)
From: David Schiffrin
Subject: Re: firewall with only one IP address ???
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:14 AM 9/5/95 -0500, S. Lane Pierce wrote:
>Matt-
>
>Are you sure you only get 1 host address or 1 network address? Usually 1
>class c network address is assigned, this will yield 254 host addresses.
------------snipped-------------->8
>Check with your provider.
>
>Good luck.
> [more stuff snipped]

Many providers I've worked with have low cost connections which are restricted to one IP address (PPP style). Often, Internic will issue a class c if requested, but the provider may charge $$ to advertise DNS into the assigned net-number.

cheers
-Dave

--------------------------------------------------------------------------------
David Schiffrin
dschiffrin@ucsd.edu

From firewalls-owner Wed Sep 6 17:30:09 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA07251 for firewalls-outgoing; Wed, 6 Sep 1995 17:01:59 -0700
Received: from ucsdext.ucsd.edu (ucsdext.ucsd.edu [132.239.108.211]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id RAA07244 for ; Wed, 6 Sep 1995 17:01:54 -0700
Received: from robo13.adnc.com by ucsdext.ucsd.edu (5.x/SMI-SVR4) id AB29136; Wed, 6 Sep 1995 16:50:21 -0700
Message-Id: <9509062350.AB29136@ucsdext.ucsd.edu>
X-Sender: dschiffrin@popmail.ucsd.edu
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 06 Sep 1995 17:02:09 -0700
To: Tham Huei Hwan
From: David Schiffrin
Subject: Re: DNS problem on Netra i
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 02:46 PM 9/6/95 +0800, Tham Huei Hwan wrote:
>HI,
>
>Anybody have any idea what is going wrong on my Netra i Internet server.
>My Netra i is setup with the ip address 200.200.9.1 and with the domain
>name as abc.com.my
>My Internet Network Provider(INP) is jaring.my and the ip address is
>192.228.128.20
>
>When I use the nslookup command, it gives me the following
>messages:
>
>#nslookup
>*** Can't find server name for address 200.200.9.1: Non-existent domain
>Default Server: jaring.my
>Address: 192.228.128.20
>
>>server 200.200.9.1
>Default Server: [200.200.9.1]
>Address: 200.200.9.1
>
>>set type=ns
>>abc.com.my
>Server: [200.200.9.1]
>Address: 200.200.9.1
>
>*** No name server (NS) records available for abc.com.my
>
>Anyway, My server can access Internet and send E-mail without any problem
>and the outside world cannot send the E-mail to this server.
>

I'd say your problem is that your provider's DNS server isn't advertising your ip addresses. jaring.my doesn't resolve 200.200.9.1 for me either. Give them a call, I'm sure they can help in just a few moments.

--------------------------------------------------------------------------------
David Schiffrin
dschiffrin@ucsd.edu

From firewalls-owner Thu Sep 7 05:32:32 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA15127 for firewalls-outgoing; Thu, 7 Sep 1995 05:29:28 -0700
Received: from linda.fdata.se (linda.fdata.se [159.72.248.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA15120 for ; Thu, 7 Sep 1995 05:29:24 -0700
Received: from WMX.WMDATA.SE (wmx.wmdata.se [164.9.179.100]) by linda.fdata.se (8.6.12/8.6.9) with SMTP id OAA04371 for ; Thu, 7 Sep 1995 14:24:46 +0200
X400-Received: by /PRMD=WMDATAWMX/ADMD=WMDATA/C=SE/; Relayed; Thu, 7 Sep 1995 14:27:34 +0100
Date: Thu, 7 Sep 1995 14:27:34 +0100
X400-Originator: Roberto.Piludu@STO4.wmdata.se
X400-Recipients: firewalls@greatcircle.com
X400-MTS-Identifier: [/PRMD=WMDATA/ADMD=WMDATA/C=SE/;0012400001517066000002]
X400-Content-Type: P2-1988 (22)
Content-Identifier: CSI NC V3.0
From: "Piludu, Roberto"
Message-ID:
<0004622A.MAI*/S=WMROPIL/OU=STO4/OU=WMDATA/O=MSMAIL/PRMD=WMDATA/ADMD=WMDATA/C=SE/@MHS>
To: "'Firewalls'"
Subject: SNA through firewalls?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I'm kind of new to this with firewalls so the question might be a bit strange, but suppose you have an AS400 behind a firewall that wants to talk to another on the outside. Are there any commercial firewalls that can talk SNA, or is there need for some sort of "converter" between TCP/IP and SNA. Any suggestions would be very grateful.

Thanks
/roberto

From firewalls-owner Thu Sep 7 06:32:27 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA15647 for firewalls-outgoing; Thu, 7 Sep 1995 06:31:16 -0700
Received: from uustar.starnet.net (uustar.starnet.net [199.217.253.12]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA15640 for ; Thu, 7 Sep 1995 06:31:13 -0700
Received: from taft.UUCP by uustar.starnet.net with UUCP id AA13371 (5.67b/IDA-1.5 for greatcircle.com!firewalls); Thu, 7 Sep 1995 08:20:12 -0500
Received: (from nicholcs@localhost) by taft.AGEdwards.COM (8.6.9/8.6.9) id HAA13286; Thu, 7 Sep 1995 07:56:18 -0500
Date: Thu, 7 Sep 1995 07:46:36 -0500 (CDT)
From: Chris S Nichols
Subject: Cisco 2511s
To: firewalls@greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have been sent a proposal from a vendor who wishes to allow remote access to a sent using a Cisco 2511 on the LAN.

They want to allow a laptop using PPP dialin to a Cisco 2511 with a remote access port and use the PAP protocol which they claim will take care of security. They claim this can't be hacked. >:-()

Their proposal claims that a remote user dialing in with PPP would have to know the 2511 port IP address and then issues an authentication string via PAP(?) which provides security.
My opinion is, no, you want remote access, you go through an authentication server and use a Security Dynamics card.

What the heck is this PAP stuff and how much of a potential mess is this?

TIA,

Chris N

From firewalls-owner Thu Sep 7 07:00:20 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA15825 for firewalls-outgoing; Thu, 7 Sep 1995 06:42:50 -0700
Received: from mms (mms.mms-gmbh.de [193.103.159.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA15818 for ; Thu, 7 Sep 1995 06:42:45 -0700
Message-Id:
Comments: Authenticated sender is
From: "Frank Heinzius"
To: portmaster-users@livingston.com
Date: Thu, 7 Sep 1995 15:43:15 +0000
Subject: Comparison RADIUS and TACACS+
Reply-to: frimp@mms-gmbh.de
CC: firewalls@greatcircle.com
Priority: normal
X-mailer: Pegasus Mail for Windows (v2.01)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all!

Does anybody have a comparison between the features of RADIUS and TACACS+? A feature table comparison would be perfect.

I have customers who want to buy a Cisco Access Server, I want to sell them Livingston PortMasters. Despite this, Cisco and Livingston announced that they would integrate each other's features into their machines.

Thanks in advance,
Frank

--
***** The expressed opinions are totally mine! *****
Frank M.
Heinzius                  MMS Communication GmbH      frimp@mms-gmbh.de
Eiffestrasse 598          Phone: +49 40 2111105-0     Fax: +49 40 210 32 210

From firewalls-owner Thu Sep 7 08:30:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA17287 for firewalls-outgoing; Thu, 7 Sep 1995 08:22:16 -0700
Received: from westie.mid.net (westie.mid.net [198.247.250.16]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA17280 for ; Thu, 7 Sep 1995 08:22:11 -0700
Received: from gaijin.mid.net (gaijin.mid.net [198.247.250.28]) by westie.mid.net (8.6.10/8.6.9) with ESMTP id KAA03038 for ; Thu, 7 Sep 1995 10:20:09 -0500
Received: (from alan@localhost) by gaijin.mid.net (8.6.10/8.6.9) id BAA05618; Sat, 2 Sep 1995 01:43:47 -0500
From: Alan Hannan
Message-Id: <199509020643.BAA05618@gaijin.mid.net>
Subject: Re: how to close socket
To: jmeritt@smtpinet.aspensys.com (Meritt Jim)
Date: Sat, 2 Sep 1995 01:43:47 -0500 (CDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9508018099.AA809996857@smtpinet.aspensys.com> from "Meritt, Jim" at Sep 1, 95 04:07:37 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 837
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

......... Meritt, Jim is rumored to have said:
--> On a standard sun box using /etc/services and inetd, how would you
--> stop traffic from being passed through a port?

Any of the following will work. #1 is the most simple, and most likely the one you will choose. Good luck.

1) Stop the service from being spawned by inetd:
   A) Comment out the entry in /etc/inetd.conf for the service you want to disallow.
   B) Restart inetd.

2) Control Access for the service using TCP Wrappers
   A) Find tcp wrappers.
   B) Install it.

3) Modify the binary/proxy/service to filter/disallow connections based upon proprietary configurations.

--
Alan Hannan                          Email: alan@mid.net
Network Systems Administrator        Voice: (402) 472-0239
MIDnet, Lincoln NOC Office           Fax:   (402) 472-0240
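The inetd.conf layout that the reply above works on, with its first two remedies made mechanical: a parser for the file, a pass that comments out every entry not on an allowlist (step 1A; step 1B is still a SIGHUP to inetd), and a pass that routes the remaining stream/tcp entries through tcpd so hosts.allow and hosts.deny apply (step 2). This is an added example, not code from the list or the poster; the sample configuration, the kept service and the /usr/sbin/tcpd path are constructed.

```python
"""Audit an inetd.conf and apply the first two remedies from the reply above.

Added example, not code from the list or the poster. The sample configuration,
the service set and the /usr/sbin/tcpd path are constructed for illustration.
Layout of an inetd.conf entry:
    service  socket-type  protocol  wait/nowait  user  server-program  [args]
"""

# Constructed sample; a line starting with '#' is a disabled entry.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd      in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd   in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/in.rshd      in.rshd
login   stream  tcp  nowait  root    /usr/sbin/in.rlogind   in.rlogind
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd   in.fingerd
smtp    stream  tcp  nowait  root    /usr/lib/sendmail      sendmail -bs
tftp    dgram   udp  wait    root    /usr/sbin/in.tftpd     in.tftpd
"""

FIELDS = ("service", "socket", "protocol", "wait", "user", "server")


def _is_entry(line):
    """True for a live entry, False for blank lines and commented-out ones."""
    s = line.strip()
    return bool(s) and not s.startswith("#")


def parse_inetd_conf(text):
    """Return the enabled entries as dicts; commented-out and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not _is_entry(line):
            continue
        parts = line.split(None, len(FIELDS))   # six fields, then the argument string
        if len(parts) < len(FIELDS):
            raise ValueError("malformed inetd.conf line: %r" % line)
        entry = dict(zip(FIELDS, parts))
        entry["args"] = parts[len(FIELDS)] if len(parts) > len(FIELDS) else ""
        entries.append(entry)
    return entries


def enabled_services(text):
    """Sorted 'service/protocol' names that inetd would currently spawn."""
    return sorted(e["service"] + "/" + e["protocol"] for e in parse_inetd_conf(text))


def disable_services(text, keep):
    """Step 1A: comment out every enabled entry whose service is not in `keep`.
    Step 1B (make inetd reread the file) is a SIGHUP to the inetd process."""
    out = []
    for line in text.splitlines():
        if _is_entry(line) and line.split()[0] not in keep:
            line = "#" + line
        out.append(line)
    return "\n".join(out) + "\n"


def wrap_with_tcpd(text, tcpd="/usr/sbin/tcpd"):
    """Step 2: run each enabled stream/tcp service through tcpd so that
    /etc/hosts.allow and /etc/hosts.deny decide who may connect. tcpd receives
    the daemon's basename and locates the real server in its daemon directory."""
    out = []
    for line in text.splitlines():
        if _is_entry(line):
            e = parse_inetd_conf(line)[0]
            if e["socket"] == "stream" and e["protocol"] == "tcp" and e["server"] != tcpd:
                args = e["args"] or e["server"].rsplit("/", 1)[-1]
                line = "\t".join((e["service"], e["socket"], e["protocol"],
                                  e["wait"], e["user"], tcpd, args))
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("enabled now:     ", enabled_services(SAMPLE_INETD_CONF))
    hardened = disable_services(SAMPLE_INETD_CONF, {"smtp"})
    print("after disabling: ", enabled_services(hardened))
    print(wrap_with_tcpd(SAMPLE_INETD_CONF))
```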
From firewalls-owner Thu Sep 7 09:00:13 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA17686 for firewalls-outgoing; Thu, 7 Sep 1995 08:51:37 -0700
Received: from theory.tc.cornell.edu (THEORY.TC.CORNELL.EDU [132.236.98.174]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA17672 for ; Thu, 7 Sep 1995 08:51:33 -0700
Received: (from uactech@localhost) by theory.tc.cornell.edu (8.6.9/8.6.6) id LAA81693 for firewalls@greatcircle.com; Thu, 7 Sep 1995 11:50:05 -0400
Received: from ovid by ithaca.actech.com (920330.SGI/SMI-4.0) id AA01678; Thu, 7 Sep 95 11:45:53 -0400
Received: by ovid.actech.com (5.x/SMI-SVR4) id AA07907; Thu, 7 Sep 1995 11:45:50 -0400
Received: from Messages.8.5.N.CUILIB.3.45.SNAP.NOT.LINKED.ovid.sun4.51 via MS.5.6.ovid.sun4_51; Thu, 7 Sep 1995 11:45:49 -0400 (EDT)
Message-Id:
Date: Thu, 7 Sep 1995 11:45:49 -0400 (EDT)
From: Steve Gaarder
To: firewalls@greatcircle.com
Subject: SLIP/PPP dialin on firewall?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am setting up Internet connections for our company's various offices using firewalls built from BSD/OS and the TIS firewall toolkit. I want to add a modem-based backup link so that the firewalls can communicate with each other if an Internet link goes down. To do this, I am thinking of installing a modem for SLIP or PPP on the firewall machine, and disabling any logins other than to the PPP/SLIP software. It seems to me that as long as I treat a SLIP/PPP connection the same as one from the Internet, I am not reducing security significantly. Am I missing anything?
thanks,

Steven Gaarder
Network and Systems Administrator
gaarder@actech.com
A C Technology, Ithaca, N.Y., USA

From firewalls-owner Thu Sep 7 09:03:51 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA17612 for firewalls-outgoing; Thu, 7 Sep 1995 08:49:06 -0700
Received: from camelot.netmarket.com (camelot.netmarket.com [199.79.247.247]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA17605 for ; Thu, 7 Sep 1995 08:49:03 -0700
Received: from tannis.netmarket.com (tannis.netmarket.com [172.16.1.10]) by camelot.netmarket.com (8.6.10/8.6.9) with ESMTP id LAA24386 for ; Thu, 7 Sep 1995 11:47:37 -0400
Received: from brigadoon.netmarket.com (brigadoon.netmarket.com [172.16.1.236]) by tannis.netmarket.com (8.6.10/8.6.10) with SMTP id LAA00594 for ; Thu, 7 Sep 1995 11:47:37 -0400
Received: by brigadoon.netmarket.com (5.x/client-1.5) id AA02642; Thu, 7 Sep 1995 11:47:35 -0400
Message-Id: <9509071547.AA02642@brigadoon.netmarket.com>
From: hal@netmarket.com (Hal Pomeranz)
Date: Thu, 7 Sep 1995 11:47:34 -0400
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
To: firewalls@greatcircle.com
Subject: Brent Chapman to appear at BBLISA 9/13
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

August: Firewalls

Date:        Sept 13, 1995
Time:        7:00-9:00pm
Location:    MIT Building E51 Room 85 (formerly Room 012)
             70 Memorial Drive
             Cambridge, MA
Speaker:     Brent Chapman
Coordinator: Hal Pomeranz

Brent Chapman, manager of the "Firewalls" Internet mailing list and coauthor of the new book "Building Internet Firewalls" (O'Reilly & Associates; due out in mid-September) will be talking about current topics in building and managing Internet firewall security systems.

---------------------------------------------------------------------
Want to find out more about BackBayLISA? the monthly meetings? the mailing lists? Send mail to

Need directions to the meeting?
ftp them from, ftp.bblisa.org:/pub/bblisa/directions
---------------------------------------------------------------------

From firewalls-owner Thu Sep 7 09:32:27 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA19029 for firewalls-outgoing; Thu, 7 Sep 1995 09:29:54 -0700
Received: from stilton.cisco.com (stilton.cisco.com [171.69.1.161]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA19022 for ; Thu, 7 Sep 1995 09:29:51 -0700
Received: from cisco.com (localhost.cisco.com [127.0.0.1]) by stilton.cisco.com (8.6.8+c/8.6.5) with ESMTP id JAA01942; Thu, 7 Sep 1995 09:28:16 -0700
Message-Id: <199509071628.JAA01942@stilton.cisco.com>
To: Chris S Nichols
Cc: firewalls@GreatCircle.COM
Subject: Re: Cisco 2511s
In-Reply-To: Your message of "Thu, 07 Sep 1995 07:46:36 CDT."
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Id: <1937.810491295.1@cisco.com>
Date: Thu, 07 Sep 1995 09:28:16 -0700
From: David Carrel
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well, PAP is just one of the protocols used by PPP to convey authentication information. PAP has the drawback that it sends cleartext passwords. But it has the benefit that you can combine it with token cards like the SDI products. You cannot get the SDI cards to work with CHAP.

The bit about having to know the IP address is bogus. IPCP negotiation will convey both IP addresses to any dialin client that authenticates properly. Even if it didn't, don't ever base security on obscurity.

If they're planning to use fixed passwords with PAP, you may want to consider using CHAP instead as it doesn't transmit a cleartext password. (CHAP is available on all cisco gear.) You can use XTACACS or TACACS+ (and very shortly kerberos and RADIUS) for communicating to a remote authentication server.
Dave

----------------------------------------------------------------------------
David Carrel                          | E-mail: carrel@cisco.com
Security Development, cisco Systems   | phone: (408) 526-5207
210 W. Tasman Drive                   | fax: (408) 526-4952
San Jose, CA 95134-1706               |
----------------------------------------------------------------------------

> I have been sent a proposal from a vendor who wishes to allow remote
> access to a sent using a Cisco 2511 on the LAN.
>
> They want to allow a laptop using PPP dialin to a Cisco 2511 with a remote
> access port and use the PAP protocol which they claim will take care of
> security. They claim this can't be hacked. >:-()
>
> Their proposal claims that a remote user dialing in with PPP would have
> to know the 2511 port IP address and then issues an authentication string
> via PAP(?) which provides security.
>
> My opinion is, no, you want remote access, you go through an authentication
> server and use a Security Dynamics card.
>
> What the heck is this PAP stuff and how much of a potential mess is this?
>
> TIA,
>
> Chris N
>

From firewalls-owner Thu Sep 7 10:00:03 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA19169 for firewalls-outgoing; Thu, 7 Sep 1995 09:36:20 -0700
Received: from condor.messaging.cs.mci.com ([166.37.39.95]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA19162 for ; Thu, 7 Sep 1995 09:36:15 -0700
Received: by condor.messaging.cs.mci.com; id AB29293; Thu, 7 Sep 1995 10:32:24 -0600
Date: Thu, 7 Sep 1995 10:32:24 -0600
From: Mail Delivery Subsystem
Subject: Returned mail: Unable to deliver mail
Message-Id: <9509071632.AB29293@condor.messaging.cs.mci.com>
To: Firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From firewalls-owner Thu Sep 7 10:31:34 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA20252 for firewalls-outgoing; Thu, 7 Sep 1995 10:22:00 -0700
Received: from sunthing.sjsinc.com (sunthing.sjsinc.com [140.174.165.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA20237 for ; Thu, 7 Sep 1995 10:21:54 -0700
Received: by sunthing.sjsinc.com Mailer: sendmail (8.6.12/8.6.9) Protocol: Id: KAA23295; Thu, 7 Sep 1995 10:19:46 -0700
Date: Thu, 7 Sep 1995 10:19:46 -0700
From: sjs@sunthing.sjsinc.com (Stefan Jon Silverman)
Message-Id: <199509071719.KAA23295@sjsinc.com>
To: gaarder@actech.com
Subject: Re: SLIP/PPP dialin on firewall?
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Steven Gaarder writes:
>
> I am setting up Internet connections for our company's various offices
> using firewalls built from BSD/OS and the TIS firewall toolkit. I want
> to add a modem-based backup link so that the firewalls can communicate
> with each other if an Internet link goes down. To do this, I am
> thinking of installing a modem for SLIP or PPP on the firewall machine,
> and disabling any logins other than to the PPP/SLIP software.
> It seems
> to me that as long as I treat a SLIP/PPP connection the same as one from
> the Internet, I am not reducing security significantly. Am I missing
> anything?
>

My only comments here would be to use the mgetty portion of mgetty+sendfax (ftp://sunsite.unc.edu) to control the port. It allows a degree of modem port control that is not usually available in that it can restrict access to certain logins, certain phone numbers (if your modems and telco support Caller-ID), will launch programs based on user ID's (which can be a script to verify that the Internet connection is down before accepting a call), and many other features.

Just remember to launch it from your /etc/ttytab file with the data-only flag, and watch the log files -- they grow very fast...

My $0.03 worth (inflation has upped the value of advice)....

Regards,

b c++'ing u, %-)

sjs

-------------------------------------------------------------------------------
Stefan Jon Silverman - President                 SJS Associates, N.A., Inc.
572 Chestnut Street                   Distributed Systems Architecture & Implementation
San Francisco, Ca. 94133              Phone: 415 989 2741     Fax: 415 989 7250
E-mail: sjs@sjsinc.com                Cell: 415 519 3494
-------------------------------------------------------------------------------
Weebles wobble, but they don't fall down!!!
-------------------------------------------------------------------------------
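The PAP versus CHAP distinction drawn in the Cisco 2511 thread above applies equally to the PPP dial-in link discussed in this thread, so here it is worked through on the wire: an added example, not code from any poster, that builds the PAP Authenticate-Request of RFC 1334 and the CHAP Challenge/Response packets of RFC 1994 and shows what a passive observer of the serial link learns in each case. The peer name, authenticator name, secret and the fixed challenge are constructed for the example.

```python
"""PAP versus CHAP on a PPP dial-in link (RFC 1334 for PAP, RFC 1994 for MD5-CHAP).

Added example, not code from the list: PAP ships the password verbatim, CHAP ships
MD5(Identifier || secret || Challenge), so someone who can read the link gets the
password in the first case and only a one-time hash in the second.
"""
import hashlib
import hmac
import os
import struct

PAP_AUTH_REQUEST = 1   # PAP Authenticate-Request code
CHAP_CHALLENGE = 1     # CHAP Challenge code
CHAP_RESPONSE = 2      # CHAP Response code


def pap_authenticate_request(identifier, peer_id, password):
    """Peer -> authenticator. Layout: Code, Identifier, Length, Peer-ID-Length,
    Peer-ID, Passwd-Length, Password. The Password field is the cleartext password."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, identifier, 4 + len(body)) + body


def pap_password_from_wire(packet):
    """What anyone who can read the link recovers from a PAP request."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != PAP_AUTH_REQUEST or length != len(packet):
        raise ValueError("not a PAP Authenticate-Request")
    pw_off = 5 + packet[4]                      # skip Peer-ID-Length and Peer-ID
    return packet[pw_off + 1 : pw_off + 1 + packet[pw_off]]


def chap_challenge(identifier, challenge, name):
    """Authenticator -> peer. Layout: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(challenge)]) + challenge + name
    return struct.pack("!BBH", CHAP_CHALLENGE, identifier, 4 + len(body)) + body


def chap_response_value(identifier, secret, challenge):
    """MD5 over Identifier || secret || Challenge; the secret itself never leaves the peer."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_response(identifier, secret, challenge, name):
    """Peer -> authenticator: same layout as the Challenge, Value is the MD5 result."""
    value = chap_response_value(identifier, secret, challenge)
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", CHAP_RESPONSE, identifier, 4 + len(body)) + body


def chap_verify(packet, secret, challenge, identifier):
    """Authenticator side: the Response must carry the Identifier of the Challenge
    actually sent, and its Value must equal the MD5 recomputed with the
    authenticator's own copy of the secret. Compared in constant time."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != CHAP_RESPONSE or ident != identifier or length != len(packet):
        return False
    value = packet[5 : 5 + packet[4]]
    return hmac.compare_digest(value, chap_response_value(ident, secret, challenge))


def chap_exchange(secret, challenge=None, identifier=7):
    """One Challenge/Response round. Returns (bytes seen on the wire, authenticated)."""
    if challenge is None:
        challenge = os.urandom(16)              # fresh per round; see the replay check
    chal_pkt = chap_challenge(identifier, challenge, b"nas.example")   # constructed names
    resp_pkt = chap_response(identifier, secret, challenge, b"chris")
    return chal_pkt + resp_pkt, chap_verify(resp_pkt, secret, challenge, identifier)


if __name__ == "__main__":
    secret = b"s3cret"                          # constructed dial-in password
    pap = pap_authenticate_request(1, b"chris", secret)
    print("PAP password on the wire:", pap_password_from_wire(pap))
    wire, ok = chap_exchange(secret)
    print("CHAP authenticated:", ok, "secret on the wire:", secret in wire)
    # A captured Response is useless against the next round's fresh challenge.
    stale = chap_response(7, secret, bytes(16), b"chris")
    print("replayed response accepted:", chap_verify(stale, secret, os.urandom(16), 7))
```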
From firewalls-owner Thu Sep 7 11:15:37 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA20969 for firewalls-outgoing; Thu, 7 Sep 1995 10:58:07 -0700
Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA20955 for ; Thu, 7 Sep 1995 10:57:57 -0700
Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34) id AA14895; Thu, 7 Sep 95 13:16:28 CDT
Received: by mnbp.network.com with Microsoft Mail id <304F3195@mnbp.network.com>; Thu, 07 Sep 95 12:53:25 CDT
From: Craig McLellan
To: firewalls
Subject: Looking for firm information
Date: Thu, 07 Sep 95 12:52:00 CDT
Message-Id: <304F3195@mnbp.network.com>
Encoding: 8 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anyone on this list heard of the consulting firm Peter Davis and associates. Apparently they present themselves as one of the leading security consulting firms in North America. Any feedback?
RGRDS....clm

From firewalls-owner Thu Sep 7 12:00:38 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA21926 for firewalls-outgoing; Thu, 7 Sep 1995 11:26:03 -0700
Received: from freeside.fc.net (freeside.fc.net [198.6.198.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA21917 for ; Thu, 7 Sep 1995 11:25:56 -0700
Received: (from jerry@localhost) by freeside.fc.net (8.6.12/8.6.6) id NAA07276; Thu, 7 Sep 1995 13:22:58 -0500
From: Jeremy Porter
Message-Id: <199509071822.NAA07276@freeside.fc.net>
Subject: Re: Comparison RADIUS and TACACS+
To: frimp@mms.mms-gmbh.de
Date: Thu, 7 Sep 1995 13:22:57 -0500 (CDT)
Cc: portmaster-users@livingston.com, firewalls@greatcircle.com
In-Reply-To: from "Frank Heinzius" at Sep 7, 95 03:43:15 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1107
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>Hi all!
>
>Does anybody have a comparison between the features of RADIUS and
>TACACS+? A feature table comparison would be perfect.
>
>I have customers who want to buy a Cisco Access Server, I want to
>sell them Livingston PortMasters. Despite this, Cisco and Livingston
>announced that they would integrate each other's features into their
>machines.

Why not wait until you can buy a product that does both radius and TACACS+? I understand there are people working on such things, in addition to Cisco's announced support for RADIUS.

Supposedly all the free TACACS servers suck. I've never been forced to use one, because Cisco Access servers have such a tiny port density. (Although Cisco's will support OSPF and classless operation which Livingston's don't.)

--
------ Freeside Communications, Inc.  Texas's ISDN leader. ------
--- (512)-339-6094   P.O.
Box 530264   Austin, TX 78753 ---
------ (sales: sales@fc.net, pricing: info@fc.net) ------
--------- jerry@fc.net ----------------------------------------
------------ High Speed, Fault-tolerant Networking --------------

From firewalls-owner Thu Sep 7 12:10:39 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA22592 for firewalls-outgoing; Thu, 7 Sep 1995 11:46:47 -0700
Received: from hosaka.smallworks.com (hosaka.SmallWorks.COM [192.207.126.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA22585 for ; Thu, 7 Sep 1995 11:46:44 -0700
Received: by hosaka.smallworks.com (5.x/SMI-SVR4) id AA25370; Thu, 7 Sep 1995 13:45:16 -0500
Date: Thu, 7 Sep 1995 13:45:16 -0500
From: jim@SmallWorks.COM (Jim Thompson)
Message-Id: <9509071845.AA25370@hosaka.smallworks.com>
To: firewalls@GreatCircle.COM, taft!nicholcs@uustar.starnet.net
Subject: Re: Cisco 2511s
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

PAP (Password Authentication Protocol) is described in RFC1334, along with CHAP (Challenge Handshake Authentication Protocol). PAP is not a strong authentication method, CHAP is somewhat better. You can even use Security Dynamics cards via xtacacs and TACACS+, both of which the Cisco can 'speak' with great fluency.

Jim

From firewalls-owner Thu Sep 7 12:32:26 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA23935 for firewalls-outgoing; Thu, 7 Sep 1995 12:22:21 -0700
Received: from devel.dejong.com (devel.dejong.com [198.235.24.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA23928 for ; Thu, 7 Sep 1995 12:22:10 -0700
From: Chris Tyler
To: Firewalls@GreatCircle.COM
Date: Thu, 7 Sep 1995 15:20 EDT
Subject: Re: SNA through firewalls?
Content-Length: 705 Content-Type: text/plain Message-ID: <304f46160.257e@devel.dejong.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I'm kind of new to this with firewalls so the question might be a bit > strange, but suppose you have an AS400 behind a firewall that wants to > talk to another on the outside. Are there any commercial firewalls that > can talk SNA, or is there need for some sort of "converter" between > TCP/IP and SNA. Any suggestions would be very grateful. AS400's can directly speak TCP/IP now, and that's the approach that you'll probably want to use. Any good TCP/IP firewalling solution will work in that environment (although I don't know about proxying TN5250 :-). Chris Tyler chris@dejong.com Systems Development Manager, Wm. De Jong Enterprises Inc. +1-519-424-9007 / fax +1-519-424-2399 From firewalls-owner Thu Sep 7 15:00:11 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA27719 for firewalls-outgoing; Thu, 7 Sep 1995 14:41:43 -0700 Received: from utopia.hacktic.nl (utopia.hacktic.nl [194.109.9.42]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA27705 for ; Thu, 7 Sep 1995 14:41:39 -0700 Received: (from replay@localhost) by utopia.hacktic.nl (8.6.12/8.6.12) id XAA16451 for firewalls@greatcircle.com; Thu, 7 Sep 1995 23:40:07 +0200 Date: Thu, 7 Sep 1995 23:40:07 +0200 Message-Id: <199509072140.XAA16451@utopia.hacktic.nl> Subject: Firewall-1 concerns To: firewalls@greatcircle.com From: nobody@REPLAY.COM (Anonymous) Organization: RePLaY aND CoMPaNY UnLimited XComm: Replay may or may not approve of the content of this posting XComm: Report misuse of this automated service to Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I recently found out that the Firewall-1 product from Sun is actually written and developed by a company in Israel and that Sun does not have nor has access to the source code. 
I'm afraid that companies may look at the Sun Firewall-1 product and
think that Sun has inspected the code for trapdoors and such in the
code that may have been put there under orders from the Mossad. In
fact, I heard one person say that in looking at the binary there is
very suspicious code.

It turns out that Sun does not have the source and hasn't inspected it.
I hope that the US military and other sensitive agencies or companies
with sensitive information aren't using this product for protection.

It may be that the Mossad has free rein to get into your network!

Someone very concerned

From firewalls-owner Thu Sep 7 15:30:14 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA28287 for firewalls-outgoing; Thu, 7 Sep 1995 15:10:00 -0700
Received: from gatepas.gc.ca (gatepas.gc.ca [192.197.79.133]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA28280 for ; Thu, 7 Sep 1995 15:09:57 -0700
Reply-To: Peter.BEAN@ldn01.x400.gc.ca
Date: Thu, 07 Sep 1995 19:20:01 +0000
Priority: normal
Content-Identifier: OLIVETTI-MAIL3.0
X400-Content-Type: P2-1984
X400-MTS-Identifier: [/PRMD=gc+eaitc.aecec/ADMD=telecom.canada/C=ca/;979:950907192001]
From: Peter.BEAN@ldn01.x400.gc.ca (BEAN Peter -LDN -AG -LES)
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V4 #516
Message-Id: <979*/G=Peter/S=BEAN/O=ldn.01/PRMD=gc+eaitc.aecec/ADMD=telecom.canada/C=ca/@MHS>
Importance: normal
In-Reply-To: <199509071531.IAA17353*/DD.RFC-822=miles.greatcircle.com/PRMD=gc+internet/ADMD=GOVMT.CANADA/C=CA/@MHS>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am away from the office until Monday, 18 September 1995

From firewalls-owner Thu Sep 7 16:32:26 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA29406 for firewalls-outgoing; Thu, 7 Sep 1995 16:03:07 -0700
Received: from ncrhub1.ATTGIS.COM (h192-127-251-16.ATTGIS.COM [192.127.251.16]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA29399 for ; Thu, 7 Sep 1995 16:03:01 -0700
From: postmaster@uf9392uc.rockvillemd.NCR.COM
Received: from ncrgw1 by ncrhub1.ATTGIS.COM id gc19077; 7 Sep 95 19:00 EDT
Received: by ncrgw1.ATTGIS.COM; 4 Sep 95 03:10:09 EDT
Received: by ncrhub4.ATTGIS.COM; 4 Sep 95 03:09:37 EDT
Received: by uf9392uc.RockvilleMD.ncr.com; 4 Sep 95 03:05:24 EDT
Subject: MMUG mail warning
Date: Mon, 4 Sep 95 03:10:00 EDT
Message-ID: <9509071900.gc19077@ncrhub1.ATTGIS.COM>
Apparently-To:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Your mail to peacew@uf9392p01.RockvilleMD.ncr.com is not yet delivered.
Delivery attempts continue.

---------- diagnosis ----------

Mail could not be delivered because of a temporary resource contention
at the mail recipient's site. If the problem persists, contact your
mail administrator.

---------- unsent mail ----------

Received: by uf9392uc.RockvilleMD.ncr.com; 3 Sep 95 01:48:58 EDT
Received: by ncrhub4.ATTGIS.COM; 3 Sep 95 01:35:21 EDT
Received: by ncrgw1.ATTGIS.COM; 3 Sep 95 01:35:11 EDT
Received: from miles.greatcircle.com by relay1.UU.NET with ESMTP id QQzfnx19337; Sun, 3 Sep 1995 01:15:40 -0400
From: firewalls-digest-owner@GreatCircle.COM
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA24562 for firewalls-digest-outgoing; Sat, 2 Sep 1995 22:01:01 -0700
Date: Sat, 2 Sep 1995 22:01:01 -0700
Message-Id: <199509030501.WAA24562@miles.greatcircle.com>
To: firewalls-digest@GreatCircle.COM
Subject: Firewalls-Digest V4 #513
Reply-To: Firewalls@GreatCircle.COM
Errors-To: firewalls-digest-owner@GreatCircle.COM
Precedence: bulk

Firewalls-Digest        Saturday, 2 September 1995      Volume 04 : Number 513

In this issue:

        snprintf.c and SunOS 5.4
        re: snprintf(), SMURF, & Jules Own Version...
        re: snprintf(), SMURF, & Jules Own Version...
        Subject: Re: using suns/sunos for gateway host(s)
        Re: FW: Programming
        Re: FW: Programming
        Re: Use of Remote Authentication: tacacs/radius/etc...
        Re: DNS forwarding problem
        Large-Mixed-OS FW access problem
        Re: HannaH from SecureWare Inc.
        RADIUS... Where is it?
        Large-Mixed-OS FW access problem
        Frame-Relay Net Connections

See the end of the digest for information on subscribing to the
Firewalls or Firewalls-Digest mailing lists and on how to retrieve
back issues.

----------------------------------------------------------------------

From: "Kenneth Kron"
Date: 1 Sep 1995 19:24:39 -0800
Subject: snprintf.c and SunOS 5.4

Patrick,

Thanks for the snprintf source, FYI -- In order to compile your snprintf
on SunOS 5.4 I had to

From firewalls-owner Thu Sep 7 17:13:43 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA00680 for firewalls-outgoing; Thu, 7 Sep 1995 16:34:00 -0700
Received: from ncrhub1.ATTGIS.COM (h192-127-251-16.ATTGIS.COM [192.127.251.16]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA00673 for ; Thu, 7 Sep 1995 16:33:56 -0700
From: postmaster@uf9392uc.rockvillemd.NCR.COM
Received: from ncrgw1 by ncrhub1.ATTGIS.COM id bn20545; 7 Sep 95 19:31 EDT
Received: by ncrgw1.ATTGIS.COM; 5 Sep 95 03:04:29 EDT
Received: by ncrhub4.ATTGIS.COM; 5 Sep 95 03:03:00 EDT
Received: by uf9392uc.RockvilleMD.ncr.com; 5 Sep 95 02:59:27 EDT
Subject: MMUG mail warning
Date: Tue, 5 Sep 95 03:04:00 EDT
Message-ID: <9509071931.bn20545@ncrhub1.ATTGIS.COM>
Apparently-To:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Your mail to peacew@uf9392p01.RockvilleMD.ncr.com is not yet delivered.
Delivery attempts continue.

---------- diagnosis ----------

Mail could not be delivered because of a temporary resource contention
at the mail recipient's site. If the problem persists, contact your
mail administrator.

---------- unsent mail ----------

Received: by uf9392uc.RockvilleMD.ncr.com; 1 Sep 95 23:09:56 EDT
Received: by ncrhub4.ATTGIS.COM; 1 Sep 95 22:55:41 EDT
Received: by ncrgw1.ATTGIS.COM; 1 Sep 95 22:55:12 EDT
Received: from miles.greatcircle.com by relay1.UU.NET with ESMTP id QQzfju15345; Fri, 1 Sep 1995 22:31:37 -0400
From: firewalls-digest-owner@GreatCircle.COM
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA29960 for firewalls-digest-outgoing; Fri, 1 Sep 1995 19:03:40 -0700
Date: Fri, 1 Sep 1995 19:03:40 -0700
Message-Id: <199509020203.TAA29960@miles.greatcircle.com>
To: firewalls-digest@GreatCircle.COM
Subject: Firewalls-Digest V4 #512
Reply-To: Firewalls@GreatCircle.COM
Errors-To: firewalls-digest-owner@GreatCircle.COM
Precedence: bulk

Firewalls-Digest        Friday, 1 September 1995        Volume 04 : Number 512

In this issue:

        Re: Security Paradigms (was HannaH)
        Re: HannaH from SecureWare Inc.
        Re: HannaH from SecureWare Inc.
        Re: HannaH from SecureWare Inc.
        Re: HannaH from SecureWare Inc.
        Re: Use of Remote Authentication: tacacs/radius/etc...
        Re: HannaH from SecureWare Inc.
        Re: HannaH from SecureWare Inc.
        Re: Placement of WWW Server - any thoughts?
        Re: HannaH from SecureWare Inc.
        Re: HannaH from SecureWare Inc.
        how to close socket
        Re: HannaH from SecureWare Inc.
        Re: DNS forwarding problem
        linux vs. *bsd for secure networking system
        Re: DNS forwarding problem
        snprintf()

See the end of the digest for information on subscribing to the
Firewalls or Firewalls-Digest mailing lists and on how to retrieve
back issues.

----------------------------------------------------------------------

From: gary@habanero.jmu.edu
Date: Fri, 1 Sep 95 14:08:10 -0400
Subject: Re: Security Paradigms (was HannaH)

> These people are not "trained", like Topsy they "just happen". WE CANNOT AFFORD
> TO TRAIN THEM. We do not have the resources, or the time, or the "lost

From firewalls-owner Thu Sep 7 18:00:03 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA03068 for firewalls-outgoing; Thu, 7 Sep 1995 17:51:48 -0700
Received: from yarrina.connect.com.au (yarrina.connect.com.au [192.189.54.17]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id RAA03061 for ; Thu, 7 Sep 1995 17:51:44 -0700
Received: from suburbia.net (suburbia.apana.org.au [192.188.107.90]) by yarrina.connect.com.au with ESMTP id KAA15506 (8.6.12/IDA-1.6); Fri, 8 Sep 1995 10:50:12 +1000
Received: (proff@localhost) by suburbia.net (8.6.12/Proff-950810) id KAA16123; Fri, 8 Sep 1995 10:50:07 +1000
From: Julian Assange
Message-Id: <199509080050.KAA16123@suburbia.net>
Subject: Re: Firewall-1 concerns
To: nobody@REPLAY.COM (Anonymous)
Date: Fri, 8 Sep 1995 10:50:05 +1000 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <199509072140.XAA16451@utopia.hacktic.nl> from "Anonymous" at Sep 7, 95 11:40:07 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 769
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[...]
> It turns out that Sun does not have the source and hasn't inspected it.
> I hope that the US military and other sensitive agencies or companies
> with sensitive information aren't using this product for protection.
>
> It may be that the Mossad has free rein to get into your network!
>
> Someone very concerned

Back door? I PROMIS you there is no back door.
--
+----------------------------------+-----------------------------------------+
| Julian Assange                   | "if you think the United States has     |
|                                  | has stood still, who built the largest  |
| proff@suburbia.net               | shopping centre in the world?" - Nixon  |
+----------------------------------+-----------------------------------------+

From firewalls-owner Thu Sep 7 19:32:26 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA04241 for firewalls-outgoing; Thu, 7 Sep 1995 19:15:12 -0700
Received: from ncrhub1.ATTGIS.COM (h192-127-251-16.ATTGIS.COM [192.127.251.16]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id TAA04233 for ; Thu, 7 Sep 1995 19:15:08 -0700
From: postmaster@uf9392uc.rockvillemd.NCR.COM
Received: from ncrgw1 by ncrhub1.ATTGIS.COM id jy20010; 7 Sep 95 19:29 EDT
Received: by ncrgw1.ATTGIS.COM; 5 Sep 95 02:44:03 EDT
Received: by ncrhub4.ATTGIS.COM; 5 Sep 95 02:43:55 EDT
Received: by uf9392uc.RockvilleMD.ncr.com; 5 Sep 95 02:54:37 EDT
Subject: MMUG mail warning
Date: Tue, 5 Sep 95 02:44:00 EDT
Message-ID: <9509071929.jy20010@ncrhub1.ATTGIS.COM>
Apparently-To:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Your mail to peacew@uf9392p01.RockvilleMD.ncr.com is not yet delivered.
Delivery attempts continue.

---------- diagnosis ----------

Mail could not be delivered because of a temporary resource contention
at the mail recipient's site. If the problem persists, contact your
mail administrator.

---------- unsent mail ----------

Received: by uf9392uc.RockvilleMD.ncr.com; 1 Sep 95 15:50:40 EDT
Received: by ncrhub4.ATTGIS.COM; 1 Sep 95 15:35:41 EDT
Received: by ncrgw1.ATTGIS.COM; 1 Sep 95 15:35:21 EDT
Received: from miles.greatcircle.com by relay2.UU.NET with ESMTP id QQzfir13657; Fri, 1 Sep 1995 15:27:33 -0400
From: firewalls-digest-owner@GreatCircle.COM
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA09371 for firewalls-digest-outgoing; Fri, 1 Sep 1995 11:37:45 -0700
Date: Fri, 1 Sep 1995 11:37:45 -0700
Message-Id: <199509011837.LAA09371@miles.greatcircle.com>
To: firewalls-digest@GreatCircle.COM
Subject: Firewalls-Digest V4 #511
Reply-To: Firewalls@GreatCircle.COM
Errors-To: firewalls-digest-owner@GreatCircle.COM
Precedence: bulk

Firewalls-Digest        Friday, 1 September 1995        Volume 04 : Number 511

In this issue:

        Re: HannaH from SecureWare Inc.
        Re: comparison study between DES and RSA
        Re: HannaH from SecureWare Inc.
        Re: HannaH from SecureWare Inc.
        Re: HannaH from SecureWare Inc.
        Re: FW: Programming
        Re: HannaH from SecureWare Inc.
        Security Paradigms (was HannaH)
        Firewall Requirements Document
        Re: comparison study between DES and RSA
        Re: HannaH from SecureWare Inc.
        Re: HannaH from SecureWare Inc.
        Re: HannaH from SecureWare Inc.

See the end of the digest for information on subscribing to the
Firewalls or Firewalls-Digest mailing lists and on how to retrieve
back issues.

----------------------------------------------------------------------

From: gary flynn
Date: Fri, 1 Sep 1995 10:00:21 -0400
Subject: Re: HannaH from SecureWare Inc.

>
> > This Hannah product looks like what I've been looking for. It puts
> > "network security" where it belongs...on the nodes. I liken this
> [...]
> > It seems so simple that someone else would have thought of it sooner.
>

From firewalls-owner Thu Sep 7 22:00:09 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA07138 for firewalls-outgoing; Thu, 7 Sep 1995 21:42:56 -0700
Received: from nda.nda.com (fw1.nda.COM [204.57.47.254]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id VAA07131 for ; Thu, 7 Sep 1995 21:42:54 -0700
Received: (kovar@localhost) by nda.nda.com (8.6.11/8.6.4) id AAA29335; Fri, 8 Sep 1995 00:41:25 -0400
From: David Kovar
Message-Id: <199509080441.AAA29335@nda.nda.com>
Subject: Re: Firewall-1 concerns
To: nobody@REPLAY.COM (Anonymous)
Date: Fri, 8 Sep 1995 00:41:25 -0400 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199509072140.XAA16451@utopia.hacktic.nl> from "Anonymous" at Sep 7, 95 11:40:07 pm
X-Mailer: ELM [version 2.4 PL20]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 379
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> It turns out that Sun does not have the source and hasn't inspected it.
> I hope that the US military and other sensitive agencies or companies
> with sensitive information aren't using this product for protection.
>
> It may be that the Mossad has free rein to get into your network!
>
> Someone very concerned

Someone seriously without a clue, is more like it.
-David

From firewalls-owner Fri Sep 8 00:34:06 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA09967 for firewalls-outgoing; Fri, 8 Sep 1995 00:20:59 -0700
Received: from gate.personal-media.co.jp (gate.personal-media.co.jp [202.33.97.65]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id AAA09958 for ; Fri, 8 Sep 1995 00:20:55 -0700
Received: (from ishikawa@localhost) by gate.personal-media.co.jp (8.6.12+2.4W3/3.3W5-gate-mx) id QAA14019; Fri, 8 Sep 1995 16:17:25 +0900
Date: Fri, 8 Sep 1995 16:17:25 +0900
From: Chiaki Ishikawa
Message-Id: <199509080717.QAA14019@gate.personal-media.co.jp>
To: Firewalls@GreatCircle.Com
Subject: S/Key for little endian machine
Reply-to: ishikawa@personal-media.co.jp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

PMC e-mail id: 3958

Hello,

A while ago, someone posted that a version of S/Key that runs correctly
on little-endian machines such as the Intel x86 CPU was available on an
Australian site.

I found that the link to that site is very slow, and the greeting
message of the ftp server suggested that I might try another site
before downloading it from there.

In order to be nice to the Australian users, I am looking for a site in
the USA or possibly in Europe that has the same/similar S/Key source
file. Anyone?

This is the original message:

From: "Daniel O'Callaghan"
Date: Thu, 29 Jun 1995 09:32:29 +1000 (EST)
Subject: Re: Has Skey been ported to Linux.

On Wed, 28 Jun 1995, Paul Osterwald wrote:

> I would appreciate this information as well.

Try ftp.austin.unimelb.edu.au:/pub/Security

skey built fine except that the endian-ness was wrong. I added the
right flag for endian-ness.

Danny

--
Chiaki Ishikawa                 ishikawa@personal-media.co.jp
Personal Media Corp.
Shinagawa, Tokyo, Japan 141 From firewalls-owner Fri Sep 8 00:34:21 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA09981 for firewalls-outgoing; Fri, 8 Sep 1995 00:23:35 -0700 Received: from ncrhub1.ATTGIS.COM (h192-127-251-16.ATTGIS.COM [192.127.251.16]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id AAA09974 for ; Fri, 8 Sep 1995 00:23:31 -0700 From: postmaster@uf9392uc.rockvillemd.NCR.COM Received: from ncrgw1 by ncrhub1.ATTGIS.COM id ez19031; 7 Sep 95 18:55 EDT Received: by ncrgw1.ATTGIS.COM; 4 Sep 95 02:58:27 EDT Received: by ncrhub4.ATTGIS.COM; 4 Sep 95 02:57:52 EDT Received: by uf9392uc.RockvilleMD.ncr.com; 4 Sep 95 02:55:56 EDT Subject: MMUG mail warning Date: Mon, 4 Sep 95 02:58:00 EDT Message-ID: <9509071855.ez19031@ncrhub1.ATTGIS.COM> Apparently-To: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Your mail to peacew@uf9392p01.RockvilleMD.ncr.com is not yet delivered. Delivery attempts continue. ---------- diagnosis ---------- Mail could not be delivered because of a temporary resource contention at the mail recipient's site. If the problem persists, contact your mail administrator. Mail could not be delivered because of a temporary resource contention at the mail recipient's site. If the problem persists, contact your mail administrator. Mail could not be delivered because of a temporary resource contention at the mail recipient's site. If the problem persists, contact your mail administrator. 
---------- unsent mail ---------- Received: by uf9392uc.RockvilleMD.ncr.com; 1 Sep 95 15:50:40 EDT Received: by ncrhub4.ATTGIS.COM; 1 Sep 95 15:35:41 EDT Received: by ncrgw1.ATTGIS.COM; 1 Sep 95 15:35:21 EDT Received: from miles.greatcircle.com by relay2.UU.NET with ESMTP id QQzfir13657; Fri, 1 Sep 1995 15:27:33 -0400 From: firewalls-digest-owner@GreatCircle.COM Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA09371 for firewalls-digest-outgoing; Fri, 1 Sep 1995 11:37:45 -0700 Date: Fri, 1 Sep 1995 11:37:45 -0700 Message-Id: <199509011837.LAA09371@miles.greatcircle.com> To: firewalls-digest@GreatCircle.COM Subject: Firewalls-Digest V4 #511 Reply-To: Firewalls@GreatCircle.COM Errors-To: firewalls-digest-owner@GreatCircle.COM Precedence: bulk Firewalls-Digest Friday, 1 September 1995 Volume 04 : Number 511 In this issue: Re: HannaH from SecureWare Inc. Re: comparison study between DES and RSA Re: HannaH from SecureWare Inc. Re: HannaH from SecureWare Inc. Re: HannaH from SecureWare Inc. Re: FW: Programming Re: HannaH from SecureWare Inc. Security Paradigms (was HannaH) Firewall Requirements Document Re: comparison study between DES and RSA Re: HannaH from SecureWare Inc. Re: HannaH from SecureWare Inc. Re: HannaH from SecureWare Inc. See the end of the digest for information on subscribing to the Firewalls or Firewalls-Digest mailing lists and on how to retrieve back issues. ---------------------------------------------------------------------- From: gary flynn Date: Fri, 1 Sep 1995 10:00:21 -0400 Subject: Re: HannaH from SecureWare Inc. > > > This Hannah product looks like what I've been looking for. It puts > > "network security" where it belongs...on the nodes. I liken this > [...] > > It seems so simple that someone else would have thought of it sooner. 
> From firewalls-owner Fri Sep 8 01:00:16 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA09991 for firewalls-outgoing; Fri, 8 Sep 1995 00:29:38 -0700 Received: from ncrhub1.ATTGIS.COM (h192-127-251-16.ATTGIS.COM [192.127.251.16]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id AAA09984 for ; Fri, 8 Sep 1995 00:29:35 -0700 From: postmaster@uf9392uc.rockvillemd.NCR.COM Received: from ncrgw1 by ncrhub1.ATTGIS.COM id bm19077; 7 Sep 95 18:57 EDT Received: by ncrgw1.ATTGIS.COM; 4 Sep 95 03:04:44 EDT Received: by ncrhub4.ATTGIS.COM; 4 Sep 95 03:04:17 EDT Received: by uf9392uc.RockvilleMD.ncr.com; 4 Sep 95 03:00:33 EDT Subject: MMUG mail warning Date: Mon, 4 Sep 95 03:04:00 EDT Message-ID: <9509071857.bm19077@ncrhub1.ATTGIS.COM> Apparently-To: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Your mail to peacew@uf9392p01.RockvilleMD.ncr.com is not yet delivered. Delivery attempts continue. ---------- diagnosis ---------- Mail could not be delivered because of a temporary resource contention at the mail recipient's site. If the problem persists, contact your mail administrator. Mail could not be delivered because of a temporary resource contention at the mail recipient's site. If the problem persists, contact your mail administrator. Mail could not be delivered because of a temporary resource contention at the mail recipient's site. If the problem persists, contact your mail administrator. 
---------- unsent mail ---------- Received: by uf9392uc.RockvilleMD.ncr.com; 1 Sep 95 23:09:56 EDT Received: by ncrhub4.ATTGIS.COM; 1 Sep 95 22:55:41 EDT Received: by ncrgw1.ATTGIS.COM; 1 Sep 95 22:55:12 EDT Received: from miles.greatcircle.com by relay1.UU.NET with ESMTP id QQzfju15345; Fri, 1 Sep 1995 22:31:37 -0400 From: firewalls-digest-owner@GreatCircle.COM Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA29960 for firewalls-digest-outgoing; Fri, 1 Sep 1995 19:03:40 -0700 Date: Fri, 1 Sep 1995 19:03:40 -0700 Message-Id: <199509020203.TAA29960@miles.greatcircle.com> To: firewalls-digest@GreatCircle.COM Subject: Firewalls-Digest V4 #512 Reply-To: Firewalls@GreatCircle.COM Errors-To: firewalls-digest-owner@GreatCircle.COM Precedence: bulk Firewalls-Digest Friday, 1 September 1995 Volume 04 : Number 512 In this issue: Re: Security Paradigms (was HannaH) Re: HannaH from SecureWare Inc. Re: HannaH from SecureWare Inc. Re: HannaH from SecureWare Inc. Re: HannaH from SecureWare Inc. Re: Use of Remote Authentication: tacacs/radius/etc... Re: HannaH from SecureWare Inc. Re: HannaH from SecureWare Inc. Re: Placement of WWW Server - any thoughts? Re: HannaH from SecureWare Inc. Re: HannaH from SecureWare Inc. how to close socket Re: HannaH from SecureWare Inc. Re: DNS forwarding problem linux vs. *bsd for secure networking system Re: DNS forwarding problem snprintf() See the end of the digest for information on subscribing to the Firewalls or Firewalls-Digest mailing lists and on how to retrieve back issues. ---------------------------------------------------------------------- From: gary@habanero.jmu.edu Date: Fri, 1 Sep 95 14:08:10 -0400 Subject: Re: Security Paradigms (was HannaH) > These people are not "trained", like Topsy they "just happen". WE CANNOT AFFORD > TO TRAIN THEM. 
We do not have the resources, or the time, or the "lost From firewalls-owner Fri Sep 8 02:00:20 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA12930 for firewalls-outgoing; Fri, 8 Sep 1995 01:35:40 -0700 Received: from gatepas.gc.ca (gatepas.gc.ca [192.197.79.133]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id BAA12923 for ; Fri, 8 Sep 1995 01:35:33 -0700 Reply-To: Peter.BEAN@ldn01.x400.gc.ca Date: Fri, 08 Sep 1995 08:20:02 +0000 Priority: normal Content-Identifier: OLIVETTI-MAIL3.0 X400-Content-Type: P2-1984 X400-MTS-Identifier: [/PRMD=gc+eaitc.aecec/ADMD=telecom.canada/C=ca/;995:950908082002] From: Peter.BEAN@ldn01.x400.gc.ca (BEAN Peter -LDN -AG -LES) To: Firewalls@GreatCircle.COM Subject: Firewalls-Digest V4 #517 Message-Id: <995*/G=Peter/S=BEAN/O=ldn.01/PRMD=gc+eaitc.aecec/ADMD=telecom.canada/C=ca/@MHS> Importance: normal In-Reply-To: <199509080735.AAA10119*/DD.RFC-822=miles.greatcircle.com/PRMD=gc+internet/ADMD=GOVMT.CANADA/C=CA/@MHS> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am away from the office until Monday, 18 September 1995 From firewalls-owner Fri Sep 8 04:00:19 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA15055 for firewalls-outgoing; Fri, 8 Sep 1995 03:51:53 -0700 Received: from ncrhub1.ATTGIS.COM (h192-127-251-16.ATTGIS.COM [192.127.251.16]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id DAA15047 for ; Fri, 8 Sep 1995 03:51:48 -0700 From: postmaster@uf9392uc.rockvillemd.NCR.COM Received: from ncrgw1 by ncrhub1.ATTGIS.COM id ew20580; 7 Sep 95 19:34 EDT Received: by ncrgw1.ATTGIS.COM; 5 Sep 95 03:12:56 EDT Received: by ncrhub4.ATTGIS.COM; 5 Sep 95 03:12:37 EDT Received: by uf9392uc.RockvilleMD.ncr.com; 5 Sep 95 03:04:17 EDT Subject: MMUG mail warning Date: Tue, 5 Sep 95 03:12:00 EDT Message-ID: <9509071934.ew20580@ncrhub1.ATTGIS.COM> Apparently-To: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Your mail to 
peacew@uf9392p01.RockvilleMD.ncr.com is not yet delivered. Delivery attempts continue.

---------- diagnosis ----------

Mail could not be delivered because of a temporary resource contention at the mail recipient's site. If the problem persists, contact your mail administrator.

---------- unsent mail ----------

Received: by uf9392uc.RockvilleMD.ncr.com; 3 Sep 95 01:48:58 EDT
Received: by ncrhub4.ATTGIS.COM; 3 Sep 95 01:35:21 EDT
Received: by ncrgw1.ATTGIS.COM; 3 Sep 95 01:35:11 EDT
Received: from miles.greatcircle.com by relay1.UU.NET with ESMTP id QQzfnx19337; Sun, 3 Sep 1995 01:15:40 -0400
From: firewalls-digest-owner@GreatCircle.COM
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA24562 for firewalls-digest-outgoing; Sat, 2 Sep 1995 22:01:01 -0700
Date: Sat, 2 Sep 1995 22:01:01 -0700
Message-Id: <199509030501.WAA24562@miles.greatcircle.com>
To: firewalls-digest@GreatCircle.COM
Subject: Firewalls-Digest V4 #513
Reply-To: Firewalls@GreatCircle.COM
Errors-To: firewalls-digest-owner@GreatCircle.COM
Precedence: bulk

Firewalls-Digest Saturday, 2 September 1995 Volume 04 : Number 513

In this issue:

snprintf.c and SunOS 5.4
re: snprintf(), SMURF, & Jules Own Version...
re: snprintf(), SMURF, & Jules Own Version...
Subject: Re: using suns/sunos for gateway host(s)
Re: FW: Programming
Re: FW: Programming
Re: Use of Remote Authentication: tacacs/radius/etc...
Re: DNS forwarding problem
Large-Mixed-OS FW access problem
Re: HannaH from SecureWare Inc.
RADIUS... Where is it?
Large-Mixed-OS FW access problem
Frame-Relay Net Connections

See the end of the digest for information on subscribing to the Firewalls or Firewalls-Digest mailing lists and on how to retrieve back issues.
----------------------------------------------------------------------

From: "Kenneth Kron"
Date: 1 Sep 1995 19:24:39 -0800
Subject: snprintf.c and SunOS 5.4

Patrick,

Thanks for the snprintf source. FYI -- in order to compile your snprintf on SunOS 5.4 I had to

From firewalls-owner Fri Sep 8 04:30:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA15314 for firewalls-outgoing; Fri, 8 Sep 1995 04:09:09 -0700
Received: from gate.personal-media.co.jp (gate.personal-media.co.jp [202.33.97.65]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id EAA15307 for ; Fri, 8 Sep 1995 04:09:05 -0700
Received: (from ishikawa@localhost) by gate.personal-media.co.jp (8.6.12+2.4W3/3.3W5-gate-mx) id UAA15419; Fri, 8 Sep 1995 20:05:30 +0900
Date: Fri, 8 Sep 1995 20:05:30 +0900
From: Chiaki Ishikawa
Message-Id: <199509081105.UAA15419@gate.personal-media.co.jp>
To: Firewalls@GreatCircle.COM
In-reply-to: <199509080735.AAA10119@miles.greatcircle.com> (firewalls-digest-owner@GreatCircle.COM)
Subject: Re: S/Key for little endian machine
Reply-to: ishikawa@personal-media.co.jp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

PMC e-mail id: 3966

Thanks to the direct response from Daniel O'Callaghan, I found out that all I need to do to change the S/KEY behavior is to define MPU8086 on the cc command line. (This will take care of the endian problem. There are other tweakings necessary for Solaris 2.4 for X86 on iApx86.)

--
Chiaki Ishikawa ishikawa@personal-media.co.jp
Personal Media Corp.
Shinagawa, Tokyo, Japan 141

From firewalls-owner Fri Sep 8 05:02:27 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA16059 for firewalls-outgoing; Fri, 8 Sep 1995 04:51:14 -0700
Received: from gmap-gw.leeds.ac.uk (gmap15.leeds.ac.uk [129.11.84.200]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id EAA16052 for ; Fri, 8 Sep 1995 04:51:08 -0700
Received: from gmap3 (gmap-mailhub.leeds.ac.uk [129.11.200.3]) by gmap-gw.leeds.ac.uk (8.6.12/8.6.9) with ESMTP id MAA02337 for ; Fri, 8 Sep 1995 12:26:11 +0100
Received: from gmap.leeds.ac.uk (dannyc@gmap124 [129.11.200.124]) by gmap3 (8.6.12/8.6.9) with SMTP id MAA22811; Fri, 8 Sep 1995 12:49:26 +0100
From: Danny Cox
Date: Fri, 8 Sep 1995 12:45:48 +0100
Message-Id: <5290.9509081145@gmap.leeds.ac.uk>
X-Planation: X-Faces images can be viewed with the XFaces program
To: firewalls@greatcircle.com
Subject: upgrade to commercial firewalls
Cc: dannyc@gmap3
X-Sun-Charset: US-ASCII
X-Face: (:_YnQcTM$q\Nl0.mYy:C'Y|(;&7.2m~Rc%xt

Received: by datasrv.co.il id AA25207 (5.65c/IDA-1.4.4 for firewalls@greatcircle.com); Fri, 8 Sep 1995 13:45:48 +0300
Date: Fri, 8 Sep 1995 13:45:46 +0300 (IDT)
From: ORMAT
Subject: Re: Firewall-1 concerns
To: firewalls@greatcircle.com
In-Reply-To: <199509072140.XAA16451@utopia.hacktic.nl>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 7 Sep 1995, Anonymous wrote:

[snip]

> I'm afraid that companies may look at the Sun firewall-1 product and
> think that Sun has inspected the code for trapdoor and such in the code
> that may have put there under orders from the Masad. In fact, I heard
> one person say that in looking at the binary there is very suspicious
> code.
>
> It turns out that Sun does not have the source and hasn't inspected it.
> hope that the US military and other sensitive agencies or companies
> with sensitive information aren't using this product for protection.
>
> It may be that the Masad has free reign to get into your network!
>
> Someone very concerned
>

1. It's Mosad and not Masad
2. I wish someone would tell me about all those conspiracies I'm supposed to be a part of.
3. The question here is a legit one: how can you trust a firewall when you don't know what the code looks like?
4. Posting from an anon account won't stop the Masad from finding you, and now that you've blown their cover, I guess they'll have to kill you.

Arik

From firewalls-owner Fri Sep 8 05:22:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA16135 for firewalls-outgoing; Fri, 8 Sep 1995 04:53:23 -0700
Received: from erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id EAA16128 for ; Fri, 8 Sep 1995 04:53:20 -0700
Received: from eredns.erenj.com(159.70.1.252) by ereapp.erenj.com via smap (V1.3) id sma026764; Fri Sep 8 07:50:34 1995
Posted-Date: Fri, 8 Sep 1995 07:51:17 -0400
From: "Bryan D. Boyle"
Message-Id: <9509080751.ZM23272@maverick.erenj.com>
Date: Fri, 8 Sep 1995 07:51:17 -0400
In-Reply-To: David Kovar "Re: Firewall-1 concerns" (Sep 8, 12:41am)
References: <199509080441.AAA29335@nda.nda.com>
X-Phone: (908) 730-3338
X-Saying: Strange problems call for strange solutions.
X-Face: "Pd&4kXWsi"3Hc_Y~I-ts24DN$w~Hh)&L-P9DZvE"~_~m),~Y&N_]TUIM*4.r@z$SxVL]}v=+IP>Fuq{zx%{KKj"Kys1Q5{|m*l}:[T;N:/=@5[xOIpR$%skp$f0#6^j\1+ -?l%Yk/+S8Y!3J@{~!Ao4-COV:Ft}{]oZ&1=!@<>UIh2s
X-Mailer: Z-Mail (3.2.1 10apr95)
To: firewalls@greatcircle.com
Subject: Re: Firewall-1 concerns
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sep 8, 12:41am, David Kovar wrote:
> Someone seriously without a clue, is more like it.

Oh?
I think his questioning is a good sign of a healthy respect and paranoia about security and where your protection mechanism comes from. "Trust us, we know what YOU need" is a pile of bull cookies from a vendor. I don't know about you, but I don't believe ANYTHING a vendor tells me unless they are able to

1) independently substantiate their claims
2) prove that independent review of their processes, code, and mechanisms withstood all known and projected attacks
3) allow open and auditable review of their program
4) not claim all sorts of protocol 'extensions and modifications' to supposedly allow non-securable protocols to pass 'securely'. A protocol is either secure or it is not. Securing a corporate network is no place to beta test someone's extensions to a transmission protocol.
5) Work to fit their solution into MY operation, not force MY operation to modify its processes to fit their view of the world. I don't have to buy from a vendor; the converse is not necessarily the case. I call the shots here.

Now, it may be a cultural thing, but the Firewall-1 folks seem to think we are a bunch of oafs here, wet behind the ears, based on my dealings with them. They have never been able to meet any of the tests (regardless of the pretty gui) above. They get defensive, not cooperative, when pushed to substantiate any of the above. It is not a crystal-box solution, it is a textbook example of a black box solution that you are not supposed to understand how it works, what the pitfalls are, or even question whether or not it works properly.

We will not even begin to discuss the OS it runs on...which seems to be the ongoing topic of CERT alerts du jour.

These are just my observations, and not a secret to the long-time list members.

--
Bryan D. Boyle          | "It's when you think you've understood a problem
#include                | thoroughly that you are in real trouble..."
EMAIL: bdboyle@erenj.com |     -Pavel Chichikov
----------------------------------------------------

From firewalls-owner Fri Sep 8 08:02:27 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA19449 for firewalls-outgoing; Fri, 8 Sep 1995 07:13:24 -0700
Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA19440 for ; Fri, 8 Sep 1995 07:13:21 -0700
Received: from uucp4.UU.NET by relay3.UU.NET with SMTP id QQzghs24194; Fri, 8 Sep 1995 10:11:56 -0400
Received: from rsca.UUCP by uucp4.UU.NET with UUCP/RMAIL ; Fri, 8 Sep 1995 10:11:56 -0400
Received: by mailhub.rsca.com (8.6.9/rsca1.1f) id KAA21685; Fri, 8 Sep 1995 10:07:32 -0400
Date: Fri, 8 Sep 1995 10:07:32 -0400
From: Steve Marquess
Message-Id: <199509081407.KAA21685@mailhub.rsca.com>
To: dannyc@gmap.leeds.ac.uk, firewalls@greatcircle.com
Subject: Re: upgrade to commercial firewalls
Cc: uunet!gmap3!dannyc@gmap.leeds.ac.uk
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>From: Danny Cox
>Date: Fri, 8 Sep 1995 12:45:48 +0100
>To: firewalls@greatcircle.com
>Subject: upgrade to commercial firewalls
>Cc: uunet!gmap3!dannyc
>Sender: firewalls-owner@GreatCircle.COM
>Precedence: bulk
>
>Management here seems to have a healthy attitude to security - bordering on
>the paranoid if anything, but willing to spend the money, which is good.
>
>Just talking now with one of the senior managers .. our current situation is
>that I've built a firewall router using SOCKS .. my next step may have been
>to upgrade using the TIS fwtk stuff ..
>
>Interesting comment though from him, which in my naivete I'd not thought
>about. If we get attacked and lose software/data etc, then who's liable ?
>If we use freeware products, then no one is. If we use a commercial product,
>then we can, I guess, sue the firewall supplier ... ? At least that was
>his comment, and I'd be very interested to hear what you all think to this
>concept.
>This is based on the idea that they'd be covered by their indemnity
>insurance ...
>
>Thanks all, I appreciate your time,
>Danny

This exact same point has been raised repeatedly at my company, a large financial services firm with a "healthy bordering on paranoid" concern about security. The ability to assign blame in the event of problems is a very significant consideration in the acquisition of important systems and services. And if you think about it from the management point of view there is a certain logic to it: if we suffer a business loss due to the failure of "home grown" or "roll your own" (terms of disparagement here...) software then the blame must fall on those permitting/approving/performing that software development. If a commercially acquired and configured product failed then it's just "well, vendor X let us down again". A fairly common and believable situation here.

The possibility of actually collecting financial damages seems to be less important than the exculpatory assignment of responsibility. I don't think anyone really thinks we could pry money out of a major vendor because of software defects, especially not for incidental damages.

Keep in mind also that any significant decisions about deploying a firewall will be made by upper management, all business types far removed from any close appreciation of the technical nuances. With all the confusing and conflicting advice and information they get from vendors, trade rags, and in-house staff they really don't know what to believe. Those of us in the boiler room are close to the issues and have definite opinions, but we are only a small piece of the real decision process.

The bigger and better known the vendor the more powerful the attraction of this argument. Hence a strong predisposition to well known and well marketed products, with cost and product quality often very secondary considerations.

Steve Marquess                          steve@tdg.rsca.com
Residential Services Corp.
of America
7445 New Technology Way                 (301) 815-6219 voice
Frederick, MD 21701                     (301) 815-6515 fax

From firewalls-owner Fri Sep 8 08:31:58 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA19837 for firewalls-outgoing; Fri, 8 Sep 1995 07:41:33 -0700
Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA19830 for ; Fri, 8 Sep 1995 07:41:30 -0700
Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.6.10/8.6.10) with UUCP id JAA12926 for GreatCircle.COM!firewalls; Fri, 8 Sep 1995 09:28:53 -0500
Received: by ris1.nmti.com (smail2.5) id AA00656; 8 Sep 95 09:04:30 CDT (Fri)
Received: by sonic.nmti.com; id AA03877; Fri, 8 Sep 1995 09:31:08 -0500
From: peter@nmti.com (Peter da Silva)
Message-Id: <9509081431.AA03877@sonic.nmti.com.nmti.com>
Subject: Re: Firewall-1 concerns
To: ormat1@zeus.datasrv.co.il (ORMAT)
Date: Fri, 8 Sep 1995 09:31:07 -0500 (CDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "ORMAT" at Sep 8, 95 01:45:46 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 217
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> 3. The question here is a legit one, how can you trust a firewall when
> you don't know what the code looks like?

Please, let's not have that flame war again. I think everyone knows the pros and cons by now...
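An added illustration, not code from this thread, from any poster, or from the S/Key distribution, of the byte-order hazard behind the MPU8086 define in Chiaki Ishikawa's "S/Key for little endian machine" post earlier in this archive. A 64-bit value obtained by reinterpreting digest bytes in the host's native integer order comes out different on big-endian and little-endian machines, and any one-time-password encoding derived from that value differs with it; a per-platform compile-time define (the post's fix) papers over that, while defining the byte order explicitly (shown here) removes the dependence altogether. The 16-byte digest below is constructed, not a real MD4 output, and the fold (XOR of the two halves, the kind of fold S/Key performs) and load/store helpers are written here and make no claim to match S/Key's source.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 1 if the host stores the low-order byte of a multi-byte integer first. */
int host_is_little_endian(void)
{
    uint16_t probe = 0x0102;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 0x02;
}

/* Non-portable: reinterpret 8 bytes as a native uint64_t.  The value
 * differs between big- and little-endian hosts, so anything derived
 * from it (e.g. a six-word one-time password) differs too.  This is
 * the class of bug a platform define such as MPU8086 works around. */
uint64_t load_native64(const uint8_t b[8])
{
    uint64_t v;
    memcpy(&v, b, 8);
    return v;
}

/* Portable: byte 0 is the most significant, whatever the host does. */
uint64_t load_be64(const uint8_t b[8])
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | b[i];
    return v;
}

/* Inverse of load_be64. */
void store_be64(uint64_t v, uint8_t out[8])
{
    for (int i = 7; i >= 0; i--) {
        out[i] = (uint8_t)(v & 0xff);
        v >>= 8;
    }
}

/* Fold a 128-bit digest to 64 bits by XORing its halves byte by byte,
 * so the result does not depend on how the host orders words. */
void fold_digest(const uint8_t digest[16], uint8_t out[8])
{
    for (int i = 0; i < 8; i++)
        out[i] = digest[i] ^ digest[i + 8];
}

/* 1 when the native reinterpretation agrees with the portable one,
 * which is only the case on a big-endian host. */
int native_matches_portable(const uint8_t b[8])
{
    return load_native64(b) == load_be64(b);
}

/* Constructed 16-byte "digest" for the demo (not a real MD4 output). */
static const uint8_t SAMPLE_DIGEST[16] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
    0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80
};

/* The folded sample read portably: the same on every host. */
uint64_t sample_folded_value(void)
{
    uint8_t folded[8];
    fold_digest(SAMPLE_DIGEST, folded);
    return load_be64(folded);
}

/* store_be64(load_be64(x)) must give back x on every host. */
int sample_roundtrip_ok(void)
{
    uint8_t folded[8], again[8];
    fold_digest(SAMPLE_DIGEST, folded);
    store_be64(load_be64(folded), again);
    return memcmp(folded, again, 8) == 0;
}

/* Whether the naive native read happens to agree on this host. */
int sample_native_agrees(void)
{
    uint8_t folded[8];
    fold_digest(SAMPLE_DIGEST, folded);
    return native_matches_portable(folded);
}

int main(void)
{
    uint8_t folded[8];
    fold_digest(SAMPLE_DIGEST, folded);
    printf("host is %s-endian\n", host_is_little_endian() ? "little" : "big");
    printf("portable value: %016llx\n", (unsigned long long)load_be64(folded));
    printf("native value  : %016llx\n", (unsigned long long)load_native64(folded));
    printf("native agrees : %s\n", sample_native_agrees() ? "yes" : "no");
    return 0;
}
```

On an x86 (little-endian) host the two printed values are byte-reversed mirror images of each other and "native agrees" is "no"; on a big-endian host they coincide. The portable value is what a one-time-password generator on both hosts has to agree on, which is why a byte-defined encoding is preferable to a per-CPU define.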
From firewalls-owner Fri Sep 8 09:00:26 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA21707 for firewalls-outgoing; Fri, 8 Sep 1995 08:46:02 -0700
Received: from tera.bctel.net (tera.bctel.net [204.174.66.253]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA21688 for ; Fri, 8 Sep 1995 08:45:57 -0700
Received: (from nobody@localhost) by tera.bctel.net (8.6.10/8.6.10) id IAA09003; Fri, 8 Sep 1995 08:34:48 -0700
Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3) id sma009001; Fri Sep 8 08:34:45 1995
Received: (from murrell@localhost) by mocha.bctel.net (8.6.10/8.6.10) id IAA00508; Fri, 8 Sep 1995 08:32:15 -0700
Date: Fri, 8 Sep 1995 08:32:15 -0700
From: Brian Murrell
Message-Id: <199509081532.IAA00508@mocha.bctel.net>
To: firewalls@GreatCircle.COM, dannyc@gmap.leeds.ac.uk
Subject: Re: upgrade to commercial firewalls
Cc: gmap3!dannyc@uunet.uu.net
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Interesting comment though from him, which in my naivete I'd not thought
> about. If we get attacked and lose software/data etc, then who's liable ?

Oh goody. I'd love to see this one hashed out, although I think it'll be relevant to firewalls for a day or two tops. :-)

> If we use freeware products, then no one is. If we use a commercial product,
> then we can, I guess, sue the firewall supplier ... ? At least that was
> his comment, and I'd be very interested to hear what you all think to this
> concept. This is based on the idea that they'd be covered by their indemnity
> insurance ...

Good luck.

b.

--
Brian J. Murrell                        murrell@bctel.net
BCTel Advanced Communications           brian@ilinx.com
Vancouver, B.C.
brian@wimsey.com                        604 454 5262

From firewalls-owner Fri Sep 8 09:03:58 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA22435 for firewalls-outgoing; Fri, 8 Sep 1995 09:00:38 -0700
Received: from kgbvax.network.com (kgbvax.network.com [129.191.202.58]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA22403 for ; Fri, 8 Sep 1995 09:00:25 -0700
Received: (from ted@localhost) by kgbvax.network.com (8.6.9/8.6.9) id KAA13930; Fri, 8 Sep 1995 10:27:56 -0400
Date: Fri, 8 Sep 1995 10:27:56 -0400
From: Ted Doty
Message-Id: <199509081427.KAA13930@kgbvax.network.com>
To: steve@rsca.com, dannyc@gmap.leeds.ac.uk, firewalls@greatcircle.com
Subject: Re: upgrade to commercial firewalls
In-Reply-To: Mail from 'Steve Marquess ' dated: Fri, 8 Sep 1995 10:07:32 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Steve Marquess writes:
> >From: Danny Cox
> >
> >Interesting comment though from him, which in my naivete I'd not thought
> >about. If we get attacked and lose software/data etc, then who's liable ?
> >If we use freeware products, then no one is. If we use a commercial product,
> >then we can, I guess, sue the firewall supplier ... ? At least that was
> >his comment, and I'd be very interested to hear what you all think to this
> >concept. This is based on the idea that they'd be covered by their indemnity
> >insurance ...
>
> This exact same point has been raised repeatedly at my company, a large financial
> services firm with a "healthy bordering on paranoid" concern about security.
> The ability to assign blame in the event of problems is a very significant
> consideration in the acquisition of important systems and services. And if
[snip]

So long as people keep thinking that a magic box will solve all their present and future security worries, assigning blame is a somewhat humorous exercise in futility. Also, as long as 80% (or whatever the current number is ...
send your flames to /dev/null) of all "break-ins" are internal, and as long as only 5% (same comment as above) of all corporate security policies are detailed enough to actually implement something from, you probably are barking up the wrong tree.

Most of the security consultants will tell you that a firewall will help, but your security is ultimately your own responsibility. Get a policy, implement it, track it, tell your users what it is, keep your eye on bugtraq, (...) and you'll be in pretty good shape. This doesn't mean that you won't get hacked, or that you won't lose data (you mean that disaster recovery isn't in your policy either?).

Without the above, liability is probably hard to demonstrate.

--
- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation   | phone: +1 301 596-2270
8965 Guilford Road, Suite 250           | fax: +1 410 381-3320
Columbia, MD, 21046 USA                 | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.
From firewalls-owner Fri Sep 8 09:31:43 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA22977 for firewalls-outgoing; Fri, 8 Sep 1995 09:24:10 -0700
Received: from svcs1.digex.net (svcs1.digex.net [204.91.197.224]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA22969 for ; Fri, 8 Sep 1995 09:24:07 -0700
Received: from paragon-systems.com (sundevil.paragon-systems.com [199.125.207.2]) by svcs1.digex.net (8.6.12/8.6.12) with SMTP id MAA29333; Fri, 8 Sep 1995 12:22:27 -0400
Received: from sandfiddler.paragon-systems.com by paragon-systems.com (4.1/SMI-4.1) id AA01287; Fri, 8 Sep 95 12:25:18 EDT
Received: by sandfiddler.paragon-systems.com (5.x/SMI-SVR4) id AA00414; Fri, 8 Sep 1995 12:17:45 -0400
Date: Fri, 8 Sep 1995 12:17:45 -0400
From: rmck@sandfiddler.paragon-systems.com (Bob McKisson)
Message-Id: <9509081617.AA00414@sandfiddler.paragon-systems.com>
To: nobody@REPLAY.COM, proff@suburbia.net
Subject: Re: Firewall-1 concerns
Cc: firewalls@greatcircle.com
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > It may be that the Masad has free reign to get into your network!

To the guy who just woke up to the fact that FW-1 is Israeli code, don't feel stupid by yourself pal. If you can believe this, the Department of Defense Comptrollers Office just bought one of those things on the advice of one of the biggest and well known government information system security experts on the Beltway. Defense finance information being protected by Israeli code. In my view it ain't the MOSSAD (Ministry of State Security and Defense) you should be worried about.
rmck

From firewalls-owner Fri Sep 8 10:03:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA23565 for firewalls-outgoing; Fri, 8 Sep 1995 09:42:24 -0700
Received: from [198.102.244.42] (pb520.greatcircle.com [198.102.244.42]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA23557; Fri, 8 Sep 1995 09:42:19 -0700
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 8 Sep 1995 09:41:37 -0800
To: "Bryan D. Boyle" , firewalls@greatcircle.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Interpreting CERT advisories
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 7:51 AM 9/8/95, Bryan D. Boyle wrote:
>We will not even begin to discuss the OS it runs on...which seems to be
>the ongoing topic of CERT alerts du jour.

That's the wrong way to interpret CERT advisories. CERT advisories are about security FIXES, not about security PROBLEMS, and the fixes are produced with the cooperation of the vendors in question. The fact that there are lots of CERT advisories for a given vendor doesn't (necessarily) mean that vendor is somehow less secure; it _does_ mean that the vendor is more willing than others to cooperate with CERT in producing advisories (which I think is a feature, not a bug).
-Brent

--
Brent Chapman         | Great Circle Associates  | For Firewalls Tutorial info:
Brent@GreatCircle.COM | 1057 West Dana Street    | Tutorial-Info@GreatCircle.COM
+1 415 962 0841       | Mountain View, CA 94041  | http://www.greatcircle.com

From firewalls-owner Fri Sep 8 10:03:42 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA23124 for firewalls-outgoing; Fri, 8 Sep 1995 09:30:27 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA23117 for ; Fri, 8 Sep 1995 09:30:22 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA10182; Fri, 8 Sep 95 12:15:19 -0400
Date: Fri, 8 Sep 95 12:15:18 -0400
Message-Id: <9509081615.AA10182@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Software concerns
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> 3. The question here is a legit one, how can you trust a firewall when
>> you don't know what the code looks like?

>Please, let's not have that flame war again. I think everyone knows the
>pros and cons by now...

Think this is an important issue and not necessarily a flame war. I personally would not buy security software from anyone unless at least one of the following conditions were met:

1) Can review the source code and verify that this matches the product.
2) Trust the vendor.
3) Product has been reviewed (as in 1) by someone trusted.

(1) is obviously the most rigorous but also the most time consuming.
(2) is more involved & generally requires being personally acquainted with the principals. Biggest problem is proving that they are free from outside interests/pressures.
(3) being in the USA I would trust a review by the NSA and a very few others.
Buying security is different from buying a wordprocessor and must be weighed against what is at risk and the effect on your customer base if an exception occurs. Obviously this is going to have different values for an .EDU as opposed to a DoD contractor (well maybe if the .EDU relies on grants...).

Many remember WYSIWYG - my motto is WYDSIWGY "What you don't see is what gets you".

Warmly,
Padgett

ps 10,000,000 lemmings can't be rong.

From firewalls-owner Fri Sep 8 11:01:03 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA25395 for firewalls-outgoing; Fri, 8 Sep 1995 10:31:22 -0700
Received: from nda.nda.com (fw1.nda.COM [204.57.47.254]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA25388 for ; Fri, 8 Sep 1995 10:31:19 -0700
Received: (kovar@localhost) by nda.nda.com (8.6.11/8.6.4) id NAA00457; Fri, 8 Sep 1995 13:29:48 -0400
From: David Kovar
Message-Id: <199509081729.NAA00457@nda.nda.com>
Subject: Re: Firewall-1 concerns
To: iceman@MBnet.MB.CA (Oliver Friedrichs)
Date: Fri, 8 Sep 1995 13:29:48 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Oliver Friedrichs" at Sep 8, 95 12:22:09 pm
X-Mailer: ELM [version 2.4 PL20]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 518
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > Someone seriously without a clue, is more like it.
>
> You have proof this isn't so ? No - it's a valid point, unless you want
> to send me source code so I can check myself.
>
> -

I reacted hastily and without thought. What I should have said is that this issue has been hashed, and rehashed many times on this list and that posting what appears to be flame-bait anonymously isn't going to help resolve the issue. I apologize for my rash statement.
-David

From firewalls-owner Fri Sep 8 11:02:27 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA26313 for firewalls-outgoing; Fri, 8 Sep 1995 10:56:53 -0700
Received: from sdwsys (lig.cinti.net [204.248.145.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA26297 for ; Fri, 8 Sep 1995 10:56:49 -0700
Received: by sdwsys (Linux Smail3.1.28.1 #20) id m0sr85L-0009yvC; Fri, 8 Sep 95 14:23 EDT
Message-Id:
From: sdw@lig.net (Stephen D. Williams)
Subject: Re: linux vs. *bsd for secure networking system
To: blymn@awadi.com.AU (Brett Lymn)
Date: Fri, 8 Sep 1995 14:23:30 -0400 (EDT)
Cc: Marius@doulosgeri.com, firewalls@greatcircle.com
In-Reply-To: <9509060236.AA17739@bunya.awadi> from "Brett Lymn" at Sep 6, 95 12:06:36 pm
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1571
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > According to Marius:
> >
> >weak points, just like everything else does, but I just wanted to say
> >a few words in its defense...
> >
>
> A very reasonable response!
>
> And to redress Karl's omission - you can also go the path of NetBSD
> which, unlike FreeBSD, has ports to a whole gaggle of different
> machines - not just PC's. The ports that are running are listed on
> the WWW page at www.netbsd.org, ones I can remember are Mac, Suns,
> Amiga, some HP boxen - there are others.

Once you have installed a distribution and actually started using it, it doesn't make sense to think about distributions: I just update kernel, compiler, libraries, utilities, etc. as they are updated. Distributions are always behind the curve quite a bit.

> Brett Lymn, Computer Systems Administrator, AWA Defence Industries
> ===============================================================================
> "It's fifteen hundred miles to Ankh-Morpork" he said.
> "We've got
> three hundred and sixty three elephants, fifty carts of forage, the
> monsoon's about to break and we're wearing ... we're wearing ... sort
> of things, like glass, only dark... dark glass things on our eyes..."
> - Terry Pratchett "Moving Pictures".
>
>

--
Stephen D. Williams 25Feb1965 VW,OH (FBI ID) sdw@lig.net http://www.lig.net/sdw
Consultant, Vienna,VA Mar95- 703-918-1491W 43392 Wayside Cir.,Ashburn, VA 22011
OO/Unix/Comm/NN ICBM/GPS: 39 02 37N, 77 29 16W home, 38 54 04N, 77 15 56W
Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.;28May95

From firewalls-owner Fri Sep 8 11:32:27 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA26747 for firewalls-outgoing; Fri, 8 Sep 1995 11:17:23 -0700
Received: from internet.milkyway.com (milkyway.com [198.53.167.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA26739 for ; Fri, 8 Sep 1995 11:17:18 -0700
Date: Fri, 8 Sep 1995 11:17:18 -0700
Message-Id: <199509081817.LAA26739@miles.greatcircle.com>
X-Authentication-Warning: internet: Host perseids.milkyway.com claimed to be [192.168.77.77]
From: "Hung Vu"
Reply-To: "Hung Vu"
To: dannyc@gmap.leeds.ac.uk
Cc: firewalls@greatcircle.com
Subject: Re: upgrade to commercial firewalls
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Ok .. so given that ... we have a need for a commercially available firewall
> product. HELP! I don't even begin to know well, how to evaluate them ..

Send a message to info@milkyway.com to request more information on the Black Hole from Milkyway Networks Corporation. The Black Hole is currently being certified for an AL-1 security level from the Common Criteria which is recognized by the G-7 countries.

Hung.
From firewalls-owner Fri Sep 8 11:32:52 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA27087 for firewalls-outgoing; Fri, 8 Sep 1995 11:27:12 -0700
Received: from datasrv.co.il (zeus.datasrv.co.il [192.114.20.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA27080 for ; Fri, 8 Sep 1995 11:27:05 -0700
Received: by datasrv.co.il id AA14398 (5.65c/IDA-1.4.4 for firewalls@greatcircle.com); Fri, 8 Sep 1995 20:25:15 +0300
Date: Fri, 8 Sep 1995 20:25:11 +0300 (IDT)
From: ORMAT
Subject: Re: Firewall-1 concerns
To: Bob McKisson
Cc: firewalls@greatcircle.com
In-Reply-To: <9509081617.AA00414@sandfiddler.paragon-systems.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 8 Sep 1995, Bob McKisson wrote:

[snip]

> information being protected by Israeli code. In my view it ain't the
> MOSSAD (Ministry of State Security and Defense) you should be worried
> about.
>
> rmck
>

It's nice to see you found meaning in the letters of the word Mosad, but it's not even an English word (and definitely not spelled with capital letters). The word is in Hebrew and means 'firm' or 'agency'.

I know this is off topic, but I just couldn't help myself.
Arik

From firewalls-owner Fri Sep 8 12:00:27 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA26643 for firewalls-outgoing; Fri, 8 Sep 1995 11:13:19 -0700
Received: from pnh10.med.navy.mil ([164.167.53.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA26630 for ; Fri, 8 Sep 1995 11:13:11 -0700
Received: from mclo11 (mclo11.med.navy.mil) by pnh10.med.navy.mil with SMTP id AA03220 (5.65c/IDA-1.4.4 for ); Fri, 8 Sep 1995 13:57:31 -0400
Message-Id: <199509081757.AA03220@pnh10.med.navy.mil>
X-Sender: pnh1rgr@mclo10.med.navy.mil
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 08 Sep 1995 14:07:10 -0400
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security), firewalls@greatcircle.com
From: pnh1rgr@mclo10.med.navy.mil (Bob Resino)
Subject: Re: Software concerns
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[Snip]
>3) Product has been reviewed (as in 1) by someone trusted.
>
>(1) is obviously the most rigorous but also the most time consuming.
>(2) is more involved & generally requires being personally acquainted
> with the principals. Biggest problem is proving that they are free
> from outside interests/pressures.
>(3) being in the USA I would trust a review by the NSA and a very few others.

Don't know if I could trust them Padgett. DISA took NSA at their word about C2 WIN NT(AS) 3.5 and didn't look real close at the platform it was submitted on. DISA has now approved the installation of NT boxes on DISN. For more info, see the 4 Sept issue of Government Computer News.

>
>Buying security is different from buying a wordprocessor and must be weighed
>against what is at risk and the effect on your customer base if an
>exception occurs. Obviously this is going to have different values for
>an .EDU as opposed to a DoD contractor (well maybe if the .EDU relies
>on grants...).
> >Many remember WYSIWYG - my motto is WYDSIWGY "What you don't see is what >gets you". > > Warmly, > Padgett > >ps 10,000,000 lemmings can't be rong. pps: ...nothing up my sleeve. Hey Rockie, watch me pull a rabbit out of my hat... B. Moose --------------------------------------------------------------- Bob Resino (RGR24) pnh1rgr@pnh10.med.navy.mil (804)398-7400 Healthcare Support Office Fax:(804)398-7265 Medical Construction Liaison Department Management Information / Data-telecommunications Div (Code 55) 6500 Hampton Blvd "To be or not to be... Norfolk, VA 23707 What was the question ?" --------------------------------------------------------------- The opinions are mine, NOT those of the Navy or the Healthcare Support Office. If they happen to be the same, it's got to be coincidence! From firewalls-owner Fri Sep 8 12:02:28 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA28099 for firewalls-outgoing; Fri, 8 Sep 1995 11:43:04 -0700 Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA28083 for ; Fri, 8 Sep 1995 11:42:57 -0700 Received: from wellspring.us.dg.com by dg-rtp.dg.com (5.4R2.01/dg-rtp-v02) id AA28078; Fri, 8 Sep 1995 14:41:30 -0400 Received: from immis184 by wellspring.us.dg.com (5.4.1/dg-gens08) id AA08188; Fri, 8 Sep 1995 14:41:27 -0400 Message-Id: <9509081841.AA08188@wellspring.us.dg.com> Comments: Authenticated sender is From: "Jim Carroll" Organization: Data General (Canada) Inc. To: firewalls@GreatCircle.COM Date: Fri, 8 Sep 1995 14:40:28 -0500 Subject: Re: Firewall-1 concerns Reply-To: jcarroll@wellspring.us.dg.com Priority: normal X-Mailer: Pegasus Mail for Windows (v2.01) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Rumour has it that on 8 Sep 95 at 9:31, Peter da Silva said: > > 3. The question here is a legit one, how can you trust a firewall when > > you don't know what the code looks like? 
> > Please, let's not have that flame war again. I think everyone knows the > pros and cons by now... Perhaps to be added to the FAQ...? -- Jim Carroll - jcarroll@wellspring.us.dg.com ... the usual disclaimers ... ## The more I learn, the less I know. ## ## Eventually I'll know everything about nothing. ## From firewalls-owner Fri Sep 8 12:28:49 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA28327 for firewalls-outgoing; Fri, 8 Sep 1995 11:50:06 -0700 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA28319 for ; Fri, 8 Sep 1995 11:49:58 -0700 From: dmurphy@coltrane.cwa.com Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA10840; Fri, 8 Sep 95 14:48:21 -0400 Date: Fri, 8 Sep 95 14:48:20 -0400 Message-Id: <9509081848.AA10840@uvs1.orl.mmc.com> To: "firewalls@greatcircle.com"@uvs1.dnet.mmc.com, padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) Subject: Corporate Audits Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Gentlebeings, Two threads here ("Software concerns" and "Upgrade commercial firewalls") have both touched today on corporate decision-making wrt firewalls. Just as corp. decisions about HW in the '70's ("No one gets fired for buying IBM."), or desktop SW reached in the '90's ("No one gets fired for buying Microsoft.") kept, um, "sub-optimal" solutions (and vendors) alive past their prime, so today they're buying the "magic bullet" of firewalls as the solution to network security. Warmly Padgett, Almost-Esq., pointed out the "who can you trust" aspect of this behavior, albeit by counter-example. Steve Marquess pointed out the equally important "who can you blame" aspect, which we'd be foolish to overlook (info-sec is, after all, primarily about human, not mechanical, failures). 
And both aspects indicate that the answer lies, or will soon, in what *corporate auditors* collectively decide is a reasonably prudent business decision in this area. Nobody keeps corporate receipts in a cigar box in the receptionist's desk, in part because (in the US) that would violate the "reasonably prudent" standard of business behavior used to judge if a decision was just bad (management not liable to shareholders) or negligently stupid (management *personally* on the hook). Such legal decisions across the country get composted down into a set of "generally accepted" business practices, which are then enforced by the corporate auditors, whose "cold comfort" letter in the annual report tells shareholders that the corporate procedures they've looked at pass muster, and by later court decisions. So, have any of you big-business wage-slaves had corporate auditors come into your shop and ask questions (perceptive or otherwise) about firewalls and network security yet, and if so, would you be willing/able to share such stories with the list? Better yet, does anybody work for one of the Used-To-Be-Big-7 accounting firms and know what they're doing internally about this? 
+----------------------------------------------------------------------+ | Dan Murphy | CWA Comm Products | 401 Alberto Wy, Los Gatos, CA 95032 | | Vox: (408) 358-1529 | Fax: (408) 356-7061 | Email: dmurphy@cwa.com | +----------------------------------------------------------------------+ From firewalls-owner Fri Sep 8 12:30:22 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA29121 for firewalls-outgoing; Fri, 8 Sep 1995 12:08:17 -0700 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA29113 for ; Fri, 8 Sep 1995 12:08:11 -0700 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA10867; Fri, 8 Sep 95 14:52:01 -0400 Date: Fri, 8 Sep 95 14:52:01 -0400 Message-Id: <9509081852.AA10867@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "dmurphy@coltrane.cwa.com"@UVS1.dnet.mmc.com Cc: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: RE: Corporate Audits Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Warmly Padgett, Almost-Esq., pointed out the "who can you trust" aspect >of this behavior, albeit by counter-example. Steve Marquess pointed out >the equally important "who can you blame" aspect, which we'd be foolish to >overlook Have a few reasons for avoiding that aspect: 1) "Who you gonna blame" deals with revenge/recovery/CYA, something I have little time for. My purpose is to avoid the exception from happening in the first place (not always successful but have never seen finger- pointing to be useful except to demonstrate a need for training). 2) Just the first occupies far more than 40 hours a week. 3) Determining the "fall guy" is rarely a technical issue. 
>So, have any of you big-business wage-slaves had corporate auditors come >into your shop and ask questions (perceptive or otherwise) about >firewalls and network security yet, and if so, would you be willing/able >to share such stories with the list? Better yet, does anybody work for >one of the Used-To-Be-Big-7 accounting firms and know what they're doing >internally about this? Training the auditors is sometimes part of my job, can be very handy for adopting unpopular/unfunded practices by having a department get gigged for something that you just happen to have a no-brane solution. From what I have seen, the "Big-7" is rapidly becoming a vast horde of "LLP"s - Limited Liability Partnerships with the parent company acting as matchmaker. Don't have to be a rocket scientist to translate that. Warmly, Padgett ps closest I've been lately to being a "shield bearer" is seeing a copy of Black's in a store yesterday. From firewalls-owner Fri Sep 8 12:35:08 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA00116 for firewalls-outgoing; Fri, 8 Sep 1995 12:29:01 -0700 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA29999 for ; Fri, 8 Sep 1995 12:28:48 -0700 From: ris1!nmti.com!peter@uuneo.neosoft.com Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA10992; Fri, 8 Sep 95 15:27:19 -0400 Date: Fri, 8 Sep 95 15:27:19 -0400 Message-Id: <9509081927.AA10992@uvs1.orl.mmc.com> To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson P.E. Information Security) Cc: "firewalls@greatcircle.com"@uvs1.dnet.mmc.com Subject: On Trusting Trust Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > 3) Product has been reviewed (as in 1) by someone trusted. > (3) being in the USA I would trust a review by the NSA and a very few others. The "40 bit keys are all anyone needs" NSA? What's their incentive to encourage good firewalls? 
The Clipper Chip people? OK folks, imagine there was to be a firewall certification authority. Who would you want them to be? Who do you trust? From firewalls-owner Fri Sep 8 13:22:12 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA00459 for firewalls-outgoing; Fri, 8 Sep 1995 12:35:00 -0700 Received: from gatepas.gc.ca (gatepas.gc.ca [192.197.79.133]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA00451 for ; Fri, 8 Sep 1995 12:34:56 -0700 Reply-To: Peter.BEAN@ldn01.x400.gc.ca Date: Fri, 08 Sep 1995 19:30:02 +0000 Priority: normal Content-Identifier: OLIVETTI-MAIL3.0 X400-Content-Type: P2-1984 X400-MTS-Identifier: [/PRMD=gc+eaitc.aecec/ADMD=telecom.canada/C=ca/;1014:950908193002] From: Peter.BEAN@ldn01.x400.gc.ca (BEAN Peter -LDN -AG -LES) To: Firewalls@GreatCircle.COM Subject: Firewalls-Digest V4 #518 Message-Id: <1014*/G=Peter/S=BEAN/O=ldn.01/PRMD=gc+eaitc.aecec/ADMD=telecom.canada/C=ca/@MHS> Importance: normal In-Reply-To: <199509081803.LAA26470*/DD.RFC-822=miles.greatcircle.com/PRMD=gc+internet/ADMD=GOVMT.CANADA/C=CA/@MHS> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am away from the office until Monday, 18 September 1995 From firewalls-owner Fri Sep 8 13:31:51 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA02777 for firewalls-outgoing; Fri, 8 Sep 1995 13:25:22 -0700 Received: from svcs1.digex.net (svcs1.digex.net [204.91.197.224]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA02769 for ; Fri, 8 Sep 1995 13:25:18 -0700 Received: from paragon-systems.com (sundevil.paragon-systems.com [199.125.207.2]) by svcs1.digex.net (8.6.12/8.6.12) with SMTP id QAA10176; Fri, 8 Sep 1995 16:23:42 -0400 Received: from sandfiddler.paragon-systems.com by paragon-systems.com (4.1/SMI-4.1) id AA02230; Fri, 8 Sep 95 16:26:37 EDT Received: by sandfiddler.paragon-systems.com (5.x/SMI-SVR4) id AA00612; Fri, 8 Sep 1995 16:19:04 -0400 Date: Fri, 8 Sep 
1995 16:19:04 -0400 From: rmck@sandfiddler.paragon-systems.com (Bob McKisson) Message-Id: <9509082019.AA00612@sandfiddler.paragon-systems.com> To: ormat1@zeus.datasrv.co.il Subject: Re: Firewall-1 concerns Cc: firewalls@GreatCircle.COM X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > It's nice to see you found meaning in the letters of the word Mosad, but > it's not even an english word (and defenatly not spelled with capital > letters). The word is in hebrew and means 'firm' or 'agency'. > > I know this is off topic, but i just couldn't help myself. Well, I was only half joking. Regardless, indeed you are absolutely right. An old Israeli friend of mine at the Pentagon just called to thank me for the publicity. His translation was somewhat different but you two are close enough. and enough said. rmck From firewalls-owner Fri Sep 8 13:32:27 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA02140 for firewalls-outgoing; Fri, 8 Sep 1995 13:10:32 -0700 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA02129 for ; Fri, 8 Sep 1995 13:10:18 -0700 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA11038; Fri, 8 Sep 95 15:38:22 -0400 Date: Fri, 8 Sep 95 15:38:22 -0400 Message-Id: <9509081938.AA11038@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: On trusting trust Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >> (3) being in the USA I would trust a review by the NSA and a very few others. >The "40 bit keys are all anyone needs" NSA? What's their incentive to >encourage good firewalls? The Clipper Chip people? Ok, you want the long form ? I would trust the NSA to follow their charter as currently directed by the political appointee that runs the place. 
One size need not fit all. Please notice that I said "I would trust..." did not say that any one else should, YOU have to make the decision who YOU are going to trust. Besides, not everyone on this list is in the USofA so some would probably be better served by asking the Mossad for advice. You have your phone numbers, I have mine. However, if I had a candidate FireWall and the NSA/NCSC had looked at it and when I asked they said something like "we know of no reason to exclude it from consideration" (don't expect to get an unclassified declarative sentence from a NSA rep on duty beyond "it's a nice day"), it would probably stay in contention (same goes for engineers 8*). >OK folks, imagine there was to be a firewall certification authority. Who >would you want them to be? Who do you trust? I suspect that there is no one good answer to that since the question really is "who do you trust to put your interests at least as high as their own". For some lurkers, the answer might be "Emmanuel Goldstein", others "Arthur Anderson", "Kroll Associates", or "my mother" - and *in their context* each would be correct. Of course, if you add "who is *competent* to certify a firewall", then the list gets a whole lot shorter. Add "purely objectively" and we are down to zero (a shame but true). Magazines try to be objective but typically lack technical expertise and those tecchies on call are rarely unbiased. So it comes down to "of those who are competent and whose biases will probably coincide with those of my employer in this matter" and I said "the NSA is one". 
Warmly, Padgett ps "the buck stops here" From firewalls-owner Fri Sep 8 14:08:21 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA03492 for firewalls-outgoing; Fri, 8 Sep 1995 13:36:47 -0700 Received: from lists (alfalfa.sips.state.nc.us [149.168.11.11]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA03485 for ; Fri, 8 Sep 1995 13:36:43 -0700 Received: from everett.pitt.cc.nc.us by lists (5.0/SMI-SVR4) id AA07143; Fri, 8 Sep 1995 16:30:37 +0500 Received: from EVERETT/SpoolDir by everett.pitt.cc.nc.us (Mercury 1.21); 8 Sep 95 16:40:37 EST5EDT Received: from SpoolDir by EVERETT (Mercury 1.21); 8 Sep 95 16:40:08 EST5EDT From: "Jim Leo" Organization: Pitt Community College To: firewalls@GreatCircle.com Date: Fri, 8 Sep 1995 16:39:59 EST5EDT Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7BIT Subject: Request for Information Reply-To: admin@everett.pitt.cc.nc.us Priority: urgent X-Mailer: Pegasus Mail for Windows (v2.01) Message-Id: content-length: 960 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Gee, The last time I posted to this list, I got flamed but good... Now it seems that other people have the same concerns as I do about commercial firewall products. Nuff' said 'bout that... I need some help from the folks on the list. I have been 'tasked' with evaluating three (3) methods of security implementation and then writing an evaluation/report. The three are : 1. Proxy Servers 2. Packet Filtering 3. Fireswalls Don't ask me about #3. Suffice it to say 'they' are not exactly literate on topics such as these. I currently have the 'recommended' literature. However, now I have to setup my 'test bed' and then bludgeon it. What I need are recommendations from the list. I also need to know where to get a set of good 'bludgeons'.... Please respond directly. NOT to the list. All confidentiality will be preserved.. They also want me to do a survey....... More Later... 
Over the barrel again Jim Leo voice (919) 321-4346 From firewalls-owner Fri Sep 8 14:15:49 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA03981 for firewalls-outgoing; Fri, 8 Sep 1995 13:44:25 -0700 Received: from uucp-1.csn.net (uucp-1.csn.net [199.117.27.26]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA03967 for ; Fri, 8 Sep 1995 13:44:20 -0700 Received: from bacchus.UUCP (uucp@localhost) by uucp-1.csn.net (8.6.12/8.6.12) with UUCP id NAA00287 for greatcircle.com!Firewalls; Fri, 8 Sep 1995 13:32:43 -0600 From: Shawn Steele Message-Id: <9509081324.ZM24627@aob.org> Date: Fri, 8 Sep 1995 13:24:53 -0600 In-Reply-To: firewalls-digest-owner@greatcircle.com "Firewalls-Digest V4 #518" (Sep 8, 11:03am) References: <199509081803.LAA26470@miles.greatcircle.com> X-Mailer: Z-Mail Lite (3.2.0 26may94) To: Firewalls@greatcircle.com Subject: upgrade to commercial firewalls Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Interesting comment though from him, which in my naivete I'd not > thought about. If we get attacked and lose software/data etc, then > who's liable ? > If we use freeware products, then no one is. If we use a commercial > product, then we can, I guess, sue the firewall supplier ... ? Ah, sue-happy america. I seriously doubt you'll find a supplier that doesn't have some sort of clause specifically disallowing any damages from using their product. (A friend recently had his house broken into, I doubt he could successfully sue the deadbolt manufacturer). It does give someone an "it's not my fault" escape though, even if they misconfigured something, especially if management doesn't know much about computer security. 
- shawn Shawn Steele Information Systems Administrator Association of Brewers (303) 447-0816 x 118 (voice) 736 Pearl Street (303) 447-2825 (fax) PO Box 1679 shawn@aob.org (e-mail) Boulder, CO 80306-1679 info@aob.org (aob info) U.S.A. http://www.aob.org/aob (web) Note: When replying to my messages, please include enough of my message so that I know what you're replying to! :-) From firewalls-owner Fri Sep 8 14:30:30 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA05909 for firewalls-outgoing; Fri, 8 Sep 1995 14:22:29 -0700 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA05894 for ; Fri, 8 Sep 1995 14:22:23 -0700 From: Brad.Powell@eng.sun.com Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA11400; Fri, 8 Sep 95 17:19:22 -0400 Date: Fri, 8 Sep 95 17:19:22 -0400 Message-Id: <9509082119.AA11400@uvs1.orl.mmc.com> To: "firewalls@greatcircle.com"@uvs1.dnet.mmc.com, padgett@tccslr.dnet.mmc.com, dmurphy@coltrane.cwa.com Subject: Re: Corporate Audits Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From firewalls-owner@GreatCircle.COM Fri Sep 8 13:01:46 1995 >Subject: Corporate Audits Dan writes: >----------------------------------------------------------------------+ >| Dan Murphy | CWA Comm Products | 401 Alberto Wy, Los Gatos, CA 95032 | >| Vox: (408) 358-1529 | Fax: (408) 356-7061 | Email: dmurphy@cwa.com | >+----------------------------------------------------------------------+ >So, have any of you big-business wage-slaves had corporate auditors come >into your shop and ask questions (perceptive or otherwise) about >firewalls and network security yet, and if so, would you be willing/able >to share such stories with the list? Better yet, does anybody work for >one of the Used-To-Be-Big-7 accounting firms and know what they're doing >internally about this? 
> I'll tell you one thing they better not be doing and thats trusting all their defences to *just* the firewall. Some of the ones I've talked with (that happened to -pass- their audit) have gone to an internal approach of also securing the desktops and enhancing the internal network. The four "A"'s Authentication Authorization Accountability Access control The firewall should be your best/strongest defence but it should *never* be your _only_ defence ======================================================================= Brad Powell : brad.powell@Sun.COM Sr. Network Security Consultant SunNetworks, Sun Microsystems Inc. ======================================================================= The views expressed are those of the author and may not reflect the views of Sun Microsystems Inc. ======================================================================= From firewalls-owner Fri Sep 8 15:00:35 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA06852 for firewalls-outgoing; Fri, 8 Sep 1995 14:46:33 -0700 Received: from chum.hooked.net (chum.hooked.net [199.2.134.20]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA06845 for ; Fri, 8 Sep 1995 14:46:30 -0700 Received: (from ee@localhost) by chum.hooked.net (8.6.12/8.6.12) id OAA02362; Fri, 8 Sep 1995 14:45:06 -0700 Date: Fri, 8 Sep 1995 14:45:06 -0700 From: Eric Eigenfeld Message-Id: <199509082145.OAA02362@chum.hooked.net> To: firewalls@GreatCircle.COM Subject: mirrored fw Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Greetings, I am developing plans for a mirrored fw architecture. The client requires 2--->n locations, each with its own independently operating ,complete architectures that could assume control on demand. User base is quite large, and firewalls are already implemented and functioning in multiple locations. 
Throw in automatic mirroring of changes to internal and external web servers, a left handed monkey wrench for adjustments, and they're happy. Any experiences with mirrored firewalls? Thanks in advance, Eric Eigenfeld Director, Client Services National Data Management From firewalls-owner Fri Sep 8 15:02:33 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA06345 for firewalls-outgoing; Fri, 8 Sep 1995 14:33:23 -0700 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA06275 for ; Fri, 8 Sep 1995 14:32:05 -0700 From: Brad.Powell@eng.sun.com Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA11429; Fri, 8 Sep 95 17:30:21 -0400 Date: Fri, 8 Sep 95 17:30:20 -0400 Message-Id: <9509082130.AA11429@uvs1.orl.mmc.com> To: padgett@tccslr.dnet.mmc.com, ris1!nmti.com!peter@uuneo.neosoft.com Cc: "firewalls@greatcircle.com"@uvs1.dnet.mmc.com Subject: Re: On Trusting Trust Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From firewalls-owner@GreatCircle.COM Fri Sep 8 13:18:06 1995 >From: ris1!nmti.com!peter@uuneo.neosoft.com >Date: Fri, 8 Sep 95 15:27:19 -0400 > >OK folks, imagine there was to be a firewall certification authority. Who >would you want them to be? Who do you trust? > I thought we already went through this last month :-( "Trust but verify independently" is the common auditors approach. "Trust no one" is the common thinking on firewalls. Please don't get me wrong, its not that reputable firewall vendors and code writers are not striving for 100% safe. Its just that anyone can make a mistake (I'm probably making one right now by getting sucked into this) So how do you sleep at night? Well imho you sleep by first learning to live with a little risk and second by giving yourself more than one layer of protection. The "onion" approach to security. 
:-) Multiple layers, and not all the layers being equal or from the same vendor will give you a better chance at detecting intrusions, and a better chance at stopping the intrusion before it costs you/your-company significant cost. Place your more sensitive data ($$$) closer to the center of the onion and the "more public" (less $$$) closer towards the outside of the onion and you will start getting warm-n-fuzzy and be able to sleep better. The reason I use the onion model is because like an onion the more layers you make users peel away to get to the data they need the more they are going to cry about it :-). ======================================================================= Brad Powell : brad.powell@Sun.COM Sr. Network Security Consultant SunNetworks, Sun Microsystems Inc. ======================================================================= The views expressed are those of the author and may not reflect the views of Sun Microsystems Inc. ======================================================================= From firewalls-owner Fri Sep 8 15:30:02 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA07590 for firewalls-outgoing; Fri, 8 Sep 1995 15:23:04 -0700 Received: from nutpagw.nutec.tche.br ([200.17.171.89]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA07582 for ; Fri, 8 Sep 1995 15:22:49 -0700 From: silveira@nutecpa.nutec.tche.br Received: (from root@localhost) by nutpagw.nutec.tche.br (8.6.9/8.6.9) id UAA18328 for ; Fri, 8 Sep 1995 20:10:45 -0300 Received: from unknown(200.17.174.65) by nutpagw.nutec.tche.br via smap (V1.3) id sma018323; Fri Sep 8 20:10:29 1995 Received: from canario by nutecpa.nutec.tche.br id aa11625; 8 Sep 95 19:22 BRA Received: from dodo by canario.canario.nutecsp.br id aa27730; 8 Sep 95 18:44 BST MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit Date: Fri, 08 Sep 95 18:46:08 -0300 Subject: Re: Firewall-1 concerns To: firewalls@greatcircle.com 
In-Reply-To: <199509072140.XAA16451@utopia.hacktic.nl> X-Mailer: SPRY Mail Version: 04.00.06.14 Message-ID: <9509081844.aa27730@canario.canario.nutecsp.br> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 7 Sep 1995, nobody@replay.com (Anonymous) wrote: >I recently found out that the Firewall-1 product from Sun is actually >written and developed by a company in Israel and that Sun does not have >nor has access to the source code. [snip, snip, snip] >It turns out that Sun does not have the source and hasn't inspected it. > hope that the US military and other sensitive agencies or companies >with sensitive information aren't using this product for protection. > Ignoring the fact that this poster didn't put his/her e-mail (which I think is not proper in a public forum), he/she may have raised a few interesting topics: - If it is true that Sun hasn't access to source (anybody from Sun with an official statement please jump in), how can it offer this solution to US customers, including the government? - Let's assume that a new attack is discovered and that FW-1 customers, without access to source, are compromised. Who can they hold liable for the damages, if anybody? Finally, on a broader issue, a question from me: How are contracts signed between the firewall provider and the customer with regard to the possibility of a successful attack? TIA, Fernando -- Fernando da Silveira Montenegro E-mail: silveira@nutec.com Nutec Informatica S.A. 
Phone.: +55-11-505-5728 Rua Florida, 1821/4th floor Fax...: +55-11-505-1918 Sao Paulo, SP BRAZIL 04565-001 From firewalls-owner Fri Sep 8 18:00:13 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA11634 for firewalls-outgoing; Fri, 8 Sep 1995 17:55:25 -0700 Received: from junix.ju.edu (junix.ju.edu [204.29.160.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id RAA11626 for ; Fri, 8 Sep 1995 17:55:22 -0700 Received: by junix.ju.edu (5.61/1.39) id AA16921; Fri, 8 Sep 95 20:52:02 -0400 From: ddill@junix.ju.edu (Daniel Dill) Message-Id: <9509090052.AA16921@junix.ju.edu> Subject: Re: upgrade to commercial firewalls To: dannyc@gmap.leeds.ac.uk (Danny Cox) Date: Fri, 8 Sep 1995 20:52:02 -0400 (EDT) Cc: firewalls@greatcircle.com In-Reply-To: <5290.9509081145@gmap.leeds.ac.uk> from "Danny Cox" at Sep 8, 95 12:45:48 pm X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1021 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Interesting comment though from him, which in my naivete I'd not thought > about. If we get attacked and lose software/data etc, then who's liable ? > If we use freeware products, then no one is. If we use a commercial product, > then we can, I guess, sue the firewall supplier ... ? At least that was > his comment, and I'd be very interested to hear what you all think to this > concept. This is based on the idea that they'd be covered by their indemnity > insurance ... > > Thanks all, I appreciate your time, > Danny > This is NOT personal, but... What about personal responsibility? Everyone else pays because a few companies are not willing to spend the time, effort, money to develop the necessary expertise. Regards, Daniel -- Daniel L. 
Dill Ultimately, the strongest argument for the people to retain the right to keep and bear ddill@junix.ju.edu arms, is to protect themselves against tyranny in government. --Thomas Jefferson From firewalls-owner Fri Sep 8 18:02:34 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA11459 for firewalls-outgoing; Fri, 8 Sep 1995 17:44:42 -0700 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id RAA11452 for ; Fri, 8 Sep 1995 17:44:38 -0700 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA11877; Fri, 8 Sep 95 20:34:15 -0400 Date: Fri, 8 Sep 95 20:34:15 -0400 Message-Id: <9509090034.AA11877@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: RFI Sender: firewalls-owner@GreatCircle.COM Precedence: bulk a) if you want a direct response, include your address in the body, not all of our mail readers provide the original header (I can't even do a reply - it would go to "firewalls-owner" so must FORW & retype the Subject:) b: Jim rites: >writing an evaluation/report. The three are : > 1. Proxy Servers > 2. Packet Filtering > 3. Fireswalls Is really 1) Packet Filter 2) Proxy Server 3) Application Filter and many today are really *all of the above*. A firewall is "a collection of devices that enforce a security policy" and as such is certainly "all of the above" plus encryption/decryption, strong authentication, reconfiguration on exception, and alarming (quite). >Don't ask me about #3. Suffice it to say 'they' are not exactly >literate on topics such as these. So take the chance to educate - don't beat them over the head with it, just do it right. >They also want me to do a survey....... Of what ? Nodes ? Users ? Ferret & Iguana population ? 
Warmly, Padgett From firewalls-owner Fri Sep 8 18:30:05 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA12256 for firewalls-outgoing; Fri, 8 Sep 1995 18:22:01 -0700 Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id SAA12247 for ; Fri, 8 Sep 1995 18:21:57 -0700 Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.6.10/8.6.10) with UUCP id UAA29151 for greatcircle.com!firewalls; Fri, 8 Sep 1995 20:12:04 -0500 Received: by ris1.nmti.com (smail2.5) id AA14409; 8 Sep 95 17:53:54 CDT (Fri) Received: by sonic.nmti.com; id AA14631; Fri, 8 Sep 1995 18:20:29 -0500 From: peter@nmti.com (Peter da Silva) Message-Id: <9509082320.AA14631@sonic.nmti.com.nmti.com> Subject: Re: On trusting trust To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) Date: Fri, 8 Sep 1995 18:20:28 -0500 (CDT) Cc: firewalls@greatcircle.com In-Reply-To: <9509081938.AA11038@uvs1.orl.mmc.com> from "A. Padgett Peterson, P.E. Information Security" at Sep 8, 95 03:38:22 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 611 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Ok, you want the long form ? I would trust the NSA to follow their charter > as currently directed by the political appointee that runs the place. But the question was "who would you trust to check out a firewall". Past experience is that NSA doesn't really care about Security if it's not National. If your employer isn't the government, or if the firewall isn't protecting something the NSA thinks needs to be secret, I don't see any reason for them to care. If your employer is someone the NSA wants to keep tabs on (like, just about any large firm that works for the government) then all bets are off. 
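The taxonomy in Padgett's "RFI" reply to Jim Leo above (packet filter, proxy server, application filter, with most real firewalls being all three) is easier to evaluate on a test bed with something concrete in hand. What follows is an added example and not code from any list posting: a toy first-match packet filter in Python, a ruleset that admits active-mode FTP data connections by trusting the remote source port, the stricter ruleset that does not, and the narrow per-session rule an FTP application gateway could derive from the PORT command it sees on the control channel. The addresses, ports, rules and packets are constructed for illustration, and 10.0.0.0/8 is assumed to be the internal network.

```python
"""Packet filter vs. application gateway: an added example, not code from
any list posting. Addresses, ports, rules and packets are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal network
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool   # True for a TCP segment that opens a connection (SYN without ACK)


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: str                       # "tcp", "udp" or "any"
    src: IPv4Network = ANY
    sport: Optional[range] = None    # None means any port
    dst: IPv4Network = ANY
    dport: Optional[range] = None
    established_only: bool = False   # match only segments that cannot open a connection


def matches(rule: Rule, pkt: Packet) -> bool:
    """A packet filter has nothing but these header fields to go on."""
    if rule.proto not in ("any", pkt.proto):
        return False
    if ip_address(pkt.src) not in rule.src or ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.sport is not None and pkt.sport not in rule.sport:
        return False
    if rule.dport is not None and pkt.dport not in rule.dport:
        return False
    if rule.established_only and pkt.syn:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Ruleset A, the classic mistake: to let active-mode FTP data connections
# (server port 20 -> client high port) back in, it trusts the *source* port,
# which the remote end chooses freely.
RULES_TRUST_SPORT = [
    Rule("allow", "tcp", src=INTERNAL),                           # anything outbound
    Rule("allow", "tcp", dst=INTERNAL, established_only=True),    # replies to it
    Rule("allow", "tcp", sport=range(20, 21), dst=INTERNAL, dport=range(1024, 65536)),
]
# Ruleset B: the same without that rule. Only segments of connections opened
# from inside may come in, so active FTP data has to be handled another way.
RULES_STRICT = RULES_TRUST_SPORT[:2]


def rule_from_port_command(client_ip: str, server_ip: str, port_cmd: str) -> Rule:
    """What an FTP application gateway can do and a packet filter cannot: read
    the PORT command on the control channel ("PORT h1,h2,h3,h4,p1,p2", port =
    p1*256+p2, per RFC 959) and admit exactly the one data connection it
    announces, from the server's port 20 to that client port."""
    verb, _, arg = port_cmd.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    nums = [int(n) for n in arg.split(",")]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError("malformed PORT argument")
    if ".".join(str(n) for n in nums[:4]) != client_ip:
        raise ValueError("PORT names a host other than the client; refusing")
    port = nums[4] * 256 + nums[5]
    if port < 1024:
        raise ValueError("PORT names a privileged port; refusing")
    return Rule("allow", "tcp",
                src=ip_network(server_ip + "/32"), sport=range(20, 21),
                dst=ip_network(client_ip + "/32"), dport=range(port, port + 1))


# Constructed traffic: a legitimate active-FTP data connection, and an attacker
# who simply sources from port 20 to reach an internal X server on port 6000.
FTP_DATA = Packet("tcp", "192.0.2.10", 20, "10.0.0.5", 1025, syn=True)
SPOOFED = Packet("tcp", "192.0.2.66", 20, "10.0.0.5", 6000, syn=True)
GATEWAY_RULES = RULES_STRICT + [
    rule_from_port_command("10.0.0.5", "192.0.2.10", "PORT 10,0,0,5,4,1")
]

if __name__ == "__main__":
    for name, rules in (("trust-sport", RULES_TRUST_SPORT),
                        ("strict", RULES_STRICT), ("gateway", GATEWAY_RULES)):
        print(name, "ftp-data:", evaluate(rules, FTP_DATA),
              "spoofed:", evaluate(rules, SPOOFED))
```

The two rulesets make the point a test bed should surface: a packet filter sees only headers, and the remote end picks its own source port, so a rule keyed on source port 20 admits whatever an attacker chooses to send from port 20; the stricter ruleset closes that but breaks active FTP. The gateway rule is narrower because an application-level relay reads the control channel and knows which single data connection to expect, which a packet filter has no way to learn.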
From firewalls-owner Fri Sep 8 19:30:05 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA13499 for firewalls-outgoing; Fri, 8 Sep 1995 19:23:55 -0700 Received: from panix2.panix.com (panix2.panix.com [198.7.0.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id TAA13486; Fri, 8 Sep 1995 19:23:50 -0700 Received: (from lawnyc@localhost) by panix2.panix.com (8.6.12/8.6.12+PanixU1.1) id WAA19897; Fri, 8 Sep 1995 22:22:24 -0400 Date: Fri, 8 Sep 1995 22:22:21 -0400 (EDT) From: "John A. Young" To: Firewalls@GreatCircle.COM cc: firewalls-digest@GreatCircle.COM Subject: Re: Firewalls-Digest V4 #518 In-Reply-To: <199509081803.LAA26470@miles.greatcircle.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 8 Sep 1995 the firewalls-digest included: > From: Danny Cox > Date: Fri, 8 Sep 1995 12:45:48 +0100 > Subject: upgrade to commercial firewalls > > Management here seems to have a healthy attitude to security - bordering on > the paranoid if anything, but willing to spend the money, which is good. > > Just talking now with one of the senior managers .. our current situation is > that I've built a firewall router using SOCKS .. my next step may have been > to upgrade using the TIS fwtk stuff .. > > Interesting comment though from him, which in my naivete I'd not thought > about. If we get attacked and lose software/data etc, then who's liable ? > If we use freeware products, then noone is. If we use a commercial product, > then we can, I guess, sue the firewall supplier ... ? At least that was > his comment, and I'd be very interested to hear what you all think to this > concept. This is based on the idea that they'd be covered by their indemnity > insurance ... 
> > ------------------------------ > > From: Steve Marquess > Date: Fri, 8 Sep 1995 10:07:32 -0400 > Subject: Re: upgrade to commercial firewalls > > > > This exact same point has been raised repeatedly at my company, a large > financial > services firm with a "healthy bordering on paranoid" concern about security. > The ability to assign blame in the event of problems is a very significant > consideration in the acquisition of important systems and services. And if > you think about it from the management point of view there is a certain > logic to it: if we suffer a business loss due to the failure of "home grown" > or "roll your own" (terms of disparagement here...) software then the blame > must fall on those permitting/approving/performing that software development. > > If a commercially acquired and configured product failed then it's just "well, > vendor X let us down again". A fairly common and believable situation here. > The possibility of actually collecting financial damages seems to be less > important than the exculpatory assignment of responsibility. I don't think > anyone really thinks we could pry money out of a major vendor because of > software > defects, especially not for incidental damages. > > Keep in mind also that any significant decisions about deploying a firewall > will be made by upper management, all business types far removed from any > close appreciation of the technical nuances. With all the confusing and > conflicting advice and information they get from vendors, trade rags, and > in-house staff they really don't know what to believe. Those of us in the > boiler room > are close to the issues and have definite opinions, but we are only a small > piece of the real decision process. > > The bigger and better known the vendor the more powerful the attraction of > this argument. Hence a strong predisposition to well known and well marketed > products, with cost and product quality often very secondary considerations.
> > > ------------------------------ > > From: Brian Murrell > Date: Fri, 8 Sep 1995 08:32:15 -0700 > Subject: Re: upgrade to commercial firewalls > > > > Interesting comment though from him, which in my naivete I'd not thought > > about. If we get attacked and lose software/data etc, then who's liable ? > > Oh goody. I'd love to see this one hashed out, although I think it'll be > relevant to firewalls for a day or two tops. :-) > > > If we use freeware products, then noone is. If we use a commercial product, > > then we can, I guess, sue the firewall supplier ... ? At least that was > > his comment, and I'd be very interested to hear what you all think to this > > concept. This is based on the idea that they'd be covered by their > > indemnity insurance ... > > Good luck. > > b. > > > ------------------------------ > > From: Ted Doty > Date: Fri, 8 Sep 1995 10:27:56 -0400 > Subject: Re: upgrade to commercial firewalls > > Steve Marquess writes: > > >From: Danny Cox > > > > > > > > > > This exact same point has been raised repeatedly at my company, a large > > financial > > services firm with a "healthy bordering on paranoid" concern about security. > > The ability to assign blame in the event of problems is a very significant > > consideration in the acquisition of important systems and services. And if > > [snip] > > So long as people keep thinking that a magic box will solve all their > present and future security worries, assigning blame is a somewhat humorous > exercise in futility. Also, as long as 80% (or whatever the current number > is ... send your flames to /dev/null) of all "break-ins" are internal, and > as long as only 5% (same comment as above) of all corporate security > policies are detailed enough to actually implement something from, you > probably are barking up the wrong tree. > > Most of the security consultants will tell you that a firewall will help, > but your security is ultimately your own responsibility. 
Get a policy, > implement it, track it, tell your users what it is, keep your eye on > bugtraq, (...) and you'll be in pretty good shape. This doesn't mean that > you won't get hacked, or that you won't lose data (you mean that disaster > recovery isn't in your policy either?). > > Without the above, liability is probably hard to demonstrate. > - -- > > - - Ted Though this discussion sorely tempts me simply to post "Have gun, will travel", I must agree --as a lawyer-- with Steve, Brian and Ted that the only solace Danny's management can realistically find in the vendor's potential liability is that there will be an identifiable scapegoat to which everyone can point. Steve reminds me of those ancient days when Compaq was struggling to make it as a fledgling vendor of "clones" and the word generally going around was that "nobody ever got fired for buying IBM". If, as I've so often read here, "security by obscurity" is foolish, then I would add that "security by obscurity + litigation" is downright insane. Even if one is able to surmount the many obstacles to victory, including those described by Ted, it is virtually impossible to be made "whole". There will be elements of damage which even the most generous judge or jury will not adequately recompense, not to mention the astronomical expenses which we hired guns are wont to run up (over and above our almost invariably modest fees ). Also, a major litigation, in and of itself, tends to consume enormous chunks of management's time and energy which otherwise could have been put to much more productive use. In short, if, *despite* the best laid plans ..., the sky falls in, then litigation might sensibly be considered as a possible element of damage control. But, to base one's plans and choices on the availability of litigation is, IMNSHO, to court disaster. The place where a good lawyer can best help vis-a-vis a vendor is right at the start, when the purchase contract is being discussed. 
Even then, the lawyer's primary value can come from helping you be sure you have properly articulated your needs and that you get what is needed (e.g., access to source code) to satisfy yourself that they are being met -- and not from artfully drafting clauses to pin liability on the vendor if anything goes wrong. [soapbox mode: off] Regards, John . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * Providing user-friendly assistance : LawNYC@panix.com to techies and others, from NYC and : John A. Young, J.D. (Yale 1964) around the world, in dealing with : P.O. Box 4695 the problems, opportunities and : New York, NY 10185-4695 plain conundrums encountered when : Telephone (voice & fax) interfacing with the arcane worlds : (212) 765-2170 of business, law and property. * : (718) 875-0337 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . From firewalls-owner Fri Sep 8 20:37:18 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA15177 for firewalls-outgoing; Fri, 8 Sep 1995 20:24:57 -0700 Received: from gatepas.gc.ca (gatepas.gc.ca [192.197.79.133]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id UAA15170 for ; Fri, 8 Sep 1995 20:24:54 -0700 Reply-To: Peter.BEAN@ldn01.x400.gc.ca Date: Sat, 09 Sep 1995 03:20:01 +0000 Priority: normal Content-Identifier: OLIVETTI-MAIL3.0 X400-Content-Type: P2-1984 X400-MTS-Identifier: [/PRMD=gc+eaitc.aecec/ADMD=telecom.canada/C=ca/;1032:950909032001] From: Peter.BEAN@ldn01.x400.gc.ca (BEAN Peter -LDN -AG -LES) To: Firewalls@GreatCircle.COM Subject: Firewalls-Digest V4 #519 Message-Id:
<1032*/G=Peter/S=BEAN/O=ldn.01/PRMD=gc+eaitc.aecec/ADMD=telecom.canada/C=ca/@MHS> Importance: normal In-Reply-To: <199509090231.TAA13602*/DD.RFC-822=miles.greatcircle.com/PRMD=gc+internet/ADMD=GOVMT.CANADA/C=CA/@MHS> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am away from the office until Monday, 18 September 1995 From firewalls-owner Fri Sep 8 21:30:04 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA16157 for firewalls-outgoing; Fri, 8 Sep 1995 21:13:00 -0700 Received: from switchblade.iwi.com (switchblade.iwi.com [137.39.156.214]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id VAA16148 for ; Fri, 8 Sep 1995 21:12:55 -0700 Received: (from mjr@localhost) by switchblade.iwi.com (8.6.9/8.6.9) id AAA15521; Sat, 9 Sep 1995 00:32:57 -0400 From: "Marcus J. Ranum" Message-Id: <199509090432.AAA15521@switchblade.iwi.com> Subject: firewall certification authority To: firewalls@greatcircle.com Date: Sat, 9 Sep 1995 00:32:57 -0400 (EDT) Cc: rpower@mfi.com Reply-To: mjr@iwi.com Organization: Information Warehouse! Inc, Baltimore, MD URL: mjr's web page Phone: 410-889-8569 Coredump: Infocalypse Now!!! X-Mailer: ELM [version 2.4 PL24] Content-Type: text Content-Length: 6060 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >OK folks, imagine there was to be a firewall certification authority. Who >would you want them to be? Who do you trust? First ask if there should be one at all. Not all firewalls are the same; many have very different design goals and objectives. For a single authority to certify a firewall will imply a single authority imposing its idea of "correct design": a role NSA has adopted in the past with varying levels of success and questionable benefits to the community. This is a topic I've been wrestling with for a while. Implicit in the issue of "certification" is the matter of testing, and that's a really tough nut to crack. 
Before you can certify a firewall, you need to be able to measure it against some kind of yardstick and determine if it is adequate. Even the concept of adequacy is slippery to come to grips with. A firewall may be adequate from a security perspective but unable to do the job because of some special requirement, cost, or whatever. More importantly, a firewall needs to be correct FOR ITS PROPOSED USE and that needs to be taken into account when it is "certified." In the past I've given the example of a highly secure high assurance firewall for Email only, which can be easily implemented using a screening router and a UNIX machine. In some people's eyes that might not even be a "firewall" -- a rigid code for certification likely would not cover such an approach as "OK." The DOD computer security rules actually require that a system be considered in its entirety before being certified as acceptable, which was intended to permit someone to make a solid case that a particular approach was sound, without going through all the rigamarole. Unfortunately, it's turned into a bureaucratic trap door through which all manner of braindamaged nonsense can be certified as acceptable. So how do you test a firewall? I believe there are 2 approaches, which are not necessarily mutually exclusive or incompatible: 1) Programmed "checklist" testing 2) Design-oriented testing "Checklist" testing would amount to running SATAN++ against the firewall and failing it if SATAN++ found a hole. Do not pass go, do not collect $200. The problem with this approach is that it is very limited: a bug that we don't test for in SATAN++ could slice right through the firewall tomorrow and we'd have to invalidate the whole certification and recertify. The advantage of the "checklist" approach is that it's cheap, quick, easy, and it lets a vendor put a certification "seal of approval" on their product and everyone can get a quick set of warm fuzzies and tell their boss they have exercised due diligence. 
Design-oriented testing is when you walk into the room where the engineers who wrote the firewall sit, and start with the question: "Why do you think this firewall protects networks and itself effectively?" and go from there. Depending on the answers they give you, you then formulate a set of tests which propose to verify the properties they claim the firewall has. So, if I tell you my firewall works by testing the psychic *intent* in each packet, a test would be derived whereby we would send malicious packets at the firewall and see if they were blocked. Then we'd send the same packets without thinking nasty thoughts while we did it, and see if they went through. In other words, the test is a custom-tailored approach that matches the design of the system. The problem with design-oriented testing is that it's hard. It takes skills that are not presently common - I only know 5 people that I would believe could do a good job of this (incidentally, none of them work at NSA) -- it's expensive, slow, and it's hard to explain because to even explain or understand a serious red team review requires a pretty high level of expertise. I've heard scary stories of people doing "firewall testing" who do not understand UNIX. So, for example, they will tell you the firewall is insecure if the sendmail executable has not been deleted. So their checklist is maybe a little bit off. :) I've heard of other scary stories about people getting an auditor for a firewall and having a CNE appear. It's a networking problem, so who is better qualified than a Certified Network Engineer, right? If someone hired me to do a design-oriented test of a VMS firewall, that'd be pretty ridiculous, too - I'm a UNIX guru, and am completely unqualified to find a hole in a VMS product. The market is ripe right now for someone to come along and start certifying firewalls. NSA will probably do it for their customer base, which is government only. 
As such they will slant their "What is good" requirements to meet their political/technological agenda: NSA approved crypto only, and Fortezza. The question is: If someone starts certifying firewalls, will the certification have any intellectual integrity? I recently rather derisively dismissed an RFI from a large consulting company that wants to hire "firewall test consultants" and asked for a detailed writeup of the methodology used. (My response was a description of design-oriented testing.) From the layout of the RFI it was pretty clear that they were building a laundry list and were canvassing other consultants to help fill out their own laundry list. Being certified on those terms should not make anyone sleep better at night. Big laundry lists are better than small laundry lists but if you were to look at the set of facts that SATAN1.0 tested for, there are at least 4 new things since its release that have been discovered. If SATAN1.0 were your firewall test "methodology" you would be toast, right now. So: back to the original question "who should they be?" and "who do you trust?" "They" should be the top experts in the field for the particular type of firewall you are talking about. That means that if it's a VMS based firewall, it'd better be a VMS guy, not me, smb, or ches. We don't do VMS. :) If it's a router, then it should be someone who really knows routers. Etc. "Who do you trust?" - depends on what you've got to lose. mjr.
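The two approaches mjr contrasts, worked as an added example that is not from the original post or from any tool it names: a constructed first-match packet-filter rule set carrying a hypothetical flaw, a "checklist" probe over a fixed list of well-known ports (a stand-in for a SATAN-style list, not SATAN's actual one), and a design-oriented check that verifies the engineers' stated claim over every one of the 65536 destination ports. All zone names, rules, port lists and the design claim are constructed for the example.

```python
from dataclasses import dataclass

# Constructed zone and host-class names (not from any real product).
OUTSIDE, INSIDE = "outside", "inside"
BASTION, INTERNAL = "bastion", "internal"
ANY = "*"


@dataclass(frozen=True)
class Rule:
    src: str      # source zone
    dst: str      # destination host class, or ANY
    lo: int       # inclusive destination-port range
    hi: int
    action: str   # "allow" or "deny"


def claimed_decision(src, dst, dport):
    """The design claim the (hypothetical) engineers make when asked
    "why does this firewall protect the network?": outside hosts may reach
    the bastion on TCP/25 and nothing else; inside hosts may reach anything."""
    if src == INSIDE:
        return "allow"
    return "allow" if (dst == BASTION and dport == 25) else "deny"


# Constructed first-match rule set.  The third rule is the hypothetical flaw:
# a "reply traffic" rule that opens every port in the old BSD ephemeral range.
FLAWED_RULES = [
    Rule(OUTSIDE, BASTION, 25, 25, "allow"),
    Rule(OUTSIDE, ANY, 0, 1023, "deny"),
    Rule(OUTSIDE, ANY, 32768, 65535, "allow"),
    Rule(INSIDE, ANY, 0, 65535, "allow"),
]
# Same rule set with the flawed rule removed.
FIXED_RULES = [r for r in FLAWED_RULES if not (r.src == OUTSIDE and r.lo == 32768)]
DEFAULT_ACTION = "deny"


def decide(rules, src, dst, dport):
    """First matching rule wins; anything unmatched takes the default."""
    for r in rules:
        if r.src == src and r.dst in (ANY, dst) and r.lo <= dport <= r.hi:
            return r.action
    return DEFAULT_ACTION


# Checklist probe: a fixed list of well-known service ports, the kind of list
# a scanner of the period carried (constructed; not any real tool's list).
CHECKLIST_PORTS = (21, 23, 25, 53, 79, 111, 513, 514, 2049, 6000)


def checklist_test(rules):
    """Report (host, port) pairs where an inbound probe on a checklist port
    gets a decision the design claim says it should not."""
    return [(host, p)
            for host in (BASTION, INTERNAL)
            for p in CHECKLIST_PORTS
            if decide(rules, OUTSIDE, host, p) != claimed_decision(OUTSIDE, host, p)]


def design_test(rules):
    """Verify the design claim itself over every port and both directions,
    rather than only the ports somebody thought to put on a list."""
    findings = []
    for host in (BASTION, INTERNAL):
        for p in range(65536):
            if decide(rules, OUTSIDE, host, p) != claimed_decision(OUTSIDE, host, p):
                findings.append((host, p))
    for p in range(65536):
        if decide(rules, INSIDE, OUTSIDE, p) != claimed_decision(INSIDE, OUTSIDE, p):
            findings.append((OUTSIDE, p))
    return findings


def as_ranges(findings):
    """Collapse (host, port) findings into (host, lo, hi) runs for reporting."""
    runs = []
    for host, p in sorted(findings):
        if runs and runs[-1][0] == host and runs[-1][2] == p - 1:
            runs[-1] = (host, runs[-1][1], p)
        else:
            runs.append((host, p, p))
    return runs


if __name__ == "__main__":
    # The checklist passes the flawed filter; the design test does not.
    print("checklist on flawed rules:", checklist_test(FLAWED_RULES))
    print("design test on flawed rules:", as_ranges(design_test(FLAWED_RULES)))
    print("design test on fixed rules:", as_ranges(design_test(FIXED_RULES)))
```

The checklist reports nothing against the flawed rule set because none of its ports fall in the opened range, while the design test reports the whole 32768-65535 range on both hosts; the same harness reports nothing once the offending rule is removed.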
From firewalls-owner Sat Sep 9 06:02:08 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA21189 for firewalls-outgoing; Sat, 9 Sep 1995 05:33:34 -0700 Received: from research.att.com (research.att.com [192.20.225.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA21182 for ; Sat, 9 Sep 1995 05:33:31 -0700 From: smb@research.att.com Message-Id: <199509091233.FAA21182@miles.greatcircle.com> Received: by gryphon; Sat Sep 9 08:31:09 EDT 1995 To: Firewalls@GreatCircle.COM cc: dmurphy@coltrane.cwa.com Subject: Re: Corporate Audits Date: Sat, 09 Sep 95 08:31:08 EDT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk So, have any of you big-business wage-slaves had corporate auditors come into your shop and ask questions (perceptive or otherwise) about firewalls and network security yet, and if so, would you be willing/able to share such stories with the list? I'm not sure if I should name names or not -- it's not my place to do so -- but I know for certain that at least one large industrial outfit was barred by their auditors from connecting to the Internet until they had a heavy-duty firewall in place. From firewalls-owner Sat Sep 9 06:02:35 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA21290 for firewalls-outgoing; Sat, 9 Sep 1995 05:51:50 -0700 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA21283 for ; Sat, 9 Sep 1995 05:51:45 -0700 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA13022; Sat, 9 Sep 95 07:38:42 -0400 Date: Sat, 9 Sep 95 07:38:41 -0400 Message-Id: <9509091138.AA13022@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: Who you gonna trust ? 
Sender: firewalls-owner@GreatCircle.COM Precedence: bulk mjr rites: "bits and pieces" (what is an ASCII music symbol ?) >For a single authority to certify a >firewall will imply a single authority imposing its idea of >"correct design": a role NSA has adopted in the past with varying >levels of success and questionable benefits to the community. I must respectfully say that this is a simplistic view of a "certifying authority" and hold up the Society of Automotive Engineers (SAE) as another way. The multi-volume "SAE Handbook" covers a broad number of standards relating to automobiles. If you want to know what "5W-30" means, look at SAE J183. Similarly, each class of service (e.g. SMTP) would have a separate set of standards (the RFC is a place to start) and tests to certify that it does this and only this. One logical subtest would be an "overflow test". But this is not where the testing would start, rather it would begin just as the 7 layer model does, with the physical layer, defining the acceptable level and type of electrical/optical signals accepted and possibly suggesting action to occur if not reached or exceeded. > More importantly, a firewall needs to be correct FOR ITS >PROPOSED USE and that needs to be taken into account when it is >"certified." Exactly right but to do so, you must start at the bottom (well, until certain structures are certified to meet the requirements up to a point, then those systems using that structure may build on it in ways supported by that structure, and need only test the additions). > I believe there are 2 approaches, which are not necessarily >mutually exclusive or incompatible: > 1) Programmed "checklist" testing > 2) Design-oriented testing > "Checklist" testing would amount to running SATAN++ against >the firewall and failing it if SATAN++ found a hole. Do not pass go, >do not collect $200. Here I disagree. S*T*N is a "quick and dirty" test.
That it succeeds or does not succeed depends on a specific set of circumstances that are available from the node level. It does *nothing* to test the physical layer as I mentioned above yet to *certify*, it must. I suspect that the problem here (and on this list in general) is "when all you have is a hammer, everything starts to look like a nail". Certain elements, being inherently unreachable from a workstation or notebook, are dismissed. Just as an example of one I have not seen addressed, is what does a firewall/ system combination do when given port address 32,793 ? Is a legitimate port number, yet I have heard tales of wrapping... S*T*N does not test it. Even the FWTK port strober does not reach that high. Some would say it is silly to go that far and it would be impractical unless sitting next to the device to test all 65k yet *they are there*. > The problem with this approach is that it is >very limited: a bug that we don't test for in SATAN++ could slice >right through the firewall tomorrow and we'd have to invalidate the >whole certification and recertify. The advantage of the "checklist" >approach is that it's cheap, quick, easy, and it lets a vendor put a >certification "seal of approval" on their product and everyone can >get a quick set of warm fuzzies and tell their boss they have >exercised due diligence. Exactly what I was getting at. Of course if the only reason for "certification" is to CYA then the above doesn't matter - just find a group in or around Washington with an impressive set of initials to sell you one. (BTW where can I buy a law degree ?). > Design-oriented testing is when you walk into the room where >the engineers who wrote the firewall sit, and start with the question: >"Why do you think this firewall protects networks and itself effectively?" >and go from there. This also leaves out too much. Where did they start their assumptions ? For what environment ? What is a Network (TCP/IP, IPX, Vines) ?
> I've heard scary stories of people doing "firewall testing" >who do not understand UNIX. So, for example, they will tell you the >firewall is insecure if the sendmail executable has not been deleted. "When you are a hammer..." - Sorry but the world does not revolve around UNIX. Some firewalls build on that as a base, more have a front end that *looks* sort of like UNIX because a lot of people are familiar with/ expect that syntax so get a "warm and fuzzy". Real engineers do not go by feelings (hunches & intuition now...). Of course real engineers spend a lot of time being bored while watching tests. >If someone hired me to do a design-oriented test of a VMS firewall, that'd >be pretty ridiculous, too - I'm a UNIX guru, and am completely unqualified to >find a hole in a VMS product. Am (or used to be 8*) qualified - have written enough VMS device drivers to say there is No Way I'd accept a VMS firewall. Ultrix or VaxElin (does it still exist ?) maybe but not VMS for the same reason I have my doubts about NT. Ring/privilege based systems are good so long as nothing crosses the rings. Once you start... This is the reason I prefer a collection of dumb, single-state machines. > The market is ripe right now for someone to come along and >start certifying firewalls. Yes, I saw the NCSA announcement. > NSA will probably do it for their customer >base, which is government only. As such they will slant their "What >is good" requirements to meet their political/technological agenda: Nothing wrong with that so long as you can be reasonably sure what their agenda is and that will be evident by an examination of their testing methodology which is another issue - I would not trust *any* certificating authority which did not make its methodology available for examination. > I recently rather derisively dismissed an RFI from a large >consulting company that wants to hire "firewall test consultants" >and asked for a detailed writeup of the methodology used.
(My response >was a description of design-oriented testing) From the layout of >the RFI it was pretty clear that they were building a laundry list >and were canvassing other consultants to help fill out their own >laundry list. LLPs (Limited Liability Partnerships) supplemented by a cast of captive consultants seem to be very attractive to the biggies nowadays, not so sure what is in it for a Really Good Consultant since nothing is guaranteed other than "we will steer business we don't want your way" and it is evident that it will be Sayonara as soon as they build their stable of just-out-of-school (e.g. cheap) network guys on the reps of the LLPs (have been approached by some myself). > "Who do you trust?" - depends on what you've got to lose. True. Reminds me of the story a little while ago about a manager who was getting bonuses for spending almost nothing on security while stroking upper management. When asked what he would do if an incident occurred said: "This year I'll just find another job, next year I'll have enough to retire..." Point I am trying to make is that a "security professional" must be concerned primarily with exception avoidance. Unfortunately, if you are successful, nothing happens, so why are you needed ? Run into this problem myself - we have these things called "metrics" essentially "what did you do this week". Minor flap was the winword.concept/ prank macro/wordmacro virus. Found out about it several weeks ago & put together an easy/effective defense (combination of "Prompt to save Normal" & "DisableAutoMacros"). When the fuss started I sent out a note. So what are the metrics ? An hour for the note ? Could not list the hours spent the week before because then there was no problem (and might not be) - Research ? We have no budget for that. Of course I guess the fact that I still have a job indicates something...
Meanwhile back on track: so what we need is an independent certifying authority like Underwriters or the SAE to create standards (no activity on the firewalls-standards list lately). Problem is that those who could set something like that up are not the people needed to do the work - why magazines/movies separate it: the publishers/producers bring the money in and the editors/directors decide how it goes out. Both are full time jobs requiring entirely different skills. Our trouble is that we have a lot of good directors and actors but the producers are mainly snake oil salesmen. Those who might be able to transition are tied down by job/family. I figure it would take a seed of U$10 million to get started and U$3 million a year for three years to produce anything meaningful - any takers ? Warmly, Padgett From firewalls-owner Sat Sep 9 12:30:05 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA24862 for firewalls-outgoing; Sat, 9 Sep 1995 12:03:19 -0700 Received: from mtldns.mtl.unisysgsg.com (mtldns.mtl.paramax.com [128.126.52.200]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA24855 for ; Sat, 9 Sep 1995 12:03:15 -0700 Received: from monsmtp.mtl.unisysgsg.com (monsmtp.mtl.paramax.com) by mtldns.mtl.unisysgsg.com (4.1/SMI-4.1) id AA10937; Sat, 9 Sep 95 14:38:07 EDT Received: by monsmtp.mtl.unisysgsg.com with Microsoft Mail id <3051E51E@monsmtp.mtl.unisysgsg.com>; Sat, 09 Sep 95 15:03:58 EDT From: "Belisle, Michel @ MON" To: firewalls Subject: Firewalls product Date: Sat, 09 Sep 95 15:00:00 EDT Message-Id: <3051E51E@monsmtp.mtl.unisysgsg.com> Encoding: 8 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm looking for a firewall comparison chart, a document that will compare most popular products, and identify what each can and can't do ? 
Michel Belisle, Information Technology, mbelisl@mtl.unisysgsg.com From firewalls-owner Sat Sep 9 12:32:36 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA25242 for firewalls-outgoing; Sat, 9 Sep 1995 12:19:00 -0700 Received: from [198.102.244.42] (pb520.greatcircle.com [198.102.244.42]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA25230; Sat, 9 Sep 1995 12:18:53 -0700 X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sat, 9 Sep 1995 12:18:15 -0800 To: smb@research.att.com, Firewalls@GreatCircle.COM From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: Corporate Audits Cc: dmurphy@coltrane.cwa.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 8:31 AM 9/9/95, smb@research.att.com wrote: > So, have any of you big-business wage-slaves had corporate > auditors come into your shop and ask questions (perceptive or > otherwise) about firewalls and network security yet, and if > so, would you be willing/able to share such stories with the > list? > >I'm not sure if I should name names or not -- it's not my place to do >so -- but I know for certain that at least one large industrial outfit >was barred by their auditors from connecting to the Internet until they >had a heavy-duty firewall in place. Which, if they're not VERY careful, merely means that the organization is going to have a dozen or more "underground" connections spring up at various sites and within various groups, each of which individually is probably fairly insecure. It's just too easy for somebody to go get a modem and phone line (or, heck, even an ISDN or frame relay line), and service from some local or national service provider. They'll be in place and in use and invaluable to the groups using them, and (alas) probably not properly secured. How to deal with this varies by organization. 
However, blanket "Thou shalt not connect to the Internet" directives are very difficult to enforce, and seldom have the desired effect. You've got to provide useful alternatives (like a useful connection through a properly secured central firewall). The key is, the USERS determine the definition of "useful"; if they determine that what you're offering doesn't meet their needs, they'll go around you. -Brent -- Brent Chapman | Great Circle Associates | For Firewalls Tutorial info: Brent@GreatCircle.COM | 1057 West Dana Street | Tutorial-Info@GreatCircle.COM +1 415 962 0841 | Mountain View, CA 94041 | http://www.greatcircle.com From firewalls-owner Sat Sep 9 22:30:36 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA00517 for firewalls-outgoing; Sat, 9 Sep 1995 22:22:53 -0700 Received: from switchblade.iwi.com (switchblade.iwi.com [137.39.156.214]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id WAA00510 for ; Sat, 9 Sep 1995 22:22:49 -0700 Received: (from mjr@localhost) by switchblade.iwi.com (8.6.9/8.6.9) id BAA18485 for firewalls@greatcircle.com; Sun, 10 Sep 1995 01:43:23 -0400 From: "Marcus J. Ranum" Message-Id: <199509100543.BAA18485@switchblade.iwi.com> Subject: rant on testing expands into white paper - To: firewalls@greatcircle.com Date: Sun, 10 Sep 1995 01:43:22 -0400 (EDT) Reply-To: mjr@iwi.com Organization: Information Warehouse! Inc, Baltimore, MD URL: mjr's web page Phone: 410-889-8569 Coredump: Infocalypse Now!!! X-Mailer: ELM [version 2.4 PL24] Content-Type: text Content-Length: 713 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The recent rant I posted here on testing firewalls, and "certifying" them addresses a topic I feel is very important for us all to think about. It's the whole problem of how to test something that is incredibly configurable, field-installable, customer-upgradeable, complex, and vitally important. 
Anyhow - I have a lot of opinions on the topic and I thought I'd get them off my chest by extending my previous mail into a short white paper. It's on: http://www.iwi.com/iw-pubs.html I hope it can serve as a trigger for further discussions. In fact, if anyone has any rebuttals or other testing-related white papers they'd like hyperlinked or posted on the 'web, I'd be happy to host them on my server. mjr. From firewalls-owner Sun Sep 10 01:00:04 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA01728 for firewalls-outgoing; Sun, 10 Sep 1995 00:42:56 -0700 Received: from aristo.tau.ac.il (aristo.tau.ac.il [132.66.32.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id AAA01721 for ; Sun, 10 Sep 1995 00:42:50 -0700 Received: from radguard.co.il ([192.114.26.210]) by aristo.tau.ac.il with SMTP id AA01414 (5.67b/IDA-1.5 for ); Sun, 10 Sep 1995 10:41:12 +0300 Received: by radguard.co.il (4.1/SMI-4.1) id AA10129; Sun, 10 Sep 95 09:40:35 IDT Received: from elgamal.radguard.co.il(192.114.210.2) by gatekeeper.radguard.co.il via smap (V1.3) id sma010127; Sun Sep 10 09:40:14 1995 Received: by elgamal.radguard.co.il (4.1/SMI-4.1) id AA20958; Sun, 10 Sep 95 09:40:11 IDT Date: Sun, 10 Sep 95 09:40:11 IDT From: ronys@elgamal.radguard.co.il (Rony Shapiro) Message-Id: <9509100640.AA20958@elgamal.radguard.co.il> To: firewalls@greatcircle.com Subject: Re: Firewall-1 concerns Reply-To: ronys@radguard.co.il Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Recently, "Someone very concerned" posted (anonymously) to this mailing list regarding the Firewall-1 product. The poster was concerned that since the source code is not available to the reseller of the product, a trap door may have been installed. This is a valid point, but I don't understand why the poster would trust the reseller any more than he/she trusts (or doesn't trust, in this case) the developer! 
Indeed, for the truly concerned, even source code availability for the customer is insufficient (the compiler may be doctored to insert a trap door). So one can only wonder about the anonymous poster's _real_ motives: > I'm afraid that companies may look at the Sun firewall-1 product and > think that Sun has inspected the code for trapdoor and such in the code > that may have put there under orders from the Masad. In fact, I heard > one person say that in looking at the binary there is very suspicious > code. 1. And what assurances would we have that Sun (or the NSA) wouldn't insert a trap door if they had the sources? 2. The last sentence is a bit vague, perhaps the poster would care to elaborate? Notes: I am in no way connected with either Checkpoint (the company which wrote Firewall-1) or Sun. I am an (insulted) Israeli citizen. ----------------------------------------------------------------- Rony Shapiro | Phone : 972-3-6459556 RADGuard Ltd. | Fax : 972-3-6480859 8, Hanechoshet St. 
| E-mail: ronys@radguard.co.il Tel Aviv 69710 Israel From firewalls-owner Sun Sep 10 04:00:09 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA04281 for firewalls-outgoing; Sun, 10 Sep 1995 03:54:49 -0700 Received: from boombox.cyber.com.au (boombox.cyber.com.au [203.7.155.33]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id DAA04273; Sun, 10 Sep 1995 03:54:38 -0700 Received: (from root@localhost) by boombox.cyber.com.au (8.6.8/8.6.6) with UUCP id UAA32223; Sun, 10 Sep 1995 20:53:07 +1000 Received: (from mikec@localhost) by phyto.cyber.com.au (8.6.9/8.6.9) id UAA02903; Sun, 10 Sep 1995 20:16:37 +1000 From: Mike Ciavarella Message-Id: <199509101016.UAA02903@phyto.cyber.com.au> Subject: Re: Interpreting CERT advisories To: Brent@greatcircle.com (Brent Chapman) Date: Sun, 10 Sep 1995 20:16:36 +1000 (EST) Cc: bdboyle@maverick.erenj.com, firewalls@greatcircle.com In-Reply-To: from "Brent Chapman" at Sep 8, 95 09:41:37 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 471 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > The fact that there are lots of CERT advisories for a given vendor > doesn't (necessarily) mean that vendor is somehow less secure; it _does_ > means that the vendor is more willing than others to cooperate with CERT > in producing advisories (which I think is a feature, not a bug). It's also a (very rough) indicator of the types of machines ppl have (and have access to). How many advisories or potential holes have been reported on net-connected MVS boxen? 
Mike From firewalls-owner Sun Sep 10 11:30:02 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA08498 for firewalls-outgoing; Sun, 10 Sep 1995 11:24:51 -0700 Received: from pony-express.ims.advantis.com (pony-express.ims.advantis.com [165.87.194.144]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA08491 for ; Sun, 10 Sep 1995 11:24:47 -0700 Received: by pony-express.ims.advantis.com (5.67b/4.03) id AA21529; Sun, 10 Sep 1995 14:19:20 -0400 Received: from pangloss.ims.advantis.com(164.120.180.21) by pony-express.ims.advantis.com via smap (V1.3) id sma019222; Sun Sep 10 14:19:14 1995 Received: by pangloss.ims.advantis.com (AIX 3.2/UCB 5.64/4.03) id AA28764; Sun, 10 Sep 1995 14:23:15 -0400 Message-Id: <9509101823.AA28764@pangloss.ims.advantis.com> Subject: Re: mirrored fw To: ee@mailhost.hooked.net (Eric Eigenfeld) Date: Sun, 10 Sep 1995 14:23:14 -0400 (EDT) Cc: firewalls@greatcircle.com In-Reply-To: <199509082145.OAA02362@chum.hooked.net> from "Eric Eigenfeld" at Sep 8, 95 02:45:06 pm From: chk@psa.pencom.com (Christian Kuhtz) X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Content-Length: 1522 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I am developing plans for a mirrored fw architecture. The client requires > 2--->n locations, each with its own independently operating ,complete > architectures that could assume control on demand. User base is quite > large, and firewalls are already implemented and functioning in multiple > locations. > > Throw in automatic mirroring of changes to internal and external web > servers, a left handed monkey wrench for adjustments, and they're happy. > > Any experiences with mirrored firewalls? SUP for instance is a very nice tool for remote deployment. Basically anything that can do remote deployment with strong authentication should do the trick. 
But you probably not only need remote deployment, but also remote execution. SSH might do the trick for that part, then again, you might as well use SSH's rcp for remote deployment with SSH's rsh for remote execution. Or, you could completely kerberize your firewalls. Lotsa options. Almost anything will do. What exactly do the web servers have to do with your firewall management?... Maybe a little bit more explanation of what you were trying to accomplish in what kind of setup would be a great idea. :) And why are you mirroring them, for redundancy only or increased performance? Best Regards, Chris --___ ____ __ | _ \/ __/| \ Christian Kuhtz (914) 684-4467 | _/\__ \| \ \ Pencom System Administration Services fax: (914) 684-3791 |_| /___/|_|__\ on-location at Advantis/IBM Global Network, White Plains, NY From firewalls-owner Sun Sep 10 12:32:38 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA09360 for firewalls-outgoing; Sun, 10 Sep 1995 12:13:37 -0700 Received: from pony-express.ims.advantis.com (pony-express.ims.advantis.com [165.87.194.144]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA09353 for ; Sun, 10 Sep 1995 12:13:34 -0700 Received: by pony-express.ims.advantis.com (5.67b/4.03) id AA21127; Sun, 10 Sep 1995 15:08:09 -0400 Received: from pangloss.ims.advantis.com(164.120.180.21) by pony-express.ims.advantis.com via smap (V1.3) id sma016517; Sun Sep 10 15:08:06 1995 Received: by pangloss.ims.advantis.com (AIX 3.2/UCB 5.64/4.03) id AA27573; Sun, 10 Sep 1995 15:12:07 -0400 Message-Id: <9509101912.AA27573@pangloss.ims.advantis.com> Subject: Re: Firewall-1 concerns To: silveira@nutecpa.nutec.tche.br Date: Sun, 10 Sep 1995 15:12:06 -0400 (EDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <9509081844.aa27730@canario.canario.nutecsp.br> from "silveira@nutecpa.nutec.tche.br" at Sep 8, 95 06:46:08 pm From: chk@psa.pencom.com (Christian Kuhtz) X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Type: 
text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Content-Length: 2445 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Finally, on a broader issue, a question from me: How are contracts signed > between the firewall provider and the customer with regard to the possibility > of a successful attack? Most companies are smart enough to disclaim all their responsibility for any kind of damages anyways. How much that'll hold water in a court of law is another question, especially with the general lack of competence in this field as far as the manifestations of justice are concerned. Usually, there's little hope that you can hold anybody liable, unless you can prove that they've implemented a certain shortcoming with intent, which in turn is (obviously) very difficult, if not impossible. Like, zzz sells company xxx a firewall product, takes over support and management of it with the intent to break into xxx's critical systems (a complete technical and social trojan so to speak :). That you can probably take to court with a reasonable chance of succeedind holding zzz responsible, assuming your contract does not disclaim liability and you can prove everything == *VERY* unlikely to happen. Otherwise, forget it. You can at the most fire your *own* employee, and potentially you can take the person to court. You're free to attempt holding anyone liable for anything (which is fortunately what many people try to do in the US and unfortunately, IMHO, way to many succeed in doing so), but I doubt you'll yield anything but lotsa attorney costs. Lastly, imagine international law becoming a part of this. Let's say, your box is in Russia, your alleged hacker pool is somewhere in the US, and your firewall manufacturer is Brazilian.. there's realistically speaking no way you're gonna catch anyone or hold anybody responsible. Unless you deal with something touching national security.... but to those kinds of things, the laws of gravity don't apply anyways. 
Anyways, I have yet to see a contract where the contractor signs over full responsibility for a firewall etc. Too many things have influence on security, such as internal policies, building security etc. There is usually not much of a contract safety-net, in my experience, many rely on the reputation alone. Best Regards, Chris --___ ____ __ | _ \/ __/| \ Christian Kuhtz (914) 684-4467 | _/\__ \| \ \ Pencom System Administration Services fax: (914) 684-3791 |_| /___/|_|__\ on-location at Advantis/IBM Global Network, White Plains, NY From firewalls-owner Sun Sep 10 14:30:04 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA11507 for firewalls-outgoing; Sun, 10 Sep 1995 14:16:06 -0700 Received: from delfin.com (delfin.com [192.129.85.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA11500 for ; Sun, 10 Sep 1995 14:16:03 -0700 Received: from delfinsd.delfinsd.delfin.com ([192.187.198.1]) by delfin.com (4.1/SMI-4.1 - 6/21/93 ) id AA14944; Sun, 10 Sep 95 14:11:05 PDT Received: from felixpc (felixpc.delfinsd.delfin.com) by delfinsd.delfinsd.delfin.com (4.1/SMI-4.1) id AA03684; Sun, 10 Sep 95 14:15:49 PDT Message-Id: <9509102115.AA03684@delfinsd.delfinsd.delfin.com> X-Sender: felix@delfinsd-gw X-Mailer: Windows Eudora Version 2.1.1 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sun, 10 Sep 1995 14:13:55 -0700 To: Firewalls@greatcircle.com From: Robin Felix Subject: Re: upgrade to commercial firewalls Cc: Shawn Steele Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 01:24 PM 9/8/95 -0600, Shawn Steele wrote: >> If we get attacked and lose software/data etc, then >> who's liable ? >> If we use freeware products, then noone is. If we use a commercial >> product, then we can, I guess, sue the firewall supplier ... ? > >Ah, sue-happy america. I seriously doubt you'll find a supplier that >doesn't have some sort of clause specifically disallowing any damages >from using their product. 
(A friend recently had his house broken >into, I doubt he could successfully sue the deadbolt manufacturer). It's not the suit that's important -- it's who is responsible for "making you whole" after a loss that's the major concern. The suit is a last resort, but the knowledge (or best guess) concerning who would win the suit is the ammunition you bring to negotiation. The deadbolt manufacturer above could probably be "persuaded" to help make you whole if the deadbolt did not perform as advertised or were defective in some way, as a suit would be more costly for them than paying your damages. Likewise, any disclaimer on a commercial firewall is only good insofar as it disclaims responsibility for loss if installed and properly configured and maintained. If the product has a serious defect that allowed you to be damaged despite its proper installation and maintenance, then that firewall manufacturer could face liability despite any words to the contrary on the package. I imagine that the original writer has business loss insurance. I'd look closely at the policy to see how that insurance, generally designed for physical loss, handles data loss. If that type of coverage is excluded and you're using a homegrown or public domain firewall you're on your own, having only the destroyer to find and "convince" to make you whole, a difficult task. If you're using a commercial firewall and the loss occurred through a defect, the firewall company could face liability despite disclaimers. If your loss is covered by your insurance, on the other hand, then the insurance company (which should be calculating its premiums based on your particular site's security plan and practices) would make you whole, then go forth to get restitution from appropriate persons who could include the destroyer and the commercial firewall vendor if the product did not perform to spec. 
It's really their choice -- you only have to worry about collecting payment from the insurance company by convincing them that you were implementing security in a reasonable fashion, or a fashion required by your particular insurance policy. Using a commercial product may or may not give you someone to go after depending on the circumstances, but if you're hanging out without insurance it probably would give you more options than if you build the firewall yourself. BTW, while it's true that damage from data loss is a serious concern, regular backups to inaccessible offline storage should minimize that damage to the data lost since the last backup. You are doing that, aren't you? ;-) -- Robin Felix; felix@delfin.com; felix@nosc.mil 619-291-2194(work), 619-291-5852(fax), 619-991-5081(alt) http://www.delfinsd.delfin.com/ From firewalls-owner Sun Sep 10 16:30:26 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA13828 for firewalls-outgoing; Sun, 10 Sep 1995 16:01:32 -0700 Received: from MUKLUK.HQ.DECUS.CA ([198.53.154.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id VAA00133 for ; Sat, 9 Sep 1995 21:57:42 -0700 Received: by mukluk.hq.decus.ca (MX V3.3 VAX) id 14783; Sun, 10 Sep 1995 00:33:39 EST Date: Sun, 10 Sep 1995 00:29:26 EST From: "Rob Slade, the doting grandpa of Ryan Hoff" X-Comment: To: header was truncated; missing 2 entries. 
To: kaisaki@csmc.edu, cccf@email.teaser.com, orvis@llnl.gov, jhammock@clark.net, vcrouch@wic.ca, gen@stubbs.ucop.edu, pitzel@cs.sfu.ca, eccles@freenet.vancouver.bc.ca, myles@io.org, kms@northcoast.net, jb@paris7.jussieu.fr, vclib@uts.cc.utexas.edu, kehoe@fortuity.com, lloyd_uliana@mindlink.net, temetz@carleton.edu, susan@cyberstore.ca, mae@freenet.victoria.bc.ca, pd@nwavbbs.demon.co.uk, jon@stekt.oulu.fi, swanson@csmes.ncsl.nist.gov, wells@csmes.ncsl.nist.gov, pfratus@compubooks.com, reviews@reiters.com, rjames@fox.nstn.ns.ca, roswell@fox.nstn.ca, ecbs@sas.ab.ca, sanj@wordsworth.com, afinet@books.com, jkcohen@uci.edu, keithx@technical.powells.portland.or.us, michel.bauwens@dm.rs.ch, pandres@cln.etc.bc.ca, root@mag.mechnet.com, clovf@ruby.ils.unc.edu, shrike@shell.portal.com, rob.slade@f733.n153.z1.fidonet.org, steele@wolfe.net, cnews@libtech.com, johnl@mukluk.hq.decus.ca, mulholland@psc.org, robertbl@mukluk.hq.decus.ca, swart@shr.dec.com, elizabethm@mukluk.hq.decus.ca CC: brock@ucsub.colorado.edu, book-reviews@news.colorado.edu, misc-books-technical@cs.utexas.edu, alt-books-technical@cs.utexas.edu, biz-books-technical@cs.utexas.edu, risks@csl.sri.com, firewalls@greatcircle.com, comp-security-misc@cs.utexas.edu, techs@ulysses.sis.ualberta.ca, secsig-l@decus.ca, roberts@mukluk.hq.decus.ca X-VMSmail-To: @REVIEW X-VMSmail-CC: @BOKLSTRV,MX%"risks@csl.sri.com",MX%"firewalls@greatcircle.com",MX%"comp-security-misc@cs.utexas.edu",MX%"techs@ulysses.sis.ualberta.ca",MX%"secsig-l@decus.ca",ROBERTS Message-ID: <0099629C.F44652C0.14783@mukluk.hq.decus.ca> Subject: "Building Internet Firewalls" by Chapman/Zwicky Sender: firewalls-owner@GreatCircle.COM Precedence: bulk [I received a draft copy of this, so some details either aren't available or might have changed. 
Last word I had from the publisher, this is due for release on Tuesday - rms] BKBUINFI.RVW 950712 "Building Internet Firewalls", Chapman/Zwicky, 1995, 1-56592-124-0 %A Brent Chapman %A Elizabeth Zwicky %C 103 Morris Street, Suite A, Sebastopol, CA 95472 %D 1995 %G 1-56592-124-0 %I O'Reilly & Associates, Inc. %O 800-998-9938 707-829-0515 fax: 707-829-0104 nuts@ora.com %O 519-283-6332 800-528-9994 rick.brown@onlinesys.com %T "Building Internet Firewalls" Cheswick and Bellovin's "Firewalls and Internet Security" (cf. BKFRINSC.RVW) will continue to be seen as the classic reference with the seriously technical crowd. Chapman and Zwicky, however, have here created the first reference for the more normal run of system administrators: those whose lives do not revolve around hacking the UNIX kernel. Part one could almost stand as a separate book, itself. It is an introduction to firewalls. More, it is a very down-to-earth and practical guide to evaluating security needs and planning for security systems and practices. The writing is completely clear, and the explanations first-rate. Chapter four, on firewall architectures, is a perfect introduction for the manager who, while not having a technical background, must lead or administer a security project. Part two gets into more technical details of firewall construction and the communications needs for Internet services. The writing, though, is still clear and easily accessible to any intelligent reader. Part three covers maintenance and administrative work. Appendices list information and software resources as well as a brief introduction to TCP/IP basics. This is the first book which truly explains, to the non-specialist, the various factors and functions involved in firewall choice and construction. For those building their own and for those evaluating vendor proposals, this book is a must. copyright Robert M. 
Slade, 1995 BKBUINFI.RVW 950712 ============= Vancouver ROBERTS@decus.ca | "The client interface Institute for Robert_Slade@sfu.ca | is the boundary of Research into Rob_Slade@mindlink.bc.ca | trustworthiness." User rslade@freenet.vancouver.bc.ca| - Tony Buckland, UBC Security Canada V7K 2G6 | From firewalls-owner Sun Sep 10 18:00:22 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA16354 for firewalls-outgoing; Sun, 10 Sep 1995 17:33:09 -0700 Received: from state-opera.comp.vuw.ac.nz (state-opera.comp.vuw.ac.nz [130.195.5.8]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id RAA16340 for ; Sun, 10 Sep 1995 17:33:03 -0700 X400-Received: by mta state-opera.comp.vuw.ac.nz in /PRMD=NewZnet/ADMD=Synet/C=NZ/; Relayed; Mon, 11 Sep 1995 12:19:51 +1200 X400-Received: by /PRMD=Postie/ADMD=Synet/C=NZ/; Relayed; Mon, 11 Sep 1995 12:07:22 +1200 X400-Received: by /PRMD=NewZnet/ADMD=Synet/C=NZ/; Relayed; Mon, 11 Sep 1995 12:05:18 +1200 X400-Received: by /PRMD=NewZnet/ADMD=Synet/C=NZ/; Relayed; Sun, 10 Sep 1995 17:29:26 +1200 Date: Sun, 10 Sep 1995 17:29:26 +1200 X400-Originator: firewalls-owner@GreatCircle.COM X400-Recipients: non-disclosure:; X400-MTS-Identifier: [/PRMD=NewZnet/ADMD=Synet/C=NZ/;<0099629C.F44652C0.14783@mukluk.] X400-Content-Type: P2-1984 (2) Content-Identifier: (l)l(r)q(l)r(r)B Alternate-Recipient: Allowed From: a Message-ID: <0099629C.F44652C0.14783@mukluk.hq.decus.ca> To: tolist@postie.synet.net.nz, cclist@postie.synet.net.nz Subject: "Building Internet Firewalls" by Chapman/Zwicky X-Comment: To: header was truncated; missing 2 entries. 
X-VMSmail-To: @REVIEW X-VMSmail-CC: @BOKLSTRV,MX%"risks@csl.sri.com",MX%"firewalls@greatcircle.com",MX%"comp-security-misc@cs.utexas.edu",MX%"techs@ulysses.sis.ualberta.ca",MX%"secsig-l@decus.ca",ROBERTS Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From firewalls-owner Mon Sep 11 00:30:26 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA22177 for firewalls-outgoing; Mon, 11 Sep 1995 00:20:42 -0700 Received: from gatekeep.genmagic.com (gatekeep.genmagic.com [192.216.16.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id AAA22168; Mon, 11 Sep 1995 00:20:38 -0700 Received: from (genmagic.genmagic.com [10.1.4.12]) by gatekeep.genmagic.com (8.6.9/8.6.9) with SMTP id QAA16163; Sun, 10 Sep 1995 16:04:05 -0700 Received: from abulafia.genmagic.com by genmagic (4.1/SMI-4.1/JBS) id AA01462; Mon, 11 Sep 95 00:10:18 PDT Received: by abulafia.genmagic.com (931110.SGI/930416.SGI) for @genmagic.genmagic.com:Brent@GreatCircle.COM id AA14024; Mon, 11 Sep 95 00:10:29 -0700 Date: Mon, 11 Sep 95 00:10:29 -0700 From: jet@abulafia.genmagic.com (J. Eric Townsend) Message-Id: <9509110710.AA14024@abulafia.genmagic.com> To: Mike Ciavarella Cc: Brent@GreatCircle.COM (Brent Chapman), bdboyle@maverick.erenj.com, firewalls@GreatCircle.COM Subject: Re: Interpreting CERT advisories In-Reply-To: <199509101016.UAA02903@phyto.cyber.com.au> References: <199509101016.UAA02903@phyto.cyber.com.au> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk "mikec" == Mike Ciavarella writes: mikec> It's also a (very rough) indicator of the types of machines ppl mikec> have (and have access to). How many advisories or potential mikec> holes have been reported on net-connected MVS boxen? How many MVS systems are plugged directly into the internet? How many are actually used for TCP/IP related services? (Where's my Mosaic for MVS? 
:-) IMHO, Suns get broken into all the time because: -- everybody has one to practice on -- they were designed with being useful in mind. --jet From firewalls-owner Mon Sep 11 01:00:19 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA22327 for firewalls-outgoing; Mon, 11 Sep 1995 00:43:41 -0700 Received: from warrane.connect.com.au (warrane.connect.com.au [192.189.54.33]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id AAA22320 for ; Mon, 11 Sep 1995 00:43:37 -0700 Received: from mailgate.UUCP (root@localhost) by warrane.connect.com.au with UUCP id RAA01674 (8.6.12/IDA-1.6 for GreatCircle.COM!Firewalls); Mon, 11 Sep 1995 17:41:35 +1000 Message-Id: Date: Mon, 11 Sep 95 16:36 EST X-Sender: schan@dev X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM From: Stanley Chan Subject: Re: Firewalls-Digest V4 #518 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >1. It's Mosad and not Masad >2. I wish someone would tell me about all those conspiracies I'm supposed > to be a part of. >3. The question here is a legit one, how can you trust a firewall when > you don't know what the code looks like? >4. Posting from an anon account won't stop the Masad from finding you, > and now that you've blown their cover, I guess they'll have to kill you. > Well I think if we have to worry about a firewall's source code, I would spend my time worrying about all the kernels problem instead. How can you trust a kernel or OS from HP, SUN, DIGITAL or any vendor who wrote UNIX os for sale and yet they never ever review their source code to you for certification. May be you can argue that the US Defense have looked at it. But how can people from outside the US trust it. How do we know that the code did not include a backdoor to let some one in secretly or download your secret documents in the system to a distant machine. 
Stanley Chan (System Administrator) E-mail schan@gcau.com.au (Ph 617-38771016 Fax 617-38771120) Snail Golden Casket Art Union Office Locked bag 7, Coorparoo DC Qld Australia 4151 From firewalls-owner Mon Sep 11 05:32:40 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA26618 for firewalls-outgoing; Mon, 11 Sep 1995 05:13:15 -0700 Received: from bn.com ([161.221.10.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA26611 for ; Mon, 11 Sep 1995 05:13:13 -0700 Received: from mhs-gw.bn.com by bn.com (5.0/SMI-SVR4) id AA00600; Mon, 11 Sep 1995 08:11:26 +0500 Message-Id: <9509111211.AA00600@bn.com> From: VMIRAGLI@bn.com (Vincent Miragliotta) Date: Mon, 11 Sep 1995 08:04 EST To: firewalls@greatcircle.com Subject: Subscription content-length: 79 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm not receiving any more mail from the Firewall Forum. Was I de-subscribed? From firewalls-owner Mon Sep 11 05:37:33 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA26880 for firewalls-outgoing; Mon, 11 Sep 1995 05:28:41 -0700 Received: from zeus.danosi.dk (zeus.danosi.dk [193.88.50.70]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA26873 for ; Mon, 11 Sep 1995 05:28:33 -0700 Received: from notesgw.danosi.dk by zeus.danosi.dk (4.1/SMI-4.1) id AA06004; Mon, 11 Sep 95 14:25:40 +0200 Received: by notesgw.danosi.dk (IBM OS/2 SENDMAIL VERSION 1.3.2)/1.0) id AA0077; Mon, 11 Sep 95 14:29:36 +0100 Message-Id: <9509111329.AA0077@notesgw.danosi.dk> Received: from DANOSI with "Lotus Notes Mail Gateway for SMTP" id 163E8F913BCEB771C125623400438A56; Mon, 11 Sep 95 14:29:35 To: firewalls From: Carsten Rhod Gregersen/DANOSI_Aarhus/DK Date: 11 Sep 95 14:23:26 Subject: Email guards Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am looking for email guards, something like the TIS-TMEG email guard as a filter to sendmail or 
similar mail server programs (look at their www page for more info www.tis.com). Is TIS the only manufactor of such software ??? (I've spent quite some time surfing around, with no results) Regards Carsten Rhod Gregersen From firewalls-owner Mon Sep 11 06:30:43 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA28167 for firewalls-outgoing; Mon, 11 Sep 1995 06:28:40 -0700 Received: from yarrina.connect.com.au (yarrina.connect.com.au [192.189.54.17]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA28159 for ; Mon, 11 Sep 1995 06:28:34 -0700 Received: from suburbia.net (suburbia.apana.org.au [192.188.107.90]) by yarrina.connect.com.au with ESMTP id XAA14374 (8.6.12/IDA-1.6 for ); Mon, 11 Sep 1995 23:27:09 +1000 Received: (proff@localhost) by suburbia.net (8.6.12/Proff-950810) id XAA12886 for firewalls@greatcircle.com; Mon, 11 Sep 1995 23:27:01 +1000 Date: Mon, 11 Sep 1995 23:27:01 +1000 From: Julian Assange Message-Id: <199509111327.XAA12886@suburbia.net> To: firewalls@greatcircle.com Subject: wank worm Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I know this is off target, but what the heck. I am trying to locate specific information that was used in the Wank Worm circa mid 1989. In particular I am trying to locate the fortune cookie file that was included in it. I believe the fortunes were pull from the bsd fortune program. That said finding which versions of fortune where extant during that period and then finding an existing copy of that version now has become a little trying. If anyone on this list had person experiance with the worm at the time or can point me to ancient versions of fortune (oldest I could locate was bsd42/tahoe/reno) I'd certainly appreciate it. 
-Julian Assange (proff@suburbia.net) From firewalls-owner Mon Sep 11 06:32:40 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA27747 for firewalls-outgoing; Mon, 11 Sep 1995 06:07:00 -0700 Received: from OAG.STATE.TX.US (smtpgate.oag.state.tx.us [204.64.38.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA27740 for ; Mon, 11 Sep 1995 06:06:57 -0700 Received: from OCS-Message_Server by OAG.STATE.TX.US with Novell_GroupWise; Mon, 11 Sep 1995 08:10:15 -0600 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Mon, 11 Sep 1995 08:04:53 -0600 From: Richard Owen To: firewalls@greatcircle.com Subject: BOS: firewall certification authority -Reply Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I agree with this concern. The National Research Council issued a report on sensitive but unclassified computing in the US entitled "Computers at Risk." In that report they suggested that an independent organization be formed, the Information Security Foundation. We are about a talking non-government organization under the direction and review of industry and the information security profession {of course with an interface to government). It is hoped that this organization would be given the authority to reduce export restrictions. As President of ISSA, I am very interested in seeing this happen. I have even proposed that ISSA would help to establish such an organization. IMPORTANT POINT: The ISF (now IISF) would not be part of ISSA. It is bigger than ISSA or any organization. The IISF needs to not only provide certification (firewalls, systems, people, etc.) and testing but standards development and research. ISSA currently has a committee that is trying to define the Generally Accepted System Security Principles (GSSP) as also called for in the Computers at Risk report. The IISF should be a place to pull all of our activities into a unified direction. 
This is what I have proposed to a working group of the President's National Security & Telecommunications Advisory Council. >>> Marcus J. Ranum 09/08/95 10:32pm >>> >OK folks, imagine there was to be a firewall certification authority. Who >would you want them to be? Who do you trust? First ask if there should be one at all. Not all firewalls are the same; many have very different design goals and objectives. For a single authority to certify a firewall will imply a single authority imposing its idea of "correct design": a role NSA has adopted in the past with varying levels of success and questionable benefits to the community. From firewalls-owner Mon Sep 11 07:00:36 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA28231 for firewalls-outgoing; Mon, 11 Sep 1995 06:33:08 -0700 Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA28224 for ; Mon, 11 Sep 1995 06:33:04 -0700 Received: from uucp6.UU.NET by relay3.UU.NET with SMTP id QQzgss25704; Mon, 11 Sep 1995 09:31:44 -0400 Received: from brite.UUCP by uucp6.UU.NET with UUCP/RMAIL ; Mon, 11 Sep 1995 09:31:44 -0400 Received: from usrpc10.wichita.brite.com by brite.wichita.brite.com (5.65/1.35) id AA03072; Mon, 11 Sep 95 08:31:35 -0500 Date: Mon, 11 Sep 95 08:27:57 CDT From: Shane Kinsch Subject: httpd compilation To: Firewall X-Mailer: Chameleon ARM_55, TCP/IP for Windows, NetManage Inc. Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We have another UNIX box that were trying denote as our web server and I guess my question is: Has anyone out there been able to compile cern's httpd for Interactive UNIX SysV Rel3.2 V3.01? Just curious because I need help! _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ _/ Shane T Kinsch BRITE VOICE SYSTEMS, INC. 
_/ _/ shane.kinsch@brite.com UNIX TECHNICAL ENGINEER _/ _/ Wichita, KS USA "MIME is ok here" _/ _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ From firewalls-owner Mon Sep 11 07:36:03 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA28910 for firewalls-outgoing; Mon, 11 Sep 1995 07:07:43 -0700 Received: from inet-gw-0.ey.ca (inet-gw-0.EY.CA [132.220.23.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA28903 for ; Mon, 11 Sep 1995 07:07:39 -0700 Received: (from stacy@localhost) by inet-gw-0.ey.ca (8.6.11/8.6.10) id KAA12701; Mon, 11 Sep 1995 10:05:03 -0400 Received: from server-001.ey.ca (server-001.EY.CA [132.220.12.5]) by inet-gw-0.ey.ca (8.6.11/8.6.10) with SMTP id WAA08340 for ; Sun, 10 Sep 1995 22:20:10 -0400 Message-Id: <9509110219.AA17961@server-001.ey.ca> From: stacy@ey.ca (Stacy L. Millions) To: dmurphy@coltrane.cwa.com Cc: Firewalls@greatcircle.com Subject: Re: Corporate Audits Date: Mon, 11 Sep 1995 01:57:31 GMT Reply-To: stacy@ey.ca Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 8 Sep 95 14:48:20 -0400, you wrote: >Gentlebeings, > Better yet, does anybody work for >one of the Used-To-Be-Big-7 accounting firms and know what they're doing >internally about this? Well, I could tell you; but then I would have to kill you :-) Sorry, couldn't resist. Seriously, don't you think it would be of questionable ethics to discuss internal security policy for one of the 'Big-7' (or six or eight or however many after the last round of mergers, acquisitions and split ups :-). If we audited your books, would you like us discussing such matters? Or more appropriately, "if you could afford the lawyers that some of our clients can afford and we audited your books ....":-) I think you get the point. On the other hand, it would make a great series for 'Dilbert', wouldn't it?
-stacy From firewalls-owner Mon Sep 11 07:43:40 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA29329 for firewalls-outgoing; Mon, 11 Sep 1995 07:26:06 -0700 Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA29322 for ; Mon, 11 Sep 1995 07:25:58 -0700 Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id JAA09289; Mon, 11 Sep 1995 09:44:38 -0500 Received: from spirit.sctc.com (spirit.sctc.com [172.17.192.76]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id JAA09285; Mon, 11 Sep 1995 09:44:37 -0500 Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by spirit.sctc.com (8.6.12/8.6.10) with ESMTP id JAA08738; Mon, 11 Sep 1995 09:24:31 -0500 Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id JAA21560; Mon, 11 Sep 1995 09:24:30 -0500 From: Rick Smith Message-Id: <199509111424.JAA21560@shade.sctc.com> Subject: Re: BOS: firewall certification authority To: mjr@iwi.com Date: Mon, 11 Sep 1995 09:24:30 -0500 (CDT) Cc: firewalls@greatcircle.com, rpower@mfi.com In-Reply-To: <199509090432.AAA15521@switchblade.iwi.com> from "Marcus J. Ranum" at Sep 9, 95 00:32:57 am X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 2028 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Would it be worthwhile for us to consider how well/poorly various models of "certification" have worked in other industries or disciplines? I agree that the "Underwriters Laboratories" model won't work for computer devices, regardless if you're certifying "security" or "reliability" or some other global property. Computer based devices are just too complex compared with UL's typical device to test. Right now there's more of a "building inspector" flavor to computer security implementation. 
Somebody puts in a firewall (using better or worse techniques, experience, assumptions) and somebody else comes along and reviews it. The reviewer checks off compliance with building codes: a particular building may wildly exceed codes or, more often, will pass with perhaps a few things that must be changed. However, the building inspectors have a written set of standards to apply (for better or worse) while firewall analysts (or whatever the title is) simply apply some undefined intuition and wrap it in convincing prose. Or worse, they run some canned procedure and document the results. I have only a superficial understanding of FDA rules for approving drugs, but it almost sounds like a similar problem. The interaction of drug and human body is supposed to be analyzed and quantified based on statistical "trials" as well as formal arguments regarding the drug's design and the drug company's procedures for developing such things. There's no expectation that a given drug will work for any patient. The riskier ones are administered under the watchful eye of a trained professional with periodic followup. But the resulting procedure is obscenely expensive and time consuming. Not too different from NCSC formal evaluations, actually. I don't believe we can specify a perfect solution for the problem. Can we specify something (anything?) that's better than nothing and produces the least amount of pain and misdirection on both the industry and our customers? Rick.
smith@sctc.com secure computing corporation From firewalls-owner Mon Sep 11 08:32:52 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA00821 for firewalls-outgoing; Mon, 11 Sep 1995 08:22:56 -0700 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA00814 for ; Mon, 11 Sep 1995 08:22:47 -0700 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA18746; Mon, 11 Sep 95 11:19:17 -0400 Date: Mon, 11 Sep 95 11:19:16 -0400 Message-Id: <9509111519.AA18746@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: Sounds like the politicians are gathering Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Someone claiming to be the president of the ISSA (no signature) writes: >I agree with this concern. The National Research Council issued a >report on sensitive but unclassified computing in the US entitled >"Computers at Risk." In that report they suggested that an >independent organization be formed, the Information Security ^^^^^^^^^^^ >Foundation. > We are about a talking non-government organization >under the direction and review of industry and the information >security profession {of course with an interface to government). >It is hoped that this organization would be given the authority to >reduce export restrictions. Note that expertise in the subject does not seem to be a requirement (sorry but I have seen too many of these "executive-level" committees formed that spend years trying to figure out an agenda. Have walked out of meetings that I could see headed that way). Also really needs to be *International* organization & do not see how "authority to reduce export restrictions" plays - that is pure *politics*. IFIP might make a good parent but the real question is funding.
SAE is funded by members and was created by engineers. Those funded by government grants tend to be politically correct. >IMPORTANT POINT: The ISF (now IISF) would >not be part of ISSA. It is bigger than ISSA or any organization. >The IISF needs to not only provide certification (firewalls, >systems, people, etc.) and testing but standards development and >research. Agree with this but it's sounding more like a political plum by the moment & can see there are plenty of chiefs ready to run it. Warmly, Padgett ps not down on the concept, just want to be sure of the agenda. Have seen too many such "councils" in the past where the appointees were those who looked good on TV. From firewalls-owner Mon Sep 11 09:00:19 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA01128 for firewalls-outgoing; Mon, 11 Sep 1995 08:34:32 -0700 Received: from OAG.STATE.TX.US (smtpgate.oag.state.tx.us [204.64.38.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA01107 for ; Mon, 11 Sep 1995 08:34:26 -0700 Received: from OCS-Message_Server by OAG.STATE.TX.US with Novell_GroupWise; Mon, 11 Sep 1995 10:37:25 -0600 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Mon, 11 Sep 1995 10:32:10 -0600 From: Richard Owen To: firewalls@GreatCircle.COM Subject: Re: BOS: firewall certification authority -Reply -Reply Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ISSA stands for the Information Systems Security Association. We are the non-profit organization for people involved in the protection of information assets (Computer Security, Data Security, EDP Security, etc.). In other words a collection of security managers, security administrators, data base administrators, EDP auditors, disaster recovery personnel, system programmers, system designers, professors, etc.
For example: I am the Information Security Administrator (manager) for the Texas Attorney General, my VP is a Data Security Manager for Wells Fargo, Membership Director is the VP of Data Security for First USA, etc. Of course, as pres, I would be very pleased to have my headquarters send you more info. IISF is the International Information Security Foundation - Name had to be changed because someone grabbed up the ISF name. The intent of IISF is still the same as noted in the Computers at Risk book. (establish standards, certification, testing, coordination between public and private and between US and foreign) I see it as an opportunity for us to define our own destiny. Rich Owen >>> 09/11/95 08:57am >>> Please clue in the clueless. What is ISSA? What is IISF? Aside from reducing export restrictions, what is ISF supposed to do? Tenna Sakai (tws@wh.bayer.com) Bayer Research Center From firewalls-owner Mon Sep 11 09:02:40 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA00549 for firewalls-outgoing; Mon, 11 Sep 1995 08:04:05 -0700 Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA00539 for ; Mon, 11 Sep 1995 08:03:58 -0700 From: tws@wh.bayer.com Received: from wh.bayer.com by relay1.UU.NET with SMTP id QQzgsy21645; Mon, 11 Sep 1995 11:02:08 -0400 Received: from mrcs1 ([140.250.41.24]) by wh.bayer.com (8.6.12/8.6.12) with SMTP id KAA22859; Mon, 11 Sep 1995 10:56:53 -0400 Received: by mrcs1 (5.64/X1.00) id AA25265; Mon, 11 Sep 95 10:57:04 -0400 Date: Mon, 11 Sep 95 10:57:04 -0400 Message-Id: <9509111457.AA25265@mrcs1> To: Richard.Owen@OAG.STATE.TX.US, firewalls@GreatCircle.COM Subject: Re: BOS: firewall certification authority -Reply Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Please clue in the clueless. What is ISSA? What is IISF? Aside from reducing export restrictions, what is ISF supposed to do?
Tenna Sakai (tws@wh.bayer.com) Bayer Research Center > From: Richard Owen > To: firewalls@GreatCircle.COM > Subject: BOS: firewall certification authority -Reply > I agree with this concern. The National Research Council issued a > report on sensitive but unclassified computing in the US entitled > "Computers at Risk." In that report they suggested that an > independent organization be formed, the Information Security > Foundation. We are about a talking non-government organization > under the direction and review of industry and the information > security profession {of course with an interface to government). > It is hoped that this organization would be given the authority to > reduce export restrictions. > As President of ISSA, I am very interested in seeing this happen. > I have even proposed that ISSA would help to establish such an > organization. IMPORTANT POINT: The ISF (now IISF) would > not be part of ISSA. It is bigger than ISSA or any organization. > The IISF needs to not only provide certification (firewalls, > systems, people, etc.) and testing but standards development and > research. ISSA currently has a committee that is trying to define > the Generally Accepted System Security Principles (GSSP) as also > called for in the Computers at Risk report. The IISF should be a > place to pull all of our activities into a unified direction. This is > what I have proposed to a working group of the President's > National Security & Telecommunications Advisory Council. 
From firewalls-owner Mon Sep 11 09:30:09 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA03101 for firewalls-outgoing; Mon, 11 Sep 1995 09:22:46 -0700 Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA03090 for ; Mon, 11 Sep 1995 09:22:43 -0700 Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.6.10/8.6.10) with UUCP id LAA07815 for GreatCircle.COM!Firewalls; Mon, 11 Sep 1995 11:07:58 -0500 Received: by ris1.nmti.com (smail2.5) id AA01719; 11 Sep 95 10:17:29 CDT (Mon) Received: by sonic.nmti.com; id AA24311; Mon, 11 Sep 1995 10:44:13 -0500 From: peter@nmti.com (Peter da Silva) Message-Id: <9509111544.AA24311@sonic.nmti.com.nmti.com> Subject: Re: Firewalls-Digest V4 #518 To: schan@gcau.com.au (Stanley Chan) Date: Mon, 11 Sep 1995 10:44:13 -0500 (CDT) Cc: Firewalls@GreatCircle.COM In-Reply-To: from "Stanley Chan" at Sep 11, 95 04:36:00 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 375 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Well I think if we have to worry about a firewall's source code, I would > spend my time worrying about all the kernels problem instead. > How can you trust a kernel or OS from HP, SUN, DIGITAL or any vendor who > wrote UNIX os for sale and yet they never ever review their source code to > you for certification. 
http://freebsd.org/ http://netbsd.org/ http://bsdi.com/ From firewalls-owner Mon Sep 11 10:35:11 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA05483 for firewalls-outgoing; Mon, 11 Sep 1995 10:12:34 -0700 Received: from strydr.strydr.com (strydr.strydr.com [199.217.201.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA05474 for ; Mon, 11 Sep 1995 10:12:31 -0700 Received: (from ds3721@localhost) by strydr.strydr.com (8.6.12/8.6.11) id MAA05143; Mon, 11 Sep 1995 12:09:51 -0500 From: David Schnardthorst Message-Id: <199509111709.MAA05143@strydr.strydr.com> Subject: Re: Firewalls-Digest V4 #518 To: peter@nmti.com (Peter da Silva) Date: Mon, 11 Sep 1995 12:09:50 -0500 (CDT) Cc: firewalls@greatcircle.com In-Reply-To: <9509111544.AA24311@sonic.nmti.com.nmti.com> from "Peter da Silva" at Sep 11, 95 10:44:13 am Organization: Stryder Communications, Inc. Address: 869 St. Francois, Florissant, Mo. 63031 Telephone: (314)838-6839 Fax: (314)838-8527 X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1768 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In the Original, Peter da Silva Says > >> Well I think if we have to worry about a firewall's source code, I would >> spend my time worrying about all the kernels problem instead. >> How can you trust a kernel or OS from HP, SUN, DIGITAL or any vendor who >> wrote UNIX os for sale and yet they never ever review their source code to >> you for certification. > >http://freebsd.org/ >http://netbsd.org/ >http://bsdi.com/ Good point. Trust is believing that the person in question is not going to mislead you. In a sense, this whole discussion is turning into a situation where every firewall vendor is guilty until proven innocent. If they are going to build a firewall product for people to purchase, do you believe they would risk putting a back door in the product on purpose?
Even if they have the right statements saying that they are not responsible, if they put them in on purpose, and it is proven in court, they may still be liable. You have to trust them to do it right, or you should do it yourself. What other options are there. Who is to say that having a Firewall Certification Committee would make sure there are no problems with a firewall? They could be just like the vendor and falsify information, or let it pass through. Unless something comes up to disprove a vendors credibility, you have to trust them. ============================================================================ David Schnardthorst System Administrator * Phone: (314)838-6839 Stryder Communications, Inc. * Fax: (314)838-8527 869 St. Francois * E-Mail: ds3721@strydr.com Florissant, MO 63031 * URL: http://www.strydr.com ============================================================================ From firewalls-owner Mon Sep 11 11:02:40 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA07227 for firewalls-outgoing; Mon, 11 Sep 1995 10:56:31 -0700 Received: from vulcan.iss.bnr.com (vulcan.iss.bnr.com [139.51.128.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA07205 for ; Mon, 11 Sep 1995 10:56:19 -0700 From: Mark_W_Loveless@smtp.bnr.com Received: from smtp.bnr.com by vulcan.iss.bnr.com (4.1/BNR/v1.0/910819) id AA10185; Mon, 11 Sep 95 12:53:09 CDT Received: from cc:Mail by smtp.bnr.com id AA810849184; Mon, 11 Sep 95 12:50:18 CST Date: Mon, 11 Sep 95 12:50:18 CST Message-Id: <9508118108.AA810849184@smtp.bnr.com> To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security), firewalls@greatcircle.com Subject: Re: Sounds like the politicians are gathering Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I agree, but what it really sounds like is a layer of red tape that most engineers worth half their salt will walk around anyway. 
There is no way to develop a "certification" that is timely and fair to all vendors and users. I think real world testing is the best -- granted tiger team work doesn't seem to pay but with the attention the net is getting lately maybe their time has finally come. When there is a need, you create a service that people will pay for. I'd rather pay for expertise NOW than await some council to certify something. Mark ______________________________ Reply Separator _________________________________ Subject: Sounds like the politicians are gathering Author: ,padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) at internet Date: 9/11/95 11:19 AM Someone claiming to be the president of the ISSA (no signature) rites: >I agree with this concern. The National Research Council issued a >report on sensitive but unclassified computing in the US entitled >"Computers at Risk." In that report they suggested that an >independent organization be formed, the Information Security ^^^^^^^^^^^ >Foundation. > We are about a talking non-government organization >under the direction and review of industry and the information >security profession {of course with an interface to government). >It is hoped that this organization would be given the authority to >reduce export restrictions. Note that expertise in the subject does not seem to be a requirement (sorry but I have seen too many of these "executive-level" committees formed that spend years trying to figure out an agenda. Have walked out of meetings that I could see headed that way. Also really needs to be *International* organization & do not see how "authority to reduce export restrictions" plays - that is pure *politics*. IFIP might make a good parent but the real question is funding. SAE is funded by members and was created by engineers. Those funded by government grants tend to be politically correct. >IMPORTANT POINT: The ISF (now IISF) would >not be part of ISSA. It is bigger than ISSA or any organization. 
>The IISF needs to not only provide certification (firewalls, >systems, people, etc.) and testing but standards development and >research. Agree with this but is sounding more like a political plum by the moment & can see there are plenty of chiefs ready to run it. Warmly, Padgett ps not down on the concept, just want to be sure of the agenda. Have seen too many such "councils" in the past where the appointees were those who looked good on TV. From firewalls-owner Mon Sep 11 17:30:05 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA16900 for firewalls-outgoing; Mon, 11 Sep 1995 17:07:31 -0700 Received: from mvmampc66.ciw.uni-karlsruhe.de (mvmampc66.ciw.uni-karlsruhe.de [129.13.110.66]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id RAA16893 for ; Mon, 11 Sep 1995 17:07:24 -0700 Received: (from ig25@localhost) by mvmampc66.ciw.uni-karlsruhe.de (8.6.12/8.6.12) id CAA02771 for firewalls@greatcircle.com; Tue, 12 Sep 1995 02:06:01 +0200 Message-Id: <199509120006.CAA02771@mvmampc66.ciw.uni-karlsruhe.de> Subject: Re: Firewalls-Digest V4 #518 To: firewalls@greatcircle.com Date: Tue, 12 Sep 1995 02:06:01 +0200 (MET DST) In-Reply-To: <9509111544.AA24311@sonic.nmti.com.nmti.com> from "Peter da Silva" at Sep 11, 95 10:44:13 am From: Thomas.Koenig@ciw.uni-karlsruhe.de (=?ISO-8859-1?Q?Thomas_K=F6nig?=) X-Mailer: ELM [version 2.4 PL24 ME7a] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Length: 492 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Peter da Silva wrote: >> How can you trust a kernel or OS from HP, SUN, DIGITAL or any vendor who >> wrote UNIX os for sale and yet they never ever review their source code to >> you for certification. >http://freebsd.org/ >http://netbsd.org/ >http://bsdi.com/ While we're at it, you might also include http://www.linux.org/ :-) -- Thomas Koenig, Thomas.Koenig@ciw.uni-karlsruhe.de, ig25@dkauni2.bitnet. 
The joy of engineering is to find a straight line on a double logarithmic diagram. From firewalls-owner Mon Sep 11 17:32:42 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA16938 for firewalls-outgoing; Mon, 11 Sep 1995 17:10:34 -0700 Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id RAA16929 for ; Mon, 11 Sep 1995 17:10:30 -0700 Received: from pm1-28.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA27141; Mon, 11 Sep 95 19:05:23 -0400 Date: Mon, 11 Sep 95 19:05:23 -0400 Message-Id: <9509112305.AA27141@su1.in.net> X-Sender: frankw@in.net X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Julian Assange From: frankw@in.net (Frank Willoughby) Subject: Re: wank worm Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I captured & analyzed the wank worm long ago ('89 sounds about right). The code was some of the *worst* spaghetti-code that I've seen in a long time. The fortune cookie in the wank worm was not a standard fortune cookie and had its own routines to generate the particular fortune. I doubt you want this particular fortune file for your program as the messages generated by the fortune cookie in the wank worm were obscene & vulgar. FWIW, I destroyed the code after the analysis. Out of curiosity, what problem are you trying to solve? I'm sure that other versions of the fortune cookie are still on the net somewhere. Is there a functionality in the fortune cookie that isn't present in later versions? Best Regards, Frank >I know this is off target, but what the heck. > >I am trying to locate specific information that was used in the Wank Worm >circa mid 1989. In particular I am trying to locate the fortune cookie file >that was included in it. I believe the fortunes were pulled from the bsd >fortune program.
That said finding which versions of fortune were extant >during that period and then finding an existing copy of that version now >has become a little trying. > >If anyone on this list had personal experience with the worm at the time or >can point me to ancient versions of fortune (oldest I could locate was >bsd42/tahoe/reno) I'd certainly appreciate it. > >-Julian Assange (proff@suburbia.net) > > > From firewalls-owner Mon Sep 11 19:00:08 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA19249 for firewalls-outgoing; Mon, 11 Sep 1995 18:47:52 -0700 Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id SAA19242 for ; Mon, 11 Sep 1995 18:47:49 -0700 Received: from rssi by relay1.UU.NET with SMTP id QQzgup25152; Mon, 11 Sep 1995 21:46:42 -0400 Received: from bass.rssi.com by rssi (4.1/SMI-4.1) id AA02640; Mon, 11 Sep 95 21:44:35 EDT Received: by bass.rssi.com with Microsoft Mail id <30550E83@bass.rssi.com>; Mon, 11 Sep 95 21:37:23 PDT From: Alex Sharpe To: "'firewalls distribution list'" Cc: "Sean W O'Neill" Subject: Encryption Add-ons to Firewall One? Date: Mon, 11 Sep 95 14:15:00 PDT Message-Id: <30550E83@bass.rssi.com> Encoding: 4 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Anyone know of an add-on to Firewall One that provides link encryption to designated IP Addresses? Or, products which can provide this function in a plug and play fashion.
From firewalls-owner Mon Sep 11 19:02:40 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA19097 for firewalls-outgoing; Mon, 11 Sep 1995 18:33:13 -0700 Received: from suc1a.Harris.COM (suc1a.harris.com [192.52.236.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id SAA19089 for ; Mon, 11 Sep 1995 18:33:09 -0700 Received: from itp.corp.harris.com by suc1a.harris.com (5.0/SMI-SVR4) id AA11596; Mon, 11 Sep 1995 21:31:46 -0400 Received: from lazarus.corp.harris.com by itp.corp.harris.com (5.x/SMI-SVR4) id AA24956; Mon, 11 Sep 1995 21:30:44 -0400 Received: by lazarus.corp.harris.com (5.0/SMI-SVR4) id AA06140; Mon, 11 Sep 1995 21:32:10 -0400 Date: Mon, 11 Sep 1995 21:32:10 -0400 From: dave.conklin@Harris.COM (Dave Conklin) Message-Id: <9509120132.AA06140@lazarus.corp.harris.com> To: firewalls@greatcircle.com Subject: Looking for source route packet generator code. X-Sun-Charset: US-ASCII content-length: 183 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi. I'm looking for code that will generate source routed packets so that I may test my firewalls. Anyone with such a beast, please email. TIA. 
Dave Conklin dave.conklin@harris.com From firewalls-owner Mon Sep 11 22:00:08 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA23778 for firewalls-outgoing; Mon, 11 Sep 1995 21:40:19 -0700 Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id VAA23769 for ; Mon, 11 Sep 1995 21:40:15 -0700 Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id XAA02572; Mon, 11 Sep 1995 23:34:41 -0500 Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma002567; Mon Sep 11 23:34:35 1995 Received: from ignatz (ignatz.bridge.com) by ignatz.bridge.com with SMTP id AA21207 (5.67b/IDA-1.5); Mon, 11 Sep 1995 23:43:32 -0500 Date: Mon, 11 Sep 1995 23:43:31 -0500 (CDT) From: Ken Hardy X-Sender: ken@ignatz To: Dave Conklin Cc: firewalls@greatcircle.com Subject: Re: Looking for source route packet generator code. In-Reply-To: <9509120132.AA06140@lazarus.corp.harris.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 11 Sep 1995, Dave Conklin wrote: > Hi. I'm looking for code that will generate source routed packets so > that I may test my firewalls. Anyone with such a beast, please email. The telnet in the BSD sources will source route if asked to. You ask it by the format of the destination, something like "telnet @hop1@hop2:dest", though you'd better look to be sure; it's not in the man page -- I had to look in the code to figure it out. And the source code is there if you're looking to write your own source routing pgm.
- KH From firewalls-owner Mon Sep 11 22:32:40 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA24735 for firewalls-outgoing; Mon, 11 Sep 1995 22:21:22 -0700 Received: from bob.dataserv.com (bob.dataserv.com [204.73.128.20]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id WAA24728 for ; Mon, 11 Sep 1995 22:21:18 -0700 Received: (from smap@localhost) by bob.dataserv.com (8.6.10/Matt-1.1r1) id AAA00256 for ; Tue, 12 Sep 1995 00:22:08 -0500 Received: from unknown(204.73.140.230) by bob.dataserv.com via smap (V1.3) id sma000254; Tue Sep 12 00:21:45 1995 Received: from msmailgwy.dataserv.com ([204.73.140.229]) by gossip.dataserv.com (8.6.10/Matt-1.0d) with SMTP id AAA16592 for ; Tue, 12 Sep 1995 00:22:07 -0500 Received: by msmailgwy.dataserv.com with Microsoft Mail id <30551977@msmailgwy.dataserv.com>; Tue, 12 Sep 95 00:24:07 CDT From: Sam Howard To: "'Firewalls'" Subject: External Client Access Policy Date: Tue, 12 Sep 95 00:22:00 CDT Message-ID: <30551977@msmailgwy.dataserv.com> Encoding: 25 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi. We here at dataserv are in the position that we will have to let some of our clients access our network (I say "have to" because I am a sysadm, not a sales person :) Does anyone have any "policy" statements that they'd be willing to share? We are looking to have people at our clients sign a "Network Access Agreement" stating things like: thou shalt not do bad things, etc, etc, but the verbiage on that is not anywhere near complete, so I thought I'd ask around for hints...anyone? How about things like an NDA, or Non-Compete (some of the vendors working at a client are direct competitors to us, which is kinda a sticky situation for us...)
I seem to recall that some of this stuff might be archived somewhere, but I could not find a reference (we barely have Internet mail right now, so WWW sites are not useful to me at this point...I *can* ftp and telnet, tho). Thanks! Sam -- Sam.Howard@dataserv.com (MS-Mail GW...randomly wraps text lines) showard@dataserv.com (sometimes goes to unix...sometimes insane aliases sends it to MS-Mail anyways...) From firewalls-owner Tue Sep 12 05:00:09 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA01272 for firewalls-outgoing; Tue, 12 Sep 1995 04:51:25 -0700 Received: from nexus.ptech.com (aegis.ptech.com [165.166.50.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id EAA01265 for ; Tue, 12 Sep 1995 04:51:21 -0700 Received: from felix by nexus.ptech.com (5.x/Piedmont Technology Group) id AA11587; Tue, 12 Sep 1995 07:49:23 -0400 Date: Tue, 12 Sep 1995 07:49:23 -0400 Message-Id: <9509121149.AA11587@nexus.ptech.com> X-Sender: jnb@ptech.com X-Mailer: Windows Eudora Version 2.0.3 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Alex Sharpe , "'firewalls distribution list'" From: jim.brown@ptech.com (Jim Brown) Subject: Re: Encryption Add-ons to Firewall One? Cc: "Sean W O'Neill" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hughes has a product called NetLock which should fit the bill. For more information, check out the rsa catalog at http://www.rsa.com. (I have no affiliation with either Hughes or RSA. :) jim At 02:15 PM 9/11/95 PDT, Alex Sharpe wrote: > >Anyone know of an add-on to Firewall One that provides link encryption to >designated IP Addresses? Or, products which can provide this function in a >plug and play fashion. 
> > _________ ___jnb___ From firewalls-owner Tue Sep 12 06:02:05 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA02331 for firewalls-outgoing; Tue, 12 Sep 1995 05:35:10 -0700 Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA02324 for ; Tue, 12 Sep 1995 05:35:07 -0700 Received: from rssi by relay2.UU.NET with SMTP id QQzgwg15987; Tue, 12 Sep 1995 08:33:49 -0400 Received: from bass.rssi.com by rssi (4.1/SMI-4.1) id AA02196; Tue, 12 Sep 95 08:32:05 EDT Received: by bass.rssi.com with Microsoft Mail id <3055A645@bass.rssi.com>; Tue, 12 Sep 95 08:24:53 PDT From: "Bradley E. Hubbard" To: "'smtp:firewalls@greatcircle.com'" Subject: IPX firewall? Date: Tue, 12 Sep 95 08:23:00 PDT Message-Id: <3055A645@bass.rssi.com> Encoding: 10 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, I'm wondering if anyone knows of any firewall products that have been developed in and for an IPX environment? Thanks in advance, Brad Hubbard behubba@rssi.com From firewalls-owner Tue Sep 12 06:02:41 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA02491 for firewalls-outgoing; Tue, 12 Sep 1995 05:43:12 -0700 Received: from gatekeeper.ddp.state.me.us (gatekeeper.ddp.state.me.us [141.114.130.70]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA02483 for ; Tue, 12 Sep 1995 05:43:09 -0700 Received: from localhost by gatekeeper.ddp.state.me.us (8.6.5/1.37) id IAA15818; Tue, 12 Sep 1995 08:36:06 -0400 Date: Tue, 12 Sep 1995 08:36:06 -0400 (EDT) From: David Miller Subject: Re: Looking for source route packet generator code. 
To: Dave Conklin
cc: firewalls@greatcircle.com
In-Reply-To: <9509120132.AA06140@lazarus.corp.harris.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 11 Sep 1995, Dave Conklin wrote:

> Hi. I'm looking for code that will generate source routed packets so
> that I may test my firewalls. Anyone with such a beast, please email.

Comes built in to many of the bsd telnets. FreeBSD and bsd/os certainly have it. The catch is that it's only "documented" in the source code. Use it with a "telnet @host1@host2@host3.somewhere.dom" where host1 and host2 are the hosts to pass through. And you must type the "@"'s just as shown here:)

Hope this helps,

--- David
----------------------------------------------------------------------------
It's *amazing* what one can accomplish when one doesn't know what one can't do!

From firewalls-owner Tue Sep 12 08:34:05 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA05752 for firewalls-outgoing; Tue, 12 Sep 1995 08:25:14 -0700
Received: from dot.ability.net (dot.ability.net [205.197.67.12]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA05730 for ; Tue, 12 Sep 1995 08:25:09 -0700
Received: from yakko.ability.net (dkrapf@yakko.ability.net [204.192.126.17]) by dot.ability.net (8.6.12/8.6.12) with ESMTP id LAA26058 for ; Tue, 12 Sep 1995 11:22:19 -0400
From: Don Krapf
Received: (dkrapf@localhost) by yakko.ability.net (8.6.12/8.6.12) id LAA06616 for firewalls@greatcircle.com; Tue, 12 Sep 1995 11:22:26 -0400
Message-Id: <199509121522.LAA06616@yakko.ability.net>
Subject: Re: firewall with only one IP address ???
To: firewalls@greatcircle.com (FireWalls List)
Date: Tue, 12 Sep 1995 11:22:25 -0400 (EDT)
In-Reply-To: <950905061735_100632.1345_BHL70-1@CompuServe.COM> from "matt" at Sep 5, 95 02:17:35 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 514
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

matt writes:
>
> Hi all,
>
> we have one question:
> Our firm now wants to connect to the internet, but we will get only
> one official IP-address. First, we believed this would be no problem
> because we'll use the 10.0.0.0 net as our internal network and we
> will be able to manage the connections over proxies.

Why not buy access for a full network instead of a single address? You're not trying to hide a network behind a single address to avoid paying your ISP for routing to your network, are you?

Don

From firewalls-owner Tue Sep 12 10:04:28 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA07345 for firewalls-outgoing; Tue, 12 Sep 1995 09:36:22 -0700
Received: from netcomsv.netcom.com (uucp2.netcom.com [163.179.3.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA07330 for ; Tue, 12 Sep 1995 09:36:18 -0700
Received: by netcomsv.netcom.com with UUCP (8.6.12/SMI-4.1) id JAA27653; Tue, 12 Sep 1995 09:27:41 -0700
Received: by compwr.com (4.1/) id AA01600; Tue, 12 Sep 95 09:24:35 PDT
Date: Tue, 12 Sep 1995 09:24:34 -0700 (PDT)
From: Ken Dayton
X-Sender: kd@sparcB
To: Firewalls@GreatCircle.Com
Subject: Secure version of Sendmail
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings:

I have heard of a public domain version of sendmail (with source) that is available somewhere. Does anyone know where to get it?

Thanks.
Ken Dayton
CommPower Inc., Camarillo CA

From firewalls-owner Tue Sep 12 10:22:37 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA07705 for firewalls-outgoing; Tue, 12 Sep 1995 09:45:22 -0700
Received: from usasmtp.usagroup.org ([198.70.128.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA07698 for ; Tue, 12 Sep 1995 09:45:18 -0700
Received: from DOMAIN-E-Message_Server by usasmtp.usagroup.org with Novell_GroupWise; Tue, 12 Sep 1995 11:45:36 -0600
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Tue, 12 Sep 1995 11:42:18 -0600
From: Ed Hepker
To: Firewalls@GreatCircle.COM
Subject: Compuserve & Internet
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Anybody have any thoughts on the best way to allow employees to use Compuserve (we have a business requirement to do so) and prevent them from accessing the net through it? Obviously, this kind of access can kibosh the benefits of our firewall. I haven't found a decent way to do this yet, so any thoughts/experiences would be appreciated.

Thanks in advance -

Ed Hepker
USA GROUP
Indianapolis, Indiana
ehepker@usasmtp.usagroup.org

These comments do not represent or resemble any opinions currently or previously held by USA GROUP (or anyone else, for that matter).
From firewalls-owner Tue Sep 12 10:30:19 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA08390 for firewalls-outgoing; Tue, 12 Sep 1995 10:08:56 -0700
Received: from westie.mid.net (westie.mid.net [198.247.250.16]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA08383 for ; Tue, 12 Sep 1995 10:08:51 -0700
Received: from gaijin.mid.net (gaijin.mid.net [198.247.250.28]) by westie.mid.net (8.6.10/8.6.9) with ESMTP id MAA16098; Tue, 12 Sep 1995 12:07:10 -0500
Received: (from alan@localhost) by gaijin.mid.net (8.6.10/8.6.9) id MAA14465; Tue, 12 Sep 1995 12:07:10 -0500
From: Alan Hannan
Message-Id: <199509121707.MAA14465@gaijin.mid.net>
Subject: Re: firewall with only one IP address ???
To: dkrapf@ability.net (Don Krapf)
Date: Tue, 12 Sep 1995 12:07:09 -0500 (CDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199509121522.LAA06616@yakko.ability.net> from "Don Krapf" at Sep 12, 95 11:22:25 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2317
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

matt> Hi all,
matt>
matt> we have one question:
matt> Our firm now wants to connect to the internet, but we will get only
matt> one official IP-address. First, we believed this would be no problem
matt> because we'll use the 10.0.0.0 net as our internal network and we
matt> will be able to manage the connections over proxies.

Matt, this will work fine.

krapf> Why not buy access for a full network instead of a single address?
krapf> You're not trying to hide a network behind a single address to avoid
krapf> paying your ISP for routing to your network, are you?

Good heavens. Using an RFC1597 network makes sense for so many reasons, none of which you have even attempted to rebut.

The amount of networks routed is a significant issue.
Many months ago, people grabbed address space and announced a tremendous amount of routes, to networks which they did not utilize very well. Accordingly, the equipment on the backbone was outdated, put to stress, and caused CIDR and other aggregation methods. To imply that one is "cheap" for being responsible with address space is silly.

Also, we gain significant security advantages by putting our internal networks on RFC1597 networks. First, we lose the ability for internet sites to directly attack our internal hosts, as the routes are not propagated through the internet. Secondly, it gains us larger address space that we can use without registering or notifying anyone. Third, it gives one the ability to implement a /8 internal network structure within one's network.

IMHO, using rfc1597 for internal networks protected by a firewall is a good thing, for the above reasons and others.

So far as I can see, the only downside to using RFC1597 on an internal firewalled network is that IF someday one decides to do away with the firewall, then the company will incur moderately large renumbering costs. My thought is that this is a small risk, and even if it were to happen, it is likely bootp, dhcp, or some variant will have evolved far enough to make this a non-issue.
$0.02

--
Alan Hannan                        Email: alan@mid.net
Network Systems Administrator      Voice: (402) 472-0239
MIDnet, Lincoln NOC Office         Fax:   (402) 472-0240
"The only way to make a man trustworthy is to trust him" - Henry Stimson

From firewalls-owner Tue Sep 12 10:34:14 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA09363 for firewalls-outgoing; Tue, 12 Sep 1995 10:30:27 -0700
Received: from psisa.com ([198.3.200.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA09348 for ; Tue, 12 Sep 1995 10:30:20 -0700
Received: (from chk@localhost) by psisa.com (8.6.12/guess) id MAA13967; Tue, 12 Sep 1995 12:27:36 -0500
Message-Id: <199509121727.MAA13967@psisa.com>
Subject: Re: firewall with only one IP address ???
To: dkrapf@ability.net (Don Krapf)
Date: Tue, 12 Sep 1995 12:27:35 -0500 (CDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199509121522.LAA06616@yakko.ability.net> from "Don Krapf" at Sep 12, 95 11:22:25 am
From: chk@psa.pencom.com (Christian Kuhtz)
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 2219
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > we have one question:
> > Our firm now wants to connect to the internet, but we will get only
> > one official IP-address. First, we believed this would be no problem
> > because we'll use the 10.0.0.0 net as our internal network and we
> > will be able to manage the connections over proxies.
>
> Why not buy access for a full network instead of a single address? You're
> not trying to hide a network behind a single address to avoid paying your
> ISP for routing to your network, are you?

What's your point, Inquisitor? It's perfectly fine to "hide" several thousand machines behind one IP (or a couple in case you scale firewalls dynamically as we do). I do this here (see sig) for our client all the time. And when our client asked their provider for connectivity, they knew what they were getting.
I mean, after all this is not about IPs, this is about bandwidth. And everybody will wake up if you ask for a T3 with only one registered address. I mean, you're not going to connect a zillion users of a 28k8 dialup line.... get real and chill, and get a life since you won't stay long in biz with that attitude.

Besides, it's pretty unbelievable if someone charges for routing my IPs, unless I expect them to do something very extravagant with it (like dynamic routing for multiple ports of entry for redundancy and providing network management via a NOC). I'm buying *connectivity*, and routing is a necessity for it. It's like buying a new car and tires are considered a preferred customer option.

Last point, it's simply not my provider's business to know how many IPs I'm using internally nor anything else. All you need is rock solid connectivity to the firewall. That's what one pays for. And telling a provider (as any other external company) about my network/system config usually violates security policies anyways.

Maybe one should issue a public warning not to do business with disability.net.
Dizzy from shaking my head,
Chris

--
 ___ ____ __
| _ \/ __/| \   Christian Kuhtz                          +1 914-684-4467
| _/\__ \| \ \  Pencom System Administration Services   fax: +1 914-684-3791
|_| /___/|_|__\ on-location at Advantis/IBM Global Network, White Plains, NY

From firewalls-owner Tue Sep 12 11:00:55 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA10472 for firewalls-outgoing; Tue, 12 Sep 1995 10:56:18 -0700
Received: from blob.best.net (blob.best.net [204.156.128.88]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA10457 for ; Tue, 12 Sep 1995 10:56:13 -0700
Received: from shell1.best.com (shell1.best.com [204.156.128.10]) by blob.best.net (8.6.12/8.6.5) with ESMTP id KAA09436 for ; Tue, 12 Sep 1995 10:54:49 -0700
Received: from best.com (yobie.vip.best.com [204.156.155.53]) by shell1.best.com (8.6.12/8.6.5) with SMTP id KAA17051 for ; Tue, 12 Sep 1995 10:54:37 -0700
Date: Tue, 12 Sep 1995 10:54:37 -0700
Message-Id: <199509121754.KAA17051@shell1.best.com>
From: Yobie Benjamin
To: firewalls@GreatCircle.COM
Subject: Re: firewall with only one IP address ???
X-Mailer: ProntoIP [version 1.0]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Agreed with Don:

What's the deal? A class C will give you 256 IP addresses and most corporations can qualify for this. Maybe you should go to some of the larger ISPs if you're having a problem.
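The design argued over in this thread (inside hosts on the RFC1597 10.0.0.0/8 net, one registered address on the firewall, everything outbound through proxies) implies a border rule nobody spells out: a private source address is never valid on the Internet side, and inside hosts only ever talk to the proxy. The following is an added example, not code from any poster; it uses Python's ipaddress module, and the interface names, the registered address (from the 192.0.2.0/24 documentation range) and the sample packets are constructed.

```python
"""Border filter decision for a proxy firewall whose inside is numbered from
RFC1597 space and whose outside is a single registered address.

Added example, not code from any poster on the list.  INSIDE_NET,
OUTSIDE_ADDR, INSIDE_ADDR, the interface names and SAMPLE are constructed."""
import ipaddress
from collections import namedtuple

# RFC1597 (later RFC1918) private blocks.  Routes to them are not propagated
# across the Internet, so a packet carrying one as its source cannot have
# legitimately arrived from outside.
PRIVATE_BLOCKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)

INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")     # constructed site layout
OUTSIDE_ADDR = ipaddress.ip_address("192.0.2.1")    # the one registered address
INSIDE_ADDR = ipaddress.ip_address("10.0.0.1")      # firewall's inside (proxy) leg

Packet = namedtuple("Packet", "iface src dst")


def is_private(addr):
    """True if addr falls inside any RFC1597 block."""
    a = ipaddress.ip_address(addr)
    return any(a in block for block in PRIVATE_BLOCKS)


def decide(pkt):
    """Return (verdict, reason) for one packet seen on a firewall interface.

    The firewall is a proxy host, not a router: the only packets it accepts
    on either side are packets addressed to itself."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    if pkt.iface == "outside":
        if is_private(src):
            # Nothing on the Internet can legitimately source from private
            # space; this is a spoof attempt or a badly configured peer.
            return "drop", "private source address arriving from the Internet"
        if dst != OUTSIDE_ADDR:
            # Inside addresses are unroutable anyway; dropping here also
            # catches probes aimed at the 10/8 net through the outside leg.
            return "drop", "not addressed to the registered firewall address"
        return "allow", "inbound to the firewall's own services/proxies"

    if pkt.iface == "inside":
        if src not in INSIDE_NET:
            # An inside host using an address we do not own: spoofing, or a
            # foreign net leaking in.  Either way it is not ours to carry.
            return "drop", "inside source outside the internal network"
        if dst != INSIDE_ADDR:
            # No direct routing outward: inside hosts reach the net via proxy.
            return "drop", "inside host bypassing the proxies"
        return "allow", "inside host to proxy"

    return "drop", "unknown interface"


def audit(packets):
    """Run decide() over a batch and return the dropped packets with reasons."""
    dropped = []
    for p in packets:
        verdict, reason = decide(p)
        if verdict == "drop":
            dropped.append((p, reason))
    return dropped


# Constructed sample traffic, one packet per case the rules distinguish.
SAMPLE = [
    Packet("outside", "198.51.100.7", "192.0.2.1"),    # legitimate inbound
    Packet("outside", "10.3.4.5", "192.0.2.1"),        # private source from outside
    Packet("outside", "198.51.100.7", "10.0.0.1"),     # probe for the inside net
    Packet("inside", "10.20.30.40", "10.0.0.1"),       # normal proxy use
    Packet("inside", "10.20.30.40", "198.51.100.7"),   # trying to route out directly
    Packet("inside", "172.16.9.9", "10.0.0.1"),        # address we do not own
]

if __name__ == "__main__":
    for pkt, reason in audit(SAMPLE):
        print(f"drop {pkt.iface} {pkt.src} -> {pkt.dst}: {reason}")
```

Four of the six constructed packets are dropped; the two "allow" cases are an Internet host reaching the registered address and an inside host reaching the proxy leg.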
From firewalls-owner Tue Sep 12 11:02:49 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA09928 for firewalls-outgoing; Tue, 12 Sep 1995 10:39:34 -0700
Received: from psisa.com ([198.3.200.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA09920 for ; Tue, 12 Sep 1995 10:39:29 -0700
Received: (from chk@localhost) by psisa.com (8.6.12/guess) id MAA14128; Tue, 12 Sep 1995 12:36:47 -0500
Message-Id: <199509121736.MAA14128@psisa.com>
Subject: Re: Secure version of Sendmail
To: kd@compwr.com (Ken Dayton)
Date: Tue, 12 Sep 1995 12:36:47 -0500 (CDT)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: from "Ken Dayton" at Sep 12, 95 09:24:34 am
From: chk@psa.pencom.com (Christian Kuhtz)
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 654
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I have heard of a public domain version of sendmail (with source)
> that is available somewhere. Does anyone know where to get it?

The state-of-the-art Sendmail V8 can be found at ftp://ftp.cs.berkeley.edu/ucb/sendmail. Bugs are fixed immediately. Sendmail is quasi public domain (check the license out for details).

Enjoy and drop me a note if you need help getting started.
Best Regards,
Chris

--
 ___ ____ __
| _ \/ __/| \   Christian Kuhtz                          +1 914-684-4467
| _/\__ \| \ \  Pencom System Administration Services   fax: +1 914-684-3791
|_| /___/|_|__\ on-location at Advantis/IBM Global Network, White Plains, NY

From firewalls-owner Tue Sep 12 11:28:38 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA10097 for firewalls-outgoing; Tue, 12 Sep 1995 10:42:31 -0700
Received: from sunthing.sjsinc.com (sunthing.sjsinc.com [140.174.165.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA10090 for ; Tue, 12 Sep 1995 10:42:27 -0700
Received: by sunthing.sjsinc.com Mailer: sendmail (8.6.12/8.6.9) Protocol: Id: KAA14241; Tue, 12 Sep 1995 10:40:39 -0700
Date: Tue, 12 Sep 1995 10:40:39 -0700
From: sjs@sunthing.sjsinc.com (Stefan Jon Silverman)
Message-Id: <199509121740.KAA14241@sjsinc.com>
To: firewalls@greatcircle.com
Subject: Re: Secure version of Sendmail
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ken:

>
> I have heard of a public domain version of sendmail (with source)
> that is available somewhere. Does anyone know where to get it?
>

"The source Luke, all answers are in the source...."

The guys who write it hang out at:

ftp://ftp.cs.berkeley.edu

and one can "___ALWAYS___" find the latest release and bug-fixes here...

Regards,

b c++'ing u,

%-) sjs

-------------------------------------------------------------------------------
Stefan Jon Silverman - President                    SJS Associates, N.A., Inc.
                                                    572 Chestnut Street
Distributed Systems Architecture & Implementation   San Francisco, Ca. 94133
Phone: 415 989 2741   Fax: 415 989 7250
E-mail: sjs@sjsinc.com   Cell: 415 519 3494
-------------------------------------------------------------------------------
Weebles wobble, but they don't fall down!!!
-------------------------------------------------------------------------------

From firewalls-owner Tue Sep 12 11:34:39 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA10792 for firewalls-outgoing; Tue, 12 Sep 1995 11:02:16 -0700
Received: from Disclosure.COM (di.disclosure.com [205.156.194.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA10761 for ; Tue, 12 Sep 1995 11:02:06 -0700
From: gregg@smtpgate.Disclosure.COM
Received: from smtpgate.disclosure.com by Disclosure.COM (4.1/SMI-4.1) id AA29369; Tue, 12 Sep 95 14:03:45 EDT
Received: from cc:Mail by smtpgate.disclosure.com id AA810939662; Tue, 12 Sep 95 13:56:48 est
Date: Tue, 12 Sep 95 13:56:48 est
Message-Id: <9508128109.AA810939662@smtpgate.disclosure.com>
To: Firewalls@Greatcircle.COM
Subject: Re: Re: Interpreting CERT advisories
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jet - (J.Eric Townsend-jet@abulafia.genmagic.com) writes:

==> How many MVS systems are plugged directly into the internet? How many
==> are actually used for TCP/IP related services? (Where's my Mosaic for
==> MVS? :-)

==> IMHO, Suns get broken into all the time because:
==> -- everybody has one to practice on
==> -- they were designed with being useful in mind.

ITEM 1:

==> IMHO, Suns get broken into all the time because:
==> -- everybody has one to practice on

Excuse me?!? MVS has been *in production* since the late 70's; abundantly installed around the World. IMHO, plenty of time/opportunity for hackers to try hacking in. The reason you don't hear about hackers hacking MVS is because, well, you can't. Much too difficult. In the 9 MVS shops I've worked in all were protected by non-hackable security software called ACF2. Perhaps an employee could plant back doors thinking he/she could use them undetected in the future. Well, no can do. SMF records *everything* that occurs in MVS. So you turn off SMF recording. Difficult because to do so you must run "authorized."
Which means your program must be in the link and apf lists; and adding your programs to those lists... well, it goes on and on. Now all of this isn't to say that someone couldn't write a program to, say, steal raw data straight from a disk via TCP/IP. But what thrill is that? Nay, hacking MVS (or trying to) is a waste of time.

ITEM 2:

==> How many MVS systems are plugged directly into the internet? How many
==> are actually used for TCP/IP related services?

Mine is. We receive data continuously, all day long, via TCP/IP from a third party vendor (can't be more specific). I can FTP from my MVS to/from our UNIX. I have no idea of how *many* MVS machines there are on the internet, but a rough guess would be "a lot." And I know that you know, MVS is the core backbone for Client Server. Who d'ya think the Server is?

==> (Where's my Mosaic for MVS? :-)

It works like this: You download lots of MVS data to your unix/os2/windoze/dos whereupon it immediately populates Web pages, Mosaics, (whatever) and you use your unix/os2/windoze/dos presentation services (which really beat MVS's) to display the data. Bang! Zoom! Real client/server.

ITEM 3:

==> IMHO, Suns ...
==> -- were designed with being useful in mind.

Now I know you didn't *mean* this the way it sounds. :-) As a 14 year veteran of MVS all I can say is, UNIX is the latest and greatest and always will be. There simply is *** NO WAY *** a Sun box can match the throughput, data capacity, and multi-user capabilities of MVS. Right now there are some 536 users on my production system alone. We have three test and one development partitions that I didn't even check. And the users are doing *real* company work. If my MVS crashed (don't worry it won't, never does) the company may as well close for the day. Would your company shut down for the day if you lost your Sun box?

I lurk on firewalls to learn; MVS and Unix have their futures tied together. On the internet, computers are supposed to be "open" to everybody, for free.
Well MVS was never designed to be that way. So the bigdogs want to open up their systems "like the internet." So they buy Suns to put all the data "on the internet." But now they want security. Well they had security. But they want to give away the data. But with security. Well, what do they want?

We (MVS) don't need firewalls. We have trusted security that has been around for 20+ years. (Eons in computer time.) We use a userid and password method to logon, with security based on the userid to object relationship. My wonderment is, why are Suns (Unix, etc) so desperately trying to do all the right things that MVS does, but in a catch-up kind of way.

Do you take backups daily, weekly, monthly, yearly? ALL THE TIME? DAILY? NEVER MISS A DAY?

Larry :-)

From firewalls-owner Tue Sep 12 12:17:06 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA12508 for firewalls-outgoing; Tue, 12 Sep 1995 11:38:23 -0700
Received: from osshe.edu (OSSHE.EDU [140.211.10.20]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA12494 for ; Tue, 12 Sep 1995 11:38:10 -0700
Received: from sparky.oit.osshe.edu (sparky.OIT.OSSHE.EDU [140.211.71.3]) by osshe.edu (8.6.5/8.6.5) with ESMTP id LAA06533; Tue, 12 Sep 1995 11:36:28 -0700
Received: from ip-davin.oit.osshe.edu (ip-davin.oit.osshe.edu [140.211.84.203]) by sparky.oit.osshe.edu (8.6.12/8.6.12) with SMTP id LAA16592; Tue, 12 Sep 1995 11:34:06 -0700
Date: Tue, 12 Sep 1995 11:34:44 -0900 (PDT)
From: Davin Petersen
To: Christian Kuhtz
cc: Ken Dayton , Firewalls@GreatCircle.COM
Subject: Re: Secure version of Sendmail
X-Sender: davin@mail.oit.osshe.edu
In-Reply-To: <199509121736.MAA14128@psisa.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 12 Sep 1995, Christian Kuhtz wrote:

> The state-of-the-art Sendmail V8 can be found at ftp://ftp.cs.berkeley.edu/ucb/sendmail. Bugs are fixed immediately.
> Sendmail is quasi public domain (check the license out for details).

Right! However stay away from anything less than 8.6.12. The other versions have security holes.

Davin Petersen
Oregon Institute of Technology
Unix Admin/Student

From firewalls-owner Tue Sep 12 12:36:35 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA14983 for firewalls-outgoing; Tue, 12 Sep 1995 12:27:28 -0700
Received: from armitage.cyberspace.com (armitage.cyberspace.com [199.2.48.15]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA14964 for ; Tue, 12 Sep 1995 12:27:23 -0700
From: billcurr@cyberspace.com
Received: from case.cyberspace.com by armitage.cyberspace.com (4.1/SMI-4.1) id AA07736; Tue, 12 Sep 95 12:24:13 PDT
Received: from 198.68.52.182 (PPP52-182.cyberspace.com) by case.cyberspace.com (4.1/SMI-4.1) id AA24905; Tue, 12 Sep 95 12:25:04 PDT
Date: Tue, 12 Sep 95 12:25:03 PDT
Message-Id: <9509121925.AA24905@case.cyberspace.com>
Subject: Re: firewall with only one IP address ???
To: firewalls@GreatCircle.COM
X-Mailer: AIR Mail 3.X (SPRY, Inc.)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The bummer with that (as UUNET just informed me this morning) is that if I ever switch providers or dump UUNET, they want their 256 IP addresses BACK.

> Agreed with Don:
>
> What's the deal? A class C will give you 256 IP addresses and most
> corporations can qualify for this. Maybe you should go to some of the
> larger ISPs if you're having a problem.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"Printmaker gone digital"
billcurr@cyberspace.com
http://www.cyberspace.com/billcurr
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

From firewalls-owner Tue Sep 12 13:13:10 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA15030 for firewalls-outgoing; Tue, 12 Sep 1995 12:29:29 -0700
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA15023 for ; Tue, 12 Sep 1995 12:29:25 -0700
Received: from rssi by relay2.UU.NET with SMTP id QQzgxh24247; Tue, 12 Sep 1995 15:28:07 -0400
Received: from rapid.rssi.com by rssi (4.1/SMI-4.1) id AA04894; Tue, 12 Sep 95 15:26:06 EDT
Received: by rapid.rssi.com (5.0/SMI-SVR4) id AA01068; Tue, 12 Sep 1995 15:28:00 +0500
Date: Tue, 12 Sep 1995 15:28:00 +0500
From: bvvanor@rssi.rssi.com (Brad VanOrden)
Message-Id: <9509121928.AA01068@rapid.rssi.com>
To: BEHUBBA@bass.rssi.com, firewalls@greatcircle.com
Subject: Re: IPX firewall?
Content-Length: 204
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It should be noted that this firewall will be between two internal Novell segments. If anyone knows of something that can help us, it will be greatly appreciated.

Brad Van Orden
Rapid Systems Solutions

From firewalls-owner Tue Sep 12 13:15:11 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA14617 for firewalls-outgoing; Tue, 12 Sep 1995 12:19:36 -0700
Received: from rock.cis.ufl.edu (rock.cis.ufl.edu [128.227.224.19]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA14607 for ; Tue, 12 Sep 1995 12:19:30 -0700
Received: by rock.cis.ufl.edu (8.6.12/cis.ufl.edu) id PAA15922; Tue, 12 Sep 1995 15:18:10 -0400
Message-Id: <199509121918.PAA15922@rock.cis.ufl.edu>
From: seeger@cis.ufl.edu (F. L. Charles Seeger III)
Date: Tue, 12 Sep 1995 15:18:10 -0400
In-Reply-To: gregg@smtpgate.Disclosure.COM <9508128109.AA810939662@smtpgate.disclosure.com>
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
To: Firewalls@GreatCircle.COM
Subject: Re: Interpreting CERT advisories
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sorry, but I skimmed over this in the original message.

| ==> (Where's my Mosaic for MVS? :-)

Well, it's neither Mosaic nor MVS, but there is a www MF client:

www://www.nerdc.ufl.edu/pub/vm/www/index.html
ftp://ftp.nerdc.ufl.edu/pub/vm/www/albert.vmarc132

This is the README for "Albert" version 1.3.x (formerly named UF-WWW). Albert is a fullscreen web browser from the University of Florida for IBM 3270 terminals (or emulations). Albert runs on IBM's VM/CMS mainframe operating system. Albert is essentially an Xedit macro that uses the CERN linemode WWW client to get the source for files and then does its own formatting (including HTML parsing).

...

A public-access demonstration is available on the Internet by making a tn3270 connection to nermvs.nerdc.ufl.edu. You'll be presented a menu, in which you should select (or type in the word) UFINFO.

...

I don't know whether or not it is firewalls/socks/proxy friendly.
8-)

Regards,
Chuck

From firewalls-owner Tue Sep 12 13:28:20 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA15237 for firewalls-outgoing; Tue, 12 Sep 1995 12:31:51 -0700
Received: from real.com (eagle.real.com [199.97.122.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA15228 for ; Tue, 12 Sep 1995 12:31:46 -0700
Date: Tue, 12 Sep 1995 19:31:56 GMT
From: bret@real.com (Bret McDanel)
Received: by real.com (8.6.12/3.2.012693-Realistic Technologies Inc); id TAA06249 for firewalls@greatcircle.com; Tue, 12 Sep 1995 19:31:56 GMT
Message-Id: <199509121931.TAA06249@real.com>
To: firewalls@greatcircle.com
Subject: Re: Secure version of Sendmail
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> On Tue, 12 Sep 1995, Christian Kuhtz wrote:
>
> > The state-of-the-art Sendmail V8 can be found at ftp://ftp.cs.berkeley.edu/ucb/sendmail. Bugs are fixed immediately. Sendmail is
> > quasi public domain (check the license out for details).
>
> Right! However stay away from anything less than 8.6.12. The other
> versions have security holes.

and 8.6.12 doesn't use syslog? There is no secure version.. there are only more secure versions.. This is not totally the fault of any sendmail, as the case with syslog..
From firewalls-owner Tue Sep 12 13:32:41 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA16345 for firewalls-outgoing; Tue, 12 Sep 1995 12:57:45 -0700
Received: from eagle.twinds.com (eagle.twinds.com [206.27.30.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA16332 for ; Tue, 12 Sep 1995 12:57:40 -0700
Received: from hawk.twinds.com by eagle.twinds.com with SMTP (1.37.109.16/16.2) id AA117345758; Tue, 12 Sep 1995 15:55:58 -0400
Date: Tue, 12 Sep 1995 15:56:29 -0400 (EDT")
From: Arley Carter
X-Sender: ac@hawk.twinds.com
To: Davin Petersen
Cc: Christian Kuhtz , Ken Dayton , Firewalls@GreatCircle.COM
Subject: Re: Secure version of Sendmail
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Excuse me for being dense but......... Since when did sendmail become secure? In case you're wondering, I am *not* trying to start a Dr. Fred flame war. I'm just curious, what do you mean by secure?

Or am I missing something? Has something new happened to sendmail that I don't know about?

-arc

Arley Carter
Tradewinds Technologies, Inc
ac@hawk.twinds.com
www: http://www.twinds.com

On Tue, 12 Sep 1995, Davin Petersen wrote:

> On Tue, 12 Sep 1995, Christian Kuhtz wrote:
>
> > The state-of-the-art Sendmail V8 can be found at ftp://ftp.cs.berkeley.edu/ucb/sendmail. Bugs are fixed immediately. Sendmail is
> > quasi public domain (check the license out for details).
>
> Right! However stay away from anything less than 8.6.12. The other
> versions have security holes.
>
> Davin Petersen
> Oregon Institute of Technology
> Unix Admin/Student
>

From firewalls-owner Tue Sep 12 13:42:16 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA17338 for firewalls-outgoing; Tue, 12 Sep 1995 13:13:19 -0700
Received: from psisa.com ([198.3.200.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA17331 for ; Tue, 12 Sep 1995 13:13:14 -0700
Received: (from chk@localhost) by psisa.com (8.6.12/guess) id PAA18274; Tue, 12 Sep 1995 15:10:26 -0500
Message-Id: <199509122010.PAA18274@psisa.com>
Subject: Re: Secure version of Sendmail
To: ac@hawk.twinds.com (Arley Carter)
Date: Tue, 12 Sep 1995 15:10:26 -0500 (CDT)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Arley Carter" at Sep 12, 95 03:56:29 pm
From: chk@psa.pencom.com (Christian Kuhtz)
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 1428
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Excuse me for being dense but......... Since when did sendmail become
> secure? In case your wondering, I am *not* trying to start a Dr. Fred
> flame war. I'm just curious, what do you mean by secure?
> Or am I missing something? Has something new happened to sendmail that
> I don't know about?

As secure as a program as complex as Sendmail V8 can probably be (considering the history). At any rate, if you don't trust Sendmail V8, wrap it using SMAP from the TIS toolkit. Which is probably your best bet in that case anyways due to the nature of Sendmail.

Your only chance is to try to stay as up to date as possible with regards to new releases of Sendmail V8 -- common sense IMHO. Eric Allman has done a fabulous job as far as security is concerned. MHO.

Note: I'm talking specifically about Sendmail V8. Everything else is definitely a lot more than just a fire hazard.
Regards,
Chris

--
 ___ ____ __
| _ \/ __/| \   Christian Kuhtz                          +1 914-684-4467
| _/\__ \| \ \  Pencom System Administration Services   fax: +1 914-684-3791
|_| /___/|_|__\ on-location at Advantis/IBM Global Network, White Plains, NY

From firewalls-owner Tue Sep 12 14:14:51 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA18742 for firewalls-outgoing; Tue, 12 Sep 1995 13:48:33 -0700
Received: from tera.bctel.net (tera.bctel.net [204.174.66.253]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA18733 for ; Tue, 12 Sep 1995 13:48:29 -0700
Received: (from nobody@localhost) by tera.bctel.net (8.6.10/8.6.10) id NAA17642; Tue, 12 Sep 1995 13:46:50 -0700
Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3) id sma017639; Tue Sep 12 13:46:29 1995
Received: (from murrell@localhost) by mocha.bctel.net (8.6.10/8.6.10) id NAA19619; Tue, 12 Sep 1995 13:43:57 -0700
Date: Tue, 12 Sep 1995 13:43:57 -0700
From: Brian Murrell
Message-Id: <199509122043.NAA19619@mocha.bctel.net>
To: firewalls@GreatCircle.COM, billcurr@cyberspace.com
Subject: Re: firewall with only one IP address ???
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> The bummer with that is, (as UUNET just informed me this morning) is if I ever
> switch providers or dump UUNET, they want their 256 IP adresses BACK.

go get your own 256 host class c and then have uunet route