From firewalls-owner Fri Jan 31 23:55:45 1997
Date: Fri, 31 Jan 1997 13:31:25 -0500
To: Dave Schnardthorst , firewalls@GreatCircle.COM
From: Larry Glaze
Subject: Re: Rewriting User Names

At 10:00 AM 1/31/97 -0600, Dave Schnardthorst wrote:
>I am currently running Sendmail-8.8.5 and would like to be able to rewrite
>user names when sending out e-mail.
>
>Example:
>
>    Incoming mail to myself could be aliased to daves@stryder.com.  When
>    I send outgoing mail my return address currently shows ds3721@stryder.com.
>    The outgoing mail should show daves@stryder.com.
>
>Can somebody give me some examples as to how this might be accomplished.

Check out http://www.mc2-csr.com/~lglaze and follow the virtual hosting link.  The page you want is the first sendmail link.  The second one goes into a different aspect of sendmail and virtual hosts, but it may also be useful to you.
If you have any questions then just let me know (I wrote the pages and am currently using both configurations successfully).

---------------------------------------------------------------------------
| Larry Glaze                          "...Life's a bummer..."            |
| System/Network Administrator              --Smashing Pumpkins           |
| MC2 Cyberspace, Ltd                                                     |
| http://www.mc2-csr.com/~lglaze            lglaze@mc2-csr.com            |
---------------------------------------------------------------------------
| All opinions are my own, as they should be!                             |
---------------------------------------------------------------------------

From firewalls-owner Sat Feb 1 00:10:32 1997
Date: Fri, 31 Jan 1997 12:48:55 -0600 (CST)
From: Joav Kohn
Subject: Re: Rewriting User Names
In-reply-to: <199701311600.QAA04428@gollum.strydr.com>
To: firewalls

>     Incoming mail to myself could be aliased to daves@stryder.com.  When
>     I send outgoing mail my return address currently shows ds3721@stryder.com.
>     The outgoing mail should show daves@stryder.com.
>
> Can somebody give me some examples as to how this might be accomplished.
>

What you want to do is not so hard, just copy the following steps.  It may look a little harder than it is if you don't know sendmail that well.

First, create a list of address translations, like this:

	ds3721		daves
	real_name	alias_name

making sure that the lefthand column is unique.

Then run 'makemap btree name_of_database < address_translation_list'.

In your /etc/sendmail.cf file, add the following

Kout btree /location_of_database/name_of_database

Moutbound_mailer, P=[TCP], F=mDFMuX, S=12, R=22, A=IPC $h, E=\r\n

S12
# rewrite outbound (sender's) addresses to proper format
R$+<@$+>$*		$1@$2$3				remove canonicalization, then
R$+@stryder.com		$:$>31 $1@stryder.com		rewrite if in groups
R$+@$*stryder.com	$@$1<@$2stryder.com>		make canonical

S31
# look the local part up in the "out" map, then put the domain back
R$+@stryder.com		$:$(out $1 $)
R$+			$:$1@stryder.com

(for all you sendmail experts, it may be a little rough around the edges, but it's from off the top of my head).
Hope it helps,
-joav

From firewalls-owner Sat Feb 1 00:19:07 1997
Date: Fri, 31 Jan 1997 14:06:26 -0500
From: Jim Richey
To: Dave Schnardthorst
CC: firewalls@GreatCircle.COM
Subject: Re: Rewriting User Names
References: <199701311600.QAA04428@gollum.strydr.com>

Read the section in the documentation about using the genericstable.

Dave Schnardthorst wrote:
>
> I am currently running Sendmail-8.8.5 and would like to be able to rewrite
> user names when sending out e-mail.
>
> Example:
>
>     Incoming mail to myself could be aliased to daves@stryder.com.  When
>     I send outgoing mail my return address currently shows ds3721@stryder.com.
>     The outgoing mail should show daves@stryder.com.
>
> Can somebody give me some examples as to how this might be accomplished.
>
> Thanks
>
> --
> ============================================================================
> David Schnardthorst, Systems/Network Eng.    * Phone:  (314)838-6839
> Stryder Communications, Inc.                 * Fax:    (314)838-8527
> 869 St. Francois                             * E-Mail: ds3721@strydr.com
> Florissant, MO 63031                         * URL:    http://www.strydr.com
> ============================================================================

--
Jim Richey          jrichey@highmark.com
HighMark Inc.       http://www.highmark.com

From firewalls-owner Sat Feb 1 00:25:23 1997
Date: Fri, 31 Jan 1997 13:38:02 -0500
From: dcosio@tanis.cptech.com (Dave Cosio)
To: Firewalls@GreatCircle.COM
Subject: Dave From McGraw Hill

Dave,

I lost your email, could you call me or email me?  I want to send the info you need.
-Dave

From firewalls-owner Sat Feb 1 00:37:48 1997
From: harley@icrf.icnet.uk
Subject: RE: [NTSEC] ActiveX, MSIE and Quicken
To: firewalls@GreatCircle.COM
Date: Fri, 31 Jan 1997 20:03:01 +0000 (GMT)

> ActiveX components have the same characteristics of a virus.  They are code
> which is delivered from the outside, frequently without knowledge, which can
> affect the long-term characteristics of the host system or other systems
> and/or pass information back which may be considered proprietary or
> sensitive.

Actually, none of these are defining characteristics of a virus.  All a virus has to do to -be- a virus is replicate.
--
David Harley                       \ | /    alt.comp.virus FAQ
D.Harley@icrf.icnet.uk             \ | /    & Anti-Virus Web Page
Support & Security Analyst         \ | /    Folk London On-Line gig-list
Imperial Cancer Research Fund   ____\|/____ http://webworlds.co.uk/dharley/

From firewalls-owner Sat Feb 1 00:40:31 1997
Date: Sat, 01 Feb 1997 00:08:29 -0600
To: Mark Thompson , Firewalls@GreatCircle.COM
From: Chris Lonvick
Subject: Re: ICMP Class 9; Code 0 in FW-1 Logs??

Hi Mark,

Slap a sniffer on the wire and see if it's ICMP Type 9 Code 0.  This is described in RFC-1256 as the ICMP Router Discovery Message.  If so, then you have a router out there sending IRDP advertisements.  It was intended to provide hosts with the IP addresses of their neighboring routers.  This is a good idea for dropping a host into a network and getting it to work right away.  This is a bad idea for a firewall - which is why yours is ignoring it.
Hope this helps,
Chris Lonvick
Cisco Systems Consulting Engineering
Houston, TX, USA
+1-713-778-5663

At 07:31 PM 1/31/97 -0700, Mark Thompson wrote:
>We're getting some logging that we can't explain in our FW-1 2.1 (solaris)
>logs which I was hoping somebody out there might be able to help us
>with:
>
>ICMP class 9 rejected;
>ICMP code 0 rejected
>
>Does anybody have any idea what these classes and codes mean.  Are
>these FW-1'isms, or are they actually part of the ICMP spec?  We had an
>idea that they might be related to RIP traffic, but have (as of yet) been
>unable to find proof.
>
>Thanks much,
>
>Mark.
>
>Mark Thompson
>Manager of Network Services
>The University of Lethbridge
>Lethbridge, AB Canada
>
>thommd@cetus.mngt.uleth.ca
>(403) 329-2689
>
>

From firewalls-owner Sat Feb 1 01:10:32 1997
From: mcwilkin@twcable.com
To: firewalls@GreatCircle.COM
Date: Fri, 31 Jan 1997 13:42:44 +0000
Subject: Ident revisited
Hi all-

I have a question re: ident.  We have a strange problem.  We drop all ident requests inbound silently at the firewall.  First, we are running Solstice Firewall-1 2.1 on a Sparc 10 with Solaris 2.5.

There is a site our users need to access but they can't.  After we watched the packets we saw ident come in and we block it.  But, instead of timing out and allowing us access, it closed our connection!  So, I figured that they might have it configured to require some sort of response.

Here is where I get lost.  I tried it from our internal name server and it timed out...  But instead of sending FIN to close the connection it let us in.  This is the only internal machine that can access that site.  So, if we are dropping ident on the floor and (if) they require it...  Why does this one work and all the others don't?  This internal machine doesn't even run ident or service port 113 but that doesn't matter since ident doesn't even reach it!

I really don't think they are requiring a response.  It almost seems like the firewall is doing this.  I didn't configure the firewall so I am not familiar with it...  But, if someone can give me a place to look or something to try it would be appreciated.

Also, since we have an internal/external DNS setup we have a * PTR on our external name server for reverse lookups.

Mike

Michael C.
Wilkinson
Time Warner Cable-IS
mcwilkin@twcable.com

From firewalls-owner Sat Feb 1 01:25:50 1997
From: sedayao@argus.intel.com (Jeffrey C. Sedayao)
Subject: Re: Firewall Consolidation
To: asetton@lightech.com.ar
Date: Fri, 31 Jan 97 11:28:46 PST
Cc: firewalls@GreatCircle.COM
In-Reply-To: <32F1C9B2.436E@lightech.com.ar> from "Adrian F. Setton" at Jan 31, 97 01:30:11 pm

> Hello,
> I'm looking for opinions about using the same firewall machine in
> order to connect the same organization with multiple services.
> For example, a Bank could use the same firewall in order to protect
> the private network from the Web Servers that are in the DMZ, and in
> order to give access to the Internet to the employees.
> An argument is that perhaps we do not want to consolidate them for
> performance reasons (we want to be able to isolate one service from
> another, so the traffic from one does not affect the performance of
> the second one).
> Any idea about why this consolidation could be good or bad, will be
> appreciated.

I would keep them separate because:

1.
Performance - If you are putting the DMZ as a segment off the firewall machine, as the firewall gets bogged down, performance for your internal users (to the Internet) and your external users of your web servers will suffer.

2. Robustness - If the DMZ firewall machine goes down, both your internal users will suffer as well as your external customers of your web servers.  You want to minimize the number of angry phone calls at the same time.

3. Easier configuration - Rather than worry about both the web server and your users on the same machine's configuration, you think of them separately.  Simpler configurations will reduce the chance of you making a mistake.

Then again, if you don't have enough money for more than one machine, well, you will have one machine.  I don't think that would be a good idea.  In either case, I think you want to make sure that one group or person is administering both machines.

> --
> Adrian F. Setton
> LighTech                            Voice:  (54-1) 373-1141
> Ayacucho 563. Piso 13 Dto "A"       FAX:    (54-1) 373-1215
> Buenos Aires                        e-mail: asetton@lightech.com.ar
> Argentina                           URL:    http://www.lightech.com.ar

--
Jeff Sedayao
Intel Corporation
sedayao@argus.intel.com

From firewalls-owner Sat Feb 1 03:25:34 1997
Date: Sat, 01 Feb 1997 11:50:52 +0100
To: firewalls@GreatCircle.COM
From: Patrick Nefkens
Subject: Re: [Fwd: Re: MS Proxy as a
firewall?]

>> Luckily, an article
>> in Infoworld or Communication Week a few weeks ago reviewed msproxy server
>Is there anybody out there who has more information about this article ?
>Thanks in advance.

This article was published in Communications Week, January 20, 1997.  It can be found at http://www.techweb.com.  There you will have to search on the keyword "MS Proxy".

Patrick "Cloggie" Nefkens

Those who can, do.  Those who can't, write the instructions.

From firewalls-owner Sat Feb 1 04:17:24 1997
Date: Sat, 1 Feb 1997 11:18:44 +0100
From: etxrosd@nmac.ericsson.se (Robert Stahlbrand)
To: firewalls@GreatCircle.COM
Subject: Re: Rewriting User Names

Hi!

I have got a problem with makemap!  When I run:

	makemap outnames.db < outnames.db.txt

the following error message appears:

	"makemap: Type btree not supported in this version"

The same happens if I use the hash option instead of btree.
I know that I had some trouble when I compiled makemap (sendmail ver. 8.8.5) and it couldn't generate manpages, but "what the heck" was my thought.  I don't need manpages for makemap (maybe I need them now).

I run sendmail on Solaris 2.5.

Is there someone else who is having the same problem?  Is there anyone who can share a copy of the makemap binary for Solaris 2.5?

###########################################################
# Robert Stahlbrand                                       #
# Network and System Administrator OPLab and NMAC domains #
#                                                         #
# Ericsson Telecom AB                                     #
# Box 333                                                 #
# 43184 Molndal                                           #
# Sweden                                                  #
# +46 31 7476162                                          #
# +46 31 7472942 (fax)                                    #
#                                                         #
# robert@nmac.ericsson.se                                 #
###########################################################

> >     Incoming mail to myself could be aliased to daves@stryder.com.  When
> >     I send outgoing mail my return address currently shows ds3721@stryder.com.
> >     The outgoing mail should show daves@stryder.com.
> >
> > Can somebody give me some examples as to how this might be accomplished.
> >
>
> What you want to do is not so hard, just copy the following steps.  It may look
> a little harder than it is if you don't know sendmail that well.
>
> First, create a list of address translations, like this:
>
> 	ds3721		daves
> 	real_name	alias_name
>
> making sure that the lefthand column is unique.
>
> Then run 'makemap btree name_of_database < address_translation_list'.
>
> In your /etc/sendmail.cf file, add the following
>
> Kout btree /location_of_database/name_of_database
>
> Moutbound_mailer, P=[TCP], F=mDFMuX, S=12, R=22, A=IPC $h, E=\r\n
>
> S12
> # rewrite outbound (sender's) addresses to proper format
> R$+<@$+>$*		$1@$2$3				remove canonicalization, then
> R$+@stryder.com		$:$>31 $1@stryder.com		rewrite if in groups
> R$+@$*stryder.com	$@$1<@$2stryder.com>		make canonical
>
> S31
> R$+@stryder.com		$:$(out $1 $)
> R$+			$:$1@stryder.com
>
> (for all you sendmail experts, it may be a little rough around the edges, but
> it's from off the top of my head).
>
> Hope it helps,
> -joav
>

From firewalls-owner Sat Feb 1 10:28:58 1997
Date: Sat, 01 Feb 1997 09:12:21 -0800
To: gvc@ocsystems.com (G. Vincent Castellano), Firewalls@GreatCircle.COM
From: Chris Martin
Subject: Re: Protecting local news from Suck

At 06:45 PM 1/30/97 -0500, G. Vincent Castellano wrote:
> ...
>I have heard that there is a tool called 'suck' which is
>designed to do just this.  Is there such a tool?  If so,
>how can I be sure I'm safe from it?

One approach would be to use a set of news servers internally for newsreading and a distinct set of news servers externally exclusively for news relay.  The internal news servers simply wouldn't feed internal groups out to the relay servers.  This is generally considered to be better from a performance perspective as well -- especially if you have a number of external news peers.
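The map-driven sender rewriting that Joav Kohn sketched earlier in this digest (and that Robert Stahlbrand re-quotes above) can be exercised without a working sendmail or makemap build, which is handy precisely when, as in the makemap thread, the map tooling is what is broken.  The following is an added example written for this archive, not code from any of the posts: a Python emulation of the "out" map and of rulesets S12 and S31.  It does not invoke sendmail or makemap; the translation list is constructed sample data, and LOCAL_DOMAIN, build_map, ruleset31 and rewrite_sender are names chosen here.

```python
import re

# Domain the post's rules are written for.
LOCAL_DOMAIN = "stryder.com"

# Constructed sample of the "real_name alias_name" translation list that the
# post feeds to makemap; not data taken from the archive.
TRANSLATION_LIST = """\
# real_name   alias_name
ds3721        daves
jb1234        joeb
"""


def build_map(text):
    """Parse the translation list into a dict and enforce the unique
    left-hand column the post asks for, before anything is handed to makemap."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'real_name alias_name', got {raw!r}")
        key, value = parts
        if key in mapping:
            raise ValueError(f"line {lineno}: duplicate left-hand entry {key!r}")
        mapping[key] = value
    return mapping


def ruleset31(addr, out_map):
    """S31 of the post:
    R$+@stryder.com   $:$(out $1 $)      look the local part up in the map;
                                         a key that is absent comes back unchanged
    R$+               $:$1@stryder.com   put the domain back"""
    m = re.fullmatch(rf"(.+)@{re.escape(LOCAL_DOMAIN)}", addr)
    if m:
        addr = out_map.get(m.group(1), m.group(1))
    return addr + "@" + LOCAL_DOMAIN


def rewrite_sender(addr, out_map):
    """S12 of the post, applied to a canonical sender such as
    'ds3721<@stryder.com>' (the form a mailer's S= ruleset receives)."""
    # R$+<@$+>$*   $1@$2$3   remove canonicalization
    m = re.fullmatch(r"(.+)<@(.+)>(.*)", addr)
    if m:
        addr = f"{m.group(1)}@{m.group(2)}{m.group(3)}"
    # R$+@stryder.com   $:$>31 $1@stryder.com   hand local senders to S31
    m = re.fullmatch(rf"(.+)@{re.escape(LOCAL_DOMAIN)}", addr)
    if m:
        addr = ruleset31(f"{m.group(1)}@{LOCAL_DOMAIN}", out_map)
    # R$+@$*stryder.com   $@$1<@$2stryder.com>   make canonical again
    m = re.fullmatch(rf"(.+)@(.*){re.escape(LOCAL_DOMAIN)}", addr)
    if m:
        return f"{m.group(1)}<@{m.group(2)}{LOCAL_DOMAIN}>"
    # No rule matched: a non-local sender leaves S12 with the angle brackets
    # already stripped by the first rule, one of the rough edges the post admits.
    return addr


if __name__ == "__main__":
    out = build_map(TRANSLATION_LIST)
    for sender in ("ds3721<@stryder.com>", "nobody<@stryder.com>",
                   "bob<@mail.stryder.com>", "carol<@example.org>"):
        print(f"{sender:26} -> {rewrite_sender(sender, out)}")
```

Running it walks the four cases anyone reviewing the rules would want to see: a mapped user (ds3721 becomes daves), an unmapped user (passed through, because $(out $1 $) with no default returns its key when the lookup fails), a subdomain sender (never reaches S31 but is re-canonicalized), and a non-local sender, which comes back without the angle brackets that S12's first rule removed.  That last case is the sort of rough edge Joav warns about; the genericstable feature Jim Richey points to is sendmail 8.8's supported way of doing the same job.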
From firewalls-owner Sat Feb 1 11:10:37 1997
Date: Thu, 01 Feb 1996 12:03:10 -0400
From: Ronald Ogle
Reply-To: oglerr@northern-va.com
Organization: RTO Consulting
To: Firewalls@GreatCircle.COM
Subject: Firewall-1 to Sunscreen SPF-100 VPN
References: <199702010925.BAA28232@miles.greatcircle.com>

I've got some information from SUN on how to make a Virtual Private Network connection between a Firewall-1 2.1 machine and a Sunscreen SPF-100 machine.  My question is does anyone else have a working VPN between these same two machines?  Secondly, would you be willing to share the procedure on how you set it up?

Thanks!

--
Ronald R. Ogle
RTO Consulting
15210 Crescent St.
Dale City, VA 22193-1623
(703) 730-0451
oglerr@northern-va.com

From firewalls-owner Sat Feb 1 11:49:00 1997
Date: Sat, 01 Feb 97 10:04:20 CST
From: Steve Marak
Subject: Blocking modems
To: Firewalls mailing list

>Random thought: would it be possible to insert a (hardware) filter
>on incoming lines to block modem signalling frequencies?  This would
>not disturb voice traffic but might be an effective solution.  Modern
>modems

This occurred to me about 6 years ago and I've been trying ever since to find a product/service/vendor who could implement it for me, with no luck.  I've asked a lot of people at conferences and such, too.  Usually their answer was that it seemed quite logical and surely someone *ought* to provide something, but they didn't know specifically of anything.  Some of our AT&T contingent assured me that the newer high-end switches could be configured to do this, but so far none of the technical people seem to know how.
If someone out here does know of something along this line, please include me in the reply if you don't post to the list.  Apologies to the list at large for continuing this (at best tangential) topic - it's been a thorn in my side for a long time.

Steve

--
Steve Marak -- SAMARAK@UAFSYSB.UARK.EDU

From firewalls-owner Sat Feb 1 12:25:33 1997
From: Krummenacher Kurt
To: "'Firewalls@GreatCircle.COM'"
Subject: Put me off
Date: Sat, 1 Feb 1997 21:10:54 +0100

please put out this list

K.Krummenacher@spectraweb.ch

From firewalls-owner Sat Feb 1 12:44:47 1997
Date: Sat, 01 Feb 1997 15:20:15 -0500
From: davew@memberville.com (Dave Weinstein)
Reply-To: davew@paragonfcu.org
Organization: Paragon Federal Credit Union
To: firewalls@greatcircle.com
Subject: Technologic's Interceptor

We are presently evaluating different firewall solutions, one of which is Technologic's Interceptor.  Is it a good product?  Can anyone please provide a little insight?

Thanks in advance,
David Weinstein
VP of Information Systems and Technology

From firewalls-owner Sat Feb 1 12:55:44 1997
Date: Sat, 1 Feb 1997 12:34:07 -0800 (PST)
From: Robert Harker
To: etxrosd@nmac.ericsson.se
Subject: Re: Rewriting User Names
Cc: firewalls@GreatCircle.COM

The version of makemap you compiled seems not to support the new Berkeley "db" library.  Either get the library from:

	ftp://ftp.cs.berkeley.edu/ucb/4bsd/db.1.85.tar.gz

Or you can use your existing makemap which probably supports the vendor's default "ndbm" database.
Try:

    makemap dbm outnames < outnames

This will create the ndbm database files: outnames.pag and outnames.dir (the two names can be the same).

Word of warning: if your makemap command has been compiled with db support, then you will get db files even if you specify dbm as the database type. To build an ndbm file you must use the makedbm command.

Hope this helps
RLH

> For info about our "Managing Internet Mail, Setting Up and Trouble  <
> Shooting sendmail and DNS" and a schedule of dates and locations,    <
> please send email to info@harker.com, or visit www.harker.com       <

Robert Harker                         Harker Systems
Sendmail and TCP/IP Network Training  1180 Hester Ave
Network and Sysadmin Consulting       San Jose, CA 95126
harker@harker.com                     408-295-9432

From firewalls-owner Sat Feb 1 15:27:11 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA18976 for firewalls-outgoing; Sat, 1 Feb 1997 15:13:38 -0800 (PST)
Received: from unix1.sysnet.net (unix1.sysnet.net [206.142.32.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA18969 for ; Sat, 1 Feb 1997 15:13:25 -0800 (PST)
Received: from [206.142.16.32] (appp13.sysnet.net [206.142.16.32]) by unix1.sysnet.net (8.8.4/8.6.12) with SMTP id TAA25825; Sat, 1 Feb 1997 19:49:02 -0500 (EST)
Message-Id: <199702020049.TAA25825@unix1.sysnet.net>
Subject: Re: Lower Prices and More NSA Testing
Date: Sat, 1 Feb 97 18:12:53 -0400
x-sender: patton@mail.sysnet.net
x-mailer: Claris Emailer 1.1
From: Matthew Patton
To: "BeachCruiser"
cc:
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>release of more test results as the X31 crew expands their commercial
>firewall product evaluations. Gauntlet and Sidewinder just happened to be
>the first two on the bench. Others are already in the queue.

But has anybody read them? I just finished the TIS one and I'm VERY nonplussed. What's the value added of the X31's efforts?
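A small check for the makemap step Harker describes, added here as an example; it is not code from the post or from sendmail. It validates the map source (one `key value` pair per line, `#` comments, no duplicate keys) and then reports which database files a makemap run actually left on disk, so the db-versus-ndbm surprise he warns about is caught right after the build instead of at delivery time. The file suffixes are assumptions based on the thread's file names: `.pag`/`.dir` for ndbm and `.db` for the Berkeley db formats; the sample map entries are constructed, and `makemap` is only invoked when it is on PATH.

```python
"""Added example (not from the list post or from sendmail): validate a
makemap source file and confirm which database flavour a makemap run
actually produced.  Assumed file names: outnames.pag/outnames.dir for
ndbm (as in the thread) and outnames.db for the Berkeley db formats."""
import os
import shutil
import subprocess
import tempfile


def parse_map_source(text):
    """Parse makemap input: one 'key<whitespace>value' pair per line;
    blank lines and '#' comments are ignored.  Returns a dict and raises
    ValueError on a malformed line or a duplicate key, so a typo in the
    rewrite table is found before makemap is ever run."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'key value', got {raw!r}")
        key, value = parts
        if key in entries:
            raise ValueError(f"line {lineno}: duplicate key {key!r}")
        entries[key] = value.strip()
    return entries


def detect_map_format(basename):
    """Look at what makemap left next to the source file.  A .db file wins
    even when a .pag/.dir pair is also present: that is the case Harker
    warns about, a db-enabled makemap ignoring the 'dbm' type requested."""
    if os.path.exists(basename + ".db"):
        return "db"
    if os.path.exists(basename + ".pag") and os.path.exists(basename + ".dir"):
        return "ndbm"
    return None


def check_map_build(basename, requested):
    """Compare the type given on the makemap command line ('dbm', 'hash'
    or 'btree') with what is actually on disk.  Returns (actual, ok)."""
    expected = "ndbm" if requested == "dbm" else "db"
    actual = detect_map_format(basename)
    return actual, actual == expected


def build_map(source_path, requested="dbm"):
    """Run 'makemap <type> <base> < <source>' with base == source, as in
    the post, if makemap is installed.  Returns the check_map_build()
    result, or None when makemap is not on PATH."""
    makemap = shutil.which("makemap")
    if makemap is None:
        return None
    with open(source_path, "rb") as src:
        subprocess.run([makemap, requested, source_path], stdin=src, check=True)
    return check_map_build(source_path, requested)


if __name__ == "__main__":
    # Constructed sample: login names mapped to the addresses shown outside.
    sample = ("# constructed sample map source\n"
              "ds3721 daves@example.com\n"
              "ms4411 marys@example.com\n")
    print(parse_map_source(sample))
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "outnames")
    with open(source, "w") as fh:
        fh.write(sample)
    result = build_map(source, "dbm")
    if result is None:
        print("makemap not on PATH; skipping the build step")
    else:
        actual, ok = result
        print(f"requested dbm, got {actual}: "
              f"{'ok' if ok else 'MISMATCH - makemap was built with db support'}")
```

If `check_map_build` reports a mismatch after `makemap dbm`, the binary was compiled with db support and, as Harker says, you need a different tool (or a differently built makemap) to get a real ndbm pair.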
There's no new insight, and it was hardly what I'd consider rigorous. Indeed their testing basically boiled down to confirming that the firewall obeyed protocol conventions. So what? The trade rags do similar testing. There are an incredible number of TIS sites out there and if the features didn't work as advertised we'd have known a LONG time ago.

I'll read the Sidewinder one next and I'm prepared to be yet again disappointed at the coverage.

From firewalls-owner Sat Feb 1 16:40:58 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA24288 for firewalls-outgoing; Sat, 1 Feb 1997 16:35:49 -0800 (PST)
Received: from mailhost.netrunner.net (mailhost.netrunner.net [204.137.145.201]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id QAA24281 for ; Sat, 1 Feb 1997 16:35:37 -0800 (PST)
Received: from jim.davocom.com ([205.164.226.41]) by mailhost.netrunner.net (8.7.5/8.7.5) with ESMTP id TAA17673; Sat, 1 Feb 1997 19:13:31 -0500 (EST)
Message-ID: <32F3DA42.27E9@davocom.com>
Date: Sat, 01 Feb 1997 19:05:23 -0500
From: Jim Canfield
X-Sender: Jim Canfield
X-Mailer: Mozilla 4.0b1 (Win95; I)
MIME-Version: 1.0
To: "K.M."
CC: firewalls@GreatCircle.COM
Subject: Re: Sidewinder vs. Cyberguard
X-Priority: Normal
References: <9701311502.AA10288@uc0009.wangfed.com>
Content-Type: multipart/alternative; boundary="----------592E56445F600"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am a relative novice in the arena of firewalls but am attempting to learn as much as I can. Monitoring this forum on basic fw issues to the most esoteric is exceptionally enlightening. I have been implementing L/WAN's for about 9 years and consider myself relatively well qualified in certain areas.

Coming at the issue of firewalls as a small system integration house we researched what a firewall is and what is important.
What is important as I see it is to keep the unwanted out while inconveniencing those who need access as little as possible.

First: How is security rated A1, B3, B2, B1, C2, C1 in the US, other similar grading scales in England/Germany and probably countless others worldwide. Then to find out what was the best achievable security rating for a product that is usable.

The most secure, usable, firewall we have found to date is the Cyberguard.

As mentioned the products are B1 compliant (awaiting certification).... They are relatively easy to set up, nice GUI and it has built in the ability for most "standard" (excuse the word) proxies and allows creation of probably anything you might need. It is priced competitively with Sidewinder, Raptor and the other high-end hardened O/S FW's available but as far as I know it is the only one that is B compliant.

If you need to purchase a firewall, I do not see how anyone ever chooses anything other than the Cyberguard.

Thanks for your time.

Jim Canfield
From firewalls-owner Sat Feb 1 18:29:14 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA02436 for firewalls-outgoing; Sat, 1 Feb 1997 18:13:06 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA02426 for ; Sat, 1 Feb 1997 18:12:56 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id VAA02207; Sat, 1 Feb 1997 21:09:11 -0500
From: Adam Shostack
Message-Id: <199702020209.VAA02207@homeport.org>
Subject: Re: [NTSEC] ActiveX, MSIE and Quicken
In-Reply-To: <41FDA823FC5AD011A0970000E8D5C667029335@mail.rc.on.ca> from Russ at "Jan 31, 97 07:04:44 am"
To: Russ.Cooper@RC.on.ca (Russ)
Date: Sat, 1 Feb 1997 21:09:11 -0500 (EST)
Cc: firewalls@GreatCircle.COM, lists@reflections.mindspring.com
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Russ wrote:
| 1. If the default IE implementation existed on the exploited machine,
| they were informed of the company name who signed the certificate, and
| were asked to confirm acceptance of the object. In which case, they
| chose to trust an untrustworthy company, why is that the fault of
| Activex?
|
| 2. If they previously had told IE to accept all signed certificates,
| then they chose to leave their machine wide open, again, why is that
| ActiveX's fault?

Let's say that the user is in class one, and makes a mistake. They could have just accepted a malicious applet that changes their IE config into class two. Or perhaps it adds a trusted CA. (Or perhaps the attack is two pronged; the malicious code that changes the config file is a Word virus.) There are subtle attacks.
ActiveX is bad technology because it does not offer mechanisms for an organization's security officer to control what is happening in any way other than turning it off.

Adam

--
Pet peeve of the day: Security companies whose protocols dare not speak their name. Guilty company of the day is Security Dynamics.

From firewalls-owner Sat Feb 1 18:41:03 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA03429 for firewalls-outgoing; Sat, 1 Feb 1997 18:30:44 -0800 (PST)
Received: from reflections.mindspring.com (reflections.mindspring.com [204.180.142.192]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA03227 for ; Sat, 1 Feb 1997 18:29:59 -0800 (PST)
Received: from localhost (lists@localhost) by reflections.mindspring.com (8.7.6/8.7.3) with SMTP id VAA01895; Sat, 1 Feb 1997 21:28:51 -0500
Date: Sat, 1 Feb 1997 21:28:51 -0500 (EST)
From: Todd Graham Lewis
To: Adam Shostack
cc: Russ , firewalls@GreatCircle.COM
Subject: Re: [NTSEC] ActiveX, MSIE and Quicken
In-Reply-To: <199702020209.VAA02207@homeport.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 1 Feb 1997, Adam Shostack wrote:

> Russ wrote:
>
> | 2. If they previously had told IE to accept all signed certificates,
> | then they chose to leave their machine wide open, again, why is that
> | ActiveX's fault?
>
> Lets say that the user is in class one, and makes a mistake.
> They've could have just accepted a malicious applet that
> changes their IE config into class two. Or perhaps it adds a trusted
> CA.

Or maybe it fires up Frontpage and slaps the same thing on an internal web page. Etc., ad nauseam.

Russ, when you continue to argue that "ActiveX/OLE has always been an insecure, crappy technology; the only difference is that it's now on the web", I really fail to see your point. Maybe you could fill me in.
__
Todd Graham Lewis            Mindspring Enterprises            tlewis@mindspring.com

From firewalls-owner Sat Feb 1 19:09:22 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA03617 for firewalls-outgoing; Sat, 1 Feb 1997 18:37:27 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA03607 for ; Sat, 1 Feb 1997 18:37:10 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id VAA02356; Sat, 1 Feb 1997 21:33:14 -0500
From: Adam Shostack
Message-Id: <199702020233.VAA02356@homeport.org>
Subject: Re: Secure Telneting into a internal network
In-Reply-To: from Derrick 'Red 5' Cole at "Jan 30, 97 02:14:41 pm"
To: derrick.cole@ssds.com
Date: Sat, 1 Feb 1997 21:33:14 -0500 (EST)
Cc: aharpham@cnweb.com, Firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Derrick 'Red 5' Cole wrote:
| On Thu, 30 Jan 1997, Allen D. Harpham wrote:
| >
| > They use a windows based telnet package that they would like to use to
| > access their hosts on the internal network over the internet.
|
| This is the behaviour purported by this "shim" idea. It situates itself
| in the midst of the winsock stack, and "knows" (most likely via routes to
| destinations using pseudo interfaces - as with swIPe) when to encrypt a
| session and when not to.

There are a couple of shims that sit above winsock now, rather than mucking with it. V-One makes one, there's another called VTCP. You point your network program to 127.0.0.1 on some port, and it wraps the connection in a 'secure pipe' to the firewall. V-One offers the nice ability to control where users connect to once they connect over this pipe.
On the down side, you find yourself saying 'the V-One client server protocol' or 'the V-One online registration protocol' an awful lot, and they're both mouthfuls.

Adam

--
Pet peeve of the day: Security companies whose protocols dare not speak their name, because they don't have one. Guilty company of the day is now V-One.

From firewalls-owner Sat Feb 1 19:11:02 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA03473 for firewalls-outgoing; Sat, 1 Feb 1997 18:31:53 -0800 (PST)
Received: from unix1.sysnet.net (unix1.sysnet.net [206.142.32.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA03466 for ; Sat, 1 Feb 1997 18:31:40 -0800 (PST)
Received: from [206.142.16.36] (bppp2.sysnet.net [206.142.16.36]) by unix1.sysnet.net (8.8.4/8.6.12) with SMTP id XAA27088; Sat, 1 Feb 1997 23:07:18 -0500 (EST)
Message-Id: <199702020407.XAA27088@unix1.sysnet.net>
Subject: Re: Sidewinder vs. Cyberguard
Date: Sat, 1 Feb 97 21:31:07 -0400
x-sender: patton@mail.sysnet.net
x-mailer: Claris Emailer 1.1
From: Matthew Patton
To: "Jim Canfield"
cc:
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jim Canfield wrote:
>The most secure, usable, firewall we have found to date is the
>Cyberguard

On what basis do you make this assertion? "secure" can mean a lot of things and a rubber stamp from NSA or its equivalent doesn't mean a whole lot if buggy software can be trivially exploited. We could go on about "usable" but I'll let that one slide.

In particular is the firewall configuration an EXACT match with the "certified/tested/evaluated" machine? NT has a C2 rating but it's not worth a damn. When was the last time you ran an NT box with no LAN, no floppy, and with a modified BIOS? Not exactly a useful product. Then again, assuming you duplicate this setup, place said machine nearish to a window.
Electronic eavesdropping (for about $3000 and change) or outside observation does tend to degrade the usefulness of said rating, does it not?

>As mentioned the products are B1 compliant (awaiting certification)....

Whatever, see above.

>They are relatively easy to setup , nice GUI and it has built in the

Ah, the GUI. Remote manageable too I think I recall. What to say when the X11 session gets hijacked? You sure the box isn't running a braindamaged X11 server? Can you attack the logging facility thru DOS? What happens when you bog the machine down with hundreds of connections? Does it run out of VM and spontaneously reboot? How about the logs filling up the disk? What happens when this occurs and an exploit is then launched? Do you still have an audit trail?

>ablity for most "standard "(excuse the word) proxies and allows creation
>of probably anything you might need.

So they know how to check off all of the feature boxes on the report card. Anybody can and everybody does that. IMO ratings, be they NSA/NCSA or whatever, aren't worth much and definitely not a price premium. I take far more comfort in people banging away at the available stuff and fixing the problems. Additionally, you really believe the vendor (or reviewer for that matter) went thru every single line of code specifically looking for possible exploits? Get real. All the ratings do is study the protection scheme and bless it as logical and OK at least in theory. Then with various degrees of persistence they try to prove you can't get around said protection. Holes and stack smashes by way of poorly written C and resolver libraries and DOS via SYN etc. aren't addressed. If they were we wouldn't be plagued with some of the problems we have now.
From firewalls-owner Sat Feb 1 20:25:39 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA13424 for firewalls-outgoing; Sat, 1 Feb 1997 20:19:41 -0800 (PST)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id UAA13416 for ; Sat, 1 Feb 1997 20:19:28 -0800 (PST)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id WAA23134; Sat, 1 Feb 1997 22:06:36 -0500
Date: Sat, 1 Feb 1997 22:06:30 -0500 (EST)
From: Rabid Wombat
To: "Starkweather, Mike"
cc: "'firewalls@GreatCircle.COM'"
Subject: Re: Highly available Internet connection
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Without two circuits, a local loop failure will take you down. You are much better off running two circuits, to two different ISPs, from two of your sites. Make sure you don't use two different ISPs that are both heavily dependent on the same MAE or NAP, or have heavily interdependent peering arrangements, such that failure of a core router can still take out both.

-r.w.

On Wed, 29 Jan 1997, Starkweather, Mike wrote:

> My company wants to move toward Electronic Commerce on the Internet.
> One of the requirements would be a highly available, secure
> connection. One of the ideas I have considered is two firewalls going
> out over two routers to two wide area links to two ISPs. This is a
> pretty brute force approach.
>
> Does anyone have any ideas to share on how we might build an Internet
> connection that would approach 100 percent availability?
>
> Thanks for all your help.
>
> Mike Starkweather
> Anheuser-Busch
>

From firewalls-owner Sat Feb 1 20:57:31 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA14180 for firewalls-outgoing; Sat, 1 Feb 1997 20:42:38 -0800 (PST)
Received: from news.rc.on.ca ([207.176.151.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA14164 for ; Sat, 1 Feb 1997 20:42:24 -0800 (PST)
Received: by mail.rc.on.ca with Internet Mail Service (5.0.1389.3) id <01BC1099.5A732EB0@mail.rc.on.ca>; Sat, 1 Feb 1997 23:40:49 -0500
Message-ID: <41FDA823FC5AD011A0970000E8D5C667029390@mail.rc.on.ca>
From: Russ
To: Adam Shostack , "'Todd Graham Lewis'"
Cc: firewalls@GreatCircle.COM
Subject: RE: [NTSEC] ActiveX, MSIE and Quicken
Date: Sat, 1 Feb 1997 23:40:48 -0500
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1389.3)
Content-Type: text/plain; charset="iso-8859-1"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

To try and keep this on a Firewalls vein. The tunneling of anything over HTTP is, in my opinion, the crappy technology. That goes for Java applets or certificate authentication for that matter. I don't like the idea of combining diverse tasks within a single channel if it's possible to avoid it, and it is possible, so the only reason it's not being done is to USURP FIREWALLS.

ActiveX as an Internet web surfing technology (i.e. interaction between non-cooperating trust environments), despite the ability for vendors to incorporate their bar codes on their packages, is just another implementation of that same crappy technology.

BUT...

The issue is whether or not there is to be a future technology that isn't crappy. I don't see how Firewall administrators can honestly say that they trust Java applets any more than you can say you trust ActiveX objects, when they're coming from an untrusted source (even if that source has signed the applet with a trustable digital certificate).
Now don't respond with the Java applets are more secure than ActiveX objects thing, please. Neither can be completely trusted to the extent necessary for a Firewall administrator to honestly say it's OK to let it in. ActiveX has no security, and Java applets have lots of security, but neither provide sufficient control or reporting for a Firewall administrator to really know what's happening where, and the sandbox can't be trusted enough to say you don't need to care what a Java applet is doing, IMO.

So neither technology is THE answer. Both technologies are demonstrations of future technology which will become AN answer. Whether either survive, or some hybrid or completely different technology emerges as THE answer is still to be seen.

I argue that it's been possible for applications to be installed on an OLE machine and do what these malicious ActiveX objects (or hypothetical objects) can do. It was required for them to be retrieved (in whatever fashion), installed (in a variety of fashions including Trojans), and invoked (again, covertly was not out of the question). So in the case of an ActiveX object from a web page, you are asked if you want to retrieve the object, whether or not it should be installed, and whether or not it should be invoked. The issue seems to be how easy that has become, but Windows 95 and NT 4.0 both implement a model that makes that easy and somewhat hidden (a shortcut accessed across a network share could easily install itself without any notification whatsoever).

ActiveX is a big word, it covers a whole spate of technologies, of which only one is its ability to be downloaded/installed/invoked from a web page. Disparaging ActiveX as a technology because of one aspect of it is like saying that Java applets are useless because they allow a reverse connection back to their originating machine. It's one part of the technology that needs to be replaced/improved.
Since Windows HAS BECOME an ActiveX environment, from top to bottom, what's needed now is more emphasis on the environment's security. Windows NT 4.0 represents, somewhat, the environment that all OLE-based platforms have to become. An environment where distributed computing is possible, but can also be implemented securely. But this discussion digresses into issues that shouldn't be debated here.

Bottom line is that with so little interest by Firewall administrators in desktop security, their minds concreted in the idea that everything is going to be controlled at the company gates by the GateKeeper, it's obvious that the Tunnellers will win and the GateKeepers will lose. With that goes the legacy systems that put bottlenecks on technology and innovation in favour of time-tested and proven security models. Fine, it'll work great for lots of implementations, but while those walls crumble and the GateKeeper continues to be assailed from his/her own charges, at some point the realization will hit them that desktop security and an integrated administration/security platform is the only model that can move forward with the technology.

They say that a month on the web is the equivalent of a year for anything else. So if a new Internet product is in public beta for 5 months, that's supposed to be the equivalent of 5 years. Obviously from a security perspective this analogy doesn't work, since people aren't testing products 12 times faster than they used to...;-] But if IS decisions are being done at or near the pace of the Internet, clearly something has to give somewhere. The only way that can happen is to expand the scope of the GateKeeper from beyond the Firewall to include the desktop. If these new technologies are implemented with this in mind, it would be possible for a Firewall admin to probe, control, and enforce a security policy at the desktop through a server cooperating with the Firewall.
ActiveX does make this possible, but the tools don't exist yet (or aren't widely known) so it seems impossible.

So again I say it, block ActiveX objects if you can at your Firewall. But get your head out of the sand and realize that this very same technology could be put to valuable use in your environment to enhance your ability to implement and enforce your security policy, and it all could be done in total cooperation with your Firewall. All we have to do is force the vendors to deliver the products that could do this.

This doesn't translate to a call for NT Firewalls (although light 'em if you have 'em). But if you think you can say that ActiveX is bad so take it away, you'll have to tell them to take away all your MS desktops as well. I'm sure many of you have been saying that for a while now, but the facts are in front of the majority of you and can be seen just by looking around your office.

> Cheers,
> Russ
> R.C. Consulting, Inc. - NT/Internet Security Consulting
> "Why does Plug-n-Play so often turn into Unplug-n-Pay?"

From firewalls-owner Sat Feb 1 21:33:18 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA15971 for firewalls-outgoing; Sat, 1 Feb 1997 21:08:59 -0800 (PST)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id VAA15919 for ; Sat, 1 Feb 1997 21:08:41 -0800 (PST)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id WAA23257; Sat, 1 Feb 1997 22:55:57 -0500
Date: Sat, 1 Feb 1997 22:55:52 -0500 (EST)
From: Rabid Wombat
To: Matthew Archibald
cc: pyb@cadrus.fr, Firewalls@GreatCircle.COM
Subject: Re: Internal modems ?
In-Reply-To: <199701292016.MAA16951@plato.West.Sun.COM>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 29 Jan 1997, Matthew Archibald wrote:

>
>
> Two methods will work here...
>
>
> 1) Get a dialer like 'toneloc' or other wardialer
>    and run random checks against all known internal
>    phone numbers.
>    - If a modem answers you have a hit
>    - If it goes to voice or someone answers
>      they know you are checking, but hey,
>      that's what you want anyway
>

Actually, they *might* know *somebody* is checking; be interesting to find out if anyone reports what they hear ... my guess is that nobody will even mention it to the IS team.

-r.w.

From firewalls-owner Sat Feb 1 21:40:49 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA16550 for firewalls-outgoing; Sat, 1 Feb 1997 21:13:59 -0800 (PST)
Received: from mail.primary.net (mail.primary.net [205.242.92.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id VAA16492 for ; Sat, 1 Feb 1997 21:13:35 -0800 (PST)
Received: from desktop (pn7-ppp-106.primary.net [205.242.93.106]) by mail.primary.net (8.8.5/+primary) with SMTP id XAA09705 for ; Sat, 1 Feb 1997 23:16:19 -0600 (CST)
Message-ID: <32F421E1.2F0C@primary.net>
Date: Sat, 01 Feb 1997 23:10:57 -0600
From: "Paul A. Murphy"
X-Mailer: Mozilla 3.0 (Win95; U)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: NT Firewalls
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello!

My company is looking into firewalls to protect our network that is connected with a T-1. Our company is migrating to NT as a standard and I am concerned that the NT Firewalls are generally less secure than the UNIX firewalls and am looking for material to make my case that the firewall be UNIX.

I would appreciate any comments related to the UNIX vs NT debate.

Thanks

Paul Murphy
St. Louis

From firewalls-owner Sat Feb 1 21:55:27 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA19188 for firewalls-outgoing; Sat, 1 Feb 1997 21:39:00 -0800 (PST)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id VAA19135 for ; Sat, 1 Feb 1997 21:38:43 -0800 (PST)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id XAA23327; Sat, 1 Feb 1997 23:25:48 -0500
Date: Sat, 1 Feb 1997 23:25:43 -0500 (EST)
From: Rabid Wombat
To: Dave Cosio
cc: firewalls@GreatCircle.COM
Subject: Re: Dave at McGraw Hill
In-Reply-To: <32F22D67.4A41@tanis.cptech.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dave's not here, man. ;)

On Fri, 31 Jan 1997, Dave Cosio wrote:

> Dave,
>
> I had problem with my mail and lost your address.
> could you resend it.
>
> thanks
>
> -Dave Cosio
>

From firewalls-owner Sat Feb 1 22:08:04 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA16933 for firewalls-outgoing; Sat, 1 Feb 1997 21:19:26 -0800 (PST)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id VAA16902 for ; Sat, 1 Feb 1997 21:19:13 -0800 (PST)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id XAA23271; Sat, 1 Feb 1997 23:06:19 -0500
Date: Sat, 1 Feb 1997 23:06:14 -0500 (EST)
From: Rabid Wombat
To: Laura_Bohde@prenhall.com
cc: "'firewalls@GreatCircle.COM'" , "Starkweather; Mike"
Subject: Re: Highly available Internet connection
In-Reply-To: <2F023040.@prenhall.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Not very resistant to back-hoe fade ...
On Wed, 29 Jan 1997 Laura_Bohde@prenhall.com wrote:

>
> We have two routers connected to the Internet configured
> identically, as well as two hubs, two firewalls, and two
> hubs on the other side. Then we installed Black Box
> power on/off switches (one on each router, and one on
> each hub at the other end). This way we can leave one
> network up and the other powered off. If any device in
> the "primary" network fails, with a simple phone call
> (our help desk can even do this), one network can be
> powered off and the other powered up. (this way all
> equipment can actually have the same IP addresses too.)
>
> Hope this helps -
>
> Laura
>

From firewalls-owner Sat Feb 1 23:13:32 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA27794 for firewalls-outgoing; Sat, 1 Feb 1997 22:58:15 -0800 (PST)
Received: from xyzzy.plugh.edmonton.ab.ca (xyzzy.plugh.edmonton.ab.ca [198.161.22.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id WAA27787 for ; Sat, 1 Feb 1997 22:58:04 -0800 (PST)
Received: (from uucp@localhost) by xyzzy.plugh.edmonton.ab.ca (8.6.12/8.6.9) id XAA21095; Sat, 1 Feb 1997 23:56:29 -0700
Received: from snouts-gw.obtuse.com(192.168.30.61), claiming to be "snouts.obtuse.com" via SMTP by mailhost.plugh.edmonton.ab.ca, id smtpd21092aaa; Sat Feb 1 23:56:21 1997
Received: (from beck@localhost) by snouts.obtuse.com (8.7.5/8.7.3) id XAA01520; Sat, 1 Feb 1997 23:56:17 -0700
From: Bob Beck
Message-Id: <199702020656.XAA01520@snouts.obtuse.com>
Subject: Re: [NTSEC] ActiveX, MSIE and Quicken
To: Russ.Cooper@RC.on.ca (Russ)
Date: Sat, 1 Feb 1997 23:56:15 -0700 (MST)
Cc: adam@homeport.org, lists@reflections.mindspring.com, firewalls@GreatCircle.COM
In-Reply-To: <41FDA823FC5AD011A0970000E8D5C667029390@mail.rc.on.ca> from "Russ" at Feb 1, 97 11:40:48 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> To try and keep this on a Firewalls vein. The tunneling of anything over
> HTTP is, in my opinion, the crappy technology. That goes for Java
> applets or certificate authentication for that matter. I don't like the
> idea of combining diverse tasks within a single channel if its possible
> to avoid it, and it is possible, so the only reason its not being done
> is to USURP FIREWALLS.

Perhaps if you're using only a packet filter yes, but hopefully on a real firewall you're proxying your http, and there's nothing at all to "USURP". You recognize it, and deal with it in the proxy.

Notwithstanding that, doing embedded "stuff" like this is normal, and doing evil with it is a lot older than http:

----------------------
oldvax%mail bigluser@sucker.org
Subject: Hey Dude, Try this neat new script out..

#!/bin/sh
[ insert hack here - trojan .login to mail me their password next time]
[ etc. etc. ]

From firewalls-owner Sun Feb 2 00:55:26 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA04631 for firewalls-outgoing; Sun, 2 Feb 1997 00:37:17 -0800 (PST)
Received: from hamlin.cc.boun.edu.tr (hamlin.cc.boun.edu.tr [193.140.192.9]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id AAA04613 for ; Sun, 2 Feb 1997 00:36:59 -0800 (PST)
Received: from ReAlbi.cc.boun.edu.tr by hamlin.cc.boun.edu.tr (AIX 4.1/UCB 5.64/4.03) id AA61498; Sun, 2 Feb 1997 10:31:15 +0300
Message-Id: <32F4513E.3BA1440E@boun.edu.tr>
Date: Sun, 02 Feb 1997 10:33:02 +0200
From: Can Baysal
Organization: BUCC
X-Mailer: Mozilla 3.01Gold (X11; I; Linux 1.3.20 i586)
Mime-Version: 1.0
To: "'Firewalls@GreatCircle.COM'"
Subject: Re: SATAN user group?
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ferrell-1, Ema wrote:
>
> Hi all,
> .....................
> P.S.
For those who don't know SATAN stands for Security Administrator's > Tool for Analyzing Networks. Hey, thanks for the information, I was trying to find out why they do not call that as SANTA. I wonder, what they do if Venema and Farmer heard this. Maybe they will write something like repent. > > Thanks in advance, > > Ema Ferrell > Subsystems Engineering Branch > Shuttle Data Center/DE-CLC-A > 407-861-7275 (phone #) > 407-861-7470 (fax #) From firewalls-owner Sun Feb 2 02:41:18 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA07905 for firewalls-outgoing; Sun, 2 Feb 1997 01:46:12 -0800 (PST) Received: from polaris.pacificnet.net (polaris.pacificnet.net [207.171.0.250]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id BAA07889 for ; Sun, 2 Feb 1997 01:45:54 -0800 (PST) From: osiris@pacificnet.net Received: from lwash (pm3a-16.pacificnet.net [207.171.18.17]) by polaris.pacificnet.net (8.6.11/8.6.11) with SMTP id BAA25173; Sun, 2 Feb 1997 01:43:38 -0800 Message-ID: <32F462D3.38E3@pacificnet.net> Date: Sun, 02 Feb 1997 01:48:03 -0800 Organization: - X-Mailer: Mozilla 3.01Gold (Win95; I) MIME-Version: 1.0 To: Can Baysal CC: "'Firewalls@GreatCircle.COM'" Subject: Re: SATAN user group? References: <32F4513E.3BA1440E@boun.edu.tr> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Can Baysal wrote: > > Ferrell-1, Ema wrote: > > > > Hi all, > > > ..................... > > P.S. For those who don't know SATAN stands for Security Administrator's > > Tool for Analyzing Networks. > > Hey, thanks for the information, I was trying to find out why they do > not call that as SANTA. I wonder, what they do if Venema and Farmer > heard this. Maybe they will write something like repent. You are either joking or have landed on the most unlikely coincidence! 
Contained within the SATAN distribution is a script called "repent" that will change all references of "SATAN" to "SANTA." In any event.. Has anyone on this list tried "Merlin?" I am wondering whether anyone has attempted to make a siilar interface to manage firewall admnistration and auditing. (Merln is a tool from CIAC. It integrates Tripwire, COPS, TIGER, Crack and reportedly, SPI, which is unavailable to us regular folk. The interface is exclusively PERL/HTML for use in X.) From firewalls-owner Sun Feb 2 03:04:29 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA09423 for firewalls-outgoing; Sun, 2 Feb 1997 02:14:27 -0800 (PST) Received: from hamlin.cc.boun.edu.tr (hamlin.cc.boun.edu.tr [193.140.192.9]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id CAA09415 for ; Sun, 2 Feb 1997 02:14:00 -0800 (PST) Received: from ReAlbi.cc.boun.edu.tr by hamlin.cc.boun.edu.tr (AIX 4.1/UCB 5.64/4.03) id AA28350; Sun, 2 Feb 1997 12:07:50 +0300 Message-Id: <32F467E1.7E1C0F55@boun.edu.tr> Date: Sun, 02 Feb 1997 12:09:37 +0200 From: Can Baysal Organization: BUCC X-Mailer: Mozilla 3.01Gold (X11; I; Linux 1.3.20 i586) Mime-Version: 1.0 To: "'Firewalls@GreatCircle.COM'" Subject: Re: SATAN user group? References: <32F4513E.3BA1440E@boun.edu.tr> <32F462D3.38E3@pacificnet.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk osiris@pacificnet.net wrote: > > > Hey, thanks for the information, I was trying to find out why they do > > not call that as SANTA. I wonder, what they do if Venema and Farmer > > heard this. Maybe they will write something like repent. > > You are either joking or have landed on the most unlikely coincidence! :) > Contained within the SATAN distribution is a script called "repent" that > will change all references of "SATAN" to "SANTA." In any event.. > > Has anyone on this list tried "Merlin?" 
I am wondering whether anyone > has attempted to make a siilar interface to manage firewall > admnistration and auditing. (Merln is a tool from CIAC. It integrates > Tripwire, COPS, TIGER, Crack and reportedly, SPI, which is unavailable You know it is the way of our days, you can reach parts but not the whole. > to us regular folk. The interface is exclusively PERL/HTML for use in > X.) From firewalls-owner Sun Feb 2 04:55:28 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA16076 for firewalls-outgoing; Sun, 2 Feb 1997 04:43:16 -0800 (PST) Received: from gargoyle.clark.net (pa1dsp11.dcwt.infi.net [208.136.65.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id EAA16068 for ; Sun, 2 Feb 1997 04:42:52 -0800 (PST) Received: (qmail 21874 invoked by uid 500); 2 Feb 1997 12:42:42 -0000 Date: Sun, 2 Feb 1997 07:42:42 -0500 (EST) From: "Paul D. Robertson" X-Sender: proberts@gargoyle To: Russ cc: Adam Shostack , "'Todd Graham Lewis'" , firewalls@GreatCircle.COM Subject: RE: [NTSEC] ActiveX, MSIE and Quicken In-Reply-To: <41FDA823FC5AD011A0970000E8D5C667029390@mail.rc.on.ca> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sat, 1 Feb 1997, Russ wrote: > To try and keep this on a Firewalls vein. The tunneling of anything over > HTTP is, in my opinion, the crappy technology. That goes for Java > applets or certificate authentication for that matter. I don't like the > idea of combining diverse tasks within a single channel if its possible > to avoid it, and it is possible, so the only reason its not being done > is to USURP FIREWALLS. Right, this is my whole problem with SSL. SHTTP was better, though I'd prefer that the firewall be able to man-in-the-middle the crypto stuff in either case, so as to pass it through an application layer gateway. 
> administrator to really know what's happening where, and the sandbox > can't be trusted enough to say you don't need to care what a Java applet > it doing, IMO. This is an issue with the implementation of the JVM though, which is certainly a better thing that straight object code. It's more a 'lesser of two evils' situation. I *could* see the JVM actually evolving into a trusted environment, or more properly, into a well-bounded untrusted one. I can't see OLE ever doing the same, so I'd rather try to back the horse that I'd like to see win. > So neither technology are THE answer. Both technologies are > demonstrations of future technology which will become AN answer. Whether > either survive, or some hybrid or completely different technology > emerges as THE answer is still to be seen. Which makes this the right time to be pressing for improvements in both, which blocking by enough people will get addressed. Certainly, the fact that ActiveX was holding us back from authorizing IE as an approved browser got at least a preliminary answer from MS. It's too bad they won't follow up on specific implementation deficiencies as quickly. > Windows 95 and NT 4.0 both implement a model that make that easy and > somewhat hidden (a shortcut accessed across a network share could easily > install itself without any notification whatsoever). This is true, and I think a number of companies are falling back to the old military compartmentalization model, I know we certainly are. The first order of business is to tighten down the interaction between the 'internal to the company' and the 'external to the company' zones, then the internal ones get the next set of restrictions. > what's needed now is more emphasis on the environments security. Windows > NT 4.0 represents, somewhat, the environment that all OLE-based > platforms have to become. An environment where distributed computing is > possible, but can also be implemented securely. 
But this discussion > digresses into issues that shouldn't be debated here. NT 4.0 is a start, but it certainly isn't the culmination of that evolution. > Bottom line is that with so little interest by Firewall administrators > in desktop security, their minds concreted in the idea that everything > is going to be controlled at the company gates by the GateKeeper, its > obvious that the Tunnellers will win and the GateKeepers will lose. With > that goes the legacy systems that put bottlenecks on technology and > innovation in favour of time-tested and proven security models. Fine, > it'll work great for lots of implementations, but while those walls > crumble and the GateKeeper continues to be assailed from his/her own > charges, at some point the realization will hit them that desktop > security and an integrated administration/security platform is the only > model that can move forward with the technology. The only way you can be proactive with desktop security is to control what runs on the desktop. That's why it's important to get the developers listening now, and not to accept blind tunneling. > is force the vendors to deliver the products that could do this. This > doesn't translate to a call for NT Firewalls (although light 'em if you > have 'em). It certainly *shouldn't* translate to a call for NT firewalls, that's too much like in-band control of the phone switch. > But if you think you can say that ActiveX is bad so take it way, you'll > have to tell them to take away all your MS desktops as well. I'm sure > many of you have been saying that for a while now, but the facts are in > front of the majority of you and can be seen just by looking around your > office. $300 NCs would make that a viable alternative. Too bad that's not a fiscal reality. The fact is that most desktop users in a corporate environment don't *need* OLE, or most of the other bloat that comes with a desktop OS. Most of them don't *need* the Internet either. 
But I'm still not at a point where I'm ready to pack up my toys and go home. With the right JVM, or with a JVM on the right hardware, Java can be well-bounded enough to be trustworthy. There's a couple of years worth of work there, but it is possible. I just don't see how you can do it, even with twice as long with OLE. Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts@clark.net which may have no basis whatsoever in fact." PSB#9280 From firewalls-owner Sun Feb 2 07:28:20 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA20065 for firewalls-outgoing; Sun, 2 Feb 1997 07:10:38 -0800 (PST) Received: from internic.uob.bh ([193.188.12.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA20012 for ; Sun, 2 Feb 1997 07:10:15 -0800 (PST) Received: from netmgr.uob.bh ([193.188.12.65]) by internic.uob.bh (Netscape Mail Server v2.0) with SMTP id AAA7058 for ; Sat, 1 Feb 1997 08:45:59 +0300 Message-ID: <32F2D77E.6B7C@admin.uob.bh> Date: Sat, 01 Feb 1997 08:41:18 +0300 From: "Hisham Abdullatif Al-Rumaihi" Reply-To: rumaihi@admin.uob.bh Organization: University of Bahrain X-Mailer: Mozilla 3.0 (Win95; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: DHCP Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, We are using DHCP server runing on windows NT 4.0, is it possible to view/print the DHCP database?. Can you suggust any mailing list that is relatd to (networks). Thank you. 
From firewalls-owner Sun Feb 2 11:25:37 1997
Message-ID: <32F4E5E9.1504@tidalwave.net>
Date: Sun, 02 Feb 1997 14:07:21 -0500
From: Chris Pressley
Reply-To: chrisp@sitescape.com
To: firewalls-digest@greatcircle.com
Subject: Optimal Throughput for NAT

NAT is a small part of my overall security plan. I'm looking for the
best way to implement NAT, primarily from a cost and performance
standpoint. Currently, I know of three ways to do NAT:

1) Install and configure a firewall
2) Dedicate a host, using software such as IPRoute
   (http://www.mischler.com/iproute/)
3) Configure a router (e.g. Cisco with IOS 11.2 and "IP Options")

I'm looking for feedback on the following:

1) What is my best dollar/cost solution?
2) Are there other ways to implement NAT that I'm not aware of?

Thanks in advance for any feedback.

Chris

From firewalls-owner Sun Feb 2 11:45:29 1997
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9702021918.AA10062@sonic.nmti.com.nmti.com>
Subject: Re: [NTSEC] ActiveX, MSIE and Quicken
To: Russ.Cooper@RC.on.ca (Russ)
Date: Sun, 2 Feb 1997 13:18:17 -0600 (CST)
Cc: firewalls@GreatCircle.com
In-Reply-To: <41FDA823FC5AD011A0970000E8D5C667029390@mail.rc.on.ca> from "Russ" at Feb 1, 97 11:40:48 pm

> Since Windows HAS BECOME an ActiveX environment, from top to bottom,
> what's needed now is more emphasis on the environment's security. Windows
> NT 4.0 represents, somewhat, the environment that all OLE-based
> platforms have to become. An environment where distributed computing is
> possible, but can also be implemented securely. But this discussion
> digresses into issues that shouldn't be debated here.

We've already had this discussion, Russ, so I'll just say that NT at this
time is nowhere *near* an environment where you could even *think* of
running untrusted applications. A Java sandbox, or a chrooted secured
sandbox on certain UNIX implementations, is getting there. The Safe Tcl
sandbox is closer.

I think that you could probably build an extremely useful sandbox using
the NT kernel as a start, though it wouldn't include the Win32
subsystem... or if it did that subsystem would be so crippled that it
wouldn't run any applications that currently exist out there. I've said
before that the underlying NT security model, while overly complex, has a
lot of potential... but it's never going to achieve that potential in
Microsoft's hands, and if you think otherwise you're fooling yourself.

The UNIX model is less fine-grained, but it's also a lot *simpler*, and
there are ways to shed the parts of a UNIX implementation that don't use
that model without breaking the UNIX API, because it's so much higher
level than the NT one. Just as it's possible to shed the dangerous parts
of Tcl without breaking the ability to do useful things in Tcl... simply
because it's such a high level and simple model.

> Bottom line is that with so little interest by Firewall administrators
> in desktop security, their minds concreted in the idea that everything
> is going to be controlled at the company gates by the GateKeeper,

That's because it's the only place we have any control. We can't control
the desktop, because our users have undeniable business reasons to
support the inherently insecure Windows API. So long as that's true, all
we can do is block the tunnelers. Because the Internet is not nearly as
important as the desktop, we can get away with telling people they
can't use this or that new internet toy.

> innovation in favour of time-tested and proven security models. Fine,
> it'll work great for lots of implementations, but while those walls
> crumble and the GateKeeper continues to be assailed from his/her own
> charges, at some point the realization will hit them that desktop
> security and an integrated administration/security platform is the only
> model that can move forward with the technology.

I would dearly like to see that, but I don't believe it will happen. The
desktop is firmly in the hands of a man who can spell security but has
no idea of what it means.

> But if you think you can say that ActiveX is bad so take it away, you'll
> have to tell them to take away all your MS desktops as well.

Love to, but that won't happen. That's like trying to fireproof your
office by banning paper.

> I'm sure
> many of you have been saying that for a while now, but the facts are in
> front of the majority of you and can be seen just by looking around your
> office.

Yep. And those facts say that the desktop will be completely unable to
provide any useful security for the foreseeable future.

From firewalls-owner Sun Feb 2 12:10:29 1997
From: Mike Shaver
Message-Id: <199702021952.OAA23121@neon.ingenia.ca>
Subject: Re: [NTSEC] ActiveX, MSIE and Quicken
In-Reply-To: from Todd Graham Lewis at "Jan 31, 97 09:42:57 am"
To: lists@reflections.mindspring.com (Todd Graham Lewis)
Date: Sun, 2 Feb 1997 14:52:29 -0500 (EST)
Cc: firewalls@greatcircle.com

Thus spake Todd Graham Lewis:
> On Fri, 31 Jan 1997, Russ wrote:
>
> > So yes, plug it up today, that's what I recommend anyway, but what we
> > really need are new/improved desktop security products, not more filters
> > for Firewalls.
>
> Not to be contentious or anything, but what we _need_ are designers who
> put different technologies on different port numbers rather than cramming
> everything under the sun down port 80.

Pardon the arrogance, but what we _need_ are firewall
designers/implementors/administrators/advocates who have outgrown the
bogus `port = protocol' bit. Ports have meaning only for connection
management. The use of `well-known ports' is a convenience (snicker) at
best, designed to allow people to synchronize their /etc/services files
in lieu of a decent service-location directory or whatever.

Assuming that port 80 means HTTP is only marginally more clueful than
assuming that ports below 1024 are from root and so it's all Really OK
To Trust Them. (Similarly for assuming that HTTP means HTML and images.)
If you want to filter an application protocol, you need an
application-protocol-level filter.

> Geez, at age 21 I really am too young to get an ulcer.

Not by a fair shot, gramps. =)

Mike
--
#> Mike Shaver (shaver@ingenia.com)      Ingenia Communications Corporation
#> Welcome to the technocracy.
#>
#> "Nobody ever went broke underestimating the public's intelligence."
#>                                               - cbird@chat.carleton.ca

From firewalls-owner Sun Feb 2 15:38:00 1997
Date: Sun, 2 Feb 1997 14:17:57 -0800
From: mch@squirrel.com (Mark Henderson)
To: chrisp@sitescape.com
Cc: firewalls@GreatCircle.COM
Subject: Re: Optimal Throughput for NAT
References: <32F4E5E9.1504@tidalwave.net>
In-Reply-To: <32F4E5E9.1504@tidalwave.net>; from Chris Pressley on Feb 2, 1997 14:07:21 -0500

Chris Pressley writes:
> NAT is a small part of my overall security plan. I'm looking for the
> best way to implement NAT, primarily from a cost and performance
> standpoint. Currently, I know of three ways to do NAT:
> 1) Install and configure a firewall
> 2) Dedicate a host, using software such as IPRoute
>    (http://www.mischler.com/iproute/)
> 3) Configure a router (e.g. Cisco with IOS 11.2 and "IP Options")
>
> I'm looking for feedback on the following:
> 1) What is my best dollar/cost solution?
> 2) Are there other ways to implement NAT that I'm not aware of?

I'm not going to attempt to answer the larger question, but you might
also take a look at IP filter.
It provides packet filtering, NAT functionality, and support for transparent proxies. It can also keep some connection state information. http://coombs.anu.edu.au/~avalon/ip-filter.html N.B. Although I like the feature set of this package, it is very much still a work in progress. If you aren't comfortable hacking a little C or generally playing around with your kernel, you should probably stay away from this. --BcSYHtfZcVUIIZwe Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: 2.6.3a iQCVAwUBMvUSi6WYCYyyZn7/AQE5igP/WF7pCucj7LBONTbYQ7y6ZASEV2qLQ4qC Y+Hm/dVWpuwG258kIFen5WnJqEGiluoGicl3crF4cL0tr/AEQHSoSABDuZfuw9Y1 RPhWdljpOmDn2FaxjWr3CSVPEG1BQxAVhGvEj+RSq1pu10JWoGK13C1vbt7gNwqo yGw18AuW584= =m8cD -----END PGP SIGNATURE----- --BcSYHtfZcVUIIZwe-- From firewalls-owner Sun Feb 2 15:39:53 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA10394 for firewalls-outgoing; Sun, 2 Feb 1997 14:00:44 -0800 (PST) Received: from xyzzy.plugh.edmonton.ab.ca (xyzzy.plugh.edmonton.ab.ca [198.161.22.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA10330 for ; Sun, 2 Feb 1997 14:00:22 -0800 (PST) Received: (from uucp@localhost) by xyzzy.plugh.edmonton.ab.ca (8.6.12/8.6.9) id OAA23227; Sun, 2 Feb 1997 14:59:07 -0700 Received: from snouts-gw.obtuse.com(192.168.30.61), claiming to be "snouts.obtuse.com" via SMTP by mailhost.plugh.edmonton.ab.ca, id smtpd23225aaa; Sun Feb 2 14:58:56 1997 Received: (from beck@localhost) by snouts.obtuse.com (8.7.5/8.7.3) id OAA02338; Sun, 2 Feb 1997 14:58:54 -0700 From: Bob Beck Message-Id: <199702022158.OAA02338@snouts.obtuse.com> Subject: Re: [NTSEC] ActiveX, MSIE and Quicken To: peter@baileynm.com (Peter da Silva) Date: Sun, 2 Feb 1997 14:58:52 -0700 (MST) Cc: Russ.Cooper@RC.on.ca, firewalls@GreatCircle.COM In-Reply-To: <9702021918.AA10062@sonic.nmti.com.nmti.com> from "Peter da Silva" at Feb 2, 97 01:18:17 pm X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 
Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Banning ActiveX at the firewall is hardly taking away the MS desktops. It's still viable inside the firewall as long as you're talking about a relatively trusted environment. If you aren't talking about a relatively trusted environment inside you probably shouldn't be running an MS desktop anyway. > > But if you think you can say that ActiveX is bad so take it way, you'll > > have to tell them to take away all your MS desktops as well. > > Love to, but that won't happen. That's like trying to fireproof your > office by banning paper. > Not all that inconcievable. There are perfectly viable alternatives to an MS desktop for anyone who feels like using them. It's also possible to put them on another net by themselves with a seperate firewall and security policy. You can even run them fairly open, with the security policy that sensitive stuff doesn't go on the open net. I.E. network A is the low security network where the users are allowed to sysadmin their own desktops. Network B is the high security network where that isn't allowed, and the permitted OS's are mandated. Network B doesn't trust network A any more than it trusts the internet. Not foolproof in the slightest, but draws a better boundary for the users as to what is important. > > I'm sure > > many of you have been saying that for a while now, but the facts are in > > front of the majority of you and can be seen just by looking around your > > office. > > Yep. And those facts say that the desktop will be completely unable to > provide any useful security for the forseeable future. > Microsoft's desktop will always be completely unable to provide any useful security for the exact same reasons as we've seen for years and years with Sendmail. It's big, bloated and constantly afflicted with creeping featuritism. 
It's not *designed* to provide useful security, it's designed to work well as a desktop environment that can sell. period, Just as Sendmail is a MTA first and security somewhere not first. (This isn't always a bad thing if your first and formost requirement is a powerful MTA) Security can be addressed for 99% of it's users by a few glossies with the words "Hacker" "Internet" and "C2" jumbled in the the rest of the marketing hype, since the odds are they'll never get seriously hit even if they ran a fully unsecured box. -Bob -- Bob Beck Obtuse Systems Corporation beck@obtuse.com http://www.obtuse.com/ True Evil hides its real intentions in its street address. Search and you shall find it, and the truth shall set you free. From firewalls-owner Sun Feb 2 16:28:33 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA08292 for firewalls-outgoing; Sun, 2 Feb 1997 13:31:34 -0800 (PST) Received: from smtp1.erols.com (smtp1.erols.com [205.252.116.101]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA08238 for ; Sun, 2 Feb 1997 13:31:07 -0800 (PST) Received: from chris ([208.199.94.119]) by smtp1.erols.com (8.8.5/8.8.5) with SMTP id QAA17222 for ; Sun, 2 Feb 1997 16:30:42 -0500 Message-ID: <32F4FE72.7344@tidalwave.net> Date: Sun, 02 Feb 1997 15:52:02 -0500 From: Chris Pressley Reply-To: chrisp@sitescape.com X-Mailer: Mozilla 3.0 (Win95; U) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: Optimal Throughput for NAT Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk NAT is a small part of my overall security plan. I'm looking for the best way to implement NAT, primarily from a cost and performance standpoint. Currently, I know of three ways to do NAT: 1) Install and configure a firewall 2) Dedicate a host, using software such as IPRoute (http://www.mischler.com/iproute/) 3) Configure a router (e.g. 
Cisco with IOS 11.2 and "IP Options") I'm looking for feedback on the following: 1) What is my best dollar/cost solution? 2) Are there other ways to implement NAT that I'm not aware of? Thanks in advance for any feedback. Chris From firewalls-owner Sun Feb 2 16:46:45 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA19969 for firewalls-outgoing; Sun, 2 Feb 1997 15:55:03 -0800 (PST) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id PAA19959 for firewalls@greatcircle.com; Sun, 2 Feb 1997 15:54:58 -0800 (PST) Received: from news.rc.on.ca ([207.176.151.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA14337 for ; Sat, 1 Feb 1997 13:38:02 -0800 (PST) Received: by mail.rc.on.ca with Internet Mail Service (5.0.1389.3) id <01BC105E.11DA9840@mail.rc.on.ca>; Sat, 1 Feb 1997 16:36:27 -0500 Message-ID: <41FDA823FC5AD011A0970000E8D5C667029384@mail.rc.on.ca> From: Russ To: "'Firewalls Mailing List'" Subject: NTBugTraq now available Date: Sat, 1 Feb 1997 16:36:26 -0500 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1389.3) Content-Type: text/plain; charset="iso-8859-1" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Windows NT BugTraq Mailing List In the tradition of Aleph One's BugTraq mailing list, this list has been created to invite the free and open discussion of Windows NT Security Exploits/Bugs or *SEBs* as I call them. This list is not intended to be a forum to discuss "how to" issues, but instead should be used to report reproducible SEBs which you have personally encountered with Windows NT or its related BackOffice products. Q:What is a SEB? A:Anything that can be done to a Windows NT installation via a remote connection (network or RAS) or through the local installation of commercial software which causes Windows NT to react in anything but an expected fashion. 
So telnet to TCP port 135 and typing 15 characters thereby causing the Windows NT CPU to go to 100% utilization would be an acceptable topic. Sitting at a console logged in as Administrator and removing the Administrator's file permissions on the %systemroot%\system32 would not be considered an acceptable topic. Do's: - Discuss SEB resolution or workaround. - Discuss SEBs in third-party Windows NT products, providing that the product is designed for BackOffice. - Discuss Macintosh, Netware, or Samba/Unix-related SEBs assuming that the SEB is related to Windows NT involvement. Don'ts: - Discuss Windows '95, unless, and only if, the Windows NT SEB can only be reproduced with a Windows '95 client. - Discuss Windows for Workgroups or Windows 3.x, for any reason. - Discuss products to enhance security, unless they have been proven to resolve an outstanding SEB. - Discuss Unix SEBs, these should be addressed to BUGTRAQ@NETSPACE.ORG (subscribe through LISTSERV@NETSPACE.ORG) - Discuss general Windows NT Security, how to, what to, why to, type questions. The NTSecurity@ISS.net list (subscribe through MAJORDOMO@ISS.NET) would be a better forum to discuss these issues. Vendor involvement in the list is not discouraged, but I would ask that you not use this forum as a method of advertising the value of your products. If a SEB shows a weakness in Windows NT design, and your product can resolve that weakness, a short note indicating TECHNICALLY how your product addresses the issue would be consider appropriate. If you don't address the issue in a technical fashion your subscription will be revoked. Now after reading all of this you'll probably wonder why I'm being so restrictive. For one, I want to keep the volume low, as low as possible. I want to keep the content as pertinent as I possibly can so that the list becomes a useful tool for everyone using Windows NT. 
If the list can remain on topic, people will post SEBs here first, and we will all have an opportunity to address the issues in a way best suited to our environments. I would also make a couple of recommendations to you prior to you posting a security exploit/bug. 1. Don't post SEBs unless you have been able to reproduce it. If the subscriber base grows as I expect it will, posting such messages may cause many people to waste valuable time trying to reproduce something which is not there. 2. When posting a SEB, make sure you include enough relevant information about your configuration to make it possible to reproduce your scenario. Versions of the relevant software, service pack levels of your system, platform, and any configuration information which might affect the issue. By doing this you will prevent a lot of messages asking you the basic questions and make resolution or workaround that much quicker. 3. When posting a resolution or workaround, if you have received a Microsoft Knowledgebase Article number (a Q#####), please post it with your message so everyone can read it if they want. 4. Remember your Non-Disclosure Agreements. Issues pertaining to products covered under NDA should not be discussed here, use the appropriate Microsoft Newsgroup for these issues. Typically, once a product has been released to public beta testing your NDA changes to one limiting you from discussing performance characteristics of the product. Please check with your Microsoft representative or Beta Administration if you are at all unsure of your NDA status prior to posting. This list operates on a confirmation basis. Your subscription, and every message you post to this list will generate a confirmation message from LISTSERV@RC.ON.CA. This is there for your protection to ensure that subscription requests really are from the actual individual email address. It is also there to let you think about your message prior to it being posted. This is not a configurable option. 
I hope that the list proves useful to you and your organization. With the Review option turned off, I hope that it will attract individuals in organizations who have the ability to address the issues which get raised on this list. I know from personal experience that having to pay Microsoft US$195 in order to report a bug (despite the fact you get a refund 3 or 4 days later) can often mean the difference between reporting a bug and not. This list should provide an alternative to that process, and at the same time, should allow the rest of the Windows NT community the opportunity both to take up the issue with their own Microsoft representatives, and protect themselves from the possible exploits which a SEB might expose them to. The objective is to get SEB resolution done faster, better, and with less risk to the Windows NT customer than currently exists.

To subscribe to this Listserv, send a message to Listserv@rc.on.ca with

    SUB NTBUGTRAQ Your Name

    SUB NTBUGTRAQ Russ Cooper      (for example)

Cheers,
Russ

R.C. Consulting, Inc.
- NT/Internet Security Consulting

From firewalls-owner Sun Feb 2 16:52:31 1997
Message-ID: <32F505D4.369C@osu.edu>
Date: Sun, 02 Feb 1997 16:23:32 -0500
From: Andrew Smith
Reply-To: smith.1431@osu.edu
To: Firewalls@GreatCircle.COM
Subject: (no subject)

Please remove my name from the list.

From firewalls-owner Sun Feb 2 17:20:30 1997
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9702030035.AA16657@sonic.nmti.com.nmti.com>
Subject: Re: [NTSEC] ActiveX, MSIE and Quicken
To: beck@obtuse.com (Bob Beck)
Date: Sun, 2 Feb 1997 18:35:37 -0600 (CST)
Cc: peter@baileynm.com, Russ.Cooper@RC.on.ca, firewalls@GreatCircle.COM
In-Reply-To: <199702022158.OAA02338@snouts.obtuse.com> from "Bob Beck" at Feb 2, 97 02:58:52 pm

> Banning ActiveX at the firewall is hardly taking away the MS
> desktops. It's still viable inside the firewall as long as you're
> talking about a relatively trusted environment. If you aren't talking
> about a relatively trusted environment inside you probably shouldn't
> be running an MS desktop anyway.

Oh, definitely. Russ's comment about it not being the whole OLE environment but rather the web-enabled part of it being the problem is right on. The terminology war, however, is lost... the phrase "ActiveX" is going to be forever associated with applets, because that's the obvious technology difference between OLE and ActiveX.

> Not all that inconceivable. There are perfectly viable
> alternatives to an MS desktop for anyone who feels like using
> them.

Unfortunately, no. Not if you want to be able to effectively do business in America today. Microsoft's file formats are everywhere, and they work very hard at making sure that nothing but their products can use them effectively.

> Microsoft's desktop will always be completely unable to
> provide any useful security for the exact same reasons as we've seen
> for years and years with Sendmail.

It's worse than sendmail. Eric Allman isn't trying to make Sendmail do everything (there's no http and nntp in there, for example), and Eric *is* concerned about security. It's not at the top of the list, but at least it's *on* the list.
From firewalls-owner Sun Feb 2 17:36:44 1997
Date: Sun, 2 Feb 1997 16:06:47 -0500
Message-Id: <199702022106.QAA12393@goffette.research.megasoft.com>
From: C Matthew Curtin
To: harley@icrf.icnet.uk
Cc: firewalls@GreatCircle.COM
Subject: What is a virus? (was: RE: [NTSEC] ActiveX, MSIE and Quicken )
In-Reply-To: <199701312007.MAA12560@mycroft.GreatCircle.COM>
References: <199701312007.MAA12560@mycroft.GreatCircle.COM>

>>>>> "David" == harley writes:

David> Actually, none of these are defining characteristics
David> of a virus. All a virus has to do to -be- a virus is
David> replicate.

Uh, not quite. A "virus" is so named because of its resemblance to its biological namesake: it attaches itself to something that's already there. A worm also replicates itself, but it does not attach itself to something that's already there: it is, itself, a standalone program.

The mainstream media has completely blurred the distinction between the two. Let's not allow "their" confusion to cause misunderstandings among "us," eh?

--
Matt Curtin
Chief Scientist
Megasoft, Inc.
cmcurtin@research.megasoft.com
http://www.research.megasoft.com/people/cmcurtin/
I speak only for myself
Hacker Security Firewall Crypto PGP Privacy Unix Perl Java Internet Intranet

From firewalls-owner Sun Feb 2 17:46:46 1997
Date: Fri, 31 Jan 1997 09:50:56 -0600
From: mdb@dosmanos.cwiz.com (Martin D. Baldenegro)
Message-Id: <199701311550.JAA18433@cwiz.com>
To: solid@mozcom.com
Subject: Re: Question on MAC Address
Cc: firewalls@greatcircle.com

Jet,

You did not state on what type of machine you are running this, nor did you state what OS. I do know that with Suns, and with SunOS and Solaris, all of the ethernet cards will have the same MAC address as the ethernet that is onboard. You can change the MAC address with the "ifconfig" command (ifconfig qe0 ether 0:0:20:75:a0:23) and specify a MAC address.

Regards,
/mdb

=======================
Martin D. Baldenegro  |
The Cwiz Group        |
email - mdb@cwiz.com  |
=======================

----- Begin Included Message -----

>From solid@mozcom.com Fri Jan 31 07:18:15 1997
Date: Fri, 31 Jan 1997 19:53:09 +0800
From: "Jet B.
Bagadion"
To: firewalls@greatcircle.com
Subject: Question on MAC Address

Hi,

I'm using Firewall-1 v2.0 and I'm using a SBus Quad ethernet controller. I noticed that when I use the command ifconfig -a, le0 and the ethernet ports of the Quad controller have the same ethernet MAC addresses. Should it really be like that? How will I know the right MAC address of the ethernet ports?

Thanks.
--
Jet B. Bagadion

----- End Included Message -----

From firewalls-owner Sun Feb 2 18:08:01 1997
Message-Id: <1.5.4.32.19970130222909.0030742c@mbagate2.mba.com>
Date: Thu, 30 Jan 1997 16:29:09 -0600
To: Firewalls@GreatCircle.COM
From: Cynthia He
Subject: HELP NEEDED: one time password with chroot ftp?

Hi, all,

I am trying to set up a chroot ftp area for our clients. We also have a requirement that users have to use one time passwords to login. I am using TIS fwtk.
What I have in netperm-table is something like this:

    netacl-ftpd: permit-hosts * -chroot /ftp/others/ -exec /usr/bin/ftpd -d

When a user tries to login, he gets the following error:

    530 Cannot connect to auth server
    ftp: Login failed.
    Remote system type is UNIX.

It seems that the chroot happens before the user gets authenticated and hence has no access to the authsrv database. Is there a way to get around this?

Thanks for any help.

Cynthia

From firewalls-owner Sun Feb 2 18:17:51 1997
From: Martin_Khoo/SIN/Lotus@lotus.com
To: chrisp@sitescape.com
Cc: firewalls@greatcircle.com
Message-Id: <48256433.00059512.00@mta2.lotus.com>
Date: Mon, 3 Feb 1997 09:14:29 +0900
Subject: Re: Optimal Throughput for NAT

Hi,

IMHO, NAT is an important component of any security plan. It may be a small or large part of the overall plan but it varies with the site's policy. The 3 possible implementations of NAT that you mentioned will all work for you, but I feel that from a cost benefit point of view, the use of a firewall would make more sense. The firewall does more than NAT and I believe you would need a firewall as part of your security infrastructure.
Having a dedicated box running a NAT application is kind of wasteful but then again you may have your reasons for doing so. Using the router to do NAT seems to make a lot of sense for some people but I feel that you should let the router do what is primarily its main function, i.e. providing routing. Well, many people may disagree with me on this but NO FLAMES PLEASE.

Cheers!
martin

chrisp@tidalwave.net on 02/03/97 03:07:21 AM
Please respond to chrisp@sitescape.com
To: firewalls-digest@GreatCircle.COM
cc: (bcc: Martin Khoo/SIN/Lotus)
Subject: Optimal Throughput for NAT

NAT is a small part of my overall security plan. I'm looking for the best way to implement NAT, primarily from a cost and performance standpoint. Currently, I know of three ways to do NAT:

1) Install and configure a firewall
2) Dedicate a host, using software such as IPRoute (http://www.mischler.com/iproute/)
3) Configure a router (e.g. Cisco with IOS 11.2 and "IP Options")

I'm looking for feedback on the following:

1) What is my best dollar/cost solution?
2) Are there other ways to implement NAT that I'm not aware of?

Thanks in advance for any feedback.
Chris

From firewalls-owner Sun Feb 2 18:20:08 1997
Date: Thu, 30 Jan 1997 21:00:35 +0100 (MET)
From: Kevin McPeake
To: firewalls
Subject: Re: checkpoint firewall-1 logs
In-Reply-To: <19970130140437038.AAA208@garyw.citelecom.net>

I don't know what the policy is on this list for people that continue to post msg's like this, but I sent him my copy of the sub-info doc that tells him how to unsub himself. If he continues to post like this...all I can say is he was told how now.

Kev

On Thu, 30 Jan 1997, Gary Williams wrote:

> immediately remove my name from your list!
>
> ----------
> > From: John Chen/New York/ACMC
> > To: firewalls
> > Subject: checkpoint firewall-1 logs
> > Date: Wednesday, January 29, 1997 10:41 AM
> >

BYELEX BV                    Kevin McPeake
Hulstkamp Gebouw             Internet Consultant
Maaskade 119                 kmpeake@byelex.nl
3071 NK Rotterdam            kevin@mcpeake.org
"Winner of the Lotus Euro Beacon Award '96"
http://www.byelex.nl/

I never give them hell. I just tell the truth and they think it's hell. - H.
Truman
From firewalls-owner Sun Feb 2 19:36:25 1997
From: harley@icrf.icnet.uk
Message-Id: <199702030305.TAA18557@miles.greatcircle.com>
Subject: Re: What is a virus? (long & off-topic)
To: cmcurtin@research.megasoft.com
Date: Mon, 3 Feb 1997 03:03:58 +0000 (GMT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199702022106.QAA12393@goffette.research.megasoft.com> from "C Matthew Curtin" at Feb 2, 97 04:06:47 pm

> David> Actually, none of these are defining characteristics
> David> of a virus. All a virus has to do to -be- a virus is
> David> replicate.
>
> Uh, not quite.

This discussion seems to be getting somewhat metaphysical and off-topic.
Perhaps follow-ups would be more appropriate via e-mail.

> A "virus" is so named because of its resemblance to its biological
> namesake: it attaches itself to something that's already there.

I have to quibble with this, at least in the absence of a definition of 'attach', since it appears to exclude some boot sector viruses (notably those which don't preserve a copy of the original boot sector), and viruses which -replace- an existing file rather than append, prepend, or overwrite -part- of the target file. An adequate definition of attach would also have to cover spawning viruses, and viruses which modify the FAT rather than the target file.

> A worm also replicates itself, but it does not attach itself to
> something that's already there: it is, itself, a standalone program.

That's a different debate. I'd probably accept your definition, personally, but the argument is not as cut and dried as you imply. Fred Cohen, for instance, has stated that a worm is a special case of a virus. ["A short course in computer viruses" - Wiley] Either way, I don't see its relevance to the original posting or my follow-up. I didn't state that replication was a defining characteristic -only- of viruses.

> The mainstream media has completely blurred the distinction between
> the two. Let's not allow "their" confusion to cause misunderstandings
> among "us," eh?

I didn't think anyone had mentioned worms up to now. My point was actually that the original post implied that the secondary characteristics of -some- viruses, e.g. covert operation, were primary characteristics, without mentioning replication at all. I think you'd find it difficult to find a competent virus specialist who was prepared to risk a definition of the term virus which didn't incorporate the concept of replication. I resent your implying that I derived my assertion from the mainstream media. What knowledge and opinions I may have are derived from much more rigorous sources.
B-)

I enclose the following extract from the alt.comp.virus FAQ not as support for my own stance (that would be inappropriate, since I wrote it, apart from the quotation from Fridrik Skulason), but because if you're going to attack my stance, you might as well know what it is. I haven't cut it, since part of it relates to the original post as well as the squelch to which I'm replying.

----------------------include-------------------------

(3) What is a virus (and what are Trojans and Worms)?
=====================================================

A (computer) virus is a program (a block of executable code) which attaches itself to, overwrites or otherwise replaces another program in order to reproduce itself without the knowledge of the PC user. Most viruses are comparatively harmless, and may be present for years with no noticeable effect: some, however, may cause random damage to data files (sometimes insidiously, over a long period) or attempt to destroy files and disks. Others cause unintended damage. Even benign viruses (apparently non-destructive viruses) cause significant damage by occupying disk space and/or main memory, by using up CPU processing time, and by the time and expense wasted in detecting and removing them.

A Trojan Horse is a program intended to perform some covert and usually malicious act which the victim did not expect or want. It differs from a destructive virus in that it doesn't reproduce (though this distinction is by no means universally accepted).

A dropper is a program which installs a virus or Trojan, often covertly.

A worm is a program which spreads (usually) over network connections. Unlike a virus, it does not attach itself to a host program. In practice, worms are not normally associated with personal computer systems.

There is an excellent and considerably longer definition in the Mk. 2 version of the Virus-L FAQ.
(The following is a slightly academic diversion)

A lot of bandwidth is spent on precise definitions of some of the terms above. I have Fridrik Skulason's permission to include the following definition of a virus, which I like because it demonstrates most of the relevant issues.

"
#1 A virus is a program that is able to replicate - that is, create (possibly modified) copies of itself.
#2 The replication is intentional, not just a side-effect.
#3 At least some of the replicants are also viruses, by this definition.
#4 A virus has to attach itself to a host, in the sense that execution of the host implies execution of the virus.
--
#1 is the main definition, which distinguishes between viruses and Trojans and other non-replicating malware.
#2 is necessary to exclude for example a disk-copying program copying a disk, which contains a copy of itself.
#3 is necessary to exclude "intended" not-quite-viruses.
#4 is necessary to exclude "worms", but at the same time it has to be broad enough to include companion viruses and .DOC viruses.
"

---------------------------outclude-------------------------------------

--
David Harley                       \ | /    alt.comp.virus FAQ
D.Harley@icrf.icnet.uk              \ | /    & Anti-Virus Web Page
Support & Security Analyst           \ | /    Folk London On-Line gig-list
Imperial Cancer Research Fund    ____\|/____  http://webworlds.co.uk/dharley/

From firewalls-owner Sun Feb 2 19:40:40 1997
Message-Id: <199702030332.TAA20590@miles.greatcircle.com>
From: "Jamie Thain"
To: "Paul A.
Murphy" ,
Subject: Re: NT Firewalls
Date: Sun, 2 Feb 1997 23:35:04 -0500

Paul,

This NT vs UNIX firewall issue has been debated several times on this list. I would suggest that both OS's are able to be secure, and that local experience in making one or the other secure would help.

I would also suggest that you not consider a firewall a single machine, but a configuration of several machines to defend against security threats to your computing environment. In the latter statement I would suggest that you have at least two different OS types and two different Firewall vendor protections. For example:

    Firewall/Plus          DMZ           Firewall-1
         NT --- Proxy stuff ---- UNIX --- Internal LAN.

Likewise the security policy you are trying to implement will have a vast effect on the firewall configuration that you choose.

regards: jamie

----------
> From: Paul A. Murphy
> To: firewalls@GreatCircle.COM
> Subject: NT Firewalls
> Date: Sunday, February 02, 1997 12:10 AM
>
> Hello!
>
> My company is looking into firewalls to protect our network that is
> connected with a T-1.
>
> Our company is migrating to NT as a standard and I am concerned that the
> NT Firewalls are generally less secure than the UNIX firewalls and am
> looking for material to make my case that the firewall be UNIX.
>
> I would appreciate any comments related to the UNIX vs NT debate.
>
> Thanks
>
> Paul Murphy
> St.
Louis

From firewalls-owner Sun Feb 2 23:25:38 1997
Date: Sun, 2 Feb 1997 23:09:38 -0800
From: mch@squirrel.com (Mark Henderson)
To: jonesmd@unifiedtech.com (Mike Jones)
Cc: firewalls@GreatCircle.COM, solid@mozcom.com
Subject: Re: Question on MAC Address
References: <199701311328.IAA06926@bass.unifiedtech.com>
In-Reply-To: <199701311328.IAA06926@bass.unifiedtech.com>; from Mike Jones on Jan 31, 1997 08:28:09 -0500

Mike Jones writes:
> Yes, it should be like that. It's just the way Suns work. They change
> the MAC address of all Ethernet interfaces to be the same as the
> "primary" interface (typically le0). It's OK, because MAC addresses only
> really have to be unique on a per-segment basis for things to work, and
> it keeps a 1-to-1 relationship between machines and MAC addresses.
>
> Mike Jones
> Sr. Network Computing Advisor
> UNIFIED Technologies

On most modern Sun workstations and servers that MAC address is stored in NVRAM (SGS-Thomson M48T02, M48T08, M48T59Y depending upon the model of Sun). This is the same NVRAM that stores things like boot device, nvramrc, input-device, etc. - although the methods for modifying this ethernet address in NVRAM are not documented, at least by Sun ;-) The SS1000 and SC2000 are different in that the MAC address is stored in a flash eeprom.
In any case, this MAC address in NVRAM is the default MAC address for all ethernet and fast ethernet interfaces. You can override this default for any particular interface with ifconfig. Typically this is only an issue when one wants to put two interfaces on the same segment.

From firewalls-owner Mon Feb 3 01:55:50 1997
To: firewalls@GreatCircle.COM
From: "david.d.b.bolger@ .x400.entropy.ie"@entropy.entropy.ie
Newsgroups: mail.firewalls
Subject: None
Date: 3 Feb 1997 01:38:54 -0800
Message-ID: <5d4bne$8mf@cichlid.cichlid.com>
Xdeliver: SENDER fw-1-mailinglist-owner@us.checkpoint.com
Date: 03 Feb 97 09:30:20 +0000
Subject: RE(2): [FW1] FW logswitch on Windows NT
To: owner-fw-1-mailinglist@us.checkpoint.com
To: ToddK@competitive.com
CC: fw-1-mailinglist@us.checkpoint.com
In-Reply-To: <0131084029-Re: FW1 FW logswitch on Windows NT * @MHS>
Sender: owner-fw-1-mailinglist@us.checkpoint.com

If you disable IP forwarding in NT, then if you wish to use it as a firewall, the packets destined for the other side will not even try to get to the firewall level. You need to have IP forwarding on, and then let FW-1 control it or not.

===============================
David Bolger - Technical Engineer
Entropy Ltd.
Unit 25 Sandyford Office Park
Dublin 18
Ireland
Tel: ++353-1-2940199
Fax: ++353-1-2940121
email: David.Bolger@entropy.ie
===============================

---- owner-fw-1-mailinglist(a)us.checkpoint.com's Message ----

> The default for Firewall-1 is to 'control IP forwarding' which means
> that although the NT IP forwarding is enabled packets WILL NOT be
> forwarded unless Firewall-1 permits. I believe this is true even when
> the Firewall-1 service is stopped due to the device driver changes to
> the IP stack made by Checkpoint.
>
> Can anyone confirm this last point for me?
>
> The last point is true.
However, it is better to disable the IP forwarding capability of NT (I'm quite dark in NT) so that the host would not be able to forward IP even when FW-1 was unloaded from the system.

Nobuhiko Yoshimoto
Nihon Keizai Shimbun Inc.
yoshi@nikkei.co.jp
phone: 813-5690-0256
fax: 813-5690-0250

From firewalls-owner Mon Feb 3 02:11:08 1997
From: Arjo Mukherjee 4663
To: Firewalls@GreatCircle.COM
Date: Mon, 3 Feb 97 10:53:35 +0100
Subject: NT port numbers needed

Hi,

Does anyone know what the relevant IP port numbers for NT are? I read somewhere that NT uses ports 512/tcp and 721-731/tcp for print services. What are the IP ports for File Sharing and other applicable NT services?
Thanks,
Arjo

From firewalls-owner Mon Feb 3 02:25:47 1997
From: "Administrator"
Date: Mon, 03 Feb 97 01:36:38 PST
To: Firewalls@GreatCircle.COM
Subject: Message not deliverable

Firewalls-Digest          Monday, February 3 1997          Volume 06 : Number 044

In this issue:

        Re: NT Firewalls
        Re: Question on MAC Address

See the end of the digest for information on subscribing to the Firewalls or Firewalls-Digest mailing lists and on how to retrieve back issues.

----------------------------------------------------------------------

Date: Sun, 2 Feb 1997 23:35:04 -0500
From: "Jamie Thain"
Subject: Re: NT Firewalls

Paul,

This NT vs UNIX firewall issue has been debated several times on this list. I would suggest that both OS's are able to be secure, and that local experience in making one or the other secure would help. I would also suggest that you not consider a firewall a single machine, but a configuration of several machines to defend against security threats to your computing environment. In the latter statement I would suggest that you have at least two different OS types and two different firewall vendor protections. For example:

    Firewall/Plus        DMZ        Firewall-1
    NT --- Proxy stuff ---- UNIX --- Internal Lan.
Likewise the security policy you are trying to implement will have a vast effect on the firewall configuration that you choose.

regards: jamie

----------
> From: Paul A. Murphy
> To: firewalls@GreatCircle.COM
> Subject: NT Firewalls
> Date: Sunday, February 02, 1997 12:10 AM
>
> Hello!
>
> My company is looking into firewalls to protect our network that is
> connected with a T-1.
>
> Our company is migrating to NT as a standard and I am concerned that the
> NT Firewalls are generally less secure than the UNIX firewalls and am
> looking for material to make my case that the firewall be UNIX.
>
> I would appreciate any comments related to the UNIX vs NT debate.
>
> Thanks
>
> Paul Murphy
> St. Louis

------------------------------

Date: Sun, 2 Feb 1997 23:09:38 -0800
From: mch@squirrel.com (Mark Henderson)
Subject: Re: Question on MAC Address

Mike Jones writes:
> Yes, it should be like that. It's just the way Suns work. They change
> the MAC address of all Ethernet interfaces to be the same as the
> "primary" interface (typically le0). It's OK, because MAC addresses only
> really have to be unique on a per-segment basis for things to work, and
> it keeps a 1-to-1 relationship between machines and MAC addresses.
>
> Mike Jones
> Sr. Network Computing Advisor
> UNIFIED Technologies

On most modern Sun workstations and servers that MAC address is stored in NVRAM (SGS-Thomson M48T02, M48T08, M48T59Y depending upon the model of Sun). This is the same NVRAM that stores things like boot device, nvramrc, input-device, etc. - although the methods for modifying this ethernet address in NVRAM are not documented, at least by Sun ;-) The SS1000 and SC2000 are different in that the MAC address is stored in a flash eeprom.

In any case, this MAC address in NVRAM is the default MAC address for all ethernet and fast ethernet interfaces. You can override this default for any particular interface with ifconfig.
Typically this is only an issue when one wants to put two interfaces on the same segment.

------------------------------

End of Firewalls-Digest V6 #44
******************************

To unsubscribe from Firewalls-Digest, send the following command in the body of a message to "Majordomo@GreatCircle.COM":

    unsubscribe firewalls-digest

If you want to subscribe or unsubscribe an address other than the account the mail is coming from, such as a local redistribution list, then append that address to the command; for example, to subscribe "local-firewalls":

    subscribe firewalls-digest local-firewalls@your.domain.net

A non-digest (direct mail) version of this list is also available; to subscribe to that instead, replace all instances of "firewalls-digest" in the commands above with "firewalls".

Compressed back issues are available for anonymous FTP from FTP.GreatCircle.COM, in pub/firewalls/digest/vNN.nMMM.Z (where "NN" is the volume number, and "MMM" is the issue number).

From firewalls-owner Mon Feb 3 02:40:29 1997
From: David Vincenzetti
Subject: to source or not to source?
  (was: [NTSEC] ActiveX, MSIE and Quicken)
To: Firewalls@GreatCircle.COM
Date: Mon, 3 Feb 1997 11:17:58 +0100 (MET)

> Oh, definitely. Russ's comment about it not being the whole OLE environment
> but rather the web-enabled part of it being the problem is right on. The
> terminology war, however, is lost... the phrase "ActiveX" is going to be
> forever associated with applets, because that's the obvious technology
> difference between OLE and ActiveX.
>
> > Not all that inconceivable. There are perfectly viable
> > alternatives to an MS desktop for anyone who feels like using
> > them.
>
> Unfortunately, no. Not if you want to be able to effectively do business
> in America today. Microsoft's file formats are everywhere, and they work very
> hard at making sure that nothing but their products can use them effectively.
>
> > Microsoft's desktop will always be completely unable to
> > provide any useful security for the exact same reasons as we've seen
> > for years and years with Sendmail.
>
> It's worse than sendmail. Eric Allman isn't trying to make Sendmail do
> everything (there's no http and nntp in there, for example), and Eric
> *is* concerned about security. It's not at the top of the list, but at
> least it's *on* the list.

Just to play Devil's Advocate (I am an openness/source_included enthusiast!), the main difference between Sendmail and ActiveX is that the former provides full source while the latter does not provide any sources. Sendmail's full sources are available, they can be studied and examined by everyone, and they can be studied by malicious hackers too.
ActiveX sources are not available, and it is harder, for a malicious hacker, to spot new bugs. Sendmail is a crystal box while ActiveX is a black box (remember the old Security Thru Obscurity model? :-). As a matter of fact, a much larger number of bugs are found for systems whose sources are available.

Installing patches is an EXPENSIVE activity, so most companies will NOT install all the patches as they are released by CERTs and vendors. Not installing new CERT patches is a bad habit, but companies usually do not have the knowledge/skills/manpower for keeping their software up to date.

So, is source availability a real advantage for commercial companies?

--vince

From firewalls-owner Mon Feb 3 04:41:25 1997
Date: Mon, 3 Feb 1997 20:18:37 +0800
From: Carl.Ma@PRC.Sun.COM (Carl Ma - SE Trainee)
To: Martin_Khoo/SIN/Lotus@lotus.com
Cc: firewalls@greatcircle.com
Subject: About NAT

Hi,

I have heard of the Sun Microsystems product SunScreen, which can hide its IP address. Does it use some function of NAT? Where can I find more material on NAT?

Thanks in advance!
Carl.ma

From firewalls-owner Mon Feb 3 05:25:48 1997
From: "Alessandro Jannuzzi"
To: firewalls@GreatCircle.COM
Date: Mon, 3 Feb 1997 11:15:23 +0000
Subject: Re: Virus Scan on the FW

Hi,

Is there a solution similar to WebShield that I can run on a non-Intel platform? On Solaris 2.5 for instance...

Thanks,

Alessandro Jannuzzi
jannuzzi@csn.com.br

From firewalls-owner Mon Feb 3 05:55:43 1997
Date: Mon, 3 Feb 1997 08:41:38 -0500
From: jerrys@confucious.sbi.com (Jerry Simonowits)
To: Firewalls@GreatCircle.COM
Subject: Firewall-1 bug

I'm using Firewall-1 version 2.1 and seem to have run across a bug. I've added more hosts to my database than can be displayed on the screen and I get an error message:

    XView warning: Menu too large for screen (Command Menu package)

And, nothing is displayed on the screen.

It's been confirmed to me that this is a bug, but I haven't received any fixes....

Any suggestions ???

Jerry

From firewalls-owner Mon Feb 3 06:10:37 1997
Date: Mon, 3 Feb 1997 08:46:35 -0500
From: jerrys@confucious.sbi.com (Jerry Simonowits)
To: Firewalls@GreatCircle.COM
Subject: Re: Optimal Throughput for NAT

Martin wrote:

[stuff cut]

Using the router to do NAT seems to make a lot of sense for some people but I feel that you should let the router do what is primarily its main function: i.e. providing routing.
Well, many people may disagree with me on this but NO FLAMES PLEASE.

===========================================================================

Not a flame, just a difference of opinion... I've spent the last 9 years or so involved with routers, and I would have agreed with you completely, oh, until about the last 2 years or so. Router hardware has taken a major leap, and the processing power available to most routers these days is way way more than most "edge" routers require to accomplish their routing tasks. That being the task, why not use all that leftover power to do NAT and other useful things?

I would think that a good approach would be to define what needs doing and then find the appropriate system to accomplish that. In this case "system" may include a multiplicity of devices.

Jerry

From firewalls-owner Mon Feb 3 06:39:33 1997
From: "Mike Stoico"
To: david@mony.com
cc: Cihans@Garanti.Com.Tr, Firewalls@Greatcircle.Com
Date: Mon, 3 Feb 1997 08:44:31 -0400
Subject: Re: Virus Scan....

Have you seen any performance hits on your traffic with this installed?
We're looking at using it, and I have a concern about placing another hub between inside and outside. Also, is there any configuration that the user needs to do?

Mike Stoico
MetLife
The views expressed here are probably not those of my employer

david@mony.com  01/31/97 10:59 AM
To: CihanS@garanti.com.tr
cc: firewalls@GreatCircle.COM
Subject: Re: Virus Scan....

Cihan Subasi said:
>
> And how WebShield will work? In the documents it is said that the
> product is "Completely Transparent and cannot be bypassed by users" anybody
> has any idea about those issues?

What happens is that WebShield sits between your firewall (or exterior router) and your internal network. It has two network cards, but instead of routing it acts as a bridge. It does seem to be essentially invisible. However: We've run into some issues regarding its use with FTP, and we're trying to find someone at McAfee who can give us some answers. Test it thoroughly and decide if you want to use it. And yes, there are all kinds of email attachments that it can't decode to detect virii. Our client wants us to implement it anyway, and hopefully they understand that this will _assist_ in preventing virus infections, not provide 100% protection.
--
David Kozinn                         dkozinn@csc.com
Computer Sciences Corporation
Technology Management Group
+1-201-907-6990

From firewalls-owner Mon Feb 3 08:49:58 1997
To: jerrys@confucious.sbi.com (Jerry Simonowits)
cc: Firewalls@GreatCircle.COM
Subject: Re: Firewall-1 bug
In-reply-to: Message <199702031341.IAA00690@paranoid.sbi.com> from "Mon, 03 Feb 1997 08:41:38 EST."
Date: Mon, 03 Feb 1997 10:19:40 -0500
From: Ken Wilcox

jerrys@confucious.sbi.com (Jerry Simonowits) writes:
> I'm using Firewall-1 version 2.1 and seem to have run across a bug. I've
> added more hosts to my database than can be displayed on the screen and
> I get an error message:
>
> XView warning: Menu too large for screen (Command Menu package)
>
> And, nothing is displayed on the screen.
>
> It's been confirmed to me that this is a bug, but I haven't received any
> fixes....
>
> Any suggestions ???
>
> Jerry
>

This is what Sunsolve has to say about this. I hope it helps.

Document ID: 1890

SYNOPSIS: Error message: "Xview warning: Menu too large for screen"

DETAIL DESCRIPTION:

I create 250 hosts, but when I want to install a new rule I am not able to see the windows with all objects created. I receive the message "Xview warning: Menu too large for screen". What does this mean?

SOLUTION SUMMARY:

This is a known limitation. Future releases of Firewall-1 will probably include a scroll-bar menu instead of this pop-up menu. However, in the meantime here are several workarounds:

1. Edit the files manually.

Instead of using the firewall GUI, you can modify the object file (objects.C) and the rule file (.W) under /etc/fw/conf with the command line interface.
The format of the file is self-explanatory. Once you've done that you can type "fw load .W ". If you are using more than 250 objects it is probably faster to edit the rules and object list using the command line than the GUI anyway.

2. Group the objects and only display those needed.

It is likely that, even if you are dealing with 250+ objects, you do not want to create rules for every one of them. Usually you want to put your objects into groups and apply the filter rules only to those groups. If this is the case, you can create groups using the network object manager under the GUI and, for each host you put in a group, in the host properties, un-select the check-box "Show in Menus".

3. Use networks whenever possible.

Sometimes you do not really need that many hosts. See if you can group the hosts into network objects.

4. Share the load among several Firewalls.

This is not very attractive because, after all, one reason for getting a firewall is that you want to manage your entire security policy from a central point. But if you really need hundreds of hosts and hundreds of rules to manage them, then you may consider splitting the security checking between several firewalls. This will also lower the risk of experiencing performance problems (especially if you are also using VPN and NAT).

DATE APPROVED: 08/31/96
KEYWORDS: firewall xview warning objects file
OS RELEASE: Solaris/SunOS 2.5/5.5

--
Ken Wilcox                          Perfect Order Inc.
Account Representative              Authorized Sun Reseller
2212 Eagles Nest Lane               Monroeville PA 15146
Phone: +1 412 373 1528              Email: wilcox@poss.com
Fax: +1 412 373 1722

From firewalls-owner Mon Feb 3 08:51:28 1997
Date: Mon, 3 Feb 1997 10:22:40 -0500 (EST)
From: Jim Serven
To: Jerry Simonowits
cc: Firewalls@GreatCircle.COM
Subject: Re: Firewall-1 bug
In-Reply-To: <199702031341.IAA00690@paranoid.sbi.com>

> It's been confirmed to me that this is a bug, but I haven't received any
> fixes....
> Any suggestions ???

Yes. Go into the Object Manager and edit any objects which do NOT need to be on the menu. On the (editing) window for each object when you open it (along the bottom (in X)) is a "[ ] Show in Menu" - the default is for it to be checked. Uncheck it, and do this for as many hosts as necessary until you are able to view your objects in the expandable menu.

Usually, we only "show" objects in the menu while we are adding them to a rule, and then we "unshow" them so that we can leave the menu space available for more important hosts (or whatever) or until we need it later. That way valuable X real estate is saved, and FW1(X) doesn't complain.

If you have any questions, feel free to holler.

Cheers!
-Jim
Certified Checkpoint Security Engineer CCSE
-------------------------------------------
Jim Serven                     The GLIX Network
President                      G-4010 W.
Court St                       http://www.glix.net
Flint, Mi 48532
(v) 810.898.4483   (f) 810.695.8403
-------------------------------------------
Firewalls, webSmiths, and bandwidth. oh my!

From firewalls-owner Mon Feb 3 08:53:43 1997
Date: Mon, 3 Feb 97 10:38:51 -0500
From: "K.M."
Reply-To: "K.M."
To: jcanfiel@davocom.com, firewalls@greatcircle.com
Subject: Re: Sidewinder vs. Cyberguard

In message <32F3DA42.27E9@davocom.com> Jim Canfield writes:
> First: How is security rated A1, B3, B2, B1, C2, C1 in the US, other
> similar grading scales in England/Germany and probably countless others
> worldwide.

    TCSEC (US)   =   ITSEC (EU)
    ----------       ----------
    A1           =   E6 / F6 (or F-A1)
    B3           =   E5 / F5 (or F-B3)
    B2           =   E4 / F4 (or F-B2)
    B1           =   E3 / F3 (or F-B1)
    C2           =   E2 / F2 (or F-C2)
    C1           =   E1 / F1 (or F-C1)

There is no concept, in TCSEC, for separate assurance and functionality evaluations. Each rating assumes a combination of functionality and assurance at a certain level. The Common Criteria (if they ever happen) will look a lot more like the ITSEC scheme.
The TCSEC also does not evaluate *applications* (though it does evaluate the TCBs of relational database management systems). Thus, there are no TCSEC evaluations of *firewalls*, because these are applications. The ITSEC *does* evaluate applications - including firewalls. This is why CyberGuard was evaluated, as an application, in Europe, while the CyberGuard platform (Harris "Nighthawk") was all that was evaluated in the U.S. ("NightHawk" also got an E3/F3 rating in Europe). CyberGuard got an "E3" assurance rating at a UK CLEF.

> Then to find out what was the best achievable security rating
> for a product that is usable.

The highest rating any firewall has got is the ITSEC "E3" given to CyberGuard. Even this is possibly "underkill", for while the MACs provided at the E3 (B1) level may be used to protect the firewall, E3 does *not* provide a covert channel analysis, so there may be huge covert channels in an E3 (B1) operating system or application that can be exploited by a clever malfeasant.

On the other hand, none of the firewall applications (except Sidewinder) running on B1/E3 platforms actually use the MACs to reinforce separation between the networks connected to the firewall. Both CyberGuard and the Norman Firewall (which runs on Compartmented Mode Workstations with MACs) run at a single level in the MAC scheme of the operating system. There is no trusted process in these firewalls that would allow the "inside" to run at a higher classification level than the "outside", thus using the MACs and TCB effectively to separate the protected network from the unprotected one. Only Sidewinder does this, using type enforcement, and even with type enforcement, there is no sense of the inside being more protected than the outside (though the combination of non-TCB related firewall configuration - e.g., which proxies are two-way, which are only outbound, etc. - and type enforcement can achieve something resembling this).
However, I have heard that Sidewinder is very difficult to configure, unless they have managed to greatly improve their interface in a new release. Cyberguard, on the other hand, is supposed to be as easy to configure as Firewall-One, and is more trustworthy.

> The most secure, usable, firewall we have found to date is the
> Cyberguard
>
> As mentioned the products are B1 compliant (awaiting certification)....

The OS is already evaluated, and the E3 rating of the firewall application should be completed any day now.

KM
=====
K.M. Goertzel
Manager, Business Development
Secure Systems & Services Operation
WANG FEDERAL, Inc.
7900 Westpark Drive - MS 700
McLean, VA 22102-4299 USA
tel (703)827 3914
fax (703)827 3161
email goertzek@wangfed.com

From firewalls-owner Mon Feb 3 09:12:36 1997
From: "Greg Otto"
Subject: Secure Kernel's versus Unix or NT
Date: Mon, 3 Feb 1997 10:27:50 -0600

I am looking for some information which compares the problems and issues of running Firewall systems on a real-time kernel versus on an existing operating system such as Unix or NT. I would like to get a better understanding of where the problems exist and what issues may arise.
I understand that most OS based systems will "harden" up the OS, but I still wonder how many loop-holes are left out there.

Thanks,
Greg
============================================================================
Gregory Otto              e-mail gdo@newf.com
New Frontier Consulting   WWW http://www.newf.com
Houston, Texas            Voice (713) 718-1358
============================================================================

From firewalls-owner Mon Feb 3 09:22:05 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA23397 for firewalls-outgoing; Mon, 3 Feb 1997 08:02:44 -0800 (PST)
Received: from intkx001.usair.com (intkx001.usair.com [199.72.38.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA23372 for ; Mon, 3 Feb 1997 08:02:27 -0800 (PST)
Received: from intad116.usair.com by intkx001.usair.com (AIX 4.1/UCB 5.64/4.03) id AA74194; Mon, 3 Feb 1997 10:56:56 -0500
Message-Id: <32F60B04.4E0B@usair.com>
Date: Mon, 03 Feb 1997 10:57:57 -0500
From: Mark Smith
Reply-To: msmith@usair.com
X-Mailer: Mozilla 3.01 (Win95; I)
Mime-Version: 1.0
To: firewalls@GreatCircle.com
Subject: Filtering outbound packets
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What is the general practice for readers of this list on filtering outbound packets at the router between the ISP and the DMZ? The original intent was to limit the chances of mounting attacks/FSP/general bad stuff using our site as base camp. Now, however, we have a mail application which appears to drive the router at max CPU, allegedly due to the filtering in place. That outbound filtering allows only the "good" protocols to their known ports.
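Mark's question concerns an egress filter that passes only the "good" protocols to their known ports. What follows is an added example for this thread, not part of the original post and not any router vendor's configuration syntax: a small Python model of such a stateless outbound rule set, with the anti-spoofing rule that gives egress filtering its point (only the site's own source addresses may leave) and the reply-traffic case that a "known destination ports only" rule silently breaks. The DMZ prefix, the service list and the sample packets are constructed; nothing here is taken from the poster's actual configuration.

```python
"""Model of a stateless egress filter on the ISP-facing router.

Added example for this thread; the prefix, service list and packets are
constructed, not taken from any real configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed site prefix (RFC 5737 documentation range) and "good" services.
DMZ = ip_network("192.0.2.0/24")
KNOWN_PORTS = {25: "smtp", 53: "dns", 80: "http", 443: "https"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool = False   # TCP ACK bit: set on every segment after the initial SYN


def egress_verdict(pkt: Packet):
    """Return (verdict, rule) for a packet leaving the DMZ towards the ISP.

    Rules are evaluated in order; the first match wins, as on a router ACL.
    """
    # Rule 1, anti-spoofing: nothing may leave with a source address that is
    # not ours. This is the rule that stops the site being used as "base camp"
    # for spoofed-source attacks, and it costs one prefix comparison.
    if ip_address(pkt.src) not in DMZ:
        return "DROP", "anti-spoof: source not in DMZ"

    # Rule 2: connections we initiate to a known service elsewhere.
    if pkt.dport in KNOWN_PORTS:
        return "ACCEPT", f"outbound {KNOWN_PORTS[pkt.dport]}"

    # Rule 3: replies from our own servers to clients on the Internet. These
    # go to the client's ephemeral port, so "known destination ports only"
    # would drop every reply from the web and mail servers. A stateless
    # filter can only recognise a reply by its source port and, for TCP, by
    # the ACK bit (a bare SYN from port 80 is a new connection, not a reply).
    if pkt.sport in KNOWN_PORTS and (pkt.proto == "udp" or pkt.ack):
        return "ACCEPT", f"reply from local {KNOWN_PORTS[pkt.sport]} server"

    # Default deny, and worth logging: this is what "general bad stuff" looks like.
    return "DROP", "default deny"


def filter_batch(packets):
    """Apply the rule set to a list of packets; returns a list of (verdict, rule)."""
    return [egress_verdict(p) for p in packets]


# Constructed sample traffic, including the cases that tend to surprise people.
SAMPLE = [
    Packet("192.0.2.10", "198.51.100.5", "tcp", 40123, 25),             # our MTA sending mail
    Packet("192.0.2.20", "198.51.100.7", "tcp", 80, 51000, ack=True),   # web server replying
    Packet("192.0.2.20", "198.51.100.7", "tcp", 80, 51000),             # SYN from port 80: not a reply
    Packet("10.0.0.1", "198.51.100.5", "tcp", 40123, 25),               # spoofed source
    Packet("192.0.2.30", "203.0.113.9", "tcp", 40124, 6667),            # IRC out of the DMZ
]

if __name__ == "__main__":
    for pkt, (verdict, rule) in zip(SAMPLE, filter_batch(SAMPLE)):
        print(f"{verdict:6} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  ({rule})")
```

Rule 3 is the known weakness of doing this statelessly: a compromised DMZ host can send ACK-flagged packets from source port 80 to any destination and the filter will pass them, which is why the same policy on a stateful device or an application-level proxy is preferable when the hardware can carry it. Within a stateless list, ordering the rules so the common case matches first is the only lever the rule set itself offers against the per-packet CPU cost the post describes.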
From firewalls-owner Mon Feb 3 09:27:42 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA24890 for firewalls-outgoing; Mon, 3 Feb 1997 08:20:57 -0800 (PST)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA24850 for ; Mon, 3 Feb 1997 08:20:44 -0800 (PST)
Received: (qmail 13505 invoked from smtpd); 3 Feb 1997 16:19:28 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 3 Feb 1997 16:19:28 -0000
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id KAA14133; Mon, 3 Feb 1997 10:19:28 -0600
Received: by sonic.nmti.com; id AA07546; Mon, 3 Feb 1997 10:13:53 -0600
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9702031613.AA07546@sonic.nmti.com.nmti.com>
Subject: Re: to source or not to source? (was: [NTSEC] ActiveX, MSIE and Quicken)
To: vince@cryptonet.it (David Vincenzetti)
Date: Mon, 3 Feb 1997 10:13:53 -0600 (CST)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <199702031025.LAA07956@relay.cryptonet.it> from "David Vincenzetti" at Feb 3, 97 11:17:58 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Sendmail full sources are available, they can be studied
> and examined by everyone, and they can be studied by malicious
> hackers too. ActiveX sources are not available, and it is
> harder, for a malicious hacker, to spot new bugs.

I don't think you're thinking this through. You don't *need* source to break security on ActiveX, because there is none. All you need to do is spoof Authenticode or steal an Authenticode private key... and since there is no mechanism to revoke an Authenticode key, as soon as *one* person has done it the game's over.

Regardless of the utility of the crystal box vs. black box argument, it's got nothing to do with ActiveX.
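The argument in Peter's reply is that a signed-code scheme is only as strong as its handling of compromised signing keys: once a trusted private key is stolen, every verifier that cannot be told to stop trusting that key keeps accepting whatever the thief signs. The following is an added example, not part of the original post and not Authenticode's actual format or key sizes: a toy verifier in Python using textbook RSA over two small Mersenne primes (constructed, and far too small for real use), a truncated SHA-256 digest so the value fits under the toy modulus, and a trust store. It walks the scenario through twice, once with no revocation mechanism and once with a revocation list, so the difference shows up in the result rather than being asserted.

```python
"""Toy signed-code verifier: why stolen signing keys need a revocation channel.

Added example for this thread. Textbook RSA on two small Mersenne primes,
constructed here for illustration; not Authenticode, and not safe key sizes.
"""
import hashlib

# Vendor's keypair (constructed). gcd(65537, (P-1)(Q-1)) == 1 for these primes.
P = 2 ** 61 - 1
Q = 2 ** 89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent; needs Python 3.8+


def digest(data: bytes) -> int:
    """SHA-256 truncated to 128 bits so it is smaller than the ~150-bit modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def sign(data: bytes, d: int = D, n: int = N) -> int:
    """Textbook RSA signature over the digest (no padding; toy only)."""
    return pow(digest(data), d, n)


def verify(data: bytes, sig: int, e: int, n: int) -> bool:
    return pow(sig, e, n) == digest(data)


def key_id(n: int, e: int) -> str:
    """Short identifier a verifier uses to look a public key up in its trust store."""
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16]


class Verifier:
    """Checks a control's signature against trusted keys and an optional revocation list."""

    def __init__(self, trusted: dict, revoked=None):
        self.trusted = dict(trusted)          # key_id -> (n, e)
        self.revoked = set(revoked or ())     # key_ids the verifier has been told to distrust

    def check(self, control: bytes, sig: int, kid: str):
        if kid not in self.trusted:
            return False, "unknown signer"
        if kid in self.revoked:
            return False, "signer key revoked"
        n, e = self.trusted[kid]
        if not verify(control, sig, e, n):
            return False, "bad signature"
        # A valid signature says who signed the control, not that it is safe to run.
        return True, "signature valid"


def scenario():
    """Walk the argument through: legitimate signing, key theft, then revocation."""
    vendor_kid = key_id(N, E)
    trust_store = {vendor_kid: (N, E)}

    legit = b"ActiveX control v1.0 (constructed, harmless)"
    evil = b"ActiveX control v1.0 (constructed, formats your disk)"

    # 1. The vendor signs its control; a verifier holding the vendor's key accepts it.
    no_revocation = Verifier(trust_store)
    legit_result = no_revocation.check(legit, sign(legit), vendor_kid)

    # 2. The private key is stolen. The thief signs a malicious control with the
    #    same key; nothing in the signature distinguishes it from the vendor's.
    stolen_d = D
    evil_sig = sign(evil, stolen_d, N)
    stolen_no_revocation = no_revocation.check(evil, evil_sig, vendor_kid)

    # 3. Only a verifier that can be told the key is compromised stops accepting it,
    #    and it then rejects the legitimate control too until the vendor re-keys.
    with_revocation = Verifier(trust_store, revoked={vendor_kid})
    stolen_with_revocation = with_revocation.check(evil, evil_sig, vendor_kid)
    legit_after_revocation = with_revocation.check(legit, sign(legit), vendor_kid)

    return {
        "legit": legit_result,
        "stolen_key_no_revocation": stolen_no_revocation,
        "stolen_key_with_revocation": stolen_with_revocation,
        "legit_after_revocation": legit_after_revocation,
    }


if __name__ == "__main__":
    for name, (ok, why) in scenario().items():
        print(f"{name:28} {'ACCEPT' if ok else 'REJECT'}  ({why})")
```

Step 2 is the whole of the argument: verification cannot tell a thief holding the key from the vendor, so a scheme with no revocation path has no recovery from a single key theft. In practice the revocation also has to reach every installed verifier, which is what certificate revocation lists are for; the toy models only the verifier-side set, which is the part the argument turns on.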
From firewalls-owner Mon Feb 3 09:41:11 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA00772 for firewalls-outgoing; Mon, 3 Feb 1997 09:19:54 -0800 (PST)
Received: from panix3.panix.com (panix3.panix.com [198.7.0.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA00753 for ; Mon, 3 Feb 1997 09:19:40 -0800 (PST)
Received: from localhost (fangyou2@localhost) by panix3.panix.com (8.8.5/8.7/PanixU1.3) with SMTP id MAA15163 for ; Mon, 3 Feb 1997 12:18:09 -0500 (EST)
Date: Mon, 3 Feb 1997 12:18:08 -0500 (EST)
From: FaNgYoU2
To: firewalls@GreatCircle.com
Subject: NT network and system management
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Apologies because this is not strictly a firewall question. However, there are quite a few NT experts on the list who can help. I need to monitor the following items across about 80 Windows NT servers:

DOS Devices:
Paging File: Percent usage Peak
Physical Disk: Percent disk time
Physical Disk: Average disk sec/read (reads per second)
Physical Disk: Disk read bytes/sec (read bytes per second)
Physical Disk: Queue length
Processor: Percent processor time
Memory: pages/second
Server: bytes total/second

For each network user connected to server:
NIC card address/MAC address
Computer name (if any)
IP address (if any)
User name.

Is there a group of NET commands which will give me this? Is there a commercial product that can be customized to give me this? Finally, which mailing list does this question really belong on?

FaNgYoU2, Cyberspace^^Vampyre
^^ Touch it, touch it, touch me ...
creatures of the Night ^^

From firewalls-owner Mon Feb 3 09:47:49 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA20026 for firewalls-outgoing; Mon, 3 Feb 1997 07:23:39 -0800 (PST)
Received: from gk-blue.unicc.org (gk-red.unicc.org [192.91.247.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA19870 for ; Mon, 3 Feb 1997 07:22:46 -0800 (PST)
Received: by gk-blue.unicc.org; (5.65v3.2/1.3/10May95) id AA17758; Mon, 3 Feb 1997 16:23:58 +0100
Received: from gh.unicc.org (localhost [127.0.0.1]) by gh.unicc.org (8.7.5/8.7.3) with SMTP id QAA07405; Mon, 3 Feb 1997 16:23:54 +0100 (MET)
Message-Id: <32F60309.41C6@unicc.org>
Date: Mon, 03 Feb 1997 16:23:53 +0100
From: Lilia Miltcheva
Organization: United Nations International Computing Centre
X-Mailer: Mozilla 2.0 (X11; I; OSF1 V3.2 alpha)
Mime-Version: 1.0
To: altavista-product@digital.com
Cc: admin@unicc.org, firewalls@GreatCircle.COM
Subject: Duplicated network addresses
X-Url: http://altavista.software.digital.com/help/tunnelfaq4/index.htm
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dear Guru,

I'm keen on using the AltaVista Tunnel and already have a lot of requests for providing the service. I have a question:

We are currently using Alta Vista FW for Unix and behind it we have class C addresses that we once got from EUnet. Then we changed the ISP and renumbered our "red" (external) network, but on the internal ("blue") WAN we kept the old IPs as they are anyhow not accessible from the Internet. What is going to happen if a remote client, using AVT, connects to our AVT server, gets the numbers of the private networks (for example 193.72.45.0) and starts tunneling, but at the same time there is a server somewhere on the Internet that has the address, let's say, 193.72.45.20 (same class C)? How could this clash possibly be managed?
I'm aware that many people use inside their FW "any" IP addresses (just unique on the LAN), so that will be a problem with all those guys if some coincidence occurs. Is there something I'm missing?

Thanks a lot in advance. I'll greatly appreciate any help....

Lili

From firewalls-owner Mon Feb 3 09:56:31 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA01900 for firewalls-outgoing; Mon, 3 Feb 1997 09:35:04 -0800 (PST)
Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA01837 for ; Mon, 3 Feb 1997 09:34:33 -0800 (PST)
Received: from West.Sun.COM ([129.153.100.31]) by mercury.Sun.COM (SMI-8.6/mail.byaddr) with SMTP id JAA11027; Mon, 3 Feb 1997 09:32:47 -0800
Received: from topsun.West.Sun.COM by West.Sun.COM (SMI-8.6/SMI-5.3) id JAA05376; Mon, 3 Feb 1997 09:32:07 -0800
Received: from plato.West.Sun.COM by topsun.West.Sun.COM (SMI-8.6/SMI-SVR4) id JAA13336; Mon, 3 Feb 1997 09:32:07 -0800
Received: by plato.West.Sun.COM (SMI-8.6/SMI-SVR4) id JAA05126; Mon, 3 Feb 1997 09:16:58 -0800
Date: Mon, 3 Feb 1997 09:16:58 -0800
From: matt@plato.West.Sun.COM (Matthew Archibald)
Message-Id: <199702031716.JAA05126@plato.West.Sun.COM>
To: firewalls@greatcircle.com, bsterling@hotmail.com
Subject: Re: Securing Web Servers
Cc: smith@sctc.com
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Friday 31 Jan 1997 - Brad Sterling wrote:

> Memco SeOS, on the other hand, is capable of achieving the same results as
> SideWinder, but requires no alteration of the OS, other than being installed so
> that it can intercept system calls which are security oriented (very clever
> stuff which is up for patents). Since Memco SeOS can achieve this with
> standard vendor releases of any Unix system (Solaris, HP/UX, AIX, etc.), and
> combined with FireWall-1 far outperforms any application level firewall, I
> don't see a reasonable comparison.
In fact Memco SeOS changes the kernel of the system via loadable kernel modules. What this does is to force every open, exec, write etc... call to be checked against an ACL prior to the action taking place and writes a log entry for each. Now, while this is pretty strong stuff there are no host-to-host authentication services, at least not in the 1.x releases. Also, try running this on a large Oracle, Sybase or other SQL server and watch your performance go down the drain.

Patenting of a loadable kernel module might not be very easy since Memco is not the first, or last, to do this sort of thing. I even have an example of a module in a 'Writing Device Drivers' course for SunOS v4.X.x (c 1991/2) to capture just this type of info. (First release that let you load a module at boot time.)

Regardless, most SysV UNIX variants released in the past 6-18 months and/or next 6-18 months will/have included file ACLs which, if maintained reasonably well, offer similar protection with less overhead since they are native to the OS in use. I know, the famous 'we obviate the need for root' statement is flashy to mainframe-centric minded folks but really, no matter how you do it the system always has one privileged user id or another regardless if the name is 'root', 'seosadmin' or 'barney'...

For standalone systems SeOS is very cool. For network trust unfortunately it seems to be lacking strong controls. A mixture of SeOS with network based audit and access control services offers the best of both worlds. Of course with the release of version 2.x things might be better.
My 2 cents worth,

Matthew Archibald

From firewalls-owner Mon Feb 3 10:12:48 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA04387 for firewalls-outgoing; Mon, 3 Feb 1997 10:03:53 -0800 (PST)
Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA04366 for ; Mon, 3 Feb 1997 10:03:34 -0800 (PST)
Received: from txau.tx.mt.np.els-gms.att.net by relay5.UU.NET with SMTP (peer crosschecked as: txau.tx.mt.np.els-gms.att.net [199.191.144.201]) id QQcbie24564; Mon, 3 Feb 1997 13:01:30 -0500 (EST)
Date: Mon, 03 Feb 1997 11:02:20 -0500
From: mcoss@attmail.com (Michael J Coss)
Received: from mcoss by attmail; Mon Feb 3 17:48:26 GMT 1997
Subject: Re: Sidewinder vs. Cyberguard
In-Reply-To: your message <199702020407.XAA27088@unix1.sysnet.net> of Sat Feb 1 21:31:07 -0400 1997
To: firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Matthew Patton wrote:

>On what basis do you make this assertion? "secure" can mean a lot of
>things and a rubber stamp from NSA or its equivalent doesn't mean a
>whole lot if buggy software can be trivially exploited. We could go on
>about "usable" but I'll let that one slide. In particular is the
>firewall configuration an EXACT match with the
>"certified/tested/evaluated" machine? NT has a C2 rating but it's not
>worth a damn. When was the last time you ran an NT box with no LAN, no
>floppy, and with a modified BIOS? Not exactly a useful product. Then
>again, assuming you duplicate this setup, place said machine nearish to a
>window. Electronic eavesdropping (for about $3000 and change) or outside
>observation does tend to degrade the usefulness of said rating does it
>not?
You're correct, "secure" is a nebulous term, but obviously you have not been involved with an evaluation of an operating system if you believe that it's a rubber stamp. I worked on the NCSC evaluation of a UNIX operating system and it took too long (several years) and was not a rubber stamp. Your point about what the configuration is is quite true, but Cyberguard has gone the extra mile of getting a Network evaluation to provide a better security solution that does include a network component. And you can buy the NightHawk in a TEMPEST cabinet if you're concerned about that.

>Ah, the GUI. Remote manageable too I think I recall. What to say when
>the X11 session gets hijacked? You sure the box isn't running a
>braindamaged X11 server? Can you attack the logging facility thru DOS?
>What happens when you bog the machine down with hundreds of connections?
>Does it run out of VM and spontaneously reboot? How about the logs
>filling up the disk? What happens when this occurs and an exploit is
>then launched? Do you still have an audit trail?

First, I know of no system that is completely immune to a concerted denial of service attack. You can attempt to minimize the impact but with a general purpose operating system, it may be virtually impossible to eliminate. Second, unless you're willing to expend the money to create a tamperproof box, the granting of access to the machine is taboo.

>So they know how to check off all of the feature boxes on the report
>card. Anybody can and everybody does that.

Do you KNOW that the features are not provided? What feature do you believe they are lying about?

>IMO ratings, be they NSA/NCSA or whatever aren't worth much and
>definitely not a price premium. I take far more comfort in people
>banging away at the available stuff and fixing the problems.

And what pray tell do you believe that the evaluations/testings are trying to do? The purpose of these is to provide a degree of comfort that someone other than the vendor has looked in varying degrees of detail at the implementation of the software/hardware combination.

>Additionally, you really believe the vendor (or reviewer for that matter)
>went thru every single line of code specifically looking for possible
>exploits? Get real.

Have you been involved in the evaluation process? I have. No, we didn't go thru every single line of code, but we tried to get complete coverage and did an analysis of the data flow and looked at the access control mechanisms in great detail and looked at privileged processes to verify their correct operation, and in those programs we did indeed look at every line and reviewed the libraries. That some people attempt to slide thru an evaluation, I have no doubt, but I'd like to believe that that is the exception rather than the rule.

>All the ratings do is study the protection scheme and bless it as logical
>and OK at least in theory. Then with various degrees of persistence they
>try to prove you can't get around said protection. Holes and stack smashes
>by way of poorly written C and resolver libraries and DOS via SYN etc.
>aren't addressed.

While the NCSC did not require denial of service attacks, nor penetration testing (for a B1 system), we as part of our own Q&A did do these things based on knowledge gathered from various sources and our own experience.

>If they were we wouldn't be plagued with some of the problems we have now.

No product is completely immune no matter how much money or resources are thrown at it. What you want is a system that provides a degree of security, and some assurance that the vendor has made a best effort at 1) implementation of a security mechanism, and 2) discovery/correction of known bugs.

Finally, there is the issue of whether you need a secure operating system. While I believe that a properly implemented firewall does not require a trusted base to run on, a secure OS will help if the firewall code is compromised. It may not be sufficient to protect the network but it may minimize the damage. I'm not recommending either choice but I do believe that there are benefits derived from having the system evaluated by an outside source. Is it worth the money? The market has shown to date that they want security but don't want to pay for the extensive review/testing/etc. required to develop and maintain it. The expectation is that it should come for free... "Of course your software is safe... right?"

---Michael J Coss
Lucent Technologies - Bell Laboratories
mjcoss@lucent.com

From firewalls-owner Mon Feb 3 10:17:21 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA15043 for firewalls-outgoing; Mon, 3 Feb 1997 06:39:27 -0800 (PST)
Received: from bastion.s-1.com (BASTION.FIVEPACES.COM [204.130.55.230]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA15034 for ; Mon, 3 Feb 1997 06:39:17 -0800 (PST)
Received: from UNKNOWN [10.1.1.10] by bastion.s-1.com for id JAA29721; Mon Feb 3 09:37:57 1997
Received: from mordred.s-1.com by wine.s-1.com with SMTP (1.39.111.2/16.2) id AA204210569; Mon, 3 Feb 1997 09:36:09 -0500
Received: by mordred.s-1.com (5.65/2.1) id AA22362; Mon, 3 Feb 97 09:37:35 -0500
Message-Id: <9702031437.AA22362@mordred.s-1.com>
Subject: RE: Technologic's Interceptor
Date: Mon, 3 Feb 1997 09:37:30 -0500 (EST)
X-Mailer: ELM [version 2.4 PL21]
Content-Type: text
To: Firewalls@GreatCircle.COM
From: Charles Watt
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
Originator-Certificate:
MIIBvzCCAWkCEFmOln6ip0w49CuyWr9vDVUwDQYJKoZIhvcNAQECBQAwWTELMAkG
A1UEBhMCVVMxGDAWBgNVBAoTD1NlY3VyZVdhcmUgSW5jLjEXMBUGA1UECxMOU2Vj
dXJlV2FyZSBQQ0ExFzAVBgNVBAsTDkVuZ2luZWVyaW5nIENBMB4XDTk1MDUwODIw
MjMzNVoXDTk3MDUwNzIwMjMzNVowcDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1Nl
Y3VyZVdhcmUgSW5jLjEXMBUGA1UECxMOU2VjdXJlV2FyZSBQQ0ExFzAVBgNVBAsT
DkVuZ2luZWVyaW5nIENBMRUwEwYDVQQDEwxDaGFybGVzIFdhdHQwWTAKBgRVCAEB
AgICBANLADBIAkEM2ZSp7b6eqDqK5RbPFpd6DGSLjbpHOZU07pUcdgJXiduj9Ytf
1rsmf/adaplQr+X5FeoIdT/bVSv2MUi3gY0eFwIDAQABMA0GCSqGSIb3DQEBAgUA
A0EApEjzeBjiSnGImJXgeY1K8HWSufpJ2DpLBF7DYqqIVAX9H7gmfOJhfeGEYVjK
aTxjgASxqHhzkx7PkOnL4JrN+Q==
MIC-Info: RSA-MD5,RSA,
CjW81uLLaNxmHKEFGvLlRPVknGKeyMsMAGbyaXYA/6puqyPsHKbPrYb3seEbNK7i
X0h3M7XKAjv7iTEPk411pPo=

We use the Interceptor to protect Security First Network Bank. It installs easily, is very easy to administer, provides excellent logging and alarming, all with good throughput. In the past we have used or evaluated several other products (Checkpoint, Raptor, Gauntlet) before deciding on the Interceptor.

Charles Watt
Security First Technologies

> We are presently evaluating different firewall solutions, one of which
> is Technologic's Interceptor.
>
> Is it a good product?
>
> Can anyone please provide a little insight.
>
> Thanks in advance,
> David Weinstein
> VP of Information Systems and Technology
>
-----END PRIVACY-ENHANCED MESSAGE-----

From firewalls-owner Mon Feb 3 11:04:57 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA09613 for firewalls-outgoing; Mon, 3 Feb 1997 10:54:43 -0800 (PST)
Received: from emf.emf.net (emf.emf.net [205.149.0.20]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA09565 for ; Mon, 3 Feb 1997 10:54:13 -0800 (PST)
Received: from d4bdonapc01 (dhcp-17-005.srv.ptss.com [155.241.17.5]) by emf.emf.net (EMF-K/K) with ESMTP id KAA28196; Mon, 3 Feb 1997 10:49:00 -0800
Message-Id: <199702031849.KAA28196@emf.emf.net>
From: "David B. Donahue"
To: , , , "Francis Yeung"
Cc:
Subject: Re: Re[2]: Highly available Internet connection
Date: Mon, 3 Feb 1997 10:52:50 -0800
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I used to be a reseller (not anymore) for a product called Qualix "Secure-watch"; it was a high availability solution, and it worked very well for me in some complex configurations. It automatically backed up the firewall and/or web server hardware and software using automatic hot cutover/monitoring software and shared SCSI disks. Tech support wasn't great, but it was OK if you were a Sr. Unix sys admin.

According to the sales info on their home page at: http://www.qualix.com/sysman/product/securewatch.htmld/

"Qualix has combined the core technology of the leading high-availability software, QualixHA(tm) (including Qualix HA-Environment(tm) and VERITAS FirstWatch(r)), with the security of the leading firewall, FireWall-1. These two products, along with special Qualix HA-Modules(tm) software, provide a packaged solution for highly available secure Internet connectivity."

"In order to guarantee access to the Internet, SecureWatch uses two workstations. A primary workstation operates as the Internet firewall, and a "hot standby" workstation operates as the back-up."

I'd bet that a solution like this would solve your problems; they have several competitors. You can do a Hotbot search for "high availability firewall" and turn some of those up.

-David B. Donahue

P.S. I have no affiliation with them anymore, I just liked their product, even if I had problems with their T/S group.
----------
> From: Laura_Bohde@prenhall.com
> To: firewalls@GreatCircle.COM; mike.starkweather@anheuser-busch.com; Francis Yeung
> Subject: Re[2]: Highly available Internet connection
> Date: Thursday, January 30, 1997 8:24 PM
>
>
> The firewall is not powered off - what is powered off is
> the router on one side of it, and the hub on the other
> side. I never want to use a power switch on a Unix box
> for fear of corrupting the File Systems/disks. Also -
> leaving the firewall live enables us to ensure the backup
> doesn't have any hardware problems.
>
> We haven't automated the synching yet. Static routes are
> defined in a startup file - the same on both systems.
> Doesn't change very often, and is easy to change on both
> systems, should a new route need to be added. All I
> actually need to do is copy the firewall config files (I
> use tape right now, can't ftp because the backup isn't on
> a live network) over to the backup system after I make a
> configuration change. Only takes a few minutes -
>
> We also thought about the second disk idea, where you
> could boot off of another disk that housed the
> configuration, but we didn't want to worry about the
> experience of the person performing the switch-over.
>
> - Laura
>
>
> ______________________________ Reply Separator _________________________________
> Subject: Re: Highly available Internet connection
> Author: fyeung@fyeung8.netific.com (Francis Yeung) at INTERNET-PUB
> Date: 1/30/97 10:43 AM
>
>
> Laura,
>
> What happens to the data - firewall rules, static routes etc.?
> How do you keep them in sync if one unit is powered off?
>
> Thanks.
>
> Francis
>
> > From root@fyeung25.netific.com Thu Jan 30 03:32 PST 1997
> > From: Laura_Bohde@prenhall.com
> > Date: Wed, 29 Jan 1997 23:20:46 -0500
> > Subject: Re: Highly available Internet connection
> > To: "'firewalls@GreatCircle.COM'" ,
> > "Starkweather; Mike"
> >
> >
> > We have two routers connected to the Internet configured
> > identically, as well as two hubs, two firewalls, and two
> > hubs on the other side. Then we installed Black Box
> > power on/off switches (one on each router, and one on
> > each hub at the other end). This way we can leave one
> > network up and the other powered off. If any device in
> > the "primary" network fails, with a simple phone call
> > (our help desk can even do this), one network can be
> > powered off and the other powered up. (This way all
> > equipment can actually have the same IP addresses too.)
> >
> > Hope this helps -
> >
> > Laura
> >
> >
> > ______________________________ Reply Separator _________________________________
> > Subject: Highly available Internet connection
> > Author: "Starkweather; Mike" at INTERNET-PUB
> > Date: 1/29/97 4:40 PM
> >
> >
> > My company wants to move toward Electronic Commerce on the Internet.
> > One of the requirements would be a highly available, secure
> > connection. One of the ideas I have considered is two firewalls going
> > out over two routers to two wide area links to two ISPs. This is a
> > pretty brute force approach.
> >
> > Does anyone have any ideas to share on how we might build an Internet
> > connection that would approach 100 percent availability?
> >
> > Thanks for all your help.
> >
> > Mike Starkweather
> > Anheuser-Busch
> >
> >

From firewalls-owner Mon Feb 3 11:15:40 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA09926 for firewalls-outgoing; Mon, 3 Feb 1997 10:57:45 -0800 (PST)
Received: from mailhost.netrunner.net (mailhost.netrunner.net [204.137.145.201]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA09826 for ; Mon, 3 Feb 1997 10:57:05 -0800 (PST)
Received: from brian ([207.100.192.100]) by mailhost.netrunner.net (8.7.5/8.7.5) with SMTP id OAA20494 for ; Mon, 3 Feb 1997 14:05:27 -0500 (EST)
Date: Mon, 3 Feb 1997 14:05:27 -0500 (EST)
Message-Id: <1.5.4.16.19970203135653.1aef92d6@mailhost.netrunner.net>
X-Sender: brianp@mailhost.netrunner.net
X-Mailer: Windows Eudora Light Version 1.5.4 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Brian Podolak
Subject: Re: Sidewinder vs. Cyberguard
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:31 PM 2/1/97 -0400, you wrote:
>Jim Canfield wrote:
>>The most secure, usable, firewall we have found to date is the
>>Cyberguard
>
>On what basis do you make this assertion? "secure" can mean a lot of
>things and a rubber stamp from NSA or its equivalent doesn't mean a
>whole lot if buggy software can be trivially exploited. We could go on
>about "usable" but I'll let that one slide. In particular is the
>firewall configuration an EXACT match with the
>"certified/tested/evaluated" machine? NT has a C2 rating but it's not
>worth a damn. When was the last time you ran an NT box with no LAN, no
>floppy, and with a modified BIOS? Not exactly a useful product. Then
>again, assuming you duplicate this setup, place said machine nearish to a
>window. Electronic eavesdropping (for about $3000 and change) or outside
>observation does tend to degrade the usefulness of said rating does it
>not?

First mistake. NT is not C2 compliant.
Anyone knowing anything about LAN security would know this. Do a little more research before replying to someone. Besides, do you even know the different levels of security, or are you just "anti-NT"? (Which is not a bad thing.)

>
>>As mentioned the products are B1 compliant (awaiting certification)....
>whatever, see above.
>
>>They are relatively easy to setup, nice GUI and it has built in the
>Ah, the GUI. Remote manageable too I think I recall. What to say when
>the X11 session gets hijacked? You sure the box isn't running a
>braindamaged X11 server? Can you attack the logging facility thru DOS?
>What happens when you bog the machine down with hundreds of connections?
>Does it run out of VM and spontaneously reboot? How about the logs
>filling up the disk? What happens when this occurs and an exploit is
>then launched? Do you still have an audit trail?
>

Have you even used the Cyberguard product? You would know this if you have. Pick up a phone and call!!

>>ability for most "standard" (excuse the word) proxies and allows creation
>>of probably anything you might need.
>So they know how to check off all of the feature boxes on the report
>card. Anybody can and everybody does that.
>
>IMO ratings, be they NSA/NCSA or whatever aren't worth much and
>definitely not a price premium. I take far more comfort in people
>banging away at the available stuff and fixing the problems.
>Additionally, you really believe the vendor (or reviewer for that matter)
>went thru every single line of code specifically looking for possible
>exploits? Get real. All the ratings do is study the protection scheme
>and bless it as logical and OK at least in theory. Then with various
>degrees of persistence they try to prove you can't get around said
>protection. Holes and stack smashes by way of poorly written C and
>resolver libraries and DOS via SYN etc. aren't addressed. If they were
>we wouldn't be plagued with some of the problems we have now.
>

SO..... Which firewall do you prefer?
A filter in a router. Sorry about the late response, I took off this weekend for once. I believe if you do prefer one FW to another, that is fine. But don't say one box is "better" then another or one is not "good". How do we rate these today? As all LAN and WAN hardware desicions, personal tastes still are a factor. If I like Cyberguard and you like Guantlet, who is to say I am wrong or you are. Each application has it own requirements. Don't ask questions that pertain to firewalls in general. > ============================================================================ = Brian Podolak, ==== = E-Mail brianp@netrunner.net ==== ============================================================================ From firewalls-owner Mon Feb 3 12:11:25 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA16660 for firewalls-outgoing; Mon, 3 Feb 1997 11:59:08 -0800 (PST) Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA16642 for ; Mon, 3 Feb 1997 11:58:51 -0800 (PST) Received: from mfil.terminal (mfil@localhost) by beach.sctc.com (8.7.5/8.7.3) with SMTP id NAA23552; Mon, 3 Feb 1997 13:20:43 -0600 (CST) Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.7.5/8.7.3) with ESMTP id NAA23544; Mon, 3 Feb 1997 13:20:36 -0600 (CST) Received: from cressida.sctc.com (cressida.sctc.com [172.17.192.62]) by sphinx.sctc.com (8.8.5/8.7.3) with ESMTP id NAA20517; Mon, 3 Feb 1997 13:23:04 -0600 (CST) Received: from localhost (willis@localhost) by cressida.sctc.com (8.8.5/8.8.4) with SMTP id NAA01821; Mon, 3 Feb 1997 13:23:01 -0600 (CST) Date: Mon, 3 Feb 1997 13:23:01 -0600 (CST) From: Matt Willis To: "K.M." cc: firewalls@GreatCircle.COM Subject: Re: Sidewinder vs. 
Cyberguard In-Reply-To: <9702031538.AA20974@uc0009.wangfed.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 3 Feb 1997, K.M. wrote: > However, I have heard that Sidewinder is very difficult to configure, unless > they have managed to greatly improve their interface in new release. Sidewinder now offers a *real* GUI and a command line interface, for those of us that like it old-school. Not that I count as unbiased, but it's a night-and-day comparison to the old version... We've also done away with the notion of internal and external to allow for multiple network interfaces... The mail-filter is pretty hip, as well... drag-and-drop and such. Matt Willis Computer Scientist Secure Computing Corporation From firewalls-owner Mon Feb 3 12:41:36 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA18364 for firewalls-outgoing; Mon, 3 Feb 1997 12:13:55 -0800 (PST) Received: from mailhost.netrunner.net (mailhost.netrunner.net [204.137.145.201]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA18299 for ; Mon, 3 Feb 1997 12:13:25 -0800 (PST) Received: from brian ([207.100.192.100]) by mailhost.netrunner.net (8.7.5/8.7.5) with SMTP id PAA26673 for ; Mon, 3 Feb 1997 15:21:40 -0500 (EST) Date: Mon, 3 Feb 1997 15:21:40 -0500 (EST) Message-Id: <1.5.4.16.19970203151305.19a7696a@mailhost.netrunner.net> X-Sender: brianp@mailhost.netrunner.net X-Mailer: Windows Eudora Light Version 1.5.4 (16) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM From: Brian Podolak Subject: Re: Sidewinder vs. Cyberguard Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 09:31 PM 2/1/97 -0400, you wrote: >Jim Canfield wrote: >>The most secure, usable, firewall we have found to date is the >>Cyberguard > >On what basis do you make this assertion? 
> "secure" can mean a lot of things and a rubber stamp from NSA or its
> equivalent doesn't mean a whole lot if buggy software can be trivially
> exploited. We could go on about "usable" but I'll let that one slide.
> In particular is the firewall configuration an EXACT match with the
> "certified/tested/evaluated" machine? NT has a C2 rating but it's not
> worth a damn. When was the last time you ran an NT box with no LAN, no
> floppy, and with a modified BIOS? Not exactly a useful product. Then
> again, assuming you duplicate this setup, place said machine nearish to a
> window. Electronic eavesdropping (for about $3000 and change) or outside
> observation does tend to degrade the usefulness of said rating does it
> not?

First mistake. NT is not C2 compliant. Anyone knowing anything about LAN security would know this. Do a little more research before replying to someone. Besides, do you even know the different levels of security, or are you just "anti-NT" (which is not a bad thing)?

>> As mentioned the products are B1 compliant (awaiting certification)....
> whatever, see above.
>
>> They are relatively easy to set up, nice GUI and it has built in the
> Ah, the GUI. Remote manageable too I think I recall. What to say when
> the X11 session gets hijacked? You sure the box isn't running a
> braindamaged X11 server? Can you attack the logging facility thru DOS?
> What happens when you bog the machine down with hundreds of connections?
> Does it run out of VM and spontaneously reboot? How about the logs
> filling up the disk? What happens when this occurs and an exploit is
> then launched? Do you still have an audit trail?

Have you even used the Cyberguard product? You would know this if you have. Pick up a phone and call!!

>> ability for most "standard" (excuse the word) proxies and allows creation
>> of probably anything you might need.
> So they know how to check off all of the feature boxes on the report
> card. Anybody can and everybody does that.
> IMO ratings, be they NSA/NCSA or whatever aren't worth much and
> definitely not a price premium. I take far more comfort in people
> banging away at the available stuff and fixing the problems.
> Additionally, you really believe the vendor (or reviewer for that matter)
> went thru every single line of code specifically looking for possible
> exploits? Get real. All the ratings do is study the protection scheme
> and bless it as logical and OK at least in theory. Then with various
> degrees of persistence they try to prove you can't get around said
> protection. Holes and stack smashes by way of poorly written C and
> resolver libraries and DOS via SYN etc. aren't addressed. If they were
> we wouldn't be plagued with some of the problems we have now.

SO..... Which firewall do you prefer? A filter in a router.

Sorry about the late response, I took off this weekend for once. I believe if you do prefer one FW to another, that is fine. But don't say one box is "better" than another or one is not "good". How do we rate these today? As with all LAN and WAN hardware decisions, personal tastes still are a factor. If I like Cyberguard and you like Gauntlet, who is to say I am wrong or you are. Each application has its own requirements. Don't ask questions that pertain to firewalls in general.
============================================================================
= Brian Podolak,                                                       ====
= E-Mail brianp@netrunner.net                                          ====
============================================================================

From firewalls-owner Mon Feb 3 14:27:58 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA21279 for firewalls-outgoing; Mon, 3 Feb 1997 12:35:49 -0800 (PST)
Received: from cypress.nwnet.net (cypress.nwnet.net [192.80.13.56]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA21213 for ; Mon, 3 Feb 1997 12:35:26 -0800 (PST)
Received: from localhost (larry@localhost) by cypress.nwnet.net (970108885) with SMTP id MAA23416 for ; Mon, 3 Feb 1997 12:34:05 -0800 (PST)
Date: Mon, 3 Feb 1997 12:34:05 -0800 (PST)
From: "Larry J. Hughes Jr."
Reply-To: "Larry J. Hughes Jr."
To: firewalls@greatcircle.com
Subject: FW's on NT server vs. workstation
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

(I'm resending this due to the apparent problems with distribution of issue #44 this past weekend.)

For those of you running firewalls on NT platforms: is NT server a must, or does NT workstation suffice? Any variables I should be aware of?

---
Larry J. Hughes Jr.
larry@nwnet.net
http://www.nwnet.net/~larry/

From firewalls-owner Mon Feb 3 14:53:18 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA26914 for firewalls-outgoing; Mon, 3 Feb 1997 13:14:32 -0800 (PST)
Received: from f15.hotmail.com (F15.hotmail.com [207.82.250.26]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA26868 for ; Mon, 3 Feb 1997 13:14:16 -0800 (PST)
Received: (from root@localhost) by f15.hotmail.com (8.7.5/8.7.3) id NAA05684; Mon, 3 Feb 1997 13:12:56 -0800 (PST)
Date: Mon, 3 Feb 1997 13:12:56 -0800 (PST)
Message-Id: <199702032112.NAA05684@f15.hotmail.com>
Received: from 193.1.182.55 by www.hotmail.com with HTTP; Mon, 03 Feb 1997 13:12:56 PST
From: "John Cashman"
To: Firewalls@GreatCircle.COM
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

please remove my name from the list

---------------------------------------------------------
Get Your *Web-Based* Free Email at http://www.hotmail.com
---------------------------------------------------------

From firewalls-owner Mon Feb 3 15:14:16 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA07939 for firewalls-outgoing; Mon, 3 Feb 1997 14:33:37 -0800 (PST)
Received: from thor.inlink.com (ultra.inlink.com [206.196.96.100]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA07858 for ; Mon, 3 Feb 1997 14:32:37 -0800 (PST)
Received: from mail.global-sol.com (global-sol.com [206.196.126.221]) by thor.inlink.com (8.8.5/V8) with ESMTP id QAA11469 for ; Mon, 3 Feb 1997 16:30:49 -0600 (CST)
Received: from thor.inlink.com ([206.196.126.220]) by mail.global-sol.com (8.7.5/8.7.3) with SMTP id SAA02126 for ; Mon, 3 Feb 1997 18:11:43 GMT
Message-Id: <199702031811.SAA02126@mail.global-sol.com>
Comments: Authenticated sender is
From: "Timothy P. Layton, Sr."
Organization: Global Solutions Corporation
To: firewalls@greatcircle.com
Date: Mon, 3 Feb 1997 16:28:38 +0000
Subject: MS Proxy server ??
Reply-to: tlayton@global-sol.com
X-mailer: Pegasus Mail for Win32 (v2.42)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anyone installed and played with the MS Proxy server yet?? I am researching a firewall solution that will need to include proxy and N.A.T. Thanks for any input.

From firewalls-owner Mon Feb 3 15:42:53 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA07462 for firewalls-outgoing; Mon, 3 Feb 1997 14:28:36 -0800 (PST)
Received: from mail.ptw.com (mail.ptw.com [207.104.240.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA07344 for ; Mon, 3 Feb 1997 14:28:04 -0800 (PST)
Received: from localhost.com (qh-1-16.ptw.com [207.212.177.48]) by mail.ptw.com (8.8.3/8.6.9) with SMTP id OAA00279 for ; Mon, 3 Feb 1997 14:22:43 -0800
Message-Id: <199702032222.OAA00279@mail.ptw.com>
Comments: Authenticated sender is
From: "Jesse"
To: firewalls@greatCircle.COM
Date: Sun, 2 Feb 1997 14:27:26 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Rainbow Book Series?
Reply-to: bextreme@POBox.com
X-mailer: Pegasus Mail for Win32 (v2.42a)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello, does anyone know where I can get the entire Rainbow Book Series?

Thanks!!
-J

===================================================
Finger bextreme@pobox.com for PGP Public Key Block.
E-mail to jesse.brown@pobox.com
phone: (805) 942-1391    pager: (805) 267-9511
---------------------------------------------------
Member of the HTML Writers Guild (http://hwg.org)
===================================================

From firewalls-owner Mon Feb 3 16:02:10 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA07769 for firewalls-outgoing; Mon, 3 Feb 1997 14:31:41 -0800 (PST)
Received: from thor.inlink.com (ultra.inlink.com [206.196.96.100]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA07645 for ; Mon, 3 Feb 1997 14:30:39 -0800 (PST)
Received: from mail.global-sol.com (global-sol.com [206.196.126.221]) by thor.inlink.com (8.8.5/V8) with ESMTP id QAA11098 for ; Mon, 3 Feb 1997 16:29:04 -0600 (CST)
Received: from thor.inlink.com ([206.196.126.220]) by mail.global-sol.com (8.7.5/8.7.3) with SMTP id SAA02110 for ; Mon, 3 Feb 1997 18:09:58 GMT
Message-Id: <199702031809.SAA02110@mail.global-sol.com>
Comments: Authenticated sender is
From: "Timothy P. Layton, Sr."
Organization: Global Solutions Corporation
To: firewalls@greatcircle.com
Date: Mon, 3 Feb 1997 16:26:54 +0000
Subject: NAT on Cisco PIX vs. ??
Reply-to: tlayton@global-sol.com
X-mailer: Pegasus Mail for Win32 (v2.42)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am familiar with NAT on the PIX and was wondering what operating systems anyone has had experience with in dealing with NAT. Does anyone feel that there is a trade off with the PIX being a hardware solution vs. a software based solution? Thanks for any input.
From firewalls-owner Mon Feb 3 16:06:48 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA12171 for firewalls-outgoing; Mon, 3 Feb 1997 15:06:43 -0800 (PST)
Received: from relay7.UU.NET (relay7.UU.NET [192.48.96.17]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA12116 for ; Mon, 3 Feb 1997 15:06:18 -0800 (PST)
Received: from txau.tx.mt.np.els-gms.att.net by relay7.UU.NET with SMTP (peer crosschecked as: txau.tx.mt.np.els-gms.att.net [199.191.144.201]) id QQcbiy12497; Mon, 3 Feb 1997 18:04:51 -0500 (EST)
Date: Mon, 03 Feb 1997 17:08:55 -0500
From: mcoss@attmail.com (Michael J Coss)
Received: from mcoss by attmail; Mon Feb 3 23:02:12 GMT 1997
Subject: Re: Sidewinder vs. Cyberguard
To: firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Matthew Patton wrote:
> On what basis do you make this assertion? "secure" can mean a lot of
> things and a rubber stamp from NSA or its equivalent doesn't mean a
> whole lot if buggy software can be trivially exploited. We could go on
> about "usable" but I'll let that one slide. In particular is the
> firewall configuration an EXACT match with the
> "certified/tested/evaluated" machine? NT has a C2 rating but it's not
> worth a damn. When was the last time you ran an NT box with no LAN, no
> floppy, and with a modified BIOS? Not exactly a useful product. Then
> again, assuming you duplicate this setup, place said machine nearish to a
> window. Electronic eavesdropping (for about $3000 and change) or outside
> observation does tend to degrade the usefulness of said rating does it
> not?

You're correct, "secure" is a nebulous term, but obviously you have not been involved with an evaluation of an operating system if you believe that it's a rubber stamp.
I worked on the NCSC evaluation of a UNIX operating system and it took too long (several years) and was not a rubber stamp. Your point about what the configuration is is quite true, but Cyberguard has gone the extra mile of getting a Network evaluation to provide a better security solution that does include a network component. And you can buy the NightHawk in a TEMPEST cabinet if you're concerned about that.

> Ah, the GUI. Remote manageable too I think I recall. What to say when
> the X11 session gets hijacked? You sure the box isn't running a
> braindamaged X11 server? Can you attack the logging facility thru DOS?
> What happens when you bog the machine down with hundreds of connections?
> Does it run out of VM and spontaneously reboot? How about the logs
> filling up the disk? What happens when this occurs and an exploit is
> then launched? Do you still have an audit trail?

First, I know of no system that is completely immune to a concerted denial of service attack. You can attempt to minimize the impact, but with a general purpose operating system it may be virtually impossible to eliminate. Second, unless you're willing to expend the money to create a tamperproof box, the granting of access to the machine is taboo.

> So they know how to check off all of the feature boxes on the report
> card. Anybody can and everybody does that.

Do you KNOW that the features are not provided? What feature do you believe they are lying about?

> IMO ratings, be they NSA/NCSA or whatever aren't worth much and
> definitely not a price premium. I take far more comfort in people
> banging away at the available stuff and fixing the problems.

And what pray tell do you believe that the evaluations/testings are trying to do? The purpose of these is to provide a degree of comfort that someone other than the vendor has looked in varying degrees of detail at the implementation of the software/hardware combination.
> Additionally, you really believe the vendor (or reviewer for that matter)
> went thru every single line of code specifically looking for possible
> exploits? Get real.

Have you been involved in the evaluation process? I have. No, we didn't go thru every single line of code, but we tried to get complete coverage and did an analysis of the data flow, looked at the access control mechanisms in great detail, and looked at privileged processes to verify their correct operation, and in those programs we did indeed look at every line and reviewed the libraries. That some people attempt to slide thru an evaluation, I have no doubt, but I'd like to believe that that is the exception rather than the rule.

> All the ratings do is study the protection scheme and bless it as logical
> and OK at least in theory. Then with various degrees of persistence they
> try to prove you can't get around said protection. Holes and stack smashes
> by way of poorly written C and resolver libraries and DOS via SYN etc.
> aren't addressed.

While the NCSC did not require denial of service attacks, nor penetration testing (for a B1 system), we as part of our own Q&A did do these things based on knowledge gathered from various sources and our own experience.

> If they were we wouldn't be plagued with some of the problems we have now.

No product is completely immune no matter how much money or resources are thrown at it. What you want is a system that provides a degree of security, and some assurance that the vendor has made a best effort at 1) implementation of a security mechanism, and 2) discovery/correction of known bugs.

Finally, there is the issue of whether you need a secure operating system. While I believe that a properly implemented firewall does not require a trusted base to run on, a secure OS will help if the firewall code is compromised. It may not be sufficient to protect the network, but it may minimize the damage.
I'm not recommending either choice, but I do believe that there are benefits derived from having the system evaluated by an outside source. Is it worth the money? The market has shown to date that they want security but don't want to pay for the extensive review/testing/etc. required to develop and maintain it. The expectation is that it should come for free... "Of course your software is safe... right?"

---Michael J Coss
Lucent Technologies - Bell Laboratories
mjcoss@lucent.com

From firewalls-owner Mon Feb 3 16:26:28 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA18897 for firewalls-outgoing; Mon, 3 Feb 1997 15:50:41 -0800 (PST)
Received: from si-nic.hrz.uni-siegen.de (si-nic.hrz.uni-siegen.de [141.99.128.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA18731 for ; Mon, 3 Feb 1997 15:49:46 -0800 (PST)
Received: from vespa.unix-ag.uni-siegen.de by si-nic.hrz.uni-siegen.de with SMTP (5.67b/UniSiegen 1.1) id AA11184; Tue, 4 Feb 1997 00:48:13 +0100
Received: from privatehost (sfx@isdn92.hrz.uni-siegen.de [141.99.174.92]) by vespa.unix-ag.uni-siegen.de (Mailhost) with ESMTP id AAA23776 for ; Tue, 4 Feb 1997 00:47:20 +0100 (MET)
To: "Firewalls"
In-Reply-To: <32F462D3.38E3@pacificnet.net>
From: "Lars Eilebrecht"
Date: Tue, 04 Feb 1997 00:45:04 +0200
X-Mailer: IntuiNews 1.4 (28.6.96)
Subject: Re: SATAN user group?
Message-Id: <43790619.sfx@shadowbase.unix-ag.org>
Organization: Unix workgroup at the University of Siegen
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

osiris wrote:
> Has anyone on this list tried "Merlin?" I am wondering whether anyone has
> attempted to make a similar interface to manage firewall administration and
> auditing. (Merlin is a tool from CIAC. It integrates Tripwire, COPS, TIGER,
> Crack and reportedly, SPI, which is unavailable to us regular folk. The
                        ^^^
SPI?

ciao...
Lars
--
sfx@cyberspace.org
http://www.cyberspace.org/~sfx/
- I don't know, I don't care,
- and it doesn't make any difference.

From firewalls-owner Mon Feb 3 16:29:01 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA17618 for firewalls-outgoing; Mon, 3 Feb 1997 15:42:28 -0800 (PST)
Received: from loki.atcon.com (loki.atcon.com [199.166.213.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA17579 for ; Mon, 3 Feb 1997 15:42:11 -0800 (PST)
Received: from stealth.icondata.com (stealth.icondata.com [198.167.251.19]) by loki.atcon.com (8.8.3/8.7.3) with SMTP id TAA27191 for ; Mon, 3 Feb 1997 19:40:41 -0400 (AST)
Received: by stealth.icondata.com with Microsoft Mail id <01BC120A.4F787AC0@stealth.icondata.com>; Mon, 3 Feb 1997 19:41:55 -0400
Message-ID: <01BC120A.4F787AC0@stealth.icondata.com>
From: Jeff Simms
To: "'firewalls@greatcircle.com'"
Subject: RE: NT network and system management
Date: Mon, 3 Feb 1997 19:41:53 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

One product you may look into is MS SMS (System Management Server) Server. I have only briefly looked at the product, but it does most, if not all and more, of the things you require.

Jeff Simms
Network Services Manager
auracom Internet Services

-----Original Message-----
From: FaNgYoU2 [SMTP:fangyou2@panix.com]
Sent: Monday, February 03, 1997 1:18 PM
To: firewalls@GreatCircle.COM
Subject: NT network and system management

Apologies because this is not strictly a firewall question. However, there are quite a few NT experts on the list who can help.
I need to monitor the following items across about 80 Windows NT servers:

    DOS Devices :
    Paging File : Percent usage Peak
    Physical Disk : Percent disk time
    Physical Disk : Average disk sec/read (reads per second)
    Physical Disk : Disk read bytes/sec (read bytes per second)
    Physical Disk : Queue length
    Processor : Percent processor time
    Memory : pages/second
    Server : bytes total/second

For each network user connected to server:

    NIC card address/MAC address
    Computer name (if any)
    IP address (if any)
    User name.

Is there a group of NET commands which will give me this? Is there a commercial product that can be customized to give me this? Finally, which mailing list does this question really belong on?

FaNgYoU2, Cyberspace^^Vampyre
^^ Touch it, touch it, touch me ... creatures of the Night ^^

From firewalls-owner Mon Feb 3 16:32:00 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA15568 for firewalls-outgoing; Mon, 3 Feb 1997 15:29:05 -0800 (PST)
Received: from terisa-bh.terisa.com (terisa-bh.terisa.COM [205.226.38.66]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA15548 for ; Mon, 3 Feb 1997 15:28:55 -0800 (PST)
Received: (from uucp@localhost) by terisa-bh.terisa.com (8.6.12/8.6.11) id PAA13228; Mon, 3 Feb 1997 15:28:59 -0800
Received: from itech.terisa.com by terisa-bh.terisa.com via smap (V1.3) id sma013225; Mon Feb 3 15:28:44 1997
Received: from kmac.terisa.COM (kmac.terisa.COM [205.226.39.35]) by itech.terisa.com (8.6.12/8.6.4) with SMTP id PAA13699; Mon, 3 Feb 1997 15:25:09 -0800
Message-Id: <199702032325.PAA13699@itech.terisa.com>
X-Authentication-Warning: itech.terisa.com: Host kmac.terisa.COM didn't use HELO protocol
To: Brian Podolak
cc: Firewalls@GreatCircle.COM
Subject: Re: Sidewinder vs. Cyberguard
In-reply-to: Your message of "Mon, 03 Feb 1997 14:05:27 EST."
    <1.5.4.16.19970203135653.1aef92d6@mailhost.netrunner.net>
Date: Mon, 03 Feb 1997 15:29:08 -0800
From: EKR
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> At 09:31 PM 2/1/97 -0400, you wrote:
> > Jim Canfield wrote:
> >> The most secure, usable, firewall we have found to date is the
> >> Cyberguard
> >
> > On what basis do you make this assertion? "secure" can mean a lot of
> > things and a rubber stamp from NSA or its equivalent doesn't mean a
> > whole lot if buggy software can be trivially exploited. We could go on
> > about "usable" but I'll let that one slide. In particular is the
> > firewall configuration an EXACT match with the
> > "certified/tested/evaluated" machine? NT has a C2 rating but it's not
> > worth a damn. When was the last time you ran an NT box with no LAN, no
> > floppy, and with a modified BIOS? Not exactly a useful product. Then
> > again, assuming you duplicate this setup, place said machine nearish to a
> > window. Electronic eavesdropping (for about $3000 and change) or outside
> > observation does tend to degrade the usefulness of said rating does it
> > not?
>
> First mistake. NT is not C2 compliant. Anyone knowing anything about LAN
> security would know this. Do a little more research before replying to
> someone. Besides, do you even know the different levels of security, or are
> you just "anti-NT" (which is not a bad thing)?

Actually, you're quite wrong. NT has been evaluated at C2 in a standalone configuration, which appears to be precisely what the gentleman was referring to.
Please see:
http://www.radium.ncsc.mil/tpep/epl/entries/CSC-EPL-95-003.html

-Ekr

From firewalls-owner Mon Feb 3 16:36:23 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA17994 for firewalls-outgoing; Mon, 3 Feb 1997 15:44:10 -0800 (PST)
Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA17713 for ; Mon, 3 Feb 1997 15:42:57 -0800 (PST)
Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id RAA26513 for ; Mon, 3 Feb 1997 17:40:18 -0600
Received: from dns1srv.bridge.com(167.76.36.6) by gatekeeper.Bridge.COM via smap (V1.3) id sma026498; Mon Feb 3 17:40:09 1997
Received: from binki.bridge.com (binki.bridge.com [167.76.24.243]) by dns1srv.bridge.com (8.7.6/8.7.3) with ESMTP id RAA17246 for ; Mon, 3 Feb 1997 17:41:36 -0600 (CST)
Received: (from ken@localhost) by binki.bridge.com (8.7/8.7) id RAA07664 for firewalls@greatcircle.com; Mon, 3 Feb 1997 17:41:38 -0600 (CST)
Date: Mon, 3 Feb 1997 17:41:38 -0600 (CST)
From: Ken Hardy
Message-Id: <199702032341.RAA07664@binki.bridge.com>
To: firewalls@greatcircle.com
Subject: Solved: Odd probes at port 7777
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I wrote:
> Every couple of days we get an attempted connection to port 7777 from
> scripps.edu, so I put a byte sucker on that port to log any received
> data. It seems to be a 4 digit and a 2 digit number separated by a
> comma, followed by a carriage return.

Further investigation made it apparent that the connection to my port 7777 was occurring whenever a connection was made to the remote system's SMTP port. The data I captured, two comma-separated decimal numbers followed by a carriage return, is identical to an IDENT query. The second number was always 25. The lightbulb lights! I relayed this information to the site's admin.
He reports that they had recently installed a new version of sendmail which does IDENT queries, but why to port 7777? The admin's latest message to me:

> You were on the right track with your comment about services..
> We are a heavy user of NIS and ident is not a standard Solaris
> /etc/services daemon. I found that the NIS file contained
> an ident entry with an alias of auth.. There was an auth entry
> in the NIS file at port 7777.. I converted it to only use
> a local copy of the services file.. Hopefully, this will cause
> the probing you were seeing to go away.. If it doesn't please
> let me know.. THANKS for the heads-up on the problem!

I don't see this on any of my Solaris systems (not using NIS). I'd guess that someone had put an "auth" entry in at 7777 to refer to TIS'
authsrv, which uses that port.
^^^^

-- KH

From firewalls-owner Mon Feb 3 18:10:57 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA12537 for firewalls-outgoing; Mon, 3 Feb 1997 18:07:48 -0800 (PST)
Received: from polaris.pacificnet.net (polaris.pacificnet.net [207.171.0.250]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA12518 for ; Mon, 3 Feb 1997 18:07:37 -0800 (PST)
From: osiris@pacificnet.net
Received: from lwash (pm3e-31.pacificnet.net [207.171.18.224]) by polaris.pacificnet.net (8.6.11/8.6.11) with SMTP id SAA27015; Mon, 3 Feb 1997 18:05:29 -0800
Message-ID: <32F69A74.A8B@pacificnet.net>
Date: Mon, 03 Feb 1997 18:09:56 -0800
Organization: -
X-Mailer: Mozilla 3.01Gold (Win95; I)
MIME-Version: 1.0
To: Lars Eilebrecht
CC: Firewalls
Subject: Re: SATAN user group?
References: <43790619.sfx@shadowbase.unix-ag.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Lars Eilebrecht wrote:
>
> osiris wrote:
>
> > Has anyone on this list tried "Merlin?"
> > I am wondering whether anyone has
> > attempted to make a similar interface to manage firewall administration and
> > auditing. (Merlin is a tool from CIAC. It integrates Tripwire, COPS, TIGER,
> > Crack and reportedly, SPI, which is unavailable to us regular folk. The
>                         ^^^
> SPI?
>
> ciao...
> Lars

Yeah... strange little ditty. SPI = Security Profile Inspector. It's a very powerful tool for examination of UNIX networks. Problem is, it's only available to the US Department of Energy and Department of Defense. (Or, qualified contractors.) You can check out at least their preview at http://ciac.llnl.gov/cstc/spi/spinet.html. About the closest I've been able to get to understanding this tool is to acquire the manuals (which apparently aren't restricted) and are here: ftp://ciac.llnl.gov/pub/spi/spi.rm.ps.Z.

From firewalls-owner Mon Feb 3 18:56:32 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA16874 for firewalls-outgoing; Mon, 3 Feb 1997 18:44:13 -0800 (PST)
Received: from csc.com (explorer.csc.com [20.1.10.27]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA16829 for ; Mon, 3 Feb 1997 18:44:00 -0800 (PST)
Received: from sdfpc2.gsfc.nasa.gov by csc.com with smtp (Smail3.1.29.1 #1) id m0vrapU-001AdNC; Mon, 3 Feb 97 21:41 EST
Message-ID: <32F6CCFC.6E6A@csc.com>
Date: Mon, 03 Feb 1997 21:45:32 -0800
From: Adam Safier
Reply-To: asafier@csc.com
Organization: Computer Sciences Corp.
X-Mailer: Mozilla 3.0 (Win16; U)
MIME-Version: 1.0
To: firewalls@greatcircle.com
CC: watchman@molhub.mol.net.my, MMedwid@symantec.com
Subject: Multicast through Firewall-1
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Can anyone provide pointers to an MOSPF implementation for Solaris 2.5 (without full OSPF if possible - I plan static routes) or, better yet, a multicast proxy or Firewall-1 rule that will pass multicast correctly?
An alternative would be a proxy/rule for joining an external group and then doing NAT to unicast to selected host(s) internally. Anyone got one they can share?

Background: By running _Mrouted_ on the firewall I can multicast between LANs on either side of Firewall-1 on a SUN with Solaris 2.5 (I know... UDP, multicast <> security, but we have to have it.) Alas, the backbone (external) router will be running MOSPF. MOSPF and DVMRP supposedly do not talk to each other on Bay Networks routers (over which I have no control.) From what I can tell from some searches, as of June '96 gated did not support MOSPF. It will someday, but it doesn't look like it will be in time to help me.

Knowledge sharing and misinformation: Multicast uses the Class D IP addresses to transmit a single packet that can be seen by a group of hosts. An IGMP (protocol 2, not ICMP) "join" (or "drop") message is sent to multicast capable routers by hosts that wish to join a multicast group. The router uses either MOSPF or DVMRP to tell other routers it has group members for that group. When a multicast UDP packet is sent by one host the routers unicast it between routers that have group members for that packet. When a router has an attached LAN with members in the group it sends that packet out with a multicast IP address (Ex: 224.1.2.3) on the LAN's multicast MAC address. (Ethernet actually ends up mapping 4 multicast IP addresses to each ethernet multicast address.)

The need to write to a multicast MAC address is why I think regular NAT will not work well with multicast. We could try to work out something by overloading IP addresses on each interface and forcing a multicast MAC address on each multicast IP address in the ARP table, but with a bunch of multicast addresses this is a painfully tedious process, if it even works! Mrouted takes care of all of that, but then the firewall is acting as a router running DVMRP, which is incompatible with MOSPF (multicast extensions to OSPF!)
I tried running an AltaVista search on +MOSPF +sun +multicast and got limited results and no pointers to MOSPF code.

--
Adam Safier    asafier@csc.com    http://www.csc.com
CSC-SED-Infosec    (301) 794-1349    (301) 552-3272 (fax)

Curious Cat Question: How does DIX Ethernet know the packet length? 802.3 Ethernet has a length field but DIX has a type and no length field.

Technology Abuse:
1) Netscape Frames on a 14" screen.
2) Netscape 3.0 on a 386-33 w/ 8 Meg RAM.

The above are my own opinions. I'm proud to live in a country where I'm free to express them!

From firewalls-owner Mon Feb 3 19:25:53 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA21106 for firewalls-outgoing; Mon, 3 Feb 1997 19:19:57 -0800 (PST)
Received: from mesbne01.medeserv.com.au (mesbne01.medeserv.com.au [203.9.184.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA21076 for ; Mon, 3 Feb 1997 19:19:47 -0800 (PST)
Received: (from mail@localhost) by mesbne01.medeserv.com.au (8.7.4/8.7.3) id NAA07310 for ; Tue, 4 Feb 1997 13:18:23 +1000 (EST)
Received: from tooh199.medeserv.com.au(203.9.187.199) by mesbne01 via smap (V1.3) id /mail/incoming/sma007295; Tue Feb 4 13:18:21 1997
Message-ID: <32F6ACD0.2F25@medeserv.com.au>
Date: Tue, 04 Feb 1997 13:28:16 +1000
From: Steven Herod
Reply-To: sherod@medeserv.com.au
Organization: Med-E-Serv Connect
X-Mailer: Mozilla 3.0C-MESC (WinNT; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: Encryption Software mailing list
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is anybody familiar with an Encryption Software mailing list or something along those lines?
Best Regards
Steven Herod

From firewalls-owner Mon Feb 3 19:45:03 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA21607 for firewalls-outgoing; Mon, 3 Feb 1997 19:25:52 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA21584 for ; Mon, 3 Feb 1997 19:25:42 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id WAA12795; Mon, 3 Feb 1997 22:22:00 -0500 (EST)
From: Adam Shostack
Message-Id: <199702040322.WAA12795@homeport.org>
Subject: Re: to source or not to source? (was: [NTSEC] ActiveX, MSIE and Quicken)
In-Reply-To: <199702031025.LAA07956@relay.cryptonet.it> from David Vincenzetti at "Feb 3, 97 11:17:58 am"
To: vince@cryptonet.it (David Vincenzetti)
Date: Mon, 3 Feb 1997 22:21:59 -0500 (EST)
Cc: Firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Malicious hackers have a lot more time on their hands than good guys. They do not, however, tend to publish bugs. So, what you see in public is that the many good guys who look at systems with source available announce problems, while the bad guys, who look at both source and binaries, do not announce problems. This is what statisticians refer to as the self-selection problem. Drawing inferences from bad data will probably lead you to bad inferences.

Adam

David Vincenzetti wrote:
| Sendmail full sources are available, they can be studied
| and examined by everyone, and they can be studied by malicious
| hackers too. ActiveX sources are not available, and it is
| harder, for a malicious hacker, to spot new bugs.
| Sendmail is a crystal box while ActiveX is a black box
| (remember the old Security Thru Obscurity model?:-).
--
Pet peeve of the day: Security companies whose protocols dare not speak their name, because they don't have one. Guilty company of the day is now V-One.

From firewalls-owner Mon Feb 3 20:32:53 1997
Date: Mon, 03 Feb 1997 20:16:44 -0800
To: Firewalls@GreatCircle.COM
From: Jeremy Johnson
Subject: NT Firewall

Just curious as to what all of you thought would be the best firewall to implement on an NT4.x server? We are a rapidly growing company and we need to establish our network security firmly before we take on many more clients. Any thoughts?

thanx

Jeremy Johnson
System Administrator
Internet Autobahn, Inc.
From firewalls-owner Mon Feb 3 20:41:06 1997
Date: Mon, 03 Feb 1997 22:15:22 -0600
To: CCCRE.CCULL@capital.ge.com, "firewalls(a)greatcircle.com"
From: Chris Lonvick
Subject: Re: Highly available Internet connection

Hi again,

I just need to correct something I wrote about HSRP. The Great Powers That Be have told me that the interfaces configured with HSRP disable ICMP redirects. This is so the workstations never get confused. If a Primary were to send out a redirect, the workstation that received it would send packets to it. If that router were to fail, then there would be no backup for it. Therefore, the developers reasoned, it is good to not send ICMP redirects to workstations. The workstations should always be able to reach a router on the LAN which is participating in HSRP.

Sorry for the misinformation,
Chris

At 11:10 PM 1/31/97 -0600, Chris Lonvick wrote:
>Hi folks,
>
>The details of HSRP (Hot Standby Router Protocol) can be found at:
> http://www.cisco.com/warp/public/417/27.html
>
>I wouldn't say that there is any "load sharing" between the two (or more)
>routers participating in HSRP. In essence, a Virtual MAC (VMAC) address is
>passed back in response to an ARP from the Primary HSRP router. The Primary
>HSRP router will accept packets destined to that VMAC. If it dies, then the
>Secondary will accept packets destined to the VMAC after the funeral (...
>uhh, I mean to say, after the Secondary doesn't see any HSRP-Hello's within
>a timeout period - usually 10 seconds, but it's configurable.)
>
>While these devices maintain a VMAC between them, each does have their own
>unique MAC and IP addresses and each maintains its own routing tables.
>So, if the primary fails, it should either have a real route to all known
>destinations, or should have a default route. If both are on the same
>internal LAN segment as well as external LAN segment (DMZ) then they will
>both have the same routing table.
>
>As far as load sharing or balancing goes, if the routers have different
>routing paths (one router has a connection to ISP-A and another has a
>connection to ISP-B rather than being on the same DMZ LAN), they will
>maintain different routing tables. So, if you configure a workstation with
>a default gateway (the Primary HSRP router), and it sends packets towards
>it, then the Primary HSRP router may respond with an ICMP-redirect which
>points to one of the backup HSRP routers. In this way, some sessions may go
>across the HSRP backup router.
>
>Getting back to the original question, I'd opt for diversity throughout your
>enterprise if it's _that_ important to you. Most of the systems I've seen
>have dealt with:
>o what if my firewall dies?
>o what if my link to my ISP dies?
>o what if my ISP dies?
>Which have the same single point of failure: your central site.
>
>Living in Houston, as elsewhere along the Gulf Coast, we worry about: what
>if all communications to the city become unavailable? (Not to press our
>luck, but I think that we're statistically overdue for a really big
>hurricane.) So, to line this out with an example, if your Transaction
>Processing machines (redundant, of course) are in Wichita and Des Moines,
>then you should have ISP links in each of those cities which both of your TP
>machines could access if
>o the primary link were to fail
>o the other TP machine were to fail
>o that really big hurricane was to get to one city or the other.
>
>+++ Some commercialism follows +++ stop reading here if this offends you.
>(hey, I gotta' make a living!)
>
>The Cisco PIX does have a failover feature.
> http://www.cisco.com/warp/public/146/Intrafirewall.html
>which does address the issue of "what if my firewall dies?"
>
>It is usually deployed on the same internal LAN and same DMZ-LAN. However,
>just thinking about it, it should be possible to deploy them both on an
>internal LAN, but on different external LANs with routers going to different
>ISPs. Since the PIX is session stateful (the routers are, by default, not
>stateful), sessions would be broken if the primary fails but general
>connectivity would be maintained.
>
>Hope this helps,
>
>Chris Lonvick
>Cisco Systems
>Consulting Engineering
>Houston, TX, USA
>+1-713-778-5663
>
>
>At 10:38 AM 1/31/97 -0500, CCCRE.CCULL@capital.ge.com wrote:
>>
>> >>Are they one on the same box or is it two different routers that
>> >>automatically drop to a redundancy? Thanks.
>> >>
>> >>-- Joel
>>
>> I didn't get your e-mail address, Joel, so I'm having to respond
>> here...
>>
>> They are 2 physically separate boxes (referring to Cisco's hot standby
>> protocol). I'm not sure if they do anything like load balancing, or
>> if the split between the 2 is more static. However, I do know that
>> when one fails, the other one picks up its load. I'm working from 4
>> month old memory here, so this stuff is a little foggy.... but it
>> seems like the 2 routers are seen (ip-wise) as 1 virtual router. I
>> guess each router knows the other's routing table, but just ignores
>> that portion as long as the other router is functional. If they DIDN'T
>> know each other's table, and 1 of the routers failed, there'd be a
>> lag while it updated, and I remember no perceptible lag when we
>> tested these....
>>
>> chris cull
>> cccre.ccull@capital.ge.com
>>
>

From firewalls-owner Mon Feb 3 21:10:37 1997
From: "Ferrell-1, Ema"
To: "'Lars Eilebrecht'", "'osiris@pacificnet.net'"
Cc: "'Firewalls'"
Subject: RE: SATAN user group?
Date: Mon, 3 Feb 1997 23:44:49 -0500

Where can I get Merlin? Does it stand for something? I would like to check it out. Thanks!

>----------
>From: osiris@pacificnet.net[SMTP:osiris@pacificnet.net]
>Sent: Monday, February 03, 1997 9:09 PM
>To: Lars Eilebrecht
>Cc: Firewalls
>Subject: Re: SATAN user group?
>
>Lars Eilebrecht wrote:
>>
>> osiris wrote:
>>
>> > Has anyone on this list tried "Merlin?" I am wondering whether anyone has
>> > attempted to make a similar interface to manage firewall administration and
>> > auditing. (Merlin is a tool from CIAC. It integrates Tripwire, COPS,
>>TIGER,
>> > Crack and reportedly, SPI, which is unavailable to us regular folk. The
>>                                  ^^^
>> SPI?
>>
>> ciao...
>> Lars
>
>Yeah...strange little ditty. SPI = Security Profile Inspector. It's a
>very powerful tool for examination of UNIX networks. Problem is, it's
>only available to the US Department of Energy and Department of Defense.
>(Or, qualified contractors.) You can check out at least their preview at
>http://ciac.llnl.gov/cstc/spi/spinet.html. About the closest I've been
>able to get to understanding this tool is to acquire the manuals (which
>apparently aren't restricted) and are here:
>ftp://ciac.llnl.gov/pub/spi/spi.rm.ps.Z.
>

From firewalls-owner Mon Feb 3 21:40:57 1997
Date: Mon, 3 Feb 1997 21:16:43 -0800 (PST)
From: Osiris
To: "Ferrell-1, Ema"
cc: "'Lars Eilebrecht'", "'Firewalls'"
Subject: RE: SATAN user group?

On Mon, 3 Feb 1997, Ferrell-1, Ema wrote:

> Where can I get Merlin? Does it stand for something? I would like to
> check it out. Thanks!

Get Merlin here: http://ciac.llnl.gov in the "Tools" section.
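Returning to Chris Lonvick's HSRP explanation above, here is an added example (not code from the posts or from Cisco) that models the mechanism as he describes it: the active router answers ARP for the virtual IP with the VMAC and sends Hellos, the standby takes over once no Hello has arrived within the hold time, and an audit check flags any HSRP interface still sending ICMP redirects, the point of his correction. The 3-second Hello interval, the priorities and the TEST-NET addresses are assumptions; only the 10-second hold time comes from the thread.

```python
"""Toy model of the HSRP failover behaviour described in the thread.

Added example, not code from the posts or from Cisco. Two routers share
one virtual IP and one virtual MAC (VMAC). The active router answers ARP
for the virtual IP with the VMAC and sends a Hello every HELLO_INTERVAL
seconds; a standby promotes itself once it has seen no Hello for
HOLD_TIME seconds ("usually 10 seconds, but it's configurable").
audit_redirects() is the check the correction implies: an HSRP interface
must not send ICMP redirects, or a host learns a real-router address
that has no backup. HELLO_INTERVAL, priorities and addresses are assumed.
"""
from dataclasses import dataclass

HELLO_INTERVAL = 3   # seconds between Hellos from the active router (assumed)
HOLD_TIME = 10       # seconds without a Hello before the standby takes over


@dataclass
class Router:
    name: str
    real_ip: str             # each router keeps its own address and routing table
    priority: int            # highest priority wins the active role
    state: str = "standby"   # "active", "standby" or "failed"
    last_hello_seen: int = 0
    send_icmp_redirects: bool = False  # must stay False on an HSRP interface


@dataclass
class HsrpGroup:
    virtual_ip: str
    vmac: str                # the MAC hosts actually send to
    routers: list

    def active(self):
        return next((r for r in self.routers if r.state == "active"), None)

    def elect(self, now):
        """Initial election: the highest-priority live router becomes active."""
        live = [r for r in self.routers if r.state != "failed"]
        winner = max(live, key=lambda r: r.priority)
        for r in live:
            r.state = "active" if r is winner else "standby"
            r.last_hello_seen = now

    def arp_reply(self):
        """A host ARPing for the virtual IP gets the VMAC, whichever router is active."""
        return self.vmac if self.active() else None


def simulate(group, fail_at, until):
    """Run the group one second at a time; the active router dies at fail_at.

    Returns the event log as (time, event) tuples.
    """
    group.elect(now=0)
    events = [(0, f"{group.active().name} active")]
    for now in range(until + 1):
        act = group.active()
        if act is not None and now == fail_at:
            act.state = "failed"          # a dead router sends no more Hellos
            events.append((now, f"{act.name} failed"))
            act = None
        if act is not None and now % HELLO_INTERVAL == 0:
            for r in group.routers:       # a Hello refreshes every standby's hold timer
                if r.state == "standby":
                    r.last_hello_seen = now
        if act is None:
            expired = [r for r in group.routers
                       if r.state == "standby" and now - r.last_hello_seen >= HOLD_TIME]
            if expired:                   # hold time ran out: best standby takes over
                winner = max(expired, key=lambda r: r.priority)
                winner.state = "active"
                events.append((now, f"{winner.name} active"))
    return events


def audit_redirects(group):
    """Names of HSRP routers still configured to send ICMP redirects."""
    return [r.name for r in group.routers if r.send_icmp_redirects]


def demo():
    """Primary fails at t=20; the backup takes over when its hold timer expires."""
    group = HsrpGroup(
        virtual_ip="192.0.2.1",         # constructed (TEST-NET-1)
        vmac="0000.0c07.ac01",          # HSRPv1 VMAC format, group 1
        routers=[Router("primary", "192.0.2.2", priority=110),
                 Router("backup", "192.0.2.3", priority=100)],
    )
    group.elect(now=0)
    arp_before = group.arp_reply()
    events = simulate(group, fail_at=20, until=40)
    return {"events": events, "arp_before": arp_before,
            "arp_after": group.arp_reply(), "offenders": audit_redirects(group)}


if __name__ == "__main__":
    for t, event in demo()["events"]:
        print(f"t={t:>2}s  {event}")
```

Hosts keep sending to the same VMAC before and after the failover, which is why no ARP cache on the LAN has to change.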
From firewalls-owner Mon Feb 3 22:25:49 1997
From: "Stan Wolf"
Cc: "Firewall Newsgroup"
Subject: MS Proxy Server
Date: Mon, 3 Feb 1997 22:16:04 -0800

I think you will find what you are looking for at the following site:

http://www.techweb.com/search/search.html

In the first search field, enter "proxy server", and follow the first link you see presented to go to the article. It's not all that negative, but points out that more security may be required.

I plan to use PSINet's managed and monitored "RouteWaller" packet filtering firewall router in front of MS Proxy Server running by itself on NT Server 4.0. Any thoughts on this arrangement, Jim?

Microsoft has some interesting testimonials on their Proxy Server area. One of the sources is a newspaper group right here in my town. I spoke to him, and he is very pleased; using PS ONLY!
_____
S|an \/\/olf
swolf@pacbell.net

From firewalls-owner Mon Feb 3 22:55:54 1997
Date: Mon, 03 Feb 1997 22:41:07 -0800
To: Jeremy Johnson
From: Jerry Mendes
Subject: Re: NT Firewall
Cc: Firewalls@GreatCircle.COM

I just read an interesting review of about 8 NT Firewall products on the Network World website:

http://www.nwfusion.com/

You'll have to identify yourself and create an account....pretty much painless. After logging in, you'll land on a page that asks you for a 4 digit number identifying the article you want to see. The one on the NT Firewall products is: 0402

Maybe this is what you want.

Jerry Mendes, Principal Consultant
DataComm Insights
150 Seminary Drive
Mill Valley, California 94941
Voice: (415) 381-5500
FAX: (415) 381-5502
Email: mendes@garnet.berkeley.edu

At 08:16 PM 2/3/97 -0800, Jeremy Johnson wrote:
>Just curious as to what all of you thought would be the best firewall to
>implement on an NT4.x server? We are a rapidly growing company and we need
>to establish our network security firmly before we take on many more clients.
>Any thoughts?
From firewalls-owner Tue Feb 4 00:10:41 1997
Date: Tue, 4 Feb 1997 02:51:55 -0500
To: Matthew Patton
From: pelicans@mindspring.com (BeachCruiser)
Subject: Poor NSA...Hell's freezin' over again.
Cc: firewalls@GreatCircle.COM

At 6:12 PM 2/1/97, Matthew Patton wrote:
>>release of more test results as the X31 crew expands their commercial
>>firewall product evaluations. Gauntlet and Sidewinder just happened to be
>>the first two on the bench. Others are already in the queue.
>
>But has anybody read them? I just finished the TIS one and I'm VERY
>nonplussed. What's the value added of the X31's efforts? There's no new
>insight, and it was hardly what I'd consider rigorous. Indeed their
>testing basically boiled down to confirming that the firewall obeyed
>protocol conventions. So what? The trade rags do similar testing.

Well then why don't you give Jim Harper a call. He runs CSC's INFOSEC lab facility in Hanover, MD. Tell him you weren't happy with the limp wristed job that was done under the X31 network security products eval tasking, and you want the full up bed-of-nails protocol on your firewalls of choice...gate crashing and penetration vulnerability, covert channel analysis...the whole nine yards.
Be aware that they do most of the INFOSEC T&E's for NSA, and that lab runs hot constantly, so you'll probably have to wait a couple of months for a slot. BTW you might want to have your boss talk to some investment bankers about a second round public offering because what that job is gonna cost you exceeds most companies' net worth. Otherwise the TPEP catalog would be 80 pages long instead of eight.

>There are an incredible number of TIS sites out there and if the features
>didn't work as advertised we'd have known a LONG time ago.

Well, sure, let's just forget about this testing business altogether and let a de facto standard emerge based on the vendor with the largest installed base. Ok, TIS wins, we'll proclaim Fred Avolio the Bill Gates of Firewalls, those who survive can call him for a license, and the rest of you can find another line of work. :)

>I'll read the sidewinder one next and I'm prepared to be yet again
>disappointed
>at the coverage.

It might also be helpful if some folks on this forum understood that the National Security Agency exists to serve the national intelligence and information systems security communities, at the pleasure of the Secretary of Defense, Director of Central Intelligence and the National Security Advisor. It is NOT in the business of validating or benchmarking the systems and products of commercial companies, or trying to please their systems administrators or corporate shareholders.

"The Fort" hasn't taken this kind of beating since the '70s and '80s when we had a flock of commercial companies trying to build TEMPEST* approved equipment. It's very interesting to watch this come around again. There was the same noise over testing, certifications and endorsements then as there is now. Only, firewalls are the bullwhips of the '90s coming across NSA's hide. The clamoring from the user community is that they all want the "most secure" firewall.
Of course they don't know, can't figure out, or agree on what "secure" even means now any more than they did back then. And the vendors don't know what benchmarks to build to. So, just like they did back in the TEMPEST days, some simply solve that problem by claiming that their product's trust level holds some relevance to Orange Book, or some other rating levels established by the security gods. Whether they actually did or not was just as much an open question then as it is now.

And of course then, as is the case today, the "suits" downtown started feeling the political heat because the media was making hay about Russians pointing pigtail antennas at or bouncing lasers off of windows and capturing the returns to intercept keystroke emissions or room conversations. Now the rage is about the hackers pillaging the national information infrastructure...and it all finally gets to the point where 20755 says, "ok, bring 'em on in here, wire 'em up, let's see what these things do and we'll publish the results." Well now something else is wrong...it seems that somebody's whinin' because the test is not rigorous enough, or the reports are no good, or the soup's cold...

I'm not here to defend the NSA, but you could well imagine that some of those folks over there might be muttering, "screw this...I'm moving to the beach to be a plumber".

Along comes the NCSA to try and bring some rationale to the process, in concert with nearly every developer in the business, by establishing a lab and hacking up some benchmarks. But now some are saying that's not credible either because they're takin' money for it. Apparently somewhere along the line those folks were never told that the development and marketing of commercial security systems and products was a business.
While still others don't seem to have any problem at all when an industry rag, owned by a publishing house for God's sake, that doesn't know a covert channel from the English Channel, puts out a review and within an hour the Madison Avenue machine is in overdrive to tell you who won.

Well, this aforementioned stupidity has brought me to realize that perhaps indeed Marcus was right...as long as you've got source code who needs X31, NCSA or Firewalls Home Journal to tell you about your GUI frosted filter stack or app gateway of choice. If you've got the source, everything is crystal clear...right?

To you folks up in X31...hang in there...only six more weeks of winter. Ocean City and Dewey await you.

uh...more tea anyone?

___________________________
Bob McKisson
Cypress Systems Corporation
P. O. Box 809
Virginia Beach, VA 23451
(757) 425-4195 Voice
(757) 425-4196 FAX
(757) 442-0888 STU-III
pelicans@mindspring.com

I don't give them hell...I just give them the truth, and they think it's hell. - Harry Truman

ps: Wonder if there is anyone else out there who knows or remembers what TEMPEST actually stands for? And yes it IS an acronym, and it DOES mean something.
From firewalls-owner Tue Feb 4 00:41:57 1997
Date: Tue, 4 Feb 1997 09:32:16 +0100
From: etxrosd@nmac.ericsson.se (Robert Stahlbrand)
To: firewalls@greatcircle.com
Subject: throughput on Ciscos versus NT, Solaris

Hi!

Is there anyone who knows about the difference in throughput on Cisco routers versus using an NT server (let's say HP, 166 MHz) running NT 4.0 or a Sun Ultra1 running Solaris 2.5(.X) as the router? We are planning on using 100 Mbit/s ethernet cards and it seems like a solution with a Cisco in the 7000 series with three 100 Mbit/s interfaces overrides our budget for this year. Is there a great loss of performance?

Is it at all possible to install an inspection module on an NT 4.0 gateway using Checkpoint's Firewall-1 ver. 2.1 if we use NT 4.0 on the FW Manager host?

Is it more insecure to use NT or Solaris on the router?
This is what our configuration will look like:

                      | 100 Mbit/s in every direction
                      | Internet
    Inspection    ____|____
    Module       |         |            DMZ
    Installed    | Router  |____________
                 |_________|            |
                      |            _____|_____
                      |           |           |
                      |           |    WWW    |
                      |           |___________|
                 _____|_____________________  Intranet
                      |
                  ____|____
                 |         |
                 |   FW    |  FW Manager host
                 |_________|

###########################################################
# Robert Stahlbrand                                       #
# Network and System Administrator OPLab and NMAC domains #
#                                                         #
# Ericsson Telecom AB                                     #
# Box 333                                                 #
# 43184 Molndal                                           #
# Sweden                                                  #
# +46 31 7476162                                          #
# +46 31 7472942 (fax)                                    #
#                                                         #
# robert@nmac.ericsson.se                                 #
###########################################################

From firewalls-owner Tue Feb 4 03:40:48 1997
Subject: Duplicated network addresses and VPN (AVT as requested)
To: Firewalls@GreatCircle.COM
From: Arjo Mukherjee 4663
Date: Tue, 4 Feb 97 12:23:27 +0100

Lilia Miltcheva asked:

"I'm keen on using the AltaVista Tunnel and have already a lot of requests for providing the service. I have a question: We are currently using Alta Vista FW for Unix and behind it we have class C addresses that we once got from EUnet. Then we changed the ISP and renumbered our "red" (external) network, but on the internal ("blue") WAN we kept the old IPs as they are anyhow not accessible from the Internet. What is going to happen if a remote client, using AVT, connects to our AVT server, gets the numbers of the private networks (for example 193.72.45.0) and starts tunneling, but at the same time there is a server somewhere on the Internet that has address let's say 193.72.45.20 (same class C). How could this clash possibly be managed?"

-------------

Before I continue I would like to state that I am not an expert on the Alta Vista Tunnel. I have only installed it a couple of times and write the following based on that. Maybe it will help.

I don't believe that there is anything to worry about as far as a clash is concerned. This is because while you set up the VPN (Virtual Private Network) you need to define the IPs of the applicable FWs. In essence, the target address is encapsulated and passed through the firewalls. The destination firewall will pass the data to the Tunnel Server where it will be handled as needed. Therefore, as long as there is no clash with Firewall addresses, there should not be a problem.

Another point: it is also possible to load the AVT on the FW machine, but I think most prefer to load it onto a separate machine behind the destination firewall.
Ciao,
Arjo

From firewalls-owner Tue Feb 4 03:55:55 1997
Date: Tue, 4 Feb 1997 05:37:13 -0600 (CST)
From: Bob Benton
Subject: RE: NT port numbers needed
To: Firewalls, Arjo Mukherjee

MS's 4.0 Resource kit has a good starting list.

lpd uses udp, 721-731 on 3.51.
lpd uses tcp on anything from 512-1023 on 4.0.

Not sure about file sharing. Get the kit.

Bob

> Hi,
>
> Anyone know what are the relevant IP port numbers for NT?
>
> I read somewhere that NT uses ports 512/tcp and 721-731/tcp for
> print services.
>
> What are the IP ports for File Sharing and other applicable NT
> services?
>
> Thanks,
> Arjo
>
>

From firewalls-owner Tue Feb 4 04:56:02 1997
From: Adam Shostack
Date: Tue, 4 Feb 1997 07:43:02 -0500 (EST)
To: mendes@garnet.berkeley.edu (Jerry Mendes)
Cc: Jeremy@fordnet.com, Firewalls@GreatCircle.COM
Subject: Re: NT Firewall

http://www.nwfusion.com/cgi-bin/gate2?|wwV7tddI://PPP.GP81XZ9G.59b/i958ZGi7e/wVwWe7O.tdbEwqwFGP81XZ9GVWV6xvhuUMph,5oIt7eI1GDX,xvhu4Mvvzg,5oIt7eI1GDX

Login as cypherpunks, password cypherpunks (this works most places that request a sign in, for those of you who don't know.)

Firewalls relevance? That URL above gets you in as someone else. They're not using strong access controls, and are thus easily bypassed.

Adam

Jerry Mendes wrote:
| You'll have to identify yourself and create an account....pretty much
| painless. After logging in, you'll land on a page that asks you for a 4
| digit number identifying the article you want to see. The one on the NT
| Firewall products is: 0402

--
Pet peeve of the day: Security companies whose protocols dare not speak their name, because they don't have one. Guilty company of the day is now V-One.
From firewalls-owner Tue Feb 4 05:40:43 1997
From: MARK.ELIAS@x400gw.ameritech.com
Date: 4 Feb 97 08:22:13 -0500
To: firewalls@greatCircle.COM, Jesse.Brown@POBox.com
Subject: RE: Rainbow Book Series?

> Hello, does anyone know where I can get the entire Rainbow Book
> Series?
>

Try http://csrc.ncsl.nist.gov/secpubs/rainbow (csrc = Computer Security Resource Clearinghouse / nist = National Institute of Standards and Technology)

There are order forms there as well as the actual documents.

From firewalls-owner Tue Feb 4 06:10:56 1997
Date: Tue, 4 Feb 97 09:08:00 EST
From: "Inez M. Crawford"
To: Jesse.Brown@POBox.com
CC: firewalls@greatcircle.com
Subject: Re: Rainbow Book Series?

Try this site - http://www.fas.org/irp/nsa/rainbow.htm

It seems to have a very good collection of downloadable "books".

IM Crawford

From firewalls-owner Tue Feb 4 06:26:35 1997
Subject: RE: AVT configurations
To: Firewalls@GreatCircle.COM
From: Arjo Mukherjee 4663
Date: Tue, 4 Feb 97 15:20:10 +0100

----- Forwarded message follows -----
To: Lilia Miltcheva
Subject: RE: AVT configurations
From: Arjo Mukherjee 4663
Date: Tue, 4 Feb 97 15:15:40 +0100
I have the feeling that every session that wants to use the AVT has to be defined on the local clients. In other words, if you want to telnet using the VPN, then you have to set up a defined session with the link pointer to the local Tunnel. Otherwise, the routing will default-wise direct the path to the firewall and out into the internet.

I guess the question you have is how to set up the applications on the local client to let it know when to use the Tunnel and when not to use it.

From the sparse docs that I could read, it appears as if on the local clients, i.e. PCs etc., one copies a couple of files, which the tunnel admin provides. These have the definitions for the tunnel path.

It appears that if the user wants to use the tunnel, he needs to click on the application to activate the link to the tunnel components, and then he can use the VPN.

Otherwise, it defaults to the firewall and out into the internet.

Seems like the user has to activate the tunnel link if he wants to use it.

Arjo

>
> Hi, Arjo!
>
> Thanks for having answered my mail.
>
> I do not worry about the routing. The question is if we have a duplicate
> IP on the private network and on the Internet, which way the connection
> is going to be decided - to go through the tunnel or through the regular
> (ISP) way?
> During the initial handshake the AVT server gives the IP numbers of the
> private networks to the tunnel client. Logically then, any IP belonging
> to one of those networks will be routed through the tunnel. This means
> that if there is another host on the Internet with the same IP, it will
> never be reached as long as the tunnel is up...
>
> Thanks, Lili
>
>
> >----------
> >From: Arjo Mukherjee 4663[SMTP:mukherje@ebo.dec.com]
> >Sent: Tuesday, February 04, 1997 3:26AM
> >To: miltcheva@unicc.org
> >Subject: AVT configurations
> >
> >Howdy,
> >
> >don't think there are address conflicts as the routing takes place
> >through firewalls.
> >in other words, the destination address is handled
> >only after it reaches the target VPN Server (Tunnel Server).
> >
> >The firewall is set up to handle the tunnel addresses via relay.
> >
> >Arjo
> >
>
----- End of forwarded message -----

From firewalls-owner Tue Feb 4 07:16:01 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA23786 for firewalls-outgoing; Tue, 4 Feb 1997 06:56:29 -0800 (PST) Received: from wachusett.altavista-software.com ([205.181.164.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA23767 for ; Tue, 4 Feb 1997 06:56:08 -0800 (PST) Received: by wachusett.altavista-software.com; (5.65v3.2/1.3/10May95) id AA00880; Tue, 4 Feb 1997 09:54:58 -0500 Date: Tue, 4 Feb 1997 09:54:41 -0500 (EST) From: Jeff Needle X-Sender: needle@plugh.hq.altav.com Reply-To: jeff.needle@altavista-software.com To: Lilia Miltcheva Cc: altavista-product@digital.com, admin@unicc.org, firewalls@GreatCircle.COM Subject: Re: Duplicated network addresses In-Reply-To: <32F60309.41C6@unicc.org> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

When you use the AltaVista Tunnel, any network packets that travel the internet will have a source address of your physical adapter and a target address of your firewall's external interface (tunnel server in the case where you have no firewall). The tunnel server, upon receipt of a tunnel packet, will strip the tunnel header and decrypt the packet, restoring the original destination address. Therefore the only place your private network addresses will be seen are within your private network, between your tunnel server and the final internal destination.

Hope this helps. If you have any further questions about AltaVista Tunnel, don't hesitate to contact me.
Jeff Needle, AltaVista engineering

On Mon, 3 Feb 1997, Lilia Miltcheva wrote:

> Date: Mon, 03 Feb 1997 16:23:53 +0100
> From: Lilia Miltcheva
> To: altavista-product@digital.com
> Cc: admin@unicc.org, firewalls@GreatCircle.COM
> Subject: Duplicated network addresses
>
> Dear Guru,
>
> I'm keen on using the AltaVista Tunnel and have already a lot of
> requests for providing the service. I have a question:
>
> We are currently using Alta Vista FW for Unix and behind it we have
> class C addresses that we once got by EUnet. Then we changed the ISP and
> renumbered our "red" (external) network, but on the internal ("blue")
> WAN we kept the old IPs as they are anyhow not accessible from the
> Internet.
>
> What is going to happen if a remote client, using AVT, connects to our
> AVT server, gets the numbers of the private networks (for example
> 193.72.45.0) and starts tunneling, but at the same time there is a
> server somewhere on the Internet that has address let's say 193.72.45.20
> (same class C). How could this clash possibly be managed?
>
>
> I'm aware that many people use inside their FW "any" IP addresses (just
> unique on the LAN), so that will be a problem with all those guys if
> some coincidence occurs.
>
> Is there something I'm missing?
>
> Thanks a lot in advance.. I'll greatly appreciate any help....
>
> Lili
>

From firewalls-owner Tue Feb 4 07:49:12 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA27998 for firewalls-outgoing; Tue, 4 Feb 1997 07:36:44 -0800 (PST) Received: from wachusett.altavista-software.com ([205.181.164.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA27976 for ; Tue, 4 Feb 1997 07:36:33 -0800 (PST) Received: by wachusett.altavista-software.com; (5.65v3.2/1.3/10May95) id AA04094; Tue, 4 Feb 1997 10:35:22 -0500 Date: Tue, 4 Feb 1997 10:34:59 -0500 (EST) From: Jeff Needle X-Sender: needle@plugh.hq.altav.com To: Lilia Miltcheva Cc: "'admin@unicc.org'" , "'firewalls@greatcircle.com'" Subject: RE: Duplicated network addresses In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

It won't matter if you assign an address that is equivalent to an external address. The only place those tunnel "pseudo addresses" will be seen is on the private network, beyond the tunnel server. They never travel on the internet. Any tunnel packets traveling on the internet will be encrypted and encapsulated in an IP packet with a source address of the client's real address and a destination address of your firewall, both of which would be legal addresses.

The typical tunnel configuration seems to use RFC 1918 addresses for the tunnel clients.

Jeff

On Tue, 4 Feb 1997, Lilia Miltcheva wrote:

> Date: Tue, 4 Feb 1997 16:32:00 +0100
> From: Lilia Miltcheva
> To: "'jeff.needle@altavista-software.com'"
> Cc: "'altavista-product@digital.com'" ,
> "'admin@unicc.org'" ,
> "'firewalls@greatcircle.com'"
> Subject: RE: Duplicated network addresses
>
> Jeff,
>
> What you say is correct and I do not have any problem with that. My
> question is rather what will happen if I address host.unicc.org that has
> the same IP as www.microsoft.com, for example?
> As the tunnel comes up, the tunnel server tells the client which
> networks are to be tunneled, so logically in this case for
> www.microsoft.com = host.unicc.org I will go through the tunnel and
> therefore I will never be able to reach www.microsoft.com while the
> tunnel is up....
>
> Thanks a lot for your support,
> Lili

From firewalls-owner Tue Feb 4 08:27:00 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA29210 for firewalls-outgoing; Tue, 4 Feb 1997 07:50:02 -0800 (PST) Received: from tuna.wang.com (TUNA.wang.com [150.124.136.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA29161 for ; Tue, 4 Feb 1997 07:49:37 -0800 (PST) Received: from mars.wangfed.com (mars.Wangfed.COM [159.94.10.1]) by tuna.wang.com (8.6.12/8.6.12tf1) with SMTP id KAA22492; Tue, 4 Feb 1997 10:48:25 -0500 Received: from uc0009.wangfed.com (uc0009 [159.94.10.15]) by mars.wangfed.com (8.8.4/3.8) with SMTP id KAA14495; Tue, 4 Feb 1997 10:54:31 -0500 (EST) Received: from [159.94.14.48] by uc0009.wangfed.com (BULL 5.61++/B.O.S 02.01) id AA26148; Tue, 4 Feb 97 10:39:17 -0500 Date: Tue, 4 Feb 97 10:39:17 -0500 Message-Id: <9702041539.AA26148@uc0009.wangfed.com> From: "K.M." Reply-To: "K.M." To: pelicans@mindspring.com, firewalls@GreatCircle.COM Subject: Re: Poor NSA...Hells freezin' over again. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

TEMPEST = Transient ElectroMagnetic Pulse Emanation STandard
          ^         ^      ^        ^     ^         ^^

KM

=====
K.M. Goertzel
Manager, Business Development
Secure Systems & Services Operation
WANG FEDERAL, Inc.
7900 Westpark Drive - MS 700
McLean, VA 22102-4299 USA
tel (703)827 3914 fax (703)827 3161
email goertzek@wangfed.com

From firewalls-owner Tue Feb 4 08:42:35 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA27431 for firewalls-outgoing; Tue, 4 Feb 1997 07:29:26 -0800 (PST) Received: from gk-blue.unicc.org (gk-red.unicc.org [192.91.247.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA27413 for ; Tue, 4 Feb 1997 07:29:07 -0800 (PST) Received: by gk-blue.unicc.org; (5.65v3.2/1.3/10May95) id AA06978; Tue, 4 Feb 1997 16:30:26 +0100 Received: by gh-old.unicc.org (5.65/jsb-190694); id AA00396; Tue, 4 Feb 1997 16:30:27 +0100 Received: by new-exchange.unicc.org with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BC12B8.F37AE050@new-exchange.unicc.org>; Tue, 4 Feb 1997 16:32:02 +0100 Message-Id: From: Lilia Miltcheva To: "'jeff.needle@altavista-software.com'" Cc: "'altavista-product@digital.com'" , "'admin@unicc.org'" , "'firewalls@greatcircle.com'" Subject: RE: Duplicated network addresses Date: Tue, 4 Feb 1997 16:32:00 +0100 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Jeff,

What you say is correct and I do not have any problem with that. My question is rather what will happen if I address host.unicc.org that has the same IP as www.microsoft.com, for example?
As the tunnel comes up, the tunnel server tells the client which networks are to be tunneled, so logically in this case for www.microsoft.com = host.unicc.org I will go through the tunnel and therefore I will never be able to reach www.microsoft.com while the tunnel is up....
Thanks a lot for your support,
Lili

>----------
>From: Jeff Needle[SMTP:needle@altavista.digital.com]
>Sent: Tuesday, February 04, 1997 12:54AM
>To: Lilia Miltcheva
>Cc: altavista-product@digital.com; admin@unicc.org;
>firewalls@greatcircle.com
>Subject: Re: Duplicated network addresses
>
>When you use the AltaVista Tunnel, any network packets that travel the
>internet will have a source address of your physical adapter and a target
>address of your firewall's external interface (tunnel server in the case
>where you have no firewall). The tunnel server, upon receipt of a tunnel
>packet, will strip the tunnel header and decrypt the packet, restoring the
>original destination address. Therefore the only place your private
>network addresses will be seen are within your private network, between
>your tunnel server and the final internal destination.
>
>Hope this helps. If you have any further questions about AltaVista
>Tunnel, don't hesitate to contact me.
>
>Jeff Needle, AltaVista engineering
>
>
>
>On Mon, 3 Feb 1997, Lilia Miltcheva wrote:
>
>> Date: Mon, 03 Feb 1997 16:23:53 +0100
>> From: Lilia Miltcheva
>> To: altavista-product@digital.com
>> Cc: admin@unicc.org, firewalls@GreatCircle.COM
>> Subject: Duplicated network addresses
>>
>> Dear Guru,
>>
>> I'm keen on using the AltaVista Tunnel and have already a lot of
>> requests for providing the service. I have a question:
>>
>> We are currently using Alta Vista FW for Unix and behind it we have
>> class C addresses that we once got by EUnet. Then we changed the ISP and
>> renumbered our "red" (external) network, but on the internal ("blue")
>> WAN we kept the old IPs as they are anyhow not accessible from the
>> Internet.
>>
>> What is going to happen if a remote client, using AVT, connects to our
>> AVT server, gets the numbers of the private networks (for example
>> 193.72.45.0) and starts tunneling, but at the same time there is a
>> server somewhere on the Internet that has address let's say 193.72.45.20
>> (same class C). How could this clash possibly be managed?
>>
>>
>> I'm aware that many people use inside their FW "any" IP addresses (just
>> unique on the LAN), so that will be a problem with all those guys if
>> some coincidence occurs.
>>
>> Is there something I'm missing?
>>
>> Thanks a lot in advance.. I'll greatly appreciate any help....
>>
>> Lili
>>
>
>
>
>

From firewalls-owner Tue Feb 4 08:49:28 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA29012 for firewalls-outgoing; Tue, 4 Feb 1997 07:48:36 -0800 (PST) Received: from gk-blue.unicc.org (gk-red.unicc.org [192.91.247.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA28988 for ; Tue, 4 Feb 1997 07:48:25 -0800 (PST) Received: by gk-blue.unicc.org; (5.65v3.2/1.3/10May95) id AA28606; Tue, 4 Feb 1997 16:49:36 +0100 Received: by gh-old.unicc.org (5.65/jsb-190694); id AA02025; Tue, 4 Feb 1997 16:49:38 +0100 Received: by new-exchange.unicc.org with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BC12BB.A2C958A0@new-exchange.unicc.org>; Tue, 4 Feb 1997 16:51:15 +0100 Message-Id: From: Lilia Miltcheva To: "'Lilia Miltcheva'" , "'Jeff Needle'" Cc: "'admin@unicc.org'" , "'firewalls@greatcircle.com'" Subject: RE: Duplicated network addresses Date: Tue, 4 Feb 1997 16:51:13 +0100 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Jeff,

Probably I cannot explain very well.
What you say for me means that while I have the tunnel client up I will never see the host on the Internet (www.microsoft.com in my example)?! I will always go through the tunnel, because the tunnel client will think that this is a private address....

Thanks, Lili

>----------
>From: Jeff Needle[SMTP:needle@altavista.digital.com]
>Sent: Tuesday, February 04, 1997 1:34AM
>To: Lilia Miltcheva
>Cc: 'admin@unicc.org'; 'firewalls@greatcircle.com'
>Subject: RE: Duplicated network addresses
>
>It won't matter if you assign an address that is equivalent to an external
>address. The only place those tunnel "pseudo addresses" will be seen is
>on the private network, beyond the tunnel server. They never travel on
>the internet. Any tunnel packets traveling on the internet will be
>encrypted and encapsulated in an IP packet with a source address of the
>client's real address and a destination address of your firewall, both of
>which would be legal addresses.
>
>The typical tunnel configuration seems to use RFC 1918 addresses for the
>tunnel clients.
>
>Jeff
>
>On Tue, 4 Feb 1997, Lilia Miltcheva wrote:
>
>> Date: Tue, 4 Feb 1997 16:32:00 +0100
>> From: Lilia Miltcheva
>> To: "'jeff.needle@altavista-software.com'"
>
>> Cc: "'altavista-product@digital.com'" ,
>> "'admin@unicc.org'" ,
>> "'firewalls@greatcircle.com'"
>> Subject: RE: Duplicated network addresses
>>
>> Jeff,
>>
>> What you say is correct and I do not have any problem with that. My
>> question is rather what will happen if I address host.unicc.org that has
>> the same IP as www.microsoft.com, for example?
>> As the tunnel comes up, the tunnel server tells the client which
>> networks are to be tunneled, so logically in this case for
>> www.microsoft.com = host.unicc.org I will go through the tunnel and
>> therefore I will never be able to reach www.microsoft.com while the
>> tunnel is up....
>>
>> Thanks a lot for your support,
>> Lili
>
>
>

From firewalls-owner Tue Feb 4 08:55:50 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA04894 for firewalls-outgoing; Tue, 4 Feb 1997 08:37:12 -0800 (PST) Received: from strat.enernet.com (strat.enernet.com [206.116.106.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA04871 for ; Tue, 4 Feb 1997 08:37:01 -0800 (PST) Received: from strat (strat.enernet.com [206.116.106.11]) by strat.enernet.com (8.7.5/8.7.3) with SMTP id JAA51050 for ; Tue, 4 Feb 1997 09:38:24 -0700 Message-ID: <32F76600.446B@enernet.com> Date: Tue, 04 Feb 1997 09:38:24 -0700 From: Chad David Organization: Enernet Technologies Inc. X-Mailer: Mozilla 3.0 (X11; I; AIX 1) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: Re: NAT on Cisco PIX vs. ?? References: <199702031809.SAA02110@mail.global-sol.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Timothy P. Layton, Sr. wrote:
>
> I am familiar with NAT on the PIX and was wondering what
> operating systems that any one has had experience with in dealing
> with NAT. Does any one feel that there is a trade off with the
> PIX being a hardware solution vs. a software based solution ?
>
> Thanks for any input.

I have never used the PIX, but have been told by vendors that NAT is slow, and that there have been problems due to memory and CPU constraints... compared to a unix (maybe NT) based firewall that is.

Can anyone comment on this?

--
Chad David
Network Admin
Enernet Technologies Inc.
davidc@enernet.com

From firewalls-owner Tue Feb 4 09:11:10 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA06882 for firewalls-outgoing; Tue, 4 Feb 1997 08:55:04 -0800 (PST) Received: from gw.garrison.com (gw.garrison.com [205.241.58.147]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA06871 for ; Tue, 4 Feb 1997 08:54:55 -0800 (PST) Received: from gw.garrison.com (root@localhost) by gw.garrison.com (8.7.5/8.7.3) with ESMTP id TAA19236 for ; Fri, 18 Dec 1987 19:33:36 -0600 (CST) Received: from garrison.com. ([10.0.0.2]) by gw.garrison.com (8.7.5/8.7.3) with SMTP id TAA19230 for ; Fri, 18 Dec 1987 19:33:36 -0600 (CST) Received: by garrison.com. (4.1/Surrogate Sendmail hack) id AA16482; Tue, 4 Feb 97 10:48:30 CST Date: Tue, 4 Feb 97 10:48:30 CST From: jeromie@garrison.com (Jeromie Jackson) Message-Id: <9702041648.AA16482@garrison.com.> To: goertzek@wangfed.com, willis@sctc.com Subject: Re: Sidewinder vs. Cyberguard Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> On Mon, 3 Feb 1997, K.M. wrote:
>
> > However, I have heard that Sidewinder is very difficult to configure, unless
> > they have managed to greatly improve their interface in new release.

Matt Willis wrote:
>
> Sidewinder now offers a *real* GUI and a command line interface, for those
> of us that like it old-school. Not that I count as unbiased, but it's a
> night-and-day comparison to the old version...
>
> We've also done away with the notion of internal and external to allow for
> multiple network interfaces...
>
> The mail-filter is pretty hip, as well... drag-and-drop and such.
>

I would definitely have to agree. The interface for 3.01 of Sidewinder is quite nice (although I still prefer the cf lines for most admin. tasks). It is quite easy to open up ports and such, quite a lot easier than many other firewalls I've seen.

I would agree, the Mail filtering capabilities are quite cool..
The drag-and-drop approach, and the configuration of the filtering/auditing is quite spiff.

Jeromie Jackson
Garrison Technologies
jeromie@garrison.com

From firewalls-owner Tue Feb 4 09:22:06 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA03311 for firewalls-outgoing; Tue, 4 Feb 1997 08:22:33 -0800 (PST) Received: from wachusett.altavista-software.com ([205.181.164.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA03301 for ; Tue, 4 Feb 1997 08:22:19 -0800 (PST) Received: by wachusett.altavista-software.com; (5.65v3.2/1.3/10May95) id AA18495; Tue, 4 Feb 1997 11:21:02 -0500 Date: Tue, 4 Feb 1997 11:20:43 -0500 (EST) From: Jeff Needle X-Sender: needle@plugh.hq.altav.com To: Lilia Miltcheva Cc: "'admin@unicc.org'" , "'firewalls@greatcircle.com'" Subject: RE: Duplicated network addresses In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Well, now you've lost me a bit. But what I'm saying is that with the tunnel up, you'll have a route to the private network. Any traffic destined for that private network will be encrypted, sent over the internet with a destination address of the remote firewall and a source address of your physical network (typically, your ISP-assigned address). The only place that your private address will be seen is on the private network, after your tunnel server has decrypted the packet.

If what you're saying is that you've picked addresses in your private network that overlap real outside addresses instead of using RFC 1918 addresses, then you'll certainly have some confusion!
If one time you want traffic going to 207.68.156.61 to go to www.microsoft.com, and the next time, you want traffic going to 207.68.156.61 to go to a machine which you've got in your private network called host.unicc.org, then indeed you'll have to craft some routes that will cause this host to be reachable through the tunnel and you'll have to disconnect the tunnel before you can access that real address on the internet.

Jeff

On Tue, 4 Feb 1997, Lilia Miltcheva wrote:

> Date: Tue, 4 Feb 1997 16:51:13 +0100
> From: Lilia Miltcheva
> To: 'Lilia Miltcheva' ,
> 'Jeff Needle'
> Cc: "'admin@unicc.org'" ,
> "'firewalls@greatcircle.com'"
> Subject: RE: Duplicated network addresses
>
> Jeff,
>
> Probably I cannot explain very well. What you say for me means that
> while I have the tunnel client up I will never see the host on the
> Internet (www.microsoft.com in my example)?! I will always go through
> the tunnel, because the tunnel client will think that this is a private
> address....
>
> Thanks, Lili

From firewalls-owner Tue Feb 4 09:37:55 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA27312 for firewalls-outgoing; Tue, 4 Feb 1997 07:27:48 -0800 (PST) Received: from wachusett.altavista-software.com ([205.181.164.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA27280 for ; Tue, 4 Feb 1997 07:27:26 -0800 (PST) Received: by wachusett.altavista-software.com; (5.65v3.2/1.3/10May95) id AA24058; Tue, 4 Feb 1997 10:26:15 -0500 Date: Tue, 4 Feb 1997 10:26:02 -0500 (EST) From: Jeff Needle X-Sender: needle@plugh.hq.altav.com To: Arjo Mukherjee 4663 Cc: Firewalls@GreatCircle.COM Subject: RE: AVT configurations In-Reply-To: <970204152010.3603@beux1.ebo.dec.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

When the tunnel connection is established, the first thing that's done is that an address is downloaded and bound to the tunnel
pseudo adapter. The next thing that happens is a routing packet is downloaded, and those routes are associated with the tunnel pseudo adapter. After that, anything destined for the private network (as defined by the routes downloaded to the client by the server) will "magically" be encrypted and routed to the tunnel server.

Jeff Needle, AltaVista engineering

On Tue, 4 Feb 1997, Arjo Mukherjee 4663 wrote:

> Date: Tue, 4 Feb 97 15:20:10 +0100
> From: Arjo Mukherjee 4663
> To: Firewalls@GreatCircle.COM
> Subject: RE: AVT configurations
>
>
>
> ----- Forwarded message follows -----
> Delivery-Date: Tue, 4 Feb 97 14:58:27 +0100
> To: Lilia Miltcheva
> Subject: RE: AVT configurations
> In-Reply-To:
> References:
> X-Mailer: MAILworks 1.7-A
> From: Arjo Mukherjee 4663
> Date: Tue, 4 Feb 97 15:15:40 +0100
> Message-ID: <970204151540.3603@beux1.ebo.dec.com>
>
> I have the feeling that every session that wants to use the AVT has to
> be defined on the local clients. In other words, if you want to telnet
> using the VPN, then you have to set up a defined session with the link
> pointer to the local Tunnel. Otherwise, the routing will default-wise
> direct the path to the firewall and out into the internet.
>
> I guess the question you have is how to set up the applications on the
> local client to let it know when to use the Tunnel and when not to use
> it.
>
> From the sparse docs that I could read, it appears as if on the local
> clients, i.e. PCs etc., one copies a couple of files, which the tunnel
> admin provides. These have the definitions for the tunnel path.
>
> It appears that if the user wants to use the tunnel, he needs to click
> on the application to activate the link to the tunnel components, and
> then he can use the VPN.
>
> Otherwise, it defaults to the firewall and out into the internet.
>
> Seems like the user has to activate the tunnel link if he wants to use
> it.
>
> Arjo
>
> >
> > Hi, Arjo!
> >
> > Thanks for having answered my mail.
> >
> > I do not worry about the routing. The question is if we have a duplicate
> > IP on the private network and on the Internet, which way the connection
> > is going to be decided - to go through the tunnel or through the regular
> > (ISP) way?
> > During the initial handshake the AVT server gives the IP numbers of the
> > private networks to the tunnel client. Logically then, any IP belonging
> > to one of those networks will be routed through the tunnel. This means
> > that if there is another host on the Internet with the same IP, it will
> > never be reached as long as the tunnel is up...
> >
> > Thanks, Lili
> >
> >
> > >----------
> > >From: Arjo Mukherjee 4663[SMTP:mukherje@ebo.dec.com]
> > >Sent: Tuesday, February 04, 1997 3:26AM
> > >To: miltcheva@unicc.org
> > >Subject: AVT configurations
> > >
> > >Howdy,
> > >
> > >don't think there are address conflicts as the routing takes place
> > >through firewalls. in other words, the destination address is handled
> > >only after it reaches the target VPN Server (Tunnel Server).
> > >
> > >The firewall is set up to handle the tunnel addresses via relay.
> > >
> > >Arjo
> > >
> >
>
> ----- End of forwarded message -----
>

From firewalls-owner Tue Feb 4 10:04:48 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA14130 for firewalls-outgoing; Tue, 4 Feb 1997 09:50:10 -0800 (PST) Received: from main.geminisecure.com (main.geminisecure.com [205.179.16.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA14098 for ; Tue, 4 Feb 1997 09:49:59 -0800 (PST) Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id JAA19690; Tue, 4 Feb 1997 09:46:37 -0800 Date: Tue, 4 Feb 1997 09:46:37 -0800 (PST) From: Leonard Miyata To: Firewalls@GreatCircle.com Subject: Red Book vs Orange Book In-Reply-To: <199702032325.PAA13699@itech.terisa.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

There seems to be a general misunderstanding on the C2 rating of Windows NT Server. Windows NT has an 'Orange Book' C2 rating. Their resource book for NT 4.0 Server states that NT was designed for 'Red Book' C2, but since they are not claiming this yet, they must not have achieved this.

Orange Book rates the security of an isolated computer host. It does not rate the components of a host (e.g. a B2 rated floppy drive or SCSI controller) but if the components with the O.S. are assembled in such a fashion, the overall rating of a host is at this level as far as MAC, DAC, I&A, Audit, etc. are concerned.

Red Book (TNI) is an official supplement to the Orange Book, extending the Orange Book definitions to a networked environment. Red Book rates the overall rating of the NETWORK. Individual components of the network may have a lower rating than the network in general (e.g. workstations, routers) if other components in the Network can enforce MAC, DAC, I&A etc.

As an example with NT Server, their Domain Authentication Server is an attempt to meet the DAC requirement.
PPTP may be used for trusted path for I&A, etc.

Another example is NetWare, which for a restricted IPX network, has been rated for Red Book C2

I hope this has been useful

Personal Opinions provided by Leonard Miyata aka leonard@geminisecure.com
GEMINI COMPUTERS INC.

On Mon, 3 Feb 1997, EKR wrote:

> > First Mistake. NT is not C2 compliant. Anyone knowing anything about LAN
> > security would know this. Do a little more research before replying to
> > someone. Besides, do you even know the different levels of security, or are
> > you just "anti-nt".(which is not a bad thing)
> Actually, you're quite wrong. NT has been evaluated at C2 in
> a standalone configuration, which appears to be precisely what
> the gentleman was referring to. Please see:
>
> http://www.radium.ncsc.mil/tpep/epl/entries/CSC-EPL-95-003.html
>
> -Ekr
>
>
>

From firewalls-owner Tue Feb 4 10:17:31 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA11075 for firewalls-outgoing; Tue, 4 Feb 1997 09:31:34 -0800 (PST) Received: from mail.eskimo.com (mail.eskimo.com [204.122.16.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA11026 for ; Tue, 4 Feb 1997 09:31:16 -0800 (PST) Received: from blackrhino (joelm@tia1.eskimo.com [204.122.16.40]) by mail.eskimo.com (8.7.6/8.6.12) with SMTP id JAA11081; Tue, 4 Feb 1997 09:29:51 -0800 (PST) Message-Id: <3.0.32.19970204092911.006a9454@mail.eskimo.com> X-Sender: joelm@mail.eskimo.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Tue, 04 Feb 1997 09:29:23 -0800 To: firewalls@GreatCircle.COM From: Joel McNamara Subject: Re: Poor NSA...Hells freezin' over again. Cc: pelicans@mindspring.com (BeachCruiser) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>ps: Wonder if there is anyone else out there who knows or remembers what
>TEMPEST actually stands for? And yes it IS an acronym, and it DOES mean
>something.
Not really firewall related, but according to the Feds, TEMPEST is a codeword, and not an acronym that means anything.

See the Complete, Unofficial TEMPEST Information Page at:

http://www.eskimo.com/~joelm/tempest.html

for loads of open source info on the topic...

Joel

From firewalls-owner Tue Feb 4 10:25:19 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA10764 for firewalls-outgoing; Tue, 4 Feb 1997 09:28:33 -0800 (PST) Received: from lancomp-gate.LANcomp.COM (lancomp-gate.lancomp.com [199.170.17.253]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA10684 for ; Tue, 4 Feb 1997 09:28:10 -0800 (PST) Received: from devils.LANcomp.COM ([192.168.1.102]) by lancomp-gate.LANcomp.COM via smtpd (for miles.greatcircle.com [198.102.244.34]) with SMTP; 4 Feb 1997 17:26:53 UT Received: by LANcomp.COM (5.x/SMI-SVR4) id AA01368; Tue, 4 Feb 1997 12:26:49 -0500 Date: Tue, 4 Feb 1997 12:26:49 -0500 (EST) From: Lee Whitty X-Sender: lwhitty@devils To: firewall Subject: FW1 Address translation installation on multiple inspection module hosts Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I'm working with a customer running FW1 V2.1 on 2 firewalls. One firewall is licensed to run only the inspection module and authentication server. The other has the internet security center license. I need to be able to install the same rule set on both machines, but load a different address translation filter on each.

When installing a new rule set, the Management firewall installs the local ruleset and translation table onto itself, then pushes the same to the second firewall. Even if I create a separate ruleset for the second firewall, it will still install the same fwxl.conf on both firewalls.

Is there any way to have separate translation tables and a common ruleset, and install them in one step?

Any assistance would be appreciated.
--------------------------------------------------------------------------------
Lee Whitty                            LANcomp
Email: lwhitty@lancomp.com            242 Old New Brunswick Road, Suite 200
Voice: 908-981-1991                   Piscataway, NJ 08855
Fax  : 908-981-1858
--------------------------------------------------------------------------------

From firewalls-owner Tue Feb 4 10:53:17 1997
Date: Tue, 04 Feb 1997 13:15:46 -0500
From: "Darwin L. Martinez"
To: firewalls@greatcircle.com
Subject: CyberGuard & NAT

ALL:

Can someone tell me if CyberGuard 3.0 (or 2.2) can provide NAT similar to FireWall-1?

Thanks.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Darwin L. Martinez                     Voice: 404-843-5954
Network Systems Engineer               Pager: 888-346-1320
International Network Services         Vmail: 770-641-4004
Atlanta Office                         Email: http://www.ins.com
"Happiness is a belt-fed weapon."
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

From firewalls-owner Tue Feb 4 11:16:27 1997
Date: Tue, 4 Feb 1997 13:07:55 -0500 (EST)
From: Daniel Garcia
To: Lilia Miltcheva
Cc: "'jeff.needle@altavista-software.com'", "'altavista-product@digital.com'", "'admin@unicc.org'", "'firewalls@greatcircle.com'"
Subject: RE: Duplicated network addresses

On Tue, 4 Feb 1997, Lilia Miltcheva wrote:

> Jeff,
> What you say is correct and I do not have any problem with that. My
> question is rather what will happen if I address host.unicc.org that has
> the same IP as www.microsoft.com, for example?
> As the tunnel comes up, the tunnel server tells the client which
> networks are to be tunneled, so logically in this case for
> www.microsoft.com = host.unicc.org I will go through the tunnel and
> therefore I will never be able to reach www.microsoft.com while the
> tunnel is up....

There is a set of IP numbers that is reserved precisely for this situation - they are reserved for private networks, i.e. networks that will never be directly addressable by the internet, and are guaranteed by IANA (among others I believe) to never be allocated on the internet.

According to rfc1918 (available at http://ftp.isi.edu/in-notes/rfc1918.txt ) the following address spaces are available:

   The Internet Assigned Numbers Authority (IANA) has reserved the
   following three blocks of the IP address space for private internets:

        10.0.0.0    -  10.255.255.255   (10/8 prefix)
        172.16.0.0  -  172.31.255.255   (172.16/12 prefix)
        192.168.0.0 -  192.168.255.255  (192.168/16 prefix)

Cheers,
--Dg

From firewalls-owner Tue Feb 4 11:40:08 1997
Date: Tue, 4 Feb 1997 10:48:34 -0800
From: MANGO
To: "'Firewalls@GreatCircle.COM'"
Subject: Security Network Specialist Employment Opportunity

AT&T Wireless Services is selecting talent for our Logical / Cross Technology Security team. We are expanding our 'tiger team'. AT&T Wireless Services is using leading edge proprietary technology. Our team is responsible for securing our computing and cellular networks at our corporate headquarters located in Seattle, WA.

Network Security Specialist

RESPONSIBILITIES
Establish and implement network security requirements.
Lead network security training effort for Sys Admins throughout AT&T.
Monitor 'hacker' community and CERTs.
Establish security compliance center.
Conduct penetration tests on AWS network to ensure security compliance.

REQUIREMENTS
Eight or more years in Information Systems.
Detailed understanding of UNIX security and TCP/IP networking.
Experience with security tools and demonstrated network security success.

For more information or to apply:
Send your resume or questions via fax 206/284.8844 or e-mail mango@wafirm.com

The Washington Firm, Ltd. provides outsourced recruiting services for AT&T Wireless Services' headquarters.

From firewalls-owner Tue Feb 4 11:45:38 1997
Date: Tue, 4 Feb 1997 13:13:43 -0600 (CST)
From: Jim Jones
To: Stan Wolf
Cc: asetton@lightech.com.ar, Firewall Newsgroup
Subject: Re: MS Proxy Server
In-Reply-To: <199702040616.WAA09724@mail-gw.pacbell.net>

On Mon, 3 Feb 1997, Stan Wolf wrote:

[...snip...]

>
> I plan to use PSINet' managed and monitored "RouteWaller" packet filtering
> firewall router in front of MS Proxy Server running by itself on NT Server
> 4.0. Any thoughts on this arrangement, Jim?

Stan, I have never read or dealt with the RouteWaller. So I do not know how good a product you are getting. The big thing about a Firewall IMHO is the ability to log activity and the ability to hide your internal network.

jim jones
jrjones@comsource.net

From firewalls-owner Tue Feb 4 13:07:25 1997
Date: Tue, 4 Feb 1997 12:22:56 -0900
From: mike@ptes.com (Mike Bernhardt)
To: Dave Schnardthorst, firewalls@GreatCircle.COM
Subject: Re: Rewriting User Names

>At 10:00 AM 1/31/97 -0600, Dave Schnardthorst wrote:
>>I am currently running Sendmail-8.8.5 and would like to be able to rewrite
>>user names when sending out e-mail.
>>
>>Example:
>>
>> Incoming mail to myself could be aliased to daves@stryder.com. When
>> I send outgoing mail my return address currently shows ds3721@stryder.com.
>> The outgoing mail should show daves@stryder.com.
>>
>>Can somebody give me some examples as to how this might be accomplished.
>
>Check out http://www.mc2-csr.com/~lglaze and follow the virtual hosting
>link. The page you want is the first sendmail link. The second one goes
>into a different aspect of sendmail and virtual hosts, but it may also
>be useful to you.
>
>If you have any questions then just let me know (I wrote the pages and
>am currently using both configurations successfully).

It seems like people are making this issue harder than it needs to be. Here is what I did (in the m4 file). Host name is "Moonlight."

divert(0)dnl
VERSIONID(`@(#)moonlight.mc 8.3 (Berkeley) 3/23/96')
OSTYPE(solaris2.ml)dnl
DOMAIN(generic)dnl
MASQUERADE_AS(ptes.com)dnl
MASQUERADE_DOMAIN(Moonlight)
MAILER(local)dnl
MAILER(smtp)dnl

This way all users on the host "Moonlight" are masked as "ptes.com."

From firewalls-owner Tue Feb 4 13:07:58 1997
Date: Tue, 04 Feb 1997 13:30:45 -0700
From: Mark Thompson
To: firewalls@greatcircle.com
Subject: FW-1 config questions - can anyone help?

G'Day All,

I am in the process of setting up Firewall-1 on a Sun Ultra 1, running Solaris 2.5.1. Being a newbie in the area of firewalls, routers, and gateways, I have been doing quite a lot of reading. One thing that I cannot find in the setup for the firewall is how to set up my multi-homed host as a gateway. I need this so that my *ix boxes on the inside of my network (or any that accept RIP packets) will receive a correct RIP packet from my gateway (firewall). I am in the process of getting a separate, very small, class C address to connect my firewall/gateway to the router supplied by our ISP. Here is a simple diagram of what we have now and what we will have after the firewall goes in.

 -----------              ------                 ---------------
 |  my.net |--------------|router|---------------|   internet  |
 -----------              ------                 ---------------

Here, my side of the router has an address of x.y.1.1, but this is inside my domain space.
I have a class B domain so my subnet mask is 255.255.0.0 and my default gateway is x.y.1.1. Now, the majority of my network is made up of PC's and MAC's, so I need the gateway to stay the same internally (x.y.1.1). After I put in the firewall, I will have

 ----------         ----------        ------        ----------
 | my.net |---------| firewall |------|router|------| internet |
 ----------         ----------        ------        ----------

Here, I am going to move the x.y.1.1 to the inside of my firewall, and get another small address space (4 addresses) to go between my firewall and the router. For simplicity's sake, say that these addresses are 200.200.1.1 and 200.200.1.2 on the outside of the firewall and my side of the router, respectively. Thus, I will have 200.200.1.1 on le0 and x.y.1.1 on qe0.

The questions that I need answered are:

1. I am assuming that if firewall-1 is turned off, my firewall/gateway machine will need to act as a gateway that passes all on the router. Is this in fact the case?

2. As far as routes go, from what I have read, using static routes seems to be the way that I need to proceed. So, I have made a /etc/gateways file that reads:

norip le0
net 0.0.0.0 gateway 200.200.1.1 metric 0 passive
noripin qe0
net x.y.0.0 gateway x.y.1.1 metric 0 passive

I have also thought that I might need to add a route to the router as follows:

host 200.200.1.2 gateway 200.200.1.1 metric 0 passive

Is this the best way to define my gateway so that my internal machines that respond to RIPs will get the correct info?

3. From my reading, it seems to me that I only need to run interior routing and no exterior routing. Thus I will only need to run routed and not gated (with EGP), while the exterior routing will be taken care of by my ISP. Is this true?

Thanks for any help,
Mark.

Mark Thompson
Manager of Network Services
Computing Services
The University of Lethbridge
Lethbridge, AB, Canada
(403) 329-2689
thommd@hg.uleth.ca
http://home.uleth.ca/~thommd

From firewalls-owner Tue Feb 4 13:21:28 1997
Date: Tue, 4 Feb 1997 14:06:58 -0600
From: mdb@dosmanos.cwiz.com (Martin D. Baldenegro)
Message-Id: <199702042006.OAA08060@cwiz.com>
To: firewalls@GreatCircle.COM
Subject: class1 -vs- class 2

IHAC who asked me to explain the difference between using a class 1 vs a class 2 type routing system for his firewall. I'm a little bit confused, as I am not sure what he means by this. Either I am way out of it, or just never had this question come up. Are there any pointers that would explain this to me.

Thanks,
=======================
Martin D. Baldenegro  |
The Cwiz Group        |
email - mdb@cwiz.com  |
=======================

From firewalls-owner Tue Feb 4 13:55:02 1997
Date: Tue, 4 Feb 1997 12:03:24 -0900
From: mike@ptes.com (Mike Bernhardt)
To: msmith@usair.com, firewalls@GreatCircle.COM
Subject: Re: Filtering outbound packets

Outbound, we only filter for source addresses that are not from our net, i.e. possibly spoofed addresses, or at least bad ones. I don't care what protocols go out, as long as they leave here with legitimate addresses.

At 6:57 AM 2/3/97, Mark Smith wrote:
>What is the general practice for readers of this list on filtering
>outbound packets at the router between the ISP and the DMZ ?
>
>The original intent was to limit the chances of mounting
>attacks/FSP/general bad stuff using our site as base camp. Now,
>however, we have a mail application which appears to drive the router at
>max CPU, allegedly due to the filtering in place. That outbound
>filtering allows only the "good" protocols to their known ports.
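The egress check Mike describes above (let a packet out only if its source address is from our own net), combined with the three RFC 1918 private blocks quoted in Daniel Garcia's reply earlier in this digest, as an added Python example that is not code from any post on the list. The site prefix 198.51.100.0/24 and the packet log lines are constructed placeholders; the example assumes the site's own prefix is a public one.

```python
"""Outbound source-address (egress) check as discussed on the list:
only packets whose source belongs to our own net may leave the border,
and RFC 1918 addresses, which are never routable on the Internet, are
rejected whether they appear as source or destination.  Added example,
not code from any list post; prefix and log lines are constructed."""
import ipaddress
from collections import Counter
from typing import Dict, List, NamedTuple

# The three private blocks quoted from RFC 1918 in the thread.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed placeholder for "our net"; a real site uses its assigned
# (public) prefix here.
OUR_NET = ipaddress.ip_network("198.51.100.0/24")


class Verdict(NamedTuple):
    src: str
    dst: str
    action: str   # "permit" or "deny"
    reason: str


def is_rfc1918(addr: str) -> bool:
    """True if addr lies in one of the three RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in RFC1918_BLOCKS)


def check_outbound(src: str, dst: str,
                   our_net: ipaddress.IPv4Network = OUR_NET) -> Verdict:
    """Decide whether one outbound packet may leave the site border."""
    try:
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
    except ValueError:
        return Verdict(src, dst, "deny", "malformed address")
    # A private source leaving the site is a leaked internal address.
    if any(src_ip in b for b in RFC1918_BLOCKS):
        return Verdict(src, dst, "deny", "RFC 1918 source")
    # A source that is not ours is spoofed, or at least not ours to emit.
    if src_ip not in our_net:
        return Verdict(src, dst, "deny", "source not in our net (possible spoof)")
    # A private destination cannot be reached across the Internet anyway.
    if any(dst_ip in b for b in RFC1918_BLOCKS):
        return Verdict(src, dst, "deny", "RFC 1918 destination")
    return Verdict(src, dst, "permit", "source in our net")


def parse_log_line(line: str) -> Dict[str, str]:
    """Parse the key=value tokens of a constructed packet log line."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def filter_log(lines: List[str]) -> List[Verdict]:
    """Apply check_outbound to every outbound line; inbound lines are skipped."""
    verdicts = []
    for line in lines:
        f = parse_log_line(line)
        if f.get("dir") != "out":
            continue
        verdicts.append(check_outbound(f.get("src", ""), f.get("dst", "")))
    return verdicts


def summarize(verdicts: List[Verdict]) -> Dict[str, int]:
    """Tally permits and denies, the kind of count a firewall log should give."""
    return dict(Counter(v.action for v in verdicts))


# Constructed sample log lines; not captured from any real network.
SAMPLE_LOG = [
    "dir=out src=198.51.100.7 dst=203.0.113.25 proto=tcp dport=25",
    "dir=out src=10.1.2.3 dst=203.0.113.25 proto=tcp dport=80",
    "dir=out src=192.0.2.99 dst=203.0.113.25 proto=udp dport=53",
    "dir=out src=198.51.100.9 dst=172.16.5.5 proto=tcp dport=80",
    "dir=out src=not-an-ip dst=203.0.113.25 proto=tcp dport=80",
    "dir=in src=203.0.113.25 dst=198.51.100.7 proto=tcp dport=25",
]

if __name__ == "__main__":
    results = filter_log(SAMPLE_LOG)
    for v in results:
        print(f"{v.action:6} {v.src:>15} -> {v.dst:<15} {v.reason}")
    print(summarize(results))
```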
From firewalls-owner Tue Feb 4 14:32:55 1997
Date: Tue, 04 Feb 1997 02:52:12 -0600
From: "Donald R. Guillot"
Organization: Guillot Systems
To: Cynthia He
Cc: Firewalls@GreatCircle.COM
Subject: Re: HELP NEEDED: one time password with chroot ftp?
References: <1.5.4.32.19970130222909.0030742c@mbagate2.mba.com>

Cynthia He wrote:
>
> Hi, all,
>
> I am trying to set up a chroot ftp area for our clients. We also have a
> requirement that users have to use one time passwords to login. I am using
> TIS fwtk.
>
> What I have in netperm-table is something like this:
>
> netacl-ftpd: permit-hosts * -chroot /ftp/others/ -exec /usr/bin/ftpd -d
>
> When a user tries to login, he gets the following error:
>
> 530 Cannot connect to auth server
> ftp: Login failed.
> Remote system type is UNIX.
>
> It seems that the chroot happens before the user gets authenticated and
> hence has no access to the authsrv database. Is there a way to get around this?
>
> Thanks for any help.
>
> Cynthia

Cynthia,

It looks like you are just not connecting the authsrv module.... Make sure there is a definition for the location of the database, eg.

authsrv: database /usr/local/etc/authdb

This should solve your problem..

Happy authing. (:}}

Donald R. Guillot

From firewalls-owner Tue Feb 4 14:34:14 1997
Date: Tue, 04 Feb 1997 02:57:15 -0600
From: "Donald R. Guillot"
Organization: Guillot Systems
To: Ken Hardy
Cc: firewalls@GreatCircle.COM
Subject: Re: Solved: Odd probes at port 7777
References: <199702032341.RAA07664@binki.bridge.com>

Ken Hardy wrote:
>
> I wrote:
>
> >Every couple of days we get an attempted connection to port 7777 from
> >scripps.edu, so I put a byte sucker on that port to log any received
> >data. It seems to be a 4 digit and a 2 digit number separated by a
> >comma, followed by a carriage return.
>
> Further investigation made it apparent that the connection to my port
> 7777 was occurring whenever a connection was made to the remote system's
> SMTP port. The data I captured, two comma-separated decimal numbers
> followed by a carriage return, is identical to an IDENT query. The second number
> was always 25. The lightbulb lights!
>
> I relayed this information to the site's admin. He reports that they
> had recently installed a new version of sendmail which does IDENT
> queries, but why to port 7777? The admin's latest message to me:
>
> >You were on the right track with your comment about services..
> >We are a heavy user of NIS and ident is not a standard Solaris
> >/etc/services daemon. I found that the NIS file contained
> >an ident entry with an alias of auth.. There was an auth entry
> >in the NIS file at port 7777.. I converted it to only use
> >a local copy of the services file.. Hopefully, this will cause
> >the probing you were seeing to go away.. If it doesn't please
> >let me know.. THANKS for the heads-up on the problem!
>
> I don't see this on any of my Solaris systems (not using NIS). I'd
> guess that someone had put an "auth" entry in at 7777 to refer to TIS'
> authsrv, which uses that port.
>                         ^^^^
>
> --
> KH

It looks like TIS default authserver database set-up.....

Donald R. Guillot

From firewalls-owner Tue Feb 4 16:06:49 1997
Date: Tue, 4 Feb 1997 18:33:24 -0500 (EST)
From: john r cordani
To: bextreme@pobox.com
Cc: firewalls@greatcircle.com
Subject: Re: Rainbow Book Series?
In-Reply-To: <199702032222.OAA00279@mail.ptw.com>

The entire series can be had in hard copy from

director, national security agency
infosec awareness
attention: s322
9800 savage road
fort george g meade, md 20755-600

On Sun, 2 Feb 1997, Jesse wrote:

> Hello, does anyone know where I can get the entire Rainbow Book
> Series?
>
> Thanks!!
> -J
> ===================================================
> Finger bextreme@pobox.com for PGP Public Key Block.
> E-mail to jesse.brown@pobox.com
> phone: (805) 942-1391 pager: (805) 267-9511
> ---------------------------------------------------
> Member of the HTML Writers Guild (http://hwg.org)
> ===================================================

From firewalls-owner Tue Feb 4 16:09:40 1997
Date: Tue, 04 Feb 1997 17:47:52 -0500
From: Paul Ferguson
To: mike@ptes.com (Mike Bernhardt)
Cc: msmith@usair.com, firewalls@GreatCircle.COM
Subject: Re: Filtering outbound packets

At 12:03 PM 2/4/97 -0900, Mike Bernhardt wrote:
>Outbound, we only filter for source addresses that are not from our net
>i.e. possibly spoofed addresses, or least bad ones. I don't care what
>protocols go out, as long as they leave here with legitimate addresses.
>

This is, of course, the responsible thing to do. :-)

- paul

--
Paul Ferguson                      ||        ||
Consulting Engineering             ||        ||
Herndon, Virginia USA             ||||      ||||
tel: +1.703.397.5938          ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com        c i s c o  S y s t e m s

From firewalls-owner Tue Feb 4 16:15:08 1997
Date: Tue, 4 Feb 1997 18:55:15 -0500 (EST)
From: FaNgYoU2
To: firewalls@GreatCircle.com
Cc: patton@sysnet.net
Subject: Re: NT network and system management
In-Reply-To: <199702040448.XAA02909@unix1.sysnet.net>

On Mon, 3 Feb 1997, Matthew Patton wrote:

> That's a whole lot of data ...
> ... What is your ultimate goal? Asset management?

Our ultimate goals are:

1) to see which servers are taking a hit on CPU, RAM or disk (may have to provide a better server or split the load);
2) to see which servers are clobbering the LAN;
3) to see which users are clobbering which servers;
4) to detect/watch any intruders that get in; and
5) seek and destroy Homer Simpson if he ever connects to the LAN.

FaNgYou2
^^

From firewalls-owner Tue Feb 4 16:19:30 1997
Date: Tue, 4 Feb 1997 17:06:45 -0600
From: Gary Fitzgerald
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V6 #46 -Reply

I am out of town at a training conference. I will return and answer your mail on February 10th. Thanks.

From firewalls-owner Tue Feb 4 18:34:00 1997
Date: Tue, 4 Feb 1997 19:20:46 -0700 (MST)
From: Poole Stephen
To: john r cordani
Cc: bextreme@pobox.com, firewalls@GreatCircle.COM
Subject: Re: Rainbow Book Series?

You can actually call them and ask them to send you the books. :-)

Steve...

On Tue, 4 Feb 1997, john r cordani wrote:

>
> The entire series can be had in hard copy from
> director, national security agency
> infosec awareness
> attention: s322
> 9800 savage road
> fort george g meade, md 20755-600
>
> On Sun, 2 Feb 1997, Jesse wrote:
>
> > Hello, does anyone know where I can get the entire Rainbow Book
> > Series?
> >
> > Thanks!!
> > -J
> > ===================================================
> > Finger bextreme@pobox.com for PGP Public Key Block.
> > E-mail to jesse.brown@pobox.com
> > phone: (805) 942-1391 pager: (805) 267-9511
> > ---------------------------------------------------
> > Member of the HTML Writers Guild (http://hwg.org)
> > ===================================================
>

From firewalls-owner Tue Feb 4 18:48:52 1997
Date: Tue, 4 Feb 97 21:38:46 -0400
From: Matthew Patton
Message-Id: <199702050415.XAA28125@unix1.sysnet.net>
Subject: RE: Rainbow Book Series?

or http://hightop.nrl.navy.mil/rainbow.html unless my bookmarks are all wrong.
From firewalls-owner Tue Feb 4 19:04:11 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id SAA21754 for firewalls-outgoing; Tue, 4 Feb 1997 18:40:02 -0800 (PST) Received: from unix1.sysnet.net (unix1.sysnet.net [206.142.32.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id SAA21738 for ; Tue, 4 Feb 1997 18:39:48 -0800 (PST) Received: from [206.142.16.40] (bppp6.sysnet.net [206.142.16.40]) by unix1.sysnet.net (8.8.4/8.6.12) with SMTP id XAA28137 for ; Tue, 4 Feb 1997 23:16:02 -0500 (EST) Message-Id: <199702050416.XAA28137@unix1.sysnet.net> Subject: Re: Poor NSA...Hells freezin' over again. Date: Tue, 4 Feb 97 21:38:56 -0400 x-sender: patton@mail.sysnet.net x-mailer: Claris Emailer 1.1 From: Matthew Patton To: Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Having firmly inserted my lower appendage into a certain orifice, let's see how good it tastes when I masticate... BeachCruiser, pelicans@mindspring.com recently wrote: >It (the NSA) is NOT in the business of validating or benchmarking the >systems and products of commercial companies, or trying to please their >systems administrators or corporate shareholders. I understand. So can somebody then explain why I hear repeatedly that "we choose this product cause NSA blessed it" or that the rags make such a big deal out of it? It really grates on my nerves when I hear such lines as the sole justification from those who've never admined a box in their life or don't understand the variables involved. Maybe we're all guilty of saddling NSA with stuff it isn't equipped to deal with (not necessarily technically but financially or time wise). >The clamoring from the user community is that they all want the "most >secure" firewall. Of course they don't know, can't figure out, or agree on >what "secure" even means now any more than they did back then. 
And the >vendors don't know what benchmarks to build to. So, just like they did >back in the TEMPEST days, some simply solve that problem by claiming that >their product's trust level holds some relevance to Orange Book, or some >other rating levels established by the security gods. Whether they >actually did or not was just as much an open question then as it is now. So which one of us is going to raise our hand and yell "reality check!! Will the produce manager come to register 3 to render assistance?" >Well, sure lets just forget about this testing business altogether and let >a defacto standard emerge based on the vendor with the largest installed >base. No I didn't mean to imply any of the kind. My thrust was that given the delay involved in the release of their report, if there had been problems, the market would have found out long before that. Either through the rags doing their varying degrees of 'testing' or in customers' use of the product. TIS was mentioned simply because that was the report case in question. It could have easily been Raptor, or FW1. >Well now something else is wrong...it seems that somebody's whinin' because >the test is not rigorous enough, or the reports are no good, or, the soup's >cold... Come to think of it, Turkey and vegetable soup is not very tasty served cold... Ok, maybe I'm whining and perhaps the NSA did the reviews just to get "us" off their backs. The "beef" in my case is, if they were going to conduct the tests, let's see something a little more than the ordinary, something you CAN'T get from the private sector, something to make joe admin faint in awe at the mighty power and insight of the NSA (no, I'm not being sarcastic... well ok, just a little), something to justify their invenstment in both time and money (at taxpayer expense no less). Essentially, the value added. That or stand up and say "Screw you, we're not in this business to eval firewalls," and let the media and public know it. 
Did they do a poor or incomplete job on the stuff they DID test? No. Just went and reread the NCSA certification rules and they're not half bad. Perhaps I should look into this a little more. Personally I don't mind that NCSA charges for their services. I can understand it costs a pretty penny to provide the facilities and the time and people to conduct the tests even if they might be simple. In any event we and the industry need a watchdog of some sort to establish a baseline. Maybe NCSA is the best forum for the time being. I'm not so sure I'd be willing to let the rags be our conscience. Could the NCSA rating be improved qualitatively with a wider collection of tools? The NID or SPI products perhaps? Running challenge sites (a SCC favorite) for each product? With periodic reports on how they handled new attacks?

The problem with the firewalls issue is that it's only part of the problem. There are a further million and one variables/cases in securing the holistic network, which is what we're driving toward. The case of little applets slipping through the FW into a client which can then do all kinds of mischief really isn't a firewall issue per se. Or an inexperienced web server setup letting someone waltz right on thru to the inside.

>While still others don't seem to have any problem at all when an industry
>rag, owned by a publishing house for godsake, that doesn't know a covert
>channel from the English Channel, puts out a review and within an hour the
>Madison Avenue machine is in overdrive to tell you who won.

These guys really get to me too. A couple of pointers at Network World's review are in order I think.

>If you've got the source, everything is
>crystal clear...right?

To those who can understand it. Can any one person understand it? Probably not. But given how many good minds there are I think a pretty good effort can be made. I like your humor. Something I need to work on...Maybe I should get in touch with my "inner child."
An associate worked for NSA for 10+ years, if anything I ought to be singing its praises.

>uh...more tea anyone?

Thanks, just make it a sweet tea with lemon. PS. Tempest = storm, maelstrom, serious atmospheric disturbance. But I'm sure that definition was NOT the one you wanted.

From firewalls-owner Tue Feb 4 20:19:50 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id UAA00545 for firewalls-outgoing; Tue, 4 Feb 1997 20:07:05 -0800 (PST) Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id UAA00530 for ; Tue, 4 Feb 1997 20:06:51 -0800 (PST) Received: from pm4-28.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA20224; Tue, 4 Feb 97 22:58:16 -0500 Date: Tue, 4 Feb 97 22:58:16 -0500 Message-Id: <9702050358.AA20224@su1.in.net> X-Sender: frankw@in.net (Unverified) X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: From: Frank Willoughby Subject: Re: SATAN user group? Cc: firewalls@GreatCircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 04:51 AM 2/1/97 +1000, you wrote:
>In reply to the honourable 'frankw@in.net' who said:
>
>> The SATAN tool (or SANTA as I prefer to call it - after running the
>> REPENT program) is vastly over-hyped & over-rated. BTW, I hope you
>
>
>sorry but some of us beg to differ, FWIW it's a great tool and I'm sure many of us
>recognise its worth. putting it down the way you did does the author DF a great
>disservice. it's just another tool in the sysadmin's suite of tools or should be seen
>as such, and it performs, what is normally a repetitive and standard set of
>diagnostics that one should be running on one's _own_ network, extremely well.

I maintain my stance that the SATAN/SANTA tool is over-hyped and over-rated. Just before it was released, it made a lot of Information Security Officers (including me) very nervous.
At the time I was a Company (nationwide) Information Security Operations officer for a major US hi-tech company overseas (@3K systems and 6K employees, but I digress). After putting the tool on the bench and seeing what it really does, we breathed a lot easier. Here are a few reasons why:

o The software was/is out-dated (even when it was released). If you are keeping your software current, then it is highly likely that your system will contain patches for vulnerabilities that the SANTA tool would detect.

o An Operating System (O/S) contains 5 major components - Accounts, Auditing, File System, Network, & System areas (root files, system binaries, etc.). In performing its testing, the SANTA tool relies on the network component (only) of the Operating System to tell you about the security of the *entire* O/S (as seen by the network). While this is a noble goal, it falls far short. Non-networking components of the O/S are not evaluated. IOW, if your networking component is secure, but your system is wide open because of problems in other areas, your system is vulnerable to being taken over - in spite of a report from SANTA that your system is OK. Use the right tool for the right job. SANTA tests (primarily) the networking component, and it doesn't do that very well, IMHO.

o The SANTA tool performs a very small portion of the tests that ISS and other vendors' products perform. If it doesn't test for attacks such as SYN-flooding or the "Ping-of-death", then it can't tell you if these will be a problem for you or not.

o A "clean bill of health" from the SANTA tool gives the sysadmin a false sense of security about the security of his/her systems.

o At best, the SANTA tool will tell the beginner sysadmin if they have overlooked something basic, but beyond that, it is useless.

o Another nit is the choice of the name that was chosen. In one stroke, DF & WV managed to alienate those who are offended by the name "SATAN". The name SATAN signifies the epitome of evil.
If the tool was intended to be used for good rather than evil purposes, the choice of the name was the worst one possible. I don't know the agenda behind the name, but I am curious why they chose that particular name rather than any of a multitude of other suitable names.

o It is my understanding that a trojan horse was planted (by a hacker) in version 1.1 of the tool. If you really insist on using the tool, run the latest version possible (or v1.1.1 as a minimum).

o It is probably worth checking the 'net for free & commercial versions of tools similar to the SANTA tool. You will probably find other tools which provide better coverage than the SANTA tool.

o Use the right tool for the right job. A network security tool is only one of many tools which a skilled Information Security Officer uses to keep their environment secure.

Santa does have two redeeming graces, but they don't outweigh the disadvantages, IMHO. The few advantages are:

o The source code is available, so it can be modified to run on custom platforms.

o Further, since the source code is available, any sysadmin can add custom modules to the tool (OTOH, so can the hackers).

Last, but not least, if one of our customers has heard of the tool and is curious what it looks like, we will show it to them. Then we will show them that our typical network security analysis services (such as Firewall Penetration Tests, etc.) discover far more potential problem areas than the SANTA tool ever could. FWIW, the contrast between the "much-feared" SANTA tool and the far more extensive tests that we run makes *quite* a favorable impression on our customers.

Best Regards, Frank ======================================================================= | Fortified Networks, Inc.
- Expert Information Security Consulting | | Web: http://www.fortified.com | | Phone: (317) 573-0800 | | Fax: (317) 573-0817 | =======================================================================

From firewalls-owner Tue Feb 4 21:08:29 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id VAA03514 for firewalls-outgoing; Tue, 4 Feb 1997 21:01:08 -0800 (PST) Received: from ns1.ntshop.com ([207.91.166.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id VAA03475 for ; Tue, 4 Feb 1997 21:00:47 -0800 (PST) Received: from boulder.ntshop.net ([207.91.166.17]) by ns1.ntshop.com (post.office MTA v2.0 0813 ID# 153-13296) with SMTP id AAA230; Tue, 4 Feb 1997 22:58:24 -0600 Received: by boulder.ntshop.net with Microsoft Mail id <01BC12EF.12A4B880@boulder.ntshop.net>; Tue, 4 Feb 1997 22:59:27 -0600 Message-ID: <01BC12EF.12A4B880@boulder.ntshop.net> From: Mark Joseph Edwards To: "'jesse.brown@pobox.com'" Cc: "'firewalls@greatcircle.com'" Subject: RE: Rainbow Book Series? RIGHT HERE ONLINE Date: Tue, 4 Feb 1997 22:59:22 -0600 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

There are pointers to most of the Rainbow books (online versions) on this Web page, click "NT Security Risks", then go down to "Other Resources". http://www.ntshop.net/security mark

-----Original Message----- From: john r cordani [SMTP:cordanjr@cs.jmu.edu] Sent: Tuesday, February 04, 1997 5:33 PM To: bextreme@pobox.com Cc: firewalls@greatcircle.com Subject: Re: Rainbow Book Series?

The entire series can be had in hard copy from director, national security agency infosec awareness attention: s322 9800 savage road fort george g meade, md 20755-600

On Sun, 2 Feb 1997, Jesse wrote:
> Hello, does anyone know where I can get the entire Rainbow Book
> Series?
>
> Thanks!!
> -J
> ===================================================
> Finger bextreme@pobox.com for PGP Public Key Block.
> E-mail to jesse.brown@pobox.com
> phone: (805) 942-1391 pager: (805) 267-9511
> ---------------------------------------------------
> Member of the HTML Writers Guild (http://hwg.org)
> ===================================================

From firewalls-owner Wed Feb 5 01:34:01 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id BAA20396 for firewalls-outgoing; Wed, 5 Feb 1997 01:27:52 -0800 (PST) Received: from sigg.com (NS.SIGG.COM [192.225.9.1]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id BAA20387 for ; Wed, 5 Feb 1997 01:27:42 -0800 (PST) Received: by firewall.sigg.com id <19643>; Wed, 5 Feb 1997 03:23:04 -0600 Illegal-Object: Syntax error in Return-path: address found on firewall.sigg.com: Return-path: <> ^-expected word Message-Id: <97Feb5.032304cst.19643@firewall.sigg.com> X-Mailer: Novell GroupWise 4.1 Date: Wed, 5 Feb 1997 03:31:55 -0600 From: Gary Fitzgerald To: Firewalls@GreatCircle.COM Subject: Firewalls-Digest V6 #47 -Reply Mime-Version: 1.0 Content-Type: text/plain Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I am out of town at a training conference. I will return and answer your mail on February 10th. Thanks.
From firewalls-owner Wed Feb 5 07:30:52 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id GAA04936 for firewalls-outgoing; Wed, 5 Feb 1997 06:49:16 -0800 (PST) Received: from dante.sapient.com (dante.sapient.com [207.121.0.5]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id GAA04892 for ; Wed, 5 Feb 1997 06:48:57 -0800 (PST) Received: (from mail@localhost) by dante.sapient.com (8.6.11/8.6.11) id JAA01321 for ; Wed, 5 Feb 1997 09:47:35 -0500 Received: from smtpgate.sapient.com(172.16.1.7) by dante.sapient.com via smap (V1.3) id smaa01315; Wed Feb 5 09:47:07 1997 Received: by galaxy.sapient.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC1349.676F77B0@galaxy.sapient.com>; Wed, 5 Feb 1997 09:46:04 -0500 Message-ID: From: Timothy Tu To: "'Firewalls@GreatCircle.COM'" Subject: proxy and newsgroups Date: Wed, 5 Feb 1997 09:45:04 -0500 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi, I need some help. Is there a way to access my ISP's newsgroups through my work's connection that has a proxy server on an NT or 95? If so, do you know which news reader program supports it? Thanks. Timothy Tu lt10@cornell.edu

From firewalls-owner Wed Feb 5 07:37:47 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id GAA05168 for firewalls-outgoing; Wed, 5 Feb 1997 06:56:34 -0800 (PST) Received: from gargoyle.clark.net (gargoyle.clark.net [168.143.0.250]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id GAA05142 for ; Wed, 5 Feb 1997 06:56:16 -0800 (PST) Received: (qmail 26767 invoked by uid 500); 5 Feb 1997 05:57:06 -0000 Date: Wed, 5 Feb 1997 00:57:06 -0500 (EST) From: "Paul D. Robertson" X-Sender: proberts@gargoyle To: Frank Willoughby cc: winspace@geko.net.au, firewalls@GreatCircle.COM Subject: Re: SATAN user group? In-Reply-To: <9702050358.AA20224@su1.in.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Tue, 4 Feb 1997, Frank Willoughby wrote:
> o The software was/is out-dated (even when it was released). If you are
> keeping your software current, then it is highly likely that your system
> will contain patches for vulnerabilities that the SANTA tool would detect.

From what I've heard, the 3rd pre-release was very aggressive, and like all tools, it needs to remain current.

> because of problems in other areas, your system is vulnerable to being
> taken over - in spite of a report from SANTA that your system is OK.
> Use the right tool for the right job. SANTA tests (primarily) the
> networking component, and it doesn't do that very well, IMHO.

It's quite specifically targeted for networks.

>
> o The SANTA tool performs a very small portion of the tests that ISS
> and other vendors' products perform. If it doesn't test for attacks
> such as SYN-flooding or the "Ping-of-death", then it can't tell you
> if these will be a problem for you or not.

It's very difficult to run a denial-of-service attack without denying service, don't you think? Most of us who claim it doesn't do enough are the same ones who would claim it did too much for the bad guys if it were released with a more aggressive suite of tests.

> o A "clean bill of health" from the SANTA tool gives the sysadmin a false
> sense of security about the security of his/her systems.

If they don't know what it does, and doesn't do. This is true of *every* analysis tool.

> o At best, the SANTA tool will tell the beginner sysadmin if they
> have overlooked something basic, but beyond that, it is useless.

It's extensible, and that's one of its main features, if you don't grow it, then yes, it's not much more than a rubber stamp for a limited set of vulnerabilities, that's true of any analysis tool in a dynamic environment.

> o Another nit is the choice of the name that was chosen. In one stroke,
> DF & WV managed to alienate those who are offended by the name "SATAN".
> The name SATAN signifies the epitome of evil. If the tool was intended
> to be used for good rather than evil purposes, the choice of the name
> was the worst one possible. I don't know the agenda behind the name,
> but I am curious why they chose that particular name rather than any of a
> multitude of other suitable names.

If the name of a program is that bad to someone, then I'd respectfully suggest that they're in the wrong line of work. Given, if I recall correctly, Dan's naming of a program Fuck!, SATAN could even be considered a step up. :)

> o Further, since the source code is available, any sysadmin can add
> custom modules to the tool (OTOH, so can the hackers).

With a C compiler, any sysadmin can write nice helpful programs. On the other hand, evil hackers can write mean and nasty programs. ?

Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts@clark.net which may have no basis whatsoever in fact."
PSB#9280 From firewalls-owner Wed Feb 5 07:58:42 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id HAA06672 for firewalls-outgoing; Wed, 5 Feb 1997 07:24:40 -0800 (PST) Received: from tuna.wang.com (TUNA.wang.com [150.124.136.4]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id HAA06654 for ; Wed, 5 Feb 1997 07:24:28 -0800 (PST) Received: from mars.wangfed.com (mars.Wangfed.COM [159.94.10.1]) by tuna.wang.com (8.6.12/8.6.12tf1) with SMTP id KAA11781; Wed, 5 Feb 1997 10:23:18 -0500 Received: from uc0009.wangfed.com (uc0009 [159.94.10.15]) by mars.wangfed.com (8.8.4/3.8) with SMTP id KAA29114; Wed, 5 Feb 1997 10:29:22 -0500 (EST) Received: from [159.94.14.48] by uc0009.wangfed.com (BULL 5.61++/B.O.S 02.01) id AA00388; Wed, 5 Feb 97 10:14:08 -0500 Date: Wed, 5 Feb 97 10:14:08 -0500 Message-Id: <9702051514.AA00388@uc0009.wangfed.com> From: "K.M." Reply-To: "K.M." To: patton@sysnet.net, firewalls@GreatCircle.COM Subject: Re: Rainbow Book Series? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In message <199702050415.XAA28125@unix1.sysnet.net> Matthew Patton writes: > or http://hightop.nrl.navy.mil/rainbow.html unless my bookmarks are all > wrong. NRL has closed its web site to all domain names except those ending in .gov or .org. Karen Goertzel ===== K.M. Goertzel Manager, Business Development Secure Systems & Services Operation WANG FEDERAL, Inc. 
7900 Westpark Drive - MS 700 McLean, VA 22102-4299 USA tel (703)827 3914 fax (703)827 3161 email goertzek@wangfed.com From firewalls-owner Wed Feb 5 08:46:23 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id HAA08313 for firewalls-outgoing; Wed, 5 Feb 1997 07:50:46 -0800 (PST) Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id HAA08305 for ; Wed, 5 Feb 1997 07:50:30 -0800 (PST) Received: (qmail 2923 invoked from smtpd); 5 Feb 1997 15:49:21 -0000 Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 5 Feb 1997 15:49:21 -0000 Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id JAA03997; Wed, 5 Feb 1997 09:49:21 -0600 Received: by sonic.nmti.com; id AA08998; Wed, 5 Feb 1997 09:43:46 -0600 From: peter@baileynm.com (Peter da Silva) Message-Id: <9702051543.AA08998@sonic.nmti.com.nmti.com> Subject: Re: SATAN user group? To: frankw@in.net (Frank Willoughby) Date: Wed, 5 Feb 1997 09:43:45 -0600 (CST) Cc: winspace@geko.net.au, firewalls@GreatCircle.com In-Reply-To: <9702050358.AA20224@su1.in.net> from "Frank Willoughby" at Feb 4, 97 10:58:16 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > o Another nit is the choice of the name that was chosen. In one stroke, > DF & WV managed to alienate those who are offended by the name "SATAN". > The name SATAN signifies the epitome of evil. If the tool was intended > to be used for good rather than evil purposes, the choice of the name > was the worst one possible. I don't know the agenda behind the name, > but I am curious why they chose that particular name than any of a > multitude of other suitable names. What, you mean like maybe "the Farmer Universal Cracking Kit"? 
From firewalls-owner Wed Feb 5 09:01:23 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id IAA10595 for firewalls-outgoing; Wed, 5 Feb 1997 08:20:01 -0800 (PST) Received: from arden.iss.net (arden.iss.net [204.241.60.8]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id IAA10554 for ; Wed, 5 Feb 1997 08:19:42 -0800 (PST) Received: from localhost (davem@localhost) by arden.iss.net (8.8.5/8.7.3) with SMTP id LAA16282; Wed, 5 Feb 1997 11:17:23 -0500 X-Authentication-Warning: arden.iss.net: davem owned process doing -bs Date: Wed, 5 Feb 1997 11:17:23 -0500 (EST) From: "David J. Meltzer" To: "Paul D. Robertson" cc: Frank Willoughby , winspace@geko.net.au, firewalls@GreatCircle.COM Subject: Re: SATAN user group? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> It's very difficult to run a denial-of-service attack without denying
> service, don't you think? Most of us who claim it doesn't do enough are
> the same ones who would claim it did too much for the bad guys if it were
> released with a more aggressive suite of tests.

This is a very subtle point. There are some denial of service attacks that are nearly impossible to test for under certain conditions without going ahead and actually performing the attack. Something like the ping of death or a UDP bomb can very likely fall into this category for a network based check. (Another method of testing, logging into each machine and discovering the specific operating system and kernel revision, is a way to avoid performing the denial of service attack, but brings with it its own set of problems and disadvantages). A test for a syn flood attack is possible to check for remotely in such a way that it has a very minimal impact on the service that you are attempting to flood.
The syn flood denial of service test that is a part of ISS does perform an actual denial of service, but it only shuts down the service for a split second before reversing the impact of the attack and opening the service back up. That might fall into a very small acceptable DoS attack you could test against a production system. I think we can all agree though that it is far better for a system or security administrator to test for vulnerabilities to these problems under controlled timing and conditions than it is to figure out what machines are vulnerable to attack when a hacker starts performing it at 4 a.m. on a Sunday morning. -Dave --------------------------------+--------------------- David J. Meltzer | Email: davem@iss.net Systems Engineer | Web: www.iss.net Internet Security Systems, Inc. | Fax: (770)395-1972

From firewalls-owner Wed Feb 5 09:32:22 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id IAA09719 for firewalls-outgoing; Wed, 5 Feb 1997 08:05:07 -0800 (PST) Received: from ITSFW.internal.cits.com (itsfw.cits.com [57.192.1.9]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id IAA09488 for ; Wed, 5 Feb 1997 08:04:04 -0800 (PST) Received: by ITSFW.internal.cits.com (AIX 4.1/UCB 5.64/4.03) id AA11202; Wed, 5 Feb 1997 17:07:22 +0100 Received: from itsgtw.internal.cits.com(124.10.10.10) by ITSFW via smap (V1.3) id sma012732; Wed Feb 5 17:06:40 1997 Received: from sscherrer.internal.cits.com by ITSGTW.internal.cits.com (AIX 3.2/UCB 5.64/4.03) id AA10889; Wed, 5 Feb 1997 16:47:22 +0100 Message-Id: <32F8AFCA.246D@cits.com> Date: Wed, 05 Feb 1997 17:05:32 +0100 From: Stephane Scherrer X-Sender: Stephane Scherrer (Unverified) X-Mailer: Mozilla 4.0b1 (Win95; I) Mime-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: Source port filtering rules...
X-Priority: Normal References: <199702040443.UAA01246@miles.greatcircle.com> Content-Type: multipart/mixed; boundary="----------5B574DC5BC10" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi everybody,

I'm currently having a slight problem with a remote site and would appreciate any help on this. Here is where it lies:

I'm currently running the TIS Firewall Toolkit with a screening router between it and the Internet...

         -----      -------------------      ----------
        | TIS |----| Screening Router |----| Internet |
         -----      -------------------      ----------

The screening router is configured with defined filter rules, and one of these rules is causing us lots of trouble:

        allow X (Port>=1024)   ---------> FW (Port=25)

or in "Cisco Language":

        access-list 130 permit tcp any gt 1023 FWIPaddress FWnetmask eq 25

It didn't sound wrong to me...except when a remote site contacted me saying that they couldn't send us any Mail... Further investigation showed that their Mail packets in destination of our Mail server had a source port below 1024... I reported the problem to them and they investigated on their side...

Here lies the problem: They were told by Checkpoint software (who installed their firewall including a NAT) that we shouldn't filter incoming packets on the source port !!!!

If anybody could answer these two questions, it would greatly help me:
    - Is there any real security problem if you don't filter source port on incoming packets?
    - Should these kinds of packets (source port <1024 to destination port =25) be allowed to pass through?

Thanks very much for any help on this one.

Stephane Scherrer
MIS Project Manager
ITS EUMA
Email : sscherrer@cits.com
Voice : (33)-1-41 16 23 58
Fax : (33)-1-41 16 22 17
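As an added example (not part of Stephane's post, and not code from TIS, Cisco or Checkpoint), the Python below models a small subset of Cisco extended-ACL syntax and evaluates the rule from the post over constructed packets: an ordinary remote MTA, the NAT'd MTA whose source port fell below 1024, and, for the question of whether source-port filtering matters at all, a return-traffic rule that trusts the source port with and without Cisco's `established` keyword (which matches only segments carrying ACK or RST). The addresses 192.0.2.25 (standing in for FWIPaddress), 192.0.2.0/24 (the inside network), the remote addresses and the port numbers are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List

# Assumed addresses (constructed for this example, RFC 5737 documentation space):
# 192.0.2.25 stands in for "FWIPaddress" (the TIS host), 192.0.2.0/24 for the inside net.
FW_IP = "192.0.2.25"


@dataclass
class Packet:
    """The TCP/IP header fields an extended ACL on a screening router can see."""
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # a fresh SYN carries neither ACK nor RST
    rst: bool = False


@dataclass
class ACE:
    permit: bool
    src: Callable[[ipaddress.IPv4Address], bool]
    sport: Callable[[int], bool]
    dst: Callable[[ipaddress.IPv4Address], bool]
    dport: Callable[[int], bool]
    established: bool  # Cisco 'established': match only if ACK or RST is set


def _parse_addr(tok: List[str], i: int):
    """any | host A.B.C.D | A.B.C.D W.W.W.W  (Cisco wildcard mask: 1 bits are don't-care)."""
    if tok[i] == "any":
        return (lambda a: True), i + 1
    if tok[i] == "host":
        ip = ipaddress.ip_address(tok[i + 1])
        return (lambda a, ip=ip: a == ip), i + 2
    net, wild = int(ipaddress.ip_address(tok[i])), int(ipaddress.ip_address(tok[i + 1]))
    return (lambda a, net=net, wild=wild: (int(a) | wild) == (net | wild)), i + 2


def _parse_port(tok: List[str], i: int):
    """Optional eq/gt/lt/neq/range clause; absent means any port."""
    if i >= len(tok) or tok[i] not in ("eq", "gt", "lt", "neq", "range"):
        return (lambda p: True), i
    if tok[i] == "range":
        lo, hi = int(tok[i + 1]), int(tok[i + 2])
        return (lambda p, lo=lo, hi=hi: lo <= p <= hi), i + 3
    n = int(tok[i + 1])
    ops = {"eq": lambda p: p == n, "gt": lambda p: p > n,
           "lt": lambda p: p < n, "neq": lambda p: p != n}
    return ops[tok[i]], i + 2


def parse_ace(line: str) -> ACE:
    """Parse 'access-list N permit|deny tcp SRC [PORT] DST [PORT] [established]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "tcp":
        raise ValueError("only extended tcp entries are modelled: " + line)
    src, i = _parse_addr(tok, 4)
    sport, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)
    return ACE(tok[2] == "permit", src, sport, dst, dport,
               i < len(tok) and tok[i] == "established")


def evaluate(acl: List[str], pkt: Packet) -> str:
    """First matching entry wins; every Cisco ACL ends in an implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for ace in map(parse_ace, acl):
        if (ace.src(s) and ace.sport(pkt.sport) and ace.dst(d) and ace.dport(pkt.dport)
                and (not ace.established or pkt.ack or pkt.rst)):
            return "permit" if ace.permit else "deny"
    return "deny"


# The rule from the post (placeholders filled in), the same rule keyed on the destination
# port only, and a return-traffic rule that trusts the *source* port, without/with 'established'.
ORIGINAL_RULE = [f"access-list 130 permit tcp any gt 1023 host {FW_IP} eq 25"]
REVISED_RULE = [f"access-list 130 permit tcp any host {FW_IP} eq 25"]
RETURN_RULE = ["access-list 130 permit tcp any eq 25 192.0.2.0 0.0.0.255 gt 1023"]
RETURN_RULE_EST = [RETURN_RULE[0] + " established"]

# Constructed sample traffic arriving on the router's outside interface.
MTA_NORMAL = Packet("198.51.100.7", 2049, FW_IP, 25)            # ordinary remote MTA
MTA_BEHIND_NAT = Packet("198.51.100.9", 1023, FW_IP, 25)        # NAT chose a low source port
FORGED_SYN = Packet("203.0.113.5", 25, "192.0.2.10", 6000)      # SYN at X11, source port set to 25
REAL_REPLY = Packet("203.0.113.5", 25, "192.0.2.10", 4000, ack=True)  # reply in a live session


def source_port_filter_results() -> dict:
    """Verdict pairs for each rule set, keyed by rule-set name."""
    return {
        "original": (evaluate(ORIGINAL_RULE, MTA_NORMAL), evaluate(ORIGINAL_RULE, MTA_BEHIND_NAT)),
        "revised": (evaluate(REVISED_RULE, MTA_NORMAL), evaluate(REVISED_RULE, MTA_BEHIND_NAT)),
        "return": (evaluate(RETURN_RULE, FORGED_SYN), evaluate(RETURN_RULE, REAL_REPLY)),
        "return_established": (evaluate(RETURN_RULE_EST, FORGED_SYN),
                               evaluate(RETURN_RULE_EST, REAL_REPLY)),
    }


if __name__ == "__main__":
    for name, verdicts in source_port_filter_results().items():
        print(f"{name:19s} {verdicts}")
```

Run as a script it prints one verdict pair per rule set. The original rule admits the ordinary MTA and silently drops the NAT'd one, while keying on the destination port alone admits both; the return-traffic rule shows where trusting source ports actually bites: an entry that lets "source port 25 to any high port" back in will pass a SYN aimed at X11 on an inside host whose sender simply chose source port 25, until the entry is qualified with `established`, after which only segments with ACK or RST (replies within an existing session) get through.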
From firewalls-owner Wed Feb 5 10:00:37 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id IAA11564 for firewalls-outgoing; Wed, 5 Feb 1997 08:30:32 -0800 (PST) Received: from ait.nrl.navy.mil (ait.nrl.navy.mil [132.250.128.5]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id IAA11514 for ; Wed, 5 Feb 1997 08:30:15 -0800 (PST) Received: from enterprise (rtaylor@enterprise [132.250.128.5]) by ait.nrl.navy.mil (8.8.3/8.8.3) with ESMTP id LAA11822; Wed, 5 Feb 1997 11:28:23 -0500 (EST) Message-Id: <199702051628.LAA11822@ait.nrl.navy.mil> To: "K.M." cc: patton@sysnet.net, webmaster@hightop.nrl.navy.mil, firewalls@greatcircle.com Subject: Re: Rainbow Book Series? In-reply-to: Your message of Wed, 05 Feb 1997 10:14:08 EST. <9702051514.AA00388@uc0009.wangfed.com> Date: Wed, 05 Feb 1997 11:28:22 -0500 From: Randy Taylor Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> In message <199702050415.XAA28125@unix1.sysnet.net> Matthew Patton writes:
> > or http://hightop.nrl.navy.mil/rainbow.html unless my bookmarks are all
> > wrong.
>
>
> NRL has closed its web site to all domain names except those ending in .gov or
> .org.

Incorrect. The NRL Information Systems Security Branch, which is part of the Naval Research Laboratory, has closed its web site to all but the .mil and .gov network domains.
Other divisions and branches of the Naval Research Laboratory choose their own access policies - most are, in fact, open to public browsing. Just wanted to clear up that bit of misinformation from Ms. Goertzel. Randy Taylor Supporting Code 1221.3, Information Systems Security Branch Naval Research Laboratory Washington, D.C. email: rtaylor@hightop.nrl.navy.mil webmaster@hightop.nrl.navy.mil

From firewalls-owner Wed Feb 5 10:30:52 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id JAA15400 for firewalls-outgoing; Wed, 5 Feb 1997 09:01:47 -0800 (PST) Received: from mitchell.cap.af.mil (mitchell.cap.af.mil [132.60.58.11]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id JAA15354 for ; Wed, 5 Feb 1997 09:01:14 -0800 (PST) Received: from localhost (cmilam@localhost) by mitchell.cap.af.mil (8.7.6/8.7.3-961117-BC) with SMTP id KAA17085; Wed, 5 Feb 1997 10:52:04 -0600 Date: Wed, 5 Feb 1997 10:52:04 -0600 (CST) From: "Milam, Charles R. 1LT CAP" To: "K.M." cc: patton@sysnet.net, firewalls@GreatCircle.COM Subject: Re: Rainbow Book Series? In-Reply-To: <9702051514.AA00388@uc0009.wangfed.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Wed, 5 Feb 1997, K.M. wrote:
> NRL has closed its web site to all domain names except those ending in .gov or
> .org.

Actually, it's closed to .gov and .mil. Don't feel bad, all I get is a "Server is refusing connections now. Sorry." message, anyway.
---------------------------------------------------------------------- 1LT Chuck Milam, CAP cmilam@cap.af.mil United States Air Force Auxiliary http://www.cap.af.mil/ Civil Air Patrol National Headquarters Comm: (334) 953-4271 Maxwell Air Force Base, AL DSN: 493-4271

From firewalls-owner Wed Feb 5 10:41:14 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id JAA20531 for firewalls-outgoing; Wed, 5 Feb 1997 09:59:28 -0800 (PST) Received: from bgc.bostongas.com (bgc.bostongas.com [208.202.16.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id JAA20494 for ; Wed, 5 Feb 1997 09:59:09 -0800 (PST) Received: by bgc.bostongas.com; id MAA23191; Wed, 5 Feb 1997 12:56:02 -0500 (EST) Received: from unknown(10.129.1.4) by bgc.bostongas.com via smap (V3.1) id xma023185; Wed, 5 Feb 97 12:55:58 -0500 Received: from NetWare MHS (SMF70) by smtp.bostongas.com via Connect2-SMTP 4.20B.3; Wed, 5 Feb 1997 12:52:22 -0500 Message-ID: <4A30323C013C41D9@smtp.bostongas.com> Date: Wed, 5 Feb 1997 12:37:24 -0500 From: "Kolenko, Marc" Organization: BOSTON GAS COMPANY To: firewalls@greatcircle.com Subject: Sandbox? MIME-Version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-disposition: inline Content-transfer-encoding: 7bit X-Mailer: Connect2-SMTP 4.20B.3 MHS/SMF to SMTP Gateway Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Friends, can someone give me the 2 minute drill on the architectural definition of "SANDBOX"? Does it relate to typical DMZ configurations usually alluded to in Firewall placement discussions? thanks in advance Marc ******************************************* Marc M. Kolenko, Boston Gas Co. Strategic IT Planning mkolenko@bostongas.com -or- kolenko@tiac.net 617.723.5512; x-2669 ******************************************* -------------------------------------------------------------------------- --------- "The opinions expressed here are my own and do not represent the views or opinions of Boston Gas Co."
-------------------------------------------------------------------------- --------- From firewalls-owner Wed Feb 5 11:39:23 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id KAA26142 for firewalls-outgoing; Wed, 5 Feb 1997 10:55:41 -0800 (PST) Received: from ibmmail.COM (ibmmail.com [199.171.26.3]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id KAA26130 for ; Wed, 5 Feb 1997 10:55:29 -0800 (PST) From: uskanbye@ibmmail.com Message-Id: <199702051855.KAA26130@miles.greatcircle.com> Received: from ibmmail by ibmmail.COM (IBM VM SMTP V2R3) with BSMTP id 9360; Wed, 05 Feb 97 13:54:22 EST Date: Wed, 05 Feb 1997 13:53:24 EST To: firewalls@GreatCircle.COM X-Sender-Info: Mitchell Ummel CSP CCP, KDHE Network Manager Office of Information Systems, Tech Services Section MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: DLSw (Data Link Switching) through a firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The question is how (or if) DLSw can be passed through a firewall (without opening up the entire network). Our WAN includes remote sites that are running SNA encapsulated within IP (DLSw) via CISCO routers. We're hoping to NOT have to move them to pure IP before firewall implementation. Is anybody aware of an implementation (or has done this)? Any/all advice appreciated. By the way, Eagle Raptor NT is the selected firewall... 
--------KANSAS DEPARTMENT OF HEALTH & ENVIRONMENT--------- -----------------WWW.INK.ORG\PUBLIC\KDHE------------------ ----------Mills Bldg Suite 501 Topeka, KS 66612----------- ---------Phone (913) 296-5643 FAX (913) 296-8943---------- From firewalls-owner Wed Feb 5 11:50:45 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id KAA20890 for firewalls-outgoing; Wed, 5 Feb 1997 10:01:34 -0800 (PST) Received: from zonk.geko.net.au (zonk.geko.net.au [203.2.239.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id KAA20790 for ; Wed, 5 Feb 1997 10:00:52 -0800 (PST) Received: from mozart.void.hell.net (dialup2057.geko.net.au [203.25.225.57]) by zonk.geko.net.au (8.7.5/8.6.12) with ESMTP id EAA02167; Thu, 6 Feb 1997 04:59:54 +1100 (EST) Received: from beethoven ([192.168.0.2]) by mozart.void.hell.net with smtp id m0vsBjj-000Jn4C (Debian Smail-3.2 1996-Jul-4 #2); Thu, 6 Feb 1997 05:06:23 +1100 (EST) Message-Id: Date: Thu, 6 Feb 1997 04:59:54 +1000 From: (Norman Widders) To: Subject: Re: SATAN user group? Reply-To: Organisation: W.C.E. Consulting X-Mailer: Mailbase for NT v1.2.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In reply to the honourable 'frankw@in.net' who said: > o The software was/is out-dated (even when it was released). If you are This assumption is incorrect. The software was designed to perform basic diagnostics and port/services evaluation. OTOH, all software is out-dated by the time it's released; it's only while it's still fresh in the mind of the developer that it's new. This is especially true for patches also. Take the latest set of sendmail patches from 8.7.x to 8.8.5 for example. > o The SANTA tool performs a very small portion of the tests that ISS I said satan is one component, another tool in the IS suite. 
I also recommend tripwire, courtney, tcpdump, cops, tiger, hobgoblin, ISS, fwtk, crack and numerous others to provide a well rounded toolbox. One should never rely solely on one specific tool. For further penetration testing write your own utilities, download the current black-hat rootkits, and examine thoroughly the actual system being tested. > o A "clean bill of health" from the SANTA tool give the sysadmin a false > sense of security about the security of his/her systems. Any person that feels secure in their setup is at risk. A clean bill of health is only given by a security consultant based on sound security practices and techniques. Using tools merely assists one here, but keep a healthy paranoia at all times. > o At best, the SANTA tool will tell the beginner sysadmin if they > have overlooked something basic, but beyond that, it is useless. What is a beginner sysadmin doing in charge of security? Security is for those with the required expertise. > o Another nit is the choice of the name that was chosen. In one stroke, This is a pointless argument that has been repeated over and over; acronyms are acronyms and usually go into /dev/null. > o It is my understanding that a trojan horse was planted (by a hacker) If you run checksums on the binaries and only download from the original trusted site, then it is not an issue. > You will probably find other tools which provide better coverage than the SANTA > tool. Complete coverage is not provided by any tool or tools; it is only through the IS personnel's knowledge and diligence that one attains 'complete coverage'. Which again relies partly on having a diverse range of tools to assist one in automating basic tasks. > o Use the right tool for the right job. A network security tool is only > one of many tools which a skilled Information Security Officer uses > to keep their environment secure. This is what I have been saying all along. 
> show them that our typical network security analysis services (such as > Firewall Penetration Tests, etc.) discover far more potential problem > areas than the SANTA tool ever could. Assessing the risks and trouble spots in one's network/firewall is a multistep process; rearrange as per your preferences. 1. install and run the standard tools, check versions, holes etc. 2. write and run _your_ own specific scripts and programs. 3. investigate the known problem areas 4. manually go through one's own acquired checklist of problems. Step 1 is where one hopefully makes use of tools like satan. Are you advising people not to make use of an available tool? Or do we continue to reinvent the wheel? > "much-feared" SANTA tool and the far more extensive tests that we run > makes *quite* a favorable impression on our customers. Impressing customers is far less important than knowing the end result will be effective. cheers +------------------------------------------------------------+ | | | _/_/ _/_/ _/_/_/_/_/_/ _/_/_/_/_/_/ | | _/_/ _/_/ _/_/_/ _/_/ | | _/_/ _/_/ _/_/ _/_/ _/_/_/ | | _/_/_/_/_/_/ _/_/_/ _/_/ | | _/_/ _/_/ _/_/_/_/_/_/ _/_/_/_/_/_/ | | | | winspace@geko.net.au - Software Engineering in SQL and C++ | +------------------------------------------------------------+ From firewalls-owner Wed Feb 5 12:21:05 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id LAA27559 for firewalls-outgoing; Wed, 5 Feb 1997 11:07:51 -0800 (PST) Received: from darkstar.sysinfo.com (darkstar.sysinfo.com [204.246.65.62]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id LAA27550 for ; Wed, 5 Feb 1997 11:07:38 -0800 (PST) Received: from parka.winternet.com (dufresne@parka.winternet.com [198.174.169.9]) by darkstar.sysinfo.com (8.8.2/8.8.2) with SMTP id NAA15228; Wed, 5 Feb 1997 13:08:25 -0600 Date: Wed, 5 Feb 1997 12:58:31 -0600 (CST) From: Ron DuFresne To: "Kolenko, Marc" cc: firewalls@GreatCircle.COM Subject: Re: Sandbox? 
In-Reply-To: <4A30323C013C41D9@smtp.bostongas.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 5 Feb 1997, Kolenko, Marc wrote: > Friends > > can some one give me the 2 minute drill on the architectural definition > of "SANDBOX"? > > Does it relate to typical DMZ configurations usually alluded to in > Firewall placement discussions? If I'm recalling things correctly, the sandbox mentioned and referred to is in regards to chrooted systems. Later, Ron DuFresne ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything. From firewalls-owner Wed Feb 5 12:28:16 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id LAA01204 for firewalls-outgoing; Wed, 5 Feb 1997 11:32:02 -0800 (PST) Received: from andromeda.tectel.com.mx ([200.23.62.194]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id LAA01108 for ; Wed, 5 Feb 1997 11:31:36 -0800 (PST) Received: from port3.tectel.com.mx ([200.23.62.131]) by andromeda.tectel.com.mx (Netscape Mail Server v2.0) with SMTP id AAA2232; Wed, 5 Feb 1997 13:20:38 -0600 Received: by port3.tectel.com.mx with Microsoft Mail id <01BC1369.07930260@port3.tectel.com.mx>; Wed, 5 Feb 1997 13:32:27 -0600 Message-ID: <01BC1369.07930260@port3.tectel.com.mx> From: Colegio de Contadores To: "'Firewalls@GreatCircle.COM'" Cc: "'support@access1.sun.com'" , "'support@sunsoft.com'" Subject: hardware requeriment. Date: Wed, 5 Feb 1997 13:32:15 -0600 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello. 
I'm new on the list, and I'd like to talk about Solaris Firewall. Which is the recommended hardware to install this firewall on the x86 platform? Processor? Memory? CPU clock? My link is going to be 128 kbps. I'm thinking of using an HP Vectra VE 486/66. Thanks for your comments. Israel Zavalza Bahena Contanet. From firewalls-owner Wed Feb 5 12:59:55 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id LAA03985 for firewalls-outgoing; Wed, 5 Feb 1997 11:57:12 -0800 (PST) Received: from firewall.uprc.com (sentry.uprc.com [144.94.230.3]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id LAA03978 for ; Wed, 5 Feb 1997 11:57:01 -0800 (PST) Received: by firewall.uprc.com; id AA05745; Wed, 5 Feb 97 13:55:11 CST Received: from clavin.uprc.com(144.94.68.3) by firewall.uprc.com via smap (V3.1) id xma005740; Wed, 5 Feb 97 13:55:04 -0600 Received: from kafka.uprc.com by clavin (4.1/3.2.012693-Union Pacific Resources Company); id AA04784 for Firewalls@GreatCircle.COM; Wed, 5 Feb 97 13:54:30 CST Received: by kafka.uprc.com (SMI-8.6/SMI-SVR4) id NAA17384; Wed, 5 Feb 1997 13:54:30 -0600 Date: Wed, 5 Feb 1997 13:54:30 -0600 From: z76399@uprc.com (Prahl V. E. (Von)) Message-Id: <199702051954.NAA17384@kafka.uprc.com> To: Firewalls@GreatCircle.COM Subject: http proxy problems / gauntlet X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Greetings, we occasionally get the following errors from our Netscape v3.0 browser: "The requested item could not be loaded by the proxy. A network error occurred: unable to connect to server (TCP Error:32) The server may be down or unreachable. Try connecting again later. Proxy server at hostname.xxx.com on port 8080." hostname.xxx.com is our webserver, which is inside the firewall. In the firewall messages I get a security alert on unserved port 8080. I am running Gauntlet 3.1 on a SPARC20 under SunOS 4.1.4 and have http configed by the boot. 
I have http pointing to port 80, which is the default. We actually are proxying http through the internal web machine. I have no idea what is going on here. Any help on this one would be appreciated. Thanks, von prahl From firewalls-owner Wed Feb 5 13:09:34 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id LAA02432 for firewalls-outgoing; Wed, 5 Feb 1997 11:44:09 -0800 (PST) Received: from mail.Germany.EU.net (mail.germany.eu.net [192.76.144.65]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id LAA02403 for ; Wed, 5 Feb 1997 11:43:47 -0800 (PST) Received: by mail.Germany.EU.net with ESMTP (5.59+:34/EUnetD-2.6.1.h) via EUnet id UAA02095; Wed, 5 Feb 1997 20:42:36 +0100 Received: (from smap@localhost) by prosecco. (fw-afx-1) id UAA37708 for ; Wed, 5 Feb 1997 20:43:05 +0100 Received: from cerberus.ak.munich.ibm.com(9.23.4.12) by prosecco.munich.ibm.de via smap (V1.3) id sma031560; Wed Feb 5 20:42:51 1997 Received: from barolo.ak.munich.ibm.com (barolo.ak.munich.ibm.com [9.23.4.120]) by cerberus (8.8.3/8.7afx1) with ESMTP id UAA15602 for ; Wed, 5 Feb 1997 20:42:19 +0100 Received: (from afx@localhost) by barolo (8.8.5/8.7afx2) id UAA17998; Wed, 5 Feb 1997 20:42:17 +0100 Message-ID: <19970205204217.OK44797@barolo.ak.munich.ibm.com> Date: Wed, 5 Feb 1997 20:42:17 +0100 From: afx@ibm.de (Andreas Siegert) To: firewalls@greatcircle.com (Firewall mailing list) Subject: [sscherrer@cits.com: Source port filtering rules...] X-Mailer: Mutt 0.59.1 Mime-Version: 1.0 X-Organisation: EMEA AIX Security CoC / AIX ATG IBM Germany X-Address: Anzinger Strasse 29, 81671 Muenchen, Germany X-Phone: 498945044509 (internal 9454509), Fax 4223 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sorry, but that sounds bogus to me. Of course one filters on both source and destination port! The guys who send you mail probably set up the bogus sendmail low port option. Not recommended... 
afx -----Forwarded message from sscherrer@cits.com (Stephane Scherrer)----- access-list 130 permit tcp any gt 1023 FWIPaddress FWnetmask eq 25 It didn't sound wrong to me...except when a remote site contacted me saying that they couldn't send us any Mail... Further investigation showed that their Mail packets destined for our Mail server had a source port below 1024... I reported the problem to them and they investigated on their side... Here lies the problem: they were told by Checkpoint software (who installed their firewall including a NAT) that we shouldn't filter incoming packets on the source port!!!! -----End of forwarded message----- -- Andreas Siegert afx@ibm.de / afx@barolo.ak.munich.ibm.com / AFX at IPNET Every time we've moved ahead in IBM, it was because someone was willing to take a chance, put his head on the block, and try something new - Thomas Watson, Jr. From firewalls-owner Wed Feb 5 13:20:37 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id MAA05038 for firewalls-outgoing; Wed, 5 Feb 1997 12:05:09 -0800 (PST) Received: from gw.iai.com (gw.iai.com [206.64.157.62]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id MAA04926 for ; Wed, 5 Feb 1997 12:04:28 -0800 (PST) Received: by gw.iai.com; id PAA12630; Wed, 5 Feb 1997 15:03:09 -0500 (EST) Received: from milford.ma.iai.com(10.1.1.2) by gw.iai.com via smap (3.2) id xma012627; Wed, 5 Feb 97 15:02:47 -0500 Received: by milford.iai.com (AIX 4.1/UCB 5.64/4.03) id AA21770; Wed, 5 Feb 1997 15:03:13 -0500 From: jegan@iai.com (James Egan) Message-Id: <9702052003.AA21770@milford.iai.com> Subject: Re: SATAN user group? To: firewalls@GreatCircle.com Date: Wed, 5 Feb 1997 15:03:13 -0500 (EST) In-Reply-To: <9702051543.AA08998@sonic.nmti.com.nmti.com> from "Peter da Silva" at Feb 5, 97 09:43:45 am Reply-To: Jim.Egan@iai.com Organization: Integrated Architectures, Inc. 
Pgp-Fingerprint: 64 47 DC 51 D9 11 1D FF 31 43 9C 4C E2 A1 FC 04 Pgp-Public-Key: public-key-server@martigny.ai.mit.edu (subject: GET jegan) X-Mailer: ELM [version 2.4 PL24 ME5a] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Peter da Silva recently wrote: > > > o Another nit is the choice of the name that was chosen. In one stroke, > > DF & WV managed to alienate those who are offended by the name "SATAN". > > The name SATAN signifies the epitome of evil. If the tool was intended > > to be used for good rather than evil purposes, the choice of the name > > was the worst one possible. I don't know the agenda behind the name, > > but I am curious why they chose that particular name than any of a > > multitude of other suitable names. > > What, you mean like maybe "the Farmer Universal Cracking Kit"? > > Actually, the docs I saw a while back said if you didn't like SATAN then call it SANTA. /Jim/ -- James P. Egan | Jim.Egan@iai.com Integrated Architectures, Inc. 
| http://www.iai.com 300 East Main Street, Suite 207 | Tel: 508-634-3200 x209 Milford, MA 01757 | Fax: 508-634-8381 Use PGP for more secure email From firewalls-owner Wed Feb 5 13:34:28 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id LAA29149 for firewalls-outgoing; Wed, 5 Feb 1997 11:20:12 -0800 (PST) Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id LAA29133 for ; Wed, 5 Feb 1997 11:19:59 -0800 (PST) From: long-morrow@CS.YALE.EDU Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with ESMTP id OAA22917; Wed, 5 Feb 1997 14:18:33 -0500 (EST) sender long-morrow@CS.YALE.EDU for Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) id OAA27745; Wed, 5 Feb 1997 14:18:30 -0500 (EST) Date: Wed, 5 Feb 1997 14:18:30 -0500 (EST) Message-Id: <199702051918.OAA27745@SPARKY.CF.CS.YALE.EDU> To: firewalls@greatcircle.com, mmk@bostongas.com Subject: Re: Sandbox? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From: "Kolenko, Marc" >can some one give me the 2 minute drill on the architectural definition >of "SANDBOX"? Though you speak of firewall DMZ configurations, I've usually seen this term (sandbox) used to refer to the rubber-walled "jail" environments set up for software to run inside on a computer. The computer may be a server, in the example of a Web server process running 'chroot()d' on a Unix machine -- and where even the CGI programs spawned by the http server run inside the 'defanged/neutered' chroot() 'sandbox' environment. 'sandbox' is also used to refer to the 'safe' mode the Java Virtual Machine turns on when Java applets are run inside a Web browser (i.e. Netscape Navigator or MS IE) -- where local file I/O and most network I/O is disabled. 
- Morrow From firewalls-owner Wed Feb 5 16:33:39 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id PAA27419 for firewalls-outgoing; Wed, 5 Feb 1997 15:23:42 -0800 (PST) Received: from travelers.mail.cornell.edu (TRAVELERS.MAIL.CORNELL.EDU [132.236.56.13]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id PAA27410 for ; Wed, 5 Feb 1997 15:23:33 -0800 (PST) From: nvs2@cornell.edu Received: from travelers.mail.cornell.edu (travelers.mail.cornell.edu [132.236.56.13]) by travelers.mail.cornell.edu (8.7.5/8.7.3) with SMTP id SAA06190 for ; Wed, 5 Feb 1997 18:22:07 -0500 (EST) Date: Wed, 5 Feb 1997 18:22:06 -0500 (EST) X-Sender: nvs2@travelers.mail.cornell.edu To: firewalls@greatcircle.com Subject: Packet Filter rules... Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I am implementing a firewall as a Master's project and I need to decide on rules for packet filtering. I have two questions to ask you folks: (1) Can anyone suggest research papers/books/web documents on packet filtering? (2) I was told that a packet filter should check for various combinations of: Source Address, Destn Address, protocol, Source port, destn port and then decide if a packet should be let through. Also, this decision making has to be really fast so as not to introduce a considerable amount of overhead while routing the packet. Does anyone have any suggestions on how this can be done? Thanks in advance Nik. 
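Added example, not code from any post in this thread: a first-match packet filter over exactly the five fields Nik lists (source address, destination address, protocol, source port, destination port), used to show what the forwarded `access-list 130 permit tcp any gt 1023 FWIPaddress FWnetmask eq 25` rule does to a remote MTA that connects from a source port below 1024. The addresses are RFC 5737 documentation addresses, the mail-host address and the three packets are constructed for the example, and the rule set names are assumptions. Network prefixes are parsed once when a rule is built, so per-packet evaluation is a few integer comparisons per rule, which is the shape a fast filter needs.

```python
"""First-match packet filter over (src, dst, proto, sport, dport).
Added example; not code from any message in this thread."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network

ANY_PORTS = (0, 65535)        # inclusive port range meaning "any"
GT_1023 = (1024, 65535)       # Cisco "gt 1023": the unprivileged client ports


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    action: str               # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: tuple = ANY_PORTS
    dport: tuple = ANY_PORTS
    # Prefixes are parsed once here, not on every packet.
    _src_net: IPv4Network = field(init=False, repr=False)
    _dst_net: IPv4Network = field(init=False, repr=False)

    def __post_init__(self):
        self._src_net = ip_network(self.src)
        self._dst_net = ip_network(self.dst)

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and ip_address(p.src) in self._src_net
                and ip_address(p.dst) in self._dst_net
                and self.sport[0] <= p.sport <= self.sport[1]
                and self.dport[0] <= p.dport <= self.dport[1])


def evaluate(rules, p: Packet, default: str = "deny") -> str:
    """First matching rule wins; a packet matching no rule gets the default."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# Constructed sample (assumed mail-host address): two inbound SMTP connections
# from the same remote MTA that differ only in the client's source port, plus
# a telnet attempt that nothing below should ever let through.
MAILHOST = "198.51.100.25/32"
MAIL_FROM_HIGH_PORT = Packet("192.0.2.10", "198.51.100.25", "tcp", 40012, 25)
MAIL_FROM_LOW_PORT = Packet("192.0.2.10", "198.51.100.25", "tcp", 1020, 25)
TELNET_ATTEMPT = Packet("192.0.2.10", "198.51.100.25", "tcp", 40013, 23)

# The rule from the forwarded message: permit tcp any gt 1023 MAILHOST eq 25
STRICT_RULES = [Rule("permit", "tcp", dst=MAILHOST, sport=GT_1023, dport=(25, 25))]

# The same rule without the source-port condition. Ports below 1024 being
# reserved for root is a Unix convention, not a TCP requirement, so a peer
# may legitimately connect from one.
RELAXED_RULES = [Rule("permit", "tcp", dst=MAILHOST, dport=(25, 25))]

if __name__ == "__main__":
    for name, rules in (("strict", STRICT_RULES), ("relaxed", RELAXED_RULES)):
        for p in (MAIL_FROM_HIGH_PORT, MAIL_FROM_LOW_PORT, TELNET_ATTEMPT):
            print(f"{name:7} sport={p.sport:5} dport={p.dport:3} -> {evaluate(rules, p)}")
```

Run stand-alone it prints the verdict for each packet under both rule sets: the strict set drops the low-source-port SMTP connection, which is the symptom the forwarded message describes, while both sets still drop the telnet attempt because the destination-port check is what keeps it out. The example models only the inbound direction; rules for the reply traffic are a separate question.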
---- From firewalls-owner Wed Feb 5 16:34:18 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id PAA26934 for firewalls-outgoing; Wed, 5 Feb 1997 15:14:54 -0800 (PST) Received: from tango.lightech.com.ar ([200.0.253.151]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id PAA26916 for ; Wed, 5 Feb 1997 15:14:38 -0800 (PST) Received: from salsa (router1-p14.pccp.com.ar [200.0.253.30]) by tango.lightech.com.ar (8.6.8.1/SCA-6.6) with SMTP id XAA12867; Wed, 5 Feb 1997 23:03:29 GMT Message-ID: <32F8BDB6.1630@lightech.com.ar> Date: Wed, 05 Feb 1997 20:04:54 +0300 From: "Adrian F. Setton" Reply-To: asetton@lightech.com.ar Organization: LighTech X-Mailer: Mozilla 3.0 (Win95; I) MIME-Version: 1.0 To: Andreas Siegert CC: Firewall mailing list Subject: Re: [sscherrer@cits.com: Source port filtering rules...] References: <19970205204217.OK44797@barolo.ak.munich.ibm.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Andreas Siegert wrote: > Sorry, but that sounds bogus to me. > Of course one filters on both source and destination port! > The guys who send you mail probably set up the bogus sendmail low port option. > Not recommended... Andreas, I don't agree on this point. Let me quote Firewalls & Internet Security by Bill Cheswick & Steve Bellovin, page 24, assuming that they will allow this little quote from this great book (marketing ad, in order to avoid their lawyers): "Most versions of TCP and UDP for UNIX systems enforce the rule that only the superuser (root) can create a port numbered less than 1024. These are privileged ports. The intent is that remote systems can trust the authenticity of information written to such ports. The restriction is a convention only, and is not required by the protocol specification. Conforming implementations need not honor this." 
Although it is usual to put filtering rules using non-privileged ports as the only valid client ports, this is wrong and we should not blame the remote user, but change the filtering rules to allow these valid connections. Regards ... -- Adrian F. Setton LighTech Voice: (54-1) 373-1141 Ayacucho 563. Piso 13 Of. "A" FAX: (54-1) 373-1215 Buenos Aires e-mail: asetton@lightech.com.ar Argentina URL: http://www.lightech.com.ar From firewalls-owner Wed Feb 5 16:34:13 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id NAA13663 for firewalls-outgoing; Wed, 5 Feb 1997 13:16:06 -0800 (PST) Received: from fti.framatech.com ([160.84.80.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id NAA13629 for ; Wed, 5 Feb 1997 13:15:49 -0800 (PST) From: Thutchens@framatech.com Received: by fti.framatech.com; id QAA25594; Wed, 5 Feb 1997 16:37:50 -0500 Received: from ftimail.framatech.com(160.84.100.246) by fti.framatech.com via smap (3.2) id xma025560; Wed, 5 Feb 97 16:37:40 -0500 Received: from ccmail.framatech.com (ccmail.framatech.com [160.84.100.247]) by ftimail.framatech.com (8.6.11/8.6.9) with SMTP id QAA04046; Wed, 5 Feb 1997 16:17:13 -0500 Received: from ccMail by ccmail.framatech.com (SMTPLINK V2.11.01) id AA855188085; Wed, 05 Feb 97 15:34:09 EST Date: Wed, 05 Feb 97 15:34:09 EST Message-Id: <9701058551.AA855188085@ccmail.framatech.com> To: firewalls@GreatCircle.COM, "Kolenko, Marc" Subject: Re: Sandbox? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk You're exactly right! ______________________________ Reply Separator _________________________________ Subject: Sandbox? Author: "Kolenko, Marc" at INTERNET Date: 2/5/97 2:31 PM Friends, can someone give me the 2 minute drill on the architectural definition of "SANDBOX"? Does it relate to typical DMZ configurations usually alluded to in firewall placement discussions? Thanks in advance, Marc ******************************************* Marc M. Kolenko, Boston Gas Co. 
Strategic IT Planning mkolenko@bostongas.com -or- kolenko@tiac.net 617.723.5512; x-2669 ******************************************* -------------------------------------------------------------------------- --------- "The opinions expressed here are my own and do not represent the views or opinions of Boston Gas Co." -------------------------------------------------------------------------- --------- From firewalls-owner Wed Feb 5 17:14:20 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id NAA17121 for firewalls-outgoing; Wed, 5 Feb 1997 13:46:57 -0800 (PST) Received: from reflections.mindspring.com (reflections.mindspring.com [204.180.142.192]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id NAA17097 for ; Wed, 5 Feb 1997 13:46:39 -0800 (PST) Received: from localhost (lists@localhost) by reflections.mindspring.com (8.7.6/8.7.3) with SMTP id QAA15733; Wed, 5 Feb 1997 16:45:17 -0500 Date: Wed, 5 Feb 1997 16:45:17 -0500 (EST) From: Todd Graham Lewis To: Ron DuFresne cc: "Kolenko, Marc" , firewalls@GreatCircle.COM Subject: Re: Sandbox? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 5 Feb 1997, Ron DuFresne wrote: > If I'm recalling things correctly, the sandbox mentioned and referred to is > in regards to chrooted systems. Mostly, it refers to environments such as SafeTCL and Netscape's Java implementation, wherein applets/tasks/processes run in a restricted run-time environment (the Sandbox) where they have restricted access to such facilities as network access, local file access, etc. chroot()++, so to speak. This stops rogue Java applets from reading your password file and sending it back to the server, etc. See also, antonym, ActiveX. 
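Added example, not code from Morrow's or Todd's post and not any project's code: the chroot() "jail" both of them describe, entered in the order that makes it hold. The two things it refuses to do are the classic mistakes: staying root inside the chroot (a root process can break back out of a chroot, so the confinement is cosmetic) and leaving the working directory outside the new root (the cwd is a handle that chroot() does not move). The jail path and the uid/gid are assumptions, and `FakeOS` is a constructed stand-in for the `os` module so the step sequence can be exercised on a machine where you are not root; with real root the same function runs against `os` itself.

```python
"""Enter a chroot() sandbox and give up root, in the order that makes the jail hold.
Added example; not code from any message in this thread or from any project."""
import os
from typing import List


def sandbox_params_ok(root: str, uid: int, gid: int) -> bool:
    """Refuse the two setups that make a chroot pointless: a root uid/gid
    (root can escape a chroot) and a relative root path (it would be resolved
    against a working directory we are about to abandon)."""
    return uid > 0 and gid > 0 and os.path.isabs(root)


def enter_chroot_sandbox(root: str, uid: int, gid: int, _os=os) -> List[tuple]:
    """Confine the current process to `root` as uid/gid; return the steps taken.
    `_os` is injectable so the ordering can be checked without root privileges."""
    if not sandbox_params_ok(root, uid, gid):
        raise ValueError("refusing: need an absolute root and a non-root uid/gid")
    steps = []
    _os.chroot(root)
    steps.append(("chroot", root))
    # chdir AFTER chroot: a cwd that is still outside the new root is a way back out.
    _os.chdir("/")
    steps.append(("chdir", "/"))
    # Drop supplementary groups, then gid, then uid; once uid is unprivileged
    # the group changes would no longer be permitted, so the order matters.
    _os.setgroups([])
    steps.append(("setgroups", ()))
    _os.setgid(gid)
    steps.append(("setgid", gid))
    _os.setuid(uid)
    steps.append(("setuid", uid))
    # Prove the drop is irreversible: regaining uid 0 must now be refused.
    try:
        _os.setuid(0)
    except PermissionError:
        steps.append(("verified", "cannot regain root"))
    else:
        raise RuntimeError("privilege drop did not hold: setuid(0) succeeded")
    return steps


class FakeOS:
    """Constructed stand-in for `os`: records each call and applies the one rule
    that matters here, that only uid 0 may change to another uid."""

    def __init__(self):
        self.uid = 0
        self.calls: List[tuple] = []

    def chroot(self, path):
        self.calls.append(("chroot", path))

    def chdir(self, path):
        self.calls.append(("chdir", path))

    def setgroups(self, groups):
        self.calls.append(("setgroups", tuple(groups)))

    def setgid(self, gid):
        self.calls.append(("setgid", gid))

    def setuid(self, uid):
        if self.uid != 0 and uid != self.uid:
            raise PermissionError("Operation not permitted")
        self.uid = uid
        self.calls.append(("setuid", uid))


if __name__ == "__main__":
    # Real syscalls only when actually root (assumed jail path); otherwise a dry run.
    target = os if os.getuid() == 0 else FakeOS()
    for step in enter_chroot_sandbox("/var/www", 65534, 65534, _os=target):
        print(*step)
```

The final setuid(0) probe is the check a practitioner wants: if it succeeds, the process never really left root and the chroot is not a sandbox at all. What the jail still lacks, and what the Java-style sandboxes in the two posts add on top, is any restriction on network access; chroot() confines the filesystem view only.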
__ Todd Graham Lewis Mindspring Enterprises tlewis@mindspring.com From firewalls-owner Wed Feb 5 17:16:17 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id NAA17297 for firewalls-outgoing; Wed, 5 Feb 1997 13:47:51 -0800 (PST) Received: from hermes.zynet.net (hermes.zynet.net [194.154.160.251]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id NAA17119 for ; Wed, 5 Feb 1997 13:46:55 -0800 (PST) Received: from Fred.zynet.co.uk (ex1-p5.zynet.co.uk [194.154.163.6]) by hermes.zynet.net (8.8.0/8.6.12) with SMTP id VAA07338 for ; Wed, 5 Feb 1997 21:45:41 GMT Message-ID: <32F8FF16.32BE@mail.zynet.co.uk> Date: Wed, 05 Feb 1997 21:43:51 +0000 From: Kevin Townsend Reply-To: kev-rhea@mail.zynet.co.uk X-Mailer: Mozilla 3.0Gold (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: [Fwd: Internal modems ?] References: <32EFC6B0.41C67EA6@iphase.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Pierre-Yves Bonnetain wrote: > > > > Hello you experts, > > > > Maybe this subject has been dealt with to the point of sickness, but... > > One of my customers is looking for a _systematic_ way (well, as near as > > possible, as usual) to detect if any internal user, on his network, may have > > some modem attached to his computer (W95, OS/2 or Unix). I just told him that > > this seemed dubious at most, but customers are customers. > > So, what is your opinion ? > > Tia, > > -- > > -+-+ Pierre-Yves BONNETAIN (aka Pyb) In April, Rhea Group will be launching a new Win 95 security product. One of its features might possibly help. It doesn't detect modems - but it can be used to prevent their use on all or specified workstations on the network. If you'd like any more info on this, mail me and I'll see to it. 
Rgds Kev From firewalls-owner Wed Feb 5 17:27:55 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id OAA23464 for firewalls-outgoing; Wed, 5 Feb 1997 14:32:51 -0800 (PST) Received: from mule0.mindspring.com (mule0.mindspring.com [204.180.128.166]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id OAA23417 for ; Wed, 5 Feb 1997 14:32:35 -0800 (PST) Received: from [207.69.170.17] (user-37kbahm.dialup.mindspring.com [207.69.170.54]) by mule0.mindspring.com (8.8.4/8.8.4) with SMTP id RAA05982 for ; Wed, 5 Feb 1997 17:31:20 -0500 Date: Wed, 5 Feb 1997 17:31:20 -0500 X-Sender: pelicans@pop.mindspring.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM From: pelicans@mindspring.com (BeachCruiser) Subject: TEMPEST Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Joel wrote: >Not really firewall related, but according to the Feds, TEMPEST is a >codeword, and not an acronym that means anything. You're right on the relevance. However, some "Feds" notwithstanding... ...as set forth in the classified SECRET NSA publication, "National Communication Security Implementation Memorandum" (NACSIM 5100A)... K.M. Goertzel and Jody Patilla have it exactly correct. 
TEMPEST = Transient Electro-Magnetic Pulse Emanation STandard ^ ^ ^ ^ ^ ^^ //rmck From firewalls-owner Wed Feb 5 17:59:28 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id OAA25476 for firewalls-outgoing; Wed, 5 Feb 1997 14:51:30 -0800 (PST) Received: from mule0.mindspring.com (mule0.mindspring.com [204.180.128.166]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id OAA25467 for ; Wed, 5 Feb 1997 14:51:10 -0800 (PST) Received: from [207.69.170.17] (user-37kbahm.dialup.mindspring.com [207.69.170.54]) by mule0.mindspring.com (8.8.4/8.8.4) with SMTP id RAA45890 for ; Wed, 5 Feb 1997 17:49:55 -0500 Date: Wed, 5 Feb 1997 17:49:55 -0500 X-Sender: pelicans@pop.mindspring.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM From: pelicans@mindspring.com (BeachCruiser) Subject: TEMPEST Sender: firewalls-owner@GreatCircle.COM Precedence: bulk K.M. Goertzel and Jody Patilla have it exactly correct. TEMPEST = Transient Electro-Magnetic Pulse Emanation STandard ^ ^ ^ ^ ^ ^^ Sorry...so did Brett Lymn Thread Dead. From firewalls-owner Wed Feb 5 18:03:19 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id QAA03452 for firewalls-outgoing; Wed, 5 Feb 1997 16:23:02 -0800 (PST) Received: from csam.com.my (csam.csam.com.my [202.184.8.8]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id QAA03383 for ; Wed, 5 Feb 1997 16:22:34 -0800 (PST) Received: by csam.com.my (SMI-8.6/SMI-SVR4) id IAA25874; Thu, 6 Feb 1997 08:20:15 +0800 Date: Thu, 6 Feb 1997 08:20:14 +0800 (SGT) From: Ng Yiu Cho - CSD SUNSSD To: Colegio de Contadores cc: Firewalls@GreatCircle.COM Subject: Re: hardware requeriment. 
In-Reply-To: <01BC1369.07930260@port3.tectel.com.mx> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi there, the recommended hardware requirement that I would suggest will be: CPU - Get a Pentium Processor 166 or better; Memory - > 64MB RAM; Hard Disk - > 2.1 GB; running Solaris x86 2.5.1 ....joey On Wed, 5 Feb 1997, Colegio de Contadores wrote: > > > Hello. I'm new on the list, and I'd like to talk about > Solaris Firewall. > > > Which is the recommended hardware to install this firewall > on the x86 platform? > > Processor? > > Memory? > > CPU clock? > > My link is going to be 128 kbps. > > I'm thinking of using an HP Vectra VE 486/66. > > > Thanks for your comments. > > > > Israel Zavalza Bahena > Contanet. > > From firewalls-owner Wed Feb 5 18:32:17 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id OAA25369 for firewalls-outgoing; Wed, 5 Feb 1997 14:50:39 -0800 (PST) Received: (mcb@localhost) by miles.greatcircle.com (8.8.5/Miles-960830-1) id OAA25303 for firewalls@greatcircle.com; Wed, 5 Feb 1997 14:50:16 -0800 (PST) Received: from abyss.techsoft.com (abyss.techsoft.com [205.160.68.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA16715 for ; Tue, 4 Feb 1997 05:41:00 -0800 (PST) Received: from cc:Mail (PU Serial #1520) by abyss.techsoft.com (PostalUnion/SMTP(tm) v2.1.9e for Windows NT(tm)) id AA-1997Feb04.073438.1520.7012; Tue, 04 Feb 1997 07:35:41 -0600 From: kabernard@techsoft.com (KABERNARD) Cc: firewalls@GreatCircle.COM (firewalls) Message-ID: <1997Feb04.073438.1520.7012@abyss.techsoft.com> X-Conversion-ID: X-Mailer: cc:Mail via PostalUnion/SMTP for Windows NT Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: quoted-printable Organization: 
Technical Software Services, Inc. Date: Tue, 04 Feb 1997 07:35:41 -0600 Subject: Re: Poor NSA...Hells freezin' over again. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

If someone is unhappy with the level of testing that someone else has performed on some firewall, then they must know something that was not tested (or tested correctly). If they want or need to know the results of the correctly executed test(s), they should perform the test. Then, they should post the results here, since that is supposed to be the purpose of this list. Unless of course the person who is unhappy with someone else's work is unwilling to share his own work.....

y/p kurt

From firewalls-owner Wed Feb 5 18:52:24 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id QAA01744 for firewalls-outgoing; Wed, 5 Feb 1997 16:04:52 -0800 (PST) Received: from pbm01.pacblue.com (pbm01.pacblue.com [199.182.109.200]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id QAA01706 for ; Wed, 5 Feb 1997 16:04:35 -0800 (PST) Received: by pbm01.pacblue.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC1379.A11CEFD0@pbm01.pacblue.com>; Wed, 5 Feb 1997 15:31:17 -0800 Message-ID: From: Paul Osterwald To: "'Paul D. Robertson'" , "'Frank Willoughby'" Cc: "'winspace@geko.net.au'" , "'firewalls@GreatCircle.COM'" Subject: RE: SATAN user group? Date: Wed, 5 Feb 1997 15:31:15 -0800 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

SATAN - Security Administrator's Tool for Analyzing Networks

>-----Original Message-----
>From: Paul D. Robertson [SMTP:proberts@clark.net]
>Sent: Tuesday, February 04, 1997 9:57 PM
>To: Frank Willoughby
>Cc: winspace@geko.net.au; firewalls@GreatCircle.COM
>Subject: Re: SATAN user group?
>
>On Tue, 4 Feb 1997, Frank Willoughby wrote:
>
>> o The software was/is out-dated (even when it was released). If you are keeping your software current, then it is highly likely that your system will contain patches for vulnerabilities that the SANTA tool would detect.
>
>From what I've heard, the 3rd pre-release was very aggressive, and like all tools, it needs to remain current.
>
>> because of problems in other areas, your system is vulnerable to being taken over - in spite of a report from SANTA that your system is OK. Use the right tool for the right job. SANTA tests (primarily) the networking component, and it doesn't do that very well, IMHO.
>
>It's quite specifically targeted for networks.
>
>>
>> o The SANTA tool performs a very small portion of the tests that ISS and other vendors' products perform. If it doesn't test for attacks such as SYN-flooding or the "Ping-of-death", then it can't tell you if these will be a problem for you or not.
>
>It's very difficult to run a denial-of-service attack without denying service, don't you think? Most of us who claim it doesn't do enough are the same ones who would claim it did too much for the bad guys if it were released with a more aggressive suite of tests.
>
>> o A "clean bill of health" from the SANTA tool gives the sysadmin a false sense of security about the security of his/her systems.
>
>If they don't know what it does, and doesn't do. This is true of *every* analysis tool.
>
>> o At best, the SANTA tool will tell the beginner sysadmin if they have overlooked something basic, but beyond that, it is useless.
>
>It's extensible, and that's one of its main features; if you don't grow it, then yes, it's not much more than a rubber stamp for a limited set of vulnerabilities. That's true of any analysis tool in a dynamic environment.
>
>> o Another nit is the choice of the name that was chosen.
>> In one stroke, DF & WV managed to alienate those who are offended by the name "SATAN". The name SATAN signifies the epitome of evil. If the tool was intended to be used for good rather than evil purposes, the choice of the name was the worst one possible. I don't know the agenda behind the name, but I am curious why they chose that particular name rather than any of a multitude of other suitable names.
>
>If the name of a program is that bad to someone, then I'd respectfully suggest that they're in the wrong line of work. Given, if I recall correctly, Dan's naming of a program Fuck!, SATAN could even be considered a step up. :)
>
>> o Further, since the source code is available, any sysadmin can add custom modules to the tool (OTOH, so can the hackers).
>
>With a C compiler, any sysadmin can write nice helpful programs. On the other hand, evil hackers can write mean and nasty programs. ?
>
>Paul
>-----------------------------------------------------------------------------
>Paul D. Robertson      "My statements in this message are personal opinions
>proberts@clark.net      which may have no basis whatsoever in fact."
>                       PSB#9280
>

From firewalls-owner Wed Feb 5 20:22:39 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id RAA06982 for firewalls-outgoing; Wed, 5 Feb 1997 17:01:09 -0800 (PST) Received: from relay.hq.tis.com (relay.hq.tis.com [192.94.214.100]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id RAA06921 for ; Wed, 5 Feb 1997 17:00:46 -0800 (PST) Received: by relay.hq.tis.com; id UAA06099; Wed, 5 Feb 1997 20:00:30 -0500 (EST) Received: from clipper.hq.tis.com(10.33.1.2) by relay.hq.tis.com via smap (3.2) id xma006088; Wed, 5 Feb 97 20:00:13 -0500 Received: from jupiter.hq.tis.com (jupiter.hq.tis.com [10.33.112.189]) by clipper.hq.tis.com (8.7.5/8.7.3) with SMTP id TAA00547; Wed, 5 Feb 1997 19:56:35 -0500 (EST) From: Jody C Patilla Message-Id: <199702060056.TAA00547@clipper.hq.tis.com> Subject: Re: Packet Filter rules... To: nvs2@cornell.edu Date: Wed, 5 Feb 1997 19:56:38 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: from "nvs2@cornell.edu" at Feb 5, 97 06:22:06 pm Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>
> Hi,
> I am implementing a firewall as a Master's project and I need to decide on rules for packet filtering. I have two questions to ask you folks:
>
> (1) Can anyone suggest research papers/books/web documents on packet filtering?
>

Chapter 6 of _Building Internet Firewalls_ from O'Reilly, by Chapman and Zwicky, is the single best discussion of packet filtering that I have read anywhere. I highly recommend it to all my customers. Brent and Elizabeth ought to be giving me a commission for the sales I've generated for them. :-)

- jcp
--
=========================================================================
Jody C. Patilla                 jcp@tis.com
Trusted Information Systems     Glenwood, Md.
From firewalls-owner Wed Feb 5 20:23:45 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id RAA07521 for firewalls-outgoing; Wed, 5 Feb 1997 17:04:16 -0800 (PST) Received: from extra.infocable.cl (extra.infocable.cl [200.29.55.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id RAA07330 for ; Wed, 5 Feb 1997 17:03:21 -0800 (PST) Received: by extra.infocable.cl (951211.SGI.8.6.12.PATCH1042/951211.SGI.AUTO) for id WAA20501; Wed, 6 Nov 1996 22:06:13 -0800 Received: from intranet(192.10.1.2) by extra via smap (3.1) id xma020498; Wed, 6 Nov 96 22:06:12 -0800 Message-ID: <32817C54.41C6@infocable.cl> Date: Wed, 06 Nov 1996 22:06:12 -0800 From: "Eduardo Romero U." Organization: Infocable Chile. X-Mailer: Mozilla 3.0C-SGI (X11; I; IRIX 6.2 IP22) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: Re: http proxy problems / gauntlet References: <199702051954.NAA17384@kafka.uprc.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Prahl V. E. (Von) wrote:
>
> greetings,
>
> we occasionally get the following errors from our netscape v 3.0 browser:
>
> "The requested item could not be loaded by the proxy.
> [ common message of refused proxy ]
> hostname.xxx.com is our webserver which is inside the firewall. in the firewall messages i get a security alert on unserved port 8080. i am running gauntlet 3.1 on a sparc20

A few months ago I had the same problem with Gauntlet 3.1 [SGI 5.3 - 6.2] and the problem was in how to determine the metric value of the gated configuration, so the refusal occurs when I make a first connection; the same happens with telnet, ftp, any TCP application, but when you try to reconnect, this is successful. The default metric is 0, but I had to reconfigure the router of the firewall's outside network with this metric value in their routes to the local network.

> SunOS 4.1.4 and have http configed by the boot.
> i have http pointing to port 80, which is the default. we actually are proxying http through the internal web machine. i have no idea what is going on here. any help on this one would be appreciated.
>

So hints: gated metric, router tables and ipfilter permissions.

> thanks,
>
> von prahl

Edo.

From firewalls-owner Wed Feb 5 20:34:19 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id TAA27703 for firewalls-outgoing; Wed, 5 Feb 1997 19:45:25 -0800 (PST) Received: from fire.epa.nsw.gov.au (fire.EPA.NSW.GOV.AU [141.243.34.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id TAA27693 for ; Wed, 5 Feb 1997 19:45:13 -0800 (PST) Received: from airmoon.epa.nsw.gov.au by fire.epa.nsw.gov.au (PMDF V4.3-7 #6932) id <01IF3IRQOTAO003PR6@fire.epa.nsw.gov.au>; Thu, 6 Feb 1997 13:35:48 +10:00 Received: from neptune.epa.nsw.gov.au (neptune [141.243.6.5]) by airmoon.epa.nsw.gov.au (8.6.12/8.6.12) with SMTP id OAA20170 for ; Thu, 6 Feb 1997 14:19:30 +1100 Date: Thu, 06 Feb 1997 13:45:15 +1100 (EST) From: Mitko Stoyanov Subject: Dynamic (per user) dial-in PPP IP filtering In-reply-to: X-Sender: mstoyan@neptune.epa.nsw.gov.au To: Firewalls@GreatCircle.COM Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

I am after any links or information which would help me to achieve the above. The filter rules have to be dynamically inserted when the relevant user logs in, and removed when he/she logs out. There will be no more than 4 - 8 groups of filter rules. There are multiple dial-in ports with static IP addresses, and when the user logs out, only the rules regarding the used port/IP address should be removed. I did it already with Linux 2.0.28, modified pppd and perl scripts, but was wondering if any other solution exists already. Anyone to share experience? Will summarize if the interest is enough.

Thanks in advance.
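The per-port rule insertion and removal Mitko describes, as an added example that is not part of the original post. It is written for Linux netfilter (iptables) rather than the 2.0-era ipfwadm the poster used, and is meant to be installed as both /etc/ppp/ip-up and /etc/ppp/ip-down (pppd calls each of these with the interface, tty, speed, local IP, remote IP and ipparam). The user-to-group table and the rule sets are constructed sample data; reading the authenticated peer name from pppd's PEERNAME environment variable is an assumption about the pppd in use.

```python
#!/usr/bin/env python3
"""Per-user filter rules for dial-in PPP, driven from pppd's ip-up/ip-down hooks.

pppd runs /etc/ppp/ip-up and /etc/ppp/ip-down as:
    script interface tty speed local-ip remote-ip ipparam
One iptables chain is created per PPP interface, so tearing down one port
removes only that port's rules.  Users, groups and rules below are
constructed sample data, not from any real site.
"""
import os
import subprocess
import sys

# Constructed sample policy: user -> group, group -> (proto, dst_net, dports).
USER_GROUP = {"alice": "admins", "bob": "sales", "carol": "sales"}
GROUP_RULES = {
    "admins": [("tcp", "10.0.0.0/8", None)],            # any TCP service inside
    "sales":  [("tcp", "10.0.5.0/24", "25,110,143"),    # mail hosts only
               ("tcp", "10.0.6.10/32", "80")],          # intranet web server
}
DEFAULT_GROUP = "guests"   # no rules: the chain falls straight through to DROP


def chain_name(ifname):
    """One chain per PPP interface (dialin_ppp0, dialin_ppp1, ...)."""
    return "dialin_" + ifname


def group_for(user):
    return USER_GROUP.get(user, DEFAULT_GROUP)


def up_commands(ifname, remote_ip, user):
    """iptables argv lists to run when `user` comes up on `ifname` as `remote_ip`."""
    chain = chain_name(ifname)
    cmds = [
        ["iptables", "-N", chain],
        # Only the address assigned to this port may use this port's rules,
        # so a caller cannot borrow another port's rule set by spoofing.
        ["iptables", "-A", chain, "!", "-s", remote_ip, "-j", "DROP"],
    ]
    for proto, dst, dports in GROUP_RULES.get(group_for(user), []):
        r = ["iptables", "-A", chain, "-p", proto, "-d", dst]
        if dports:
            r += ["-m", "multiport", "--dports", dports]
        cmds.append(r + ["-j", "ACCEPT"])
    cmds.append(["iptables", "-A", chain, "-j", "DROP"])
    # Hook the chain in for packets arriving on this interface only.
    cmds.append(["iptables", "-I", "FORWARD", "-i", ifname, "-j", chain])
    return cmds


def down_commands(ifname):
    """Undo exactly what up_commands did for this interface; other ports untouched."""
    chain = chain_name(ifname)
    return [
        ["iptables", "-D", "FORWARD", "-i", ifname, "-j", chain],
        ["iptables", "-F", chain],
        ["iptables", "-X", chain],
    ]


def main(argv):
    # Install this file as both ip-up and ip-down; argv[0] says which we are.
    args = (argv[1:7] + [""] * 6)[:6]
    ifname, _tty, _speed, _local_ip, remote_ip, ipparam = args
    # Assumption: pppd exports the authenticated peer name as PEERNAME;
    # fall back to ipparam if the site passes the user name that way.
    user = os.environ.get("PEERNAME") or ipparam
    hook = os.path.basename(argv[0])
    cmds = up_commands(ifname, remote_ip, user) if hook == "ip-up" else down_commands(ifname)
    for cmd in cmds:
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    main(sys.argv)
```

Because every port gets its own chain, ip-down flushes and deletes only that chain and its one FORWARD hook, which is the "remove only the rules for the port that went away" requirement; the anti-spoofing rule at the top of each chain is what keeps a caller on ppp0 from using ppp1's rules by sourcing packets as ppp1's static address.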
From firewalls-owner Wed Feb 5 20:52:31 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id TAA27278 for firewalls-outgoing; Wed, 5 Feb 1997 19:35:28 -0800 (PST) Received: from mule0.mindspring.com (mule0.mindspring.com [204.180.128.166]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id TAA27271 for ; Wed, 5 Feb 1997 19:35:19 -0800 (PST) Received: from [207.69.170.17] (user-37kbah1.dialup.mindspring.com [207.69.170.33]) by mule0.mindspring.com (8.8.4/8.8.4) with SMTP id WAA69792; Wed, 5 Feb 1997 22:34:02 -0500 Date: Wed, 5 Feb 1997 22:34:02 -0500 X-Sender: pelicans@pop.mindspring.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: kabernard@techsoft.com (KABERNARD) From: pelicans@mindspring.com (BeachCruiser) Subject: Re: Poor NSA...Hells freezin' over again. Cc: Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> If someone is unhappy with the level of testing that someone else has performed on some firewall, then they must know something that was not tested (or tested correctly). If they want or need to know the results of the correctly executed test(s), they should perform the test. Then, they should post the results here, since that is supposed to be the purpose of this list. Unless of course the person who is unhappy with someone else's work is unwilling to share his own work.....
> y/p kurt

Yeah, understand your point...but I'm not sure that's really what was being conveyed in the earlier gripe. I've heard from a lot of folks backchannel on this and my reading of the "tea leaves" is it's not really unhappiness with the testing that's at issue, but rather the depth and comprehensiveness of the evaluations beyond what many regard as rather academic findings and marketing bla-bla-bla. Let's see where it goes from here.
//rmck

From firewalls-owner Wed Feb 5 21:04:35 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id UAA00481 for firewalls-outgoing; Wed, 5 Feb 1997 20:32:42 -0800 (PST) Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id UAA00463 for ; Wed, 5 Feb 1997 20:32:25 -0800 (PST) Received: from clonvick-pc.cisco.com (sj-dial-3-28.cisco.com [171.68.179.29]) by diablo.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id UAA28974; Wed, 5 Feb 1997 20:31:15 -0800 (PST) Message-Id: <2.2.32.19970206042809.006fb13c@diablo.cisco.com> X-Sender: clonvick@diablo.cisco.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 05 Feb 1997 22:28:09 -0600 To: uskanbye@ibmmail.com, firewalls@GreatCircle.COM From: Chris Lonvick Subject: Re: DLSw (Data Link Switching) through a firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello Mitchell,

From RFC-1795:

---snip---
Wells & Bartky [...at the end of Page 5]

RFC 1795                  Data Link Switching                 April 1995

The default parameters associated with the TCP connections between Data Link Switches are as follows:

   Socket Family        AF_INET (Internet protocols)
   Socket Type          SOCK_STREAM (stream socket)
   Read Port Number     2065
   Write Port Number    2067
---/snip---

If you're just doing normal DLSw with TCP encapsulation, then you'll need to open these ports through your firewall. If you're prioritizing this data by using the "priority" keyword in the DLSw remote peer statement, then the router will additionally open TCP ports 1981, 1982, and 1983.

If your firewall is performing NAT, then this should still work (if you're not using any of the additional features of DLSw+), since none of the payload fields are dependent upon any of the TCP or IP fields.
However, I've been told that Border Peers (part of DLSw+ from Cisco) won't work across a NATificator since the payload of some of the packets contains the IP address of the dynamic peers. This just means that you'll have to set up actual peer statements.

Beyond this, however, I'd examine the traffic you expect to send through your firewall very carefully before committing to this. Historically, SNA stuff is pretty vital to an organization and all efforts should be made to keep this from prying eyes. You might want to encrypt this over a Virtual Private Network between your firewalls.

NetBIOS/NetBEUI (the other reason for DLSw) is the encapsulation of a data stream into an evil, and non-routable protocol and should be eradicated. (In my humble and personal opinion, of course ;-)

Hope this helps,

Chris Lonvick
Cisco Systems Consulting Engineering
Houston, TX, USA
+1-713-778-5663

At 01:53 PM 2/5/97 EST, uskanbye@ibmmail.com wrote:
>
>Question is how (or if) DLSw can be passed through a firewall (without opening up the entire network). Our WAN includes remote sites that are running SNA encapsulated within IP (DLSw) via CISCO routers. We're hoping to NOT have to move them to pure IP before firewall implementation. Is anybody aware of implementation (or have done this)? Any/all advice appreciated.
>
>By the way, Eagle Raptor NT is the selected firewall...
>
>
>
> --------KANSAS DEPARTMENT OF HEALTH & ENVIRONMENT---------
> -----------------WWW.INK.ORG\PUBLIC\KDHE------------------
> ----------Mills Bldg Suite 501 Topeka, KS 66612-----------
> ---------Phone (913) 296-5643 FAX (913) 296-8943----------
>

From firewalls-owner Wed Feb 5 21:18:55 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id SAA16586 for firewalls-outgoing; Wed, 5 Feb 1997 18:10:51 -0800 (PST) Received: from snet ([202.190.59.4]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id SAA16541 for ; Wed, 5 Feb 1997 18:10:27 -0800 (PST) Received: from sos.dataprep.com.my by snet (SMI-8.6/SMI-SVR4) id KAA09431; Thu, 6 Feb 1997 10:17:48 -0800 Received: by sos.dataprep.com.my with Microsoft Mail id <01BC1416.3D1A48A0@sos.dataprep.com.my>; Thu, 6 Feb 1997 10:12:20 +-800 Message-ID: <01BC1416.3D1A48A0@sos.dataprep.com.my> From: KENNETH PHANG To: "'Firewall digest'" Subject: Security Design Issue Date: Thu, 6 Feb 1997 10:12:18 +-800 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi everybody,

Recently I'm looking into some network security design issues on which I need a second opinion from you guys. One of my customers has a network that runs on the FR cloud with about 13 remote sites linked up to their enterprise router in the HQ. Each of the links is running a T1 and shares a single E1 link into the HQ in a partially meshed environment with OSPF. Probably you can look at the diagram below for better understanding:

      R1  R2  R3  R4  R..
      |   |   |   |   |          Remote sites
      |   |   |   |   |          T1 links
       \  |   |   |  /
        \ |   |   | /
        ( Frame Relay )_____________ Internet
              |
              |  E1 link
              R0                     R0 - HQ router
              |                      R1 - Remote router site 1
              HQ                     R2 - Remote router site 2
              |
              |
   LAN ---------------------------------------------------

The FR provider already built their PVCs from all the remote sites to the HQ and another PVC from the HQ to the Internet. The HQ enterprise router can support multiple IP address configuration onto the same physical SYNC and Ethernet interface. I've been asked what is the best way to protect the network environment with FW-1. Sensitive information flowing from the remote sites to the HQ must be protected, and so must the network against the threat from the Internet. By the way, the FW-1 is also required to provide NAT to the remote sites and the HQ LAN. The customer wants to utilise the E1 link both for the remote links and for the Internet link. I understand that this is not a very good idea, especially from a security point of view. Hope to hear from you all soon. All your comments are highly appreciated.

Many thanks

Cheers
kent

From firewalls-owner Wed Feb 5 21:20:01 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id TAA24736 for firewalls-outgoing; Wed, 5 Feb 1997 19:14:36 -0800 (PST) Received: from ginger.vnet.net (ginger.vnet.net [166.82.1.69]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id TAA24705 for ; Wed, 5 Feb 1997 19:14:19 -0800 (PST) Received: from galip.hon.com (galip.vnet.net [166.82.174.200]) by ginger.vnet.net (8.8.4/8.8.2) with SMTP id WAA08736 for ; Wed, 5 Feb 1997 22:13:46 -0500 (EST) Received: from galip.hon.com (galip.hon.com [166.82.174.200]) by galip.hon.com (NTMail 3.02.10) with ESMTP id ia000216 for ; Wed, 5 Feb 1997 22:09:00 -0500 Message-ID: <32F949B5.21FC@hon.com> Date: Wed, 05 Feb 1997 22:02:13 -0500 From: Steve Gallipeau Reply-To: Steve@hon.com Organization: SDG Consulting X-Mailer: Mozilla 3.0Gold (WinNT; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject:
Email Crashed Mail Server! Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Info: Evaluation version at galip.hon.com X-Info: Errors to Postmaster@hon.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

I received the following email (had to dig it out of my logs) that crashed my Mail Server. I would really appreciate anyone taking a look at the headers and maybe being able to advise me why this crashed my server and if it could have been intentional. The 'To:' line in particular looks very unusual.

Thanks,

Steve
SDG Consulting

----------------------------------------------------------------------
Received: from cliffy.lfwc.lockheed.com (cliffy.lfwc.lockheed.com [143.114.72.1]) by galip.hon.com (NTMail 3.02.10) with ESMTP id Steve for ; Wed, 5 Feb 1997 21:46:32 -0500
Received: from mailhub by cliffy.lmtas.lmco.com (SMI-8.6/SMI-SVR4) id UAA25797; Wed, 5 Feb 1997 20:49:17 -0600
Received: from smtpgate.lmtas.lmco.com by mailhub (SMI-8.6/SMI-SVR4) id UAA13466; Wed, 5 Feb 1997 20:42:43 -0600
Received: by smtpgate.lmtas.lmco.com (AlisaMail V05.1-000d) id Megw.4950221 ; Wed, 5 Feb 1997 20:47:36 -0600
Message-ID:
Date: Wed, 05 Feb 1997 19:33:00 -0600
From: "Hammons, Steven W"
Subject: test 1
To: STEVE@HON.COM, "27#e##034#Steve_Hammons#034##c##c#26#e##034#STEVE_HAMMONS#034##c##c#25#e#SMTP"@SMTPGATE.lmtas.lmco.com, HMMNSW@SMTPGATE.lmtas.lmco.com
X-Info: Evaluation version at galip.hon.com
X-Info: Errors to Postmaster@hon.com

Date : 5-FEB-1997 19:33:00.00
Posted on : 5-FEB-1997 19:33:00.00

this is to "26=("Steve Hammons" HMMNSWAB@smtpgate.lmtas.lmco.com)::25=smtp"@smtpgate

----------
Received: from mailhub.lmtas.lmco.com by smtpgate.lmtas.lmco.com with SMTP (AlisaMail M05.1-000) id SINN.1737164@smtpgate.lmtas.lmco.com ; Wed, 5 Feb 1997 20:12:17 -0600
Received: from smtpgate.lmtas.lmco.com by mailhub (SMI-8.6/SMI-SVR4) id UAA13290; Wed, 5 Feb 1997 20:07:03 -0600
Received: by smtpgate.lmtas.lmco.com (AlisaMail V05.1-000d) id Megw.4949841 ;
Wed, 5 Feb 1997 20:07:48 -0600
Message-ID:
Date: Wed, 05 Feb 1997 19:33:00 -0600
From: "Hammons, Steven W"
Subject: test 1
To: "Steve Hammons"HMMNSWAB@smtpgate.lmtas.lmco.com

From firewalls-owner Wed Feb 5 21:52:49 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id QAA05537 for firewalls-outgoing; Wed, 5 Feb 1997 16:49:03 -0800 (PST) Received: (mcb@localhost) by miles.greatcircle.com (8.8.5/Miles-960830-1) id QAA05525 for firewalls@greatcircle.com; Wed, 5 Feb 1997 16:48:53 -0800 (PST) Received: from darkstar.sysinfo.com (darkstar.sysinfo.com [204.246.65.62]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id KAA21006 for ; Wed, 5 Feb 1997 10:02:55 -0800 (PST) Received: from localhost (dufresne@localhost [127.0.0.1]) by darkstar.sysinfo.com (8.8.2/8.8.2) with SMTP id MAA15107; Wed, 5 Feb 1997 12:03:23 -0600 Date: Wed, 5 Feb 1997 12:03:23 -0600 (CST) From: "R. DuFresne" To: linux-security@redhat.com cc: BUGTRAQ@NETSPACE.ORG, Firewalls@GreatCircle.COM Subject: Re: [linux-security] Re: Re: Linux virus In-Reply-To: <199702051433.OAA02123@snowcrash.cymru.net> Message-ID: Organization: Minn. Information Systems MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Wed, 5 Feb 1997, Alan Cox wrote:

> > In any event -- McAfee may be able to add this to their existing uvscan product. uvscan scans Linux filesystems for DOS and Windows (including Word Macro) viruses. It may be possible for the AV team to simply add bliss' signature to the next release -- and it may even be possible for them to create a remover.
>
> I've had a look at the algorithms used for this "Bliss" toy. It's quite interesting as it's a completely portable technique. It works for NT DLL's, it works for all Unixen.
>
> Tripwire pretty much immediately spots such tampering.
>

I find this aspect of 'portability' interesting.
One of the security weenies where I'm presently contracted made a claim in a class he was teaching that it's far too costly to write viruses for 32-bit OSes. Since the class wasn't about viruses, and this side issue was brought up for just a short note, I chose not at the time to challenge the issue. Anyone willing to share some clues with folks like me here?

thanks,

my best to all,

Ron Dufresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com
http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Wed Feb 5 22:53:18 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id WAA21247 for firewalls-outgoing; Wed, 5 Feb 1997 22:47:16 -0800 (PST) Received: from glacier.wise.edt.ericsson.se (glacier-ext.wise.edt.ericsson.se [193.180.251.38]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id WAA21186 for ; Wed, 5 Feb 1997 22:47:01 -0800 (PST) Received: from curtis.nmac.ericsson.se (curtis.nmac.ericsson.se [130.100.187.66]) by glacier.wise.edt.ericsson.se (8.7.5/8.7.3/glacier-0.9) with SMTP id HAA10890 for ; Thu, 6 Feb 1997 07:45:52 +0100 (MET) Received: by curtis.nmac.ericsson.se (SMI-8.6/SMI-SVR4) id HAA13071; Thu, 6 Feb 1997 07:43:28 +0100 Date: Thu, 6 Feb 1997 07:43:28 +0100 From: etxrosd@nmac.ericsson.se (Robert Stahlbrand) Message-Id: <199702060643.HAA13071@curtis.nmac.ericsson.se> To: firewalls@greatcircle.com Subject: Configuring SecureID in FW-1 Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-MD5: JvNWURNsNKqUy4vORm/n2g== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi everyone!
I'm trying to configure SecurID for users who use my telnet proxy in Checkpoint's FW-1 ver. 2.1 but it doesn't seem to work. What I'm trying to configure is this.....

We have a modem pool outside our firewall and if the users need access to our intranet I thought that SecurID would be an easy way for the users to login. It seems to be pretty safe and pretty easy for the users. I use the telnet (ftp, http as well) proxy function so the users must pass through the proxy to enter the internal network. I have configured a number of users and it's no problem with UNIX passwords, Internal passwords or S/Key but I don't get the SecurID function to work!!! And how should it work??? I got a card but I don't see where I should put in the serial number for the card in the firewall!!! How will the firewall be able to understand which card the user has got? I understand that the FW must be time synchronized because the SecurID card changes the displayed number every 10 seconds. When I choose SecurID in the user setup I am prompted for nothing else??? My FW-1 handbook says nothing about SecurID (almost nothing). Do you have to buy an extra license or something???
###########################################################
# Robert Stahlbrand                                       #
# Network and System Administrator OPLab and NMAC domains #
#                                                         #
# Ericsson Telecom AB                                     #
# Box 333                                                 #
# 43184 Molndal                                           #
# Sweden                                                  #
# +46 31 7476162                                          #
# +46 31 7472942 (fax)                                    #
#                                                         #
# robert@nmac.ericsson.se                                 #
###########################################################

From firewalls-owner Thu Feb 6 01:19:08 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id BAA29874 for firewalls-outgoing; Thu, 6 Feb 1997 01:04:09 -0800 (PST) Received: from didahp1.deis.unibo.it (didahp1.deis.unibo.it [137.204.56.18]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id AAA29578 for ; Thu, 6 Feb 1997 00:59:43 -0800 (PST) Message-Id: <199702060859.AAA29578@miles.greatcircle.com> Received: by didahp1.deis.unibo.it (1.37.109.4/16.2) id AA14101; Thu, 6 Feb 97 10:58:08 +0100 From: Rebecca Montanari - tesista Corradi Subject: problem with TIS on Solaris2.5 To: firewalls@greatcircle.com Date: Thu, 6 Feb 97 10:58:08 MET Mailer: Elm [revision: 70.85] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I'm installing TIS toolkit on Solaris 2.5 and I'm having lots of problems in compiling it and making it work. Has anyone compiled TIS toolkit on the same OS and can I have suggestions on what I have to do?
Thanks in advance

Rebecca

From firewalls-owner Thu Feb 6 01:49:25 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id BAA02971 for firewalls-outgoing; Thu, 6 Feb 1997 01:36:35 -0800 (PST) Received: from gk-blue.unicc.org (gk-red.unicc.org [192.91.247.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id BAA02953 for ; Thu, 6 Feb 1997 01:36:25 -0800 (PST) From: admin@unicc.org Received: by gk-blue.unicc.org; (5.65v3.2/1.3/10May95) id AA15958; Thu, 6 Feb 1997 10:37:38 +0100 Received: by gh-old.unicc.org (5.65/jsb-190694); id AA07401; Thu, 6 Feb 1997 10:37:42 +0100 Message-Id: <9702060937.AA07401@gh-old.unicc.org> To: Firewalls@GreatCircle.COM Subject: PPTP and Firewalls Date: Thu, 06 Feb 97 10:37:36 +0100 X-Mts: smtp Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Does anybody know how I can use PPTP to a RAS server that is behind a firewall? I can install a generic relay, but I do not know on which port. I have good Unix knowledge, but with Windows NT I feel a bit lost ....

Thanks,

Lili

From firewalls-owner Thu Feb 6 03:19:15 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id DAA10370 for firewalls-outgoing; Thu, 6 Feb 1997 03:16:03 -0800 (PST) Received: from ibmmail.COM (ibmmail.com [199.171.26.3]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id DAA10357 for ; Thu, 6 Feb 1997 03:15:56 -0800 (PST) From: gblolmxb@ibmmail.com Message-Id: <199702061115.DAA10357@miles.greatcircle.com> Received: from ibmmail by ibmmail.COM (IBM VM SMTP V2R3) with BSMTP id 1568; Thu, 06 Feb 97 06:14:50 EST Date: Thu, 06 Feb 1997 06:13:52 EST To: firewalls@greatcircle.com MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Firewall 1 & Bay Routers Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I understand that Bay are planning to incorporate Checkpoint's Firewall-1 within their router's s/w.
My gut reaction is that this is not a Good Idea - any comments?

Mark.

From firewalls-owner Thu Feb 6 04:19:24 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id EAA13509 for firewalls-outgoing; Thu, 6 Feb 1997 04:05:12 -0800 (PST) Received: from relay-7.mail.demon.net (relay-7.mail.demon.net [194.217.242.9]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id EAA13489 for ; Thu, 6 Feb 1997 04:04:56 -0800 (PST) Received: from scio.demon.co.uk ([158.152.150.17]) by relay-5.mail.demon.net id aa529371; 6 Feb 97 10:13 GMT From: Mike Blaser To: Firewalls@greatcircle.com Subject: Charge-Back Date: Thu, 06 Feb 1997 10:12:59 GMT Organization: Vertex Data Systems Ltd. Reply-To: mike@scio.demon.co.uk Message-ID: <32f98158.13483437@post.demon.co.uk> X-Mailer: Forte Agent .99g/32.326 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

A question for all you corporate types out there.

Does anyone use the reporting capabilities of their firewall to allocate costs to individual departments/users so as to enable a charge-back structure for internet usage? Do most firewalls allow reporting on this sort of basis or would a separate package have to be used, in which case which ones are out there and what do people recommend?
Cheers

Mike
--
Mike Blaser - IT Security Analyst        mike@scio.demon.co.uk
Vertex Data Science Ltd                  +44 (0) 1925 236831
TA29, Dawson House                       Comments and opinions are those of the
Great Sankey, Warrington, UK             author and not of Vertex Data Science Ltd

From firewalls-owner Thu Feb 6 04:34:28 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id EAA14344 for firewalls-outgoing; Thu, 6 Feb 1997 04:23:43 -0800 (PST) Received: from gfw.siemens.co.za ([196.27.60.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id EAA14334 for ; Thu, 6 Feb 1997 04:23:15 -0800 (PST) Received: by gfw.siemens.co.za; id OAA09709; Thu, 6 Feb 1997 14:19:13 +0200 Received: from unknown(150.207.254.15) by gfw.siemens.co.za via smap (V3.1.1) id xmaa09703; Thu, 6 Feb 97 14:19:10 +0200 Received: by sparkex.siemens.co.za with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC1439.1F1962A0@sparkex.siemens.co.za>; Thu, 6 Feb 1997 14:22:02 +0200 Message-ID: From: "Sizer, Kevin" To: "'firewalls@greatcircle.com'" Subject: Gauntlet ver 3.12 Date: Thu, 6 Feb 1997 14:22:00 +0200 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Any ideas on how to crack this number? All in the cause of a better system.
KevinS

From firewalls-owner Thu Feb 6 05:05:04 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id EAA14918 for firewalls-outgoing; Thu, 6 Feb 1997 04:34:57 -0800 (PST)
Received: from castle.us-state.gov (castle.us-state.gov [198.76.102.19]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id EAA14896 for ; Thu, 6 Feb 1997 04:34:33 -0800 (PST)
From: crumrig@us-state.gov
Received: by castle.us-state.gov; id AA15140; Thu, 6 Feb 97 07:33:05 EST
Received: from pubhost.us-state.gov(198.76.102.34) by castle.us-state.gov via smap (V1.3mjr) id sma015125; Thu Feb 6 07:32:16 1997
Received: by pubhost.us-state.gov; id AA14976; Thu, 6 Feb 97 07:32:07 EST
Date: Thu, 6 Feb 97 07:21:06 PST
Subject: RE: Packet Filter rules...
To: firewalls@greatcircle.com, nvs2@cornell.edu
X-Mailer: Chameleon ENGP1, TCP/IP for Windows, NetManage Inc.
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Try going to the mountain and speaking with GOD. Markus Ranum has his security white papers located at www.v-one.com. I assume you know who Markus Ranum is; if not, then you should take up some other major, like basket weaving or such. Actually, I am just kidding. As you probably know, Markus wrote FW Toolkit. He is now working at v-one and all of his stuff is there for reading. I also would suggest hitting the NCSA's website and getting ahold of some of the books they have for sale..

Lastly, a packet filter router is a very good tool, and should be a part of any system that is being implemented. And it possibly could manage to work for small to medium operations, but they are not a Firewall in the truest sense of the word. Now there are some nice features that CISCO will try and sell you, but when it comes to proxy services, and configurability AND reporting, then true dual homed proxy firewalls are the only way to go. Period! Packet filters are good as tools as part of a bigger system, but that is all. Besides the lack of reporting on a router, I could kill your router with traffic and have free rein on your system while the router is rebooting itself. As far as speed goes, don't worry about it. Unless of course you have a 2000 node LAN, all using http and sending a million messages an hour.

---------------Original Message---------------

Hi,

I am implementing a firewall as a Master's project and I need to decide on rules for packet filtering. I have two questions to ask you folks:

(1) Can anyone suggest research papers/books/web documents on packet filtering?

(2) I was told that a packet filter should check for various combinations of: Source Address, Destn Address, protocol, Source port, destn port and then decide if a packet should be let through. Also, this decision making has to be real fast so as not to introduce a considerable amount of overhead while routing the packet. Does anyone have any suggestions on how this can be done?

Thanks in advance

Nik.
----
----------End of Original Message----------

From firewalls-owner Thu Feb 6 05:19:46 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id FAA17799 for firewalls-outgoing; Thu, 6 Feb 1997 05:00:07 -0800 (PST)
Received: from mailsrv1.pcy.mci.net (mailsrv1.pcy.mci.net [204.71.0.43]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id EAA17751 for ; Thu, 6 Feb 1997 04:59:48 -0800 (PST)
Received: from mikeep01.wachovia.com (usr16-dialup40.Atlanta.mci.net) by MAIL-CLUSTER.PCY.MCI.NET (PMDF V5.0-7 #10044) id <01IF36ZMAOFK8WWBWS@MAIL-CLUSTER.PCY.MCI.NET>; Thu, 06 Feb 1997 07:58:46 -0500 (EST)
Received: from mikeep01.wachovia.com (usr16-dialup40.Atlanta.mci.net) by MAIL-CLUSTER.PCY.MCI.NET (PMDF V5.0-7 #10045) id <01IF36YY39QQ8Y58AJ@MAIL-CLUSTER.PCY.MCI.NET>; Thu, 06 Feb 1997 07:58:02 -0500 (EST)
Date: Thu, 06 Feb 1997 07:54:34 +0000
From: Mike Parsons <109j9jph6ig4@mail04.internetMCI.com>
Subject: Re: Firewall 1 & Bay Routers
To: firewalls@greatcircle.com, gblolmxb@ibmmail.com
Reply-to: mike.parsons@internetmci.com
Message-id: <01IF36YYF3GK8Y58AJ@MAIL-CLUSTER.PCY.MCI.NET>
MIME-version: 1.0
X-Mailer: Pegasus Mail for Win32 (v2.42a)
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Comments: Authenticated sender is <109j9jph6ig4@mail04.internetMCI.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It can have its advantages. The Checkpoint 1 software can offer significant improvement to the packet filtering capabilities of a router that is serving the role of a screening router on the perimeter. At the risk of causing undue discussion, though, I still feel obliged to point out that this should be in conjunction with a real proxy host. I have my innate paranoia to protect 8^).
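Nik's question earlier in this thread asks which header fields a packet filter should check (source and destination address, protocol, source and destination port) and how the decision can be made quickly. The following is an added example, not code from anyone on the list: a toy stateless filter in the style of a screening router, with ordered first-match rules, a default deny, an anti-spoofing rule that must come first, and the classic "ACK bit set" test that a stateless filter uses to let reply traffic back in without admitting new inbound connections. All addresses and the rule set are constructed for illustration.

```python
"""Toy stateless packet filter: ordered, first-match rules over the 5-tuple.

Added example, not code from the mailing list. Addresses and the rule set
are constructed (RFC 1918 and TEST-NET ranges) purely for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    sport: int = 0          # 0 when the protocol has no ports
    dport: int = 0
    ack: bool = False       # TCP ACK bit; set on every segment except the opening SYN


@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None          # None matches any protocol
    sport: Tuple[int, int] = (0, 65535)  # inclusive port ranges
    dport: Tuple[int, int] = (0, 65535)
    established: bool = False            # require ACK set (reply traffic only)
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (self.proto is None or self.proto == p.proto)
                and self.sport[0] <= p.sport <= self.sport[1]
                and self.dport[0] <= p.dport <= self.dport[1]
                and (not self.established or p.ack))


ANY = ip_network("0.0.0.0/0")
INSIDE = ip_network("192.168.10.0/24")   # constructed: the protected LAN
BASTION = ip_network("192.0.2.25/32")    # constructed: the mail bastion host

# Rules evaluated against traffic arriving on the *external* interface.
# Order matters: the first matching rule decides, so the anti-spoofing
# deny must precede any permit that could otherwise match.
RULES: List[Rule] = [
    Rule("deny", INSIDE, ANY,
         comment="anti-spoofing: inside source address arriving from outside"),
    Rule("permit", ANY, BASTION, "tcp", dport=(25, 25),
         comment="inbound SMTP to the bastion only"),
    Rule("permit", ANY, INSIDE, "tcp", sport=(1, 1023), dport=(1024, 65535),
         established=True,
         comment="replies to connections opened from inside (ACK set)"),
    Rule("permit", ANY, BASTION, "udp", dport=(53, 53),
         comment="DNS queries to the bastion resolver"),
]


def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (action, index of the deciding rule); index -1 means default deny."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", -1


if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("203.0.113.5", "192.0.2.25", "tcp", 40000, 25),
        Packet("192.168.10.7", "192.0.2.25", "tcp", 40000, 25),
        Packet("203.0.113.5", "192.168.10.7", "tcp", 80, 40000, ack=True),
        Packet("203.0.113.5", "192.168.10.7", "tcp", 80, 40000),
        Packet("203.0.113.5", "192.168.10.7", "tcp", 40000, 23),
    ]
    for s in samples:
        action, idx = decide(RULES, s)
        why = RULES[idx].comment if idx >= 0 else "no rule matched (default deny)"
        print(f"{s.src}:{s.sport} -> {s.dst}:{s.dport} {s.proto}: {action} ({why})")
```

On Nik's speed concern: a linear scan like this is O(number of rules) per packet, which is what early routers did; keeping the list short and placing the most frequently hit rules (after the mandatory anti-spoofing denies) near the top is the practical optimisation, and production filters compile the rule set into lookup structures instead of scanning it.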
From firewalls-owner Thu Feb 6 05:40:54 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id FAA20358 for firewalls-outgoing; Thu, 6 Feb 1997 05:23:40 -0800 (PST)
Received: from anaf04.amsterdam.nl ([145.222.17.29]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id FAA20292 for ; Thu, 6 Feb 1997 05:23:14 -0800 (PST)
Received: from anaf01.amsterdam.nl ([145.222.33.39]) by anaf04.amsterdam.nl (8.6.12/8.6.9) with SMTP id OAA22775 for ; Thu, 6 Feb 1997 14:03:31 +0100
Received: from AMSTERDAM-Message_Server by anaf01.amsterdam.nl with Novell_GroupWise; Thu, 06 Feb 1997 14:23:54 +0100
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Thu, 06 Feb 1997 14:21:41 +0100
From: Ewout Meij
Reply-To: BSD02.EMEIJ@anaf01.amsterdam.nl
To: FireWalls@GreatCircle.com
Subject: Other protocols
Mime-Version: 1.0
Content-Type: text/plain
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Great think-tank:

Is there anybody out there who does this:

 |----- LAN 1 -----| with: IPX/SPX-TCP/IP-DEC-IBM
          |
          FW
          |
 |----- LAN 2 -----| with: TCP/IP only
          |
          FW
          |
 |----- LAN 3 -----| with: IPX/SPX-TCP/IP-DEC-IBM

And yes there needs to be comm. between the LAN1 & LAN3 on all the mentioned protocols... are there any FW's on the market that are 'especially' good at this? Am I in fact looking for a bunch of proxies?

As I am claiming your time anyway here is the next: what about this config:

 |---net1---| TCP/IP only
       |
       FW
       |
 |---net2---| SPX/IPX only
       |
       FW
       |
 |---net3---| TCP/IP only

Does this sound like anything you've come across? And what about it?

Ewout Meij

Contrary to popular belief, Unix is user friendly. It just happens to be very selective about who it decides to make friends with.
From firewalls-owner Thu Feb 6 05:59:56 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id FAA22168 for firewalls-outgoing; Thu, 6 Feb 1997 05:42:56 -0800 (PST)
Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id FAA22153 for ; Thu, 6 Feb 1997 05:42:44 -0800 (PST)
From: proff@suburbia.net
Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with SMTP id FAA09342 for ; Thu, 6 Feb 1997 05:43:01 -0800 (PST)
Received: (qmail 1429 invoked by uid 110); 6 Feb 1997 13:41:13 -0000
Message-ID: <19970206134113.1427.qmail@suburbia.net>
Subject: Re: Packet Filter rules...
In-Reply-To: from "crumrig@us-state.gov" at "Feb 6, 97 07:21:06 am"
To: crumrig@us-state.gov
Date: Fri, 7 Feb 1997 00:41:13 +1100 (EST)
Cc: firewalls@greatcircle.com
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Try going to the mountain and speaking with GOD. Markus Ranum has

As much as one may respect MJR, God doesn't write buffer over-runs in firewalls.

-- 
Prof. Julian Assange  |If you want to build a ship, don't drum up people
                      |together to collect wood and don't assign them tasks
proff@iq.org          |and work, but rather teach them to long for the endless
proff@gnu.ai.mit.edu  |immensity of the sea.
                      |-- Antoine de Saint Exupery

From firewalls-owner Thu Feb 6 06:35:42 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id GAA25041 for firewalls-outgoing; Thu, 6 Feb 1997 06:10:12 -0800 (PST)
Received: from deere-bh.dx.deere.com (deere-bh.dx.deere.com [207.122.201.66]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id GAA25031 for ; Thu, 6 Feb 1997 06:10:03 -0800 (PST)
Received: (from uucp@localhost) by deere-bh.dx.deere.com (8.6.12/8.6.11) id IAA03423; Thu, 6 Feb 1997 08:10:07 -0600
Received: from 192.43.1.3 by deere-bh.dx.deere.com via smap (V1.3) id sma003149; Thu Feb 6 08:09:42 1997
Received: from 90.deere.com (dts.90.deere.com) by deere.dx.deere.com (4.1/SMI-4.0) id AA28511; Thu, 6 Feb 97 08:08:22 CST
Received: from t47up.90.deere.com by 90.deere.com (SMI-8.6/SMI-SVR4) id IAA17023; Thu, 6 Feb 1997 08:05:51 -0600
Message-Id: <32F9E5C6.287C@90.deere.com>
Date: Thu, 06 Feb 1997 08:08:06 -0600
From: Bertrum Carroll
Organization: Deere & Company
X-Sender: Bertrum Carroll
X-Mailer: Mozilla 4.0b1 (Win95; I)
Mime-Version: 1.0
To: admin@unicc.org
Cc: Firewalls@GreatCircle.COM
Subject: Re: PPTP and Firewalls
X-Priority: Normal
References: <9702060937.AA07401@gh-old.unicc.org>
Content-Type: multipart/mixed; boundary="----------511E25927B301"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is a multi-part message in MIME format.

------------511E25927B301
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii

Does anyone know how to do PPTP without the 255 or 254 concurrent user limit in RAS?
------------511E25927B301
Content-Transfer-Encoding: 7bit
Content-Description: Address Book Card for Bertrum Carroll
Content-Disposition: inline; filename="nsmailCE.TMP"
Content-Type: text/x-vCard; charset=us-ascii; name="nsmailCE.TMP"

BEGIN:VCARD
FN:Bertrum Carroll
N:Carroll;Bertrum
EMAIL;INTERNET:bc17684@90.deere.com
NOTE:Deere & Company Computer Security
X-NAV-HTML:T
END:VCARD

------------511E25927B301--

From firewalls-owner Thu Feb 6 07:06:35 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id GAA26217 for firewalls-outgoing; Thu, 6 Feb 1997 06:16:42 -0800 (PST)
Received: from callisto.lif.icnet.uk (callisto.lif.icnet.uk [143.65.100.5]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id GAA26135 for ; Thu, 6 Feb 1997 06:16:12 -0800 (PST)
Received: from localhost by callisto.lif.icnet.uk with SMTP(5.65v3.0/6.2); Thu, 6 Feb 1997 14:12:26 GMT
Date: Thu, 6 Feb 1997 14:12:26 +0000 (GMT)
From: John Hopkins
X-Sender: hopkins@callisto.lif.icnet.uk
To: proff@suburbia.net
Cc: crumrig@us-state.gov, firewalls@greatcircle.com
Subject: Re: Packet Filter rules...
In-Reply-To: <19970206134113.1427.qmail@suburbia.net>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hmm.
I don't know of a firewall package that God has written.

John Hopkins

On Fri, 7 Feb 1997 proff@suburbia.net wrote:

> > Try going to the mountain and speaking with GOD. Markus Ranum has
>
> As much as one may respect MJR, God doesn't write buffer over-runs in
> firewalls.
>
> --
> Prof. Julian Assange  |If you want to build a ship, don't drum up people
>                       |together to collect wood and don't assign them tasks
> proff@iq.org          |and work, but rather teach them to long for the endless
> proff@gnu.ai.mit.edu  |immensity of the sea.
>                       |-- Antoine de Saint Exupery
>

From firewalls-owner Thu Feb 6 07:25:53 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id HAA03304 for firewalls-outgoing; Thu, 6 Feb 1997 07:14:35 -0800 (PST)
Received: from ultra1.dreamscape.com (ultra1.dreamscape.com [206.64.128.7]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id HAA03295 for ; Thu, 6 Feb 1997 07:14:27 -0800 (PST)
Received: from bertha (sa2.dreamscape.com [206.114.183.131]) by ultra1.dreamscape.com (8.8.5/8.8.4) with ESMTP id KAA29422 for ; Thu, 6 Feb 1997 10:14:24 -0500 (EST)
Message-ID: <32F9F533.64D2@dreamscape.com>
Date: Thu, 06 Feb 1997 10:13:55 -0500
From: "Steven E. Matkoski"
Organization: Blue Cross Blue Shield of CNY
X-Sender: "Steven E. Matkoski"
X-Mailer: Mozilla 4.0b1 (WinNT; I)
MIME-Version: 1.0
To: Firewall mailing list
Subject: Gauntlet on Solaris: Installation question.
X-Priority: Normal
Content-Type: multipart/alternative; boundary="----------34855444F6A2"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

------------34855444F6A2
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii

Hi,

I am about to start installing Gauntlet on Solaris 2.5.1 and wondered if there was anything I should do to harden the OS before installation?

-- 
Thanks!
-steve.
matkoski@dreamscape.com
------------34855444F6A2--

From firewalls-owner Thu Feb 6 07:43:12 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id GAA29047 for firewalls-outgoing; Thu, 6 Feb 1997 06:37:58 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id GAA29003 for ; Thu, 6 Feb 1997 06:37:33 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id JAA26381; Thu, 6 Feb 1997 09:33:01 -0500 (EST)
From: Adam Shostack
Message-Id: <199702061433.JAA26381@homeport.org>
Subject: Re: Packet Filter rules...
In-Reply-To: <19970206134113.1427.qmail@suburbia.net> from "proff@suburbia.net" at "Feb 7, 97 00:41:13 am"
To: proff@suburbia.net
Date: Thu, 6 Feb 1997 09:33:00 -0500 (EST)
Cc: crumrig@us-state.gov, firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

proff@suburbia.net wrote:

| > Try going to the mountain and speaking with GOD. Markus Ranum has
|
| As much as one may respect MJR, God doesn't write buffer over-runs in
| firewalls.

God doesn't write firewalls. Anyone who can create a world in 7 days can clearly secure every app on their entire network. He just uses a couple of packet filters to cause endless philosophical arguments about 'can god create a network so large that he can't secure it?'

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
                                        -Hume

From firewalls-owner Thu Feb 6 07:59:26 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id HAA07789 for firewalls-outgoing; Thu, 6 Feb 1997 07:39:15 -0800 (PST)
Received: from cptech.com (tanis.tiac.net [204.215.141.78]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id HAA07773 for ; Thu, 6 Feb 1997 07:39:06 -0800 (PST)
Received: by cptech.com (5.x/SMI-SVR4) id AA04434; Thu, 6 Feb 1997 10:37:40 -0500
Date: Thu, 6 Feb 1997 10:37:40 -0500
From: dcosio@tanis.cptech.com (Dave Cosio)
Message-Id: <9702061537.AA04434@cptech.com>
To: firewalls@greatcircle.com
Subject: Re: Firewall 1 & Bay Routers
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If you think about it, a firewall is nothing more than a secure router, with varying levels of security. Why would you want to waste hardware resource on a full-blown O.S. (UNIX or NT) on a router? I think this is a great idea. I suspect you will get good-great security with excellent performance.

-------------------------------------------------------------------------------
Dave Cosio                                  Corporate Technologies Inc.
Systems Consultant                          Tel 508.459.2420 x20
Network Security and Systems Integrators    100 foot of John Street
http://www.cptech.com                       Lowell Massachusetts
"Make mine a Smutty" -Smuttynose Brewing Co slogan.

From firewalls-owner Thu Feb 6 08:30:55 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id HAA07623 for firewalls-outgoing; Thu, 6 Feb 1997 07:37:43 -0800 (PST)
Received: from europa.lif.icnet.uk (europa.lif.icnet.uk [143.65.100.4]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id HAA07420 for ; Thu, 6 Feb 1997 07:36:55 -0800 (PST)
From: harley@icrf.icnet.uk
Message-Id: <199702061536.HAA07420@miles.greatcircle.com>
Received: by europa.lif.icnet.uk; Thu, 6 Feb 1997 15:35:50 GMT
Subject: Re: Packet Filter rules...
To: hopkins@icrf.icnet.uk (John Hopkins)
Date: Thu, 6 Feb 1997 15:35:50 +0000 (GMT)
Cc: firewalls@greatcircle.com
In-Reply-To: from "John Hopkins" at Feb 6, 97 02:12:26 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Hmm.
> I don't know of a firewall package that God has written.
>
> John Hopkins
>

Why should SATAN have all the best tunes? B-)

-- 
David Harley                     \ | /     alt.comp.virus FAQ
D.Harley@icrf.icnet.uk            \ | /    & Anti-Virus Web Page
Support & Security Analyst         \ | /   Folk London On-Line gig-list
Imperial Cancer Research Fund   ____\|/____ http://webworlds.co.uk/dharley/

From firewalls-owner Thu Feb 6 08:31:05 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id HAA04990 for firewalls-outgoing; Thu, 6 Feb 1997 07:25:03 -0800 (PST)
Received: from andromeda.tectel.com.mx (andromeda.tectel.com.mx [200.23.62.194]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id HAA04920 for ; Thu, 6 Feb 1997 07:24:44 -0800 (PST)
Received: from port10.tectel.com.mx ([200.23.62.138]) by andromeda.tectel.com.mx (Netscape Mail Server v2.0) with SMTP id AAA7178; Thu, 6 Feb 1997 09:14:22 -0600
Received: by port10.tectel.com.mx with Microsoft Mail id <01BC140F.CFE09C40@port10.tectel.com.mx>; Thu, 6 Feb 1997 09:26:20 -0600
Message-ID: <01BC140F.CFE09C40@port10.tectel.com.mx>
From: Colegio de Contadores
To: "'Ng Yiu Cho - CSD SUNSSD'"
Cc: "Firewalls@GreatCircle.COM"
Subject: RE: hardware requeriment.
Date: Thu, 6 Feb 1997 09:07:04 -0600
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

----------
From: Ng Yiu Cho - CSD SUNSSD[SMTP:ycng@csam.com.my]
Sent: Thursday, 6 February 1997 2:20
To: Colegio de Contadores
Cc: Firewalls@GreatCircle.COM
Subject: Re: hardware requeriment.
Hi There

The recommended hardware requirement that I would suggest will be:

CPU       - Get a Pentium Processor 166 or better
Memory    - > 64MB Ram
Hard Disk - > 2.1 GB

****************************************************************************************

Why that amount of Hard Disk? Is 450 M not enough for the O.S. and the firewall itself?

Thanks for your answer ..... oooppp.... pardon .. How can I subscribe to the list?

From firewalls-owner Thu Feb 6 08:32:34 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id GAA28203 for firewalls-outgoing; Thu, 6 Feb 1997 06:29:42 -0800 (PST)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id GAA28124 for ; Thu, 6 Feb 1997 06:29:19 -0800 (PST)
Received: from big-dogs.cisco.com ([171.68.53.75]) by lint.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id GAA22877; Thu, 6 Feb 1997 06:27:52 -0800 (PST)
Message-Id: <3.0.32.19970206092745.006bf1ac@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Thu, 06 Feb 1997 09:27:52 -0500
To: BSD02.EMEIJ@anaf01.amsterdam.nl
From: Paul Ferguson
Subject: Re: Other protocols
Cc: FireWalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 02:21 PM 2/6/97 +0100, Ewout Meij wrote:

>Great think-tank:
>
>Is there anybody outthere who does this:
>
> |----- LAN 1 -----| with: IPX/SPX-TCP/IP-DEC-IBM
>          |
>          FW
>          |
> |----- LAN 2 -----| with: TCP/IP only
>          |
>          FW
>          |
> |----- LAN 3 -----| with: IPX/SPX-TCP/IP-DEC-IBM
>
>And yes there needs to be comm. between the LAN1 & LAN3 on all the
>mentioned protocols... is there any FW's on the marked thar are
>'especaily' good at this? Am I in fact looking for a bunch of proxies?
>

Sounds like a practical job for a good multiprotocol router with filtering capabilities, but that's just my opinion.
- paul

--
Paul Ferguson                     ||        ||
Consulting Engineering            ||        ||
Herndon, Virginia USA            ||||      ||||
tel: +1.703.397.5938         ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com     c i s c o  S y s t e m s

From firewalls-owner Thu Feb 6 09:27:47 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id GAA28343 for firewalls-outgoing; Thu, 6 Feb 1997 06:31:33 -0800 (PST)
Received: from sage.Cypher-Sage.COM ([206.41.182.5]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id GAA28328 for ; Thu, 6 Feb 1997 06:31:18 -0800 (PST)
From: bkatzung@Cypher-Sage.COM
Received: by sage.Cypher-Sage.COM (?/BK-2.3.1) id IAA09755; Thu, 6 Feb 1997 08:28:48 -0600
Date: Thu, 6 Feb 1997 08:28:48 -0600
Message-Id: <199702061428.IAA09755@sage.Cypher-Sage.COM>
To: lwhitty@LANcomp.COM
Subject: Re: FW1 Address translation installation on multiple inspection module hosts
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Date: Tue, 4 Feb 1997 12:26:49 -0500 (EST)
>From: Lee Whitty
>
>I'm working with a customer running FW1 V2.1 on 2 firewalls. [...]
>I need to be able to install the same rule set on both machines, but
>load a different address translation filter on each. [...] Is there
>any way to have separate translation tables and a common ruleset,
>and install them in one step?

The translation is performed by INSPECT segment register 15, which can be loaded independently for any host and interface combination. The code for the general case looks something like this:

    // Firewall "a" and its standby clone
    fwa_hosts=hosts{ fwa, fwa_stdby };

    // A's external interface
    fwa_ext_ifs=interfaces{ le0 };

    // A's external interface translation(s)
    fwa_ext_trans={ <... HIDE ...>, <... SRC_STATIC ...> };

    <> fwa_ext_ifs@fwa_hosts set sr15 fwa_ext_trans;

    // A's DMZ interface(s)
    fwa_dmz_ifs=interfaces{ qe0, qe1 };

    // A's DMZ translation(s)
    fwa_dmz_trans={ <... DST_STATIC ...> };

    <> fwa_dmz_ifs@fwa_hosts set sr15 fwa_dmz_trans;

    // Firewall "b"
    fwb_hosts=host{ fwb };

    // [Continue by defining fwb_..._ifs and fwb_..._trans, etc. and install
    // them based on the interfaces and hosts as above.]

-- 
Brian Katzung   bkatzung@Cypher-Sage.COM

From firewalls-owner Thu Feb 6 09:36:26 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id GAA00422 for firewalls-outgoing; Thu, 6 Feb 1997 06:47:44 -0800 (PST)
Received: from portal.west.saic.com (portal.west.saic.com [198.151.12.15]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id GAA00332 for ; Thu, 6 Feb 1997 06:47:16 -0800 (PST)
Received: from escort.sigtech.saic.com ([139.121.146.51]) by portal.west.saic.com via smtpd (for miles.greatcircle.com [198.102.244.34]) with SMTP; 6 Feb 1997 14:46:10 UT
Received: from falcon.cist.saic.com by escort (4.1/SMI-4.1) id AA07616; Thu, 6 Feb 97 09:45:09 EST
Message-Id: <9702061445.AA07616@escort>
From: "Chris Kostick"
To:
Subject: Re: Packet Filter rules...
Date: Thu, 6 Feb 1997 09:43:49 -0500
X-Msmail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > Try going to the mountain and speaking with GOD. Markus Ranum has
>
> As much as one may respect MJR, God doesn't write buffer over-runs in
> firewalls.

BTW, Marcus spells his name with a C.
-- 
Chris

From firewalls-owner Thu Feb 6 10:09:34 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id GAA26801 for firewalls-outgoing; Thu, 6 Feb 1997 06:19:54 -0800 (PST)
Received: from bicc00.bi.ehu.es (bicc00.bi.ehu.es [158.227.65.40]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id GAA26728 for ; Thu, 6 Feb 1997 06:19:29 -0800 (PST)
Received: from bipt71.bi.ehu.es by bicc00.bi.ehu.es (AIX 3.2/UCB 5.64/4.03) id AA29398; Thu, 6 Feb 1997 15:22:16 GMT
Message-Id: <3.0.1.32.19970206151811.0069c320@bicc00.bi.ehu.es>
X-Sender: jtpjatae@bicc00.bi.ehu.es
X-Mailer: Windows Eudora Light Version 3.0.1 beta 12 (32)
Date: Thu, 06 Feb 1997 15:18:11 +0100
To: firewalls@GreatCircle.COM
From: Eduardo Jacob
Subject: NEC Socks V5
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anybody had experiences with the above? I have been impressed by the way both security (encrypted link) and user authentication are achieved (at least in the domestic version, domestic there...).

I was thinking about securing access from mobile PCs that get a different IP address and name each time (due to the ISP in use). So I must rely on user authentication with ID cards, OPIE or S/KEY, instead of IP addresses or DNS names. I would also get an encrypted tunnel for all access to the server so I could use unsecured applications directly. Sadly it seems this is restricted to the USA-only version.

Does anybody know of any implementation for Linux that has these capabilities? Or at least a version with the authentication and encryption facilities not removed. Or a Bones version?

Best regards.
Eduardo
-------------------------------------------------------
Eduardo Jacob - Area de Ingenier'ia Telem'atica
Departamento de Electr'onica y Telecomunicaciones
ETSII y de IT                        Tel: +34-(9)4-427 8055
UPV / EHU                            Fax: +34-(9)4-441 4041
Alda Urquijo s/n                     E-mail: jtpjatae@bi.ehu.es
E-48013 - Bilbao (Spain)             : 100021,2212 Compuserve
Ham: EA2BAJ                          VHF PACKET: EA2BAJ @ EA2URV

From firewalls-owner Thu Feb 6 10:11:22 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id IAA12537 for firewalls-outgoing; Thu, 6 Feb 1997 08:23:06 -0800 (PST)
Received: from stortek.stortek.com (stortek.com [129.80.22.249]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id IAA12528 for ; Thu, 6 Feb 1997 08:22:59 -0800 (PST)
Received: from coltano.stortek.com (coltano.stortek.com [129.80.40.2]) by stortek.stortek.com (8.8.4/8.7.3) with ESMTP id JAA04232 for ; Thu, 6 Feb 1997 09:21:44 -0700 (MST)
Received: (from jim@localhost) by coltano.stortek.com (8.8.5/8.8.5) id JAA05056; Thu, 6 Feb 1997 09:21:43 -0700 (MST)
Date: Thu, 6 Feb 1997 09:21:43 -0700 (MST)
From: Jim Wamsley 303-673-8163
Message-Id: <199702061621.JAA05056@coltano.stortek.com>
To: firewalls@GreatCircle.Com
Subject: Re: TEMPEST
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You're all wrong. NCSC Pub 1 defines TEMPEST as a short title for the study of unintentional, possibly compromising, spurious emanations. Take it as gospel folks - they originated it.

According to folklore, when it was discovered that EMI could be captured and analyzed, the resulting furor and panic was likened to a tempest in a teapot. Hence the short title.

> From firewalls-owner@GreatCircle.COM Wed Feb 5 19:25 MST 1997
> Date: Wed, 5 Feb 1997 17:49:55 -0500
> X-Sender: pelicans@pop.mindspring.com
> Mime-Version: 1.0
> To: Firewalls@GreatCircle.COM
> From: pelicans@mindspring.com (BeachCruiser)
> Subject: TEMPEST
>
>
> K.M. Goertzel and Jody Patilla have it exactly correct.
>
>
> TEMPEST = Transient Electro-Magnetic Pulse Emanation STandard
>           ^         ^       ^        ^     ^         ^^
>
> Sorry...so did Brett Lymn
>
>
>
> Thread Dead.
>

From firewalls-owner Thu Feb 6 10:52:35 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id GAA00602 for firewalls-outgoing; Thu, 6 Feb 1997 06:49:22 -0800 (PST)
Received: from sage.Cypher-Sage.COM ([206.41.182.5]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id GAA00520 for ; Thu, 6 Feb 1997 06:48:55 -0800 (PST)
From: bkatzung@Cypher-Sage.COM
Received: by sage.Cypher-Sage.COM (?/BK-2.3.1) id IAA09778; Thu, 6 Feb 1997 08:44:52 -0600
Date: Thu, 6 Feb 1997 08:44:52 -0600
Message-Id: <199702061444.IAA09778@sage.Cypher-Sage.COM>
To: etxrosd@nmac.ericsson.se
Subject: Re: Configuring SecureID in FW-1
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Date: Thu, 6 Feb 1997 07:43:28 +0100
>From: etxrosd@nmac.ericsson.se (Robert Stahlbrand)
>
>I'm trying to configure SecureID for users who use my telnet proxy in
>Checkpoint's FW-1 ver.2.1 but it doesn't seem to work. [...]
>I have configured a number of users and it's no problem with UNIX
>passwords, Internal passwords or S/Key but I don't get the
>SecureID function to work!!! [...] I got a card but I don't see where
>I should put in the serial number for the card in the firewall!!! How
>will the firewall be able to understand which card the user has got? I
>understand that the FW must be time synchronized because the SecureID card
>changes the displayed number every 10 seconds. When I choose SecureID in the
>user setup I am prompted for nothing else???
>
>My FW-1 handbook says nothing about SecureID (almost nothing). Do you have
>to buy an extra license or something???

You need to install the SecurID client (from SecurID) for the operating system you are using (eg, SunOS, NT) on the FW-1 machine. FW-1 will see the client's configuration files and call the client libraries.
It will pass the FW-1 user name to the ACE server, so just authorize that user (or a group containing that user) for the FW-1 host (client) in the ACE configuration. The token assignment and time synchronization all get handled by the ACE server software "black box". FW-1 doesn't know or care about it.

-- 
Brian Katzung   bkatzung@Cypher-Sage.COM

From firewalls-owner Thu Feb 6 10:53:04 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id IAA10450 for firewalls-outgoing; Thu, 6 Feb 1997 08:03:56 -0800 (PST)
Received: from brimstone.rnb.com (brimstone.rnb.com [204.178.80.14]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id IAA10435 for ; Thu, 6 Feb 1997 08:03:48 -0800 (PST)
Received: by brimstone.rnb.com; id LAA14398; Thu, 6 Feb 1997 11:02:38 -0500 (EST)
Received: from relay.rnb.com(199.99.101.2) by brimstone.rnb.com via smap (3.2) id xma014377; Thu, 6 Feb 97 11:02:33 -0500
Received: from monarch.rnb.com (monarch [150.1.33.146]) by relay.rnb.com (8.8.4/8.8.4) with SMTP id LAA18382 for ; Thu, 6 Feb 1997 11:02:32 -0500 (EST)
Comments: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Comments: Internet Message: Sender identity is not verified.
Comments: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Thu, 6 Feb 1997 11:01:00 -0500 (EST)
From: Ken Kempster
To: Firewalls
Subject: Gauntlet 3.2 on Solaris 2.5.1 server
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anyone had success installing Gauntlet 3.2 on Solaris 2.5.1 server? After doing the pkgadd, everything seems to be broken. Here are some of the highlights:

1) can't communicate with anything off my local segment
2) openwindows hangs.
3) none of the proxies work; all hang.
etc.

My hardware config. is a Sparc ultra with Solaris 2.5.1 server. Does anyone know of any issues with 2.5.1 and Gauntlet 3.2? Any help would be great, thanx.
|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
| Ken Kempster                 kempster@monarch.rnb.com   |
| Network Systems Engineer            _\|/_               |
| Republic National Bank              (o o)               |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~oOO-(_)-OOo~~~~~~~~~~~~~~

From firewalls-owner Thu Feb 6 11:02:37 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id IAA15073 for firewalls-outgoing; Thu, 6 Feb 1997 08:38:56 -0800 (PST)
Received: from xyzzy.plugh.edmonton.ab.ca (xyzzy.plugh.edmonton.ab.ca [198.161.22.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id IAA15009 for ; Thu, 6 Feb 1997 08:38:26 -0800 (PST)
Received: (from uucp@localhost) by xyzzy.plugh.edmonton.ab.ca (8.6.12/8.6.9) id JAA04556; Thu, 6 Feb 1997 09:37:06 -0700
Received: from snouts-gw.obtuse.com(192.168.30.61), claiming to be "snouts.obtuse.com" via SMTP by mailhost.plugh.edmonton.ab.ca, id smtpd04547aaa; Thu Feb 6 09:36:55 1997
Received: (from beck@localhost) by snouts.obtuse.com (8.7.5/8.7.3) id JAA02220; Thu, 6 Feb 1997 09:36:58 -0700
From: Bob Beck
Message-Id: <199702061636.JAA02220@snouts.obtuse.com>
Subject: Re: Packet Filter rules...
To: adam@homeport.org (Adam Shostack)
Date: Thu, 6 Feb 1997 09:36:57 -0700 (MST)
Cc: proff@suburbia.net, crumrig@us-state.gov, firewalls@GreatCircle.COM
In-Reply-To: <199702061433.JAA26381@homeport.org> from "Adam Shostack" at Feb 6, 97 09:33:00 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> God doesn't write firewalls. Anyone who can create a world in
> 7 days can clearly secure every app on their entire network. He just
> uses a couple of packet filters to cause endless philisophical
> arguments about 'can god create a network so large that he can't
> secure it?'
>

According to scripture God trusted the users too much and didn't have every app secured.
He ended up having to expel users from the system after they violated the conditions of use.

>
> Adam
  ^^^^-- Anyone with that name oughta know that ;-)

-Bob
--
Bob Beck
Obtuse Systems Corporation
beck@obtuse.com
http://www.obtuse.com/
True Evil hides its real intentions in its street address. Search and you shall find it, and the truth shall set you free.

From firewalls-owner Thu Feb 6 11:34:32 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id GAA29972 for firewalls-outgoing; Thu, 6 Feb 1997 06:45:33 -0800 (PST)
Received: from chronos.synopsys.com (chronos.synopsys.com [146.225.8.10]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id GAA29964 for ; Thu, 6 Feb 1997 06:45:25 -0800 (PST)
Received: from atropos.synopsys.com by chronos.synopsys.com with SMTP id AA29874 (5.65c/IDA-1.4.4 for ); Thu, 6 Feb 1997 06:44:19 -0800
Received: from flying.synopsys.com (flying.synopsys.com [146.225.72.11]) by atropos.synopsys.com (8.6.9/8.6.9) with ESMTP id GAA16876; Thu, 6 Feb 1997 06:44:18 -0800
From: Habeeb Qadri
Received: by flying.synopsys.com (SMI-8.6/SNPS-Sol2) id GAA05591; Thu, 6 Feb 1997 06:44:37 -0800
Date: Thu, 6 Feb 1997 06:44:37 -0800
Message-Id: <199702061444.GAA05591@flying.synopsys.com>
To: Firewalls@greatcircle.com, mike@scio.demon.co.uk
Subject: Re: Charge-Back
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mike:

I know that the next version of CheckPoint's Firewall-1 (3.0) has: "Network Usage Accounting: Provides data on session lengths and bytes transmitted"

This data could then be input into a charge-back program.

Habeeb Qadri
Security Admin
Synopsys, Inc
Mountain View, CA, USA

> From postmaster@synopsys.com Thu Feb 6 04:41:37 1997
> From: Mike Blaser
> To: Firewalls@greatcircle.com
> Subject: Charge-Back
> Date: Thu, 06 Feb 1997 10:12:59 GMT
> Mime-Version: 1.0
> Content-Transfer-Encoding: quoted-printable
>
> A question for all you corporate types out there.
>
> Does anyone use the reporting capabilities of their firewall to allocate
> costs to individual departments/users so as to enable a charge-back
> structure for internet usage? Do most firewalls allow reporting on this
> sort of basis or would a separate package have to be used, in which case
> which ones are out there and what do people recommend?
>
> Cheers
>
> Mike
> --
> Mike Blaser - IT Security Analyst mike@scio.demon.co.uk
> Vertex Data Science Ltd +44 (0) 1925 236831
> TA29, Dawson House Comments and opinions are those of the
> Great Sankey, Warrington, UK author and not of Vertex Data Science Ltd

From firewalls-owner Thu Feb 6 11:56:02 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id IAA11004 for firewalls-outgoing; Thu, 6 Feb 1997 08:09:04 -0800 (PST)
Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id IAA10995 for ; Thu, 6 Feb 1997 08:08:51 -0800 (PST)
From: long-morrow@CS.YALE.EDU
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with ESMTP id LAA10236; Thu, 6 Feb 1997 11:06:45 -0500 (EST) sender long-morrow@CS.YALE.EDU for
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) id LAA00909; Thu, 6 Feb 1997 11:06:43 -0500 (EST)
Date: Thu, 6 Feb 1997 11:06:43 -0500 (EST)
Message-Id: <199702061606.LAA00909@SPARKY.CF.CS.YALE.EDU>
To: firewalls@greatcircle.com, hopkins@icrf.icnet.uk, proff@suburbia.net
Subject: Re: Packet Filter rules...
Cc: crumrig@us-state.gov
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

So sayeth John Hopkins:
> I don't know of a firewall package that God has written.

You mean you never heard of the 'RedSea(TM)' firewall system? One of the most effective ever created for keeping nasty intruders out :-) Or the Jericho(TM) firewall penetration suite and the Noah'/Lot(R) (as in "know a lot" 'bout many different virii :-) anti-virus product :-?
Noah'/Lot(R) is the ultimate solution for disinfecting systems known to be hopelessly infected...

Of course, everyone knows by now that archangels SATAN and Gabriel have gotten into the business, both releasing complementary network security products under their own names. It won't be long before mere angelic creatures (Cherubim and Seraphim) begin breaking off on their own to form consultancies to license, distribute and install these and other commercial firewall products (FW-1, FWTK, Gauntlet, NEC PNG, etc.). Even some of the disciples have also gotten into the act: Paul (famous author of many books in the "Letter to the ..." series) is purportedly working on a book for IDG Communications ("Firewalls for Dummies") and Matthew, Mark, Luke and John are working on a "virtual-DMZ-in-a-box" solution called "Purgatory(TM)".

- Morrow

(Totally tongue-in-cheek :-)

From firewalls-owner Thu Feb 6 11:58:57 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id IAA15832 for firewalls-outgoing; Thu, 6 Feb 1997 08:47:05 -0800 (PST)
Received: from Walden.MO.NET (walden.mo.net [199.250.196.5]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id IAA15775 for ; Thu, 6 Feb 1997 08:46:26 -0800 (PST)
Received: from gate.hussmann.com (gate.hussmann.com [205.139.246.2]) by Walden.MO.NET (8.8.3/8.6.10) with ESMTP id KAA03422; Thu, 6 Feb 1997 10:44:19 -0600 (CST)
Received: (from nobody@localhost) by gate.hussmann.com (8.7.1/8.7.3) id KAA24017; Thu, 6 Feb 1997 10:44:25 -0600
Message-Id: <199702061644.KAA24017@gate.hussmann.com>
Received: from mail-gate.hussmann.com(129.1.5.4) by gate.hussmann.com via smap (V1.3) id tmp024010; Thu Feb 6 10:43:55 1997
Date: Thu, 6 Feb 1997 10:42:00 -0600
From: "Hicks, Rick"
Subject: RE: Security Design Issue
To: "'Firewalls List'"
Cc: "'kent@dataprep.com.my'"
X-Mailer: Worldtalk (NetConnex V4.00a)/MIME
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>The FR provider already built their PVCs from all the
remote sites to = >the HQ and another PVC from the HQ to the=20 >Internet. The HQ enterprise router can support multiple IP address = >configuration onto the same physical SYNC and Ethernet interface. I've = >been ask what is the best way to protect the network environment with = >FW-1. Sensitive information flow from the remote sites to the HQ must be = >protected so as the treat from Internet. By the way the FW-1 is also = >required to provide NAT to the remote sites and the HQ LAN. The customer = >to utilise the E1 link both for the remote links so as the Internet = >link. I understand that this is not a very good idea especially for = >security point of view. Hope to hear from you'll soon. All your comments = >are highly appreciated. Disclaimer: I am not very familiar with FW-1. You will need to apply access-lists, both input and output, on the Internet PVC's sub-interface. This input list should, as always, deny incoming packets with a source IP address that is internal to your network; deny IP spoofing. You also need to make sure that all incoming packets have a destination for FW-1 ONLY, all other packets should be denied. *very* simple example: access-list 101 deny ip any access-list 101 permit ip any host The output list should make sure that outgoing traffic is only allowed from FW-1. This should also be taken care of by making sure you use a static route to the ISP on the Internet PVC and the default route on the router, if you need one, points to FW-1, NOT the PVC sub-interface (otherwise packets are routed around FW-1, instead of through it). This gets a little tricky however, because FW-1 needs to have the *real* default route to the Internet link. < If anyone has done this please speak up; I haven't, and don't know for sure how to do it >. Just make sure that only FW-1 knows the *true* route, and everyone else must go through it to get out. 
access-list 102 permit ip host any

You could further protect the other sites, and the HQ network, by applying output filters on all other interfaces that only allow packets from FW-1 and the other internal networks.

The only problem I see is with the default route issue. Does anyone have any suggestions??

Good Luck,
Rick
____________________________________________
Rick Hicks
Network Specialist
Hussmann Corporation
RHicks@Hussmann.com
http://www.hussmann.com

From firewalls-owner Thu Feb 6 12:37:23 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id JAA19825 for firewalls-outgoing; Thu, 6 Feb 1997 09:19:15 -0800 (PST)
Received: from info.census.gov (info.census.gov [148.129.129.10]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id JAA19630 for ; Thu, 6 Feb 1997 09:18:30 -0800 (PST)
Received: from gate.census.gov (gate.census.gov [148.129.129.2]) by info.census.gov (8.8.5/8.8.3) with SMTP id MAA02456 for ; Thu, 6 Feb 1997 12:17:23 -0500 (EST)
Received: from it-relay1.census.gov by gate.census.gov with SMTP id AA27993 (InterLock SMTP Gateway 3.0 for ); Thu, 6 Feb 1997 12:17:22 -0500
Received: from rulan001.census.gov ([148.129.79.162]) by it-relay1.census.gov (8.8.4/8.7.3/v1.9) with SMTP id MAA29327 for ; Thu, 6 Feb 1997 12:17:21 -0500 (EST)
Date: Thu, 6 Feb 1997 12:17:21 -0500 (EST)
Message-Id: <199702061717.MAA29327@it-relay1.census.gov>
X-Sender: truland@internet.census.gov
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: "Timothy P. Ruland"
Subject: Packet vs. Proxy Firewalls
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We are currently using an ANS Interlock firewall to protect our internal network. For a variety of reasons we are beginning to re-evaluate the way we have established our basic Internet capabilities.
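[Editor's added example, placed here after Rick Hicks' "Security Design Issue" reply above. It is not part of that post, nor of Tim Ruland's message that continues below, nor of any other message in this thread.] Rick's two access-lists lost their address arguments in the archive, so the example below does not try to restore them; it models the rule logic he describes (deny internal-sourced packets arriving from the Internet, then permit only packets addressed to FW-1, and on the way out permit only FW-1) with Cisco IOS first-match semantics and the implicit deny at the end of every list. The internal range 10.0.0.0/8, the FW-1 external address 192.0.2.10 and the sample packets are all constructed placeholders, not values from the thread.

```python
import ipaddress
from dataclasses import dataclass

# Placeholder addresses (editor's assumptions): Rick's post names neither
# the internal range nor the FW-1 address, the archive dropped them.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
FW1_EXTERNAL = ipaddress.ip_address("192.0.2.10")
ANY = ipaddress.ip_network("0.0.0.0/0")


def host(addr):
    """Equivalent of the IOS 'host A.B.C.D' keyword: a /32 network."""
    return ipaddress.ip_network(f"{addr}/32")


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network    # source match, ANY for 'any'
    dst: ipaddress.IPv4Network    # destination match, ANY for 'any'


def evaluate(acl, src, dst):
    """IOS semantics: entries are tried in order, the first match decides,
    and a packet that matches nothing hits the implicit 'deny any any'."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for rule in acl:
        if s in rule.src and d in rule.dst:
            return rule.action
    return "deny"


# Inbound on the Internet PVC sub-interface (the role of Rick's access-list 101):
#   1. anti-spoofing: nothing arriving from the Internet may claim an internal source
#   2. whatever remains must be addressed to FW-1 itself; everything else is dropped
ACL_101_IN = [
    Rule("deny", INTERNAL_NET, ANY),
    Rule("permit", ANY, host(FW1_EXTERNAL)),
]

# Outbound on the same sub-interface (the role of Rick's access-list 102):
# only FW-1 may send toward the Internet, so hosts routed around it are dropped.
ACL_102_OUT = [
    Rule("permit", host(FW1_EXTERNAL), ANY),
]

# The same two entries with the permit first: the ordering mistake that
# would let a spoofed packet addressed to FW-1 through.
ACL_101_PERMIT_FIRST = list(reversed(ACL_101_IN))


def check_inbound(src, dst):
    return evaluate(ACL_101_IN, src, dst)


def check_outbound(src, dst):
    return evaluate(ACL_102_OUT, src, dst)


def check_inbound_permit_first(src, dst):
    return evaluate(ACL_101_PERMIT_FIRST, src, dst)


if __name__ == "__main__":
    # Constructed packets, not captured traffic.
    samples = [
        ("inbound", "10.1.2.3", str(FW1_EXTERNAL)),       # spoofed internal source
        ("inbound", "198.51.100.7", str(FW1_EXTERNAL)),   # Internet host to FW-1
        ("inbound", "198.51.100.7", "10.5.5.5"),          # tries to bypass FW-1
        ("outbound", str(FW1_EXTERNAL), "198.51.100.7"),  # FW-1 going out
        ("outbound", "10.1.2.3", "198.51.100.7"),         # host routed around FW-1
    ]
    for direction, src, dst in samples:
        fn = check_inbound if direction == "inbound" else check_outbound
        print(f"{direction:8} {src:>14} -> {dst:<14} {fn(src, dst)}")
    print("permit-first ordering lets the spoofed packet through:",
          check_inbound_permit_first("10.1.2.3", str(FW1_EXTERNAL)))
```

On a real router the first entry of list 101 carries the internal network and its wildcard mask and the second carries the FW-1 address after `host`; the evaluator only shows why the deny must precede the permit and why the implicit deny at the end is what stops traffic aimed past FW-1 at internal hosts. The anti-spoofing entry is only as good as the address range it names, so every range that is internal behind FW-1 has to appear in it.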
One question that has been floated around is the benefit of a packet-based firewall solution as opposed to the application gateway system like the Interlock machine. I have been a silent participant on this list for quite awhile and decided to solicit some professional opinions on the matter. Does anyone have a preference as to which firewall solution is better? Of prime concern to our users is performance. I would appreciate any suggestions. You can send any replies to me direct at: truland@census.gov

Thanks in advance for the assistance.

--- ktf
****************************************************************************
"It's astounding...time is fleeting...madness takes its toll" Tim Ruland
"but listen closely...not for very much longer..." US Census Bureau
"I'VE GOT TO TAKE CONTROL!!!!!!" ADP Security Office

From firewalls-owner Thu Feb 6 12:41:03 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id GAA28497 for firewalls-outgoing; Thu, 6 Feb 1997 06:33:26 -0800 (PST)
Received: from chronos.synopsys.com (chronos.synopsys.com [146.225.8.10]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id GAA28480 for ; Thu, 6 Feb 1997 06:33:11 -0800 (PST)
Received: from atropos.synopsys.com by chronos.synopsys.com with SMTP id AA29555 (5.65c/IDA-1.4.4 for ); Thu, 6 Feb 1997 06:32:01 -0800
Received: from flying.synopsys.com (flying.synopsys.com [146.225.72.11]) by atropos.synopsys.com (8.6.9/8.6.9) with ESMTP id GAA16445; Thu, 6 Feb 1997 06:32:00 -0800
From: Habeeb Qadri
Received: by flying.synopsys.com (SMI-8.6/SNPS-Sol2) id GAA05585; Thu, 6 Feb 1997 06:32:19 -0800
Date: Thu, 6 Feb 1997 06:32:19 -0800
Message-Id: <199702061432.GAA05585@flying.synopsys.com>
To: firewalls@greatcircle.com, etxrosd@nmac.ericsson.se
Subject: Re: Configuring SecureID in FW-1
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Robert:

To get your Firewall-1 to work with SecurID:

1) ensure that your SecurID environment is
working properly. Set up your ACE server. From your message it appears that you have done this correctly.

2) When defining your firewall host as a network object:
   click on "Auth Schemes" button
   "Host Auth Schemes" icon pops up
   click on "SecurID" button (second from top)
   click "apply"

3) Set up your Firewall-1 host as an ACE client

4) reboot your Firewall-1 system

Hope this helps,

Habeeb Qadri
Security Admin
Synopsys, Inc
Mountain View, CA, USA

> From postmaster@synopsys.com Wed Feb 5 23:09:21 1997
> Date: Thu, 6 Feb 1997 07:43:28 +0100
> From: etxrosd@nmac.ericsson.se (Robert Stahlbrand)
> To: firewalls@greatcircle.com
> Subject: Configuring SecureID in FW-1
> Mime-Version: 1.0
> Content-Transfer-Encoding: 7bit
> Content-Md5: JvNWURNsNKqUy4vORm/n2g==
>
> Hi everyone!
>
> I'm trying to configure SecurID for users who use my telnet proxy in
> Checkpoint's FW-1 ver.2.1 but it doesn't seem to work. What I'm trying to
> configure is this.....
>
> We have a modem pool outside our firewall and if the users need access to our
> intranet I thought that SecurID would be an easy way for the users to login. It
> seems to be pretty safe and pretty easy for the users. I use the telnet (ftp,
> http as well) proxy function so the users must pass through the proxy to enter
> the internal network. I have configured a number of users and it's no problem
> with UNIX passwords, Internal passwords or S/Key but I don't get the
> SecurID function to work!!! And how should it work??? I got a card but I don't
> see where I should put in the serial number for the card in the firewall!!! How
> will the firewall be able to understand which card the user has got? I
> understand that the FW must be time synchronized because the SecurID card
> changes the displayed number every 10 seconds. When I choose SecurID in the
> user setup I am prompted for nothing else???
>
> My FW-1 handbook says nothing about SecurID (almost nothing). Do you have to
> buy an extra license or something???
>
> ###########################################################
> # Robert Stahlbrand                                       #
> # Network and System Administrator OPLab and NMAC domains #
> #                                                         #
> # Ericsson Telecom AB                                     #
> # Box 333                                                 #
> # 43184 Molndal                                           #
> # Sweden                                                  #
> # +46 31 7476162                                          #
> # +46 31 7472942 (fax)                                    #
> #                                                         #
> # robert@nmac.ericsson.se                                 #
> ###########################################################
>

From firewalls-owner Thu Feb 6 12:53:22 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id KAA28293 for firewalls-outgoing; Thu, 6 Feb 1997 10:11:32 -0800 (PST)
Received: from mail-gw.pacbell.net (mail-gw.pacbell.net [206.13.28.25]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id KAA28243 for ; Thu, 6 Feb 1997 10:11:12 -0800 (PST)
Received: from p133 (ppp-206-170-30-16.hywr01.pacbell.net [206.170.30.16]) by mail-gw.pacbell.net (8.8.5/8.7.1) with SMTP id KAA26283 for ; Thu, 6 Feb 1997 10:10:03 -0800 (PST)
Message-ID: <32FA1E77.2801@pacbell.net>
Date: Thu, 06 Feb 1997 10:09:59 -0800
From: Dave Sroelov
X-Mailer: Mozilla 3.01Gold (WinNT; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: installation problem
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm new with Firewall-1; actually this is my first install, and I am having a slight problem. Any information would be greatly appreciated.

I install the firewall on NT 3.51 and everything goes OK. I then install the GUI software and everything still goes OK. When I try to get the GUI software to connect to the firewall software I get 'no response from server' messages. The software is Firewall-1 version 2.1c and everything is running on the same machine, although it doesn't connect from a remote machine either. I have tried NT 3.51 and 4.0 and neither one works.

Help!!!
Dave Sroelov
dsroelov@pacbell.net

From firewalls-owner Thu Feb 6 13:01:13 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id KAA29655 for firewalls-outgoing; Thu, 6 Feb 1997 10:20:44 -0800 (PST)
Received: from parijs.tip.nl (parijs.tip.nl [143.177.1.10]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id KAA29437 for ; Thu, 6 Feb 1997 10:19:29 -0800 (PST)
Received: from memo.home.nl by parijs.tip.nl with smtp (Smail3.1.29.1 #16) id m0vsYPf-000DnGC; Thu, 6 Feb 97 19:19 MET
Message-Id:
From: "Rodney van den Oever"
To:
Subject: Re: Firewalls-Digest V6 #49
Date: Thu, 6 Feb 1997 19:18:27 +0100
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Thu, 06 Feb 1997 13:45:15 +1100 (EST)
> From: Mitko Stoyanov
> Subject: Dynamic (per user) dial-in PPP IP filtering
>
> I am after any links or information which would help me to achieve the
> above. The filter rules have to be dynamically inserted when the relevant
> user logs in, and removed when he/she logs out. There will be no more
> than 4 - 8 groups of filter rules. There are multiple dial-in ports with
> static IP addresses, and when the user logs out, only the rules regarding
> the used port/IP address should be removed. I did it already with Linux
> 2.0.28, modified pppd and perl scripts, but was wondering if any other
> solution exists already.
Use tacacs+ from cisco or radius

From firewalls-owner Thu Feb 6 13:15:10 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id JAA26009 for firewalls-outgoing; Thu, 6 Feb 1997 09:58:16 -0800 (PST)
Received: from inetgate.scitexdpi.com (firewall.sdp.scitex.com [149.115.248.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id JAA25994 for ; Thu, 6 Feb 1997 09:58:07 -0800 (PST)
Received: by inetgate.scitexdpi.com; id AA09526; Thu, 6 Feb 97 12:56:53 EST
Received: from mailhub.scitexdpi.com(172.16.9.23) by inetgate.scitexdpi.com via smap (3.2) id xma009522; Thu, 6 Feb 97 12:56:27 -0500
Received: from mailhub.scitexdpi.com by mailhub with SMTP id AA01069 (5.67b/IDA-1.5 for ); Thu, 6 Feb 1997 12:56:24 -0500
Received: from sdphq-Message_Server by mailhub.scitexdpi.com with Novell_GroupWise; Thu, 06 Feb 1997 12:56:21 -0500
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Thu, 06 Feb 1997 12:55:54 -0500
From: Bob Allison
To: Firewalls@GreatCircle.COM, z76399@uprc.com
Subject: http proxy problems / gauntlet -Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If your setup is like mine, my internal web server tries to go through the firewall on port 8080, for which there is no proxy. The solution is to have the internal web server use the firewall:80 as a web proxy for everything, rather than using Gauntlet's transparency.

>>> Prahl V. E. Von 02/05/97 02:54pm >>>
greetings,

we occasionally get the following errors from our netscape v 3.0 browser:

"The requested item could not be loaded by the proxy. A network error occurred: unable to connect to server (TCP Error:32) The server may be down or unreachable. Try connecting again later. Proxy server at hostname.xxx.com on port 8080."

hostname.xxx.com is our webserver which is inside the firewall. In the firewall messages I get a security alert on unserved port 8080. I am running Gauntlet 3.1 on a sparc20 SunOS 4.1.4 and have http configured by the boot.
I have http pointing to port 80, which is the default. We actually are proxying http through the internal web machine. I have no idea what is going on here. Any help on this one would be appreciated.

thanks,
von prahl

From firewalls-owner Thu Feb 6 13:30:15 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id JAA23632 for firewalls-outgoing; Thu, 6 Feb 1997 09:38:07 -0800 (PST)
Received: from brimstone.rnb.com (brimstone.rnb.com [204.178.80.14]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id JAA23551 for ; Thu, 6 Feb 1997 09:37:34 -0800 (PST)
Received: by brimstone.rnb.com; id MAA14947; Thu, 6 Feb 1997 12:36:23 -0500 (EST)
Received: from relay.rnb.com(199.99.101.2) by brimstone.rnb.com via smap (3.2) id xma014880; Thu, 6 Feb 97 12:36:16 -0500
Received: from monarch.rnb.com (monarch [150.1.33.146]) by relay.rnb.com (8.8.4/8.8.4) with SMTP id MAA19646; Thu, 6 Feb 1997 12:36:14 -0500 (EST)
Comments: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Comments: Internet Message: Sender identity is not verified.
Comments: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Thu, 6 Feb 1997 12:34:43 -0500 (EST)
From: Ken Kempster
To: "Steven E. Matkoski"
cc: Firewall mailing list
Subject: Re: Guantlet on Solaris: Installation question.
In-Reply-To: <32F9F533.64D2@dreamscape.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 6 Feb 1997, Steven E. Matkoski wrote:

> Hi,
>
> I am about to start installing Gauntlet on Solaris 2.5.1 and wondered if
> there was anything I should do to harden the OS before installation?

I am having nothing but pain with installing Gauntlet 3.2 on Solaris 2.5.1. TIS suggests installing the Sun suggested patches, which I did before the Gauntlet install. But after install nothing seems to work right. I have tried the install three times with the same results.
I am falling back to Solaris 2.5 to see if it's a 2.5.1 problem. I'll let you know how I make out.

>
> --
> Thanks!
> -steve.
> matkoski@dreamscape.com
>
>

|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
| Ken Kempster kempster@monarch.rnb.com |
| Network Systems Engineer _\|/_ |
| Republic National Bank (o o) |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~oOO-(_)-OOo~~~~~~~~~~~~~~

From firewalls-owner Thu Feb 6 13:35:13 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id KAA00359 for firewalls-outgoing; Thu, 6 Feb 1997 10:24:21 -0800 (PST)
Received: from hcat.epcorp.com (typhoon.epcorp.com [198.30.14.1]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id KAA00276 for ; Thu, 6 Feb 1997 10:23:45 -0800 (PST)
Received: from homepcmcw.eapi.com by hcat.epcorp.com id aa19432; 6 Feb 97 13:11 EST
Message-Id: <3.0.32.19970206131148.006a19b4@hellcat.epcorp.com>
X-Sender: martinw@hellcat.epcorp.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Thu, 06 Feb 1997 13:11:50 -0500
To: contanet@andromeda.tectel.com.mx, firewalls@greatcircle.com
From: "Martin C. Walker"
Subject: hardware requeriment.
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My recommendation, based on experience running FW-1 from Sun on Solaris x86, is NOT TO USE SOLARIS x86 !!!

This is not necessarily because there is anything wrong with x86, but because there are few people in SunService, or it appears in CheckPoint, who know anything about x86. As soon as you mention you're running x86 you get the standard reply "Oh! well I don't really know anything about x86 but...". It also raises add'l questions from the tech support people that can obscure the real issue because their lack of familiarity with it makes them question things (or ignore things) they shouldn't.
Further, if you run into a problem which they need to duplicate, they (SunService) don't have x86 platforms in the lab, and must do it with SPARC. What that really means is that in order to duplicate the problem they use your production systems as a lab.

I'd just recommend you stay away from it; things are much simpler with SPARC platforms.

>Hello. I'm new in the list, and I'd like to talk about
>Solaris Firewall.
>
>
> Which is the recommended hardware for installing this firewall
> over x86 platform?
>
> Processor ??
>
> Memory ?
>
> CPU clock ?
>
> My link is going to be a 128 kbps.
>
> I'm thinking to use a Vectra VE 486/66 of HP.
>
>
> Thanks for your comments.
>
>
>
>Israel Zavalza Bahena
>Contanet.
>
>

--------------------------------------------------------------------------
Martin C. Walker | martinw@epcorp.com | PP-ASEL,IFR AA5-A 9908U
Project Lead | (513)629-2517 | Blue Belt Okinawan Shuri-Ryu
Eagle-Picher Inc. | Fax: (513)629-2449 | Porsche 911SC
580 Walnut St, | |
Cincinnati, OH 45202 | |

From firewalls-owner Thu Feb 6 14:18:59 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id JAA24020 for firewalls-outgoing; Thu, 6 Feb 1997 09:41:23 -0800 (PST)
Received: from chronos.synopsys.com (chronos.synopsys.com [146.225.8.10]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id JAA24000 for ; Thu, 6 Feb 1997 09:41:02 -0800 (PST)
Received: from atropos.synopsys.com by chronos.synopsys.com with SMTP id AA07729 (5.65c/IDA-1.4.4 for ); Thu, 6 Feb 1997 09:39:52 -0800
Received: from flying.synopsys.com (flying.synopsys.com [146.225.72.11]) by atropos.synopsys.com (8.6.9/8.6.9) with ESMTP id JAA00144; Thu, 6 Feb 1997 09:39:50 -0800
From: Habeeb Qadri
Received: by flying