From owner-firewalls-outgoing Tue Jul 1 00:35:16 1997
From: D (Dave) McWilliam
Date: Tue, 01 Jul 1997 02:32:00 -0500
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V6 #307 -Reply

Hi Folks,

I have just joined this mail group and am fascinated and entertained by the chit chat. Unfortunately, my boss expects me to work, so I don't have time to wade through interminable "Did not!" "Did so!" arguments to find the useful technical stuff we newcomers to security really do need. Does anyone know whether there is an adult/professional mail group I could join instead?
Dave

From owner-firewalls-outgoing Tue Jul 1 00:38:58 1997
From: Sergej Rinc
Reply-To: sr@skb.si
Date: Tue, 1 Jul 1997 08:23:18 +0100
To: Firewalls@GreatCircle.COM
Subject: Borderware

Manuel,

> Does anyone have experience with Borderware Firewall?
> If so, how/where would you place it compared to Raptor, Pix and FW-1?

I've suggested replacing the previous DMZ (three routers, two hosts, Indy Web server and BSDI Unix firewall) with Borderware here in our bank. It was a good move and we have no problems with Borderware Firewall Server. I tested three solutions last December: Raptor Eagle for Windows NT, Digital Firewall for Unix (Alta Vista Firewall wasn't on the market at that time) and Border's Borderware Firewall Server. Border's solution excels in (ease of) setup, administration (Java GUI in browser), integrated secured servers (WWW, FTP, SMTP, POP3, Ident, ...), authentication and VLANs/IPSec (though the other two have caught up here recently). Especially superb is the concept of a third subnet called the Secure Server Network (SSN). It is a nice solution for securing usually non- or little-secured servers (WWW). They can reside on the SSN and are protected from the outside world while giving you transparent (no client software changes needed), full service for internal users.
Border's integrated servers are secured, so for example if you want to run CGI scripts you have to run a separate server (and what better place to put it than on the SSN). So Raptor Eagle wasn't good enough because of Web and other servers' (in)security; we've put our Web server on the SSN (likewise the e-commerce server, and soon MS Exchange from the internal network). We use PIX here but just for the purpose of translating local IP addresses so some of our employees can connect to one of the outside stock exchange intranets. We haven't considered using PIX as a main firewall (e.g. authentication for connecting to the internal LAN will be done by authentication cards, which are greatly supported in Borderware). And for FW-1, I don't know the product well but I think Border's is better. BorderWare runs on a secured version of BSDI Unix with secured servers (the mailer is not sendmail but specially secured Z-mailer, etc.) so there are no NT flaws.

> Pete Vickers
> p.s. I appreciate that a single UNIX box could possibly perform the
> function of router/firewall/host but I believe the solution with a
> discrete box for each purpose is more secure, simpler to configure &
> maintains more flexibility.

Well, BorderWare is a fine solution for you, too (runs on a 486/Pentium PC, secured version of BSDI Unix). Actually you don't need a router with BorderWare (you can assign different network IP addresses to two or three NICs) but you'll need a serial interface card in that case (e.g. modem). We use a fast modem on Frame Relay connected to an outside Cisco router, which is then connected to BorderWare. The advantage of a router is obvious since its access lists can block most of the traffic which would otherwise go to BorderWare (PC load!), but it's also fine for example for FTP service.
I allow FTP in the router's access list (so I don't have to graduate there :-) but block it in Borderware, so our site is still secured from FTP (internal users can of course use FTP freely for downloading from the Internet via BorderWare's proxy).

--
Sergej Rinc
system engineer, SKB banka d.d.
http://www.skb.si
mailto:sr@skb.si

From owner-firewalls-outgoing Tue Jul 1 01:07:28 1997
From: DECkedout
Date: Tue, 01 Jul 1997 03:38:10 -0400
To: Joe Pollock
Cc: firewalls@greatcircle.com
Subject: Re: ICQ network

Joe Pollock wrote:
>
> One of my users sent me a spam message concerning the ICQ ("I Seek You")
> Network, which claims to reduce an individual's Net identity to a single
> number, announce to others when the individual is on-line, spawn IRC,
> Internet Phone, email, video, etc. on command ... the list goes on and on.
>
> Here's the URL:
>
> http://www.mirabilis.com
>
> I found the site sadly lacking in technical detail (surprise, surprise
> :-). The package you download is a beta release of a soon-to-be
> commercial application.
>
> Anyone got any hard technical details to supply? I can hardly wait for
> my users to start lobbying for something like this.
>
> Joe Pollock
> The Evergreen State College
> Olympia, WA 98505

I have tried to get technical details from Mirabilis since the user number was in 5 digits... I've followed the development for a long while... Whenever I use it I throw a sniffer/port scanner script on another machine running it; that's the only hard data I have. I've been following the ICQ related posts from this group for months too... But as far as I can tell, the app is a mystery to everyone. I personally would like to learn their custom control protocol simply to write a customized Unix port before it gets patented (which is probably why they haven't released hard facts to the public). Does anyone know anyone from Mirabilis? I have a lot of questions about it.... It definitely raises an eyebrow or two...

-DECkedout

From owner-firewalls-outgoing Tue Jul 1 02:10:30 1997
From: Eric Vyncke
Date: Tue, 01 Jul 1997 10:51:51 +0000
To: Russ, 'Mimi Herrmann'
Cc: 'Firewalls Mailing List'
Subject: RE: question about firewalls on NT

At 09:27 27/06/97 -0400, Russ wrote:
> My #1 would be because you wanted to use the existing NT user database
> to define your rules on your Firewall, saving you the administrative
> overhead
> of having multiple user databases. I would also want it to
> integrate authentication if possible, although my preference would be to
> have everyone using a token first, and then the software authentication
> (i.e. NTLM). I work from the premise that the customer has already
> accepted the (in)security of NTLM and the NT SAM and are satisfied with
> it sufficiently to use it at their Firewall also. One of the reasons
> that many companies have gone with NT is the single-signon abilities
> which they wish to extend to their Firewall also.

Right, using the same database for NT Domain and firewall authentication can be useful. BUT, you can achieve the same effect by using a firewall on Unix or ... which uses Radius or Tacacs to access authentication (and authorization) information based on the NT SAM database.

<...snip...>

-eric

Eric Vyncke
Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke@cisco.com
Mobile: +32-75-312.458

From owner-firewalls-outgoing Tue Jul 1 02:37:04 1997
From: David Harvey-George
Organization: Kimble Consultancy Services Ltd
Date: Tue, 01 Jul 1997 09:52:55 +0100
To: Thomas Leitner
Cc: firewalls@greatcircle.com
Subject: Re: Microsoft plans to offer a firewall

Thomas Leitner wrote:
>
> On Mon, 30 Jun 1997, Vin McLellan wrote:
>
> > Microsoft crowds firewall space
> > Though Microsoft (MSFT) says it doesn't plan to
> > compete with firewall vendors, its plans to add
> > firewall security features to the next version of its
> > Proxy Server
>
> And they think that anybody would trust them and their firewall,
> given the numerous holes in their TCP/IP stack which were revealed in the
> last couple of months?

No, but a lot of folks only hear the marketing hype from M$

David

From owner-firewalls-outgoing Tue Jul 1 04:00:25 1997
From: "M Gillett"
Date: Tue, 1 Jul 1997 10:45:46 +0100 (BST)
To: Firewalls@GreatCircle.COM
Cc: pvickers@adtanz-signal.co.uk
Subject: Re: Firewalls-Digest V6 #307
In-Reply-To: <199706302005.NAA23368@honor.greatcircle.com> from "Firewalls-Digest" at Jun 30, 97 01:05:14 pm

Paul wrote:
> I'm in the middle of implementing Internet connectivity for the company;
> this comprises a CISCO 2500 series router, a DMZ containing a host
> for SMTP / DNS [+ potentially FTP & HTTP], and a CISCO PIX firewall.
> My question is what O/S & H/W to implement the host on? Corporate
> policy is Win NT throughout, but my experience & this mailing list
> suggest otherwise...

My own experience suggests that although you can probably offer a security service on NT, the management overheads will be a little on the high side cf. UNIX.

> I think an appropriate solution would be a version of UNIX. Corporate
> policy & my confidence [probably] preclude free/unsupported [?] versions
> such as Linux.
I am tempted to get a DEC Alpha c/w OSF/1; DEC offer quite a nice AlphaServer set-up to provide WWW/FTP/DNS/SMTP out of the box, which might be good if you have little Unix experience. DEC Unix, or OSF/1 as it used to be known, is in my experience a nice implementation and is relatively easy to secure.

> If at a later
> date NT becomes more stable/dependable I can then change to NT on the
> Alpha. Alternatively I believe Sun sell a version of UNIX to run on an
> Intel platform, which would also permit the change at a later date.
> I would appreciate any comments and/or suggestions on the matter.

Solaris x86 is quite good but its application base is a little limited cf. Solaris Sparc. Again, if you are a pull-the-source-and-build-it-here kind of person this won't be a problem.

On the subject of protecting the host, there are a number of ways of doing that. I would recommend reading much of the material in the firewalls books on securing a platform to operate as a firewall, i.e. take out all the services that you are not providing (esp. R-type and NIS/NFS). Then if you need more, look at things like TIS's Gauntlet Force Field, which appears (from specs and not personal experience) to offer checksumming of all key file areas, detailed logging of all access and 'smoke alarms', i.e. port traps for unsupported services. All of which will be useful in defending your server. Note the usual advice about using SMAP to handle incoming mail and inhibiting zone transfers from the DNS to all but your secondary name servers.

Mark Gillett
Technical Consultant
St. Georges Hospital Medical School

From owner-firewalls-outgoing Tue Jul 1 04:25:41 1997
From: Ziv Dascalu
Date: Tue, 1 Jul 97 13:53:23 +0200
To: Bill Stout, firewalls@GreatCircle.COM
Subject: Re: Network surveillance product?

--- On Mon, 30 Jun 1997 15:45:22 -0700 Bill Stout wrote:
> I have a customer that would like to add all of the security monitoring,
> logging and reporting features of a firewall to a network. This would be
> for commerce web farm or internal network protection purposes.
>
> The device would need to plug in and passively monitor (must not add a
> proxy, and is not in the traffic flow). They would like to see a product
> that monitors connections (by port number), looks for suspicious activity on
> those connections, and maybe flood or otherwise disable the source.
> Basically like a Courtney or NetRanger for networks.
>
> Anyone know of such a box? NFR - Not For Release? Actually this sounds
> like an excellent opportunity for an ex-government contractor Co. to
> contribute.
>
> Bill Stout
>
> P.S. - I predict (application-level) network security monitoring and
> response will eventually supplement network monitoring products.
>

I think that AbirNet SessionWall-3 is what you are looking for, and you can download a 30-day "test drive" version from http://www.abirnet.com

The beauty of SessionWall, in comparison to earlier firewall protection systems, is that it operates at the level of specific application sessions, thus allowing flexibility and control by the user without adding additional network delays. It is designed to provide easy access and control, user transparency, a high level of performance, adaptability and ease-of-use.

SessionWall is a software package that can be easily installed on any Windows (95 or NT) PC that is equipped with a network adapter connected to the company's local area network. It is designed for plug-and-play installation. Once the program is installed, the system operator easily sets the user and server access policies (by a series of rules and actions) and clicks Start to begin the tracing.

SessionWall has the following key features:

Monitoring
SessionWall has the ability to unobtrusively detect a broad range of events such as:
* Users connecting to specific sites
* Users using specific protocols
* Sending or receiving of information that includes specific keywords
* Suspicious network events, e.g. failed login attempts

Alerting and Responding
Alerts can be provided using one or a combination of the following notification methods:
* Sending of an Email message or fax
* Adding an entry to an NT System Log
* Popping a specific message on the SessionWall operator screen
* Invoking a Windows program to create a custom alert

Blocking
SessionWall provides the ability to block specific users from using specific servers, or to block access to defined TCP/IP services including:
* Email
* WEB browsing
* News
* Telnet
* FTP

Reporting
You can generate reports on the status of network traffic by invoking the Reporter application.
A number of different kinds of reports are possible:
* Common reports presenting data on clients per protocol, protocols per client
* Protocol reports presenting data on status of usage of Web, Email, News, FTP and Telnet protocols
* Blocking reports listing overall occurrences by client and by server

Hope this helps

Ziv Dascalu
AbirNet

From owner-firewalls-outgoing Tue Jul 1 04:29:27 1997
From: Russ
Date: Tue, 1 Jul 1997 07:05:00 -0400
To: firewalls@greatcircle.com, 'McLellan, Vin'
Cc: Russ
Subject: RE: Microsoft plans to offer a firewall

All I can say is this;

1. Microsoft says they're gonna put Firewall features into Proxy Server. So Proxy Server is not a Firewall.

2. Microsoft says that the packet filtering in Routing and Remote Access Services for Windows NT is not a Firewall.

Therefore, a proxy isn't a Firewall, and a packet filter isn't a Firewall, so just what do they think a Firewall is?

The marketing blurb would have to read something like... "Microsoft introduces the first non-proxying, non-packet filtering Firewall for Windows NT... it's so transparent that hackers don't have to reconfigure anything in order to get in..."

They seem to have forgotten that the whole is the sum of its parts.

Cheers,
Russ
R.C. Consulting, Inc.
- NT/Internet Security
owner of the NTBugTraq mailing list: http://ntbugtraq.rc.on.ca/index.html

From owner-firewalls-outgoing Tue Jul 1 04:50:42 1997
From: manuel.ricca@pararede.pt
Date: 01 Jul 97 12:43:55 +0000
To: firewalls@GreatCircle.com
Subject: Safeword with Radius - dont read unless you know these products

Hey,

Has anyone out there tried configuring Safeword for asynchronous challenge-response authentication (namely DESGold or MultiSync)?

Scenario is: MAX4000 - Radius Server - Safeword

It doesn't work (Secure Computing guys say it does, so probably a configuration problem, but I don't have the time to wait for their answer...)

I think it's probably some attribute that's missing in the 'users' file for the Radius server. I run 'ident' with success for my users.
However, I get 2 entries in the log file: one that says Passed (before the challenge), and then a Failed (after entering the number returned by the card).

In synchronous mode, it works. (!!!)

Many thanks in advance,
.M

Manuel Ricca (manuel.ricca@pararede.pt)
ParaRede - Tecnologias de Comunicação, S.A.
Tel: +351 1 3020451 Fax: +351 1 3020444

// Be happy - things can always get worse
These are my own opinions and do not reflect those of my employer. My employer thinks I'm working.

From owner-firewalls-outgoing Tue Jul 1 05:03:50 1997
From: Jack Danahy
Date: Tue, 01 Jul 1997 08:01:53 -0400
To: Dave Whitlow
Cc: Bill Stout, firewalls@greatcircle.com
Subject: Re: Network surveillance product?

Dave -

Yuck. Disabling the source isn't nice. Given the fact that the machine is probably a staging point for some parasite, or that the "attack" is actually a misdirected mount request, flooding the site is both ineffective and rude. As the professionals in the area, we need to convince our constituents that communication with other sites, and the filtering of traffic until it can be cleared, are more productive methods of counteracting these intrusions. We've handled a multitude of these, and universally, the offending admin can and will fix the problem.
Occasionally, we even get the added benefit of helping them make their own systems more secure.

Yours for the peaceful conservation of Internet bandwidth and the harmonious resolution of Internet conflict,

Jack

>> The device would need to plug in and passively monitor (must not add a
>> proxy, and is not in the traffic flow). They would like to see a product
>> that monitors connections (by port number), looks for suspicious activity on
>> those connections, and maybe flood or otherwise disable the source.
>> Basically like a Courtney or NetRanger for networks.

Jack Danahy jdanahy@bbn.com
Manager of Engineering (617) 873-4418
Network Security Services
BBN Corporation
"I'm speaking for myself, not for BBN."

From owner-firewalls-outgoing Tue Jul 1 05:18:55 1997
From: "Gabriele Faggioni - Cap Gemini Italia S.p.A."
Date: Tue, 01 Jul 1997 14:14:12 +0200
To: Firewalls@GreatCircle.COM
Subject: Firewall on AIX

I've done some research on firewalls on AIX, but I got very little. I found some FAQ entries at http://www.checkpoint.com/opsec/Partners/memco/faq.html:

- 6. Which versions of FireWall-1 are compatible with SeOS Secured!
- For FireWall-1?
- SeOS Secured! For FireWall-1 is compatible with FireWall-1 version 2.1
- and version 3.0 for Solaris on Sun SPARC and x86.
- SunOS and HP-UX
- versions are currently in Beta testing and will be available soon. IBM AIX
- and Windows NT versions are in development. It will be available until the third quarter of the year.

I've also found the IBM firewall but it seems very poor in its features.

Does someone know other firewalls on AIX?

---------------------------------------------------------------
Gabriele Faggioni
Open Network Services - Security
Cap Gemini Italia S.p.A.
Via Lombroso, 54 MILANO (ITALIA)
http://www.sif.cgs.it
mailto:gfaggion@sif.cgs.it
tel. ++39 2 59924 420
fax. ++39 2 59924 245
---------------------------------------------------------------

From owner-firewalls-outgoing Tue Jul 1 05:33:48 1997
From: Frank Willoughby
Date: Tue, 01 Jul 1997 07:25:14 -0500
To: Vin McLellan
Cc: firewalls@GreatCircle.com
Subject: Re: Microsoft plans to offer a firewall

At 09:31 PM 6/30/97 -0500, Vin McLellan allegedly wrote:

Thanks for the mail, Vin,

8< [snip]

> Though Microsoft (MSFT) says it doesn't plan to
> compete with firewall vendors, its plans to add
> firewall security features to the next version of its
> Proxy Server software could shake up the firewall
> software market.

Yeah, right. Just like M$ didn't *plan* to compete with Novell, Netscape, etc.
M$ doesn't really compete; they simply see what someone else does well (like a market leader), put those functionalities into their own products & then use their marketing muscle to drive their product out the door & competitors into the ground. Personally, I am not at all impressed with M$'s predatory business practices. I think they will keep pushing the limits of what is right & legal to do and will probably get their clock cleaned by the Justice Dept. or the FTC.

Given their predatory practices, I wouldn't be surprised if they were sniffing their own network (MSN) for competitive info, or ideas for new projects. (Nothing legally wrong with that - it *is* their own network). Note: I didn't say they were doing it - I just said I wouldn't be surprised.

> The next version of Proxy Server goes into beta
> testing in July; it will include firewall features
> designed to block intruders on the Internet from
> getting onto a company's internal networks,
> Microsoft officials said. The features could hurt
> sales of firewall software for Windows NT in
> particular, and NT has been the market's hottest
> segment.
>
> The move should come as no surprise, says Rob
> Enderle, an analyst at Giga Information Group. It's
> been clear since Microsoft introduced its first
> version of Proxy Server that it would add firewall
> functions.

I think Rob is 100% correct. IMHO, the Proxy Server was just to test the water to see how the market would respond. As people are expecting M$ to come out with a firewall, I would say that M$ will (once again) change its mind and wade into the market.

> Microsoft's decision could hurt makers of firewall
> software, such as Raptor Systems. In February
> Raptor announced a low-end firewall, called "The
> Wall," targeted at small and mid-sized companies.
> The Centri firewall from Global Internet.Com also
> targets that space; sometime Microsoft ally Cisco
> Systems announced last week it's buying Centri and
> Global Internet.Com's software group.

I see no immediate danger to major firewall vendors from M$. For the most part, they already have a solid reputation on the market & know how to design secure products. M$ doesn't have this reputation yet (and will probably have to do a huge PR campaign to try to restore confidence about their ability to deliver secure products). The new kids on the block will probably fade away when competing with M$.

M$ has two main disadvantages:

o They seem to be deficient in their ability to write secure TCP/IP stacks.

o They seem to have problems in trying to write tight, clean code, an important prerequisite in writing secure applications such as firewalls.

INFOSEC PROGRAMMING DESIGN RULE #1
The larger the size of the code, the greater the probability that the code will contain vulnerabilities which can be exploited.

Another thing. As time passes & NT becomes more prevalent, the hackers will redirect their efforts to NT and will start picking it apart (like they have with other vendors). IMHO, I think it is just a matter of time until we start seeing non-privileged users able to gain privileges by exploiting vulnerabilities in individual programs (buffer overflows, etc). Particularly sensitive are those programs which perform privileged functions on behalf of non-privileged users.

Best Regards,

Frank

The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc.

Fortified Networks, Inc.
- http://www.fortified.com/
Expert (vendor-neutral) Computer and Network Security Consulting
Phone: (317) 573-0800 Fax: (317) 573-0817

From owner-firewalls-outgoing Tue Jul 1 05:48:42 1997
From: Magossányi Árpád
Date: Tue, 1 Jul 1997 13:08:59 +0100
To: dennis f dumont
Cc: firewalls@GreatCircle.COM, Mark Teicher
Subject: Re: Remote management of firewalls internationally
In-Reply-To: <9705308676.AA867699711@ccmgate.national-city.com>

On Mon, 30 Jun 1997, dennis f dumont wrote:
> A suggestion from a close and wise friend asked me to inquire about this:
>
>
> How can one remotely manage firewalls that are on the other side of the world?
> How can it be done? and done safely?
>

I'd do it using a VPN between (part of) the local and the remote network. It means that logically I'm inside the firewall.
--- GNU GPL: only from a clean source

From owner-firewalls-outgoing Tue Jul 1 06:03:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA18354 for firewalls-outgoing; Tue, 1 Jul 1997 04:55:17 -0700 (PDT)
Received: from bbnplanet.com (mail.bbnplanet.com [198.114.157.21]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id EAA18278 for ; Tue, 1 Jul 1997 04:55:02 -0700 (PDT)
Received: from jdana.bbnplanet.com by mail.bbnplanet.com id aa17512; 1 Jul 97 7:57 EDT
Message-Id: <2.2.32.19970701115412.0070578c@mail.bbnplanet.com>
X-Sender: jdanahy@mail.bbnplanet.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 01 Jul 1997 07:54:12 -0400
To: Ken Hardy
From: Jack Danahy
Subject: Re: Remote management of firewalls internationally
Cc: Alan , Mark Teicher , firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

K -

I've stumbled through the encryption regulations in a couple of lives, and my experience has been:

Two things:

1) If you are a US-owned multinational, you can have encryption, limited to 56 bits, on your machine, so long as no one outside your company has access to the facilities of that machine. Also, no one outside your company can have physical access to the machine, such as local outsourced system support personnel. If you are performing all of your key management from the US, that may, as well, mitigate difficulties. Check with your beagles about specifics for your situation.

2) Your Frankfurt office may prove particularly thorny, however, as there exist German regulations prohibiting any type of employee monitoring which can be used as a performance metric. Since most of the walls generate user/usage stats, be aware. YMMV.

I have no idea on the China encryption front.
Jack

At 11:41 PM 6/30/97 -0500, Ken Hardy wrote:
>On Mon, 30 Jun 1997, Alan wrote:
>> > How can one remotely manage firewalls that are on the other side of the world?
>...
>> If you have SSH or some other form of encryption/authentication between
>> machines, then you should be able to maintain the firewall without too
>> many problems. (Some sort of token-based authorization system or Public
>> Key system would be a big plus and/or requirement in such a system.)
>
>But it might be difficult to get SSH or other form of encryption on
>that machine on the other side of the world if your side happens to lie
>in the U.S.
>
>Not to start a wandering and unrelated thread (hint hint), but I've
>wondered how the law would apply if I were to log in to a machine in,
>say, our company's Frankfurt office via the corporate WAN and built and
>installed SSH on that machine while sitting in our U.S. office. Would
>my work in doing the installation be considered exporting the encryption
>in some manner, even if the software didn't get on the machine from or
>through the U.S.? Of course, it reasons (if that word can be applied
>to U.S. encryption policy) that I'd be on much shakier ground if the
>SSH code from a site in Finland or Australia got on the German machine
>via the company's Internet connection in the U.S.
>
>On a tenuously related note, does anyone know whether China's ban on
>the use of encryption now extends to Hong Kong?
>
>--
>K

----------------------------------------------------------------------
Jack Danahy                     jdanahy@bbn.com
Manager of Engineering          Tel: (617) 873-4418
BBN Corporation                 Fax: (617) 873-6846

From owner-firewalls-outgoing Tue Jul 1 06:35:09 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA29087 for firewalls-outgoing; Tue, 1 Jul 1997 06:02:57 -0700 (PDT)
Received: from punt-1.mail.demon.net (relay-13.mail.demon.net [194.217.242.137]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA29025 for ; Tue, 1 Jul 1997 06:02:45 -0700 (PDT)
Received: from [194.202.103.133] ([194.202.103.133]) by punt-1.mail.demon.net id aa1308805; 1 Jul 97 13:45 BST
Message-ID: <33B8FBFC.7972@threewiz.demon.co.uk>
Date: Tue, 01 Jul 1997 13:45:48 +0100
From: David Harvey-George
Organization: Kimble Consultancy Services Ltd
X-Mailer: Mozilla 3.0Gold (WinNT; I)
MIME-Version: 1.0
To: Russ
CC: "firewalls@greatcircle.com"
Subject: Re: Microsoft plans to offer a firewall
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Russ wrote:
>
> All I can say is this;
> 2. Microsoft says that the packet filtering in Routing and Remote Access
> Services for Windows NT is not a Firewall.
>
> Therefore, a proxy isn't a Firewall, and a packet filter isn't a
> Firewall, so just what do they think a Firewall is?
>

Unless they fixed things in MPR (aka Steelhead) v1.0 the packet filter can't be used to build a firewall. You can't filter on flags or address ranges. So I guess M$ is right, it's not a firewall. Although like you I wonder what it actually is?
David

From owner-firewalls-outgoing Tue Jul 1 07:07:21 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA03542 for firewalls-outgoing; Tue, 1 Jul 1997 06:23:26 -0700 (PDT)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA03522 for ; Tue, 1 Jul 1997 06:23:17 -0700 (PDT)
Received: (qmail 20446 invoked from smtpd); 1 Jul 1997 13:25:45 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 1 Jul 1997 13:25:45 -0000
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id IAA03042; Tue, 1 Jul 1997 08:25:45 -0500
Received: by sonic.nmti.com; id AA13948; Tue, 1 Jul 1997 08:26:34 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9707011326.AA13948@sonic.nmti.com.nmti.com>
Subject: Re: Microsoft plans to offer a firewall
To: vin@shore.net (Vin McLellan)
Date: Tue, 1 Jul 1997 08:26:34 -0500 (CDT)
Cc: firewalls@greatcircle.com, Russ.Cooper@RC.ON.CA
In-Reply-To: from "Vin McLellan" at Jun 30, 97 09:31:25 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Though Microsoft (MSFT) says it doesn't plan to
> compete with firewall vendors, its plans to add
> firewall security features to the next version of its
> Proxy Server software could shake up the firewall
> software market.

Oh boy, I'm sure there are some black hats just sharpening their knives and fire(wall)-axes waiting for this new challenge to go up. Cracking Microsoft. That's gotta be a popular game by now.
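David Harvey-George's remark above about the MPR v1.0 packet filter (no matching on TCP flags or on address ranges) is the crux of why such a filter cannot be turned into a firewall: without those two predicates you cannot express "only replies to connections we opened" or "our own addresses must never arrive on the outside interface". The following is an added example, not code from the thread or from any vendor: a small first-match stateless filter in Python whose rules carry CIDR ranges, an arrival interface and required/forbidden TCP flag bits. The rule set, the 192.0.2.0/24 internal network and the 198.51.100.0/24 outside host are constructed (RFC 5737 documentation ranges).

```python
"""Stateless packet filter with CIDR ranges and TCP-flag matching (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# TCP flag bits as laid out in the TCP header's flags byte
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrived on: "ext" or "int"
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: int = 0        # TCP flags byte; 0 for non-TCP traffic


@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    iface: Optional[str] = None        # None matches any interface
    src: str = "0.0.0.0/0"             # CIDR range; default matches everything
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None        # None matches any protocol
    dport: Optional[int] = None        # None matches any destination port
    flags_set: int = 0                 # every bit here must be set (TCP only)
    flags_clear: int = 0               # no bit here may be set (TCP only)

    def __post_init__(self) -> None:
        self.src_net = ipaddress.ip_network(self.src, strict=False)
        self.dst_net = ipaddress.ip_network(self.dst, strict=False)

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and self.iface != p.iface:
            return False
        if ipaddress.ip_address(p.src) not in self.src_net:
            return False
        if ipaddress.ip_address(p.dst) not in self.dst_net:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if p.proto == "tcp":
            if (p.flags & self.flags_set) != self.flags_set:
                return False
            if p.flags & self.flags_clear:
                return False
        return True


def evaluate(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched falls through to the default action."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


INTERNAL = "192.0.2.0/24"        # constructed internal network
WEB_SERVER = "192.0.2.80/32"     # constructed: the one host published to the outside

RULES = [
    # anti-spoofing: internal source addresses must never arrive on the external interface
    Rule("deny", iface="ext", src=INTERNAL),
    # internal hosts may open TCP connections outbound
    Rule("permit", iface="int", src=INTERNAL, proto="tcp"),
    # new inbound connections (SYN without ACK) only to the web server, port 80
    Rule("permit", iface="ext", dst=WEB_SERVER, proto="tcp", dport=80,
         flags_set=SYN, flags_clear=ACK),
    # replies to connections opened from inside: anything inbound with ACK set
    Rule("permit", iface="ext", dst=INTERNAL, proto="tcp", flags_set=ACK),
    # everything else is caught by the default deny in evaluate()
]

if __name__ == "__main__":
    samples = [
        Packet("ext", "198.51.100.7", "192.0.2.10", "tcp", 40000, 23, SYN),         # inbound telnet
        Packet("ext", "198.51.100.7", "192.0.2.80", "tcp", 40000, 80, SYN),         # inbound web
        Packet("ext", "198.51.100.7", "192.0.2.10", "tcp", 80, 40000, SYN | ACK),   # reply to us
        Packet("ext", "192.0.2.5", "192.0.2.10", "tcp", 1, 2, SYN),                 # spoofed source
        Packet("int", "192.0.2.10", "198.51.100.7", "tcp", 40000, 80, SYN),         # outbound web
    ]
    for pkt in samples:
        print(f"{pkt.iface:3} {pkt.src:>14} -> {pkt.dst:<12} {pkt.proto} flags={pkt.flags:#04x}: "
              f"{evaluate(RULES, pkt)}")
```

The fourth rule is deliberately the weak point of a stateless design: any inbound packet with ACK set is admitted, whether or not a connection exists, because the filter keeps no connection table. That is exactly the gap stateful inspection closes, and it is why the two missing predicates are the minimum, not the whole story.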
From owner-firewalls-outgoing Tue Jul 1 07:35:02 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA09777 for firewalls-outgoing; Tue, 1 Jul 1997 06:53:23 -0700 (PDT)
Received: from home.byelex.nl (home.byelex.nl [195.109.44.130]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA09570 for ; Tue, 1 Jul 1997 06:52:28 -0700 (PDT)
Received: (from cowboy@localhost) by home.byelex.nl (8.8.5/8.8.5) id PAA20791; Tue, 1 Jul 1997 15:54:02 +0200
Date: Tue, 1 Jul 1997 15:54:01 +0200 (MET DST)
From: Kevin McPeake
To: Russ
cc: "firewalls@greatcircle.com"
Subject: My faith is restored (was: RE: Microsoft plans to offer a firewall)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 1 Jul 1997, Russ wrote:

> All I can say is this;
> [snip]
> The marketing blurb would have to read something like..."Microsoft
> introduces the first non-proxying, non-packet filtering, Firewall for
> Windows NT...it's so transparent that hackers don't have to reconfigure
> anything in order to get in..."
>
> They seemed to have forgotten that the whole is the sum of its parts.
>

Just when I think Russ has lost all sense of humour, he goes off and does this. My faith has been restored Russ. :)

Kev

Kevin McPeake          cowboy@orbital.byelex.nl
Internet Consultant    http://cowboy.byelex.nl/
<< You know something's up when your Thought process is idle.
>>
USER       PID %CPU %MEM   VSZ  RSS TTY   S STARTED   TIME    COMMAND
cowboy   28365  0.0  0.2 2.84M 264K ttyp1 S 12:57:12  0:00.02 Thought

From owner-firewalls-outgoing Tue Jul 1 07:50:20 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA16664 for firewalls-outgoing; Tue, 1 Jul 1997 07:39:07 -0700 (PDT)
Received: from jefferson.mcn.net (jefferson.mcn.net [204.212.170.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA16657 for ; Tue, 1 Jul 1997 07:39:01 -0700 (PDT)
Received: from recon.mcn.net (blpm01-253.mcn.net [204.212.170.253]) by jefferson.mcn.net (8.8.5/8.8.5) with ESMTP id IAA29924; Tue, 1 Jul 1997 08:41:31 -0600 (MDT)
Message-ID: <33B915BF.61933A64@mcn.net>
Date: Tue, 01 Jul 1997 08:35:43 -0600
From: "Z.W.H."
X-Mailer: Mozilla 4.0 [en] (Win95; I)
MIME-Version: 1.0
To: "D (Dave) McWilliam"
CC: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V6 #307 -Reply
X-Priority: 3 (Normal)
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Consider the "chit chat" on the list as sign posts to physical realities. Say, a road map with a personality of sorts. We travelers on the computer security journey can heed, or ignore the sign posts. The journey itself however is ours alone and we must plan our trip and do our own study, and make our own "wrong turns" along the way to our secure destination....

Personally, I prefer taking the time to read the signposts as ultimately they reduce the amount of "wrong turns" we travelers may take, thereby increasing overall productivity both for the individual, and the "boss"...

Z. Wade Hampton
SlamDunk Enterprises, Inc.
Billings, Montana US

D (Dave) McWilliam wrote:
> Hi Folks,
> I have just joined this mail group and am fascinated and
> entertained by the chit chat. Unfortunately, my boss expects me to
> work
> so I don't have time to wade through interminable "Did not!" "Did so!"
> arguments to find the useful technical stuff we newcomers to security
> really do need. Does anyone know whether there is an adult/professional
> mail group I could join instead?
> Dave

From owner-firewalls-outgoing Tue Jul 1 08:05:27 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA03609 for firewalls-outgoing; Tue, 1 Jul 1997 06:23:54 -0700 (PDT)
Received: from ibmmail.COM (ibmmail.com [204.146.168.193]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA03602 for ; Tue, 1 Jul 1997 06:23:47 -0700 (PDT)
From: uskanbye@ibmmail.com
Message-Id: <199707011323.GAA03602@honor.greatcircle.com>
Received: from ibmmail by ibmmail.COM (IBM VM SMTP V2R3) with BSMTP id 2291; Tue, 01 Jul 97 09:26:20 EDT
Date: Tue, 01 Jul 1997 09:26:15 EDT
To: firewalls@GreatCircle.COM
X-Sender-Info: Mitchell Ummel CSP CCP EMAIL:mummel@kdhe.state.ks.us Office of Information Systems, Tech Services Section
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: MTU Path Discovery w/proxy-based firewalls
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Looking for any assistance/insight regarding the following environment:

Internet <-> Eagle Raptor NT 4.0 <-> 16Mb TR's <-> T1 <-> 4Mb TR's

Our symptoms include intermittent HTTP "partial page loads" for users on the 4Mb Token Ring networks. All proxy services working fine for staff on the 16Mb TR's.

Sniffer traces show that packets are coming in through the firewall with MTU (max transfer unit) = 4500 and the "df" (don't fragment) bit set ON. The Token Ring interfaces MTU are all set at 4500. The CISCO has default MTU of 1500 for the serial T1 link, and thus (according to RFC 1191), the router is to send an ICMP message back to the source server, that in effect, requests a resend of the data with a smaller MTU.
Sniffer shows the ICMP is generated at the router, and passes through the firewall, but no response is ever received from the server on the Internet.

Any clues as to what's going on here? Any other Raptor NT 4.0 users (or other proxy-based firewalls) with similar environment?

Thanks in advance for all input....

--------KANSAS DEPARTMENT OF HEALTH & ENVIRONMENT---------
---------------WWW.STATE.KS.US/PUBLIC/KDHE----------------
--------------Landon State Office Building----------------
------------------Phone (913) 296-5643--------------------

From owner-firewalls-outgoing Tue Jul 1 08:29:54 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA08760 for firewalls-outgoing; Tue, 1 Jul 1997 06:48:23 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA07363 for ; Tue, 1 Jul 1997 06:42:47 -0700 (PDT)
Received: from home.byelex.nl (home.byelex.nl [195.109.44.130]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id GAA15154 for ; Tue, 1 Jul 1997 06:19:11 -0700 (PDT)
Received: (from cowboy@localhost) by home.byelex.nl (8.8.5/8.8.5) id PAA20653; Tue, 1 Jul 1997 15:15:58 +0200
Date: Tue, 1 Jul 1997 15:15:57 +0200 (MET DST)
From: Kevin McPeake
To: Michael Cunningham
cc: Pete Vickers , "'FIREWALLS@GreatCircle.COM'"
Subject: Re: flavours of unix
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 30 Jun 1997, Michael Cunningham wrote:

>
> I'm in the middle of implementing Internet connectivity for the company, this comprises a
> CISCO 2500 series router, a DMZ containing a host for SMTP / DNS [+ potentially FTP & HTTP],
> and a CISCO PIX firewall. My question is what O/S & H/W to implement the
[intelligent question snipped]
> IMHO, there are several good versions of unix that run on Intel arch.
> BSDI is an excellent choice. (we all know the networking code is good:)
> Solaris x86 is also very good as well. Both are quite robust operating
[intelligent response snipped]

I would second this.....but in a way that seeks to get the job done. We were long time an NT only house, but 8 months ago, began to look at other solutions (we are a software developer). Today, we employ Linux, Solaris for Intel and NT. If I had my way, I'd run everything on Linux, but some of the SW we run is Solaris only or NT only or Solaris & NT, but not Linux.

To argue with your managers better, I would give you this advice: It's a mix match (what we have ourselves), and some would say it's more inefficient to have multiple systems, but our experience has already shown us, that when we opened ourselves to more platforms, our own company growth has tripled, because customers have different needs, and ours may not be theirs.

As far as what I would suggest for a firewall, I would definitely say use some form of Unix, but don't stop there. Educate yourself on Unix....get to know it like the back of your hand (even if you stick your FW on NT, you should do this about NT). Get to understand tcp/ip routing & protocols. Read all the docs you can get your hands on. Ask reasonable questions on here (don't be afraid to ask....just think out your questions first). Remember, Ignorance is no excuse. No cracker out there is gonna say "hey, this guy just didn't know better, so let's leave him alone". This is one game where your homework REALLY COUNTS.

Kev

Kevin McPeake          cowboy@orbital.byelex.nl
Internet Consultant    http://cowboy.byelex.nl/
<< You know something's up when your Thought process is idle.
>>
USER       PID %CPU %MEM   VSZ  RSS TTY   S STARTED   TIME    COMMAND
cowboy   28365  0.0  0.2 2.84M 264K ttyp1 S 12:57:12  0:00.02 Thought

From owner-firewalls-outgoing Tue Jul 1 08:36:05 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA20360 for firewalls-outgoing; Tue, 1 Jul 1997 08:29:48 -0700 (PDT)
Received: from ladyred.rsoc.rockwell.com ([161.40.253.21]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA20345 for ; Tue, 1 Jul 1997 08:29:42 -0700 (PDT)
Received: from localhost (morrison@localhost) by ladyred.rsoc.rockwell.com (8.7.5/8.7.3) with SMTP id KAA04042; Tue, 1 Jul 1997 10:27:08 -0600
Date: Tue, 1 Jul 1997 10:27:08 -0600 (MDT)
From: "This guy here at this system..."
To: proff@suburbia.net
cc: firewalls@GreatCircle.COM
Subject: Re: TIS funding
In-Reply-To: <19970630150413.20749.qmail@suburbia.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 1 Jul 1997 proff@suburbia.net wrote:

...[ mad ravings snipped ]...

> Awww. Come now Jody.

Um. Do all of us have to be present for this discussion? It seems as if each of you DO have each other's personal addresses... No need for a public demonstration, is there?
.ps play nice
.jam

From owner-firewalls-outgoing Tue Jul 1 08:49:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA20535 for firewalls-outgoing; Tue, 1 Jul 1997 08:33:30 -0700 (PDT)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA20506 for ; Tue, 1 Jul 1997 08:33:20 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id LAA18327; Tue, 1 Jul 1997 11:32:25 -0400 (EDT)
From: Adam Shostack
Message-Id: <199707011532.LAA18327@homeport.org>
Subject: Re: Remote management of firewalls internationally
In-Reply-To: <2.2.32.19970701115412.0070578c@mail.bbnplanet.com> from Jack Danahy at "Jul 1, 97 07:54:12 am"
To: jdanahy@bbn.com (Jack Danahy)
Date: Tue, 1 Jul 1997 11:32:25 -0400 (EDT)
Cc: ken@bridge.com, alano@teleport.com, mht@clark.net, firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jack Danahy wrote:
| 2) Your Frankfurt office may prove particularly
| thorny, however, as there exist German regulations
| prohibiting any type of employee monitoring which
| can be used as a performance metric. Since most
| of the walls generate user/usage stats, be aware.
| YMMV.
|
| I have no idea on the China encryption front.

http://cwis.kub.nl/~frw/people/koops/cls2.htm#ch

(This is part of Bert-Jaap Koops' excellent Crypto Law Survey, available at http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm)

Adam

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From owner-firewalls-outgoing Tue Jul 1 09:00:21 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA14540 for firewalls-outgoing; Tue, 1 Jul 1997 07:15:32 -0700 (PDT)
Received: from coyote.tech.telepac.pt (bdshack.telepac.pt [194.65.3.124]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA14508 for ; Tue, 1 Jul 1997 07:15:17 -0700 (PDT)
Received: from torquemada ([194.65.3.123]) by coyote.tech.telepac.pt (8.8.5/8.8.5) with ESMTP id PAA00051; Tue, 1 Jul 1997 15:12:34 GMT
Message-ID: <33B9115E.D228CC98@tech.telepac.pt>
Date: Tue, 01 Jul 1997 15:17:02 +0100
From: Joao Brazao Ferreira
X-Mailer: Mozilla 4.01 [en] (WinNT; I)
MIME-Version: 1.0
To: Ken Hardy
CC: Alan , Mark Teicher , firewalls@GreatCircle.COM
Subject: Re: Remote management of firewalls internationally
X-Priority: 3 (Normal)
References:
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms1D895A3463E2D1F778FCD039"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ken Hardy wrote:
> But it might be difficult to get SSH or other form of encryption on
> that machine on the other side of the world if your side happens to
> lie
> in the U.S.
>

Well, and why not Web administration? U.S. has agreed on exportation of Netscape and Microsoft web servers with 128 bit keys. Just wait for some vendor provided forms to manage the firewall.
Regards,
Joao Ferreira

Joao Brazao Ferreira
Programmer, Telepac, SA
Rua Dr Antonio Loureiro Borges, 1, Miraflores, Alges, 1495, Portugal
email: jbf@tech.telepac.pt
tel (work): +351-1-7907366   fax: +351-1-7907001

From owner-firewalls-outgoing Tue Jul 1 09:18:52 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA21771 for firewalls-outgoing; Tue, 1 Jul 1997 08:56:40 -0700 (PDT)
Received: from mailhub1.experian.com (mailhub1.experian.com [167.107.229.201]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA21763 for ; Tue, 1 Jul 1997 08:56:29 -0700 (PDT)
Received: (from uucp@localhost) by mailhub1.experian.com (8.8.5/8.8.5) id IAA07055; Tue, 1 Jul 1997 08:56:24 -0700 (PDT)
Received: from mailsrv1.experian.com(192.45.133.1) by mailhub1 via smap (V1.3) id sma007046; Tue Jul 1 08:56:06 1997
Received: from gmills.ora.experian.com by mailsrv1.
    (SMI-8.6/SMI-SVR4) id IAA13393; Tue, 1 Jul 1997 08:59:07 -0700
Message-ID: <33B92725.76F5@experian.com>
Date: Tue, 01 Jul 1997 08:49:57 -0700
From: Gary Mills
Reply-To: gary.mills@experian.com
Organization: Experian, Network Services
X-Mailer: Mozilla 3.0Gold (Win95; I)
MIME-Version: 1.0
To: Hassan Karim
CC: manuel.ricca@pararede.pt, firewalls@GreatCircle.COM
Subject: Re: Borderware
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I had a thought on Firewall comparisons. When someone does a comparison it would be nice to see a comparison on the support of a product as well as bug reports. Is there something posted somewhere on how a vendor supports a product?

Gary Mills
Experian
"These are my own opinions and do not reflect those of my employer."

Hassan Karim wrote:
>
> I did a comparative evaluation/installation of Borderware, FW-1 and IBM's
> SNG and found
> that Borderware is probably only suitable for a small network that
> doesn't change very often. It is not really easy to configure at all. 1st
> of all you can not configure it on the console... i.e. configuration must
> be done remotely. The Java interface is very clunky compared to SNG's. And
> if you can't get the browser to work then the only way you can configure it
> is by ftp'ng the config files from the Firewall... then make your changes
> and then ftp them back to the firewall machine (hope there aren't any
> mistakes or gotchas in the config files). BTW when I say remote I mean
> either via https or ftp NOT telnet or ssh. Also... hope you have a vendor
> that has in house in-depth expertise so that if you run into snags you can
> get some help otherwise you'll be short because the manuals aren't all
> that great.
>
> Plus since it only uses non-transparent proxy one would have to add users
> for everyone that needed to leave the network
>
> Granted...
> I think security wise, although I couldn't get it to log
> everything (probably user error), it is pretty tight.
>
> For the brave at heart, SNG seems to be a magnificent product. However, I
> think there is an unnecessary layer of complexity when creating rules.
> Firewall-1 is simple and straight forward. Although FW1's management
> console hosed my local X session every time... the product overall is
> tight!
>
> Hope this helps...
> Peace,
> Hassan
>
> On Mon, 30 Jun 1997
> manuel.ricca@pararede.pt wrote:
>
> > Does anyone have experience with Borderware Firewall?
> > If so, where would you place it comparing to Raptor, Pix and FW-1?
> >
> > TIA,
> > .M
> >
> > Manuel Ricca (manuel.ricca@pararede.pt)
> > ParaRede - Tecnologias de Comunicao, S.A.
> > Tel: +351 1 3020451
> > Fax: +351 1 3020444
> >
> > // Be happy - things can always get worse
> >
> > These are my own opinions and do not reflect those of my employer.
> > My employer thinks I'm working.
>

From owner-firewalls-outgoing Tue Jul 1 10:53:37 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA01941 for firewalls-outgoing; Tue, 1 Jul 1997 10:35:59 -0700 (PDT)
Received: from mgmtsolutions.com (fw.mgmtsolutions.com [206.14.13.66]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA01769 for ; Tue, 1 Jul 1997 10:35:21 -0700 (PDT)
Received: from ixo.mgmtsolutions.com (win2-120.mgmtsolutions.com [192.168.2.120]) by mgmtsolutions.com (8.8.5/8.7.5) with SMTP id KAA05742 for ; Tue, 1 Jul 1997 10:27:57 -0700
Message-Id: <3.0.1.32.19970701105236.0069bacc@192.168.2.254>
X-Sender: iano@192.168.2.254
X-Mailer: Windows Eudora Light Version 3.0.1 (32)
Date: Tue, 01 Jul 1997 10:52:36 -0700
To: firewalls@GreatCircle.COM
From: "Ian O'leary"
Subject: opportunity
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi there,

I am a technical consultant with a client who is looking for a
network security consultant for a 3 to 6 month contract to do Gauntlet firewall configurations in a cisco hardware environment. The company is based out of Menlo Park, California (415 area code, 25 miles south of San Francisco). Does anyone know any good websites where I might find consultants or consulting firms advertising their services?

Thanking you in advance for any information that you may have,

Ian O'Leary.
MSI Consulting, 408-2926650x169.

From owner-firewalls-outgoing Tue Jul 1 11:33:16 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA29995 for firewalls-outgoing; Tue, 1 Jul 1997 10:25:32 -0700 (PDT)
Received: from wizard.infovia.com.gt (wizard.infovia.com.gt [168.234.135.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA29896 for ; Tue, 1 Jul 1997 10:25:01 -0700 (PDT)
Received: (from flopez@localhost) by wizard.infovia.com.gt (8.8.6/8.6.9) id LAA06978; Tue, 1 Jul 1997 11:21:17 -0500
Date: Tue, 1 Jul 1997 11:21:17 -0500 (CDT)
From: Juan Francisco Lopez
To: firewalls@GreatCircle.COM
Subject: securing SMTP/POP host
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello everyone!

I am currently setting up an SMTP/POP host (installing SMTP ver. 8.8.6 and Qualcomm popper ver. 2.3) on a Linux box (slackware ver. 2.0.18). At this point both are set up and working but I'm afraid there are things that need to be taken care of for security reasons. I read a couple of weeks ago a mail that stated that commands such as EXPN and VRFY should be disabled. Do I need to disable those commands (and some others maybe?) by commenting out their source code from the file srvrsmtp.c? Is there another place I need to disable these features?

Thanks a lot in advance for any help.
Francisco Lopez IIDS - Infovia Guatemala, CA From owner-firewalls-outgoing Tue Jul 1 12:02:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA05925 for firewalls-outgoing; Tue, 1 Jul 1997 11:11:57 -0700 (PDT) Received: from polaris.pacificnet.net (polaris.pacificnet.net [207.171.0.250]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA05905 for ; Tue, 1 Jul 1997 11:11:49 -0700 (PDT) Received: from default (pm14-26.pacificnet.net [207.171.10.59]) by polaris.pacificnet.net (8.8.5/8.8.5) with SMTP id LAA08842; Tue, 1 Jul 1997 11:05:14 -0700 (PDT) Message-ID: <33B94A85.555E@shell.pacificnet.net> Date: Tue, 01 Jul 1997 11:20:53 -0700 From: osiris Reply-To: osiris@shell.pacificnet.net X-Mailer: Mozilla 3.01 (Win95; I) MIME-Version: 1.0 To: Vin McLellan CC: firewalls@GreatCircle.COM Subject: Re: Microsoft plans to offer a firewall References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk A company that cannot make even the simplest implementations of IP secure are going to be offering a firewall. Now I've heard everything. Is this actually confirmed? 
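On Francisco Lopez's question above about EXPN and VRFY: the script below is an added example written for this digest, not code from any poster. In sendmail 8.8 the two commands are switched off in sendmail.cf with `O PrivacyOptions=authwarnings,noexpn,novrfy` (or the catch-all `goaway`); no edit to srvrsmtp.c is needed. What the config line does not tell you is whether the running daemon actually honours it, so the check connects to the MTA and records how it answers a VRFY and an EXPN for a local name: a 250 reply means the server still confirms or expands addresses, while sendmail's hardened replies are 252 for VRFY and 502 for EXPN. The host name `mail.example.test`, the probe name `root` and the stand-in loopback MTA that lets the script run offline are all constructed for the example.

```python
"""Verify that an MTA refuses VRFY and EXPN (added example, see lead-in)."""
import smtplib
import socketserver
import threading


def check_smtp_privacy(host, port, probe="root"):
    """Issue VRFY and EXPN for a local name and report what the MTA does.

    A 250 reply confirms (or expands) the address, i.e. the command is live.
    sendmail with novrfy answers 252 ('Cannot VRFY user'); with noexpn it
    answers 502.  Anything other than 250 is treated as 'disabled'.
    """
    with smtplib.SMTP(host, port, local_hostname="audit.example.test",
                      timeout=5) as smtp:
        vrfy_code, _vrfy_msg = smtp.verify(probe)
        expn_code, _expn_msg = smtp.expn(probe)
    return {
        "vrfy_code": vrfy_code,
        "expn_code": expn_code,
        "vrfy_disabled": vrfy_code != 250,
        "expn_disabled": expn_code != 250,
    }


# ---- constructed stand-in MTA so the check can run offline ---------------
# It imitates the two sendmail behaviours relevant here: hardened
# (PrivacyOptions=goaway) and the default, which answers 250 with the
# resolved address and so discloses valid local accounts and alias members.
class _FakeMTAHandler(socketserver.StreamRequestHandler):
    def handle(self):
        hardened = self.server.hardened
        self.wfile.write(b"220 mail.example.test ESMTP (constructed test MTA)\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            parts = line.split()
            verb = parts[0].upper() if parts else b""
            if verb in (b"HELO", b"EHLO"):
                self.wfile.write(b"250 mail.example.test\r\n")
            elif verb == b"VRFY":
                self.wfile.write(
                    b"252 Cannot VRFY user; try RCPT to attempt delivery\r\n"
                    if hardened else b"250 <root@mail.example.test>\r\n")
            elif verb == b"EXPN":
                self.wfile.write(
                    b"502 Sorry, we do not allow this operation\r\n"
                    if hardened else b"250 <postmaster@mail.example.test>\r\n")
            elif verb == b"QUIT":
                self.wfile.write(b"221 mail.example.test closing connection\r\n")
                return
            else:
                self.wfile.write(b"500 Command unrecognized\r\n")


class _FakeMTA(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, hardened):
        super().__init__(("127.0.0.1", 0), _FakeMTAHandler)
        self.hardened = hardened


def start_fake_mta(hardened=True):
    """Start the stand-in MTA on a free loopback port; returns (server, port)."""
    server = _FakeMTA(hardened)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def audit_fake_mta(hardened):
    """Run the check against a stand-in MTA and tear it down again."""
    server, port = start_fake_mta(hardened)
    try:
        return check_smtp_privacy("127.0.0.1", port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # Against a real host: check_smtp_privacy("your.mta.example", 25)
    for mode in (True, False):
        print("hardened" if mode else "default ", audit_fake_mta(mode))
```

Run it against your own MTA with `check_smtp_privacy(host, 25)` after restarting sendmail; if either flag comes back `False` the PrivacyOptions line is not in effect (wrong sendmail.cf, or the daemon was not restarted). The stand-in server exists only so the logic can be exercised without a network.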
From owner-firewalls-outgoing Tue Jul 1 12:34:50 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA10574 for firewalls-outgoing; Tue, 1 Jul 1997 12:25:26 -0700 (PDT)
Received: from muuri.ssh.fi (ssh.fi [194.100.44.97]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA10558 for ; Tue, 1 Jul 1997 12:24:59 -0700 (PDT)
Received: from pilari.ssh.fi (pilari.ssh.fi [192.168.2.1]) by muuri.ssh.fi (8.8.6/8.8.6/EPIPE-1.10) with ESMTP id WAA01156; Tue, 1 Jul 1997 22:27:05 +0300 (EET DST)
Received: from morden.sandelman.ottawa.on.ca (morden.ssh.fi [192.168.2.101]) by pilari.ssh.fi (8.8.6/8.8.6/EPIPE-1.9) with ESMTP id WAA25841; Tue, 1 Jul 1997 22:27:04 +0300 (EET DST)
Received: from morden.sandelman.ottawa.on.ca (localhost [127.0.0.1]) by morden.sandelman.ottawa.on.ca (8.7.5/8.7.3) with ESMTP id WAA09289; Tue, 1 Jul 1997 22:28:32 +0300 (EET DST)
Message-Id: <199707011928.WAA09289@morden.sandelman.ottawa.on.ca>
To: firewalls@greatcircle.com
cc: mer@world.evansville.net
Subject: Re: Stronger authentication for inbound HTTP
X-URL: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/
Date: Tue, 01 Jul 1997 22:28:29 +0300
From: Michael Richardson
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

Marc> Subject: Stronger authentication for inbound HTTP
Marc> I understand that one-time passwords don't work for inbound
Marc> Web traffic due to the nature of the HTTP protocol. Do any
Marc> firewall vendors support anything stronger than basic
Marc> password authentication for inbound HTTP traffic? With the

Yes/no. There are ways to do a bit better than one time passwords. BlackHole (now called SecurIt Firewall or some such) allows this kind of thing. Essentially, the user is only challenged the first time (in protocol, using HTML forms from the firewall rather than HTTP headers), and then gets a configurable number of minutes of access.

My recommendation is to put a third interface on the firewall ("a service network"), put the web server on that network, and use something like rsync over ssh to populate that web server from an internal master copy. If you then need SQL access or something, then you should probably be replicating your databases as well.

Marc> One of our clients needs outside sales people to be able to
Marc> access the company intranet securely to place orders, check
Marc> inventory, status, etc., and the client is concerned about
Marc> relying on simple password authentication.

I built such a system for a customer. It was done on NT web servers, and took two months. A Unix solution would be faster though. Identical problem though.

Marc> I'd love to see support for something like
Marc> SecureNet-every-hour or SecureNet-every-day AND firewall- or
Marc> webserver-based password authentication. Coupled with
Marc> browser-based SSL encryption, this seems like a solid way to

Well, if you want SSL, then the firewall can't do any authentication or auditing because the traffic is encrypted. You can make the firewall the endpoint for the SSL, but no current SSL "proxies" do this yet.

Marc> allow travellers to do intranet work. Ideally the
Marc> SecureNet-every-so-often feature would optionally require
Marc> authentication for each outside IP address so as to reduce
Marc> the ability of attackers who have learned the user's gateway
Marc> password (perhaps via shoulder-surfing) to get in while the
Marc> user is in legitimately.

Marc> Is this sensible/possible? Does anyone support it now? Is
Marc> anything like this in the works?

I know that BlackHole can do what you want. [I'm no longer associated with them, but I did write the original HTTP proxy. Getting the SecurID NextPIN mode in was a challenge.]
] The sun rarely sets on Helsinki                                | one quark    [
] Michael Richardson, Sandelman Software Works, Ottawa, ON       | two quark    [
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/  | red q blue q [
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");    [

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQB1AwUBM7laSMmxxiPyUBAxAQG6mQL9E+gt0MF307E6R4uq6bSvPlCJmuvlfE9N
AwHZphhxNcmsbMXg+oHUjah2Vx/0VZkcEjaeSCop1rXVQevAl1geeeon2Jwe3b4d
oQgQjbRU7jMRe5v47cejxD4gtzExRUi1
=s/u3
-----END PGP SIGNATURE-----

From owner-firewalls-outgoing Tue Jul 1 15:25:12 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA23319 for firewalls-outgoing; Tue, 1 Jul 1997 14:55:43 -0700 (PDT)
Received: from p0015c01.kpmg.com (p0016c01.kpmg.com [199.207.255.14]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA23280 for ; Tue, 1 Jul 1997 14:55:29 -0700 (PDT)
From: tlitney@kpmg.com
Received: by p0015c01.kpmg.com; id RAA01763; Tue, 1 Jul 1997 17:57:46 -0400 (EDT)
Received: from pa0016c4.kpmg.com(130.100.150.27) by p0015c01.kpmg.com via smap (3.2) id xma001635; Tue, 1 Jul 97 17:57:23 -0400
Received: from mailgate3.kpmg.com by pa0016c4.kpmg.com(8.7.3/8.7.3) with SMTP id RAA12890 for ; Tue, 1 Jul 1997 17:56:40 -0400 (EDT)
Received: from ccMail by mailgate3.kpmg.com (IMA Internet Exchange 2.1 Enterprise) id 000BFFE1; Tue, 1 Jul 97 18:00:23 -0400
Mime-Version: 1.0
Date: Tue, 1 Jul 1997 13:34:36 -0400
Message-ID: <000BFFE1.3365@kpmg.com>
Subject: Public Service Announcement
To: firewalls@greatcircle.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

BEEEEEEEEEEP! We interrupt this firewall feed for a public service announcement!!!

CLUES FOR THE CLUELESS

1.) Don't confuse the list with the list server/majordomo. To leave the list or change list access, deal with the list server/majordomo. Sending those messages to the list will tend to generate negative e-mail.
    FIREWALL = mail to majordomo@greatcircle.com ("help" in message body)

2.) If you want to ask a question but you're afraid because you think it might be basic or simple, don't ask! First, consult the list's FAQ (Frequently Asked Questions). If you don't see your question covered in the FAQ, then try using any of a multitude of search engines. Hey, and who knows what you might learn by researching! If you still can't find an answer, then go ahead and post.
    FIREWALL FAQ = http://www.v-one.com/newpages/faq/htm

3.) Don't use your real IP addresses when describing your situation to the list. If you are sending to the list from a company address, don't describe serious exposures in too much detail. You never know who might be reading!

4.) If you are replying to a message, don't include excessive amounts of the original message in your reply. This is a courtesy to recipients on slower links and eliminates a lot of redundancy. It is acceptable to include enough of the original post to provide a context for your reply.

We now send you back to your previous noise stream.

Note: I would like to thank Cravoman and others for their energetic critique of "Clues". It was appreciated. I yield to overwhelming demand; "Clues" now has firewall list specific pointers.

Tom

*****************************************************************************
This has been a test of my computer penetration system. Had this been an actual penetration, your computer would have dialed 911, placed its head between its keys, and kissed its asterisk goodbye!!
*****************************************************************************
The opinions expressed above are products of my own delusions and are not necessarily shared by my employer, KPMG.
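Michael Richardson's reply above describes how BlackHole challenges the inbound HTTP user once (an HTML form served by the firewall) and then allows a configurable number of minutes of access, and Marc's original note asks that such a grant optionally be tied to the outside IP address so that someone who shoulder-surfed the gateway password cannot ride in while the real user is logged in. The block below is an added example written for this digest, not BlackHole's code or anything from a list member: it is the grant table a firewall proxy would keep to implement that behaviour, with the lease length and the IP binding as the two policy knobs. The class names, the user `sales-rep` and the addresses 203.0.113.10 and 198.51.100.7 are constructed.

```python
"""Time-limited, optionally IP-bound access grants for an HTTP proxy
(added example; see lead-in)."""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    user: str          # who passed the one-time-password challenge
    source_ip: str     # outside address the challenge was answered from
    expires_at: float  # epoch seconds; lease is not extended by use


class AccessGrants:
    """Table the firewall consults on every inbound request.

    grant() is called once, after the OTP form succeeds; the returned token
    is what the proxy sets (e.g. in a cookie) for later requests.  check()
    is called on every request and sends the user back to the challenge
    form when it returns False.  With bind_to_ip=True a token presented
    from any other address is refused even though the lease is still valid.
    """

    def __init__(self, lease_minutes=30, bind_to_ip=True):
        self.lease = lease_minutes * 60
        self.bind_to_ip = bind_to_ip
        self._grants = {}  # opaque token -> Grant

    def grant(self, user, source_ip, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, never derived from the user
        self._grants[token] = Grant(user, source_ip, now + self.lease)
        return token

    def check(self, token, source_ip, now=None):
        """Return (allowed, reason).  reason is the user name when allowed,
        otherwise a short tag suitable for the firewall log."""
        now = time.time() if now is None else now
        g = self._grants.get(token)
        if g is None:
            return False, "no-grant"
        if now >= g.expires_at:
            del self._grants[token]
            return False, "expired"
        if self.bind_to_ip and source_ip != g.source_ip:
            return False, "ip-mismatch"
        return True, g.user

    def purge(self, now=None):
        """Drop expired grants (run periodically); returns how many were removed."""
        now = time.time() if now is None else now
        stale = [t for t, g in self._grants.items() if now >= g.expires_at]
        for t in stale:
            del self._grants[t]
        return len(stale)


def demo(bind_to_ip=True):
    """Constructed scenario: a sales rep authenticates from 203.0.113.10;
    the same token is later presented from 198.51.100.7; the lease lapses."""
    t0 = 1_000_000.0
    table = AccessGrants(lease_minutes=30, bind_to_ip=bind_to_ip)
    token = table.grant("sales-rep", "203.0.113.10", now=t0)
    return {
        "same_ip": table.check(token, "203.0.113.10", now=t0 + 60),
        "other_ip": table.check(token, "198.51.100.7", now=t0 + 120),
        "after_lease": table.check(token, "203.0.113.10", now=t0 + 31 * 60),
    }


if __name__ == "__main__":
    print("bound to IP:", demo(bind_to_ip=True))
    print("not bound:  ", demo(bind_to_ip=False))
```

The lease is fixed at grant time rather than sliding, so a stolen token dies on schedule regardless of activity. Binding to the source address is the cheap mitigation Marc asked for; the cost, as a practitioner would note, is that users behind dial-up or NAT addresses that change mid-session get sent back to the challenge form, which is why the example leaves it switchable.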
From owner-firewalls-outgoing Tue Jul 1 16:48:40 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA02325 for firewalls-outgoing; Tue, 1 Jul 1997 16:09:41 -0700 (PDT)
Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id QAA02244 for ; Tue, 1 Jul 1997 16:09:25 -0700 (PDT)
Received: from Corp.Sun.COM ([129.145.35.78]) by mercury.Sun.COM (SMI-8.6/mail.byaddr) with SMTP id QAA03432 for ; Tue, 1 Jul 1997 16:36:53 -0700
Received: from zeppo.Corp.Sun.COM by Corp.Sun.COM (SMI-8.6/SMI-5.3) id QAA26625; Tue, 1 Jul 1997 16:12:01 -0700
Received: from railroad by zeppo.Corp.Sun.COM (SMI-8.6/SMI-SVR4) id QAA28182; Tue, 1 Jul 1997 16:12:01 -0700
Date: Tue, 1 Jul 1997 16:12:21 -0700 (PDT)
From: Phil Burton
Reply-To: Phil Burton
Subject: No Malaysian Boycott!! Ha!
To: Firewalls@GreatCircle.COM
In-Reply-To: "Your message with ID"
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Folks,

Contrary to what Palan was claiming in re the brouhaha over boycotts of Checkpoint's FireWall-1, the boycott is clearly alive and well in Malaysia. Here is a recent email to me from someone in Sun's field marketing organization.

>----------------Begin Forwarded Message----------------<

phil-

Joe passed along your name. I have some questions about the exportability of FW-1, in particular to Malaysia. Malaysia has import restrictions for products from Israel. Is this an issue for the Sun Branded product?

Please advise
thanks!

>----------------End Forwarded Message----------------<

From owner-firewalls-outgoing Tue Jul 1 17:19:02 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA11194 for firewalls-outgoing; Tue, 1 Jul 1997 17:10:07 -0700 (PDT)
Received: from qits.net.au (gw.qits.net.au [203.15.56.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA11163 for ; Tue, 1 Jul 1997 17:09:50 -0700 (PDT)
Received: from tsd2.development.qits.net.au ([131.242.167.99]) by gw.qits.net.au with ESMTP id <25985>; Wed, 2 Jul 1997 10:12:47 +1000
Received: by tsd2.development.qits.net.au with Internet Mail Service (5.0.1457.3) id ; Wed, 2 Jul 1997 10:12:01 +1000
Message-ID:
From: John Wiltshire
To: firewalls@GreatCircle.COM
Subject: RE: Borderware
Date: Wed, 2 Jul 1997 10:11:59 +1000
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We've been using Borderware here for firewalling our internet connection and have had very few problems with it. There were a few hiccups when we transferred over to version 4.0 with the remote java based interface and the fact that it didn't like IE (we run an NT based shop and policy is to use IE) but that is fixed now. Support from Secure Computing has been very good on the whole - problems which are sent to the mailing list tend to get a response within a few hours (depending on the time in the US of course).

From benchmarks I've seen it does not perform well in a high volume situation but for a small to medium size network it has really been a dream to set up, configure and maintain as well as having the advantage of running on a standard PC which cut our costs enormously.
John Wiltshire

> -----Original Message-----
> From: Gary Mills [SMTP:gary.mills@experian.com]
> Sent: Wednesday, July 02, 1997 1:50 AM
> To: Hassan Karim
> Cc: manuel.ricca@pararede.pt; firewalls@GreatCircle.COM
> Subject: Re: Borderware
>
> I had a thought on Firewall comparisons. When someone does a comparison
> it would be nice to see a comparison on the support of a product
> as well as bug reports. Is there something posted somewhere on how a
> vendor supports a product.
>
> Gary Mills
> Experian
>
> "These are my own opinions and do not reflect those of my employer."
>
> Hassan Karim wrote:
> >
> > I did a comparative evaluation/installation of Borderware, FW-1 and IBM's
> > SNG and found that Borderware is probably only suitable for a small
> > network that doesn't change very often. It is not really easy to
> > configure at all. 1st of all you can not configure it on the console...
> > i.e. configuration must be done remotely. The Java interface is very
> > clunky compared to SNG's. And if you can't get the browser to work then
> > the only way you can configure it is by ftp'ng the config files from the
> > Firewall... then make your changes and then ftp them back to the firewall
> > machine (hope there aren't any mistakes or gotchas in the config files).
> > BTW when I say remote I mean either via https or ftp NOT telnet or ssh.
> > Also... hope you have a vendor that has in house in-depth expertise so
> > that if you run into snags you can get some help otherwise you'll be
> > short because the manuals aren't all that great.
> >
> > Plus since it only uses non-transparent proxy one would have to add
> > users for everyone that needed to leave the network
> >
> > Granted... I think security wise, although I couldn't get it to log
> > everything (probably user error), it is pretty tight.
> >
> > For the brave at heart, SNG seems to be a magnificent product. However, I
> > think there is an unnecessary layer of complexity when creating rules.
> > Firewall-1 is simple and straightforward. Although FW1's management
> > console hosed my local X session every time... the product overall is
> > tight!
> >
> > Hope this helps...
> > Peace,
> > Hassan
> >
> > On Mon, 30 Jun 1997 manuel.ricca@pararede.pt wrote:
> >
> > > Does anyone have experience with Borderware Firewall?
> > > If so, how/where would you place it compared to Raptor, Pix and FW-1?
> > >
> > > TIA,
> > > .M
> > >
> > > Manuel Ricca (manuel.ricca@pararede.pt)
> > > ParaRede - Tecnologias de Comunicação, S.A.
> > > Tel: +351 1 3020451
> > > Fax: +351 1 3020444
> > >
> > > // Be happy - things can always get worse
> > >
> > > These are my own opinions and do not reflect those of my employer.
> > > My employer thinks I'm working.

From owner-firewalls-outgoing Tue Jul 1 17:55:11 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA12422 for firewalls-outgoing; Tue, 1 Jul 1997 17:17:15 -0700 (PDT)
Received: from internet.kexin.co.kr (internet.kexin.co.kr [210.126.192.65]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA12340 for ; Tue, 1 Jul 1997 17:16:54 -0700 (PDT)
Received: by internet.kexin.co.kr; id JAA08120; Wed, 2 Jul 1997 09:08:21 +0900 (JST)
Received: from mail.kexin.co.kr(210.126.192.141) by internet.kexin.co.kr via smap (3.2) id xma008118; Wed, 2 Jul 97 09:08:14 +0900
Received: from test.kexin.co.kr (kexin.kexin.co.kr [210.126.192.129]) by mail.kexin.co.kr (8.8.5/8.8.4) with ESMTP id JAA26214; Wed, 2 Jul 1997 09:13:32 +0900 (KST)
Message-ID: <33B99DC0.EF7BDC88@kexin.co.kr>
Date: Wed, 02 Jul 1997 09:16:01 +0900
From: Charlie Jahng
Organization: KEXIN Systems, Inc.
X-Mailer: Mozilla 4.0b4 [en] (Win95; I)
MIME-Version: 1.0
To: Mark Teicher
CC: firewalls@GreatCircle.COM
Subject: Re: Remote management of firewalls internationally
X-Priority: 3 (Normal)
References: <3.0.1.32.19970630102958.008fe7f0@clark.net>
Content-Type: text/plain; charset=iso-2022-kr
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mark Teicher wrote:
> A suggestion from a close and wise friend asked me to inquire about
> this:
>
> How can one remotely manage firewalls that are on the other side of
> the world?
> How can it be done? and done safely?
>
> /mark
>
> #########################################################
> 'Turn on, Boot Up, Jack in'
> #########################################################

Of course! V-ONE SmartWall can be managed remotely through a secure channel which is protected with mutual authentication and encryption. The management is driven by a Web browser on a remote PC with Windows 3.1, 95, NT or OS/2 as its OS. Refer to www.v-one.com. I don't know whether this is the only firewall which supports remote management. Does anybody know of others?

--
Charlie Jahng (Chulwoong Jahng)
General Manager of KEXIN Systems, Inc.
The Leader of Security in Korea
=======================================
Addr: MarcoPolo B/D 7th Floor, 720-20
Yeoksam-Dong Kangnam-Ku, Seoul,
135-080, Korea
Tel: 82-2-561-3981
Fax: 82-2-561-3984
E-mail: cwjahng@kexin.co.kr
=======================================

From owner-firewalls-outgoing Tue Jul 1 17:57:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA10930 for firewalls-outgoing; Tue, 1 Jul 1997 17:08:32 -0700 (PDT)
Received: from netcomm.NetComm.IE (02-static-a.wokingham.luna.net [195.188.67.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA10884 for ; Tue, 1 Jul 1997 17:08:14 -0700 (PDT)
Received: from [129.156.240.33] (kevin-mac [129.156.240.33]) by netcomm.NetComm.IE (8.8.0/8.7) with ESMTP id MAA01020; Tue, 1 Jul 1997 12:06:52 GMT
X-Sender: kevinbr@129.156.240.1
Message-Id:
In-Reply-To: <3.0.2.32.19970701072514.006a1968@in.net>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 2 Jul 1997 01:17:39 +0100
To: Frank Willoughby
From: Kevin Brown - NetComm
Subject: Re: Microsoft plans to offer a firewall
Cc: Vin McLellan, firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Frank,

Moan Moan, what's wrong with 95% of the desktop market? :-)

You know, I cannot believe that people today shop for automobiles, and make choices. Wait till Microsoft come out with a car. Then we will all die!

MS MKTG: Power Brakes (well maybe in the 2007 Model)
MS MKTG: Reliable Starting (Sure, every time it stalls, you can restart it)
etc etc.

Can anyone explain how we let this happen. I didn't, I still use a Mac! (And a Sun, and a Linux Machine, and an HP and......, but no MS)

Kevin

(ps When Banks use MS Firewalls, I am going over the other side, and then retire...I know a bank or two today using NT RAS to authenticate Home Dial in Banking......anyone want the Bank Names?)
At 13:25 +0100 1/7/97, Frank Willoughby wrote:
>At 09:31 PM 6/30/97 -0500, Vin McLellan allegedly wrote:
>
>Thanks for mail, Vin,
>
>8< [snip]
>
>> Though Microsoft (MSFT) says it doesn't plan to
>> compete with firewall vendors, its plans to add
>> firewall security features to the next version of its
>> Proxy Server software could shake up the firewall
>> software market.
>
>Yeah, right. Just like M$ didn't *plan* to compete with
>Novell, Netscape, etc. M$ doesn't really compete, they simply see
>what someone else does well (like a market leader), puts these
>functionalities into their own products & then they use their
>marketing muscle to drive their product out the door & competitors
>into the ground.
>
>Personally, I am not at all impressed with M$'s predatory business
>practices. I think they will keep pushing the limits of what is
>right & legal to do and will probably get their clock cleaned by
>the Justice Dept. or the FTC. Given their predatory practices,
>I wouldn't be surprised if they were sniffing their own network
>(MSN) for competitive info, or ideas for new projects. (Nothing
>legally wrong with that - it *is* their own network). Note: I
>didn't say they were doing it - I just said I wouldn't be surprised.
>
>
>> The next version of Proxy Server goes into beta
>> testing in July; it will include firewall features
>> designed to block intruders on the Internet from
>> getting onto a company's internal networks,
>> Microsoft officials said. The features could hurt
>> sales of firewall software for Windows NT in
>> particular, and NT has been the market's hottest
>> segment.
>>
>> The move should come as no surprise, says Rob
>> Enderle, an analyst at Giga Information Group. It's
>> been clear since Microsoft introduced its first
>> version of Proxy Server that it would add firewall
>> functions.
>
>I think Rob is 100% correct. IMHO, the Proxy Server was just to
>test the water to see how the market would respond. As people
>are expecting M$ to come out with a firewall, I would say that
>M$ will (once again) change its mind and wade into the market.
>
>
>> Microsoft's decision could hurt makers of firewall
>> software, such as Raptor Systems. In February
>> Raptor announced a low-end firewall, called "The
>> Wall," targeted at small and mid-sized companies.
>> The Centri firewall from Global Internet.Com also
>> targets that space; sometime Microsoft ally Cisco
>> Systems announced last week it's buying Centri and
>> Global Internet.Com's software group.
>
>I see no immediate danger to major firewall vendors from M$. For
>the most part, they already have a solid reputation on the market
>& know how to design secure products. M$ doesn't have this
>reputation yet (and will probably have to do a huge PR campaign
>to try to restore confidence about their ability to deliver secure
>products). The new kids on the block will probably fade away when
>competing with M$.
>
>M$ has two main disadvantages:
>o They seem to be deficient in their ability to write secure TCP/IP
>  stacks.
>o They seem to have problems in trying to write tight, clean, code
>  - an important prerequisite in writing secure applications
>  such as firewalls.
>
>INFOSEC PROGRAMMING DESIGN RULE #1
>The larger the size of the code, the greater the probability that
>the code will contain vulnerabilities which can be exploited.
>
>Another thing. As time passes, & NT becomes more prevalent, the
>hackers will redirect their efforts to NT and will start picking
>it apart (like they have with other vendors). IMHO, I think it
>is just a matter of time until we start seeing nonprived users
>able to gain privs by exploiting vulnerabilities in individual
>programs (buffer overflows, etc). Particularly sensitive are
>those programs which perform prived functions on behalf of
>non-prived users.
>
>Best Regards,
>
>
>Frank
>The opinions of the author of this mail may not necessarily be
>representative of the opinions of Fortified Networks, Inc.
>
>Fortified Networks, Inc. - http://www.fortified.com/
>Expert (vendor-neutral) Computer and Network Security Consulting
>Phone: (317) 573-0800 Fax: (317) 573-0817

////////////////////////////////////////////////////////////
Kevin Brown                  | N \   We operate in Ireland, UK
NetComm                      | e /   and the Middle East
Internet Training,           | t \   --DUBAI--
Consultancy and Networking   | C /   Voice: +971-4-491476
                             | o \   Fax:   +971-4-492957
Sun Microsystems             | m /   --UK--
Internet Associate           | m \   Voice: +44-467-365419
                             |   /   Fax:   +44-1276-35197
The Internet                 |   \   email: kevinbr@netcomm.ie
Experts                      |   /          info@netcomm.ie
                             |   \   http://www.netcomm.ie
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

From owner-firewalls-outgoing Tue Jul 1 18:18:54 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA20010 for firewalls-outgoing; Tue, 1 Jul 1997 17:57:48 -0700 (PDT)
Received: from norwich.valley.net (norwich.valley.net [198.115.160.12]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA19993 for ; Tue, 1 Jul 1997 17:57:38 -0700 (PDT)
Received: from hanover.VALLEY.NET (dns [198.115.160.10]) by norwich.valley.net (8.8.5/8.8.5) with SMTP id UAA21769 for ; Tue, 1 Jul 1997 20:59:52 -0400
Received: by hanover.VALLEY.NET (blitz.valley.net) via SMTP from v2-p-121.valley.net for firewalls@GreatCircle.COM id <3980229> 01 Jul 97 20:59:46 EDT
X-Sender: randy.witlicki@pop.valley.net
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 1 Jul 1997 21:04:12 -0400
To: firewalls@GreatCircle.COM
From: "Randy.Witlicki."
Subject: Re: Microsoft plans to offer a firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From the Tuesday, July 1, 1997 Wall Street Journal, page C7 in the "Small Stock Focus" section:

    Raptor Systems, which makes "firewall" software that provides computer-network security, slid 1 11/16, or 13%, to 11 3/16. Microsoft said it plans to enter the firewall business, a move that could cut into Raptor's business.

- Randy -

From owner-firewalls-outgoing Tue Jul 1 18:33:48 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA17917 for firewalls-outgoing; Tue, 1 Jul 1997 17:46:19 -0700 (PDT)
Received: from gate.rmsbus.com (gate.rmsbus.com [207.49.255.141]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA17801 for ; Tue, 1 Jul 1997 17:45:49 -0700 (PDT)
Received: by gate.rmsbus.com; id TAA14029; Tue, 1 Jul 1997 19:47:22 -0500 (CDT)
Received: from chris.rmsbus.com(204.126.30.52) by gate.rmsbus.com via smap (3.2) id xma014027; Tue, 1 Jul 97 19:47:01 -0500
Message-Id: <1.5.4.32.19970702003728.00685088@popmail.insnet.com>
X-Sender: cm@popmail.insnet.com
X-Mailer: Windows Eudora Light Version 1.5.4 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 01 Jul 1997 19:37:28 -0500
To: osiris@shell.pacificnet.net, Vin McLellan
From: chris michael
Subject: Re: Microsoft plans to offer a firewall
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:20 AM 7/1/97 -0700, osiris wrote:
>A company that cannot make even the simplest implementations of IP
>secure are going to be offering a firewall. Now I've heard everything.
>Is this actually confirmed?

Actually, Trusted Information Systems, the Gauntlet folks, are going to integrate the NT version of Gauntlet (sort of) with the MS proxy server. Apparently TIS has been working with MS on it for a while.
From owner-firewalls-outgoing Tue Jul 1 19:15:41 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA18589 for firewalls-outgoing; Tue, 1 Jul 1997 17:49:23 -0700 (PDT)
Received: from gate.rmsbus.com (gate.rmsbus.com [207.49.255.141]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA18563 for ; Tue, 1 Jul 1997 17:49:11 -0700 (PDT)
Received: by gate.rmsbus.com; id TAA14057; Tue, 1 Jul 1997 19:51:53 -0500 (CDT)
Received: from chris.rmsbus.com(204.126.30.52) by gate.rmsbus.com via smap (3.2) id xma014055; Tue, 1 Jul 97 19:51:41 -0500
Message-Id: <1.5.4.32.19970702004208.00682ce0@popmail.insnet.com>
X-Sender: cm@popmail.insnet.com
X-Mailer: Windows Eudora Light Version 1.5.4 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 01 Jul 1997 19:42:08 -0500
To: firewalls@GreatCircle.COM
From: chris michael
Subject: TIS & NT security
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Since there's been some discussion on the list about MS's plans for NT security, here's the press release from TIS.

> TRUSTED INFORMATION SYSTEMS ANNOUNCES WINDOWS NT SERVER-BASED SECURITY
> DEVELOPMENT INITIATIVES
>
> Alliance to Provide Full Suite of Security Tools for Windows NT Server and
> the Enterprise
>
> GLENWOOD, MD - In a major announcement today, Trusted Information Systems,
> Inc. (NASDAQ: TISX) confirmed that it is developing a premier class of
> security management tools designed for use with Microsoft® Proxy Server and
> the next version of Windows NT™ Server. TIS also announced that the
> widely-anticipated next version of Microsoft Proxy Server is being built
> with a security architecture that will effectively complement TIS Gauntlet®
> Internet Firewall - widely considered the most secure firewall on the market
> today.
>
> "The TIS Gauntlet firewall and Microsoft Proxy Server together will provide
> a coordinated approach to managing both network security and performance,"
> said Harvey L. Weiss, President of TIS' Commercial Division. "The
> combination will allow serious-minded CIOs and network managers to address
> the security needs their companies require." Mr. Weiss further stated,
> "Microsoft is addressing security with the seriousness it deserves and
> matching their proxy server with the TIS approach gives the market an
> excellent set of alternatives to UNIX."
>
> "Large enterprises will find their security needs met by the combination of
> Microsoft Proxy Server and high-end firewalls such as the TIS Gauntlet
> firewall," said Lloyd Spencer, Group Product Manager for Networking and
> Communications at Microsoft Corporation (NASDAQ: MSFT). "We are pleased to
> be working with TIS and other vendors in the network security marketplace to
> enable a new range of products that will help grow the industry and benefit
> our mutual customers."
>
> A perfect example of the Gauntlet firewall and Microsoft Proxy Server
> combination is found on the Microsoft Campus itself. For several high
> profile projects, Microsoft's Information Technologies Group selected the
> TIS Gauntlet NT Firewall as the primary line of defense when used in
> conjunction with the Microsoft Proxy Server. Mr. Spencer stated,
> "Microsoft is a living example of major enterprise collaborative security."
>
> Sources today speculated that Microsoft was considering entry into the
> lucrative firewall market. TIS, the industry's leading proxy-based firewall
> manufacturer, revealed today that it has worked closely with Microsoft for
> the past several months pursuing the joint development of robust security
> solutions for the NT platform.
>
> TIS' development will provide Windows NT Server users with a full service
> security solution for managing their network security. Along with a version
> of the Gauntlet Internet Firewall written specifically for the Windows NT
> Server platform, TIS is working with Microsoft developers on new security
> applications for use with the Microsoft Proxy Server and the next version of
> Windows NT Server.
>
> The Microsoft Proxy Server acts as a content cache server to enforce
> Internet security and protect private Windows NT Server networks from
> hackers. The server, when set in tandem with a Gauntlet firewall, can bring
> unprecedented security, management and networking capabilities to the
> enterprise.
>
> Analysts comment that the NT market is taking off, but there are still
> numerous concerns. "NT is becoming a dominant application and network OS
> platform, but security is still a question mark for some enterprise
> customers," said Mike Rothman, Vice President of Global Networking
> Strategies for META Group, Inc. "Moreover, proxy servers and operating
> systems will need to be supplemented with more robust security functions,
> especially for the periphery. That's where TIS fits in, to provide
> complementary technologies not addressed by the OS."
>
> TIS recently announced the availability of its turnkey NT firewall solution,
> and also recently began shipping the newest version of its popular UNIX
> software, Gauntlet Internet Firewall version 4.0. For more information on
> the Gauntlet family of network security products, please visit the TIS
> website at http://www.tis.com/docs/products/gauntlet/index.html
>
> # # #
>
> Microsoft and Windows NT are either trademarks or registered trademarks of
> Microsoft Corp. in the United States and/or other countries.
>
> In addition to statements of historical fact, this release contains
> forward-looking statements which are inherently subject to change, based on
> known and unknown risks, including but not limited to changes in the market,
> changes in the industry, and changes in relevant legislation. Please refer
> to the company's prospectus for additional information on factors that could
> materially affect the company's financial results.

From owner-firewalls-outgoing Tue Jul 1 19:19:40 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA27262 for firewalls-outgoing; Tue, 1 Jul 1997 18:32:59 -0700 (PDT)
Received: from snet (dataprep.com.my [202.190.59.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id SAA27245 for ; Tue, 1 Jul 1997 18:32:51 -0700 (PDT)
Received: from PaLaN-NeT.dataprep.com.my by snet (SMI-8.6/SMI-SVR4) id JAA03587; Wed, 2 Jul 1997 09:38:21 -0800
Date: Wed, 2 Jul 1997 09:38:21 -0800
Message-Id: <199707021738.JAA03587@snet>
X-Sender: palan@202.190.59.4
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
To: Phil Burton
From: ö PaLaN ö
Subject: Re: No Malaysian Boycott!! Ha!
Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 04:12 PM 7/1/97 -0700, you wrote: >Folks, > >Contrary to what Palan was claiming in re the brouhaha over boycotts of >Checkpoint's FireWall-1, the boycott is clearly alive and well in Malaysia. >Here is a recent email to me from someone in Sun's field marketing >organization. > > Buds, Phil, thanks for bringing this subject to my attention. Guys, to be frank, I really have no idea on this issue of Malaysia boycotting Checkpoint's FW-1 product! As far as I know, Malaysia only restricts its citizens from visiting Israel, which is purely due to political reasons (I believe). Phil, just for your information, the majority of firewalls installed in Malaysia are Checkpoint FW-1. So, I think the issue of import or export restriction is a baseless comment. Anyway, I will do a further check with regard to this to confirm the situation. rgds, PaLaN >>----------------Begin Forwarded Message----------------< > > > >phil- > >Joe passed along your name. i have some questions about the exportability >of FW-1, in particular to Malaysia. Malaysia has import restrictions for >products from Israel. is this an issue for the Sun Branded product? > >Please advise >thanks! > > >>----------------End Forwarded Message----------------< > > Network Sec²rity Engineer West Malaysia. " Hey, here is my key ... lets exchange packets now !!
" From owner-firewalls-outgoing Tue Jul 1 19:34:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA09722 for firewalls-outgoing; Tue, 1 Jul 1997 19:25:32 -0700 (PDT) Received: from inet03.citec.qld.gov.au (inet03.citec.qld.gov.au [203.5.10.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id TAA09690 for ; Tue, 1 Jul 1997 19:25:19 -0700 (PDT) Received: by inet03.citec.qld.gov.au; id MAA02121; Wed, 2 Jul 1997 12:27:55 +1000 Received: from guru.citec.qld.gov.au(147.132.20.47) by inet03.citec.qld.gov.au via smap (3.2) id xma002112; Wed, 2 Jul 97 12:27:53 +1000 Received: (from sgcccdc@localhost) by guru.citec.qld.gov.au (8.6.12/8.6.12) id MAA02374 for firewalls@greatcircle.com; Wed, 2 Jul 1997 12:31:50 +1000 From: Colin Campbell Message-Id: <199707020231.MAA02374@guru.citec.qld.gov.au> Subject: Re: Remote management of firewalls internationally To: firewalls@greatcircle.com Date: Wed, 2 Jul 1997 12:31:48 +1000 (EST) X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Lots of solutions offered which work fine when the machine is up. What happens if it crashes and won't go past a point where networking is not enabled? 
Colin From owner-firewalls-outgoing Tue Jul 1 21:04:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA23296 for firewalls-outgoing; Tue, 1 Jul 1997 20:58:47 -0700 (PDT) Received: from delta.ece.nwu.edu (delta.ece.nwu.edu [129.105.5.103]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA23196 for ; Tue, 1 Jul 1997 20:58:26 -0700 (PDT) Received: (from bonomi@localhost) by delta.ece.nwu.edu (8.8.5/8.8.3) id XAA16110 for firewalls@greatcircle.com; Tue, 1 Jul 1997 23:00:59 -0500 (CDT) Date: Tue, 1 Jul 1997 23:00:59 -0500 (CDT) From: Robert Bonomi Message-Id: <199707020400.XAA16110@delta.ece.nwu.edu> To: firewalls@greatcircle.com Subject: Re: Remote management of firewalls internationally Sender: firewalls-owner@GreatCircle.COM Precedence: bulk + From: Colin Campbell + Subject: Re: Remote management of firewalls internationally + To: firewalls@GreatCircle.COM + Date: Wed, 2 Jul 1997 12:31:48 +1000 (EST) + + Hi, + + Lots of solutions offered which work fine when the machine + is up. What happens if it crashes and won't go past a point + where networking is not enabled? + Or, if you can't change configuration without taking it down to 'single user'? A solution: This takes -two- firewall machines, and a 'secure server' behind each one. you run a secure, encrypted, channel from the management location to either 'secure server', as needed. The 'secure server' connects, via _serial_ port, to the *other* firewall box's console port. Voila! you've got a 'trusted path' to the console port, that does _not_ go through the firewall. Obviously, this solution is _NOT_ inexpensive -- but it *does* allow for 'unmanned' remote operation, at least for all but "very basic" hardware- related problems (e.g., "blown fuse"). A less expensive solution is to have someone _local_, _who_speaks_the_same_ _language_ (*fluently*!) 
as support -staff-, who can be called on to play "voice actuated terminal", for those occasions where 'secure remote access _through_ the box' fails. This person merely needs the ability to follow directions _precisely_, and observe and report *accurately*. The risk here is mostly an added exposure to a 'social engineering' attack.

From owner-firewalls-outgoing Tue Jul 1 22:18:30 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA26592 for firewalls-outgoing; Tue, 1 Jul 1997 21:16:13 -0700 (PDT) Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id VAA26460 for ; Tue, 1 Jul 1997 21:15:32 -0700 (PDT) Received: from user (171.orlando-009.fl.dial-access.att.net [207.146.72.171]) by mail.clark.net (8.8.5/8.6.5) with SMTP id AAA29656; Wed, 2 Jul 1997 00:18:03 -0400 (EDT) Message-Id: <3.0.1.32.19970702001730.00924dd0@clark.net> X-Sender: mht@clark.net X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Wed, 02 Jul 1997 00:17:30 -0400 To: Jack Danahy , "firewalls@GreatCircle.COM" From: Mark Teicher Subject: Re: Security Expert (TM) Cc: "masantis@ntmail.askin.es" , "'Char_Sample@notes.pw.com'" , "pnash@hanshan.bbnplanet.com" , "adam@homeport.org" , "craigaa@iafrica.com" In-Reply-To: <2.2.32.19970630215047.00c0b78c@mail.bbnplanet.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Jack, At 05:50 PM 6/30/97 -0400, Jack Danahy wrote: > > >Mark Teicher asks a good question, and with Joe Judge and Marcus >extending it to organizations, here's my 2b. > >IMHO > >Security experts aren't one skill set or another, aren't >prone to parochial definition. There are lots of types, >and you need 'em all. Where do those people fit into an organization that offers value-added services to customers who want to protect themselves behind a firewall?
So how do you get lots of those types in a cheap, economical way?? > >There are policy wonks who lay down the law about who can grant >access to whom, and who dictate the process about aging accounts, >generating passwords, and terminating employees. They are an >important and annoying lot who call out their strongest positions, >and can explain the risks in compromising them. They have a >slightly idealistic view, and can sometimes resemble good QA people. Policy is something that is always a living document, and usually the wonks in policy do not or are not well informed enough to dictate policy for people such as security experts since they are a different type of person. Even the process of aging accounts, changing passwords and terminating employees is different at each and every company.. Some companies who offer internet and firewall management solutions to companies sometimes do not even have the policies in place and use previous employees as examples to other potentially good people who have the potential but are given the chance. The important lot and annoying lot sometimes can never explain the risks since the risks they are assessing may not be the correct risks to assess. Your comparison of the annoying wonks and QA is questionable, since my opinion of QA folks is that they ensure a quality service or product that passes certain criteria of testing, and the annoying wonks have no such skill since they are still learning themselves.. :) > >There are technologists who, hopefully, have specialized in a couple >of areas of enabling technologies. Key management, authentication, >transaction semantics, PKI's, firewalls, intrusion detection, >encryption, physical entitlement, application-level access control, >auditing, messaging, intrusion detection, vulnerability assessment, >etc. are all piece-parts in any overall solution. Typically they will >have a passing familiarity with all the pieces but feel most comfortable >with a handful.
> >There are business people who need to be able to balance the cost >of the solution against the risk of the breach. They need to >understand the parasites that try to attach themselves to networked >computers, and balance the damage that can be done against the >cost of prevention. They have to understand the reality of the risks, >but they also have to understand why 100% security is impossible, and >why any sane business mind should be funding disaster recovery technology >as well as protection technology. The reality of risk is that security should always be a forethought in a company's mindset, not an afterthought.. I have worked for a few companies who thought sending out overtime policy through email was a good idea, except that they forgot that email can be spoofed and email should never be trusted since the source cannot always be verified. The parasites are always watching, but sometimes they are not always parasites but employees who have not been trained properly or do not have any knowledge.. Developing tools and training programs should hopefully prevent some of the damage from being done.. > >There are the administrators who need to be able to manage the ongoing >harmonious interaction of the systems created. The auditing subsystems >need to communicate with the events, the events with the monitors, the >monitors with the walls, the walls with the PKI, I am getting a headache >just thinking about it. > >Lastly, there has to be the translator expert who can convert the entire >heap I just described into a PO that the CFO and CEO will sign on the line >for, with a deep understanding of what they have bought, what they haven't >bought, and that each payment is an installment in an ongoing series of >costs associated with this growing network community. They can't be just >sales people, they need to be the bringer of hard facts and a harder >reality.
They need to take the punishment when they are wrong, and they >have to understand why the system needs to be changed, so that they can >again articulate how the system can be better next time. Just presenting a risk assessment and a cost analysis report to the CFO or CEO should be enough.. For example, take a look at the bean counters who worked on the Ford Pinto a long time ago.. The CFO made a decision that it was easier to pay the injured people off than to spend the $12.00 to fix the part. If you really need to get a CFO or CEO to sign on the dotted line.. Give them the number of body bags they need to purchase... > >I don't know anyone who is all of these things. I think that I can name >a combination of 2/3 people who would give it to me, but few that could >do it all. > >For those of you looking to become a "Security Expert (TM)" I'd advise >picking what kind you mean. And don't expect any employer to fund it. >Twist your job, spend your time, read everything you get your hands on, >and on the day that you wake up worried because your mom orders hams >from Hanover with the ISP access you gave her, and you can then add the >SE brand to your forehead, for whatever that is worth. Some of us work in this field because we are underqualified to work at McDonald's.. Adding an SE brand to our foreheads might make sense, but the more important issue is that some people like to earn their money, and be satisfied that they thought they did the right thing. It is often a wonder that most people who are unsatisfied with their jobs work at the post office. But that is a different topic entirely.. Sincerely, Mark Teicher "Where reality is just your imagination playing tricks on you" > >Back to the land of the pointy-haired >Jack > >Jack Danahy jdanahy@bbn.com >Manager of Engineering (617) 873-4418 >Network Security Services BBN Corporation > "I'm speaking for myself, not for BBN."
> > ######################################################### 'Turn on, Boot Up, Jack in' #########################################################

From owner-firewalls-outgoing Tue Jul 1 22:21:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA20126 for firewalls-outgoing; Tue, 1 Jul 1997 20:43:22 -0700 (PDT) Received: from mail.vis.com.tw ([202.39.65.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id UAA20117 for ; Tue, 1 Jul 1997 20:43:14 -0700 (PDT) From: wcsu@mail.vis.com.tw Received: by mail.vis.com.tw(Lotus SMTP MTA v1.05 (274.9 11-27-1996)) id 482564C8.0013336B ; Wed, 2 Jul 1997 11:29:43 +0800 X-Lotus-FromDomain: VIS To: firewalls@GreatCircle.COM Message-ID: <482564C8.00118AFE.00@mail.vis.com.tw> Date: Wed, 2 Jul 1997 11:25:14 +0800 Subject: Anti-Virus Check in FW-1 Mime-Version: 1.0 Content-type: text/plain; charset=big5 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Firewall-1 provides an anti-virus feature for SMTP, HTTP and FTP. I wonder how many viruses it can detect and how administrators can update virus patterns? And how will this feature, if enabled, degrade the performance of Firewall-1? By the way, where can I get a session authentication agent for Firewall-1? And on what kind of platform can a session agent reside?

From owner-firewalls-outgoing Wed Jul 2 00:46:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA23379 for firewalls-outgoing; Wed, 2 Jul 1997 00:08:28 -0700 (PDT) Received: from vmsuser.acsu.unsw.EDU.AU (vmsuser.acsu.unsw.EDU.AU [129.94.112.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA23349 for ; Wed, 2 Jul 1997 00:08:18 -0700 (PDT) Received: from laptop (max414173.servers.unsw.EDU.AU) by vmsuser.acsu.unsw.EDU.AU (PMDF V4.3-13 #10833) id <01IKROVCLUWG8X021I@vmsuser.acsu.unsw.EDU.AU>; Wed, 02 Jul 1997 17:12:08 +1000 Date: Wed, 02 Jul 1997 17:09:50 +1000 From: "Costas C."
Subject: (no subject) To: firewalls@GreatCircle.COM Message-id: <33B9FEBE.46C5@vmsuser.acsu.unsw.edu.au> MIME-version: 1.0 X-Mailer: Mozilla 3.0 (Win95; I) Content-type: text/plain; charset=iso-8859-7 Content-transfer-encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk remove

From owner-firewalls-outgoing Wed Jul 2 00:46:51 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA22248 for firewalls-outgoing; Tue, 1 Jul 1997 23:55:50 -0700 (PDT) Received: from gfw.siemens.co.za (gfw.siemens.co.za [196.27.60.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA22217 for ; Tue, 1 Jul 1997 23:55:37 -0700 (PDT) Received: by gfw.siemens.co.za; id JAA14997; Wed, 2 Jul 1997 09:00:18 +0200 (SAT) Received: from sparkex.siemens.co.za(150.207.254.15) by gfw.siemens.co.za via smap (3.2) id xma014985; Wed, 2 Jul 97 09:00:03 +0200 Received: by sparkex with Internet Mail Service (5.0.1458.49) id ; Wed, 2 Jul 1997 08:57:52 +0200 Message-ID: <3FC114CE76D0CF118D1900AA00A4B6764F7470@sparkex> From: "Sizer, Kevin" To: firewalls@GreatCircle.COM Subject: RE: Auditing Firewall Product Source Code Date: Wed, 2 Jul 1997 08:57:49 +0200 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk If you really can audit source code to guarantee integrity, you're probably not far away from either writing it or speccing it out, to have it written for you. The UK has had a practice, where source code may become an issue, of placing the customer's copy of the source code in escrow at either a bank or an agreed institution. The customer can review and sue the supplier based on that code. The implied facts are that a) source / binary are for the same version of the product, b) the customer doesn't hack the binary. A checksum takes care of the latter. The practice has been adopted in South Africa for different reasons.
-Kevin Sizer > ---------- > From: Kent Landfield[SMTP:kent@landfield.com] > Sent: Monday, June 30, 1997 4:36 PM > To: firewalls@GreatCircle.COM > Subject: Auditing Firewall Product Source Code > > # > # As security people, we should be careful about trusting anything > without > # source code anyway.. > > Firewall and other security software vendors: > > -- > Kent Landfield Network Flight Recorder, Inc. > Email: kent@nfr.net Phone: 1-817-545-2502 FAX: 1-817-545-7650 > > > >

From owner-firewalls-outgoing Wed Jul 2 01:03:42 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA19110 for firewalls-outgoing; Tue, 1 Jul 1997 23:35:33 -0700 (PDT) Received: from klse.com.my (smtp.klse.com.my [202.190.12.202]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id XAA19100 for ; Tue, 1 Jul 1997 23:35:26 -0700 (PDT) Received: from GPO#u#DOMAIN-Message_Server by klse.com.my with Novell_GroupWise; Wed, 02 Jul 1997 14:38:51 +0800 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Wed, 02 Jul 1997 14:47:03 +0800 From: "PONNIAH S/O P.RAMAIAH" To: palan@dataprep.com.my, philb@thejudge.Corp.Sun.COM Cc: firewalls@greatcircle.com, SITI_ZALEHA@klse.com.my Subject: Re: No Malaysian Boycott!! Ha! ha! HA! HA!HA???????????-Reply Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ** High Priority ** I agree with Palan's opinion on the Firewall-1 issue. Malaysia is not that extremist as claimed by Mr.PHILB. >>> ö PaLaN ö 3/July/1997 01:38am >>> At 04:12 PM 7/1/97 -0700, you wrote: >Folks, > >Contrary to what Palan was claiming in re the brouhaha over boycotts of >Checkpoint's FireWall-1, the boycott is clearly alive and well in Malaysia. >Here is a recent email to me from someone in Sun's field marketing >organization. > > Buds, Phil, thanks for bringing this subject to my attention.
Guys, to be frank, I really have no idea on this issue of Malaysia boycotting Checkpoint's FW-1 product! As far as I know, Malaysia only restricts its citizens from visiting Israel, which is purely due to political reasons (I believe). Phil, just for your information, the majority of firewalls installed in Malaysia are Checkpoint FW-1. So, I think the issue of import or export restriction is a baseless comment. Anyway, I will do a further check with regard to this to confirm the situation. rgds, PaLaN >>----------------Begin Forwarded Message----------------< > > > >phil- > >Joe passed along your name. i have some questions about the exportability >of FW-1, in particular to Malaysia. Malaysia has import restrictions for >products from Israel. is this an issue for the Sun Branded product? > >Please advise >thanks! > > >>----------------End Forwarded Message----------------< > > Network Sec²rity Engineer West Malaysia. " Hey, here is my key ... lets exchange packets now !! "

From owner-firewalls-outgoing Wed Jul 2 02:21:48 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA19449 for firewalls-outgoing; Tue, 1 Jul 1997 23:38:41 -0700 (PDT) Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA19394 for ; Tue, 1 Jul 1997 23:38:29 -0700 (PDT) Received: from user (237.orlando-008.fl.dial-access.att.net [207.146.71.237]) by mail.clark.net (8.8.5/8.6.5) with SMTP id CAA26456; Wed, 2 Jul 1997 02:39:17 -0400 (EDT) Message-Id: <3.0.1.32.19970702022816.0091d720@clark.net> X-Sender: mht@clark.net X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Wed, 02 Jul 1997 02:28:16 -0400 To: Robert Bonomi , firewalls@GreatCircle.COM From: Mark Teicher Subject: Re: Remote management of firewalls internationally In-Reply-To: <199707020400.XAA16110@delta.ece.nwu.edu> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender:
firewalls-owner@GreatCircle.COM Precedence: bulk Robert, Not exactly what I was thinking, but your solution will work, except that you did not take into account the import/export of certain firewall management software? /mark At 11:00 PM 7/1/97 -0500, Robert Bonomi wrote: >+ From: Colin Campbell >+ Subject: Re: Remote management of firewalls internationally >+ To: firewalls@GreatCircle.COM >+ Date: Wed, 2 Jul 1997 12:31:48 +1000 (EST) >+ >+ Hi, >+ >+ Lots of solutions offered which work fine when the machine >+ is up. What happens if it crashes and won't go past a point >+ where networking is not enabled? >+ > >Or, if you can't change configuration without taking it down to 'single user'? > > >A solution: > >This takes -two- firewall machines, and a 'secure server' behind each one. >you run a secure, encrypted, channel from the management location to either >'secure server', as needed. The 'secure server' connects, via _serial_ port, >to the *other* firewall box's console port. > >Voila! you've got a 'trusted path' to the console port, that does _not_ go >through the firewall. > >Obviously, this solution is _NOT_ inexpensive -- but it *does* allow for >'unmanned' remote operation, at least for all but "very basic" hardware- >related problems (e.g., "blown fuse"). > > >A less expensive solution is to have someone _local_, _who_speaks_the_same_ >_language_ (*fluently*!) as support -staff-, who can be called on to play >"voice actuated terminal", for those occasions where 'secure remote access >_through_ the box' fails. This person merely needs the ability to follow >directions _precisely_, and observe and report *accurately*. The risk here >is mostly an added exposure to a 'social engineering' attack.
> > ######################################################### 'Turn on, Boot Up, Jack in' #########################################################

From owner-firewalls-outgoing Wed Jul 2 03:03:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA11191 for firewalls-outgoing; Wed, 2 Jul 1997 02:14:11 -0700 (PDT) Received: from citadel.cdsec.com (gram.aztec.co.za [196.3.254.235]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id CAA11172 for ; Wed, 2 Jul 1997 02:13:42 -0700 (PDT) Received: (from nobody@localhost) by citadel.cdsec.com (8.6.12/8.6.9) id LAA17322 for ; Wed, 2 Jul 1997 11:21:49 +0200 Received: by citadel via recvmail id 17282; Wed Jul 2 11:21:01 1997 Received: (from gram@localhost) by gram.cdsec.com (8.7.5/8.6.9) id LAA08085 for firewalls@greatcircle.com; Wed, 2 Jul 1997 11:03:14 +0200 From: Graham Wheeler Message-Id: <199707020903.LAA08085@gram.cdsec.com> Subject: Re: Stronger authentication for inbound HTTP To: firewalls@greatcircle.com Date: Wed, 2 Jul 1997 11:03:14 +0200 (SAT) X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Marc> Subject: Stronger authentication for inbound HTTP > > Marc> I understand that one-time passwords don't work for inbound > Marc> Web traffic due to the nature of the HTTP protocol. Do any > Marc> firewall vendors support anything stronger than basic > Marc> password authentication for inbound HTTP traffic? With the > > Yes/no. There are ways to do a bit better than one time passwords. > BlackHole (now called SecurIt Firewall or some such) allows this > kind of thing. > Essentially, the user is only challenged the first time (in > protocol, using HTML forms from the firewall rather than HTTP > headers), and then gets a configurable number of minutes of access.
[shameless plug follows] Our Citadel firewall includes a Win '95 taskbar extension (or Win 3.1 app) which supports automated challenge callbacks from the firewall, using either S/Key or a digital signature based random challenge/response. Successful callbacks for a user/service/host combination can be cached for a configurable amount of time, to reduce the number of callbacks (and to prevent S/Key passwords from expiring almost immediately). Upon the first callback a dialog box will prompt for the password; the password is subsequently cached on the client machine so that further authentications can occur transparently. -- Dr Graham Wheeler E-mail: gram@cdsec.com Citadel Data Security Phone: +27(21)23-6065/6/7 Internet/Intranet Network Specialists Mobile: +27(83)-253-9864 Firewalls/Virtual Private Networks Fax: +27(21)24-3656 Data Security Products WWW: http://www.cdsec.com/

From owner-firewalls-outgoing Wed Jul 2 03:04:02 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA10978 for firewalls-outgoing; Wed, 2 Jul 1997 02:11:24 -0700 (PDT) Received: from mail.globalone.net (mail.globalone.net [199.184.38.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id CAA10948 for ; Wed, 2 Jul 1997 02:10:58 -0700 (PDT) Received: from globalone.net (special2 [192.168.73.250]) by mail.globalone.net (8.6.12/8.6.9) with ESMTP id FAA12416 for ; Wed, 2 Jul 1997 05:13:45 -0400 Received: from master1.bru.globalone.net (root@master1.bru.globalone.net [194.51.208.21]) by globalone.net (8.6.12/8.6.9) with ESMTP id FAA16880 for ; Wed, 2 Jul 1997 05:13:35 -0400 Received: from pop1.fra.globalone.net (pop1.fra.globalone.net [194.51.208.23]) by master1.bru.globalone.net (8.8.5/8.6.9) with ESMTP id LAA02322 for ; Wed, 2 Jul 1997 11:14:23 +0100 Received: from n206-w4.fra.globalone.net ([159.174.206.4]) by pop1.fra.globalone.net (Netscape Mail Server v2.02) with SMTP id AAA160; Wed, 2 Jul 1997 11:10:00 +0200 Received: by
n206-w4.fra.globalone.net with Microsoft Mail id <01BC86D9.28BC8540@n206-w4.fra.globalone.net>; Wed, 2 Jul 1997 11:14:50 -0400 Message-ID: <01BC86D9.28BC8540@n206-w4.fra.globalone.net> From: "Christopher W. Scott" To: "'jdanahy@bbn.com'" , "ken@bridge.com" Cc: "firewalls@greatcircle.com" Subject: RE: Remote management of firewalls internationally Date: Wed, 2 Jul 1997 10:14:01 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ken, Jack is correct in his basic understanding of the German Betriebsverfassungsgesetz. However you can get authorization by coordinating with the Betriebsrat (Works Council) of the company/office. You will however have to document who has the access to the information, why it is being gathered, and how it will be used. This information MAY NOT be simply given to the management level for review, e.g. seeing who's surfing when they should be working. It can however be used to prosecute crimes, document violation of policies, and general security auditing. I have had to tackle this issue myself and it's not so bad. One of my firewalls is managed by a member of the Works Council. Regards, Christopher W. Scott Security Manager, Central Operations Global One * My opinions are my own and do not necessarily represent those of Global One or its Shareholders. -----Original Message----- From: jdanahy@bbn.com [SMTP:jdanahy@bbn.com] Sent: Tuesday, July 01, 1997 06:54 To: ken@bridge.com Cc: alano@teleport.com; mht@clark.net; firewalls@greatcircle.com Subject: Re: Remote management of firewalls internationally K - I've stumbled through the encryption regulations in a couple of lives, and my experience has been: Two things: 1) If you are a US-owned multinational, you can have encryption, limited to 56 bits, on your machine, so long as no one outside your company has access to the facilities of that machine.
Also, no one outside your company can have physical access to the machine, such as local outsourced system support personnel. If you are performing all of your key management from the US, that may, as well, mitigate difficulties. Check with your beagles about specifics for your situation. 2) Your Frankfurt office may prove particularly thorny, however, as there exist German regulations prohibiting any type of employee monitoring which can be used as a performance metric. Since most of the walls generate user/usage stats, be aware. YMMV. I have no idea on the China encryption front. Jack At 11:41 PM 6/30/97 -0500, Ken Hardy wrote: >On Mon, 30 Jun 1997, Alan wrote: >> > How can one remotely manage firewalls that are on the other side of the world? >... >> If you have SSH or some other form of encryption/authentication between >> machines, then you should be able to maintain the firewall without too >> many problems. (Some sort of token-based authorization system or Public >> Key system would be a big plus and/or requirement in such a system.) > >But it might be difficult to get SSH or other form of encryption on >that machine on the other side of the world if your side happens to lie >in the U.S. > >Not to start a wandering and unrelated thread (hint hint), but I've >wondered how the law would apply if I were to log in to a machine in, >say, our company's Frankfurt office via the corporate WAN and built and >installed SSH on that machine while sitting in our U.S. office. Would >my work in doing the installation be considered exporting the encryption >in some manner, even if the software didn't get on the machine from or >through the U.S.? Of course, it reasons (if that word can be applied >to U.S. encryption policy) that I'd be on much shakier ground if the >SSH code from a site in Finland or Australia got on the German machine >via the company's Internet connection in the U.S.
> >On a tenuously related note, does anyone know whether China's ban on >the use of encryption now extends to Hong Kong? > >-- >K ---------------------------------------------------------------------- Jack Danahy jdanahy@bbn.com Manager of Engineering Tel: (617) 873-4418 BBN Corporation Fax: (617) 873-6846 From owner-firewalls-outgoing Wed Jul 2 04:34:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA26995 for firewalls-outgoing; Wed, 2 Jul 1997 03:59:40 -0700 (PDT) Received: from herculis.alphawest.com.au (herculis.alphawest.com.au [203.14.124.13]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA26134 for ; Wed, 2 Jul 1997 03:58:10 -0700 (PDT) Received: by herculis.alphawest.com.au with Internet Mail Service (5.0.1457.3) id ; Wed, 2 Jul 1997 19:02:34 +0800 Message-ID: <813621B906ABD011884A00A0C90092B1209590@herculis.alphawest.com.au> From: Todd Hooper To: "'Firewalls@GreatCircle.COM'" Cc: "'wcsu@mail.vis.com.tw'" Subject: re: Anti-Virus Check in FW-1 Date: Wed, 2 Jul 1997 19:02:33 +0800 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Someone wrote: > >Firewall-1 provides anti-virus feature for SMTP, HTTP and FTP. I > wonder how > >many viruses it can detect and how administrators can update virus > >patterns? And how will this feature, if enabled, degrade the > performance > >of Firewall-1? > > >By the way, where can I get a session authentication agent for > Firewall-1? > >And in what kind of platform can a session agent resides? > > Check http://www.checkpoint.com for answers to the first question. > Briefly, > you can plug in a number of anti-virus scanners to Firewall-1. The > Checkpoint > Web site explains how you do it and which products are supported. > > I'm not sure on the session authentication agents - there is nothing > specific on the Web site. 
Checkpoint talked about a Windows based > session authentication agent at the 3.0 launch last year. > > The manual says: > > FireWall-1 Session Authentication Agent Protocol > > The FireWall-1 Session Authentication Agent Protocol is a TCP protocol > under > which FireWall-1 and the agent exchange messages. A detailed > description of > this protocol is available at http://www.checkpoint.com. > > Note: An OpenLook sample Session Authentication agent is in > $FWDIR/bin/fwsngui. > Other sample Session Authentication agents are available at > http://www.checkpoint.com. > > Regards, > > Todd > From owner-firewalls-outgoing Wed Jul 2 05:49:03 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA02995 for firewalls-outgoing; Wed, 2 Jul 1997 04:28:06 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA02965 for ; Wed, 2 Jul 1997 04:27:49 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id HAA23170; Wed, 2 Jul 1997 07:17:44 -0400 (EDT) From: Adam Shostack Message-Id: <199707021117.HAA23170@homeport.org> Subject: Re: Remote management of firewalls internationally In-Reply-To: <199707020400.XAA16110@delta.ece.nwu.edu> from Robert Bonomi at "Jul 1, 97 11:00:59 pm" To: bonomi@delta.ece.nwu.edu (Robert Bonomi) Date: Wed, 2 Jul 1997 07:17:43 -0400 (EDT) Cc: firewalls@GreatCircle.COM X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Robert Bonomi wrote: | Or, if you can't change configuration without taking it down to | 'single user'? | A solution: | | This takes -two- firewall machines, and a 'secure server' behind each one. | you run a secure, encrypted, channel from the management location to either | 'secure server', as needed. 
| The 'secure server' connects, via _serial_ port,
| to the *other* firewall box's console port.

And when both machines foobar due to AC failing, followed by power
failing? Can you accept 24 hours of downtime? And UPSs fail as well.
Remember what happened to BBNPlanet's Stanford facility.

|
| A less expensive solution is to have someone _local_, _who_speaks_the_same_
| _language_ (*fluently*!) as support -staff-, who can be called on to play
| "voice actuated terminal", for those occasions where 'secure remote access
| _through_ the box' fails. This person merely needs the ability to follow
| directions _precisely_, and observe and report *accurately*. The risk here
| is mostly an added exposure to a 'social engineering' attack.

But you also have someone who can go by to check on the physical security
and integrity of your location. I would not run a firewall without a unix
sysadmin type with a few brain cells within a reasonable transit distance.
If you've got office space in the area, you've got people. If you don't
have office space in the area, why are you deploying security tools there?

Adam

--
"It is seldom that liberty of any kind is lost all at once."
                                                          -Hume

From owner-firewalls-outgoing Wed Jul 2 06:04:28 1997
Message-Id: <199707021052.FAA09829@byers.dejanews.com>
To: firewalls@greatcircle.com
Subject: Wanted: VPN options
Date: Wed, 02 Jul 1997 05:52:34 -0500
From: Travis Hassloch

Please add to this list:

  skIP
  F-secure VPN

thanks
--
Travis Hassloch / travish@dejanews.com / http://www.dejanews.com
Deja News System Administration Group / "When news breaks... we fix it."
From owner-firewalls-outgoing Wed Jul 2 06:13:50 1997
Message-ID: <33BA45A5.57AB2A3B@netscape.com>
Date: Wed, 02 Jul 1997 14:12:21 +0200
From: dwass@netscape.com (David Wasser)
Organization: Netscape Communications GmbH
To: firewalls@greatcircle.com
CC: franks@netscape.com
Subject: Tunneling tools with 128 bit encryption outside US?

I am looking for a product which will build an encrypted IP tunnel using
128 bit encryption technology that is available outside the US. Can anyone
point me to a vendor?
Thanx,
-David
--
David Wasser          | Netscape Communications GmbH
Principal Consultant  | Am Soeldnermoos 6
                      | D-85399 Hallbergmoos
DWass@netscape.com    | Germany

[S/MIME Cryptographic Signature attachment (smime.p7s) omitted]
From owner-firewalls-outgoing Wed Jul 2 06:34:14 1997
Date: Wed, 2 Jul 1997 14:12:54 +0100
From: "Magossa'nyi A'rpa'd"
To: Firewall list
Subject: src addr = 0.0.0.1 ??????

Hi!

I've received some strange probes apparently from 0.0.0.1.
It has tried only one tcp port. Does anyone have any experiences or
comments regarding that pattern? In what kind of network setup can it be
dangerous, and what kind of network setup is a good defence against this
class of probes?

---
GNU GPL: only from a pure source

From owner-firewalls-outgoing Wed Jul 2 06:49:15 1997
To: firewalls@GreatCircle.COM
Date: Tue, 1 Jul 1997 19:35:38 -0700
Subject: Re: ICQ network
Message-ID: <19970701.195924.14390.3.wiseleo@juno.com>
References: <33B8B3E2.2B40@hotmail.com>
From: wiseleo@juno.com (Leonid S Knyshov)

Hi everyone,

I sent an invitation to Mirabilis with instructions on how to join this
mailing list, hopefully we'll get some answers soon.

***
Leonid Knyshov AKA Wise_One
http://kiassociates.com/computerhelp
http://kiassociates.com/computerhelp/personal
For file attachments please use wiseleo@hotmail.com and send a note about
it here :)

On Tue, 01 Jul 1997 03:38:10 -0400 DECkedout writes:
> Joe Pollock wrote:
> >
> > One of my users sent me a spam message concerning the ICQ ("I Seek You")
> > Network, which claims to reduce an individual's Net identity to a single
> why they haven't released hard facts to the public. Does anyone know
> anyone from Mirabilis? I have a lot of questions about it.... It
> definitely raises an eyebrow or two...
> -DECkedout

From owner-firewalls-outgoing Wed Jul 2 07:31:18 1997
Message-Id: <33BAE418.3D5E@garanti.com.tr>
Date: Wed, 02 Jul 1997 16:28:24 -0700
From: Cihan Subasi
Reply-To: csubasi@garanti.com.tr
Organization: Garanti Ticaret
To: Firewalls
Subject: 128-bit SSL....

I will have a question about security, not about firewalls directly.

After announcing that 128-bit SSL is export free, Netscape and Microsoft
announced their WEB Servers supporting 128-bit SSL, but in order to be
able to use 128bit SSL, on the client side a certificate is needed and
this certificate is browser dependent and not portable. Since we are not
in USA and we don't know how 128bit SSL is used in USA, could anybody
explain to me how 128-bit SSL works in USA?.. do we need a special digital
certificate on the client side in USA???? Or can you direct me to a
direction where I can find the answer of above question????
Thank You,
--
****************************************************************************
Cihan Subasi, Garanti Ticaret AS, Istanbul Turkey
email: csubasi@garanti.com.tr
tel: +902126570404   fax: +902126570473
****************************************************************************

From owner-firewalls-outgoing Wed Jul 2 07:41:03 1997
Message-Id: <3.0.32.19970702080847.007b15d0@the-wire.com>
Date: Wed, 02 Jul 1997 08:20:29 -0400
To: osiris@shell.pacificnet.net, Vin McLellan
From: Anton J Aylward
Subject: Re: Microsoft plans to offer a firewall
Cc: firewalls@GreatCircle.COM

At 11:20 AM 01/07/97 -0700, osiris wrote:
## Reply Start ##
> A company that cannot make even the simplest implementations of IP
> secure are going to be offering a firewall. Now I've heard everything.
> Is this actually confirmed?

I very strongly suggest you read a book called

    Extraordinary Popular Delusions and the Madness of Crowds
    by Charles Mackay, LLD

It was published in 1841 and is still in print, which should tell you
something.

It is not a 'fun' book, nor easy to read.
If it were written today publishers would refuse it because of its heavy
style and language, just like they would refuse Shakespeare.
Even if you only read the first two chapters, 88 pages in my volume, you
will suffer various enlightenments.

I have no doubts that many companies will buy microsoft's firewall purely
because it comes from microsoft. We have already seen that they have turned
off their critical faculties and, to misquote Bonhoeffer, have decided
that "Bill Gates Is My Conscience".

I expect to make a lot of money in coming years.
Not only from InfoSec consulting, but also from Marcus Ranum's idea of
selling short companies which put themselves in a highly exposed position.

/anton

>
## Reply End ##
--------------------------------------------------------------------------
Anton J Aylward                  | Telling the future by looking at the
The Strahn & Strachan Group Inc  | past assumes that conditions remain
Information Security Consultants | constant. This is like driving a car
Voice: (416) 494-8661            | by looking in the rear view mirror.
Fax: (416) 494-8803              |             - Herb Brody

From owner-firewalls-outgoing Wed Jul 2 08:02:27 1997
Date: Wed, 2 Jul 1997 15:33:46 +0100
From: "Magossa'nyi A'rpa'd"
To: Travis Hassloch
CC: firewalls@GreatCircle.COM
Subject: Re: Wanted: VPN options
In-Reply-To: <199707021052.FAA09829@byers.dejanews.com>

On Wed, 2 Jul 1997, Travis Hassloch wrote:

> Please add to this list:
> skIP
> F-secure VPN

http://hal2000.hal.vein.hu/~mag/linux-security/VPN-HOWTO.html

---
GNU GPL: only from a pure source

From owner-firewalls-outgoing Wed Jul 2 08:11:44 1997
From: Scott_Thomas@em.fcnbd.com
Date: Wed, 2 Jul 1997 09:41:03 -0500
Message-ID: <001031FF.1944@em.fcnbd.com>
To: Firewalls@GreatCircle.COM

To All:

Our company is implementing SAP in all of its locations. Our desire is to
have internal firewalls between the main corporate location and outer
offices. We have attempted to run FW-1 in two locations so far with the
same result. If a user at the outer office runs an SAP process that only
involves one UNIX host at the main office it works fine.
When the SAP process involves more than one host the returned transmission
is never received, although it seems to leave the UNIX host. Currently our
production host is only one HP 9000 and is working fine. Our staging and
development areas involve multiple HP 9000's that run processes between
each other and transmissions get lost. If we drop the firewall daemon and
let traffic pass through the Sparc station this process works fine with
multiple HP hosts. In troubleshooting we have gone so far as to add a #1
rule for ANYtoANYtoANY and it still does not work. This has stumped both
our local FW1 vendor as well as SUN support.

Has anyone run into a similar problem? As far as FW1 goes, everything we
attempt to pass through it is correctly filtered except where multiple
UNIX hosts are involved. Any help is appreciated...

Scott Thomas
Systems Officer
847-622-5762

From owner-firewalls-outgoing Wed Jul 2 09:07:21 1997
Message-Id: <199707021456.LAA05099@csnnetra1.csn.com.br>
From: "Alessandro Jannuzzi"
Organization: CSN
To: firewalls@GreatCircle.COM
Date: Tue, 2 Jul 1996 11:58:51 +0000
Subject: Re: Anti-Virus Check in FW-1
In-reply-to: <482564C8.00118AFE.00@mail.vis.com.tw>

Well, FW-1 3.0 provides this feature.
An application-level protocol called CVP was projected to plug the FW-1
with any antiviruses that support this protocol. For demonstration, I
think, the version comes with a Cheyenne anti-virus, but I guess it
doesn't allow future upgrades.

The idea is: to get FW-1 and other powerful antiviruses that support CVP.

Alessandro Jannuzzi
jannuzzi@csn.com.br

> Firewall-1 provides an anti-virus feature for SMTP, HTTP and FTP. I wonder how
> many viruses it can detect and how administrators can update virus
> patterns? And how will this feature, if enabled, degrade the performance
> of Firewall-1?
>
> By the way, where can I get a session authentication agent for Firewall-1?
> And in what kind of platform can a session agent reside?
>
>
>
>

From owner-firewalls-outgoing Wed Jul 2 09:21:22 1997
Date: Wed, 2 Jul 1997 08:51:16 -0700 (PDT)
From: "Kelly E. Gibbs"
To: firewalls@greatcircle.com
Subject: RIP vs. OSPF

Would it be a fair statement that OSPF is now the chosen protocol over
RIP? If so, could someone offer any comment on why, and which do you think
will be the more dominant protocol in the future?
Thanks,

Kelly

From owner-firewalls-outgoing Wed Jul 2 09:34:36 1997
Date: Wed, 2 Jul 1997 09:23:41 -0700 (PDT)
From: "Kelly E. Gibbs"
To: Anton J Aylward
cc: firewalls@GreatCircle.COM
Subject: Re: Microsoft plans to offer a firewall
In-Reply-To: <3.0.32.19970702080847.007b15d0@the-wire.com>

Companies that have formed some alliance with Microsoft will eventually be
burned themselves. Take Digital for example. M$ paid DEC millions to
retrain their VMS consultants for NT, and Digital thought there would be
millions in NT consulting - instead they discovered just the opposite and
as a result, had to lay off some of the new NT force.

Now for my opinion: I think M$ simply wrote the $20M (or whatever value it
was) off, just so DEC would lose some of their workforce and would no
longer pose any threat to NT (not that it did today anyway, but just in
case!). I believe that M$ would just love to completely destroy VMS and
Digital UNIX, but again, this is purely speculation.

I'm sure some of the firewall companies have embraced M$ and think they
have formed an alliance (even through MSDN or other offerings), but this
is about money, and M$ could care less.
I really believe that Apple was the primary target of M$, not only to rid
the OS from the face of this earth, but to shut the company down. It's my
opinion that M$ purposely developed the Mac products to run as
sub-standard software just so people would migrate to Intel in
disappointment. I believe the next company we'll see inflicted by the
sting of M$ is Netscape. Eventually, Sun, SCO, and other UNIX vendors will
feel the pain; although it may take ten more years before they're just
memories of the past.

What bothers me the most, and I think a lot of you will agree, is that as
we move forward, and technology advances, M$ will continue to plague our
systems with sub-standard, highly proprietary, applications. Rebooting is
well accepted today, and most of us who run NT servers just live with that
- what else is there; do we have a choice? M$ has affected all of our
lives, and some of us like/dislike M$, it doesn't matter. The masses will
continue to flock to the almighty [Microsoft], and no one will be able to
go up against the supreme deliverer of software.

Gee, if Hitler were around he'd love to be in Bill Gates' shoes: World
Dominance - what a concept! Same principle - just applied to software
that's all.

Throughout M$'s wonderful climb to dominate the world, where's the Justice
Department? I wonder if Janet Reno uses '95? Wonder if she owned shares of
Apple stock in the past?

On Wed, 2 Jul 1997, Anton J Aylward wrote:

> At 11:20 AM 01/07/97 -0700, osiris wrote:
> ## Reply Start ##
>
> > A company that cannot make even the simplest implementations of IP
> > secure are going to be offering a firewall. Now I've heard everything.
> > Is this actually confirmed?
>
> I very strongly suggest you read a book called
>
>     Extraordinary Popular Delusions and the Madness of Crowds
>     by Charles Mackay, LLD
>
> It was published in 1841 and is still in print, which should tell you
> something.
>
> It is not a 'fun' book, nor easy to read.
> If it were written today publishers would refuse it because of its heavy
> style and language, just like they would refuse Shakespeare.
>
> Even if you only read the first two chapters, 88 pages in my volume, you
> will suffer various enlightenments.
>
> I have no doubts that many companies will buy microsoft's firewall purely
> because it comes from microsoft. We have already seen that they have turned
> off their critical faculties and, to misquote Bonhoeffer, have decided
> that "Bill Gates Is My Conscience".
>
> I expect to make a lot of money in coming years.
> Not only from InfoSec consulting, but also from Marcus Ranum's idea of
> selling short companies which put themselves in a highly exposed position.
>
>
> /anton
>
>
>
> ## Reply End ##
> --------------------------------------------------------------------------
> Anton J Aylward                  | Telling the future by looking at the
> The Strahn & Strachan Group Inc  | past assumes that conditions remain
> Information Security Consultants | constant. This is like driving a car
> Voice: (416) 494-8661            | by looking in the rear view mirror.
> Fax: (416) 494-8803              |             - Herb Brody
>

From owner-firewalls-outgoing Wed Jul 2 09:48:59 1997
Message-Id: <3.0.32.19970702093428.00f12830@199.107.168.5>
Date: Wed, 02 Jul 1997 09:34:30 -0700
To: firewalls@GreatCircle.COM
From: John Whittaker
Subject: Re: Microsoft plans to offer a firewall

fyi - salient points from my conversation with microsoft:

* Microsoft is releasing a new version of Proxy Server.
* Version 1.0 already offered firewall class security, and has been in the
  marketplace since Nov '96.
* Refer to C&L white paper available on http://www.microsoft.com/proxy
* The new version will combine enhanced security and performance. This has
  never been done before.
* Microsoft is enhancing its firewall security features as a result of
  feedback from small business and branch office customers.
* Proxy Server 2.0 will be a better alternative to Netscape Proxy Server
  and Novell Border Manager
* Enhanced web content caching
* Extensible firewall security
* Proxy Server 2.0 is an "extensible firewall" platform, which creates
  opportunities for 3rd parties to extend and complement Proxy Server's
  network security capabilities
* 3rd Party Enterprise Firewall Vendors: Checkpoint, Raptor, Trusted
  Information Systems
* 3rd Party Virus Scanning & "Rogue Applet" blocking: Trend Micro
* Content Filters - CyberPatrol and Surfwatch

john.
-------------------------------------------------------------------------
John Whittaker                CREDO NET
Vice President                a division of Credo Computer Systems, Inc
-------------------------------------------------------------------------
Providing your business with turnkey solutions for doing business in
the information age.
-------------------------------------------------------------------------
22941 Triton Way, Suite 241, Laguna Hills, CA 92653   (888) 88-CREDO
http://www.credo.net   http://www.zoneoftrust.com

From owner-firewalls-outgoing Wed Jul 2 10:49:24 1997
Message-Id: <3.0.2.32.19970701201820.006a16b0@in.net>
Date: Tue, 01 Jul 1997 20:18:20 -0500
To: Kevin Brown - NetComm
From: Frank Willoughby
Subject: Re: Microsoft plans to offer a firewall
Cc: Frank Willoughby, Vin McLellan, firewalls@GreatCircle.COM
References: <3.0.2.32.19970701072514.006a1968@in.net>

At 01:17 AM 7/2/97 +0100, someone surely spoofed Kevin Brown - NetComm's
mail.

I'm not quite sure what the first part of your mail was trying to point
out. From a security standpoint, your ps was somewhat horrifying. As it is
reasonably certain that M$ will produce a firewall, I'm rather
uncomfortable with your mail's postscript:

> Kevin
> (ps When Banks use MS Firewalls, I am going over the other side, and then
> retire...I know a bank or two today using NT RAS to authenticate Home Dial
> in Banking......anyone want the Bank Names?)

Do you mean that:

o You would actually even think of cracking a bank? Perhaps even one of
  your own customers?

o You would seriously offer the names of banks with serious security
  problems?

Sorry, but the concept of what you are proposing is foreign to me. It
seems to me that both items in your mail's postscript seem to be in direct
opposition to the goals of InfoSec and what one expects from a security
consultant.

No offense, but if I was one of your customers, I would be *very* nervous
right about now.

Again, your mail was spoofed, right?

Best Regards,

Frank

The opinions of the author of this mail may not necessarily be
representative of the opinions of Fortified Networks, Inc.

Fortified Networks, Inc.
- http://www.fortified.com/
Expert (vendor-neutral) Computer and Network Security Consulting
Phone: (317) 573-0800   Fax: (317) 573-0817

From owner-firewalls-outgoing Wed Jul 2 11:06:23 1997
Message-Id: <33BA97A0.6BBC5AB5@dsw.net>
Date: Wed, 02 Jul 1997 11:02:08 -0700
From: "Boni D. Bruno"
Reply-To: bbruno@dsw.net
Organization: Data Systems West
To: Firewalls@GreatCircle.COM
Cc: firewalls-digest@GreatCircle.COM, bbruno@dsw.net
Subject: Re: Firewalls-Digest V6 #307
References: <199706302005.NAA23368@honor.greatcircle.com>

Date: 30 Jun 97 12:48:49 +0000
From: manuel.ricca@pararede.pt
Subject: Borderware

Does anyone have experience with Borderware Firewall?
If so, how/where would you place it compared to Raptor, Pix and FW-1?

TIA,
.M

Manuel Ricca (manuel.ricca@pararede.pt)
ParaRede - Tecnologias de Comunicação, S.A.
Tel: +351 1 3020451 Fax: +351 1 3020444 Borderware runs on the intel platform only (Secure Computing recommends a clone machine), some of the better known name brand machines like Compaq will not work usually. Borderware is built on a bastion implementation of BSD Unix which you have no access to. BorderWare defines a new product category of firewalls by combining packet filters and circuit-level gateways with application servers into a single self-contained system. BorderWare includes a secure Mail server, dual Name servers (internal and external), a News server, an anonymous FTP server, a WWW server and a Finger information server which you can choose to enable or disable. With the latest version Borderware 4.x, all configuration is done from a remote html browser which is extremely slow! Their front end is all Java, using their html forms to configure DNS for 15 zones took me all day just because the updates via the browser were taking forever! I can configure the same DNS information on UNIX or NT running either FW-1 or Raptor in an hour. Pix does not run on top of an operating system, so DNS is configured elsewhere. If you choose to enable the news server on Borderware, you do take a performance hit. Based on my experience, Borderware is not an enterprise level firewall server and it offers very little flexibility. It can support a maximum of three interfaces: external, internal and ssn (a.k.a. dmz). I would position this product to customers who have no experience setting up internet servers, DNS, MAIL, etc. Also, there are no internal authentication capabilities with Borderware, no skey, secure-id, nothing to authenticate your rules against. Raptor and FW-1 do offer authentication. The logging capabilities are not as good as Raptor's or FW-1's. Pix requires a syslog host for logging. 
If you are like me, and like to see what's going on at a kernel level and have access to modify your firewall system, Borderware will frustrate you: you are completely locked into their interface. For some people this is better, for others it is not. PIX is a stateful packet filter with support for Dynamic NAT and a failover port to support a standby Pix server, which is very nice. If you need extensive logging information though, it comes up short. Also, Pix comes with no Proxies and only supports two interfaces; I find myself having to supplement PIX with several proxies. FW-1 also is a stateful packet filter with some application software support for telnet, ftp and http. FW-1 offers a lot of flexibility and can support various interfaces, good logging capabilities, but no proxies. Also, FW-1 v2.x does not integrate their NAT configuration with their GUI; you have to set this up at the command line. I hear FW-1 v3.x fixes this, but I can not comment on this yet. I often supplement FW-1 with proxies. Raptor also has good logging capabilities and has support for various interfaces, and it does come with several proxies. Raptor being an application gateway firewall, NAT is inherently built in to the product. All products have support for VPN, remote management and snmp traps. -- Boni D. Bruno Vice President of Engineering Data Systems West,Inc. 
http://www.dsw.net Phone: (818) 883-9800 x 225 email:bbruno@dsw.net --------------EEF28682C2D82E0D3A85C043 Content-Type: text/x-vcard; charset=us-ascii; name="vcard.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for Boni Bruno Content-Disposition: attachment; filename="vcard.vcf" begin: vcard fn: Boni Bruno n: Bruno;Boni org: Data Systems West adr: ;;21101 Oxnard Street;Woodlad Hills;CA;91367; email;internet: bbruno@dsw.net title: Vice President of Engineering tel;work: 818-883-9800x225 tel;fax: 818-883-4604 x-mozilla-cpt: ;0 x-mozilla-html: TRUE end: vcard --------------EEF28682C2D82E0D3A85C043-- From owner-firewalls-outgoing Wed Jul 2 11:19:00 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA00665 for firewalls-outgoing; Wed, 2 Jul 1997 11:17:26 -0700 (PDT) Received: from polaris.pacificnet.net (polaris.pacificnet.net [207.171.0.250]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA00626 for ; Wed, 2 Jul 1997 11:17:16 -0700 (PDT) Received: from default (pm14-14.pacificnet.net [207.171.10.47]) by polaris.pacificnet.net (8.8.5/8.8.5) with SMTP id LAA11874; Wed, 2 Jul 1997 11:10:43 -0700 (PDT) Message-ID: <33BA9D51.3602@pacificnet.net> Date: Wed, 02 Jul 1997 11:26:25 -0700 From: "osiris@pacificnet.net" Reply-To: osiris@pacificnet.net X-Mailer: Mozilla 3.01 (Win95; I) MIME-Version: 1.0 To: John Whittaker CC: firewalls@GreatCircle.COM Subject: Re: Microsoft plans to offer a firewall References: <3.0.32.19970702093428.00f12830@199.107.168.5> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk John Whittaker wrote: > > fyi - salient points from my conversation with microsoft: > > * Microsoft is releasing a new version of Proxy Server. One that works. > * Version 1.0, already offered firewall class security, and has > been in the marketplace since Nov '96. and is dubious. 
> * Refer to C&L white paper available on > http://www.microsoft.com/proxy White papers aren't such a good source for information anymore. White papers today == info-mercials. > * The new version will combine enhanced security and performance. > This has never done before. Releasing a product that actually works. > * Microsoft is enhancing its firewall security features as a > result of feedback from small business and branch office customers. Yeah, like "Why the hell doesn't this thing do what it's supposed to?" I'm sorry, but MS should keep out of the security business. Security is one area of concern in which McDonald's-type manufacturing/merchandising could really hurt people. Secure application design should be left to those who know it. (Yes, yes, I know that MS is contracting some of it to people who DO know what they're doing. However, that won't cure OS-inherent problems that MS has, now, will it? TIS, Raptor or whoever may - and undoubtedly will - create an elegant, effective product for Microsloth only to have their reputations tarnished because some MS tweaker failed to properly implement IP - or some such nonsense.) In my opinion, MS ought to figure out how to prevent their servers from being downed by any Tom, Dick and Harry with a DoS tool before they release a product that will "..combine enhanced security and performance." How can they possibly keep a straight face while telling you some garbage like that? The only thing that will sell MS security products is the lack of security knowledge that a high percentage of their customers now possess. 
From owner-firewalls-outgoing Wed Jul 2 12:14:54 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA04450 for firewalls-outgoing; Wed, 2 Jul 1997 11:48:28 -0700 (PDT) Received: from ftp.com (ftp.com [128.127.2.122]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id LAA04425 for ; Wed, 2 Jul 1997 11:48:18 -0700 (PDT) Received: from ftp.com by ftp.com ; Wed, 2 Jul 1997 14:51:02 -0400 Received: from mailserv-2high.ftp.com by ftp.com ; Wed, 2 Jul 1997 14:51:02 -0400 Received: from lx400.ftp.com by MAILSERV-2HIGH.FTP.COM (SMI-8.6/SMI-SVR4) id OAA23190; Wed, 2 Jul 1997 14:47:07 -0400 Message-Id: <199707021847.OAA23190@MAILSERV-2HIGH.FTP.COM> X-Mapi-Messageclass: IPM To: kgibbs@best.com Cc: firewalls@greatcircle.com X-Mailer: FTP Software Internet Mail 2.0 Mime-Version: 1.0 From: shishir Subject: RE: RIP vs. OSPF Date: Wed, 02 Jul 1997 14:51:26 -0400 Content-Type: text/plain; charset=US-ASCII; X-MAPIextension=".TXT" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am not a routing protocol expert but I can say that RIP and OSPF have different benefits and drawbacks. OSPF is more complicated but does offer a lot more features like link state, cost, VLSM, quick convergence, etc. However, it is CPU intensive and takes a lot of resources. RIP on the other hand is simpler but limited to 15 hops, based on hop counts whether they are T1s or 56kbps links. My $.02 - shishir >>Reply to your message of 7/2/97 1:04 PM >> >>Would it be a fair statement that OSPF is now the chosen protocol over RIP? >>If so, could someone offer any comment on why and which do you think will >>be the more dominate protocol in the future? 
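The point shishir makes above (RIP counts hops and ignores whether a link is a T1 or 56 kbps, and anything past 15 hops is unreachable; OSPF uses a per-link cost) can be seen concretely in a small simulation. This is an added example, not code from any message in this thread. The topology, the router names and the link speeds are constructed for illustration; the OSPF-style cost of 10^8 / bandwidth is the common reference-bandwidth convention and is stated here as an assumption. Only metric computation and path selection are simulated, not the protocols' actual packet exchanges.

```python
import heapq

RIP_INFINITY = 16            # RIP: metric 16 means unreachable (15 usable hops)
REF_BANDWIDTH = 100_000_000  # assumed OSPF cost convention: 10^8 / bandwidth_bps
T1 = 1_544_000
LINK_56K = 56_000

# Constructed topology (example data): A reaches E in two hops over 56 kbps
# links, or in three hops over T1 links.
LINKS = [
    ("A", "B", LINK_56K),
    ("B", "E", LINK_56K),
    ("A", "C", T1),
    ("C", "D", T1),
    ("D", "E", T1),
]

# A straight chain R0-R1-...-R16 over T1 links: R16 is 16 hops from R0.
CHAIN = [(f"R{i}", f"R{i + 1}", T1) for i in range(16)]


def build_graph(links):
    """Undirected adjacency map: node -> {neighbour: bandwidth_bps}."""
    g = {}
    for u, v, bw in links:
        g.setdefault(u, {})[v] = bw
        g.setdefault(v, {})[u] = bw
    return g


def rip_tables(graph):
    """Distance-vector (RIP-style) convergence with a hop-count metric.

    Each router repeatedly learns its neighbours' tables and keeps the
    fewest-hop route.  A route that would cost 16 hops is unreachable and
    never enters the table.  Link speed is not consulted at all.
    Returns {router: {destination: (hops, next_hop)}}.
    """
    tables = {r: {r: (0, None)} for r in graph}
    changed = True
    while changed:
        changed = False
        for r in graph:
            for nbr in graph[r]:
                for dst, (hops, _) in list(tables[nbr].items()):
                    cand = min(hops + 1, RIP_INFINITY)
                    cur = tables[r].get(dst, (RIP_INFINITY, None))[0]
                    if cand < cur:
                        tables[r][dst] = (cand, nbr)
                        changed = True
    return tables


def ospf_cost(bw):
    """Link-state cost from bandwidth (assumed 10^8 / bw convention)."""
    return max(1, REF_BANDWIDTH // bw)


def ospf_route(graph, src, dst):
    """Dijkstra over link costs, as a link-state protocol computes a path.

    Returns (total_cost, [src, ..., dst]) or (None, []) if unreachable.
    """
    dist = {src: 0}
    prev = {}
    heap = [(0, src)]
    done = set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue
        done.add(u)
        if u == dst:
            break
        for v, bw in graph[u].items():
            nd = d + ospf_cost(bw)
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        return None, []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


if __name__ == "__main__":
    g = build_graph(LINKS)
    print("RIP  A->E:", rip_tables(g)["A"]["E"])   # (2, 'B'): two 56k hops
    print("OSPF A->E:", ospf_route(g, "A", "E"))   # (192, ['A','C','D','E'])
    chain = build_graph(CHAIN)
    print("RIP  R0->R16 reachable:", "R16" in rip_tables(chain)["R0"])  # False
    print("OSPF R0->R16 cost:", ospf_route(chain, "R0", "R16")[0])      # 1024
```

On the constructed topology RIP sends A's traffic for E over the two 56 kbps hops because two is fewer than three, while the cost-based computation prefers the three T1 hops (cost 192 against 3570). On the chain, R15 is still reachable from R0 under RIP but R16 is not, whereas the link-state computation has no such limit.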
From owner-firewalls-outgoing Wed Jul 2 12:36:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA09686 for firewalls-outgoing; Wed, 2 Jul 1997 12:30:34 -0700 (PDT) Received: from netcomm.NetComm.IE (02-static-a.wokingham.luna.net [195.188.67.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA09643 for ; Wed, 2 Jul 1997 12:30:19 -0700 (PDT) Received: from [129.156.240.33] (kevin-mac [129.156.240.33]) by netcomm.NetComm.IE (8.8.0/8.7) with ESMTP id HAA00359; Wed, 2 Jul 1997 07:21:12 GMT X-Sender: kevinbr@129.156.240.1 Message-Id: In-Reply-To: <3.0.2.32.19970701201820.006a16b0@in.net> References: <3.0.2.32.19970701072514.006a1968@in.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 2 Jul 1997 20:32:02 +0100 To: Frank Willoughby From: Kevin Brown - NetComm Subject: Re: Microsoft plans to offer a firewall Cc: Frank Willoughby , Vin McLellan , firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Frank, No I was not spoofed, but I have discovered that you do not have a sense of humour. ;-> In reality, when banks start to use MS products for Firewalls, I will retire. I was trying to point out that MS can even today snare people into taking actions that are terribly foolish. Would you advise a bank to allow any customer to dial in for bank transactions with NT RAS as the sole form of Authentication for their internal Net? I did not name the bank, it was a JOKE Ha Ha MS, get it.....ah well, I will go back to lurking. NOTICE TO ALL: No you cannot know what bank is doing this, no I will not rob a bank, no I will not speed in my car. Frank, if I were really going to do this, do you really think that I would announce it here? regards, Kevin At 2:18 +0100 2/7/97, Frank Willoughby wrote: >At 01:17 AM 7/2/97 +0100, someone surely spoofed Kevin Brown - NetComm's >mail. > >I'm not quite sure what the first part of your mail was trying to point >out. 
From a security standpoint, your ps was somewhat horrifying. As >it is reasonably certain that M$ will produce a firewall, I'm rather >uncomfortable with your mail's postscript: > >>Kevin >>(ps When Banks use MS Firewalls, I am going over the other side, and then >>retire...I know a bank or two today using NT RAS to authenticate Home Dial >>in Banking......anyone want the Bank Names?) > >Do you mean that: >o You would actually even think of cracking a bank? Perhaps even one of > your own customers? >o You would seriously offer the names of banks with serious security > problems? > >Sorry, but the concept of what you are proposing is foreign to me. >It seems to me that both items in your mail's postscript seem to >be in direct opposition to the goals of InfoSec and what one expects >from a security consultant. No offense, but if I were one of your >customers, I would be *very* nervous right about now. > >Again, your mail was spoofed, right? > >Best Regards, > > >Frank >The opinions of the author of this mail may not necessarily be >representative of the opinions of Fortified Networks, Inc. > >Fortified Networks, Inc. 
- http://www.fortified.com/ >Expert (vendor-neutral) Computer and Network Security Consulting >Phone: (317) 573-0800 Fax: (317) 573-0817 //////////////////////////////////////////////////////////// Kevin Brown | N \ We operate in Ireland, UK NetComm | e / and the Middle East Internet Training, | t \ --DUBAI-- Consultancy and Networking | C / Voice: +971-4-491476 | o \ Fax: +971-4-492957 Sun Microsystems | m / --UK-- Internet Associate | m \ Voice: +44-467-365419 | / Fax: +44-1276-35197 The Internet | \ email: kevinbr@netcomm.ie Experts | / info@netcomm.ie | \ http://www.netcomm.ie \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ From owner-firewalls-outgoing Wed Jul 2 13:04:42 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA11743 for firewalls-outgoing; Wed, 2 Jul 1997 12:44:14 -0700 (PDT) Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA11608 for ; Wed, 2 Jul 1997 12:43:36 -0700 (PDT) Received: (qmail 29622 invoked from smtpd); 2 Jul 1997 19:46:16 -0000 Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 2 Jul 1997 19:46:16 -0000 Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id OAA12129; Wed, 2 Jul 1997 14:46:16 -0500 Received: by sonic.nmti.com; id AA13147; Wed, 2 Jul 1997 14:47:04 -0500 From: peter@baileynm.com (Peter da Silva) Message-Id: <9707021947.AA13147@sonic.nmti.com.nmti.com> Subject: Re: Microsoft plans to offer a firewall To: john@credo.net (John Whittaker) Date: Wed, 2 Jul 1997 14:47:04 -0500 (CDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <3.0.32.19970702093428.00f12830@199.107.168.5> from "John Whittaker" at Jul 2, 97 09:34:30 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From: John Whittaker "CREDO" means "I believe", right? 
I hope you didn't believe this stuff: > fyi - salient points from my conversation with microsoft: > * Microsoft is releasing a new version of Proxy Server. I believe. > * Version 1.0, already offered firewall class security, and has > been in the marketplace since Nov '96. Nope. > * The new version will combine enhanced security and performance. > This has never done before. Oh boy, what does *this* mean? > * Proxy Server 2.0 will be a better alternative to Netscape Proxy > Server and Novell Border Manager They're not comparing it with real firewall packages. > * Extensible firewall security Extensible security? What the hell is "extensible security"? > * Proxy Server 2.0 is an "extensible firewall" platform, which > creates opportunities for 3rd parties to extend and complement Proxy > Server's network security capabilities Oh, it means you can add 3rd party products to reduce the security. From owner-firewalls-outgoing Wed Jul 2 13:21:03 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA07977 for firewalls-outgoing; Wed, 2 Jul 1997 12:14:06 -0700 (PDT) Received: from toadflax.cs.ucdavis.edu (toadflax.cs.ucdavis.edu [128.120.56.188]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id MAA07928 for ; Wed, 2 Jul 1997 12:13:47 -0700 (PDT) Received: from nob (nob.cs.ucdavis.edu) by toadflax.cs.ucdavis.edu (4.1/UCD.CS.2.6) id AA28831; Wed, 2 Jul 97 12:16:08 PDT Received: by nob (SMI-8.6/UCDCS.SECLAB.Solaris2-2.0) id MAA20825; Wed, 2 Jul 1997 12:15:54 -0700 Date: Wed, 2 Jul 1997 12:15:54 -0700 From: bishop@cs.ucdavis.edu (Matt Bishop) Message-Id: <199707021915.MAA20825@nob> To: firewalls@greatcircle.com Subject: CFP: 1998 SNDSS (updated; last reminder!) 
Sender: firewalls-owner@GreatCircle.COM Precedence: bulk CALL FOR PAPERS The Internet Society Symposium on Network and Distributed System Security Where: Catamaran Resort, San Diego, California When: March 11-13, 1998 GOAL: The symposium will foster information exchange between hardware and software developers of network and distributed system security services. The intended audience is those who are interested in the practical aspects of network and distributed system security, focusing on actual system design and implementation, rather than theory. Encouraging and enabling the Internet community to apply, deploy, and advance the state of available security technology is the major focus of symposium. Symposium proceedings will be published by the Internet Society. Topics for the symposium include, but are not limited to, the following: * Architectures for large-scale, heterogeneous distributed systems * Security in malleable systems: mobile code, mobile agents, dynamic policy updates, etc. * Special problems: e.g. interplay between security goals and other goals -- efficiency, reliability, interoperability, resource sharing, and cost. * Integrating security services with system and application security facilities and with application protocols, including message handling, file transport, remote file access, directories, time synchronization, data base management, routing, voice and video multicast, network management, boot services, and mobile computing. * Fundamental services: authentication, integrity, confidentiality, authorization, non-repudiation, and availability. * Supporting mechanisms and APIs: key management and certification infrastructures, audit, and intrusion detection. * Telecommunications security, especially for emerging technologies -- very large systems like the Internet, high-speed systems like the gigabit testbeds, wireless systems, and personal communication systems. 
* Controls: firewalls, packet filters, application gateways * Object security and security objects * Network information resources and tools such as World Wide Web (WWW), Gopher, Archie, and WAIS. * Electronic commerce: payment services, fee-for-access, EDI, notary; endorsement, licensing, bonding, and other forms of assurance; intellectual property protections GENERAL CHAIR: David Balenson, Trusted Information Systems PROGRAM CHAIRS: Matt Bishop, University of California at Davis Steve Kent, BBN PROGRAM COMMITTEE: Steve Bellovin, AT&T Labs -- Research Doug Engert, Argonne National Laboratories Warwick Ford, VeriSign Li Gong, JavaSoft Rich Graveman, Bellcore Ari Juels, RSA Laboratories Tom Longstaff, CERT/CC Doug Maughan, National Security Agency Dan Nessett, 3Com Corporation Rich Parker, NATO Michael Roe, Cambridge University Rob Rosenthal, DARPA Wolfgang Schneider, GMD Darmstadt Christoph Schuba, Purdue University Win Treese, Open Market, Inc. Jonathan Trostle, Novell Gene Tsudik, USC/Information Sciences Institute Steve Welke, Institute for Defense Analyses LOCAL ARRANGEMENTS CHAIR: Thomas Hutton, San Diego Supercomputer Center PUBLICATIONS CHAIR: Steve Welke, Institute for Defense Analyses LOGISTICS CHAIR: Torryn Brazell, Internet Society SUBMISSIONS: The committee invites technical papers and panel proposals, for topics of technical and general interest. Technical papers should be 10-20 pages in length. Panel proposals should be two pages and should describe the topic, identify the panel chair, explain the format of the panel, and list three to four potential panelists. Technical papers will appear in the proceedings. A description of each panel will appear in the proceedings, and may at the discretion of the panel chair, include written position statements from each panelist. 
Each submission must contain a separate title page with the type of submission (paper or panel), the title or topic, the names of the author(s), organizational affiliation(s), telephone and FAX numbers, postal addresses, Internet electronic mail addresses, and must list a single point of contact if more than one author. The names of authors, affiliations, and other identifying information should appear only on the separate title page. Submissions must be received by 1 August 1997, and should be made via electronic mail in either PostScript or ASCII format. If the committee is unable to print a PostScript submission, it will be returned and hardcopy requested. Therefore, PostScript submissions should arrive well before 1 August. If electronic submission is difficult, submissions should be sent via postal mail. All submissions and program related correspondence (only) should be directed to the program chair: Matt Bishop, Department of Computer Science, University of California at Davis, Davis CA 95616-8562, Email: sndss98-submissions@cs.ucdavis.edu. Phone: +1 (916) 752-8060, FAX: +1 (916) 752-4767. Dates, final call for papers, advance program, and registration information will be available at the URL: http://www.isoc.org/conferences/ndss98. Each submission will be acknowledged by e-mail. If acknowledgment is not received within seven days, please contact the program chair as indicated above. Authors and panelists will be notified of acceptance by 1 October 1997. Instructions for preparing camera-ready copy for the proceedings will be sent at that time. The camera-ready copy must be received by 1 November 1997. 
From owner-firewalls-outgoing Wed Jul 2 13:49:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA15925 for firewalls-outgoing; Wed, 2 Jul 1997 13:15:26 -0700 (PDT) Received: from mail.credo.net (mail.noc.credo.net [199.107.168.7]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA15916 for ; Wed, 2 Jul 1997 13:15:20 -0700 (PDT) Received: from darkstar.noc.credo.net (darkstar.noc.credo.net [199.107.168.9]) by mail.credo.net (8.8.5/8.7.3) with SMTP id NAA12470; Wed, 2 Jul 1997 13:17:48 -0700 (PDT) Message-Id: <3.0.32.19970702131425.00a68bb0@199.107.168.5> Received: from john.credo.net ([199.107.169.3]) by darkstar.noc.credo.net via smtpd (for mail.noc.credo.net [199.107.168.5]) with SMTP; 2 Jul 1997 20:16:46 UT X-Sender: john@199.107.168.5 X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Wed, 02 Jul 1997 13:14:28 -0700 To: peter@baileynm.com (Peter da Silva) From: John Whittaker Subject: Re: Microsoft plans to offer a firewall Cc: firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk um. actually this was just for the list's benefit. i thought that it would be best to know exactly what microsoft had in mind...or at least was saying that they had in mind, rather than the i heard this from a friend thing. whether or not i believe microsoft is not really pertinent to this list. john. At 02:47 PM 7/2/97 -0500, you wrote: >> From: John Whittaker > >"CREDO" means "I believe", right? I hope you didn't believe this stuff: > >> fyi - salient points from my conversation with microsoft: > >> * Microsoft is releasing a new version of Proxy Server. > >I believe. > >> * Version 1.0, already offered firewall class security, and has >> been in the marketplace since Nov '96. > >Nope. > >> * The new version will combine enhanced security and performance. >> This has never done before. > >Oh boy, what does *this* mean? 
> >> * Proxy Server 2.0 will be a better alternative to Netscape Proxy >> Server and Novell Border Manager > >They're not comparing it with real firewall packages. > >> * Extensible firewall security > >Extensible security? What the hell is "extensible security"? > >> * Proxy Server 2.0 is an "extensible firewall" platform, which >> creates opportunities for 3rd parties to extend and complement Proxy >> Server's network security capabilities > >Oh, it means you can add 3rd party products to reduce the security. > > From owner-firewalls-outgoing Wed Jul 2 13:50:18 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA16445 for firewalls-outgoing; Wed, 2 Jul 1997 13:19:33 -0700 (PDT) Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA16438 for ; Wed, 2 Jul 1997 13:19:26 -0700 (PDT) Received: from big-dawgs.cisco.com (herndon-dhcp-109.cisco.com [171.68.53.109]) by lint.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id NAA15164; Wed, 2 Jul 1997 13:21:46 -0700 (PDT) Message-Id: <3.0.1.32.19970702162144.006bf030@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Wed, 02 Jul 1997 16:21:44 -0400 To: "Kelly E. Gibbs" From: Paul Ferguson Subject: Re: RIP vs. OSPF Cc: firewalls@GreatCircle.COM In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 08:51 AM 07/02/97 -0700, Kelly E. Gibbs wrote: > >Would it be a fair statement that OSPF is now the chosen protocol over RIP? I'm not sure what you mean by "chosen," but I would suggest that it [ospf] is much more preferable over any classful routing protocol, especially RIP. 
I would also suggest reading: RFC1923, "RIPv1 Applicability Statement for Historic Status," http://www.internic.net/rfc/rfc1923.txt >If so, could someone offer any comment on why and which do you think will >be the more dominate protocol in the future? > Classless routing protocols, of course. - paul >Thanks, >Kelly > -- Paul Ferguson || || Consulting Engineering || || Herndon, Virginia USA |||| |||| tel: +1.703.397.5938 ..:||||||:..:||||||:.. e-mail: pferguso@cisco.com c i s c o S y s t e m s From owner-firewalls-outgoing Wed Jul 2 13:51:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA11488 for firewalls-outgoing; Wed, 2 Jul 1997 12:43:10 -0700 (PDT) Received: from smartwall.v-one.com (smartwall.v-one.com [206.205.89.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA11440 for ; Wed, 2 Jul 1997 12:42:54 -0700 (PDT) Received: by smartwall.v-one.com; id PAA01425; Wed, 2 Jul 1997 15:45:41 -0400 (EDT) Received: from nt-fs1.v-one.com(198.69.135.3) by smartwall.v-one.com via smap (3.2) id xma001419; Wed, 2 Jul 97 15:45:29 -0400 Received: by nt-fs1.V-ONE.COM with Internet Mail Service (5.0.1457.3) id ; Wed, 2 Jul 1997 15:54:00 -0400 Message-ID: From: "McMahan, Peg" To: "'Adam Shostack'" , bonomi@delta.ece.nwu.edu Cc: firewalls@GreatCircle.COM Subject: RE: Remote management of firewalls internationally Date: Wed, 2 Jul 1997 15:53:58 -0400 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Simple solution: If remote administration is a necessary component, buy a firewall that has the functionality to it. One has to understand, however, that there is always the possibility of problems that absolutely require a user at the console. If considerations aren't made for incidents in which user intervention is required, then you have to rethink things. 
It's all well and good to have remote admin, it's a nice feature.... however it is silly to think that you can rely on it in all situations. Adam, you make a good point. Our support staff has been receiving a good number of calls lately from people whose firewalls got messed up during recent severe storms... It's no fun explaining to a person that they can't reach their firewall remotely if it's sitting in a closet in a remote location, at a single user prompt needing to be fsck'd because the UPS didn't last as long as the power outage did. > -----Original Message----- > From: Adam Shostack [SMTP:adam@homeport.org] > Sent: Wednesday, July 02, 1997 7:18 AM > To: bonomi@delta.ece.nwu.edu > Cc: firewalls@GreatCircle.COM > Subject: Re: Remote management of firewalls internationally > > Robert Bonomi wrote: > > | Or, if you can't change configuration without taking it down to > | 'single user'? > > | A solution: > | > | This takes -two- firewall machines, and a 'secure server' behind > each one. > | you run a secure, encrypted, channel from the management location to > either > | 'secure server', as needed. The 'secure server' connects, via > _serial_ port, > | to the *other* firewall box's console port. > > And when both machines foobar due to AC failing, followed by > power failing? Can you accept 24 hours of downtime? And UPSs fail as > well. Remember what happened to BBNPlanet's Stanford facility. > | > | A less expensive solution is to have someone _local_, > _who_speaks_the_same_ > | _language_ (*fluently*!) as support -staff-, who can be called on to > play > | "voice actuated terminal", for those occasions where 'secure remote > access > | _through_ the box' fails. This person merely needs the ability to > follow > | directions _precisely_, and observe and report *accurately*. The > risk here > | is mostly an added exposure to a 'social engineering' attack. 
> > But you also have someone who can go by to check on the > physical security and integrity of your location. I would not run a > firewall without a unix sysadmin type with a few brain cells within a > reasonable transit distance. If you've got office space in the area, > you've got people. If you don't have office space in the area, why > are you deploying security tools there? > > Adam > > -- > "It is seldom that liberty of any kind is lost all at once." > -Hume > From owner-firewalls-outgoing Wed Jul 2 14:21:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA18913 for firewalls-outgoing; Wed, 2 Jul 1997 14:04:55 -0700 (PDT) Received: from bolchile.cl (borderware.bolchile.cl [200.29.35.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA18906 for ; Wed, 2 Jul 1997 14:04:44 -0700 (PDT) Received: by borderware.bolchile.cl via suspension id <20577>; Wed, 2 Jul 1997 17:19:18 -0400 Received: from getsadmin ([200.9.215.55]) by borderware.bolchile.cl with SMTP id <20575>; Wed, 2 Jul 1997 17:17:52 -0400 Message-ID: <33BAC277.3CBF@bolchile.cl> Date: Wed, 2 Jul 1997 17:04:55 -0400 From: "Raul Navarro G." Organization: Bolsa Electronica de Chile X-Mailer: Mozilla 3.0 (X11; I; SunOS 5.4 sun4m) MIME-Version: 1.0 To: "Firewall_greatcircle.com" Subject: messages log , Could be attack ? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk 1) Help me please, what is the meaning of these messages in the messages log? Is there an attack to stop TCP/IP services? What do I need to do to know whether it is an attack? Could it be a problem in my configuration? I didn't change anything in the last months. 
These messages have repeated for more than 3 days:

May 31 04:11:21 www inetd[115]: pop3/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: imap/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: chargen/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: daytime/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: discard/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: echo/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: time/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: finger/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: uucp/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: exec/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: login/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: shell/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: telnet/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: ftp/tcp: bind: Address already in use

2) What are the following messages in netstat?

0 usr2-dialup57.Denver.mci.net.2820 8760 0 8760 0 TIME_WAIT

The local address is 0? Can that be? Muchas Gracias Raul Navarro G. 
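A way to triage a burst of syslog lines like the ones Raul quotes, as an added example that is not part of any message in this thread. The key observation is that bind() fails with "Address already in use" (EADDRINUSE) only because another socket on the same host already holds that port; it is not something a remote host can send you. One inetd process failing to bind every configured service in the same second therefore points at a local duplicate listener (the classic case being a second copy of inetd already running), not at a network attack. The sample log below is constructed from a few of the quoted lines plus one unrelated line, and the thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (example data, not the poster's full log): three
# of the quoted lines, the same failure a day later, and an unrelated
# sendmail line to show that the filter ignores it.  'inetd[115]' is the
# pid from the quoted message.
SAMPLE_LOG = """\
May 31 04:11:21 www inetd[115]: pop3/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: telnet/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: ftp/tcp: bind: Address already in use
Jun  1 04:11:22 www inetd[115]: ftp/tcp: bind: Address already in use
Jun  1 09:30:02 www sendmail[2201]: NOQUEUE: connection refused
"""

# BSD-style syslog line: "Mon dd hh:mm:ss host inetd[pid]: svc/proto: bind: ..."
BIND_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"inetd\[(?P<pid>\d+)\]: (?P<svc>[\w-]+)/(?P<proto>tcp|udp): "
    r"bind: Address already in use$"
)


def parse_bind_failures(text):
    """Extract every inetd bind() EADDRINUSE line as a dict of fields."""
    events = []
    for line in text.splitlines():
        m = BIND_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def group_bursts(events):
    """Group failures that one inetd pid logged in the same second.

    Key: (host, pid, timestamp) -> sorted list of 'service/proto'.
    """
    bursts = defaultdict(list)
    for e in events:
        bursts[(e["host"], e["pid"], e["ts"])].append(f"{e['svc']}/{e['proto']}")
    return {k: sorted(v) for k, v in bursts.items()}


def classify(events, wide=3):
    """Verdict on a batch of bind failures.

    EADDRINUSE from bind() means a socket on this host already owns the
    port; a remote peer cannot cause it.  A burst in which one inetd
    fails to bind `wide` or more services in the same second is read as
    ports already held locally (e.g. a second inetd still running), a
    local configuration/daemon problem rather than a network attack.
    The threshold `wide` is an assumption for this example.
    """
    bursts = group_bursts(events)
    wide_bursts = [k for k, svcs in bursts.items() if len(svcs) >= wide]
    if wide_bursts:
        verdict = "ports-already-held-locally"
    elif events:
        verdict = "inconclusive"
    else:
        verdict = "no-bind-failures"
    return {
        "verdict": verdict,
        "pids": sorted({e["pid"] for e in events}),
        "bursts": len(bursts),
        "wide_bursts": len(wide_bursts),
        "services": sorted({f"{e['svc']}/{e['proto']}" for e in events}),
    }


if __name__ == "__main__":
    evs = parse_bind_failures(SAMPLE_LOG)
    for key, svcs in group_bursts(evs).items():
        print(key, svcs)
    print(classify(evs))
```

On a host where you have a shell, the follow-up check is to list the processes named inetd and to look at which process is listening on the affected ports; if two inetd processes are present, the older one already owns the ports and the newer one is the one logging the failures. That check is general Unix advice and not specific to the firewall product the poster is using.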
From owner-firewalls-outgoing Wed Jul 2 14:41:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA20548 for firewalls-outgoing; Wed, 2 Jul 1997 14:32:41 -0700 (PDT) Received: from braila.iiruc.ro (braila.iiruc.ro [193.226.145.209]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA20541 for ; Wed, 2 Jul 1997 14:32:29 -0700 (PDT) Received: from ppp01-braila.iiruc.ro by braila.iiruc.ro id aa16207; 3 Jul 97 0:31 EETDST Message-ID: <33BB2697.35B0@geocities.com> Date: Wed, 02 Jul 1997 21:12:08 -0700 From: Gabriel Dura Reply-To: dura@geocities.com X-Mailer: Mozilla 3.01Gold (Win16; I) MIME-Version: 1.0 To: Joe Pollock CC: firewalls@greatcircle.com Subject: ICQ messaging system (was Re: ICQ network) References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk One observation about ICQ messaging... Sending a message to a user can be done in two ways: - using WWW pager (see http://www.mirabilis.com) - using the send message feature from the ICQ program. The WWW pager procedure is done using a form. Sending the message is done using a GET method. The GET method has a limited number of characters that can be sent. Well, the messaging feature of the main program supports the same number of characters as the GET method. This leads me to the idea that they are actually using their CGI scripts for this. I think someone should verify this. I don't have the means to do that here... Hope it helps, Gabriel Joe Pollock wrote: > > One of my users sent me a spam message concerning the ICQ ("I Seek You") > Network, which claims to reduce an individual's Net identity to a single > number, announce to others when the individual is on-line, spawn IRC, > Internet Phone, email, video, etc. on command ... the list goes on and on. 
> > Here's the URL: > > http://www.mirabilis.com > > I found the site sadly lacking in technical detail (suprise, suprise > :-). The package you download is a beta release of a soon-to-be > commercial application. > > Anyone got any hard technical details to supply? I can hardly wait for > my users to start lobbying for something like this. > > Joe Pollock > The Evergreen State College > Olympia, WA 98505 From owner-firewalls-outgoing Wed Jul 2 15:20:01 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA23203 for firewalls-outgoing; Wed, 2 Jul 1997 14:52:47 -0700 (PDT) Received: from dns2.infocom.etecsa.cu (infocom.etecsa.cu [169.158.64.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA23141 for ; Wed, 2 Jul 1997 14:52:23 -0700 (PDT) Received: by dns2.infocom.etecsa.cu (Smail3.1.28.1 #3) id m0wjXMd-0009FAC; Wed, 2 Jul 97 17:55 EDT Received: from manati.in.etecsa.cu by mail.infocom.etecsa.cu with SMTP id XXXXXXXX-Xa00976; Wed, 02 Jul 97 17:55 EDT Received: by manati.in.etecsa.cu (Smail3.1.28.1 #3) id m0wjXMc-0003UWC; Wed, 2 Jul 97 17:55 EDT Message-Id: To: firewalls@greatcircle.com Date: Wed, 2 Jul 1997 17:55:01 -0400 (EDT) From: Asley Lugo Avila X-Mailer: ELM [version 2.4 PL13] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk remove From owner-firewalls-outgoing Wed Jul 2 15:35:43 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA23505 for firewalls-outgoing; Wed, 2 Jul 1997 14:56:50 -0700 (PDT) Received: from polaris.pacificnet.net (polaris.pacificnet.net [207.171.0.250]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA23496 for ; Wed, 2 Jul 1997 14:56:34 -0700 (PDT) Received: from default (pm14-7.pacificnet.net [207.171.10.40]) by polaris.pacificnet.net (8.8.5/8.8.5) with SMTP id OAA14800; Wed, 2 Jul 1997 14:50:03 -0700 (PDT) Message-ID: 
<33BAD0BD.4399@pacificnet.net> Date: Wed, 02 Jul 1997 15:05:49 -0700 From: "osiris@pacificnet.net" Reply-To: osiris@pacificnet.net X-Mailer: Mozilla 3.01 (Win95; I) MIME-Version: 1.0 To: "Kelly E. Gibbs" CC: Anton J Aylward , firewalls@GreatCircle.COM Subject: Re: Microsoft plans to offer a firewall References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Kelly E. Gibbs wrote: > > > Throughout M$'s wonderful climb to dominate the world, where's the > Justice Department? I wonder if Janet Reno uses '95? Wonder if she owned > share's of Apple stock in the past? Ahhh...there are other possibilities. Here's the most likely: A. The folks in the Antitrust division are cowards; or B. Their lawyers (DOJ) don't understand Antitrust law enough to pull it off. In my opinion, it's probably a bit of both. Either that, or they are closet Bork-ists up there. Bork has a rather novel view about Antitrust (one that is not entirely unsupported). To get a taste of that view (any DOJ personnel on this list?) try "The Antitrust Paradox: A Policy at War with Itself." (ISBN: 0-02-904455-3.) But, that's academic, because the DOJ - for whatever reason - has failed (and will continue to fail) in challenging M$. From owner-firewalls-outgoing Wed Jul 2 15:49:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA24978 for firewalls-outgoing; Wed, 2 Jul 1997 15:15:17 -0700 (PDT) Received: from oxygen.house.gov (oxygen.house.gov [137.18.128.6]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id PAA24969 for ; Wed, 2 Jul 1997 15:15:10 -0700 (PDT) Received: by oxygen.house.gov (AIX 3.2/UCB 5.64/4.03) id AA39947; Wed, 2 Jul 1997 18:13:38 -0400 Date: Wed, 2 Jul 1997 18:13:38 -0400 From: johns@oxygen.house.gov (John Schnizlein) Message-Id: <9707022213.AA39947@oxygen.house.gov> To: firewalls@greatcircle.com, kgibbs@best.com Subject: Re: RIP vs. 
OSPF Sender: firewalls-owner@GreatCircle.COM Precedence: bulk | From: "Kelly E. Gibbs" | Subject: RIP vs. OSPF | Mime-Version: 1.0 | Sender: firewalls-owner@GreatCircle.COM | | Would it be a fair statement that OSPF is now the chosen protocol over RIP? | If so, could someone offer any comment on why and which do you think will | be the more dominate protocol in the future? Enough problems with RIP caused people to create RIP-2. To quote from RFC 2200,the INTERNET OFFICIAL PROTOCOL STANDARDS: RIP -- The Routing Information Protocol (RIP) is widely implemented and used in the Internet. However, both implementors and users should be aware that RIP has some serious technical limitations as a routing protocol. The IETF is currently devpeloping several candidates for a new standard "open" routing protocol with better properties than RIP. The IAB urges the Internet community to track these developments, and to implement the new protocol when it is standardized; improved Internet service will result for many users. The worst thing about RIP is the large number of host computers configured to listen to RIP rather than use an appropriate router discovery protocol This is relevant to firewalls (it needed a hook, didn't it? :-) because of the obvious threat to the security of a host if a bad-guy sends it false route information that gets the packet stream sent to a host involved in spoofing. The best solution for security purposes is to (hard) configure the default router into your host computers. Unfortunately, this is not the most robust configuration against network failure because it locks the host into a single path when multiple (valid) routers may be available. 
From owner-firewalls-outgoing Wed Jul 2 15:49:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA22983 for firewalls-outgoing; Wed, 2 Jul 1997 14:50:45 -0700 (PDT)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id OAA22968 for ; Wed, 2 Jul 1997 14:50:29 -0700 (PDT)
Received: from pm1-12.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA16743; Wed, 2 Jul 97 16:52:16 -0400
Message-Id: <3.0.2.32.19970702165231.006a79bc@in.net>
X-Sender: frankw@in.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.2 (32)
Date: Wed, 02 Jul 1997 16:52:31 -0500
To: Kevin Brown - NetComm
From: Frank Willoughby
Subject: Re: Microsoft plans to offer a firewall
Cc: Frank Willoughby , Frank Willoughby , Vin McLellan , firewalls@GreatCircle.COM
In-Reply-To:
References: <3.0.2.32.19970701201820.006a16b0@in.net> <3.0.2.32.19970701072514.006a1968@in.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 08:32 PM 7/2/97 +0100, Kevin Brown - NetComm wrote:
>Frank,
>
>No I was not spoofed, but I have discovered that you do not have a sense of
>humour. ;->

Sure I do. My puns are infamous. 8^)

>I was trying to point out that MS can even today, snare people into taking
>actions that are terribly foolish. Would you advise a bank to allow any
>customer to dial in for bank transactions with NT RAS as the sole form of
>Authentication for their internal Net?

No on both counts. I wouldn't recommend that their customers use any authentication-only mechanism for dial-in bank transactions. Nor would I allow any inbound connection to terminate on their internal network.

As anyone who has audited a bank can tell you, banks are notoriously insecure. Many (most?) banks are still using antiquated (and insecure) technologies to secure customer dial-in bank transactions.

I recommended one solution to secure customer dial-in banking to an out-of-country bank. It was my understanding that this was going to be a competitive advantage for their bank over other banks in the area. It'd be nice if other banks followed suit.

Best Regards,

Frank

The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc.

Fortified Networks, Inc. - http://www.fortified.com/
Expert (vendor-neutral) Computer and Network Security Consulting
Phone: (317) 573-0800 Fax: (317) 573-0817

From owner-firewalls-outgoing Wed Jul 2 17:30:47 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA04953 for firewalls-outgoing; Wed, 2 Jul 1997 16:36:47 -0700 (PDT)
Received: from fw001.smb.com (fw001.smb.com [207.24.83.200]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id QAA04918 for ; Wed, 2 Jul 1997 16:36:34 -0700 (PDT)
Received: from sbmail.smb.com ([168.109.12.15]) by fw001.smb.com (8.8.5/InetRelay-1.10) with ESMTP id TAA16273 for ; Wed, 2 Jul 1997 19:39:17 -0400 (EDT)
Received: from ccmentgate.corp.smb.com (ccmentgate.corp.smb.com [146.128.253.21]) by sbmail.smb.com (8.8.5/CMTF-Mailrelay-1.18) with SMTP id TAA04591 for ; Wed, 2 Jul 1997 19:39:16 -0400 (EDT)
Received: from ccMail by ccmentgate.corp.smb.com (ccMail Link to SMTP R6.01.00 BETA) id AA867886924; Wed, 02 Jul 97 19:42:07 -0500
Message-Id: <9707028678.AA867886924@ccmentgate.corp.smb.com>
X-Mailer: ccMail Link to SMTP R6.01.00 BETA
Date: Wed, 02 Jul 97 19:35:33 -0500
From: "Dustin Goodwin"
To:
Subject: Labs that will do firewall performance testing.
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Looking for a commercial lab that will do on-request, for-money testing of specific firewalls. We are interested in performance testing, not penetration testing.

- Dustin -

From owner-firewalls-outgoing Wed Jul 2 17:35:31 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA09524 for firewalls-outgoing; Wed, 2 Jul 1997 17:08:19 -0700 (PDT)
Received: from netcom4.netcom.com (netcom4.netcom.com [192.100.81.107]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id RAA09517 for ; Wed, 2 Jul 1997 17:08:13 -0700 (PDT)
Received: (from pomeranz@localhost) by netcom4.netcom.com (8.6.13/Netcom) id RAA17784; Wed, 2 Jul 1997 17:10:58 -0700
Message-Id: <199707030010.RAA17784@netcom4.netcom.com>
From: pomeranz@netcom.com (Hal Pomeranz)
Date: Wed, 2 Jul 1997 17:10:58 PDT
In-Reply-To: johns@oxygen.house.gov (John Schnizlein) "Re: RIP vs. OSPF" (Jul 2, 6:13pm)
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
To: johns@oxygen.house.gov (John Schnizlein), firewalls@GreatCircle.COM, kgibbs@best.com
Subject: Re: RIP vs. OSPF
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

RIP has terrible convergence problems on very meshy networks-- routes may never stabilize if you lose a critical device. RIP doesn't support variable-length subnets either, though I gather this is coming in RIP-2.

On the other hand, OSPF is a _pig_ on core routers in large networks. There are also interoperability problems still lurking between Cisco and Bay in my experience. Is anybody still running mixed-vendor network fabrics, though?

On Jul 2, 6:13pm, John Schnizlein wrote:
} The best solution for security purposes is to (hard) configure the default
} router into your host computers. Unfortunately, this is not the most robust
} configuration against network failure because it locks the host into a single
} path when multiple (valid) routers may be available.

See also Cisco's HSRP (Hot Standby Routing Protocol) which enables two routers to back each other up by sharing an IP address (which you then configure as default on your hosts). Also IRDP, or whatever they're calling it these days.

Hal Pomeranz, Principal
Deer Run Associates
hal@deer-run.com
Network Connectivity and Security, Systems Management, Training

From owner-firewalls-outgoing Wed Jul 2 17:52:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA11888 for firewalls-outgoing; Wed, 2 Jul 1997 17:38:11 -0700 (PDT)
Received: from kani.wwa.com (kani.wwa.com [198.49.174.58]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id RAA11880 for ; Wed, 2 Jul 1997 17:38:05 -0700 (PDT)
Received: from nicorinc.com/smtp.nicorenergy.com [207.241.20.98] by kani.wwa.com with smtp (Smail3.2.WWA) id m0wjZwm-003o2PC; Wed, 2 Jul 1997 19:40:35 -0500 (CDT)
Received: from DOMAINGO-Message_Server by nicorinc.com with Novell_GroupWise; Wed, 02 Jul 1997 19:40:32 -0500
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Wed, 02 Jul 1997 19:40:15 -0500
From: LARRY HUNKA
Reply-To: LHunka@nicorinc.com
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V6 #312 -Reply
Mime-Version: 1.0
Content-Type: text/plain
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'll be out of the office until 7/7/97. I'll respond at that time...
From owner-firewalls-outgoing Wed Jul 2 18:22:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA12893 for firewalls-outgoing; Wed, 2 Jul 1997 17:53:12 -0700 (PDT)
Received: from topgun.asiapac.net (topgun.asiapac.net [202.188.0.106]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA12866 for ; Wed, 2 Jul 1997 17:52:58 -0700 (PDT)
Received: from topgun ([202.188.0.106]) by topgun.asiapac.net (Netscape Mail Server v2.0) with SMTP id AAA2344 for ; Thu, 3 Jul 1997 08:53:34 +0800
Date: Thu, 3 Jul 1997 08:53:34 +0800 (SGT)
From: Swee-Chuan Khoo
X-Sender: sckhoo@topgun
To: Firewalls@GreatCircle.COM
Subject: malaysia - check point
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

hi,

well, as a system integration company in malaysia dealing with internet connectivity and security, i can make some comment here. no boycott of check point here. we have already sold quite a few copies here ourselves and local sun is promoting it well.

FYI.
From owner-firewalls-outgoing Wed Jul 2 18:33:59 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA11118 for firewalls-outgoing; Wed, 2 Jul 1997 17:27:16 -0700 (PDT)
Received: from emout14.mail.aol.com (emout14.mx.aol.com [198.81.11.40]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA11103 for ; Wed, 2 Jul 1997 17:27:10 -0700 (PDT)
From: Visionprof@aol.com
Received: (from root@localhost) by emout14.mail.aol.com (8.7.6/8.7.3/AOL-2.0.0) id UAA26963; Wed, 2 Jul 1997 20:29:26 -0400 (EDT)
Date: Wed, 2 Jul 1997 20:29:26 -0400 (EDT)
Message-ID: <970702202926_408997317@emout14.mail.aol.com>
To: firewalls@greatcircle.com
cc: Kevin.Brown@netcomm.ie
Subject: Re: Microsoft plans to offer a firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 7/2/97 Kevin wrote:

>>(ps When Banks use MS Firewalls, I am going over the other side, and then
>>retire...I know a bank or two today using NT RAS to authenticate Home Dial
>>in Banking......anyone want the Bank Names?)

I know of several myself....I tried to convince one such place not to go with MS NT as a firewall and internet server and lost my job over it. I don't believe how many organizations are blinded by MS Marketing.....it's the blinder leading the blind. Give me a UNIX box anyday!!!!!

>>Can anyone explain how we let this happen.

This one is easy. Mr. Gates said so. Let's all turn toward Redmond, Washington and bow.

Tom Giudice
Operating Systems Consultant
Email: visionprof@aol.com
Web Site: Vision Professional Services

The comments here are mine alone and not those of the firm I own.
From owner-firewalls-outgoing Wed Jul 2 19:49:41 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA28032 for firewalls-outgoing; Wed, 2 Jul 1997 19:16:57 -0700 (PDT)
Received: from alpha2.curtin.edu.au (alpha2.curtin.edu.au [134.7.70.20]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA27886 for ; Wed, 2 Jul 1997 19:16:22 -0700 (PDT)
Received: from rara32.curtin.edu.au (rara32.curtin.edu.au) by alpha2.curtin.edu.au (PMDF V5.0-6 #7809) id <01IKSOTJIJYOBB7KI5@alpha2.curtin.edu.au> for firewalls@GreatCircle.COM; Thu, 03 Jul 1997 10:21:33 +0800
Date: Thu, 03 Jul 1997 10:20:59 +0800
From: Bret Watson
Subject: Re: Microsoft plans to offer a firewall
In-reply-to:
X-Sender: climbing@skuld.cage.curtin.edu.au
To: firewalls@GreatCircle.COM
Message-id:
MIME-version: 1.0
Content-type: text/plain; charset="us-ascii"
Content-transfer-encoding: 7BIT
References: <3.0.32.19970702080847.007b15d0@the-wire.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My 2c worth.

I'm sure M$ will really be buying a firewall company. I cannot believe that a software company who appear not to know about formal method design could even build a secure firewall.

Sorry to Paul et al at M$ who seem to be working hard to ensure the security reputation of NT, but I have not seen many major OS vendors who have a good firewall - the two just don't seem to mix.

The problem? fancy graphics and user functions have no place in a server platform - if you've used memphis you'll understand where NT is going...

Cheers,

Bret

Bret Watson & Associates, Computer Security Consultants
Bret.Watson@bwa.net
http://www.bwa.net/
Phone: +61 41 4411 149 (local time UTC +8)
Fax: +61 8 9454 6042

From owner-firewalls-outgoing Wed Jul 2 20:24:24 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA13076 for firewalls-outgoing; Wed, 2 Jul 1997 17:56:09 -0700 (PDT)
Received: from relay3.jaring.my (relay3.jaring.my [192.228.128.13]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id RAA13033 for ; Wed, 2 Jul 1997 17:55:50 -0700 (PDT)
Received: from extol.extol.my (j20.ptl42.jaring.my [161.142.116.34]) by relay3.jaring.my (8.6.13/8.6.12) with ESMTP id IAA19964; Thu, 3 Jul 1997 08:58:14 +0800
Message-ID: <33BAFB69.C64E4C4A@pc.jaring.my>
Date: Thu, 03 Jul 1997 08:07:53 +0700
From: Peng Chiew
X-Mailer: Mozilla 4.0 [en] (Win95; I)
MIME-Version: 1.0
To: "PONNIAH S/O P.RAMAIAH"
CC: palan@dataprep.com.my, philb@thejudge.Corp.Sun.COM, firewalls@GreatCircle.COM, SITI_ZALEHA@klse.com.my
Subject: Re: No Malaysian Boycott!! Who's laughing now?
X-Priority: 3 (Normal)
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

PONNIAH S/O P.RAMAIAH wrote:
> I agree with Palan's opinion on the Firewall-1 issue. Malaysia is not
> that extremist as claimed by Mr.PHILB.
>
> >Contrary to what Palan was claiming in re the brouhaha over boycotts of
> >Checkpoint's FireWall-1, the boycott is clearly alive and well in Malaysia.
> >Here is a recent email to me from someone in Sun's field marketing
> >organization.

Let me repeat. There is ONLY an unofficial stand by the Malaysian Govt; applicable to Govt Depts.... that Israelite products CAN, REPEAT, CAN be purchased IF there is no other alternative.

Second, private commercial companies can purchase products from Israel. Those familiar with crypto products would have heard of Algorithmic Research. It is an Israelite company that sells crypto products. Two banks in Malaysia are already using it for some time; say about 2 years.

There is no, repeat, NO boycott of Israelite products. I ought to know, my employer sells them ;)

Anyway the "recent email" was more of a question seeking confirmation rather than a statement.

Any more Malaysian bashing? We've been severely criticised in the cypherpunks mailing before, so this is not something new.

This has taken up sufficient bandwidth and I believe that this has gone out of topic. Shall we offline it and discuss in private?

thanks.
peng-chiew.

From owner-firewalls-outgoing Wed Jul 2 20:34:12 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA11293 for firewalls-outgoing; Wed, 2 Jul 1997 20:15:42 -0700 (PDT)
Received: from meretrix.com (dirty.meretrix.com [207.42.198.17]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA11232 for ; Wed, 2 Jul 1997 20:15:28 -0700 (PDT)
Received: from kiri.meretrix.com (kiri.meretrix.com [207.42.198.18]) by meretrix.com (8.8.5/8.7.3) with ESMTP id FAA28181 for ; Thu, 3 Jul 1997 05:18:10 -0400 (EDT)
Received: from kiri.meretrix.com (localhost.meretrix.com [127.0.0.1]) by kiri.meretrix.com (8.8.5/8.8.4) with ESMTP id XAA11240 for ; Wed, 2 Jul 1997 23:18:13 -0400 (EDT)
Message-Id: <199707030318.XAA11240@kiri.meretrix.com>
To: firewalls@GreatCircle.COM
Subject: Re: Microsoft plans to offer a firewall
In-reply-to: Your message of "Wed, 02 Jul 1997 11:26:25 PDT." <33BA9D51.3602@pacificnet.net>
Date: Wed, 02 Jul 1997 23:18:13 -0400
From: Harry Mantakos
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> * Refer to C&L white paper available on
>> http://www.microsoft.com/proxy

Well, I was all ready to go learn about network security, so I went to the Microsoft web page to download this paper. It's a .exe file.

So to learn about how Microsoft has licked this internet security thing, I have to download a binary off a web page, bring it inside my firewall, and run it on my pc. I see.

Well, I don't happen to have anything handy that can run one of those .exe file thingies, nor anything that can read the Microsoft Word document that is no doubt lurking within it, so I guess I'll have to look elsewhere.

-harry

-----------------------------------------------------------------------------
Human: Harry Mantakos
USPS: 547 E. Gittings St. Baltimore, MD 21230
Email: harry@meretrix.com
Evil Twins: harry@torrentnet.com, harry@cs.umd.edu

From owner-firewalls-outgoing Wed Jul 2 23:03:54 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA16144 for firewalls-outgoing; Wed, 2 Jul 1997 22:46:48 -0700 (PDT)
Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id WAA15960 for ; Wed, 2 Jul 1997 22:46:14 -0700 (PDT)
From: proff@suburbia.net
Received: from suburbia.net (suburbia.net [198.142.2.24]) by pdx1.world.net (8.7.5/8.7.3) with SMTP id WAA05077 for ; Wed, 2 Jul 1997 22:52:54 -0700 (PDT)
Received: (qmail 24674 invoked by uid 110); 3 Jul 1997 05:48:54 -0000
Message-ID: <19970703054854.24673.qmail@suburbia.net>
Subject: Re: messages log , Could be attack ?
In-Reply-To: <33BAC277.3CBF@bolchile.cl> from "Raul Navarro G." at "Jul 2, 97 05:04:55 pm"
To: rnavarro@bolchile.cl (Raul Navarro G.)
Date: Thu, 3 Jul 1997 15:48:54 +1000 (EST)
Cc: firewalls@greatcircle.com
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> 1 ) Help me please, what is the meaning of these messages in the messages
> log.
> Is there an attack to stop TCP/IP services?
> What do I need to do to know that it is an attack?
> Can it be that there is a problem in my configuration? I didn't change anything in
> the last months.
>
> These messages repeat for more than 3 days
> May 31 04:11:21 www inetd[115]: pop3/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: imap/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: chargen/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: daytime/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: discard/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: echo/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: time/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: finger/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: uucp/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: exec/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: login/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: shell/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: telnet/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: ftp/tcp: bind: Address already in use

You are already running inetd.
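The one-line answer above is the whole diagnosis: bind() on a listening socket fails with "Address already in use" only when a process on the same host already holds that port, so a burst of these messages for every inetd service at the same second means a second inetd (or a standalone daemon for the same services) was started while the first was still running. Nothing a remote host sends can produce that error, so it is a configuration fault, not an attack. The following script is an added example, not code from the thread or its participants; it parses constructed syslog lines in the format Raul quoted and separates the "whole inetd started twice" pattern from a single-port conflict. The sample log, the burst threshold and the function names are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the lines quoted in the thread (not a real log).
# One sshd line is included to show that unrelated entries are ignored.
SAMPLE_LOG = """\
May 31 04:11:21 www inetd[115]: pop3/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: imap/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: telnet/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: ftp/tcp: bind: Address already in use
May 31 04:12:03 www sshd[201]: Accepted password for alice from 10.0.0.5
May 31 04:13:44 www inetd[115]: finger/tcp: bind: Address already in use
"""

# BSD syslog prefix, then inetd's "<service>/<proto>: bind: <strerror>" message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) inetd\[(?P<pid>\d+)\]: "
    r"(?P<svc>[\w-]+)/(?P<proto>tcp|udp): bind: Address already in use$"
)


def parse_bind_failures(text):
    """Return one dict per inetd bind failure; all other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def classify(events, burst_threshold=4):
    """Group failures by (host, pid, second).

    Many distinct services failing in the same second from one inetd pid means
    that pid started while another process already held all those ports, which
    is almost always a second copy of inetd. A lone failure points at one
    standalone daemon (e.g. a separately started ftpd) competing for one port.
    Either way the cause is local: bind() never sees remote traffic.
    """
    by_burst = defaultdict(set)
    for e in events:
        by_burst[(e["host"], e["pid"], e["ts"])].add(e["svc"])

    findings = []
    for (host, pid, ts), svcs in sorted(by_burst.items()):
        if len(svcs) >= burst_threshold:
            verdict = ("duplicate listener: another process already bound these "
                       "ports (likely a second inetd instance)")
        else:
            verdict = "single port conflict: check for a standalone daemon on this service"
        findings.append({"host": host, "pid": pid, "ts": ts,
                         "services": sorted(svcs), "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in classify(parse_bind_failures(SAMPLE_LOG)):
        print(f"{f['ts']} {f['host']} inetd[{f['pid']}] "
              f"{','.join(f['services'])}: {f['verdict']}")
```

On the box itself the confirmation is the process table: two inetd processes, or the startup scripts launching inetd twice, is what to fix; the message then stops on its own. The TIME_WAIT entry in the second question is unrelated: it is the normal state a closed TCP connection sits in for a short while after the close completes.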
From owner-firewalls-outgoing Wed Jul 2 23:38:59 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA21399 for firewalls-outgoing; Wed, 2 Jul 1997 20:59:43 -0700 (PDT)
Received: from fw001.smb.com (fw001.smb.com [207.24.83.200]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA21124 for ; Wed, 2 Jul 1997 20:58:54 -0700 (PDT)
Received: from sbmail.smb.com ([168.109.12.15]) by fw001.smb.com (8.8.5/InetRelay-1.10) with ESMTP id AAA17813 for ; Thu, 3 Jul 1997 00:01:45 -0400 (EDT)
Received: from ccmentgate.corp.smb.com (ccmentgate.corp.smb.com [146.128.253.21]) by sbmail.smb.com (8.8.5/CMTF-Mailrelay-1.18) with SMTP id AAA12940 for ; Thu, 3 Jul 1997 00:01:44 -0400 (EDT)
Received: from ccMail by ccmentgate.corp.smb.com (ccMail Link to SMTP R6.01.00 BETA) id AA867902676; Thu, 03 Jul 97 00:04:37 -0500
Message-Id: <9707038679.AA867902676@ccmentgate.corp.smb.com>
X-Mailer: ccMail Link to SMTP R6.01.00 BETA
Date: Wed, 02 Jul 97 22:03:27 -0500
From: "Dustin Goodwin"
To:
Subject: Labs that will do firewall performance testing.
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

(Please excuse if this is a duplicate post)

Looking for a commercial lab that will do on-request, for-money testing of specific firewalls. We are interested in performance testing, not penetration testing.

- Dustin -

From owner-firewalls-outgoing Wed Jul 2 23:46:46 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA22760 for firewalls-outgoing; Wed, 2 Jul 1997 23:20:13 -0700 (PDT)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970427-1) id WAA12551 for firewalls@greatcircle.com; Wed, 2 Jul 1997 22:31:14 -0700 (PDT)
Received: from panix2.panix.com (panix2.panix.com [198.7.0.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA06176 for ; Tue, 1 Jul 1997 11:18:03 -0700 (PDT)
Received: (from guy@localhost) by panix2.panix.com (8.8.5/8.7/PanixU1.3) id OAA06042 for firewalls@GreatCircle.COM; Tue, 1 Jul 1997 14:21:05 -0400 (EDT)
Date: Tue, 1 Jul 1997 14:21:05 -0400 (EDT)
From: Information Security
Message-Id: <199707011821.OAA06042@panix2.panix.com>
To: firewalls@GreatCircle.COM
Subject: Cryptography Manifesto
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Information Security here.

I have a document that explains NSA's domestic spy-fest in great detail.

The document includes specifics on building a firewall analytic for examining email. The section of the document that is in is about 100K, so I'm sending this overview instead.

If you want the document [7/4/97-dated version], email me using 'Subject: Requesting Cryptography Manifesto'. The document is 560K.

BTW, the inside scoop from a TIS employee (don't ask!) is that the NSA really truly CANNOT break RSA/PGP, and are pissed about it. ;-)

This manifesto is heavily documented by outside sources.

* "Spying Budget Is Made Public By Mistake", By Tim Weiner
* The New York Times, November 5 1994
*
* By mistake, a Congressional subcommittee has published an unusually
* detailed breakdown of the highly classified "black budget" for United
* States intelligence agencies.
*
* In previously defeating a bill that would have made this information
* public, the White House, CIA and Pentagon argued that revealing the
* secret budget would cause GRAVE DAMAGE to the NATIONAL SECURITY of
* the United States.
*
* $3.1 billion for the CIA
* $10.4 billion for the Army, Navy, Air Force
* and Marines special-operations units
* $13.2 billion for the NSA/NRO/DIA
*
* The only damage done so far is to the
* credibility of those who opposed the measure.

Enjoy,
---guy@panix.com

From owner-firewalls-outgoing Wed Jul 2 23:49:05 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA29432 for firewalls-outgoing; Wed, 2 Jul 1997 23:45:33 -0700 (PDT)
Received: from mines.u-nancy.fr (mines.u-nancy.fr [192.70.66.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA29411 for ; Wed, 2 Jul 1997 23:45:26 -0700 (PDT)
Received: (from grigori@localhost) by mines.u-nancy.fr (8.7.5/8.7.3) id IAA14685 for Firewalls@GreatCircle.COM; Thu, 3 Jul 1997 08:52:02 +0200 (MET DST)
From: Laura Grigori
Message-Id: <199707030652.IAA14685@mines.u-nancy.fr>
Subject: Re: Firewalls-Digest V6 #312
To: Firewalls@GreatCircle.COM
Date: Thu, 3 Jul 1997 08:52:01 +0200 (MET DST)
In-Reply-To: <199707021820.LAA00955@honor.greatcircle.com> from "Firewalls-Digest" at Jul 2, 97 11:20:32 am
X-Mailer: ELM [version 2.4 PL21]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings, I have just arrived. Now to work, and no follow-up, and tell me in detail if you talk to Raphael, or if you have any news.

Waiting,
Elutza.

From owner-firewalls-outgoing Thu Jul 3 03:18:29 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA01105 for firewalls-outgoing; Thu, 3 Jul 1997 02:03:57 -0700 (PDT)
Received: from mines.u-nancy.fr (mines.u-nancy.fr [192.70.66.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id CAA00892 for ; Thu, 3 Jul 1997 02:03:09 -0700 (PDT)
Received: (from grigori@localhost) by mines.u-nancy.fr (8.7.5/8.7.3) id LAA16318 for firewalls@greatcircle.com; Thu, 3 Jul 1997 11:09:28 +0200 (MET DST)
From: Laura Grigori
Message-Id: <199707030909.LAA16318@mines.u-nancy.fr>
Subject: Re: Firewalls-Digest V6 #312
To: firewalls@greatcircle.com
Date: Thu, 3 Jul 1997 11:09:28 +0200 (MET DST)
X-Mailer: ELM [version 2.4 PL21]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

This is regarding my previous message, in Romanian, about somebody called Raphael. I want to apologize for it. This proves one other possible risk of email: not checking the headers before sending the email. `Reply' is a great feature, but I should have used it with more care.

Once again, sorry.

One more reason to moderate.
From owner-firewalls-outgoing Thu Jul 3 04:04:09 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA17421 for firewalls-outgoing; Thu, 3 Jul 1997 01:06:44 -0700 (PDT) Received: from gwdu42.gwdg.de (gwdu42.gwdg.de [134.76.10.26]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id BAA17343 for ; Thu, 3 Jul 1997 01:06:22 -0700 (PDT) Received: from dv104 (actually 134.76.168.70) by gwdu42.gwdg.de with SMTP (PP); Thu, 3 Jul 1997 10:05:43 +0200 Message-Id: <3.0.2.32.19970703080618.00911ab0@popper.gwdg.de> X-Sender: switzel@popper.gwdg.de X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.2 b5 (32) Date: Thu, 03 Jul 1997 08:06:18 +0200 To: firewalls@greatcircle.com From: Stefan Witzel Subject: Problem: HP-UX 10.20 and Firewall-1 V3.0 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, I tried to run Firewall-1 V3.0 (not 3.0a) on a workstation with HP-UX 10.20 installed. The firewall seems to be ok, but when I start the log viewer (from the command line), after a while, this process uses up to 95% of the CPU time. I then have no access to the workstation. (I think the firewall works.) This occured under VUE and CDE. Any advice? Thanks in advance. 
Stefan Witzel switzel@uni-goettingen.de Universitaet Goettingen / Stabsstelle DV ------------------------- Gosslerstrasse 5-7 fon: +49 551 394160 37073 Goettingen fax: +49 551 399612 Germany From owner-firewalls-outgoing Thu Jul 3 04:08:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA20918 for firewalls-outgoing; Thu, 3 Jul 1997 01:18:08 -0700 (PDT) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA20897 for ; Thu, 3 Jul 1997 01:18:00 -0700 (PDT) Received: from skb.si (skb.si [193.77.127.66]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id BAA20012 for ; Thu, 3 Jul 1997 01:22:02 -0700 (PDT) Received: by fw.skb.si id <26882>; Thu, 3 Jul 1997 10:16:36 +0100 Message-Id: <97Jul3.101636gmt+0100.26882@fw.skb.si> Date: Thu, 3 Jul 1997 09:18:30 +0100 From: Sergej Rinc Reply-To: sr@skb.si X-Mailer: Mozilla 3.01Gold (WinNT; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: Borderware References: <199707021820.LAA00955@honor.greatcircle.com> Content-Type: text/plain; charset=iso-8859-2 Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >With the latest version Borderware 4.x, all configuration is done from a remote html browser which is extremely slow! Their front end is all Java, using their html forms to configure DNS for 15 zones took me all day just because the updates via the browser were taking forever! You don't have to use browser for DNS setup - you can upload these files to BorderWare or use Zone transfer. I wouldn't use browser for lot of zones. >Also, there is no internal authentication capabilities with Borderware, no skey, secure-id, nothing to authenticate your rules against. Please explain. All authentication cards are supported allready or can be - easily. S/Key, Secure-Id, ActiveCard, ... I guess you have something specifically in mind. 
--
Sergej Rinc
system engineer, SKB banka d.d.
http://www.skb.si mailto:sr@skb.si

From owner-firewalls-outgoing Thu Jul 3 04:39:23 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA24425 for firewalls-outgoing; Thu, 3 Jul 1997 01:36:58 -0700 (PDT)
Received: from trifork.gu.net (trifork.gu.net [194.93.190.194]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA24310 for ; Thu, 3 Jul 1997 01:36:22 -0700 (PDT)
Received: from localhost (localhost.gu.kiev.ua [127.0.0.1]) by trifork.gu.net (8.8.5/8.8.5) with SMTP id OAA21992; Thu, 3 Jul 1997 14:41:02 +0300 (EEST)
Date: Thu, 3 Jul 1997 14:41:01 +0300 (EEST)
From: Andrew Stesin
Reply-To: stesin@gu.net
To: John Whittaker
cc: firewalls@GreatCircle.COM
Subject: Re: Microsoft plans to offer a firewall
In-Reply-To: <3.0.32.19970702093428.00f12830@199.107.168.5>
Message-ID:
X-NCC-RegID: ua.gu
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 2 Jul 1997, John Whittaker wrote:

> * The new version will combine enhanced security and performance.
> This has never been done before.
  ^^^
by Microsoft, one should mention. Other vendors might ;) have a different history.

> * Microsoft is enhancing its firewall security features as a
> result of feedback from small business and branch office customers.

... but with zero attention to industry experts' opinions?

> * Enhanced web content caching

... still unable to communicate with, e.g., Squid WWW-cache hierarchies?

> * Extensible firewall security
>
> * Proxy Server 2.0 is an "extensible firewall" platform, which
> creates opportunities for 3rd parties to extend and complement Proxy
> Server's network security capabilities

... -- it contains holes, so anyone who cares may feel herself free to fill them on her own?

> * Content Filters - CyberPatrol and Surfwatch

And this "feature" -- read "censorship" -- definitely _will_ work, no doubt.
Best regards,
Andrew Stesin
nic-hdl: ST73-RIPE

From owner-firewalls-outgoing Thu Jul 3 06:03:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id BAA17420 for firewalls-outgoing; Thu, 3 Jul 1997 01:06:43 -0700 (PDT)
Received: from sif.cgs.it ([194.21.205.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id BAA17251 for ; Thu, 3 Jul 1997 01:06:03 -0700 (PDT)
Received: from ons.sif.cgs.it (sgorla.sif.cgs.it [194.21.205.106]) by sif.cgs.it (8.7.5/8.7.3) with SMTP id JAA03279; Thu, 3 Jul 1997 09:10:16 +0200
Message-Id: <3.0.1.32.19970703101001.00cab9bc@fw2>
X-Sender: gfaggion@fw2
X-Mailer: Windows Eudora Light Version 3.0.1 (32)
Date: Thu, 03 Jul 1997 10:10:01 +0200
To: Roger Rea
From: "Gruppo ONS riunito S.p.A. (Società per Adulazione)"
Subject: RE: Firewall on AIX
Cc: Firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 1 Jul 1997 I wrote:

...I've done some research on firewalls on AIX, but I got very little.
...I have some FAQ at
...http://www.checkpoint.com/opsec/Partners/memco/faq.html:
...- 6. Which versions of FireWall-1 are compatible with SeOS Secured!
...- For FireWall-1?
...- SeOS Secured! For FireWall-1 is compatible with FireWall-1 version 2.1
...- and version 3.0 for Solaris on Sun SPARC and x86. SunOS and HP-UX
...- versions are currently in Beta testing and will be available soon. IBM AIX
...- and Windows NT versions are in development.
...It will be available until the third quarter of the year.

Roger Rea replied to me:

>From: Roger Rea
>To:
>Cc: <75816664@ITHVM03.vnet.ibm.com>
>Subject: Fwd: Firewall on AIX
>Date: Wed, 2 Jul 1997 17:30:11 -0400
>
>Gabriele.................Perhaps you have not looked at the current version of
>the IBM Firewall.
>We are a much more complete firewall than other firewalls,
>offering not only filtering architectures like Check Point, but also
>Application Gateways and Circuit Level Gateways. So you get three firewalls in
>one.

PERHAPS YOU HAVEN'T LOOKED AT THE LAST 3 OR 4 VERSIONS OF THE CHECKPOINT FIREWALL. IT USES THE "STATEFUL INSPECTION" TECHNOLOGY TO FILTER ALL ISO LAYERS FROM THE NETWORK LAYER TO THE APPLICATION IN ONLY ONE PASS: THERE'S AN "INSPECT ENGINE" THAT, USING DYNAMIC STATE TABLES, ASSURES A FAST AND TRANSPARENT INSPECTION.

>We also offer Network Address Translation, logging, alerting, a JAVA-based GUI
>with pre-defined services and context sensitive help. We've had IPSEC tunnels
>for several releases and have added in the current release client IPSEC
>software at no additional charge. We offer the Network Security Auditor, which
>allows you to scan the network for security weaknesses.
>
>You can learn more about the IBM Firewall for AIX V3.1 and download trial
>software from our web site at: http:\\www.ics.raleigh.ibm.com\firewall

THANK YOU FOR THE INFORMATION

---------------------------------------------------------------
Gabriele Faggioni
Open Network Services - Security
Cap Gemini Italia S.p.A.
Via Lombroso, 54 MILANO (ITALIA)
http://www.sif.cgs.it mailto:gfaggion@sif.cgs.it
tel. ++39 2 59924 420 fax. ++39 2 59924 245
---------------------------------------------------------------

From owner-firewalls-outgoing Thu Jul 3 06:46:55 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA01097 for firewalls-outgoing; Wed, 2 Jul 1997 23:54:31 -0700 (PDT)
Received: from zeder.she.de (zeder.she.de [193.98.90.88]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA01071 for ; Wed, 2 Jul 1997 23:54:23 -0700 (PDT)
Received: from hdrout3.she.de (hdrout3.she.de [194.120.238.5]) by zeder.she.de (8.8.5/8.7.6) with SMTP id IAA17238; Thu, 3 Jul 1997 08:57:09 +0200
Received: from heidelberg.teldix.de by hdrout3.she.de id aa17118; 3 Jul 97 8:52 CETDST
Received: from hdmh1.teldix.de ([143.194.70.35]) by hdfw01.teldix.de via smtpd (for hdnetgw.she.de [193.141.149.7]) with SMTP; 3 Jul 1997 06:52:50 UT
Received: from localhost by hdmh1.teldix.de with SMTP (1.39.111.2/16.2) id AA142332750; Thu, 3 Jul 1997 08:52:30 +0200
Date: Thu, 3 Jul 1997 08:52:30 +0200 (METDST)
From: Wolfgang Rau
To: David Wasser
Cc: firewalls@greatcircle.com, franks@netscape.com
Subject: Re: Tunneling tools with 128 bit encryption outside US?
In-Reply-To: <33BA45A5.57AB2A3B@netscape.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Try F-Secure from DataFellows: http://www.datafellows.com/

Regards - Wolfgang

--------------------------------------------------------------
Wolfgang Rau         | Phone: +49-6221-512-527; Fax: -305
TELDIX GmbH          | Email: rau@teldix.de
IVT                  |
P.O.Box              | Grenzhoefer Weg 36
D-69046 Heidelberg   | D-69123 Heidelberg
______________________________________________________________

On Wed, 2 Jul 1997, David Wasser wrote:

> I am looking for a product which will build an encrypted IP tunnel using
> 128 bit encryption technology that is available outside the US.
>
> Can anyone point me to a vendor?
>
> Thanx,
> -David
> --
> David Wasser         | Netscape Communications GmbH
> Principal Consultant | Am Soeldnermoos 6
>                      | D-85399 Hallbergmoos
> DWass@netscape.com   | Germany

From owner-firewalls-outgoing Thu Jul 3 07:48:53 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA05894 for firewalls-outgoing; Thu, 3 Jul 1997 05:45:11 -0700 (PDT)
Received: from csc.com (explorer.csc.com [20.1.10.27]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id FAA05860 for ; Thu, 3 Jul 1997 05:44:57 -0700 (PDT)
Received: from tc24650 by csc.com via smtpd with smtp id for ; Thu, 3 Jul 97 08:47 EDT (/\oo/\ Smail3.1.29.1 #29.9 built 21-apr-97)
Message-ID: <33BB9E72.745C@csc.com>
Date: Thu, 03 Jul 1997 08:43:31 -0400
From: Joe Loiacono
Organization: Computer Sciences Corporation
X-Mailer: Mozilla 3.01 (X11; I; SunOS 5.5 sun4m)
MIME-Version: 1.0
To: Dustin Goodwin
CC: firewalls@greatcircle.com
Subject: Re: Labs that will do firewall performance testing.
References: <9707028678.AA867886924@ccmentgate.corp.smb.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dustin Goodwin wrote:
>
> Looking for a commercial lab that will do on-request, for-money testing
> of specific firewalls. We are interested in performance testing, not
> penetration testing.

Try:

Computer Sciences Corporation
Systems Engineering Division
Hanover, MD.

Call Alexa Grauch at (410) 684-3641. She doesn't work in the lab, but can forward you.

Joe
--
In theory, theory and practice are the same;
In practice, they're not even close!
From owner-firewalls-outgoing Thu Jul 3 08:20:40 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA02022 for firewalls-outgoing; Thu, 3 Jul 1997 05:17:52 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA27081 for ; Thu, 3 Jul 1997 04:41:37 -0700 (PDT)
Received: from psyche.the-wire.com (psyche.the-wire.com [198.53.192.2]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id EAA23268 for ; Thu, 3 Jul 1997 04:17:57 -0700 (PDT)
Received: from anton.the-wire.com (anton.the-wire.com [205.206.32.227]) by psyche.the-wire.com (8.8.6/8.6.12) with SMTP id HAA07788; Thu, 3 Jul 1997 07:15:20 -0400 (EDT)
Message-Id: <3.0.32.19970703070141.007a6db0@the-wire.com>
X-Sender: anton@the-wire.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Thu, 03 Jul 1997 07:15:50 -0400
To: Visionprof@aol.com, firewalls@GreatCircle.COM
From: Anton J Aylward
Subject: Re: Microsoft plans to offer a firewall
Cc: Kevin.Brown@netcomm.ie
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 08:29 PM 02/07/97 -0400, Visionprof@aol.com wrote:
## Reply Start ##
>On 7/2/97 Kevin wrote:
>
>>>Can anyone explain how we let this happen.
>
>This one is easy. Mr. Gates said so. Let's all turn toward Redmond,
>Washington and bow.

To misquote Dr Bonhoeffer: My Conscience is Bill Gates.
## Reply End ##

--------------------------------------------------------------------------
Anton J Aylward                  | Security is not something that comes in
The Strahn & Strachan Group Inc  | a self-contained box. It is an attribute
Information Security Consultants | of how you do business and as such
Voice: (416) 494-8661            | needs to be managed carefully.
Fax: (416) 494-8803              |   - Karen Goertzel, Wang Federal Inc.
From owner-firewalls-outgoing Thu Jul 3 08:35:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA24623 for firewalls-outgoing; Thu, 3 Jul 1997 04:27:11 -0700 (PDT)
Received: from csc.com (explorer.csc.com [20.1.10.27]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id EAA24591 for ; Thu, 3 Jul 1997 04:26:59 -0700 (PDT)
Received: from tc24650 by csc.com via smtpd with smtp id for ; Thu, 3 Jul 97 07:29 EDT (/\oo/\ Smail3.1.29.1 #29.9 built 21-apr-97)
Message-ID: <33BB8C0D.2E23@csc.com>
Date: Thu, 03 Jul 1997 07:25:01 -0400
From: Joe Loiacono
Organization: Computer Sciences Corporation
X-Mailer: Mozilla 3.01 (X11; I; SunOS 5.5 sun4m)
MIME-Version: 1.0
To: Scott_Thomas@em.fcnbd.com
CC: Firewalls@GreatCircle.COM
Subject: Re: SAP and Firewalls
References: <001031FF.1944@em.fcnbd.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Scott_Thomas@em.fcnbd.com wrote:
>
> To All:
>
> Our company is implementing SAP in all of its locations. Our desire
> is to have internal firewalls between the main corporate location and
> outer offices. We have attempted to run FW-1 in two locations so far
> with the same result. If a user at the outer office runs an SAP
> process that only involves one UNIX host at the main office it works
> fine.
>
> When the SAP process involves more than one host the returned
> transmission is never received, although it seems to leave the UNIX
> host.

Tough problem. Are you running a sniffer on the interior networks (all LANs attached to servers)? See what's coming into the firewall. That might help.

Good luck,
Joe
--
In theory, theory and practice are the same;
In practice, they're not even close!
From owner-firewalls-outgoing Thu Jul 3 08:46:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA26964 for firewalls-outgoing; Thu, 3 Jul 1997 04:40:39 -0700 (PDT)
Received: from srv1-poa.nutecnet.com.br (srv1-poa.nutecnet.com.br [200.248.149.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA26890 for ; Thu, 3 Jul 1997 04:40:08 -0700 (PDT)
Received: from nutspgw.nutec.com.br ([200.246.248.99]) by srv1-poa.nutecnet.com.br (8.8.5/SCA-6.6) with SMTP id JAA09540 for ; Thu, 3 Jul 1997 09:44:07 -0200 (EDT)
Received: from canario.nutec.com.br ([192.168.2.2]) by nutspgw.nutec.com.br via smtpd (for srv1-poa.nutecnet.com.br [200.248.149.1]) with SMTP; 3 Jul 1997 08:45:14 UT
Received: from nutspgw.nutec.com.br by canario.nutec.com.br id aa04683; 3 Jul 97 8:35 GMT
From: "Fernando da Silveira Montenegro"
To:
Received: from cancun.sao.nutecnet.com.br ([200.246.248.224]) by firewall.nutec.com.br via smtpd (for canario.nutec.com.br [192.168.2.2]) with SMTP; 3 Jul 1997 08:45:06 UT
Subject: IP Filters?
Date: Thu, 3 Jul 1997 08:42:35 -0300
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.71.0926.0
X-MimeOLE: Produced By Microsoft MimeOLE Engine V4.71.0926.0
Message-ID: <9707030835.aa04683@canario.nutec.com.br>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello all!

What seems to be the general consensus on how many filtering rules one can configure on a router without imposing a noticeable performance penalty: 10? 50? 100?

I know it probably varies wildly with the equipment you use (2501 x 7500, for instance), but is anybody running a Cisco 4000 with more than, say, 100 rules for each filter applied to an interface? The router has 8MB, and is talking two T1s (bonded, no multihoming).
We plan to tighten up our environment a bit (too many DoS attacks for our liking), and are also considering stricter filters on our terminal servers (PortMaster2 units from Livingston). Same question applies: how many filters on a 1MB PM2?

The problem is that the environment being protected is an ISP, so the typical "block unless needed" stance doesn't apply.

Thanks in advance. I'll summarize later if there's interest.

Regards,
Fernando

ObFirewall: Filtering is one element of our security architecture, which is migrating to a secure subnet protected by an app.level firewall, and is, as usual, the first line of defense.
--
Fernando da Silveira Montenegro      Nutec Informatica
System/Network Administrator         Sao Paulo, SP, BRAZIL
mailto:montenegro@nutec.com.br       http://www.nutecnet.com.br
voice.:+55-11-5505-5728              #include

From owner-firewalls-outgoing Thu Jul 3 08:49:45 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA23880 for firewalls-outgoing; Thu, 3 Jul 1997 04:22:58 -0700 (PDT)
Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA23869 for ; Thu, 3 Jul 1997 04:22:49 -0700 (PDT)
Received: from dmartinez.ins.com (unknown-43-60.dialcall.com [170.206.43.60]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id EAA27689; Thu, 3 Jul 1997 04:25:21 -0700 (PDT)
Message-Id: <3.0.32.19970703072510.00698324@lexicon.ins.com>
X-Sender: martin_d@lexicon.ins.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Thu, 03 Jul 1997 07:25:15 -0400
To: Stefan Witzel , firewalls@GreatCircle.COM
From: "Darwin L. Martinez"
Subject: Re: Problem: HP-UX 10.20 and Firewall-1 V3.0
Mime-Version: 1.0
Content-Type: text/enriched; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Check to see if, on your log viewer, you are trying to resolve IP addresses with DNS.
If so, for each entry in the log, the machine queries DNS to try and get a name associated with the IP address entry. This is for both the source and destination addresses, meaning 2 queries are executed for each log entry.

Disable that option (it should be on the main log viewer screen), and your problem should disappear.

Hope this helps.

At 08:06 AM 7/3/97 +0200, Stefan Witzel wrote:
>Hello,
>
>I tried to run Firewall-1 V3.0 (not 3.0a) on a workstation with HP-UX 10.20
>installed. The firewall seems to be ok, but when I start the log viewer (from
>the command line), after a while, this process uses up to 95% of the CPU
>time.
>I then have no access to the workstation. (I think the firewall works.)
>
>This occurred under VUE and CDE.
>
>Any advice? Thanks in advance.
>
>
>
>Stefan Witzel                               switzel@uni-goettingen.de
>Universitaet Goettingen / Stabsstelle DV
>Gosslerstrasse 5-7                          fon: +49 551 394160
>37073 Goettingen                            fax: +49 551 399612
>Germany
>
>

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Darwin L. Martinez                Client: 770-825-9482
Network Systems Consultant        Pager: 888-346-1320
International Network Services    Office: 770-641-3660
SouthEast Region, Atlanta         Email: <darwin_martinez@ins.com>
INS Website:
"Providing the Power of Operable Networks"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

From owner-firewalls-outgoing Thu Jul 3 08:50:52 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA14512 for firewalls-outgoing; Thu, 3 Jul 1997 07:01:07 -0700 (PDT)
Received: from gauntlet.qdata.co.za (gauntlet.qdata.co.za [196.29.128.97]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id HAA14427 for ; Thu, 3 Jul 1997 07:00:32 -0700 (PDT)
Received: by gauntlet.qdata.co.za; id QAA02820; Thu, 3 Jul 1997 16:31:31 +0200
Received: from unknown(196.11.111.254) by gauntlet.qdata.co.za via smap (V3.1.1) id xma002766; Thu, 3 Jul 97 16:31:07 +0200
Message-ID: <33BBB0F2.11B992A@qdata.net>
Date: Thu, 03 Jul 1997 16:02:27 +0200
From: Richard Chilcott
Reply-To: richardc@qdata.net
Organization: Q Data Internet
X-Mailer: Mozilla 4.0b5 [en] (WinNT; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: WatchGuard Firebox
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=iso-8859-1
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Good Day Ladies, Gentlemen and any other person not in the last two groups,

Does anybody have any comments to make about the WatchGuard Firebox firewall? Is it any good, and what problems have been found with the installations, etc.?

Thanks

Richard Chilcott
Q Data Internet (Pty) Ltd.
Phone: +27 11 266 5430
Fax: +27 11 266 5097
http://www.qdata.net

Do not take life too seriously, you will not get out of it alive.
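An added example, not from Darwin Martinez's reply or from Check Point: a mock log viewer that models the per-entry reverse lookups he describes (two per entry, source and destination) and shows how a per-address cache or the "resolve names" switch changes the query count. The log entries, the PTR table and the counting resolver are constructed stand-ins, not real DNS.

```python
"""Model of a firewall log viewer's reverse-DNS cost (added example; the log
entries, PTR table and resolver below are constructed stand-ins, not real DNS)."""

# Constructed log: (source, destination, action). Real logs repeat a handful
# of addresses thousands of times, which is what makes a cache pay off.
SAMPLE_LOG = [
    ("10.0.0.5", "192.0.2.10", "accept"),
    ("10.0.0.5", "192.0.2.10", "accept"),
    ("10.0.0.7", "192.0.2.10", "drop"),
    ("10.0.0.5", "192.0.2.11", "accept"),
    ("198.51.100.9", "10.0.0.5", "drop"),
] * 20  # 100 entries, 5 distinct addresses

# Constructed PTR data; an address missing here models NXDOMAIN or a timeout,
# which in a viewer without a cache is the worst case: it is retried per entry.
SAMPLE_PTR = {
    "10.0.0.5": "ws5.example.internal",
    "192.0.2.10": "www.example.net",
    "192.0.2.11": "mail.example.net",
}


class CountingResolver:
    """Stand-in for the system resolver: counts PTR queries instead of sending them."""

    def __init__(self, ptr_table):
        self.ptr_table = ptr_table
        self.queries = 0

    def reverse(self, ip):
        self.queries += 1
        return self.ptr_table.get(ip)  # None: no PTR record


def render(log, resolver, resolve_names=True, cache=None):
    """Return display rows for the log.

    resolve_names=False is the 'disable that option' fix from the thread.
    cache (a dict) is the alternative of asking once per distinct address;
    negative answers are cached too, so an unresolvable address costs one query.
    """

    def name_for(ip):
        if not resolve_names:
            return ip
        if cache is not None and ip in cache:
            return cache[ip]
        name = resolver.reverse(ip) or ip
        if cache is not None:
            cache[ip] = name
        return name

    return [(name_for(src), name_for(dst), action) for src, dst, action in log]


def query_count(log, resolve_names=True, use_cache=False):
    """Number of PTR queries the viewer issues for one rendering of the log."""
    resolver = CountingResolver(SAMPLE_PTR)
    render(log, resolver, resolve_names, {} if use_cache else None)
    return resolver.queries


if __name__ == "__main__":
    for label, kwargs in (("resolve, no cache", {}),
                          ("resolve, cached", {"use_cache": True}),
                          ("names disabled", {"resolve_names": False})):
        print(f"{label:20s} {query_count(SAMPLE_LOG, **kwargs):4d} queries "
              f"for {len(SAMPLE_LOG)} entries")
```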
From owner-firewalls-outgoing Thu Jul 3 09:01:43 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA12819 for firewalls-outgoing; Thu, 3 Jul 1997 06:46:34 -0700 (PDT)
Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA12745 for ; Thu, 3 Jul 1997 06:46:16 -0700 (PDT)
Received: from rodger-s.sprintspectrum.com (ATL-Dynamic4.ins.com [199.0.194.4]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id GAA05763; Thu, 3 Jul 1997 06:48:44 -0700 (PDT)
Message-Id: <3.0.32.19970703084835.00c46680@lexicon.ins.com>
X-Sender: rodger_s@lexicon.ins.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Thu, 03 Jul 1997 08:48:40 -0500
To: Stefan Witzel , firewalls@GreatCircle.COM
From: Steve Rodgers
Subject: Re: Problem: HP-UX 10.20 and Firewall-1 V3.0
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Stefan,

The first thing I would try would be to upgrade to FW-1 Version 3.0a. I know it fixed "throughput" problems - not sure if they were CPU related or not. Just to be on the safe side I would upgrade anyway.

At 08:06 AM 7/3/97 +0200, Stefan Witzel wrote:
>Hello,
>
>I tried to run Firewall-1 V3.0 (not 3.0a) on a workstation with HP-UX 10.20
>installed. The firewall seems to be ok, but when I start the log viewer (from
>the command line), after a while, this process uses up to 95% of the CPU
>time.
>I then have no access to the workstation. (I think the firewall works.)
>
>This occurred under VUE and CDE.
>
>Any advice? Thanks in advance.
>
>
>
>Stefan Witzel                               switzel@uni-goettingen.de
>Universitaet Goettingen / Stabsstelle DV
>Gosslerstrasse 5-7                          fon: +49 551 394160
>37073 Goettingen                            fax: +49 551 399612
>Germany
>
>
_________________________________________________________________
Steve Rodgers, MCSE
Network Systems Engineer
International Network Services     Phone: 913-859-1836
http://www.ins.com                 Pager: 888-808-2626
mailto:steve_rodgers@ins.com       NASDAQ: INSS

From owner-firewalls-outgoing Thu Jul 3 09:07:37 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA14540 for firewalls-outgoing; Thu, 3 Jul 1997 07:01:20 -0700 (PDT)
Received: from smartwall.v-one.com (smartwall.v-one.com [206.205.89.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA14484 for ; Thu, 3 Jul 1997 07:00:48 -0700 (PDT)
Received: by smartwall.v-one.com; id KAA15063; Thu, 3 Jul 1997 10:03:45 -0400 (EDT)
Received: from nt-fs1.v-one.com(198.69.135.3) by smartwall.v-one.com via smap (3.2) id xma015059; Thu, 3 Jul 97 10:03:41 -0400
Received: by nt-fs1.V-ONE.COM with Internet Mail Service (5.0.1457.3) id ; Thu, 3 Jul 1997 10:12:19 -0400
Message-ID:
From: "McMahan, Peg"
To: "'firewalls@greatcircle.com'"
Subject: FW: messages log , Could be attack ?
Date: Thu, 3 Jul 1997 10:12:19 -0400
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> What it looks like is happening is that some daemons are being started
> manually (through rc.local or similar startup scripts) while inetd is
> still listening on behalf of these daemons... Check in the inetd.conf
> file as well as the flavor of startup script your UNIX uses and see if
> there are daemons duplicated.
>
> I doubt these are attacks at all, merely misconfigurations.
>
> -----Original Message-----
> From: Raul Navarro G. [SMTP:rnavarro@bolchile.cl]
> Sent: Wednesday, July 02, 1997 5:05 PM
> To: Firewall_greatcircle.com
> Subject: messages log , Could be attack ?
>
> 1) Help me please, what is the meaning of these messages in the messages log?
> Is there an attack to stop TCP/IP services?
> What do I need to do to know whether it is an attack?
> Can it be that there is a problem in my configuration? I haven't changed anything in
> the last months.
>
> These messages have repeated for more than 3 days:
> May 31 04:11:21 www inetd[115]: pop3/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: imap/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: chargen/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: daytime/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: discard/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: echo/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: time/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: finger/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: uucp/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: exec/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: login/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: shell/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: telnet/tcp: bind: Address already in use
> May 31 04:11:21 www inetd[115]: ftp/tcp: bind: Address already in use
>
> 2) What are the following messages in netstat?
>
> 0 usr2-dialup57.Denver.mci.net.2820 8760 0 8760 0 TIME_WAIT
>
> The local Address is 0? Can that be?
>
> Many thanks
> Raul Navarro G.
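An added example, not from Peg McMahan's reply or from Raul's system: a small triage script that follows her advice, pulling the "bind: Address already in use" services out of syslog and cross-checking them against inetd.conf to say which ones are enabled in both inetd and (apparently) a standalone daemon. The syslog, inetd.conf and /etc/services fragments are constructed, patterned on the lines quoted above; on a real host you would read the actual files instead.

```python
"""Triage of inetd 'bind: Address already in use' messages (added example;
the syslog, inetd.conf and services fragments below are constructed)."""
import re

# Constructed syslog lines, patterned on the ones quoted in the thread.
SAMPLE_SYSLOG = """\
May 31 04:11:21 www inetd[115]: pop3/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: imap/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: chargen/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: telnet/tcp: bind: Address already in use
May 31 04:11:21 www inetd[115]: ftp/tcp: bind: Address already in use
May 31 04:12:02 www sendmail[140]: starting daemon: SMTP
Jun  1 04:11:21 www inetd[115]: pop3/tcp: bind: Address already in use
"""

# Constructed inetd.conf fragment (classic format:
# service socktype proto wait user server args).
SAMPLE_INETD_CONF = """\
# service  type    proto  wait    user  server                  args
ftp        stream  tcp    nowait  root  /usr/sbin/in.ftpd       in.ftpd
telnet     stream  tcp    nowait  root  /usr/sbin/in.telnetd    in.telnetd
pop3       stream  tcp    nowait  root  /usr/local/sbin/popper  popper -s
#imap      stream  tcp    nowait  root  /usr/local/sbin/imapd   imapd
chargen    stream  tcp    nowait  root  internal
"""

# Constructed /etc/services subset, used only to report port numbers.
SAMPLE_SERVICES = """\
chargen   19/tcp
ftp       21/tcp
telnet    23/tcp
pop3     110/tcp
imap     143/tcp
"""

BIND_FAILURE = re.compile(
    r"inetd\[\d+\]: (?P<svc>[\w.-]+)/(?P<proto>tcp|udp): bind: Address already in use")


def parse_bind_failures(syslog):
    """{(service, proto): occurrences} for inetd bind failures in the log."""
    failures = {}
    for line in syslog.splitlines():
        m = BIND_FAILURE.search(line)
        if m:
            key = (m["svc"], m["proto"])
            failures[key] = failures.get(key, 0) + 1
    return failures


def parse_inetd_conf(text):
    """{(service, proto): server program} for active (uncommented) entries."""
    active = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        active[(fields[0], fields[2])] = fields[5]
    return active


def parse_services(text):
    """{(service, proto): port} from an /etc/services-style file."""
    ports = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            ports[(fields[0], proto)] = int(port)
    return ports


def diagnose(syslog, inetd_conf, services):
    """Return one (service, proto, port, occurrences, verdict) per failing service.

    Verdicts: 'duplicate-daemon'  - inetd.conf enables the service and another
                                    process (e.g. an rc-started daemon) owns the port
              'internal-conflict' - same, but for an inetd built-in service,
                                    which usually means a second inetd is running
              'not-in-conf'       - the running inetd reads a different config
                                    than the file parsed here
    """
    active = parse_inetd_conf(inetd_conf)
    ports = parse_services(services)
    report = []
    for (svc, proto), n in sorted(parse_bind_failures(syslog).items()):
        server = active.get((svc, proto))
        if server is None:
            verdict = "not-in-conf"
        elif server == "internal":
            verdict = "internal-conflict"
        else:
            verdict = "duplicate-daemon"
        report.append((svc, proto, ports.get((svc, proto)), n, verdict))
    return report


if __name__ == "__main__":
    for svc, proto, port, n, verdict in diagnose(SAMPLE_SYSLOG, SAMPLE_INETD_CONF, SAMPLE_SERVICES):
        print(f"{svc}/{proto} (port {port}): {verdict}, seen {n} time(s)")
```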
From owner-firewalls-outgoing Thu Jul 3 09:57:21 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA03859 for firewalls-outgoing; Thu, 3 Jul 1997 09:31:15 -0700 (PDT)
Received: from bbnplanet.com (mail.bbnplanet.com [198.114.157.21]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA03780 for ; Thu, 3 Jul 1997 09:30:51 -0700 (PDT)
Received: from jdana.bbnplanet.com by mail.bbnplanet.com id aa11990; 3 Jul 97 12:32 EDT
Message-Id: <2.2.32.19970703162949.00d8ab94@mail.bbnplanet.com>
X-Sender: jdanahy@mail.bbnplanet.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 03 Jul 1997 12:29:49 -0400
To: Mark Teicher
From: Jack Danahy
Subject: Re: Sheepskin versus work experience
Cc: Jack Danahy , "firewalls@GreatCircle.COM" , "masantis@ntmail.askin.es" , "'Char_Sample@notes.pw.com'" , "pnash@hanshan.bbnplanet.com" , "adam@homeport.org" , "craigaa@iafrica.com" , "Mark H. Teicher " , "Judge, Joseph"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[ NOTE: This hasn't anything to do with firewalls. Inasmuch as the question has been posed through the list, here is my response. Please forward any further discussion in email. I won't be posting anything else on this thread to this list, as I don't think it's an appropriate topic. ]

At 10:45 AM 7/3/97 -0400, Mark Teicher wrote:
>What does an employer look at when evaluating a consultant or possibly new
>employee, whether they have sheepskin or the work experience to fulfill the
>job requirements and assist the company in being successful.. ? Why is it so
>important to have a degree in today's world? Does it make you a better
>person? What's the difference between a recent graduate and a sysadmin who
>has over 20 years experience?
>
>
>/mark

IMHO

Let's start with the real question behind the statement: "Why are non-degreed people immediately precluded from some jobs simply because they don't possess a degree when they could -easily- perform the job."

I think this is a fair question, and my answer is that, for many large companies, it is largely a question of filtering. The principle followed is that the existence of formalized education in a particular discipline provides a relatively objective proof that someone possesses a minimum level of knowledge about that discipline.

Do lots of non-degreed people know more than that? Absolutely!! But let's look at it pragmatically.

A large software or hardware vendor hires 100's of people every year. Those 100's of people reflect the distillation of 10's of thousands of resumes. The talented folk in HR and Personnel are typically the first line of defense in sorting through a blizzard of resumes, and they, rightfully, need a criterion for sorting. I, as the hiring body, owe them some discrete criteria to evaluate candidates -before- I ever meet them or speak with them.

Now, as I cast about for people, I could spend hours with HR describing a pattern of career roles and industry contributions that would result in an adequate baseline of experience for a particular job. Things like: "Programmed in this", "Architected that", "Taught this", "Presented that". They could, in turn, look for resumes that met that variety of criteria. After this initial sort, I would need to telephone screen each of the individuals to understand whether they had actually done all of these things.

Or, I could say: BS/MS Comp Sci., Comp Eng / 1-3 Years Dev Exp

Done.

I was going to write a good deal more, but this has absolutely nothing to do with Firewalls, so I'm done with this thread. Again, if anyone wants to pursue this further, let's do it in email.

Sorry for the diversion.
Jack

Jack Danahy                     jdanahy@bbn.com
Manager of Engineering          (617) 873-4418
Network Security Services       BBN Corporation
"I'm only speaking for myself, here, not for BBN."

From owner-firewalls-outgoing Thu Jul 3 10:11:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA05792 for firewalls-outgoing; Thu, 3 Jul 1997 00:16:20 -0700 (PDT)
Received: from polaris.pacificnet.net (polaris.pacificnet.net [207.171.0.250]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA05747 for ; Thu, 3 Jul 1997 00:16:09 -0700 (PDT)
Received: from default (pm14-11.pacificnet.net [207.171.10.44]) by polaris.pacificnet.net (8.8.5/8.8.5) with SMTP id AAA23923; Thu, 3 Jul 1997 00:09:44 -0700 (PDT)
Message-ID: <33BB53E7.583F@pacificnet.net>
Date: Thu, 03 Jul 1997 00:25:27 -0700
From: "osiris@pacificnet.net"
Reply-To: osiris@pacificnet.net
X-Mailer: Mozilla 3.01 (Win95; I)
MIME-Version: 1.0
To: Harry Mantakos
CC: firewalls@GreatCircle.COM
Subject: Re: Microsoft plans to offer a firewall
References: <199707030318.XAA11240@kiri.meretrix.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Yeah, incredible but true. However, for those that are genuinely interested, the full URL to that document is here:

http://www.microsoft.com/proxy/common/Coopers.exe

A few noteworthy points...According to M$:

"Coopers & Lybrand LLP (C&L) conducted a four phase evaluation program that reviewed Installation, Configuration, Security Feature Analysis, and Penetration Testing in an effort to "unearth" any security vulnerabilities of Microsoft Proxy Server."

C&L claim that the product withstood attacks from "...well-known and well documented tools, such as the public domain tools Internet Security Scanner and Satan..."
Immediately following this, C&L advises that "...without careful installation, monitoring, and observation, any computing product or system may be vulnerable to exploitation..."

In other words, "..we evaluated this product, but we cannot vouch for it, nor place our reputation on the line."

Moreover (and even more incredibly) C&L go on to say that the Proxy Server uses NT 4.0 as its platform and therefore, 4.0's IP forwarding "may" present some security issues.

Let me repeat that: IP forwarding MAY present some security issues.

Whatever.

Meanwhile, are they saying that if a target survives a scan by SafeSuite or SATAN, that it's okay? (Maybe Ballista would have been a better choice as it is a more recent development. I wonder, did they try scanning it with Jakal?)

Okay enough to give it this "Security Seal of Approval" that M$ is parading around? Hahahaha. Not the Security Seal of Approval. Anything but that.

That - and about 1.75 - will get you...

From owner-firewalls-outgoing Thu Jul 3 10:20:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA08186 for firewalls-outgoing; Thu, 3 Jul 1997 09:52:32 -0700 (PDT)
Received: from mail.sla.com (mail1.sla.com [207.153.168.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA08007; Thu, 3 Jul 1997 09:51:42 -0700 (PDT)
Received: by mail1.sla.com with Internet Mail Service (5.0.1457.3) id <3B2FB27R>; Thu, 3 Jul 1997 09:55:17 -0700
Message-ID: <31557D725263D011B53A0060974FB8DC028BAB@mail1.sla.com>
From: "Stackpole, Bill"
To: "'Fernando da Silveira Montenegro'" , Firewalls@GreatCircle.COM
Cc: "'firewalls@greatcircle.com'"
Subject: RE: IP Filters?
Date: Thu, 3 Jul 1997 09:55:16 -0700
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've never built an access list with more than 50 entries and I've never noticed any significant performance problems even on a 2500 series. There are some techniques you can use to speed up access list processing. Remember a Cisco list is exited on the first true, so you can add lines like:

! TCP or UDP ports above the last service you are permitting
! this is done to speed up the list processing
access-list 101 deny tcp any host 255.255.255.255 gt 80
access-list 101 deny udp any host 255.255.255.255 gt 19

just before all the specific rules to speed up list processing.

"Simplify - There is no value in complexity, it's too difficult to manage."

Bill Stackpole, CISSP              Seitel Leeds & Associates
Voice: 206.283.4355                2 Nickerson St. Suite 201
Email: bstackpole@sla.com          Seattle, Wa 98109

> -----Original Message-----
> From: Fernando da Silveira Montenegro [SMTP:montenegro@nutec.com.br]
> Sent: Thursday, July 03, 1997 4:43 AM
> To: Firewalls@GreatCircle.COM
> Subject: IP Filters?
>
> Hello all!
>
> What seems to be the general consensus on how many filtering rules one can
> configure on a router without imposing a noticeable performance penalty:
> 10? 50? 100?
>
> I know it probably varies wildly with the equipment you use (2501 x 7500,
> for instance), but is anybody running a Cisco 4000 with more than, say,
> 100 rules for each filter applied to an interface? The router has 8MB, and
> is talking two T1s (bonded, no multihoming).
>
> We plan to tighten up our environment a bit (too many DoS attacks for our
> liking), and are considering also stricter filters on our terminal servers
> (PortMaster2 units from Livingston). Same question applies: how many
> filters on a 1MB PM2?
> > The problem is that the environment being protected is an ISP, so the > typical "block unless needed" stance doesn't apply. > > Thanks in advance. I'll summarize later if there's interest. > > Regards, > Fernando > > ObFirewall: Filtering is one element of our security architecture, > which > is migrating to a secure subnet protected by app.level firewall, and > is, > as usual, the first line of defense. > -- > Fernando da Silveira Montenegro Nutec Informatica > System/Network Administrator Sao Paulo, SP, BRAZIL > mailto:montenegro@nutec.com.br http://www.nutecnet.com.br > voice.:+55-11-5505-5728 #include > > From owner-firewalls-outgoing Thu Jul 3 10:34:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA29532 for firewalls-outgoing; Thu, 3 Jul 1997 09:09:30 -0700 (PDT) Received: from gauntlet.bridge.com (gkbkup2.bridge.com [167.76.159.20]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA29507 for ; Thu, 3 Jul 1997 09:09:22 -0700 (PDT) Received: by gauntlet.bridge.com; id LAA07423; Thu, 3 Jul 1997 11:11:50 -0500 (CDT) Received: from dns1srv.bridge.com(167.76.36.6) by gauntlet.bridge.com via smap (3.2) id xma007413; Thu, 3 Jul 97 11:11:39 -0500 Received: from binki.bridge.com (binki.bridge.com [167.76.24.243]) by dns1srv.bridge.com (8.7.6/8.7.3) with ESMTP id LAA03465 for ; Thu, 3 Jul 1997 11:12:08 -0500 (CDT) Received: (from ken@localhost) by binki.bridge.com (8.7/8.7) id LAA23825 for firewalls@greatcircle.com; Thu, 3 Jul 1997 11:12:50 -0500 (CDT) Date: Thu, 3 Jul 1997 11:12:50 -0500 (CDT) From: Ken Hardy Message-Id: <199707031612.LAA23825@binki.bridge.com> To: firewalls@greatcircle.com Subject: global whois servers ?? X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm trying to determine who's up to some mischief as indicated by my firewall logs. They're coming from a .com.au domain. 
I'm aware of rs.internic.net for US domains and whois.ripe.net for European, but what about .au, etc. Does anyone know of a comprehensive list of whois server (or other means) for learning information about various domains around the world, such as contacts? Thanks. -- KH From owner-firewalls-outgoing Thu Jul 3 10:46:44 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA19907 for firewalls-outgoing; Thu, 3 Jul 1997 07:46:21 -0700 (PDT) Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA19900 for ; Thu, 3 Jul 1997 07:46:12 -0700 (PDT) Received: from user (179.tampa-002.fl.dial-access.att.net [207.146.89.179]) by mail.clark.net (8.8.5/8.6.5) with SMTP id KAA09440; Thu, 3 Jul 1997 10:46:25 -0400 (EDT) Message-Id: <3.0.1.32.19970703104516.008bd7f0@clark.net> X-Sender: mht@clark.net X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Thu, 03 Jul 1997 10:45:16 -0400 To: Jack Danahy , "firewalls@GreatCircle.COM" From: Mark Teicher Subject: Re: Sheepskin versus work experience Cc: "masantis@ntmail.askin.es" , "'Char_Sample@notes.pw.com'" , "pnash@hanshan.bbnplanet.com" , "adam@homeport.org" , "craigaa@iafrica.com" , "Mark H. Teicher " , "Judge, Joseph" In-Reply-To: <2.2.32.19970630215047.00c0b78c@mail.bbnplanet.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk What does an employer look at when evaluating a consultant or possibly new employee, whether they have sheepskin or the work experience to fulfill the job requirements and assist the company being successful.. ? Why is it so important to have a degree in today's world? Does it make you a better person? What the difference between a recent graduate than a sysadmin who has over 20 years experience? 
/mark ######################################################### 'Turn on, Boot Up, Jack in' ######################################################### From owner-firewalls-outgoing Thu Jul 3 11:11:01 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA20537 for firewalls-outgoing; Thu, 3 Jul 1997 10:47:07 -0700 (PDT) Received: from kani.wwa.com (kani.wwa.com [198.49.174.58]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id KAA20488 for ; Thu, 3 Jul 1997 10:46:54 -0700 (PDT) Received: from nicorinc.com/smtp.nicorenergy.com [207.241.20.98] by kani.wwa.com with smtp (Smail3.2.WWA) id m0wjq0X-003pjrC; Thu, 3 Jul 1997 12:49:31 -0500 (CDT) Received: from DOMAINGO-Message_Server by nicorinc.com with Novell_GroupWise; Thu, 03 Jul 1997 12:49:25 -0500 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Thu, 03 Jul 1997 12:49:04 -0500 From: LARRY HUNKA Reply-To: LHunka@nicorinc.com To: Firewalls@GreatCircle.COM Subject: Firewalls-Digest V6 #313 -Reply Mime-Version: 1.0 Content-Type: text/plain Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'll be out of the office until 7/7/97. I'll respond at that time... 
From owner-firewalls-outgoing Thu Jul 3 12:02:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA03339 for firewalls-outgoing; Thu, 3 Jul 1997 09:28:57 -0700 (PDT) Received: from mail2.isys.net (dip033-1.hamburg.netsurf.de [194.64.236.33]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA03295 for ; Thu, 3 Jul 1997 09:28:43 -0700 (PDT) From: hartmut.fehling@hamburg.netsurf.de Received: from mail1.isys.net[193.96.224.33] by mail2.isys.net with smtp (Smail 3.2 #2 -iSYS-); id m0wjon8-000HEFC; Thu, 3 Jul 1997 18:31:34 +0200 (MET DST) Received: from hamburg.netsurf.de [194.195.202.96] by mail1.isys.net with esmtp (Smail 3.2 #3 -iSYS-); id m0wjon3-001LNkC; Thu, 3 Jul 1997 18:31:29 +0200 (MET DST) To: Firewalls@GreatCircle.COM Date: Thu, 3 Jul 1997 18:20:31 -0000 Message-ID: <19970703181733.hartmut.fehling@hamburg.netsurf.de> In-Reply-To: <199707021820.LAA00955@honor.greatcircle.com> Subject: Calling the Horde X-Mailer: Emissary V2.01, by Attachmate Corp. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I just installed Checkpoint´s Firewall-1 in a cascaded configuration with a proxy and could not detect any security holes myself using standard security scanners. In order to make a really tough test before I actually connect the gateway to our network, I could ask some people I know in the Underground to spread the IP-Address, maybe the HW/SW-Configuration and perhaps even the FW-1-Settings and invite the guys to try it out and break in (into the empty network behind it). Question: Is this a wise thing to do / Has anybody "invited" Hackers in such a fashion? 
(I trust security consultants to help me set up a secure site, but not
to drive a serious attack as a test)

TIA,
Hartmut Fehling

From owner-firewalls-outgoing Thu Jul 3 12:30:29 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA00143 for firewalls-outgoing; Thu, 3 Jul 1997 09:12:10 -0700 (PDT)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA00123 for ; Thu, 3 Jul 1997 09:12:02 -0700 (PDT)
Received: from big-dawgs.cisco.com (herndon-dhcp-109.cisco.com [171.68.53.109]) by lint.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id JAA19892; Thu, 3 Jul 1997 09:14:26 -0700 (PDT)
Message-Id: <3.0.1.32.19970703121425.006ca360@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 3.0.1 (32)
Date: Thu, 03 Jul 1997 12:14:25 -0400
To: "Fernando da Silveira Montenegro"
From: Paul Ferguson
Subject: Re: IP Filters?
Cc: Firewalls Mailing List
In-Reply-To: <9707030835.aa04683@canario.nutec.com.br>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In all recent releases of cisco IOS (since about 11.0(x) or so), extended
access-filter lists are in the fast-switching path, so there should be
negligible performance impact. Having said that, however, it stands to
reason that the more access-lists that must be parsed, the greater impact
it has on the forwarding performance.

I would also suggest that it makes a world of difference exactly how you
are implementing your access-lists, i.e. explicit permits with implicit
denials vs. explicit denials with an explicit permit *; the former is a
much more preferable method of allowing service through a filtering
router than the latter.

In any event, the only hard limits on access-lists are (a) the numerical
limitation of numbered access-lists (99 per list type), and (b) the
amount of nvram used to store the router configuration. Issue (a) has
been eliminated with the integration of "named" access lists, which are
not bound by the numerical limitation.

- paul

At 08:42 AM 07/03/97 -0300, Fernando da Silveira Montenegro wrote:
> Hello all!
>
>What seems to be the general consensus on how many filtering rules one can
>configure on a router without imposing a noticeable performance penalty:
>10? 50? 100?
>
>I know it probably varies wildly with the equipment you use (2501 x 7500,
>for instance), but is anybody running a Cisco 4000 with more than, say,
>100 rules for each filter applied to an interface? The router has 8MB, and
>is talking two T1s (bonded, no multihoming).
>
>We plan to tighten up our environment a bit (too many DoS attacks for our
>liking), and are considering also stricter filters on our terminal servers
>(PortMaster2 units from Livingston). Same question applies: how many
>filters on a 1MB PM2?
>
>The problem is that the environment being protected is an ISP, so the
>typical "block unless needed" stance doesn't apply.
>
>Thanks in advance. I'll summarize later if there's interest.
>
>Regards,
>Fernando
>
>ObFirewall: Filtering is one element of our security architecture, which
>is migrating to a secure subnet protected by app.level firewall, and is,
>as usual, the first line of defense.
>--
>Fernando da Silveira Montenegro       Nutec Informatica
>System/Network Administrator          Sao Paulo, SP, BRAZIL
>mailto:montenegro@nutec.com.br        http://www.nutecnet.com.br
>voice.:+55-11-5505-5728               #include
>

--
Paul Ferguson                 ||        ||
Consulting Engineering        ||        ||
Herndon, Virginia USA        ||||      ||||
tel: +1.703.397.5938     ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com     c i s c o  S y s t e m s

From owner-firewalls-outgoing Thu Jul 3 13:34:17 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA06589 for firewalls-outgoing; Thu, 3 Jul 1997 12:00:40 -0700 (PDT)
Received: from shell.firehouse.net (shell.firehouse.net [209.42.203.45]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA06194 for ; Thu, 3 Jul 1997 11:59:28 -0700 (PDT)
Received: from localhost (brian@localhost) by shell.firehouse.net (8.8.5/8.8.5) with SMTP id PAA03565; Thu, 3 Jul 1997 15:00:22 -0400 (EDT)
Date: Thu, 3 Jul 1997 15:00:20 -0400 (EDT)
From: Brian Mitchell
To: Fernando da Silveira Montenegro
cc: Firewalls@GreatCircle.COM
Subject: Re: IP Filters?
In-Reply-To: <9707030835.aa04683@canario.nutec.com.br>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 3 Jul 1997, Fernando da Silveira Montenegro wrote:
> Hello all!
>
> What seems to be the general consensus on how many filtering rules one can
> configure on a router without imposing a noticeable performance penalty:
> 10? 50? 100?
>
> I know it probably varies wildly with the equipment you use (2501 x 7500,
> for instance), but is anybody running a Cisco 4000 with more than, say,
> 100 rules for each filter applied to an interface? The router has 8MB, and
> is talking two T1s (bonded, no multihoming).

If you do stuff like handle the most frequent packets first (say an
established entry as the first rule) you shouldn't have too much of a
performance problem. The key is getting the majority of packets evaluated
at the very beginning, leaving the somewhat unusual packets near the end.

>
> We plan to tighten up our environment a bit (too many DoS attacks for our
> liking), and are considering also stricter filters on our terminal servers
> (PortMaster2 units from Livingston). Same question applies: how many
> filters on a 1MB PM2?

Denial of service attacks are essentially impossible to defeat. They will
always be there in one form or another.

Brian Mitchell                              brian@firehouse.net
"BSD code sucks. Of course, everything else sucks far more." - Theo de Raadt

From owner-firewalls-outgoing Thu Jul 3 13:41:37 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA01227 for firewalls-outgoing; Thu, 3 Jul 1997 11:42:29 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA01019 for ; Thu, 3 Jul 1997 11:41:31 -0700 (PDT)
Received: from newport.ntcnet.com (newport.ntcnet.com [205.232.95.2]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with SMTP id LAA27996 for ; Thu, 3 Jul 1997 11:18:16 -0700 (PDT)
Received: from x4ntc23 by newport.ntcnet.com; (5.65v3.2/1.1.8.2/13Jul95-1105AM) id AA14052; Thu, 3 Jul 1997 14:12:33 -0400
Message-Id: <33BB6919.7FB6@hotmail.com>
Date: Thu, 03 Jul 1997 05:05:45 -0400
From: DECkedout
X-Mailer: Mozilla 3.01 (WinNT; I) [AXP]
Mime-Version: 1.0
To: Leonid S Knyshov , firewalls@GreatCircle.COM
Subject: Re: ICQ network
References: <33B8B3E2.2B40@hotmail.com> <19970701.195924.14390.3.wiseleo@juno.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

That is the best idea I've heard of yet. I'd like them to see if they can
handle the rigors of releasing questionable software and trying to get it
patented... I sure have a few questions of my own. Personally, my bet is
that they stay out of the spotlight until they become commercial, then
they don't have to release anything except technical support for morons.

Well folks, let's see who joins the party.

-DECkedout

Leonid S Knyshov wrote:
>
> Hi everyone,
>
> I sent an invitation to Mirabilis with instructions on how to join this
> mailing list, hopefully we'll get some answers soon.
> *** > Leonid Knyshov AKA Wise_One > http://kiassociates.com/computerhelp > http://kiassociates.com/computerhelp/personal > For file attachments please use wiseleo@hotmail.com and send a note about > it here :) > > On Tue, 01 Jul 1997 03:38:10 -0400 DECkedout > writes: > >Joe Pollock wrote: > >> > >> One of my users sent me a spam message concerning the ICQ ("I Seek > >You") > >> Network, which claims to reduce an individual's Net identity to a > >single > >why they haven't realeased hard facts to the public. Does anyone know > >anyone from Mirabilis? I have a lot of questions about it.... It > >definatlely raises an eyebrow or two... > >-DECkedout From owner-firewalls-outgoing Thu Jul 3 14:05:55 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA21865 for firewalls-outgoing; Thu, 3 Jul 1997 13:09:54 -0700 (PDT) Received: from ns.ge.com (ns.ge.com [192.35.39.24]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA21858 for ; Thu, 3 Jul 1997 13:09:48 -0700 (PDT) Received: from thomas.ge.com (thomas.ge.com [3.47.28.21]) by ns.ge.com (8.8.4/8.7.3) with ESMTP id QAA14142 for ; Thu, 3 Jul 1997 16:12:45 -0400 (EDT) Received: from roc02bxhgeisge.is.ge.com (roc02bxhgeisge.is.ge.com [3.159.52.21]) by thomas.ge.com (8.8.4/8.7.5) with ESMTP id QAA23192 for ; Thu, 3 Jul 1997 16:12:15 -0400 (EDT) Received: by roc02bxhgeisge.is.ge.com with Internet Mail Service (5.0.1458.49) id <3GX08XBN>; Thu, 3 Jul 1997 16:11:49 -0400 Message-ID: <3F8FEAE41F94D0119CE900805FFECA1201046547@roc01bxgeisge.is.ge.com> From: "Safier, Adam (GEIS)" To: Scott_Thomas@em.fcnbd.com Cc: "Firewalls@GreatCircle. COM (E-mail)" Subject: RE: Firewalls-Digest V6 #312 Date: Thu, 3 Jul 1997 16:11:43 -0400 X-Priority: 3 X-Mailer: Internet Mail Service (5.0.1458.49) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Whenever I don't see a transmission returned I first check routing tables and IP masks. Especially if you are using manual routing. 
In your case it sounds like the routing works without the firewall so check your valid interface permissions in the gateway objects screen. Try turning off any protection against spoofing (valid is 'any' or no checking). That can block your outbound traffic as effectively as a bad route. Adam --------------- Adam Safier, Network Engineer/Security Consultant GE Information Services, Inc 401 North Washington St., Rockville, Md. 20850 Ph: 301-340-5737 8*273-5737 Adam.Safier@geis.ge.com The opinions expressed may not be shared by my employer. I'm proud to live in a country where I can express them. --------------- > -----Original Message----- > From: firewalls-digest-owner@GreatCircle.COM > [SMTP:firewalls-digest-owner@GreatCircle.COM] > Sent: Wednesday, July 02, 1997 2:21 PM > To: firewalls-digest@GreatCircle.COM > Subject: Firewalls-Digest V6 #312 > > > Firewalls-Digest Wednesday, July 2 1997 Volume 06 : > Number 312 > > > > Date: Wed, 2 Jul 1997 09:41:03 -0500 > From: Scott_Thomas@em.fcnbd.com > Subject: [none] > > To All: > > Our company is implementing SAP in all of it's locations. Our > desire > is to have internal firewalls between the main corporate location > and > outer offices. We have attempted to run FW-1 in two locations so > far > with the same result. If a user at the outer office runs an SAP > process that only involves one UNIX host at the main office it > works > fine. > > When the SAP process involves more than one host the returned > transmission is never received, although it seems to leave the > UNIX > host. Currently our production host is only one HP 9000 and is > working fine. Our staging and development areas invlove multiple > HP > 9000's that run processes between each other and transmissions > get > lost. > > If we drop the firewall daemon and let traffic pass through the > Sparc > station this process works fine with multiple HP hosts. 
In > troubleshooting we have gone so far as to add a #1 rule for > ANYtoANYtoANY and it still does not work. This has stumped both > our > local FW1 vendor as well as SUN support. > > Has anyone run into a similar problem? As far FW1 goes everthing > we > attempt to pass through it is correctly filtered except where > multiple > UNIX hosts are involved. > > Any help is appreciated... > > Scott Thomas > Systems Officer > 847-622-5762 > > From owner-firewalls-outgoing Thu Jul 3 14:23:37 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA19231 for firewalls-outgoing; Thu, 3 Jul 1997 12:58:28 -0700 (PDT) Received: from panenergy.com (igate.panenergy.com [198.64.254.5]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA19057 for ; Thu, 3 Jul 1997 12:57:58 -0700 (PDT) Received: by igate.panenergy.com id <36914>; Thu, 3 Jul 1997 14:58:53 -0500 Message-Id: <97Jul3.145853cdt.36914@igate.panenergy.com> X-Sender: rlaird@igate.panenergy.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Thu, 3 Jul 1997 15:00:45 -0500 To: Firewalls@GreatCircle.COM From: Robert Laird Subject: Slightly Off Topic: A security issue Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Since my new Web server is going to sit outside the firewall, I'm wondering if MS IIS or Netscape's Enterprise is "more secure" than the other? Obviously, I'm not putting anything on it that is anything other than public information, and it will be monitored daily for intrusion, and their won't be any user log-ins other than necessary. Any thoughts/comments for a newbie? Thanks! 
-- Robert mailto:rlaird@panenergy.com From owner-firewalls-outgoing Thu Jul 3 14:34:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA03691 for firewalls-outgoing; Thu, 3 Jul 1997 14:07:37 -0700 (PDT) Received: from mail.Germany.EU.net (mail.germany.eu.net [192.76.144.65]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA03554 for ; Thu, 3 Jul 1997 14:07:10 -0700 (PDT) Received: from ns.pdv.de [194.139.111.2] by mail.Germany.EU.net with SMTP (5.61c:012/2.7.0.i) id XAA20581; Thu, 3 Jul 1997 23:10:01 +0200 (MET DST) Received: by wall.pdv.de (8.6.11/GEN-1.2.3) via EUnet for mail.germany.eu.net id QAA01328; Thu, 3 Jul 1997 16:37:25 +0200 Received: from moon(192.168.12.25) by wall.pdv.de via smap (V1.3) id sma001325; Thu Jul 3 16:37:04 1997 Message-Id: <3.0.32.19970703163433.00ba9100@tgate.pdv.de> X-Sender: nerle@tgate.pdv.de X-Mailer: Windows Eudora Pro Version 3.0 Demo (32) Date: Thu, 03 Jul 1997 16:34:33 -0500 To: firewalls@greatcircle.com From: Dirk Nerling Subject: need suggestion xntpd a security hole ??? Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello all, I plan to update the time of our internal net from an Internet Time Server on a regular basis. Does anbody of you know something about the xntpd? Any intrusion listed? What do the experts suggest? 
so long
Dirk
--
Milky Way - Sol System - Earth - Europe - Germany - Thuringia - Erfurt
http://wall.pdv.de/~nerle

From owner-firewalls-outgoing Thu Jul 3 15:32:38 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA25696 for firewalls-outgoing; Thu, 3 Jul 1997 11:16:30 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id LAA25608; Thu, 3 Jul 1997 11:16:05 -0700 (PDT)
Received: from gauntlet.bridge.com (gkbkup2.bridge.com [167.76.159.20]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id LAA28270; Thu, 3 Jul 1997 11:21:26 -0700 (PDT)
Received: by gauntlet.bridge.com; id NAA24872; Thu, 3 Jul 1997 13:18:09 -0500 (CDT)
Received: from dns1srv.bridge.com(167.76.36.6) by gauntlet.bridge.com via smap (3.2) id xma024852; Thu, 3 Jul 97 13:18:05 -0500
Received: from binki.bridge.com (binki.bridge.com [167.76.24.243]) by dns1srv.bridge.com (8.7.6/8.7.3) with ESMTP id NAA06030; Thu, 3 Jul 1997 13:18:32 -0500 (CDT)
Received: (from ken@localhost) by binki.bridge.com (8.7/8.7) id NAA23944; Thu, 3 Jul 1997 13:19:15 -0500 (CDT)
Date: Thu, 3 Jul 1997 13:19:15 -0500 (CDT)
From: Ken Hardy
Message-Id: <199707031819.NAA23944@binki.bridge.com>
To: montenegro@nutec.com.br, Firewalls@GreatCircle.COM, BSTACKPO@sla.com
Subject: RE: IP Filters?
Cc: firewalls@GreatCircle.COM
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

"Stackpole, Bill" wrote:
>There are some techniques you can use to speed up access list
>processing. Remember a Cisco list is exited on the first true so you
>can add lines like:
>
> ! TCP or UDP Ports above the last service you are permitting
> ! this is done to speed up the list processing
> access-list 101 deny tcp any host 255.255.255.255 gt 80
> access-list 101 deny udp any host 255.255.255.255 gt 19
>
>just before all the specific rules to speed up list processing.

Seems to me that that would speed things up most *if* the most common
packets were those you're denying. Hopefully people are not continually
banging on your router with prohibited traffic, and most of the packets
it needs to process are those that are specifically allowed. In such a
case, wouldn't it make more sense to put the rules that *allow* the most
common traffic first? Just guessing, but you ought to be able to get
80%-90% or more of all packets to hit within the first half-dozen or so
rules.

--
KH

From owner-firewalls-outgoing Thu Jul 3 15:35:00 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA27468 for firewalls-outgoing; Thu, 3 Jul 1997 13:42:46 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA27237 for ; Thu, 3 Jul 1997 13:41:31 -0700 (PDT)
Received: from mailhost.dircon.co.uk (mailhost.dircon.co.uk [194.112.32.10]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id NAA01791 for ; Thu, 3 Jul 1997 13:21:07 -0700 (PDT)
Received: from wend.dircon.co.uk (wend.dircon.co.uk [194.112.45.154]) by mailhost.dircon.co.uk (8.8.4/8.7.3) with ESMTP id VAA19071; Thu, 3 Jul 1997 21:18:33 +0100 (BST)
Received: from localhost (dwhitlow@localhost) by wend.dircon.co.uk (8.8.5/8.8.5) with SMTP id VAA00562; Thu, 3 Jul 1997 21:11:34 +0100
Date: Thu, 3 Jul 1997 21:11:33 +0100 (BST)
From: Dave Whitlow
To: Ken Hardy
cc: firewalls@GreatCircle.COM
Subject: Re: global whois servers ??
In-Reply-To: <199707031612.LAA23825@binki.bridge.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 3 Jul 1997, Ken Hardy wrote:
> I'm trying to determine who's up to some mischief as indicated by my
> firewall logs. They're coming from a .com.au domain.
I'm aware of > rs.internic.net for US domains and whois.ripe.net for European, but what > about .au, etc. > Does anyone know of a comprehensive list of whois server (or other > means) for learning information about various domains around the world, > such as contacts? Thanks. The third one, covering Asia-Pacific (including au) is APNIC. Access their server at www.apnic.net. There are country servers within apnic area which are also searchable and have links from the APNIC server. I find whois via www.thnic.net is useful for querying any of the NIC databases. Cheers, Dave ------------------------------------------------------------------------- Dave Whitlow Tel: +44-(0)181-861-2001 Idsec Ltd Fax: +44-(0)181-861-3433 Suite A, 31-33 College Road, Mail: dwhitlow@idsec.co.uk Harrow, HA1 1EJ, UK Web: http://www.idsec.co.uk From owner-firewalls-outgoing Thu Jul 3 15:44:48 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA21456 for firewalls-outgoing; Thu, 3 Jul 1997 13:07:06 -0700 (PDT) Received: from srv1-poa.nutecnet.com.br (srv1-poa.nutecnet.com.br [200.248.149.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA21241 for ; Thu, 3 Jul 1997 13:06:20 -0700 (PDT) Received: from nutspgw.nutec.com.br ([200.246.248.99]) by srv1-poa.nutecnet.com.br (8.8.5/SCA-6.6) with SMTP id RAA07314; Thu, 3 Jul 1997 17:56:58 -0200 (EDT) Received: from nutspgw.nutec.com.br by canario.nutec.com.br id aa11958; 3 Jul 97 15:50 GMT From: "Fernando da Silveira Montenegro" To: "Ken Hardy" Cc: "Lista Firewalls" Received: from cancun.sao.nutecnet.com.br ([200.246.248.224]) by firewall.nutec.com.br via smtpd (for canario.nutec.com.br [192.168.2.2]) with SMTP; 3 Jul 1997 16:00:15 UT Subject: Re: IP Filters? 
Date: Thu, 3 Jul 1997 15:57:51 -0300
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.71.0926.0
X-MimeOLE: Produced By Microsoft MimeOLE Engine V4.71.0926.0
Message-ID: <9707031550.aa11958@canario.nutec.com.br>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi!

>Just guessing, but you ought
>to be able to get 80%-90% or more of all packets to hit within the first
>half-dozen or so rules.

If you sort your rules nicely, you can decide on the majority of the
packets within the first few rules. The problem arises when you specify a
number of denys before the catch-all permit rule (remember, my environment
is an ISP, where high ports are allowed and expected).

For instance, if you look at the numbers below, you'll see that a LOT of
UDP traffic (over 99.5% of it, as a matter of fact) had to follow at least
3 UDP-only rules, and that's because I can use the "range" operator (on
other filtering engines, such as Livingston's, I'd need an additional 4
rules). With TCP, the number is a bit better because the huge huge
majority (93.5%) matches the first rule, for "established" connections,
but still, each server that I describe (such as the fictitious SMTP server
below) adds more and more TCP rules. And I have quite a few servers...

permit tcp any any established (73048149 matches)
deny udp any any range 135 139 (176027 matches)
deny udp any any eq sunrpc
deny udp any any eq 2049 (164 matches)
permit udp any any (36431719 matches)
permit tcp any host 192.168.1.1 eq smtp (53081 matches)
permit tcp any host 192.168.1.1 eq 113 (240630 matches)
deny tcp any host 192.168.1.1 (520 matches)
deny tcp any any range 135 139 (407 matches)
deny tcp any any eq sunrpc
deny tcp any any eq 2049 (38 matches)
permit tcp any any (4749786 matches)
permit icmp any any (837948 matches)

I don't know how the routers implement the filtering mechanism (separate
table for UDP, TCP, IP, ICMP, ...?) but in the worst case (simple table
lookup), I'll have to have 5% of my TCP traffic go through 150-200 rules.
That is what worries me.

Am I making sense or just making a fool of myself by having this concern?
I mean, is the performance penalty noticeable?

>--
>KH
>

Fernando
--
Fernando da Silveira Montenegro       Nutec Informatica
System/Network Administrator          Sao Paulo, SP, BRAZIL
mailto:montenegro@nutec.com.br        http://www.nutecnet.com.br
voice.:+55-11-5505-5728               #include

From owner-firewalls-outgoing Thu Jul 3 16:05:17 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA19271 for firewalls-outgoing; Thu, 3 Jul 1997 10:41:33 -0700 (PDT)
Received: from mail.jet.es (jet.es [194.179.100.15]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA19055 for ; Thu, 3 Jul 1997 10:40:43 -0700 (PDT)
Received: from hackenbush.ugm.fre (tony@info47.jet.es [194.224.180.47]) by mail.jet.es (8.8.5/8.8.5) with ESMTP id RAA18969; Thu, 3 Jul 1997 17:45:48 -0100 (GMT)
Received: from hackenbush (tony@hackenbush [192.168.0.1]) by hackenbush.ugm.fre (8.8.3/8.8.3) with SMTP id SAA00315; Thu, 3 Jul 1997 18:21:28 +0200
Date: Thu, 3 Jul 1997 18:21:28 +0200 (MET DST)
From: Tony
X-Sender: tony@hackenbush
To: "Kelly E. Gibbs"
cc: Anton J Aylward , firewalls@GreatCircle.COM
Subject: Re: Microsoft plans to offer a firewall
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 2 Jul 1997, Kelly E. Gibbs wrote:
> go up against the supreme deliverer of software. Gee, if Hitler were
> around he'd love to be in Bill Gate's shoes: World Dominance - what a
> concept! Same principle - just applied to software that's all.

is Bill Gates the antichrist? :-))))

Quidquid latine dictum sit, altum viditur.
(Whatever is said in Latin sounds profound.)

From owner-firewalls-outgoing Thu Jul 3 16:19:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA12805 for firewalls-outgoing; Thu, 3 Jul 1997 14:48:02 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.34]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA11181 for ; Thu, 3 Jul 1997 14:41:30 -0700 (PDT)
Received: from mail1.noc.netcom.net (mail1.noc.netcom.net [204.31.1.150]) by miles.greatcircle.com (8.8.5/Miles-970308-2) with ESMTP id OAA02444 for ; Thu, 3 Jul 1997 14:17:25 -0700 (PDT)
Received: from cayman.gblhorizon.com ([206.86.247.28]) by mail1.noc.netcom.net (8.8.5/8.8.5) with SMTP id OAA07677 for ; Thu, 3 Jul 1997 14:09:28 -0700 (PDT)
Received: by cayman.gblhorizon.com (SMI-8.6/SMI-SVR4) id QAA04500; Thu, 3 Jul 1997 16:04:45 -0500
Date: Thu, 3 Jul 1997 16:04:45 -0500 (CDT)
From: Ken Jones
To: Firewalls@GreatCircle.COM
Subject: Re: IP Filters?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 3 Jul 1997, Brian Mitchell wrote:
> If you do stuff like handle the most frequent packets first (say an
> established entry as the first rule) you shouldn't have too much of a
> performance problem. The key is getting the majority of packets evaluated
> at the very beginning, leaving the somewhat unusual packets near the end.
>

Beware of putting the established entry first. Your first rules should
deny spoofed packets from your internal ip addresses. If you allow
established packets first, then outsiders can send packets with IP
addresses spoofed to look like they are coming from inside your
network.. it's a no no

Ken Jones

From owner-firewalls-outgoing Thu Jul 3 16:34:23 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA07894 for firewalls-outgoing; Thu, 3 Jul 1997 14:26:10 -0700 (PDT)
Received: from scifi.squawk.com (scifi.squawk.com [199.74.151.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA07848 for ; Thu, 3 Jul 1997 14:25:49 -0700 (PDT)
Received: from localhost (njs@localhost) by scifi.squawk.com (8.8.5/8.8.5) with SMTP id RAA05035; Thu, 3 Jul 1997 17:28:42 -0400
Date: Thu, 3 Jul 1997 17:28:42 -0400 (EDT)
From: Nick Simicich
X-Sender: njs@scifi
To: Fernando da Silveira Montenegro
cc: Firewalls@GreatCircle.COM
Subject: Re: IP Filters?
In-Reply-To: <9707030835.aa04683@canario.nutec.com.br>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

One client reported enormous degradation on high volume applications
with even one filter rule.

On Thu, 3 Jul 1997, Fernando da Silveira Montenegro wrote:
> Date: Thu, 3 Jul 1997 08:42:35 -0300
> From: Fernando da Silveira Montenegro
> To: Firewalls@GreatCircle.COM
> Subject: IP Filters?
>
> Hello all!
>
> What seems to be the general consensus on how many filtering rules one can
> configure on a router without imposing a noticeable performance penalty:
> 10? 50? 100?
>
> I know it probably varies wildly with the equipment you use (2501 x 7500,
> for instance), but is anybody running a Cisco 4000 with more than, say,
> 100 rules for each filter applied to an interface?
The router has 8MB, and > is talking two T1s (bonded, no multihoming). > > We plan to tighten up our environment a bit (too many DoS attacks for our > liking), and are considering also stricter filters on our terminal servers > (PortMaster2 units from Livingston). Same question applies: how many > filters on a 1MB PM2? > > The problem is that the environment being protected is an ISP, so the > typical "block unless needed" stance doesn't apply. > > Thanks in advance. I'll summarize later if there's interest. > > Regards, > Fernando > > ObFirewall: Filtering is one element of our security architecture, which > is migrating to a secure subnet protected by app.level firewall, and is, > as usual, the first line of defense. > -- > Fernando da Silveira Montenegro Nutec Informatica > System/Network Administrator Sao Paulo, SP, BRAZIL > mailto:montenegro@nutec.com.br http://www.nutecnet.com.br > voice.:+55-11-5505-5728 #include > > > Of course my password is the same as my pet's name. My macaw's name was Q47pY!3, but I change it every 90 days. Nick Simicich mailto:njs@scifi.squawk.com or (last choice) mailto:njs@us.ibm.com http://scifi.squawk.com/njs.html -- Stop by and Light Up The World! 
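An added example (not from any of the posts above) of the two points in this thread: Fernando's worry about a linear walk over the access list, and Ken Jones's warning that an "established" rule placed first lets spoofed inside-source packets through. It models the Cisco-style list quoted above in a toy first-match evaluator; the inside network 192.168.1.0/24 and the sample packets are assumptions, and match counters are not modelled.

```python
"""Toy first-match packet filter modelling the access list quoted in the thread.

Added example, not the list posters' code.  The internal network
192.168.1.0/24 is an assumption; 192.168.1.1 is the host from the quoted
list.  "established" is taken as Cisco does: TCP ACK or RST bit set.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"
INTERNAL = "192.168.1.0/24"   # assumed inside address space


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    established: bool = False  # TCP ACK or RST set


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    proto: str                 # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str = ANY
    dst: str = ANY
    ports: tuple = ()          # (low, high) inclusive destination port; () = any
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.ports and not (self.ports[0] <= p.dport <= self.ports[1]):
            return False
        if self.established and not p.established:
            return False
        return True


def evaluate(rules, packet):
    """First-match evaluation with an implicit deny at the end.

    Returns (action, rules_examined) so the cost of the linear lookup that
    Fernando is worried about is visible next to the verdict.
    """
    for n, rule in enumerate(rules, start=1):
        if rule.matches(packet):
            return rule.action, n
    return "deny", len(rules)


# The access list quoted in the thread, in the order it was posted.
ESTABLISHED_FIRST = [
    Rule("permit", "tcp", established=True),
    Rule("deny", "udp", ports=(135, 139)),
    Rule("deny", "udp", ports=(111, 111)),                          # sunrpc
    Rule("deny", "udp", ports=(2049, 2049)),
    Rule("permit", "udp"),
    Rule("permit", "tcp", dst="192.168.1.1/32", ports=(25, 25)),    # smtp
    Rule("permit", "tcp", dst="192.168.1.1/32", ports=(113, 113)),
    Rule("deny", "tcp", dst="192.168.1.1/32"),
    Rule("deny", "tcp", ports=(135, 139)),
    Rule("deny", "tcp", ports=(111, 111)),
    Rule("deny", "tcp", ports=(2049, 2049)),
    Rule("permit", "tcp"),
    Rule("permit", "icmp"),
]

# Ken Jones's ordering: on the outside interface, refuse anything that
# claims an inside source address before the "established" shortcut.
ANTISPOOF_FIRST = [Rule("deny", "ip", src=INTERNAL)] + ESTABLISHED_FIRST

# Constructed packets.  The spoofed one carries an inside source address
# with the ACK bit set, exactly the case Ken describes.
SPOOFED_ACK = Packet("tcp", "192.168.1.50", "192.168.1.1", 25, established=True)
OUTSIDE_SYN = Packet("tcp", "10.1.2.3", "192.168.1.1", 25)
OUTSIDE_PING = Packet("icmp", "10.1.2.3", "192.168.1.1")


if __name__ == "__main__":
    for name, rules in (("established first", ESTABLISHED_FIRST),
                        ("anti-spoof first", ANTISPOOF_FIRST)):
        for label, pkt in (("spoofed ACK", SPOOFED_ACK),
                           ("outside SYN", OUTSIDE_SYN),
                           ("outside ping", OUTSIDE_PING)):
            print(f"{name:18} {label:13} -> {evaluate(rules, pkt)}")
```

With the posted ordering the spoofed ACK is permitted by rule 1; with the anti-spoof rule in front it is denied by rule 1, and every legitimate outside packet costs exactly one extra comparison.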
From owner-firewalls-outgoing Thu Jul 3 17:48:25 1997
Message-ID: <3F8FEAE41F94D0119CE900805FFECA1201050F60@roc01bxgeisge.is.ge.com>
Date: Thu, 3 Jul 1997 17:25:31 -0400
From: "Safier, Adam (GEIS)"
To: "Firewalls@GreatCircle. COM (E-mail)"
Subject: Re: Remote management of firewalls internationally

Essentially, you have several architectures (or combinations thereof) to
choose from.

Most firewall vendors I know of offer a GUI management interface of some
sort with encrypted sessions to the FW. Most GUIs are also limited in what
they can configure, so at some point during initial setup you will need
telnet or console access - most FWs require at least a little editing of
some ASCII configuration files. The GUIs are OK for most subsequent basic
maintenance of the FW rules but don't help with system admin very much,
i.e. if your log files fill up the disk it's back to telnet/console access.
The telnet link can be encrypted. Most FW installers don't like allowing
telnet to the FW, especially from the external interface, so you might need
an internal node you connect to first.

It's really a good idea to have someone at the remote side who can follow
basic directions to hit the reset switch and even enter some debug commands
with your understanding and very patient guidance (or a sys admin, though
I've found cash register operators can be excellent resources for remote
control!)

Checkpoint's Firewall-1 takes things a step further - they break their
system into 3 parts: a gateway, a manager and a GUI. The GUI - Manager -
gateway links are encrypted. One manager can control several gateways and
the GUI can be run from several platforms. Gets to be fun. Below is a GUI
going through the FW gateway to the Manager station, which comes back via
an encrypted link to control the gateway. If you screw up and cut off
access from your GUI, you call someone and get them to log on to the
Manager either from the Manager console or another workstation running the
GUI (GUI-2).

    GUI ******** FWGW ****** Manager ******** GUI-2
     |*                        |*
    Telnet-----FWGW *********** FWGW

    * = encrypted data
    - and | = unencrypted portion of telnet link

The one problem I have with this is that when you want to telnet it might
not be encrypted over parts of the link. You either need to provide special
secure telnet software OR run from the inside of another FW gateway, as in
the diagram above, in which case the local LAN portion of the telnet is in
the clear (might be OK if your policy says so and you don't want to change
it!). FWGW to FWGW links can be encrypted and form the basis of a VPN
(nothing says they must).

The main issue you will run into is local laws about what may or may not be
encrypted. Even if you don't go into an encryption-controlling country (fat
chance in Europe), take into consideration what laws apply to traffic
traversing but not stopping in a country where encryption is banned.

Personally, I don't like the idea of setting up a dial-up back door to
manage the FW even if it is encrypted, but that is another option.

I once had the luxury of having a physically isolated private 10BaseT net
dedicated just for firewall management - no other type of traffic allowed,
but it's a rare luxury.

> A suggestion from a close and wise friend asked me to inquire about this:
>
>
> How can one remotely manage firewalls that are on the other side of the world?
> How can it be done? and done safely?

---------------
Adam Safier, Consultant
GE Information Services, Inc
401 North Washington St., Rockville, Md. 20850
Ph: 301-340-5737  8*273-5737
Adam.Safier@geis.ge.com
The opinions expressed may not be shared by my employer.
I'm proud to live in a country where I can express them.
---------------

From owner-firewalls-outgoing Thu Jul 3 17:49:21 1997
From: firstcat@lsli.com
Date: Thu, 3 Jul 97 09:40:28
Subject: RE: Firewall on AIX

Livermore Software Labs has been building AIX firewalls since 1993. Give us
a call or visit our web site at http://www.lsli.com

Cheers
Jay

---
On Thu, 03 Jul 1997 10:10:01 +0200 "Gruppo ONS riunito S.p.A. (Società per Adulazione)" wrote:

>In 1, Jul, 1997 I wrote:
>...I've had some research on firewall on AIX, but I got very little.
>...I have some FAQ at the
>...http://www.checkpoint.com/opsec/Partners/memco/faq.html:
>
>...- 6. Which versions of FireWall-1 are compatible with SeOS Secured!
>...- For FireWall-1?
>
>...- SeOS Secured! For FireWall-1 is compatible with FireWall-1 version 2.1
>...- and version 3.0 for Solaris on Sun SPARC and x86. SunOS and HP-UX
>...- versions are currently in Beta testing and will be available soon. IBM ...AIX
>...- and Windows NT versions are in development.
>...It will be available until the third quarter of the year.
>
>Roger Rea replied to me:
>>From: Roger Rea
>>To:
>>Cc: <75816664@ITHVM03.vnet.ibm.com>
>>Subject: Fwd: Firewall on AIX
>>Date: Wed, 2 Jul 1997 17:30:11 -0400
>>
>>Gabriele.................Perhaps you have not looked at the current version of
>>the IBM Firewall. We are a much more complete firewall than other firewalls,
>>offering not only filtering architectures like Check Point, but also
>>Application Gateways and Circuit Level Gateways. So you get three firewalls in
>>one.
>
>PERHAPS YOU HAVEN'T LOOKED AT THE LAST 3 OR 4 VERSIONS OF THE CHECKPOINT
>FIREWALL.
>IT USES THE "STATEFUL INSPECTION" TECHNOLOGY TO FILTER ALL ISO LAYERS FROM
>THE NETWORK LAYER TO THE APPLICATION IN ONLY ONE PASS: THERE'S AN "INSPECT
>ENGINE" THAT, USING DYNAMIC STATE TABLES, ASSURES A FAST AND TRANSPARENT
>INSPECTION.
>
>>We also offer Network Address Translation, logging, alerting, a JAVA-based GUI
>>with pre-defined services and context sensitive help. We've had IPSEC tunnels
>>for several releases and have added in the current release client IPSEC
>>software at no additional charge. We offer the Network Security Auditor, which
>>allows you to scan the network for security weaknesses.
>>
>>You can learn more about the IBM Firewall for AIX V3.1 and download trial
>>software from our web site at: http:\\www.ics.raleigh.ibm.com\firewall
>
>THANK YOU FOR THE INFORMATION
>
>---------------------------------------------------------------
> Gabriele Faggioni
>
> Open Network Services - Security
> Cap Gemini Italia S.p.A.
> Via Lombroso, 54
> MILANO (ITALIA)
> http://www.sif.cgs.it
>
> mailto:gfaggion@sif.cgs.it
> tel. ++39 2 59924 420
> fax. ++39 2 59924 245
-----------------End of Original Message-----------------

-------------------------------------
Jay Lyall
Channel Sales Director
Livermore Software Laboratories, Intl.
2825 Wilcrest, Suite 160
Houston, Texas 77042-3358
1-713-974-3274
jay@lsli.com
Date: 7/3/97
668 - The Neighbor of the Beast
-------------------------------------

From owner-firewalls-outgoing Thu Jul 3 18:26:30 1997
Date: Thu, 3 Jul 1997 15:33:19 -0400 (EDT)
From: Meenoo Shivdasani
To: Ken Hardy
cc: firewalls@GreatCircle.COM
Subject: Re: global whois servers ??
In-Reply-To: <199707031612.LAA23825@binki.bridge.com>

On Thu, 3 Jul 1997, Ken Hardy wrote:

> Does anyone know of a comprehensive list of whois servers (or other
> means) for learning information about various domains around the world,
> such as contacts? Thanks.

http://kryten.eng.monash.edu.au/whois-servers.list has a pretty large list
of whois servers.

M
meenoo@tis.com
NOTE: I do not speak for my employer

From owner-firewalls-outgoing Thu Jul 3 18:41:15 1997
Date: Thu, 3 Jul 1997 16:34:43 -0700 (PDT)
From: Dave Dittrich
To: Firewalls@GreatCircle.COM
Subject: Re: Calling the Horde
In-Reply-To: <199707032233.PAA23522@honor.greatcircle.com>

> Date: Thu, 3 Jul 1997 18:20:31 -0000
> From: hartmut.fehling@hamburg.netsurf.de
> Subject: Calling the Horde
>
> Hi,
>
> I just installed Checkpoint's Firewall-1 in a cascaded
> configuration with a proxy and could not detect any security holes
> myself using standard security scanners.
>
> In order to make a really tough test before I actually connect the
> gateway to our network, I could ask some people I know in the
> Underground to spread the IP-Address, maybe the HW/SW-Configuration
> and perhaps even the FW-1-Settings and invite the guys to try it out
> and break in (into the empty network behind it).
>
> Question: Is this a wise thing to do / Has anybody "invited" Hackers in
> such a fashion?

Probably not. I don't know about the laws in Germany, but to invite someone
into your network (especially if you aren't clear about when the invitation
is withdrawn) can give an attacker who later succeeds in getting through
the firewall a justifiable defense that would get them an acquittal. I
don't know the precedent, but the story is being bandied about at security
conferences about this occurring in a legal case. The cracker's defense
was, essentially, "the login message said, 'Welcome to AIX' and so I had
permission to come in." You hear all the time to remove any "Welcome..."
banners and instead warn unauthorized users to leave and to warn everyone
that keystrokes, files, etc. may be monitored during investigations.

I'm not a lawyer, but I would definitely make any such invited tests be
done with signed documents stating what they are being invited to do, when
they can and can't attempt entry, and explicitly stating that any attempts
after the test is over will be prosecuted as real break-in attempts.

--
Dave Dittrich                          Client Services
dittrich@cac.washington.edu            Computing & Communications
                                       University of Washington
Dave Dittrich / dittrich@cac.washington.edu

From owner-firewalls-outgoing Thu Jul 3 19:35:28 1997
Date: Fri, 4 Jul 1997 08:26:23 +0800 (HKT)
From: "Neil D. Quiogue"
To: Dirk Nerling
cc: firewalls@GreatCircle.COM
Subject: Re: need suggestion xntpd a security hole ???
In-Reply-To: <3.0.32.19970703163433.00ba9100@tgate.pdv.de>

On Thu, 3 Jul 1997, Dirk Nerling wrote:

> I plan to update the time of our internal net from
> an Internet Time Server on a regular basis. Does
> anybody of you know something about the xntpd?
>
> Any intrusion listed? What do the experts suggest?

I've read/heard of no intrusions based on xntp. Of course, it also depends
on the implementation of xntp (i.e., the version and platform). Usually,
the ntp server (of some stratum) is placed in the bastion host, which
hopefully would be secured 'enough'.

[---]
Neil D. Quiogue
IPhil Communications Network, Inc.
e-mail: neil@iphil.net

From owner-firewalls-outgoing Thu Jul 3 19:40:46 1997
Date: Fri, 4 Jul 1997 08:01:42 +0800 (HKT)
From: "Neil D. Quiogue"
To: hartmut.fehling@hamburg.netsurf.de
cc: Firewalls@GreatCircle.COM
Subject: Re: Calling the Horde
In-Reply-To: <19970703181733.hartmut.fehling@hamburg.netsurf.de>

On Thu, 3 Jul 1997 hartmut.fehling@hamburg.netsurf.de wrote:

> In order to make a really tough test before I actually connect the gateway
> to our network, I could ask some people I know in the Underground to spread
> the IP-Address, maybe the HW/SW-Configuration and perhaps even the
> FW-1-Settings and invite the guys to try it out and break in (into the
> empty network behind it).
>
> Question: Is this a wise thing to do / Has anybody "invited" Hackers in
> such a fashion?

Check the legalities of this 'breaking' session. There are companies which
have security policies that do not allow this. And I think it is bad
practice to do this since the information would cascade throughout the
underground community. Why not try to do this yourself? In security
parlance, do not trust anyone.

[---]
Neil D. Quiogue
IPhil Communications Network, Inc.
e-mail: neil@iphil.net

From owner-firewalls-outgoing Thu Jul 3 19:49:19 1997
Date: Fri, 4 Jul 1997 10:38:09 +1000
From: Phil Burg
To: "'firewalls@greatcircle.com'"
Subject: another Citrix Winframe query

G'day all

My apologies if this has been discussed before; I searched the archives but
couldn't find this problem.

Some of my users want to connect, through our firewall, to a third-party
Winframe server. The client PCs will be connected to our LAN at the same
time as the remote server. I'm wondering if there's a known exposure in the
Winframe client software that would allow the client PCs to be compromised?

regards
Phil
--
Phil Burg
Technical Analyst
Information Systems Security
Coles Myer Ltd
(03) 9483 7613

From owner-firewalls-outgoing Thu Jul 3 20:04:13 1997
Date: Thu, 03 Jul 1997 20:30:39 -0500
From: LARRY HUNKA
Reply-To: LHunka@nicorinc.com
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V6 #314 -Reply

I'll be out of the office until 7/7/97. I'll respond at that time...
From owner-firewalls-outgoing Thu Jul 3 20:19:47 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA15224 for firewalls-outgoing; Thu, 3 Jul 1997 19:37:55 -0700 (PDT) Received: from alpha2.curtin.edu.au (alpha2.curtin.edu.au [134.7.70.20]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA15175 for ; Thu, 3 Jul 1997 19:37:40 -0700 (PDT) Received: from rara24.curtin.edu.au (rara24.curtin.edu.au) by alpha2.curtin.edu.au (PMDF V5.0-6 #7809) id <01IKU3U5HUUOBB7VHO@alpha2.curtin.edu.au>; Fri, 04 Jul 1997 10:42:45 +0800 Date: Fri, 04 Jul 1997 10:41:54 +0800 From: Bret Watson Subject: Re: Microsoft plans to offer a firewall In-reply-to: <33BB53E7.583F@pacificnet.net> X-Sender: climbing@skuld.cage.curtin.edu.au To: osiris@pacificnet.net Cc: firewalls@GreatCircle.com Message-id: MIME-version: 1.0 Content-type: text/plain; charset="us-ascii" Content-transfer-encoding: 7BIT References: <199707030318.XAA11240@kiri.meretrix.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >C&L claim that the product withstood attacks from "...well-known and ... >"may" present some security issues. Let me repeat that: IP forwarding >MAY present some security issues. > Sounds like a normal netowrk audit report, in otherwords - it stopped all our tests, but a new test might come up tomorrow or you might change anything on the system and that might let something through. I love IT audit reports - they try so hard to dodge committing to anything that they end up not worth the paper they are printed on. I have to admit I'm gulty too - the last ISS scan I did for C&L had a restricted scope (decided by the client) and thus was inconclusive - so I just covered my ass like there was no tomorrow. But think about it - most new proxy servers will resist ISS without a drama - why? because ISS uses known attacks on known services - we don't know the attacks on MSP yet - but I'm sure they're out there. 
Cheers, Bret Bret Watson & Associates, Computer Security Consultants Bret.Watson@bwa.net http://www.bwa.net/ Phone: +61 41 4411 149 (local time UTC +8) Fax: +61 8 9454 6042 From owner-firewalls-outgoing Thu Jul 3 21:04:11 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA16171 for firewalls-outgoing; Thu, 3 Jul 1997 19:44:17 -0700 (PDT) Received: from alpha2.curtin.edu.au (alpha2.curtin.edu.au [134.7.70.20]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id TAA16141 for ; Thu, 3 Jul 1997 19:44:04 -0700 (PDT) Received: from rara24.curtin.edu.au (rara24.curtin.edu.au) by alpha2.curtin.edu.au (PMDF V5.0-6 #7809) id <01IKU430T6W0BB7UQ0@alpha2.curtin.edu.au>; Fri, 04 Jul 1997 10:49:14 +0800 Date: Fri, 04 Jul 1997 10:48:38 +0800 From: Bret Watson Subject: Re: need suggestion xntpd a security hole ??? In-reply-to: <3.0.32.19970703163433.00ba9100@tgate.pdv.de> X-Sender: climbing@skuld.cage.curtin.edu.au To: Dirk Nerling Cc: firewalls@GreatCircle.com Message-id: MIME-version: 1.0 Content-type: text/plain; charset="us-ascii" Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dirk, >I plan to update the time of our internal net from >an Internet Time Server on a regular basis. Does >anbody of you know something about the xntpd? > >Any intrusion listed? What do the experts suggest? NTP when not set up properly does provide a very big problem - basically an intruder can spoof the NTP packets and change timing within your network - thus doing things like hashing your logs. XNTPD can be set up to be safe. i. fully utilise the voting system - find at least 6 NTP servers (secondaries or above) that are geographically distant - I use one in france, in in Switzerland, one in Aust, one in NZ and one in Japan. ii. if you can get a DES library and rebuild XNTPD with it - there is a setting for it to use DES to authenticate - the auth is quite strong as it is effectively a one-time pad system. 
Most primaries will permit DES auth and some secondaries. The first item makes it very hard to spoof the packets, the second makes it impossible. Cheers, Bret Bret Watson & Associates, Computer Security Consultants Bret.Watson@bwa.net http://www.bwa.net/ Phone: +61 41 4411 149 (local time UTC +8) Fax: +61 8 9454 6042 From owner-firewalls-outgoing Thu Jul 3 21:19:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA04091 for firewalls-outgoing; Thu, 3 Jul 1997 20:59:52 -0700 (PDT) Received: from x11.boston.juno.com (x11.boston.juno.com [205.231.100.26]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA03872 for ; Thu, 3 Jul 1997 20:58:56 -0700 (PDT) Received: (from wiseleo@juno.com) by x11.boston.juno.com (queuemail) id AuL08396; Fri, 04 Jul 1997 00:01:35 EDT To: DECkedout@hotmail.com Cc: firewalls@GreatCircle.COM Date: Thu, 3 Jul 1997 20:50:08 -0700 Subject: Re: ICQ network Message-ID: <19970703.205644.15886.0.wiseleo@juno.com> References: <33BB6919.7FB6@hotmail.com> X-Mailer: Juno 1.38 X-Juno-Line-Breaks: 0-1,3-4,6-9,11-12,16-17,19-20,22-26,28,30-31,33-42 From: wiseleo@juno.com (Leonid S Knyshov) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi everyone, I believe we have a lot to worry about... Random incoming ports and stuff... Some good news, Java version of ICQ is due soon, meaning it can be disassembled with strace and similar tools and we will see the light :) That makes it truly cross-platform product *sigh*. Win/Mac World are no longer the only victims... I don't want any unchecked binary code on a UNIX machine... Try unrestricted file transfers in-bound and out-bound. Via ICQ file transfer feature. Or send URL, I believe that might invite you to a site where a CGI will check your information, hand you a Java applet and... Or even exploit that famous IE/Netscape collection of bugs... You see the possibilities? 
Add to that remote launch of programs (Netscape Conference for example), video games (Quake) etc... Thanks to Mirabilis for such a great product, but the specs are necessary to evaluate the threat... That's all for now, stay tuned :) *** Leonid Knyshov AKA Wise_One http://kiassociates.com/computerhelp http://kiassociates.com/computerhelp/personal For file attachments please use wiseleo@hotmail.com and send a note about it here :) On Thu, 03 Jul 1997 05:05:45 -0400 DECkedout writes: >That is the best idea i've heard of yet. I'd like them to see if they >can handle the rigors of releasing queastionable software and trying >to >get it patented... I sure have a few questions of my own. >Personally, >my bet is that they stay out of the spotlight until they become >commercial, then they don't have to release anything accept technical >support for morons. Well folks, let's see who joins the party. >-DECkedout From owner-firewalls-outgoing Thu Jul 3 21:49:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA07499 for firewalls-outgoing; Thu, 3 Jul 1997 21:17:56 -0700 (PDT) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id UAA03903 for ; Thu, 3 Jul 1997 20:59:05 -0700 (PDT) Message-Id: <199707040359.UAA03903@honor.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA122078350; Fri, 4 Jul 1997 13:52:31 +1000 From: Darren Reed Subject: Re: IP Filters? To: montenegro@nutec.com.br (Fernando da Silveira Montenegro) Date: Fri, 4 Jul 1997 13:52:30 +1000 (EST) Cc: Firewalls@GreatCircle.COM In-Reply-To: <9707030835.aa04683@canario.nutec.com.br> from "Fernando da Silveira Montenegro" at Jul 3, 97 08:42:35 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In some mail from Fernando da Silveira Montenegro, sie said: > > Hello all! 
> > What seems to be the general consensus on how many filtering rules one can > configure on a router without imposing a noticeable performance penalty: > 10? 50? 100? That's the wrong way to think about it. If you're even considering performance, then 0 rules is the number to use. If you're serious about your security, you use as many rules as required to safely secure your network, irrespective of performance problems (which should be addressed through other means, such as faster hardware), at your router. This might mean you just block spoofing attacks, with your firewall providing further security for applications, etc. darren From owner-firewalls-outgoing Thu Jul 3 22:19:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA21015 for firewalls-outgoing; Thu, 3 Jul 1997 08:02:19 -0700 (PDT) Received: from cih-gw.cih.com (cih-gw.cih.com [204.69.206.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA21007 for ; Thu, 3 Jul 1997 08:02:12 -0700 (PDT) Received: (from mail@localhost) by cih-gw.cih.com (8.7.6/8.6.9) id LAA16513; Thu, 3 Jul 1997 11:05:51 -0400 X-Authentication-Warning: cih-gw.cih.com: mail set sender to using -f Received: from cih-gw.cih.com(204.69.206.1) via SMTP by cih-gw.cih.com, id smtpd16511aaa; Thu Jul 3 15:05:45 1997 Date: Thu, 3 Jul 1997 11:05:45 -0400 (EDT) From: "Craig I. Hagan" Reply-To: hagan@cih.com To: "osiris@pacificnet.net" cc: "Kelly E. Gibbs" , Anton J Aylward , firewalls@GreatCircle.COM Subject: Re: Microsoft plans to offer a firewall In-Reply-To: <33BAD0BD.4399@pacificnet.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Throughout M$'s wonderful climb to dominate the world, where's the > > Justice Department? I wonder if Janet Reno uses '95? Wonder if she owned > > share's of Apple stock in the past? > > Ahhh...there are other possibilities. Here's the most likely: > > A. 
The folks in the Antitrust division are cowards; or > B. Their lawyers (DOJ) don't understand Antitrust law enough to pull it > off. Or they are nervous that they will get nailed by a harassment suit since they blew the last anti-trust one. They will need to get a _lot_ more evidence for a retry if they want a chance in hell. If they blow a second go at it, you can count on a third being HIGHLY unlikely. > But, that's academic, because the DOJ - for whatever reason - has failed > (and will continue to fail) in challenging M$. Looking at the alternatives, we should at least be grateful that M$ is a US company and not some foreign conglomerate. It is unfortunate that SUN still hasn't been able to figure out how to compete with Microsoft. Apple may have; however, I think that it is too late for them. The biggest thing in common with the two is that they need to transition from h/w to software or they are in BIG trouble as more and more of their lines become commodity products -- for Sun, anything short of the enterprise class is within firing range of Compaq and the rest of the herd. As for an M$ firewall, I'm sure that it will pale in comparison to anything, including something that people on this list could whip up in their spare time. However, Microsoft has proven time and time again that they aren't a software company, but a business which is intent on making money in any market niche they can find. For this reason, I intend on having at least a passing familiarity with their product because I'm convinced that the M$ name will mean more to people than the quality or capabilities of the software. Now for a big legal question: what sort of liability does a firewall vendor assume if they are responsible for the full gamut of installation of the machine and configuration against the local security policy? What if a product defect caused a breach of security for a company which resulted in secret/sensitive data being put all over the internet? 
Could it be that f/w vendors, should their product have an inherent weakness, are placing themselves at legal risk? Or could the strategy be "Hey, look, if they breach the firewall the OS crashes!" Makes me wonder. -- craig ------------------------------------------------------------------------------- Craig I. Hagan "It's a small world, but I wouldn't want to back it up" hagan@cih.com "True hackers don't die, their ttl expires" "It takes a village to raise an idiot, but an idiot can raze a village" Stop the spread of spam, use a sendmail condom! http://www.cih.com/~hagan/smtpd-hacks From owner-firewalls-outgoing Thu Jul 3 22:49:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA29122 for firewalls-outgoing; Thu, 3 Jul 1997 22:46:03 -0700 (PDT) Received: from gw.research.megasoft.com (gw.research.megasoft.com [206.230.35.93]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id WAA29105 for ; Thu, 3 Jul 1997 22:45:53 -0700 (PDT) Received: (from uucp@localhost) by gw.research.megasoft.com (8.7.5/8.7.3-cmcurtin) id CAA17456; Fri, 4 Jul 1997 02:01:19 -0400 (EDT) Received: from goffette.research.megasoft.com(192.168.1.2) by gw.research.megasoft.com via smap (V2.0) id xma017454; Fri, 4 Jul 97 02:01:05 -0400 Received: (from cmcurtin@localhost) by goffette.research.megasoft.com (8.8.5/8.8.5) id BAA27050; Fri, 4 Jul 1997 01:45:53 -0400 (EDT) Date: Fri, 4 Jul 1997 01:45:53 -0400 (EDT) Message-Id: <199707040545.BAA27050@goffette.research.megasoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit From: C Matthew Curtin To: Robert Laird Cc: Firewalls@GreatCircle.COM Subject: Re: Slightly Off Topic: A security issue In-Reply-To: <97Jul3.145853cdt.36914@igate.panenergy.com> References: <97Jul3.145853cdt.36914@igate.panenergy.com> X-Mailer: VM 6.22 under 19.15 XEmacs Lucid X-Face: 
"&>g(&eGr?u^F:nFihL%BsyS1[tCqG7}I2rGk4{aKJ5I_5A\*6RYn4"N.`1pPF9LO!Fa<(gj:12)?=uP2l01e10Gij"7j&-)torL^iBrNf\s7PDLm=rf[PjxtSbZ{J(@@j"q2/iV9^Mx>>>> "Robert" == Robert Laird writes: Robert> Since my new Web server is going to sit outside the firewall, Robert> I'm wondering if MS IIS or Netscape's Enterprise is "more Robert> secure" than the other? Given that even Microsoft has been having trouble keeping their site up and running due to people exploiting IIS and/or NT bugs, I'm inclined to believe that Microsoft's software is likely to be lower in quality than Netscape's. Also consider that Microsoft has been in "catch-up" mode for quite some time, ever since they decided that they needed to have an "internet strategy" (whatever that is). So, they're in a hurry to get stuff out the door, and are unlikely to hold up progress by doing things like extensive debugging. Further, Microsoft just isn't used to writing software that runs on untrusted networks, and the problems with their own web site seems a pretty good indication of their scalability and ability to resist attack. I like Netscape's servers quite a lot, and recommend them to someone who is looking for a commercial solution to their problem, or just can't edit configuration files for some reason to make a web server come up... Having said that, I'll add that my favorite web server is Apache. It's got full source code availability, and has lots of people looking it over. Bugs are much more likely to be discovered and fixed in that sort of product than in anything where source is not available. Further, it's darn, darn, fast, easy to configure and maintain, and it's free. Run it on a FreeBSD machine, and then see how Microsoft can claim that their almost-half-as-cool stuff can keep up, or come in at 1/3 the price... 
http://www.apache.org/ http://www.freebsd.org/ -- Matt Curtin Chief Scientist Megasoft Online cmcurtin@research.megasoft.com http://www.research.megasoft.com/people/cmcurtin/ I speak only for myself Pull AGIS.NET's plug! DES has fallen! http://www.frii.com/~rcv/deschall.htm From owner-firewalls-outgoing Fri Jul 4 00:04:53 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA16008 for firewalls-outgoing; Thu, 3 Jul 1997 23:56:53 -0700 (PDT) Received: from mail2.isdnet.net (mail2.hol.fr [194.149.160.36]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA15961 for ; Thu, 3 Jul 1997 23:56:43 -0700 (PDT) Received: from supervision.netsource.fr ([194.51.214.22]) by mail2.isdnet.net (8.8.5/Havas On Line) with SMTP id IAA13237 for ; Fri, 4 Jul 1997 08:59:45 +0200 (MET DST) Message-ID: <33BCA146.7059@hol.fr> Date: Fri, 04 Jul 1997 09:07:50 +0200 From: renouf X-Mailer: Mozilla 3.01-NSCP (Win95; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: (no subject) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk remove From owner-firewalls-outgoing Fri Jul 4 00:19:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA17821 for firewalls-outgoing; Fri, 4 Jul 1997 00:06:27 -0700 (PDT) Received: from marikit.iphil.net (marikit.iphil.net [203.176.0.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA17706 for ; Fri, 4 Jul 1997 00:05:55 -0700 (PDT) Received: from marikit.iphil.net (neil@marikit.iphil.net [203.176.0.4]) by marikit.iphil.net (8.8.5/8.8.5) with SMTP id PAA09672; Fri, 4 Jul 1997 15:08:36 +0800 Date: Fri, 4 Jul 1997 15:08:36 +0800 (HKT) From: "Neil D. Quiogue" To: Bret Watson cc: Dirk Nerling , firewalls@GreatCircle.COM Subject: Re: need suggestion xntpd a security hole ??? 
In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 4 Jul 1997, Bret Watson wrote: > i. fully utilise the voting system - find at least 6 NTP servers > (secondaries or above) that are geographically distant - I use one in > France, one in Switzerland, one in Aust, one in NZ and one in Japan. This suggestion would also make your system fault-tolerant to time server downtime due to differences both in domain and geography. It is also a good idea to have at least two local NTP servers to accommodate local server downtime, with the two peering with one another. [---] Neil D. Quiogue IPhil Communications Network, Inc. e-mail: neil@iphil.net From owner-firewalls-outgoing Fri Jul 4 00:34:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA20642 for firewalls-outgoing; Fri, 4 Jul 1997 00:23:48 -0700 (PDT) Received: from majestix.skp.de (majestix.skp.de [194.163.133.195]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA20591 for ; Fri, 4 Jul 1997 00:23:37 -0700 (PDT) Received: from steve (dhcp004 [192.168.0.24]) by majestix.skp.de (8.7.5/8.7.3) with SMTP id IAA09750; Fri, 4 Jul 1997 08:34:36 +0200 Message-Id: <199707040634.IAA09750@majestix.skp.de> Date: Fri, 04 Jul 1997 09:26:38 +0100 To: Derek Pokorny From: Stefan Farsch Cc: Subject: Re: In-Reply-To: <199707010527.HAA07033@majestix.skp.de> References: <199707010527.HAA07033@majestix.skp.de> MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Becky! ver 1.20 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > remove > Your 'remove' command has been disabled. Try again with another trick. 
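The "voting system" Bret Watson recommends and Neil Quiogue seconds in the xntpd thread above is NTP's clock selection: a reply that disagrees with the majority of configured servers is discarded as a falseticker, so an attacker has to forge more than half of the servers' replies to move the clock. The following is an added example written for this digest, not code from any poster and not taken from xntpd; it is a simplified version of the intersection algorithm NTP uses (Marzullo's algorithm, as specified in RFC 1305), and the server names, offsets and error bounds in it are constructed.

```python
"""Simplified NTP clock selection, the "voting" Bret Watson describes.

Each server sample is (name, offset, distance): the server's apparent offset
from our clock in seconds and its error bound (root distance). A truthful
server's real offset lies in [offset - distance, offset + distance]. The
intersection algorithm (Marzullo; RFC 1305) finds the widest range covered by
a majority of intervals; any server whose interval misses that range is a
falseticker and is ignored. All sample values below are constructed.
"""
from statistics import median
from typing import List, Optional, Tuple

Sample = Tuple[str, float, float]  # (server name, offset seconds, root distance seconds)


def intersection_interval(samples: List[Sample]) -> Optional[Tuple[float, float]]:
    """Return the [low, high] range agreed on by at least m - f servers, for the
    smallest f (falsetickers tolerated, f < m/2) that yields a non-empty range.
    None means no majority agrees, so no clock should be trusted."""
    m = len(samples)
    endpoints = []
    for _, offset, dist in samples:
        endpoints.append((offset - dist, -1))  # entering an interval
        endpoints.append((offset + dist, +1))  # leaving an interval
    endpoints.sort()                            # ties: lower edges sort before upper edges
    for f in range((m + 1) // 2):               # m - f is always a strict majority
        need = m - f
        low = high = None
        count = 0
        for x, kind in endpoints:               # ascending: intervals open at x
            count -= kind
            if count >= need:
                low = x
                break
        count = 0
        for x, kind in reversed(endpoints):     # the same scan from the top
            count += kind
            if count >= need:
                high = x
                break
        if low is not None and high is not None and low <= high:
            return low, high
    return None


def select_truechimers(samples: List[Sample]) -> Tuple[List[Sample], List[Sample]]:
    """Split samples into (truechimers, falsetickers) against the agreed range."""
    agreed = intersection_interval(samples)
    if agreed is None:
        return [], list(samples)
    low, high = agreed
    true_, false_ = [], []
    for s in samples:
        _, offset, dist = s
        overlaps = offset - dist <= high and offset + dist >= low
        (true_ if overlaps else false_).append(s)
    return true_, false_


def combined_offset(samples: List[Sample]) -> Optional[float]:
    """Correction to apply: median offset of the truechimers, or None if there
    is no majority (the safe choice is then to leave the clock alone)."""
    truechimers, _ = select_truechimers(samples)
    if not truechimers:
        return None
    return median(offset for _, offset, _ in truechimers)


# Constructed samples: five honest, geographically spread servers within 20 ms
# of each other, and forged replies that try to move our clock by an hour.
HONEST = [("fr", 0.008, 0.02), ("ch", 0.012, 0.02), ("au", 0.010, 0.02),
          ("nz", 0.011, 0.02), ("jp", 0.009, 0.02)]
SPOOFED = [("x1", 3600.000, 0.02), ("x2", 3600.001, 0.02),
           ("x3", 3599.999, 0.02), ("x4", 3600.000, 0.02)]

if __name__ == "__main__":
    # One forged server out of six is simply outvoted.
    _, bad = select_truechimers(HONEST + SPOOFED[:1])
    print("falsetickers:", [n for n, _, _ in bad], "offset:", combined_offset(HONEST + SPOOFED[:1]))
    # Half forged: no majority, nothing is selected and the clock is left alone.
    print("3 of 6 forged ->", combined_offset(HONEST[:3] + SPOOFED[:3]))
    # A strict majority forged: the forged clock wins. That is what the attacker needs,
    # which is why Claudio's point about going after the ISP (all paths at once) matters.
    print("4 of 6 forged ->", combined_offset(HONEST[:2] + SPOOFED))
```

The run at the bottom shows the three regimes: one forged reply among six is dropped and the honest median (10 ms) is used; with three of six forged there is no majority and the algorithm declines to pick anything; with four of six forged the forged clock is selected, so the defence is only as good as the attacker's inability to control or spoof a majority of the paths.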
------------ From owner-firewalls-outgoing Fri Jul 4 04:05:01 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA23998 for firewalls-outgoing; Fri, 4 Jul 1997 03:53:54 -0700 (PDT) Received: from psyche.the-wire.com (psyche.the-wire.com [198.53.192.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id DAA23991 for ; Fri, 4 Jul 1997 03:53:47 -0700 (PDT) Received: from anton.the-wire.com (anton.the-wire.com [205.206.32.227]) by psyche.the-wire.com (8.8.6/8.6.12) with SMTP id GAA23434; Fri, 4 Jul 1997 06:56:35 -0400 (EDT) Message-Id: <3.0.32.19970703212853.007cdda0@the-wire.com> X-Sender: anton@the-wire.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Fri, 04 Jul 1997 06:57:34 -0400 To: Nick Simicich , Fernando da Silveira Montenegro From: Anton J Aylward Subject: Re: IP Filters? Cc: Firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 05:28 PM 03/07/97 -0400, Nick Simicich wrote: ## Reply Start ## >One client reported enormous degradation on high volume applications with >even one filter rule. > >On Thu, 3 Jul 1997, Fernando da Silveira Montenegro wrote: > >> >> What seems to be the general consensus on how many filtering rules one can >> configure on a router without imposing a noticeable performance penalty: >> 10? 50? 100? Have a look at the Network Systems BorderGuard series of routers. They were designed as security filters, use Andrew Molitor's advanced filter language, and DON'T DEGRADE as the filters are applied. /anton ## Reply End ## -------------------------------------------------------------------------- Anton J Aylward | Security is not something that comes in The Strahn & Strachan Group Inc | a self-contained box. It is an attribute Information Security Consultants | of how you do business and as such Voice: (416) 494-8661 | needs to be managed carefully. 
Fax: (416) 494-8803 | - Karen Goertzel, Wang Federal Inc. From owner-firewalls-outgoing Fri Jul 4 06:19:18 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA04669 for firewalls-outgoing; Fri, 4 Jul 1997 06:07:42 -0700 (PDT) Received: from dns2.infocom.etecsa.cu (infocom.etecsa.cu [169.158.64.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA04630 for ; Fri, 4 Jul 1997 06:07:27 -0700 (PDT) Received: by dns2.infocom.etecsa.cu (Smail3.1.28.1 #3) id m0wk87q-0000JiC; Fri, 4 Jul 97 09:10 EDT Received: from manati.in.etecsa.cu by mail.infocom.etecsa.cu with SMTP id XXXXXXXX-Xa19955; Fri, 04 Jul 97 09:10 EDT Received: by manati.in.etecsa.cu (Smail3.1.28.1 #3) id m0wk87p-0003VqC; Fri, 4 Jul 97 09:10 EDT Message-Id: To: firewalls@greatcircle.com Date: Fri, 4 Jul 1997 09:10:12 -0400 (EDT) From: Asley Lugo Avila X-Mailer: ELM [version 2.4 PL13] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk remove From owner-firewalls-outgoing Fri Jul 4 06:34:25 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA04906 for firewalls-outgoing; Fri, 4 Jul 1997 06:11:54 -0700 (PDT) Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA04899 for ; Fri, 4 Jul 1997 06:11:47 -0700 (PDT) Received: from big-dawgs.cisco.com (herndon-dhcp-109.cisco.com [171.68.53.109]) by lint.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id GAA00171; Fri, 4 Jul 1997 06:14:18 -0700 (PDT) Message-Id: <3.0.1.32.19970704091416.006dc930@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Fri, 04 Jul 1997 09:14:16 -0400 To: Brian Mitchell From: Paul Ferguson Subject: Re: IP Filters? 
Cc: Firewalls@GreatCircle.COM In-Reply-To: References: <9707030835.aa04683@canario.nutec.com.br> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 03:00 PM 07/03/97 -0400, Brian Mitchell wrote: > >Denial of service attacks are essentially impossible to defeat. They will >always be there in one form or another. > While that is true to some extent, there are certainly things one can do which help protect to a degree. There are several different versions of DoS attacks, but the ones which have been used predominantly are the TCP SYN and UDP flooding attacks. What these two attacks share is that they have been known to be launched by attackers using bogus source addresses, addresses which are not found in the global routing system. TCP SYN attacks which use this methodology can be thwarted using a TCP 'intercept', a TCP proxy which will not complete the TCP three-way handshake unless the originator of the TCP connection is reachable in the routing table. However, there is a more insidious form of this attack which uses random, bogus source addresses which *can* be found in the global routing system, so that a return path is available to complete the initial TCP three-way handshake. This has the unfortunate side-effect of not only affecting the initial target, but also an unwary third party to whom the bogus addresses used actually belong. The same holds true for UDP flooding; however, there is no effective mechanism to proxy UDP since it is connectionless. The most effective method of minimizing the threat of DoS is to use fairly extensive traffic access-filters to protect services which do not need to be opened up for public connectivity. Also, host computer vendors have significantly strengthened their platforms and operating systems against these types of attacks by reducing the time-wait state for half-open TCP connections, as well as increasing the number of connection buffers in the stack. 
I would suggest that anyone concerned about this issue contact their OS vendor to ask about patches which correct these deficiencies. These, in conjunction with TCP Intercept and ingress traffic filtering, provide a reasonable amount of protection. Of course, ICMP traffic can be blocked altogether using traffic filters, and it is usually a pretty smart idea to do so at the border router. Note: ingress traffic filtering is a concept of filtering traffic leaving your administrative domain so that only traffic which is announced via routing (e.g. BGP) is allowed to exit your routing domain. This does nothing to protect you from an attack, but it does disallow downstream users from launching attacks using nonexistent source addresses. I have an I-D (Internet Draft) which is now expired on the topic, which I plan to update and resubmit prior to Munich/IETF. ftp://ds.internic.net/internet-drafts/draft-ferguson-ingress-filtering-02.txt - paul -- Paul Ferguson || || Consulting Engineering || || Herndon, Virginia USA |||| |||| tel: +1.703.397.5938 ..:||||||:..:||||||:.. 
e-mail: pferguso@cisco.com c i s c o S y s t e m s From owner-firewalls-outgoing Fri Jul 4 06:49:24 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA09700 for firewalls-outgoing; Fri, 4 Jul 1997 06:46:57 -0700 (PDT) Received: from ee.net (ee.net [206.31.38.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id GAA09457 for ; Fri, 4 Jul 1997 06:46:18 -0700 (PDT) Received: from squirrel (modem27.columbus.ee.net [206.222.0.27]) by ee.net (8.8.5/8.8.5) with SMTP id JAA26126 for ; Fri, 4 Jul 1997 09:49:59 -0400 (EDT) Message-Id: <3.0.1.32.19970704101812.0069d66c@ee.net> X-Sender: clydew@ee.net X-Mailer: Windows Eudora Light Version 3.0.1 (32) Date: Fri, 04 Jul 1997 10:18:12 -0400 To: firewalls@GreatCircle.COM From: Clyde Williamson Subject: Remote Management Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- I'm looking for software that will allow me through the firewall to see what's going on at my client's site, or even getting the info right from the firewall would work. I need something that can check security, broken links, etc. It would also be great if it could pull demographics as well. Is there anything out currently that would work? Prefer a UNIX-based solution. -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQEVAwUBM70GEseWPtttGqZhAQFDeAf/ax5ISTo08dAheQvAJhRzESlaOdv8m+kk 39zBcxhCpzmWsSMl4QZ1WoAvev9bKNdHIiJkcG0pHmznF2HMk/uE2mlV1di9PAoi R8CuPbPzpzCyJ1zplIvy2rKLzASWEfqsPHjmdjWFW1l6ji0yq63gxibfmCOmi1qM aipbrc+Va+vWBpPPhyGsNXpjEnmkeA5FUTS5g4EBm2rcDDtR2QutbscmpmISIDCv FmX3/Bly1G5rDQq+8VPom6T6kK3gCvbYu6K5D7DTuUQmxcrnWSsTIhj442hB3Cei vhbeqlFLHEU0kzXQf5yGhHE+LTO7kMn04/c6CaYwWe0lF7TlxuO9/g== =boGA -----END PGP SIGNATURE----- Clyde Williamson PGP Public Key found at http://users1.ee.net/clydew/pgp.htm We cracked DES!!! 
http://www.frii.com/~rcv/deschall.htm Member of "The Interhack Posse!!" From owner-firewalls-outgoing Fri Jul 4 09:04:24 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA22744 for firewalls-outgoing; Fri, 4 Jul 1997 08:51:09 -0700 (PDT) Received: from mailserver.di.unipi.it (memphis.di.unipi.it [131.114.4.6]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA22737 for ; Fri, 4 Jul 1997 08:50:49 -0700 (PDT) Received: from 131.114.4.36.di.unipi.it (ciop.cnuce.cnr.it [131.114.1.247]) by mailserver.di.unipi.it (8.8.5/8.7.3) with SMTP id RAA24218; Fri, 4 Jul 1997 17:49:19 +0200 (MET DST) Message-ID: <33BCFDA4.5ACB@di.unipi.it> Date: Fri, 04 Jul 1997 15:41:56 +0200 From: Claudio Telmon Reply-To: claudio@DI.Unipi.IT Organization: Dipartimento di Informatica, Universita' di Pisa, Italy X-Mailer: Mozilla 3.01 (Win95; I) MIME-Version: 1.0 To: Bret Watson CC: Dirk Nerling , firewalls@GreatCircle.COM Subject: Re: need suggestion xntpd a security hole ??? References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Bret Watson wrote: > XNTPD can be set up to be safe. > i. fully utilise the voting system - find at least 6 NTP servers > (secondaries or above) that are geographically distant - I use one in > France, one in Switzerland, one in Aust, one in NZ and one in Japan. > ii. if you can get a DES library and rebuild XNTPD with it - there is a > setting for it to use DES to authenticate - the auth is quite strong as it > is effectively a one-time pad system. Most primaries will permit DES auth > and some secondaries. > > The first item makes it very hard to spoof the packets, the second makes it > impossible. Note that if somebody wants to attack you, they could first try to attack your ISP. In this case, they could spoof all your NTP servers at the same time, wherever they are. 
I don't know the NTP authentication system, but probably it isn't a real one-time pad (probably it will eventually cycle). It could nevertheless be an adequate protection. ciao - Claudio From owner-firewalls-outgoing Fri Jul 4 09:49:37 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA25500 for firewalls-outgoing; Fri, 4 Jul 1997 09:33:46 -0700 (PDT) Received: from shell.firehouse.net (shell.firehouse.net [209.42.203.45]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA25483 for ; Fri, 4 Jul 1997 09:33:39 -0700 (PDT) Received: from localhost (brian@localhost) by shell.firehouse.net (8.8.5/8.8.5) with SMTP id MAA07054; Fri, 4 Jul 1997 12:36:41 -0400 (EDT) Date: Fri, 4 Jul 1997 12:36:38 -0400 (EDT) From: Brian Mitchell To: Paul Ferguson cc: Firewalls@GreatCircle.COM Subject: Re: IP Filters? In-Reply-To: <3.0.1.32.19970704091416.006dc930@lint.cisco.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 4 Jul 1997, Paul Ferguson wrote: > At 03:00 PM 07/03/97 -0400, Brian Mitchell wrote: > > > > >Denial of service attacks are essentially impossible to defeat. They will > >always be there in one form or another. > > > > > The most effective method of minimizing the threat of DoS > is to use fairly extensive traffic access-filters to protect > services which do not need to be opened up for public > connectivity. Also, host computer vendors have significantly > strengthened their platforms and operating systems against > these types of attacks by reducing the time-wait state for > half-open TCP connections, as well as increased the number > of connection buffers in the stack. I would suggest that > anyone concerned about this issue contact their OS vendor > to ask about patches which correct these deficiencies. 
> These, in conjunction with TCP Intercept and ingress > traffic filtering, provide a reasonable amount of > protection. Any public service can be used as an attack though. You allow www out? Great, flood the target user with src port 80 traffic, ack bit set. DPF technology can help significantly here, but one has to wonder if the time involved to stop a given attack is not greater than the potential risk. If someone wants to perform a denial of service attack against you badly enough, there is a good chance they will do it - and succeed - at least, this is true for the average company. > > Of course, ICMP traffic can be blocked altogether using > traffic filters, and is usually a pretty smart idea to > do so at the border router. Unfortunately, tools such as traceroute and ping are useful, so allowing port_unreach (which, unfortunately, opens you up to some denial of service holes on older boxes), echo_reply, and time_exceeded might be a good idea. Brian Mitchell brian@firehouse.net "BSD code sucks. Of course, everything else sucks far more." - Theo de Raadt From owner-firewalls-outgoing Fri Jul 4 10:05:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA25899 for firewalls-outgoing; Fri, 4 Jul 1997 09:38:12 -0700 (PDT) Received: from homer.dejanews.com (homer.dejanews.com [205.238.143.161]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA25888 for ; Fri, 4 Jul 1997 09:38:05 -0700 (PDT) Received: from byers.dejanews.com (byers.dejanews.com [205.238.143.212]) by homer.dejanews.com (8.7.6/8.6.12) with ESMTP id LAA12976; Fri, 4 Jul 1997 11:41:11 -0500 (CDT) Received: from byers.dejanews.com (localhost.dejanews.com [127.0.0.1]) by byers.dejanews.com (8.7.5/8.6.12) with ESMTP id LAA16103; Fri, 4 Jul 1997 11:41:11 -0500 Message-Id: <199707041641.LAA16103@byers.dejanews.com> To: Paul Ferguson cc: Firewalls@GreatCircle.COM Subject: Re: IP Filters? In-reply-to: Your message of "Fri, 04 Jul 1997 09:14:16 EDT." 
<3.0.1.32.19970704091416.006dc930@lint.cisco.com> Date: Fri, 04 Jul 1997 11:41:11 -0500 From: Travis Hassloch Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In message <3.0.1.32.19970704091416.006dc930@lint.cisco.com>, Paul Ferguson writ es: >What these two attacks share are that they have been known to >be launched by attackers using bogus source addresses, addresses >which are not found in the global routing system. TCP SYN attacks >which use this methodology can be thwarted using a TCP 'intercept', >a TCP proxy which will not complete the TCP three-way handshake >unless the originator of the TCP connection is reachable in the >routing table. Linux claims to have a "fix" for SYN attacks; standard patches reduce the problem but don't "fix" it and run the risk of penalizing high-latency connections (false positives as it were). Some have even considered using AI techniques for picking connections in the queue to expire. Can anyone comment on this? The only "fix" I can think of would be putting the burden of maintaining state on the originator, perhaps by passing some token back in the SA (2nd) packet and having the client repeat this in the 3rd packet. Not sure if there is room for this anywhere, and if so what kind of compatibility issues there would be. You have the disadvantage of not being able to list all sockets in the syn-received state but being able to do that would imply sensitivity to the attack wouldn't it? This has probably been covered before by protocol experts; if so, point me/us at the archive and let's not rehash it. >This has the unfortunate >side-effect of not only affecting the initial target, but also >an unwary third-party to whom the bogus addresses used actually >belong. This actually seems likely since the SYN flooders are likely just to pick pseudorandom 32-bit numbers (if not picking 0.0.0.0). >The same holds true for UDP flooding, however, there is no >effective mechanism to proxy UDP since it is connectionless. 
It doesn't keep connection state in the packet like TCP does, but that doesn't mean a gateway can't. Besides, if you rely on what the TCP flags say you're opening yourself up to passive port scans (i.e. scans based on packets with ACK set). >Of course, ICMP traffic can be blocked altogether using >traffic filters, and is usually a pretty smart idea to >do so at the border router. But if you aren't using application-level proxies which can receive ICMPs, you can't get unreachables back, right? That might be annoying. If I remember right, ICMPs are a little trickier to handle than standard TCP replies as some (for example, host unreach) can come from IPs other than the destination. Would it be useful to allow ICMPs relating to established connections from the first-hop just used for that connection? Another useful thing might be to check for ACKs corresponding to data which hasn't been sent (recently), indicating a possible TCP session-hijack. Interestingly, Joncheray doesn't mention this in his paper. I have heard Bellovin might have an RFC on this, but I haven't looked for it. >Note: ingress traffic filtering is a concept of filtering >traffic leaving your administrative domain so that only >traffic which is announced via routing (e.g BGP) is allowed >to exit your routing domain. This does nothing to protect >you from an attack, but it does disallow downstream users >from launching attacks using nonexistent source addresses. Is this the multi-network equivalent of blocking outgoing packets which don't appear from being part of your internal network? Disclaimer: I don't claim to be a protocol expert, and I should probably have verified some of these assumptions, but my books are at home. Be nice :) -- Travis Hassloch / travish@dejanews.com / http://www.dejanews.com Deja News System Administration Group / "When news breaks... we fix it." 
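Two points in Paul Ferguson's message and Travis Hassloch's reply lend themselves to a worked example. First, the ingress filter Paul describes is indeed the multi-network version of what Travis asks about: at the border, drop outbound packets whose source is not one of the prefixes you announce (so your downstream users cannot launch spoofed floods), and drop inbound packets that claim one of your own addresses. Second, Travis's idea of making the originator carry the handshake state by returning a token in the SYN-ACK and checking it in the third packet is exactly the construction later known as SYN cookies: the server's initial sequence number is a keyed MAC over the connection's 4-tuple plus a coarse timestamp, so no half-open entry exists to exhaust. The code below is an added example written for this digest, not from either poster, Cisco, or any operating system; the prefixes, addresses, secret and cookie layout are assumptions for illustration.

```python
"""Two defences from this thread, as constructed example code: Ferguson's
ingress filter at the border router, and handling SYNs without keeping
per-connection state by putting a keyed token in the server's ISN (Hassloch's
suggestion; the technique shipped in Linux as "SYN cookies"). Prefixes,
addresses and the HMAC layout are assumptions for the example, not from any vendor."""
from collections import namedtuple
import hashlib
import hmac
import ipaddress
import random

# Constructed: prefixes this site announces via BGP, and sources that are never
# valid on the wire between sites (zero net, RFC 1918, loopback, link-local, multicast, class E).
SITE_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def border_filter(direction: str, src: str) -> str:
    """Decision on a packet crossing the border, by source address alone.
    egress: what leaves must carry an address we announce (our users cannot
    then source spoofed floods); ingress: what arrives must not claim to be us."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGONS):
        return "drop: unroutable source"
    inside = any(addr in net for net in SITE_PREFIXES)
    if direction == "egress" and not inside:
        return "drop: spoofed source leaving the site"
    if direction == "ingress" and inside:
        return "drop: outside packet claims an inside source"
    return "pass"


MASK = 0xFFFFFFFF
SLOT_SECONDS = 64   # time granularity encoded in the cookie
MAX_AGE_SLOTS = 2   # accept cookies minted within the last ~2 minutes
Segment = namedtuple("Segment", "src sport dst dport flags seq ack", defaults=(0,))


def _slot(now: float) -> int:
    return int(now // SLOT_SECONDS) & 0x1F


def _cookie(secret: bytes, s: Segment, client_isn: int, slot: int) -> int:
    """Server ISN: 27 bits of keyed MAC over the client->server 4-tuple and the
    client's ISN, plus 5 bits of time slot. (Real stacks also encode the MSS.)"""
    msg = f"{s.src}|{s.sport}|{s.dst}|{s.dport}|{client_isn}|{slot}".encode()
    mac = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")
    return ((mac & 0x07FFFFFF) << 5) | slot


class CookieListener:
    """Answers every SYN but remembers nothing; state is allocated only when the
    third packet proves the sender actually received our SYN-ACK."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.established = set()

    def on_syn(self, s: Segment, now: float) -> Segment:
        isn = _cookie(self.secret, s, s.seq, _slot(now))
        return Segment(s.dst, s.dport, s.src, s.sport, "SA", isn, (s.seq + 1) & MASK)

    def on_ack(self, s: Segment, now: float) -> bool:
        client_isn, our_isn = (s.seq - 1) & MASK, (s.ack - 1) & MASK
        slot = our_isn & 0x1F
        if (_slot(now) - slot) & 0x1F > MAX_AGE_SLOTS:
            return False  # stale cookie, or a slot the sender made up
        expected = _cookie(self.secret, s, client_isn, slot)
        if not hmac.compare_digest(expected.to_bytes(4, "big"), our_isn.to_bytes(4, "big")):
            return False  # not a cookie we would have minted for this 4-tuple
        self.established.add((s.src, s.sport, s.dst, s.dport))
        return True


def flood(listener: CookieListener, n: int, now: float = 1000.0) -> int:
    """n SYNs from random forged sources that never answer our SYN-ACK (the attack
    Ferguson describes). A classic stack fills its half-open backlog; this listener
    keeps zero entries. Returns the number of state entries held afterwards."""
    rnd = random.Random(1)
    for _ in range(n):
        src = str(ipaddress.IPv4Address(rnd.getrandbits(32)))
        syn = Segment(src, rnd.randrange(1024, 65536), "192.0.2.10", 80, "S", rnd.getrandbits(32))
        listener.on_syn(syn, now)
    return len(listener.established)


if __name__ == "__main__":
    srv = CookieListener(b"constructed-secret")
    syn = Segment("203.0.113.7", 40000, "192.0.2.10", 80, "S", 1000)
    synack = srv.on_syn(syn, 1000.0)
    ack = Segment(syn.src, syn.sport, syn.dst, syn.dport, "A", 1001, (synack.seq + 1) & MASK)
    print("legit handshake accepted:", srv.on_ack(ack, 1001.0))
    print("state held after 10k forged SYNs:", flood(CookieListener(b"k"), 10_000))
    print("egress 10.1.2.3:", border_filter("egress", "10.1.2.3"))
```

The trade-off Travis anticipates is real: because nothing is stored between the SYN and the ACK, the listener cannot list half-open connections, and any option the client sent in the SYN (beyond what fits in the few cookie bits) is lost; real stacks only switch to cookies once the ordinary backlog is full. The filter, for its part, protects other people's networks from your users rather than you from theirs, which is why it only works when everyone's upstream applies it.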
From owner-firewalls-outgoing Fri Jul 4 10:19:13 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA01141 for firewalls-outgoing; Fri, 4 Jul 1997 10:14:53 -0700 (PDT) Received: from tango.lightech.com.ar (tango.lightech.com.ar [200.0.253.134]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id KAA01070 for ; Fri, 4 Jul 1997 10:14:36 -0700 (PDT) Received: from salsa.lightech.com.ar (router1-p15.pccp.com.ar [200.0.253.31]) by tango.lightech.com.ar (8.6.8.1/SCA-6.6) with ESMTP id RAA13884 for ; Fri, 4 Jul 1997 17:01:58 GMT Message-ID: <33BCD808.61892F5D@lightech.com.ar> Date: Fri, 04 Jul 1997 14:01:29 +0300 From: Sergio Bollini Reply-To: sbollini@lightech.com.ar Organization: LighTech X-Mailer: Mozilla 4.01 [en] (Win95; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: Re: Calling the Horde X-Priority: 3 (Normal) References: Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms6C35A981119558B2E8A0BEB1" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a cryptographically signed message in MIME format. --------------ms6C35A981119558B2E8A0BEB1 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Neil D. Quiogue wrote: > Why not try to do this yourself? In security parlance, do not trust > anyone. Moreover, what if a hacker that really found an unnoticed way through your firewall says to you: "Nice firewall you have, I cannot break in!" He may enter at any time while you feel confident about your security... Saludos -- Sergio E. Bollini LighTech Voice: (54-1) 373-1141 Ayacucho 563. 
Piso 13 Dto "A" FAX: (54-1) 373-1215 Buenos Aires e-mail: sbollini@lightech.com.ar Argentina URL: http://www.lightech.com.ar --------------ms6C35A981119558B2E8A0BEB1 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature 
From owner-firewalls-outgoing Fri Jul 4 10:34:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA01184 for firewalls-outgoing; Fri, 4 Jul 1997 10:15:05 -0700 (PDT)
Received: from tango.lightech.com.ar (tango.lightech.com.ar [200.0.253.134]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id KAA01102 for ; Fri, 4 Jul 1997 10:14:43 -0700 (PDT)
Received: from salsa.lightech.com.ar (router1-p15.pccp.com.ar [200.0.253.31]) by tango.lightech.com.ar (8.6.8.1/SCA-6.6) with ESMTP id RAA13887 for ; Fri, 4 Jul 1997 17:02:02 GMT
Message-ID: <33BCDA9E.B29810E9@lightech.com.ar>
Date: Fri, 04 Jul 1997 14:12:31 +0300
From: Sergio Bollini
Reply-To: sbollini@lightech.com.ar
Organization: LighTech
X-Mailer: Mozilla 4.01 [en] (Win95; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: FW-1's SNMP
X-Priority: 3 (Normal)
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------msC767D758A9384B2EADF7ACED"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello everybody!

I have a question concerning FW-1's (v2.1, Solaris 2.5.1) SNMP daemon. With the default communities, ISS Firewall Scanner was able to contact it and fetch its MIB. Setting the communities to something non-obvious, the scanner got no response from the port. But isn't it vulnerable to a brute-force password-guessing attack? It seems better to directly block (with some rule or rules) any connection to the daemon.

I tried many rules for blocking SNMP (with the default communities), but the scanner always got the MIB. Even the default "catch-all" rule doesn't take effect!

The question is: how can I block a connection to the SNMP daemon?
As another question, is it possible to log a SecuRemote site creation? I mean seeing when anybody configures my FW-1 as a site for his SecuRemote client.

TIA

-- 
Sergio E. Bollini                  LighTech
Voice: (54-1) 373-1141             Ayacucho 563. Piso 13 Dto "A"
FAX: (54-1) 373-1215               Buenos Aires
e-mail: sbollini@lightech.com.ar   Argentina
URL: http://www.lightech.com.ar
From owner-firewalls-outgoing Fri Jul 4 12:19:22 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA20003 for firewalls-outgoing; Fri, 4 Jul 1997 12:03:34 -0700 (PDT)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id MAA19904 for ; Fri, 4 Jul 1997 12:03:16 -0700 (PDT)
Message-Id: <199707041903.MAA19904@honor.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA087872597; Sat, 5 Jul 1997 04:56:37 +1000
From: Darren Reed
Subject: Re: IP Filters?
To: travish@dejanews.com (Travis Hassloch)
Date: Sat, 5 Jul 1997 04:56:37 +1000 (EST)
Cc: pferguso@cisco.com, Firewalls@GreatCircle.COM
In-Reply-To: <199707041641.LAA16103@byers.dejanews.com> from "Travis Hassloch" at Jul 4, 97 11:41:11 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Travis Hassloch, sie said:
>
> It doesn't keep connection state in the packet like TCP does,
> but that doesn't mean a gateway can't.  Besides, if you
> rely on what the TCP flags say you're opening yourself
> up to passive port scans (i.e. scans based on packets with ACK
> set).

Not if you've half a clue about things.  Some vendors are missing
half a clue but.

> >Note: ingress traffic filtering is a concept of filtering
> >traffic leaving your administrative domain so that only
> >traffic which is announced via routing (e.g BGP) is allowed
> >to exit your routing domain.  This does nothing to protect
> >you from an attack, but it does disallow downstream users
> >from launching attacks using nonexistent source addresses.
>
> Is this the multi-network equivalent of blocking outgoing
> packets which don't appear from being part of your internal
> network?

Yes.  Something all routers should do, anyway.

From owner-firewalls-outgoing Fri Jul 4 13:34:14 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA00749 for firewalls-outgoing; Fri, 4 Jul 1997 13:32:37 -0700 (PDT)
Received: from usr05.primenet.com (usr05.primenet.com [206.165.5.105]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA00742 for ; Fri, 4 Jul 1997 13:32:31 -0700 (PDT)
Received: from mingle-midi (ip214.vcv.primenet.com [204.245.12.214]) by usr05.primenet.com (8.8.5/8.8.5) with ESMTP id NAA01877 for ; Fri, 4 Jul 1997 13:35:38 -0700 (MST)
Message-Id: <199707042035.NAA01877@usr05.primenet.com>
From: "Marc H. Ingle"
To:
Date: Fri, 4 Jul 1997 13:34:04 -0700
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1157
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-outgoing Fri Jul 4 16:34:24 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA11485 for firewalls-outgoing; Fri, 4 Jul 1997 16:06:20 -0700 (PDT)
Received: from belenus.cvrd.br (belenus.cvrd.com.br [200.241.215.13]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id QAA11470 for ; Fri, 4 Jul 1997 16:06:13 -0700 (PDT)
From: marcob@cvrd.com.br
Received: from susvtxm1.cvrd.br by belenus.cvrd.br (AIX 4.1/UCB 5.64/FW1.0) id AA102220; Fri, 4 Jul 1997 20:05:42 -0300
Received: from susvtmg2.cvrd.br by susvtxm1.cvrd.br (AIX 4.1/UCB 5.64/4.03) id AA57634; Fri, 4 Jul 1997 20:09:58 -0300
Received: from ccMail by susvtmg2.cvrd.br (SMTPLINK V2.11) id AA868072246; Fri, 04 Jul 97 19:42:16 PST
Date: Fri, 04 Jul 97 19:42:16 PST
Message-Id: <9706048680.AA868072246@susvtmg2.cvrd.br>
To: Firewalls@GreatCircle.com
Sender:
firewalls-owner@GreatCircle.COM
Precedence: bulk

Please, I am an information system auditor. Does anyone know any site or document that shows real cases related to firewall attacks? Besides that, does anyone have a program to audit/evaluate a firewall system?

Thanks.

Marco A. Barros
Rio de Janeiro - Brasil

From owner-firewalls-outgoing Fri Jul 4 17:34:22 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA19175 for firewalls-outgoing; Fri, 4 Jul 1997 17:19:13 -0700 (PDT)
Received: from uu5.psi.com (uu5.psi.com [38.145.226.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id RAA19139 for ; Fri, 4 Jul 1997 17:19:03 -0700 (PDT)
Received: by uu5.psi.com (5.65b/4.0.071791-PSI/PSINet) via UUCP; id AA24915 for Firewalls@GreatCircle.COM; Fri, 4 Jul 97 20:21:27 -0400
Received: by telecnnct.com (SMI-8.6/SMI-SVR4) id TAA28041; Fri, 4 Jul 1997 19:56:24 -0400
Received: from barney(205.172.229.10) by fred via TTC (V2.0) id xma027939; Fri, 4 Jul 97 19:56:01 -0400
Message-Id: <33BD8D8F.353C51DE@telecnnct.com>
Date: Fri, 04 Jul 1997 19:55:59 -0400
From: Jim Harmon
Organization: The Telephone Connection
X-Mailer: Mozilla 3.0 (X11; I; SunOS 4.1.4_DB sun4m)
Mime-Version: 1.0
To: "Neil D. Quiogue"
Cc: hartmut.fehling@hamburg.netsurf.de, Firewalls@GreatCircle.COM
Subject: Re: Calling the Horde
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Neil D. Quiogue wrote:
>
> On Thu, 3 Jul 1997 hartmut.fehling@hamburg.netsurf.de wrote:
>
> > In order to make a really tough test before I actually connect the gateway
> > to our network, I could ask some people I know in the Underground to spread
> > the IP-Address, maybe the HW/SW-Configuration and perhaps even the
> > FW-1-Settings and invite the guys to try it out and break in (into the
> > empty network behind it).
> >
> > Question: Is this a wise thing to do / Has anybody "invited" Hackers in
> > such a fashion?
>
> Check the legalities of this 'breaking' session.  There are companies
> which have security policies that do not allow this.  And I think it is
> bad practice to do this since the information would cascade throughout the
> underground community.
>
> Why not try to do this yourself?  In security parlance, do not trust
> anyone.

As I understand it, there are professional consultants who do this kind of work.

I would NOT go to the "underground" as you say, as that is an open invitation for people to attack you ad infinitum, and if any are successful, and don't tell you they were, when the system goes into "real network" mode, you'll be wide open.

-- 
Jim Harmon                   The Telephone Connection
jim@telecnnct.com            Rockville, Maryland

From owner-firewalls-outgoing Fri Jul 4 18:49:11 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA26725 for firewalls-outgoing; Fri, 4 Jul 1997 18:46:19 -0700 (PDT)
Received: from yum.samart.co.th (yum.samart.co.th [203.149.0.4]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id SAA26700 for ; Fri, 4 Jul 1997 18:46:12 -0700 (PDT)
Received: from pc1.samart.co.th (dialup1-203.samart.co.th [203.149.1.203]) by yum.samart.co.th (8.8.5/8.7.3) with SMTP id IAA24577 for ; Sat, 5 Jul 1997 08:50:10 +0700 (ICT)
Message-ID: <33BDA7AC.3B65@physicist.net>
Date: Sat, 05 Jul 1997 08:47:24 +0700
From: WinX
X-Mailer: Mozilla 3.01Gold (Win95; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: (no subject)
Content-Type: text/plain; charset=euc-kr
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-outgoing Fri Jul 4 20:49:11 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA02531 for firewalls-outgoing; Fri, 4 Jul 1997 20:33:24 -0700 (PDT)
Received: from cat.bbsr.edu (cat.bbsr.edu
[198.116.91.161]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id UAA02517 for ; Fri, 4 Jul 1997 20:33:18 -0700 (PDT)
Message-Id: <199707050333.UAA02517@honor.greatcircle.com>
Received: from [192.168.1.202] by cat.bbsr.edu (SMTPD32-3.04) id A0B07135020A; Sat, 05 Jul 1997 00:34:08 -0300
From: "Jamie Thain"
To: "Phil Burg" , "'firewalls@greatcircle.com'"
Subject: Re: another Citrix Winframe query
Date: Sat, 5 Jul 1997 00:34:30 -0300
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Phil,

I don't know if exposure is the right answer, but the client could choose to connect internal drives and ship data out. Printers can form a back connection, but I think this is all at the request of the client. I am going to do a little testing with it to be sure...

The question is has anyone tried to "back connect" through the "client" network?

If you want absolute control put a Winframe in the middle. Users winframe to your server, and then use a winframe client installed to winframe out.

regards: jamie
Citrix Authorized Gold Dealer

From owner-firewalls-outgoing Fri Jul 4 22:04:17 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA06185 for firewalls-outgoing; Fri, 4 Jul 1997 21:57:31 -0700 (PDT)
Received: from alpha2.curtin.edu.au (alpha2.curtin.edu.au [134.7.70.20]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id VAA06168 for ; Fri, 4 Jul 1997 21:57:22 -0700 (PDT)
Received: from 134.7.108.53 (134.7.108.53) by alpha2.curtin.edu.au (PMDF V5.0-6 #7809) id <01IKVN0VJ5YOBB7UTH@alpha2.curtin.edu.au> for firewalls@GreatCircle.COM; Sat, 05 Jul 1997 13:02:47 +0800
Date: Sat, 05 Jul 1997 13:01:58 +0800
From: Bret Watson
Subject: Re: need suggestion xntpd a security hole ???
In-reply-to: <33BCFDA4.5ACB@di.unipi.it>
X-Sender: climbing@skuld.cage.curtin.edu.au
To: firewalls@GreatCircle.COM
Message-id:
MIME-version: 1.0
Content-type: text/plain; charset="us-ascii"
Content-transfer-encoding: 7BIT
References:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Yes if you are only using one line into your network then by compromising your ISP the attacker has the ability to spoof anything incoming. Mind you if the attacker has compromised your connection to the world you are in deep s^&t anyway.

Claudio, you are right it will eventually cycle - however since it uses the NTP header and data as part of the seed the cycle is around about once per 136 years. [ref RFC 1305 C.2.1]

yes - nothing is impossible to compromise, given the time and money - however blowed if I can think of a situation where the gain is high enough to spend the time to compromise a fully redundant NTP server. To ensure it _is_ impossible - many routers like cisco plug-in GPS cards that allow you to run a primary NTP server within your org.

Cheers,

Bret

Bret Watson & Associates, Computer Security Consultants
Bret.Watson@bwa.net    http://www.bwa.net/
Phone: +61 41 4411 149 (local time UTC +8)    Fax: +61 8 9454 6042

From owner-firewalls-outgoing Fri Jul 4 23:27:58 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA10878 for firewalls-outgoing; Fri, 4 Jul 1997 23:04:07 -0700 (PDT)
Received: from nic.com (nic.com [204.141.60.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA10871 for ; Fri, 4 Jul 1997 23:04:00 -0700 (PDT)
Received: from localhost (dave@localhost) by nic.com (8.8.5/8.8.5) with SMTP id CAA09908; Sat, 5 Jul 1997 02:07:44 -0400 (EDT)
Date: Sat, 5 Jul 1997 02:07:44 -0400 (EDT)
From: Dave Wreski
To: Bret Watson
cc: firewalls@GreatCircle.COM
Subject: Re: need suggestion xntpd a security hole ???
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 5 Jul 1997, Bret Watson wrote:

> Yes if you are only using one line into your network then by compromising
> your ISP the attacker has the ability to spoof anything incoming. Mind you
> if the attacker has compromised you connection to the world you are in deep
> s^&t anyway.

As I have only read the basic instructions on fwtk that I plan to learn to use this weekend, hopefully you can tell me if I'm on the right track.

I would also like to bring ntp into my network, on the only line providing Internet access to a small company I'm working with.

Wouldn't the plug-gw be used in this circumstance? Would it be advisable to set up a xntpd server on one of my external boxes, and use it to serve the internal network, consisting of about 10 machines? Or would it be better to have each configured to use a proxying ntpdate?

Thanks,
Dave Wreski

From owner-firewalls-outgoing Fri Jul 4 23:34:18 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA11068 for firewalls-outgoing; Fri, 4 Jul 1997 23:11:48 -0700 (PDT)
Received: from nic.com (nic.com [204.141.60.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA11061 for ; Fri, 4 Jul 1997 23:11:42 -0700 (PDT)
Received: from localhost (dave@localhost) by nic.com (8.8.5/8.8.5) with SMTP id CAA09949 for ; Sat, 5 Jul 1997 02:15:31 -0400 (EDT)
Date: Sat, 5 Jul 1997 02:15:30 -0400 (EDT)
From: Dave Wreski
To: firewalls@greatcircle.com
Subject: Moving data to external machines
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all. I am working with trying to set up my first Internet server.
The network will consist of several interior machines, and two external servers, as shown:

                    Internet
                       |
                       |
          Linux with FWTK   DNS/Mail/Proxy
          (Blocks all but WWW/Marimba)
                       |
                       |
          Linux with ip masq   WWW/Marimba
                       |
                       |
                    10mbs Hub
          ---------------------------
            |    |    |    |    |
            |    |    |    |    |
                Internal Network

Since the internal machines are primarily NT 4.0 workstations, and I'm not too familiar with ssh under NT, how would I go about copying the data from the internal machines to the web server? There will be a staging server on the internal network, and I eventually need to get that data to the production server, as well as fetching mail and doing DNS queries from the firewall box.

Should I redesign my distribution of services? Can I do an NFS proxy? SMB proxy? Would it be by default safe, since I'm not allowing connections internally on the external interface?

Thanks for any ideas,
Dave Wreski

From owner-firewalls-outgoing Sat Jul 5 03:04:21 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA25783 for firewalls-outgoing; Sat, 5 Jul 1997 02:54:36 -0700 (PDT)
Received: from shup2.sh.cei.go.cn ([203.207.143.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id CAA25756 for ; Sat, 5 Jul 1997 02:54:07 -0700 (PDT)
Received: from Y2000 ([203.207.143.12]) by shup2.sh.cei.go.cn (8.7.5+2.6Wbeta6/3.4W CEI-SH 96090315) with ESMTP id RAA24398 for ; Sat, 5 Jul 1997 17:55:28 +0800 (CST)
Message-Id: <199707050955.RAA24398@shup2.sh.cei.go.cn>
From: "Cai Xuewu"
To: "firewalls mailing list"
Subject: Any NAT implement?
Date: Sat, 5 Jul 1997 17:57:27 -0000
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=HZ-GB-2312
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi, everyone

I'm working in an ISP company; under the request of my customer, I want to implement a NAT for my customer and make multiple users use only one IP address.
I have read RFC1631 and RFC 1918, and I wonder if someone knows where I can find some sample for reference.

Thanks in advance

==========================|===========================
Cai Xuewu                 |Shanghai Information Center
xwcai@saturn.shcei.co.cn  |
                          | HuaShan Road 1076
                          | Shanghai 200050
                          | P.R.C
                          |
==========================|===========================

From owner-firewalls-outgoing Sat Jul 5 09:04:13 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA15121 for firewalls-outgoing; Sat, 5 Jul 1997 08:58:33 -0700 (PDT)
Received: from dns1.tc.net (dns1.tc.net [208.205.78.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA15112 for ; Sat, 5 Jul 1997 08:58:27 -0700 (PDT)
Received: from UNKNOWN [208.205.78.200] by dns1.tc.net for id MAA08796; Sat Jul 5 12:01:45 1997
Received: (from doug@localhost) by ono.tc.net (8.7.6/8.7.3) id MAA04394; Sat, 5 Jul 1997 12:01:43 -0400
Subject: Re: need suggestion xntpd a security hole ???
References:
Date: 05 Jul 1997 12:01:41 -0400
In-Reply-To: Dave Wreski's message of Sat, 5 Jul 1997 02:07:44 -0400 (EDT)
Message-ID:
Lines: 22
X-Mailer: Gnus v5.2.39/Emacs 19.34
To: Dave Wreski
From: Douglas McNaught
Cc: Bret Watson , firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dave Wreski writes:

> I would also like to bring ntp into my network, on the only line providing
> Internet access to a small company I'm working with.
>
> Wouldn't the plug-gw be used in this circumstance?  Would it be advisable
> to set up a xntpd server on one of my external boxes, and use it to serve
> the internal network, consisting of about 10 machines?  Or would it be
> better to have each configure to use a proxying ntpdate?

NTP is a UDP-based service, so you can't plug-gw it.  The usual procedure is to run an NTP daemon on the bastion host, and sync it to as many low-stratum servers as possible.
Have the internal clients sync either directly to the bastion host or to internal higher-stratum servers.

-Doug

-- 
sub g{my$i=index$t,$_[0];($i%5,int$i/5)}sub h{substr$t,5*$_[1]+$_[0],1}sub n{(
$_[0]+4)%5}$t='encryptabdfghjklmoqsuvwxz';$c='fxmdwbcmagnyubnyquohyhny';while(
$c=~s/(.)(.)//){($w,$x)=g$1;($y,$z)=g$2;$w==$y&&($p.=h($w,n$x).h($y,n$z))or$x==
$z&&($p.=h(n$w,$x).h(n$y,$z))or($p.=h($y,$x).h($w,$z))}$p=~y/x/ /;print$p,"\n";

From owner-firewalls-outgoing Sat Jul 5 10:34:21 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA20306 for firewalls-outgoing; Sat, 5 Jul 1997 10:20:47 -0700 (PDT)
Received: from nic.com (nic.com [204.141.60.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA20281 for ; Sat, 5 Jul 1997 10:20:39 -0700 (PDT)
Received: from localhost (dave@localhost) by nic.com (8.8.5/8.8.5) with SMTP id NAA14042; Sat, 5 Jul 1997 13:24:30 -0400 (EDT)
Date: Sat, 5 Jul 1997 13:24:29 -0400 (EDT)
From: Dave Wreski
To: Douglas McNaught
cc: Bret Watson , firewalls@GreatCircle.COM
Subject: Re: need suggestion xntpd a security hole ???
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > I would also like to bring ntp into my network, on the only line providing
> > Internet access to a small company I'm working with.

> NTP is a UDP-based service, so you can't plug-gw it.  The usual
> procedure is to run an NTP daemon on the bastion host, and sync it to
> as many low-stratum servers as possible.  Have the internal clients
> sync either directly to the bastion host or to internal higher-stratum
> servers.

How is it more secure to run an ntp daemon on the bastion host, and serve the internal network from there, rather than from the stratums on the Internet? I suppose I could only allow that port from bastion host to internal network...
Thanks again,
Dave

From owner-firewalls-outgoing Sat Jul 5 13:19:12 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA29463 for firewalls-outgoing; Sat, 5 Jul 1997 13:13:26 -0700 (PDT)
Received: from pse01.pios.com (PSE01.PIOS.COM [199.33.129.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id NAA29446 for ; Sat, 5 Jul 1997 13:13:19 -0700 (PDT)
Received: by pse01.pios.com; (5.65v3.2/1.3/10May95) id AA12907; Sat, 5 Jul 1997 16:16:22 -0400
Received: from vaxc.PIOS.COM (vaxc.PIOS.COM) by gemini.pios.com (PMDF V5.0-6 #18985) id <01IKVTTZZ5DC8X0MBJ@gemini.pios.com> for firewalls@GreatCircle.COM; Sat, 05 Jul 1997 16:17:44 -0400 (EDT)
Received: from cal_133.cal.pios.com (ras11.RAS.PIOS.COM) by PIOS.PIOS.COM (PMDF V5.0-6 #18984) id <01IKVTSCMMWG8YBHZZ@PIOS.PIOS.COM> for firewalls@GreatCircle.COM; Sat, 05 Jul 1997 16:16:28 -0400 (EDT)
Date: Sat, 05 Jul 1997 16:15:38 -0400
From: Bill Stout
Subject: Re: Microsoft plans to offer a firewall
X-Sender: stoutb@192.168.0.37
To: firewalls@GreatCircle.COM
Message-Id: <2.2.32.19970705201538.00696f38@192.168.0.37>
Mime-Version: 1.0
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Maybe I should've titled this "How to Make money fast" by investing in TIS. ;)

Given this thread is definitely anti-Microsoft, and that I give bad MS press by creating exploit lists, inadvertently helped someone alter files at microsoft.com last year, scoffed at MS responses to security problems ("One must simply reboot the server to restore services"), and fear for James Bond 'The Net' scenarios with security-software distributed as mysterious compiled binaries only, I feel moved to respond as the devil's advocate.

Over a year ago while working at Hitachi, I tried to get Hitachi to work with TIS to co-develop the NT version of Gauntlet.
This was based on the reviewability of TIS source, my personal respect for Gauntlet, and the interest at TIS of working with Hitachi. I did get up to the Japanese executive level (above VP, below Pres/CEO), however due to an inability of lower level pointy-haired managers to: recognize TIS as a major player, recognize firewalls as a long-lived technology, and not make responses in 1995 such as "Why do we need firewalls when NT is secure?" the project died (One of the managers also had an alternative security project which also failed). Sadly I disappointed many people at TIS because of this. :(

TIS was interested in working with Hitachi because we were one of the few companies which had NT source, and NT programmers. The ability to review NT source for security flaws was very important to TIS. At the time TIS had no NT version of Gauntlet, and very few NT-proficient programmers. TIS was also paying visits to Microsoft directly in order to partner/create a Firewall product (wisely not putting their eggs into one basket).

I would give the MS/TIS combo the benefit of doubt, since TIS has a history of making source available for review, and being strongly critical while reviewing code. 'The big problem' with Microsoft is that source code is not reviewable, resulting in major security holes being discovered after many thousands of NT systems are used in production environments. Hopefully TIS is also wise enough not to create any NT dependencies in the firewall code.

I'm sure TIS recognizes that Microsoft software is notoriously insecure. Given this, TIS will critically review MS code pertinent to the firewall, and make firewall source available. My faith in an NT firewall product is improved because of the association of TIS, home of 'crystal box' open source code.

My caveat: no one can make security Microsoft-proof.
Bill Stout

From owner-firewalls-outgoing Sat Jul 5 13:49:25 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA00725 for firewalls-outgoing; Sat, 5 Jul 1997 13:35:48 -0700 (PDT)
Received: from alpha.mcit.com (alpha.mcit.com [199.249.18.143]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id NAA00715 for ; Sat, 5 Jul 1997 13:35:41 -0700 (PDT)
Received: from omzrelay.mcit.com (omzrelay.mcit.com [166.37.204.49]) by alpha.mcit.com (8.8.6/) with ESMTP id QAA24153 for ; Sat, 5 Jul 1997 16:39:00 -0400 (EDT)
Received: from pop3a.mail.mci.com (pop3a.mail.mci.com [166.37.172.2]) by omzrelay.mcit.com (8.8.5/) with ESMTP id PAA32555 for ; Sat, 5 Jul 1997 15:39:00 -0500 (CDT)
Received: from localHost ([204.189.236.145]) by pop3a.mail.mci.com (Post.Office MTA Undefined release Undefined ID# 1-123U25000L1S10) with SMTP id AAA25041 for ; Sat, 5 Jul 1997 16:38:59 -0400
Date: Sat, 05 Jul 1997 16:30 -0400 (EDT)
From: "William Greenlee"
To: Firewalls
X-Mailer: MailRoom v2.1e
Message-ID: <19970705203857.AAA25041@localHost>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From owner-firewalls-outgoing Sat Jul 5 14:56:09 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA05494 for firewalls-outgoing; Sat, 5 Jul 1997 14:40:07 -0700 (PDT)
Received: from elektra.ultra.net (elektra.ultra.net [199.232.56.13]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA05485 for ; Sat, 5 Jul 1997 14:40:02 -0700 (PDT)
Received: from zandar.judgefamily.org (joesmac.ultranet.com [199.232.59.222]) by elektra.ultra.net (8.8.5/ult1.06) with SMTP id RAA26590; Sat, 5 Jul 1997 17:43:19 -0400 (EDT)
Received: by zandar.judgefamily.org with Microsoft Mail id <01BC896B.449BD2E0@zandar.judgefamily.org>; Sat, 5 Jul 1997 17:45:46 -0400
Message-ID: <01BC896B.449BD2E0@zandar.judgefamily.org>
From: Joseph Judge
To: Dave Wreski , "'Douglas McNaught'"
Cc: Bret Watson ,
"firewalls@GreatCircle.COM" Subject: RE: need suggestion xntpd a security hole ??? Date: Sat, 5 Jul 1997 17:45:44 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I second that motion (run xntpd on your gateway, sync to many, let internal servers get time against your gateway) ... but consider buying a GPS NTP time server ... They are not that expensive (couple hundred $US?) - joe ---------- From: Douglas McNaught[SMTP:doug@ono.tc.net] Sent: Saturday, July 05, 1997 12:01 PM To: Dave Wreski Cc: Bret Watson; firewalls@GreatCircle.COM Subject: Re: need suggestion xntpd a security hole ??? Dave Wreski writes: > I would also like to bring ntp into my network, on the only line providing > Internet access to a small company I'm working with. > > Wouldn't the plug-gw be used in this circumstance? Would it be advisable > to set up a xntpd server on one of my external boxes, and use it to serve > the internal network, consisting of about 10 machines? Or would it be > better to have each configure to use a proxying ntpdate? NTP is a UDP-based service, so you can't plug-gw it. The usual procedure is to run an NTP daemon on the bastion host, and sync it to as many low-stratum servers as possible. Have the internal clients sync either directly to the bastion host or to internal higher-stratum servers. 
-Doug

--
sub g{my$i=index$t,$_[0];($i%5,int$i/5)}sub h{substr$t,5*$_[1]+$_[0],1}sub n{(
$_[0]+4)%5}$t='encryptabdfghjklmoqsuvwxz';$c='fxmdwbcmagnyubnyquohyhny';while(
$c=~s/(.)(.)//){($w,$x)=g$1;($y,$z)=g$2;$w==$y&&($p.=h($w,n$x).h($y,n$z))or$x==
$z&&($p.=h(n$w,$x).h(n$y,$z))or($p.=h($y,$x).h($w,$z))}$p=~y/x/ /;print$p,"\n";

From owner-firewalls-outgoing Sat Jul 5 15:04:11 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA05359 for firewalls-outgoing; Sat, 5 Jul 1997 14:38:44 -0700 (PDT) Received: from elektra.ultra.net (elektra.ultra.net [199.232.56.13]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id OAA05335 for ; Sat, 5 Jul 1997 14:38:37 -0700 (PDT) Received: from zandar.judgefamily.org (joesmac.ultranet.com [199.232.59.222]) by elektra.ultra.net (8.8.5/ult1.06) with SMTP id RAA21129; Sat, 5 Jul 1997 17:41:53 -0400 (EDT) Received: by zandar.judgefamily.org with Microsoft Mail id <01BC896B.11CBB4C0@zandar.judgefamily.org>; Sat, 5 Jul 1997 17:44:21 -0400
Message-ID: <01BC896B.11CBB4C0@zandar.judgefamily.org>
From: Joseph Judge
To: firewalls mailing list , "'Cai Xuewu'"
Subject: RE: Any NAT implement?
Date: Sat, 5 Jul 1997 17:44:19 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

(keywords: rambling, NAT, ip-filter, ftp redirection)

Cai -

I have been using ip-filter for my "house network" at home in the manner you described. So, the example I give here will be a cookbook for that. IP-Filter is publicly available from http://coombs.anu.edu.au/~avalon and is very strong on features. There are commercial packet filters "out there" that are good ... but many that are not as strong as IP-Filter. The most current released version is 3.1.11. If you get that and compile it ... you have a packet filter and network address translator. (NAT = Network Address Translation for those who may not know).
Under Solaris, it runs as a loadable kernel module ... so there is a start up script, /etc/init.d/ipfboot. You will have to modify this so that your network address translation rules get loaded. The startup script provided just loads the packet filter. You may also wish to customize how the log-program, "ipmon", gets started. For some reason, ipmon tends to suck up the CPU cycles (I think there is a missing sleep() call in a tight loop in ipmon). Anyway ... I add "ipnat -f /etc/ipnat.conf" to the start section.

My /etc/ipnat.conf file looks like this:

    map ipdptp0 10.1.1.0/24 -> my-real-Internet-address/32 portmap tcp/udp 10000:65000
    map ipdptp0 10.1.1.0/24 -> my-real-Internet-address/32

This tells the NAT code to remap packets that are exiting my ipdptp0 interface (which is my PPP interface to the Internet) to be mapped to the single host that my service provider thinks is at my house. My "house net" is 10.1.1.0, which is a PC at 10.1.1.3, a Macintosh at 10.1.1.2 and the Internet-gateway Sparc 5 at 10.1.1.1. I have some rules in the /etc/ipf.conf file for ip-filter to protect my machines, also.

Remember - the "map" verb is to remap packets leaving your ip-filter machine, the "rdr" verb is to redirect inbound packets to the ip-filter machine. I mention this because the ftp protocol will break in some cases of NAT.

You see, when my PC wants to connect out to an FTP site ... the control channel will come out of my machine at, for example, socket 1025. I've remapped my internal net to fall within the 10000 to 65000 port range. This is more than enough for a 3-machine network (or a small class C or so). But, that means the FTP site will see a connection from "my-real-machine" at, for example, socket 10000. No problems yet, yes? Then my PC tells the FTP site "give me this file, I'm listening on socket 1026" over the control channel. The FTP site hits "my-real-machine" at socket 1026 and there is nothing there (!!!).
So, worry about sites that don't have passive FTP (where the client does not accept data connections, but calls out to the FTP server instead). These are the normal firewall passive-FTP problems. But, you can eliminate these problems with a "rdr" of any connections from the "house net" to anywhere port = 21 to be redirected up to some kind of FTP proxy server (which you would have to run on your ip-filter machine).

good luck

-- joe

----------
From: Cai Xuewu[SMTP:xwcai@shup2.sh.cei.go.cn]
Sent: Saturday, July 05, 1997 1:57 PM
To: firewalls mailing list
Subject: Any NAT implement?

Hi, everyone,

I'm working in an ISP company; at the request of my customer, I want to implement a NAT for my customer and make multiple users use only one IP address. I have read RFC 1631 and RFC 1918, and I wonder if someone knows where I can find some samples for reference.

Thanks in advance

==========================|===========================
Cai Xuewu                 |Shanghai Information Center
xwcai@saturn.shcei.co.cn  |
                          | HuaShan Road 1076
                          | Shanghai 200050
                          | P.R.C
                          |
==========================|===========================

From owner-firewalls-outgoing Sat Jul 5 17:34:12 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA16898 for firewalls-outgoing; Sat, 5 Jul 1997 17:30:12 -0700 (PDT) Received: from ceddec.com (brickwall.ceddec.com [207.91.200.193]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id RAA16889 for ; Sat, 5 Jul 1997 17:30:08 -0700 (PDT) Received: by brickwall.ceddec.com id <32257>; Sat, 5 Jul 1997 20:33:33 -0400
Date: Sat, 5 Jul 1997 20:34:50 -0400
From: tzeruch@ceddec.com
X-Sender: nobody@mars.ceddec.com
To: David Wasser
cc: firewalls@GreatCircle.COM, franks@netscape.com
Subject: Re: Tunneling tools with 128 bit encryption outside US?
In-Reply-To: <33BA45A5.57AB2A3B@netscape.com>
Message-Id: <97Jul5.203333edt.32257@brickwall.ceddec.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Or secure socket relay (ssr) - see http://www.medcom.se/

From owner-firewalls-outgoing Sat Jul 5 23:46:50 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA29404 for firewalls-outgoing; Sat, 5 Jul 1997 22:42:30 -0700 (PDT) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970427-1) id WAA29394 for firewalls@greatcircle.com; Sat, 5 Jul 1997 22:42:27 -0700 (PDT) Received: from p0015c01.kpmg.com (p0016c01.kpmg.com [199.207.255.14]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id PAA21047 for ; Thu, 3 Jul 1997 15:22:22 -0700 (PDT)
From: kenng@kpmg.com
Received: by p0015c01.kpmg.com; id SAA05775; Thu, 3 Jul 1997 18:24:15 -0400 (EDT) Received: from pa0016c4.kpmg.com(130.100.150.27) by p0015c01.kpmg.com via smap (3.2) id xma005645; Thu, 3 Jul 97 18:24:02 -0400 Received: from mailgate3.kpmg.com by pa0016c4.kpmg.com(8.7.3/8.7.3) with SMTP id SAA08577; Thu, 3 Jul 1997 18:23:18 -0400 (EDT) Received: from ccMail by mailgate3.kpmg.com (IMA Internet Exchange 2.1 Enterprise) id 000C4716; Thu, 3 Jul 97 18:24:17 -0400
Mime-Version: 1.0
Date: Thu, 3 Jul 1997 18:12:16 -0400
Message-ID: <000C4716.3365@kpmg.com>
To: Harry Mantakos , "osiris@pacificnet.net"
Cc: firewalls@GreatCircle.COM
Subject: Re[2]: Microsoft plans to offer a firewall
Content-Type: multipart/mixed; boundary="IMA.Boundary.756869768"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

--IMA.Boundary.756869768
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part

In a previous life I've seen Coopers and Lybrand's so-called security evaluation. To put it politely, I was not impressed.
For our UNIX servers, they wanted a printout of the file permissions for every file on every system. I guess they never heard of 'find'. They missed NFS permission problems (like export *WORLD* *WRITABLE*), they missed that databases were *WORLD* *WRITABLE*, they missed a lot of basic hole checking. But, they were improving. The first time I met with them they didn't ask for any file permissions.

Note: I say the above, and I say everything, as an individual. I am not now, nor have I ever been, a spokesman for where I work now.

______________________________ Reply Separator _________________________________
Subject: Re: Microsoft plans to offer a firewall
Author: "osiris@pacificnet.net" at INTERNET
Date: 7/3/97 12:25 AM

Yeah, incredible but true. However, for those that are genuinely interested, the full URL to that document is here:

http://www.microsoft.com/proxy/common/Coopers.exe

A few noteworthy points...According to M$:

"Coopers & Lybrand LLP (C&L) conducted a four phase evaluation program that reviewed Installation, Configuration, Security Feature Analysis, and Penetration Testing in an effort to "unearth" any security vulnerabilities of Microsoft Proxy Server."

C&L claim that the product withstood attacks from "...well-known and well documented tools, such as the public domain tools Internet Security Scanner and Satan..."

Immediately following this, C&L advises that "...without careful installation, monitoring, and observation, any computing product or system may be vulnerable to exploitation..."

In other words, "..we evaluated this product, but we cannot vouch for it, nor place our reputation on the line."

Moreover (and even more incredibly) C&L go on to say that the Proxy Server uses NT 4.0 as its platform and therefore, 4.0's IP forwarding "may" present some security issues. Let me repeat that: IP forwarding MAY present some security issues. Whatever.

Meanwhile, are they saying that if a target survives a scan by SafeSuite or SATAN, that it's okay?
(Maybe Ballista would have been a better choice as it is a more recent development. I wonder, did they try scanning it with Jakal?) Okay enough to give it this "Security Seal of Approval" that M$ is parading around? Hahahaha. Not the Security Seal of Approval. Anything but that.

That - and about 1.75 - will get you...

--IMA.Boundary.756869768
Content-Type: text/plain; charset=US-ASCII; name="RFC822 message headers"
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Content-Disposition: inline; filename="RFC822 message headers"

Received: from pa0016c4.kpmg.com (130.100.150.27) by mailgate1.kpmg.com with SMTP (IMA Internet Exchange 2.1 Enterprise) id 00054C09; Thu, 3 Jul 97 15:01:07 -0400 Received: from pa0016c1.kpmg.com by pa0016c4.kpmg.com(8.7.3/8.7.3) with ESMTP id OAA19385 for ; Thu, 3 Jul 1997 14:55:55 -0400 (EDT) Received: by pa0016c1.kpmg.com; id OAA20198; Thu, 3 Jul 1997 14:56:38 -0400 (EDT) Received: from relay2.uu.net(192.48.96.7) by pa0016c1.kpmg.com via smap (3.2) id xma020133; Thu, 3 Jul 97 14:56:34 -0400 Received: from honor.greatcircle.com by relay2.UU.NET with ESMTP (peer crosschecked as: [198.102.244.44]) id QQcwqd12965; Thu, 3 Jul 1997 14:55:26 -0400 (EDT) Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA05792 for firewalls-outgoing; Thu, 3 Jul 1997 00:16:20 -0700 (PDT) Received: from polaris.pacificnet.net (polaris.pacificnet.net [207.171.0.250]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id AAA05747 for ; Thu, 3 Jul 1997 00:16:09 -0700 (PDT) Received: from default (pm14-11.pacificnet.net [207.171.10.44]) by polaris.pacificnet.net (8.8.5/8.8.5) with SMTP id AAA23923; Thu, 3 Jul 1997 00:09:44 -0700 (PDT)
Message-ID: <33BB53E7.583F@pacificnet.net>
Date: Thu, 03 Jul 1997 00:25:27 -0700
From: "osiris@pacificnet.net"
Reply-To: osiris@pacificnet.net
X-Mailer: Mozilla 3.01 (Win95; I)
MIME-Version: 1.0
To: Harry Mantakos
CC: firewalls@GreatCircle.COM
Subject: Re: Microsoft plans
to offer a firewall
References: <199707030318.XAA11240@kiri.meretrix.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

--IMA.Boundary.756869768--

From owner-firewalls-outgoing Sat Jul 5 23:48:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA01879 for firewalls-outgoing; Sat, 5 Jul 1997 23:06:46 -0700 (PDT) Received: from alpha2.curtin.edu.au (alpha2.curtin.edu.au [134.7.70.20]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id XAA01862 for ; Sat, 5 Jul 1997 23:06:37 -0700 (PDT) Received: from rara19.curtin.edu.au (rara19.curtin.edu.au) by alpha2.curtin.edu.au (PMDF V5.0-6 #7809) id <01IKX3Q34TCGBB837S@alpha2.curtin.edu.au>; Sun, 06 Jul 1997 14:11:56 +0800
Date: Sun, 06 Jul 1997 14:11:15 +0800
From: Bret Watson
Subject: Re: need suggestion xntpd a security hole ???
In-reply-to:
X-Sender: climbing@skuld.cage.curtin.edu.au
To: Dave Wreski
Cc: firewalls@GreatCircle.COM
Message-id:
MIME-version: 1.0
Content-type: text/plain; charset="us-ascii"
Content-transfer-encoding: 7BIT
References:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The normal trick is to create two machines as NTP stratum 2 or 3 servers. The rest of the machines serve off these two machines (for stability and redundancy).

From a traffic point of view it would be better to have the servers inside your firewall, though NTP traffic is pretty low after the system stabilises. I assume that your link is not a dial-up.

I think Doug answers the question of whether you can run it through plug-gw.

>NTP is a UDP-based service, so you can't plug-gw it. The usual
>procedure is to run an NTP daemon on the bastion host, and sync it to
>as many low-stratum servers as possible. Have the internal clients
>sync either directly to the bastion host or to internal higher-stratum
>servers.
Of course this reduces your redundancy as there is only one server now instead of two. If you allow a rule of to on UDP 123 and to on UDP 123 it should work.

There is a Garmin GPS plug-in for a Cisco server that I know of - but your best source of specific info on these types of things is on comp.protocols.time.ntp

Personally I would use an internal primary server synced from GPS or a radio clock - have a look at http://www.eecis.udel.edu/~ntp/ though they appear to be down at the moment.

Cheers,

Bret

Bret Watson & Associates, Computer Security Consultants
Bret.Watson@bwa.net http://www.bwa.net/
Phone: +61 41 4411 149 (local time UTC +8) Fax: +61 8 9454 6042

From owner-firewalls-outgoing Sat Jul 5 23:49:11 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA00492 for firewalls-outgoing; Sat, 5 Jul 1997 22:49:54 -0700 (PDT) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970427-1) id WAA00472 for firewalls@greatcircle.com; Sat, 5 Jul 1997 22:49:50 -0700 (PDT) Received: from ns1 ([202.117.112.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id BAA05347 for ; Fri, 4 Jul 1997 01:46:31 -0700 (PDT) Received: from 202.117.112.3 ([202.117.114.61]) by ns1 (5.x/SMI-SVR4) id AA05045; Fri, 4 Jul 1997 16:44:06 +0900
Date: Fri, 4 Jul 1997 16:44:06 +0900
Message-Id: <9707040744.AA05045@ns1>
From: qwd
To:
Subject: Help!
X-Mailer: FoxMail 1.4.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello, all,

I'd like to write some programs about the proxy service (application gateway) of a firewall. Where can I get some source (some examples) about it?
Qiu

From owner-firewalls-outgoing Sun Jul 6 03:41:16 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA28467 for firewalls-outgoing; Sun, 6 Jul 1997 03:27:47 -0700 (PDT) Received: from punt-2.mail.demon.net (relay-7.mail.demon.net [194.217.242.7]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id DAA28460 for ; Sun, 6 Jul 1997 03:27:41 -0700 (PDT) Received: from dowrmain.demon.co.uk ([158.152.123.251]) by punt-2.mail.demon.net id aa1225483; 6 Jul 97 10:21 BST
Message-ID:
Date: Sun, 6 Jul 1997 10:12:11 +0100
To: firewalls@greatcircle.com
From: Ian Wade
Reply-To: Ian Wade
Subject: Linux software for GPS > ntpd ???
MIME-Version: 1.0
X-Mailer: Turnpike Version 3.00
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Can anyone point me to Linux/Unix software which will convert the output from a GPS receiver to drive an NTP server?

Ian

--
\|--------\|--------\|--------\| Ian Wade |\--------|\--------|\--------|\ | | | | http://www.netro.co.uk/nosintro.html | Netro | Press | (tm)| for all about KA9Q NOS.
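Joe Judge's ip-filter cookbook earlier in this digest (his reply to "Any NAT implement?") explains why source NAT with a portmap range breaks active-mode FTP: the control channel is remapped into the 10000-65000 range, but the data port the client announces in its PORT command reaches the public address on a port the NAT has no state for. The Python below is an added example, not code from any poster and not ip-filter's own implementation: it models the "map ... portmap" and "rdr" rules as a small translation table, reproduces the dropped data connection Joe describes, and then shows the two ways around it, Joe's rdr of port 21 to a local FTP proxy and a PORT-rewriting helper of the kind an FTP-aware NAT applies. All addresses are constructed: 192.0.2.1 stands in for "my-real-Internet-address", 203.0.113.5 for a remote FTP server, and the proxy endpoint 10.1.1.1:2121 is an assumption.

```python
"""Source NAT with port remapping, the active-FTP failure, and two fixes.
Added example; addresses are constructed (TEST-NET ranges), not real hosts."""
from typing import Dict, Optional, Tuple

PUBLIC_IP = "192.0.2.1"                 # stands in for "my-real-Internet-address"
INTERNAL_PREFIX = "10.1.1."             # Joe's house net, 10.1.1.0/24
PORTMAP_LO, PORTMAP_HI = 10000, 65000   # the portmap range from his ipnat.conf

Endpoint = Tuple[str, int]              # (ip, port)


class Nat:
    """Minimal model of 'map ... portmap tcp/udp 10000:65000' plus 'rdr'."""

    def __init__(self) -> None:
        self._next_port = PORTMAP_LO
        self._out: Dict[Endpoint, int] = {}    # internal endpoint -> public port
        self._in: Dict[int, Endpoint] = {}     # public port -> internal endpoint
        self._rdr: Dict[int, Endpoint] = {}    # destination port -> local proxy

    def add_rdr(self, dst_port: int, proxy: Endpoint) -> None:
        """rdr: divert internal connections to dst_port to a proxy on the gateway."""
        self._rdr[dst_port] = proxy

    def reserve(self, internal: Endpoint) -> int:
        """Allocate (or reuse) a public port for an internal endpoint."""
        if internal not in self._out:
            if self._next_port > PORTMAP_HI:
                raise RuntimeError("portmap range exhausted")
            self._out[internal] = self._next_port
            self._in[self._next_port] = internal
            self._next_port += 1
        return self._out[internal]

    def outbound(self, src: Endpoint, dst: Endpoint) -> Tuple[str, Endpoint, Endpoint]:
        """Translate a packet leaving the house net.

        Returns (action, source as the peer sees it, destination).  'rdr'
        means the packet was diverted to the local proxy instead of mapped."""
        if not src[0].startswith(INTERNAL_PREFIX):
            raise ValueError(f"{src[0]} is not on the internal net")
        if dst[1] in self._rdr:
            return ("rdr", src, self._rdr[dst[1]])
        return ("map", (PUBLIC_IP, self.reserve(src)), dst)

    def inbound(self, dst_port: int) -> Optional[Endpoint]:
        """Packet arriving at the public address; None means no state, so it is dropped."""
        return self._in.get(dst_port)


def parse_port_arg(arg: str) -> Endpoint:
    """Decode the h1,h2,h3,h4,p1,p2 argument of an FTP PORT command."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(","))
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def format_port_arg(ep: Endpoint) -> str:
    """Encode an endpoint back into PORT's comma-separated form."""
    ip, port = ep
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def rewrite_port_command(nat: Nat, line: str) -> str:
    """What an FTP-aware NAT helper does: reserve a public port for the data
    listener the client announced and rewrite the PORT argument to match."""
    verb, _, arg = line.partition(" ")
    if verb.upper() != "PORT":
        return line
    listener = parse_port_arg(arg)
    return f"PORT {format_port_arg((PUBLIC_IP, nat.reserve(listener)))}"


def demo_active_ftp() -> Tuple[Optional[Endpoint], Optional[Endpoint]]:
    """Reproduce Joe's failure, then show the helper fixing it."""
    nat = Nat()
    server = ("203.0.113.5", 21)
    # 1. Control channel: PC 10.1.1.3:1025 is seen by the server as 192.0.2.1:10000.
    nat.outbound(("10.1.1.3", 1025), server)
    # 2. The PC sends "PORT 10,1,1,3,4,2" (listen on 1026).  Plain NAT passes it
    #    through untouched, so the server's data connection arrives at the
    #    public address on a port with no NAT state: dropped.
    broken = nat.inbound(1026)
    # 3. With the helper the PORT line is rewritten to the public address and a
    #    freshly reserved port, and the incoming data connection maps back.
    rewritten = rewrite_port_command(nat, "PORT 10,1,1,3,4,2")
    fixed = nat.inbound(parse_port_arg(rewritten.split(" ", 1)[1])[1])
    return broken, fixed


def demo_rdr() -> Tuple[str, Endpoint, Endpoint]:
    """Joe's workaround: rdr every internal connection to port 21 to an FTP
    proxy on the gateway (constructed endpoint 10.1.1.1:2121)."""
    nat = Nat()
    nat.add_rdr(21, ("10.1.1.1", 2121))
    return nat.outbound(("10.1.1.2", 1025), ("203.0.113.5", 21))


if __name__ == "__main__":
    print("without helper / with helper:", demo_active_ftp())
    print("with rdr to local proxy:", demo_rdr())
```

The table is keyed on the internal endpoint only, which is enough to show the failure; real ip-filter state also keys on the remote side and times entries out, and a helper that rewrites PORT must also fix up TCP sequence numbers when the rewritten line changes length, which this model ignores.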
From owner-firewalls-outgoing Sun Jul 6 04:49:13 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA02720 for firewalls-outgoing; Sun, 6 Jul 1997 04:36:23 -0700 (PDT) Received: from pino.demon.nl (pino.demon.nl [194.159.226.41]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA02713 for ; Sun, 6 Jul 1997 04:36:18 -0700 (PDT) Received: from localhost (arjan@localhost) by pino.demon.nl (8.8.4/8.8.4) with SMTP id MAA00404; Sun, 6 Jul 1997 12:39:27 +0200
Date: Sun, 6 Jul 1997 12:39:20 +0200 (MET DST)
From: Arjan Vos
To: kenng@kpmg.com
cc: firewalls@greatcircle.com
Subject: Re: Re[2]: Microsoft plans to offer a firewall
In-Reply-To: <000C4716.3365@kpmg.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 3 Jul 1997 kenng@kpmg.com wrote:

> In a previous life I've seen Coopers and Lybrand's so-called security
> evaluation. To put it politely, I was not impressed. For our UNIX
> servers, they wanted a printout of the file permissions for every file
> on every system. I guess they never heard of 'find'. They missed NFS
> permission problems (like export *WORLD* *WRITABLE*), they missed that
> databases were *WORLD* *WRITABLE*, they missed a lot of basic hole
> checking. But, they were improving. The first time I met with them
> they didn't ask for any file permissions.
>
> Note: I say the above, and I say everything as an individual. I am
> not now, or ever have been a spokesman for where I work now.
>

I think you should be very careful when judging C&L based on a past experience. Maybe it says more about the persons performing the evaluation than C&L. From your mail address I assume you work for KPMG, and KPMG is in the same business(es) as C&L, and I'm sure such experiences as you describe may also be applicable to some of KPMG's security evaluations (and those of Ernst & Young and Deloitte & Touche and so on...:-)).
However, what I don't understand is that C&L agreed to publish the so-called 'white paper' on the Internet. You can say they sold out on this one :-)

What I know from one of the other 'big six' companies is that putting their name to one product requires a formal certification of the product, including source code reviews and penetration testing. And with penetration testing I don't mean ISS and SATAN-like wide scanning but more or less deep "C2-B1-and-up" like penetration testing.

Gr.

Arjan Vos

--
Eat hard
Sleep hard
Wear glasses if you need them

From owner-firewalls-outgoing Sun Jul 6 05:04:14 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA03161 for firewalls-outgoing; Sun, 6 Jul 1997 04:54:25 -0700 (PDT) Received: from mailserver.di.unipi.it (memphis.di.unipi.it [131.114.4.6]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id EAA03146 for ; Sun, 6 Jul 1997 04:54:18 -0700 (PDT) Received: from 131.114.4.36.di.unipi.it (slip1.di.unipi.it [131.114.4.80]) by mailserver.di.unipi.it (8.8.5/8.7.3) with SMTP id NAA11920; Sun, 6 Jul 1997 13:53:38 +0200 (MET DST)
Message-ID: <33BF881C.4075@di.unipi.it>
Date: Sun, 06 Jul 1997 13:57:16 +0200
From: Claudio Telmon
Reply-To: claudio@DI.Unipi.IT
Organization: Dipartimento di Informatica, Universita' di Pisa, Italy
X-Mailer: Mozilla 3.01 (Win95; I)
MIME-Version: 1.0
To: Dave Wreski
CC: Douglas McNaught , Bret Watson , firewalls@GreatCircle.COM
Subject: Re: need suggestion xntpd a security hole ???
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dave Wreski wrote:
>
> How is it more secure to run an ntp daemon on the bastion host, and serve
> the internal network from there, rather than from the stratum's on the
> Internet?
>
> I suppose I could only allow that port from bastion host to internal
> network...
>
> Thanks again,
> Dave

If you have a proxy based firewall, packet forwarding should be disabled, so allowing packets from the internet to internal hosts shouldn't be an option. Maybe you could use socks, but there is the usual problem of bugs in clients/servers: buffer overflows, misconfigurations... You can have tight control on a single server on the bastion host, while an attack on an internal server could go undetected for a longer time... A compromised daemon on the bastion host isn't a nice thing anyway, so a GPS should be a better solution.

ciao

- Claudio

From owner-firewalls-outgoing Sun Jul 6 06:49:12 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA11516 for firewalls-outgoing; Sun, 6 Jul 1997 06:35:49 -0700 (PDT) Received: from deere3-bh.dx.deere.com (deere3-bh.dx.deere.com [207.122.201.68]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA11509 for ; Sun, 6 Jul 1997 06:35:44 -0700 (PDT) Received: (from uucp@localhost) by deere3-bh.dx.deere.com (8.6.12/8.6.11) id IAA02311 for ; Sun, 6 Jul 1997 08:39:08 -0500 Received: from 192.43.1.3 by deere3-bh.dx.deere.com via smap (3.2) id xma002309; Sun, 6 Jul 97 08:39:06 -0500 Received: from 90.deere.com by deere (SMI-8.6/SMI-SVR4) id IAA29931; Sun, 6 Jul 1997 08:38:36 -0500 Received: from catbert.uu.deere.com by 90.deere.com (SMI-8.6/SMI-SVR4) id IAA19062; Sun, 6 Jul 1997 08:38:34 -0500
Message-ID: <33BF9F57.70DC2B83@90.deere.com>
Date: Sun, 06 Jul 1997 08:36:23 -0500
From: Bertrum Carroll
Organization: Deere & Company
X-Mailer: Mozilla 4.0 [en] (Win95; I)
MIME-Version: 1.0
To: "Firewalls@GreatCircle.COM"
Subject: Two ISP's to one DMZ
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm looking for advice from someone who has connected two or more different ISP's to the same DMZ.

Are there pitfalls in doing this? Is it not possible?
I need to stay up to at least part of the net when a single ISP is having problems.

Has anyone done this with success?

From owner-firewalls-outgoing Sun Jul 6 07:19:25 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA13698 for firewalls-outgoing; Sun, 6 Jul 1997 07:05:43 -0700 (PDT) Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA13684 for ; Sun, 6 Jul 1997 07:05:33 -0700 (PDT) Received: from big-dawgs.cisco.com (herndon-dhcp-109.cisco.com [171.68.53.109]) by lint.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id HAA00935; Sun, 6 Jul 1997 07:08:59 -0700 (PDT)
Message-Id: <3.0.3.32.19970706100857.006d037c@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Sun, 06 Jul 1997 10:08:57 -0400
To: Bertrum Carroll
From: Paul Ferguson
Subject: Re: Two ISP's to one DMZ
Cc: "Firewalls@GreatCircle.COM"
In-Reply-To: <33BF9F57.70DC2B83@90.deere.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

No problem -- run BGP between all peers.

- paul

At 08:36 AM 07/06/97 -0500, Bertrum Carroll wrote:
>I'm looking for advice from someone who has connected two or more
>different ISP's to the same DMZ.
>
>Are there pitfalls in doing this? Is it not possible. I need to stay
>up to aleast part of the net when a single ISP is having problems.
>
>Has anyone done this with success?
>

--
Paul Ferguson                    ||        ||
Consulting Engineering           ||        ||
Herndon, Virginia USA           ||||      ||||
tel: +1.703.397.5938        ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com  c i s c o  S y s t e m s

From owner-firewalls-outgoing Sun Jul 6 09:04:11 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA21743 for firewalls-outgoing; Sun, 6 Jul 1997 08:38:24 -0700 (PDT) Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA21734 for ; Sun, 6 Jul 1997 08:38:15 -0700 (PDT) Received: from clark.net (mht@explorer.clark.net [168.143.0.7]) by mail.clark.net (8.8.5/8.6.5) with SMTP id LAA29073; Sun, 6 Jul 1997 11:41:38 -0400 (EDT)
Date: Sun, 6 Jul 1997 11:41:35 -0400 (EDT)
From: Mark Teicher
To: Bertrum Carroll
cc: "Firewalls@GreatCircle.COM"
Subject: Re: Two ISP's to one DMZ
In-Reply-To: <33BF9F57.70DC2B83@90.deere.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bertrum,

Yes, this works very well, when the two ISP's can actually work together. I have been in situations where one ISP blamed the other for not following up on certain work. Let's take for example, your primary ISP is BBN Planet and the other is UUNET.. In your service line agreement with both providers, you should ask for and insist on guarantees on switch when one or the other provider goes out, and the escalation path of each.. Who do they contact, how is the follow through. When things come back, are you given a lengthy explanation of what happened or just PCI.. (Problem Cleared Itself). If you'd like some help picking the right ISP in providing this type of service, please feel free to drop me a note..

/mark teicher

On Sun, 6 Jul 1997, Bertrum Carroll wrote:

> I'm looking for advice from someone who has connected two or more
> different ISP's to the same DMZ.
>
> Are there pitfalls in doing this? Is it not possible. I need to stay
> up to aleast part of the net when a single ISP is having problems.
>
> Has anyone done this with success?
> ########################################################## 'Turn on, Boot Up, Jack in' #########################################################

From owner-firewalls-outgoing Sun Jul 6 09:11:20 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA21709 for firewalls-outgoing; Sun, 6 Jul 1997 08:36:40 -0700 (PDT) Received: from gate.ct-net.de (gate.ct-net.de [195.4.230.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA21701 for ; Sun, 6 Jul 1997 08:36:31 -0700 (PDT)
From: marc@sniff.ct-net.de
Received: from service.ct-net.de (service.ct-net.de [195.4.230.4]) by gate.ct-net.de (8.8.5/8.8.5/cT-a) with ESMTP id PAA24961 for ; Sun, 6 Jul 1997 15:40:02 GMT Received: (from uucp@localhost) by service.ct-net.de (8.8.5/8.8.5/cT-a) with UUCP id PAA16166 for firewalls@greatcircle.com; Sun, 6 Jul 1997 15:28:52 GMT Received: (from marc@localhost) by sniff.franken.de (8.8.5/8.8.5/mb-b) id PAA01852 for firewalls@greatcircle.com; Sun, 6 Jul 1997 15:39:45 GMT
Message-Id: <199707061539.PAA01852@sniff.franken.de>
Subject: Re: Two ISP's to one DMZ
To: firewalls@greatcircle.com
Date: Sun, 6 Jul 1997 15:39:45 +0000 (GMT)
In-Reply-To: <3.0.3.32.19970706100857.006d037c@lint.cisco.com> from "Paul Ferguson" at Jul 6, 97 10:08:57 am
X-Mailer: ELM [version 2.4 PL24 ME8b]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

Paul Ferguson answered quite short to the question:

> No problem -- run BGP between all peers.
>
> - paul

Uhh ... what has the problem to do with BGP? I was thinking in terms of "trust" and such ... We are talking about a building with several ISP's working in this building? And they want to share the costs for a DMZ installation? Or several ISP's at several locations?
In this case I would have expected a tunnel solution between my outside router and the DMZ somewhere out in the world - or there is no difference between this outsourced DMZ and the "big bad internet(TM)".

So: what exactly is the problem? (and is BGP the answer? ;-)

Regards, Marc

> At 08:36 AM 07/06/97 -0500, Bertrum Carroll wrote:
>
> >I'm looking for advice from someone who has connected two or more
> >different ISP's to the same DMZ.
> >
> >Are there pitfalls in doing this? Is it not possible. I need to stay
> >up to aleast part of the net when a single ISP is having problems.
> >
> >Has anyone done this with success?

--
Marc Binderberger
97076 Wuerzburg, Germany
marc@sniff.ct-net.de
Powered by FreeBSD ;-)

From owner-firewalls-outgoing Sun Jul 6 09:41:47 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA24225 for firewalls-outgoing; Sun, 6 Jul 1997 09:32:22 -0700 (PDT) Received: from weblock.tm.net.my (weblock.tm.net.my [202.188.0.180]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA24217 for ; Sun, 6 Jul 1997 09:32:16 -0700 (PDT) Received: from budweiser ([202.188.6.48]) by weblock.tm.net.my (Post.Office MTA v3.1 release PO203a ID# 581-39802U50000L50000S0) with SMTP id AAA1451; Mon, 7 Jul 1997 00:36:36 +0800
Message-ID: <33C09FBB.2817@tm.net.my>
Date: Mon, 07 Jul 1997 00:50:19 -0700
From: ping
Reply-To: ping@tm.net.my
Organization: The Network Connections
X-Mailer: Mozilla 3.01 (WinNT; I)
MIME-Version: 1.0
To: Paul Ferguson
CC: Bertrum Carroll , "Firewalls@GreatCircle.COM"
Subject: Re: Two ISP's to one DMZ
References: <3.0.3.32.19970706100857.006d037c@lint.cisco.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Paul Ferguson wrote:
>
> No problem -- run BGP between all peers.

yup, this is more of a routing problem than firewall. And you want to make sure your IGP is running otherwise EBGP and IBGP won't help.
>
> - paul
>
> At 08:36 AM 07/06/97 -0500, Bertrum Carroll wrote:
>
> >I'm looking for advice from someone who has connected two or more
> >different ISP's to the same DMZ.
> >
> >Are there pitfalls in doing this? Is it not possible. I need to stay
> >up to aleast part of the net when a single ISP is having problems.
> >
> >Has anyone done this with success?
> >
>
> --
> Paul Ferguson                    ||        ||
> Consulting Engineering           ||        ||
> Herndon, Virginia USA           ||||      ||||
> tel: +1.703.397.5938        ..:||||||:..:||||||:..
> e-mail: pferguso@cisco.com  c i s c o  S y s t e m s

--
--------------------------------------------------------------
Ping Onn Cheng                 The Network Connections
Network Consultant             41 Jalan USJ 10/1, Taipan Crest
Tel : 03-7337757               Subang Jaya, Selangor
http://www.asiapac.net/~ping   Malaysia
--------------------------------------------------------------

From owner-firewalls-outgoing Sun Jul 6 09:56:22 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA25616 for firewalls-outgoing; Sun, 6 Jul 1997 09:45:52 -0700 (PDT) Received: from heaton.cl.cam.ac.uk (heaton.cl.cam.ac.uk [128.232.32.11]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id JAA25581 for ; Sun, 6 Jul 1997 09:45:42 -0700 (PDT) Received: from heaton.cl.cam.ac.uk [128.232.0.11] (pb) by heaton.cl.cam.ac.uk with esmtp (Exim 1.62 #6) id 0wkuUo-00072g-00; Sun, 6 Jul 1997 17:49:10 +0100
X-uri:
X-face: &@N3QE9h|>f`igFCkZ'a1`z=nNLXb}k>H(79G"V?@!&*yn)uhPBctF1vc}LD'{OA%$bs X+l[wN,I^G8kKj2NFxQrr@1C4QBC]hq5-%ZkV,^Zl/qE<0`zCQ1nM+]-N<^WG[H)]?d) A:L9AFgOU[BjbaY)uBAMz}h!fm^O0#
To: Ian Wade
cc: firewalls@greatcircle.com
Subject: Re: Linux software for GPS > ntpd ???
In-reply-to: Your message of Sun, 06 Jul 1997 10:12:11 +0100.
Date: Sun, 06 Jul 1997 17:49:05 +0100
From: Piete Brooks
Message-Id:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Can anyone point me to Linux/Unix software which will convert the output
> from a GPS receiver to drive an NTP server?
Try xntp3 from louie.udel.edu in pub/ntp

From owner-firewalls-outgoing Sun Jul 6 11:04:13 1997
From: Claudio Telmon
Organization: Dipartimento di Informatica, Universita' di Pisa, Italy
Date: Sun, 06 Jul 1997 19:54:40 +0200
To: Dave Wreski
CC: firewalls@GreatCircle.COM
Subject: Re: Moving data to external machines

Dave Wreski wrote:
>
> Hi all. I am working with trying to set up my first Internet server. The
> network will consist of several interior machines, and two external
> servers, as shown:
>
>              Internet
>                 |
>                 |
>          Linux with FWTK
>           DNS/Mail/Proxy
>    (Blocks all but WWW/Marimba)
>                 |
>                 |
>         Linux with ip masq
>             WWW/Marimba
>                 |
>                 |
>             10mbs Hub
>             ---------
>             | | | | |
>             | | | | |
>          Internal Network
>
> Since the internal machines are primarily NT 4.0 workstations, and I'm not
> too familiar with ssh under NT, how would I go about copying the data from
> the internal machines to the web server?

Note that in this setup your Web server is an internal machine. I wouldn't say this is a secure setup, since an attack against your WWW server would take the attacker right behind your defences.

> There will be a staging server
> on the internal network, and I eventually need to get that data to the
> production server, as well as fetching mail and doing DNS queries from the
> firewall box.
>
> Should I redesign my distribution of services?
>

I would. A third interface on the bastion host for the Web server could solve many of your problems.

ciao - Claudio

From owner-firewalls-outgoing Sun Jul 6 20:04:20 1997
From: Paul Ferguson
Date: Sun, 06 Jul 1997 23:02:15 -0400
To: marc@sniff.ct-net.de
Cc: firewalls@GreatCircle.COM
Subject: Re: Two ISP's to one DMZ

At 03:39 PM 07/06/97 +0000, marc@sniff.ct-net.de wrote:
>Paul Ferguson gave quite a short answer to the question:
>
>> No problem -- run BGP between all peers.
>>
>
>Uhh ... what has the problem to do with BGP?
>

Uh, because the original question asked how to connect two or more different routing domains (ISP's) to a shared (or perhaps switched) media interconnect point, and BGP is the de facto method for exterior routing between dissimilar administrative routing domains.
That has everything to do with the problem, as well as the solution. You don't use a wrench to hammer a nail -- you use the correct tool for the job.

>I was thinking in terms of "trust" and such ...
>We are talking about a building with several ISP's working in this
>building? And they want to share the costs for a DMZ installation?
>

Trust is a very bad thing, but even if you are foolish enough to open your kimono, you still need the BGP protocol for routing between different administrative routing domains.

>Or several ISP's at several locations? In this case I would have
>expected a tunnel solution between my outside router and the DMZ
>somewhere out in the world - or there is no difference between this
>outsourced DMZ and the "big bad internet(TM)".
>
>So: what exactly is the problem? (and is BGP the answer? ;-)
>

The problem perhaps was miscommunicated, but as it stands, if the problem is simply how to exchange data between two ISP's at a common location, BGP is the answer.

- paul

>Regards, Marc
>
>> At 08:36 AM 07/06/97 -0500, Bertrum Carroll wrote:
>>
>> >I'm looking for advice from someone who has connected two or more
>> >different ISP's to the same DMZ.
>> >
>> >Are there pitfalls in doing this? Is it not possible? I need to stay
>> >up to at least part of the net when a single ISP is having problems.
>> >
>> >Has anyone done this with success?
>
>--
>Marc Binderberger 97076 Wuerzburg, Germany
>marc@sniff.ct-net.de Powered by FreeBSD ;-)
>

--
Paul Ferguson, Consulting Engineering, Herndon, Virginia USA
tel: +1.703.397.5938
e-mail: pferguso@cisco.com, cisco Systems

From owner-firewalls-outgoing Sun Jul 6 20:19:20 1997
From: "Gasparini, Edy"
To: Firewalls
Subject: Cisco exploits/vulnerabilities
Date: Mon, 7 Jul 1997 13:16:00 +1000

Greetings,

There are plenty of resources on the 'Net for known exploits/vulnerabilities for various Unix platforms, NT and others. What I can't seem to locate are Cisco exploits/vulnerabilities :( Does this mean that there aren't any?? I think not :)

Can anyone point out such a site/s? I don't necessarily want to know *how* to exploit Cisco routers, I just want to know what the known problems are and what is fixed in the various IOS levels.

TIA.
./edy

From owner-firewalls-outgoing Sun Jul 6 20:34:36 1997
From: Steven Gordiany
Date: Sun, 06 Jul 1997 20:44:30 -0700
To: Bertrum Carroll, Firewalls@GreatCircle.COM
Subject: Re: Two ISP's to one DMZ

At 08:36 AM 7/6/97 -0500, Bertrum Carroll wrote:
>I'm looking for advice from someone who has connected two or more
>different ISP's to the same DMZ.
>
>Are there pitfalls in doing this? Is it not possible? I need to stay
>up to at least part of the net when a single ISP is having problems.

You will have to configure your outbound routers to run Border Gateway Protocol (BGP) routing in this case. The only pitfall is configuring BGP to suit your particular environment. Border Gateway Protocol can be somewhat complicated if you've never configured it before. The other issue is dealing with both ISP's; sometimes they don't want to route each other's address blocks.

Redundancy is the issue here; if you're running BGP and one of your ISP's has trouble, BGP will automatically (if configured right) announce an alternate route to your DMZ addresses through the 2nd ISP. Convergence time using the 2nd route is minimal; it should take 5 minutes or so.

>
>Has anyone done this with success?
>
>

Yes.

From owner-firewalls-outgoing Sun Jul 6 22:49:24 1997
From: marc@sniff.ct-net.de
Subject: Re: Two ISP's to one DMZ
To: sgordiany@verisign.com (Steven Gordiany)
Date: Mon, 7 Jul 1997 05:36:28 +0000 (GMT)
Cc: firewalls@greatcircle.com

Hello,

first, please trash my first confused reply. I forgot to turn on my brain before sending the reply :(

But another question comes up: Our local ISP here in Germany told me that it is not a good idea to advertise networks below /19, because some carriers filter out BGP routes to networks smaller than 8192 addresses. Is this correct? And if so, what will be the solution for Bertrum Carroll's problem?

Regards, Marc

--
Marc Binderberger 97076 Wuerzburg, Germany
marc@sniff.ct-net.de Powered by FreeBSD ;-)

From owner-firewalls-outgoing Mon Jul 7 01:19:28 1997
From: "Angel López Escobar"
Subject: RE: FireWall Audit
Date: Mon, 7 Jul 1997 10:05:49 +0200

>
> Besides that, does anyone have a program to audit/evaluate a firewall
> system ?
>

The only free program I've heard about is SATAN, which isn't exactly a tool to evaluate a FireWall, but it's for performing security checking. You can find it on the net.

Also you can find a commercial one, and I think that it is not very cheap. The company is Internet Security Systems (www.iss.net) and the product is SAFEsuite.

Regards.
From owner-firewalls-outgoing Mon Jul 7 01:34:43 1997
From: "Gabriele Luigi Paolo Faggioni"
Date: Mon, 07 Jul 1997 10:18:19 +0200
To: Mark Teicher
Cc: Firewalls@GreatCircle.COM
Subject: RE: Firewall on AIX

Please explain to me which IBM features aren't implemented in the FW1 firewall!

At 13.23 4/7/1997 -0400, you wrote:
>IBM has their own solution for the AIX.. It is designed to use the AIX
>much better than Firewall -1 is..
>
>/mark
>
>
>At 10:10 AM 7/3/97 +0200, you wrote:
>>In 1, Jul, 1997 I wrote:
>>...I've done some research on firewalls on AIX, but I got very little.
>>...I have some FAQ at the
>>...http://www.checkpoint.com/opsec/Partners/memco/faq.html:
>>
>>...- 6. Which versions of FireWall-1 are compatible with SeOS Secured!
>>...- For FireWall-1?
>>
>>...- SeOS Secured! For FireWall-1 is compatible with FireWall-1 version 2.1
>>...- and version 3.0 for Solaris on Sun SPARC and x86. SunOS and HP-UX
>>...- versions are currently in Beta testing and will be available soon. IBM AIX
>>...- and Windows NT versions are in development.
>>...It will be available until the third quarter of the year.
>>
>>Roger Rea replied to me:
>>>From: Roger Rea
>>>To:
>>>Cc: <75816664@ITHVM03.vnet.ibm.com>
>>>Subject: Fwd: Firewall on AIX
>>>Date: Wed, 2 Jul 1997 17:30:11 -0400
>>>
>>>Gabriele.................Perhaps you have not looked at the current version of
>>>the IBM Firewall. We are a much more complete firewall than other firewalls,
>>>offering not only filtering architectures like Check Point, but also
>>>Application Gateways and Circuit Level Gateways. So you get three firewalls in
>>>one.
>>
>>PERHAPS YOU HAVEN'T LOOKED AT THE LAST 3 OR 4 VERSIONS OF THE CHECKPOINT
>>FIREWALL.
>>IT USES THE "STATEFUL INSPECTION" TECHNOLOGY TO FILTER ALL ISO LAYERS FROM
>>THE NETWORK LAYER TO THE APPLICATION IN ONLY ONE PASS: THERE'S AN "INSPECT
>>ENGINE" THAT USING DYNAMIC STATE TABLES ASSURES A FAST AND TRANSPARENT
>>INSPECTION.
>>
>>>We also offer Network Address Translation, logging, alerting, a JAVA-based GUI
>>>with pre-defined services and context sensitive help. We've had IPSEC tunnels
>>>for several releases and have added in the current release client IPSEC
>>>software at no additional charge. We offer the Network Security Auditor, which
>>>allows you to scan the network for security weaknesses.
>>>
>>>You can learn more about the IBM Firewall for AIX V3.1 and download trial
>>>software from our web site at: http:\\www.ics.raleigh.ibm.com\firewall
>>
>>THANK YOU FOR THE INFORMATION
>>
>
>#########################################################
>'Turn on, Boot Up, Jack in'
>#########################################################
>
>

---------------------------------------------------------------
Gabriele Faggioni
Open Network Services - Security
Cap Gemini Italia S.p.A.
Via Lombroso, 54
MILANO (ITALIA)
http://www.sif.cgs.it
mailto:gfaggion@sif.cgs.it
tel. ++39 2 59924 420
fax. ++39 2 59924 245
---------------------------------------------------------------

From owner-firewalls-outgoing Mon Jul 7 05:34:36 1997
From: "Button, Dave"
Date: Mon, 07 Jul 1997 08:28:40 -0400
Subject: RE: need suggestion xntpd a security hole ???
To: 'firewalls@greatcircle.com', 'Dirk Nerling'

Dirk Nerling wrote;
>>I plan to update the time of our internal net from
>>an Internet Time Server on a regular basis. Does
>>anybody of you know something about the xntpd?
>Any intrusion listed?
What do the experts suggest?

NTP relies on receiving time information via UDP from (usually) about three stratum-1 time servers. The basic service is vulnerable to spoofing and denial-of-service attacks. This is somewhat mitigated by the availability of an authenticated mode in which a MAC (Message Authentication Code) is appended. This requires that you share a DES key with the stratum-1 provider. I'm not even sure this is available outside the US and Canada as Dr. Mills now has an export version of xntpd, presumably sans DES.

It was questions like this that led us at GTE to create our own redundant stratum-1 time servers within our intranet and behind our firewall. The hosts for the time servers host other security applications, so the cost was not great, and the system has been very reliable. The only problem, and this is true regardless of where your stratum-1 servers are, is that the Selective Availability channel of GPS, which is the only channel we civilians are allowed to use, is itself vulnerable to certain denial-of-service attacks. Given that, use a GPS receiver that features a really good oscillator that is capable of riding out long periods of signal loss.

Dave

"The Box said Win '95 or better - So I used a Macintosh!"
-Harold Herbert Tessman

From owner-firewalls-outgoing Mon Jul 7 05:49:32 1997
From: Chris Pressley
Date: Thu, 03 Jul 1997 12:03:51 -0400
To: firewalls-digest@GreatCircle.COM
Subject: router on external net

Assume I set up a dual-homed firewall. My internal net connects to the internal interface on the firewall, and my external interface on the firewall connects to a T-1, then on to the ISP's router. The interface on my ISP's router is on the same network as my external interface.

Two questions:

1. Do I need a router between my firewall external interface and my T-1 (I have to connect something to the CSU/DSU, right?).

2. Should I have a router between my firewall external interface and my T-1, given that my ISP's router is on the same network, for security reasons?

Thanks,
Chris

From owner-firewalls-outgoing Mon Jul 7 06:19:34 1997
From: ArkanoiD
Subject: Re: FireWall Audit
To: alopez@mdintesis.es (Angel López Escobar)
Date: Mon, 7 Jul 1997 17:10:24 +0400 (MSD)
Cc: marcob@cvrd.com.br, Firewalls@GreatCircle.COM

nuqneH,

> The only free program I've heard about is SATAN, which isn't exactly a
> tool to evaluate a FireWall, but it's for performing security checking.
> You can find it on the net.
>
> Also you can find a commercial one, and I think that it is not very
> cheap. The company is Internet Security Systems www.iss.net and the
> product is SAFEsuite.

"Not very cheap".. it is terribly overpriced.. and has limited abilities.

--
CU in Hell /Arkan#iD
Do i believe in Bible? Hell,man,i've seen one!
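Referring back to Dave Button's description of xntpd's authenticated mode (a MAC appended to the packet under a key shared with the stratum-1 provider), the following is an added example, not code from the thread or from xntpd: it builds an NTPv3 server reply, appends the symmetric-key authenticator (4-byte key id plus a keyed digest over the header) and verifies it. Keyed MD5 is assumed here in place of the DES-CBC checksum the thread discusses, and every packet field and key value is constructed.

```python
import hashlib
import hmac
import struct

# NTP timestamps count seconds since 1900-01-01; Unix time starts at 1970-01-01.
NTP_EPOCH_OFFSET = 2208988800
HEADER_LEN = 48              # NTPv3 header without the authenticator
KEY_ID_LEN, DIGEST_LEN = 4, 16


def to_ntp_timestamp(unix_seconds: float) -> int:
    """Convert Unix time to a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return (whole << 32) | (frac & 0xFFFFFFFF)


def build_server_packet(xmit_unix: float, stratum: int = 1, ref_id: bytes = b"GPS ") -> bytes:
    """Build a 48-byte NTPv3 server reply (mode 4) carrying the given transmit time.
    Fields other than the timestamps are constructed filler, not a real server's values."""
    li_vn_mode = (0 << 6) | (3 << 3) | 4          # leap=0, version=3, mode=4 (server)
    poll, precision = 6, -20
    root_delay = root_dispersion = 0
    ts = to_ntp_timestamp(xmit_unix)
    # ... reference ts, originate ts, receive ts, transmit ts
    return struct.pack("!BBbbII4sQQQQ", li_vn_mode, stratum, poll, precision,
                       root_delay, root_dispersion, ref_id, ts, 0, 0, ts)


def transmit_time(message: bytes) -> float:
    """Read the transmit timestamp (header bytes 40..47) back as Unix time."""
    ts = struct.unpack("!Q", message[40:48])[0]
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def append_mac(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Append the symmetric-key authenticator: key id, then digest(key || header).
    Assumption: keyed MD5 stands in for the DES-CBC checksum of the 1997 xntpd."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_mac(message: bytes, trusted_keys: dict) -> bool:
    """Accept a message only if its authenticator verifies under a key we trust."""
    if len(message) != HEADER_LEN + KEY_ID_LEN + DIGEST_LEN:
        return False                                # no (or malformed) authenticator
    header = message[:HEADER_LEN]
    key_id = struct.unpack("!I", message[HEADER_LEN:HEADER_LEN + KEY_ID_LEN])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False                                # unknown key id: cannot be checked
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, message[HEADER_LEN + KEY_ID_LEN:])


def authenticator_properties(key_id: int = 1, key: bytes = b"constructed-shared-key") -> dict:
    """What the shared-key authenticator does and does not protect against."""
    trusted = {key_id: key}
    now = 1_000_000_000.5                           # constructed transmit time
    genuine = append_mac(build_server_packet(now), key_id, key)
    # A reply whose clock is off by an hour, with the genuine MAC copied over it:
    shifted = build_server_packet(now + 3600)
    spliced = shifted + genuine[HEADER_LEN:]
    # The same shifted reply, with a MAC computed by another holder of the shared key:
    resigned = append_mac(shifted, key_id, key)
    # A reply under a key id this client never configured:
    unknown = append_mac(shifted, 7, b"some-other-key")
    return {
        "genuine_verifies": verify_mac(genuine, trusted),
        "spliced_mac_verifies": verify_mac(spliced, trusted),         # integrity: rejected
        "resigned_by_key_holder_verifies": verify_mac(resigned, trusted),  # shared secret: accepted
        "unknown_key_verifies": verify_mac(unknown, trusted),
    }


if __name__ == "__main__":
    for name, ok in authenticator_properties().items():
        print(f"{name}: {ok}")
```

The last dictionary entry but one is the limitation of a shared secret: the MAC proves that a key holder produced the packet, not which key holder, so the key must be restricted to the peers you actually trust.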
From owner-firewalls-outgoing Mon Jul 7 07:34:23 1997
From: mikech@avana.net
Date: Mon, 7 Jul 1997 10:10:17 -0500
Subject: Re: Two ISP's to one DMZ
To: Firewalls@GreatCircle.COM, Bertrum Carroll

------------------------
From: Bertrum Carroll
Subject: Two ISP's to one DMZ
Date: Sun, 06 Jul 1997 08:36:23 -0500
To: "Firewalls@GreatCircle.COM"

> I'm looking for advice from someone who has connected two or more
> different ISP's to the same DMZ.
>
> Are there pitfalls in doing this? Is it not possible? I need to stay
> up to at least part of the net when a single ISP is having problems.
>
> Has anyone done this with success?
>
---------------End of Original Message-----------------

I would think you might have better luck bringing your ISPs in on multiple interfaces. We had a client running our Firewall who brought two ISPs in. One was through a cable modem, the other through a 128K ISDN dialup. The cable modem was used for inbound and outbound (through NAT and Stateful Packet Inspection) web surfing, telnetting, etc. (anything that didn't require a fixed IP). The ISDN link was used with a fixed IP for inbound services that required a Domain name (this wasn't very high bandwidth stuff) and as a backup ISP link. They had "real" IPs on the internal network.

There were two main "default" routes set up with one having a higher preference than the other, so if one failed (cable) the other could take over (ISDN). The only problem that the client ran into is that they were advertising routes through RIP (this is not the default behavior of the firewall). Suddenly, all traffic intended for their ISDN ISP (Netrail) started coming in over their cable link (@Home). I guess @Home was accepting downstream route updates as gospel. Because our client was using NAT and stateful packet inspection, none of the Netrail ISP traffic could get through. It took Netrail and @Home about a day to get the routing tables straight again. Since then they have had no problems at all.

You have a greater amount of control when you bring your traffic in over multiple interfaces than if everything is on one DMZ LAN. Separate interfaces mean separate reports for traffic, hacking, uptime, etc. You can also reduce the chances of being brought down by a single interface failing.

The key to this working was our "Dynamic-DNS" feature (which is also available for other OSs, see below), so that your Domains can follow you between ISPs. As soon as you lose one route our Firewall will notify the Dynamic DNS servers that its IP has changed and that the Domains should now point to a new IP address. This is a lot easier to implement than BGP (which may not be supported by all ISPs and may cause some confusion as routes are being updated). Outbound traffic always works. Inbound traffic takes at most about 10 minutes for DNS updates to take effect. It is much easier to reassign IPs to Domain names than to move routes. This also works independently of your ISP.

BTW, don't flame me about BGP. In cases where I was able to implement it I would. It just isn't always available.

You could also do this on other OSs (such as UNIX or NT) or Firewalls with software available from http://www.ml.org and http://www.dyndns.com.

I hope this helps,

Mike

--
14:08:42 07/06/97
_______________________________________________________________________
Michael W. Chalkley              Tel: +1.770.823.7846
ZapNet! Inc.                     Fax: +1.770.475.7640
Suite 400-120                    E-mail: mikech@iproute.com
10945 State Bridge Road                  mikech@avana.net
Alpharetta, GA 30202             http://www.iproute.com

From owner-firewalls-outgoing Mon Jul 7 07:41:29 1997
From: Matthew Frith
Subject: Routing with 2 checkpoint Firewalls
To: Firewalls@GreatCircle.COM
Date: Mon, 07 Jul 1997 15:04:41 BST
Cc: azari@hplb.hpl.hp.com, adc@hplb.hpl.hp.com

I am trying to configure a high availability solution with 2 Checkpoint firewalls running on HP-UX. I have the 2 firewalls sync'ing their state tables but am trying to set up a `hot-standby' solution similar to that of CISCO routers.

Has anyone ever done this, or know how to set up the default route where machines on the internal network route (dynamically) to either of the firewalls, depending on which one is up?

any help gratefully received..

Matt Frith
Hewlett-Packard, Bristol, UK.
mjf@hplb.hpl.hp.com

From owner-firewalls-outgoing Mon Jul 7 07:49:49 1997
From: "Martin C. Walker"
Date: Mon, 07 Jul 1997 10:32:46 -0400
To: fw-1-mailinglist@us.checkpoint.com, firewalls@greatcircle.com
Subject: FW-1 DESTINATION IP Address Translation

Can anyone provide me with details on how to translate the DESTINATION IP address in a forward moving packet outbound from the firewall to the internet? Normal NAT translates only the SOURCE IP address. Ideally I'd like to translate only the destination address and leave the source as an illegal 10.* address. If this is not doable I'd need to translate both addresses.

I have Sun's version of FW-1 2.1c on Solaris 2.5.1x86. I will be going to 3.0a soon, so if it's different or not do-able on 3.* products I'd like to know that too.

TIA for the help

--------------------------------------------------------------------------
Martin C. Walker     | martinw@epcorp.com    | PP-ASEL,IFR AA5-A 9908U
Project Lead         | (513)629-2517         | Blue Belt Okinawan Shuri-Ryu
Eagle-Picher Inc.    | Fax: (513)629-2449    | Porsche 911SC
580 Walnut St,       | Cincinnati, OH 45202  |

From owner-firewalls-outgoing Mon Jul 7 07:51:43 1997
From: Piete Brooks
To: "Button, Dave"
cc: 'firewalls@greatcircle.com', 'Dirk Nerling'
Subject: Re: need suggestion xntpd a security hole ???
Date: Mon, 07 Jul 1997 14:47:01 +0100

> This is somewhat mitigated by the availability of an authenticated mode in
> which a MAC (Message Authentication Code) is appended.

Unfortunately this is of little use as it relies on a shared secret, meaning that any system capable of using the service can also spoof :-(

> I'm not even sure this is available outside the US and Canada

It is.

> as Dr. Mills now has an export version of xntpd, presumably sans DES.

yes -- I asked him for that so that I could slot in Eric's code .... e.g. brolga.cc.uq.oz.au:/net.sources/authdes.c.Z

    This is Eric Young's exportable DES implementation, re-re-bludgeoned
    by the author to suit this context. Totally un-encumbered by US
    export restrictions.
comments/bugs and applause to eay@psych.psy.uq.oz.au

From owner-firewalls-outgoing Mon Jul 7 08:11:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA27441 for firewalls-outgoing; Mon, 7 Jul 1997 07:52:59 -0700 (PDT) Received: from mail.sla.com (mail1.sla.com [207.153.168.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA27404 for ; Mon, 7 Jul 1997 07:52:47 -0700 (PDT) Received: by mail1.sla.com with Internet Mail Service (5.0.1457.3) id <3B2FBJG2>; Mon, 7 Jul 1997 07:56:30 -0700 Message-ID: <31557D725263D011B53A0060974FB8DC028BAE@mail1.sla.com> From: "Stackpole, Bill" To: "'Ken Hardy'" , montenegro@nutec.com.br, Firewalls@GreatCircle.COM Subject: RE: IP Filters? Date: Mon, 7 Jul 1997 07:56:29 -0700 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Good point, but I suppose it depends on the direction of the filter. These are on an inbound filter that denies everything but specific connections. What follows these statements are all the specific permits by port, source and destination. On some configurations I've done/seen this can be upwards of 30 entries. So these two entries are designed to keep those 30 from being processed unnecessarily.

"Simplify - There is no value in complexity, it's too difficult to manage."
Bill Stackpole, CISSP Seitel Leeds & Associates Voice: 206.283.4355 2 Nickerson St. Suite 201 Email: bstackpole@sla.com Seattle, Wa 98109

> -----Original Message-----
> From: Ken Hardy [SMTP:ken@bridge.com]
> Sent: Thursday, July 03, 1997 11:19 AM
> To: montenegro@nutec.com.br; Firewalls@GreatCircle.COM; Stackpole, Bill
> Cc: firewalls@GreatCircle.COM
> Subject: RE: IP Filters?
>
> "Stackpole, Bill" wrote:
>
> >There are some techniques you can use to speed up access list
> >processing. Remember a Cisco list is exited on the first true so you
> >can add lines like:
> >
> > ! TCP or UDP Ports above the last service you are permitting
> > ! this is done to speed up the list processing
> > access-list 101 deny tcp any host 255.255.255.255 gt 80
> > access-list 101 deny udp any host 255.255.255.255 gt 19
> >
> >just before all the specific rules to speed up list processing.
>
> Seems to me that that would speed things up most *if* the most common
> packets were those you're denying. Hopefully people are not
> continually banging on your router with prohibited traffic, and most of
> the packets it needs to process are those that are specifically
> allowed. In such a case, wouldn't it make more sense to put the rules
> that *allow* the most common traffic first? Just guessing, but you ought
> to be able to get 80%-90% or more of all packets to hit within the first
> half-dozen or so rules.
>
> --
> KH

From owner-firewalls-outgoing Mon Jul 7 09:08:35 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA24180 for firewalls-outgoing; Mon, 7 Jul 1997 07:11:46 -0700 (PDT) Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id HAA24166 for ; Mon, 7 Jul 1997 07:11:41 -0700 (PDT) Received: from big-dawgs.cisco.com (herndon-dhcp-109.cisco.com [171.68.53.109]) by lint.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id HAA13694; Mon, 7 Jul 1997 07:15:15 -0700 (PDT) Message-Id: <3.0.3.32.19970707101502.006c9e94@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Mon, 07 Jul 1997 10:15:02 -0400 To: "Mark Horn [ Net Ops ]" From: Paul Ferguson Subject: Re: Two ISP's to one DMZ Cc: firewalls@GreatCircle.COM In-Reply-To: <19970707095116.62717@capmark.funb.com> References: <3.0.3.32.19970706230215.006b6378@lint.cisco.com> <3.0.3.32.19970706100857.006d037c@lint.cisco.com> <3.0.3.32.19970706230215.006b6378@lint.cisco.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 09:51 AM 07/07/97 -0400, Mark Horn [ Net Ops ] wrote: > >Is BGP the only answer? We have several ISP's providing service to us. >We have our own NIC assigned address block, and a NIC assigned AS number. >We've been trying (for several months) to set up BGP routing between all >of our providers. But we've run into trouble. > That's not surprising -- BGP can be hard, depending on the complexity of the peering policy. It can also be amazingly easy. >One of the providers doesn't want to set up peering with us. Their claim >is that you can have redundant ISP's through other methods than setting up >BGP peering. When pressed, they've been conspicuously quiet about what >these other methods are. > I'd be curious, as well. As I mentioned before, BGP is the de facto mechanism of exchanging routing information between diverse routing domains (inter-domain routing) in the Internet. Period. >Is there another way to set up redundancy between two ISP's without doing >BGP peering? > No, not really. - paul -- Paul Ferguson || || Consulting Engineering || || Herndon, Virginia USA |||| |||| tel: +1.703.397.5938 ..:||||||:..:||||||:.. 
e-mail: pferguso@cisco.com c i s c o S y s t e m s

From owner-firewalls-outgoing Mon Jul 7 09:16:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA20968 for firewalls-outgoing; Mon, 7 Jul 1997 06:48:15 -0700 (PDT) Received: from firstunion.com ([204.5.135.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id GAA20952 for ; Mon, 7 Jul 1997 06:48:09 -0700 (PDT) Received: by firstunion.com (4.1/SMI-4.1) id AA04804; Mon, 7 Jul 97 09:51:37 EDT Received: from cm_mailhost.capmark.funb.com(168.175.82.50) by gate.funb.com via smap (V2.0beta) id xma004796; Mon, 7 Jul 97 09:51:22 -0400 Received: from funws302.capmark.funb.com (funws302 [168.175.7.54]) by cm_mailhost.capmark.funb.com (8.7.5/8.7.3) with ESMTP id JAA04825; Mon, 7 Jul 1997 09:51:17 -0400 (EDT) Received: (mhorn@localhost) by funws302.capmark.funb.com (8.6.12/8.6.12) id JAA01649; Mon, 7 Jul 1997 09:51:16 -0400 Message-Id: <19970707095116.62717@capmark.funb.com> Date: Mon, 7 Jul 1997 09:51:16 -0400 From: "Mark Horn [ Net Ops ]" To: Paul Ferguson Cc: marc@sniff.ct-net.de, firewalls@GreatCircle.COM Subject: Re: Two ISP's to one DMZ References: <3.0.3.32.19970706100857.006d037c@lint.cisco.com> <3.0.3.32.19970706230215.006b6378@lint.cisco.com> Mime-Version: 1.0 Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-md5; boundary=jRHKVT23PllUwdXP X-Mailer: Mutt 0.75 In-Reply-To: <3.0.3.32.19970706230215.006b6378@lint.cisco.com>; from Paul Ferguson on Sun, Jul 06, 1997 at 11:02:15PM -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

--jRHKVT23PllUwdXP
Content-Type: text/plain; charset=us-ascii

Paul Ferguson says:
>Uh, because the original question asked how to connect two
>or more different routing domains (ISP's) to a shared (or
>perhaps switched) media interconnect point, and BGP is
>the de facto method for exterior routing between dissimilar
>administrative routing domains.

Is BGP the only answer? We have several ISP's providing service to us. We have our own NIC assigned address block, and a NIC assigned AS number. We've been trying (for several months) to set up BGP routing between all of our providers. But we've run into trouble.

One of the providers doesn't want to set up peering with us. Their claim is that you can have redundant ISP's through other methods than setting up BGP peering. When pressed, they've been conspicuously quiet about what these other methods are.

Is there another way to set up redundancy between two ISP's without doing BGP peering?

--
Mark Horn
PGP Public Key available from: http://www.es.net/hypertext/pgp.html
PGP KeyID/fingerprint: 00CBA571/32 4E 4E 48 EA C6 74 2E 25 8A 76 E6 04 A1 7F C1

--jRHKVT23PllUwdXP
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM8D0TRCnm2cAy6VxAQE2swQAqiy/xU2/mKJ0j4YUgBhnCNLV3H+I7cG6
aaQqOz0Er4KSL6w/rvXhZLGJRa8DG8HLI4Resvhj/hICbuknDmZhqwWT345Qe3en
1O6/e9zq2lmduPlcW/oLk7PQYPtFTurXSk2JKi8ySClK0FVIedN8NKtfhl2bMsNc
VUfR+Qo606Y=
=cygq
-----END PGP SIGNATURE-----

--jRHKVT23PllUwdXP--

From owner-firewalls-outgoing Mon Jul 7 09:40:17 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA05413 for firewalls-outgoing; Mon, 7 Jul 1997 08:39:14 -0700 (PDT) Received: from bhi-net.com (gateway1.bhi-net.com [198.64.51.1]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id IAA05363 for ; Mon, 7 Jul 1997 08:39:03 -0700 (PDT) Received: from cencokiss01.centrilift.com ([172.19.2.241]) by bhi-net.com (5.x/SMI-SVR4) id AA02727; Mon, 7 Jul 1997 10:42:29 -0500 Received: by CENCOKISS01 with Internet Mail Service (5.0.1457.3) id ; Mon, 7 Jul 1997 10:41:05 -0500 Message-Id: <015C783097B4D01197334000500050020D71DE@CENCOKISS01> From: "Crawford, Jim E."
To: "'Firewalls@GreatCircle.COM'" Subject: FW1 example URI specification file needed Date: Mon, 7 Jul 1997 10:41:01 -0500 X-Priority: 3 Mime-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Can someone please email me a URI specification file example format that I can use as a base to import?

Thanks!
Jim Crawford
Technical Analyst, Paranet
Pager: (888)-509-9020

From owner-firewalls-outgoing Mon Jul 7 09:50:25 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA14347 for firewalls-outgoing; Mon, 7 Jul 1997 09:29:57 -0700 (PDT) Received: from mail1.noc.netcom.net (mail1.noc.netcom.net [204.31.1.150]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id JAA14337 for ; Mon, 7 Jul 1997 09:29:48 -0700 (PDT) Received: from cayman.gblhorizon.com ([206.86.247.28]) by mail1.noc.netcom.net (8.8.5/8.8.5) with SMTP id JAA26996 for ; Mon, 7 Jul 1997 09:27:48 -0700 (PDT) Received: by cayman.gblhorizon.com (SMI-8.6/SMI-SVR4) id JAA12899; Mon, 7 Jul 1997 09:33:17 -0700 Date: Mon, 7 Jul 1997 11:33:16 -0500 (CDT) From: Ken Jones To: firewalls@greatcircle.com Subject: Re: need suggestion xntpd a security hole ??? In-Reply-To: <3.0.32.19970703163433.00ba9100@tgate.pdv.de> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thu, 3 Jul 1997, Dirk Nerling wrote:
> Hello all,
>
> I plan to update the time of our internal net from
> an Internet Time Server on a regular basis. Does
> anybody of you know something about the xntpd?
>
> Any intrusion listed? What do the experts suggest?
>

The only intrusions I've heard about are spoofed udp packets with incorrect time. Normally the xntp server will throw these packets out.

It's also fairly simple to buy a $500 or so GPS device and connect it to a machine with a serial cable. So there is no need to expose your net to ntp.
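An added example, not part of any message in this digest and not code from xntpd or from either poster. It puts two remarks from the xntpd thread side by side: Piete Brooks' point that a shared-secret MAC only proves the sender holds the key, so any client entitled to use the service can also produce a packet the server will accept, and Ken Jones' observation that the xntp server normally throws out packets carrying an implausible time. Assumptions: the MAC is HMAC-SHA256 rather than the keyed DES/MD5 digests xntpd used (the argument does not depend on the primitive), the packet layout is a constructed simplification, and the 1000-second panic bound and 0.5-second agreement window stand in for xntpd's real clock-filter logic.

```python
import hashlib
import hmac
import statistics
import struct

# Constructed values: a key shared between the server and every client it
# authenticates, and the key identifier that names it inside the packet.
SHARED_KEY = b"constructed-shared-secret"
KEY_ID = 7
PANIC_THRESHOLD = 1000.0  # seconds; assumed sanity bound on a single offset
TOLERANCE = 0.5           # seconds; assumed agreement window among samples


def make_packet(key: bytes, key_id: int, transmit_ts: float) -> bytes:
    """Build a simplified NTP-like packet: an 8-byte header stub, the transmit
    timestamp as a big-endian double, then the key id and a MAC over the body.
    Anyone holding `key` can call this; that is the limitation being shown."""
    body = b"NTPv3---" + struct.pack("!d", transmit_ts)
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return body + struct.pack("!I", key_id) + mac


def verify_packet(key: bytes, key_id: int, pkt: bytes):
    """Return the transmit timestamp if the MAC verifies under `key`, else None.
    A good MAC proves the sender knew the key, not that the sender is the server."""
    if len(pkt) != 16 + 4 + 32:
        return None
    body, kid_bytes, mac = pkt[:16], pkt[16:20], pkt[20:]
    if struct.unpack("!I", kid_bytes)[0] != key_id:
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None
    return struct.unpack("!d", body[8:16])[0]


def filter_offsets(offsets, panic=PANIC_THRESHOLD, tolerance=TOLERANCE):
    """Second line of defence, independent of authentication: drop offsets
    beyond the panic bound, then drop samples that disagree with the median
    of the rest. One authenticated-but-wrong packet cannot move the clock."""
    sane = [o for o in offsets if abs(o) <= panic]
    if not sane:
        return []
    median = statistics.median(sane)
    return [o for o in sane if abs(o - median) <= tolerance]


def demo():
    """Constructed scenario: server and client share SHARED_KEY."""
    genuine = make_packet(SHARED_KEY, KEY_ID, 1000.0)
    # A client that legitimately holds the key can mint an equally valid
    # packet carrying any timestamp it likes (Brooks' objection).
    client_made = make_packet(SHARED_KEY, KEY_ID, 5e6)
    accepted = [verify_packet(SHARED_KEY, KEY_ID, p) for p in (genuine, client_made)]
    # Constructed offsets from eight polls, one of them wildly wrong.
    offsets = [0.01, 0.02, -0.01, 5e6, 0.015, 0.012, -0.005, 0.008]
    return {"accepted": accepted, "kept": filter_offsets(offsets)}


if __name__ == "__main__":
    print(demo())
```

The MAC check rejects tampered packets and packets made under any other key, but accepts the client-made packet with an absurd timestamp just as readily as the genuine one; only the offset filter keeps that sample from influencing the clock. A per-peer key, or a GPS reference as Ken Jones suggests, removes the problem rather than filtering it.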
Ken Jones

From owner-firewalls-outgoing Mon Jul 7 09:52:01 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA03243 for firewalls-outgoing; Mon, 7 Jul 1997 08:26:45 -0700 (PDT) Received: from weblock.tm.net.my (weblock.tm.net.my [202.188.0.180]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA03174 for ; Mon, 7 Jul 1997 08:26:25 -0700 (PDT) Received: from budweiser ([202.188.23.46]) by weblock.tm.net.my (Post.Office MTA v3.1 release PO203a ID# 581-39802U50000L50000S0) with SMTP id AAA25760; Mon, 7 Jul 1997 23:30:51 +0800 Message-ID: <33C1E1CD.452B@tm.net.my> Date: Mon, 07 Jul 1997 23:44:29 -0700 From: ping Reply-To: ping@tm.net.my Organization: The Network Connections X-Mailer: Mozilla 3.01 (WinNT; I) MIME-Version: 1.0 To: Chris Pressley CC: firewalls-digest@GreatCircle.COM Subject: Re: router on external net References: <3.0.1.32.19970703120351.006bf660@postoffice.tidalwave.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Chris Pressley wrote:
>
> Assume I setup a dual-homed firewall. My internal net connects to the
> internal interface on the firewall, and my external interface on the
> firewall connects to a T-1, then on to the ISP's router. The interface on
> my ISP's router is on the same network as my external interface. Two
> questions:
>
> 1. Do I need a router between my firewall external interface and my T-1 (I
> have to connect something to the CSU/DSU, right?).

If you can convert the signal from your CSU/DSU to whatever interface is at your firewall, then you don't need it coz the firewall machine can run routed.

>
> 2. Should I have a router between my firewall external interface and my
> T-1, given that my ISP's router is on the same network, for security reasons?

I would recommend a router; besides routing it should do some simple packet filtering before hitting the firewall.
> > Thanks, > Chris -- -------------------------------------------------------------- Ping Onn Cheng The Network Connections Network Consultant 41 Jalan USJ 10/1, Taipan Crest Tel : 03-7337757 Subang Jaya, Selangor http://www.asiapac.net/~ping Malaysia -------------------------------------------------------------- From owner-firewalls-outgoing Mon Jul 7 09:53:43 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA02825 for firewalls-outgoing; Mon, 7 Jul 1997 08:24:37 -0700 (PDT) Received: from gate.ct-net.de (gate.ct-net.de [195.4.230.3]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA02747 for ; Mon, 7 Jul 1997 08:24:16 -0700 (PDT) From: marc@sniff.ct-net.de Received: from service.ct-net.de (service.ct-net.de [195.4.230.4]) by gate.ct-net.de (8.8.5/8.8.5/cT-a) with ESMTP id PAA29266; Mon, 7 Jul 1997 15:27:55 GMT Received: (from uucp@localhost) by service.ct-net.de (8.8.5/8.8.5/cT-a) with UUCP id PAA18300; Mon, 7 Jul 1997 15:16:20 GMT Received: (from marc@localhost) by sniff.franken.de (8.8.5/8.8.5/mb-b) id PAA01680; Mon, 7 Jul 1997 15:21:17 GMT Message-Id: <199707071521.PAA01680@sniff.franken.de> Subject: Re: Two ISP's to one DMZ To: mhorn@funb.com (Mark Horn [ Net Ops ]) Date: Mon, 7 Jul 1997 15:21:17 +0000 (GMT) Cc: firewalls@greatcircle.com In-Reply-To: <19970707095116.62717@capmark.funb.com> from "Mark Horn [ Net Ops ]" at Jul 7, 97 09:51:16 am X-Mailer: ELM [version 2.4 PL24 ME8b] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Mark Horn asked: >Is BGP the only answer? We have several ISP's providing service to us. > [...] >One of the providers doesn't want to set up peering with us. Their claim >is that you can have redundant ISP's through other methods than setting up >BGP peering. When pressed, they've been conspicuously quiet about what >these other methods are. 
I guess there are reasons why you can't stop the contract with the unwilling provider. You say "several ISP's" ... more than two?

There are ways to set up redundancy, but not as perfect as the BGP solution. You can use several NIC assigned networks, one for each ISP. Getting out into the internet then is no problem, as long as you use proxies/caches or NAT (but I don't know any software doing what you need. Maybe you have to create your own scripts detecting the dead link and switching the proxy's address or the NAT table).

Your server needs several IP addresses and corresponding DNS entries. But because of the round-robin behaviour (at least BIND is doing so) 1/n of the access attempts will fail (n: number of your ISP's).

If you work with 3 or more ISP's, I would try the BGP solution with these n-1 ISP's, at least for the WWW/FTP server.

Regards, Marc
--
Marc Binderberger 97076 Wuerzburg, Germany marc@sniff.ct-net.de Powered by FreeBSD ;-)

From owner-firewalls-outgoing Mon Jul 7 10:41:44 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA06286 for firewalls-outgoing; Mon, 7 Jul 1997 08:44:20 -0700 (PDT) Received: from mail.sla.com (mail1.sla.com [207.153.168.35]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id IAA06254 for ; Mon, 7 Jul 1997 08:44:09 -0700 (PDT) Received: by mail1.sla.com with Internet Mail Service (5.0.1457.3) id <3B2FBJG6>; Mon, 7 Jul 1997 08:47:54 -0700 Message-ID: <31557D725263D011B53A0060974FB8DC028BB0@mail1.sla.com> From: "Stackpole, Bill" To: "'Chris Pressley'" , firewalls-digest@GreatCircle.COM Subject: RE: router on external net Date: Mon, 7 Jul 1997 08:47:53 -0700 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

There is usually a router placed here but it depends to some degree on your ISP. You could use an Ethernet to T1 bridge to connect to the CSU/DSU.
Or if you're using frame relay you could use a FRAD.

"Simplify - There is no value in complexity, it's too difficult to manage."
Bill Stackpole, CISSP Seitel Leeds & Associates Voice: 206.283.4355 2 Nickerson St. Suite 201 Email: bstackpole@sla.com Seattle, Wa 98109

> -----Original Message-----
> From: Chris Pressley [SMTP:chrisp@tidalwave.net]
> Sent: Thursday, July 03, 1997 9:04 AM
> To: firewalls-digest@GreatCircle.COM
> Subject: router on external net
>
> Assume I setup a dual-homed firewall. My internal net connects to the
> internal interface on the firewall, and my external interface on the
> firewall connects to a T-1, then on to the ISP's router. The interface on
> my ISP's router is on the same network as my external interface. Two
> questions:
>
> 1. Do I need a router between my firewall external interface and my T-1 (I
> have to connect something to the CSU/DSU, right?).
>
> 2. Should I have a router between my firewall external interface and my
> T-1, given that my ISP's router is on the same network, for security reasons?
> > Thanks, > Chris From owner-firewalls-outgoing Mon Jul 7 10:50:52 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA19056 for firewalls-outgoing; Mon, 7 Jul 1997 10:01:31 -0700 (PDT) Received: from home.partan.com (home.partan.com [198.6.255.236]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with SMTP id KAA19038 for ; Mon, 7 Jul 1997 10:01:23 -0700 (PDT) Received: (from asp@localhost) by home.partan.com (8.6.12/8.6.12) id NAA09186; Mon, 7 Jul 1997 13:04:22 -0400 From: Andrew Partan Message-Id: <199707071704.NAA09186@home.partan.com> Subject: Re: Two ISP's to one DMZ To: pferguso@cisco.com (Paul Ferguson) Date: Mon, 7 Jul 1997 13:04:22 -0400 (EDT) Cc: mhorn@funb.com, firewalls@GreatCircle.COM In-Reply-To: <3.0.3.32.19970707101502.006c9e94@lint.cisco.com> from "Paul Ferguson" at Jul 7, 97 10:15:02 am X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > >Is there another way to set up redundancy between two ISP's without doing > >BGP peering? > > No, not really. Dual homed NAT. 
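An added example, not part of any message in this digest and not code from either poster. It puts Marc Binderberger's scheme (one NIC-assigned block per ISP, the server numbered once in each, round-robin DNS handing out every address, so about 1/n of new connections fail while one of n links is down) next to Andrew Partan's one-line answer of dual-homed NAT. Assumptions: the ISP names, the RFC 5737 documentation addresses and the link states are constructed, and the link monitor stands in for the home-grown check Marc says you would have to script yourself.

```python
from typing import Dict, List

# Constructed: the same server, numbered once in each ISP's address block
# (documentation prefixes, not real allocations).
SERVER_ADDRS: Dict[str, str] = {
    "isp-a": "192.0.2.10",
    "isp-b": "198.51.100.10",
    "isp-c": "203.0.113.10",
}


def round_robin_failure_rate(link_up: Dict[str, bool], attempts: int) -> float:
    """Inbound view. BIND rotates the full address list on each answer, so
    clients are spread evenly over the n addresses; every client steered to
    a dead ISP's address fails to connect. Returns the failed fraction."""
    addrs = list(SERVER_ADDRS.items())
    failures = 0
    for i in range(attempts):
        isp, _addr = addrs[i % len(addrs)]
        if not link_up[isp]:
            failures += 1
    return failures / attempts


def expected_failure_rate(link_up: Dict[str, bool]) -> float:
    """Marc's 1/n figure for one dead link, generalised to dead/n."""
    dead = sum(1 for isp in SERVER_ADDRS if not link_up[isp])
    return dead / len(SERVER_ADDRS)


def healthy_answers(link_up: Dict[str, bool]) -> List[str]:
    """What a monitoring script would load into the zone to avoid the 1/n
    loss: only addresses whose uplink passed the last probe. Resolvers that
    already cached the old answer keep it until the record's TTL expires."""
    return [addr for isp, addr in SERVER_ADDRS.items() if link_up[isp]]


class DualHomedNat:
    """Outbound view (Partan's 'dual homed NAT'): internal hosts use private
    addresses and the gateway picks its NAT source address from a live uplink,
    so no BGP is needed for outgoing traffic. Sessions in flight when a link
    dies are lost, because the return path now points at a different address."""

    def __init__(self, link_up: Dict[str, bool]):
        self.link_up = dict(link_up)

    def record_probe(self, isp: str, up: bool) -> None:
        # Result of the periodic reachability check Marc describes scripting.
        self.link_up[isp] = up

    def egress_address(self) -> str:
        for isp, addr in SERVER_ADDRS.items():
            if self.link_up[isp]:
                return addr
        raise RuntimeError("all uplinks down")


def demo():
    """Constructed scenario: isp-b is down for inbound, isp-a fails a probe
    on the outbound gateway."""
    up = {"isp-a": True, "isp-b": False, "isp-c": True}
    nat = DualHomedNat({"isp-a": True, "isp-b": True, "isp-c": True})
    nat.record_probe("isp-a", False)
    return {
        "rr_failure": round_robin_failure_rate(up, 300),
        "expected": expected_failure_rate(up),
        "answers": healthy_answers(up),
        "egress": nat.egress_address(),
    }


if __name__ == "__main__":
    print(demo())
```

With one of three links down the round-robin loss comes out at exactly 1/3, matching Marc's 1/n. Pruning dead addresses from the zone only helps new resolvers; BGP avoids the DNS layer altogether, which is why both posters treat these as second-best.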
--asp@partan.com (Andrew Partan) From owner-firewalls-outgoing Mon Jul 7 11:02:14 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA19231 for firewalls-outgoing; Mon, 7 Jul 1997 10:02:36 -0700 (PDT) Received: from elsa.arz.oeaw.ac.at (elsa.arz.oeaw.ac.at [193.170.80.10]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA19164 for ; Mon, 7 Jul 1997 10:02:16 -0700 (PDT) Received: from localhost (meli@localhost) by elsa.arz.oeaw.ac.at (8.7.5/8.7.3) with SMTP id TAA46936; Mon, 7 Jul 1997 19:05:36 +0200 Date: Mon, 7 Jul 1997 19:05:36 +0200 (DFT) From: Melitta Kimbacher To: Matthew Frith cc: Firewalls@GreatCircle.COM, azari@hplb.hpl.hp.com, adc@hplb.hpl.hp.com Subject: Re: Routing with 2 checkpoint Firewalls In-Reply-To: <199707071404.PAA22474@mfrith.hpl.hp.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 7 Jul 1997, Matthew Frith wrote: [NON-Text Body part not included] ------------------------------------------------------------------------ Melitta Kimbacher Austrian Academy of Sciences Tel.: +43 1 515 81 363 Computer Center Fax: +43 1 515 81 379 Dr. Ignaz Seipel-Platz 2 E-Mail:Melitta.Kimbacher@oeaw.ac.at A-1010 Wien From owner-firewalls-outgoing Mon Jul 7 11:05:06 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA23256 for firewalls-outgoing; Mon, 7 Jul 1997 10:24:07 -0700 (PDT) Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by honor.greatcircle.com (8.8.5/Honor-970427-1) with ESMTP id KAA23243 for ; Mon, 7 Jul 1997 10:24:01 -0700 (PDT) Received: from march.diginsite.com (march.diginsite.com [208.2.189.102]) by mail.diginsite.com (8.8.5/8.8.3) with ESMTP id KAA09086; Mon, 7 Jul 1997 10:24:14 -0700 Message-Id: <199707071724.KAA09086@mail.diginsite.com> From: "David Lang" To: "Neil D. 
Quiogue" , Cc: Subject: Re: Calling the Horde Date: Mon, 7 Jul 1997 09:24:25 -0700 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Would you really trust them to report the problems, not just save the info for after you go live?

David Lang

----------
> From: Neil D. Quiogue
> To: hartmut.fehling@hamburg.netsurf.de
> Cc: Firewalls@GreatCircle.COM
> Subject: Re: Calling the Horde
> Date: Thursday, July 03, 1997 5:01 PM
>
> On Thu, 3 Jul 1997 hartmut.fehling@hamburg.netsurf.de wrote:
>
> > In order to make a really tough test before I actually connect the gateway
> > to our network, I could ask some people I know in the Underground to spread
> > the IP-Address, maybe the HW/SW-Configuration and perhaps even the
> > FW-1-Settings and invite the guys to try it out and break in (into the
> > empty network behind it).
> >
> > Question: Is this a wise thing to do / Has anybody "invited" Hackers in
> > such a fashion?
>
> Check the legalities of this 'breaking' session. There are companies
> which have security policies that do not allow this. And I think it is
> bad practice to do this since the information would cascade throughout the
> underground community.
>
> Why not try to do this yourself? In security parlance, do not trust
> anyone.
>
> [---]
> Neil D. Quiogue
> IPhil Communications Network, Inc.
> e-mail: neil@iphil.net
>

From owner-firewalls-outgoing Mon Jul 7 11:34:56 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA19264 for firewalls-outgoing; Mon, 7 Jul 1997 10:02:59 -0700 (PDT) Received: