From owner-firewalls-outgoing Mon Sep 1 00:30:18 1997
From: "Sizer, Kevin"
To: Inno Eroraha, nelsonah@heathergreens.net
Cc: firewalls@greatcircle.com
Subject: RE: credit card fraud
Date: Mon, 1 Sep 1997 09:20:20 +0200

Hi Inno,

Your point about credit card fraud not being a Nigerian specialty is valid. Although the criminal element from that part of the world does use every criminal 'trick of their trade', the tricks are mostly learnt from elsewhere. The role played by Nigerian criminals in South Africa, especially in the drug / fraud areas, has been a major one and a source of concern for our local policing authorities, but despite this high profile, I still believe that Nigeria itself has no larger or more active criminal syndicates than more 'developed' nations.
Regards,
Kevin Sizer

From owner-firewalls-outgoing Mon Sep 1 01:00:30 1997
From: cceballos
To: "'Firewall News'"
Subject: Translation modes in FW-1 2.1
Date: Mon, 1 Sep 1997 10:03:28 +0200

In FW-1 version 2.1, what exactly does the FWXT_DPORT_STATIC translation mode do? (It is not explained in the product manuals.)

Thanks,
Cristina

Cristina Ceballos
Dpto. Desarrollo Corporativo
Siemens Redes Corporativas
Tel.: +34 1 514 79 12
Fax: +34 1 514 79 62
mailto:cceballos@src.siemens.es

From owner-firewalls-outgoing Mon Sep 1 01:45:18 1997
From: Eric Vyncke
To: mje@intersec.com (Mike Endrizzi)
Subject: Re: VPNs and PPTP
Date: Mon, 01 Sep 1997 10:36:13 +0000

Sorry, cannot resist... I guess Mike's message was to be taken to the second degree with a great sense of humour, as mine should be as well. BTW, as a Cisco employee I clearly have a bias; as a Linux fan I also clearly have another bias :-)

At 21:06 30/08/97 -0500, Mike Endrizzi wrote:

> PPTP may not be the greatest technical, security and performance solution
> but:
>
> 1) free

As far as I know, the client is free but not the server; it runs only on NT Server, which is more expensive than NT Workstation.

> 2) integrates cleanly into MS environments (95% of the desktop, probably
> 99% of road warriors)

Right, but what if the last 1% is your CEO's Mac :-) or my Linux :-)...

> 4) no extra hardware

Which also means that the RRAS server (i.e. the end of the PPTP tunnel) is a performance bottleneck, especially when doing encryption.
> 6) transports IPX and native NETBEUI (broadcasts over the Internet, scary)
> 7) lower administrative costs (no key mgt, uses existing user database, no
> extra hardware, uses existing NT RAS administrative model)

This is also a weak point. By the way, the pure PPTP stuff does not deal with authentication/encryption: it is purely a PPP frame transport. Now, the MS implementation uses MS-CHAP (and thus the MS Windows NT SAM user database) and their RSA based encryption algorithm. The last part is mostly unknown to me and I do fear that the same symmetric encryption key is always used...

> 8) did I say free?

Yes :-)

> Oh yes it has negatives like:
>
> 1) weak authentication

See comment above, this is related to the MS implementation.

> 2) slower
> 3) bitch to install and figure out routing
> 4) GRE doesn't pass through all firewalls

Also, the control session must be specially monitored. AFAIK the firewall software must be aware of this protocol to open the right port.

> 5) precious little debug information
>
> But oh well.
>
> PPTP: Yet another Microsoft standard that sends IPSEC, etc.... back
> to the ivory towers.

Not so sure, Microsoft also participated in the IPsec interoperability trials for the automotive industry. So, I guess/hope that MS will not only be IPsec compliant but will also push IPsec.
Best regards

-eric

Eric Vyncke
Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke@cisco.com
Mobile: +32-75-312.458

From owner-firewalls-outgoing Mon Sep 1 02:00:19 1997
From: Zoltan.KINCZLI@Synergon.hu
To: firewalls@GreatCircle.COM
Subject: THANKS: data protection in the hard-drive
Date: Mon, 1 Sep 1997 10:52:26 +0200

Thanks to all who have replied. Soon I'll summarize the answers and post back to the list.

Regards,
Zoltan

From owner-firewalls-outgoing Mon Sep 1 03:00:26 1997
From: "Denis Koo N.C."
To: "'Firewalls@greatcircle.com'"
Date: Mon, 1 Sep 1997 17:50:59 +0800

Has anyone tried the secure remote client before? I need some advice on the configuration.

denis

From owner-firewalls-outgoing Mon Sep 1 03:30:09 1997
From: Ziv Dascalu
To: ö PaLaN ö, firewalls@GreatCircle.COM
Subject: Re: Attacks from Internal
Date: Mon, 1 Sep 97 13:37:23 +0200

> I noticed that most of you in this list are more concerned about protecting
> their network from external attacks. Some even talk about very comprehensive
> methods on designing the architectures and make customers spend lots of
> bucks. While others stick with the traditional architectures.

I agree with your observations and the concerns that you raise about protecting networks. It was why several of us put our heads together to design and build a viable solution that addresses the points that you raise.
The first point is that a comprehensive network protection solution should provide a single way to protect your users from both outside and inside abuses and intrusions.

The second point was that the solution should begin with an audit tool as a basic component. This audit tool provides the constant surveillance, reports, logs and statistics from which you can determine what needs to be done. These presentations need to be presented in a manner that you don't need a consultant to explain.

The third point is that you need a way to react to the discovery with the appropriate blocking, alert or action.

Additionally, the solution should be easy to install, affordable, and easy to use. The last thing anyone needs is an expensive, labor intensive, and skill intensive solution. So we switched the paradigm of traditional protection from locking the doors to putting an invisible screen around the network that requires no network reconfiguration or ongoing administration as the network changes. The invisible screen identifies who is going where, using what applications, independent of whether the users were using Windows 3.1, Windows 95, Macs, or Unix. Then we included a way of quickly adding rules which sent alerts, logged, and/or blocked inappropriate accesses.

Protecting the network is different from protecting the end-to-end communication. So our focus was to protect the network from intrusions and abuses and to provide a mechanism to block unauthorized access to servers. The various end-to-end authentication/verification/encryption schemes can be implemented in parallel to a comprehensive network protection solution.

Let me know if what I am saying is of interest to you.
Regards,
Ziv

/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
|               A B I R N E T    Active Network Protection               |
\~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/
/AbirNet provides the next generation in Internet and Intranet Protection\
| AbirNet provides Windows 95 & NT-based software that lets you know     |
| how your network is being used while protecting it from intrusions     |
| and abuse using no-network overhead, see-it-all filtering, blocking,   |
| alerting, logging, and scanning technologies.                          |
|                                                                        |
\========== Get an EVALUATION COPY at ===========/

From owner-firewalls-outgoing Mon Sep 1 04:15:21 1997
From: Bob Bryant
To: Firewalls@GreatCircle.COM
Subject: Firewall definitions
Date: Mon, 01 Sep 1997 07:08:36 -0400

Does anyone have a net address of a dictionary of firewall terms?

Thanks in advance.
Bob

From owner-firewalls-outgoing Mon Sep 1 05:31:06 1997
From: Arjo Mukherjee
To: stoustb@pios.com
Cc: firewalls@greatcircle.com
Subject: CLUSTERED FIREWALLS
Date: Mon, 01 Sep 1997 14:27:01 +0100

Hi,

In response to Bill's query:

"Anyone running clustered firewalls? I'm experimenting with Altavista FWs on TruClusters for UNIX. Dropping defcon level while TruCluster runs doesn't work. State is not maintained on failover. I'd like to compare notes."

Bill Stout

-------------------

Initially, my guess is it looks like the 'dfws' directory is not on the shared disks. Can you check to see if the complete firewall software is installed on the shared disks? By default, if I recall correctly, it installs in the /usr tree and this is usually on one of the system's internal disks.
Ciao,
Arjo

From owner-firewalls-outgoing Mon Sep 1 05:45:18 1997
From: Arjan Vos
To: Darren Reed
Cc: "Paul D. Robertson", frankw@in.net, firewalls@GreatCircle.COM
Subject: Re: Remote Firewall Penetration Testing
Date: Mon, 1 Sep 1997 14:19:25 +0200 (MET DST)

On Mon, 1 Sep 1997, Darren Reed wrote:

>
> What I like to arrange is to do testing on the firewall "unplugged" from
> the internal network so that there is minimal risk of "bad things"
> happening or getting through.
>
> When testing FW-1 setups, I also like to have a box on the "other side"
> which I control, so I can see what packets get through - not just what
> gets back.

That's a situation you could create when doing firewall evaluations as part of the firewall's building project. Before going live you need to test and audit it, so it's good to do that with the internal network disconnected. Also you can have your own machine "simulating" the internal network and see what got through the firewall. E.g., you can test packet filters that way with CAPE.

On the other hand, some companies want firewall testing without the administrators knowing that a test will occur, so for them it's a real attack. The advantage of this approach is that you can actually test whether control and administrative procedures, such as detection and escalation procedures, are in place and working.
And, of equal importance, you can test whether the technical detection/alerting/reporting measures within the firewall are indeed triggering the organisation. So you also test whether the technical measures taken are adequately supporting the organisation around firewall administration. I've seen many times that attacks have not been reacted upon, or have been logged but alerts didn't go off, or have been logged and alerts went off, but nobody reacted....

Gr.
Arjan

--
Eat hard
Sleep hard
Wear glasses if you need them

From owner-firewalls-outgoing Mon Sep 1 06:45:06 1997
From: Ziv Dascalu
To: Craig Haines
Subject: Re: Mailing List
Date: Mon, 1 Sep 97 16:32:35 +0200

--- On 29 Aug 1997 09:36:39 -0400 Craig Haines wrote:

> Pardon the interruption, but does anyone know of any mailing lists related to
> the Internet and/or Internet security that discuss less technical issues? I'm
> afraid this discussion is over my head!
>
> Many Thanks
>
> Craig

---------------End of Original Message-----------------

See the mailing list intranet-protection@birnet.com

/Ziv

From owner-firewalls-outgoing Mon Sep 1 07:30:10 1997
From: "Ayeva, Kamon"
To: "'Firewalls'"
Subject: Mailing list submission
Date: Mon, 1 Sep 1997 15:19:00 +0100

Computer Security - Firewall

From owner-firewalls-outgoing Mon Sep 1 19:15:27 1997
From: Mark Teicher
To: firewall@greatcircle.com
Cc: firewalls@greatcircle.com
Subject: Re: Checkpoint Firewall 1 licensing policy
Date: Mon, 01 Sep 1997 22:14:33 -0400

After reading through the Checkpoint Firewall-1 licensing policy, I am very confused on what they mean. Can someone on this list please explain what they exactly mean?

/mark

From owner-firewalls-outgoing Mon Sep 1 21:45:17 1997
From: "Aaron Everingham"
To: "rwm"
Subject: Re: Gauntlet Performance
Date: Sun, 31 Aug 1997 23:20:03 +1000

You wrote:

> I am reviewing an architecture where a TIS Gauntlet (version 3.2a) is
> employed in a rather significant packet filter role which I suspect it
> is not really designed for. The platform is a SPARC Ultra 170e. I am
> concerned that bandwidth degradation will be significant if I employ
> over 50 filter lines on "inside" and "outside" interfaces.
> snip
> Q2: Has anyone employed multiple Gauntlets in parallel with them
> running OSPF (gated) in an effort to increase performance? I am trying
> to determine that if a Gauntlet is overburdened with the processing
> associated with packet filtering a large number of packets, that the
> "network" will be aware of this and cause OSPF load balancing to occur.
> snip

I can't really answer the performance question, but might I suggest you look at the Cisco product that does load balancing. I looked into OSPF for GFW recently and the consensus view was that OSPF is tricky and slower than this Cisco device. I am not quite sure what it is called but you would find something on it on their web sites.

From owner-firewalls-outgoing Tue Sep 2 00:30:14 1997
From: Arjan Vos
To: firewalls@greatcircle.com
Subject: firewalls and IPv6
Date: Tue, 2 Sep 1997 09:24:25 +0200 (MET DST)

Hi all,

Maybe I'm a bit off-topic now; in that case I apologize...

I want to create some encrypted and authenticated tunnel over the Internet with IPv6. However, I still need to use packet filters for non-authenticated packets. The following problem arises: if an encryption extension header exists, it is not possible to know what's in the header of the transport layer protocol (e.g. TCP), so how should I create rules for non-authenticated, encrypted packets?
(The easy way out is to block them, but as I don't know in advance with whom the people behind the firewall will be communicating, I need to be flexible on that one...)

So, my question is: does anybody know of some firewall implementation (preferably based on Linux, or Solaris 2.5)? Or has anybody tried something similar, so I won't re-invent the wheel?

Thanks,
Gr.
Arjan

--
Eat hard
Sleep hard
Wear glasses if you need them

From owner-firewalls-outgoing Tue Sep 2 01:00:50 1997
From: CHRISTIAN_STAHL@HP-Denmark-om1.om.hp.com
To: Firewalls@GreatCircle.COM
Subject: Upgrading Raptor Eagle 3.1 to 4.0 on HP UNIX 10.20
Date: Tue, 2 Sep 97 09:54:02 +0200

Hello,

I'm going to upgrade a Raptor Eagle 3.1 to a 4.0 on an HP UNIX 10.20 system and I would like to hear whether there are any issues regarding keeping the current configuration.
If I can keep the current configuration (make an upgrade) instead of installing from scratch, the work would be much easier, but I have been told that the upgrade procedure is not just straightforward and that it's easier to make a new installation.

Any comment on that?

Hope to get a quick answer,

best regards
Christian Stahl
From owner-firewalls-outgoing Tue Sep 2 06:00:22 1997
From: Bertrum Carroll
To: Aaron Everingham
Cc: firewalls@GreatCircle.COM, rwm
Subject: Re: Gauntlet Performance
Date: Tue, 02 Sep 1997 07:52:22 -0500

Go to the CISCO Web page and search for a product called "Local Director".

Aaron Everingham wrote:

> You wrote:
>
> > I am reviewing an architecture where a TIS Gauntlet (version 3.2a) is
> > employed in a rather significant packet filter role which I suspect it
> > is not really designed for. The platform is a SPARC Ultra 170e. I am
> > concerned that bandwidth degradation will be significant if I employ
> > over 50 filter lines on "inside" and "outside" interfaces.
> > snip
> > Q2: Has anyone employed multiple Gauntlets in parallel with them
> > running OSPF (gated) in an effort to increase performance? I am trying
> > to determine that if a Gauntlet is overburdened with the processing
> > associated with packet filtering a large number of packets, that the
> > "network" will be aware of this and cause OSPF load balancing to occur.
> > snip
>
> I can't really answer the performance question, but might I suggest you look
> at the Cisco product that does load balancing. I looked into OSPF for GFW
> recently and the consensus view was that OSPF is tricky and slower than
> this Cisco device. I am not quite sure what it is called but you would find
> something on it on their web sites.

From owner-firewalls-outgoing Tue Sep 2 06:46:07 1997
From: "Rick Low"
To: br@ldl.net, Bill Stout
Cc: firewalls@GreatCircle.COM
Subject: Re: NetRanger
Date: Tue, 02 Sep 1997 09:37:12 -0400

At 19:00 29-08-97 -0400, BlackNet Runner wrote:

> Can anyone tell me where (url, phone number, ftp or the like) I can get
> NetRanger?
http://www.wheelgroup.com

------------------------------------------------------------------
Rick Low                              EWA-Canada Ltd.
Voice: +1 (613) 230-6067 Ext 239      Suite 1600 - 275 Slater Street
Fax: +1 (613) 230-4933                Ottawa, Ontario, Canada
E-mail: rlow@ewa-canada.com           K1P 5H9

From owner-firewalls-outgoing Tue Sep 2 07:16:50 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA06503 for firewalls-outgoing; Tue, 2 Sep 1997 07:05:41 -0700 (PDT)
Received: from watson.bcm.tmc.edu (BCM.TMC.EDU [128.249.2.1]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA06484 for ; Tue, 2 Sep 1997 07:05:32 -0700 (PDT)
Received: from tmh-exchange.tmh.tmc.edu (exchange.tmh.tmc.edu [128.249.193.16]) by watson.bcm.tmc.edu (8.7.6/8.6.6) with ESMTP id JAA17918 for ; Tue, 2 Sep 1997 09:11:11 -0500 (CDT)
Received: by exchange.tmh.tmc.edu with Internet Mail Service (5.0.1458.49) id ; Tue, 2 Sep 1997 09:11:00 -0500
Message-ID: <5147D82D2EEACF119E650001FA3702F7960BC2@exchange.tmh.tmc.edu>
From: "Gonzalez, David"
To: nelsonah@HeatherGreens.net, "'Inno Eroraha'"
Cc: nelsonah@HeatherGreens.net, firewalls@GreatCircle.COM
Subject: RE: credit card fraud
Date: Tue, 2 Sep 1997 09:10:57 -0500
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Both of you are going off on tangents now. Take it offline or outside in the alley.

> ----------
> From: Inno Eroraha[SMTP:eroraha@tis.com]
> Sent: Saturday, August 30, 1997 23:23
> To: nelsonah@HeatherGreens.net
> Cc: nelsonah@HeatherGreens.net; firewalls@GreatCircle.COM
> Subject: Re: credit card fraud
>
> Dear List subscribers:
>
> I apologize in advance for this rather off-the-subject reply to this
> message.
> I tried to maintain the tenet of this list but at the same time, I
> feel I must respond to a premature conclusion that one of our fellow
> subscribers has reached without plausible explanation.
>
> >lol,
> > Inno - I'm very sure the passion of your sense of righteous indignation
> >applies to any criticism of the democratic institutions pervading Nigeria,
> >including its popularly elected gov't. It does have a popularly elected
> >gov't, right? :)
> No, it doesn't and in fact I am a critic of the government than most people
> are. So what does the fact that it doesn't have a democratically elected
> government have to do with teaching crimes in schools? OK, the government
> isn't democratic, therefore, do all non-democratic governments abet criminal
> activities? Hmm, I am trying to go with your reasoning here...
>
> >
> >And of course, the ring busted in New York with all that merchandise being
> >shipped to Nigeria, purchased with stolen credit card numbers, was
> >probably just a fabrication. Darn that New York Times and Wall Street
> >Journal...
> >
> OK, it may not have been. But, does the action of a few imply that a whole
> COUNTRY is involved in that type of activity? If you can rashly come to such
> a conclusion, then you are not objectionable in your rationale.
>
> Sure the NY Times and The Wall Street Journal (of which I was a previous
> subscriber), are reputable newspapers, do you believe everything you read in
> these papers? I have no doubt at all that what the newspapers reported were
> untrue, but I do know for a fact that the Nigerian government cannot allow
> teaching of "credit card fraud" in public schools when almost all the entire
> residents have not even seen, heard of, or know of credit card, let alone
> teach it in its high schools.
>
> >I'll just have to get better sources from now on... like someone who has
> >roots there and visits regularly.
> >Gosh I feel so, well, unpolitically
> >correct now... I stereotyped.
> >
> You don't necessarily have to have roots there to reason. You were trying to
> fast-talk the entire firewall list subscribers to believing your claim. The
> sources that you have cited are probably credible in your opinion BUT you
> have failed to do one thing -- prove that your theory is true. You have
> merely misconstrued what the newspapers reported and have added your own
> spice to it inappropriately.
>
> The fact that the Nigerian government is corrupt and the fact that some
> Nigerians committed some credit card fraud is no way a yardstick for coming
> to a conclusion that "Nigeria who has made it a state sponsored activity and
> teaches the tricks of the trade in their high schools" according to you.
>
> Still, you haven't substantiated your syllogism. Therefore, your point is
> baseless.
>
> So, let me re-ask my previous question: What Nigerian school teaches people
> on credit card fraud when credit cards are not even used there?
>
> >On Sat, 30 Aug 1997, Inno Eroraha wrote:
> >
> >> At 03:52 PM 8/29/97 -0500, you wrote:
> >> >
> >> >This is off topic. Having said that...
> >> > (1) Anyone can phone, mail, input in a credit card and purchase. It
> >> >leaves a trail and that's what deters most (except Nigeria who has made it
> >> >a state sponsored activity and teaches the tricks of the trade in their
> >> >high schools. So the concern is valid.
> >> This is pure garbage! What evidence do you have regarding this? What
> >> Nigerian school teaches people on credit card fraud when credit cards are
> >> not even used there? Unless, you have seen this yourself (which I seriously
> >> doubt), I would consider your conception stereotypical. Oh I guess you can
> >> also say that the fact that armed robberies are committed in US, that US
> >> schools "teach the tricks" of armed robbery?
> >> Why would Nigerian government
> >> even bother when credit card is not even used there and more than 95% of the
> >> residents haven't even seen a credit card?
> >>
> >> FYI, I attended 12 years of schooling in Nigeria and visit there quite
> >> regularly. Further, I obtain news from there on quite frequently, and I have
> >> not heard of or seen schools where Criminal activities are being taught to
> >> students. Sure there are Criminal acts in every country, and sure there are
> >> criminal acts being committed in Nigeria, but not on credit card.
> >>
> >> So, please get your facts straight before spilling out your unsubstantiated
> >> nonsense. Perhaps your point would have been well taken if you had shun
> >> from an issue that you have no knowledge of.
> >>
> >> -0-
> >> inno
> >>
> >
> >
> >
>

From owner-firewalls-outgoing Tue Sep 2 08:11:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA08913 for firewalls-outgoing; Tue, 2 Sep 1997 07:36:51 -0700 (PDT)
Received: from mail.adinet.com.uy (mail.adinet.com.uy [206.99.44.245]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA08843 for ; Tue, 2 Sep 1997 07:36:33 -0700 (PDT)
Received: from asia (r44-105.adinet.com.uy [206.99.44.105]) by mail.adinet.com.uy with ESMTP (8.7.1/8.7.1) id LAA15260 for ; Tue, 2 Sep 1997 11:46:09 -0300 (SAT)
Message-Id: <199709021446.LAA15260@mail.adinet.com.uy>
From: "J.D."
To:
Subject: Best firewall choice
Date: Tue, 2 Sep 1997 11:39:10 -0300
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello!

I have an important customer connected to the Internet who needs a very secure solution. They work with NT 4.0 and all MS products.
Having read about MS Proxy 2.0, I see it now offers packet filtering and firewall security. What solution would you recommend, Proxy or other firewall for NT ?

Thanks for your help

Dan

From owner-firewalls-outgoing Tue Sep 2 11:28:00 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA29616 for firewalls-outgoing; Tue, 2 Sep 1997 10:56:56 -0700 (PDT)
Received: from melpomene.stj.gov.br (melpomene.stj.gov.br [200.18.200.25]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id KAA29553 for ; Tue, 2 Sep 1997 10:56:41 -0700 (PDT)
Received: from stj.gov.br (ares.olimpo [190.190.2.232]) by melpomene.stj.gov.br (8.8.3/8.8.3) with SMTP id OAA24009 for ; Tue, 2 Sep 1997 14:52:25 -0300 (EST)
Message-Id: <199709021752.OAA24009@melpomene.stj.gov.br>
Date: Tue, 02 Sep 1997 14:54 -0300
From: "Carlos Eduardo Miranda Zottman" <24279@hades01.stj.gov.br>
To: firewalls@greatcircle.com
Subject: VPNs and PPTP
X-Attachments: WINMAIL.DAT
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="SBNT%2205lt*0408rw%1805hl"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

--SBNT%2205lt*0408rw%1805hl
Content-Type: text/plain; charset=US-ASCII

Hello Everybody!

I would like to say thanks to everyone that answered my questions about VPNs and PPTP. The answers that I have received have helped me to get started on these issues. Thanks!
Carlos Zottmann
zottmann@stj.gov.br

--SBNT%2205lt*0408rw%1805hl
Content-Type: application/octet-stream; name="WINMAIL.DAT"
Content-Transfer-Encoding: base64
Content-Description: WINMAIL.DAT

--SBNT%2205lt*0408rw%1805hl--

From owner-firewalls-outgoing Tue Sep 2 12:13:11 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA03514 for
firewalls-outgoing; Tue, 2 Sep 1997 11:36:06 -0700 (PDT)
Received: from tango.lightech.com.ar (tango.lightech.com.ar [200.0.253.134]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id LAA03431 for ; Tue, 2 Sep 1997 11:35:35 -0700 (PDT)
Received: from lightech.com.ar (router2-p05.pccp.com.ar [200.0.253.37]) by tango.lightech.com.ar (8.6.8.1/SCA-6.6) with ESMTP id SAA17067; Tue, 2 Sep 1997 18:23:06 GMT
Message-ID: <340C07EA.F270855A@lightech.com.ar>
Date: Tue, 02 Sep 1997 15:34:54 +0300
From: Sergio Bollini
Reply-To: sbollini@lightech.com.ar
Organization: LighTech
X-Mailer: Mozilla 4.02 [en] (Win95; I)
MIME-Version: 1.0
To: "firewalls@GreatCircle.COM" , "Mailing List, Firewall-1"
Subject: SecuRemote 2.1a & Banyan
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms4734605F86D4F8F57AB72965"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is a cryptographically signed message in MIME format.

--------------ms4734605F86D4F8F57AB72965
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi all!

Do you know about any problem, incompatibility or such, between SecuRemote 2.1a and Banyan Vines (for Windows95 version 0 or a)? I had a machine which froze after the final reboot of the SecuRemote installation, another one worked for only one day then froze, and even another in which uninstalling SecuRemote wasn't enough and had also to uninstall TCP/IP. Does anybody know something about these problems?

TIA

--
Sergio E. Bollini            LighTech
Voice: (54-1) 373-1141       Ayacucho 563.
Piso 13 Dto "A"              FAX: (54-1) 373-1215
Buenos Aires                 e-mail: sbollini@lightech.com.ar
Argentina                    URL: http://www.lightech.com.ar

--------------ms4734605F86D4F8F57AB72965
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
--------------ms4734605F86D4F8F57AB72965--

From owner-firewalls-outgoing Tue Sep 2 13:46:05 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA13629 for firewalls-outgoing; Tue, 2 Sep 1997 12:47:37 -0700 (PDT)
Received: from matav.hu (firewall.matav.hu [145.236.253.230]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id MAA13551 for ; Tue, 2 Sep 1997 12:47:22 -0700 (PDT)
Received: from tiivs7.tii.matav.hu ([145.236.48.148]) by firewall.matav.hu with SMTP id <55627>; Tue, 2 Sep 1997 21:51:42 +0100
Received: from bunuel.tii.matav.hu by tiivs7.tii.matav.hu (MX V4.1 VAX) with SMTP; Tue, 02 Sep 1997 21:52:07 MET
Received: (qmail 12856 invoked by uid 1000); 2 Sep 1997 19:58:12 -0000
Date: Tue, 2 Sep 1997 20:58:12 +0100
From: "Magossa'nyi A'rpa'd"
To: "J.D."
CC: firewalls@GreatCircle.COM
Subject: Re: Best firewall choice
In-Reply-To: <199709021446.LAA15260@mail.adinet.com.uy>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-2
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 2 Sep 1997, J.D. wrote:
> Hello!
>
> I have an important customer connected to the Internet who needs a very
> secure solution.
> They work with NT 4.0 and all MS products. Having read about MS Proxy 2.0,
> I see it now offers packet
> filtering and firewall security.
> What solution would you recommend, Proxy or other firewall for NT ?

None. If you want a secure firewall, use a real OS or a blackbox type firewall. Microsoft and NT are notorious for neglecting security issues completely. My favourite firewall reseller gives Raptor for NT-headed people, but they also told me that they would never use anything on NT for their own firewall.
---
GNU GPL: only from a pure source

From owner-firewalls-outgoing Tue Sep 2 13:47:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA16010 for firewalls-outgoing; Tue, 2 Sep 1997 13:01:29 -0700 (PDT)
Received: from mail.SKANDIA.COM ([206.103.7.3]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id NAA15970 for ; Tue, 2 Sep 1997 13:01:13 -0700 (PDT)
Received: from exchange.7.103.206.in-addr.arpa (exchange.7.103.206.in-addr.arpa [206.103.7.4]) by mail.SKANDIA.COM (NTMail 3.02.12) with ESMTP id va126537 for ; Tue, 2 Sep 1997 16:06:39 -0400
Received: by afsusexch.skandia.com with Internet Mail Service (5.0.1458.49) id ; Tue, 2 Sep 1997 16:08:26 -0400
Message-ID: <0B5F0F554B1ED111B3DE00805FCB807408C604@AFSUSEX3>
From: "Battista, Gerry"
To: "'firewalls@greatcircle.com'"
Date: Tue, 2 Sep 1997 16:06:10 -0400
X-Priority: 3
X-MS-TNEF-Correlator: <0B5F0F554B1ED111B3DE00805FCB807408C604@AFSUSEX3>
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: multipart/mixed; boundary="---- =_NextPart_000_01BCB7BA.720B6240"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible.
------ =_NextPart_000_01BCB7BA.720B6240
Content-Type: text/plain

Remove

------ =_NextPart_000_01BCB7BA.720B6240
Content-Type: application/ms-tnef
Content-Transfer-Encoding: base64

------ =_NextPart_000_01BCB7BA.720B6240--

From owner-firewalls-outgoing Tue Sep 2 15:00:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA28667 for firewalls-outgoing; Tue, 2 Sep 1997 14:27:54 -0700 (PDT)
Received: from
sequille.maricopa.gov (sequille.maricopa.gov [156.42.4.6]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id OAA28620 for ; Tue, 2 Sep 1997 14:27:37 -0700 (PDT)
Received: from smtpgw.maricopa.gov by sequille.maricopa.gov (5.4R3.10/1.34) id AA10695; Tue, 2 Sep 1997 14:35:47 -0700
Received: from SUPCOURT-Message_Server by smtpgw.maricopa.gov with Novell_GroupWise; Tue, 02 Sep 1997 14:22:53 -0700
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Tue, 02 Sep 1997 14:35:29 -0700
From: Tom Gardner
To: firewalls@greatcircle.com
Subject: PA-RISC vs Intel FW-1 Server
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings,

I need some advice on sizing a machine to run FW-1. The Firewall will be used to protect our HP-UX Database servers from our corporate backbone. The number of connections will be approx. 2500 concurrent connections (SQLexec only. No HTTP or FTP). NAT will be used. ~85MB/s throughput is critical.

My preference is HP 9000 HP-UX PA-RISC, but a B, C or D series HP machine will put me over budget. I'm considering spec'ing an HP or Compaq Pentium Pro 266MHz 128MB 1GB / Solaris 2.6 with dual 100MB/s 3Com's. I would spec a dual processor but FW-1 is not multi-threaded(!?).

Here are my questions:

Q: Would I see any throughput increase with a dual processor Intel/Solaris 2.x/FW-1?
Q: If I load balance across two machines, how many Unlimited licenses do I need?
Q: Has anyone beta tested FW-1 3.x on Solaris 2.6 (How stable is Sol 2.5.1/FW-1)?
Q: How soon until FW-1 is multi-threaded?
Q: With respect to high availability, if I'm load balancing and CPU 'A' croaks will CPU 'B' stay up or be hopelessly confused?

The bottom line is, I need 85MB/s throughput on PA-RISC or Intel PP. I could buy a used HP 9000 but, what is the minimum class of HP I need. SPECint and SPECfp benchmarks won't help me determine overall throughput of a given machine/OS/FW. I know that the HP's are highly optimized (IE heavily cached, High speed internal busses etc...)
but would a $5000 PC with EDO and 512K Pipeline Burst cache outperform many HP's in this application?

Thanks, I appreciate any suggestions, URL's, or comments.

Thomas S. Gardner
Maricopa County Attorney's Office
Lead Telecommunications Analyst
"Unix" The Thinking Man's Operating System

From owner-firewalls-outgoing Tue Sep 2 15:30:19 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA06353 for firewalls-outgoing; Tue, 2 Sep 1997 15:17:25 -0700 (PDT)
Received: from wizard.infovia.com.gt (wizard.infovia.com.gt [168.234.135.11]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id PAA06313 for ; Tue, 2 Sep 1997 15:17:07 -0700 (PDT)
Received: (from flopez@localhost) by wizard.infovia.com.gt (8.8.6/8.6.9) id QAA10705 for firewalls@GreatCircle.com; Tue, 2 Sep 1997 16:17:46 -0500
From: Juan Francisco Lopez
Message-Id: <199709022117.QAA10705@wizard.infovia.com.gt>
Subject: SNMP security holes?!
To: firewalls@GreatCircle.com
Date: Tue, 2 Sep 1997 16:17:45 -0500 (CDT)
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello everyone!

Does any of you know of any security holes that are related to the use of SNMP? Can someone break into a network by using any SNMP based tool?

What are the recommended filters to put into the routers and/or servers in order to avoid any break-through? (using Cisco routers, Linux and NT servers) ...

TIA for any feedback...

Francisco
IIDS-Infovia
Guatemala, C.A.
From owner-firewalls-outgoing Tue Sep 2 17:00:11 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA17863 for firewalls-outgoing; Tue, 2 Sep 1997 16:56:24 -0700 (PDT)
Received: from alcove.wittsend.com (alcove.wittsend.com [130.205.0.20]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id QAA17828 for ; Tue, 2 Sep 1997 16:56:02 -0700 (PDT)
Received: (from mhw@localhost) by alcove.wittsend.com (8.8.7/8.8.7) id UAA02292; Tue, 2 Sep 1997 20:00:58 -0400
From: "Michael H. Warfield"
Message-Id: <199709030000.UAA02292@alcove.wittsend.com>
Subject: Re: SNMP security holes?!
In-Reply-To: <199709022117.QAA10705@wizard.infovia.com.gt> from Juan Francisco Lopez at "Sep 2, 97 04:17:45 pm"
To: flopez@wizard.infovia.com.gt (Juan Francisco Lopez)
Date: Tue, 2 Sep 1997 20:00:58 -0400 (EDT)
Cc: firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.4ME+ PL33 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Hello everyone!
> Does any of you know of any security holes that are related to the use
> of SNMP? Can someone break into a network by using any SNMP based tool?

S - Security
N - Not
M - My
P - Problem...

> What are the recommended filters to put into the routers and/or servers
> in order to avoid any break-through? (using Cisco routers, Linux and
> NT servers) ...

If you are using SNMP v1 make sure it is blocked from the Internet in general and are using reasonably obtuse community names. SNMP v2 at least has passwords... Sigh...

> TIA for any feedback...
> Francisco
> IIDS-Infovia
> Guatemala, C.A.

Mike
--
Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
(The Mad Wizard)       |  (770) 925-8248   |  http://www.wittsend.com/mhw/
NIC whois: MHW9        |  An optimist believes we live in the best of all
PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
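Turning the reply above into router terms, the following is an added Cisco IOS example (not from either poster) that shows the well-known SNMP v1 community setting beside a hardened one, and goes one step past the reply by also tying the community to a standard ACL. The interface name Serial0, the management host 192.0.2.10 and the community string are placeholders chosen for the example.

```cisco
! Weak, factory-style SNMP v1 configuration: the well-known community
! "public" answers any host that can reach UDP 161 on this router, and
! "private" lets that host write to the MIB. Shown only for contrast.
snmp-server community public RO
snmp-server community private RW

! Hardened equivalent. Assumptions (placeholders, not from the thread):
!   Serial0     = the interface facing the ISP / Internet
!   192.0.2.10  = the single inside management station allowed to poll
!   v1r0-k8s2x  = a reasonably obtuse read-only community name
!
! 1. Remove the well-known community names outright.
no snmp-server community public
no snmp-server community private
!
! 2. Standard ACL 10: only the management station may use the community;
!    log anything else so stray polls show up in syslog.
access-list 10 permit host 192.0.2.10
access-list 10 deny   any log
!
! 3. Bind the obscure community to that ACL, read-only. Configure no RW
!    community at all unless there is a hard requirement for one.
snmp-server community v1r0-k8s2x RO 10
!
! 4. Extended ACL 101 on the outside interface: drop SNMP (UDP 161) and
!    SNMP traps (UDP 162) arriving from the Internet before any other
!    inbound rule is evaluated, logging the hits.
access-list 101 deny   udp any any eq snmp log
access-list 101 deny   udp any any eq snmptrap log
access-list 101 permit ip any any
! (the permit-any line stands in for the site's existing inbound policy
!  so the fragment is self-contained; it is not a recommendation)
!
interface Serial0
 ip access-group 101 in
!
! 5. Where SNMP is not needed on the router at all, disable the agent:
! no snmp-server
```

After applying it, `show access-lists` should show the deny counters on ACL 10 and 101 climbing whenever anything other than the management station tries to poll.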
From owner-firewalls-outgoing Tue Sep 2 18:00:15 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA25832 for firewalls-outgoing; Tue, 2 Sep 1997 17:54:43 -0700 (PDT)
Received: from pluto (pluto.citadel.com.au [203.14.230.9]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id RAA25825 for ; Tue, 2 Sep 1997 17:54:37 -0700 (PDT)
Received: from Aaron.citadel.com.au ([203.23.80.13]) by pluto (8.7.6/8.7.3) with SMTP id LAA20240; Wed, 3 Sep 1997 11:00:17 +1000
Message-Id: <199709030100.LAA20240@pluto>
Reply-To: "Aaron Everingham"
X-Mailer: Microsoft Outlook Express 4.71.0544.0
From: "Aaron Everingham"
To: , "J.D."
Subject: Re: Best firewall choice
Date: Wed, 3 Sep 1997 10:59:01 +1000
X-Priority: 3
X-MSMail-Priority: Normal
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-MimeOLE: Produced By Microsoft MimeOLE Engine V4.71.0544.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I would recommend Gauntlet for NT as in its new incarnation it works with the MS proxy server

----
From: J.D.
To: firewalls@GreatCircle.COM
Date: Wednesday, September 03, 1997 2:13 AM
Subject: Best firewall choice

>Hello!
>
>I have an important customer connected to the Internet who needs a very
>secure solution.
>They work with NT 4.0 and all MS products. Having read about MS Proxy 2.0,
>I see it now offers packet
>filtering and firewall security.
>What solution would you recommend, Proxy or other firewall for NT ?
>
>Thanks for your help
>
>Dan
>

From owner-firewalls-outgoing Tue Sep 2 18:15:08 1997
Date: Tue, 2 Sep 1997 20:44:56 -0500
From: "Michael W. Chalkley"
Subject: Giant security hole in ISP provided routers?!?!?!
To: firewalls@GreatCircle.COM
References: <199709030000.UAA02292@alcove.wittsend.com>

Hello:

I was at a customer site today when I noticed that they had a USRobotics Sportster modem connected to the console port of their ISP provided Cisco router. When I asked why it was there, I was told the ISP required it for "out-of-band" management. I asked for the phone number of this modem and dialed it from my notebook. Once connected I received the standard:

Escape character is '^]'.

User Access Verification

Password:

Since I knew the password I tried it and was in.

How many ISP's out there are pulling this stunt? I could be a hacker dialing in on a daily basis or just be a pissed-off ex-employee of the ISP with revenge on my mind. Is this a standard practice?

Any comments?

Mike
--
20:44:56
09/02/97
_______________________________________________________________________
Michael W. Chalkley          Tel: +1.770.772.4567
ZapNet! Inc.
Fax: +1.770.475.7640
Suite 400-120                E-mail: mikech@iproute.com
10945 State Bridge Road              mikech@avana.net
Alpharetta, GA 30202         http://www.iproute.com

From owner-firewalls-outgoing Tue Sep 2 18:45:32 1997
Date: Tue, 2 Sep 1997 21:40:17 -0400 (EDT)
From: "Paul D. Robertson"
To: "Michael W. Chalkley"
cc: firewalls@GreatCircle.COM
Subject: Re: Giant security hole in ISP provided routers?!?!?!

On Tue, 2 Sep 1997, Michael W. Chalkley wrote:

> Hello:
>
> I was at a customer site today when I noticed that they had a USRobotics
> Sportster modem connected to the console port of their ISP provided Cisco
> router. When I asked why it was there, I was told the ISP required it for
> "out-of-band" management. I asked for the phone number of this modem and
> dialed it from my notebook. Once connected I received the standard:
>
> Escape character is '^]'.
>
>
> User Access Verification
>
> Password:
>
> Since I knew the password I tried it and was in.

Terminal passwords don't give you much on a Cisco. Without the enable password, the most you can do is get interface statistics and send a few pings.

> How many ISP's out there are pulling this stunt? I could be a hacker dialing

Probably a lot of them. At least yours had the sense to put passwords on it.

> in on a daily basis or just be a pissed-off ex-employee of the ISP with
> revenge on my mind. Is this a standard practice?
I always purchase my own routers, and specify local control in service contract negotiation. At the least, password change intervals should be specified in the service contract. If you can't trust them to hold the password, I'm not sure how you can trust them to transit your traffic.

None of this should be managed terribly differently than if you did it yourself, other than specifying it in the contracts, and your notification of personnel changes should you also hold the password(s).

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From owner-firewalls-outgoing Tue Sep 2 19:34:34 1997
Message-ID: <340CCC1F.2E88ED5@unifiedtech.com>
Date: Tue, 02 Sep 1997 22:31:59 -0400
From: Mike Jones
Organization: Unified Technologies, Inc.
To: Bertrum Carroll
CC: Aaron Everingham , firewalls@GreatCircle.COM, rwm
Subject: Re: Gauntlet Performance
References: <199709020436.OAA17119@pluto> <340C0C05.2DE9A8A1@90.deere.com>

Bertrum Carroll wrote:
> Go to the CISCO Web page and search for a product called "Local
> Director"

That's a nice box, but not a good general solution. For one thing, it only handles TCP-based protocols.
From owner-firewalls-outgoing Tue Sep 2 19:45:09 1997
Message-ID: <340CCB2F.41620166@unifiedtech.com>
Date: Tue, 02 Sep 1997 22:27:59 -0400
From: Mike Jones
Organization: Unified Technologies, Inc.
To: firewalls@GreatCircle.COM
Subject: Re: How many CPU's in your Firewall?
References: <3.0.2.32.19970828105933.0070c318@mail>

Peter Dieth wrote:
> At 13:40 27.08.97 EDT, you wrote:
> >On Sunday, August 24, 1997 at 4:18:20 pm EDT,
> >Media Connection wrote:
> >>Thanks to the help of everyone on this list, we
> >>are going to roll out a firewall with 3 NIC's
> >>running Solaris 2.5.1 and FW1.
> >>Is a machine with one CPU sufficient to handle
> >>this configuration? Does anyone have multiple CPU's
> >>running in their firewall?
> >It really depends on how much traffic you have, and how many different kinds
> >of it there are.
> From my point of understanding:
> o FW1 is a "packet-filtering" firewall that does most of the work
> in kernel mode, if you are not using the new proxies...eeehmmm...security
> servers.

True.

> o Application-level gateways do most of the work in user mode.

True.

> Because you need special "multi-thread" applications to gain
> the best performance with SMP boxes, a multi-cpu configuration
> may not bring a significant performance boost using the
> kernel mode packet filtering.

Aaaaahhh...not so true.
First of all, the Solaris kernel is multithreaded, which tends to boost the performance of just about everything on a multi-CPU machine.

Second, there will definitely be some advantage to a multi-CPU machine if you're using the proxies, since the kernel will be able to have a user mode process running on one CPU while the kernel is working on the other.

Third, there is some anecdotal evidence of actual observed performance improvement with 2 CPUs.

On the other hand, I have a customer who's running FW-1 on a 1-CPU Ultra 1, logging virtually everything, and seeing over 350,000 log entries/day and isn't seeing a lot of CPU load. At this point I don't believe you can saturate an Ultra 1-based FW-1 box without multiple fast ethernets. Ok, maybe with 8 or 9 ethernets, though I have another customer who's running one with 9 live interfaces and again isn't CPU-bound. He doesn't have a lot of traffic on some of the interfaces, though.

From owner-firewalls-outgoing Tue Sep 2 20:14:39 1997
Message-Id: <3.0.3.32.19970902223111.008199b0@lint.cisco.com>
Date: Tue, 02 Sep 1997 22:31:11 -0400
To: "Michael W. Chalkley"
From: Paul Ferguson
Subject: Re: Giant security hole in ISP provided routers?!?!?!
Cc: firewalls@GreatCircle.COM
References: <199709030000.UAA02292@alcove.wittsend.com>

If you use either TACACS or RADIUS, out-of-band access to the router can be controlled effectively. In fact, you can alternatively use a token-based smartcard mechanism.

Tell your customer to wise up. ;-)

- paul

At 08:44 PM 9/2/97 -0500, Michael W. Chalkley wrote:
>Hello:
>
>I was at a customer site today when I noticed that they had a USRobotics
>Sportster modem connected to the console port of their ISP provided Cisco
>router. When I asked why it was there, I was told the ISP required it for
>"out-of-band" management. I asked for the phone number of this modem and
>dialed it from my notebook. Once connected I received the standard:
>
>Escape character is '^]'.
>
>
>User Access Verification
>
>Password:
>
>Since I knew the password I tried it and was in.
>
>How many ISP's out there are pulling this stunt? I could be a hacker dialing
>in on a daily basis or just be a pissed-off ex-employee of the ISP with
>revenge on my mind. Is this a standard practice?
>
>Any comments?
>
>Mike
>--
>20:44:56
>09/02/97
>_______________________________________________________________________
>Michael W. Chalkley          Tel: +1.770.772.4567
>ZapNet! Inc.                 Fax: +1.770.475.7640
>Suite 400-120                E-mail: mikech@iproute.com
>10945 State Bridge Road              mikech@avana.net
>Alpharetta, GA 30202         http://www.iproute.com
>

--
Paul Ferguson                   ||        ||
Consulting Engineering          ||        ||
Herndon, Virginia USA          ||||      ||||
tel: +1.703.397.5938       ..:||||||:..:||||||:..
e-mail: ferguson@cisco.com   c i s c o  S y s t e m s

From owner-firewalls-outgoing Tue Sep 2 20:30:13 1997
Date: Tue, 2 Sep 1997 23:31:07 -0400 (EDT)
From: "Paul D. Robertson"
To: "Michael W. Chalkley"
cc: firewalls@GreatCircle.COM
Subject: Re: Giant security hole in ISP provided routers?!?!?!

On Tue, 2 Sep 1997, Michael W. Chalkley wrote:

>
> > specified in the service contract. If you can't trust them to hold the
> > password, I'm not sure how you can trust them to transit your traffic.
>
> I disagree with this statement. Lots of networks carry my traffic but none of
> them have my passwords (I hope). An ISP doesn't need the password to my router
> to carry my traffic effectively.

Within the context of having ISP managed routers, not without any context, which is why I specifically specify customer owned and managed CPE from the demark. If they can't manage passwords according to a contract, I certainly wouldn't trust them to provide transit according to a contract, and that was the predicate to which I was referring.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From owner-firewalls-outgoing Tue Sep 2 21:45:17 1997
From: Colin Campbell
Message-Id: <199709030431.OAA32030@guru.citec.qld.gov.au>
Subject: Re: How many CPU's in your Firewall?
To: mike.jones@unifiedtech.com (Mike Jones)
Date: Wed, 3 Sep 1997 14:31:49 +1000 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <340CCB2F.41620166@unifiedtech.com> from "Mike Jones" at Sep 2, 97 10:27:59 pm

My mailer thinks Mike Jones said:
>
> Peter Dieth wrote:
>
> > Because you need special "multi-thread" applications to gain
> > the best performance with SMP boxes, a multi-cpu configuration
> > may not bring a significant performance boost using the
> > kernel mode packet filtering.
>
> Aaaaahhh...not so true.
> First of all, the Solaris kernel is multithreaded, which tends to
> boost the performance of just about everything on a multiCPU machine.
> Second, there will definitely be some advantage to multi-CPU
> machine if you're using the proxies, since the kernel will be able
> to have a user mode process running on one CPU while the kernel
> is working on the other.
> Third, there is some anecdotal evidence of actual observed
> performance improvement with 2 CPUs.
>

But, I have information from a Sun (OZ) firewall guru that says FW-1 is not multi-threaded and so cannot take advantage of multiple CPUs. That is why they push the load-sharing state-sharing scenario.

Colin

From owner-firewalls-outgoing Tue Sep 2 22:15:55 1997
Date: Tue, 2 Sep 1997 22:52:10 -0500
From: "Michael W. Chalkley"
Subject: Re: Giant security hole in ISP provided routers?!?!?!
To: "Paul D. Robertson"
Cc: firewalls@GreatCircle.COM

------------------------
From: "Paul D. Robertson"
Subject: Re: Giant security hole in ISP provided routers?!?!?!
Date: Tue, 2 Sep 1997 21:40:17 -0400 (EDT)
To: "Michael W. Chalkley"
Cc: firewalls@GreatCircle.COM

> On Tue, 2 Sep 1997, Michael W. Chalkley wrote:
>
> specified in the service contract. If you can't trust them to hold the
> password, I'm not sure how you can trust them to transit your traffic.

I disagree with this statement. Lots of networks carry my traffic but none of them have my passwords (I hope).
An ISP doesn't need the password to my router to carry my traffic effectively.

> None of this should be managed terribly differently than if you did it
> yourself, other than specifying it in the contracts, and your
> notification of personnel changes should you also hold the password(s).
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> proberts@clark.net      which may have no basis whatsoever in fact."
> PSB#9280
>
> ---------------End of Original Message-----------------

Personally, I feel that there should be an additional layer of security such as callback or one time passwords/tokens with this type of setup.

Just my $0.02.

Mike
--
22:52:11
09/02/97
_______________________________________________________________________
Michael W. Chalkley          Tel: +1.770.772.4567
ZapNet! Inc.                 Fax: +1.770.475.7640
Suite 400-120                E-mail: mikech@iproute.com
10945 State Bridge Road              mikech@avana.net
Alpharetta, GA 30202         http://www.iproute.com

From owner-firewalls-outgoing Tue Sep 2 23:30:41 1997
Message-ID: <01BCB7F8.2F6DAAE0.jlz@isli.com>
From: Jian Zhen
To: "'Firewalls@GreatCircle.COM'"
Subject: Firewall configuration
Date: Tue, 2 Sep 1997 22:15:11 -0700
Hi

I was wondering what hardware platform is best to support a company with ~500 users. The firewall is Gauntlet 4.0. What I need to find out is the system architecture, CPU speed, memory size, etc. for the machine that's going to hold the firewall.

Any ideas?

Any input would be greatly appreciated.

Jian

From owner-firewalls-outgoing Wed Sep 3 01:45:49 1997
From: ArkanoiD
Message-Id: <203609030840.MAA14571@paranoid.convey.ru>
Subject: log connection attempts?
To: firewalls@greatcircle.com
Date: Wed, 3 Sep 136 12:40:07 +0400 (MSD)
Cc: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org

nuqneH,

Did anyone try to patch the kernel to log connection attempts for ports (tcp and maybe udp) where no program accepts connection? (2.1.7)

I _know_ i can do nearly the same with IP filtering/logging but i prefer another way..

--
 _ _ _ _ _ _ _                        {::} {::} {::}  CU in Hell
_| o |_ | | _|| | / _||_| |_ |_ |_    (##) (##) (##)  /Arkan#iD
|_ o _||_| _||_| / _| | o |_||_||_|   [||] [||] [||]  Do i believe in Bible? Hell,man,i've seen one!
From owner-firewalls-outgoing Wed Sep 3 02:00:23 1997
Date: Wed, 3 Sep 1997 10:25:10 +0200
From: jdgorin@icdc.caissedesdepots.fr (Jean-Denis GORIN)
Message-Id: <199709030825.KAA01121@fsdevelop0>
To: firewalls@greatcircle.com
Subject: Re: SNMP security holes?!

>
> Does any of you know of any security hole that are related to the use
> of SNMP? Can someone break into a network by using any SNMP based tool?
> What are the recommended filters to put into the routers and/or servers
> in order to avoid any break-through? (using Cisco routers, Linux and
> NT servers) ...
>

Look at Phrack #50 for some exploits of the SNMP security holes.
Phrack site is: http://www.phrack.com

Jean-Denis Gorin  jdgorin@icdc.caissedesdepots.fr | Informatique CDC | CMI
Tel : (+33) 0 140 49 34 69                        | 3, rue Lafayette
Fax : (+33) 0 142 85 06 10                        | 75009 PARIS FRANCE

From owner-firewalls-outgoing Wed Sep 3 03:28:18 1997
From: Juan Carlos Gomez
Message-Id: <3.0.32.19970903114002.00c27a18@pop.mad.servicom.es>
Date: Wed, 03 Sep 1997 11:40:03 +0100
To: Firewalls@GreatCircle.COM
Subject: log problem with FW-1 version 3.0a.p1

Hello,

I have a problem with FW-1 version 3: when I start "fwd" or the "log viewer", the error message that appears is:

"fwd: log_get: len is not a multiple of 4. rounding"

Therefore, the log viewer does not work very well. I have this problem in versions 3.0 and 3.0a.p1. Does anybody know the problem?

Thanks in advance.
_________________________________________________
Juan Carlos Gómez Castillo
___Servicom Madrid________________________________
Edificio TORONA, Avda.
de Europa, 24
28100 Madrid SPAIN
Phone:(+34 1) 6617902
Fax:(+34 1) 6614664
__________________________________________________

From owner-firewalls-outgoing Wed Sep 3 03:30:29 1997
From: Pio_Gaeta@europe.notes.pw.com
Message-Id: <199709031014.DAA00912@cactus.tc.pw.com>
To: firewalls@GreatCircle.COM
Date: Wed, 3 Sep 97 10:18:14 +0100
Subject: Anti-SPAM SENDMAIL

I heard about a new version of sendmail with anti-relay or anti-spamming options.

Is this a definitive solution to spamming or what?

Is there a version also for NT systems???

I would like to have your opinion.
TIA

Pio

----------------------------------------
Pio Gaeta
Information System Risk Management
Price Waterhouse
Rome - Italy
mailto: Pio_Gaeta@Europe.notes.PW.com

From owner-firewalls-outgoing Wed Sep 3 05:30:32 1997
To: ArkanoiD
cc: firewalls@greatcircle.com, freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: log connection attempts?
In-reply-to: Your message of "Wed, 03 Sep 0136 12:40:07 +0400." <203609030840.MAA14571@paranoid.convey.ru>
Date: Wed, 03 Sep 1997 11:52:29 +0200
Message-ID: <4926.873280349@critter.freebsd.dk>
From: Poul-Henning Kamp

In message <203609030840.MAA14571@paranoid.convey.ru>, ArkanoiD writes:
>nuqneH,
>
>Did anyone try to patch the kernel to log connection attempts for ports
>(tcp and maybe udp) where no program accepts connection? (2.1.7)

Set these two sysctl variables to non-zero:

net.inet.tcp.log_in_vain: 0
net.inet.udp.log_in_vain: 0

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
From owner-firewalls-outgoing Wed Sep 3 06:00:30 1997
Message-Id: <199709031251.FAA07158@honor.greatcircle.com>
Date: Wed, 3 Sep 1997 08:50:38 -0400
From: gary flynn
To: firewalls@GreatCircle.COM, owner-firewalls-outgoing@GreatCircle.COM
Subject: Re: SNMP security holes?!

> From: Juan Francisco Lopez
>
> Does any of you know of any security hole that are related to the use
> of SNMP? Can someone break into a network by using any SNMP based tool?
> What are the recommended filters to put into the routers and/or servers
> in order to avoid any break-through? (using Cisco routers, Linux and
> NT servers) ...

SNMP is used to manage devices. What you can do with it depends upon the functionality of the device's agent and MIB. Information in standard MIBs will allow you to get information about network topology and system architecture and processes. Vendor proprietary MIBs may allow you to do things like reconfigure and reboot routers. Hence, you don't want indiscriminate access.

Access is protected by a clear-text password called a community. SNMPv2 has stronger authentication features but few installed devices support it.

Try to configure SNMP manageable devices as follows:

a) Use non-standard community names.

b) Be aware of the clear text nature of the community names and act appropriately. Use encrypted tunnels, secure hubs, "secure wires", segmentation, or any other means at your disposal to decrease risk of compromise.

c) If possible, limit functionality to read-only.
d) Limit manageability to your management station's IP address.

e) Send authentication traps so you know when someone is tampering.

Obviously, if you want to manage a device via SNMP, you can't block it. It goes back to that risk analysis thing again...what's the risk of not managing the devices vs managing them :)

Gary Flynn
Network Analyst
James Madison University

From owner-firewalls-outgoing Wed Sep 3 07:00:27 1997
From: "Clark, Mike"
To: "'Firewalls@GreatCircle.COM'"
Subject: Dictionary Request
Date: Wed, 3 Sep 1997 08:48:57 -0500

>Does anyone have a net address of a dictionary of firewall terms? Thanks in
>advance.
>Bob

Try: http://www.rirr.cnuce.cnr.it/Glossario/glhpage.html

Mike

From owner-firewalls-outgoing Wed Sep 3 07:11:44 1997
From: dynamo@ime.net
Date: Wed, 3 Sep 1997 09:08:39 -0400 (EDT)
To: Pio_Gaeta@europe.notes.pw.com
cc: firewalls@GreatCircle.COM
Subject: Re: Anti-SPAM SENDMAIL
In-Reply-To: <199709031014.DAA00912@cactus.tc.pw.com>

Unless you want to deny all email whatsoever there's no definitive answer to spamming.

On Wed, 3 Sep 1997 Pio_Gaeta@europe.notes.pw.com wrote:

> I heard about a new version of sendmail with anti-relay or anti-spamming
> options.
>
> Is this a definitive solution to spamming or what?
>
> Is there a version also for NT systems???
>
> I would like to have your opinion.
>
> TIA
>
> Pio
>
>
> ----------------------------------------
> Pio Gaeta
> Information System Risk Management
> Price Waterhouse
> Rome - Italy
> mailto: Pio_Gaeta@Europe.notes.PW.com
>

From owner-firewalls-outgoing Wed Sep 3 07:33:44 1997
In-Reply-To: <01BCB7F8.2F6DAAE0.jlz@isli.com>
Date: Wed, 3 Sep 1997 11:02:46 +0100
To: Jian Zhen
From: Kevin Brown - NetComm
Subject: Re: Firewall configuration
Cc: "'Firewalls@GreatCircle.COM'"

Hi All,

Can people looking for advice state the bandwidth of the pipe that the firewall is attached to? 1000 users and a 64 kbit line means the line is the bottleneck, not the hardware. Most hardware is well capable of dealing with 10 Mbit/sec Ethernet in normal user terms, but how many people have T1 or E1 or higher pipes?

I have had 500 users on a 75 MHz Pentium with Linux, on a 64 kbit link. Again, in my experience the bottleneck is the link.

Anyone have any comments on this? Are there really high speed links going in out there?

Kevin

At 6:15 +0100 3/9/97, Jian Zhen wrote:
>Hi
>
>I was wondering what hardware platform is best to support a company with
>~500 users. The firewall is gauntlet 4.0. What I need to find out is the
>system architecture, CPU speed, memory size, etc for the machine that's
>going to hold the firewall.
>
>Any ideas?
> >any input would be greatly appreciated
>
>Jian

//////////////////////////////////////////////////////////// | N \ We operate in Ireland, UK | e / and the Middle East Internet Training, | t \ --DUBAI-- Consultancy and Networking | C / Voice: +971-4-491476 | o \ Fax: +971-4-492957 Sun Microsystems | m / --UK-- Internet Associate | m \ Voice: +44-467-365419 | / Fax: +44-1276-35197 The Internet | \ kevinbr@netcomm.ie Experts | / info@netcomm.ie | \ http://www.netcomm.ie \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

From owner-firewalls-outgoing Wed Sep 3 07:54:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA11214 for firewalls-outgoing; Wed, 3 Sep 1997 06:16:31 -0700 (PDT) Received: from scifi.squawk.com (scifi.squawk.com [199.74.151.1]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA11160 for ; Wed, 3 Sep 1997 06:16:16 -0700 (PDT) Received: from localhost (njs@localhost) by scifi.squawk.com (8.8.5/8.8.5) with SMTP id JAA30481; Wed, 3 Sep 1997 09:21:59 -0400 Date: Wed, 3 Sep 1997 09:21:59 -0400 (EDT) From: Nick Simicich X-Sender: njs@scifi To: "Michael W. Chalkley" cc: firewalls@GreatCircle.COM Subject: Re: Giant security hole in ISP provided routers?!?!?! In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Tue, 2 Sep 1997, Michael W. Chalkley wrote:

> Hello:
>
> I was at a customer site today when I noticed that they had a USRobotics
> Sportster modem connected to the console port of their ISP provided Cisco
> router. When I asked why it was there, I was told the ISP required it for
> "out-of-band" management. I asked for the phone number of this modem and
> dialed it from my notebook. Once connected I received the standard:
>
> Escape character is '^]'.
>
>
> User Access Verification
>
> Password:
>
> Since I knew the password I tried it and was in.
>
> How many ISP's out there are pulling this stunt? I could be a hacker dialing
> in on a daily basis or just be a pissed-off ex-employee of the ISP with
> revenge on my mind. Is this a standard practice?

There are a lot of them. This is bad practice, in my opinion, and also majority practice.

If this is a manned location, the ISP can call the operators and ask them to connect the modem if they need it. And every use of the modem should be coordinated with on-site people. Remote areas are harder, but there are devices that positively authenticate modem connections, such that the hacker can't get past the modem, or will never get the answer tone.

The real question is, "Is this a secure area?" If, in fact, the router is an internet router, and is not providing filtering, then it matters little. It can be a denial of service, but it can't affect security, since anything going over the internet is insecure. If, on the other hand, this router is providing filtering, or is maintaining virtual circuits on a semi-private network, then the practice is indefensible from the security standpoint.

Some lessening of the risk is provided by the use of such things as TACACS+ for authentication. In that case, the internal passwords are only used when the router loses connectivity to the TACACS+ server (at least for Ciscos). But, eventually, the reason that this sort of thing is done is cost.

That which does not kill us, makes us stronger. That which does kill us makes us smell stronger, after a few days, anyway.

Nick Simicich mailto:njs@scifi.squawk.com or (last choice) mailto:njs@us.ibm.com http://scifi.squawk.com/njs.html -- Stop by and Light Up The World!
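Nick's TACACS+ point in configuration form, as an added example that is not from the thread, from the ISP in question, or from any vendor document: an IOS-style AAA setup for the console and AUX (modem) lines that sends every login to the TACACS+ server first and consults the router's local user database only when no server can be reached, which is the "internal passwords are only used when the router loses connectivity" behaviour he describes. The syntax follows the later `group tacacs+` form of the AAA commands and `username ... secret` (IOS 12.3 or later is assumed); the server address 192.0.2.10, the user name and the REPLACE-WITH placeholders are constructed values.

```cisco
! Added example (not from the list thread): hardening the console and the
! dial-in AUX line of a managed router with TACACS+ plus local fallback.
! Server address, user name and secrets are constructed placeholders.
service password-encryption
aaa new-model
!
! Login: ask the TACACS+ server first.  "local" is used only when the
! server does not answer, NOT when the server rejects the credentials.
aaa authentication login default group tacacs+ local
! Enable mode: same order, falling back to the enable secret.
aaa authentication enable default group tacacs+ enable
! Record the start and end of every EXEC session (including modem logins
! on the AUX port) on the TACACS+ server, so each out-of-band session
! can be matched against the coordination with on-site staff.
aaa accounting exec default start-stop group tacacs+
!
tacacs-server host 192.0.2.10
tacacs-server key REPLACE-WITH-SHARED-SECRET
!
! Local account used only while the TACACS+ server is unreachable.
username oob-admin secret REPLACE-WITH-LOCAL-FALLBACK-PASSWORD
enable secret REPLACE-WITH-ENABLE-SECRET
!
line con 0
 login authentication default
 exec-timeout 5 0
line aux 0
 login authentication default
 exec-timeout 5 0
```

Between coordinated maintenance windows the AUX line can be closed altogether with `no exec` under `line aux 0` and re-enabled with `exec` when the ISP has called ahead; with the configuration above the TACACS+ accounting log is the record the on-site operators check against those calls.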
From owner-firewalls-outgoing Wed Sep 3 08:51:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA13975 for firewalls-outgoing; Wed, 3 Sep 1997 06:31:42 -0700 (PDT) Received: from pafb.af.mil (mail.pafb.af.mil [131.25.253.22]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA13943 for ; Wed, 3 Sep 1997 06:31:31 -0700 (PDT) Received: from jtfcom.js-jtf.af.mil (js-jtf.af.mil [131.25.50.17]) by pafb.af.mil (8.8.0/8.7.3) with SMTP id JAA11122 for ; Wed, 3 Sep 1997 09:37:26 -0400 (EDT) Received: by jtfcom.js-jtf.af.mil with Microsoft Exchange (IMC 4.0.837.3) id <01BCB84C.938F0420@jtfcom.js-jtf.af.mil>; Wed, 3 Sep 1997 09:34:29 -0400 Message-ID: From: "Engasser, Charlie" To: "'Juan Carlos Gomez'" , "'Firewalls@GreatCircle.COM'" Subject: RE: log problem with FW-1 version 3.0a.p1 Date: Wed, 3 Sep 1997 09:34:26 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I am having a problem with the log: when I make a major change to the firewall config, it will stop displaying relevant capture information. It still logs everything, because if I reboot, and restart the log, everything is still there, but sometimes it just stops showing it.

Otherwise I have few complaints. One of the things I've heard a lot of people say about FW-1 is the ease of use on the interface. I have not looked at the UNIX versions, but there are some things on the NT version that are seriously lacking.

1: The policies editor does not save its window sizes and location after exiting, thus I must redo it every time I log in.

2: There are no rules templates (or at least if there is, I have not figured out a way to do it). For instance, I want all my rules to install on a specific box, or at a specific time.
3: There is no way to restore a rulesbase from an alternate source, nor is there a way to save it. Thus there is no way to back the system up, without using a tape drive. It takes just as long to rebuild NT and restore FW-1 from tape as it does to re-install FW-1 from scratch. There should be a feature to allow you to save and restore the policy from another source within the editor.

4: An auto-discover feature would be nifty. Once you identify the internal networks, FW-1 should be able to go out and use SNMP to autodiscover your network like Openview or Polycenter can. As it identifies systems, you should be able to use the object manager to put in the specifics as you go. Failing that, the Object manager should not require me to redo all the steps to add a new object (the add object screen should clear itself and stay open).

If there is a Checkpoint Rep out there listening I'd love to hear what they have to say about this.

There are others but then again, I started on Borderware, of which I could write pages about also. The main difference between Firewall-1 and the other 3-4 firewalls that I've used, is that FW-1 actually appears to do what I want from the filtering angle, whereas other packages either would not, or others, simply did not work period, even with Techsupport on the phone.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Charles Engasser, Network Engineer
Joint STARS, Joint Test Force.
1500 Nasa Blvd, Melbourne Florida. 32904
(407)726-7048
engasser@js-jtf.af.mil
----------------------------------------------------------------------------------------
Ethernet (n): something used to catch the etherbunny
----------------------------------------------------------------------------------------
IPv6 will offer 128 bits of address space giving users at least 1,564 IP addresses per square yard of the earth's surface. - Network Computing, 7/1/97.
----------------------------------------------------------------------------------------

>-----Original Message-----
>From: Juan Carlos Gomez [SMTP:jcgomez@mad.servicom.es]
>Sent: Wednesday, September 03, 1997 6:40 AM
>To: Firewalls@GreatCircle.COM
>Subject: log problem with FW-1 version 3.0a.p1
>
>Hello,
> I have a problem with FW-1 version 3: when I start "fwd" or the "log
>viewer", the error message that appears is:
>
>"fwd: log_get: len is not a multiple of 4. rounding"
>
>therefore, the log viewer does not work very well.
>
>I have this problem in versions 3.0 and 3.0a.p1
>
>Does anybody know the problem?
>
>Thanks in advance.
>_________________________________________________
> Juan Carlos Gómez Castillo
>___Servicom Madrid________________________________
> Edificio TORONA, Avda. de Europa, 24
> 28100 Madrid SPAIN
> Phone:(+34 1) 6617902 Fax:(+34 1) 6614664
>__________________________________________________

From owner-firewalls-outgoing Wed Sep 3 09:41:35 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA14397 for firewalls-outgoing; Wed, 3 Sep 1997 06:34:18 -0700 (PDT) Received: from alcove.wittsend.com (alcove.wittsend.com [130.205.0.20]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA14254 for ; Wed, 3 Sep 1997 06:33:45 -0700 (PDT) Received: (from mhw@localhost) by alcove.wittsend.com (8.8.7/8.8.7) id JAA05734; Wed, 3 Sep 1997 09:39:04 -0400 From: "Michael H. Warfield" Message-Id: <199709031339.JAA05734@alcove.wittsend.com> Subject: Re: Anti-SPAM SENDMAIL In-Reply-To: <199709031014.DAA00912@cactus.tc.pw.com> from "Pio_Gaeta@europe.notes.pw.com" at "Sep 3, 97 10:18:14 am" To: Pio_Gaeta@europe.notes.pw.com Date: Wed, 3 Sep 1997 09:39:04 -0400 (EDT) Cc: firewalls@GreatCircle.COM X-Mailer: ELM [version 2.4ME+ PL33 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> I heard about a new version of sendmail with anti-relay or anti-spamming
> options.

Sendmail 8.8.x (last I looked 8.8.7) has some named rules some of which are invoked before transferring the message so you can check the mail "From" and the recipient "To" before transferring the message. That way you can do several very NICE things to spammers...

1) You can block forwarding. If the message is not to or from an allowed system, you don't permit forwarding to other systems.

2) You can block specific spammers.

3) You can block entire hostile domains.

4) You can block systems which are reporting forged addresses or whose address can not be reverse resolved.

Many more numerous tricks to eliminate some of the more popular spammer tricks of the trade.

You can also set your rejection error code to whatever you want. You can make it a "5xx" permanent error causing the sending system to immediately discard the mail or, if you are in a particularly foul mood, you can set it to a "4xx" temporary error causing it to pile up in the spool system of the sender until it eventually times out (or he runs out of disk space when everybody does it). :-)

Check out http://www.sendmail.org for more information. You can also get the "Blacklist of Internet Advertisers" to help build your spammer files from: "http://www-math.uni-paderborn.de/~axel/BL/"

> Is this a definitive solution to spamming or what?

No. Just another tool.
It also requires some ongoing maintenance such as keeping your spammer files up to date. The spammers constantly try and work around it by changing tactics.

Of the four points above, I see #1 and #4 most important to me because it DOES prevent spammers from abusing my systems as hop point through which to spam others.

> Is there a version also for NT systems???

I believe this is rumored to be the case.

> I would like to have your opinion.

My opinion is that if you are trying this on NT then you better batten down the hatches. Unbind Netbios from tcp/ip, make sure, that if you are running a DNS server on it, you have the latest security patches, make double sure you are at 4.0 SP3 or better, and make sure port 135 is not reachable. Spammers are known to throw a few rocks at systems which implement anti-spamming techniques. Exposing an NT box to this could result in some unwelcome surprises (DNS down, Blue Screen of Death, Pegged performance meter - all known and mostly fixed bugs).

> TIA
> Pio
> ----------------------------------------
> Pio Gaeta
> Information System Risk Management
> Price Waterhouse
> Rome - Italy
> mailto: Pio_Gaeta@Europe.notes.PW.com

Mike

From owner-firewalls-outgoing Wed Sep 3 10:28:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA01152 for firewalls-outgoing; Wed, 3 Sep 1997 08:14:46 -0700 (PDT) Received: from ns.vaterlaus.ch (vaterlaus-gw.solnet.ch [194.235.60.47]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id IAA00885 for ; Wed, 3 Sep 1997 08:13:52 -0700 (PDT) Received: from host1.vaterlaus.ch ( [194.235.45.17] ) by ns.vaterlaus.ch (Hethmon Brothers Smtpd) ; Wed, 3 Sep 1997 17:18:11 CET-1CDT Message-Id: <199708031718.1151425.7@ns.vaterlaus.ch> Received: from host2.vaterlaus.ch by ns.vaterlaus.ch (Hethmon Brothers Pop3d) ; Wed, 3 Sep 1997 17:18:08 CET-1CDT From: "Peter Vaterlaus EDV-Systemberatung" To: "Firewalls@GreatCircle.COM" Cc: "J.D."
Date: Wed, 03 Sep 97 17:14:25 +0100 Reply-To: "Peter Vaterlaus EDV-Systemberatung" X-Mailer: Peter Vaterlaus's Registered PMMail 1.52 For OS/2 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Subject: Re: Best firewall choice Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Tue, 2 Sep 1997 21:46:29 -0700 (PDT), Firewalls-Digest wrote:

>Date: Tue, 2 Sep 1997 11:39:10 -0300
>From: "J.D."
>Subject: Best firewall choice
>
>Hello!
>
>I have an important customer connected to the Internet who needs a very
>secure solution.
>They work with NT 4.0 and all MS products. Having read about MS Proxy 2.0,
>I see it now offers packet
>filtering and firewall security.
>What solution would you recommend, Proxy or other firewall for NT ?

If your customer really needs a "very secure" solution, then they need an experienced consultant and not a product selection. The security you reach depends sometimes more on the product configuration and on the specific environment than on the product itself. The decision for the product can only be made by comparing your requirements with the product features and shortcomings.

Anyway, to create a "very secure" environment you usually use at least two screening routers and a proxy-firewall, preferably not based on NT. If "very secure" means banking, then there may be some additional barriers.
regards
Peter Vaterlaus

//------------------------------------------------------------
// Consulting and Security for Networks and Internet
// Peter Vaterlaus edv@vaterlaus.ch http://www.vaterlaus.ch/edv
// EDV-Systemberatung tel ++41 32 621 84 21
// Klosterplatz 6, Postfach fax ++41 32 621 84 25
// CH-4502 Solothurn
// Switzerland
//------------------------------------------------------------

From owner-firewalls-outgoing Wed Sep 3 10:29:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA12287 for firewalls-outgoing; Wed, 3 Sep 1997 09:11:58 -0700 (PDT) Received: from ns2.eds.com (ns2.eds.com [199.228.142.78]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id JAA12206 for ; Wed, 3 Sep 1997 09:11:31 -0700 (PDT) Received: from nnsp.eds.com (nnsp2.eds.com [199.228.143.130]) by ns2.eds.com (8.8.6/8.8.5) with ESMTP id MAA20505 for ; Wed, 3 Sep 1997 12:17:07 -0400 (EDT) Received: from geronimo.inm.eds.com (geronimo.inm.eds.com [148.94.38.71]) by nnsp.eds.com (8.8.5/8.8.5) with ESMTP id MAA29696 for ; Wed, 3 Sep 1997 12:17:07 -0400 (EDT) Received: from wiley.inm.eds.com (wiley [148.94.210.170]) by geronimo.inm.eds.com (8.7.5/8.7.3) with ESMTP id LAA14046 for ; Wed, 3 Sep 1997 11:17:51 -0500 (CDT) Message-ID: <340D8D96.46F5B9FE@inm.eds.com> Date: Wed, 03 Sep 1997 11:17:26 -0500 From: Sean Wiley Organization: EDS Internet X-Mailer: Mozilla 4.01 [en] (Win95; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: Legal liabilities in unsuccessful attack X-Priority: 3 (Normal) References: Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------msB508016FD38598E0C0846888" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

We have a facility where we host several customers' web sites.
If we recognize that someone is repeatedly, but unsuccessfully, trying to attack one of the sites, do we take on any legal liability by NOT pursuing the attacker and trying to shut them down? We have agreements with our customers about how and when we notify them that an attack has occurred and that is not really part of my question.

An analogy was drawn to a court case in Ohio somewhere in which a person had posted a sign stating "beware of biting dog". Of course, someone got bit and sued. The dog owner lost the case because he was aware of the biting dog and hadn't taken -enough- precautions whereas a lazy owner without the sign could have pleaded ignorance.

I have no idea as to the accuracy of that story and certainly believe we have an obligation to provide site security, but I'm developing a lot of concerns about what we do or don't do as part of our response.

Any pointers?

-- Sean Wiley swiley@inm.eds.com

[S/MIME Cryptographic Signature attachment smime.p7s omitted]
From owner-firewalls-outgoing Wed Sep 3 12:21:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA19285 for firewalls-outgoing; Wed, 3 Sep 1997 09:51:53 -0700 (PDT) Received: from pafb.af.mil (mail.pafb.af.mil [131.25.253.22]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id JAA19242 for ; Wed, 3 Sep 1997 09:51:39 -0700 (PDT) Received: from jtfcom.js-jtf.af.mil (js-jtf.af.mil [131.25.50.17]) by pafb.af.mil (8.8.0/8.7.3) with SMTP id MAA15979 for ; Wed, 3 Sep 1997 12:58:10 -0400 (EDT) Received: by jtfcom.js-jtf.af.mil with Microsoft Exchange (IMC 4.0.837.3) id <01BCB868.9AA05680@jtfcom.js-jtf.af.mil>; Wed, 3 Sep 1997 12:55:06 -0400 Message-ID: From: "Engasser, Charlie" To: "'Colin Campbell'" , "'mike.jones@unifiedtech.com'" Cc: "'firewalls@GreatCircle.COM'" Subject: RE: How many CPU's in your Firewall?
Date: Wed, 3 Sep 1997 12:55:05 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>>> Aaaaahhh...not so true.
>>> First of all, the Solaris kernel is multithreaded, which tends to
>>> boost the performance of just about everything on a multiCPU machine.
>>> Second, there will definitely be some advantage to multi-CPU
>>> machine if you're using the proxies, since the kernel will be able
>>> to have a user mode process running on one CPU while the kernel
>>> is working on the other.
>>> Third, there is some anecdotal evidence of actual observed
>>> performance improvement with 2 CPUs.
>>>
>>But, I have information from Sun (OZ) firewall guru that says FW-1
>>is not multi-threaded and so cannot take advantage of multiple CPUs.
>>That is why they push the load-sharing state-sharing scenario.
>
>Colin
>
>Even so, at the very minimum, a second processor would allow the system
>to offload OS tasks such as I/O and GUI to the second processor and
>should allow more cycles to be used by the firewall. Overall throughput
>may not be affected, but response time on the management console
>(assuming you do it all on the same box) should be smoother.
>
>Charlie Engasser...
From owner-firewalls-outgoing Wed Sep 3 12:26:49 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA18559 for firewalls-outgoing; Wed, 3 Sep 1997 09:48:10 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id JAA16307 for ; Wed, 3 Sep 1997 09:31:23 -0700 (PDT) Received: from mercury.Sun.COM by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id IAA28466; Wed, 3 Sep 1997 08:31:55 -0700 (PDT) Received: from Ebay.Sun.COM ([129.150.111.20]) by mercury.Sun.COM (SMI-8.6/mail.byaddr) with SMTP id IAA19684; Wed, 3 Sep 1997 08:36:45 -0700 Received: from althea.EBay.Sun.COM by Ebay.Sun.COM (SMI-8.6/SMI-5.3) id IAA29930; Wed, 3 Sep 1997 08:36:40 -0700 Received: from althea by althea.EBay.Sun.COM (SMI-8.6/SMI-SVR4) id IAA03326; Wed, 3 Sep 1997 08:34:16 -0700 Date: Wed, 3 Sep 1997 08:34:16 -0700 (PDT) From: Jerald Josephs Reply-To: Jerald Josephs Subject: Re: Firewalls-Digest V6 #420 To: Firewalls@GreatCircle.COM Cc: gardner@smtpgw.maricopa.gov Message-ID: MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Content-MD5: EfCkSJ9qXGElRcCbFwfJdg== X-Mailer: dtmail 1.1.0 CDE Version 1.1 SunOS 5.5.1 sun4u sparc Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

jj>
jj>Date: Tue, 02 Sep 1997 14:35:29 -0700
jj>From: Tom Gardner
jj>Subject: PA-RISC vs Intel FW-1 Server
jj>
jj>Greetings,
jj>
jj>I need some advice on sizing a machine to run FW-1. The Firewall will be used to
jj>protect our HP-UX Database servers from our corporate backbone. The number of
jj>connections will be approx. 2500 concurrent connections (SQLexec only. No HTTP or
jj>FTP). NAT will be used. ~85MB/s throughput is critical.
jj>
jj>My preference is Hp 9000 HP-UX PA-RISC, but a B,C or D series HP machine will put me over
jj>budget.
jj>
jj>I'm considering spec'ing a Hp or Compaq Pentium Pro 266MHZ 128MB 1GB / Solaris 2.6.
jj>with Dual 100MB/s 3Com's.
jj>I would spec a dual processor but FW-1 is not multi-threaded(!?).
jj>
jj>Here's my questions:
jj>
jj>Q: Would I see any throughput increase with a dual processor Intel/Solaris 2.x/FW-1 ?
jj>

Yes, it is possible that you will see a performance increase by adding a second CPU to firewall host.

jj>Q: If I load balance across two machines, how many Unlimited license's do I need ?
jj>

Load balancing, which really should be referred to as Connection Control (because it is provided by the "Connection Control Module" and is enabled through the license called "connect"), is available for any FireWall-1 3.0 product, whether it is a limited node or unlimited node product. Therefore, you do not need an unlimited license. In addition, if you did need an unlimited license (for some reason) you would only need one unlimited license.

jj>Q: Has anyone beta tested FW-1 3.x on Solaris 2.6 (How stable is Sol 2.5.1/Fw-1) ?
jj>

FW-1 3.0b code has been tested on Solaris 2.6 Sparc and we have been told that we will see a patch in a couple of weeks. We have also learned that 3.0b is not yet ready-for-prime-time on Solaris 2.6 Intel, but that it should not be far behind the patches for Sparc.

I run 3.0a.p1 on Solaris 2.5.1 on Sparc and Intel and find it stable, meaning that my application level daemons are not dying and my site remains protected. The X/Motif GUI interface, /etc/fw/bin/fwpolicy has problems and frequently seg faults while I mess around with my configuration, but this has no impact on security, just usability. I consider this minor and look forward to the release of 3.0b as a solution to this problem.

jj>Q: How soon until FW-1 be Multi-threaded ?
jj>

I understand that the reason that FW-1 is not multi-threaded is because it enables Checkpoint to maintain a single (or fewer) code-tree that is ported to multiple platforms. To change the code to make it multi-threaded would introduce a code management problem, if not nightmare.
Based upon what I have seen, Checkpoint is wise to not pursue this. If you need more throughput on a Sparc, consider using SunScreen SPF-200 or SunScreen EFS. Rumor has it that they are much faster on a Sparc than FireWall-1 is.

jj>Q With respect to high availability, if I'm load balancing and CPU 'A' croaks
jj>will CPU 'B' stay up or be hopelessly confused?
jj>

I don't think that this is relative to the application but how the OS is going to handle this failure. I think that it is up to the OS to empty the queue for CPU A and schedule those jobs for CPU B. I am no kernel wizard, but basic logic would create a model that is like a supermarket check-out line. If the cashier of the line that I am in croaks, do I stay in that line, or do I move over to a line that is still being served?

jj>The bottom line is, I need 85MB/s throughput on PA-RISC or Intel PP. I could buy a used HP 9000
jj>but, what is The minimum class of HP I need. Spec int and Spec fp benchmarks won't help
jj>me determine overall throughput of a given machine/OS/FW. I know that The HP's are
jj>highly optimized (IE heavily cached, High speed internal busses etc...) but would a
jj>$5000 PC with EDO and 512K Pipeline Burst cache outperform many Hp's in this application?
jj>

I honestly don't know, nor do I know how to compare a robust Intel platform to a relevant Sparc platform. I do believe, however, that I can build an Intel platform running Solaris 2.5.1 that will do very well. I am also under the impression that even if I equip my gateway with 100BaseT interfaces, I am not going to realize 100Mb performance, but a percentage of that. If I add FireWall-1, I do expect throughput to decrease, especially when I begin to utilize the additional features such as Connection Control, Content Security, User Authentication, and Encryption. FireWall-1 has a lot of nice features, but I sincerely question whether I would want to use them all at the same time.
jj>Thanks, I appreciate any suggestions, URL's, or comments.
jj>
jj>Thomas S. Gardner
jj>Maricopa County Attorney's Office
jj>Lead Telecommunications Analyst
jj>"Unix" The Thinking Man's Operating System
jj>
jj>

Jerald E. Josephs
Course Developer - Network Security
Sun Educational Services
Phone/VM: 408-276-0941
FAX: 408-276-1565
E-mail: jerald.josephs@EBay.Sun.COM

From owner-firewalls-outgoing Wed Sep 3 13:02:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA07762 for firewalls-outgoing; Wed, 3 Sep 1997 11:31:15 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id LAA07588 for ; Wed, 3 Sep 1997 11:30:19 -0700 (PDT) Received: from gte.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id KAA01175; Wed, 3 Sep 1997 10:55:36 -0700 (PDT) Received: from rhb1laptop.gte.com by gte.com (8.8.4/8.8.4) Date: Wed, 3 Sep 1997 13:58:43 -0400 (EDT) Message-Id: <199709031758.NAA15626@gte.com> X-Sender: rhb1@pophost.gte.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.COM From: bob bryant Subject: archives Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In response to one of the postings, the advice was to check the archives for past postings on the subject. Can someone tell me how this is done? I am looking for past postings on PPTP in particular.

Thanks in advance.
Bob

Bob Bryant
Member of Technical Staff of GTE Laboratories Incorporated
Secure Systems Department
phone: 617-466-2821
email: rbryant@gte.com
fax: 617-466-2838

From owner-firewalls-outgoing Wed Sep 3 13:17:05 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA22919 for firewalls-outgoing; Wed, 3 Sep 1997 10:17:22 -0700 (PDT) Received: from billybob.ins.gte.com (billybob.ins.gte.com [206.124.66.244]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id KAA22625 for ; Wed, 3 Sep 1997 10:15:51 -0700 (PDT) Received: from dfwtx03.ins.gte.com (dfwtx03.ins.gte.com [206.124.66.249]) by billybob.ins.gte.com (8.8.5/8.8.5) with ESMTP id MAA09431 for ; Wed, 3 Sep 1997 12:21:34 -0500 (CDT) Received: by dfwtx03.ins.gte.com with Internet Mail Service (5.0.1457.3) id ; Wed, 3 Sep 1997 12:21:15 -0500 Message-ID: <308F522E7AD2D0119353006097266E8682C212@dfwtx03.ins.gte.com> From: Gregg Earnhart To: "'firewalls@greatcircle.com'" Subject: NT qud Ethernet and Checkpoint Date: Wed, 3 Sep 1997 12:21:12 -0500 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Does anyone know of a Quad interface Ethernet card that plays well with Windows NT and Checkpoint Firewall? I have tried Matrox Shark-100 Multiport NIC+ cards and found that this does NOT work.

BTW. I would like to know of any FDDI solution for Windows NT as well.

glearnhart@ins.gte.com
Gregg Earnhart
Sr. Systems Engineer Security Services

From owner-firewalls-outgoing Wed Sep 3 13:26:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA05429 for firewalls-outgoing; Wed, 3 Sep 1997 11:18:54 -0700 (PDT) Received: from ha1.ntr.net (ha1.ntr.net [206.112.0.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id KAA00244 for ; Wed, 3 Sep 1997 10:52:37 -0700 (PDT) Received: (from sean@localhost) by ha1.ntr.net (NTR*NET 2.1.0) id NAA21899 for firewalls@greatcircle.com; Wed, 3 Sep 1997 13:58:19 -0400 (EDT) From: Sean McPherson Message-Id: <199709031758.NAA21899@ha1.ntr.net> Subject: Re: DNS "spoofing" simplified In-Reply-To: <19970903170841.06357@sequent.com> from Unicorn at "Sep 3, 97 05:08:41 pm" To: firewalls@greatcircle.com Date: Wed, 3 Sep 1997 13:58:18 -0400 (EDT) X-Mailer: ELM [version 2.4ME+ PL31H (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Hi Guys (F/M),
>
> --- On Sep 03, philbert apparently wrote --------------------------------------
>
> > Please do not email me asking where to get jizz. If you don't have
> > it I'm not going to give it to you. Also the return email in the script
> > does not have an MX *yet* so if you want to reach me I can be found on
> > irc efnet as philbert.
>
> jizz can be found at: http://rootshell.connectnet.com/jizz.c (among
> other sites)...
>
> --- and thus sprach: philbert -------------------------
>
> Ciao,
> Unicorn.
> --
> TimeWaster on http://www.IAEhv.nl/users/hvdl
> Hans "Unicorn" Van de Looy PGP: 64 07 5D 4C 3F 81 22 73 52 9D 87 08 51 AA 35 F0
> GSM: +31 653 261 368
> Youth is not a time in life, it's a State of Mind!
> ========

Actually, the correct URL is http://rootshell.connectnet.com/hacking/jizz.c

Just so nobody gets confused :)

--
Sean McPherson sean@ntr.net
Systems Administration NTR.Net Corporation
--
REALITY.SYS corrupted. Reboot universe? [Y n]

From owner-firewalls-outgoing Wed Sep 3 13:42:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA11370 for firewalls-outgoing; Wed, 3 Sep 1997 11:58:33 -0700 (PDT) Received: from davinci.sti.com.br (davinci.sti.com.br [200.240.11.251]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id LAA11362 for ; Wed, 3 Sep 1997 11:58:27 -0700 (PDT) Received: from [10.0.2.15] (eu.ansp.br [143.108.1.19]) by davinci.sti.com.br (8.8.6/8.8.5) with SMTP id QAA00856 for ; Wed, 3 Sep 1997 16:03:17 -0300 Message-ID: <340DB565.6C7D@sti.com.br> Date: Wed, 03 Sep 1997 16:07:17 -0300 From: Marlon Borba Organization: Tribunal Regional Federal X-Mailer: Mozilla 3.01 (Win95; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: Authsrv don't work. Help!! Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi, Firewalls gurus,

We are trying to build a TIS Firewall over Linux, according to the instructions in a HOWTO ("Firewall & Proxy Server Howto"), but, when we try to run authsrv, we get the message

bash: ./authsrv: No such file or directory

We are *sure* the PATH is correct, the authsrv executable is in the right directory (/usr/local/etc), the right permissions were assigned (755), the compilation worked with no errors and WE ARE ROOT! Please, can you shed some light on that?

Thank you,

Marlon Borba
Network Administrator
Sao Paulo, BRAZIL

From owner-firewalls-outgoing Wed Sep 3 15:13:30 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA22691 for firewalls-outgoing; Wed, 3 Sep 1997 13:02:51 -0700 (PDT) Received: from moat.cna.org (MOAT.CNA.ORG [192.189.236.1]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id NAA22663 for ; Wed, 3 Sep 1997 13:02:40 -0700 (PDT) Received: by moat.cna.org; id QAA22469; Wed, 3 Sep 1997 16:05:00 -0400 (EDT) Received: from milliways.cna.org(192.189.234.1) by moat.cna.org via smap (3.2) id xma022403; Wed, 3 Sep 97 16:04:38 -0400 Received: from ss04.cna.org by alpha7.cna.org with SMTP; Wed, 3 Sep 1997 16:06:43 -0400 Date: Wed, 3 Sep 1997 16:09:09 -0400 (EDT) From: John Cosimano To: firewalls@greatcircle.com Subject: Question for sendmail experts Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

We are running a Gauntlet V3.2 firewall and I am grappling with trying to get sendmail running properly for our setup, which is somewhat non-standard. Here's a brief outline of what I am facing.

Split DNS on the firewall
Internal domain, let's call it foobar.org
External domain, let's call it bing.foo.bar.com
Firewall is forwarding off to Novell GroupWise on the inside for mail processing.

The problem is I need to modify the /etc/sendmail.cf to rewrite outbound mail headers to change the return address from user@foobar.org to user@bing.foo.bar.com. I have added the following to ruleset S12, but have not had any luck:

#rewrite mail originating from the mailhub (call it ngw.foobar.org)
R$*<@ngw.foobar.org>$*        $@$1<@bing.foo.bar.com>$2
#rewrite mail from elsewhere in the domain
R$*<@.foobar.org>$*           $@$1<@bing.foo.bar.com>$2

I'm not sure why this doesn't work. If anyone has any suggestions, I'd appreciate hearing from you.
--
John Cosimano
Unix Systems Administrator
The CNA Corporation
Alexandria, VA USA
cosimanj@cna.org

From owner-firewalls-outgoing Wed Sep 3 15:32:53 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA17736 for firewalls-outgoing; Wed, 3 Sep 1997 12:37:47 -0700 (PDT) Received: from sla-nt2.sla.com (mail1.sla.com [207.153.168.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id MAA17696 for ; Wed, 3 Sep 1997 12:37:35 -0700 (PDT) Received: by mail1.sla.com with Internet Mail Service (5.0.1457.3) id ; Wed, 3 Sep 1997 12:43:17 -0700 Message-ID: From: "Stackpole, Bill" To: "'firewalls@greatcircle.com'" Subject: FW: SNMP security holes?! Date: Wed, 3 Sep 1997 12:43:15 -0700 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> -----Original Message-----
> From: Stackpole, Bill
> Sent: Wednesday, September 03, 1997 12:32 PM
> To: 'Juan Francisco Lopez'
> Subject: RE: SNMP security holes?!
>
> -----Original Message-----
> From: Juan Francisco Lopez [SMTP:flopez@wizard.infovia.com.gt]
> Sent: Tuesday, September 02, 1997 2:18 PM
> To: firewalls@GreatCircle.com
> Subject: SNMP security holes?!
>
> Hello everyone!
>
> Does any of you know of any security holes that are related to the use
> of SNMP?
>
> [Bill Stackpole] SNMP doesn't really have any security built into it. There are community strings that permit/deny access to the agent on a device but these are passed across the wire in plain text. You can use something that is difficult to guess and for sure change the defaults!
>
> Can someone break into a network by using any SNMP based tool?
>
> [Bill Stackpole] Yes, if the person knows the "write" community string they can alter just about anything on a device, including the security access lists. If I disable your security filter then I'm free to attack anything at your site.
>
> What are the recommended filters to put into the routers and/or servers in order to avoid any break-through?
>
> [Bill Stackpole] Don't enable SNMP on your security router. Filter out the SNMP ports for udp and tcp on the security router. Make the read/write community string obscure (i.e., try2guessthis1) and if your SNMP manager allows make them different for each device.
>
> TIA for any feedback...
>
> Francisco
> IIDS-Infovia
> Guatemala, C.A.

From owner-firewalls-outgoing Wed Sep 3 16:08:19 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA20205 for firewalls-outgoing; Wed, 3 Sep 1997 12:49:45 -0700 (PDT) Received: from sla-nt2.sla.com (mail1.sla.com [207.153.168.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id MAA20190 for ; Wed, 3 Sep 1997 12:49:39 -0700 (PDT) Received: by mail1.sla.com with Internet Mail Service (5.0.1457.3) id ; Wed, 3 Sep 1997 12:55:22 -0700 Message-ID: From: "Stackpole, Bill" To: "'Sean Wiley'" , Firewalls@GreatCircle.COM Subject: RE: Legal liabilities in unsuccessful attack Date: Wed, 3 Sep 1997 12:55:20 -0700 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

One of the ISPs I work with puts it in the contract that the owner of the server is responsible for the security. They don't monitor for attacks, but one of the server owners showed me his event log and it contained 40 pages of failed logins from people trying to hack into his system. I'm not a lawyer but I would encourage you to reaffirm with the server owners their responsibility for security. And if you have the time and can nail one of these hackers, more power to you.
> -----Original Message-----
> From: Sean Wiley [SMTP:swiley@inm.eds.com]
> Sent: Wednesday, September 03, 1997 9:17 AM
> To: Firewalls@GreatCircle.COM
> Subject: Legal liabilities in unsuccessful attack
>
> We have a facility where we host several customers' web sites. If we recognize that someone is repeatedly, but unsuccessfully, trying to attack one of the sites, do we take on any legal liability by NOT pursuing the attacker and trying to shut them down?
>
> We have agreements with our customers about how and when we notify them that an attack has occurred and that is not really part of my question.
>
> An analogy was drawn to a court case in Ohio somewhere in which a person had posted a sign stating "beware of biting dog". Of course, someone got bit and sued. The dog owner lost the case because he was aware of the biting dog and hadn't taken -enough- precautions whereas a lazy owner without the sign could have pleaded ignorance.
>
> I have no idea as to the accuracy of that story and certainly believe we have an obligation to provide site security, but I'm developing a lot of concerns about what we do or don't do as part of our response. Any pointers?
>
> --
> Sean Wiley
> swiley@inm.eds.com
> << File: S/MIME Cryptographic Signature >>

From owner-firewalls-outgoing Wed Sep 3 16:53:13 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA25235 for firewalls-outgoing; Wed, 3 Sep 1997 13:14:44 -0700 (PDT) Received: from newman (newman.unifiedtech.com [38.251.136.48]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id NAA25159 for ; Wed, 3 Sep 1997 13:14:24 -0700 (PDT) Received: from unifiedtech.com by newman (SMI-8.6/SMI-SVR4) id QAA10129; Wed, 3 Sep 1997 16:16:45 -0400 Message-ID: <340DC5BD.46F9E4AA@unifiedtech.com> Date: Wed, 03 Sep 1997 16:17:01 -0400 From: Mike Jones Organization: Unified Technologies, Inc. X-Mailer: Mozilla 4.02 [en] (X11; I; SunOS 5.5.1 sun4m) MIME-Version: 1.0 To: Colin Campbell CC: firewalls@GreatCircle.COM Subject: Re: How many CPU's in your Firewall? References: <199709030431.OAA32030@guru.citec.qld.gov.au> Content-Type: multipart/mixed; boundary="------------CC8EEA119C31D6DBBC1AAA6A" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a multi-part message in MIME format. --------------CC8EEA119C31D6DBBC1AAA6A Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit

Colin Campbell wrote:
> My mailer thinks Mike Jones said:
> > Peter Dieth wrote:
> > > Because you need special "multi-thread" applications to gain
> > > the best performance with SMP boxes, a multi-cpu configuration
> > > may not bring a significant performance boost using the
> > > kernel mode packet filtering.
> > Aaaaahhh...not so true.
> > First of all, the Solaris kernel is multithreaded, which tends to
> > boost the performance of just about everything on a multi-CPU machine.
> > Second, there will definitely be some advantage to a multi-CPU
> > machine if you're using the proxies, since the kernel will be able
> > to have a user mode process running on one CPU while the kernel
> > is working on the other.
> > Third, there is some anecdotal evidence of actual observed
> > performance improvement with 2 CPUs.
> But, I have information from Sun (OZ) firewall guru that says FW-1
> is not multi-threaded and so cannot take advantage of multiple CPUs.
> That is why they push the load-sharing state-sharing scenario.

It won't take as much advantage as if it were multithreaded, but it will have some advantage for the reasons I said above.
--------------CC8EEA119C31D6DBBC1AAA6A
Content-Type: text/x-vcard; charset=us-ascii; name="vcard.vcf"
Content-Transfer-Encoding: 7bit
Content-Description: Card for Mike Jones
Content-Disposition: attachment; filename="vcard.vcf"

begin: vcard
fn: Mike Jones
n: Jones;Mike
org: Unified Technologies
adr: ;;105 Jordan Road;Troy;NY;12180;US
email;internet: mike.jones@unifiedtech.com
title: Sr. Technology Advisor
tel;work: (518) 283-1003
tel;fax: (518) 283-1189
x-mozilla-cpt: ;0
x-mozilla-html: TRUE
end: vcard

--------------CC8EEA119C31D6DBBC1AAA6A--

From owner-firewalls-outgoing Wed Sep 3 17:02:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA17839 for firewalls-outgoing; Wed, 3 Sep 1997 12:38:20 -0700 (PDT) Received: from sla-nt2.sla.com (mail1.sla.com [207.153.168.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id MAA17821 for ; Wed, 3 Sep 1997 12:38:11 -0700 (PDT) Received: by mail1.sla.com with Internet Mail Service (5.0.1457.3) id ; Wed, 3 Sep 1997 12:43:53 -0700 Message-ID: From: "Stackpole, Bill" To: "'firewalls@greatcircle.com'" Subject: FW: Giant security hole in ISP provided routers?!?!?! Date: Wed, 3 Sep 1997 12:43:52 -0700 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> -----Original Message-----
> From: Stackpole, Bill
> Sent: Wednesday, September 03, 1997 12:42 PM
> To: 'Michael W. Chalkley'
> Subject: RE: Giant security hole in ISP provided routers?!?!?!
>
> It has been my experience (and I work with a lot of ISPs) that most of them are woefully lacking in security knowledge. So here's my suggestion. If your ISP needs out of band management, fine, but don't leave the modem plugged into the phone jack. Make them call and ask for access to your router, call back and verify the identity of the person requesting access and then plug the phone in. Have them call you back when they are done so you can unplug the phone. If they fail to call you back, unplug the phone, then call and complain to their boss.
>
> -----Original Message-----
> From: Michael W. Chalkley [SMTP:mikech@avana.net]
> Sent: Tuesday, September 02, 1997 6:45 PM
> To: firewalls@GreatCircle.COM
> Subject: Giant security hole in ISP provided routers?!?!?!
>
> Hello:
>
> I was at a customer site today when I noticed that they had a USRobotics Sportster modem connected to the console port of their ISP provided Cisco router. When I asked why it was there, I was told the ISP required it for "out-of-band" management. I asked for the phone number of this modem and dialed it from my notebook. Once connected I received the standard:
>
> Escape character is '^]'.
>
>
> User Access Verification
>
> Password:
>
> Since I knew the password I tried it and was in.
>
> How many ISP's out there are pulling this stunt? I could be a hacker dialing in on a daily basis or just be a pissed-off ex-employee of the ISP with revenge on my mind. Is this a standard practice?
>
> Any comments?
>
> Mike
> --
> 20:44:56
> 09/02/97
> _______________________________________________________________________
> Michael W. Chalkley Tel: +1.770.772.4567
> ZapNet! Inc.
> Fax: +1.770.475.7640
> Suite 400-120 E-mail: mikech@iproute.com
> 10945 State Bridge Road mikech@avana.net
> Alpharetta, GA 30202
> http://www.iproute.com

From owner-firewalls-outgoing Wed Sep 3 18:06:39 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA20233 for firewalls-outgoing; Wed, 3 Sep 1997 12:49:56 -0700 (PDT) Received: from diablo.intergate.bc.ca (diablo.intergate.bc.ca [207.34.179.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id MAA20204 for ; Wed, 3 Sep 1997 12:49:45 -0700 (PDT) Received: from seane (pm8s1.intergate.bc.ca [205.206.194.136]) by diablo.intergate.bc.ca (8.8.5/8.6.9) with ESMTP id NAA24643; Wed, 3 Sep 1997 13:34:05 -0700 (PDT) Message-ID: <340DC2BB.7EA6D31F@intergate.bc.ca> Date: Wed, 03 Sep 1997 13:04:12 -0700 From: Sean Elrington Reply-To: seane@choreo.ca Organization: Choreo Systems X-Mailer: Mozilla 4.01 [en] (Win95; I) MIME-Version: 1.0 To: Jian Zhen CC: "'Firewalls@GreatCircle.COM'" Subject: Re: Firewall configuration X-Priority: 3 (Normal) References: <01BCB7F8.2F6DAAE0.jlz@isli.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Sizing a firewall depends on many factors and there is no absolute answer. Get more horsepower than you think you will need and make sure that you get good quality interface cards. Some considerations include:

1. The size of the rule base. If you allow everyone out with no restrictions and no one in, then the firewall doesn't have to work too hard to decide whether to pass a packet.

2. The line speed. The line speed is more of a bottleneck than the firewall, at least up to T1+ connections. The speed of an internet connection depends on the speed of the remote server, overall Internet congestion and the speed of the local link. For most businesses the firewall does not typically add a lot of latency. So don't buy a powerhouse firewall to serve a 56K line.

3. Encryption. VPNs are CPU intensive and can add a lot of latency.

4. The type of traffic. The firewall needs to hold state information for every TCP connection, so a web browser might make a lot of little connections as opposed to an ftp client which might make only one.

5. Application level filtering. Do you want to screen file types or http tags in the data stream? If so then you will need cycles to do so.

6. Logging. Do you want the firewall to do a reverse lookup on every IP address it sees? It makes the logs more readable but it does add overhead. Do you want real-time logging to a GUI? The cycles have to come from somewhere.

7. Other services. DNS can add overhead on a busy network, and obviously so can running a web or ftp server on the same box as the firewall (which is NOT recommended).

... I am sure other readers can add more considerations...

For an NT based firewall on less than a T1 connection for 500 users you should look at a Pentium Pro 200 with at least 64 Mb RAM, 2 gig HD, high quality Ethernet cards. There are ways of doing this more cheaply, but since you are asking this question I am assuming you don't want to be playing around with Linux on a 486. Of course, if you need screaming performance and money is no object then you might want to look at a UNIX platform (no holy wars please).

> I was wondering what hardware platform is best to support a company with
> ~500 users. The firewall is gauntlet 4.0. What I need to find out is the
> system architecture, CPU speed, memory size, etc for the machine that's
> going to hold the firewall.

--
Sean Elrington
Choreo Systems - Vancouver
(604) 737-3993
www.choreosystems.com
seane@choreo.ca
=====================================================
Firewalls, encryption, security tools
X.11, NFS, TCP/IP
Messaging and Directory software
=====================================================

From owner-firewalls-outgoing Wed Sep 3 18:46:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA15036 for firewalls-outgoing; Wed, 3 Sep 1997 14:58:38 -0700 (PDT) Received: from tango.lightech.com.ar (tango.lightech.com.ar [200.0.253.134]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id OAA15027 for ; Wed, 3 Sep 1997 14:58:31 -0700 (PDT) From: sbollini@tango.lightech.com.ar Received: (sbollini@localhost) by tango.lightech.com.ar (8.6.8.1/SCA-6.6) id VAA19292 for firewalls@GreatCircle.COM; Wed, 3 Sep 1997 21:46:31 GMT Message-Id: <199709032146.VAA19292@tango.lightech.com.ar> X-Mailer: SCO OpenServer Mail Release 5.0 To: firewalls@GreatCircle.COM Subject: problems with asmtpd Date: Wed, 3 Sep 97 18:46:31 EST Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello everybody!

I'm working with Solaris 2.5.1 and FW-1 3.0a.p1 and I'm having the following problem: configuring a SMTP resource I need to rewrite the recipient field from user@1.2.3.4 to

In the resource definition I wrote:

*@1.2.3.4 -> <&@domain.com>

but the recipient gets rewritten to &@domain.com (i.e. & does not expand to the recipient user name and the signs < and > don't appear). Does anybody know what can be happening?
TIA

From owner-firewalls-outgoing Wed Sep 3 18:50:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA14059 for firewalls-outgoing; Wed, 3 Sep 1997 14:52:19 -0700 (PDT) Received: from davinci.sti.com.br (davinci.sti.com.br [200.240.11.251]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id OAA14048 for ; Wed, 3 Sep 1997 14:52:13 -0700 (PDT) Received: from [10.0.2.15] (eu.ansp.br [143.108.1.19]) by davinci.sti.com.br (8.8.6/8.8.5) with SMTP id SAA07364 for ; Wed, 3 Sep 1997 18:57:08 -0300 Message-ID: <340DDE29.F63@sti.com.br> Date: Wed, 03 Sep 1997 19:01:13 -0300 From: Marlon Borba Organization: Tribunal Regional Federal X-Mailer: Mozilla 3.01 (Win95; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: Re: Trying to run authsrv (2) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Cynthia He wrote:

8< Is your current directory /usr/local/etc? If your path is setup right, you should not need to specify the path as in './authsrv', just 'authsrv' should work. 8<

I've tried it both ways, authsrv and ./authsrv, in the directory /usr/local/etc and outside it. Either way, it didn't work :<

Marlon

From owner-firewalls-outgoing Wed Sep 3 18:53:37 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA21876 for firewalls-outgoing; Wed, 3 Sep 1997 15:36:30 -0700 (PDT) Received: from gotham.mcny.com (gotham.mcny.com [207.122.13.30]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id PAA21782 for ; Wed, 3 Sep 1997 15:36:07 -0700 (PDT) Received: from localhost (mcnyweb@localhost) by gotham.mcny.com (8.8.5/8.7.2) with SMTP id SAA21391 for ; Wed, 3 Sep 1997 18:40:25 -0400 (EDT) Date: Wed, 3 Sep 1997 18:40:25 -0400 (EDT) From: Media Connection To: firewalls@greatcircle.com Subject: Switches Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

We are about to purchase switches for our network. We started looking at Cisco 2900's, but now find the BayNetworks BayStack 350T quite appealing. There is an 8K price difference, and I was wondering if anyone has experience with one switch versus the other, or any other switches. Below is a comparison I put together based on the marketing materials from both companies. Thanks for your help.

                                  Bay (BayStack 350T)          Cisco (2900)
Cost:                             3,995                        11,500
No. of 10/100 autosensing ports:  16                           14
Autosensing:                      10/100 Megabit on all ports  10/100 Megabit on all ports
Switching backplane:              1.2 Gbps                     1.2 Gbps
Mgmt:                             Telnet into device           Entire software suite
Network layer:                    Layer 2                      Layer 2
Packets per second:               1.6 million                  1 million
Number of MAC addresses:          8,192                        16,000

From owner-firewalls-outgoing Wed Sep 3 18:56:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA10849 for firewalls-outgoing; Wed, 3 Sep 1997 14:30:12 -0700 (PDT) Received: from mail1.quadrix.com (mail1.quadrix.com [208.210.34.33]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id OAA10804 for ; Wed, 3 Sep 1997 14:29:59 -0700 (PDT) Received: (qmail 10568 invoked from network); 3 Sep 1997 21:33:59 -0000 Received: from jukyu.quadrix.com (208.210.35.65) by mail1.quadrix.com with SMTP; 3 Sep 1997 21:33:59 -0000 Received: (qmail 394 invoked by uid 104); 3 Sep 1997 21:35:58 -0000 Date: 3 Sep 1997 21:35:58 -0000 Message-ID: <19970903213558.393.qmail@jukyu.quadrix.com> MBOX-Line: From bve Wed Sep 3 17:35 EDT 1997 From: BVE To: ziv@AbirNet.com cc: firewalls@greatcircle.com Subject: A thinly-veiled ad... Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Date: Mon, 1 Sep 97 13:37:23 +0200
From: Ziv Dascalu
Subject: Re: Attacks from Internal

I noticed that most of you in this list are more concerned about protecting their network from external attacks. Some even talk about very [etc....]

It strikes me that this is nothing more than a thinly-veiled ad for your product. This is expressly NOT the purpose for this list, as I understand it. While certainly, you have toned down the frequency and volume of your ads posted to this list, I would prefer that you did not do so at all. If you have meaningful discussion to raise, do so.
If you contribute, it's even ok to mention your product (briefly, as you do in your signature), but you do not add to the discussion -- you merely attempt to push your product. Please refrain from doing this in the future.

If you wish to converse with me on the subject, send me private e-mail. Any message sent to this list, even if also sent to me privately, will NOT be responded to....

--
Bill Van Emburg
Quadrix Solutions, Inc.
(bve@quadrix.com) (http://quadrix.com)
"You do what you want, and if you didn't, you don't"

From owner-firewalls-outgoing Wed Sep 3 18:57:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA09498 for firewalls-outgoing; Wed, 3 Sep 1997 16:58:32 -0700 (PDT) Received: from davinci.sti.com.br (davinci.sti.com.br [200.240.11.251]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id QAA09453 for ; Wed, 3 Sep 1997 16:58:18 -0700 (PDT) Received: from pc.sti.com.br (dial-1-208.sti.com.br [200.240.5.208]) by davinci.sti.com.br (8.8.6/8.8.5) with SMTP id VAA19392 for ; Wed, 3 Sep 1997 21:03:11 -0300 Message-Id: <3.0.1.32.19970903210312.0079dbc0@sti.com.br> X-Sender: marlon@sti.com.br X-Mailer: Windows Eudora Light Version 3.0.1 (32) Date: Wed, 03 Sep 1997 21:03:12 -0300 To: firewalls@greatcircle.com From: Marlon Borba Subject: Re: Authsrv don't work. Help!! In-Reply-To: <3.0.3.32.19970903164245.009a2730@stardust.com> References: <340DB565.6C7D@sti.com.br> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 16:42 03/09/97 -0700, you wrote:
>Are you in /usr/local/etc when you run this?
>

Sure. The directory is in the PATH and I tried this from the directory AND out.

Marlon.
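A diagnostic for the symptom in the authsrv thread above (the shell reporting "No such file or directory" for a file that exists, is executable and is on the PATH), added here as an example; it is not from the thread or from the TIS toolkit. The reasoning it encodes: that message is the shell relaying ENOENT from execve(), which fails that way not only when the named file is missing but also when the interpreter the file names cannot be found, either the program on a script's #! line or the dynamic loader recorded in an ELF binary's PT_INTERP header (a binary built against a different libc or ABI names a loader the running system does not have). The script assumes a POSIX shell and, for the ELF check, GNU binutils readelf with its usual "[Requesting program interpreter: ...]" output; without readelf it only performs the #! check.

```shell
#!/bin/sh
# diagnose_exec PATH
# Explains why "sh: PATH: No such file or directory" can appear for a
# file that is present. Return codes:
#   0 = file exists, is executable, and its interpreter was found
#   1 = file missing             2 = not executable
#   3 = #! interpreter missing   4 = ELF dynamic loader (PT_INTERP) missing
diagnose_exec() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "$f: file does not exist (check spelling and PATH)"
        return 1
    fi
    if [ ! -x "$f" ]; then
        echo "$f: not executable (chmod 755?)"
        return 2
    fi
    # Scripts: the kernel execs the program named on the first line; if that
    # program is absent, execve() fails with ENOENT for the script's own name.
    magic=$(dd if="$f" bs=2 count=1 2>/dev/null)
    if [ "$magic" = "#!" ]; then
        interp=$(head -n 1 "$f" | sed 's/^#![[:space:]]*//' | cut -d ' ' -f 1)
        if [ ! -x "$interp" ]; then
            echo "$f: script interpreter '$interp' is missing"
            return 3
        fi
    elif command -v readelf >/dev/null 2>&1; then
        # ELF binaries: the loader named in PT_INTERP must exist as well; a
        # binary built for another libc/ABI names a loader this system lacks.
        ldso=$(readelf -l "$f" 2>/dev/null | sed -n 's/.*interpreter: \(.*\)\]/\1/p')
        if [ -n "$ldso" ] && [ ! -x "$ldso" ]; then
            echo "$f: ELF loader '$ldso' is missing (binary built for a different libc/ABI?)"
            return 4
        fi
    fi
    echo "$f: exists, is executable, and its interpreter is present"
    return 0
}
```

Run it as `diagnose_exec /usr/local/etc/authsrv` (path assumed from the thread). Return code 3 or 4 means the file is fine but the kernel cannot find what it needs to start it, which is exactly the case where "the executable is in the right directory" and "permissions are 755" are both true and the error still appears.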
From owner-firewalls-outgoing Wed Sep 3 18:58:51 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA22743 for firewalls-outgoing; Wed, 3 Sep 1997 18:06:55 -0700 (PDT) Received: from a4000.rapid.net (a4000.rapid.net [38.178.148.7]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id SAA22716 for ; Wed, 3 Sep 1997 18:06:46 -0700 (PDT) Received: from a2000.rapid.net (a2000.rapid.net [38.178.148.4]) by a4000.rapid.net (8.8.5/RAPID.NET-8.8.5) with SMTP id VAA12852 for ; Wed, 3 Sep 1997 21:12:36 -0400 (EDT) Message-Id: <3.0.3.32.19970903211536.009d2700@rapid.net> X-Sender: rick@rapid.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Wed, 03 Sep 1997 21:15:36 -0400 To: firewalls@GreatCircle.COM From: Rick Hardy Subject: Opinions of MS Proxy Server Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello...

I have recently been asked to look at MS Proxy server..... The client was initially looking at Checkpoint FW-1 and may still go that route, but has side tracked me into looking at MS Proxy.... (Since it's a 20th the cost...)

Anyway, does anyone have any experience with MS Proxy?!?! What can and can't it do? Any got-yas? I do know that MS Proxy is NOT a firewall, but I would assume for outbound (To Internet) it would serve the same purpose to a limited extent? I would also assume for inbound access it would really offer much?

Also, I fear the next question would be is it possible to implement MS Proxy and PPTP together? If so, what would the ideal install be?? Can they both be installed on the same box???

Any opinions would be greatly appreciated....
--=Rick Hardy=-- From owner-firewalls-outgoing Wed Sep 3 19:00:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA18299 for firewalls-outgoing; Wed, 3 Sep 1997 17:42:44 -0700 (PDT) Received: from mailhost.Ipsilon.COM (mailhost.ipsilon.com [205.226.5.12]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id RAA18278 for ; Wed, 3 Sep 1997 17:42:37 -0700 (PDT) Received: from jc.ipsilon.com (jc.Ipsilon.COM [205.226.2.151]) by mailhost.Ipsilon.COM (8.6.11/8.6.10) with ESMTP id RAA10116; Wed, 3 Sep 1997 17:11:40 -0700 Message-ID: <340DFB58.53B8F540@ipsilon.com> Date: Wed, 03 Sep 1997 17:05:45 -0700 From: John Carosella Reply-To: jc@Ipsilon.COM Organization: www.ipsilon.com X-Mailer: Mozilla 4.01 [en] (Win95; U) MIME-Version: 1.0 To: Gregg Earnhart CC: "'firewalls@greatcircle.com'" Subject: Re: NT qud Ethernet and Checkpoint X-Priority: 3 (Normal) References: <308F522E7AD2D0119353006097266E8682C212@dfwtx03.ins.gte.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Gregg, You can get the Matrox Shark to work in the Ipsilon platform for FireWall-1 (FW-1 Rls 3.0). It also supports FDDI. It's not NT, but it is Intel hardware. Can be a black-box firewall or an integrated router/firewall. Drop me an email if you want further clarification. jc Gregg Earnhart wrote: > Does anyone know of a Quad interface Ethernet card that plays well > with > Windows NT and Checkpoint Firewall? I have tried Matrox Shark-100 > Multiport NIC+ cards and found that this does NOT work. > > BTW.I would like to know of any FDDI solution for Windows NT as well. > > glearnhart@ins.gte.com > Gregg Earnhart > Sr. Systems Engineer Security Services -- ------------------------------------------------------------------------- John Carosella email: jc@ipsilon.com Difficult is good . . . Unreasonable is better . . . Impossible is best! 
-------------------------------------------------------------------------

From owner-firewalls-outgoing Wed Sep 3 19:02:12 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA13424 for firewalls-outgoing; Wed, 3 Sep 1997 17:19:19 -0700 (PDT) Received: from kryten.act.softway.com.au (kryten.act.softway.com.au [203.29.136.93]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id QAA08239 for ; Wed, 3 Sep 1997 16:52:20 -0700 (PDT) Received: by kryten.act.softway.com.au; id JAA12819; Thu, 4 Sep 1997 09:57:59 +1000 (EST) Received: from chrisnic.act.softway.com.au(192.168.20.10) by kryten.act.softway.com.au via smap (3.2) id xma012816; Thu, 4 Sep 97 09:57:36 +1000 Message-Id: <1.5.4.32.19970904000306.00a773b0@dynamite.com.au> X-Sender: chrisn@dynamite.com.au X-Mailer: Windows Eudora Light Version 1.5.4 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 04 Sep 1997 10:03:06 +1000 To: Firewalls@GreatCircle.COM From: Christopher Nicholls Subject: Re: Firewalls-Digest V6 #421 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 01:18 3/09/97 -0700, Jian Zhen wrote:
>Date: Tue, 2 Sep 1997 22:15:11 -0700
>From: Jian Zhen
>Subject: Firewall configuration
>
>Hi
>
>I was wondering what hardware platform is best to support a company with
>~500 users. The firewall is gauntlet 4.0. What I need to find out is the
>system architecture, CPU speed, memory size, etc for the machine that's
>going to hold the firewall.
>
>Any ideas?
>
>any input would be greatly appreciated

For what TIS themselves recommend see: http://www.tis.com/docs/products/gauntlet/tech4.html

They give a full description of the hardware there.
Regards
Christopher

-----------------------------------------------------------------------------
Christopher A Nicholls
-----------------------------------------------------------------------------
Softway Pty Ltd ACN: 002 726 641
Canberra Branch Office: Advance Bank Centre, 60 Marcus Clarke Street, Canberra City ACT 2602
Ph: +61 2 62434834 Fax: +61 2 6243 4848
E-mail: chrisn@softway.com.au Mob: 0411 454 755
WWW: http://www.softway.com.au
-----------------------------------------------------------------------------
"...life's too short." Anon.

From owner-firewalls-outgoing Wed Sep 3 20:15:56 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA03015 for firewalls-outgoing; Wed, 3 Sep 1997 19:04:36 -0700 (PDT) Received: from foonix.slnsw.gov.au (feenix.slnsw.gov.au [202.0.106.99]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id TAA02997 for ; Wed, 3 Sep 1997 19:04:28 -0700 (PDT) Received: (from uucp@localhost) by foonix.slnsw.gov.au (8.8.4/8.8.4) id MAA05025 for ; Thu, 4 Sep 1997 12:10:18 +1000 (EST) Received: from ilanet.slnsw.gov.au(172.16.0.4) by foonix.slnsw.gov.au via smap (V1.3) id sma005012; Thu Sep 4 12:10:13 1997 Received: from slid.slnsw.gov.au (slid.slnsw.gov.au [172.16.0.3]) by ilanet.slnsw.gov.au (8.8.4/8.8.4) with ESMTP id MAA17711 for ; Thu, 4 Sep 1997 12:10:12 +1000 (EST) Received: (from david@localhost) by slid.slnsw.gov.au (8.8.4/8.8.4) id MAA24392 for Firewalls@GreatCircle.COM; Thu, 4 Sep 1997 12:10:03 +1000 (EST) Date: Thu, 4 Sep 1997 12:10:03 +1000 (EST) From: David Cragg Message-Id: <199709040210.MAA24392@slid.slnsw.gov.au> To: Firewalls@GreatCircle.COM Subject: Large Libraries that have Firewalls? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

Currently I am receiving questions from staff like: "Why do we have to have a firewall?" Sound familiar? I provide them with standard security reasons that we all know.
However they claim they do not know of any Library in the US, Australia etc. that has a firewall. I find this hard to believe. However does anybody know of well-known libraries that have firewalls? I wanted to provide these people with a list so they can stop asking me these silly questions. :)

Send your mail directly to me. I will summarise if people are interested.

Thanks in advance,
David.

From owner-firewalls-outgoing Wed Sep 3 20:46:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA22800 for firewalls-outgoing; Wed, 3 Sep 1997 20:38:14 -0700 (PDT) Received: from Kitten.mcs.com (Kitten.mcs.com [192.160.127.90]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id UAA22786 for ; Wed, 3 Sep 1997 20:38:08 -0700 (PDT) Received: from spikeman (chi-il12-21.ix.netcom.com [204.32.166.213]) by Kitten.mcs.com (8.8.5/8.8.2) with ESMTP id WAA04089 for ; Wed, 3 Sep 1997 22:44:05 -0500 (CDT) Message-Id: <199709040344.WAA04089@Kitten.mcs.com> From: "Spikeman" To: Subject: Date: Wed, 3 Sep 1997 22:42:36 -0500 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1161 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Remove

From owner-firewalls-outgoing Wed Sep 3 21:16:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA26831 for firewalls-outgoing; Wed, 3 Sep 1997 20:56:45 -0700 (PDT) Received: from pluto (pluto.citadel.com.au [203.14.230.9]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id UAA26665 for ; Wed, 3 Sep 1997 20:56:08 -0700 (PDT) Received: from Aaron.citadel.com.au ([203.23.80.13]) by pluto (8.7.6/8.7.3) with SMTP id OAA24597 for ; Thu, 4 Sep 1997 14:01:53 +1000 Message-Id: <199709040401.OAA24597@pluto> Reply-To: "Aaron Everingham" X-Mailer: Microsoft Outlook Express 4.71.0544.0 From: "Aaron Everingham" To: "Firewalls"
Subject: email encryption Date: Thu, 4 Sep 1997 14:00:37 +1000 X-Priority: 3 X-MSMail-Priority: Normal MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-MimeOLE: Produced By Microsoft MimeOLE Engine V4.71.0544.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Somewhat off topic but... Does anyone know of an email encryption package that
a) integrates into win95/nt explorer so the encryption can be applied to an attachment of any mail app?
b) supports digital x509 sigs and
c) creates self extracting archives out of the attachment ?

thanks in advance

Aaron Everingham
Northern Regions Manager
Citadel Security Management Systems
aaron@citadel.com.au
www.citadel.com.au
Ph: 02 9261 1299 Fax: 02 9261 4787

From owner-firewalls-outgoing Wed Sep 3 21:47:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA05996 for firewalls-outgoing; Wed, 3 Sep 1997 21:42:36 -0700 (PDT) Received: from audrey.Ivy.NET (audrey.ivy.net [208.0.35.33]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id VAA05704 for ; Wed, 3 Sep 1997 21:41:45 -0700 (PDT) Received: (from padre@localhost) by audrey.Ivy.NET (8.7.6/8.7.3) id AAA25530 for firewalls@greatcircle.com; Thu, 4 Sep 1997 00:47:39 -0400 From: Micheal Sean Message-Id: <199709040447.AAA25530@audrey.Ivy.NET> Subject: Re: Gauntlet Performance (fwd) To: firewalls@greatcircle.com Date: Thu, 4 Sep 1997 00:47:37 -0400 (EDT) Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> >> Go to the CISCO Web page and search for a product called "Local
> >> Director"
> >
> >That's a nice box, but not a good general solution. For one thing,
> >it only handles TCP-based protocols.
>
> Most apps you'll want to load balance will be tcp based apps. smtp http ftp gopher

What udp apps do you deal with ? dns and ntp. These aren't major bandwidth hogs. In fact, lookups are tcp.
What's nice about the local director is between 45 and 90 Mbs throughput and true fault tolerance (HSRP). That and the fact that NO client or server side software installation is needed.

Cheers,
Padre

From owner-firewalls-outgoing Wed Sep 3 22:02:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA27189 for firewalls-outgoing; Wed, 3 Sep 1997 20:59:02 -0700 (PDT) Received: from lucifer.adams.edu (lucifer.adams.edu [192.156.134.6]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id UAA27180 for ; Wed, 3 Sep 1997 20:58:56 -0700 (PDT) Received: from localhost (jjj@localhost) by lucifer.adams.edu (8.8.6/8.8.6) with SMTP id WAA02197; Wed, 3 Sep 1997 22:04:46 -0600 Date: Wed, 3 Sep 1997 22:04:46 -0600 (MDT) From: Joel J Jensen To: Media Connection cc: firewalls@GreatCircle.COM Subject: Re: Switches In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Wed, 3 Sep 1997, Media Connection wrote:
> We are about to purchase switches for our network.
> We started looking at Cisco 2900's, but now find
> BayNetworks BayStack 350T quite appealing. There
> is a 8K price difference, and I was wondering if
> anyone has experience with one switch versus
> the other, or any other switches.

I tried to buy some BayStack switches recently and found there to be a long backlog on getting them. Since I needed them now, I had to change my order to another manufacturer. If waiting (and waiting....) isn't an issue in your situation then no problem. It was a _very real_ problem for us.
-------------------------------------------------------------------------------
Joel J Jensen          | Adams State College | (719)589-7790 (voice)
jjj@lucifer.adams.edu  | 208 Edgemont Blvd   | (719)589-7522 (fax)
                       | Alamosa, CO 81102   |
-------------------------------------------------------------------------------

From owner-firewalls-outgoing Wed Sep 3 22:16:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA04384 for firewalls-outgoing; Wed, 3 Sep 1997 21:35:51 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id VAA04195 for ; Wed, 3 Sep 1997 21:35:14 -0700 (PDT) From: eric.greenwood@datacraft.co.nz Received: from zephyr.grace.cri.nz by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id UAA13870; Wed, 3 Sep 1997 20:23:38 -0700 (PDT) Received: by zephyr.grace.cri.nz (5.57/Ultrix4.0) id AA02508; Thu, 4 Sep 97 15:28:32 +1200 Received: by DCNZ-LWH01.datacraft.co.nz; Thu, 4 Sep 97 15:34:48 -1200 Date: Thu, 4 Sep 97 15:34:45 NST Message-Id: X-Priority: 3 (Normal) To: Subject: Checkpoint FW-1 on AIX X-Incognito-Sn: 640 X-Incognito-Format: VERSION=2.01a ENCRYPTED=NO Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Has anybody had any experience of running Checkpoint FW-1 on AIX ?? I would be interested in any feedback, user comments, how easy to install and configure, look and feel, problems encountered etc etc.

Also, is it safe to assume that the rule set (or stateful checking) is consistently applied between products, (ie) FW-1 on NT, SunOS, Solaris and AIX ??
Thank you

Eric Greenwood
Branch Manager
Datacraft (NZ) Ltd
reply to: eric.greenwood@datacraft.co.nz

From owner-firewalls-outgoing Wed Sep 3 22:39:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA28185 for firewalls-outgoing; Wed, 3 Sep 1997 21:04:17 -0700 (PDT) Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id VAA28170 for ; Wed, 3 Sep 1997 21:04:12 -0700 (PDT) Received: from ttruitt-pc.cisco.com (sj-dial-3-36.cisco.com [171.68.179.37]) by diablo.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id VAA22629; Wed, 3 Sep 1997 21:09:37 -0700 (PDT) Message-Id: <3.0.3.32.19970903220601.00983570@diablo.cisco.com> X-Sender: ttruitt@diablo.cisco.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Wed, 03 Sep 1997 22:06:01 -0600 To: Media Connection , firewalls@GreatCircle.COM From: "R. Todd Truitt" Subject: Re: Switches In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

*** Vendor Alert *** ;-)

Since this is a firewall list, I won't go into details here. However, please e-mail me directly and I'll discuss a couple of key issues to look for, regardless of vendor, when making a switching decision.

Cheers
--T

At 06:40 PM 9/3/97 -0400, Media Connection wrote:
>We are about to purchase switches for our network.
>We started looking at Cisco 2900's, but now find
>BayNetworks BayStack 350T quite appealing. There
>is a 8K price difference, and I was wondering if
>anyone has experience with one switch versus
>the other, or any other switches. Below, is a
>comparison I put together based on the marketing
>materials from both companies. Thanks for your
>help.
>
>Cost:
>Bay - 3,995
>Cisco - 11,500
>
>No. of 10/100 Autosensing ports:
>Bay - 16
>Cisco - 14
>
>Autosensing:
>Bay - 10/100 Megabit on all ports
>Cisco - 10/100 Megabit on all ports
>
>Switching Backplane:
>Bay - 1.2-Gps
>Cisco - 1.2-Gps
>
>Mgmt:
>Bay - Telnet into device
>Cisco - Entire software suite
>
>Network Layer:
>Bay - Layer 2
>Cisco - Layer 2
>
>Packets per second:
>Bay - 1.6 million
>Cisco - 1 million
>
>Number of MAC Addresses:
>Bay - 8,192
>Cisco - 16,000
>

From owner-firewalls-outgoing Wed Sep 3 22:46:30 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA24745 for firewalls-outgoing; Wed, 3 Sep 1997 20:48:38 -0700 (PDT) Received: from cheops.anu.edu.au ([150.203.76.24]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id UAA21368 for ; Wed, 3 Sep 1997 20:29:35 -0700 (PDT) Message-Id: <199709040329.UAA21368@honor.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA277513982; Thu, 4 Sep 1997 13:33:02 +1000 From: Darren Reed Subject: Re: log problem with FW-1 version 3.0a.p1 To: Engasser@js-jtf.af.mil (Engasser Charlie) Date: Thu, 4 Sep 1997 13:33:02 +1000 (EST) Cc: jcgomez@mad.servicom.es, Firewalls@GreatCircle.COM In-Reply-To: from "Engasser, Charlie" at Sep 3, 97 09:34:26 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In some mail from Engasser, Charlie, sie said:
[...]
> One of the things I've heard a lot of people say about FW-1 is the ease
> of use on the interface. I have not looked at the UNIX versions, but
> there are some things on the NT version that are seriously lacking.

How about the problem that a ruleset, when viewed using the same version of the browser on NT & Unix, appears to be different on each ? (The Unix one was correct...)

My suggestion to anyone running FW-1 would be to learn about inspect and verify that what they see is what they get.
Darren

From owner-firewalls-outgoing Wed Sep 3 23:46:47 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA27242 for firewalls-outgoing; Wed, 3 Sep 1997 23:18:22 -0700 (PDT) Received: from ot.stpn.soft.net (freebie.opentech.stpn.soft.net [204.143.126.74]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id WAA22338 for ; Wed, 3 Sep 1997 22:54:15 -0700 (PDT) Received: from andes (andes.opentech.stpn.soft.net [204.143.126.66]) by ot.stpn.soft.net (8.6.12/8.6.12) with ESMTP id LAA11479; Thu, 4 Sep 1997 11:33:43 +0530 Message-ID: <340EE174.C45D396F@opentech.stpn.soft.net> Date: Thu, 04 Sep 1997 11:27:33 -0500 From: Prashant Dongre Reply-To: pdongre@opentech.stpn.soft.net X-Mailer: Mozilla 4.01 [en] (WinNT; I) MIME-Version: 1.0 To: ArkanoiD CC: firewalls@greatcircle.com, freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG Subject: Re: log connection attempts? X-Priority: 3 (Normal) References: <203609030840.MAA14571@paranoid.convey.ru> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

ArkanoiD wrote:
> nuqneH,
>
> Did anyone try to patch the kernel to log connection attempts for ports
> (tcp and maybe udp) where no program accepts connection? (2.1.7)
>
> I _know_ i can do nearly the same with IP filtering/logging but i
> prefer another way..
>
> --
> _ _ _ _ _ _ _
> {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_
> (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_|
>
> [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!

Have you configured kernel for IPFW (IP Firewall) ?

IPFW does log connection attempts for the ports which are blocked for a network.

Messages get into /var/log/messages and also displayed on the console.
Prashant

From owner-firewalls-outgoing Thu Sep 4 00:17:00 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA09747 for firewalls-outgoing; Thu, 4 Sep 1997 00:09:39 -0700 (PDT) Received: from mail-spool.is.co.za (mail-spool.is.co.za [196.4.160.4]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id AAA09562 for ; Thu, 4 Sep 1997 00:09:05 -0700 (PDT) Received: from mailhost.ixchange.com (mailhost.ixchange.com [196.33.240.7]) by mail-spool.is.co.za (8.8.6/IShub#3) with SMTP id JAA29375 for ; Thu, 4 Sep 1997 09:13:43 +0200 Received: by mailhost.ixchange.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BCB913.0CDDC930@mailhost.ixchange.com>; Thu, 4 Sep 1997 09:15:13 +0200 Message-ID: X-MS-TNEF-Correlator: From: MARTIN BREMER To: "firewalls@GreatCircle.COM" Subject: Firewall that supports DecNet, TCP/IP, IPX Date: Thu, 4 Sep 1997 09:02:48 +0200 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="---- =_NextPart_000_01BCB913.0CDF4FD0" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi All

I need to know more about any Firewall Products that will support the above protocols in one. I also need more info on a product called The Gnat Box (I think).
Please respond.

Thanks
Martin Bremer
+27 11 806 4390

From owner-firewalls-outgoing Thu Sep 4 01:32:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA17936 for firewalls-outgoing; Thu, 4 Sep 1997 00:48:36 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id AAA15727 for ; Thu, 4 Sep 1997 00:34:58 -0700 (PDT) Received: from central.webforum.de by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id AAA21446; Thu, 4 Sep 1997 00:35:24 -0700 (PDT) Received: (from uucp@localhost) by central.webforum.de (8.7.6/8.7.6-webforum) id JAA26278; Thu, 4 Sep 1997 09:40:02 +0100 Received: from localhost (klaus@localhost) by gaston.m.isar.de (8.7.6/8.7.6-webforum) with SMTP id JAA27332; Thu, 4 Sep 1997 09:38:10 +0100 Date: Thu, 4 Sep 1997 09:38:10 +0100 (WET DST) From: Klaus Lichtenwalder To: Prashant Dongre cc: ArkanoiD , firewalls@GreatCircle.COM, freebsd-security@FreeBSD.ORG Subject: Re: log connection attempts? In-Reply-To: <340EE174.C45D396F@opentech.stpn.soft.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thu, 4 Sep 1997, Prashant Dongre wrote:
> ArkanoiD wrote:
> > nuqneH,
> >
> > Did anyone try to patch the kernel to log connection attempts for ports
> > (tcp and maybe udp) where no program accepts connection? (2.1.7)
> >
> > I _know_ i can do nearly the same with IP filtering/logging but i
> > prefer another way..
> >
> [...]
> Have you configured kernel for IPFW (IP Firewall) ?
>
> IPFW does log connection attempts for the ports which are blocked for a network.
>
> Messages get into /var/log/messages and also displayed on the console.
>
> Prashant
>

There's a patch for linux out that logs connection attempts to unserved ports. Might be worth a look if somebody tries to port sth like this to different os'.

Klaus
--
Klaus Lichtenwalder, Dipl. Inform., PGP Key: email to key@Four11.com
Lichtenwalder@ACM.org         http://www.wp.com/Klaus
K.Lichtenwalder@Computer.org  fax: +49-89-91072699
No wonder nobody comes here--it's too crowded. -Yogi Berra

From owner-firewalls-outgoing Thu Sep 4 03:01:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA03653 for firewalls-outgoing; Thu, 4 Sep 1997 02:38:07 -0700 (PDT) Received: from gate.sbbio.be (gate.sbbio.be [193.75.228.253]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id CAA03606 for ; Thu, 4 Sep 1997 02:37:50 -0700 (PDT) Received: (from root@localhost) by gate.sbbio.be (8.6.9/8.6.9) id LAA18034 for ; Thu, 4 Sep 1997 11:03:44 +0200 Received: from hp.sbbio.be(193.74.128.246) by gate.sbbio.be via smap (V1.3) id sma018014; Thu Sep 4 11:03:13 1997 Received: from [10.2.1.184] by rxu01 with SMTP (1.37.109.4/16.2) id AA13289; Thu, 4 Sep 97 10:55:36 +0200 Received: by MASUIT2 with Microsoft Mail id <01BCB924.8424D9A0@MASUIT2>; Thu, 4 Sep 1997 11:20:14 +0200 Message-Id: <01BCB924.8424D9A0@MASUIT2> From: Pascal Masuit To: "'Firewalls@GreatCircle.COM'" Subject: DHCP and firewalls Date: Thu, 4 Sep 1997 11:20:13 +0200 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

I'm in the process of migrating about 1000 Windows TCP/IP clients from statically assigned IP addresses to DHCP. Up until today, Internet access has been managed by using a firewall (TIS based, running on BSD) with an ordinary access-list based on IP addresses.
The goal is to manage access to the Internet for DHCP clients. Most of our servers and clients run on a Microsoft OS. Therefore I had the following scenario in mind...

From an administration point of view, it would be interesting to be able to manage Internet access, based on Windows NT user accounts.

1/ Create a Global User Group (e.g. Internet Clients) on the PDC for domain X.
2/ Integrate a dual homed NT Server with proxy or firewall software in domain X.

QUESTIONS:
-------------------
Q1: Has anyone got experience with:
- a similar setup ?
- MS Proxy 1.0 or 2.0 beta ?
- using MS Proxy Server in combination with a UNIX firewall ?

Q2: Do other options/products exist which allow you to efficiently integrate DHCP and Internet access management ?

Note:
1/ One option is: reserving IP addresses in the Microsoft DHCP manager to Internet clients. However, I'd like to avoid this since we've got about 300 Internet clients, and maintenance of those clients is labor intensive.
2/ I read about MS Proxy Server 2.0, which should tightly integrate with Windows NT Server user authentication! Definitely going to evaluate this product, but I'm afraid the PROXY server - as its name implies - will not provide us with the required security (!?).

All comments and/or experiences are welcome. Thanks in advance for sharing your view on this.
Pascal

-------------------------------------------
Pascal Masuit - Network Support Engineer
e-mail: masuit@sbbio.be
SmithKline Beecham Biologicals
Rixensart - Belgium
-------------------------------------------

From owner-firewalls-outgoing Thu Sep 4 04:53:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA16645 for firewalls-outgoing; Thu, 4 Sep 1997 04:18:16 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id DAA12484 for ; Thu, 4 Sep 1997 03:33:43 -0700 (PDT) Received: from saris.unipo.sk by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id DAA25318; Thu, 4 Sep 1997 03:33:57 -0700 (PDT) Received: (from marusak@localhost) by saris.unipo.sk (8.6.13/8.6.12) id MAA21536 for firewalls@GreatCircle.COM; Thu, 4 Sep 1997 12:33:13 +0200 From: Martin Marusak Message-Id: <199709041033.MAA21536@saris.unipo.sk> Subject: qmail To: firewalls@GreatCircle.COM Date: Thu, 4 Sep 1997 12:33:12 +0200 (MET DST) X-Mailer: ELM [version 2.4ME+ PL28 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

hello

qmail was recommended to me as a replacement for sendmail. I was told it doesn't have such big bugs and is more secure. What do you think about using qmail instead of sendmail?
Martin Marusak

From owner-firewalls-outgoing Thu Sep 4 05:02:28 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA20605 for firewalls-outgoing; Thu, 4 Sep 1997 04:53:51 -0700 (PDT) Received: from cbisinet.cbis.com (cbisinet.cbis.com [206.230.22.18]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id EAA20587 for ; Thu, 4 Sep 1997 04:53:42 -0700 (PDT) From: warren.moore@cbis.com Received: from notes.cbis.com by cbisinet.cbis.com (5.x/SMI-SVR4) id AA23749; Thu, 4 Sep 1997 07:59:30 -0400 Received: by notes.cbis.com(Lotus SMTP MTA v1.1 (385.6 5-6-1997)) id 85256508.0041C3CB ; Thu, 4 Sep 1997 07:58:19 -0400 X-Lotus-Fromdomain: CBIS@CBISEXT To: firewalls-digest@GreatCircle.COM Message-Id: <85256508.0040D600.00@notes.cbis.com> Date: Thu, 4 Sep 1997 07:59:18 -0400 Subject: Anyone Know "WebWall" Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Folks:

Do any of you have first-hand knowledge of the new McAfee "WebWall" firewall product? As usual, McAfee's marketing organization is touting it as the greatest thing since sliced bread. The html demo is neat, but I would like to know if there's any substance behind the fluff.

---
Warren S. Moore, CISSP
Information Security Specialist
Cincinnati Bell Information Systems Inc. (CBIS Inc.)
From owner-firewalls-outgoing Thu Sep 4 05:16:48 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA20819 for firewalls-outgoing; Thu, 4 Sep 1997 04:56:51 -0700 (PDT) Received: from extcom4.cbs.nl (extcom4.cbs.nl [192.87.118.4]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id EAA20799 for ; Thu, 4 Sep 1997 04:56:32 -0700 (PDT) Received: from [192.87.118.71] by extcom4.cbs.nl (5.65/1.34) id AA22639; Thu, 4 Sep 97 13:54:23 +0200 Received: from MSWUIT by wonderwall.cbs.nl via smtpd (for extcom4.cbs.nl [192.87.118.4]) with SMTP; 4 Sep 1997 11:50:31 UT Received: from mailbht1.cbs.nl (unverified [105.1.1.6]) by mswuit.cbs.nl (Integralis SMTPRS 2.04) with SMTP id ; Thu, 04 Sep 1997 13:55:28 +0200 X-To: firewalls@greatcircle.com.internet Received: by rh1e.cbs.nl with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BCB93A.6FD4F3C0@rh1e.cbs.nl>; Thu, 4 Sep 1997 13:57:09 +0200 Message-Id: From: "Pleuger, R.B.W." To: "'firewalls@GreatCircle.COM'" Subject: Webserver logging Date: Thu, 4 Sep 1997 13:56:55 +0200 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

Recently we put a webserver behind our firewall (eagle nt 4.0).
>The problem now is that all hits from the outside world are being logged with the ip address of the inside interface of our firewall. Do other firewalls do the same and, if they don't, why does raptor do it?
Regards

Roger

From owner-firewalls-outgoing Thu Sep 4 06:13:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA15590 for firewalls-outgoing; Thu, 4 Sep 1997 04:00:26 -0700 (PDT) Received: from bramber.windsor.com (bramber.windsor.com [199.181.96.54]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id DAA15476 for ; Thu, 4 Sep 1997 03:59:58 -0700 (PDT) Received: from raglan (carew.windsor.com [199.181.96.17]) by bramber.windsor.com (8.6.12/8.6.12) with SMTP id HAA28080; Thu, 4 Sep 1997 07:05:49 -0400 Received: by localhost with Microsoft MAPI; Thu, 4 Sep 1997 07:05:48 -0400 Message-ID: <01BCB900.F88BA090.EricSmith@windsor.com> From: "Eric V. Smith" To: "'Micheal Sean'" , "firewalls@GreatCircle.COM" Subject: LocalDirector question (was: Gauntlet Performance) Date: Thu, 4 Sep 1997 07:05:46 -0400 X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thursday, September 04, 1997 12:48 AM, Micheal Sean [SMTP:padre@Ivy.NET] wrote:
>
> What udp apps do you deal with ? dns and ntp. These aren't major
> bandwidth hogs. In fact, lookups are tcp. What's nice about the
> local director is between 45 and 90 Mbs throughput and true fault
> tolerance (HSRP). That and the fact that NO client or server
> side software installation is needed.

This is a LocalDirector question and isn't really related to firewalls, so I apologize in advance.

I have a client who wants to use a LocalDirector to balance load across multiple web servers. The problem is that they are maintaining state on the servers, using cookies sent back to the clients to manage which state information belongs to which client. If you're familiar with Microsoft ASP sessions, it's the same thing. The upshot is that every request from a given client must go to the same server.
Does anyone know if the LocalDirector can handle this? There would be an idle timeout of say 20 minutes after which a request from the same client would be considered a new session, so it wouldn't have to have infinite memory to remember every client connection ever made.

Here's the firewall slant: I'm concerned that even if the LocalDirector can do this, outbound HTTP proxies at the client would cause everyone from AOL, for example, to hit the same web server.

Has anyone ever tried using a LocalDirector for this application?

Thanks.

Eric.

From owner-firewalls-outgoing Thu Sep 4 08:21:12 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA16576 for firewalls-outgoing; Thu, 4 Sep 1997 07:25:11 -0700 (PDT)
Received: from blackhole1.tactik.com (bgs1.tactik.com [206.47.15.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id HAA16491 for ; Thu, 4 Sep 1997 07:24:45 -0700 (PDT)
Received: from blackyqe0.ceb.qc.ca (blackyqe0.ceb.qc.ca [204.101.110.2]) by blackhole1 with ESMTP (DuhMail/2.0) id LAA00769; Thu, 4 Sep 1997 11:14:05 -0400
Received: from [204.101.110.173] ([204.101.110.173]) by ceb.qc.ca with SMTP (DuhMail/2.0) id KAA08018; Thu, 4 Sep 1997 10:52:57 -0400
X-Authentication-Warning: ceb.qc.ca: Host [204.101.110.173] claimed to be 6706hvw4p750
Message-ID: <340EC5E0.4BF@tactik.com>
Date: Thu, 04 Sep 1997 10:29:52 -0400
From: Alex Fournier
Reply-To: afournie@tactik.com
X-Mailer: Mozilla 3.01Gold (WinNT; I)
MIME-Version: 1.0
To: "Pleuger, R.B.W."
CC: "'firewalls@GreatCircle.COM'"
Subject: Re: Webserver logging
References:
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Most firewalls (application gateways or proxies) will have the same effect. I don't believe SPF based firewalls will have this effect (FW-1).
Unless you have access to the source code of your firewall software and of your webserver, there's not much you can do about it.

Alex

Pleuger, R.B.W. wrote:
>
> Hi,
>
> Recently we put a webserver behind our firewall (eagle nt 4.0).
> The problem now is that all hits from the outside world are being logged with
> the ip address of the inside interface of our firewall. Do other
> firewalls do the same and, if they don't, why does raptor do it?
>
> Regards
>
> Roger

--
Alex Fournier
Développement Bell -- groupe Tactik

From owner-firewalls-outgoing Thu Sep 4 08:32:03 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA28833 for firewalls-outgoing; Thu, 4 Sep 1997 05:48:52 -0700 (PDT)
Received: from paranoid.convey.ru (ws03.convey.ru [195.182.128.18]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id FAA28745 for ; Thu, 4 Sep 1997 05:48:32 -0700 (PDT)
Received: (from ark@localhost) by paranoid.convey.ru (8.7.5/8.7.3) id PAA00746; Thu, 4 Sep 1997 15:58:07 +0400
From: ArkanoiD
Message-Id: <199709041158.PAA00746@paranoid.convey.ru>
Subject: Re: log connection attempts?
To: pdongre@opentech.stpn.soft.net
Date: Thu, 4 Sep 1997 15:58:07 +0400 (MSD)
Cc: firewalls@greatcircle.com, freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
In-Reply-To: <340EE174.C45D396F@opentech.stpn.soft.net> from "Prashant Dongre" at Sep 4, 97 11:27:33 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

nuqneH,

>
> ArkanoiD wrote:
>
> > nuqneH,
> >
> > Did anyone try to patch the kernel to log connection attempts for ports
> > (tcp and maybe udp) where no program accepts connection? (2.1.7)
> >
> > I _know_ i can do nearly the same with IP filtering/logging but i
> > prefer another way..
> >
> > --
> >  _ _ _ _ _ _ _
> > {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_
> > (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_|
> >
> > [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!
>
> Have you configured kernel for IPFW (IP Firewall) ?.
>
> IPFW does log connection attempts for the ports which are blocked for a network.
>
> Messages get into /var/log/messages and also displayed on the console.
>
> Prashant
>

No , (btw i use IPFilter,not ipfw), do not want to log blocked packets/
create additional filtering rules etc. As i said i do know how to do that.
I just do not want to. I want to log connection attempts without that.

--
 _ _ _ _ _ _ _
{::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_
(##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_|
[||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!

From owner-firewalls-outgoing Thu Sep 4 09:39:29 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA23540 for firewalls-outgoing; Thu, 4 Sep 1997 05:19:55 -0700 (PDT)
Received: from alpha.netvision.net.il (alpha.NetVision.net.il [194.90.1.13]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id FAA23506 for ; Thu, 4 Sep 1997 05:19:38 -0700 (PDT)
Received: from pentium133 (ts031p13.pop3b.netvision.net.il [199.203.202.69]) by alpha.netvision.net.il (8.8.6/8.8.6) with SMTP id PAA18042; Thu, 4 Sep 1997 15:24:56 +0300 (IDT)
Message-ID: <340EA845.7FDA@netvision.net.il>
Date: Thu, 04 Sep 1997 15:23:33 +0300
From: Itai Dor-on
Reply-To: silicom@netvision.net.il
Organization: Silicom Technologies
X-Mailer: Mozilla 3.0 (Win95; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com, ntsecurity@iss.net
Subject: Proxy Server 2.0 features & market positioning by Microsoft Program Manager
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Subject: Proxy Server 2.0 features & market positioning by Microsoft Program Manager
Date: Wed, 03 Sep 1997 19:57:14 -0700
From: Kerry
Organization: Microsoft
Newsgroups: microsoft.public.proxybeta

This message is in response to a posting by Itai Dor-on on this newsgroup about Proxy Server version 2.0 Beta. Itai had several questions about Proxy Server 2.0 features, security, and market positioning. I am a Program Manager for Microsoft Proxy Server. I would like to clarify the feature-set and market positioning of Proxy Server v2.0, and respond to some specific comments in Itai's posting.

Proxy Server version 2.0 is currently in 'Beta' status, with the final retail release scheduled for later this calendar year. I would like to apologize for lack of complete product documentation & marketing information at this time. We are working on improved documentation on the product, to be available before or at product final release. In order to give many people access to our beta versions for evaluation and feedback purposes, we made the decision to put these pre-release versions on the web. We did this, knowing that the final complete set of documentation and marketing information was under development and ask beta customers to be patient while we finish this up and make it available as soon as possible.

First, a bit of history: Microsoft Proxy Server version 1.0, released last October, was positioned as an extensible (via ISAPI) security & performance product for connecting private networks to the Internet. The product includes an application-layer proxy service (Web Proxy) for http, ftp & gopher, and a circuit-layer (Windows Sockets API layer) proxy service (WinSock Proxy) for support of all Internet protocols by transparently remoting client TCP/UDP requests.
The version 1.0 product offers the following features:

- Performance & Management
  - Passive Caching
  - Active Caching
  - Tight Integration with Windows NT & IIS
  - Easy GUI setup & admin tools
  - Dial-on-Demand
  - Support for IPX/SPX or TCP/IP on private network
- Security
  - Runs on dual-homed machine with IP routing disabled
  - Built on top of the Windows NT secure networking O/S
  - IP address aggregation (hides internal addresses)
  - Uses a Local Address Table (LAT) to identify internal/external addresses & block external requests
  - Access control by user, protocol, domain (both proxy services)
  - Transaction logging to file or database

We do not refer to Proxy version 1.0 as a firewall, because it does not have the complete set of security features and functionality we consider necessary to position the product as a firewall. However, we do say that Proxy version 1.0 has 'firewall class security' because all of our testing indicates that when configured properly, the Windows NT 4.0 and Proxy Server 1.0 combination offer a very high level of security. In fact, in an independent security evaluation of Proxy Server v1.0 by Coopers & Lybrand, they did not find any security risks associated with the product (please download the Coopers & Lybrand whitepaper from http://www.microsoft.com/proxy/).

Proxy v2.0:

Microsoft Proxy Server version 2.0 Final Beta was made available on the web this week. Proxy Server version 2.0 is "An extensible firewall and content cache server, providing Internet security while improving network response-time and efficiency".
The most significant features added to the version 2.0 product are:

- Performance & Management
  - Hierarchical Caching
  - Distributing Caching
  - Administration of multiple proxies
  - Product-wide performance improvements
- Security
  - Dynamic Packet Filtering
  - Logging of dropped packets
  - Real-time alerting
  - Reverse Proxy/Virtual Hosting
  - Server Proxy (support for internal servers)

In addition, we've added a SOCKS version 4.3 service to improve our support of non-Windows clients. We also continue to support extensibility via the ISAPI Filter APIs for compatibility with Proxy Server add-ons developed by independent software vendors for Proxy Server versions 1.0 and 2.0.

Proxy Server version 2.0 offers security at three layers. We offer application-layer proxies for http, ftp, gopher (Web Proxy) and circuit/API-layer proxies (WinSock Proxy & SOCKS Proxy). We also add security at the IP packet layer with our dynamic packet filtering feature. The kernel-mode packet filtering is integrated with the proxy services: ports are 'opened' as necessary, resulting in packets being allowed up the stack for the minimum duration necessary and only on ports being used. We only filter external interfaces, and the default state of received packets for all TCP/IP protocols and TCP/UDP ports is 'drop'.

Packets are dropped for the following reasons:

- TCP/IP protocol or port number unexpected
- IP Spoof attempt
- Badly formed fragment
- Fragments not supported (config. option)
- Log disk full

In addition, our packet filtering supports:

- Configuration of static filters for services running on the Proxy server machine
- Internal servers (email, WWW, etc.) communicating with external servers/clients
- DMZ networks containing IPs routable on the Internet
- Logging of all dropped packets
- Real-time alerting based on thresholds via NT event log and/or email

The added security features and functionality in Proxy Server version 2.0 do make this product an excellent firewall solution, and our positioning statement (above, in quotes) indeed refers to the product as a firewall. Some customers will use Proxy Server v2.0 as their only Internet security device, while other customers will want the combined feature-set of multiple products or desire multiple layers of security and will therefore use our product in conjunction with other security products. It is much more likely that a site would have multiple kinds/layers of security devices, than they would have multiple kinds/layers of mail servers. This is why we differentiate between sites that currently have firewall products and those that do not.

Comments on some of the other issues Itai raises in the posting:

>You don't understand our Reverse Proxy feature<

Reverse Proxy allows the Proxy Server to forward external client requests to internal web servers in a controlled, secure way. The proxy appears to the clients as a single or multiple web servers (client requests are NOT proxy requests), and the routing of requests by the proxy is transparent to the clients. The proxy administrator creates a mapping table associating Internet domain names (with or without paths) to internal domain names (with or without paths). Internal machines not listed in the mapping table will never receive requests from the proxy. By using DNS names (via the http HOST header) and/or URI paths, the proxy can impersonate multiple web servers simultaneously with the advantage of offering security, logging, & caching for these web sites.

>You believe that Proxy Server is for outbound access only<

Microsoft Proxy Server version 1.0 supports internal clients accessing external servers.
In Proxy Server version 2.0, we have added support for internal servers and inbound access. Again, these features are configurable by the administrator to avoid unnecessary security risks. The new features to support internal servers are:

- Reverse Proxy (This supports internal Web servers - see above for more information)
- Server Proxy (This supports any TCP/UDP server running on an internal Windows/Windows NT machine)
  This is a new feature of the WinSock Proxy. It is set up by installing the WinSock Proxy client on the internal server machine, and the WinSock Proxy will remote the internal server's Winsock listen() and other APIs. For security, the WinSock Proxy will authenticate a user account on the internal server machine.
- DMZ networks (This supports any TCP/IP-based internal server on a machine with an IP address that can be routed on the Internet)
  This is a feature of our packet filtering and can be used for internal non-Windows server machines such as UNIX mail servers. Security is done by IP address.

>You mention that firewalls are either "Application Gateways" or "Filtering Gateways"<

With three layers of security, Proxy Server v2.0 is both.

- Application-layer security via the Web Proxy.
- Circuit/API-layer security via the WinSock Proxy and SOCKS Proxy.
- IP-layer security with dynamic packet filtering.

>You ask about our support for SMTP<

We do not include an application-layer proxy for SMTP. Our product supports SMTP clients and servers via circuit-layer proxies and packet filtering, however we do not verify the integrity of the structure of SMTP packets. Most concerns about the structure of SMTP packets are due to serious security bugs that have been found in UNIX-based SENDMAIL servers. Microsoft Exchange Server does not have any known SENDMAIL-like security bugs. In addition, if a mail server is placed on a DMZ network, our packet filtering can be used to protect other internal machines and other machines on the DMZ network.
>You seem to be confused about what's included in Proxy Server vs. what ISVs add with ISAPI extensions<

Everything described in this message is built into the Proxy Server product (version 1.0 or 2.0, as specified). ISVs have written Proxy Server extensions using the ISAPI Filter interface for such functionality as virus-scanning, content-filtering, and application/script blocking. For a list of add-on products to Proxy Server version 1.0, click on the 'Partners Showcase' button at http://www.microsoft.com/proxy/.

I hope this clarifies the feature-set and positioning of Microsoft Proxy Server. We will continuously update the information on our web site, develop more detailed marketing literature, and improve product documentation for the final retail release.

From owner-firewalls-outgoing Thu Sep 4 10:04:31 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA04940 for firewalls-outgoing; Thu, 4 Sep 1997 06:23:17 -0700 (PDT)
Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.71.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA04909; Thu, 4 Sep 1997 06:23:08 -0700 (PDT)
Message-Id: <199709041323.GAA04909@honor.greatcircle.com>
Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA136969387; Thu, 4 Sep 1997 09:23:07 -0400
Date: Thu, 4 Sep 1997 09:23:07 -0400
From: gary flynn
To: mcnyweb@mcny.com, owner-firewalls-outgoing@GreatCircle.COM
Subject: Re: Switches
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Also look at the new Cisco 2926 switches.
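The dynamic packet filter the Microsoft posting describes (external interface only, default 'drop', a port opened by a proxy service only for the duration of its own connection, static filters for services hosted on the proxy box, logging of every drop and threshold-based alerting) can be modelled in a few dozen lines. The simulation below is added here as an illustration of that design; it is not Microsoft's code and nothing about the real product's internals is implied. All addresses, ports, class and function names are constructed for the example, and the fragment rule (rejecting a non-initial fragment at offset 1, per RFC 1858) is my assumption about what "badly formed fragment" covers.

```python
"""Constructed model of a proxy-integrated dynamic packet filter.
Default policy on the external interface is drop; a slot opens only
when a proxy service starts a connection and closes when it ends."""
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    fragment: bool = False  # True for a non-initial IP fragment
    frag_offset: int = 0    # fragment offset in 8-byte units, as in the IP header


@dataclass
class DynamicFilter:
    external_ip: str
    internal_nets: list                              # LAT-style list of internal prefixes
    static_allow: set = field(default_factory=set)   # (proto, port) services on the proxy host
    allow_fragments: bool = False                    # the 'fragments not supported' option
    dynamic: dict = field(default_factory=dict)      # (proto, local_port) -> (remote_ip, remote_port)
    dropped: list = field(default_factory=list)      # (reason, Packet): the dropped-packet log

    def __post_init__(self):
        self.internal_nets = [ip_network(n) for n in self.internal_nets]

    def open_for(self, proto, local_port, remote_ip, remote_port):
        """A proxy service is about to talk to remote_ip:remote_port from
        local_port: open a reply slot for exactly that 4-tuple."""
        self.dynamic[(proto, local_port)] = (remote_ip, remote_port)

    def close_for(self, proto, local_port):
        """Connection finished: the slot closes, later replies are dropped."""
        self.dynamic.pop((proto, local_port), None)

    def _drop(self, reason, pkt):
        self.dropped.append((reason, pkt))
        return False

    def inbound(self, pkt):
        """Verdict for a packet received on the external interface:
        True = passed up the stack, False = dropped and logged."""
        if any(ip_address(pkt.src) in net for net in self.internal_nets):
            # an internal address can never legitimately arrive from outside
            return self._drop("IP spoof attempt", pkt)
        if pkt.fragment:
            if not self.allow_fragments:
                return self._drop("Fragments not supported (config. option)", pkt)
            if pkt.frag_offset == 1:
                # RFC 1858: offset 1 would overlap the transport header (assumed rule)
                return self._drop("Badly formed fragment", pkt)
            return True   # later fragments carry no ports; the first one was checked
        if pkt.proto not in ("tcp", "udp"):
            return self._drop("TCP/IP protocol or port number unexpected", pkt)
        key = (pkt.proto, pkt.dport)
        if key in self.static_allow:
            return True
        if self.dynamic.get(key) == (pkt.src, pkt.sport):
            return True
        return self._drop("TCP/IP protocol or port number unexpected", pkt)

    def alerts(self, threshold):
        """Sources whose drop count reached the threshold (real-time alerting)."""
        counts = Counter(pkt.src for _, pkt in self.dropped)
        return {src: n for src, n in counts.items() if n >= threshold}


def run_scenario():
    """Drive the filter through the traffic a proxy host would see.
    Returns (per-packet verdicts, drop log, alerts at threshold 2)."""
    fw = DynamicFilter(external_ip="198.51.100.1",
                       internal_nets=["10.0.0.0/8"],
                       static_allow={("tcp", 80)})   # reverse-proxied web site on the box
    ext = fw.external_ip
    verdicts = []
    # 1. Web Proxy fetches a page for an internal client: slot opens, reply passes.
    fw.open_for("tcp", 40001, "203.0.113.10", 80)
    verdicts.append(fw.inbound(Packet("tcp", "203.0.113.10", 80, ext, 40001)))
    # 2. Connection closed: the same reply tuple is now unexpected.
    fw.close_for("tcp", 40001)
    verdicts.append(fw.inbound(Packet("tcp", "203.0.113.10", 80, ext, 40001)))
    # 3. Static filter: an inbound web hit to the reverse proxy itself.
    verdicts.append(fw.inbound(Packet("tcp", "192.0.2.7", 51000, ext, 80)))
    # 4. Unsolicited telnet to the external interface: default drop.
    verdicts.append(fw.inbound(Packet("tcp", "192.0.2.7", 51001, ext, 23)))
    # 5. Internal source address arriving from outside: spoof.
    verdicts.append(fw.inbound(Packet("udp", "10.1.2.3", 53, ext, 53)))
    # 6. A fragment while fragments are disabled.
    verdicts.append(fw.inbound(Packet("tcp", "192.0.2.7", 51002, ext, 80,
                                      fragment=True, frag_offset=3)))
    return verdicts, fw.dropped, fw.alerts(threshold=2)


if __name__ == "__main__":
    verdicts, dropped, alerts = run_scenario()
    print(verdicts)
    for reason, pkt in dropped:
        print(f"drop: {reason}: {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
    print("alert:", alerts)
```

The point of the model is the ordering of checks: the spoof test and the fragment tests run before any port lookup, a reply is accepted only while the proxy's own slot is open and only from the remote 4-tuple that slot was opened for, and everything else falls through to the default drop and into the log that feeds the alert threshold.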
From owner-firewalls-outgoing Thu Sep 4 11:12:17 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA04908 for firewalls-outgoing; Thu, 4 Sep 1997 06:23:06 -0700 (PDT)
Received: from davinci.sti.com.br (davinci.sti.com.br [200.240.11.251]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA04865 for ; Thu, 4 Sep 1997 06:22:55 -0700 (PDT)
Received: from pc (dial-1-153.sti.com.br [200.240.5.153]) by davinci.sti.com.br (8.8.6/8.8.5) with SMTP id KAA06099 for ; Thu, 4 Sep 1997 10:20:40 -0300
Message-Id: <3.0.1.32.19970904102046.00799470@sti.com.br>
X-Sender: marlon@sti.com.br
X-Mailer: Windows Eudora Light Version 3.0.1 (32)
Date: Thu, 04 Sep 1997 10:20:46 -0300
To: firewalls@greatcircle.com
From: Marlon Borba
Subject: Re: Authsrv don't work. Help!!
In-Reply-To:
References: <340DB565.6C7D@sti.com.br>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 20:16 03/09/97 -0500, you wrote:
>Marlon, Kamal,
>is authsrv a shell script or perl script?

Nope, it's an ELF executable, generated by gcc.

>If yes, does the first line in that shell script have the right
>path to that shell or perl?
>
>Kamal

Marlon

From owner-firewalls-outgoing Thu Sep 4 11:20:41 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA04712 for firewalls-outgoing; Thu, 4 Sep 1997 06:21:26 -0700 (PDT)
Received: from davinci.sti.com.br (davinci.sti.com.br [200.240.11.251]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA04589 for ; Thu, 4 Sep 1997 06:20:57 -0700 (PDT)
Received: from pc (dial-1-153.sti.com.br [200.240.5.153]) by davinci.sti.com.br (8.8.6/8.8.5) with SMTP id KAA06409 for ; Thu, 4 Sep 1997 10:25:54 -0300
Message-Id: <3.0.1.32.19970904102600.007a3c30@sti.com.br>
X-Sender: marlon@sti.com.br
X-Mailer: Windows Eudora Light Version 3.0.1 (32)
Date: Thu, 04 Sep 1997 10:26:00 -0300
To: firewalls@greatcircle.com
From: Marlon Borba
Subject: Re: log connection attempts?
In-Reply-To:
References: <340EE174.C45D396F@opentech.stpn.soft.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:38 04/09/97 +0100, you wrote:
>There's a patch for linux out that logs connection attempts to unserved
>ports. Might be worth a look if somebody tries to port sth like this to
>different os'.

Interesting.
Please, give the ftp or URL so we can download that :)

Marlon

>
>Klaus
>

From owner-firewalls-outgoing Thu Sep 4 11:26:57 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA06099 for firewalls-outgoing; Thu, 4 Sep 1997 06:31:33 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA05810 for ; Thu, 4 Sep 1997 06:30:25 -0700 (PDT)
Received: from trem.cnt.org.br by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id GAA29683; Thu, 4 Sep 1997 06:08:32 -0700 (PDT)
Received: by trem.cnt.org.br (AIX 3.2/UCB 5.64/4.03) id AA14606; Thu, 4 Sep 1997 10:02:56 -0200
From: ormonde@trem.cnt.org.br (Rodrigo Ormonde)
Message-Id: <9709041202.AA14606@trem.cnt.org.br>
Subject: Real Audio
To: firewalls@GreatCircle.COM
Date: Thu, 4 Sep 1997 10:02:55 -0200 (GRNLNDDT)
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello.

Could someone point me where I can find Real Audio protocol specifications ? I have been told it uses both TCP and UDP to establish a communication, but I've never seen its specification.

Thanks in advance

--
Rodrigo de La Rocque Ormonde
e-mail: ormonde@cnt.org.br
PGP Public key: finger ormonde@cnt.org.br
-> Turn your PC into a workstation - Use FreeBSD !
<-

From owner-firewalls-outgoing Thu Sep 4 12:04:27 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA07395 for firewalls-outgoing; Thu, 4 Sep 1997 09:24:18 -0700 (PDT)
Received: from sgii.com (lucifer.sgii.com [208.144.1.27]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id JAA07292 for ; Thu, 4 Sep 1997 09:23:57 -0700 (PDT)
Received: from SGII0__.sgii.com ([208.144.1.21]) by sgii.com (8.8.4/8.8.4) with ESMTP id MAA02001 for ; Thu, 4 Sep 1997 12:34:00 -0400 (EDT)
Message-Id: <199709041634.MAA02001@sgii.com>
From: "Matthew Smith"
To: "Firewalls Digest"
Subject: Connecting through FTP proxy
Date: Thu, 4 Sep 1997 12:30:54 -0400
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1161
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello.

I would like to allow my ftp client to connect to a remote server through a proxy server. Are there any commands which must be sent in addition to the FTP protocol commands, or is it as simple as specifying "USER user@remote-host" instead of "USER user" to the proxy server, then proceeding normally as though connected to the remote FTP host?

Thanks.

Matt

-----
Matthew Smith
msmith@sgii.com

From owner-firewalls-outgoing Thu Sep 4 12:20:48 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA11041 for firewalls-outgoing; Thu, 4 Sep 1997 09:45:36 -0700 (PDT)
Received: from paranoid.convey.ru (ws03.convey.ru [195.182.128.18]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id JAA10991 for ; Thu, 4 Sep 1997 09:45:23 -0700 (PDT)
Received: (from ark@localhost) by paranoid.convey.ru (8.7.5/8.7.3) id TAA00158; Thu, 4 Sep 1997 19:48:37 +0400
From: ArkanoiD
Message-Id: <199709041548.TAA00158@paranoid.convey.ru>
Subject: Re: log connection attempts?
To: jkh@time.cdrom.com (Jordan K. Hubbard)
Date: Thu, 4 Sep 1997 19:48:37 +0400 (MSD)
Cc: phk@critter.freebsd.dk, firewalls@greatcircle.com, freebsd-security@FreeBSD.ORG
In-Reply-To: <587.873384304@time.cdrom.com> from "Jordan K. Hubbard" at Sep 4, 97 07:45:04 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

nuqneH,

> Is something wrong with your editor? :-)
> Jordan
>

Nope, that's just a greeting. The language is tlhIngan Hol ;).

--
 _ _ _ _ _ _ _
{::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_
(##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_|
[||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!

From owner-firewalls-outgoing Thu Sep 4 12:25:17 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA03923 for firewalls-outgoing; Thu, 4 Sep 1997 06:15:00 -0700 (PDT)
Received: from davinci.sti.com.br (davinci.sti.com.br [200.240.11.251]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA03726 for ; Thu, 4 Sep 1997 06:14:04 -0700 (PDT)
Received: from pc (dial-1-153.sti.com.br [200.240.5.153]) by davinci.sti.com.br (8.8.6/8.8.5) with SMTP id KAA05938 for ; Thu, 4 Sep 1997 10:18:57 -0300
Message-Id: <3.0.1.32.19970904101903.007abb10@sti.com.br>
X-Sender: marlon@sti.com.br
X-Mailer: Windows Eudora Light Version 3.0.1 (32)
Date: Thu, 04 Sep 1997 10:19:03 -0300
To: firewalls@greatcircle.com
From: Marlon Borba
Subject: Re: Authsrv don't work. Help!!
In-Reply-To: <199709040114.SAA23946@cactus.tc.pw.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 20:59 03/09/97 EDT, you wrote:
>Hi,

Ave,

> Have you tried to run the authsrv standalone? /usr/local/etc/authsrv If so
>do you get the
>authsrv prompt?

I've tried it to no avail.
My shell doesn't even find the executable, answering with that dreaded 'No such file or directory'.. I've REchecked the PATH, ls -lsa shows the file in /usr/local/etc as one could expect, the permissions are 755 and we tried to run it as root. :-(

> If that works have you tried telnetting to port 7777? Also
>have you checked your
>syslogs? Sounds like your executable is not being seen assuming that the
>running authsrv from
>the command line and port 7777 is working.

We'll check this, thank you..

>
>char
>

Marlon

From owner-firewalls-outgoing Thu Sep 4 12:43:03 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA05131 for firewalls-outgoing; Thu, 4 Sep 1997 06:24:47 -0700 (PDT)
Received: from bdc9000.pccmis.com (pccentral.cyberportal.net [204.97.235.63]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id GAA05123 for ; Thu, 4 Sep 1997 06:24:38 -0700 (PDT)
Received: by bdc9000.pccmis.com with Microsoft Exchange (IMC 4.0.837.3) id <01BCB915.69E1F8C0@bdc9000.pccmis.com>; Thu, 4 Sep 1997 09:32:08 -0400
Message-ID:
From: Chris Brenton
To: "'bob bryant'" , "'firewalls@GreatCircle.COM'"
Subject: RE: archives
Date: Thu, 4 Sep 1997 09:32:06 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Check out:

http://www.greatcircle.com/firewalls/

This also has the FAQ and subscription info for those that keep sending "remove" to the list. :)

-----Original Message-----
From: bob bryant [SMTP:rbryant@gte.com]
Sent: Wednesday, September 03, 1997 1:59 PM
To: firewalls@GreatCircle.COM
Subject: archives

In response to one of the postings, the advice was to check the archives for past postings on the subject. Can some tell me how this is done? I am looking for past postings on PPTP in particular.

Thanks in advance.
Bob

Bob Bryant
Member of Technical Staff of GTE Laboratories Incorporated
Secure Systems Department
phone: 617-466-2821
email: rbryant@gte.com
fax: 617-466-2838

From owner-firewalls-outgoing Thu Sep 4 12:45:13 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA14193 for firewalls-outgoing; Thu, 4 Sep 1997 07:08:46 -0700 (PDT)
Received: from paranoid.convey.ru (ws03.convey.ru [195.182.128.18]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA14186 for ; Thu, 4 Sep 1997 07:08:39 -0700 (PDT)
Received: (from ark@localhost) by paranoid.convey.ru (8.7.5/8.7.3) id RAA00931; Thu, 4 Sep 1997 17:09:07 +0400
From: ArkanoiD
Message-Id: <199709041309.RAA00931@paranoid.convey.ru>
Subject: Re: log connection attempts?
To: phk@critter.freebsd.dk (Poul-Henning Kamp)
Date: Thu, 4 Sep 1997 17:09:06 +0400 (MSD)
Cc: firewalls@greatcircle.com, freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
In-Reply-To: <1808.873380801@critter.freebsd.dk> from "Poul-Henning Kamp" at Sep 4, 97 03:46:41 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

nuqneH,

> >>
> >> Set these two sysctl variables to non-zero:
> >> net.inet.tcp.log_in_vain: 0
> >> net.inet.udp.log_in_vain: 0
> >>
> >fourth level name log_in_vain in net.inet.tcp.log_in_vain is invalid
> >
> >..and i don't remember smth like that when browsing the sources.
>
> Upgrade to 2.2.2 then.
>
> --
> Poul-Henning Kamp FreeBSD coreteam member
> phk@FreeBSD.ORG "Real hackers run -current on their laptop."
>

I really don't want to ;) i'd prefer a small patch for 2.1.7.1.

--
 _ _ _ _ _ _ _
{::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_
(##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_|
[||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!
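What the thread is after, and what the net.inet.tcp.log_in_vain / net.inet.udp.log_in_vain sysctls mentioned above provide in the kernel, is a record of connection attempts to ports that nothing is listening on, without writing filter rules for them. The model below is added here to show the logic in user space; it is not from the thread, not from the FreeBSD sources, and not a patch for 2.1.7. The listener table, the sample packets and the sweep threshold are constructed, and the message wording is my assumption of the kernel's format, not a quotation of it.

```python
"""Constructed user-space model of 'log in vain': report every connection
attempt aimed at a port with no listener, then summarise per source so a
sweep across many closed ports stands out from a single stray packet."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP only: True when the packet opens a connection


# Constructed listener table: what a listing of bound sockets on the host shows.
LISTENING = {("tcp", 22), ("tcp", 25), ("tcp", 80), ("udp", 53)}


def in_vain(pkt, listening=LISTENING):
    """True for a connection attempt to a port nobody serves.
    Only TCP SYNs count (a data or ACK segment to a closed port is the tail of
    a dead connection, not an attempt); every UDP datagram counts because UDP
    has no handshake to distinguish the first packet from the rest."""
    if pkt.proto == "tcp" and not pkt.syn:
        return False
    return (pkt.proto, pkt.dport) not in listening


def log_line(pkt):
    """One syslog-style line per attempt (format assumed for the example)."""
    return (f"Connection attempt to {pkt.proto.upper()} {pkt.dst}:{pkt.dport} "
            f"from {pkt.src}:{pkt.sport}")


def process(packets, listening=LISTENING, sweep_threshold=3):
    """Return (log lines, {source: distinct closed ports}) for sources that
    touched at least sweep_threshold distinct closed ports."""
    lines = []
    closed_by_src = defaultdict(set)
    for pkt in packets:
        if in_vain(pkt, listening):
            lines.append(log_line(pkt))
            closed_by_src[pkt.src].add((pkt.proto, pkt.dport))
    sweeps = {src: len(ports) for src, ports in closed_by_src.items()
              if len(ports) >= sweep_threshold}
    return lines, sweeps


# Constructed traffic as seen on the host's interface.
SAMPLE = [
    Packet("tcp", "192.0.2.7", 40001, "198.51.100.1", 80, syn=True),    # served
    Packet("tcp", "192.0.2.7", 40002, "198.51.100.1", 23, syn=True),    # nobody listens
    Packet("tcp", "192.0.2.7", 40003, "198.51.100.1", 111, syn=True),   # nobody listens
    Packet("tcp", "192.0.2.7", 40004, "198.51.100.1", 6000, syn=True),  # nobody listens
    Packet("tcp", "203.0.113.5", 1234, "198.51.100.1", 23, syn=False),  # stray ACK, not an attempt
    Packet("udp", "203.0.113.5", 5555, "198.51.100.1", 161),            # nobody listens
    Packet("udp", "203.0.113.5", 5556, "198.51.100.1", 53),             # served
]

if __name__ == "__main__":
    lines, sweeps = process(SAMPLE)
    print("\n".join(lines))
    print("sources touching 3+ closed ports:", sweeps)
```

The two decisions worth noting are the SYN test, which keeps late segments of finished connections out of the log, and the per-source set of distinct closed ports, which is what turns a list of one-line events into something an operator can act on.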
From owner-firewalls-outgoing Thu Sep 4 13:34:11 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA17308 for firewalls-outgoing; Thu, 4 Sep 1997 07:29:39 -0700 (PDT)
Received: from cyrus.watson.org (AMALTHEA.RES.CMU.EDU [128.2.91.57]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA17255 for ; Thu, 4 Sep 1997 07:29:26 -0700 (PDT)
Received: from localhost (robert@localhost) by cyrus.watson.org (8.8.5/8.8.5) with SMTP id KAA01567; Thu, 4 Sep 1997 10:35:12 -0400 (EDT)
Date: Thu, 4 Sep 1997 10:35:11 -0400 (EDT)
From: Robert Watson
Reply-To: Robert Watson
To: ArkanoiD
cc: pdongre@opentech.stpn.soft.net, firewalls@greatcircle.com, freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: log connection attempts?
In-Reply-To: <199709041158.PAA00746@paranoid.convey.ru>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 4 Sep 1997, ArkanoiD wrote:

> No , (btw i use IPFilter,not ipfw), do not want to log blocked packets/
> create additional filtering rules etc. As i said i do know how to do that.
> I just do not want to. I want to log connection attempts without that.

Take a look at these two locations -- there was mention of a better syslog here on freebsd-security recently. There were also statistics-gathering modifications on disconnected ports.

http://minnie.cs.adfa.oz.au/Seminars/AUUG96/index.html
ftp://minnie.cs.adfa.oz.au/pub/NetSecurity/

Hope that helps.
Robert N Watson

Junior, Logic+Computation, Carnegie Mellon University http://www.cmu.edu/
Network Administrator, SafePort Network Services http://www.safeport.com/
robert@fledge.watson.org rwatson@safeport.com http://www.watson.org/~robert/

From owner-firewalls-outgoing Thu Sep 4 13:45:21 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA03392 for firewalls-outgoing; Thu, 4 Sep 1997 09:04:11 -0700 (PDT)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id JAA03349 for ; Thu, 4 Sep 1997 09:03:55 -0700 (PDT)
Received: from mtibodea-pc.cisco.com (dhcp-usreston-31.cisco.com [171.68.57.31]) by lint.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id JAA18631; Thu, 4 Sep 1997 09:09:41 -0700 (PDT)
Message-Id: <3.0.2.32.19970905120441.008342b0@lint.cisco.com>
X-Sender: mtibodea@lint.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.2 (32)
Date: Fri, 05 Sep 1997 12:04:41 -0400
To: "Eric V. Smith" , "'Micheal Sean'" , "firewalls@GreatCircle.COM"
From: Mike Tibodeau
Subject: Re: LocalDirector question (was: Gauntlet Performance)
In-Reply-To: <01BCB900.F88BA090.EricSmith@windsor.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I will take this question off-line. If anyone else is interested, let me know separately so that we do not clog up this list.

-Mike

At 07:05 AM 9/4/97 -0400, Eric V. Smith wrote:
>On Thursday, September 04, 1997 12:48 AM, Micheal Sean [SMTP:padre@Ivy.NET]
>wrote:
>>
>> What udp apps do you deal with ? dns and ntp. These aren't major
>> bandwidth hogs. In fact, lookups are tcp. What's nice about the
>> local director is between 45 and 90 Mbs throughput and true fault
>> tolerance (HSRP). That and the fact that NO client or server
>> side software installation is needed.
>
>This is a LocalDirector question and isn't really related to firewalls, so
>I apologize in advance.
>
>I have a client who wants to use a LocalDirector to balance load across
>multiple web servers. The problem is that they are maintaining state on
>the servers, using cookies sent back to the clients to manage which state
>information belongs to which client. If you're familiar with Microsoft ASP
>sessions, it's the same thing. The upshot is that every request from a
>given client must go to the same server. Does anyone know if the
>LocalDirector can handle this? There would be an idle timeout of say 20
>minutes after which a request from the same client would be considered a
>new session, so it wouldn't have to have infinite memory to remember every
>client connection ever made.
>
>Here's the firewall slant: I'm concerned that even if the LocalDirector
>can do this, outbound HTTP proxies at the client would cause everyone from
>AOL, for example, to hit the same web server.
>
>Has anyone ever tried using a LocalDirector for this application?
>
>Thanks.
>
>Eric.
>
>
>

______________________________________________________________________
Mike Tibodeau, Systems Engineer, Cisco Systems, Inc., Herndon, VA.
Well, if you're like me, and I know I am...
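Eric's question, quoted in full above, has two parts: keeping every request of a session on one server with a 20-minute idle timeout, and the worry that clients behind a shared outbound HTTP proxy all look like one client. The simulation below is an added illustration of both, not LocalDirector code and not a statement about what that product can do. It compares a balancer keyed on the source address (all a layer-4 device sees) with one keyed on the server's session cookie; the clients, server names, the shared proxy address and the cookie format are constructed for the example.

```python
"""Constructed model of a session-sticky load balancer with two affinity keys:
source IP (what a layer-4 balancer sees) and session cookie (needs HTTP
parsing). Both use the 20-minute idle timeout from the post."""
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT = 20 * 60   # seconds, as in the post


@dataclass
class Request:
    src_ip: str
    time: int                       # seconds since the start of the simulation
    cookie: Optional[str] = None    # session cookie returned by an earlier reply


class StickyBalancer:
    def __init__(self, servers, key_fn):
        self.servers = servers
        self.key_fn = key_fn        # key_fn(request, cookie) -> affinity key
        self.table = {}             # affinity key -> (server, last_seen)
        self._next = 0
        self._issued = 0

    def _new_cookie(self):
        self._issued += 1
        return f"SESSION{self._issued:04d}"

    def _pick_new(self):
        """Round-robin choice for a session the table does not know."""
        server = self.servers[self._next % len(self.servers)]
        self._next += 1
        return server

    def route(self, req):
        """Return (server, cookie). An entry idle longer than IDLE_TIMEOUT is
        treated as a new session, so the table never has to remember every
        client that ever connected."""
        cookie = req.cookie if req.cookie is not None else self._new_cookie()
        key = self.key_fn(req, cookie)
        entry = self.table.get(key)
        if entry is not None and req.time - entry[1] <= IDLE_TIMEOUT:
            server = entry[0]
        else:
            server = self._pick_new()
        self.table[key] = (server, req.time)
        return server, cookie


def by_source_ip(req, cookie):
    return req.src_ip


def by_cookie(req, cookie):
    return cookie


# Constructed client population: six users behind one outbound HTTP proxy
# (all arriving from 198.51.100.9) plus two users with their own addresses.
CLIENTS = [("aol1", "198.51.100.9"), ("aol2", "198.51.100.9"), ("aol3", "198.51.100.9"),
           ("aol4", "198.51.100.9"), ("aol5", "198.51.100.9"), ("aol6", "198.51.100.9"),
           ("home1", "203.0.113.40"), ("office1", "192.0.2.77")]


def simulate(key_fn, clients=CLIENTS, rounds=3, gap=30):
    """Every client sends `rounds` requests, replaying the cookie it last got.
    Returns (every session stayed on one server?, distinct clients per server)."""
    lb = StickyBalancer(["web1", "web2", "web3"], key_fn)
    cookies, servers_seen = {}, {}
    t = 0
    for _ in range(rounds):
        for name, ip in clients:
            server, cookie = lb.route(Request(ip, t, cookies.get(name)))
            cookies[name] = cookie
            servers_seen.setdefault(name, set()).add(server)
            t += gap
    stayed_put = all(len(s) == 1 for s in servers_seen.values())
    load = {}
    for seen in servers_seen.values():
        for server in seen:
            load[server] = load.get(server, 0) + 1
    return stayed_put, load


def idle_timeout_demo():
    """One client, two requests 25 minutes apart: the second starts a new session."""
    lb = StickyBalancer(["web1", "web2", "web3"], by_cookie)
    first, cookie = lb.route(Request("203.0.113.40", 0))
    again, _ = lb.route(Request("203.0.113.40", 25 * 60, cookie))
    return first, again


if __name__ == "__main__":
    print("source-IP affinity:", simulate(by_source_ip))
    print("cookie affinity:   ", simulate(by_cookie))
    print("after idle timeout:", idle_timeout_demo())
```

With the source-address key every session does stay on one server, but the six proxied users all land on web1, which is exactly the AOL effect Eric describes; with the cookie key they spread across the three servers. The cost of the second scheme is that the balancer has to read the HTTP headers rather than only the IP and TCP ones.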
From owner-firewalls-outgoing Thu Sep 4 13:49:49 1997
From: kb@pp-ulm.de
Subject: AW: Anyone Know "WebWall"
Date: Thu, 4 Sep 1997 16:11:20 +0200

I have tested WebShield, and if Web Wall is based on the same strategy and
concept I would test it before I buy it. WebShield is a virus scanning
machine. It will crash if a file contains more than 20 viruses (:-), and then
everything passes by. If you do not have an internal DNS server, mail will be
sent double.
Klaus Boden
Pfeiffer und Partner, the client server company
Address: Magirusstraße 4, 89129 Langenau
Phone: +49 7345 9669-18   Fax: +49 7345 9669-20
mailto:kb@pp-ulm.de   http://www.pp-ulm.de

>----------
>From: warren.moore@cbis.com [SMTP:warren.moore@cbis.com]
>Sent: Thursday, 4 September 1997 13:59
>To: firewalls-digest@GreatCircle.COM
>Subject: Anyone Know "WebWall"
>
>
>Folks:
>
>Do any of you have first-hand knowledge of the new McAfee "WebWall"
>firewall product. As usual, McAfee's marketing organization is touting it
>as the greatest thing since sliced bread. The html demo is neat, but I
>would like to know if there's any substance behind the fluff.
>---
>Warren S. Moore, CISSP
>Information Security Specialist
>Cincinnati Bell Information Systems Inc. (CBIS Inc.)

From owner-firewalls-outgoing Thu Sep 4 14:04:49 1997
From: Steve.1.ENGLAND@British-Airways.com
Date: 04 Sep 1997 13:12:29 Z
To: firewalls@greatcircle.com
Subject: FWTK FTP chroot into separate areas - long

Using the FWTK v2.0 I'm attempting to selectively chroot() logical sets of
hosts into different areas via FTP, each "jail" containing full chroot support
infrastructure files to essentially mask off each of our customers from one
another. The rest of the picture of requirements reads thus:

1. Given varying degrees of risk, customers can be categorised into requiring
   low/medium/high levels of security for their FTP transfers. SecurID or
   plaintext password auth. to ftp-gw is the first step.
2. Once authenticated via the authsrv'er, sites can connect to the FTP server
   (same machine) using "user steve@machine" syntax, which should chroot() them
   into a given dir. which should be customisable via the netperm-table.
3. FTP command level filtering based on each site - eg. customer X can only
   'STOR', customer Y can only 'RETR'.

Simple diag. how I see it:

  (customer)--->ftp-gw--->(authenticate)---->ftpd(PROXY_PASSTHRU)--->ftp-gw

Problems.

1. 1. & 3. above are working but I can only get 2. to chroot() to one area
   only, for everyone, not per host/set of hosts. I believe the netperm-tables
   (at system level & chrooted area levels) should be read on each invocation
   of ftp-gw but it appears as though the directives get followed the first
   time (e.g. -authall -deny { cdup mkd } ) but not on successive occasions ?!
   Trying to use the FWTK UDP based syslog to shed any light on why the
   chroot()s aren't, but it's not playing at the mo' either.
Ideally I would want to set the auth stuff & command limitation at the system
level netperm-table & just the "directory" spec. in the lower level.

Questions.

1. I'm not too familiar with AIX - what files are required for a UDP based
   syslog to work in a chrooted area ?
2. Is my logic ok ? Am I missing something glaringly obvious ?
3. Any other clues/insights ?

Thanks
Steve

From owner-firewalls-outgoing Thu Sep 4 15:14:33 1997
From: Juan Carlos Martínez Medina
To: "firewalls@GreatCircle.COM"
Subject: Modems
Date: Thu, 4 Sep 1997 13:11:48 -0600

Hi

Does anyone know what kind of modem the ISPs use for dial-up access?
Is it rack modems or home modems?

thanks

From owner-firewalls-outgoing Thu Sep 4 15:16:51 1997
From: Lucas Cotta
To: "Firewalls (Correio eletronico)"
Subject: about sendmail security
Date: Thu, 4 Sep 1997 14:19:55 -0300

Dear Colleagues,

I have the following problem: I would like to inhibit TELNET to port 25 of my
electronic mail server. Do you have something on that?
thank you

Lucas Cotta
Support Engineer
Public Ministry of Labour

From owner-firewalls-outgoing Thu Sep 4 17:30:47 1997
From: pyst-onge@eckler.ca
To: firewalls@greatcircle.com
Subject: Firewall and CC:Mail
Date: Thu, 4 Sep 1997 15:01:44 -0500

We would like to set up a firewall here. We're running on a Windows NT
server, with an Ascend router. What we'd like to do is have outside
access restricted to all except our CC:Mail counterpart in another
office and the employees there. What would be the best solution for
that?

We only have about 12 employees here, and a bit more in the other
office, so anything too expensive is out of the question...

Thanks,

Pierre-Yves St-Onge
Eckler Partners Ltd.

From owner-firewalls-outgoing Thu Sep 4 17:33:09 1997
From: dharris@kcp.com
To: firewalls@greatcircle.com
Subject: Citrix WinFrame
Date: Thu, 4 Sep 1997 09:50:02 -0500

I have been "requested" to create a tiny hole through our firewall to allow
internal users to access an application on an external system. The hole
would allow communication between the user's Win95 or NT client and a Citrix
system running a database application. My understanding of the Citrix system
is that it provides a virtual Win95 or NT session on the server which then
allows the local user to run the Win95 or NT application on the server, with
the end result being that the user appears to be running the application
locally. I would appreciate comments about the risks involved in allowing
this access.
I suspect that the connection protocol is completely bidirectional and thus
*could* provide access to our internal network for external Win95 or NT
systems.

dharris@kcp.com

From owner-firewalls-outgoing Thu Sep 4 18:14:04 1997
From: Douglas McNaught
To: "Pleuger, R.B.W."
Cc: "'firewalls@GreatCircle.COM'"
Subject: Re: Webserver logging
Date: 04 Sep 1997 11:05:13 -0400
In-Reply-To: "Pleuger, R.B.W."'s message of "Thu, 4 Sep 1997 13:56:55 +0200"

"Pleuger, R.B.W." writes:

> Hi,
>
> Recently we put a webserver behind our firewall (eagle nt 4.0). The
> problem now is that all hits from the outside world are being logged
> with the ip address of the inside interface of our firewall. Do
> other firewall do the same and, if they don't, why does raptor do
> it?

All the proxy firewalls that I've seen do the same thing. It's because
the connection to the webserver is coming from the proxy running on the
firewall, not from the external client. You'll need to analyze your
firewall logs to recover the original client information.
-Doug
--
sub g{my$i=index$t,$_[0];($i%5,int$i/5)}sub h{substr$t,5*$_[1]+$_[0],1}sub n{(
$_[0]+4)%5}$t='encryptabdfghjklmoqsuvwxz';$c='fxmdwbcmagnyubnyquohyhny';while(
$c=~s/(.)(.)//){($w,$x)=g$1;($y,$z)=g$2;$w==$y&&($p.=h($w,n$x).h($y,n$z))or$x==
$z&&($p.=h(n$w,$x).h(n$y,$z))or($p.=h($y,$x).h($w,$z))}$p=~y/x/ /;print$p,"\n";

From owner-firewalls-outgoing Thu Sep 4 18:15:29 1997
From: "Magossa'nyi A'rpa'd"
To: Martin Marusak
Cc: firewalls@GreatCircle.COM
Subject: Re: qmail
Date: Thu, 4 Sep 1997 14:55:24 +0100

On Thu, 4 Sep 1997, Martin Marusak wrote:

> hello
>
> qmail was recommended for me as a replacement for sendmail. I was
> told it doesn't have so big bugs and is more secure. What do you think
> about using qmail instead of sendmail?

Definitely better. qmail's architecture means that it does nothing as root
(except binding the port 25 perhaps?), and very little in setuid. It also
has more separation inside.
That effectively means if a cracker could find a bug in qmail, it would be
enough only to get one user ID out of the 3 user IDs of qmail, and that in
turn could enable him only to play with _parts_ of the mailing things (and try
other security holes in the system). In contrast to that sendmail runs as
root, has a setuid root binary, and a long and seemingly continuous history of
remote root exploits.

Well, and qmail is the fastest MTA I know, and in some aspects more
configurable than the others, despite the fact that it had been designed with
security in mind.

---
GNU GPL: only from a clean source

From owner-firewalls-outgoing Thu Sep 4 18:20:01 1997
To: ArkanoiD
Cc: firewalls@GreatCircle.COM, freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: log connection attempts?
In-reply-to: Your message of "Thu, 04 Sep 1997 16:17:51 +0400."
    <199709041217.QAA00831@paranoid.convey.ru>
Date: Thu, 04 Sep 1997 15:46:41 +0200
From: Poul-Henning Kamp

In message <199709041217.QAA00831@paranoid.convey.ru>, ArkanoiD writes:
>nuqneH,
>
>>
>> In message <203609030840.MAA14571@paranoid.convey.ru>, ArkanoiD writes:
>> >nuqneH,
>> >
>> >Did anyone try to patch the kernel to log connection attempts for ports
>> >(tcp and maybe udp) where no program accepts connection? (2.1.7)
>>
>> Set these two sysctl variables to non-zero:
>> net.inet.tcp.log_in_vain: 0
>> net.inet.udp.log_in_vain: 0
>>
>fourth level name log_in_vain in net.inet.tcp.log_in_vain is invalid
>
>..and i don't remember smth like that when browsing the sources.

Upgrade to 2.2.2 then.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."

From owner-firewalls-outgoing Thu Sep 4 19:02:09 1997
From: Rob Quinn
To: firewalls@greatcircle.com
Subject: Re: Webserver logging (Raptor)
Date: Thu, 4 Sep 1997 09:38:33 -0400
In-Reply-To: ; from Pleuger, R.B.W. on Thu, Sep 04, 1997 at 01:56:55PM +0200

> Recently we put a webserver behind our firewall (eagle nt 4.0).
> The problem now is that all hits from the outside world are being logged with
> the ip address of the inside interface of our firewall. Do other
> firewall do the same and, if they don't, why does raptor do it?

A simple perl script will convert the Eagle logs to NCSA log format.
Remember that your logs show both inbound and outbound http hits. I chose to
filter by the interface (le0). My short script is below.

--
| Opinions are _mine_, facts   Rob Quinn                 |
| are facts.                   (703)689-6582             |
|                              rquinn@sprint.net         |
|                              Sprint Corporate Security |

#!/usr/local/bin/perl -w
# Convert Raptor Eagle httpd "121 Statistics" log lines to NCSA common log format.
require "ctime.pl";
#EMAIL rquinn
#SUBJECT genhttplog report for FIREWALL
$UTCoffset=-999;                        # unknown until a "changelog: 108" line is seen
while(<>) {
  chop;
  # The UTC offset is only recorded when a new log file is started; remember it.
  if(/changelog: 108 starting new log file. UTC offset is (-?\d\d\d\d)$/) { $UTCoffset=$1; next; }
  next if($_ !~ /httpd.*: 121 Statistics: /o);   # only http proxy statistics records
  next if($_ !~ /result=\"\d\d\d\s/);            # ...that carry a numeric HTTP status
  next if($_ !~ /srcif=le0/);                    # ...arriving on the outside interface
  ($Host,$Authuser,$Status,$Bytes,$Request,$Date)=("UNKNOWN","-","999",0,"UNKNOWN","UNKNOWN");
  $Year=substr(ctime(time),-3,2);                # syslog lines carry no year; assume this one
  $Host=$1 if(/src=(\S+)\/\d+\s/);               # original client address, port stripped
  $Authuser=$1 if(/user=(\S+) auth=/);
  $Status=$1 if(/result=\"(\d\d\d)\s.*\"/);
  $Bytes += $1 if (/sent=(\d+)\s/);              # NCSA has one byte count; use sent+rcvd
  $Bytes += $1 if (/rcvd=(\d+)\s/);
  $Request=$1." ".$2 if (/op=(\S+)\sarg=(\S+)\s/);
  # syslog "Sep  4 09:38:33" -> " 4/Sep/1997:09:38:33", then zero-pad the day
  $Date=$2."/".$1."/19$Year:".$3 if(/^(\S\S\S)\s(\s?\d+)\s(\d\d:\d\d:\d\d)\s/);
  substr($Date,0,1)="0" if(substr($Date,0,1) eq " ");
  print "$Host - $Authuser [$Date $UTCoffset] \"$Request\" $Status $Bytes\n";
}

From owner-firewalls-outgoing Thu Sep 4 19:03:51 1997
From: "Michael H. Warfield"
To: marusak@unipo.sk (Martin Marusak)
Cc: firewalls@GreatCircle.COM
Subject: Re: qmail
Date: Thu, 4 Sep 1997 08:54:44 -0400 (EDT)
In-Reply-To: <199709041033.MAA21536@saris.unipo.sk> from Martin Marusak at "Sep 4, 97 12:33:12 pm"

Hello,

> hello
> qmail was recommended for me as a replacement for sendmail. I was
> told it doesn't have so big bugs and is more secure. What do you think
> about using qmail instead of sendmail?

I've now been using qmail for several months. We use it on our mailing list
engine. I'm less than impressed. It was my decision to use QMail and the
reason I changed to QMail is still valid. Now, however, all direct access into
QMail from outside of our network is blocked and the only access is filtered
through another system running sendmail. We installed it less for security and
more for its touted ability to service large mailing lists with much better
performance. In that regard, it definitely does deliver.
I've heard some claim that it can deliver an order of magnitude more messages
in a given amount of real time than can sendmail. That, I do believe. I had
also tried some frontends for sendmail to speed up its message delivery by
splitting up large lists (I have several mailing lists over 1,000 subscribers
and one over 6,000 subscribers). QMail seems more efficient and less resource
intensive than even that configuration. Performance wise, QMail seems to be
everything it's cracked up to be.

On the front of reliability and recoverability, I am NOT impressed at all,
just the opposite. Its error detection and recovery, quite frankly, suck. I
have not found any way to configure it with limits to shut down when certain
resources such as disk space run low. When it runs out of space, it commits
heinous random acts of terrorism. On one occasion, it ran out of space in one
file system and spewed thousands of empty messages (which then looked to
everybody like they came from root@systemname). I've had it run amok like this
a couple of times. As a result of the random acts of terrorism, I instituted
means by which I could rapidly shut down the QMail system when some problems
are detected. Usually when I get up in the morning and discover more than 500
messages coming in from over night... :-(

My next discovery was that, once you have detected that you have bad messages
in the queue and must decontaminate the system, QMail provides no dequeue
utility. To also say its storage methodology is a little arcane will win you
the understatement of the year award! I finally wrote a script which would
take a list of message numbers (usually derived from either processing
qmail-qread or from some other scan of the /var/qmail/queue/mess/*
directories), search all of the various and sundry directories under
/var/qmail/queue, then nuke off any matching files. That script has been
worth its weight in gold...

What really depressed me most about QMail was a glance at the sources!
I was trying to figure out how to put in some simple resource limits (say to
stop accepting mail if the spool system drops below a certain number of free
blocks), things which we take for granted in sendmail. I also was trying to
figure out things about the directories, file names, and formats for
qmail-clean. To do so, I dug into the sources and was shocked! There are NO
COMMENTS and the darn things are blocked together with so little delimiting
white space that it looks like a prime candidate for the self-obfuscating C
contest! The bracing and blocking are abysmal. I tried for a while to figure
out which end was up and finally threw up my hands in total disgust!

I'm a Senior Engineer over a department of several engineers. I've since
pointed out these sources to other engineers as examples of exactly what NEVER
to do in coding. Anyone presenting a coding style like this to me in a design
review would be rewriting it from scratch. The way it is coded, I found it
impossible to figure out how it was supposed to work, making it impossible to
determine why it screws up the way it does when it runs out of this resource
or that (one time it was system inodes, one time it was filesystem inodes, one
time it was filesystem blocks). Yes, it is nice to make sure the system has
enough resources, but you can't always be sure when you are not always sure
what the resource requirements are going to be or if they are going to change.
I would consider it to be mandatory that a package like this be reasonably
failsafe.

Let's not forget the reason it went from 1.00 to 1.01. Someone discovered that
they could create a system wide denial of service attack using QMail by
opening up enough connections to run the process table into the ground.

I've hacked on various sendmail sources, smail 2.x sources (not related to
Tron's smail 3.x), and smail 3.x sources (Tron and I corresponded years ago
about "%" hack implementations in smail) and a variety of other packages of
many flavors.
QMail may be the only package to have earned the distinction of having me give
up on the sources as being intractable.

My opinion at this point is that QMail is an immature package lacking in some
fundamental features that keep it from being a robust system, making it
"brittle". Its failure modes are pretty much catastrophic. Its poor coding
style makes enhancements and debugging painful at best. It absolutely
outperforms sendmail, running rings around it. But I would not run QMail
without screening it behind sendmail on another system at this point. I just
don't trust it! And to say that I trusted sendmail (which used to be referred
to as the "bug of the month (week) club") more than QMail should tell you a
lot!

> Martin Marusak

Mike
--
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  (The Mad Wizard)      |  (770) 925-8248   |  http://www.wittsend.com/mhw/
  NIC whois: MHW9       |  An optimist believes we live in the best of all
  PGP Key: 0xDF1DD471   |  possible worlds.  A pessimist is sure of it!

From owner-firewalls-outgoing Thu Sep 4 21:31:00 1997
From: Edwin Concepcion
To: firewalls@GreatCircle.COM
Date: Thu, 04 Sep 1997 21:30:14 -0400

remove from list

Prayer to the WebMaster: "...Almighty WebMaster, grant me the serenity to know
when to disconnect, the courage to know when to check my mail, and the wisdom
to stay away from the chat rooms..."

System.out.println('Edwin Concepcion');
System.out.println('mer.concepcion@codetel.net.do');
System.out.println('morrison@quisqueya.com');

From owner-firewalls-outgoing Thu Sep 4 21:58:12 1997
From: Rick Murphy
To: Marlon Borba
Cc: firewalls@GreatCircle.COM
Subject: Re: Authsrv don't work. Help!!
Date: Thu, 04 Sep 1997 22:15:41 -0400
In-Reply-To: <340DB565.6C7D@sti.com.br>

At 04:07 PM 9/3/97 -0300, Marlon Borba wrote:
>bash: ./authsrv: No such file or directory

Probably can't execute a shared library that authsrv is linked against.
Linking everything statically should fix it; finding the missing shared lib
as well will fix it. I dunno what tools AIX has for listing shared library
dependencies.
-Rick

From owner-firewalls-outgoing Thu Sep 4 22:32:48 1997
From: "Davis, Rob"
To: "'pyst-onge@eckler.ca'", "'firewalls@GreatCircle.COM'"
Subject: RE: Firewall and CC:Mail
Date: Thu, 4 Sep 1997 22:20:41 -0500

I can think of a few solutions off the top of my head, although there are
probably _many_ ways to do what you need.

1) Use an Ascend router at the other site and use proprietary Ascend VPN
   between the two routers (talk to your Ascend rep about this)

2) Use the same kind of firewall at both sites and use VPN between the two
   firewalls. Almost all commercial firewalls support VPN between two
   firewalls - although IMHO if you plan to use NT for the firewall I would
   stick to Raptor. Check Point seems to run great on Solaris, but not as
   smoothly on NT in my experience. Other firewalls may work fine, but since I
   haven't used them I can't comment on them :) (There are a lot of reasons
   to pick a particular brand of firewall - whole other topic!)

3) Set-up a rule to allow CC:Mail through and use strong authentication
   (S-Key is free) for the users.
If you only have 12 employees S-Key may not be a bad solution. I don't think
S-Key scales very well due to the high training costs involved with
non-technical employees, and smart cards can get expensive $$

If you had the money, I would use a commercial firewall at each site with VPN.

regards,
Rob
--
Rob Davis                       Lucent Technologies, Network Consulting Group
Network Consultant              http://www.lucentncg.com
(972) 419-3815                  1-800-SKY-PAGE #126-9384

>-----Original Message-----
>From: pyst-onge@eckler.ca [SMTP:pyst-onge@eckler.ca]
>Sent: Thursday, September 04, 1997 3:02 PM
>To: firewalls@GreatCircle.COM
>Subject: Firewall and CC:Mail
>
> We would like to set up a firewall here. We're running on a Windows NT
> server, with an Ascend router. What we'd like to do is have outside
> access restricted to all except our CC:Mail counterpart in another
> office and the employees there. What would be the best solution for
> that?
>
> We only have about 12 employees here, and a bit more in the other
> office, so anything too expensive is out of the question...
>
> Thanks,
>
> Pierre-Yves St-Onge
> Eckler Partners Ltd.
From owner-firewalls-outgoing Thu Sep 4 23:32:00 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA23425 for firewalls-outgoing; Thu, 4 Sep 1997 08:13:29 -0700 (PDT)
Received: from sla-nt2.sla.com (mail1.sla.com [207.153.168.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA23402 for ; Thu, 4 Sep 1997 08:13:22 -0700 (PDT)
Received: by mail1.sla.com with Internet Mail Service (5.0.1457.3) id ; Thu, 4 Sep 1997 08:19:29 -0700
Message-ID:
From: "Stackpole, Bill"
To: "'Pleuger, R.B.W.'" , "'firewalls@GreatCircle.COM'"
Subject: RE: Webserver logging
Date: Thu, 4 Sep 1997 08:19:27 -0700
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The web server gets the source IP address from the packet header and that header is modified by the proxy on the firewall. In truth the source for the packet is the IP address of the firewall.

> -----Original Message-----
> From: Pleuger, R.B.W. [SMTP:RPGR@cbs.nl]
> Sent: Thursday, September 04, 1997 4:57 AM
> To: 'firewalls@GreatCircle.COM'
> Subject: Webserver logging
>
> Hi,
>
> Recently we put a webserver behind our firewall (eagle nt 4.0).
>
> The problem now is that all hits from the outside world are being
> logged with the ip address of the inside interface of our firewall. Do other
> firewalls do the same and, if they don't, why does raptor do it?
>
> Regards
>
> Roger

From owner-firewalls-outgoing Fri Sep 5 00:05:31 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id TAA27602 for firewalls-outgoing; Thu, 4 Sep 1997 19:22:26 -0700 (PDT)
Received: from fw.paimail.com ([204.183.2.130]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id TAA27348 for ; Thu, 4 Sep 1997 19:21:36 -0700 (PDT)
Received: (from uucp@localhost) by fw.paimail.com (8.6.12/8.6.9) id VAA12992; Thu, 4 Sep 1997 21:16:09 -0400
Received: from dhcp22.paimail.com(10.0.2.22) by fw.paimail.com via smap (V2.0) id xma012989; Thu, 4 Sep 97 21:15:41 -0400
Message-Id: <3.0.3.32.19970904222206.006bd0d8@fw.paimail.com>
X-Sender: rick@fw.paimail.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Thu, 04 Sep 1997 22:22:06 -0400
To: Douglas McNaught
From: Rick Murphy
Subject: Re: Webserver logging
Cc: "Pleuger, R.B.W." , "'firewalls@GreatCircle.COM'"
In-Reply-To:
References: <"Pleuger, R.B.W."'s message of "Thu, 4 Sep 1997 13:56:55 +0200">
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:05 AM 9/4/97 -0400, Douglas McNaught wrote:
>All the proxy firewalls that I've seen do the same thing. It's
>because the connection to the webserver is coming from the proxy
>running on the firewall, not from the external client. You'll need to
>analyze your firewall logs to recover the original client
>information.

The TIS Gauntlet plug-gw has the ability to mirror the originating source address on a plug-gw connection. (You put a "force_source_address true" line in the netperm-table for 3.x; I think it's GUI manageable for 4.x).
-Rick

From owner-firewalls-outgoing Fri Sep 5 00:17:47 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA02728 for firewalls-outgoing; Thu, 4 Sep 1997 06:07:59 -0700 (PDT)
Received: from paranoid.convey.ru (ws03.convey.ru [195.182.128.18]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA02718 for ; Thu, 4 Sep 1997 06:07:52 -0700 (PDT)
Received: (from ark@localhost) by paranoid.convey.ru (8.7.5/8.7.3) id QAA00831; Thu, 4 Sep 1997 16:17:51 +0400
From: ArkanoiD
Message-Id: <199709041217.QAA00831@paranoid.convey.ru>
Subject: Re: log connection attempts?
To: phk@critter.freebsd.dk (Poul-Henning Kamp)
Date: Thu, 4 Sep 1997 16:17:51 +0400 (MSD)
Cc: firewalls@greatcircle.com, freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
In-Reply-To: <4926.873280349@critter.freebsd.dk> from "Poul-Henning Kamp" at Sep 3, 97 11:52:29 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

nuqneH,

>
> In message <203609030840.MAA14571@paranoid.convey.ru>, ArkanoiD writes:
> >nuqneH,
> >
> >Did anyone try to patch the kernel to log connection attempts for ports
> >(tcp and maybe udp) where no program accepts connection? (2.1.7)
>
> Set these two sysctl variables to non-zero:
> net.inet.tcp.log_in_vain: 0
> net.inet.udp.log_in_vain: 0
>

fourth level name log_in_vain in net.inet.tcp.log_in_vain is invalid

..and i don't remember smth like that when browsing the sources.

--
_ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!
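Once a kernel does log connection attempts to ports nobody listens on (the log_in_vain behaviour discussed in this thread), the lines are only useful if something reads them. The following is an added example, not from any list member: it parses such lines and flags sources that touched several closed ports. The message wording is an assumption modelled on FreeBSD's log_in_vain output, and every sample log line is constructed.

```python
"""Summarise kernel 'connection attempt' log lines by source address.

Added example, not from the thread. The line shape is an assumption
modelled on what a log_in_vain-style kernel message looks like; the
sample syslog excerpt below is constructed.
"""

import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Assumed message shape: "Connection attempt to TCP a.b.c.d:port from w.x.y.z:port".
# The end is not anchored, so a trailing "flags:0x.." on newer kernels is tolerated.
LINE_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)"
)

Attempt = Tuple[str, str, int]  # (source address, protocol, destination port)

# Constructed sample syslog excerpt: one host walks several closed ports,
# another host makes a single stray hit, and one line is unrelated noise.
SAMPLE_LOG = """\
Sep  5 16:48:01 gw /kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:40001
Sep  5 16:48:01 gw /kernel: Connection attempt to TCP 192.0.2.10:110 from 198.51.100.7:40002
Sep  5 16:48:02 gw /kernel: Connection attempt to TCP 192.0.2.10:143 from 198.51.100.7:40003
Sep  5 16:48:02 gw /kernel: Connection attempt to UDP 192.0.2.10:161 from 198.51.100.7:40004
Sep  5 16:48:03 gw /kernel: Connection attempt to TCP 192.0.2.10:6000 from 198.51.100.7:40005
Sep  5 16:48:09 gw /kernel: Connection attempt to TCP 192.0.2.10:25 from 203.0.113.5:1025
Sep  5 16:48:10 gw sendmail[123]: unrelated line that must be ignored
"""


def parse_attempts(text: str) -> List[Attempt]:
    """Extract (src, proto, dport) from every line that matches LINE_RE."""
    attempts: List[Attempt] = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            attempts.append((m["src"], m["proto"], int(m["dport"])))
    return attempts


def ports_by_source(attempts: List[Attempt]) -> Dict[str, Set[Tuple[str, int]]]:
    """Group the distinct (proto, port) pairs each source address touched."""
    seen: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for src, proto, dport in attempts:
        seen[src].add((proto, dport))
    return dict(seen)


def suspected_scanners(attempts: List[Attempt], threshold: int = 3) -> List[str]:
    """Sources that touched at least `threshold` distinct closed ports, sorted."""
    return sorted(src for src, ports in ports_by_source(attempts).items()
                  if len(ports) >= threshold)


if __name__ == "__main__":
    found = parse_attempts(SAMPLE_LOG)
    for src, ports in sorted(ports_by_source(found).items()):
        print(f"{src}: {len(ports)} distinct closed port(s) {sorted(ports)}")
    print("suspected scanners:", suspected_scanners(found))
```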
From owner-firewalls-outgoing Fri Sep 5 00:17:52 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA01714 for firewalls-outgoing; Thu, 4 Sep 1997 11:44:56 -0700 (PDT)
Received: from relay2.cospo.osis.gov (relay2.cospo.osis.gov [198.81.186.194]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id LAA01697 for ; Thu, 4 Sep 1997 11:44:47 -0700 (PDT)
Received: by relay2.cospo.osis.gov (4.1/SMI-4.1) id AA03590; Thu, 4 Sep 97 14:47:06 EDT
Message-Id: <9709041847.AA03590@relay2.cospo.osis.gov>
Received: from washington.cospo.osis.gov(198.81.161.68) by relay2.cospo.osis.gov via smap (V1.3) id sma003585; Thu Sep 4 14:46:52 1997
Received: by washington.cospo.osis.gov (1.38.193.4/16.2) id AA20128; Thu, 4 Sep 1997 14:49:45 -0400
From: "Joseph S. D. Yao"
Subject: Re: Authsrv don't work. Help!!
To: Firewalls@GreatCircle.COM
Date: Thu, 4 Sep 1997 14:49:45 -0400 (EDT)
Cc: marlon@sti.com.br
In-Reply-To: <199709032235.PAA21640@honor.greatcircle.com> from "Firewalls-Digest" at Sep 3, 97 03:35:19 pm
X-Mailer: ELM [version 2.4 PL25 PGP3 *ALPHA*]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Wed, 03 Sep 1997 16:07:17 -0300
> From: Marlon Borba
> Subject: Authsrv don't work. Help!!
>
> We are trying to build a TIS Firewall over Linux, according to a HOWTO
> instructions ("Firewall & Proxy Server Howto"), but, when we try to run
> authsrv, we get the message
>
> bash: ./authsrv: No such file or directory
>
> We are *sure* the PATH is correct, the authsrv executable is in the
> right directory (/usr/local/etc), the right permissions were assigned
> (755), the compilation worked with no errors and WE ARE ROOT!

You refer to the "TIS Firewall" as if there were only one, which of course is not the case. May one assume you mean the FWTK?

This is a simple misunderstanding of Unix command syntax.
It is possible that you need to get someone who understands Unix command use on your staff.

The command './authsrv' tells the shell to IGNORE the $PATH. Instead, it looks for the command 'authsrv' in the current directory ("."). When you entered this command, had you remembered to 'cd /usr/local/etc' first?

It is possible that, from another directory, you could also say '/usr/local/etc/authsrv'. I haven't tried that, though: I don't know whether the program looks for a database in the user's current directory. I always 'cd' first.

OBTW - Note that "$PATH" should n o t have an entry that is either "." or blank. The following are security risks:

	:(anything)
	(anything):
	(anything)::(anything)
	.:(anything)
	(anything):.
	(anything):.:(anything)

--
Joe Yao jsdy@cospo.osis.gov - Joseph S. D. Yao
COSPO Computer Support EMT-A/B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.

From owner-firewalls-outgoing Fri Sep 5 00:32:23 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id LAA29976 for firewalls-outgoing; Thu, 4 Sep 1997 11:35:29 -0700 (PDT)
Received: from relay2.cospo.osis.gov (relay2.cospo.osis.gov [198.81.186.194]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id LAA29856 for ; Thu, 4 Sep 1997 11:34:54 -0700 (PDT)
Received: by relay2.cospo.osis.gov (4.1/SMI-4.1) id AA03453; Thu, 4 Sep 97 14:37:05 EDT
Message-Id: <9709041837.AA03453@relay2.cospo.osis.gov>
Received: from washington.cospo.osis.gov(198.81.161.68) by relay2.cospo.osis.gov via smap (V1.3) id sma003448; Thu Sep 4 14:36:52 1997
Received: by washington.cospo.osis.gov (1.38.193.4/16.2) id AA19957; Thu, 4 Sep 1997 14:39:42 -0400
From: "Joseph S. D. Yao"
Subject: Re: Legal liabilities in unsuccessful attack
To: Firewalls@GreatCircle.COM
Date: Thu, 4 Sep 1997 14:39:41 -0400 (EDT)
Cc: swiley@inm.eds.com
In-Reply-To: <199709032235.PAA21640@honor.greatcircle.com> from "Firewalls-Digest" at Sep 3, 97 03:35:19 pm
X-Mailer: ELM [version 2.4 PL25 PGP3 *ALPHA*]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> ------------------------------
> Date: Wed, 03 Sep 1997 11:17:26 -0500
> From: Sean Wiley
> Subject: Legal liabilities in unsuccessful attack
>
> We have a facility where we host several customers web sites. If we
> recognize that someone is repeatedly, but unsuccessfully, trying to
> attack one of the sites, do we take on any legal liability by NOT
> pursuing the attacker and trying to shut them down?
...

Both Cheswick & Bellovin and Garfinkel & Spafford devote appreciable page space to addressing this. But, ultimately, we computer folk have a built-in handicap when it comes to such situations. We're used to dealing with reality, be it hard, soft, or virtual. This makes us not particularly suited to thinking in legal terms. In addition, many of the concerns are still being worked out ... and probably will still be, well into the next millennium.

You and your boss or relevant administrative types should approach your corporate counsel on this. Unless he or she has been doing a lot of research on this particular type of problem, you should work with counsel to identify and approach a recognized expert in the field. (Recognized by more than self, that is.) Put your questions and fears to said expert.

Be aware, too, that legal counsel is more likely to say "No" to anything, or at least point out the hazards. You and your admin type [which is why that person is along] must generate the positives and weigh risks vs. benefits.
Sorry not to have definitive answers: but both of the books mentioned above also counsel seeking, well, counsel. Hope this helps. -- Joe Yao jsdy@cospo.osis.gov - Joseph S. D. Yao COSPO Computer Support EMT-A/B ----------------------------------------------------------------------- This message is not an official statement of COSPO policies. From owner-firewalls-outgoing Fri Sep 5 00:43:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA11859 for firewalls-outgoing; Thu, 4 Sep 1997 15:24:48 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id PAA11668 for ; Thu, 4 Sep 1997 15:24:04 -0700 (PDT) Received: from mailsrv1.pcy.mci.net by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id PAA11004; Thu, 4 Sep 1997 15:24:34 -0700 (PDT) Received: from kirtley (usr31-dialup36.mix1.WillowSprings.mci.net) by MAIL-CLUSTER.PCY.MCI.NET (PMDF V5.1-9 #10045) with ESMTP id <01IN94ZPLSFC9GV75X@MAIL-CLUSTER.PCY.MCI.NET> for firewalls@greatcircle.com; Thu, 4 Sep 1997 17:54:23 EDT Date: Thu, 04 Sep 1997 16:54:19 -0500 From: "Tim Kirtley,Unix Systems Admin" Subject: bodiless ! error To: firewalls@GreatCircle.COM Message-id: <340F2E0A.607D2CA8@internetMCI.com> MIME-version: 1.0 X-Mailer: Mozilla 4.01 [en] (WinNT; I) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Priority: 3 (Normal) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Smapd gives me: sma#### is bodiless ! | no child process - message discarded I know these messages have contents, because I send them myself. Sendmail alone works fine. What gives ? 
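The $PATH warning in Joe Yao's Authsrv reply above, turned into a checker. This is an added example and not part of any post: it flags the blank and "." entries he lists and, going one step further than the post, any other relative entry, since those are also resolved from the current directory.

```python
"""Flag the $PATH entries Joe Yao's reply calls security risks.

Added example, not from the list. It covers the blank and "." cases from
the post and, as a generalisation, any other relative entry.
"""

import os
from typing import List, Tuple

Finding = Tuple[int, str, str]  # (position in PATH, entry, reason)


def unsafe_path_entries(path: str) -> List[Finding]:
    """Return one finding per risky component of a PATH string.

    A blank component (leading ':', trailing ':' or '::') means the current
    directory, exactly as '.' does, so a command lookup can pick up a file
    planted wherever the user happens to be. Any other relative entry
    (for example 'bin') is resolved from the current directory as well.
    """
    findings: List[Finding] = []
    for index, entry in enumerate(path.split(":")):
        if entry == "":
            findings.append((index, entry, "blank component is the current directory"))
        elif entry == ".":
            findings.append((index, entry, "explicit current directory"))
        elif not entry.startswith("/"):
            findings.append((index, entry, "relative entry, resolved from the current directory"))
    return findings


def sanitized_path(path: str) -> str:
    """Return PATH with every risky component dropped, order preserved."""
    bad = {index for index, _, _ in unsafe_path_entries(path)}
    return ":".join(entry for index, entry in enumerate(path.split(":")) if index not in bad)


if __name__ == "__main__":
    # Checks the calling user's real PATH; the examples from the post are
    # exercised in the tests that accompany this block.
    current = os.environ.get("PATH", "")
    for index, entry, reason in unsafe_path_entries(current):
        print(f"PATH[{index}] = {entry!r}: {reason}")
    print("safe PATH:", sanitized_path(current))
```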
From owner-firewalls-outgoing Fri Sep 5 01:09:17 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA25896 for firewalls-outgoing; Thu, 4 Sep 1997 21:24:22 -0700 (PDT)
Received: from relay8.jaring.my (relay8.jaring.my [192.228.128.118]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id VAA25604 for ; Thu, 4 Sep 1997 21:23:31 -0700 (PDT)
Received: from PaLaN-NeT.dataprep.com.my (palan-net.dataprep.com.my [202.190.59.59]) by relay8.jaring.my (8.8.5/8.8.5) with SMTP id MAA29036 for ; Fri, 5 Sep 1997 12:29:22 +0800 (MYT)
Message-Id: <3.0.2.32.19970905122359.007b4a30@192.228.128.118>
X-Sender: palank@192.228.128.118
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.2 (32)
Date: Fri, 05 Sep 1997 12:23:59 +0800
To: firewalls@greatcircle.com
From: ö PaLaN ö
Subject: Security Technology
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Howdy all,

Can anyone add some other security technology that conforms to the "standards"? If you know any beside the below, please let me know..

Today's Security Technology include:

1. Encryption (VPN, PPTP, etc)
2. FIREWALL (Packet filter, Proxy, Stateful, etc)
3. Authentication & Authorisation (TACACS, RADIUS, etc)
4. ?????
5. ?????

Rgds,
PaLaN
Security Analyst
West Malaysia.
_______________________________________________
"Here is my key ... let's exchange packets now."
From owner-firewalls-outgoing Fri Sep 5 01:43:34 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id XAA28334 for firewalls-outgoing; Thu, 4 Sep 1997 23:59:01 -0700 (PDT) Received: from tower.sedwards.com (newline2.cts.com [205.163.21.59]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id XAA28327 for ; Thu, 4 Sep 1997 23:58:55 -0700 (PDT) From: sedwards@cts.com Received: from localhost (sedwards@localhost) by tower.sedwards.com (8.8.5/8.8.5) with SMTP id AAA17196; Fri, 5 Sep 1997 00:04:32 -0700 (PDT) X-Authentication-Warning: tower.sedwards.com: sedwards owned process doing -bs Date: Fri, 5 Sep 1997 00:04:32 -0700 (PDT) X-Sender: sedwards@tower.sedwards.com To: Lucas Cotta cc: "Firewalls (Correio eletronico)" Subject: Re: about sendmail security In-Reply-To: <01BCB93D.A244E920@support.pgt.mpt.gov.br> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk HAHAHAHAHA. Sorry, nothing personal, I just couldn't resist. This is a common misconception. Many people think that there is something special about the TELNET program accessing the SMTP port on a mail server. There isn't. TELNET just opens a connection to the server on a specified port, usually 23, which connects to the telnetd server. If the user specifies port 25, it connects to your mail server, frequently sendmail. If you block access to port 25, you block access to port 25. Thus, no one can connect to port 25, be it TELNET or a sending mail server -- no one can send you email either. Thanks in advance, Steve Edwards sedwards@cts.com +1-760-723-2727 On Thu, 4 Sep 1997, Lucas Cotta wrote: > Dear Colleagues, > > I have the following problem: it would like to inhibit the TELNET for the > door 25 of my server of electronic mail. Do you have some thing on that? 
>
>
> thank you
>
>
> Lucas Cotta
> Engineer of Support
> Public ministry of the Work
>
>
>

From owner-firewalls-outgoing Fri Sep 5 04:17:24 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id DAA28520 for firewalls-outgoing; Fri, 5 Sep 1997 03:11:53 -0700 (PDT)
Received: from cello.cs.iitm.ernet.in ([206.103.12.228]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id DAA28504 for ; Fri, 5 Sep 1997 03:11:38 -0700 (PDT)
Received: from localhost (shankar@localhost) by cello.cs.iitm.ernet.in (8.7.5/8.6.9) with SMTP id PAA00876; Fri, 5 Sep 1997 15:49:51 +0530
Date: Fri, 5 Sep 1997 15:49:50 +0530 (IST)
From: "K.A.Shankar"
To: John Cosimano
cc: firewalls@GreatCircle.COM
Subject: Re: Question for sendmail experts
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 3 Sep 1997, John Cosimano wrote:

>
> We are running a Gauntlet V3.2 firewall and I am grappling with trying to
> get sendmail running properly for our setup which is somewhat
> non-standard. Here's a brief outline of what I am facing.
>
> Split DNS on the firewall
>
> Internal domain, let's call it foobar.org
>
> External domain, let's call it bing.foo.bar.com
>
> Firewall is forwarding off to Novell GroupWise on the inside for mail
> processing.
>
> The problem is I need to modify the /etc/sendmail.cf to rewrite outbound
> mail headers to change the return address from user@foobar.org to
> user@bing.foo.bar.com. I have added the following to ruleset S12, but have
> not had any luck:
>
> #rewrite mail originating from the mailhub (call it ngw.foobar.org)
> R$*<@ngw.foobar.org>$*	$@$1<@bing.foo.bar.com>$2
>
> #rewrite mail from elsewhere in the domain
> R$*<@.foobar.org>$*	$@$1<@bing.foo.bar.com>$2
>

Try this in ruleset S1 itself.

Shankar.K.A

> I'm not sure why this doesn't work. If anyone has any suggestions, I'd
> appreciate hearing from you.
>
> --
> John Cosimano
> Unix Systems Administrator
> The CNA Corporation
> Alexandria, VA USA
> cosimanj@cna.org
>

From owner-firewalls-outgoing Fri Sep 5 04:32:12 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA25222 for firewalls-outgoing; Fri, 5 Sep 1997 02:37:59 -0700 (PDT)
Received: from fn5.freenet.tlh.fl.us (fn5.freenet.tlh.fl.us [204.194.39.252]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id CAA25215 for ; Fri, 5 Sep 1997 02:37:52 -0700 (PDT)
From: wladams@freenet.tlh.fl.us
Received: from localhost ([[UNIX: localhost]]) by fn5.freenet.tlh.fl.us (8.8.5/8.8.5) with SMTP id FAA20065; Fri, 5 Sep 1997 05:42:52 -0400 (EDT)
Date: Fri, 5 Sep 1997 05:42:52 -0400 (EDT)
To: Lucas Cotta
cc: "Firewalls (Correio eletronico)"
Subject: Re: about sendmail security
In-Reply-To: <01BCB93D.A244E920@support.pgt.mpt.gov.br>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 4 Sep 1997, Lucas Cotta wrote:

> Dear Colleagues,
>
> I have the following problem: it would like to inhibit the TELNET for the
> door 25 of my server of electronic mail. Do you have some thing on that?
>

lucas:

i'm not sure what platform you are running but the following worked for me with linux. if you are running sendmail via inetd you can frontend it with tcpd which will validate by hostname and can be configured with reverse dns lookup. if you are running sendmail as a daemon you can link it with libwrap.a from the tcpd package which effectively accomplishes the same end. there is appropriate documentation in any recent sendmail release on how to accomplish this.

on a more general note if you are concerned about attacks external to your domain, you will find the need for some kind of firewalling cannot be avoided.
bill From owner-firewalls-outgoing Fri Sep 5 04:47:48 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id EAA08836 for firewalls-outgoing; Fri, 5 Sep 1997 04:34:14 -0700 (PDT) Received: from ns1.pnsi.net ([198.145.134.15]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id EAA08750 for ; Fri, 5 Sep 1997 04:33:56 -0700 (PDT) Received: from edsawick by ns1.pnsi.net (Unoverica 2.11a) id 00000216; Fri, 5 Sep 1997 04:48:22 -0700 Message-Id: <199709051148.00000216@ns1.pnsi.net> Reply-To: From: "Ed Sawicki" To: , , , "Anton J Aylward" Subject: Re: Proxy Server 2.0 features & market positioning byMicrosoft Program Manager Date: Fri, 5 Sep 1997 04:38:59 -0700 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1161 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I think you (and possibly others) may be a bit vendorphobic. The message that you're complaining about is clearly stated as "Proxy Server 2.0 features & marketing positioning..." in the subject line. You can easily choose to delete it without reading it if you choose. The message from Microsoft's Program Manager was posted in response to another message so it wasn't unsolicited advertising. Also, Microsoft does not have a history of doing this on this list so it's not abuse. I prefer that vendors are allowed to participate in this list and contribute bits of information that we may not otherwise find on their Web site. As an author, I know that my preconceived notion of product features and design philosophy is sometimes wrong and I need feedback from the vendor to see the product in the light that the vendor intended. I'm not comfortable with your interpretation of "blatant advertising". In summary, I do not need the protection that you're trying to provide for me. Ed Sawicki - author of several ALC Press books. 
http://www.alcpress.com

----------
> From: Anton J Aylward
> To: silicom@netvision.net.il; firewalls@GreatCircle.COM; ntsecurity@iss.net
> Subject: Re: Proxy Server 2.0 features & market positioning byMicrosoft Program Manager
> Date: Thursday, September 04, 1997 7:12 PM
>
> ## Reply Start ##
>
> Quite apart from its length, I think this oversteps the mark
> into blatant advertising. It would have been quite sufficient
> to have supplied a URL.
>
> >This message is in response to a posting by Itai Dor-on on this newsgroup
> >about Proxy Server version 2.0 Beta. Itai had several questions about
> >Proxy Server 2.0 features, security, and market positioning.
> >
> >I am a Program Manager for Microsoft Proxy Server. I would like to clarify
> >the feature-set and market positioning of Proxy Server v2.0, and respond
> >to some specific comments in Itai's posting.
>
> That's what I mean.
> If we want to know the 'market positioning' we can look it up from a URL.
> This was an excessive post considering the question.
>
> /anton
>
> ## Reply End ##
> --------------------------------------------------------------------------
> Anton J Aylward                  | "Quality refers to the extent to which
> The Strahn & Strachan Group Inc  | processes, products, services, and
> Information Security Consultants | relationships are free from defects,
> Voice: (416) 494-8661            | constraints and items which do not add
> Fax: (416) 494-8803              | value." - Dr. Mildred G Pryor, 1995

From owner-firewalls-outgoing Fri Sep 5 05:02:27 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id CAA25586 for firewalls-outgoing; Fri, 5 Sep 1997 02:42:33 -0700 (PDT)
Received: from fw4.tns.co.za (fw4.tns.co.za [196.4.160.32]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id CAA25555 for ; Fri, 5 Sep 1997 02:42:14 -0700 (PDT)
Received: by fw4.tns.co.za; id LAA00724; Fri, 5 Sep 1997 11:47:57 +0200 (SAT)
Message-Id: <199709050947.LAA00724@fw4.tns.co.za>
Received: from unknown(89.0.4.177) by fw4.tns.co.za via smap (V3.1.1) id xma000641; Fri, 5 Sep 97 11:47:40 +0200
Reply-To:
From: "Billy Verreynne"
To: "Matthew Smith" , "Firewalls Digest"
Subject: Re: Connecting through FTP proxy
Date: Fri, 5 Sep 1997 11:47:46 +0200
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Matthew Smith wrote
> I would like to allow my ftp client to connect to a remote server through a
> proxy server. Are there any commands which must be sent in addition to the
> FTP protocol commands, or is it as simple as specifying "USER
> user@remote-host" instead of "USER user" to the proxy server, then
> proceeding normally as though connected to the remote FTP host?

Sample session:

C:\>ftp www.borland.com
Connected to netserv.borland.com.
//* the ftp proxy wants to authenticate first - so I need to give
//* it my proxy/firewall id and password:
220-Proxy first requires authentication
220 firewall FTP proxy (Version V666) ready.
User (netserv.borland.com:(none)): myname
331 Enter authentication password for myname
Password:*****
230 User authenticated to proxy
//* ok, now the proxy server has opened a connection to Borland's
//* FTP server, but I haven't signed onto that FTP server yet, so:
ftp> user anonymous
//* Borland's FTP server replies with:
331 Password required for anonymous.
Password:*****
230 User anonymous logged in.

As you can see, you have to "logon" twice. Once via the FTP proxy and the second time to the actual ftp server you're connecting to.

regards,
Billy

From owner-firewalls-outgoing Fri Sep 5 05:39:15 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id AAA05701 for firewalls-outgoing; Fri, 5 Sep 1997 00:36:02 -0700 (PDT)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id AAA05605 for ; Fri, 5 Sep 1997 00:35:36 -0700 (PDT)
Received: (qmail 17994 invoked from smtpd); 5 Sep 1997 07:41:41 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 5 Sep 1997 07:41:41 -0000
Received: from grendel.nmti.com (grendel.nmti.com [198.178.0.150]) by web.nmti.com (8.6.12/8.6.9) with SMTP id CAA09824; Fri, 5 Sep 1997 02:41:41 -0500
Received: by grendel.nmti.com; (5.65v3.2/1.1.8.2/25Aug97-0307PM) id AA14258; Fri, 5 Sep 1997 02:43:52 -0500
From: Peter da Silva
Message-Id: <9709050743.AA14258@grendel.nmti.com>
Subject: Re: Citrix WinFrame
To: dharris@kcp.com
Date: Fri, 5 Sep 1997 02:43:52 -0500 (CDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199709041446.HAA19643@honor.greatcircle.com> from "dharris@kcp.com" at Sep 4, 97 09:50:02 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I would appreciate comments about the risks involved in allowing this access. I
> suspect that the connection protocol is completely bidirectional and thus
> *could* provide access to our internal network for external Win95 or NT systems.

Not unless you open the hole in as well as out. It's purely a virtual display and keyboard, like X, but with a good deal less interaction between the display server and the client applications. Treat it as telnet.

From owner-firewalls-outgoing Fri Sep 5 06:18:22 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA24123 for firewalls-outgoing; Fri, 5 Sep 1997 05:44:57 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id FAA23967 for ; Fri, 5 Sep 1997 05:44:12 -0700 (PDT)
Received: from gateway.damark.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id FAA01654; Fri, 5 Sep 1997 05:44:37 -0700 (PDT)
Received: by gateway.damark.com; id HAA19374; Fri, 5 Sep 1997 07:49:27 -0500 (CDT)
Received: from sco.damark.com(172.31.254.231) by gateway.damark.com via smap (3.2) id xme019368; Fri, 5 Sep 97 07:49:04 -0500
Received: by damark.com (5.65/1.2-eef) id AA05219; Fri, 5 Sep 97 07:47:06 -0500
Message-Id: <9709051247.AA05219@damark.com>
From: "william.wells"
To: Lucas Cotta
Subject: RE: about sendmail security
Date: Fri, 05 Sep 97 07:42:00 +6C
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sendmail can't tell the difference between a telnet and a mailer trying to use port 25. In order to inhibit a person from telnetting to port 25, you also inhibit a mailer from using port 25.

We use a specially written program to answer connections to port 25. This program only allows the minimum number of sendmail commands to work and also checks addresses for oddities. If the mail is OK, the program passes the mail inward for further processing. This is often done by writing the mail to a file and using another program to pass the mail further.
By doing this, an external person can't make a direct network connection to the inside.

In our case, we licensed the program when we bought our firewall software. We've since made small modifications for items specific to Damark.

William Wells
Manager, System Administration
Damark International, Inc
william.wells@damark.com

The opinions above are mine and do not necessarily reflect Damark's opinions.

----------
From: Lucas Cotta
To: Firewalls (Correio eletronico)
Subject: about sendmail security
Date: Thursday, September 04, 1997 12:19PM

Dear Colleagues,

I have the following problem: it would like to inhibit the TELNET for the door 25 of my server of electronic mail. Do you have some thing on that?

thank you

Lucas Cotta
Engineer of Support
Public ministry of the Work

From owner-firewalls-outgoing Fri Sep 5 06:33:29 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id FAA21449 for firewalls-outgoing; Fri, 5 Sep 1997 05:32:21 -0700 (PDT)
Received: from mail.the-wire.com (mail.the-wire.com [198.53.192.5]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id FAA21395 for ; Fri, 5 Sep 1997 05:32:04 -0700 (PDT)
Received: from psyche.the-wire.com (psyche [198.53.192.2]) by mail.the-wire.com (8.8.7/8.8.7) with ESMTP id IAA28221; Fri, 5 Sep 1997 08:37:52 -0400 (EDT)
Received: from anton.the-wire.com (anton.the-wire.com [205.206.32.227]) by psyche.the-wire.com (8.8.6/8.6.12) with SMTP id IAA03849; Fri, 5 Sep 1997 08:38:11 -0400 (EDT)
Message-Id: <3.0.32.19970905085421.007a4690@mail.the-wire.com>
X-Sender: anton@mail.the-wire.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Fri, 05 Sep 1997 08:55:47 -0400
To: , , , , "Anton J Aylward"
From: Anton J Aylward
Subject: Re: Proxy Server 2.0 features & market positioning by Microsoft Program Manager
Mime-Version: 1.0
Content-Type: text/enriched; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 04:38 AM 05/09/97 -0700, Ed Sawicki wrote:

## Reply Start ##

>I think you (and possibly others) may be a bit vendorphobic.

No, I deal with a lot of vendors and have good relationships with them.

>The message that you're complaining about is clearly stated
>as "Proxy Server 2.0 features & marketing positioning..."
>in the subject line. You can easily choose to delete it
>without reading it if you choose.

This is the argument spammers make. Sorry, I don't consider it valid.

>The message from Microsoft's
>Program Manager was posted in response to another message
>so it wasn't unsolicited advertising.

I didn't use the word "unsolicited". Please don't put words in my mouth.

>Also, Microsoft does
>not have a history of doing this on this list so it's not
>abuse.

Oh, OK, so the first rape is allowed because the guy doesn't have a history of doing it, so it's not abuse. Fine, I'll tell Alan Dershowitz that and he can use it in the next issue of his book "The Abuse Excuse".

>I prefer that vendors are allowed to participate in this list
>and contribute bits of information that we may not otherwise
>find on their Web site.

I think that's a laudatory position. It perfectly reflects my attitude that the posting we are referring to was excessive, because it was cut&paste from MS published information. Since I have Proxy Server docs and marketing literature on my desk I can happily assert to that.

>As an author, I know that my preconceived
>notion of product features and design philosophy is sometimes
>wrong and I need feedback from the vendor to see the product
>in the light that the vendor intended.

I'm not arguing YOUR needs. I'm arguing this instance. The posting was excessive and far beyond what even vendors supply. We have regular contributions from people, for example, at Cisco, along such lines. They are not as voluminous or as marketing oriented. This is a technology & support list.

I know from my own experience, in the role of an author or reviewer, marketing treats one differently from being an end user.

>In summary, I do not need the protection that you're trying to
>provide for me.

That could be taken as an invitation to be spammed. Do you need the protection your ISP is providing, that firewalls are providing? That's what this group is about.

Let's get back to basics:

1. Was the posting significantly longer than most on this list?
2. Did it supply information which could have been obtained from a web page or other marketing documents?

Q1 makes it excessive. Q2 deals with my point about a URL being sufficient. I think we're experienced enough to recognize the mailto: on most web pages and most vendors have a link to obtain more information.

And yes, I do work proactively to suppress spamming and other abuses.

You might also see the .sig line on my earlier posting which said..

"Quality refers to the extent to which processes, products, services, and relationships are free from defects, constraints and items which do not add value." - Dr. Mildred G Pryor, 1995

I would assert that the long posting did not add value and so decreases the quality of the list. I firmly believe that this list has a reputation based on it NOT being a sounding board for vendors to tout their wares.

/anton

## Reply End ##
--------------------------------------------------------------------------
Anton J Aylward                  | "Quality refers to the extent to which
The Strahn & Strachan Group Inc  | processes, products, services, and
Information Security Consultants | relationships are free from defects,
Voice: (416) 494-8661            | constraints and items which do not add
Fax: (416) 494-8803              | value." - Dr. Mildred G Pryor, 1995

From owner-firewalls-outgoing Fri Sep 5 06:47:18 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA06478 for firewalls-outgoing; Fri, 5 Sep 1997 06:38:41 -0700 (PDT)
Received: from paranoid.convey.ru (ws04.convey.ru [195.182.128.19]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA06448 for ; Fri, 5 Sep 1997 06:38:25 -0700 (PDT)
Received: (from ark@localhost) by paranoid.convey.ru (8.7.5/8.7.3) id QAA01192; Fri, 5 Sep 1997 16:48:17 +0400
From: ArkanoiD
Message-Id: <199709051248.QAA01192@paranoid.convey.ru>
Subject: Re: log connection attempts?
To: robert+freebsd@cyrus.watson.org
Date: Fri, 5 Sep 1997 16:48:16 +0400 (MSD)
Cc: pdongre@opentech.stpn.soft.net, firewalls@greatcircle.com, freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
In-Reply-To: from "Robert Watson" at Sep 4, 97 10:35:11 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

nuqneH,

> > No , (btw i use IPFilter,not ipfw), do not want to log blocked packets/
> > create additional filtering rules etc. As i said i do know how to do that.
> > I just do not want to. I want to log connection attempts without that.
>
> Take a look at these two locations -- there was mention of a better syslog
> here on freebsd-security recently. There were also statistics-gathering
> modifications on disconnected ports.
>
> http://minnie.cs.adfa.oz.au/Seminars/AUUG96/index.html
> ftp://minnie.cs.adfa.oz.au/pub/NetSecurity/

Thanks! That's [nearly] the thing i was looking for. Actually it is for an older kernel version and requires minor modifications to be used with 2.1.7.1 but it should not be hard to do.

--
_ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!
From owner-firewalls-outgoing Fri Sep 5 07:44:07 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA09766 for firewalls-outgoing; Fri, 5 Sep 1997 06:53:18 -0700 (PDT) Received: from denver.denversys.com ([208.203.232.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA09682 for ; Fri, 5 Sep 1997 06:52:59 -0700 (PDT) Received: by DENVER with Internet Mail Service (5.0.1457.3) id ; Fri, 5 Sep 1997 10:00:17 -0400 Message-ID: <91D5B68FD598D011A11100A0C925E4B6030DEC@DENVER> From: Stephen Greenwalt To: firewalls@GreatCircle.COM Date: Fri, 5 Sep 1997 10:00:14 -0400 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Informational: Anyone about to deploy a firewall / proxy server / etc., or who is generally involved in that industry would do well to visit the following site; http://watchguard.denversys.com Sincerely, Stephen Greenwalt From owner-firewalls-outgoing Fri Sep 5 07:47:17 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA18371 for firewalls-outgoing; Fri, 5 Sep 1997 07:36:57 -0700 (PDT) Received: from bdc9000.pccmis.com (pccentral.cyberportal.net [204.97.235.63]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id HAA18345 for ; Fri, 5 Sep 1997 07:36:50 -0700 (PDT) Received: by bdc9000.pccmis.com with Microsoft Exchange (IMC 4.0.837.3) id <01BCB9E8.BCAB5EB0@bdc9000.pccmis.com>; Fri, 5 Sep 1997 10:44:50 -0400 Message-ID: From: Chris Brenton To: "'william.wells'" , "'Lucas Cotta'" Cc: "'firewalls@greatcircle.com'" Subject: RE: about sendmail security Date: Fri, 5 Sep 1997 10:44:49 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >We use a specially written 
program answer connections to port 25. This >program only allows the minimum number of sendmail commands to work and also >checks addresses for oddities. If the mail is OK, the program passes the >mail inward for further processing. This is often done by writing the mail >to a file and using another program to pass the mail further. By doing this, >an external person can't make a direct network connection to the inside. Humm. How about a process that not only checks that the source IP address can be resolved to a valid host, but that it can be resolved back to a system which also has a valid MX record. Just a thought... From owner-firewalls-outgoing Fri Sep 5 08:32:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA10952 for firewalls-outgoing; Fri, 5 Sep 1997 06:59:37 -0700 (PDT) Received: from bw151zhb.bluewin.ch (bw151zhb.bluewin.ch [195.186.1.16]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA10928 for ; Fri, 5 Sep 1997 06:59:29 -0700 (PDT) Received: from pc200 (del14pub195.bluewin.ch [195.186.14.195]) by bw151zhb.bluewin.ch (8.8.5/8.8.5) with SMTP id QAA04644 for ; Fri, 5 Sep 1997 16:04:00 +0200 (MET DST) Message-ID: <34101F7F.3B8D@bluewin.ch> Date: Fri, 05 Sep 1997 16:04:31 +0100 From: thuler Reply-To: mirabel@bluewin.ch X-Mailer: Mozilla 3.01 [fr]C-KIT-bw (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Special request Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello everybody, Everydays, I'm receiving one or two anonymails. Can you tell me where I can see the name of the expeditor. Unfortunately, I don't know a good program for it. If you have something for me, please, send me by e-mail. 
Thanks Vincent - Switzerland From owner-firewalls-outgoing Fri Sep 5 08:53:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA02321 for firewalls-outgoing; Fri, 5 Sep 1997 08:42:28 -0700 (PDT) Received: from checkov.twc.com (securit.twc.com [206.114.124.34]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA02296 for ; Fri, 5 Sep 1997 08:42:20 -0700 (PDT) Received: by checkov.twc.com with Internet Mail Service (5.0.1457.3) id ; Fri, 5 Sep 1997 10:48:02 -0500 Message-ID: <97431B954A9AD0119CCC00609733C455067A0E@checkov.twc.com> From: "Jim E. Crawford" To: "'Stephen Greenwalt'" , firewalls@GreatCircle.COM Subject: RE: Date: Fri, 5 Sep 1997 10:48:01 -0500 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I find this kind of tasteless plug for a substandard firewall system offensive. This list is about helping others with firewall issues. I get enough junk email in my box without having to read a sales pitch for low-end-linux-off-a-floppy firewall. 
> -----Original Message----- > From: Stephen Greenwalt [SMTP:StephenG@DENVERSYS.COM] > Sent: Friday, September 05, 1997 9:00 AM > To: firewalls@GreatCircle.COM > Subject: > > Hi, > > Informational: > > Anyone about to deploy a firewall / proxy server / etc., or who is > generally involved in that industry would do well to visit the > following > site; http://watchguard.denversys.com > > Sincerely, > > Stephen Greenwalt From owner-firewalls-outgoing Fri Sep 5 09:02:56 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA18775 for firewalls-outgoing; Fri, 5 Sep 1997 07:39:36 -0700 (PDT) Received: from netbox.sdsi.com (netbox.sdsi.com [205.187.81.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id HAA18687 for ; Fri, 5 Sep 1997 07:39:04 -0700 (PDT) Received: from gatekeeper_public by netbox.sdsi.com (NTMail 3.02.07) with ESMTP id ga188870 for ; Fri, 5 Sep 1997 09:43:10 -0500 Received: (from u_smap@localhost) by gatekeeper.sdsi.com (8.8.4/8.8.4) id JAA02322 for ; Fri, 5 Sep 1997 09:42:55 -0500 X-Authentication-Warning: gatekeeper.sdsi.com: u_smap set sender to using -f Received: from unknown(205.187.81.210) by gatekeeper via smap (V2.0) id xma002318; Fri, 5 Sep 97 09:42:49 -0500 Received: by quake.sdsi.COM with Microsoft Mail id <01BCB9E0.47E2F3C0@quake.sdsi.COM>; Fri, 5 Sep 1997 09:44:18 -0500 Message-ID: <01BCB9E0.47E2F3C0@quake.sdsi.COM> From: Eric Dykema To: "'firewalls@greatcircle.com'" Subject: MS PPTP Date: Fri, 5 Sep 1997 09:44:17 -0500 X-Info: SDSI Mail Server Sender: firewalls-owner@GreatCircle.COM Precedence: bulk A higher rung on the corporate ladder is pushing me to implement Microsoft's PPTP. The goal is to create a VPN across the Internet. I have some preconceived ideas of the PPTP product, but I'm looking for input from anybody who's actually used it. I'm hoping to hear both pros and cons. 
TIA ----------------------------------------------------------------- Eric Dykema Network Administrator Software Development Systems Oak Brook, IL 630.368.0400 (Voice) 630.990.8584 (Fax) Email: Eric_Dykema@sdsi.com ----------------------------------------------------------------- From owner-firewalls-outgoing Fri Sep 5 09:23:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA29553 for firewalls-outgoing; Fri, 5 Sep 1997 08:29:14 -0700 (PDT) Received: from soran.pacific.net.sg (soran.pacific.net.sg [203.120.90.76]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA29454 for ; Fri, 5 Sep 1997 08:28:54 -0700 (PDT) Received: from madcap.dyn.ml.org (d125137.ppp125.cyberway.com.sg [203.116.125.137]) by soran.pacific.net.sg with ESMTP id XAA28088 for ; Fri, 5 Sep 1997 23:34:56 +0800 (SGT) Received: (qmail 1605 invoked by uid 100); 5 Sep 1997 15:31:03 -0000 Message-ID: <19970905233103.64953@dyn.ml.org> Date: Fri, 5 Sep 1997 23:31:03 +0800 From: Ng Pheng Siong To: ArkanoiD Cc: firewalls@greatcircle.com, freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG Subject: Re: log connection attempts? References: <203609030840.MAA14571@paranoid.convey.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.76e In-Reply-To: <203609030840.MAA14571@paranoid.convey.ru>; from ArkanoiD on Wed, Sep 03, 2036 at 12:40:07PM +0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sep 3, ArkanoiD wrote: > Did anyone try to patch the kernel to log connection attempts for ports > (tcp and maybe udp) where no program accepts connection? (2.1.7) About 2 years ago, some one from Oz did just that. Asking the search engines... Altavista... results totally irrelevant. (Seems that it is run by the Internic whois people these days. ;) Infoseek... hmmm, ip masquerade... Lycos... got it! 
First entry, too: http://minnie.cs.adfa.oz.au/Seminars/AUUG96/netpaper.html Off-hand I wonder if in-kernel logging might undo measures like syn-flood proofing, etc., and introduce DOS possibilities. BTW, read today that CMU is being awarded a patent for Lycos-related technology. -- Ng Pheng Siong From owner-firewalls-outgoing Fri Sep 5 10:40:18 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA18698 for firewalls-outgoing; Fri, 5 Sep 1997 09:59:46 -0700 (PDT) Received: from server2.rad.net.id (server2.rad.net.id [202.154.1.5]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id JAA18672 for ; Fri, 5 Sep 1997 09:59:36 -0700 (PDT) Received: from localhost.evil.org (dyn1019c.dialin.rad.net.id [202.154.42.19]) by server2.rad.net.id (8.8.5/RADNET) with SMTP id AAA26571; Sat, 6 Sep 1997 00:05:29 +0700 (WIB) Date: Sat, 6 Sep 1997 00:04:10 +0700 (JVT) From: Doy X-Sender: doy@localhost.evil.org Reply-To: Doy To: thuler , Firewall Mailing List Subject: Re: Special request In-Reply-To: <34101F7F.3B8D@bluewin.ch> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 5 Sep 1997, thuler wrote: > Hello everybody, > > Everydays, I'm receiving one or two anonymails. Can you tell me where I > can see the name of the expeditor. Unfortunately, I don't know a good > program for it. If you have something for me, please, send me by e-mail. > > Thanks > > Vincent - Switzerland > Have you inspected the full header of the mail? It will tell you alot, like where the mail was originated and the paths it travelled. The *name* of the expeditor? Well, I believe no program is able to find it. 
regards, Doy From owner-firewalls-outgoing Fri Sep 5 10:47:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA17429 for firewalls-outgoing; Fri, 5 Sep 1997 09:53:36 -0700 (PDT) Received: from cougar.alscomp.com (cougar.alscomp.com [204.33.167.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id JAA17285 for ; Fri, 5 Sep 1997 09:52:51 -0700 (PDT) Received: by cougar.alscomp.com (Smail3.1.29.1 #2) id m0x71n5-002GfqC; Fri, 5 Sep 97 13:03 EDT Date: Fri, 5 Sep 1997 13:03:26 -0400 (EDT) From: Chris Briggs To: Chris Brenton cc: "'firewalls@greatcircle.com'" Subject: RE: about sendmail security In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 5 Sep 1997, Chris Brenton wrote: > Humm. How about a process that not only checks that the source IP > address can be resolved to a valid host, but that it can be resolved > back to a system which also has a valid MX record. > > Just a thought... The latest smail beta does this, along with other checks intended to deny relaying spam, or at least make it a little more difficult. Generated quite a bit of talk on the smail list a month or so ago because Greg enabled those checks by default and a lot of people found their DNS was incomplete... You can get smail at ftp.planix.com/pub/Smail. -cb --------------------------------------------------------------------------- Chris Briggs chris@cougar.alscomp.com A.L.S. Computer Systems Network Specialist Gan, if you're trying to scare me, you're succeeding. 
-- Vila [Time Squad]

From owner-firewalls-outgoing Fri Sep 5 11:02:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA18058 for firewalls-outgoing; Fri, 5 Sep 1997 09:57:13 -0700 (PDT) Received: from bdc9000.pccmis.com (pccentral.cyberportal.net [204.97.235.63]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id JAA18010 for ; Fri, 5 Sep 1997 09:57:01 -0700 (PDT) Received: by bdc9000.pccmis.com with Microsoft Exchange (IMC 4.0.837.3) id <01BCB9FC.533A2D30@bdc9000.pccmis.com>; Fri, 5 Sep 1997 13:05:03 -0400 Message-ID: From: Chris Brenton To: "'Ed Forbes'" Cc: "'firewalls@greatcircle.com'" Subject: RE: about sendmail security Date: Fri, 5 Sep 1997 13:05:01 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>> Humm. How about a process that not only checks that the source IP
>> address can be resolved to a valid host, but that it can be resolved
>> back to a system which also has a valid MX record.
>>
>> Just a thought...
>
>Why would it have to resolve to a valid MX record? MX records are only
>required if the mail shouldn't be returned to the sending host.
>
>Just my thoughts,

I was thinking from a security perspective. For example, if I telnet port 25 of your mail host and you are checking to ensure that my IP address has a valid host name, your machine will accept the connection. If however, your machine checks to see if I am a valid mail system (i.e. MX record check), it would deny the connection. True this is not bulletproof, but it does add another layer of validation checking to make mail spoofing that much more difficult.
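The sender checks discussed in this thread, worked through as an added example that is not code from any of the posts: Chris Brenton's reverse-lookup-plus-MX check above, the A-or-MX lookup on the sender address with a temporary reject on DNS timeout that the Citadel post later in the thread describes, and the tag-instead-of-reject alternative Damark mentions. The resolver is a constructed in-memory table; the zone data, addresses and the `X-Sender-Unverified` header name are this example's assumptions.

```python
"""Sender validation for an SMTP front end, after the checks discussed in this
thread: reject when the sender domain has neither MX nor A record, defer on a
DNS timeout, or (Damark's alternative) accept and tag the message instead."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

class DnsTimeout(Exception):
    """Raised by a resolver when the lookup does not complete in time."""

# A resolver maps (name, rrtype) to the list of answers, empty when the name
# has no such record, or raises DnsTimeout.  Production code would wrap the
# system resolver; the table-driven one below is constructed for this example.
Resolver = Callable[[str, str], List[str]]

@dataclass(frozen=True)
class Verdict:
    code: int                     # SMTP reply code to send after MAIL FROM
    message: str
    header: Optional[str] = None  # header to add when tagging instead of rejecting

def sender_domain(mail_from: str) -> Optional[str]:
    """Domain part of a MAIL FROM argument such as '<user@example.org>'.
    Returns '' for the null sender '<>' and None for a malformed address."""
    addr = mail_from.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if addr == "":
        return ""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain or any(c.isspace() for c in domain):
        return None
    return domain.rstrip(".").lower()

def has_mail_records(domain: str, resolve: Resolver) -> bool:
    """True when the domain has an MX record or, failing that, an A record,
    i.e. when a reply or bounce could be delivered back to it."""
    return bool(resolve(domain, "MX")) or bool(resolve(domain, "A"))

def check_sender(mail_from: str, resolve: Resolver, reject: bool = True) -> Verdict:
    """Reply to MAIL FROM.  With reject=False the message is always accepted
    and an advisory header is returned for the front end to add instead."""
    domain = sender_domain(mail_from)
    if domain is None:
        return Verdict(501, "Syntax error in sender address")
    if domain == "":
        return Verdict(250, "OK")  # null sender (bounces): nothing to look up
    try:
        if has_mail_records(domain, resolve):
            return Verdict(250, "OK")
    except DnsTimeout:
        if reject:  # temporary failure: a real sending MTA will retry later
            return Verdict(451, f"Temporary DNS failure for {domain}, try again later")
        return Verdict(250, "OK", f"X-Sender-Unverified: DNS timeout for {domain}")
    if reject:
        return Verdict(550, f"Sender domain {domain} has no MX or A record")
    return Verdict(250, "OK", f"X-Sender-Unverified: no MX or A record for {domain}")

def check_peer(ip: str, resolve: Resolver) -> bool:
    """Chris Brenton's variant: the connecting IPv4 address must reverse-resolve
    to a host name, and that name or one of its parent domains must have an MX
    record.  Walking the parent domains is this example's reading of 'valid
    mail system'; the post itself does not say how far to look."""
    arpa = ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
    for name in resolve(arpa, "PTR"):
        labels = name.rstrip(".").lower().split(".")
        for i in range(len(labels) - 1):  # host, then each parent, never the bare TLD
            if resolve(".".join(labels[i:]), "MX"):
                return True
    return False

def make_table_resolver(table: Dict[str, Dict[str, List[str]]], slow: Set[str]) -> Resolver:
    """Offline resolver over a constructed zone table; names in `slow` behave
    like a name server that never answers."""
    def resolve(name: str, rrtype: str) -> List[str]:
        if name in slow:
            raise DnsTimeout(name)
        return table.get(name, {}).get(rrtype, [])
    return resolve

# Constructed sample records for the demonstration; none of them are real.
SAMPLE_ZONES = {
    "example.org": {"MX": ["mail.example.org."]},
    "mail.example.org": {"A": ["192.0.2.25"]},
    "25.2.0.192.in-addr.arpa": {"PTR": ["mail.example.org."]},
    "hostonly.example.net": {"A": ["198.51.100.7"]},  # A record only, no MX anywhere
    "7.100.51.198.in-addr.arpa": {"PTR": ["hostonly.example.net."]},
}
RESOLVE = make_table_resolver(SAMPLE_ZONES, slow={"moved.example.com"})

if __name__ == "__main__":
    for sender in ["<alice@example.org>", "<bob@hostonly.example.net>",
                   "<carol@nowhere.invalid>", "<dave@moved.example.com>", "<>"]:
        print(f"{sender:28} -> {check_sender(sender, RESOLVE)}")
    print("peer 192.0.2.25 is a mail system:", check_peer("192.0.2.25", RESOLVE))
    print("peer 198.51.100.7 is a mail system:", check_peer("198.51.100.7", RESOLVE))
```

The 451 path matters as much as the 550 one: a domain whose secondary DNS is stale (the case Damark describes) gets retried rather than bounced.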
From owner-firewalls-outgoing Fri Sep 5 11:17:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA19624 for firewalls-outgoing; Fri, 5 Sep 1997 10:03:29 -0700 (PDT) Received: from main.geminisecure.com (main.geminisecure.com [205.179.16.1]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id KAA19593 for ; Fri, 5 Sep 1997 10:03:21 -0700 (PDT) Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id KAA05238; Fri, 5 Sep 1997 10:07:29 -0700 Date: Fri, 5 Sep 1997 10:07:29 -0700 (PDT) From: Leonard Miyata To: ö PaLaN ö cc: firewalls@GreatCircle.COM Subject: Re: Security Technology In-Reply-To: <3.0.2.32.19970905122359.007b4a30@192.228.128.118> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi there

What about ...
a. Network Layer end to end Authentication and Integrity (e.g. IPSEC)
b. Session Layer Authentication & Encryption (e.g. KERBEROS, SSL)
c. Application Encryption with implied integrity and authentication (e.g. PGP, S-MIME)
d. Public key infrastructure to support digital signature (e.g. X.509)
e. Private (Secret) Key management via Smart Card (e.g. FORTEZZA, ???)

Personal Opinions provided by Leonard Miyata aka leonard@geminisecure.com
Gemini Computers Inc.

On Fri, 5 Sep 1997, ö PaLaN ö wrote:
> Howdy all,
>
> Can anyone add some other security technology that conform to the
> "standards" ? If you know any beside the below, please let me know..
>
> Today's Security Technology include :
>
> 1. Encryption (VPN, PPTP, etc)
> 2. FIREWALL (Packet filter, Proxy, Stateful, etc)
> 3. Authentication & Authorisation (TACACS, RADIUS, etc)
> 4. ?????
> 5. ?????
>
> Rgds,
> PaLaN
>
> Security Analyst
> West Malaysia.
> _______________________________________________
> "Here is my key ... lets exchange packets now."
From owner-firewalls-outgoing Fri Sep 5 12:01:01 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id JAA17236 for firewalls-outgoing; Fri, 5 Sep 1997 09:52:41 -0700 (PDT) Received: from pp-ulm.de (grizu.pp-ulm.de [195.30.58.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id JAA17158 for ; Fri, 5 Sep 1997 09:52:23 -0700 (PDT) From: kb@pp-ulm.de Received: from email.pp-ulm.de by pp-ulm.de (SMI-8.6/SMI-SVR4) id SAA00598; Fri, 5 Sep 1997 18:59:00 +0200 Received: from nt_domain_pc.pp-ulm.de (NT_DOMAIN_PC.pp-ulm.de [192.168.200.42]) by email.pp-ulm.de (8.7.5/8.7.3) with SMTP id TAA22806 for ; Fri, 5 Sep 1997 19:52:46 +0200 Received: by nt_domain_pc.pp-ulm.de with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BCBA2D.C33F6E20@nt_domain_pc.pp-ulm.de>; Fri, 5 Sep 1997 18:58:57 +0200 Message-ID: To: Subject: FW1 - log messages Date: Fri, 5 Sep 1997 18:58:56 +0200 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi !

I started some time ago setting up my fw-1, and by looking at the messages I find a lot of logs with the following contents:

Action Service Source Destination Proto Rule S_port Info
drop 47110 router 255.255.255.255 udp 2050 len 124

I do not know if this is ok or not. Router is my ISDN router to the provider. Also there are some messages I do not see in the log file and I wonder why.

Thanks for your help
Klaus

Klaus Boden
Pfeiffer und Partner, the client server company
Address : Magirusstraße 4, 89129 Langenau
Phone : +49 7345 9669-18
Fax : +49 7345 9669-20
mailto:kb@pp-ulm.de
http://www.pp-ulm.de

From owner-firewalls-outgoing Fri Sep 5 12:07:43 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA21444 for firewalls-outgoing; Fri, 5 Sep 1997 10:12:00 -0700 (PDT) Received: from gateway.damark.com (GATEWAY.DAMARK.COM [204.17.145.230]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id KAA21221 for ; Fri, 5 Sep 1997 10:10:57 -0700 (PDT) Received: by gateway.damark.com; id MAA06533; Fri, 5 Sep 1997 12:17:11 -0500 (CDT) Received: from sco.damark.com(172.31.254.231) by gateway.damark.com via smap (3.2) id xme006527; Fri, 5 Sep 97 12:17:09 -0500 Received: by damark.com (5.65/1.2-eef) id AA20517; Fri, 5 Sep 97 12:17:07 -0500 Message-Id: <9709051717.AA20517@damark.com> From: "william.wells" To: Chris Brenton , "'Lucas Cotta'" Subject: RE: about sendmail security Date: Fri, 05 Sep 97 12:16:00 +6C Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

We've actually considered rejecting mail when we can't confirm the sender. In almost all cases, the IP address is the same company and we often find that the mail server was being moved or a secondary DNS server wasn't updated. In all cases, our customers don't appreciate it if we reject mail because their mail service has problems. We do get reports from the firewall and do look into them. We don't get many problems.

I have considered, however, adding a line to the body of the mail indicating that the "sending system" cannot be confirmed and that the mail might be bogus.
William Wells Manager, Systems Administration Damark International, Inc william.wells@damark.com All opinions are my own.... ---------- From: Chris Brenton To: 'william.wells'; 'Lucas Cotta' Cc: 'firewalls@greatcircle.com' Subject: RE: about sendmail security Date: Friday, September 05, 1997 9:44PM >We use a specially written program answer connections to port 25. This >program only allows the minimum number of sendmail commands to work and also >checks addresses for oddities. If the mail is OK, the program passes the >mail inward for further processing. This is often done by writing the mail >to a file and using another program to pass the mail further. By doing this, >an external person can't make a direct network connection to the inside. Humm. How about a process that not only checks that the source IP address can be resolved to a valid host, but that it can be resolved back to a system which also has a valid MX record. Just a thought... From owner-firewalls-outgoing Fri Sep 5 12:17:14 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA22517 for firewalls-outgoing; Fri, 5 Sep 1997 10:18:31 -0700 (PDT) Received: from citadel.cdsec.com (citadel.cdsec.com [192.96.22.18]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id JAA13616 for ; Fri, 5 Sep 1997 09:35:07 -0700 (PDT) Received: (from nobody@localhost) by citadel.cdsec.com (8.8.5/8.6.9) id SAA23788 for ; Fri, 5 Sep 1997 18:44:25 +0200 (SAT) Received: by citadel via recvmail id 23753; Fri Sep 5 18:43:51 1997 by gram.cdsec.com (8.8.5/8.8.5) id SAA07036 for firewalls@greatcircle.com; Fri, 5 Sep 1997 18:31:03 +0200 (SAT) From: Graham Wheeler Message-Id: <199709051631.SAA07036@cdsec.com> Subject: RE: about sendmail security To: firewalls@greatcircle.com Date: Fri, 5 Sep 1997 18:31:03 +0200 (SAT) X-Mailer: ELM [version 2.4 PL25-h4.1] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: 
firewalls-owner@GreatCircle.COM Precedence: bulk

> > Humm. How about a process that not only checks that the source IP
> address can be resolved to a valid host, but that it can be resolved
> back to a system which also has a valid MX record.

Our Citadel firewall has a feature something like this. We check the FROM: address in an SMTP exchange, and check whether we can do an A or an MX record lookup for this address. If not, the mail is rejected; if we get a DNS timeout, we do a temporary reject. Sites that want to do something similar without using a firewall could modify smap from the TIS toolkit to do this - changing sendmail would be somewhat more of a challenge.

However, our experience shows that this only filters out about 10% of spam mail. It's better than nothing, but there is a lot more that could be done. For example, checking for X-Advertisement mail headers would eliminate quite a few more spam messages; blocking all mail from certain hosts that are the originators of lots of spam would also be quite effective, although this would require a list of offending hosts to be maintained and kept current. At the moment we're just collecting these spam messages and will sometime soon try to come up with some heuristics that will eliminate a whole lot more. It's quite a satisfying activity... ;-)

g.
-- Dr Graham Wheeler E-mail: gram@cdsec.com Citadel Data Security Phone: +27(21)23-6065/6/7 Internet/Intranet Network Specialists Mobile: +27(83)-253-9864 Firewalls/Virtual Private Networks Fax: +27(21)24-3656 Data Security Products WWW: http://www.cdsec.com/ From owner-firewalls-outgoing Fri Sep 5 13:47:24 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA27064 for firewalls-outgoing; Fri, 5 Sep 1997 08:16:39 -0700 (PDT) Received: from point.pch.gc.ca (point.pch.gc.ca [167.33.21.4]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA26801 for ; Fri, 5 Sep 1997 08:15:34 -0700 (PDT) From: Bill_Royds@pch.gc.ca Received: from pchgate.pch.gc.ca (pchgate.pch.gc.ca [167.33.21.2]) by point.pch.gc.ca (8.7.6/8.7.3) with SMTP id LAA01617 for ; Fri, 5 Sep 1997 11:20:31 -0400 (EDT) Received: from relay.pch.gc.ca by pchgate.pch.gc.ca via smtpd (for point.pch.gc.ca [167.33.21.4]) with SMTP; 5 Sep 1997 15:21:46 UT Received: from pch.gc.ca (pch-mail-smtp.pch.gc.ca [167.33.1.28]) by relay.pch.gc.ca (8.7.6/8.7.3) with SMTP id LAA03526 for ; Fri, 5 Sep 1997 11:24:01 -0400 (EDT) Received: by pch.gc.ca(Lotus SMTP MTA v1.1 (385.6 5-6-1997)) id 85256509.00543EA2 ; Fri, 5 Sep 1997 11:20:10 -0400 X-Lotus-FromDomain: PCH To: Firewalls@GreatCircle.COM Message-ID: <85256509.00538442.00@pch.gc.ca> Date: Fri, 5 Sep 1997 11:17:57 -0400 Subject: Re:Webserver logging Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have written Perl scripts which analyse the Raptor Eagle Unix Version 4.0 logs to extract the logging information. An early version is available at the Raptor ftp site (under unsupported directory). We run them over our log files each night after the logfiles are turned over and give a CERN or IIS version logfile to the server webmasters. 
There is the restriction that the Perl program cannot combine intrinsic server information (replace ~user references with actual entries, for example) but it generally produces useful results.

In Firewalls-Digest Thursday, September 4 1997 Volume 06 : Number 424 was the request:

Date: Thu, 4 Sep 1997 13:56:55 +0200
From: "Pleuger, R.B.W."
Subject: Webserver logging

Hi, Recently we put a webserver behind our firewall (eagle nt 4.0). The problem now is that all hits from the outside world are being logged with the ip address of the inside interface of our firewall. Do other firewalls do the same and, if they don't, why does raptor do it?

Regards
Roger

From owner-firewalls-outgoing Fri Sep 5 13:59:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id KAA26465 for firewalls-outgoing; Fri, 5 Sep 1997 10:32:38 -0700 (PDT) Received: from out2.ibm.net (out2.ibm.net [165.87.194.229]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id KAA26410 for ; Fri, 5 Sep 1997 10:32:25 -0700 (PDT) Received: from noam (slip139-92-89-182.tel.il.ibm.net [139.92.89.182]) by out2.ibm.net (8.8.5/8.6.9) with ESMTP id RAA124220 for ; Fri, 5 Sep 1997 17:38:30 GMT Message-ID: <3410436C.9CFCFC47@israelmail.com> Date: Fri, 05 Sep 1997 20:37:49 +0300 From: Noam Rathaus X-Mailer: Mozilla 4.01 [en] (Win95; I) MIME-Version: 1.0 To: "firewalls@GreatCircle.COM" Subject: Possible Security Threat? X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi, I would like to know if anyone heard of a hacker trying to mimic a Windows NT Server's Master Browser and thus creating a huge upsurge in forced elections?

--
Thanks
Noam Rathaus
NT / Exchange / Network Administrator.
Certified CNA - Site Builder Network 2
Israel
mailto://dolittle@israelmail.com
UIN: 486098 (http://www.mirabilis.com)
-------------------------------------------------
If you use Netscape, get yourself certificated at http://www.verisign.com (for free...); this will enable you to encrypt outgoing email.
-------------------------------------------------

From owner-firewalls-outgoing Fri Sep 5 14:02:21 1997
From: BVE
To: marusak@unipo.sk
Cc: firewalls@greatcircle.com
Subject: RE: qmail
Date: 5 Sep 1997 17:26:41 -0000

> Date: Thu, 4 Sep 1997 12:33:12 +0200 (MET DST)
> From: Martin Marusak
>
> qmail was recommended for me as a replacement for sendmail. I was told
> it doesn't have such big bugs and is more secure. What do you think about
> using qmail instead of sendmail?
>
> Martin Marusak

We've used it here for a while now, and I really like it a lot. It was designed from the ground up for security, and is very easy to configure. We don't need a separate mail proxy, because qmail effectively eliminates the problem by design. (It has a bunch of small programs, each dedicated to a specific task -- the SMTP daemon is a lot like a proxy....)

If you choose to use qmail's Maildir format, it also completely eliminates the whole class of problems associated with the mail spool -- mail is simply stored in each user's home directory. There are POP clients, mailing list managers (& patches to make existing ones work), a /usr/lib/sendmail replacement (for compatibility), and more.

However, sendmail *is* still a more functional program, so if you're doing really hairy format conversions and such, you *may* still need it for internal use only.

The best thing I like about using qmail (we use it exclusively in our environment, at this point) is that every time I hear about a new sendmail bug, I just hit "d"! ;-) We spend much less time worrying about upgrading our mail servers these days....

Overall, I rate it very highly. However, if anyone has had bad experiences with it, or knows of security problems, I would very much like to hear about them....

--
Bill Van Emburg
Quadrix Solutions, Inc.
Phone: 732-235-2335 (bve@quadrix.com)
Fax: 732-235-2336 (http://quadrix.com)
"You do what you want, and if you didn't, you don't"

From owner-firewalls-outgoing Fri Sep 5 14:03:04 1997
From: Peter da Silva
To: ed@alcpress.com
Cc: silicom@netvision.net.il, firewalls@GreatCircle.COM, ntsecurity@iss.net, anton@Toronto.com
Subject: Re: Proxy Server 2.0 features & market positioning by Microsoft Program Manager
Date: Fri, 5 Sep 1997 08:08:48 -0500 (CDT)

> I think you (and possibly others) may be a bit vendorphobic.
> The message that you're complaining about is clearly stated
> as "Proxy Server 2.0 features & marketing positioning..."
> in the subject line.

That doesn't tell me it's marketing fluff. I might well post a message with that title pointing out how their marketing position is inconsistent with their features. Even a message from a Microsoft address might contain useful information under that title. And in any case I tend to give messages from Firewalls a higher priority, and it's useful that I be able to do so, simply because they so rarely contain marketing noise.

So it's *not* possible to just skip a message like that without reading it. And I wouldn't want to discourage people at Microsoft from commenting from the trenches by making them think their messages would simply be discarded just because of where they're posting from, which is what you seem to be proposing.

No, it's not classical spam. It's not unsolicited marketing email. But I think that we need to draw the line on this list against vendors sending apparently solicited responses to the list as a whole: we've had periods in the past where single vendors have pushed a significant amount of such fluff down the pipe.

With more and more vendors getting into it, especially companies like Microsoft who have been pushing the ragged edge of acceptable behaviour in marketing material in the past (yes, I've had bulk mail from them that it's a stretch to consider solicited), if we don't draw that line here it's just going to get worse. I hope in the future that they send lengthy web-formatted low-content pieces to just the person who requested it.

From owner-firewalls-outgoing Fri Sep 5 14:04:50 1997
From: Ed Forbes
To: Chris Brenton
Cc: firewalls@greatcircle.com
Subject: Re: about sendmail security
Date: Fri, 5 Sep 1997 11:53:13 -0400 (EDT)

> >We use a specially written program to answer connections to port 25. This
> >program only allows the minimum number of sendmail commands to work and also
> >checks addresses for oddities. If the mail is OK, the program passes the
> >mail inward for further processing. This is often done by writing the mail
> >to a file and using another program to pass the mail further. By doing this,
> >an external person can't make a direct network connection to the inside.
>
> Humm. How about a process that not only checks that the source IP
> address can be resolved to a valid host, but that it can be resolved
> back to a system which also has a valid MX record.
>
> Just a thought...

Why would it have to resolve to a valid MX record? MX records are only required if the mail shouldn't be returned to the sending host.

Just my thoughts,

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ed Forbes
Internet Support Engineer
GTE Internetworking Services
150 Cambridge Park Drive
Cambridge, MA. 02140
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From owner-firewalls-outgoing Fri Sep 5 14:17:51 1997
From: Jyri Kaljundi
To: ipfilter@postbox.anu.edu.au, Firewalls mailing list
Subject: adding payload examination to ipfilter/ipfw
Date: Fri, 5 Sep 1997 19:16:12 +0300 (EET DST)

How hard would it be to add some payload examination capabilities to free firewalls/packet filters like the ipfilter/ipfw code? What I would like to see is something similar to Check Point FireWall-1 INSPECT language, where you can change the rules on the fly, depending on some changing variables.

How I see it is that today's firewalls are moving in such a direction that, on one side, there still should be application layer examination (you should for example be able to filter FTP safely and understand the FTP traffic), and on the other side you want to do this as efficiently as possible, not using specific proxies for every protocol but instead doing it as deeply inside the kernel or operating system as possible. When possible, you would want to let packets freely through the filter code (there is quite a lot of time in application layer proxies where you actually are using either some kind of null tunnels or not examining the payload) and only when needed examine the internals of the protocol traffic. No need to keep the proxy processes lying around all the time: it takes computing resources, it makes the firewall as a product more complicated (you must have hundreds of proxies, as that is how many protocols we have today, more coming every day), and for firewall vendors it makes it harder to write their products; they can never write proxies for every protocol.

So according to how far in the protocol / connection lifecycle you are, you should change between network layer examination and application layer examination.

IPfilter is a great piece of software, but it only works at the network layer. A capability of switching to the application layer now and then would be just great, and for that what we need is code or a scripting language to define our own smart filters easily.

So people who are more familiar with ipfilter, how hard would it be to do that?
Jyri Kaljundi
jk@stallion.ee
AS Stallion Ltd
http://www.stallion.ee/

From owner-firewalls-outgoing Fri Sep 5 15:28:10 1997
From: "Sokolowski, Ryan (CAP, TMS)"
To: ed@alcpress.com, "'Peter da Silva'"
Cc: silicom@netvision.net.il, firewalls@GreatCircle.COM, ntsecurity@iss.net, anton@Toronto.com
Subject: RE: [NTSEC] Re: Proxy Server 2.0 features & market positioning by Microsoft Program Manager
Date: Fri, 5 Sep 1997 09:33:53 -0400

> "I hope in the future that they send lengthy
> web-formatted low-content pieces to just the person who requested it."

Well, Peter, I hope that in the future YOU send your opinion to only those who care! I just joined this list (NTSECURITY) a few days ago and am astounded at how childish and juvenile and ill-mannered many posters seem to be. When responding to something, is it really necessary to direct this to the ENTIRE list? Also, the vast majority of the posts to this group really seem minor and irrelevant, to the point that I'm not sure it's worth sorting through 50+ junk e-mails a day to find something of worth.

Is not this group suffering from its own self-generating spam? I'll stick around for another week and see if things get any better. If not, I'm gone -- I am gainfully employed and definitely have better things to do with my time than weed through garbage.

Ryan Sokolowski, MCSE, CNA
Consultant
GE Capital Consulting
Ryan.Sokolowski@gectms.ge.com

> ----------
> From: Peter da Silva[SMTP:peter@grendel.nmti.com]
> Reply To: Peter da Silva
> Sent: Friday, September 05, 1997 8:08 AM
> To: ed@alcpress.com
> Cc: silicom@netvision.net.il; firewalls@GreatCircle.COM; ntsecurity@iss.net; anton@Toronto.com
> Subject: [NTSEC] Re: Proxy Server 2.0 features & market positioning by Microsoft Program Manager

From owner-firewalls-outgoing Fri Sep 5 15:47:27 1997
From: "Gregg Earnhart"
To: "J.D."
Subject: Re: Best firewall choice
Date: Fri, 5 Sep 1997 12:57:12 -0500

Checkpoint Firewall-1 for Windows NT is a very good product. www.checkpoint.com. A proxy or packet filter is not really as important as the functional features which come with Checkpoint. It depends greatly on what the need is from the network. Do you need ATM speed? How about remote management? You get the idea. Tons of other vendors offer this or say the next release will contain....

Gregg Earnhart
ge@gte.net

-----Original Message-----
From: J.D.
To: firewalls@greatcircle.com
Date: Tuesday, September 02, 1997 10:46 AM
Subject: Best firewall choice

>Hello!
>
>I have an important customer connected to the Internet who needs a very
>secure solution.
>They work with NT 4.0 and all MS products. Having read about MS Proxy 2.0,
>I see it now offers packet filtering and firewall security.
>What solution would you recommend, Proxy or other firewall for NT?
>
>Thanks for your help
>
>Dan

From owner-firewalls-outgoing Fri Sep 5 15:54:01 1997
From: Paul Leach
To: ed@alcpress.com, "'Peter da Silva'"
Cc: silicom@netvision.net.il, firewalls@GreatCircle.COM, ntsecurity@iss.net, anton@Toronto.com
Subject: RE: [NTSEC] Re: Proxy Server 2.0 features & market positioning by Microsoft Program Manager
Date: Fri, 5 Sep 1997 11:03:12 -0700

How about remembering that Itai Dor-on posted it to the list, not the MS PM. And that Itai's first posting that prompted the reply explicitly questioned the legitimacy of _positioning_ MS Proxy 2.0 as a firewall.

> ----------
> From: Peter da Silva[SMTP:peter@grendel.nmti.com]
> Reply To: Peter da Silva
> Sent: Friday, September 05, 1997 6:08 AM
> To: ed@alcpress.com
> Cc: silicom@netvision.net.il; firewalls@GreatCircle.COM; ntsecurity@iss.net; anton@Toronto.com
> Subject: [NTSEC] Re: Proxy Server 2.0 features & market positioning by Microsoft Program Manager

From owner-firewalls-outgoing Fri Sep 5 16:33:55 1997
From: "Conrad Minor"
To: "Anton J Aylward"
Subject: Re: [NTSEC] Re: Proxy Server 2.0 features & market positioning by Microsoft Program Manager
Date: Fri, 5 Sep 1997 08:23:22 -0400

All,

I found Microsoft's statements interesting. I considered it appropriate for the NT Security list.

Conrad

----------
> From: Anton J Aylward
> To: silicom@netvision.net.il; firewalls@GreatCircle.COM; ntsecurity@iss.net
> Subject: [NTSEC] Re: Proxy Server 2.0 features & market positioning by Microsoft Program Manager
> Date: Thursday, September 04, 1997 10:12 PM
>
> ## Reply Start ##
>
> Quite apart from its length, I think this oversteps the mark
> into blatant advertising. It would have been quite sufficient
> to have supplied a URL.
>
> >This message is in response to a posting by Itai Dor-on on this newsgroup
> >about Proxy Server version 2.0 Beta. Itai had several questions about
> >Proxy Server 2.0 features, security, and market positioning.
> >
> >I am a Program Manager for Microsoft Proxy Server. I would like to clarify
> >the feature-set and market positioning of Proxy Server v2.0, and respond
> >to some specific comments in Itai's posting.
>
> That's what I mean.
> If we want to know the 'market positioning' we can look it up from a URL.
> This was an excessive post considering the question.
>
> /anton
>
> ## Reply End ##
> --------------------------------------------------------------------------
> Anton J Aylward                  | "Quality refers to the extent to which
> The Strahn & Strachan Group Inc  | processes, products, services, and
> Information Security Consultants | relationships are free from defects,
> Voice: (416) 494-8661            | constraints and items which do not add
> Fax:   (416) 494-8803            | value." - Dr. Mildred G Pryor, 1995

From owner-firewalls-outgoing Fri Sep 5 17:23:04 1997
From: Doy
To: ö PaLaN ö
Cc: firewalls@greatcircle.com
Subject: Re: Security Technology
Date: Sat, 6 Sep 1997 01:02:47 +0700 (JVT)

On Fri, 5 Sep 1997, ö PaLaN ö wrote:

> Can anyone add some other security technology that conforms to the
> "standards"? If you know any beside the below, please let me know..
>
> Today's Security Technology includes:
>
> 1. Encryption (VPN, PPTP, etc)
> 2. FIREWALL (Packet filter, Proxy, Stateful, etc)
> 3. Authentication & Authorisation (TACACS, RADIUS, etc)
> 4. ?????
> 5. ?????
>

Intrusion Detection Systems (IDS).

The differences between IDS and firewalls:

1. Firewalls have filter/block capability, while IDS can only detect an intrusion after it happened.
2. IDS usually are more intelligent (can be trained, can learn).
3. IDS is a very general term. It ranges from a program that monitors keystrokes to a network sniffer. It can be host based (monitors a host) or network based (monitors a network).

Because a host based IDS is installed on a host, it can monitor host-specific parameters (like keystrokes, CPU usage and number of processes per user) and detect application-specific attacks. The network based IDS monitors network activities (just like a firewall), but does not have filtering capability (?). I think that's the only thing in which a firewall and a network based IDS differ (if we really want to make a difference (?)).

There are two detection models for IDS, anomaly detection and misuse detection. With anomaly detection, an intrusion is defined as everything that's not the 'usual' thing. With misuse detection, an intrusion is activity that matches a specific attack pattern.

Another difference between IDS and other approaches is that usually IDS is more intelligent. It can be trained, it can learn and it *can* detect intrusions (firewalls just block activities, and don't bother whether they are normal activities or intrusions).

Sorry if this sounds like I'm lecturing (I'm not a lecturer!). But that reflects my understanding of both IDS and firewalls, and I need confirmation from you guys, the experts.

You can visit http://www.cs.purdue.edu/coast/intrusion-detection/ or obtain a few papers by Sandeep Kumar and Aurobindo Sundaram (both Purdue?); I forgot the links.
regards,
Doy

From owner-firewalls-outgoing Fri Sep 5 17:24:17 1997
From: Brian Lindsay
To: firewalls@GreatCircle.COM
Date: Fri, 5 Sep 1997 12:33:24 -0700

remove

From owner-firewalls-outgoing Fri Sep 5 17:25:44 1997
From: george@neato.org
To: "Jim E. Crawford"
Cc: "'Stephen Greenwalt'", firewalls@GreatCircle.COM
Subject: Re: SPAM by denversys
Date: Fri, 5 Sep 1997 12:50:25 -0700 (PDT)

JCrawford@checkov.twc.com said:
> I find this kind of tasteless plug for a substandard firewall system
> offensive. This list is about helping others with firewall issues. I
> get enough junk email in my box without having to read a sales pitch
> for low-end-linux-off-a-floppy firewall.

Even worse, these guys are JUST some dinky worthless reseller and this guy is some idiot marketdroid! What complete crap. Avoid these dudes (Denversys) like the plague. If you're interested in this subpar product, go to the real company directly: watchguard.com.

Take a stand against SPAM - vote with your money - don't do business with companies like this!

george

From owner-firewalls-outgoing Fri Sep 5 17:27:11 1997
From: security
Reply-To: nelsonah@HeatherGreens.net
To: "Jim E. Crawford"
Cc: "'Stephen Greenwalt'", firewalls@GreatCircle.COM
Subject: RE:
Date: Fri, 5 Sep 1997 15:55:54 -0500 (EST)

Wow! A low-end-linux-off-a-floppy firewall? Let me look...

Sorry, just couldn't resist....

On Fri, 5 Sep 1997, Jim E. Crawford wrote:

> I find this kind of tasteless plug for a substandard firewall system
> offensive. This list is about helping others with firewall issues. I
> get enough junk email in my box without having to read a sales pitch for
> low-end-linux-off-a-floppy firewall.
> > > > -----Original Message----- > > From: Stephen Greenwalt [SMTP:StephenG@DENVERSYS.COM] > > Sent: Friday, September 05, 1997 9:00 AM > > To: firewalls@GreatCircle.COM > > Subject: > > > > Hi, > > > > Informational: > > > > Anyone about to deploy a firewall / proxy server / etc., or who is > > generally involved in that industry would do well to visit the > > following > > site; http://watchguard.denversys.com > > > > Sincerely, > > > > Stephen Greenwalt > From owner-firewalls-outgoing Fri Sep 5 17:28:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA12204 for firewalls-outgoing; Fri, 5 Sep 1997 12:05:58 -0700 (PDT) Received: from igate.nrc.gov (igate.nrc.gov [148.184.176.31]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id MAA12169 for ; Fri, 5 Sep 1997 12:05:42 -0700 (PDT) Received: from nrc.gov by smtp-gateway SMTP id PAA01472 for ; Fri, 5 Sep 1997 15:11:44 -0400 (EDT) Received: from GATED-Message_Server by nrcsmtp.nrc.gov with Novell_GroupWise; Fri, 05 Sep 1997 15:13:32 -0400 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Fri, 05 Sep 1997 15:08:05 -0400 From: Victor Pham To: firewalls@GreatCircle.COM, dharris@kcp.com Subject: Re: Citrix WinFrame -Reply Mime-Version: 1.0 Content-Type: text/plain Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Greeting, You CAN actually allow your internal network to communicate safely through a firewall, with an external server using Citrix Winframe's ICA protocol. (I believe ICA uses port 1494 tcp/udp). 1. Proxy outbound connection from win95 client. For example, if the software use a browser as its front-end, you need to proxy port 80. 2. On the proxy machine, inside the firewall, run a tcp relay program such as Delegate to relay the inbound/outbound ICA requests. (Proxy server should be as secure as possible...or you can chain it to a vanilla Socks server & runs the tcp relay program there) 3. 
You should also proxy outbound telnet & ftp to prevent, reverse telnet & ftp attack. (TIS fwtk has a good telnet & ftp proxy daemon) 4. Have an adequate filtering scheme at the firewall, of course... 5. It'll be better if you can established a encrypted tunnel between the wins95 client and the external Winframe server. It's quite easy to set one up w/ several packages, such as AltaVista Tunneling, etc. Cheers, Victor Pham From owner-firewalls-outgoing Fri Sep 5 17:29:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA15350 for firewalls-outgoing; Fri, 5 Sep 1997 12:24:03 -0700 (PDT) Received: from gateway.damark.com (GATEWAY.DAMARK.COM [204.17.145.230]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id MAA15287 for ; Fri, 5 Sep 1997 12:23:41 -0700 (PDT) Received: by gateway.damark.com; id OAA16418; Fri, 5 Sep 1997 14:29:45 -0500 (CDT) Received: from sco.damark.com(172.31.254.231) by gateway.damark.com via smap (3.2) id xme016374; Fri, 5 Sep 97 14:29:18 -0500 Received: by damark.com (5.65/1.2-eef) id AA27907; Fri, 5 Sep 97 14:27:25 -0500 Message-Id: <9709051927.AA27907@damark.com> From: "william.wells" To: Chris Brenton , "'Ed Forbes'" Subject: RE: about sendmail security Date: Fri, 05 Sep 97 14:22:00 +6C Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Not all systems which can send mail can receive mail. This is especially true now that browsers "do mail". You can configure your browser to send mail with a from address which is your inbound mail system. Things, in this case, wouldn't match. ---------- From: Chris Brenton To: 'Ed Forbes' Cc: 'firewalls@greatcircle.com' Subject: RE: about sendmail security Date: Friday, September 05, 1997 12:05PM >> Humm. How about a process that not only checks that the source IP >> address can be resolved to a valid host, but that it can be resolved >> back to a system which also has a valid MX record. >> >> Just a thought... 
> >Why would it have to resolve to a valid MX record? MX records are only >required if the mail shouldn't be returned to the sending host. > >Just my thoughts, I was thinking from a security perspective. For example, if I telnet port 25 of your mail host and you are checking to insure that my IP address has a valid host name, your machine will accept the connection. If however, your machine checks to see if I am a valid mail system (i.e. MX record check), it would deny the connection. True this is not bulletproof, but it does add another layer of validation checking to make mail spoofing that much more difficult. From owner-firewalls-outgoing Fri Sep 5 17:31:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA16956 for firewalls-outgoing; Fri, 5 Sep 1997 12:34:35 -0700 (PDT) Received: from mail.diginsite.com (mail.diginsite.com [208.2.189.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id MAA16929 for ; Fri, 5 Sep 1997 12:34:25 -0700 (PDT) Received: from march.diginsite.com (dlang@march.diginsite.com [208.2.189.102]) by mail.diginsite.com (8.8.6/8.8.6) with SMTP id MAA09961; Fri, 5 Sep 1997 12:31:54 -0700 Date: Fri, 5 Sep 1997 12:33:40 -0700 (PDT) From: David Lang To: Chris Brenton cc: "'Ed Forbes'" , "'firewalls@greatcircle.com'" Subject: RE: about sendmail security In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk A MX record is only needed if you need to redirect the mail. for example my desktop running linux which does not have a mx record for it's ip address may want to send mail to your system. my incoming mail has nothing to do with the ip address I am sending from and would be rejected by your system. David Lang On Fri, 5 Sep 1997, Chris Brenton wrote: > > >> Humm. 
How about a process that not only checks that the source IP > >> address can be resolved to a valid host, but that it can be resolved > > >> back to a system which also has a valid MX record. > >> > >> Just a thought... > > > >Why would it have to resolve to a valid MX record? MX records are > only > >required if the mail shouldn't be returned to the sending host. > > > >Just my thoughts, > > I was thinking from a security perspective. For example, if I telnet > port 25 of your mail host and you are checking to insure that my IP > address has a valid host name, your machine will accept the connection. > If however, your machine checks to see if I am a valid mail system > (i.e. MX record check), it would deny the connection. > > True this is not bulletproof, but it does add another layer of > validation checking to make mail spoofing that much more difficult. > > > From owner-firewalls-outgoing Fri Sep 5 17:53:42 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA16306 for firewalls-outgoing; Fri, 5 Sep 1997 12:29:48 -0700 (PDT) Received: from bdc9000.pccmis.com (pccentral.cyberportal.net [204.97.235.63]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id MAA16234 for ; Fri, 5 Sep 1997 12:29:17 -0700 (PDT) Received: by bdc9000.pccmis.com with Microsoft Exchange (IMC 4.0.837.3) id <01BCBA11.8D5F88B0@bdc9000.pccmis.com>; Fri, 5 Sep 1997 15:37:00 -0400 Message-ID: From: Chris Brenton To: "'firewalls@greatcircle.com'" Subject: FW: about sendmail security Date: Fri, 5 Sep 1997 15:36:54 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From: Jonathan M. Bresler [SMTP:jmb@FRB.GOV] >>I was thinking from a security perspective. 
For example, if I telnet >>port 25 of your mail host and you are checking to ensure that my IP >>address has a valid host name, your machine will accept the connection. >>If, however, your machine checks to see if I am a valid mail system >>(i.e. MX record check), it would deny the connection. > > there are a great number of hosts that send and receive mail >every day that do *not* have any MX records at all. this is clearly >"a bad thing" but it is a common thing. if you only accept mail from >hosts that have a valid MX record, you "may" be unable to correspond >with many people. Agreed. This is one of those "how much is security worth" type of things. For example, there are a large number of Web sites that use ActiveX and Java controls. You can protect your network by filtering out ActiveX and Java at the firewall, but now your users no longer have access to these scripts. In the process of protecting your environment from potential malicious attacks, you are also required to block some of the useful stuff that is safe. MX screening is the same type of thing (although not as effective). Is it right for everyone? Absolutely not. In some situations, however, the additional peace of mind may be worth it.
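The check debated in this thread (reverse-DNS lookup of the connecting host, optionally followed by an MX lookup) and its cost (senders that publish only an A record get refused) can be seen side by side in the following added example. It is not code from the list or from any MTA mentioned here; it adds a forward-confirmation step the thread does not discuss, assumes a resolver object with three lookups (`reverse`, `addresses`, `mail_exchangers`) in place of real DNS, and uses constructed zone data on documentation addresses so it runs offline.

```python
"""Sender-host screening as discussed above: PTR lookup, forward
confirmation, optional MX check.  Added illustration; resolver and
zone data are constructed, not real DNS."""

from dataclasses import dataclass


@dataclass
class Verdict:
    accept: bool
    reason: str


class StaticResolver:
    """Stand-in for a DNS resolver (assumption: these three lookups).
    A real MTA would call the system resolver or dnspython instead."""

    def __init__(self, ptr, a, mx):
        self.ptr, self.a, self.mx = ptr, a, mx

    def reverse(self, ip):              # PTR name for an address, or None
        return self.ptr.get(ip)

    def addresses(self, name):          # A records for a host name
        return self.a.get(name.lower(), [])

    def mail_exchangers(self, domain):  # MX records for a domain
        return self.mx.get(domain.lower(), [])


def parent_domain(host):
    """'mail.example.net' -> 'example.net'; a single label has no parent."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else ""


def screen_sender(ip, resolver, require_mx=False):
    """Decide whether to accept an SMTP session from `ip`.

    1. The address must have a PTR record (the "valid host name" test).
    2. The PTR name must resolve back to the same address; without this
       step anyone controlling their own reverse zone can claim any name.
    3. With require_mx=True the host or its parent domain must publish
       an MX record.  This is the contentious step: many legitimate
       senders have only an A record and are refused along with spoofers.
    """
    host = resolver.reverse(ip)
    if host is None:
        return Verdict(False, "no PTR record for %s" % ip)
    if ip not in resolver.addresses(host):
        return Verdict(False, "PTR %s does not resolve back to %s" % (host, ip))
    if require_mx:
        candidates = [d for d in (host, parent_domain(host)) if d]
        if not any(resolver.mail_exchangers(d) for d in candidates):
            return Verdict(False, "no MX record for %s" % " or ".join(candidates))
    return Verdict(True, "ok: %s" % host)


# Constructed zone data on RFC 5737 documentation addresses (not real hosts).
SAMPLE = StaticResolver(
    ptr={"192.0.2.10": "mail.example.net",
         "192.0.2.20": "desk.example.org",     # a desktop with only an A record
         "192.0.2.30": "mail.example.com"},    # PTR points at a name that does not point back
    a={"mail.example.net": ["192.0.2.10"],
       "desk.example.org": ["192.0.2.20"],
       "mail.example.com": ["198.51.100.7"]},
    mx={"example.net": ["mail.example.net"]},  # example.org publishes no MX
)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        for strict in (False, True):
            v = screen_sender(ip, SAMPLE, require_mx=strict)
            print(ip, "strict " if strict else "lenient", v.accept, v.reason)
```

Run stand-alone it prints one verdict per address and mode; the desktop at 192.0.2.20 passes in lenient mode and fails in strict mode, which is exactly the trade-off the thread describes. A practical deployment would log the strict-mode verdict for a while before enforcing it, to measure how much legitimate mail it would refuse.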
From owner-firewalls-outgoing Fri Sep 5 18:17:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA14140 for firewalls-outgoing; Fri, 5 Sep 1997 17:38:50 -0700 (PDT) Received: from ns.ntadvice.com (ns.ntadvice.com [207.176.151.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id RAA14117 for ; Fri, 5 Sep 1997 17:38:44 -0700 (PDT) Received: by ns.ntadvice.com with Internet Mail Service (5.0.1458.49) id ; Fri, 5 Sep 1997 20:44:40 -0400 Message-ID: <61B80F9FF411D1118DEF0000E8D5C66701F752@ns.ntadvice.com> From: Russ To: "'Kenny Breeding'" , firewalls@GreatCircle.COM Subject: RE: INTERNET EXPLORER BUG SILENTLY CORRUPTS WEB VISITOR'S PC Date: Fri, 5 Sep 1997 20:44:38 -0400 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
This is great. Not only do we have to contend with the media talking about security exploits in released software, but now we have to deal with security exploits in beta software too. So are developers now expected to come up with secure code in their heads before they ever type it in??
Cheers, Russ

From owner-firewalls-outgoing Fri Sep 5 18:41:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA13611 for firewalls-outgoing; Fri, 5 Sep 1997 17:32:34 -0700 (PDT) Received: from ns.ntadvice.com (ns.ntadvice.com [207.176.151.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id RAA13603 for ; Fri, 5 Sep 1997 17:32:27 -0700 (PDT) Received: by ns.ntadvice.com with Internet Mail Service (5.0.1458.49) id ; Fri, 5 Sep 1997 20:38:19 -0400 Message-ID: <61B80F9FF411D1118DEF0000E8D5C66701F751@ns.ntadvice.com> From: Russ To: =?iso-8859-1?Q?=27=F6_PaLaN_=F6=27?= , firewalls@greatcircle.com Subject: RE: Security Technology Date: Fri, 5 Sep 1997 20:38:16 -0400 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
How about: 4. Monitoring (SNMP, HP Openview, Heroics Robomon) 5. Password verification (l0phtcrack) 6. Scanning (ISS) 7. Configuration Management (Sysdiff, SMS, Norton Administrator) 8. Backups (Legato Networker) 9. Security Policy Audit/Definition (Frank Willoughby...;-]...there you go Frank!...;-]) 10. Proprietary Hacks (Axent Technologies, MWC) 11. Public Hacks (Bill Stout, mudge and Weld Pond) 12. "The Sky is falling" broadcasts (EE Times, Network World, CNN) 13. New forms of English (John Johnson) 14. Speaking Acronyms (Vint Cerf et al) 15. More lines of text than are ever needed to make the point (Russ Cooper...oops, that's me!!) Cheers, Russ R.C. Consulting, Inc.
- NT/Internet Security

From owner-firewalls-outgoing Fri Sep 5 18:57:37 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA28767 for firewalls-outgoing; Fri, 5 Sep 1997 13:42:13 -0700 (PDT) Received: from wtpprod1.wtp.net (wtpprod1.wtp.net [206.26.76.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id NAA28699 for ; Fri, 5 Sep 1997 13:41:55 -0700 (PDT) Received: from wtpbl-4.wtp.net (wtpbl-43.wtp.net [208.150.193.43]) by wtpprod1.wtp.net (8.8.5/8.8.5) with SMTP id OAA13283 for ; Fri, 5 Sep 1997 14:48:07 -0600 (MDT) Message-ID: <34106A59.4DBC@wtp.net> Date: Fri, 05 Sep 1997 14:38:27 -0600 From: ZWH X-Mailer: Mozilla 3.03Gold (Win16; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: "Tasteless Plug" References: <97431B954A9AD0119CCC00609733C455067A0E@checkov.twc.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Jim E. Crawford wrote: > > I find this kind of tasteless plug FACT...... repulsive is the word that comes to my mind >for a substandard firewall system OPINION.....descriptive, but basically ineffective > offensive. This list is about helping others with firewall issues. AMEN..... >I > get enough junk email in my box without having to read a sales pitch >for a low-end-linux-off-a-floppy firewall. PRETTY HARSH.....but deftly illustrates the ANGER caused by the "borderline spam" spoken of here > > -----Original Message----- > > From: Stephen Greenwalt [SMTP:StephenG@DENVERSYS.COM] > > Sent: Friday, September 05, 1997 9:00 AM > > To: firewalls@GreatCircle.COM > > Subject: > > > > Hi, > > > > Informational: > > > > Anyone about to deploy a firewall / proxy server / etc., or who is > > generally involved in that industry would do well to visit the > > following > > site; http://watchguard.denversys.com > > > > Sincerely, > > > > Stephen Greenwalt ** I wholeheartedly agree with Jim!
Can't you people who are pushing products just SPAM the rest of the world and leave this list alone? What do you think....people who read this list are looking to buy a firewall or firewall product? GET A CLUE! Sincerely, Z. Wade Hampton President & CEO SlamDunk Enterprises, Inc. Billings, Montana

From owner-firewalls-outgoing Fri Sep 5 19:18:05 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA14640 for firewalls-outgoing; Fri, 5 Sep 1997 17:48:26 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id RAA10627 for ; Fri, 5 Sep 1997 17:13:56 -0700 (PDT) Received: from shell.firehouse.net by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id PAA17817; Fri, 5 Sep 1997 15:21:20 -0700 (PDT) Received: from localhost (brian@localhost) by shell.firehouse.net (8.8.5/8.8.5) with SMTP id SAA13329; Fri, 5 Sep 1997 18:24:37 -0400 (EDT) Date: Fri, 5 Sep 1997 18:24:33 -0400 (EDT) From: Brian Mitchell To: Jyri Kaljundi cc: ipfilter@postbox.anu.edu.au, Firewalls mailing list Subject: Re: adding payload examination to ipfilter/ipfw In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
On Fri, 5 Sep 1997, Jyri Kaljundi wrote: > > How hard would it be to add some payload examination capabilities to free > firewalls/packet filters like the ipfilter/ipfw code? What I would like to > see is something similar to Check Point FireWall-1 INSPECT language, where > you can change the rules on the fly, depending on some changing variables.
First, ipfilter prob needs to be fully stateful :) > > How I see it is today's firewalls are more moving in such direction, that > from one side there still should be application layer examination, you > should for example be able to filter FTP safely and understand the FTP > traffic, on the other side you want to do this as efficiently as possible, > using not specific proxies for every protocol but instead do it as deeply > inside the kernel or operating system as possible. When possible, you > would want to let packets freely through the filter code (there is quite a > lot of time in application layer proxies where you actually are using The usefulness is debatable, it violates the least privilege model by making every proxied protocol run as root, effectively. I'm not convinced this is a great idea. > either some kind of null tunnels or not examining the payload) and only > when needed examine the internals of the protocol traffic. No need to keep > the proxy processes laying around all the time, it takes computing Run the proxy from inetd. > resources, it makes the firewall as a product more complicated (you must > have hundreds of proxies as that is how many protocols we have today, more > coming every day), and for firewall vendors it makes it harder to write > their products, they can never write proxies for every protocol. So > according to how far in the protocol / connection lifecycle you are, you > should change between network layer examination and application layer > examination. The number of proxies where you actually need to examine the payload is relatively small. > > IPfilter is a great piece of software, but it only works at the network > layer. A capability of switching to application layer now and then would > be just great, and for that what we need is code or scripting language to > define easily our own smart filters. So people who are more familiar with > ipfilter, how hard would it be to do that?
I think there are other areas ipfilter can work on, such as improving the statefulness of it.

From owner-firewalls-outgoing Fri Sep 5 19:32:13 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id OAA04666 for firewalls-outgoing; Fri, 5 Sep 1997 14:17:51 -0700 (PDT) Received: from deimos.frii.com (deimos.frii.com [208.146.240.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id OAA04630; Fri, 5 Sep 1997 14:17:41 -0700 (PDT) Received: from localhost (evans@localhost) by deimos.frii.com (8.8.5/8.8.5) with SMTP id PAA28577; Fri, 5 Sep 1997 15:22:11 -0600 (MDT) Date: Fri, 5 Sep 1997 15:22:11 -0600 (MDT) From: Evans To: Firewalls-digest@GreatCircle.COM cc: Firewalls Digest Subject: Re: Connecting through FTP proxy In-Reply-To: <199709050947.LAA00724@fw4.tns.co.za> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Remove

From owner-firewalls-outgoing Fri Sep 5 20:06:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA24187 for firewalls-outgoing; Fri, 5 Sep 1997 18:32:00 -0700 (PDT) Received: from caliban.dihelix.com (caliban.dihelix.com [198.180.136.138]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id SAA23925 for ; Fri, 5 Sep 1997 18:31:00 -0700 (PDT) Received: (from langfod@localhost) by caliban.dihelix.com (8.8.7/8.8.3) id PAA21492; Fri, 5 Sep 1997 15:36:57 -1000 (HST) Message-Id: <199709060136.PAA21492@caliban.dihelix.com> Subject: Re: INTERNET EXPLORER BUG SILENTLY CORRUPTS WEB VISITOR'S PC In-Reply-To: <61B80F9FF411D1118DEF0000E8D5C66701F752@ns.ntadvice.com> from Russ at "Sep 5, 97 08:44:38 pm" To: Russ.Cooper@rc.on.ca (Russ) Date: Fri, 5 Sep 1997 15:36:57 -1000 (HST) Cc: kenbreed@usit.net, firewalls@GreatCircle.COM From: "David Langford" X-blank-line: This space intentionaly left blank.
X-Mailer: ELM [version 2.4ME+ PL31 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Russ >This is great. Not only do we have to contend with the media talking >about security exploits in released software, but now we have to deal >with security exploits in beta software too. So are developers now >expected to come up with secure code in their heads before they ever type >it in?? >Russ That is the general idea, yes. David Langford

From owner-firewalls-outgoing Fri Sep 5 20:43:41 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id RAA15644 for firewalls-outgoing; Fri, 5 Sep 1997 17:52:46 -0700 (PDT) Received: from mail.the-wire.com (mail.the-wire.com [198.53.192.5]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id RAA15517 for ; Fri, 5 Sep 1997 17:52:23 -0700 (PDT) Received: from psyche.the-wire.com (psyche [198.53.192.2]) by mail.the-wire.com (8.8.7/8.8.7) with ESMTP id UAA17787; Fri, 5 Sep 1997 20:58:20 -0400 (EDT) Received: from anton.the-wire.com (anton.the-wire.com [205.206.32.227]) by psyche.the-wire.com (8.8.6/8.6.12) with SMTP id UAA17543; Fri, 5 Sep 1997 20:58:49 -0400 (EDT) Message-Id: <3.0.32.19970905121038.007c2830@mail.the-wire.com> X-Sender: anton@mail.the-wire.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Fri, 05 Sep 1997 21:15:58 -0400 To: Chris Brenton From: Anton J Aylward Subject: RE: about sendmail security Cc: firewalls@greatcircle.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
At 10:44 AM 05/09/97 -0400, you wrote: ## Reply Start ## >Humm. How about a process that not only checks that the source IP >address can be resolved to a valid host, but that it can be resolved >back to a system which also has a valid MX record.
Try, for example, Dan Bernstein's QMAIL: http://koobera.math.uic.edu/www/qmail.html or http://www.qmail.org/ or one of the modified versions of SMAP which support this, such as the one in juniper http://www.cih.com/~hagan/smap-hacks/ _Part_ of what these do is to check the from IP address of the incoming packets, perform a reverse DNS lookup, and see if it exists, and if the address thus obtained matches the address that the MTA uses in its HELO string. I haven't checked the code to see if it looks for an MX from the source. You might like to consider a scenario whereby there isn't an MX record because there is an A record and the sysadmin believes sendmail can cope with just A records...... /anton ## Reply End ##

From owner-firewalls-outgoing Fri Sep 5 21:16:46 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA11261 for firewalls-outgoing; Thu, 4 Sep 1997 15:17:18 -0700 (PDT) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970824-1) id PAA11199 for firewalls@greatcircle.com; Thu, 4 Sep 1997 15:16:50 -0700 (PDT) Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id GAA18664 for ; Sat, 30 Aug 1997 06:07:09 -0700 (PDT) Received: from mjr.clark.net (mjr.clark.net [168.143.19.61]) by mail.clark.net (8.8.5/8.6.5) with SMTP id JAA20172 for ; Sat, 30 Aug 1997 09:12:16 -0400 (EDT) Message-Id: <199708301312.JAA20172@mail.clark.net> Comments: Authenticated sender is From: "Marcus J. Ranum" Organization: Network Flight Recorder, Inc.
To: Firewalls@GreatCircle.COM Date: Sat, 30 Aug 1997 09:09:11 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: Concealed advertising Reply-to: mjr@clark.net In-reply-to: <199708300346.UAA28835@honor.greatcircle.com> X-mailer: Pegasus Mail for Win32 (v2.53/R1) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
security writes: > If I didn't know better, I'd say this was a cleverly disguised ad for a > NetRanger.... It looks like a setup shot. Kind of like when a reseller of a product posts asking "is this thing we resell any good?" and then prearranged others chime in about how wonderful it is... > On Wed, 27 Aug 1997 CHRIS.NICHOLS@EY.COM wrote: > > Can anyone provide opinions about WheelGroup's NetRanger product? Since the original query came from someone at Ernst and Young, "cleverly concealed advertisement" isn't the term to apply, especially after E&Y has all these big banners on their press page about the partnership they have with WheelGroup. (http://www.ey.com/press/releases/051997.htm) I actually don't mind a little commercial fluff now and then, but sneaky stuff like this makes me wonder about someone's morals. mjr. ----- Marcus J. Ranum, CEO, Network Flight Recorder, Inc. Personal Work New Book!!
From owner-firewalls-outgoing Fri Sep 5 22:02:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id VAA27362 for firewalls-outgoing; Thu, 4 Sep 1997 21:29:33 -0700 (PDT) Received: from mtigwc04.worldnet.att.net (mtigwc04.worldnet.att.net [204.127.131.33]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id VAA27327 for ; Thu, 4 Sep 1997 21:29:23 -0700 (PDT) Received: from neil.databranch.com ([207.146.36.3]) by mtigwc04.worldnet.att.net (post.office MTA v2.0 0613 ) with SMTP id AAA28753 for ; Fri, 5 Sep 1997 04:35:27 +0000 Message-Id: <3.0.3.32.19970905002940.0069eba4@postoffice.worldnet.att.net> X-Sender: nwashburn@postoffice.worldnet.att.net X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.3 (32) Date: Fri, 05 Sep 1997 00:29:40 -0400 To: firewalls@greatcircle.com From: Nwashburn Subject: Checkpoint Firewall-1 & Authentication Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Hi, I recently set up FW1 to do USER Authentication for every user (outgoing access only) on the network to authenticate first to the firewall before it will allow them to access any HTTP or FTP site. I also went into the browser's (Netscape) configuration, and configured the HTTP and FTP proxies to point to the IP address of FW1's internal adapter. The HTTP proxy points to port 80 and FTP uses port 21. The HTTP and FTP protocols in Firewall-1 are also using these port values. The reason I am doing it this way is for internal security reasons and so that I do not have to keep entering my username and password every time I change to a different HTTP site. I am more or less treating Firewall-1 as a proxy server. The problem that I have encountered by doing this is that various sites that I try to browse come back with a message that says..."That port has been disabled for security reasons" or "Unknown WWW server".
I also get the same response when I try to download files from ftp servers via the browser. The authentication works fine and I only have to enter my username and password once. By treating the FW1 system as a proxy server, am I forcing FW1 to use ports 80 and 21 only? I know that I can change those values, but if you do not know what port values are being used on the destination server, how do you assign the correct ports in FW1 or your browser??? Would I have to set up a resource in FW1 that would identify all hosts and their ports, after I determine what the values are, and set up a rule that allows access to these sites??? Should I set up a separate proxy server (Microsoft, Netscape)???? Also, if there are any internet tools that would assist in this type of configuration please let me know. Any ideas would be appreciated. Neil Washburn nwashburn@worldnet.att.net Databranch

From owner-firewalls-outgoing Fri Sep 5 22:48:56 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA12954 for firewalls-outgoing; Thu, 4 Sep 1997 22:48:17 -0700 (PDT) Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id WAA07706 for ; Thu, 4 Sep 1997 22:25:02 -0700 (PDT) Received: from ttruitt-pc.cisco.com (sj-dial-3-33.cisco.com [171.68.179.34]) by diablo.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id WAA04559; Thu, 4 Sep 1997 22:30:53 -0700 (PDT) Message-Id: <3.0.3.32.19970904184403.009bb5f0@diablo.cisco.com> X-Sender: ttruitt@diablo.cisco.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Thu, 04 Sep 1997 18:44:03 -0600 To: "Eric V. Smith" , "'Micheal Sean'" , "firewalls@GreatCircle.COM" From: "R.
Todd Truitt" Subject: Re: LocalDirector question (was: Gauntlet Performance) In-Reply-To: <01BCB900.F88BA090.EricSmith@windsor.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Eric-- Answers in-line. At 07:05 AM 9/4/97 -0400, Eric V. Smith wrote: >On Thursday, September 04, 1997 12:48 AM, Micheal Sean [SMTP:padre@Ivy.NET] >wrote: >> >> What udp apps do you deal with ? dns and ntp. These aren't major >> bandwidth hogs. In fact, lookups are tcp. What's nice about the >> local director is between 45 and 90 Mbs throughput and true fault >> tolerance (HSRP). That and the fact that NO client or server >> side software installation is needed. > >This is a LocalDirector question and isn't really related to firewalls, so >I apologize in advance. > >I have a client who wants to use a LocalDirector to balance load across >multiple web servers. The problem is that they are maintaining state on >the servers, using cookies sent back to the clients to manage which state >information belongs to which client. If you're familiar with Microsoft ASP >sessions, it's the same thing. The upshot is that every request from a >given client must go to the same server. Does anyone know if the >LocalDirector can handle this? There would be an idle timeout of say 20 >minutes after which a request from the same client would be considered a >new session, so it wouldn't have to have infinite memory to remember every >client connection ever made. > Look at the sticky command. >Here's the firewall slant: I'm concerned that even if the LocalDirector >can do this, outbound HTTP proxies at the client would cause everyone from >AOL, for example, to hit the same web server. > Not a problem. The client will be resolving to a "virtual ip addr". All requests will go to this virtual ip addr. The LD will keep track of "real ip addrs (the web servers)" and source ip addrs.
Hope this helps, --T >Has anyone ever tried using a LocalDirector for this application? Every day. `;-) > >Thanks. > >Eric. > > >

From owner-firewalls-outgoing Fri Sep 5 23:02:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id MAA13603 for firewalls-outgoing; Thu, 4 Sep 1997 12:55:43 -0700 (PDT) Received: from relay2.cospo.osis.gov (relay2.cospo.osis.gov [198.81.186.194]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id MAA13469 for ; Thu, 4 Sep 1997 12:55:15 -0700 (PDT) Received: by relay2.cospo.osis.gov (4.1/SMI-4.1) id AA04516; Thu, 4 Sep 97 15:58:12 EDT Message-Id: <9709041958.AA04516@relay2.cospo.osis.gov> Received: from washington.cospo.osis.gov(198.81.161.68) by relay2.cospo.osis.gov via smap (V1.3) id sma004509; Thu Sep 4 15:57:49 1997 Received: by washington.cospo.osis.gov (1.38.193.4/16.2) id AA21050; Thu, 4 Sep 1997 16:00:43 -0400 From: "Joseph S. D. Yao" Subject: Re: Question for sendmail experts To: Firewalls@GreatCircle.COM Date: Thu, 4 Sep 1997 16:00:42 -0400 (EDT) Cc: cosimanj@cna.org, jsdy@washington.cospo.osis.gov (Joseph S. D. Yao) In-Reply-To: <199709032235.PAA21640@honor.greatcircle.com> from "Firewalls-Digest" at Sep 3, 97 03:35:19 pm X-Mailer: ELM [version 2.4 PL25 PGP3 *ALPHA*] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
> Date: Wed, 3 Sep 1997 16:09:09 -0400 (EDT) > From: John Cosimano > Subject: Question for sendmail experts > > We are running a Gauntlet V3.2 firewall and I am grappling with trying to > get sendmail running properly for our setup which is somewhat > non-standard. Here's a brief outline of what I am facing. > Split DNS on the firewall > Internal domain, let's call it foobar.org > External domain, let's call it bing.foo.bar.com > Firewall is forwarding off to Novell GroupWise on the inside for mail > processing.
> The problem is I need to modify the /etc/sendmail.cf to rewrite outbound > mail headers to change the return address from user@foobar.org to > user@bing.foo.bar.com. I have added the following to ruleset S12, but have > not had any luck: > > #rewrite mail originating from the mailhub (call it ngw.foobar.org) > R$*<@ngw.foobar.org>$* $@$1<@bing.foo.bar.com>$2 > > #rewrite mail from elsewhere in the domain > R$*<@.foobar.org>$* $@$1<@bing.foo.bar.com>$2 > > I'm not sure why this doesn't work. If anyone has any suggestions, I'd > appreciate hearing from you. > > - -- > John Cosimano > Unix Systems Administrator > The CNA Corporation > Alexandria, VA USA > cosimanj@cna.org Actually, this is a fairly normal setup for people running a firewall, except for the Novell ... ummm ... stuff. I would suggest the following change: > #rewrite mail from elsewhere in the domain > R$*<@.foobar.org>$* $@$1<@bing.foo.bar.com>$2 R$*<@*foobar.org>$* $@$1<@bing.foo.bar.com>$2 /^\ | In fact, this one rule could replace both of those above. DC SAGE has had some talks on sendmail recently ... they may have made it on line at their web site, - not sure. -- Joe Yao jsdy@cospo.osis.gov - Joseph S. D. Yao COSPO Computer Support EMT-A/B ----------------------------------------------------------------------- This message is not an official statement of COSPO policies. 
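What the rewriting rules in this exchange are meant to achieve, namely that outbound sender addresses in the internal domain (the mail hub and anything else under it) leave the firewall carrying the external domain, is shown below in an added Python example rather than in sendmail.cf syntax. It is not code from sendmail, Gauntlet or either poster; it reuses the placeholder domain names the thread uses, assumes the only headers to touch are the sender-side ones listed in REWRITE_HEADERS, and runs on a constructed sample message.

```python
"""Outbound sender-address masquerading, the goal of the sendmail rules
discussed above, done in Python on a parsed message.  Added example;
domain names are the thread's placeholders, not real hosts."""

from email import message_from_string
from email.utils import formataddr, getaddresses

INTERNAL = "foobar.org"            # internal (split-DNS) domain
EXTERNAL = "bing.foo.bar.com"      # externally visible domain
# Assumption: only sender-side headers are rewritten; To/Cc are left alone.
REWRITE_HEADERS = ("From", "Sender", "Reply-To", "Return-Path")


def masquerade(addr, internal=INTERNAL, external=EXTERNAL):
    """Rewrite local@host to local@external when host is `internal`
    itself or any subdomain of it (ngw.foobar.org, lab.foobar.org ...).
    The leading dot in the suffix test keeps 'notfoobar.org' unchanged,
    a mistake that a bare endswith() check would make."""
    local, sep, host = addr.rpartition("@")
    if not sep:
        return addr                              # not user@host; leave it
    host = host.lower().rstrip(".")
    if host == internal or host.endswith("." + internal):
        return "%s@%s" % (local, external)
    return addr


def rewrite_headers(raw, headers=REWRITE_HEADERS,
                    internal=INTERNAL, external=EXTERNAL):
    """Parse an RFC 822 message and masquerade every address in the
    selected headers, preserving display names.  Returns the Message."""
    msg = message_from_string(raw)
    for name in headers:
        values = msg.get_all(name)
        if not values:
            continue
        rewritten = ", ".join(
            formataddr((display, masquerade(address, internal, external)))
            for display, address in getaddresses(values)
        )
        del msg[name]          # drop all instances, then set one clean value
        msg[name] = rewritten
    return msg


# Constructed sample message in the thread's setup: sent via the mail hub
# ngw.foobar.org, with internal addresses in Cc that must stay as they are.
SAMPLE_MESSAGE = """\
From: John Cosimano <cosimanj@ngw.foobar.org>
Reply-To: helpdesk@foobar.org
To: someone@example.com
Cc: helpdesk@foobar.org, Alice <alice@lab.foobar.org>
Subject: test

body
"""


if __name__ == "__main__":
    out = rewrite_headers(SAMPLE_MESSAGE)
    for name in ("From", "Reply-To", "To", "Cc"):
        print("%s: %s" % (name, out[name]))
```

Run stand-alone it prints the From and Reply-To lines carrying bing.foo.bar.com while To and Cc are untouched. Whether Cc addresses should be masqueraded as well is a site policy question; leaving them alone, as here, means internal host names can still leak to outside recipients through those headers.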
From owner-firewalls-outgoing Fri Sep 5 23:18:00 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA24178 for firewalls-outgoing; Fri, 5 Sep 1997 18:31:57 -0700 (PDT) Received: from alpha.netvision.net.il (alpha.NetVision.net.il [194.90.1.13]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id SAA23833 for ; Fri, 5 Sep 1997 18:30:43 -0700 (PDT) Received: from netvision.net.il (ts039p7.pop3b.netvision.net.il [199.203.202.207]) by alpha.netvision.net.il (8.8.6/8.8.6) with ESMTP id EAA24476; Sat, 6 Sep 1997 04:36:21 +0300 (IDT) Message-ID: <3410C150.EC05D24@netvision.net.il> Date: Sat, 06 Sep 1997 04:34:56 +0200 From: Itai Dor-on Reply-To: silicom@netvision.net.il Organization: Silicom Technologies X-Mailer: Mozilla 4.02 [en] (WinNT; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM, ntsecurity@iss.net Subject: I am amazed! Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
About four days ago I posted a message by the name of “Proxy server 2.0 beta - is it a true firewall?” that questioned some security features of Microsoft Proxy Server 2.0 (beta). In that message I mentioned that I questioned Microsoft on the matter presented by sending a message to the proxy beta NEWS GROUP at msnews. I also wrote that I was willing to post the response to the mailing list. Kerry Schwartz, who is PROGRAM MANAGER for MS Proxy Server, was kind enough to respond to my post with a very detailed explanation that is TECHNICAL despite the subject title (personally I was flattered). Even though the response questions my knowledge, I decided to put all of this aside and post it to the list with no modification so I can contribute to the security community. The content of the post is VERY important to any security expert/consultant that is involved with firewall tech.
How Microsoft positions Microsoft Proxy Server 2.0 is as important as any technical question, and I won’t bother to explain why; it is obvious. I was shocked to see that certain subscribers started to SPAM the list with stupid arguments against the post. If one would like to comment he should send the reply directly to me, not to all the subscribers. Another thing that amazed me is how long it took some people to realize that I sent the post, NOT Microsoft. I suspect that they didn’t even read the post, just saw the word Microsoft and started burning! And why do they reply with “RE:” + “original subject”, leaving others to suspect it is a serious technical comment regarding the original post? They could respond with a modified subject line so people can distinguish and decide if they would like to read it or not. I couldn’t post a URL because it was on the msnews NEWSGROUP, and I thought it would be much more convenient for other subscribers to read it. I think certain people have too much spare time, so instead of wasting it by sending messages that contain arguments and analogies with no benefit (rape?!), I am willing to buy a LOT of time. If anyone is selling, name the price! One thing I learned is to never again send ‘interesting’ responses that I get from vendors. That’s all. Itai Dor-on P.S. Yes I like Microsoft.
From owner-firewalls-outgoing Fri Sep 5 23:33:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA19811 for firewalls-outgoing; Fri, 5 Sep 1997 18:05:58 -0700 (PDT) Received: from mail5.microsoft.com (mail5.microsoft.com [131.107.3.31]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id SAA19790 for ; Fri, 5 Sep 1997 18:05:50 -0700 (PDT) Received: by mail5.microsoft.com with Internet Mail Service (5.0.1459.27) id ; Fri, 5 Sep 1997 18:14:19 -0700 Message-ID: From: Vinod Valloppillil To: "'Peter da Silva'" , ed@alcpress.com Cc: silicom@netvision.net.il, firewalls@GreatCircle.COM, ntsecurity@iss.net, anton@Toronto.com Subject: RE: Proxy Server 2.0 features & market positioning byMicrosoft Program Manager Date: Fri, 5 Sep 1997 18:11:44 -0700 X-Priority: 3 X-Mailer: Internet Mail Service (5.0.1459.27) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
I thought I'd de-lurk for a second and point out that the email Itai forwarded to this list was: * posted on a Microsoft support newsgroup for Proxy Server * sent to Itai as personal email in response to his questions on NTSecurity & firewalls@greatcircle.com ---> Microsoft did NOT post that email to this newsgroup as part of any marketing activity. Itai Dor-On (who is NOT a Microsoft employee) forwarded that personal email to the newsgroup b/c there have been many questions on this group about the Proxy Server product. > -----Original Message----- > From: Peter da Silva [SMTP:peter@grendel.nmti.com] > Sent: Friday, September 05, 1997 6:09 AM > To: ed@alcpress.com > Cc: silicom@netvision.net.il; firewalls@GreatCircle.COM; > ntsecurity@iss.net; anton@Toronto.com > Subject: Re: Proxy Server 2.0 features & market positioning > byMicrosoft Program Manager > > > I think you (and possibly others) may be a bit vendorphobic. > > The message that you're complaining about is clearly stated > > as "Proxy Server 2.0 features & marketing positioning..."
> > in the subject line. > > That doesn't tell me it's marketing fluff. I might well post a message > with that title pointing out how their marketing position is > inconsistent > with their features. Even a message from a Microsoft address might > contain > useful information under that title. And in any case I tend to give > messages > from Firewalls a higher priority, and it's useful that I be able to do > so, > simply because they so rarely contain marketing noise. > > So it's *not* possible to just skip a message like that without > reading > it. And I wouldn't want to discourage people at Microsoft from > commenting > from the trenches by making them think their messages would simply be > discarded just because of where they're posting from, which is what > you > seem to be proposing. > > No, it's not classical spam. It's not unsolicited marketing email. But > I > think that we need to draw the line on this list against vendors > sending > apparently solicited responses to the list as a whole: we've had > periods > in the past where single vendors have pushed a significant amount of > such > fluff down the pipe. > > With more and more vendors getting into it, especially companies like > Microsoft who have been pushing the ragged edge of acceptable > behaviour in > marketing material in the past (yes, I've had bulk mail from them that > it's a stretch to consider solicited), if we don't draw that line here > it's just going to get worse. I hope in the future that they send > lengthy > web-formatted low-content pieces to just the person who requested it.
From owner-firewalls-outgoing Fri Sep 5 23:48:13 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA11040 for firewalls-outgoing; Thu, 4 Sep 1997 15:15:42 -0700 (PDT) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970824-1) id PAA10993 for firewalls@greatcircle.com; Thu, 4 Sep 1997 15:15:30 -0700 (PDT) Received: from moria.imaginet.fr (moria.imaginet.fr [194.51.83.1]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id NAA02640 for ; Fri, 29 Aug 1997 13:47:48 -0700 (PDT) Received: from imaginet.fr (zoltar.imaginet.fr [194.51.83.150]) by moria.imaginet.fr via ESMTP (950215.SGI.8.6.10/911001.SGI) id WAA07126; Fri, 29 Aug 1997 22:52:07 +0200 Received: from altair.gods.imaginet.fr (altair.gods.imaginet.fr [195.68.1.72]) by imaginet.fr (8.7.5/8.7.31) with SMTP id WAA28873; Fri, 29 Aug 1997 22:52:41 +0200 (METDST) Message-Id: <199708292052.WAA28873@imaginet.fr> Comments: Authenticated sender is From: "Lionel MARIE" Organization: Imaginet France To: firewalls@GreatCircle.COM, Nick Keenan Date: Fri, 29 Aug 1997 22:49:39 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: credit card fraud Reply-to: Lionel.MARIE@imaginet.fr In-reply-to: <3.0.1.32.19970829093220.009bf4f8@peter> References: <1.5.4.32.19970829042950.00a39270@dynamite.com.au> X-mailer: Pegasus Mail for Win32 (v2.54) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Date: Fri, 29 Aug 1997 09:32:20 -0400 > To: firewalls@GreatCircle.COM > From: Nick Keenan > Subject: Re: credit card fraud Hello All, > What I find interesting about this case was that he "intended" to sell the > credit card numbers -- he had not been successful. Despite the widespread > fear, I don't see the numbers themselves being terribly valuable. Think of > how many people you give your credit card number to without thinking -- > cashiers, waiters, order-takers, etc. 
How often do you read about a > cashier who spends a year collecting credit card numbers and then > absconding to Rio? Never. I DO agree with you on this point Nick. To complete your list ("cashiers, waiters..."), I would like to tell you something so amazing in France: when you buy a train ticket with an automatic distributor and pay with your credit card, the machine delivers a "receipt" ticket with the price AND the 16 digits of your credit card and the expiration date!!! The most amazing thing is to look how many people leave this ticket in the distributor. In fact, these automatic machines are credit card number distributors too!... 1001 apologies for my poor English... -Lionel.. > > Note that his press release (like most) was put out by a company with a > product to sell. CSI is trying to get you to shell out for their "Special > Report." Like the FBI, they are engaging in fear-mongering to further > their own interests. > > >> Carlos Salgado, Jr. pleaded guilty on Monday to four of five counts in a > >>federal indictment accusing him of hacking systems to gather credit card > >>information which he intended to sell on the black market. When Mr. > Salgado > >>was arrested, he had in his possession an encrypted CD-ROM containing > roughly > >>100,000 credit card numbers stolen from companies doing business over the > >>Internet. The Computer Security Institute has published the "CSI Special > >>Report on the Salgado Case" which details the case and provides some > insights > >>into the "dark side of electronic commerce." 
[Computer Security Institute, > >>Richard Power, editorial director, 415-905-2310, www.gocsi.com] > > > > -- Lionel MARIE - Network Operations Center - www.imaginet.fr ImagiNet Conseil / ImagiNet Design / ImagiNet Solutions Tel : 01 533 666 00 - Fax : 01 43 38 42 62 - Lionel.Marie@imaginet.fr From owner-firewalls-outgoing Sat Sep 6 00:01:53 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA25194 for firewalls-outgoing; Thu, 4 Sep 1997 16:35:27 -0700 (PDT) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970824-1) id QAA25185 for firewalls@greatcircle.com; Thu, 4 Sep 1997 16:35:24 -0700 (PDT) Received: from krypton.tip.nl (krypton.tip.nl [195.18.64.74]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id CAA00504 for ; Mon, 1 Sep 1997 02:09:05 -0700 (PDT) Received: from amsterdam-199.trb.pop.tip.nl by krypton.tip.nl with smtp (Smail3.2 #12) id m0woFcO-000MOiC; Tue, 15 Jul 1997 23:58:48 +0200 (MET DST) Message-Id: Comments: Authenticated sender is From: "Dennis Roos" Organization: service for Systems To: firewalls@GreatCircle.COM, Philippe.Cayphas@ping.be Date: Tue, 15 Jul 1997 21:51:11 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=ISO-8859-1 Content-transfer-encoding: Quoted-printable Subject: Re: NSA backdoors in OS Reply-to: d_roos@hotmail.com In-reply-to: <19970714.190253.3654.0.wiseleo@juno.com> X-mailer: Pegasus Mail for Windows (v2.53/R1) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On 14 Jul 97 at 18:35, Leonid wrote: > Philippe, > > That would simply mean "Welcome to 100% Linux world!" When do we start with it, 'cause I'm getting tired of all the m$ versions of its windoze OS... > 2 words explain this approach: "Source code" > > It's unlikely NSA would get into my system when I can eliminate their > backdoor code... But if the NSA doesn't... probably some hacker will... these guys are using Linux from day 1 just to get experience within a UNIX environment... 
Another thing about a free OS... Everyone can develop for it, thus you have to check _every_ source of _every_ util you wanna use, before installing it... and speaking for myself... I'm quite busy just keeping things working and secure (when possible :( ) > Not necessarily Linux but any OS with source code... BlackBox approach > such as our most dearly beloved (NOT) Windows NT would suddenly die in > eyes of all IT security people and thus in corporate environments because > no one would trust M$. > > Would you?! Better... _NEVER_ have ,) > I strongly disagree with that approach, a backdoor stands a chance to be > found... Now, if a dedicated hacker decided to hunt around for the > "master code" in his HP-UX 20 (I assume it doesn't exist at the moment) > he would have eventually found it, right? Or better yet, a group of > dedicated people.. investigating every utility, every kernel call etc... > > Or a CrackTheNSA Internet campaign similar to crack DES encryption... > > I would say NSA will rule every corporation... making trade secrets > non-existent etc in the event of compromise of the master key... > > I am sure this request will never be honored for NSA. > *** > > On Sun, 13 Jul 1997 17:49:12 +0200 Philippe Cayphas > writes: > >Hi, > > > >I 'd last week a discussion with a commercial person (;- explaining me > >that all US operating systems have backdoors set up for the NSA. > > > >What is your feeling about that fact? Which guarantees can be given by > >vendors? How 'bout _NONE_
  Just look at Bill...

  * First we needed doze 95 now we need his Next Technology.
    
     I hope his FT (Final Technology) will soon appear...
    
  * Don't even mention it being 'feature' free :(
 
> > > >Philippe > > regards, Dennis Roos ============================================================ S ervice A dvice 4 Network C onsultancy S ystems T roubleshooting ---------------------------------------------------------- Thought for the day: Communist (n): one who has given up all hope of becoming a Capitalist. ============================================================ From owner-firewalls-outgoing Sat Sep 6 00:02:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id PAA11069 for firewalls-outgoing; Thu, 4 Sep 1997 15:15:58 -0700 (PDT) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970824-1) id PAA11059 for firewalls@greatcircle.com; Thu, 4 Sep 1997 15:15:53 -0700 (PDT) Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id SAA02342 for ; Fri, 29 Aug 1997 18:31:52 -0700 (PDT) Received: from mjr.clark.net (mjr.clark.net [168.143.19.61]) by mail.clark.net (8.8.5/8.6.5) with SMTP id VAA14196 for ; Fri, 29 Aug 1997 21:35:39 -0400 (EDT) Message-Id: <199708300135.VAA14196@mail.clark.net> Comments: Authenticated sender is 
From: "Marcus J. Ranum" Organization: Network Flight Recorder, Inc. To: Firewalls@GreatCircle.COM Date: Fri, 29 Aug 1997 21:32:35 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: NetRanger Reply-to: mjr@clark.net In-reply-to: <199708292031.NAA01144@honor.greatcircle.com> X-mailer: Pegasus Mail for Win32 (v2.53/R1) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ...a few minor nits about NFR... Bill Stout writes: > Intrusion detection systems will be a big piece of the market real soon. > NSC (network.com) has a Netranger/Borderguard product. Intrusion detection > products are also available from Network Flight Recorder - (Finally!) > (nfr.com) NFR's not really an intrusion detection system. It's a much more general tool that cuts across a wide number of categories. I like to stretch peoples' preconceptions! :) In My Opinion there are 2 kinds of technologies that are getting a lot of play in the post-firewall era: - Intrusion Detection Systems: systems that attempt to model "security correct" behavior and hostile behavior and to then detect them. - Burglar Alarms: systems that recognize specific events that are believed to have security significance, and to fire an alert Intrusion detection systems are high end expert systems and take a lot of work to build - there are a number of research projects in this area, and a very few products. Burglar alarms are quite easy to implement. In fact, I was building them in 1990 using NNstat and awk. :) They're a great technology because they are very simple to understand and they work fast. As I see it the network burglar alarms are closest to virus scanners: their utility is directly related to the completeness of their alarm ruleset. That's also the biggest disadvantage of virus scanners -- you've got to worry about the new stuff. It's great if you sell them because your customer needs a new release every couple months. 
:) There's also another category cropping up, which are what I'd call: - Network Burglar Alarm Services: services that specialize in security consulting related to analyzing and responding to network burglar alarms That's a terrific service opportunity, and there are a number of players aligning themselves to grab that market. I guess if you want to know where NFR fits in, we're building tools those guys would like. :) NFR isn't an intrusion detection system, and it isn't a burglar alarm. You could (easily) use an NFR as a data source for an intrusion detection platform and it's good for that. You can (trivially) use an NFR as a platform for writing burglar alarms, and it's great for that. But we've designed it to do all kinds of other things that are (!gasp!) not related to security. Why? I think security and network management, as technologies, have to merge to be successful. It's going to happen and I'm going to help it if I can. If it doesn't I think that we security guys will be subsumed if the network management guys ever get their act together and decide that there is more to managing a network than "ping." > My expectation level has been set on high for the NFR product, since Marcus > is with them. "With them" is an understatement!! It's my company! :) These days I don't get to write code but the guys who are doing code are better at it than I am anyhow. I am the pointy-hair guy from Dilbert who keeps asking them useful questions like: "Why isn't the intersection ball on the origin/destination scatter plot blue?" :) This is fate's revenge for my comment on management at LISA '95 mjr. ----- Marcus J. Ranum, CEO, Network Flight Recorder, Inc. Personal Work New Book!! 
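A minimal network burglar alarm in the sense Marcus describes above (recognise specific events believed to have security significance, fire an alert), as an added example that is not NFR code and not part of the original post. The syslog-style log lines, the rule names, the thresholds and the addresses are all constructed for illustration; the point it shows is the one made above about completeness: whatever the ruleset does not name passes silently, so the uncovered lines are returned as well.

```python
"""Rule-driven burglar alarm over syslog-style lines (constructed example)."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample log, tcp-wrappers / login style. Addresses are from
# documentation ranges (RFC 5737) and do not refer to any real host.
SAMPLE_LOG = """\
Sep  4 22:10:01 bastion in.telnetd[4021]: connect from 203.0.113.9
Sep  4 22:10:03 bastion in.ftpd[4025]: connect from 198.51.100.7
Sep  4 22:10:05 bastion login[4030]: FAILED LOGIN 1 FROM 203.0.113.9 FOR root
Sep  4 22:10:06 bastion login[4030]: FAILED LOGIN 2 FROM 203.0.113.9 FOR root
Sep  4 22:10:07 bastion login[4030]: FAILED LOGIN 3 FROM 203.0.113.9 FOR root
Sep  4 22:10:09 bastion in.fingerd[4040]: connect from 203.0.113.9
Sep  4 22:11:30 bastion in.rexecd[4051]: connect from 192.0.2.44
"""


@dataclass
class Rule:
    """One alarm rule: a name, a pattern whose first group is the source,
    and how many hits from one source it takes before the alarm fires."""
    name: str
    pattern: re.Pattern
    threshold: int = 1


# Hypothetical ruleset. Note that nothing here names in.ftpd or in.rexecd.
RULES = [
    Rule("telnet-to-bastion",
         re.compile(r"in\.telnetd\[\d+\]: connect from (\S+)")),
    Rule("finger-probe",
         re.compile(r"in\.fingerd\[\d+\]: connect from (\S+)")),
    Rule("root-login-failures",
         re.compile(r"FAILED LOGIN \d+ FROM (\S+) FOR root"), threshold=3),
]


def run_alarm(log_text, rules=RULES):
    """Scan log lines in order.

    Returns (alerts, uncovered): alerts is a list of (rule name, source)
    pairs in the order they fired (each fires once, when the count for that
    source reaches the rule's threshold); uncovered is every line that no
    rule matched at all, i.e. the blind spot of this ruleset.
    """
    counts = Counter()
    alerts = []
    uncovered = []
    for line in log_text.splitlines():
        matched = False
        for rule in rules:
            m = rule.pattern.search(line)
            if not m:
                continue
            matched = True
            key = (rule.name, m.group(1))
            counts[key] += 1
            if counts[key] == rule.threshold:
                alerts.append(key)
        if not matched:
            uncovered.append(line)
    return alerts, uncovered


if __name__ == "__main__":
    fired, missed = run_alarm(SAMPLE_LOG)
    for name, src in fired:
        print(f"ALERT {name} from {src}")
    print(f"{len(missed)} line(s) matched no rule:")
    for line in missed:
        print("  " + line)
```

The third `FAILED LOGIN` line is what trips the threshold rule, so three failures from one source give one alert rather than three. The `in.rexecd` and `in.ftpd` lines come back in the uncovered list: a burglar alarm is only as good as its ruleset, which is exactly the virus-scanner comparison drawn above, and reviewing what fell through is how the ruleset grows.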
From owner-firewalls-outgoing Sat Sep 6 00:32:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id HAA19368 for firewalls-outgoing; Thu, 4 Sep 1997 07:44:06 -0700 (PDT) Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id HAA19360 for ; Thu, 4 Sep 1997 07:44:01 -0700 (PDT) Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.7/8.6.9) with ESMTP id HAA00590; Thu, 4 Sep 1997 07:45:04 -0700 (PDT) To: ArkanoiD cc: phk@critter.freebsd.dk (Poul-Henning Kamp), firewalls@greatcircle.com, freebsd-security@FreeBSD.ORG Subject: Re: log connection attempts? In-reply-to: Your message of "Thu, 04 Sep 1997 16:17:51 +0400." <199709041217.QAA00831@paranoid.convey.ru> Date: Thu, 04 Sep 1997 07:45:04 -0700 Message-ID: <587.873384304@time.cdrom.com> From: "Jordan K. Hubbard" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > nuqneH, Is something wrong with your editor? :-) Jordan From owner-firewalls-outgoing Sat Sep 6 00:32:30 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA23408 for firewalls-outgoing; Thu, 4 Sep 1997 16:19:37 -0700 (PDT) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970824-1) id QAA23350 for firewalls@greatcircle.com; Thu, 4 Sep 1997 16:19:24 -0700 (PDT) Received: from nis.acs.uci.edu (nis.acs.uci.edu [128.200.16.34]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id TAA04341 for ; Sun, 31 Aug 1997 19:00:27 -0700 (PDT) Received: from trask by nis.acs.uci.edu (8.8.5) id TAA25975; Sun, 31 Aug 1997 19:06:58 -0700 (PDT) Date: Sun, 31 Aug 1997 19:07:20 -0700 (PDT) 
From: Dan Stromberg X-Sender: strombrg@trask To: FIREWALLS@GREATCIRCLE.COM Subject: patch for problem with tis fwtk ftp-gw Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This patch allowed (for me) use of the ftp gateway with hostnames, rather than only IP addresses on my debian linux system. More specifically, a username of "strombrg@bingy.acs.uci.edu" didn't work prior to the patch, but a username of "strombrg@128.200.34.36" did. Sorry if this has been covered before. I don't subscribe to the firewalls list. If there is an official patch coordinator for this package, I'd be pleased to hear about it. --- fwtk/lib/nama.c.t Sun Aug 31 17:21:04 1997 +++ fwtk/lib/nama.c Sun Aug 31 17:23:23 1997 @@ -427,7 +427,7 @@ syslog(LLEV,"securityalert: invalid host address length (%d) hostname %.512s", hp->h_length, nam); return(0); } - bcopy(hp->h_addr,&sin.sin_addr,hp->h_length); + bcopy(hp_addr,&sin.sin_addr,hp->h_length); eq = maskmatch(pat, inet_ntoa(sin.sin_addr)); if (eq) return eq; From owner-firewalls-outgoing Sat Sep 6 00:42:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id NAA21552 for firewalls-outgoing; Thu, 4 Sep 1997 13:36:02 -0700 (PDT) Received: from sla-nt2.sla.com (mail1.sla.com [207.153.168.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id NAA21365 for ; Thu, 4 Sep 1997 13:35:21 -0700 (PDT) Received: by mail1.sla.com with Internet Mail Service (5.0.1457.3) id ; Thu, 4 Sep 1997 13:41:35 -0700 Message-ID: 
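Review bot: `hp_addr` on the `+` line of the `nama.c` hunk does not appear anywhere in the visible context, so the diff alone does not show where it is declared or what type it has; the hunk should carry enough context to show the assignment, since the replaced expression `hp->h_addr` is the conventional BSD alias for `hp->h_addr_list[0]` (a `char *` to one address), and if `hp_addr` is instead a cursor over `h_addr_list` (a `char **`) it would have to be dereferenced before being handed to `bcopy`. The length check logged as `securityalert: invalid host address length` just above the change is left in place, which is right, since whatever pointer is copied, `hp->h_length` still has to be validated against the size of `sin.sin_addr` before the copy. A one-line comment in the patch explaining why switching the source pointer makes hostname (as opposed to dotted-quad) usernames work on Debian Linux would also help whoever maintains the package judge whether the fix is portable.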
From: "Stackpole, Bill" To: "'silicom@netvision.net.il'" , firewalls@greatcircle.com Cc: "Brown, Patrick" , "Lehman, Matthew" , "Icenhour, Rodney" Subject: RE: Proxy Server 2.0 features & market positioning by Microsoft P rogram Manager Date: Thu, 4 Sep 1997 13:41:32 -0700 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is just my observation for what it is worth. I've been doing security work for about 10 years and there seems to be a fairly common body of knowledge and terminology used among security professionals (including those on this list). I've been to several NT security discussions/presentations given by Microsoft personnel and it strikes me as odd that Microsoft personnel don't speak in these terms. This marketing brochure is just another example. Personally it makes me a little wary. Is a person (or company) that hasn't been in the security arena long enough to know the terminology really able to produce a well designed security product? I'm not saying this should be the sole reason for judging the validity of a product but on the other hand, "Would you trust your brain to a surgeon that didn't talk like a doctor?" Just something to think about. 
From owner-firewalls-outgoing Sat Sep 6 01:44:18 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA24063 for firewalls-outgoing; Thu, 4 Sep 1997 16:23:13 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id QAA24048 for ; Thu, 4 Sep 1997 16:22:54 -0700 (PDT) Received: from mail.ka.inka.de by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id QAA12786; Thu, 4 Sep 1997 16:23:24 -0700 (PDT) Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0x6lJn-000DHKC (Debian Smail-3.2 1996-Jul-4 #2); Fri, 5 Sep 1997 01:28:07 +0200 (MET DST) Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Fri, 5 Sep 97 01:28 MET DST Received: by lina.inka.de id m0x6kw9-00014AC (Debian Smail-3.2 1996-Jul-4 #2); Fri, 5 Sep 1997 01:03:41 +0200 (CEST) Message-Id: Date: Fri, 5 Sep 1997 01:03:40 +0200 
From: Bernd Eckenfels To: =?iso-8859-1?Q?Juan_Carlos_Mart=EDnez_Medina?= Cc: "firewalls@GreatCircle.COM" Subject: Re: Modems References: <01BCB934.1D56D880@diseno-ii.comuni-k.com> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Mailer: Mutt 0.67 In-Reply-To: =?iso-8859-1?Q?=3C01BCB934=2E1D56D880=40diseno-ii=2Ecomuni-k=2Ecom=3E=3B?= =?iso-8859-1?Q?_from_Juan_Carlos_Mart=EDnez_Medina_on_Thu=2C_Sep_04=2C_1?= =?iso-8859-1?Q?997_at_01=3A11=3A48PM_-0600?= Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, > Does anyone know what kind of modem do the ISP's use for the Dial-up access. > is it a rack modems or a home modems Very small ones use HomeModems, bigger ones use Rack Modems. Especially here in Germany you can use a S2M (30 ISDN Channels) Router with DSP Modem-Cards. Greetings Bernd -- (OO) -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de -- ( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/ o--o *plush* 2048/93600EFD eckes@irc +4972573817 BE5-RIPE (O____O) If privacy is outlawed only Outlaws have privacy From owner-firewalls-outgoing Sat Sep 6 04:52:25 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA09436 for firewalls-outgoing; Thu, 4 Sep 1997 20:19:53 -0700 (PDT) Received: from mail.the-wire.com (mail.the-wire.com [198.53.192.5]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id SAA20689 for ; Thu, 4 Sep 1997 18:49:01 -0700 (PDT) Received: from psyche.the-wire.com (psyche [198.53.192.2]) by mail.the-wire.com (8.8.7/8.8.7) with ESMTP id VAA16820; Thu, 4 Sep 1997 21:54:21 -0400 (EDT) Received: from anton.the-wire.com (anton.the-wire.com [205.206.32.227]) by psyche.the-wire.com (8.8.6/8.6.12) with SMTP id VAA06604; Thu, 4 Sep 1997 21:54:48 -0400 (EDT) Message-Id: <3.0.32.19970904160110.009e6b10@mail.the-wire.com> X-Sender: anton@mail.the-wire.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Thu, 04 Sep 1997 22:12:00 
-0400 To: silicom@netvision.net.il, firewalls@GreatCircle.COM, ntsecurity@iss.net From: Anton J Aylward Subject: Re: Proxy Server 2.0 features & market positioning by Microsoft Program Manager Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ## Reply Start ## Quite apart from its length, I think this oversteps the mark into blatant advertising. It would have been quite sufficient to have supplied a URL. >This message is in response to a posting by Itai Dor-on on this newsgroup >about Proxy Server version 2.0 Beta. Itai had several questions about >Proxy Server 2.0 features, security, and market positioning. > >I am a Program Manager for Microsoft Proxy Server. I would like to clarify >the feature-set and market positioning of Proxy Server v2.0, and respond >to some specific comments in Itai's posting. That's what I mean. If we want to know the 'market positioning' we can look it up from a URL. This was an excessive post considering the question. /anton ## Reply End ## -------------------------------------------------------------------------- Anton J Aylward | "Quality refers to the extent to which The Strahn & Strachan Group Inc | processes, products, services, and Information Security Consultants | relationships are free from defects, Voice: (416) 494-8661 | constraints and items which do not add Fax: (416) 494-8803 | value." - Dr. Mildred G Pryor, 1995 From owner-firewalls-outgoing Sat Sep 6 04:53:25 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id WAA11428 for firewalls-outgoing; Fri, 5 Sep 1997 22:26:19 -0700 (PDT) Received: from sunphil ([208.142.163.65]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id WAA11390 for ; Fri, 5 Sep 1997 22:26:07 -0700 (PDT) Received: by sunphil (SMI-8.6/SMI-SVR4) id NAA02861; Sat, 6 Sep 1997 13:25:25 -0800 Date: Sat, 6 Sep 1997 13:25:25 -0800 
From: drexx@pspi.com.ph (Drexx Laggui) Message-Id: <199709062125.NAA02861@sunphil> To: firewalls@greatcircle.com, fw-1-mailinglist@us.checkpoint.com Subject: Routing, FW-1, and NAT X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello world, I'm getting tired of RIP. Really. It is so dynamically unpredictable. You see, I'm on my third project case that involves an established corporation deciding to connect the Internet with an internal class C address of 192.9.x.x To illustrate a typical setup: 192.9.x.x <-> Cisco 2500 <-> FW-1 v3.0 <-> Cisco 2500 <-> Internet ^ | Cisco 2509 192.9.x.x Since the only legal IP addresses I have are at the side of FW-1 facing the world, I have to do automatic network address translation (NAT) for the properly subnetted intranet. I had no choice but to run RIP, yet with an entry in the /etc/gateways of "norip le0", wherein le0 is my external interface, so that I could at least connect to the Internet. RIP is definitely running within the intranet. Fiddling around with the "route add default a.b.c.d x" for the intranet objects doesn't really seem to work. Does anybody have an FAQ on setups like this? Did anybody even manage to set up stuff like this? Can anybody give me pointers on how to properly install/configure static routing in this case? I have assumed that internal RIP use is critical because the 192.9.x.x addresses are very active in the Internet (eg: www.sun.com = 192.9.9.100). Can anybody prove me otherwise? many, many thanks, Drexx. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= ______ /_____/\ DEXTER D. LAGGUI /_____\\ \ Systems Engineer, CSD-TSR /_____\ \\ / PHILIPPINE SYSTEMS PRODUCTS INC. /_____/ \/ / / Penthouse, Corporate Business Center /_____/ / \//\ 150 Paseo de Roxas Ave., Legaspi Village \_____\//\ / / Makati City, Philippines \_____/ / /\ / \_____/ \\ \ Phone: (++ 63-2) 813-6453 to 55 loc. 
222 \_____\ \\ Fax : (++ 63-2) 813-3516 \_____\/ Email: drexx@pspi.com.ph =+=+=+=+=+=+ This e-mail is made from 100% recycled electrons. +=+=+=+=+=+= From owner-firewalls-outgoing Sat Sep 6 04:53:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id UAA20934 for firewalls-outgoing; Fri, 5 Sep 1997 20:54:46 -0700 (PDT) Received: from mail-response.com ([205.254.167.57]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id UAA20924 for ; Fri, 5 Sep 1997 20:54:40 -0700 (PDT) 
From: cyberspace@mail-response.com Received: by mail-response.com (8.8.5/8.8.5) with SMTP id CAA29621; Sat, 6 Sep 1997 02:46:49 -0400 (EDT) Date: Sat, 6 Sep 1997 02:46:49 -0400 (EDT) Message-Id: <199709060646.CAA29621@mail-response.com> X-Advertisement: Visit http://www.iemmc.org for name removal information. To: cyberspace@mail-response.com Subject: Health Alert Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I want to apologize if this message has been sent to you in error. I have had my eyes opened and I feel a responsibility to share this information with you,and to let you know there are conscious manufactures who are creating Earth-friendly and People-friendly products that you can feel safe using in your home. You can make a difference in your own health of your family. The Problem, Do you remember when the Skull & Crossbones was on the label of many householdproducts??? When we think o f the word poison we usually think about someone ingesting a toxic substance. Your body can be poisoned in many other ways to. They can be absorbed into your body,say like when you get a chemical on your skin and you absorbed it into your body,have you ever heard of transdermal patches,stop smoking etc,The skin will absorb far more than we ever imagined.In other words a toxic chemical can be absorbed by ingesting it,touching it,smelling it,or even touching a surface that it has been on days or maybe even months before. More than 7 million accidental poisonings occur each year,with more than 75% involving children under the age of 6 Women who work at home have a 54% higher death rate from cancer than those who work away from home. 
The 15 year study concluded it was as a direct result of the much higher exposure rate to toxic chemicals in common household products!----Toronto Indoor Air Conference 1990 Warning labels required by the U.S.Gov., EPA,Office of Pesticides and Toxic Substances: Danger- A single taste to a teaspoon can be fatal to an adult Warning- A teaspoon to an ounce can be fatal to an adult Caution -A ounce to a pint can be fatal to an adult The solution: Two european bio-chemists working on behalf of an american entrepreneur, have discovered a new breakthrough molecular technology. It may replace nearly all existing products in the multi-billion dollar residential and business chemical markets. The technology is non-combustible, non-fuming, non-hazardous, and non-toxic. It is totally biodegradable. Consumers are reporting amazing benefits by using the solution as a replacement to hundreds of toxic chemicals. http://www.web2010.com/flourish/cc/prelaunch.htm /////////////////////////////////////////////////////////////////// I want to apologize for the intrusion on your time.Hopefully you have found this site worthwhile. If you wish to be removed from this advertiser's future mailings, please reply with the subject "Remove" and this software will automatically block you from their future mailings. 
/////////////////////////////////////////////////////////////////// From owner-firewalls-outgoing Sat Sep 6 04:54:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA23631 for firewalls-outgoing; Thu, 4 Sep 1997 16:20:29 -0700 (PDT) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970824-1) id QAA23503 for firewalls@greatcircle.com; Thu, 4 Sep 1997 16:19:56 -0700 (PDT) Received: from gargoyle.clark.net (pm1-62.dcwt.infi.net [208.136.65.62]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id UAA18150 for ; Sun, 31 Aug 1997 20:39:25 -0700 (PDT) Received: (qmail 9592 invoked by uid 500); 1 Sep 1997 03:49:12 -0000 Date: Sun, 31 Aug 1997 23:49:12 -0400 (EDT) 
From: "Paul D. Robertson" X-Sender: proberts@gargoyle To: Frank Willoughby cc: firewalls@GreatCircle.com Subject: Re: Remote Firewall Penetration Testing In-Reply-To: <3.0.3.32.19970831214255.006a8f64@in.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sun, 31 Aug 1997, Frank Willoughby wrote: > I disagree. Testing on the inside simulates attacks that disgruntled > employees could make on the firewall - include trying to log into the > firewall using valid Username/Password combinations, Denial-of-Service Username/Password auditing doesn't require network access. Especially if the bastion host doesn't allow network access to itself. > attacks, etc. Internal employees with an axe to grind would love to > seize control of the firewall, reconfigure the rules to allow all > inbound traffic & then post the info to a local (or global) hacker > site as a worthwhile site to crack. But once again, that may or may not be the point of a security audit. Some organizations specifically want auditing of external attack vectors, as they may choose to use a different mechanism to audit their internal network if they don't want to give physical access to an untrusted entity. > > > >> o Depending on how the firewall's rules are set up, a set of exposures > >> from the DMZ may be different than that of the firewall's external > >> (Internet side) interface. > > > >DMZ = Internet side, or it's not a DMZ, it's a protected segment, no > >matter how public, private or little protection. > > Your definition of a DMZ is different than the definition I am familiar > with & is the same definition which is shared by other InfoSec colleagues. > FWIW, interestingly enough, I double-checked and also found references > made by other people who use your definition. Oh, I guess I'm not in the "InfoSec colleagues" club. 
I tend to use various terms for the subnets in between internal screening routers and bastion hosts, but I've always felt that something inside your key demarcation point doesn't fit the definition of a DMZ. DMZs are about the built up enemy forces beyond your border, and buffer zones, not about the turncoat or SOF unit behind your lines. In my compartmentalization model, traffic that comes from untrusted, unknown sources is indicative of a different threat level than that which comes from within the borders (not necessarily a lower threat level however, depending on the threatcon at the time). Therefore, I find it helpful to differentiate that with more pointed terminology. Even if it's "DMZ" versus "Internal DMZ", no bastion is an island, and processes and procedures for handling "internal" attacks are vastly different than those for handling "external" attacks, even if it is a cross-compartmental attack. While I don't necessarily extend total trust based on "internal" and "external", they are handled by different laws, processes and procedures and different authoritative zones of control, and therefore differentiated in architectural discussions. In terms of traffic, the Web network you described is affected by the bastion host, and therefore not the same as an external DMZ segment, which is only affected by the outside screening router. Since we're talking about testing the bastion primarily, then it would make sense to not pass traffic through the bastion to do that for most stages. > >I doubt you'd want to do encryption to the host you're testing. That > >certainly skews the results. > > Granted. But isn't this what you proposed? If not, could you elaborate > on your suggestion with the encrypted tunnel? "Encrypted tunnel to a host on the DMZ.", which could be elaborated more thoroughly as "Encrypted tunnel to a host on the DMZ which isn't the bastion host. Be it an outside screening router, or host placed on the DMZ for that purpose." 
> >1 CD ROM, shipped to the customer. > > This doesn't solve the problem of the customer or the shipping agent having > access to the tools, nor does it assure that the environment on the CD will It's not the tool, it's the tunnel. If you're really paranoid, sign the media and ship it separately to an out-of-band address. Hell, a Cisco 2514 will do encrypted tunnels now-a-days. > However, I would counter that our prices (including on-site service) are > probably less than others who are performing remote testing. YMMV, but > I find it unlikely that you'll find a seasoned ISO who will do it for > less than we do. Our costs are less, so your costs are less. 1. I've met so many "seasoned ISO's" who didn't know their butts from their hands, especially outside of a RACF environment that it's not funny. Next you'll be waving little NCSA certificates around? 2. If you're speaking of the literal me, I can do my own testing and verification thanks. Continuously too, it's included in what I do, so it only costs my time. > Which is why I prefer to do due diligence and to be onsite during testing. > I'll be able to check very precious little if I were to test off-site. You didn't answer the question. Do you do signal tests of cables while you're on-site? Do you verify router and switch code checksums? Is there actually real value there, or is it just making you feel better? I'm curious how much external folks check, because when I do my own audits, there's a tile-puller in my hand, and I've been known to byte compare router code to my known reference versions. > Of course, our contracts protect us. Our contracts are written by experts > in corporate contract law. Consequently, our liabilities are pretty close > to zero. However, no matter what the paper says, it is my understanding > that *no* contract will protect a company against incompetence or gross > negligence. Doing less than full testing could potentially be perceived > as not doing an adequate job. 
> If I saw a potential problem and chose to
> ignore it, then the potential for legal liabilities exists - no matter
> what the paper says.

Which is why the contract should specify methodology and scope. Incompetence and gross negligence are *way* outside the curve as I understand it. I just had this discussion with one of our corporate lawgeeks last week, and it's my understanding that 'best common practice' is a low enough bar for most professionals to walk over without breaking stride.

> Of course we test the stack. Also, how are you going to test bandwidth
> problems over a 28K or 56K line when the customer has a T3? Suppose
> you are running a test which opens & closes ports very quickly. At low
> speeds such as 56K, the firewall will run the test just fine, but when
> connected to the firewall, this has resulted in Denial-of-Service attacks
> on some firewalls which would return control to the firewall when I aborted
> the test. Available bandwidth really does make a difference.

Right, but the point was that those tests don't have to come from known networks. They can come from *any* network, since they only need to get packets to the host under attack, not receive them back. You're generating the sequence numbers, you can generate RSTs if that's necessary.

> But they can identify that a test is in progress (Courtney et al).
> Obviously, different attacks have different signatures. I am not
> going to advertise to the world that a customer has a firewall
> which electronically emulates a sieve.

If it does, it already does, that's obscurity, not security.

[snip the infomercial]

> Also, I learned from a master in the field. Where is the greater good
> achieved? Putting my skills to work for one company? Or helping as
> many companies as possible get their act together? (Particularly when
> they are so vulnerable?)
> If I was to work for one company, once they
> are up to speed & have achieved consistently high levels of InfoSec
> which don't impede business ops, where do you go from there? I like
> helping people & I like solving problems & turning companies' security
> around to where it should be instead of nonexistent as it currently is.

I like doing it too, I just don't charge money for it if it doesn't involve my employer. But then I've never felt the need to sell anything so I don't put long infomercials in my posts.

> >But if it's based on a D-O-S attack, there's not a whole bunch of value
> >to certifying the fact that the bastion isn't vulnerable if the next
> >upstream hop is always vulnerable. In either case, the site is down and
> >the attack succeeds. Vendors can address most of the flaws, and some
> >have, others haven't.
>
> What happens at the upstream hop is beyond the ability of the customer
> to control. I have a contract with the customer - not the upstream
> provider.

I work for the "joy of security", not for the parameters of a contract, YMMV.

> Actually, the company will be vulnerable during the time between when the
> attack is initiated and the corrective measures have been implemented.

No, they're *already* vulnerable. If it's detectable they're probably already owned anyway. You'd be surprised at how many are.

> Depends on who you are up against. Some don't care, because they will
> be gone in a couple of days anyway or if they may have been hopping
> countries to get to the attack site. We can't track attackers as
> fast as they can build connections.

I've yet to come up against one who didn't care. Perhaps I'm just playing with a different class of attacker.

> >By the same token, if the firewall is in a secure area, I may not want
> >short-term consultants in that area.
> >For all I know, you're bringing in
> >stuff to grab signals off of the *other* sensitive equipment in that
> >area, leaving diskettes in the servers, and all kinds of dastardly things
> >that even complete diligence on the part of the escort won't turn up.
>
> Which is why I advocate that the consultants should always be escorted
> so that the customer can see what is going on. Also, for those who are
> really paranoid, during the contract negotiations, you can insist that
> the consultant appear onsite and that the hard drive will be crypto-erased

Which doesn't take into account flash, or a zillion other things. We're not in the business of disassembling computers, we're in the business of business.

> or destroyed before the consultant leaves. You don't have that kind of
> control when the consultant is attacking remotely.

You don't need it remotely, they're not gaining physical access.

> Again, security isn't 100%. However, even someone who is very paranoid
> will like our references.

I've never seen a reference I didn't like.

> Last, but not least.
> I will not put Fortified Networks nor the customer at risk in doing
> remote testing until I can find a way to do it *securely* without
> sacrificing quality or accuracy. So far I haven't seen it. I would
> like to hear more about your proposed solutions (or alternatives),
> though.

I understand your stand completely, and I can appreciate your sticking with your stance, however, I've put in enough secure links to insecure places in my time to think that it's not an insurmountable problem.

> wish them well and turn the project down. I am sure that there will
> be someone who will take their money, but it won't be us.

Like the saying goes, "You can't buy integrity."

> The postings made by you and Russ are always thought-provoking and
> I enjoy reading them. We often agree and sometimes we disagree.
> It appears that this is one of those times. But, that's OK, we all
> have our own opinions.
> I'm doing what I feel is right for Fortified
> Networks & our customers and you are doing what you feel is right for
> you & your organization. I don't have a problem with that.

I agree with that entirely. I don't have a problem with disagreeing, and I'll stick to my position in this case. Hopefully we all think some more and everyone benefits from it, no matter which side they end up on.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From owner-firewalls-outgoing Sat Sep 6 06:02:41 1997
Message-Id: <3.0.3.32.19970831122818.006bc0d8@in.net>
Date: Sun, 31 Aug 1997 12:28:18 -0500
To: Russ
From: Frank Willoughby
Subject: RE: Remote Firewall Penetration Testing
Cc: firewalls@GreatCircle.com
In-Reply-To: <61B80F9FF411D1118DEF0000E8D5C66701F66D@ns.ntadvice.com>

At 09:46 PM 8/30/97 -0400, Russ allegedly wrote:

Russ,

Thanks for your mail. You brought up some good points. We may disagree on some fine points, but basically, I don't think we are that far apart. I think that some of your criticisms are based on assumptions which are not accurate.

>Frank,
>
>Saying that the service you provide, or the fashion of service you
>provide, is better than another is Ok, but let's be realistic as well.

You are missing my point. The point I was trying to make was that IMHO, Remote Penetration Testing of firewalls is difficult to do correctly and without exposing the customer. When I mention a problem, I prefer to provide a solution to that problem where appropriate. Pointing out what we do & don't do & why we do or don't do it tends to avoid situations where a person is saying one thing and doing the opposite. IOW, someone knows what they should be doing, but aren't doing it for some reason or other.

>First of all, you say that you cost a mere $1-2k more than the Remote
>Security Testing (RST) packages. So if I have 5 offices, that's $5-10k
>more expensive, etc... starts to add up, doesn't it?

As I interpret it, your first statement is incorrect. I didn't quote the price of our Firewall Evaluation / Penetration Service (FEPS) nor are our prices $1-2K more than Remote Security Testing packages (tools?). I am assuming you mean scanners here. The $1-2K difference we are talking about are travel expenses only. Whether a customer is local or not has no bearing on what we charge. The customer provides the plane tickets, hotel, etc.
This gives them control of the travel expenses, and frees us of having to fill out travel expense reports - the bane of every consultant. 8^)

Another thing. We won't do a Penetration Test only & I'll explain what we do in bullet-form in a second. The FEPS includes an evaluation of the customer's business & security requirements, a vendor-neutral selection of the appropriate firewalls (plural) for the customer, an Internet Security Policy Template (since a firewall is an implementation of a security policy), and the Firewall Penetration Test. We also design the Internet Firewall Network Security Configuration and will perform a high-level Internal Network Security Evaluation & Design. You can't order just a Firewall Penetration Test. Not doing all of the above is not performing a thorough job & may give the customer the impression that they have adequate security when this is not the case.

Why the FEPS includes the above:

o Evaluation of the customer's business & security requirements
  This is a mandatory requirement so that the appropriate solution (firewall & network security) can be designed.

o Vendor-neutral selection of the appropriate firewalls (plural) for the customer.
  A firewall which is right for Customer A may not be right for Customer B. We feel it is important to represent our customer's interests - not those of a particular vendor. IMO, anyone who recommends only one firewall is a thinly disguised reseller or has some biases which need examining.

o An Internet Security Policy Template (since a firewall is an implementation of a security policy)

o Design the Internet Firewall Network Security Configuration
  If the Internet firewall network configuration isn't properly designed (or even examined), gaping holes could exist which could expose the company's networks. If the consultant doesn't look at the network topology diagram, something is very wrong.

o Perform a high-level Internal Network Security Evaluation & Design.
  You could have a bullet-proof Firewall & Internet Firewall Network Security Configuration & still get taken out by back doors which exist on your network. (Modems on PCs are common examples) Again, the Internal Network Security Eval & Design is necessary to ensure that gaping holes don't exist which could compromise or bypass the firewall. Doing less than this isn't being thorough, IMHO.

o The Firewall Penetration Test.
  Throwing tools at the firewall alone isn't very effective. Also, the results may need to be interpreted. Some "vulnerabilities" that a scanner may indicate might not actually be vulnerabilities. Also, tools alone won't tell you everything about the firewall's security. Some tests have to be performed manually (like a check to see if the rules are correctly set up & are in line with what the customer wants from the Internet). Also, it is important to train the customer in what is & what isn't secure. Most firewalls will let the customer open up the firewall. Opening up some services could be dangerous and seriously impact the company's business. The customers need to be given guidelines on what is OK & what's not. After that, it's their call.

IMO, doing any less than all of the above is not being thorough enough. Lack of attention to the above details may indicate false positives, or worse, put the customer at risk.

>Next, let's say that I want this done every month, because I want to
>make sure that a new system or new configuration hasn't been implemented
>incorrectly. That's now $60-120k per year that you're costing me more
>than the RST, right?

Wrong. Unlike other companies, we provide a transfer of knowledge with every contract. Except for the proprietary stuff, they will understand what we did & why we recommend certain solutions over other ones. Some tools used to be throwaways. Now we have to pay full price for them.
Instead of paying for the tools once & then charging the customer over & over for the tools (or use of them for maintenance contracts) like some companies do, we will leave one or more tools behind for the customer so that they can test their firewall whenever they choose. This helps the customer become self-sufficient. IMO, security consulting isn't a license to fleece the customer, nor should customers be permanently dependent on us for their security.

>Then there is the cost of my people who have to be around while you're
>doing your thing, their salaries. That's another $1-2k per month, or
>$12-24k per year. So now we're up to $72-144k per year you're costing
>me.

We *want* the employees to be around when we are onsite so that a transfer of knowledge *can* occur. Also, since the customer has one or more of the tools we used, they can perform their own testing & save a small fortune. Another thing, just because the consultant is performing security tasks doesn't mean that they should be permitted to go unescorted within the company.

BTW, the $72-144K/year are grossly over-inflated and are based on false or inaccurate assumptions.

>Now to the risks that RST doesn't address, or so you say. You keep
>referring to the ISP being taken out. If, as a previous poster pointed
>out, I'm running from different netblocks around the world, the only ISP
>that could be taken out and prove viable to the hacker would be the
>customer's ISP. That means they (the hackers) have to take out the
>customer ISP for every customer you have. Don't you think you're
>over-emphasizing this risk?
>Let's be realistic here, Mom and Pop ISPs
>might not be in a position to protect themselves from such exploits, but
>the vast majority of business is not getting supplied by M&P, they're
>getting it from a bigger entity with the resources to protect themselves
>(hey, don't get me wrong here, it's not like big ISPs never get hit, but
>not as casually as you suggest hackers can track your activities).

I disagree with the thought that the vast majority of business is not getting supplied by Mom & Pop ISPs. There are many more small-medium businesses than there are corporate giants. Small-medium businesses are also on the 'Net and also need to be secured. They don't have as much money to spend, so many companies ignore them. FWIW, our smallest customer so far was a 7-man shop.

Another thing. You are forgetting that ISPs are in the business of providing as many connections as possible. This is in opposition to the basic network security design principle of limiting the number of external connections & then guarding those connections. Also, an attacker wouldn't even have to take out the ISP. They could (quite legally) have a server installed at the ISP via a front company. Then they could use that server as a staging area to take out companies. They could also use it to sniff the network traffic going to/from the company (possibly a competitor). BTW, this is one reason that I would never recommend that a customer use an ISP which is in the same industry (such as s/w development) or whose function isn't solely that of an ISP.

>So while the risk of such an exploit, as you suggest, is not nil it is
>also not a major factor in my risk assessment of doing RST. Wide-spread
>compromise of my testing service is virtually impossible (since the
>hacker would need monitoring code in hundreds of ISPs or on major
>network backbone routers - which further minimizes the risk to those
>customers of that backbone provider). Localized compromise of my efforts
>is more likely (i.e.
>one particular ISP or network), but it's highly
>unlikely that this will exist for a protracted period of time without me
>becoming aware of it (either through one of my customers getting hacked
>following an RST, or information gained from the network providers
>themselves). So where's the beef??

I disagree completely for the reasons mentioned in my last several paragraphs.

>Then there are the RST services run by ISPs themselves. These services
>are provided completely within networks controlled by the ISP itself,
>between itself and its customer. No external networks involved, and they
>have the ability to verify the integrity of their systems between
>themselves and the client. This is a valid RST service in the model
>you're condemning, but it's extremely unlikely that it's susceptible to
>the risk you state.

Again, I disagree for a couple of reasons.

o It puts the ISP in a conflict-of-interest. The ISP is not a neutral party as they provide the Internet access (even more so if the ISP provided the security design or the firewall)

o The ISP doesn't have a need-to-know what the customer's internal Information Security Infrastructure is like. They are there to provide Internet Access.

o Information Security Services should be performed by experienced Information Security professionals (preferably seasoned Information Security Officers). ISPs don't usually have Information Security professionals or seasoned ISOs working for them. While there are exceptions, this holds true for most of the ISPs I am familiar with.

o ISPs, by definition, have open insecure environments & provide external entities access to their systems. This violates two basic tenets of Information Security.

o FWIW, some ISPs provide a Firewall Management Service - which, IMO, is a *very* bad idea - as it provides the ISP with complete access to the customer's internal network.

None of the above comments are intended as a slight to ISPs.
They are in the business of providing Internet Access and do this very well. They are in a different field and have different business objectives than Information Security Consulting companies and their goals are frequently in opposition to Information Security goals.

o Open network vs. closed network (or network with limited, controlled access points)
o No or very limited controls vs. stronger controls
o Little accountability vs. stronger accountability & paper trail requirements
o Etc.

>COPS services can be extremely valuable to customers to keep them
>informed of patches and known vulnerabilities. While the order from on
>high may come down to have a particular daemon patched, it's difficult to
>ensure that it has been done everywhere without such services. They can
>be run internally, and in every good network there should be systems
>dedicated to the tasks of performing COPS analysis regularly with
>appropriate escalation procedures when the errors are not corrected, but
>that's not viable for everyone. Paying a consultant to do this work is,
>in many cases, a viable option and makes sense, but not in all cases or
>all networks.

Agreed. But COPS doesn't do everything. IMHO, there is no one solution which is appropriate for every corporate environment. Every company is different. What works in one company won't work in another.

>So it's fine for you to say that your service is better, but let's not
>claim that every implementation of RST is a Bad Thing(tm) just to make
>your marketing point. Some of them can be a Good Thing(tm), and are.

As stated earlier, I didn't bring up the point for marketing purposes. The point was made because I strongly feel that Remote Penetration of Firewalls is not a good idea and I am amazed at the number of reputable companies who are doing this and should know better. I only pointed out what we do so that you know we aren't saying one thing & doing another. BTW, I think Martha Stewart beat you to trademarking the "Good Thing(tm)".
8^) 8^)

>A company may not wish to spend $72-144k per year on you doing what a
>system can do automatically.

Very Good - since we never charge that much to perform (Local) Firewall Penetration Testing.

>Instead they may spend $12-24k on the
>automatic service and have $60-120k money left in their budget to hire
>you to come in and do the *Good Stuff(tm)*, meaty security
>policy/analysis work with much more value to them, and you.

Replace the words "automatic service" with "Firewall Evaluation & Penetration Service" and we are in 100% agreement.

>Of course the profit margin is much higher on Tiger Testing than
>anything else in the security industry, so I can appreciate you not
>wanting to lose that revenue stream, but it's happening and going to
>continue...

Hmmmm. Perhaps we aren't charging enough. 8^)

When we leave the tools behind & show the customer how to conduct their own basic firewall penetration tests, we are walking away from the high profit margins you mentioned. It means less money for us, but I'm comfortable with our approach and feel that this is the right thing to do.

I believe that a Firewall Penetration Test is necessary to ensure that the firewall is secure enough to protect the company. OTOH, I believe that many Penetration Tests of Corporations (Tiger Team, etc.) are unnecessary. It may be a way some companies use to fleece customers. Give me a whiteboard & a marker & I'll show you what your exposures are in 1-3 hours more than what most companies will after 1-3 weeks of "penetration testing". All a penetration test does is prove a customer has a problem. Duuuuh. We already know that every corporation has massive security problems. FWIW, in almost all companies that we have audited we discovered that their vulnerabilities were substantial enough that anyone could write their own paycheck - they just didn't know how.

>BTW, I do not perform RST myself and do not sell RST services from any
>company/organization.
>I also do not perform Tiger Testing in-house. So I
>have no personal stake in this argument other than to avoid fear
>mongering to sell a service type.

We are frequently asked to perform a Penetration Test of a corporation & so far, we have always been able to talk the customer out of it. It's a waste of their money ($30K - to over $100K) and our time. Spend the money on fixing problems, not chasing problems we already know about. Design security from the inside out, not the outside in.

>Cheers,
>Russ
>R.C. Consulting, Inc. - NT/Internet Security

Best Regards,

Frank

The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc.

Fortified Networks, Inc. - http://www.fortified.com/
Expert (vendor-neutral) Computer and Network Security Consulting
Phone: (317) 573-0800 Fax: (317) 573-0817

From owner-firewalls-outgoing Sat Sep 6 06:52:24 1997
Message-Id: <3.0.3.32.19970831174640.006bc728@in.net>
Date: Sun, 31 Aug 1997 17:46:40 -0500
To: "Paul D. Robertson"
From: Frank Willoughby
Subject: Re: Remote Firewall Penetration Testing
Cc: firewalls@GreatCircle.com
In-Reply-To:
References: <3.0.3.32.19970830162031.006ae7f4@in.net>

At 10:54 PM 8/30/97 -0400, Paul Robertson allegedly wrote:

>On Sat, 30 Aug 1997, Frank Willoughby wrote:
>
>> >But it is possible to minimize the hazard as
>> >identified by you.
>>
>> You're right, it is possible to minimize the hazard. But so far,
>> I haven't seen a solution which is secure enough for me and is
>> less expensive (time, money, manpower) than doing it locally.

>Secure tunnel to the DMZ of the tested network.

This is one way of performing the task, but we rejected it for a couple of reasons:

o The DMZ is just one leg of the firewall. A Firewall Penetration Test should be performed on each interface of the firewall.

o Depending on how the firewall's rules are set up, a set of exposures from the DMZ may be different than that of the firewall's external (Internet side) interface.

o More in a few minutes...

>ObRussCooper: Microsoft's PPTP could do this with NT Server.
>
>Most two node VPN software solutions are pretty cheap actually. Even if
>you buy the RSA stuff, you're talking less than travel, room, and board.

Perhaps, but let's look at the possibilities:

o If you are using the User->Firewall encryption or even the Firewall->Firewall encryption, and running the tools from your remote system to the firewall, then your test results may not be accurate. Some firewalls will pass encrypted sessions thru the firewall (tunneling) as it trusts the remote party.

o If you wish, you can establish an encrypted tunnel to a system which the customer provides. The customer would then place the system on the outside and inside of the firewall. The problem here, is that you are expecting the customer to correctly install the system. They may indeed have this competence.
  But the problem is that *you* didn't set it up. Something may be misconfigured or may not work well enough for you to achieve accurate results. Also, how do you validate something you haven't seen yourself?

o You could send an attack system to the customer (@ $400-500 to ship) each way and have the customer connect it to each of the firewall's interfaces. At this point, we have already reached the $1K mark and gained no financial benefits over local testing. Also, you are depending on someone else to perform part of your testing operations correctly (i.e. connecting the attack system properly to the firewall). You have no verification that it is being performed properly. Using part of a test in your reports for which you have no verification could taint the results. How do you know your attack system is correctly connected to the customer's network? There are many problems which could occur which won't immediately be apparent when performing remote networking operations (as most Help Desk personnel can testify). Since we have no physical control over the system (during shipping and while onsite), there is also the possibility that the tools may be copied and used for unintended purposes (raising potential legal liability issues) or be used against the customer (if the attack system is stolen during shipping).

>> If all IP addresses belong to the same entity, (ie - your company)
>> then nothing is really gained. One attacker may be monitoring one
>> IP address range, another might be monitoring another address range.
>> As the bad guys know who the good guys are, we have to assume that
>> they are monitoring our network traffic and take appropriate precautions.
>>
>> If all of the IP addresses are at the same ISP, the process is even
>> easier for the attackers.
>
>That's assuming that the ISP is small enough, or the levels of traffic
>from the ISP small enough that the traffic is statistically significant.
>Unless you're looking to test flood protection, you can do a heck of a
>lot with dial-up ISDN or post-CIDR provider netblocks which don't get
>registered to you.

Actually, we do test flood protections. Dialup connections won't give us the bandwidth we need to take out the firewall. We also need to have the test conditions be as close to the customer's environment as possible *and* not have our testing betray our presence or that our testing is in progress.

>> Even if attackers aren't set up at the ISPs your company is using,
>> they might have cracked the customer's local ISP and set up a sniffer.
>
>If that's the case, they'll probably get enough information to mount a
>Net or non-Net based attack *anyway*. Your local testing won't find
>that, and won't stop it from happening.

Good point. But OTOH, we don't need to add fuel to the fire either. As InfoSec consultants, we need to be discreet. Testing across the Internet isn't very discreet.

>> The sniffer will probably be set to trigger on certain strings (password),
>> or signatures (test signature of common commercial & attacker security
>> scanners). They may also be using a scanner detector. The attackers
>> don't even need to have the results in real time. They just need to
>> check the results frequently enough to take advantage of the window
>> of vulnerability & take out the system before the vulnerabilities are
>> corrected.
>
>That would be real-time, unless you're not watching the scanner results
>in real-time. Then there's the fact that if they've gone to all that
>trouble, not shutting down the scanner in real-time gives them the same
>vulnerability assessment that the scanning firm has, I'm not sure that's
>as bad as you'd make it seem, since we'd trust our scanning firm to get
>us that report (out of band) as soon as they found a vulnerability.

Assuming they are running one of the popular scanners, the report will be finished in @15 minutes.
When we do the testing onsite, the customer is there with us and sees the results in real time. Once the firewall passes the tests, only *then* will the firewall be put on line.

>> >I am lucky that I work for a company with world-wide presence, so
>> >I am able to use several company-owned hops before I got to the
>> >client to be tested (sometimes using encrypted and authenticated
>> >tunnels... another reason for not doing automatic testing :-)).
>> >The attacker then has to follow the track, but probably isn't able to
>> >recognize a test in progress at all.
>>
>> I disagree. If the attackers have taken out the ISP, they may have
>> uploaded scanner detectors and are using them (it would sure make
>> the sifting process easier).
>
>But if, as asserted, the packets are encrypted, then (a) they can't forge
>false returns without alerting the scanners, and (b) they can't know what is
>going on. Not that they'll automatically jump to the good guy conclusion
>anyway necessarily. There's more bad guys out there than good guys doing
>penetration tests.

I discussed this in the paragraphs above.

>> >> PS - We offer a vendor-neutral Firewall Evaluation/Penetration Test
>> >> Service in which we subject the firewall to over 400 tough security
>> >> tests (manual & automated). This helps to ensure that the firewall
>> >> is robust enough to meet the security challenges posed by connecting
>> >> a company to the Internet.
>
>A firewall is *never* robust enough to meet the security challenges posed
>by connecting a company to the Internet, limit, yes, meet, no.

You are right. I should have been more careful in my wording. The problem is that the bad guys are 1 1/2 steps ahead of the good guys. It will always be the case. There is no such thing as completely secure firewalling which permits any network connectivity. We can ensure that the firewall is able to defend against the most prevalent attacks on the 'Net today. But InfoSec is not so much a goal as it is a direction.
100% secure doesn't exist. Never has, never will.

>IP over
>SMTP, Reverse Telnet over ICMP, http to a command CGI, there are a million
>ways in and out of a "protected" network, most of which can be made fairly
>indistinguishable from "real" network traffic.

Excellent points and reasons why I strongly recommend Application Gateways over Packet Filters (even Stateful Inspection Filters). One problem I see on the horizon in firewall testing is how to verify the robustness/design of the proxies & "Inspection Engines". This is tough to do right and requires that the vendor permit access to the source code. (Don't hold your breath for this to happen).

>> >I prefer to do the testing locally as well. Another advantage is that you
>> >can create greater loads on the firewall than in the real (Internet)
>> >world. So you can indeed test the robustness of the firewall better.
>>
>> Excellent point.
>
>And mostly moot, the majority of connections are small enough that they
>can be flooded further back in the path, smurf.c is a prime example of
>that working at provider's peering routers even.

I disagree. The test is being performed against the firewall - not the various and sundry components of the Internet over which the customer has no control. The firewall *should* be capable of handling the most prevalent attacks. Some problems are the result of inherent design problems in TCP/IP and there is little the firewall vendors can do to prevent these problems.

>> It's slightly more expensive than doing it remotely, but the
>> customers should not be penny-wise & pound-foolish. They may
>> end up putting their company at risk in order to save $1-2K USD.
>
>If what you're saying is true, then the company is _already_ under
>attack, so then they are possibly changing the chance of detecting an
>attack vector, but they are not adding more risk to their scenario. It's
>already raining, forecasting humidity is moot.

But the company may not *yet* be under attack.
Remote testing draws unnecessary attention to the customer's firewall and may provide the attacker with some information which they ordinarily wouldn't receive.

>> If the decision to do remote testing is an internal management
>> decision, I would recommend escalating the issue and letting
>> them be aware that the quality of the work, which is being
>> performed by professionals such as yourself, is being put at
>> risk (as is the company's reputation if something goes wrong).
>> IMHO, it is simply not worth the risk.
>
>And that management would probably argue that if the consultant can't solve
>the problem of remote testing securely, then they're probably not as good
>at security as they claim to be. YMMV.

You can't solve management problems through technical means. The problem is that management may not understand the basics of InfoSec or that the manager's main motivation may be with an eye on the profit margin - rather than doing the job correctly. In either case, the manager needs to become more aware of Information Security & how vulnerable their company *really* is.

>> If the choice is the customer's, then I would point out to the
>> customer, the risks of remote security testing. Let them see
>> the wisdom in spending the extra $1-2K USD to have quality work
>
>I'd rather spend that once to do a secure tunnel than every time I wanted
>an external security audit.

Everyone has different standards of what they will accept. Personally, I don't feel the cost/security/benefit analysis adds up, but that's just my opinion. One company may perform the assessment for X dollars and use a secure tunnel. (I would consider the test results invalid because I don't have control/validation of every aspect of testing.) It could very well be that another company could perform the same task locally for less money than it takes the other company to perform less extensive tests remotely.
Regardless of whether the bottom line is security (where local testing is appropriate) or money (where the customer is shopping for the lowest price for competent security consulting services), it pays to shop around. One competitor bid for more than **7x** what we bid for a contract in Grand Rapids, Michigan. Why one would want to pay *more* for security consulting services from an inexperienced consultant who has never worked a day as an Information Security Officer is beyond me.

>> performed which won't put their company at risk. I would definitely
>> try to make this point to the CFO. As the CFO's job is to manage
>
>You'd be surprised how many times you wouldn't get to the CFO, ours sure
>as heck wouldn't go against his CIO's recommendation without something
>more firm than "quality, a little more, and may put at risk".

I would be specific in my examples to the CFO & CIO. It seems to have worked so far.

>> >Another issue is the greater control you have when testing locally. You
>> >can have feedback from the firewall immediately and react to that. In the
>> >end it turns out to be much more efficient, more thorough and cheaper.
>
>While there are some good reasons for local testing, I don't for a minute
>believe that remote testing is automatically invalid, and that it can't be
>done correctly. In my worldview, anyone who tells me there's only one
>solution to my problem is too short-sighted to deal with on a long-term
>basis. If I were shopping for external audit testing, I'd be looking for
>someone who would be looking long-term, and I've been in this field long
>enough to know that there's _always_ more than one way to do anything,
>even when I can't see it myself.

Sure, it's possible & I've explored a number of these (some of which I listed in this mail). So far, I haven't found any that I'm satisfied with.
I *am* open to suggestions though, and will entertain any ideas for remote testing which won't sacrifice the quality of testing or the validity of the overall results.

>On-site gives you physical access, and if I'm not auditing physical
>access, then I may require that you do the penetration testing remotely.
>I have to balance letting you on-site with my trust of you and your company.
>It is getting harder to tell the bad guys from the good guys, and I might not
>like the idea of finding out the hard way who's who.
>
>Paul

Excellent points. If I may address them individually....

>On-site gives you physical access, and if I'm not auditing physical
>access, then I may require that you do the penetration testing remotely.

That's OK. We either do it right, or not at all (& we don't charge extra for doing it right). 8^) I'm not going to sign off that something is secure unless I have verified it myself.

Regarding physical access... you could have a bullet-proof firewall which is correctly configured and have a rock-solid network security design. However, if the firewall is sitting in an open area and someone reconfigures the firewall to pass all services (perhaps because someone forgot to use a screensaver) or someone *steals* the firewall, then the firewall was never properly secured IMO. I'm not about to walk into that landmine.

At the end of the day, when we sign off on a report - OUR name goes on the report & it is a reflection of OUR work. I'm not going to set up Fortified Networks to get into a situation where we will end up delivering invalid or inaccurate results.

>It is getting harder to tell the bad guys from the good guys, and I might not
>like the idea of finding out the hard way who's who.

You are absolutely right. Sadly, most companies don't check credentials. Bad guys have also set themselves up as Information Security Consulting Companies. Personally, I will only hire former Information Security Officers who have a proven track record of success.
This helps to establish & maintain credibility. It also means that we can present a level of competence that most other companies in a 3-state radius can't touch, but I digress.... Another thing is to check references (customers & character). Just keep in mind that hackers who have set themselves up as consultants will also have customers. But what about the ethics? If you have 10 problems & the hacker writes up only 9 in the report.... 8^(

>-----------------------------------------------------------------------------
>Paul D. Robertson "My statements in this message are personal opinions
>proberts@clark.net which may have no basis whatsoever in fact."
> PSB#9280

Thanks again for your mail & the thought-provoking points you raised.

Best Regards,

Frank

The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc.

Fortified Networks, Inc. - http://www.fortified.com/
Expert (vendor-neutral) Computer and Network Security Consulting
Phone: (317) 573-0800 Fax: (317) 573-0817

From owner-firewalls-outgoing Sat Sep 6 07:47:37 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id QAA23565 for firewalls-outgoing; Thu, 4 Sep 1997 16:20:11 -0700 (PDT)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-970824-1) id QAA23453 for firewalls@greatcircle.com; Thu, 4 Sep 1997 16:19:46 -0700 (PDT)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with SMTP id TAA11921 for ; Sun, 31 Aug 1997 19:43:07 -0700 (PDT)
Received: from pm4-15.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA14170; Sun, 31 Aug 97 21:44:53 -0400
Message-Id: <3.0.3.32.19970831214255.006a8f64@in.net>
X-Sender: frankw@in.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Sun, 31 Aug 1997 21:42:55 -0500
To: "Paul D. Robertson"
From: Frank Willoughby
Subject: Re: Remote Firewall Penetration Testing
Cc: firewalls@GreatCircle.com
In-Reply-To:
References: <3.0.3.32.19970831174640.006bc728@in.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 08:01 PM 8/31/97 -0400, Paul D. Robertson wrote:
>On Sun, 31 Aug 1997, Frank Willoughby wrote:
>
>> o The DMZ is just one leg of the firewall. A Firewall Penetration
>> Test should be performed on each interface of the firewall.
>
>That depends on the security policy more than anything. Some places
>allow all outbound traffic, and therefore, only concern themselves with
>inbound results.

I disagree. Testing on the inside simulates attacks that disgruntled employees could make on the firewall - including trying to log into the firewall using valid Username/Password combinations, Denial-of-Service attacks, etc. Internal employees with an axe to grind would love to seize control of the firewall, reconfigure the rules to allow all inbound traffic & then post the info to a local (or global) hacker site as a worthwhile site to crack.

>> o Depending on how the firewall's rules are set up, a set of exposures
>> from the DMZ may be different than that of the firewall's external
>> (Internet side) interface.
>
>DMZ = Internet side, or it's not a DMZ, it's a protected segment, no
>matter how public, private or little protection.

Your definition of a DMZ is different than the definition I am familiar with & is the same definition which is shared by other InfoSec colleagues. FWIW, interestingly enough, I double-checked and also found references made by other people who use your definition. To me a DMZ is neither Inside nor Outside - it's sort of a network no-man's land. A DMZ on the Internet places it on the Outside.
Here's an example of what I mean:

-----------------+------------ (Internet network)
                 |
              Router
                 |
             Firewall---------Web/FTP Server on DMZ
                 |
              Router
                 |
-----------------+------------ (Internal network)

>> Perhaps, but let's look at the possibilities:
>> o If you are using the User->Firewall encryption or even the
>> Firewall->Firewall encryption, and running the tools from your
>> remote system to the firewall, then your test results may not
>> be accurate. Some firewalls will pass encrypted sessions thru
>> the firewall (tunneling) as it trusts the remote party.
>
>I doubt you'd want to do encryption to the host you're testing. That
>certainly skews the results.

Granted. But isn't this what you proposed? If not, could you elaborate on your suggestion with the encrypted tunnel?

>> o If you wish, you can establish an encrypted tunnel to a system which
>> the customer provides. The customer would then place the system on
>> the outside and inside of the firewall. The problem here, is that you
>> are expecting the customer to correctly install the system. They may
>> indeed have this competence. But the problem is that *you* didn't set
>> it up. Something may be misconfigured or may not work well enough for
>> you to achieve accurate results. Also, how do you validate something
>> you haven't seen yourself?
>
>1 CD ROM, shipped to the customer.

This doesn't solve the problem of the customer or the shipping agent having access to the tools, nor does it assure that the environment on the CD will actually work on the customer's system environment. Many firewalls & NIC cards won't work in certain environments. Pentium CPU or clone? Will the NIC cards work in the Master and Slave PCI slots or just the Master PCI slot? These are a few items which make a difference and which could keep a firewall or attack system from functioning properly. I have run into too many of these things to take a hardware configuration for granted.
>> o You could send an attack system to the customer (@ $400-500 to ship)
>
>CDs are much cheaper to ship than systems, and on-site work in our area
>costs a lot due to high hotel fees which would negate your advantage
>pretty quickly.

However, I would counter that our prices (including on-site service) are probably less than others who are performing remote testing. YMMV, but I find it unlikely that you'll find a seasoned ISO who will do it for less than we do. Our costs are less, so your costs are less.

>> Using part of a test in your reports for which you have no verification
>> could taint the results. How do you know your attack system is correctly
>
>By the results. If you're on the same segment, you can check the ARP
>cache on the remote endpoint of the tunnel, other than that, all of the
>packets will come back through the tunnel, so you can use the same
>results. How do you *know* a switch port isn't VPNing you somewhere if
>you're on-site? I can probably fool you as much in person as I can
>remotely if we're not using just your hardware, and if we were, then
>you're not auditing the complete setup, no? Any results can be tainted,
>being there doesn't necessarily remove that possibility. Do you always
>signal-test both ends of every cable when you're on-site? Do you
>checksum switch and router software? There's a million ways a corrupt
>admin or already compromised site can skew a test, if you're looking for
>absolutes, then you're probably going to get very frustrated.

Which is why I prefer to do due diligence and to be onsite during testing. I'll be able to check very precious little if I were to test off-site.

>> Since we have no physical control over the system (during shipping and
>> while onsite), there is also the possibility that the tools may be copied
>> and used for unintended purposes (raising potential legal liability issues)
>> or be used against the customer (if the attack system is stolen during
>> shipping).
>
>If your contracts aren't already protecting you from that, you're in need
>of a *lot* of help.

Of course, our contracts protect us. Our contracts are written by experts in corporate contract law. Consequently, our liabilities are pretty close to zero. However, no matter what the paper says, it is my understanding that *no* contract will protect a company against incompetence or gross negligence. Doing less than full testing could potentially be perceived as not doing an adequate job. If I saw a potential problem and chose to ignore it, then the potential for legal liabilities exists - no matter what the paper says.

>> Actually, we do test flood protections. Dialup connections won't give
>
>Flood protection can be tested with spoofed source addresses, so the
>issue there is pretty moot. Most flood attacks have that signature
>anyway, and if you're not doing that, then you aren't fully testing the
>robustness of the stack, since multiple source addresses are a lot more
>resource grabbing than packets from a single address.

Of course we test the stack. Also, how are you going to test bandwidth problems over a 28K or 56K line when the customer has a T3? Suppose you are running a test which opens & closes ports very quickly. At low speeds such as 56K, the firewall will run the test just fine, but when connected to the firewall, this has resulted in Denial-of-Service attacks on some firewalls which would return control to the firewall when I aborted the test. Available bandwidth really does make a difference.

>> Good point. But OTOH, we don't need to add fuel to the fire either.
>> As InfoSec consultants, we need to be discreet. Testing across the
>> Internet isn't very discreet.
>
>If it's a target, it's a target, and there's not a lot of difference
>between a test and an attack, so I'm unsure how much that raises the bar.
>Packets don't necessarily scream "I'm not a new VPN application", or
>"This is a good-guy test, not a bad-guy probe".
But they can identify that a test is in progress (Courtney et al). Obviously, different attacks have different signatures. I am not going to advertise to the world that a customer has a firewall which electronically emulates a sieve.

>> Assuming they are running one of the popular scanners, the report will
>> be finished in @15 minutes. When we do the testing onsite, the customer
>> is there with us and sees the results in real time. Once the firewall
>> passes the tests, only *then* will the firewall be put on line.
>
>That's only useful in situations where the firewall isn't already up.
>I'd hazard to guess that in most cases it's more useful to be able to do
>recurring audits than preliminary work. I also would have guessed that a
>consultant would want that business more than the one-time stuff.

This is a very big planet and most of the companies have serious security problems. Recurring audits of an entire corporation or the MIS Dept. are one area of business (in which we also excel - implementing high levels of InfoSec is another). A customer will *always* have the requirement for an independent 3rd party to perform an audit. There are so many corporations that have so many problems that they are ill-equipped to solve, we're not hurting for work.

o Internet Security & Firewalls
o O/S Security
o Network Security
o InfoSec Policies, Procedures, Standards, & Guidelines
o CPDR (Contingency Planning / Disaster Recovery)
o Implementing High levels of InfoSec which are user-friendly & virtually non-intrusive to business operations
o Etc., etc.

More importantly, I have another agenda. I didn't set up Fortified Networks to get rich overnight. I set it up because I saw (and am still bothered by the fact) that most corporations are defenseless and can be taken out extremely easily. Further, most have a rudimentary grasp of the fundamentals of physical security (locks on doors), but aren't up to a network or O/S audit. Corporations aren't practicing safe computing.
Also, I learned from a master in the field. Where is the greater good achieved? Putting my skills to work for one company? Or helping as many companies as possible get their act together? (Particularly when they are so vulnerable?) If I were to work for one company, once they are up to speed & have achieved consistently high levels of InfoSec which don't impede business ops, where do you go from there? I like helping people & I like solving problems & turning companies' security around to where it should be instead of nonexistent as it currently is.

Part of my motivation comes from a time when I was an ISO for an overseas subsidiary of a high-tech company. While there, I was called in to perform an investigation for a company, & other assignments. There is no joy in wading through several GB of data - particularly when the problem is preventable. While at the overseas subsidiary, I achieved and sustained the highest level of measurable InfoSec of any country in the world - month after month for over 4 *years*. We withstood a number of hacker attacks with zero penetrations (X25 sweeps, dialups, etc.). I was pretty shaken by what I saw at the customer site and was unaware that other companies had close to non-existent security.

After I left the high-tech company, I went to work for another company. That company had abysmal security and I did what I could for them. When it became apparent that they just wanted to go through the motions without actually doing anything, I left them to start Fortified Networks and help those who really need help and want it. I don't know, but it rubs me the wrong way when I see that a multi-billion dollar company can be peeled like a grape in a very short period of time.

I also enjoy helping people. I particularly enjoy walking into a corporation which is a disaster waiting to happen. When I leave, they are on the right track and frequently, many suggestions will have been implemented before the project was finished.
It kind of makes the long hours worthwhile. Anyway, the above is what makes me tick. YMMV.

>> >And mostly moot, the majority of connections are small enough that they
>> >can be flooded further back in the path, smurf.c is a prime example of
>> >that working at provider's peering routers even.
>>
>> I disagree. The test is being performed against the firewall - not
>> the various and sundry components of the Internet over which the
>> customer has no control. The firewall *should* be capable of handling
>> the most prevalent attacks. Some problems are the result of inherent
>> design problems in TCP/IP and there is little the firewall vendors can
>> do to prevent these problems.
>
>But if it's based on a D-O-S attack, there's not a whole bunch of value
>to certifying the fact that the bastion isn't vulnerable if the next
>upstream hop is always vulnerable. In either case, the site is down and
>the attack succeeds. Vendors can address most of the flaws, and some
>have, others haven't.

What happens at the upstream hop is beyond the ability of the customer to control. I have a contract with the customer - not the upstream provider.

>> But the company may not *yet* be under attack. Remote testing draws
>> unnecessary attention to the customer's firewall and may provide the
>> attacker with some information which they ordinarily wouldn't receive.
>
>Which, if it's done to fix the problems should be moot fairly quickly.

Actually, the company will be vulnerable during the time between when the attack is initiated and the corrective measures have been implemented.

>Also, it shows that someone is watching packets into and out of the
>network, and most of the bad guys probably don't want to go near a
>network that probably has a sniffer sitting there logging the evidence,
>along with someone who knows how to interpret it analyzing the results.

Depends on who you are up against.
Some don't care, because they will be gone in a couple of days anyway, or they may have been hopping countries to get to the attack site. We can't track attackers as fast as they can build connections.

>> >On-site gives you physical access, and if I'm not auditing physical
>> >access, then I may require that you do the penetration testing remotely.
>>
>> That's OK. We either do it right, or not at all (& we don't charge
>> extra for doing it right). 8^) I'm not going to sign off that
>> something is secure unless I have verified it myself.
>>
>> Regarding physical access... you could have a bullet-proof firewall
>> which is correctly configured and have a rock-solid network security
>> design. However, if the firewall is sitting in an open area and
>> someone reconfigures the firewall to pass all services (perhaps
>> because someone forgot to use a screensaver) or someone *steals*
>> the firewall, then the firewall was never properly secured IMO.
>> I'm not about to walk into that landmine.
>
>By the same token, if the firewall is in a secure area, I may not want
>short-term consultants in that area. For all I know, you're bringing in
>stuff to grab signals off of the *other* sensitive equipment in that
>area, leaving diskettes in the servers, and all kinds of dastardly things
>that even complete diligence on the part of the escort won't turn up.

Which is why I advocate that the consultants should always be escorted so that the customer can see what is going on. Also, for those who are really paranoid, during the contract negotiations, you can insist that the consultant appear onsite and that the hard drive will be crypto-erased or destroyed before the consultant leaves. You don't have that kind of control when the consultant is attacking remotely.

>> Another thing is to check references (customers & character). Just
>> keep in mind that hackers who have set themselves up as consultants
>> will also have customers. But what about the ethics?
>> If you have
>> 10 problems & the hacker writes up only 9 in the report.... 8^(
>
>References are very hard to check in this industry unless someone has a
>specific well-known name, which may be the opposite of the requirements
>of their last employer. There's no central registry of folks who used
>to do good stuff for [pick an agency that needs good stuff]. A company
>*can't* say why a former employee was terminated without the threat of rather
>large lawsuits, and even the government, with its vast background-checking
>resources misses things during SBI and EBI investigations, so a couple of
>phone calls aren't much assurance.

Again, security isn't 100%. However, even someone who is very paranoid will like our references.

>In an industry where it's very
>difficult to hire your own resources (not to mention expensive),
>outsourcing should be looked at with even more paranoia than normal.

I agree 100%

Last, but not least. I will not put Fortified Networks nor the customer at risk in doing remote testing until I can find a way to do it *securely* without sacrificing quality or accuracy. So far I haven't seen it. I would like to hear more about your proposed solutions (or alternatives), though.

In any event, I have to do what I think is right for the customer and for Fortified Networks. I chose the high road and will only perform testing locally for the reasons I have specified, and so far, I haven't seen anything which would dissuade me. Perhaps I will lose business because I won't do remote testing. Some customers wanted us to test their firewall remotely. When we explained why we won't test remotely, they understood and agreed with us. If a potential customer insists on a requirement to test remotely, we'll wish them well and turn the project down. I am sure that there will be someone who will take their money, but it won't be us.

The postings made by you and Russ are always thought-provoking and I enjoy reading them. We often agree and sometimes we disagree.
It appears that this is one of those times. But, that's OK, we all have our own opinions. I'm doing what I feel is right for Fortified Networks & our customers and you are doing what you feel is right for you & your organization. I don't have a problem with that.

Thanks again for your posting.

>Regards,
>
>Paul
>-----------------------------------------------------------------------------
>Paul D. Robertson "My statements in this message are personal opinions
>proberts@clark.net which may have no basis whatsoever in fact."

Best Regards,

Frank

PS - FWIW, I'll be on the road for the next couple of days & won't have time to respond to replies on this thread until I get back.

The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc.

Fortified Networks, Inc. - http://www.fortified.com/
Expert (vendor-neutral) Computer and Network Security Consulting
Phone: (317) 573-0800 Fax: (317) 573-0817

From owner-firewalls-outgoing Sat Sep 6 08:47:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id IAA25428 for firewalls-outgoing; Sat, 6 Sep 1997 08:02:06 -0700 (PDT)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id IAA25322 for ; Sat, 6 Sep 1997 08:01:46 -0700 (PDT)
Message-Id: <199709061501.IAA25322@honor.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA196178376; Sun, 7 Sep 1997 01:06:16 +1000
From: Darren Reed
Subject: Re: adding payload examination to ipfilter/ipfw
To: jk@stallion.ee (Jyri Kaljundi)
Date: Sun, 7 Sep 1997 01:06:16 +1000 (EST)
Cc: ipfilter@coombs.anu.edu.au, Firewalls@GreatCircle.COM
In-Reply-To: from "Jyri Kaljundi" at Sep 5, 97 07:16:12 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail I received from Jyri Kaljundi, sie wrote
[...]
> How hard would it be to add some payload examination capabilities to free
> firewalls/packet filters like the ipfilter/ipfw code? What I would like to
> see is something similar to Check Point FireWall-1 INSPECT language, where
> you can change the rules on the fly, depending on some changing variables.

What do you mean by "change the rules on the fly" ?

[...]
> IPfilter is a great piece of software, but it only works at the network
> layer. A capability of switching to application layer now and then would
> be just great, and for that what we need is code or scripting language to
> define easily our own smart filters. So people who are more familiar with
> ipfilter, how hard would it be to do that?

If you really want to do this, you should set up rules the same as is required for transparent proxying. Sure, you don't get the entire packet at your application, BUT, you do get a real TCP stream or a complete UDP packet, courtesy of the kernel which has put all the pieces back together for you. So, when your application proxy gets the data from the local end of the connection, it knows it is all in sequence, etc.

Short of putting hooks in the OS to directly support this sort of thing, correctly doing the above in the kernel (almost) requires implementing TCP a second time, just for this. It _may be_ possible to avoid this with STREAMS, but if so, I would have thought FW-1 would have gone this path and they haven't.
Darren

From owner-firewalls-outgoing Sat Sep 6 09:19:29 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id SAA10973 for firewalls-outgoing; Thu, 4 Sep 1997 18:00:33 -0700 (PDT)
Received: from ivy.tc.pw.com (ivy.tc.pw.com [131.209.1.4]) by honor.greatcircle.com (8.8.5/Honor-970824-1) with ESMTP id SAA10849 for ; Thu, 4 Sep 1997 18:00:10 -0700 (PDT)
From: Pio_Gaeta@europe.notes.pw.com
Received: by ivy.tc.pw.com; id SAA20592; Thu, 4 Sep 1997 18:33:13 -0700 (PDT)
Received: from cactus.tc.pw.com(131.209.7.48) by ivy.tc.pw.com via smap (3.2) id xma020281; Thu, 4 Sep 97 18:31:35 -0700
Received: (from root@localhost) by cactus.tc.pw.com (8.8.4/8.7.3) id SAA26029 for firewalls@GreatCircle.COM; Thu, 4 Sep 1997 18:22:48 -0700 (PDT)
Message-Id: <199709050122.SAA26029@cactus.tc.pw.com>
To: firewalls@GreatCircle.COM
Date: Thu, 4 Sep 97 15:08:14 +0100
Subject: RE: Anti SPAM SENDMAIL
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I found your tips very useful!

Many thanks to everybody

Pio

----------------------------------
Pio Gaeta
Information System Risk Management
Price Waterhouse
Rome - Italy

From owner-firewalls-outgoing Sat Sep 6 09:27:13 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970308-1) id GAA06848 for firewalls-outgoing; Sat, 6 Sep 1997 06:48:52 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycro