From owner-firewalls-list Sat Nov 1 15:29:59 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA09228; Sat, 1 Nov 1997 14:18:15 -0800 (PST)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id OAA09056 for ; Sat, 1 Nov 1997 14:17:44 -0800 (PST)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id MAA21538; Sat, 1 Nov 1997 12:01:24 -0500
Date: Sat, 1 Nov 1997 12:01:21 -0500 (EST)
From: Rabid Wombat
To: Miles Lott
cc: "'firewalls@GreatCircle.COM'"
Subject: RE: Advertisement: "Fish Lovers Only"
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It wasn't spam, it was a stego'd invitation to Lucky Green's Halloween party. Everybody spawn ...

On Tue, 28 Oct 1997, Miles Lott wrote:

> What's with all the spam on this list?
>
>

From owner-firewalls-list Sat Nov 1 15:44:25 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA09215; Sat, 1 Nov 1997 14:18:12 -0800 (PST)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id OAA09047 for ; Sat, 1 Nov 1997 14:17:43 -0800 (PST)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id MAA21584; Sat, 1 Nov 1997 12:34:37 -0500
Date: Sat, 1 Nov 1997 12:34:33 -0500 (EST)
From: Rabid Wombat
To: Arthur Young
cc: Christopher Hornor , "firewalls@GreatCircle.COM"
Subject: RE: (no subject)
In-Reply-To: <01BCE388.EF23F5E0@ahy@ziplink.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Yes. The infamous Marcus Ranum moved the implementation into hardware several years ago to improve speed.

On Tue, 28 Oct 1997, Arthur Young wrote:

> Isn't that hardware?
>
> -----Original Message-----
> From: Rabid Wombat [SMTP:wombat@mcfeely.bsfs.org]
> Sent: Tuesday, October 28, 1997 9:24 PM
> To: Christopher Hornor
> Cc: firewalls@GreatCircle.COM
> Subject: Re: (no subject)
>
>
> Purchase honorable wirecutters. Implement between router and csu/dsu.
>
> On Tue, 28 Oct 1997, Christopher Hornor wrote:
>
> > I am looking for information regarding your most powerful firewall and
> > filter software .
> > do you have any suggestions ?? If possible in Japanese.
> >
> > Thank you,
> > Chris Hornor
> >
> >

From owner-firewalls-list Sat Nov 1 16:45:16 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA07045; Sat, 1 Nov 1997 16:39:39 -0800 (PST)
Received: from sensible.instinctive.com ([209.48.136.141]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id QAA07014 for ; Sat, 1 Nov 1997 16:39:25 -0800 (PST)
Received: (qmail 8010 invoked by uid 0); 2 Nov 1997 00:37:33 -0000
Received: from unknown (HELO dietcoke) (unknown) by unknown with SMTP; 2 Nov 1997 00:37:33 -0000
Message-Id: <3.0.3.32.19971101194043.00b7e7b0@sensible.instinctive.com>
X-Sender: gregh@sensible.instinctive.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Sat, 01 Nov 1997 19:40:43 -0500
To: firewalls@GreatCircle.COM
From: Greg Haverkamp
Subject: Re: sex,lies, and application proxy based fw vs Check Point
In-Reply-To:
References: <"Your message with ID"
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Gary R. Wolfe responded to Paul Robertson (11:41 AM 10/31/97 -0700):

>> Actually 'Out Of Band', which is a perfectly well-defined packet which
>> should be, if defined in the application layer protocol, processed
>> immediately (hence out of band), rather than in the order it was received
>> in the TCP stream. OOB data is indicated by the URG flag set in the
>> packet.
>> As Darren has pointed out, the applications programmer of an
>> application receiving OOB data must specifically ask to receive such
>> data. It's important to understand that this is a perfectly
>> legitimate, well-defined TCP packet which was being handled incorrectly by
>> Microsoft's TCP implementations. Hence my assertion that packet filters
>> (with or without state) don't protect from Internetwork or lower
>> transport layer problems that they don't know about.
>>
>Paul,
> are you saying that a proxy will not pass this flag through? It will reset
>the URG flag? What if the application needs that flag for proper operation?

I believe he's saying what has been central to his point all along: 1) an application gateway will "pass" only what is needed by the application in question; meanwhile, 2) a typical SPF will pass whatever it doesn't know to be bad.

The key to the above lies in the use of "pass." An application gateway will (should) look at the data coming from side A and, using knowledge of the application in question, rebuild that data on side B based on the data from side A. The only time an URG flag should be set is if the application gateway knows that URG flags are to be passed from side A to side B. Otherwise, it won't make it across, because the application gateway doesn't copy the packet, it builds it.

On the other hand, unless an SPF knows about the URG flag being a bad thing for an application, it will tend to pass the packet along. Or, as an alternative, it would have to block all URG flags unless it knew that they were valid for a particular application.

Hope I didn't put any incorrect words in anyone's mouth.
Greg

From owner-firewalls-list Sat Nov 1 21:29:39 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA09465; Sat, 1 Nov 1997 20:55:01 -0800 (PST)
Received: from ns.ntadvice.com (ns.ntadvice.com [207.176.151.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id UAA09409 for ; Sat, 1 Nov 1997 20:54:46 -0800 (PST)
Received: by ns.ntadvice.com with Internet Mail Service (5.5.1939.0) id ; Sat, 1 Nov 1997 10:29:32 -0500
Message-ID: <61B80F9FF411D1118DEF0000E8D5C66705552C@ns.ntadvice.com>
From: Russ
To: firewalls@GreatCircle.COM
Cc: "'TIS - Avolio, Fred'" , "'Darden, Frank'"
Subject: RE: sex,lies, and application proxy based fw vs Check Point
Date: Sat, 1 Nov 1997 10:29:31 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1939.0)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

IMO, TIS are extremely concerned, now that they are a public corporation, with the marketing perception of AGs. The fact that two SPF vendors are equaling their shipped boxes figures must have a significant impact on their expected projections. Fred Avolio has combined valuable information with marketing specific rhetoric in an attempt to refocus potential customer attention on what should be a very important decision.

I have mixed feelings about the method, but the decision is important enough to warrant ardent discussion. I fail to understand why most security professionals don't appreciate this in a similar fashion.

It's extremely expensive, and very difficult, to prove that one implemented Firewall is "better" than another implemented Firewall, in the same facility. Recreating the test traffic to obtain a valid comparison, while ensuring that the traffic is "real-world" to the customer's regular traffic, normally prevents such comparisons. Therefore, the marketing of SPF vs. AG must come down to "religious" issues for most customers.

If TIS, the leading AG vendor, did not offer some sound bites that will win customers, their resellers would likely do it for them. Better to lead than to follow, I always say. CP is equally culpable in such activities, as are most vendors.

I think Frank made a valid point, originally, when he said that this was a new tack for TIS, and one he didn't appreciate (regardless of his motives). TIS has always led by action, not words, but in today's market this has clearly not been enough. Ideally, I too would have preferred to see them stay out of this sort of marketing, but clearly business dictates otherwise.

If, as security professionals, you don't appreciate the marketing battle that's been going on for the last 2 or 3 years, I'd suggest you're missing something. SPF vs. AG gives customers a basis to describe their general needs, and a way to ascribe their policies and beliefs. Understanding how an MIS manager views security (vis-a-vis SPF vs. AG) allows us to move more quickly to determine how to secure it (by being able to talk in their terms). Understanding, fully, all "generations" of Firewalls is essential, just as essential as understanding perceptions about those "generations".

In the final analysis, I suspect the document wasn't intended to "prove" anything, merely add food for thought in the never-ending "how" discussion. It will certainly be interesting should Fred decide to provide us with insight into demonstrating some of his claims (both pro and con). Particularly with the introduction of network appliances and the onslaught of encryption.

Cheers,
Russ
R.C. Consulting, Inc.
- NT/Internet Security

From owner-firewalls-list Sat Nov 1 21:44:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA17417; Sat, 1 Nov 1997 21:31:14 -0800 (PST)
Received: from fw4.tns.co.za (fw4.tns.co.za [196.4.160.32]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id VAA17374 for ; Sat, 1 Nov 1997 21:31:02 -0800 (PST)
Received: by fw4.tns.co.za; id HAA01597; Sun, 2 Nov 1997 07:30:35 +0200 (SAT)
Message-Id: <199711020530.HAA01597@fw4.tns.co.za>
Received: from unknown(89.1.0.48) by fw4.tns.co.za via smap (V3.1.1) id xma001594; Sun, 2 Nov 97 07:30:27 +0200
From: "Billy Verreynne"
To:
Subject: Re: Linux et al PFs
Date: Sat, 1 Nov 1997 11:25:09 -0000
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> john wrote:
>
> I couldn't agree with you more in that respect- Linux will definitely
> outperform NT, both in speed, reliability, and the amount of users it can
> serve. The only applications we use NT for is custom stuff- and only
> because we have to. Anything serious is done from the UN*X spectrum.

Off topic, but anyway. This is absolute bull. It's like saying that you need to have a 16" dick to satisfy a woman. Crap.

When talking about who can outperform who, get the facts right. What platform - RISC or CISC, single CPU, SMP or even clusters? What service(s) is/are being compared? Are the service(s) from the same vendor (i.e. how good is the code)? Are the network architectures the same? (i.e. same topology, same number of segments etc.). What network cards are being used and what are the driver versions? How many users are being served? Are the same clients used? What is used as the baseline for the comparison and what is compared and why? etc etc.

So some people have a hard on for BSD, others for Linux, NT or even OS/2.
So what. I prefer Burger King to McDonalds. But to simply say that anything serious is done on Unix belongs in alt.urban.legends.

regards,
Billy

From owner-firewalls-list Sat Nov 1 23:14:08 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA04849; Sat, 1 Nov 1997 22:59:01 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id WAA04787 for ; Sat, 1 Nov 1997 22:58:47 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id BAA14486; Sun, 2 Nov 1997 01:56:17 -0500 (EST)
From: Adam Shostack
Message-Id: <199711020656.BAA14486@homeport.org>
Subject: Re: Obtaining an Export License
In-Reply-To: <199710311656.LAA13095@panix2.panix.com> from Information Security at "Oct 31, 97 11:56:46 am"
To: guy@panix.com (Information Security)
Date: Sun, 2 Nov 1997 01:56:16 -0500 (EST)
Cc: firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

PKZIP's encryption methods are not secure. The fact that they use 96 bit keys is irrelevant. See the sci.crypt archives and the RISKS archives:

http://catless.ncl.ac.uk/Risks/16.39.html
http://infinity.nus.sg/cypherpunks/dir.archive-95.11.22-95.11.28/0096.html

Because the US regulations are designed to limit the spread of crypto by fear, uncertainty, and doubt, I'll suggest that the fact that the key is 96 bits probably makes zip unexportable.

I suggest PGP, which can be found outside the US, and implements zip compression as part of its encryption. I've been using PGP as a general purpose compression/ascii encoder for a while.

Adam

Information Security wrote:
| > From owner-firewalls-list@GreatCircle.COM Fri Oct 31 10:34:51 1997
| >
| > >How does one go about obtaining an Export License for a given encryption
| > >software? We have offices in the U.S. and Malaysia where we need to use
| > >96-bit pkzip software (customer requirement).
|
| Wouldn't you be better off locating an outside-of-the-USA site
| for the software, and importing it?
|
| ---guy
|

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From owner-firewalls-list Sun Nov 2 05:29:05 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA03518; Sun, 2 Nov 1997 05:27:51 -0800 (PST)
Received: from panix2.panix.com (panix2.panix.com [198.7.0.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA03511 for ; Sun, 2 Nov 1997 05:27:46 -0800 (PST)
Received: (from guy@localhost) by panix2.panix.com (8.8.5/8.7/PanixU1.3) id IAA04079; Sun, 2 Nov 1997 08:28:46 -0500 (EST)
Date: Sun, 2 Nov 1997 08:28:46 -0500 (EST)
From: Information Security
Message-Id: <199711021328.IAA04079@panix2.panix.com>
To: firewalls@greatcircle.com
Subject: Re: Altavista SMTPin bungling?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From owner-firewalls-list@GreatCircle.COM Sat Nov 1 22:07:06 1997
>
> Hi (first post!)
>
> I've been reading your stuff for a while - and it looks like you are the
> people to send this to.
>
> We are looking at a scenario where we might open an alternative route to
> the backoffice SMTP server for an exclusively trusted host, as we aren't
> too happy with the Altavista FW's handling of SMTPin. We seem to have
> 'lost' a lot of mail.

No reverse DNS lookups should be used for SMTP: it violates the RFC to require the 'From' to be authenticated. (Anyone remember Chuck Yerkes saying this many moons ago?)

Just use IP addresses or unauthenticated 'From' for any filtering/blocking.
---guy

From owner-firewalls-list Sun Nov 2 06:29:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA08371; Sun, 2 Nov 1997 06:19:57 -0800 (PST)
Received: from xfrsparc.tic.com ([206.225.55.37]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA08344 for ; Sun, 2 Nov 1997 06:19:48 -0800 (PST)
Received: from casa-pc.tic.com by xfrsparc.tic.com (8.8.5/xfrsparc.1.3) id IAA03375; Sun, 2 Nov 1997 08:18:57 -0600 (CST)
Received: from localhost by casa-pc.tic.com (8.8.6/sub.1.6) id IAA00846; Sun, 2 Nov 1997 08:18:57 -0600
Message-Id: <199711021418.IAA00846@casa-pc.tic.com>
To: firewalls@greatcircle.com
Subject: Re: sex,lies, and application proxy based fw vs Check Point
In-reply-to: Your message of "Sat, 01 Nov 1997 10:29:31 EST." <61B80F9FF411D1118DEF0000E8D5C66705552C@ns.ntadvice.com>
Date: Sun, 02 Nov 1997 08:18:56 -0600
From: Smoot Carl-Mitchell
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've been following this discussion with some interest and have been quiet up to this point in time. I have set up both TIS's Gauntlet and Checkpoint's Firewall-1 for clients. So I've had real world experience with both.

The discussion about which method (AGs or SPF) is interesting, but not particularly relevant in today's networking market. When Firewall-1 first came out, I got an evaluation copy from Sun. I never used it because it looked like just another packet filter with a flashy user interface. I could do much the same thing with any good filtering router. In fairness FW-1 has added a number of features to the basic package which give it similar functionality to an AG. I personally find AGs conceptually easier to understand, but that is because of my background and experience with them.

I did completely miss the point of what FW-1 was all about. It sold, I believe, because it had that GUI. As an old networking pro, I hated GUIs because they limited what I could do.

I later learned that FW-1 does have an underlying linear language, so the GUI just adds flash to the basic package. However, that flash, I believe, is an important marketing tool. I've come to believe that GUIs are really designed for the purchasing managers and not for the technical people that need to use an actual product. A GUI is basically packaging. They usually do not add any functionality to a package, but any good marketing person will tell you that flash sells, almost regardless of the underlying technology. I call this principle the triumph of marketing over technology.

Before I get roasted by the Checkpoint folks, I do believe they have some good underlying technology. Whether SPF is better technology than AG is debatable. However, Checkpoint did understand marketing and they shipped their product with a flashy GUI for marketing purposes. It evidently worked. They should be congratulated for understanding why products sell.

Smoot Carl-Mitchell
Texas Internet Consulting
2836 San Gabriel
Austin, TX 78705
+1 512 477-3320

From owner-firewalls-list Sun Nov 2 07:29:19 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA14219; Sun, 2 Nov 1997 07:19:57 -0800 (PST)
Received: from ns.ntadvice.com (ns.ntadvice.com [207.176.151.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA14212 for ; Sun, 2 Nov 1997 07:19:51 -0800 (PST)
Received: by ns.ntadvice.com with Internet Mail Service (5.5.1939.0) id ; Sun, 2 Nov 1997 10:19:35 -0500
Message-ID: <61B80F9FF411D1118DEF0000E8D5C667055537@ns.ntadvice.com>
From: Russ
To: "'Tim Lebrun'" , firewalls@GreatCircle.COM, ntsecurity@iss.net
Subject: RE: PPTP configuration
Date: Sun, 2 Nov 1997 10:19:34 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1939.0)
Content-Type: text/plain; charset="iso-8859-1"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>So we have a T1 internet connection run which (from the outside)
>first, goes through a Cisco 7000
>router, then through a Gauntlet
>firewall, and then the users get logged on to a NT Ras server
>using PPTP. And from there the users can go and do anything
>on the network, ie: Mail, Novell, Tn3270, Telnet.

First let me say that my position on PPTP has changed, as you'll likely notice from the message below.

You will have a couple of problems with this configuration.

1. There is no way within NT or via PPTP to force the users to use NT boxes as their clients.

2. Only NT-NT communications can be forced to *not* use LanMan hashes for their passwords.

3. PPTP uses the OWF hash of the password as the shared key for encrypting the PPTP session. This information is sent at the session setup of every PPTP connection.

4. When the OWF hash is based on the *LanMan* hash of the password, it is extremely weak and subject to brute force decryption based on known, available, methods and tools.

5. The shared key, derived as per #3 above, is used *every* time a connection is established, and remains the same until the user changes their password. It is therefore long-lived (certainly lives much longer than a reasonable average of 3 days it might take to brute force the LanMan key space).

6. Given NT's TCP sequence predictability, hijacking a PPTP session based on a Win95 client (or an NT client *not* configured to *not* use LanMan) should be a straightforward process.

The bottom line, in my current opinion, is that the use of PPTP cannot be relied upon to be secure. While it may be possible to prevent a Win95 client from obtaining a successfully completed login to your PPTP server (say by forcing checks during the login script processing, mandatory profiles, etc...) there is no way to prevent them from trying to connect using a LanMan hash. As such, their passwords could be made available to hackers. Once captured, they could subsequently be used on NT clients to establish successful logins by hackers.

Security Dynamics have said that it is possible to use SecurID with PPTP. Even if this is done I am still not convinced it would be sufficient to overcome the issues.

1. If the SecurID token value is used as the client password in the steps listed above, then the session would be encrypted with an extremely weak value (known to be a number of a specific length). Real-time brute force would likely be possible (obviously depends on the length of the sessions). Trial-and-error over a period of time would likely yield at least one session hijack, then depending on whose session is captured...

2. Assuming that the SecurID token value is not used as the session encryption key, then the risks are still present for hijacking (since the session key would then be derived from the client password). IOWs, SecurID has not really added anything to the security of the solution.

3. Assuming that normal client authentication takes place first, then the SecurID authentication, then the session encrypted with the original client password hash, you still have the same problems.

The only viable solution would be for Security Dynamics to combine the SecurID token value with the client password hash (in some reasonable fashion) and then use this new value as the basis for the session encryption. If this is done, then the entire solution becomes very viable (IMO) and well worth investigating. Unfortunately I haven't asked Security Dynamics for these specifics, maybe someone from there can comment??

Finally, if you are in a situation where you can trust the clients to use NT (remember, you have no way to enforce this policy), then PPTP remains a valid mechanism IMO. The issues arise when you either: a) cannot trust the clients to use NT only, b) must use Win95 clients, c) do not have control over whether or not the NT clients have disabled LanMan hashes.
Cheers,
Russ

From owner-firewalls-list Sun Nov 2 07:44:14 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA14320; Sun, 2 Nov 1997 07:22:56 -0800 (PST)
Received: from relay1.shore.net (relay1.shore.net [192.233.85.129]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA14313 for ; Sun, 2 Nov 1997 07:22:41 -0800 (PST)
Received: from [198.115.179.81] (vin.shore.net [198.115.179.81]) by relay1.shore.net (8.8.7/8.8.7) with ESMTP id KAA17982; Sun, 2 Nov 1997 10:22:12 -0500 (EST)
Message-Id:
In-Reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 2 Nov 1997 04:20:14 -0500
To: Firewalls@greatcircle.com
From: Vin McLellan
Subject: Re: FIREWALL: Encryption round up?
Cc: ,
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Doug Bridgens queried the FW Listocracy with a dangerously big and simple request:

>> Would some kind person please give a brief summary of where the IT
>> world is in terms of encryption methods? There seem to be lots of

Paul D. Robertson responded:

>All over the place. There are many good, and many bad products out there,
>it tends to be up to the user to evaluate which are which. General
>initiatives other than SSL tend to be not quite there yet.

All true, more or less -- but there are a couple of other ways of looking at this scene.

In the first place, crypto has become, and will become more so, the heartland of information security. And the heart of the heartland will always be dedicated hardware: chips and secured memory modules (which can offer relatively more speed, assurance, and stored-data integrity.) This is the allure of smartcards, for where the user meets the network, and special-purpose encryptors elsewhere, for high-speed and/or high-security environments.

Another guideline: in cryptography "old" (relatively speaking) is good. Americans from Missouri (the "show me" state) are famous for their hard-headed demand for real-world demonstrations rather than airy explanations. When it comes to crypto, all the pros, everywhere, are from Missouri.

All the noise about algorithms and key-lengths tends to obscure the fact that the really dangerous aspect of applied cryptography is in the actual implementation of a crypto system. Thus, implementation code which has held up (a) under widespread scrutiny and (b) in a wide variety of working systems will always be trusted more than any other crypto system (new or well-known) which can't match it on those two criteria.

In their respective categories, this is the huge advantage that reference implementations of DES (among the symmetric systems,) and RSA (among the asymmetric systems) hold over their often-impressive cryptographic competitors. Corporate compsec pros like those on this list will likely stay with DES (or 3DES, which sacrifices little or none of the credibility of 56-bit DES) long after apparently stronger and more flexible alternatives are available because they've come to trust the implementations they use. (And when they switch, it will be to something with a multi-year track record of widespread implementation.)

>> different types are they hardware/software and how do they actually work
>> in practice.

>Completely implementation dependent, normally based on the algorithm.

There are three categories of crypto tools: classic symmetric algorithms; asymmetric (public key) algorithms; and hashes (one-way functions.) You should go elsewhere to learn the basics of what they offer, and how different classes of algorithms (e.g., stream vs block ciphers) are structured to optimize various functions. (Today, I'd say that the choice between hw or sw is based on cost and the relative need for security/assurance or speed -- irrespective of the algorithm.)
The advent of corporate and national public key infrastructures (PKI) seems likely to introduce a major paradigm shift in the economics of Information Security. PKI -- and specifically, the mechanism of a digital signature -- will allow us to offer security as a productivity enhancer, rather than the costly pain in the ass that compsec and comsec have traditionally been.

Within the context of an X509 certificate-based PKI, contracts, purchase orders, administrative agreements can be exchanged and signed online. This is expected to offer significant efficiencies both within corporate bureaucracies and for trade among commercial entities which have had no previous contact with one another. The attractiveness of this model is such that there is an enormous drive to push it into praxis -- even before the logistics of key and certificate management and the relevant legal issues have been settled.

Here in the States, there are small to tiny Gnostic cults (Fortezza, PGP's D-H, Elliptic Curve) which are committed to non-RSA-based public key implementations, but -- as you've doubtless noted in Europe -- internationally, and in the US commercial world, RSA-based PK tech is almost universal. This is, in part, because stable RSA implementations have been in the field for 15 years; and, in part, due to the particular weight of de facto standardization in PKI. (Even within the US military -- as our DoD finally discovered with Fortezza -- when someone wants to place a PO for toilet paper or ball bearings, they want to be able to exchange digital signatures with someone other than other US military sites.)

>> Also I am based in Europe so does this mean I have better
>> (more secure) encryption tools to work with, as opposed to the US? If

>No, it simply means that you aren't allowed to use strong US developed
>tools. US laws are currently based on the export of strong encryption,
>not its creation.

Your non-American "encryption tools" are almost surely stronger, "more secure," than those which are currently allowed to be exported from the US -- but, for the commercial market, that is not really the issue.

Outside of PKI, there is not much of a market for crypto, per se. The demand is for crypto-enhanced functionality in various applications, utilities, or operating systems. US export control regulations effectively limit the strength of the crypto that can be shipped integrated into those products -- and often, US vendors still have no strong international competition for the products which provide the base functionality. (Products like Xpresso, Safe Passage, and Fortify are now available to inject or supplement the limited-strength crypto in American-made webservers or browsers, for example -- but the exception proves the rule. In most other categories of software, your options as a non-American seeking to buy _integrated_ strong crypto are probably limited.)

>> this is a bit too much to ask of the list then can someone point me to a
>> document that is current?
>
>Scneier's Applied Cryptography 2nd Ed. for protocols

That's Bruce Schneier:

>http://www.tis.com/docs/research/crypto/index.html for a fair product list
>
>sci.crypt for discussions
>

All good suggestions. I might also suggest you review the relevant IETF RFCs and the mailing lists of the various IETF Working Groups: The ISO or your own national standards group may have similar discussion groups.

Paul noted earlier that the user today is all but "on his own" in evaluating the quality of various cryptographic products. I suggest that users are well served if they stick by the recommendations of the various standards organizations with regard to algorithms and, to the extent possible, implementation guidelines.
Crypto standardization is highly political -- with both competitive and government pressures, sometimes bizarrely so -- but (key length issues aside) what emerges from these groups is likely to be comparatively solid on implementation.

The (American) National Computer Security Association has also recently developed consortiums of American and European crypto vendors which will attempt to certify crypto implementation code as meeting certain minimal standards. Such certification efforts have been quite controversial in firewalls, but it may be less so in crypto. If successful, this effort or others like it may help raise a threshold barrier against poor implementations.

I should also note that I've been a consultant to SDTI, the parent company for RSADSI (which holds a US-only patent on RSA public key cryptography) for many years.

I apologize to all for the discursive length.

Suerte,
_Vin

"Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill... yet basically an intellectual construct, an idea, which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege." _ A thinking man's Creed for Crypto/ vbm.

* Vin McLellan + The Privacy Guild +
* 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548

From owner-firewalls-list Sun Nov 2 08:14:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA20819; Sun, 2 Nov 1997 08:10:31 -0800 (PST)
Received: from gargoyle.clark.net (gargoyle.clark.net [168.143.0.250]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id IAA20726 for ; Sun, 2 Nov 1997 08:10:09 -0800 (PST)
Received: (qmail 482 invoked by uid 500); 2 Nov 1997 16:50:25 -0000
Date: Sun, 2 Nov 1997 11:50:25 -0500 (EST)
From: "Paul D. Robertson"
X-Sender: proberts@gargoyle
To: Russ
cc: firewalls@GreatCircle.COM, "'TIS - Avolio, Fred'" , "'Darden, Frank'"
Subject: RE: sex,lies, and application proxy based fw vs Check Point
In-Reply-To: <61B80F9FF411D1118DEF0000E8D5C66705552C@ns.ntadvice.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 1 Nov 1997, Russ wrote:

> IMO, TIS are extremely concerned, now that they are a public
> corporation, with the marketing perception of AGs. The fact that two SPF
> vendors are equaling their shipped boxes figures must have a significant
> impact on their expected projections. Fred Avolio has combined valuable
> information with marketing specific rhetoric in an attempt to refocus
> potential customer attention on what should be a very important
> decision.

Which is immaterial to the subsequent discussion of technical features which ensued.

> It's extremely expensive, and very difficult, to prove that one
> implemented Firewall is "better" than another implemented Firewall, in the
> same facility. Recreating the test traffic to obtain a valid comparison,
> while ensuring that the traffic is "real-world" to the customer's
> regular traffic, normally prevents such comparisons. Therefore, the
> marketing of SPF vs. AG must come down to "religious" issues for most
> customers.

Which doesn't mean that a number of people haven't done such tests. I think your predicates may hold true for 'most customers', but that different predicates, and resultant answers, should apply for security professionals. Just because you, or your customers, or your company (generically, not personally) can't do valid tests doesn't make valid tests any less relevant.

> I think Frank made a valid point, originally, when he said that this was
> a new tack for TIS, and one he didn't appreciate (regardless of his

Not very new, it was discussed quite some time ago on c.s.f.
> If, as security professionals, you don't appreciate the marketing battle
> that's been going on for the last 2 or 3 years, I'd suggest you're missing
> something. SPF vs. AG give customers a basis to describe their general

If, as security professionals, we don't take the time to learn each of the issues behind the technologies, and can't separate the marketing issues from the technological ones, then I'd suggest we'd be missing a bigger piece of the pie. I'm tasked with evaluating and implementing technologies, not marketing departments. That requires that I know to ask if a packet filter drops FO=1 packets, or if an application gateway MITMs SSL to pass it through an HTTP gateway, not if "hackers prefer xyzzy", or "Wunderwall is sold in K-Mart with a bottle opener."

> in their terms). Understanding, fully, all "generations" of Firewalls is
> essential, just as essential as understanding perceptions about those
> "generations".

Being able to understand and articulate the technologies is more important for those of us in the field. If one of my business units is trying to make a security decision based on perception, it's my job to go hit them with the clue hammer. That generally takes a day at the white board, regardless of which perception they're making the choice based on.

Calling them generations is IMO a misnomer, since I don't happen to believe that they are replacements for each other. They're different animals, they can and do interbreed into hybrids, but there are circumstances where one is more appropriate than the other for each case. I've got some problems with the way some application proxy vendors (including TIS) handle some protocols, as well as the way that packet filters handle them, but after the initial vendor bashing, this thread was about the technologies and we've only gone to implementations where it was necessary to prove or disprove a point.

For what it's worth, this thread has probably been the best overall discussion this list has had in about a year. I've put packet filters, application gateways, and hybrids into various places. I think I've got a good grasp of the technologies, as well as the implementations. I also have a good grasp of the business case and the particular threat models. While I'm aware of the marketing issues, I don't think they are relevant to the technical discussion which this bloomed into. I don't know why we're vectoring back to the marketing stuff here, since the first couple of notes pretty much covered that ground.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From owner-firewalls-list Sun Nov 2 09:29:06 1997
From: Russ
Date: Sun, 2 Nov 1997 12:24:51 -0500
To: "'Paul D. Robertson'"
Cc: firewalls@GreatCircle.COM, "'TIS - Avolio, Fred'", "'Darden, Frank'"
Subject: RE: sex,lies, and application proxy based fw vs Check Point

>Which is immaterial to the subsequent discussion of technical features
>which ensued.

I made my point specifically because the marketing aspects of the discussion were not, IMO, fully discussed.
Much of Fred's document attempts to persuade the reader about a particular technology based on marketing information, not solely on technology (quoting IDC for example). Denver Systems did this and everyone railed at them, but because Fred is Fred we should just bow our heads and forget marketing rhetoric? I didn't think so, hence my comments.

FWIW, I did send Fred, privately, my comments on how I thought his market-speak was ill-stated. An attempt to appease the trigger-happy flamers from repeating their inferno on me. Once Fred's replied, I'll happily restate them in public (see, that's the difference that Fred deserves vs. Denver Systems).

>Which doesn't mean that a number of people haven't done such tests. I
>think your predicates may hold true for 'most customers', but that
>different predicates, and resultant answers should apply for security
>professionals. Just because you, or your customers, or your company
>(generically, not personally) can't do valid tests doesn't make valid tests
>any less relevant.

I, my customers, and my company can do valid tests. While your parenthetic disclaimer "(generically, not personally)" may have been enough in your mind, the wording comes off sounding too much like a personal reproach for my liking.

I never said that the tests weren't valid, but no test results exist in the public realm that can reliably be used by anyone who chooses not to do the tests themselves (or cannot). Therefore no valid test results exist for the vast majority of customers wishing to implement Firewall solutions, hence my point that the marketing of the products/technology is a very large factor in the decision process.

An example of this is any test done in any magazine/publication; since the test criteria are not specific to the person reading the results, the results come down to being marketing material rather than valid technical data. Who cares, for example, how much traffic can be pumped through a FW if the traffic is not representative of your own traffic?

- What effect does, say, doubling the amount of SMTP traffic and halving the amount of HTTP traffic (in a given test mix) have on the overall performance of FWs? Obviously such changes are likely to have more impact on AGs than on SPFs, but who can say for sure?
- What about encrypted traffic? How does that affect the performance of the various boxes, or more complex protocols like NBT or even FTP? Do both technologies handle them equally well, and if not, what's the difference?
- If I run each Proxy in a different user context, how much of a performance hit do I see vs. using a single context for all Proxies?
- Does a FW-FW VPN create the same load as a Client-FW VPN?

The list goes on and on, and is very valid for all customers, but unless they do the tests themselves any reported values are near worthless (read: marketing information).

Since much of the rhetoric that is thrown around, both by the vendors and by the security professionals, is based solely on their own tests/experience, or a few controlled tests done by vendors, or generic tests done by publications, none of which that I've seen can be reliably used by anyone whom the tests weren't designed for, I put it to you that much of what "professionals" say about the technology is based on what I call "marketing information".

FWIW, I would like to see protocol-by-protocol comparisons for security gateways. They should present a list of threats tested, as well as the performance during those tests. They should be done unencrypted and encrypted. Then a rough mix of traffic can be thrown at the boxes to give an idea of the overhead of mixing protocols. A comprehensive table like this would, IMO, put an end to much of the discussion. NCSA/DataComms, can you hear me??

[Paul's description of his personal abilities snipped]

>While I'm aware of the marketing issues, I
>don't think they are relevant to the technical discussion which this
>bloomed into. I don't know why we're vectoring back to the marketing
>stuff here, since the first couple of notes pretty much covered that ground.

The first sentence explains the second. You don't think marketing is relevant to the technical discussion, hence you don't understand why I made my points about marketing being important. Rather than trying to blow off my opinions, why not instead ask me why I think they're relevant next time, maybe you'll learn something (boy do I wish I had a "clue hammer")...;-]

Cheers,
Russ

From owner-firewalls-list Sun Nov 2 09:44:01 1997
From: "Paul D. Robertson"
Date: Sun, 2 Nov 1997 13:10:03 -0500 (EST)
To: Russ, firewalls@GreatCircle.COM
Subject: RE: sex,lies, and application proxy based fw vs Check Point

On Sun, 2 Nov 1997, Paul D. Robertson wrote:

> Which doesn't mean that a number of people haven't done such tests. I
> think your predicates may hold true for 'most customers', but that
> different predicates, and resultant answers should apply for security
> professionals. Just because you, or your customers, or your company
> (generically, not personally) can't do valid tests doesn't make valid tests

Because I wasn't particularly clear here, "generically, not personally" was meant to change the statement to mean that it applied to a generic set of people, not Russ in particular. I was in no way casting aspersions on Russ' abilities to perform tests, and apologize if it seemed that way.

Paul

From owner-firewalls-list Sun Nov 2 09:59:06 1997
From: "Paul D. Robertson"
Date: Sun, 2 Nov 1997 13:27:32 -0500 (EST)
To: Russ
cc: firewalls@GreatCircle.COM, "'TIS - Avolio, Fred'", "'Darden, Frank'"
Subject: RE: sex,lies, and application proxy based fw vs Check Point

On Sun, 2 Nov 1997, Russ wrote:

> >Which doesn't mean that a number of people haven't done such tests. I
> >think your predicates may hold true for 'most customers', but that
> >different predicates, and resultant answers should apply for security
> >professionals. Just because you, or your customers, or your company
> >(generically, not personally) can't do valid tests doesn't make valid
> tests
> >any less relevant.
>
> I, my customers, and my company can do valid tests. While your
> parenthetic disclaimer "(generically, not personally)" may have been
> enough in your mind, the wording comes off sounding too much like a
> personal reproach for my liking.

I have clarified this. I will again repeat that it was not specifically aimed at you, and in no way was meant to cast such aspersions.

> I never said that the tests weren't valid, but no test results exist in
> the public realm that can reliably be used by anyone who chooses not to
> do the tests themselves (or cannot). Therefore no valid test results
> exist for the vast majority of customers wishing to implement Firewall
> solutions, hence my point that the marketing of the products/technology
> is a very large factor in the decision process.

Parts of tests certainly can though. Since I'm not going to cast aspersions at particular products, let's just say that there is a set of test results which can be applicable. For example, testing products to performance failure, and noting the failure characteristics, can be applicable to anyone using that device.

> I put it to you that much of what "professionals" say about the
> technology is based on what I call "marketing information".

I'll agree with that.

> The first sentence explains the second. You don't think marketing is
> relevant to the technical discussion, hence you don't understand why I
> made my points about marketing being important. Rather than trying to
> blow off my opinions, why not instead ask me why I think they're relevant
> next time, maybe you'll learn something (boy do I wish I had a "clue
> hammer")...;-]

Ok, could you explain why you think that particular instances of marketing rhetoric are applicable to the general discussion of base technologies? Surely the technology works the same way that the technology works regardless of what any particular company says about it?

Paul

From owner-firewalls-list Sun Nov 2 10:44:01 1997
From: Russ
Date: Sun, 2 Nov 1997 13:37:29 -0500
To: "'Paul D. Robertson'"
Cc: firewalls@GreatCircle.COM
Subject: RE: sex,lies, and application proxy based fw vs Check Point

>I have clarified this.

Thanks...;-]

>Parts of tests certainly can though. Since I'm not going to cast
>aspersions at particular products, let's just say that there is a set of
>test results which can be applicable. For example, testing products to
>performance failure, and noting the failure characteristics can be
>applicable to anyone using that device.

Testing to failure is only valid if the traffic used to create the failure matches (to varying degrees) the traffic you expect to see. Today we talk about "throughput", and rarely see the characteristics of the data being used for the test. As I said, some traffic puts higher demand on the technology. How do we know that the mix used in one of those publication evaluations is sufficiently equal across all technologies, or sufficiently representative across all customers?
If the IDC or some other body were to come out and say "The average mix of traffic across an average company's gateway is thusly formed...", and then that same mix was used in a test, then I'd say we would have a valid benchmark to make *some* comparisons/judgements from. The effect on that benchmark based on variations in the mix could substantially change the results. (let's call the test GAPING, for General Application Performance of InterNet Gateways...;-])

Example: I go out and buy the solution that offers the best GAPING results, and my mix is pretty close to the GAPING criteria. Everything is wonderful. Over the next year, I implement VPN technology for a large segment of my vast salesforce. My particular solution may, or may not, be the best solution for this change in the mix (i.e. thousands of encrypted external connections). Granted, no solution may be able to make the transition well, and revisions to the solution may make stated test results change over time.

IMO, anything other than per protocol, encrypted and non-encrypted, saturation test results are the only results which would serve a valid public purpose. These you could pick amongst to construct your own comparisons.

>Ok, could you explain why you think that particular instances of marketing
>rhetoric are applicable to the general discussion of base technologies?
>Surely the technology works the same way that the technology works
>regardless of what any particular company says about it?

All solutions that cannot be implemented are useless, agreed? Wire-cutters are the best security mechanism around, but hardly useful. Anything above wire-cutters has some component that affects the userbase. I use the term userbase to describe not only the end-clients, but also the administrative staff, IS folks, purchasing department, all the way up to the CEO who wants to make a public statement about an affiliation with a particular vendor.

I think all rhetoric is wrong, but not all marketing is rhetoric. As I've said before, test results are marketing information, and those test results could be presented in such a way as to make a substantial impact on the userbase, and therefore the technology. If, through performance testing, you could substantially prove that Vendor A's FTP capabilities were significantly slower (read: say 3 times slower) than Vendor B's, and this information was used over and over again in marketing information, chances are we'd see a substantial change to the underlying technology.

Security programmers are not, very often, sitting around purely thinking of the next best security idea they can. More often than not they're hard at work trying to solve the next marketing question that's been raised. It's a rare place indeed where marketing is not dictating (to a large extent) what gets done when and in what version. APIs, for example, are an important technological component. They are also an extremely valuable marketing tool. If I have a set of well written APIs into my solution, I'm more likely to be able to convince vendors to add to it. If they do, the public perception that the solution is "good" will increase, regardless of whether or not it really is "good". 3rd parties will not write add-ons because I've got a good API, or good underlying technology; they'll write them because they believe they'll sell a lot piggy-backing on my market-share.

Hence the technology ends up getting shaped around the vendor with good marketing techniques (read: Microsoft). CP with OPSec is an attempt to do this, and no doubt TIS' relationship with Microsoft will be a similar attempt.

I would prefer to see a balance between SPFs and AGs, as both have their place, but this balance can only be achieved with sufficient marketing information to ensure that one does not dominate the other. If OPSec is incredibly effective, and a non-OPSec vendor tries to move forward without a strong alliance group, it will, IMO, lose market-share. This may not matter to those of you who care less whether you're buying your product from a "big" or "little" vendor, but it makes a huge difference as to whether or not that vendor can continue to develop solutions into the long-term future at all. Look at Tandem Computers, who for the longest time were a marginal vendor. Excellent solution, priced at a level customers would purchase, yet the company could not continue to survive without massive changes. The changes had to happen for the technology to continue to be viable (you make far more money on new customers than you do on existing ones, in case anyone hadn't noticed).

So, technology for technology's sake is wonderful, but without marketing it has little value as a long-term solution. How far away do you think we are from Macs becoming PCs? (don't answer, take it as an observation).

Cheers,
Russ

From owner-firewalls-list Sun Nov 2 14:59:01 1997
Date: Sun, 02 Nov 1997 15:56:58 -0700
From: Jason Zions
Organization: Softway Systems Inc.
To: Russ
CC: firewalls@GreatCircle.COM, ntsecurity@iss.net
Subject: Re: [NTSEC] RE: PPTP configuration

> The issues arise when you either; a)
> cannot trust the clients to use NT only, b) must use Win95 clients, c)
> do not have control over whether or not the NT clients have disabled
> LanMan hashes.

So there's no way to force the NT server to refuse LanMan hashes? That'd be the easiest and most obvious way to avoid the issue; must mean that it's impossible. :-(

Jason

From owner-firewalls-list Sun Nov 2 15:14:42 1997
From: "Paul D. Robertson"
Date: Sun, 2 Nov 1997 18:29:07 -0500 (EST)
To: Russ
cc: firewalls@GreatCircle.COM
Subject: RE: sex,lies, and application proxy based fw vs Check Point

On Sun, 2 Nov 1997, Russ wrote:

> Testing to failure is only valid if the traffic used to create the
> failure matches (to varying degrees) the traffic you expect to see.

Right. Fortunately (or rather probably more unfortunately) we can look at the current attack methodologies and find out where the failure characteristics of a good deal of network devices lie.

> Today we talk about "throughput", and rarely see the characteristics of
> the data being used for the test. As I said, some traffic puts higher
> demand on the technology. How do we know that the mix used in one of
> those publication evaluations is sufficiently equal across all
> technologies, or, sufficiently representative across all customers?

We ask them what their methodology was. Just like we tend to ask firewall and platform vendors specific detailed questions about the internals of their products. How easy that information is to get, how current it stays, and how truthful the answers play out to be is how you start to build a trust model for a vendor. I'm frequently very pleasantly surprised at how far vendors are willing to go these days on the basis of mutual trust, without even the standard non-disclosure agreement. I find myself considering that in my trust model, because frequently I'm able to find out failure modes, thresholds and programming models without going through six months of teeth pulling. Then we can move much more quickly to the due diligence phase, where I can ask for specific proof of the assertions, or build test cases to prove or disprove them.

> If the IDC or some other body were to come out and say "The average mix
> of traffic across an average company's gateway is thusly formed...", and
> then that same mix was used in a test, then I'd say we would have a
> valid benchmark to make *some* comparisons/judgements from. The effect
> on that benchmark based on variations in the mix could substantially
> change the results. (let's call the test GAPING, for General Application
> Performance of InterNet Gateways...;-])

There is certainly a lot of work to be done in this area. I'd prefer to see it from a completely vendor neutral source. The problem with the current testing model (you know who you are), IMO, is that with the vendor feedback loop fully engaged, we can't gauge how well designed the product was. Also, just like the paper certifications for some administrators, it's more a measure of how well you test than how well you perform on the job.

> IMO, anything other than per protocol, encrypted and non-encrypted,
> saturation test results are the only results which would serve a valid
> public purpose. These you could pick amongst to construct your own
> comparisons.

The problem here is implementation vs. weighting. As has been pointed out before, comparing a 300MHz Sparc to a 200MHz isn't always relevant. I'd love to see some sort of concise scaling and cost-per-unit as well as maximum performance metric, but I don't think it's safe to assume that will happen in a way that won't be superseded every few weeks for a while. Hardware cycles are getting as bad as software ones these days.

> All solutions that cannot be implemented are useless, agreed?
> Wire-cutters are the best security mechanism around, but hardly useful.

Which doesn't change the technology, only its potential application.

> Anything above wire-cutters has some component that affects the
> userbase. I use the term userbase to describe not only the end-clients,
> but also the administrative staff, IS folks, purchasing department all
> the way up to the CEO who wants to make a public statement about an
> affiliation with a particular vendor.
>
> I think all rhetoric is wrong, but not all marketing is rhetoric. As
> I've said before, test results are marketing information, and those test
> results could be presented in such a way as to make a substantial impact
> on the userbase, and therefore the technology. If, through performance
> testing, you could substantially prove that Vendor A's FTP capabilities
> were significantly slower (read: say 3 times slower) than Vendor B's,
> and this information was used over and over again in marketing
> information, chances are we'd see a substantial change to the underlying
> technology.
Were performance your only metric, and were it likely that said change was possible without breaking the underlying codebase.

>
> Security programmers are not, very often, sitting around purely thinking
> of the next best security idea they can. More often than not they're
> hard at work trying to solve the next marketing question that's been
> raised. It's a rare place indeed where marketing is not dictating (to a
> large extent) what gets done when and in what version. APIs, for

For the general marketplace, that's certainly true. In the security marketplace, for instance TCB type systems, it's still not a total corruption, since most of those companies don't tend to have large marketing organizations yet.

> example, are an important technological component. They are also an
> extremely valuable marketing tool. If I have a set of well written APIs
> into my solution, I'm more likely to be able to convince vendors to add
> to it. If they do, the public perception that the solution is "good"
> will increase, regardless of whether or not it really is "good".
> 3rd parties will not write add-ons because I've got a good API, or good
> underlying technology, they'll write them because they believe they'll
> sell a lot piggy-backing on my market-share.

Right, which is why I think it's more important to evaluate the technology, for instance "Is an API useful, or does it decrease security?", versus listening to the marketing folks, or indeed the programming staff, tell me how wonderful it is. The more informed the buyer is, the less effective the marketing hype.

> Hence the technology ends up getting shaped around the vendor with good
> marketing techniques (read: Microsoft). CP with OPSec is an attempt to do
> this, and no doubt TIS' relationship with Microsoft will be a similar
> attempt.

For some companies that's true. For others, the technologies get shaped around other things. I'm still of the opinion that it is possible to buy security products from companies who do security well, not marketing well. Over time that may change, or may not, depending on how many me's there are, and what the business requirements evolve into.

> I would prefer to see a balance between SPFs and AGs, as both have their
> place, but this balance can only be achieved with sufficient marketing
> information to ensure that one does not dominate the other. If OPSec is
> incredibly effective, and a non-OPSec vendor tries to move forward
> without a strong alliance group, it will, IMO, lose market-share. This
> may not matter to those of you who care less whether you're buying your
> product from a "big" or "little" vendor, but it makes a huge difference
> as to whether or not that vendor can continue to develop solutions into
> the long-term future at all. Look at Tandem Computers, who for the

If at that point the situation were such that the solution needed to be upgraded, and the alternatives weren't acceptable, and the vendor wasn't making enough to move forward, obviously we'd either have to choose a less palatable solution, not do whatever it is we were doing, or buy the vendor. Just as obviously, not everyone has those options.

I also tend to think that packet filters have their place. There are things that packet filters don't do, stateful, stateless, or both. While it's certainly true that there are things that application gateways don't do as well, I've never argued otherwise; I just happen to think they're more easily solvable at border routers, or host IP stacks, than the obverse are at a packet filter.

> So, technology for technology's sake is wonderful, but without marketing
> it has little value as a long-term solution. How far away do you think
> we are from Macs becoming PCs? (don't answer, take it as an
> observation).

I'll still choose security over marketing. Buying a technology for its security properties rather than its marketing ones is still important to me. That doesn't mean it's exclusionary, it just means that I won't buy well-marketed obscurity when I have a poorly marketed security solution.

Maybe not as obviously, it is important to be able to set a realistic lifecycle on any solution. While we've come a long way from the early eighties lifecycle design methodologies, a great deal of it is still pertinent. Despite all the marketing hoopla, solid network security engineering hasn't changed a great deal in principle from that period either, and if you bank on a single solution from a single vendor, no matter what their current size, and never re-evaluate or question that choice, then I think we all know where you'll go.

Paul

From owner-firewalls-list Sun Nov 2 16:14:36 1997
From: "Paul D. Robertson"
Date: Sun, 2 Nov 1997 19:47:05 -0500 (EST)
To: Vin McLellan
cc: Firewalls@greatcircle.com, Doug.Bridgens@3Dlabs.com
Subject: Re: FIREWALL: Encryption round up?
On Sun, 2 Nov 1997, Vin McLellan wrote:

> The advent of corporate and national public key infrastructures
> (PKI) seems likely to introduce a major paradigm shift in the economics of
> Information Security. PKI -- and specifically, the mechanism of a digital
> signature -- will allow us to offer security as a productivity enhancer,
> rather than the costly pain in the ass that compsec and comsec have
> traditionally been.

I'm not sure that national PKI brings anything to the table. Corporate PKI will almost definitely be a good thing. Given the history in trade of government supplied credentials, I think national PKIs will probably be more of an abuse vector, though I would guess that some Corporate PKIs could turn that way should the usage for corporate keys extend beyond the traditional corporate boundaries. Unfortunately, the potential volume revenues in this area are making it difficult to generate much support for freeware initiatives and multiple-certificate scenarios where more complex trust boundaries can be created. Not that those wouldn't make trust modeling more difficult.

> Here in the States, there are small to tiny Gnostic cults
> (Fortezza, PGP's D-H, Elliptic Curve) which are committed to non-RSA-based
> public key implementations, but -- as you've doubtless noted in Europe --
> internationally, and in the US commercial world, RSA-based PK tech is
> almost universal. This is, in part, because stable RSA implementations

With the expiration of D-H and H-M, I think we'll probably see a shift in this. Certainly things are looking like they're starting to shift that way with SSL V3. D-H/SHA/3DES is certainly attractive to those of us who would rather not pay for our trust infrastructure on a server-by-server basis. It is possible that the freeing of PK in the US will generate much more software than before, especially if the export restrictions were to die a reasonably quick death. While your points are well worth noting, and RSA is indeed in a very strong position as far as extension of trust, until last month there really wasn't a viable alternative to licensed PK exchange, and the Hellman-Merkle patent gave rise to questions on if there were *any* alternative. With that out of the way, we're in a pretty unique situation. In the least, it should be interesting.

> Paul noted earlier that the user today is all but "on his own" in
> evaluating the quality of various cryptographic products. I suggest that
> users are well served if they stick by the recommendations of the various
> standards organizations with regard to algorithms and, to the extent
> possible, implementation guidelines. Crypto standardization is highly
> political -- with both competitive and government pressures, sometimes
> bizarrely so -- but (key length issues aside) what emerges from these
> groups is likely to be comparatively solid on implementation.

Very good advice, and worth leaving in as a repetition.

>
> The (American) National Computer Security Association
> has also recently developed consortiums of American
> and European crypto vendors which will attempt to certify crypto
> implementation code as meeting certain minimal standards. Such
> certification efforts have been quite controversial in firewalls, but it
> may be less so in crypto. If successful, this effort or others like it may
> help raise a threshold barrier against poor implementations.

I think in crypto it's easier to say what an implementation should do. With a more defined environment, we'll see much less questioning since the testing methodology should be that much easier to implement. This is certainly a barrier which needs raising.

Paul

From owner-firewalls-list Sun Nov 2 17:44:10 1997
From: fw1@cmbchina.com (fw1)
Date: Mon, 03 Nov 1997 09:17:04 +0800
To: "Firewalls@GreatCircle.COM"
Subject: Firewall-1 on Windows NT Platform

Hi Everybody:

Can anybody give me an EVAL SERIAL NUMBER of Firewall-1 on the Windows NT 4.0 platform?

Thanks for your help!
From owner-firewalls-list Sun Nov 2 18:01:45 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA19170; Sun, 2 Nov 1997 17:49:22 -0800 (PST)
Received: from ns.ntadvice.com (ns.ntadvice.com [207.176.151.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id RAA19155 for ; Sun, 2 Nov 1997 17:49:15 -0800 (PST)
Received: by ns.ntadvice.com with Internet Mail Service (5.5.1939.0) id ; Sun, 2 Nov 1997 20:48:58 -0500
Message-ID: <61B80F9FF411D1118DEF0000E8D5C667055548@ns.ntadvice.com>
From: Russ
To: "'Jason Zions'" , Russ
Cc: firewalls@GreatCircle.COM, ntsecurity@iss.net
Subject: RE: [NTSEC] RE: PPTP configuration
Date: Sun, 2 Nov 1997 20:48:57 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1939.0)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>So there's no way to force the NT server to refuse LanMan hashes? That'd
>be the easiest and most obvious way to avoid the issue; must mean that
>it's impossible. :-(

I honestly don't think it's a matter of being impossible, as surely it isn't. One thing I would look for, however, is just whether or not all NT functions that involve hashes are done using NT hashes only (this would be a logical extrapolation of their statement that LM hashes are only removed if enforced on both the server *and* the client).

I do think it's a matter that to do so would prevent the use of Win95, and I believe MS feels this setting would cause too many support issues. It would also glaringly focus attention on the insecurities of Win95 (not that they try and say it is secure, just that they probably don't want it pointed out so vividly).

Humble opinions all of my own.
Cheers, Russ From owner-firewalls-list Sun Nov 2 20:39:03 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA03311; Sun, 2 Nov 1997 20:15:50 -0800 (PST) Received: from relay1.shore.net (relay1.shore.net [192.233.85.129]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id UAA03294 for ; Sun, 2 Nov 1997 20:15:43 -0800 (PST) Received: from [198.115.179.81] (vin.shore.net [198.115.179.81]) by relay1.shore.net (8.8.7/8.8.7) with ESMTP id XAA18376; Sun, 2 Nov 1997 23:15:25 -0500 (EST) Message-Id: In-Reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sun, 2 Nov 1997 21:43:25 -0500 To: "Paul D. Robertson" From: Vin McLellan Subject: Re: FIREWALL: Encryption round up? Cc: Firewalls@greatcircle.com, Doug.Bridgens@3Dlabs.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Vin McLellan wrote: >> The advent of corporate and national public key infrastructures >> (PKI) seems likely to introduce a major paradigm shift in the economics of >> Information Security. PKI -- and specifically, the mechanism of a digital >> signature -- will allow us to offer security as a productivity enhancer, >> rather than the costly pain in the ass that compsec and comsec have >> traditionally been. Paul D. Robertson responded: >I'm not sure that national PKI brings anything to the table. Corporate >PKI, will almost definitely be a good thing. Given the history in trade >of government supplied credentials, I think national PKIs will probably >be more of an abuse vector, though I would guess that some Corporate PKIs >could turn that way should the usage for corporate keys extend beyond the >traditional corporate boundries. Unfortunately, the potential volume >revenues in this area are making it difficult to generate much support >for freeware initiatives and multiple-certificate scenerios where more >complex trust boundries can be created. 
Not that those wouldn't make >trust modeling more difficult. I think the overwhelming value of PKI will be inter-corporate, in the open economy, with interoperability of the sort demonstrated by the widespread adoption of S/MIME. Internal corporate CAs can offer neat administrative efficiences, but commerce exists only within a larger economy. Governments (e.g., Canada) will sponsor or license National CAs -- and at various level of government, they will surely have their own CAs issuing certificates for government employees and officials -- but the full potential of digital sigs in Commerce will only come from CAs (like GTE, Verisign, etc.) which offer certificates binding corporate or individual identities and public key pairs which can be validated by receiving parties anywhere in a economy. Eventually, I expect these CA to be honored internationally, but for the immediate future I expect national laws to define their scope with legislation. > >> Here in the States, there are small to tiny Gnostic cults >> (Fortezza, PGP's D-H, Eliptic Curve) which are committed to non-RSA-based >> public key implementations, but -- as you've doubtless noted in Europe -- >> internationally, and in the US commercial world, RSA-based PK tech is >> almost universal. This is, in part, because stable RSA implementations >With the expiration of D-H and H-M, I think we'll probably see a shift in >this. Certainly things are looking like they're starting to shift that >way with SSL V3. D-H/SHA/3DES is certainly attractive to those >of us who would rather not pay for our trust infrastructure on a >server-by-server basis. It is possible that the freeing of PK in the US >will generate much more software than before, especially if the export >restrictions were to die a reasonably quick death. 
>
>While your points are well worth noting, and RSA is indeed in a very strong
>position as far as extension of trust, until last month, there really
>wasn't a viable alternative to licensed PK exchange, and the
>Hellman-Merkle patent gave rise to questions on if there were *any*
>alternative. With that out of the way, we're in a pretty unique
>situation. In the least, it should be interesting.

Since the RSA patent has only three (3!!) years to run in the US, (and unpatented RSA is widely used worldwide,) I think it is extremely unlikely that any of the alternative PKI structure has a chance of drawing major investment. Successful intra-corporate CAs can be based on any PKI model -- but the lesson of Fortezza is that anything other than an RSA-based PKI today exists only in a ghetto, isolated from cert-based PK exchanges with the larger RSA-based PKI economy.

The huge installed base of RSA code worldwide -- and the commitment of the major CAs -- and Microsoft, Netscape, IBM and the rest of the S/MIME consortium -- to RSA code they know, use, and trust makes for, IMNSHO, an overwhelming barrier to entry for Diffie-Hellman-based PKI. Again, in three years, the RSA algorithms are equally free in the US -- and in most of the world, all the alternatives are available at no cost. Here, where developers license RSA -- and there, where they don't -- RSA is the overwhelming choice. (Mostly, I would argue, because that trusted base of 15 years of RSA implementation code now exists.)

How RSA captured the market is an interesting study, but not directly relevant here. In an alternative universe, this situation might have been reversed. I don't think the RSA model has any huge intrinsic superiority over the D-H/SHA/3DES model you suggest, but the RSA model has the installed base, the most trusted code base, and the commitment of the major vendors, abroad and in the US. And, PKI (again, the lesson of Fortezza) is a winner-take-all proposition.
Re the IETF: The IESG and some of the IETF security area WGs have a real problem with intellectual property rights in cryptography. Despite an IAB policy to the contrary, they detest them. (I'd love to see a Congressional investigation into the way the IETF has handled proposed standards for encryption in Internet e-mail; but OTOH I'd hate to give that much ammunition to those who argue for a government takeover of Internet governance.) I expect the facts of the market will render their own verdict on the IETF and the passionate anti-RSA crusades among the IETF's volunteer technocrats. The major vendors, I suggest, have already been heard from.

Suerte,
_Vin

Vin McLellan + The Privacy Guild + 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 -- <@><@> --

From owner-firewalls-list Sun Nov 2 23:14:06 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA14621; Sun, 2 Nov 1997 23:12:19 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id XAA14604 for ; Sun, 2 Nov 1997 23:12:09 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id CAA18691; Mon, 3 Nov 1997 02:09:32 -0500 (EST)
From: Adam Shostack
Message-Id: <199711030709.CAA18691@homeport.org>
Subject: Re: FIREWALL: Encryption round up?
In-Reply-To: from Vin McLellan at "Nov 2, 97 04:20:14 am"
To: vin@shore.net (Vin McLellan)
Date: Mon, 3 Nov 1997 02:09:31 -0500 (EST)
Cc: Firewalls@GreatCircle.COM, Doug.Bridgens@3Dlabs.com, proberts@clark.net
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If the really dangerous aspect of a cryptosystem is the implementation, and the code must hold up under widespread scrutiny, it can not be hardware.

On one side, trusting users with crypto code on a general purpose computer whose maker tells you it's not a secure platform is, well, foolish. On the other, trusting hardware is a tough thing. I can play mind games with you to demonstrate that you can't really trust that the hardware was done right without routinely stripping random units down with a microscope. (It's easier with software to demonstrate it correct.) Moti Yung and Adam Young have a wonderful set of papers on Kleptography; the art of making apparently compliant cryptographic black boxes screw their users.

Pursuing a holy grail of hardware or smartcards or standard libraries of tools is, well, pursuing a holy grail. Cryptography is hard, and looks to stay hard for the foreseeable future. The stunningly clever work of Oded Goldreich on the scientific foundations of modern cryptography provides a direction that looks very promising, but the road will not be short.

I think that standard libraries of functions, once we have standard libraries for the basic building blocks, will be more useful than hardware. Hardware is simply not flexible enough. (And, no, we don't have a standard library today. BSAFE is not available outside the US, and is priced out of the reach of most startups who would like to add cryptography as an incidental. It's easier to justify doing something half baked when the price starts at $70k.) SSLeay is looking good, if it were documented and the random numbers were done better.

Adam

Vin McLellan wrote:
| All true, more or less -- but there are a couple of other ways of
| looking at this scene. In the first place, crypto has become, and will
| become more so, the heartland of information security. And the heart of
| the heartland will always be dedicated hardware: chips and secured memory
| modules (which can offer relatively more speed, assurance, and stored-data
| integrity.)
This is the allure of smartcards, for where the user meets the | network, and special-purpose encryptors elsewhere, for high-speed and/or | high-security environments. [...] | All the noise about algorithms and key-lengths tends to obscure the | fact that the really dangerous aspect of applied cryptography is in the | actual implementation of a crypto system. Thus, implementation code which | has held up (a) under widespread scrutiny and (b) in a wide variety of | working systems will always be trusted more than any other crypto system | (new or well-known) which can't match it on those two criteria. -- "It is seldom that liberty of any kind is lost all at once." -Hume From owner-firewalls-list Mon Nov 3 02:14:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA29084; Mon, 3 Nov 1997 02:06:48 -0800 (PST) Received: from relay1.shore.net (relay1.shore.net [192.233.85.129]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id CAA29041 for ; Mon, 3 Nov 1997 02:06:34 -0800 (PST) Received: from [198.115.179.81] (vin.shore.net [198.115.179.81]) by relay1.shore.net (8.8.7/8.8.7) with ESMTP id FAA26088; Mon, 3 Nov 1997 05:06:22 -0500 (EST) Message-Id: In-Reply-To: <199711030709.CAA18691@homeport.org> References: from Vin McLellan at "Nov 2, 97 04:20:14 am" Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 3 Nov 1997 05:07:12 -0500 To: "Adam Shostack" From: Vin McLellan Subject: Re: FIREWALL: Encryption round up? Cc: firewalls@greatcircle.com, "Paul D. Robertson" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Vin McLellan huffed and puffed: >| In the first place, crypto has become, and will >| become more so, the heartland of information security. And the heart of >| the heartland will always be dedicated hardware: chips and secured memory >| modules (which can offer relatively more speed, assurance, and stored-data >| integrity.) 
This is the allure of smartcards, for where the user meets the >| network, and special-purpose encryptors elsewhere, for high-speed and/or >| high-security environments. >[...] >| All the noise about algorithms and key-lengths tends to obscure the >| fact that the really dangerous aspect of applied cryptography is in the >| actual implementation of a crypto system. Thus, implementation code which >| has held up (a) under widespread scrutiny and (b) in a wide variety of >| working systems will always be trusted more than any other crypto system >| (new or well-known) which can't match it on those two criteria. Adam Shostack stepped in with a needle and made his point with a deft poke: > If the really dangerous aspect of a cryptosystem system is the >implementation, and the code must hold up under widespread scrutiny, >it can not be hardware. Ouch! A jab that is unfortunately not inappropriate. Actually, I was thinking of documentation which could be reviewed by many, while the validation of the documentation against the implementation would be done by a few overly-conscientious, well-funded wizards like yourself, Adam. Ok. I am unconfortable with the paradox, but I still don't see any way out of it yet. What HW offers sw can not; and what SW offers hw can not. > On one side, trusting users with crypto code on a general >purpose computer whose maker tells you its not a secure platform is, >well, foolish. On the other, trusting hardware is a tough thing. I >can play mind games with you to demonstrate that you can't really >trust that the hardware was done right without routinely stripping >random units down with a microscope. So the choice is to be either foolish or tough & trusting? Sounds about right.... 
I've been saying for years that folks will never fully appreciate the elegant and wholly-obvious simplicity of hand-held authentication tokens (which have no circuit connection to a cpu or a network) until we start wondering what -- besides what it is supposed to do -- our smartcard might be doing. (Still, I can't see memorizing yard-long primes, nor keeping the Keys to the Kingdom in freely-accessible memory... so I already carry a couple of smartcards in addition to my SecurID. ) > Persuing a holy grail of hardware or smartcards or standard >libraries of tools is, well, persuing a holy grail. Cryptography is >hard, and looks to stay hard for the forseeable future. The >stunningly clever work of Oded Goldreich on the scientific foundations >of modern cryptography provide a direction that looks very promising, >but the road will not be short. As is often the case, Adam, your post has sent me off to the library. Thank you. But, for all the vaunted "flexibility" and easy validation you find in wholly-software crypto -- do you really think you will escape depending on hardware, given _it's_ meritorious advantages??? > I think that standard libraries of functions, once we have >standard libraries for the basic building blocks, will be more useful >than hardware. Hardware is simply not flexible enough. (And, no, we >don't have a standard library today. BSAFE is not available outside >the US, and is priced out of the reach of most startups who would like >to add cryptography as an incidental. Its easier to justify doing >something half baked when the price starts at $70k.) SSLeay >is looking good, if it were documented and the random numbers were >done better. Good argument. I don't know anything about the pricing of B-safe licenses. 
(Although I'll always remember that Phil Zimmerman rejected an RSA PKC license at $5K to put PGP into freeware circulation;-) OTOH, B-safe now includes not only RSAPKC and the full shelf of Ron Rivest's prodigious creativity (MD2, MD5, RC2, RC4, RC5) but SHA-1, Diffie-Hellman, Bloom-Shamir, DSA/DSS, DES, 3DES, DESX, etc.) Everything but the kitchen sink; for UNIX, WIN, and Mac platforms. I've heard rumors, however, that RSADSI was planning to eventually license B-safe module-by-module. If and when that happens, I agree it could open the B-safe library to a much broader range of potential licensees. You could visit your Congressman about the export issues -- but personally, I don't think the NSA will let go of US policy until it becomes apparent to everyone (even pols) that 21st Century e-commerce can't develop on a party line. Suerte, _Vin Vin McLellan + The Privacy Guild + 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 -- <@><@> -- From owner-firewalls-list Mon Nov 3 03:29:07 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA08443; Mon, 3 Nov 1997 03:26:55 -0800 (PST) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id DAA08430 for ; Mon, 3 Nov 1997 03:26:49 -0800 (PST) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id GAA19213; Mon, 3 Nov 1997 06:23:53 -0500 (EST) From: Adam Shostack Message-Id: <199711031123.GAA19213@homeport.org> Subject: Re: FIREWALL: Encryption round up? 
In-Reply-To: from Vin McLellan at "Nov 3, 97 05:07:12 am"
To: vin@shore.net (Vin McLellan)
Date: Mon, 3 Nov 1997 06:23:53 -0500 (EST)
Cc: adam@homeport.org, firewalls@greatcircle.com, proberts@clark.net
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Vin McLellan wrote:
| > If the really dangerous aspect of a cryptosystem is the
| >implementation, and the code must hold up under widespread scrutiny,
| >it can not be hardware.
|
| Ok. I am uncomfortable with the paradox, but I still don't see any
| way out of it yet. What HW offers sw can not; and what SW offers hw can not.

Indeed. My suspicion is that crypto-hardware will go the way of the supercomputer. While it offers many advantages, the price performance is not there to justify it, which will push the price up. Positive feedback loop. At the same time, the capabilities of a basic intel box running a free unix and acting as a crypto-peripheral are growing. The Libretto (from Toshiba) is a p-75 with 32 mb of ram that's about the size of the Newton. I'd be surprised if Toshiba would refuse an offer to buy just the motherboards in the 10,00 unit range.

There is one area where co-processors will survive for a while, and that is exponentiation. NCipher has some very cool boxes that can do about 300 RSA signatures per second. This blows away general purpose computers. They incidentally offer FIPS 140 level 2 protection for your keys, but I couldn't sell management on that. (Even when management knows *and pays* the cost of doing the right thing without FIPS 140 hardware.) Speed I can sell to businesses.

As far as smartcards for the home user, I don't see it. Verifone may decide to do SET for credit cards, which means that they will be deployed, but I'll save my rant on the two types of smartcards for another day.
Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From owner-firewalls-list Mon Nov 3 05:44:03 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA15029; Mon, 3 Nov 1997 05:28:11 -0800 (PST) Received: from maddie.atlantic.com (maddie.atlantic.com [198.252.200.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA15013 for ; Mon, 3 Nov 1997 05:28:04 -0800 (PST) Received: (from pokey@localhost) by maddie.atlantic.com (8.8.5/8.7.3) id IAA24891; Mon, 3 Nov 1997 08:27:45 -0500 From: Rick Romkey Message-Id: <199711031327.IAA24891@maddie.atlantic.com> Subject: Re: Firewall-1 on Windows NT Platform To: fw1@cmbchina.com (fw1) Date: Mon, 3 Nov 1997 08:27:44 -0500 (EST) Cc: Firewalls@GreatCircle.COM In-Reply-To: <345D2610.F687B011@cmbchina.com> from "fw1" at Nov 3, 97 09:17:04 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Hi Everybody: > Can anybody give me EVAL SERIAL NUMBER of Firewal-1 on Windows NT > 4.0 platform? > Thanks for your help! > Eval licenses are now being distributed by resellers who can aquire a "bank" of them from CheckPoint. If you require a TEMPORARY license, contact an authorized CheckPoint reseller. 
-Rick
----------------------------------------------------------------------------
Rick E Romkey | A T L A N T I C | Internet
pokey@atlantic.com | Computing Technology Corporation | Specialists
(860) 667-9596 | http://www.atlantic.com/ |
-----------------------------------------------------------------------------

From owner-firewalls-list Mon Nov 3 06:29:19 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA21027; Mon, 3 Nov 1997 06:27:04 -0800 (PST)
Received: from corinto.argo.es (corinto.argo.es [194.235.99.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA20950 for ; Mon, 3 Nov 1997 06:26:45 -0800 (PST)
Received: from argo.es (jcea@castor.argo.es [194.235.99.4]) by corinto.argo.es (8.8.5/8.8.5) with ESMTP id PAA14299; Mon, 3 Nov 1997 15:24:28 +0100 (MET)
Message-ID: <345DFB0F.DEE80C86@argo.es>
Date: Mon, 03 Nov 1997 15:25:51 -0100
From: Jesús Cea Avión
Reply-To: jcea@argo.es
Organization: Argo Redes y Servicios Telematicos, S.A.
X-Mailer: Mozilla 4.03 [en] (Win95; I)
MIME-Version: 1.0
To: Don Lewis
CC: firewalls@GreatCircle.COM, hacking@argo.es
Subject: Re: "SYN" protection product leads
References: <199710291014.CAA27966@salsa.gv.tsc.tdk.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Don Lewis wrote:
> } * Linux: No backlog. No memory. When a Syn arrives, a hash is
> } calculated to generate a unique ISN. The packet is replied to using
> } that value (cookie) and silently dropped. If the original syn was
> } faked, nothing is done. If the syn was real, the remote computer
> } will send us an ACK with the correct values and connection is
> } established. The ideal solution if faking hashes is difficult
> } (cryptography rules, of course).
>
> This is somewhat risky if you have listening sockets in the same
> port range that is used for outgoing connections and you are
> protecting the listening sockets with something like a Cisco
> "established" filter rule. This type of filter protects listening
> connections by blocking any initial incoming SYN packets. If an
> outsider is able to fake the hash, he can send an initial ACK packet
> which would look like the final packet in the three way connection
> handshake. Because the inside host doesn't keep any state until the
> connection is established, it would be fooled into thinking it had
> gotten the initial SYN and sent the reply, so it would set up the
> connection. The packet filter would not block the
> initial incoming packet, since it would have an ACK and not have a
> SYN, making the filter think the packet was a reply to an established
> outgoing connection.

Of course, all the security in this scheme comes from the HASH. If the hash isn't secure or isn't implemented with care, you are **doomed**. In fact you can reseed the hash every five minutes, for example, if you are paranoid enough.

> You should be safe with a stateful packet filter that doesn't open the
> path for incoming packets unless it has seen an outgoing SYN packet.

Yes, you are right. Only enable incoming packets if (apart from SYN packets):

a) You sent a SYN. So it's an outgoing connection.
b) You sent a SYN+ACK. It's the second step in the handshake for an incoming connection.

Nevertheless, my idea was to implement the SYN cookie scheme at the firewall, in order to protect the DMZ from external SYN flooding against badly behaved hosts (read: Windows machines :) and to avoid sequence number prediction. An interesting addition to SPF, isn't it? What do you think?
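[Editor's added example; it is not part of Jesús Cea Avión's or Don Lewis's posts, nor code from Linux or any product named in the thread.] The exchange above describes three mechanisms: a listener that keeps no half-open state because its ISN is a keyed hash (the SYN cookie), a Cisco-style "established" rule that admits any inbound packet with ACK set and SYN clear, and a stateful rule that admits inbound packets only after an outbound SYN or SYN+ACK on that 4-tuple. The model below puts the three together so the forged-ACK scenario can be walked through. The cookie layout (an 8-bit counter that rotates every five minutes in the top byte, a 24-bit HMAC over the 4-tuple and the client ISN below it), the `Packet` record, the addresses, port numbers and the fixed key in the test are all assumptions chosen for illustration; Linux's real cookie layout differs, and "the attacker knows the hash" is modelled simply by letting the attacker call the host's own cookie routine.

```python
"""SYN cookies and the two packet-filter policies from the thread (editor's model)."""
import hashlib
import hmac
import os
from collections import namedtuple

# Assumed minimal packet record; syn/ackflag are the two TCP flags we care about.
Packet = namedtuple("Packet", "src sport dst dport seq ack syn ackflag")

COUNTER_PERIOD = 300  # seconds: the five-minute reseed interval from the post
SERVER, PROTECTED_PORT = "192.0.2.10", 6000  # constructed: a listener in the high port range


class SynCookieHost:
    """Listener that keeps no half-open state: its ISN *is* the cookie."""

    def __init__(self, master_key=None):
        self.master_key = master_key or os.urandom(32)
        self.established = set()

    def _secret(self, counter):
        # One secret per counter value, so advancing the counter reseeds the hash.
        return hmac.new(self.master_key, bytes([counter]), hashlib.sha256).digest()

    def _hash24(self, counter, src, sport, dst, dport, client_isn):
        msg = f"{src}:{sport}>{dst}:{dport}:{client_isn}".encode()
        return int.from_bytes(hmac.new(self._secret(counter), msg, hashlib.sha256).digest()[:3], "big")

    def cookie(self, syn, now):
        """Assumed layout: 8-bit time counter in the top byte, 24-bit keyed hash below it."""
        counter = (now // COUNTER_PERIOD) & 0xFF
        return (counter << 24) | self._hash24(counter, syn.src, syn.sport, syn.dst, syn.dport, syn.seq)

    def on_syn(self, syn, now):
        """Answer SYN+ACK using the cookie as our ISN, then forget the SYN entirely."""
        return Packet(syn.dst, syn.dport, syn.src, syn.sport, self.cookie(syn, now), syn.seq + 1, True, True)

    def on_ack(self, ack, now):
        """Third packet: recompute the cookie; accept only the current or previous counter."""
        cookie = (ack.ack - 1) & 0xFFFFFFFF
        counter, cur = cookie >> 24, (now // COUNTER_PERIOD) & 0xFF
        if counter not in (cur, (cur - 1) & 0xFF):
            return False
        expected = self._hash24(counter, ack.src, ack.sport, ack.dst, ack.dport, ack.seq - 1)
        if expected != cookie & 0xFFFFFF:
            return False
        self.established.add((ack.src, ack.sport, ack.dst, ack.dport))
        return True


def _inbound_syn_allowed(pkt):
    """Shared port policy for both filters: initial SYNs never reach PROTECTED_PORT."""
    return pkt.dport != PROTECTED_PORT


class EstablishedFilter:
    """Cisco-style 'established': any inbound packet with ACK set (and SYN clear) is admitted."""

    def outbound(self, pkt):
        pass  # keeps no state at all

    def inbound_ok(self, pkt):
        if pkt.syn and not pkt.ackflag:
            return _inbound_syn_allowed(pkt)
        return pkt.ackflag


class StatefulFilter:
    """Admit inbound packets only after an outbound SYN or SYN+ACK on that 4-tuple."""

    def __init__(self):
        self.open = set()

    def outbound(self, pkt):
        if pkt.syn:  # our SYN (outgoing call) or our SYN+ACK (accepted incoming call)
            self.open.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound_ok(self, pkt):
        if pkt.syn and not pkt.ackflag:
            return _inbound_syn_allowed(pkt)
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.open


def legit_handshake(filt, host, now):
    """Full three-way handshake to an allowed port through the filter; True if accepted."""
    syn = Packet("198.51.100.7", 50000, SERVER, 80, 5000, 0, True, False)
    if not filt.inbound_ok(syn):
        return False
    synack = host.on_syn(syn, now)
    filt.outbound(synack)  # the filter watches our SYN+ACK leave
    ack = Packet(syn.src, syn.sport, SERVER, 80, syn.seq + 1, synack.seq + 1, False, True)
    return filt.inbound_ok(ack) and host.on_ack(ack, now + 10)


def forged_ack_attack(filt, host, now, attacker_knows_hash):
    """Outsider sends only the third packet (ACK, no SYN) to the protected port."""
    fake_syn = Packet("203.0.113.9", 40000, SERVER, PROTECTED_PORT, 1000, 0, True, False)
    # A forgeable hash is modelled by letting the attacker compute the real cookie.
    cookie = host.cookie(fake_syn, now) if attacker_knows_hash else 0x12345678
    ack = Packet(fake_syn.src, fake_syn.sport, SERVER, PROTECTED_PORT, 1001, cookie + 1, False, True)
    if not filt.inbound_ok(ack):
        return "dropped by filter"
    return "connection established" if host.on_ack(ack, now) else "rejected by host"
```

Running `forged_ack_attack` with `EstablishedFilter` and a guessable hash reproduces the scenario in the quoted text: the ACK-only packet passes the filter and the stateless host, seeing a valid cookie, opens the connection on a port the filter was supposed to protect. With a sound hash the host rejects it, which is why the post says everything rests on the hash; with `StatefulFilter` the packet never reaches the host at all, because no outbound SYN or SYN+ACK ever opened that 4-tuple.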
--
Jesus Cea Avion jcea@argo.es http://www.argo.es/~jcea/
PGP Key Available at KeyServ
"Things are not so easy"
"My name is Dump, Core Dump"
"El amor es poner tu felicidad en la felicidad de otro" (Love is placing your happiness in the happiness of another) - Leibnitz

From owner-firewalls-list Mon Nov 3 08:38:49 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA28816; Mon, 3 Nov 1997 08:06:59 -0800 (PST)
Received: from sla-nt2.sla.com (mail1.sla.com [207.153.168.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA28809 for ; Mon, 3 Nov 1997 08:06:54 -0800 (PST)
Received: by SLA_NT2 with Internet Mail Service (5.0.1457.3) id ; Mon, 3 Nov 1997 08:04:05 -0800
Message-ID:
From: "Stackpole, Bill"
To: "'Tim Lebrun'" , firewalls@GreatCircle.COM
Subject: RE: PPTP configuration
Date: Mon, 3 Nov 1997 08:04:03 -0800
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

PPTP only works on NT so your remote users will have to at least be running 4.0 workstation. My experience hasn't been good with this protocol although I haven't tried the implementation.

If your ISP doesn't use fixed IP addresses then you will have to open up PPTP to the world which means the world can attach to your internal RAS server.

The other problem I ran into was the inability to access resources on the PPTP (RAS) server itself. Seems that NT server couldn't route between the tunnel IP address and its own IP. Again this may be something that Steelhead fixed.

> -----Original Message-----
> From: Tim Lebrun [SMTP:tlebrun@internetmci.com]
> Sent: Friday, October 31, 1997 2:20 PM
> To: firewalls@GreatCircle.COM; ntsecurity@iss.net
> Subject: PPTP configuration
>
> I would like some expert opinions on
> the setup that we are looking at
> implementing.
> We want to eventually get > rid of our dial-in rack and allow > users to enter our network through > the internet. So we have a T1 > internet connection run which (from > the outside) first, goes through a > Cisco 7000 router, then through a > Gauntlet firewall, and then the > users get logged on to a NT Ras > server using PPTP. And from there > the users can go and do anything on > the network, ie: Mail, Novell, > Tn3270, Telnet. > My Question is - what are the > possible problems with kind of > setup? > From owner-firewalls-list Mon Nov 3 08:44:24 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA00295; Mon, 3 Nov 1997 08:33:52 -0800 (PST) Received: from gateway.adidasus.com (spfrw001.adidasus.com [208.146.114.30]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA00285 for ; Mon, 3 Nov 1997 08:33:46 -0800 (PST) Received: by gateway.adidasus.com; id LAA19125; Mon, 3 Nov 1997 11:33:34 -0500 (EST) Received: from unknown(10.75.10.7) by gateway.adidasus.com via smap (4.0a) id xma019118; Mon, 3 Nov 97 11:33:22 -0500 Message-ID: <345DFCFB.5FE664FC@internetmci.com> Date: Mon, 03 Nov 1997 11:34:03 -0500 From: Tim Lebrun X-Mailer: Mozilla 4.03 [en] (Win95; U) MIME-Version: 1.0 To: "Stackpole, Bill" CC: firewalls@GreatCircle.COM Subject: Re: PPTP configuration References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > >>PPTP only works on NT so your remote users will have to at least be > >>running 4.0 workstation. > > Actually M$ just released a Dialup Networking upgrade which allows 95 to > do PPTP. > >>My experience hasn't been good with this protocol although I haven't > >>tried the implementation. > >>If your ISP doesn't used fixed IP addresses then you will have to open > >>up PPTP to the world which means the world can attach your internal RAS > > >>server. 
> >>The other problem I ran into was the inability to access
> >>resources on the PPTP (RAS) server itself. Seems that NT server
> >>couldn't route between the tunnel IP address and its own IP. Again
> >>this may be something that Steelhead fixed.
>
> > -----Original Message-----
> > From: Tim Lebrun [SMTP:tlebrun@internetmci.com]
> > Sent: Friday, October 31, 1997 2:20 PM
> > To: firewalls@GreatCircle.COM; ntsecurity@iss.net
> > Subject: PPTP configuration
> >
> > I would like some expert opinions on the setup that we are looking at implementing.
> > We want to eventually get rid of our dial-in rack and allow users to enter our network through the internet. So we have a T1 internet connection run which (from the outside) first, goes through a Cisco 7000 router, then through a Gauntlet firewall, and then the users get logged on to a NT Ras server using PPTP. And from there the users can go and do anything on the network, ie: Mail, Novell, Tn3270, Telnet.
> > My Question is - what are the possible problems with kind of setup?
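The setup under discussion (PPTP clients on the Internet, through a Cisco router and a Gauntlet application gateway, to an NT RAS server) turns on exactly what the firewall must pass. Later replies in this thread (Russ, Bruce Byrd, Bill Stackpole) pin that down: the control connection is TCP port 1723, and the tunnelled PPP frames travel in GRE, IP protocol 47, which has no port numbers at all. The Go program below is an added editor's example, not code from any list member or from any of the products named; it builds two constructed packets (TEST-NET-1 addresses, constructed payloads) and checks them against a port-only rule set, which is all a TCP "plug gateway" for 1723 amounts to, and against one that also permits GRE.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Protocol numbers and the PPTP control port (RFC 2637). GRE carries no
// ports, which is why a rule that only names TCP/UDP ports cannot express it.
const (
	ProtoTCP = 6
	ProtoUDP = 17
	ProtoGRE = 47 // 0x2F
	PPTPPort = 1723
)

// Flow is what a stateless packet filter extracts from one packet.
type Flow struct {
	Proto   uint8
	SrcPort uint16 // zero for protocols without ports (GRE)
	DstPort uint16
}

// Rule permits one protocol; DstPort 0 means any port (or a portless protocol).
type Rule struct {
	Proto   uint8
	DstPort uint16
}

// ParseIPv4 extracts the protocol and, for TCP/UDP only, the port pair.
func ParseIPv4(pkt []byte) (Flow, error) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return Flow{}, errors.New("not an IPv4 packet")
	}
	ihl := int(pkt[0]&0x0f) * 4
	if ihl < 20 || len(pkt) < ihl {
		return Flow{}, errors.New("bad header length")
	}
	f := Flow{Proto: pkt[9]}
	if f.Proto == ProtoTCP || f.Proto == ProtoUDP {
		if len(pkt) < ihl+4 {
			return Flow{}, errors.New("truncated transport header")
		}
		f.SrcPort = binary.BigEndian.Uint16(pkt[ihl:])
		f.DstPort = binary.BigEndian.Uint16(pkt[ihl+2:])
	}
	return f, nil
}

// Permitted is first-match-wins; no match means deny (default-deny filter).
func Permitted(rules []Rule, f Flow) bool {
	for _, r := range rules {
		if r.Proto == f.Proto && (r.DstPort == 0 || r.DstPort == f.DstPort) {
			return true
		}
	}
	return false
}

// Check parses and filters in one step; anything unparseable is denied.
func Check(rules []Rule, pkt []byte) bool {
	f, err := ParseIPv4(pkt)
	if err != nil {
		return false
	}
	return Permitted(rules, f)
}

// buildIPv4 wraps a payload in a minimal IPv4 header (no options, checksum
// left zero). Addresses are constructed values from TEST-NET-1.
func buildIPv4(proto uint8, payload []byte) []byte {
	h := make([]byte, 20)
	h[0] = 0x45
	binary.BigEndian.PutUint16(h[2:], uint16(20+len(payload)))
	h[8] = 64
	h[9] = proto
	copy(h[12:], []byte{192, 0, 2, 10}) // remote PPTP client
	copy(h[16:], []byte{192, 0, 2, 1})  // RAS server
	return append(h, payload...)
}

// PPTPControlPacket is a TCP SYN from an ephemeral port to port 1723.
func PPTPControlPacket() []byte {
	t := make([]byte, 20)
	binary.BigEndian.PutUint16(t[0:], 40000)
	binary.BigEndian.PutUint16(t[2:], PPTPPort)
	t[12] = 0x50 // data offset: 5 words
	t[13] = 0x02 // SYN
	return buildIPv4(ProtoTCP, t)
}

// PPTPDataPacket is an enhanced-GRE frame (K flag, version 1, protocol
// type 0x880B = PPP) of the kind RFC 2637 uses for the tunnelled data.
func PPTPDataPacket() []byte {
	gre := []byte{0x20, 0x01, 0x88, 0x0B, 0x00, 0x04, 0x00, 0x01}
	ppp := []byte{0xff, 0x03, 0xc0, 0x21} // PPP LCP, constructed
	return buildIPv4(ProtoGRE, append(gre, ppp...))
}

// TCPOnlyPolicy is a port-1723-only rule set; PPTPPolicy adds the GRE channel.
var (
	TCPOnlyPolicy = []Rule{{ProtoTCP, PPTPPort}}
	PPTPPolicy    = []Rule{{ProtoTCP, PPTPPort}, {ProtoGRE, 0}}
)

func main() {
	for _, p := range []struct {
		name string
		pkt  []byte
	}{{"control (TCP/1723)", PPTPControlPacket()}, {"data (GRE, proto 47)", PPTPDataPacket()}} {
		fmt.Printf("%-22s tcp-only: %-5v tcp+gre: %v\n", p.name,
			Check(TCPOnlyPolicy, p.pkt), Check(PPTPPolicy, p.pkt))
	}
}
```

Running it shows the control connection passing both rule sets while the GRE data channel is dropped by the port-only one, which is the failure mode Steve Gaarder anticipates for an application gateway later in the thread. Note that permitting GRE to the RAS server is a protocol-level hole rather than a port-level one: the filter cannot see inside the tunnel, so the hosts reachable over it are whatever the RAS server routes to.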
> >

From owner-firewalls-list Mon Nov 3 09:59:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA08696; Mon, 3 Nov 1997 09:47:12 -0800 (PST)
Received: from subforce1.substance.com ([204.94.189.254]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA08647 for ; Mon, 3 Nov 1997 09:47:00 -0800 (PST)
Received: from pc575.examen.com ([158.222.64.246] (may be forged)) by subforce1.substance.com (8.8.6/8.6.9) with ESMTP id JAA05334; Mon, 3 Nov 1997 09:45:40 -0800
Message-Id: <199711031745.JAA05334@subforce1.substance.com>
From: "linus"
To: "Arthur Young" , "'Rabid Wombat'" , "Christopher Hornor"
Cc:
Subject: Re: (no subject)
Date: Mon, 3 Nov 1997 09:44:01 -0800
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1161
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You are indeed wise and with tao to suggest most powerful firewall of all master! I am in awe of your network ninja skill, you honor our craft!

----------
> From: Arthur Young
> To: 'Rabid Wombat' ; Christopher Hornor
> Cc: firewalls@GreatCircle.COM
> Subject: RE: (no subject)
> Date: Tuesday, October 28, 1997 7:03 AM
>
> Isn't that hardware?
>
> -----Original Message-----
> From: Rabid Wombat [SMTP:wombat@mcfeely.bsfs.org]
> Sent: Tuesday, October 28, 1997 9:24 PM
> To: Christopher Hornor
> Cc: firewalls@GreatCircle.COM
> Subject: Re: (no subject)
>
> Purchase honorable wirecutters. Implement between router and csu/dsu.
>
> On Tue, 28 Oct 1997, Christopher Hornor wrote:
>
> > I am looking for information regarding your most powerful firewall and
> > filter software .
> > do you have any suggestions ?? If possible in Japanese.
> >
> > Thank you,
> > Chris Hornor
> >

From owner-firewalls-list Mon Nov 3 10:14:08 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA10880; Mon, 3 Nov 1997 10:04:59 -0800 (PST)
Received: from main.geminisecure.com (main.geminisecure.com [205.179.16.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id KAA10846 for ; Mon, 3 Nov 1997 10:04:49 -0800 (PST)
Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id KAA14254; Mon, 3 Nov 1997 10:01:07 -0800
Date: Mon, 3 Nov 1997 10:01:07 -0800 (PST)
From: Leonard Miyata
To: Russ
cc: "'Jason Zions'" , Russ , firewalls@GreatCircle.COM, ntsecurity@iss.net
Subject: RE: [NTSEC] RE: PPTP configuration
In-Reply-To: <61B80F9FF411D1118DEF0000E8D5C667055548@ns.ntadvice.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Somewhere on the Microsoft web site, (security section?) they have an article on how to turn off (via the registry) the Lan Manager hash for Win NT 4.0.

It's a pity Microsoft didn't port the full NT PPTP implementation as part of the Dial-Up 1.2 upgrade. One would hope Microsoft won't make the same mistake with the KERBEROS port for NT 5.0 and offer support in the Memphis release....

Personal Opinions provided by Leonard Miyata aka leonard@geminisecure.com

On Sun, 2 Nov 1997, Russ wrote:

> >So there's no way to force the NT server to refuse LanMan hashes? That'd
> >be the easiest and most obvious way to avoid the issue; must mean that
> >it's impossible. :-(
>
> I honestly don't think it's a matter of being impossible, as surely it
> isn't. One thing I would look for, however, is just whether or not all
> NT functions that involve hashes are done using NT hashes only (this
> would be a logical extrapolation of their statement that LM hashes are
> only removed if enforced on both the server *and* the client).
>
> I do think it's a matter that to do so would prevent the use of Win95,
> and I believe MS feels this setting would cause too many support issues.
> It would also glaringly focus attention on the insecurities of Win95
> (not that they try and say it is secure, just that they probably don't
> want it pointed out so vividly).
>
> Humble opinions all of my own.
>
> Cheers,
> Russ
>

From owner-firewalls-list Mon Nov 3 11:19:14 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA16096; Mon, 3 Nov 1997 10:41:43 -0800 (PST)
Received: from commons.cmold.com (commons.cmold.com [204.255.183.49]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA16019 for ; Mon, 3 Nov 1997 10:41:28 -0800 (PST)
Received: (from Uactech@localhost) by commons.cmold.com (8.8.7/8.6.12) with UUCP id OAA20096; Mon, 3 Nov 1997 14:49:29 -0500 (EST)
X-Authentication-Warning: commons.cmold.com: Uactech set sender to gaarder@spencer.actech.com using -f
Received: from ovid.actech.com (ovid [198.41.4.14]) by spencer.actech.com (8.7.1/8.7.1) with ESMTP id NAA00890; Mon, 3 Nov 1997 13:35:02 -0500 (EST)
Received: (from gaarder@localhost) by ovid.actech.com (8.7.1/8.7.1) id NAA26793; Mon, 3 Nov 1997 13:35:13 -0500 (EST)
Date: Mon, 3 Nov 1997 13:35:13 -0500 (EST)
Message-Id: <199711031835.NAA26793@ovid.actech.com>
From: Steve Gaarder
To: Tim Lebrun
Cc: firewalls@GreatCircle.COM
Subject: Re: PPTP configuration
In-Reply-To: <345DFCFB.5FE664FC@internetmci.com>
References: <345DFCFB.5FE664FC@internetmci.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Tim Lebrun writes:

> From: Tim Lebrun [SMTP:tlebrun@internetmci.com]
> Sent: Friday, October 31, 1997 2:20 PM
> To: firewalls@GreatCircle.COM; ntsecurity@iss.net
> Subject: PPTP configuration
> So we have a T1 internet connection run which (from the outside) first, goes through a Cisco 7000 router, then through a Gauntlet firewall, and then the users get logged on to a NT Ras server
> using PPTP.

You may have a problem getting through your Gauntlet, since it is an application gateway. PPTP uses neither TCP nor UDP, but one of the lesser-known protocols in the IP family (I forget just which one), so a tcp "plug gateway" will not do the trick. You would need a proxy specifically designed for PPTP. I don't know of such a beast; does anyone?

Steve Gaarder    Network and Systems Administrator
gaarder@cmold.com    C-MOLD, Ithaca, N.Y., USA

From owner-firewalls-list Mon Nov 3 12:59:52 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA00121; Mon, 3 Nov 1997 12:37:57 -0800 (PST)
Received: from gateway.mpath.com (gateway.mpath.com [204.242.182.129]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id MAA00106 for ; Mon, 3 Nov 1997 12:37:50 -0800 (PST)
Received: from mpath.com (nodserv.mpath.com [206.233.214.16]) by gateway.mpath.com (8.8.5/8.8.5) with ESMTP id MAA05152; Mon, 3 Nov 1997 12:37:45 -0800 (PST)
Received: from localhost (vision@localhost) by mpath.com (8.8.5/8.8.5) with SMTP id MAA15398; Mon, 3 Nov 1997 12:37:39 -0800 (PST)
Date: Mon, 3 Nov 1997 12:37:38 -0800 (PST)
From: Max Vision
To: Steve Gaarder
cc: Tim Lebrun , firewalls@GreatCircle.COM
Subject: Re: PPTP configuration
In-Reply-To: <199711031835.NAA26793@ovid.actech.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Correct me if I'm wrong, but PPTP uses TCP 1723.
Max

On Mon, 3 Nov 1997, Steve Gaarder wrote:

> Tim Lebrun writes:
>
> > From: Tim Lebrun [SMTP:tlebrun@internetmci.com]
> > Sent: Friday, October 31, 1997 2:20 PM
> > To: firewalls@GreatCircle.COM; ntsecurity@iss.net
> > Subject: PPTP configuration
> > So we have a T1 internet connection run which (from the outside) first, goes through a Cisco 7000 router, then through a Gauntlet firewall, and then the users get logged on to a NT Ras server using PPTP.
>
> You may have a problem getting through your Gauntlet, since it is an
> application gateway. PPTP uses neither TCP nor UDP, but one of the
> lesser-known protocols in the IP family (I forget just which one), so
> a tcp "plug gateway" will not do the trick. You would need a proxy
> specifically designed for PPTP. I don't know of such a beast; does
> anyone?
>
> Steve Gaarder    Network and Systems Administrator
> gaarder@cmold.com    C-MOLD, Ithaca, N.Y., USA
>

From owner-firewalls-list Mon Nov 3 13:59:27 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA05198; Mon, 3 Nov 1997 13:30:07 -0800 (PST)
Received: from irwin-exch2.army.mil (IRWIN-EXCH2.ARMY.MIL [144.147.50.11]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id NAA05177 for ; Mon, 3 Nov 1997 13:29:59 -0800 (PST)
Received: by irwin-exch2.army.mil with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BCE85C.8F280090@irwin-exch2.army.mil>; Mon, 3 Nov 1997 13:29:49 -0800
Message-ID:
From: G2 Security Division
To: "'Cimmino, Marcos'" , "'Olivier@teamwork.co.za'" , "'winspace@geko.net.au'"
Cc: "'firewalls@greatcircle.com'"
Subject: RE: SCO how secure ?
Date: Mon, 3 Nov 1997 13:26:30 -0800
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The federal government has a page with the Trusted Product information. URL is http://www.radium.ncsc.mil/tpep/epl/index.html

The page has links to the Rainbow series; the orange book drives the trusted computer base ratings.

-----Original Message-----
From: Cimmino, Marcos [SMTP:MCimmino@uniFON.com.ar]
Sent: Monday, October 27, 1997 6:47 AM
To: 'Olivier@teamwork.co.za'; 'winspace@geko.net.au'
Cc: 'firewalls@greatcircle.com'
Subject: RE: SCO how secure ?

Hello to everybody

>Can Somebody please tell me where I can find the Trusted Product Evaluation Program?
Thank you very much

>----------
>From: Norman Widders[SMTP:winspace@geko.net.au]
>Sent: Monday, 27 October 1997 10:18
>To: Olivier@teamwork.co.za
>Cc: firewalls@greatcircle.com
>Subject: SCO how secure ?
>
>+---------------------------------------------------------------------------
>| On or about Mon, 27 Oct 1997 06:46:02 +0200,
>| Wim Olivier wrote:
>+---------------------------------------------------------------------------
>
>> IT IS C2 COMPLIANT.
>
>      ^^^^^
>
>Where is one single document that shows that SCO has
>passed the 'Trusted Product Evaluation Program' ?
>
>Based upon SCO's own documents they said
>'it meets C2 requirements' this is not the same as
>being on the Trusted Product Evaluation Program.
>
>Please share any documentation that you know of with _all_
>of us if you know something that proves SCO is C2...
>Not that C2 is worth much... imho
>
>
>--
>Yours faithfully, Norman Widders.
>
>+-----------------------------------------------------------
>| winspace@geko.net.au
>| www.geocities.com/researchtriangle/4431
>| Paladin Corporation Pty. Ltd.
>+-----------------------------------------------------------
>
>
>

From owner-firewalls-list Mon Nov 3 14:29:43 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA09419; Mon, 3 Nov 1997 14:16:00 -0800 (PST)
Received: from ns.rc.on.ca (ns.ntadvice.com [207.176.151.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id OAA09409 for ; Mon, 3 Nov 1997 14:15:49 -0800 (PST)
Received: by ns.rc.on.ca with Internet Mail Service (5.5.1939.0) id ; Mon, 3 Nov 1997 17:15:36 -0500
Message-ID: <418996AD2954D11180860000E8D5C66778C5@ns.rc.on.ca>
From: Russ
To: "'Max Vision'" , Steve Gaarder
Cc: Tim Lebrun , firewalls@GreatCircle.COM
Subject: RE: PPTP configuration
Date: Mon, 3 Nov 1997 17:15:35 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1939.0)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Correct me if I'm wrong, but PPTP uses TCP 1723.
>Max

Ok Max, I'll correct you, 'cause you're wrong...;-]

Actually, the PPTP control channel uses TCP/UDP 1723 (in practice it seems to only use TCP). However, the "payload", or actual useful part of the PPTP stream is held within IP 47, GRE, Generic Routing Encapsulation protocol. You're tunneling PPP within IP, hence the need for an encapsulated channel. The 1723 channel controls the flow of the PPTP session.

Common mistake.
Cheers,
Russ

From owner-firewalls-list Mon Nov 3 14:44:49 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA10702; Mon, 3 Nov 1997 14:30:07 -0800 (PST)
Received: from abhiweb.com (bonn.abhiweb.com [205.138.236.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id OAA10690 for ; Mon, 3 Nov 1997 14:30:00 -0800 (PST)
Received: from pc-bruce.InternetDevices.com (pc-bruce.abhiweb.com [205.138.236.31]) by abhiweb.com (8.6.12/8.6.12) with SMTP id OAA02323 for ; Mon, 3 Nov 1997 14:28:49 -0800
Message-Id: <3.0.5.32.19971103143516.009f1350@bonn.abhiweb.com>
X-Sender: byrd@bonn.abhiweb.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Mon, 03 Nov 1997 14:35:16 -0800
To: firewalls@GreatCircle.COM
From: Bruce Byrd
Subject: Re: PPTP configuration
In-Reply-To:
References: <199711031835.NAA26793@ovid.actech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From the Network TeleSystems PPTP FAQ, www.nts.com (NTS sells a Mac and Win 3.1 PPTP client)-

Q: How do I configure my company's firewall or network traffic filters to allow me to tunnel to our NT RAS from outside of our network?

A: Configure your firewall or filters to pass through all Generic Routing Encapsulation (GRE, which is IP protocol 0x2F) packets and TCP/IP traffic to and from port 1723 on your NT RAS.

Bruce

At 12:37 PM 11/3/97 -0800, Max Vision wrote:
>Correct me if I'm wrong, but PPTP uses TCP 1723.
>Max
>

-----------------------------------------------------------
Bruce Byrd
Internet Devices Inc.
www.InternetDevices.com
"Our new Fort Knox Firewall Device provides a turnkey security solution for small and medium sized companies"

From owner-firewalls-list Mon Nov 3 14:59:02 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA12892; Mon, 3 Nov 1997 14:43:02 -0800 (PST)
Received: from sla-nt2.sla.com (mail1.sla.com [207.153.168.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id OAA12803 for ; Mon, 3 Nov 1997 14:42:39 -0800 (PST)
Received: by SLA_NT2 with Internet Mail Service (5.0.1457.3) id ; Mon, 3 Nov 1997 14:39:04 -0800
Message-ID:
From: "Stackpole, Bill"
To: "'Max Vision'" , Steve Gaarder
Cc: Tim Lebrun , firewalls@GreatCircle.COM
Subject: RE: PPTP configuration
Date: Mon, 3 Nov 1997 14:39:02 -0800
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

That's correct but the protocol is type 47 which is not tcp or udp so some firewall proxies will not support it.

> -----Original Message-----
> From: Max Vision [SMTP:vision@mpath.com]
> Sent: Monday, November 03, 1997 12:38 PM
> To: Steve Gaarder
> Cc: Tim Lebrun; firewalls@GreatCircle.COM
> Subject: Re: PPTP configuration
>
> Correct me if I'm wrong, but PPTP uses TCP 1723.
> Max
>
> On Mon, 3 Nov 1997, Steve Gaarder wrote:
>
> > Tim Lebrun writes:
> >
> > > From: Tim Lebrun [SMTP:tlebrun@internetmci.com]
> > > Sent: Friday, October 31, 1997 2:20 PM
> > > To: firewalls@GreatCircle.COM; ntsecurity@iss.net
> > > Subject: PPTP configuration
> > > So we have a T1 internet connection run which (from the outside) first, goes through a Cisco 7000 router, then through a Gauntlet firewall, and then the users get logged on to a NT Ras server using PPTP.
> >
> > You may have a problem getting through your Gauntlet, since it is an
> > application gateway.
> > PPTP uses neither TCP nor UDP, but one of the
> > lesser-known protocols in the IP family (I forget just which one), so
> > a tcp "plug gateway" will not do the trick. You would need a proxy
> > specifically designed for PPTP. I don't know of such a beast; does
> > anyone?
> >
> > Steve Gaarder    Network and Systems Administrator
> > gaarder@cmold.com    C-MOLD, Ithaca, N.Y., USA
> >

From owner-firewalls-list Mon Nov 3 17:29:18 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA08833; Mon, 3 Nov 1997 17:27:27 -0800 (PST)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id RAA08825 for ; Mon, 3 Nov 1997 17:27:21 -0800 (PST)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id TAA25800; Mon, 3 Nov 1997 19:05:26 -0500
Date: Mon, 3 Nov 1997 19:05:22 -0500 (EST)
From: Rabid Wombat
To: linus
cc: Arthur Young , Christopher Hornor , firewalls@GreatCircle.COM
Subject: Re: (no subject)
In-Reply-To: <199711031745.JAA05334@subforce1.substance.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Actually, all credit for the hardware design goes to Marcus Ranum. He used to have a web page up with a picture and installation instructions, but I think he took it down to make room for his B&W photos.

-r.w.

The ancient masters were subtle, mysterious, profound, responsive. The depth of their knowledge is unfathomable.

On Mon, 3 Nov 1997, linus wrote:

> You are indeed wise and with tao to suggest most powerful firewall of all
> master! I am in awe of your network ninja skill, you honor our craft!
>
> ----------
> > From: Arthur Young
> > To: 'Rabid Wombat' ; Christopher Hornor
> > Cc: firewalls@GreatCircle.COM
> > Subject: RE: (no subject)
> > Date: Tuesday, October 28, 1997 7:03 AM
> >
> > Isn't that hardware?
> >
> > -----Original Message-----
> > From: Rabid Wombat [SMTP:wombat@mcfeely.bsfs.org]
> > Sent: Tuesday, October 28, 1997 9:24 PM
> > To: Christopher Hornor
> > Cc: firewalls@GreatCircle.COM
> > Subject: Re: (no subject)
> >
> > Purchase honorable wirecutters. Implement between router and csu/dsu.
> >
> > On Tue, 28 Oct 1997, Christopher Hornor wrote:
> >
> > > I am looking for information regarding your most powerful firewall and
> > > filter software .
> > > do you have any suggestions ?? If possible in Japanese.
> > >
> > > Thank you,
> > > Chris Hornor
> > >
>

From owner-firewalls-list Mon Nov 3 18:14:23 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA11657; Mon, 3 Nov 1997 17:57:40 -0800 (PST)
Received: from relay1.shore.net (relay1.shore.net [192.233.85.129]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id RAA11621 for ; Mon, 3 Nov 1997 17:57:26 -0800 (PST)
Received: from [198.115.179.81] (vin.shore.net [198.115.179.81]) by relay1.shore.net (8.8.7/8.8.7) with ESMTP id UAA10333; Mon, 3 Nov 1997 20:57:16 -0500 (EST)
Message-Id:
In-Reply-To: <3.0.32.19971103091612.00905a10@best.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 3 Nov 1997 20:57:53 -0500
To: "Steve G. Steinberg"
From: Vin McLellan
Subject: Re: FIREWALL: Encryption round up?
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Vin McLellan opined:

>>Again, in three years, the RSA algorithms are equally free in the US -- and
>>in most of the world, all the alternatives are available at no cost. Here,
>>where developers license RSA -- and there, where they don't -- RSA is the
>>overwhelming choice. (Mostly, I would argue, because that trusted base of
>>15 years of RSA implementation code now exists.)

Steve G. Steinberg responded:

>Hmm, are you explicitly not talking about elliptical curve here?
>Seems like that because of the low-computation/memory requirements
>of ECC, Certicom has had an awful lot of luck getting wireless
>and smartcard manufacturers to sign deals with them. Motorola
>has already announced that all their 2-way pagers will use ECC,
>which means given expected sales, there will be _many_ more devices
>with ECC than with RSA in 5 years. And, if as you say, winner
>takes all in PKI, that would seem to say that ECC will eventually
>be able to displace RSA on the desktop.
>
>What am I missing?

EC is an elegant technology and Certicom is a neat company with a lot of talented people. The Motorola pager deal is certainly not the last occasion where the demands of a specific application will lead developers to choose either EC or D-H/DSA. EC's apparent advantages -- smaller keys, less communication, less storage -- were particularly relevant to the pager deal, and EC's relatively slow calculation of digital signatures was maybe not so important.

RSA's major advantage against all alternatives, as I noted earlier, lies in its extensive trusted code base (from RSADSI, as well as from numerous independent sources, particularly in Europe) and the 15 years it has been the subject of intensive study and research. By contrast, major implementations of EC are relatively recent. The recent and unexpected discovery of weaknesses in some classes of ECs by Nigel Smart, of Hewlett Packard Labs, only reminded us that the strengths and weaknesses of EC are still being researched, documented, and quantified. (I note, however, that the new version of RSA's B-Safe cryptographic toolkit will include a variety of EC modules.)

Several of the industry's leading cryptographers -- e.g., Arjen Lenstra of Citibank, Taher ElGamal of Netscape, and Michael Wiener of Entrust -- have lately echoed the (perhaps less disinterested;-) warnings of Ron Rivest, Len Adleman, and Claus Schnorr that EC cryptosystems, while potentially very interesting, are not yet quite ready for prime time.
Wiener, the chief cryptographer at Entrust Technologies, recently offered what I thought was a fascinating (and from a cryptographer, unusually straightforward) comment on Entrust's choice of RSA's PKC as the foundation for its PKI product line. Wiener highlighted RSA's "very fast" digital signature verification and public-key encryption as major technical advantages over all competitors -- specifically including EC. (Dr. Wiener's comments may also explain why RSA-based S/MIME was so rapidly and widely adopted by the leading e-mail vendors -- while the IETF's security cadre dithers about, bitching about the illegitimacy of patents on crypto systems, and trying to score points for D-H based PGP.)

Said Wiener:

"The competitors to RSA are systems based on the discrete logarithm problem, such as DSA, Diffie-Hellman, and the elliptic curve variants of DSA and Diffie-Hellman. These schemes are competitive with RSA on speed of digital signature generation and private-key decryption, but are up to two orders of magnitude slower at digital signature verification and public-key encryption.

"The importance of the speed of signature verification and public-key encryption can be seen from the way that cryptography is used in a PKI. Consider the example of secure email. An email is signed just once, but that signature must be verified by each recipient. Certificates and revocation lists are signed once by a Certification Authority (CA), but are typically verified many thousands of times.

"A full-scale PKI will have multiple cross-certified CAs requiring end user software to verify multiple certificates and revocation lists to complete a single transaction. When encrypting email, the symmetric key used to encrypt the email contents must be individually encrypted for each recipient so that many public-key encryptions must be performed to send a single email.
These operations are quite fast when using RSA, but are much slower when using DSA, Diffie-Hellman, or their elliptic curve variants.

"The main advantage that elliptic curve cryptography has over other public-key algorithms is that its digital signatures and encrypted symmetric keys are shorter. This is not important for most applications on PCs, but there are other applications where this can be important. Elliptic curve operations can also be implemented fairly compactly in custom silicon.

"Public-Key Infrastructures should be flexible enough to handle the full range of popular public-key algorithms available. Currently, RSA is the most widely used, and this is likely to continue to be the case due to its advantages of fast digital signature verification and fast public-key encryption."

/end Wiener quote/

PKC-threatening "breakthroughs" in mathematics are, by definition, unpredictable; and some applications can very effectively leverage particular aspects of EC, D-H, or the DSA. Withal, it makes sense to open up the various PKC standards to all the options and let experience guide us. (We are, after all, talking about using this math as the foundation for the 21st Century economy. Lord knows, such a structure must be algorithm-agile!) For general purpose PKC apps, however, RSA's trusted code base seems likely to continue to dominate the market -- long after the RSA/MIT public key patent expires, in fact.

There are, btw, a number of schemes to precompute the DSA in order to boost the performance of EC and D-H to nearly match the speed of RSA in some PKI apps. I understand, however, that even the US government has had to acknowledge that there are patents which seem to cover this approach. RSADSI has one; I think MIT has another.
Suerte,
_Vin

Vin McLellan + The Privacy Guild + 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 -- <@><@> --

From owner-firewalls-list Mon Nov 3 18:45:07 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA16745; Mon, 3 Nov 1997 18:40:01 -0800 (PST)
Received: from palrel1.hp.com (palrel1.hp.com [156.153.255.235]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id SAA16737 for ; Mon, 3 Nov 1997 18:39:48 -0800 (PST)
Received: from rush.nsr.hp.com (rush.nsr.hp.com [15.17.36.5]) by palrel1.hp.com (8.8.6/8.8.5tis) with ESMTP id SAA28397; Mon, 3 Nov 1997 18:39:26 -0800 (PST)
Received: from nsr.hp.com (hpwxx034.sgp.hp.com) by rush.nsr.hp.com with ESMTP (1.39.111.2/16.2+CNS 4.0.1 ) id AA102421215; Mon, 3 Nov 1997 18:40:15 -0800
Message-Id: <345E8A78.D827195@nsr.hp.com>
Date: Tue, 04 Nov 1997 10:37:44 +0800
From: Kevin Steves
Organization: Hewlett-Packard
X-Mailer: Mozilla 4.03 [en] (Win95; I)
Mime-Version: 1.0
To: Russ
Cc: firewalls@GreatCircle.COM, ntsecurity@iss.net
Subject: Re: PPTP configuration
References: <61B80F9FF411D1118DEF0000E8D5C667055537@ns.ntadvice.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Russ wrote:
> 6. Given NT's TCP sequence predictability, hijacking a PPTP session
> based on a Win95 client (or an NT client *not* configured to *not* use
> LanMan) should be a straight-forward process.

Can you expand on this attack? I'm guessing it might be blind (can't see responses) and may be against the PPTP control connection; or maybe you're referring to predicting TCP ISNs in the GRE encapsulated, PPP encrypted TCP segment?
Kevin

From owner-firewalls-list Mon Nov 3 19:30:14 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA15585; Mon, 3 Nov 1997 18:30:55 -0800 (PST)
Received: from palrel3.hp.com (palrel3.hp.com [156.153.255.219]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id SAA15570 for ; Mon, 3 Nov 1997 18:30:47 -0800 (PST)
Received: from rush.nsr.hp.com (rush.nsr.hp.com [15.17.36.5]) by palrel3.hp.com (8.8.5/8.8.5tis) with ESMTP id SAA22816; Mon, 3 Nov 1997 18:30:40 -0800 (PST)
Received: from nsr.hp.com (hpwxx034.sgp.hp.com) by rush.nsr.hp.com with ESMTP (1.39.111.2/16.2+CNS 4.0.1 ) id AA102320690; Mon, 3 Nov 1997 18:31:30 -0800
Message-Id: <345E8869.9159107D@nsr.hp.com>
Date: Tue, 04 Nov 1997 10:28:57 +0800
From: Kevin Steves
Organization: Hewlett-Packard
X-Mailer: Mozilla 4.03 [en] (Win95; I)
Mime-Version: 1.0
To: Russ
Cc: firewalls@GreatCircle.COM
Subject: Re: PPTP configuration
References: <418996AD2954D11180860000E8D5C66778C5@ns.rc.on.ca>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Russ wrote:
> Actually, the PPTP control channel uses TCP/UDP 1723 (in practice it
> seems to only use TCP). However, the "payload", or actual useful part of
> the PPTP stream is held within IP 47, GRE, Generic Routing Encapsulation
> protocol. You're tunneling PPP within IP, hence the need for an
> encapsulated channel. The 1723 channel controls the flow of the PPTP
> session.

According to an MS whitepaper I have titled "Understanding PPTP" (sorry, don't have a web reference), "The IP datagrams are created using a modified version of the Internet GRE protocol (GRE is defined in RFCs 1701 and 1702)". Anyone know what was "modified" in GRE?
Kevin

From owner-firewalls-list Mon Nov 3 20:55:19 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA17252; Mon, 3 Nov 1997 18:45:41 -0800 (PST)
Received: from pike.sover.net (pike.sover.net [204.71.16.17]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id SAA17180 for ; Mon, 3 Nov 1997 18:45:16 -0800 (PST)
Received: from sover.net (usr2a18.rut.sover.net [206.25.64.214]) by pike.sover.net (8.8.5/8.8.5) with ESMTP id VAA23381 for ; Mon, 3 Nov 1997 21:45:11 -0500 (EST)
Message-ID: <345E8D1E.D9F2ABEC@sover.net>
Date: Mon, 03 Nov 1997 21:49:02 -0500
From: Chris Brenton
Reply-To: cbrenton@sover.net
X-Mailer: Mozilla 4.03 [en] (Win95; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: Ever seen this in practice??
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I was flipping through some Cisco training material and ran across a communication property that I do not believe I have ever seen in the field. The subject was regarding how segments are handled at the transport layer. The text stated that when there are multiple sessions taking place between two IP hosts, the sessions could be multiplexed together in order to decrease the number of required packets.

In other words, let's assume host "A" has three users logged on who all have active Telnet sessions taking place to host "B". According to the text, these three sessions could be combined into a single IP packet using multiple transport headers to distinguish each unique session (i.e. source and reply ports) and multiple payloads. In fact, it was explained to me that all traffic does not have to be initiated from the same host or even be the same transport or service. For example I could be using HTTP from host "A" to "B" while host "B" has initiated a Telnet and SNMP back to host "A". All three sessions could be multiplexed into the same set of IP packets.
While normally I place little weight in events I have never measured with an analyzer, the source of this info was the Cisco training manuals. I did however find some other things that I _know_ are mistakes, but we will not go there...

So has anyone actually ever seen this before? If so, how does a firewall deal with this type of connection? This would speak volumes to inspecting payload. I would assume that a firewall/filter that simply makes decisions based upon the data located at a certain offset from the preamble field would probably miss this. I would also assume that the support of this type of multiplexing would be vendor specific. Anyone out there doing it?

Thanks in advance!
Chris

**************************************
cbrenton@sover.net
http://www.amazon.com/exec/obidos/ats-query/0740-8883012-887529
"We've heard that a million monkeys at a million keyboards could produce the Complete Works of Shakespeare; now, thanks to the Internet, we know this is not true."

From owner-firewalls-list Mon Nov 3 22:27:24 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA26131; Mon, 3 Nov 1997 19:53:55 -0800 (PST)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-971021-1) id TAA26121 for firewalls@greatcircle.com; Mon, 3 Nov 1997 19:53:53 -0800 (PST)
Received: from ns.nexus.net.mx (nexusparc.acnet.net [167.114.25.165]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA08409 for ; Fri, 31 Oct 1997 09:19:27 -0800 (PST)
Received: (from jdelgado@localhost) by ns.nexus.net.mx (8.8.5/8.7.2) id MAA16636; Fri, 31 Oct 1997 12:08:29 -0600 (CST)
Date: Fri, 31 Oct 1997 12:08:28 -0600 (CST)
From: Jose Luis Delgado
To: Firewalls@GreatCircle.COM
Subject: Help with Raptor !!
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi to everybody!

I'm looking for a bit of your help!
I'm going to install, in a machine with these characteristics:

Sparc20
160MB (I'm going to upgrade to 256MB)
2HD (1GB each)
1 microprocessor (I'm going to put one more)

this software:

- Solaris 2.5.1
- Eagle Raptor Firewall!
- WebNotes

Question: Am I going to have PERFORMANCE problems with these characteristics? Is my hardware enough? Else... which?

Thanks in advance!

P.S.: I'm not in your mailing list... yet, can you respond directly?

From owner-firewalls-list Mon Nov 3 22:29:00 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA25656; Mon, 3 Nov 1997 19:50:54 -0800 (PST)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-971021-1) id TAA25636 for firewalls@greatcircle.com; Mon, 3 Nov 1997 19:50:50 -0800 (PST)
Received: from moria.imaginet.fr (moria.imaginet.fr [194.51.83.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id AAA16802 for ; Fri, 31 Oct 1997 00:22:01 -0800 (PST)
Received: from imaginet.fr (zoltar.imaginet.fr [194.51.83.150]) by moria.imaginet.fr via ESMTP (950215.SGI.8.6.10/911001.SGI) id JAA10010; Fri, 31 Oct 1997 09:22:16 +0100
Received: from altair.gods.imaginet.fr (altair.gods.imaginet.fr [195.68.1.72]) by imaginet.fr (8.7.5/8.7.31) with SMTP id JAA26044; Fri, 31 Oct 1997 09:22:47 +0100 (MET)
Message-Id: <199710310822.JAA26044@imaginet.fr>
Comments: Authenticated sender is
From: "Lionel MARIE"
Organization: Imaginet France
To: firewalls@GreatCircle.COM, Steve and Jill Lodin
Date: Fri, 31 Oct 1997 09:18:24 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: "SYN" protection product leads...
Reply-to: Lionel.MARIE@imaginet.fr
In-reply-to: <2.2.16.19971030144330.2957fb26@pop.iquest.net>
X-mailer: Pegasus Mail for Win32 (v2.54)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all,

There is a good introduction & access-lists at:
http://www.amazing.com/internet/

-Lionel.
> Date: Thu, 30 Oct 1997 09:43:30 -0500
> To: firewalls@GreatCircle.COM
> From: Steve and Jill Lodin
> Subject: Re: "SYN" protection product leads...

> At 08:15 PM 10/28/97 +0100, you wrote:
> >On Tue, 28 Oct 1997, James Terry wrote:
> >
> >> i'm looking for info on systems that could provide fault-tolerant
> >> protection against "SYN" attacks
>
> There is a recent article in one of the IEEE magazines by some Purdue
> University COAST researchers. Try searching the IEEE web site.
>
> Steve
> --
> Steve Lodin
> swlodin@iquest.net
> http://members.iquest.net/~swlodin/

From owner-firewalls-list Tue Nov 4 02:59:15 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA18011; Tue, 4 Nov 1997 02:47:39 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id CAA18004 for ; Tue, 4 Nov 1997 02:47:33 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id FAA25794; Tue, 4 Nov 1997 05:44:35 -0500 (EST)
From: Adam Shostack
Message-Id: <199711041044.FAA25794@homeport.org>
Subject: Re: FIREWALL: Encryption round up?
In-Reply-To: from Vin McLellan at "Nov 3, 97 08:57:53 pm"
To: vin@shore.net (Vin McLellan)
Date: Tue, 4 Nov 1997 05:44:35 -0500 (EST)
Cc: sgs@best.com, firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Vin McLellan wrote:
| >with ECC than with RSA in 5 years. And, if as you say, winner
| >takes all in PKI, that would seem to say that ECC will eventually
| >be able to displace RSA on the desktop.

(I don't buy the winner-take-all approach to PKI. There need to be gateways between pagers and email and the web; it's perfectly feasible that we'll see ECC pagers, DH/DSS mail, and RSA web certificates all co-deployed.
The programmers are different, the language is different (in the case of pagers), etc. I also don't buy much of the global PKI expectations that seem to be floating about; I'll post more on that later.)

| EC is an elegant technology and Certicom is a neat company with a
| lot of talented people. The Motorola pager deal is certainly not the last

| Several of the industry's leading cryptographers -- e.g., Arjen
| Lenstra of Citibank, Taher ElGamal of Netscape, and Michael Wiener of
| Entrust -- have lately echoed the (perhaps less disinterested;-) warnings
| of Ron Rivest, Len Adleman, and Claus Schnorr that EC cryptosystems, while
| potentially very interesting, are not yet quite ready for prime time.

While I personally agree with the RSA camp, that ECC is only ready for prime time where RSA can't go for performance and memory, there are a *LOT* of very talented cryptographers at Certicom. Moti Young, Don Beaver, Neal Koblitz, and plenty of other really first-rate people have joined the company. I can't believe these folks didn't think long and hard about the system.

| (Dr. Wiener's comments may also explain why RSA-based S/MIME was so
| rapidly and widely adopted by the leading e-mail vendors -- while the
| IETF's security cadre dithers about, bitching about the illegitimacy of
| patents on crypto systems, and trying to score points for D-H based PGP.)

RSA's S/MIME gets into products because there's a toolkit for it. Now that the PGP SDK is shipping as well, expect to see lots more PGP-based tools. There are a lot more deployed users of PGP than users of S/MIME, based on PGP keys on business cards, web pages, etc. The issue that the IETF is waiting on is RSA's refusal to state that standard pricing for use of the RSA patent in S/MIME applications will be made available, as well as change control being ceded to the IETF. Claiming that the IETF 'dithers' is pure crapola taken from a press release.
The IETF has a clear process; RSA knows what it is, and is playing games rather than addressing the issues. The IETF process is not always easy to follow, but it does tend to produce useful standards better than anyone else's process. If the IETF took the RSA proposal as it stands, the IETF would be rubber-stamping a standard from RSA, compelling people who want to comply with the standard to negotiate a deal with RSA. If RSA makes the terms open and clear to all comers, then that may be possible. As it stands, all IETF acceptance of RSA's proposal would mean is that RSA can call S/MIME 'standards compliant,' which is clearly important to them. But given their apparent lack of willingness to pay the price of those standards, they're not advancing.

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From owner-firewalls-list Tue Nov 4 03:59:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA25649; Tue, 4 Nov 1997 03:39:08 -0800 (PST)
Received: from prop.caribnet.net (prop.caribnet.net [205.214.195.129]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id DAA25565 for ; Tue, 4 Nov 1997 03:38:50 -0800 (PST)
Received: from localhost (konk@localhost) by prop.caribnet.net (8.8.7/8.8.0) with SMTP id HAA06249 for ; Tue, 4 Nov 1997 07:50:01 -0400
Date: Tue, 4 Nov 1997 07:50:01 -0400 (AST)
From: Joe Smith
To: firewalls@GreatCircle.COM
Subject: SSL WatchGuard
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings

I have been tasked with looking at several firewalls, and I have been reading your posts with interest. The reviews that I have read have rated CheckPoint, WatchGuard and SunScreen the highest. The one that I am tending towards is the WatchGuard system. Do any of you on this list have RL experience with it? Are there any other problems with WatchGuard that I should know about?

Thanks for the help!
John

From owner-firewalls-list Tue Nov 4 05:44:09 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA06672; Tue, 4 Nov 1997 05:38:53 -0800 (PST)
Received: from snowball.webtrek.com (snowball.webtrek.com [206.239.36.10]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA06665 for ; Tue, 4 Nov 1997 05:38:45 -0800 (PST)
Received: from localhost (klemmerj@localhost) by snowball.webtrek.com (8.8.5/8.8.5) with SMTP id IAA30772; Tue, 4 Nov 1997 08:38:13 -0500
Date: Tue, 4 Nov 1997 08:38:12 -0500 (EST)
From: Joe Klemmer
Reply-To: Firewall list
To: Darren Reed
cc: john , gwhalin@numerix.com, firewalls@GreatCircle.COM
Subject: Re: Linux et al PFs
In-Reply-To: <199710311300.FAA23870@honor.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 1 Nov 1997, Darren Reed wrote:

> p.s. one thing which does concern me about Linux is the bugs which seem
> to be always getting fixed...I only started reading the kernel mailing
> list recently and I was shocked at some of the things which were a
> problem, especially as I believed 2.0.30 was "stable & relatively bugfree".
> (Although the "open(dev,-1)" in *BSD is frightening too, there seem to be
> less of those type of bugs...)

The bugginess of the 2.0.3x kernels is more related to Linus having a baby and moving to the US than anything else. They are definitely atypical of the norm for "production" kernels.

---
Microsoft is not the answer. | In a World Without Fences,
Microsoft is the question,   | Who Needs Gates?
NO is the answer.
| Linux - http://www.linux.org

From owner-firewalls-list Tue Nov 4 05:59:26 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA06814; Tue, 4 Nov 1997 05:45:34 -0800 (PST)
Received: from snowball.webtrek.com (snowball.webtrek.com [206.239.36.10]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA06807 for ; Tue, 4 Nov 1997 05:45:29 -0800 (PST)
Received: from localhost (klemmerj@localhost) by snowball.webtrek.com (8.8.5/8.8.5) with SMTP id IAA30831; Tue, 4 Nov 1997 08:45:31 -0500
Date: Tue, 4 Nov 1997 08:45:31 -0500 (EST)
From: Joe Klemmer
Reply-To: Firewall list
To: "Jonathan M. Bresler"
cc: Firewall list
Subject: Re: Linux et al PFs
In-Reply-To: <199710311355.IAA23333@kryten.frb.gov>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 31 Oct 1997, Jonathan M. Bresler wrote:

> >> FreeBSD/OpenBSD/NetBSD etc has proven to generally be reliable in
> >> high-stress conditions, but isn't quite as easy to setup.
> >
> > It must have been a long time since you've looked at Linux, then.
> >Its current state is equal or better at networking than the BSDs.
>
> please show me number better than ftp.cdrom.com
>
> 200GB/day (average)
> 228GB/day (high to date)

Check with DejaNews. That's running on Linux and handling the entire News feed archive.

---
"To be considered half as good as a man, a woman must work twice as hard. Fortunately, this is not difficult..."
From owner-firewalls-list Tue Nov 4 06:51:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA15095; Tue, 4 Nov 1997 06:40:18 -0800 (PST)
Received: from server2.rad.net.id (server2.rad.net.id [202.154.1.5]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA15077 for ; Tue, 4 Nov 1997 06:40:07 -0800 (PST)
Received: from localhost.127.0.0 (dyn1031c.dialin.rad.net.id [202.154.42.31]) by server2.rad.net.id (8.8.5/RADNET) with SMTP id VAA28063 for ; Tue, 4 Nov 1997 21:40:05 +0700 (WIB)
Message-ID: <345F3229.1AAE@indo-mail.com>
Date: Tue, 04 Nov 1997 21:33:13 +0700
From: Doy
X-Mailer: Mozilla 3.04Gold (Win95; I)
MIME-Version: 1.0
To: "Firewalls@GreatCircle.COM"
Subject: Hijak detection
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Guys,

I wonder if there are firewall/intrusion detection products that can deal with TCP session hijack.. I didn't see threads related to this topic in the last half year ..okay, I'm new to this list.. ;)

Suppose the TCP session is not encrypted, and the attacker is on the packet's route, what can we do about it? Surrender..??

Of course not. We can build a statistical analysis on the number of invalid packets transmitted on each session. Has anybody done this? Is this approach valid anyway?

I'd like to see other solutions/products beside encryption/routing/netw. segmentation.
regards,
Doy

From owner-firewalls-list Tue Nov 4 07:14:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA14768; Tue, 4 Nov 1997 06:38:07 -0800 (PST)
Received: from ntserver.newoak.com ([146.115.61.251]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA14746 for ; Tue, 4 Nov 1997 06:37:59 -0800 (PST)
Received: from mike-feinstein ([10.0.21.186]) by ntserver.newoak.com (Netscape Mail Server v2.02) with ESMTP id AAA43; Mon, 3 Nov 1997 23:08:29 -0500
Message-ID: <345E6FE4.BAF2018@newoak.com>
Date: Mon, 03 Nov 1997 19:44:20 -0500
From: mfeinstein@newoak.com (Michael G. Feinstein)
Reply-To: mfeinstein@newoak.com
Organization: New Oak Communications
X-Mailer: Mozilla 4.01 [en] (Win95; I)
MIME-Version: 1.0
To: "Stackpole, Bill"
CC: "'Tim Lebrun'" , firewalls@GreatCircle.COM
Subject: Re: PPTP configuration
X-Priority: 3 (Normal)
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

As mentioned in a previous reply, Microsoft has released PPTP for Windows 95 as part of the Dial-Up Networking 1.2 Upgrade. This is available for free on the Microsoft Web site.

Keep in mind that running the PPTP protocol doesn't mean that you are terminating the session on an NT server. My company's product, the NOC 4000, can serve as a PPTP server (among other things) for up to 2,000 simultaneous sessions and 45 Mbps of aggregated tunneled, compressed, and encrypted traffic. It has a full firewall filtering mechanism built in so that it doesn't suffer from the fixed IP address issue mentioned below. The NOC 4000 is designed to run in parallel to your firewall, either directly connected to the Internet WAN connection or behind a router which is connecting your LAN to the Internet.

Check out our Web site at http://www.newoak.com for more information. You can also reply to me directly for more specific product information.
Stackpole, Bill wrote:
> PPTP only works on NT so your remote users will have to at least be
> running 4.0 workstation.
> My experience hasn't been good with this protocol although I haven't
> tried the implementation.
> If your ISP doesn't use fixed IP addresses then you will have to open
> up PPTP to the world which means the world can attach your internal RAS
> server. The other problem I ran into was the inability to access
> resources on the PPTP (RAS) server itself. Seems that NT server
> couldn't route between the tunnel IP address and its own IP. Again
> this may be something that Steelhead fixed.
>
> > -----Original Message-----
> > From: Tim Lebrun [SMTP:tlebrun@internetmci.com]
> > Sent: Friday, October 31, 1997 2:20 PM
> > To: firewalls@GreatCircle.COM; ntsecurity@iss.net
> > Subject: PPTP configuration
> >
> > I would like some expert opinions on the setup that we are looking at
> > implementing. We want to eventually get rid of our dial-in rack and
> > allow users to enter our network through the internet. So we have a T1
> > internet connection run which (from the outside) first, goes through a
> > Cisco 7000 router, then through a Gauntlet firewall, and then the
> > users get logged on to a NT RAS server using PPTP. And from there
> > the users can go and do anything on the network, ie: Mail, Novell,
> > Tn3270, Telnet.
> >
> > My Question is - what are the possible problems with this kind of
> > setup?
> >

--
Michael Feinstein           New Oak Communications
VP, Product Marketing       125 Nagog Park
Tel: 978-266-1011 x103      Acton, MA 01720
Fax: 978-266-1080           http://www.newoak.com
mfeinstein@newoak.com       Pager: 800-592-6311

From owner-firewalls-list Tue Nov 4 07:40:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA17065; Tue, 4 Nov 1997 06:53:00 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA16917 for ; Tue, 4 Nov 1997 06:52:23 -0800 (PST)
Received: from newfed.frb.gov by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id GAA17568; Tue, 4 Nov 1997 06:02:53 -0800 (PST)
Received: from FRB.GOV (umailfwd@localhost) by newfed.frb.gov (8.8.7/8.8.7) with UUCP id IAA13677 for GreatCircle.COM!firewalls; Tue, 4 Nov 1997 08:38:07 -0500 (EST)
Received: from kryten.frb.gov by frbgate.FRB.GOV (4.1/SMI-4.0) id AA28006; Tue, 4 Nov 97 08:53:49 EST
Received: from localhost.frb.gov (localhost.frb.gov [127.0.0.1]) by kryten.frb.gov (8.8.7/8.8.5) with SMTP id IAA06227 for ; Tue, 4 Nov 1997 08:53:08 -0500 (EST)
Message-Id: <199711041353.IAA06227@kryten.frb.gov>
X-Authentication-Warning: kryten.frb.gov: localhost.frb.gov [127.0.0.1] didn't use HELO protocol
X-Mailer: exmh version 1.6.5 12/11/95
To: Firewall list
Subject: Re: Linux et al PFs
In-Reply-To: Your message of "Tue, 04 Nov 1997 08:45:31 EST."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 04 Nov 1997 08:53:08 -0500
From: "Jonathan M. Bresler"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> please show me number better than ftp.cdrom.com
>>
>> 200GB/day (average)
>> 228GB/day (high to date)
>
> Check with DejaNews. That's running on Linux and handling the
> entire News feed archive.

deja-news regularly bounces mail destined for some newsgroups. they may be doing very well, but could be doing better yet.
if you have been or are advocating linux, perhaps you would be kind enough to check with DejaNews. ;)

jmb

From owner-firewalls-list Tue Nov 4 07:47:41 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA22341; Tue, 4 Nov 1997 07:27:20 -0800 (PST)
Received: from resu01.wei.sk.ca (resu01.wei.sk.ca [204.83.14.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA22255 for ; Tue, 4 Nov 1997 07:27:03 -0800 (PST)
Received: by resu01.wei.sk.ca (1.39.111.2/16.2) id AA142506616; Tue, 4 Nov 1997 09:16:56 -0600
Received: from unknown(1.10.20.4) by resu01.wei.sk.ca via smap (3.2) id xma014220; Tue, 4 Nov 97 09:16:30 -0600
Received: by refs04.wei.sk.ca with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BCE903.CF03D5C0@refs04.wei.sk.ca>; Tue, 4 Nov 1997 09:27:02 -0600
Message-Id:
From: "Walsh, Hilda"
To: "'Firewalls@GreatCircle.COM'"
Subject: FW: Notification: Inbound Mail Failure - Address not found
Date: Tue, 4 Nov 1997 09:27:00 -0600
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The user "shanner" is no longer at Wascana Energy. Please delete from your Mailing Lists......thx!!
Hilda Walsh
E-mail Administrator
(306) 781-8331
walsh@wei.sk.ca

>----------
>From: System Administrator[SMTP:postmaster@wei.sk.ca]
>Sent: Tuesday, November 04, 1997 9:03 AM
>To: ^Exchange Administrators
>Subject: Notification: Inbound Mail Failure - Address not found
>
>A mail message was not sent because the following address(es) could not be
>found:
>
> shanner@wei.sk.ca
>
>The message that caused this notification was:
>
> To: Firewalls@GreatCircle.COM
> From: Firewalls@GreatCircle.COM
> Subject: Hijak detection
>
>

From owner-firewalls-list Tue Nov 4 09:01:09 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA28469; Tue, 4 Nov 1997 08:02:36 -0800 (PST)
Received: from sj-fte02-sun.cisco.com (sj-fte02-sun.cisco.com [171.68.200.96]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id IAA28453 for ; Tue, 4 Nov 1997 08:02:31 -0800 (PST)
Received: from localhost (rbharani@localhost) by sj-fte02-sun.cisco.com (8.6.11/CA/950118) with SMTP id IAA18240 for ; Tue, 4 Nov 1997 08:02:38 -0800
Date: Tue, 4 Nov 1997 08:02:38 -0800 (PST)
From: Rakesh Bharania
To: Firewalls@GreatCircle.COM
Subject: Re: PPTP
In-Reply-To: <199711041100.DAA18470@honor.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

For those who were curious earlier, PPTP uses IP protocol type 47 (GRE) and TCP 1723.

Cheers,

---
Rakesh Bharania "The Cosmic Armadillo"     V: (408) 526-5981
Cisco Systems TAC (Applications Team)      F: (408) 527-2636
San Jose, CA
"Cisco Systems? Aren't those the guys with the trucks?"
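Doy's "Hijak detection" post above asks whether counting invalid packets per session is a workable indicator of a TCP hijack. The following is an added illustration, written for this archive and not code from any poster or product: a passive tracker keeps, per endpoint, the sequence number that endpoint should send next, and counts segments that do not fit that state (sequence numbers outside a window, ACKs for data the peer never sent, and runs of identical pure ACKs of the kind a desynchronised connection produces). The addresses, ports, sequence numbers, thresholds and both sample traces are constructed for the example.

```python
"""Toy per-session TCP consistency counter (added example, not from the list).
A passive monitor tracks the seq each endpoint should send next and counts
segments inconsistent with that; a desynchronised session shows many more.
All addresses, ports, sequence numbers and thresholds are constructed."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

SEQ_MOD = 1 << 32
MAX_SKEW = 65535       # tolerate one 16-bit window of reordering/retransmission
DUP_ACK_LIMIT = 3      # more identical pure ACKs than this looks like an ACK storm
ALERT_RATIO = 0.25     # alert when this share of a session's segments is invalid

@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str         # any of "S", "A", "P", "F", "R"
    seq: int
    ack: int
    payload_len: int = 0

@dataclass
class Session:
    next_seq: dict = field(default_factory=dict)        # (ip, port) -> expected seq
    dup_acks: Counter = field(default_factory=Counter)  # (sender, seq, ack) -> n
    total: int = 0
    invalid: int = 0
    reasons: list = field(default_factory=list)

def seq_diff(a: int, b: int) -> int:
    """a - b modulo 2^32 as a signed value (negative means 'behind')."""
    d = (a - b) % SEQ_MOD
    return d - SEQ_MOD if d >= SEQ_MOD // 2 else d

def classify(seg: Segment, s: Session) -> Optional[str]:
    """None if the segment fits the tracked state, else the reason it does not."""
    mine = s.next_seq.get((seg.src, seg.sport))     # what this sender should send
    theirs = s.next_seq.get((seg.dst, seg.dport))   # what the peer has sent so far
    if mine is not None and abs(seq_diff(seg.seq, mine)) > MAX_SKEW:
        return "seq outside window"
    if "A" in seg.flags and theirs is not None and seq_diff(seg.ack, theirs) > 0:
        return "acks data the peer never sent"
    if seg.flags == "A" and seg.payload_len == 0:    # pure ACK: watch for storms
        key = ((seg.src, seg.sport), seg.seq, seg.ack)
        s.dup_acks[key] += 1
        if s.dup_acks[key] > DUP_ACK_LIMIT:
            return "repeated identical pure ACK (ACK storm?)"
    return None

def observe(seg: Segment, s: Session) -> None:
    """Count the segment; advance the sender's baseline only if it is consistent."""
    s.total += 1
    reason = classify(seg, s)
    if reason is not None:
        s.invalid += 1
        s.reasons.append(reason)
        return                          # a bad segment must not move the baseline
    advance = seg.payload_len + ("S" in seg.flags) + ("F" in seg.flags)
    s.next_seq[(seg.src, seg.sport)] = (seg.seq + advance) % SEQ_MOD

def analyse(segments) -> Session:
    """Run one session's segments (in capture order) through the monitor."""
    s = Session()
    for seg in segments:
        observe(seg, s)
    return s

def suspicious(s: Session, min_segments: int = 4) -> bool:
    return s.total >= min_segments and s.invalid / s.total >= ALERT_RATIO

# Constructed sample traffic: one telnet session between two private addresses.
C, S = ("10.0.0.5", 40001), ("10.0.0.9", 23)

def seg(frm, to, flags, seq, ack, plen=0):
    return Segment(frm[0], frm[1], to[0], to[1], flags, seq, ack, plen)

NORMAL = [
    seg(C, S, "S", 1000, 0),
    seg(S, C, "SA", 5000, 1001),
    seg(C, S, "A", 1001, 5001),
    seg(C, S, "AP", 1001, 5001, 100),
    seg(S, C, "A", 5001, 1101),
    seg(S, C, "AP", 5001, 1101, 50),
    seg(C, S, "A", 1101, 5051),
]
# The same session followed by symptoms of desynchronisation: an ACK for 4000
# bytes the server never sent, a burst of identical pure ACKs, and a data
# segment whose sequence number is far beyond where the client should be.
HIJACKED = (NORMAL + [seg(C, S, "A", 1101, 9051)]
            + [seg(S, C, "A", 5051, 1101) for _ in range(6)]
            + [seg(C, S, "AP", 201101, 5051, 10)])

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL), ("hijacked", HIJACKED)):
        sess = analyse(trace)
        print(name, f"{sess.invalid}/{sess.total} invalid", dict(Counter(sess.reasons)))
```

The thresholds are deliberately loose: on a real link, retransmissions and reordering produce a few "invalid" segments per session, so the ratio, not any single segment, is what should raise an alert.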
From owner-firewalls-list Tue Nov 4 09:13:07 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA29041; Tue, 4 Nov 1997 08:09:10 -0800 (PST)
Received: from freedom.gmsociety.org ([209.116.153.41]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA29006 for ; Tue, 4 Nov 1997 08:08:59 -0800 (PST)
Received: (from brad@localhost) by freedom.gmsociety.org (8.8.5/8.7.3) id LAA17744; Tue, 4 Nov 1997 11:08:42 -0500
From: Brad
Message-Id: <199711041608.LAA17744@freedom.gmsociety.org>
Subject: Re: Hijak detection
To: doy@indo-mail.com (Doy)
Date: Tue, 4 Nov 1997 11:08:41 -0500 (EST)
Cc: firewalls@greatcircle.com
Reply-To: anarch@freedom.gmsociety.org
In-Reply-To: <345F3229.1AAE@indo-mail.com> from "Doy" at Nov 4, 97 09:33:13 pm
X-Mailer: ELM [version 2.4 PL25 PGP7]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Check out Wheelgroup's NetRanger Intrusion Detection product and upcoming NetSonar vulnerability scanner. Handles hijacking and much more, also works at fast ethernet and fddi speeds.

Wrath

>
> Guys,
>
> I wonder if there are firewall/intrusion detection products that can
> deal with TCP session hijack.. I didn't see threads related to this
> topic in the last half year ..okay, I'm new to this list.. ;)
>
> Suppose the TCP session is not encrypted, and the attacker is on the
> packet's route, what can we do about it? Surrender..??
>
> Of course not. We can build a statistical analysis on the number of invalid
> packets transmitted on each session. Has anybody done this? Is this
> approach valid anyway?
>
> I'd like to see other solutions/products beside encryption/routing/netw.
> segmentation.
>
> regards,
> Doy
>

From owner-firewalls-list Tue Nov 4 09:56:50 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA09189; Tue, 4 Nov 1997 09:14:11 -0800 (PST)
Received: from relay.de.uu.net (relay.de.uu.net [192.76.144.64]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA04812 for ; Tue, 4 Nov 1997 08:48:41 -0800 (PST)
Received: from prosecco.munich.ibm.de [192.54.74.2] by relay.de.uu.net with ESMTP (5.61c:012/2.7.0.l-relay) id RAA03231; Tue, 4 Nov 1997 17:48:37 +0100 (MET)
Received: (from smap@localhost) by prosecco. (fw-afx-1) id RAA28532 for ; Tue, 4 Nov 1997 17:49:33 +0100
Received: from cerberus.ak.munich.ibm.com(9.23.4.12) by prosecco.munich.ibm.de via smap (V1.3) id sma029296; Tue Nov 4 17:49:24 1997
Received: from barolo.munich.de.ibm.com (barolo.munich.de.ibm.com [9.165.98.98]) by cerberus (8.8.3/8.7afx1) with ESMTP id RAA22430 for ; Tue, 4 Nov 1997 17:48:30 +0100
Received: (from afx@localhost) by barolo (8.8.5/8.7afx2) id RAA16264; Tue, 4 Nov 1997 17:48:28 +0100
Message-ID: <19971104174828.35945@barolo.munich.de.ibm.com>
Date: Tue, 4 Nov 1997 17:48:28 +0100
From: Andreas Siegert
To: "'firewalls'"
Subject: Bay networks and filtering
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.81
In-Reply-To: ; from "Steven Johnson (BUS)" on Thu, Oct 30, 1997 at 10:30:16AM -0500
X-Organisation: IBM Unternehmensberatung GmbH / IT Security Consulting
X-Address: Leopoldstrasse 175, 80804 Muenchen, Germany
X-Phone: +49-89-4504-4509 (internal 945-4509), Fax -3853
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I am looking for information on the filtering capabilities of Bay Networks routers. I know that there is a Firewall-1 module for them, but I am looking for the basic stuff. Can I do sensible SYN/ACK checks with plenty of rules, specific to in- and outbound traffic? Can I log all specific to rules?
I have seen quite a few of their web pages, but all I found was rather crude (only 31 rules, no SYN/ACK check). Is that really true in current releases?

thanks for any hints
afx
--
Andreas Siegert afx@ibm.de / afx@barolo.munich.de.ibm.com / AFX at IPNET
PGP Key: http://www.muc.de/~afx/pubkey.asc, KeyId AB26FD05

From owner-firewalls-list Tue Nov 4 12:16:40 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA29091; Tue, 4 Nov 1997 08:09:45 -0800 (PST)
Received: from resu01.wei.sk.ca (resu01.wei.sk.ca [204.83.14.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA29072 for ; Tue, 4 Nov 1997 08:09:35 -0800 (PST)
Received: by resu01.wei.sk.ca (1.39.111.2/16.2) id AA171289172; Tue, 4 Nov 1997 09:59:32 -0600
Received: from unknown(1.10.20.4) by resu01.wei.sk.ca via smap (3.2) id xma017107; Tue, 4 Nov 97 09:59:24 -0600
Received: by refs04.wei.sk.ca with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BCE909.C8D5BF00@refs04.wei.sk.ca>; Tue, 4 Nov 1997 10:09:49 -0600
Message-Id:
From: "Walsh, Hilda"
To: "'Firewalls@GreatCircle.COM'"
Subject: FW: Notification: Inbound Mail Failure - Address not found
Date: Tue, 4 Nov 1997 10:09:48 -0600
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The user "shanner" is no longer at Wascana Energy. Please delete from your Mailing Lists......thx!!
Hilda Walsh
E-mail Administrator
(306) 781-8331
walsh@wei.sk.ca

>----------
>From: System Administrator[SMTP:postmaster@wei.sk.ca]
>Sent: Tuesday, November 04, 1997 10:06 AM
>To: ^Exchange Administrators
>Subject: Notification: Inbound Mail Failure - Address not found
>
>A mail message was not sent because the following address(es) could not be
>found:
>
> shanner@wei.sk.ca
>
>The message that caused this notification was:
>
> To: 'Firewalls@GreatCircle.COM'
> From: 'Firewalls@GreatCircle.COM'
> Subject: FW: Notification: Inbound Mail Failur
>
>

From owner-firewalls-list Tue Nov 4 12:12:42 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA27416; Tue, 4 Nov 1997 10:48:39 -0800 (PST)
Received: from ovid.kub.spink.sd.us (csd2-074.sd.cybernex.net [204.141.237.74]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA27289 for ; Tue, 4 Nov 1997 10:48:08 -0800 (PST)
Received: from localhost (vince@localhost [127.0.0.1]) by ovid.kub.spink.sd.us (8.8.7/8.7.3) with SMTP id MAA21189; Tue, 4 Nov 1997 12:53:04 -0600
Date: Tue, 4 Nov 1997 12:53:04 -0600 (CST)
From: Vince Kub
X-Sender: vince@ovid.kub.spink.sd.us
To: Andreas Siegert
cc: "'firewalls'"
Subject: Re: Bay networks and filtering
In-Reply-To: <19971104174828.35945@barolo.munich.de.ibm.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 4 Nov 1997, Andreas Siegert wrote:

> Hi,
>
> I am looking for Information on the filtering capabilities of Bay networks
> Routers. I know that there is a firewall-1 Module for them, but I am looking
> for the basic stuff. Can I do sensible Syn/Ack checks with plenty of rules,
> specific to in and outbound traffic? Can I log all specific to rules?
>
> I have seen quite a few of their web pages, but all I found was rather crude
> (only 31 rules, no SYN/ACK check), is that really true in current releases?
>
> thanks for any hints
> afx

With 10.x GAME they got to 128 rules but, at least with what I've seen, the general efficiency of filtering is much worse than with IOS. (I suspect there must be substantially different algorithmic approaches in the internal code between Bay/Cisco.) We ended up replacing all the Bay stuff with Cisco 7206s where we needed filtering rules. Even end users commented on the perceptible difference in "crispness" in surfing the Web, etc.

The logging is much weaker than with IOS (you can tell if it dropped a TCP or UDP packet but not the source or destination ports of the packet) and the management software (Site Manager) is - well, let's be charitable and say it is an excellent late '80s implementation of an engineer's tool that Marketing must have decided to "get a GUI" for.

I like Bay's switches but they have traditionally been a few years behind the curve with router technology, at least in terms of feature set. They are supposedly quite fast but, again in anecdotal observation, are not well suited to "high accountability" projects.

Enough opinion for you? ;-)

- VAK

From owner-firewalls-list Tue Nov 4 14:08:35 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA20770; Tue, 4 Nov 1997 13:16:22 -0800 (PST)
Received: from hotmail.com (F45.hotmail.com [207.82.250.56]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id NAA20701 for ; Tue, 4 Nov 1997 13:15:59 -0800 (PST)
Received: (qmail 21082 invoked by uid 0); 4 Nov 1997 21:15:50 -0000
Message-ID: <19971104211550.21081.qmail@hotmail.com>
Received: from 206.15.64.10 by www.hotmail.com with HTTP; Tue, 04 Nov 1997 13:15:50 PST
X-Originating-IP: [206.15.64.10]
From: "Alexis Zephrides"
To: firewalls@greatcircle.com
Subject: Private web-based email with SSL secure???
Content-Type: text/plain
Date: Tue, 04 Nov 1997 13:15:50 PST
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello:

I consult for an ISP that has a couple of Intel 266 Pentiums, 1 500MHz Alpha and a Sparc all running Linux. We have been talking about writing our own web-based email app (like HotMail) so that our users can get mail remotely. We have only found one app like this that runs under Linux and it is written in PERL.

If we use SSL on the web server, will the entire e-mail session be encrypted including login? The POP server is behind the Firewall as well.

Thanks in advance,

Alexis
Agean Consulting

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

From owner-firewalls-list Tue Nov 4 15:01:56 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA28464; Tue, 4 Nov 1997 10:53:22 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA28271 for ; Tue, 4 Nov 1997 10:52:24 -0800 (PST)
Received: from main.geminisecure.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id JAA18529; Tue, 4 Nov 1997 09:53:32 -0800 (PST)
Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id JAA19204; Tue, 4 Nov 1997 09:50:01 -0800
Date: Tue, 4 Nov 1997 09:49:59 -0800 (PST)
From: Leonard Miyata
To: firewalls@GreatCircle.COM
Subject: Disabling LAN Manager on NT
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I double checked my reference. At http://www.microsoft.com/security/ there is an FTP link to a patch that will turn off LAN Manager authentication on Windows NT. Be sure to read the details involved....
Personal Opinions provided by Leonard Miyata aka leonard@geminisecure.com
Gemini Computers Inc

From owner-firewalls-list Tue Nov 4 15:02:01 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA25692; Tue, 4 Nov 1997 13:52:59 -0800 (PST)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id NAA25653 for ; Tue, 4 Nov 1997 13:52:45 -0800 (PST)
Message-Id: <199711042152.NAA25653@honor.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA006390345; Wed, 5 Nov 1997 08:52:25 +1100
From: Darren Reed
Subject: Re: Linux et al PFs
To: firewalls@GreatCircle.COM
Date: Wed, 5 Nov 1997 08:52:25 +1100 (EDT)
Cc: zaph0d@phawd.com-stock.com, gwhalin@numerix.com
In-Reply-To: from "Joe Klemmer" at Nov 4, 97 08:38:12 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Joe Klemmer, sie said:
>
> On Sat, 1 Nov 1997, Darren Reed wrote:
>
> > p.s. one thing which does concern me about Linux is the bugs which seem
> > to be always getting fixed...I only started reading the kernel mailing
> > list recently and I was shocked at some of the things which were a
> > problem, especially as I believed 2.0.30 was "stable & relatively bugfree".
> > (Although the "open(dev,-1)" in *BSD is frightening too, there seem to be
> > less of those type of bugs...)
>
> The bugginess of the 2.0.3x kernels is more related to Linus
> having a baby and moving to the US than anything else. They are
> definitely atypical of the norm for "production" kernels.

I'm not sure that this puts Linux in a more favourable light. If he gets hit by a bus or is otherwise incapacitated for a length of time, are you saying that Linux would suffer as a result?
Darren

From owner-firewalls-list Tue Nov 4 15:27:02 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA22654; Tue, 4 Nov 1997 13:34:24 -0800 (PST)
Received: from typhoon.dstc.qut.edu.au (typhoon.dstc.qut.edu.au [131.181.71.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id NAA22628 for ; Tue, 4 Nov 1997 13:34:08 -0800 (PST)
Received: from absinthe.dialup.dstc.edu.au (adamb.dialup.dstc.edu.au [130.102.177.159]) by typhoon.dstc.qut.edu.au (8.8.5/8.8.5) with SMTP id HAA09060; Wed, 5 Nov 1997 07:33:52 +1000 (EST)
Message-Id: <3.0.32.19971104221328.00923e10@zikzak.net>
X-Sender: adamb@zikzak.net
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 05 Nov 1997 06:31:56 +1000
To: cbrenton@sover.net, firewalls@GreatCircle.COM
From: Adam Burns
Subject: Re: Ever seen this in practice??
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:49 PM 03/11/97 -0500, Chris Brenton wrote:
>
> So has anyone actually ever seen this before? If so, how does a firewall
> deal with this type of connection? This would speak volumes to
> inspecting payload. I would assume that a firewall/filter that simply
> makes decisions based upon the data located at a certain offset from the
> preamble field would probably miss this.
>

This encapsulation reminds me of ssh IP packet forwarding. Granted not quite the same as your 'multiplexor', ssh has the ability to tunnel IP packets end to end within a single encrypted "sheath" TCP connection.

Adam.
-NetStorm-----------------------------------------[adamb@netstorm.net.au]
adam burns                  central++vortex            po box 3168
vortex@netstorm.net.au                                 SBBC 4101 australia
PGP: http://www.netstorm.net.au/pgp/netstorm.net.au/adamb.html
-------------------------------------------------------------------------
storming the reality network into a state of suspended disbelief

From owner-firewalls-list Tue Nov 4 15:39:13 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA29480; Tue, 4 Nov 1997 14:15:44 -0800 (PST)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id OAA29405 for ; Tue, 4 Nov 1997 14:15:25 -0800 (PST)
Message-Id: <199711042215.OAA29405@honor.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA012251555; Wed, 5 Nov 1997 09:12:35 +1100
From: Darren Reed
Subject: Re: sex,lies, and application proxy based fw vs Check Point
To: ryanr@sybase.com (Ryan Russell)
Date: Wed, 5 Nov 1997 09:12:34 +1100 (EDT)
Cc: ccf15429@cc.iitd.ernet.in, proberts@clark.net, firewalls@GreatCircle.COM
In-Reply-To: <8825653F.0064A83B.00@gwwest.sybase.com> from "Ryan Russell" at Oct 29, 97 11:24:23 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Ryan Russell, sie said:
>
> The OOB bug is interesting because it's a layer-4 problem,
> and points out one of the things that Checkpoint didn't
> take into account when they are passing packets through.

Doesn't that give you cause to stop and think about whether their marketing hype about "layer 1 - 7" filtering actually means anything useful?
Darren

From owner-firewalls-list Tue Nov 4 15:40:56 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA04281; Tue, 4 Nov 1997 14:47:31 -0800 (PST)
Received: from cneeson-sun.cisco.com (cneeson-sun.cisco.com [171.68.98.158]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id OAA04244 for ; Tue, 4 Nov 1997 14:47:17 -0800 (PST)
Received: from localhost (cneeson@localhost) by cneeson-sun.cisco.com (8.6.11/CA/950118) with SMTP id JAA23287; Wed, 5 Nov 1997 09:47:14 +1100
Date: Wed, 5 Nov 1997 09:47:13 +1100 (EST)
From: Colin Neeson
To: Firewall list
cc: Darren Reed, john, gwhalin@numerix.com
Subject: Re: Linux et al PFs
In-Reply-To:
Message-ID:
X-Avian: This message conforms to RFC1149
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 4 Nov 1997, Joe Klemmer wrote:

|On Sat, 1 Nov 1997, Darren Reed wrote:
|
|> p.s. one thing which does concern me about Linux is the bugs which seem
|> to be always getting fixed...I only started reading the kernel mailing
|> list recently and I was shocked at some of the things which were a
|> problem, especially as I believed 2.0.30 was "stable & relatively bugfree".
|> (Although the "open(dev,-1)" in *BSD is frightening too, there seem to be
|> less of those type of bugs...)
|
| The bugginess of the 2.0.3x kernels is more related to Linus
|having a baby and moving to the US than anything else. They are
|definitely atypical of the norm for "production" kernels.
|

*WHO* *CARES*?! Move back to the firewall discussion please. All of this should be living on comp.os.linux.advocacy.i.don't.want.it.on.the.firewalls.list.any.more.

Thanks.
-Colin

From owner-firewalls-list Tue Nov 4 16:44:50 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA15778; Tue, 4 Nov 1997 16:05:50 -0800 (PST)
Received: from relay7.UU.NET (relay7.UU.NET [192.48.96.17]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id QAA15722 for ; Tue, 4 Nov 1997 16:05:37 -0800 (PST)
Received: from maestro.Maestro.COM by relay7.UU.NET with SMTP (peer crosschecked as: [198.102.66.11]) id QQdogu26166; Tue, 4 Nov 1997 19:05:42 -0500 (EST)
Received: from localhost by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA13620; Tue, 4 Nov 97 19:03:31 EST
Date: Tue, 4 Nov 1997 19:03:31 -0500 (EST)
From: Sick Puppy
To: firewalls@GreatCircle.com
Subject: Howl for help
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sara Gordon, please send your current e-mail address to the Dawg. Urgent. Black Synapse is tying knots in my tail and it h_u_r_t_s.

Sick Puppy, the Cat_Eating_Dawg

From owner-firewalls-list Tue Nov 4 18:30:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA09093; Tue, 4 Nov 1997 18:16:04 -0800 (PST)
Received: from quechua.inka.de (quechua.inka.de [193.197.84.5]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id SAA08856 for ; Tue, 4 Nov 1997 18:15:20 -0800 (PST)
Received: from uu.inka.de [193.197.84.8] by quechua.inka.de with smtp id 0xSuz8-0006pp-00; Wed, 5 Nov 1997 03:14:22 +0100
Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Wed, 5 Nov 97 03:14 MET
Received: by lina.inka.de id m0xSukU-00014AC (Debian Smail-3.2 1996-Jul-4 #2); Wed, 5 Nov 1997 02:59:14 +0100 (CET)
Message-Id:
Date: Wed, 5 Nov 1997 02:59:14 +0100
From: Bernd Eckenfels
To: cbrenton@sover.net
Cc: firewalls@greatcircle.com
Subject: Re: Ever seen this in practice??
References: <345E8D1E.D9F2ABEC@sover.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.67
In-Reply-To: <345E8D1E.D9F2ABEC@sover.net>; from Chris Brenton on Mon, Nov 03, 1997 at 09:49:02PM -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

On Nov 3, Chris Brenton wrote
> The subject was regarding how segments are handled at the transport
> layer. The text stated that when there are multiple sessions taking
> place between two IP hosts, that the sessions could be multiplexed
> together in order to decrease the number of required packets.

Hmm.. well.. there are a few solutions like: Term/TIA/SLIRP via TCP or tunneling via ssh. But I don't think there is a multiplexing-only solution (other than RPC based).

Greetings
Bernd

--
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
(O____O)   If privacy is outlawed only Outlaws have privacy

From owner-firewalls-list Tue Nov 4 20:21:15 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA22712; Tue, 4 Nov 1997 20:04:30 -0800 (PST)
Received: from paranoia.abm.com.au (abm-3-34.abm.com.au [203.16.203.34]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id UAA22697 for ; Tue, 4 Nov 1997 20:04:22 -0800 (PST)
Received: (from uucp@localhost) by paranoia.abm.com.au (8.8.3/8.8.3) id PAA18243 for ; Wed, 5 Nov 1997 15:14:21 +1100 (EST)
Received: from euphoria.abm.com.au(203.16.203.130) by paranoia.abm.com.au via smap (V1.3) id sma018239; Wed Nov 5 15:13:58 1997
Received: by euphoria.
(SMI-8.6/SMI-SVR4) id PAA18417; Wed, 5 Nov 1997 15:04:30 +1100
Message-Id: <199711050404.PAA18417@euphoria.>
Received: from austlabs.ozemail.com.au(203.108.63.220) by euphoria via smap (V1.3) id sma018412; Wed Nov 5 15:04:19 1997
From: "Jan Zeilinga"
To:
Subject: why use a smtp proxy
Date: Wed, 5 Nov 1997 13:56:42 +1100
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1161
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

The current purposed configuration is to allow smtp traffic through the firewall to our exchange server. The exchange server then decides what to do with the mail and routes it onwards to its destined servers within our network. My question is would you use the smtp security server with firewall-1 to do this, no security server at all or allow connections to port 25 from the internet, or install another smtp proxy...

What purpose would the smtp proxy serve?
Jan Zeilinga
Unix/Network consultant
abm Australasia Pty Ltd
Tel 613-94159166
Fax 613-94159245

From owner-firewalls-list Tue Nov 4 23:29:24 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA07184; Tue, 4 Nov 1997 23:21:46 -0800 (PST)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id XAA07176 for ; Tue, 4 Nov 1997 23:21:39 -0800 (PST)
Received: from pm4-22.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA05351; Wed, 5 Nov 97 02:20:27 -0500
Message-Id: <3.0.3.32.19971105022156.01424a88@in.net>
X-Sender: frankw@in.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Wed, 05 Nov 1997 02:21:56 -0500
To: anarch@freedom.gmsociety.org
From: Frank Willoughby
Subject: Re: Hijak detection
Cc: doy@indo-mail.com (Doy), firewalls@greatcircle.com
In-Reply-To: <199711041608.LAA17744@freedom.gmsociety.org>
References: <345F3229.1AAE@indo-mail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:08 AM 11/4/97 -0500, Brad wrote:
> Check out Wheelgroup's NetRanger Intrusion Detection product and upcoming NetSonar vulnerability scanner.
> Handles hijacking and much more, also works at fast ethernet and fddi speeds.
>
> Wrath

Perhaps I'm missing something. Why would Wheelgroup's NetRanger product be able to stop session hijacking? Any hacker who is worth their salt will be able to roll their own custom packets to be exactly what the firewall would expect the packets to be (including source/destination info, sequence numbers, etc.) The only defense against session hijacking that I'm aware of is to encrypt from point-to-point.

Best Regards,

Frank

The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc.

Fortified Networks, Inc.
- http://www.fortified.com/
Expert (vendor-neutral) Computer and Network Security Consulting
Phone: (317) 573-0800     Fax: (317) 573-0817

From owner-firewalls-list Wed Nov 5 00:14:13 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA10006; Wed, 5 Nov 1997 00:05:27 -0800 (PST)
Received: from edina.xenologics.com (edina.xenologics.com [194.77.5.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id AAA09992 for ; Wed, 5 Nov 1997 00:05:20 -0800 (PST)
Received: from www (xpl102.xnc.de [194.77.5.66]) by edina.xenologics.com (8.6.8.1/8.6.6) with SMTP id JAA12435; Wed, 5 Nov 1997 09:05:11 +0100
Message-ID: <346028B7.47765EE8@edina.xnc.com>
Date: Wed, 05 Nov 1997 09:05:11 +0100
From: Stepken
Organization: F.S.S.
X-Mailer: Mozilla 3.01Gold (X11; I; Linux 2.0.30 i586)
MIME-Version: 1.0
To: Jan Zeilinga
CC: Firewalls@GreatCircle.COM
Subject: Re: why use a smtp proxy
References: <199711050404.PAA18417@euphoria.>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jan Zeilinga wrote:
>
> Hi,
>
> The current purposed configuration is to allow smtp traffic through the
> firewall to our exchange server. The exchange server then decides what to
> do with the mail and routes it onwards to its destined servers within our
> network. My question is would you use the smtp security server with
> firewall-1 to do this, no security server at all or allow connections to
> port 25 from the internet, or install another smtp proxy...
>
> What purpose would the smtp proxy serve?
>
> Jan Zeilinga
> Unix/Network consultant
> abm Australasia Pty Ltd
> Tel 613-94159166
> Fax 613-94159245

Hi !

Mostly, e-mail daemons suffer from being attackable by:

1. unallowed commands (defined in RFC's), like the sendmail "|...." command.
2. buffer overflows. That means, you can put a program into the mail program's stack and execute it with (mostly) root rights.
To prevent this, there are PROXYs, like smtpd, which are small, without functionality and hoped not to be vulnerable to buffer overflows. They also let just commands pass through which are defined by RFC. All others are blocked.

sendmail, e.g. does the opposite. First it lets all pass, then filters. It can be too late then.

cu, Guido Stepken

From owner-firewalls-list Wed Nov 5 01:31:34 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA22831; Wed, 5 Nov 1997 01:14:18 -0800 (PST)
Received: from mail.secureservers.net (geek-gw.ptw.com [207.212.186.129]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id BAA21648 for ; Wed, 5 Nov 1997 01:03:24 -0800 (PST)
Received: (qmail 22805 invoked from network); 5 Nov 1997 09:08:42 -0000
Received: from localhost (bextreme@127.0.0.1) by localhost with SMTP; 5 Nov 1997 09:08:42 -0000
Date: Wed, 5 Nov 1997 01:08:41 -0800 (PST)
From: Jesse Brown
X-Sender: bextreme@geek-gw.ptw.com
To: Stepken
cc: Jan Zeilinga, Firewalls@GreatCircle.COM
Subject: Re: why use a smtp proxy
In-Reply-To: <346028B7.47765EE8@edina.xnc.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 5 Nov 1997, Stepken wrote:

> Jan Zeilinga wrote:
> >
> > Hi,
> >
> > The current purposed configuration is to allow smtp traffic through the
> > firewall to our exchange server. The exchange server then decides what to
> > do with the mail and routes it onwards to its destined servers within our
> > network. My question is would you use the smtp security server with
> > firewall-1 to do this, no security server at all or allow connections to
> > port 25 from the internet, or install another smtp proxy...
> >
> > What purpose would the smtp proxy serve?
> >
> > Jan Zeilinga
> > Unix/Network consultant
> > abm Australasia Pty Ltd
> > Tel 613-94159166
> > Fax 613-94159245
> Hi !
>
> Mostly, e-mail daemons suffer from being attackable by:
> 1. unallowed commands (defined in RFC's), like the sendmail "|...."
> command.

Ummm. Wrong. This is a bug. Not an 'unallowed command'. One of the problems of programs like sendmail is the overwhelming complexity of the program. Because of this, bugs can abound and unintended results are often the outcome.

> 2. buffer overflows. That means, you can put a program into the
> mail program's stack and execute it with (mostly) root rights.
>

It depends on the mailer whether or not you can get root. For instance, qmail's smtp daemon (which processes incoming mail) is not privileged. All it does is pass mail onto the mail queue system (which also does not run as root). Therefore a buffer overflow attack in qmail's smtp daemon won't do a heck of a lot for an attack.

> To prevent this, there are PROXYs, like smtpd, which are small, without
> functionality and hoped not to be vulnerable to buffer overflows.
> They also let just commands pass through which are defined by RFC.
> All others are blocked.
>

An application proxy (like smtpd) is not a mail handler. Rather, it reads an incoming connection and generates another connection to the internal machine - sending along all the data it knows to send. As these proxies are supposed to be the first line of defense they are usually extensively checked for buffer overflow and other problems. Remember, it is not a mail server or a mail client. Just a PROXY. It merely handles the exchange of data.

> sendmail, e.g. does the opposite. First it lets all pass, then filters.
> It can be too late then.

Sendmail is mail server software. It can be configured to drop connections from a certain host, etc.
>
> cu, Guido Stepken
>

-J

From owner-firewalls-list Wed Nov 5 01:44:12 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA11200; Wed, 5 Nov 1997 00:12:42 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id AAA11160 for ; Wed, 5 Nov 1997 00:12:33 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id DAA01853; Wed, 5 Nov 1997 03:09:33 -0500 (EST)
From: Adam Shostack
Message-Id: <199711050809.DAA01853@homeport.org>
Subject: Re: Hijak detection
In-Reply-To: <3.0.3.32.19971105022156.01424a88@in.net> from Frank Willoughby at "Nov 5, 97 02:21:56 am"
To: frankw@in.net (Frank Willoughby)
Date: Wed, 5 Nov 1997 03:09:32 -0500 (EST)
Cc: anarch@freedom.gmsociety.org, doy@indo-mail.com, firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There are real defenses, and there are hacks. Host security is a solid defense, firewalls are a hack. Point to point encryption is a real defense, but there are hacks available.

The point that (doy?) made is that session hijacking produces a flood of shit as you jam in packets in the hopes of getting the numbers right. (Since the other guy is transmitting at the same time as you, you often send a slew of packets, to get them into the stack first.) There are a number of papers on detecting this sort of thing, many published in the months after Tsutomo was hacked.

Thus, you can detect an attack, and perhaps respond to it. It's not an ideal defense. (Point to point cryptographic *authentication*, not encryption, is the ideal defense. Encryption is, of course, useful for other things.) However, we should not let the best become the enemy of the good.
Adam

Frank Willoughby wrote:
| At 11:08 AM 11/4/97 -0500, Brad wrote:
| >Check out Wheelgroup's NetRanger Intrusion Detection product and upcoming
| NetSonar vulnerability scanner.
| >Handles hijacking and much more, also works at fast ethernet and fddi speeds.
| >
| >Wrath
|
| Perhaps I'm missing something. Why would Wheelgroup's NetRanger product be
| able to stop session hijacking? Any hacker who is worth their salt will be
| able to roll their own custom packets to be exactly what the firewall would
| expect the packets to be (including source/destination info, sequence
| numbers, etc.) The only defense against session hijacking that I'm aware of
| is to encrypt from point-to-point.
|
| Best Regards,
|
|
| Frank
| The opinions of the author of this mail may not necessarily be
| representative of the opinions of Fortified Networks, Inc.
|
| Fortified Networks, Inc. - http://www.fortified.com/
| Expert (vendor-neutral) Computer and Network Security Consulting
| Phone: (317) 573-0800     Fax: (317) 573-0817
|

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From owner-firewalls-list Wed Nov 5 05:59:33 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA13463; Wed, 5 Nov 1997 05:57:58 -0800 (PST)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id FAA13456 for ; Wed, 5 Nov 1997 05:57:51 -0800 (PST)
Received: from pm2-30.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA17180; Wed, 5 Nov 97 08:56:43 -0500
Message-Id: <3.0.3.32.19971105085813.012fb454@in.net>
X-Sender: frankw@in.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Wed, 05 Nov 1997 08:58:13 -0500
To: Adam Shostack
From: Frank Willoughby
Subject: Re: Hijak detection
Cc: frankw@in.net (Frank Willoughby), anarch@freedom.gmsociety.org, doy@indo-mail.com, firewalls@GreatCircle.COM
In-Reply-To: <199711050809.DAA01853@homeport.org>
References: <3.0.3.32.19971105022156.01424a88@in.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 03:09 AM 11/5/97 -0500, Adam Shostack allegedly wrote:
> There are real defenses, and there are hacks. Host security is a
> solid defense, firewalls are a hack. Point to point encryption is a
> real defense, but there are hacks available.

Which particular hacks are you referring to? (If you wish, feel free to e-mail me this off-line).

> The point that (doy?) made is that session hijacking produces a flood
> of shit as you jam in packets in the hopes of getting the numbers
> right. (Since the other guy is transmitting at the same time as you,
> you often send a slew of packets, to get them into the stack first.)

This step shouldn't be necessary. Monitor the packets going to/from the firewall (or target system), bring down the victim's system on the outside (OOB, etc.), and then send in the correct packets to the firewall/system.
The firewall wouldn't notice the difference, and it is likely the victim would chalk up the problem to network difficulties.

> There are a number of papers on detecting this sort of thing, many
> published in the months after Tsutomo was hacked.

I've seen several of these and didn't see anything that would deter the aforementioned attack. OTOH, location-based authentication (based on GPS) *might* slow this attack down for the near future, but only for the military folks. The current resolution of GPS wouldn't deter this type of attack for civilians - at least not today.

If you have the time, I would be interested in a reference or pointer about a method which does not use encryption to deter session hijacking (other than GPS location-based authentication).

> Thus, you can detect an attack, and perhaps respond to it.

In the aforementioned attack, the firewall would not be aware that anything was up (or even care). By the time the victim recovered, the bad guy would already be into the internal system.

> It's not an
> ideal defense. (Point to point cryptographic *authentication*, not
> encryption, is the ideal defense.

Such as SecurID, Digital Pathways, DESlock, etc? These wouldn't slow down a serious attacker.

8< [snip]

Best Regards,

Frank

The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc.

Fortified Networks, Inc.
- http://www.fortified.com/
Expert (vendor-neutral) Computer and Network Security Consulting
Phone: (317) 573-0800     Fax: (317) 573-0817

From owner-firewalls-list Wed Nov 5 06:14:15 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA13706; Wed, 5 Nov 1997 06:06:55 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA13691 for ; Wed, 5 Nov 1997 06:06:49 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id JAA03367; Wed, 5 Nov 1997 09:03:59 -0500 (EST)
From: Adam Shostack
Message-Id: <199711051403.JAA03367@homeport.org>
Subject: Re: Hijak detection
In-Reply-To: <3.0.3.32.19971105085813.012fb454@in.net> from Frank Willoughby at "Nov 5, 97 08:58:13 am"
To: frankw@in.net (Frank Willoughby)
Date: Wed, 5 Nov 1997 09:03:59 -0500 (EST)
Cc: adam@homeport.org, frankw@in.net, anarch@freedom.gmsociety.org, doy@indo-mail.com, firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Frank Willoughby wrote:
| At 03:09 AM 11/5/97 -0500, Adam Shostack allegedly wrote:
| >There are real defenses, and there are hacks. Host security is a
| >solid defense, firewalls are a hack. Point to point encryption is a
| >real defense, but there are hacks available.
|
| Which particular hacks are you referring to? (If you wish, feel free
| to e-mail me this off-line).

The suggestion that Doy made, perhaps the new wheel group product.

| >The point that (doy?) made is that session hijacking produces a flood
| >of shit as you jam in packets in the hopes of getting the numbers
| >right. (Since the other guy is transmitting at the same time as you,
| >you often send a slew of packets, to get them into the stack first.)
|
| This step shouldn't be necessary.
| Monitor the packets going to/from
| the firewall (or target system), bring down the victim's system on
| the outside (OOB, etc.), and then send in the correct packets to the
| firewall/system. The firewall wouldn't notice the difference, and it
| is likely, the victim would chalk up the problem to network difficulties.

You assume a perfect attacker. I assume script kiddies. There are more script kiddies than perfect attackers. If you spend time watching real attacks on real systems, you realize how many idiots are out there.

| >There are a number of papers on detecting this sort of thing, many
| >published in the months after Tsutomo was hacked.
|
| I've seen several of these and didn't see anything that would deter
| the aforementioned attack. OTOH, location-based authentication
| (based on GPS) *might* slow this attack down for the near future,
| but only for the military folks. The current resolution of GPS
| wouldn't deter this type of attack for civilians - at least not
| today.

I have no clue what you're talking about, other than that paper about location escrow by Denning. Anyone who can't redo their TCP stack to break that can't execute a perfect hijack either.

| If you have the time, I would be interested in a reference or pointer
| about a method which does not use encryption to deter session hijacking
| (other than GPS location-based authentication).

Pointer: Doy's previous posts about the statistical deviations in bad packets when hijacking takes place.

| >It's not an
| >ideal defense. (Point to point cryptographic *authentication*, not
| >encryption, is the ideal defense.
|
| Such as SecurID, Digital Pathways, DESlock, etc? These wouldn't slow down
| a serious attacker.

No, such as IPsecurity AH packets. SSL3 using separate keys to authenticate and encrypt a session. I apologize for my lack of precision, I should have said cryptographic integrity protection for the session.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From owner-firewalls-list Wed Nov 5 06:45:02 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA14728; Wed, 5 Nov 1997 06:29:05 -0800 (PST)
Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA14709 for ; Wed, 5 Nov 1997 06:28:59 -0800 (PST)
Received: from clark.net (proberts@explorer.clark.net [168.143.0.7]) by mail.clark.net (8.8.8/8.8.8) with ESMTP id JAA08406; Wed, 5 Nov 1997 09:29:16 -0500 (EST)
Received: from localhost (proberts@localhost) by clark.net (8.8.8/8.8.8) with SMTP id JAA16114; Wed, 5 Nov 1997 09:29:15 -0500 (EST)
X-Authentication-Warning: clark.net: proberts owned process doing -bs
Date: Wed, 5 Nov 1997 09:29:15 -0500 (EST)
From: "Paul D. Robertson"
To: Adam Shostack
cc: Frank Willoughby, firewalls@GreatCircle.COM
Subject: Re: Hijak detection
In-Reply-To: <199711050809.DAA01853@homeport.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 5 Nov 1997, Adam Shostack wrote:

> The point that (doy?) made is that session hijacking produces a flood
> of shit as you jam in packets in the hopes of getting the numbers
> right. (Since the other guy is transmitting at the same time as you,
> you often send a slew of packets, to get them into the stack first.)
> There are a number of papers on detecting this sort of thing, many
> published in the months after Tsutomo was hacked.

Even in an ideal hijack, you'd see traffic from the attacker and the victim at the same time, one would suppose you could alert on that even if the attacker was sniffing sequence numbers instead of guessing them.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From owner-firewalls-list Wed Nov 5 07:14:09 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA18144; Wed, 5 Nov 1997 07:08:33 -0800 (PST)
Received: from cleopatra.ultra.net (cleopatra.ultra.net [199.232.56.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA18107 for ; Wed, 5 Nov 1997 07:08:22 -0800 (PST)
Received: from joespc.judgefamily.org (joesmac.ultranet.com [199.232.59.222]) by cleopatra.ultra.net (8.8.5/ult1.05) with SMTP id KAA15725; Wed, 5 Nov 1997 10:08:36 -0500 (EST)
Received: by joespc.judgefamily.org with Microsoft Mail id <01BCE9D2.D3EF2380@joespc.judgefamily.org>; Wed, 5 Nov 1997 10:08:56 -0500
Message-ID: <01BCE9D2.D3EF2380@joespc.judgefamily.org>
From: Joseph Judge
To: "Firewalls@GreatCircle.COM", "'Jan Zeilinga'"
Subject: RE: why use a smtp proxy
Date: Wed, 5 Nov 1997 10:08:55 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jan -

It is all a matter of risks and what you are willing to take on ... versus the cost of doing it another way. So:

- do you trust that the Exchange server was written with risk and security in mind ?
- do you think they wrote robust code (no buffer overruns that could compromise the box via the SMTP handling code?)
- if not, then what would be the risk ... with this box sitting uncontained on your company net? (and I type this with a straight face, even after seeing the way MS programmers handle the exception conditions in their code. Read the Risks forum for various MS server "unexpected behaviors")
- Do you want to offer the full suite of SMTP "verbs" to the outside world - realize that *anyone* can just 'telnet' to this port from the Internet and will be talking directly to a machine "inside your trusted zone" (to use silly marketing speak)

etc, etc, etc. Think along those lines.
I don't know about FW-1's proxy, but they may have addressed these items to reduce the risk that the inside SMTP server (whatever it is from old sendmail with the wizard bug from years ago to the newest spiffiest SMTPd). See how well smap/smapd from Marcus has lasted over the years --- minimalistic, well thought-out design that has been protecting bad email servers since like 87 or '88? (that is like an eon in Internet time).

--
-joe

----------
From: Jan Zeilinga[SMTP:j.zeilinga@abm.com.au]
Sent: Tuesday, November 04, 1997 9:56 PM
To: Firewalls@GreatCircle.COM
Subject: why use a smtp proxy

Hi,

The current purposed configuration is to allow smtp traffic through the firewall to our exchange server. The exchange server then decides what to do with the mail and routes it onwards to its destined servers within our network. My question is would you use the smtp security server with firewall-1 to do this, no security server at all or allow connections to port 25 from the internet, or install another smtp proxy...

What purpose would the smtp proxy serve?
Jan Zeilinga
Unix/Network consultant
abm Australasia Pty Ltd
Tel 613-94159166 Fax 613-94159245

From owner-firewalls-list Wed Nov 5 08:30:38 1997
From: Joseph Judge
To: "'Firewalls Mailing List'"
Subject: FIX protocol
Date: Wed, 5 Nov 1997 10:34:41 -0500
Message-ID: <01BCE9D6.98905440@joespc.judgefamily.org>

The FIX protocol (http://www.fixprotocol.org/) is becoming more and more popular in the financial community. I am involved in a project at work to pursue extending the use of this outside of the point-to-point private links (read: they want to use FIX over the Internet). Anyone in the firewalls community have any hands-on with FIX?
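The smap-style front end that Joseph Judge's reply on SMTP proxies above points at, written out as an added example (not code from the list, from smap, or from any product): it answers port 25 with a handful of verbs, refuses everything else, enforces sequencing and a line limit, and spools the message for the inside server instead of relaying live. The host name, the transcript and the choice of verbs are constructed for the example.

```python
"""A smap-style front end for port 25: a deliberately tiny command set, strict
sequencing and line limits, and a spool hand-off so the inside mail server
never talks to the Internet itself. Protocol logic only, no sockets."""
import re
from typing import List, Optional

MAX_LINE = 1000               # RFC 5321 limit on a text line including CRLF
ALLOWED = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "QUIT"}
# Only a bracketed path without spaces or nested brackets; source routes and
# comments are refused rather than parsed.
PATH_RE = re.compile(r"^<[^<>\s]*>$")

def parse_path(arg: str, keyword: str) -> Optional[str]:
    """'FROM:<a@b>' -> '<a@b>' ; None if the keyword or path is malformed."""
    if not arg.upper().startswith(keyword):
        return None
    path = arg[len(keyword):].strip()
    return path if PATH_RE.match(path) else None

class SmtpFrontEnd:
    def __init__(self) -> None:
        self.helo: Optional[str] = None
        self.queued: List[dict] = []      # messages spooled for the inside server
        self._reset()

    def _reset(self) -> None:
        self.sender: Optional[str] = None
        self.rcpts: List[str] = []
        self.in_data = False
        self.body: List[str] = []

    def handle(self, line: str) -> Optional[str]:
        """Process one client line; return the reply, or None while in DATA."""
        if len(line) > MAX_LINE:          # over-long line: refuse it and drop state
            self._reset()
            return "500 Line too long"
        if self.in_data:
            return self._data_line(line)
        verb, _, arg = line.partition(" ")
        if verb.upper() not in ALLOWED:   # VRFY, EXPN, TURN, debug verbs, vendor extras
            return "502 Command not implemented"
        return getattr(self, "_cmd_" + verb.lower())(arg.strip())

    def _cmd_helo(self, arg: str) -> str:
        if not arg:
            return "501 Syntax: HELO hostname"
        self.helo = arg
        return "250 frontend.example.net"   # constructed name; no extensions offered
    _cmd_ehlo = _cmd_helo                  # EHLO gets the same bare 250, nothing more

    def _cmd_mail(self, arg: str) -> str:
        if self.helo is None:
            return "503 Send HELO first"
        path = parse_path(arg, "FROM:")
        if path is None:
            return "501 Syntax: MAIL FROM:<address>"
        self.sender = path
        return "250 OK"

    def _cmd_rcpt(self, arg: str) -> str:
        if self.sender is None:
            return "503 Need MAIL command"
        path = parse_path(arg, "TO:")
        if path is None or path == "<>":
            return "501 Syntax: RCPT TO:<address>"
        self.rcpts.append(path)
        return "250 OK"

    def _cmd_data(self, arg: str) -> str:
        if not self.rcpts:
            return "503 Need RCPT command"
        self.in_data = True
        return "354 End data with <CR><LF>.<CR><LF>"

    def _cmd_rset(self, arg: str) -> str:
        self._reset()
        return "250 OK"

    def _cmd_quit(self, arg: str) -> str:
        return "221 Bye"

    def _data_line(self, line: str) -> Optional[str]:
        if line == ".":                   # end of message: spool it, never relay live
            self.queued.append({"from": self.sender, "to": self.rcpts, "body": self.body})
            self._reset()
            return "250 Queued"
        self.body.append(line[1:] if line.startswith(".") else line)   # undo dot-stuffing
        return None

def run_session(lines: List[str]) -> List[str]:
    """Feed a whole client transcript to a fresh front end; return its replies."""
    fe = SmtpFrontEnd()
    return [r for r in map(fe.handle, lines) if r is not None]

# Constructed transcript: a probe with stray verbs, then a normal message.
SESSION = ["HELO mail.example.net", "VRFY root", "WIZ", "RCPT TO:<bob@example.com>",
           "MAIL FROM:<alice@example.net>", "RCPT TO:<bob@example.com>", "DATA",
           "Subject: hi", "", "..leading dot", ".", "QUIT"]
```

Whatever the inside server's SMTP code looks like, the only parser reachable from the Internet is this one, and the spooled messages are handed over by a separate delivery step.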
--joe

From owner-firewalls-list Wed Nov 5 08:45:15 1997
From: "c.s.r.murthy"
To: Firewalls@GreatCircle.COM
Date: Tue, 4 Nov 1997 11:56:45 +0530 (IST)

Hello Sirs!

We have a class `C` internet address space at our disposal. I want to split it into two subnets and connect them using a firewall. I want to keep important systems like the DNS and MAIL server on the subnet outside the firewall, which will have direct internet access. Hosts inside the firewall should have internet access for all applications, whereas internet hosts should be prevented from accessing hosts on the subnet inside the firewall.
MAIL server

Does anybody know how to configure linux FWTK for this setup?

Thanks in advance

From owner-firewalls-list Wed Nov 5 09:09:40 1997
From: "H. Morrow Long"
To: anarch@freedom.gmsociety.org, frankw@in.net
Cc: doy@indo-mail.com, firewalls@greatcircle.com
Subject: Re: Hijak detection
Date: Wed, 5 Nov 1997 10:33:30 -0500 (EST)
Message-Id: <199711051533.KAA14954@SPARKY.CF.CS.YALE.EDU>

From: Frank Willoughby
> Perhaps I'm missing something. Why would Wheelgroup's NetRanger
> product be able to stop session hijacking? Any hacker who is worth
> their salt will be able to roll their own custom packets to be exactly
> what the firewall would expect the packets to be (including
> source/destination info, sequence numbers, etc.) The only defense
> against session hijacking that I'm aware of is to encrypt from
> point-to-point.

They may pro-actively allow the network admin/infosec officer to terminate the TCP session in real-time from the network by sending TCP resets for the TCP session to both endpoints of the conversation being hijacked, and also possibly send ICMP 'destination unreachable' messages to both endpoint hosts as well (though that is a much more drastic step to take and would likely cause all TCP connections between the two machines to be torn down).

H.
Morrow Long, Yale Univ IT ISO - Info Technology Services Info Security Officer
175 Whitney Avenue, New Haven, CT 06520-8276, (203)432-1248 (voice) 432-0593 (FAX)
INET: http://pantheon.yale.edu/~long/ mailto:Morrow.Long@yale.edu
PAGE: (203)370-3081, (800)347-2574, mailto:1165469@pager.mcb.com PIN# 1165469
PGP 1024/54F9FD69 1997/08/25 fp 97 ED E7 9D 41 8A 90 8C 4D 7C 22 56 80 BA 84 09

From owner-firewalls-list Wed Nov 5 09:12:45 1997
From: Jyri Kaljundi
To: Firewalls@GreatCircle.COM
Subject: Re: sex,lies, and application proxy based fw vs Check Point
Date: Wed, 5 Nov 1997 18:07:04 +0200 (EET)
In-Reply-To: <199711022315.PAA29474@honor.greatcircle.com>

On Sun, 2 Nov 1997, Smoot Carl-Mitchell wrote:
> I've come to believe that GUIs are really designed for the purchasing
> managers and not for the technical people that need to use an actual
> product. A GUI is basically packaging. They usually do not add any
> functionality to a package, but any good marketing person will tell
> you that flash sells, almost regardless of the underlying technology.

There still is more than just marketing. What a good GUI sometimes can do is save your time, and the time of good networking and security professionals is not really cheap. So sometimes a good professional using a graphical interface can do much more in a shorter time than someone using just a command-line interface.
There are some assumptions I make with this: the person working with the GUI must know what is under it and what really happens with every button he presses. He must know how to use the product without the GUI and preferably have general knowledge of both the network protocols and maybe even other vendors' products.

Still, I believe that with the rate of firewalls installed every day growing rapidly, there is a very big number of people who have bought a firewall solution based just on marketing. There just are not enough security people available.

Jyri Kaljundi
jk@stallion.ee
AS Stallion Ltd
http://www.stallion.ee/

From owner-firewalls-list Wed Nov 5 09:44:55 1997
From: "Franco RUGGIERI"
To: "Billy Verreynne"
Cc: "GreatCircle forum"
Subject: R: Unlimited Users Firewalls
Date: Wed, 5 Nov 1997 16:12:09 +0100
Message-Id: <199711052319.AAA04439@pinux.selfin.net>

Billy,

maybe I'm biased by my deep love towards a company whose workhorse (dubbed by the year it was finally released) too many times so far has left me stranded, by just losing a few, but meaningful, kilobytes of key stuff.

When you say: "The problem I believe is that NT's IP is not always robust enough to survive a hacker attack." you are firing an A-bomb, IMHO. Aren't you?
Do I correctly understand you if I say that, since firewalls are here to ward off hackers' attacks, it's better not to rely on an NT since its IP isn't up to the task we want to use it for?

This reminds me of having heard that, in the early decades of this century, a racing car maker overlooked the importance of brakes by saying: "My cars are to run, not to stop". It has disappeared from the marketplace.

-------------------------------
Franco RUGGIERI
fruggieri@selfin.net

----------
> From: Billy Verreynne
> To: ygerman@genre.com; yati@mod.gov.my
> Cc: Firewalls@GreatCircle.COM
> Subject: Re: Unlimited Users Firewalls
> Date: Thursday 23 October 1997 10.32
>
> ygerman@genre.com wrote:
>
> > I would also say stay away from NT firewalls because the NT TCP/IP
> > stack is not as robust as Unix in a high volume environment.
>
> On what facts do you base this? AFAIK the problems with Microsoft's
> implementation of TCP/IP have more to do with incorrectly handling packets
> that were incorrectly assembled (e.g. the OOB problem which gave all the
> dumb snotty nose wannabe hackers a hard on). But even Unix TCP/IP do not
> always respond as it should - what about SYN stealth scans?
>
> A company I know have been using NT with SQL-Server across a WAN for a
> number of years now. The volumes are pretty high - hundreds of users doing
> OLTP transactions. The problem has never been with TCP/IP on NT, but rather
> with SQL-Server and the Microsoft client (Win95) DB library.
>
> I have worked with NT since the first beta, and TCP/IP IMHO was never a
> problem, but rather the use of it (like running NetBIOS pipes across TCP/IP
> instead of using sockets). Of course Microsoft was naive in believing they
> could implement the RFCs for TCP/IP without paying much attention to wrong
> IP packets. But remember these IP packets are almost always the result of
> hacker attacks. In a standard high volume business environment NT's IP is
> stable and robust enough IMHO.
> The problem I believe is that NT's IP is not
> always robust enough to survive a hacker attack.
>
> NT has received a lot of flak, especially from the Unix lovers, but it is
> still a good operating system and one that is used (as with Unix)
> throughout the world by many companies for running mission critical
> applications.
>
> regards,
> Billy

From owner-firewalls-list Wed Nov 5 09:46:52 1997
From: "Franco RUGGIERI"
Cc: "GreatCircle forum"
Subject: R: Unlimited Users Firewalls
Date: Wed, 5 Nov 1997 16:52:42 +0100
Message-Id: <199711052319.AAA04448@pinux.selfin.net>

Craig,

please tell me your opinion on this statement of mine (many people have been burned alive for much less than that).

A firewall is something that must not be tampered with, so the fewer people know something about it (in the organization it is there to protect) the better. Thus, a UNIX O.S. is a good thing in an environment where many people know NT, i.e. almost everywhere.

TIA.

-------------------------------
Franco RUGGIERI
fruggieri@selfin.net

----------
> From: Craig I. Hagan
> To: Billy Verreynne
> Cc: ygerman@genre.com; yati@mod.gov.my; Firewalls@GreatCircle.COM
> Subject: Re: Unlimited Users Firewalls
> Date: Saturday 25 October 1997 3.37
>
>
> > dumb snotty nose wannabe hackers a hard on) .
> > But even Unix TCP/IP do not
> > always respond as it should - what about SYN stealth scans?
>
> what about them? you are ignoring the disease by addressing the
> symptoms. the fact is that you can't yet state with certainty
> that MS's tcp code is safe/secure.
>
> > A company I know have been using NT with SQL-Server across a WAN for a
> > number of years now. The volumes are pretty high - hundreds of users doing
> > OLTP transactions. The problem has never been with TCP/IP on NT, but rather
> > with SQL-Server and the Microsoft client (Win95) DB library.
>
> hundreds of users isn't high volume. more importantly, hundreds
> of users with what expectation of response time? I would expect
> sub-second (200ms) worst case response time for a production
> DB engine with so low a load.
>
> > stable and robust enough IMHO. The problem I believe is that NT's IP is not
> > always robust enough to survive a hacker attack.
>
> > NT has received a lot of flak, especially from the Unix lovers, but it is
> > still a good operating system and one that is used (as with Unix)
> > throughout the world by many companies for running mission critical
> > applications.
>
> I would argue that NT still has much more flak to go as fortune 1000
> companies start trying to take it out of pilot and into production for
> certain 'mission critical' applications.
>
> I argue that the ideas behind NT -- that unix, although a good operating
> system, is too complex for the average business due to the scarcity of
> knowledgeable people -- is reasonable. however, to then say that NT is
> good because it is the _only_ OS to fill that need (regardless of
> shortcomings) is a little premature. Ask me again in five years when NT
> has had a chance to incubate a bit longer. Currently, i don't consider it
> reasonable to compare a young (few year old) os against unix which has
> been around for a generation in terms of robustness, etc.
>
> -- craig
>
> -------------------------------------------------------------------------------
> Craig I. Hagan "It's a small world, but I wouldn't want to back it up"
> hagan(at)cih.com "True hackers don't die, their ttl expires"
> "It takes a village to raise an idiot, but an idiot can raze a village"
>
> Stop the spread of spam, use a sendmail condom!
> http://www.cih.com/~hagan/smtpd-hacks
>

From owner-firewalls-list Wed Nov 5 09:48:45 1997
From: "Craig I. Hagan"
Reply-To: hagan@cih.com
To: Franco RUGGIERI
Cc: GreatCircle forum
Subject: Re: R: Unlimited Users Firewalls
Date: Wed, 5 Nov 1997 11:59:09 -0500 (EST)
In-Reply-To: <199711052319.AAA04448@pinux.selfin.net>

> Craig,
> please tell me your opinion on this statement of mine (many people have
> been burned alive for much less than that).
>
> A firewall is something that must not be tampered with, so the fewer people
> know something about it (in the organization it is there to protect) the
> better. Thus, a UNIX O.S. is a good thing in an environment where many
> people know NT, i.e. almost everywhere.

many takes. the short one is that if the above were true, and the firewall person left, was hit by a bus, etc, then the company is *FUCKED*.
Additionally, you may need to change the firewall to reflect changes in security policy -- after all, the firewall merely enacts policy, it doesn't create it. A better method, imho, of saying it (perhaps what you meant) would be:

"Firewalls exist to enact corporate security policy. Since this policy changes infrequently, access controls to the firewall should be both severely restricted, and logged in such a way as to make any and all actions obvious to an experienced administrator. Additionally, all changes made to the firewall must go through authorized change control procedures so that they can accurately reflect the security policy, and the coding can be properly reviewed to make sure that policy is correctly enacted."

IMHO, knowledge is a good thing: if everyone knew about the firewall, how it worked, and WHY it did what it did, and even the source code of the firewall, it shouldn't matter if the firewall properly enacts your policies (and they demand stringent access control). In fact, if the people in the company were knowledgeable, then they would likely know the policy and WHY it was in effect.

As for the OS choice of the firewall, unix/NT/OS2/mac/DOS/whatever, security through obscurity is the worst case scenario in that you are banking on people not knowing something rather than proper access controls and channels to facilitate this.

A better question might be: if you are using unix/NT/OS2/mac/DOS/whatever for a firewall, how could people (both internal and external) gain unauthorized access to the firewall? If your policy states that this should not be, then you should take every action to prevent it. For an NT machine, it may mean not participating in a domain, blocking all of the RPC/auth/whatever ports, disabling a rack of services, etc. For unix it may mean not participating in a YP/NIS domain, not running RPC/portmapper and a myriad of other daemons, etc. Same ideas, different OS. But, all comes down to policy and properly enacting it.
-- craig

-------------------------------------------------------------------------------
Craig I. Hagan "It's a small world, but I wouldn't want to back it up"
hagan(at)cih.com "True hackers don't die, their ttl expires"
"It takes a village to raise an idiot, but an idiot can raze a village"

Stop the spread of spam, use a sendmail condom!
http://www.cih.com/~hagan/smtpd-hacks

From owner-firewalls-list Wed Nov 5 09:54:26 1997
From: "Roberta Long"
To: firewalls@GreatCircle.COM
Subject: Info about v-one products?
Date: Wed, 5 Nov 1997 12:28:08 -0500
Message-Id: <9711051228.AA08574@172.16.5.57>

Someone has been asking me about these products. Can anyone provide me with first-hand experiences in dealing with this company and their products?
Roberta

From owner-firewalls-list Wed Nov 5 09:55:26 1997
From: jonathan tobin/DBK
Reply-To: dyabolyk@dyabolyk.com
To: firewalls@GreatCircle.com
Subject: NT Server Security
Date: Wed, 05 Nov 1997 09:26:57 -0800
Message-ID: <3460AC60.B2A70B29@dyabolyk.com>

This may not be specifically related to firewalls, but I'd like to know if there are any sites or mailing lists that deal with NT Server Security. Any leads would be most appreciated.
--jt

From owner-firewalls-list Wed Nov 5 09:56:56 1997
From: varmav@verisign.com (Vik Varma)
To: Firewalls@GreatCircle.COM, murthy@sparc03.barc.ernet.in
Subject: Re: Your Message Sent on Tue, 4 Nov 1997 11:56:45 +0530 (IST)
Date: Wed, 5 Nov 1997 09:31:59 -0800
Message-Id: <199711051731.JAA27141@arrakis.verisign.com>

> Hello Sirs!
>
> We have a class `C` internet address space at our disposal. I want to
> split into two subnets and connect them using firewall. I want to keep
> important systems like DNS and MAIL server on the subnet outside firewall
> which will have direct internet access. Hosts inside fire wall should have
> internet access for all applications, whereas internet hosts should be
> prevented from accessing hosts on subnet inside firewall. MAIL server
>
> Does anybody know how to configure linux FWTK for this setup

Is there a reason you want a valid class C address space inside your firewall? Why not just use one of the private class C addresses specified in RFC 1918?
This is typically what you want to do, using the firewall box as your gateway to the world and having it perform NAT (via proxies) on all external services.

--
Vik Varma
VeriSign, Inc
System Administrator (650) 429-3352
Operations, Information Systems Vik.Varma@verisign.com

From owner-firewalls-list Wed Nov 5 09:58:22 1997
From: Jason Keimig
To: Adam Shostack
Cc: Frank Willoughby, firewalls@GreatCircle.COM
Subject: Re: Hijak detection
Date: Wed, 5 Nov 1997 11:39:49 -0600 (CST)
In-Reply-To: <199711050809.DAA01853@homeport.org>

> The point that (doy?) made is that session hijacking produces a flood
> of shit as you jam in packets in the hopes of getting the numbers
> right. (Since the other guy is transmitting at the same time as you,
> you often send a slew of packets, to get them into the stack first.)
> There are a number of papers on detecting this sort of thing, many
> published in the months after Tsutomu was hacked.

Actually, the attacker does the _least_ amount of work, in terms of the packet storms that result from hijacking a session. The fundamental aspect of hijacking revolves around de-syncing the state machine of the connection between the two attacked hosts. The "flood" you refer to is simply the result of the unsuspecting hosts ACKing packets that are not in line with the current sequence numbers that THEY believe are correct.
Since the attacker (assumably) inserts _something_ into the connection, the resultant SEQ/ACK pair will always be different between the two unsuspecting hosts. As the attacker continues to insert data into the stream, the receiving host ACKs this data, but the other end sees the ACK as out of bounds with its idea of the current state. So, it just ACKs the ACK. This perpetuates as ACKs answering ACKs. Hence, the eternal ACK storm.

What actually kills this ACK storm is a lost packet. Once one ACK is dropped, the storm disappears. This is a function of the network load and reliability of the layer-1 medium.

So yes, you _can_ detect these ACK storms, but what you really want to see in the packets you pick up is the idea of the desynchronized state machine. Locating WHEN the desync occurred gives a little more information.

Something nobody really ever talks about in foiling/detecting all of these IP spoofing attacks is to look at the layer-2 information of suspected forged attacks. That and looking at packet IDs can give fairly certain proof that some clown really is trying to do something evil. Of course, proxies and bridges CAN complicate things tho...

Granted that this analysis is in itself limited, but all of the "hacking" tools out there TODAY just do simple Layer 3/4 forgings -- and these are easy to detect.

-J.
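The desynchronisation and ACK storm Jason Keimig describes above, worked through as an added example (not code from the list or from any product): two simplified endpoints, one injected segment, and then the two checks he suggests, run by a passive monitor over the captured trace. The addresses, sequence numbers and the point at which a packet is lost are constructed; the endpoint model keeps only the RFC 793 rules needed to reproduce the storm.

```python
"""Model of the ACK storm described above plus two checks a passive
monitor can run on the captured segments. Constructed toy, not real TCP."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed Ethernet addresses: the two legitimate hosts and the injector.
MAC_A, MAC_B, MAC_X = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:ee"

@dataclass
class Segment:
    src: str        # IP-layer source as claimed in the packet ("A" or "B")
    dst: str
    seq: int
    ack: int
    payload: bytes
    mac: str        # Ethernet source address actually seen on the wire

@dataclass
class Endpoint:
    """Minimal ESTABLISHED-state receive processing, after RFC 793."""
    name: str
    mac: str
    peer: str
    snd_nxt: int    # next sequence number we will send
    rcv_nxt: int    # next sequence number we expect from the peer
    received: bytes = b""

    def send(self, data: bytes) -> Segment:
        seg = Segment(self.name, self.peer, self.snd_nxt, self.rcv_nxt, data, self.mac)
        self.snd_nxt += len(data)
        return seg

    def receive(self, seg: Segment) -> Optional[Segment]:
        if seg.ack > self.snd_nxt:      # acknowledges data we never sent:
            return self.send(b"")       # RFC 793: "send an ACK, drop the segment"
        if seg.seq != self.rcv_nxt:     # not the byte we expect next: restate our view
            return self.send(b"")
        self.received += seg.payload
        self.rcv_nxt += len(seg.payload)
        return self.send(b"") if seg.payload else None   # in-order pure ACK: silence

def simulate(drop_at: int = 12) -> List[Segment]:
    """Genuine exchange, one injected segment, then the storm. The segment at
    trace index `drop_at` is lost in transit, which is what ends the storm."""
    a = Endpoint("A", MAC_A, "B", snd_nxt=1000, rcv_nxt=5000)
    b = Endpoint("B", MAC_B, "A", snd_nxt=5000, rcv_nxt=1000)
    hosts, trace = {"A": a, "B": b}, []
    hello = a.send(b"hello")            # genuine data from A and B's ACK of it
    ack = b.receive(hello)
    a.receive(ack)
    trace += [hello, ack]
    # Forged segment: claims to be A and carries exactly the sequence number B
    # expects from A, but leaves a different interface.
    queue = [Segment("A", "B", a.snd_nxt, a.rcv_nxt, b"INJECTED", MAC_X)]
    while queue:
        seg = queue.pop(0)
        trace.append(seg)               # the monitor sees every segment on the wire
        if len(trace) - 1 == drop_at:
            break                       # dropped: nobody answers, the storm is over
        reply = hosts[seg.dst].receive(seg)
        if reply is not None:
            queue.append(reply)
    return trace

def layer2_mismatches(trace: List[Segment], learn: int = 2) -> List[int]:
    """Bind each IP to the MAC seen on the session's first `learn` segments;
    return indices of later segments whose wire MAC differs."""
    bindings = {}
    for seg in trace[:learn]:
        bindings.setdefault(seg.src, seg.mac)
    return [i for i, s in enumerate(trace) if bindings.get(s.src, s.mac) != s.mac]

def ack_storm_runs(trace: List[Segment], threshold: int = 6) -> List[Tuple[int, int]]:
    """(start, length) of every run of >= threshold consecutive empty segments
    in which neither side's (seq, ack) changes: ACKs answering ACKs."""
    runs, start, numbers = [], None, {}
    for i, seg in enumerate(trace):
        key = (seg.seq, seg.ack)
        if seg.payload or numbers.get(seg.src, key) != key:   # progress: run ends
            if start is not None and i - start >= threshold:
                runs.append((start, i - start))
            start, numbers = (None, {}) if seg.payload else (i, {seg.src: key})
            continue
        if start is None:
            start = i
        numbers[seg.src] = key
    if start is not None and len(trace) - start >= threshold:
        runs.append((start, len(trace) - start))
    return runs

if __name__ == "__main__":
    t = simulate()
    print("injected at", layer2_mismatches(t), "storm runs", ack_storm_runs(t))
```

The storm run starts right after the injected segment, which is the "when" of the desync, and the layer-2 check singles out that segment even though its IP header and sequence number are exactly what the receiver expected.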
From owner-firewalls-list Wed Nov 5 10:37:56 1997
From: Leonard Miyata
To: Russ
Cc: firewalls@greatcircle.com, ntsecurity@iss.net
Subject: RE: Disabling LAN Manager on NT
Date: Wed, 5 Nov 1997 09:52:32 -0800 (PST)
In-Reply-To: <418996AD2954D11180860000E8D5C66778EB@ns.rc.on.ca>

Okay Russ, I submit to greater authority on the subject. Please accept my humble apologies..... I don't monitor the ntsecurity forum and missed this thread... (Now I wonder if the KERBEROS port for NT5 is going to fix this problem??)

Personal Opinions provided by Leonard Miyata aka leonard@geminisecure.com
Gemini Computers Inc.

On Wed, 5 Nov 1997, Russ wrote:
> This can only be enforced if both the client and the server have it
> disabled. From KB article Q147706;
>
> "To eliminate LM authentication with protocols other than remote file
> sharing (for example, Microsoft RPC, RAS, Internet Information Server
> (IIS), or Internet Explorer -- anything that uses the NTLMSSP), both the
> client and the server need to have the hotfix installed."
>
> The key only affects whether or not LM is going to be sent, not whether
> or not it's going to be accepted. Your comments are a misrepresentation
> of the facts and I would suggest you correct them in public. You cannot
> "turn off LANManager authentication on Windows NT", you can only prevent
> it from being sent.
>
> If I don't see a correction in a couple of days I'll send one myself, since
> you're contradicting what I've said publicly (seemingly insistently).
>
> Cheers,
> Russ

From owner-firewalls-list Wed Nov 5 13:10:21 1997
From: dje@dmc22.com
To: firewalls@greatcircle.com
Subject: Systems Engineer Needed
Date: Wed, 5 Nov 1997 14:27:12 -0600 (CST)
Message-Id: <199711052027.OAA15753@dfw-ix11.ix.netcom.com>

I am looking to hire a Systems Engineer to provide pre-sales technical support and perform product technical presentations and demonstrations for networking software installed on Unix, Novell and Windows NT platforms. The requirements include: knowledge of one or more of the previously mentioned platforms, strong communication skills, and the ability to get people excited about new technologies. We're one of the largest software companies in the world. Candidates can report to any one of three offices in New Jersey (southern, central and northern). Compensation $50,000 - $90,000, outstanding benefits (including company paid medical and dental). Company that has been consistently rated one of the best companies to work for in North America.
If you know someone that would be interested I can be contacted at:

Dave Eide
Voice: (609) 584-9000 ext 273
Fax (609) 584-9575
Email dje@dmc22.com

From owner-firewalls-list Wed Nov 5 17:40:42 1997
From: NetSea
To: firewalls@GreatCircle.COM
Subject: Help : Cisco access list
Date: Wed, 05 Nov 1997 12:05:33 +0800
Message-ID: <345FF08C.981DE78A@public.sta.net.cn>

Hi, everybody,

I have a CISCO 4500 router (A) in my office. It connects to a Router (B) from the ISP:

    Router A (in my office)           Router B (from ISP)
     _______                           _______
    |       |s0                     s0|       |
    |_______|-------------------------|_______|--------- INTERNET
    xxx.xxx.xxx.aa                    xxx.xxx.xxx.bb

What I want to do is that all hosts in my office can access Internet resources such as WWW, but the outside world can not access any host in my office through the routers. How should I configure the routers to achieve that?

Thanks in advance!

Hong

----------------------------------------------
Shen Hong
Network Engineer
NetSea Computer Co. Ltd.
E-mail: netsea@public.sta.net.cn
----------------------------------------------

From owner-firewalls-list Wed Nov 5 17:41:43 1997
From: RHS Linux User
To: Doy
Cc: "Firewalls@GreatCircle.COM"
Subject: Re: Hijak detection
Date: Tue, 4 Nov 1997 18:33:31 +0000
In-Reply-To: <345F3229.1AAE@indo-mail.com>

On Tue, 4 Nov 1997, Doy wrote:
> Guys,
>
> I wonder if there are firewall/intrusion detection products that can
> deal with TCP session hijack.. I didn't see threads related to this
> topic in the last half year ..okay, I'm new to this list.. ;)
>
> Suppose the TCP session is not encrypted, and the attacker is on the
> packet's route, what can we do about it? Surrender..??
>

Detecting hijacking from inside your network, or hijacking coming from another route, would be easy to detect by an intrusion detection system that maintains an ARP list of currently active TCP sessions and their corresponding hardware addresses. Then have the program detect any packets coming from a different hardware address that wasn't assigned to that specific IP.
I don't know of any way you could prevent non-blind hijacking, except for the fact that you may end up seeing out of sequence packets or packets with duplicate sequence numbers arrive at the victim's host after the hijack begins. If you could remedy a method of doing this reliably you could then have the intrusion detection software enable a filter in your firewall/router, or perhaps send a RST packet to the server shutting off the session.

> Of course not. We can build statistical analysis on number of invalid
> packets that transmitted on each session. Has anybody done this? Is this
> approach valid anyway?
>
> I'd like to see other solutions/products beside encryption/routing/netw.
> segmentation.
>

This was just a thought, I probably overlooked something simpler. Just another reason not to use the telnet protocol.

Jean-Christophe Smith
California Network Solutions
jean@internet-security.com
http://www.cali-net.com

From owner-firewalls-list Wed Nov 5 19:10:37 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA15999; Wed, 5 Nov 1997 17:44:33 -0800 (PST)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-971021-1) id QAA08046 for firewalls@greatcircle.com; Wed, 5 Nov 1997 16:59:22 -0800 (PST)
Received: from public.sta.net.cn (public.sta.net.cn [202.96.199.97]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id TAA23804 for ; Mon, 3 Nov 1997 19:38:15 -0800 (PST)
Received: from public.sta.net.cn (ts2-68.sta.net.cn [202.96.198.196]) by public.sta.net.cn (8.8.7/8.8.7) with ESMTP id LAA08040 for ; Tue, 4 Nov 1997 11:38:05 +0800 (CST)
Message-ID: <345E9C6A.7CEC0584@public.sta.net.cn>
Date: Tue, 04 Nov 1997 11:54:18 +0800
From: NetSea
X-Mailer: Mozilla 4.02 [en] (Win95; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: Help : Cisco access list
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi, everybody,

I have
a CISCO 4500 router (A) in my office. It connects

  Router A (in my office)        Router B ( from ISP )
   _______                         _______
  |       |s0                   s0|       |
  |_______|-------------------|_______|--------- INTERNET
  xxx.xxx.xxx.aa            xxx.xxx.xxx.bb

to a Router (B) from ISP. What I want to do is that all hosts in my office can access Internet resources such as WWW, but the outside world can not access any host in my office through the routers. How should I configure the routers to achieve that?

Thanks in advance!

Hong

----------------------------------------------
Shen Hong            Network Engineer
NetSea Computer Co. Ltd.
E-mail: netsea@public.sta.net.cn
----------------------------------------------

From owner-firewalls-list Wed Nov 5 21:06:58 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA17340; Wed, 5 Nov 1997 20:33:56 -0800 (PST)
Received: from garuda.barc.ernet.in (garuda.barc.ernet.in [202.41.86.4]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id UAA17123 for ; Wed, 5 Nov 1997 20:31:20 -0800 (PST)
Received: from sparc03.barc.ernet.in by garuda.barc.ernet.in via SMTP (940816.SGI.8.6.9/940406.SGI) id UAA02497; Wed, 5 Nov 1997 20:19:08 -0800
Received: from localhost by sparc03.barc.ernet.in (4.1/SMI-4.1) id AA19870; Thu, 6 Nov 97 09:52:00 IST
Date: Thu, 6 Nov 1997 09:52:00 +0530 (IST)
From: "c.s.r.murthy"
To: Vik Varma
Cc: Firewalls@GreatCircle.COM, murthy@sparc03.barc.ernet.in
Subject: Re: Your Message Sent on Tue, 4 Nov 1997 11:56:45 +0530 (IST)
In-Reply-To: <199711051731.JAA27141@arrakis.verisign.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 5 Nov 1997, Vik Varma wrote:

> > Hello Sirs!
> >
> > We have a class `C` internet address space at our disposal. I want to
> > split into two subnets and connect them using firewall.
> > I want to keep
> > important systems like DNS and MAIL server on the subnet outside firewall
> > which will have direct internet access. Hosts inside firewall should have
> > internet access for all applications, whereas internet hosts should be
> > prevented from accessing hosts on subnet inside firewall. MAIL server
> >
> > Does anybody know how to configure linux FWTK for this setup
>
> Is there a reason you want a valid class C address space inside your firewall?
> Why not just use one of the private class C addresses specified in RFC 1918?
> This is typically what you want to do, using the firewall box as your gateway to
> the world and have it perform NAT (via proxies) on all external services.
>
> --
> Vik Varma                          VeriSign, Inc
> System Administrator               (650) 429-3352
> Operations, Information Systems    Vik.Varma@verisign.com
>

Thanks for the reply sir!

Actually I don't want to use NAT as it consumes more time for each packet. I want to have a simple filter which takes forwarding decisions based on IP address only and it should not go for NAT. Is there any such firewall software available ?
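Murthy's message above asks for a filter that decides on addresses alone, with no NAT, for a class C split into an outside half (public DNS and mail) and an inside half; the router-ACL replies elsewhere in this thread take the same stateless approach and let "established" TCP back in. The model below is an added example, not any list participant's configuration. It implements that rule set in Python, including the IOS meaning of `established` (a per-packet test for ACK or RST, not a connection table), and runs a handful of constructed inbound packets through it. Two verdicts are worth studying: a bare ACK probe at an inside host is permitted, because a stateless filter cannot tell a reply from a forged one, and an active-mode FTP data connection (a SYN from server port 20) is denied, which is why FTP breaks behind this kind of filter. All addresses are made up from documentation space.

```python
"""Stateless inbound packet filter modelled on the router-ACL approach in
this thread.  Added example, not any list participant's configuration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing (hypothetical, RFC 5737 documentation space).  The
# office /24 is split as in Murthy's message: public DNS and mail hosts on
# the outside half, workstations that must take no inbound connections on
# the inside half.
OFFICE_NET    = ip_network("192.0.2.0/24")
DNS_SERVER    = ip_address("192.0.2.10")      # outside half, public
MAIL_SERVER   = ip_address("192.0.2.25")      # outside half, public
INSIDE_SUBNET = ip_network("192.0.2.128/25")  # workstations

SYN, RST, ACK = 0x02, 0x04, 0x10              # TCP flag bits


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: int = 0      # TCP flags; ignored for other protocols


def established(pkt: Packet) -> bool:
    """IOS 'established' semantics: a TCP segment with ACK or RST set.
    It tests one packet's flag bits; there is no connection table."""
    return pkt.proto == "tcp" and bool(pkt.flags & (ACK | RST))


def filter_inbound(pkt: Packet) -> str:
    """Verdict for a packet arriving from the ISP side.  Rules are tried
    in order, first match wins, unmatched traffic is denied."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if src in OFFICE_NET:                          # anti-spoofing: outside
        return "deny"                              # traffic may not claim our space
    if dst == DNS_SERVER and pkt.dport == 53:      # public DNS, TCP or UDP
        return "permit"
    if dst == MAIL_SERVER and pkt.proto == "tcp" and pkt.dport == 25:
        return "permit"                            # public SMTP
    if dst in OFFICE_NET and established(pkt):     # replies to sessions
        return "permit"                            # opened from inside
    if dst in INSIDE_SUBNET and pkt.proto == "udp" and pkt.sport == 53:
        return "permit"                            # DNS answers to resolvers
    return "deny"


def demo() -> dict:
    """Representative inbound packets (constructed) and the verdict on each."""
    inside_host = "192.0.2.130"
    web_server, ftp_server, attacker = "198.51.100.7", "198.51.100.21", "203.0.113.9"
    cases = {
        "new telnet to inside host":       Packet("tcp", attacker, inside_host, 3000, 23, SYN),
        "reply to inside web client":      Packet("tcp", web_server, inside_host, 80, 40000, SYN | ACK),
        "bare ACK probe at inside telnet": Packet("tcp", attacker, inside_host, 3000, 23, ACK),
        "new SMTP to mail host":           Packet("tcp", attacker, str(MAIL_SERVER), 3001, 25, SYN),
        "active FTP data from port 20":    Packet("tcp", ftp_server, inside_host, 20, 40001, SYN),
        "spoofed inside source, ACK set":  Packet("tcp", "192.0.2.140", inside_host, 1023, 514, ACK),
        "ping to inside host":             Packet("icmp", attacker, inside_host),
        "DNS answer to inside resolver":   Packet("udp", web_server, inside_host, 53, 1234),
    }
    return {name: filter_inbound(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:6s} {name}")
```

The anti-spoofing rule has to come first: without it, a packet forged with an inside source address and the ACK bit set would sail through the `established` rule. Nothing here tracks state, so the filter is exactly as strong, and as weak, as the flag bits on each packet.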
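Jean-Christophe Smith's message earlier in this section sketches two signals for a passive hijack detector: remember which hardware address each IP on an active TCP session is using and alert when a segment for that session arrives from a different MAC, and watch for duplicate sequence numbers once the takeover starts. The monitor below is an added example, not code from any list participant. It implements both signals and runs them over a constructed trace: a telnet session, a genuine retransmission, and two segments that an attacker on the same Ethernet segment injects with the client's IP address. The duplicate-sequence check compares payloads, because a real retransmission repeats both the sequence number and the data while an injected segment at a reused sequence number carries different data. MACs and addresses are made up. The MAC check is only meaningful when the sniffer shares the victim's segment; traffic that arrives through a router carries the router's MAC, which is the modified-gateway case Graham Wheeler raises later in this thread.

```python
"""Passive TCP hijack monitor along the lines of the 'Hijak detection'
thread.  Added example, not code from any list participant."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Segment:
    """One TCP segment as a sniffer on the local Ethernet would see it.
    Fields are constructed for the demo; no real capture is read."""
    src_mac: str
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    seq: int
    payload: bytes


@dataclass
class SessionState:
    mac_by_ip: Dict[str, str] = field(default_factory=dict)                     # ip -> MAC first seen
    payload_by_seq: Dict[Tuple[str, int], bytes] = field(default_factory=dict)  # (ip, seq) -> data carried


class HijackMonitor:
    """One SessionState per TCP session, keyed so both directions share it."""

    def __init__(self) -> None:
        self.sessions: Dict[tuple, SessionState] = {}
        self.alerts: List[Tuple[str, str, int]] = []   # (kind, src_ip, seq)

    @staticmethod
    def _key(seg: Segment) -> tuple:
        return tuple(sorted([(seg.src_ip, seg.sport), (seg.dst_ip, seg.dport)]))

    def observe(self, seg: Segment) -> List[str]:
        """Feed one segment; return the alert kinds it raised (possibly none)."""
        st = self.sessions.setdefault(self._key(seg), SessionState())
        raised: List[str] = []

        # Signal 1: bind each IP on the session to the MAC it first used; a
        # later segment for that IP from another MAC means a second sender.
        known = st.mac_by_ip.setdefault(seg.src_ip, seg.src_mac)
        if known != seg.src_mac:
            raised.append("mac-mismatch")

        # Signal 2: a sequence number reused with different data.  A genuine
        # retransmission repeats seq AND payload and stays silent.
        if seg.payload:
            prev = st.payload_by_seq.get((seg.src_ip, seg.seq))
            if prev is not None and prev != seg.payload:
                raised.append("duplicate-seq")
            st.payload_by_seq.setdefault((seg.src_ip, seg.seq), seg.payload)

        self.alerts.extend((kind, seg.src_ip, seg.seq) for kind in raised)
        return raised


def run_demo() -> List[Tuple[str, str, int]]:
    """Constructed trace: client 10.0.0.5 telnets to 10.0.0.9; an attacker on
    the same segment (MAC ...:99) injects two segments as the client."""
    client, server = "10.0.0.5", "10.0.0.9"
    client_mac, server_mac, attacker_mac = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:99"
    trace = [
        Segment(client_mac, client, server, 40001, 23, 1000, b"ls\r\n"),
        Segment(server_mac, server, client, 23, 40001, 5000, b"file1\r\n"),
        Segment(client_mac, client, server, 40001, 23, 1004, b"ls\r\n"),
        Segment(client_mac, client, server, 40001, 23, 1004, b"ls\r\n"),     # benign retransmission
        Segment(attacker_mac, client, server, 40001, 23, 1008, b"echo + + > .rhosts\r\n"),
        Segment(attacker_mac, client, server, 40001, 23, 1004, b"id\r\n"),   # reused seq, new data
    ]
    mon = HijackMonitor()
    for seg in trace:
        mon.observe(seg)
    return mon.alerts


if __name__ == "__main__":
    for kind, ip, seq in run_demo():
        print(f"{kind:14s} src={ip} seq={seq}")
```

As Smith's message says, the useful follow-on action is a response hook: once `observe` returns a non-empty list, the monitor could push a deny rule to the router or send a RST to the server to tear the session down.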
From owner-firewalls-list Wed Nov 5 21:08:13 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA14933; Wed, 5 Nov 1997 20:22:36 -0800 (PST)
Received: from inergen.sybase.com (inergen.sybase.com [192.138.151.43]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id UAA14806 for ; Wed, 5 Nov 1997 20:22:11 -0800 (PST)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by inergen.sybase.com (8.8.4/8.8.4) with SMTP id UAA03635; Wed, 5 Nov 1997 20:23:57 -0800 (PST)
Received: from gwwest.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA07643; Wed, 5 Nov 97 20:24:37 PST
Received: by gwwest.sybase.com(Lotus SMTP MTA v1.1 (385.6 5-6-1997)) id 88256547.001835FA ; Wed, 5 Nov 1997 20:24:26 -0800
X-Lotus-Fromdomain: SYBASENOTES
From: "Ryan Russell"
To: netsea@public.sta.net.cn
Cc: firewalls@GreatCircle.COM
Message-Id: <88256547.0018C9B7.00@gwwest.sybase.com>
Date: Wed, 5 Nov 1997 20:32:30 -0800
Subject: Re: Help : Cisco access list
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

That doesn't give you much protection... if you want inside people to connect to arbitrary Internet resources, about the best you can do is only allow established packets in. Note, of course, that this will not work with UDP services, and a fair number of TCP services, like FTP. Telnet and WWW will work.

Ryan

netsea@public.sta.net.cn on 11/04/97 08:05:33 PM

To:       firewalls@GreatCircle.COM
cc:       (bcc: Ryan Russell/SYBASE)
Subject:  Help : Cisco access list

Hi, everybody,

I have a CISCO 4500 router (A) in my office. It connects

  Router A (in my office)        Router B ( from ISP )
   _______                         _______
  |       |s0                   s0|       |
  |_______|-------------------|_______|--------- INTERNET
  xxx.xxx.xxx.aa            xxx.xxx.xxx.bb

to a Router (B) from ISP.
What I want to do is that all hosts in my office can access Internet resources such as WWW, but the outside world can not access any host in my office through the routers. How should I configure the routers to achieve that?

Thanks in advance!

Hong

----------------------------------------------
Shen Hong            Network Engineer
NetSea Computer Co. Ltd.
E-mail: netsea@public.sta.net.cn
----------------------------------------------

From owner-firewalls-list Wed Nov 5 22:29:46 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA04077; Wed, 5 Nov 1997 22:15:15 -0800 (PST)
Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id WAA03869 for ; Wed, 5 Nov 1997 22:14:34 -0800 (PST)
Received: from clonvick-pc.cisco.com (houcons.cisco.com [171.68.41.7]) by diablo.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id WAA10023; Wed, 5 Nov 1997 22:14:20 -0800 (PST)
Message-Id: <2.2.32.19971106061246.006de0a0@localhost>
X-Sender: clonvick@localhost
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 06 Nov 1997 00:12:46 -0600
To: NetSea , firewalls@GreatCircle.COM
From: Chris Lonvick
Subject: Re: Help : Cisco access list
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello Hong,

Take a look at http://www/warp/public/701/31.html to see some options on how you can accomplish this as well as how to take some other security measures.

Hope this helps,
Chris Lonvick
Cisco Systems Corporate Consulting
Houston, TX, USA
+1.713.778.5663

At 12:05 PM 11/5/97 +0800, NetSea wrote:
>Hi, everybody,
>
>I have a CISCO 4500 router (A) in my office. It connects
>
>
>  Router A (in my office)        Router B ( from ISP )
>   _______                         _______
>  |       |s0                   s0|       |
>  |_______|-------------------|_______|--------- INTERNET
>  xxx.xxx.xxx.aa            xxx.xxx.xxx.bb
>
>
>to a Router (B) from ISP.
>What I want to do is that all hosts in my
>office can access Internet resources such as WWW, but the outside
>world can not access any host in my office through the routers. How
>should I configure the routers to achieve that?
>
>Thanks in advance!
>
>Hong
>
>----------------------------------------------
>Shen Hong            Network Engineer
>NetSea Computer Co. Ltd.
>E-mail: netsea@public.sta.net.cn
>----------------------------------------------
>
>
>
>

From owner-firewalls-list Wed Nov 5 23:08:59 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA27613; Wed, 5 Nov 1997 21:38:09 -0800 (PST)
Received: from blackbird.jetlink.net (blackbird.jetlink.net [206.72.64.10]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id VAA27387 for ; Wed, 5 Nov 1997 21:37:29 -0800 (PST)
Received: from gnss.com (ppp-208-19-49-228.isdn.jetlink.net [208.19.49.228]) by blackbird.jetlink.net (8.8.7/CSE) with ESMTP id VAA13652; Wed, 5 Nov 1997 21:37:18 -0800 (PST)
Message-ID: <3461577C.3BE1595E@gnss.com>
Date: Wed, 05 Nov 1997 21:37:00 -0800
From: "osiris@gnss.com"
Reply-To: osiris@gnss.com
Organization: Global Network Security Systems
X-Mailer: Mozilla 4.02 [en] (Win95; I)
MIME-Version: 1.0
To: Jyri Kaljundi
CC: Firewalls@GreatCircle.COM
Subject: Re: sex,lies, and application proxy based fw vs Check Point
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jyri Kaljundi wrote:

> On Sun, 2 Nov 1997, Smoot Carl-Mitchell wrote:
>
> > I've come to believe that GUIs are really designed for the purchasing
> > managers and not for the technical people that need to use an actual
> > product. A GUI is basically packaging. They usually do not add any
> > functionality to a package, but any good marketing person will tell
> > you that flash sells, almost regardless of the underlying technology.
>
> There still is more than just marketing.
> What a good GUI sometimes can do
> is to save your time, and the time of good networking and security
> professionals is not really cheap. So sometimes a good professional using
> a graphical interface can do much more in shorter time than someone using
> just a command-line interface.

Sometimes. And sometimes, the number of clicks (or menus deep) required makes it a time-waster, too.

On the issue of whether it's marketing or not, though, I am inclined to agree that much of it is marketing. Certainly, the development of a GUI-based app is more expensive and time-consuming. Those efforts are presumably done with the hope that a GUI will attract a wider customer base.

Equally, however, I am not sure that using a GUI-based security application is any less savvy than using a CLI app. (Nor does it necessarily show evidence that the operator doesn't know what he/she is doing.) In either case, you are rarely - if ever - going to have the source. Therefore, you cannot truly know whether the product can be trusted, but only whether it serves its intended purpose. So, when your job is applying security controls system-wide, GUI tools can come in handy and there's no reason not to use them.

But, I will certainly agree that many people purchase firewall solutions on marketing alone. (Which is why I am equally certain that firewall products produced by or in conjunction with Microsoft will become extremely popular. Hmm. That says a whole lot right there. ;-)

>
> There are some assumptions I make with this: the person working with the
> GUI must know what is under it and what really happens with every button
> he presses. He must know how to use the product without the GUI and
> preferably have general knowledge of both the network protocols and may be
> even other vendors products.
>
> Still I believe with the rate of firewalls installed every day growing
> rapidly, there is a very big number of people who have bought a firewall
> solution based just on marketing.
> There just are not enough security
> people available.
>
> Jyri Kaljundi
> jk@stallion.ee
> AS Stallion Ltd
> http://www.stallion.ee/

From owner-firewalls-list Wed Nov 5 23:14:26 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA13359; Wed, 5 Nov 1997 23:01:47 -0800 (PST)
Received: from mailgw1.almaden.ibm.com ([198.4.83.39]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id XAA13315 for ; Wed, 5 Nov 1997 23:01:37 -0800 (PST)
From: trall@almaden.ibm.com
Received: by mailgw1.almaden.ibm.com(Lotus SMTP MTA v1.1 (385.6 5-6-1997)) id 88256547.0026A4B4 ; Wed, 5 Nov 1997 23:02:05 -0800
X-Lotus-FromDomain: ALMADEN
To: firewalls@GreatCircle.COM
Message-ID: <88256547.001FCA61.00@mailgw1.almaden.ibm.com>
Date: Wed, 5 Nov 1997 22:58:17 -0800
Subject: Re: Help : Cisco access list
Mime-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On router A:

    ! apply the list to traffic arriving from the ISP on serial 0
    int s0
     ip access-group 100 in

    ! TCP segments with ACK or RST set (replies to inside-initiated sessions)
    access-list 100 permit tcp any any established
    ! all UDP, in both directions
    access-list 100 permit udp any any
    ! everything else is dropped and logged
    access-list 100 deny ip any any log

This allows outbound TCP connections and any UDP connections. It prevents inbound TCP connections and ICMP (and all other protocols) in either direction.

Among the changes that could be made to somewhat increase security:

* Anti address spoofing, in both directions.
* Restriction of UDP (but you will probably need to allow port 53 to support DNS requests).

Note that other followers of this list can point out many exposures with just this form of protection (simple packet filtering). The largest of these is probably that if a single machine on your network is compromised, they are all exposed to direct, unfiltered attacks.

Tony Rall

>> I have a CISCO 4500 router (A) in my office. It connects

  Router A (in my office)        Router B ( from ISP )
   _______                         _______
  |       |s0                   s0|       |
  |_______|-------------------|_______|--------- INTERNET
  xxx.xxx.xxx.aa            xxx.xxx.xxx.bb

to a Router (B) from ISP.
What I want to do is that all hosts in my office can access Internet resources such as WWW, but the outside world can not access any host in my office through the routers. How should I configure the routers to achieve that? <<

From owner-firewalls-list Thu Nov 6 00:14:26 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA24593; Thu, 6 Nov 1997 00:04:19 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id AAA24585 for ; Thu, 6 Nov 1997 00:04:14 -0800 (PST)
Received: from edina.xenologics.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id AAA00613; Thu, 6 Nov 1997 00:04:09 -0800 (PST)
Received: from www (xpl114.xnc.de [194.77.5.78]) by edina.xenologics.com (8.6.8.1/8.6.6) with SMTP id JAA10393; Thu, 6 Nov 1997 09:03:21 +0100
Message-ID: <342EFDD0.478ED9A9@edina.xnc.com>
Date: Mon, 29 Sep 1997 03:01:04 +0200
From: Stepken
Organization: F.S.S.
X-Mailer: Mozilla 3.01Gold (X11; I; Linux 2.0.30 i586)
MIME-Version: 1.0
To: Jesse Brown
CC: Jan Zeilinga , Firewalls@GreatCircle.COM
Subject: Re: why use a smtp proxy
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jesse Brown wrote:
>
> > Mostly, e-mail daemons suffer from being attackable by:
> > 1. unallowed commands (defined in RFC's), like the sendmail "|...."
> > command.
>
> Ummm. Wrong. This is a bug. Not an 'unallowed command'. One of the
> problems of programs like sendmail is the overwhelming complexity of the
> program. Because of this bugs can abound and unintended results are often
> the outcome.

Correct, sorry. But in the RFC's you can find lots of agreements, how daemons can communicate.

> > 2. buffer overflows. That means, you can put a program into them
> > mailprograms stack and execute with (mostly) root rights.
>
> It depends on the mailer whether or not you can get root. For instance,
> qmail's smtp daemon (which processes incoming mail) is not privileged. All
> it does is pass mail onto the mail queue system (which also does not
> run as root). Therefore a buffer overflow attack in qmail's smtp daemon
> won't do a heck of a lot for an attack.

I'd always prefer the short code of a proxy, which passes mail to a program, running in user-mode. Under LINUX and FreeBSD it has been shown, that an escape from chroot() and user-mode to root is still possible. 1. aim must be a very strict selection of commands.

> > To prevent this, there are PROXY's, like smpd, which are small, without
> > functionality and hoped, not to be vulnerable to buffer overflow's.
> > They also let just commands pass through, which are defined by RFC.
> > All other are blocked.
>
> an application proxy (like smtpd) are not mail handlers. Rather, it reads
> an incoming connection and generates another connection to the internal
> machine - sending along all the data it knows to send.
>
> As these proxies are supposed to be the first line of defense they are
> usually extensively checked for buffer overflow and other problems.

True, but this is no guarantee

> Remember, it is not a mail server or a mail client. just a PROXY. it
> merely handles the exchange of data.
>
> > sendmail, e.g. does the opposite. First it lets all pass, then filters.
> > It can be too late then.
>
> Sendmail is mail server software. It can be configured to drop connections
> from a certain host, etc.

I also have some scripts to let sendmail run under user account. It works, but i don't really care, seems too dangerous to me...
> > cu, Guido Stepken
>
> -J

From owner-firewalls-list Thu Nov 6 00:29:18 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA26242; Thu, 6 Nov 1997 00:26:29 -0800 (PST)
Received: from citadel.cdsec.com (citadel.cdsec.com [192.96.22.18]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id AAA26193 for ; Thu, 6 Nov 1997 00:26:15 -0800 (PST)
Received: (from nobody@localhost) by citadel.cdsec.com (8.8.5/8.6.9) id KAA06179 for ; Thu, 6 Nov 1997 10:30:40 +0200 (SAT)
Received: by citadel via recvmail id 6143; Thu Nov 6 10:29:59 1997 by gram.cdsec.com (8.8.5/8.8.5) id JAA12905 for firewalls@greatcircle.com; Thu, 6 Nov 1997 09:32:10 +0200 (SAT)
From: Graham Wheeler
Message-Id: <199711060732.JAA12905@cdsec.com>
Subject: Re: Hijak detection
To: firewalls@greatcircle.com
Date: Thu, 6 Nov 1997 09:32:09 +0200 (SAT)
In-Reply-To: <3.0.3.32.19971105022156.01424a88@in.net> from "Frank Willoughby" at Nov 5, 97 02:21:56 am
X-Mailer: ELM [version 2.4 PL25-h4.1]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Perhaps I'm missing something. Why would Wheelgroup's NetRanger product be
> able to stop session hijacking? Any hacker who is worth their salt will be
> able to roll their own custom packets to be exactly what the firewall would
> expect the packets to be (including source/destination info, sequence
> numbers, etc.) The only defense against session hijacking that I'm aware of
> is to encrypt from point-to-point.

Agreed. The arguments that there will be packets seen from both the hijacker and the hijackee are specious; a sophisticated hijacker will be able to filter out the hijackee's traffic as well as inject their own (in fact that's the easy part).
It wouldn't be easy to do this by hand, but a gateway machine could be modified so that it watched for a certain TCP connection, and then stopped forwarding the legit packets and instead injected its own. This wouldn't require any manual intervention and if done properly cannot be detected.

regards
Graham

--
Dr Graham Wheeler                         E-mail: gram@cdsec.com
Citadel Data Security                     Phone:  +27(21)23-6065/6/7
Internet/Intranet Network Specialists     Mobile: +27(83)-253-9864
Firewalls/Virtual Private Networks        Fax:    +27(21)24-3656
Data Security Products                    WWW:    http://www.cdsec.com/

From owner-firewalls-list Thu Nov 6 00:44:44 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA28847; Thu, 6 Nov 1997 00:41:53 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id AAA28751 for ; Thu, 6 Nov 1997 00:41:33 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id DAA08487; Thu, 6 Nov 1997 03:39:57 -0500 (EST)
From: Adam Shostack
Message-Id: <199711060839.DAA08487@homeport.org>
Subject: Re: Hijak detection
In-Reply-To: <199711060823.JAA18887@marc.ksfw.esb.eur.deuba.com> from Marc Heuse at "Nov 6, 97 09:23:50 am"
To: marc.heuse@mail.deuba.com
Date: Thu, 6 Nov 1997 03:39:57 -0500 (EST)
Cc: firewalls@greatcircle.com (Firewalls mailing list)
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Marc Heuse wrote:
| Hi,
|
| > | >The point that (doy?) made is that session hijacking produces a flood
| > | >of shit as you jam in packets in the hopes of getting the numbers
| > | >right. (Since the other guy is transmitting at the same time as you,
| > | >you often send a slew of packets, to get them into the stack first.)
| > | This step shouldn't be necessary.
| > | Monitor the packets going to/from
| > | the firewall (or target system), bring down the victim's system on
| > | the outside (OOB, etc.), and then send in the correct packets to the
| > | firewall/system. The firewall wouldn't notice the difference, and it
| > | is likely, the victim would chalk up the problem to network difficulties.
| > You assume a perfect attacker. I assume script kiddies. There are
| > more script kiddies than perfect attackers. If you spend time
| > watching real attacks on real systems, you realize how many idiots are
| > out there.
|
| Are you trying to protect networks from kiddies or real hackers?
| You must try to prevent and detect hacks from the experts, because they
| do the real damage, not some kids searching for fun.

It depends on who I'm protecting. When I do work with a bank, both, of course. When I have my home computer, I protect it from the script kiddies. (Script kiddies, btw, is a term to describe the 14 year old who downloads an exploit, doesn't understand it, but uses it on you anyway. There are *lots* of script kiddies.) Also, I suspect that the people who broke into the CIA, DOJ, Kleigman Furs, Labour, etc, were not professionals, but script kiddies. If you don't think that was real damage, ask the folks who will never again be promoted; ask them about how happy management was to have to deal with the problem.

With Deutsche Bank, you clearly also need to worry about professionals breaking in to steal money. But it's a mistake to say "Well, it won't stop a pro, let's not bother." If there are tools that you can use to stop both, great. But making the pro sweat is a useful thing in its own right.

| And to add something useful to the discussion:
|
| the possibility to detect hijacking from the client side is only possible
| if the attacker chooses an attack type which does not change the routing
| path of the packets. Then you can see ACK packets while your connection
| either is frozen or terminated.

...
| to summarize, you can only detect the attack with some luck on the server
| side - if the attacker does not control a router in the path.
| otherwise - you can't :-( ... so use ssltelnet, deslogin, ssh, kerberos etc.
| and drop telnet, r-commands and one-time-passwords.

Absolutely. If you re-read my original message on the subject, I said that this would be a hack, not a real defense. But it might be a useful hack.

(And incidentally, one time passwords are still useful in the context of encrypted logins. For forcing strong passwords, for managing termination of access, for preventing password sharing, etc. Your mileage will vary with the system you use.)

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From owner-firewalls-list Thu Nov 6 01:14:14 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA04495; Thu, 6 Nov 1997 01:12:11 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id BAA04346 for ; Thu, 6 Nov 1997 01:11:38 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id EAA08583; Thu, 6 Nov 1997 04:09:25 -0500 (EST)
From: Adam Shostack
Message-Id: <199711060909.EAA08583@homeport.org>
Subject: Re: Hijak detection
In-Reply-To: from Jason Keimig at "Nov 5, 97 11:39:49 am"
To: jkeimig@idir.net (Jason Keimig)
Date: Thu, 6 Nov 1997 04:09:25 -0500 (EST)
Cc: firewalls@greatcircle.com (Firewalls mailing list)
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jason,

You are absolutely correct. My error. I suggest everyone re-read your post, since it is succinct, clear, and correct, whereas my post was, at best, succinct, clear, and misleading. :)

Adam

Jason Keimig wrote:
|
|
| > The point that (doy?)
| > made is that session hijacking produces a flood
| > of shit as you jam in packets in the hopes of getting the numbers
| > right. (Since the other guy is transmitting at the same time as you,
| > you often send a slew of packets, to get them into the stack first.)
| > There are a number of papers on detecting this sort of thing, many
| > published in the months after Tsutomu was hacked.
|
| Actually, the attacker does the _least_ amount of work, in terms of the
| packet storms that result from hi-jacking a session. The fundamental aspect
| of hijacking revolves around de-syncing the state machine of the connection
| between the two attacked hosts.
|
| The "flood" you refer to is simply the result of the unsuspecting hosts
| ACKing packets that are not in-line with the current sequence numbers that
| THEY believe are correct. Since the attacker (assumably) inserts
| _something_ into the connection, the resultant SEQ/ACK pair will always be
| different between the two unsuspecting hosts. As the attacker continues to
| insert data into the stream, the receiving host ACKs this data, but the
| other end sees the ACK as out of bounds with its idea of the current state.
| So, it just ACKs the ACK. This perpetuates as ACKs answering ACKs. Hence,
| the eternal ACK storm.
|
| What actually kills this ack storm is a lost packet. Once one ACK is
| dropped, the storm disappears. This is a function of the network load and
| reliability of the layer-1 medium.
|
| So yes, you _can_ detect these ACK storms, but what you really want to see
| in the packets you pick up is the idea of the desynchronized state machine.
| Locating WHEN the desynch occurred gives a little more information. Something
| nobody really ever talks about in foiling/detecting all of these IP spoofing
| attacks is to look at the layer-2 information of suspected forged attacks.
| That and looking at packet IDs can give fairly certain proof that some clown
| really is trying to do something evil.
| Of course, proxies and bridges CAN
| complicate things tho... Granted that this analysis is in itself limited,
| but all of the "hacking" tools out there TODAY just do simple Layer 3/4 forgings
| -- and these are easy to detect.
|
| -J.
|

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From owner-firewalls-list Thu Nov 6 01:29:25 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA06335; Thu, 6 Nov 1997 01:18:52 -0800 (PST)
Received: from relay3.Austria.EU.net (relay3.Austria.EU.net [193.154.160.103]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id BAA06251 for ; Thu, 6 Nov 1997 01:18:34 -0800 (PST)
Received: from vie.co.at (uucp@localhost) by relay3.Austria.EU.net (8.8.6/8.8.6) with UUCP id KAA15621 for firewalls@GreatCircle.COM; Thu, 6 Nov 1997 10:10:29 +0100 (MET)
Received: (from hvt@localhost) by oz.vie.co.at (8.6.12/8.6.9) id JAA13149 for firewalls@GreatCircle.COM; Thu, 6 Nov 1997 09:25:33 GMT
From: anton horvath
Message-Id: <199711060925.JAA13149@oz.vie.co.at>
Subject: Cisco config examples
To: firewalls@GreatCircle.COM
Date: Thu, 6 Nov 1997 09:25:33 +0000 (GMT)
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I have little chance to work with a cisco, but I am often asked to look into configs of our partners. Could someone point me to detailed and well-explained configuration examples in the net.

thanks,
anton

--
Office address (Vienna Airport) :        Private address :
Co. Anton Horvath                        Anton Horvath
Flughafen Wien AG.                       Hptpl. 31
Postfach 1                               A-7100, Neusiedl/See
A-1300, Vienna                           Austria
Austria
Voice: (++43 - 1) 7007 Ext: 2837         Voice: (++43 - 02167) 8560
Fax:   (++43 - 1) 7007 Ext: 5188
EMail: hvt@vie.co.at

From owner-firewalls-list Thu Nov 6 01:40:52 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA26021; Thu, 6 Nov 1997 00:24:46 -0800 (PST)
Received: from vogon.de.deuba.com (vogon.de.deuba.com [194.175.189.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id AAA25959 for ; Thu, 6 Nov 1997 00:24:30 -0800 (PST)
Received: by vogon.de.deuba.com id AA65064; Thu, 6 Nov 1997 09:23:34 +0100
Received: vogon.de.deuba.com via smap (V2.0) id xma006180; Thu, 6 Nov 97 09:23:26 +0100
Received: by smap.mail.deuba.com id JAA25714; Thu, 6 Nov 1997 09:23:03 +0100
Received: proxy2.esb.eur.deuba.com via smap (V2.0) id xma050004; Thu, 6 Nov 97 09:22:43 +0100
Received: from marc.ksfw.esb.eur.deuba.com by marvin.ose.eur.deuba.com id JAA33532; Thu, 6 Nov 1997 09:24:17 +0100
Received: (from marc@localhost) by marc.ksfw.esb.eur.deuba.com (8.8.7/8.8.5) id JAA18887; Thu, 6 Nov 1997 09:23:50 +0100
From: Marc Heuse
Message-Id: <199711060823.JAA18887@marc.ksfw.esb.eur.deuba.com>
Subject: Re: Hijak detection
In-Reply-To: <199711051403.JAA03367@homeport.org> from Adam Shostack at "Nov 5, 97 09:03:59 am"
To: adam@homeport.org (Adam Shostack)
Date: Thu, 6 Nov 1997 09:23:50 +0100 (CET)
Cc: firewalls@greatcircle.com
Reply-To: marc.heuse@mail.DeuBa.COM
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

> | >The point that (doy?) made is that session hijacking produces a flood
> | >of shit as you jam in packets in the hopes of getting the numbers
> | >right. (Since the other guy is transmitting at the same time as you,
> | >you often send a slew of packets, to get them into the stack first.)
> | This step shouldn't be necessary.
> | Monitor the packets going to/from
> | the firewall (or target system), b
> | the outside (OOB, etc.), and then send in the correct packets to the
> | firewall/system. The firewall wouldn't notice the difference, and it
> | is likely, the victim would chalk up the problem to network difficulties.
> You assume a perfect attacker. I assume script kiddies. There are
> more script kiddies than perfect attackers. If you spend time
> watching real attacks on real systems, you realize how many idiots are
> out there.

Are you trying to protect networks from kiddies or real hackers?
You must try to prevent and detect hacks from the experts, because they do the real damage, not some kids searching for fun.

And to add something useful to the discussion:

the possibility to detect hijacking from the client side is only possible if the attacker chooses an attack type which does not change the routing path of the packets. Then you can see ACK packets while your connection either is frozen or terminated.

from the server side you can detect multiple (and some of them invalid) ACK packets when the attack starts. If the attacker terminates the session of the client or changes the routing path, this will stop shortly after the overtake. You can also detect RST packets generated by the client if the session was terminated from the client side (by the attacker)

(From the RFC 793):
    (CLOSED STATE, SEGMENT ARRIVES)
    An incoming segment not containing a RST causes a RST to be sent in response.

however if the attacker controls a router a simple deny rule on a Cisco for example like

    access-list 101 deny tcp victim 0.0.0.0 target 0.0.0.0

would do the trick.

to summarize, you can only detect the attack with some luck on the server side - if the attacker does not control a router in the path. otherwise - you can't :-( ... so use ssltelnet, deslogin, ssh, kerberos etc. and drop telnet, r-commands and one-time-passwords.
Mit freundlichen Gruessen, Marc Heuse This message and any statements expressed therein are those of myself and not of the Deutsche Bank AG or its subsidiary companies. Type Bits/KeyID Date User ID pub 2048/DB5C03C5 1997/09/23 Marc Heuse -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.3i mQENAzQnbFEAAAEIAL/tj4hn/DVjEWAZhuqRdxZQDy5B+gZbE0CD/mUnZqpem+9L KY+I8te7jMfTQExzqn5jYb5BaibT0SbEBWSx9Gha8EiBLAVcAjvrXpV+HJLcnPRG YDk5a3s7GrA+QVHbbd9DWgqjMfUMw9oUDAhhjgK20SeOtFGBD2U17GkQF6TK7EjC CTOuz2Hx/tisDuroJJnxZdbLNvCceOf/D/bbFcR7DfnEJWJ3f9JC4fibZMlX5rXL Ct/TKhZMd4d42uL7L4KvkT5JCnFuEw1jRDPpBjZ030cK2uWCM//iEVLGmGKOs6Pg o3Lfnnd6I6bTPHgrNsapNWmocbIGDC/4w9tcA8UABRG0Jk1hcmMgSGV1c2UgPG1h cmMuaGV1c2VAbWFpbC5kZXViYS5jb20+iQEVAwUQNCdsUQwv+MPbXAPFAQFWEwf5 AWt6PbKLLCCBPnzBMdXatKEJvNzrZRXNSpbgKQUDAKApRUnOkDJ9yp3tfJG0/BsL XBf+ldmjjoo/OZeWhIhNb71bbCs8BK7/YK5LKef2eq4pzSiWYosrOfjlfyOVhAiP AiWYtK/HBELy6Zs8QwoPX0QX0+R2+ocMS0TDz7nwBgO5wcj3yMU0geTrnlDpJdj1 RgFQLE6T9qO5coRjj1EAoT5gQMxP9L4TQuifYiQ6S2vh6blr3amjPohKSDzZ62/x rQ1KMXJd7MlMQndn8UwKt4XgoFIsZOFRrkDiXfm6zFnH40UcotoA+Ygojp52+Y6A MuixTDbuf3Jph2jEG6r4Dw== =/n63 -----END PGP PUBLIC KEY BLOCK----- From owner-firewalls-list Thu Nov 6 03:41:04 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA14117; Thu, 6 Nov 1997 03:15:44 -0800 (PST) Received: from tom.fjcomp.com (tom.fjcomp.com [194.200.142.228]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id DAA14109 for ; Thu, 6 Nov 1997 03:15:36 -0800 (PST) Received: from tilly.fjcomp.com ([145.227.24.19]) by tom.fjcomp.com (Netscape Mail Server v2.02) with ESMTP id AAA1854 for ; Thu, 6 Nov 1997 11:12:47 +0000 Received: from minn.dsbc.icl.co.uk ([145.227.19.59]) by tilly.fjcomp.com (Netscape Mail Server v2.02) with ESMTP id AAA9088; Thu, 6 Nov 1997 11:12:24 +0000 Received: (from mbm@localhost) by minn.dsbc.icl.co.uk (8.8.7/8.8.5) id LAA03425; Thu, 6 Nov 1997 11:14:19 GMT From: Malcolm Mladenovic Message-Id: 
<199711061114.LAA03425@minn.dsbc.icl.co.uk> Subject: Re: Ever seen this in practice?? To: cbrenton@sover.net Date: Thu, 6 Nov 1997 11:14:19 +0000 (GMT) Cc: firewalls@greatcircle.com In-Reply-To: <345E8D1E.D9F2ABEC@sover.net> from "Chris Brenton" at Nov 3, 97 09:49:02 pm Reply-To: mbm@fjcomp.com (Malcolm Mladenovic) Organization: Fujitsu, Bracknell, Berkshire, UK Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> So has anyone actually ever seen this before? If so, how does a firewall
> deal with this type of connection? This would speak volumes to
> inspecting payload. I would assume that a firewall/filter that simply
> makes decisions based upon the data located at a certain offset from the
> preamble field would probably miss this.

Sounds like TMux - RFC 1692. I don't know what its current status is. There is a paragraph in the RFC suggesting that non-TMux routers should be set to block all TMux packets - causing the hosts to fall back to normal.

-Malcolm

From owner-firewalls-list Thu Nov 6 03:55:22 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA16487; Thu, 6 Nov 1997 03:39:16 -0800 (PST) Received: from oakland-ws-34.clark.net (oakland-ws-34.clark.net [204.245.172.34]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id DAA16480 for ; Thu, 6 Nov 1997 03:39:09 -0800 (PST) From: mht@clark.net Received: from highlander (187.middletown-07.va.dial-access.ATT.net [12.68.19.187]) by oakland-ws-34.clark.net (8.8.5/8.8.5) with SMTP id GAA18336; Thu, 6 Nov 1997 06:54:17 -0500 Message-Id: <3.0.3.32.19971106063624.00a333f0@pop.clark.net> X-Sender: mht@pop.clark.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Thu, 06 Nov 1997 06:36:24 -0500 To: Joe Smith , firewalls@GreatCircle.COM Subject: Re: SSL WatchGuard Cc: Kimberly Chen In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

For more
information about Seattle Software Laboratories WatchGuard Firebox 10/100 products, please refer to the following URL: www.watchguard.com For general sales inquires please email sales@watchguard.com. At 07:50 AM 11/4/97 -0400, Joe Smith wrote: >Greetings > >I have been tasked with looking at several firewalls, and I have been >reading your posts with interest. The reviews that I have read have rated >CheckPoint, WatchGuard and Sunscrean the highest. The one that I am >tending towards is the WatchGuard system. > >Do any of you on this list have RL experence with it? Are there any other >problems with WatchGuard that I should know about? > >Thanks for the help! > >John > > From owner-firewalls-list Thu Nov 6 05:44:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA18711; Thu, 6 Nov 1997 05:06:45 -0800 (PST) Received: from gatekeeper.oss.akzonobel.nl (gatekeeper.oss.akzonobel.nl [192.87.3.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA18703 for ; Thu, 6 Nov 1997 05:06:37 -0800 (PST) Received: (from mail@localhost) by gatekeeper.oss.akzonobel.nl (8.7.5/8.7.3) id OAA25588 for ; Thu, 6 Nov 1997 14:20:34 +0100 (MET) Received: from apou02.akzonobel.nl(145.49.90.250) by gatekeeper.oss.akzonobel.nl via smap (V2.0alpha) id xma029607; Thu, 6 Nov 97 14:17:36 +0100 Received: by apou02.akzonobel.nl id OAA04967; Thu, 6 Nov 1997 14:03:25 GMT Date: Thu, 6 Nov 1997 14:03:25 GMT Received: from umc by apou02.akzonobel.nl via MR/VESTA with conversational-MRIF; Thu, 06 Nov 97 14:03:24 +0000 Posted: Thu, 06 Nov 97 07:54:33 +0000 From: "Donald Six" Message-ID: <1733540706111997/A00723/FATHER> App-Message-ID: <1733540706111997/A00723/FATHER/11BB31F61D00> To: "Firewalls Mailing List" Reply-Requested-From: "Firewalls Mailing List" Subject: A review or last opinion Sensitivity: Company-Confidential Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am looking for a review, or anyone's opinion, on Network-1's 
FireWall/Plus firewall.

From owner-firewalls-list Thu Nov 6 05:59:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA21863; Thu, 6 Nov 1997 05:44:13 -0800 (PST) Received: from hq15.pcmail.ingr.com (hq15.pcmail.ingr.com [129.135.251.243]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA21092 for ; Thu, 6 Nov 1997 05:36:21 -0800 (PST) Received: by HQ15 with Internet Mail Service (5.0.1458.49) id ; Thu, 6 Nov 1997 07:36:36 -0600 Message-ID: From: "Jarmon, Don R" To: "'Andreas Siegert'" Cc: "'firewalls'" Subject: RE: Bay networks and filtering Date: Thu, 6 Nov 1997 07:36:34 -0600 X-Priority: 3 X-Mailer: Internet Mail Service (5.0.1458.49) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Here are some template examples. These filter templates reside in the wf/config directory. Construct filters for the interface's inbound traffic.

The answer to your questions is yes. Bay Networks' filtering capabilities seem to be one of their best kept secrets. Some of the features are software version dependent.

Hope this helps. If not, 1-800-2LANWAN.

> -----Original Message-----
> From: Andreas Siegert [SMTP:afx@ibm.de]
> Sent: Tuesday, November 04, 1997 10:48 AM
> To: 'firewalls'
> Subject: Bay networks and filtering
>
> Hi,
>
> I am looking for Information on the filtering capabilities of Bay networks
> Routers. I know that there is a firewall-1 Module for them, but I am looking
> for the basic stuff. Can I do sensible Syn/Ack checks with plenty of rules,
> specific to in and outbound traffic? Can I log all specific to rules?
>
> I have seen quite a few of their web pages, but all I found was rather crude
> (only 31 rules, no SYN/ACK check), is that really true in current releases?
> > thanks for any hints > afx > -- > Andreas Siegert afx@ibm.de / afx@barolo.munich.de.ibm.com / AFX > at IPNET > PGP Key:http://www.muc.de/~afx/pubkey.asc, KeyId AB26FD05 begin 600 TEMPLATE.FLT M5$5-4$Q!5$4@5$A%7T))5%]35$]04U](15)%(0T*#0H)4%)/5$]#3TP@25`- M"@T*"0E!0U1)3TX-"@D)"4Q/1PT*"0D)1%)/4`T*"0E%3D1?04-424].#0H- M"@D)1DE%3$0@25!?1$535$E.051)3TY?041$4D534PT*"0D),"XP+C`N,"TR M-34N,C4U+C(U-2XR-34-"@D)14Y$7T9)14Q$#0H-"@E%3D1?4%)/5$]#3TP- M"@T*14Y$7U1%35!,051%#0H-"E1%35!,051%($%,3$]77TY%5U-&145$7T58 M0TA!3D=%#0H-"@E04D]43T-/3"!)4`T*#0H)"4%#5$E/3@T*"0D)04-#15!4 M#0H)"45.1%]!0U1)3TX-"@T*"0E&245,1"!)4%]$15-424Y!5$E/3E]!1$12 M15-3#0H)"0EN;FXN;FYN+FYN;BYN;FXM;FYN+FYN;BYN;FXN;FYN#0H)"45. M1%]&245,1`T*#0H)"49)14Q$(%5$4%]33U520T5?4$]25`T*"0D),3$Y+3$Q M.0T*"0E%3D1?1DE%3$0-"@T*"0E&245,1"!51%!?1$535$E.051)3TY?4$]2 M5`T*"0D),3$Y+3$Q.0T*"0E%3D1?1DE%3$0-"@T*"45.1%]04D]43T-/3`T* M#0I%3D1?5$5-4$Q!5$4-"@T*5$5-4$Q!5$4@04Q,3U=?15A415).04Q?3E10 M#0H-"@E04D]43T-/3"!)4`T*#0H)"4%#5$E/3@T*"0D)04-#15!4#0H)"45. M1%]!0U1)3TX-"@T*"0E&245,1"!)4%]$15-424Y!5$E/3E]!1$1215-3#0H) M"0EN;FXN;FYN+FYN;BYN;FXM;FYN+FYN;BYN;FXN;FYN#0H)"45.1%]&245, M1`T*#0H)"49)14Q$(%5$4%]33U520T5?4$]25`T*"0D),3(S+3$R,PT*"0E% M3D1?1DE%3$0-"@T*"0E&245,1"!51%!?1$535$E.051)3TY?4$]25`T*"0D) M,3(S+3$R,PT*"0E%3D1?1DE%3$0-"@T*"45.1%]04D]43T-/3`T*#0I%3D1? M5$5-4$Q!5$4-"@T*5$5-4$Q!5$4@04Q,3U=?15A415).04Q?5$-07T1!5$%? M15A#2$<-"@T*"5!23U1/0T],($E0#0H-"@D)04-424].#0H)"0E!0T-%4%0- M"@D)14Y$7T%#5$E/3@T*#0H)"49)14Q$($E07T1%4U1)3D%424].7T%$1%)% M4U,-"@D)"6YN;BYN;FXN;FYN+FYN;@T*"0E%3D1?1DE%3$0-"@T*"0E&245, M1"!40U!?1$535$E.051)3TY?4$]25`T*"0D),3`R-"TV-34S-0T*"0E%3D1? 
M1DE%3$0-"@T*"0E&245,1"!54T527T1%1DE.140@4D5&.DA%041%4E]%3D0@ M3T9&4T54.C$P-"!"251724142#HX#0H)"0DP6#$P+3!8,3`-"@D)14Y$7T9) M14Q$#0H-"@E%3D1?4%)/5$]#3TP-"@T*14Y$7U1%35!,051%#0H-"E1%35!, M051%($%,3$]77T585$523D%,7U1#4%]!0T-%4U,-"@T*"5!23U1/0T],($E0 M#0H-"@D)04-424].#0H)"0E!0T-%4%0-"@D)14Y$7T%#5$E/3@T*#0H)"49) M14Q$($E07T1%4U1)3D%424].7T%$1%)%4U,-"@D)"6YN;BYN;FXN;FYN+FYN M;@T*"0E%3D1?1DE%3$0-"@T*"0E&245,1"!40U!?1$535$E.051)3TY?4$]2 M5`T*"0D),3`R-"TV-34S-0T*"0E%3D1?1DE%3$0-"@T*"0E&245,1"!54T52 M7T1%1DE.140@4D5&.DA%041%4E]%3D0@3T9&4T54.C$P-"!"251724142#HX M#0H)"0DP6#$X+3!8,3@-"@D)14Y$7T9)14Q$#0H-"@E%3D1?4%)/5$]#3TP- M"@T*14Y$7U1%35!,051%#0H-"E1%35!,051%($%,3$]77T585$523D%,7U1# M4%]#3TY.14-4#0H-"@E04D]43T-/3"!)4`T*#0H)"4%#5$E/3@T*"0D)04-# M15!4#0H)"45.1%]!0U1)3TX-"@T*"0E&245,1"!)4%]$15-424Y!5$E/3E]! M1$1215-3#0H)"0EN;FXN;FYN+FYN;BYN;FX-"@D)14Y$7T9)14Q$#0H-"@D) M1DE%3$0@5$-07T1%4U1)3D%424].7U!/4E0-"@D)"3$P,C0M-C4U,S4-"@D) M14Y$7T9)14Q$#0H-"@D)1DE%3$0@55-%4E]$149)3D5$(%)%1CI(14%$15)? M14Y$($]&1E-%5#HQ,#0@0DE45TE$5$@Z.`T*"0D),%@Q,BTP6#$R#0H)"45. M1%]&245,1`T*#0H)14Y$7U!23U1/0T],#0H-"D5.1%]414U03$%410T*#0I4 M14U03$%412!!3$Q/5U])3E1%4DY!3%]&5%!?04-#15-3#0H-"@E04D]43T-/ M3"!)4`T*#0H)"4%#5$E/3@T*"0D)04-#15!4#0H)"45.1%]!0U1)3TX-"@T* M"0E&245,1"!)4%]$15-424Y!5$E/3E]!1$1215-3#0H)"0EN;FXN;FYN+FYN M;BYN;FXM;FYN+FYN;BYN;FXN;FYN#0H)"45.1%]&245,1`T*#0H)"49)14Q$ M(%1#4%]33U520T5?4$]25`T*"0D),3`R-"TV-34S-0T*"0E%3D1?1DE%3$0- M"@T*"0E&245,1"!40U!?1$535$E.051)3TY?4$]25`T*"0D),C`M,C$-"@D) M14Y$7T9)14Q$#0H-"@E%3D1?4%)/5$]#3TP-"@T*14Y$7U1%35!,051%#0H- M"E1%35!,051%($%,3$]77TE.5$523D%,7TE#35`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`T*"0D)-3,M-3,-"@D)14Y$7T9)14Q$#0H-"@E%3D1?4%)/ M5$]#3TP-"@T*14Y$7U1%35!,051%#0H-"E1%35!,051%($%,3$]77TE.5$52 M3D%,7TA45%!?04-#15-3#0H-"@E04D]43T-/3"!)4`T*#0H)"4%#5$E/3@T* M"0D)04-#15!4#0H)"45.1%]!0U1)3TX-"@T*"0E&245,1"!)4%]$15-424Y! 
M5$E/3E]!1$1215-3#0H)"0EN;FXN;FYN+FYN;BYN;FXM;FYN+FYN;BYN;FXN M;FYN#0H)"45.1%]&245,1`T*#0H)"49)14Q$(%1#4%]33U520T5?4$]25`T* M"0D),3`R-"TV-34S-0T*"0E%3D1?1DE%3$0-"@T*"0E&245,1"!40U!?1$53 M5$E.051)3TY?4$]25`T*"0D).#`M.#`-"@D)14Y$7T9)14Q$#0H-"@E%3D1? M4%)/5$]#3TP-"@T*14Y$7U1%35!,051%#0H-"E1%35!,051%($%,3$]77TE. M5$523D%,7U--5%!?04-#15-3#0H-"@E04D]43T-/3"!)4`T*#0H)"4%#5$E/ M3@T*"0D)04-#15!4#0H)"45.1%]!0U1)3TX-"@T*"0E&245,1"!)4%]$15-4 M24Y!5$E/3E]!1$1215-3#0H)"0EN;FXN;FYN+FYN;BYN;FXM;FYN+FYN;BYN M;FXN;FYN#0H)"45.1%]&245,1`T*#0H)"49)14Q$(%1#4%]33U520T5?4$]2 M5`T*"0D),3`R-"TV-34S-0T*"0E%3D1?1DE%3$0-"@T*"0E&245,1"!40U!? M1$535$E.051)3TY?4$]25`T*"0D),C4M,C4-"@D)14Y$7T9)14Q$#0H-"@E% ?3D1?4%)/5$]#3TP-"@T*14Y$7U1%35!,051%#0H-"@== ` end From owner-firewalls-list Thu Nov 6 06:30:03 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA27132; Thu, 6 Nov 1997 06:14:27 -0800 (PST) Received: from mail1.eni.net (mail1.eni.net [205.214.51.15]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA23986 for ; Thu, 6 Nov 1997 05:56:27 -0800 (PST) Received: from rzedeck.eni.net ([206.135.230.58]) by mail1.eni.net (8.8.5/8.8.5) with SMTP id FAA21260; Thu, 6 Nov 1997 05:57:31 -0800 (PST) Received: by rzedeck.eni.net with Microsoft Mail id <01BCEA91.7FF436C0@rzedeck.eni.net>; Thu, 6 Nov 1997 08:53:49 -0500 Message-ID: <01BCEA91.7FF436C0@rzedeck.eni.net> From: Rachel Zedeck To: "firewalls@GreatCircle.COM" , "'Roberta Long'" Subject: RE: Info about v-one products? Date: Thu, 6 Nov 1997 08:53:49 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Roberta: I've finished their firewall training for three of their product sets. = This product's focus has been changed from a stand alone firewall to a = bundled product. I would be happy to give you more information on it = depending on the application you need. 
It works very well with Gauntlet, Raptor, even Checkpoint and uses some fine grain filtering tools which are very interesting.

Rachel

----------
From: Roberta Long[SMTP:robertal@digex.net]
Sent: Wednesday, November 05, 1997 12:28 PM
To: firewalls@GreatCircle.COM
Subject: Info about v-one products?

Someone has been asking me about these products. Can anyone provide me with first-hand experiences in dealing with this company and their products?

Roberta

From owner-firewalls-list Thu Nov 6 10:49:57 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA06576; Thu, 6 Nov 1997 06:58:52 -0800 (PST) Received: from gateway.adidasus.com (spfrw001.adidasus.com [208.146.114.30]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA06505 for ; Thu, 6 Nov 1997 06:58:33 -0800 (PST) Received: by gateway.adidasus.com; id JAA09710; Thu, 6 Nov 1997 09:58:35 -0500 (EST) Received: from unknown(10.75.10.7) by gateway.adidasus.com via smap (4.0a) id xma009707; Thu, 6 Nov 97 09:58:09 -0500 Message-ID: <3461DB2C.99A0C536@internetmci.com> Date: Thu, 06 Nov 1997 09:58:52 -0500 From: Tim Lebrun X-Mailer: Mozilla 4.03 [en] (Win95; U) MIME-Version: 1.0 To: Chris Lonvick CC: NetSea , firewalls@GreatCircle.COM Subject: Re: Help : Cisco access list References: <2.2.32.19971106061246.006de0a0@localhost> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Is there a cisco mailing list that anyone knows of ??????

Chris Lonvick wrote:
> Hello Hong,
>
> Take a look at
> http://www/warp/public/701/31.html
> to see some options on how you can accomplish this as well as how
> to take some other security measures.
>
> Hope this helps,
>
> Chris Lonvick
> Cisco Systems
> Corporate Consulting
> Houston, TX, USA
> +1.713.778.5663
>
> At 12:05 PM 11/5/97 +0800, NetSea wrote:
> >Hi, everybody,
> >
> >I have an CISCO 4500 router (A) in my office.
> >It connects
> >
> >
> >
> > Router A (in my office)      Router B ( from ISP )
> >         _______                     _______
> >        |       |s0               s0|       |
> >        |_______|-------------------|_______|--------- INTERNET
> >    xxx.xxx.xxx.aa               xxx.xxx.xxx.bb
> >
> >
> >to a Router (B) from ISP. What I want to do is that all hosts in my
> >office can access Internet resources such as WWW, but the outside
> >world can not access any host in my office through the routers. How
> >should I configure the routers to achieve that?
> >
> >Thanks in advance!
> >
> >Hong
> >
> >----------------------------------------------
> >Shen Hong Network Engineer
> >NetSea Computer Co. Ltd.
> >E-mail: netsea@public.sta.net.cn
> >----------------------------------------------
> >
> >
> >
> >

From owner-firewalls-list Thu Nov 6 11:00:06 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA13565; Thu, 6 Nov 1997 10:17:42 -0800 (PST) Received: from tavor.openu.ac.il (tavor.openu.ac.il [147.233.128.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id IAA28620 for ; Thu, 6 Nov 1997 08:52:27 -0800 (PST) Received: from ramon.openu.ac.il[rafi] by tavor.openu.ac.il with SMTP id AA27941 (5.67a8/IDA-1.5 for ); Thu, 6 Nov 1997 18:52:33 +0200 Received: from localhost (nullhost.openu.ac.il)[] by ramon.openu.ac.il with SMTP id AA19948 (5.67a8/IDA-1.5); Thu, 6 Nov 1997 18:52:29 +0200 Date: Thu, 6 Nov 1997 18:52:27 +0200 (IST) From: Rafi Sadowsky X-Sender: rafi@ramon To: Donald Six Cc: Firewalls Mailing List Subject: Re: A review or last opinion { Network-1 Firewall plus ] In-Reply-To: <1733540706111997/A00723/FATHER> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I would appreciate copies of this if possible

thanks,
Rafi

--
Rafi Sadowsky rafi@oumail.openu.ac.il
Network/System/Security VoiceMail: +972-3-646-0592 FAX: +972-3-646-5410
Mangler ( :-) | member ILAN-CERT(CERT-L@VM.TAU.AC.IL)
Open University of Israel | (PGP key
-> ) http://telem.openu.ac.il/~rafi On Thu, 6 Nov 1997, Donald Six wrote: > I am looking for a review, or anyone's opinion, on Network-1's FireWall/Plus > firewall. > From owner-firewalls-list Thu Nov 6 11:07:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA11723; Thu, 6 Nov 1997 10:08:02 -0800 (PST) Received: from caladan.verisign.com (caladan.verisign.com [205.180.232.21]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA11698 for ; Thu, 6 Nov 1997 10:07:52 -0800 (PST) Received: from mentat.verisign.com by caladan.verisign.com (8.8.5/BCH1.0) id KAA19035; Thu, 6 Nov 1997 10:07:50 -0800 (PST) Received: from arrakis.verisign.com by mentat.verisign.com (8.8.5/BCH1.0) id KAA09283; Thu, 6 Nov 1997 10:07:45 -0800 (PST) Received: by arrakis.verisign.com (SMI-8.6/SMI-SVR4) id KAA28804; Thu, 6 Nov 1997 10:07:42 -0800 Date: Thu, 6 Nov 1997 10:07:42 -0800 From: varmav@verisign.com (Vik Varma) Message-Id: <199711061807.KAA28804@arrakis.verisign.com> To: murthy@sparc03.barc.ernet.in Subject: Re: Your Message Sent on Tue, 4 Nov 1997 11:56:45 +0530 (IST) Cc: Firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-MD5: qeOUmx+G21K+y05qF9Pbeg== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Thanks for the reply sir! > > Actually I dont want to use NAT as it consumes more time for each packet. > I want to have a simple filter which takes forwarding decissions based > on IP address only and it should not go for NAT. > > Is there any such firewall software available ? Sure. That's just a normal packet filter firewall. Check out Firewall-1 from CheckPoint or PIX from Cisco, to mention only two. Of course, there are many others as well. 
-- Vik Varma VeriSign, Inc System Administrator (650) 429-3352 Operations, Information Systems Vik.Varma@verisign.com From owner-firewalls-list Thu Nov 6 11:14:49 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA10343; Thu, 6 Nov 1997 10:00:12 -0800 (PST) Received: from fcdcfw.co.franklin.oh.us (co.franklin.oh.us [198.234.34.194]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id JAA10208 for ; Thu, 6 Nov 1997 09:59:47 -0800 (PST) Received: from cmplser1.co.franklin.oh.us by fcdcfw.co.franklin.oh.us (AIX 4.1/UCB 5.64/4.03) id AA17806; Thu, 6 Nov 1997 12:57:32 -0500 Received: from fcdcemail.co.franklin.oh.us by cmplser1.co.franklin.oh.us (Lotus SMTP MTA v1.05 (274.9 11-27-1996)) with SMTP id 85256547.00635277; Thu, 6 Nov 1997 13:04:51 -0400 Received: from fcdcy684 ([10.0.9.121]) by fcdcemail.co.franklin.oh.us (Netscape Mail Server v2.0) with SMTP id AAA40 for ; Thu, 6 Nov 1997 12:56:53 -0500 Message-Id: <3.0.3.32.19971106130004.009526d0@mail> X-Sender: dbmcglumphy@mail X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Thu, 06 Nov 1997 13:00:04 -0500 To: firewalls@GreatCircle.COM From: dbmcglumphy@co.franklin.oh.us (David B. McGlumphy) Subject: Proxy recommendations Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, I am the Webmaster for a county data center in Ohio. We currently are using a RISC/6000 box running IBM's SNG on AIX and Netscape's Proxy Server. The proxy seems to hang for long periods of time after a few hours of running, forcing us to do frequent restarts. We have a brand new Risc box in and are looking at alternatives to Netscape's Proxy Server. Does anyone have any suggestions for a good proxy server? We are looking at ~500 users doing only http (for now). 
Thanks for any help, Dave McGlumphy David McGlumphy, WebMaster PHONE: (614) 462-6795 Franklin County Data Center FAX: (614) 462-6311 373 South High Street 9th Flr. Internet: dbmcglumphy@co.franklin.oh.us Columbus, Ohio 43215 dmcglump@ix.netcom.com ef770@kanga.cwru.edu ** The opinions expressed herein are those of the author and not those of Franklin County Data Center or any other company, governmental agency, or organization. ** __ _ _ _ () , | LINUX / ) ' ) ) ) /`-'| /) / |Choice of a / / __. , ___ / / / _. / / // . . ____ _ /_ , ,| GNU /__/_(_(__\/ (<_ / ' (_(_ /__-<_(/_(_/_/) ) )_/_)_/ /_(_/_|generation / / | ' ' From owner-firewalls-list Thu Nov 6 11:20:28 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA17660; Thu, 6 Nov 1997 10:49:49 -0800 (PST) Received: from sla-nt2.sla.com (mail1.sla.com [207.153.168.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA17618 for ; Thu, 6 Nov 1997 10:49:38 -0800 (PST) Received: by mail1.sla.com with Internet Mail Service (5.0.1457.3) id ; Thu, 6 Nov 1997 10:46:41 -0800 Message-ID: From: "Stackpole, Bill" To: "'anton horvath'" , firewalls@GreatCircle.COM Subject: RE: Cisco config examples Date: Thu, 6 Nov 1997 10:46:39 -0800 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk All the Cisco IOS documentation is available via their web site and most include examples. The docs are divided into two parts (a command reference and a "how to" guide) so make sure and look at both sets of documents to get the whole picture. > -----Original Message----- > From: anton horvath [SMTP:hvt@vie.co.at] > Sent: Thursday, November 06, 1997 1:26 AM > To: firewalls@GreatCircle.COM > Subject: Cisco config examples > > Hi, > > I have little chances to work with a cisco, but I am often asked > to look into configs of our partners. 
> > Could someone point me to detailed and good explained configuration > examples in the net. > > thanks, anton > > -- > Office address (Vienna Airport) : Private address : > Co. Anton Horvath Anton Horvath > Flughafen Wien AG. Hptpl. 31 > Postfach 1 > A-1300, Vienna A-7100, Neusiedl/See > Austria Austria > Voice: (++43 - 1) 7007 Ext: 2837 Voice: (++43 - 02167) 8560 > Fax: (++43 - 1) 7007 Ext: 5188 > EMail: hvt@vie.co.at From owner-firewalls-list Thu Nov 6 12:09:26 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA16783; Thu, 6 Nov 1997 07:48:02 -0800 (PST) Received: from cheez.lowprofile.net (cheez.lowprofile.net [206.97.249.88]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA16753 for ; Thu, 6 Nov 1997 07:47:51 -0800 (PST) Received: from cheez.lowprofile.net (cheez.lowprofile.net [206.97.249.88]) by cheez.lowprofile.net (8.8.5/8.8.5) with SMTP id JAA02452; Thu, 6 Nov 1997 09:14:52 -0600 Date: Thu, 6 Nov 1997 09:14:51 -0600 (CST) From: "Daniel \"Cheez\" Brown" To: NetSea cc: firewalls@GreatCircle.COM Subject: Re: Help : Cisco access list In-Reply-To: <345FF08C.981DE78A@public.sta.net.cn> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Utilize an inside and outside access listing configuration in which packets not requested are denied. +----Daniel "Cheez" Brown------------Global Data Systems-------+ | http://cheez.lowprofile.net | Security Advisor, Global Reach | | cheez@cheez.lowprofile.net | Computer Networking Specialist | | cheez@globalreach.net | Remote Management Specialist | | cheez@hotmail.com | Linux/Windows NT Specialist | +------If at first you don't succeed, redefine success.--------+ On Wed, 5 Nov 1997, NetSea wrote: Date: Wed, 05 Nov 1997 12:05:33 +0800 From: NetSea To: firewalls@GreatCircle.COM Subject: Help : Cisco access list Hi, everybody, I have an CISCO 4500 router (A) in my office. 
It connects



 Router A (in my office)      Router B ( from ISP )
         _______                     _______
        |       |s0               s0|       |
        |_______|-------------------|_______|--------- INTERNET
    xxx.xxx.xxx.aa               xxx.xxx.xxx.bb


to a Router (B) from ISP. What I want to do is that all hosts in my
office can access Internet resources such as WWW, but the outside
world can not access any host in my office through the routers. How
should I configure the routers to achieve that?

Thanks in advance!

Hong

----------------------------------------------
Shen Hong Network Engineer
NetSea Computer Co. Ltd.
E-mail: netsea@public.sta.net.cn
----------------------------------------------

From owner-firewalls-list Thu Nov 6 13:20:51 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA01865; Thu, 6 Nov 1997 11:59:53 -0800 (PST) Received: from tavor.openu.ac.il (tavor.openu.ac.il [147.233.128.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id LAA01683 for ; Thu, 6 Nov 1997 11:59:16 -0800 (PST) Received: from ramon.openu.ac.il[rafi] by tavor.openu.ac.il with SMTP id AA02751 (5.67a8/IDA-1.5 for ); Thu, 6 Nov 1997 21:59:41 +0200 Received: from localhost (nullhost.openu.ac.il)[] by ramon.openu.ac.il with SMTP id AA20195 (5.67a8/IDA-1.5); Thu, 6 Nov 1997 21:59:38 +0200 Date: Thu, 6 Nov 1997 21:59:35 +0200 (IST) From: Rafi Sadowsky X-Sender: rafi@ramon To: "David B.
McGlumphy" Cc: firewalls@GreatCircle.COM Subject: Re: Proxy recommendations In-Reply-To: <3.0.3.32.19971106130004.009526d0@mail> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

you may want to try Squid: http://squid.nlanr.net/Squid/
it's a PD version of harvest ( high ) which is a high performance http proxy
- even though netscape proxy works fine

--
Rafi Sadowsky rafi@oumail.openu.ac.il
Network/System/Security VoiceMail: +972-3-646-0592 FAX: +972-3-646-5410
Mangler ( :-) | member ILAN-CERT(CERT-L@VM.TAU.AC.IL)
Open University of Israel | (PGP key -> ) http://telem.openu.ac.il/~rafi

On Thu, 6 Nov 1997, David B. McGlumphy wrote:

> Hello,
> I am the Webmaster for a county data center in Ohio. We currently are
> using a RISC/6000 box running IBM's SNG on AIX and Netscape's Proxy Server.
> The proxy seems to hang for long periods of time after a few hours of
> running, forcing us to do frequent restarts. We have a brand new Risc box
> in and are looking at alternatives to Netscape's Proxy Server. Does anyone
> have any suggestions for a good proxy server? We are looking at ~500 users
> doing only http (for now). Thanks for any help,
> Dave McGlumphy
>
>
>
> David McGlumphy, WebMaster              PHONE: (614) 462-6795
> Franklin County Data Center             FAX: (614) 462-6311
> 373 South High Street 9th Flr.          Internet: dbmcglumphy@co.franklin.oh.us
> Columbus, Ohio 43215                    dmcglump@ix.netcom.com
>                                         ef770@kanga.cwru.edu
>
> ** The opinions expressed herein are those of the author and not those
> of Franklin County Data Center or any other company, governmental
> agency, or organization. **
> __ _ _ _ () , | LINUX > / ) ' ) ) ) /`-'| /) / |Choice of a > / / __. , ___ / / / _. / / // . .
____ _ /_ , ,| GNU > /__/_(_(__\/ (<_ / ' (_(_ /__-<_(/_(_/_/) ) )_/_)_/ /_(_/_|generation > / / | > ' ' > From owner-firewalls-list Thu Nov 6 13:22:10 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA27101; Thu, 6 Nov 1997 11:39:22 -0800 (PST) Received: from mtigwc04.worldnet.att.net (mtigwc04.worldnet.att.net [204.127.131.33]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id LAA26893 for ; Thu, 6 Nov 1997 11:38:41 -0800 (PST) Received: from zepher.milkyway.com ([12.70.0.195]) by mtigwc04.worldnet.att.net (post.office MTA v2.0 0613 ) with SMTP id AAB21700; Thu, 6 Nov 1997 19:39:09 +0000 Message-Id: <3.0.3.32.19971106143424.006c6ef4@postoffice.worldnet.att.net> X-Sender: jsk347@postoffice.worldnet.att.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Thu, 06 Nov 1997 14:34:24 -0500 To: "Franco RUGGIERI" , "Billy Verreynne" From: Steve Kruse Subject: Re: R: Unlimited Users Firewalls Cc: "GreatCircle forum" In-Reply-To: <199711052319.AAA04439@pinux.selfin.net> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ok, all, not to make a blatantly commercial statement here...hold your flames!! However, at Milkyway, our evaluation of the NT stack caused us to completely throw it out and *replace it* with a fully hardened stack. As far as I know, we are the only FW company producing an NT version that does that, rather than just patching / diddling with the NT version of the stack. Of course, we believe we have the better mouse trap!!!! Download an eval at http://www.milkyway.com if you want to check it out. I say that this is not a "commercial posting" in that I am merely agreeing that others feel the NT stack is not secure, but to educate that there ARE ways to have NT and still be secure! Comments welcome ... Flames ignored with vigor! 
Steve Kruse

At 03:12 PM 11/5/97 +0000, Franco RUGGIERI wrote:
>Billy,
>maybe I'm biased by my deep love towards a company whose workhorse (dubbed
>by the year it was finally released) too many times so far has left me
>stranded, by just losing few, but meaningful, kilobytes of key stuff.
>When you say: "The problem I believe is that NT's IP is not always robust
>enough to survive a hacker attack." you are firing an A-bomb, IMHO. Aren't
>you?
>Do I correctly understand you if I say that, since firewalls are here to
>ward off hackers' attacks, it's better not to rely on an NT since its IP
>isn't up to the task we want to use it for?
>This reminds me of having heard that, in the early decades of this century,
>a racing car maker overlooked the importance of brakes by saying: "My cars
>are to run, not to stop". It has disappeared from the marketplace.
>
>-------------------------------
>Franco RUGGIERI
>fruggieri@selfin.net
>
>----------
>> From: Billy Verreynne
>> To: ygerman@genre.com; yati@mod.gov.my
>> Cc: Firewalls@GreatCircle.COM
>> Subject: Re: Unlimited Users Firewalls
>> Date: Thursday 23 October 1997 10.32
>>
>> > ygerman@genre.com wrote:
>>
>> > I would also say stay away from NT firewalls because the NT TCP/IP
>> > stack is not as robust as Unix in a high volume environment.
>>
>> On what facts do you base this? AFAIK the problems with Microsoft's
>> implementation of TCP/IP have more to do with incorrectly handling packets
>> that were incorrectly assembled (e.g. the OOB problem which gave all the
>> dumb snotty nose wannabe hackers a hard on). But even Unix TCP/IP do not
>> always respond as it should - what about SYN stealth scans?
>>
>> A company I know have been using NT with SQL-Server across a WAN for a
>> number of years now. The volumes are pretty high - hundreds of users doing
>> OLTP transactions. The problem has never been with TCP/IP on NT, but rather
>> with SQL-Server and the Microsoft client (Win95) DB library.
>>
>> I have worked with NT since the first beta, and TCP/IP IMHO was never a
>> problem, but rather the use of it (like running NetBIOS pipes across TCP/IP
>> instead of using sockets). Of course Microsoft was naive in believing they
>> could implement the RFCs for TCP/IP without paying much attention to wrong
>> IP packets. But remember these IP packets are almost always the result of
>> hacker attacks. In a standard high volume business environment NT's IP is
>> stable and robust enough IMHO. The problem I believe is that NT's IP is not
>> always robust enough to survive a hacker attack.
>>
>> NT has received a lot of flak, especially from the Unix lovers, but it is
>> still a good operating system and one that is used (as with Unix)
>> throughout the world by many companies for running mission critical
>> applications.
>>
>> regards,
>> Billy
>

*****************************************************
* Steve Kruse                   Milkyway Networks   *
* Network Systems Engineer      1342 E. Vine St.
#224 * * 407-847-8977 Voice Kissimmee, FL 34744 * * 407-847-7203 Fax http://www.milkyway.com * ***************************************************** From owner-firewalls-list Thu Nov 6 13:23:50 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA12871; Thu, 6 Nov 1997 12:41:44 -0800 (PST) Received: from NetComm.IE (carpet.rotterdam.luna.net [194.151.24.5]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id MAA12799 for ; Thu, 6 Nov 1997 12:41:25 -0800 (PST) Received: from kevinbr.horizon.ie (mobile-104-113.horizon.ie [193.120.104.113]) by NetComm.IE (8.8.5/8.8.3) with SMTP id VAA11710; Thu, 6 Nov 1997 21:41:11 GMT Message-Id: <3.0.5.32.19971106203931.007c8100@www.netcomm.ie> X-Sender: kevinbr@www.netcomm.ie X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32) Date: Thu, 06 Nov 1997 20:39:31 +0000 To: dbmcglumphy@co.franklin.oh.us (David B. McGlumphy), firewalls@GreatCircle.COM From: Kevin Brown Subject: Re: Proxy recommendations In-Reply-To: <3.0.3.32.19971106130004.009526d0@mail> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Look at squid........ Kevin At 13:00 06/11/97 -0500, David B. McGlumphy wrote: >Hello, > I am the Webmaster for a county data center in Ohio. We currently are >using a RISC/6000 box running IBM's SNG on AIX and Netscape's Proxy Server. > The proxy seems to hang for long periods of time after a few hours of >running, forcing us to do frequent restarts. We have a brand new Risc box >in and are looking at alternatives to Netscape's Proxy Server. Does anyone >have any suggestions for a good proxy server? We are looking at ~500 users >doing only http (for now). Thanks for any help, > Dave McGlumphy > > > >David McGlumphy, WebMaster PHONE: (614) 462-6795 >Franklin County Data Center FAX: (614) 462-6311 >373 South High Street 9th Flr. 
>                                    Internet: dbmcglumphy@co.franklin.oh.us
>Columbus, Ohio 43215                          dmcglump@ix.netcom.com
>                                              ef770@kanga.cwru.edu
>
>** The opinions expressed herein are those of the author and not those
>of Franklin County Data Center or any other company, governmental
>agency, or organization. **
>
> LINUX - Choice of a GNU generation
>

From owner-firewalls-list Thu Nov 6 13:25:41 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA14283; Thu, 6 Nov 1997 12:47:21 -0800 (PST)
Received: from keymaster.rnb.com (keymaster.rnb.com [204.178.81.14]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id MAA03497 for ; Thu, 6 Nov 1997 12:07:39 -0800 (PST)
Comments: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Comments: Internet Message: Sender identity is not verified.
Comments: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Received: By keymaster.rnb.com via smap (3.2) id xma014803; Thu, 6 Nov 97 15:07:38 -0500
Message-ID:
X-Mailer: XFMail 1.2-beta-103097 [p0] on Solaris
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <3.0.3.32.19971106130004.009526d0@mail>
Date: Thu, 06 Nov 1997 15:07:36 -0500 (EST)
Organization: Republic National Bank
From: Ken Kempster
To: (David B. McGlumphy)
Subject: RE: Proxy recommendations
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We use Gauntlet here. Works good and we're doing over 200,000 hits on http per day.

On 06-Nov-97 David B. McGlumphy wrote :
> Hello,
> I am the Webmaster for a county data center in Ohio. We currently are
> using a RISC/6000 box running IBM's SNG on AIX and Netscape's Proxy Server.
> The proxy seems to hang for long periods of time after a few hours of
> running, forcing us to do frequent restarts. We have a brand new Risc box
> in and are looking at alternatives to Netscape's Proxy Server. Does anyone
> have any suggestions for a good proxy server? We are looking at ~500 users
> doing only http (for now). Thanks for any help,
> Dave McGlumphy
>
>
>
> David McGlumphy, WebMaster          PHONE: (614) 462-6795
> Franklin County Data Center         FAX:   (614) 462-6311
> 373 South High Street 9th Flr.      Internet: dbmcglumphy@co.franklin.oh.us
> Columbus, Ohio 43215                          dmcglump@ix.netcom.com
>                                               ef770@kanga.cwru.edu
>
> ** The opinions expressed herein are those of the author and not those
> of Franklin County Data Center or any other company, governmental
> agency, or organization. **
>
> LINUX - Choice of a GNU generation

|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
| Ken Kempster            kempster@monarch.rnb.com        |
| Systems Consultant                                      |
| Republic National Bank                                  |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From owner-firewalls-list Thu Nov 6 13:26:53 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA09781; Thu, 6 Nov 1997 12:30:22 -0800 (PST)
Received: from ns (ns.ami.net [207.87.243.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id MAA09565 for ; Thu, 6 Nov 1997 12:29:42 -0800 (PST)
Received: by ns (5.x/SMI-SVR4) id AA01099; Thu, 6 Nov 1997 15:33:35 -0500
Date: Thu, 6 Nov 1997 15:33:35 -0500
From: destry@ami.net (Richard Fronck)
Message-Id: <9711062033.AA01099@ns>
To: Firewalls@GreatCircle.COM
Subject: syslogd on SunOS doesn't work
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Our SunOS based firewall solution only logs 10% of the log messages!
This affects every firewall that uses syslogd, running on any SunOS.

I noticed that our throughput totals for our firewalls didn't match up with the totals from the router. I checked the firewall, and it is only logging 10% of the proxy log output during peak utilization. We generate approximately 3 log messages per connection. We generate approximately 1500 processes/connections per minute. But we only log approximately 150 - 200 messages per minute. We should log approximately 4500 - 6000 messages per minute.

Here's the problem: (from http://sunsolve.sun.com)

SUN SYSLOG DAEMON BUG INFORMATION:
Bug Id 1144033 states "the streams log driver can drop syslog messages under heavy loads"
Bug Id 1225626 "There is no guarantee that syslog() will actually be successful in its logging. Unfortunately, this works as designed."

Here's the solution: ***NONE***
Sun says that logging is "improved" in Solaris 2.6, but they don't intend to "fix" it. (This would take a re-write of the entire streams library.)

This is what I found. (The code that I used was taken from one of the bug ids and modified slightly.) While the new OS is better, it's still not fixed. Both machines had a load average of >1% at run time.

Solaris 2.5.1 logs 5.559% of the log requests. Logged 559 out of 10,000
Solaris 2.6 logs 87.21% of the log requests. Logged 8721 out of 10,000

uname -a
SunOS hostname001 5.4 G
Search for __m8 in /log_syslog=1000, count= 57
Search for __m9 in /log_syslog=1000, count= 55
wc of /log_syslog= 559 /log_syslog
-- end Results on Solaris 2.5.1 -----------------------------------------

uname -a
SunOS hostname002 5.6 Generic sun4m sparc SUNW,SPARCstation-5
-- Results on Solaris 2.6 -----------------------------------------------
Search for __m0 in /log_syslog=1000, count= 872
Search for __m1 in /log_syslog=1000, count= 872
Search for __m2 in /log_syslog=1000, count= 872
Search for __m3 in /log_syslog=1000, count= 872
Search for __m4 in /log_syslog=1000, count= 872
Search for __m5 in /log_syslog=1000, count= 871
Search for __m6 in /log_syslog=1000, count= 872
Search for __m7 in /log_syslog=1000, count= 872
Search for __m8 in /log_syslog=1000, count= 873
Search for __m9 in /log_syslog=1000, count= 873
wc of /log_syslog= 8721 /log_syslog
-- end Results on Solaris 2.6 -------------------------------------------

-- code ----------------------------------------------------------------
/* Count how many syslog() calls actually reach the log file under load.
 * Run as root: it temporarily rewrites /etc/syslog.conf and HUPs syslogd
 * (pid read from /etc/syslog.pid, as on SunOS/Solaris). */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <syslog.h>

int main(void)
{
    int i, j;
    char msg[8], cmd[64];

    /* Save the live config and send local0 to a private file. Classic
     * syslogd requires a TAB (the \t below) between selector and action. */
    system("cp /etc/syslog.conf /rette.syslog.conf");
    system("echo 'local0.debug\t/log_syslog' > /etc/syslog.conf");
    remove("/log_syslog");
    system("touch /log_syslog");
    system("kill -HUP `cat /etc/syslog.pid`");
    sleep(1);

    /* 10,000 messages as fast as possible: 1000 rounds of __m0 .. __m9 */
    for (i = 0; i < 1000; i++) {
        for (j = 0; j < 10; j++) {
            sprintf(msg, "__m%d", j);
            syslog(LOG_LOCAL0 | LOG_INFO, "%s", msg);
        }
    }
    sleep(15);                      /* let syslogd drain what it kept */

    /* Put the original configuration back */
    system("mv /rette.syslog.conf /etc/syslog.conf");
    sleep(1);
    system("kill -HUP `cat /etc/syslog.pid`");
    sleep(1);

    /* Each marker was sent i (= 1000) times; compare with what got logged.
     * fflush() keeps our output in order with the grep output. */
    for (j = 0; j < 10; j++) {
        printf("\nSearch for __m%d in /log_syslog=%d, count= ", j, i);
        fflush(stdout);
        sprintf(cmd, "grep -c __m%d /log_syslog", j);
        system(cmd);
    }
    printf("\nwc of /log_syslog= ");
    fflush(stdout);
    system("wc -l /log_syslog");
    return 0;
}
-- end code -------------------------------------------------------------

Thanks,
Destry

From owner-firewalls-list Thu Nov 6 13:28:03 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA14457; Thu, 6 Nov 1997 12:48:42 -0800 (PST)
Received: from mtigwc04.worldnet.att.net (mtigwc04.worldnet.att.net [204.127.131.33]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id LAA26874 for ; Thu, 6 Nov 1997 11:38:39 -0800 (PST)
Received: from zepher.milkyway.com ([12.70.0.195]) by mtigwc04.worldnet.att.net (post.office MTA v2.0 0613 ) with SMTP id AAA21700; Thu, 6 Nov 1997 19:39:05 +0000
Message-Id: <3.0.3.32.19971106142148.006c284c@postoffice.worldnet.att.net>
X-Sender: jsk347@postoffice.worldnet.att.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Thu, 06 Nov 1997 14:21:48 -0500
To: hagan@cih.com, Franco RUGGIERI
From: Steve Kruse
Subject: Re: R: Unlimited Users Firewalls
Cc: GreatCircle forum
In-Reply-To:
References: <199711052319.AAA04448@pinux.selfin.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender:
firewalls-owner@GreatCircle.COM
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IMHO...an additional policy would include something to the effect:

"...the security manager shall escrow with the (pick one here..President, Technology manager, Operations manager...) office all passwords, access controls, keys and other such mechanisms to which the Security Officer normally has the only access. This information shall be placed in a sealed envelope, protected by a security seal or other tamperproof mechanism, and locked in a secure cabinet, safe or desk to which only the escrow officer has access. This information shall be updated and re-sealed upon any change within the same business day such changes are made"....

If the S.O. **DOES** get hit by a bus, at least SOMEONE can get access to the FW, routers and other things should it become necessary.

Comments welcome...Flames Ignored!

At 04:59 PM 11/5/97 +0000, Craig I. Hagan wrote:
>> Craig,
>> please tell me your opinion on this statement of mine (many people have
>> been burned alive for much less than that).
>>
>> A firewall is something that must not be tampered with, so the fewer people
>> know something about it (in the organization it is there to protect) the
>> better. Thus, a UNIX O.S. is a good thing in an environment where many
>> people know NT, i.e. almost everywhere.
>
>many takes.
>
>the short one is that if the above were true, and the firewall person
>left, was hit by a bus, etc, then the company is *FUCKED*. Additionally,
>you may need to change the firewall to reflect changes in security policy
>-- after all, the firewall merely enacts policy, it doesn't create it.
>
>A better method, imho, of saying it (perhaps what you meant) would be:
>
>"
>Firewalls exist to enact corporate security policy. Since this policy
>changes infrequently, access controls to the firewall should be both
>severely restricted, and logged in such a way as to make any and all
>actions obvious to an experienced administrator. Additionally, all changes
>made to the firewall must go through authorized change control procedures
>so that they can accurately reflect the security policy, and the coding
>can be properly reviewed to make sure that policy is correctly enacted.
>"
>
>IMHO, knowledge is a good thing: if everyone knew about the firewall, how
>it worked, and WHY it did what it did, and even the source code of the
>firewall, it shouldn't matter if the firewall properly enacts your
>policies (and they demand stringent access control). In fact, if the
>people in the company were knowledgeable, then they would likely know the
>policy and WHY it was in effect.
>
>As for the OS choice of the firewall, unix/NT/OS2/mac/DOS/whatever,
>security through obscurity is the worst case scenario in that you are
>banking on people not knowing something rather than proper access controls
>and channels to facilitate this.
>
>A better question might be: if you are using unix/NT/OS2/mac/DOS/whatever
>for a firewall, how could people (both internal and external) gain
>unauthorized access to the firewall? If your policy states that this
>should not be, then you should take every action to prevent it. For an NT
>machine, it may mean not participating in a domain, blocking all of the
>RPC/auth/whatever ports, disabling a rack of services, etc. For unix it may
>mean not participating in a YP/NIS domain, not running RPC/portmapper and
>a myriad of other daemons, etc. Same ideas, different OS. But it all comes
>down to policy and properly enacting it.
>
>
>-- craig
>
>-------------------------------------------------------------------------------
>Craig I. Hagan     "It's a small world, but I wouldn't want to back it up"
>hagan(at)cih.com   "True hackers don't die, their ttl expires"
>                   "It takes a village to raise an idiot, but an idiot can raze a village"
>
> Stop the spread of spam, use a sendmail condom!
> http://www.cih.com/~hagan/smtpd-hacks
>
>

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBNGIYqtIk6V3CiVjTEQJeHACfQtXcFobqsoxx/XChihqRGBHU/okAoJst
1l+5ojo5GOdwxN6PTpFaxbkZ
=6bY+
-----END PGP SIGNATURE-----

*****************************************************
* Steve Kruse                  Milkyway Networks    *
* Network Systems Engineer     1342 E. Vine St. #224 *
* 407-847-8977 Voice           Kissimmee, FL 34744  *
* 407-847-7203 Fax             http://www.milkyway.com *
*****************************************************

From owner-firewalls-list Thu Nov 6 14:01:11 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA22290; Thu, 6 Nov 1997 13:51:16 -0800 (PST)
Received: from macmail.sonicsys.com (macmail.sonicsys.com [209.19.28.20]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id NAA22245 for ; Thu, 6 Nov 1997 13:51:03 -0800 (PST)
Received: from [209.19.28.54] by with SMTP id BAI2961672997; Thu, 06 Nov 1997 14:56:38
X-Sender: denis@macmail.sonicsys.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 6 Nov 1997 14:53:13 -0800
To: firewalls@GreatCircle.com
From: Denis Lesak
Subject: Sonic Interpol
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We are a new firewall vendor that is offering the industry's first full featured Internet Security Appliance for $1999.

The Interpol features:
Web Browser Managed
Stateful Inspection packet security
ISDN - T1
1 year CyberNOT subscription
Remote Access Authentication (MD5 based security)
NAT Network Address Translation
DMZ for public servers
Installs in under 20 minutes!

Any questions?
Please review www.sonicsys.com
Contact: sales@sonicsys.com

____________________________________________________________________
Denis Lesak                         denis@sonicsys.com
Regional Sales Manager              408.736.1900 ext 106
575 N Pastoria Ave                  408.736.7228 fax
Sunnyvale, CA 94086                 Web: http://www.sonicsys.com

Do you want Plug N Play firewall protection for under $2,000?
http://www.sonicsys.com/Interpol.html
____________________________________________________________________

From owner-firewalls-list Thu Nov 6 14:03:32 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA20924; Thu, 6 Nov 1997 13:40:52 -0800 (PST)
Received: from powerlite (powerlite.unitedspacealliance.com [161.40.253.23]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id NAA20767 for ; Thu, 6 Nov 1997 13:40:05 -0800 (PST)
Received: by powerlite (SMI-8.6/SMI-SVR4) id PAA16294; Thu, 6 Nov 1997 15:28:45 -0600
Date: Thu, 6 Nov 1997 15:28:45 -0600
From: sarak@powerlite.rsoc.rockwell.com (Sara Kensington)
Message-Id: <199711062128.PAA16294@powerlite>
To: firewalls@GreatCircle.COM
Subject: [ANNOUNCE] NASA Computer Security Conference
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-MD5: mFlsHr0oas45j/gpHIUkcA==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Just a short notice for those that have an interest in this sort of thing:

There will be a NASA Sponsored Computer Security Conference, Dec 8th-13th 1997, with two and four day workshops given on Dec 8th & 9th and 11th & 12th in Galveston, Texas at the San Luis Resort and Convention Center. Dec 10th is pretty much dedicated to product demonstrations and installation classes, and this conference includes examinations and certifications for those that like paper for the wall :)

For up-to-date information, please refer to the URL

http://www2.unitedspacealliance.com/itse/

or you can call from 8:00 am to 5:00 pm Central Time, Monday thru Friday, toll free: 1-888-258-8859 ext:280 for more information.

Sara Kensington
IT Security Engineering Team
Penetration Testing
United Space Alliance
sarak@powerlite.rsoc.rockwell.com

P.S. Please accept my apologies to those who may interpret this as SPAM

From owner-firewalls-list Thu Nov 6 17:25:23 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA17542; Thu, 6 Nov 1997 16:02:28 -0800 (PST)
Received: from irwin-exch2.army.mil (IRWIN-EXCH2.ARMY.MIL [144.147.50.11]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id QAA17514 for ; Thu, 6 Nov 1997 16:02:17 -0800 (PST)
Received: by irwin-exch2.army.mil with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BCEACD.6BBEE880@irwin-exch2.army.mil>; Thu, 6 Nov 1997 16:02:45 -0800
Message-ID:
From: G2 Security Division
To: "'BSTACKPO@sla.com'", "'firewalls@greatcircle.com'", "Burnett, Charles", "McCray, John"
Subject: FW: DMZ Implementation
Date: Thu, 6 Nov 1997 15:59:25 -0800
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Looks like a classic implementation. Highlighted section on "customers...DMZ hosts...administrative functions" suggested to me that your organization might have a separation of duties between a network security officer and system administrators for various hosts within the DMZ. We are looking at some reorganization possibilities. Contrary to public belief, the government is also susceptible to the "doing more with less" routine.
Whereas doctrine normally calls for the person owning the system to provide security, most computer specialists focus on connectivity functions. Thus we have to think about retraining traditional security policy people to assume more technically-oriented security duties.

KFW

>----------
>From: Stackpole, Bill[SMTP:BSTACKPO@sla.com]
>Sent: Friday, October 31, 1997 7:58 AM
>To: 'Gaddy Gumbao'
>Cc: 'firewalls'
>Subject: RE: DMZ Implementation
>
>I can give you my method and I'm sure there are other ways to do this.
>I put a third interface into my firewall server and set up rules that
>allow external access to hosts on the DMZ limited to the services they
>provide (e.g., Web, FTP, etc.) I also set up rules that allow internal
>users to access DMZ hosts, also limited to the services those users
>require. And finally I set up rules that allow DMZ hosts to access
>specific hosts and services they require on the external and/or internal
>network.
>
>I allow no transparent connections, everything goes through the proxies.
>I use different private addressing on the DMZ and internal networks and
>I do the manufacturer's recommended security fixes and configurations to
>the DMZ hosts. As a final measure I recommend to my customers that they
>have a good backup and restore capability for their DMZ hosts and that they
>restrict administrative functions on DMZ hosts to the system
>console ONLY.
>
>> -----Original Message-----
>> From: Gaddy Gumbao [SMTP:succesor@mnl.sequel.net]
>> Sent: Friday, October 31, 1997 10:34 AM
>> To: rob.holman@ganda.demon.co.uk; firewalls@greatcircle.com
>> Subject: DMZ Implementation
>>
>>
>>
>>
>> hi there guys,
>>
>> Would anyone there like to help me set up a DMZ?
>> Where can I get a reference or some notes on what or how to set up a DMZ?
>>
>> I'm running Checkpoint firewall-1 on our Network.
>>
>> Thanks
>>
>> Gaddy
>> System Administrator
>>
>

From owner-firewalls-list Thu Nov 6 22:44:50 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA28107; Thu, 6 Nov 1997 22:33:08 -0800 (PST)
Received: from mail.azid.com (diazo.azid.com [207.240.15.195]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id WAA28093 for ; Thu, 6 Nov 1997 22:33:02 -0800 (PST)
Received: (qmail 4016 invoked from network); 7 Nov 1997 06:33:41 -0000
Received: from diazo.azid.com (207.240.15.195) by diazo.azid.com with SMTP; 7 Nov 1997 06:33:41 -0000
Date: Thu, 6 Nov 1997 23:33:41 -0700 (MST)
From: Eric Johnson
To: Joe Smith
cc: firewalls@GreatCircle.COM
Subject: Re: SSL WatchGuard
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

One more thing: I don't know this for a fact, but empirically it seems that the Firebox slows down noticeably if the loghost is under heavy load. So: Pick a capable loghost.

--Eric

---
Eric Johnson (ej@azid.com)
Arizona Internet Developers Inc. (AZID.COM)
http://www.azid.com/
+1-602 { 996-9682(v) | 333-2043(f) | 289-1628(p) }

On Tue, 4 Nov 1997, Joe Smith wrote:

: Date: Tue, 4 Nov 1997 07:50:01 -0400 (AST)
: From: Joe Smith
: To: firewalls@GreatCircle.COM
: Subject: SSL WatchGuard
:
: Greetings
:
: I have been tasked with looking at several firewalls, and I have been
: reading your posts with interest. The reviews that I have read have rated
: CheckPoint, WatchGuard and SunScreen the highest. The one that I am
: tending towards is the WatchGuard system.
:
: Do any of you on this list have RL experience with it? Are there any other
: problems with WatchGuard that I should know about?
:
: Thanks for the help!
:
: John
:

From owner-firewalls-list Thu Nov 6 22:59:45 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA27986; Thu, 6 Nov 1997 22:31:00 -0800 (PST)
Received: from mail.azid.com (diazo.azid.com [207.240.15.195]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id WAA27979 for ; Thu, 6 Nov 1997 22:30:47 -0800 (PST)
Received: (qmail 4009 invoked from network); 7 Nov 1997 06:31:13 -0000
Received: from diazo.azid.com (207.240.15.195) by diazo.azid.com with SMTP; 7 Nov 1997 06:31:13 -0000
Date: Thu, 6 Nov 1997 23:31:13 -0700 (MST)
From: Eric Johnson
To: Joe Smith
cc: firewalls@GreatCircle.COM
Subject: Re: SSL WatchGuard
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hey Joe, [ couldn't resist: any Hendrix fans here? ]

We use the Firebox here and have installed two so far at client sites.

The thing I like least about it so far: in the GUI you get Incoming and Outgoing tabs for each service (eg. ftp) that you allow/deny. With three interfaces, it would be nice if the GUI gave Incoming/Outgoing tabs *for each interface*.

Example: The other day, under time pressure, we wanted to drop a box on the (otherwise unused) Optional interface and enable ftp from it to (only) my ftp host on the outside. From the GUI's perspective, Outgoing means Internal/Optional to External; however, I already had a config set up for Any Internal to Any External ftp; to restrict that Optional host to a specific External host hosed my existing rules.

However, the GUI writes plaintext config files, so if I got ambitious, I'm sure I could roll my own config easily enough, and I have already successfully hand-edited config files.

It's Linux-based, quick and easy to set up (with the "CIO Friendly"TM Win95 GUI (actually, it's an X GUI ported to Win32: how ironic :-)), logs to a syslog host on the internal interface, can be remotely configured/monitored/rebooted via the GUI; boots from a single floppy, which can be write protected :-)

We have not pushed ours very hard, but are told that the 10Mb box will do "wire speed for up to 300 simultaneous sessions", whatever that means. The 10/100Mb box would be more capable still. For $3500 I think it's a smokin' deal.

Caveat: AZID is a WatchGuard reseller.

Regards,
--Eric

---
Eric Johnson (ej@azid.com)
Arizona Internet Developers Inc. (AZID.COM)
http://www.azid.com/
+1-602 { 996-9682(v) | 333-2043(f) | 289-1628(p) }

On Tue, 4 Nov 1997, Joe Smith wrote:

: Date: Tue, 4 Nov 1997 07:50:01 -0400 (AST)
: From: Joe Smith
: To: firewalls@GreatCircle.COM
: Subject: SSL WatchGuard
:
: Greetings
:
: I have been tasked with looking at several firewalls, and I have been
: reading your posts with interest. The reviews that I have read have rated
: CheckPoint, WatchGuard and SunScreen the highest. The one that I am
: tending towards is the WatchGuard system.
:
: Do any of you on this list have RL experience with it? Are there any other
: problems with WatchGuard that I should know about?
:
: Thanks for the help!
:
: John

From owner-firewalls-list Thu Nov 6 23:29:59 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA04957; Thu, 6 Nov 1997 23:27:07 -0800 (PST)
Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id XAA04948 for ; Thu, 6 Nov 1997 23:27:02 -0800 (PST)
Received: from ttruitt-pc.cisco.com (sj-dial-3-4.cisco.com [171.68.179.5]) by diablo.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id XAA10525; Thu, 6 Nov 1997 23:27:02 -0800 (PST)
Message-Id: <3.0.3.32.19971106232306.0083cc30@diablo.cisco.com>
X-Sender: ttruitt@diablo.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Thu, 06 Nov 1997 23:23:06 -0700
To: Tim Lebrun
From: "R. Todd Truitt"
Subject: Re: Help : Cisco access list
Cc: NetSea, firewalls@GreatCircle.COM
In-Reply-To: <3461DB2C.99A0C536@internetmci.com>
References: <2.2.32.19971106061246.006de0a0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:58 AM 11/6/97 -0500, Tim Lebrun wrote:
>Is there a cisco mailing list that anyone knows of ??????
>

Try the newsgroup comp.dcom.sys.cisco. Also, as Chris pointed out, the Cisco web page is very serious and very good. Go to www.cisco.com -> service and support -> docs or tech tips or tech tools.

Cheers,
--T

_________________________________________________________________________
R. Todd Truitt                                      ttruitt@cisco.com
Systems Engineer                                    PGP Public Key:
Security, Availability and Management Specialist    http://pgpkeys.mit.edu
Cisco Systems, Inc.
303.220.6164

From owner-firewalls-list Fri Nov 7 01:59:48 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA19975; Fri, 7 Nov 1997 01:50:35 -0800 (PST)
Received: from panix2.panix.com (panix2.panix.com [198.7.0.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id BAA19968 for ; Fri, 7 Nov 1997 01:50:30 -0800 (PST)
Received: (from guy@localhost) by panix2.panix.com (8.8.5/8.7/PanixU1.3) id EAA02903 for firewalls@greatcircle.com; Fri, 7 Nov 1997 04:52:30 -0500 (EST)
Date: Fri, 7 Nov 1997 04:52:30 -0500 (EST)
From: Information Security
Message-Id: <199711070952.EAA02903@panix2.panix.com>
To: firewalls@greatcircle.com
Subject: Re: [ANNOUNCE] NASA Computer Security Conference
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From owner-firewalls-list@GreatCircle.COM Thu Nov 6 18:21:40 1997
>
> Just a short notice for those that have an interest in
> this sort of thing;

Maybe, maybe not.

> There will be a NASA Sponsored Computer Security Conference,
> Dec 8th-13th 1997, with two and four day workshops given on
> Dec 8th & 9th and 11th & 12th in Galveston, Texas at the
> San Luis Resort and Convention Center. Dec 10th is pretty
> much dedicated to product demonstrations and installation
> classes, and this conference includes examinations and
> certifications for those that like paper for the wall :)
>
> For up-to-date information, please refer to the URL
>
> http://www2.unitedspacealliance.com/itse/

Problem!

This seminar, "Security Management and the Internet", comes up as:

    Technology for Information Security Conference `97
    We're sorry, this page is under construction.
    We'll have more information soon. Please stop back.

Why, so does seminar, "The Future of Computer Forensics".

As does "The Wizard of OZ on Information Security".

Why, there are seventeen dead seminars!!!

Yes, this _does_ sound like NASA quality stuff.

You know, like the recent mad scientist B-movie NASA brought us: need seven lightbulbs worth of juice for Cassini? Hey, let's load it up with 72 pounds of ceramicized plutonium! Good thing it didn't blow up on launch. Hopefully, in two years when it does a planetary gravity-assist flyby of Earth at 40,000 miles per hour, it will miss Earth. Because NASA documents say that 20 pounds of the plutonium will become _respirable_ particles.

NASA is the last place on Earth one should go to for risk assessment.

> Sara Kensington
> IT Security Engineering Team
> Penetration Testing
> United Space Alliance
> sarak@powerlite.rsoc.rockwell.com
>
> .ps Please accept my apologies to those who may
> interpret this as SPAM

Spam? Why would you be worried a little ol' conference would be spam?

# TISC '97 is the first to bring the predominant security relevant
# certification programs for both government and industry together,
# in one place, at one time, at one cost.
#
# This year, the Certified Recovery Planner (CRP) by Harris Recovery
# Institute and the Certified Information Systems Security Professional
# (CISSP) by the International Information Systems Security Certification
# Consortium (ISC2) examinations will be offered to those who are qualified
# and desire to take the certification examination and who have contacted the
# respective associations to arrange seating and payment of certification fees.

Right: spam.

I remember when the State of New Jersey wanted to certify programmers. It didn't go over well. It didn't happen.

The only plus I can see is the "Firewalls and Beyond" seminar is given by a "Marcus Ranum", which is very close to the name of someone well known to the security community.
---guy

From owner-firewalls-list Fri Nov 7 03:14:50 1997
Message-Id: <3.0.2.32.19971107121203.00933160@laus.dbk.laus.hr>
Date: Fri, 07 Nov 1997 12:12:03 +0200
To: Ken Kempster, David B. McGlumphy
From: Mario Misic
Subject: RE: Proxy recommendations
Cc: firewalls@GreatCircle.COM
References: <3.0.3.32.19971106130004.009526d0@mail>

At 15:07 1997.11.06 -0500, Ken Kempster wrote:
>We use Gauntlet here. Works well and we're
>doing over 200,000 hits on http per day.
>
>On 06-Nov-97 David B. McGlumphy wrote:
>> Hello,
>> I am the Webmaster for a county data center in Ohio. We currently are
>> using a RISC/6000 box running IBM's SNG on AIX and Netscape's Proxy Server.
>> The proxy seems to hang for long periods of time after a few hours of
>> running, forcing us to do frequent restarts. We have a brand new Risc box
>> in and are looking at alternatives to Netscape's Proxy Server. Does anyone
>> have any suggestions for a good proxy server? We are looking at ~500 users
>> doing only http (for now). Thanks for any help,

Hi!

Are you running Gauntlet on an RS/6000 - AIX machine? I heard that it is
not possible to run Gauntlet on AIX!
By M2
-----
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~ Mario Misic            | e-mail: mario@laus.hr       ~
~ CC Computer Consulting | Tel: +385 (20) 411-136      ~
~ Janjevska 15           |      +385 (1) 6552-330      ~
~ 20 000 Dubrovnik       | Fax: +385 (20) 411-136      ~
~ Hrvatska (Croatia)     | URL: http://www.laus.hr     ~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>>>>>>>>>>> Every dog will have his day ! <<<<<<<<<<<<<<
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From owner-firewalls-list Fri Nov 7 04:14:54 1997
Date: Fri, 07 Nov 1997 07:03:14 -0500
From: Bill Moulyn
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V6 #529 -Reply

Which one are you concerned with Ed?
From owner-firewalls-list Fri Nov 7 06:15:42 1997
Message-ID: <34631EEE.3F54BC7E@erenj.com>
Date: Fri, 07 Nov 1997 08:00:14 -0600
From: Andy Howard
Organization: Exxon Computing Services Company
To: Information Security
CC: firewalls@greatcircle.com
Subject: Re: [ANNOUNCE] NASA Computer Security Conference
References: <199711070952.EAA02903@panix2.panix.com>

Information Security (Guy) wrote:
> The only plus I can see is the "Firewalls and Beyond" seminar is
> given by a "Marcus Ranum", which is very close to the name of
> someone well known to the security community.

Hmm, I recognized another name, William Cheswick.... I seem to recall
that his name comes up in the discussions of firewalls and security on
occasion. (-:

Several other speakers known in the industry are slated.

I'm not an icon in the industry and certainly no wizard, but I would
recommend this conference, certainly for anybody that lives in the area.
Plenty of time and opportunity to exchange ideas with other attendees and
the speakers. Nice location.

IMO, the different certifications are no better or worse than any other
industry type certifications. And, before certification, test or no, you
have to show evidence of 3 years experience in the area you are testing
for (novel idea, eh?). The certifications are already in existence; this
is just an easy opportunity to review for the exams and sit for them.

I am not associated with NASA, but have enjoyed and learned from the last
two TISC conferences.

--
Andy Howard
achowar@erenj.com
-- the above comments are mine only --

From owner-firewalls-list Fri Nov 7 07:00:43 1997
Message-Id: <199711071458.JAA27782@mail.atl.bellsouth.net>
From: "Steve Jackson Brown"
Subject: Finjan Surfin Gate Review
Date: Fri, 7 Nov 1997 09:55:48 -0500

Here's an interesting review of Finjan SurfinGate I found.
http://www.rstcorp.com/hostile-applets/drowning.html

From owner-firewalls-list Fri Nov 7 08:00:14 1997
Message-ID: <43BED8177D10D011A69A0800092C15D70BBABA@haig.oplab.nmac.ericsson.se>
From: Robert Ståhlbrand
To: "'firewalls@greatcircle.com'"
Subject: FIN Scanning through all kind of packet-filtering firewalls?
Date: Fri, 7 Nov 1997 16:47:04 +0100

Hi!

The FIN scanning method (presented in Phrack Magazine 49, article 15),
where you can scan for open ports on a host behind a packet-filtering
firewall even though your rules deny it, is certainly working on Checkpoint ver.
2.1(a), but I wonder if anyone has experience with other firewall software
or versions of software (packet-filtering, do I have to mention that again?)?

I know that the behavior is possible because of a bug in the BSD netcode
which most UNIX-systems today seem to run, but I have not heard of any
patches (Alan Cox, are you still alive?). Should I look for patches for my
O.S. or for my firewall software? Are Ciscos vulnerable with IOS versions
below 11? I have heard rumours....

Please, I don't want tons of mail asking "how do you do that?" or "do you
have the source code?". If you are interested in how it works (and it works
well), read the article at

http://www.infowar.com/iwftp/Phrack/Phrack49/P49-15.txt

which deals with the details. You can also try nmap, which is in Phrack
Magazine 51, article 11, and is a great scanning program which supports
more scanning methods! It's also VERY fast! Keep up the good work, Fyodor!!!

Name: Robert Ståhlbrand
Company: Ericsson Telecom AB
Company-Address: Flöjelbergsvägen 1C, Box 333
Zip-Code: 431 24 Mölndal
Phone Number: +46 31 747 6162
Fax Number: +46 31 747 3777
Email: robert.stahlbrand@nmac.ericsson.se

From owner-firewalls-list Fri Nov 7 08:15:17 1997
From: Craig Ward
To: firewalls@greatcircle.com
Subject: RE: [ANNOUNCE] NASA Computer Security Conference
Date: Fri, 7 Nov 1997 08:01:55 -0800

Good grief!
More luddite FUD mongering. Will it never end? Please take this elsewhere.

> -----Original Message-----
> From: Information Security [SMTP:guy@panix.com]
> Sent: Friday, November 07, 1997 1:53 AM
> To: firewalls@greatcircle.com
> Subject: Re: [ANNOUNCE] NASA Computer Security Conference
> ...
> You know, like the recent mad scientist B-movie NASA brought us: need
> seven lightbulbs worth of juice for Cassini? Hey, let's load it up
> with 72 pounds of ceramicized plutonium! Good thing it didn't blow
> up on launch. Hopefully, in two years when it does a planetary
> gravity-assist flyby of Earth at 40,000 miles per hour, it will
> miss Earth. Because NASA documents say that 20 pounds of the plutonium
> will become _respirable_ particles.
>
> NASA is the last place on Earth one should go to for risk assessment.

From owner-firewalls-list Fri Nov 7 09:44:55 1997
From: CCCRE.CCULL@capital.ge.com
To: " - (052)firewalls(a)GreatCircle.COM"
Subject: Re[2]: [ANNOUNCE] NASA Computer Security Conference
Message-ID: <0013800003384938000002L082*@MHS>
Date: Fri, 7 Nov 1997 12:39:19 -0500

Oh yeah, this is a great forum for discussion of the risks of plutonium
by someone who evidently has NO training on the
matter. As an ex-nuclear field-type person, I can tell you that I have no
fears (and no vested interest in the success of) of this tree-hugger
overblown bullshit case of environmentalism. You're probably the same type
of goober who swears by electric cars even though they cause more pollution;
they just move the source.....

From owner-firewalls-list Fri Nov 7 10:00:15 1997
From: Neil_Buckley/CAM/Lotus@lotus.com
To: firewalls@greatcircle.com
Message-Id: <85256548.00439F0A.00@mta2.lotus.com>
Date: Fri, 7 Nov 1997 12:57:20 -0500
Subject: Penetration Detection Tools

Hello,

Does anyone have recommendations for third party penetration detection
tools? I am fairly familiar with most freeware products for UNIX, but I
need a company wide solution.
Thanks in advance for any info,

Neil Buckley
nbuckley@lotus.com

From owner-firewalls-list Fri Nov 7 11:00:38 1997
Message-ID: <01BCEB7C.99D3D500@kennyspc.paradigmsim.com>
From: Ken Atkinson
To: " - (052)firewalls(a)GreatCircle.COM", "'CCCRE.CCULL@capital.ge.com'"
Subject: RE: Re[2]: [ANNOUNCE] NASA Computer Security Conference
Date: Fri, 7 Nov 1997 12:56:43 -0600

SHUT UP. FIREWALLS remember.

----------
From: CCCRE.CCULL@capital.ge.com[SMTP:CCCRE.CCULL@capital.ge.com]
Sent: Friday, November 07, 1997 11:39 AM
To: - (052)firewalls(a)GreatCircle.COM
Subject: Re[2]: [ANNOUNCE] NASA Computer Security Conference

Oh yeah, this is a great forum for discussion of the risks of plutonium
by someone who evidently has NO training on the matter. As an ex-nuclear
field-type person, I can tell you that I have no fears (and no vested
interest in the success of) of this tree-hugger overblown bullshit case of
environmentalism. You're probably the same type of goober who swears by
electric cars even though they cause more pollution; they just move the
source.....
From owner-firewalls-list Fri Nov 7 11:15:10 1997
Date: Fri, 07 Nov 1997 12:41:40 -0600
From: MIKE JENKINS
To: firewalls@greatcircle.com
Subject: Re: syslogd on SunOS doesn't work

Shouldn't that first line of code be "#!/bin/sh"? ;-)
(Use the 'logger' command to send stuff to syslog.)

This is horrible. Sigh.

> ---code ----------------------------------------------------------------
>/* Swap in a temporary syslog.conf that sends local0 to /log_syslog,
>   log 10,000 messages, restore the original config, then count how
>   many of each message actually reached the file. */
>#include <stdio.h>     /* printf, remove */
>#include <stdlib.h>    /* system */
>#include <syslog.h>    /* syslog, LOG_LOCAL0, LOG_INFO */
>#include <unistd.h>    /* sleep */
>
>int main(void)
>{
>    int i;
>
>    /* save the live config and replace it with one rule for local0 */
>    system("cp /etc/syslog.conf /rette.syslog.conf");
>    system("echo 'local0.debug /log_syslog' > /etc/syslog.conf");
>    remove("/log_syslog");
>    system("touch /log_syslog");
>    system("kill -HUP `cat /etc/syslog.pid`");   /* syslogd rereads config */
>    sleep(1);
>
>    /* 1000 rounds of 10 distinct messages: 10,000 syslog() calls */
>    for (i = 0; i < 1000; i++)
>    {
>        syslog(LOG_LOCAL0 | LOG_INFO, "__m0");
>        syslog(LOG_LOCAL0 | LOG_INFO, "__m1");
>        syslog(LOG_LOCAL0 | LOG_INFO, "__m2");
>        syslog(LOG_LOCAL0 | LOG_INFO, "__m3");
>        syslog(LOG_LOCAL0 | LOG_INFO, "__m4");
>        syslog(LOG_LOCAL0 | LOG_INFO, "__m5");
>        syslog(LOG_LOCAL0 | LOG_INFO, "__m6");
>        syslog(LOG_LOCAL0 | LOG_INFO, "__m7");
>        syslog(LOG_LOCAL0 | LOG_INFO, "__m8");
>        syslog(LOG_LOCAL0 | LOG_INFO, "__m9");
>    }
>    sleep(15);
>
>    /* put the original config back and tell syslogd */
>    system("mv /rette.syslog.conf /etc/syslog.conf");
>    sleep(1);
>    system("kill -HUP `cat /etc/syslog.pid`");
>    sleep(1);
>
>    /* i is 1000 after the loop; each grep count should match it, and a
>       smaller count means syslogd dropped messages */
>    printf("\nSearch for __m0 in /log_syslog=%d, count= ", i);
>    system("grep -c __m0 /log_syslog");
>    printf("\nSearch for __m1 in /log_syslog=%d, count= ", i);
>    system("grep -c __m1 /log_syslog");
>    printf("\nSearch for __m2 in /log_syslog=%d, count= ", i);
>    system("grep -c __m2 /log_syslog");
>    printf("\nSearch for __m3 in /log_syslog=%d, count= ", i);
>    system("grep -c __m3 /log_syslog");
>    printf("\nSearch for __m4 in /log_syslog=%d, count= ", i);
>    system("grep -c __m4 /log_syslog");
>    printf("\nSearch for __m5 in /log_syslog=%d, count= ", i);
>    system("grep -c __m5 /log_syslog");
>    printf("\nSearch for __m6 in /log_syslog=%d, count= ", i);
>    system("grep -c __m6 /log_syslog");
>    printf("\nSearch for __m7 in /log_syslog=%d, count= ", i);
>    system("grep -c __m7 /log_syslog");
>    printf("\nSearch for __m8 in /log_syslog=%d, count= ", i);
>    system("grep -c __m8 /log_syslog");
>    printf("\nSearch for __m9 in /log_syslog=%d, count= ", i);
>    system("grep -c __m9 /log_syslog");
>    printf("\nwc of /log_syslog= ");
>    system("wc -l /log_syslog");
>    return 0;
>}
>---end code -------------------------------------------------------------

From owner-firewalls-list Fri Nov 7 11:29:55 1997
From: Information Security
Message-Id: <199711071927.OAA21105@panix2.panix.com>
Date: Fri, 7 Nov 1997 14:27:50 -0500 (EST)
To: firewalls@GreatCircle.COM
Subject: Re: [ANNOUNCE] NASA Computer Security Conference

Good grief, people, the crack at NASA for needlessly risking shooting
a large amount of plutonium up in a space shot was just a shot in passing.

I was reporting that the spam referenced a very poorly done WWW.
And, no, I am actually pro-nuclear and pro-space exploration, and yes,
it was an incredibly stupid thing for NASA to do.

If you want extended details, email me subject "Requesting Cassini Flame"
and I'll send it to you. (for those who think I'm wrong, or anti-technology).

Otherwise, yes, let's drop it. Sheesh.

---guy

From owner-firewalls-list Fri Nov 7 12:30:15 1997
Message-Id: <199711072014.MAA27692@honor.greatcircle.com>
Date: Fri, 7 Nov 1997 15:06:19 -0500
From: gary flynn
To: firewalls@GreatCircle.COM, owner-firewalls-list@GreatCircle.COM
Subject: Re: FIN Scanning through all kind of packet-filtering firewalls?

> From:
>
> The FIN scanning method (presented in Phrack Magazine 49, article 15)
> where you can scan for open ports on a host behind a packet-filtering
> firewall even though your rules deny it is certainly working on
> Checkpoint ver. 2.1(a)

What exactly do you mean by working? You must have some type of filter
that allows port communications if the sessions are established
internally, like the Cisco "established" ACL. I'm not familiar with
Checkpoint, but any packet filter that is filtering on a destination port
is going to toss the packet regardless of the SYN or any other flag unless
there is some special programming. It may get to the router/firewall
itself if it's an output filter, or it may get through a Cisco-like
"established" filter, but I don't think it's going to get through anything
else.
Gary Flynn
Network Analyst
James Madison University

From owner-firewalls-list Fri Nov 7 12:57:59 1997
Message-ID: <34637EA0.3D83@halsp.hitachi.com>
Date: Fri, 07 Nov 1997 12:48:32 -0800
From: Eric Vanuska
To: firewalls@greatcircle.com
Subject: Extensions to Radius

Hello all,

We are using Radius for authentication and would like to hack radiusd to
accommodate authentication to a Netscape LDAP 2.0 server, using the client
digital certificate and user ID, i.e. instead of include'ing ACE.h in
radiusd.c, include LDAP.h.

Has anyone tried this? If so, do you have some source code you want to
share? :)

If not, does anyone want to share any thoughts on this adventure?

Thanks, in advance,
EricV.
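The FIN-scanning exchange above (Robert's question and Gary's reply) turns on what a packet filter actually matches. The following is an added example, not code from anyone on the list: a small model of three filter styles fed constructed sample packets, showing that a rule which only blocks inbound SYNs passes a bare FIN probe, that a destination-port rule drops it regardless of flags, and that a stateful filter both drops it and can report the source as a likely FIN scanner. The addresses, ports and the `INSIDE_NET` prefix are assumptions.

```python
"""Added example (not from the list thread): a toy model of three packet-filter
styles against a FIN probe.  All packets below are constructed sample data;
the addresses and the INSIDE_NET prefix are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# TCP header flag bits
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

INSIDE_NET = "10.0.0."  # assumed prefix of the protected network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def inbound(p: Packet) -> bool:
    """True for packets entering the protected network from outside."""
    return p.dst.startswith(INSIDE_NET) and not p.src.startswith(INSIDE_NET)


def syn_only_filter(p: Packet) -> bool:
    """Rule that only refuses new inbound connection attempts (SYN set, ACK
    clear).  A bare FIN has neither bit, so it passes: this is the gap the
    Phrack 49-15 FIN scan relies on."""
    if inbound(p) and (p.flags & SYN) and not (p.flags & ACK):
        return False
    return True


def port_filter(p: Packet, denied_ports) -> bool:
    """Rule keyed on destination port: drops regardless of flags, which is
    Gary's point about filters that match on the port."""
    return not (inbound(p) and p.dport in denied_ports)


class StatefulFilter:
    """Admits inbound packets only when they belong to a session that was
    opened from inside, and records flag-only probes that match no session."""

    def __init__(self):
        self.sessions = set()                  # (in_ip, in_port, out_ip, out_port)
        self.orphan_fins = defaultdict(set)    # probing source -> ports probed

    def allow(self, p: Packet) -> bool:
        if not inbound(p):
            # an outbound SYN (no ACK) opens a session entry
            if (p.flags & SYN) and not (p.flags & ACK):
                self.sessions.add((p.src, p.sport, p.dst, p.dport))
            return True
        key = (p.dst, p.dport, p.src, p.sport)
        if key in self.sessions:
            if p.flags & (FIN | RST):          # peer is closing: forget the session
                self.sessions.discard(key)
            return True
        if (p.flags & FIN) and not (p.flags & ACK):
            self.orphan_fins[p.src].add(p.dport)   # FIN with no session: a probe
        return False

    def fin_scanners(self, threshold: int = 3) -> dict:
        """Sources that sent session-less bare FINs to at least `threshold`
        distinct ports; a single stray FIN is not enough to raise an alert."""
        return {src: sorted(ports) for src, ports in self.orphan_fins.items()
                if len(ports) >= threshold}


def run_sample() -> dict:
    """Constructed traffic: one legitimate web session opened from inside,
    then a four-port FIN sweep from an outside host.  Returns each filter's
    verdicts and the stateful filter's scanner report."""
    legit_out = Packet("10.0.0.5", 40001, "192.0.2.10", 80, SYN)
    legit_in = Packet("192.0.2.10", 80, "10.0.0.5", 40001, SYN | ACK)
    probes = [Packet("198.51.100.7", 55555, "10.0.0.5", port, FIN)
              for port in (22, 23, 25, 80)]

    sf = StatefulFilter()
    sf.allow(legit_out)
    stateful = [sf.allow(p) for p in probes] + [sf.allow(legit_in)]
    return {
        "syn_only": [syn_only_filter(p) for p in probes],      # every probe passes
        "port_filter": [port_filter(p, {22, 23, 25}) for p in probes],
        "stateful": stateful,                                   # probes dropped, reply kept
        "scanners": sf.fin_scanners(),
    }


if __name__ == "__main__":
    for name, verdict in run_sample().items():
        print(f"{name}: {verdict}")
```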
From owner-firewalls-list Fri Nov 7 13:00:38 1997
Message-ID: <34637FB6.E61@csc.com>
Date: Fri, 07 Nov 1997 15:53:10 -0500
From: Joe Loiacono
Organization: Computer Sciences Corporation
To: Information Security
CC: firewalls@GreatCircle.COM
Subject: Re: [ANNOUNCE] NASA Computer Security Conference
References: <199711071927.OAA21105@panix2.panix.com>

Information Security wrote:
>
> Good grief, people, the crack at NASA for needlessly risking shooting
> a large amount of plutonium up in a space shot was just a shot in passing.

Second shot.
--
Joe Loiacono
(301) 415-6153
Computer Sciences Corporation
http://www.csc.com

From owner-firewalls-list Fri Nov 7 13:31:21 1997
From: "David Sulser"
To: Neil_Buckley/CAM/Lotus@lotus.com
cc: firewalls@GreatCircle.COM
Message-ID: <85256548.00733765.00@tssdc.saic.com>
Date: Fri, 7 Nov 1997 16:03:11 -0400
Subject: Re: Penetration Detection Tools

David Sulser
11-07-97 04:03 PM

If you want to go the audit reduction route, do check out
http://www.saic.com/it/cmds/index.html

It's in another part of the company, so I don't sell it. I have seen it
work and it is effective.

David Sulser
Vienna, Va.

"Neil_Buckley/CAM/Lotus"@lotus.com on 11/07/97 12:57:20 PM

To: firewalls@GreatCircle.COM
cc: (bcc: David Sulser/SAIC)
Subject: Penetration Detection Tools

Hello,

Does anyone have recommendations for third party penetration detection
tools? I am fairly familiar with most freeware products for UNIX, but I
need a company wide solution.
Thanks in advance for any info,

Neil Buckley
nbuckley@lotus.com

From owner-firewalls-list Fri Nov 7 16:42:54 1997
Message-Id: <3.0.3.32.19971106171832.007f1be0@lint.cisco.com>
Date: Thu, 06 Nov 1997 17:18:32 -0500
To: Tim Lebrun
From: Paul Ferguson
Subject: Re: Help : Cisco access list
Cc: Chris Lonvick, NetSea, firewalls@GreatCircle.COM
In-Reply-To: <3461DB2C.99A0C536@internetmci.com>
References: <2.2.32.19971106061246.006de0a0@localhost>

At 09:58 AM 11/6/97 -0500, Tim Lebrun wrote:
>Is there a cisco mailing list that anyone knows of ??????
>

If you wish to subscribe to the Cisco mailing list, please send your
request (subscribe cisco) to cisco-request@spot.colorado.edu.

- paul

--
Paul Ferguson                    ||        ||
Consulting Engineering           ||        ||
Herndon, Virginia USA           ||||      ||||
tel: +1.703.397.5938        ..:||||||:..:||||||:..
mailto:ferguson@cisco.com    c i s c o S y s t e m s

From owner-firewalls-list Fri Nov 7 16:44:00 1997
From: Brad
Message-Id: <199711060445.XAA03871@freedom.gmsociety.org>
Subject: Re: Hijak detection
To: circle@cali-net.com (RHS Linux User)
Date: Wed, 5 Nov 1997 23:45:17 -0500 (EST)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: from "RHS Linux User" at Nov 4, 97 06:33:31 pm

I believe that NetRanger is looking for the flood of packets that can/will
be generated in order to match the SN. Doesn't this basically produce an
ACK "storm" that is detectable and can thus be reacted upon (TCP RESET)?

> On Tue, 4 Nov 1997, Doy wrote:
>
> > Guys,
> >
> > I wonder if there are firewall/intrusion detection products that can
> > deal with TCP session hijack.. I didn't see threads related to this
> > topic in the last half year ..okay, I'm new to this list.. ;)
> >
> > Suppose the TCP session is not encrypted, and the attacker is on the
> > packet's route, what can we do about it? Surrender..??
>
> Detecting hijacking from inside your network, or hijacking coming from
> another route would be easy to detect by an intrusion detection system that
> maintains an ARP list of currently active TCP sessions and their
> corresponding hardware addresses. Then have the program detect any packets
> coming from a different hardware address that wasn't assigned to that
> specific IP.
>
> I don't know of any way you could prevent non-blind hijacking, except for
> the fact that you may end up seeing out of sequence packets or packets with
> duplicate sequence numbers arrive at the victim's host after the hijack
> begins. If you could remedy a method of doing this reliably you could then
> have the intrusion detection software enable a filter in your
> firewall/router, or perhaps send a RST packet to the server shutting off
> the session.
>
> > Of course not. We can build statistical analysis on number of invalid
> > packets that transmitted on each session. Has anybody done this? Is this
> > approach valid anyway?
> >
> > I'd like to see other solutions/products beside encryption/routing/netw.
> > segmentation.
> >
> > This was just a thought, I probably overlooked something simpler.
>
> Just another reason not to use the telnet protocol.
>
> Jean-Christophe Smith
> California Network Solutions
> jean@internet-security.com
> http://www.cali-net.com
>

From owner-firewalls-list Fri Nov 7 16:45:06 1997
Message-ID: <346101AE.6B99@indo-mail.com>
Date: Thu, 06 Nov 1997 06:30:54 +0700
From: Doy
To: Adam Shostack
CC: Brad, RHS Linux User, "H. Morrow Long", Frank Willoughby,
    anarch@freedom.gmsociety.org, firewalls@GreatCircle.COM
Subject: Re: Hijak detection
References: <199711051403.JAA03367@homeport.org>

I agree that host authentication is the only real defense. I think network
level encryption will defend against this kind of attack too. Transport
level encryption might stop hijacking, but is still vulnerable to DoS
attack (the attacker might still be able to put both hosts in
desynchronized mode).

When I made my previous post, I assumed a situation where we couldn't apply
any kind of authentication and encryption, and to make the situation
worse, the packets are routed via a segment where a highly motivated
professional (government ;-)) spy cracker(tm) is ready to hijack...
Given the situation, the only chance to detect the attack is to analyze invalid packets (sequence number) transmitted by a session. Problems : 1. How do we detect a hijack. Even in normal TCP conversation, there are lots of packets with invalid SN (duplication, etc.), so how do we decide if an invalid packet is part of a hijacked session or not? 2. How to determine which is the attacker and which is the victim. By using only TCP seq. num., we definitely CAN NOT decide which is the attacker and which is the victim, because a skilled attacker would most likely only send 'good' packets, making the victim look bad. While a 'young' attacker is probably still making mistakes in calculating SN, thus making both attacker and victim look bad. Looking at route information in the packet (if available) will provide an important clue, but is still not reliable if your network uses multiple routes. Looking at the H/W address of a packet won't help much, because you'll only see the gateway H/W address in the packet. 3. To make the situation worse... The attacker might send OOB packets, change route information, or other DoS attack to the victim. The firewall/IDS should be aware that these are parts of the hijacking procedure, and terminate the victim's sessions immediately. So, I didn't make any suggestion about a product. Nor do I sell any. In fact, if WheelGroup claims that their product can deal with TCP hijack attack, how the heck are they doing it? regards, Doy Adam Shostack wrote: > > Frank Willoughby wrote: > | At 03:09 AM 11/5/97 -0500, Adam Shostack allegedly wrote: > > | >There are real defenses, and there are hacks. Host security is a > | >solid defense, firewalls are a hack. Point to point encryption is a > | >real defense, but there are hacks available. > | > | Which particular hacks are you referring to? (If you wish, feel free > | to e-mail me this off-line). > > The suggestion that Doy made, perhaps the new wheel group product. > > | >The point that (doy?)
made is that session hijacking produces a flood > | >of shit as you jam in packets in the hopes of getting the numbers > | >right. (Since the other guy is transmitting at the same time as you, > | >you often send a slew of packets, to get them into the stack first.) > | > | This step shouldn't be necessary. Monitor the packets going to/from > | the firewall (or target system), bring down the victim's system on > | the outside (OOB, etc.), and then send in the correct packets to the > | firewall/system. The firewall wouldn't notice the difference, and it > | is likely, the victim would chalk up the problem to network difficulties. > > You assume a perfect attacker. I assume script kiddies. There are > more script kiddies than perfect attackers. If you spend time > watching real attacks on real systems, you realize how many idiots are > out there. > > | >There are a number of papers on detecting this sort of thing, many > | >published in the months after Tsutomu was hacked. > | > | I've seen several of these and didn't see anything that would deter > | the aforementioned attack. OTOH, location-based authentication > | (based on GPS) *might* slow this attack down for the near future, > | but only for the military folks. The current resolution of GPS > | wouldn't deter this type of attack for civilians - at least not > | today. > > I have no clue what you're talking about, other than that > paper about location escrow by Denning. Anyone who can't redo their > TCP stack to break that can't execute a perfect hijack either. > > | If you have the time, I would be interested in a reference or pointer > | about a method which does not use encryption to deter session hijacking > | (other than GPS location-based authentication). > > Pointer: Doy's previous posts about the statistical deviations in bad > packets when hijacking takes place. > > | >It's not an > | >ideal defense. (point to point cryptographic *authentication*, not > | >encryption, is the ideal defense.
> | > | Such as SecurID, Digital Pathways, DESlock, etc? These wouldn't slow down > | a serious attacker. > > No, such as IPsecurity AH packets. SSL3 using separate keys > to authenticate and encrypt a session. I apologize for my lack of > precision, I should have said cryptographic integrity protection for > the session. > > Adam > > -- > "It is seldom that liberty of any kind is lost all at once." > -Hume From owner-firewalls-list Fri Nov 7 16:46:14 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA14364; Fri, 7 Nov 1997 14:17:56 -0800 (PST) Received: from ntserver1.us.esafe.com (c209-43-213-2.esafe.com [209.43.213.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id OAA14322 for ; Fri, 7 Nov 1997 14:17:42 -0800 (PST) Received: by c209-43-213-2.esafe.com with Internet Mail Service (5.0.1458.49) id ; Fri, 7 Nov 1997 14:17:19 -0800 Message-ID: From: Jerry Huyghe To: "'Steve Jackson Brown'" , firewalls@greatcircle.com Subject: RE: Finjan Surfin Gate Review Date: Fri, 7 Nov 1997 14:17:18 -0800 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The review you point to shows the problems with the so-called "Java and ActiveX security" approach used by McAfee and FinJan. Simply blocking known web sites with Vandal applets or filtering names of known hostile classes will not block targeted attacks or new threats. Vandals are not viruses. They deliver their payload or steal the information they want as soon as they enter your system. Viruses, on the other hand, can be isolated and sent to a vendor for analysis before they cause irrevocable damage. Furthermore, Vandals do not replicate and can be written in ANY programming language. The quick fix, which was implemented by FinJan and McAfee, is to use URL filtering or scanning techniques to look for known vandals.
Even with known vandals, these techniques can be bypassed easily by rewriting the vandal applet or placing it on a new site. If somebody writes an ActiveX control designed to only attack when it is in YOUR network, FinJan and McAfee's proposed solutions will not block the attack. Similarly, attacks written in Javascript, automatic plug-ins, or trojan horses would not be blocked at all. We believe the most effective solution is to create a browser sandbox, a more generic and effective approach. This should be built into the OS but is not. Any Internet content is restricted from accessing certain parts of the drive. An ActiveX control should not delete files from the root directory or read a file in the My Documents folder. Furthermore, an anti-vandal sandbox will block vandals written in Javascript, hostile plug-ins, and booby-trapped web links. Protection from vandal applets is a new technology which is still being defined...any thoughts? Jerry Huyghe Product Manager eSafe Technologies http://www.esafe.com > -----Original Message----- > From: Steve Jackson Brown [SMTP:sjbrown@bellsouth.net] > Sent: Friday, November 07, 1997 6:56 AM > To: firewalls@greatcircle.com > Subject: Finjan Surfin Gate Review > > Here's an interesting review of Finjan SurfinGate I found.
> > http://www.rstcorp.com/hostile-applets/drowning.html > > From owner-firewalls-list Fri Nov 7 17:10:15 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA08241; Fri, 7 Nov 1997 16:58:04 -0800 (PST) Received: from pike.sover.net (pike.sover.net [204.71.16.17]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id QAA08234 for ; Fri, 7 Nov 1997 16:57:59 -0800 (PST) Received: from sover.net (usr2a22.rut.sover.net [206.25.64.218]) by pike.sover.net (8.8.5/8.8.5) with ESMTP id TAA17870 for ; Fri, 7 Nov 1997 19:58:37 -0500 (EST) Message-ID: <3463BA21.BBC8D010@sover.net> Date: Fri, 07 Nov 1997 20:02:25 -0500 From: Chris Brenton Reply-To: cbrenton@sover.net X-Mailer: Mozilla 4.03 [en] (Win95; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: Re: Ever seen this in practice?? References: <199711061114.LAA03425@minn.dsbc.icl.co.uk> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Malcolm Mladenovic wrote: > > Sounds like TMux - RFC 1692. I don't know what its current status is. > There is a paragraph in the RFC suggesting that non-TMux routers should > be set to block all TMux packets - causing the hosts to fall back to normal. Exactly right! Took a breeze through the RFC and it describes the exact conditions I was describing. One paragraph in particular I would like to quote: "The multiplexing is achieved by combining the individual segments, (H,B1) through (H,Bn), into a single message. This single message has an IP header which is equal to H, but having in the PROTOCOL field the value 18 which is the protocol number of the TMux protocol. This IP header is followed by all the segments, B1 through Bn. Each segment, Bi, is preceded by a 4 octet TMux mini header. This contains the number of the protocol to which this segment is addressed. It also contains the total length of this segment, including this mini header. 
Since this mini header is not otherwise protected by a check-sum, it also includes a checksum field which just covers this mini header." So, per the RFC, an IP packet containing multiple sessions should have a value of "18" in the IP protocol ID field. Since TCP uses "6", and UDP uses "17" (if memory serves), this gives a very distinct method of filtering out this type of traffic without the need to inspect payload. That assumes, of course, that someone has not figured out how to break it. Thanks for the feedback! ************************************** cbrenton@sover.net http://www.amazon.com/exec/obidos/ats-query/0740-8883012-887529 "We've heard that a million monkeys at a million keyboards could produce the Complete Works of Shakespeare; now, thanks to the Internet, we know this is not true." From owner-firewalls-list Fri Nov 7 18:45:31 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA25184; Fri, 7 Nov 1997 18:24:55 -0800 (PST) Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id SAA25161 for ; Fri, 7 Nov 1997 18:24:46 -0800 (PST) Received: (qmail 29264 invoked from smtpd); 8 Nov 1997 02:25:25 -0000 Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 8 Nov 1997 02:25:25 -0000 Received: from baileynm.com (grendel.nmti.com [198.178.0.150]) by web.nmti.com (8.6.12/8.6.9) with SMTP id UAA22620; Fri, 7 Nov 1997 20:25:24 -0600 Received: by baileynm.com; (5.65v3.2/1.1.8.2/08Sep97-0924AM) id AA15340; Fri, 7 Nov 1997 20:27:51 -0600 From: Peter da Silva Message-Id: <9711080227.AA15340@baileynm.com> Subject: Re: Finjan Surfin Gate Review To: jerry@us.esafe.com (Jerry Huyghe) Date: Fri, 7 Nov 1997 20:27:51 -0600 (CST) Cc: sjbrown@bellsouth.net, firewalls@greatcircle.com In-Reply-To: from "Jerry Huyghe" at Nov 7, 97 02:17:18 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: 
bulk > Protection from vandal applets is a new technology which is still being > defined...any thoughts? Use the approach in HTML: don't allow the applets the ability to perform dangerous acts. If you want to do more, then explicitly download and install a plugin. That way you have control and you have to perform an explicit install before you're exposed. The only applet technology I know of that does this is the Tk plugin, which actually removes all dangerous commands from the interpreter before running the applet, so even if it's hostile it has no access to anything outside the sandbox. From owner-firewalls-list Sat Nov 8 01:00:20 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA26136; Sat, 8 Nov 1997 00:48:53 -0800 (PST) Received: from messiah.cableinet.net (messiah.cableinet.net [194.117.157.68]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id AAA26129 for ; Sat, 8 Nov 1997 00:48:46 -0800 (PST) Received: (qmail 18914 invoked from network); 8 Nov 1997 09:52:05 -0000 Received: from lions.cableinet.net (193.38.113.5) by messiah with SMTP; 8 Nov 1997 09:52:05 -0000 Received: from known-space (usr109-bas.cableinet.co.uk [194.117.148.119]) by lions.cableinet.net (950413.SGI.8.6.12/951211.SGI) via SMTP id IAA11390 for ; Sat, 8 Nov 1997 08:37:25 GMT From: "Sam Thornton" To: "Firewalls Mailing List" Subject: IngresNet Date: Sat, 8 Nov 1997 08:48:34 -0000 Message-ID: <01bcec23$1938e1e0$779475c2@known-space> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0156_01BCEC23.1938E1E0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a multi-part message in MIME format. 
Dear all, I have recently been asked if we can connect an external site, through our Firewall, to an Ingres database. The remote client will be using CA OpenRoad which, (I'm led to believe), uses IngresNet. I've talked to the DB admin/support team and they have no idea as to how IngresNet works.. in fact they told me all that would be needed was a telnet session(!). Does anyone have any details on IngresNet e.g. tcp/udp port numbers, any quirks (such as dynamic port re-allocation as in sql*net) or anything else that would be pertinent when trying to pass this, in as secure a manner as possible, through a Firewall. Thanks, Sam.
From owner-firewalls-list Sat Nov 8 01:30:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA26531; Sat, 8 Nov 1997 01:07:30 -0800 (PST) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id BAA26521 for ; Sat, 8 Nov 1997 01:07:23 -0800 (PST) Message-Id: <199711080907.BAA26521@honor.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA205130075; Sat, 8 Nov 1997 20:07:55 +1100 From: Darren Reed Subject: Re: FIN Scanning through all kind of packet-filtering firewalls? To: gary@habanero.jmu.edu (gary flynn) Date: Sat, 8 Nov 1997 20:07:54 +1100 (EDT) Cc: firewalls@GreatCircle.COM, firewall-wizards@nfs.net In-Reply-To: <199711072014.MAA27692@honor.greatcircle.com> from "gary flynn" at Nov 7, 97 03:06:19 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In some mail from gary flynn, sie said: > > > From: > > > > The FIN scanning method (presented in Phrack Magazine 49, article 15) > > where you can scan for open ports on a host behind a packet-filtering > > firewall even though your rules denies it is certainly working on > > Checkpoint ver. 2.1(a) [...] > I'm not familiar with Checkpoint but any packet filter that is > filtering on a destination port is going to toss the packet > regardless of the SYN or any other flag unless there is some > special programming. I wouldn't be so sure about that. Checkpoint's FW-1 will pass all packets through with the ACK flag set (except, I think SYN-ACK) but will strip the body of any data. They do this so that they can rebuild state for a connection which has remained open over (say) the firewall rebooting or connection information expiring. If the reply packet was returned, anyway, there's your scan!
Darren From owner-firewalls-list Sat Nov 8 03:01:39 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA29636; Sat, 8 Nov 1997 01:39:41 -0800 (PST) Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [194.237.142.5]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id BAA29611 for ; Sat, 8 Nov 1997 01:39:26 -0800 (PST) Received: from geek.nmac.ericsson.se (geek.nmac.ericsson.se [130.100.187.83]) by penguin.wise.edt.ericsson.se (8.7.5/8.7.3/glacier-1.12) with ESMTP id KAA27370 for ; Sat, 8 Nov 1997 10:40:11 +0100 (MET) Received: from haig.oplab.nmac.ericsson.se (haig.oplab.nmac.ericsson.se [130.100.187.85]) by geek.nmac.ericsson.se (8.8.5/8.8.5) with ESMTP id KAA15086 for ; Sat, 8 Nov 1997 10:39:25 +0100 Received: by haig.oplab.nmac.ericsson.se with Internet Mail Service (5.0.1457.3) id ; Sat, 8 Nov 1997 10:40:57 +0100 Message-ID: <43BED8177D10D011A69A0800092C15D70BBABB@haig.oplab.nmac.ericsson.se> From: Robert Ståhlbrand To: "'gary flynn'" Cc: "'firewalls@greatcircle.com'" Subject: RE: FIN Scanning through all kind of packet-filtering firewalls? Date: Sat, 8 Nov 1997 10:40:53 +0100 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ok! I will explain myself a little bit better......... > -----Original Message----- > From: gary flynn [SMTP:gary@habanero.jmu.edu] > Sent: 7 November 1997 21:06 > To: firewalls@GreatCircle.COM; owner-firewalls-list@GreatCircle.COM > Subject: Re: FIN Scanning through all kind of packet-filtering > firewalls? > > > From: > > > > The FIN scanning method (presented in Phrack Magazine 49, article > 15) > > where you can scan for open ports on a host behind a > packet-filtering > > firewall even though your rules denies it is certainly working on > > Checkpoint ver.
2.1(a) > > What exactly do you mean by working? You must have some type of > filter that allows port communications if the sessions are > established internally like the Cisco "established" ACL. > [Robert Ståhlbrand] > What I mean by working is even though I have rules that deny any type > of packets (tcp, udp) to a specific host behind my firewall, I can > still scan it for open ports (TCP only)!!! But in my logger it looks > like the firewall is dropping all packets but a sniffer on the inside > proves that the packet gets through!!! > The packets are small fragmented (I think that even non-fragmented > works too but it's not verified yet) packets with the FIN-flag set > (indicating that it's the last packet in a TCP-session) and if the > remote host is sending back a Reset, the port is closed, otherwise > it's open. > > I'm not familiar with Checkpoint but any packet filter that is > filtering on a destination port is going to toss the packet > regardless of the SYN or any other flag unless there is some > special programming. > > It may get to the router/firewall itself if it's an output filter > or it may get through a Cisco-like "established" filter but I > don't think it's going to get through anything else. > [Robert Ståhlbrand] > NO!!!! The packet gets through!!!!!!!!!!!!!!!! (Unless my sniffer is > spoked :-)) Read the article in Phrack Magazine!!!
> > Gary Flynn > Network Analyst > James Madison University > [Robert Ståhlbrand] > > /Robert Ståhlbrand, System and Security responsible, nmac.ericsson.se From owner-firewalls-list Sat Nov 8 04:06:54 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA04239; Sat, 8 Nov 1997 03:52:43 -0800 (PST) Received: from lms03.us.ibm.com (lms03.ny.us.ibm.com [198.133.22.39]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id DAA04232 for ; Sat, 8 Nov 1997 03:52:35 -0800 (PST) Received: from US.IBM.COM (d03lms01.boulder.ibm.com [9.99.80.11]) by lms03.us.ibm.com (8.8.7/8.8.7) with SMTP id HAA07968 for ; Sat, 8 Nov 1997 07:50:31 -0500 Received: by US.IBM.COM (Soft-Switch LMS 2.0) with snapi via D03AU001 id 5030100012801184; Sat, 8 Nov 1997 06:53:08 -0500 From: D03NM014/03/M/IBM To: Subject: Trish Sundgaard/Dallas/IBM is out of the office. Message-ID: <5030100012801184000002L042*@MHS> Date: Sat, 8 Nov 1997 06:53:08 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am out of the office from 11/07/97, returning 11/12/97. You will receive only this notification of my absence prior to my return, at which time I will respond. From owner-firewalls-list Sat Nov 8 08:25:24 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA22861; Sat, 8 Nov 1997 08:19:01 -0800 (PST) Received: from server-one ([207.0.213.4]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id IAA22854 for ; Sat, 8 Nov 1997 08:18:55 -0800 (PST) Received: from [207.0.213.73] by server-one (NTMail 3.02.13) with ESMTP id ia116488 for ; Sat, 8 Nov 1997 12:19:32 -0400 Reply-To: From: "melissa jimenez" To: "Robert Ståhlbrand" , "'gary flynn'" Cc: "'firewalls@greatcircle.com'" Subject: RE: FIN Scanning through all kind of packet-filtering firewalls?
Date: Sat, 8 Nov 1997 12:13:28 -0400 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1161 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Message-Id: <16193196740821@iamnet.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk xcvcvxc ---------- From: Robert Ståhlbrand To: 'gary flynn' CC: 'firewalls@greatcircle.com' Subject: RE: FIN Scanning through all kind of packet-filtering firewalls? Date: Saturday, 8 November 1997 05:40 AM ---------- From owner-firewalls-list Sat Nov 8 10:25:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA29849; Sat, 8 Nov 1997 10:11:39 -0800 (PST) Received: from nebula.online.ee (nebula.online.ee [194.106.96.11]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA29824 for ; Sat, 8 Nov 1997 10:11:30 -0800 (PST) Received: from localhost (jk@localhost) by nebula.online.ee (8.8.7/8.8.3) with SMTP id UAA16886 for ; Sat, 8 Nov 1997 20:12:13 +0200 (EET) Date: Sat, 8 Nov 1997 20:12:13 +0200 (EET) From: Jyri Kaljundi X-Sender: jk@nebula To: Firewalls@GreatCircle.COM Subject: Security certification (Was: Re: [ANNOUNCE] NASA Computer ...) In-Reply-To: <199711080900.BAA26375@honor.greatcircle.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Andy Howard wrote: > IMO, the different certifications are no better or worse than any other > industry type certifications. And, before certification, test or no, > you have to show evidence of 3 years experience in the area you are > testing for (novel idea, eh?). The certifications are already in > existence, this is just an easy opportunity to review for the exams and sit > for them.
Personally I have not taken any of these exams because of financial reasons, but I would think that at least I personally would benefit from them: perhaps by going through some check lists, reading books and articles on points I feel I don't know enough about etc. Something like the CISSP or CISA exam would put pressure on me to find more time for additional studies on the subjects, and this could not be bad for me. Another question is how you will use your certification later, is it for you to test yourself or to tell people how smart you are. Jyri Kaljundi jk@stallion.ee AS Stallion Ltd http://www.stallion.ee/ From owner-firewalls-list Sat Nov 8 13:10:36 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA00870; Sat, 8 Nov 1997 13:06:24 -0800 (PST) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id NAA00862 for ; Sat, 8 Nov 1997 13:06:13 -0800 (PST) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id QAA21589; Sat, 8 Nov 1997 16:03:38 -0500 (EST) From: Adam Shostack Message-Id: <199711082103.QAA21589@homeport.org> Subject: Re: Finjan Surfin Gate Review In-Reply-To: <9711080227.AA15340@baileynm.com> from Peter da Silva at "Nov 7, 97 08:27:51 pm" To: peter@baileynm.com (Peter da Silva) Date: Sat, 8 Nov 1997 16:03:38 -0500 (EST) Cc: jerry@us.esafe.com, sjbrown@bellsouth.net, firewalls@GreatCircle.COM X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'll mention that Security-7 (www.security7.com) has a product that will look through the Java classes or ActiveX controls and allow you to block things that you don't like. (Thus, you could block all Java that calls the file io classes.)
Adam Peter da Silva wrote: | > Protection from vandal applets is a new technology which is still being | > defined...any thoughts? | | Use the approach in HTML: don't allow the applets the ability to perform | dangerous acts. If you want to do more, then explicitly download and | install a plugin. That way you have control and you have to perform an | explicit install before you're exposed. | | The only applet technology I know of that does this is the Tk plugin, which | actually removes all dangerous commands from the interpreter before running | the applet, so even if it's hostile it has no access to anything outside the | sandbox. | -- "It is seldom that liberty of any kind is lost all at once." -Hume From owner-firewalls-list Sat Nov 8 13:40:33 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA02734; Sat, 8 Nov 1997 13:28:31 -0800 (PST) Received: from hotmail.com (F26.hotmail.com [207.82.250.37]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id NAA02704 for ; Sat, 8 Nov 1997 13:28:21 -0800 (PST) Received: (qmail 18652 invoked by uid 0); 8 Nov 1997 21:29:07 -0000 Message-ID: <19971108212907.18651.qmail@hotmail.com> Received: from 209.75.196.2 by www.hotmail.com with HTTP; Sat, 08 Nov 1997 13:29:07 PST X-Originating-IP: [209.75.196.2] From: "Alexis Zephrides" To: ben@edelweb.fr, firewalls@greatcircle.com Subject: Re: Private web-based email with SSL secure??? Content-Type: text/plain Date: Sat, 08 Nov 1997 13:29:07 PST Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >What is this app that you've found? I've been thinking of the same thing >meself for awhile now. > >Ben. > >On Tue, 4 Nov 1997, Alexis Zephrides wrote: > >> Hello: >> >> I consult for an ISP that has a couple of Intel 266 Pentiums, >> 1 500MHz Alpha and a Sparc all running linux. We have been talking >> about writing our own web based email app (like HotMail) so that >> our users can get mail remotely.
We have only found one app like this >> that runs under Linux and it is written in PERL. If we use SSL >> on the web server, will the entire e-mail session be encrypted including >> login? The POP server is behind the Firewall as well. >> >> Thanks in advance, >> >> Alexis >> Agean Consulting The original app we were looking at was EMU but we have just found a new one called Clio (http://www.clio.com) that is faster, more stable and has more features. We also liked the price at $1 per user for a license ;-) With SSL on the server we have found that the entire session is encrypted (we used a Network General Sniffer) including the login and password. --Alexis Aegean Consulting ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com From owner-firewalls-list Sat Nov 8 14:25:45 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA08906; Sat, 8 Nov 1997 14:15:07 -0800 (PST) Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id OAA08881 for ; Sat, 8 Nov 1997 14:14:59 -0800 (PST) Received: (qmail 2238 invoked from smtpd); 8 Nov 1997 22:15:41 -0000 Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 8 Nov 1997 22:15:41 -0000 Received: from baileynm.com (grendel.nmti.com [198.178.0.150]) by web.nmti.com (8.6.12/8.6.9) with SMTP id QAA17344 for ; Sat, 8 Nov 1997 16:15:41 -0600 Received: by baileynm.com; (5.65v3.2/1.1.8.2/08Sep97-0924AM) id AA01637; Sat, 8 Nov 1997 16:18:08 -0600 From: Peter da Silva Message-Id: <9711082218.AA01637@baileynm.com> Subject: Re: Finjan Surfin Gate Review To: firewalls@GreatCircle.COM Date: Sat, 8 Nov 1997 16:18:08 -0600 (CST) In-Reply-To: <199711082103.QAA21589@homeport.org> from "Adam Shostack" at Nov 8, 97 04:03:38 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I'll mention that 
Security-7 (www.security7.com) has a product that > will look through the Java classes or ActiveX controls and allow you > to block things that you don't like. (Thus, you could block all Java > that calls the file io classes.) It's not possible for it to do that even in theory for general ActiveX controls, because they can contain arbitrary '386 instructions, possibly encrypted or compressed with unknown algorithms to reduce size or protect intellectual property. For Java, I suppose you could do it. The problem is that the authors of legitimate applets will have no way of knowing what the rules they're subject to are. It's better to make that sort of thing explicit in the specification for the applet language even if that prevents you from doing some useful things. From owner-firewalls-list Sat Nov 8 14:40:28 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA08404; Sat, 8 Nov 1997 14:10:50 -0800 (PST) Received: from cypress.idir.net (cypress.idir.net [204.189.68.16]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id OAA08355 for ; Sat, 8 Nov 1997 14:10:30 -0800 (PST) Received: from cypress.idir.net (cypress.idir.net [204.189.68.16]) by cypress.idir.net (8.8.5/8.8.4) with SMTP id QAA01782 for ; Sat, 8 Nov 1997 16:11:15 -0600 Date: Sat, 8 Nov 1997 16:11:14 -0600 (CST) From: Jason Keimig To: firewalls@greatcircle.com Subject: Re: Hijak detection Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I agree that host authentication is the only real defense. I think > network level encryption will defend against this kind of attack too. > Transport level encryption might stop hijacking, but is still vulnerable to > DoS attack (the attacker might still be able to put both hosts in > desynchronized mode). All true and very relevant. You COULD even encrypt most of the headers, but this breaks things like NAT and proxy services. > 1.
How do we detect a hijack. > Even in normal TCP conversation, there are lot of packets with > invalid SN (duplication, etc.), so how we decide if an invalid packet is > part of a hijacked session and which is not? The duplication is not as severe as you would see with a hijacked session. You will generally see several hundred ACKed packets thrown around for each new packet introduced by the hijacker. > 2. How to determine which is the attacker and which is the victim. > By using only TCP seq. num., we definitely CAN NOT decide which is > the attacker and which is the victim, because a skilled attacker would > most likely only send 'good' packet, making the victim looks bad. While > a 'young' attacker probably still making mistakes on calculating SN, > thus making both attacker and victim look bad. This is true if you look at only a single ACK on one side of the stream. If you compare the ACKs from both sides, you can see the side that has been spoon-fed data by the attacker as their ACK # will be higher than the supposedly corresponding SEQ # of the unmolested side. This is due to the fact that the SEQ/ACK pair is based solely on the # of bytes sent/received after the session has been established. This pair is by no means a security mechanism in the purest sense. It is used primary to keep the sides in synch with one another. The fact that it prevents accepting data out of order is really just a security side effect inherent with connection-oriented bitstreams. > By looking at route information in the packet (if available) will > provide important clue, but still not reliable if your network use > multiple route. This really is a non-issue as just about all routers and hosts nowadays have source-routing disabled. I realize that there is a possibility for misconfigured boxes, but this is a reaching effort that generally does not turn up anything. That is, a source-routed packet will set off too many alarms and gives away all covertness of the attack. 
> Looking at the H/W address of a packet won't help much, because
> you'll only see the gateway H/W address in the packet.

Actually, this is where you will see the mistakes of a 'young' attacker.
Calculating the SEQ/ACK # of a session is fairly straightforward once the
hijacking has commenced: you just have to wade through all of the ACK syncs
between the two hosts. As I stated in another post, JUST ABOUT all of the
scripts/programs out there that do various forms of IP spoofing (I did find
an old SunOS forging tool in my archives that modified the MAC address of
the outgoing packet) do NOT address the layer-2 issue. Forged IP packets
from user space WILL STILL CONTAIN the source MAC address of the host used
to forge the packet. This is trivial to detect. The "professional" hacker
(the word professional used loosely here) will have a modified IP stack
that addresses this issue by swapping out the local MAC with that of the
forged IP/layer-2 mapping. There are still some tricks to catch this; the
attacker just has to be careful about how this mapping is obtained (this is
part of my thesis, I've had to deal with this aspect quite intimately!).
So, in a nutshell, LOOKING at the layer-2 information will turn up 90% of
the offending hosts performing ANY kind of spoofing attack.

There is also the analysis of the IP packet ID that I won't get into.
Although it can be used for detection purposes, it gives less information
on _who_ is doing the attack.

> 3. To make the situation worse...
> The attacker might send OOB packets, change route information, or
> other DoS attacks to the victim. The firewall/IDS should be aware that these
> are parts of the hijacking procedure, and terminate the victim's
> sessions immediately.

OOB packets aren't usually handled by the end host in the purest sense and
routers, by definition, don't accept redirects. Where do these aspects come
into play?
> In fact, if WheelGroup claims that their product can deal with TCP hijack
> attacks, how the heck are they doing it?

Good question, any takers?

-J.

From owner-firewalls-list Sat Nov 8 19:25:41 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA27861; Sat, 8 Nov 1997 19:22:54 -0800 (PST)
Received: from maildeliver0.tiac.net (maildeliver0.tiac.net [199.0.65.19]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id TAA27854 for ; Sat, 8 Nov 1997 19:22:49 -0800 (PST)
Received: from mx1.tiac.net (mx1.tiac.net [199.0.65.251]) by maildeliver0.tiac.net (8.8.7/8.8) with ESMTP id WAA13106 for ; Sat, 8 Nov 1997 22:23:40 -0500 (EST)
Received: from rhill.icenetsys.com (icenetsys.com [206.119.11.248]) by mx1.tiac.net (8.8.7/8.6.9) with SMTP id WAA01148 for ; Sat, 8 Nov 1997 22:23:38 -0500 (EST)
Message-Id: <2.2.32.19971109032822.01d1ca50@pop.tiac.net>
X-Sender: rhill@pop.tiac.net
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sat, 08 Nov 1997 22:28:22 -0500
To: firewalls@GreatCircle.COM
From: "Richard A. Hill"
Subject: Re: [ANNOUNCE] NASA Computer Security Conference
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 04:52 11/7/97 -0500, you wrote:
>
> You know, like the recent mad scientist B-movie NASA brought us: need
> seven lightbulbs worth of juice for Cassini? Hey, let's load it up
> with 72 pounds of ceramicized plutonium! Good thing it didn't blow
> up on launch. Hopefully, in two years when it does a planetary
> gravity-assist flyby of Earth at 40,000 miles per hour, it will
> miss Earth. Because NASA documents say that 20 pounds of the plutonium
> will become _respirable_ particles.
>
> NASA is the last place on Earth one should go to for risk assessment.
>

Now now, let's keep the politics out of the list .. otherwise I'd have to
respond and rebut the respirable particle claim with quotes from other
experts, and you'd have to bring in nuclear-phobes and I'd bring in
nuclear-philes and we'd tie the entire list up for weeks in a useless flame
war and everyone would be sick of us in two days. Let's just say that some
of us have more realistic risk expectations than others and that I'd rather
see a flawed NASA than none at all.

And FYI, I just brought up that website and all seminars are appropriately
documented and listed

Richard

#######################################################
Richard A. Hill
rhill@icenetsys.com
RichHill@AOL.com
"That which does not kill us should not be given a second chance"
################################################################

From owner-firewalls-list Sun Nov 9 05:55:39 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA23551; Sun, 9 Nov 1997 05:49:00 -0800 (PST)
Received: from kaja.octonline.com ([207.6.35.100]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA23544 for ; Sun, 9 Nov 1997 05:48:55 -0800 (PST)
Received: from dabion.kaja ([207.6.35.181]) by kaja.octonline.com (2.0 Build 2119 (Berkeley 8.8.4)/8.8.4) with ESMTP id IAA03718 for ; Sun, 09 Nov 1997 08:50:56 -0500
Message-Id: <199711091350.IAA03718@kaja.octonline.com>
From: "Don A. Abion"
To:
Subject: university project
Date: Sun, 9 Nov 1997 08:48:14 -0600
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

hello there,

my name is Don and I'm in need of firewall software for a school project
that my group and I are attempting to complete. We are taking a course
dealing with software evaluation methods, and we have limited resources
when it comes to firewalls. So far, we've found free downloadable firewall
software packages, but they run off windows NT, and none of us have access
to that operating system. We need firewall software to evaluate, and we
need something that has GUI capabilities so that a full demonstration can
be performed (thus, win95 would be great). If you can recommend any free
downloads for firewall software which doesn't require much memory and can
run off win95 on a stand alone system, we would be very grateful.

Thank you for your time concerning our request.

Don

dabion@octonline.com
dabio@acs.ryerson.ca

From owner-firewalls-list Sun Nov 9 06:40:36 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA26896; Sun, 9 Nov 1997 06:30:48 -0800 (PST)
Received: from panix2.panix.com (panix2.panix.com [198.7.0.3]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA26875 for ; Sun, 9 Nov 1997 06:30:42 -0800 (PST)
Received: (from guy@localhost) by panix2.panix.com (8.8.5/8.7/PanixU1.3) id JAA18917; Sun, 9 Nov 1997 09:33:03 -0500 (EST)
Date: Sun, 9 Nov 1997 09:33:03 -0500 (EST)
From: Information Security
Message-Id: <199711091433.JAA18917@panix2.panix.com>
To: firewalls@GreatCircle.COM
Subject: Re: [ANNOUNCE] NASA Computer Security Conference
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From owner-firewalls-list@GreatCircle.COM Sat Nov 8 23:02:53 1997
> From: "Richard A. Hill"
>
> At 04:52 11/7/97 -0500, you wrote:
>
> Now now, let's keep the politics out of the list .

Actually, the politics of encryption are quite important, but I will avoid
discussing the (weak) encryption tie-in unless people keep bringing it up.

> And FYI, I just brought up that website and
> all seminars are appropriately documented and listed

Excellent. That means the main reason I "posted" got immediate results.

> At 04:52 11/7/97 -0500, guy wrote:
> > Because NASA documents say that 20 pounds of the plutonium
> > will become _respirable_ particles.
>
> [I can] rebut the respirable particle
> claim with quotes from other experts...

Email me to do so.

* Final Environmental Impact Statement for the Cassini Mission *
* ----- ------------- ------ --------- --- --- ------- ------- *
*                                                              *
* NASA, June 1995                                              *
* ---- ---- ----                                               *
*                                                              *
* For all the reentry cases studied, about 32 to 34 percent of the
* plutonium dioxide from the three RTGs is expected to be released
* at high altitude...these are [deadly] respirable particles...

And: good luck. ;-)

I am *deleting* the Cassini flame out of the Cryptography Manifesto, so get
your copy now if you want to see it.

---guy

From owner-firewalls-list Sun Nov 9 06:55:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA29079; Sun, 9 Nov 1997 06:47:22 -0800 (PST)
Received: from blackbird.jetlink.net (blackbird.jetlink.net [206.72.64.10]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA29064 for ; Sun, 9 Nov 1997 06:47:16 -0800 (PST)
Received: from gnss.com (ppp-208-19-49-166.isdn.jetlink.net [208.19.49.166]) by blackbird.jetlink.net (8.8.7/CSE) with ESMTP id GAA24877; Sun, 9 Nov 1997 06:48:00 -0800 (PST)
Message-ID: <3465CD13.6F22AB15@gnss.com>
Date: Sun, 09 Nov 1997 06:47:47 -0800
From: "osiris@gnss.com"
Reply-To: osiris@gnss.com
Organization: Global Network Security Systems
X-Mailer: Mozilla 4.02 [en] (Win95; I)
MIME-Version: 1.0
To: "Don A. Abion"
CC: Firewalls@GreatCircle.COM
Subject: Re: university project
References: <199711091350.IAA03718@kaja.octonline.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is what GNSS has on the subject, but perhaps some other list members
can offer more substantial links or resources. (Note that we cannot provide
an endorsement for these products as we have not evaluated them at this
firm, i.e., batteries not included, force majeure, look both ways before
crossing, restrictions may apply, etc. :-)

PC Personal Firewall for 95
http://www.softwarebuilders.com/SBI_Mall/Info_PC_Secure.html

NetProxy for 95
ftp://software.ieway.com/netprx12.zip
and the docs on it:
http://www.grok.co.uk/netproxy/overview.html

WinProxy
Download page: http://www.ositis.com/menu2.htm
and docs: http://www.ositis.com/

PC Desktop Firewall for 95
http://www.signal9.com/misc/special.html

EDArmor 95
http://www.emdent.com/pages/arm95perpr.htm

InternetGate for 95
http://www.bmtmicro.com/catalog/igatewin.html

Good luck with your project.

(This has been a public service from the staff at http://www.gnss.com)

Don A. Abion wrote:
> hello there,
>
> my name is Don and I'm in need of firewall software for a school project
> that my group and I are attempting to complete. We are taking a course
> dealing with software evaluation methods, and we have limited resources
> when it comes to firewalls. So far, we've found free downloadable firewall
> software packages, but they run off windows NT, and none of us have access
> to that operating system. We need firewall software to evaluate, and we
> need something that has GUI capabilities so that a full demonstration can
> be performed (thus, win95 would be great). If you can recommend any free
> downloads for firewall software which doesn't require much memory and can
> run off win95 on a stand alone system, we would be very grateful.
> Thank you for your time concerning our request.
>
> Don
>
> dabion@octonline.com
> dabio@acs.ryerson.ca

From owner-firewalls-list Sun Nov 9 13:55:41 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA21266; Sun, 9 Nov 1997 13:41:30 -0800 (PST)
Received: from mail.atl.bellsouth.net (mail.atl.bellsouth.net [205.152.0.21]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id NAA21249 for ; Sun, 9 Nov 1997 13:41:22 -0800 (PST)
Received: from nope (bims008201.bims.bellsouth.net [205.152.8.201]) by mail.atl.bellsouth.net (8.8.5/8.8.5) with ESMTP id QAA16408; Sun, 9 Nov 1997 16:41:26 -0500 (EST)
Message-Id: <199711092141.QAA16408@mail.atl.bellsouth.net>
From: "Steve Jackson Brown"
To: "Adam Shostack" , "Peter da Silva"
Cc: ,
Subject: Re: Finjan Surfin Gate Review
Date: Sun, 9 Nov 1997 16:38:49 -0500
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1161
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

How do these products protect you if the web site you are visiting is using
SSL to transfer the Java applets?

It would seem that if it is encrypted, it would be impossible to inspect
Java applets, making it useless.

One thing I thought that was ironic in the
http://www.rstcorp.com/hostile-applets/drowning.html review was the install
script for Finjan was xhost +
How security knowledgeable is a security company when they build install
scripts that open you up to worst attacks?

Is anyone actually buying or deploying this Java security stuff? Is it a
lot of hype?
----------
> From: Adam Shostack
> To: Peter da Silva
> Cc: jerry@us.esafe.com; sjbrown@bellsouth.net; firewalls@GreatCircle.COM
> Subject: Re: Finjan Surfin Gate Review
> Date: Saturday, November 08, 1997 4:03 PM
>
> I'll mention that Security-7 (www.security7.com) has a product that
> will look through the Java classes or ActiveX controls and allow you
> to block things that you don't like. (Thus, you could block all Java
> that calls the file io classes.)
>
> Adam
>
>
> Peter da Silva wrote:
> | > Protection from vandal applets is a new technology which is still being
> | > defined...any thoughts?
> |
> | Use the approach in HTML: don't allow the applets the ability to perform
> | dangerous acts. If you want to do more, then explicitly download and
> | install a plugin. That way you have control and you have to perform an
> | explicit install before you're exposed.
> |
> | The only applet technology I know of that does this is the Tk plugin, which
> | actually removes all dangerous commands from the interpreter before running
> | the applet, so even if it's hostile it has no access to anything outside the
> | sandbox.
> |
>
>
> --
> "It is seldom that liberty of any kind is lost all at once."
> -Hume
>
>

From owner-firewalls-list Sun Nov 9 15:40:53 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA28361; Sun, 9 Nov 1997 15:39:05 -0800 (PST)
Received: from gatekeeper.bh.org (gatekeeper.bh.org [204.68.182.1]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id PAA28349 for ; Sun, 9 Nov 1997 15:39:00 -0800 (PST)
Received: from bh.org (bhhome.bh.org [204.68.182.2]) by gatekeeper.bh.org (8.8.5/8.8.5) with ESMTP id SAA14041; Sun, 9 Nov 1997 18:40:40 -0500
Message-ID: <346649FA.41AB2077@bh.org>
Date: Sun, 09 Nov 1997 18:40:43 -0500
From: Bill Heiser
X-Mailer: Mozilla 4.03 [en] (WinNT; U)
MIME-Version: 1.0
To: fw-1-mailinglist@us.checkpoint.com, firewalls@greatcircle.com
Subject: Re: [FW1] Does FW-1 support Point to Point Tunneling Protocol?
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > I have discovered that Microsoft has a way to do Virtual Private
> > Networks through something they call PPTP (Point to Point Tunneling
> > Protocol).
> > It is basically an encryption between a client Win95 to a WinNT RAS
> > server. What do people think about this? It sounds scary to me. :)

Does PPTP provide a high enough level of security to warrant its use for a
VPN like this essentially bypassing the firewall?

From owner-firewalls-list Sun Nov 9 19:57:14 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA10533; Sun, 9 Nov 1997 19:40:40 -0800 (PST)
Received: from gargoyle.clark.net (gargoyle.clark.net [168.143.0.250]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id TAA10522 for ; Sun, 9 Nov 1997 19:40:33 -0800 (PST)
Received: (qmail 18081 invoked by uid 500); 10 Nov 1997 03:43:45 -0000
Date: Sun, 9 Nov 1997 22:43:45 -0500 (EST)
From: "Paul D. Robertson"
X-Sender: proberts@gargoyle
To: Steve Jackson Brown
cc: firewalls@GreatCircle.COM
Subject: Re: Finjan Surfin Gate Review
In-Reply-To: <199711092141.QAA16408@mail.atl.bellsouth.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sun, 9 Nov 1997, Steve Jackson Brown wrote:

> One thing I thought that was ironic in the
> http://www.rstcorp.com/hostile-applets/drowning.html review was the install
> script for Finjan was xhost +
> How security knowledgeable is a security company when they build install
> scripts that open you up to
> worst attacks?

I haven't been following this thread since inception, so apologies if this
has been covered before. For anyone who's interested, Mark LaDue has been
posting Finjan's reactions to the review in comp.security.firewalls. It
certainly makes interesting reading.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From owner-firewalls-list Sun Nov 9 20:55:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA13667; Sun, 9 Nov 1997 20:45:54 -0800 (PST)
Received: from molhub.mol.net.my (aimsvan.mol.net.my [202.190.128.10]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id UAA13653 for ; Sun, 9 Nov 1997 20:45:49 -0800 (PST)
Received: from mit.com.my by molhub.mol.net.my; Mon, 10 Nov 97 12:50:27 +0800
Received: by mit_svr with Internet Mail Service (5.0.1457.3) id ; Mon, 10 Nov 1997 12:17:08 +0800
Message-ID:
From: Chai Lim Chong
To: Firewalls@GreatCircle.COM
Subject: Strange firewall log messages
Date: Mon, 10 Nov 1997 12:16:59 +0800
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

My TIS firewall recorded these strange messages several times in a day. But
they disappeared on the following day and did not appear again. Can anyone
explain to me what these lines are all about ?

Nov 7 11:01:25 MYserver vmunix: securityalert: tcp from 127.0.0.1:2807 to 127.0.0.1 on unserved port 2121
Nov 7 11:02:01 MYserver vmunix: securityalert: tcp from 127.0.0.1:2814 to 127.0.0.1 on unserved port 2121
Nov 7 11:02:38 MYserver vmunix: securityalert: tcp from 127.0.0.1:2818 to 127.0.0.1 on unserved port 2121
Nov 7 11:03:49 MYserver vmunix: securityalert: tcp from 127.0.0.1:2825 to 127.0.0.1 on unserved port 2121
Nov 7 11:03:49 MYserver vmunix: securityalert: tcp from 127.0.0.1:2826 to 127.0.0.1 on unserved port 2121

Thanks in advance..
Regards,
Chai Lim Chong
Lcchai@mit.com.my

From owner-firewalls-list Mon Nov 10 00:55:28 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA26056; Mon, 10 Nov 1997 00:43:49 -0800 (PST)
Received: from spock.bitmailer.com (spock.bitmailer.com [194.179.94.5]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id AAA26049 for ; Mon, 10 Nov 1997 00:43:43 -0800 (PST)
Received: from ns.bitmailer.com (ns.bitmailer.com [194.179.94.1]) by spock.bitmailer.com (8.8.5/8.8.6) with SMTP id JAA08190; Mon, 10 Nov 1997 09:28:33 +0100
Received: from alex(src addr [194.179.94.99]) (2474 bytes) by ns.bitmailer.com via smail with P\:esmtp /R:smart_host /T:smtp (sender: ) id for ; Mon, 10 Nov 1997 10:23:42 +0100 (MET)
Message-Id:
From: "Angel López Escobar"
To: ,
Subject: RE: Penetration Detection Tools
Date: Mon, 10 Nov 1997 09:13:31 +0100
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1161
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_01BCEDB8.EA2219C0"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is a message with multiple parts in MIME format.

------=_NextPart_000_01BCEDB8.EA2219C0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Hi,

Have a look at www.iss.net, they have tools for that.

Regards,

----------
> From: Neil_Buckley/CAM/Lotus@lotus.com
> To: firewalls@greatcircle.com
> Subject: Penetration Detection Tools
> Date: Friday, 7 November 1997 18:57
>
> Hello,
>
> Does anyone have recommendations for third party penetration detection
> tools, I am fairly familiar with most freeware products for UNIX, but I
> need a company wide solution.
>
> Thanks in advance for any info,
>
> Neil Buckley
> nbuckley@lotus.com
>
>

------=_NextPart_000_01BCEDB8.EA2219C0
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable


------=_NextPart_000_01BCEDB8.EA2219C0--

From owner-firewalls-list Mon Nov 10 04:41:16 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA13781; Mon, 10 Nov 1997 04:39:01 -0800 (PST)
Received: from relay.eunet.pt (relay.EUnet.pt [193.126.4.65]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id EAA13774 for ; Mon, 10 Nov 1997 04:38:53 -0800 (PST)
Received: (from uucp@localhost) by relay.eunet.pt (8.8.5/8.8.5) with UUCP id MAA02244 for firewalls@greatcircle.com; Mon, 10 Nov 1997 12:39:52 GMT
Received: from eniac (eniac [128.22.4.16]) by btagate (8.6.12/8.6.12) with SMTP id NAA10781 for ; Mon, 10 Nov 1997 13:50:20 GMT
Message-Id: <1.5.4.32.19971110114253.00924910@btagate>
X-Sender: sys6849@btagate
X-Mailer: Windows Eudora Light Version 1.5.4 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 10 Nov 1997 11:42:53 +0000
To: firewalls@greatcircle.com
From: Paulo Jorge Delgado
Subject: Need help comparing solutions
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

The company I work for has decided to connect to the Internet using a
firewall solution. This is a rather long story, but after creating a
workgroup with people from IT Security, Systems Management and
Telecommunications, creating a Security Policy and contacting several
vendors, we decided to propose a solution integrating several products,
connected in series:

- A firewall using stateful inspection
- A proxy based virus scanner (for NNTP, SMTP, HTTP, FTP)
- A proxy based access control application (for "URL censorship")
- A proxy based firewall
- A suite of auditing tools

With this we aimed at creating a screened subnet architecture, with special
focus on redundancy. We wanted to make sure that if one of the elements of
the solution were compromised, the others would still be able to provide
some measure of security and eventually detect attacks coming from the
compromised element.
Someone else is proposing a cheaper solution, something like:

                        +------------+
                        | Stateful   |
   Outside  ------------+ inspection +------+
   networks             | firewall   |      |        +--------------+
                        +-----+------+      |        | Dual-homed   |
                              |             |        | Netscape     |       Internal
                              |             +--------+ Proxy Server +-----+ network
                        +-----+-------+              | HTTP, FTP,   |
                        | Netscape    |              | Gopher       |
                        | Mail Server |              +--------------+
                        +-------------+

They say that the Netscape proxy server gives some additional security,
complementing the firewall, so this would also be a redundant solution and
with the added benefit of reducing the number of licences I need on the
firewall.

I don't know this Netscape Proxy Server, but I feel that it can't act as a
real firewall. Can someone on the list comment on the relative security of
this cheaper solution?

Many thanks,

Paulo

+-------------------------------+---------------------------------------+
| Paulo Jorge Delgado           | Internet: Paulo.Delgado@bta.pt        |
| Banco Totta & Acores          | Office:   +351-1-7922467              |
| Av. Miguel Bombarda 4, 7      | Fax:      +351-1-7922481              |
| 1000 Lisboa                   |                                       |
| Portugal                      |                                       |
+-------------------------------+---------------------------------------+

From owner-firewalls-list Mon Nov 10 05:26:43 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA17135; Mon, 10 Nov 1997 05:19:52 -0800 (PST)
Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.71.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA17102 for ; Mon, 10 Nov 1997 05:19:46 -0800 (PST)
Message-Id: <199711101319.FAA17102@honor.greatcircle.com>
Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA258237369; Mon, 10 Nov 1997 08:09:29 -0500
Date: Mon, 10 Nov 1997 08:09:29 -0500
From: gary flynn
To: avalon@coombs.anu.edu.au, gary@habanero.jmu.edu
Subject: Re: FIN Scanning through all kind of packet-filtering firewalls?
Cc: firewall-wizards@nfs.net, firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: Darren Reed
>
> > I'm not familiar with Checkpoint but any packet filter that is
> > filtering on a destination port is going to toss the packet
> > regardless of the SYN or any other flag unless there is some
> > special programming.
>
> I wouldn't be so sure about that. Checkpoint's FW-1 will pass all
> packets through with the ACK flag set (except, I think SYN-ACK)
> but will strip the body of any data. They do this so that they can
> rebuild state for a connection which has remained open over (say)
> the firewall rebooting or connection information expiring. If the
> reply packet was returned, anyway, there's your scan!

I didn't think about that. I should have capitalized "packet filter" :)
One normally thinks of state and proxy firewalls as somewhat more secure
than a simple packet filter but in this case the opposite may be true.

From owner-firewalls-list Mon Nov 10 06:00:30 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA19474; Mon, 10 Nov 1997 05:47:09 -0800 (PST)
Received: from eldec.eldec.com ([208.213.94.130]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id FAA19453 for ; Mon, 10 Nov 1997 05:47:02 -0800 (PST)
Received: by eldec.eldec.com; id AA165569544; Mon, 10 Nov 1997 08:45:44 -0500
Received: from unknown(130.30.60.2) by eldec.eldec.com via smap (V3.1.1) id xma016473; Mon, 10 Nov 97 08:45:18 -0500
Received: from bdc003nt.eldec.com by unix11.eldec.com with SMTP (1.37.109.4/16.2) id AA27657; Mon, 10 Nov 97 05:46:39 -0800
Received: by bdc003nt.eldec.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BCED9C.0B2C1250@bdc003nt.eldec.com>; Mon, 10 Nov 1997 05:46:51 -0800
Message-Id:
From: "Lau, Chris"
To: "'firewalls@greatcircle.com'"
Subject: spam
Date: Mon, 10 Nov 1997 05:46:51 -0800
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi:

Does anyone have a solution on how to stop spam email at the firewall
level? We are using TIS Gauntlet. Someone out there is using our company
name to send out spam email. We are getting many angry replies to us asking
us to stop spamming. We were not the ones doing it.

Christopher Lau
Crane-Eldec Corp.
(425) 743-8150
clau@eldec.com

From owner-firewalls-list Mon Nov 10 06:16:22 1997
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA21889; Mon, 10 Nov 1997 06:07:31 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id GAA21875 for ; Mon, 10 Nov 1997 06:07:25 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id JAA28028; Mon, 10 Nov 1997 09:05:59 -0500 (EST)
From: Adam Shostack
Message-Id: <199711101405.JAA28028@homeport.org>
Subject: Re: Finjan Surfin Gate Review
In-Reply-To: <199711092141.QAA16408@mail.atl.bellsouth.net> from Steve Jackson Brown at "Nov 9, 97 04:38:49 pm"
To: sjbrown@bellsouth.net (Steve Jackson Brown)
Date: Mon, 10 Nov 1997 09:05:59 -0500 (EST)
Cc: firewalls@greatcircle.com (Firewalls mailing list)
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I don't think they do protect you if the connection is encrypted, or if
the attacker is very clever. However, there are a lot of dumb attackers,
and I think that you may block some attacks with it.

(Of course, you really want a language that's safe, running on a
reasonable OS. But since we don't have that, Java and ActiveX firewalls
may be coming.)

Adam

Steve Jackson Brown wrote:
[Charset ISO-8859-1 unsupported, filtering to ASCII...]
| How do these products protect you if the web site you are visiting is using
| SSL to transfer the Java applets?
|
| It would seem that if it is encrypted, it would be impossible to inspect
| Java applets, making it useless.
|
| One thing I thought that was ironic in the
| http://www.rstcorp.com/hostile-applets/drowning.html review was the install
| script for Finjan was xhost +
| How security knowledgeable is a security company when they build install
| scripts that open you up to
| worst attacks?
|
| Is anyone actually buying or deploying this Java security stuff? Is it
| a lot of hype?
| ----------
| > From: Adam Shostack
| > To: Peter da Silva
| > Cc: jerry@us.esafe.com; sjbrown@bellsouth.net; firewalls@GreatCircle.COM
| > Subject: Re: Finjan Surfin Gate Review
| > Date: Saturday, November 08, 1997 4:03 PM
| >
| > I'll mention that Security-7 (www.security7.com) has a product that
| > will look through the Java classes or ActiveX controls and allow you
| > to block things that you don't like. (Thus, you could block all Java
| > that calls the file io classes.)
| >
| > Adam
| >
| >
| > Peter da Silva wrote:
| > | > Protection from vandal applets is a new technology which is still being
| > | > defined...any thoughts?
| > |
| > | Use the approach in HTML: don't allow the applets the ability to perform
| > | dangerous acts. If you want to do more, then explicitly download and
| > | install a plugin. That way you have control and you have to perform an
| > | explicit install before you're exposed.
| > |
| > | The only applet technology I know of that does this is the Tk plugin, which
| > | actually removes all dangerous commands from the interpreter before running
| > | the applet, so even if it's hostile it has no access to anything outside the
| > | sandbox.
| > |
| >
| >
| > --
| > "It is seldom that liberty of any kind is lost all at once."
| > -Hume
| >
| >

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From owner-firewalls-list Mon Nov 10 08:13:08 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA27626; Mon, 10 Nov 1997 07:32:50 -0800 (PST) Received: from serv1.cyberaccess.fr ([195.132.13.234]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA27547 for ; Mon, 10 Nov 1997 07:32:28 -0800 (PST) Received: from cyberaccess.fr ([195.132.13.195]) by serv1.cyberaccess.fr (Netscape Messaging Server 3.0) with ESMTP id AAA5245; Mon, 10 Nov 1997 16:31:25 +0100 Message-ID: <34672A1A.9F65ADCE@cyberaccess.fr> Date: Mon, 10 Nov 1997 16:37:07 +0100 From: "Christian ALT" X-Mailer: Mozilla 4.03 [en] (WinNT; I) MIME-Version: 1.0 To: "firewalls@greatcircle.com" Subject: nmap on Solaris Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I have tried to compile nmap under Solaris 2.5.1 GCC 2.7.2.1 and I have some problems finding or changing some includes:

netinet/ip_tcp.h : No such file or directory

If someone has a pointer for me or any other information I would be grateful to any help.
Christian ALT From owner-firewalls-list Mon Nov 10 08:27:24 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA29333; Mon, 10 Nov 1997 07:41:57 -0800 (PST) Received: from relay.norwest.com (relay.Norwest.Com [198.74.26.65]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA29238 for ; Mon, 10 Nov 1997 07:41:38 -0800 (PST) Message-Id: <199711101541.HAA29238@honor.greatcircle.com> Received: by relay.norwest.com (1.37.109.20/16.2) id AA043386562; Mon, 10 Nov 1997 09:42:42 -0600 Received: from msgmsp1.norwest.com(162.101.130.4) by relay.norwest.com via smap (V1.3) id smaa28990; Mon Nov 10 08:55:57 1997 Received: by msgmsp1.norwest.com with Internet Mail Service (5.0.1458.49) id ; Mon, 10 Nov 1997 08:55:00 -0600 From: "Hudspeth, Todd" To: "'firewalls@greatcircle.com'" Subject: Performance Testing Tools Date: Mon, 10 Nov 1997 08:53:48 -0600 X-Priority: 3 Mime-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Is anyone aware of any performance measurement tools that would simulate thousands of users performing various methods of access to and through a firewall? Such as, internal to external ftp, http, https, telnet and VPN? Thanks, Todd Hudspeth Norwest Services, Inc. 
todd.hudspeth@norwest.com From owner-firewalls-list Mon Nov 10 08:28:55 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA03551; Mon, 10 Nov 1997 08:02:54 -0800 (PST) Received: from pandora.gsionline.com ([204.254.209.241]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id IAA03532 for ; Mon, 10 Nov 1997 08:02:47 -0800 (PST) Received: from pandora.gsionline.com by pandora.gsionline.com (NTMail 3.02.09) with ESMTP id da213957 for ; Mon, 10 Nov 1997 11:04:55 -0500 Message-Id: <3.0.1.32.19971110110100.008ef0d0@peter> X-Sender: nbk#204.254.209.2@peter X-Mailer: Windows Eudora Light Version 3.0.1 (32) Date: Mon, 10 Nov 1997 11:01:00 -0500 To: "Lau, Chris" From: NB Keenan Subject: Re: spam Cc: firewalls@greatcircle.com In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Does anyone have a solution on how to stop spam email at the firewall >level? We are using TIS Gauntlet. Some one out there is using our >company name to send out spam email. We are getting many angry replies >to us asking us to stop spamming. We were not the ones doing it. I've heard of a device called a "lawyer" that is very effective at stopping people from using your company name without your permission. From owner-firewalls-list Mon Nov 10 08:30:18 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA02129; Mon, 10 Nov 1997 07:54:23 -0800 (PST) Received: from xchangebox2.USADOMAIN1 (XCHANGEBOX2.USANETWORKS.COM [208.225.13.9]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id HAA02061 for ; Mon, 10 Nov 1997 07:54:08 -0800 (PST) Received: by xchangebox2.USADOMAIN1 with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BCEDC6.DD33FA90@xchangebox2.USADOMAIN1>; Mon, 10 Nov 1997 10:53:23 -0500 Message-ID: From: "Zilber, Alexey" To: "'Anton J Aylward'" , "'john'" Cc: "'Jonathan M. 
Bresler'" , "'Firewall list'" Subject: RE: Pissing Contest (wasRe: Linux et al PFs ) Date: Mon, 10 Nov 1997 10:54:48 -0500 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Coming back from vacation, I'd just like to add to this dead thread that there's a WIRED article comparing all the OS's. They ranked Linux right up there, even above FreeBSD for the amount of load it can handle without choking.

>----------
>From: john[SMTP:zaph0d@phawd.com-stock.com]
>Sent: Friday, October 31, 1997 3:58 PM
>To: Anton J Aylward
>Cc: Jonathan M. Bresler; Firewall list
>Subject: Re: Pissing Contest (wasRe: Linux et al PFs )
>
>He's simply demonstrating FreeBSD's ability to handle network traffic
>more efficiently.
>
>Which, directly affects firewalls performance and security, and therefore
>is very relevant to firewalls discussion.
>
>On Fri, 31 Oct 1997, Anton J Aylward wrote:
>
>> At 08:55 AM 31/10/97 -0500, Jonathan M. Bresler wrote:
>> >
>> > please show me number better than ftp.cdrom.com
>>
>> Could you guys move this off the list to private e-mail.
>> This is no longer constructive to the issue of firewalls.
>> I could equally make the argument that a firewall is like
>> a fuse so you want it to go down to isolate & protect the
>> internal network. You can chop the logic any which way you
>> want, but once it gets into "My X is bigger than yours" we
>> are not chopping logic any more.
>>
>> /anton
>>
>> --------------------------------------------------------------------------
>> Anton J Aylward                  | So, Two cheers for Democracy: one
>> The Strahn & Strachan Group Inc  | because it admits variety and two
>> Information Security Consultants | because it permits criticism.
>> Voice: (416) 494-8661            | - E. M.
Forster >> Fax: (416) 494-8803 | >> > > From owner-firewalls-list Mon Nov 10 08:31:32 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA27554; Mon, 10 Nov 1997 07:32:32 -0800 (PST) Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [194.237.142.5]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id HAA27498 for ; Mon, 10 Nov 1997 07:32:17 -0800 (PST) Received: from geek.nmac.ericsson.se (geek.nmac.ericsson.se [130.100.187.83]) by penguin.wise.edt.ericsson.se (8.7.5/8.7.3/glacier-1.12) with ESMTP id QAA05250 for ; Mon, 10 Nov 1997 16:33:10 +0100 (MET) Received: from haig.oplab.nmac.ericsson.se (haig.oplab.nmac.ericsson.se [130.100.187.85]) by geek.nmac.ericsson.se (8.8.5/8.8.5) with ESMTP id QAA26601 for ; Mon, 10 Nov 1997 16:32:06 +0100 Received: by haig.oplab.nmac.ericsson.se with Internet Mail Service (5.0.1457.3) id ; Mon, 10 Nov 1997 16:33:43 +0100 Message-ID: <43BED8177D10D011A69A0800092C15D70BBABE@haig.oplab.nmac.ericsson.se> From: =?iso-8859-1?Q?Robert_St=E5hlbrand?= To: "'firewalls@greatcircle.com'" Subject: RE: FIN Scanning through all kind of packet-filtering firewalls? Date: Mon, 10 Nov 1997 16:33:41 +0100 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi again! Tomorrow I will continue my investigations with my FW-1 and if I find the time, do a test with a ip-filtering program called IP-filter. I will try to cover as much as possible like for example, small fragmented packets (24 byte, maybe less) FIN-scanning etc. I will report the results to the list as soon as possible. 
/Robert > -----Original Message----- > From: gary flynn [SMTP:gary@habanero.jmu.edu] > Sent: den 10 november 1997 14:09 > To: avalon@coombs.anu.edu.au; gary@habanero.jmu.edu > Cc: firewall-wizards@nfs.net; firewalls@GreatCircle.COM > Subject: Re: FIN Scanning through all kind of packet-filtering > firewalls? > > > From: Darren Reed > > > I'm not familiar with Checkpoint but any packet filter that is > > > filtering on a destination port is going to toss the packet > > > regardless of the SYN or any other flag unless there is some > > > special programming. > > > > I wouldn't be so sure about that. Checkpoint's FW-1 will pass all > > packets through with the ACK flag set (except, I think SYN-ACK) > > but will strip the body of any data. They do this so that they can > > rebuild state for a connection which has remained open over (say) > > the firewall rebooting or connection information expiring. If the > > reply packet was returned, anyway, there's your scan! > > I didn't think about that. I should have capitalized > "packet filter" :) > > One normally thinks of state and proxy firewalls as somewhat more > secure than a simple packet filter but in this case the opposite > may be true. 
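The point Darren Reed makes in the quoted exchange above, that a filter which admits any segment carrying the ACK bit so that existing connections survive a reboot or a state timeout also admits a scanner's bare ACK or FIN/ACK probes, is easiest to see with a few decoded headers. The following is an added example, not code from the thread or from FW-1, IP Filter or any other product named in it: it builds 20-byte TCP headers for constructed probe packets, decodes the flag bits, and runs each probe through two toy policies, a stateless "established" rule of the kind found in router ACLs, and a connection-table filter that admits a non-SYN segment only if it belongs to a connection it saw opened. The scanner and target addresses, the ports and the allowed-port list are constructed test data, and neither policy models any specific product.

```python
"""Added example: why an ACK-based 'established' rule passes ACK and FIN/ACK probes."""
import struct

# TCP flag bits as they appear in byte 13 of the header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_BITS = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH, "ACK": ACK, "URG": URG}


def build_tcp_header(sport, dport, flags, seq=0, ack=0):
    """Minimal 20-byte TCP header: data offset 5 (no options), window 8192, checksum zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)


def parse_tcp_header(header):
    """Decode ports and the set of flag names from raw TCP header bytes (IP header already stripped)."""
    sport, dport, _seq, _ack, _offset, flags = struct.unpack("!HHIIBB", header[:14])
    return {"sport": sport, "dport": dport,
            "flags": {name for name, bit in FLAG_BITS.items() if flags & bit}}


def stateless_filter(src, dst, header, allowed_ports):
    """Router-ACL style policy: anything with ACK set is 'established' and passes;
    otherwise only a bare SYN to an allowed port gets in."""
    seg = parse_tcp_header(header)
    if "ACK" in seg["flags"]:
        return "pass"
    if seg["flags"] == {"SYN"} and seg["dport"] in allowed_ports:
        return "pass"
    return "deny"


class StatefulFilter:
    """Connection-table policy: non-SYN segments pass only for a connection seen being opened."""

    def __init__(self, allowed_ports):
        self.allowed_ports = allowed_ports
        self.table = set()          # (client, cport, server, sport) tuples

    def check(self, src, dst, header):
        seg = parse_tcp_header(header)
        key = (src, seg["sport"], dst, seg["dport"])
        reverse = (dst, seg["dport"], src, seg["sport"])
        if seg["flags"] == {"SYN"}:
            if seg["dport"] in self.allowed_ports:
                self.table.add(key)
                return "pass"
            return "deny"
        if key in self.table or reverse in self.table:
            return "pass"
        return "deny"                # no matching connection: the probe is dropped


# Constructed scan: one external scanner, one internal target, ports 25 and 80 open by policy.
SCANNER, TARGET = "192.0.2.10", "198.51.100.5"
ALLOWED = {25, 80}
PROBES = [
    ("syn_to_80", build_tcp_header(40000, 80, SYN)),
    ("ack_to_22", build_tcp_header(40001, 22, ACK)),
    ("fin_to_22", build_tcp_header(40002, 22, FIN)),
    ("finack_to_22", build_tcp_header(40003, 22, FIN | ACK)),
    ("synack_to_22", build_tcp_header(40004, 22, SYN | ACK)),
]


def run_scan(policy):
    """Verdict per probe under 'stateless' or 'stateful' policy."""
    if policy == "stateless":
        return {name: stateless_filter(SCANNER, TARGET, hdr, ALLOWED) for name, hdr in PROBES}
    sf = StatefulFilter(ALLOWED)
    return {name: sf.check(SCANNER, TARGET, hdr) for name, hdr in PROBES}


if __name__ == "__main__":
    for policy in ("stateless", "stateful"):
        print(policy, run_scan(policy))
```

A bare FIN probe is dropped by both policies because it carries no ACK, whereas the ACK and FIN/ACK probes pass the stateless rule and, if the target answers them with a RST, tell the scanner that the filter let them through. The stateful policy drops every probe that matches no tracked connection; the price is the state-rebuild problem Darren describes, which a real implementation has to solve with entry ageing rather than by passing all ACK-bearing segments.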
From owner-firewalls-list Mon Nov 10 08:46:16 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA08050; Mon, 10 Nov 1997 08:35:14 -0800 (PST) Received: from sla-nt2.sla.com (mail1.sla.com [207.153.168.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id IAA08032 for ; Mon, 10 Nov 1997 08:35:01 -0800 (PST) Received: by mail1.sla.com with Internet Mail Service (5.0.1457.3) id ; Mon, 10 Nov 1997 08:32:40 -0800 Message-ID: From: "Stackpole, Bill" To: "'Paulo Jorge Delgado'" , firewalls@greatcircle.com Subject: RE: Need help comparing solutions Date: Mon, 10 Nov 1997 08:32:38 -0800 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain; charset="iso-8859-1" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Either you guys are really paranoid or you have something very valuable to protect. Just a curiosity factor but did your workgroup do any risk analysis before coming up with this solution?

- A firewall using stateful inspection
This could be integrated into the router along with a good set of filters to protect your "DMZ".

- A proxy based virus scanner (for NNTP, SMTP, HTTP, FTP)
So far the best solutions for this are on stand-alone systems but several major vendors are moving to integrate this functionality into their firewall servers.

- A proxy based access control application (for "URL censorship")
Personally I'd bag this and write an acceptable use policy, have employees sign it and fire those that violate it. However, vendors like Raptor do have some "URL censorship" add-ons. Or you could use a passive monitor like ON Tech's Internet Manager.

- A proxy based firewall
An alternative to a second firewall might be a good monitoring system like NetRanger that would alert you to attacks and/or wrongful usage. Unless of course you are looking for some of the other benefits that a proxy might provide like Web page caching.

- A suite of auditing tools
- ???
Router based firewalls don't require per user licenses and most of the passive monitors I've seen don't require them either. As for the Netscape proxy, it works. So does the Microsoft proxy. Are they firewalls? Hardly.

> -----Original Message-----
> From: Paulo Jorge Delgado [SMTP:Paulo.Delgado@bta.pt]
> Sent: Monday, November 10, 1997 3:43 AM
> To: firewalls@greatcircle.com
> Subject: Need help comparing solutions
>
> Hello,
>
> The company I work for has decided to connect to the Internet using
> a firewall solution. This is a rather long story, but after creating
> a workgroup with people from IT Security, Systems Management and
> Telecommunications, creating a Security Policy and contacting
> several vendors, we decided to propose a solution integrating
> several products, connected in series:
>
> - A firewall using stateful inspection
> - A proxy based virus scanner (for NNTP, SMTP, HTTP, FTP)
> - A proxy based access control application (for "URL censorship")
> - A proxy based firewall
> - A suite of auditing tools
>
> With this we aimed at creating a screened subnet architecture, with
> special focus on redundancy. We wanted to make sure that compromising
> one of the elements of the solution, the others would still be able
> to provide some measure of security and eventually detect attacks
> coming from the compromised element.
>
> Someone else is proposing a cheaper solution, something like:
>
>                +------------+
>                | Stateful   |                               |
>   Outside -----+ inspection +------+                        |
>   networks     | firewall   |      |   +--------------+     |
>                +-----+------+      |   | Dual-homed   |     |
>                      |             |   | Netscape     |     |  Internal
>                      |             +---+ Proxy Server +-----+  network
>                      |                 | HTTP, FTP,   |     |
>                +-----+-------+         | Gopher       |     |
>                | Netscape    |         +--------------+     |
>                | Mail Server |
>                +-------------+
>
> They say that Netscape proxy server gives some additional security,
> complementing the firewall, so this would also be a redundant solution
> and with the added benefit of reducing the number of licences I need
> on the firewall.
>
> I don't know this Netscape Proxy Server, but I feel that it can't act
> as a real firewall. Can someone on the list comment on the relative
> security of this cheaper solution?
>
> Many thanks,
>
> Paulo
>
> +-------------------------------+---------------------------------------+
> | Paulo Jorge Delgado           | Internet: Paulo.Delgado@bta.pt        |
> | Banco Totta & Acores          | Office: +351-1-7922467                |
> | Av. Miguel Bombarda 4, 7      | Fax: +351-1-7922481                   |
> | 1000 Lisboa                   |                                       |
> | Portugal                      |                                       |
> +-------------------------------+---------------------------------------+

From owner-firewalls-list Mon Nov 10 10:09:21 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA15126; Mon, 10 Nov 1997 09:39:25 -0800 (PST) Received: from ntserver1.us.esafe.com (c209-43-213-2.esafe.com [209.43.213.2]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA15068 for ; Mon, 10 Nov 1997 09:39:09 -0800 (PST) Received: by c209-43-213-2.esafe.com with Internet Mail Service (5.0.1458.49) id ; Mon, 10 Nov 1997 09:39:39 -0800 Message-ID: From: Jerry Huyghe To: "'Adam Shostack'" , peter@baileynm.com Cc: sjbrown@bellsouth.net, firewalls@GreatCircle.COM Subject: RE: Finjan Surfin Gate Review Date: Mon, 10 Nov 1997 09:39:37 -0800 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Yes, Security-7 has a good product, but it is a gateway solution, which will not stop SSL or VPN encrypted transmissions. It must be combined with solid runtime protection.

Sincerely,
Jerry Huyghe
Product Manager
eSafe Technologies

> -----Original Message-----
> From: Adam Shostack [SMTP:adam@homeport.org]
> Sent: Saturday, November 08, 1997 1:04 PM
> To: peter@baileynm.com
> Cc: jerry@us.esafe.com; sjbrown@bellsouth.net;
> firewalls@GreatCircle.COM
> Subject: Re: Finjan Surfin Gate Review
>
> I'll mention that Security-7 (www.security7.com) has a product that
> will look through the Java classes or ActiveX controls and allow you
> to block things that you don't like. (Thus, you could block all Java
> that calls the file io classes.)
>
> Adam
>
>
> Peter da Silva wrote:
> | > Protection from vandal applets is a new technology which is still
> being
> | > defined...any thoughts?
> | > | Use the approach in HTML: don't allow the applets the ability to > perform > | dangerous acts. If you want to do more, then explicitly download and > | install a plugin. That way you have control and you have to perform > an > | explicit install before you're exposed. > | > | The only applet technology I know of that does this is the Tk > plugin, which > | actually removes all dangerous commands from the interpreter before > running > | the applet, so even if it's hostile it has no access to anything > outside the > | sandbox. > | > > > -- > "It is seldom that liberty of any kind is lost all at once." > -Hume > From owner-firewalls-list Mon Nov 10 10:15:27 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA14567; Mon, 10 Nov 1997 09:36:50 -0800 (PST) Received: from bastion.smacek.com (bastion.smacek.com [207.250.113.129]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id JAA14549 for ; Mon, 10 Nov 1997 09:36:41 -0800 (PST) Received: from rgplinux.smacek.com (rgplinux.smacek.com [207.250.113.2]) by bastion.smacek.com (8.8.5/8.8.5) with ESMTP id LAA19435 for ; Mon, 10 Nov 1997 11:31:47 -0600 Received: from rgplinux.smacek.com (localhost [127.0.0.1]) by rgplinux.smacek.com (8.8.5/8.8.5) with SMTP id LAA04360 for ; Mon, 10 Nov 1997 11:38:25 -0600 Message-ID: X-Mailer: XFMail 1.1 [p0] on Linux Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 Date: Mon, 10 Nov 1997 11:31:19 -0600 (CST) From: Rich Peiffer To: firewalls@greatcircle.com Subject: SNMP Scan Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm having a problem with various sites continuously scanning my nets for any host willing to answer an SNMP service request (UDP port 161). The scan typically happens once or twice a day, and is getting quite annoying. It appears that my firewall is rejecting the requests properly, but I am wondering what my next step should be? 
I have attempted to contact the admin of the domains where the attacks appear to be originating. The problems there are obvious (large dialup networks, spoofed source addresses, etc.) Should I maybe be dumping the contents of some of these packets? If so, what should I be looking for? Is there a gaping hole in SNMP somewhere? I am considering filtering out these rejected packet messages from my syslog files as they tend to cloud up the rest of the messages which are important.

There is also one other thing that bothers me regarding this issue. Most packets are rejected by my external router when they are inbound on the interface connected to the internet. I just recently noticed the packet destined to the external router itself appears to make it in, and the router's response is rejected. The following is an example of what I am getting:

Nov 10 09:53:55 bastion kernel: IP fw-out deny eth1 UDP 207.250.113.129:161 207.198.221.100:2142 L=89 S=0x00 I=27282 F=0x0000 T=64
*** the above message is from my external router, note it appears to be a response to the attack, not the attack itself.

Nov 10 09:53:55 bastion kernel: IP fw-in deny eth1 UDP 207.198.221.100:2142 207.250.113.191:161 L=89 S=0x00 I=18239 F=0x0000 T=112
*** this message is a "normal" rejection.

Nov 10 09:53:57 bastion kernel: IP fw-in deny eth1 UDP 207.198.221.100:2142 207.250.113.129:161 L=89 S=0x00 I=34111 F=0x0000 T=112
*** here is a "normal" rejection from my external router which occurred just after the above two rejections.

I am wondering what the first syslog entry above means. Any request for service 161 from outside my net (207.250.113.xxx) should have been rejected on its way in. I have checked my total firewall configuration over many times, and it appears to be OK. Any advice or explanations would be appreciated! TIA.

-Rich
--
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
-- Benjamin Franklin, 1759 From owner-firewalls-list Mon Nov 10 11:13:55 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA24477; Mon, 10 Nov 1997 10:25:20 -0800 (PST) Received: from relay.allstate.com (relay.allstate.com [167.127.242.253]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id KAA24421 for ; Mon, 10 Nov 1997 10:25:07 -0800 (PST) Received: from mail.allstate.com by relay.allstate.com (AIX 3.2/UCB 5.64/4.03) id AA23578; Mon, 10 Nov 1997 12:28:34 -0600 Received: from Allstate-Message_Server by allstate.com with Novell_GroupWise; Mon, 10 Nov 1997 12:26:08 -0600 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Mon, 10 Nov 1997 12:25:08 -0600 From: Michael Martinson To: firewalls@GreatCircle.com Subject: What Linux version is best for Firewall? Mime-Version: 1.0 Content-Type: text/plain Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm putting together the pieces and parts for a firewall. I've read that Red Hat is the best version of Linux for a stripped down proxy firewall. I'm just making sure that Red Hat is the version which most firewalls are on. I've checked out: http://www.ssc.com/lj/issue25/1204.html and found that it has a lot of help. I'm wondering if anyone is willing to give me a list of what patches they do to the Kernel to make it as secure as possible. 
Michael Martinson Senior Systems Software Programmer Lincoln Benefit Life 1(800)525-2799 x8710 martimdp@allstate.com

From owner-firewalls-list Mon Nov 10 11:15:52 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA29855; Mon, 10 Nov 1997 10:53:08 -0800 (PST) Received: from firewall.co.alameda.ca.us (firewall.co.alameda.ca.us [166.107.250.34]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id KAA29554 for ; Mon, 10 Nov 1997 10:52:03 -0800 (PST) Received: (from Administrator@localhost) by firewall.co.alameda.ca.us (1.0 (Berkeley 8.7) Build 341/Configuration 4) id KAA00199 for ; Mon, 10 Nov 1997 10:07:31 -0800 Received: from msmail.co.alameda.ca.us(166.107.250.98) by firewall via smtp-gw id xma1404.tmp; Mon, 10 Nov 97 10:07:07 -0800 Received: by msmail.co.alameda.ca.us with Internet Mail Service (5.0.1458.49) id ; Mon, 10 Nov 1997 10:05:47 -0800 Message-ID: <88B8AB5C9DD0CF11B1310000F821B7799704DA@msmail.co.alameda.ca.us> From: "Noe, John, ITD" To: "'firewalls'" Date: Mon, 10 Nov 1997 10:05:44 -0800 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello! I am a firewall administrator for County Government offices in California. Our shop is starting to become quite security conscious (finally). We are using the Centri product (3.x.). I am struggling with the question of opening up ports on the firewall for our users. What is the real world way of dealing with these requests? Opening up the ports, but only between specific sources and destinations? Also, we will soon be installing Cisco PIX... Any words good or bad? How about sendmail, DNS servers for the untrusted network? Thanks! john John R.
Noe 510.272.3864 From owner-firewalls-list Mon Nov 10 11:42:58 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA07780; Mon, 10 Nov 1997 11:34:41 -0800 (PST) Received: from saturn.hrz.tu-chemnitz.de (saturn.hrz.tu-chemnitz.de [134.109.132.51]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id LAA07634 for ; Mon, 10 Nov 1997 11:34:09 -0800 (PST) Received: from mailbox.hrz.tu-chemnitz.de by saturn.hrz.tu-chemnitz.de with Local SMTP (PP); Mon, 10 Nov 1997 20:34:53 +0100 Received: from cello.hrz.tu-chemnitz.de (cello.hrz.tu-chemnitz.de [134.109.72.62]) by mailbox.hrz.tu-chemnitz.de (8.8.5/8.8.3) with ESMTP id UAA07822; Mon, 10 Nov 1997 20:34:52 +0100 (MET) Received: from localhost by cello.hrz.tu-chemnitz.de (8.8.5/client-1.5) id UAA03125; Mon, 10 Nov 1997 20:34:51 +0100 Date: Mon, 10 Nov 1997 20:34:51 +0100 (MET) From: Johannes Schwabe To: "Lau, Chris" cc: "'firewalls@greatcircle.com'" Subject: Re: spam In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 10 Nov 1997, Lau, Chris wrote: > Hi: > > Does anyone have a solution on how to stop spam email at the firewall > level? We are using TIS Gauntlet. Some one out there is using our This issue is not too much related to firewalls. > company name to send out spam email. We are getting many angry replies > to us asking us to stop spamming. We were not the ones doing it. > I fear you provided not enough information. Does the spammer use your mail servers to relay his spam ? If so, you should block relaying. But you cannot stop anybody with technical means from forging From: and Reply-To: headers. You should use social (contacting the provider / upstream provider of the spammer) or juridical (suing the spammer) means. Contact me if you need assistance. 
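Johannes's first question, whether the spammer is relaying through your own mail server or merely forging the From: line, can be answered from the headers of one of the complaints or bounces you receive, because every MTA that handled the message prepended a Received: line. The following is an added example, not code from the thread: it parses the Received: chain with Python's email module, walks it oldest-hop-first, and reports whether any hop was accepted "by" a host in your domain from a host outside it (an open relay you need to close) or whether the message never touched you and only the From: is forged, which no firewall rule can prevent. The two sample messages, the domain yourco.example and every host name and address in them are constructed. One caveat a practitioner should keep in mind: only the Received: lines added by servers you trust are reliable, since anything below the first trusted hop can itself be forged, so the "injection point" reported here is the earliest hop you can attribute to a real MTA, not necessarily the spammer's own machine.

```python
"""Added example: trace the Received: chain of a spam complaint to see if it relayed through us."""
import re
from email import message_from_string
from email.utils import parseaddr

# Matches the "from <helo> (<rdns> [<ip>]) ... by <host>" shape of a Received: line.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[\d.]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.S,
)


def parse_received(value):
    """Reduce one Received: header to the hosts involved; None if it has no 'from ... by' part."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    if not m:
        return None
    return {"helo": m.group("helo"), "ip": m.group("ip"), "by": m.group("by")}


def in_domain(host, domain):
    """True if host is the domain itself or a name under it."""
    return host is not None and (host.lower() == domain or host.lower().endswith("." + domain))


def trace(raw_message, our_domain):
    """Walk the Received: chain oldest-first and classify the complaint."""
    msg = message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    hops.reverse()  # headers are prepended on the way in, so the last one is the first hop
    relayed_via_us = any(in_domain(h["by"], our_domain) and not in_domain(h["helo"], our_domain)
                         for h in hops)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    from_claims_us = sender.endswith("@" + our_domain)
    if relayed_via_us:
        verdict = "relayed through our MTA: close the relay"
    elif from_claims_us:
        verdict = "From: forged, never touched us: pursue the injecting network"
    else:
        verdict = "not ours"
    return {"hops": hops, "injection_ip": hops[0]["ip"] if hops else None,
            "relayed_via_us": relayed_via_us, "from_claims_us": from_claims_us,
            "verdict": verdict}


OUR_DOMAIN = "yourco.example"  # constructed stand-in for the defender's domain

# Constructed complaint 1: injected from a dial-up host and relayed by our own MTA.
RELAYED = """\
Received: from mail.yourco.example (mail.yourco.example [192.0.2.25]) by mx.complainer.example (8.8.5/8.8.5) with ESMTP id AAA100; Mon, 10 Nov 1997 12:01:00 -0800
Received: from dialup-12.isp.example ([198.51.100.12]) by mail.yourco.example (8.8.5/8.8.5) with SMTP id BBB200; Mon, 10 Nov 1997 12:00:00 -0800
From: sales@yourco.example
To: victim@complainer.example
Subject: MAKE MONEY FAST

body
"""

# Constructed complaint 2: same forged From:, but the message never passed through us.
FORGED_ONLY = """\
Received: from dialup-12.isp.example ([198.51.100.12]) by mx.complainer.example (8.8.5/8.8.5) with SMTP id CCC300; Mon, 10 Nov 1997 12:00:00 -0800
From: sales@yourco.example
To: victim@complainer.example
Subject: MAKE MONEY FAST

body
"""

if __name__ == "__main__":
    for name, raw in (("relayed", RELAYED), ("forged_only", FORGED_ONLY)):
        result = trace(raw, OUR_DOMAIN)
        print(name, result["injection_ip"], result["verdict"])
```

In the first case the fix is on your MTA (refuse to relay for clients outside your networks), and the injecting address is the one to report to the dial-up provider; in the second case nothing you run ever saw the message, and the only recourse is the social or legal one Johannes describes.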
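Rich Peiffer's ipfwadm log excerpt earlier in the thread (re-sent just below) is a good case for a small parser, because the two things he wants to keep, one source hitting UDP/161 on many of his hosts, and the odd outbound deny showing that one of his own boxes answered, are buried among lines that all look alike. The following is an added example and not code from the thread or from ipfwadm: it parses lines in the "IP fw-in deny eth1 UDP src:port dst:port L=..." form quoted above, groups denied inbound probes by source to find sweeps, flags outbound denies whose source is a local address on port 161 (a reply means the query reached a host that answered it), and returns the remaining lines that still deserve a look. The sample log is constructed around the three lines Rich posted, with two extra targets of the same sweep and one unrelated telnet probe added; 207.250.113.0/24 is taken as the local network from his message.

```python
"""Added example: triage ipfwadm-style deny logs for SNMP sweeps and local replies."""
import ipaddress
import re
from collections import defaultdict

# One TCP/UDP log line: "<ts> <host> kernel: IP <chain> <action> <iface> <proto> src:sport dst:dport ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: IP "
    r"(?P<chain>fw-(?:in|out|fwd)) (?P<action>\w+) (?P<iface>\S+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_line(line):
    """Fields of one TCP/UDP deny line, or None for lines of another shape (ICMP, other noise)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def find_sweeps(records, port=161, min_targets=3):
    """Sources whose denied inbound probes hit `port` on at least `min_targets` distinct hosts."""
    targets = defaultdict(set)
    for r in records:
        if r["chain"] == "fw-in" and r["action"] == "deny" and r["dport"] == port:
            targets[r["src"]].add(r["dst"])
    return {src: sorted(dsts, key=ipaddress.ip_address)
            for src, dsts in targets.items() if len(dsts) >= min_targets}


def find_local_replies(records, local_net, port=161):
    """Outbound denies sourced from a local host's `port`: that host answered a query it received."""
    net = ipaddress.ip_network(local_net)
    return [(r["src"], r["dst"]) for r in records
            if r["chain"] == "fw-out" and r["action"] == "deny" and r["sport"] == port
            and ipaddress.ip_address(r["src"]) in net]


def triage(text, local_net, port=161):
    """Split a log into the sweep summary, the local-reply anomalies, and everything else."""
    records = parse_log(text)
    sweeps = find_sweeps(records, port)

    def is_sweep_noise(r):
        return r["chain"] == "fw-in" and r["dport"] == port and r["src"] in sweeps

    return {
        "sweeps": sweeps,
        "local_replies": find_local_replies(records, local_net, port),
        "remaining": [r for r in records if not is_sweep_noise(r)],
    }


# Constructed sample: the three lines quoted in the thread, two more targets of the same
# sweep, and one unrelated telnet probe. 207.250.113.0/24 stands in for the local network.
SAMPLE_LOG = """\
Nov 10 09:53:55 bastion kernel: IP fw-out deny eth1 UDP 207.250.113.129:161 207.198.221.100:2142 L=89 S=0x00 I=27282 F=0x0000 T=64
Nov 10 09:53:55 bastion kernel: IP fw-in deny eth1 UDP 207.198.221.100:2142 207.250.113.191:161 L=89 S=0x00 I=18239 F=0x0000 T=112
Nov 10 09:53:57 bastion kernel: IP fw-in deny eth1 UDP 207.198.221.100:2142 207.250.113.129:161 L=89 S=0x00 I=34111 F=0x0000 T=112
Nov 10 09:53:58 bastion kernel: IP fw-in deny eth1 UDP 207.198.221.100:2142 207.250.113.7:161 L=89 S=0x00 I=34112 F=0x0000 T=112
Nov 10 09:53:58 bastion kernel: IP fw-in deny eth1 UDP 207.198.221.100:2142 207.250.113.8:161 L=89 S=0x00 I=34113 F=0x0000 T=112
Nov 10 10:15:02 bastion kernel: IP fw-in deny eth1 TCP 203.0.113.9:1030 207.250.113.3:23 L=44 S=0x00 I=2 F=0x4000 T=50
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG, "207.250.113.0/24")
    for src, dsts in result["sweeps"].items():
        print(f"sweep from {src}: {len(dsts)} hosts probed on udp/161")
    for src, dst in result["local_replies"]:
        print(f"local host {src} answered {dst} on udp/161 and the reply was dropped")
    for r in result["remaining"]:
        print("review:", r["chain"], r["proto"], r["src"], "->", r["dst"], r["dport"])
```

The local-reply check is the part worth keeping even after the sweep lines are summarised away: an outbound deny from a local address with source port 161 means the input side let the query reach something that speaks SNMP, and that is the entry to investigate rather than the hundreds of inbound denies around it.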
From owner-firewalls-list Mon Nov 10 12:56:48 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA19386; Mon, 10 Nov 1997 12:26:48 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with ESMTP id MAA19324 for ; Mon, 10 Nov 1997 12:26:33 -0800 (PST) Received: from bastion.smacek.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-970426) id MAA23173; Mon, 10 Nov 1997 12:27:05 -0800 (PST) Received: from rgplinux.smacek.com (rgplinux.smacek.com [207.250.113.2]) by bastion.smacek.com (8.8.5/8.8.5) with ESMTP id OAA22971 for ; Mon, 10 Nov 1997 14:21:07 -0600 Received: from rgplinux.smacek.com (localhost [127.0.0.1]) by rgplinux.smacek.com (8.8.5/8.8.5) with SMTP id OAA08003 for ; Mon, 10 Nov 1997 14:27:34 -0600 Message-ID: X-Mailer: XFMail 1.1 [p0] on Linux Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit MIME-Version: 1.0 Date: Mon, 10 Nov 1997 14:26:56 -0600 (CST) From: Rich Peiffer To: firewalls@GreatCircle.COM Subject: FW: Message not deliverable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I'm having a problem with various sites continuously scanning my nets for any host willing to answer an SNMP service request (UDP port 161). The scan typically happens once or twice a day, and is getting quite annoying. It appears that my firewall is rejecting the requests properly, but I am wondering what my next step should be?

I have attempted to contact the admin of the domains where the attacks appear to be originating. The problems there are obvious (large dialup networks, spoofed source addresses, etc.) Should I maybe be dumping the contents of some of these packets? If so, what should I be looking for? Is there a gaping hole in SNMP somewhere? I am considering filtering out these rejected packet messages from my syslog files as they tend to cloud up the rest of the messages which are important.
There is also one other thing that bothers me regarding this issue. Most packets are rejected by my external router when they are inbound on the interface connected to the internet. I just recently noticed the packet destined to the external router itself appears to make it in, and the router's response is rejected. The following is an example of what I am getting:

Nov 10 09:53:55 bastion kernel: IP fw-out deny eth1 UDP 207.250.113.129:161 207.198.221.100:2142 L=89 S=0x00 I=27282 F=0x0000 T=64
*** the above message is from my external router, note it appears to be a response to the attack, not the attack itself.

Nov 10 09:53:55 bastion kernel: IP fw-in deny eth1 UDP 207.198.221.100:2142 207.250.113.191:161 L=89 S=0x00 I=18239 F=0x0000 T=112
*** this message is a "normal" rejection.

Nov 10 09:53:57 bastion kernel: IP fw-in deny eth1 UDP 207.198.221.100:2142 207.250.113.129:161 L=89 S=0x00 I=34111 F=0x0000 T=112
*** here is a "normal" rejection from my external router which occurred just after the above two rejections.

I am wondering what the first syslog entry above means. Any request for service 161 from outside my net (207.250.113.xxx) should have been rejected on its way in. I have checked my total firewall configuration over many times, and it appears to be OK. Any advice or explanations would be appreciated! TIA.

-Rich
--
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
-- Benjamin Franklin, 1759

From owner-firewalls-list Mon Nov 10 13:12:59 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA25908; Mon, 10 Nov 1997 12:57:36 -0800 (PST) Received: from xchangebox2.USADOMAIN1 (XCHANGEBOX2.USANETWORKS.COM [208.225.13.9]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id MAA25830 for ; Mon, 10 Nov 1997 12:57:18 -0800 (PST) Received: by xchangebox2.USADOMAIN1 with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BCEDF1.3B61AED0@xchangebox2.USADOMAIN1>; Mon, 10 Nov 1997 15:56:39 -0500 Message-ID: From: "Zilber, Alexey" To: "'Firewall list'" Cc: "'jmb@FRB.GOV'" , "'hagan@cih.com'" Subject: RE: Pissing Contest (wasRe: Linux et al PFs ) Date: Mon, 10 Nov 1997 15:58:07 -0500 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Oops, sorry it wasn't Wired. Wired had something else. This was on INTERNETWEEK. Comparing all the major OS's (including Linux and BSD). Quite an interesting article.. and aptly named too...
>http://www.techweb.com/se/directlink.cgi?INW19970901S0125 From owner-firewalls-list Mon Nov 10 14:01:23 1997 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA15081; Mon, 10 Nov 1997 12:07:48 -0800 (PST) Received: from pecos-int.iphase.com ([157.175.3.200]) by honor.greatcircle.com (8.8.5/Honor-971021-1) with SMTP id MAA14954 for ; Mon, 10 Nov 1997 12:07:21 -0800 (PST) Received: by pecos-int.iphase.com; id AA09850; Mon, 10 Nov 97 14:08:25 CST Received: from rodan.iphase.com(157.175.111.4) by pecos.iphase.com via smap (3.2) id xma009756; Mon, 10 Nov 97 14:07:55 -0600 Received: from iphase.com (chip-fddi [157.175.140.220]) by rodan.Iphase.COM (8.8.7/8.8.7) with ESMTP id OAA03960; Mon, 10 Nov 1997 14:10:05 -0600 (CST) Message-Id: <34676996.567AC049@iphase.com> Date: Mon, 10 Nov 1997 14:07:50 -0600 From: Patrick Larkin Jr Organization: Interphase Corporation X-Mailer: Mozilla 4.02 [en] (X11; I; SunOS 4.1.3 sun4c) Mime-Version: 1.0 Newsgroups: comp.security.firewalls,comp.lang.java.security To: Firewalls@greatcircle.com, plarkin@iphase.com Subject: Summary on Java Sanity Check Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I Posted a query titled "Sanity Check my Java/Security Stance" to "comp.security.firewalls" and "comp.lang.java.security" Newsgroups and also "firewalls@greatcircle.com" mailing list. Got 12 replies. The list below summarizes them (Note, the total exceeds 12 because some folks offered multiple statements). In cases where there were more than one particular statement, I took the liberty of paraphrasing the best one and adding to the count for each additional one that had the same basic principle. 
QTY  Statement
---- -----------------------------------------------------------------------
4    We face these same issues, please post your results (or "the answer")
4    Buy our product, it protects you (or "you can buy protection")
4    Real world business apps in Java are few and far between
2    We don't allow it, we don't leave it up to users.
2    put PCs on the DMZ
2    Be careful about relying on a policy alone

Here were some notable quotes (included in counts above):

* So what are these business related sites that insist you must use JAVA ? Have yet to get an answer to that one.

* After our users claimed they had to have Java to do their work, turns out it was to see what other companies were doing with Java.

* Despite this type of "policy" I have found that both users and management will hold you responsible with the attitude of "YOU should have known that THEY couldn't possibly know better as to which Java sites to trust". Be careful -- when problems occur, some people look first for a fall guy and second for a solution.

Conclusions: Judging from this, I had nobody say they let it through their firewall unabated. Furthermore, there seems to be more folks asking the question than there are answers. We have yet to have formulated an "answer".... I'm still waiting for the users to provide an example URL and info to back up their claims that "Sun, 3com and other big companies let it through". Also, it is worth noting that the day after my posting, I got a telephone voicemail from a guy at 'Digitivity' trying to sell me his "protection". I did not post my phone number (though it is obtainable via the net). I did not ask for telephone calls or sales pitches. Thus, I won't be buying that product. I get enough "spam" email as it is... the last thing I need is more of it, and over the phone too.

Thank you all for your insight and for responding,

Original Posting:
> Ok, my users are getting restless and are beginning to say "I can't do my
> job because Java is blocked by the Firewall".
Therefore, I'm curious to > know what the current stance is in the industry regarding letting Java thru. > > We've had TIS Gauntlet for a couple years now, and installed their blocker > for Java, JavaScript and ActiveX as soon as it came out. During that time, > we'd see numerous postings on bugtraq, cert, and so on about Java security > problems. I've not really followed THESE NGs, but the lists have pretty > much quieted down regarding Java. > > Initially, I thought if we could get Gauntlet to check site > certificates at the firewall, that would be best, but the more > I think about it, I dont want to make a career out of fulfilling > "please add XYZ.com to the 'permit java' list" requests. > > So the questions are: > Do most company's let Java thru the firewall nowadays? > If so, what conditions do you place on it? > > We do not want our proprietary source code, nor other confidential > business files leaking out. We have probably half our users on Win95 > and the other half on SunOS or Solaris. Although my department only > supports Netscape Navigator/Communicator, there are quite a few who > install their "browser of choice". With site certificates in Netscape v4.x, > I feel a little more comfortable letting Java through. Given this > culture, here is the stance I'm considering: > We will open up our firewall to Java which brings with it > certain risks... To minimize these risks we recommend you > ONLY run Netscape Communicator v4.03 or higher and learn > about Site Certificates before checking the "Enable Java(script)" > buttons in the config screens. Determining what Java sites > can be trusted is YOUR RESPONSIBILITY. Failure to make prudent > use of the above mentioned security mechanisms can lead to > problems for which we cannot be responsible. > Is this a reasonable policy given the state of Java and Netscape v4.x? > Are we missing anything? Is it too strict or not strict enough? 
>
> Finally, I envision seeding everyone's certificates with a few major sites
> like sun, netscape, etc. and set it to "deny ALL java unless its site
> certificate is one of these".
> Is there a URL that explains how to set this up and/or explains to my
> average user how to manage certificates?
> The pages I've found at www.netscape.com are pretty lame on these issues,
> but surely they're buried somewhere there (or somewhere else).
>
> Please followup to me directly via Email as I'm sure this has been rehashed
> many times. TIA for all your help!

--
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Patrick Larkin Jr -SysAdm, Texan, Drummer, Patriot-

From owner-firewalls-list Mon Nov 10 15:51:45 1997
From: bookinfo@answerme.com
Date: Mon, 10 Nov 1997 11:43:00 -0800 (PST)
To: bookinfo@answerme.com
Subject: 5-Become a #1 Best-Selling Author..
Sender: firewalls-owner@GreatCircle.COM
From owner-firewalls-list Mon Nov 10 15:52:06 1997
From: "Daniel \"Cheez\" Brown"
Date: Mon, 10 Nov 1997 12:11:17 -0600 (CST)
To: "Hudspeth, Todd"
cc: "'firewalls@greatcircle.com'"
Subject: Re: Performance Testing Tools

Todd-

Personally, I know of none. But I would suggest just writing a few shell
scripts and putting them on outside machines (being careful not to overload
the machines) that do nothing but hit ports 21, 23, 25, 80, and 110
repeatedly. You might wish to do some other ports too, but those are the main
ones.

You could also use a portscanner on each machine, running 4-8 copies of the
program on each machine, and set it to repeatedly scan the first 200 ports.
That would be a pretty good stress test for a firewall.

Sorry I can't offer any rock solid information, but good luck.
Luck be with ye,

+----Daniel "Cheez" Brown------------Global Data Systems-------+
| http://cheez.lowprofile.net  | Security Advisor, Global Reach  |
| cheez@cheez.lowprofile.net   | Computer Networking Specialist  |
| cheez@globalreach.net        | Remote Management Specialist    |
| cheez@hotmail.com            | Linux/Windows NT Specialist     |
+------If at first you don't succeed, redefine success.--------+

On Mon, 10 Nov 1997, Hudspeth, Todd wrote:

  Date: Mon, 10 Nov 1997 08:53:48 -0600
  From: "Hudspeth, Todd"
  To: "'firewalls@greatcircle.com'"
  Subject: Performance Testing Tools

  Is anyone aware of any performance measurement tools that would simulate
  thousands of users performing various methods of access to and through a
  firewall? Such as, internal to external ftp, http, https, telnet and VPN?

  Thanks,

  Todd Hudspeth
  Norwest Services, Inc.
  todd.hudspeth@norwest.com

From owner-firewalls-list Mon Nov 10 16:06:12 1997
From: Peter da Silva
Date: Mon, 10 Nov 1997 16:42:16 -0600 (CST)
To: firewalls@GreatCircle.COM
Subject: Re: Finjan Surfin Gate Review
In-Reply-To: from "Jerry Huyghe" at Nov 10, 97 09:39:37 am

>
> Yes, Security-7 has a good product, but it is a gateway solution, which
> will not stop SSL or VPN encrypted transmissions. It must be combined
> with solid runtime protection.

Adam also sent me private mail stating that for most applets it will work
just fine, even though a really malicious one would be able to sneak through
if it was obscured by compression or encryption.

The problem I see is that there is readily available code to perform that
sort of encryption in virus writers' toolkits, many of which are publicly
advertised in hobbyist magazines "for research purposes". So anyone writing a
malicious applet can easily hide it in an apparently innocuous program by
running a stealth virus generator and making the malicious code the payload.

The whole issue of scanning for dangerous code is a fundamentally broken
approach to security. It's failed spectacularly for virus detectors (though
it's been a tremendous success for virus detector COMPANIES as people have to
keep paying danegelt to McAfee and Symantec to keep up the arms race), and it
will fail even more spectacularly here (virus writers are primarily ego
driven. With hostile applets, where you can force the code to be executed
where and when you want, when you know your victim has a communication link
up, you can get real money out of the deal).

The only viable solution is a strong sandbox that doesn't contain any tools
that can be used to violate the integrity of the user's system. Yes, this will
limit the end-user's ability to do some interesting and useful things with
applets. What a SHAME. The poor user will need to actually DOWNLOAD and
INSTALL a plugin (after verifying that it really came from an entity that he
can successfully sue if it contains malicious code). I think that's a small
price to pay for a modicum of security.

In terms of the technology available currently... last week I suggested that
Safe Tcl was the only really secure sandbox. It's the one that's been
developed the most, but there are a couple of other interesting options:

ActiveX and native code: this is almost criminally lax about security.

Java: It's pretty safe from stealth-type abuse, so scanning is an option...
and in fact that's how its security model works. Experience has shown that
there's still work to be done.

Visual Basic: If used as a sandbox... all I can say is "Word Macro Virus".

Javascript: It's a pretty limited interpreter. It's got more potential holes
than HTML, but they seem pretty much to be limited to privacy issues.

Safe Tcl: It's got a lot more capability than Javascript, and has proven
itself pretty secure. At least one large regional ISP has been using it for
server-side customer scripting without untoward events.

Postscript: There have been a couple of problems with people using poorly
designed security to change printer settings, and a hole in the setup code in
Ghostscript, but in a browser context where configuration isn't done through
the scripting language that's not an issue. I'd really like to see browsers
with embedded Postscript interpreters, other than Adobe's pretty but illegible
PDF.

Safe Perl, and so on: There's been some work in making "safe" versions of
other popular scripting languages. I don't know of any that are really
suitable for plugins or applets.

Advanced HTML: Netscape and others have had problems with adding new features
to HTML that have caused problems in association with Javascript (for
example, the frame bug). On the other hand it's a language that's very easy
to scan, and with a bit more care it can be extended into a much more capable
language than it is now, without compromising security.

Has anyone seen anything interesting done with embedded Postscript or more
procedurally oriented HTML (the war over whether HTML is descriptive or layout
oriented has, of course, been lost to the glamor kiddies)?
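Peter's argument, scanning at the gateway versus a sandbox that simply lacks the dangerous primitives, can be shown on a toy. The following is an added example and not part of Peter's post or any vendor's product: the one-op-per-line "applet" language, its opcodes (PRINT, ADD, WRITE_FILE) and the signature list are all constructed for illustration, and the "stealth" wrapper is nothing more than zlib plus base64. The point it demonstrates is that a byte-pattern scanner sees the packed program as opaque data, while a capability sandbox rejects the same program however it is packaged, because the operation it asks for does not exist inside the sandbox.

```python
"""Scanning vs. sandboxing on a toy applet language (constructed example)."""
import base64
import re
import zlib

# --- Approach 1: content scanning at the gateway ----------------------------
# The scanner looks for known-bad byte patterns in what crosses the wire.
# (Both signatures contain '_' so they can never match base64 output.)
SIGNATURES = [re.compile(rb"WRITE_FILE"), re.compile(rb"OPEN_SOCKET")]


def scanner_flags(blob: bytes) -> bool:
    """True if any signature matches the bytes exactly as transmitted."""
    return any(sig.search(blob) for sig in SIGNATURES)


# --- Approach 2: a capability sandbox ---------------------------------------
# The interpreter only knows the operations in its capability table. A
# dangerous op is not "blocked by a rule"; it simply is not there to call.
def _op_print(arg, state):
    state["output"].append(arg)


def _op_add(arg, state):
    state["acc"] += int(arg)


SANDBOX_CAPS = {"PRINT": _op_print, "ADD": _op_add}


class SandboxViolation(Exception):
    """An applet asked for a capability the sandbox does not provide."""


def run_sandboxed(program: str, caps=SANDBOX_CAPS) -> dict:
    """Run a one-op-per-line program; an unknown op aborts at that line."""
    state = {"output": [], "acc": 0}
    for lineno, line in enumerate(program.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        op, _, arg = line.partition(" ")
        handler = caps.get(op)
        if handler is None:
            raise SandboxViolation(f"line {lineno}: {op} is not available here")
        handler(arg, state)
    return state


# --- The compression/encoding wrapper Peter describes -----------------------
def pack(program: str) -> bytes:
    """Compress and encode a program, as a packer or stealth loader would."""
    return base64.b64encode(zlib.compress(program.encode()))


def unpack_and_run(blob: bytes, caps=SANDBOX_CAPS) -> dict:
    """Client side: unpack at runtime, then hand the program to the sandbox."""
    return run_sandboxed(zlib.decompress(base64.b64decode(blob)).decode(), caps)


# Constructed sample applets (WRITE_FILE is a made-up opcode, not a real API).
BENIGN = "PRINT hello\nADD 2\nADD 3\n"
HOSTILE = "PRINT hello\nWRITE_FILE /tmp/placeholder\n"


def compare(program: str) -> dict:
    """What each approach concludes about a program, plain and packed."""
    plain, packed = program.encode(), pack(program)

    def sandbox_allows(runner, blob):
        try:
            runner(blob)
            return True
        except SandboxViolation:
            return False

    return {
        "scanner_flags_plain": scanner_flags(plain),
        "scanner_flags_packed": scanner_flags(packed),
        "sandbox_allows_plain": sandbox_allows(lambda b: run_sandboxed(b.decode()), plain),
        "sandbox_allows_packed": sandbox_allows(unpack_and_run, packed),
    }


if __name__ == "__main__":
    for name, prog in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(name, compare(prog))
```

Running it shows the asymmetry: the hostile program is flagged by the scanner only in its plain form and slips past once packed, whereas the sandbox refuses it in both forms and lets the benign one through in both. A real sandbox such as the Safe Tcl interpreter Peter mentions applies the same principle at the level of a full language, which is why its capability list, not a signature database, decides what an applet can do.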
--
%!PS true(<

From: Jesse Brown
Date: Mon, 10 Nov 1997 17:03:31 -0800 (PST)
To: Michael Martinson
cc: firewalls@GreatCircle.COM
Subject: Re: What Linux version is best for Firewall?

The distribution you are running it on is usually less important than the
kernel version (as most of the firewalling code built into Linux is in the
kernel). I personally run Slackware, and haven't had a problem yet.

-J

On Mon, 10 Nov 1997, Michael Martinson wrote:

> I'm putting together the pieces and parts for a firewall. I've read that
> Red Hat is the best version of Linux for a stripped down proxy firewall.
> I'm just making sure that Red Hat is the version which most firewalls are
> on.
>
> I've checked out:
> http://www.ssc.com/lj/issue25/1204.html
> and found that it has a lot of help. I'm wondering if anyone is willing to
> give me a list of what patches they do to the Kernel to make it as secure
> as possible.
>
> Michael Martinson
> Senior Systems Software Programmer
> Lincoln Benefit Life
> 1(800)525-2799 x8710
> martimdp@allstate.com
>

--
Jesse Brown - bextreme@pobox.com

From owner-firewalls-list Mon Nov 10 16:22:50 1997
From: Steve Lindauer
Date: Mon, 10 Nov 1997 11:44 -0700 (MST)
To: "Hudspeth, Todd"
CC: "'firewalls@greatcircle.com'"
Subject: Re: Performance Testing Tools

Todd,

Check these:

Company               Product               Website
--------              --------              ---------
Auto Tester Inc.      AutoTester Web        www.autotester.com
Centerline Software   QC/Advantage          www.centerline.com
Compuware             QA Center             www.compuware.com
Eastern Systems       TestWeb               www.easternsystems.com
Mercury Interactive   Astra SiteManager     www.merc-int.com
                      Astria SiteTest
                      Web Test
Platinum Technology   Web Qualify           www.platinum.com
                      Final Exam
Pure Astria Corp      Performix.Web         www.pureatria.com
Rational Software     SQA LoadTest 6.0      www.sqa.com
Seque Software        SilkTest              www.segue.com
Sil
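Daniel Brown's suggestion earlier in this thread (scripts on outside machines that repeatedly open connections to ports 21, 23, 25, 80 and 110, without overloading the test hosts themselves) can be written as a small tool. The following is an added example, not code from Daniel, Todd, Steve or any of the vendors listed above. It assumes you point it at your own firewall from a host outside it; the host names in the comments are placeholders, and the ports are the ones Daniel named. A bounded worker pool is the "don't overload the machines" part, and the self-test spins up a listener on 127.0.0.1 so the tool can be exercised offline before it is pointed at anything real.

```python
"""Firewall connection-load smoke test (added example, constructed inputs)."""
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor

SERVICE_PORTS = (21, 23, 25, 80, 110)  # ftp, telnet, smtp, http, pop3


def plan_targets(host: str, rounds: int, ports=SERVICE_PORTS) -> list:
    """Expand rounds x ports into the ordered list of (host, port, round) attempts."""
    return [(host, port, r) for r in range(1, rounds + 1) for port in ports]


def connect_once(host: str, port: int, timeout: float = 2.0) -> dict:
    """Open and immediately close one TCP connection; record outcome and latency."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            ok, error = True, None
    except OSError as exc:
        ok, error = False, type(exc).__name__
    return {"host": host, "port": port, "ok": ok, "error": error,
            "seconds": time.monotonic() - start}


def summarize(results: list) -> dict:
    """Attempts, successes, failures and the slowest successful connect."""
    ok = [r for r in results if r["ok"]]
    return {
        "attempts": len(results),
        "ok": len(ok),
        "failed": len(results) - len(ok),
        "max_seconds_ok": max((r["seconds"] for r in ok), default=0.0),
    }


def run_load(host: str, rounds: int, ports=SERVICE_PORTS, workers: int = 4,
             timeout: float = 2.0) -> dict:
    """Run the planned attempts through a bounded worker pool and summarize.

    `workers` caps concurrency so the test host itself is not the bottleneck;
    raise it gradually while watching the firewall's own counters.
    """
    targets = plan_targets(host, rounds, ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda t: connect_once(t[0], t[1], timeout), targets))
    return summarize(results)


def self_test(rounds: int = 5) -> dict:
    """Offline check: run the load generator against a listener on 127.0.0.1."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(64)
    srv.settimeout(0.5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue          # nothing yet; check again
            except OSError:
                return            # listener closed: we are done
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    try:
        return run_load("127.0.0.1", rounds, ports=(port,), workers=3)
    finally:
        srv.close()


if __name__ == "__main__":
    print(self_test())
    # Against a real firewall, from an outside host (placeholder name):
    # print(run_load("fw-outside.example.invalid", rounds=100, workers=8))
```

The summary's `failed` count and `max_seconds_ok` are the numbers worth graphing against the firewall's own connection counters while `rounds` and `workers` are raised step by step; a jump in failures or latency before the firewall reports saturation usually means the test host, not the firewall, is the limit, which is exactly the overload Daniel warns about.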