From firewalls-owner Wed Apr 1 00:18:10 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA23352; Tue, 31 Mar 1998 12:21:23 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id TAA02920 for ; Mon, 30 Mar 1998 19:28:24 -0800 (PST)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.8.5/8.8.5) with SMTP id TAA05087 for ; Mon, 30 Mar 1998 19:30:53 -0800 (PST)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id IAA14035; Mon, 30 Mar 1998 08:17:39 -0500
Date: Mon, 30 Mar 1998 08:17:35 -0500 (EST)
From: Rabid Wombat
To: Michael Meyer LJO
cc: "'shimons@bll.co.il'" , "'firewalls@greatcircle.com'"
Subject: Re: FW: IPX through a firewall
In-Reply-To: <3B5286C7DE27D111B6CB0000F822C74B013352BA@lkgexc2.bb.dec.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Letting UDP through firewalls is generally a bad idea.

On Mon, 30 Mar 1998, Michael Meyer LJO wrote:

> Dear Sir or Madam:
> Please read RFC1234 located at
> http://www.cis.ohio-state.edu/htbin/rfc/rfc1234.html
>
> This memo describes a method of encapsulating IPX datagrams within UDP
> packets so that IPX traffic can travel across an IP Internet.
> Sincerely,
> Michael C. Meyer
> AltaVista Technical Support
> altavista-support@digital.com
> http://support.altavista-software.com/
>
> Use web site for immediate partner support.
>
>
> -----Original Message-----
> From: Michael Meyer LJO
> Sent: Monday, March 30, 1998 2:09 PM
> To: 'shimons@bll.co.il'
> Cc: 'firewalls@greatcircle.com'
> Subject: IPX through a firewall
>
> Dear Sir or Madam:
> There are few IPX firewalls out there so you would probably be
> better served using an IP firewall. Send your IPX to an IP gateway then to
> your firewall. Your best bet would be to use Novell NetWare 5.0 with native
> IP support. See LAN Times, March 16, 1998. Even though Novell has offered an
> IP-based solution for some time with NetWare/IP, that solution merely
> "wrapped" the NetWare IPX traffic in IP clothes.
> Sincerely,
> Michael C. Meyer
> AltaVista Technical Support
> altavista-support@digital.com
> http://support.altavista-software.com/
>
> Use web site for immediate partner support.
>
> Date: Wed, 25 Mar 1998 13:24:51 +0000
> From: shimons@bll.co.il
> Subject: IPX through a firewall
>
> If I need to transport the IPX protocol through a firewall, what would be
> the pros and cons (security wise) of the following options:
> 1. route IPX through the firewall, ignoring it completely.
> 2. route IPX through a separate router and use the router's ACL
> 3. use an IPX firewall (anyone has recommendations/horror stories?)
>
> pls. CC me as I only read the digest form of the list
> TIA, Shimon Silberschlag
>

From firewalls-owner Wed Apr 1 01:55:43 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA24375; Tue, 31 Mar 1998 12:28:20 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id JAA04745 for ; Tue, 31 Mar 1998 09:46:06 -0800 (PST)
Received: from siren.shore.net (siren.shore.net [207.244.124.5]) by miles.greatcircle.com (8.8.5/8.8.5) with SMTP id JAA22421 for ; Tue, 31 Mar 1998 09:48:35 -0800 (PST)
Received: from vin.shore.net ([198.115.179.81]) [198.115.179.81] by siren.shore.net with esmtp (Exim) id 0yK5AP-0001fc-00; Tue, 31 Mar 1998 12:49:46 -0500
X-Sender: vin@shell1.shore.net
Message-Id:
In-Reply-To:
Mime-Version: 1.0
Content-Type: text/enriched; charset="us-ascii"
Date: Tue, 31 Mar 1998 12:49:22 -0500
To: Perry
From: Vin McLellan
Subject: Re: Laptop security / CMW variants
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Perry <
queries the List:

>1) Can anyone recommend a laptop security product that supports full disk
>encryption via a pcmcia card, a bonus would be VPN support for remote
>authentication issues. I have reviewed PC/DACS over the past week which
>is a software encryption/access control package, but the encryption
>segment leaves a lot to be desired security wise (not to mention that the
>product sucks).

Check out: <

I just picked this announcement up off Bizwire.

Suerte,
_Vin

----
Kasten Chase Applied Research Limited (TSE-KCA) today announced a joint sales and marketing agreement with SPYRUS, a leading electronic commerce company based in San Jose, California, to provide high performance, high security cryptographic technology as part of the world's first PCMCIA FORTEZZA(R)-based secure remote access solution for government agencies.

Under the agreement, SPYRUS has developed a FORTEZZA(R)-enabled version of its proprietary Locksmith software application and its LYNKS Privacy Card(tm) for use with Kasten Chase's remote access products. Kasten Chase will deliver secure remote access solutions that include the SPYRUS family of hardware and software products. The SPYRUS products, bundled into the offering, will add desktop protection functionality to the solution that already provides authentication and encryption technology.

"Our partnership with SPYRUS is an example of our commitment to offer a total secure access solution to the government and financial markets," said Steve Ducat, vice president of sales for Kasten Chase. "Our partnership with SPYRUS, a leader in cryptographic desktop technology, adds important media encryption capabilities to our existing security portfolio, thereby positioning our offering to become the de facto standard for FORTEZZA(R)-based secure remote access."

SPYRUS has developed a customized FORTEZZA(R)-based version of its Locksmith(tm) media encryption software for use with Kasten Chase's OPtiva Secure Plus. Locksmith adds another layer of security features to a remote access application by combining a personal identification number (PIN) with the SPYRUS PCMCIA-compliant LYNKS Privacy Card. LYNKS Privacy Cards enable security-critical capabilities -- user authentication, message privacy, message integrity authentication, and secure storage -- for a FORTEZZA(R)-based media encryption solution.

"SPYRUS is leading the e-commerce industry in FORTEZZA(R)-based hardware and software solutions for high performance, high assurance Internet data access and security solutions," said Charlie Scruggs, director of sales for SPYRUS. "Remote access security is becoming an increasing problem for companies, with over 14 million people working from home or remote locations in the United States alone. With solutions such as those developed by SPYRUS and Kasten Chase, the travelling road warrior will no longer need to be concerned about the loss of a laptop computer and the potential damage resulting from misuse of critical corporate information."
<
---------------

>2) Has anyone done a comparison between the different MLS and/or CMW
>oriented OS' (ie Trusted Solaris, HPUX CMW, OSF CMW)? Any information
>would be greatly appreciated.

I too would be interested if you find a good repository for this sort of comparative info. You might check out the Dockmaster discussion groups. Contact the NISSC office at the NSA to arrange for access.

-----
"Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill... yet basically an intellectual construct, an idea, which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege." _ A thinking man's Creed for Crypto/ vbm.
* Vin McLellan + The Privacy Guild + <
* 53 Nichols St., Chelsea, MA 02150 USA <<617> 884-5548

From firewalls-owner Wed Apr 1 02:34:21 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA26565; Tue, 31 Mar 1998 22:14:42 -0800 (PST)
Received: from mesache.encomix.es (mesache.encomix.es [194.143.192.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id WAA26533 for ; Tue, 31 Mar 1998 22:14:28 -0800 (PST)
Received: (qmail 2500 invoked from network); 1 Apr 1998 06:16:35 -0000
Received: from hell.encomix.es (HELO encomix.es) (root@194.143.192.22) by mesache.encomix.es with SMTP; 1 Apr 1998 06:16:35 -0000
Message-ID: <3521DBD2.B29513E0@encomix.es>
Date: Wed, 01 Apr 1998 08:16:50 +0200
From: Roman Ramirez
Organization: EncomIX
X-Mailer: Mozilla 4.04 [en] (X11; I; Linux 2.1.91 i586)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: Questions about ICMP
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello:

I have some questions about ICMP filtering: what kind of icmp packets should I filter?

In other words, what icmp options can I permit in packets?

I'm seeking a RESTRICTIVE policy, but I need to let ping and traceroute get out and in...

Thx in advance

--
http://www.encomix.es/users/patowc
mailto://rramirez@encomix.es

From firewalls-owner Wed Apr 1 05:05:05 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA21957; Tue, 31 Mar 1998 12:13:42 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id JAA02101 for ; Tue, 31 Mar 1998 09:30:12 -0800 (PST)
Received: from cs.weber.edu ([137.190.16.18]) by miles.greatcircle.com (8.8.5/8.8.5) with SMTP id JAA21503 for ; Tue, 31 Mar 1998 09:03:52 -0800 (PST)
Received: from icarus.weber.edu (cs.weber.edu) by cs.weber.edu (4.1/SMI-4.1.1) id AA05287; Tue, 31 Mar 98 10:00:13 MST
Received: by icarus.weber.edu (SMI-8.6/SMI-SVR4) id KAA19538; Tue, 31 Mar 1998 10:10:34 -0700
Date: Tue, 31 Mar 1998 10:10:33 -0700 (MST)
From: Henry Hertz Hobbit
To: Robert Ludwig
Cc: "'Firewall'"
Subject: Re: Ammunition, please
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 30 Mar 1998, Robert Ludwig wrote:

> In fifteen years of security consulting, I have never
> been to a site that allowed passwords to age more than 30
> days (on the theory that a moving target is harder to hit).
> The idea that since a user's password has been compromised
> it should be allowed to remain compromised is equivalent to
> saying that since someone has shoplifted something from a store
> once, that store should simply leave its doors unlocked forever.
> Advice that I find is beyond idiotic and well into irresponsible.

No problem with the first idea, but I have a brother who, after seeing so many break-ins in the homes in his area, finally stopped locking the door to his house. His reasoning?
Almost any drug addict or pervert that is going to break in is going to find a very friendly Golden Retriever (way too friendly to people to be a watch-dog, but Doberman and German Shepherd owners beware - the ones Barney had a scrap with came out the losers). My brother's view was that he would rather have them take the stuff and NOT break in his $500 door. But then he subscribes to my philosophy that less is frequently more - Zen idea. Hmm, maybe that means that there is a market for stolen doors?

HHH

PS No, most of the people I meet are quite friendly and my experience is not that they are ALL out to get you. Even many hackers have their own code of ethics - no schools, etc.

From firewalls-owner Wed Apr 1 05:19:40 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA21745; Tue, 31 Mar 1998 12:12:03 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id DAA14629 for ; Tue, 31 Mar 1998 03:21:10 -0800 (PST)
Received: from giav05.gia.ch (giav05.gia.ch [193.222.224.32]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id DAA19137 for ; Tue, 31 Mar 1998 03:23:36 -0800 (PST)
X-Envelope-To:
Received: from giav08.gia.ch(193.222.224.16) by giav05.gia.ch via smap (V2.0beta) id xma028012; Tue, 31 Mar 98 13:24:32 +0200
Received: from mmdlt002.m-m.ch ([193.222.225.50]) by giau001.gia.ch (8.8.5/8.8.5) with ESMTP id NAA32563 for ; Tue, 31 Mar 1998 13:24:32 +0200 (MET DST)
Received: by MMDLT002 with Internet Mail Service (5.0.1458.49) id ; Tue, 31 Mar 1998 13:24:31 +0200
Message-ID:
From: "Berchtold Patrick (GIAPBE)"
To: "'Taufik Islam'" , "Firewalls Mailing List (E-Mail)"
Subject: AW: Sniffer
Date: Tue, 31 Mar 1998 13:24:28 +0200
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Windows NT's own network monitor is doing quite a good job. Its restriction is that it only records packets that are addressed to or from that host. Say, if you run it on host myhost.foo.bar, you can only see packets that are sent to or from myhost.foo.bar, but not any "3rd party packets", e.g. from host1.foo.bar to host2.foo.bar.

The network monitor included in MS SMS is basically the same, but without that boring restriction.

The most powerful monitor I know is Sniffer (former NetXRay) from Network Associates. It is easily scalable for your specific needs. See http://www.nai.com/ for more.

Another monitor I once heard about is NetAnt from People Network. See http://www.people-network.com/netant.htm for info.

But if you have a Linux box at hand I would rather use tcpdump than those above. It's powerful, easy to use and free.

Patrick

> -----Original Message-----
> From: Taufik Islam [SMTP:Tislam@acaonline.org]
> Sent: Friday, 27 March 1998 23:21
> To: Firewalls@GreatCircle.COM
> Subject: Sniffer
>
> Is there a good Packet sniffer that runs on NT 4.0?
> Please help me with any information you may have
> Thanks
>
> If you know of any good packet sniffer for UNIX please let me know
> also.
>
> Taufik Islam
> Network Engineer, ACA

From firewalls-owner Wed Apr 1 06:36:25 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA22720; Tue, 31 Mar 1998 12:17:48 -0800 (PST)
Received: from ee.net (ee.net [206.31.38.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id TAA07853 for ; Mon, 30 Mar 1998 19:53:26 -0800 (PST)
Received: from squirrel.interhack.net (modem163.columbus.ee.net [209.51.204.163]) by ee.net (8.8.5/8.8.5) with SMTP id XAA27204; Mon, 30 Mar 1998 23:00:34 -0500 (EST)
Message-Id: <3.0.1.32.19980330225327.02fa6a7c@ee.net>
X-Sender: clydew@ee.net
X-Mailer: Windows Eudora Light Version 3.0.1 (32)
Date: Mon, 30 Mar 1998 22:53:27 -0500
To: quiksilver
From: Clyde Williamson
Subject: Re: cable modem security
Cc: firewalls@GreatCircle.COM
In-Reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

There is a secure shell client for NT and Win 95 free at:
http://www.hadiko.de/tutorien/benutzerbetreuung/Betreuung/Anleitungen/freesshwin.html

The page is in German but you can use babelfish.altavista.digital.com to translate.

Hint: use build 3298059 and cryptlib 1.00 with the patch... all other builds seem to crash when they disconnect.... But I've got it working great.

At 21:07 03/30/1998 -0500, you wrote:
>well, if you were using unix, you could install Secure Shell. It
>encrypts telnet sessions.
>
>On Mon, 30 Mar 1998, Brett Mayer wrote:
>
>> >From what I've heard, the cable modem runs over the existing cable TV lines strung throughout your area. Anyone with a packet sniffer can tap in and see all transmissions. There is a great article about it in 2600 (the one with the orangutan on the cover)
>>
>>
>>
>>
>>
>> >I have just installed a cable modem from the @home network to a single
>> >machine running NT 4.0 SP3.
>> >It provides REALLY GREAT performance, but I
>> >cannot get any support from @home about security.
>> >
>> >I only plan to run Netscape, and read mail and news groups. What can I do
>> >to protect data on this machine from security risks?
>> >
>> >Ned
>>
>>
>> Brett Mayer
>> ESM-Tivoli
>> GMAC\RFC
>> (612)832-7148
>>
>>
>>
>
>
>

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBNSBopseWPtttGqZhAQFUmwf/XAyQW3eQKFZVNdXy48dH8j16Ck5I6QpN
FcUVyKW/A9+m8C247kq5DhgrKXrhYXMqa0diGUtLksHTNI4ItW7wjECOsAmMLy6k
ycd07kmFF5WH/34YVbKQOZjZcNJ74p5HQGQ519Cl0sZjw5wJ2OPlOqr+TIDqjgK+
FHieDnyUw8v/LLeY5zPH8uBUCH29kpBos1Za0MysQPABi1hcd8j6THMwwdFuyPYH
YNax3jhSS8OAbRiIQqwleRpg2jsC2lT9F71tR5Bp8Acis2iXhytuGuEMhC/TKHd0
F7obT8WH5l3C6FXuoS+m6ACV/SPYZ08IW8ig+PHjLPxM54c4VLL+SA==
=h7/x
-----END PGP SIGNATURE-----

Clyde Williamson
PGP Public Key found at: http://users1.ee.net/clydew/pgp.htm
--------------------------------------------
Quidquid latine dictum sit, altum viditur. |
(Anything in Latin sounds profound.)
|
--------------------------------------------

From firewalls-owner Wed Apr 1 06:37:57 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA07365; Wed, 1 Apr 1998 03:42:57 -0800 (PST)
Received: from monsoon.dial.pipex.net (monsoon.dial.pipex.net [158.43.128.69]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id DAA07320 for ; Wed, 1 Apr 1998 03:42:44 -0800 (PST)
From: BrianM@dial.pipex.com
Received: (qmail 2056 invoked from network); 1 Apr 1998 11:46:52 -0000
Received: from brianm2.cims.co.uk (HELO brianm2) (194.73.141.14) by smtp.dial.pipex.com with SMTP; 1 Apr 1998 11:46:52 -0000
Reply-To:
To:
Subject: Cisco Router Config
Date: Wed, 1 Apr 1998 13:50:15 +0100
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: base64
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Importance: Normal
Disposition-Notification-To: "Brian Murphy"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi All (Again)
	Enclosed please find a sample (factious) router config, assuming the following situation, eth0:connection to firewall ser0:leased line to internet, 192.168.0.2 is firewall, 192.168.0.3 and .4 are management stations, should this config prevent DoS attacks, IP spoofing, and be generally secure?  I know that there is no routing etc etc (I just did this in notepad!!)

Thanks

Brian Murphy
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no service finger
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption

enable password enable

username manager password 7 letmein

snmp-server community public RO 1
snmp-server community private RW 1
no snmp-server trap-authentication

interface ethernet0
ip address 192.168.0.1 255.255.255.0
ip access-group 101 in
ip access-group 111 in

interface serial0
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
ip access-group 111

access-list 1 permit 192.168.0.2
access-list 1 permit 192.168.0.3
access-list 1 permit 192.168.0.4

access-list 12 permit 192.168.0.2 255.255.255.255
access-list 12 permit 192.168.0.3 255.255.255.255
access-list 12 permit 192.168.0.4 255.255.255.255
access-list 12 deny ip any any log

access-list 51 deny 0.0.0.0 255.255.255.255

access-list 101 deny tcp 192.168.0.1 0.0.0.0 192.168.0.1 0.0.0.0 log
access-list 101 deny tcp 192.168.1.1 0.0.0.0 192.168.1.1 0.0.0.0 log
access-list 101 deny tcp any any any any eq 53
access-list 101 deny udp any any any any eq 69
access-list 101 deny tcp any any any any eq 87
access-list 101 deny tcp any any any any eq 111
access-list 101 deny udp any any any any eq 111
access-list 101 deny udp any any any any eq 2049
access-list 101 deny tcp any any any any eq 512
access-list 101 deny tcp any any any any eq 513
access-list 101 deny tcp any any any any eq 514
access-list 101 deny tcp any any any any eq 515
access-list 101 deny tcp any any any any eq 540
access-list 101 deny tcp any any any any eq 2000
access-list 101 deny udp any any any any eq 2000
access-list 101 deny tcp any any any any eq 2001
access-list 101 deny udp any any any any eq 2001
access-list 101 deny tcp any any any any eq 6000
access-list 101 deny udp any any any any eq 6000
access-list 101 deny tcp any any any any eq 6001
access-list 101 deny udp any any any any eq 6001
access-list 101 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 established
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

access-list 111 deny ip 192.168.0.0 0.0.0.255 0.0.0.0 255.255.255.255 log
access-list 111 deny ip 192.168.1.0 0.0.0.255 0.0.0.0 255.255.255.255 log
access-list 111 permit ip 192.168.0.0 0.0.2.255 any
access-list 111 deny ip any any log

line console 0
login
password hello
exec-timeout 1 30

line aux 0
access-class 51 in

line vty 0 4
access-class 12 in
login
password hello

From firewalls-owner Wed Apr 1 06:53:16 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA15378; Tue, 31 Mar 1998 18:45:15 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id XAA15588 for ; Mon, 30 Mar 1998 23:34:34 -0800 (PST)
From: amir.ameri@zurich.com
Received: from ZURICH.COM ([195.28.226.41]) by miles.greatcircle.com (8.8.5/8.8.5) with SMTP id XAA11613 for ; Mon, 30 Mar 1998 23:36:44 -0800 (PST)
Received: from ZurichNotes.com ([172.29.6.228]) by ZURICH.COM (Soft-Switch LMS 2.0) id 0049600001446180; Tue, 31 Mar 1998 09:36:24 +0200
Received: by ZurichNotes.com(Lotus SMTP MTA SMTP v4.6 (462.2 9-3-1997)) id C12565D8.002F574B ; Tue, 31 Mar 1998 09:37:05 +0100
Date: Tue, 31 Mar 1998 08:37:13 +0100
To:
Subject: Re: Security Policy
Message-ID:
X-Lotus-FromDomain: ZURICH
Original-Content-Type: text/plain; charset=us-ascii
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Charles, the best source I have so far come across (I wish I had known of it 8 months ago and could have saved literally thousands of dollars multiplied) is a book by Charles Cresson Wood titled Information Security Policies Made Easy, ISBN 1-881585-04-2, Web site: http://www.baselinesoft.com. I could simply say, I don't know of anything comparable to it (I am talking from a customer's perspective). You get a book and a CD containing all the information, which you simply cut and paste!

Amir Ameri
ZURINET Security Manager

From firewalls-owner Wed Apr 1 07:25:45 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA20961; Wed, 1 Apr 1998 06:47:48 -0800 (PST)
Received: from portal.east.saic.com (Portal.East.saic.com [198.151.13.15]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id GAA20784 for ; Wed, 1 Apr 1998 06:47:15 -0800 (PST)
Received: from blazer.cist.saic.com by portal.east.saic.com via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 1 Apr 1998 14:51:22 UT
Received: from obiwan (unverified [149.8.156.16]) by blazer.cist.saic.com (EMWAC SMTPRS 0.83) with SMTP id ; Wed, 01 Apr 1998 09:53:58 -0500
From: "Chris Kostick"
To: "Roman Ramirez" ,
Subject: Re: Questions about ICMP
Date: Wed, 1 Apr 1998 09:53:40 -0500
Message-ID: <01bd5d7d$f5a86170$109c0895@obiwan.cist.saic.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.71.1712.3
X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>I have some questions about ICMP filtering, what kind of icmp packets
>should I filter?
>
>In other way, what icmp options can I permit in packets?

First of all you have to have a device capable of making decisions that includes information about the interface a packet came in on. In most terms, the Internal or External interface. This allows you to differentiate the direction of ICMP Requests and Replies. Usually, requests going out and replies coming in are good. The other direction is not so good.

Second, you don't want to allow ICMP without some type of state kept about the traffic. For example, if an ICMP "network unreachable" message is received, was there an earlier connection (existing or established) from the identified source to that destination network? If so, allow it through.
Otherwise assume it's bogus and drop it.

>Im seeking for a RESTRICTIVE policy, but I need to let ping and
>traceroute get out and in...

Letting ping and traceroute in AND out is not a good idea. At the very least base the decision on the direction of the packet and the ICMP type. In the case of ping, allow the Request to go out and the Reply to come back, but not the reverse. In the case of traceroute, allow ICMP time-exceeded messages to come in.

--
Chris

From firewalls-owner Wed Apr 1 07:54:35 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA15463; Tue, 31 Mar 1998 18:46:55 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id UAA10358 for ; Mon, 30 Mar 1998 20:07:54 -0800 (PST)
Received: from imo20.mx.aol.com (imo20.mx.aol.com [198.81.17.42]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id UAA07319 for ; Mon, 30 Mar 1998 20:10:11 -0800 (PST)
Received: from BUTCHER56@aol.com by imo20.mx.aol.com (IMOv13.ems) id 9MZKa04942; Mon, 30 Mar 1998 22:38:44 -0500 (EST)
From: BUTCHER56
Message-ID: <2bcaadbe.35206546@aol.com>
Date: Mon, 30 Mar 1998 22:38:44 EST
Mime-Version: 1.0
Subject: Hi I want to meet you im a model!
Content-type: multipart/mixed; boundary="part0_891315524_boundary"
X-Mailer: AOL 2.5 for Windows sub 2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is a multi-part message in MIME format.

--part0_891315524_boundary
Content-ID: <0_891315524@inet_out.mail.aol.com.1>
Content-type: text/plain; charset=US-ASCII

--part0_891315524_boundary
Content-ID: <0_891315524@inet_out.mail.aol.com.2>
Content-type: message/rfc822
Content-transfer-encoding: 7bit
Content-disposition: inline

From: BUTCHER56
Return-path:
To: BUTCHER56@aol.com
Subject: Hi I want to meet you im a model!
Date: Mon, 30 Mar 1998 22:21:48 EST
Organization: AOL (http://www.aol.com)
Mime-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7bit

Come to my home and get inside and you will seem! click here

--part0_891315524_boundary--

From firewalls-owner Wed Apr 1 08:39:23 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA18710; Tue, 31 Mar 1998 13:58:48 -0800 (PST)
Received: from ns.telegroup.com (ns.telegroup.com [208.219.0.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id NAA18380 for ; Tue, 31 Mar 1998 13:57:42 -0800 (PST)
Received: from radius.telegroup.com (radius.telegroup.com [208.219.5.2]) by ns.telegroup.com (8.8.5/8.8.5) with ESMTP id QAA03644; Tue, 31 Mar 1998 16:00:13 -0600 (CST)
Received: from mandrake.telegroup.com (macke@mandrake.telegroup.com [208.219.1.177]) by radius.telegroup.com (8.8.5/8.8.3) with SMTP id QAA01084; Tue, 31 Mar 1998 16:01:23 -0600 (CST)
Date: Tue, 31 Mar 1998 16:01:23 -0600 (CST)
From: Brian Macke
Reply-To: bmacke@telegroup.com
To: Roland Mueller
cc: lpchiew@pc.jaring.my, Firewalls@GreatCircle.COM
Subject: Re: Updated rfc1244?
In-Reply-To: <35209020.3535@debis.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Damn.. all these responses.. I thought I was the only one that actually read the RFC. How many places actually use it as an SOP for their environments?

On Tue, 31 Mar 1998, Roland Mueller wrote:

> griffin wrote:
> >
> > Hi!
> >
> > I remembered reading somewhere that the RFC1244
> > was to be replaced by a new rfc. Anyone knows
> > what that is?
> >
> > Thanks.
> >
> > Grif.
> You are right, the new site security handbook is RFC 2196
> regards
> Roland
> --
> _________________________________________________________
> Roland Mueller
> Daimler-Benz AG
> Bereich Datenschutz
> HPC 0179
> 70546 Stuttgart
> Tel. (+49) 711-972-2328 Fax.
> (+49) 711-972-1918
> e-mail: rmueller@debis.com
>

-Brian James Macke
macke@telegroup.com
Unix SysAdmin/Security Specialist
Telegroup, Inc.
"In order to get that which you wish for, you must first get that which builds it." -- Unknown

From firewalls-owner Wed Apr 1 08:39:30 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA13689; Tue, 31 Mar 1998 16:53:08 -0800 (PST)
Received: from engine3-dc.wdc.cwi.net (engine3-dc.wdc.cwi.net [205.136.1.212]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id QAA13326 for ; Tue, 31 Mar 1998 16:51:59 -0800 (PST)
Received: from firewall1.contcirc.com ([206.142.48.2]) by engine3-dc.wdc.cwi.net (Post.Office MTA v3.1.2 release (PO203-101c) ID# 100-36394U2500L250S0) with SMTP id AAA18873 for ; Tue, 31 Mar 1998 19:50:19 -0500
Received: from circuit by firewall1.contcirc.com (5.x/SMI-SVR4) id AA21782; Tue, 31 Mar 1998 17:55:28 -0700
Received: from pxc3sc302.contcirc.com by circuit (4.1/SMI-4.1) id AA05417; Tue, 31 Mar 98 16:54:41 MST
Received: from ccMail by pxc3sc302.contcirc.com (ccMail Link to SMTP R8.00.00) id AA891395885; Tue, 31 Mar 98 17:58:08 -0700
Message-Id: <9803318913.AA891395885@pxc3sc302.contcirc.com>
X-Mailer: ccMail Link to SMTP R8.00.00
Date: Tue, 31 Mar 98 17:55:32 -0700
From: "Danny Johnson"
To:
Subject: Re: cable modem security
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I think that's a little outdated. The cable modem (for @home anyway) runs on its own fiber optic line which goes somewhere near your major cross streets. Then a coax line is run down your street, from which all the users are strung with coax leading to each house. This is a separate line from your TV cable.

Before (I'm not sure how long ago), if you had file and print sharing turned on in win95 then it would be possible for anyone on your street line to view your hard drive by simply using the network neighborhood icon. Most modems today don't allow that even if you have file/print sharing on, I believe, especially the ones @home uses (Motorola and Lancity).

As far as using a sniffer, I'm not sure as to what is vulnerable. The sniffer would have to be set up on the same street line to work. But this would only affect the transfer of information, not the data stored on your computer, which is what you were asking about. If the modem was hooked up directly to a hub there might be some security compromise as well.

If you're really paranoid or you network multiple computers from your @home connection, consider using some firewall software for use on PCs like pc-firewall or something similar.

This is what I have understood, no correctness guarantee here.

dj

______________________________ Reply Separator _________________________________
Subject: cable modem security
Author: "Brett Mayer" at internet
Date: 3/30/98 5:40 PM

>From what I've heard, the cable modem runs over the existing cable TV lines strung throughout your area. Anyone with a packet sniffer can tap in and see all transmissions. There is a great article about it in 2600 (the one with the orangutan on the cover)

>I have just installed a cable modem from the @home network to a single
>machine running NT 4.0 SP3. It provides REALLY GREAT performance, but I
>cannot get any support from @home about security.
>
>I only plan to run Netscape, and read mail and news groups. What can I do
>to protect data on this machine from security risks?
>
>Ned

Brett Mayer
ESM-Tivoli
GMAC\RFC
(612)832-7148

From firewalls-owner Wed Apr 1 09:06:44 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA08834; Wed, 1 Apr 1998 08:13:43 -0800 (PST)
Received: from wizard.routers.com (wizard.routers.com [206.222.193.66]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id IAA08795 for ; Wed, 1 Apr 1998 08:13:30 -0800 (PST)
Received: from adat0pc.routers.com (adat0pc.routers.com [206.222.193.74]) by wizard.routers.com (8.8.3/8.8.3) with SMTP id KAA01873 for ; Wed, 1 Apr 1998 10:17:44 -0600 (CST)
Date: Wed, 1 Apr 1998 10:09:45 -0600
From: Todd Adamson
Subject: Re: Sniffer (NetXray)
To: firewalls@GreatCircle.com
X-Mailer: Z-Mail Pro 6.1 (Win32 - 021297), NetManage Inc.
X-Priority: 3 (Normal)
References:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=ISO-8859-1
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have been using the NetXray product since about the time that they were purchased by NGC (now NAI). The only negative items that I can say about it are:

(1) You have to be careful with the NIC card that you use. Because NetXray uses the NDIS driver from Windows or from a manufacturer, not all of the level 1 errors can be seen, i.e. collisions, runts and so forth. If you have the choice, look over their list of suggested NIC cards.

(2) I sometimes miss the Expert analysis of the Sniffer product during capture. The good part is that the traces from NetXray can be saved in Sniffer format to get that analysis when you need it.

Todd Adamson
ta@mgmtcomm.com
adat0@routers.com

> Windows NT's own network monitor is doing quite a good job. Its
> restriction is that it only records packets that are addressed to or
> from that host.
> Say, if you run it on host myhost.foo.bar, you can only
> see packets that are sent to or from myhost.foo.bar, but not any "3rd
> party packets", e.g. from host1.foo.bar to host2.foo.bar
>
> The network monitor included in MS SMS is basically the same, but
> without that boring restriction.
>
> The most powerful monitor I know is Sniffer (former NetXRay) from
> Network Associates. It is easily scalable for your specific needs. See
> http://www.nai.com/ for more.
>
> Another monitor I once heard about is NetAnt from People Network. See
> http://www.people-network.com/netant.htm for info.
>
> But if you have a Linux box at hand I would rather use tcpdump than
> those above. It's powerful, easy to use and free.
>
> Patrick
>
> > Is there a good packet sniffer that runs on NT 4.0?
> > Please help me with any information you may have
> > Thanks
> >
> > If you know of any good packet sniffer for UNIX please let me know
> > also.
> >
> > Taufik Islam
> > Network Engineer, ACA

From firewalls-owner Wed Apr 1 09:20:00 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA18278; Wed, 1 Apr 1998 09:01:10 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id JAA17966 for ; Wed, 1 Apr 1998 09:00:07 -0800 (PST)
Received: from relay2.mail.uk.psi.net (relay2.mail.uk.psi.net [154.32.107.6]) by miles.greatcircle.com (8.8.5/8.8.5) with SMTP id IAA08472 for ; Wed, 1 Apr 1998 08:34:43 -0800 (PST)
Received: from ([193.114.35.5]) [193.114.35.5] by relay2.mail.uk.psi.net with smtp (Exim 1.82 #2) id 0yKQUV-0001Le-00; Wed, 1 Apr 1998 17:35:55 +0100
Received: from staines-mime.trading.centrica.com by [193.114.35.5] via smtpd (for relay2.mail.uk.psi.net [154.32.107.6]) with SMTP; 1 Apr 1998 16:32:13 UT
Received: from staines-ex01.trading.centrica.com (unverified [128.1.144.1]) by staines-mime.trading.centrica.com (Integralis SMTPRS 2.04) with ESMTP id ; Wed, 01 Apr 1998 17:35:13 +0100
Received: by staines-ex01.trading.centrica.com with Internet Mail Service (5.5.1960.3) id ; Wed, 1 Apr 1998 17:35:22 +0100
Message-Id: <3E60782BD6C5D111ADD100805F8B824E8158@staines-ex01.trading.centrica.com>
From: Steve Pearse
To: "'Andrew Cameron'"
Cc: "'firewalls@greatcircle.com'"
Subject: RE: Raptor.
Date: Wed, 1 Apr 1998 17:35:16 +0100
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Yes, we took off reverse lookups before. We found that Raptor NT is indeed FAST :). Our problem was that we use NT authentication, and somehow the WINS was doing a broadcast, not a point to point; we changed that, and wammo, it's warp factor 10 :)

Thanks all for the hints.

-----Original Message-----
From: Andrew Cameron [mailto:andrew@andy.alt.za]
Sent: Tuesday, March 31, 1998 9:54 PM
To: Steve Pearse
Cc: firewalls@greatcircle.com
Subject: Raptor.

I do not have any performance problems; in fact we find it very fast. Most performance problems seem to be with incorrectly configured DNS. Try disabling reverse lookups and see if this helps.

Steve Pearse
Subject: RAPTOR performance

We seem to be experiencing performance problems with Raptor. We have around 300 users going through one NT/Compaq 5000/Raptor box (concurrently probably less than 100) and compared to our old Borderware proxy, it appears slow. Is this the experience of others here? Should we have used Unix? We are an NT shop, and like the ease of admin of the NT accounts; are there better performing firewalls that also use the NT SAM?
thanks for any advice

-----------------------------------------------------------------------------
Andrew Cameron
Internet : andrew@andy.alt.za
X.400 : C=ZA G=Andrew S=Cameron Admd=TELKOM400
----------------------------------------------------------------------------

From firewalls-owner Wed Apr 1 09:34:24 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA11080; Wed, 1 Apr 1998 08:26:15 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id IAA10968 for ; Wed, 1 Apr 1998 08:25:44 -0800 (PST)
Received: from zeke.gov.yk.ca ([199.247.128.34]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id IAA08358 for ; Wed, 1 Apr 1998 08:28:01 -0800 (PST)
Received: by zeke.gov.yk.ca; id IAA09180; Wed, 1 Apr 1998 08:29:17 -0800 (PST)
Received: from unknown(199.247.130.34) by zeke.gov.yk.ca via smap (4.1) id xma009094; Wed, 1 Apr 98 08:28:36 -0800
Received: from 185580 ([199.247.134.102]) by raptor.gov.yk.ca with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.1960.3) id H7VN6XJV; Wed, 1 Apr 1998 08:28:35 -0800
Message-Id: <1.5.4.32.19980401162836.0096e910@mailhost.gov.yk.ca>
X-Sender: ynet\kwiat\larry.kwiat@mailhost.gov.yk.ca
X-Mailer: Windows Eudora Light Version 1.5.4 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 01 Apr 1998 08:28:36 -0800
To: Vin McLellan , "Paul D. Robertson"
From: Larry Kwiat
Subject: Re: Ammunition, please
Cc: Jesse Brown , firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>> I think the only real solution is a physical security device (say
>>> SecureID) that also takes into account biometrics (retinal scans, finger
>>> prints, etc.). Passwords are too easy to guess.
>
> Paul D. Robertson responded with an
> uncharacteristically bloody vision:
>
>> It's hard enough to get users to take care of laptops, with biometrics,
>> now I have to worry about them taking care of their body parts?
>>
>> Guido the denial-of-service expert will be closing down your access
>> temporarily...
>
> Guido and his buddy Mac the Knife don't have to go that far today.

One of the difficulties of the security business is the hype. People get influenced by the James Bond-Saves-The-World mentality. It is far better to keep it simple. In saying the following, I may have erred even on the side of complication.

The subject here is risk management. If you "wire" the people to the boxes, you make it worth the risk to take the person with the box. You change the shape of the window of possibility for the perpetrator, but you don't substantially change the situation. Banks have had this problem for years over other types of access issue.

Ideally, risks should be parcelled out as a management strategy. When you allow them to aggregate, your risk-management picture is progressing toward getting out of hand. That is not supportable in good risk management, if there are no potential gains. I don't count increasing the risk exposure on human life and limb in order to "raise the ante" and maybe create very temporary deterrence as a gain of anything substantial.

A person might examine the risk parcels... Remember, the parcels should be kept separate and managed that way for least risk in general.

Parcel: the laptop or other net access device in personal care.
Parcel: the key to the laptop, physical or logical, in personal care.
Parcel: the owner.
Parcel: the network. (this should also be separated out into parcels, I simplify)
etc.

To allow the physical attributes of the person to become a completely necessary part of the access system is to marry two of the parcels. This is not a real good idea.

...my two cents' worth anyway...

L.
Sincerely,

Larry Kwiat
Security Coordinator
Government of Yukon
Larry.Kwiat@gov.yk.ca
Phone: (867) 667-8081

From firewalls-owner Wed Apr 1 11:16:09 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA05383; Wed, 1 Apr 1998 10:25:17 -0800 (PST)
Received: from pascamail-2.pmi (mail.citysearch.com [205.227.223.133]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA05308 for ; Wed, 1 Apr 1998 10:24:55 -0800 (PST)
Received: by mail.citysearch.com with Internet Mail Service (5.0.1458.49) id ; Wed, 1 Apr 1998 10:28:23 -0800
Message-ID: <9494F3B8EDAED111949B00600815D1C578FA20@mail.citysearch.com>
From: Michael Batchelor
To: firewalls@GreatCircle.COM
Subject: RE: Split DNS config questions
Date: Wed, 1 Apr 1998 10:28:19 -0800
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain; charset="iso-8859-1"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thanks for the hints and tips from everyone who responded. The part I was not "getting" was the need to duplicate inside and outside zone databases, if inside and outside zones belong to the same domain. Since our outside zones are larger and more dynamic than the inside zone, I have chosen to use a new subdomain for the inside zone, which is relatively stable. This way I avoid having to duplicate the administrative effort for both inside and outside zones. I'll just set up the resolv.conf on inside hosts so that the search order looks at the inside and then the outside domains.

> -----Original Message-----
> From: Leonard Miyata [SMTP:leonard@geminisecure.com]
> Sent: Wednesday, April 01, 1998 9:55 AM
> To: Michael Batchelor
> Cc: firewalls@GreatCircle.COM
> Subject: Re: Split DNS config questions
>
> Hi There
>
> First, the best reference for this subject is
> Building Internet Firewalls, Chapman & Zwicky
> DNS and Bind 2ND EDITION!! Albitz & Liu
> Both from O'Reilly & Associates, Inc.
> The two together provide a good write up on the interactions of DNS,
> Firewalls and DMZ configurations.
>
> The entire purpose of 'Split' DNS is to set up a Private DNS
> infrastructure to resolve your internal Private Addresses, and the
> Public Addresses they're allowed to talk to. Meanwhile, your Official
> Public DNS Server contains your Public addresses, and resolves Internet
> connections. Since the Public Server does not know your internal
> Addresses, the 'Split' DNS configuration 'hides' the internal addresses
> from public view. By the way... they both use 'Your Domain' but they are
> duplicate infrastructure.
>
> For Complete isolation, not only do you need your Private Primary and
> Secondary DNS Servers, you also need a Private root Server granting
> your Private Primary Authoritative for the domain.
>
> Personal Opinions Provided by
> Leonard Miyata
> aka leonard@geminisecure.com
> Gemini Computers Inc.
>
> On Tue, 31 Mar 1998, Michael Batchelor wrote:
>
> > I am having some trouble understanding how split DNS is supposed to
> > work. I am using BIND 8.1.1 on Irix 6.2. I have looked up some info on
> > the web about split DNS (fwtk FAQ, for instance, has a short tutorial),
> > and have gone over the discussion in the Cheswick/Bellovin firewalls
> > book, but still have some unresolved questions:
> >
> > 1. If I want to use the same domain for internal and external, how does
> > the internal DNS server know when to forward to the firewall? I set up
> > the internal name server as primary for company.com, but www.company.com
> > is an external host. The internal server doesn't want to forward
> > queries for www.company.com to the firewall. It returns NXDOMAIN for
> > all outside hosts in the same domain, if the internal server doesn't
> > have a record. Must I set up a different internal domain for inside
> > DNS? That works, by the way, but I was under the impression that split
> > DNS worked with the same domain inside and outside.
> > It's really inconvenient for me to have to make internal.company.com or
> > whatever.
> >
> > 2. I prepared a named.cache file for the internal DNS server that lists
> > itself as a root server. Named likes to complain in the log files about
> > "sysquery: no addrs found for root NS ()". If I leave out the
> > named.cache from the named.conf, it fails to operate (SRVFAIL errors).
> > If I use the named.cache from rs.internic.net, all answers are
> > non-authoritative.
> >
> > 3. My firewall is actually not listed in the NIC as primary for our
> > domain. Our external primaries are co-located at our ISP. So I set up
> > the firewall named as a caching forwarder to the existing external name
> > servers. When the internal server is set up with a subdomain, rather
> > than the same domain as the external hosts, this seems to work OK. I
> > have the firewall named set to log all queries, and it does get the
> > queries from the internal server, and forwards to the external. So I
> > think this setup is functionally OK, but wanted to mention it in case it
> > has relevance to my other questions.
> >
> > Any hints, tips, or URLs to a complete discussion with examples would be
> > very much appreciated.
> >
> > _______________________________________________________
> > UNIX TEAM - Because it tells me to.
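The two inside-server layouts Michael compares above (primary for company.com itself versus primary for an inside-only subdomain that forwards everything else to the firewall's caching forwarder), as an added Python model that is not from the thread and is not BIND configuration; server names, zone contents and addresses are assumed for illustration.

```python
"""Split-DNS behaviour model (added example, not from the thread).

Models the two layouts compared in the thread: an inside server that is
primary for the same apex as the outside world (company.com) versus an inside
server that is primary only for a subdomain (internal.company.com) and
forwards everything else to the firewall's caching forwarder. All names,
addresses and zone contents are constructed for illustration.
"""

NXDOMAIN = "NXDOMAIN"


class NameServer:
    """A name server holding zero or more zones, with an optional forwarder."""

    def __init__(self, name, zones, forwarder=None):
        self.name = name
        self.zones = zones          # {apex: {fqdn: address}}
        self.forwarder = forwarder  # NameServer or None

    def zone_for(self, qname):
        # Longest-suffix match: the most specific zone apex containing qname.
        apexes = [a for a in self.zones if qname == a or qname.endswith("." + a)]
        return max(apexes, key=len) if apexes else None

    def resolve(self, qname):
        apex = self.zone_for(qname)
        if apex is not None:
            # Authoritative for the zone: an unknown name is NXDOMAIN and is
            # never forwarded, which is exactly question 1 in the thread.
            return self.zones[apex].get(qname, NXDOMAIN)
        if self.forwarder is not None:
            return self.forwarder.resolve(qname)
        return NXDOMAIN


def resolve_with_search(server, short_name, search_list):
    """resolv.conf 'search' semantics: append each suffix in order."""
    for suffix in search_list:
        answer = server.resolve(short_name + "." + suffix)
        if answer != NXDOMAIN:
            return answer
    return NXDOMAIN


def build_outside_world():
    # Public primaries at the ISP, and the firewall's caching forwarder
    # pointing at them (constructed addresses from the documentation range).
    isp = NameServer("isp-primary", {"company.com": {
        "www.company.com": "192.0.2.80",
        "mail.company.com": "192.0.2.25",
    }})
    return NameServer("firewall-named", {}, forwarder=isp)


def layout_same_domain(firewall, duplicate_outside_records=False):
    # Inside server primary for company.com itself; only inside hosts listed
    # unless the outside data is duplicated (the administrative burden noted).
    zone = {"fileserver.company.com": "10.0.0.5"}
    if duplicate_outside_records:
        zone["www.company.com"] = "192.0.2.80"
    return NameServer("inside-named", {"company.com": zone}, forwarder=firewall)


def layout_subdomain(firewall):
    # Inside server primary only for internal.company.com; everything else
    # in company.com is forwarded to the firewall, so nothing is duplicated.
    zone = {"fileserver.internal.company.com": "10.0.0.5"}
    return NameServer("inside-named", {"internal.company.com": zone},
                      forwarder=firewall)


def demo():
    """Return what an inside client sees under each layout."""
    firewall = build_outside_world()
    same = layout_same_domain(firewall)
    same_dup = layout_same_domain(firewall, duplicate_outside_records=True)
    sub = layout_subdomain(firewall)
    search = ["internal.company.com", "company.com"]
    return {
        "same_domain": {"www.company.com": same.resolve("www.company.com")},
        "same_domain_duplicated": {"www.company.com": same_dup.resolve("www.company.com")},
        "subdomain": {
            "www.company.com": sub.resolve("www.company.com"),
            "fileserver via search list": resolve_with_search(sub, "fileserver", search),
            "www via search list": resolve_with_search(sub, "www", search),
        },
    }


if __name__ == "__main__":
    for layout, answers in demo().items():
        print(layout, answers)
```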
From firewalls-owner Wed Apr 1 11:29:31 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA19256; Wed, 1 Apr 1998 06:38:15 -0800 (PST)
Received: from ecbull20.frec.bull.fr (ecbull20.frec.bull.fr [129.183.1.5]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id BAA14119 for ; Wed, 1 Apr 1998 01:51:04 -0800 (PST)
From: Ciaran.Deignan@bull.net
Received: from esquelet (esquelet.frec.bull.fr [129.183.82.33]) by ecbull20.frec.bull.fr (8.8.8/8.8.8) with SMTP id LAA23362; Wed, 1 Apr 1998 11:55:12 +0200
Received: from localhost by esquelet (AIX 4.1/UCB 5.64/4.03) id AA149676; Wed, 1 Apr 1998 11:54:59 +0200
Date: Wed, 1 Apr 1998 11:54:59 +0200 (DFT)
X-Sender: deignan@esquelet
To: firewalls@GreatCircle.COM
Cc: Ghislain.Kerviler@bull.net, Frederic.Soinne@bull.net, Daniel.Sorba@bull.net
Subject: Re: NetWall from Bull
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Nerijus Krukauskas on 31.03.98 14:30:13 wrote:

> Hello,
>
> Does anyone have any experience with NetWall from Bull? Is it worth
> installing this firewall solution?

I work for Bull, so my opinion is obviously biased, however Netwall is ICSA (formerly NCSA) certified, check out http://www.ncsa.com/fwcd/netwall.html

There is good information on how Netwall works in the Netwall White Paper at http://www-frec.bull.com/OSBU2_0/wp_netwall.htm , and there is an excellent "how to do it" guide in the Secure-ready White Paper at http://www-frec.bull.com/OSBU2_0/wp_securehp.htm .

Netwall is a stateful IP filter, plus "transparent" application proxies (TIS proxies with Bull added-value), plus optional remote control (encrypted connection) and other optional features.
The IP filter can group one or more interfaces into security domains (Internal, External, DMZ, User-defined) for collective management:

    From any Internal to any DMZ, any service, accept

Netwall uses an ergonomic GUI running on the AIX (NT version available) platform (or a remote administration running on an AIX or Windows95 platform).

Netwall costs in the region of $10K (50K FF). An entry-level package (IP filtering only, limited to 50 "internal" IP addresses) costs in the region of $3K.

Hope this helps,

Ciaran

+-------------------------------------------------------------------------+
 Ciaran Deignan                               Tel: (France) 04 76 29 79 92
 BULL XS-BU (http://www-frec.bull.com)        Internet Support Project Leader
 Office: C1/012                               Bullcom: 229 79 92
 Mail to: C1/023 or Ciaran.Deignan@bull.net   Fax: 229 76 89
+-------------------------------------------------------------------------+

From firewalls-owner Wed Apr 1 11:57:26 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA23526; Tue, 31 Mar 1998 12:23:04 -0800 (PST)
Received: from mtigwc03.worldnet.att.net (mtigwc03.worldnet.att.net [204.127.131.34]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id TAA29236 for ; Mon, 30 Mar 1998 19:10:26 -0800 (PST)
Received: from 90.san-francisco-16.ca.dial-access.att.net ([12.64.163.90]) by mtigwc03.worldnet.att.net (post.office MTA v2.0 0613 ) with SMTP id AAA3793; Tue, 31 Mar 1998 03:14:23 +0000
Received: by 90.san-francisco-16.ca.dial-access.att.net with Microsoft Mail id <01BD5C0F.3FA6C200@90.san-francisco-16.ca.dial-access.att.net>; Mon, 30 Mar 1998 19:08:39 -0800
Message-ID: <01BD5C0F.3FA6C200@90.san-francisco-16.ca.dial-access.att.net>
From: Ray Ricardo
To: "'firewall-wizards@nfr.net'" , "'firewalls@greatcircle.com'"
Subject: FW: FW-1 redundancy
Date: Mon, 30 Mar 1998 19:08:19 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk
Configured properly, dynamic routing can safely be used in the DMZ to achieve redundant firewall availability. If you OWN and CONTROL your exterior and interior routers, you can configure the routers to ONLY receive routing updates from the security server in the DMZ (using GATED) and configure the security server to ONLY send updates to your exterior and interior routers.

No other routing updates would be required. Once this is accomplished, the exterior and interior routers will always have current knowledge of the state of the firewalls in the DMZ. If a firewall fails, the routers will stop receiving routing updates from that server, flush it out of its routing tables and begin sending packets to the other firewall.

It is important that this configuration is implemented by a security / network professional who has expert understanding of the risk associated with network routing. This goes against conventional thinking, but done properly, it can be implemented safely.

p.s. I would advise using OSPF instead of RIP2.

Ray Ricardo

> ----------
> From: Jose R. Ferreira[SMTP:jricardo@medidata.com.br]
> Sent: Monday, March 30, 1998 9:35 AM
> To: Firewalls@GreatCircle.COM
> Subject: FW-1 redundancy
>
> From: Jose R. Ferreira@MLX on 30/03/98 14:35
>
> Hi All,
>
> I am looking for a solution to give more availability to an Internet
> site.
> Today its configuration is quite simple:
>
>            External router
>                  |
>           _______|___________
>                  |
>           FW-1 (Checkpoint) + NAT
>                  |
>            ______|___________
>                  |
>           Internal network
>
> I am thinking about the diagram below, using a routing protocol like
> OSPF or RIP to inform the internal network that there is another route if
> a FireWall or a link fails, using an internal router as a default gateway
> for the internal network.
>
>                External router
>                      |
>        ______________|______________
>        |                           |
>        |                           |
>     FW-1 2.0                    FW-1 2.0
>        | (NAT)                     | (NAT)
>        |___________________________|
>                      |
>               Internal router
>                      |
>                      |
>               Internal Network
>
> Does anybody know if the FireWall-1 product supports synchronization
> (the state tables and rules are kept in synchronization)?
>
> I have read about a solution from stonesoft, called stonebeat. Does anybody
> have some experience with this product?
>
> I am very interested to know your opinion, experience and solutions for
> this situation.
>
> Regards,
> Jose Ricardo

From firewalls-owner Wed Apr 1 11:57:30 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA24217; Tue, 31 Mar 1998 12:26:49 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id SAA17045 for ; Mon, 30 Mar 1998 18:03:23 -0800 (PST)
Received: from mailhost.netvisioninc.com (NS1.netvisioninc.com [207.181.146.2]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id RAA01733 for ; Mon, 30 Mar 1998 17:40:47 -0800 (PST)
Received: by NS1.netvisioninc.com with Internet Mail Service (5.5.1960.3) id ; Mon, 30 Mar 1998 20:48:01 -0500
Message-ID: <2110E4FFF059D011966000A024DAB8E709369B@NS1.netvisioninc.com>
From: Charles Getty
To: "'Brett Mayer'" , "Firewalls (E-mail)"
Subject: RE: cable modem security
Date: Mon, 30 Mar 1998 20:48:00 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-Type: multipart/alternative; boundary="---- =_NextPart_001_01BD5C47.09562AA0"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

That assumes you can put the "cable modem" into a promiscuous mode.... The cable modem is essentially a transparent bridge...
Does anyone know of other devices that allow you to access the cable medium? Is there an online copy of this article in 2600?

-----Original Message-----
From: Brett Mayer [mailto:BMayer@rfc.com]
Sent: Monday, March 30, 1998 5:40 PM
To: firewalls@GreatCircle.com
Subject: cable modem security

From what I've heard, the cable modem runs over the existing cable TV lines strung throughout your area. Anyone with a packet sniffer can tap in and see all transmissions. There is a great article about it in 2600 (the one with the orangutan on the cover).

>I have just installed a cable modem from the @home network to a single
>machine running NT 4.0 SP3. It provides REALLY GREAT performance, but I
>cannot get any support from @home about security.
>
>I only plan to run Netscape, and read mail and news groups. What can I do
>to protect data on this machine from security risks?
>
>Ned

Brett Mayer
ESM-Tivoli
GMAC\RFC
(612)832-7148

From firewalls-owner Wed Apr 1 13:08:34 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA11651; Wed, 1 Apr 1998 10:59:00 -0800 (PST)
Received: from geocities.com (mail4.geocities.com [209.1.224.24]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA11626 for ; Wed, 1 Apr 1998 10:58:41 -0800 (PST)
Received: from geocities.com (cs103-3.u.washington.edu [140.142.180.39]) by geocities.com (8.8.5/8.8.5) with ESMTP id LAA20679 for ; Wed, 1 Apr 1998 11:02:54 -0800 (PST)
Message-ID: <35228F60.14F0AD3D@geocities.com>
Date: Wed, 01 Apr 1998 11:02:56 -0800
From: Daniel Walsh
X-Mailer: Mozilla 4.04 [en] (Win95; I)
MIME-Version: 1.0
To: Firewalls
Subject: Spam!
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'll make this short, and I know this has nothing to do with firewalls, but. . . SPAM! How do I deal with the "unidentified recipients"? And more importantly, I have received several e-mails from an AOL account that returns an unidentified user response when I tried to get off the list. Help? Maybe a direction to send me in?

And more on the subject: I want to thank you guys for the topics. My presentation for my LAN class went much smoother because of this list!

thanks
dan

---------------------------------
Daniel Walsh
University of Washington Engineering Alumni Assoc.
-Webslave
karsus@geocities.com
----------------------------------

From firewalls-owner Wed Apr 1 13:57:20 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA09511; Wed, 1 Apr 1998 10:47:05 -0800 (PST)
Received: from Xenon.Stanford.EDU (Xenon.Stanford.EDU [171.64.64.24]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA09444 for ; Wed, 1 Apr 1998 10:46:49 -0800 (PST)
Received: (from dechon@localhost) by Xenon.Stanford.EDU (8.8.7/8.8.8) id KAA23177; Wed, 1 Apr 1998 10:50:36 -0800 (PST)
From: "Marc D. Jackson"
Message-Id: <199804011850.KAA23177@Xenon.Stanford.EDU>
Subject: Re: FW: FW-1 redundancy
To: ray.06@worldnet.att.net (Ray Ricardo)
Date: Wed, 1 Apr 1998 10:50:35 -0800 (PST)
Cc: firewall-wizards@nfr.net, firewalls@GreatCircle.COM
In-Reply-To: <01BD5C0F.3FA6C200@90.san-francisco-16.ca.dial-access.att.net> from "Ray Ricardo" at Mar 30, 98 07:08:19 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ray Ricardo writes:
>
> Configured properly, dynamic routing can safely be used in the DMZ to
> achieve redundant firewall availability. If you OWN and CONTROL your
> exterior and interior routers, you can configure the routers to ONLY
> receive routing updates from the security server in the DMZ (using
> GATED) and configure the security server to ONLY send updates to your
> exterior and interior routers.
>
> No other routing updates would be required. Once this is accomplished,
> the exterior and interior routers will always have current knowledge of
> the state of the firewalls in the DMZ. If a firewall fails, the routers
> will stop receiving routing updates from that server, flush it out of
> its routing tables and begin sending packets to the other firewall.
>
> It is important that this configuration is implemented by a security /
> network professional who has expert understanding of the risk associated
> with network routing. This goes against conventional thinking, but done
> properly, it can be implemented safely.
>
> p.s. I would advise using OSPF instead of RIP2.

You might want to tell why one should use OSPF over RIP2.

mj

>
> Ray Ricardo
>
> > ----------
> > From: Jose R. Ferreira[SMTP:jricardo@medidata.com.br]
> > Sent: Monday, March 30, 1998 9:35 AM
> > To: Firewalls@GreatCircle.COM
> > Subject: FW-1 redundancy
> >
> > From: Jose R. Ferreira@MLX on 30/03/98 14:35
> >
> > Hi All,
> >
> > I am looking for a solution to give more availability to an Internet
> > site.
> > Today its configuration is quite simple:
> >
> >            External router
> >                  |
> >           _______|___________
> >                  |
> >           FW-1 (Checkpoint) + NAT
> >                  |
> >            ______|___________
> >                  |
> >           Internal network
> >
> > I am thinking about the diagram below, using a routing protocol like
> > OSPF or RIP to inform the internal network that there is another route if
> > a FireWall or a link fails, using an internal router as a default gateway
> > for the internal network.
> >
> >                External router
> >                      |
> >        ______________|______________
> >        |                           |
> >        |                           |
> >     FW-1 2.0                    FW-1 2.0
> >        | (NAT)                     | (NAT)
> >        |___________________________|
> >                      |
> >               Internal router
> >                      |
> >                      |
> >               Internal Network
> >
> > Does anybody know if the FireWall-1 product supports synchronization
> > (the state tables and rules are kept in synchronization)?
> >
> > I have read about a solution from stonesoft, called stonebeat. Does
> > anybody have some experience with this product?
> >
> > I am very interested to know your opinion, experience and solutions for
> > this situation.
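The failover mechanism Ray describes in the quoted text (routers that accept routing updates only from the security servers, security servers that send updates only to named routers, and a silent firewall being aged out of the routing table), as an added Python model that is not from the thread and is not gated configuration; the addresses, metrics, update interval and hold time are assumed for illustration.

```python
"""Routing-based firewall failover model (added example, not from the thread).

A small simulation of the scheme described in the thread: each firewall (the
"security server" in the DMZ) advertises routes only to the named exterior
and interior routers, and those routers accept routing updates only from
the firewalls. A firewall that stops advertising is aged out after a hold
time and traffic shifts to the surviving one. This models what a gated/OSPF
deployment would do; it is not gated configuration. Addresses, metrics and
timers are constructed for illustration.
"""


class Router:
    """Router that trusts routing updates from a fixed set of sources only."""

    def __init__(self, name, trusted_sources, hold_time=180):
        self.name = name
        self.trusted = set(trusted_sources)
        self.hold_time = hold_time
        self.routes = {}    # (prefix, next_hop) -> (metric, expires_at)
        self.rejected = []  # (time, source, prefix) audit trail

    def receive_update(self, source, prefix, metric, now):
        # Control 1: updates from anything but the security servers are
        # dropped and logged, so no other host on the DMZ can steer traffic.
        if source not in self.trusted:
            self.rejected.append((now, source, prefix))
            return False
        self.routes[(prefix, source)] = (metric, now + self.hold_time)
        return True

    def expire(self, now):
        # Control 2: a firewall that has gone quiet is flushed once its
        # last update is older than the hold time.
        dead = [k for k, (_, exp) in self.routes.items() if exp <= now]
        for k in dead:
            del self.routes[k]
        return [next_hop for (_, next_hop) in dead]

    def best_next_hop(self, prefix, now):
        self.expire(now)
        live = [(m, nh) for (p, nh), (m, _) in self.routes.items() if p == prefix]
        return min(live)[1] if live else None


class SecurityServer:
    """Firewall that sends its routes point-to-point to named routers only."""

    def __init__(self, address, peers, prefixes, metric):
        self.address = address
        self.peers = list(peers)        # explicit destinations, no broadcast
        self.prefixes = list(prefixes)
        self.metric = metric

    def advertise(self, now):
        for router in self.peers:
            for prefix in self.prefixes:
                router.receive_update(self.address, prefix, self.metric, now)


def simulate(update_interval=30, hold_time=180, failure_time=120, end=360):
    """Run two firewalls against one interior router; fw_a dies at failure_time.

    Returns (timeline, rejected): timeline maps simulated seconds to the
    interior router's chosen next hop for the default route.
    """
    interior = Router("interior", ["192.0.2.1", "192.0.2.2"], hold_time)
    fw_a = SecurityServer("192.0.2.1", [interior], ["0.0.0.0/0"], metric=1)
    fw_b = SecurityServer("192.0.2.2", [interior], ["0.0.0.0/0"], metric=2)
    timeline = {}
    for now in range(0, end + 1, update_interval):
        if now < failure_time:
            fw_a.advertise(now)
        fw_b.advertise(now)
        if now == 2 * update_interval:
            # An update from an address that is not a security server
            # (constructed) must be refused, not installed.
            interior.receive_update("192.0.2.99", "0.0.0.0/0", 0, now)
        timeline[now] = interior.best_next_hop("0.0.0.0/0", now)
    return timeline, interior.rejected


if __name__ == "__main__":
    timeline, rejected = simulate()
    for t, hop in timeline.items():
        print(f"t={t:3d}s default route via {hop}")
    print("rejected updates:", rejected)
```

With the assumed timers, fw_a's last advertisement at t=90 keeps its route alive until t=270, when the interior router flushes it and falls back to fw_b.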
> >
> > Regards,
> > Jose Ricardo

From firewalls-owner Wed Apr 1 15:18:09 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA24727; Wed, 1 Apr 1998 07:04:49 -0800 (PST)
Received: from guten.sddpc.org (guten.sddpc.org [156.29.3.236]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id HAA24670 for ; Wed, 1 Apr 1998 07:04:36 -0800 (PST)
Received: from fiji ([156.29.5.200]) by guten.sddpc.org (Netscape Mail Server v2.02) with SMTP id AAA5059 for ; Wed, 1 Apr 1998 07:08:14 -0800
Message-Id: <3.0.3.32.19980401071144.00a65af0@guten.sannet.gov>
X-Sender: rwk@guten.sannet.gov
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Wed, 01 Apr 1998 07:11:44 -0800
To: firewalls@greatcircle.com
From: rkizer@sddpc.org (Kizer, Randall)
Subject: Re: Laptop security / CMW variants
In-Reply-To:
References:
Mime-Version: 1.0
Content-Type: text/enriched; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You might try looking into Axent's Security Briefcase. For << $100. you can encrypt the files on your laptop, have strong authentication (one-time password) and have a VPN session over an unsecured public network (Internet).

At 12:49 PM 3/31/98 -0500, you wrote:

>>>> Perry < queries the List:

>1) Can anyone recommend a laptop security product that supports full disk
>encryption via a pcmcia card, a bonus would be VPN support for remote
>authentication issues. I have reviewed PC/DACS over the past week which
>is a software encryption/access control package, but the encryption
>segment leaves a lot to be desired security wise (not to mention that the
>product sucks).

Check out: <

I just picked this announcement up off Bizwire.
Suerte,
_Vin

----

Kasten Chase Applied Research Limited (TSE-KCA) today announced a joint sales and marketing agreement with SPYRUS, a leading electronic commerce company based in San Jose, California, to provide high performance, high security cryptographic technology as part of the world's first PCMCIA FORTEZZA(R)-based secure remote access solution for government agencies.

Under the agreement, SPYRUS has developed a FORTEZZA(R)-enabled version of its proprietary Locksmith software application and its LYNKS Privacy Card(tm) for use with Kasten Chase's remote access products. Kasten Chase will deliver secure remote access solutions that include the SPYRUS family of hardware and software products. The SPYRUS products, bundled into the offering, will add desktop protection functionality to the solution that already provides authentication and encryption technology.

"Our partnership with SPYRUS is an example of our commitment to offer a total secure access solution to the government and financial markets," said Steve Ducat, vice president of sales for Kasten Chase. "Our partnership with SPYRUS, a leader in cryptographic desktop technology, adds important media encryption capabilities to our existing security portfolio, thereby positioning our offering to become the de facto standard for FORTEZZA(R)-based secure remote access."

SPYRUS has developed a customized FORTEZZA(R)-based version of its Locksmith(tm) media encryption software for use with Kasten Chase's OPtiva Secure Plus. Locksmith adds another layer of security features to a remote access application by combining a personal identification number (PIN) with the SPYRUS PCMCIA-compliant LYNKS Privacy Card. LYNKS Privacy Cards enable security-critical capabilities -- user authentication, message privacy, message integrity authentication, and secure storage -- for a FORTEZZA(R)-based media encryption solution.
"SPYRUS is leading the e-commerce industry in FORTEZZA(R)-based hardware and software solutions for high performance, high assurance Internet data access and security solutions," said Charlie Scruggs, director of sales for SPYRUS. "Remote access security is becoming an increasing problem for companies, with over 14 million people working from home or remote locations in the United States alone. With solutions such as those developed by SPYRUS and Kasten Chase, the travelling road warrior will no longer need to be concerned about the loss of a laptop computer and the potential damage resulting from misuse of critical corporate information."
---------------

>2) Has anyone done a comparison between the different MLS and/or CMW
>oriented OS' (ie Trusted Solaris, HPUX CMW, OSF CMW)? Any information
>would be greatly appreciated.

I too would be interested if you find a good repository for this sort of comparative info. You might check out the Dockmaster discussion groups. Contact the NISSC office at the NSA to arrange for access.

-----
"Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill... yet basically an intellectual construct, an idea, which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege."
_ A thinking man's Creed for Crypto/ vbm.
* Vin McLellan + The Privacy Guild + < *
53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548

From firewalls-owner Wed Apr 1 18:07:43 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA11029; Wed, 1 Apr 1998 13:16:29 -0800 (PST)
Received: from zaphod.axion.bt.co.uk (zaphod.axion.bt.co.uk [132.146.5.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id BAA14229 for ; Wed, 1 Apr 1998 01:51:33 -0800 (PST)
Received: from catullus.agw.bt.co.uk by zaphod.axion.bt.co.uk with SMTP (PP); Wed, 1 Apr 1998 10:54:51 +0100
Received: from newgate.agw.bt.co.uk (newgate.agw.bt.co.uk [147.150.193.219]) by catullus.agw.bt.co.uk (8.8.8/8.8.8) with ESMTP id JAA15688 for ; Wed, 1 Apr 1998 09:54:50 GMT
Message-Id: <199804010954.JAA15688@catullus.agw.bt.co.uk>
Received: by SMSMAINT-NEW with Internet Mail Service (5.5.1960.3) id <2AY3LZSD>; Wed, 1 Apr 1998 10:58:54 +0100
From: "Pearce, Danny"
To: Firewalls@GreatCircle.COM
Subject: RE: Intranet security products
Date: Wed, 1 Apr 1998 10:43:26 +0100
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

http://www.iss.net - RealSecure/Internet Security Scanner (set of)
http://www.wheelgroup.com - NetRanger/NetSonar
http://www.nai.com - CyberCop
http://www.axent.com - NetRecon

Plus a few others that are not so good:
Abirnet SessionWall
NFR Network Flight Recorder (www.nfr.org)

++++++++++++++++++++++++++++++++++++++++++++++++++++
> My employer is looking for a tool that will detect intrusions primarily
> from internal sources. We need a solution that will work on NT and
> integrates well with Netscape
> Suitespot servers. We are setting up an Intranet and are concerned about
> internal users that might want to screw around.
>
> thanks in advance...
> > Dave
++++++++++++++++++++++++++++++++++++++++++++++++++++

From firewalls-owner Wed Apr 1 19:10:16 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA06409; Wed, 1 Apr 1998 12:58:22 -0800 (PST)
Received: from hef.ncanet.com (hef.ncanet.com [206.63.127.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id JAA25677 for ; Wed, 1 Apr 1998 09:40:08 -0800 (PST)
Received: from tigger2.ncanet.com ([206.63.127.20]) by hef.ncanet.com (Netscape Mail Server v2.02) with SMTP id AAA16639; Wed, 1 Apr 1998 09:45:43 -0800
Message-Id: <3.0.3.32.19980401094441.006c7298@hef.ncanet.com>
X-Sender: BobF@hef.ncanet.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Wed, 01 Apr 1998 09:44:41 -0800
To: "Berchtold Patrick (GIAPBE)"
From: bobf@NCAnet.com (Bob Fitton)
Subject: Re: AW: Sniffer
Cc: "'Taufik Islam'" , "Firewalls Mailing List (E-Mail)"
In-Reply-To:
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You might also look into the Shomiti product line:
http://www.shomiti.com/

They have both software-only and hardware solutions, the hardware solutions capable of full 100MB line-rate capture and/or packet generation.

At 01:24 PM 3/31/98 +0200, Berchtold Patrick (GIAPBE) wrote:
>Windows NT's own network monitor is doing quite a good job. Its
>restriction is that it only records packets that are addressed to or
>from that host. Say, if you run it on host myhost.foo.bar, you can only
>see packets that are sent to or from myhost.foo.bar, but not any "3rd
>party packets" eg from host1.foo.bar to host2.foo.bar
>
>The network monitor included in MS SMS is basically the same, but
>without that boring restriction.
>
>The most powerful monitor I know is Sniffer (former NetXRay) from
>Network Associates. It is easily scalable for your specific needs. See
>http://www.nai.com/ for more.
>
>Another monitor I once heard about is NetAnt from People Network. See
>http://www.people-network.com/netant.htm for info.
>
>But if you have a Linux box at hand I would rather use tcpdump than
>those above. It's powerful, easy to use and free.
>
>Patrick
>
>
>> -----Original Message-----
>> From: Taufik Islam [SMTP:Tislam@acaonline.org]
>> Sent: Friday, 27 March 1998 23:21
>> To: Firewalls@GreatCircle.COM
>> Subject: Sniffer
>>
>> Is there a good Packet sniffer that runs on NT 4.0?
>> Please help me with any information you may have
>> Thanks
>>
>> If you know of any good packet sniffer for UNIX please let me know
>> also.
>>
>> Taufik Islam
>> Network Engineer, ACA
>
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBNSJ9CNl6d/249nb1EQKbrwCgjzwGt84R+5PmjdqcXMXX2yvns4gAn1pw
4A9Thwql1QZ853dBai2Sybb1
=rVwk
-----END PGP SIGNATURE-----

Bob Fitton, Sr.
Network Engineer
www.NCAnet.com
Network Computing Architects
425.451.8995
10245 Main Street, Bellevue WA 98004
FAX.453.3461

From firewalls-owner Wed Apr 1 19:30:42 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA21968; Wed, 1 Apr 1998 14:05:21 -0800 (PST)
Received: from imo28.mx.aol.com (imo28.mx.aol.com [198.81.17.72]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id OAA21929 for ; Wed, 1 Apr 1998 14:05:09 -0800 (PST)
Received: from JonnyBoy85@aol.com by imo28.mx.aol.com (IMOv13.ems) id PCUYa24392 for ; Wed, 1 Apr 1998 17:08:46 -0500 (EST)
From: JonnyBoy85
Message-ID: <5fa01b9b.3522baf1@aol.com>
Date: Wed, 1 Apr 1998 17:08:46 EST
To: Firewalls@GreatCircle.com
Mime-Version: 1.0
Subject: Hi
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7bit
X-Mailer: Windows AOL sub 168
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all, thanks for the help and advice from my last post.. Maybe you can help me with another query. Can anybody explain about T1, T2, and T3 lines? They're like ISDN I think. I have tried everywhere to find out about them, and was starting to think that there was no such thing as a T3, but I found out again today that there is. Thanks again everybody..
Jonathan

From firewalls-owner Wed Apr 1 20:41:00 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA26863; Wed, 1 Apr 1998 12:19:25 -0800 (PST)
Received: from doggate.exchange.microsoft.com (doggate.exchange.microsoft.com [131.107.88.55]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id MAA26827 for ; Wed, 1 Apr 1998 12:19:12 -0800 (PST)
Received: by DOGGATE with Internet Mail Service (5.5.2190.3) id <2B99FL85>; Wed, 1 Apr 1998 12:23:28 -0800
Message-ID:
From: "Vinod Valloppillil (Exchange)"
To: firewalls@GreatCircle.COM
Subject: great circle spam relay
Date: Wed, 1 Apr 1998 12:23:22 -0800
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2190.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

is it just me or is anyone else getting a ton of spam relayed by greatcircle.com?

From firewalls-owner Wed Apr 1 20:41:03 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA05367; Wed, 1 Apr 1998 15:12:28 -0800 (PST)
Received: from relay.la.tis.com (relay.la.tis.com [198.51.22.11]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id PAA05269 for ; Wed, 1 Apr 1998 15:12:06 -0800 (PST)
Received: by relay.la.tis.com; id PAA17094; Wed, 1 Apr 1998 15:30:44 -0800 (PST)
Received: from scintillate.la.tis.com(192.5.49.8) by relay.la.tis.com via smap (3.2) id xma017092; Wed, 1 Apr 98 15:30:44 -0800
Received: from empty (empty.la.tis.com [192.5.49.185]) by scintillate.la.tis.com (8.8.5/8.8.5) with SMTP id PAA15221 for ; Wed, 1 Apr 1998 15:14:21 -0800 (PST)
Message-Id: <3.0.5.32.19980401151544.00c39610@pop>
X-Sender: lothie@pop
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Wed, 01 Apr 1998 15:15:44 -0800
To: firewalls@greatcircle.com
From: Lothie/Mimi Herrmann
Subject: Re: Questions :)
In-Reply-To: <35229D01.3B68@antares.serpro.gov.br>
References: <9804011940.AA20572@antares.serpro.gov.br>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 05:01 PM 4/1/98 -0300, marcos antonio de sousa wrote:
>> > I'm using Netscape 3.0 and someone has read my e-mails.
>> > How is it possible? Of course, my question is for someone that doesn't
>> > know my password :)
>> > Thanks and hugs
>> > Marcos

How do you know they read your email? Anybody with root access can read your email before you POP it to your local machine. That's most likely what happened.

--
Lothie/Mimi Herrmann, Senior Network Engineer
mailto:lothie@tis.com or mailto:gauntlet-support@tis.com
Disclaimer: TIS won't allow me to speak for them, even if I wanted to!

From firewalls-owner Wed Apr 1 20:41:55 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA28571; Wed, 1 Apr 1998 14:41:31 -0800 (PST)
Received: from firewall.sni-usa.com (firewall.sni-usa.com [140.231.44.101]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id OAA28407 for ; Wed, 1 Apr 1998 14:40:47 -0800 (PST)
Received: from passer.sni-usa.com by firewall.sni-usa.com via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 1 Apr 1998 22:27:29 UT
Received: from burexserv.sni-usa.com (burexserv.sni-usa.com [136.157.5.6]) by passer.sni-usa.com (SMI-8.6/) with ESMTP for delivery to "" id RAA09941; Wed, 1 Apr 1998 17:36:05 -0500
Received: by burexserv.sni-usa.com with Internet Mail Service (5.0.1458.49) id ; Wed, 1 Apr 1998 17:47:05 -0500
Message-ID:
From: "Page, Sr., Alan"
To: Brett Mayer , firewalls@GreatCircle.com
Subject: RE: cable modem security
Date: Wed, 1 Apr 1998 17:47:03 -0500
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I used to install cable modems for Time Warner with their Road Runner service.
When you are connected to a cable modem it is no different than being on a LAN. You are running TCP/IP. There are some good personal firewall programs out that can allow you to add the extra layer of security to your system. Having NTFS as the file system with a secure ACL will also help. But the one thing to remember is it is just a large network, no different from your average corporation's net.

Sincerely,
Alan Page
Sr. Network Consultant
Siemens Nixdorf Information Systems
email Alan.page@sni-usa.com

> -----Original Message-----
> From: Brett Mayer [SMTP:BMayer@rfc.com]
> Sent: Monday, March 30, 1998 5:40 PM
> To: firewalls@GreatCircle.com
> Subject: cable modem security
>
> From what I've heard, the cable modem runs over the existing cable TV
> lines strung throughout your area. Anyone with a packet sniffer can
> tap in and see all transmissions. There is a great article about it in
> 2600 (the one with the orangutan on the cover)
>
> >I have just installed a cable modem from the @home network to a single
> >machine running NT 4.0 SP3. It provides REALLY GREAT performance, but I
> >cannot get any support from @home about security.
> >
> >I only plan to run Netscape, and read mail and news groups. What can I do
> >to protect data on this machine from security risks?
> >
> >Ned
>
> Brett Mayer
> ESM-Tivoli
> GMAC\RFC
> (612)832-7148

From firewalls-owner Wed Apr 1 21:40:14 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA25577; Wed, 1 Apr 1998 16:41:34 -0800 (PST)
Received: from ns.mapcoinc.com (ns.mapcoinc.com [206.103.80.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id OAA00797 for ; Wed, 1 Apr 1998 14:51:05 -0800 (PST)
From: klinec@mapcoinc.com
Received: from mercury.mapcoinc.com (mercury.mapco.com [10.250.8.16]) by ns.mapcoinc.com (AIX4.2/UCB 8.7/8.7) with SMTP id QAA124160 for ; Wed, 1 Apr 1998 16:50:50 -0600 (CST)
Received: by mercury.mapcoinc.com(Lotus SMTP MTA SMTP v4.6 (462.2 9-3-1997)) id 062565D9.007E126D ; Wed, 1 Apr 1998 16:57:02 -0600
X-Lotus-FromDomain: ALLIANCECOAL
To: Firewalls@GreatCircle.COM
Message-ID: <062565D9.007DACD7.00@mercury.mapcoinc.com>
Date: Wed, 1 Apr 1998 16:56:57 -0600
Subject: Bordermanager as firewall?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone have any first-hand experience with Novell's Bordermanager as a firewall? We are in the process of selecting a firewall product, and one vendor is going to propose Bordermanager. I have to admit, I was a little surprised. I was expecting IBM Firewall (because we're an AIX shop), Checkpoint, Cisco PIX, etc., but not Bordermanager. I tended to equate that product with MS Proxy Server.

We have a 400-desktop enterprise with eight Frame-Relay connected remote sites, and are looking for a firewall solution for the entire enterprise. In addition, we are in a rapid growth mode, and predict doubling in size both in number of desktops and number of WAN-connected sites by year-end.

Any thoughts anyone has would be appreciated.

Thanks,
Curtis Kline
Network Engineer
MAPCO Coal, Inc.
Tulsa, OK

From firewalls-owner Wed Apr 1 22:14:26 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA22475; Wed, 1 Apr 1998 16:26:22 -0800 (PST)
Received: from bridge.millstream.net (bridge.millstream.net [208.12.120.211]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id QAA22368 for ; Wed, 1 Apr 1998 16:25:42 -0800 (PST)
Received: from localhost (mike@localhost) by bridge.millstream.net (8.8.5/8.8.5) with SMTP id SAA09589; Wed, 1 Apr 1998 18:32:05 -0600 (CST)
Date: Wed, 1 Apr 1998 18:32:05 -0600 (CST)
From: Mike Bresina
To: Daniel Walsh
cc: Firewalls
Subject: Re: Spam!
In-Reply-To: <35228F60.14F0AD3D@geocities.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 1 Apr 1998, Daniel Walsh wrote:
> I'll make this short, and I know this has nothing to do with firewalls,
> but. . .
> SPAM! How do I deal with the "unidentified recipients?" And more
> importantly, I have received several e-mails from an AOL account, that
> returns an unidentified user response when I tried to get off the list.
> Help? Maybe a direction to send me in?

Check the headers; the spams have been propagated via the list itself. As far as the 'remove' "feature", that's just a way to get away with distributing spam software. Bear in mind that spammers are rarely selling anything; spam is a denial-of-service attack masquerading as business mail.

Note the phony unsub posts; they're spelled wrong so majordomo won't recognize the keyword and divert them from the list. Why a listmom of a firewalls list would put up with these shenanigans is beyond me.

---------------------------------------
Mike Bresina (mike@vsat.net)
System Administrator
Intellicom Customer Service Center
http://www.vsat.net/
v. (715) 720-1760
f. (715) 720-1762
---------------------------------------

From firewalls-owner Wed Apr 1 22:49:52 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA13392; Wed, 1 Apr 1998 15:46:34 -0800 (PST)
Received: from MISsentry.el.nec.com ([192.216.82.86]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id PAA13243 for ; Wed, 1 Apr 1998 15:45:55 -0800 (PST)
Received: from yginsburg.el.nec.com (yginsburg.el.nec.com [143.103.21.11]) by MISsentry.el.nec.com (8.7.1/8.7.1) with SMTP id PAA11988; Wed, 1 Apr 1998 15:49:53 -0800 (PST)
Received: by yginsburg.el.nec.com (SMI-8.6/SMI-SVR4) id PAA16931; Wed, 1 Apr 1998 15:49:27 -0800
Date: Wed, 1 Apr 1998 15:49:27 -0800
From: rdew@el.nec.com (Bob De Witt)
Message-Id: <199804012349.PAA16931@yginsburg.el.nec.com>
To: sutherland@mail.com
Subject: Re: Breaking the PIX box.. (was: What is a good Firewall?)
Cc: firewalls@GreatCircle.COM
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Chris,

I have used PIX boxes for several years, albeit sporadically. I have not heard of anyone breaking into a PIX once it was configured. I would really like to know how you did it, so I can take appropriate precautions next time.

TIA,
Bob De Witt, (this gig email address: rdew@el.nec.com)
(next gig [after 4/10/98] email address: rdew@[...tbd...])
The views expressed herein are my own, and are not attributable to any other source, be it employer, friend or foe.

> From sutherland@mail.com Thu Mar 26 14:01:49 1998
> From: "Chris Sutherland"
> To:
> Subject: Breaking the PIX box.. (was: What is a good Firewall?)
> Date: Thu, 26 Mar 1998 10:08:33 -0700
> X-MSMail-Priority: Normal
> X-Priority: 3
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
>
> Okie Lads,
>
> as i have had a number of requests, I will post a detailed description of
> PIX attacks, possibly even with scripts (but let me make sure i'm not
> violating an NDA before i do). Either way, you'll have the juicy bits on
> your desktops in a day or two.
>
> I would like to make this comment as well, and please, just send the flames
> directly to me. Given today's technology and the skill of our adversaries,
> don't you think any company advertising their product as "impenetrable" to
> be incredibly naive? After all, wasn't there a ship that had the same
> claims?
>
>
> chris
>

From firewalls-owner Wed Apr 1 23:26:04 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA22680; Wed, 1 Apr 1998 16:28:08 -0800 (PST)
Received: from apu.rcp.net.pe (apu.rcp.net.pe [161.132.5.16]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id QAA22628 for ; Wed, 1 Apr 1998 16:27:42 -0800 (PST)
Received: from localhost (1898 bytes) by apu.rcp.net.pe via sendmail with P:stdio/R:inet_hosts/T:smtp (sender: ) (ident using unix) id for ; Wed, 1 Apr 1998 19:29:49 -0500 (EST) (Smail-3.2.0.96 1997-Jun-2 #4 built 1997-Nov-8)
Message-Id:
From: vadillo@apu.rcp.net.pe (Enrique Vadillo)
Subject: Re: Spam!
To: karsus@geocities.com (Daniel Walsh)
Date: Wed, 1 Apr 1998 19:29:49 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <35228F60.14F0AD3D@geocities.com> from Daniel Walsh at "Apr 1, 98 11:02:56 am"
PGP-FingerPrint: 55 B9 83 D2 61 71 E6 6B 1E CE FD B5 F7 AA F1 B5
X-Mailer: ELM [version 2.4ME+ PL22 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

For an excellent anti-spam smtp server take a look at:
http://www.zmailer.org

Enrique Vadillo-

---- Daniel Walsh wrote ----
> I'll make this short, and I know this has nothing to do with firewalls,
> but. . .
> SPAM! How do I deal with the "unidentified recipients?" And more
> importantly, I have received several e-mails from an AOL account, that
> returns an unidentified user response when I tried to get off the list.
> Help? Maybe a direction to send me in?
>
> and more on the subject: I want to thank you guys for the topics. My
> presentation for my LAN class went much smoother because of this list!
>
> thanks
>
> dan
> ---------------------------------
> Daniel Walsh
> University of Washington
> Engineering Alumni Assoc.
> -Webslave
> karsus@geocities.com
> ----------------------------------
>
>
>
--
e-mail: vadillo@rcp.net.pe | "My opinions are my own, and do not
http://www.rcp.net.pe (PERU) | necessarily represent the opinion of my institution."
==========================================================================
Red Cientifica Peruana Internet Peru
==========================================================================
--
RCP - Intered Peru Fax: +51 1 241-1320
Web Site: http://www.rcp.net.pe (PERU)
Mirror Web Site: http://ekeko.rcp.net.pe (USA)

From firewalls-owner Thu Apr 2 02:34:36 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA24706; Wed, 1 Apr 1998 12:04:24 -0800 (PST)
Received: from antares.serpro.gov.br ([161.148.1.8]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id MAA24648 for ; Wed, 1 Apr 1998 12:03:54 -0800 (PST)
Received: from [161.148.196.39] by antares.serpro.gov.br (AIX 4.1/UCB 5.64/4.03) id AA07244; Wed, 1 Apr 1998 16:17:32 -0400
Message-Id: <35229D01.3B68@antares.serpro.gov.br>
Date: Wed, 01 Apr 1998 17:01:05 -0300
From: marcos antonio de sousa
X-Mailer: Mozilla 3.0 (Win95; I)
Mime-Version: 1.0
To: firewalls@greatcircle.com
Subject: Questions :)
References: <9804011940.AA20572@antares.serpro.gov.br>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mail Delivery Subsystem wrote:
>
> ----- Transcript of session follows -----
> >>> RCPT To:
> <<< 550 ... User unknown
> 550 ... User unknown
>
> ----- Unsent message follows -----
> Received: from [161.148.196.39] by antares.serpro.gov.br (AIX 4.1/UCB 5.64/4.03)
> id AA27482; Wed, 1 Apr 1998 15:40:07 -0400
> Message-Id: <3522943C.4D31@antares.serpro.gov.br>
> Date: Wed, 01 Apr 1998 16:23:40 -0300
> From: marcos antonio de sousa
> X-Mailer: Mozilla 3.0 (Win95; I)
> Mime-Version: 1.0
> To: firewall@greatcircle.com
> Subject: Questions
> References: <9804011750.AA21334@antares.serpro.gov.br>
> Content-Type: text/plain; charset=iso-8859-1
> Content-Transfer-Encoding: 8bit
>
> Mail Delivery Subsystem wrote:
> >
> > ----- Transcript of session follows -----
> > >>> RCPT To:
> > <<< 550 ... User unknown
> > 550 ... User unknown
> >
> > ----- Unsent message follows -----
> > Received: from [161.148.196.39] by antares.serpro.gov.br (AIX 4.1/UCB 5.64/4.03)
> > id AA33876; Wed, 1 Apr 1998 13:50:42 -0400
> > Message-Id: <35227A97.688A@antares.serpro.gov.br>
> > Date: Wed, 01 Apr 1998 14:34:15 -0300
> > From: marcos antonio de sousa
> > X-Mailer: Mozilla 3.0 (Win95; I)
> > Mime-Version: 1.0
> > To: firewall@GreatCircle.com
> > Subject: Questions :)
> > Content-Type: text/plain; charset=iso-8859-1
> > Content-Transfer-Encoding: 8bit
> >
> > Hi friends ...
> > I'm using Netscape 3.0 and someone has read my e-mails.
> > How is it possible? Of course, my question is for someone that doesn't
> > know my password :)
> > Thanks and hugs
> > Marcos

From firewalls-owner Thu Apr 2 02:34:43 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA21333; Wed, 1 Apr 1998 19:05:09 -0800 (PST)
Received: from cupts1 ([202.202.32.33]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id TAA21179 for ; Wed, 1 Apr 1998 19:04:19 -0800 (PST)
Received: from Shine81.cqupt.edu.cn ([202.202.35.81]) by cupts1 (5.x/SMI-SVR4) id AA01885; Thu, 2 Apr 1998 10:59:20 +0800
Message-Id: <35230246.234F@cqupt.edu.cn>
Date: Thu, 02 Apr 1998 11:13:10 +0800
From: Yang Xiaolong
Reply-To: yangxl@cqupt.edu.cn, yl@cquc.edu.cn
Organization: CUPT
X-Mailer: Mozilla 3.02Gold (Win95; I)
Mime-Version: 1.0
To: firewalls-digest@GreatCircle.COM
Subject: How can Cisco2511 support high speed(above 28.8)dailup network with Hayes Modem Pool?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi, All,

I have a router Cisco2511 (IOS software version 10.2) and a Hayes Modem Pool (V.34+FAX), and it should support high speed dialup, but in fact it only supports 9600. If the speed is above 9600, the login window will display some odd codes. My router config is the following:

!
interface Async1
 ip unnumbered Ethernet0
 ip tcp header-compression passive
 encapsulation ppp
 bandwidth 64
 async dynamic address
 async dynamic routing
 async mode interactive
!
From firewalls-owner Thu Apr 2 02:34:47 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA24639; Wed, 1 Apr 1998 19:24:29 -0800 (PST)
Received: from name.mcalbds.com ([205.214.199.244]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id TAA24494 for ; Wed, 1 Apr 1998 19:23:55 -0800 (PST)
Received: (from uucp@localhost) by name.mcalbds.com (8.8.4/8.8.4) id XAA02100; Wed, 1 Apr 1998 23:32:26 -0400
Received: from laptop.stokes.com(172.18.1.2) by name.mcalbds.com via smap (V2.0) id xma002093; Wed, 1 Apr 98 23:31:57 -0400
Date: Wed, 1 Apr 1998 23:31:55 -0400 (GMT+4)
From: Roger Hill
X-Sender: rhill@lappie.stokes.com
To: "Vinod Valloppillil (Exchange)"
cc: firewalls@GreatCircle.COM
Subject: Re: great circle spam relay
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 1 Apr 1998, Vinod Valloppillil (Exchange) wrote:
> is it just me or is anyone else getting a ton of spam relayed by
> greatcircle.com?
>

Oh yes.

============================================================================
Roger Hill, P.O.Box 4T, Barbados, West Indies.
E-mail:rhill@mcalbds.com Tel:246-436-6530/228-0677/230-9596 Fax:246-433-8365
============================================================================

From firewalls-owner Thu Apr 2 03:38:46 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA28517; Wed, 1 Apr 1998 12:30:45 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id MAA28355 for ; Wed, 1 Apr 1998 12:30:06 -0800 (PST)
Received: from ntserver1.us.esafe.com (c209-43-213-2.esafe.com [209.43.213.2]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id MAA10484 for ; Wed, 1 Apr 1998 12:03:11 -0800 (PST)
Received: by c209-43-213-2.esafe.com with Internet Mail Service (5.0.1458.49) id ; Wed, 1 Apr 1998 12:03:23 -0800
Message-ID:
From: Jerry Huyghe
To: "'Gordon LaSane'" , Doug Drake , Bruno , firewalls mailing list
Subject: RE: Virus checking at the firewall level.
Date: Wed, 1 Apr 1998 12:03:22 -0800
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Correction. McAfee does not offer a CVP product, only eSafe (1st CVP product), Symantec, and Integralis.

> -----Original Message-----
> From: Gordon LaSane [SMTP:glasane@gdsconnect.com]
> Sent: Tuesday, March 31, 1998 1:05 PM
> To: Doug Drake; Bruno; firewalls mailing list
> Subject: RE: Virus checking at the firewall level.
>
> Hey folks,
> The latest state of the art are virus scan products which are CVP
> (content vector protocol) compliant.
> In this scenario the firewall receives mail, passes the mail to the
> virus scan server which validates and passes, or cleanses/quarantines
> mail before it is passed back to the firewall for forwarding/logging.
> See: McAfee, Symantec and Secure Computing
> Gordon LaSane
> Global Data Systems, Inc.
> Internet and Intranet Firewalls and Security Group
> Consulting and Installing Solutions for Your Company's Data Security:
> Remote User Authentication
> Internet Access
> Virtual Private Networks
> Web Filtering
> Intranets
> Firewalls
>
> Gordon LaSane
> 781/740-8818 x13 ph
> 781/740-8830 fax
> glasane@gdsconnect.com
>
>
>
> ----Original Message-----
> From: Doug Drake [SMTP:ddrake@mci.net]
> Sent: Tuesday, March 31, 1998 7:55 AM
> To: Bruno; firewalls mailing list
> Subject: Re: Virus checking at the firewall level.
> I believe the best way is to perform the check at the desktop.
> There are a number of products that will allow for automatic updates to the client
> side Virus checker, when they log-on.
> Doug
> At 09:08 PM 3/30/98 -0100, Bruno wrote:
> >Hello all again,
> >
> >I posted earlier a question regarding time out problems when virus
> >checking at firewall level. The feedback I mainly obtained was, yes, the
> >virus checkers (eliashim, norton, mime sweeper...) have this problem
> >that they need to download the entire file before being able to check
> >it, during which the browser times out...
> >
> >Now my question to you people out there is: How do you do it ? Do you
> >not virus check at the firewall level ? Do you count on the end user to do
> >it ? Do you have a miracle solution ?
> >
> >Thanks for any input
> >Bruno
> >
>
> **********************************************************************
> ******
> Doug Drake
> Manager Security Products Engineering
> (703)715-7388
> Vnet 272-7388
> E-mail ddrake@mci.net
> **********************************************************************
> ******

From firewalls-owner Thu Apr 2 03:38:58 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA21679; Wed, 1 Apr 1998 19:09:19 -0800 (PST)
Received: from theta2.ben2.ucla.edu (theta2.ben2.ucla.edu [164.67.131.36]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id JAA22754 for ; Wed, 1 Apr 1998 09:24:48 -0800 (PST)
Received: from zhang ([149.142.110.207]) by theta2.ben2.ucla.edu (8.8.8/8.8.8) with ESMTP id JAA36774; Wed, 1 Apr 1998 09:28:47 -0800
Message-ID: <35227BE1.30508EDA@ucla.edu>
Date: Wed, 01 Apr 1998 09:39:45 -0800
From: Randy Zhang
Reply-To: hzhang1@ucla.edu
Organization: UCLA
X-Mailer: Mozilla 4.01 [en] (Win95; I)
MIME-Version: 1.0
To: BrianM@dial.pipex.com
CC: firewalls-digest@GreatCircle.COM
Subject: Re: Cisco Router Config
X-Priority: 3 (Normal)
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Have you tested your config? Because I do not think it will work. 2 points to consider:
1) You are using subnet zero
2) The router will not let you config two access groups per interface.

Randy

BrianM@dial.pipex.com wrote:
> Hi All (Again)
> Enclosed please find a sample (fictitious) router config,
> assuming the following situation, eth0:connection to firewall
> ser0:leased line to internet, 192.168.0.2 is firewall, 192.168.0.3 and
> .4 are management stations, should this config prevent DoS attacks, IP
> spoofing, and be generally secure? I know that there is no routing
> etc etc (I just did this in notepad!!)
>
> Thanks
>
> Brian Murphy
> ------------
> --------------------------------------------------------------------------------
>
> no service tcp-small-servers
> no service udp-small-servers
> no ip bootp server
> no service finger
> service timestamps debug datetime msec
> service timestamps log datetime msec
> service password-encryption
>
> enable password enable
>
> username manager password 7 letmein
>
> snmp-server community public RO 1
> snmp-server community private RW 1
> no snmp-server trap-authentication
>
> interface ethernet0
> ip address 192.168.0.1 255.255.255.0
> ip access-group 101 in
> ip access-group 111 in
>
> interface serial0
> ip address 192.168.1.1 255.255.255.0
> ip access-group 101 in
> ip access-group 111
>
> access-list 1 permit 192.168.0.2
> access-list 1 permit 192.168.0.3
> access-list 1 permit 192.168.0.4
>
> access-list 12 permit 192.168.0.2 255.255.255.255
> access-list 12 permit 192.168.0.3 255.255.255.255
> access-list 12 permit 192.168.0.4 255.255.255.255
> access-list 12 deny ip any any log
>
> access-list 51 deny 0.0.0.0 255.255.255.255
>
> access-list 101 deny tcp 192.168.0.1 0.0.0.0 192.168.0.1 0.0.0.0 log
> access-list 101 deny tcp 192.168.1.1 0.0.0.0 192.168.1.1 0.0.0.0 log
> access-list 101 deny tcp any any any any eq 53
> access-list 101 deny udp any any any any eq 69
> access-list 101 deny tcp any any any any eq 87
> access-list 101 deny tcp any any any any eq 111
> access-list 101 deny udp any any any any eq 111
> access-list 101 deny udp any any any any eq 2049
> access-list 101 deny tcp any any any any eq 512
> access-list 101 deny tcp any any any any eq 513
> access-list 101 deny tcp any any any any eq 514
> access-list 101 deny tcp any any any any eq 515
> access-list 101 deny tcp any any any any eq 540
> access-list 101 deny tcp any any any any eq 2000
> access-list 101 deny udp any any any any eq 2000
> access-list 101 deny tcp any any any any eq 2001
> access-list 101 deny udp any any any any eq 2001
> access-list 101 deny tcp any any any any eq 6000
> access-list 101 deny udp any any any any eq 6000
> access-list 101 deny tcp any any any any eq 6001
> access-list 101 deny udp any any any any eq 6001
> access-list 101 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 established
> access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
>
> access-list 111 deny ip 192.168.0.0 0.0.0.255 0.0.0.0 255.255.255.255 log
> access-list 111 deny ip 192.168.1.0 0.0.0.255 0.0.0.0 255.255.255.255 log
> access-list 111 permit ip 192.168.0.0 0.0.2.255 any
> access-list 111 deny ip any any log
>
> line console 0
> login
> password hello
> exec-timeout 1 30
>
> line aux 0
> access-class 51 in
>
> line vty 0 4
> access-class 12 in
> login
> password hello

From firewalls-owner Thu Apr 2 04:48:28 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA00726; Wed, 1 Apr 1998 17:04:27 -0800 (PST)
Received: from pascamail-2.pmi (mail.citysearch.com [205.227.223.133]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id RAA00717 for ; Wed, 1 Apr 1998 17:04:19 -0800 (PST)
Received: by mail.citysearch.com with Internet Mail Service (5.0.1458.49) id ; Wed, 1 Apr 1998 17:07:56 -0800
Message-ID: <9494F3B8EDAED111949B00600815D1C57B3F79@mail.citysearch.com>
From: Michael Batchelor
To: Firewalls
Subject: RE: Spam!
Date: Wed, 1 Apr 1998 17:07:55 -0800
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I must echo Daniel's complaint. I have also received 2-3 spams per day for the last couple of days from an account at AOL telling me "HI I want to meet you I'm a model...". They all were forwarded via the firewalls mailing list. You'd think the firewalls list would have some spam protection...
:) Or at least refuse to forward messages to the list that come from non-subscribers. I presume this person spams mailing lists, and lets the list manager do the leg work getting it to multiple recipients. Not good. >Received: from relay2.UU.NET by pascamail-2.pmi with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1458.49) > id H0S7H3YY; Wed, 1 Apr 1998 09:37:27 -0800 >Received: from honor.greatcircle.com by relay2.UU.NET with ESMTP > (peer crosschecked as: honor.greatcircle.com [198.102.244.44]) > id QQejgg27335; Wed, 1 Apr 1998 12:37:21 -0500 (EST) >Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA15463; Tue, 31 Mar 1998 18:46:55 -0800 (PST) >Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id UAA10358 for ; Mon, 30 Mar 1998 20:07:54 -0800 (PST) >Received: from imo20.mx.aol.com (imo20.mx.aol.com [198.81.17.42]) > by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id UAA07319 > for ; Mon, 30 Mar 1998 20:10:11 -0800 (PST) >Received: from BUTCHER56@aol.com > by imo20.mx.aol.com (IMOv13.ems) id 9MZKa04942; > Mon, 30 Mar 1998 22:38:44 -0500 (EST) >From: BUTCHER56 >Message-ID: <2bcaadbe.35206546@aol.com> >Date: Mon, 30 Mar 1998 22:38:44 EST >Mime-Version: 1.0 >Subject: Hi I want to meet you im a model! >Content-type: multipart/mixed; > boundary="part0_891315524_boundary" >X-Mailer: AOL 2.5 for Windows sub 2 >Sender: firewalls-owner@GreatCircle.COM >Precedence: bulk >To: undisclosed-recipients:; > -----Original Message----- > From: Daniel Walsh [SMTP:karsus@geocities.com] > Sent: Wednesday, April 01, 1998 11:03 AM > To: Firewalls > Subject: Spam! > > I'll make this short, and I know this has nothing to do with > firewalls, > but. . . > SPAM! How do I deal with the "unidentified recipients?" 
> And more
> importantly, I have received several e-mails from an AOL account, that
> returns an unidentified user response when I tried to get off the
> list.
> Help? Maybe a direction to send me in?
>
> and more on the subject: I want to thank you guys for the topics. My
> presentation for my LAN class went much smoother because of this list!
>
> thanks
>
> dan
> ---------------------------------
> Daniel Walsh
> University of Washington
> Engineering Alumni Assoc.
> -Webslave
> karsus@geocities.com
> ----------------------------------
>

From firewalls-owner Thu Apr 2 04:48:44 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA13054; Wed, 1 Apr 1998 06:01:01 -0800 (PST) Received: from ALPHA1.RESTON.MCI.NET (alpha1.Reston.mci.net [204.70.128.80]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA12977 for ; Wed, 1 Apr 1998 06:00:41 -0800 (PST) Received: from mickey ([166.45.1.53]) by ALPHA1.RESTON.MCI.NET (PMDF V5.1-10 #8388) with SMTP id <01IVCLE41HPO000H1F@ALPHA1.RESTON.MCI.NET> for firewalls@GreatCircle.COM; Wed, 1 Apr 1998 09:04:31 EST Date: Wed, 01 Apr 1998 08:59:08 -0500 From: Doug Drake Subject: RE: Virus checking at the firewall level. In-reply-to: X-Sender: ddrake@alpha1.reston.mci.net To: Gordon LaSane , Bruno , firewalls mailing list Message-id: <3.0.3.32.19980401085908.009c5420@alpha1.reston.mci.net> MIME-version: 1.0 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Content-type: text/enriched; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Conceptually CVP is a wonderful thing but can you give me any numbers on the latency that this process causes on your network? I have not seen anything that will show me benchmarks for CVP based virus scanning, especially with a firewall and even more with encryption. If I could get some good numbers I might be in favor of it. But until then, I like speed on my network and virus scanning on the desktop :).
At 04:04 PM 3/31/98 -0500, Gordon LaSane wrote:
>>>>
Hey folks,
The latest state of the art are virus scan products which are CVP (content vector protocol) compliant.
In this scenario the firewall receives mail, passes the mail to the virus scan server which validates and passes, or cleanses/quarantines mail before it is passed back to the firewall for forwarding/logging.
See: McAfee, Symantec and Secure Computing
Gordon LaSane
Global Data Systems, Inc.
Internet and Intranet Firewalls and Security Group
Consulting and Installing Solutions for Your Company's Data Security:
Remote User Authentication
Internet Access
Virtual Private Networks
Web Filtering
Intranets
Firewalls
Gordon LaSane
781/740-8818 x13 ph
781/740-8830 fax
glasane@gdsconnect.com

-----Original Message-----
From: Doug Drake [SMTP:ddrake@mci.net]
Sent: Tuesday, March 31, 1998 7:55 AM
To: Bruno; firewalls mailing list
Subject: Re: Virus checking at the firewall level.

I believe the best way is to perform the check at the desktop. There are a number of products that will allow for automatic updates to the client side Virus checker, when they log-on.
Doug

At 09:08 PM 3/30/98 -0100, Bruno wrote:
>Hello all again,
>
>I posted earlier a question regarding time out problems when virus
>checking at firewall level. The feedback I mainly obtained was, yes, the
>virus checkers (eliashim, norton, mime sweeper...) have this problem
>that they need to download the entire file before being able to check
>it, during which the browser times out...
>
>Now my question to you people out there is: How do you do it ? Do you
>not virus check at the firewall level ? Do you count the end user to do
>it ? DO you have a miracle solution ?
>
>Thanks for any input
>Bruno
>
****************************************************************************
Doug Drake
Manager Security Products Engineering
(703)715-7388
Vnet 272-7388
E-mail ddrake@mci.net
****************************************************************************
<<<<<<<<

****************************************************************************
Doug Drake
Manager Security Products Engineering
(703)715-7388
Vnet 272-7388
E-mail ddrake@mci.net
****************************************************************************

From firewalls-owner Thu Apr 2 04:50:17 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA22799; Wed, 1 Apr 1998 21:40:25 -0800 (PST) Received: from mx4.tm.net.my (mx.tm.net.my [202.188.1.8]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id VAA22718; Wed, 1 Apr 1998 21:40:04 -0800 (PST) Received: from mx4.tm.net.my ([209.0.90.146]) by mx4.tm.net.my (Post.Office MTA v3.1.2 release (PO203-101c) ID# 581-43702U150000L150000S0) with SMTP id AAB8113; Thu, 2 Apr 1998 13:37:44 +0800 To: DSNTS@NOWERE.NET Message-ID: Date: Wed, 01 Apr 98 21:31:35 EST From: CREATIVESSS333 Subject: ADVERTISE BY EMAIL Reply-To: DSST@NOWHERE.NET.COMAS Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Are you looking for a reliable Direct E-mail Advertising Company? Well look no further!! We have over 1 yr experience in bulk email service. We guarantee our work. Increase your company's profits by up to 100%. We will get you hits on your website. We will get you the phone calls! If you're involved in MLM this is a Must!!!! 1-888-242-5076

APRIL special 1.3mil - $299.00 150K - $119.00 We can also target names for you. Month of APRIL any order and receive 100k FREE!
We also have CO-OP ads starting at $50.00 Just Need Email addresses We have a Brand New Clean list 30days old 10million for only $200.00 Stop fooling around with those dirty addresses. 60-90 DAYS $50.00 PER 2 MILLION 90-120 $25.00 PER 2 MILLION CALL NOW 1-888-242-5076 WE GIVE YOU A GUARANTEE ON OUR WORK! From firewalls-owner Thu Apr 2 05:34:52 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA19889; Tue, 31 Mar 1998 11:57:06 -0800 (PST) Received: from ax-akl-fw.axon.co.nz (ax-akl-fw.axon.co.nz [202.135.112.17]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id LAA19862 for ; Tue, 31 Mar 1998 11:56:51 -0800 (PST) Received: from ax-akl-exchcomm.axon.co.nz by ax-akl-fw.axon.co.nz (8.8.5/1.3.5) with ESMTP id IAA02804 for ; Wed, 1 Apr 1998 08:06:09 +1200 (NZST) Received: by ax-akl-exchcomm.axon.co.nz with Internet Mail Service (5.0.1458.49) id ; Wed, 1 Apr 1998 08:03:49 +1200 Message-ID: <42CCA0F98530D111A77900805F0D52B33B7676@AX-AKL-EXCHANGE> From: "Edkins, Rob - Axon AKL" To: "'David Santeramo'" Cc: "'Firewalls@GreatCircle.COM'" Subject: RE: Intranet security products Date: Wed, 1 Apr 1998 08:03:50 +1200 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Take a look at Sessionwall 3, from Abirnet. It is a "Suspicious Activity" monitor that has some interesting features. You can download a trial from www.abirnet.com > -----Original Message----- > From: David Santeramo [SMTP:santercon@clarityconnect.com] > Sent: Tuesday, March 31, 1998 10:47 AM > To: Firewalls@GreatCircle.COM > Subject: Intranet security products > > > My employer is looking for a tool that will detect intrusions > primarily > from internal sources. We need a solution that will work on NT and > integrates well with Netscape > Suitespot servers. 
> We are setting up an Intranet and are concerned about
> internal users that might want to screw around.
>
> thanks in advance...
>
> Dave
>

From firewalls-owner Thu Apr 2 05:34:55 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA21295; Wed, 1 Apr 1998 19:04:54 -0800 (PST) Received: from folifw1.wepex.com ([166.49.124.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id IAA06501 for ; Wed, 1 Apr 1998 08:02:54 -0800 (PST) Received: by folifw1.wepex.com; id HAA07814; Wed, 1 Apr 1998 07:54:14 -0800 Received: from csifiapp621.wepex.net(166.49.116.21) by folifw1.wepex.com via smap (3.2) id xma007750; Wed, 1 Apr 98 07:54:00 -0800 Received: by csifiapp621.wepex.net with Internet Mail Service (5.0.1458.49) id ; Wed, 1 Apr 1998 08:06:54 -0800 Message-ID: <59726335C162D111B2CF00805FA7205D5AA0EF@csifiapp621.wepex.net> From: "Litney, Tom" To: "'firewall post'" Subject: Re: Ammunition, please Date: Wed, 1 Apr 1998 08:06:52 -0800 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Sorry Vin, I'm afraid I have to side with Paul on this one. Biometrics may be the wave of the future but ....

Our physical security people love to use biometric controls. The thing I always try to stress to them is please make it a body part that I could live without. The PS people take great glee in pointing out that as the products get more sophisticated and sensitive even if Guido removed the biometric body part, he still would not achieve his ultimate goal, access. They follow up describing the metrics that are used for validation, temperature, blood flow, etc. etc... I remind them that Guido may not know he will be unsuccessful when he tries, but I can't take much consolation in his failure if I'm out a critical body part. :-P

Tom

>> stuff deleted! Go to the archive to view the thread.
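Going back to the Cisco config Brian posted earlier in this digest and Randy's objection that two access groups per interface will not work: the checker below is an added example, not code from the thread, that scans an IOS-style config for ACLs applied twice in the same direction on one interface, an access-group with no direction keyword, standard-ACL entries whose all-ones wildcard matches every host, and ACLs defined but never applied or applied but never defined. The CONFIG text inside it is a constructed abridgement of Brian's posting, kept only where those checks apply.

```python
"""Lint the ACL wiring of an IOS-style router config.

Added example, not from the thread.  CONFIG is a constructed abridgement
of the config Brian posted, kept only where the checks below apply.
"""
import re
from collections import defaultdict

CONFIG = """\
interface ethernet0
 ip address 192.168.0.1 255.255.255.0
 ip access-group 101 in
 ip access-group 111 in
!
interface serial0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
 ip access-group 111
!
access-list 1 permit 192.168.0.2
access-list 12 permit 192.168.0.2 255.255.255.255
access-list 12 deny ip any any log
access-list 51 deny 0.0.0.0 255.255.255.255
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
access-list 111 deny ip any any log
!
line aux 0
 access-class 51 in
line vty 0 4
 access-class 12 in
"""

RE_SECTION = re.compile(r"^(interface|line)\s+(.+)$")
RE_GROUP = re.compile(r"^ip access-group\s+(\d+)(?:\s+(in|out))?$")
RE_CLASS = re.compile(r"^access-class\s+(\d+)\s+(in|out)$")
RE_ACL = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+)$")


def lint_ios_config(text):
    """Return a list of findings (strings) about how ACLs are defined and applied."""
    section = None                 # ("interface", name) or ("line", name)
    applied = defaultdict(list)    # (interface, direction) -> ACL numbers in order
    referenced, defined, findings = set(), set(), []

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = RE_SECTION.match(line)
        if m:
            section = (m.group(1), m.group(2))
            continue
        m = RE_GROUP.match(line)
        if m and section and section[0] == "interface":
            acl, direction = m.group(1), m.group(2)
            referenced.add(acl)
            if direction is None:
                findings.append(f"{section[1]}: 'ip access-group {acl}' has no direction keyword")
                direction = "(none)"
            applied[(section[1], direction)].append(acl)
            continue
        m = RE_CLASS.match(line)
        if m and section and section[0] == "line":
            referenced.add(m.group(1))
            continue
        m = RE_ACL.match(line)
        if m:
            acl, body = m.group(1), m.group(3).split()
            defined.add(acl)
            # Standard ACLs (1-99) take 'address wildcard'; an all-ones
            # wildcard ignores every bit, so the entry matches any host.
            if (int(acl) < 100 and len(body) >= 2
                    and body[1] == "255.255.255.255" and body[0] != "0.0.0.0"):
                findings.append(f"access-list {acl}: {body[0]} 255.255.255.255 "
                                "matches every address, not one host")

    # One ACL per interface and direction: a second ip access-group simply
    # replaces the first, which is Randy's second point.
    for (iface, direction), acls in applied.items():
        if len(acls) > 1:
            findings.append(f"{iface}: access-groups {', '.join(acls)} all applied "
                            f"{direction}; only the last one takes effect")
    for acl in sorted(defined - referenced, key=int):
        findings.append(f"access-list {acl} is defined but never applied")
    for acl in sorted(referenced - defined, key=int):
        findings.append(f"access-list {acl} is applied but never defined")
    return findings


if __name__ == "__main__":
    for finding in lint_ios_config(CONFIG):
        print(finding)
```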
From firewalls-owner Thu Apr 2 05:35:00 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA21475; Tue, 31 Mar 1998 12:09:40 -0800 (PST) Received: from ax-akl-fw.axon.co.nz (ax-akl-fw.axon.co.nz [202.135.112.17]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id TAA07204 for ; Mon, 30 Mar 1998 19:50:18 -0800 (PST) Received: from ax-akl-exchcomm.axon.co.nz by ax-akl-fw.axon.co.nz (8.8.5/1.3.5) with ESMTP id PAA08614 for ; Tue, 31 Mar 1998 15:59:29 +1200 (NZST) Received: by ax-akl-exchcomm.axon.co.nz with Internet Mail Service (5.0.1458.49) id ; Tue, 31 Mar 1998 15:57:11 +1200 Message-ID: <42CCA0F98530D111A77900805F0D52B33B7672@AX-AKL-EXCHANGE> From: "Edkins, Rob - Axon AKL" To: "'Rick Murphy'" Cc: Firewalls@GreatCircle.COM Subject: RE: FW-1 redundancy Date: Tue, 31 Mar 1998 15:57:11 +1200 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Sorry, put you wrong on the load balancing. This refers to Checkpoint's ability to load balance among internal server resources: eg a pool of identical http servers which are behind the Checkpoint firewall.

The Synchronisation feature for high availability does support authentication, re-establishing connections if the primary module fails.

NB. Forgot to mention, you need Firewall 1 V3.0 for all this stuff.

> -----Original Message-----
> From: Rick Murphy [SMTP:rmurphy@itm-inst.com]
> Sent: Tuesday, March 31, 1998 2:07 PM
> To: Edkins, Rob - Axon AKL
> Cc: 'Jose R. Ferreira'; Firewalls@GreatCircle.COM
> Subject: RE: FW-1 redundancy
>
> At 08:59 AM 3/31/98 +1200, Edkins, Rob - Axon AKL wrote:
> >Firewall 1 actually supports your intended configuration quite happily
> >and will even load-balance across the 2 Firewalls!
>
> Does this load balancing work when you're using "security servers"?
> Authenticating HTTP? Doing virus scanning?
Or is it only available > when you're packet filtering? > -Rick From firewalls-owner Thu Apr 2 05:35:08 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA07455; Wed, 1 Apr 1998 03:43:30 -0800 (PST) Received: from 12.66.115.5 (5.chicago-11.il.dial-access.att.net [12.66.115.5]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id DAA07418; Wed, 1 Apr 1998 03:43:19 -0800 (PST) Date: Wed, 1 Apr 1998 03:43:19 -0800 (PST) Message-Id: <199804011143.DAA07418@honor.greatcircle.com> From: promo311@iddqd.org Subject: FREE DEMO of Software That Puts You On Top of 450 Search Engines! X-Reply-To: promo311@iddqd.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk FREE DEMO OF SOFTWARE THAT SUBMITS YOUR SITE TO OVER 450 SEARCH ENGINES! I thought I would drop you a line today to let you know about the revolutionary new "Search Engine Spider" which will allow you to submit your web page to over 450 different search engines and directories, in the categories YOU CHOOSE! I have a FREE DEMO COPY of the software waiting here for you. If you decide you like it because it's SAVING YOU TONS OF TIME and GETTING YOU TO THE TOP OF THE SEARCH ENGINES, then register and pay only $49.95! How can you go wrong? You get to try it first for free, and only pay if you want to unlock all of its features. Think about how much you paid for your last "submission service" to run just once! You can run this over and over to KEEP YOUR RANK ON THE SEARCH ENGINES! All you have to do to get your FREE DOWNLOAD is visit: http://www.masterpromote.com Just for stopping by, you will have access to our HUGE LIST of FREE CLASSIFIED ADS! Thanks again for your time. I look forward to hearing from you. Best Regards, Joe Halinsdorf President MasterPromote P.S. Reseller opportunities are available! 
***************************
To be removed, please visit http://www.masterpromote.com and type your name in the "Remove Me!" box to the left. You will then be removed from the database of MasterPromote and many other online marketers. Sorry for any inconvenience we may have caused you.

From firewalls-owner Thu Apr 2 05:34:58 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA03610; Wed, 1 Apr 1998 22:40:18 -0800 (PST) Received: from mesache.encomix.es (mesache.encomix.es [194.143.192.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id WAA03569 for ; Wed, 1 Apr 1998 22:40:01 -0800 (PST) Received: (qmail 22950 invoked from network); 2 Apr 1998 06:42:21 -0000 Received: from hell.encomix.es (HELO encomix.es) (root@194.143.192.22) by mesache.encomix.es with SMTP; 2 Apr 1998 06:42:21 -0000 Message-ID: <35233361.664CA16F@encomix.es> Date: Thu, 02 Apr 1998 08:42:41 +0200 From: Roman Ramirez Organization: EncomIX X-Mailer: Mozilla 4.04 [en] (X11; I; Linux 2.1.91 i586) MIME-Version: 1.0 To: FW Subject: The return of the ICMP :) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello again:

Thx to all who replied to my questions, I've just read all the messages and I'm making my theories :)

Ok, step by step I get the next comments:

i) If my FW can do this,
   I should let ICMP requests OUT
   I should let ICMP replies, Time Exceeded (type 11) IN

ii) I know, Traceroute can be used to map a network, but I really need to allow that. Anyone knows a way to establish a rule to let traceroute in from trusted networks and to return spoofed route info to non-trusted? I've seen places where when you try to "traceroute" them the last hop you can get is 1.1.1.1 and next hops are * * * :-? :-?

iii) ICMP types usually permitted are:
   0 ECHO REPLY -> Let IN
   8 ECHO -> Let OUT
   3 UNREACHABLE -> Let IN
   4 SOURCE-QUENCH -> What's that? :)
   11 TIME EXCEEDED -> Let IN

Am I right?

Thx again...
--
http://www.encomix.es/users/patowc
mailto://rramirez@encomix.es

From firewalls-owner Thu Apr 2 05:35:18 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA13575; Wed, 1 Apr 1998 23:43:05 -0800 (PST) Received: from smtp1.mailsrvcs.net (smtp1.gte.net [207.115.153.30]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id VAA16345 for ; Wed, 1 Apr 1998 21:10:16 -0800 (PST) Received: from GTE.net (1Cust136.tnt17.chi5.da.uu.net [153.36.180.136]) by smtp1.mailsrvcs.net with ESMTP id XAA16432; Wed, 1 Apr 1998 23:13:14 -0600 (CST) Message-ID: <35231E43.F46CB4E5@GTE.net> Date: Wed, 01 Apr 1998 23:12:35 -0600 From: Austin X-Mailer: Mozilla 4.04 [en] (Win95; I) MIME-Version: 1.0 To: Firewalls CC: Daniel Walsh Subject: Re: Spam!Spam!Spam!Spam!Spam!Spam!Spam!Spam! & eggs and Spam! References: <35228F60.14F0AD3D@geocities.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I suggest that you block all AOL traffic. What has ever come out of AOL that was any good?

Also, I've been on the list for some time now, and I have a few questions that have never really been answered or even asked yet:

- I think that Novell is a bad NOS for firewalls, but Microsoft's NT disrupts the space/time dimension. Is it true that NT is a superior waste of space or does John Travolta lay claim to that?

- And why do all OS's have two syllables?? Novell, NT, UNIX, Linux, Alpha, Redhat, and others. I did leave out OS/2 'cause it's a virus. I wipe it out when I encounter it. And it doesn't fit my theory anyway.

------
sorry - just being bombastic - all questions are hopefully rhetorical to you......... I hope... to you.....

Daniel Walsh wrote:
> I'll make this short, and I know this has nothing to do with firewalls,
> but. . .
> SPAM! How do I deal with the "unidentified recipients?"
> And more
> importantly, I have received several e-mails from an AOL account, that
> returns an unidentified user response when I tried to get off the list.
> Help? Maybe a direction to send me in?
>
> and more on the subject: I want to thank you guys for the topics. My
> presentation for my LAN class went much smoother because of this list!
>
> thanks
>
> dan
> ---------------------------------
> Daniel Walsh
> University of Washington
> Engineering Alumni Assoc.
> -Webslave
> karsus@geocities.com
> ----------------------------------

I hope

From firewalls-owner Thu Apr 2 06:28:52 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA19688; Wed, 1 Apr 1998 06:42:05 -0800 (PST) Received: from dns.portcullis-security.com (dns.portcullis-security.com [194.203.128.120]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id BAA09060 for ; Wed, 1 Apr 1998 01:29:01 -0800 (PST) Received: from tgb-mailhost.portcullis-security.com (unverified [194.203.128.123]) by dns.portcullis-security.com (Integralis SMTPRS 2.04) with ESMTP id ; Wed, 01 Apr 1998 10:32:21 +0100 Received: by tgb-mailhost.portcullis-security.com with Internet Mail Service (5.0.1457.3) id ; Wed, 1 Apr 1998 10:23:46 +0100 Message-Id: <21905E09B270D111815400C0DFAA15330AF23B@tgb-mailhost.portcullis-security.com> From: Tony M Hall To: "'Gordon LaSane'" Cc: "'Firewalls Forum'" Subject: RE: Virus checking at the firewall level. Date: Wed, 1 Apr 1998 10:23:44 +0100 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1457.3) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

See also: F-Secure Anti-Virus for Firewalls (Data Fellows).
http://www.portcullis-security.com/fsav/fs-fire.htm

Cheers.

Tony H.
Portcullis Technical Support: F-Secure Anti-Virus; Integralis MIMEsweeper; Biodata BIGfire Firewall.
http://www.portcullis-security.com

> ----------
> From: Gordon LaSane[SMTP:glasane@gdsconnect.com]
> Sent: Tuesday, March 31, 1998 10:04PM
> To: Doug Drake; Bruno; firewalls mailing list
> Subject: RE: Virus checking at the firewall level.
>
> Hey folks,
> The latest state of the art are virus scan products which are CVP
> (content vector protocol) compliant.
> In this scenario the firewall receives mail, passes the mail to the
> virus scan server which validates and passes, or cleanses/quarantines
> mail before it is passed back to the firewall for forwarding/logging.
> See: McAfee, Symantec and Secure Computing
> Gordon LaSane
> Global Data Systems, Inc.
> Internet and Intranet Firewalls and Security Group
> Consulting and Installing Solutions for Your Company's Data Security:
> Remote User Authentication
> Internet Access
> Virtual Private Networks
> Web Filtering
> Intranets
> Firewalls
>
> Gordon LaSane
> 781/740-8818 x13 ph
> 781/740-8830 fax
> glasane@gdsconnect.com
>
>
> -----Original Message-----
> From: Doug Drake [SMTP:ddrake@mci.net]
> Sent: Tuesday, March 31, 1998 7:55 AM
> To: Bruno; firewalls mailing list
> Subject: Re: Virus checking at the firewall level.
> I believe the best way is to perform the check at the desktop.
> There are a number of products that will allow for automatic updates to the client
> side Virus checker, when they log-on.
> Doug
> At 09:08 PM 3/30/98 -0100, Bruno wrote:
> >Hello all again,
> >
> >I posted earlier a question regarding time out problems when virus
> >checking at firewall level. The feedback I mainly obtained was, yes, the
> >virus checkers (eliashim, norton, mime sweeper...) have this problem
> >that they need to download the entire file before being able to check
> >it, during which the browser times out...
> >
> >Now my question to you people out there is: How do you do it ? Do you
> >not virus check at the firewall level ? Do you count the end user to do
> >it ? DO you have a miracle solution ?
> >
> >Thanks for any input
> >Bruno
> >
>
> ****************************************************************************
> Doug Drake
> Manager Security Products Engineering
> (703)715-7388
> Vnet 272-7388
> E-mail ddrake@mci.net
> ****************************************************************************
>

From firewalls-owner Thu Apr 2 06:28:55 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA21555; Wed, 1 Apr 1998 19:07:59 -0800 (PST) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA06157 for ; Wed, 1 Apr 1998 10:30:48 -0800 (PST) Received: from main.geminisecure.com (main.geminisecure.com [205.179.16.1]) by miles.greatcircle.com (8.8.5/8.8.5) with SMTP id KAA09607 for ; Wed, 1 Apr 1998 10:04:22 -0800 (PST) Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id JAA15407; Wed, 1 Apr 1998 09:55:19 -0800 Date: Wed, 1 Apr 1998 09:55:18 -0800 (PST) From: Leonard Miyata To: Michael Batchelor cc: firewalls@GreatCircle.COM Subject: Re: Split DNS config questions In-Reply-To: <9494F3B8EDAED111949B00600815D1C576D43B@mail.citysearch.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi There

First, the best reference for this subject is

Building Internet Firewalls, Chapman & Zwicky
DNS and Bind 2ND EDITION!! Albitz & Liu

Both from O'Reilly & Associates, Inc.
The Two together provide a good write up on the interactions of DNS, Firewalls and DMZ configurations.

The entire purpose of 'Split' DNS is to set up a Private DNS infrastructure to resolve your internal Private Address, and your Public Address they're allowed to Talk to. Meanwhile, your Official Public DNS Server Contains your Public address, and resolves Internet connections. Since the Public Server does not know your internal Address, the 'Split' DNS configuration 'hides' the internal addresses from public view.

By the way... they both use 'Your Domain' but they are duplicate infrastructure. For Complete isolation, not only do you need your Private Primary and Secondary DNS Servers, you also need a Private root Server granting your Private Primary Authoritative for the domain.

Personal Opinions Provided by
Leonard Miyata aka leonard@geminisecure.com
Gemini Computers Inc.

On Tue, 31 Mar 1998, Michael Batchelor wrote:

> I am having some trouble understanding how split DNS is supposed to
> work. I am using BIND 8.1.1 on Irix 6.2. I have looked up some info on
> the web about split DNS (fwtk FAQ, for instance, has a short tutorial),
> and have gone over the discussion in the Cheswick/Bellovin firewalls
> book, but still have some unresolved questions:
>
> 1. If I want to use the same domain for internal and external, how does
> the internal DNS server know when to forward to the firewall? I set up
> the internal name server as primary for company.com, but www.company.com
> is an external host. The internal server doesn't want to forward
> queries for www.company.com to the firewall. It returns NXDOMAIN for
> all outside hosts in the same domain, if the internal server doesn't
> have a record. Must I set up a different internal domain for inside
> DNS? That works, by the way, but I was under the impression that split
> DNS worked with the same domain inside and outside. It's really
> inconvenient for me to have to make internal.company.com or whatever.
>
> 2.
I prepared a named.cache file for the internal DNS server that lists > itself as a root server. Named likes to complain in the log files about > "sysquery: no addrs found for root NS ()". If I leave out the > named.cache from the named.conf, it fails to operate (SRVFAIL errors). > If I use the named.cache from rs.internic.net, all answers are > non-authoritative. > > 3. My firewall is actually not listed in the NIC as primary for our > domain. Our external primaries are co-located at our ISP. So I set up > the firewall named as a caching forwarder to the existing external name > servers. When the internal server is set up with a subdomain, rather > than the same domain as the external hosts, this seems to work OK. I > have the firewall named set to log all queries, and it does get the > queries from the internal server, and forwards to the external. So I > think this setup is functionally OK, but wanted to mention it in case it > has relevance to my other questions. > > Any hints, tips, or URLs to a complete discussion with examples would be > very much appreciated. > > _______________________________________________________ > UNIX TEAM - Because it tells me to. 
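As an added example (not from Leonard's or Michael's posts), two small checks on constructed zone-file text: the first lists the public names that an internal company.com zone fails to carry, which is exactly why the internal primary in question 1 answers NXDOMAIN for www.company.com, and the second looks for a root hints file that names an internal root server without giving its address, one common cause of the "no addrs found for root NS" complaint in question 2. All hostnames and addresses are made up; 192.0.2.10 is a placeholder for the public web server's address, and the parser handles only the simple one-record-per-line form used here.

```python
"""Split-DNS sanity checks for a BIND 8 style setup.

Added example, not code from the thread.  The zone text below is
constructed: company.com, its hosts and all addresses are made up, and
192.0.2.10 is a placeholder for the public web server's address.
"""


def parse_zone(text):
    """Return (owner, rrtype, rdata) tuples from simple master-file text.

    Handles only what the samples use: one record per line, optional TTL
    and 'IN' class, ';' comments, '$' directives skipped, and a leading
    blank owner meaning "same owner as the previous record".
    """
    records = []
    last_owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith("$"):
            continue
        fields = line.split()
        if raw[:1].isspace():
            owner = last_owner          # continuation of the previous owner
        else:
            owner = fields.pop(0)
        if fields and fields[0].isdigit():
            fields.pop(0)               # optional TTL
        if fields and fields[0].upper() == "IN":
            fields.pop(0)               # optional class
        if len(fields) < 2:
            continue
        records.append((owner, fields[0].upper(), " ".join(fields[1:])))
        last_owner = owner
    return records


def root_servers_without_glue(hints_text):
    """Names listed as NS for '.' in a hints file that carry no A record.

    BIND can only query a root server it has an address for; an internal
    root named here without glue is one way to end up with the
    'no addrs found for root NS' log message.
    """
    records = parse_zone(hints_text)
    ns_names = [rd.rstrip(".").lower()
                for owner, rrtype, rd in records
                if owner == "." and rrtype == "NS"]
    a_names = {owner.rstrip(".").lower()
               for owner, rrtype, _ in records if rrtype == "A"}
    return [name for name in ns_names if name not in a_names]


def public_names_missing_internally(zone_text, public_names, origin):
    """Public hostnames the internal authoritative zone has no owner for.

    An internal server that is primary for the same domain answers
    NXDOMAIN for any name it does not carry itself, so every public
    host must be copied into the internal zone.
    """
    origin = origin.rstrip(".").lower()
    known = set()
    for owner, _, _ in parse_zone(zone_text):
        if owner == "@":
            known.add(origin)
        elif owner.endswith("."):
            known.add(owner.rstrip(".").lower())
        else:
            known.add(f"{owner}.{origin}".lower())
    return [n for n in public_names if n.rstrip(".").lower() not in known]


# Constructed hints file for an internal root: NS present, glue forgotten.
BROKEN_HINTS = """\
.                       IN NS  introot.company.com.
"""

# Same file with the address record the server needs.
FIXED_HINTS = """\
.                       IN NS  introot.company.com.
introot.company.com.    IN A   192.168.0.5
"""

# Constructed internal company.com zone: private hosts plus a copy of the
# public www record; ftp.company.com was forgotten.
INTERNAL_ZONE = """\
$TTL 3600
@       IN SOA  ns1.company.com. hostmaster.company.com. (1 3600 900 604800 86400)
        IN NS   ns1.company.com.
ns1     IN A    192.168.0.5
fw      IN A    192.168.0.2
mgmt1   IN A    192.168.0.3
www     IN A    192.0.2.10    ; placeholder for the public address
"""

PUBLIC_NAMES = ["company.com", "www.company.com", "ftp.company.com"]


if __name__ == "__main__":
    print("root NS without glue (broken):", root_servers_without_glue(BROKEN_HINTS))
    print("root NS without glue (fixed): ", root_servers_without_glue(FIXED_HINTS))
    print("public names missing inside:  ",
          public_names_missing_internally(INTERNAL_ZONE, PUBLIC_NAMES, "company.com"))
```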
From firewalls-owner Thu Apr 2 06:54:57 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA16395; Thu, 2 Apr 1998 06:25:06 -0800 (PST) Received: from mailer.syr.edu (mailer.syr.edu [128.230.20.20]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA16340 for ; Thu, 2 Apr 1998 06:24:50 -0800 (PST) Received: from rodan.syr.edu by mailer.syr.edu (LSMTP for Windows NT v1.1a) with SMTP id <0.CF13B310@mailer.syr.edu>; Thu, 2 Apr 1998 9:29:17 -0500 Received: from localhost (rgrimsha@localhost) by rodan.syr.edu (8.8.7/8.8.7) with SMTP id JAA21377; Thu, 2 Apr 1998 09:29:15 -0500 (EST) X-Authentication-Warning: rodan.syr.edu: rgrimsha owned process doing -bs Date: Thu, 2 Apr 1998 09:29:15 -0500 (EST) From: Randy Grimshaw X-Sender: rgrimsha@rodan.syr.edu To: "Vinod Valloppillil (Exchange)" cc: firewalls@GreatCircle.COM Subject: Re: great circle spam relay In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

me too :(

> is it just me or is anyone else getting a ton of spam relayed by
> greatcircle.com?
> From firewalls-owner Thu Apr 2 07:25:00 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA12891; Wed, 1 Apr 1998 23:39:16 -0800 (PST) Received: from gatekeeper.nytimes.com (gatekeeper.nytimes.com [199.181.175.201]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id UAA06950 for ; Wed, 1 Apr 1998 20:23:31 -0800 (PST) Received: from mailgate.nytimes.com by gatekeeper.nytimes.com; (5.65v3.2/1.1.8.2/30Mar95-0352PM) id AA30666; Wed, 1 Apr 1998 23:30:28 -0500 Received: from [170.149.63.45] by mailgate.nytimes.com; (5.65/1.1.8.2/25Jul94-1134AM) id AA26064; Wed, 1 Apr 1998 23:28:11 -0500 Message-Id: <3.0.1.32.19980401232759.00897250@mailgate.nytimes.com> X-Sender: jon@mailgate.nytimes.com X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Wed, 01 Apr 1998 23:27:59 -0500 To: Firewalls@GreatCircle.COM From: "Jon E. Price" Subject: socks versus fw-1 stateful inspection vulnerabilities Cc: gordy@nytimes.com, theresa@nytimes.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Are there any known or theoretical insecurities or vulnerabilities or other shortcomings (eg. performance) using socks or the fw-1 stateful inspection technologies? If I have an application that can work with either fw-1 stateful inspection OR a socks relay what criteria can I use to choose? Some possible applications are: irc chat aol instant messenger icq Thanks, Jon --------------------------------------------------------------- Jon E. 
Price Systems Analyst News Systems The New York Times ---------------------------------------------------------------

From firewalls-owner Thu Apr 2 08:25:10 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA17648; Wed, 1 Apr 1998 06:30:36 -0800 (PST)
Received: from krypton.raptor.com (raptor.com [209.48.140.10]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id GAA17498 for ; Wed, 1 Apr 1998 06:29:51 -0800 (PST)
Received: from neon.raptor.com by krypton.raptor.com via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 1 Apr 1998 17:39:02 UT
Received: from work (dlancaster.usnetworks.net [206.61.49.10]) by neon.raptor.com (8.7.3/8.7.3) with SMTP id JAA25860 for ; Wed, 1 Apr 1998 09:27:12 -0500 (EST)
From: "Dale Lancaster"
To:
Subject: RE: Raptor Performance
Date: Wed, 1 Apr 1998 08:32:50 -0600
Message-ID: <000701bd5d7b$0c71ff40$0a313dce@work>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I agree with Andrew, it's likely a reverse DNS issue. The default behavior of our product is to perform reverse lookups of both the source and destination IP address to obtain the hostnames to store in the log file. If DNS is not configured properly then you will see significant delays due to DNS timeouts. You can disable the reverse lookup feature in the GUI. I have talked to other firewall vendors and they say this is also a common problem for them - misconfigured DNS (and routing :-). You didn't specify exactly what performance you were/were not getting. Email me directly and I will try to work with you on it.
As to overall performance, we hired NSTL to run an aggregate throughput test on our latest release, EagleNT 5.0 on a dual Pentium II system. We were able to sustain T-3 rates (for HTTP and FTP transfers). If you are running EagleNT 4.0, you should upgrade to EagleNT 5.0 to get the additional performance enhancements and functionality.

best regards,
dale

==========================================================================
Dale Lancaster
Director of Technical Marketing
Raptor Systems
A Division of Axent Technologies
==========================================================================

Date: Tue, 31 Mar 1998 22:53:47 +0200 (GMT+0200)
From: Andrew Cameron
Subject: Raptor.

I do not have any performance problems; in fact we find it very fast. Most performance problems seem to be with incorrectly configured DNS. Try disabling reverse lookups and see if this helps.

Steve Pearse
Subject: RAPTOR performance

We seem to be experiencing performance problems with Raptor. We have around 300 users going through one NT/Compaq 5000/Raptor box (concurrently probably less than 100) and compared to our old borderware proxy, it appears slow. Is this the experience of others here? Should we have used Unix? We are an NT shop, and like the ease of admin of the NT accounts. Are there better performing firewalls that also use the NT SAM?
thanks for any advice - -------------------------------------------------------------------------- --- Andrew Cameron Internet : andrew@andy.alt.za X.400 : C=ZA G=Andrew S=Cameron Admd=TELKOM400 ========================================================================== Dale Lancaster Director of Technical Marketing Raptor Systems A Division of Axent Technologies ========================================================================== From firewalls-owner Thu Apr 2 10:37:02 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA25461; Thu, 2 Apr 1998 09:50:16 -0800 (PST) Received: from ns1.ci.saint-petersburg.fl.us (mail.ci.saint-petersburg.fl.us [208.160.176.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id JAA25440 for ; Thu, 2 Apr 1998 09:50:07 -0800 (PST) Received: from mail by ns1.ci.saint-petersburg.fl.us via smtpd (for honor.greatcircle.com [198.102.244.44]) with SMTP; 2 Apr 1998 20:56:30 UT Received: from STPETE_MAIL-Message_Server by mail.ci.saint-petersburg.fl.us with Novell_GroupWise; Thu, 02 Apr 1998 12:52:39 -0400 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Thu, 02 Apr 1998 12:52:26 -0400 From: Donna Mattick To: firewalls@greatcircle.com Subject: spam relay Mime-Version: 1.0 Content-Type: text/plain Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am glad I'm not the only one getting annoyed by "hi I am a model" or "you have won $5000" Donna Mattick City of St. Petersburg Dmmattic@ci.saint-petersburg.fl.us Go DevilRays!!!!!!!! 
From firewalls-owner Thu Apr 2 12:08:18 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA22442; Thu, 2 Apr 1998 09:24:01 -0800 (PST)
Received: from inergen.sybase.com (inergen.sybase.com [192.138.151.43]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id JAA22435 for ; Thu, 2 Apr 1998 09:23:55 -0800 (PST)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by inergen.sybase.com (8.8.4/8.8.4) with SMTP id JAA26444; Thu, 2 Apr 1998 09:30:01 -0800 (PST)
Received: from gwwest.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA02732; Thu, 2 Apr 98 09:28:16 PST
Received: by gwwest.sybase.com(Lotus SMTP MTA v4.6.1 (569.2 2-6-1998)) id 882565DA.005FF56B ; Thu, 2 Apr 1998 09:28:07 -0800
X-Lotus-Fromdomain: SYBASENOTES
From: "Ryan Russell"
To: yangxl@cqupt.edu.cn, yl@cquc.edu.cn
Cc: firewalls-digest@GreatCircle.COM
Message-Id: <882565DA.005FA07C.00@gwwest.sybase.com>
Date: Thu, 2 Apr 1998 09:27:46 -0800
Subject: Re: How can Cisco2511 support high speed(above 28.8)dailup network with Hayes Modem Pool?
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You didn't send the relevant section:

line 1 16
 session-timeout 70
 exec-timeout 0 30
 session-limit 4
 arap enable
 login tacacs
 modem InOut
 transport preferred none
 transport input all
 rxspeed 115200
 txspeed 115200
 flowcontrol hardware

You'll likely not want all the options I have in my config (unless you want to support ARA.)

Also make sure you've got the right initialization string in the chat script. Mine is pretty simple:

chat-script cisco-default ABORT ERROR "" "AT Z" OK "ATDT \T" TIMEOUT 30 \c CONNECT \c

Cisco has some reasonable tutorials on their web site.
Ryan

Yang Xiaolong on 04/01/98 07:13:10 PM
Please respond to yangxl@cqupt.edu.cn; Please respond to yl@cquc.edu.cn
To: firewalls-digest@GreatCircle.COM
cc: (bcc: Ryan Russell/SYBASE)
Subject: How can Cisco2511 support high speed(above 28.8)dailup network with Hayes Modem Pool?

Hi, All,

I have a router Cisco2511 (IOS software version 10.2) and a Hayes Modem Pool (V.34+FAX), and it should support high speed dialup, but in fact it only supports 9600; if the speed is above 9600, the login window will display some odd codes. My router config is as follows:

!
interface Async1
 ip unnumbered Ethernet0
 ip tcp header-compression passive
 encapsulation ppp
 bandwidth 64
 async dynamic address
 async dynamic routing
 async mode interactive
!

From firewalls-owner Thu Apr 2 12:08:23 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA27659; Thu, 2 Apr 1998 10:08:00 -0800 (PST)
Received: from main.geminisecure.com (main.geminisecure.com [205.179.16.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id KAA27625 for ; Thu, 2 Apr 1998 10:07:45 -0800 (PST)
Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id KAA20889; Thu, 2 Apr 1998 10:01:44 -0800
Date: Thu, 2 Apr 1998 10:01:43 -0800 (PST)
From: Leonard Miyata
To: dmcewen@nsf.gov
cc: firewalls@GreatCircle.COM
Subject: Re: Re[2]: Split DNS config questions
In-Reply-To: <9803028915.AA891536326@yrelay.nsf.gov>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi There Again!!

There are a few other tricks you can use too.... Most TCP/IP hosts can support up to 3 DNS nameservers, as an example in the resolv.conf:

domain Your.domain
nameserver A.B.C.X
nameserver A.B.C.Y
nameserver A.B.C.Z

From what I understand from the documentation, the host will do a sequential check of the nameservers in the order of X, Y, Z until it gets a successful resolution.
This could be used on the firewall (in support of proxy gateways) to first check itself to resolve internal names, then the public DNS server for Internet connections.

Another paranoid approach is to set up a DNS server in your DMZ as a non-caching forwarder that knows about both your internal and external DNS servers. DMZ hosts can use it to resolve addresses, and you set your external router/gateway to block DNS requests coming from the Internet to both your internal and DMZ forwarder servers. This approach is safer than the last as it protects your internal server from corrupted DNS records. (The hijacking of the Internic root servers last summer would be an example of this...)

Personal Opinions Provided by Leonard Miyata aka leonard@geminisecure.com
Gemini Computers Inc.

On Thu, 2 Apr 1998 dmcewen@nsf.gov wrote:

> Hi back at you,
>
> I'd like to quickly detail a sample configuration for a couple of
> reasons, first to share some experience, and second to see if there
> are comments that could improve upon my understanding. For this
> example I assume that you are using a proxy firewall so all requests
> from inside hosts go to the firewall, and they are relayed to the
> target machine with a source IP address of your firewall.
>
> This example requires that inside users be allowed access to some
> Internet resources, and thus need to be able to translate host.domain
> to an IP address.
>
> In this example, you would have 2 DNS servers. One outside which
> is registered as your authoritative name server and is configured
> as a primary, and one inside which is configured as a primary.
>
> The outside name server only has addresses for those hosts in
> your DMZ and your firewall machine. The named.ca file lists the
> root name servers A.ROOT-SERVERS.NET etc... The named.conf file
> has entries like:
>
> zone "company.com" {
>     type master;
>     file "company.zone";
> };
> zone "1.1.1.in-addr.arpa" {
>     type master;
>     file "company.rev";
> };
>
> The outside name server has a /etc/resolv.conf file like:
>
> domain company.com
> nameserver 127.0.0.1
>
> This means that named requests from your outside name server go
> to its own DNS for resolution.
>
> The inside server has the same info in the zone and rev files as your outside
> server, but also has entries for each inside host. It is likewise a master for
> the company.com and 1.1.1.in-addr.arpa zones. The /etc/resolv.conf file lists:
>
> domain company.com
> nameserver 127.0.0.1
>
> And it has a named.ca file with the root name servers.
>
> Your firewall machine has a resolv.conf file like:
>
> domain company.com
> nameserver 127.0.0.1
>
> which means it uses the inside name server.
>
> Requests for DNS from outside get sent to the outside name server.
> Requests for DNS from the inside get sent to the inside name server.
> Requests from the firewall get sent to the inside name server.
>
> The key here is that DNS requests (UDP and TCP) must both be allowed through
> your firewall.
>
> The other option that I'm aware of is to make your inside name server reside on
> the firewall machine. Same configuration as above, but all inside hosts go to
> the firewall to get DNS resolution. This way there are no holes in the firewall
> but then again, you're running another service directly on the firewall which is
> open to forged data that can corrupt the DNS cache.
>
> Thanks for any feedback.
> > Don > From firewalls-owner Thu Apr 2 12:21:23 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA00717; Thu, 2 Apr 1998 10:31:32 -0800 (PST) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA00414 for ; Thu, 2 Apr 1998 10:29:53 -0800 (PST) Received: from cc00ms.unity.ncsu.edu (cc00ms.unity.ncsu.edu [152.1.1.35]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id KAA07423 for ; Thu, 2 Apr 1998 10:04:11 -0800 (PST) Received: from c00069-100lez.eos.ncsu.edu (c00069-100lez.eos.ncsu.edu [152.1.26.28]) by cc00ms.unity.ncsu.edu (8.8.4/US19Dec96) with SMTP id NAA21511 for ; Thu, 2 Apr 1998 13:05:14 -0500 (EST) Date: Thu, 2 Apr 1998 13:05:14 -0500 (EST) From: Ken Williams X-Sender: jkwilli2@c00069-100lez.eos.ncsu.edu To: Firewalls Subject: Re: Spam! In-Reply-To: <35237DE0.AC37DFA5@san.osd.mil> Message-ID: X-Copyright: The contents of this message may not be reproduced in any form X-Copyright: (including Commercial use) unless specific permission is granted X-Copyright: by the author of the message. All requests must be in writing. X-Disclaimer: The contents of this email are for educational purposes only X-Disclaimer: and do not reflect the thoughts or opinions of either myself X-Disclaimer: or my employer and are not endorsed by sponsored by or provided X-Disclaimer: on behalf of North Carolina State University. MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 2 Apr 1998, MAJ John Conklin wrote: >I am new to this listserver. I just signed on within the past week. At >around the same time, I was looking at setting up a personal AOL account >through the Netscape 4.04 configuration. I didn't get very far into the >AOL account process, as I realized it wasn't what I needed. Is it >possible that through my actions, I have generated this spamming? 
The >same day that I aborted my AOL account sign-up, I received this ... >model ...' request. Couldn't possibly be a coincidence now, could it? It's your fault. >Sorry, if I was the cause of this. However, is it possible that actions >that I highlighted above resulted in the mass-spamming that we are all >seeing? If so, what do we do to defend ourselves? Well, I have some buddies down at Fort Bragg with the 82nd Airborne... I think we should hire a crack team of mercenaries to storm AOL headquarters and take out their mail servers with a couple hundred pounds of semtek. Even though that won't stop the SPAM, it will help save the NET from AOL. Regards, Ken Williams ORG: NC State Computer Science Dept VP of The E.H.A.P. Corp. EML: jkwilli2@adm.csc.ncsu.edu ehap@hackers.com WWW: http://152.7.11.38/~tattooman/ http://www.hackers.com/ehap/ PGP: finger tattooman@152.7.11.38 From firewalls-owner Thu Apr 2 13:23:00 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA17929; Thu, 2 Apr 1998 12:13:28 -0800 (PST) Received: from puma.sirinet.net (puma.sirinet.net [198.203.196.67]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id MAA17703 for ; Thu, 2 Apr 1998 12:12:25 -0800 (PST) Received: (from debie@localhost) by puma.sirinet.net (8.8.8/8.8.6) id OAA01463 for firewalls@greatcircle.com; Thu, 2 Apr 1998 14:16:32 -0600 Date: Thu, 2 Apr 1998 14:16:32 -0600 From: Debie Beley Message-Id: <199804022016.OAA01463@puma.sirinet.net> To: firewalls@greatcircle.com Subject: spam Sender: firewalls-owner@GreatCircle.COM Precedence: bulk check the headers.... 
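As an added illustration of the "check the headers" advice above (this is editor-supplied example code, not anything posted to the list), the script below walks the Received: chain of a message to find the hop at which a relay of ours accepted it from the outside, which is the evidence a list operator needs to close an open relay or block the injecting host. The message and every host name in it are constructed placeholders. Only the Received: lines added by hosts we trust are evidence; anything below the hop where our relay accepted the message could have been forged by the sender.

```python
"""Walk a message's Received: chain to see where it entered our relays.

Added example for the 'check the headers' advice; not code from the list.
The message below is constructed for the demonstration and its host names
are placeholders (documentation addresses), not real relays.
"""
import re
from email import message_from_string

# Constructed sample. Each hop prepends its own Received: line, so the
# topmost line is the most recent hop and the bottom one the oldest.
SAMPLE_MESSAGE = """\
Received: from relay.list.example (relay.list.example [192.0.2.10])
\tby mx.recipient.example (8.8.5) with ESMTP id ABC123;
\tThu, 2 Apr 1998 10:00:00 -0800 (PST)
Received: from dialup42.isp.example (dialup42.isp.example [198.51.100.42])
\tby relay.list.example (8.8.5) with SMTP id XYZ789;
\tThu, 2 Apr 1998 09:59:00 -0800 (PST)
From: model@free.example
To: victim@recipient.example
Subject: hi I am a model

body
"""

# "from <helo> (<rdns> [<ip>]) by <host>" as sendmail-style MTAs write it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                   # name the sender announced
    r"(?:\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[0-9.]+)\]\))?"  # optional rDNS and IP
    r"\s+by\s+(?P<by>\S+)",                                   # host that accepted it
    re.IGNORECASE,
)


def parse_received(raw_message):
    """Return hops oldest-first as dicts with keys helo, rdns, ip, by."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        # Folded header lines carry newlines and tabs; collapse to single spaces.
        m = RECEIVED_RE.search(" ".join(value.split()))
        if m:
            hops.append(m.groupdict())
    hops.reverse()  # headers were prepended, so reverse to get the oldest hop first
    return hops


def first_hop_through(hops, our_hosts):
    """Return the oldest hop accepted by one of our_hosts.

    That hop names the outside peer our relay took the message from; lines
    older than it were written by systems we do not control and may be forged.
    Returns None if none of our hosts appears as a relaying 'by' host.
    """
    for hop in hops:
        if hop["by"] in our_hosts:
            return hop
    return None


if __name__ == "__main__":
    chain = parse_received(SAMPLE_MESSAGE)
    entry = first_hop_through(chain, {"relay.list.example"})
    print("relay accepted the message from", entry["helo"], entry["ip"])
```

On the constructed message the relay `relay.list.example` accepted the mail from `dialup42.isp.example` at 198.51.100.42, which is the peer to block or report; in a real chain you would also confirm that the reverse-DNS name in parentheses matches the announced HELO name, since a mismatch is a common sign of a forged hop.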
From firewalls-owner Thu Apr 2 13:25:01 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA03518; Thu, 2 Apr 1998 07:53:47 -0800 (PST)
Received: from boavista.com.br ([200.244.107.20]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id HAA03452 for ; Thu, 2 Apr 1998 07:53:30 -0800 (PST)
Received: from BOAVISTA-Message_Server by boavista.com.br with Novell_GroupWise; Thu, 02 Apr 1998 13:00:18 -0300
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Thu, 02 Apr 1998 12:54:30 -0300
From: Cleber Luz Viana
To: Firewalls@GreatCircle.COM
Subject: Re: Bordermanager as firewall?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

When we tested some firewalls, I tested Border Manager. It is not only a firewall; it has some other features. The cool thing about Border Manager is that it runs over NetWare; if you use NetWare in your network it will be simpler to administer your users. Besides, Novell never made a firewall before; this is their first one.

>>> 01/04/98 19:56:57 >>>
Does anyone have any first-hand experience with Novell's Bordermanager as a firewall? We are in the process of selecting a firewall product, and one vendor is going to propose Bordermanager. I have to admit, I was a little surprised. I was expecting IBM Firewall (because we're an AIX shop), Checkpoint, Cisco PIX, etc., but not Bordermanager. I tended to equate that product with MS Proxy Server.

We have a 400-desktop enterprise with eight Frame-Relay connected remote sites, and are looking for a firewall solution for the entire enterprise. In addition, we are in a rapid growth mode, and predict doubling in size both in number of desktops and number of WAN-connected sites by year-end.

Any thoughts anyone has would be appreciated.

Thanks,
Curtis Kline
Network Engineer
MAPCO Coal, Inc.
Tulsa, OK From firewalls-owner Thu Apr 2 13:27:03 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA00836; Thu, 2 Apr 1998 10:32:56 -0800 (PST) Received: from ntrj01.landesigners.com.br ([200.240.22.210]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA00812 for ; Thu, 2 Apr 1998 10:32:46 -0800 (PST) Received: by NT01 with Internet Mail Service (5.0.1458.49) id <2D47BL2M>; Thu, 2 Apr 1998 15:37:46 -0300 Message-ID: From: Leonardo Pacheco To: "'firewalls@GreatCircle.COM'" Subject: RE: great circle spam relay Date: Thu, 2 Apr 1998 15:35:22 -0300 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Me too, but I had no idea where it was coming from... -----Original Message----- From: Randy Grimshaw [mailto:rgrimsha@mailbox.syr.edu] Sent: Thursday, April 02, 1998 11:29 AM To: Vinod Valloppillil (Exchange) Cc: firewalls@GreatCircle.COM Subject: Re: great circle spam relay me too :( <> is it just me or is anyone else getting a ton of spam relayed by > greatcircle.com? > From firewalls-owner Thu Apr 2 14:15:42 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA26686; Thu, 2 Apr 1998 07:18:15 -0800 (PST) Received: from simba.mpinet.net (mail.mpinet.net [208.6.196.4]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id HAA26615 for ; Thu, 2 Apr 1998 07:17:58 -0800 (PST) Received: from [207.203.248.35] by simba.mpinet.net (NTMail 3.03.0017/42.aadq) with ESMTP id ma759108 for ; Thu, 2 Apr 1998 10:21:45 +0000 Message-Id: <3.0.32.19980402102112.006856d8@mail.mpinet.net> X-Sender: havoc@mail.mpinet.net X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Thu, 02 Apr 1998 10:21:13 -0800 To: firewalls@greatcircle.com From: havoc Subject: Return of ICMP... 
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

#set default forwarding policy to masquerade all packets.. (tcp/udp/icmp..)
ipfwadm -F -p masq

#be sure that incoming accepts at least the icmp packets to receive the pings..
ipfwadm -I -p deny
ipfwadm -I -a accept -P icmp -S 0/0 -D loc.al.ho.st/32

but now i have heard that being behind a firewall with unclassified addressing one should not try any icmp messaging such as pinging or tracerouting.. because the destination hosts might think you are trying to spoof your address.. BUT the new kernel comes with icmp masquerading built into it... so i dunno..

-havoc

At 08:42 AM 4/2/98 +0200, you wrote:
>Hello again:
>
>Thanks to all who replied to my questions, I've just read all the messages
>and I'm making my theories :)
>
>Ok, step by step I get the next comments:
>
>i) If my FW can do this, I should let ICMP requests OUT
>   I should let ICMP replies, Time Exceeded (type 11) IN
>
>ii) I know, traceroute can be used to map a network, but I really need
>to allow that, anyone knows a way to establish a rule to let traceroute
>in from trusted networks and to return spoofed route info to
>non-trusted? I've seen places where when you try to "traceroute" them the
>last hop you can get is 1.1.1.1 and the next hops are * * * :-? :-?
>
>iii) ICMP types usually permitted are:
>    0 ECHO REPLY     -> Let IN
>    8 ECHO           -> Let OUT
>    3 UNREACHABLE    -> Let IN
>    4 SOURCE-QUENCH  -> What's that? :)
>   11 TIME EXCEEDED  -> Let IN
>
>Am I right?
>
>Thanks again...
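The ICMP type list quoted above (types 0, 3, 4, 8 and 11) and the question about letting traceroute work only for trusted networks can be turned into a small direction-aware policy. The code below is an added, editor-written model of such a policy; it is not havoc's ipfwadm configuration and does not talk to any kernel. Two points it adds beyond the plain list: echo replies are admitted only when a matching echo request was seen going out (the stateful behaviour the "icmp masquerading" remark refers to), and outbound Time Exceeded is sent only to constructed trusted networks, which is what makes traceroute from elsewhere show `* * *`. Source quench (type 4) is an unauthenticated "slow down" signal that RFC 6633 has since deprecated, so the policy drops it. All networks and addresses here are documentation ranges chosen for the example.

```python
"""Direction-aware ICMP filter model with echo request/reply pairing.

Added example, not code from the mailing list. Networks, addresses and the
policy table are constructed for the demonstration; the rules mirror the
type list discussed in the thread and are only as complete as that list.
"""
import ipaddress
from collections import namedtuple

# direction: "in" = arriving from the untrusted side, "out" = leaving.
# ident: ICMP echo identifier used to pair a reply with its request; None otherwise.
Packet = namedtuple("Packet", "direction icmp_type src dst ident")

# Constructed: networks allowed to traceroute into us (they receive our Time Exceeded).
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Stateless part of the policy: (direction, ICMP type) -> action.
# Anything not listed falls through to DEFAULT.
ICMP_POLICY = {
    ("out", 8): "accept",        # echo request: our hosts may ping out
    ("in", 0): "accept",         # echo reply, further restricted to pending requests below
    ("in", 3): "accept",         # destination unreachable: fast failure, path MTU discovery
    ("in", 11): "accept",        # time exceeded: what outbound traceroute relies on
    ("in", 4): "deny",           # source quench: unauthenticated, deprecated (RFC 6633)
    ("out", 11): "trusted-only", # reveal our hops only to trusted networks
}
DEFAULT = "deny"


class IcmpFilter:
    """Evaluate ICMP packets against ICMP_POLICY, tracking outstanding echoes."""

    def __init__(self):
        # (src, dst, ident) of echo requests we let out; a real implementation
        # would also expire these entries after a few seconds.
        self.pending_echo = set()

    def decide(self, pkt):
        action = ICMP_POLICY.get((pkt.direction, pkt.icmp_type), DEFAULT)

        if action == "trusted-only":
            dst = ipaddress.ip_address(pkt.dst)
            action = "accept" if any(dst in net for net in TRUSTED_NETS) else "deny"

        if action == "accept" and pkt.direction == "out" and pkt.icmp_type == 8:
            self.pending_echo.add((pkt.src, pkt.dst, pkt.ident))

        if action == "accept" and pkt.direction == "in" and pkt.icmp_type == 0:
            # A reply is only legitimate if we saw the matching request leave.
            key = (pkt.dst, pkt.src, pkt.ident)
            if key not in self.pending_echo:
                return "deny"
            self.pending_echo.discard(key)

        return action


if __name__ == "__main__":
    fw = IcmpFilter()
    print(fw.decide(Packet("out", 8, "10.1.1.5", "203.0.113.9", 7)))   # accept
    print(fw.decide(Packet("in", 0, "203.0.113.9", "10.1.1.5", 7)))    # accept (paired)
    print(fw.decide(Packet("in", 0, "203.0.113.9", "10.1.1.5", 7)))    # deny (no longer pending)
```

The pairing step is what distinguishes a stateful filter from the stateless `ipfwadm -I -a accept -P icmp` rule quoted above: with the stateless rule, any host can deliver unsolicited echo replies (or any other ICMP type) to the protected host, whereas the model only admits replies to requests it has seen.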
> >-- >http://www.encomix.es/users/patowc >mailto://rramirez@encomix.es > > > > From firewalls-owner Thu Apr 2 15:48:38 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA16798; Thu, 2 Apr 1998 06:28:08 -0800 (PST) Received: from gate4.mcc.net (gate4.mcc.net [207.245.25.250]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA16772 for ; Thu, 2 Apr 1998 06:27:59 -0800 (PST) Received: from [10.1.1.25] ([10.1.1.25]:4220 "EHLO a01ex001.mcc.net" ident: "SOCKFAULT1") by gate.mcc.net with ESMTP id <421764-9137>; Thu, 2 Apr 1998 07:32:12 -0700 Received: by a01ex001.mcc.net with Internet Mail Service (5.0.1458.49) id ; Thu, 2 Apr 1998 07:32:22 -0700 Message-ID: From: "Paquette, Trevor" To: "'klinec@mapcoinc.com'" , Firewalls@GreatCircle.COM Subject: RE: Bordermanager as firewall? Date: Thu, 2 Apr 1998 07:32:19 -0700 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Warning.. one of our customers put in this product and their network throughput for HTTPS dropped like a rock. Your mileage may vary. > -----Original Message----- > From: klinec@mapcoinc.com [SMTP:klinec@mapcoinc.com] > Sent: Wednesday, April 01, 1998 3:57 PM > To: Firewalls@GreatCircle.COM > Subject: Bordermanager as firewall? > > Does anyone have any first-hand experience with Novell's Bordermanager > as a > firewall? We are in the process of selecting a firewall product, and > one > vendor is going to propose Bordermanager. I have to admit, I was a > little > surprised. I was expecting IBM Firewall (because we're an AIX shop), > Checkpoint, Cisco PIX, etc., but not Bordermanager. I tended to > equate > that product with MS Proxy Server. > > We have a 400-desktop enterprise with eight Frame-Relay connected > remote > sites, and are looking for a firewall solution for the entire > enterprise. 
> In addition, we are in a rapid growth mode, and predict doubling in
> size
> both in number of desktops and number of WAN-connected sites by
> year-end.
>
> Any thoughts anyone has would be appreciated.
>
> Thanks,
> Curtis Kline
> Network Engineer
> MAPCO Coal, Inc.
> Tulsa, OK
>

From firewalls-owner Thu Apr 2 16:41:53 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA10275; Thu, 2 Apr 1998 05:54:50 -0800 (PST)
Received: from beta.nsf.gov (beta.nsf.gov [206.2.78.5]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id FAA10229 for ; Thu, 2 Apr 1998 05:54:36 -0800 (PST)
From: dmcewen@nsf.gov
Received: by beta.nsf.gov; id IAA19184; Thu, 2 Apr 1998 08:58:54 -0500 (EST)
Received: from mailman.nsf.gov(128.150.11.2) by beta.nsf.gov via smap (3.2) id xma019173; Thu, 2 Apr 98 08:58:50 -0500
Received: from yrelay.nsf.gov (yrelay.nsf.gov [128.150.195.91]) by mailman.nsf.gov (8.8.4/8.8.4) with SMTP id IAA16976; Thu, 2 Apr 1998 08:58:48 -0500
Received: from ccMail by yrelay.nsf.gov (SMTPLINK V2.11.01) id AA891536326; Thu, 02 Apr 98 08:58:06 EST
Date: Thu, 02 Apr 98 08:58:06 EST
Message-Id: <9803028915.AA891536326@yrelay.nsf.gov>
To: Michael_Batchelor@citysearch.com, Leonard Miyata
Cc: firewalls@GreatCircle.COM
Subject: Re[2]: Split DNS config questions
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi back at you,

I'd like to quickly detail a sample configuration for a couple of reasons, first to share some experience, and second to see if there are comments that could improve upon my understanding. For this example I assume that you are using a proxy firewall so all requests from inside hosts go to the firewall, and they are relayed to the target machine with a source IP address of your firewall.

This example requires that inside users be allowed access to some Internet resources, and thus need to be able to translate host.domain to an IP address.

In this example, you would have 2 DNS servers.
One outside which is registered as your authoritative name server and is configured as a primary, and one inside which is configured as a primary.

The outside name server only has addresses for those hosts in your DMZ and your firewall machine. The named.ca file lists the root name servers A.ROOT-SERVERS.NET etc... The named.conf file has entries like:

zone "company.com" {
    type master;
    file "company.zone";
};
zone "1.1.1.in-addr.arpa" {
    type master;
    file "company.rev";
};

The outside name server has a /etc/resolv.conf file like:

domain company.com
nameserver 127.0.0.1

This means that named requests from your outside name server go to its own DNS for resolution.

The inside server has the same info in the zone and rev files as your outside server, but also has entries for each inside host. It is likewise a master for the company.com and 1.1.1.in-addr.arpa zones. The /etc/resolv.conf file lists:

domain company.com
nameserver 127.0.0.1

And it has a named.ca file with the root name servers.

Your firewall machine has a resolv.conf file like:

domain company.com
nameserver 127.0.0.1

which means it uses the inside name server.

Requests for DNS from outside get sent to the outside name server.
Requests for DNS from the inside get sent to the inside name server.
Requests from the firewall get sent to the inside name server.

The key here is that DNS requests (UDP and TCP) must both be allowed through your firewall.

The other option that I'm aware of is to make your inside name server reside on the firewall machine. Same configuration as above, but all inside hosts go to the firewall to get DNS resolution. This way there are no holes in the firewall but then again, you're running another service directly on the firewall which is open to forged data that can corrupt the DNS cache.

Thanks for any feedback.
Don

______________________________ Reply Separator _________________________________
Subject: Re: Split DNS config questions
Author: Leonard Miyata at NOTE
Date: 4/2/98 8:01 AM

Hi There

First, the best reference for this subject is

  Building Internet Firewalls, Chapman & Zwicky
  DNS and BIND, 2ND EDITION!! Albitz & Liu

Both from O'Reilly & Associates, Inc. The two together provide a good write-up on the interactions of DNS, Firewalls and DMZ configurations.

The entire purpose of 'Split' DNS is to set up a Private DNS infrastructure to resolve your internal Private Addresses, and the Public Addresses they're allowed to Talk to. Meanwhile, your Official Public DNS Server Contains your Public addresses, and resolves Internet connections. Since the Public Server does not know your internal Addresses, the 'Split' DNS configuration 'hides' the internal addresses from public view. By the way... they both use 'Your Domain' but they are duplicate infrastructure. For Complete isolation, not only do you need your Private Primary and Secondary DNS Servers, you also need a Private root Server granting your Private Primary Authoritative for the domain.

Personal Opinions Provided by Leonard Miyata aka leonard@geminisecure.com
Gemini Computers Inc.

On Tue, 31 Mar 1998, Michael Batchelor wrote:

> I am having some trouble understanding how split DNS is supposed to
> work. I am using BIND 8.1.1 on Irix 6.2. I have looked up some info on
> the web about split DNS (fwtk FAQ, for instance, has a short tutorial),
> and have gone over the discussion in the Cheswick/Bellovin firewalls
> book, but still have some unresolved questions:
>
> 1. If I want to use the same domain for internal and external, how does
> the internal DNS server know when to forward to the firewall? I set up
> the internal name server as primary for company.com, but www.company.com
> is an external host. The internal server doesn't want to forward
> queries for www.company.com to the firewall.
It returns NXDOMAIN for > all outside hosts in the same domain, if the internal server doesn't > have a record. Must I set up a different internal domain for inside > DNS? That works, by the way, but I was under the impression that split > DNS worked with the same domain inside and outside. It's really > inconvenient for me to have to make internal.company.com or whatever. > > 2. I prepared a named.cache file for the internal DNS server that lists > itself as a root server. Named likes to complain in the log files about > "sysquery: no addrs found for root NS ()". If I leave out the > named.cache from the named.conf, it fails to operate (SRVFAIL errors). > If I use the named.cache from rs.internic.net, all answers are > non-authoritative. > > 3. My firewall is actually not listed in the NIC as primary for our > domain. Our external primaries are co-located at our ISP. So I set up > the firewall named as a caching forwarder to the existing external name > servers. When the internal server is set up with a subdomain, rather > than the same domain as the external hosts, this seems to work OK. I > have the firewall named set to log all queries, and it does get the > queries from the internal server, and forwards to the external. So I > think this setup is functionally OK, but wanted to mention it in case it > has relevance to my other questions. > > Any hints, tips, or URLs to a complete discussion with examples would be > very much appreciated. > > _______________________________________________________ > UNIX TEAM - Because it tells me to. 
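The split DNS thread above (Leonard Miyata's description of two duplicate infrastructures for one domain, Don's two-primary layout, Michael Batchelor's NXDOMAIN problem, and Leonard's note on listing several nameservers in resolv.conf) can be checked with a small model of the two zone copies. The code below is an added, editor-written example and not the configuration of anyone on the list; `company.com` comes from the thread, while every address in it is a constructed documentation value. It shows three things: an outside query for an inside host gets NXDOMAIN because the public copy simply does not carry it; the inside copy has to repeat the public records (www, mail), otherwise an inside client asking its own authoritative server for www.company.com gets NXDOMAIN, which is exactly the symptom Michael reports; and with several nameserver lines a stub resolver moves to the next server only when one does not answer, so an NXDOMAIN from the first server is final and is not retried elsewhere. A leak check over the public copy rounds it off.

```python
"""Split-DNS model: two copies of company.com, one per side of the firewall.

Added example for the split DNS thread; it models zone contents and resolver
fallback, not BIND's configuration. Addresses are constructed placeholders
from the documentation ranges, not real hosts.
"""
import ipaddress

NXDOMAIN = "NXDOMAIN"   # authoritative "no such name"
TIMEOUT = "TIMEOUT"     # server did not answer at all

# Public copy: only the firewall and DMZ hosts, as the outside server carries.
EXTERNAL_ZONE = {
    "company.com.": "192.0.2.1",
    "fw.company.com.": "192.0.2.1",
    "www.company.com.": "192.0.2.10",
    "mail.company.com.": "192.0.2.11",
}

# Private copy: everything the public copy has, plus the inside hosts.
# The public records must be repeated here: the inside server is authoritative,
# so a name missing from this copy is answered with NXDOMAIN, not forwarded.
INTERNAL_ZONE = {
    **EXTERNAL_ZONE,
    "fileserver.company.com.": "10.1.1.5",
    "payroll.company.com.": "10.1.1.20",
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class NameServer:
    """An authoritative server for one zone copy; reachable=False simulates a dead server."""

    def __init__(self, name, zone, reachable=True):
        self.name, self.zone, self.reachable = name, zone, reachable
        self.queries = []

    def query(self, qname):
        if not self.reachable:
            return TIMEOUT
        qname = qname if qname.endswith(".") else qname + "."
        self.queries.append(qname)
        return self.zone.get(qname, NXDOMAIN)


def resolve(servers, qname):
    """Stub-resolver behaviour for several 'nameserver' lines.

    The next server is tried only when the current one does not answer. A
    negative answer (NXDOMAIN) is an answer and ends the search.
    """
    for srv in servers:
        answer = srv.query(qname)
        if answer != TIMEOUT:
            return answer
    return TIMEOUT


def leaks_internal_addresses(zone):
    """Names in a zone copy meant for the outside whose address is RFC 1918 space."""
    return sorted(
        name for name, addr in zone.items()
        if any(ipaddress.ip_address(addr) in net for net in RFC1918)
    )


if __name__ == "__main__":
    outside = NameServer("ns.company.com", EXTERNAL_ZONE)
    inside = NameServer("ns-int.company.com", INTERNAL_ZONE)
    print("outside asks for payroll:", resolve([outside], "payroll.company.com"))  # NXDOMAIN
    print("inside asks for www:", resolve([inside], "www.company.com"))            # 192.0.2.10
    print("public copy leaks:", leaks_internal_addresses(EXTERNAL_ZONE))           # []
```

One caveat on the resolv.conf examples in the thread: `nameserver 127.0.0.1` only works on a host that runs a name server itself, and, as the model shows, listing the inside and outside servers one after the other does not merge their answers; the first one that responds decides, so a client gets the view of whichever server answered.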
> > From firewalls-owner Thu Apr 2 17:08:28 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA24385; Thu, 2 Apr 1998 16:07:15 -0800 (PST) Received: from relay1.smtp.psi.net (relay1.smtp.psi.net [38.8.14.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id QAA24320 for ; Thu, 2 Apr 1998 16:06:55 -0800 (PST) Received: from cc-smtp.gasonics.com by relay1.smtp.psi.net (8.8.5/SMI-5.4-PSI) id TAA24983; Thu, 2 Apr 1998 19:11:22 -0500 (EST) Received: from ccMail by cc-smtp.gasonics.com (IMA Internet Exchange 2.11 Enterprise) id 000426DE; Thu, 2 Apr 1998 16:30:24 -0800 Mime-Version: 1.0 Date: Thu, 2 Apr 1998 16:09:24 -0800 Message-ID: <000426DE.1537@gasonics.com> From: jqian@gasonics.com (John Qian) To: Firewalls@GreatCircle.COM Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk REQUEST From firewalls-owner Thu Apr 2 17:54:02 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA23850; Thu, 2 Apr 1998 16:03:40 -0800 (PST) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id PAA23047 for ; Thu, 2 Apr 1998 15:59:53 -0800 (PST) Received: from ontime.sabre.net (sabre.net [199.100.49.3]) by miles.greatcircle.com (8.8.5/8.8.5) with SMTP id PAA16332 for ; Thu, 2 Apr 1998 15:40:27 -0800 (PST) Received: (from uucp@localhost) by ontime.sabre.net (8.6.11/8.6.11) id RAA12483 for ; Thu, 2 Apr 1998 17:41:44 -0600 Received: from ngw.sabre.com(192.168.133.149) by ontime.sabre.net via smap (V1.3) id sma011897; Thu Apr 2 17:37:43 1998 Received: from USGW-Message_Server by sabre.com with Novell_GroupWise; Thu, 02 Apr 1998 17:37:13 -0600 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Thu, 02 Apr 1998 17:42:37 -0600 From: Jasjit K Singh Reply-To: Jasjit_K_Singh@sabre.com To: 
Firewalls@greatcircle.com
Subject: Firewalls-Digest V7 #146-Auto Answer
Mime-Version: 1.0
Content-Type: text/plain
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am on maternity leave from 04/06/98 till 05/29/98. Please try me later. Thanks!!!

From firewalls-owner Thu Apr 2 18:50:15 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA15732; Thu, 2 Apr 1998 15:13:51 -0800 (PST)
Received: from cih-gw.cih.com (cih-gw.cih.com [204.69.206.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id PAA15716 for ; Thu, 2 Apr 1998 15:13:42 -0800 (PST)
Received: (from hagan@localhost) by cih-gw.cih.com (8.7.6/8.6.9) id SAA26548; Thu, 2 Apr 1998 18:19:12 -0500
To: "Jon E. Price"
Cc: Firewalls@GreatCircle.COM, gordy@nytimes.com, theresa@nytimes.com
Subject: Re: socks versus fw-1 stateful inspection vulnerabilities
References: <3.0.1.32.19980401232759.00897250@mailgate.nytimes.com>
From: "Craig I. Hagan"
Date: 02 Apr 1998 18:19:12 -0500
In-Reply-To: "Jon E. Price"'s message of "Wed, 01 Apr 1998 23:27:59 -0500"
Message-ID:
Lines: 40
X-Mailer: Gnus v5.4.66/Emacs 19.34
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

"Jon E. Price" writes:

> Are there any known or theoretical insecurities or vulnerabilities or other
> shortcomings (eg. performance) using socks or the fw-1 stateful inspection
> technologies?
>
> If I have an application that can work with either fw-1 stateful inspection
> OR a socks relay what criteria can I use to choose?

think risk based. stateful inspection and/or circuit level firewalling (socks)
uses either analysis of the network layer, or misdirection of the network layer
to achieve security. This allows you to manage a great deal of the risks out
there on the net. The issue that you need to confront is what risks do you wish
to take/control.
For example, socks/SI/masq/NAT firewall technology can't handle things like
pulling activeX or java from web pages, they can't easily log what (or
permit/deny) type of ftp transaction occurred -- did you put/get, what
filename? Nor can they perform email relay prevention/spam filtering, again
best done at the application level with an app proxy (smap or smtpd are
examples thereof).

personally, i think that SI/NAT/masq/etc are good technologies to use in
constructing your firewall, but, you would want to add application level
proxying to handle those certain situations where SI/etc just doesn't give you
the power/flexibility that is needed to properly do your risk management.

-- craig

-------------------------------------------------------------------------------
Craig I. Hagan          "It's a small world, but I wouldn't want to back it up"
hagan(at)cih.com        "True hackers don't die, their ttl expires"
"It takes a village to raise an idiot, but an idiot can raze a village"
Stop the spread of spam, use a sendmail condom! http://www.cih.com/~hagan/smtpd-hacks
In Bandwidth we trust

From firewalls-owner Thu Apr 2 19:06:37 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA15072; Tue, 31 Mar 1998 18:42:34 -0800 (PST)
Received: from fw.itm-inst.com (fw.itm-inst.com [206.239.41.100]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id SAA18244 for ; Mon, 30 Mar 1998 18:08:44 -0800 (PST)
Received: by fw.itm-inst.com; id VAA26933; Mon, 30 Mar 1998 21:12:34 -0500 (EST)
Received: from sark.itm-inst.com(10.0.3.121) by fw.itm-inst.com via smap (2.0) id xma026928; Mon, 30 Mar 98 21:12:11 -0500
Message-Id: <3.0.3.32.19980330210646.00710158@fw.itm-inst.com>
X-Sender: rmurphy@fw.itm-inst.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Mon, 30 Mar 1998 21:06:46 -0500
To: "Edkins, Rob - Axon AKL"
From: Rick Murphy
Subject: RE: FW-1 redundancy
Cc: "'Jose R.
Ferreira'" , Firewalls@GreatCircle.COM
In-Reply-To: <42CCA0F98530D111A77900805F0D52B33B766C@AX-AKL-EXCHANGE>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 08:59 AM 3/31/98 +1200, Edkins, Rob - Axon AKL wrote:
>Firewall 1 actually supports your intended configuration quite happily
>and will even load-balance across the 2 Firewalls!

Does this load balancing work when you're using "security servers"?
Authenticating HTTP? Doing virus scanning? Or is it only available when
you're packet filtering?

-Rick

From firewalls-owner Thu Apr 2 19:06:40 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA11848; Wed, 1 Apr 1998 23:34:21 -0800 (PST)
Received: from geocities.com (mail6.geocities.com [209.1.224.26]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id UAA04640 for ; Wed, 1 Apr 1998 20:12:55 -0800 (PST)
Received: from geocities.com (cs113-9.u.washington.edu [140.142.181.11]) by geocities.com (8.8.5/8.8.5) with ESMTP id UAA08663 for ; Wed, 1 Apr 1998 20:17:11 -0800 (PST)
Message-ID: <35231138.66E5C96A@geocities.com>
Date: Wed, 01 Apr 1998 20:16:56 -0800
From: Daniel Walsh
X-Mailer: Mozilla 4.04 [en] (Win95; I)
MIME-Version: 1.0
To: Firewalls
Subject: Circle o' Spam, etc.
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well, ever since I started on any kind of listserv, I have gotten spam of all
kinds!

Firewall question: (really!) ;)

I did a presentation on firewalls for a class, and I detailed DMZ's, proxies,
and application gateways. I still don't know a lot, but in the "professional"
world, is there a system (DMZ, proxy, app.gateway, packet filter) that is
recommended as a good, general firewall? I know that it depends on the
protected network. But, suppose a small corp network.
thanks

daniel

From firewalls-owner Thu Apr 2 19:06:49 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA14411; Thu, 2 Apr 1998 03:57:24 -0800 (PST)
Received: from www.idss.ida.org (www.idss.ida.org [129.246.226.95]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id DAA14349 for ; Thu, 2 Apr 1998 03:57:08 -0800 (PST)
Received: from san.osd.mil ([195.8.133.232]) by www.idss.ida.org (post.office MTA v2.0 0813 ID# 0-33302U1110) with ESMTP id AAA516; Thu, 2 Apr 1998 07:00:24 -0500
Message-ID: <35237DE0.AC37DFA5@san.osd.mil>
Date: Thu, 02 Apr 1998 14:00:32 +0200
From: MAJ John Conklin
Reply-To: jconklin@san.osd.mil
Organization: ODC, Denmark
X-Mailer: Mozilla 4.04 [en] (Win95; I)
MIME-Version: 1.0
To: Firewalls
CC: Michael Batchelor
Subject: Re: Spam!
References: <9494F3B8EDAED111949B00600815D1C57B3F79@mail.citysearch.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am new to this listserver. I just signed on within the past week. At around
the same time, I was looking at setting up a personal AOL account through the
Netscape 4.04 configuration. I didn't get very far into the AOL account
process, as I realized it wasn't what I needed. Is it possible that through my
actions, I have generated this spamming? The same day that I aborted my AOL
account sign-up, I received this ... model ...' request.

Sorry, if I was the cause of this. However, is it possible that actions that I
highlighted above resulted in the mass-spamming that we are all seeing? If so,
what do we do to defend ourselves?

--- Michael Batchelor wrote:
> I must echo Daniel's complaint. I have also received 2-3 spams per day
> for the last couple of days from an account at AOL telling me "HI I want
> to meet you I'm a model...". They all were forwarded via the firewalls
> mailing list. You'd think the firewalls list would have some spam
> protection...
:) Or at least refuse to forward messages to the list
> that come from non-subscribers. I presume this person spams mailing
> lists, and lets the list manager do the leg work getting it to multiple
> recipients. Not good.
>
> > -----Original Message-----
> > From: Daniel Walsh [SMTP:karsus@geocities.com]
> > Sent: Wednesday, April 01, 1998 11:03 AM
> > To: Firewalls
> > Subject: Spam!
> >
> > I'll make this short, and I know this has nothing to do with
> > firewalls, but. . . SPAM! How do I deal with the "unidentified
> > recipients?" And more importantly, I have received several
> > e-mails from an AOL account, that returns an unidentified user
> > response when I tried to get off the list.
> > Help? Maybe a direction to send me in?
> >
> > thanks
> >
> > dan
> > ---------------------------------
> > Daniel Walsh
> > University of Washington
> > Engineering Alumni Assoc.
> > -Webslave
> > karsus@geocities.com
> > ----------------------------------

From firewalls-owner Thu Apr 2 19:49:55 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA26975; Thu, 2 Apr 1998 19:42:10 -0800 (PST)
Received: from imo25.mx.aol.com (imo25.mx.aol.com [198.81.17.69]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id TAA26918 for ; Thu, 2 Apr 1998 19:41:53 -0800 (PST)
Received: from V75ortex@aol.com by imo25.mx.aol.com (IMOv13.ems) id XFRFa10381; Thu, 2 Apr 1998 22:27:38 -0500 (EST)
From: V75ortex
Message-ID: <85cc294e.3524572c@aol.com>
Date: Thu, 2 Apr 1998 22:27:38 EST
Mime-Version: 1.0
Subject: Here
Content-type: multipart/mixed; boundary="part0_891574058_boundary"
X-Mailer: AOL 2.5 for Windows sub 2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is a multi-part message in MIME format.
--part0_891574058_boundary
Content-ID: <0_891574058@inet_out.mail.aol.com.1>
Content-type: text/plain; charset=US-ASCII


--part0_891574058_boundary
Content-ID: <0_891574058@inet_out.mail.aol.com.2>
Content-type: message/rfc822
Content-transfer-encoding: 7bit
Content-disposition: inline

From: V75ortex
Return-path:
To: V75ortex@aol.com
Subject: Here
Date: Thu, 2 Apr 1998 22:14:41 EST
Organization: AOL (http://www.aol.com)
Mime-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7bit

Click here for 10 free pics

--part0_891574058_boundary--

From firewalls-owner Thu Apr 2 20:37:20 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA00939; Thu, 2 Apr 1998 20:11:13 -0800 (PST)
Received: from cebu.mozcom.com (cebu.mozcom.com [207.0.115.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id UAA00761 for ; Thu, 2 Apr 1998 20:10:24 -0800 (PST)
Received: from localhost (derts@localhost) by cebu.mozcom.com (8.8.8/8.6.9) with SMTP id MAA11174; Fri, 3 Apr 1998 12:00:24 GMT
Date: Fri, 3 Apr 1998 12:00:24 +0000 ( )
From: Ederlindo Cojuangco
To: yangxl@cqupt.edu.cn, yl@cquc.edu.cn
cc: firewalls-digest@GreatCircle.COM
Subject: Re: How can Cisco2511 support high speed(above 28.8)dailup network with Hayes Modem Pool?
In-Reply-To: <35230246.234F@cqupt.edu.cn>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

How about the rxspeed and the txspeed of your config?

On Thu, 2 Apr 1998, Yang Xiaolong wrote:

> Hi,All,
> I have a router Cisco2511(ISO software version 10.2) and Hayes
> Modem Pool(V.34+FAX),and it should support high speed dialup,but in fact
> it only supports 9600,if the speed is above 9600,the login window will
> display some odd codes.My router config is following:
>
> !
> interface Async1
> ip unnumbered Ethernet0
> ip tcp header-compression passive
> encapsulation ppp
> bandwidth 64
> async dynamic address
> async dynamic routing
> async mode interactive
> !
>

From firewalls-owner Fri Apr 3 01:22:44 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA22167; Thu, 2 Apr 1998 23:43:48 -0800 (PST)
Received: from mailgw1.almaden.ibm.com ([198.4.83.39]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id XAA21957 for ; Thu, 2 Apr 1998 23:43:03 -0800 (PST)
From: trall@almaden.ibm.com
Received: by mailgw1.almaden.ibm.com(Lotus SMTP MTA SMTP v4.6 (462.2 9-3-1997)) id 882565DB.002AD5A2 ; Thu, 2 Apr 1998 23:47:52 -0800
X-Lotus-FromDomain: ALMADEN
To: Leonard Miyata
cc: firewalls@GreatCircle.COM
Message-ID: <882565DB.00299204.00@mailgw1.almaden.ibm.com>
Date: Thu, 2 Apr 1998 23:45:29 -0800
Subject: Re: Split DNS config questions
Mime-Version: 1.0
Content-type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> Most TCP/IP hosts can support up to 3 DNS nameservers.
as an example in the resolv.conf

domain Your.domain
nameserver A.B.C.X
nameserver A.B.C.Y
nameserver A.B.C.Z

From what I understand from the documentation, the host will do a sequential
check of the nameservers in the order of X,Y,Z until it gets a successful
resolution. This could be used on the firewall (in support of proxy gateways)
to first check itself to resolve internal names, then the public DNS server for
Internet connections. <<

This does not generally work. Yes, you can specify multiple nameservers, but
when the resolver gets an answer from one of them it no longer questions the
others. The resolver (client) sends a recursive query to the first server. If
it gets a prompt response (either "here's the answer you wanted" or "I couldn't
find an answer") it won't even ask the second nameserver.
(OS/2 TCP/IP V3 and up has the only resolver I'm aware of that can be
configured to ask a second server after getting a negative reply; to implement
this it makes use of 2 resolv files.)

Tony Rall

From firewalls-owner Fri Apr 3 05:06:18 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA28775; Fri, 3 Apr 1998 04:04:05 -0800 (PST)
Received: from scruz.net (nic.scruz.net [165.227.1.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id DAA11106 for ; Thu, 2 Apr 1998 03:42:45 -0800 (PST)
From: raf@ezunx.com
Received: from ezunx.com (44.225.csx.com [206.142.44.225]) by scruz.net (8.8.5/1.34) with ESMTP id DAA27584 for ; Thu, 2 Apr 1998 03:47:08 -0800 (PST)
Message-ID: <35237A8E.EC7AE794@ezunx.com>
Date: Thu, 02 Apr 1998 06:46:22 -0500
X-Mailer: Mozilla 4.04 [en] (WinNT; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: gre and cisco
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What are the IOS version requirements for passing PPTP through a cisco box and
does anyone know of a good place to get some setup examples?
thanks

From firewalls-owner Fri Apr 3 05:20:47 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA29067; Fri, 3 Apr 1998 04:06:16 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id JAA17814 for ; Thu, 2 Apr 1998 09:00:00 -0800 (PST)
Received: from ns.CompuNetServices.com (ns.compunetservices.com [207.15.26.1]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id IAA05526 for ; Thu, 2 Apr 1998 08:42:31 -0800 (PST)
Received: (from tobor@localhost) by ns.CompuNetServices.com (8.8.5/8.7.3) id KAA03110; Thu, 2 Apr 1998 10:39:36 -0600 (CST)
Date: Thu, 2 Apr 1998 10:39:36 -0600 (CST)
From: Roy Stevens
To: firewalls@greatcircle.com
Subject: SSH Questions
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have started research into running ssh across the INTERNET. My preliminary
research has shown much promise. I would appreciate any feedback on this. I am
particularly interested in firewall issues, i.e. proxy or IP forwarding
problems.

Thanks for any correspondence.
TOBOR

From firewalls-owner Fri Apr 3 06:34:20 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA26611; Fri, 3 Apr 1998 03:33:43 -0800 (PST)
Received: from mail.trace.com.tw (mail.trace.com.tw [203.67.189.10]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id QAA28366 for ; Thu, 2 Apr 1998 16:30:15 -0800 (PST)
Received: from localhost (ronald@localhost) by mail.trace.com.tw (8.8.6/8.8.6) with SMTP id IAA29143; Fri, 3 Apr 1998 08:33:44 +0800
X-Comments: ****** Message sent through an Trace account ******
X-http: ****** http://www.trace.com.tw ******
Date: Fri, 3 Apr 1998 08:33:44 +0800 (CST)
From: Ronald Wiplinger
To: Debie Beley
cc: firewalls@GreatCircle.COM
Subject: Re: spam
In-Reply-To: <199804022016.OAA01463@puma.sirinet.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 2 Apr 1998, Debie Beley wrote:

> check the headers....
>

Did you? How far did your research go? Does the sender domain exist, ..... ?

From firewalls-owner Fri Apr 3 07:12:31 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA10848; Fri, 3 Apr 1998 02:38:51 -0800 (PST)
Received: from guvnor.blackwell.co.uk (bisgw.blackwell.co.uk [195.70.69.190]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id HAA02995 for ; Thu, 2 Apr 1998 07:51:24 -0800 (PST)
Received: from exchange1.blackwell.co.uk by guvnor.blackwell.co.uk (MX V4.2 VAX) with SMTP; Thu, 02 Apr 1998 16:55:43 BST
Received: by EXCHANGE1 with Internet Mail Service (5.0.1458.49) id ; Thu, 2 Apr 1998 16:55:23 +0100
Message-ID: <3BFE2589D330D111AE87006008062DE42F127A@pc37.blackwell.co.uk>
From: Martin Hepworth
To: Firewalls
Subject: RE: Spam!Spam!Spam!Spam!Spam!Spam!Spam!Spam! & eggs and Spam!
Date: Thu, 2 Apr 1998 16:55:37 +0100
X-Priority: 3
X-Mailer: Internet Mail Service (5.0.1458.49)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well the only is that Scott Adams uses it (and derides it also but...) :-)

Martin Hepworth
Blackwell's Information Services
Tel: +44 1865 792 792 X3233

1st Rule of Computer Security
WYDSIWGY: What You Don't See is What Gets You

> -----Original Message-----
> From: Austin [SMTP:AKallevi@GTE.net]
> Sent: Thursday, April 02, 1998 6:13 AM
> To: Firewalls
> Cc: Daniel Walsh
> Subject: Re: Spam!Spam!Spam!Spam!Spam!Spam!Spam!Spam! & eggs and Spam!
>
> I suggest that you block all AOL traffic. What has ever come out of AOL
> that was any good?
>
> Also, I've been on the list for some time now, and I have a few questions
> that have never really been answered or even asked yet:
>
> - I think that Novell is a bad NOS for firewalls, but Microsoft's NT
> disrupts the space/time dimension. Is it true that NT is a superior waste
> of space or does John Travolta lay claim to that?
>
> - And why do all OS's have two syllables?? Novell, NT, UNIX, Linux, Alpha,
> Redhat, and others. I did leave out OS/2 'cause it's a virus. I wipe it
> out when I encounter it. And it doesn't fit my theory anyway.
> ------
> sorry - just being bombastic - all questions are hopefully rhetorical to
> you......... I hope... to you.....
>
>
> Daniel Walsh wrote:
>
> > I'll make this short, and I know this has nothing to do with firewalls,
> > but. . .
> > SPAM! How do I deal with the "unidentified recipients?" And more
> > importantly, I have received several e-mails from an AOL account, that
> > returns an unidentified user response when I tried to get off the list.
> > Help? Maybe a direction to send me in?
> >
> > and more on the subject: I want to thank you guys for the topics. My
> > presentation for my LAN class went much smoother because of this list!
> >
> > thanks
> >
> > dan
> > ---------------------------------
> > Daniel Walsh
> > University of Washington
> > Engineering Alumni Assoc.
> > -Webslave
> > karsus@geocities.com
> > ----------------------------------
>
> I hope
>

From firewalls-owner Fri Apr 3 07:35:34 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA06222; Fri, 3 Apr 1998 04:38:13 -0800 (PST)
Received: from giav05.gia.ch (giav05.gia.ch [193.222.224.32]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id EAA06215 for ; Fri, 3 Apr 1998 04:38:04 -0800 (PST)
X-Envelope-To:
Received: from giav08.gia.ch(193.222.224.16) by giav05.gia.ch via smap (V2.0beta) id xma017767; Fri, 3 Apr 98 14:41:38 +0200
Received: from mmdlt002.m-m.ch ([193.222.225.50]) by giau001.gia.ch (8.8.5/8.8.5) with ESMTP id OAA24370 for ; Fri, 3 Apr 1998 14:41:40 +0200 (MET DST)
Received: by MMDLT002 with Internet Mail Service (5.0.1458.49) id ; Fri, 3 Apr 1998 14:41:40 +0200
Message-ID:
From: "Berchtold Patrick (GIAPBE)"
To: "Firewalls Mailing List (E-Mail)"
Subject: RE: [NTSEC] MS Proxy Server as Firewall?
Date: Fri, 3 Apr 1998 14:41:37 +0200
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

See KB article Q160700 for information on how to change the WSP client state
without restarting.

> Besides, having to reboot when activating/deactivating the winsock proxy
> makes it very cumbersome to use on a portable when moving between sites.
Patrick Berchtold
IT Security Consultant

GIA Grapha Informatik AG
Peyermattstrasse 3
CH-4665 Oftringen

Phone: +41 62 789 71 71
Fax: +41 62 789 71 99
E-Mail: giapbe@gia.ch
WWW: http://www.gia.ch/

From firewalls-owner Fri Apr 3 07:38:55 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA09756; Fri, 3 Apr 1998 05:17:05 -0800 (PST)
Received: from bolero-x.rahul.net (bolero.rahul.net [192.160.13.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id FAA09746 for ; Fri, 3 Apr 1998 05:16:56 -0800 (PST)
Received: from waltz.rahul.net by bolero-x.rahul.net with SMTP id AA08821 (5.67b8/IDA-1.5 for ); Fri, 3 Apr 1998 05:21:19 -0800
From: Bennett Todd
Received: by waltz.rahul.net (5.67b8/jive-a2i-1.0) id AA02005; Fri, 3 Apr 1998 05:21:18 -0800
Date: Fri, 3 Apr 1998 05:21:18 -0800
Message-Id: <199804031321.AA02005@waltz.rahul.net>
To: karsus@geocities.com
Cc: firewalls@greatcircle.com
Subject: The One True Firewall (was Re: Circle o' Spam, etc.)
In-Reply-To:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>[...] in the "professional" world, is there a system (DMZ, proxy,
>app.gateway, packet filter) that is recommended as a good, general
>firewall? I know that it depends on the protected network. But, suppose
>a small corp network.

You will find many opinions out there. Opinions are like [...]. But many
people think that a pretty good ``one-size-fits-all'' looks like

    inside, protected net <==> screening router <==> bastion w/ proxies <==DMZ==> screening router <==> internet

You place ``public'' servers on that DMZ --- WWW and so on. Either or both of
the screening routers can be ``stateful inspection'' packet filters if you
like. Bonus points if you can make the inside screening router, the bastion,
and the outside screening router use completely and utterly different IP
stacks:-).

For a corporate setting, there should be relatively few machines in the DMZ,
and they should be exquisitely tightly secured.
The vast majority of your clients will be on the inside net, and the proxy on
the firewall should be stripping applets.

For something wide open and tolerant like an ISP, the picture looks exactly
the same, but the majority of the big iron is out in the DMZ, and it's got
most of the users so it's not so well secured --- hence you need to back it up
carefully, ring it 'round with alarums (tripwire is cool. NFR is cool too) and
expect to deal with intrusions periodically. But the ISP should have their
business machines --- the ones that track user payment info, accounts payable,
etc. --- on an ``inside'' net that's protected just like any other business.

If I had to do this today, from scratch, I'd make the inside router a
suitable-size Cisco. IOS is great. I'd probably make the bastion host either
an intel PC or a sparc, running OpenBSD, qmail, and a small handful of proxies
from fwtk. Left entirely to my own devices I'd make the outside screening
router with Red Hat Linux and ipfw, with packet reassembly enabled (not that
the OpenBSD bastion needs any such coddling, but it might be nice if you put a
victim in the DMZ). If cost were no object or there were some pressure applied
to run a commercial firewall, you can use an FW-1 or a PIX for that outside
screening router. Of course if you've got a Big site, perhaps with multiple
T3s coming in or better, that outside screening router wants to be something
like a pair of hogged-out Cisco 7513s in HSRP.

This whole concept --- a one-size-fits-all firewall architecture --- is
predicated on the (controversial) belief that the benefit -vs- risk tradeoffs
of various protocols won't end up looking too wildly different from one
organization to the next. There are two gross steps in protection level, that
more-or-less fit the difference in control between a screening router and an
application proxy, and just about any organization will have need of both
levels.
Starting with the above Big Picture, most of the work comes in sketching in the
details: exactly what protocols will be permitted from where to where. That's
where all the negotiation and design comes in.

-Bennett

From firewalls-owner Fri Apr 3 07:42:18 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA11465; Fri, 3 Apr 1998 02:42:56 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id OAA12055 for ; Thu, 2 Apr 1998 14:53:55 -0800 (PST)
Received: from mitra.pgt.mpt.gov.br ([200.236.83.1]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id OAA14034 for ; Thu, 2 Apr 1998 14:56:40 -0800 (PST)
Received: from support.pgt.mpt.gov.br (support.pgt.mpt.gov.br [200.236.82.2]) by mitra.pgt.mpt.gov.br (8.8.5/8.8.5) with SMTP id UAA04410; Thu, 2 Apr 1998 20:06:18 -0300 (EST)
Reply-To: "Lucas Cotta"
From: "Lucas Cotta"
To: "Ryan Russell" , ,
Cc:
Subject: Re: How can Cisco2511 support high speed(above 28.8)dailup network with Hayes Modem Pool?
Date: Thu, 2 Apr 1998 20:02:55 -0300
Message-ID: <01bd5e8b$78e9df60$0252ecc8@support.pgt.mpt.gov.br>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.71.1712.3
X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello Colleagues, excuse me for having entered your chat. It is that I have a
problem and would like help. I noticed that you speak about connecting to
CISCO routers with an ACCESS SERVER. Any help will be welcome.

It happens that I have to connect a point A to a point B. At point (A) there
is a customer with Unix FreeBSD. At point (A) I use SLIP to make the
connection.
I use the following configurations:

In the file sysconfig, which is where the net parameters are:

ifconfig_sl0 = " inet 200.130.0.1 200.6.48.2 mtu 576 "

In the file netstart, which has the net startup:

slattach -clh -s 19200 /dev/ttyd0

It is well known that this configuration above works. Even so, I have an
access server in the CISCO 2511 and I would like this user to come in through
an LP of 19200 bps connected to an Async port. I don't know how to do it. Can
you help? I need to configure the Interface Async 9 and the Line 9 of this
ACCESS SERVER. I need help.

thank you very much

LUCAS COTTA

-----Original Message-----
From: Ryan Russell
To: yangxl@cqupt.edu.cn ; yl@cquc.edu.cn
Cc: firewalls-digest@GreatCircle.COM
Date: Thursday, 2 April 1998 16:15
Subject: Re: How can Cisco2511 support high speed(above 28.8)dailup network with Hayes Modem Pool?

>You didn't send the relevant section:
>
>line 1 16
> session-timeout 70
> exec-timeout 0 30
> session-limit 4
> arap enable
> login tacacs
> modem InOut
> transport preferred none
> transport input all
> rxspeed 115200
> txspeed 115200
> flowcontrol hardware
>
>
>You'll likely not want all the options I have in my config (unless
>you want to support ARA.) Also make sure you've got the right
>initialization string in the chat script. Mine is pretty simple:
>
>chat-script cisco-default ABORT ERROR "" "AT Z" OK "ATDT \T" TIMEOUT 30 \c
>CONNECT \c
>
>Cisco has some reasonable tutorials on their web site.
>
> Ryan
>
>
>
>
>
>
>Yang Xiaolong on 04/01/98 07:13:10 PM
>
>Please respond to yangxl@cqupt.edu.cn; Please respond to yl@cquc.edu.cn
>
>To: firewalls-digest@GreatCircle.COM
>cc: (bcc: Ryan Russell/SYBASE)
>Subject: How can Cisco2511 support high speed(above 28.8)dailup network
> with Hayes Modem Pool?
>
>
>
>
>Hi,All,
> I have a router Cisco2511(ISO software version 10.2) and Hayes
>Modem Pool(V.34+FAX),and it should support high speed dialup,but in fact
>it only supports 9600,if the speed is above 9600,the login window will
>display some odd codes.My router config is following:
>
>!
>interface Async1
>ip unnumbered Ethernet0
>ip tcp header-compression passive
>encapsulation ppp
>bandwidth 64
>async dynamic address
>async dynamic routing
>async mode interactive
>!
>
>
>
>
>
>
>

From firewalls-owner Fri Apr 3 08:35:27 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA13628; Fri, 3 Apr 1998 02:49:53 -0800 (PST)
Received: from att.com (kcgw2.att.com [192.128.133.152]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id FAA10967 for ; Thu, 2 Apr 1998 05:58:45 -0800 (PST)
Received: by kcgw2.att.com; Thu Apr 2 07:44 CST 1998
Received: from flf960r1.ems.att.com (flf960r1.ems.att.com [135.71.244.37]) by kcig2.att.att.com (AT&T/GW-1.0) with SMTP id IAA07211 for ; Thu, 2 Apr 1998 08:02:52 -0600 (CST)
Received: from flf960bh1.ems.att.com by flf960r1.ems.att.com (SMI-8.6/EMS-1.2 sol2) id JAA29122; Thu, 2 Apr 1998 09:00:43 -0500
Received: by flf960bh1.ems.att.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BD5E16.193B9AB0@flf960bh1.ems.att.com>; Thu, 2 Apr 1998 09:02:44 -0500
Message-ID:
From: "Fenaughty, Kevin M, SITS"
To: "'Firewalls'"
Subject: RE: Spam!
Date: Thu, 2 Apr 1998 09:03:45 -0500
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well I feel better now .... I was beginning to think it was just me. The SPAM
from the "model" was DEFINITELY unwanted. Can we stop this or is it just an
annoyance we must tolerate on a list such as this ?
Kevin Fenaughty
AT&T Solutions

>-----Original Message-----
>From: Michael Batchelor [SMTP:Michael_Batchelor@citysearch.com]
>Sent: Wednesday, April 01, 1998 8:08 PM
>To: Firewalls
>Subject: RE: Spam!
>
>I must echo Daniel's complaint. I have also received 2-3 spams per day
>for the last couple of days from an account at AOL telling me "HI I want
>to meet you I'm a model...". They all were forwarded via the firewalls
>mailing list. You'd think the firewalls list would have some spam
>protection... :) Or at least refuse to forward messages to the list
>that come from non-subscribers. I presume this person spams mailing
>lists, and lets the list manager do the leg work getting it to multiple
>recipients. Not good.
>
>>Received: from relay2.UU.NET by pascamail-2.pmi with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1458.49)
>> id H0S7H3YY; Wed, 1 Apr 1998 09:37:27 -0800
>>Received: from honor.greatcircle.com by relay2.UU.NET with ESMTP
>> (peer crosschecked as: honor.greatcircle.com [198.102.244.44])
>> id QQejgg27335; Wed, 1 Apr 1998 12:37:21 -0500 (EST)
>>Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA15463; Tue, 31 Mar 1998 18:46:55 -0800 (PST)
>>Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id UAA10358 for ; Mon, 30 Mar 1998 20:07:54 -0800 (PST)
>>Received: from imo20.mx.aol.com (imo20.mx.aol.com [198.81.17.42])
>> by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id UAA07319
>> for ; Mon, 30 Mar 1998 20:10:11 -0800 (PST)
>>Received: from BUTCHER56@aol.com
>> by imo20.mx.aol.com (IMOv13.ems) id 9MZKa04942;
>> Mon, 30 Mar 1998 22:38:44 -0500 (EST)
>>From: BUTCHER56
>>Message-ID: <2bcaadbe.35206546@aol.com>
>>Date: Mon, 30 Mar 1998 22:38:44 EST
>>Mime-Version: 1.0
>>Subject: Hi I want to meet you im a model!
>>Content-type: multipart/mixed;
>> boundary="part0_891315524_boundary"
>>X-Mailer: AOL 2.5 for Windows sub 2
>>Sender: firewalls-owner@GreatCircle.COM
>>Precedence: bulk
>>To: undisclosed-recipients:;
>
>> -----Original Message-----
>> From: Daniel Walsh [SMTP:karsus@geocities.com]
>> Sent: Wednesday, April 01, 1998 11:03 AM
>> To: Firewalls
>> Subject: Spam!
>>
>> I'll make this short, and I know this has nothing to do with
>> firewalls,
>> but. . .
>> SPAM! How do I deal with the "unidentified recipients?" And more
>> importantly, I have received several e-mails from an AOL account, that
>> returns an unidentified user response when I tried to get off the
>> list.
>> Help? Maybe a direction to send me in?
>>
>> and more on the subject: I want to thank you guys for the topics. My
>> presentation for my LAN class went much smoother because of this list!
>>
>> thanks
>>
>> dan
>> ---------------------------------
>> Daniel Walsh
>> University of Washington
>> Engineering Alumni Assoc.
>> -Webslave
>> karsus@geocities.com
>> ----------------------------------
>>
>

From firewalls-owner Fri Apr 3 08:55:23 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA15401; Fri, 3 Apr 1998 02:57:02 -0800 (PST)
Received: from mailgw1.almaden.ibm.com ([198.4.83.39]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id NAA01959 for ; Thu, 2 Apr 1998 13:51:55 -0800 (PST)
From: trall@almaden.ibm.com
Received: by mailgw1.almaden.ibm.com(Lotus SMTP MTA SMTP v4.6 (462.2 9-3-1997)) id 882565DA.007888D2 ; Thu, 2 Apr 1998 13:56:33 -0800
X-Lotus-FromDomain: ALMADEN
To: hzhang1@ucla.edu
cc: firewalls-digest@GreatCircle.COM
Message-ID: <882565DA.00774929.00@mailgw1.almaden.ibm.com>
Date: Thu, 2 Apr 1998 13:56:28 -0800
Subject: Re: Cisco Router Config
Mime-Version: 1.0
Content-type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>2 points to consider:
>1) You are using subnet zero
>2) The router will not let you config two access groups per interface.
>
>> interface ethernet0
>> ip address 192.168.0.1 255.255.255.0
>> ip access-group 101 in
>> ip access-group 111 in
>>
>> interface serial0
>> ip address 192.168.1.1 255.255.255.0
>> ip access-group 101 in
>> ip access-group 111

Using subnet zero isn't such a bad thing, but they aren't even doing that. There is no subnetting at all on these interfaces. (If subnet 0 were actually being used, you should include "ip subnet-zero".)

You can have (and normally do have) 2 access groups per interface, but one must be "in" and the other "out". Both of the interfaces shown fail in that respect.

Tony Rall

Randy Zhang on 04/01/98 09:39:45 AM
Please respond to hzhang1@ucla.edu
To: BrianM@dial.pipex.com
cc: firewalls-digest@GreatCircle.COM
Subject: Re: Cisco Router Config

Have you tested your config? Because I do not think it will work.
2 points to consider:
1) You are using subnet zero
2) The router will not let you config two access groups per interface.

Randy

BrianM@dial.pipex.com wrote:

> Hi All (Again)
> Enclosed please find a sample (fictitious) router config,
> assuming the following situation, eth0: connection to firewall,
> ser0: leased line to internet, 192.168.0.2 is firewall, 192.168.0.3 and
> .4 are management stations. Should this config prevent DoS attacks, IP
> spoofing, and be generally secure? I know that there is no routing
> etc etc (I just did this in notepad!!)
>
> Thanks
>
> Brian Murphy
> ---------------------------------------------------------------------------
>
> no service tcp-small-servers
> no service udp-small-servers
> no ip bootp server
> no service finger
> service timestamps debug datetime msec
> service timestamps log datetime msec
> service password-encryption
>
> enable password enable
>
> username manager password 7 letmein
>
> snmp-server community public RO 1
> snmp-server community private RW 1
> no snmp-server trap-authentication
>
> interface ethernet0
> ip address 192.168.0.1 255.255.255.0
> ip access-group 101 in
> ip access-group 111 in
>
> interface serial0
> ip address 192.168.1.1 255.255.255.0
> ip access-group 101 in
> ip access-group 111
>
> access-list 1 permit 192.168.0.2
> access-list 1 permit 192.168.0.3
> access-list 1 permit 192.168.0.4
>
> access-list 12 permit 192.168.0.2 255.255.255.255
> access-list 12 permit 192.168.0.3 255.255.255.255
> access-list 12 permit 192.168.0.4 255.255.255.255
> access-list 12 deny ip any any log
>
> access-list 51 deny 0.0.0.0 255.255.255.255
>
> access-list 101 deny tcp 192.168.0.1 0.0.0.0 192.168.0.1 0.0.0.0 log
> access-list 101 deny tcp 192.168.1.1 0.0.0.0 192.168.1.1 0.0.0.0 log
> access-list 101 deny tcp any any any any eq 53
> access-list 101 deny udp any any any any eq 69
> access-list 101 deny tcp any any any any eq 87
> access-list 101 deny tcp any any any any eq 111
> access-list 101 deny udp any any any any eq 111
> access-list 101 deny udp any any any any eq 2049
> access-list 101 deny tcp any any any any eq 512
> access-list 101 deny tcp any any any any eq 513
> access-list 101 deny tcp any any any any eq 514
> access-list 101 deny tcp any any any any eq 515
> access-list 101 deny tcp any any any any eq 540
> access-list 101 deny tcp any any any any eq 2000
> access-list 101 deny udp any any any any eq 2000
> access-list 101 deny tcp any any any any eq 2001
> access-list 101 deny udp any any any any eq 2001
> access-list 101 deny tcp any any any any eq 6000
> access-list 101 deny udp any any any any eq 6000
> access-list 101 deny tcp any any any any eq 6001
> access-list 101 deny udp any any any any eq 6001
> access-list 101 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 established
> access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
>
> access-list 111 deny ip 192.168.0.0 0.0.0.255 0.0.0.0 255.255.255.255 log
> access-list 111 deny ip 192.168.1.0 0.0.0.255 0.0.0.0 255.255.255.255 log
> access-list 111 permit ip 192.168.0.0 0.0.2.255 any
> access-list 111 deny ip any any log
>
> line console 0
> login
> password hello
> exec-timeout 1 30
>
> line aux 0
> access-class 51 in
>
> line vty 0 4
> access-class 12 in
> login
> password hello

From firewalls-owner Fri Apr 3 09:09:56 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA15288; Fri, 3 Apr 1998 02:55:39 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id EAA16260 for ; Thu, 2 Apr 1998 04:05:02 -0800 (PST)
Received: from pike.sover.net (pike.sover.net [204.71.16.17]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id DAA24228 for ; Thu, 2 Apr 1998 03:25:10 -0800 (PST)
Received: from sover.net (usr0a35.rut.sover.net [206.25.64.135]) by pike.sover.net (8.8.5/8.8.5) with ESMTP id GAA17743; Thu, 2 Apr 1998 06:26:26 -0500 (EST)
Message-ID: <352375FD.EB4185E8@sover.net>
Date: Thu, 02 Apr 1998 06:26:53 -0500
From: Chris Brenton
Reply-To: cbrenton@sover.net
X-Mailer: Mozilla 4.03 [en] (Win95; I)
MIME-Version: 1.0
To: JonnyBoy85
CC: Firewalls@GreatCircle.COM
Subject: Re: T1 question (verbose reply)
References: <5fa01b9b.3522baf1@aol.com>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

JonnyBoy85 wrote:

> Hi all,
> thanks for the help and advice from my last post..
>
> Maybe you can help me with another query. Can anybody explain about T1,T2,
> and T3 lines, they're like ISDN I think.

They're sort of alike if you look at one of them in a mirror while hanging upside down. ;)

A T1 is a full duplex signal over two pair wire cabling. This wire pair terminates in a receptacle that resembles the square phone jacks used in older homes. T1's are used for dedicated point to point connections the same as leased lines. Bandwidth on a T1 is available in increments from 64 Kb/s up to 1.544 Mb/s.

T1s use time division to break the two wire pairs up into 24 separate channels. Time division is the allotment of available bandwidth based on time increments. In the case of a T1 circuit, each "channel" is allowed to transmit for 5.2 microseconds (ms). This is the amount of time a T1 requires to transmit 8 bits (or 1 byte) of information. At the end of 5.2 ms the channel must stop transmitting and relinquish control of the circuit to the next channel. If the channel has additional information to transmit it must wait 119.8 ms. This is the amount of time it would take to cycle through the other 23 channels so that it is again that channel's turn to transmit.

To determine the available bandwidth on each channel we must first determine the "sample rate". The sample rate is the number of times each channel is allowed to transmit in a 1 second period of time. Since each channel is allowed to transmit for 5.2 ms before releasing control to the next channel we have:

1 (second) / .0000052 (transmit time per channel) = 192,398 transmissions per second

This is the total number of transmissions possible in a one second period of time along a T1 line. These 192,398 transmissions are then broken up equally over the 24 channels:

192,398 (transmissions) / 24 (the number of channels) = 8,000

In other words, each of those 24 channels is allowed to transmit 8,000 times per second. This is our "sample rate" or the number of times per second that each channel is sampled or checked to see if it needs to transmit data.

To determine the available bandwidth per channel we multiply the sample rate by the amount of data we can transmit each sample period or:

8 bits X 8000 samples per second = 64 Kb/s

So the short answer to all this number crunching is that each of the 24 channels on a T1 line is capable of moving 64 Kb worth of data per second. So with 24 active channels the full bandwidth available on a T1 would be:

64 Kb/s X 24 = 1.536 Mb/s

Note that there is 8 Kb/s unaccounted for from the 1.544 Mb/s bandwidth stated in the first paragraph (1544 Kb/s - 1536 Kb/s = 8 Kb/s). This 8 Kb/s is overhead which goes towards managing the connections. So while a T1 is able to move 1.544 Mb of information per second, only 1.536 Mb can be actual data. While the discrepancy is minor, it is important to note where it is coming from.

The nice thing about this setup is that an exchange carrier will lease you individual channels of this T1 referred to as a "fractional T1" based on your bandwidth requirements. If you only need 512 Kb/s then you only need to lease 8 channels. In the long term, this can save a considerable amount of money over leasing a full T1. This can be an ideal solution for a company that only needs 64 or 128 Kb/s now but may want to upgrade to a larger pipe later. By initially connecting via a fractional T1 you will not need to rewire, simply turn on additional channels.

These 24 channels can also be broken up and dedicated to different services, i.e., 3 channels can be dedicated to data with 1 channel being dedicated to voice. In this way a single connection can provide connectivity for multiple services.

> I have tried everywhere to find out about them, and was starting to think that
> there was no such thing as a T3, but I found out again today that there is.

Yup, they're just not as common. A T3 is a bundle of 30 T1's. Total potential bandwidth is around 45 Mb.

Hope this helps,
Chris
--
**************************************
cbrenton@sover.net
Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ISBN=0782120822/0740-8883012-887529
Support the anti-spam movement: http://www.cauce.org/

From firewalls-owner Fri Apr 3 10:11:57 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA10979; Fri, 3 Apr 1998 02:39:43 -0800 (PST)
Received: from ns.sikasenbey.or.jp (ns.sikasenbey.or.jp [210.169.217.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id WAA29490 for ; Thu, 2 Apr 1998 22:29:06 -0800 (PST)
Received: from jj3dw3.q3q3665f.com ([209.60.248.100]) by ns.sikasenbey.or.jp (SMI-8.6/3.6W) with SMTP id PAA00095; Fri, 3 Apr 1998 15:21:04 +0900
Date: Fri, 3 Apr 1998 15:21:04 +0900
From: 181855d6 <181855d6@msn.com>
To:
Received: from SMTP.XServer (Smail4.1.19.1 #20) id m0wBzN7-009vdR; Monday, April 6th, 1998
Received: from mail.apache.net(really [164/187]) by relay.comanche.com Saturday, April 4th, 1998
Received: from 32776.21445(really [80110/80111]) by relay.denmark.nl Thursday, April 2nd, 1998
Received: from local.nethost.org(really [24553/24554]) by relay.SS621.net Wednesday, April 1st, 1998
Message-Id: <19943672.886214@relay.comanche.denmark.eu> Tuesday, April 7th, 1998
Reply-To: 181855d6@msn.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk
Authenticated sender is <181855d6@msn.com>
Subject: and
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

EMAIL MARKETING WORKS!!

Bull's Eye Gold is the PREMIER email address collection tool. This program allows you to develop TARGETED lists of email addresses.
Doctors, florists, MLM, biz opp,...you can collect anything...you are only limited by your imagination! You can even collect email addresses for specific states, cities, and even countries! All you need is your web browser and this program.

Our software utilizes the latest in search technology called "spidering". By simply feeding the spider program a starting website it will collect for hours. The spider will go from website to targeted website providing you with thousands upon thousands of fresh TARGETED email addresses. When you are done collecting, the spider removes duplicates and saves the email list in a ready to send format. No longer is it necessary to send millions of ads to get a handful of responses...SEND LESS...EARN MORE!!!

A terrific aspect of the Bull's Eye software is that there is no difficult set up involved and no special technical mumbo-jumbo to learn. All you need to know is how to search for your targeted market in one of the many search engines and let the spider do the rest! Not familiar with the search engines? No problem, we provide you with a list of all the top search engines. Just surf to the location of a search engine on your browser then search for the market you wish to reach...it's that easy!

For instance if you were looking for email addresses of Doctors in New York all you would do is:
1) Do a search using your favorite search engine by typing in the words doctor(s) and New York
2) Copy the URL (one or more)...that's the stuff after the http://... for instance it might look like http://www.yahoo.com/?doctor(s)/?New+York
3) Press the START button

THAT's IT!!! The Bull's Eye spider will go to all the websites that are linked, automatically extracting the email addresses you want. The spider is passive too! That means you can let it run all day or all night while you are working on important things or just having fun on your computer. There is no need to keep a constant watch on it, just feed it your target market and give it praise when it delivers thousands of email addresses at the end of the day!

Features of the Bull's Eye Software:
* Does TARGETED searches of websites collecting the email addresses you want!
* Collects Email addresses by City, State, even specific Countries
* Runs Automatically...simply enter the Starting information, press The Start Button, and it does the rest
* Filters out duplicates
* Keeps track of URLs already visited
* Can run 24 hours per day, 7 days per week
* Fast and Easy List Management
* Also has built in filtering options...you can put in words that it "Must" have while searching,...you can even put in criteria that it "Must NOT Have"...giving you added flexibility
* Also imports email addresses from any kind of files (text files, binary files, database files)
* List editor handles Multiple files to work on many lists simultaneously
* Has a Black-Book feature... avoid sending emails to people who do not want to receive it
* Built-in Mail program...send email directly on the internet with just a click of your mouse
* Personalized Emails...if the email address has the user's name when it is collected,..you can send Personalized emails!!!
* Sort by Location, Server, User Name, Contact Name
* Advanced Operations:
  · Email address lists export in many different formats (HTML, Comma delimited, text file)
  · Advanced editing...Transfer, Copy, Addition, Delete, Crop, Move to Top/Bottom
  · Operations between lists...Union, Subtraction, Comparison
* Program is Passive,...meaning you can run other programs at the same time

CALL FOR MORE INFORMATION 213-980-7850
CALL FOR MORE INFORMATION 213-980-7850

ORDERING INFORMATION

Customer Name
Company Name
Address
City
State
Zip
Phone
Fax
Email Address

______ BULL'S EYE SOFTWARE $259.00
Includes Software, Instructions, Technical Support
______ Shipping & Handling (2-3 Day Fedex) $10.00 (Fedex Overnite) $20.00
______ TOTAL (CA Residents add applicable sales tax)

*All orders are for Win 95 and Win NT

*****CREDIT CARDS ACCEPTED*****
MASTERCARD VISA AMEX
PLEASE CALL 213-980-7850 to process your order 9am-5pm Pacific Time

Checks or Money Orders send to:
WorldTouch Network Inc.
5670 Wilshire Blvd. Suite 2170
Los Angeles, CA 90036

Please note: Allow 5 business days for all checks to clear before order is shipped.
From firewalls-owner Fri Apr 3 10:13:19 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA29668; Fri, 3 Apr 1998 04:09:04 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA19001 for ; Thu, 2 Apr 1998 06:38:35 -0800 (PST)
Received: from garlic.negia.net (garlic.negia.net [206.61.0.14]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id GAA29871 for ; Thu, 2 Apr 1998 06:41:24 -0800 (PST)
Received: from oak.negia.net (oak.negia.net [206.61.0.154]) by garlic.negia.net (8.8.5/8.8.5) with SMTP id JAA32370; Thu, 2 Apr 1998 09:28:06 -0500
Date: Thu, 2 Apr 1998 09:29:26 -0500 (EST)
From: Patrick Darden
To: "Vinod Valloppillil (Exchange)"
cc: firewalls@GreatCircle.COM
Subject: Re: great circle spam relay
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Tons and tons and tons and tons.

-Patrick Darden
--
darden@negia.net
System Administrator
(706) 546-5787
NE Georgia Internet Access

On Wed, 1 Apr 1998, Vinod Valloppillil (Exchange) wrote:

> is it just me or is anyone else getting a ton of spam relayed by
> greatcircle.com?
>

From firewalls-owner Fri Apr 3 10:13:22 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA26952; Fri, 3 Apr 1998 03:45:06 -0800 (PST)
Received: from mail.atnet.at (mail.atnet.at [194.152.160.17]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id DAA26936 for ; Fri, 3 Apr 1998 03:44:55 -0800 (PST)
Received: from Standard.prod-net ([194.152.161.3]) by mail.atnet.at (8.8.8/8.6.9) with SMTP id NAA17035 for ; Fri, 3 Apr 1998 13:49:15 +0200
Message-Id: <3.0.5.32.19980403134815.007c4dc0@mail.atnet.at>
X-Sender: oekk@mail.atnet.at (Unverified)
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Fri, 03 Apr 1998 13:48:15 +0200
To: firewalls@GreatCircle.COM
From: Harti
Subject: Windows 95 Access over UNIX-Firewall?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We use Windows 95 PCs and the TAS server (it's like SAMBA but easier and much more expensive :-) from Syntax.
We have now a second network and the PCs should have a connection to the TAS server. Our UNIX SUN SOLARIS Firewall-1 would allow the access, but the names of the servers are searched via broadcasting and broadcasting is stopped by the firewall.
Is there a possibility to tell the IP addresses of the NetBIOS servers to the Win95 clients?
Or is it possible to tell the firewall to route the broadcasts (and make a 10.0.2.255 from the 10.0.2.x net to a 10.1.0.255 for the 10.1.0.x net)?

Many thanks
Harti
________________________________________________________________
Your mails are being watched.
So don't use the words: Police kills drugs or you get points on their files!
From firewalls-owner Fri Apr 3 10:13:26 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA03623; Fri, 3 Apr 1998 07:07:34 -0800 (PST)
Received: from out2.ibm.net (out2.ibm.net [165.87.194.229]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id HAA03578 for ; Fri, 3 Apr 1998 07:07:24 -0800 (PST)
Received: from microl_8 (slip129-37-123-99.oh.us.ibm.net [129.37.123.99]) by out2.ibm.net (8.8.5/8.6.9) with SMTP id PAA250642 for ; Fri, 3 Apr 1998 15:11:55 GMT
Message-Id: <199804031511.PAA250642@out2.ibm.net>
X-Sender: usinet.daemond@pop4.ibm.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Demo
Date: Fri, 03 Apr 1998 10:14:22 -0500
To: firewalls@greatcircle.com
From: "steplogic@geocities.com"
Subject: the spam wars
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At least with AOL spammers you can retaliate. Do what I've been doing: forward their message to postmaster@aol.com with a note to the postmaster that this is unwelcome spam.

Just my two cents.

----------------------------------------------------
my home page is http://www.geocities.com/ResearchTriangle/Lab/6749/

The fastest way to respond to this message is through the ICQ Network. A message sent this way will go directly to my screen.
If you have ICQ you can message me to ICQ#: 9249485
If you don't have ICQ you can page me through:
* My Personal Communication Center: http://wwp.mirabilis.com/9249485 (go there and try it!)
* Or you can send me a regular e-mail to my EmailExpress address: 9249485@pager.mirabilis.com

Download ICQ at http://www.icq.com/
Include your ICQ details in YOUR e-mail signature: http://www.icq.com/emailsig.html
----------------------------------------------------

From firewalls-owner Fri Apr 3 11:52:40 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA22605; Fri, 3 Apr 1998 10:59:04 -0800 (PST)
Received: from ns1.rconnect.com (ns1.rconnect.com [206.144.249.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA22382 for ; Fri, 3 Apr 1998 10:58:05 -0800 (PST)
Received: from heimdall (kprod60.rconnect.com [209.32.14.60]) by ns1.rconnect.com (8.8.7/8.8.7) with SMTP id NAA17035; Fri, 3 Apr 1998 13:01:57 -0600 (CST)
Received: from heimdall by kproducts.kproducts.com (8.8.6/8.8.6) with SMTP id NAA00559; Fri, 3 Apr 1998 13:05:20 -0600 (CST)
Message-Id: <199804031905.NAA00559@kproducts.kproducts.com>
X-Sender: troy@mail.dakota.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0
Date: Fri, 03 Apr 1998 13:07:03 -0600
To: Harti
From: Troy Hanson
Subject: Re: Windows 95 Access over UNIX-Firewall?
Cc: firewalls@GreatCircle.COM
In-Reply-To: <3.0.5.32.19980403134815.007c4dc0@mail.atnet.at>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does your package (TAS) support the WINS Server capabilities (a la NT)? If so, all you need to do is set up the WINS service. It is extremely simple to set up in samba and NT; most of the work is done by the clients telling the WINS server they are 'up', so all you have to do is enable the WINS server to listen and keep track. You also get the advantage of cutting down on broadcast traffic. I am unaware of any other way to browse across subnets. I know SAMBA supports WINS, both as a server, and as a WINS proxy.

One gotcha: In Win95, under the WINS Server entry, if you only have one WINS server you need to enter it as both primary and secondary, otherwise sometimes Win95 'forgets' it and blanks it out on reboot.

Hope this helps,
troy

At 01:48 PM 4/3/98 +0200, you wrote:
>We use Windows 95 PCs and the TAS server (it's like SAMBA but easier and
>much more expensive :-) from Syntax.
>We have now a second network and the PCs should have a connection to the
>TAS server. Our UNIX SUN SOLARIS Firewall-1 would allow the access, but the
>names of the servers are searched via broadcasting and broadcasting is
>stopped by the firewall.
>Is there a possibility to tell the IP addresses of the NetBIOS servers to
>the Win95 clients?
>Or is it possible to tell the firewall to route the broadcasts (and make a
>10.0.2.255 from the 10.0.2.x net to a 10.1.0.255 for the 10.1.0.x net?)
>
>Many thanks
>Harti
>________________________________________________________________
>Your mails are being watched.
>So don't use the words: Police kills drugs or you get points on their files!
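The point of Troy's WINS suggestion, as it bears on Harti's firewall question, is that a WINS lookup is a single unicast UDP/137 datagram from the client to one known server address, whereas the default name lookup is a subnet broadcast that a firewall will (and should) drop; with WINS the firewall only has to admit UDP/137 from the client subnet to the WINS host, and nothing has to translate 10.0.2.255 into 10.1.0.255. The following is an added example written for this archive, not code from either poster or from TAS or Samba. It builds and parses the NetBIOS Name Service query a client sends (RFC 1001/1002 first-level name encoding and the NAME QUERY REQUEST header) so the difference between the broadcast and WINS forms is visible on the wire; the server name TASSERVER and the transaction ids are constructed values.

```python
"""NetBIOS Name Service (NBNS, UDP/137) name encoding and NAME QUERY REQUEST
construction, showing the unicast (WINS) and broadcast forms of the query.
Added example for this thread; not code from the original posts.
Assumed/constructed values: the server name "TASSERVER" and transaction ids."""
import struct
from typing import Tuple

NB_SUFFIX_SERVER = 0x20   # <20> suffix: File Server Service
QTYPE_NB = 0x0020         # NetBIOS general name service resource record
QCLASS_IN = 0x0001
FLAG_RD = 0x0100          # Recursion Desired: set on every name query
FLAG_B = 0x0010           # Broadcast flag: set only on subnet broadcast queries


def encode_netbios_name(name: str, suffix: int = NB_SUFFIX_SERVER) -> str:
    """RFC 1001 first-level encoding: pad the name to 15 bytes with spaces,
    append the one-byte suffix, then write each byte as two nibbles with 'A'
    (0x41) added to each, giving a 32-character label."""
    raw = name.upper().encode("ascii").ljust(15, b" ")[:15] + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded: str) -> Tuple[str, int]:
    """Inverse of encode_netbios_name: returns (name without padding, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 characters")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_name_query(name: str, txid: int, broadcast: bool) -> bytes:
    """Build a NAME QUERY REQUEST. A query sent to a WINS server carries only
    RD; a subnet broadcast query additionally carries the B flag."""
    flags = FLAG_RD | (FLAG_B if broadcast else 0)
    # header: ID, flags, QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    # question name: label length 32, encoded label, root terminator
    qname = bytes([32]) + encode_netbios_name(name).encode("ascii") + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_NB, QCLASS_IN)


def parse_name_query(packet: bytes) -> dict:
    """Parse the fields a firewall log or WINS server would record from a
    query: transaction id, whether it was a broadcast, and the name asked for."""
    txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if packet[12] != 32:
        raise ValueError("unexpected NetBIOS name label length")
    name, suffix = decode_netbios_name(packet[13:45].decode("ascii"))
    qtype, qclass = struct.unpack("!HH", packet[46:50])
    return {"txid": txid, "broadcast": bool(flags & FLAG_B),
            "name": name, "suffix": suffix, "qtype": qtype, "qclass": qclass}


if __name__ == "__main__":
    # Constructed: what a Win95 client on 10.0.2.x sends to a WINS server
    wins_query = build_name_query("TASSERVER", txid=0x1234, broadcast=False)
    # Constructed: the same lookup as a subnet broadcast to 10.0.2.255
    bcast_query = build_name_query("TASSERVER", txid=0x1235, broadcast=True)
    print(parse_name_query(wins_query))
    print(parse_name_query(bcast_query))
```

The wildcard name `*` (NUL-padded rather than space-padded) and scope ids are not handled; neither arises in a plain server lookup. A firewall rule that admits UDP/137 only from the client subnet to the WINS server's address covers the unicast form, and a parser like `parse_name_query` run over captured UDP/137 traffic shows which names clients are still trying to resolve by broadcast after the WINS entries are in place.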
>

From firewalls-owner Fri Apr 3 11:56:30 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA29114; Fri, 3 Apr 1998 06:49:52 -0800 (PST)
Received: from beta.nsf.gov (beta.nsf.gov [206.2.78.5]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA29091 for ; Fri, 3 Apr 1998 06:49:40 -0800 (PST)
From: dmcewen@nsf.gov
Received: by beta.nsf.gov; id JAA07953; Fri, 3 Apr 1998 09:54:09 -0500 (EST)
Received: from mailman.nsf.gov(128.150.11.2) by beta.nsf.gov via smap (3.2) id xma007926; Fri, 3 Apr 98 09:53:43 -0500
Received: from yrelay.nsf.gov (yrelay.nsf.gov [128.150.195.91]) by mailman.nsf.gov (8.8.4/8.8.4) with SMTP id JAA18309; Fri, 3 Apr 1998 09:53:42 -0500
Received: from ccMail by yrelay.nsf.gov (SMTPLINK V2.11.01) id AA891626021; Fri, 03 Apr 98 09:53:18 EST
Date: Fri, 03 Apr 98 09:53:18 EST
Message-Id: <9803038916.AA891626021@yrelay.nsf.gov>
To: firewalls@GreatCircle.COM, Roy Stevens
Subject: Re: SSH Questions
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

SSH provides security via encryption, so it makes it much harder to snoop your data including userid and password. However, if someone is able to compromise your userid/password, then you have made the firewall a joke because it is so easy to tunnel other protocols via ssh. I'd suggest that inbound ssh only be done with strong auth such as SecurID.

______________________________ Reply Separator _________________________________
Subject: SSH Questions
Author: Roy Stevens at NOTE
Date: 4/3/98 9:43 AM

I have started research into running ssh across the INTERNET. My preliminary research has shown much promise. I would appreciate any feedback on this. I am particularly interested in firewall issues, ie proxy or IP forwarding problems. Thanks for any correspondence.
TOBOR

From firewalls-owner Fri Apr 3 12:07:14 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA22057; Fri, 3 Apr 1998 06:18:12 -0800 (PST)
Received: from brussels.cisco.com (brussels.cisco.com [171.68.129.238]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA21860 for ; Fri, 3 Apr 1998 06:17:28 -0800 (PST)
Received: from evyncke-pc.cisco.com (evyncke-isdn-home.cisco.com [171.68.148.198]) by brussels.cisco.com (8.8.5/8.8.5) with SMTP id QAA16949; Fri, 3 Apr 1998 16:20:31 +0200 (METDST)
Message-Id: <3.0.5.32.19980403161750.00967e40@brussels.cisco.com>
X-Sender: evyncke@brussels.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Fri, 03 Apr 1998 16:17:50 +0200
To: raf@ezunx.com, firewalls@GreatCircle.COM
From: Eric Vyncke
Subject: Re: gre and cisco
In-Reply-To: <35237A8E.EC7AE794@ezunx.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 06:46 2/04/98 -0500, raf@ezunx.com wrote:
>What are the IOS version requirements for passing PPTP through a cisco box
>and does anyone know of a good place to get some setup examples?

Passing PPTP is quite simple, the extended ACL should permit:
- IP protocol 47 (= GRE)
- TCP port 1723 (= control port)

E.g.:
access-list 101 permit tcp xxx yyy eq 1723
access-list 101 permit 47 xxx yyy

And extended ACLs are fairly old in IOS (these are the ACLs with source and destination address), so your router probably supports them.

Now, beware that you just opened a possibly wide security hole: the IOS router cannot check INSIDE the PPTP connection for IP spoofing or any other attack.

Best regards

-eric

>
>thanks
>

Eric Vyncke
Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke@cisco.com
Mobile: +32-75-312.458

From firewalls-owner Fri Apr 3 13:08:09 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA09731; Fri, 3 Apr 1998 02:29:28 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id PAA18480 for ; Thu, 2 Apr 1998 15:30:14 -0800 (PST)
Received: from cih-gw.cih.com (cih-gw.cih.com [204.69.206.1]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id PAA15012 for ; Thu, 2 Apr 1998 15:11:50 -0800 (PST)
Received: (from hagan@localhost) by cih-gw.cih.com (8.7.6/8.6.9) id SAA26522; Thu, 2 Apr 1998 18:14:01 -0500
To: Charles Getty
Cc: "'Brett Mayer'" , "Firewalls (E-mail)"
Subject: Re: cable modem security
References: <2110E4FFF059D011966000A024DAB8E709369B@NS1.netvisioninc.com>
From: "Craig I. Hagan"
Date: 02 Apr 1998 18:14:01 -0500
In-Reply-To: Charles Getty's message of "Mon, 30 Mar 1998 20:48:00 -0500"
Message-ID:
Lines: 28
X-Mailer: Gnus v5.4.66/Emacs 19.34
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Charles Getty writes:

> That assumes you can put the "cable modem" into a promiscuous mode....
> The cable modem is essentially a transparent bridge... Does anyone know
> of other devices that allow you to access the cable medium? Is there a
> online copy of this article in 2600?

the lancity NCP box that i've got via mediaone is a smart bridge: i only see packets directed towards my mac or the broadcast. HOWEVER, one can easily snarf someone else's packets with a few send_arp games (make them think that the upstream router has a mac addr of FF:FF:FF:FF:FF:FF). This will give you at least a few minutes of sniffing until you need to "refresh" their cache.
-- craig ------------------------------------------------------------------------------- Craig I. Hagan "It's a small world, but I wouldn't want to back it up" hagan(at)cih.com "True hackers don't die, their ttl expires" "It takes a village to raise an idiot, but an idiot can raze a village" Stop the spread of spam, use a sendmail condom! http://www.cih.com/~hagan/smtpd-hacks In Bandwidth we trust From firewalls-owner Fri Apr 3 13:13:07 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA09911; Fri, 3 Apr 1998 02:32:10 -0800 (PST) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id DAA02913 for ; Thu, 2 Apr 1998 03:12:12 -0800 (PST) Received: from pike.sover.net (pike.sover.net [204.71.16.17]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id DAA23510 for ; Thu, 2 Apr 1998 03:15:00 -0800 (PST) Received: from sover.net (usr0a35.rut.sover.net [206.25.64.135]) by pike.sover.net (8.8.5/8.8.5) with ESMTP id GAA16187; Thu, 2 Apr 1998 06:16:13 -0500 (EST) Message-ID: <35237398.16FA66C8@sover.net> Date: Thu, 02 Apr 1998 06:16:40 -0500 From: Chris Brenton Reply-To: cbrenton@sover.net X-Mailer: Mozilla 4.03 [en] (Win95; I) MIME-Version: 1.0 To: klinec@mapcoinc.com, firewalls@greatcircle.com Subject: Re: Bordermanager as firewall? References: <062565D9.007DACD7.00@mercury.mapcoinc.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk klinec@mapcoinc.com wrote: > Does anyone have any first-hand experience with Novell's Bordermanager as a > firewall? > I tended to equate that product with MS Proxy Server. That's a pretty accurate description. There is a proxy for HTTP (which provides cacheing) but pretty much everything else is done via static or dynamic packet filtering. 
About the biggest difference between the two is that BM supports static NAT so you can reach private address internal systems, while MSP2 does not. The rest of the features are pretty close. I hear that BM 1.5 has some new features but it has not yet been released. I agree. Kind of a weird suggestion. I've suggested and deployed BM for NetWare only shops but in mixed environments, I tend to stay away from it. If you are a heavy NDS shop BM can be a good thing, otherwise it may seem like it is more work than it's worth. > We have a 400-desktop enterprise with eight Frame-Relay connected remote > sites, and are looking for a firewall solution for the entire enterprise. > In addition, we are in a rapid growth mode, and predict doubling in size > both in number of desktops and number of WAN-connected sites by year-end. BM would handle the speed issues; the security is a judgement concern. Personally, I would look for a Unix based solution. Cheers, Chris -- ************************************** cbrenton@sover.net Multiprotocol Network Design & Troubleshooting http://www.amazon.com/exec/obidos/ISBN=0782120822/0740-8883012-887529 Support the anti-spam movement: http://www.cauce.org/ From firewalls-owner Fri Apr 3 13:23:22 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA26554; Fri, 3 Apr 1998 13:03:44 -0800 (PST) Received: from gateway.hannaford.com (gateway.hannaford.com [198.190.28.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id KAA18107 for ; Fri, 3 Apr 1998 10:43:44 -0800 (PST) Received: by gateway.hannaford.com (950413.SGI.8.6.12/940406.SGI.AUTO) for id NAA15928; Fri, 3 Apr 1998 13:46:49 -0500 Received: from lms.hannaford.com(198.190.25.5) by gateway via smap (3.2) id xma015917; Fri, 3 Apr 98 13:46:42 -0500 Received: by LMS0200.HANNAFORD.COM (Soft-Switch LMS 2.1.0.0) with snapi via NOTES id 0002000001562997; Fri, 3 Apr 1998 13:44:10 -0500 From: "Punsky, Bill" To: Internet Subject: Security Scanners
Message-ID: <0002000001562997000002L072*@MHS> Date: Fri, 3 Apr 1998 13:44:10 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi all, What are the functional differences between SATAN and Ballista (i.e., what vulnerabilities does Ballista check for that SATAN doesn't)? Thanks. From firewalls-owner Fri Apr 3 14:49:57 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA25005; Fri, 3 Apr 1998 12:56:23 -0800 (PST) Received: from pse02.pios.com ([199.33.129.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id MAA24948 for ; Fri, 3 Apr 1998 12:56:07 -0800 (PST) Received: by pse02.pios.com; (5.65v3.2/1.3/10May95) id AA17251; Fri, 3 Apr 1998 16:00:36 -0500 Date: Fri, 03 Apr 1998 16:00:32 -0500 From: "Stout, William" Subject: Unwanted data appears inside firewalled network To: "'Firewalls@GreatCircle.COM'" Message-Id: Mime-Version: 1.0 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Unwanted data continues to infiltrate our protected network via SMTP, HTTP, NNTP, floppy disks, RAS connections, and VPNs. We have a strong firewall. What gives? Firewalls based on the OSI layers don't work. We need AI/fuzzy logic (OSI layer 8 = intelligence?). Say a cracker builds a network attack at OSI layer three. You build a perimeter wall up to layer three, called a packet filter, to keep his traffic out of your domain. The cracker builds an application attack. You raise your perimeter wall to layer seven with a proxy. The cracker builds onto that application (viruses, SPAM, etc). The cracker is looking over your wall again. Now what? We ran out of OSI layers to build our wall. We're mentally confined to this completely artificial layer model.
Crackers aren't. We could build an AI system on the perimeter wall to add intelligence on the firewall. Or we could build a network-wide management system (tied into firewalls, virus scanners, & IDS probes) to create a 'ceiling' across the perimeter walls. Bill Stout ______________________________________________________________________ New Bill Stout early warning (4/3/98): Economic shock wave finally coming from Asia. Distribution chip sales way down (1st qtr '98) in Silicon Valley. Other industries to follow. Stock market will drop. Prepare your finances. See: http://www.intel.com/pressroom/archive/releases/CN30498b.HTM http://www.amd.com/news/corppr/9802.html http://www.national.com/news/1998/9803/q3fy98.html From firewalls-owner Fri Apr 3 14:59:13 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA14976; Fri, 3 Apr 1998 14:31:12 -0800 (PST) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id OAA14639 for ; Fri, 3 Apr 1998 14:29:47 -0800 (PST) Received: from engine3-dc.wdc.cwi.net (engine3-dc.wdc.cwi.net [205.136.1.212]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id OAA06528 for ; Fri, 3 Apr 1998 14:23:09 -0800 (PST) Received: from firewall1.contcirc.com ([206.142.48.2]) by engine3-dc.wdc.cwi.net (Post.Office MTA v3.1.2 release (PO203-101c) ID# 100-36394U2500L250S0) with SMTP id AAA19951; Fri, 3 Apr 1998 17:18:37 -0500 Received: from circuit by firewall1.contcirc.com (5.x/SMI-SVR4) id AA29800; Fri, 3 Apr 1998 15:23:51 -0700 Received: from pxc3sc302.contcirc.com by circuit (4.1/SMI-4.1) id AA24965; Fri, 3 Apr 98 14:23:03 MST Received: from ccMail by pxc3sc302.contcirc.com (ccMail Link to SMTP R8.00.00) id AA891645850; Fri, 03 Apr 98 15:24:13 -0700 Message-Id: <9804038916.AA891645850@pxc3sc302.contcirc.com> X-Mailer: ccMail Link to SMTP R8.00.00 Date: Fri, 03 Apr 98 15:22:04 -0700 From: "Danny Johnson" To: , Subject: Re: 
Firewalls-Digest V7 #146-Auto Answer Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk You gotta be kidding me! ______________________________ Reply Separator _________________________________ Subject: Firewalls-Digest V7 #146-Auto Answer Author: at INTERNET Date: 4/2/98 5:42 PM I am on maternity leave from 04/06/98 till 05/29/98. Please try me later. Thanks!!! From firewalls-owner Fri Apr 3 16:09:05 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA09864; Fri, 3 Apr 1998 02:31:06 -0800 (PST) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA11885 for ; Thu, 2 Apr 1998 06:03:02 -0800 (PST) Received: from hobbes.risq.qc.ca (hobbes.risq.qc.ca [192.26.210.154]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id GAA28237 for ; Thu, 2 Apr 1998 06:05:52 -0800 (PST) Received: from hobbes.risq.qc.ca (cdupre@localhost) by hobbes.risq.qc.ca (8.8.8/8.8.7) with ESMTP id JAA23253; Thu, 2 Apr 1998 09:07:08 -0500 (EST) Message-Id: <199804021407.JAA23253@hobbes.risq.qc.ca> X-Mailer: exmh version 2.0delta 6/3/97 Organization: RISQ - http://www.risq.qc.ca/ From: Christophe Dupre To: Daniel Walsh cc: Firewalls Subject: Re: Spam! In-reply-to: Your message of "Wed, 01 Apr 1998 11:02:56 PST." <35228F60.14F0AD3D@geocities.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 02 Apr 1998 09:07:08 -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I'll make this short, and I know this has nothing to do with firewalls, > but. . . > SPAM! How do I deal with the "unidentified recipients?" And more > importantly, I have received several e-mails from an AOL account, that > returns an unidentified user response when I tried to get off the list. > Help? Maybe a direction to send me in?
In the last few weeks, this mailing list has relayed a fair amount of spam. Anyway, I'm using procmail for pre-filing of my mail, and all the mail from addresses from which I received SPAM are filed in a SPAM folder, which I empty from time to time. As for protecting a site from SPAM, the basic measure is to disallow mail relaying, except for those domains for which the server is MX. The next step, which is a bit more dangerous, is to implement the RBL (Realtime Blackhole List - see http://maps.vix.com/rbl/ ), which will deny all mail sent from known SPAM relays. We haven't (yet) implemented this measure, we're still thinking through the possible impacts - this could deny non-SPAM mails, also... Think what would happen if AOL were to be added to the RBL. Also, since authentication is not yet used for DNS distribution, someone could possibly poison a secondary DNS... -- Christophe Dupre Analyste de systemes, RISQ inc. 1801 McGill College, suite 800 Tel: (514) 840-1235, ext 6971 Montreal, QC CANADA FAX: (514) 840-1244 "Nous ne sommes pas libres de ne pas etre libres, nous sommes obliges de l'etre" - Fernando Savater #include From firewalls-owner Fri Apr 3 16:14:26 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA10056; Fri, 3 Apr 1998 02:34:04 -0800 (PST) Received: from po-external.FCNBD.COM (po-external.FCNBD.COM [147.113.146.4]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id LAA08709 for ; Thu, 2 Apr 1998 11:19:05 -0800 (PST) Received: from po-internal.FCNBD.COM (internalhost.FCNBD.COM [147.113.104.10]) by po-external.FCNBD.COM (8.8.5/fcnbd/domain/1.5.1) with ESMTP id NAA04665; Thu, 2 Apr 1998 13:23:18 -0600 (CST) Received: from abacab.cmg.FCNBD.COM (abacab.cmg.FCNBD.COM [147.113.122.227]) by po-internal.FCNBD.COM (8.8.5/fcnbd/internal-domain/1.5) with ESMTP id NAA05865; Thu, 2 Apr 1998 13:23:16 -0600 (CST) Received: from r9.cmg.fcnbd.com (r9.cmg.FCNBD.COM [147.113.118.125]) by abacab.cmg.FCNBD.COM
(8.8.5/fcnbd/server-subdomain/2.4) with ESMTP id NAA16000; Thu, 2 Apr 1998 13:23:15 -0600 (CST) Received: (from pmarc@localhost) by r9.cmg.fcnbd.com (8.8.7/8.8.7) id NAA00340; Thu, 2 Apr 1998 13:17:31 -0600 (CST) Message-Id: <199804021917.NAA00340@r9.cmg.fcnbd.com> MIME-Version: 1.0 (NeXT Mail 4.2mach v148) Content-Type: text/enriched; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline In-Reply-To: <199804010954.JAA15688@catullus.agw.bt.co.uk> X-Nextstep-Mailer: Mail 4.2mach (Enhance 2.0b5) Received: by NeXT.Mailer (1.148) From: "Paul M. Cardon" Date: Thu, 2 Apr 98 13:17:29 -0600 To: "Pearce, Danny" Subject: Re: Intranet security products cc: Firewalls@GreatCircle.COM Reply-To: pmarc@cmg.fcnbd.com References: <199804010954.JAA15688@catullus.agw.bt.co.uk> X-Warners: Yakko, Wakko & Dot Sender: firewalls-owner@GreatCircle.COM Precedence: bulk "Pearce, Danny" thus spake unto me: > http://www.iss.net - RealSecure/Internet Security Scanner(set of) > http://www.wheelgroup.com - NetRanger/NetSonar > http://www.nai.com - CyberCop > http://www.axent.com - NetRecon > > Plus a few others that are not so good > > Abirnet SessionWall > NFR Network Flight Recorder (www.nfr.org) What are your criteria for saying which of these are and aren't good? Are you considering only the scope of the vulnerability database which is of somewhat decreased value in the face of packet manipulation attacks mentioned by the SNI paper? Some versions of the above systems are not able to detect attacks that are in their vulnerability database when an attacker is fragmenting traffic or otherwise manipulating traffic. Are you considering how well the products scale in terms of managing them in a large, heterogeneous, distributed environment?
Some of these are limited in the number of monitors that can be deployed per management console, the range of physical media types and network protocols supported, and the bandwidth that the monitor can keep up with. Are they extensible by the end user or does the customer have to rely on the vendor to release new attack signatures? I would hate to have a window of time where a known and understood attack can get by because I am waiting for the next product release. I have yet to see a vendor release updates more frequently than once a month. In some environments that window is too large of an exposure. The worst thing we can do as security professionals is to say that a product is good or bad without giving the context in which that judgement is made. -paul From firewalls-owner Fri Apr 3 16:20:09 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA03927; Fri, 3 Apr 1998 16:06:49 -0800 (PST) Received: from gatekeeper.nytimes.com (gatekeeper.nytimes.com [199.181.175.201]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id QAA03857 for ; Fri, 3 Apr 1998 16:06:31 -0800 (PST) Received: from mailgate.nytimes.com by gatekeeper.nytimes.com; (5.65v3.2/1.1.8.2/30Mar95-0352PM) id AA31562; Fri, 3 Apr 1998 19:13:48 -0500 Received: from [170.149.212.99] by mailgate.nytimes.com; (5.65/1.1.8.2/25Jul94-1134AM) id AA09612; Fri, 3 Apr 1998 19:11:29 -0500 Message-Id: <3.0.5.32.19980403191101.008198a0@mailgate.nytimes.com> X-Sender: gordy@mailgate.nytimes.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Fri, 03 Apr 1998 19:11:01 -0500 To: "Danny Johnson" From: Gordy Thompson Subject: Re: Firewalls-Digest V7 #146-Auto Answer Cc: , In-Reply-To: <9804038916.AA891645850@pxc3sc302.contcirc.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At least it's not spam, or "usubscrible" ...
At 03:22 PM 4/3/98 -0700, Danny Johnson wrote: > > You gotta be kidding me! > > >______________________________ Reply Separator _________________________________ >Subject: Firewalls-Digest V7 #146-Auto Answer >Author: at INTERNET >Date: 4/2/98 5:42 PM > > >I am on maternity leave from 04/06/98 till 05/29/98. Please try me later. > >Thanks!!! > > > > > ========================================================================== Gordon T. Thompson gordy@nytimes.com Manager, Internet Services 212 556 1386 The New York Times fax: 212 556 1636 For years we thought that a million monkeys sitting at a million keyboards would produce the Complete Works of Shakespeare; today, thanks to the Internet, we know that's not true. From firewalls-owner Fri Apr 3 17:40:32 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA03307; Fri, 3 Apr 1998 16:02:34 -0800 (PST) Received: from pascamail-2.pmi (mail.citysearch.com [205.227.223.133]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id QAA03253 for ; Fri, 3 Apr 1998 16:02:00 -0800 (PST) Received: by mail.citysearch.com with Internet Mail Service (5.0.1458.49) id ; Fri, 3 Apr 1998 16:05:56 -0800 Message-ID: <9494F3B8EDAED111949B00600815D1C585372D@mail.citysearch.com> From: Michael Batchelor To: dmcewen@nsf.gov, firewalls@GreatCircle.COM, Roy Stevens Subject: RE: SSH Questions Date: Fri, 3 Apr 1998 16:05:55 -0800 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk It is possible to close these SSH holes. You can configure the sshd to disallow port forwarding and X11 forwarding. Furthermore, you can disable UNIX password authentication, and permit only RSA public key authentication, and also disable the interaction with ssh-agent. 
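Batchelor's list of sshd settings (no port forwarding, no X11 forwarding, no UNIX password authentication, RSA public-key authentication only) is the kind of thing that drifts back to the defaults when a box is rebuilt. As an added example, not part of his post and not a tool from any project named on the page, here is an audit that parses an sshd_config and reports every directive that does not match that policy. The directive names follow the ssh 1.x / OpenSSH sshd_config syntax, the rule that the first occurrence of a directive wins is assumed to match the server in use, and both config texts below are constructed for the illustration.

```python
"""Audit an sshd_config against the hardening Batchelor describes.
Added example; sample configurations are constructed, not taken from a host."""

import re

# The policy: directive -> value it must have.  "RSAAuthentication" is the
# ssh1-era public-key directive; the rest exist in both ssh1 and OpenSSH.
REQUIRED = {
    "AllowTcpForwarding":     "no",
    "X11Forwarding":          "no",
    "PasswordAuthentication": "no",
    "RSAAuthentication":      "yes",
    "PermitRootLogin":        "no",
}

# Constructed sample of a stock-looking server config.  Note the commented
# X11Forwarding line: a comment is not a setting, so the default applies.
SAMPLE_CONFIG = """
Port 22
PermitRootLogin yes
# X11Forwarding no   <- commented out, so the compiled-in default applies
PasswordAuthentication yes
RSAAuthentication yes
AllowTcpForwarding yes
"""

# Constructed sample of the same file after applying the policy.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
X11Forwarding no
PasswordAuthentication no
RSAAuthentication yes
AllowTcpForwarding no
"""


def parse_sshd_config(text):
    """Map directive -> value, keeping the first occurrence of each directive
    (assumed: first setting wins, as in OpenSSH); comments and blanks ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+)\s+(.+)$", line)
        if m:
            conf.setdefault(m.group(1), m.group(2).strip())
    return conf


def audit_sshd(text, required=REQUIRED):
    """Return {directive: (found_value_or_None, wanted_value)} for every
    directive that is missing or set to the wrong value.  An absent directive
    is a failure too: it means trusting whatever default sshd was compiled with."""
    conf = parse_sshd_config(text)
    failures = {}
    for name, wanted in required.items():
        found = conf.get(name)
        if found is None or found.lower() != wanted:
            failures[name] = (found, wanted)
    return failures


if __name__ == "__main__":
    for name, (found, wanted) in sorted(audit_sshd(SAMPLE_CONFIG).items()):
        print("%-24s is %-5s want %s" % (name, found, wanted))
```

On the stock sample four directives fail (including X11Forwarding, which is absent rather than wrong); the hardened sample passes clean. Disabling ssh-agent forwarding, which Batchelor also mentions, is a client-side setting in this generation of ssh and is not covered by a server-side audit.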
If you want maximum paranoia, you can configure sshd to only accept host keys from known hosts, and then have your remote users all create keys for their home PC, or whatever, and install these keys on the host that receives outside SSH logins. Users can exercise paranoia on their own by creating an authorized_keys file in their $HOME/.ssh directory, which contains the public keys of remote users who are allowed access to the account. This will typically contain only the public key of the owner of the account. It's pretty robust, but not straight out of the box with the default config files. As with all things security-related, you must know what you are doing. > -----Original Message----- > From: dmcewen@nsf.gov [SMTP:dmcewen@nsf.gov] > Sent: Friday, April 03, 1998 6:53 AM > To: firewalls@GreatCircle.COM; Roy Stevens > Subject: Re: SSH Questions > > SSH provides security via encryption, so it makes it much harder to > snoop your data including userid and password. However, if someone is > > able to compromise your userid/password, then you have made the > firewall a joke because it is so easy to tunnel other protocols via > ssh. I'd suggest that inbound ssh only be done with strong auth such > as SecurID. > > > ______________________________ Reply Separator > _________________________________ > Subject: SSH Questions > Author: Roy Stevens at NOTE > Date: 4/3/98 9:43 AM > > > I have started research into running ssh across the INTERNET. > My preliminary research has shown much promise. > > I would appreciate any feedback on this. > > I am particularly interested in firewall issues, ie proxy or IP > forwarding problems. > > Thanks for any correspondence.
> > TOBOR > > > From firewalls-owner Fri Apr 3 17:53:57 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA09523; Fri, 3 Apr 1998 02:26:19 -0800 (PST) Received: from imo28.mx.aol.com (imo28.mx.aol.com [198.81.17.72]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id NAA02656 for ; Thu, 2 Apr 1998 13:56:24 -0800 (PST) Received: from Oasis179@aol.com by imo28.mx.aol.com (IMOv13.ems) id KVNNa19781; Thu, 2 Apr 1998 16:56:39 -0500 (EST) From: Oasis179 Message-ID: <2ac32cd5.35240998@aol.com> Date: Thu, 2 Apr 1998 16:56:39 EST Mime-Version: 1.0 Subject: Im Jenny Content-type: multipart/mixed; boundary="part0_891554199_boundary" X-Mailer: AOL 2.5 for Windows sub 2 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a multi-part message in MIME format. --part0_891554199_boundary Content-ID: <0_891554199@inet_out.mail.aol.com.1> Content-type: text/plain; charset=US-ASCII   --part0_891554199_boundary Content-ID: <0_891554199@inet_out.mail.aol.com.2> Content-type: message/rfc822 Content-transfer-encoding: 7bit Content-disposition: inline From: Oasis179 Return-path: To: Oasis179@aol.com Subject: Im Jenny Date: Thu, 2 Apr 1998 16:53:51 EST Organization: AOL (http://www.aol.com) Mime-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7bit Hi I'm Jenny and I made a webpage which has my picture on it, I think im very pretty, tell me what you think. 
Click Here --part0_891554199_boundary-- From firewalls-owner Fri Apr 3 18:48:13 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA09405; Fri, 3 Apr 1998 02:24:48 -0800 (PST) Received: from atlantic.leisureplan.co.za (atlantic.leisureplanet.com [196.25.192.37]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id FAA03767 for ; Thu, 2 Apr 1998 05:23:18 -0800 (PST) Received: by atlantic.leisureplan.co.za with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BD5E4C.74A667F0@atlantic.leisureplan.co.za>; Thu, 2 Apr 1998 15:31:50 +0200 Message-ID: From: William Evans To: "'firewalls@GreatCircle.COM'" Subject: DOS attacks on NT Date: Thu, 2 Apr 1998 15:31:48 +0200 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Could someone tell me whether the following would indicate a DOS attack, or a corrupt TCP/IP configuration on the server. The output below is the result of a netstat -n | grep 0.0.0.0

  TCP    205.158.7.34:80      0.0.0.0:18474    TIME_WAIT
  TCP    205.158.7.34:2950    0.0.0.0:51436    SYN_SENT
  TCP    205.158.7.34:139     0.0.0.0:18553    ESTABLISHED
  TCP    205.158.7.34:2254    0.0.0.0:34851    ESTABLISHED
  TCP    205.158.7.37:80      0.0.0.0:2192     ESTABLISHED
  TCP    205.158.7.39:80      0.0.0.0:0        TIME_WAIT

We are only seeing this on one of our servers.
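Whether a table like Evans's points at an attack or at a broken stack is easier to argue from counts than from a screenful of lines. The following is an added example, not from Evans's post and not an answer to his question: a parser for Windows-style "netstat -n" TCP lines that tallies connection states, counts half-open (SYN_SENT / SYN_RECEIVED) entries, and separates out peers that are the unspecified address 0.0.0.0 or port 0, which are worth investigating on their own because no legitimate remote end looks like that. The sample is his six lines plus one constructed normal entry with a documentation address; the state names and column layout are those of NT's netstat as assumed here.

```python
"""Tally netstat -n TCP output into numbers you can reason about.
Added example; SAMPLE is the posted table plus one constructed row."""

import re
from collections import Counter

# TCP <local ip>:<port> <foreign ip>:<port> <state>  (NT "netstat -n" layout)
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")

SAMPLE = """
TCP 205.158.7.34:80 0.0.0.0:18474 TIME_WAIT
TCP 205.158.7.34:2950 0.0.0.0:51436 SYN_SENT
TCP 205.158.7.34:139 0.0.0.0:18553 ESTABLISHED
TCP 205.158.7.34:2254 0.0.0.0:34851 ESTABLISHED
TCP 205.158.7.37:80 0.0.0.0:2192 ESTABLISHED
TCP 205.158.7.39:80 0.0.0.0:0 TIME_WAIT
TCP 205.158.7.34:80 192.0.2.10:1034 ESTABLISHED
"""

HALF_OPEN_STATES = {"SYN_SENT", "SYN_RECEIVED"}


def parse_netstat(text):
    """Return one dict per TCP row: local (ip, port), foreign (ip, port), state."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        lip, lport, fip, fport, state = m.groups()
        rows.append({"local": (lip, int(lport)),
                     "foreign": (fip, int(fport)),
                     "state": state})
    return rows


def triage(rows):
    """Summarise the table.  Returns a dict with:
      by_state         Counter of connection states
      half_open        number of SYN_SENT / SYN_RECEIVED entries
      unspecified_peer entries whose foreign address is 0.0.0.0
      port_zero_peer   entries whose foreign port is 0
      local_ports_hit  Counter of local ports among the unspecified-peer rows,
                       i.e. which services the odd entries cluster on
    """
    by_state = Counter(r["state"] for r in rows)
    odd = [r for r in rows if r["foreign"][0] == "0.0.0.0"]
    return {
        "by_state": by_state,
        "half_open": sum(by_state[s] for s in HALF_OPEN_STATES),
        "unspecified_peer": len(odd),
        "port_zero_peer": sum(1 for r in rows if r["foreign"][1] == 0),
        "local_ports_hit": Counter(r["local"][1] for r in odd),
    }


if __name__ == "__main__":
    summary = triage(parse_netstat(SAMPLE))
    for key, value in summary.items():
        print("%-17s %s" % (key, dict(value) if isinstance(value, Counter) else value))
```

A SYN flood shows up here as a large and growing half_open count concentrated on one local port; a handful of entries across several ports and states, as in the sample, does not fit that shape, which is the distinction the numbers let you make before pulling a packet trace.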
Thanks William From firewalls-owner Fri Apr 3 18:50:22 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA24706; Fri, 3 Apr 1998 17:57:51 -0800 (PST) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-980202-1) id RAA24675 for firewalls@greatcircle.com; Fri, 3 Apr 1998 17:57:43 -0800 (PST) Received: from CHROMIUM ([165.21.74.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA12802 for ; Mon, 30 Mar 1998 10:15:36 -0800 (PST) Received: from mail pickup service by singnet.com.sg with Microsoft SMTPSVC; Tue, 31 Mar 1998 02:22:00 +0800 Received: from argon.singnet.com.sg - 165.21.74.27 by singnet.com.sg with Microsoft SMTPSVC; Sun, 29 Mar 1998 06:34:47 +0800 Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by argon.singnet.com.sg (8.8.8/8.8.8) with ESMTP id GAA13028 for ; Sun, 29 Mar 1998 06:31:22 +0800 (SST) Received: from honor.greatcircle.com by relay4.UU.NET with ESMTP (peer crosschecked as: honor.greatcircle.com [198.102.244.44]) id QQeisg12444; Sat, 28 Mar 1998 17:30:59 -0500 (EST) Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA07491; Sat, 28 Mar 1998 12:52:38 -0800 (PST) Received: from acamail1.acaonline.org (acamail1.acaonline.org [207.98.144.120]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id OAA19846 for ; Fri, 27 Mar 1998 14:20:25 -0800 (PST) Received: by ACA_EXCHANGE with Internet Mail Service (5.0.1458.49) id ; Fri, 27 Mar 1998 15:20:58 -0700 Message-ID: <815366BCD402D111960E0000F805887B307DB0@ACA_EXCHANGE> From: Taufik Islam To: Firewalls@GreatCircle.COM Subject: Sniffer Date: Fri, 27 Mar 1998 15:20:56 -0700 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Is there a good packet sniffer that runs on NT 4.0?
Please help me with any information you may have Thanks If you know of any good packet sniffer for UNIX please let me know also. Taufik Islam Network Engineer, ACA From firewalls-owner Fri Apr 3 19:35:13 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA06949; Fri, 3 Apr 1998 16:25:51 -0800 (PST) Received: from pascamail-2.pmi (mail.citysearch.com [205.227.223.133]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id QAA06853 for ; Fri, 3 Apr 1998 16:25:24 -0800 (PST) Received: by mail.citysearch.com with Internet Mail Service (5.0.1458.49) id ; Fri, 3 Apr 1998 16:29:23 -0800 Message-ID: <9494F3B8EDAED111949B00600815D1C5859329@mail.citysearch.com> From: Michael Batchelor To: firewalls@GreatCircle.COM Subject: RE: Re[2]: Split DNS config questions Date: Fri, 3 Apr 1998 16:29:20 -0800 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1458.49) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk As it turns out, a lot of my confusion was from an incorrect configuration on the inside servers. While I had a directive in named.conf for the forwarders, I omitted the option "forward only;". Without this option, named (BIND 8) insists on having a hints file, even if the hints file is full of bogus info. It will replace the hints with whatever it finds via the forwarder. Imagine my confusion when I set the hints file to contain (exactly!) this:

  .              99999999  IN  NS  foo.bar.com.
  foo.bar.com.   99999999  IN  A   1.2.3.4

And then discovered the names and addresses of all the root servers in the named_dump.db on the inside servers! They discovered the real root servers via the forwarder. Adding "forward only;" to the options section keeps named from looking for a root server, when it should only be forwarding. No hints file needed. Its cache gets filled only with the results of queries it has satisfied. It's kind of like a default route for DNS, as Rick Murphy put it.
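The failure Batchelor describes (forwarders configured, "forward only" missing, so the inside named quietly learns the real roots through the forwarder) is one a few lines of checking catch before the dump file does. The block below is an added example, not part of his post and not a tool from BIND: it pulls the top-level "options" statement out of a named.conf with a brace-matching scan and reports forwarders without "forward only", plus the two tightenings he mentions for the firewall named (allow-query limited to inside addresses, listen-on limited to the inside interface). The config strings are constructed from the fragments in his message; the allow-query and listen-on lines and the 10.0.0.0/8 address are my assumptions in BIND 8 syntax.

```python
"""Check named.conf option blocks for forward-only and exposure settings.
Added example; all three configurations below are constructed."""

import re

# The inside-server config as posted (with "forward only").
INSIDE_POSTED = """
options {
    directory "/var/named";
    forwarders { 10.0.0.1; };
    forward only;
};
zone "inside.company.com" in { type master; file "company.hosts"; };
zone "10.in-addr.arpa" in { type master; file "company.10.rev"; };
"""

# The same config before the fix: forwarders, but no "forward only".
INSIDE_WITHOUT_FORWARD_ONLY = INSIDE_POSTED.replace("    forward only;\n", "")

# The firewall named with the tightening Batchelor describes (assumed syntax).
FIREWALL_TIGHTENED = """
options {
    directory "/var/named";
    allow-query { 10.0.0.0/8; };
    listen-on { 10.0.0.1; };
};
zone "." in { type hint; file "named.cache"; };
"""


def block_body(text, name):
    """Return the text between the braces of the first statement `name`,
    honouring nested braces (forwarders { ... }; lives inside options { ... };).
    Returns None if the statement is absent or unterminated."""
    i = text.find(name)
    if i < 0:
        return None
    start = text.find("{", i)
    if start < 0:
        return None
    depth = 0
    for j in range(start, len(text)):
        if text[j] == "{":
            depth += 1
        elif text[j] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:j]
    return None


def check_resolver(conf):
    """Return a list of findings (empty means the options block is clean)."""
    opts = block_body(conf, "options") or ""
    findings = []
    if "forwarders" in opts and not re.search(r"\bforward\s+only\s*;", opts):
        findings.append("forwarders set without 'forward only': "
                        "named will still hunt for root servers")
    if "allow-query" not in opts:
        findings.append("no allow-query: anyone who can reach it may query")
    if "listen-on" not in opts:
        findings.append("no listen-on: named binds every interface")
    return findings


if __name__ == "__main__":
    for label, conf in (("inside (posted)", INSIDE_POSTED),
                        ("inside (no forward only)", INSIDE_WITHOUT_FORWARD_ONLY),
                        ("firewall (tightened)", FIREWALL_TIGHTENED)):
        print(label)
        for f in check_resolver(conf) or ["  ok"]:
            print("  " + f.strip())
```

The posted inside config passes the forward-only check but still reports the two exposure findings; that is deliberate, since a forward-only resolver that answers the whole world is still a resolver that answers the whole world. The scan is string-based and does not parse comments, so a commented-out "forward only;" would satisfy it; strip comments first if your file has them.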
He gave me some good insights into how this is supposed to work, and I thank him for taking the time to help me. Here's a sanitized version of my named.conf on the inside server:

  options {
      directory "/var/named";
      forwarders { 10.0.0.1; };
      forward only;
  };

  zone "inside.company.com" in {
      type master;
      file "company.hosts";
  };

  zone "10.in-addr.arpa" in {
      type master;
      file "company.10.rev";
  };

The named.conf for the firewall server is even simpler (our outside DNS is served by existing hosts at our ISP's facilities). All it has to do is cache and handle queries from the inside servers.

  options {
      directory "/var/named";
  };

  zone "." in {
      type hint;
      file "named.cache";
  };

Since we already have outside nameservers, we can tighten this up some by setting the firewall named to allow queries only from the inside addresses, and to bind only to the inside interface. YMMV, of course. :) I hope this summary helps someone else get split DNS setup correctly. From firewalls-owner Fri Apr 3 20:15:03 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id QAA03289; Fri, 3 Apr 1998 16:02:18 -0800 (PST) Received: from inergen.sybase.com (inergen.sybase.com [192.138.151.43]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id QAA03267 for ; Fri, 3 Apr 1998 16:02:09 -0800 (PST) Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by inergen.sybase.com (8.8.4/8.8.4) with SMTP id QAA01367; Fri, 3 Apr 1998 16:08:29 -0800 (PST) Received: from by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AB13090; Fri, 3 Apr 98 16:06:44 PST Received: by gwwest.sybase.com(Lotus SMTP MTA v4.6.1 (569.2 2-6-1998)) id 882565DC.000099D7 ; Fri, 3 Apr 1998 16:06:33 -0800 X-Lotus-Fromdomain: SYBASENOTES From: "Ryan Russell" To: "Stout, William" Cc: "'Firewalls@GreatCircle.COM'" Message-Id: <882565DC.0000695E.00@gwwest.sybase.com> Date: Fri, 3 Apr 1998 16:05:53 -0800 Subject: Re: Unwanted data appears inside firewalled network Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk No, layer 8 is economics, and layer 9 is politics. Since OSI layers rely on the lower layers, it's not possible to build an intelligence layer on top of that. Ryan "Stout, William" on 04/03/98 01:00:32 PM To: "'Firewalls@GreatCircle.COM'" cc: (bcc: Ryan Russell/SYBASE) Subject: Unwanted data appears inside firewalled network Unwanted data continues to infiltrate our protected network via SMTP, HTTP, NNTP, floppy disks, RAS connections, and VPNs . We have a strong firewall. What gives? Firewalls based on the OSI layers don't work. We need AI/fuzzy logic (OSI layer 8 = intelligence?). Say a cracker builds network attack at OSI layer three. You build a perimeter wall up to layer three, called a packet filter to his traffic out of your domain. The cracker builds an application attack. You raise your perimeter wall to layer seven with a proxy. The cracker builds onto that application (viruses, SPAM, etc). The cracker is looking over your wall again. Now what? We ran out of OSI layers to build our wall. We're mentally confined to this completely artificial layer model. Crackers aren't. We could build an AI system on the perimeter wall to add intelligence on the firewall. Or we could build a network-wide management system (tied into firewalls, virus scanners, & IDS probes) to create a 'ceiling' across the perimeter walls. Bill Stout ______________________________________________________________________ New Bill Stout early warning (4/3/98): Economic shock wave finally coming from Asia. Distribution chip sales way down (1st qtr '98) in Silicon Valley. Other industries to follow. Stock market will drop. Prepare your finances. 
See: http://www.intel.com/pressroom/archive/releases/CN30498b.HTM http://www.amd.com/news/corppr/9802.html http://www.national.com/news/1998/9803/q3fy98.html From firewalls-owner Fri Apr 3 20:20:22 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA27514; Fri, 3 Apr 1998 18:09:35 -0800 (PST) Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-980202-1) id SAA27496 for firewalls@greatcircle.com; Fri, 3 Apr 1998 18:09:31 -0800 (PST) Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id HAA11393 for ; Tue, 31 Mar 1998 07:02:26 -0800 (PST) Received: from siren.shore.net (siren.shore.net [207.244.124.5]) by miles.greatcircle.com (8.8.5/8.8.5) with SMTP id HAA20560 for ; Tue, 31 Mar 1998 07:04:55 -0800 (PST) Received: from vin.shore.net ([198.115.179.81]) [198.115.179.81] by siren.shore.net with esmtp (Exim) id 0yK2c2-0000mg-00; Tue, 31 Mar 1998 10:06:07 -0500 X-Sender: vin@shell1.shore.net (Unverified) Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 31 Mar 1998 10:06:44 -0500 To: firewalls@greatcircle.com From: "Renard, Kenneth" Subject: SecurID & a Biometric & a PIN! (Was: Ammunition, please) Cc: "Paul D. Robertson" , Vin McLellan , Jesse Brown Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Great discussion, guys! I have a comment to throw in here that has always concerned me about biometrics. Its not so much the biometric data itself, but how it is used, or more likely, misused. Comments, clarifications, or corrections are welcome. Take an analytical step back and look at the biometric data. The measurement that it takes is going to be transformed into a "signature" of the scan, fingerprint, voice data. This signature/transform must remove (most?) variations among different measurements over time and various measuring devices. The data used (compared) will be relatively static. 
We've learned from passwords that "static" can be bad. Biometric data has an extremely low degree of secrecy. I can get your fingerprint from your coffee mug, a retinal scan from your eye doctor, a face print from seeing you in the streets, etc. The signature/transform algorithm is assumed to be known (autocorrelation function for voice, etc.). Therefore, I can easily generate the biometric data necessary to assume your identity. "Stealing" the data can be done much more easily and secretly than an attack on the body. I, for one, would barely notice a missing coffee mug compared to a missing digit. Assume the data is stolen. The high degree of user authenticity afforded by biometrics comes from the ability of _only_ the valid user to present the biometric data to the "system". A warm, pulsing thumb set upon a measuring device is a good indicator of who you are. Now the problem is comparing that data to a (remote?) database of data without allowing data to be inserted between the measuring device and the compare operation. You must completely authenticate the dialogue between the measuring device and the compare stage and only allow transactions with trusted measuring devices. For example: The "Mission Impossible" scenario where the fingerprint measuring devices appear to be in the wall, with "secured" (behind the wall) wiring into the authentication system. This would be a nice closed system. Only those measuring devices that are securely hardwired into the system are allowed to authenticate. On the other hand (pun intended): Your fingerprint device is connected via a serial port to your PC. An attacker could easily unplug the fingerprint device and plug in the coffee mug to give the same response (the stolen biometric data) unless the measuring device itself was authenticated. This is the type of biometric authentication I've seen demo-ed so far.
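Renard's requirement, that the compare stage authenticate the dialogue with the measuring device and accept only trusted devices, can be shown concretely. The block below is an added example, not from his post and not any vendor's protocol: each reader holds a per-device key, the server issues a one-shot nonce, and the reader submits the biometric "signature" under an HMAC over (device id, nonce, user, signature). A stolen template presented without the device key fails, a replayed capture fails on the nonce, and a wrong finger from a trusted reader fails on the comparison. The device key, user name, template bytes and exact-match comparison (real matchers use a threshold) are all assumptions for the illustration.

```python
"""Device-authenticated submission of a static biometric signature.
Added example; keys, users and templates are constructed at run time."""

import hashlib
import hmac
import os


def _message(device_id, nonce, user, template):
    # Length-delimited so no two field splits produce the same byte string.
    return b"|".join([device_id.encode(), nonce, user.encode(), template])


class AuthServer:
    """The 'compare stage': knows device keys, stored templates, live nonces."""

    def __init__(self):
        self.device_keys = {}   # device_id -> shared secret
        self.templates = {}     # user -> stored biometric signature
        self.outstanding = {}   # device_id -> nonce issued, consumed on use

    def enroll_device(self, device_id, key):
        self.device_keys[device_id] = key

    def enroll_user(self, user, template):
        self.templates[user] = template

    def challenge(self, device_id):
        nonce = os.urandom(16)
        self.outstanding[device_id] = nonce
        return nonce

    def verify(self, device_id, user, nonce, template, tag):
        """Return (accepted, reason).  Order matters: the device and the
        freshness of the exchange are checked before the biometric is."""
        key = self.device_keys.get(device_id)
        if key is None:
            return False, "unknown device"
        if self.outstanding.pop(device_id, None) != nonce:
            return False, "stale or unknown nonce"
        expected = hmac.new(key, _message(device_id, nonce, user, template),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad device MAC"
        stored = self.templates.get(user, b"")
        if not hmac.compare_digest(stored, template):   # assumed: exact match
            return False, "biometric mismatch"
        return True, "ok"


class Reader:
    """A trusted measuring device holding its own key."""

    def __init__(self, device_id, key):
        self.device_id, self.key = device_id, key

    def sign(self, nonce, user, template):
        return hmac.new(self.key, _message(self.device_id, nonce, user, template),
                        hashlib.sha256).digest()


def run_scenarios():
    """Exercise the four cases discussed above; returns {name: (ok, reason)}."""
    server = AuthServer()
    reader_key = os.urandom(32)
    server.enroll_device("reader-1", reader_key)
    thumb = hashlib.sha256(b"constructed ridge pattern").digest()  # the 'signature'
    server.enroll_user("ken", thumb)
    reader = Reader("reader-1", reader_key)
    results = {}

    # 1. Genuine: trusted reader, fresh nonce, right finger.
    nonce = server.challenge("reader-1")
    tag = reader.sign(nonce, "ken", thumb)
    results["genuine"] = server.verify("reader-1", "ken", nonce, thumb, tag)

    # 2. Replay of the captured exchange: nonce already consumed.
    results["replayed_capture"] = server.verify("reader-1", "ken", nonce, thumb, tag)

    # 3. Coffee-mug attacker: has the template, not the device key.
    nonce = server.challenge("reader-1")
    forged = Reader("reader-1", os.urandom(32)).sign(nonce, "ken", thumb)
    results["stolen_template_no_device_key"] = server.verify(
        "reader-1", "ken", nonce, thumb, forged)

    # 4. Trusted reader, wrong finger.
    nonce = server.challenge("reader-1")
    other = hashlib.sha256(b"someone else's ridges").digest()
    results["wrong_finger_from_trusted_reader"] = server.verify(
        "reader-1", "ken", nonce, other, reader.sign(nonce, "ken", other))
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print("%-34s %s (%s)" % (name, "ACCEPT" if ok else "REJECT", why))
```

The serial-port scenario in the post is case 3: the template is correct, but without the reader's key the MAC fails before the biometric is even compared. What this does not solve is a key extracted from a stolen reader, which is where the tamper-resistant token Renard asks for comes in.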
What I'd like to see is a "tamper-proof" token (a la SecurID) that measures the biometric, takes a PIN, and an internal seed to generate authentication data and/or unlock a stored private key. The biometric data would be utilized to its best potential without a significant threat of data insertion. All 3 authentication factors in one credit-card sized token! Well, someday. The proverbial Guido and Mac the Knife are still a problem. How about a duress finger? :-) -Ken From firewalls-owner Fri Apr 3 21:12:14 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA09322; Fri, 3 Apr 1998 02:23:33 -0800 (PST) Received: from loas.clark.net (loas.clark.net [168.143.0.13]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA13325 for ; Thu, 2 Apr 1998 06:10:16 -0800 (PST) Received: from mjr.clark.net (mjr.clark.net [168.143.19.61]) by loas.clark.net (8.8.8/8.8.8) with SMTP id JAA12889 for ; Thu, 2 Apr 1998 09:14:31 -0500 (EST) Message-Id: <3.0.3.32.19980402091420.00690c68@mail.clark.net> X-Sender: mjr@mail.clark.net X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.3 (32) Date: Thu, 02 Apr 1998 09:14:20 -0500 To: Firewalls@GreatCircle.COM From: "Marcus J. Ranum" Subject: Re: great circle spam relay In-Reply-To: <199804020933.BAA12083@honor.greatcircle.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk "Vinod Valloppillil (Exchange)" writes: >is it just me or is anyone else getting a ton of spam relayed by >greatcircle.com? It's everybody. For those of you who like a lower traffic, spam-free, product plug-free version of a firewalls list, you may want to check out firewall-wizards. The firewall-wizards archives are on http://www.nfr.net/firewall-wizards/archives.html you can join by mailing majordomo@nfr.net. mjr. -- Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net home - http://www.clark.net/pub/mjr From firewalls-owner Fri Apr 3 22:05:15 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA09639; Fri, 3 Apr 1998 02:27:47 -0800 (PST) Received: from wall.cpr.fr (wall.cpr.fr [193.57.80.130]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id MAA15775 for ; Thu, 2 Apr 1998 12:00:46 -0800 (PST) Received: by wall.cpr.fr; id WAA22150; Thu, 2 Apr 1998 22:05:07 +0200 Received: from unknown(193.57.82.188) by wall.cpr.fr via smap (3.2) id xma022144; Thu, 2 Apr 98 22:05:02 +0200 Received: by localhost with Microsoft MAPI; Thu, 2 Apr 1998 22:04:05 +0200 Message-ID: <01BD5E83.40DBDF40.paulboyer@usa.net> From: Paul Boyer To: "'firewalls@GreatCircle.com'" Subject: FW: Virus checking at the firewall level. Date: Thu, 2 Apr 1998 22:04:04 +0200 X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Yes, performance is a big issue :( I was told trend micro's one at http://www.trendmicro.com is not using CVP for performance reasons. Has someone experince with it ? Paul -----Original Message----- From: Doug Drake Sent: Wednesday, April 01, 1998 8:59 AM To: Gordon LaSane ; Bruno ; firewalls mailing list Subject: RE: Virus checking at the firewall level. Conceptually CVP is a wonderful thing but can you give me any numbers on the latency that this process causes on your network? I have not seen anything that will show me benchmarks for CVP bsed virus scanning, especially with a firewall and even more with encryption. If I could get some good numbers I might be infavor of it. But until then, I like speed on my network and virus scaning on the desk top :). 
At 04:04 PM 3/31/98 -0500, Gordon LaSane wrote:
[Paul BOYER] -snip-

From firewalls-owner Fri Apr 3 22:20:11 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id WAA10010; Fri, 3 Apr 1998 22:06:49 -0800 (PST)
Received: from smtp.enteract.com (thor.enteract.com [206.54.252.9]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id WAA09995 for ; Fri, 3 Apr 1998 22:06:42 -0800 (PST)
Message-Id: <199804040606.WAA09995@honor.greatcircle.com>
Received: (qmail 12024 invoked from network); 4 Apr 1998 06:11:28 -0000
Received: from jimst.sa.enteract.com (HELO Default) (207.229.133.64) by thor.enteract.com with SMTP; 4 Apr 1998 06:11:28 -0000
Reply-To:
From: "James Strompolis"
To:
Subject: RE: Firewalls-Digest V7 #146-Auto Answer
Date: Fri, 3 Apr 1998 22:57:41 -0600
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
In-Reply-To:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What EXACTLY would you like us to try with you later? Sounds to me as if someone has already had a go. You're welcome!!!

- James Strompolis
Aleph Consultants, Inc.
jimst@enteract.com

> -----Original Message-----
> From: firewalls-owner@GreatCircle.COM
> [mailto:firewalls-owner@GreatCircle.COM]On Behalf Of Jasjit K Singh
> Sent: Thursday, April 02, 1998 5:43 PM
> To: Firewalls@GreatCircle.COM
> Subject: Firewalls-Digest V7 #146-Auto Answer
>
>
> I am on maternity leave from 04/06/98 till 05/29/98. Please
> try me later.
>
> Thanks!!!
>

From firewalls-owner Sat Apr 4 05:01:40 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA19202; Fri, 3 Apr 1998 23:37:53 -0800 (PST)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-980202-1) id RAA22316 for firewalls@greatcircle.com; Fri, 3 Apr 1998 17:44:49 -0800 (PST)
Received: from mesache.encomix.es (mesache.encomix.es [194.143.192.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id BAA15227 for ; Mon, 30 Mar 1998 01:28:53 -0800 (PST)
Received: (qmail 9515 invoked from network); 30 Mar 1998 08:33:56 -0000
Received: from hell.encomix.es (HELO encomix.es) (root@194.143.192.22) by mesache.encomix.es with SMTP; 30 Mar 1998 08:33:56 -0000
Message-ID: <351F6625.B72FCDCE@encomix.es>
Date: Mon, 30 Mar 1998 11:30:14 +0200
From: Roman Ramirez
Organization: EncomIX
X-Mailer: Mozilla 4.04 [en] (X11; I; Linux 2.1.91 i586)
MIME-Version: 1.0
To: FW
Subject: Help about ICMP
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi:

I have some questions about filtering ICMP in a firewall... Please, can anyone tell me what kind of ICMP packets should be blocked by the firewall? What options and what packets should be rejected? What filtering rules must be applied by the firewall and what by the router?

Thx in advance
--
http://www.encomix.es/users/patowc
mailto://rramirez@encomix.es

From firewalls-owner Sat Apr 4 05:02:51 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA02350; Sat, 4 Apr 1998 04:33:23 -0800 (PST)
Received: from terradir.com ([204.52.186.96]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id NAA03508 for ; Fri, 3 Apr 1998 13:30:10 -0800 (PST)
Received: by terradir.com from localhost (router,SLMail V2.6); Fri, 03 Apr 1998 16:37:08 -0500
Received: by terradir.com from system (204.52.186.96::mail daemon; unverified,SLMail V2.6); Fri, 03 Apr 1998 16:37:08 -0500
From: "A.R."
To: firewalls@GreatCircle.com
Date: Fri, 3 Apr 1998 16:37:07 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Message-Id: <19980403163708.5d0106d4.in@terradir.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings all.

I wanted to have some information on the fastest/best/most reliable network interface card for a dual-homed Linux firewall machine. Please make suggestions clear.

Thanks in advance,
A.
Rahman
Network Administrator

From firewalls-owner Sat Apr 4 05:05:26 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA19248; Fri, 3 Apr 1998 23:39:11 -0800 (PST)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-980202-1) id SAA27413 for firewalls@greatcircle.com; Fri, 3 Apr 1998 18:08:44 -0800 (PST)
Received: from europa.lif.icnet.uk (europa.lif.icnet.uk [143.65.100.4]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA03749 for ; Tue, 31 Mar 1998 06:09:20 -0800 (PST)
From: harley@icrf.icnet.uk
Received: (from harley@localhost) by europa.lif.icnet.uk (8.8.8/8.8.8) id PAA09808 for firewalls@greatcircle.com; Tue, 31 Mar 1998 15:14:07 +0100 (BST)
Message-Id: <199803311414.PAA09808@europa.lif.icnet.uk>
Subject: Virus checking at the firewall level
To: firewalls@greatcircle.com
Date: Tue, 31 Mar 1998 15:14:06 +0100 (BST)
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > Now my question to you people out there is: How do you do it ? Do you
> not virus check at the firewall level ?

You can, if you can afford the software, hardware and bandwidth. In which case it's a good supplementary defence. It shouldn't be the -only- defence though: there are too many other ways a virus can get in.

> Do you count the end user to do
> it ?

Not if there's any way of making it transparent: running realtime desktop scanning updated automatically by login scripts is a good approach on local networks.

> DO you have a miracle solution ?
>

Errrr......

--
David Harley | alt.comp.virus FAQ
D.Harley@icrf.icnet.uk | & Anti-Virus Web Page
Support & Security Analyst | Folk London On-Line gig-list
Imperial Cancer Research Fund | http://webworlds.co.uk/dharley/

From firewalls-owner Sat Apr 4 05:35:58 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA19338; Fri, 3 Apr 1998 23:41:43 -0800 (PST)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-980202-1) id RAA19072 for firewalls@greatcircle.com; Fri, 3 Apr 1998 17:28:09 -0800 (PST)
Received: from master.netmaster.ca (netmaster.ca [204.244.213.44]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id LAA10745 for ; Sun, 29 Mar 1998 11:46:32 -0800 (PST)
Received: from netmaster.ca ([204.244.158.24]) by master.netmaster.ca with esmtp id m0yJO66-000HbMC (Debian Smail-3.2 1996-Jul-4 #2); Sun, 29 Mar 1998 11:50:26 -0800 (PST)
Message-ID: <351EA7D8.A4C0331F@netmaster.ca>
Date: Sun, 29 Mar 1998 11:58:16 -0800
From: "Dana M. Epp"
Organization: NetMaster Networking Solutions, Inc
X-Mailer: Mozilla 4.04 [en] (X11; I; Linux 2.0.32 i586)
MIME-Version: 1.0
To: Magic Man
CC: Daniel Todd , firewalls@greatcircle.com
Subject: Re: linux based firewall cookbook...
References: <365DC84A57F3D01187E700805FC19048A2A99D@mailhub.corp.usweb.com> <351BC07B.80676CF5@rarebird.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

*Sigh*

Ok, first off, in a regime in which you are applying serious security, physical security is a large portion of the security management. You can pretty well hack into any system if you sit right at the damn thing. If someone can boot off a root disk in Linux.. you already blew away three key security policies one should have.

#1) Physical security to the machine.

#2) Installing or Mounting devices not required. If you don't physically remove the drives, you could be in trouble. Now, realistically this is an extra step since physical security shouldn't be compromised in the first place. Anyways, long story short, you can boot off a CDRom, floppy or even the hard drive if you got physical security. (Not hard to remove the hard disk if you're at the console.)

#3) Mounting FAT on ANY sort of "secure" machine :)

OK, OK. Lecture over. However, assuming one cannot hack your box because you have no floppy really is asking for trouble. There are a few HOWTOs on how to compromise Linux by simply mounting the file system after the fact, changing root passwd to "" and rebooting. At that point.. the machine is yours. Takes about 3 minutes to take the cover off... so don't assume physical security is NOT an issue, I've seen people carry hard drives around just for such occasions.

BTW, I am curious to know WHY someone would have FAT of any sort in a machine used in a security policy. I must have missed the original message, since I cannot fathom WHY it would be used in the first place.

Magic Man wrote:
>
> Daniel Todd wrote:
>
> > This prevents having an insecure msdos file system on your box which is
> > the "easy" thing to do with tarballs. It is especially dangerous if it
> > is your root fs. You really don't want a root fs that can be edited by
> > booting off a DOS floppy.
>
> If a floppy can be booted, then security is compromised right there. I
> can boot any kind of OS via floppy and modify an internal filesystem.
>
> My firewall box has no floppy drive installed at all. I plugged one in
> for the initial install...but it was immediately removed and there's
> nothing on the box but a couple of LEDs and a power switch.
>
> --
> .\\agic .\\an
> Rarebird Consulting Services

--
Dana M. Epp
NetMaster Networking Solutions, Inc.
eppdm@netmaster.ca
http://www.netmaster.ca
" Connecting networks to the Internet..."
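As an added check, not something posted in the thread, here is a small Python audit of an fstab for the points Dana lists: FAT filesystems on a "secure" box (a FAT root being the worst case) and removable boot media still configured. The sample fstab and all names in it are constructed for the example.

```python
import re

# Filesystem types that carry the "FAT on a secure box" problem the thread
# complains about: no ownership or permission bits, editable from any DOS
# boot floppy. umsdos is Linux installed on top of a DOS filesystem.
FAT_TYPES = {"vfat", "msdos", "umsdos", "fat"}

# Device names for removable boot media: floppies and CD-ROM drives. The
# threat in the thread is an offline boot from such media, so a "noauto"
# option in fstab does nothing; the drive has to be physically removed.
REMOVABLE_RE = re.compile(r"^/dev/(fd\d+|cdrom\d*|sr\d+|scd\d+)$")

# Constructed fstab, not taken from any real host: a box with a DOS
# partition, a floppy and a CD-ROM still configured.
SAMPLE_FSTAB = """\
# <device>   <mount>      <type>   <options>    <dump> <pass>
/dev/hda1    /            ext2     defaults     1 1
/dev/hda2    /dos         vfat     defaults     0 0
/dev/fd0     /mnt/floppy  auto     noauto,user  0 0
/dev/cdrom   /mnt/cdrom   iso9660  noauto,ro    0 0
proc         /proc        proc     defaults     0 0
"""


def parse_fstab(text):
    """Return fstab entries as dicts; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line: not enough fields to judge
        entries.append({
            "device": fields[0],
            "mount": fields[1],
            "fstype": fields[2].lower(),
            "options": fields[3].split(",") if len(fields) > 3 else [],
        })
    return entries


def audit_fstab(text):
    """Return (severity, mount point, reason) tuples for the policy points
    raised in the thread: FAT filesystems (CRITICAL when it is the root fs)
    and removable media that should have been physically removed."""
    findings = []
    for e in parse_fstab(text):
        if e["fstype"] in FAT_TYPES:
            severity = "CRITICAL" if e["mount"] == "/" else "WARN"
            findings.append((severity, e["mount"],
                             "%s filesystem: no ownership or permissions, "
                             "editable from any boot floppy" % e["fstype"]))
        if REMOVABLE_RE.match(e["device"]):
            findings.append(("WARN", e["mount"],
                             "removable media %s still configured; remove the "
                             "drive rather than rely on options '%s'"
                             % (e["device"], ",".join(e["options"]))))
    return findings


if __name__ == "__main__":
    for severity, mount, reason in audit_fstab(SAMPLE_FSTAB):
        print("%-8s %-12s %s" % (severity, mount, reason))
```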
From firewalls-owner Sat Apr 4 07:14:20 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA09993; Sat, 4 Apr 1998 02:26:58 -0800 (PST)
Received: from mailgw3.lmco.com (mailgw3.lmco.com [192.35.35.23]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA26017 for ; Fri, 3 Apr 1998 06:36:14 -0800 (PST)
Received: from emss04g01.ems.lmco.com ([166.17.13.122]) by mailgw3.lmco.com (8.8.8/8.8.8) with ESMTP id JAA05942 for ; Fri, 3 Apr 1998 09:40:44 -0500 (EST)
Received: from knight.vf.lmco.com ([166.17.3.50]) by lmco.com (PMDF V5.1-10 #20546) with ESMTP id <0EQU005R5E3TNQ@lmco.com> for firewalls@greatcircle.com; Fri, 3 Apr 1998 09:40:43 -0500 (EST)
Received: from data.camelot (data.vf.lmco.com [166.17.3.39]) by knight.vf.lmco.com (8.8.8/8.7.3) with SMTP id JAA29518 for ; Fri, 03 Apr 1998 09:34:39 -0500 (EST)
Received: from data by data.camelot (SMI-8.6/SMI-SVR4) id JAA00800; Fri, 03 Apr 1998 09:40:34 -0500
Date: Fri, 03 Apr 1998 09:40:34 -0500 (EST)
From: Christopher Zarcone
Subject: Re: socks versus fw-1 stateful inspection vulnerabilities
To: firewalls@greatcircle.com
Reply-to: Christopher Zarcone
Message-id: <199804031440.JAA00800@data.camelot>
MIME-version: 1.0
X-Mailer: dtmail 1.2.0 CDE Version 1.2 SunOS 5.6 sun4m sparc
Content-type: TEXT/plain; charset=us-ascii
Content-MD5: P0v7imDjl33aA+WJ2GNt4Q==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jon,

Stateful inspection engines suffer the same disadvantages as packet filters, because THEY ARE packet filters. I would say that (my) single biggest problem with packet filtering is application-level security (e.g. how can a packet filter differentiate a sendmail server from a rogue webserver running on port 25? It can't. A proxy can.) OTOH, packet filters are generally faster, mainly because filtering decisions are made in the lower levels of the IP stack.

I can't speak from experience, but I've also read stories of state tables becoming corrupt, usually with interesting consequences.

Regards,

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Christopher Zarcone - Data Communications Design Analyst
Lockheed Martin Enterprise Information Systems
czarcone@vf.lmco.com * Chris.Zarcone@lmco.com * czarcone@acm.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
My opinions do not necessarily reflect those of my employer.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

>Date: Wed, 01 Apr 1998 23:27:59 -0500
>From: "Jon E. Price"
>Subject: socks versus fw-1 stateful inspection vulnerabilities
>
>Are there any known or theoretical insecurities or vulnerabilities or other
>shortcomings (eg. performance) using socks or the fw-1 stateful inspection
>technologies?

From firewalls-owner Sat Apr 4 07:20:38 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id XAA19281; Fri, 3 Apr 1998 23:40:19 -0800 (PST)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-980202-1) id RAA22565 for firewalls@greatcircle.com; Fri, 3 Apr 1998 17:45:53 -0800 (PST)
Received: from guten.sddpc.org (guten.sddpc.org [156.29.3.236]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id IAA21494 for ; Mon, 30 Mar 1998 08:22:11 -0800 (PST)
Received: from fiji ([156.29.5.200]) by guten.sddpc.org (Netscape Mail Server v2.02) with SMTP id AAA26098; Mon, 30 Mar 1998 08:25:36 -0800
Message-Id: <3.0.3.32.19980330082851.00a2a560@guten.sannet.gov>
X-Sender: rwk@guten.sannet.gov
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Mon, 30 Mar 1998 08:28:51 -0800
To: firewalls@greatcircle.com
From: rkizer@sddpc.org (Kizer, Randall)
Subject: SECURITY ADMINISTRATOR
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please forgive this posting, but I know a lot of qualified people subscribe to this listing, and I need someone very soon. This job is located in San Diego, CA.

ESSENTIAL FUNCTIONS:
* RACF Administrator
* SAP Security Administrator

RESPONSIBILITIES:
* Participate in the conversion from TOP SECRET to RACF
* Evaluate, implement and monitor security tools (UNIX, NT, etc.)
* Review audit logs for abnormalities. May require some audit reduction scripts to be written using perl, ksh, etc.
* Assist in the support of enterprise firewalls.
* Assist in the evaluation and implementation of new information security products.
* Assist departments with information security issues.
* Periodically conduct security awareness classes.
* Assist new projects with interpretation and implementation of security policy.
* Assist in writing new security policies.

SKILLS, EXPERIENCE & EDUCATION:
* 3-5 years experience with RACF
* 2-3 years experience with AIX or Solaris
* C and/or shell script programming

If you're interested, please e-mail me at rkizer@sddpc.org

From firewalls-owner Sat Apr 4 07:20:43 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA20342; Sat, 4 Apr 1998 03:05:27 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id HAA01794 for ; Fri, 3 Apr 1998 07:00:39 -0800 (PST)
Received: from drew.sabre.com (drew.sabre.com [199.100.49.6]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id GAA26800 for ; Fri, 3 Apr 1998 06:07:24 -0800 (PST)
Received: (from mailer@localhost) by drew.sabre.com (8.8.7/8.7.4) id IAA00478 for ; Fri, 3 Apr 1998 08:08:36 -0600 (CST)
X-Authentication-Warning: drew.sabre.com: mailer set sender to <> using -f
Received: from ngw.sabre.com(192.168.133.149) by drew.sabre.com via smap (V2.0) id xma000471; Fri, 3 Apr 98 08:08:15 -0600
Received: from USGW-Message_Server by sabre.com with Novell_GroupWise; Fri, 03 Apr 1998 08:07:47 -0600
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Fri, 03 Apr 1998 08:13:36 -0600
From: Jasjit K Singh
Reply-To: Jasjit_K_Singh@sabre.com
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V7 #147-Auto Answer
Mime-Version: 1.0
Content-Type: text/plain
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am on maternity leave from 04/06/98 till 05/29/98. Please try me later.

Thanks!!!

From firewalls-owner Sat Apr 4 08:35:36 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA19310; Sat, 4 Apr 1998 08:26:01 -0800 (PST)
Received: from m4.boston.juno.com (m4.boston.juno.com [205.231.101.198]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id IAA19290 for ; Sat, 4 Apr 1998 08:25:52 -0800 (PST)
Received: (from daemonman@juno.com) by m4.boston.juno.com (queuemail) id LZL29035; Sat, 04 Apr 1998 11:29:35 EST
To: Tislam@acaonline.org
Cc: Firewalls@GreatCircle.COM
Date: Sat, 4 Apr 1998 08:28:18 -0800
Subject: Re: Sniffer
Message-ID: <19980404.082823.3590.24.dAEMONMAN@juno.com>
References: <815366BCD402D111960E0000F805887B307DB0@aca_exchange>
X-Mailer: Juno 1.49
X-Juno-Line-Breaks: 0-5,7-21
From: daemonman@juno.com (Jack Riley)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Try SniffIT.....

DaemonMan
----------
Do NOT let them deceive you with the legitimization of their myth!
DaemonMan@juno.com

On Fri, 27 Mar 1998 15:20:56 -0700 Taufik Islam writes:
>Is there a good Packet sniffer that runs on NT 4.0 ?
>Please help me with any information you may have
>Thanks
>
>If you know of any good packet sniffer for UNIX please let me know
>also.
>
>Taufik Islam
>Network Engineer, ACA
>
>
>
>

_____________________________________________________________________
You don't need to buy Internet access to use free Internet e-mail.
Get completely free e-mail from Juno at http://www.juno.com
Or call Juno at (800) 654-JUNO [654-5866]

From firewalls-owner Sat Apr 4 09:35:29 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA01634; Sat, 4 Apr 1998 09:21:44 -0800 (PST)
Received: from dns.eng.auburn.edu (dns.eng.auburn.edu [131.204.10.13]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id JAA01505 for ; Sat, 4 Apr 1998 09:21:18 -0800 (PST)
Received: from nexus.eng.auburn.edu (20663@nexus.eng.auburn.edu [131.204.12.98]) by dns.eng.auburn.edu (8.8.5/8.6.4) with SMTP id LAA03020 for ; Sat, 4 Apr 1998 11:26:01 -0600 (CST)
Received: from localhost by nexus.eng.auburn.edu (SMI-8.6/SMI-SVR4) id LAA15818; Sat, 4 Apr 1998 11:26:00 -0600
Date: Sat, 4 Apr 1998 11:26:00 -0600 (CST)
From: Doug Hughes
To: firewalls@greatcircle.com
Subject: Re: SSH Questions
In-Reply-To: <9803038916.AA891626021@yrelay.nsf.gov>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 3 Apr 1998 dmcewen@nsf.gov wrote:
> SSH provides security via encryption, so it makes it much harder to
> snoop your data including userid and password. However, if some one is
> able to compromise your userid/password, then you have made the
> firewall a joke because it is so easy to tunnel other protocols via
> ssh. I'd suggest that inbound ssh only be done with strong auth such
> as SecurID.
>

It should be noted that you can disable this tunnelling feature by using 'no-port-forwarding'. Also compromising the userid and password is a lot harder than it sounds since it is encrypted. Somebody would have to be looking over your shoulder. But, it's a good point.

____________________________________________________________________________
Doug Hughes                                  Engineering Network Services
System/Net Admin                             Auburn University
doug@eng.auburn.edu

From firewalls-owner Sat Apr 4 10:35:36 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA09738; Sat, 4 Apr 1998 02:24:28 -0800 (PST)
Received: from labtech.checklab.com ([208.221.175.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA23848 for ; Fri, 3 Apr 1998 06:26:26 -0800 (PST)
From: dclydew@interhack.net
Received: from thesquirrel ([207.0.233.62]) by labtech.checklab.com (Netscape Mail Server v2.02) with SMTP id AAA14127; Fri, 3 Apr 1998 09:46:42 -0500
To: "'Roy Stevens'"
Cc:
Subject: RE: SSH Questions
Date: Fri, 3 Apr 1998 09:31:07 -0500
Message-ID: <93725FB2A665D1118E660000F698833C012522@POLPSO1>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
In-Reply-To: <93725FB2A665D1118E660000F698833C038C81@POLPSO1>
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Importance: Normal
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm using ssh from my client (Linux and Win 95) to my Linux firewall and a remote login to a home network... I'm having no problems forwarding the session through the firewall to the remote client. Just make sure you have the necessary ports open...:)

-----Original Message-----
From: firewalls-owner@GreatCircle.COM [mailto:firewalls-owner@GreatCircle.COM]On Behalf Of Roy Stevens
Sent: Thursday, April 02, 1998 11:40
To: firewalls@GreatCircle.COM
Subject: SSH Questions

I have started research into running ssh across the INTERNET. My preliminary research has shown much promise. I would appreciate any feedback on this. I am particularly interested in firewall issues, ie proxy or IP forwarding problems.

Thanks for any correspondence.
TOBOR

From firewalls-owner Sat Apr 4 10:50:32 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA09631; Sat, 4 Apr 1998 02:23:31 -0800 (PST)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id HAA01802 for ; Fri, 3 Apr 1998 07:00:41 -0800 (PST)
Received: from voland.freenet.bishkek.su (voland.freenet.bishkek.su [193.125.230.4]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id GAA26614 for ; Fri, 3 Apr 1998 06:05:47 -0800 (PST)
Received: from freenet.bishkek.su (fygrave@freenet.bishkek.su [193.125.230.1]) by voland.freenet.bishkek.su (8.8.4/8.8.4) with ESMTP id UAA17359 for ; Fri, 3 Apr 1998 20:08:25 +0500
Received: from localhost (fygrave@localhost) by freenet.bishkek.su (8.8.4/8.6.12) with SMTP id UAA17254 for ; Fri, 3 Apr 1998 20:07:35 -0500
Date: Fri, 3 Apr 1998 20:07:34 -0500 (GMT+5)
From: Fyodor
Reply-To: fygrave@usa.net
To: "'firewalls mailing list'"
Subject: masquerading on NT
Message-ID:
X-copyright: The content of this message is intellectual property of its author. So are all mistakes.
X-lummer: Bill Gates
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello People,

My friend wants to set up his NT box as a firewall (Bad idea in my mind, but he doesn't like other OSes), so the thing he's stuck with is something similar to the IP masquerading used on Linux machines. I seem to have heard something like this called NAT on NT, but I would appreciate it if anyone could give some additional information.

Best regards
Fyodor
---
Fyodor Yarochkin email:fygrave@usa.net
http://www.tigerteam.net/linuxgroup/ tel:[996-3312] 474465
echo 'subscribe kalug' | mail majordomo@unslaved.freenet.bishkek.su

From firewalls-owner Sat Apr 4 11:20:32 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA28873; Sat, 4 Apr 1998 10:52:46 -0800 (PST)
Received: from aspirin.bulnet.com ([212.36.3.67]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA28709 for ; Sat, 4 Apr 1998 10:52:13 -0800 (PST)
From: mediplan@ssdnet.com.ar
Received: from localhost (JAA1810@localhost) by aspirin.bulnet.com (8.8.6/8.8.5) with SMTP id WAA12120; Sat, 4 Apr 1998 22:00:22 +0300
Date: Sat, 4 Apr 1998 22:00:22 +0300
Message-Id: <199804041900.WAA12120@aspirin.bulnet.com>
X-Authentication-Warning: aspirin.bulnet.com: JAA1810 owned process doing -bs
Received: by mediplan.com (bulk_mailer v1.5); Sat, 4 Apr 1998 21:47:11 +0300
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Unique opportunity
To: undisclosed-recipients:;
Message-ID:

Unique opportunity !!!

80,000 e-mail addresses from Austria

Broken down into: Companies approx. 18,000
Universities approx. 30,000
Private approx. 32,000

!!!for only OeS 1,390!!!

and

120,000 e-mail addresses from Germany

Broken down into: Companies approx. 24,200
Universities approx. 16,800
Private approx. 79,000

!!!for only OeS 1,590!!!

!!!SPECIAL PRICE!!!

If you order the Austrian and the German e-mail addresses together, you pay the package price of only OeS 1,990!

All e-mail addresses are !completely! up to date (January 98) and are delivered on one diskette each in ASCII text format. If you order within one week you additionally receive an e-mail program !free of charge!. Please send orders by e-mail to: Mediplan@usa.net or Mediplan@pemail.net. Delivery is then by cash on delivery. !!!
Please don't forget.... your exact postal address, telephone, fax.

Kind regards,
Your Mediplan team

From firewalls-owner Sat Apr 4 12:46:36 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA17157; Sat, 4 Apr 1998 12:16:09 -0800 (PST)
Received: from mailhost.pi.net (mailhost.pi.net [145.220.3.9]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id MAA17045 for ; Sat, 4 Apr 1998 12:15:42 -0800 (PST)
Received: from nlpc116 (ut112.pi.net [145.220.194.112]) by mailhost.pi.net (8.8.3/8.7.1) with ESMTP id WAA12087 for ; Sat, 4 Apr 1998 22:20:24 +0200 (MET DST)
Posted-Date: Sat, 4 Apr 1998 22:20:24 +0200 (MET DST)
Message-Id: <199804042020.WAA12087@mailhost.pi.net>
From: "Johan Teekens"
To:
Subject: Re: masquerading on NT
Date: Sat, 4 Apr 1998 22:21:15 +0200
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Yes, I had the same problem 3 months ago. I found Raptor; I think it's a great product for the NT platform. I don't want to say that there is no better firewall. Just check it out, it might be a good choice.

regards
Johan

----------
> From: Fyodor
> To: 'firewalls mailing list'
> Subject: masquerading on NT
> Date: zaterdag 4 april 1998 03:07
>
>
> Hello People,
> My friend wants to set up his NT box as firewall (Bad idea on my mind,
> but he doesn't like other oses), so the thing he stuck with, is the kind
> of similarity to IP masquerading used on Linux machines. I seem to have
> heard something like this called NAT on NT, but i would apprecuate if
> anyone could give some additional information.
>
> Best regards
> Fyodor
> ---
> Fyodor Yarochkin email:fygrave@usa.net
> http://www.tigerteam.net/linuxgroup/ tel:[996-3312] 474465
> echo 'subscribe kalug' | mail majordomo@unslaved.freenet.bishkek.su
>

From firewalls-owner Sat Apr 4 12:50:38 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA21470; Sat, 4 Apr 1998 12:39:16 -0800 (PST)
Received: from puma.sirinet.net (puma.sirinet.net [198.203.196.67]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id MAA21463 for ; Sat, 4 Apr 1998 12:38:59 -0800 (PST)
From: debie@puma.sirinet.net
Received: from localhost (debie@localhost) by puma.sirinet.net (8.8.8/8.8.6) with SMTP id OAA29677; Sat, 4 Apr 1998 14:43:15 -0600
Date: Sat, 4 Apr 1998 14:43:15 -0600 (CST)
To: Jack Riley
cc: Tislam@acaonline.org, Firewalls@GreatCircle.COM
Subject: Re: Sniffer
In-Reply-To: <19980404.082823.3590.24.dAEMONMAN@juno.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

sniffit is wonderful... i also like something like trafshow to show the type of packets that are going across.

--------------------------
Deborah Ann Beley
Sirius Systems Group, Inc.
(580) 355-6436
debie@sirinet.net

On Sat, 4 Apr 1998, Jack Riley wrote:
> Try SniffIT.....
> DaemonMan
> ----------
> Do NOT let them deceive you with the legitimization of their myth!
> DaemonMan@juno.com
>
> On Fri, 27 Mar 1998 15:20:56 -0700 Taufik Islam
> writes:
> >Is there a good Packet sniffer that runs on for NT 4.0 ?
> >Please help me with any information you may have
> >Thanks
> >
> >If you know of any good packet sniffer for UNIX please let me know
> >also.
> >
> >Taufik Islam
> >Network Engineer, ACA
> >
> >
> >
> >
>
> _____________________________________________________________________
> You don't need to buy Internet access to use free Internet e-mail.
> Get completely free e-mail from Juno at http://www.juno.com
> Or call Juno at (800) 654-JUNO [654-5866]
>

From firewalls-owner Sat Apr 4 13:50:32 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA04256; Sat, 4 Apr 1998 13:42:56 -0800 (PST)
Received: from spike1.pikeonline.net (spike1.pikeonline.net [209.48.17.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id NAA04240 for ; Sat, 4 Apr 1998 13:42:49 -0800 (PST)
Received: from paladin [209.48.17.14] by spike1.pikeonline.net (SMTPD32-4.02) id AA54A00190; Sat, 04 Apr 1998 16:47:00 EST5EDT
Message-Id: <3.0.5.32.19980404164808.007a07c0@spike1.pikeonline.net>
X-Sender: sectech@spike1.pikeonline.net
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Sat, 04 Apr 1998 16:48:08 -0500
To: firewalls@greatcircle.com
From: Keith Pachulski
Subject: Re: SecurID & a Biometric & a PIN
Cc: krenard@securitydynamics.com
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> We've learned from passwords that "static" can be bad.

Static passwords are a downfall, fact we all know this already.

>etc.). Therefore, I can easily generate the biometric data necessary to

generate, ok..now replicate it..

>assume your identity. "Stealing" the data can be done much easier and
>secretly than an attack on the body. I, for one, would barely notice a
>missing coffee mug compared to a missing digit. Assume the data is
>stolen.

heh, guess you wouldn't notice then if I borrowed your password file then would you. It all comes down to the issue of security and to what degree an individual is involved in the security process. I for one would notice if anything were moved on my desk let alone turned up missing.

>Now the problem is comparing that data
>to a (remote?)
database of data without allowing data to be inserted >between the measuring device and the compare operation. You must This area can become debatable and depends on the hardware installer and security company governing the biometric devices. I just finished installing a biometric reader in a 4000 office, office building in NYC. The reader is attached via serial port to a PC which stores the photo/info database. At the desk (24/7) is where a guard sits while the client must authenticate with both the biometric reader as well as photo identification. So, unless you can spoof both the facial and fingerprints of the subject, you are not getting into any of my buildings. And no you can`t just prance by the guard and hop into one of the 6 elevators. Accessing the elevators requires a pin number which is changed daily, and only the guard has the new PIN number.=20 Sound complicated? The whole process takes on average 30 seconds. On the other hand (pun intended): Your fingerprint device is connected via a serial port to your PC. An attacker could easily unplug the fingerprint device and plug in the coffee mug to give the same response (the stolen biometric data) unless the measuring device itself was authenticated. This is the type of biometric authentication I've seen demo-ed so far. I suggest you spend more time studying physical security devices before condeming them further. Most of the higher quality readers read the entire print. So your coffee mug scenario is something I can laugh about =3D) no offense. =20 The opinions expressed are mine and not that of my company, its agents, associates or any others I forgot to mention =3D) Have a nice day Just a thought, but how and why are we on the subject of biometrics for a firewalls list? =A7=A7=A7=A7=A7=A7=BB=BB=AD=B0=B0=B0=B0=B0=B0=B0=B0=B0=B0=B0=B0=B0=B0=B0=B0= =B0=B0=B0=B0=B0=AD=AB=AB=A7=A7=A7=A7=A7=A7 Keith A. 
Pachulski PPS, CPI Guardian Group Agency ICQ#7768208 sectech@pikeonline.net =A7=A7=A7=A7=A7=A7=BB=BB=AD=B0=B0=B0=B0=B0=B0=B0=B0=B0=B0=B0=B0=B0=B0=B0=B0= =B0=B0=B0=B0=B0=AD=AB=AB=A7=A7=A7=A7=A7=A7 From firewalls-owner Sat Apr 4 20:50:32 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA02376; Sat, 4 Apr 1998 20:47:05 -0800 (PST) Received: from UPIMSSMTPUSR04 (smtp.email.msn.com [207.68.143.160]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id UAA02369; Sat, 4 Apr 1998 20:46:58 -0800 (PST) Received: from dorian-hanzich - 153.34.103.166 by email.msn.com with Microsoft SMTPSVC; Sat, 4 Apr 1998 20:51:22 -0800 Message-ID: <003501bd604e$f1f32000$a6672299@dorian-hanzich> From: "Dorian Hanzich" To: , , , , , Subject: Polite Request Date: Sat, 4 Apr 1998 20:52:05 -0800 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.2106.4 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dear Sirs I have received Unsolicited Bulk E-Mail (UBE) apparently from yourselves or from one of your direct or indirect customers. I don't like it and would ask for your cooperation to put a stop to it. Most of the UBE I receive looks dishonest to me. I am sure your company isn't like that but you would do well to avoid using or permitting the same methods as these "spammers" lest you be tarred with the same brush. Also, you may be aware that a growing number of ISPs are taking to blocking incoming mail from "spam" domains. I don't want that to happen because I might lose legitimate mail and you might be inconvenienced. 
--- Copy of offending material follows ---

> Received: from UPIMSRGSMTP03 - 207.68.152.47 by email.msn.com with Microsoft SMTPSVC;
> Sat, 4 Apr 1998 11:36:02 -0800
> Received: from relay7.UU.NET - 192.48.96.17 by msn.com with Microsoft SMTPSVC;
> Sat, 4 Apr 1998 11:36:02 -0800
> Received: from honor.greatcircle.com by relay7.UU.NET with ESMTP
> (peer crosschecked as: honor.greatcircle.com [198.102.244.44])
> id QQejrq22395; Sat, 4 Apr 1998 14:35:27 -0500 (EST)
> Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA28873; Sat, 4 Apr 1998 10:52:46 -0800 (PST)
> Received: from aspirin.bulnet.com ([212.36.3.67]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA28709 for ; Sat, 4 Apr 1998 10:52:13 -0800 (PST)
> From: mediplan@ssdnet.com.ar
> Received: from localhost (JAA1810@localhost)
> by aspirin.bulnet.com (8.8.6/8.8.5) with SMTP id WAA12120;
> Sat, 4 Apr 1998 22:00:22 +0300
> Date: Sat, 4 Apr 1998 22:00:22 +0300
> Message-Id: <199804041900.WAA12120@aspirin.bulnet.com>
> X-Authentication-Warning: aspirin.bulnet.com: JAA1810 owned process doing -bs
> Received: by mediplan.com (bulk_mailer v1.5); Sat, 4 Apr 1998 21:47:11 +0300
> Sender: firewalls-owner@GreatCircle.COM
> Precedence: bulk
> To: undisclosed-recipients:;
> Return-Path: firewalls-owner@GreatCircle.COM
>
> Unique opportunity
> To: undisclosed-recipients:;
> Message-ID:
>
>
>
> Unique opportunity !!!
>
> 80,000 email addresses from Austria
>
> Broken down into: companies approx. 18,000
> universities approx. 30,000
> private individuals approx. 32,000
>
> !!!for only OeS 1.390,--!!!
>
> and
>
> 120,000 email addresses from Germany
>
> Broken down into: companies approx. 24,200
> universities approx. 16,800
> private individuals approx. 79,000
>
> !!!for only OeS 1.590,--!!!
>
>
> !!!SPECIAL PRICE!!!
>
> If you order the Austrian and the German email addresses
> together you pay the package price of only OeS 1.990,-- !
>
> All email addresses are !fully up to date! (January 98) and
> are delivered on one diskette each in ASCII text format.
>
> If you order within one week you also receive an
> email program !free of charge!.
>
>
> Please send orders by email to: Mediplan@usa.net or Mediplan@pemail.net
>
> Delivery is then by cash on delivery.
>
> !!! Please do not forget....your exact postal address, telephone, fax
>
>
> Kind regards
>
> Your Mediplan team
>
>
>
>
>
>
>
>

From firewalls-owner Sun Apr 5 01:35:36 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA18989; Sun, 5 Apr 1998 01:23:34 -0800 (PST)
Received: from zika.zika.co.at (hp1.OOeNet.AT [193.81.245.34]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id BAA18893 for ; Sun, 5 Apr 1998 01:23:12 -0800 (PST)
Received: from DialIN21.AS5200.ooenet.at by zika.zika.co.at with SMTP (1.38.193.4/16.2) id AA23935; Sun, 5 Apr 1998 11:35:08 +0200
Message-Id: <35274E8F.64C16169@linznet.at>
Date: Sun, 05 Apr 1998 11:27:43 +0200
From: Manfred Hahn
Reply-To: hahn@linznet.at
Organization: ConnecT-GmbH
X-Mailer: Mozilla 4.03 [de] (Win95; I)
Mime-Version: 1.0
To: limsks@acapacific.com.sg, firewalls@GreatCircle.COM
Subject: ATM-Firewall
Content-Type: multipart/mixed; boundary="------------AEA46D04306CBBA153904186"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is a multi-part message in MIME format.
--------------AEA46D04306CBBA153904186
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

Hi there !!!

have you ever heard of a system called ATLAS ??? ATM-Line-Access-And-Security. It is an ATM-Firewall filtering cells with a speed of 155 Mbs. It supports Classical-IP, LAN-Emulation and FORE-IP over ATM. At the end of 1998 it will also support MPOA over ATM. CISCO's 7513 is not able to filter on layer 3 (needed for MPOA) but ATLAS will. You can set more than 1000 filters without any performance degradation. In addition, if two ATLAS-Systems talk to each other across an ATM-Network you can encrypt the data as well. So, what else do you need to secure your data on an ATM-Network.

If you need more information here is my phone number: ...43-732-377080 or e-mail : hahn@connect-gmbh.de

hope I can help !!!

Regards

--------------AEA46D04306CBBA153904186
Content-Type: text/x-vcard; charset=us-ascii; name="vcard.vcf"
Content-Transfer-Encoding: 7bit
Content-Description: Visitenkarte für Manfred Hahn
Content-Disposition: attachment; filename="vcard.vcf"

begin: vcard
fn: Manfred Hahn
n: Hahn;Manfred
org: ConnecT GmbH
email;internet: hahn@linznet.at
title: Netzwerk-Consultant
x-mozilla-cpt: ;0
x-mozilla-html: FALSE
version: 2.1
end: vcard

--------------AEA46D04306CBBA153904186--

From firewalls-owner Sun Apr 5 01:50:31 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id BAA20416; Sun, 5 Apr 1998 01:31:30 -0800 (PST)
Received: from mail2.webzone.net (mail2.webzone.net [205.219.23.7]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id BAA20368 for ; Sun, 5 Apr 1998 01:31:17 -0800 (PST)
Message-Id: <199804050931.BAA20368@honor.greatcircle.com>
Received: from snoopy ([208.152.102.101]) by mail2.webzone.net (Post.Office MTA v3.1.2 release (PO205-101c) ID# 0-0U10L2S100) with SMTP id AAC163 for ; Sun, 5 Apr 1998 04:35:57 -0500
From: "Greg Barnes"
Organization: International Network Services
To: "Dana M. Epp"
Date: Sun, 5 Apr 1998 04:32:51 -0600
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: linux based firewall cookbook...
Reply-to: greg_barnes@ins.com
CC: Daniel Todd , firewalls@GreatCircle.COM
In-reply-to: <351EA7D8.A4C0331F@netmaster.ca>
X-PM-Encryptor: QDPGP, 4
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Agreed.
But once physical security is broken, the discussion should be over. Physical sec is the last bastion of hope. If you can't maintain that wall, then why wouldn't the individual just pocket the drive, rather than fart around booting up, poking around and generally just being a nuisance? Rather than bringing a drive, why not just bring a small handheld drill, whirr whirr whirr whirr, yank and pocket the drive(s)? I mean hey, since you have the RUN of the place, I doubt anyone would notice you doing it eh?

It's ridiculous to discuss filesystem security measures after the physical layer has been breached, and I don't care what the filesystem is, if you KNOW what it is and you have physical access, it's game over.....FAT, minix, HPFS, NTFS, ext2, UFS whatever... When the physical layer is breached, you start talking about "Recovery", not "Security".

Ok, now I'm off _my_ soap box. =) *grin*

On 29 Mar 98, Dana M. Epp wrote about Re: linux based firewall cookbook..:

> *Sigh*
>
> Ok, first off, in a regime in which you are applying serious security, physical
> security is a large portion of the security management. You can pretty well hack
> into any system if you sit right at the damn thing. If someone can boot off a root
> disk in Linux.. you already blew away three key security policies one should have.
>
> #1) Physical security to the machine.
> #2) Installing or Mounting devices not required. If you don't physically remove
> the drives, you could be in trouble. Now, realistically this is an extra step
> since physical security shouldn't be compromised in the first place. Anyways, long
> story short, you can boot off a CDRom, floppy or even the harddrive if you got
> physical security. (Not hard to remove the hard disk if you're at the console.)
> #3) Mounting FAT on ANY sort of "secure" machine :)
>
> OK, OK. Lecture over. However, assuming one can not hack your box because you have
> no floppy really is asking for trouble. There are a few HOWTOs on how to
> compromise Linux by simply mounting the file system after the fact, changing root
> passwd to "" and rebooting. At that point.. the machine is yours. Takes about 3
> minutes to take the cover off... so don't assume physical security is NOT an
> issue, I've seen people carry harddrives around just for such occasions.
>
> BTW, I am curious to know WHY someone would have FAT of any sort in a machine used
> in a security policy. I must have missed the original message, since I can not
> fathom WHY it would be used in the first place.
>
> Magic Man wrote:
> >
> > Daniel Todd wrote:
> >
> > > This prevents having an insecure msdos file system on your box which is
> > > the "easy" thing to do with tarballs. It is especially dangerous if it
> > > is your root fs. You really don't want a root fs that can be edited by
> > > booting off a DOS floppy.
> >
> > If a floppy can be booted, then security is compromised right there. I
> > can boot any kind of OS via floppy and modify an internal filesystem.
> >
> > My firewall box has no floppy drive installed at all. I plugged one in
> > for the initial install...but it was immediately removed and there's
> > nothing on the box but a couple of LEDs and a power switch.
> >
> > --
> > .\\agic .\\an
> > Rarebird Consulting Services
>
> --
> Dana M. Epp
>
> NetMaster Networking Solutions, Inc.
> eppdm@netmaster.ca
> http://www.netmaster.ca
>
> " Connecting networks to the Internet..."
>
>

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQA/AwUBNSdPwycppdVJoUCjEQI10QCgpD1NsAxpyWiEcBeKmTxEQHBeqskAoOfp
0Ewpyof45SrqHu7V3PKbJRaC
=K7so
-----END PGP SIGNATURE-----

Regards,
Greg Barnes
Dot Dot : greg_barnes@ins.com
Network Systems Engineer
RingRing: (918)590-2676
INS // Tulsa Office
BeepBeep: (888)485-3995
Woo Woo : (One day soon)
"If your vision doesn't cost you something, then it's only a dream..."
--Author Unknown

From firewalls-owner Sun Apr 5 10:20:39 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA18931; Sun, 5 Apr 1998 10:18:48 -0700 (PDT)
Received: from alcove.wittsend.com (alcove.wittsend.com [130.205.0.20]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA18924 for ; Sun, 5 Apr 1998 10:18:43 -0700 (PDT)
Received: (from mhw@localhost) by alcove.wittsend.com (8.8.7/8.8.7) id NAA16889 for firewalls@greatcircle.com; Sun, 5 Apr 1998 13:23:35 -0400
From: "Michael H. Warfield"
Message-Id: <199804051723.NAA16889@alcove.wittsend.com>
Subject: Encryption Survey at computer.org
To: firewalls@greatcircle.com
Date: Sun, 5 Apr 1998 13:23:35 -0400 (EDT)
X-Mailer: ELM [version 2.4ME+ PL33 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In consideration that encryption plays a big role in VPNs, firewalls, and other security issues, I thought that this might be of some interest to the members of the firewalls mailing list...

I found this in the latest (April 1998) issue of "Computer" from IEEE:

The IEEE Computer Society is conducting a poll on encryption policy. It says "members poll" but they are encouraging non-member participation. While it is unlikely to be a scientifically balanced poll (its target audience is a little skewed) the more participants the better. They do ask to please only submit one response per person be it by mail, fax, or web...

Go to http://www.computer.org and follow the member poll link from there.

Mike
--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
(The Mad Wizard) | (770) 925-8248 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
From firewalls-owner Sun Apr 5 12:26:32 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA27215; Sun, 5 Apr 1998 12:13:51 -0700 (PDT)
Received: from inergen.sybase.com (inergen.sybase.com [192.138.151.43]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id MAA27208 for ; Sun, 5 Apr 1998 12:13:45 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by inergen.sybase.com (8.8.4/8.8.4) with SMTP id MAA14304; Sun, 5 Apr 1998 12:20:29 -0700 (PDT)
Received: from gwwest.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA26111; Sun, 5 Apr 98 12:18:44 PDT
Received: by gwwest.sybase.com(Lotus SMTP MTA v4.6.1 (569.2 2-6-1998)) id 882565DD.006A12F4 ; Sun, 5 Apr 1998 12:18:36 -0700
X-Lotus-Fromdomain: SYBASENOTES
From: "Ryan Russell"
To: Christopher Zarcone
Cc: firewalls@GreatCircle.COM
Message-Id: <882565DD.00698286.00@gwwest.sybase.com>
Date: Sun, 5 Apr 1998 12:18:23 -0700
Subject: Re: socks versus fw-1 stateful inspection vulnerabilities
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Jon,
>
>Stateful inspection engines suffer the same disadvantages as packet filters,
>because THEY ARE packet filters.

But they are not JUST packet filters.

>I would say that (my) single biggest problem with packet filtering is
>application-level security (e.g. how can a packet filter differentiate a
>sendmail server from a rogue webserver running on port 25? It can't. A proxy
>can.)

They can, in the same manner that a proxy can.

>OTOH, packet filters are generally faster, mainly because filtering
>decisions are made in the lower levels of the IP stack.

Unfortunately, it seems that so far, SPF vendors tend to do the minimum amount of work to get a protocol to pass successfully, which tends to make them run faster.

>I can't speak from experience, but I've also read stories of state tables
>becoming corrupt, usually with interesting consequences.

No, you haven't. What you've heard is AG vendors claim that this could happen. The same vendors fail to point out that they suffer from the same issue if the very similar TCP connection tables built into the OS that they rely on become corrupt. If your hardware flakes out, all bets are off on the security software.

Ryan

>Regards,
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>Christopher Zarcone - Data Communications Design Analyst
>Lockheed Martin Enterprise Information Systems
>czarcone@vf.lmco.com * Chris.Zarcone@lmco.com * czarcone@acm.org
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> My opinions do not necessarily reflect those of my employer.
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>Date: Wed, 01 Apr 1998 23:27:59 -0500
>From: "Jon E. Price"
>Subject: socks versus fw-1 stateful inspection vulnerabilities
>
>Are there any known or theoretical insecurities or vulnerabilities or other
>shortcomings (eg. performance) using socks or the fw-1 stateful inspection
>technologies?
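Russell's point that a stateful inspection engine keeps its own connection table, and the later exchange in this thread about hash collisions in such tables and the equality check a bucket lookup must perform, are easier to see in code. The following is an added illustration in Python, not any vendor's firewall code; the flows, addresses and timestamps used with it are constructed.

```python
"""Toy stateful-inspection connection table.

Added illustration for this thread, not any vendor's code. It keeps per-flow
state in hash buckets, compares the FULL 5-tuple on every bucket hit (so a
hash collision can never make one flow's state answer for another), expires
idle entries, and refuses new state when full instead of growing without bound.
All hosts, ports and timestamps used with it are constructed sample values.
"""
from collections import namedtuple

# A flow is identified by its 5-tuple.
FlowKey = namedtuple("FlowKey", "proto src_ip src_port dst_ip dst_port")


def reverse_key(key):
    """The 5-tuple of the reply direction of a flow."""
    return FlowKey(key.proto, key.dst_ip, key.dst_port, key.src_ip, key.src_port)


class StateTable:
    def __init__(self, nbuckets=256, max_entries=1000, idle_timeout=300.0):
        self.buckets = [[] for _ in range(nbuckets)]
        self.max_entries = max_entries
        self.idle_timeout = idle_timeout
        self.count = 0

    def bucket_index(self, key):
        # Deliberately simple hash: like any hash it collides, which is why
        # _find() below never trusts a bucket hit without an equality check.
        h = 0
        for part in key:
            for ch in str(part):
                h = (h * 31 + ord(ch)) & 0xFFFFFFFF
        return h % len(self.buckets)

    def _find(self, key, now):
        bucket = self.buckets[self.bucket_index(key)]
        for entry in bucket:
            if entry["key"] != key:      # same bucket, different flow: keep looking
                continue
            if now - entry["last_seen"] > self.idle_timeout:
                bucket.remove(entry)     # stale state is dropped, never reused
                self.count -= 1
                return None
            return entry
        return None

    def _expire_idle(self, now):
        for bucket in self.buckets:
            live = [e for e in bucket if now - e["last_seen"] <= self.idle_timeout]
            self.count -= len(bucket) - len(live)
            bucket[:] = live

    def open_flow(self, key, now):
        """Create state for a new flow. Returns False (fail closed) when the table is full."""
        if self._find(key, now) is not None:
            return True
        if self.count >= self.max_entries:
            self._expire_idle(now)
        if self.count >= self.max_entries:
            return False                 # bounded memory: refuse rather than grow
        self.buckets[self.bucket_index(key)].append({"key": key, "last_seen": now})
        self.count += 1
        return True

    def match(self, key, now):
        """True if the packet belongs to a known, unexpired flow; refreshes its timer."""
        entry = self._find(key, now)
        if entry is None:
            return False
        entry["last_seen"] = now
        return True


def filter_packet(table, key, syn, from_inside, now):
    """Stateful decision: an inside-initiated SYN may open state; anything else
    must match existing state in either direction, or it is dropped."""
    if from_inside and syn:
        return "ALLOW" if table.open_flow(key, now) else "DROP"
    if table.match(key, now) or table.match(reverse_key(key), now):
        return "ALLOW"
    return "DROP"
```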
From firewalls-owner Sun Apr 5 13:35:38 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA08747; Sun, 5 Apr 1998 13:26:17 -0700 (PDT)
Received: from www.zdh.de (www.zdh.de [194.77.6.230]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id NAA08689 for ; Sun, 5 Apr 1998 13:25:58 -0700 (PDT)
Received: from www (xpl115.xnc.de [194.77.5.79]) by www.zdh.de (8.7.5/8.8.7) with SMTP id XAA12518; Sun, 5 Apr 1998 23:03:20 +0200
Message-ID: <3527E9C5.7644E053@edina.xnc.com>
Date: Sun, 05 Apr 1998 22:29:57 +0200
From: Stepken
Organization: Freie Software Systeme
X-Mailer: Mozilla 3.01Gold (X11; I; Linux 2.0.33 i586)
MIME-Version: 1.0
To: Ryan Russell
CC: Christopher Zarcone , firewalls@GreatCircle.COM
Subject: Re: socks versus fw-1 stateful inspection vulnerabilities
References: <882565DD.00698286.00@gwwest.sybase.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ryan Russell wrote:
> >I can't speak from experience, but I've also read stories of state tables
> >becoming corrupt, usually with interesting consequences.
>
> No, you haven't. What you've heard is AG vendors claim that this could
> happen.
> The same vendors fail to point out that they suffer from the same issue if
> the
> very similar TCP connection tables built into the OS that they rely on
> become corrupt. If your hardware flakes out, all bets are off on the
> security
> software.

I did some very stressing tests on firewalls with SPF and dynamic rules. I was able to cause some memory overflow, which can be exploited as buffer overflow, depending on the memory model of the OS. Very often they use some well known hashfunctions (e.g. GNU), which also have collisions. Such attacks are very special ones, but they can be done.

regards, Guido Stepken

From firewalls-owner Sun Apr 5 17:21:02 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA07197; Sun, 5 Apr 1998 17:05:18 -0700 (PDT)
Received: from inergen.sybase.com (inergen.sybase.com [192.138.151.43]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id RAA07145 for ; Sun, 5 Apr 1998 17:05:01 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by inergen.sybase.com (8.8.4/8.8.4) with SMTP id RAA06163; Sun, 5 Apr 1998 17:11:42 -0700 (PDT)
Received: from gwwest.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA11909; Sun, 5 Apr 98 17:09:55 PDT
Received: by gwwest.sybase.com(Lotus SMTP MTA v4.6.1 (569.2 2-6-1998)) id 882565DE.0000E670 ; Sun, 5 Apr 1998 17:09:49 -0700
X-Lotus-Fromdomain: SYBASENOTES
From: "Ryan Russell"
To: Stepken
Cc: firewalls@GreatCircle.COM
Message-Id: <882565DE.0000A496.00@gwwest.sybase.com>
Date: Sun, 5 Apr 1998 17:09:36 -0700
Subject: Re: socks versus fw-1 stateful inspection vulnerabilities
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My claim is that some folks, perhaps with vested interests in seeing leading SPF vendors lose market, have been trying to make people think that state tables are prone to corruption without providing any examples.

If you've got details on the problem you've mentioned, I'd love to hear them.

Ryan

Stepken on 04/05/98 01:29:57 PM

To: Ryan Russell/SYBASE
cc: Christopher Zarcone , firewalls@GreatCircle.COM
Subject: Re: socks versus fw-1 stateful inspection vulnerabilities

Ryan Russell wrote:
> >I can't speak from experience, but I've also read stories of state tables
> >becoming corrupt, usually with interesting consequences.
>
> No, you haven't. What you've heard is AG vendors claim that this could
> happen.
> The same vendors fail to point out that they suffer from the same issue if
> the
> very similar TCP connection tables built into the OS that they rely on
> become corrupt. If your hardware flakes out, all bets are off on the
> security
> software.

I did some very stressing tests on firewalls with SPF and dynamic rules. I was able to cause some memory overflow, which can be exploited as buffer overflow, depending on the memory model of the OS. Very often they use some well known hashfunctions (e.g. GNU), which also have collisions. Such attacks are very special ones, but they can be done.

regards, Guido Stepken

From firewalls-owner Sun Apr 5 22:20:36 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id SAA14058; Sun, 5 Apr 1998 18:01:40 -0700 (PDT)
Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.11]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id SAA14004 for ; Sun, 5 Apr 1998 18:01:26 -0700 (PDT)
Received: from uu.inka.de (ms1.ka.inka.de [193.197.84.8]) by mail.ka.inka.de with smtp id 0yM0Mc-0004tF-00; Mon, 6 Apr 1998 03:06:18 +0200
Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Mon, 6 Apr 98 03:06 MET DST
Received: by lina.inka.de id m0yM09n-000145C (Debian Smail-3.2.0.101 1997-Dec-17 #2); Mon, 6 Apr 1998 02:53:03 +0200 (CEST)
Message-ID: <19980406025300.08447@lina>
Date: Mon, 6 Apr 1998 02:53:00 +0200
From: Bernd Eckenfels
To: Stepken
Cc: firewalls@GreatCircle.COM
Subject: Re: socks versus fw-1 stateful inspection vulnerabilities
References: <882565DD.00698286.00@gwwest.sybase.com> <3527E9C5.7644E053@edina.xnc.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.89.1
In-Reply-To: <3527E9C5.7644E053@edina.xnc.com>; from Stepken on Sun, Apr 05, 1998 at 10:29:57PM +0200
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I was able to cause some memory overflow, which can be exploited as
> buffer overflow, depending on
> the memory model of the OS.

Which OS generates buffer overflows from Memory shortage?

> Very often they use some well known hashfunctions (e.g. GNU), which also
> have collisions. Such attacks are very special ones, but they can be
> done.

Which hash function has no collisions? Therefore which programmer forgets to check for equality in the resultset a hash-bucket delivers? Have you actually found an exploit?

Greetings
Bernd
--
(OO) -- Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de --
( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
o--o *plush* 2048/93600EFD eckes@irc +497257930613 BE5-RIPE
(O____O) If privacy is outlawed only Outlaws have privacy

From firewalls-owner Mon Apr 6 00:35:41 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id AAA21623; Mon, 6 Apr 1998 00:30:14 -0700 (PDT)
Received: from dns.portcullis-security.com (dns.portcullis-security.com [194.203.128.120]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id AAA21612 for ; Mon, 6 Apr 1998 00:30:08 -0700 (PDT)
Received: from tgb-mailhost.portcullis-security.com (unverified [194.203.128.123]) by dns.portcullis-security.com (Integralis SMTPRS 2.04) with ESMTP id ; Mon, 06 Apr 1998 08:34:19 +0100
Received: by tgb-mailhost.portcullis-security.com with Internet Mail Service (5.0.1457.3) id ; Mon, 6 Apr 1998 08:25:57 +0100
Message-Id: <21905E09B270D111815400C0DFAA15330B1060@tgb-mailhost.portcullis-security.com>
From: Adrian S Ryan
To: firewalls@GreatCircle.com, "'A.R.'"
Subject: RE:
Date: Mon, 6 Apr 1998 08:25:51 +0100
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

SMC8434BT (http://www.smc.com/network/lan/epower2.html)
SMC9334BDT (http://www.smc.com/network/lan/fastdpci.html)

> ----------
> From: A.R.[SMTP:arahman@terradir.com]
> Sent: 03 April 1998 05:37
> To: firewalls@GreatCircle.com
>
> Greetings all.
>
> I wanted to have some information on the
> fastest/best/reliable network interface card for a dual
> homed linux firewall machine.
>
> please make suggestions clear .
>
> thanks in advance
>
> A. Rahman
> Network Administrator
>

From firewalls-owner Mon Apr 6 03:09:32 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA11019; Mon, 6 Apr 1998 02:55:32 -0700 (PDT)
Received: from siren.shore.net (siren.shore.net [207.244.124.5]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id CAA11012 for ; Mon, 6 Apr 1998 02:55:26 -0700 (PDT)
Received: from vin.shore.net ([198.115.179.81]) [198.115.179.81] by siren.shore.net with esmtp (Exim) id 0yM8hb-0000Vu-00; Mon, 6 Apr 1998 06:00:32 -0400
X-Sender: vin@shell1.shore.net
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 6 Apr 1998 05:00:57 -0500
To: firewalls@greatcircle.com
From: Vin McLellan
Subject: Re: SecurID & a Biometric & a PIN
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From: tamaster@technologist.com
Date: Fri, 6 Feb 1998 12:30:18 -0600 (CST)
To: cryptography@c2.net
Subject: Biometric HA patent

Method and apparatus for securely handling a personal identification number or cryptographic key using biometric techniques (assignee -- mytec technologies inc.)

Patent Number: 5712912
Issue Date: 1998 01 27
Inventor(s): Tomko, George J.; Stoianov, Alexei

February 6, 1998
MicroPatent via Individual Inc. :

Abstract: A method and apparatus using biometric information (such as a fingerprint, an iris structure, etc.) as a cipher for encrypting and decrypting a personal identification number (PIN) which is used as an input to a PIN requiring device.
The method of encryption of a PIN includes generating a sequence of random characters representing a PIN to be encrypted; obtaining a generating function such that the random characters are coefficients in an expansion of a square of said generating function over basis functions; and dividing a transform of the generating function by Fourier transformed information image signal to obtain the encrypted PIN. The latter is stored digitally or as a hologram in a personal card or a database. To decrypt the PIN, a full-complex spatial light modulator is illuminated with an optical beam carrying the Fourier transform of the biometric image of an individual to be identified. The encrypted PIN may be also stored in a reflective hologram which is nondestructively attached to a personal card, and the decryption of a PIN comprises illuminating the hologram with the beam carrying the Fourier transform of the biometric image. In other embodiments of the invention, a cipher may be derived from an intensity distribution (captured directly by a camera) of the Fourier spectrum of the biometric image. The PIN may be encrypted and decrypted either optically (with phase conjugation techniques) or digitally (using an encryption algorithm).

Ex Claim Text: A method for securely storing at least a personal identification number (PIN), comprising the following steps: obtaining a biometric information signal bearing information from a body part; generating a sequence of random characters to obtain a PIN; obtaining a generating function such that said random characters of said PIN are parameters of said generating function; obtaining a transform of said generating function; encrypting said transform of said generating function with said biometric information signal to obtain an encrypted PIN; and writing said encrypted PIN into a store.

-----
"Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill... yet basically an intellectual construct, an idea, which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege." _ A thinking man's Creed for Crypto/ vbm.

* Vin McLellan + The Privacy Guild + *
53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548

From firewalls-owner Mon Apr 6 03:25:22 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id CAA11201; Mon, 6 Apr 1998 02:57:10 -0700 (PDT)
Received: from siren.shore.net (siren.shore.net [207.244.124.5]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id CAA11146 for ; Mon, 6 Apr 1998 02:56:57 -0700 (PDT)
Received: from vin.shore.net ([198.115.179.81]) [198.115.179.81] by siren.shore.net with esmtp (Exim) id 0yM8iq-0000Z1-00; Mon, 6 Apr 1998 06:01:49 -0400
X-Sender: vin@shell1.shore.net
Message-Id:
In-Reply-To: <1.5.4.32.19980401162836.0096e910@mailhost.gov.yk.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 6 Apr 1998 05:02:18 -0500
To: Larry Kwiat
From: Vin McLellan
Subject: Re: SecurID & a Biometric & a PIN
Cc: "Paul D. Robertson" , krenard@securid.com, Jesse Brown , firewalls@greatcircle.com, sectech@pikeonline.net
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Keith A. Pachulski posted informed remarks on current biometric systems but asked:

>>Just a thought, but how and why are we on the subject of biometrics for a
>>firewalls list?

User authentication technology is central to any attempt to restrict data flow through a firewall. Without authentication, there is no basis for access controls -- and without access/egress controls, why bother with a firewall at all?

Earlier, Larry Kwiat had waded thru Robertson's wisdom and endured McLellan's grousing to offer summary judgement:

>The subject here is risk management. Always is.
>If you "wire" the people to the boxes, you make it worth the risk to
>take the person with the box.
>You change the shape of the window of
>possibility for the perpetrator, but you don't substantially change
>the situation.

With respect, Larry, I see this situation quite differently.

The topic here is how to bring to bear additional degrees of relative certainty in user authentication. In search of higher degrees of assurance, it makes perfect sense to me to draw upon all three modes by which a computer can authenticate your pre-registered identity -- demands for what you know/hold/are -- in order to increase the certainty of that user authentication.

The classical way of justifying this is to point out that using two or three different modes of authentication will, at minimum, require two or three different types of attacks to subvert or corrupt these procedures. Another way of putting it would be to simply point out that it makes a theft of identity much more difficult. Multiple layers of authentication demand a more elaborate attack, more planning, more equipment, and/or (to consider the potential of kidnapping) a vastly greater commitment to criminal action, in the face of often much greater criminal penalties.

No mechanism or protocol is invulnerable to attack. No assurance is perfect. Within that context, I think demanding a biometric can significantly (if only incrementally) add to the assurance of an authentication process, and thus, "substantially change the situation."

The question of how to do it right, with minimal risk to the integrity of the authentication process, and (in this case) with appropriate political concern for damage to the "owner" of the biometric are separate. (We should be careful not to blur the concerns of the two respective "owners" here, particularly -- as may well be the case -- they vary or conflict.)

If a thief has to take a person with the box (or, say, a token,) that's a big deal. Kidnapping is not a hacker crime. If subverting an authentication protocol takes a direct physical attack (or surgery;-) or a face-to-face con, or hidden sensors in the victim's steering wheel, that's a big deal too. Most cyberattacks are not the culmination of an extended "Mission Impossible" scam to get a user's bioprint.

Paul, Ken, and others have noted that because a biometric is inherently static, it has some notable vulnerabilities, and that raises some scary possibilities if biometric records are lost, stolen, and mishandled as often as passwords, for example, are today. I agree. This raises some interesting design, protocol, and liability issues. Minimizing them will call for ingenuity from engineers, and it could give birth to a whole new legal framework if a citizen is allowed to claim some property right on his or her biometrics. (Europeans probably already have this, but US privacy rights are minimal when it comes to a citizen's right to claim or defend information about himself.)

All this does nothing, however, to change the concrete fact that a demand for a biometric at some stage of a user-authentication process -- perhaps, as Ken Renard suggested, wholly internal to a hand-held authentication token, or even _within_ a single chip -- is almost certain to increase the assurance of that authentication.

>Banks have had this problem for years over other types of access issue.
>
>Ideally, risks should be parcelled out as a management strategy. When
>you allow them to aggregate, your risk-management picture is progressing
>toward getting out of hand. That is not supportable in good risk management,
>if there are no potential gains. I don't count increasing the risk exposure
>on human life and limb in order to "raise the ante" and maybe create very
>temporary deterrence as a gain of anything substantial.

I think, Larry, you are too single-minded in looking to the risks involved in demanding or using a biometric. The whole point of a biometric (of _any_ authenticator) is to lessen the vulnerabilities inherent in identity-theft and illicit but privileged access to a protected site, network, or data-file.

(Frankly, from the system-security point of view, threats to life and limb can often subvert an authentication mechanism, at least when only money is at stake. Attacks using armed robbery, burglary, "rubber-hose" cryptanalysis, and leaving a gunman with the bank manager's wife and kid have always been with us, and must be addressed -- but not here, and not out of context.)

The issue of whether the value of the biometric, as used, is slight or temporary or useless, is a matter of design, application, and legal context. (From a citizen's point of view, it may well be wise for users or potential users to refuse to allow their own biometric to be captured or used for authentication in some systems, at least until the legal, political, and technical environment for handling these static and irreplaceable identifiers is further developed -- but those concerns are unlikely to diminish pressures to use biometrics when they clearly _do_ help control illicit access or fraud in local systems. Are we gonna see technicians refuse corporate orders to install biometric authentication systems? Possible, but unlikely.)

Bob Courtney of IBM, one of the industry's first security evangelists, used to say that nothing useful can be said about a security technology outside of the context of a specific and concrete application. Infosec is always about relative security, right? Sometimes a small incremental increase in security is sufficient to have an enormous impact in the integrity of the system; or is all that the freight (value of the resources to be protected) will bear or justify. We just can't toss around qualitative terms like "temporary deterrence," or "substantial" and "insubstantial gains," and have them mean anything outside of a specific context.

Keith A. Pachulski mentioned some of the physical access controls that are being widely installed today, using full-face, hand, voice, and fingerprint biometrics. This year, tens of millions of people will be registered in biometric authentication systems -- most in anti-fraud public benefits programs, in apps where a scanner verifies that someone holding a card or permit is the person the card or permit says it belongs to (and that this particular person is in this program's database but once!) Proponents hope that these systems will, almost immediately, save billions in benefit fraud. (They may be right.) Immigration and border crossing stations in several nations will also likely see widespread use of these technologies in the immediate future.

In IT apps soon to hit the market, fingerprints will be used to release a bootlock or decrypt the disk of a laptop. The cost of a quality biometric reader has dropped below $100 -- and with the new single-chip fingerprint readers, Moore's Law will rapidly drive the price down further -- so such an investment looks very reasonable, with one out of 13 corporate laptops reported lost or stolen.

A brave new world, maybe -- but the world of biometrics is one we are going to have to deal with reason and principle, not emotion.
Suerte,
_Vin

-----
Vin McLellan + The Privacy Guild + 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 -- <@><@> --

From firewalls-owner Mon Apr 6 04:54:02 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA27525; Mon, 6 Apr 1998 04:48:23 -0700 (PDT)
Received: from malraux.matranet.com (malraux.matranet.com [194.117.213.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id EAA27510 for ; Mon, 6 Apr 1998 04:48:15 -0700 (PDT)
Received: by malraux.matranet.com; id NAA22536; Mon, 6 Apr 1998 13:34:46 +0200 (CEST)
Received: from matranet.com ([192.0.2.22]) by victor.imatranet.com (post.office MTA v2.0 0813 ID# 0-18250U90) with ESMTP id AAA64; Mon, 6 Apr 1998 13:50:10 +0200
Message-ID: <3528C0F9.1E12E52F@matranet.com>
Date: Mon, 06 Apr 1998 13:48:09 +0200
From: fauquet@matranet.com (Xavier Fauquet)
X-Mailer: Mozilla 4.04 [en] (Win95; I)
MIME-Version: 1.0
To: Roman Ramirez
CC: FW
Subject: Re: Help about ICMP
References: <351F6625.B72FCDCE@encomix.es>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Basically, I would block all ICMP redirects on the firewall, and source routing. If you do not want people to ping your firewall, you should also block the ping on the router itself. It is not always a good idea since you could have a DMZ with a Web Server. People like to ping machines...

Max

Roman Ramirez wrote:
>
> Hi:
>
> I have some questions about filtering ICMP in a firewall...
>
> Please, anyone can tell me what kind of icmp packets should be blocked
> by the firewall?
>
> What options and what packets should be rejected?
>
> What filtering rules must be applied by the firewall and what by the
> router?
>
> Thx in advance
>
> --
> http://www.encomix.es/users/patowc
> mailto://rramirez@encomix.es

From firewalls-owner Mon Apr 6 05:26:13 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id EAA27653; Mon, 6 Apr 1998 04:50:21 -0700 (PDT)
Received: from edelweb.fr (edelweb.fr [193.51.12.16]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id EAA27614 for ; Mon, 6 Apr 1998 04:50:05 -0700 (PDT)
Received: from ben.edelweb.fr (ben.edelweb.fr [193.51.12.62]) by edelweb.fr with ESMTP id NAA20920; Mon, 6 Apr 1998 13:55:05 +0200 (MET DST)
Received: (from ben@localhost) by ben.edelweb.fr (8.8.5/8.6.6) id NAA17811; Mon, 6 Apr 1998 13:57:09 +0200 (MET DST)
Date: Mon, 6 Apr 1998 13:57:07 +0200 (MET DST)
From: Ben
To: Roman Ramirez
cc: FW
Subject: Re: The return of the ICMP :)
In-Reply-To: <35233361.664CA16F@encomix.es>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> iii) ICMP types usually permitted are:
[...]
> 4 SOURCE-QUENCH -> What's that? :)
[...]

Source Quench is when a router sends a message to the upstream host to tell that host that it is sending packets too quickly and needs to slow down.

Ben.
____
Ben Samman.................................................ben@edelweb.fr
Paris, France
Illudium Q36 Explosive Space Modulator

From firewalls-owner Mon Apr 6 06:05:58 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA29582; Mon, 6 Apr 1998 05:04:43 -0700 (PDT)
Received: from mailgw3.lmco.com (mailgw3.lmco.com [192.35.35.23]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id FAA29521 for ; Mon, 6 Apr 1998 05:04:29 -0700 (PDT)
Received: from emss04g01.ems.lmco.com ([166.17.13.122]) by mailgw3.lmco.com (8.8.8/8.8.8) with ESMTP id IAA08415; Mon, 6 Apr 1998 08:09:31 -0400 (EDT)
Received: from knight.vf.lmco.com ([166.17.3.50]) by lmco.com (PMDF V5.1-10 #20546) with ESMTP id <0EQZ00AWJR3VIF@lmco.com>; Mon, 6 Apr 1998 08:09:31 -0400 (EDT)
Received: from data.camelot (data.vf.lmco.com [166.17.3.39]) by knight.vf.lmco.com (8.8.8/8.7.3) with SMTP id IAA18880; Mon, 06 Apr 1998 08:03:29 -0400 (EDT)
Received: from data by data.camelot (SMI-8.6/SMI-SVR4) id IAA01498; Mon, 06 Apr 1998 08:09:24 -0400
Date: Mon, 06 Apr 1998 08:09:24 -0400 (EDT)
From: Christopher Zarcone
Subject: Re: socks versus fw-1 stateful inspection vulnerabilities
To: ryanr@sybase.com
Cc: firewalls@greatcircle.com
Reply-to: Christopher Zarcone
Message-id: <199804061209.IAA01498@data.camelot>
MIME-version: 1.0
X-Mailer: dtmail 1.2.0 CDE Version 1.2 SunOS 5.6 sun4m sparc
Content-type: TEXT/plain; charset=us-ascii
Content-MD5: CkjcorbwPvMrA8MSvP8C1g==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ryan,

I suppose I should clarify what I said: Historically I have come to understand "packet filtering" as screening based on IP-level and transport-level information. With such limited information, you can't determine with certainty the application-level service; you can only make a best guess. Of course, if you have a more advanced packet filter, you could arbitrarily examine any or all bits in the entire packet. At that point, though, you're basically performing application-level analysis, and incurring the performance penalty, so why not use a proxy?

Regards,
Chris

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Christopher Zarcone - Data Communications Design Analyst
Lockheed Martin Enterprise Information Systems
czarcone@vf.lmco.com * Chris.Zarcone@lmco.com * czarcone@acm.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
My opinions do not necessarily reflect those of my employer.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> >Jon,
> >
> >Stateful inspection engines suffer the same disadvantages as packet filters,
> >because THEY ARE packet filters.
>
> But they are not JUST packet filters.
>
> >I would say that (my) single biggest problem with packet filtering is
> >application-level security (e.g. how can a packet filter differentiate a
> >sendmail server from a rogue webserver running on port 25? It can't. A proxy
> >can.)
>
> They can, in the same manner that a proxy can.
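The three posts above make concrete, testable claims: Xavier Fauquet's policy (drop ICMP redirects and source-routed packets, optionally refuse pings to the firewall itself but not to DMZ hosts), Ben's description of Source Quench as a router's "slow down" message, and Christopher Zarcone's point that a filter working only on IP and transport headers cannot tell a mail server from a rogue web server on port 25. The following is an added example, not code from the list or from any product mentioned in it: a small Python evaluator that parses constructed IPv4/ICMP/TCP packets, applies those header-level rules, and then shows what the port rule misses by looking at the first bytes of application data. The firewall address, the sample addresses (RFC 5737 documentation ranges) and the packets themselves are all constructed for the demonstration.

```python
"""Toy packet-filter policy evaluator (added example, not code from the list):
IPv4 header/option parsing, an ICMP policy like the one discussed above, and a
port-only TCP rule beside an application-data check. All packets are constructed."""
import struct
from collections import namedtuple

IPPROTO_ICMP, IPPROTO_TCP = 1, 6
ICMP_SOURCE_QUENCH, ICMP_REDIRECT, ICMP_ECHO_REQUEST = 4, 5, 8   # RFC 792 types
SOURCE_ROUTE_OPTIONS = {131, 137}   # RFC 791: loose (LSRR) / strict (SSRR) source route
FIREWALL_ADDR = "192.0.2.1"         # assumed address of the firewall's own interface

Packet = namedtuple("Packet", "src dst proto options payload")  # payload = after IP header

def parse_ipv4(raw: bytes) -> Packet:
    """Decode the fixed 20-byte header plus any options."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("bad header length")
    dotted = lambda b: ".".join(str(x) for x in b)
    return Packet(dotted(raw[12:16]), dotted(raw[16:20]), raw[9], raw[20:ihl], raw[ihl:])

def has_source_route(options: bytes) -> bool:
    """Walk the option list; True if an LSRR or SSRR option is present."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # End of Option List
            return False
        if kind == 1:                      # No-Operation is a single byte
            i += 1
            continue
        if kind in SOURCE_ROUTE_OPTIONS:
            return True
        if i + 1 >= len(options) or options[i + 1] < 2:
            return False                   # truncated or malformed option: stop
        i += options[i + 1]
    return False

def filter_packet(raw: bytes) -> str:
    """Network/transport-level policy: what a packet filter alone can decide."""
    pkt = parse_ipv4(raw)
    if has_source_route(pkt.options):
        return "DROP source-routed"
    if pkt.proto == IPPROTO_ICMP:
        icmp_type = pkt.payload[0]
        if icmp_type == ICMP_REDIRECT:
            return "DROP redirect"
        if icmp_type == ICMP_ECHO_REQUEST and pkt.dst == FIREWALL_ADDR:
            return "DROP echo-request to firewall"
        if icmp_type == ICMP_SOURCE_QUENCH:
            return "ACCEPT source-quench (logged)"
        return "ACCEPT icmp"
    if pkt.proto == IPPROTO_TCP:
        dport = struct.unpack("!H", pkt.payload[2:4])[0]
        return "ACCEPT tcp/25" if dport == 25 else "DROP tcp"
    return "DROP other"

def inspect_application(raw: bytes) -> str:
    """What the port rule cannot see: the first bytes of the TCP data."""
    pkt = parse_ipv4(raw)
    data = pkt.payload[(pkt.payload[12] >> 4) * 4:]   # skip the TCP header
    if data[:5] in (b"HELO ", b"EHLO "):
        return "smtp"
    if data[:4] in (b"GET ", b"POST"):
        return "http-on-smtp-port"
    return "unknown"

# --- constructed sample packets (checksums left zero; not verified here) ---
def build_ipv4(src, dst, proto, payload, options=b""):
    options += b"\x00" * (-len(options) % 4)          # pad options to 32-bit words
    ihl = 5 + len(options) // 4
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload),
                      0, 0, 64, proto, 0, addr(src), addr(dst))
    return hdr + options + payload

def icmp(kind, code=0):
    return struct.pack("!BBH4s", kind, code, 0, b"\0\0\0\0")

def tcp(sport, dport, data):   # minimal 20-byte header: data offset 5, flags PSH|ACK
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) + data

SAMPLES = {
    "redirect": build_ipv4("198.51.100.7", "192.0.2.10", IPPROTO_ICMP, icmp(ICMP_REDIRECT, 1)),
    "ping-firewall": build_ipv4("198.51.100.7", FIREWALL_ADDR, IPPROTO_ICMP, icmp(ICMP_ECHO_REQUEST)),
    "ping-dmz-web": build_ipv4("198.51.100.7", "192.0.2.80", IPPROTO_ICMP, icmp(ICMP_ECHO_REQUEST)),
    "quench": build_ipv4("198.51.100.1", "192.0.2.10", IPPROTO_ICMP, icmp(ICMP_SOURCE_QUENCH)),
    # LSRR option: type 131, length 7, pointer 4, one hop address (then padding)
    "lsrr-ping": build_ipv4("198.51.100.7", "192.0.2.80", IPPROTO_ICMP, icmp(ICMP_ECHO_REQUEST),
                            options=bytes([131, 7, 4, 10, 0, 0, 1])),
    "smtp": build_ipv4("198.51.100.7", "192.0.2.25", IPPROTO_TCP, tcp(40000, 25, b"EHLO mail.example\r\n")),
    "http-on-25": build_ipv4("198.51.100.7", "192.0.2.25", IPPROTO_TCP, tcp(40001, 25, b"GET / HTTP/1.0\r\n\r\n")),
}

def evaluate_all():
    """Both views over every sample: {name: (filter verdict, application view)}."""
    return {name: (filter_packet(raw),
                   inspect_application(raw) if parse_ipv4(raw).proto == IPPROTO_TCP else "-")
            for name, raw in SAMPLES.items()}
```

Running `evaluate_all()` shows the split the thread is arguing about: the header-level rules settle the ICMP and source-route cases by themselves, but both TCP samples get the same `ACCEPT tcp/25` verdict, and only `inspect_application` separates the SMTP greeting from an HTTP request arriving on the mail port. Whether that second check belongs in a proxy or, as Mike Jones argues later in the thread, in kernel code on a dedicated box, is the performance trade-off the posts discuss; the classification logic is the same either way.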
From firewalls-owner Mon Apr 6 06:52:30 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA14470; Mon, 6 Apr 1998 06:21:00 -0700 (PDT)
Received: from actionweb.com ([209.150.128.66]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA14457 for ; Mon, 6 Apr 1998 06:20:51 -0700 (PDT)
Received: from putergirl.com ([199.227.242.215]) by actionweb.com (8.8.5/8.8.5) with ESMTP id IAA04989 for ; Mon, 6 Apr 1998 08:27:55 -0500
Message-ID: <352901A3.632E7756@putergirl.com>
Date: Mon, 06 Apr 1998 09:24:03 -0700
From: Eileen Bonfiglio
Organization: PuterGirl, Inc
X-Mailer: Mozilla 4.04 [en] (Win95; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.com
Subject: web server set up
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all,

I am seeking some information on setting up an NT web server and would value any and all info/advice/recommendations.

Thanks,
Eileen

From firewalls-owner Mon Apr 6 07:27:03 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA23443; Mon, 6 Apr 1998 07:12:58 -0700 (PDT)
Received: from zika.zika.co.at (hp1.OOeNet.AT [193.81.245.34]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id HAA23380; Mon, 6 Apr 1998 07:12:40 -0700 (PDT)
Received: from DialIN18.AS5200.ooenet.at by zika.zika.co.at with SMTP (1.38.193.4/16.2) id AA20993; Mon, 6 Apr 1998 16:25:06 +0200
Message-Id: <3528E402.11ABD40C@linznet.at>
Date: Mon, 06 Apr 1998 16:17:38 +0200
From: Manfred Hahn
Reply-To: hahn@linznet.at
Organization: ConnecT-GmbH
X-Mailer: Mozilla 4.03 [de] (Win95; I)
Mime-Version: 1.0
To: Firewalls@GreatCircle.COM
Cc: firewalls-digest@GreatCircle.COM
Subject: ATM-Firewall
Content-Type: multipart/mixed; boundary="------------376637A72A207F33E659E89A"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is a multi-part message in MIME format.
--------------376637A72A207F33E659E89A
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

Hi there!!!

Have you ever heard of a system called ATLAS??? ATM-Line-Access-And-Security. It is an ATM-Firewall filtering cells with a speed of 155 Mbs. It supports Classical-IP, LAN-Emulation and FORE-IP over ATM. At the end of 1998 it will also support MPOA over ATM. CISCO's 7513 is not able to filter on layer 3 (needed for MPOA) but ATLAS will. You can set more than 1000 filters without any performance degradation. In addition, if two ATLAS-Systems talk to each other across an ATM-Network you can encrypt the data as well. So, what else do you need to secure your data on an ATM-Network.

If you need more information here is my phone number: ...43-732-377080 or e-mail: hahn@connect-gmbh.de

Hope I can help!!!

Regards

--------------376637A72A207F33E659E89A
Content-Type: text/x-vcard; charset=us-ascii; name="vcard.vcf"
Content-Transfer-Encoding: 7bit
Content-Description: Visitenkarte für Manfred Hahn
Content-Disposition: attachment; filename="vcard.vcf"

begin: vcard
fn: Manfred Hahn
n: Hahn;Manfred
org: ConnecT GmbH
email;internet: hahn@linznet.at
title: Netzwerk-Consultant
x-mozilla-cpt: ;0
x-mozilla-html: FALSE
version: 2.1
end: vcard

--------------376637A72A207F33E659E89A--

From firewalls-owner Mon Apr 6 08:06:34 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA27165; Mon, 6 Apr 1998 07:33:40 -0700 (PDT)
Received: from web02.globecomm.net (web02.nyc.globecomm.net [207.51.48.39]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id HAA27141 for ; Mon, 6 Apr 1998 07:33:33 -0700 (PDT)
From: mcbryde@iname.com
Received: (from root@localhost) by web02.globecomm.net (8.8.8/8.8.0) id JAA00127; Mon, 6 Apr 1998 09:53:27 -0400 (EDT)
Date: Mon, 6 Apr 1998 09:53:27 -0400 (EDT)
Message-Id: <199804061353.JAA00127@web02.globecomm.net>
Content-Type: text/plain
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Content-Transfer-Encoding: 7bit
Subject: Opinions on firewall appliances
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've been reading this list for a long time and have never seen firewall appliances like the Fort Knox Policy Router mentioned. For those of us with limited human and cash resources they look attractive. Anyone care to talk me in/out of one?

---------------------------------------------------
Get free personalized email at http://www.iname.com

From firewalls-owner Mon Apr 6 08:22:03 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA23245; Mon, 6 Apr 1998 07:11:32 -0700 (PDT)
Received: from mailhost.unifiedtech.com (paulaner.unifiedtech.com [205.219.167.102]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id HAA23155 for ; Mon, 6 Apr 1998 07:11:12 -0700 (PDT)
Received: from unifiedtech.com by mailhost.unifiedtech.com (SMI-8.6/SMI-SVR4) id KAA20153; Mon, 6 Apr 1998 10:14:33 -0400
Message-ID: <3528E32D.A3E4BDBA@unifiedtech.com>
Date: Mon, 06 Apr 1998 10:14:05 -0400
From: Mike Jones
Organization: Unified Technologies
X-Mailer: Mozilla 4.04 [en] (Win95; I)
MIME-Version: 1.0
To: Christopher Zarcone
CC: ryanr@sybase.com, firewalls@greatcircle.com
Subject: Re: socks versus fw-1 stateful inspection vulnerabilities
References: <199804061209.IAA01498@data.camelot>
Content-Type: multipart/mixed; boundary="------------62450AD3CF52D5F366EA1935"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is a multi-part message in MIME format.
--------------62450AD3CF52D5F366EA1935
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Christopher Zarcone wrote:

> I suppose I should clarify what I said:
> Historically I have come to understand "packet filtering" as screening based on
> IP-level and transport level information. With such limited information, you
> can't determine with certainty the application-level service; you can only make
> a best guess.

True enough.
>
> Of course, if you have a more advanced packet filter, you could arbitrarily
> examine any or all bits in the entire packet. At that point, though, you're
> basically performing application-level analysis, and incurring the performance
> penalty, so why not use a proxy?

You're not necessarily incurring the performance penalty, though. If you're doing this in the kernel, you're not incurring the overhead of (at least) two context switches per UDP datagram or TCP message. Generally, I'm not an advocate of putting stuff like this in the kernel, but on a special purpose box I'm willing to make an exception.

--------------62450AD3CF52D5F366EA1935
Content-Type: text/x-vcard; charset=us-ascii; name="vcard.vcf"
Content-Transfer-Encoding: 7bit
Content-Description: Card for Mike Jones
Content-Disposition: attachment; filename="vcard.vcf"

begin: vcard
fn: Mike Jones
n: Jones;Mike
org: Unified Technologies
email;internet: mike.jones@unifiedtech.com
title: Senior Technology Advisor
x-mozilla-cpt: ;0
x-mozilla-html: TRUE
version: 2.1
end: vcard

--------------62450AD3CF52D5F366EA1935--

From firewalls-owner Mon Apr 6 10:29:51 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA19977; Mon, 6 Apr 1998 09:32:33 -0700 (PDT)
Received: from miles.greatcircle.com (miles.greatcircle.com [198.102.244.45]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id IAA08219 for ; Mon, 6 Apr 1998 08:33:14 -0700 (PDT)
Received: from zeke.gov.yk.ca ([199.247.128.34]) by miles.greatcircle.com (8.8.5/8.8.5) with ESMTP id IAA10684 for ; Mon, 6 Apr 1998 08:36:33 -0700 (PDT)
Received: by zeke.gov.yk.ca; id IAA20493; Mon, 6 Apr 1998 08:37:53 -0700 (PDT)
Received: from unknown(199.247.130.34) by zeke.gov.yk.ca via smap (4.1) id xma020345; Mon, 6 Apr 98 08:36:54 -0700
Received: from 185580 ([199.247.134.102]) by raptor.gov.yk.ca with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.1960.3) id 2D3MXYS2; Mon, 6 Apr 1998 08:36:54 -0700
Message-Id: <1.5.4.32.19980406153655.008ec940@mailhost.gov.yk.ca>
X-Sender: ynet\kwiat\larry.kwiat@mailhost.gov.yk.ca
X-Mailer: Windows Eudora Light Version 1.5.4 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 06 Apr 1998 08:36:55 -0700
To: "Ryan Russell" , "Stout, William"
From: Larry Kwiat
Subject: Re: Unwanted data appears inside firewalled network
Cc: "'Firewalls@GreatCircle.COM'"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 04:05 PM 4/3/98 -0800, Ryan Russell wrote:
>No, layer 8 is economics, and layer 9 is politics. Since
>OSI layers rely on the lower layers, it's not possible to
>build an intelligence layer on top of that.
>
> Ryan
------------------------------------
>We're mentally confined to this completely artificial layer model.
>Crackers aren't. We could build an AI system on the perimeter wall to
>add intelligence on the firewall. Or we could build a network-wide
>management system (tied into firewalls, virus scanners, & IDS probes) to
>create a 'ceiling' across the perimeter walls.
>
>Bill Stout

...right. But I think they really are the first two layers, upon which all else depends. Solid decision making. You've got to come in "under the wire" with these two, before anything of little unforeseen consequence is possible. Ask any engineer. I agree we all too often ignore them.
Sincerely,
Larry Kwiat
Security Coordinator
Government of Yukon
Larry.Kwiat@gov.yk.ca
Phone: (867) 667-8081

From firewalls-owner Mon Apr 6 10:51:52 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA28564; Mon, 6 Apr 1998 10:48:20 -0700 (PDT)
Received: from pse02.pios.com ([199.33.129.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id KAA28544 for ; Mon, 6 Apr 1998 10:48:10 -0700 (PDT)
Received: by pse02.pios.com; (5.65v3.2/1.3/10May95) id AA06215; Mon, 6 Apr 1998 13:53:09 -0400
Date: Mon, 06 Apr 1998 13:53:04 -0400
From: "Stout, William"
Subject: Firewall Layers (was RE: Unwanted data appears inside firewalled network)
To: "'Ryan Russell'"
Cc: "'Firewalls@GreatCircle.COM'"
Message-Id:
Mime-Version: 1.0
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> ----- Original Message -----
> From: Ryan Russell [SMTP:ryanr@sybase.com]
> Sent: Friday, April 03, 1998, 17:05:53
> To: Stout, William
> Cc: 'Firewalls@GreatCircle.COM'
> Subject: Re: Unwanted data appears inside firewalled network
>
> No, layer 8 is economics, and layer 9 is politics. Since
> OSI layers rely on the lower layers, it's not possible to
> build an intelligence layer on top of that.

ROTFL - ;D - I knew someone was gonna say that. But you forgot to mention religion. That also adds a 'blind faith' element which often affects the intelligence layer.

The thought I poorly expressed is that we're mentally boxed in by this stupid 7-layer limit. Layer 7 is a catch-all for everything between the 'presentation' and 'user' layers. But the user still has to use the app based on real layers of knowledge, intellect, time, politics, money and other things.

First there were (software) routers which had a list of static or learned routes, then gateways with the previous plus a user/password list, then application proxies with the previous plus a list of rules. Next there is a layer of knowledge or management required to run or 'train' that application which is missing. I'm thinking something along the lines of a virus scanner/IDS/e-mail surveillance app, which oversees other application proxies and data based on higher-level rules. This could use 'fuzzy searches' of a rule 'knowledge base' to look for and identify characteristics/sources of SPAM messages, viruses, sensitive files leaving the network, etc. In a firewall this would equate to an advanced rule management system (hmmm, user training is merely memorizing a set of rules). The next statement may then be correct: The next step in firewalls is an advanced rule system.

Maybe I should say 'knowledge app' instead of 'AI'. I meant 'Intelligence' as in 'Military Intelligence', not real intellect. 'Consciousness' can be higher yet; I've tracked errors to malfunctions at that layer and the 'Intellect' layer. - :)

Bill Stout
________________________________________________________________________
________
Buy Gold & Silver
Even if Y2K (stock market) crashes don't come, everyone else protecting their assets will raise the price.
(Be safe - don't travel on Y2K)

From firewalls-owner Mon Apr 6 11:20:45 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA29551; Mon, 6 Apr 1998 10:56:18 -0700 (PDT)
Received: from www.ctrl-alt-del.com (ctrl-alt-del.com [206.163.47.249]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA29517 for ; Mon, 6 Apr 1998 10:56:07 -0700 (PDT)
Received: from localhost (alan@localhost) by www.ctrl-alt-del.com (8.9.0.Beta5/8.8.5) with SMTP id LAA01899; Mon, 6 Apr 1998 11:07:36 GMT
Date: Mon, 6 Apr 1998 11:07:36 +0000 (/etc/localtime)
From: Alan
To: Eileen Bonfiglio
cc: firewalls@GreatCircle.COM
Subject: Re: web server set up
In-Reply-To: <352901A3.632E7756@putergirl.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 6 Apr 1998, Eileen Bonfiglio wrote:

> I am seeking some information on setting up an NT web server and would
> value any and all info/advice/recommendations.

Check out Apache. The latest betas work great on NT.

alan@ctrl-alt-del.com | Note to AOL users: for a quick shortcut to reply
Alan Olsen            | to my mail, just hit the ctrl, alt and del keys.
From firewalls-owner Mon Apr 6 11:21:26 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA00594; Mon, 6 Apr 1998 11:02:35 -0700 (PDT)
Received: from mailer.syr.edu (mailer.syr.edu [128.230.20.20]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id LAA00583 for ; Mon, 6 Apr 1998 11:02:29 -0700 (PDT)
Received: from rodan.syr.edu by mailer.syr.edu (LSMTP for Windows NT v1.1a) with SMTP id <0.5C51D560@mailer.syr.edu>; Mon, 6 Apr 1998 14:07:40 -0400
Received: from localhost (rgrimsha@localhost) by rodan.syr.edu (8.8.7/8.8.7) with SMTP id OAA18082; Mon, 6 Apr 1998 14:07:35 -0400 (EDT)
X-Authentication-Warning: rodan.syr.edu: rgrimsha owned process doing -bs
Date: Mon, 6 Apr 1998 14:07:35 -0400 (EDT)
From: Randy Grimshaw
X-Sender: rgrimsha@rodan.syr.edu
To: Vin McLellan
cc: firewalls@GreatCircle.COM
Subject: Re: SecurID & a Biometric & a PIN
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The thought it provokes for me is to hurry up and patent all of the technology our government agencies have been using for years... but being a government agency, places these things in the public domain (after de-classification) and never informs the patent office. This one should tie up the courts for a while.

<> Cryptography Mailing List.
_Vin>
>
> Method and apparatus for securely handling a personal identification
> number or cryptographic key using biometric techniques
> (assignee -- mytec technologies inc.)
>
> Patent Number: 5712912
>
> Issue Date: 1998 01 27
>
> Inventor(s): Tomko, George J.; Stoianov, Alexei

From firewalls-owner Mon Apr 6 12:21:33 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA12202; Mon, 6 Apr 1998 12:17:48 -0700 (PDT)
Received: from mail.eclipse.net (mail.eclipse.net [207.207.192.13]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id MAA12163 for ; Mon, 6 Apr 1998 12:17:37 -0700 (PDT)
Received: from uart (or1-7.eclipse.net [207.207.200.7]) by mail.eclipse.net (8.8.6/8.8.6) with SMTP id PAA25429; Mon, 6 Apr 1998 15:22:32 -0400 (EDT)
Date: Mon, 6 Apr 1998 15:22:02 -0400 (EDT)
From: quiksilver
X-Sender: quik@uart
To: JonnyBoy85
cc: firewalls@greatcircle.com
Subject: Re: Hi
In-Reply-To: <5fa01b9b.3522baf1@aol.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Actually, T2 lines were invented and used for a short period of time. Today, no one uses them and they are virtually extinct.

On Wed, 1 Apr 1998, JonnyBoy85 wrote:

> Hi all,
> thanks for the help and advice from my last post..
>
> Maybe you can help me with another query. Can anybody explain about T1,T2,
> and T3 lines, they're like ISDN I think. I have tried everywhere to find out
> about them, and was starting to think that there was no such thing as a T3,
> but I found out again today that there is.
>
> Thanks again everybody..
>
> Jonathan
>
>
>

From firewalls-owner Mon Apr 6 12:40:04 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id LAA05767; Mon, 6 Apr 1998 11:40:13 -0700 (PDT)
Received: from ds5200.sistecol.com (ds5200.sistecol.com [200.9.31.1]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id LAA05646 for ; Mon, 6 Apr 1998 11:39:16 -0700 (PDT)
Received: from texmail.sistecol.com (texmail.sistecol.com [200.9.22.7]) by ds5200.sistecol.com (8.8.8/8.8.8) with ESMTP id NAA18479 for ; Mon, 6 Apr 1998 13:56:50 -0500
Received: by TEXMAIL with Internet Mail Service (5.5.1960.3) id ; Mon, 6 Apr 1998 13:39:31 -0500
Message-ID: <21CD48C59A6AD1119A1F00805F297AFA1EA29B@TEXMAIL>
From: Ezequiel Bautista
To: Firewalls@GreatCircle.COM
Subject: RE: Firewalls-Digest V7 #140
Date: Mon, 6 Apr 1998 13:39:23 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I am interested in "Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network".

Company Name: Texins s.a.
Contact Person: Ezequiel Bautista León
Street Address: Cra. 20 # 88 - 20
City: Bogota
State: Cundinamarca
Zip or Postal Route: 90 1
Country: Colombia (South America)
Telephone: + 57 1 218 53 00
Email: bautez@texins.sistecol.com
URL: www.sistecol.com/@texins
Services: Security Design, Security Implementation, Network Management

Thanks,
Ezequiel Bautista L.
Systems Engineer

From firewalls-owner Mon Apr 6 12:42:20 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA29362; Mon, 6 Apr 1998 10:55:11 -0700 (PDT)
Received: from cs.weber.edu ([137.190.16.18]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id KAA29339 for ; Mon, 6 Apr 1998 10:54:59 -0700 (PDT)
Received: from icarus.weber.edu by cs.weber.edu (4.1/SMI-4.1.1) id AA01048; Mon, 6 Apr 98 11:55:55 MDT
Received: by icarus.weber.edu (SMI-8.6/SMI-SVR4) id MAA05017; Mon, 6 Apr 1998 12:06:14 -0600
Date: Mon, 6 Apr 1998 12:06:13 -0600 (MDT)
From: Henry Hertz Hobbit
X-Sender: hhhobbit@icarus
To: Anonymous
Cc: firewalls@greatcircle.com
Subject: re: Hackers Suck
In-Reply-To: <199803281915.UAA17135@basement.replay.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 28 Mar 1998, Anonymous wrote:

> Received: from . (pm3-10-133.ama.arn.net [204.254.144.133])
> by arnet.arn.net (8.8.7/8.8.7) with SMTP id XAA10910
> From: Nobody
> Message-Id: <199803280527.XAA10910@arnet.arn.net>
> organization: Arnet Inc.
> subject: Hackers Suck
> Sender: firewalls-owner@GreatCircle.COM
> Precedence: bulk
> To: undisclosed-recipients:;
> X-UID: 372
>
> > Hackers Suck. All they do is cause grief to innocent bystanders.
>
> is that an attempt at humor? kindly explain what hackers have to do
> with bystanders and in what way they have, as you state, caused them 'grief'.
> i would be very interested to know.

Actually hackers are better people by far than the people trying to catch them. I am referring to the FBI. I forwarded a script in a previous email message that referred to them as the 'Filthy Beelzebub Infidels'. Perhaps I should explain myself. If you all would go to the largest library near you that has the *Journal* *of* *Parapsychology*, you might find that they have been doing hypnotic-induction programming involving *SATANIC* key words. Thus my statement that they are the 'Filthy Beelzebub Infidels'. Can we bust them free of it? HELL NO! Why not? Because [a] the insane Psychiatrists and Psychologists won't do it to themselves, and [b] they won't allow other Psychologists and Psychiatrists outside their organization to do a peer review of what they are doing. I wonder why?

What do hackers do?
===================

1. Waste a lot of time doing something that doesn't help anyone, including themselves. Unfortunately, they are too dumb to see this.

2. Cause a hell of a lot of grief to harried System Administrators that are frequently under-trained or not trained at all and are so busy keeping the systems going that they don't even have time to see that they have the latest patches, etc. In fact, they probably feel good the systems are running at all (thinking of the SCSI problem that plagues this site that wasn't there with an earlier version of the OS).

3. Destroy themselves. I know they don't see it this way, but if they look at what they are doing long and hard and then fast forward when they are in their 70s, 80s, or 90s and facing death square in the face I ask them to do one thing. Can you honestly say that you helped people by hacking into systems? So the people you hacked into made their systems a little more secure. That is like saying all rapists are improving society by making people take even more stringent measures to protect themselves. Do you actually consider this beneficial to others or yourselves?

4. You are proving the FBI's and other organizations' claims that all people are bad (certifiably untrue) and giving them all the ammunition they need to ask for connection points on all major trunk lines and at all ISPs, and demanding total control of encryption. They are asking for it you know. Does that mean they will snoop in on everyone? NO! They don't even have the time to pursue more than 10% of computer break-ins (but over a year to develop the Satanic crap they are pursuing). Good ole J Gordon Liddy is now having his case that they should not be given these powers because of Ruby Ridge - Idaho, Waco - Texas, and Richard Jewell being shot down completely by you dumb jackass people hacking into systems.

Hackers are you really helping? Do you care about what your activities are doing to totally destroy what the Electronic Frontier Foundation (EFF) does? No, I don't go to Porno sites; my only interest is to make sure there aren't significant government intrusions into this new medium that will severely limit the free flow of information that is beneficial to this society.

I guess what I am saying is, before we all do our knee jerk reactions to what hackers are doing, *ALL* of us (that ESPECIALLY includes me) need to think about society as a whole. Societies that succeed depend on people doing to others as they would have others do to them.

Am I a hacker? No. I can also honestly say that I have never hacked into a system in my life, and for the life of me cannot understand why somebody thinks it is helping somebody. No matter how many security holes that are plugged, more will continue to be exposed. In fact, I have finally concluded that the security holes are endless. Systems are too complex any more to find all of them.

So, Mr. Hacker, think long and hard about what you are doing. Are you promoting some insane Psychiatrists/Psychologists at the FBI into destroying hundreds if not thousands of lives with their damn Satanic programming? The most amazing thing about this to me is that almost none of the Psychologists (I have a degree in that area as well as in Math and Computer Science) know they are doing it. I can well imagine why the Psych staff at the FBI want to keep it hidden.
If they had what they were doing come up for peer review, it would not only be shot down - the Psychologists & Psychiatrists at the FBI would be locked up in a rubber room where they could not only stop destroying others, but they would not harm themselves as well. They are certifiably insane. So, I have only ONE last question to ask the hackers. If you can honestly say that you are showing your LOVE for others by hacking in then continue hacking in. If you can't answer this question in the affirmative, go do something useful with your lives that helps others. My 0.02 worth Henry Hertz Hobbit PS And I *STILL* claim that most of the people I meet are good people that don't want to harm others - they want to help them. My experience has proved that. From firewalls-owner Mon Apr 6 13:00:47 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id MAA09321; Mon, 6 Apr 1998 12:00:45 -0700 (PDT) Received: from pse02.pios.com ([199.33.129.3]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id MAA09302 for ; Mon, 6 Apr 1998 12:00:37 -0700 (PDT) Received: by pse02.pios.com; (5.65v3.2/1.3/10May95) id AA07818; Mon, 6 Apr 1998 15:05:39 -0400 Date: Mon, 06 Apr 1998 15:05:35 -0400 From: "Stout, William" Subject: RE: socks versus fw-1 stateful inspection vulnerabilities To: "'Ryan Russell'" Cc: "'firewalls@GreatCircle.COM'" Message-Id: Mime-Version: 1.0 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk State vs. proxy is a religious issue for some, but then again, some swear by MS-Proxy as a firewall. I've seen the problem first hand, and the Checkpoint-1 report from the NSA points this out also. 
The NSA pointed out state-based specific vulnerabilities (which their report admits they did not fully test):

  Exploitation of an allowed service
  Insider threat - opening up ports to the outside
  Exploitation of ports opened by a legitimate user
  Subversion of the stateful packet filtering mechanism

The test "Test 6: Overflow of internal tables" describes the overflow, results, and DOS attack. The problem should be fixed by now. Staunch defenders of the packet filter faith deny it ever happened. See http://mitten.ie.org/fw1/fw1.htm#statefulpacket

Bill Stout

> ----- Original Message -----
> From: Ryan Russell [SMTP:ryanr@sybase.com]
> Sent: Sunday, April 05, 1998, 17:09:36
> To: Stout, William
> Cc: firewalls@GreatCircle.COM
> Subject: Re: socks versus fw-1 stateful inspection vulnerabilities
>
> My claim is that some folks, perhaps with vested interests in seeing
> leading SPF vendors lose market, have been trying to make people think
> that state tables are prone to corruption without providing any examples.
>
> If you've got details on the problem you've mentioned, I'd love to hear them.
>
> Ryan
>
> Stepken on 04/05/98 01:29:57 PM
>
> To: Ryan Russell/SYBASE
> cc: Christopher Zarcone, firewalls@GreatCircle.COM
> Subject: Re: socks versus fw-1 stateful inspection vulnerabilities
>
> Ryan Russell wrote:
> >
> > >I can't speak from experience, but I've also read stories of state tables
> > >becoming corrupt, usually with interesting consequences.
> >
> > No, you haven't. What you've heard is AG vendors claim that this could happen.
> > The same vendors fail to point out that they suffer from the same issue if the
> > very similar TCP connection tables built into the OS that they rely on
> > become corrupt. If your hardware flakes out, all bets are off on the security
> > software.
>
> I did some very stressing tests on firewalls with SPF and dynamic rules.
> I was able to cause some memory overflow, which can be exploited as
> buffer overflow, depending on the memory model of the OS.
> Very often they use some well known hash functions (e.g. GNU), which also
> have collisions. Such attacks are very special ones, but they can be
> done.
>
> regards, Guido Stepken
>
> ----- End Of Original Message -----

From firewalls-owner Mon Apr 6 16:14:10 1998
Date: Mon, 6 Apr 1998 14:10:18 -0700
From: "Ryan Russell"
To: Christopher Zarcone
Cc: firewalls@greatcircle.com
Subject: Re: socks versus fw-1 stateful inspection vulnerabilities

There are a number of reasons.. flexibility, speed (I believe that SPFs would be slightly faster than AGs when doing as much work, I might be wrong,) and the fact the SPFs can do more. I'll update my rant soon, and qualify that last point.
But, now you've agreed with the short point I was trying to make (that SPFs can do the same thing as AGs if programmed to do so) and I've started into the "Why I think SPFs are cool" discussion, so I'll drop it.

Ryan

Christopher Zarcone on 04/06/98 05:09:24 AM
Please respond to Christopher Zarcone

To: Ryan Russell/SYBASE
cc: firewalls@greatcircle.com
Subject: Re: socks versus fw-1 stateful inspection vulnerabilities

Ryan,

I suppose I should clarify what I said: Historically I have come to understand "packet filtering" as screening based on IP-level and transport-level information. With such limited information, you can't determine with certainty the application-level service; you can only make a best guess. Of course, if you have a more advanced packet filter, you could arbitrarily examine any or all bits in the entire packet. At that point, though, you're basically performing application-level analysis, and incurring the performance penalty, so why not use a proxy?

Regards,
Chris

Christopher Zarcone - Data Communications Design Analyst
Lockheed Martin Enterprise Information Systems
czarcone@vf.lmco.com * Chris.Zarcone@lmco.com * czarcone@acm.org
My opinions do not necessarily reflect those of my employer.

> >Jon,
> >
> >Stateful inspection engines suffer the same disadvantages as packet filters,
> >because THEY ARE packet filters.
>
> But they are not JUST packet filters.
>
> >I would say that (my) single biggest problem with packet filtering is
> >application-level security (e.g. how can a packet filter differentiate a
> >sendmail server from a rogue webserver running on port 25? It can't. A proxy
> >can.)
>
> They can, in the same manner that a proxy can.

From firewalls-owner Mon Apr 6 17:02:45 1998
Date: Mon, 6 Apr 1998 14:01:29 -0700
From: "Ryan Russell"
To: "Stout, William"
Cc: "'firewalls@GreatCircle.COM'"
Subject: RE: socks versus fw-1 stateful inspection vulnerabilities

>State vs. proxy is a religious issue for some, but then again, some
>swear by MS-Proxy as a firewall.

Indeed, I've participated in such discussions.

>I've seen the problem first hand, and the Checkpoint-1 report from the
>NSA points this out also.

You must be referring to the table filling up, and the firewall dropping connections. I've confirmed this on this list as well. I don't consider this to be a corruption of the table, as it behaves exactly as expected, and disallows new connections and doesn't crash. The one bad thing I will say is that it starts burning CPU time under those conditions, and I don't know why that should be. Perhaps it has to do with the algorithm it uses to clear old entries? Set the fwhmem parameter low, and run IS from ISS through it if you want to see it in action.
>The NSA pointed out state-based specific vulnerabilities (which their
>report admits they did not fully test):
> Exploitation of an allowed service
> Insider threat - opening up ports to the outside
> Exploitation of ports opened by a legitimate user
> Subversion of the stateful packet filtering mechanism

In fact, the article states quite clearly that these are not SPF specific, except for the last one.

>The test "Test 6: Overflow of internal tables" describes the overflow,
>results, and DOS attack. The problem should be fixed by now. Staunch
>defenders of the packet filter faith deny it ever happened. See
>http://mitten.ie.org/fw1/fw1.htm#statefulpacket

I don't deny it happened, and I think I qualify as a staunch SPF defender. As mentioned before, I can confirm those results. I've also seen my old AG go choke regularly, mostly due to slow hardware and an older OS (SunOS on Sparc 5.) The TCP SYN attack is a similar example. If your table fills up, and denies new requests, and doesn't overflow onto the stack or some such, that's really OK, and as it should be.
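The table-full behaviour argued over in this thread (new connections refused, established ones unaffected, nothing overflows, and expiry of old entries kept cheap so a full table does not turn into a CPU burn), modelled as an added example; this is not FireWall-1 code or anything posted to the list, the real product's algorithm is unknown here, and the flow keys, timeouts and packet trace are constructed.

```python
from __future__ import annotations

from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowKey:
    """5-tuple identifying one connection in the state table."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StateTable:
    """Fixed-size connection table with idle-timeout expiry.

    Properties the thread argues a sane stateful filter must keep:
      * never more than max_entries entries, so a full table cannot spill
        into anything else (no overflow, no crash);
      * when full, new flows are refused while established flows still pass;
      * expiry work per packet is bounded (expire_batch), so a table under
        load degrades predictably instead of rescanning every entry.
    """

    NEW = "NEW"                      # first packet of a flow, state created
    ESTABLISHED = "ESTABLISHED"      # matched a live entry
    DENY_FULL = "DENY-FULL"          # table full: fail closed
    DENY_NO_STATE = "DENY-NO-STATE"  # mid-stream packet with no live entry

    def __init__(self, max_entries: int, idle_timeout: float,
                 expire_batch: int = 8) -> None:
        self.max_entries = max_entries
        self.idle_timeout = idle_timeout
        self.expire_batch = expire_batch
        # Ordered oldest -> newest by last_seen; a refresh moves the entry
        # to the end, so the head is always the best expiry candidate.
        self._entries: OrderedDict[FlowKey, float] = OrderedDict()
        self.denied_full = 0

    def size(self) -> int:
        return len(self._entries)

    def _is_stale(self, last_seen: float, now: float) -> bool:
        return now - last_seen >= self.idle_timeout

    def _expire(self, now: float) -> int:
        """Drop idle entries from the old end, at most expire_batch per call."""
        removed = 0
        while self._entries and removed < self.expire_batch:
            _, last_seen = next(iter(self._entries.items()))
            if not self._is_stale(last_seen, now):
                break  # oldest entry is still fresh, so every newer one is too
            self._entries.popitem(last=False)
            removed += 1
        return removed

    def handle_packet(self, key: FlowKey, now: float, opens_flow: bool) -> str:
        """Classify one packet; opens_flow is True for a TCP SYN."""
        last_seen = self._entries.get(key)
        if last_seen is not None:
            if self._is_stale(last_seen, now):
                del self._entries[key]  # lazily expired: treat as no state
            else:
                self._entries[key] = now
                self._entries.move_to_end(key)
                return self.ESTABLISHED
        if not opens_flow:
            return self.DENY_NO_STATE
        self._expire(now)
        if len(self._entries) >= self.max_entries:
            self.denied_full += 1
            return self.DENY_FULL
        self._entries[key] = now
        return self.NEW


def demo() -> tuple[list[str], StateTable]:
    """Constructed packet trace (not captured traffic) against a 3-entry table."""
    table = StateTable(max_entries=3, idle_timeout=30)
    a = FlowKey("10.0.0.5", 40001, "192.0.2.10", 80)
    b = FlowKey("10.0.0.6", 40002, "192.0.2.10", 80)
    c = FlowKey("10.0.0.7", 40003, "192.0.2.25", 25)
    d = FlowKey("10.0.0.8", 40004, "192.0.2.10", 443)
    e = FlowKey("10.0.0.9", 40005, "192.0.2.10", 80)
    trace = [
        (a, 0.0, True), (b, 0.0, True), (c, 0.0, True),  # table fills
        (d, 1.0, True),    # fourth SYN: refused, nothing else breaks
        (a, 5.0, False),   # data on an existing flow still passes
        (e, 10.0, False),  # mid-stream packet without state: dropped
        (d, 33.0, True),   # b and c idle out, so d now gets a slot
        (b, 34.0, False),  # b was expired: its data no longer matches state
        (a, 36.0, False),  # a idle since t=5: lazily expired on lookup
    ]
    return [table.handle_packet(k, t, s) for k, t, s in trace], table
```

Lowering max_entries is the same experiment as setting the memory parameter low on a real firewall: the table refuses new sessions rather than misbehaving, and the per-packet expiry cost stays bounded regardless of how full it is.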
Ryan

>Bill Stout

From firewalls-owner Mon Apr 6 17:29:40 1998
Date: Mon, 06 Apr 1998 16:29:38 -0700
From: rkizer@sddpc.org (Kizer, Randall)
To: firewalls@GreatCircle.Com
Subject: Novell Question

Maybe there's someone who can help me with this problem, since I'm not that familiar with Novell.

We've recently experienced some problems with "someone" getting into some of our Novell servers with Admin authority, and deleting system files. Novell doesn't have any usable auditing tools, so we've been forced out into the market place to try and find something usable.

Does anyone have any recommendations? Any and all suggestions will be most welcome.

From firewalls-owner Mon Apr 6 17:54:05 1998
Date: Mon, 06 Apr 1998 22:34:55 +0100
From: Pete Philips
To: Firewalls@GreatCircle.COM
Subject: fw-1 stateful inspection vulnerabilities

> I would say that (my) single biggest problem with packet filtering is
> application-level security (e.g. how can a packet filter differentiate a
> sendmail server from a rogue webserver running on port 25? It can't. A proxy
> can.) OTOH, packet filters are generally faster, mainly because filtering
> decisions are made in the lower levels of the IP stack.

This is very interesting.
While on the subject of stateful inspection engines, what do people perceive as the fundamental problems with such an approach? I'd be interested to hear what are thought of as the basic weaknesses.

Pete.

| Pete Philips
| E-mail: alien@netcomuk.co.uk

From firewalls-owner Mon Apr 6 21:21:13 1998
Date: Mon, 6 Apr 1998 23:25:47 -0400 (EDT)
From: cbrenton
To: "Kizer, Randall"
cc: firewalls@GreatCircle.COM
Subject: Re: Novell Question

On Mon, 6 Apr 1998, Kizer, Randall wrote:

> We've recently experienced some problems with "someone" getting into
> some of our Novell servers with Admin authority, and deleting system
> files. Novell doesn't have any usable auditing tools, so we've been
> forced out into the market place to try and find something usable.

If it's NetWare 3.1x, run "security.exe"
If it's NetWare 4.x, run "auditcon.exe"

> Does anyone have any recommendations? Any and all suggestions will
> be most welcome.

Kane will do this, but it's expensive.

Cheers,
Chris

From firewalls-owner Mon Apr 6 21:35:34 1998
Date: Fri, 03 Apr 1998 10:11:14 -0500
From: JOSEPH COSGRIFF
To: firewalls@greatcircle.com
Subject: help on telecom

Hello, I am new to the computer security div. I am attempting to put together an audit program for security measures on a telecom. div. If anyone can provide me any info ref. this I would greatly appreciate it.

Thanks,
Joe

From firewalls-owner Mon Apr 6 23:02:13 1998
Date: Wed, 01 Apr 1998 18:24:46 -0500
From: Rick_McMaster@freddiemac.com (McMaster, Rick)
To: firewalls@GreatCircle.COM (firewalls), rramirez@encomix.es (Roman Ramirez)
Organization: Freddie Mac
Subject: RE: Questions about ICMP

I do not have a real problem with ping to and from specific hosts, but I would never allow traceroute through my firewalls. Using traceroute a person can map your entire internal network.

Rick

----------
>From: Roman Ramirez
>To: firewalls
>Subject: Questions about ICMP
>Date: Wednesday, April 01, 1998 6:27AM
>
>Hello:
>
>I have some questions about ICMP filtering, what kind of icmp packets
>should I filter?
>
>In other way, what icmp options can I permit in packets?
>
>I'm seeking for a RESTRICTIVE policy, but I need to let ping and
>traceroute get out and in...
>
>Thx in advance
>
>--
>http://www.encomix.es/users/patowc
>mailto://rramirez@encomix.es

From firewalls-owner Mon Apr 6 23:49:22 1998
Date: Tue, 7 Apr 1998 08:38:08 +0800 (CST)
From: Ronald Wiplinger
To: Eileen Bonfiglio
cc: firewalls@GreatCircle.COM
Subject: Re: web server set up

On Mon, 6 Apr 1998, Eileen Bonfiglio wrote:

> Hi all
>
> I am seeking some information on setting up an NT web server and would
> value any and all info/advice/recommendations.

Directory info/advice/recommendations cannot be found on an NT server.
(Sorry, I could not resist)

> Thanks
> Eileen

From firewalls-owner Tue Apr 7 01:28:43 1998
Date: Tue, 7 Apr 1998 06:09:37 +0000
From: "CN=D15ML002/OU=15/OU=M/O=IBM@IBMNL"@us.ibm.com
To: Firewalls@GreatCircle.COM
Subject: Ellen M Wesselingh/Netherlands/IBM is out of the office.

I am out of the office from 06-04-98, returning 09-04-98. You will receive only this notification of my absence prior to my return, at which time I will respond. I'm on a course 7 & 8 April, 1998. For urgent matters contact UITVM1(ISGRP).

From firewalls-owner Tue Apr 7 02:22:19 1998
Date: Mon, 6 Apr 1998 11:16:00 -0400 (EDT)
From: Rabid Wombat
To: rkizer@guten.sddpc.org
cc: firewalls@GreatCircle.COM
Subject: Re: Novell Question

Try LT Auditor+ at www.bluelance.com. You should also set up protocol analyzers (w/ filters in place to catch only login info at first, so you don't overflow, then set to the MAC address to catch the whole session) to try to obtain the MAC address. Check to determine which accounts have sufficient rights on the machines/directories in question. Change passwords, and keep track of who has access to the new passwords. Keep supervisory access to a minimum.
You can also set up a script to run "userlist /a" on a regular basis and pipe the output to a file in an attempt to locate the offending MAC address, time/date, login name and station location. Set up logging on your dial-in access either via your terminal server (if it has this ability), and/or a protocol analyzer. Dial-up by a disgruntled ex-sysadmin is always a prime suspect.

Document what you do, and what you find (date, time, who witnessed, what you did, what the intruder did, etc.) in case you need this for court, if it comes to that.

Oh, and by the way, check to make sure you haven't set up your new-fangled tape backup software to "archive" files older than a certain date. Last time I got called in to check out a situation like this, that is what the "intruder" turned out to be. :)

-r.w.

On Mon, 6 Apr 1998 rkizer@guten.sddpc.org wrote:

> Maybe there's someone who can help me with this problem, since I'm not
> that familiar with Novell.
>
> We've recently experienced some problems with "someone" getting into
> some of our Novell servers with Admin authority, and deleting system
> files. Novell doesn't have any usable auditing tools, so we've been
> forced out into the market place to try and find something usable.
>
> Does anyone have any recommendations? Any and all suggestions will
> be most welcome.

From firewalls-owner Tue Apr 7 02:24:23 1998
Date: Sat, 4 Apr 1998 09:30:43 -0500 (EST)
From: "Paul D. Robertson"
To: "Renard, Kenneth"
Cc: firewalls@GreatCircle.COM, Vin McLellan, Jesse Brown
Subject: Re: SecurID & a Biometric & a PIN! (Was: Ammunition, please)

On Tue, 31 Mar 1998, Renard, Kenneth wrote:

> Take an analytical step back and look at the biometric data. The
> measurement that it takes is going to be transformed into a "signature"
> of the scan, fingerprint, voice data. This signature/transform must
> remove (most?) variations among different measurements over time and
> various measuring devices. The data used (compared) will be relatively
> static. We've learned from passwords that "static" can be bad.
You're probably going to see two arguments from this in the near term, first of all, generally they'll be replacing static password systems (ATMs being the most visible case, because PIN numbers are static, and therefore *not* an additional layer of security, drivers' licenses are also static and generally fairly easily reproducable, checks (cheques) even easier to produce), and secondly for most applications, such as banking, something you are is better than something you lose or something you forget, since the customer service costs are much lower when taking care of the 95th percentile of everything working ok. The fraud numbers will have to be pretty high before the banks will look beyond the currently being fielded technology. > Biometric data has an extremely low degree of secrecy. I can get your > fingerprint from your coffee mug, a retinal scan from your eye doctor, a > face print from seeing you in the streets, etc. The signature/transform > algorithm is assumed to be known (autocorrelation function for voice, > etc.). Therefore, I can easily generate the biometric data necessary to > assume your identity. "Stealing" the data can be done much easier and > secretly than an attack on the body. I, for one, would barely notice a > missing coffee mug compared to a missing digit. Assume the data is > stolen. This is true. The three highest points of vulnerability outside of the biometric itself are being able to spoof the analog portion of the collection agent, being able to spoof the digital portion of the collection agent as it goes back to compare records, and being able to spoof a positive ack from the comparrison. I think what you'll see as storage costs drop is that like static passwords, biometric data will be stored at the local authenticating device unless there is some compelling reason (mostly legal) not to. Why wouldn't an ATM that you use regularly cache your biometrics locally, then authenticate you on the spot? 
Why should your workstation have to go over the network to authenticate you if the risk of compromise of the local authentication data is the same as the risk of spoofing the data itself?

> The high degree of user authenticity afforded by biometrics comes from
> the ability of _only_ the valid user to present the biometric data to
> the "system". A warm, pulsing thumb set upon a measuring device is a
> good indicator of who you are. Now the problem is comparing that data
> to a (remote?) database of data without allowing data to be inserted
> between the measuring device and the compare operation. You must

Or in front of it

> completely authenticate the dialogue between the measuring device and
> the compare stage and only allow transactions with trusted measuring
> devices.

The transaction thing is generally solvable with digital signatures once you get the code into tamper-resistant packaged silicon. That's where we'll probably see the first "major" steps taken. Of course, if it's done right, ATMs, authentication devices for network access, and store scanners won't be exportable from the US. At that point, ITAR either dies or the US drops a multi-billion dollar market, because a *lot* of companies in different countries won't accept the USG having bits of the keys that authenticate them and where they were at a certain time physically. For the same reasons the intel and law enforcement guys are going to want that data pretty badly. I think that US privacy laws need to be stronger to give us a tool in curbing abuses of the technologies.

> wall) wiring into the authentication system. This would be a nice
> closed system. Only those measuring devices that are securely hardwired
> into the system are allowed to authenticate.

This is only a good model where the resources being authenticated against are local to the authentication mechanism.
> What I'd like to see is a "tamper-proof" token (a la SecurID) that
> measures the biometric, takes a PIN, and an internal seed to generate
> authentication data and/or unlock a stored private key. The biometric
> data would be utilized to its best potential without a significant
> threat of data insertion. All 3 authentication factors in one
> credit-card sized token!

Well, someday. The problem is the same one we're seeing with firewalls, unless there's a concerted effort to educate the user populace (in this case the general population), "ease of use" and cost of support are the major factors, and nobody but us "raving paranoid lunatics" are going to fight for something you forget and something you lose.

> The proverbial Guido and Mac the Knife are still a problem. How about a
> duress finger? :-)

Every time I think about showing my boss my duress finger, I realize that it's an egress finger too... :)

It really is a two-edged sword, to be useful, the biometric must be unique, but if it's unique then once compromised it's irrevocable. It should be really interesting to see what happens if a program swaps two IDs and you have to try to "prove" you aren't someone else at the DMV...

Also, as the technologies get cheaper, undercover law enforcement is going to have a hell of a time, someone with a portable camera sitting outside of the local police academy grabbing face maps will make a mint with the local bad guys. This means that there will be a "legitimate law enforcement need" to corrupt the databases. Running a match of those and the commercial banking records will pull out all the cops pretty quickly... If that's not an attractive target... Ok, I'll stop before it gets gruesome again...

I'm not so sure that strong authentication permeating society isn't one of those "be careful what you wish for" things...

Paul
-----------------------------------------------------------------------------
Paul D.
Robertson "My statements in this message are personal opinions proberts@clark.net which may have no basis whatsoever in fact." PSB#9280 From firewalls-owner Tue Apr 7 04:06:19 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id DAA20506; Tue, 7 Apr 1998 03:52:33 -0700 (PDT) Received: from castle.us-state.gov (castle.us-state.gov [198.76.102.19]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id DAA20492 for ; Tue, 7 Apr 1998 03:52:27 -0700 (PDT) Received: by castle.us-state.gov; id AA27023; Tue, 7 Apr 98 06:57:33 EDT Received: from pubhost.us-state.gov(198.76.102.34) by castle.us-state.gov via smap id sma026992; Tue Apr 7 06:57:14 1998 Received: by pubhost.us-state.gov; id AA23569; Tue, 7 Apr 98 06:57:11 EDT Received: by localhost with Microsoft MAPI; Tue, 7 Apr 1998 06:50:57 -0400 Message-Id: <01BD61F1.84441970@gcrum@us-state.gov> From: Gary Crumrine Reply-To: "gcrum@us-state.gov" To: "'firewalls@greatcircle.com'" Subject: Value Add comments Date: Tue, 7 Apr 1998 06:50:55 -0400 Organization: US Dept of State X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4025 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello everyone. I am looking for opinions on a few subjects. Care to comment? 1) Justification comments concerning what value is added when they buy in to purchasing and deploying threat management techniques and hardware? 2) At which point do you think you have fulfilled due diligence requirements when employing firewalls, IDS, Usage tracking etc.? 3) Outsourcing. Does it make sense? Is there an expectation of good return on your investment? Are they trustworthy? 4) Periodic review/certification of systems. Are they a necessary evil? How often should they be accomplished? Thanks in advance. 
I appreciate your ideas

From firewalls-owner Tue Apr 7 05:21:25 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA00131; Tue, 7 Apr 1998 05:06:06 -0700 (PDT) Received: from mail.adpims.com ([208.217.7.191]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id FAA00124 for ; Tue, 7 Apr 1998 05:06:01 -0700 (PDT) From: rcerpa@adpims.com Received: by mail.adpims.com(Lotus SMTP MTA v1.1 (385.6 5-6-1997)) id 852565DF.00431812 ; Tue, 7 Apr 1998 08:12:50 -0400 X-Lotus-FromDomain: ADP To: rkizer@sddpc.org Message-ID: <852565DF.0042A85F.00@mail.adpims.com> Date: Tue, 7 Apr 1998 08:12:46 -0400 Subject: Re: Novell Question Mime-Version: 1.0 Content-type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Try Audit Track. I don't recall who sells it now, the original company got bought out.

rkizer@sddpc.org on 04/06/98 07:29:38 PM To: firewalls@GreatCircle.Com cc: (bcc: Richard Cerpa/ADP/IMS) Subject: Novell Question

Maybe there's someone who can help me with this problem, since I'm not that familiar with Novell. We've recently experienced some problems with "someone" getting into some of our Novell servers with Admin authority, and deleting system files. Novell doesn't have any usable auditing tools, so we've been forced out into the market place to try and find something usable. Does anyone have any recommendations? Any and all suggestions will be most welcome.
From firewalls-owner Tue Apr 7 05:36:55 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id FAA01293; Tue, 7 Apr 1998 05:24:35 -0700 (PDT) Received: from meijer.com (ftp.meijer.com [208.142.246.129]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id FAA01283 for ; Tue, 7 Apr 1998 05:24:28 -0700 (PDT) Received: from meijer.com ([204.74.134.7]) by meijer.com; Tue, 07 Apr 1998 08:29:38 -0400 Received: from MJR#u#Route-Message_Server by meijer.com with Novell_GroupWise; Tue, 07 Apr 1998 08:29:38 -0400 Message-Id: X-Mailer: Novell GroupWise 5.2 Date: Tue, 07 Apr 1998 08:29:18 -0400 From: "Joseph Pung" To: COSGRIFF.JOSEPH@epamail.epa.gov, firewalls@greatcircle.com Subject: Re: help on telecom Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Joe

There are a couple of programs at this site (I have never used them so I have no opinion on their value) http://users.aol.com/auditnet/asap_ind.htm. (Click on the top drop-down box and scroll to telecommunications.)

Joe

>>> JOSEPH COSGRIFF 04/03 10:11 AM >>>
Hello, I am new to the computer security div. I am attempting to put together an audit program for security measures on a telecom. div., If anyone can provide me any info ref. this I would greatly appreciate it.
Thanks, Joe

From firewalls-owner Tue Apr 7 06:35:41 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA13095; Tue, 7 Apr 1998 06:17:46 -0700 (PDT) Received: from mail.msen.com (conch.msen.com [148.59.19.5]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA13070 for ; Tue, 7 Apr 1998 06:17:37 -0700 (PDT) Received: (from mjo@localhost) by mail.msen.com (8.8.5/8.8.5) id JAA23277 for firewalls@greatcircle.com; Tue, 7 Apr 1998 09:22:55 -0400 (EDT) X-Authentication-Warning: conch.msen.com: mjo set sender to mjo@dojo.mi.org using -f Subject: Re: re: Hackers Suck To: firewalls@greatcircle.com (Firewalls Mailing List) Date: Tue, 7 Apr 1998 09:22:54 -0400 (EDT) From: "Mike O'Connor" Reply-To: "Mike O'Connor" Message-Id: <980407092254.mjo@dojo.mi.org> X-Organization: :noitazinagrO-X Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

:From: Henry Hertz Hobbit
[...]
:Beelzebub Infidels'. Perhaps I should explain myself. If you all
:would go to the largest library near you that has the *Journal*
:*of* *Parapsychology*, you might find that they have been doing
:hypnotic-induction programming involving *SATANIC* key words. Thus
[...]
:3. Destroy themselves. I know they don't see it this way, but if
: they look at what they are doing long and hard and then fast
: forward when they are in their 70s, 80s, or 90s and facing
: death square in the face I ask them to do one thing. Can you
[...]
: a year to develop the Satanic crap they are pursuing). Good
: ole J Gordon Liddy is now having his case that they should not
: be given these powers because of Ruby Ridge - Idaho, Waco - Texas,
: and Richard Jewell being shot down completely by you dumb jackass
[...]
:So, Mr. Hacker, think long and hard about what you are doing. Are
:you promoting some insane Psychiatrists/Psychologists at the FBI into
:destroying hundreds if not thousands of lives with their damn Satanic
:programming?
The most amazing thing about this to me is that almost I thought there was another mailing list for conspiracy theorists and frothing-at-the-mouth lunatics? Perhaps we should explore the use of firewalls and the firewalls mailing list as a "layer 7+" electronic prison? I wonder how much serious hacking a Berferd could do if he had to vomit every time he read crap like this?

--
Michael J. O'Connor | WWW: http://dojo.mi.org/~mjo/ | Email: mjo@dojo.mi.org
InterNIC WHOIS: MJO | (has my PGP & Geek Code info) | Phone: +1 248-848-4481
=--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"Why is it that the nuttiest people define reality?" -Dilbert

From firewalls-owner Tue Apr 7 06:37:43 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA13205; Tue, 7 Apr 1998 06:18:37 -0700 (PDT) Received: from egate2.citicorp.com (egate2.citicorp.com [192.193.196.194]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id GAA13141 for ; Tue, 7 Apr 1998 06:18:16 -0700 (PDT) Received: by egate2.citicorp.com id AA11786 (InterLock SMTP Gateway 3.0 for firewalls@GreatCircle.COM); Tue, 7 Apr 1998 09:24:36 -0400 Message-Id: <199804071324.AA11786@egate2.citicorp.com> Received: by egate2.citicorp.com (Protected-side Proxy Mail Agent-1); Tue, 7 Apr 1998 09:24:36 -0400 Date: Tue, 07 Apr 1998 09:19:32 -0400 From: Yury German Reply-To: yury.german@citicorp.com Organization: Citicorp X-Mailer: Mozilla 4.04 [en] (X11; I; SunOS 5.4 sun4m) Mime-Version: 1.0 To: "McMaster, Rick" Cc: firewalls Subject: Re: Questions about ICMP References: <1998Apr01.181005.1065.1652681@msmail.freddiemac.com> Content-Type: multipart/alternative; boundary="------------E96961FA606A753EEEDF6EEB" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk --------------E96961FA606A753EEEDF6EEB Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit

McMaster, Rick wrote:
> I do not have a real problem with ping to and from specific hosts,
but I
> would never allow traceroute through my firewalls. Using traceroute a
> person can map your entire internal network.
>
> Rick
> ----------
> >From: Roman Ramirez
> >To: firewalls
> >Subject: Questions about ICMP
> >Date: Wednesday, April 01, 1998 6:27AM
> >
> >Hello:
> >
> >I have some questions about ICMP filtering, what kind of icmp packets
> >should I filter?
>

With a traceroute you can map the network but with letting ping ICMP echo through the firewall you allow the intruder the freedom to bring internal servers down with ping of death. While most firewalls are immune I will make a strong assumption that you have internal hosts which are vulnerable, since most system admins do not pay that much attention to security patches. Letting Ping inside the firewall is as dangerous if not more dangerous than traceroute.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Yury German                      yury.german@citicorp.com
Firewall Security Admin          yury_german@yahoo.com
From firewalls-owner Tue Apr 7 06:52:36 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id GAA15698; Tue, 7 Apr 1998 06:38:34 -0700 (PDT) Received: from actionweb.com ([209.150.128.66]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id GAA15690 for ; Tue, 7 Apr 1998 06:38:28 -0700 (PDT) Received: from putergirl.com ([199.227.242.215]) by actionweb.com (8.8.5/8.8.5) with ESMTP id IAA01614 for ; Tue, 7 Apr 1998 08:45:47 -0500 Message-ID: <352A5745.58549A3F@putergirl.com> Date: Tue, 07 Apr 1998 09:41:41 -0700 From: Eileen Bonfiglio Organization: PuterGirl, Inc X-Mailer: Mozilla 4.04 [en] (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.com Subject: Safe Credit? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Good Morning... A few months ago I recall some postings on credit card security issues/ecommerce, theft of such, and would love to have them now, is there an archive of the postings on the web I missed?
Thanks Eileen

From firewalls-owner Tue Apr 7 07:54:15 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA25423; Tue, 7 Apr 1998 07:22:31 -0700 (PDT) Received: from di2.disclosure.com (di2.disclosure.com [206.181.208.4]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id HAA25306 for ; Tue, 7 Apr 1998 07:22:05 -0700 (PDT) Received: from smtpgate.disclosure.com (smtpgate.disclosure.com [192.168.101.5]) by di2.disclosure.com (8.8.7/8.8.7) with SMTP id KAA20834; Tue, 7 Apr 1998 10:25:46 -0400 (EDT) Received: from ccMail by smtpgate.disclosure.com (IMA Internet Exchange 2.12 Enterprise) id 00094BCE; Tue, 7 Apr 1998 10:29:46 -0400 Mime-Version: 1.0 Date: Tue, 7 Apr 1998 09:55:22 -0400 Message-ID: <00094BCE.3452@disclosure.com> From: Larry.Riley@disclosure.com (Larry Riley) Subject: Re: Novell Question To: firewalls@GreatCircle.COM, rkizer@guten.sddpc.org (Kizer; Randall) Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Check out Kane Security Analyst by Intrusion Detection Inc.

______________________________ Reply Separator _________________________________
Subject: Novell Question
Author: rkizer@guten.sddpc.org (Kizer; Randall) at Internet
Date: 4/6/98 4:29 PM

Maybe there's someone who can help me with this problem, since I'm not that familiar with Novell. We've recently experienced some problems with "someone" getting into some of our Novell servers with Admin authority, and deleting system files. Novell doesn't have any usable auditing tools, so we've been forced out into the market place to try and find something usable. Does anyone have any recommendations? Any and all suggestions will be most welcome.
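Returning to the ICMP filtering thread above (Rick McMaster and Yury German, "Questions about ICMP"): the following is an added example, not code posted by anyone in the thread, that puts the two arguments into a runnable, direction-aware ICMP filter and runs it over packets constructed inline (no captured traffic). It assumes a plain 20-byte IPv4 header without options. The policy choices are mine, not any poster's: drop inbound echo requests, drop outbound TTL-exceeded messages so that low-TTL probes cannot map the inside, keep "fragmentation needed" in both directions because path MTU discovery breaks without it, verify the ICMP checksum, and reject any fragment whose offset plus length reassembles past 65535 bytes, which is the ping-of-death pattern.

```python
"""Added example: a small direction-aware ICMP filter with a ping-of-death check.

Packets are constructed inline below (not captured traffic). Assumes a 20-byte
IPv4 header with no options; the policy is illustrative, not anyone's product.
"""
import struct

# ICMP types/codes (RFC 792, RFC 1191)
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
FRAG_NEEDED = 4          # dest-unreachable code "fragmentation needed and DF set"
MAX_DATAGRAM = 65535     # largest IPv4 datagram the total-length field can describe


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over an ICMP header plus payload."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes = b'') -> bytes:
    """ICMP message with a correct checksum (identifier and sequence zeroed)."""
    hdr = struct.pack('!BBHHH', icmp_type, code, 0, 0, 0)
    csum = icmp_checksum(hdr + payload)
    return struct.pack('!BBHHH', icmp_type, code, csum, 0, 0) + payload


def build_ipv4(payload: bytes, frag_offset: int = 0, more_fragments: bool = False,
               src: bytes = b'\x0a\x00\x00\x01', dst: bytes = b'\xc0\xa8\x01\x01') -> bytes:
    """Minimal IPv4 header carrying ICMP (proto 1); frag_offset in bytes, multiple of 8.
    The IP header checksum is left at zero because this filter does not verify it."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), 0, flags_frag,
                      64, 1, 0, src, dst)
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """Return (protocol, fragment offset in bytes, payload) from a raw IPv4 packet."""
    ver_ihl, _, total_len, _, flags_frag, _, proto = struct.unpack('!BBHHHBB', pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    return proto, (flags_frag & 0x1FFF) * 8, pkt[ihl:total_len]


def filter_icmp(pkt: bytes, direction: str):
    """Apply the policy to one packet; direction is 'in' (Internet->LAN) or 'out'.
    Returns (verdict, reason)."""
    proto, frag_offset, payload = parse_ipv4(pkt)
    if proto != 1:
        return 'pass', 'not ICMP, left to the other rules'
    # Ping of death: this fragment would reassemble past the 65535-byte maximum.
    if frag_offset + len(payload) > MAX_DATAGRAM:
        return 'drop', 'oversized reassembly (ping of death)'
    if frag_offset:
        return 'drop', 'non-initial ICMP fragment, type cannot be checked'
    if len(payload) < 8:
        return 'drop', 'truncated ICMP header'
    if icmp_checksum(payload) != 0:   # a valid message sums to zero with its checksum in place
        return 'drop', 'bad ICMP checksum'
    icmp_type, code = payload[0], payload[1]
    if icmp_type == DEST_UNREACH and code == FRAG_NEEDED:
        return 'pass', 'fragmentation needed, required for path MTU discovery'
    if direction == 'in':
        if icmp_type in (ECHO_REPLY, TIME_EXCEEDED):
            return 'pass', 'answer to a ping or traceroute started from inside'
        return 'drop', 'inbound echo request or other ICMP not accepted'
    if icmp_type == ECHO_REQUEST:
        return 'pass', 'outbound ping'
    return 'drop', 'no echo replies or TTL-exceeded leave the network'


def demo():
    """Constructed sample packets (not captured traffic); returns {case: verdict}."""
    echo_req = build_ipv4(build_icmp(ECHO_REQUEST, 0, b'abcdefgh'))
    cases = {
        'inbound echo request': (echo_req, 'in'),
        'outbound echo request': (echo_req, 'out'),
        'inbound echo reply': (build_ipv4(build_icmp(ECHO_REPLY, 0, b'abcdefgh')), 'in'),
        'outbound TTL exceeded': (build_ipv4(build_icmp(TIME_EXCEEDED, 0, b'\x00' * 28)), 'out'),
        'inbound frag needed': (build_ipv4(build_icmp(DEST_UNREACH, FRAG_NEEDED, b'\x00' * 28)), 'in'),
        # last fragment of an oversized echo: offset 65528 + 1480 bytes > 65535
        'ping of death fragment': (build_ipv4(b'\x00' * 1480, frag_offset=65528), 'in'),
        # one flipped payload byte, so the checksum no longer verifies
        'corrupted echo request': (echo_req[:28] + bytes([echo_req[28] ^ 0xFF]) + echo_req[29:], 'out'),
    }
    return {name: filter_icmp(pkt, d)[0] for name, (pkt, d) in cases.items()}


if __name__ == '__main__':
    for name, verdict in demo().items():
        print('%-24s %s' % (name, verdict))
```

The point worth taking from the thread is the outbound rule: what lets an outsider map the inside is not the echo request itself but the ICMP time-exceeded replies that internal routers and hosts send back to low-TTL probes, and UDP or TCP probes with a low TTL elicit exactly the same replies as ICMP ones. Dropping inbound echo requests alone therefore does not stop traceroute-style mapping; dropping outbound time-exceeded does. The reassembly check is a bound on offset plus length, not on the echo payload, because the oversized datagram only exists once the last fragment arrives.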
From firewalls-owner Tue Apr 7 08:18:11 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA01244; Tue, 7 Apr 1998 07:48:22 -0700 (PDT) Received: from lapis.cary.mci.net (lapis.cary.mci.net [159.24.13.16]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id HAA01217 for ; Tue, 7 Apr 1998 07:48:13 -0700 (PDT) Received: from chert (chert [159.24.13.55]) by lapis.cary.mci.net (8.8.7/8.8.7) with SMTP id OAA00924; Tue, 7 Apr 1998 14:53:26 GMT Date: Tue, 7 Apr 1998 10:53:20 -0400 (EDT) From: Rusty Zickefoose X-Sender: rusty@chert To: JonnyBoy85 cc: Firewalls@GreatCircle.COM Subject: Re: T1 question (verbose reply) In-Reply-To: <352375FD.EB4185E8@sover.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

On Thu, 2 Apr 1998, Chris Brenton wrote:
> >
> > I have tried everywhere to find out about them, and was starting to think that
> > there was no such thing as a T3, but I found out again today that there is.
>
> Yup, they're just not as common. A T3 is a bundle of 30 T1's. Total potential
> bandwidth is around 45 Mb.
>
> Hope this helps,
> Chris

see http://www.oreilly.com/reference/dictionary/terms/D/Digital_Transmission_Rate_3.htm

- --
Rusty Zickefoose | The most exciting phrase to hear in science,
rusty@mci.net | the one that heralds new discoveries, is not
| "Eureka!", but "That's funny ..."
| -- Isaac Asimov -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBNSo94u4+ch/bGDylAQHmkgQAoYnErEt/zLw0PyAwIxmZ7Slu00sqvZxF O7a+1Ww5QgW7ypRUXvD3dm2cwNn0AsdpFT39Ak8A4lLbPOpL5EhDsKn6qjxs7j7M PFjVRDgAr6fxoRQaFydaqsEW0YOE8KJLdNa3BKKnC5a3b+xm73hNED4v9avkrZw9 KY7E2VHR6PQ= =D3cj -----END PGP SIGNATURE----- From firewalls-owner Tue Apr 7 08:21:19 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id HAA00839; Tue, 7 Apr 1998 07:45:30 -0700 (PDT) Received: from relay3.smtp.psi.net (relay3.smtp.psi.net [38.8.210.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id HAA00827 for ; Tue, 7 Apr 1998 07:45:24 -0700 (PDT) Received: from jade by relay3.smtp.psi.net (8.8.5/SMI-5.4-PSI) id KAA24223; Tue, 7 Apr 1998 10:50:40 -0400 (EDT) Received: by localhost with Microsoft MAPI; Tue, 7 Apr 1998 10:50:42 -0400 Message-ID: <01BD6213.02B21D90.cfrancis@intrusion.com> From: Catherine Francis Reply-To: "cfrancis@intrusion.com" To: "'firewalls@greatcircle.com'" Subject: Re: Novell Question Date: Tue, 7 Apr 1998 10:50:40 -0400 Organization: Intrusion Detection Inc. X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Actually, we'd be glad to send out a free eval copy of the Kane Security Analyst, which should give you a pretty good idea of what the security on your network looks like, including a list of the IDs with admin equivalence, if you want to shoot me an email, Randall. I apologize for the plug, but I had to respond, since I don't think we're -that- expensive. :) Catherine Francis Research & Development Intrusion Detection, Inc. 
A Security Dynamics Company (212) 348-8900 cfrancis@intrusion.com

>Date: Mon, 6 Apr 1998 23:25:47 -0400 (EDT)
>From: cbrenton
>Subject: Re: Novell Question
>
>On Mon, 6 Apr 1998, Kizer, Randall wrote:
>
>> We've recently experienced some problems with "someone" getting into
>> some of our Novell servers with Admin authority, and deleting system
>> files. Novell doesn't have any usable auditing tools, so we've been
>> forced out into the market place to try and find something usable.
>
>If it's NetWare 3.1x, run "security.exe"
>If it's NetWare 4.x, run "auditcon.exe"
>
>> Does anyone have any recommendations? Any and all suggestions will
>> be most welcome.
>
>Kane will do this, but it's expensive
>
>Cheers,
>Chris

From firewalls-owner Tue Apr 7 10:06:24 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id JAA24452; Tue, 7 Apr 1998 09:27:00 -0700 (PDT) Received: from firewall.rarebird.net (ppp-207-179.california.com [207.33.25.179]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id JAA24353 for ; Tue, 7 Apr 1998 09:26:39 -0700 (PDT) Received: from rarebird.net (markus@toucan.rarebird.net [192.168.2.1]) by firewall.rarebird.net (8.8.3/8.8.3) with ESMTP id JAA09433; Tue, 7 Apr 1998 09:12:48 -0700 Message-ID: <352A513C.310F0383@rarebird.net> Date: Tue, 07 Apr 1998 09:15:56 -0700 From: Magic Man Organization: Rarebird Consulting Services X-Mailer: Mozilla 4.03 [en] (X11; I; Linux 2.0.30 i586) MIME-Version: 1.0 To: greg_barnes@ins.com CC: firewalls@greatcircle.com Subject: Re: linux based firewall cookbook...
References: <199804050931.BAA20368@honor.greatcircle.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Greg Barnes wrote: > It's ridiculous to discuss filesystem security measures after the > physical layer has been breached, and I don't care what the > filesystem is, if you KNOW what it is and you have physical access, > it's game over.....FAT, minix, HPFS, NTFS, ext2, UFS whatever... That's right...with the possible exception of a completely encrypted filesystem of some sort. Then, there are issues of performance and key management. -- .\\agic .\\an Rarebird Consulting Services From firewalls-owner Tue Apr 7 11:06:50 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA08021; Tue, 7 Apr 1998 10:32:33 -0700 (PDT) Received: from rajan.maricopa.gov (rajan.maricopa.gov [156.42.4.19]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id KAA07935 for ; Tue, 7 Apr 1998 10:32:13 -0700 (PDT) Received: from smtpgw.maricopa.gov by rajan.maricopa.gov (5.4R3.10/1.34) id AA10579; Tue, 7 Apr 1998 10:55:23 -0700 Received: from SUPCOURT-Message_Server by smtpgw.maricopa.gov with Novell_GroupWise; Tue, 07 Apr 1998 10:38:49 -0700 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Tue, 07 Apr 1998 10:39:40 -0700 From: Tom Gardner To: firewalls@greatcircle.com Subject: Another Novell Question Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anyone know of a Syslogd client app for Netware 4.x ? I have all my Unix and NT hosts writing to a dedicated syslog host. I want the Netware servers to do the same. Anyone seen such an animal? 
Thx Tom G

From firewalls-owner Tue Apr 7 11:17:18 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id IAA03236; Tue, 7 Apr 1998 08:01:53 -0700 (PDT) Received: from connetsys.com (fw-01.connetsys.com [38.169.221.200]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id IAA03199 for ; Tue, 7 Apr 1998 08:01:42 -0700 (PDT) Received: from fearless.connetsys.com (fw-mgmt-01 [10.0.2.10]) by connetsys.com (8.8.8/8.7.3) with ESMTP id IAA01197; Tue, 7 Apr 1998 08:07:00 -0700 (PDT) Received: from fearless (mailhost [10.0.1.40]) by fearless.connetsys.com (8.8.8/8.8.8) with SMTP id IAA25964; Tue, 7 Apr 1998 08:06:59 -0700 (PDT) Date: Tue, 7 Apr 1998 08:06:59 -0700 (PDT) From: "William L. Hamlin" X-Sender: whamlin@fearless To: Yury German cc: "McMaster, Rick" , firewalls Subject: Re: Questions about ICMP In-Reply-To: <199804071324.AA11786@egate2.citicorp.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Actually, try the following little script:

--->8-------------------
#!/bin/sh
# Step the TTL up one hop at a time; the router that expires it answers
# with an ICMP time-exceeded, which ping reports. Usage: script.sh host
for ttl in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
do
    # -t sets the TTL; the trailing 1 is a one-second timeout; keep the first line of output
    ping -t $ttl $1 1 2>&1 | head -1
done
---8<-------------------

This works on Solaris; syntax may need to change for other pings.

In short, this uses ping to simulate a traceroute (in a not as pretty way, mind you). Personally, I don't let either through.

- Bill
---
William L. Hamlin
Intranet Systems Architect
Convergent Networking Systems, Inc.

On Tue, 7 Apr 1998, Yury German wrote:
> McMaster, Rick wrote:
>
> > I do not have a real problem with ping to and from specific hosts, but I
> > would never allow traceroute through my firewalls. Using traceroute a
> > person can map your entire internal network.
> > > > Rick > > ---------- > > >From: Roman Ramirez > > >To: firewalls > > >Subject: Questions about ICMP > > >Date: Wednesday, April 01, 1998 6:27AM > > > > > >Hello: > > > > > >I have some questions about ICMP filtering, what kind of icmp packets > > >should I filter? > > > > With a traceroute you can map the network but with letting ping > > ICMP echo through the firewall you allow the intruder the > > freedom to bring internal servers down with ping of death. > > While most firewalls are immune I will make a strong assumption > > that you have internal hosts which are vulnerable, since most > > system admins do not pay that much attention to security patches. > > Letting Ping inside the firewall is as dangerous if not more dangerous > > then traceroute. > > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= > Yury German yury.german@citicorp.com > Firewall Security Admin yury_german@yahoo.com > > > From firewalls-owner Tue Apr 7 11:22:08 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id KAA11967; Tue, 7 Apr 1998 10:54:59 -0700 (PDT) Received: from SOLAIR.EUnet.yu (SOLAIR.EUnet.yu [194.247.192.52]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id KAA11906 for ; Tue, 7 Apr 1998 10:54:45 -0700 (PDT) Received: from perun (P-198.112.EUnet.yu [194.247.198.112]) by SOLAIR.EUnet.yu (8.8.8/8.8.8) with SMTP id TAA25981 for ; Tue, 7 Apr 1998 19:59:59 +0200 (MET DST) Message-ID: <352A699B.573A@Yugoslavia.EU.net> Date: Tue, 07 Apr 1998 19:59:56 +0200 From: Srdjan Pantic Organization: EUnet Yugoslavia X-Mailer: Mozilla 3.0Gold (Win95; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: Cisco Centri 4.0 Firewall for NT References: <199804041034.CAA11910@honor.greatcircle.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Is there any experience regarding Cisco Centri 4.0 for NT Firewall? 
I tried to install my copy on two different machines and got only two dead NTs. Of course, NT servers on both machines worked perfectly previously, with two NICs. We are working very closely with Cisco because we, as an ISP, are using a lot of Cisco hardware, but I'm very frustrated with that piece of software. Is there any advice regarding Centri or maybe a recommendation for different firewalls for NT? And before we start a war: yes, it must be a software firewall and the OS must be NT. Customer request. Thank you in advance.

-- ----- ___ - Srdjan Pantic, System Engineer ---- / / / __ ___ _/_ -- EUnet Yugoslavia --- /--- / / / / /__/ / --- Obilicev venac 4, 11000 Beograd, YU -- /___ /__/ / / /__ / ---- tel:+381 11 3282608,fax:+381 11 3282760 -- ----- http://www.Yugoslavia.EU.net -- Connecting Europe since 1982 - e-mail: spantic@Yugoslavia.EU.net

From firewalls-owner Tue Apr 7 14:11:29 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id NAA02980; Tue, 7 Apr 1998 13:50:11 -0700 (PDT) Received: from su1.in.net (su1.in.net [199.0.62.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id NAA02971 for ; Tue, 7 Apr 1998 13:50:02 -0700 (PDT) Received: from frankw.in.net (pm1-17.in.net [205.160.202.49]) by su1.in.net (8.8.8/8.6.9) with SMTP id UAA20326; Tue, 7 Apr 1998 20:49:34 GMT Message-Id: <3.0.5.32.19980407155003.007e4d40@in.net> X-Sender: frankw@in.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Tue, 07 Apr 1998 15:50:03 -0500 To: "Stout, William" From: Frank Willoughby Subject: RE: socks versus fw-1 stateful inspection vulnerabilities Cc: firewalls@GreatCircle.com In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 03:05 PM 4/6/98 -0400, Stout, William wrote:

I'll be exceedingly kind and say that the Checkpoint Firewall-1 firewall does not meet my level of expectations and I do not deem it worthy enough to recommend to any of
*my* valued customers. I agree with the NSA's report on the stateful inspection. The NSA does good work. (I also like their style of report-writing, but that's beside the point). 8^)

I think that many people are overlooking some important criteria when evaluating firewalls. The Stateful Inspection is just the tip of the iceberg. A few criteria are listed below, others are available in the *free* Firewall Evaluation Checklist which can be downloaded from my company's web site.

Here are a few of my *many* crows to pick with the Firewall-1.

o You have to put a deny all at the last of the rules to make up for its default stance of being wide open

o It encourages people to do stupid (from a security point-of-view) things like permit dangerous (unproxied) services through the firewall - a la' if they support it, it must be OK).

o I don't like the security architecture of the firewall

o Checkpoint came out and stated that proxies were bad and that SMLI (pronounced "smelly" - IMHO, appropriate somehow) 8^) is much better than proxies. I find it interesting that Checkpoint uses "security servers" (which the rest of us mere mortals call proxies) as this is an apparent reversal of their previous position. If proxies were not secure as Checkpoint previously indicated, then why are they on the firewall now?

o The only common encryption algorithm used in User->Firewall & Firewall->Firewall encryption is their own (PROPRIETARY) FWZ1 encryption algorithm. To my knowledge, the source code to FWZ1 has *not* been published, nor has it been subjected to a peer review of expert cryptographers. And this from a company which is supposed to provide security? Bah Humbug. Any beginning InfoSec Analyst knows that proprietary encryption algorithms should be avoided like the plague. Only encryption algorithms which have been published and reviewed by expert cryptographers should be used. If the algorithm hasn't been published and reviewed by expert cryptographers, then how do we know it is strong enough & that there are no backdoors into it??? In the past, several companies would claim to have a secure (homegrown) encryption algorithm and would post a challenge to the cypherpunks mailing list for someone to crack it. If they were to do so, they would sell their company for $1.00. 2-3 days later, someone would crack the supposedly unbreakable algorithm and state that the company can keep their dollar.

o With proxies & logging enabled, it is *slower* than proxy firewalls.

o The NSA (who is no slouch in getting crypto to work) couldn't get Checkpoint's VPN crypto to work.

o Checkpoint's lack of support in notifying their customers about the vulnerability that Secure Networks posted.

o Checkpoint's denial that the problem even exists (as visible in their note in the Computer Security Institute's Alert newsletter).

The above are a few, but how many security problems does a firewall have to have before it is ultimately rejected? You have to remember, we are talking about a security product, not what type of car to buy. It should be evaluated primarily from a security point-of-view (it is, after all, a security product). It doesn't rate a high rating in my book or that of other Information Security Officers I have talked to. But hey, what do we know? We're only Information Security Officers - not Checkpoint marketing dweebs.

I would recommend that the audience at large do their *own* research and come to their own conclusions.

'Nuff said.

Best Regards,

Frank

>State vs. proxy is a religious issue for some, but then again, some
>swear by MS-Proxy as a firewall.
>
>I've seen the problem first hand, and the Checkpoint-1 report from the
>NSA points this out also.
>
>The NSA pointed out state-based specific vulnerabilities (which their
>report admits they did not fully test):
> Exploitation of an allowed service
> Insider threat - opening up ports to the outside
> Exploitation of ports opened by a legitimate user
> Subversion of the stateful packet filtering mechanism
>
>The test "Test 6: Overflow of internal tables" describes the overflow,
>results, and DOS attack. The problem should be fixed by now. Staunch
>defenders of the packet filter faith deny it ever happened. See
>http://mitten.ie.org/fw1/fw1.htm#statefulpacket
>
>Bill Stout

8< [snip]

The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc.

Fortified Networks, Inc. - http://www.fortified.com/
Home of the Free Internet Firewall Evaluation Checklist
Expert (vendor-neutral) Computer and Network Security Solutions
Phone: (317) 573-0800 Fax: (317) 573-0817

From firewalls-owner Tue Apr 7 16:52:27 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA13224; Tue, 7 Apr 1998 15:11:54 -0700 (PDT) Received: from poterne.mtl.dmr.ca (poterne.mtl.dmr.ca [198.168.250.4]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id PAA13217 for ; Tue, 7 Apr 1998 15:11:48 -0700 (PDT) Received: from Montreal-NS002.Mtl.DMR.CA (montreal-ns002.mtl.dmr.ca [205.151.132.3]) by poterne.mtl.dmr.ca (8.6.11/8.6.6a) with SMTP id SAA18485; Tue, 7 Apr 1998 18:17:03 -0400 Received: by Montreal-NS002.Mtl.DMR.CA(Lotus SMTP MTA v1.1 (385.6 5-6-1997)) id 852565DF.007ABDBC ; Tue, 7 Apr 1998 18:20:39 -0400 X-Lotus-FromDomain: DMR-CANADA From: "Dean Ethier" To: fw-1-mailinglist@us.checkpoint.com, firewalls@greatcircle.com, firewall-wizards@nfr.net Message-ID: <872565DF.0077AA4D.00@Montreal-NS002.Mtl.DMR.CA> Date: Tue, 7 Apr 1998 16:17:15 -0600 Subject: DMZ config question Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

What's the
accepted method for setting up a DMZ? Do I just a hub into my firewall and feed my DMZ from that? If one host on the DMZ were compromised, that would leave little protection for anything else on the DMZ. Should one also use a router instead of or in conjunction with a hub to provide some isolation between hosts on the DMZ? What is generally done? Dean Ethier DMR Consulting Group Inc From firewalls-owner Tue Apr 7 17:10:05 1998 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id PAA14784; Tue, 7 Apr 1998 15:23:27 -0700 (PDT) Received: from vojuro.fi (vojuro.fi [195.10.151.217]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id PAA14740 for ; Tue, 7 Apr 1998 15:23:14 -0700 (PDT) Received: from localhost (vojin@localhost) by vojuro.fi (8.8.5/8.8.5) with SMTP id BAA24615; Wed, 8 Apr 1998 01:28:17 +0300 Date: Wed, 8 Apr 1998 01:28:16 +0300 (EET DST) From: Vojin Urosevic To: Srdjan Pantic cc: Firewalls@GreatCircle.COM Subject: Re: Cisco Centri 4.0 Firewall for NT In-Reply-To: <352A699B.573A@Yugoslavia.EU.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi! Try this as an alternative www.ntguard.com/guardian3 regards, Vojin Urosevic Claxcom LLC NT & Linux Solutions. On Tue, 7 Apr 1998, Srdjan Pantic wrote: > Is there any experience regarding Cisco Centri 4.0 for NT Firewall? > I tried to install my copy on two different machines and got only two > dead > NT. Of course, NT servers on both machines worked perfectly previously, > with two NIC. > > We are working very close with Cisco because we, as ISP, are using a > lot > of Cisco hardware, but I'm very frustrate with that piece of software. > > Is there any advice regarding Centri or maybe a recommendation for > different > firewalls for NT? > > And before we start war: yes, it must be software firewall and OS > must be NT. Customer request. > > Thank you in advance. 
>
> --
> ----- ___ - Srdjan Pantic, System Engineer
> ---- / / / __ ___ _/_ -- EUnet Yugoslavia
> --- /--- / / / / /__/ / --- Obilicev venac 4, 11000 Beograd, YU
> -- /___ /__/ / / /__ / ---- tel:+381 11 3282608, fax:+381 11 3282760
> -- ----- http://www.Yugoslavia.EU.net
> -- Connecting Europe since 1982 - e-mail: spantic@Yugoslavia.EU.net
>

From firewalls-owner Tue Apr 7 17:13:01 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id OAA10688; Tue, 7 Apr 1998 14:55:41 -0700 (PDT)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-980202-1) id OAA10680 for firewalls@greatcircle.com; Tue, 7 Apr 1998 14:55:37 -0700 (PDT)
Received: from server.alet.it (dns1.alet.it [195.120.14.11]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id EAA28223 for ; Mon, 6 Apr 1998 04:56:40 -0700 (PDT)
Received: from client2.alet.it (client2.alet.it [195.120.14.21]) by server.alet.it (8.6.12/8.6.9) with SMTP id OAA04157 for ; Mon, 6 Apr 1998 14:02:09 GMT
Message-Id: <199804061402.OAA04157@server.alet.it>
Comments: Authenticated sender is
From: "Alessandro Battaglia"
To: firewalls@GreatCircle.COM
Date: Mon, 6 Apr 1998 14:01:18 +0000
Subject: public web and ftp server
Reply-to: jama@alet.it
X-mailer: Pegasus Mail for Win32 (v2.41)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We maintain domains, web and ftp servers in housing and virtual hosting. We would like to purse the access to our web and ftp server by the proxy server, but I would like that any Internet user can obtain the information from our servers. Is it possible? What's the best software to obtain this goal?

Sorry for my English and many thanks in advance for your help. Any advice will be glad.

_AB_
AleT system manager

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
AleTelematica personalizzata Tel. +39 50 894002
Alessandro Battaglia +39 50 981987
V. delle Palanche 2/E Fax +39 50 894707
Madonna dell'Acqua (PI) ITALY http://www.alet.it
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

From firewalls-owner Tue Apr 7 17:52:24 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA28451; Tue, 7 Apr 1998 17:05:17 -0700 (PDT)
Received: from mail.isla.net (mail.isla.net [207.120.81.2]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id RAA28434 for ; Tue, 7 Apr 1998 17:05:09 -0700 (PDT)
Received: from isla.net [207.120.81.34] by mail.isla.net with ESMTP (SMTPD32-4.02) id A2426CF0154; Tue, 07 Apr 1998 20:09:54 -400
Message-ID: <352AC1A3.21BED3E1@isla.net>
Date: Tue, 07 Apr 1998 20:15:31 -0400
From: Carlos Roque
X-Mailer: Mozilla 4.04 [en] (Win95; I)
MIME-Version: 1.0
To: Dean Ethier
CC: fw-1-mailinglist@us.checkpoint.com, firewalls@greatcircle.com, firewall-wizards@nfr.net
Subject: Re: [FW1] DMZ config question
References: <872565DF.0077AA4D.00@Montreal-NS002.Mtl.DMR.CA>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I use a hub between the FW and the host at the DMZ (ie WWW server). It works great!

regards
Carlos Roque

Dean Ethier wrote:

> What's the accepted method for setting up a DMZ? Do I just a hub into my
> firewall and feed my DMZ from that? If one host on the DMZ were
> compromised, that would leave little protection for anything else on the
> DMZ. Should one also use a router instead of or in conjunction with a hub
> to provide some isolation between hosts on the DMZ? What is generally
> done?
>
> Dean Ethier
> DMR Consulting Group Inc
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================

From firewalls-owner Tue Apr 7 18:06:19 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA28943; Tue, 7 Apr 1998 17:09:10 -0700 (PDT)
Received: from m6.sprynet.com (m6.sprynet.com [165.121.1.89]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id RAA28914 for ; Tue, 7 Apr 1998 17:09:00 -0700 (PDT)
Received: from zepher.milkyway.com (hdn106-020.hil.compuserve.com [206.175.107.20]) by m6.sprynet.com (8.8.5/8.8.5) with SMTP id RAA13449; Tue, 7 Apr 1998 17:14:11 -0700 (PDT)
Message-Id: <3.0.3.32.19980407190402.006d6368@m6.sprynet.com>
X-Sender: jsk347@m6.sprynet.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Tue, 07 Apr 1998 19:04:02 -0400
To: Paul Boyer , "'firewalls@GreatCircle.com'"
From: Steve Kruse
Subject: Re: FW: Virus checking at the firewall level.
In-Reply-To: <01BD5E83.40DBDF40.paulboyer@usa.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All:

It seems to me that we are missing an important thread here... it is NOT what CVP does to performance that is the real issue. I think we all know that for every level of security we add (be it electronic or human) there is a performance hit. The QUESTION is what price are we willing to PAY to achieve (this particular) level of security???
If I am willing to have minimalist security, I can go with a router with a few filters and get X performance. If I add an Application Gateway Firewall like SecurIT (my brand... substitute yours here ;-) then I have a lot of additional protection but I perhaps have X-1 performance. If I want to add URL blocking, then I might have X-2 performance... etc.

Each security admin or manager must make the decision as to what price will I pay for what level of performance. That, IMHO, is the real issue to deal with. Once you make that decision, then you can deal with whether brand X CVP is faster or slower than Brand Y.

Steve Kruse

At 10:04 PM 4/2/98 +0200, Paul Boyer wrote:
>Yes, performance is a big issue :(
>
>I was told trend micro's one at http://www.trendmicro.com is not using CVP for performance reasons.
>
>Has someone experience with it ?
>
>Paul
>
>-----Original Message-----
>From: Doug Drake
>Sent: Wednesday, April 01, 1998 8:59 AM
>To: Gordon LaSane ; Bruno ; firewalls mailing list
>Subject: RE: Virus checking at the firewall level.
>
>Conceptually CVP is a wonderful thing but can you give me any numbers on
>the latency that this process causes on your network? I have not seen
>anything that will show me benchmarks for CVP based virus scanning,
>especially with a firewall and even more with encryption. If I could get
>some good numbers I might be in favor of it. But until then, I like
>speed on my network and virus scanning on the desk top :).
>
>
>At 04:04 PM 3/31/98 -0500, Gordon LaSane wrote:
>[Paul BOYER] -snip-
>

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.5.3

iQA/AwUBNSqw4eZ40Wmdt8j7EQLunQCgznK1cYgTKUwsL6s7nEIL6y3pXXgAoNoJ
kkWOhx23Q+b3FnwEH+vMhsXj
=2QkH
-----END PGP SIGNATURE-----

***************************************************************************
* Steve Kruse skruse@milkyway.com *
* Milkyway Networks jsk347@sprynet.com *
* Southern Region Sales Mgr. PGP Key on most Keyservers *
* http://www.milkyway.com KEY ID: 0x9DB7C8FB *
* Support your right to privacy. Encrypt whenever possible! *
*This sig made from 100% recycled hacking bits stopped by SecurIT Firewall*
***************************************************************************

From firewalls-owner Tue Apr 7 18:33:21 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id RAA02439; Tue, 7 Apr 1998 17:35:33 -0700 (PDT)
Received: from MISsentry.el.nec.com ([192.216.82.86]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id RAA02424 for ; Tue, 7 Apr 1998 17:35:26 -0700 (PDT)
Received: from yginsburg.el.nec.com (yginsburg.el.nec.com [143.103.21.11]) by MISsentry.el.nec.com (8.7.1/8.7.1) with SMTP id RAA09846; Tue, 7 Apr 1998 17:28:41 -0700 (PDT)
Received: by yginsburg.el.nec.com (SMI-8.6/SMI-SVR4) id RAA21081; Tue, 7 Apr 1998 17:28:15 -0700
Date: Tue, 7 Apr 1998 17:28:15 -0700
From: rdew@el.nec.com (Bob De Witt)
Message-Id: <199804080028.RAA21081@yginsburg.el.nec.com>
To: firewalls@GreatCircle.COM, rramirez@encomix.es, Rick_McMaster@freddiemac.com
Subject: RE: Questions about ICMP
Cc: rdew@el.nec.com
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Guys,

Maybe I'm just stupid today, but isn't traceroute just a series of ICMP packets with a specific Time-To-Live set in stages? And if ICMP packets are allowed, how do you block the "traceroute" program?

Bob De Witt,
(old email address: rdew@el.nec.com)
(new email address, after 4/10/98: rdew@...tbd...)

The views expressed herein are my own, and are not attributable to any other source, be it employer, friend or foe.
> From Rick_McMaster@freddiemac.com Mon Apr 6 23:48:50 1998
> From: Rick_McMaster@freddiemac.com (McMaster, Rick)
> To: firewalls@GreatCircle.COM (firewalls), rramirez@encomix.es (Roman Ramirez)
> Mime-Version: 1.0
> Date: Wed, 01 Apr 1998 18:24:46 -0500
> Subject: RE: Questions about ICMP
>
> I do not have a real problem with ping to and from specific hosts, but I
> would never allow traceroute through my firewalls. Using traceroute a
> person can map your entire internal network.
>
> Rick
> ----------
> >From: Roman Ramirez
> >To: firewalls
> >Subject: Questions about ICMP
> >Date: Wednesday, April 01, 1998 6:27AM
> >
> >Hello:
> >
> >I have some questions about ICMP filtering, what kind of icmp packets
> >should I filter?
> >
> >In other way, what icmp options can I permit in packets?
> >
> >I'm seeking for a RESTRICTIVE policy, but I need to let ping and
> >traceroute get out and in...
> >
> >Thx in advance
> >
> >--
> >http://www.encomix.es/users/patowc
> >mailto://rramirez@encomix.es
>

From firewalls-owner Tue Apr 7 22:51:32 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id VAA16621; Tue, 7 Apr 1998 21:11:21 -0700 (PDT)
Received: from xfrsparc.tic.com (xfrsparc.tic.com [206.225.55.37]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id VAA16554 for ; Tue, 7 Apr 1998 21:11:05 -0700 (PDT)
Received: from casa-pc.tic.com (root@casa-pc.tic.com [206.225.55.34]) by xfrsparc.tic.com (8.8.8/8.8.8) with ESMTP id XAA08351 for ; Tue, 7 Apr 1998 23:16:35 -0500 (CDT)
Received: from casa-pc.tic.com by casa-pc.tic.com (8.8.7/sub.1.6) id XAA02676; Tue, 7 Apr 1998 23:16:35 -0500
Message-Id: <199804080416.XAA02676@casa-pc.tic.com>
To: firewalls@greatcircle.com
Subject: Re: Questions about ICMP
In-reply-to: Your message of "Tue, 07 Apr 1998 17:28:15 PDT." <199804080028.RAA21081@yginsburg.el.nec.com>
Date: Tue, 07 Apr 1998 23:16:35 -0500
From: Smoot Carl-Mitchell
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Maybe I'm just stupid today, but isn't traceroute just a series of ICMP packets
>with a specific Time-To-Live set in stages? And if ICMP packets are allowed,
>how do you block the "traceroute" program?

Traceroute uses UDP packets to a high port number with the TTL incremented by one for each packet sent. It listens for the ICMP Time Expired packets returning. That is where it derives the IP addresses of each hop.

Smoot Carl-Mitchell
Texas Internet Consulting
1106 Clayton Lane, Suite 500W
Austin, TX 78723
+1 512 451-6176

From firewalls-owner Tue Apr 7 22:52:21 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA25339; Tue, 7 Apr 1998 19:33:52 -0700 (PDT)
Received: from sitc.sarawak.gov.my (sitc.sarawak.gov.my [202.185.166.10]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with SMTP id TAA25307 for ; Tue, 7 Apr 1998 19:33:44 -0700 (PDT)
Received: from sis_gateway.sains.com.my (unverified [202.185.166.11]) by sitc.sarawak.gov.my (EMWAC SMTPRS 0.83) with SMTP id ; Wed, 08 Apr 1998 10:39:04 +0800
Message-Id: <199804080239-56977@sains.com.my>
Date: Wed, 08 Apr 1998 10:39:10
X-Mailer: Microsoft Mail with Intergate/SMTP (v1.Free)
From: TSWONG@sains.com.my (Wong Teck Seng,SAINS)
To: firewalls@GreatCircle.COM
Cc: TSWONG@sains.com.my
Subject: Server Sizing
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi, all:

I wonder if the above topic is applicable here.
I am conducting applied research on the right sizing of servers for the following applications:

a) Proxy Server
b) Certificate Server
c) Directory Server

The mentioned servers are Netscape products. Has anyone conducted this applied research? I would like to know if there are criteria and tools that I need to take into consideration for my research. Also, I wonder if there is any good web site for me to start on this topic.

I would be focusing on two major platforms:

a) WinTel (Windows NT and Intel)
b) UNIX (RISC architecture); preferably SOLARIS on SUN.

Deeply appreciate your great advice and help.

regards,
Teck Seng

From firewalls-owner Tue Apr 7 23:49:40 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA07212; Tue, 7 Apr 1998 20:24:12 -0700 (PDT)
Received: from mailman.cisco.com (mailman.cisco.com [171.68.225.9]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id UAA07199 for ; Tue, 7 Apr 1998 20:24:05 -0700 (PDT)
Received: from clonvick-pc.cisco.com (clonvick-isdn.cisco.com [171.70.238.6]) by mailman.cisco.com (8.8.5-Cisco.2-SunOS.5.5.1.sun4/CISCO.SERVER.1.2) with SMTP id UAA11728; Tue, 7 Apr 1998 20:28:42 -0700 (PDT)
Message-Id: <3.0.32.19980407222630.0070c368@localhost>
X-Sender: clonvick@localhost
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Tue, 07 Apr 1998 22:26:37 -0500
To: "Dean Ethier", fw-1-mailinglist@us.checkpoint.com, firewalls@GreatCircle.COM, firewall-wizards@nfr.net
From: Chris Lonvick
Subject: Re: DMZ config question
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Some random thoughts:

Use a switch - If any one system on the DMZ is compromised, then an attacker may be able to set up tcpdump (or similar) to capture usernames and passwords. With a switch, the attacker will only be able to get passwords on the same system that he has already compromised. He could get that from running crack. A hub will allow the sniffer package to see all traffic, including the traffic from your internal devices to the rest of the Internet. You could use a router, but that gets much more expensive if you have several DMZ devices.

Don't extend trust between the DMZ devices - If an attacker can compromise one system, you don't want them to be able to use the same password to compromise the other devices. Similarly, don't use trusting protocols like NFS between your DMZ devices.

Use your screening router to direct traffic - You want only sessions to tcp/80 (http) to go to your web server (..ok, maybe you also want tcp/443, but that depends upon what you're doing), tcp/21 and tcp/20 to go to your FTP server, and tcp/25 to go to your mail server. Do you want any inbound tcp sessions to go to your firewall? If not, then set up filters to disallow them. Do you want outbound sessions initiated from your web server or ftp server? If not, then disallow those as well.

Use your screening router to filter traffic - You may want to stop such things as spoofing, directed broadcasts, and source routing. You may also want to limit, or eliminate, ICMP messages.

Hope this helps,
Chris Lonvick
Cisco Systems Consulting Engineering
Houston, TX, USA
+1.713.778.5663

At 04:17 PM 4/7/98 -0600, Dean Ethier wrote:
>
>What's the accepted method for setting up a DMZ? Do I just a hub into my
>firewall and feed my DMZ from that? If one host on the DMZ were
>compromised, that would leave little protection for anything else on the
>DMZ. Should one also use a router instead of or in conjunction with a hub
>to provide some isolation between hosts on the DMZ? What is generally
>done?
>
>Dean Ethier
>DMR Consulting Group Inc
>
>
>

From firewalls-owner Tue Apr 7 23:51:14 1998
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id TAA24613; Tue, 7 Apr 1998 19:30:24 -0700 (PDT)
Received: from m6.sprynet.com (m6.sprynet.com [165.121.2.89]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id TAA24555 for ; Tue, 7 Apr 1998 19:30:07 -0700 (PDT)
Received: from zepher.milkyway.com (hdn94-003.hil.compuserve.com [209.154.56.3]) by m6.sprynet.com (8.8.5/8.8.5) with SMTP id TAA04524; Tue, 7 Apr 1998 19:35:17 -0700 (PDT)
Message-Id: <3.0.3.32.19980407210033.006d1b98@m6.sprynet.com>
X-Sender: jsk347@m6.sprynet.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Tue, 07 Apr 1998 21:00:33 -0400
To: "Stout, William" , "'Firewalls@GreatCircle.COM'"
From: Steve Kruse
Subject: Re: Unwanted data appears inside firewalled network
In-Reply-To:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 04:00 PM 4/3/98 -0500, Stout, William wrote:
>
>Unwanted data continues to infiltrate our protected network via SMTP,
>HTTP, NNTP, floppy disks, RAS connections, and VPNs.
>
>We have a strong firewall. What gives?
>
>
>Firewalls based on the OSI layers don't work. We need AI/fuzzy logic
>(OSI layer 8 = intelligence?).
>
>Say a cracker builds network attack at OSI layer three. You build a
>perimeter wall up to layer three, called a packet filter to his traffic
>out of your domain.

An early "solution"... only partly effective as you suggest.

>
>The cracker builds an application attack. You raise your perimeter wall
>to layer seven with a proxy.
>The cracker builds onto that application (viruses, SPAM, etc). The
>cracker is looking over your wall again. Now what? We ran out of OSI
>layers to build our wall.

Did we? By the addition of CVP, anti-spamming code, etc. we have effectively built that sort of thing now, haven't we? Of course the more we add to our solution, the more price we pay in performance. What am I missing here?

>
>We're mentally confined to this completely artificial layer model.
>Crackers aren't. We could build an AI system on the perimeter wall to
>add intelligence on the firewall. Or we could build a network-wide
>management system (tied into firewalls, virus scanners, & IDS probes) to
>create a 'ceiling' across the perimeter walls.

The AI concept is good, of course, but at what price? As network connections get faster and faster, the firewall performance vs. need for security paradigm gets fuzzier and fuzzier. I don't think every organization can afford massively parallel computing for a firewall. Nor do I believe that most can deal with multiple layers of security from multiple vendors if, for no other reason than the training it would require, to maintain. I don't like to think of myself as one who thinks only "inside the box" but I'm not sure I see how to implement AI in a reasonable package that can keep up with increasing bandwidth demands (at least at an affordable price) at the Firewall Level.

Carrying the concept to a "big brother" syndrome where we have AI that is tied to all of the pieces (Firewall, IDS, Routers, Servers, Desktops... etc), didn't IBM build that once (something called "Netview"??) At least the idea was similar as I recall. Design an interface that can talk to one of ANYTHING and report it on a single screen. Interpret all of the messages from all of the devices, put them into plain English (or the language of YOUR country) so the semi-skilled can watch a single monitor? Maybe, again, I'm missing something big, but that concept hasn't flown for the masses as yet, at least that I know of. SNMP was going to do that too, but became a big security headache all by itself.

I'd love to hear where we, as a firewall vendor community, can go with this to meet Bill's idea.
I'd love to see AI as an integral part of the security package. But as our friends in Redmond don't quite ask, it's not "Where do you want to go today?", it's "How the heck do we get there today???"

Steve Kruse

>
>Bill Stout
>

Steve Kruse                  skruse@milkyway.com
Milkyway Networks            jsk347@sprynet.com
Southern Region Sales Mgr.   PGP Key on most Keyservers
http://www.milkyway.com      KEY ID: 0x9DB7C8FB
Support your right to privacy. Encrypt whenever possible!
This sig made from 100% recycled hacking bits stopped by SecurIT Firewall

From firewalls-owner Wed Apr 8 01:42:26 1998
Date: Wed, 8 Apr 1998 02:55:21 -0500 (CDT)
From: Powertel Boca Ltd
To: firewalls@greatcircle.com
Subject: Livingston's IRX211 firewall router

Hi,

Has anyone out there installed the IRX211 firewall router from Livingston? How does the IRX211 compare with Cisco's PIX?

And a basic question ... Is a firewall router better than a software implementation such as through Checkpoint etc.? Or do they complement each other?
Thanks

Nataraj,S

From firewalls-owner Wed Apr 8 02:15:30 1998
From: "Gaurav Sabharwal"
Date: Wed, 8 Apr 1998 08:47:36 +0530
Subject: RE: Cisco Centri 4.0 Firewall for NT
In-Reply-To: <352A699B.573A@Yugoslavia.EU.net>

We had installed a Cisco Centri eval copy about a month ago. If I am not mistaken, Cisco recommends that the NT box should be running SP2 and NOT SP3. I know that SP2 is hell but this is what Cisco recommended. It worked perfectly for us on 2 NT boxes but we didn't go for the same.

If you are looking for an NT based firewall, I would suggest Raptor. Pretty good.

Regards,
Gaurav Sabharwal
gauravs@hss.hns.com
http://www.hssworld.com
http://www.hns.com

Always remember you're unique, just like everyone else.
| -----Original Message-----
| From: firewalls-owner@GreatCircle.COM [mailto:firewalls-owner@GreatCircle.COM] On Behalf Of Srdjan Pantic
| Sent: Tuesday, April 07, 1998 11:30 PM
| To: Firewalls@GreatCircle.COM
| Subject: Cisco Centri 4.0 Firewall for NT
|
| Is there any experience regarding Cisco Centri 4.0 for NT Firewall?
| I tried to install my copy on two different machines and got only two dead NT. Of course, NT servers on both machines worked perfectly previously, with two NICs.
|
| We are working very closely with Cisco because we, as an ISP, are using a lot of Cisco hardware, but I'm very frustrated with that piece of software.
|
| Is there any advice regarding Centri or maybe a recommendation for different firewalls for NT?
|
| And before we start a war: yes, it must be a software firewall and the OS must be NT. Customer request.
|
| Thank you in advance.
|
| --
| Srdjan Pantic, System Engineer, EUnet Yugoslavia
| Obilicev venac 4, 11000 Beograd, YU
| tel: +381 11 3282608, fax: +381 11 3282760
| http://www.Yugoslavia.EU.net
| Connecting Europe since 1982 - e-mail: spantic@Yugoslavia.EU.net

From firewalls-owner Wed Apr 8 02:15:37 1998
From: "Michael H.
Warfield"
Subject: Re: Questions about ICMP
In-Reply-To: <199804080028.RAA21081@yginsburg.el.nec.com> from Bob De Witt at "Apr 7, 98 05:28:15 pm"
To: rdew@el.nec.com (Bob De Witt)
Date: Tue, 7 Apr 1998 22:09:41 -0400 (EDT)
Cc: firewalls@GreatCircle.COM, rramirez@encomix.es, Rick_McMaster@freddiemac.com, rdew@el.nec.com

All,

Bob De Witt enscribed thusly:

> Guys,
> Maybe I'm just stupid today, but isn't traceroute just a series of ICMP packets
> with a specific Time-To-Live set in stages? And if ICMP packets are allowed,
> how do you block the "traceroute" program?

Close but not quite. Most traceroutes work by sending out UDP packets to varying port numbers and varying TTLs. Quite often you start off with a particular port and a TTL of 1 and increment each for each hop. An ICMP return of TTL expired returns the IP address of that hop. The port number is a double check on the depth.

What this means is that traceroute, in most cases, can be blocked either by blocking UDP in the "outbound" direction or by blocking ICMP in the "inbound" direction. I say most cases because I know of certain flavors of traceroute on Windows NT which use ICMP on both sides, the sending and return. Of course the return side has to be ICMP. The sending side, in this case, is also ICMP due to some incredibly typical brain damage in the Windows socket library that screws with the classical traceroute paradigm of incrementing TTL and incrementing ports on a UDP socket.

So... You can block someone from tracerouting around your network just by inhibiting UDP at your firewall... A WISE MOVE ANYWAYS!

> Bob De Witt,
> (old email address: rdew@el.nec.com)
> (new email address, after 4/10/98: rdew@...tbd...)
> The views expressed herein are my own,
> and are not attributable to any other
> source, be it employer, friend or foe.
>
> From Rick_McMaster@freddiemac.com Mon Apr 6 23:48:50 1998
> > From: Rick_McMaster@freddiemac.com (McMaster, Rick)
> > To: firewalls@GreatCircle.COM (firewalls), rramirez@encomix.es (Roman Ramirez)
> > Date: Wed, 01 Apr 1998 18:24:46 -0500
> > Subject: RE: Questions about ICMP
> >
> > I do not have a real problem with ping to and from specific hosts, but I
> > would never allow traceroute through my firewalls. Using traceroute a
> > person can map your entire internal network.
> >
> > Rick
> > ----------
> > >From: Roman Ramirez
> > >To: firewalls
> > >Subject: Questions about ICMP
> > >Date: Wednesday, April 01, 1998 6:27AM
> > >
> > >Hello:
> > >
> > >I have some questions about ICMP filtering: what kind of ICMP packets
> > >should I filter?
> > >
> > >In other words, what ICMP options can I permit in packets?
> > >
> > >I'm seeking a RESTRICTIVE policy, but I need to let ping and
> > >traceroute get out and in...
> > >
> > >Thx in advance
> > >
> > >--
> > >http://www.encomix.es/users/patowc
> > >mailto://rramirez@encomix.es

Mike
--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
(The Mad Wizard)    | (770) 925-8248 | http://www.wittsend.com/mhw/
NIC whois: MHW9     | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!

From firewalls-owner Wed Apr 8 05:18:53 1998
Date: Wed, 08 Apr 1998 10:00:29 +0200
To: firewalls@GreatCircle.COM
From: Nuno Guarda
Subject: RE: Questions about ICMP

At 17:28 07-04-1998 -0700, you wrote:
>Guys,
>
>Maybe I'm just stupid today, but isn't traceroute just a series of ICMP packets
>with a specific Time-To-Live set in stages? And if ICMP packets are allowed,
>how do you block the "traceroute" program?
>

Blocking "outbound" ICMP message types 3 (destination unreachable: host, network, port or other) and 11 (time exceeded).
Nuno

-----------------------------------------------------------
Nuno Guarda
Centro de Informatica (CI), ISLA - Leiria
Rua da Cooperativa, S.Romao, Leiria, 2410 Leiria - Portugal
Tel: +351 (44) 820650   Fax: +351 (44) 813021

From firewalls-owner Wed Apr 8 05:22:55 1998
To: rdew@el.nec.com (Bob De Witt)
Cc: firewalls@greatcircle.com, rramirez@encomix.es, Rick_McMaster@freddiemac.com
Subject: Re: Questions about ICMP
In-reply-to: <199804080028.RAA21081@yginsburg.el.nec.com>
Date: Wed, 08 Apr 1998 13:33:52 +0200
From: Jean-Christophe Touvet

> Maybe I'm just stupid today, but isn't traceroute just a series of ICMP
> packets
> with a specific Time-To-Live set in stages?

Actually, there are two main flavors of traceroute:

1. UNIX (Van Jacobson's): high-numbered UDP ports incoming (usually UDP ports 33434 + 3*TTL), ICMP_TIMXCEED or ICMP_UNREACH_PORT outgoing
2. Windows: ICMP_ECHO incoming, ICMP_TIMXCEED or ICMP_ECHOREPLY outgoing

Any IP protocol could be used. Incidentally, we have developed a TCP variant which works very well.

> And if ICMP packets are allowed,
> how do you block the "traceroute" program?

You can't.
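Added example, not code from any poster in this thread: a small Python model of the two traceroute flavors Touvet lists, run against the filtering policies Warfield and Guarda propose, to show which policy hides which hops of a defended network. It takes the direction convention from Touvet's post (probes inbound to the defended network, ICMP replies outbound) and his port formula 33434 + 3*TTL; the five-hop path with the firewall at hop 3, the policy function names and the hop-counting model are constructed assumptions of this example.

```python
from dataclasses import dataclass
from typing import Callable, Iterator, List, Tuple

# ICMP message types named in the thread (RFC 792 values)
ICMP_ECHOREPLY = 0
ICMP_UNREACH = 3
ICMP_ECHO = 8
ICMP_TIMXCEED = 11


@dataclass(frozen=True)
class Packet:
    direction: str       # "in" = toward the defended network, "out" = leaving it
    proto: str           # "udp" or "icmp"
    dport: int = 0       # UDP destination port (0 for ICMP)
    icmp_type: int = -1  # ICMP type (-1 for non-ICMP)


Exchange = Iterator[Tuple[int, Packet, Packet]]  # (ttl, probe, reply)


def unix_traceroute(path_len: int) -> Exchange:
    """Van Jacobson flavor: UDP probe to 33434 + 3*TTL (port formula as quoted
    by Touvet); intermediate hops answer ICMP time-exceeded, the final host
    answers ICMP port-unreachable (type 3)."""
    for ttl in range(1, path_len + 1):
        probe = Packet("in", "udp", dport=33434 + 3 * ttl)
        rtype = ICMP_UNREACH if ttl == path_len else ICMP_TIMXCEED
        yield ttl, probe, Packet("out", "icmp", icmp_type=rtype)


def windows_tracert(path_len: int) -> Exchange:
    """Windows flavor: ICMP echo probes; intermediate hops answer
    time-exceeded, the final host answers echo-reply (type 0)."""
    for ttl in range(1, path_len + 1):
        probe = Packet("in", "icmp", icmp_type=ICMP_ECHO)
        rtype = ICMP_ECHOREPLY if ttl == path_len else ICMP_TIMXCEED
        yield ttl, probe, Packet("out", "icmp", icmp_type=rtype)


Policy = Callable[[Packet], bool]  # True means the firewall drops the packet


def allow_all(p: Packet) -> bool:
    return False


def drop_inbound_udp(p: Packet) -> bool:
    """Warfield's suggestion: inhibit UDP at the firewall."""
    return p.direction == "in" and p.proto == "udp"


def drop_outbound_icmp_3_and_11(p: Packet) -> bool:
    """Guarda's suggestion: block outbound unreachable (3) and time-exceeded (11)."""
    return p.direction == "out" and p.icmp_type in (ICMP_UNREACH, ICMP_TIMXCEED)


def drop_outbound_time_exceeded_only(p: Packet) -> bool:
    """Weaker variant that forgets type 3, to show why Guarda lists both."""
    return p.direction == "out" and p.icmp_type == ICMP_TIMXCEED


def revealed_hops(exchange: Exchange, policy: Policy, firewall_hop: int) -> List[int]:
    """Hop numbers the tracer learns.  A probe whose TTL expires before the
    firewall (ttl < firewall_hop) is answered by a router outside it, so no
    perimeter policy can hide those hops.  From the firewall inward a hop is
    learned only if both the probe and its reply pass the policy."""
    seen = []
    for ttl, probe, reply in exchange:
        if ttl < firewall_hop or not (policy(probe) or policy(reply)):
            seen.append(ttl)
    return seen
```

On the constructed five-hop path with the firewall at hop 3, dropping inbound UDP stops the UNIX flavor at hop 2 but leaves the Windows flavor untouched, Guarda's outbound 3+11 rule stops both inside the perimeter except for the final host's echo-reply under Windows, and a rule that forgets type 3 lets the final host answer in both flavors.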
-JCT-

From firewalls-owner Wed Apr 8 05:24:51 1998
From: Frank Cini
To: "'jama@alet.it'", "firewalls@GreatCircle.COM"
Subject: RE: public web and ftp server
Date: Wed, 8 Apr 1998 03:52:43 -0400

Alessandro,

I am not sure what you mean by "purse the access to our web and ftp servers by the proxy server". I'm going to assume that "purse" is misspelled and you mean pause, or stop the access.

I can think of two possible ways (without buying extra hardware or software).

1) From the FTP and Web Server - In your config files for the ftp and http server, you should be able to deny access from the Proxy IP. This should work even if all three servers are on the same machine by denying access from 0.0.0.0

2) Alternatively, blocking from the proxy to those sites may also be possible.

Both of these will only eliminate the proxy users from being able to access your FTP and Web sites. ...
on second thought, these schemes would probably eliminate a majority of them since they wouldn't know how to remove the proxy configuration from their web browser and ftp client ;-)

My apologies if I have misinterpreted what you were trying to express.

Regards,
--Frank

-----Original Message-----
From: Alessandro Battaglia [SMTP:jama@server.alet.it]
Sent: April 6, 1998 10:01 AM
To: firewalls@GreatCircle.COM
Subject: public web and ftp server

We maintain domains, web and ftp servers in housing and virtual hosting. We would like to purse the access to our web and ftp server by the proxy server, but I would like that any Internet user can obtain the information from our servers. Is it possible? What's the best software to obtain this goal?

Sorry for my English and many thanks in advance for your help. Any advice will be welcome.

_AB_
AleT system manager

AleTelematica personalizzata   Tel. +39 50 894002
Alessandro Battaglia           +39 50 981987
V.
delle Palanche 2/E             Fax +39 50 894707
Madonna dell'Acqua (PI) ITALY  http://www.alet.it

From firewalls-owner Wed Apr 8 05:27:32 1998
Date: Wed, 08 Apr 1998 13:43:23 +0200
From: fauquet@matranet.com (Xavier Fauquet)
To: Powertel Boca Ltd
CC: firewalls@greatcircle.com
Subject: Re: Livingston's IRX211 firewall router

I would say that they complement each other. You have better log capabilities on a software firewall than on a router. You could also have fine tuning for specific filtering with software that you cannot have with hardware. That is my personal point of view. I have already installed a filtering router with a proxy firewall.

Max

Powertel Boca Ltd wrote:
>
> Hi ,
>
> Has anyone out there installed the IRX211 firewall router from Livingston?
> How does the IRX211 compare with Cisco's PIX?
>
> And a basic question ...
>
> Is a Firewall router better than the software implementation such as
> through Checkpoint etc.? Or do they complement each other?
>
> Thanks
>
> Nataraj,S

From firewalls-owner Wed Apr 8 05:30:16 1998
Date: Wed, 8 Apr 1998 04:18:48 -0700
From: Bennett Todd
To: firewalls@greatcircle.com
Cc: alien@netcomuk.co.uk
Subject: Re: fw-1 stateful inspection vulnerabilities

1998-04-06-21:34:55 Pete Philips:
>While on the subject of stateful inspection engines, what do people
>perceive as the fundamental problems with such an approach?

``Stateful inspection'' is an interesting hack. In theory it can do amazing things. Of course, the