Great Circle Associates Firewalls
(February 1993)
 


From: uworld!uucp@uunet.uu.net
Date: Tue, 23 Feb 93 18:16:30 -0500
Apparently-to: <greatcircle.com!Firewalls>

>From rik  Tue Feb 23 11:55:30 1993 remote from crow
Reply-To: crow!rik
Received: by crow.spirit.com (4.1/SMI-4.1)
	id AA13798; Tue, 23 Feb 93 11:55:30 MST
Date: Tue, 23 Feb 93 11:55:30 MST
From: crow!rik (Rik Farrow)
Message-Id: <9302231855.AA13798@crow.spirit.com>
To: uworld!uunet!greatcircle.com!Firewalls
Subject: Notes from Usenix BOF

These are the transcribed versions of the notes I took during the
Firewalls BOF, Tuesday Jan 26, 1993 (San Diego Winter Usenix '93).

Brent Chapman chaired this BOF.  Chapman is the manager of the firewalls
mailing list, started after an impromptu firewalls BOF at the Third
Usenix Security Symposium (Sep 92 in Baltimore, MD).  There were 600
subscribers in the first two days; there are now 941 subscribers, about 75%
US.  Of the "international" subscribers, most are from Australia,
Canada, and the UK.

Working definition of a firewall:  any system which lets you take
advantage of the Internet without being totally exposed yourself to
attack from the Internet.

[BC opened the floor to questions.]

[Question:] Does Simson and Garfinkel's book do a good job of 
explaining firewalls?
BC:  There are no good descriptions of firewalls in the trade press as
yet.

[Question:] Are firewalls a necessary evil?
BC: Given today's climate, firewalls are necessary.
Phil Karn (karn@qualcomm.com):  I can start a telnet
service on port 4391 and bypass the restrictions set up by router-based
filtering at my site.
BC:  No absolute security, best to control channels of approach.
There's value in this even if it's not perfect.

[Question:] Is it possible to do WAIS through a firewall?
BC: No practical way to do WAIS through a firewall.
Brian Berliner [berliner@sun.com]: No way to do WAIS through a proxy
service.

[something missing]
BC:  Double reverse fingering is "evil".  What FTP.UU.NET does is
OK.  They merely want to see that they can map your IP address back to
a host name.  A double reverse lookup takes that a step further: after
they look up your hostname, they then look up the IP addresses listed
for that hostname to see if the IP address you're using is one of
them.  This is a problem, because it means you have to publish all
your internal host names, which some people don't want to do.

Question about using DNS.
BC:  You can use DNS to hide internal network hostnames by running two DNS
servers, pointing gateway resolver at the internal server, and forwarding
external lookups to the gateway server.

[Someone's comment:]  You can spoof IP addresses!

BC:  If you use the wrong IP address, packets will not be returned to
their source because of routing.  IP address is more useful than the
hostname.

[Comment:]  PPP or Appletalk IP tunneling assign a random host number.
[Comment:] Distinction between IP address and hostname for logging or
authentication.  Double reverse not good for logging.

[Comment:] Public key system soon to be posted as RFC.
[BC:]  Proxy servers break MAC/PC clients.
[Comment:] Do authentication at the IP level on each packet.
[Comment:] A Kerberized version of ftp software will be shipping soon.

[BC:] What do we want to do today?

Many companies don't want to allow telnet traffic in.  [Discussion of 
secure id's begins here.]
Secure ids provide a challenge-response method for aiding in
authentication.  In some, a clock, synchronized with the server's clock,
provides a new key every minute (Security Dynamic, $75).  Other
approaches use a challenge-response which relies also on entering a PIN
before the device can be used.  These devices are bigger, and can also
be used as a calculator.  They also cost more per unit.

[Then the discussion took off in a religious or moral direction.
Casey Leedom (casey@gauss.llnl.gov) and one other gent made
remarks along the lines of "What
we need to do is educate people in appropriate Internet behavior."  I
replied "Ever tried to teach appropriate behavior to 14 year old boys or
other rebels?"  This continued for some time.]

[Question:]  What are current technologies?  What about filtering
capabilities of KA9Q?
[BC:]  I haven't seen the filtering add-ons to KA9Q made by Dave
Mischler (mischler@cubic.com) yet.  As for current capabilities, read
[BC's paper on filtering inadequacies, 3rd Usenix Security Symposium].

Had anyone heard if Cisco is fixing their filtering to handle outbound
filters?  Next release.
[BC:]  Filtering outbound-only exposes the router.  Plus, using more 
than one interface creates an n-factorial filtering problem.

[Question:]  What about using SLIP to connect small systems?
[BC:]  Use PPP from Morningstar.  Morningstar provides filtering.
Or, you can use SLIP, but don't use routed, use static
routing.  But the gateway system is still fully exposed with SLIP.

[Question?]
If you provide SMTP, telnet, ftp, and ability to read netnews, 97% of
your users won't know that firewall is there.

[Question:]  Can we trust PSI or UUNET?  Treat service providers like a
public utility.  [Someone else:]  Don't trust service providers.

[Question:]  Status of vendor security?  

Jokes about Sun's hosts.equiv with the plus.  I mention that this goes
away with Solaris 2.1 [and it does.  The installed version doesn't have
either an /etc/hosts.equiv or an /.rhosts at all. rf]  Vendors are
starting to pay attention.

[Comments:]
Wall of dorks effect.  Talking to sales techs, hard to reach a
technician who is also not a bozo.

Start with policy!

A request for a standard for ordering secure systems, maybe an RFC.  I
mention the new Federal Criteria draft.  It is available from NIST via
anonymous ftp csrc.nist.gov (129.6.54.11) in /pub/nistpubs as
fcvol1.ps.Z and fcvol2.ps.Z, or contact Nickilyn Lynch
(csmes.ncsl.nist.gov!lynch).  Lynch made a posting to alt.secure Feb 3.
Comments about draft due to NIST by 3/31.

Phil Karn said he wanted a better way to do firewalls.  "Let's just
solve the problem.  Authenticate or encrypt the individual IP packets.
Implement it at gateways, use tunneling to get it to desired machines."
[Note:  A spinoff of Xerox is selling a hardware/software solution which
performs authentication and encryption of Ethernet TCP/IP, using RISC-
based hardware, and DES or RSA, for $3500 for 16 PC nodes.  The
company's name is Semaphore, a Xerox Technology Venture. This is from an
article appearing in the Feb 22 ComputerWorld, p. 48.  I thought Xerox
was designing an Ethernet card which performed encryption of packet
contents, myself, but maybe I am wrong.  rf]

[Question:] Is there a firewalls evaluation tool?

[BC:] Not yet [but it'd make a great cracker's tool!]

Rik Farrow, rik@uworld.com, 602 282 0242 MST
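
The single and double reverse lookups described in the notes above, as an added example that is not part of the original message. The host names, addresses, and the in-memory PTR/A tables are constructed for illustration; the mismatched-PTR case goes beyond what the notes cover.

```python
# Constructed view of the DNS as seen from OUTSIDE a site that hides its
# internal host names (names are hypothetical; addresses are documentation ranges).
EXTERNAL_PTR = {
    "192.0.2.10": "gw.example.com",     # gateway: name fully published
    "192.0.2.55": "ws55.example.com",   # internal host: PTR only, name hidden
    "198.51.100.7": "gw.example.com",   # PTR names a host that lists other addresses
}
EXTERNAL_A = {
    "gw.example.com": ["192.0.2.10"],
    # no A record for ws55.example.com: the internal name is not published
}


def single_reverse(ip, ptr):
    """Single check from the notes: can the address be mapped back to a host name?"""
    return ptr.get(ip)


def double_reverse(ip, ptr, a):
    """Double reverse: look up the name, then require that the name lists this ip.

    Returns (verdict, name). Against a live resolver the two steps would be
    socket.gethostbyaddr() followed by socket.gethostbyname_ex().
    """
    name = ptr.get(ip)
    if name is None:
        return ("no-ptr", None)
    addrs = a.get(name.lower().rstrip("."), [])
    if not addrs:
        return ("no-forward", name)   # name hidden from the outside: check fails
    if ip not in addrs:
        return ("mismatch", name)     # name exists but does not list this address
    return ("ok", name)


def classify_all(ips, ptr=EXTERNAL_PTR, a=EXTERNAL_A):
    """Run both checks for each address and return {ip: (single, double)}."""
    return {ip: (single_reverse(ip, ptr), double_reverse(ip, ptr, a)[0]) for ip in ips}


if __name__ == "__main__":
    for ip, result in classify_all(list(EXTERNAL_PTR) + ["203.0.113.9"]).items():
        print(ip, result)
```

The internal workstation passes the single check but fails the double one with "no-forward", which is the cost of hiding internal host names that the notes point out.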


