Firewalls Digest Saturday, 2 April 1994 Volume 03 : Number 101
In this issue:
Re: Cisco 3101 as a firewall
INTERNET STILL VULNERABLE, encryption standard only reliable solution ( Vinton Cerf Testimony at a House Subcommittee )
My apologies for bogus Firewalls-Digest issues last night
Re: Cisco 3101 as a firewall
"ICMP redirects"
Re: Mixing Authentification Strategies
"FORGED ICMP REDIRECTS CORRECTION"
Re: INN on a Firewall vs Socks proxy NNTP
Re: "ICMP redirects"
See the end of the digest for information on subscribing to the Firewalls
or Firewalls-Digest mailing lists and on how to retrieve back issues.
----------------------------------------------------------------------
From: Ray Hunter ECD <RHUNTER%ESOC.BITNET@vm.gmd.de>
Date: Fri, 1 Apr 94 11:06:22 EST
Subject: Re: Cisco 3101 as a firewall
fair comment Brent.
I think this discussion is a bit marginal to the list, but I beg your
indulgence. If you want even more Cisco opinions then have a look at the
newsnet group comp.dcom.sys.cisco.
I agree that the 4000 is almost certainly overkill in 95% of cases.
It depends how much budget you have!
If you are looking for a 2e 'choke router' aka packet filter, that is not
running much multiprotocol routing then a 3101 is fine.
However, the applications mentioned were:
(1) ethernet to ethernet
(2) involved large use of graphics (WWW etc)
(I assumed by the positioning that it involved large volumes)
Also the world (and especially Cisco) drop hardware as soon as it is out of
fashion. I have heard (a rumour) from a Cisco VAR that the 3000 has a limited
future. OK perhaps he was trying to sell us a more expensive box!
Since the design is now virtually the oldest in the range I tend to agree.
(if you agree the AGS+ on a CSC4 is very different from an AGS on CSC3;
and a 3000 is basically a reboxed IGS)
The 3000 is fixed hardware config, and stands little chance of re-use
if the topology changes.
The 4000 (with the addition of an NP-E module and the new ip packet filtering
on inbound packets) could conceivably be used as a screened subnet gateway
on its own for a small incremental cost.
One thing that is rarely mentioned in testing is that when a cisco rebuilds
routing tables it can stop forwarding. This can give a noticeable 'pause'
of 0.5-1 second where NO packets are forwarded (yes I have seen this on the
4000 too). Here the larger processor comes into its own when running
multi-protocol routing.
To conclude:
If you are looking at a *cheap* packet filter with only 2e interfaces for
IP only with no fancy routing beyond IGRP/static then look at the 3101
with the basic software option. European list price= $4994
(plus $563 for bridging if you need it)
If you think your net is going to change or you have really *high* X/
graphics based applications or you are running a complex routing set up
then look at the 4000 with 1 NP2-e interface: European list=$9500
(plus $1001 for bridging)
It's only double the price.
I *know* our net is going to change (otherwise I'd be out of a job ;-)
______________________RHUNTER@ESOC.BITNET________________________
Ray Hunter: Cray Systems on contract to the European Space Agency
Tel. +49 6151 902953 FAX.+49 6151 902908
Room B107, ESOC, Robert Bosch Strasse 5, 64293 DARMSTADT, Germany
------------------------------
From: werner@cs.utexas.edu (Werner Uhrig)
Date: Fri, 1 Apr 1994 04:48:06 -0600
Subject: INTERNET STILL VULNERABLE, encryption standard only reliable solution ( Vinton Cerf Testimony at a House Subcommittee )
>> INTERNET STILL VULNERABLE Testimony at a House Subcommittee on
>> Science indicates that threats to Internet security should be viewed
>> as on-going rather than isolated events. Internet Society President
>> Vinton Cerf says that development and use of an international
>> encryption standard is the only reliable solution to the problem.
>> (Chronicle of Higher Education 3/30/94 A22)
---
Werner Uhrig
<werner@cs.utexas.edu>
------------------------------
From: Brent Chapman <brent@mycroft.GreatCircle.COM>
Date: Fri, 01 Apr 1994 01:38:50 -0800
Subject: My apologies for bogus Firewalls-Digest issues last night
My apologies to the Firewalls-Digest subscribers who got the bogus
Firewalls-Digest issues last night. It wasn't an April Fool's prank,
at least not on my part (_my_ prank was going to be to rename the list
"Fireballs" for the day, but I never had time to get it set up).
I make the software I use for creating digests available via anonymous
FTP. The configuration files for Firewalls-Digest are included as
examples. Somebody somewhere apparently obtained the software,
installed it, and started running it using the unmodified sample
configuration files as their own. I've updated the examples in the
software distribution so that this won't happen again.
People who read the un-digested main Firewalls list never saw these
bogus digests, and weren't affected by the problem.
-Brent
--
Brent Chapman | Great Circle Associates | Call or email for info about
Brent@GreatCircle.COM | 1057 West Dana Street | upcoming Internet Security
+1 415 962 0841 | Mountain View, CA 94041 | Firewalls Tutorial dates
------------------------------
From: Steve Kennedy <steve@gbnet.org>
Date: Fri, 1 Apr 1994 12:52:47 +0000 (GMT)
Subject: Re: Cisco 3101 as a firewall
Ray et al,
> To conclude:
> If you are looking at a *cheap* packet filter with only 2e interfaces for
> IP only with no fancy routing beyond IGRP/static then look at the 3101
> with the basic software option. European list price= $4994
> (plus $563 for bridging if you need it)
> If you think your net is going to change or you have really *high* X/
> graphics based applications or you are running a complex routing set up
> then look at the 4000 with 1 NP2-e interface: European list=$9500
> (plus $1001 for bridging)
You could also use a KarlBrouter (only does static routes) - it's a LOT
cheaper.
Regards
Steve
--
___ |_ ___ ___ Tel: +44 (0)71 483 1169 Voice
(___ | (___) \ / (___) Data: 483 2454 WorldBlazer T3000 PEP+/v32bis...
___) | (___ \/ (___ Data: 483 2455 WorldBlazer T3000 V32bis/PEP+...
ISDN: 722 7969/70
Email Snail Mail
steve@gbnet.{org,com,net} [home] Steve Kennedy
steve@marvin.demon.co.uk [DIS dialup internet] Flat 2, 43 Howitt Rd
stevek@cellnet.co.uk [work] London, NW3 4LU
------------------------------
From: Luther Garcia <luth@sprintlink.net>
Date: Fri, 1 Apr 1994 12:54:38 -0500 (EST)
Subject: "ICMP redirects"
I was wondering if anyone out there knows a way to protect from
forged ICMP redirects. We can't just disable ICMP as we need the
ability to do pings. Any suggestions would be appreciated and carefully
considered.
luth@tiny.sprintlink.net
------------------------------
From: alastair @
cadence .
com (Alastair Young)
Date: Fri, 1 Apr 1994 10:00:51 -0800
Subject: Re: Mixing Authentification Strategies
>I've been looking at skey, one-time pads, etc. One issue which doesn't
>seem to be addressed is the mixing of authentication types. For example,
>inside a reasonably secure net one might chose to use `ordinary' unix
>authentication. When accessing from outside, one might want to normally
>use skey, but fall back to a set of memorized one-time passwords if no
>local/trustworthy skey generator is available.
>
>The trick is how to decide on the fly which to use. Alternate ports for
>alternate authentications involves excessive memorization. What I'd do
>if I were recoding login.c is to let one modify the login id to indicate
>desired authentication type:
Take a look at the firewalls toolkit from tis.com, this allows you to
specify a different authentication protocol by user and run everything from
a central authentication server over encrypted channels. I'll be expanding
our version of it to allow the same user to use strong authentication (in
our case SecurID or Skey), in some instances and passwords in others. This
will involve expanding the account record format somewhat. Marcus is
against adding too much functionality to the toolkit as complexity ->>
bugs, but we need this flexibility in our environment, particularly in the
transition from passwords to something better. Have source, will travel :-)
I am particularly keen on using the TIS authsrv daemon to do this,
specifically because it does allow multiple authentication protocols
simultaneously and you don't have to hack your client programs (login,
ftpd etc) every time you want to try out a new vendor's authentication
token. We are using SecurID now because it is the simplest from the user's
point of view. What I'm really waiting for is the iPower card in SmartDisk
format. SecurID in SmartDisk format would be nice too, particularly for ppp
applications where the system drops the line when it's quiet and
re-establishes the connection automatically when required. Having an
authentication daemon which acts as a clearing house for multiple protocols
gives real flexibility for future changes in technology.
Al
---------------------------------------------------------------------------
Alastair Young _ 2 Ariel NH Red Hunters
Cadence Design Systems, Information Services )/___ _
555 River Oaks Parkway, 4B1 __/(___)_*##/c 56 Red Menace
San Jose CA 95134 Fax: (408)894-3487 / /\\|| \ / \
alastair@cadence.com (408)428-5278 \__/ ----'\__/ 49 TwinportKit
---------------------------------------------------------------------------
These statements and opinions are mine, not those of Cadence Design Systems
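The two messages above describe the same design from different angles: the quoted poster wants to pick the authentication protocol at login time (for example by tagging the login id), and the reply describes a central authentication server that holds a per-user record of permitted protocols so that client programs never change. The following is an added illustration, not code from the digest, from the TIS toolkit, or from the authsrv daemon; it sketches a per-account record with an origin-dependent protocol policy, a reusable password check for the inside of the network, and an S/Key-style one-time password chain for access from outside. The record layout, the `user/method` login-id convention, the account "alice" and its secrets are all constructed for the example, and the hash chain uses SHA-256 and hex output in place of S/Key's 64-bit MD4 fold and six-word encoding (the chain mechanics are the same).

```python
import hashlib
import hmac
import secrets

# --- S/Key-style one-time passwords ----------------------------------------
# Simplification (assumption): SHA-256 and hex strings stand in for S/Key's
# 64-bit MD4 fold and six-word encoding; the chain mechanics are unchanged.

def skey_hash(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def skey_chain(passphrase: str, seed: str, count: int) -> bytes:
    """H^count(passphrase || seed): the one-time password with sequence number `count`."""
    x = (passphrase + seed).encode()
    for _ in range(count):
        x = skey_hash(x)
    return x


def skey_response(passphrase: str, seed: str, sequence: int) -> str:
    """Client side: the response for the sequence number the server asks for (stored seq - 1)."""
    return skey_chain(passphrase, seed, sequence).hex()


def skey_verify(account: dict, response: str) -> bool:
    """Server side: accept H^(n-1) if hashing it once yields the stored H^n, then store n-1.
    Each response is accepted once, so a captured one-time password cannot be replayed."""
    if account["skey_seq"] <= 1:
        return False  # chain exhausted: re-initialise the account with a fresh seed
    try:
        candidate = bytes.fromhex(response)
    except ValueError:
        return False
    if not hmac.compare_digest(skey_hash(candidate), account["skey_last"]):
        return False
    account["skey_last"] = candidate
    account["skey_seq"] -= 1
    return True


# --- Ordinary reusable passwords --------------------------------------------
PBKDF2_ROUNDS = 100_000


def password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(account: dict, password: str) -> bool:
    return hmac.compare_digest(password_hash(password, account["salt"]), account["pw_hash"])


# --- Account record and central dispatcher ----------------------------------

def make_account(name, password, skey_passphrase, skey_seed, skey_count, policy):
    """Account record as a central authentication server might keep it (hypothetical
    layout). `policy` maps the session's origin to the protocols permitted from there."""
    salt = secrets.token_bytes(16)
    return {
        "name": name,
        "salt": salt,
        "pw_hash": password_hash(password, salt),
        "skey_seed": skey_seed,
        "skey_seq": skey_count,
        "skey_last": skey_chain(skey_passphrase, skey_seed, skey_count),
        "policy": policy,
    }


def parse_login(login_id: str, default: str = "password"):
    """'user/skey' selects the protocol in the login id, as the quoted message proposed."""
    user, sep, method = login_id.partition("/")
    return user, (method if sep else default)


def authenticate(account: dict, origin: str, method: str, credential: str) -> bool:
    """Refuse any protocol the record does not allow from this origin, then verify it."""
    if method not in account["policy"].get(origin, ()):
        return False
    if method == "password":
        return verify_password(account, credential)
    if method == "skey":
        return skey_verify(account, credential)
    return False  # protocol this server does not speak


# Constructed example account: reusable password only from inside, S/Key from anywhere.
ALICE = make_account(
    name="alice",
    password="correct horse battery",
    skey_passphrase="constructed-example-passphrase",
    skey_seed="es12345",
    skey_count=100,
    policy={"inside": {"password", "skey"}, "outside": {"skey"}},
)
```

Because the policy lives in the account record rather than in login, ftpd or the other clients, moving a user from passwords to one-time passwords is a change to one record on the server, which is the transition the reply describes. The server never stores the S/Key passphrase, only the current head of the chain, so a copy of the account file does not yield usable one-time passwords.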
------------------------------
From: Luther Garcia <luth@sprintlink.net>
Date: Fri, 1 Apr 1994 13:09:13 -0500 (EST)
Subject: "FORGED ICMP REDIRECTS CORRECTION"
I previously (a few seconds ago) sent a message asking for help
about forced ICMP redirects. Well, reading my sent mailbox, I realized
that I made a typo, "forced ICMP redirects" should be changed to:
"forged ICMP redirects" thank you for your patience and understanding,
I have throttled myself appropriately for it. :)
luth@tiny.sprintlink.net
------------------------------
From: Randy Bias <randyb@kalpana.com>
Date: Fri, 1 Apr 1994 10:19:52 -0800 (PST)
Subject: Re: INN on a Firewall vs Socks proxy NNTP
Brent Chapman says:
>I think you're right; it _is_ a big security risk to have private
>newsgroups on a bastion host. I generally recommend putting news on
>an internal host for exactly that reason.
OK. Your point about knowing the external hosts is well taken. A quick
digression; has anyone directly on the Internet ever had MX records created
in DNS for the purpose of routing all of your mail through one external host?
(a service provider for example). I don't know if that is very useful or not,
but it would make attacks on SMTP difficult from anywhere but the external
MX mail forwarder.
>See the pub/firewalls/topics/nntp.Z file from FTP.GreatCircle.COM for
>the code and discussion.
Thanks for the pointer.
--Randy
------------------------------
From: alastair@cadence.com (Alastair Young)
Date: Fri, 1 Apr 1994 10:57:44 -0800
Subject: Re: "ICMP redirects"
> I was wondering if anyone out there knows a way to protect from
>forged ICMP redirects. We can't just disable ICMP as we need the
>ability to do pings. Any suggestions would be appreciated and carefully
>considered.
>
> luth@tiny.sprintlink.net
We selectively drop ICMP redirects using a modified version of the
Smallworks NetGate packet filter (info@smallworks.com). The capability to
select ICMP packets by type and code is not in the current release, but I
sent them the changes about a year ago.
Al
---------------------------------------------------------------------------
Alastair Young _ 2 Ariel NH Red Hunters
Cadence Design Systems, Information Services )/___ _
555 River Oaks Parkway, 4B1 __/(___)_*##/c 56 Red Menace
San Jose CA 95134 Fax: (408)894-3487 / /\\|| \ / \
alastair@cadence.com (408)428-5278 \__/ ----'\__/ 49 TwinportKit
---------------------------------------------------------------------------
These statements and opinions are mine, not those of Cadence Design Systems
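The answer above rests on one capability: a packet filter that can match ICMP by type and code, so that redirects (type 5) are dropped while echo request and reply (types 8 and 0) still pass and ping keeps working. The following is an added illustration of that selection logic, not code from the digest or from the Smallworks NetGate product; it parses the ICMP header from raw bytes, verifies the RFC 1071 checksum, and applies a small type/code policy. The sample messages are constructed inline (the gateway address 192.0.2.1 is a documentation address), and a real filter would see these bytes after the IP header, which is omitted here.

```python
import struct

# ICMP message types from RFC 792 that the policy below refers to
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_REDIRECT = 5
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's-complement sum of 16-bit words.
    Run over a message whose checksum field is already filled in, it returns 0 if intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message (header + payload) with a correct checksum.
    `rest` is the 4-byte type-specific field (id/seq for echo, gateway address for redirect)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(body)) + rest + payload


def parse_icmp(packet: bytes):
    """Return (type, code) of an ICMP message, rejecting truncated or corrupted ones."""
    if len(packet) < 8:
        raise ValueError("ICMP header truncated")
    if icmp_checksum(packet) != 0:
        raise ValueError("ICMP checksum mismatch")
    icmp_type, code = struct.unpack("!BB", packet[:2])
    return icmp_type, code


# Policy keyed by (type, code); a code of None matches every code of that type.
# Echo traffic stays open so ping works; redirects are dropped whatever their code.
POLICY = {
    (ICMP_ECHO_REQUEST, 0): "permit",
    (ICMP_ECHO_REPLY, 0): "permit",
    (ICMP_DEST_UNREACH, None): "permit",   # error reporting, fragmentation-needed
    (ICMP_TIME_EXCEEDED, None): "permit",  # traceroute replies
    (ICMP_REDIRECT, None): "drop",
}
DEFAULT_ACTION = "drop"


def filter_icmp(packet: bytes) -> str:
    """Decide 'permit' or 'drop' for one ICMP message; anything unparseable is dropped."""
    try:
        icmp_type, code = parse_icmp(packet)
    except ValueError:
        return "drop"
    if (icmp_type, code) in POLICY:
        return POLICY[(icmp_type, code)]
    return POLICY.get((icmp_type, None), DEFAULT_ACTION)


# Constructed sample messages (not captured traffic): echo request/reply with id 1 seq 7,
# a host redirect (code 1) naming gateway 192.0.2.1, a fragmentation-needed unreachable
# carrying next-hop MTU 1500, and a copy of the echo request with its last byte damaged.
SAMPLES = {
    "echo_request": build_icmp(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", 1, 7), b"ping"),
    "echo_reply": build_icmp(ICMP_ECHO_REPLY, 0, struct.pack("!HH", 1, 7), b"ping"),
    "host_redirect": build_icmp(ICMP_REDIRECT, 1, bytes([192, 0, 2, 1]), b"\x45" + b"\x00" * 27),
    "unreachable": build_icmp(ICMP_DEST_UNREACH, 4, b"\x00\x00\x05\xdc", b"\x45" + b"\x00" * 27),
}
SAMPLES["corrupted"] = SAMPLES["echo_request"][:-1] + b"?"


def run_samples() -> dict:
    """Apply the policy to every sample and return {name: action}."""
    return {name: filter_icmp(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{name:14s} -> {action}")
```

Dropping redirects at the filter is enough to keep a forged redirect from reaching hosts behind it; hosts on the same segment as the attacker still need redirect acceptance turned off in their own IP stacks, which is outside what a packet filter can do.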
------------------------------
End of Firewalls Digest V3 #101
*******************************
To subscribe to Firewalls-Digest, send the command:
subscribe firewalls-digest
in the body of a message to "Majordomo@GreatCircle.COM". If you want
to subscribe something other than the account the mail is coming from,
such as a local redistribution list, then append that address to the
"subscribe" command; for example, to subscribe "local-firewalls":
subscribe firewalls-digest local-firewalls@your.domain.net
A non-digest (direct mail) version of this list is also available; to
subscribe to that instead, replace all instances of "firewalls-digest"
in the commands above with "firewalls".
Compressed back issues are available for anonymous FTP from
FTP.GreatCircle.COM, in pub/firewalls/digest/vNN.nMMM.Z (where "NN"
is the volume number, and "MMM" is the issue number).