Great Circle Associates Firewalls
(October 1995)
 


Subject: Re: Firewalls-Digest V4 #573
From: Pat_Heinle @ STAR9GATE . MITRE . ORG (Pat Heinle)
Organization: Civil Air Patrol National Headquarters
Date: Thu, 05 Oct 1995 12:34:17 -0500
To: cmilam @ cap . au . af . mil (cmilam), Firewalls @ GreatCircle . COM (Firewalls)

Message-ID: <1995Oct05 . 103600 . 0 . 12572 @ cap . au . af . mil>
X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Organization: Civil Air Patrol National Headquarters
Date: Thu, 05 Oct 1995 11:01:17 -0500
Subject: Re: Firewalls-Digest V4 #573

Received: from relay2.UU.NET by cap.au.af.mil
  (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm))
  id AA-1995Oct05.103659.0.8957; Thu, 05 Oct 1995 10:37:00 -0500
Received: from miles.greatcircle.com by relay2.UU.NET with ESMTP 
	id QQzkah20513; Wed, 4 Oct 1995 13:56:32 -0400
Received: (majordom @ localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1)
id JAA18290 for firewalls-outgoing; Wed, 4 Oct 1995 09:44:21 -0700
Received: from mbunix.mitre.org (mbunix.mitre.org [129.83.20.100]) by
miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA18275 for
<Firewalls @ GreatCircle . COM>; Wed, 4 Oct 1995 09:44:07 -0700
Received: from star9gate.mitre.org (star9gate.mitre.org [129.83.22.1]) by
mbunix.mitre.org (8.6.10/8.6.9) with SMTP id MAA06776 for
<Firewalls @ GreatCircle . COM>; Wed, 4 Oct 1995 12:42:35 -0400
Message-ID: <n1399311904 . 47012 @ STAR9GATE . MITRE . ORG>
Date: 4 Oct 1995 12:46:35 -0500
From: "Pat Heinle" <Pat_Heinle @ STAR9GATE . MITRE . ORG>
Subject: Re: Firewalls-Digest V4 #573
To: Firewalls @ GreatCircle . COM
X-Mailer: Mail*Link SMTP-QM 3.0.2
Sender: firewalls-owner @ GreatCircle . COM
Precedence: bulk

        Reply to:   RE>Firewalls-Digest V4 #573

From: pheinle @ mitre . org
Subject:  RE> Borderware vs. Firewall-1
 
Mr. Tate asks:

I am in the process of purchasing a firewall package for the
company I work for.  I have narrowed my choices down to
Borderware and Firewall-1.  Which is a better choice, and why?  Is
there another package out there that is better I may not have
seen?
rtate @ folio . com

--
Robert,
"Info Security News" just had a supplement to their magazine for Sept/Oct. 95
entitled "Internet Security."  Within the "Internet Security" supplement was a
section -Shopping for Firewalls which contained a matrix of a majority of the
current firewall products and their attributes.  It might provide some
additional insight.  In addition to your Security Policy, which Luc noted in
his response, another issue to consider is how well the Firewall product
adjusts as your enterprise expands.  

Good luck.

Patty
--------------------------------------
Date: 10/4/95 11:34 AM
To: Pat Heinle
From: Firewalls @ GreatCircle . COM
!!! Original message was too large.
!!!
!!! It is contained in the enclosure whose name
!!! is the same as the subject of this message.
!!!
!!! A preview of the message follows:


Firewalls-Digest         Wednesday, 4 October 1995     Volume 04 : Number 573

In this issue:

	-No Subject-
	IRC
	FLEXlm with proxy ...?
	Re: NFS
	Need Windows FTP client source
	Borderware (was: Information, We want information)
	Re: Encryption strength
	Borderware vs. Firewall-1
	Exact format for subscribing the info security list.
	re: Encryption strength
	re re nfs
	Re: Mail Proxy
	Re: FW to FW FTP w/ no port > 1023
	re: Encryption strength
	re: network address translation
	RE: Borderware vs. Firewall-1 
	[none]
	Re: Encryption strength
	Re: Mail proxy

See the end of the digest for information on subscribing to the Firewalls
or Firewalls-Digest mailing lists and on how to retrieve back issues.

----------------------------------------------------------------------

From: Joseph Urban <Joseph_Urban%PMUSA @ notes . worldcom . com>
Date: 3 Oct 95 14:12:00 
Subject: -No Subject-

sunscribe firewalls-digest

------------------------------

From: oddboy @ vegas . com
Date: Tue, 3 Oct 1995 11:42:44 -0700
Subject: IRC

I find myself in the position of having to put up a private IRC server
(private being not connected to either Undernet or Efnet).  Basically this is
to allow "chat" forums for a few of my clients.

I would like to make these chat lines live outside of my firewall (and plan on
it) but am curious what I should watch out for in terms of folks being able to
hack through and into an OS. (I run Solaris 2.4, but I think the IRC server
will run on a DEC box running OSF/DecUnix.)

Any and all info will be greatly appreciated.

Gideon Wober
Systems Administrator
Digitainment Corporation

------------------------------

From: jordan @ Heuristicrat . COM (Jordan M. Hayes)
Date: Tue, 3 Oct 95 12:09:16 PDT
Subject: FLEXlm with proxy ...?

Anyone built a FLEXlm proxy for FWTK?

/jordan

------------------------------

From: Doug Hughes <Doug . Hughes @ Eng . Auburn . EDU>
Date: Tue, 3 Oct 1995 13:42:56 -0500
Subject: Re: NFS

>
>I am sure that this topic has been beaten to death, so if someone would
>just point me at the discussion (or tell me that there is no solution)
>I would be happy to take it from there.  I remember reading a paper a
>couple years ago describing why NFS could never be made secure, but for
>the life of me I can't seem to find it now.
>
>The problem is SUN's NFS under SUNOS 4.1.3/4.  I have a server with a half
>dozen file systems that are exported read-only to all the other machines
>in the domain.  I would like to restrict their mounting to machines within
>the domain while maintaining connectivity to the outside world.
>SUN's software does not support this option, it only allows specifying
>specific machine names, and the list of *all* machine names overflows
>some internal limit in SUN's software.
>
>[ The machine uses DNS and not YP, it is rumored that possibly with YP one
>can get by this limit, but I have no interest in adding YP to my list of
>problems. ]
>
>So, the Questions
>
>   (1) WITHOUT resorting to a firewall, is there any way to accomplish
>what I want to do?
>
>   (2) If not, can it be done with a `simple' packet filter, or does it
>require a full blown firewall?
>
>
>					Reg.Clemens
>					clemens @ dwf . com
>
>
>

Without necessarily resorting to a firewall, you can have your router to
the outside world block:
port 2049/udp - NFS
port 111 udp/tcp - Sun RPC
source routed packets
outside packets with internal IP source addresses (IP spoofing)

This helps prevent a great deal of the most common attacks on NFS
by preventing it getting outside your domain at the interface to
the Internet.

Also, installing the replacement tcp_wrappered version of portmap on your
NFS servers from ftp.win.tue.nl is also a good thing to do. This way
you can limit what networks are able to send RPC requests to your server.

- --
____________________________________________________________________________
Doug Hughes					Engineering Network Services
System/Net Admin  				Auburn University
			doug @ eng . auburn . edu
	Apple T-shirt on Win95 - "Been there, done that"
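
The four border-router rules in the reply above, modelled as an added example that is not part of the original posts: a Python check applied to raw IPv4 packets arriving on the outside interface. The 192.0.2.0/24 internal prefix, the function names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed internal prefix
SOURCE_ROUTE = {131: "LSRR", 137: "SSRR"}  # IPv4 loose/strict source-route option types
BLOCKED = {(17, 2049): "NFS 2049/udp", (17, 111): "Sun RPC 111/udp", (6, 111): "Sun RPC 111/tcp"}

def source_route_option(options):
    """Walk the IPv4 options area; name a source-route option if one is present."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return "malformed"             # truncated option: fail closed
        if kind in SOURCE_ROUTE:
            return SOURCE_ROUTE[kind]
        i += options[i + 1]
    return None

def inbound_verdict(packet):
    """Verdict for a packet arriving on the outside (Internet-facing) interface."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop: not IPv4"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "drop: bad header length"
    option = source_route_option(packet[20:ihl])
    if option:
        return f"drop: IP option {option}"
    if ipaddress.ip_address(packet[12:16]) in INTERNAL_NET:
        return "drop: internal source address from outside"
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if packet[9] in (6, 17) and frag_offset == 0 and len(packet) >= ihl + 4:
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
        if (packet[9], dport) in BLOCKED:
            return "drop: " + BLOCKED[(packet[9], dport)]
    return "pass"

def build(src, dst, proto, dport, options=b""):  # constructed demo packet, checksum left zero
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    addrs = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    head = struct.pack("!BBHHHBBH", (4 << 4) | ihl, 0, ihl * 4 + 8, 0, 0, 64, proto, 0)
    return head + addrs + options + struct.pack("!HHI", 40000, dport, 0)
```

Only the first fragment of a datagram carries the port numbers, so the port rules apply to packets with fragment offset zero; the source-route and spoofing rules apply to every packet.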

------------------------------

From: Joe McGuckin <joe @ ns . via . net>
Date: Tue



