FYI gang. And "NO" we are NEVER going to use FreeBSD!!
Mahalo, DPP. \m/ ^_^ \m/
++++++++++++++++++++++++++++++++++++
A Manager does the thing right.
A Leader does the right thing.
++++++++++++++++++++++++++++++++++++
>>> <firewalls-digest-owner@uunet.uu.net> 01/05/96 11:00pm >>>
Firewalls-Digest          Saturday, 6 January 1996    Volume 05 : Number 008
In this issue:
SSL and S-HTTP Proxy support
Re: Security managing Cisco Routers
Re: SSL and S-HTTP Proxy support
Steps in building a firewall, Right or Wrong?
See the end of the digest for information on subscribing to
the Firewalls or Firewalls-Digest mailing lists and on how to
retrieve back issues.
----------------------------------------------------------------------
From: cbk@ingress.com (Charles B. Kaplan)
Date: Fri, 5 Jan 1996 23:21:13 -0500
Subject: SSL and S-HTTP Proxy support
From what I remember S-HTTP can be fully negotiated within the 'standard'
HTTP ports/protocol. Therefore any proxy supporting HTTP should work with
S-HTTP.

Next, while SSL COULD be implemented across multiple protocols, etc, the
'only' widespread use presently is via netscape, and that makes use of
port 443 'normally'.

The BorderWare Firewall Server, from BNTI out of the box proxies port 80,
8001, 8080, and 443, all when its WWW proxy is enabled.

I don't see why however you couldn't say use plug-gw on port 443 to do
the same types of things. NOTE however, putting your web server inside
your firewall, and then proxying to it is a BIG risk. That of course is
why BorderWare provides a 3rd network interface for 'secured servers'.
Well, enough plugging of BorderWare....if you didn't guess I resell it.

Anyone care to either verify or correct the above S-HTTP notes?

-Charles Kaplan
for more information on BorderWare call 800-254-7159
------------------------------
From: Bill Husler <bhusler@community.net>
Date: Fri, 5 Jan 1996 20:22:58 -0800
Subject: Re: Security managing Cisco Routers
>>>At 02:15 PM 12/27/95 GMT, Pietro wrote:
>>>
>>>>My actual problem is to manage several Cisco Routers situated
>>>>on a public network from a central site, from where there is no
>>>>way to guarantee secure communication.
>>>>
>
>>I have heard that Firewall-1 will manage the configurations of CISCO
>>routers remotely. I believe the way it works is that you set up the
>>configuration on a Firewall-1 Administrative Workstation and it sends
>>some sort of encrypted/secured transmission to the router to download
>>the new config.
>>Bill
>>
>
>Although I'm not intimately familiar with the internal mechanisms of
>Firewall-1, I do have a problem with the above paragraph, since we
>do not (yet) support encrypted transport mechanisms. :-)
>
>- paul
>
>--
>Paul Ferguson                      ||        ||
>Consulting Engineering             ||        ||
>Reston, Virginia USA              ||||      ||||
>tel: +1.703.716.9538          ..:||||||:..:||||||:..
>e-mail: pferguso@cisco.com     c i s c o S y s t e m s
>
>
Paul,

You're absolutely right! I talked to our Firewall-1 dudes (actually SUN)
and they said that communication is in the clear. I don't know what I
heard that made me believe otherwise. Sorry if I muddied the waters. I
also asked them to describe why we should have "warm fuzzies" that the
changes being made to the router configuration are indeed being sent
from the FW-1 admin and not some admin wannabe. I will post their
response.

Bill
------------------------------
From: Bill Husler <bhusler@community.net>
Date: Fri, 5 Jan 1996 20:46:16 -0800
Subject: Re: SSL and S-HTTP Proxy support
>From: Brian W. McKenney, mckenney@smiley.mitre.org
>
>I would like to have an update as to which commercial firewall vendors
>support or plan to support (when) an SSL and/or S-HTTP proxy. I will post
>a summary.
>
>This is the information that I have:
>
>1. TIS Gauntlet: SSL and S-HTTP proxies in next release.
>2. KarlBridge/KarlBrouter: S-HTTP proxy
>3. Milkyway Blackhole: S-HTTP
>4. SOS Brimstone: S-HTTP proxy
>5. Technologic Interceptor: S-HTTP proxy
>6. V-One SmartWall: S-HTTP proxy
>
>License versions of TIS Gauntlet will support whatever the next Gauntlet
>release supports.
>

You can add ANS Interlock to your list.

Bill
------------------------------
From: bart@pu.com (Bart Rivard)
Date: Sat, 6 Jan 1996 01:49:18 -0600
Subject: Steps in building a firewall, Right or Wrong?
Hi,

I think one of the things about building a firewall that has surprised me
is how really simple it really is. It makes me wonder if I have done
something wrong. Many people say use the TIS toolkit but I really don't
see any reason. Here are the steps I have taken; tell me what you think.

1) Installed FreeBSD on a Pentium 100 with 32 MB of RAM and two Ethernet
   NICs
2) Configured the Kernel such that IP forwarding and Source routing are
   disabled.
3) Deleted all accounts on the system except root
4) Gave root a password with numbers, letters, uppercase and lowercase,
   10 long
5) Deleted everything out of inetd.conf except DNS
6) Configured DNS so that the only machines it knows about are a Web
   server which is in the DMZ and the firewall machine, and a wildcard
   MX record.
7) Configured resolv.conf on firewall to point to the internal network
   DNS.
8) Turned off source routing on the CISCO 2500 router and added filters
   which disabled all UDP traffic except port DNS/53, all TCP inbound
   traffic except SMTP to firewall, News from specific news server to
   firewall, http to web server in DMZ. Allow all outbound TCP traffic.
   Thinking about disabling all ICMP traffic on router, what do you
   think?
9) Configured CERN web server as a proxy on the firewall using a weird
   port number. Wrapped the port with TCP Wrappers and only allow access
   from internal IP addresses. Internal IP addresses are 192.168.0.0
   thru 192.168.255.255. Wish I could limit access to web proxy by
   network interface but don't know how?
10) Modified a mail program so that it reads mail from port 25 and
   writes mail messages to disk. Completely dumb program. Does not
   handle distribution lists, aliases or anything. I then pick mail up
   off of disk and send it to internal CC mail gateway. Was there
   shareware to do equivalent? Can sendmail pick mail up off of disk? Is
   it safe to have sendmail pick mail up off of disk and distribute?
11) Put TCP Wrapper around news server port to only accept connections
   from our news provider at AT&T and internal network. Also use inn
   access control to limit access from internal network for reading news
   and news provider for dumping news.

Well, that's about it. We provide outbound Web, Gopher, FTP and WAIS
through the CERN Proxy. Is this safe? We don't allow any UDP to pass
firewall. We don't allow anything to come in from the outside through
the firewall except mail. The firewall doubles as a news server so we
don't allow news to pass through firewall but the firewall doubles as a
news server. Is it safe to use a firewall as a news server?

Please comment!! Send all comments to bart@pu.com.

TIA,
Bart
------------------------------
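The router filter in step 8 of Bart's post, modelled as a first-match packet filter so the stated rules can be checked against sample packets. This is an added example, not code from the digest or from Bart's setup: the addresses are constructed from the IETF documentation ranges (192.0.2.1 for the firewall, 192.0.2.10 for the DMZ web server, 203.0.113.5 standing in for the news provider), the ports follow the steps above, and the optional `established` rule is an assumption about what a stateless Cisco access list needs before "allow all outbound TCP" actually lets the replies back in.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses (IETF documentation ranges), not the site's real ones.
FIREWALL = "192.0.2.1"      # the FreeBSD firewall / mail / news host
DMZ_WEB = "192.0.2.10"      # the web server in the DMZ
NEWS_FEED = "203.0.113.5"   # stands in for the news provider's server


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    direction: str = "in"   # "in": Internet -> site, "out": site -> Internet
    ack: bool = False       # TCP ACK bit set, i.e. part of an already-open connection


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    established: bool = False   # only TCP segments with ACK set (Cisco 'established')

    def matches(self, p: Packet) -> bool:
        if self.direction != "any" and self.direction != p.direction:
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


def build_policy(allow_established: bool) -> List[Rule]:
    """Step-8 policy as a first-match rule list; anything unmatched is denied."""
    rules = [
        # UDP: only DNS, in either direction.
        Rule("permit", proto="udp", dport=53),
        # Inbound TCP: SMTP to the firewall, news from the provider only,
        # HTTP to the DMZ web server.
        Rule("permit", "in", "tcp", dst=FIREWALL, dport=25),
        Rule("permit", "in", "tcp", src=NEWS_FEED, dst=FIREWALL, dport=119),
        Rule("permit", "in", "tcp", dst=DMZ_WEB, dport=80),
        # Outbound TCP: everything.
        Rule("permit", "out", "tcp"),
    ]
    if allow_established:
        # Assumed extra line: a stateless filter has no memory of the outbound
        # connection, so replies must be let in by matching the ACK bit.
        rules.append(Rule("permit", "in", "tcp", established=True))
    return rules


def evaluate(rules: List[Rule], p: Packet) -> str:
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"   # implicit deny, as at the end of a Cisco access list


def demo() -> dict:
    """Run a few constructed packets through both variants of the policy."""
    outside = "198.51.100.20"   # constructed Internet host
    reply = Packet("tcp", outside, FIREWALL, 40000, "in", ack=True)
    strict, with_est = build_policy(False), build_policy(True)
    return {
        "smtp_to_firewall": evaluate(strict, Packet("tcp", outside, FIREWALL, 25)),
        "smtp_to_dmz_web": evaluate(strict, Packet("tcp", outside, DMZ_WEB, 25)),
        "nntp_from_feed": evaluate(strict, Packet("tcp", NEWS_FEED, FIREWALL, 119)),
        "nntp_from_other": evaluate(strict, Packet("tcp", outside, FIREWALL, 119)),
        "dns_udp_in": evaluate(strict, Packet("udp", outside, FIREWALL, 53)),
        "ntp_udp_in": evaluate(strict, Packet("udp", outside, FIREWALL, 123)),
        "icmp_in": evaluate(strict, Packet("icmp", outside, FIREWALL)),
        "web_out": evaluate(strict, Packet("tcp", FIREWALL, outside, 80, "out")),
        "reply_strict": evaluate(strict, reply),
        "reply_established": evaluate(with_est, reply),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

The last two cases are the thing to check on a stateless router: the replies to the proxy's outbound web connections have no rule of their own, so "all inbound TCP denied except SMTP, news and HTTP" silently breaks outbound browsing unless something like the `established` line is present, and since that line keys on the ACK bit alone it is a much weaker check than a proxy or stateful filter that remembers the connection. That gap is the usual argument for the TIS toolkit proxies Bart is asking about.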
End of Firewalls-Digest V5 #8
*****************************
To unsubscribe from Firewalls-Digest, send the following command in the
body of a message to "Majordomo@GreatCircle.COM":

    unsubscribe firewalls-digest

To subscribe, send the command "subscribe firewalls-digest" instead.

If you want to subscribe or unsubscribe something other than the account
the mail is coming from, such as a local redistribution list, then append
that address to the command; for example, to subscribe "local-firewalls":

    subscribe firewalls-digest local-firewalls@your.domain.net

A non-digest (direct mail) version of this list is also available; to
subscribe to that instead, replace all instances of "firewalls-digest" in
the commands above with "firewalls".

Compressed back issues are available for anonymous FTP from
FTP.GreatCircle.COM, in pub/firewalls/digest/vNN.nMMM.Z (where "NN" is
the volume number, and "MMM" is the issue number).