Firewalls-Digest Saturday, December 7 1996 Volume 05 : Number 655
In this issue:
Internet virus: can we drop it now?
Re: Cisco's PIX Firewall
Undeliverable Message
See the end of the digest for information on subscribing to the Firewalls
or Firewalls-Digest mailing lists and on how to retrieve back issues.
----------------------------------------------------------------------
Date: Tue, 3 Dec 1996 14:24:53 +0000 (GMT)
From: harley@icrf.icnet.uk
Subject: Internet virus: can we drop it now?
I think a server glitch probably chopped my previous attempt to post
this. Apologies if it turns up twice in your mailbox.
I really wish discussion on this stuff could be kept to more appropriate
lists. I spend a lot of time on virus control, and I'm happy to discuss
it with my peers, but that's not why I subscribe to this particular list.
So is there any chance we could dispose of the topics below and get back
to firewalls?
Michael Paris wrote:
> > If the virus was sent attached in a .zip or .exe and the infected file was
> > run it would infect the computer.
>
This is, of course, true. But irrelevant to this particular alert.
Nevertheless, mail programs and web browsers should not be configured
to execute downloaded executables or attachments automatically.
> >
> > I believe he was talking here of a Word Macro Virus, attached as a .DOC
> > file, that when opened by Microsoft Word would trash the hard disk.
> >
This is a possible attack. But Irina/Irenia/Irinia is a hoax. Please
check the CIAC bulletin H-05: I've previously posted the URL. And you're
talking about a hypothetical trojan, not a virus.
Irena was originally a publicity stunt generated by Penguin Books. It's
been seized upon by hoaxers and the technically-challenged.
>
> > Some users use a program CC Mail that would automagicly open Microsoft
> > Word and load the file sent in the e-mail. This could result in the loss
> > of the hard disk if the Macro Virus was opened in Microsoft word.
> >
This is a possible attack. Other mailreaders and web-browsers can be
configured similarly (and shouldn't be).
>
> > I do have a large collection of Word Viruses, one in my collection,
> > (FORMAT-C Word Macro Virus) will do just this in CC-Mail or if opened in
> > Microsoft Word.
> >
FormatC is a trojan, not a virus. It's too busy trying to trash your
disk to replicate. Destructive trojans and viruses are a possible threat,
though.
>
> > There was a wide spread message that went out about 'The Good Times Virus'
> > This indeed was a Hoax! No Virus can wipe the hard disk just by reading
> > an e-mail message. BUT, this message below told of an attachment that if
> > run would cause dammage!
>
It could be read that way. And such threats are perfectly feasible. But
this alert is untrue and unhelpful.
>
The Chinon CD trojan existed but is long past its best-by date.
EOT.
- --
David Harley                      \ | /     alt.comp.virus FAQ
D.Harley@icrf.icnet.uk            \ | /     & Anti-Virus Web Page
Support & Security Analyst        \ | /     Folk London On-Line gig-list
Imperial Cancer Research Fund  ____\|/____  http://webworlds.co.uk/dharley/
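The advice above (never let the mail client or browser execute or auto-open what arrives) is a client-configuration point, but the same rule is usually enforced again at the mail gateway, which is where a firewalls list would put it. The following is an added example, not the poster's code and not part of the digest: a small attachment policy that blocks executables, quarantines macro-capable documents and archives, and decides from the file name and the leading bytes of the payload rather than from the declared content type. The message, the file names and the policy lists are constructed for the example.

```python
"""Added example: gateway-side attachment policy. Not from the original
digest; file names, policy lists and the sample message are assumptions."""
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Declared Content-Type headers are attacker-controlled; decide from the
# file name and the first bytes of the decoded payload instead.
BLOCK_EXT = {".exe", ".com", ".bat", ".pif", ".scr"}   # run directly if opened
QUARANTINE_EXT = {".doc", ".dot", ".xls", ".zip"}      # macro-capable or containers
MZ_MAGIC = b"MZ"                                       # DOS/Windows executable header


def classify_attachment(filename, payload):
    """Return 'block', 'quarantine' or 'allow' for one attachment."""
    name = (filename or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if payload[:2] == MZ_MAGIC or ext in BLOCK_EXT:
        return "block"            # an executable, whatever it is called
    if ext in QUARANTINE_EXT:
        return "quarantine"       # hold for a scan; Word macros and zips live here
    return "allow"


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and classify every attachment part."""
    msg = message_from_bytes(raw_bytes, policy=default)
    verdicts = {}
    for part in msg.iter_attachments():
        fname = part.get_filename()
        verdicts[fname] = classify_attachment(fname, part.get_payload(decode=True))
    return verdicts


def build_sample():
    """Construct a test message (not real mail) with four attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "files"
    msg.set_content("See attached.")
    # OLE2 magic followed by filler: stands in for a Word document
    msg.add_attachment(b"\xd0\xcf\x11\xe0 fake word doc", maintype="application",
                       subtype="msword", filename="report.doc")
    msg.add_attachment(b"PK\x03\x04 fake zip", maintype="application",
                       subtype="zip", filename="patch.zip")
    # Executable disguised with a harmless name and content type
    msg.add_attachment(b"MZ\x90\x00 fake exe", maintype="text",
                       subtype="plain", filename="readme.txt")
    msg.add_attachment(b"plain notes", maintype="text",
                       subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()).items():
        print(f"{name:12} -> {verdict}")
```

The disguised executable is caught by its leading bytes even though it is labelled text/plain and named .txt; a policy keyed only on extension or content type would have let it through to a client configured to open attachments automatically.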
------------------------------
Date: Thu, 05 Dec 1996 15:26:01 -0800
From: Matthew Howard <mhoward@cisco.com>
Subject: Re: Cisco's PIX Firewall
At 04:52 PM 12/4/96 CST, Jeromie Jackson wrote:
>> At 04:17 PM 12/4/96 CST, Jeromie Jackson wrote:
>> > The exploits of sendmail are not based on the vulnerabilities associated
>> >with the sequence number, or the state of the connection. If you are
>> >running sendmail 4.1 on both machines, looking @ such criteria is not fixing
>> >the problem. Sendmail is still VERY vulnerable.
>>
>> MailGuard is an upcoming feature to be released real soon which
>> is designed specifically to protect the inside mailhubs'
>> sendmail daemons. Stay tuned.
>>
>> > For just a bit more money, it appears the user community can get an
>> >application level gateway that would provide more functionality, as well as
>> >better security. If someone is just wanting to do IP filtering & NAT for
>> >their i-net connection, something like a linux box running ipfw would be
>> >MUCH cheaper, and @ T1 speeds, or below, I believe there would be minimal
>> >degradation.
>>
>> Speed and Scalability are 2 different things.
>> Degradation on proxy servers occurs sharply when there is a large number of
>> client connections it has to "proxy for". With 3 clients pumping ftp data
>> across a proxy server firewall on ethernet you probably won't see a lot of
>> degradation.
>> Try using 100 clients going out to a remote site over a T1, you will
>> probably wonder why your T1 is not saturated if you use a Linux box.
>>
>> > Here's the problem with packet-filtering in a nutshell...
>> >
>> > 1) Packet filtering cannot evaluate data-based attacks.
>> >
>> > 2) Packet filtering bases access control on header information
>> > (src,port,dst,port,flags). As we all know, this data is not
>> > authenticated whatsoever, thus spoofing can subvert the ACLs
>>
>> Not only is the PIX not a packet filter, it is spoof-proof and protocol
>> aware.
>>
>> Take the example of CuSeeMee, on ORDINARY PACKET FILTERS you'd have to say:
>>
>> access-list 101 permit tcp 0.0.0.0 255.255.255.255 x.x.x.x 0.0.0.255 estab
>> access-list 101 permit udp 0.0.0.0 255.255.255.255 x.x.x.x 0.0.0.255 eq 7648
>> access-list 101 permit udp 0.0.0.0 255.255.255.255 x.x.x.x 0.0.0.255 eq 7649
>> or
>> set fil inet.in 11 per 0.0.0.0/0 x.x.x.0/24 tcp estab
>> set fil inet.in 12 per 0.0.0.0/0 x.x.x.0/24 udp src eq 7648 dst eq 7649
>> set fil inet.in 11 per 0.0.0.0/0 x.x.x.0/24 tcp src eq 7649 dst eq 7648
>>
>> This opens up UDP ports 7648 and 7649 BLINDLY to all traffic including
>> attacks. Also there's that infamous estab statement where someone who
>> knows how to doctor the ACK bit can inject TCP packets into the customers'
>> net.
>
> Hmm, that certainly looks like packet filtering to me. Based on header
>information, you are making decisions about packet flow. As far as being
>'spoof proof', that is just not correct. If you are talking to '1.2.3.4', I
>can send you a packet appearing as though it is originating from '1.2.3.4',
>you would believe me, because there is no authentication built into IPv4. I
>would agree that the filtering mentioned above is better than that done w/ a
>standard IP filtering device, although because decisions are being made on
>objects that are not authenticated (header information), ACLs can, and will,
>be vulnerable to spoofing/hijacking.
Do you consider Checkpoint a packet filter?
matt
>
>
>Jeromie Jackson
>Garrison Technologies
>jeromie@garrison.com
>
>
Matthew Howard
Product Line Manager            mhoward@cisco.com
Internet Business Unit 408-526-4720 (voice)
Cisco Systems Inc. 408-527-8122 (fax)
170 West Tasman Drive
Building VM2 (corner of First & Vista Montana)
San Jose, CA 95134
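The two weaknesses of the "ordinary packet filter" rules quoted in the exchange above (the `established` line that trusts a header bit, and UDP 7648/7649 opened to every source) are easy to show side by side with a filter that keeps connection state. This is an added example, not part of the original post and not Cisco, PIX or Linux ipfw code: a toy stateless filter that mimics the three ACL lines, and a toy stateful filter that admits inbound packets only as replies to traffic an inside host sent first. The customer network x.x.x.0/24 is represented by 192.0.2.0/24, the outside hosts by 198.51.100.0/24 and 203.0.113.0/24, and every packet is constructed inline.

```python
"""Added example: stateless 'established' filter vs. a stateful one.
Not from the original digest; addresses and packets are constructed."""
from dataclasses import dataclass
import ipaddress

# 192.0.2.0/24 stands in for the customer's x.x.x.0/24 (assumption).
INSIDE = ipaddress.ip_network("192.0.2.0/24")
CUSEEME_PORTS = {7648, 7649}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str            # "tcp" or "udp"
    syn: bool = False     # TCP flag bits; ignored for udp
    ack: bool = False


def is_inside(ip):
    return ipaddress.ip_address(ip) in INSIDE


def stateless_permit(pkt):
    """The three ACL lines from the post, decided from header fields only:
    TCP with the ACK bit set ('established') and UDP to 7648/7649."""
    if not is_inside(pkt.dst):
        return False
    if pkt.proto == "tcp":
        return pkt.ack                      # a forged ACK bit is enough
    if pkt.proto == "udp":
        return pkt.dport in CUSEEME_PORTS   # open to every source address
    return False


class StatefulFilter:
    """Admits an inbound packet only if it answers traffic an inside host sent:
    a TCP SYN seen leaving, or a UDP datagram seen leaving on the same 4-tuple."""

    def __init__(self):
        # entries are (inside_ip, inside_port, outside_ip, outside_port)
        self.tcp = set()
        self.udp = set()

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.proto == "tcp" and pkt.syn and not pkt.ack:
            self.tcp.add(key)               # connection opened from inside
        elif pkt.proto == "udp":
            self.udp.add(key)               # expect a reply on this 4-tuple

    def inbound_permit(self, pkt):
        if not is_inside(pkt.dst):
            return False
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        table = self.tcp if pkt.proto == "tcp" else self.udp
        return key in table


def run_demo():
    """Return {case: (stateless_verdict, stateful_verdict)} for four packets."""
    sf = StatefulFilter()
    # Inside hosts open one TCP connection and one CuSeeMe UDP session.
    sf.outbound(Packet("192.0.2.10", 40000, "198.51.100.5", 80, "tcp", syn=True))
    sf.outbound(Packet("192.0.2.20", 7648, "198.51.100.9", 7648, "udp"))

    cases = {
        # genuine SYN/ACK reply to the connection opened above
        "tcp reply": Packet("198.51.100.5", 80, "192.0.2.10", 40000, "tcp",
                            syn=True, ack=True),
        # attacker sets ACK on a packet to a port nobody connected from
        "tcp forged ack": Packet("203.0.113.7", 31337, "192.0.2.10", 139, "tcp",
                                 ack=True),
        # genuine reply to the UDP session opened above
        "udp reply": Packet("198.51.100.9", 7648, "192.0.2.20", 7648, "udp"),
        # unsolicited datagram at the 'blindly' opened port
        "udp unsolicited": Packet("203.0.113.7", 5000, "192.0.2.20", 7648, "udp"),
    }
    return {name: (stateless_permit(p), sf.inbound_permit(p))
            for name, p in cases.items()}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_demo().items():
        print(f"{name:16} stateless={stateless!s:5} stateful={stateful}")
```

The stateless filter says yes to all four packets; the stateful one rejects the forged ACK and the unsolicited datagram because it never saw an inside host open those flows. Neither filter authenticates the source address, which is Jeromie's remaining objection: a stateful filter still trusts the 4-tuple, so a reply forged from the expected peer address and port would pass both.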
------------------------------
Date: 7 DEC 96 03:29:07 EST
From: firewalls-owner
Subject: Undeliverable Message
To: Dean E Vaccher @
IS_WBRHQ@BAMSWB
BAMX400 @
MGate@BAM [C=US/A=INTERNET/DDA=ID/firewalls-digest(a)GreatCircle.COM]
Cc:
Subject: Firewalls-Digest V5 #654
Message not delivered to recipients below.
VNM3043: Dean E Vaccher @
IS_WBRHQ@BAMSWB
**** Attachment message(s) will follow in 1 separate transmissions.
------------------------------
End of Firewalls-Digest V5 #655
*******************************
To unsubscribe from Firewalls-Digest, send the following command
in the body of a message to "Majordomo@GreatCircle.COM":
unsubscribe firewalls-digest
If you want to subscribe or unsubscribe an address other than the
account the mail is coming from, such as a local redistribution list,
then append that address to the command; for example, to subscribe
"local-firewalls":
subscribe firewalls-digest local-firewalls@your.domain.net
A non-digest (direct mail) version of this list is also available; to
subscribe to that instead, replace all instances of "firewalls-digest"
in the commands above with "firewalls".
Compressed back issues are available for anonymous FTP from
FTP.GreatCircle.COM, in pub/firewalls/digest/vNN.nMMM.Z (where "NN"
is the volume number, and "MMM" is the issue number).