From firewalls-owner Mon May 2 16:27:37 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA11323; Mon, 2 May 1994 16:27:37 GMT
Received: from SCTC.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA11317; Mon, 2 May 1994 09:27:31 -0700
Received: by SCTC.COM (4.1/SCTC-010592) id AA22454; Mon, 2 May 94 11:28:48 CDT
From: endrizzi@SCTC.COM (Michael Endrizzi)
Message-Id: <9405021628.AA22454@SCTC.COM>
Subject: Network Management Proxies and Firewalls
To: snmpv2@tis.com, nms@netmgrs.co.uk, firewalls@GreatCircle.COM
Date: Mon, 2 May 94 11:28:47 CDT
X-Mailer: ELM [version 2.3 PL11]
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I'm working on a network management security problem and want to know what applies in the real world.

If an organization is geographically distributed but interconnected via a public network (e.g. Exxon via Internet), and the organization has firewalls in place where the organizational network connects to the public network, how is the firewall typically configured to permit the flow of network management packets through the firewall:

1) IP filter
2) Network Management proxy
3) Don't care, No Op, Zilch, Nada

thanks,
dreez

--
=================================================================
*Disclaimer: The opinions expressed above are not of my employer but of the American people.
Michael J. Endrizzi   endrizzi@sctc.com   (612) 628-2732
SCC, 2675 Long Lake Road, Roseville MN, 55113 USA
=================================================================

From firewalls-owner Mon May 2 20:04:33 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA13347; Mon, 2 May 1994 20:04:33 GMT
Received: from clavin.uprc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA13339; Mon, 2 May 1994 13:04:22 -0700
Received: from cygnus.uprc.com by clavin.uprc.com (4.1/3.2.012693-Union Pacific Resources Company); id AA18955 for firewalls@greatcircle.com; Mon, 2 May 94 15:02:45 CDT
Received: by cygnus.uprc.com (5.0/SMI-SVR4) id AA07335; Mon, 2 May 1994 15:02:42 +0600
Date: Mon, 2 May 1994 15:02:42 +0600
From: lacoursj@uprc.com (Jeffrey D. LaCoursiere)
Message-Id: <9405022002.AA07335@cygnus.uprc.com>
To: firewalls@greatcircle.com
Subject: mail handling
X-Sun-Charset: US-ASCII
Content-Length: 717
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Just implemented the TIS toolkit's smap and smapd to handle mail for our domain. Configured the bastion host's sendmail.cf with a mail relay that points to our internal mail spooler. This works great for incoming mail.

Outgoing mail at the moment is still handled by our internal spooler. We have opened a hole in the screened subnet for outgoing SMTP connections from internal machines. I would RATHER have the internal spooler send outgoing mail to the bastion host (smapd) and have the bastion host relay outgoing mail to our provider's mail hub.

How can I configure the bastion host's sendmail to accomplish this selective forwarding??

Thanks in advance,

Jeff LaCoursiere
Network Admin
UPRC
Ft. Worth, TX

From firewalls-owner Mon May 2 22:04:33 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id WAA13789; Mon, 2 May 1994 22:04:33 GMT
Received: from sgigate.sgi.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA13783; Mon, 2 May 1994 15:04:26 -0700
Received: from relay.sgi.com (relay.sgi.com [192.26.51.36]) by sgigate.sgi.com (8.6.4/8.6.4) with SMTP id PAA25534; Mon, 2 May 1994 15:04:38 -0700
Received: from yeager.corp.sgi.com by relay.sgi.com via SMTP (920330.SGI/920502.SGI) for @sgigate.sgi.com:0003858921@mcimail.com id AA21544; Mon, 2 May 94 15:04:34 -0700
Received: by yeager.corp.sgi.com (931110.SGI/911001.SGI) for @sgi.com:firewalls@GreatCircle.COM id AA16051; Mon, 2 May 94 15:04:31 -0700
From: lear@yeager.corp.sgi.com (Eliot Lear)
Message-Id: <9405021504.ZM16049@yeager.corp.sgi.com>
Date: Mon, 2 May 1994 15:04:31 -0700
In-Reply-To: "Robert G. Moskowitz" <0003858921@mcimail.com> "Re: NATs" (Apr 29, 5:39am)
References: <40940429103904/0003858921NA3EM@mcimail.com>
X-Mailer: Z-Mail-SGI (3.1S.0 3mar94 MediaMail)
To: "Robert G. Moskowitz" <0003858921@mcimail.com>, Eric Fleischman, brian, ipv4 ale, big internet, firewalls
Subject: Re: NATs
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I think it's important to stress that network level security is in some sense orthogonal to application layer security. Used today, network layer security provides end to end privacy to the network code. It does you no good to have that privacy if the hosts on either end leak like sieves. On the other hand, if you're looking for a secure pipe, where you have secure ends on both sides, network layer security is just fine, regardless of the applications on either side.

--
Eliot Lear
[lear@sgi.com]

From firewalls-owner Tue May 3 12:34:34 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA17338; Tue, 3 May 1994 12:34:34 GMT
Received: from gateway.mitre.org by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id FAA17331; Tue, 3 May 1994 05:34:26 -0700
From: lazear@dockside.mitre.org
Received: from dockside.mitre.org by gateway.mitre.org (5.61/SMI-2.2) id AA04188; Tue, 3 May 94 08:35:06 -0400
Received: by dockside.mitre.org.mitre.org (4.1/SMI-4.1) id AA24794; Tue, 3 May 94 08:33:28 EDT
Message-Id: <9405031233.AA24794@dockside.mitre.org.mitre.org>
To: Michael Endrizzi
Cc: snmpv2@tis.com, nms@netmgrs.co.uk, firewalls@greatcircle.com, lazear@dockside.mitre.org
Subject: Re: Network Management Proxies and Firewalls
In-Reply-To: Your message of "Mon, 02 May 94 11:28:47 CDT." <9405021628.AA22454@SCTC.COM>
Date: Tue, 03 May 94 08:33:22 -0400
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

A project I work on has a similar setup (pieces of an organization separately attached to the Internet). There was enough autonomy that they did not want central management, so the net management "hole" in the firewall could at first be entirely closed, then opened when some management station from behind the firewall needed to get to the outer router, for example. In this restricted case (one router being accessed), you could use the TIS toolkit "plug" to wire SNMP from a management station to the router. We handle console-style interactions with a serial line from the router console to an inside host (and then use "tip" to access the router). Distances between components can prevent this simple setup.

The other approach is to devise the components so that they do not need "management". For example, static routing and a fixed configuration (access lists, addresses, etc) means you don't need to fiddle with the router very often.
Monitoring the number of bytes and packets is easily done with the "plug" mentioned above. For notification of outages, you could consider using the "plug" to let echoes go from your inside station to some host, say, on your Internet provider's network. This gives you basic connectivity info, but without trying to accommodate SNMP traps.

Firewalls can make you reexamine the "management" that *needs* to occur and how widespread your realm really is. You may find you don't need to monitor things like the NIC being up, when it's a pain to configure and justify through the firewall.

Walt

From firewalls-owner Tue May 3 13:33:39 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA17544; Tue, 3 May 1994 13:33:39 GMT
Received: from volitans.MorningStar.Com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id GAA17538; Tue, 3 May 1994 06:33:29 -0700
Received: from gefilte.MorningStar.Com by volitans.MorningStar.Com (5.65a/94040804) id AA13212; Tue, 3 May 94 09:33:36 -0400
From: Karl Fox
Received: by gefilte.MorningStar.Com (5.65a/94012401) id AA00315; Tue, 3 May 94 09:33:34 -0400
Date: Tue, 3 May 94 09:33:34 -0400
Message-Id: <9405031333.AA00315@gefilte.MorningStar.Com>
To: Luther Garcia
Cc: firewalls@greatcircle.com
Subject: Firewalls Digest V3 #101
Organization: Morning Star Technologies, Inc.
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I would think that a number of routers out there would be able to block ICMP packets based on type and code (ours does). If your vendor doesn't do this, ask them to add it -- it's a pretty simple addition, and obviously pretty useful, too.

From: Luther Garcia
Date: Fri, 1 Apr 1994 12:54:38 -0500 (EST)
Subject: "ICMP redirects"

I was wondering if anyone out there knows a way to protect from forged ICMP redirects. We can't just disable ICMP as we need the ability to do pings. Any suggestions would be appreciated and carefully considered.

luth@tiny.sprintlink.net

From firewalls-owner Tue May 3 15:08:59 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA17979; Tue, 3 May 1994 15:08:59 GMT
Received: from relay2.UU.NET by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id IAA17973; Tue, 3 May 1994 08:08:51 -0700
Received: from uucp3.uu.net by relay2.UU.NET with SMTP (5.61/UUNET-internet-primary) id AAwoho01496; Tue, 3 May 94 11:09:33 -0400
Received: from ici6.UUCP by uucp3.uu.net with UUCP/RMAIL ; Tue, 3 May 1994 11:09:34 -0400
Received: from ici5.ici.com by ici6.ici.com (4.1/SMI-4.1.3) id AA07513; Tue, 3 May 94 10:48:50 EDT
Received: from ws3.ici.com by ici5.ici.com (4.1/SMI-4.1) id AA10277; Tue, 3 May 94 10:48:49 EDT
Date: Tue, 3 May 94 10:48:49 EDT
From: lafko@ici.com (David A. Lafko)
Message-Id: <9405031448.AA10277@ici5.ici.com>
To: firewalls@greatcircle.com
Subject: Router advice needed
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

My company is in the process of connecting to the Internet through one of the commercial providers. We've contracted for a 9.6 Kbps metered service (at least initially). We will design and build a firewall prior to coming online. I just attended Brent's seminar on building a firewall and am now looking for some advice.

We are going to use a Telebit NetBlazer PN-1 for the external router. Why? It was VERY aggressively priced. Also, it is a nice inexpensive match for our low speed connection today. If we go faster in the future, it will be replaced.

Now I need an internal router between my peripheral net and internal net. I have 2 registered Class C networks (1 for peripheral, 1 for internal). What router can you recommend to use for the internal router? I am considering 2 options now, but others will be considered.

1) Telebit Netblazer ST with 2 ethernet cards
   Pro: don't need to learn new filter specification language

2) PC running BSDI with screend
   Pro: better routing algorithms
   Con: 1 more filter spec language to learn, more system configuration

I'm assuming that both 1 and 2 will cost about the same (~$3500). Can anyone give me some insight?

I also don't know some fundamental things like: Is screend bundled with BSDI? Do they support it? Also if someone could send me the proper Ethernet cards to get for the BSDI machine, I would be appreciative.

If particular vendor recommendations are inappropriate for the forum, please mail me directly.

--David Lafko (lafko@ici.com)

ps. I don't yet have Internet access -- so thank you for pointers to documents out on the net, they are appreciated -- but I can't readily download them. I have the Firewalls-FAQ.

From firewalls-owner Tue May 3 15:33:54 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA18230; Tue, 3 May 1994 15:33:54 GMT
Received: from Sun.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id IAA18224; Tue, 3 May 1994 08:33:46 -0700
Received: from Eng.Sun.COM (zigzag.Eng.Sun.COM) by Sun.COM (sun-barr.Sun.COM) id AA03674; Tue, 3 May 94 08:34:18 PDT
Received: from future.Eng.Sun.COM by Eng.Sun.COM (4.1/SMI-4.1) id AA28991; Tue, 3 May 94 08:33:27 PDT
Received: from localhost by future.Eng.Sun.COM (5.x/SMI-SVR4) id AA02671; Tue, 3 May 1994 08:34:11 -0700
Message-Id: <9405031534.AA02671@future.Eng.Sun.COM>
To: Stephen.L.Arnold@Arnold.Com
Cc: Firewalls@GreatCircle.COM
Subject: Re: Screend ports (other than ULTRIX and BSD/386)?
In-Reply-To: Your message of "Thu, 28 Apr 94 08:16:59 CDT." <01HBPA75649O8WVYY9@Arnold.Com>
Date: Tue, 03 May 94 08:34:10 PDT
From: Geoff Mulligan
Content-Length: 187
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Is there a reason that you must run screend and not an alternative that provides equal functionality without the overhead of screend's context switches from kernel to user space?

geoff

From firewalls-owner Tue May 3 16:33:23 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA18725; Tue, 3 May 1994 16:33:23 GMT
Received: from sprintlink.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA18719; Tue, 3 May 1994 09:33:16 -0700
Received: by sprintlink.net (5.65/1.34) id AA00231; Tue, 3 May 94 12:33:47 -0400
Date: Tue, 3 May 1994 12:33:47 -0400 (EDT)
From: Luther Garcia
Subject: Re: Firewalls Digest V3 #101
To: Karl Fox
Cc: firewalls@greatcircle.com
In-Reply-To: <9405031333.AA00315@gefilte.MorningStar.Com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

On Tue, 3 May 1994, Karl Fox wrote:

> I would think that a number of routers out there would be able to
> block ICMP packets based on type and code (ours does). If your vendor
> doesn't do this, ask them to add it -- it's a pretty simple addition,
> and obviously pretty useful, too.
>

Thanks for your reply :), although we have already solved the issue by reconfiguring our routers to do just that.

luth@sprintlink.net

From firewalls-owner Tue May 3 17:22:01 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA18991; Tue, 3 May 1994 17:22:01 GMT
Received: from nic.cerf.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA18985; Tue, 3 May 1994 10:21:43 -0700
Received: from world.picksys.com (world.picksys.com [192.215.148.2]) by nic.cerf.net (8.6.7/8.6.6) with SMTP id KAA23682; Tue, 3 May 1994 10:22:19 -0700
From: Jack Roth
X-Mailer: SCO System V Mail (version 3.2)
To: firewalls@greatcircle.com, jack@picksys.com, rearl@cerf.net
Subject: Firewall Configuration - SCO
Date: Tue, 3 May 94 10:10:25 PST
Message-ID: <9405031010.aa07833@world.picksys.com>
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I'm trying to put together a firewall. We're using SCO 3.2v4.2 on a Dec 433ST. We're having trouble adding a second ethernet card. The cards and drivers we're using are:

3Com 3C503 as e3B0 using the 3Com 503 Ethernet driver, board 0 (to router)
3Com 3C509 as e3E0 using the 3Com Ethernet Link III driver, board 0 (to lab)

Has anyone gotten these two boards to work in a SCO box? Has anyone gotten 2 ethernet boards to work in a SCO box, and if so, which boards and drivers are you using?
Any assistance is appreciated,

jack@picksys.com, 714-261-7425 (v), 714-261-8187 (f)

From firewalls-owner Wed May 4 02:52:16 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id CAA21462; Wed, 4 May 1994 02:52:16 GMT
Received: from BPAVMS.BPA.ARIZONA.EDU by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA21456; Tue, 3 May 1994 19:52:04 -0700
Date: Tue, 3 May 1994 19:52:39 -0700 (MST)
From: RayK
To: Firewalls@GreatCircle.COM
CC: KAPLAN@BPA.ARIZONA.EDU
Message-Id: <940503195239.20416f56@BPA.ARIZONA.EDU>
Subject: A useful book - for sure
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Cross post to RISKS (via mail submission), comp.security.announce and comp.protocols.tcp-ip news groups, and a few other various places. Sorry if you see this more than once.

Re: Firewalls and Internet Security - Repelling the Wily Hacker.
Ray Kaplan - May 2, 1994

Buy this book

Gentle folk,

Here is a risk reducer. With the wholesale rush to Internet connectivity, it's about time someone sat down and wrote a good book about how to do this exercise safely! And, sure enough, Cheswick and Bellovin have done just that.

Heaping superlatives on something of which you are enamored is always problematic - the possibility of overstatement looms large. Accordingly I'll cut to the chase. Buy this book! I do not get any money for saying this - I just believe you are well justified in getting it on your reading list - today.

In May of this year, Addison Wesley is releasing an excellent new book by Bill Cheswick and Steve Bellovin: Firewalls and Internet Security - Repelling the Wily Hacker. ISBN 0-201-63357-4. It will retail for $26.95. Bulk purchases: 800-238-9682, individual orders: 800-824-7799 (FAX 617-944-7273). Email orders over the Internet from bexpress@aw.com (no they don't take plastic via Email). For those that are net-challenged, U.S. snailmail orders from Addison-Wesley, c/o Arlene Morgan, 1 Jacob Way, Reading, MA 01867 USA.

Rumors loom large that at least one of the authors (Ches?) will be at Interop with copious quantities of this work of art. As dues of superlative authorship that is destined to be popular, I hope they both get writer's cramp autographing!

Details

While worthwhile, well written, pace-setting, technically astute works of art are rare - this is certainly one of them. I am always hard pressed to identify any one thing as unique in its decade (especially when the decade is still in progress). Suffice it to say that this work is the most complete treatment of firewall technology and experience that is available. The availability of this work is exciting news for security firewall builders - including Internet security firewall builders - and, for the great number of people that seem to be befuddled by the complexity and the general issues of interconnecting networks.

The book

While my review copy (well dog-eared, now) is a bit dated (March 7, 1994), I think you can expect that it is close to the book's final form: a standard (w=7.5in, h=9in) Addison-Wesley Professional Computing Series book like the ones that should already dot your shelves. (I don't get any money for my obvious favorable bias toward this series. My bias is born out of the fact that the series (Brian Kernighan is the consulting editor for it) contains great authors and titles like Radia Perlman's Interconnections - Bridges and Routers and Richard Stevens' TCP/IP Illustrated, Volume I - The Protocols.) 305 pages in 14 chapters, appendices, a bibliography, a list of "bombs" (security holes) and an index.

Out of the box, the authors set the tone for their work by quoting F.T. Grampp and R.H. Morris: "It is easy to run a secure computer system. You merely have to disconnect all dial-up connections and permit only direct-wired terminals, put the machine and the terminals in a shielded room, and post a guard at the door." This is followed by a detailed discussion of the art and science of building a firewall. There is so much good stuff here, that all I can do is list the book's contents - lest I write a tome which distracts you from picking up a copy of it ASAP.

Chapters and content - from the table of contents.

Getting started
  Introduction - Why security? - Picking a security policy - Strategies for a secure network - The ethics of computer security - Warning
  Overview of TCP/IP - The different layers - Routers and routing protocols - The Domain name service - Standard services - RPC-based protocols - The "r" commands - Information services - The X-11 service - Patterns of trust

Building your own firewall
  Firewalls and gateways - Firewall philosophy - Situating firewalls - Packet-filtering gateways - Application-level gateways - Circuit-level gateways - Supporting inbound services - Tunnels - good and bad - Joint Ventures - What firewalls can't do
  How to build an application-level gateway - Policy - Hardware configuration options - Initial installation - Gateway tools - Installing services - Protecting the protectors - Gateway administration - Safety analysis - why our setup is secure and fail-safe - Performance - The TIS firewall toolkit - Evaluating firewalls - Living without a firewall
  Authentication - User authentication - Host-to-host authentication
  Gateway tools - Proxylib - Syslog - Watching the network: Tcpdump and friends - Adding logging to standard daemons
  Traps, lures and honey pots - What to log - Dummy accounts - Tracing the connection
  The hacker's workbench - Introduction - Discovery - Probing hosts - Connection tools - Routing games - Network monitors - Metastasis - Tiger teams - Further reading

A look back
  Classes of attacks - Stealing passwords - Social engineering - Bugs and backdoors - Authorization failures - Protocol failures - Information leakage - Denial-of-service
  An evening with Berferd - Introduction - Unfriendly acts - An evening with Berferd - The day after - The jail - Tracing Berferd - Berferd comes home
  Where the wild things are: a look at the logs - A year of hacking - Proxy use - Attack sources - Noise on the line

Odds and ends
  Legal considerations - Computer crime statutes - Log files as evidence - Is monitoring legal? - Tort liability considerations
  Secure communications over insecure networks - An introduction to cryptography - The Kerberos authentication system - Link-level encryption - Network- and transport-level encryption - Application-level encryption
  Where do we go from here?

Appendices
  Useful free stuff - Building firewalls - Network management and monitoring tools - Auditing packages - Cryptographic software - Information sources
  TCP and UDP ports - Fixed ports - MBone usage
  Recommendations to vendors - Everyone - Hosts - Routers - Protocols - Firewalls

Bibliography - List of bombs - Index

I have criticisms, complaints and suggestions. However, considering that this is such a darn fine piece of work - I hasten to get my recommendation that you buy this book out ASAP. Meantime, to whet your appetite:

- Index - (a well done, 26 pages worth - you can actually find pointers to what you want to know! What a concept.)
- TCP ports discussion - a comprehensive list and reasonable advice on what to do with them.
- Bombs - a summarized list of the 43 major security holes that they identify.
- Bibliography - Ahhhh. 19 pages of the best firewalls-related bibliography that I've seen.
- Where to from here - excellent advice for techies and managers who don't want to keep working at the job of firewalling or who simply want to spend a bit of resources on it only once.

Kudos to the authors - buy this book.

Of course - these are my own views, and they don't necessarily reflect those of anyone - including my employer. However, in this case, they probably do.

----------
Ray Kaplan
CyberSAFE, Corporation                      rayk@ocsg.com
Formerly Open Computing Security Group (OCSG)
(206) 883-8721   FAX at (206) 883-6951
2443 152nd Ave NE   Redmond, WA 98052
Better living through authentication
---------

From firewalls-owner Wed May 4 02:55:34 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id CAA21484; Wed, 4 May 1994 02:55:34 GMT
Received: from BPAVMS.BPA.ARIZONA.EDU by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA21478; Tue, 3 May 1994 19:55:24 -0700
Date: Tue, 3 May 1994 19:56:08 -0700 (MST)
From: RayK
To: Firewalls@GreatCircle.COM
CC: KAPLAN@BPA.ARIZONA.EDU
Message-Id: <940503195608.20416f56@BPA.ARIZONA.EDU>
Subject: An event of note
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Just in case you have not seen it - (hey, I was sending mail to this list anyway. No, I don't get anything from the book or CLB).

RayK 8)

----

AN EVENT AT COMPUTER LITERACY BOOKSHOPS
----------------------------------------------------------------------
THERE BE DRAGONS: Firewalls & Internet Security
----------------------------------------------------------------------
A free presentation by Steve Bellovin

AT&T's security gateway to the Internet, research.att.com, provides only a limited set of services. Most of the standard servers have been replaced by a variety of trap programs that look for attacks. Using these, Bellovin has detected a wide variety of pokes, ranging from simple doorknob-twisting to determined attempts to break in. The attacks range from simple attempts to log in as guest to forged NFS packets. Many other sites are being probed but are unaware of it: the standard network daemons do not provide administrators with either appropriate controls and filters or with the logging necessary to detect attacks. Find out what dragons will attack - or have attacked - your system.
Steve Bellovin is also the author of "Firewalls and Internet Security". Date: Wednesday, May 18th, 1994 Time: 6:30 p.m. - 8:00 p.m. Location: Computer Literacy Bookshops 2590 North First Street (at Trimble) San Jose (408) 435-1118 Stay tuned. There are more events to come. Events at our stores are always free. ------------------------------------------------------------------------ If you would like to receive e-mail announcements for upcoming store events, simply write to: events_ca-request@clbooks.com (for events held at our California stores) events_va-request@clbooks.com (for events held at our Virginia store) ------------------------------------------------------------------------ If you have signed up for email announcements but have not received any, or wish to be removed from this list, please contact us. We add names by request only. **************************************************** Computer Literacy Bookshops, Inc. Cherrie C. Chiu eventinfo_ca@clbooks.com (408) 435-5015 x116 From firewalls-owner Wed May 4 16:14:11 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA26944; Wed, 4 May 1994 16:14:11 GMT Received: from mail.unet.umn.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA26932; Wed, 4 May 1994 09:13:52 -0700 Received: from nic (nic.state.mn.us) by mail.unet.umn.edu (5.65c) id AA04874; Wed, 4 May 1994 11:14:13 -0500 Received: from dor10.mdor.state.mn.us by nic (4.1/) id AA12185; Wed, 4 May 94 11:14:15 CDT Received: from DOR10/MAILQUEUE by dor10.mdor.state.mn.us (Mercury 1.11); Wed, 4 May 94 11:12:18 GMT+5 Received: from MAILQUEUE by DOR10 (Mercury 1.11); Wed, 4 May 94 11:12:08 GMT+5 From: "Steve Moubray" To: Firewalls@greatcircle.com Date: Wed, 4 May 1994 11:11:58 CST6CDT Subject: Resolving IP Addresses Priority: normal X-Mailer: Pegasus Mail/Windows (v1.11a) Message-Id: <23A26091622@dor10.mdor.state.mn.us> Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk When trying to 
Anonymous FTP to some sites I get the responce that that my address can't be resolved. I have spoken with many of those responsible for the Internet connection and they seem to agree that we need to make some changes to our firwewall so that the FTP sites can properly resolve our addresses. Is this nuts or do we have a problem with our DNS? Thanks for any creative responces. Steve Moubray (612) 296-2991 e-mail: steve.moubray@state.mn.us Minnesota Department of Revenue 10 River Park Plaza St. Paul, MN 55107 From firewalls-owner Thu May 5 11:22:24 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id LAA03298; Thu, 5 May 1994 11:22:24 GMT Received: from SCTC.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id EAA03292; Thu, 5 May 1994 04:22:15 -0700 Received: from sccmailhost.sctc.com (elvis.sctc.com) by SCTC.COM (4.1/SCTC-010592) id AA08394; Thu, 5 May 94 06:24:04 CDT Received: from sccmailhost.sctc.com by sccmailhost.sctc.com id 081840000; 5 May 94 6:23 CDT Received: from phantasm by sccmailhost.sctc.com id 077990000; 5 May 94 6:22 CDT Received: from dreez.sctc.com by phantasm.sctc.com (4.1/SMI-4.2) id AA18589; Thu, 5 May 94 06:21:27 CDT Received: by dreez.sctc.com (5.0/SMI-4.2) id AA10223; Thu, 5 May 1994 06:21:16 +0600 Message-Id: <9405051121.AA10223@dreez.sctc.com> To: snmpv2@tis.com, nms@netmgrs.co.uk, firewalls@GreatCircle.COM Reply-To: endrizzi@phantasm.sctc.com Subject: NMSs and Firewalls X-Mailer: exmh version 1.3delta 3/31/94 Date: Thu, 05 May 1994 06:21:15 -0500 From: Michael Endrizzi Content-Length: 1935 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk I'm having a running debate with myself over where it makes most sense to place a network management station in an firewall architecture in the real world. Opinions are welcome.... dreez A firewall can be made up of IP filter in a router OR application level filtering on a (say) Unix dual-homed gateway. 
The NMS can be on the internal net OR on the firewall if it is a workstation OR off of the firewall if it is a IP router/filter. NMS | | | NMS ---------------------- | | | | | | --------------------- | Firewall | -------------------- internal | | public | | --------------------- NMS on internal network: ------------------------ Advantages: 1) Probably most common setup 2) NMS performs NMS functions and firewall performs firewall functions Disadvantages: 1) Must program firewall to pass net management packets 2) NMS might need access to DNS for full functionality so firewall must pass DNS information 3) NMS traffic from public network might impact internal LAN performance 4) Public network now has access to internal agents 5) Misc. esoteric security risks like running protocols over net management traffic effectively bypassing firewall, trojan horses leaking internal information through NMS traffic, NMS on/off of firewall: ----------------------- Advantages: 1) Internal agents protected from public network 2) Easier to achieve global view because of ready access to internal and public DNS systems 3) Internal and public net management traffic is kept separate 4) Closes some security holes mentioned above Disadvantages: 1) Mixed functionality/purpose of firewall 2) Firewall platform may not be robust enough to host NMS (e.g. 
firewall may be old/slow equipment with old OS, only firewall affordable is IP router) From firewalls-owner Thu May 5 15:20:09 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA04409; Thu, 5 May 1994 15:20:09 GMT Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id IAA04301; Thu, 5 May 1994 08:09:08 -0700 Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA18230; Tue, 3 May 1994 15:33:54 GMT Received: from Sun.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id IAA18224; Tue, 3 May 1994 08:33:46 -0700 Received: from Eng.Sun.COM (zigzag.Eng.Sun.COM) by Sun.COM (sun-barr.Sun.COM) id AA03674; Tue, 3 May 94 08:34:18 PDT Received: from future.Eng.Sun.COM by Eng.Sun.COM (4.1/SMI-4.1) id AA28991; Tue, 3 May 94 08:33:27 PDT Received: from localhost by future.Eng.Sun.COM (5.x/SMI-SVR4) id AA02671; Tue, 3 May 1994 08:34:11 -0700 Message-Id: <9405031534.AA02671@future.Eng.Sun.COM> To: Stephen.L.Arnold@Arnold.Com Cc: Firewalls@GreatCircle.COM Subject: Re: Screend ports (other than ULTRIX and BSD/386)? In-Reply-To: Your message of "Thu, 28 Apr 94 08:16:59 CDT." <01HBPA75649O8WVYY9@Arnold.Com> Date: Tue, 03 May 94 08:34:10 PDT From: Geoff Mulligan Content-Length: 187 Status: R Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Is there a reason that you must run screend and not an alternative that provides equal functionality without the overhead of screend's context switches from kernel to user space. 
geoff From firewalls-owner Thu May 5 15:22:00 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA04426; Thu, 5 May 1994 15:22:00 GMT Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id IAA04305; Thu, 5 May 1994 08:10:10 -0700 Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA18725; Tue, 3 May 1994 16:33:23 GMT Received: from sprintlink.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA18719; Tue, 3 May 1994 09:33:16 -0700 Received: by sprintlink.net (5.65/1.34) id AA00231; Tue, 3 May 94 12:33:47 -0400 Date: Tue, 3 May 1994 12:33:47 -0400 (EDT) From: Luther Garcia Subject: Re: Firewalls Digest V3 #101 To: Karl Fox Cc: firewalls@greatcircle.com In-Reply-To: <9405031333.AA00315@gefilte.MorningStar.Com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Status: R Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk On Tue, 3 May 1994, Karl Fox wrote: > I would think that a number of routers out there would be able to > block ICMP packets based on type and code (ours does). If your vendor > doesn't do this, ask them to add it -- it's a pretty simple addition, > and obviously pretty useful, too. > Thanks for your reply :), although we have already solved the issue by reconfiguring our routers to do just that. 
luth@sprintlink.net

From firewalls-owner Thu May 5 08:43:22 1994
From: Gary L Morris
To: firewalls@greatcircle.com
Subject: Add to mail list for firewalls.
Date: Fri, 29 Apr 94 12:04:17 PST
Message-ID: <940429120417_1@ccm.hf.intel.com>

Please add to mail list for firewalls.

From firewalls-owner Thu May 5 08:53:25 1994
From: "Robert G. Moskowitz" <0003858921@mcimail.com>
To: firewalls
Subject: Number of processes for TIS TELNET proxy
Date: Fri, 29 Apr 94 14:26 EST
Message-Id: <41940429192614/0003858921NA4EM@mcimail.com>

How many processes are involved with TIS's toolkit TELNET proxy? One, or one per connected user? Important question for planning for a VERY LARGE firewall... Oh, how much memory per connected user as well.

Thanks.

Bob Moskowitz
Chrysler Corp
(313) 758-8212

From firewalls-owner Thu May 5 09:03:25 1994
From: Brent Chapman
To: Firewalls@GreatCircle.COM
Subject: Disk problems have consumed the Firewalls list for the last few days
Date: Thu, 05 May 1994 07:52:35 -0700
Message-Id: <199405051452.HAA04121@mycroft.GreatCircle.COM>

I had a disk problem last week that apparently resulted in the Firewalls and Firewalls-Digest mailing lists getting truncated to zero-length. I thought I'd checked them after resolving the disk problem, but apparently I didn't check carefully enough. Anyway, the lists have now been restored to their full length. I'll be resending the messages from those dates.

Gee, and I thought things were just quiet because everybody was at Interop...
:-)

-Brent

--
Brent Chapman         | Great Circle Associates | Call or email for info about
Brent@GreatCircle.COM | 1057 West Dana Street   | upcoming Internet Security
+1 415 962 0841       | Mountain View, CA 94041 | Firewalls Tutorial dates

From firewalls-owner Thu May 5 09:13:28 1994
From: Jack Roth
To: firewalls@greatcircle.com, jack@picksys.com, rearl@cerf.net
Subject: Firewall Configuration - SCO
Date: Tue, 3 May 94 10:10:25 PST
Message-ID: <9405031010.aa07833@world.picksys.com>

I'm trying to put together a firewall. We're using SCO 3.2v4.2 on a Dec 433ST. We're having trouble adding a second ethernet card. The cards and drivers we're using are:

3Com 3C503 as e3B0 using the 3Com 503 Ethernet driver, board 0 (to router)
3Com 3C509 as e3E0 using the 3Com Ethernet Link III driver, board 0 (to lab)

Has anyone gotten these two boards to work in a SCO box? Has anyone gotten 2 ethernet boards to work in a SCO box? If so, which boards and drivers are you using?

Any assistance is appreciated,

jack@picksys.com, 714-261-7425 (v), 714-261-8187 (f)

From firewalls-owner Thu May 5 09:23:27 1994
From: Karl Fox
To: Luther Garcia
Cc: firewalls@greatcircle.com
Subject: Firewalls Digest V3 #101
Organization: Morning Star Technologies, Inc.
Date: Tue, 3 May 94 09:33:34 -0400
Message-Id: <9405031333.AA00315@gefilte.MorningStar.Com>

I would think that a number of routers out there would be able to block ICMP packets based on type and code (ours does). If your vendor doesn't do this, ask them to add it -- it's a pretty simple addition, and obviously pretty useful, too.

From: Luther Garcia
Date: Fri, 1 Apr 1994 12:54:38 -0500 (EST)
Subject: "ICMP redirects"

I was wondering if anyone out there knows a way to protect from forged ICMP redirects. We can't just disable ICMP as we need the ability to do pings. Any suggestions would be appreciated and carefully considered.
luth@tiny.sprintlink.net

From firewalls-owner Thu May 5 09:33:26 1994
From: syj@ecmwf.co.uk (Jean-Philippe Martin-Flatin)
To: firewalls@GreatCircle.COM
Subject: Security aspects of Gopher, WAIS & WWW/Mosaic
Date: Fri, 29 Apr 1994 11:05:12 +0100
Message-Id: <9404291105.ZM13763@helena>

Hi,

I've got to make a presentation about the security aspects of world wide information servers such as Gopher, WAIS and WWW/Mosaic. I'd be specially interested in the security holes closed over the past year in these products, as well as the known threats still in them. I've got plenty of material for the telnet URL hole in Mosaic 2.2 and lynx 2.2, but very little for the hole closed in Gopher 1.12 last summer or for the use of chroot in Gopher 1.13 or 2.014, and nothing at all for WAIS and freeWAIS.

If you have written or read about this recently, I would be most grateful if you could send me a pointer. Please email direct to syj@ecmwf.co.uk. If interest is shown, I'll post a summary.

Thanks in advance

Jean-Philippe

From firewalls-owner Thu May 5 09:56:34 1994
From: lear@yeager.corp.sgi.com (Eliot Lear)
To: "Robert G. Moskowitz" <0003858921@mcimail.com>, Eric Fleischman, brian, ipv4 ale, big internet, firewalls
Subject: Re: NATs
In-Reply-To: "Robert G. Moskowitz" <0003858921@mcimail.com> "Re: NATs" (Apr 29, 5:39am)
References: <40940429103904/0003858921NA3EM@mcimail.com>
Date: Mon, 2 May 1994 15:04:31 -0700
Message-Id: <9405021504.ZM16049@yeager.corp.sgi.com>

I think it's important to stress that network level security is in some sense orthogonal to application layer security. Used today, network layer security provides end to end privacy to the network code.
It does you no good to have that privacy if the hosts on either end leak like sieves. On the other hand, if you're looking for a secure pipe, where you have secure ends on both sides, network layer security is just fine, regardless of the applications on either side.

--
Eliot Lear [lear@sgi.com]

From firewalls-owner Thu May 5 10:03:29 1994
From: R.P.Handy@ste0411.wins.icl.co.uk
To: firewalls@GreatCircle.COM
Subject: FIREWALL CONSULTANCY REQUIRED (UK)
Date: Fri, 29 Apr 1994 10:35:12 +0100
Message-ID: <"3187*/I=RP/S=Handy/OU=ste0411/O=icl/PRMD=icl/ADMD=gold 400/C=GB/"@MHS>

FIREWALL CONSULTANCY REQUIRED (UK)

Is anyone interested in providing some firewall consultancy in the UK? World Integrated Network Services Ltd (WINS) has an Internet connection on which we would like a bastion-type firewall.

The requirements would involve (draft only, subject to change):

- A bastion system, providing proxy services.
- The usual services: telnet, ftp, SMTP, news, gopher, mosaic etc.
- Possibly an anonymous ftp server.
- Possibly a World Wide Web server.

The contract would involve the setting up of the firewall, providing full documentation & training to enable WINS staff to administer the service, and possibly ongoing support.

If you would like to discuss this further, please contact:

Richard Handy, WINS
e-mail: r.p.handy@ste0411.wins.icl.co.uk
Tel: 0438 313361 x2019

From firewalls-owner Thu May 5 10:07:47 1994
From: lafko@ici.com (David A. Lafko)
To: firewalls@greatcircle.com
Subject: Router advice needed
Date: Tue, 3 May 94 10:48:49 EDT
Message-Id: <9405031448.AA10277@ici5.ici.com>

My company is in the process of connecting to the Internet through one of the commercial providers. We've contracted for a 9.6 Kbps metered service (at least initially). We will design and build a firewall prior to coming online. I just attended Brent's seminar on building a firewall and am now looking for some advice.

We are going to use a Telebit NetBlazer PN-1 for the external router. Why? It was VERY aggressively priced. Also, it is a nice inexpensive match for our low speed connection today. If we go faster in the future, it will be replaced.

Now I need an internal router between my peripheral net and internal net. I have 2 registered Class C networks (1 for peripheral, 1 for internal). What router can you recommend to use for the internal router? I am considering 2 options now, but others will be considered.

1) Telebit Netblazer ST with 2 ethernet cards
   Pro: don't need to learn new filter specification language

2) PC running BSDI with screend
   Pro: better routing algorithms
   Con: 1 more filter spec language to learn, more system configuration

I'm assuming that both 1 and 2 will cost about the same (~$3500). Can anyone give me some insight? I also don't know some fundamental things like: Is screend bundled with BSDI? Do they support it? Also, if someone could send me the proper Ethernet cards to get for the BSDI machine, I would be appreciative. If particular vendor recommendations are inappropriate for the forum, please mail me directly.

--David Lafko (lafko@ici.com)

ps. I don't yet have Internet access -- so thank you for pointers to documents out on the net, they are appreciated -- but I can't readily download them. I have the Firewalls-FAQ.
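The type-and-code ICMP filtering Karl Fox describes above (drop forged Redirects, keep ping working, as Luther Garcia needed) is the kind of rule a screening router such as the ones David Lafko is comparing would apply. The following is an added illustration, not code from any poster or from screend or the NetBlazer: it parses a raw IPv4 datagram, looks up the ICMP type and code in a first-match rule table, and denies anything unmatched. The packets are constructed test data, and the table also admits Fragmentation Needed and Time Exceeded, which goes a little beyond what the thread discusses.

```python
"""Screening-router style ICMP filter keyed on ICMP type and code.

Added illustration, not code from any message on the list: parse a raw IPv4
datagram and, for ICMP traffic, decide allow/deny from a small rule table so
that Redirects (type 5) are dropped while echo request/reply (ping) still
pass.  All packets below are constructed test data.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

IPPROTO_ICMP = 1

# ICMP message types used by the rules (RFC 792)
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_REDIRECT = 5
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11


@dataclass(frozen=True)
class Verdict:
    allow: bool
    reason: str


# Rule table: (type, code, allow); code None matches any code.
# First match wins; anything unmatched falls through to the default deny.
ICMP_RULES = [
    (ICMP_REDIRECT, None, False),      # a forged Redirect rewrites a host's routing table
    (ICMP_ECHO_REQUEST, 0, True),      # keep ping working in both directions
    (ICMP_ECHO_REPLY, 0, True),
    (ICMP_DEST_UNREACH, 4, True),      # Fragmentation Needed: path-MTU discovery
    (ICMP_TIME_EXCEEDED, None, True),  # traceroute replies
]


def parse_ipv4(pkt: bytes) -> Optional[Tuple[int, bytes, bytes, bytes]]:
    """Return (protocol, src, dst, payload) or None if the header is not sane."""
    if len(pkt) < 20:
        return None
    ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4  # header length including options, in bytes
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        return None
    return proto, src, dst, pkt[ihl:total_len]


def icmp_verdict(pkt: bytes) -> Verdict:
    """Apply ICMP_RULES to one datagram; non-ICMP traffic is left to other rules."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return Verdict(False, "malformed IPv4 header")
    proto, _src, _dst, payload = parsed
    if proto != IPPROTO_ICMP:
        return Verdict(True, "not ICMP; decided by the TCP/UDP rules")
    if len(payload) < 8:
        return Verdict(False, "truncated ICMP header")
    icmp_type, icmp_code = payload[0], payload[1]
    for rule_type, rule_code, allow in ICMP_RULES:
        if rule_type == icmp_type and (rule_code is None or rule_code == icmp_code):
            return Verdict(allow, f"rule match: type {icmp_type} code {icmp_code}")
    return Verdict(False, f"no rule for type {icmp_type} code {icmp_code}; default deny")


def build_packet(proto: int, l4: bytes) -> bytes:
    """Constructed IPv4 datagram (no options, checksums left zero) for testing."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return header + l4


def build_icmp(icmp_type: int, icmp_code: int) -> bytes:
    """Constructed IPv4+ICMP datagram with an 8-byte ICMP header."""
    return build_packet(IPPROTO_ICMP, struct.pack("!BBHI", icmp_type, icmp_code, 0, 0))


if __name__ == "__main__":
    samples = {
        "redirect (host)": build_icmp(ICMP_REDIRECT, 1),
        "echo request": build_icmp(ICMP_ECHO_REQUEST, 0),
        "timestamp request": build_icmp(13, 0),
        "tcp segment": build_packet(6, b"\x00" * 20),
    }
    for name, pkt in samples.items():
        v = icmp_verdict(pkt)
        print(f"{name:18s} -> {'ALLOW' if v.allow else 'DENY':5s} ({v.reason})")
```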
From firewalls-owner Thu May 5 10:13:26 1994
From: RayK
To: Firewalls@GreatCircle.COM
CC: KAPLAN@BPA.ARIZONA.EDU
Subject: An event of note
Date: Tue, 3 May 1994 19:56:08 -0700 (MST)
Message-Id: <940503195608.20416f56@BPA.ARIZONA.EDU>

Just in case you have not seen it - (hey, I was sending mail to this list anyway. No, I don't get anything from the book or CLB).

RayK 8)

----

AN EVENT AT COMPUTER LITERACY BOOKSHOPS
----------------------------------------------------------------------
THERE BE DRAGONS: Firewalls & Internet Security
----------------------------------------------------------------------

A free presentation by Steve Bellovin

AT&T's security gateway to the Internet, research.att.com, provides only a limited set of services. Most of the standard servers have been replaced by a variety of trap programs that look for attacks. Using these, Bellovin has detected a wide variety of pokes, ranging from simple doorknob-twisting to determined attempts to break in. The attacks range from simple attempts to log in as guest to forged NFS packets. Many other sites are being probed but are unaware of it: the standard network daemons do not provide administrators with either appropriate controls and filters or with the logging necessary to detect attacks. Find out what dragons will attack - or have attacked - your system.

Steve Bellovin is also the author of "Firewalls and Internet Security".

Date: Wednesday, May 18th, 1994
Time: 6:30 p.m. - 8:00 p.m.
Location: Computer Literacy Bookshops
          2590 North First Street (at Trimble)
          San Jose
          (408) 435-1118

Stay tuned. There are more events to come. Events at our stores are always free.

------------------------------------------------------------------------
If you would like to receive e-mail announcements for upcoming store events, simply write to:

events_ca-request@clbooks.com (for events held at our California stores)
events_va-request@clbooks.com (for events held at our Virginia store)
------------------------------------------------------------------------

If you have signed up for email announcements but have not received any, or wish to be removed from this list, please contact us. We add names by request only.

****************************************************
Computer Literacy Bookshops, Inc.
Cherrie C. Chiu
eventinfo_ca@clbooks.com
(408) 435-5015 x116

From firewalls-owner Thu May 5 10:21:22 1994
From: "Robert G. Moskowitz" <0003858921@mcimail.com>
To: Eric Fleischman, brian, ipv4 ale, big internet, firewalls
Subject: Re: NATs
Date: Fri, 29 Apr 94 05:39 EST
Message-Id: <40940429103904/0003858921NA3EM@mcimail.com>

This was on the ALE list, but really belongs elsewhere... Apologies in advance to those that get multiple copies.

Brian said:

>>Semantics check: when I write NAT I mean IP-level address translation.
>>Application level gateways are different and of course they work
>>(they can even do application protocol translation if you want).
>>They are however a pain to operate - we used to run a file transfer
>>gateway, and we still have to run mail and terminal emulation gateways.

Eric said:

>Check. We have the same viewpoint once again and the only sticking point
>was in wording/communication of that viewpoint. In my own mind I had
>written off NATs as being impractical to implement but that the idea was
>great. Thus, I had mentally substituted for that term (NAT) an entity
>which is somewhat practical to implement (application layer gateways) and
>which does the same thing. I prefer the term "NAT" because it represents
>what is LOGICALLY happening.

When Noel first told me about NATs, I got excited. Something that might be easier than application gateways, read firewalls.

But I studied the NATs issues. And I listened in on the FIREWALLS list for a couple of months and came to an important realization:

Network level security is worthless as long as there is application insecurity.

And thus there will always be application gateways to institute corporate security policies.
Yes I am fighting VERY hard to allow all employees to have public EMail, but n

From firewalls-owner Fri Apr 29 16:33:15 1994
From: "Philip J. Nesser"
Organization: Olin Aerospace Company
Telephone: (206)885-5000
Fax: (206)882-5804
Us-Snail: 15825 Leary Way NE #306, Redmond WA, 98052
To: 0003858921@mcimail.com
Cc: ericf@atc.boeing.com, brian@dxcoms.cern.ch, ipv4-ale@ftp.com, big-internet@munnari.oz.au, firewalls@greatcircle.com
Subject: Re: NATs
In-Reply-To: <40940429103904/0003858921NA3EM@mcimail.com>
Date: Fri, 29 Apr 94 07:40:17 PDT
Message-Id: <9404291440.AA15079@asgaard.rocket.com>

>Date: Fri, 29 Apr 94 05:39 EST
>From: "Robert G. Moskowitz" <0003858921@mcimail.com>
>
>When Noel first told me about NATs, I got excited. Something that might be
>easier than application gateways, read firewalls.
>
>But I studied the NATs issues. And I listened in on the FIREWALLS list for
>a couple of months and came to an important realization:
>
>Network level security is worthless as long as there is application
>insecurity.

I don't think anyone will argue with you on that issue.

>So all of you IETFers, continue the network level security work. That has
>an important place. But DO NOT DELUDE YOURSELVES! It will not make the
>internet secure anymore than C2 has made UNIX secure. The application
>writers need to be indoctrinated also. Perhaps after there is a major
>security incident at some big university or company that is all C2 UNIX and
>IPng authenticated due to an application level attack, then we will raise
>our eyes and tackle the last great frontier, the network applications.

I don't think anyone is deluding themselves. Security is an issue at all levels. Just because some application writer doesn't take the time to do it right doesn't invalidate the validity of the work on making another layer as secure as possible. People, especially in the IETF, are taking security concerns much more seriously than ever before. Putting a deadbolt lock on your front door doesn't keep burglars out if you have open windows, but that doesn't mean it's a bad idea to have one put in.

>Bob

---> Phil

From firewalls-owner Thu May 5 10:33:51 1994
From: RayK
To: Firewalls@GreatCircle.COM
CC: KAPLAN@BPA.ARIZONA.EDU
Subject: A useful book - for sure
Date: Tue, 3 May 1994 19:52:39 -0700 (MST)
Message-Id: <940503195239.20416f56@BPA.ARIZONA.EDU>

Cross post to RISKS (via mail submission), comp.security.announce and comp.protocols.tcp-ip news groups, and a few other various places. Sorry if you see this more than once.

Re: Firewalls and Internet Security - Repelling the Wily Hacker.

Ray Kaplan - May 2, 1994

Buy this book

Gentle folk,

Here is a risk reducer.
With the wholesale rush to Internet connectivity, it's about time someone sat down and wrote a good book about how to do this exercise safely! And, sure enough, Cheswick and Bellovin have done just that.

Heaping superlatives on something of which you are enamored is always problematic - the possibility of overstatement looms large. Accordingly I'll cut to the chase. Buy this book! I do not get any money for saying this - I just believe you are well justified in getting it on your reading list - today.

In May of this year, Addison Wesley is releasing an excellent new book by Bill Cheswick and Steve Bellovin: Firewalls and Internet Security - Repelling the Wily Hacker. ISBN 0-201-63357-4. It will retail for $26.95. Bulk purchases: 800-238-9682, individual orders: 800-824-7799 (FAX 617-944-7273). Email orders over the Internet from bexpress@aw.com (no, they don't take plastic via Email). For those that are net-challenged, U.S. snailmail orders from Addison-Wesley, c/o Arlene Morgan, 1 Jacob Way, Reading, MA 01867 USA.

Rumors loom large that at least one of the authors (Ches?) will be at Interop with copious quantities of this work of art. As dues of superlative authorship that is destined to be popular, I hope they both get writer's cramp autographing!

Details

While worthwhile, well written, pace-setting, technically astute works of art are rare - this is certainly one of them. I am always hard pressed to identify any one thing as unique in its decade (especially when the decade is still in progress). Suffice it to say that this work is the most complete treatment of firewall technology and experience that is available. The availability of this work is exciting news for security firewall builders - including Internet security firewall builders - and for the great number of people that seem to be befuddled by the complexity and the general issues of interconnecting networks.

The book

While my review copy (well dog-eared, now) is a bit dated (March 7, 1994), I think you can expect that it is close to the book's final form: a standard (w=7.5in, h=9in) Addison-Wesley Professional Computing Series book like the ones that should already dot your shelves. (I don't get any money for my obvious favorable bias toward this series. My bias is born out of the fact that the series (Brian Kernighan is the consulting editor for it) contains great authors and titles like Radia Perlman's Interconnections - Bridges and Routers and Richard Stevens' TCP/IP Illustrated, Volume I - The Protocols.)

305 pages in 14 chapters, appendices, a bibliography, a list of "bombs" (security holes) and an index.

Out of the box, the authors set the tone for their work by quoting F.T. Grampp and R.H. Morris: "It is easy to run a secure computer system. You merely have to disconnect all dial-up connections and permit only direct-wired terminals, put the machine and the terminals in a shielded room, and post a guard at the door."

This is followed by a detailed discussion of the art and science of building a firewall. There is so much good stuff here that all I can do is list the book's contents - lest I write a tome which distracts you from picking up a copy of it ASAP.

Chapters and content - from the table of contents.

Getting started

Introduction
- Why security?
- Picking a security policy
- Strategies for a secure network
- The ethics of computer security
- Warning

Overview of TCP/IP
- The different layers
- Routers and routing protocols
- The Domain name service
- Standard services
- RPC-based protocols
- The "r" commands
- Information services
- The X-11 service
- Patterns of trust

Building your own firewall

Firewalls and gateways
- Firewall philosophy
- Situating firewalls
- Packet-filtering gateways
- Application-level gateways
- Circuit-level gateways
- Supporting inbound services
- Tunnels - good and bad
- Joint Ventures
- What firewalls can't do

How to build an application-level gateway
- Policy
- Hardware configuration options
- Initial installation
- Gateway tools
- Installing services
- Protecting the protectors
- Gateway administration
- Safety analysis - why our setup is secure and fail-safe
- Performance
- The TIS firewall toolkit
- Evaluating firewalls
- Living without a firewall

Authentication
- User authentication
- Host-to-host authentication

Gateway tools
- Proxylib
- Syslog
- Watching the network: Tcpdump and friends
- Adding logging to standard demons

Traps, lures and honey pots
- What to log
- Dummy accounts
- Tracing the connection

The hacker's workbench
- Introduction
- Discovery
- Probing hosts
- Connection tools
- Routing games
- Network monitors
- Metastasis
- Tiger teams
- Further reading

A look back

Classes of attacks
- Stealing passwords
- Social engineering
- Bugs and backdoors
- Authorization failures
- Protocol failures
- Information leakage
- Denial-of-service

An evening with Berferd
- Introduction
- Unfriendly acts
- An evening with Berferd
- The day after
- The jail
- Tracing Berferd
- Berferd comes home

Where the wild things are: a look at the logs
- A year of hacking
- Proxy use
- Attack sources
- Noise on the line

Odds and ends

Legal considerations
- Computer crime statutes
- Log files as evidence
- Is monitoring legal?
- Tort liability considerations

Secure communications over insecure networks
- An introduction to cryptography
- The Kerberos authentication system
- Link-level encryption
- Network- and transport-level encryption
- Application-level encryption

Where do we go from here?

Appendices

Useful free stuff
- Building firewalls
- Network management and monitoring tools
- Auditing packages
- Cryptographic software
- Information sources

TCP and UDP ports
- Fixed ports
- MBone usage

Recommendations to vendors
- Everyone
- Hosts
- Routers
- Protocols
- Firewalls

Bibliography
List of bombs
Index

I have criticisms, complaints and suggestions. However, considering that this is such a darn fine piece of work - I hasten to get my recommendation that you buy this book out ASAP. Meantime, to whet your appetite:

- Index - a well done, 26 pages worth - you can actually find pointers to what you want to know! What a concept.
- TCP ports discussion - a comprehensive list and reasonable advice on what to do with them.
- Bombs - a summarized list of the 43 major security holes that they identify.
- Bibliography - Ahhhh. 19 pages of the best firewalls-related bibliography that I've seen.
- Where to from here - excellent advice for techies and managers who don't want to keep working at the job of firewalling or who simply want to spend a bit of resources on it only once.

Kudos to the authors - buy this book.

Of course - these are my own views, and they don't necessarily reflect those of anyone - including my employer. However, in this case, they probably do.
----------
Ray Kaplan
CyberSAFE Corporation                rayk@ocsg.com
Formerly Open Computing Security Group (OCSG)
(206) 883-8721   FAX at (206) 883-6951
2443 152nd Ave NE, Redmond, WA 98052
Better living through authentication
---------

From firewalls-owner Thu May 5 10:46:14 1994
From: "Steve Moubray"
To: Firewalls@greatcircle.com
Date: Wed, 4 May 1994 11:11:58 CST6CDT
Subject: Resolving IP Addresses
Message-Id: <23A26091622@dor10.mdor.state.mn.us>

When trying to Anonymous FTP to some sites I get the response that my address can't be resolved. I have spoken with many of those responsible for the Internet connection and they seem to agree that we need to make some changes to our firewall so that the FTP sites can properly resolve our addresses. Is this nuts or do we have a problem with our DNS?

Thanks for any creative responses.

Steve Moubray
(612) 296-2991
e-mail: steve.moubray@state.mn.us
Minnesota Department of Revenue
10 River Park Plaza
St. Paul, MN 55107

From firewalls-owner Thu May 5 10:53:28 1994
From: Alan Millar
To: firewalls-owner, "Philip J. Zee"
Cc: firewalls
Subject: Re: What is a firewall
Date: Fri, 29 Apr 94 12:06:00 PDT
Message-Id: <2DC15AE3@MVIMAIL.MEDIAVIS.COM>

> > On April 28, Paul Boots wrote:
> >
> > >Problem is, I don't know what a firewall is!!!
> > >
> > >Would somebody care to tell me please, what is it,
> > >where can you get it, what do you pay for it etc...
> >
> > I am glad he asked this question. I am new here too. I kinda know what a
> > firewall is, but not sure on the true meaning of it. I believe that there
> > are more people like me or Paul on this mailing list would like to learn
> > the answers too.
> >
> > Philip
>

I hate to be the "RTFM" rain on the parade, but... Did you retrieve and read the FAQ and/or peruse the archives you were informed about when you joined the list? It has a good summary of many of the important terms and concepts. If you didn't read the message you got when you joined the list, send the command "info firewalls" to "majordomo@greatcircle.com" and read the reply.
- Alan

From firewalls-owner Thu May 5 11:03:24 1994
From: John Wack
To: firewalls@greatcircle.com
Subject: Mosaic/WWW Server Problems Summary
Date: Thu, 5 May 94 11:43:31 EDT
Message-Id: <199405051543.LAA14208@ariel.ncsl.nist.gov>

I am part of a group at NIST that will be part of a newly formed consortium of US Gov agencies and NCSA, in cooperation with NSF. I understand that at least one of the purposes of the consortium is to promote use of NCSA Mosaic within the gov, and possibly ensure the long-term viability of NCSA Mosaic. There is a meeting with NCSA and the US Gov agencies participating in this in mid-May.

We just had a meeting to discuss what we want to get out of this mid-May meeting. We are looking at it as an opportunity for access to the people developing the software and as an opportunity to influence the direction of the products - their server and the client. We're sending a group to the mid-May meeting to discuss security issues as well as other issues, such as possibly standardizing html.

I'd like to ask some help of the list: could people familiar with the security issues of Mosaic and WWW servers summarize their concerns so that we could take them with us? I follow this list fairly well; I have saved some postings about Mosaic but would appreciate it if people could summarize all the issues once more. We plan to ask NCSA to respond to a summary of the concerns, which I anticipate being able to forward/summarize to this list.
If Brent agrees, I will collect the responses and forward them to him for use as a mosaic/www topic file.

Sincerely,
John Wack
--
John P. Wack, Computer Scientist
National Institute of Standards and Technology
Technology A-216, Gaithersburg, Md. 20899
301-975-3411   301-948-0279 (Fax)   JWack@nist.gov
-------------------------------------------------------------
"Wack of all trades, master of none"
-------------------------------------------------------------
All statements made are my own and do not reflect NIST policy
-------------------------------------------------------------

From firewalls-owner Thu May 5 11:09:16 1994
From: lazear@dockside.mitre.org
To: Michael Endrizzi
Cc: snmpv2@tis.com, nms@netmgrs.co.uk, firewalls@greatcircle.com, lazear@dockside.mitre.org
Subject: Re: Network Management Proxies and Firewalls
In-Reply-To: Your message of "Mon, 02 May 94 11:28:47 CDT." <9405021628.AA22454@SCTC.COM>
Date: Tue, 03 May 94 08:33:22 -0400
Message-Id: <9405031233.AA24794@dockside.mitre.org.mitre.org>

A project I work on has a similar setup (pieces of an organization separately attached to the Internet).
There was enough autonomy that they did not want central management, so the net management "hole" in the firewall could at first be entirely closed, then opened when some management station from behind the firewall needed to get to the outer router, for example. In this restricted case (one router being accessed), you could use the TIS toolkit "plug" to wire SNMP from a management station to the router. We handle console-style interactions with a serial line from the router console to an inside host (and then use "tip" to access the router). Distances between components can prevent this simple setup.

The other approach is to devise the components so that they do not need "management". For example, static routing and a fixed configuration (access lists, addresses, etc.) means you don't need to fiddle with the router very often. Monitoring the number of bytes and packets is easily done with the "plug" mentioned above. For notification of outages, you could consider using the "plug" to let echoes go from your inside station to some host, say, on your Internet provider's network. This gives you basic connectivity info, but without trying to accommodate SNMP traps.

Firewalls can make you reexamine the "management" that *needs* to occur and how widespread your realm really is. You may find you don't need to monitor things like the NIC being up, when it's a pain to configure and justify through the firewall.
Walt

From firewalls-owner Thu May 5 11:13:24 1994
From: Michael Endrizzi
Reply-To: endrizzi@phantasm.sctc.com
To: snmpv2@tis.com, nms@netmgrs.co.uk, firewalls@GreatCircle.COM
Subject: NMSs and Firewalls
Date: Thu, 05 May 1994 06:21:15 -0500
Message-Id: <9405051121.AA10223@dreez.sctc.com>

I'm having a running debate with myself over where it makes most sense to place a network management station in a firewall architecture in the real world. Opinions are welcome....

dreez

A firewall can be made up of an IP filter in a router OR application-level filtering on a (say) Unix dual-homed gateway. The NMS can be on the internal net OR on the firewall if it is a workstation OR off of the firewall if it is an IP router/filter.
[Diagram: an NMS on the internal network and an NMS on/off the firewall; the firewall sits between the internal and public networks.]

NMS on internal network:
------------------------
Advantages:
1) Probably most common setup
2) NMS performs NMS functions and firewall performs firewall functions

Disadvantages:
1) Must program firewall to pass net management packets
2) NMS might need access to DNS for full functionality so firewall must pass DNS information
3) NMS traffic from public network might impact internal LAN performance
4) Public network now has access to internal agents
5) Misc. esoteric security risks like running protocols over net management traffic effectively bypassing firewall, trojan horses leaking internal information through NMS traffic, ...

NMS on/off of firewall:
-----------------------
Advantages:
1) Internal agents protected from public network
2) Easier to achieve global view because of ready access to internal and public DNS systems
3) Internal and public net management traffic is kept separate
4) Closes some security holes mentioned above

Disadvantages:
1) Mixed functionality/purpose of firewall
2) Firewall platform may not be robust enough to host NMS (e.g. firewall may be old/slow equipment with old OS, only firewall affordable is IP router)

From firewalls-owner Thu May 5 12:03:25 1994
From: Marcus J Ranum
To: firewalls@GreatCircle.COM, lacoursj@uprc.com
Subject: Re: mail handling
Date: Thu, 5 May 94 14:41:38 EDT
Message-Id: <9405051841.AA25653@tis.com>

>I would RATHER have the internal spooler send outgoing mail to the
>bastion host (smapd) and have the bastion host relay outgoing mail
>to our provider's mail hub. How can I configure the bastion host's
>sendmail to accomplish this selective forwarding??

Depends on your sendmail.cf, really. What you typically need to do is configure internal machines to send all mail that is *not* destined for somebox.*.your.organization to the firewall. The firewall, in turn, is configured to send all mail that *is* destined for *.your.organization to the "inside" normally. Then you may need to advertise MX records pointing to the firewall as a secondary for internal machines, or just an MX for your.organization, and have it resolve locally or forward all mail for *.your.organization or your.organization to some internal smart mailhub.

mjr.
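The split routing mjr describes, as an added example that is not from the post and is not sendmail.cf syntax: a small Python model of the next-hop decision on an inside machine and on the bastion, the MX records an outside sender would see, and the relay check the bastion needs so that it does not become an open relay (that check is an addition here, not something the post states). The host names mailhub.your.organization, bastion.your.organization and hub.provider.example and the zone data are constructed for the example.

```python
# Added example modelling the split mail routing described in the post.
# It is not from the post and is not sendmail.cf syntax; the host names
# and the zone data below are constructed for the example.

ORG = "your.organization"
INSIDE_HUB = "mailhub.your.organization"   # internal smart mailhub (assumed name)
BASTION = "bastion.your.organization"      # firewall running smap/smapd (assumed name)
PROVIDER_HUB = "hub.provider.example"      # provider's mail hub (assumed name)

# Constructed zone data: the MX records the organization advertises to the
# outside world.  Both the domain itself and an internal host point at the
# firewall, so outside senders never connect to inside machines directly.
MX_RECORDS = {
    "your.organization": [(10, BASTION)],
    "pc.your.organization": [(20, "pc.your.organization"), (10, BASTION)],
}


def in_org(domain: str) -> bool:
    """True for your.organization and any name below it.

    The leading dot is required so that a look-alike such as
    evilyour.organization is not treated as internal.
    """
    d = domain.lower().rstrip(".")
    return d == ORG or d.endswith("." + ORG)


def rcpt_domain(address: str) -> str:
    """Domain part of a user@host address."""
    return address.rsplit("@", 1)[1]


def best_mx(domain: str):
    """Lowest-preference MX for a domain in the constructed zone, or None."""
    records = MX_RECORDS.get(domain.lower().rstrip("."))
    if not records:
        return None
    return min(records)[1]


def next_hop(role: str, rcpt: str) -> str:
    """Host that a machine in the given role hands a message for rcpt to.

    'internal': an inside machine sends org mail to the inside hub and
                everything else to the firewall.
    'bastion':  the firewall sends org mail inside and everything else
                to the provider's hub.
    """
    dom = rcpt_domain(rcpt)
    if role == "internal":
        return INSIDE_HUB if in_org(dom) else BASTION
    if role == "bastion":
        return INSIDE_HUB if in_org(dom) else PROVIDER_HUB
    raise ValueError(f"unknown role {role!r}")


def bastion_accepts(peer_inside: bool, rcpt: str) -> bool:
    """Relay policy on the firewall (an assumption added in this example).

    Mail from the inside may go anywhere; mail arriving from the public
    network is accepted only for the organization.  Without this rule the
    bastion would forward outside-to-outside mail to the provider's hub,
    i.e. act as an open relay.
    """
    return peer_inside or in_org(rcpt_domain(rcpt))


def relay_path(origin: str, rcpt: str) -> list:
    """Ordered list of hosts a message for rcpt passes through.

    origin is 'internal' (sent from an inside machine) or 'internet'
    (an outside host connecting to the firewall, the only MX target the
    zone above publishes).
    """
    if origin == "internal":
        first = next_hop("internal", rcpt)
        if first == INSIDE_HUB:
            return [first]
        return [first, next_hop("bastion", rcpt)]
    if origin == "internet":
        if not bastion_accepts(False, rcpt):
            return [BASTION, "REJECTED"]       # open-relay attempt refused
        return [BASTION, next_hop("bastion", rcpt)]
    raise ValueError(f"unknown origin {origin!r}")


if __name__ == "__main__":
    for origin, rcpt in [("internal", "alice@pc.your.organization"),
                         ("internal", "bob@elsewhere.example"),
                         ("internet", "carol@your.organization"),
                         ("internet", "bob@elsewhere.example")]:
        print(f"{origin:8} -> {rcpt:28} via {' -> '.join(relay_path(origin, rcpt))}")
```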
From firewalls-owner Thu May 5 12:13:28 1994
From: Marcus J Ranum
To: 0003858921@mcimail.com, firewalls@GreatCircle.COM
Subject: Re: Number of processes for TIS TELNET proxy
Date: Thu, 5 May 94 14:49:56 EDT
Message-Id: <9405051849.AA26307@tis.com>

>How many processes are involved with TIS's toolkit TELNET proxy?
>
>One
>
>or
>
>One per connected user.
>
>Important question for planning for a VERY LARGE firewall...

One per connected user. It's a relatively "lightweight" process, however, since all it does is copy bytes.

>Oh, how much memory per connected user as well.

This is pretty architecture dependent. Make sure your firewall system is configured with a lot of file descriptors if you're running a VERY LARGE firewall. Note too that you can use multiple machines, just use some kind of DNS shuffling records to provide a virtual address for "tn-gw.your.organization". That's if you're really worried about performance.

My experience as an experimental computer scientist(*) would lead me to suggest that you profile your expected performance and be prepared to add hardware only when it looks like you need it. If, for example, you're connected via a T1 line, there's a pretty high likelihood that your traffic will tend to bottleneck at the T1 before it bottlenecks at the user processes running on the firewall machine. You may get some flogging due to context switching, etc, but just about any RISC machine out there nowadays can handle a full-bore T1 feed while it's picking its toes.

mjr.

(* experimental computer scientists prefer to bash on things and see if they break, rather than to worry about if things run in O(N) or whatever time) :)

From firewalls-owner Thu May 5 12:23:30 1994
From: "Rob Tanner"
To: firewalls@greatcircle.com
Subject: Re: Router advice needed
In-reply-to: Your message of Tue, 03 May 1994 10:48:49 -0400. <9405031448.AA10277@ici5.ici.com>
Date: Thu, 05 May 1994 11:48:42 -0700
Message-Id: <199405051848.LAA01275@george.arc.nasa.gov>

lafko@ici.com (David A. Lafko) writes:

>My company is in the process of connecting to the Internet through one
>of the commercial providers. We've contracted for a 9.6 Kbps metered
>service (at least initially). We will design and build a firewall
>prior to coming online. I just attended Brent's seminar on building a
>firewall and am now looking for some advice.

I attended one a couple of months ago. Great seminar and I can honestly recommend it to anybody.

>
>Now I need an internal router between my peripheral net and internal
>net. I have 2 registered Class C networks (1 for peripheral, 1 for
>internal).
>
>What router can you recommend to use for the internal router?
>
>I am considering 2 options now, but others will be considered.
>1) Telebit Netblazer ST with 2 ethernet cards
>   Pro: don't need to learn new filter specification language
>
>2) PC running BSDI with screend
>   Pro: better routing algorithms
>   Con: 1 more filter spec language to learn, more system
>        configuration
>
>I'm assuming that both 1 and 2 will cost about the same (~$3500).

I've got a MorningStar router coming in for evaluation. The unit is about $2K. It supposedly filters on source and destination IP address and source and destination ports, both of which are super important as far as I'm concerned. Also can filter based on inbound vs outbound, origin of session, source routing, etc. On paper the unit looks real good. You can pick up a copy of the user's manual via anonymous ftp to ftp.morningstar.com (I've forgotten the path).

If there's a general interest, I'll post my opinions after I've evaluated the unit. If anyone has suggestions for doing the evaluation, I'll be happy to give them a whirl.

-- Rob

Robert J. Tanner
Ames Research Center
(415) 604-3451 (SETI)
(415) 604-5347 (Kuiper)
tanner@george.arc.nasa.gov
____________________________________________________________________

From firewalls-owner Thu May 5 20:04:34 1994
From: tdn@tdn.xyplex.com (Thomas D. Nadeau)
To: KAPLAN@BPA.ARIZONA.EDU
Cc: Firewalls@GreatCircle.COM, KAPLAN@BPA.ARIZONA.EDU
In-Reply-To: <940503195239.20416f56@BPA.ARIZONA.EDU> (message from RayK on Tue, 3 May 1994 19:52:39 -0700 (MST))
Subject: Re: A useful book - for sure
Date: Thu, 5 May 94 16:02:59 EDT
Message-Id: <9405052002.AA07788@eng.xyplex.com>

>KAP> Re: Firewalls and Internet Security - Repelling the Wily Hacker.
>KAP> Ray Kaplan - May 2, 1994
>KAP> Buy this book
>KAP> Kudos to the authors - buy this book.

I agree. I too am a reviewer of the book and have read most of it to date. Not only is this book an excellent source of information about security, particularly about firewalls, but almost just as importantly, it is clearly written and understandable, something I have not found in a reference book for some time now.

--tOm

Thomas D. Nadeau
Internetworking Software
Xyplex, Inc.
295 Foster Street, Littleton, MA 01460
Voice: (508) 952-4837
FAX: (508) 952-4887
email: tdnadeau@eng.xyplex.com

From firewalls-owner Thu May 5 13:33:24 1994
From: johns@oxygen.house.gov (John Schnizlein)
To: firewalls@GreatCircle.COM, syj@ecmwf.co.uk
Subject: Re: Security aspects of Gopher, WAIS & WWW/Mosaic
Date: Thu, 5 May 1994 16:13:23 -0400
Message-Id: <9405052013.AA11332@oxygen.house.gov>

Yes. Please post a summary of what you get.

From firewalls-owner Thu May 5 21:18:27 1994
From: pjh70@eng.amdahl.com (Patrick J. Horgan)
To: SMOUBRAY@dor10.mdor.state.mn.us
Cc: firewalls@GreatCircle.com
Subject: Re: Resolving IP Addresses
Date: Thu, 5 May 94 14:18:28 PDT
Message-Id: <9405052118.AA16649@cliffy.eng.amdahl.com>

If the problem is only with some sites, then either it's not your site's DNS problem, or else your DNS server is flaky, responding sometimes, and not others.

Patrick

These opinions are mine, and not Amdahl's (except by coincidence;).

Patrick J. Horgan        Amdahl Corporation
pjh70@eng.amdahl.com     1250 East Arques Avenue
Phone : (408)992-2779    P.O. Box 3470 M/S 201
FAX   : (408)773-0833    Sunnyvale, CA 94088-3470
Have Sword Will Travel

From firewalls-owner Thu May 5 22:01:18 1994
From: cbenson@dpc.com (Chuck Benson)
To: firewalls@greatcircle.com
Subject: Re: Resolving IP Addresses
Date: Thu, 5 May 94 14:59:39 -0700
Message-Id: <9405052159.AA04095@boomer.local>

pjh70@eng.amdahl.com (Patrick J. Horgan) said:

  If the problem is only with some sites, then either it's not your site's
  DNS problem, or else your DNS server is flaky, responding sometimes, and
  not others.

I reply:

It may also mean that those sites are doing reverse lookups to see if the host you say you are from exists, or that the user you indicate that you are exists. If either of these checks (or some others) is made to a host with the DNS not set up right (according to the author of the check), you may get a problem indicated. Also, there are at least some sites that use finger or something else for their checks.

If you wish to name the sites in question, either here, or in private mail, it may be possible to identify the issue. It would also make sense to contact the NIC indicated contact for the site, if it is not one of the newer ones that the NIC has declined to list.

Chuck Benson

From firewalls-owner Thu May 5 15:03:32 1994
From: moose@svcdudes.com (Michael Rutman)
To: pjh70@eng.amdahl.com (Patrick J. Horgan)
Cc: firewalls@GreatCircle.COM
Subject: Re: Resolving IP Addresses
Date: Thu, 5 May 94 14:50:41 -0700
Message-Id: <9405052158.AA06551@svcdudes.com>

I believe the problem is a reverse lookup problem. Some ftp sites want to do a reverse lookup before allowing you to Anonymous ftp. This is a problem if you are trying to hide behind a firewall.
---
Michael Rutman     | moose@svcdudes.com
Cubist             | makes me a NeXT programmer
Software Ventures  | maker of MicroPhone Pro
#include           | really offensive political statement

Begin forwarded message:

Date: Thu, 5 May 94 14:18:28 PDT
From: pjh70@eng.amdahl.com (Patrick J. Horgan)
To: SMOUBRAY@dor10.mdor.state.mn.us
Subject: Re: Resolving IP Addresses
Cc: firewalls@GreatCircle.COM

If the problem is only with some sites, then either it's not your site's dns problem, or else your dns server is flakey, responding sometimes, and not others.

Patrick

These opinions are mine, and not Amdahl's (except by coincidence;).

From firewalls-owner Thu May 5 22:45:52 1994
From: Tim Lentz x3255
To: firewalls@greatcircle.com
Subject: List of proxy daemons
Date: Thu, 5 May 1994 16:45:42 -0600
Message-Id: <199405052245.AA20313@baloo>

I am getting ready to re-work my firewall. I have looked at both the toolkit from TIS and SOCKS. TIS has a bunch of daemons in the kit.
If there is a de facto list of daemons available for each please let me know.

My questions are:

1) Which is more likely to have proxies added?

2) What proxies are available for each? In particular we (like everyone else) want to be able to run Mosaic and X11 (at least have the ability to) through the firewall.

3) What is the consensus on which package to use for a new install? It looks like TIS is great but the concern is futures and new additions.

I'll summarize responses.

Thank You,
Tim Lentz
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tim A. Lentz, lentz@boulder.vni.com      Just a fool waiting on the wrong
Computer Networks                        block. Putting a little ZEP in
Visual Numerics, Inc. Boulder, Co        your step.

From firewalls-owner Fri May 6 00:59:46 1994
From: Michael Endrizzi
Reply-To: endrizzi@phantasm.sctc.com
To: Eliot Lear
Cc: "Robert G. Moskowitz" <0003858921@mcimail.com>, Eric Fleischman, brian, ipv4 ale, big internet, firewalls
Subject: Re: NATs
In-Reply-To: Your message of "Mon, 02 May 1994 15:04:31 PDT." <9405021504.ZM16049@yeager.corp.sgi.com>
Date: Thu, 05 May 1994 19:53:06 -0500
Message-Id: <9405060053.AA20294@dreez.sctc.com>

In message <9405021504.ZM16049@yeager.corp.sgi.com>, Eliot Lear writes:

>I think it's important to stress that network level security is in
>some sense orthogonal to application layer security. Used today,
>network layer security provides end to end privacy to the network
>code. It does you no good to have that privacy if the hosts on
>either end leak like sieves.
>

amen brother. Besides, if something is encrypted don't waste your time breaking the crypto but go after the keys. Keys are kept by application level programs protected by Unix permission bits.....wow. (According to Garfinkel and Spafford "Practical Unix Security" footnote page 282, this is a big problem with Kerberos)

dreez

From firewalls-owner Fri May 6 01:40:41 1994
From: Steve Kennedy
To: george.arc.nasa.gov!tanner@gbnet.org
Cc: greatcircle.com!firewalls@gbnet.org
Subject: Re: Router advice needed
In-Reply-To: <199405051848.LAA01275@george.arc.nasa.gov> from "Rob Tanner" at May 5, 94 11:48:42 am
Date: Fri, 6 May 1994 01:15:00 +0000 (GMT)
Message-Id: <28957.9405060115@marvin.gbnet.org>
X-Mailer: ELM [version 2.4 PL21]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1279
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Rob,

> I've got a MorningStar router coming in for evaluation. The unit is
> about $2K. It supposedly filters on source and destination IP address
> and source and destination ports, both of which are super important as
> far as I'm concerned. Also can filter based on inbound vs outbound,
> origin of session, source routing, etc. On paper the unit looks real
> good.
>

You could also try a KarlBrouter that does all that and other exciting things (?) like :-

encryption
tunnelling
bridging (if need be)
is fast
fully SNMP'able
authenticated break-out (or in)

look in nisca.acs.ohio-state.edu:/pub/kbridge for a demo version and docs.

Email sales@kalrnet.com or sales@gbnet.com for sales info.

Regards

Steve
--
 ___  |_  ___  ___         Tel: +44 (0)71 483 1169 Voice
(___  |  (___) \ / (___)   Data: 483 2454 WorldBlazer T3000 PEP+/v32bis...
 ___) |  (___   \/ (___    Data: 483 2455 WorldBlazer T3000 V32bis/PEP+...
                           ISDN: 722 7969/70
Email                                        Snail Mail
steve@gbnet.{org,com,net}  [home]            Steve Kennedy
steve@marvin.demon.co.uk   [DIS dialup internet]  Flat 2, 43 Howitt Rd
stevek@cellnet.co.uk       [work]            London, NW3 4LU

From firewalls-owner Fri May 6 07:50:54 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id HAA09703; Fri, 6 May 1994 07:50:54 GMT
Received: from post.demon.co.uk by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id AAA09697; Fri, 6 May 1994 00:50:45 -0700
Received: from demon.demon.co.uk by post.demon.co.uk id aa03284; 6 May 94 8:38 GMT-60:00
Received: from cellnet.uucp by demon.demon.co.uk id aa20634; 6 May 94 8:38 BST
Received: from demon with uucp; Fri, 6 May 94 06:25:29
Received: from post.demon.co.uk by demon.demon.co.uk id aa19968; 6 May 94 6:23 BST
Received: from george.arc.nasa.gov by post.demon.co.uk id aa14912; 6 May 94 6:23 GMT-60:00
Received: from localhost.arc.nasa.gov by george.arc.nasa.gov (8.6.8/1.35) id WAA12082; Thu, 5 May 1994 22:22:56 -0700
Message-Id: <199405060522.WAA12082@george.arc.nasa.gov>
To: steve@gbnet.org
Cc: firewalls@gbnet.org
Subject: Re: Router advice needed
In-Reply-To: Your message of Fri, 06 May 1994 01:15:00 -0000. <28957.9405060115@marvin.gbnet.org>
Date: Thu, 05 May 1994 22:22:54 -0700
From: Rob Tanner
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>Rob,
>
>> I've got a MorningStar router coming in for evaluation. The unit is
>> about $2K. It supposedly filters on source and destination IP address
>> and source and destination ports, both of which are super important as
>> far as I'm concerned. Also can filter based on inbound vs outbound,
>> origin of session, source routing, etc. On paper the unit looks real
>> good.
>>
>
>You could also try a KarlBrouter that does all that and other exciting
>things (?) like :-
>

Steve,

I've made several attempts to get hold of the KarlBridge folks but they haven't seen fit to return an email.
I need not only a good product, but dependable support behind it -- the networks are being relocated to Australia for an astronomical experiment and I can't afford problems. They may make a good product, but all the KarlBridge folks have done so far is to convince me that there is no dependable support behind it.

Apologies for the directness of my comments, but I've paid the price for that lesson too many times to risk learning it again no matter what the product looks like.

Thanks for your input.

-- Rob

From firewalls-owner Fri May 6 09:39:53 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA10354; Fri, 6 May 1994 09:39:53 GMT
Received: from london.micrognosis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id CAA10348; Fri, 6 May 1994 02:39:43 -0700
Received: by london.micrognosis.com (4.1/NAR-Gateway) id AA15788; Fri, 6 May 94 10:39:30 BST
Received: from zeus.london.micrognosis.com(192.83.165.17) by midas via smap (V1.0mjr) id sma015785; Fri May 6 10:39:18 1994
Received: from pmsls11 by zeus.london.micrognosis.com (4.1/SMI-4.1) id AA08671; Fri, 6 May 94 10:39:15 BST
From: imarr@london.micrognosis.com (Ian Marr)
Received: by pmsls11 (4.1//ident-1.0) id AA19107; Fri, 6 May 94 10:39:15 BST
Message-Id: <9405060939.AA19107@pmsls11>
Subject: Re: DNS record shuffling ...
To: mjr@tis.com (Marcus J Ranum)
Date: Fri, 6 May 1994 10:39:14 +0100 (BST)
Cc: 0003858921@mcimail.com, firewalls@GreatCircle.COM
In-Reply-To: <9405051849.AA26307@tis.com> from "Marcus J Ranum" at May 5, 94 02:49:56 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 493
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Marcus J Ranum writes:
>
> [...]. Note too that you can use multiple machines,
> just use some kind of DNS shuffling records to provide a virtual
> address for "tn-gw.your.organization"

Marcus, please could you expand on this statement ?

Ian.
------------------------------------------------------------------------------
Ian Marr, Systems Manager, Micrognosis, 63 Queen Victoria St, London, EC4N 4UD
imarr@london.micrognosis.com  +44-71-815-5254

From firewalls-owner Fri May 6 11:55:50 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id LAA10711; Fri, 6 May 1994 11:55:50 GMT
Received: from gate.demon.co.uk by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id EAA10705; Fri, 6 May 1994 04:55:42 -0700
Received: from roverpte.demon.co.uk by gate.demon.co.uk id aa10819; 6 May 94 12:52 GMT-60:00
Received: from gd10.rover.com by roverpte.demon.co.uk (5.65c) id AA01225; Fri, 6 May 1994 12:19:16 +0100
Received: by gd10.rover.com (5.65c) id AA03925; Fri, 6 May 1994 12:17:21 +0100
Message-Id: <199405061117.AA03925@gd10.rover.com>
To: firewalls@greatcircle.com
Subject: Configuring sendmail for firewall
Date: Fri, 06 May 94 12:17:20 +0100
From: Lyndon David
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Jeff LaCoursiere asks:
>I would RATHER have the internal spooler send outgoing mail to the
>bastion host (smapd) and have the bastion host relay outgoing mail
>to our provider's mail hub. How can I configure the bastion host's
>sendmail to accomplish this selective forwarding??

Our internal spooler has its configuration file hacked so that anything that is not local and does not have rover.com as the destination must be for the outside and so is punted direct to the firewall and has the originator's name changed so that it looks as if all mail to the outside world came from the firewall.

All details can be found in Sendmail: Bryan Costales and Eric Allman, published by O'Reilly.

If it helps, I can send the relevant part of the sendmail.cf, aw what the hell, here it is, our rulesets for our internal mail hub. The macro $H is defined as the name of the firewall forwarding mail to the outside.
S0
# Punt to hub with names changed looking like came from hub
# if the mail is not local
R$+@rover.com      $@ $#local$:$1
R$*                $#ether $@$R $:$1

S3
# local users made to look like they are from the hub
R$*<$*<$*>$*>$*    $3                     denest
R$*<$+>$*          $2                     basic RFC822 parsing
R$*<>$*            $n                     RFC1123 <>
R$-                $@ $1 @ $j             user => user@thishost

S10
R$+@$+             $: $1 @ $[$2$]         canonify the hostname
R$+@$+             $@ $1 @ $H             user@thishost => user@hub
R$+!$+             $@ $2 @ $H             thishost!user => user@hub
R$+%$+             $@ $>3 $1 @ $2         handle % hack thishost
R$*                $@ $1                  default, unchanged

Mether, P=[IPC], F=mDFMuCX, S=10, R=0, A=IPC $h
Mlocal, P=/bin/mail, F=rlsDFMmn, S=0, R=0, A=/bin/mail -d -r $f $u
Mprog, P=xxx, A=Required by sendmail but unused

The Firewall machine has its configuration file similarly hacked so that anything not destined for domain rover.com is sent to our service provider.

Hope this helps. This way the mail link at the Firewall is only at the application level and no holes for mail have to be opened.

Lyndon David.

From firewalls-owner Fri May 6 12:31:33 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA10906; Fri, 6 May 1994 12:31:33 GMT
Received: from mig.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id FAA10900; Fri, 6 May 1994 05:31:20 -0700
Received: from localhost by mig.com (4.3/MIG-8.6.5) id GAA18608; Fri, 6 May 1994 06:32:00 -0600
From: jpf@mig.com (Jack Flory)
Message-Id: <199405061232.GAA18608@mig.com>
Subject: Re: Router advice needed
To: firewalls@greatcircle.com
Date: Fri, 6 May 1994 06:31:58 -0600 (MDT)
In-Reply-To: <28957.9405060115@marvin.gbnet.org> from "Steve Kennedy" at May 6, 94 01:15:00 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1379
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>
>Rob,
>
>> I've got a MorningStar router coming in for evaluation. The unit is
>> about $2K.
>> It supposedly filters on source and destination IP address
>> and source and destination ports, both of which are super important as
>> far as I'm concerned. Also can filter based on inbound vs outbound,
>> origin of session, source routing, etc. On paper the unit looks real
>> good.
>>
>
>You could also try a KarlBrouter that does all that and other exciting
>things (?) like :-
>
>encryption
>tunnelling
>bridging (if need be)
>is fast
>fully SNMP'able
>authenticated break-out (or in)

Yes, Morningstar does all of this and then some...

>
>look in nisca.acs.ohio-state.edu:/pub/kbridge for a demo version and docs.
>
>Email sales@kalrnet.com or sales@gbnet.com for sales info.
>
>Regards
>
>Steve
>
>--
> ___  |_  ___  ___         Tel: +44 (0)71 483 1169 Voice
>(___  |  (___) \ / (___)   Data: 483 2454 WorldBlazer T3000 PEP+/v32bis...
> ___) |  (___   \/ (___    Data: 483 2455 WorldBlazer T3000 V32bis/PEP+...
>                           ISDN: 722 7969/70
>Email                                        Snail Mail
>steve@gbnet.{org,com,net}  [home]            Steve Kennedy
>steve@marvin.demon.co.uk   [DIS dialup internet]  Flat 2, 43 Howitt Rd
>stevek@cellnet.co.uk       [work]            London, NW3 4LU
>
>

From firewalls-owner Fri May 6 13:57:21 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA11238; Fri, 6 May 1994 13:57:21 GMT
Received: from relay1.UU.NET by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id GAA11232; Fri, 6 May 1994 06:57:14 -0700
Received: from sco.sco.COM by relay1.UU.NET with SMTP (5.61/UUNET-internet-primary) id AAwosl16854; Fri, 6 May 94 09:58:02 -0400
Received: from scocan.scocan.sco.COM by sco.sco.COM id aa27795; Wed, 6 May 70 7:03:10 PDT
Received: from roc.scocan.sco.COM by scocan.scocan.sco.COM id aa12531; 6 May 94 9:55 EDT
Subject: Re: Firewall Configuration - SCO
To: Jack Roth
Date: Fri, 6 May 1994 09:55:43 -0400 (EDT)
From: Larry Philps
Cc: rearl@cerf.net, firewalls@greatcircle.com
In-Reply-To: <9405031010.aa07833@world.picksys.com> from "Jack Roth" at May 3, 94 10:10:25 am
Organization: SCO
Canada, Inc.
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1139
Message-Id: <9405060955.aa02804@roc.scocan.sco.COM>
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> From: Jack Roth
> I'm trying to put together a firewall. We're using SCO 3.2v4.2 on a
> Dec 433ST. We're having trouble adding a second ethernet card. The cards
> and drivers we're using are:
>
> 3Com 3C503 as e3B0 using the 3Com 503 Ethernet driver, board 0 (to router)
> 3Com 3C509 as e3E0 using the 3Com Ethernet Link III driver, board 0 (to lab)
>
> Has anyone gotten these two boards to work in a SCO box?
> Has anyone gotten 2 ethernet boards to work in a SCO box, if so which boards
> and drivers are you using?

Multiple ethernet cards are definitely supported. I have several machines here with 4 cards in them at the moment (1 has cards from 4 different manufacturers). I personally have not used a 509 card, I would think it must be a configuration problem. Send me email directly with the symptoms, and I'll see if I can figure out what you did wrong.

Larry
---
Larry Philps                         Senior Software Engineer
larryp@sco.com                       SCO Canada, Inc., 130 Bloor St. West, 10th floor, Toronto, Ontario.
M5S 1N5  Phone: (416) 922-1937  Fax: (416) 922-2704

From firewalls-owner Fri May 6 14:36:32 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA11423; Fri, 6 May 1994 14:36:32 GMT
Received: from relay.hp.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id HAA11417; Fri, 6 May 1994 07:36:25 -0700
From: larryl@hpubvwa.nsr.hp.com
Received: from hpubvwa.nsr.hp.com by relay.hp.com with SMTP (1.37.109.8/15.5+ECS 3.3) id AA26532; Fri, 6 May 1994 07:37:13 -0700
Received: from hpbvlgl.nsr.hp.com by hpubvwa.nsr.hp.com with SMTP (1.37.109.4/15.5+IOS 3.20) id AA08324; Fri, 6 May 94 07:38:03 -0700
Message-Id: <9405061438.AA08324@hpubvwa.nsr.hp.com>
Received: by hpbvlgl.nsr.hp.com (1.38.193.4/16.2) id AA25912; Fri, 6 May 1994 07:35:23 -0700
Subject: help
To: firewalls-digest@greatcircle.com
Date: Fri, 6 May 94 7:35:22 PDT
Mailer: Elm [revision: 70.85]
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

help
index

--
Regards,
Larry Littlefield
voice: (206) 643-8804
voice mail: (206) 644-3344 then press 8804
FAX: (206) 643-8748
hpdesk: Larry Littlefield/ HP2410
uucp: hplabs!hpubvwa!larryl
domain: larryl@bellevue.hp.com
from hpdesk: 'larryl' / HPATC3/UM (larryl@bellevue.hp.com)
US Mail: Hewlett-Packard P.O. Box C-156 Bellevue Wa.
98009-0156

From firewalls-owner Fri May 6 14:56:33 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA11513; Fri, 6 May 1994 14:56:33 GMT
Received: from bedrock.cs.UMD.EDU by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id HAA11502; Fri, 6 May 1994 07:56:23 -0700
Received: from localhost by bedrock.cs.UMD.EDU (8.6.5/UMIACS-0.9/04-05-88) id KAA22531; Fri, 6 May 1994 10:57:00 -0400
Date: Fri, 6 May 1994 10:57:00 -0400
From: reh@cs.UMD.EDU (Richard Huddleston)
Message-Id: <199405061457.KAA22531@bedrock.cs.UMD.EDU>
To: firewalls@greatcircle.com
Subject: TIS portscan against a cisco
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I was using the TIS Toolkit's portscan the other day, within my employer's domain, just to verify general tightness, when it occurred to me to run it against an interface on my cisco 4000. I made sure that I ran it from an IP address that the cisco will ignore TELNET SYNs from. IP, RIP, Vines and IEEE bridging are enabled on the router, but only RIP and IP are active on the particular interface, with RIP neighbors defined. The IP subnet I ran the test from, however, is generally "trusted" by the router.

I expected the first three results, but the last five have made me curious. I'm hunting it down now, but thought it an interesting enough result to bring to general attention in the meantime. The only other routers that I can test against are Wellfleets and a Morning Star Express; haven't done it yet, though. I can apparently make a TCP connection on those numbered ports.

Things that make you go "hmmmm"... although it's probably something trivial -- which I'll discover only minutes after sending this message out ;).
echo
discard
finger
1993
2006
4006
6006
9006

Richard

From firewalls-owner Fri May 6 15:12:06 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA11699; Fri, 6 May 1994 15:12:06 GMT
Received: from Sun.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id IAA11693; Fri, 6 May 1994 08:11:58 -0700
Received: from East.Sun.COM (east.East.Sun.COM) by Sun.COM (sun-barr.Sun.COM) id AA19099; Fri, 6 May 94 08:12:48 PDT
Received: from suneast.East.Sun.COM by East.Sun.COM (4.1/SMI-4.1) id AA08603; Fri, 6 May 94 11:12:46 EDT
Received: from cameron.East.Sun.COM by suneast.East.Sun.COM (4.1/SMI-4.1) id AA00772; Fri, 6 May 94 11:13:39 EDT
Received: by cameron.East.Sun.COM (5.0/SMI-SVR4) id AA06382; Fri, 6 May 1994 11:10:50 +0500
Date: Fri, 6 May 1994 11:10:50 +0500
From: ken@cameron.East.Sun.COM (Ken Harford - Network Architecture Consultant)
Message-Id: <9405061510.AA06382@cameron.East.Sun.COM>
To: firewalls@GreatCircle.COM
Subject: Password Aging
X-Sun-Charset: US-ASCII
Content-Length: 734
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hi All,

Does anyone have any experience with password aging using NIS???? Are there any password aging apps out there that are compatible with NIS??? We have tried ARM and it's a no go!!!! And I don't believe the standard SunOS password aging works with NIS.

Helppppppppppppppppppppppppppp!!!!!!!!!!!!!!!

Ken

Ken Harford
SunNetworks, Inc.
Sun Microsystems Inc.
2 Elizabeth Drive
Chelmsford MA 01824
ken.harford@East.Sun.COM
508-250-5527 (Fax)

Is It All Right To Come Up???
From firewalls-owner Fri May 6 15:25:58 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA11832; Fri, 6 May 1994 15:25:58 GMT
Received: from cs.columbia.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id IAA11825; Fri, 6 May 1994 08:25:43 -0700
Received: from pizza.cs.columbia.edu (pizza.cs.columbia.edu [128.59.26.43]) by cs.columbia.edu (8.6.8/8.6.6) with ESMTP id LAA20513 for ; Fri, 6 May 1994 11:26:18 -0400
Received: from localhost (jtt@localhost) by pizza.cs.columbia.edu (8.6.8/8.6.6) with SMTP id LAA12664 for ; Fri, 6 May 1994 11:26:17 -0400
Message-Id: <199405061526.LAA12664@pizza.cs.columbia.edu>
to: firewalls@greatcircle.com
reply-to: jtt@cs.columbia.edu
followup-to: comp.mail.sendmail
Subject: Re: Configuring sendmail for firewall
In-reply-to: Your message of "Fri, 06 May 1994 12:17:20 BST." <199405061117.AA03925@gd10.rover.com>
Date: Fri, 06 May 1994 11:26:16 -0400
From: James Tanis
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

In message <199405061117.AA03925@gd10.rover.com>, Lyndon David avows:
%--- Begin Cite ---%
> Jeff LaCoursiere asks:
>
> If it helps, I can send the relevant part of the sendmail.cf, aw what the
> hell, here it is, our rulesets for our internal mail hub. the macro
> $H is defined as the name of the firewall forwarding mail to the outside.
>
>
> S0 # Punt to hub with names changed looking like came from hub
> # if the mail is not local
>
>
> R$+@rover.com      $@ $#local$:$1
>
> R$*                $#ether $@$R $:$1
>
> S3 # local users made to look like they are from the hub
> R$*<$*<$*>$*>$*    $3                     denest
> R$*<$+>$*          $2                     basic RFC822 parsing
> R$*<>$*            $n                     RFC1123 <>
> R$-                $@ $1 @ $j             user => user@thishost

Just a word of warning about modifying ruleset 3. Though I'm certain that this works for Mr. David, changing ruleset 3 is slightly dangerous and should be carefully considered.
Any change there will be reflected into *all* addresses which can cause very peculiar errors which may take the non-guru some time to debug. Sendmail comes with a rich set of post-canonicalization rulesets. As much as possible, rewriting should be taken care of there.

And since I have just taken this thread *completely* out of the firewalls arena, I'd ask that any further questions get posted as a new thread in another group (comp.mail.sendmail seems reasonable).

>
%--- End Cite ---%

Cheers,
/jtt

From firewalls-owner Fri May 6 16:23:42 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA12159; Fri, 6 May 1994 16:23:42 GMT
Received: from jpmorgan by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA12153; Fri, 6 May 1994 09:23:36 -0700
From: yerkes_chuck@jpmorgan.com
Received: by jpmorgan (8.6.4/fma-120691.2); id MAA00813; Fri, 6 May 1994 12:24:18 -0400
Received: by tcpg01a.ny.jpmorgan.com (8.6.4/fma-120691); id MAA09041; Fri, 6 May 1994 12:24:18 -0400
Received: from delacroix.lsi.ny.jpmorgan.com by athena1.lsi.ny.jpmorgan.com with SMTP id MAA03987; Fri, 6 May 1994 12:24:17 -0400
Received: by delacroix.lsi.ny.jpmorgan.com (4.1/4.7) id AA28936; Fri, 6 May 94 12:24:15 EDT
Date: Fri, 6 May 94 12:24:15 EDT
Message-Id: <9405061624.AA28936@delacroix.lsi.ny.jpmorgan.com>
To: pjh70@eng.amdahl.com, moose@svcdudes.com
Subject: Re: Resolving IP Addresses
Cc: firewalls@GreatCircle.COM
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Actually if you use a proxy server, the reverse lookup is for the PROXY server, whose IP address SHOULD be available.

chuck yerkes
sr consultant OpenVision
---------------------
I have no opinions.
---------------------

>>
>
> I believe the problem is a reverse lookup problem. Some ftp sites want to do a
> reverse lookup before allowing you to Anonymous ftp. This is a problem if you are
> trying to hide behind a firewall.
>
> ---
> Michael Rutman       | moose@svcdudes.com
> Cubist               | makes me a NeXT programmer
> Software Ventures    | maker of MicroPhone Pro

From firewalls-owner Fri May 6 10:03:32 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA12330; Fri, 6 May 1994 16:51:33 GMT
Received: from ax.ibase.br by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA12324; Fri, 6 May 1994 09:51:22 -0700
Received: by ax.ibase.br (8.6.8.1/Revision: 1.10 ) id NAA11668; Fri, 6 May 1994 13:49:52 -0300
From: Fernando Cabral
To: tanner@george.arc.nasa.gov, firewalls@greatcircle.com
Subject: Re: Router advice needed -- Me too
X-Mailer: ScoMail 1.0
Date: Fri, 6 May 1994 10:22:30 +0100 (BST)
Message-ID: <9405061022.aa13864@boemia.pix.com.br>
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hi Tanner

=> You can pickup a copy of the user's manual via anonymous ftp to
=> ftp.morningstar.com (I've forgotten the path).
=>
=> If there's a general interest, I'll post my opinions after I've
=> evaluated the unit. If anyone has suggestions for doing the
=> evaluation, I'll be happy to give them a whirl.

I wonder if you could compress and uuencode and send me a copy of that manual. Also, I am interested in your evaluation.
- fernando

Fernando Cabral                  fcabral@ibase.br
PADRAO iX Sistemas Abertos       voice: +55 61 274-6092
                                 fax:   +55 61 274-5302
                                 Modem: +55 61 273-5559

From firewalls-owner Fri May 6 10:13:32 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA12322; Fri, 6 May 1994 16:50:44 GMT
Received: from jpmorgan by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA12316; Fri, 6 May 1994 09:50:34 -0700
From: yerkes_chuck@jpmorgan.com
Received: by jpmorgan (8.6.4/fma-120691.2); id MAA01482; Fri, 6 May 1994 12:50:08 -0400
Received: by tcpg01a.ny.jpmorgan.com (8.6.4/fma-120691); id MAA09469; Fri, 6 May 1994 12:50:08 -0400
Received: from delacroix.lsi.ny.jpmorgan.com by athena1.lsi.ny.jpmorgan.com with SMTP id MAA04326; Fri, 6 May 1994 12:50:07 -0400
Received: by delacroix.lsi.ny.jpmorgan.com (4.1/4.7) id AA28991; Fri, 6 May 94 12:50:06 EDT
Date: Fri, 6 May 94 12:50:06 EDT
Message-Id: <9405061650.AA28991@delacroix.lsi.ny.jpmorgan.com>
To: firewalls@GreatCircle.COM, ken@cameron.East.Sun.COM
Subject: Re: Password Aging
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

It IS reassuring to see that Sun can't get Sun support better than anyone else.

No, I have never found a password aging thing with NIS. The trick I've used is to have a program nightly look at the SOURCE map and store the information/user with the date. (using perl)

Do a dbm lookup against USER to get PASSWORD (encrypted). If it's different, run CRACK on it and store it and note the date (a separate DBM map). After an aging time, send mail to the user, after a period (three weekdays) change it to "EXPIRED" and rebuild NIS.

It's weak in that until this job is run, the password could be "password" and be vulnerable. But it's better than nothing.

If you want to send us source for YPPASSWD, I'll be happy to improve it ;)

chuck yerkes
Sr Consultant, OpenVision Technologies.

>
>
> Hi All,
>
> Does anyone have any experience with password aging using NIS????
> Are there any password aging apps out there that are compatible with NIS??? We have
> tried ARM and it's a no go!!!! And I don't believe the standard SunOS password
> aging works with NIS.
>
> Helppppppppppppppppppppppppppp!!!!!!!!!!!!!!!
>
>
> Ken

From firewalls-owner Fri May 6 18:58:34 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id SAA12842; Fri, 6 May 1994 18:58:34 GMT
Received: from tadpole by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id LAA12836; Fri, 6 May 1994 11:58:27 -0700
Received: from ribit.tadpole.com by tadpole (4.1/SMI-4.1-jim) id AA04909; Fri, 6 May 94 13:58:41 CDT
Date: Fri, 6 May 94 13:58:41 CDT
From: jim@Tadpole.COM (Jim Thompson)
Message-Id: <9405061858.AA04909@tadpole>
To: firewalls@GreatCircle.COM, ken@cameron.East.Sun.COM
Subject: Re: Password Aging
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

No, it doesn't work. As a matter of fact, I'm trying to fix it (for local use only) as I type. (Stayed up all last night, sigh.)

This isn't really a firewalls subject anyway.
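The nightly job Chuck Yerkes sketches in his reply above (store each user's encrypted password with the date it was first seen, restart the clock when it changes, warn after an aging period, then overwrite the field with "EXPIRED" three weekdays later and rebuild the map) can be written down as a small state machine. What follows is an added example in Python, not code from his post, from Sun or from the list; it assumes the NIS source map has already been read into a dict (constructed here), keeps the per-user history in a dict rather than his DBM file, takes 60 days as the warning age (he gives no number), and leaves out the mail sending and the Crack run.

```python
"""Nightly NIS password-aging pass modelled on the scheme in the post above.

Added example (assumptions: map and history are dicts, warning age 60 days,
no mail/Crack step). "EXPIRED" is not a valid crypt() hash, so once it is
pushed into the map no password can match it and the user must go through
the administrator to get back in; that is the lock the post relies on.
"""
from datetime import date, timedelta

WARN_AFTER_DAYS = 60      # assumed: age at which the user is warned
GRACE_WEEKDAYS = 3        # "after a period (three weekdays) change it"
EXPIRED = "EXPIRED"       # never matches crypt() output


def parse_day(text):
    """'YYYY-MM-DD' -> date (convenience for callers)."""
    return date.fromisoformat(text)


def add_weekdays(start, n):
    """Date n weekdays (Mon-Fri) after start; weekend days do not count."""
    day = start
    while n > 0:
        day += timedelta(days=1)
        if day.weekday() < 5:
            n -= 1
    return day


def age_passwords(passwd_map, state, today):
    """One nightly run.

    passwd_map: {user: encrypted password} as read from the NIS source map.
    state:      {user: {"hash": str, "since": date, "warned": date or None}}
                carried over from the previous run.
    Returns (new_state, users_to_warn, users_expired, rebuilt_map); the
    rebuilt map is what would be pushed back into NIS.
    """
    new_state = {}
    to_warn, expired = [], []
    rebuilt = dict(passwd_map)
    for user, pw in passwd_map.items():
        prev = state.get(user)
        if prev is None or prev["hash"] != pw:
            # New user, or the password changed since last night:
            # record the new hash and start the clock today.
            new_state[user] = {"hash": pw, "since": today, "warned": None}
            continue
        entry = dict(prev)
        age_days = (today - entry["since"]).days
        if entry["warned"] is None:
            if age_days >= WARN_AFTER_DAYS:
                entry["warned"] = today
                to_warn.append(user)
        elif today >= add_weekdays(entry["warned"], GRACE_WEEKDAYS) and pw != EXPIRED:
            # Grace period over and still the same password: lock it.
            expired.append(user)
            rebuilt[user] = EXPIRED
            entry["hash"] = EXPIRED
        new_state[user] = entry
    return new_state, to_warn, expired, rebuilt


if __name__ == "__main__":
    # Constructed sample map; the hashes are placeholders, not real crypt output.
    passwd = {"alice": "$1$placeholder$aaaa", "bob": "$1$placeholder$bbbb"}
    state = {}
    for day in ("2024-01-01", "2024-03-04", "2024-03-07"):
        state, warn, gone, passwd = age_passwords(passwd, state, parse_day(day))
        print(day, "warn:", warn, "expired:", gone)
```

The weakness he names stays: a password set during the day is only recorded when the job next runs, so the scheme bounds how long a weak password lives rather than preventing it, and it only ever sees a change because the stored hash differs from tonight's, which is also why a user who changes a password and then changes it back gets a fresh clock.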
Jim

From firewalls-owner Fri May 6 19:02:45 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA12884; Fri, 6 May 1994 19:02:45 GMT
Received: from Sun.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA12878; Fri, 6 May 1994 12:02:39 -0700
Received: from East.Sun.COM (east.East.Sun.COM) by Sun.COM (sun-barr.Sun.COM) id AA10172; Fri, 6 May 94 12:03:26 PDT
Received: from suneast.East.Sun.COM by East.Sun.COM (4.1/SMI-4.1) id AA03209; Fri, 6 May 94 15:02:42 EDT
Received: from cameron.East.Sun.COM by suneast.East.Sun.COM (4.1/SMI-4.1) id AA07597; Fri, 6 May 94 15:03:35 EDT
Received: by cameron.East.Sun.COM (5.0/SMI-SVR4) id AA06678; Fri, 6 May 1994 15:00:46 +0500
Date: Fri, 6 May 1994 15:00:46 +0500
From: ken@cameron.East.Sun.COM (Ken Harford - Network Architecture Consultant)
Message-Id: <9405061900.AA06678@cameron.East.Sun.COM>
To: firewalls@GreatCircle.COM
Subject: Password Aging Addendum
X-Sun-Charset: US-ASCII
Content-Length: 296
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hi All Again,

I have gotten several messages replied back to me suggesting that I need to contact my internal support for help. The reason for my e-mail was for help in finding other password aging apps.

That will teach me to hit the wrong alias button!!!!

Sorry for the confusion!!!!!
Ken

From firewalls-owner Fri May 6 19:06:36 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA12907; Fri, 6 May 1994 19:06:36 GMT
Received: from lobby2b.ti.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA12901; Fri, 6 May 1994 12:06:30 -0700
Received: from itg.ti.com by lobby2b.ti.com with SMTP (8.6.8.1/LAI-3.2) id OAA10670; Fri, 6 May 1994 14:04:36 -0500
Received: from u386.itg.ti.com by itg.ti.com (4.1/ITG-1.1) id AA08740; Fri, 6 May 94 14:06:17 CDT
From: Larry Soucek
To: Firewalls@greatcircle.com
Subject: Change Mailing Address
X-Mailer: ScoMail 1.0
Date: Fri, 6 May 1994 15:06:13 -0500 (CDT)
Message-Id: <9405061506.aa10069@u386.itg.ti.com>
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Thanks for sending the Firewalls Digest. Would you please change my address from lbs@u386.itg.ti.com to lbsou@lobby.ti.com.

Regards,
Larry

From firewalls-owner Fri May 6 22:49:29 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id WAA14037; Fri, 6 May 1994 22:49:29 GMT
Received: from rand.org by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA14031; Fri, 6 May 1994 15:49:21 -0700
Received: from moose.rand.org by rand.org with SMTP id AA04264 (5.67a/IDA-1.5 for firewalls@greatcircle.com); Fri, 6 May 1994 15:50:04 -0700
Received: from gruagach.rand.org.rcc by moose.rand.org; Fri, 6 May 94 15:50:03 PDT
Received: by gruagach.rand.org.rcc (5.0/SMI-SVR4) id AA22101; Fri, 6 May 1994 15:50:02 +0800
Message-Id: <9405062250.AA22101@gruagach.rand.org.rcc>
To: firewalls@greatcircle.com
Subject: MBONE and SGI
Date: Fri, 06 May 1994 15:50:02 -0700
From: Robert Schwartzkopf
Content-Length: 861
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

We're considering opening a tunnel through our firewall for MBONE, which uses encapsulated IP to move multicasts over nonmulticast networks.
We'd like to use an SGI machine as our tunnel endpoint, and the question arises what security holes are we opening up.

Some time ago Shawn Instenes sent a message to the firewalls list addressing MBONE through firewalls, and explained that at least the Sun implementation to support encapsulated IP dropped any non-multicast encapsulated packets. Unfortunately there doesn't seem to be source available for the SGI implementation, so I can't verify if it works similarly.

Does anyone know how SGIs handle encapsulated IP? If they do accept non-multicast encapsulated IP, can I at least prevent it from forwarding it to other hosts on my network by turning off ipforwarding?

Thanks,

Bob Schwartzkopf
bobs@rand.org

From firewalls-owner Sat May 7 03:43:40 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA17772; Sat, 7 May 1994 10:33:13 GMT
Received: from enuucp.eas.asu.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id DAA17766; Sat, 7 May 1994 03:32:51 -0700
Received: from titan.UUCP by enuucp.eas.asu.edu with UUCP id AA17496 (5.65c/IDA-1.4.4 for greatcircle.com!firewalls); Sat, 7 May 1994 03:40:40 -0700
Received: from localhost by titan with SMTP id <15633>; Fri, 6 May 1994 12:08:52 -0700
To: firewalls@greatcircle.com
Subject: MTA's used on firewalls
Date: Fri, 6 May 1994 12:12:23 -0700
From: Gustavo Vegas
Message-Id: <94May6.120852mst.15633@titan>
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hello,

It appears to me that most people that are running some sort of E-mail through a firewall are running sendmail as the MTA. I was wondering if anyone is running other freely distributable MTAs like MMDFII or one of the commercial ones, like Zmail. I would like to read about experiences and setup. I would believe that there are concerns about using sendmail, since it has had so many security holes discovered.
I am sorry if this info is in some kind of FAQ compilation, I have not found any references to this topic so far.

Thanks,
--------
===========================================+===========================
Gustavo Vegas                              titan!gustavo@enuucp.eas.asu.edu
CAD Systems Administrator                  Microchip Technology Inc.
                                           Chandler, Arizona
===========================================+===========================

From firewalls-owner Sat May 7 20:16:11 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA19706; Sat, 7 May 1994 20:16:11 GMT
Received: from mycroft.GreatCircle.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA19697; Sat, 7 May 1994 13:16:05 -0700
Message-Id: <199405072016.NAA19697@mycroft.GreatCircle.COM>
To: Geoff Mulligan
cc: Stephen.L.Arnold@Arnold.Com, Firewalls@GreatCircle.COM
Subject: Re: Screend ports (other than ULTRIX and BSD/386)?
In-reply-to: Your message of Tue, 03 May 94 08:34:10 PDT
Date: Sat, 07 May 1994 13:16:03 -0700
From: Brent Chapman
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Geoff Mulligan writes:

# Is there a reason that you must run screend and not an alternative that
# provides equal functionality without the overhead of screend's context
# switches from kernel to user space.

Such as? And what difference does it make anyway, since screend on a 486 is fast enough to keep up with a T1 line? I mean, yeah, there's the architectural purity point of "oh, yuck, you mean it has to dip down into user space for every packet?", but as long as it's fast _enough_, who cares?
-Brent -- Brent Chapman | Great Circle Associates | Call or email for info about Brent@GreatCircle.COM | 1057 West Dana Street | upcoming Internet Security +1 415 962 0841 | Mountain View, CA 94041 | Firewalls Tutorial dates From firewalls-owner Sun May 8 00:18:06 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id AAA21743; Sun, 8 May 1994 00:18:06 GMT Received: from grendel.lut.fi by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA21733; Sat, 7 May 1994 17:17:36 -0700 Received: (from news@localhost) by grendel.lut.fi (8.6.9/8.6.9/1.20.kim) with netnews id DAA21178 for firewalls@greatcircle.com; Sun, 8 May 1994 03:15:05 +0300 To: firewalls@greatcircle.com Date: Sun, 8 May 1994 00:06:16 GMT From: Kimmo.Suominen@lut.fi (Kimmo Suominen) Message-ID: Organization: Lappeenranta University of Technology, Finland Subject: Cisco access list examples wanted Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Hi! The number of cracking attempts at LUT has gone up this spring, and we are finally tired enough of them to install a firewall at our Cisco routers. We (I?) have already thought of which services to let through and which will be only allowed to a gateway host and which ones will be totally blocked. Now I would like to see examples on how you have implemented the needed access lists on your Cisco. What might be problematic here is that we cannot just block traffic on our Internet connection, because we share the router with another organization (or perhaps we can, if they want to be behind a firewall as well - but even then we need a firewall between the two organizations). There's also a limited traffic Internet connection coming to our second cisco some time in the future. 
Here's a picture: LUT/IEM LUT/LNET PTT/Internet | | | +-+---+-+ +---+---+ Internet --+ | LUT Campus | | | Cisco +-------+--------+ Cisco +-- LUT/IT:CS-Lab SCP --+ | | | | +-+---+-+ +--+--+ +---+---+ | | | HUB | | LUT/AD LUT/PC +++++++ LUT/IT:DC-Lab ||||| ||+- LUT/CC |+-- cc.lut.fi +--- lut.fi (service gateway) Obviously we want everything flowing between the LUT nets, but we want a firewall against Internet, SCP and PTT. We must not block the Internet traffic of SCP, but we must block PTT from non-LUT networks. I'm not sure if SCP will be allowed to use the PTT/Internet connection, but I guess that is a routing problem more than a firewall problem. For this to work, I would figure we need to install access lists on three interfaces: 1) Internet 2) SCP 3) PTT/Internet Is this correctly assumed and also possible with a Cisco? We have quite a recent version of the OS running on the Ciscos (we use OSPF routing and needed to upgrade for that). I believe there were some problems in this approach with the earlier versions. So if anyone has done something similar with Ciscos, I'd really like to see examples on the access lists. I've only worked with Wellfleet routers before, and our Cisco manuals aren't actually up-to-date with the OS version. If there is interest, I could summarize once this is done. I would not be showing the examples you send me, but rather the configuration we will come up with. Any suggestions, comments and notes - even flames - are greatly appreciated. Cheers + Kim -- ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ( Kimmo Suominen ! Internet: Kimmo.Suominen@lut.fi ) ( "That's what ! Bitnet: KIM@FINFILES // Funet: LUOTI::KIM ) ( I think" ! 
Lappeenranta University of Technology ** Finland ) ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' From firewalls-owner Sun May 8 02:25:03 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id CAA22128; Sun, 8 May 1994 02:25:03 GMT Received: from sunforest.mantis.co.uk by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA22120; Sat, 7 May 1994 19:24:52 -0700 Received: from aleph-1 by sunforest.mantis.co.uk with uucp (Smail3.1.28.1 #5) id m0pzyYj-001JHFC; Sun, 8 May 94 03:25 BST Received: by aleph1.co.uk (5.51/Am23) id AA24020; Sun, 8 May 94 02:51:01 +0100 Received: by zebedee.aleph1.co.uk (5.51/Am23) id AA07557; Sun, 8 May 94 02:03:37 +0100 Received: by aleph1.co.uk (ReadNews 0.24); Sun, 8 May 1994 02:06:12 GMT Date: Sun, 8 May 1994 02:06:08 GMT From: torq@aleph1.co.uk (Andy Mell) To: Firewalls@GreatCircle.COM Subject: IMAP and a firewall Message-Id: <7DG5Ggj024n@aleph1.co.uk> References: <199405070800.BAA17118@mycroft.GreatCircle.COM> Reply-To: torq@aleph1.co.uk Organization: Home, Cambridge, UK. Lines: 37 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk I've got a problem. (What else) At my site we have a mail hub which serves IMAP to all local clients, this is on the main campus network. Now, my network has about 40 machines (not unix or dos), and a firewall box sits between the local network and the campus network. I have been told that I am not permitted to run sendmail on the firewall box and that this is site policy - restricting incoming mail delivery to main mail hub servers only. Is there any way I can get IMAP clients on my network to get mail to and from the mail hub IMAP server through the firewall? given that there is only one real IP address available, and that is used for the firewall box. I have thought of three possible solutions. 
An IMAP server on the firewall which serves my network, then run the imapmove program which copies the inbox on the mail hub if there's anything in it to the firewall at regular intervals using cron. A two-stage process, and a little nasty. The second solution is for people to telnet to the firewall and then run pine there. I'd rather not, as my IMAP client program (!feMail) is streets ahead of pine. The other is some way of getting IMAP clients on my network to connect to the mail hub through the firewall - presenting a single IP address to the mail hub but the clients are binaries and I cannot recompile them. Appreciate any comments or any other ideas people might have? Andy -- E-mail: torq@aleph1.co.uk From firewalls-owner Sun May 8 04:27:56 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id EAA22528; Sun, 8 May 1994 04:27:56 GMT Received: from gatekeeper.mcimail.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA22522; Sat, 7 May 1994 21:27:48 -0700 Received: by gatekeeper.mcimail.com (5.65/fma-120691); id AA06916; Sat, 7 May 94 23:29:30 -0500 Received: from mcimail.com by MCIGATEWAY.MCIMail.com id ar00425; 8 May 94 4:19 GMT Date: Sat, 7 May 94 21:53 EST From: "Robert G. Moskowitz" <0003858921@mcimail.com> To: Firewalls Subject: MBONE and Firewalls... Message-Id: <71940508025317/0003858921NA1EM@mcimail.com> Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Someone recently stated that to get MBONE access for their network, they had to route internal packets directly out to the MBONE. Can someone here tell me if the only way to support MBONE access is through some type of packet filtering, or is there a way to application gateway so the internal structure is masked? 
Bob Moskowitz Chrysler Corp From firewalls-owner Sun May 8 15:18:15 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA24891; Sun, 8 May 1994 15:18:15 GMT Received: from Sun.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id IAA24885; Sun, 8 May 1994 08:18:08 -0700 Received: from Eng.Sun.COM (zigzag.Eng.Sun.COM) by Sun.COM (sun-barr.Sun.COM) id AA17740; Sun, 8 May 94 08:18:23 PDT Received: from jurassic.Eng.Sun.COM (camilla) by Eng.Sun.COM (4.1/SMI-4.1) id AA21259; Sun, 8 May 94 08:17:32 PDT Received: from localhost by jurassic.Eng.Sun.COM (5.x/SMI-SVR4) id AA13110; Sun, 8 May 1994 08:18:18 -0700 Message-Id: <9405081518.AA13110@jurassic.Eng.Sun.COM> To: Brent Chapman Cc: Geoff Mulligan , Stephen.L.Arnold@Arnold.Com, Firewalls@GreatCircle.COM Subject: Re: Screend ports (other than ULTRIX and BSD/386)? In-Reply-To: Your message of "Sat, 07 May 94 13:16:03 PDT." <199405072016.NAA19697@mycroft.GreatCircle.COM> Date: Sun, 08 May 94 08:18:18 PDT From: Geoff Mulligan Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk First not all Internet connections are T1; some folks have faster lines. Second, not all firewalls are built between the Internet and an internal network; firewalls can and are being used to separate internal networks. Is screend running on a 486 "fast enough" to keep up at ethernet speed? How about faster than a T1? 
geoff From firewalls-owner Sun May 8 15:49:28 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA24965; Sun, 8 May 1994 15:49:28 GMT Received: from relay.tis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id IAA24959; Sun, 8 May 1994 08:49:20 -0700 Received: by relay.tis.com id AA02189; Sun, 8 May 94 11:50:15 EDT Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3mjr) id sma002187; Sun May 8 11:49:37 1994 Received: from otter.tis.com by tis.com (4.1/SUN-5.64) id AA17431; Sun, 8 May 94 11:48:52 EDT Date: Sun, 8 May 94 11:48:52 EDT From: Marcus J Ranum Message-Id: <9405081548.AA17431@tis.com> To: Geoffrey.Mulligan@Eng.Sun.COM, brent@GreatCircle.COM Subject: Re: Screend ports (other than ULTRIX and BSD/386)? Cc: Firewalls@GreatCircle.COM, Stephen.L.Arnold@Arnold.Com, mulligan@future.Eng.Sun.COM Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Geoff Mulligan writes: >Is screend running on a 486 "fast enough" to keep up at ethernet speed? >How about faster than a T1? At ethernet speeds it adds something like 2-4ms to the latency. Not too bad, really. Not great, but for the price it's pretty good. You can have: a) Cheap b) Fast c) Good - Pick two. If you're playing T3 speed games, you're already buying very expensive sexy hardware just to move packets around. "Low cost firewall" is an oxymoron in that situation -- just buy high-end routers like an NSC that have really awesome screening capabilities. It's not fair to beat up on Brent when he assumes a T1 or lower speed connection. That's what the majority of the folks running firewalls are dealing with. Anything else is right out of the ballpark. By the time we are all running local T3 connects to the 'net, the future-equivalent of a '486 will handle the traffic just fine using the future-equivalent of screend. mjr. 
From firewalls-owner Sun May 8 16:07:16 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA25029; Sun, 8 May 1994 16:07:16 GMT Received: from Sun.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA25023; Sun, 8 May 1994 09:07:10 -0700 Received: from Eng.Sun.COM (zigzag.Eng.Sun.COM) by Sun.COM (sun-barr.Sun.COM) id AA17780; Sun, 8 May 94 08:20:10 PDT Received: from jurassic.Eng.Sun.COM (camilla) by Eng.Sun.COM (4.1/SMI-4.1) id AA21274; Sun, 8 May 94 08:19:19 PDT Received: from localhost by jurassic.Eng.Sun.COM (5.x/SMI-SVR4) id AA13127; Sun, 8 May 1994 08:20:07 -0700 Message-Id: <9405081520.AA13127@jurassic.Eng.Sun.COM> To: "Robert G. Moskowitz" <0003858921@mcimail.com> Cc: Firewalls Subject: Re: MBONE and Firewalls... In-Reply-To: Your message of "Sat, 07 May 94 21:53:00 EST." <71940508025317/0003858921NA1EM@mcimail.com> Date: Sun, 08 May 94 08:20:06 PDT From: Geoff Mulligan Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk We have some application level gateways running to provide MBONE forwarding to our internal network. geoff From firewalls-owner Sun May 8 16:32:24 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA25141; Sun, 8 May 1994 16:32:24 GMT Received: from mig.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA25135; Sun, 8 May 1994 09:32:12 -0700 Received: from localhost by mig.com (4.3/MIG-8.6.5) id KAA05605; Sun, 8 May 1994 10:32:58 -0600 Date: Sun, 8 May 1994 10:32:58 -0600 From: jpf@mig.com (Jack Flory) Message-Id: <199405081632.KAA05605@mig.com> To: firewalls@greatcircle.com Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > >First not all Internet connections are T1; some folks have faster lines. >Second, not all firewalls are built between the Internet and an internal >network; firewalls can and are being used to separate internal networks. 
> >Is screend running on a 486 "fast enough" to keep up at ethernet speed? > Yes! > >How about faster than a T1? > I use a PC with an AMD386/40 with 64 KB cache running NetBSD for the firewall. Note that this is an ISA bus machine. Calculating out the amount of time per packet from the CPU time used, I come up with about 2 MBytes / second. Now, a machine based on a 50 MHz DX with 256 KB of cache should be substantially faster. Using a 3c579 Ethernet card on an ESDI bus machine will double the Ethernet throughput. Still, you can't get 2 MBytes / second through a 1.25 MByte pipe. So, if you look at the real throughput of a DS3, you should be able to use a 50MHz DX ESDI bus PC to keep up with the traffic. From firewalls-owner Sun May 8 21:14:51 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA26150; Sun, 8 May 1994 21:14:51 GMT Received: from tadpole by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA26144; Sun, 8 May 1994 14:14:44 -0700 Received: from ribit.tadpole.com by tadpole (4.1/SMI-4.1-jim) id AA19999; Sun, 8 May 94 16:15:02 CDT Date: Sun, 8 May 94 16:15:02 CDT From: jim@Tadpole.COM (Jim Thompson) Message-Id: <9405082115.AA19999@tadpole> To: Geoffrey.Mulligan@Eng.Sun.COM, brent@GreatCircle.COM, mjr@tis.com Subject: Re: Screend ports (other than ULTRIX and BSD/386)? Cc: Firewalls@GreatCircle.COM, Stephen.L.Arnold@Arnold.Com, mulligan@future.Eng.Sun.COM Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > Geoff Mulligan writes: > >Is screend running on a 486 "fast enough" to keep up at ethernet speed? > >How about faster than a T1? > > At ethernet speeds it adds something like 2-4ms to the latency. > Not too bad, really. Not great, but for the price it's pretty good. I'm reluctant to believe this figure is accurate under loaded conditions. 
Sure, 'ping' probably shows 2-4ms, but what happens when 39 random users are all ftp-ing the latest X11Rn release across your internal firewall that connects both sides via ethernet? Jim From firewalls-owner Sun May 8 22:48:12 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id WAA26711; Sun, 8 May 1994 22:48:12 GMT Received: from post.demon.co.uk by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA26705; Sun, 8 May 1994 15:48:02 -0700 Received: from demon.demon.co.uk by post.demon.co.uk id ab13968; 8 May 94 23:39 GMT-60:00 Received: from cellnet.uucp by demon.demon.co.uk id aa05299; 8 May 94 23:39 BST From: Steve Kennedy Message-Id: <3129.9405082246@marvin.gbnet.org> Subject: Re: Screend ports (other than ULTRIX and BSD/386)? To: eng.sun.com!Geoffrey.Mulligan@gbnet.org Date: Sun, 8 May 1994 22:46:38 +0000 (GMT) Cc: greatcircle.com!brent@gbnet.org, future.eng.sun.com!mulligan@gbnet.org, arnold.com!Stephen.L.Arnold@gbnet.org, greatcircle.com!Firewalls@gbnet.org In-Reply-To: <9405081518.AA13110@jurassic.Eng.Sun.COM> from "Geoff Mulligan" at May 8, 94 08:18:18 am X-Subliminal-Message: Send large quantities of used bills. X-Mailer: ELM [version 2.4 PL21] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1243 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Geoff, > First not all Internet connections are T1; some folks have faster lines. > Second, not all firewalls are built between the Internet and an internal > network; firewalls can and are being used to separate internal networks. > Is screend running on a 486 "fast enough" to keep up at ethernet speed? > How about faster than a T1? A KarlBridge will do around 9500 packets/second (and the latest version SHOULD support wire-speed r.s.n). By the time you have put a system together to run screend - the KB solution should sound reasonable. 
Contact sales@karlnet.com or sales@gbnet.com for sales info or nisca.acs.ohio-state.edu:/pub/kbridge for a demo version. Regards Steve -- ___ |_ ___ ___ Tel: +44 (0)71 483 1169 Voice (___ | (___) \ / (___) Data: 483 2454 WorldBlazer T3000 PEP+/v32bis... ___) | (___ \/ (___ Data: 483 2455 WorldBlazer T3000 V32bis/PEP+... ISDN: 722 7969/70 Email [MIME OK] Snail Mail steve@gbnet.{org,com,net} [home] Steve Kennedy steve@marvin.demon.co.uk [DIS dialup internet] Flat 2, 43 Howitt Rd stevek@cellnet.co.uk [work] London, NW3 4LU From firewalls-owner Sun May 8 17:43:56 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id AAA27136; Mon, 9 May 1994 00:33:55 GMT Received: from mig.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA27129; Sun, 8 May 1994 17:33:30 -0700 Received: from localhost by mig.com (4.3/MIG-8.6.5) id SAA06309; Sun, 8 May 1994 18:34:00 -0600 From: jpf@mig.com (Jack Flory) Message-Id: <199405090034.SAA06309@mig.com> Subject: Re: Screend ports (other than ULTRIX and BSD/386)? To: steve@gbnet.org (Steve Kennedy) Date: Sun, 8 May 1994 18:33:59 -0600 (MDT) Cc: firewalls@greatcircle.com In-Reply-To: <3129.9405082246@marvin.gbnet.org> from "Steve Kennedy" at May 8, 94 10:46:38 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1784 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > >> First not all Internet connections are T1; some folks have faster lines. >> Second, not all firewalls are built between the Internet and an internal >> network; firewalls can and are being used to separate internal networks. >> Is screend running on a 486 "fast enough" to keep up at ethernet speed? >> How about faster than a T1? > >A KarlBridge will do around 9500 packets/second (and the latest version >SHOULD support wire-speed r.s.n). > Well, let's see. 
The other day, your sales pitch was for a thing you called a KarlBrouter. This was to satisfy the routing specifications. Do I detect a bait and switch here? Is this the same unit? >By the time you have put a system together to run screend - the KB solution >should sound reasonable. > You can do the 486/50 DX for about $1750 if you build it yourself. Even cheaper if you just happen to have one laying around. Many businesses do. > >Contact sales@karlnet.com or sales@gbnet.com for sales info or >nisca.acs.ohio-state.edu:/pub/kbridge for a demo version. Can we please put this in a FAQ and deposit on ftp.greatcircle.com as suggested by Brent so all can make their own decision instead of the sales pitch. ThankX > >Regards > >Steve > >-- > ___ |_ ___ ___ Tel: +44 (0)71 483 1169 Voice >(___ | (___) \ / (___) Data: 483 2454 WorldBlazer T3000 PEP+/v32bis... > ___) | (___ \/ (___ Data: 483 2455 WorldBlazer T3000 V32bis/PEP+... > ISDN: 722 7969/70 >Email [MIME OK] Snail Mail >steve@gbnet.{org,com,net} [home] Steve Kennedy >steve@marvin.demon.co.uk [DIS dialup internet] Flat 2, 43 Howitt Rd >stevek@cellnet.co.uk [work] London, NW3 4LU > > From firewalls-owner Mon May 9 05:48:47 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id FAA28326; Mon, 9 May 1994 05:48:47 GMT Received: from bedrock.cs.UMD.EDU by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id WAA28319; Sun, 8 May 1994 22:48:31 -0700 Received: from localhost by bedrock.cs.UMD.EDU (8.6.5/UMIACS-0.9/04-05-88) id BAA28759; Mon, 9 May 1994 01:49:19 -0400 Date: Mon, 9 May 1994 01:49:19 -0400 From: reh@cs.UMD.EDU (Richard Huddleston) Message-Id: <199405090549.BAA28759@bedrock.cs.UMD.EDU> To: firewalls@greatcircle.com Subject: more on TIS portscan and Cisco routers Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk A few days ago, I posted a short note about what I found when running the TIS Toolkit 'portscan' against a Cisco router: echo discard finger 1993 2006 
4006 6006 9006

You can get some pretty unexpected behavior from your router if you don't add an, as far as I know, undocumented configuration for vty 4. At least, it sure surprised the daylights out of me. I was convinced I'd found a pretty big security bug in Cisco routers there for an hour or two.

The reason the behavior is alarming is, like most folks I know, I set up access-classes to define which IP addresses can connect to the router. Not foolproof, of course, but (slightly) better than nothing. A typical config might look like this:

    rtr# config term
    access-list 1 permit
    access-list 1 permit
    line 1 5
    access-class 1 in
    ^Z

...and (unless you know about this already) you might think that a connection attempt from IP_3 would get refused. Well it will -- unless you pass {2,4,6,9}006 as argv[2] to the telnet command. In those cases, the router will happily give a "password:" prompt to anybody.

To get the expected behavior, you must also:

    rtr# config term
    access-list 2 deny 0.0.0.0 255.255.255.255
    line vty 4
    access-class 2 in
    ^Z

...which still permits access-class 1 to access the router, but disables the ability to connect on those {2,4,6,9}006 ports from IP addresses not in that class.

I'm still looking for something in the Cisco docs that describes why vty 4 is special; if anyone knows, I'd appreciate hearing about it. I'd imagine there are other ways to get the desired behavior, as well.

I'd like to thank the engineer at Cisco who worked with me on this one even though he was on vacation. One of the more esteemed members of this list also patiently listened to a rant or two, as well. Domo arigato.

If you try to restrict the IP addresses which establish a tcp connection to the cisco router, you may want to look into all of this. I'd be very interested in learning a better way to achieve the same result.
Richard From firewalls-owner Mon May 9 17:48:21 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA02382; Mon, 9 May 1994 17:48:21 GMT Received: from bedrock.cs.UMD.EDU by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA02368; Mon, 9 May 1994 10:48:05 -0700 Received: from localhost by bedrock.cs.UMD.EDU (8.6.5/UMIACS-0.9/04-05-88) id NAA00295; Mon, 9 May 1994 13:48:56 -0400 Date: Mon, 9 May 1994 13:48:56 -0400 From: reh@cs.UMD.EDU (Richard Huddleston) Message-Id: <199405091748.NAA00295@bedrock.cs.UMD.EDU> To: firewalls@greatcircle.com Subject: Final: Ciscos and TIS "portscan" Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk

Actually, all of the hubbub about undocumented listener ports on the Cisco routers can be traced to a misleading statement in their manuals (I've found it in the 8.2, 9.0 and 9.1 docs I personally have available). In the 9.1 docs, Chap 13 p 27, for example:

    "
    Controlling Line Access
    [....]
    Example 1
    The following example defines an access list that permits only hosts on network 192.89.55.0 to connect to the virtual terminal ports on the router.

        access-list 12 permit 192.89.55.0 0.0.0.255
        line 1 5
             ^ ^
        access-class 12 in
    "

Widening the range, to "line 1 6", appears to restore expected behavior.

Please disregard my earlier posting about setting up an additional access list and class for line vty 4. It appears unnecessary if the line range is specified correctly.

Of course, port 1993 is still listening. This port is reportedly useless unless SRB is enabled, and even then there are protections possible.

I have been told that the manuals will be corrected in the next release.

Well, it's been a fun weekend. Thank you, portscan.
Richard From firewalls-owner Mon May 9 11:54:03 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id SAA02790; Mon, 9 May 1994 18:41:10 GMT Received: from sgigate.sgi.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id LAA02777; Mon, 9 May 1994 11:40:51 -0700 Received: from relay.sgi.com (relay.sgi.com [192.26.51.36]) by sgigate.sgi.com (8.6.4/8.6.4) with SMTP id LAA11274; Mon, 9 May 1994 11:41:14 -0700 Received: from yeager.corp.sgi.com by relay.sgi.com via SMTP (920330.SGI/920502.SGI) for @sgigate.sgi.com:bobs@gruagach.rand.org id AA02413; Mon, 9 May 94 11:40:47 -0700 Received: by yeager.corp.sgi.com (931110.SGI/911001.SGI) for @sgi.com:firewalls@GreatCircle.COM id AA28593; Mon, 9 May 94 11:41:11 -0700 From: lear@yeager.corp.sgi.com (Eliot Lear) Message-Id: <9405091141.ZM28591@yeager.corp.sgi.com> Date: Mon, 9 May 1994 11:41:11 -0700 In-Reply-To: Robert Schwartzkopf "MBONE and SGI" (May 6, 3:50pm) References: <9405062250.AA22101@gruagach.rand.org.rcc> X-Mailer: Z-Mail-SGI (3.1S.0 3mar94 MediaMail) To: Robert Schwartzkopf , firewalls@GreatCircle.COM Subject: Re: MBONE and SGI Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Oh, and in answer to your question, ipforwarding = 0, with mrouted turned on and configured properly. 
-- Eliot Lear [lear@sgi.com] From firewalls-owner Mon May 9 12:04:02 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id SAA02788; Mon, 9 May 1994 18:41:09 GMT Received: from sgigate.sgi.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id LAA02778; Mon, 9 May 1994 11:40:51 -0700 Received: from relay.sgi.com (relay.sgi.com [192.26.51.36]) by sgigate.sgi.com (8.6.4/8.6.4) with SMTP id LAA11153; Mon, 9 May 1994 11:40:28 -0700 Received: from yeager.corp.sgi.com by relay.sgi.com via SMTP (920330.SGI/920502.SGI) for @sgigate.sgi.com:bobs@gruagach.rand.org id AA02377; Mon, 9 May 94 11:40:00 -0700 Received: by yeager.corp.sgi.com (931110.SGI/911001.SGI) for @sgi.com:firewalls@GreatCircle.COM id AA28589; Mon, 9 May 94 11:40:22 -0700 From: lear@yeager.corp.sgi.com (Eliot Lear) Message-Id: <9405091140.ZM28587@yeager.corp.sgi.com> Date: Mon, 9 May 1994 11:40:22 -0700 In-Reply-To: Robert Schwartzkopf "MBONE and SGI" (May 6, 3:50pm) References: <9405062250.AA22101@gruagach.rand.org.rcc> X-Mailer: Z-Mail-SGI (3.1S.0 3mar94 MediaMail) To: Robert Schwartzkopf , firewalls@GreatCircle.COM Subject: Re: MBONE and SGI Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk SGI currently runs a tunnelling mrouted, configured so that packets with TTLs less than 32 will not be transmitted to the mbone (see threshold). Since no TCP services can be accessed via multicast, and since our machines cannot unicast back to sources, we deemed the risk to be acceptable. It's conceivable that someone could develop a kiss of death packet for some udp service. 
-- Eliot Lear [lear@sgi.com] From firewalls-owner Mon May 9 21:25:53 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA03567; Mon, 9 May 1994 21:25:53 GMT Received: from welch.ncd.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA03561; Mon, 9 May 1994 14:25:45 -0700 Received: from bryant.ncd.com (mfrost@bryant.ncd.com [192.43.159.209]) by welch.ncd.com (8.6.8.1/8.6.6) with ESMTP id OAA10526; Mon, 9 May 1994 14:26:12 -0700 Received: (mfrost@localhost) by bryant.ncd.com (8.6.8.1/8.6.5.Beta11) id OAA27441; Mon, 9 May 1994 14:25:56 -0700 From: "Mark Frost" Message-Id: <9405091425.ZM27439@bryant.ncd.com> Date: Mon, 9 May 1994 14:25:55 -0700 In-Reply-To: Gustavo Vegas "MTA's used on firewalls" (May 7, 4:08) References: <94May6.120852mst.15633@titan> X-Mailer: Z-Mail (3.0.1 23feb94) To: Gustavo Vegas , firewalls@GreatCircle.COM Subject: Re: MTA's used on firewalls Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk On May 7, 4:08, Gustavo Vegas wrote: > Subject: MTA's used on firewalls > Hello, > It appears to me that most people that are running some sort > of E-mail through a firewall are running sendmail as the MTA. I was > wondering if anyone is running other freely distributable MTA's like > MMDFII or one of the commercial ones, like Zmail. I would like to read > about experiences and setup. I would believe that there are concerns > about using sendmail, since it has had so many security holes discovered. > I am sorry if this info is in some kind of FAQ compilation, I have not > found any references to this topic so far. > > Thanks, > -------- > ===========================================+=========================== > ****** > * *** * > * * * > *** * * > * * * * > * * > * *** *** * Gustavo Vegas titan!gustavo@enuucp.eas.asu.edu > ********** CAD Systems Administrator Microchip Technology Inc. 
> ******* Chandler, Arizona > ===========================================+=========================== >-- End of excerpt from Gustavo Vegas Um, just so there's no confusion here (if that's possible :-) ), "Z-mail" is a mail user agent and is a commercial product (of a division of NCD no less! :-) ). "Zmailer" is a mail transfer agent. I thought it was not a commercial product... -mark frost network computing devices From firewalls-owner Mon May 9 21:41:43 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA03712; Mon, 9 May 1994 21:41:43 GMT Received: from interlock.reston.ans.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA03706; Mon, 9 May 1994 14:40:59 -0700 Received: by interlock.reston.ans.net id AA11392 (InterLock SMTP Gateway 1.1 for firewalls@greatcircle.com); Mon, 9 May 1994 17:41:33 -0400 Message-Id: <199405092141.AA11392@interlock.reston.ans.net> Received: by interlock.reston.ans.net (Internal Mail Agent-2); Mon, 9 May 1994 17:41:33 -0400 Received: by interlock.reston.ans.net (Internal Mail Agent-1); Mon, 9 May 1994 17:41:33 -0400 Date: Mon, 9 May 1994 17:41:18 +0500 From: sangster@reston.ans.net (Paul Sangster) To: firewalls@greatcircle.com Subject: Re: Firewall Administrator (lack o'trust) X-Sun-Charset: US-ASCII Content-Length: 3289 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Stephen.L.Arnold@Arnold.Com wrote: > > The position description will be oriented to a large company with a > highly developed IS infrastructure and very high security needs. Among > the requirements is "separation of duties"--that is, it should be > impossible for a single individual, including a firewall manager, to > subvert the purpose of the firewall. What you call "separation of duties" is frequently referred to as "least privilege" by many security circles, but with a rather different twist. 
I believe that partitioning the privileges of the firewall administrator such that each person is only able to perform some limited security relevant tasks (eg. user account maintenance) is a reasonable thing to ask for. However, at some point you have to trust your administrators not to subvert your security policies. Your customer seems to want the firewall machine(s) to avoid trusting any individual which is probably not doable. For instance, if someone can load new software (eg. upgrades) on the system, they could replace the authentication and/or authorization mechanisms and assume full control. Some government systems desire a similar security policy for their top secret systems. One *limited* approach is to employ a "2 designated man rule." This policy could just mean that 2 independent, authorized individuals approve each security relevant action. This is frequently not practical, but could be interpreted as requiring 2 authorized individuals to authenticate before the administrator shell is invoked, and that both need to be present for all actions until the shell is exited. You could require a second dual authentication to occur to exit the shell. Also all actions are feverishly audited for later accountability. Now both authenticated administrators are accountable for every action which occurred. An independent system auditor could be responsible for monitoring the logs. With that said, I think you should consider trying to solve this problem with administrative, physical, and personnel security. Good background investigations (in some cases), badges, walls, doors, guns and dogs :-) are quite effective means of security which *sometimes* can be replaced with technology, but not always. Maybe these along with a requirement of both being physically present at the console would suffice. The InterLock has plans to provide some mechanisms to promote least privilege of administrative functions in the upcoming release. 
However, in most models some administrator is responsible for assigning each of these privileges, so this individual could still decide to assign himself (or herself) all possible privileges (thus breaking your model.) Of course, many firewalls can have their privilege definitions circumvented by a savvy person with physical access to the machine and a set of modified boot floppies :-(.

Paul
____________________________________________________________________________
Paul Sangster                          Advanced Network & Services
Software Engineer                      1875 Campus Commons Dr.
sangster@reston.ans.net                Suite 220, Reston VA 22091
                                       (703) 758-7706
____________________________________________________________________________

From firewalls-owner Mon May 9 14:54:00 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA03704; Mon, 9 May 1994 21:40:38 GMT
Received: from amdext.amd.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA03698; Mon, 9 May 1994 14:40:30 -0700
Received: from amdint.amd.com by amdext.amd.com with SMTP id AA02969 (5.67a/IDA-1.5+AMD for ); Mon, 9 May 1994 14:40:53 -0700
Received: from brahms.amd.com by amdint.amd.com with SMTP id AA22842 (5.67a/IDA-1.5+AMD for ); Mon, 9 May 1994 14:40:52 -0700
Received: from angelo.amd.com by brahms.amd.com (4.1/AMDSN-1.18) id AA21736; Mon, 9 May 94 14:40:52 PDT
Received: by angelo.amd.com (4.1/AMDC-1.18) id AA06334; Mon, 9 May 94 14:40:25 PDT
From: clark@brahms.amd.com (Brad D. Clark)
Message-Id: <9405092140.AA06334@angelo.amd.com>
Subject: boxx (??) for AIX security??
To: firewalls@greatcircle.com
Date: Mon, 9 May 1994 14:40:24 -0700 (PDT)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 806
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Fellow firewallers:

I was asked by my management to put out a call for info on the following product:

it's _pronounced_ "bochs", so I assume it's boxx or some-such thing...
it is a security product for aix, and I guess we want to bring it in house, but before that we'd like to find out any user experiences/horror stories.

I realize that this isn't firewall-specific, but since most of the Data Security Gurus either are active, hang about, or lurk occasionally, hopefully I can get an answer back to Management.....

eMail replies to the following, and I'll summarize if there's enuff interest.

eMail to: clark@brahms.amd.com - or - brad.clark@amd.com

Thanks in advance

Brad Clark
Data Security Administration
Advanced Micro Devices
1 AMD Place
Sunnyvale, CA 94088
(408)749-5192

std.disclaimer

From firewalls-owner Tue May 10 00:47:02 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id AAA04611; Tue, 10 May 1994 00:47:02 GMT
Received: from nic.cerf.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA04605; Mon, 9 May 1994 17:46:50 -0700
Received: (from marty@localhost) by nic.cerf.net (8.6.7/8.6.6) id RAA04757 for firewalls@greatcircle.com; Mon, 9 May 1994 17:47:44 -0700
From: Marty Lyons
Message-Id: <199405100047.RAA04757@nic.cerf.net>
Subject: Re: more on TIS portscan and Cisco routers
To: firewalls@greatcircle.com
Date: Mon, 9 May 1994 17:47:44 -0700 (PDT)
In-Reply-To: Message-Id: <199405090549.BAA28759@bedrock.cs.UMD.EDU>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 697
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> Date: Mon, 9 May 1994 01:49:19 -0400
> From: reh@cs.UMD.EDU (Richard Huddleston)
> Message-Id: <199405090549.BAA28759@bedrock.cs.UMD.EDU>
> Subject: more on TIS portscan and Cisco routers
>
>
> [...]
>
> ...and (unless you know about this already) you might think that a
> connection attempt from IP_3 would get refused. Well it will -- unless
> you pass {2,4,6,9}006 as argv[2] to the telnet command. In those cases,
> the router will happily give a "password:" prompt to anybody.
I tried to duplicate this on two separate Ciscos, with no success. One is a 3000 running 9.1(10), and the other a 4000 running 9.14(5). What versions were you running that exhibited this behavior?

/Marty

From firewalls-owner Tue May 10 01:03:52 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id BAA04672; Tue, 10 May 1994 01:03:52 GMT
Received: from METEOR.SYSCON.HII.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id SAA04666; Mon, 9 May 1994 18:03:42 -0700
Received: from NEBULA.SYSCON.HII.COM by METEOR.SYSCON.HII.COM (MX V3.3 VAX) with SMTP; Mon, 09 May 1994 21:04:07 EST
Received: by nebula.syscon.hii.com (MX V3.3 VAX) id 11429; Mon, 09 May 1994 21:04:59 EST
Date: Mon, 09 May 1994 21:04:58 EST
From: "Gregory J. Donaldson"
Reply-To: "Gregory J. Donaldson"
To: firewalls@GreatCircle.COM
Message-ID: <0097E307.88D44D00.11429@nebula.syscon.hii.com>
Subject: Wellfleet Routers as Firewalls
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Folks,

I am relatively new to the firewalls mailing list having been a subscriber since March. We are in the process of making a decision as to what router platform we will be using for our internal network. From an ease of management point of view I would like to use the same model router for my firewall. Right now it seems like we will be going with Wellfleet for the internal network.

Since joining this mailing list I have seen numerous references to various types of hardware being used in firewalls but I have not seen any references to Wellfleet. Is anyone out there using Wellfleet routers as part of a firewall or am I overlooking some flaw that makes them a bad choice.

Thanks!

Greg Donaldson

+------------------------------------------------------------------------------+
| Greg Donaldson, Senior Systems Analyst       SYSCON Corporation              |
| GDonaldson@SYSCON.HII.COM                    1000 Thomas Jefferson St. NW    |
| (202) 342-4123                               Washington, DC 20007            |
+------------------------------------------------------------------------------+

From firewalls-owner Tue May 10 02:39:17 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id CAA05087; Tue, 10 May 1994 02:39:17 GMT
Received: from bedrock.cs.UMD.EDU by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA05080; Mon, 9 May 1994 19:39:07 -0700
Received: from localhost by bedrock.cs.UMD.EDU (8.6.5/UMIACS-0.9/04-05-88) id WAA01862; Mon, 9 May 1994 22:39:42 -0400
Date: Mon, 9 May 1994 22:39:42 -0400
From: reh@cs.UMD.EDU (Richard Huddleston)
Message-Id: <199405100239.WAA01862@bedrock.cs.UMD.EDU>
To: marty@CERF.NET
Subject: Re: more on TIS portscan and Cisco routers
Cc: firewalls@greatcircle.com
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

* Marty Lyons:
* What version were you running that exhibited this behavior?

A 4000 with 9.14(5).

Actually, I was able to track it to a misconfiguration due to what appears to be an error in the manual (manuals for 8.2 9.0 and 9.1, and perhaps others). Example 1 in the manual(s) for Controlling Line Access (on Ch 13 P 27 of the 9.1 docs) says that you can prevent unwanted IP addresses from attaching to the vty ports on the router if you:

    "
    access-list 12 permit 192.89.55.0 0.0.0.255
    line 1 5
    access-class 12 in
    "

...which, if you modify the IP addresses in the example appropriately, but leave the line references at 1..5, shows {2,4,6,9}006 open for connections when I run TIS' portscan from an "unwelcomed" address. When I do the above, using "line 1 6", those open listeners disappear from the portscan listing (from an unwelcomed address).

Interestingly, when I run portscan from a "welcomed" address, I've got ports galore: 23, {2,4,6,9}00{1,2,3,4,5,6} and 10000. When I saw that, the true cause of the open ports was obvious.
Given the number of folks who have sent me email on this saying "it got us, too" I'd presume that the manual could be more specific and I could just be more careful. I have to be the resident expert on routers, IP, Unix, etc., at my place of employment, and this one just plain got by me. It's a pretty easy mistake to make, apparently.

If the router's configured correctly to begin with, you *shouldn't* be able to duplicate the behavior I reported, or even see those ports using portscan from an unwanted IP node.

Richard

* From: Marty Lyons
* Subject: Re: more on TIS portscan and Cisco routers
* To: firewalls@GreatCircle.COM
* Date: Mon, 9 May 1994 17:47:44 -0700 (PDT)
*
* > Date: Mon, 9 May 1994 01:49:19 -0400
* > From: reh@cs.UMD.EDU (Richard Huddleston)
* > Message-Id: <199405090549.BAA28759@bedrock.cs.UMD.EDU>
* > Subject: more on TIS portscan and Cisco routers
* >
* >
* > [...]
* >
* > ...and (unless you know about this already) you might think that a
* > connection attempt from IP_3 would get refused. Well it will -- unless
* > you pass {2,4,6,9}006 as argv[2] to the telnet command. In those cases,
* > the router will happily give a "password:" prompt to anybody.
*
* I tried to duplicate this on two separate Ciscos, with no success.
* One is a 3000 running 9.1(10), and the other a 4000 running 9.14(5).
* What versions were you running that exhibited this behavior?
*
* /Marty
*
*

From firewalls-owner Tue May 10 03:14:05 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id DAA05215; Tue, 10 May 1994 03:14:05 GMT
Received: from Sun.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA05208; Mon, 9 May 1994 20:13:59 -0700
Received: from East.Sun.COM (east.East.Sun.COM) by Sun.COM (sun-barr.Sun.COM) id AA27625; Mon, 9 May 94 20:14:52 PDT
Received: from suneast.East.Sun.COM by East.Sun.COM (4.1/SMI-4.1) id AA15273; Mon, 9 May 94 09:37:44 EDT
Received: from cameron.East.Sun.COM by suneast.East.Sun.COM (4.1/SMI-4.1) id AA05890; Mon, 9 May 94 09:38:39 EDT
Received: by cameron.East.Sun.COM (5.0/SMI-SVR4) id AA06873; Mon, 9 May 1994 09:35:47 +0500
Date: Mon, 9 May 1994 09:35:47 +0500
From: ken@cameron.East.Sun.COM (Ken Harford - Network Architecture Consultant)
Message-Id: <9405091335.AA06873@cameron.East.Sun.COM>
To: Firewalls@GreatCircle.COM
Subject: Cisco Filtering
X-Sun-Charset: US-ASCII
Content-Length: 566
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hi All,

Does Cisco do port filtering on their router products??? I know that Wellfleet does and I heard that Cisco was going to start!!!!

Ken

Ken Harford
SunNetworks, Inc.
Sun Microsystems Inc.
2 Elizabeth Drive
Chelmsford MA 01824
ken.harford@East.Sun.COM
508-250-5527 (Fax)

Is It All Right To Come Up???
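A small configuration audit for the vty access-class mistake Richard Huddleston describes in the thread above (an added example, not code from any poster or from Cisco). It parses a constructed config fragment, reports the vty lines that no inbound access-class covers, and lists the {2,4,6,9}00N ports the posts say expose each uncovered line; the assumption that the router has six vty lines, and the port bases themselves, come from the posts rather than from anything verified here.

```python
"""Audit a Cisco-style configuration for vty lines that no inbound access-class
covers.  Added example, not code from the thread or from Cisco.  The config
fragments are constructed to mirror the 'line 1 5' vs 'line 1 6' mistake in the
thread; the vty line count is an assumption supplied by the caller."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The thread reports that vty line N answered telnet on {2,4,6,9}00N; these
# bases are taken from the posts, not from Cisco documentation.
PORT_BASES = (2000, 4000, 6000, 9000)

LINE_RE = re.compile(r"^line\s+(\d+)(?:\s+(\d+))?$")
ACL_RE = re.compile(r"^access-class\s+(\S+)\s+(in|out)$")


@dataclass
class LineBlock:
    first: int                             # first line number in 'line A B'
    last: int                              # last line number (A itself for 'line A')
    access_class_in: Optional[str] = None  # ACL named by 'access-class X in'


def parse_line_blocks(config: str) -> List[LineBlock]:
    """Collect every 'line A [B]' block and the inbound access-class it carries.
    A block ends at the next 'line' statement, a '!' separator, or end of text."""
    blocks: List[LineBlock] = []
    current: Optional[LineBlock] = None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            current = None
            continue
        m = LINE_RE.match(text)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = LineBlock(first, last)
            blocks.append(current)
            continue
        m = ACL_RE.match(text)
        if m and current is not None and m.group(2) == "in":
            current.access_class_in = m.group(1)
    return blocks


def unprotected_vty_lines(config: str, vty_lines: range) -> Dict[int, List[int]]:
    """Return {line_number: [ports]} for every vty line in vty_lines that has no
    inbound access-class, with the TCP ports the thread says expose that line."""
    covered = set()
    for block in parse_line_blocks(config):
        if block.access_class_in:
            covered.update(range(block.first, block.last + 1))
    return {n: [base + n for base in PORT_BASES] for n in vty_lines if n not in covered}


# Constructed fragments.  The ACL and 'line 1 5' mirror the manual example quoted
# in the thread; the router is assumed (not verified) to have vty lines 1 to 6.
MANUAL_EXAMPLE = """\
access-list 12 permit 192.89.55.0 0.0.0.255
!
line 1 5
 access-class 12 in
 login
"""

CORRECTED = MANUAL_EXAMPLE.replace("line 1 5", "line 1 6")
ASSUMED_VTY_LINES = range(1, 7)

if __name__ == "__main__":
    for label, cfg in (("manual example", MANUAL_EXAMPLE), ("corrected", CORRECTED)):
        gaps = unprotected_vty_lines(cfg, ASSUMED_VTY_LINES)
        print(f"{label}: {gaps or 'all vty lines covered'}")
```

Run against a real configuration, the only input that needs care is the vty line count, which has to be taken from the router rather than from the manual's example.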
From firewalls-owner Tue May 10 03:40:06 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id DAA05304; Tue, 10 May 1994 03:40:06 GMT
Received: from pserv1.dot.state.az.us by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA05296; Mon, 9 May 1994 20:39:57 -0700
Received: by pserv1.dot.state.az.us (5.65c/1.921207) id AA16941; Mon, 9 May 1994 20:40:18 -0700
From: tom@pserv1.dot.state.az.us (TOM BRINK)
Message-Id: <199405100340.AA16941@pserv1.dot.state.az.us>
Subject: Wellfleet Routers as Firewalls (fwd)
To: firewalls@greatcircle.com
Date: Mon, 9 May 94 20:40:17 MST
Reply-To: tom@pserv1.dot.state.az.us
X-Mailer: ELM [version 07.00.00.00 (2.3 PL11)]
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Gregory J. Donaldson writes:
> Folks,
>
> I am relatively new to the firewalls mailing list
> having been a subscriber since March. We are in the process
> of making a decision as to what router platform we will be
> using for our internal network. From an ease of management
> point of view I would like to use the same model router
> for my firewall. Right now it seems like we will be going
> with Wellfleet for the internal network.
>
> Since joining this mailing list I have seen numerous
> references to various types of hardware being used in firewalls
> but I have not seen any references to Wellfleet. Is anyone
> out there using Wellfleet routers as part of a firewall or am
> I overlooking some flaw that makes them a bad choice.
>
> Thanks!
>
> Greg Donaldson

Yep, we have a combination of VME routers (CN, LN and LOTS of AFNs). We are currently using a CN to provide firewall packet filtering. In the near future, we will be adding a bastion-host based firewall, not because of any problems with the WF, simply for the advantages of a UNIX based firewall. By and large, it was easy to configure and has been very reliable. If interested, I can give you some sample 'traffic filters'.
tom
--
Tom Brink
Technical Support Specialist
Computer Aided Engineering Section
Arizona Department of Transportation
tom@dot.state.az.us

From firewalls-owner Tue May 10 05:01:47 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id FAA05613; Tue, 10 May 1994 05:01:47 GMT
Received: from tadpole by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id WAA05607; Mon, 9 May 1994 22:01:41 -0700
Received: from ribit.tadpole.com by tadpole (4.1/SMI-4.1-jim) id AA04221; Tue, 10 May 94 00:01:34 CDT
Date: Tue, 10 May 94 00:01:34 CDT
From: jim@Tadpole.COM (Jim Thompson)
Message-Id: <9405100501.AA04221@tadpole>
To: marty@CERF.NET, reh@cs.UMD.EDU
Subject: Re: more on TIS portscan and Cisco routers
Cc: firewalls@GreatCircle.COM
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> "
> access-list 12 permit 192.89.55.0 0.0.0.255
> line 1 5
> access-class 12 in
> "

Note that this only works when typed in from the 'configure terminal' command. You can't just drop those lines in the config file, write, and reload.

Note to Ken Harford: Yes, of course they do. (sheesh!)

Jim

From firewalls-owner Tue May 10 13:54:52 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA07477; Tue, 10 May 1994 13:54:52 GMT
Received: from mail.auburn.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id GAA07471; Tue, 10 May 1994 06:54:43 -0700
Received: from noc.noc.auburn.edu (noc.auburn.edu) by mail.auburn.edu (4.1/SMI-4.0 News-1.0) id AA07621; Tue, 10 May 94 08:46:12 CDT
Received: by noc.noc.auburn.edu (5.0/SMI-SVR4) id AA02161; Tue, 10 May 1994 08:56:06 +0600
Date: Tue, 10 May 1994 08:56:06 +0600
From: owen@noc.auburn.edu
Message-Id: <9405101356.AA02161@noc.noc.auburn.edu>
To: firewalls@greatcircle.com
Subject: courses/seminars/workshops?
X-Sun-Charset: US-ASCII
Content-Length: 555
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hi. I'm kinda new to the firewalls list, and I suspect this is probably a FAQ, but it's not *in* the FAQ, so here goes:

Can anyone recommend any courses/seminars/workshops on firewall construction/implementation/management? I know that there's a course at InterOp, but I missed this one, and don't want to wait until the Fall InterOp. Anything between now and then?

Thanks.

Larry Owen                        email: owen@noc.auburn.edu
Campus Network Administrator      phone: (205) 844-4110
Auburn University                 fax:   (205) 844-9390

From firewalls-owner Tue May 10 14:45:10 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA07688; Tue, 10 May 1994 14:45:10 GMT
Received: from Sun.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id HAA07682; Tue, 10 May 1994 07:45:03 -0700
Received: from East.Sun.COM (east.East.Sun.COM) by Sun.COM (sun-barr.Sun.COM) id AA22518; Tue, 10 May 94 07:45:28 PDT
Received: from suneast.East.Sun.COM by East.Sun.COM (4.1/SMI-4.1) id AB28021; Tue, 10 May 94 10:45:16 EDT
Received: from cameron.East.Sun.COM by suneast.East.Sun.COM (4.1/SMI-4.1) id AA02751; Tue, 10 May 94 10:45:00 EDT
Received: by cameron.East.Sun.COM (5.0/SMI-SVR4) id AA07058; Tue, 10 May 1994 10:43:04 +0500
Date: Tue, 10 May 1994 10:43:04 +0500
From: ken@cameron.East.Sun.COM (Ken Harford - Network Architecture Consultant)
Message-Id: <9405101443.AA07058@cameron.East.Sun.COM>
To: firewalls@GreatCircle.COM
Subject: Cisco Filtering Addendum
X-Sun-Charset: US-ASCII
Content-Length: 745
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hi All Again,

I need to clarify a question that I raised about Cisco routers. I asked if Cisco products did port filtering, however I failed to focus my question on the particular filtering I was inquiring about: "inbound source port filtering". I guess I need an e-mail proof reader!!! Hope this makes it clearer!!! :-)

Ken

Ken Harford
SunNetworks, Inc.
Sun Microsystems Inc.
2 Elizabeth Drive
Chelmsford MA 01824
ken.harford@East.Sun.COM
508-250-5527 (Fax)

Is It All Right To Come Up???

From firewalls-owner Tue May 10 15:28:54 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA07973; Tue, 10 May 1994 15:28:54 GMT
Received: from enuucp.eas.asu.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id IAA07961; Tue, 10 May 1994 08:28:16 -0700
Received: from titan.UUCP by enuucp.eas.asu.edu with UUCP id AA05790 (5.65c/IDA-1.4.4 for enuucp!greatcircle.com!Firewalls); Tue, 10 May 1994 08:35:29 -0700
Received: from localhost by titan with SMTP id <15642>; Mon, 9 May 1994 15:17:25 -0700
To: Firewalls@greatcircle.com
Subject: Re: MTA's used on firewalls
Date: Mon, 9 May 1994 15:21:19 -0700
From: Gustavo Vegas
Message-Id: <94May9.151725mst.15642@titan>
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hello again,

Sections from message read:

>However, you've gotten caught by a bit of similar naming.
>Zmail, the commercial application, is not an MTA, it is an MUA.
>Zmailer, which is an MTA, is freely available. I know it is

I am aware of the 2 different products, what I was not aware of is that Z-mail (from Z-code Inc or something like that) is only an MUA. In my message, I meant Zmail, the commercial product, misconstrued as an MTA (begging pardons for such mistake!!!)

Zmailer was developed mostly at University of Toronto, as far as I recall, by Rayan S. Zachariassen. It is a freely distributable MTA, which apparently has not been updated since 1988.

My curiosity spawns from the fact that the proxy agents for mail included in the TIS kit are geared towards sendmail. I am wondering (since I have not used them) if they may be SMTP compatible, or directly sendmail-only, and if anyone has used them with other MTA's

Thanks again,
--------
===========================================+===========================
Gustavo Vegas                    titan!gustavo@enuucp.eas.asu.edu
CAD Systems Administrator        Microchip Technology Inc.
                                 Chandler, Arizona
===========================================+===========================

From firewalls-owner Tue May 10 16:07:11 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA08158; Tue, 10 May 1994 16:07:11 GMT
Received: from mycroft.GreatCircle.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA08151; Tue, 10 May 1994 09:07:06 -0700
Message-Id: <199405101607.JAA08151@mycroft.GreatCircle.COM>
To: owen@noc.auburn.edu
cc: firewalls@greatcircle.com
Subject: Re: courses/seminars/workshops?
In-reply-to: Your message of Tue, 10 May 1994 08:56:06 +0600
Date: Tue, 10 May 1994 09:07:04 -0700
From: Brent Chapman
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

owen@noc.auburn.edu writes:

# Hi. I'm kinda new to the firewalls list, and I suspect this is
# probably a FAQ, but it's not *in* the FAQ, so here goes:
#
# Can anyone recommend any courses/seminars/workshops on firewall
# construction/implementation/management? I know that there's a
# course at InterOp, but I missed this one, and don't want to wait
# until the Fall InterOp. Anything between now and then?
# Thanks.

Great Circle Associates offers a one-day "Internet Security Firewalls" tutorial. We present the tutorial publicly about once or twice a month in cities around the U.S., and I'm working on a deal to bring it to Europe this fall. We also present the tutorial in-house to various companies and organizations several times a month.

For full information, including a course description, schedule of upcoming courses, and a registration form, send email to "Tutorial-Info@GreatCircle.COM".

-Brent
--
Brent Chapman          | Great Circle Associates | Call or email for info about
Brent@GreatCircle.COM  | 1057 West Dana Street   | upcoming Internet Security
+1 415 962 0841        | Mountain View, CA 94041 | Firewalls Tutorial dates

From firewalls-owner Tue May 10 10:14:08 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA08598; Tue, 10 May 1994 16:59:46 GMT
Received: from ibeam.intel.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA08592; Tue, 10 May 1994 09:59:35 -0700
Received: from [134.134.208.67] by ibeam.intel.com with smtp (Smail3.1.28.1 #6) id m0q0v9K-0003VRC; Tue, 10 May 94 09:59 PDT
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 10 May 1994 10:02:17 -0800
To: firewalls@GreatCircle.COM
From: altis@ibeam.intel.com (Kevin Altis)
Subject: Checkpoint FireWall-1 sanity check
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Anybody here familiar with the Checkpoint FireWall-1 product? I can post a press release if anyone is interested, but I just want to know if their "unique, patent pending technology" is just so much hot air.

Thanks,

ka

From firewalls-owner Tue May 10 10:24:40 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA08647; Tue, 10 May 1994 17:00:26 GMT
Received: from pserv1.dot.state.az.us by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA08599; Tue, 10 May 1994 09:59:50 -0700
Received: by pserv1.dot.state.az.us (5.65c/1.921207) id AA16745; Tue, 10 May 1994 10:00:11 -0700
From: tom@pserv1.dot.state.az.us (TOM BRINK)
Message-Id: <199405101700.AA16745@pserv1.dot.state.az.us>
Subject: WF Traffic Filter
To: firewalls@greatcircle.com (Firewalls Mailing List)
Date: Tue, 10 May 94 10:00:06 MST
Reply-To: tom@pserv1.dot.state.az.us
X-Mailer: ELM [version 07.00.00.00 (2.3 PL11)]
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Whew!! When I got in today my mail box was FULL of responses to my offer for a WF firewall 'traffic filter'!

First my disclaimer, this is ONLY an example, no guarantees accompany this. Obviously I will not describe our configuration, but a simple example.

We are using v5.77 on the VME based routers. I assume the traffic filter would be similar on the 7.6, but I don't have any experience on this. These filters would be applied on the interface facing the Internet (or wherever one is firewalling). The following filters will block all TCP/UDP coming INBOUND on ports 0-24,26-1023 (covers well-known ports, allows SMTP inbound), and will allow _all_ TCP/UDP OUTBOUND.

Filter 1-
  Precedence                 : 1
  IP Dest (low)              : 0.0.0.0
  IP Dest (high)             : 255.255.255.255
  Effect                     : Match
  IP Source (low)            :
  IP Source (high)           :
  Effect                     : Ignore
  Protocol                   : UDP or TCP
  Action                     : Drop
  UDP/TCP Dest Port (low)    : 0
                    (high)   : 24
  Effect                     : Match
  UDP/TCP Source Port (low)  :
                      (high) :
  Effect                     : Ignore

Filter 2-
  Precedence                 : 1
  IP Dest (low)              : 0.0.0.0
  IP Dest (high)             : 255.255.255.255
  Effect                     : Match
  IP Source (low)            :
  IP Source (high)           :
  Effect                     : Ignore
  Protocol                   : UDP or TCP
  Action                     : Drop
  UDP/TCP Dest Port (low)    : 26
                    (high)   : 1023
  Effect                     : Match
  UDP/TCP Source Port (low)  :
                      (high) :
  Effect                     : Ignore

I am by no means an expert on writing filters (see disclaimer above). I would recommend any WF users to join the Wellfleet mailing list (wellfleet-l@nstn.ns.ca).

A couple of thoughts about this. One still needs to think about the ports 1024+, as NFS and other protocols are up there. Also, the major thing I do not like about router based firewalls is the lack of logging. If under attack, I want to know about it.

Your mileage will no doubt vary...

tom
--
Tom Brink
Technical Support Specialist
Computer Aided Engineering Section
Arizona Department of Transportation
tom@dot.state.az.us

From firewalls-owner Tue May 10 10:34:18 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA08524; Tue, 10 May 1994 16:52:55 GMT
Received: from Sun.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA08518; Tue, 10 May 1994 09:52:35 -0700
Received: from EBay.Sun.COM (female.EBay.Sun.COM) by Sun.COM (sun-barr.Sun.COM) id AA16737; Tue, 10 May 94 09:53:17 PDT
Received: from olympics.EBay.Sun.COM by EBay.Sun.COM (4.1(1/24/94)/SMI-4.1) id AA14832; Tue, 10 May 94 09:52:51 PDT
Received: by olympics.EBay.Sun.COM (4.1 1/7/93 /SMI-4.1a_olympics) id AA23054; Tue, 10 May 94 09:51:48 PDT
Date: Tue, 10 May 94 09:51:48 PDT
From: Brad.Powell@EBay.Sun.COM ( Brad Powell - Sun CIS)
Message-Id: <9405101651.AA23054@olympics.EBay.Sun.COM>
To: firewalls@GreatCircle.COM, clark@brahms.amd.com
Subject: Re: boxx (??) for AIX security??
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

It's pronounced/spelled " BoKS ". It is a product by Dynasoft Ltd. of Sweden. The U.S. distributor is Securix Inc. out of San Francisco. I can track down a phone number or contact for anyone interested.

The product does MainFrame-like access controls on a network. The granularity is at both the user as well as system level, thus, you can restrict userA to only be allowed to use ftp to systems D, E, and F. While userB can use rlogin *to* system "G" but not *out* of system "G". Some very interesting configuration/access control examples come to mind....

=======================================================================
Brad Powell : brad.powell@Sun.COM                |
Full Time: Sr. Network Security Analyst          | Part time: Cyberspace PI
ENS Network Security Group                       |            and Consultant
Sun Microsystems Inc.                            |
=======================================================================
The views expressed are those of the author and may not reflect the views of Sun Microsystems Inc.
=======================================================================

>From firewalls-owner@GreatCircle.COM Mon May 9 15:54:08 1994
>Subject: boxx (??) for AIX security??
>To: firewalls@GreatCircle.COM
>Date: Mon, 9 May 1994 14:40:24 -0700 (PDT)
>Mime-Version: 1.0
>Content-Type: text/plain; charset=US-ASCII
>Content-Transfer-Encoding: 7bit
>Precedence: bulk
>X-Lines: 28
>
>Fellow firewallers:
>
>I was asked by my management to put out a call for info on the following
>product:
>
>it's _pronounced_ "bochs", so I assume it's boxx or some-such thing...
>it is a security product for aix, and I guess we want to bring it in house,
>but before that we'd like to find out any user experiences/horror stories.
>
>I realize that this isn't firewall-specific, but since most of the Data
>Security Gurus either are active, hang about, or lurk occasionally, hope-
>fully I can get an answer back to Management.....
>
>eMail replies to the following, and I'll summarize if there's enuff
>interest.
>
>eMail to: clark@brahms.amd.com - or - brad.clark@amd.com
>
>Thanks in advance
>
>Brad Clark
>Data Security Administration
>Advanced Micro Devices
>1 AMD Place
>Sunnyvale, CA 94088
>(408)749-5192
>
>std.disclaimer
>

From firewalls-owner Tue May 10 17:52:29 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA09277; Tue, 10 May 1994 17:52:29 GMT
Received: from relay.tis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA09270; Tue, 10 May 1994 10:52:21 -0700
Received: by relay.tis.com id AA11946; Tue, 10 May 94 13:49:27 EDT
Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3mjr) id sma011940; Tue May 10 13:49:02 1994
Received: from otter.tis.com by tis.com (4.1/SUN-5.64) id AA04026; Tue, 10 May 94 13:48:16 EDT
Date: Tue, 10 May 94 13:48:16 EDT
From: Marcus J Ranum
Message-Id: <9405101748.AA04026@tis.com>
To: Firewalls@GreatCircle.COM, titan!gustavo@enuucp.eas.asu.edu
Subject: Re: MTA's used on firewalls
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> My curiosity spawns from the fact that the proxy agents for
>mail included in the TIS kit are geared towards sendmail. I am wondering
>(since I have not used them) if they may be SMTP compatible, or directly
>sendmail-only, and if anyone has used them with other MTA's

They're intended for use with sendmail but should work with just about any MTA that can read a message on its standard input, with a minimal amount of fiddling.

mjr.
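Going back to the two Wellfleet traffic filters Tom Brink posted earlier in this digest, here is a packet-level model of them (an added example, not Wellfleet code and not from Tom's post). It assumes that "Effect: Match" means the field must fall inside the given range and "Effect: Ignore" means the field is not consulted, applies the filters to inbound traffic only, and shows the consequence Tom points out: anything to a destination port of 1024 or above, NFS included, passes untouched. All packets are constructed.

```python
"""Packet-level model of the two Wellfleet 'traffic filters' posted in the
thread (drop inbound TCP/UDP to destination ports 0-24 and 26-1023, pass
everything else).  Added example, not Wellfleet code and not from the post.
Assumes 'Effect: Match' means the field must fall in range and 'Effect: Ignore'
means the field is skipped.  All packets below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PortRange = Tuple[int, int]  # inclusive (low, high), as on the router's filter form


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" (arriving from the Internet) or "outbound"
    proto: str       # "tcp" or "udp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class TrafficFilter:
    precedence: int
    protocols: Tuple[str, ...]
    action: str                           # "drop" or "accept"
    dst_port: Optional[PortRange] = None  # None means Effect: Ignore
    src_port: Optional[PortRange] = None  # None means Effect: Ignore

    def matches(self, pkt: Packet) -> bool:
        """Every field with Effect: Match must be in range; Ignore fields are skipped."""
        if pkt.proto not in self.protocols:
            return False
        if self.dst_port is not None and not (self.dst_port[0] <= pkt.dst_port <= self.dst_port[1]):
            return False
        if self.src_port is not None and not (self.src_port[0] <= pkt.src_port <= self.src_port[1]):
            return False
        return True


# Tom's two filters: IP source ignored, IP dest 0.0.0.0-255.255.255.255 (any host),
# so only protocol and destination port decide.  Port 25 (SMTP) is left open on purpose.
INBOUND_FILTERS: List[TrafficFilter] = [
    TrafficFilter(precedence=1, protocols=("tcp", "udp"), action="drop", dst_port=(0, 24)),
    TrafficFilter(precedence=1, protocols=("tcp", "udp"), action="drop", dst_port=(26, 1023)),
]


def evaluate(pkt: Packet, filters: List[TrafficFilter] = INBOUND_FILTERS) -> str:
    """Return 'drop' or 'accept' for a packet on the Internet-facing interface.
    The filters apply to inbound traffic only; outbound TCP/UDP is passed
    unconditionally, which is what the post says the configuration does."""
    if pkt.direction != "inbound":
        return "accept"
    for f in sorted(filters, key=lambda flt: flt.precedence):
        if f.matches(pkt):
            return f.action
    return "accept"  # nothing matched: the router forwards the packet


def inbound_port_report(ports: Tuple[int, ...], proto: str = "tcp") -> Dict[int, str]:
    """Which inbound destination ports the filter set still passes.  Ports >= 1024
    (NFS on 2049, X11 on 6000) come back 'accept', the gap Tom warns about."""
    return {p: evaluate(Packet("inbound", proto, 40000, p)) for p in ports}


if __name__ == "__main__":
    for port, verdict in inbound_port_report((23, 25, 111, 1023, 1024, 2049, 6000)).items():
        print(f"inbound tcp/{port}: {verdict}")
```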
From firewalls-owner Tue May 10 18:24:44 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id SAA09678; Tue, 10 May 1994 18:24:44 GMT
Received: from nacm.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id LAA09661; Tue, 10 May 1994 11:23:11 -0700
Received: from portmgr1.NACM.COM by nacm.com with SMTP id AA00614 (5.65c/IDA-1.4.4 for ); Tue, 10 May 1994 11:21:51 -0700
Received: by portmgr1.nacm.com (NX5.67d/NX3.0X) id AA07498; Tue, 10 May 94 11:21:51 -0700
Date: Tue, 10 May 1994 11:18:10 -0700 (PDT)
From: Barry Lustig
Subject: Re: Checkpoint FireWall-1 sanity check
To: firewalls@greatcircle.com
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

On Tue, 10 May 1994, Kevin Altis wrote:

> Anybody here familiar with the Checkpoint FireWall-1 product? I can post a
> press release if anyone is interested, but I just want to know if their
> "unique, patent pending technology" is just so much hot air.
>

I talked with one of their guys at their booth at Interop. He, unfortunately couldn't answer my question about the "patent pending" technology. He did say that they do all of their filtering in the kernel and that the filtering module can keep some amount of history for additional decision making. It comes with a pretty GUI and runs on a SparcClassic.

barry

From firewalls-owner Tue May 10 18:52:18 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id SAA09921; Tue, 10 May 1994 18:52:18 GMT
Received: from ibeam.intel.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id LAA09893; Tue, 10 May 1994 11:51:19 -0700
Received: from [134.134.208.67] by ibeam.intel.com with smtp (Smail3.1.28.1 #6) id m0q0wtX-0003UyC; Tue, 10 May 94 11:51 PDT
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 10 May 1994 11:54:06 -0800
To: firewalls@GreatCircle.COM
From: altis@ibeam.intel.com (Kevin Altis)
Subject: Requested Press Release for Checkpoint
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Apologies in advance! Several people asked me to go ahead and post this. I have no affiliation with this company, nor are we using this stuff, I just want to know what it really is. No flames please...

ka

---

CHECKPOINT INTRODUCES REVOLUTIONARY INTERNET ...
Friday, May 6, 1994

LAS VEGAS, May 6 -- Checkpoint Software Technologies Ltd. today announced the FireWall-1 Internet security software product. The Checkpoint FireWall-1 provides each user with full, transparent Internet connectivity while protecting the organization's network from Internet security risks.

Checkpoint Firewall-1 operates at the Internet gateway controlling all traffic across heterogeneous networks, implementing the organization's network-wide security policy. FireWall-1 inspects each packet using a unique, patent pending, packet filtering technology, which promptly blocks all unwanted communication attempts. FireWall-1 utilizes protocol-independent, application-level, packet filtering technology delivering unmatched connectivity with security. Using an intuitive object-oriented graphical user interface (GUI), the system defines, verifies, implements and enforces the organization's security policy.

Checkpoint FireWall-1 provides full and flexible control, detailed logging, and alerting capabilities. Installation and security policy setup or changes are performed in minutes.

Checkpoint FireWall-1 is the only Internet security solution to provide transparent access to ALL Internet services, such as FTP, Mosaic, Archie, TCP as well as UDP based services including RPCI without compromising security or degrading network performance.

Checkpoint FireWall-1 runs on any Sun Microsystems SPARC workstation or gateway, operating under SunOS 4.1.3 or Solaris 2.3 operating systems using X11R5 openlook GUI. SNMP client and agent support are included. Additional modules support automated access list generation and verification for routers and integration with enterprise-wide network management packages. Checkpoint FireWall-1 delivers full transparent Internet connectivity to any TCP/IP based client (PCs, Mac, Unixes, etc.)

Press contact Marius Nacht or Gil Shwed of Checkpoint Software Technologies, INTEROP BOOTH No. 2494, 800-429-4391, or David Blumberg, 415-346-4131, or Internet: infoCheckPoint.Com

From firewalls-owner Tue May 10 19:28:18 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA10274; Tue, 10 May 1994 19:28:18 GMT
Received: from erenj.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA10265; Tue, 10 May 1994 12:28:09 -0700
Posted-Date: Tue, 10 May 1994 15:28:52 -0400
From: bdboyle@maverick1.erenj.com (Bryan D. Boyle)
Message-Id: <9405101528.ZM14902@maverick1.erenj.com>
Date: Tue, 10 May 1994 15:28:52 -0400
In-Reply-To: Barry Lustig "Re: Checkpoint FireWall-1 sanity check" (May 10, 11:18am)
References:
X-Mailer: Z-Mail (2.1.0 10/1/92)
To: firewalls@GreatCircle.COM
Subject: Re: Checkpoint FireWall-1 sanity check
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

On May 10, 11:18am, Barry Lustig wrote:
> Subject: Re: Checkpoint FireWall-1 sanity check
>
> On Tue, 10 May 1994, Kevin Altis wrote:
>
> > Anybody here familiar with the Checkpoint FireWall-1 product? I can post a
> > press release if anyone is interested, but I just want to know if their
> > "unique, patent pending technology" is just so much hot air.
> >
>
> I talked with one of their guys at their booth at Interop. He,
> unfortunately couldn't answer my question about the "patent pending"
> technology. He did say that they do all of their filtering in the kernel
> and that the filtering module can keep some amount of history for
> additional decision making. It comes with a pretty GUI and runs on a
> SparcClassic.
>
>
> barry
>
>-- End of excerpt from Barry Lustig

You know, if you read Ches' and Bellovin's book, this package disturbs me on a stark level: all the pretty coding, GUIs, and so forth hide you from the probable complexity of the code. And complexity = problems.

The firewall is not a system that needs an interactive GUI display, load meters, and all the other hype displayed on a 17" color monitor. It is a system that sits in a demilitarized area, protecting your net from the world and vice versa. Its configuration is not an interactive, touchie-feelie, constant tweaking situation (or it shouldn't be, IM not-so-HO). It should be secure (and complexity adds a whole level of assurance that the code is NOT able to be fully vetted) and STABLE. SunOS/Solaris isn't, last I checked.
I had quite an involved discussion with these gentlemen over dinner (their booth at the show was shared by Global Enterprise Services (JvNCnet))-- concerning their view of firewalling in general, and their understanding of the work that had gone on over here (CheckPoint.com is headquartered in Israel, btw). They were unaware of much of the pioneering work done at AT&T, DEC, and TIS, and what the technology, as well as the uses of simple and manageable solutions without the overhead of all the fancy interfaces and the like... One thing that they didn't answer was my (admittedly baiting) question as to why anyone would want to block UDP packets across the firewall... IMO, they are not adding value to the discussion of firewalling in general, and certainly not contributing any added value (unless you want to keep a pretty display up on the screen with stop signs and green flags that tell you what the firewall is doing...). Invest in solid hardware and simple, easily configured software. Screw it down tight, and it will provide a real firewall instead of a filter (which is what they are selling: a GUI-based router filter...). Just my $.02 -- Bryan D. Boyle |Physical: ER&E, Clinton, NJ (908) 730-3338 #include |Virtual: bdboyle@erenj.com "If everyone is thinking alike, then someone isn't thinking." -Patton Pardon me, I'm lost, can you direct me to the information superhighway? 
From firewalls-owner Tue May 10 12:34:09 1994
Date: Tue, 10 May 94 14:23:16 CDT
From: jim@Tadpole.COM (Jim Thompson)
Message-Id: <9405101923.AA11647@tadpole>
To: barry@nacm.com, firewalls@GreatCircle.COM
Subject: Re: Checkpoint FireWall-1 sanity check

Interesting. If Firewall-1 gets a patent, I may be able to show prior art.

From firewalls-owner Tue May 10 12:44:12 1994
Date: Tue, 10 May 94 13:20:46 MDT
From: qjohnson@intellistor.com (Quentin Johnson)
Message-Id: <9405101920.AA01351@whizbang.Intellistor.COM>
To: firewalls@greatcircle.com
Subject: Re: Checkpoint FireWall-1 sanity check

altis@ibeam.jf.intel.com (Kevin Altis) writes:

>Anybody here familiar with the Checkpoint FireWall-1 product?

I picked up a glossy at Interop but didn't talk with them. I'm still waiting
for my call to be returned - seems like a very small company.

It seems that their product is meant to help control security on internal
hosts -- I sure wouldn't want to run it on a bastion host!

Quent

From firewalls-owner Tue May 10 19:48:58 1994
Date: Tue, 10 May 94 13:49:19 -0600
From: nick@dsd.es.com (Nick Nickerson)
Message-Id: <9405101949.AA27363@dsd.ES.COM>
To: info@CheckPoint.Com
Cc: firewalls@GreatCircle.COM, nick@dsd.es.com
Subject: Re: Press Release for Checkpoint
In-Reply-To: Your message of "Tue, 10 May 94 11:54:06 -0800."

Please send info.

+------------------------------------+------------------------------------+
| Nick Nickerson - (nick@dsd.es.com) | Experience is the worst teacher.   |
| Division Operations Manager - MIS  | It always gives the test first     |
| Evans & Sutherland Computer Corp.  | and the instruction afterward.     |
+------------------------------------+------------------------------------+

From firewalls-owner Tue May 10 13:34:10 1994
Date: Tue, 10 May 1994 15:19:32 -0500 (CDT)
From: Jack Mayo
Message-Id: <199405102019.PAA27870@ac.com>
Subject: Re: Checkpoint FireWall-1 sanity check
To: firewalls@GreatCircle.COM
In-Reply-To: <9405101920.AA01351@whizbang.Intellistor.COM> from "Quentin Johnson" at May 10, 94 01:20:46 pm

>
> altis@ibeam.jf.intel.com (Kevin Altis) writes:
>
> >Anybody here familiar with the Checkpoint FireWall-1 product?
>
> I picked up a glossy at Interop but didn't talk with them. I'm still
> waiting for my call to be returned - seems like a very small company.
>
> It seems that their product is meant to help control security on internal
> hosts -- I sure wouldn't want to run it on a bastion host!
>
> Quent

My boss picked up a glossy too and asked me to look into it. We run SOCKS and
part of the TIS toolkit (plug-gw), so I sent email to info@checkpoint.com
asking for clarification of the glossy and how the product compares with
SOCKS. The email I got in reply was the text of the marketing glossy
(verbatim), with the addendum "...I hope this also clarifies the difference
between CheckPoint FireWall-1 and socks...." The address on the email was
Boston, BTW.

Jack Mayo

From firewalls-owner Tue May 10 13:44:13 1994
Date: Tue, 10 May 1994 16:20:13 -0400
From: Rens Troost
Reply-To: rens@imsi.com
Message-Id: <9405102020.AA22716@lorax.imsi.com>
To: firewalls@greatcircle.com
Subject: Re: Requested Press Release for Checkpoint
In-Reply-To: Your message of "Tue, 10 May 1994 11:54:06 -0800."

>>>>> On Tue, 10 May 1994 11:54:06 -0800, altis@ibeam.jf.intel.com (Kevin Altis) said:

altis> Checkpoint Firewall-1 operates at the Internet gateway
altis> controlling all traffic across heterogeneous networks,
altis> implementing the organization's network-wide security policy.
altis> FireWall-1 inspects each packet using a unique, patent pending,
                                                       ^^^^^^^^^^^^^^
altis> packet filtering technology, which promptly blocks
altis> all unwanted communication attempts. FireWall-1 utilizes
altis> protocol-independent, application-level, packet filtering
altis> technology delivering unmatched connectivity with security.

I guess neither me nor my clients will be using this.

Also, I hope they are not infringing on ATTs patent on XOR cursors in their
GUI front end.

-Rens

From firewalls-owner Tue May 10 18:49:05 1994
Date: Tue, 10 May 94 19:13:50 MDT
From: qjohnson@intellistor.com (Quentin Johnson)
Message-Id: <9405110113.AA01637@whizbang.Intellistor.COM>
To: firewalls@greatcircle.com
Subject: Re: Checkpoint FireWall-1 sanity check

I spoke with someone at Checkpoint; they're about to publish a white paper.
I'll be interested in reading it but the idea of running X on my gateway still
disturbs me!

Quent

From firewalls-owner Wed May 11 06:26:33 1994
Date: Tue, 10 May 1994 23:26:25 -0700
From: Brent Chapman
Message-Id: <199405110626.XAA13396@mycroft.GreatCircle.COM>
To: ken@cameron.East.Sun.COM (Ken Harford - Network Architecture Consultant)
Cc: firewalls@GreatCircle.COM
Subject: Re: Cisco Filtering Addendum
In-Reply-To: Your message of Tue, 10 May 1994 10:43:04 +0500

ken@cameron.East.Sun.COM (Ken Harford - Network Architecture Consultant) writes:
#
# Hi All Again,
#
# I need to clarify a question that I raised about Cisco routers. I asked
# if Cisco products did port filtering, however I failed to focus my question on
# the particular filtering I was inquiring about "inbound source port filtering".

"Inbound filtering" and "source port filtering" are really two separate
things. The current Cisco code does inbound filtering (i.e., it lets you
filter packets on their way into the router, as well as on their way out), but
does NOT do source port filtering (i.e., it only lets you look at TCP/UDP
destination port, not source port, in making filtering decisions).

-Brent
--
Brent Chapman         | Great Circle Associates | Call or email for info about
Brent@GreatCircle.COM | 1057 West Dana Street   | upcoming Internet Security
+1 415 962 0841       | Mountain View, CA 94041 | Firewalls Tutorial dates

From firewalls-owner Wed May 11 12:44:29 1994
Date: Wed, 11 May 94 08:43:56 -0400
From: Frederick M Avolio
X-Organization: Trusted Information Systems, Inc.
Message-Id: <9405111243.AA04243@tis.com>
To: altis@ibeam.jf.intel.com (Kevin Altis)
Cc: firewalls@greatcircle.com
Subject: Re: Checkpoint FireWall-1 sanity check
In-Reply-To: Your message of Tue, 10 May 94 10:02:17 -0800.

It is slick. Filter based. Runs on Sun platforms. Cool management interface.
It is filtering.

Fred

From firewalls-owner Wed May 11 12:59:28 1994
Date: Wed, 11 May 94 08:58:55 -0400
From: Frederick M Avolio
X-Organization: Trusted Information Systems, Inc.
Message-Id: <9405111259.AA05073@tis.com>
To: bdboyle@maverick1.erenj.com (Bryan D. Boyle)
Cc: firewalls@greatcircle.com
Subject: Re: Checkpoint FireWall-1 sanity check
In-Reply-To: Your message of Tue, 10 May 94 15:28:52 -0400. <9405101528.ZM14902@maverick1.erenj.com>

It is possible, Bryan, that you spoke with the wrong guy. Check Point did not
have all of their people at Interop. The people we've talked to seem pretty
clueful. I'm not selling their stuff, here. I have stuff of my own to sell.
:-) But, the complexity of the management interface probably should not be
considered part of the equation. Or maybe it should but it should be pointed
out that it might serve to CLARIFY things rather than make things more
complex. Complexity in management of security procedures and practices also
is counter to good security.

I haven't looked at their code. It employs filtering and philosophically I
(we, TIS -- and smb and ches for that matter and others) don't want to trust
filtering alone; I don't want to have to have direct connections between the
outside and the inside. But that is a philosophy that some (:-)) on this list
disagree with.

> You know, if you read Ches' and Bellovin's book, this package disturbs me on
> a stark level: all the pretty coding, GUIs, and so forth hide you from the
> probable complexity of the code. And complexity = problems.
>
> The firewall is not a system that needs an interactive GUI display, load
> meters, and all the other hype displayed on a 17' color monitor. It is
> a system that sits in a demilitarized area, protecting your net from the
> world and vice versa. Its configuration is not an interactive, touchie-
> feelie, constant tweaking situation (or it shouldn't be, IM not-so-HO).
> It should be secure (and complexity adds a whole level of assurance that
> the code is NOT able to be fully vetted) and STABLE. SunOS/Solaris isn't,
> last I checked.
>
> I had quite an involved discussion with these gentlemen over dinner (their
> booth at the show was shared by Global Enterprise Services (JvNCnet))--
> concerning their view of firewalling in general, and their understanding of
> the work that had gone on over here (CheckPoint.com is headquartered in
> Israel, btw). They were unaware of much of the pioneering work done
> at AT&T, DEC, and TIS, and what the technology, as well as the uses of
> simple and manageable solutions without the overhead of all the fancy
> interfaces and the like...
>
> One thing that they didn't answer was my (admittedly baiting) question as
> to why anyone would want to block UDP packets across the firewall...
>
> IMO, they are not adding value to the discussion of firewalling in general,
> and certainly not contributing any added value (unless you want to keep a
> pretty display up on the screen with stop signs and green flags that tell
> you what the firewall is doing...). Invest in solid hardware and simple,
> easily configured software. Screw it down tight, and it will provide a
> real firewall instead of a filter (which is what they are selling: a GUI-based
> router filter...).
>
> Just my $.02
>
> --
> Bryan D. Boyle |Physical: ER&E, Clinton, NJ (908) 730-3338
> #include |Virtual: bdboyle@erenj.com
> "If everyone is thinking alike, then someone isn't thinking." -Patton
> Pardon me, I'm lost, can you direct me to the information superhighway?

From firewalls-owner Wed May 11 13:50:29 1994
Date: Wed, 11 May 1994 16:49:28 +0300
From: "Jonathan B. Horen"
Message-Id: <199405111349.AA19208@applicom.co.il>
To: firewalls@greatcircle.com
Subject: Re: Checkpoint FireWall-1 sanity check

> You know, if you read Ches' and Bellovin's book, this package disturbs me on
> a stark level: all the pretty coding, GUIs, and so forth hide you from the
> probable complexity of the code. And complexity = problems.

The GUI is exceedingly clear and straightforward. I am not concerned about
"complexity of [the] code", probable or otherwise. I AM quite concerned,
however, about controlling who accesses our corporate network, from where, to
do what, etc., etc.

I have been using CheckPoint Software's FireWall-1 product, as a beta-tester,
for more than half-a-year now. When I initially set-up our firewall, I used a
combination of Wietse Venema's tcpd-wrapper and Marcus J. Ranum's FireWall
ToolKit. They worked well, but tcpd-wrapper was difficult to maintain in a
heterogeneous environment (Sun, AIX, HPUX, PC), across an ever-growing number
of hosts (yes, complexity DOES = problems :)

> The firewall is not a system that needs an interactive GUI display, load
> meters, and all the other hype displayed on a 17' color monitor. It is
> a system that sits in a demilitarized area, protecting your net from the
> world and vice versa. Its configuration is not an interactive, touchie-
> feelie, constant tweaking situation (or it shouldn't be, IM not-so-HO).
> It should be secure (and complexity adds a whole level of assurance that
> the code is NOT able to be fully vetted) and STABLE. SunOS/Solaris isn't,
> last I checked.

A firewall needs *exactly* what it needs to enable its configurer(s)/
maintainer(s) to provide for its "care-and-feeding" -- not that FireWall-1 has
any "load meters... [or] all the other hype...".

My job is to administer our corporate system/network, to work with my
employer's department/project heads and plan for the system/network's near-
and long-term growth, and to provide (within the constraints of my humanness)
realtime user-support. CheckPoint Software's FireWall-1 helps me to do that.
Period.

I have to add/(re)move hosts on a regular basis; I have to allow access from
external hosts at an ever-growing number of external (local and
international) sites with whom we are involved in the joint-development of
software projects, and for whose products (Informix, for one) we are the sole
Israeli representative; I have to allow access from external hosts to an
ever-growing number of employees who are also external users, who want to
log-in from their accounts at Israeli universities, as well as from customer
sites; and so-on and so-forth... This is a perfectly normal situation in a
commercial environment, and it is my job to make sure that even on such a
large drum as this one the lid stays screwed-down tight. CheckPoint Software's
FireWall-1 helps me to do that. Period.

I also use the tn-/ftp-/rlogin-gw clients from TIS's FireWall ToolKit, and
would like it *very* much if it was integrated via the GUI with FireWall-1...
However; FireWall-1 *does* have a command-line interface, and from it I can
(and do -- especially when logged-in from home and working on my VT220) do
everything that I do from its GUI (with the exception of filtering the logfile
output).

I run it on our firewall -- a Sun SPARCstation 1+ w/24MB RAM and a monochrome
monitor -- and using both source- and source-/destination- packet filtering I
have suffered no throughput problems.

> I had quite an involved discussion with these gentlemen over dinner (their
> booth at the show was shared by Global Enterprise Services (JvNCnet))--
> concerning their view of firewalling in general, and their understanding of
> the work that had gone on over here (CheckPoint.com is headquartered in
> Israel, btw). They were unaware of much of the pioneering work done
> at AT&T, DEC, and TIS, and what the technology, as well as the uses of
> simple and manageable solutions without the overhead of all the fancy
> interfaces and the like...

Now, perhaps, you are aware of one part of the continuing work done over here
(CheckPoint Software *is* headquartered in Israel, together with Intel's
386/486 development center, among other departments...)

> One thing that they didn't answer was my (admittedly baiting) question as
> to why anyone would want to block UDP packets across the firewall...

Well, if keeping score, and if (master)baiting is your thing, then that's
great.

> IMO, they are not adding value to the discussion of firewalling in general,
> and certainly not contributing any added value (unless you want to keep a
> pretty display up on the screen with stop signs and green flags that tell
> you what the firewall is doing...). Invest in solid hardware and simple,
> easily configured software. Screw it down tight, and it will provide a
> real firewall instead of a filter (which is what they are selling: a GUI-
> based router filter...).

Perhaps not to the "discussion", but to the "real-life stories of honest,
working-class sys/network admins" they add *plenty* of value. FireWall-1 has
been in daily use not only at our site, but also (for the same half-year) at
Motorola's center here in Tel-Aviv (with over 300 Unix hosts), at Tadiran
(similar setup), at Sun's Israeli center, and at numerous other small- and
middle-sized operations. I know this, 'cuz I am in daily contact with the
sys/network admins at these sites.

Uh-h-h, no -- they are selling a kernel-based router-filter, which happens to
include one helluva user-friendly GUI-based rule-editor.

You write "...Invest in solid hardware and simple, easily configured
software." Well, that's *exactly* what we (and others) have done, by
purchasing and installing FireWall-1.

Your opinion is just that, and no more. For facts, ask the men (and women) who
own/drive/smoke one.

---------------------------horen@applicom.co.il---------------------------
Jonathan B. Horen
Sr. System Administrator
Applicom Systems, Ltd.

From firewalls-owner Wed May 11 14:53:48 1994
Date: Wed, 11 May 1994 08:56:23 -0700
From: Matt McConnell
Message-Id: <9405110856.AA23448@MattsMac.compat>
To: Firewalls@GreatCircle.COM
Subject: Re: Checkpoint FireWall-1 sanity check

>
> Your opinion is just that, and no more. For facts, ask the men (and
> women) who own/drive/smoke one.
>

Boy I hate it when someone who actually knows something butts in and ruins
some good idle speculation based on hearsay and a one page data sheet...

Matt McConnell
matt@Compatible.COM

From firewalls-owner Wed May 11 15:27:48 1994
Date: Wed, 11 May 1994 10:25:41 +0600
From: z056716@uprc.com (LaCoursiere J. D. (Jeff))
Message-Id: <9405111525.AA05093@cygnus.uprc.com>
To: Firewalls@GreatCircle.COM
Subject: Re: Checkpoint FireWall-1 sanity check

>
> >
> > Your opinion is just that, and no more. For facts, ask the men (and
> > women) who own/drive/smoke one.
> >
>
> Boy I hate it when someone who actually knows something butts in and ruins
> some good idle speculation based on hearsay and a one page data sheet...
>

No one has actually discussed the implications of the GUI running on the
firewall and what dangers it may represent, if any?

Have all the listening ports been plugged?

Do they export the GUI front end to client machines?

I won't pretend to be an experienced cracker, but I have heard that X has
many security implications to consider - can anyone expand on this?

Jeff LaCoursiere
Network Admin
UPRC
Ft. Worth, TX

From firewalls-owner Wed May 11 15:42:51 1994
Date: Wed, 11 May 1994 11:43:37 -0400 (EDT)
From: Peter von Zirpolo
Subject: Firewall Configurations
To: Firewalls@GreatCircle.COM

I've been going through the TIS Toolkit documentation and am having some
difficulty understanding (and thus explaining to management) the differences
between the Screened Host and Screened Subnet approaches.

Could someone please try to clear this up for me beyond what's presented in
the documentation in regards to the advantages/disadvantages to each.

Thanks,

Peter von Zirpolo
Boston, MA

From firewalls-owner Wed May 11 15:53:24 1994
Date: Wed, 11 May 94 11:53:43 EDT
From: wegrzyn@LightStream.COM (Chuck Wegrzyn)
Message-Id: <9405111553.AA25912@netman.LightStream.COM>
To: Firewalls@GreatCircle.com
Subject: Checkpoint's Firewall-1

My only problem with Checkpoint's stuff is one of philosophy. I guess I
believe in the Axioms and Theorems stated in Cheswick & Bellovin:

    "Exposed machines should run as few programs as possible; the ones
    that are run should be as small as possible."

By adding more code to the Sun, it seems to be the contra-positive of this
theorem. That worries me ... I've seen too many large systems have all types
of traps in them to feel comfortable about the Checkpoint system.

But, that is just my hesitation and thoughts.

Chuck Wegrzyn.
From firewalls-owner Wed May 11 16:25:37 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA16915; Wed, 11 May 1994 16:25:37 GMT Received: from issi.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA16888; Wed, 11 May 1994 09:25:05 -0700 Received: from xyzzy.issi.com (xyzzy-bb.issi.com) by issi.com (4.1/3.1.012693-ISSI); id AA00788 for Firewalls@greatcircle.com; Wed, 11 May 94 11:25:41 CDT Received: by xyzzy.issi.com (4.1/server.1.1) id AA02657; Wed, 11 May 94 11:25:39 CDT Date: Wed, 11 May 94 11:25:39 CDT From: rg@issi.com (Ron Gilmer) Message-Id: <9405111625.AA02657@xyzzy.issi.com> To: pvz@world.std.com Subject: Re: Firewall Configurations Cc: Firewalls@greatcircle.com Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > From postmaster Wed May 11 10:58:52 1994 > Date: Wed, 11 May 1994 11:43:37 -0400 (EDT) > From: Peter von Zirpolo > Subject: Firewall Configurations > To: Firewalls@greatcircle.com > Mime-Version: 1.0 > Content-Type > : > TEXT/PLAIN > ; > charset=US-ASCII > > Sender: Firewalls-Owner@greatcircle.com > Content-Length: 396 > > > I've been going through the TIS Toolkit documentation and am having some > difficulty understanding (And thus explaining to management) the differences > between the Screened Host and Screened Subnet approaches. > > Could someone please try to clear this up for me beyond what's presented in > the documentation in regards to the advantages/disadvantages to each. > > Thanks, > > Peter von Zirpolo > Boston, MA > One advantage I like is being able to have a public access server on the screened subnet separate from my bastion host and on the opposite side of the gateway host from my internal machines. This machine handles WWW, FTP, Gopher, and whatever else you might want to make public. I can let the internal and the external users see the public access server, but restrict access back into my internal systems. 
If for some reason a system(s) becomes compromised on the Screened Subnet, I am still (somewhat) protected internally by my Gateway Host. I like it and so does Mikey....

-rg-

                         Internet
                        ---------
                        |       |
                        |       |
                        ---------
                            |
                            | Bastion Host
                        ---------
                        |       |
                        |       |
                        ---------
                            |
                            | Screened Subnet (Less-Trusted Public Backbone)
  ============================================================
           |                                  |
           |                                  |
   Public Access Server                  Gateway Host
        ---------                          ---------
        |       |                          |       |
        |       |                          |       |
        ---------                          ---------
                                               |
                                               | Company Backbone (Trusted)
  =============================================================

From firewalls-owner Wed May 11 17:11:14 1994
Return-Path: 
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA17347; Wed, 11 May 1994 17:11:14 GMT
Received: from sgi1.phlab.missouri.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA17335; Wed, 11 May 1994 10:11:04 -0700
Received: from sgi5.phlab.missouri.edu (sgi5.phlab.missouri.edu [128.206.115.35]) by sgi1.phlab.missouri.edu (8.6.8.1/8.6.6) with SMTP id MAA12119; Wed, 11 May 1994 12:12:07 -0500
Received: by sgi5.phlab.missouri.edu (931110.SGI/931108.SGI.AUTO.ANONFTP) for @sgi1.phlab.missouri.edu:Firewalls@GreatCircle.COM id AA02863; Wed, 11 May 94 12:12:05 -0500
Date: Wed, 11 May 1994 12:12:02 -0500 (CDT)
From: Justin Bhansali
Subject: Re: Checkpoint FireWall-1 sanity check
To: "LaCoursiere J. D."
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <9405111525.AA05093@cygnus.uprc.com>
Message-Id: 
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

On Wed, 11 May 1994, LaCoursiere J. D. wrote:

> 
> No one has actually discussed the implications of the GUI running on the
> firewall and what dangers it may represent, if any?
> 
> Have all the listening ports been plugged?
> 
> Do they export the GUI front end to client machines?
> 
> I won't pretend to be an experienced cracker, but I have heard
> that X has many security implications to consider - can anyone
> expand on this?
> 

Two primary holes exist in X. (and they aren't really holes)

1) Intercepting keystrokes from the keyboard
2) Viewing another user's window.

A Firewall should fix both.

From firewalls-owner Wed May 11 17:20:38 1994
Return-Path: 
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA17450; Wed, 11 May 1994 17:20:38 GMT
Received: from clavin.uprc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA17443; Wed, 11 May 1994 10:20:03 -0700
Received: from cygnus.uprc.com by clavin.uprc.com (4.1/3.2.012693-Union Pacific Resources Company); id AA25785 for Firewalls@GreatCircle.COM; Wed, 11 May 94 12:18:50 CDT
Received: by cygnus.uprc.com (5.0/SMI-SVR4) id AA05787; Wed, 11 May 1994 12:18:46 +0600
Date: Wed, 11 May 1994 12:18:46 +0600
From: z056716@uprc.com (LaCoursiere J. D. (Jeff))
Message-Id: <9405111718.AA05787@cygnus.uprc.com>
To: z056716@clavin.uprc.com, c626544@sgi5.phlab.missouri.edu
Subject: Re: Checkpoint FireWall-1 sanity check
Cc: Firewalls@GreatCircle.COM
X-Sun-Charset: US-ASCII
Content-Length: 946
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> > 
> > No one has actually discussed the implications of the GUI running on the
> > firewall and what dangers it may represent, if any?
> > 
> > Have all the listening ports been plugged?
> > 
> > Do they export the GUI front end to client machines?
> > 
> > I won't pretend to be an experienced cracker, but I have heard
> > that X has many security implications to consider - can anyone
> > expand on this?
> > 
> 
> Two primary holes exist in X. (and they aren't really holes)
> 
> 1) Intercepting keystrokes from the keyboard
> 2) Viewing another user's window.
> 
> A Firewall should fix both.
> 

Again, we are talking about this RUNNING on the firewall.
Looking at it from the cracker perspective, what would be a weakness to exploit if a firewall was known to be running X? Perhaps forge X packets and run a "lookalike" of the GUI for the unsuspecting admin to type away at?

Jeff LaCoursiere
Network Admin
UPRC
Ft. Worth, TX

From firewalls-owner Wed May 11 17:36:19 1994
Return-Path: 
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA17600; Wed, 11 May 1994 17:36:19 GMT
Received: from relay3.UU.NET by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA17589; Wed, 11 May 1994 10:36:05 -0700
Received: from uucp2.uu.net by relay3.UU.NET with SMTP (5.61/UUNET-internet-primary) id AA11537; Wed, 11 May 94 13:36:49 -0400
Received: from uworld.UUCP by uucp2.uu.net with UUCP/RMAIL ; Wed, 11 May 1994 13:36:47 -0400
Reply-To: crow!rik@uunet.UU.NET
Received: by crow.spirit.com (4.1/SMI-4.1) id AA06594; Wed, 11 May 94 09:09:08 MST
Date: Wed, 11 May 94 09:09:08 MST
From: crow!rik@uunet.UU.NET (Rik Farrow 602 282 0242 MST)
Message-Id: <9405111609.AA06594@crow.spirit.com>
To: Firewalls@GreatCircle.COM
Subject: Re: Checkpoint FireWall-1 sanity chec
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I also looked at the CheckPoint product at InterOp. For people capable of "rolling-their-own" firewalls, this product is NOT interesting, especially for the given price ($20,000 for a binder and a diskette with the software). It will also run on SunOS 4.1.2, they told me.

For those who are not net-experts, this provides an easy-to-use solution. It is a dual-homed host approach, capturing packets just above the device driver level--avoiding passing data between kernel space and user space as with the screend approach. The GUI lets the administrator create filters based on services while taking care of much of the complexity. And the filters DO examine packets at the application layer.
With FTP, for example, when an internal client makes a PORT request to an external server, FireWall remembers the PORT request, and dynamically makes an opening for the incoming data connection coming from the specific server to the particular port on the client. You can also configure it to permit a client to get, but not put, so outgoing ftp transfers can be prohibited. They offer other dynamic filter features for other applications, including some RPC services, where the window for the reply automatically times out. New filters can be added using a text-based configuration language. I'm sorry, but I don't remember how they deal with logging.

The CheckPoint solution is in the same class as ANS Interlock--but provides more control for the product's owner. It is also in the same price range. ANS, a few booths over, claim to have a software only product under development (their RS/6000-based system goes for $18k to $25 A YEAR, depending on configuration).

Neosoft was demonstrating in the BSDI booth. Another kernel-based solution, they plan to move it to other platforms when they get through the legal barriers involved in getting "a tiny piece of kernel source". It uses a plaintext config file (TCL-like), which gets compiled, to permit or deny routing of packets between interfaces. Source address, source port, destination address and port. Everything can be logged, rules apply to both TCP and UDP. The rules get compiled into the kernel for performance reasons. info@neosoft.com, 1 800 438-6367, 713 684 5922 FAX. NeoSoft is also an Internet access provider, and they created this for their own customers. The firewall software costs $995.
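As an added example (not code from FireWall-1, NeoSoft, or the TIS toolkit), the following Python models the two filtering ideas in this thread: the screened-subnet policy from Ron Gilmer's diagram (public access server visible from both sides, nothing from the screened subnet back into the company backbone) and the dynamic FTP PORT handling Rik Farrow describes above. Network addresses, the rule format, the one-connection-per-PORT behaviour and the 60-second pinhole lifetime are assumptions made up for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple
import re


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    payload: bytes = b""  # first bytes of the segment, for control-channel inspection
    syn: bool = False     # True for a new TCP connection attempt


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # CIDR network
    dst: str
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


# Constructed policy for the screened-subnet layout: internal net 10.0.0.0/8,
# screened subnet 192.0.2.0/24 with the public access server at 192.0.2.10.
# First match wins; anything unmatched is denied.
GATEWAY_RULES: List[Rule] = [
    Rule("permit", "10.0.0.0/8", "192.0.2.10"),            # internal users see the public server
    Rule("permit", "0.0.0.0/0", "192.0.2.10", "tcp", 80),  # external users see WWW on it
    Rule("permit", "10.0.0.0/8", "0.0.0.0/0", "tcp", 21),  # outgoing FTP control channel
    Rule("deny", "192.0.2.0/24", "10.0.0.0/8"),            # nothing from the subnet back inside
]

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n")


class StatefulFilter:
    def __init__(self, rules: List[Rule], allow_put: bool = False, pinhole_ttl: float = 60.0):
        self.rules = rules
        self.allow_put = allow_put   # "permit a client to get, but not put"
        self.ttl = pinhole_ttl       # the opening "automatically times out" (assumed 60 s)
        self.pinholes: Dict[Tuple[str, str, int], float] = {}  # (server, client, port) -> expiry

    def _static(self, p: Packet) -> bool:
        for r in self.rules:
            if r.matches(p):
                return r.action == "permit"
        return False

    def decide(self, p: Packet, now: float) -> bool:
        self.pinholes = {k: t for k, t in self.pinholes.items() if t > now}  # drop expired
        key = (p.src, p.dst, p.dport)
        # Expected inbound data connection: exact server, exact client port, one use only.
        if p.proto == "tcp" and p.syn and key in self.pinholes:
            del self.pinholes[key]
            return True
        if not self._static(p):
            return False
        if p.proto == "tcp" and p.dport == 21:
            if not self.allow_put and p.payload.upper().startswith(b"STOR"):
                return False             # uploads to the outside are blocked
            m = PORT_RE.match(p.payload)
            if m:
                host = ".".join(m.group(i).decode() for i in range(1, 5))
                port = int(m.group(5)) * 256 + int(m.group(6))
                # Only honour a PORT that names the client itself; a PORT aimed at a
                # third host must not open a pinhole towards somewhere else.
                if host == p.src:
                    self.pinholes[(p.dst, host, port)] = now + self.ttl
        return True


def demo() -> Dict[str, bool]:
    """Walk the constructed scenarios; returns the filter's decision for each."""
    f = StatefulFilter(GATEWAY_RULES)
    now = 1000.0
    client, server, public = "10.1.1.5", "198.51.100.7", "192.0.2.10"
    out = {}
    out["internal_to_public_www"] = f.decide(Packet(client, public, "tcp", 80, syn=True), now)
    out["subnet_back_into_internal"] = f.decide(Packet(public, client, "tcp", 23, syn=True), now)
    out["unsolicited_inbound"] = f.decide(Packet(server, client, "tcp", 1025, syn=True), now)
    # The client announces its data port 4*256+1 = 1025 on the control channel.
    out["port_command"] = f.decide(Packet(client, server, "tcp", 21, b"PORT 10,1,1,5,4,1\r\n"), now)
    out["data_after_port"] = f.decide(Packet(server, client, "tcp", 1025, syn=True), now + 1)
    out["second_data_conn"] = f.decide(Packet(server, client, "tcp", 1025, syn=True), now + 2)
    out["retr_allowed"] = f.decide(Packet(client, server, "tcp", 21, b"RETR readme.txt\r\n"), now)
    out["stor_blocked"] = f.decide(Packet(client, server, "tcp", 21, b"STOR secrets.txt\r\n"), now)
    f.decide(Packet(client, server, "tcp", 21, b"PORT 10,1,1,5,4,1\r\n"), now + 10)
    out["data_after_timeout"] = f.decide(Packet(server, client, "tcp", 1025, syn=True), now + 71)
    return out
```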
Rik Farrow
rik@uworld.com

From firewalls-owner Wed May 11 11:59:49 1994
Return-Path: 
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA17636; Wed, 11 May 1994 17:39:08 GMT
Received: from relay.tis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA17630; Wed, 11 May 1994 10:38:59 -0700
Received: by relay.tis.com id AA18487; Wed, 11 May 94 13:39:48 EDT
Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3mjr) id sma018485; Wed May 11 13:39:47 1994
Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA26306; Wed, 11 May 94 13:39:00 EDT
Message-Id: <9405111739.AA26306@tis.com>
From: Frederick M Avolio
X-Organization: Trusted Information Systems, Inc.
X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363
To: Peter von Zirpolo
Cc: Firewalls@greatcircle.com
Subject: Re: Firewall Configurations
In-Reply-To: Your message of Wed, 11 May 94 11:43:37 -0400.
Date: Wed, 11 May 94 13:38:59 -0400
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Functionally and logically, all three configurations -- screened host, screened subnet, and dual homed -- are the same. A dual-homed gateway is somewhat easier to *see* as is a screened subnet. A screened subnet allows expansion. We often recommend starting with a dual-homed gateway with the idea of expanding to a screened subnet if required (to split up services, etc.).
Fred
From firewalls-owner Wed May 11 19:22:30 1994
Return-Path: 
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA18522; Wed, 11 May 1994 19:22:30 GMT
Received: from sgi1.phlab.missouri.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA18516; Wed, 11 May 1994 12:22:18 -0700
Received: from sgi9.phlab.missouri.edu (sgi9.phlab.missouri.edu [128.206.115.39]) by sgi1.phlab.missouri.edu (8.6.8.1/8.6.6) with SMTP id OAA13768; Wed, 11 May 1994 14:23:15 -0500
Received: by sgi9.phlab.missouri.edu (931110.SGI/931108.SGI.AUTO.ANONFTP) for @sgi1.phlab.missouri.edu:firewalls@greatcircle.com id AA01038; Wed, 11 May 94 14:23:10 -0500
Date: Wed, 11 May 1994 14:23:05 -0500 (CDT)
From: Justin Bhansali
Subject: Re: Checkpoint FireWall-1 sanity check
To: Adam Shostack
Cc: firewalls@greatcircle.com
In-Reply-To: <199405111821.OAA07583@spl.bwh.harvard.edu>
Message-Id: 
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

On Wed, 11 May 1994, Adam Shostack wrote:

> Justin Bhansali wrote:
> 
> | Two primary holes exist in X. (and they aren't really holes)
> | 
> | 1) Intercepting keystrokes from the keyboard
> | 2) Viewing another user's window.
> 
> 	I'm not sure what you mean by saying "these aren't really
> holes," but in any event, a hacker can also take control of your mouse
> and keyboard if things are not well configured, and cause arbitrary
> events to happen on your machine.

I mean "xhost -" fixes that problem. And proper use of xhost will prevent most crackers from abusing your X server. At least, unless they have cracked security on the X client. This is what I mean by "not really holes".

> 
> 	Thus, if ports in the area of 600* aren't well covered, a
> remote user might be able to exploit the use of X in the product to
> cause certain mouse actions, keypresses &c in ways you do not want to
> occur.
I was under the impression that xhost - prevents control of the keyboard, mouse or terminal, and prevents intercepting keystrokes, mouse movements, and the display.

> 
> 	I am not saying that this is a hole in Checkpoint, but a hole
> in X that Checkpoint may or may not protect itself against properly.
> Now if the product used Curses or termcap instead of X, this
> vulnerability would not exist in the same fashion.
> 

There's only so much that any firewall can do. Preventing outside access to the machines behind the firewall solves the above problem. But on the firewall itself, there needs to be a good amount of X security already. If the firewall machine isn't very secure, then neither will any of the machines behind it.
Fred

From firewalls-owner Wed May 11 12:49:10 1994
Return-Path: 
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA17693; Wed, 11 May 1994 17:47:16 GMT
Received: from relay.tis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA17686; Wed, 11 May 1994 10:46:55 -0700
Received: by relay.tis.com id AA18559; Wed, 11 May 94 13:47:50 EDT
Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3mjr) id sma018553; Wed May 11 13:47:23 1994
Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA26883; Wed, 11 May 94 13:46:36 EDT
Message-Id: <9405111746.AA26883@tis.com>
From: Frederick M Avolio
X-Organization: Trusted Information Systems, Inc.
X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363
To: Justin Bhansali
Cc: "LaCoursiere J. D." , Firewalls@greatcircle.com
Subject: Re: Checkpoint FireWall-1 sanity check
In-Reply-To: Your message of Wed, 11 May 94 12:12:02 -0500.
Date: Wed, 11 May 94 13:46:34 -0400
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> Two primary holes exist in X. (and they aren't really holes)
> 
> 1) Intercepting keystrokes from the keyboard
> 2) Viewing another user's window.
> 
> A Firewall should fix both.

If you mean a firewall *should* fix this, I agree. Many firewalls do not. Especially since 1 and 2 can be combined to say "allowing total access from a foreign machine -- for any process that can use X to a workstation -- to a workstation's keyboard, screen, and screen memory." That's all. Someone on another host could just send keystrokes to your workstation on your behalf. Oh, and mouse events too.
:-)
From firewalls-owner Wed May 11 20:26:20 1994
Return-Path: 
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA18950; Wed, 11 May 1994 20:26:20 GMT
Received: from VNET.IBM.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA18944; Wed, 11 May 1994 13:26:11 -0700
Message-Id: <199405112026.NAA18944@mycroft.GreatCircle.COM>
Received: from RHQVM19 by VNET.IBM.COM (IBM VM SMTP V2R2) with BSMTP id 1049; Wed, 11 May 94 16:25:55 EDT
X-Mailer: IPERNOTE 5.00m
Date: Wed, 11 May 94 16:26:45 EDT
From: "Matthew R. Ganis (914) 684-4575"
To: firewalls@greatcircle.com
Subject: DNS on a dual-homed host
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

What exposures are there in running named on a dual-homed gateway (ip forwarding turned off, etc, etc) given that the named.boot records only point to the root nameservers (ie, this named has no authority records). Is there any known attack or any major risk here?
Matt Ganis (ganis@vnet.ibm.com)

From firewalls-owner Wed May 11 20:31:07 1994
Return-Path: 
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA18986; Wed, 11 May 1994 20:31:07 GMT
Received: from tadpole by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA18980; Wed, 11 May 1994 13:30:55 -0700
Received: from ribit.tadpole.com by tadpole (4.1/SMI-4.1-jim) id AA24219; Wed, 11 May 94 15:31:19 CDT
Date: Wed, 11 May 94 15:31:19 CDT
From: jim@Tadpole.COM (Jim Thompson)
Message-Id: <9405112031.AA24219@tadpole>
To: Firewalls@GreatCircle.COM, crow!rik@uunet.uu.net
Subject: Re: Checkpoint FireWall-1 sanity chec
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

The Smallworks "NETGATE" software firewall is $1500 (binary) and $5000 (source!). From the descriptions, it is most like the Netsoft router.

Jim

From firewalls-owner Wed May 11 13:49:08 1994
Return-Path: 
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id SAA18137; Wed, 11 May 1994 18:21:19 GMT
Received: from bwh.harvard.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id LAA18131; Wed, 11 May 1994 11:21:07 -0700
Received: from spl.bwh.harvard.edu (spl.bwh.harvard.edu [134.174.81.53]) by bwh.harvard.edu (8.6.4/8.6.4) with ESMTP id OAA22706; Wed, 11 May 1994 14:21:20 -0400
From: Adam Shostack
Received: from localhost by spl.bwh.harvard.edu (8.6.4) id OAA07583; Wed, 11 May 1994 14:21:16 -0400
Message-Id: <199405111821.OAA07583@spl.bwh.harvard.edu>
Subject: Re: Checkpoint FireWall-1 sanity check
To: c626544@sgi5.phlab.missouri.edu (Justin Bhansali)
Date: Wed, 11 May 94 14:21:15 EDT
Cc: firewalls@greatcircle.com
In-Reply-To: ; from "Justin Bhansali" at May 11, 94 12:12 pm
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Justin Bhansali wrote:

| Two primary holes exist in X. (and they aren't really holes)
| 
| 1) Intercepting keystrokes from the keyboard
| 2) Viewing another user's window.
	I'm not sure what you mean by saying "these aren't really holes," but in any event, a hacker can also take control of your mouse and keyboard if things are not well configured, and cause arbitrary events to happen on your machine.

	Thus, if ports in the area of 600* aren't well covered, a remote user might be able to exploit the use of X in the product to cause certain mouse actions, keypresses &c in ways you do not want to occur.

	I am not saying that this is a hole in Checkpoint, but a hole in X that Checkpoint may or may not protect itself against properly. Now if the product used Curses or termcap instead of X, this vulnerability would not exist in the same fashion.

Adam

-- 
Adam Shostack					adam@bwh.harvard.edu

Politics. From the greek "poly," meaning many, and ticks, a small, annoying bloodsucker.
From firewalls-owner Wed May 11 14:05:05 1994
Return-Path: 
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id SAA18067; Wed, 11 May 1994 18:16:04 GMT
Received: from ttown.apci.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id LAA18058; Wed, 11 May 1994 11:15:48 -0700
Received: by ttown.apci.com (5.57/Ultrix3.0-C) id AA04055; Wed, 11 May 94 14:18:22 -0400
Date: Wed, 11 May 94 14:18:22 -0400
From: gaulse@ttown.apci.com (that kid in research...)
Message-Id: <9405111818.AA04055@ttown.apci.com>
To: c626544@sgi5.phlab.missouri.edu, z056716@clavin.uprc.com, z056716@uprc.com
Subject: Re: Checkpoint FireWall-1 sanity check
Cc: Firewalls@greatcircle.com
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Pardon me if this is a duplicate...I didn't get my first post back.

Hmmm, I have a few questions/comments about all of this...

> No one has actually discussed the implications of the GUI running on the
> firewall and what dangers it may represent, if any?

Exactly, I'd like to hear/read anyone's comments on this.

> Have all the listening ports been plugged?
  ^^^^ ^^^ ^^^ ^^^^^^^^^ ^^^^^ ^^^^ ^^^^^^^

Can someone who "own/drive/smoke's one" please answer this?

> Do they export the GUI front end to client machines?
  ^^ ^^^^ ^^^^^^ ^^^ ^^^ ^^^^^ ^^^ ^^ ^^^^^^ ^^^^^^^^

Again, can someone who "own/drive/smoke's one" please answer this one too?

> I won't pretend to be an experienced cracker, but I have heard
> that X has many security implications to consider - can anyone
> expand on this?

I won't pretend either but having "played around"...

X11R5 defines, and the way I see the MIT releases implemented, are two mechanisms that can be used for secure access control.
XDM-AUTHORIZATION-1, which is similar to the MAGIC-COOKIE stuff, but uses DES encryption to encrypt the authorization data that is passed between client and server. Now, to compile that scheme you need an implementation of DES in the file:

	/mit/Xdmcp/Wraphelp.c

Due to U.S. export regulations, I certainly hope this wasn't in the SunOS distribution to Israel. If this was developed in Israel, please explain how FireWall-1 dealt with this? I can only assume they used SUN-DES-1, and this is based on the public key Sun Secure RPC system included with the SunOS releases.

Most servers also use a host access list file (/etc/X.hosts or equivalent if it is a UNIX based box) to determine whether to grant access. If the client is running on a host that is on the server's host access list, the connection is granted (even if the authorization data is wrong!). The host access list will be empty if an authorization mechanism is in use.

Now, as far as I am aware "X" DOES NOT provide any protection from unauthorized access to individual windows, pixmaps, or other obscenities, once a connection has been made. Let me demonstrate...

If I'm a cracker and I write a program that gets or even guesses a window's ID that my program didn't create, using a querytree request you can manipulate or destroy the window.

One of the oldest tricks is...

	cat /dev/fb > [filename]; xloadimage -onroot FULL [filename]

here, you would have successfully grabbed whatever was on the screen of that Sun classic and wrote it to a file that you could redisplay for yourself. Of course, this assumes that the SysAdmin didn't change the fb privileges, if so, well I guess the cracker would have to obtain root permission first.

> Interesting. If Firewall-1 gets a patent, I may be able to
> show prior art.

Can Firewall-1 get a patent in the U.S.A. w/o breaching anyone else's work?

> Again, we are talking about this RUNNING on the firewall.
Looking at > it from the cracker perspective, what would be a weakness to exploit if > a firewall was known to be running X? Perhaps forge X packets and run > a "lookalike" of the GUI for the unsuspecting admin to type away at? Well, I hope what I tried to depict above serves as a weakness that one may try to exploit. At any rate, enough of this...can anyone help me out with the prior questions? Thanx, I'm also lost, can you direct me to the information superhighway? ______________________________________________________________________ /// / /// Stephen E. Gaul, Jr. / /// /\ Air Products and Chemicals, Inc. / __/// /__\ Lehigh Valley, PA 18001 / ///_ ______ __ INET: gaulse@ttown.apci.com || gaulS@moravian.edu / ///// /______\ \/ VOICE: (215) 481-7054 / ///______________ FAX: (215) 481-3988 / //////////////////____________________________________________________/ NOTE: These statements and opinions are mine, not those of APCI... From firewalls-owner Wed May 11 21:30:43 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA19697; Wed, 11 May 1994 21:30:43 GMT Received: from mycroft.GreatCircle.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA19500; Wed, 11 May 1994 14:20:04 -0700 Message-Id: <199405112120.OAA19500@mycroft.GreatCircle.COM> To: Firewalls@GreatCircle.COM Subject: Firewalls loop Date: Wed, 11 May 1994 14:20:02 -0700 From: Brent Chapman Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Somebody is looping Firewalls postings back to the list, so I've put the list back on temporary moderated status until I get it sorted out. 
-Brent -- Brent Chapman | Great Circle Associates | Call or email for info about Brent@GreatCircle.COM | 1057 West Dana Street | upcoming Internet Security +1 415 962 0841 | Mountain View, CA 94041 | Firewalls Tutorial dates From firewalls-owner Wed May 11 14:51:08 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA18970; Wed, 11 May 1994 20:29:12 GMT Received: from mail.unet.umn.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA18964; Wed, 11 May 1994 13:28:57 -0700 Received: from s5.math.umn.edu by mail.unet.umn.edu (5.65c) id AA12075; Wed, 11 May 1994 15:29:44 -0500 Received: by s5.math.umn.edu; Wed, 11 May 94 15:29:43 CDT Newsgroups: local.firewalls Path: greatcircle.com!firewalls-owner From: avolio@tis.com (Frederick M Avolio) Subject: Re: Firewall Configurations Message-Id: <9405111739.AA26306@tis.com> Lines: 8 Organization: Math Department, University of Minnesota Date: Wed, 11 May 1994 17:38:59 GMT Apparently-To: firewalls@greatcircle.com Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Functionally and logically, all three configurations -- screened host, screened subnet, and dual homed -- are the same. A dual-homed gateway is somewhat easier to *see* as is a screened subnet. A screened subnet allows expansion. We often recommend starting with a dual-homed gateway with the idea of expanding to a screened subnet if required (to split up services, etc.). 
Fred From firewalls-owner Wed May 11 14:59:56 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA19208; Wed, 11 May 1994 21:00:22 GMT Received: from mail.unet.umn.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA19186; Wed, 11 May 1994 14:00:00 -0700 Received: from s5.math.umn.edu by mail.unet.umn.edu (5.65c) id AA12463; Wed, 11 May 1994 16:00:55 -0500 Received: by s5.math.umn.edu; Wed, 11 May 94 16:00:54 CDT Newsgroups: local.firewalls Path: greatcircle.com!firewalls-owner From: c626544@sgi5.phlab.missouri.edu (Justin Bhansali) Subject: Re: Checkpoint FireWall-1 sanity check Message-Id: Lines: 26 Organization: Math Department, University of Minnesota Date: Wed, 11 May 1994 17:12:02 GMT Apparently-To: firewalls@greatcircle.com Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk On Wed, 11 May 1994, LaCoursiere J. D. wrote: > > Noone has actually discussed the implications of the GUI running on the > firewall and what dangers it may represent, if any? > > Have all the listening ports been plugged? > > Do they export the GUI front end to client machines? > > I won't pretend to be an experienced cracker, but I have heard > that X has many security implications to consider - can anyone > expand on this? > Two primary holes exist in X. (and they aren't realy holes) 1) Intercepting keystrokes from the keyboard 2) Viewing another users window. A Firewall should fix both. 
From firewalls-owner Wed May 11 15:19:08 1994
From: yerkes_chuck@jpmorgan.com
Date: Wed, 11 May 94 16:54:43 EDT
Message-Id: <9405112054.AA07002@delacroix.lsi.ny.jpmorgan.com>
To: c626544@sgi5.phlab.missouri.edu
Cc: firewalls@GreatCircle.COM
Subject: Re: Checkpoint FireWall-1 sanity check

> > Do they export the GUI front end to client machines?
> >
> > I won't pretend to be an experienced cracker, but I have heard
> > that X has many security implications to consider - can anyone
> > expand on this?
> >
>
> Two primary holes exist in X. (and they aren't really holes)
>
> 1) Intercepting keystrokes from the keyboard
> 2) Viewing another user's window.
>
> A Firewall should fix both.

The sense *I* get is that it's a GUI client - an X-Windows client. This should be listening on ports, this doesn't pose X-Server security problems. Yes, the program itself may have bugs (can I send an X series of keystrokes to the program from elsewhere?), but that's not an X-problem per se, it's an application program. Obviously, I'm not saying that these problems EXIST, but rather that this is the area of attack. I have no qualms about X-clients on a firewall machine - XTerm is not a security hole. Having a GUI front end (or a curses front end) should be welcome for non-expert users. If the front end simply writes (ASCII?) config files and makes configuration easier, then so be it. If inetd had an inet*GUI front end to write out an /etc/services file, it's not a problem.

Now $20 Grand to run a firewall on a Sun kernel (not the most hack proof) is another story....

chuck yerkes
consultant
------------------------------------------------------
the opinions i have aren't my company's, my clients, and, often, not even mine.

From firewalls-owner Wed May 11 15:27:33 1994
From: avolio@tis.com (Frederick M Avolio)
Date: Wed, 11 May 1994 17:46:34 GMT
Message-Id: <9405111746.AA26883@tis.com>
Subject: Re: Checkpoint FireWall-1 sanity check

> Two primary holes exist in X. (and they aren't really holes)
>
> 1) Intercepting keystrokes from the keyboard
> 2) Viewing another user's window.
>
> A Firewall should fix both.

If you mean a firewall *should* fix this, I agree. Many firewalls do not. Especially since 1 and 2 can be combined to say "allowing total access from a foreign machine -- for any process that can use X to a workstation -- to a workstation's keyboard, screen, and screen memory." That's all. Someone on another host could just send keystrokes to your workstation on your behalf. Oh, and mouse events too. :-)

From firewalls-owner Wed May 11 15:49:08 1994
From: sangster@reston.ans.net (Paul Sangster)
Date: Wed, 11 May 1994 16:54:36 +0500
Message-Id: <199405112054.AA10333@interlock.reston.ans.net>
To: firewalls@greatcircle.com
Subject: Re: Checkpoint Firewall-1 sanity check

crow!rik@uunet.uu.net wrote:
>
> The CheckPoint solution is in the same class as ANS Interlock--but provides
> more control for the product's owner. It is also in the same price
> range. ANS, a few booths over, claim to have a software only product under
> development (their RS/6000-based system goes for $18k to $25 A YEAR, depending
> on configuration).

It appears that Checkpoint's goal was to provide the transparency of a screening router, but at the cost of not performing user authentication. This would be a fundamental difference from most application gateway class approaches (like the InterLock.) It's a user friendly vs. security tradeoff that will be attractive to some portion of the Internet population but not others. Not authenticating the user has ramifications throughout a firewall, for instance loss of user accountability in the logs.
Also comparing pricing models is difficult since our offering includes hardware, software and 7x24 support, not to mention a stratum 1 NTP and optional NNTP feed.

I don't know what Rik had in mind when he says "more control", but from my *admittedly limited* understanding of the Checkpoint product it seems to have LESS control and flexibility. The InterLock offers per-user controls, control over how users are authenticated in each direction (SecurId, Pinpad, Passwd...), when encryption will (optionally) be used and many other combinations of granular security policy criteria.

Did anyone else notice that the Checkpoint marketing literature mentioned support for passing a number of the dangerous protocols (e.g. NFS, RPC)? Has anyone heard their position on forwarding these protocols?

As for their discussed GUI, it's a little disturbing that they provide a *potentially* large X client which could open up vulnerabilities at a very dangerous time (during security policy definition). IMHO, it is important to have some type of user friendly interface for novice network and security administrators to define and manipulate rules (access controls) for many customers. This interface should also allow for the verification of the effect of the rule changes prior to putting them into effect on the firewall. This can be accomplished without graphical widgetry, which has the benefit of being able to run in non X environments. As most people know, after fighting the internal battles of what security policy should be enforced, it's frequently very tough to communicate and then verify that policy to a firewall. Due to this difficulty, administrator configuration mistakes do occur on many filtering router firewalls (as seen on this list) which can lead to breakins.

> Neosoft was demonstrating in the BSDI booth. Another kernel-based

I didn't get to see their product, but did get their nifty bumper sticker... "I'd rather be NetSurfing" :-).

Paul
____________________________________________________________________________
Paul Sangster                  Advanced Network & Services
Software Engineer              1875 Campus Commons Dr.
sangster@reston.ans.net        Suite 220, Reston VA 22091
                               (703) 758-7706
____________________________________________________________________________

From firewalls-owner Wed May 11 16:19:04 1994
From: z056716@uprc.com (LaCoursiere J. D. (Jeff))
Date: Wed, 11 May 1994 06:18:46 GMT
Message-Id: <9405111718.AA05787@cygnus.uprc.com>
Subject: Re: Checkpoint FireWall-1 sanity check

> > No one has actually discussed the implications of the GUI running on the
> > firewall and what dangers it may represent, if any?
> >
> > Have all the listening ports been plugged?
> >
> > Do they export the GUI front end to client machines?
> >
> > I won't pretend to be an experienced cracker, but I have heard
> > that X has many security implications to consider - can anyone
> > expand on this?
> >
>
> Two primary holes exist in X. (and they aren't really holes)
>
> 1) Intercepting keystrokes from the keyboard
> 2) Viewing another user's window.
>
> A Firewall should fix both.
>

Again, we are talking about this RUNNING on the firewall. Looking at it from the cracker perspective, what would be a weakness to exploit if a firewall was known to be running X? Perhaps forge X packets and run a "lookalike" of the GUI for the unsuspecting admin to type away at?

Jeff LaCoursiere
Network Admin
UPRC
Ft. Worth, TX

From firewalls-owner Thu May 12 00:10:55 1994
From: "Erik E. Rantapaa"
Date: Wed, 11 May 94 18:42:01 CDT
Message-Id: <9405112342.AA29799@s6.math.umn.edu>
To: firewalls@greatcircle.com
Subject: Apology for recent mail loop

My sincere apologies for creating an infinite mail loop and refeeding firewalls mail back to the list. I have been archiving mailing lists I am on with C-news and reading them with nn and trn, and today I thought of the bright idea of making them moderated so I could "post" to lists from within news readers. Needless to say, it didn't work as expected.

Again, please accept my apologies for any inconvenience this has caused.

--
Erik E. Rantapaa -- rantapaa@math.umn.edu -- "I'm in the book"

From firewalls-owner Thu May 12 01:17:32 1994
From: qjohnson@intellistor.com (Quentin Johnson)
Date: Wed, 11 May 94 17:28:55 MDT
Message-Id: <9405112328.AA03058@whizbang.Intellistor.COM>
To: firewalls@greatcircle.com
Subject: Re: DNS on a dual-homed host

> From: "Matthew R. Ganis (914) 684-4575"
>
> What exposures are there in running named on a dual-homed gateway
> (ip forwarding turned, off, etc, etc) given that the named.boot
> records only point to the root nameservers (ie, this named has no
> authority records). Is there any known attack or any major risk here ?
>
> Matt Ganis
> (ganis@vnet.ibm.com)

In Firewalls and Internet Security, by Cheswick and Bellovin, the authors bring up these points about using a dual-homed gateway host:

  How does DNS provide host address translations for both inside and outside access, without leaking naming information to the outside?

  Is IP forwarding really off; will ICMP redirects change it? What about IP source routing? You can only be sure by examining kernel source code and carefully experimenting.

  This host will offer different services on each interface. What mechanism is used to implement this? On most hosts the same services are offered on all network interfaces. Standard software tends to lack a mechanism for restricting access in this way.

  What are the consequences if a hacker subverts the gateway host? How would you detect this event?

Quent Johnson

From firewalls-owner Thu May 12 01:42:20 1994
From: Evil Pete
Date: Wed, 11 May 1994 18:31:29 -0700
Message-Id: <199405120131.SAA23912@merde.dis.org>
To: firewalls@GreatCircle.COM
In-reply-to: Your message of Wed, 11 May 1994 17:38:59 +0000.
Subject: Livingston Firewall Configurations

Does anyone have any examples and advice on setting up IP filtering on Livingston IRX and PortMaster routers? I am familiar with Ciscos and the concepts, and I am just trying not to reinvent the wheel.

brent: maybe the firewalls ftp site should have some examples made available.
This will be very useful in that it will enable many people to set up firewalls faster and more easily.

-Pete

From firewalls-owner Wed May 11 21:19:34 1994
From: brian@lloyd.com (Brian Lloyd)
Date: Wed, 11 May 94 21:16 PDT
To: Firewalls@GreatCircle.COM
Subject: Livingston Firewall Router

Livingston announced their answer to a firewall router at Interop. They now have a two-ethernet version of their IRX router. Packet filtering seems very complete. It can filter inbound or outbound on an interface. The sync WAN interface supports both PPP and Frame Relay. Looks like what I have been wanting.

Brian Lloyd, President
Lloyd Internetworking
3031 Alhambra Drive, Suite 102
Cameron Park, CA 95682
brian@lloyd.com
(916) 676-1147 - voice
(916) 676-3442 - fax

From firewalls-owner Thu May 12 04:49:20 1994
From: Adam Shostack
Date: Thu, 12 May 94 0:49:25 EDT
Message-Id: <199405120449.AAA00792@duke.bwh.harvard.edu>
To: yerkes_chuck@jpmorgan.com
Cc: firewalls@greatcircle.com
In-Reply-To: <9405112054.AA07002@delacroix.lsi.ny.jpmorgan.com>; from "yerkes_chuck@jpmorgan.com" at May 11, 94 4:54 pm
Subject: Re: Checkpoint FireWall-1 sanity check

Chuck Yerkes:

| that this is the area of attack. I have no qualms about X-clients
| on a firewall machine - XTerm is not a security hole. Have a

See CA-93:17. Xterm, installed setuid or setgid (often to log to utmp), can be exploited to gain root access.

| configuration easier, then so be it. If inetd had an inet*GUI front
| end to write out an /etc/services file, it's not a problem.

I beg to differ. A gui requires more complexity than an editor, and complexity is always a source of bugs. Every now and then, these bugs won't be security problems. IMHO, anyone who needs a GUI to modify inetd.conf should not be managing a firewall. If you really want the gui, use it on an internal machine, and move the file it generates.

Adam

--
Adam Shostack                                       adam@bwh.harvard.edu
Politics. From the greek "poly," meaning many, and ticks, a small, annoying bloodsucker.

From firewalls-owner Thu May 12 12:10:58 1994
From: "Andrew T. Robinson"
Date: Thu, 12 May 94 07:48:38 EST
Message-Id: <199405121157.AA14277@p-o.ans.net>
To: Firewalls mailing list
Subject: Potential firewall consulting opportunity (humorous)

Brent may slap me for this, but I couldn't resist. People who do security consulting may want to consider getting in contact with Canter & Siegel--I suspect, given some of the things I've heard on other mailing lists, that they'll need it... :-)

> LAWYERS CAPITALIZE ON INTERNET FLAMING
> Canter & Siegel, a husband-and-wife law firm that found itself
> scorched by flame mail last month for advertising on the Internet, has
> decided to launch a new service, Cybersell, to help other businesses do the
> same thing. Cybersell will charge $500 for access to 6,000 news groups.
> "People like Canter & Siegel are taking grotesque advantage of liberating
> technology that supports the free and open exchange of ideas," says the
> president of the Internet Company. Retorts Siegel, "Our fate has been that
> we're making a lot of money. If a bunch of hysterics want to scream and
> yell and make fools of themselves, then I don't feel they warrant respect."
> (Wall Street Journal 5/9/94 B2)

Andy

From firewalls-owner Thu May 12 13:05:49 1994
From: luotonen@ptsun00.cern.ch (Ari Luotonen)
Date: Thu, 12 May 94 15:07:42 +0200
Message-Id: <9405121307.AA06474@ptsun03.cern.ch>
To: www-talk@www0.cern.ch, www-announce@www0.cern.ch, firewalls@greatcircle.com
Cc: mosaic-x@ncsa.uiuc.edu
Subject: Forced cache refresh and no_proxy in Mosaic

Dear WWW proxy (cern_httpd) users,

As the release notes of CERN httpd 3.0preX let you understand, httpd as a proxy understands the Pragma: no-cache header, causing a forced cache refresh. This header line has been added to the HTTP spec. Clients should start supporting this, but since nobody has time to do that, enclosed you will find 3 patch files for Mosaic 2.4 which cause it to send this pragma when you press Reload.

Another addition is the support of the no_proxy environment variable. For example, now I can set for my patched Mosaic:

    setenv no_proxy cern.ch

and no request to domain cern.ch goes thru the proxy but rather directly to the server inside CERN. Local requests going through the proxy have been an annoying side effect of WWW proxy usage, but this no longer has to be so.
Precompiled stripped gzipped Mosaic 2.4 for SunOS 4.1.3 with and without -lresolv is also available from directory:

    ftp://info.cern.ch/pub/www/proxy-support/Mosaic-2.4

Patched versions of HTAccess.c, HTTP.c and gui-documents.c, and the patches themselves, are also in that directory.

I guarantee no further support whatsoever for this; you should rather pressure NCSA to put the patches in. These are *important* changes and should be supported by the official version!

Cheers,

--
Ari Luotonen | World-Wide Web Project | CERN | phone: +41 22 767 8583
CH - 1211 Geneve 23 | email: luotonen@dxcern.cern.ch

--clip---clip---clip---clip---clip---clip---clip---clip---clip---clip-- *** HTAccess.c.ORIG Thu May 12 14:18:55 1994 --- HTAccess.c Thu May 12 14:25:36 1994 *************** *** 108,113 **** --- 108,192 ---- } + /* override_proxy() + ** + ** Check the no_proxy environment variable to get the list + ** of hosts for which proxy server is not consulted. + ** + ** no_proxy is a comma- or space-separated list of machine + ** or domain names, with optional :port part. If no :port + ** part is present, it applies to all ports on that domain.
+ ** + ** Example: + ** no_proxy="cern.ch,some.domain:8001" + ** + */ + PRIVATE BOOL override_proxy ARGS1(CONST char *, addr) + { + CONST char * no_proxy = getenv("no_proxy"); + char * p = NULL; + char * host = NULL; + int port = 0; + int h_len = 0; + + if (!no_proxy || !addr || !(host = HTParse(addr, "", PARSE_HOST))) + return NO; + if (!*host) { free(host); return NO; } + + if (p = strchr(host, ':')) { /* Port specified */ + *p++ = 0; /* Chop off port */ + port = atoi(p); + } + else { /* Use default port */ + char * access = HTParse(addr, "", PARSE_ACCESS); + if (access) { + if (!strcmp(access,"http")) port = 80; + else if (!strcmp(access,"gopher")) port = 70; + else if (!strcmp(access,"ftp")) port = 21; + free(access); + } + } + if (!port) port = 80; /* Default */ + h_len = strlen(host); + + while (*no_proxy) { + CONST char * end; + CONST char * colon = NULL; + int templ_port = 0; + int t_len; + + while (*no_proxy && (WHITE(*no_proxy) || *no_proxy==',')) + no_proxy++; /* Skip whitespace and separators */ + + end = no_proxy; + while (*end && !WHITE(*end) && *end != ',') { /* Find separator */ + if (*end==':') colon = end; /* Port number given */ + end++; + } + + if (colon) { + templ_port = atoi(colon+1); + t_len = colon - no_proxy; + } + else { + t_len = end - no_proxy; + } + + if ((!templ_port || templ_port == port) && + (t_len > 0 && t_len <= h_len && + !strncmp(host + h_len - t_len, no_proxy, t_len))) { + free(host); + return YES; + } + if (*end) no_proxy = end+1; + else break; + } + + free(host); + return NO; + } + + /* Find physical name and access protocol ** -------------------------------------- ** *************** *** 137,143 **** */ #define USE_GATEWAYS #ifdef USE_GATEWAYS ! { char *gateway_parameter, *gateway, *proxy; /* search for gateways */ --- 216,226 ---- */ #define USE_GATEWAYS #ifdef USE_GATEWAYS ! ! /* make sure the using_proxy variable is false */ ! using_proxy = NO; ! ! 
if (!override_proxy(addr)) { char *gateway_parameter, *gateway, *proxy; /* search for gateways */ *************** *** 168,176 **** gateway = DEFAULT_WAIS_GATEWAY; } #endif - - /* make sure the using_proxy variable is false */ - using_proxy = NO; /* proxy servers have precedence over gateway servers */ if (proxy) { --- 251,256 ---- --clip---clip---clip---clip---clip---clip---clip---clip---clip---clip-- *** HTTP.c.ORIG Thu May 12 13:25:33 1994 --- HTTP.c Thu May 12 13:34:09 1994 *************** *** 40,46 **** char *post_data = NULL; extern BOOL using_gateway; /* are we using an HTTP gateway? */ extern BOOL using_proxy; /* are we using an HTTP proxy gateway? */ ! /* Load Document from HTTP Server HTLoadHTTP() ** ============================== --- 40,46 ---- char *post_data = NULL; extern BOOL using_gateway; /* are we using an HTTP gateway? */ extern BOOL using_proxy; /* are we using an HTTP proxy gateway? */ ! PUBLIC BOOL reloading = NO; /* reloading => send no-cache pragma to proxy */ /* Load Document from HTTP Server HTLoadHTTP() ** ============================== *************** *** 195,201 **** StrAllocCat(command, line); } } ! sprintf(line, "User-Agent: %s/%s libwww/%s%c%c", HTAppName ? HTAppName : "unknown", HTAppVersion ? HTAppVersion : "0.0", --- 195,210 ---- StrAllocCat(command, line); } } ! ! /* ! * When reloading give no-cache pragma to proxy server to make ! * it refresh its cache. -- Ari L. ! */ ! if (reloading) { ! sprintf(line, "Pragma: no-cache%c%c", CR, LF); ! StrAllocCat(command, line); ! } ! sprintf(line, "User-Agent: %s/%s libwww/%s%c%c", HTAppName ? HTAppName : "unknown", HTAppVersion ? HTAppVersion : "0.0", --clip---clip---clip---clip---clip---clip---clip---clip---clip---clip-- *** gui-documents.c.ORIG Mon Apr 11 20:58:02 1994 --- gui-documents.c Thu May 12 14:13:11 1994 *************** *** 487,494 **** post_gave_encrypt = 0; #endif /* PEM_AUTH */ ! win->current_node->text = mo_pull_er_over (win->current_node->url, ! 
&win->current_node->texthead); { /* Check use_this_url_instead from HTAccess.c. */ /* IS THIS GOOD ENOUGH FOR THIS CASE??? */ --- 487,503 ---- post_gave_encrypt = 0; #endif /* PEM_AUTH */ ! { ! /* ! * Reload should force a cache refresh on a proxy ! * -- Ari L. ! */ ! extern char reloading; /* is really a BOOL */ ! reloading = 1; ! win->current_node->text = mo_pull_er_over (win->current_node->url, ! &win->current_node->texthead); ! reloading = 0; ! } { /* Check use_this_url_instead from HTAccess.c. */ /* IS THIS GOOD ENOUGH FOR THIS CASE??? */ --clip---clip---clip---clip---clip---clip---clip---clip---clip---clip--

From firewalls-owner Thu May 12 13:14:05 1994
From: "Matthew R. Ganis (914) 684-4575"
Date: Thu, 12 May 94 09:15:14 EDT
Message-Id: <199405121313.GAA23561@mycroft.GreatCircle.COM>
To: firewalls@Greatcircle.com
Subject: Re: DNS on a dual-homed host

>
> In Firewalls and Internet Security, by Cheswick and Bellovin, the authors
> bring up these points about using a dual-homed gateway host:
>

Thanks for the reply, but my question is more: what dangers or pitfalls are there in running bind *ON* the firewall? Do I open myself up to new and (exciting ;-) attacks? If so, what? I know DNS uses udp and tcp port 53 (tcp for zone xfers only I believe) (and I have no zone to xfer).
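Review bot: the domain match in override_proxy() (HTAccess.c, 108,192 hunk) compares only the trailing t_len bytes of the host, `!strncmp(host + h_len - t_len, no_proxy, t_len)`, so no_proxy="cern.ch" also matches an unrelated host such as evilcern.ch and sends that request directly instead of through the proxy. Require the match to cover the whole host or to start right after a '.' (for example `(t_len == h_len || host[h_len - t_len - 1] == '.')`), and compare case-insensitively, since host names are. Minor: `if (p = strchr(host, ':'))` is an assignment inside a condition; write `if ((p = strchr(host, ':')) != NULL)` to make the intent explicit.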
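Review bot: the Pragma: no-cache line added in the HTTP.c 195,210 hunk is sent whenever `reloading` is set, regardless of `using_proxy`, while the comment above it says it is given "to proxy server". Either gate the block on `using_proxy` or reword the comment, so the two do not disagree; sending the pragma to an origin server is harmless, but a reader should not have to work that out.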
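Review bot: `extern char reloading; /* is really a BOOL */` in the gui-documents.c hunk declares the variable with a type that differs from its definition `PUBLIC BOOL reloading = NO;` in HTTP.c; if BOOL is wider than char the two translation units disagree about the object's size and the behaviour is undefined, and the comment shows the mismatch is known. Declare it as `extern BOOL reloading;` (including the header that defines BOOL) and assign `YES`/`NO` rather than `1`/`0`.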
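A hardened version of the no_proxy match from Ari's HTAccess.c patch above, written here as an added example in C (not Ari's code and not part of Mosaic or libwww): it handles the same comma- or space-separated list with an optional :port that the patch describes, but only lets a domain entry match at a label boundary and compares host names case-insensitively. The URL parser np_parse_url() is a simplified stand-in for libwww's HTParse() and is an assumption of this example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Added example: a no_proxy matcher with the same list syntax the patch
 * documents (entries separated by commas or whitespace, optional :port),
 * but "cern.ch" covers cern.ch and *.cern.ch only, never evilcern.ch. */

#define NP_HOST_MAX 256

/* Simplified stand-in for HTParse() (assumption of this example): pull the
 * host and port out of scheme://host[:port]/..., defaulting the port by
 * scheme the way the patch does (http 80, gopher 70, ftp 21).
 * Returns 1 on success, 0 if the URL has no usable host. */
static int np_parse_url(const char *url, char *host, size_t host_sz, int *port)
{
    const char *p = strstr(url, "://");
    const char *h, *e;
    size_t n;
    int default_port = 80;

    if (!p) return 0;
    if (!strncmp(url, "gopher://", 9)) default_port = 70;
    else if (!strncmp(url, "ftp://", 6)) default_port = 21;
    h = p + 3;
    e = h;
    while (*e && *e != '/' && *e != ':') e++;   /* host ends at '/' or ':' */
    n = (size_t)(e - h);
    if (n == 0 || n >= host_sz) return 0;
    memcpy(host, h, n);
    host[n] = '\0';
    *port = (*e == ':') ? atoi(e + 1) : default_port;
    return *port > 0;
}

/* Case-insensitive comparison of n bytes (host names are not case-sensitive). */
static int np_ncasecmp(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        int ca = tolower((unsigned char)a[i]), cb = tolower((unsigned char)b[i]);
        if (ca != cb) return ca - cb;
    }
    return 0;
}

/* Does one entry (templ, t_len bytes, :port already stripped) cover host?
 * Accepts an exact host, or a suffix that starts right after a '.', so the
 * entry can never match an unrelated host that merely ends in the same text. */
static int np_entry_matches(const char *host, size_t h_len,
                            const char *templ, size_t t_len)
{
    if (t_len == 0 || t_len > h_len) return 0;
    if (np_ncasecmp(host + h_len - t_len, templ, t_len) != 0) return 0;
    return t_len == h_len || host[h_len - t_len - 1] == '.';
}

/* Return 1 if a request for url should bypass the proxy under no_proxy. */
int override_proxy_for(const char *url, const char *no_proxy)
{
    char host[NP_HOST_MAX];
    int port;
    size_t h_len;

    if (!url || !no_proxy || !np_parse_url(url, host, sizeof host, &port))
        return 0;
    h_len = strlen(host);

    while (*no_proxy) {
        const char *end, *colon = NULL;
        int templ_port = 0;
        size_t t_len;

        while (*no_proxy == ',' || isspace((unsigned char)*no_proxy))
            no_proxy++;                          /* skip separators */
        if (!*no_proxy) break;
        end = no_proxy;
        while (*end && *end != ',' && !isspace((unsigned char)*end)) {
            if (*end == ':') colon = end;        /* optional :port part */
            end++;
        }
        if (colon) {
            templ_port = atoi(colon + 1);
            t_len = (size_t)(colon - no_proxy);
        } else {
            t_len = (size_t)(end - no_proxy);
        }
        /* An entry without :port applies to every port on that domain. */
        if ((templ_port == 0 || templ_port == port) &&
            np_entry_matches(host, h_len, no_proxy, t_len))
            return 1;
        no_proxy = end;
    }
    return 0;
}
```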
I've tried telnetting to port 53 of a host with named running and I just
hang - there doesn't seem to be any ill-effects on the nameserver (at
least none that I can detect)

So, I guess the question is, short of a denial of service (where somebody
clobbers my machine with queries) what other exposures do I open myself
up to ?

Matt.

From firewalls-owner Thu May 12 13:32:16 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA23707; Thu, 12 May 1994 13:32:16 GMT
Received: from suc1a.harris.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id GAA23700; Thu, 12 May 1994 06:32:08 -0700
Received: from itp.corp.harris.com by suc1a.harris.com (4.1/SMI-4.0) id AA05212; Thu, 12 May 94 09:33:00 EDT
Received: from lazarus.corp.harris.com by itp.corp.harris.com (5.0/SMI-SVR4) id AA03762; Thu, 12 May 1994 09:33:59 +0500
Received: by lazarus.corp.harris.com (5.0/SMI-SVR4) id AA03573; Thu, 12 May 1994 09:33:32 +0500
Date: Thu, 12 May 1994 09:33:32 +0500
From: dconklin@itp.corp.harris.com (Dave Conklin)
Message-Id: <9405121333.AA03573@lazarus.corp.harris.com>
To: firewalls@greatcircle.com
Subject: Looking for Net Monitoring Pkg
X-Sun-Charset: US-ASCII
Content-Length: 346
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hello,

I am looking for packages that will allow me to monitor packets on my
net and report traffic statistics by packet type for each source &
destination DNS name (or IP addr if not listed). A bonus would be the
ability to filter on DNS name (or IP addr). Can someone point me in a
likely direction?

Dave Conklin
dconklin@itp.corp.harris.com

From firewalls-owner Thu May 12 13:40:20 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA23795; Thu, 12 May 1994 13:40:20 GMT
Received: from panix.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id GAA23788; Thu, 12 May 1994 06:40:09 -0700
Received: by panix.com id AA14066 (5.65c/IDA-1.4.4 for firewalls@greatcircle.com); Thu, 12 May 1994 09:40:48 -0400
From: Andy Finkenstadt
Message-Id: <199405121340.AA14066@panix.com>
Subject: What is IP Source Routing?
To: firewalls@greatcircle.com
Date: Thu, 12 May 1994 09:40:48 -0400 (EDT)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1130
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

In the context of firewall discussions, I saw this quote from the
Firewalls & Internet Security book fly by:

    Is IP forwarding really off; will ICMP redirects change it?
    What about IP source routing? You can only be sure by examining
    kernel source code and carefully experimenting.

I understand what IP Forwarding is - where packets for a network which
is (presumably) not on the current network are sent to a machine which
will act as a gateway to the other network. A simple example of this
might be a dual-homed Sun host, with machines on one network configured
to have a default route to the Sun, which straddles the line between the
protected network and the DMZ network.

Which RFC and other documents should I read to learn all about ICMP and
why a redirect might change the status of IP forwarding?

What is IP Source Routing? The only definition I can come up with on my
own would have been the same as the IP forwarding.

Andy
--
andy@genie.geis.com | Andy Finkenstadt, GEnie Sysop, GEnie Postmaster
andy@tml.com        | Systems Engineer, TML Information Services, Inc.
genie@panix.com     | +1 718-793-9099

From firewalls-owner Thu May 12 13:49:29 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA23853; Thu, 12 May 1994 13:49:29 GMT
Received: from cayuga.cs.rochester.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id GAA23847; Thu, 12 May 1994 06:49:08 -0700
From: bukys@cs.rochester.edu
Received: from otter.cs.rochester.edu (otter.cs.rochester.edu [192.5.53.121]) by cayuga.cs.rochester.edu (8.6.7/G) with ESMTP id JAA28223 for ; Thu, 12 May 1994 09:49:53 -0400
Received: (from bukys@localhost) by otter.cs.rochester.edu (8.6.7/G) id JAA07703; Thu, 12 May 1994 09:49:52 -0400
Date: Thu, 12 May 1994 09:49:52 -0400
Message-Id: <199405121349.JAA07703@otter.cs.rochester.edu>
To: Firewalls@GreatCircle.COM
Subject: LSLI Portus
Cc: bukys@cs.rochester.edu
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Yet another firewall product. As seen in RS/Magazine, May 1994 (page 35):

    "PORTUS (TM) was developed at the IBM Thomas J. Watson Research
    Center (WRC) to secure its private network when connected to the
    Internet and has been in production since 1988..."

The company is Livermore Software Laboratories, Inc (LSLI (TM)), and
their phone number is 800-240-5754. Fax number is 1-713-379-5225.

I have no connection with this product. I saw the ad, and figured that
many readers of this list are keeping track. It seems like firewall
products are popping out from the woodwork this week.

From firewalls-owner Thu May 12 14:00:07 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA23915; Thu, 12 May 1994 14:00:07 GMT
Received: from relay.tis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id GAA23899; Thu, 12 May 1994 06:59:55 -0700
Received: by relay.tis.com id AA24873; Thu, 12 May 94 10:00:59 EDT
Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3mjr) id sma024869; Thu May 12 10:00:33 1994
Received: from otter.tis.com by tis.com (4.1/SUN-5.64) id AA06252; Thu, 12 May 94 09:59:45 EDT
Date: Thu, 12 May 94 09:59:45 EDT
From: Marcus J Ranum
Message-Id: <9405121359.AA06252@tis.com>
To: dconklin@itp.corp.harris.com, firewalls@GreatCircle.COM
Subject: Re: Looking for Net Monitoring Pkg
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>I am looking for packages that will allow me to monitor packets on my
>net and report traffic statistics by packet type for each source &
>destination DNS name (or IP addr if not listed). A bonus would be the
>ability to filter on DNS name (or IP addr). Can someone point me in a
>likely direction?

	Depends on the type of monitoring you want to do. If you need
to look at and somehow report statistics about what is *in* the packets,
then you might consider using tcpdump and reducing the logs with awk or
perl or whatever.

	If you want just traffic statistics, an excellent system is
NNStat. NNStat should be FTPable from various places on the 'net. It's
a traffic statistics gathering tool that is extremely powerful. It's
also somewhat obscure and not especially aesthetic code, but for the
price it's a great system.

mjr.
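One way to do the tcpdump-and-awk reduction mjr describes, as an added example that is not code from the list, from tcpdump or from NNStat: a POSIX shell function that counts packets per protocol and source/destination host pair and can be restricted to one host, which is the "filter on DNS name" bonus from the original question. The capture lines and host names are constructed, and the classic tcpdump line layout it parses is an assumption.

```shell
#!/bin/sh
# Added example: reduce tcpdump output into per-protocol, per-host-pair
# packet counts with awk. Assumes the classic tcpdump line layout
#   "time src.port > dst.port: S ..."   (TCP)
#   "time src.port > dst.port: udp N"   (UDP)
#   "time src > dst: icmp: ..."         (ICMP, no ports)

# Constructed sample capture; the host names are placeholders.
SAMPLE_CAPTURE='09:33:01.10 hostA.corp.example.1023 > relay.example.smtp: S 1:1(0) win 4096
09:33:01.20 relay.example.smtp > hostA.corp.example.1023: S 9:9(0) ack 2 win 4096
09:33:01.30 hostA.corp.example.1023 > relay.example.smtp: . ack 1 win 4096
09:33:02.00 hostB.corp.example.2049 > ns.example.domain: udp 40
09:33:02.10 ns.example.domain > hostB.corp.example.2049: udp 120
09:33:03.00 hostA.corp.example > relay.example: icmp: echo request
09:33:04.00 hostB.corp.example.3333 > relay.example.telnet: S 5:5(0) win 4096'

# summarize_traffic [host]
# Reads tcpdump lines on stdin and prints "proto src dst count", one line
# per (protocol, source host, destination host) triple, sorted. With a
# host argument, only packets where that host is source or destination
# are counted.
summarize_traffic() {
    awk -v want="$1" '
        NF < 5 { next }                    # skip blank or truncated lines
        {
            src = $2
            dst = $4
            sub(/:$/, "", dst)             # drop the colon tcpdump puts after dst
            if ($5 == "udp") { proto = "udp" }
            else if ($5 == "icmp:") { proto = "icmp" }
            else { proto = "tcp" }
            # TCP and UDP endpoints carry a trailing ".port" (or service
            # name); ICMP endpoints are bare hosts, so only strip for tcp/udp.
            if (proto != "icmp") {
                sub(/\.[^.]*$/, "", src)
                sub(/\.[^.]*$/, "", dst)
            }
            if (want != "" && src != want && dst != want) { next }
            count[proto " " src " " dst]++
        }
        END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# summarize_sample [host]: run the reduction over the constructed capture.
summarize_sample() {
    printf '%s\n' "$SAMPLE_CAPTURE" | summarize_traffic "$1"
}

# Stand-alone run: the full table, then only traffic touching the name server.
summarize_sample
echo "--- ns.example only ---"
summarize_sample ns.example
```

To use it on a real capture, pipe the tcpdump output into summarize_traffic instead of the embedded sample.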
From firewalls-owner Thu May 12 14:09:55 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA24016; Thu, 12 May 1994 14:09:55 GMT
Received: from lvhgate.lvh.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id HAA24010; Thu, 12 May 1994 07:09:48 -0700
Message-Id: <199405121409.HAA24010@mycroft.GreatCircle.COM>
Received: by lvhgate.lvh.com (1.37.109.4/16.2) id AA20036; Thu, 12 May 94 10:12:24 -0400
From: Mark Stickler
Subject: FTP Security
To: Firewalls@GreatCircle.COM
Date: Thu, 12 May 94 10:12:23 EDT
Mailer: Elm [revision: 70.85]
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

We are working on some security policies for our firewall and I
need some advice on ftp. First, a little background. Our firewall
is not yet the bastion host type. It consists of a router, connected
to the Internet, then an isolated ethernet to a dual-homed Unix
box which has ip-forwarding turned off. As a result, users who
need to ftp files from the Internet must log into their account on
the gateway host and then ftp from there (I know this isn't the
preferred method but I have no choice at the moment).

Our question is what should we do to limit the chances that an executable
which a user may bring through the gateway machine has a virus?

Do most ftp sites scan their executables for viruses on a regular basis?

Is there a virus scanner, which runs under unix, which can check for
viruses in both unix and dos executables?

TIA for any suggestions. Private email is fine.

+----------------------------+-----------------------------+
| Mark G. Stickler           | Voice: (215) 402-1459       |
| Lehigh Valley Hospital     | FAX: (215) 402-1409         |
| Information Services       | Internet: mstickler@lvh.com |
| 2024 Lehigh Street         | Title: Technical Analyst    |
| Allentown, PA 18103        |                             |
+----------------------------+-----------------------------+

From firewalls-owner Thu May 12 14:29:03 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA24120; Thu, 12 May 1994 14:29:03 GMT
Received: from envoy.wl.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id HAA24114; Thu, 12 May 1994 07:28:54 -0700
Received: by envoy.wl.com (5.65/allen-042593); id AA23122; Thu, 12 May 1994 10:29:50 -0400
Received: by mst3k.research.aa.wl.com (5.65/al042593);
Received: by mst3k.research.aa.wl.com (5.65/al042593); id AA09780; Thu, 12 May 94 10:30:03 -0400
Date: Thu, 12 May 94 10:30:03 -0400
From: leibowa@wl.com (Allen Leibowitz)
Message-Id: <9405121430.AA09780@mst3k.research.aa.wl.com>
To: dconklin@itp.corp.harris.com, firewalls@GreatCircle.COM
Subject: Re: Looking for Net Monitoring Pkg
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> I am looking for packages that will allow me to monitor packets on my
> net and report traffic statistics by packet type for each source &
> destination DNS name (or IP addr if not listed). A bonus would be the
> ability to filter on DNS name (or IP addr). Can someone point me in a
> likely direction?

I looked into commercial packages about 9 months ago. By far, the best
was NetMetrix. Now part of HP. Contact Boyd.baumgartner@nashua.hp.com
(603) 888-7700. It was also expensive as you needed rmon agents and a
central station.

Marcus mentioned NNStat. This can filter by protocol type or by source
and destination pairs, but not by packet type between pairs. You can do
what you describe by setting up a lot of "filters" as you say. You may
find you have too much data.

Allen Leibowitz
Parke-Davis/Warner-Lambert
Ann Arbor, MI 48104 USA
+1 313.998.3314

Either CONFESS now or we go to ``PEOPLE'S COURT''!! -- zippy

From firewalls-owner Thu May 12 15:09:27 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA24312; Thu, 12 May 1994 15:09:27 GMT
Received: from relay.tis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id IAA24306; Thu, 12 May 1994 08:09:16 -0700
Received: by relay.tis.com id AA25387; Thu, 12 May 94 11:09:04 EDT
Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3mjr) id sma025385; Thu May 12 11:08:34 1994
Received: from otter.tis.com by tis.com (4.1/SUN-5.64) id AA10173; Thu, 12 May 94 11:07:44 EDT
Date: Thu, 12 May 94 11:07:44 EDT
From: Marcus J Ranum
Message-Id: <9405121507.AA10173@tis.com>
To: Firewalls@GreatCircle.COM, mstickle@lvh.com
Subject: Re: FTP Security
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>We are working on some security policies for our firewall and I
>need some advice on ftp. First, a little background. Our firewall
>is not yet the bastion host type. It consists of a router, connected
>to the Internet, then an isolated ethernet to a dual-homed Unix
>box which has ip-forwarding turned off. As a result, users who
>need to ftp files from the Internet must log into their account on
>the gateway host and then ftp from there (I know this isn't the
>preferred method but I have no choice at the moment).

	If I understand your configuration correctly, you should be
able to use an FTP proxy of some sort, to permit FTP traffic without
requiring a login on the firewall machine. [One place to look for such
a proxy is in our firewall toolkit]

>Our question is what should we do to limit the chances that an executable
>which a user may bring through the gateway machine has a virus?

	Nothing.

	Joking aside, this is a really tough problem. There are two
issues to consider:
	-> encoding
	-> consistency of security

	Encoding is the technical gotcha. There are just too many ways
that files get encoded for transmission over the 'net to be able to
have a prayer of finding a virus in them. What about if it's in a
uuencoded file? Or a uuencoded .ZIP file? Or a uuencoded tar of a bunch
of .ZIP archives? What about a MIME document? Or a .hqx file? Or... You
get the idea. There's a chance you'll find something by scanning, but
it's very, very slim. It's so slim, in fact, that it's probably only
"warm fuzzies" security -- it looks good on paper but that's all.

	Consistency of security is another issue. Many of the folks I
have talked to who are concerned about bringing virii in from the
internet don't have any kind of policy that controls bringing data into
the corporate network on floppy disks. It's not consistent security
practice to worry a whole lot about virii coming in from over the 'net
when anyone can bring one in on a floppy -- and in fact I suspect that's
how a majority of virii are transmitted. A firewall isn't a panacea and
doesn't replace educating your users. A better approach to the virus
problem is to educate staff to understand that they should scan stuff
before they install it, whether it came from over the 'net, or a BBS, or
a shareware disk, or from their buddy's machine down the hall. That way
you're attacking the whole class of virus related problems across the
board, rather than fighting a losing battle to try to implement a
technical solution on your firewall itself.

>Do most ftp sites scan their executables for viruses on a regular basis?

	No. Some do before uploading them.

>Is there a virus scanner, which runs under unix, which can check for
>viruses in both unix and dos executables?

	UNIX virii are hard to check for and I suspect that anyone who
is claiming they have a "virus scanner" for UNIX is doing some creative
marketing. Probably the best way to "scan" for virii under UNIX is to
checksum all your system files and make sure they haven't changed -- it
gets around the operating system dependencies nicely. Look at tools like
Tripwire as possible options.

	Scanning for DOS virii on a UNIX box is also a bit of a wild
goose chase. Why? Because any DOS executable that's being transmitted
through the UNIX box is probably encoded for transmission and then you
have the whole issue of figuring out what the encoding is and means...

mjr.

From firewalls-owner Thu May 12 09:19:09 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA24587; Thu, 12 May 1994 16:04:29 GMT
Received: from gatekeeper.es.dupont.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA24578; Thu, 12 May 1994 09:04:16 -0700
Received: by gatekeeper.es.dupont.com (5.65/ULTRIX-mjr-062991); id AA10830; Thu, 12 May 94 12:05:04 -0400
Received: from barkeep (barkeep.es.dupont.com) by eplrx7.es.duPont.com (4.1/kdm-082991-main) id AA26737; Thu, 12 May 94 12:03:20 EDT
From: tkevans@eplrx7.es.duPont.com (Tim Evans)
Received: by barkeep (5.0) id AA07167; Thu, 12 May 1994 12:03:55 +0500
Message-Id: <9405121603.AA07167@barkeep>
Subject: Re: FTP Security
To: mjr@tis.com (Marcus J Ranum)
Date: Thu, 12 May 1994 12:03:54 -0400 (EDT)
Cc: Firewalls@greatcircle.com, mstickle@lvh.com
In-Reply-To: <9405121507.AA10173@tis.com> from "Marcus J Ranum" at May 12, 94 11:07:44 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 808
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Sez Marcus J Ranum (for which I'm grateful):
>
> 	Scanning for DOS virii on a UNIX box is also a bit of a
>wild goose chase. Why?
>Because any DOS executable that's being
>transmitted through the UNIX box is probably encoded for transmission
>and then you have the whole issue of figuring out what the encoding
>is and means...
>

IBM's AIX does have a 'virscan' command which can examine DOS
executables for a pre-set list of well-known virus "signatures." As
Marcus notes, encoded stuff can't be scanned, but if it's unpacked under
AIX, 'virscan' might be useful.
--
Tim Evans                    | E.I. du Pont de Nemours & Co.
tkevans@eplrx7.es.dupont.com | Experimental Station
(302) 695-9353/8638 (FAX)    | P.O. Box 80357
EVANSTK AT A1 AT ESVAX       | Wilmington, Delaware 19880-0357

From firewalls-owner Thu May 12 10:19:10 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA25304; Thu, 12 May 1994 17:05:39 GMT
Received: from panix.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA25298; Thu, 12 May 1994 10:05:25 -0700
Received: by panix.com id AA15677 (5.65c/IDA-1.4.4 for Firewalls Mailing List ); Thu, 12 May 1994 13:06:15 -0400
Date: Thu, 12 May 1994 13:06:15 -0400
From: Andy Finkenstadt
Message-Id: <199405121706.AA15677@panix.com>
To: Firewalls Mailing List
Subject: SUMMARY: What is IP Source Routing?
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Here is a summary of what IP Source Routing is, many thanks to

    smb@research.att.com (Steve Bellovin)
    Icarus Sparry
    blu@jericho.mc.com (Brian Utterback)

-Andy

Steve Bellovin said:

>IP Source Routing is where the packet itself contains a list of
>hops to take, rather than relying on routing tables. See RFC791 (the
>IP spec) for details, or any decent book on IP (i.e., Comer or Stevens).
>For details on security issues, see an old paper of mine:
>
>	research.att.com:/dist/internet_security/ipext.ps.Z.
>
>		--Steve Bellovin

Icarus Sparry said:

>In normal IP, each router decides where to send the packet,
>based on the destination IP address
>
>In Loose Source routeing, each router decides where to send the
>packet, based on the next address in the list of addresses that the
>packet must go through.
>
>Source routing is just like Loose source routing, except that ALL
>addresses have to be specified.
>
>This stuff is covered in the basic RFC's describing IP.
>

Brian Utterback says:

>Source routing occurs when the packet source pre-determines the route
>that the packet should take to a destination, overriding the routing
>choices of the routers along the way. It can be used to bypass
>certain firewall configurations. Many single-homed systems can be
>compelled into routing via this method. It is used primarily for
>debugging and network management purposes. If a router goes bonkers
>and stops advertising routes, you can still talk to it via source
>routing to fix it.
>

--
andy@genie.geis.com | Andy Finkenstadt, GEnie Sysop, GEnie Postmaster
andy@tml.com        | Systems Engineer, TML Information Services, Inc.
genie@panix.com     | +1 718-793-9099

From firewalls-owner Thu May 12 10:49:20 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA25556; Thu, 12 May 1994 17:32:31 GMT
Received: from duke.group1.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA25550; Thu, 12 May 1994 10:32:24 -0700
Subject: Ports that SHOULDN't be blocked
To: firewalls@greatcircle.com
Date: Thu, 12 May 1994 10:33:13 -0700 (PDT)
From: Ken Jones
X-Mailer: ELM [version 2.4 PL20]
Content-Type: text
Content-Length: 442
Message-ID: <9405121033.aa10439@duke.group1.com>
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hi All,

I am getting ready to block incoming traffic to our net. What I am
trying to determine is which tcp and udp ports not to block (generically)
from the internet. I plan on allowing telnet (23) and mail (25), but what
other ports should I leave open.

Thanks - Ken
--
Ken Jones          | Group One, Ltd.    |
kenj@group1.com    | 220 Bush St. #350  |
Systems / Network  | San Francisco, Ca. |
Administrator      | 94104              |

From firewalls-owner Thu May 12 10:50:11 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA25294; Thu, 12 May 1994 17:04:58 GMT
Received: from dixon.DeLong.SJ.CA.US by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA25288; Thu, 12 May 1994 10:04:48 -0700
Received: by dixon.DeLong.SJ.CA.US (8.6.9/SMI-4.1) id KAA06052; Thu, 12 May 1994 10:09:23 -0700
From: owen@DeLong.SJ.CA.US (Owen DeLong)
Message-Id: <199405121709.KAA06052@dixon.DeLong.SJ.CA.US>
Subject: Re: Firewalls Digest V3 #140
To: Firewalls@GreatCircle.COM
Date: Thu, 12 May 1994 10:09:23 -0700 (PDT)
In-Reply-To: <199405120800.BAA22390@mycroft.GreatCircle.COM> from "Firewalls-Digest-Owner@GreatCircle.COM" at May 12, 94 01:00:11 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2089
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> The sense *I* get is that it's a GUI client - an X-Windows client.
> This should be listening on ports, this doesn't pose X-Server
> security problems. Yes, the program itself may have bugs (can
> I send an X series of keystrokes to the program from elsewhere?),
> but that's not an X-problem per se, it's an application program.

How can the application differentiate between a spoofed packet that
has the correct source address, but did not come from the correct
source host and a legitimate packet from the source host. It seems
to me that this would be virtually impossible unless you could tell
the kernel not to accept packets from a certain source address through
the exterior interface.

i.e.

[A] -----INET-----[B] ---internal-net---[C]

Xserver runs on C
GUI (Xclient) runs on B which is dual-homed firewall
A is hackers system

A sends packet out masquerading as C to B's Xclient claiming that certain
keyboard/mouse events have occurred. How can the X client protect itself
against this type of attack? Admittedly, this requires A have knowledge
of a few things that are hard to know, but they are not impossible.

Also, if anyone cracks B at all, they may be able to send the display of
your GUI right to their host and use your GUI to change your firewall in
interesting ways.

> Obviously, I'm not saying that these problems EXIST, but rather
> that this is the area of attack. I have no qualms about X-clients
> on a firewall machine - XTerm is not a security hole. Have a

Yes it is.

> GUI front end (or a curses front end) should be welcome for non-expert
> users. If the front end simply writes (ASCII?) config files and makes
> configuration easier, then so be it. If inetd had an inet*GUI front
> end to write out an /etc/services file, it's not a problem.

True, but I would not want to run an X client or Server directly on
a firewall host. Rather I would suggest running the GUI on some other
machine, and then using an ftp client on the firewall to obtain the
files created by the GUI.

>
> chuck yerkes
> consultant

Owen DeLong
Netcom Network Operations

From firewalls-owner Thu May 12 18:13:30 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id SAA25949; Thu, 12 May 1994 18:13:30 GMT
Received: from mail.unet.umn.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id LAA25943; Thu, 12 May 1994 11:13:21 -0700
Received: from nic (nic.state.mn.us) by mail.unet.umn.edu (5.65c) id AA22039; Thu, 12 May 1994 13:14:12 -0500
Received: from dor10.mdor.state.mn.us by nic (4.1/) id AA05599; Thu, 12 May 94 13:14:22 CDT
Received: from DOR10/MAILQUEUE by dor10.mdor.state.mn.us (Mercury 1.11); Thu, 12 May 94 13:12:01 GMT+5
Received: from MAILQUEUE by DOR10 (Mercury 1.11); Thu, 12 May 94 13:11:29 GMT+5
From: "Steve Moubray"
To: Firewalls@greatcircle.com
Date: Thu, 12 May 1994 13:11:22 CST6CDT
Subject: IPX SAP Filtering using Cisco 4000
Priority: normal
X-Mailer: Pegasus Mail/Windows (v1.11a)
Message-Id: <2FC28DC00BE@dor10.mdor.state.mn.us>
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

We have a group of individuals that want to send IPX across our WAN.
I don't like the idea but it is only for a test and will be up for
about 1 week. I can't stop it (the powers that be insist). Using an
IP Tunnel is out of the question because they think that the tunnel is
causing the problems.

We have a person that manages a Cisco 4000 that will route the IPX. He
doesn't believe that we can do IPX SAP filtering on the Cisco. We should
be able to create a SAP table of devices that we want to let through but
since I don't have the documentation for the Cisco and probably won't be
able to get my hands on it until after the hole is opened up, I was
hoping that someone could give me enough information so I can point this
person in the right direction.

I know of one company that uses Cisco routers on every subnet and they
filter out most of the SAPs. I just don't know what that table looks
like.

Any help will be greatly appreciated.

Thanks!!!

Steve Moubray (612) 296-2991
e-mail: steve.moubray@state.mn.us
Minnesota Department of Revenue
10 River Park Plaza
St. Paul, MN 55107

From firewalls-owner Thu May 12 11:19:10 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id SAA25848; Thu, 12 May 1994 18:05:29 GMT
Received: from emory.mathcs.emory.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id LAA25827; Thu, 12 May 1994 11:05:15 -0700
Received: from kd4nc.UUCP by emory.mathcs.emory.edu (5.65/Emory_mathcs.3.4.25) via UUCP id AA20668 ; Thu, 12 May 94 14:06:09 -0400
Received: by kd4nc (/\==/\ Smail3.1.28.1 #28.1) id ; Thu, 12 May 94 13:06 EDT
Received: by willard.atl.ga.us (4.1/SMI-4.1) id AA09708; Thu, 12 May 94 10:48:02 EDT
Newsgroups: willard.firewalls
Path: willard!wdawson
From: wdawson@willard.atl.ga.us (Willard Dawson)
Subject: Re: Checkpoint FireWall-1 sanity check
Message-Id:
Organization: Willard's House
References: <199405111349.AA19208@applicom.co.il>
Date: Thu, 12 May 1994 14:46:08 GMT
Content-Type: text
Content-Length: 616
Apparently-To: firewalls@greatcircle.com
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

horen@applicom.co.IL (Jonathan B. Horen) writes:

>When I initially set-up our
>firewall, I used a combination of Wietse Venema's tcpd-wrapper and
>Marcus J. Ranum's FireWall ToolKit. They worked well, but tcpd-wrapper
>was difficult to maintain in a heterogeneous environment (Sun, AIX,
>HPUX, PC), across an ever-growing number of hosts (yes, complexity DOES
>= problems :)

I've got the same systems on my LAN. I cannot say that I agree with your
statement that tcpd-wrapper is difficult to maintain. No, I'd say that
it's the easiest thing in the world to configure. What problems did you
have, specifically?
From firewalls-owner Thu May 12 18:38:41 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id SAA26109; Thu, 12 May 1994 18:38:41 GMT Received: from Sun.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id LAA26103; Thu, 12 May 1994 11:38:32 -0700 Received: from West.Sun.COM (west.West.Sun.COM) by Sun.COM (sun-barr.Sun.COM) id AA05575; Thu, 12 May 94 11:38:49 PDT Received: from maui.West.Sun.COM by West.Sun.COM (5.0/SMI-5.3) id AA03337; Thu, 12 May 1994 11:34:17 +0800 Received: from twiddle.West.Sun.COM by maui.West.Sun.COM (4.1/SMI-4.1) id AA25869; Thu, 12 May 94 11:34:16 PDT Received: by twiddle.West.Sun.COM (5.0/SMI-SVR4) id AA17696; Thu, 12 May 1994 11:35:10 +0800 Date: Thu, 12 May 1994 11:35:10 +0800 From: Paul.Danielson@West.Sun.COM (Paul Danielson) Message-Id: <9405121835.AA17696@twiddle.West.Sun.COM> To: dconklin@itp.corp.harris.com Subject: Re: Looking for Net Monitoring Pkg Cc: firewalls@GreatCircle.COM X-Sun-Charset: US-ASCII Content-Length: 1319 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk For Solaris, there is a program called "snoop" which provides all the requested functionality for a TCP/IP based net. You can monitor packet traffic, filter on source and destination, save as much of each packet as you want, generate reports on various criteria, etc, etc. Really useful for general network debug, as well as security monitoring. It comes bundled with Solaris 2.x; a limited functionality version is available for Solaris 1.x (SunOS 4.x). It only runs on SPARC hardware right now, as far as I know. The Solaris for x86 version with snoop should be available around August. 
Paul paul.danielson@west.sun.com > From firewalls-owner@GreatCircle.COM Thu May 12 07:07:13 1994 > Date: Thu, 12 May 1994 09:33:32 +0500 > From: dconklin@itp.corp.harris.com (Dave Conklin) > To: firewalls@GreatCircle.COM > Subject: Looking for Net Monitoring Pkg > X-Sun-Charset: US-ASCII > Content-Length: 346 > Sender: Firewalls-Owner@GreatCircle.COM > > Hello, > > I am looking for packages that will allow me to monitor packets on my > net and report traffic statistics by packet type for each source & > destination DNS name (or IP addr if not listed). A bonus would be the > ability to filter on DNS name (or IP addr). Can someone point me in a > likely direction? > > Dave Conklin > dconklin@itp.corp.harris.com > From firewalls-owner Thu May 12 11:49:10 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id SAA25802; Thu, 12 May 1994 18:03:17 GMT Received: from ecmwf.co.uk by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id LAA25785; Thu, 12 May 1994 11:01:14 -0700 Received: from helena.ecmwf.co.uk by ecmwf.co.uk (4.1/SMI-4.1-MHS-7.0) id AA25717; Thu, 12 May 94 19:01:35 BST for firewalls@GreatCircle.COM From: syj@ecmwf.co.uk (Jean-Philippe Martin-Flatin) Message-Id: <9405121901.ZM29128@helena> Date: Thu, 12 May 1994 19:01:34 +0100 X-Mailer: Z-Mail (2.1.5 20sep93) To: firewalls@GreatCircle.COM Subject: SUMMARY: Security aspects of Gopher, WAIS & WWW/Mosaic Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Here is a summary of the answers I received about the security aspects of Gopher, WAIS and WWW/Mosaic. Many thanks to all these people. I also add a collection of pointers at the end. Enjoy Jean-Philippe -------------------------------------------------------------------------------- From: smb@research.att.com If you don't do chroot in gopher, the code has to check for allowable pathnames itself. It got the check wrong. 
-------------------------------------------------------------------------------- From: smb@research.att.com There are a certain set of files that are supposed to be available via gopher. There's a much larger set that should not be. The right way to make that distinction is to use the chroot() system call, which (in effect) declares a subtree of the file system to be all there is. Gopher normally operates that way. However, it has an option to do the checking itself -- you pass the root to gopherd, and it tries to tell if any given file reference is to something that's a descendant of the specified root. That code was buggy. -------------------------------------------------------------------------------- From: "Stephen C. Trier" Pathnames: Unix paths are flexible, which means these have been a perpetual problem for gopher and WWW servers. A recent discovery was that paths including "." or ".." could open holes in servers that had world-writable directories elsewhere on their machines and which did not use chroot for the gopher server. Metacharacters: Properly guarding against shell metacharacters is a perpetual problem. Gn had a bug in which all metacharacters but one were guarded against. This led to possible shell access. (This hole is not known to have been exploited.) I got fed up with trying to keep gopherd safe running non-chroot and finally set it up chroot. Since there is no longer any reason not to run it chroot, perhaps the non-chroot feature should be removed entirely. Strangely, I trust gn's non-chroot operation, because it has other mechanisms that make up for chroot. 
Stephen -------------------------------------------------------------------------------- From: mlachow@maverick1.erenj.com (Michael Lachowski) The Gopher telnet hole was the same as in Mosaic -------------------------------------------------------------------------------- From: kshores@cclink.draper.com The UMinn Gopher 1.12 server code had a problem similar to the Mosaic client Telnet URL bug, which was fixed by adding some simple tests for semi-colons and other delimiters (gopher used "popen" instead of "system", but both use a shell program to start the desired process and that is the real root of the problem). I wasn't really using gopher prior to 1.12S so there may have been other problems that I had not heard about. In addition to the client security issues (which have been heavily discussed on this list) when running a proxy server you have the security issues inherent in the server. Running chroot is an attempt to isolate the system from such problems. I haven't really dealt with those issues beyond some mods to 1.12S (which were sent to UMinn a few months ago, I don't know if they ever did anything with them) to support our Gopher proxy. Those mods replaced the popen with fork-and-exec and removed some code which allowed implicit execution of shell scripts on the server. If you're interested and can't get the code from UMinn just ask and I'll send a copy to you. Ken -------------------------------------------------------------------------------- From: Bill Hefley May I commend to you the repository of CERT Advisories available via FTP on cert.org? I know that the gopher problem of last summer had an advisory issued. -------------------------------------------------------------------------------- From: Ronald L. Sharp I do not have direct information but I would highly recommend a new book called "Firewalls and Internet Security, Repelling the Willy Hacker", by William Cheswick and Steven Bellovin. 
I have read an early copy; it covers many security vulnerabilities. The book is just now going to the book stores. You may have seen a notice already for this book on the firewalls mailing list.

Ron Sharp

--------------------------------------------------------------------------------
POINTERS
--------------------------------------------------------------------------------

Mailing lists
-------------
firewalls@greatcircle.com
www-talk@info.cern.ch
gopher-news@boombox.micro.umn.edu

Usenet News
-----------
comp.security.unix
comp.infosystems.www
comp.infosystems.gopher
comp.infosystems.wais

FAQs
----
http://www.cis.ohio-state.edu/hypertext/faq/usenet/security-faq/faq.html
http://info.cern.ch/hypertext/WWW/FAQ/List.html
http://siva.cshl.org/~boutell/www_faq.html
http://www.cis.ohio-state.edu/hypertext/faq/usenet/gopher-faq/faq.html
http://www.cis.ohio-state.edu/hypertext/faq/usenet/wais-faq/getting-started/faq.html
ftp://rtfm.mit.edu/pub/usenet/news.answers/security-faq
ftp://rtfm.mit.edu/pub/usenet/news.answers/gopher-faq
ftp://rtfm.mit.edu/pub/usenet/news.answers/wais-faq/getting-started

NCSA Security documents
-----------------------
http://south.ncsa.uiuc.edu/security.html
http://hoohoo.ncsa.uiuc.edu/cgi/security.html
http://www.ncsa.uiuc.edu/SDG/Software/Mosaic/executing-shell-scripts.html

From firewalls-owner Thu May 12 18:59:54 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id SAA26246; Thu, 12 May 1994 18:59:54 GMT
Received: from mjt.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id LAA26240; Thu, 12 May 1994 11:59:44 -0700
Received: from mjt.com (postoffice.durango.mjt.com [198.135.68.94]) by mjt.com (8.6.9/8.6.5) with SMTP id NAA08258 for ; Thu, 12 May 1994 13:03:02 GMT
Received: by mjt.com with Microsoft Mail id <2DD28AD8@mjt.com>; Thu, 12 May 94 13:00:24 PDT
From: Terry Guder
To: "'firewalls@greatcircle.com'"
Subject: firewalls Terry Guder
Date: Thu, 12 May 94 12:58:00 PDT
Message-ID: <2DD28AD8@mjt.com>
Encoding: 1 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

From firewalls-owner Thu May 12 19:09:24 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA26406; Thu, 12 May 1994 19:09:24 GMT
Received: from jpmorgan by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA26400; Thu, 12 May 1994 12:09:04 -0700
From: cyerkes@jpmorgan.com
Received: by jpmorgan (8.6.4/fma-120691.2); id PAA13840; Thu, 12 May 1994 15:09:56 -0400
Received: by tcpg01a.ny.jpmorgan.com (8.6.4/fma-120691); id PAA22202; Thu, 12 May 1994 15:09:55 -0400
Received: from delacroix.lsi.ny.jpmorgan.com by athena1.lsi.ny.jpmorgan.com with SMTP id PAA05650; Thu, 12 May 1994 15:09:54 -0400
Received: by delacroix.lsi.ny.jpmorgan.com (4.1/4.7) id AA16569; Thu, 12 May 94 15:09:54 EDT
Date: Thu, 12 May 94 15:09:54 EDT
Message-Id: <9405121909.AA16569@delacroix.lsi.ny.jpmorgan.com>
To: owen@DeLong.SJ.CA.US
Subject: Re: Firewalls Digest V3 #140
Cc: Firewalls@GreatCircle.COM
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> > The sense *I* get is that it's a GUI client - an X-Windows client.
> > This should be listening on ports, this doesn't pose X-Server
> > security problems. Yes, the program itself may have bugs (can
> > I send an X series of keystrokes to the program from elsewhere?),
> > but that's not an X-problem per se, it's an application program.
>
> How can the application differentiate between a spoofed packet that
> has the correct source address, but did not come from the correct
> source host and a legitimate packet from the source host. It seems
> to me that this would be virtually impossible unless you could tell
> the kernel not to accept packets from a certain source address through
> the exterior interface.
>
> i.e.
>
> [A] -----INET-----[B] ---internal-net---[C]
>
> Xserver runs on C
> GUI (Xclient) runs on B which is dual-homed firewall
> A is hacker's system

-- Uh, that would be *Cracker's* system - I'm a hacker.

> A sends packet out masquerading as C to B's Xclient claiming that
> certain keyboard/mouse events have occurred.
>
> How can the X client protect itself against this type of attack?
>
> Admittedly, this requires A have knowledge of a few things that
> are hard to know, but they are not impossible.
>
> Also, if anyone cracks B at all, they may be able to send the
> display of your GUI right to their host and use your GUI to change
> your firewall in interesting ways.

You forget a step B1, which is my ROUTER in front of B, that limits ports. This can be a setup where the bastion host (B) has knowledge of which port a packet came from and denies invalid ones, or the more common dedicated router. Otherwise, I'm open to a spoof whether I'm using telnet and vi, or a fancy GUI....

If someone cracks B, I'm screwed anyway, GUI or not.

Bottom line, if I can convince B that a packet is from the internal net (C), I'm open to attack.

I'm not a GUI advocate (although curses-based programs, like vi, are sometimes helpful), but if it makes management clearer, then it's good. Being an X client is not inherently any worse than being a telnet client - the program (the X client) can have holes, but that's an application issue, rather than an X issue. I can have holes in vi (actually, there are some) - same level of risk. A BAD program is always a bad program - regardless of X or curses.

Someone brought up that xterm, set-uid or set-gid, can pose a risk. Of course it can, but hopefully we set up our firewalls intelligently.

Someone else (same person??) complained that my example of a GUI to /etc/services would be bad and dangerous, as it could make errors. So do humans. Programmatically enforcing policies is fine. A front end is a simpler way to do it than rewriting portmap or inetd.
chuck
-------
chuck yerkes, consultant
yerkes_chuck@jpmorgan.com

From firewalls-owner Thu May 12 12:19:08 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA26473; Thu, 12 May 1994 19:14:03 GMT
Received: from pserv1.dot.state.az.us by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA26466; Thu, 12 May 1994 12:13:43 -0700
Received: by pserv1.dot.state.az.us (5.65c/1.921207) id AA16822; Thu, 12 May 1994 12:13:50 -0700
From: tom@pserv1.dot.state.az.us (Tom Brink)
Message-Id: <199405121913.AA16822@pserv1.dot.state.az.us>
Subject: Ports that SHOULDN't be blocked (fwd)
To: firewalls@greatcircle.com (Firewalls Mailing List)
Date: Thu, 12 May 94 12:13:49 MST
Reply-To: tom@pserv1.dot.state.az.us
X-Mailer: ELM [version 07.00.00.00 (2.3 PL11)]
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Ken Jones writes:
> Hi All,
>
> I am getting ready to block incoming traffic to our net.
> What I am trying to determine is which tcp and udp
> ports not to block (generically) from the internet.
>
> I plan on allowing telnet (23) and mail (25), but what
> other ports should I leave open.
>
> Thanks
> - Ken
>
> --
> Ken Jones          | Group One, Ltd.      |
> kenj@group1.com    | 220 Bush St. #350    |
> Systems / Network  | San Francisco, Ca.   |
> Administrator      | 94104                |
>

If you are going to NOT block telnet, why block at all?

--
Tom Brink
Technical Support Specialist
Computer Aided Engineering Section
Arizona Department of Transportation
tom@dot.state.az.us

From firewalls-owner Thu May 12 12:22:15 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA25411; Thu, 12 May 1994 17:23:37 GMT
Received: from mycroft.GreatCircle.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA25403; Thu, 12 May 1994 10:23:30 -0700
Message-Id: <199405121723.KAA25403@mycroft.GreatCircle.COM>
To: Andy Finkenstadt
cc: firewalls@greatcircle.com
Subject: Re: What is IP Source Routing?
In-reply-to: Your message of Thu, 12 May 1994 09:40:48 -0400 (EDT)
Date: Thu, 12 May 1994 10:23:28 -0700
From: Brent Chapman
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Andy Finkenstadt writes:
# In the context of firewall discussions, I saw this quote from the
# Firewalls & Internet Security book fly by:
#
#   Is IP forwarding really off; will ICMP redirects change it?
#   What about IP source routing? You can only be sure by examining
#   kernel source code and carefully experimenting.
#
# I understand what IP Forwarding is - where packets for a network
# which is (presumably) not on the current network is sent to a machine
# who will act as a gateway to the other network. A simple example of
# this might be a dual-homed Sun host, with machines on one network
# configured to have a default route to the Sun, which straddles the
# line between the protected network and the DMZ network.
#
# Which RFC and other documents should I read to learn all about ICMP
# and why a redirect might change the status of IP forwarding?
#
# What is IP Source Routing? The only definition I can come up
# with on my own would have been the same as the IP forwarding.

In my opinion, the best general reference for this info is Doug Comer's book "Internetworking with TCP/IP, Volume I: Principles, Protocols, and Architecture" (1991, Prentice Hall; ISBN 0-13-468505-9). I have the Second Edition; there may be a later edition available now. The book provides a good introduction to all the nitty-gritty IP details, and pointers to the relevant RFCs and so forth for the real scoop. When I want to know something about some particular facet of IP, I check Comer's book first, and then if I feel I still need more detail than he provides, check the referenced RFCs.

ICMP is covered in Chapter 9; ICMP Redirect is specifically covered in Section 9.11, on page 131. Basically, an ICMP Redirect tells the recipient to over-ride something in its routing table.
It is legitimately used by routers to tell hosts that the host is using a non-optimal route to a particular destination, i.e. the host is sending it to the wrong router. The wrong router sends the host back an ICMP Redirect packet that tells the host what the right router is. Obviously, if you can forge ICMP Redirect packets, and if your host pays attention to them, you can muck with the routing tables on the host and possibly subvert the security of the host by causing traffic to flow via a path the network manager didn't intend.

IP source routing is covered in section 7.8.2, on page 103. Basically, an IP packet can include an option that specifies (in the packet headers) the route the packet should take to its destination. If a router pays attention to IP source routing at all (firewall routers should probably be configured NOT to pay attention to such information), this information can be used to over-ride what the router would normally do with the packet and thus possibly subvert security. Many UNIX kernels will forward a source-routed packet EVEN IF "IP Forwarding" has supposedly been disabled on that kernel.
-Brent

--
Brent Chapman          | Great Circle Associates | Call or email for info about
Brent@GreatCircle.COM  | 1057 West Dana Street   | upcoming Internet Security
+1 415 962 0841        | Mountain View, CA 94041 | Firewalls Tutorial dates

From firewalls-owner Thu May 12 12:49:13 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA24967; Thu, 12 May 1994 16:47:39 GMT
Received: from csn.org by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA24960; Thu, 12 May 1994 09:47:14 -0700
Received: from opus.UUCP by csn.org with UUCP id AA23821 (5.65c/IDA-1.4.4 for firewalls@greatcircle.com); Thu, 12 May 1994 10:48:00 -0600
Received: from whizbang.Intellistor.COM by opus (4.1/SMI-opus) id AA28024; Thu, 12 May 94 10:02:26 MDT
Received: by whizbang.Intellistor.COM (4.1/SMI-4.1) id AA03707; Thu, 12 May 94 10:09:48 MDT
Date: Thu, 12 May 94 10:09:48 MDT
From: qjohnson@intellistor.com (Quentin Johnson)
Message-Id: <9405121609.AA03707@whizbang.Intellistor.COM>
To: firewalls@greatcircle.com
Subject: Re: What is IP Source Routing?
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Andy Finkenstadt writes:
>
> In the context of firewall discussions, I saw this quote from the
> Firewalls & Internet Security book fly by:
>
>   Is IP forwarding really off; will ICMP redirects change it?
>   What about IP source routing? You can only be sure by examining
>   kernel source code and carefully experimenting.
>
> I understand what IP Forwarding is - where packets for a network
> which is (presumably) not on the current network is sent to a machine
> who will act as a gateway to the other network. A simple example of
> this might be a dual-homed Sun host, with machines on one network
> configured to have a default route to the Sun, which straddles the
> line between the protected network and the DMZ network.
>
> Which RFC and other documents should I read to learn all about ICMP
> and why a redirect might change the status of IP forwarding?
>
> What is IP Source Routing? The only definition I can come up
> with on my own would have been the same as the IP forwarding.
>
> Andy

Section 7.8.2 of Comer's TCP/IP book discusses it. Source routing permits the originator of a packet to specify the complete route to the destination. Normally, routing decisions are made along the way, by routers receiving the packet. Source routing seems to come from that golden, innocent age -- before 1987 :-}

If a router believes an ICMP redirect message from the outside, then attackers can teach your router (in our discussion a dual-homed host is acting as a router) to use incorrect routes. This is badness!

Quent

From firewalls-owner Thu May 12 19:57:36 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA26826; Thu, 12 May 1994 19:57:36 GMT
Received: from sgi1.phlab.missouri.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA26813; Thu, 12 May 1994 12:57:20 -0700
Received: from sgi7.phlab.missouri.edu (sgi7.phlab.missouri.edu [128.206.115.37]) by sgi1.phlab.missouri.edu (8.6.8.1/8.6.6) with SMTP id OAA25664 for <@sgi1.phlab.missouri.edu:firewalls@GreatCircle.COM>; Thu, 12 May 1994 14:58:15 -0500
Received: by sgi7.phlab.missouri.edu (931110.SGI/931108.SGI.AUTO.ANONFTP) for @sgi1.phlab.missouri.edu:firewalls@GreatCircle.COM id AA07252; Thu, 12 May 94 14:58:15 -0500
Date: Thu, 12 May 1994 14:58:11 -0500 (CDT)
From: Justin Bhansali
Subject: Re: Looking for Net Monitoring Pkg
To: firewalls@GreatCircle.COM
In-Reply-To: <9405121835.AA17696@twiddle.West.Sun.COM>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

For Silicon Graphics machines there's a really good connection monitor called TCPview. If you want to actually inspect the packets, then TCPdump is the program you are looking for; just do an archie for it.
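[Editor's added example, not code from any poster.] The source-routing thread above (Chapman, Johnson) describes two things a screening router should refuse: datagrams carrying a loose or strict source-route option, and ICMP redirects arriving from outside. Whether a given router honours them can only be settled by testing, as the quoted book says, and a test needs packets that carry those options. The code below builds such packets and the check that flags them. The addresses are from documentation ranges and the packets are constructed in memory, not captured; the option type values (131 for LSRR, 137 for SSRR) and the ICMP redirect layout are the standard IPv4 ones.

```python
"""Build IPv4 datagrams with source-route options or an ICMP redirect, and
classify raw packet bytes as something a screening router should drop.
Editor's example; packets are constructed inline, not captured."""
import struct

IPOPT_LSRR = 131      # loose source and record route
IPOPT_SSRR = 137      # strict source and record route
PROTO_ICMP = 1
ICMP_REDIRECT = 5


def _addr(a):
    return bytes(int(x) for x in a.split("."))


def ip_checksum(data):
    """RFC 1071 one's-complement sum; a header that already carries a correct
    checksum sums to zero."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src, dst, proto, payload=b"", options=b""):
    """IPv4 header with optional options (padded to a 32-bit boundary)."""
    options += b"\0" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0, 0, 64, proto, 0, _addr(src), _addr(dst)) + options
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def source_route_option(hops, strict=False):
    """LSRR/SSRR option: type, length, pointer (4 = first hop), hop list."""
    data = b"".join(_addr(h) for h in hops)
    return bytes([IPOPT_SSRR if strict else IPOPT_LSRR, 3 + len(data), 4]) + data


def icmp_redirect(gateway, original_datagram):
    """ICMP type 5 code 1 (redirect for host): new gateway, then the IP header
    plus 8 bytes of the datagram that supposedly triggered the redirect."""
    body = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, _addr(gateway)) + original_datagram[:28]
    return body[:2] + struct.pack("!H", ip_checksum(body)) + body[4:]


def parse_options(pkt):
    """Walk the option list between byte 20 and the end of the header."""
    ihl = (pkt[0] & 0x0F) * 4
    opts, i = [], 20
    while i < ihl:
        t = pkt[i]
        if t == 0:                      # end of option list
            break
        if t == 1:                      # no-operation, one byte
            i += 1
            continue
        length = pkt[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("option runs past header")
        opts.append((t, pkt[i + 2:i + length]))
        i += length
    return opts


def classify(pkt):
    """Return why a screening router should drop pkt, or None to pass it.
    A source route lets the sender dictate the path through the firewall, so
    it is refused regardless of anything else in the packet; an ICMP redirect
    from outside is what the thread warns will rewrite a host's routing table."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not IPv4"
    ihl = (pkt[0] & 0x0F) * 4
    try:
        opts = parse_options(pkt)
    except (ValueError, IndexError):
        return "malformed IP options"
    for t, data in opts:
        if t in (IPOPT_LSRR, IPOPT_SSRR):
            hops = [".".join(str(b) for b in data[1 + i:5 + i]) for i in range(0, len(data) - 1, 4)]
            kind = "strict" if t == IPOPT_SSRR else "loose"
            return f"{kind} source route via " + " -> ".join(hops)
    if pkt[9] == PROTO_ICMP and len(pkt) >= ihl + 8 and pkt[ihl] == ICMP_REDIRECT:
        return "ICMP redirect to gateway " + ".".join(str(b) for b in pkt[ihl + 4:ihl + 8])
    return None


if __name__ == "__main__":
    plain = build_ipv4("10.0.0.5", "192.0.2.10", 6, b"\0" * 20)
    lsrr = build_ipv4("198.51.100.7", "192.0.2.10", 6, b"\0" * 20,
                      options=source_route_option(["203.0.113.1", "10.0.0.1"]))
    redir = build_ipv4("198.51.100.7", "10.0.0.5", PROTO_ICMP, icmp_redirect("198.51.100.1", plain))
    for name, p in (("plain", plain), ("lsrr", lsrr), ("redirect", redir)):
        print(f"{name:9}{classify(p)}")
```

Feeding the generated bytes to a raw socket is left out deliberately; the point of the block is the parse-and-decide step, which is also what you would run over a tcpdump capture to confirm a router is really ignoring these packets.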
From firewalls-owner Thu May 12 13:08:15 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA24818; Thu, 12 May 1994 16:33:48 GMT
Received: from sd.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA24810; Thu, 12 May 1994 09:33:31 -0700
Received: from thedog.tessi.com.tessi.com by sd.com (4.1/SMI-4.1) id AA29373; Thu, 12 May 94 09:33:46 PDT
Date: Thu, 12 May 94 09:33:45 PDT
From: kozowski@sd.com (Eric Kozowski)
Message-Id: <9405121633.AA29373@sd.com>
To: firewalls@GreatCircle.COM, shipley@merde.dis.org
Subject: Re: Livingston Firewall Configurations
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>does anyone have any examples and advise on setting ip filtering
>on a Livinston IRX and portmaster routers? I am familiar with ciscos
>and the concepts and I just trying not to reinvent the wheel?
>

Here is an example:

    permit tcp estab
    permit udp estab
    permit 0.0.0.0/0 host.domain.com/24 tcp dst eq telnet
    permit 0.0.0.0/0 host.domain.com/24 tcp dst eq nntp
    permit 0.0.0.0/0 host.domain.com/24 tcp dst eq smtp
    permit 0.0.0.0/0 host.domain.com/24 tcp dst eq domain
    permit 0.0.0.0/0 host.domain.com/24 tcp dst eq ftp-data
    permit 0.0.0.0/0 host.domain.com/24 tcp dst eq ftp
    permit tcp src eq ftp-data dst gt 1023
    permit 0.0.0.0/0 host.domain.com/24 udp dst eq domain
    permit 0.0.0.0/0 host.domain.com/24 icmp
    permit 0.0.0.0/0 gateway.domain.com/24 icmp
    permit tcp dst eq ntp
    deny tcp
    deny udp
    deny icmp

Eric Kozowski          Summit Design, Inc.
kozowski@sd.com        9305 SW Gemini Drive
Systems Administrator  Beaverton, OR 97005
VOICE: 503/643-9281    FAX: 503/646-4954

From firewalls-owner Thu May 12 13:19:10 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA27056; Thu, 12 May 1994 20:16:20 GMT
Received: from bedrock.cs.UMD.EDU by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA27044; Thu, 12 May 1994 13:16:06 -0700
Received: from localhost by bedrock.cs.UMD.EDU (8.6.5/UMIACS-0.9/04-05-88) id QAA11005; Thu, 12 May 1994 16:16:36 -0400
Date: Thu, 12 May 1994 16:16:36 -0400
From: reh@cs.UMD.EDU (Richard Huddleston)
Message-Id: <199405122016.QAA11005@bedrock.cs.UMD.EDU>
To: brent@GreatCircle.COM, genie@panix.com
Subject: Re: What is IP Source Routing?
Cc: firewalls@GreatCircle.COM
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

[...Comer, Comer, Comer, Comer, Comer...]

And, in the interest of equal time, another superb reference to IP is the recent book by W. Richard Stevens: TCP/IP Illustrated, Volume 1. ISBN 0-201-63346-9.

Many people, myself among them, prefer the Stevens text to Comer. The book is good enough to mention as an alternative to the reflexive grabbing of the Comer texts off of the bookstore shelf, IMHO. I've found that I prefer the RFCs to Comer, but that I prefer Stevens to the RFCs :). Personal preference; your mileage may vary.

May this please not start a pointless flame trade.
Richard

From firewalls-owner Thu May 12 13:19:45 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA24901; Thu, 12 May 1994 16:39:27 GMT
Received: from sd.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA24886; Thu, 12 May 1994 09:39:10 -0700
Received: from thedog.tessi.com.tessi.com by sd.com (4.1/SMI-4.1) id AA29445; Thu, 12 May 94 09:39:33 PDT
Date: Thu, 12 May 94 09:39:33 PDT
From: kozowski@sd.com (Eric Kozowski)
Message-Id: <9405121639.AA29445@sd.com>
To: Firewalls@GreatCircle.COM
Subject: Re: Looking for Net Monitoring Pkg
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>> I am looking for packages that will allow me to monitor packets on my
>> net and report traffic statistics by packet type for each source &
>> destination DNS name (or IP addr if not listed). A bonus would be the
>> ability to filter on DNS name (or IP addr). Can someone point me in a
>> likely direction?
>
>I looked into commercial packages about 9 months ago. By far, the best
>was NetMetrix. Now part of HP. Contact Boyd.baumgartner@nashua.hp.com
>(603) 888-7700. It was also expensive as you needed rmon agents and a
>central station.
>

I recently evaluated most of the major products (Sun NetManager, HP OpenView, NetMetrix, Spectrum) and by far the best, most complete solution was Spectrum from Cabletron. It's pricey ($20k), but you get what you pay for. They also have an extremely good eval policy. I got a 30 day eval license _and_ they flew a tech guy up here for two days! It's a great product.

Eric Kozowski          Summit Design, Inc.
From firewalls-owner Thu May 12 13:49:10 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA27335; Thu, 12 May 1994 20:44:16 GMT
Received: from shadow.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA27327; Thu, 12 May 1994 13:44:07 -0700
Received: (jc@localhost) by shadow.net (8.6.8.1/jc-1.0) id QAA29135; Thu, 12 May 1994 16:46:50 -0400
Date: Thu, 12 May 1994 16:46:50 -0400 (EDT)
From: Justin
Subject: Re: Ports that SHOULDN't be blocked (fwd)
To: Tom Brink
cc: Firewalls Mailing List
In-Reply-To: <199405121913.AA16822@pserv1.dot.state.az.us>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

On Thu, 12 May 1994, Tom Brink wrote:
>
> If you are going to NOT block telnet, why block at all?

I trust telnetd and login more than, say, syslogd, ftpd, imapd, popd, portmap, etc... Here I (have to) allow connections to telnetd and ftpd, but there is no reason to allow access to my portmapper or my syslog daemon, so I block them. What's wrong with that?
-jc

From firewalls-owner Thu May 12 21:07:33 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA27637; Thu, 12 May 1994 21:07:33 GMT
Received: from alpha.xerox.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA27631; Thu, 12 May 1994 14:07:26 -0700
Received: from 13.1.248.3 ([13.1.248.3]) by alpha.xerox.com with SMTP id <14636(8)>; Thu, 12 May 1994 14:05:45 PDT
X-Sender: jlarson@vertigo.parc.xerox.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 12 May 1994 14:06:09 PDT
To: kozowski@sd.com (Eric Kozowski), firewalls@greatcircle.com, shipley@merde.dis.org
From: John Larson
Subject: Re: Livingston Firewall Configurations
Message-Id: <94May12.140545pdt.14636(8)@alpha.xerox.com>
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>permit tcp estab
>permit udp estab

Apparently "estab" means established mode. Does anyone know how Livingston implements this (securely) for UDP? For TCP it is easier since you have state bits to look at in the TCP header.
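[Editor's added example, not code from any poster and not Livingston IRX/PortMaster code.] Three points in the thread fit into one small screening model: the router "in front of B" that Chuck Yerkes relies on to stop packets arriving from the Internet with an inside source address, the "permit ... estab" lines in Eric Kozowski's filter, and John Larson's question of what "established" can even mean for UDP. The rule syntax, the 192.0.2.0/24 inside network, the 30-second UDP timeout and the packets are all invented for the demonstration; how Livingston actually implements "estab" is not on this page.

```python
"""A toy packet screen: interface-aware anti-spoofing, TCP 'established' via
the ACK bit, and UDP 'established' via a table of recently seen outbound
datagrams. Editor's example; rule syntax and addresses are made up."""
import ipaddress

ACK = 0x10      # TCP flag bit
SYN = 0x02


class Packet:
    """Only the header fields the screening decision looks at."""

    def __init__(self, iface, proto, src, sport, dst, dport, flags=0):
        self.iface, self.proto = iface, proto        # iface: "outside" or "inside"
        self.src, self.sport = src, sport
        self.dst, self.dport = dst, dport
        self.flags = flags                           # TCP flags; 0 for UDP/ICMP


class Screen:
    def __init__(self, inside_nets, udp_timeout=30.0):
        self.inside = [ipaddress.ip_network(n) for n in inside_nets]
        self.udp_timeout = udp_timeout               # seconds (assumed value)
        self.rules = []          # (action, proto, dport, estab); first match wins
        self.udp_flows = {}      # (inside ip, port, peer ip, port) -> time last seen

    def rule(self, action, proto, dport=None, estab=False):
        self.rules.append((action, proto, dport, estab))

    def is_inside(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in self.inside)

    def established(self, pkt, now):
        if pkt.proto == "tcp":
            # ACK is set on every segment of an open connection and clear on the
            # SYN that opens one, so this refuses new inbound connections. It is
            # only a bit the sender sets, not proof that a handshake happened.
            return bool(pkt.flags & ACK)
        if pkt.proto == "udp":
            # UDP has no state bits. The only defensible meaning of 'established'
            # is 'reply to a datagram we saw leave recently', which forces the
            # filter to remember outbound flows and expire them.
            seen = self.udp_flows.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return seen is not None and now - seen <= self.udp_timeout
        return False

    def decide(self, pkt, now=0.0):
        """Return ('permit'|'deny', reason) for one packet."""
        if pkt.iface == "outside" and self.is_inside(pkt.src):
            # Anti-spoofing: nothing legitimately arrives from the Internet with
            # an inside source address, whatever the later rules would allow.
            return "deny", "inside source address on outside interface"
        if pkt.iface == "inside":
            if pkt.proto == "udp":
                self.udp_flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
            return "permit", "outbound"
        for action, proto, dport, estab in self.rules:
            if proto not in (pkt.proto, "any"):
                continue
            if dport is not None and dport != pkt.dport:
                continue
            if estab and not self.established(pkt, now):
                continue
            desc = f"{action} {proto}" + (" estab" if estab else "")
            desc += f" dst eq {dport}" if dport is not None else ""
            return action, desc
        return "deny", "no rule matched"


def build_screen():
    """A screen in the spirit of the posted configuration: established traffic,
    SMTP and DNS inbound, everything else denied."""
    s = Screen(["192.0.2.0/24"])
    s.rule("permit", "tcp", estab=True)
    s.rule("permit", "udp", estab=True)
    s.rule("permit", "tcp", dport=25)
    s.rule("permit", "tcp", dport=53)
    s.rule("permit", "udp", dport=53)
    s.rule("deny", "any")
    return s


if __name__ == "__main__":
    s = build_screen()
    cases = [
        ("SYN to telnet from outside", Packet("outside", "tcp", "198.51.100.7", 40000, "192.0.2.10", 23, SYN), 0),
        ("SYN to smtp from outside", Packet("outside", "tcp", "198.51.100.7", 40000, "192.0.2.10", 25, SYN), 0),
        ("ACK-only to telnet from outside", Packet("outside", "tcp", "198.51.100.7", 40000, "192.0.2.10", 23, ACK), 0),
        ("spoofed inside source", Packet("outside", "tcp", "192.0.2.10", 40000, "192.0.2.11", 23, ACK), 0),
        ("unsolicited UDP reply", Packet("outside", "udp", "198.51.100.53", 53, "192.0.2.10", 4000), 10),
        ("DNS query leaving", Packet("inside", "udp", "192.0.2.10", 4000, "198.51.100.53", 53), 10),
        ("DNS reply 5s later", Packet("outside", "udp", "198.51.100.53", 53, "192.0.2.10", 4000), 15),
        ("same reply 90s later", Packet("outside", "udp", "198.51.100.53", 53, "192.0.2.10", 4000), 100),
    ]
    for label, pkt, t in cases:
        print(f"{label:32} {s.decide(pkt, t)}")
```

The "ACK-only to telnet" case is the known weakness of a stateless "permit tcp estab": the packet gets through, though without a SYN it cannot open a connection to telnetd. The UDP cases show why the same keyword for UDP has to be either stateful with a timeout, as modelled here, or meaningless.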
John
________________________________________________________________________
Email: jlarson@jnl.com (from Xerox: jlarson@parc.xerox.com)
Voice: 408-662-9755, Fax: 408-662-9756, Pager: 408-662-4174
US Mail: PO Box 1120 Aptos, CA 95003

From firewalls-owner Thu May 12 21:24:01 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA27749; Thu, 12 May 1994 21:24:01 GMT
Received: from camus.sni-usa.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA27743; Thu, 12 May 1994 14:23:53 -0700
Received: from hugo.sni-usa.com by camus.sni-usa.com (5.61/4.7) id AA02078; Thu, 12 May 94 17:24:24 -0400
Received: by hugo.sni-usa.com (5.61/4.7) id AA01841; Thu, 12 May 94 14:25:47 -0700
To: tom@pserv1.dot.state.az.us
Cc: firewalls@GreatCircle.COM (Firewalls Mailing List)
Subject: Re: Ports that SHOULDN't be blocked (fwd)
In-Reply-To: <199405121913.AA16822@pserv1.dot.state.az.us>
References: <199405121913.AA16822@pserv1.dot.state.az.us>
X-Mailer: Poste 2.1
From: Tom Bechard
Date: Thu, 12 May 94 17:25:46 -0400
Message-Id: <940512172546.1645@hugo.-debug>
Encoding: 35 TEXT, 6 TEXT SIGNATURE
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> Ken Jones writes:
> > Hi All,
> >
> > I am getting ready to block incomming traffic to our net.
> > What I am trying to determine is which tcp and udp
> > ports not to block (generically) from the internet.
> >
> > I plan on allowing telnet (23) and mail (25), but what
> > other ports should I leave open.
> >
> > Thanks
> > - Ken
> >
> Tom Brink writes:
> > If you are going to NOT block telnet, why block at all?
> --
> Tom Brink
> Technical Support Specialist
> Computer Aided Engineering Section
> Arizona Department of Transportation
> tom@dot.state.az.us

Well, he might be wanting to use 'skey' or SDI's secure-card, or a similar one-time password scheme, and he didn't say he was going to open port 23 for *all* hosts.
Of course, a bastion host with SOCKS and a KarlBridge are a much better idea, but not everyone has the resources. At least Ken is making an effort to provide some security, although he will have to be more specific about what services he wants to allow across the firewall, and allowing telnet with passwords in the clear is obviously dangerous.

Regards,
--Tom

********************************************************************
* SIEMENS   Tom Bechard               Internet: tom@sni-usa.com    *
* _______   RDD                       USENET: ...!uunet!tom@sni-usa.com *
*           200 Wheeler Rd.           Ph: [usa](617)273-0480       *
* NIXDORF   Burlington, MA 01803      FAX: [usa](617)221-0236      *
********************************************************************

From firewalls-owner Thu May 12 14:33:56 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA27324; Thu, 12 May 1994 20:43:20 GMT
Received: from xap.xyplex.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA27318; Thu, 12 May 1994 13:43:10 -0700
Received: from tdn.xyplex.com by xap.xyplex.com id ; Thu, 12 May 94 16:31:11 -0500
Received: by eng.xyplex.com (4.1/SMI-4.1) id AA01395; Thu, 12 May 94 16:42:45 EDT
Date: Thu, 12 May 94 16:42:45 EDT
From: tdn@tdn.xyplex.com (Thomas D. Nadeau)
Message-Id: <9405122042.AA01395@eng.xyplex.com>
To: qjohnson@intellistor.com
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9405121609.AA03707@whizbang.Intellistor.COM> (qjohnson@intellistor.com)
Subject: Re: What is IP Source Routing?
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> > What is IP Source Routing? The only definition I can come up
> > with on my own would have been the same as the IP forwarding.

>qj> If a router believes an ICMP redirect message from the outside,
>qj> then attackers can teach your router (in our discussion a
>qj> dual-homed host is acting as a router) to use incorrect routes.
>qj> This is badness!
IP source routing is, in general, a bad thing, and you should make sure that all of your routers disregard source-routed packets, or ignore the source route portion of an IP packet. IP source routing should *only* be used for debugging networks.

--tOm

/---------------------------------------------------------------------/
\                                                                     \
/ Thomas D. Nadeau                    ========       ========         /
\ Internetworking Software            =======        =========        \
/ Xyplex, Inc.                        =======        ======           /
\ 295 Foster Street,                  ========       ==               \
/ Littleton, MA 01460          -------=======        -------          /
\                                     ========       ==               \
/ Voice: (508) 952-4837               =======        ======           /
\ FAX: (508) 952-4887                 =======        =========        \
/ email: tdnadeau@eng.xyplex.com      ========       ==========       /
\                                                                     \
/---------------------------------------------------------------------/

From firewalls-owner Thu May 12 14:49:07 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA27707; Thu, 12 May 1994 21:17:35 GMT
Received: from xap.xyplex.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA27693; Thu, 12 May 1994 14:17:11 -0700
Received: from tdn.xyplex.com by xap.xyplex.com id ; Thu, 12 May 94 17:00:53 -0500
Received: by eng.xyplex.com (4.1/SMI-4.1) id AA01440; Thu, 12 May 94 17:16:40 EDT
Date: Thu, 12 May 94 17:16:40 EDT
From: tdn@tdn.xyplex.com (Thomas D. Nadeau)
Message-Id: <9405122116.AA01440@eng.xyplex.com>
To: kozowski@sd.com
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <9405121639.AA29445@sd.com> (kozowski@sd.com)
Subject: Re: Looking for Net Monitoring Pkg
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

"kozowski" == Eric Kozowski writes:

>kozowski> the best, most complete solution was Spectrum from
>kozowski> Cabletron. It's pricey ($20k), but you get what you pay
>kozowski> for. They also have an extremely good eval policy. I got
>kozowski> a 30 day eval license _and_ the flew a tech guy up here for
>kozowski> two days! It's a great product.
The problem with ctron's Spectrum is that it is huge, and as you mentioned, *very* pricey. In addition, the word out is that it is bug prone.

--tOm

From firewalls-owner Thu May 12 15:19:14 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA27691; Thu, 12 May 1994 21:16:36 GMT
Received: from xap.xyplex.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA27683; Thu, 12 May 1994 14:16:26 -0700
Received: from tdn.xyplex.com by xap.xyplex.com id ; Thu, 12 May 94 16:58:04 -0500
Received: by eng.xyplex.com (4.1/SMI-4.1) id AA01436; Thu, 12 May 94 17:13:43 EDT
Date: Thu, 12 May 94 17:13:43 EDT
From: tdn@tdn.xyplex.com (Thomas D. Nadeau)
Message-Id: <9405122113.AA01436@eng.xyplex.com>
To: c626544@sgi7.phlab.missouri.edu
Cc: firewalls@GreatCircle.COM
In-Reply-To: (message from Justin Bhansali on Thu, 12 May 1994 14:58:11 -0500 (CDT))
Subject: Re: Looking for Net Monitoring Pkg
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>c626544> For Silicon Graphics MAchines theres a really good
>c626544> connection monitor called TCPview.
>c626544> if you want to actually insect the packets, then TCPdump is
>c626544> the program you are looking for, just do an archie for it.

We use a package called NetMetrix, which we run on our SparcStations.
It is very good, and rather flexible, as it allows one to define filters used for selective viewing of various types of data (i.e. by protocols, or by protocol address). It also allows one to generate packets, which is something that is *very* useful when debugging networks, or new implementations of network software.

--tOm

From firewalls-owner Thu May 12 15:28:15 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA27723; Thu, 12 May 1994 21:19:39 GMT
Received: from xap.xyplex.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA27717; Thu, 12 May 1994 14:19:25 -0700
Received: from tdn.xyplex.com by xap.xyplex.com id ; Thu, 12 May 94 17:03:25 -0500
Received: by eng.xyplex.com (4.1/SMI-4.1) id AA01445; Thu, 12 May 94 17:19:06 EDT
Date: Thu, 12 May 94 17:19:06 EDT
From: tdn@tdn.xyplex.com (Thomas D. Nadeau)
Message-Id: <9405122119.AA01445@eng.xyplex.com>
To: reh@cs.UMD.EDU
Cc: brent@GreatCircle.COM, genie@panix.com, firewalls@GreatCircle.COM
In-Reply-To: <199405122016.QAA11005@bedrock.cs.UMD.EDU> (reh@cs.UMD.EDU)
Subject: Re: What is IP Source Routing?
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

"reh" == Richard Huddleston writes:

>reh> And, in the interest of equal time, another superb reference to
>reh> IP is the recent book by W.Richard Stevens: TCP/IP Illustrated,
>reh> Volume 1. ISBN 0-201-63346-9.
>reh> Many people, myself among them, prefer the Stevens text to
>reh> Comer. The book is good enough to mention as an alternative to
>reh> the reflexive grabbing of the Comer texts off of the bookstore
>reh> shelf, IMHO. I've found that I prefer the RFCs to Comer, but
>reh> that I prefer Stevens to the RFCs :).

Another excellent, yet rather unobvious explanation of TCP/IP/UDP is in chapter two of Cheswick and Bellovin's new book "Firewalls and Internet Security...".

--tOm

From firewalls-owner Thu May 12 22:35:14 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id WAA28404; Thu, 12 May 1994 22:35:14 GMT
Received: from s0052dev.schwab.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA28398; Thu, 12 May 1994 15:35:02 -0700
Received: from s0043dev.schwab.com by s0052dev.schwab.com (4.1/SMI-4.1/CS940228) id AA17860; Thu, 12 May 94 18:37:16 EDT
Received: from w2011phx.schwab.com by s0043dev.schwab.com (4.1/SMI-4.1) id AA05214; Thu, 12 May 94 18:45:35 EDT
Received: by w2011phx.schwab.com (4.1/SMI-4.1.3C-schwab) id AA04045; Thu, 12 May 94 15:35:57 MST
Date: Thu, 12 May 94 15:35:57 MST
From: dknierim@schwab.com (David Knierim)
Message-Id: <9405122235.AA04045@w2011phx.schwab.com>
To: Firewalls@GreatCircle.COM
Subject: Re: Looking for Net Monitoring Pkg
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> From firewalls-owner@GreatCircle.COM Thu May 12 15:30:50 1994
> Date: Thu, 12 May 94 17:16:40 EDT
From: tdn@tdn.xyplex.com (Thomas D. Nadeau) > To: kozowski@sd.com > Cc: Firewalls@GreatCircle.COM > Subject: Re: Looking for Net Monitoring Pkg > Content-Type> : > TEXT/PLAIN> ; > charset=US-ASCII> > Sender: Firewalls-Owner@GreatCircle.COM > Content-Length: 1463 > > "kozowski" == Eric Kozowski writes: > > > >kozowski> the best, most complete solution was Spectrum from > >kozowski> Cabletron. It's pricey ($20k), but you get what you pay > >kozowski> for. They also have an extremely good eval policy. I got > >kozowski> a 30 day eval license _and_ the flew a tech guy up here for > >kozowski> two days! It's a great product. > > The problem with ctron's Spectrum is that it is huge, and as you > mentioned, *very* pricy. In addition, the word out is that it is > bug prone. > > --tOm > > We have found Spectrum to be a real pain to keep working. Modeling is a fair amount of work, and we are constantly losing link information if we don't reload the database often (every day or so....) I will be installing the latest release Real Soon Now and hopefully that will get it working better.... At the moment, I could not recommend the product. Dabe Standard disclaimers apply. 
From firewalls-owner Thu May 12 16:19:07 1994
Date: Thu, 12 May 94 18:36:53 EDT
Message-Id: <9405122236.AA03545@Controls.Eurotherm.COM>
To: Firewalls@GreatCircle.COM
Subject: NFS and X -- Internet tunnel to a "trusted" remote site
Cc: Brad.Sipes@Controls.Eurotherm.COM, Jon.Wagner@Controls.Eurotherm.COM
From: Mike.Geipel@Controls.Eurotherm.COM (Mike Geipel)
Reply-To: Mike.Geipel@Controls.Eurotherm.COM
Reply-To: Brad.Sipes@Controls.Eurotherm.COM
Reply-To: Jon.Wagner@Controls.Eurotherm.COM
Organization: Eurotherm Controls Inc

Our company has several sites, world-wide. A few of those sites need to have
their IP networks linked together for a cooperative development project. We
currently use dial-up (on-demand) connections, and pay the long-distance
charges for PPP modem connections. But we need 64K or better.

Within the US, leased lines are no problem. But a DS-0 to the UK would cost
each side $3000 per month. The obvious alternative is to use the Internet
connections at each end.

So, if two sites on the Internet want to allow unlimited IP access to each
other but need to filter all other packets as usual... what do they need to
do (or buy) to make this tunnel through the firewalls?

And yes, this would include services like NFS and X. :-(

Is there a way to make this point-to-point tunnel "safe" without encryption
at each end? What are the problems? If IP-level encryption is required, is
there a vendor that can supply the UK without !@#$%^&* US export problems?

Please respond via e-mail; I'll summarize if there's interest.

advTHANKSance (THANKS in advance),
--
Mike Geipel (N4IXJ)                   | Eurotherm Controls Inc.
Telephone: (703) 471-4870 x387        | 11485 Sunset Hills Road
"Mike.Geipel@Controls.Eurotherm.COM"  | Reston, VA 22090-5286

From firewalls-owner Fri May 13 00:09:28 1994
From: messmanj@ohsu.edu (John Messman,PC-D,Metro)
Date: Thu May 12 17:05:20 PDT 1994
To: firewalls@GreatCircle.COM
Subject: FW config help

I have been given the challenge to set up our Internet security. I took on
this task with some trepidation but figured that I could overcome my abundance
of ignorance about what it requires to set up a firewall system by reading and
exploring what other people have been saying and doing about security. I am at
the point now where I am being driven to provide access but am not yet
confident in my ability to make good decisions when setting up our security.
Thus I ask for your assistance/guidance in what approach I should take.

The tools:

  InetCloud ---- ----- DMZ Network --------------------
                          |                  |
                       Firewall              |
                          ------------------------ Magic Kingdom----
                                                      |          |
                                                 Terminal Hub  Gateway Box

router1 job: Initial packet filtering
Firewall job: DMZ DNS, Sendmail, anonymous ftp, C-news
router2 job: Packet filtering
terminal hub job: In-bound telnet (must do)
Gateway job: Magic Kingdom DNS, mail hub, outbound ftp and telnet

router2 needs to allow: NNTP from firewall c-news database and magic kingdom
hosts. Outbound FTP and telnet. Mosaic and Gopher in the future.

Questions:

1. Is it bad to have C-news database on firewall?

2. Do I need to use TCPwrappers for NNTP connections to the firewall from
   magic kingdom boxes? Some of the boxes will be PCs and Macs.

2. What is the best way to configure router1 for filtering? I am looking at
   router2 to filter out unwanted packets for the magic kingdom.

3. What can be done to make outbound FTP and telnet more secure? I remember
   reading about a special ftp program that doesn't require/use the standard
   return connection port (in layman's terms). Is this important?

4. Since I must allow in-bound telnet from known remote hosts on a case by
   case basis, what else could I do/use besides password token generators? I
   figured a terminal hub would be pretty restrictive. Besides the obvious
   danger of telnet passwords what other dangers exist with this part of the
   configuration?

5. Anyone have any special advice for configuring HP/UX on a Firewall system?
   I am looking at the Trusted Host package and also wonder how effective the
   /usr/adm/inetd.sec file would be as an additional hoop for social deviants
   to jump through?

6. Any general advice about what I can do to make my configuration
   better/safer would be welcomed.

Thanks in advance and sorry if this is a redundant set of questions.
From firewalls-owner Fri May 13 00:44:06 1994
Date: Thu, 12 May 94 20:43:41 EDT
From: tdn@tdn.xyplex.com (Thomas D. Nadeau)
Message-Id: <9405130043.AA02134@eng.xyplex.com>
To: messmanj@ohsu.edu
Cc: firewalls@GreatCircle.COM
In-Reply-To: (messmanj@ohsu.edu)
Subject: Re: FW config help

>mesms> Questions:

>mesms> 4. Since I must allow in-bound telnet from known remote hosts
>mesms> on a case by case basis, what else could I do/use besides
>mesms> password token generators? I figured a terminal hub would be
>mesms> pretty restrictive. Besides the obvious danger of
>mesms> telnet-passwords what other dangers exist with this part of
>mesms> the configuration?

There is a publicly available version of telnet which supports data
encryption (if you are in the U.S. or Canada). It is available via anonymous
ftp from ftp.cray.com and is located in /src/telnet/telnet.94.02.07.NE.tar.Z.
I have not yet had a chance to use it, but the manual's description seems
pretty inviting.

>mesms> 6. Any general advice about what I can do to make my
>mesms> configuration better/safer would be welcomed.

1) Read this discussion group. ;-)

2) Read "Firewalls and Internet Security...", by Cheswick and Bellovin.
   Great discussion of how to set up a good firewall, as well as the pros
   and cons of such systems.
From firewalls-owner Thu May 12 18:55:44 1994
Date: Thu, 12 May 1994 21:21:51 -0400
From: reh@cs.UMD.EDU (Richard Huddleston)
Message-Id: <199405130121.VAA12203@bedrock.cs.UMD.EDU>
To: Brad.Sipes@Controls.Eurotherm.COM, Jon.Wagner@Controls.Eurotherm.COM,
    Mike.Geipel@Controls.Eurotherm.COM
Subject: Re: NFS and X -- Internet tunnel to a "trusted" remote site
Cc: bob@morningstar.com, firewalls@greatcircle.com

You might consider tunneling PPP through IP packets. PPP will support complete
IP, which you then encapsulate into IP and squirt through your firewall. The
Morning Star PPP product does this *extremely* well, I think -- and I don't
make a dime for saying it. I've included bob@morningstar.com as a recipient,
simply because that's who I remember there (Sorry, Bob).

Richard

* Date: Thu, 12 May 94 18:36:53 EDT
* Subject: NFS and X -- Internet tunnel to a "trusted" remote site
* Cc: Brad.Sipes@Controls.Eurotherm.COM, Jon.Wagner@Controls.Eurotherm.COM
* From: Mike.Geipel@Controls.Eurotherm.COM (Mike Geipel)
* Organization: Eurotherm Controls Inc
*
* Our company has several sites, world-wide. A few of those
* sites need to have their IP networks linked together for a
* cooperative development project. We currently use dial-up
* (on-demand) connections, and pay the long-distance charges
* for PPP modem connections. But we need 64K or better.
*
* Within the US, leased lines are no problem. But a DS-0 to
* the UK would cost each side $3000 per month. The obvious
* alternative is to use the Internet connections at each end.
*
* So, if two sites on the Internet want to allow unlimited IP
* access to each other but need to filter all other packets
* as usual... what do they need to do (or buy) to make this
* tunnel through the firewalls?
*
* And yes, this would include services like NFS and X. :-(
*
* Is there a way to make this point-to-point tunnel "safe"
* without encryption at each end? What are the problems?
* If IP-level encryption is required, is there a vendor that
* can supply the UK without !@#$%^&* US export problems?
*
* Please respond via e-mail; I'll summarize if there's interest.
*
* advTHANKSance (THANKS in advance),
* --
* Mike Geipel (N4IXJ)                   | Eurotherm Controls Inc.
* Telephone: (703) 471-4870 x387        | 11485 Sunset Hills Road
* "Mike.Geipel@Controls.Eurotherm.COM"  | Reston, VA 22090-5286

From firewalls-owner Fri May 13 05:31:53 1994
Date: Fri, 13 May 94 08:33:09 IDT
From: Shlomo Kramer
Message-Id: <9405130533.AA28398@doors.brm.co.il>
To: firewalls@GreatCircle.COM
Subject: CheckPoint FireWall-1

Hi,

Reading the discussion about

> ..the implications of the GUI running on the firewall and what dangers it
> may represent...

I think that some information about the architecture of CheckPoint FireWall-1
(FW-1) is in place.

FW-1 is a distributed system comprised of a single ``control module''
(typically residing on the sys-admin station) and any number of ``packet
filtering modules'' (in the simplest case, a single packet filter module
residing on the gateway to the Internet). All communication between the
control module and the packet filtering modules is done through an
authenticated control link. The control module can also drive cisco routers
by generating and downloading access lists to them.

So the picture can look something like this:

                        Internet
                           |
                           |
                    _      |
          -------|X|--------              ---------------------
          |      -         |              |                   |
          |    Gateway     |              |    Sys. Admin.    |
          | PACKET FILTERING|             |      Station      |
          |    MODULE      |              |   CONTROL MODULE  |
          |         _      |              |                   |
          -------|X|--------              ---------------------
                  -  |                             |
                     |                             |
      --------------------------------------------------------
                              LocalNet   |
                                  _      |
                           ______|X|________
                           |     -         |
                           | Cisco Router  |
                           |        _      |
                           ------|X|--------
                    OtherNet     -  |
      --------------------------------------------------------

Sometimes the control module (containing the GUI) may reside on the gateway
itself. This is entirely up to the local administrator's decision. In any
case, the GUI (as Chuck Yerkes already noted) is just an X *client*.
Furthermore, the gateway itself (as any other internal machine) should be
protected by FW-1 against access to X from the Internet.

The GUI is a relatively small application with the following functional
components:

 o Network Objects & Services Managers: used to define new network objects
   (hosts, networks, domains, groups etc.) and services (TCP, UDP, RPC etc.).

 o Rule Base Editor: used to create a set of security rules.

 o System Status: reporting the status of all packet filter modules in the
   system (number of packets passed/rejected/logged, name of filter etc.).

 o Log Viewer: allows one to analyze all log events.

The work flow is something like this: First, the security policy is molded
into a rule-base (using the Object Managers and Rule-Base Editor). Then, when
instructed to apply this security policy, the control module generates from
the rule-base a filter-script, compiles it and disseminates the filter code to
the appropriate packet filter modules (and cisco routers). Once this is done,
all logs and alerts generated are collected back to the control module. The
control module generates real-time notifications (customizable) upon alert
events and allows for online viewing of log events. The control module
monitors and displays the status of the packet filtering modules using the
System Status screen. Finally, the administrator will use the Log Viewer in
order to assess her security policy, produce reports, etc.

Some concern has been raised about the "complexity = problems" equation. I
absolutely agree with Frederick Avolio about this: complexity in the
management of security is bad for your security. More specifically, I
personally feel that there are three important *management* goals for a
system such as FW-1:

 o Easy implementation of a security policy to security rules.

 o A tight feedback loop on communication attempts and system status.

 o An extensive mechanism for "post-mortem" analysis.

I believe that FW-1's GUI provides an easy-to-use answer to these goals, while
not being too complex by itself.

---------------------------- F i r e W a l l - 1 -----------------------------
Shlomo Kramer, CheckPoint Software Technologies | Email: shlomo@CheckPoint.COM
437 Boylston Street                             | Voice: 1-800-429-4391
Boston MA 02116                                 | Fax: 617-859-9052
------------------------------------------------+-----------------------------

From firewalls-owner Fri May 13 03:49:25 1994
From: Manjuka Herath
Message-Id: <199405131021.UAA04768@cairo.anu.edu.au>
Subject: help
To: firewalls@greatcircle.com
Date: Fri, 13 May 1994 20:21:28 +1000 (EST)
help info

From firewalls-owner Fri May 13 10:54:03 1994
From: Manjuka Herath
Message-Id: <199405131054.UAA07555@cairo.anu.edu.au>
Subject: info
To: firewalls@greatcircle.com
Date: Fri, 13 May 1994 20:54:25 +1000 (EST)

info help

From firewalls-owner Fri May 13 04:19:11 1994
From: tws@mrc.com
Date: Fri, 13 May 94 05:05:20 -0400
Message-Id: <9405130905.AA19869@mrcs1>
To: mjr@tis.com, tkevans@eplrx7.es.duPont.com
Subject: Re: FTP Security
Cc: Firewalls@GreatCircle.COM, mstickle@lvh.com

>> Sez Marcus J Ranum (for which I'm grateful):
>> >
>> >     Scanning for DOS virii on a UNIX box is also a bit of a
>> >wild goose chase. Why? Because any DOS executable that's being
>> >transmitted through the UNIX box is probably encoded for transmission
>> >and then you have the whole issue of figuring out what the encoding
>> >is and means...
>> >
>> IBM's AIX does have a 'virscan' command which can examine DOS executables
>> for a pre-set list of well-known virus "signatures." As Marcus
>> notes, encoded stuff can't be scanned, but if it's unpacked under
>> AIX, 'virscan' might be useful.

Got a question for you folks: How do other virii checkers work? I.e., there
are a couple of virii checking programs for Macintosh that I know of. Windows
3.1 (or is it DOS?) comes with some checking program. How do they scan for
viruses? Do they just look at known characteristics of known virii? If that's
the case, they are pretty weak against newly written worms, aren't they?

UNIXisahouseholdwordUNIXisahouseholdwordU
N                                       N
I            Tenna W Sakai              I
X            tws@mrc.com                X
i        Miles Research Center          i
s          400 Morgan Lane              s
a       West Haven, CT 06516            a
h          203.937.2856                 h
o                                       o
useholdword###################drowdlohesu

From firewalls-owner Fri May 13 11:22:24 1994
From: Steve Simmons
Message-Id: <199405131121.HAA10606@lokkur.dexter.mi.us>
Subject: Re: What is IP Source Routing?
To: reh@cs.UMD.EDU (Richard Huddleston)
Date: Fri, 13 May 1994 07:21:50 -0400 (EDT)
Cc: brent@GreatCircle.COM, genie@panix.com, firewalls@GreatCircle.COM
In-Reply-To: <199405122016.QAA11005@bedrock.cs.UMD.EDU> from "Richard Huddleston" at May 12, 94 04:16:36 pm

>[...Comer, Comer, Comer, Comer, Comer...]
>
>And, in the interest of equal time, another superb reference to IP
>is the recent book by W.Richard Stevens: TCP/IP Illustrated, Volume 1.
>ISBN 0-201-63346-9.
>
>Many people, myself among them, prefer the Stevens text to Comer. The
>book is good enough to mention as an alternative to the reflexive grabbing
>of the Comer texts off of the bookstore shelf, IMHO. I've found that I
>prefer the RFCs to Comer, but that I prefer Stevens to the RFCs :).

Agreed, Stevens is brilliant. However, Stevens and Comer serve (IMHO)
different purposes. Comer is the book you want to start with - his
explanations are clearer, and the book is better organized for those who are
just starting to learn the protocols. However, once you've read Comer you
should set it aside and get Stevens. Comer tells you how it's supposed to
work. Stevens shows you how it works in the real world, how to diagnose, and
what broken and semi-broken things look like. I *teach* TCP/IP, and learned a
lot from Stevens.

From firewalls-owner Fri May 13 11:43:20 1994
From: tkevans@fallst.es.dupont.com (Tim Evans)
Message-Id: <9405131141.AA19720@fallst.es.dupont.com>
Subject: Re: FTP Security
To: tws@mrc.com
Date: Fri, 13 May 1994 07:41:09 -0400 (EDT)
Cc: mjr@tis.com, Firewalls@GreatCircle.COM, mstickle@lvh.com
In-Reply-To: <9405130905.AA19869@mrcs1> from "tws@mrc.com" at May 13, 94 05:05:20 am
Phone: (410) 569-2825; (302) 695-9353
Reply-To: tkevans@eplrx7.es.duPont.com

Sez tws@mrc.com (for which I'm grateful):
>
> >> IBM's AIX does have a 'virscan' command which can examine DOS executables
> >> for a pre-set list of well-known virus "signatures." As Marcus
> >> notes, encoded stuff can't be scanned, but if it's unpacked under
> >> AIX, 'virscan' might be useful.
>
>Got a question for you folks: How do other virii
>checkers work? I.e., there are a couple of virii
>checking programs for Macintosh that I know of.
>Windows 3.1 (or is it DOS?) comes with some check-
>ing program. How do they scan for viruses? Do they
>just look at known characteristics of known virii?
>If that's the case, they are pretty weak against
>newly written worms, aren't they?
>

Yes, and no. Any virus scan is better than nothing at all, and the same ones
do keep reappearing periodically, such as Michelangelo. Scanning for common
ones won't, of course, turn up new ones, but defending against old ones
doesn't hurt and may well save someone's whole day.

--
Tim Evans                    | E.I. du Pont de Nemours & Co.
tkevans@eplrx7.es.dupont.com | Experimental Station
(302) 695-9353/7395          | P.O. Box 80357
EVANSTK AT A1 AT ESVAX       | Wilmington, Delaware 19880-0357

From firewalls-owner Fri May 13 13:12:56 1994
Date: Fri, 13 May 1994 09:13:01 -0400
From: jmclip@world.std.com (Jim R McLeanLipinski)
Message-Id: <199405131313.AA20915@world.std.com>
To: firewalls@greatcircle.com
Subject: Re: What is IP Source Routing?

Brent writes . . .

>Many UNIX kernels will forward a source-routed packet EVEN IF "IP
>Forwarding" has supposedly been disabled on that kernel.
>

Does anyone know how to determine if one's kernel has that problem, or, have a
list of kernels that are either known to be bad or known to be good? I am
specifically interested in the status of the BSDI BSD/386 kernel.

--
Jim McLean-Lipinski              EMail - jmclip@world.std.com
Network Administrator
Vermont Dept. of Public Safety   Phone - (802) 244 8786
103 South Main Street
Waterbury, VT USA 05671          FAX - (802) 244 1106

From firewalls-owner Fri May 13 14:34:25 1994
Message-Id: <9405131420.AA00366@lorax.imsi.com>
To: tdn@tdn.xyplex.com (Thomas D. Nadeau)
Cc: kozowski@sd.com, Firewalls@greatcircle.com
Subject: Re: Looking for Net Monitoring Pkg
In-Reply-To: Your message of "Thu, 12 May 1994 17:16:40 EDT." <9405122116.AA01440@eng.xyplex.com>
Reply-To: rens@imsi.com
Date: Fri, 13 May 1994 10:20:04 -0400
From: Rens Troost

>>>>> On Thu, 12 May 94 17:16:40 EDT, tdn@tdn.xyplex.com (Thomas D. Nadeau) said:

tdn> The problem with ctron's Spectrum is that it is huge, and as
tdn> you mentioned, *very* pricey. In addition, the word out is that
tdn> it is bug prone.

It is pretty huge, and overly flashy. On the other hand, the architecture
(server process gathers stats and organizes them, client consoles attach to
this) is the correct one, and its topology management is impressive; if you
lose a section of your network, you only get one alarm, not a thousand. It
also lets you build really cool event-driven scripts, and take actions from
those scripts that affect the state of the operator consoles. It does have
its share of bugs, especially display-related ones. On the other hand, I
bought it because SunNetManager's trap handling was so buggy as to be useless.
All these management packages are full of bugs; you choose the ones you are
comfortable with.

This is all a bit afield of firewalls, though...

-Rens

From firewalls-owner Fri May 13 15:18:51 1994
Message-Id: 19940513.111738.WRM01@ALBNYDH2
Date: 13 May 94 11:17:38 EDT
From: Bill Moyer
To: firewalls@greatcircle.com
Subject: Re: Looking for Net Monitoring Pkg
In-Reply-To: note of Thu, 12 May 94 15:35:57 MST

We have been using Network General's Ethernet Analyzer and are very happy with
it. In Analyzer mode, it keeps track of conversations at all levels of the
stack - including the application level. It tracks "symptoms" and with an
"explain" key, it provides an explanation of the problem and suggests possible
solutions. It is also the only analyzer that I have used that will deliver to
you *bad* packets for examination, including short/runt packets and those with
bad CRC. Very helpful in finding bad Ethernet cards.

Bill Moyer
wrm01@albnydh2.bitnet

From firewalls-owner Fri May 13 15:36:17 1994
Date: Fri, 13 May 94 10:36:50 CDT
From: ylee@syl.dl.nec.com (Ying-Da Lee)
Message-Id: <9405131536.AA21246@florida.syl.dl.nec.com>
To: Firewalls@GreatCircle.COM
Subject: Re: Checkpoint FireWall-1 sanity chec
Cc: ylee@syl.dl.nec.com

>And the filters DO examine
>packets at the application layer. With FTP, for example, when an internal
>client makes a PORT request to an external server, FireWall remembers
>the PORT request, and dynamically makes an opening for the incoming data
>connection coming from the specific server to the particular port on the
>client.

This assumes that the firewall/router/proxy can understand the data portion
of the packets. What happens if that is encrypted?
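As an added illustration (my own example, not FireWall-1's code and not something any poster supplied) of the PORT tracking quoted above, of Ying-Da's question about an encrypted control channel, and of Messman's question 3 earlier in the digest about FTP's "return connection": a toy stateful filter that evaluates a first-match rule base, tracks accepted connections, and opens a one-shot pinhole only after it has seen a readable PORT command or 227 reply. Hosts, ports, the rule base and the "ciphertext" bytes are all constructed.

```python
import re
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges), not real hosts.
INSIDE_NET = "192.0.2."             # our internal network, as an address prefix
CLIENT = "192.0.2.10"               # internal FTP client
SERVER = "198.51.100.5"             # external FTP server
OPAQUE = bytes(range(0x80, 0xA0))   # stand-in for an encrypted control channel

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False               # True for the first packet of a TCP connection
    payload: bytes = b""

@dataclass(frozen=True)
class Rule:
    name: str
    src: str                        # exact address, "net:<prefix>", or "any"
    dst: str
    dport: int                      # 0 matches any destination port
    action: str                     # "accept" or "drop"
    def matches(self, p):
        return (_addr_match(self.src, p.src) and _addr_match(self.dst, p.dst)
                and self.dport in (0, p.dport))

def _addr_match(spec, addr):
    # "any", a "net:<prefix>" wildcard, or an exact address
    return spec == "any" or spec == addr or (
        spec.startswith("net:") and addr.startswith(spec[4:]))

# Rule base in the spirit of Messman's router2: only outbound FTP control.
RULES = [Rule("out-ftp", "net:" + INSIDE_NET, "any", 21, "accept")]
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
PASV_RE = re.compile(rb"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def _hostport(groups):
    h1, h2, h3, h4, p1, p2 = (int(x) for x in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.conns = set()          # accepted flows: (src, dst, sport, dport)
        self.pinholes = set()       # one-shot openings: (src, dst, dport)
        self.log = []

    def handle(self, p):
        flow = (p.src, p.dst, p.sport, p.dport)
        if p.syn and (p.src, p.dst, p.dport) in self.pinholes:
            self.pinholes.discard((p.src, p.dst, p.dport))   # single use
            self.conns.add(flow)
            verdict, why = "accept", "ftp data pinhole"
        elif flow in self.conns or (p.dst, p.src, p.dport, p.sport) in self.conns:
            verdict, why = "accept", "established"
        elif p.syn:
            verdict, why = "drop", "no matching rule"        # implicit final drop
            for r in self.rules:                             # first match wins
                if r.matches(p):
                    verdict, why = r.action, "rule " + r.name
                    break
            if verdict == "accept":
                self.conns.add(flow)
        else:
            verdict, why = "drop", "no SYN and no tracked connection"
        self.log.append(f"{verdict} {p.src}:{p.sport}->{p.dst}:{p.dport} ({why})")
        if verdict == "accept":
            self._inspect_ftp(p)
        return verdict

    def _inspect_ftp(self, p):
        # Application-layer peek at the FTP control channel (port 21).
        if p.dport == 21:
            m = PORT_RE.search(p.payload)   # client announces its data port
        elif p.sport == 21:
            m = PASV_RE.search(p.payload)   # server announces its data port
        else:
            return
        if m:
            host, port = _hostport(m.groups())
            if host == p.src:               # only open a hole toward the announcer
                self.pinholes.add((p.dst, host, port))

def active_ftp(encrypted=False):
    """Active mode: the server must connect back in. Returns the data verdict."""
    fw = StatefulFilter(RULES)
    fw.handle(Packet(CLIENT, SERVER, 40001, 21, syn=True))
    cmd = b"PORT 192,0,2,10,156,66\r\n"    # client listens on 156*256+66 = 40002
    fw.handle(Packet(CLIENT, SERVER, 40001, 21, payload=OPAQUE if encrypted else cmd))
    return fw.handle(Packet(SERVER, CLIENT, 20, 40002, syn=True))

def passive_ftp(encrypted=False):
    """Passive mode: the client connects out. Returns the data verdict."""
    fw = StatefulFilter(RULES)
    fw.handle(Packet(CLIENT, SERVER, 40001, 21, syn=True))
    reply = b"227 Entering Passive Mode (198,51,100,5,195,88)\r\n"  # 195*256+88 = 50008
    fw.handle(Packet(SERVER, CLIENT, 21, 40001, payload=OPAQUE if encrypted else reply))
    return fw.handle(Packet(CLIENT, SERVER, 40003, 50008, syn=True))
```

With a plaintext control channel both modes yield "accept" for the data connection; with the opaque payload neither pinhole is created and both are dropped, which is the failure Ying-Da is asking about (passive mode would survive only under a rule base that already allows arbitrary outbound connections).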
Ying-Da Lee (214)518-3490 (214)518-3552 (FAX) Principal Member, Technical Staff NEC Systems Laboratory, C&C Software Technology Center ylee@syl.dl.nec.com From firewalls-owner Fri May 13 08:49:11 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA04903; Fri, 13 May 1994 15:26:19 GMT Received: from pserv1.dot.state.az.us by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id IAA04897; Fri, 13 May 1994 08:26:07 -0700 Received: by pserv1.dot.state.az.us (5.65c/1.921207) id AA07434; Fri, 13 May 1994 08:25:20 -0700 From: tom@pserv1.dot.state.az.us (Tom Brink) Message-Id: <199405131525.AA07434@pserv1.dot.state.az.us> Subject: Re: Ports that SHOULDN't be blocked To: jc@shadow.net (Justin) Date: Fri, 13 May 94 8:25:18 MST Cc: firewalls@greatcircle.com (Firewalls Mailing List) Reply-To: tom@pserv1.dot.state.az.us In-Reply-To: ; from "Justin" at May 12, 94 4:46 pm X-Mailer: ELM [version 07.00.00.00 (2.3 PL11)] Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Justin writes: > > On Thu, 12 May 1994, Tom Brink wrote: > > > > > If you are going to NOT block telnet, why block at all? > > I trust telnetd and login more than say, syslogd, ftpd, imapd, popd, > portmap, etc... Here I (have to) allow connections to telnetd, and ftpd, > but there is no reason to allow access to my portmapper or my syslog > daemon, so I block them. What's wrong with that? > > -jc Humm, the problem I have with telnet (port 23 variety), is that typically the password is transmitted in clear text (unless you do something fancy). I have personal experience with that one, as our T1 goes thru Arizona State University. Seems students were stealing passwords from packets going across the wire. 
-- Tom Brink Technical Support Specialist Computer Aided Engineering Section Arizona Department of Transportation tom@dot.state.az.us From firewalls-owner Fri May 13 16:20:39 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA05563; Fri, 13 May 1994 16:20:39 GMT Received: from bastion1.dbisna.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA05557; Fri, 13 May 1994 09:20:21 -0700 From: morganw@dbisna.com Received: by bastion1.dbisna.com (5.67/1.37) id AA13101; Fri, 13 May 94 16:21:02 GMT Received: from netservr.us.dbisna.com(159.137.86.246) by bastion1.dbisna.com via smap (V1.3mjr) id sma013097; Fri May 13 16:20:37 1994 Received: from bh007051.us.dbisna.com by (5.67/1.37) id AA28070; Fri, 13 May 94 12:20:37 -0400 Message-Id: Date: Fri, 13 May 94 12:08:23 PDT Reply-To: morganw@dbisna.com To: firewalls@greatcircle.com To: fwall-users@tis.com Subject: FTP access from the Internet Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk I have a challange that I thought some of the members of these mailing lists may be able to help me with. We have a requirement to provide specific users on the Internet with the ability to ftp files from/to a server in our network. We have secured the access to this server(s) using the TIS filewall toolkit. No problem there. The challage enters into the picture once the customers have entered the server, I'd like to be able to chroot them into their own file structure. I don't want them browsing around. Through the TIS toolbox there's a way to limit the commands that a person can enter (e.g. don't let then cd to another directory). This isn't bad, I just wondered if anyone else has any thoughts on this or has done something similar. I'd also be interested in anyone has any dire warnings about his as well. 
The server sits out on our firewall and can not access our trusted network directly (it is accessible through our bastion host - this is true for trusted network nodes as well as Internet nodes). We are also looking at a challenge-response single use password facility to authenticate the users coming in. thanks for your suggestions and assistance. Bill Morgan (morganw@dbisna.com) From firewalls-owner Fri May 13 09:49:11 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA05694; Fri, 13 May 1994 16:33:31 GMT Received: from xap.xyplex.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA05688; Fri, 13 May 1994 09:33:19 -0700 Received: from tdn.xyplex.com by xap.xyplex.com id ; Fri, 13 May 94 12:18:58 -0500 Received: by eng.xyplex.com (4.1/SMI-4.1) id AA00277; Fri, 13 May 94 12:32:57 EDT Date: Fri, 13 May 94 12:32:57 EDT From: tdn@tdn.xyplex.com (Thomas D. Nadeau) Message-Id: <9405131632.AA00277@eng.xyplex.com> To: jmclip@world.std.com Cc: firewalls@GreatCircle.COM In-Reply-To: <199405131313.AA20915@world.std.com> (jmclip@world.std.com) Subject: Re: What is IP Source Routing? Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk "jmp" == Jim R McLeanLipinski writes: >jmp> Brent writes . . . >Many UNIX kernels will forward a source-routed packet EVEN IF "IP >Forwarding" has supposedly been disabled on that kernel. > >jmp> Does anyone know how to determine if one's kernel has that >jmp> problem, or, have a list of kernels that are either known to be >jmp> bad or known to be good. >jmp> I am specifically interested in the status of the BSDI BSD/386 kernel Well, this sounds like a bug in the kernel to me. If routing is administratively "off", then it should not be forwarding *any* traffic.
Since we are not sure whether or not setting the switch actually does the job, I would suggest firing some source-routed IP packets at the kernel in question (with IP routing off) and then using a sniffer to see if it is really forwarding the traffic. --tOm Thomas D. Nadeau, Internetworking Software, Xyplex, Inc., 295 Foster Street, Littleton, MA 01460. Voice: (508) 952-4837 FAX: (508) 952-4887 email: tdnadeau@eng.xyplex.com From firewalls-owner Fri May 13 16:54:35 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA05957; Fri, 13 May 1994 16:54:35 GMT Received: from shadow.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA05951; Fri, 13 May 1994 09:54:15 -0700 Received: (cklaus@localhost) by shadow.net (8.6.8.1/jc-1.0) id MAA06455 for firewalls@greatcircle.com; Fri, 13 May 1994 12:57:02 -0400 From: Christopher Klaus Message-Id: <199405131657.MAA06455@shadow.net> Subject: trojans on ftp sites To: firewalls@greatcircle.com Date: Fri, 13 May 94 12:57:02 EDT X-Mailer: ELM [version 2.3 PL0] Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk An idea that could be a possible solution for trojan files on ftp archives. Modify archie to do checksums for files on their sites that they are keeping updates with. Maybe if the checksum changes for the same file from archives from place to place, it would indicate possible trojan. I don't see how a cracker/intruder could install trojans on all the ftp sites that contain that file.
I think more people would use archie's with this feature over the old one, if they knew they were definitely getting files that haven't been tampered with. I do not know who is updating and working on archie, but maybe this can be forwarded to them for adding to their Todo list. -- Christopher William Klaus Internet Security Systems, Inc. 2209 Summit Place Drive,Dunwoody GA 30350-2430. (404)998-5871. From firewalls-owner Fri May 13 17:27:01 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA06197; Fri, 13 May 1994 17:27:01 GMT Received: from srv.cip.physik.tu-muenchen.de by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA06191; Fri, 13 May 1994 10:26:53 -0700 Received: from ss5.cip.physik.tu-muenchen.de by srv.cip.physik.tu-muenchen.de with SMTP id AA01326 for (5.67a/IDA-1.5/bs03); Fri, 13 May 1994 19:27:22 +0200 Message-Id: <199405131727.AA01326@srv.cip.physik.tu-muenchen.de> To: Christopher Klaus Cc: firewalls@greatcircle.com Subject: Re: trojans on ftp sites In-Reply-To: Your message of "Fri, 13 May 94 12:57:02 EDT." <199405131657.MAA06455@shadow.net> Date: Fri, 13 May 94 19:27:21 +0200 From: Bernhard.Schneck@Physik.TU-Muenchen.DE Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk In message <199405131657.MAA06455@shadow.net> you write: > I think > more people would use archie's with this feature over the old one, if they > knew they were definitely getting files that haven't been tampered with. Yeah, great ... when you can trust everybody who runs an archie server. I don't know any of those people personally, so how can I trust them that checksums they announce are real? \Bernhard.
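An added example, not part of Christopher Klaus's proposal or Bernhard Schneck's reply: the cross-mirror comparison Klaus describes, written out so the decision rule is explicit. It assumes an index that already holds, per mirror, the size and digest of one file; the mirror names and the file contents are constructed for the example. It also shows the scheme's built-in limit, which holds whether or not the index operator is trusted: a file that carried a backdoor before it was ever distributed is identical on every mirror and comes back "consistent", so the check only catches tampering that happened on some mirrors after distribution.

```python
import hashlib
from collections import Counter

# Constructed sample contents (not real archive files): the clean script and
# a copy that somebody modified on one mirror after distribution.
CLEAN = b"#!/bin/sh\necho hello\n"
TROJANED = b"#!/bin/sh\necho hello\ncp /bin/sh /tmp/.sh; chmod 4755 /tmp/.sh\n"


def fingerprint(data):
    """(size, digest) as an index like archie's would record it for a file.
    SHA-256 is used here; the 1994 discussion would have used MD5."""
    return len(data), hashlib.sha256(data).hexdigest()


def classify(entries, quorum=3):
    """entries: mirror name -> (size, digest) for the same file.
    Returns (verdict, majority fingerprint or None, sorted outlier mirrors),
    verdict being 'insufficient', 'undecided', 'consistent' or 'suspect'."""
    if len(entries) < quorum:
        return "insufficient", None, []        # too few copies to vote
    ranked = Counter(entries.values()).most_common()
    top, votes = ranked[0]
    if len(ranked) > 1 and ranked[1][1] == votes:
        return "undecided", None, []           # no majority fingerprint
    outliers = sorted(m for m, fp in entries.items() if fp != top)
    return ("suspect" if outliers else "consistent"), top, outliers


def sample_index():
    """Constructed index: three mirrors agree, one carries the modified copy."""
    return {
        "mirror1.example": fingerprint(CLEAN),
        "mirror2.example": fingerprint(CLEAN),
        "mirror3.example": fingerprint(CLEAN),
        "mirror4.example": fingerprint(TROJANED),
    }


def pre_distribution_backdoor():
    """The blind spot: a file that shipped with a backdoor is the same
    everywhere, so every mirror agrees and the verdict is 'consistent'."""
    return {f"mirror{i}.example": fingerprint(TROJANED) for i in (1, 2, 3)}


if __name__ == "__main__":
    print(classify(sample_index()))
    print(classify(pre_distribution_backdoor()))
```

The quorum and the majority rule are the example's own choices; an archie operator would also have to decide how to treat the window between index runs, during which a freshly replaced file still matches the stale fingerprint.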
From firewalls-owner Fri May 13 10:34:16 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA05627; Fri, 13 May 1994 16:30:35 GMT Received: from xap.xyplex.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA05612; Fri, 13 May 1994 09:30:16 -0700 Received: from tdn.xyplex.com by xap.xyplex.com id ; Fri, 13 May 94 12:16:00 -0500 Received: by eng.xyplex.com (4.1/SMI-4.1) id AA00267; Fri, 13 May 94 12:29:59 EDT Date: Fri, 13 May 94 12:29:59 EDT From: tdn@tdn.xyplex.com (Thomas D. Nadeau) Message-Id: <9405131629.AA00267@eng.xyplex.com> To: ylee@syl.dl.nec.com Cc: Firewalls@GreatCircle.COM, ylee@syl.dl.nec.com In-Reply-To: <9405131536.AA21246@florida.syl.dl.nec.com> (ylee@syl.dl.nec.com) Subject: Re: Checkpoint FireWall-1 sanity chec Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk "ylee" == Ying-Da Lee writes: >And the filters DO examine packets at the application layer. With >FTP, for example, when an internal client makes a PORT request to an >external server, FireWall remembers the PORT request, and dynamically >makes an opening for the incoming data connection coming from the >specific server to the particular port on the client. >ylee> This assumes that the firewall/router/proxy can understand the >ylee> data portion of the packets. What happens if that is encrypted? Then packet filtering will only work at the network layer. This is not a problem for inbound traffic, as it will not make it up to the correct application layer without that station knowing how to decrypt the packet. However, if a company's policy is to prevent outbound file transfers, this is a problem because as long as the recipient of the packets knows how to decrypt them, they are golden. --tOm Thomas D. Nadeau, Internetworking Software, Xyplex, Inc., 295 Foster Street, Littleton, MA 01460. Voice: (508) 952-4837 FAX: (508) 952-4887 email: tdnadeau@eng.xyplex.com
From firewalls-owner Fri May 13 10:49:12 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA06260; Fri, 13 May 1994 17:32:32 GMT Received: from shadow.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA06254; Fri, 13 May 1994 10:32:22 -0700 Received: (cklaus@localhost) by shadow.net (8.6.8.1/jc-1.0) id NAA06727; Fri, 13 May 1994 13:35:11 -0400 From: Christopher Klaus Message-Id: <199405131735.NAA06727@shadow.net> Subject: Re: trojans on ftp sites To: Bernhard.Schneck@Physik.TU-Muenchen.DE Date: Fri, 13 May 94 13:35:11 EDT Cc: cklaus@shadow.net, firewalls@greatcircle.com In-Reply-To: <199405131727.AA01326@srv.cip.physik.tu-muenchen.de>; from "Bernhard.Schneck@Physik.TU-Muenchen.DE" at May 13, 94 7:27 pm X-Mailer: ELM [version 2.3 PL0] Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > > In message <199405131657.MAA06455@shadow.net> you write: > > I think > > more people would use archie's with this feature over the old one, if they > > knew they were definitely getting files that haven't been tampered with. > > Yeah, great ... when you can trust everybody who runs an archie server. > I don't know any of those people personally, so how can I trust them that > checksums they announce are real? That would be a big conspiracy for the archie server admins to correct their database after an intruder modified the programs. And if you tried different archie sites, all the admins at all the archie servers must be part of this conspiracy. Umm, Okay. -- Christopher William Klaus Internet Security Systems, Inc. 2209 Summit Place Drive,Dunwoody GA 30350-2430. (404)998-5871.
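An added example, not vendor code and not part of the messages above: the FTP PORT tracking that Ying-Da Lee describes for FireWall-1 (quoted in Thomas Nadeau's reply), reduced to the state machine a filter needs, plus the case Nadeau raises where the control channel is encrypted and the filter can no longer read the PORT command. The addresses, the session transcript and the requirement that a PORT command name the client's own address on an unprivileged port are the example's own assumptions.

```python
import re

# PORT h1,h2,h3,h4,p1,p2 as sent by the client on the control channel (port 21).
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


class FtpTracker:
    """Watches client->server control-channel lines and opens a one-shot hole
    for the matching data connection (server port 20 -> announced client port)."""

    def __init__(self):
        self.pending = set()  # (server_ip, client_ip, client_port)

    def control(self, client_ip, server_ip, line):
        """Feed one client->server control-channel line (bytes).
        Returns True if a PORT command was understood and a hole was opened."""
        m = PORT_RE.match(line)
        if not m:
            return False  # not a PORT command, or opaque (encrypted) bytes
        fields = [int(x) for x in m.groups()]
        if any(x > 255 for x in fields):
            return False
        ip = ".".join(str(x) for x in fields[:4])
        port = fields[4] * 256 + fields[5]
        # The client may only open a hole to itself, on an unprivileged port;
        # otherwise one PORT command could expose some other internal host.
        if ip != client_ip or port < 1024:
            return False
        self.pending.add((server_ip, client_ip, port))
        return True

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Decision for a new inbound TCP connection attempt from the outside."""
        key = (src_ip, dst_ip, dst_port)
        if src_port == 20 and key in self.pending:
            self.pending.discard(key)  # one-shot: the hole closes once used
            return "allow"
        return "deny"


CLIENT, SERVER = "10.1.2.3", "192.0.2.10"  # constructed addresses


def demo_cleartext():
    """Cleartext control channel: the filter sees PORT and opens exactly one hole."""
    fw = FtpTracker()
    fw.control(CLIENT, SERVER, b"USER anonymous\r\n")
    fw.control(CLIENT, SERVER, b"PORT 10,1,2,3,4,1\r\n")  # port 4*256+1 = 1025
    return [
        fw.inbound(SERVER, 20, CLIENT, 1025),          # the expected data connection
        fw.inbound(SERVER, 20, CLIENT, 1025),          # replay: hole already closed
        fw.inbound("198.51.100.9", 20, CLIENT, 1025),  # some other server
        fw.inbound(SERVER, 20, CLIENT, 23),            # telnet to the client
    ]


def demo_encrypted():
    """Encrypted control channel: the same PORT command is opaque to the filter,
    so nothing is understood and the inbound data connection is refused."""
    fw = FtpTracker()
    opaque = bytes.fromhex("9f3a0c7e51b2d44a")  # constructed ciphertext
    understood = fw.control(CLIENT, SERVER, opaque)
    return understood, fw.inbound(SERVER, 20, CLIENT, 1025)


if __name__ == "__main__":
    print(demo_cleartext())
    print(demo_encrypted())
```

The encrypted case is the inbound half of Nadeau's point: the filter fails closed. The outbound half has no counterpart here, because an allowed outbound session whose payload the filter cannot read can carry a file out regardless of what the policy says about file transfers.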
From firewalls-owner Fri May 13 11:19:08 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA06148; Fri, 13 May 1994 17:18:11 GMT Received: from kilby.local by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA06142; Fri, 13 May 1994 10:17:59 -0700 Received: by kilby.local (5.57/Ultrix3.0-C) id AA21200; Fri, 13 May 94 10:18:34 -0700 Date: Fri, 13 May 1994 10:18:34 -0700 (PDT) From: Psynopsis Subject: Re: Looking for Net Monitoring Pkg To: Dave Conklin Cc: firewalls@greatcircle.com In-Reply-To: <9405121333.AA03573@lazarus.corp.harris.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk On Thu, 12 May 1994, Dave Conklin wrote: > Hello, > > I am looking for packages that will allow me to monitor packets on my > net and report traffic statistics by packet type for each source & > destination DNS name (or IP addr if not listed). A bonus would be the > ability to filter on DNS name (or IP addr). Can someone point me in a > likely direction? > > Dave Conklin > dconklin@itp.corp.harris.com > I have found that a file called NETCUR.ZIP works well for such statistics. It can run on a PC, saving you some CPU cycles. It can be found on several ftp sites, though the names escape me. I will send a uuencoded copy to anyone who requests it. nate -- When a cat is dropped it always lands on its feet. I propose to shove the sucker, feet first, into a garbage disposal set on high. When it reaches the proper consistency, spread on buttered toast. Serves a whole family. 
From firewalls-owner Fri May 13 18:21:41 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id SAA06496; Fri, 13 May 1994 18:21:41 GMT Received: from real.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id LAA06490; Fri, 13 May 1994 11:21:30 -0700 Date: Fri, 13 May 94 14:20:41 EDT From: bret@real.com (Bret McDanel) Received: by real.com (4.1/3.2.012693-Realistic Technologies); id AA01392 for firewalls@GreatCircle.COM; Fri, 13 May 94 14:20:41 EDT Message-Id: <9405131820.AA01392@real.com> To: firewalls@GreatCircle.COM Subject: trojans on ftp sites Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk >From firewalls-owner@GreatCircle.COM Fri May 13 13:34:31 1994 >From: Christopher Klaus Subject: trojans on ftp sites To: firewalls@GreatCircle.COM Date: Fri, 13 May 94 12:57:02 EDT X-Mailer: ELM [version 2.3 PL0] Sender: Firewalls-Owner@GreatCircle.COM Content-Length: 927 An idea that could be a possible solution for trojan files on ftp archives. Modify archie to do checksums for files on their sites that they are keeping updates with. Maybe if the checksum changes for the same file from archives from place to place, it would indicate possible trojan. I don't see how a cracker/intruder could install trojans on all the ftp sites that contain that file. I think more people would use archie's with this feature over the old one, if they knew they were definitely getting files that haven't been tampered with. I do not know who is updating and working on archie, but maybe this can be forwarded to them for adding to their Todo list. -- Christopher William Klaus Internet Security Systems, Inc. 2209 Summit Place Drive,Dunwoody GA 30350-2430. (404)998-5871. ---------- I don't think that the files would vary in checksum all that much.. You have to remember that unlike viruses (or virii, depending on which side of the fence you sit :) ) trojans do not modify the file, or replicate or anything like that..
So an infected file (ie someone altered it after production to put in a backdoor et al) may or may not have a different checksum, but it most probably will have a different file size.. Then what about programs like mail that had the 'wiz' backdoor.. That would classify as a trojan.. So if someone wrote a program, and it had a backdoor in it, the checksums and file size would be the same everywhere (unless someone else put in another backdoor et al).. I dunno, maybe it's just me.. Oh, and since I see these disclaimers all over, here goes: These are my thoughts and mine only, not my employers, so there :) From firewalls-owner Fri May 13 13:19:11 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA07048; Fri, 13 May 1994 19:49:45 GMT Received: from bagout.BELL-ATL.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA07042; Fri, 13 May 1994 12:49:36 -0700 Received: by bagate.BELL-ATL.COM (O) id ; Fri, 13 May 94 15:52 EDT Received: by bagate.BELL-ATL.COM (I1) id ; Fri, 13 May 94 15:49 EDT Received: from localhost (bjp@localhost) by is000796.bell-atl.com (8.6.5/8.6.4) with SMTP id PAA15372; Fri, 13 May 1994 15:46:23 -0400 Message-Id: <199405131946.PAA15372@is000796.bell-atl.com> To: Bernhard.Schneck@Physik.TU-Muenchen.DE cc: Christopher Klaus , firewalls@GreatCircle.COM Subject: Re: trojans on ftp sites In-reply-to: Your message of "Fri, 13 May 94 19:27:21 +0100." <199405131727.AA01326@srv.cip.physik.tu-muenchen.de> Date: Fri, 13 May 94 15:46:22 -0400 From: Brad Passwaters Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > In message <199405131657.MAA06455@shadow.net> you write: > > I think > > more people would use archie's with this feature over the old one, if they > > knew they were definitely getting files that haven't been tampered with. > > Yeah, great ... when you can trust everybody who runs an archie server.
> I don't know any of those people personally, so how can I trust them that > checksums they announce are real? Heh I ran an archie and I resent that :-). There are a couple of other problems. The first is that archie searches are done in cycles so there is a window of time in which the checksums are out of date. Also a number of archies mirror stuff off of each other so they would have to establish some kind of trust model as well as increase the security of archie. The biggest hurdle I could see is that the people running the archie server might find that by providing this service they had incurred some liability for the files they index. Brad Passwaters bjp@nsm.bell-atl.com BAINET Technical Services bf5t0p6@bell-atl.com (OSIN) Voice:301-236-6221 FAX:301-236-1061 ------------------------------------------------------------------------------- "...and he never wondered what was right or wrong, he just knew, he just knew" David Crosby and Phil Collins "HERO" From firewalls-owner Fri May 13 20:42:49 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA07479; Fri, 13 May 1994 20:42:49 GMT Received: from volitans.MorningStar.Com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA07473; Fri, 13 May 1994 13:42:36 -0700 Received: from cowfish.MorningStar.Com by volitans.MorningStar.Com (5.65a/94040804) id AA03863; Fri, 13 May 94 16:42:33 -0400 From: Bob Sutterfield Received: by cowfish.MorningStar.Com (5.65a/94010301) id AA04792; Fri, 13 May 94 16:42:31 -0400 Date: Fri, 13 May 94 16:42:31 -0400 Message-Id: <9405132042.AA04792@cowfish.MorningStar.Com> To: reh@cs.UMD.EDU (Richard Huddleston) Cc: Brad.Sipes@redwood.Controls.Eurotherm.COM, Jon.Wagner@redwood.Controls.Eurotherm.COM, Mike.Geipel@redwood.Controls.Eurotherm.COM, firewalls@greatcircle.com, marketing@MorningStar.Com, engineering@MorningStar.Com In-Reply-To: Richard Huddleston's message of Thu, 12 May 1994 21:21:51 -0400 
<199405130121.VAA12203@bedrock.cs.UMD.EDU> Subject: NFS and X -- Internet tunnel to a "trusted" remote site Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Date: Thu, 12 May 1994 21:21:51 -0400 From: reh@cs.UMD.EDU (Richard Huddleston) To: Brad.Sipes@redwood.Controls.Eurotherm.COM, Jon.Wagner@redwood.Controls.Eurotherm.COM, Mike.Geipel@redwood.Controls.Eurotherm.COM Subject: Re: NFS and X -- Internet tunnel to a "trusted" remote site Cc: bob@MorningStar.Com, firewalls@greatcircle.com You might consider tunneling PPP through IP packets. PPP will support complete IP, which you then encapsulate into IP and squirt through your firewall. The Morning Star PPP product does this *extremely* well, I think -- and I don't make a dime for saying it. I've included bob@morningstar.com as a recipient, simply because that's who I remember there (Sorry, Bob). Thanks for your kind comments! * Date: Thu, 12 May 94 18:36:53 EDT * Subject: NFS and X -- Internet tunnel to a "trusted" remote site * Cc: Brad.Sipes@Controls.Eurotherm.COM, Jon.Wagner@Controls.Eurotherm.COM * From: Mike.Geipel@Controls.Eurotherm.COM (Mike Geipel) * Organization: Eurotherm Controls Inc * * Our company has several sites, world-wide. A few of those sites * need to have their IP networks linked together for a cooperative * development project. We currently use dial-up (on-demand) * connections, and pay the long-distance charges for PPP modem * connections. But we need 64K or better. * * Within the US, leased lines are no problem. But a DS-0 to the UK * would cost each side $3000 per month. The obvious alternative is * to use the Internet connections at each end. * * So, if two sites on the Internet want to allow unlimited IP * access to each other but need to filter all other packets as * usual... what do they need to do (or buy) to make this tunnel * through the firewalls? * * And yes, this would include services like NFS and X.
:-( * * Is there a way to make this point-to-point tunnel "safe" without * encryption at each end? What are the problems? If IP-level * encryption is required, is there a vendor that can supply the UK * without !@#$%^&* US export problems? * * Please respond via e-mail; I'll summarize if there's interest. * -- * Mike Geipel (N4IXJ) | Eurotherm Controls Inc. * Telephone: (703) 471-4870 x387 | 11485 Sunset Hills Road * "Mike.Geipel@Controls.Eurotherm.COM" | Reston, VA 22090-5286 Yes, our UNIX PPP/SLIP software and the members of our Express router line can all do PPP-over-TCP tunneling, and selective gateway encryption. I did a talk on this recently; get the slides from ftp.MorningStar.Com:pub/papers/Interop93August-Security.ps.Z if you're interested. Our encryption scheme leaves the IP header alone and encrypts the rest of the datagram (TCP header, user payload) using DES. This way, the packet can traverse an internet as needed, or it can pass through a PPP tunnel. Hosts, applications, and users don't know their traffic is being encrypted - it all happens in the routers. "Selective gateway encryption" means that you can specify that traffic exchanges with certain [sub]networks get encrypted with certain DES keys, and all other traffic goes in the clear. Our tunneling scheme opens a TCP stream to a designated port (e.g. 57/tcp) at a designated address, then progresses just like a normal PPP connection. The answering system's inetd.conf line looks like ppp stream tcp nowait root /usr/etc/pppd pppd nodetach requirechap You open a crack in your packet filter that's just wide enough to pass the tunnel's port number. Then you designate (with static routes or RIP or OSPF configurations) the tunnel endpoint (UNIX system or Express) as the router for all traffic bound for the other network. I see several problems with your application, and with using our products in your application: 1) NFS would be painful, as it is over any multihop internet. TCP NFS or AFS etc. 
might reduce the agony. 2) We do DES in software. Different members of our product line have different amounts of CPU steam, and can therefore encrypt various fractions of your network's bandwidth. The 68K-based low end router can encrypt 30-40Kbps. PPP running on a big UNIX system can probably encrypt most of a T1. 3) Encrypting in software takes time, and adds some latency to the packets flowing through that are being encrypted. On the low-end router, it adds 8-10ms to the packets that are being encrypted. 4) We have no license to export DES outside the USA, so your "several sites world-wide" are out of luck anyway. We're looking into exportable encryption schemes, but there's nothing concrete yet. Write your congressman to complain. -- Bob Sutterfield, Tech Support Manager Morning Star Technologies +1 614 451 1883 1760 Zollinger Rd, Columbus Ohio USA, 43221-2856 +1 800 558 7827 support@MorningStar.Com +1 614 459 5054 (FAX) (soon: 3518 Riverside Dr, Suite 101, Columbus Ohio USA, 43221-1754) From firewalls-owner Fri May 13 14:49:11 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA07720; Fri, 13 May 1994 21:23:18 GMT Received: from ALABAMA.CF.CS.YALE.EDU by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA07714; Fri, 13 May 1994 14:23:03 -0700 Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU via SMTP; Fri, 13 May 1994 17:19:06 -0400 Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-5.67b/res.client.cf-3.7) id AA07005; Fri, 13 May 1994 17:19:04 -0400 Date: Fri, 13 May 1994 17:19:04 -0400 From: long-morrow@CS.YALE.EDU (H Morrow Long) Message-Id: <199405132119.AA07005@SPARKY.CF.CS.YALE.EDU> To: Firewalls@GreatCircle.COM Subject: re: Denial of service attacks on Domain Name Servers (DNS) possible?
Cc: kaufman@nic.near.net Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk I didn't get very many responses back as a result of my query for comments on the idea of using denial of service attacks (both qty and make-work) on the nameservers of people like the C&S spammers. Except for an ingenious and interesting idea Elizabeth Kaufman of NearNet came up with where you may be able to pass bad glue records to someone's nameserver - for the root name servers (forwarded with permission) : I have always personally favored the DNS-sabotage method of sending out bad glue records. For example, I could send bad glue out identifying my own evil Domain Nasty Server as the root name server. Of course, that would be wrong.... I have not had time to review the source, but the most recent version of bind seems to make some effort to address this with VALIDATE. I do know that this type of attack will work on most vendor releases of named, having tested as part of some off-line security work. -elk Presumably the IETF DNSSEC work goes even further in protection against this sort of attack on nameservers? 
- Morrow From firewalls-owner Fri May 13 15:19:12 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA07750; Fri, 13 May 1994 21:24:48 GMT Received: from optics.optics.rochester.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA07740; Fri, 13 May 1994 14:24:23 -0700 Received: from UOROPT by UOROPT (PMDF V4.2-14 #4191) id <01HCAQYXA19C90MTNW@UOROPT>; Fri, 13 May 1994 17:24:35 EST Date: Fri, 13 May 1994 17:24:35 -0500 (EST) From: Joseph Parker Subject: DEC providing firewalls services To: firewalls@greatcircle.com Message-id: <01HCAQYXBDHE90MTNW@UOROPT> X-Envelope-to: firewalls@greatcircle.com X-VMS-To: IN%"firewalls@greatcircle.com" MIME-version: 1.0 Content-transfer-encoding: 7BIT Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk I'm passing along a recent announcement from DEC on their firewall service. This is not a pitch to use their services it's just for your information. Joe Parker University of Rochester gira@acs.rochester.edu 716-275-9117 -------------------------------------------------------------------------------- From: IN%"DECTEI-L@UBVM.BITNET" "DEC's The Education Initiative Discussion List" 3-MAY-1994 19:53:07.39 To: IN%"DECTEI-L@UBVM.BITNET" "Multiple recipients of list DECTEI-L" Subj: I: Press Release - Internet Security Systems 5/2/94 1 COMPREHENSIVE INTERNET SECURITY SERVICES ANNOUNCED BY DIGITAL EQUIPMENT CORPORATION MAYNARD, Mass. -- May 2, 1994 -- Digital Equipment Corporation today announced comprehensive Internet Security Services to help make private computer networks and databases more secure from intrusion from the Internet. 
Provided by Digital Consulting, a business unit of Digital, these Internet Security Services combine expert security consulting and software capabilities to deliver a protected and programmable "firewall" through a screened intelligent gateway that guards private networks, while giving users controlled links and access to the Internet and other networks. "These comprehensive security services are designed to allow our clients to tap the power of the Internet without allowing unwanted guests to tap into their business," said Robert McNulty, Digital's Chief Information Officer and Vice President of Digital Consulting's Operations Management Services. These services provide reliable connectivity and a high degree of security between trusted private networks and the Internet or other potentially hostile TCP/IP networks. These services can also be used to protect sensitive areas of internal networks. Internet Security Services provide secured connections to and from the Internet through a number of "application gateways" to support popular applications like electronic mail, file transfer (FTP and Archie), remote terminal access (Telnet), client/server information services (Gopher, or World-Wide Web), and notes conferences. These services also support access to the World-Wide Web through trusted Mosaic browsers. Digital's Internet Security Services include: * SEAL (Screening External Access Link) - a combination of custom security consulting, Internet security policy development and rules definitions, installation and configuration of customized software, training in all facets of SEAL's operation, and post-delivery telephone support. * Optional components and consulting which include: additional customized application gateways; configuration of public domain software; cryptographic and authentication capabilities; and computer and network security consulting. 
In unveiling the new security services, McNulty said "the critical need for comprehensive security has become an ever-growing concern of major businesses around the globe - particularly as millions of new users seek data on the Internet and other information super-highways. "Those businesses and organizations need to feel confident that they have the best protection available from the networks and systems to which they seek connections. "Digital's Internet Security Services, customized to each client's needs, are cost-effective, and embody the capabilities required to provide the level of confidence and security clients seek," McNulty added. SEAL's customized software provides the best detection available today to unauthorized connections between a user's private network and the Internet. Digital's tested Internet Security Services deliver real-world benefits like high-level security, reliable connectivity, detection of unauthorized network probing, enhanced auditing, and on-line support. "Internet security is not new to Digital," McNulty also noted. "These services are the result of more than a decade of our research and practical use of the Internet. They have been extensively used to secure Digital's own Internet connections, and have already been delivered to major multi-national corporations and organizations. "It is very common for Internet users to have no security through a direct connection to the Internet, or some security which can be provided by routers," McNulty noted. "But, ultimately, users need the high level of security and connectivity provided by a 'programmable' firewall coupled with a screened intelligent gateway which is available today through Digital's SEAL." Internet Security Services are available immediately in the United States, Canada, Latin America and Europe, and will be available in Asia later this calendar year. 
These services are part of an extensive Digital portfolio of security products and services designed to secure clients' business and computing environments. Internet Security Services are custom quoted. Prices for SEAL services begin at $25,000. Digital Equipment Corporation is the world's leader in open client/server solutions from personal computing to integrated worldwide information systems. Digital's scalable Alpha AXP platforms, storage, networking, software and services, together with industry-focused solutions from business partners, help organizations compete and win in today's global marketplace. #### Note to Editors: Digital, the Digital Logo, and Alpha AXP are trademarks of Digital Equipment Corporation. Mosaic is a trademark of the National Center for Supercomputing Applications. CORP/94/441 From firewalls-owner Fri May 13 22:26:50 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id WAA08138; Fri, 13 May 1994 22:26:50 GMT Received: from real.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA08132; Fri, 13 May 1994 15:26:38 -0700 Date: Fri, 13 May 94 18:25:52 EDT From: bret@real.com (Bret McDanel) Received: by real.com (4.1/3.2.012693-Realistic Technologies Inc); id AA11690 for firewalls@GreatCircle.COM; Fri, 13 May 94 18:25:52 EDT Message-Id: <9405132225.AA11690@real.com> To: firewalls@GreatCircle.COM Subject: Telnet Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Does anyone know where I can FTP telnet source? Or, does anyone know the BASIC shell for telnet (in C).. I don't need anything other than to be able to connect to a remote host, and a specific port.. I am going to try to write an app that will connect to a remote machine in a certain way, and possibly (with some help, prayers, and luck) write some software that will receive ONLY that program, and log them in.. Sorta an rsh, type thing..
But again, all I need to be able to do is connect to a SPECIFIC port on a remote host (maybe local, maybe internet).. Thanx in advance.. bret@real.com (if you feel like it, e-mailing me with it would be great).. From firewalls-owner Sat May 14 00:02:19 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id AAA08614; Sat, 14 May 1994 00:02:19 GMT Received: from lokkur.dexter.mi.us by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA08608; Fri, 13 May 1994 17:02:10 -0700 Received: (scs@localhost) by lokkur.dexter.mi.us (8.6.7/8.6.5) id UAA11463; Fri, 13 May 1994 20:00:36 -0400 From: Steve Simmons Message-Id: <199405140000.UAA11463@lokkur.dexter.mi.us> Subject: Re: FTP access from the Internet To: morganw@dbisna.com Date: Fri, 13 May 1994 20:00:35 -0400 (EDT) Cc: firewalls@GreatCircle.COM, fwall-users@tis.com In-Reply-To: from "morganw@dbisna.com" at May 13, 94 12:08:23 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 966 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk >The challenge enters into the picture once the customers have entered >the server, I'd like to be able to chroot them into their own file >structure. I don't want them browsing around. Here's an idea: treat all incoming ftps like anon ftp and do the chroot even if they give a password. This can probably be done with a simple hack to ftpd. Set up the directory tree like:
    bin        mode 555, owner/group root
    etc        mode 555, owner/group root
    lib        mode 555, owner/group root
    pub        mode 555, owner/group root
    clients    mode 551, owner root, group your-staff
      clientA  mode 770, owner clientA, group your-staff
      clientB  mode 770, owner clientB, group your-staff
      clientC  mode 770, owner clientC, group your-staff
All client ftp accounts are group `other'. Each client can view bin, etc, lib, pub, etc (I love that sequence).
No client can do an ls on /clients, can only cd to the directory they own, and your trusted staff can read/write the client areas.

From firewalls-owner Sat May 14 02:44:58 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id CAA09059; Sat, 14 May 1994 02:44:58 GMT
Received: from gatekeeper.nsc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA09053; Fri, 13 May 1994 19:44:48 -0700
Received: from nsc.nsc.com by gatekeeper.nsc.com (5.65/fma-120691) with SMTP; id AA25161 for firewalls@GreatCircle.COM; Fri, 13 May 94 19:45:51 -0700
Received: from mirage.nsc.com by nsc.nsc.com (5.65/1.34) with SMTP id AA16979 for firewalls@GreatCircle.COM; Fri, 13 May 94 19:45:50 -0700
Received: from jedi.nsc.com by mirage.nsc.com (4.1/SMI-4.1) id AA03216; Fri, 13 May 94 19:45:15 PDT
Date: Fri, 13 May 94 19:45:15 PDT
From: arielf@mirage.nsc.com (Ariel Faigon)
Message-Id: <9405140245.AA03216@mirage.nsc.com>
To: firewalls@GreatCircle.COM
Subject: One more vote for checkpoint/FW1
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hi, I'm new to this list. I saw some lively discussion about Checkpoint Firewall-1. I thought I may have a bit to contribute from first hand experience. I've been beta-testing Checkpoint/FW1 for a few months now. The product exceeded my expectations. I've seen a few firewall packages, and I think nothing compares with it.

What impressed me:

Centralized, friendly, easy to use GUI that can be used remotely (i.e. packet filter and UI can reside on any host, not necessarily the same one.) Note that the packet filter is completely separated from the GUI; I don't see any added complexity to the packet-filter due to the GUI, as some previous posters were concerned.

Extremely intuitive. No need to read heavy manuals. All operations work as expected from the UI (a firewall language is supported and the config files are editable ASCII, but you may do all common operations from the GUI by point and click.)
You can define arbitrary 'network objects' such as subnets, groups of hosts, routers etc. (The most obvious object partition will of course be your whole LAN vs. the rest of the Internet, but you can do much more than that.)

Can selectively enable/disable access for any service or groups of services from/to any network object by the click of a mouse (incoming FTP: yes, incoming telnet: no, outgoing connections: all enabled, etc.)

Excellent view of the filters (rules) that are installed.

Can log or alert by email upon requested events.

Very good views of log data.

Can select a "drop" option (rather than "reject") for each filter rule.

Loadable module, no kernel recompilation needed; installation is a snap, works straight from the box.

Multiple packet filters on various network objects can be installed.

SNMP support.

Still missing:

No (supposedly optional, user-customizable) packet data encryption, Kerberos or authentication support.

Runs only on SunOS.

I installed FW1 on an internal server and immediately put it to work, without reading the manual (there's a displayable PostScript guide online, but I didn't feel I needed it.) It blocked access to the services I told it to, and alerted me of everything I wanted. I didn't notice any degradation in performance while the packet filter was running on my Sun workstation.

In fact, the GUI and its intuitive, simple graphical design make FW1 more secure IMHO than comparable tools which don't show you the situation in an easy to grasp one-screen view. It is like WYSIWYG in the sense that what you see is exactly how your network is protected, and what you see is very thoughtfully and professionally displayed.

As if to corroborate this: FW-1 just won the McGraw-Hill best-of-show award in the security category at InterOp. I realize that the McGraw-Hill referees are not necessarily security experts, but I have a strong conviction that the Checkpoint guys are.

All in all, an awesome product.
Disclaimer: I have no affiliation with Checkpoint, I'm just a highly impressed user.

--
Peace, Ariel

From firewalls-owner Sat May 14 12:24:05 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA11310; Sat, 14 May 1994 12:24:05 GMT
Received: from real.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id FAA11304; Sat, 14 May 1994 05:23:58 -0700
Date: Sat, 14 May 94 08:23:12 EDT
From: bret@real.com (Bret McDanel)
Received: by real.com (4.1/3.2.012693-Realistic Technologies Inc); id AA23559 for Firewalls@GreatCircle.COM; Sat, 14 May 94 08:23:12 EDT
Message-Id: <9405141223.AA23559@real.com>
To: Firewalls@GreatCircle.COM
Subject: Telnet
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Thanx for all the replies (several more than expected), but I think I have all I need, so if it pleases the rest of you we can resume talking about other things :) ... Thanx again for all the help..

From firewalls-owner Sat May 14 21:31:26 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA12730; Sat, 14 May 1994 21:31:26 GMT
Received: from sirius.kbsi.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA12724; Sat, 14 May 1994 14:31:18 -0700
Received: from sirius.kbsi.com by sirius.kbsi.com id <10993>; Sat, 14 May 1994 16:40:20 -0500
Received: from csrcot1.kbsi.com(192.203.191.177) by sirius via smap (V1.0mjr) id sma011310; Sat May 14 16:39:44 1994
Received: from CSRCOT1/MAILQUEUE by csrcot1.kbsi.com (Mercury 1.11); Sat, 14 May 94 16:31:17 GMT-6
Received: from MAILQUEUE by CSRCOT1 (Mercury 1.11); Sat, 14 May 94 16:30:55 GMT-6
From: "Michael T. Futrell"
Organization: CALS Shared Resource Center/Orange
To: firewalls@GreatCircle.COM
Date: Sat, 14 May 1994 17:30:50 -0500
Subject: TIS Toolkit and Mosaic -- ideas?
Reply-to: mfutrell@csrc.kbsi.com
Priority: normal
X-mailer: Pegasus Mail v3.1 (R0)
Message-ID: <291C5B246E@csrcot1.kbsi.com>
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hello All--

Anyone had any success using the TIS Toolkit firewall software with Mosaic? In my case, the firewall is a Sun and the potential Mosaic machines are PCs. Any thoughts would be appreciated.

Thanks,
Mike Futrell
------------
mfutrell@csrc.kbsi.com
CALS Shared Resource Center
409 882-3950
300 N. Fourth Street
Orange, TX 77630

From firewalls-owner Sun May 15 03:42:50 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id DAA13783; Sun, 15 May 1994 03:42:50 GMT
Received: from gatekeeper.Bridge.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA13777; Sat, 14 May 1994 20:42:34 -0700
Received: from localhost (mail@localhost) by gatekeeper.Bridge.COM (8.6.5/8.6.5) id WAA08441; Sat, 14 May 1994 22:41:31 -0500
Received: from racerx.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma008439; Sat May 14 22:41:01 1994
Received: from bert.bridge.com (ernie.bridge.com) by racerx.bridge.com with SMTP id AA02575 (5.67b/IDA-1.5); Sat, 14 May 1994 22:44:03 -0500
Received: by bert.bridge.com (4.1/SMI-4.1) id AA24051; Sat, 14 May 94 22:43:28 CDT
Date: Sat, 14 May 1994 22:33:50 -0500 (CDT)
From: Ken Hardy
Subject: Re: TIS Toolkit and Mosaic -- ideas?
To: "Michael T. Futrell"
Cc: firewalls@greatcircle.com
In-Reply-To: <291C5B246E@csrcot1.kbsi.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

On Sat, 14 May 1994, Michael T. Futrell wrote:

> Anyone had any success using the TIS Toolkit firewall software with
> Mosaic? In my case, the firewall is a Sun and the potential Mosaic
> machines are PCs. Any thoughts would be appreciated.

The CERN httpd operating as a proxy works fine with netacl.
Beware that it has to be launched and read its config file for _each_ access when used this way. But the config file is typically very small when being used solely as a proxy. I've tried it running from inetd (netacl) and as a daemon, and I don't really notice any performance difference. I'd be interested in hearing others' experiences with the same.

Can anyone vouch for CERN httpd's access protection? It should give almost as much protection as netacl (when configured properly and run explicitly chrooted), but I'm apprehensive about giving up netacl in which I have confidence.

Ken Hardy
ken@bridge.com
--__-_____--__-__--_--__-___-__-__-___----

From firewalls-owner Sun May 15 00:19:19 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id HAA16738; Sun, 15 May 1994 07:11:46 GMT
Received: from mycroft.GreatCircle.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id AAA16730; Sun, 15 May 1994 00:11:40 -0700
Message-Id: <199405150711.AAA16730@mycroft.GreatCircle.COM>
To: Firewalls@GreatCircle.COM
Subject: Firewalls archive and FAQ now available by WAIS
Date: Sun, 15 May 1994 00:11:39 -0700
From: Brent Chapman
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

The Firewalls archive (actually, the Firewalls-Digest archive; it was easier to convert that to a WAIS database) and the FAQ written by Marcus Ranum are both now available by WAIS. Both are on host WAIS.GreatCircle.COM, port 210 (the standard WAIS port), under database names "firewalls-digest" and "firewalls-faq", respectively. The servers have both been registered with the WAIS directory-of-servers folks, though I don't know how long it takes for such registrations to propagate.
-Brent

--
Brent Chapman          | Great Circle Associates | Call or email for info about
Brent@GreatCircle.COM  | 1057 West Dana Street   | upcoming Internet Security
+1 415 962 0841        | Mountain View, CA 94041 | Firewalls Tutorial dates

From firewalls-owner Mon May 16 00:34:42 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id AAA20769; Mon, 16 May 1994 00:34:42 GMT
Received: from mycroft.GreatCircle.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA20762; Sun, 15 May 1994 17:34:36 -0700
Message-Id: <199405160034.RAA20762@mycroft.GreatCircle.COM>
To: messmanj@ohsu.edu (John Messman,PC-D,Metro)
cc: firewalls@GreatCircle.COM
Subject: Re: FW config help
In-reply-to: Your message of Thu May 12 17:05:20 PDT 1994
Date: Sun, 15 May 1994 17:34:35 -0700
From: Brent Chapman
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

messmanj@ohsu.edu (John Messman,PC-D,Metro) writes:

# 1. Is it bad to have C-news database on firewall.

In general, I don't like having the bastion host be a news server for several reasons. First, you can't have any private or confidential newsgroups, because you don't want them exposed if the bastion host is broken into. Second, access to the news on the bastion host is a hassle for users; either they have to use NNTP-based newsreaders (maybe not a problem, as long as your users don't want readers that don't fully support NNTP, like NN), or you have to export the /var/spool/news via NFS (very bad), or you have to let the users onto the bastion host to read news (VERY bad).

I think it's safe enough to open a peephole in your packet filtering (or set up a proxy, if you're doing application-level gateways instead) to allow for NNTP across the firewall, as long as you restrict it to ONLY NNTP and ONLY between your internal news server and your news feed (or feeds).
One of the key differences between NNTP and SMTP from a network security point of view is, you know exactly where your NNTP connections will be coming from, and it's a short list (unlike SMTP, where you might get connections from anywhere on the Internet to send you mail). In order to attack you through this NNTP peephole, your feed site would first have to be compromised (because that's where the attack would have to come from), and there would have to be a bug in your NNTP server to exploit (I'm not saying that there aren't any, but I don't _know_ of any, and NNTP (or at least the standard "nntpd" release) has had a much more trouble-free history with security bugs than things like Sendmail).

# 2. Do I need to use TCPwrappers for NNTP connections to the firewall from
# magic kingdom boxes? Some of the boxes will be PCs and Macs.

Probably a good idea.

-Brent

--
Brent Chapman          | Great Circle Associates | Call or email for info about
Brent@GreatCircle.COM  | 1057 West Dana Street   | upcoming Internet Security
+1 415 962 0841        | Mountain View, CA 94041 | Firewalls Tutorial dates

From firewalls-owner Mon May 16 12:32:59 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA23888; Mon, 16 May 1994 12:32:59 GMT
Received: from gatekeeper.ray.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id FAA23882; Mon, 16 May 1994 05:32:50 -0700
Received: from localhost (mailer@localhost) by gatekeeper.ray.com (8.6.4/8.6.5) id IAA19245 for ; Mon, 16 May 1994 08:32:58 -0400
Received: from rayssd.ssd.ray.com by gatekeeper.ray.com; Mon May 16 08:32:48 1994
Received: from fluke.ssd.ray.com (fluke.ssd.ray.com [138.125.192.34]) by rayssd.ssd.ray.com (8.6.5/8.6.5) with ESMTP id IAA27850 for ; Mon, 16 May 1994 08:32:18 -0400
Received: from localhost (dhb@localhost) by fluke.ssd.ray.com (8.6.4/8.6.4) id IAA16977 for firewalls@GreatCircle.COM; Mon, 16 May 1994 08:32:17 -0400
Message-Id: <199405161232.IAA16977@fluke.ssd.ray.com>
From: dhb@ssd.ray.com (David H. Brierley)
Date: Mon, 16 May 1994 08:32:17 -0400
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
To: firewalls@GreatCircle.COM
Subject: Re: trojans on ftp sites
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

On May 13, 13:35, Christopher Klaus wrote:
> > > > Yeah, great ... when you can trust everybody who runs an archie server.
> > I don't know any of those people personally, so how can I trust them that
> > checksums they announce are real?
> That would be a big conspiracy for the archie server admins to correct
> their database after an intruder modified the programs. And if
> you tried different archie sites, all the admins at all the archie servers
> must be part of this conspiracy.

Umm, Okay. Let's assume that I am a bad guy who has managed to infiltrate a site that is providing anonymous ftp services. I proceed to replace various popular programs with modified versions that have various trojan horses or back doors or whatever. Knowing that the various archie servers are going to request a checksum for my files and then set off various alarms if my checksums do not match everybody else's checksums, what makes you think I would not be smart enough to modify the program that produces the checksums so that it reports the same value that all the other sites are reporting? The only problem I now have is if someone gets a copy of a modified program from me and then puts it up for anonymous ftp. When they generate the checksum it would not match everybody else and eventually the problem could be tracked down to the site that I compromised.

--
David H. Brierley; Raytheon Company, Submarine Signal Directorate
Work: dhb@ssd.ray.com    Home: dave@galaxia.network23.com

From firewalls-owner Mon May 16 14:43:44 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA24433; Mon, 16 May 1994 14:43:44 GMT
Received: from MSC.ARL.MIL by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id HAA24427; Mon, 16 May 1994 07:43:32 -0700
Message-Id: <199405161443.HAA24427@mycroft.GreatCircle.COM>
Date: Mon, 16 May 94 10:44:21 EDT
From: "Robert Rosen, AMSRL-CI-T, 301-394-5442"
To: firewalls@greatcircle.com
Subject: unsubscribe
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

unsubscribe

From firewalls-owner Mon May 16 15:15:13 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA24609; Mon, 16 May 1994 15:15:13 GMT
Received: from shadow.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id IAA24595; Mon, 16 May 1994 08:15:00 -0700
Received: (cklaus@localhost) by shadow.net (8.6.8.1/jc-1.0) id LAA28084; Mon, 16 May 1994 11:17:56 -0400
From: Christopher Klaus
Message-Id: <199405161517.LAA28084@shadow.net>
Subject: Re: trojans on ftp sites
To: dhb@ssd.ray.com (David H. Brierley)
Date: Mon, 16 May 94 11:17:56 EDT
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199405161232.IAA16977@fluke.ssd.ray.com>; from "David H. Brierley" at May 16, 94 8:32 am
X-Mailer: ELM [version 2.3 PL0]
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> > On May 13, 13:35, Christopher Klaus wrote:
> > > > > > Yeah, great ... when you can trust everybody who runs an archie server.
> > > I don't know any of those people personally, so how can I trust them that
> > > checksums they announce are real?
> > That would be a big conspiracy for the archie server admins to correct
> > their database after an intruder modified the programs. And if
> > you tried different archie sites, all the admins at all the archie servers
> > must be part of this conspiracy. Umm, Okay.
>
> Let's assume that I am a bad guy who has managed to infiltrate a site that is
> providing anonymous ftp services. I proceed to replace various popular programs
> with modified versions that have various trojan horses or back doors or whatever.
> Knowing that the various archie servers are going to request a checksum for my
> files and then set off various alarms if my checksums do not match everybody
> else's checksums, what makes you think I would not be smart enough to modify the
> program that produces the checksums so that it reports the same value that all
> the other sites are reporting? The only problem I now have is if someone gets
> a copy of a modified program from me and then puts it up for anonymous ftp. When
> they generate the checksum it would not match everybody else and eventually the
> problem could be tracked down to the site that I compromised.
>

That is why we would use md5 or stronger checksum. It should be virtually impossible to make your files' checksums match.

--
Christopher William Klaus
Internet Security Systems, Inc.
2209 Summit Place Drive, Dunwoody GA 30350-2430.
(404)998-5871.
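To make the two positions in this thread concrete, here is an added example (not code from either poster) that models a set of mirrors, one of them compromised the way David describes, and contrasts what a comparison of the mirrors' *announced* checksums sees with what you see after hashing the fetched bytes yourself. Mirror names, file contents and the trojaned copy are constructed, and SHA-256 stands in for Chris's "md5 or stronger".

```python
"""Independent checksum verification across archive mirrors.

Added example, not code from the thread.  It models the exchange above:
a compromised anonymous-FTP site can both replace a program and patch
its own checksum tool so that the value it *announces* matches what the
other sites announce, so the only checksum worth trusting is the one you
compute yourself over the bytes you actually fetched, compared with the
values computed independently over what the other mirrors serve.
Mirror names, file contents and the trojaned copy are all constructed.
"""
import hashlib
from collections import Counter

# Constructed sample: the genuine program and a modified copy of it.
GENUINE = b"#!/bin/sh\n# example tool v1.0\nexec /usr/bin/true\n"
TROJANED = b"#!/bin/sh\n# example tool v1.0\nexec /usr/bin/true  # patched\n"


def digest(data: bytes) -> str:
    """'md5 or stronger': SHA-256 is the stronger choice used here."""
    return hashlib.sha256(data).hexdigest()


# Each mirror: the bytes it serves and the checksum its *own* tool announces.
# mirror-c is the compromised site from the message above: it serves the
# modified program, but its patched checksum program reports the genuine
# program's digest, so its announcement matches everyone else's.
MIRRORS = {
    "mirror-a": {"served": GENUINE, "announced": digest(GENUINE)},
    "mirror-b": {"served": GENUINE, "announced": digest(GENUINE)},
    "mirror-c": {"served": TROJANED, "announced": digest(GENUINE)},
}


def naive_check(mirrors):
    """What a comparison of *announced* values alone sees: every mirror
    agrees, so no alarm is raised for the compromised one."""
    announced = {m: info["announced"] for m, info in mirrors.items()}
    consensus, _ = Counter(announced.values()).most_common(1)[0]
    return {m: ("ok" if v == consensus else "MISMATCH") for m, v in announced.items()}


def verify(mirrors):
    """Recompute every digest locally over the served bytes and compare
    against the majority value.  Assumes most mirrors are honest: a
    majority of compromised mirrors would shift the consensus."""
    computed = {m: digest(info["served"]) for m, info in mirrors.items()}
    consensus, _ = Counter(computed.values()).most_common(1)[0]
    verdicts = {}
    for m, info in mirrors.items():
        if computed[m] != consensus:
            verdicts[m] = "MISMATCH: served bytes differ from the other mirrors"
        elif info["announced"] != computed[m]:
            verdicts[m] = "SUSPECT: announced checksum does not match its own bytes"
        else:
            verdicts[m] = "ok"
    return verdicts


if __name__ == "__main__":
    print("announced values only:", naive_check(MIRRORS))
    print("recomputed locally:   ", verify(MIRRORS))
```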
From firewalls-owner Mon May 16 15:59:00 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA24915; Mon, 16 May 1994 15:59:00 GMT
Received: from jpmorgan by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id IAA24909; Mon, 16 May 1994 08:58:45 -0700
From: cyerkes@jpmorgan.com
Received: by jpmorgan (8.6.4/fma-120691.2); id LAA14955; Mon, 16 May 1994 11:59:43 -0400
Received: by tcpg01a.ny.jpmorgan.com (8.6.4/fma-120691); id LAA26200; Mon, 16 May 1994 11:59:42 -0400
Received: from delacroix.lsi.ny.jpmorgan.com by athena1.lsi.ny.jpmorgan.com with SMTP id LAA28231; Mon, 16 May 1994 11:59:41 -0400
Received: by delacroix.lsi.ny.jpmorgan.com (4.1/4.7) id AA00156; Mon, 16 May 94 11:59:41 EDT
Date: Mon, 16 May 94 11:59:41 EDT
Message-Id: <9405161559.AA00156@delacroix.lsi.ny.jpmorgan.com>
To: Firewalls@GreatCircle.COM
Subject: Re: FTP Security
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>> >Sez Marcus J Ranum (for which I'm grateful):
>> >
>> > Scanning for DOS virii on a UNIX box is also a bit of a
>> >wild goose chase. Why? Because any DOS executable that's being
>> >transmitted through the UNIX box is probably encoded for transmission
>> >and then you have the whole issue of figuring out what the encoding
>> >is and means...
>> IBM's AIX does have a 'virscan' command which can examine DOS executables
>> for a pre-set list of well-known virus "signatures." As Marcus
>> notes, encoded stuff can't be scanned, but if it's unpacked under
>> AIX, 'virscan' might be useful.
>
> Got a question for you folks: How do other virii
> checkers work? Ie., there are a couple of virii
> checking programs for Macintosh that I know of.
> Windows 3.1 (or is it DOS?) comes with some checking
> program. How do they scan virus? Do they
> just look at known characteristics of known virii?
> If that's the case, they are pretty weak against
> newly written worms, aren't they?

Well, Yes. They are. But first, (worm != virus).
A virus often modifies binaries of idle programs - virtually impossible with Unix. Worms are usually separate programs that find a way to run on a target computer to do something.

New viruses come out fairly regularly. That's why Symantec (for example; one of many like companies) has updates for their virus scanner data every couple months. Pretty much they scan the binaries for a known series of bytes. Or a background task watches for modifications to sensitive files.. Or they generate checksums for all the files on your disk and will let you know when they change. Or all of the above.

It seems that it SHOULD be possible to look for certain series of bytes in a program, assuming it's uncompressed in any way, but, as Mr. Ranum pointed out (less colorfully), relying on the fact that a program is coming through in a known format is like assuming you can spot a murderer because he's carrying a bloody knife - there are just too many options for formats to transfer programs in.

I DID hear of a program to scan a Unix file system for DOS viruses in programs stored for NFS mounting - unzipped, etc, but that was YEARS ago and it would seem to have disappeared.

chuck
--
chuck yerkes consultant
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
I have no opinions that my employers would care to share.
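As an added illustration of the point Chuck and Marcus make (not code from the thread): the following scans a constructed sample for a constructed byte signature, then shows the same bytes passing a raw scan untouched once the file is uuencoded or compressed for transfer, and being found again only after the relay recognizes and undoes the encoding. The signature, the sample file and the helper names are all made up for this example.

```python
"""Why a byte-signature scan on the UNIX relay misses encoded files.

Added example, not code from the thread.  A scanner that looks for a
known series of bytes (as Chuck describes) finds the pattern in the raw
binary but not in a uuencoded or compressed copy of the same file, which
is Marcus Ranum's objection; the relay only gets a hit again after it
recognizes and undoes the encoding.  The signature and the sample "DOS
executable" are constructed for this example and are not real patterns.
"""
import binascii
import zlib

# Constructed signature and a constructed file that contains it.
SIGNATURE = b"\x90\x90\xe8\x00\x00\xde\xad"            # made-up pattern
SAMPLE_EXE = b"MZ" + b"\x00" * 30 + SIGNATURE + b"\x00" * 20


def scan_raw(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Plain signature match over the bytes exactly as they pass the relay."""
    return signature in data


def uuencode(data: bytes, name: str = "sample.exe") -> bytes:
    """uuencode the file the way a mailer would (45 input bytes per line)."""
    lines = [f"begin 644 {name}\n".encode()]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45]))
    lines.append(b"`\nend\n")
    return b"".join(lines)


def uudecode(text: bytes) -> bytes:
    """Inverse of uuencode(): skip the begin/end framing, decode each line."""
    out = bytearray()
    for line in text.splitlines(keepends=True):
        if line.startswith(b"begin ") or line.strip() in (b"end", b"`"):
            continue
        out += binascii.a2b_uu(line)
    return bytes(out)


def scan_transfer(payload: bytes) -> dict:
    """Scan the transfer as received, then try to unwrap the encodings the
    relay knows about and scan the decoded bytes.  Returns which view of
    the payload matched the signature and which encoding was recognized."""
    result = {"raw": scan_raw(payload), "decoded": False, "encoding": None}
    if payload.startswith(b"begin "):
        result["encoding"] = "uuencode"
        result["decoded"] = scan_raw(uudecode(payload))
        return result
    try:
        # zlib stands in here for "compressed for transfer".
        plain = zlib.decompress(payload)
    except zlib.error:
        return result                      # unknown format: the scanner is blind
    result["encoding"] = "zlib"
    result["decoded"] = scan_raw(plain)
    return result


if __name__ == "__main__":
    print("raw binary:", scan_raw(SAMPLE_EXE))
    print("uuencoded: ", scan_transfer(uuencode(SAMPLE_EXE)))
    print("compressed:", scan_transfer(zlib.compress(SAMPLE_EXE)))
```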
From firewalls-owner Mon May 16 17:21:49 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA25521; Mon, 16 May 1994 17:21:49 GMT
Received: from gatekeeper.Bridge.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA25515; Mon, 16 May 1994 10:21:38 -0700
Received: from localhost (mail@localhost) by gatekeeper.Bridge.COM (8.6.5/8.6.5) id MAA09736; Mon, 16 May 1994 12:20:31 -0500
Received: from racerx.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma009734; Mon May 16 12:20:28 1994
Received: from bert.bridge.com (ernie.bridge.com) by racerx.bridge.com with SMTP id AA00509 (5.67b/IDA-1.5); Mon, 16 May 1994 12:23:42 -0500
Date: Mon, 16 May 1994 12:23:42 -0500
From: Ken Hardy
Message-Id: <199405161723.AA00509@racerx.bridge.com>
To: cyerkes@jpmorgan.com
Subject: Re: virus scanning (was: FTP Security)
Cc: Firewalls@greatcircle.com
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Take this to comp.virus and return to firewalls, please.
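Going back to Brent Chapman's NNTP peephole above (and Joe Rhett's reply that follows): an added example, not from the thread, that models "ONLY NNTP and ONLY between your internal news server and your news feed" as a first-match packet filter with a default deny, including the ACK-bit check on return traffic. Addresses (documentation ranges), the rule format and the function names are this example's own assumptions, not any router's syntax.

```python
"""Packet-filter model of the NNTP "peephole" in Brent Chapman's reply.

Added example, not code from the thread.  It expresses "ONLY NNTP and
ONLY between your internal news server and your news feed" as a
first-match rule list with a default deny, including the ACK-bit check
on inbound return traffic so that the reply rule cannot be used to open
a new connection into the inside.  Addresses (documentation ranges), the
rule format and the function names are this example's own assumptions,
not any particular screening router's syntax.
"""
from dataclasses import dataclass

NNTP = 119
NEWS_SERVER = "192.0.2.10"                    # internal news host (constructed)
FEEDS = {"198.51.100.5", "203.0.113.7"}       # the feed sites (constructed)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    ack: bool          # TCP ACK flag: set on every packet except the opening SYN


def _tcp(p: Packet) -> bool:
    return p.proto == "tcp"


# (name, predicate, action).  First match wins; anything unmatched is denied.
# Both directions of each connection need a rule, but the return-traffic
# rules require ACK so they only carry packets of an already open connection.
RULES = [
    # our server opens a connection to a feed
    ("news-out",
     lambda p: _tcp(p) and p.src == NEWS_SERVER and p.dst in FEEDS and p.dport == NNTP,
     "permit"),
    ("news-in-reply",
     lambda p: _tcp(p) and p.src in FEEDS and p.dst == NEWS_SERVER
               and p.sport == NNTP and p.ack,
     "permit"),
    # a feed opens a connection to our server (incoming batches)
    ("feed-in",
     lambda p: _tcp(p) and p.src in FEEDS and p.dst == NEWS_SERVER and p.dport == NNTP,
     "permit"),
    ("feed-out-reply",
     lambda p: _tcp(p) and p.src == NEWS_SERVER and p.dst in FEEDS
               and p.sport == NNTP and p.ack,
     "permit"),
]


def filter_packet(p: Packet) -> tuple:
    """Return (rule name, action) for the first matching rule, else a default deny."""
    for name, pred, action in RULES:
        if pred(p):
            return name, action
    return "default", "deny"


if __name__ == "__main__":
    samples = [
        Packet(NEWS_SERVER, "198.51.100.5", "tcp", 4321, NNTP, False),   # we connect out
        Packet("198.51.100.5", NEWS_SERVER, "tcp", NNTP, 4321, True),    # its replies
        Packet("198.51.100.5", NEWS_SERVER, "tcp", NNTP, 23, False),     # from port 119, no ACK
        Packet("203.0.113.99", NEWS_SERVER, "tcp", 4000, NNTP, False),   # not a feed site
        Packet("198.51.100.5", "192.0.2.20", "tcp", 4000, NNTP, False),  # feed to another host
    ]
    for s in samples:
        print(f"{s.src}:{s.sport} -> {s.dst}:{s.dport} ack={s.ack}: {filter_packet(s)}")
```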
From firewalls-owner Mon May 16 20:57:09 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA26850; Mon, 16 May 1994 20:57:09 GMT
Received: from netcomsv.netcom.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA26844; Mon, 16 May 1994 13:56:53 -0700
Received: from sgsjsco.sextantgroup.com by netcomsv.netcom.com with ESMTP (8.6.4/SMI-4.1) id NAA02789; Mon, 16 May 1994 13:57:38 -0700
Received: from smtplink.sextantgroup.com by sgsjsco.sextantgroup.com with SMTP (8.6.8.1/1.2-eef) id NAA09216; Mon, 16 May 1994 13:54:57 -0700
Received: from ccMail by smtplink.sextantgroup.com id AA769122135 Mon, 16 May 94 14:02:15 PST
Date: Mon, 16 May 94 14:02:15 PST
From: "Rhett, Joe"
Message-Id: <9404167691.AA769122135@smtplink.sextantgroup.com>
To: Brent Chapman , Firewalls@GreatCircle.Com
Subject: Re[2]: FW config help
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>In general, I don't like having the bastion host be a news server for
>several reasons. First, you can't have any private or confidential
>newsgroups, because you don't want them exposed if the bastion host is
>broken into. Second, access to the news on the bastion host is a
>hassle for users; either they have to use NNTP-based newsreaders
>(maybe not a problem, as long as your users don't want readers that
>don't fully support NNTP, like NN), or you have to export the
>/var/spool/news via NFS (very bad), or you have to let the users onto
>the bastion host to read news (VERY bad).

All very well and true, but you are forgetting something a few people seem to miss. You can safely (not really, but safer) access data "from" a firewall by having the firewall itself mount the volume from another machine, and the users mount from this safe machine as well. Not safe, but safer than having everyone mount from the firewall. This assumes that one of the above is your only choice, for whatever reason.
In general, I employ packet filtering (and maybe proxy forwarding in the future) to allow the news to go in and out while protecting the internal systems.

From firewalls-owner Mon May 16 22:46:24 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id WAA27619; Mon, 16 May 1994 22:46:24 GMT
Received: from wintermute.imsi.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA27608; Mon, 16 May 1994 15:46:14 -0700
Received: from relay.imsi.com by wintermute.imsi.com id SAA23708; Mon, 16 May 1994 18:45:42 -0400
Received: from webster.imsi.com by relay.imsi.com id SAA26778; Mon, 16 May 1994 18:45:40 -0400
Received: from localhost by webster.imsi.com (4.1/SMI-4.1) id AA19537; Mon, 16 May 94 18:45:40 EDT
Message-Id: <9405162245.AA19537@webster.imsi.com>
To: "Rhett, Joe"
Cc: Firewalls@greatcircle.com
Subject: Re: Re[2]: FW config help
In-Reply-To: Your message of "Mon, 16 May 1994 14:02:15 PST." <9404167691.AA769122135@smtplink.sextantgroup.com>
Reply-To: rens@imsi.com
Date: Mon, 16 May 1994 18:45:39 -0400
From: Rens Troost
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>>>>> On Mon, 16 May 94 14:02:15 PST, "Rhett, Joe" said:

JRhett> All very well and true, but you are forgetting something
JRhett> a few people seem to miss. You can safely (not really, but
JRhett> safer) access data "from" a firewall by having the
JRhett> firewall itself mount the volume from another machine, and
JRhett> the users mount from this safe machine as well.

Safer than what? It's pretty hazardous to allow NFS on your firewall. Even if you (think you) have exported nothing, are you certain that the right filehandle won't be the key to the city? Have you read all that code? I like my areas of exposure to be well defined/understood. I do not consider NFS to be in that category.
-Rens

From firewalls-owner Tue May 17 03:25:14 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id DAA29028; Tue, 17 May 1994 03:25:14 GMT
Received: from gatekeeper.open.ch by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA29022; Mon, 16 May 1994 20:25:03 -0700
Received: (from mail@localhost) by gatekeeper.open.ch (8.6.8/8.6.6) id FAA07101 for ; Tue, 17 May 1994 05:25:38 +0200
Received: from pizza.open.ch(192.94.233.11) by gatekeeper via smap (V1.3mjr) id sma009915; Tue May 17 05:25:28 1994
Received: from slice.open.ch (slice [192.94.233.12]) by pizza (8.6.8/8.6.6) with SMTP id FAA10348 for ; Tue, 17 May 1994 05:25:26 +0200
From: Goetz von Escher
Message-Id: <199405170325.FAA10348@pizza>
Received: by slice.open.ch (NX5.67d/NX3.0X) id AA01162; Tue, 17 May 94 05:25:25 +0200
Subject: NTP and firewalls
To: firewalls@greatcircle.com
Date: Tue, 17 May 1994 05:25:24 +0200 (MET DST)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1655
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I'm interested in other people's opinions regarding the network time protocol and firewalls:

In the notes.txt file of the xntpd distribution the 'preferred configuration' is defined as follows:

"The preferred configuration is at least three administratively coordinated time servers providing service throughout the administrative domain including campus networks and subnetworks. Each of these should obtain service from at least two different outside sources of synchronization, preferably via different gateways and access paths."

There are two problems with this in a network that is connected to the Internet through a firewall:

1. The firewall is a single access point and therefore also a single point of failure. Once it fails the internal network is cut off from the Internet and synchronization is no longer possible.

2. To achieve the setup proposed in the notes.txt file (see above) you must install multiple NTP tunnels through the firewall.

Do you consider NTP (with authentication enabled) a secure protocol? Have there been any security problems?

I'm interested in all comments to this. I will summarize the answers if there is any interest.

--
Goetz von Escher      email: Goetz.von-Escher@Open.CH
Open Systems AG       voice: +41 (61) 262-0505
Basel, Switzerland    FAX:   +41 (61) 262-0510

From firewalls-owner Tue May 17 04:00:59 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id EAA29141; Tue, 17 May 1994 04:00:59 GMT
Received: from DUKEMC.MC.DUKE.EDU by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA29135; Mon, 16 May 1994 21:00:52 -0700
Received: from orion (orion.mc.duke.edu) by mc.duke.edu (PMDF V4.2-15 #5528) id <01HCFC9O02R4009MII@mc.duke.edu>; Tue, 17 May 1994 00:06:45 EDT
Received: from ipl.orion.mc.duke.edu by orion (4.1/SMI-4.1) id AA26563; Tue, 17 May 94 00:01:14 EDT
Date: Mon, 16 May 1994 23:57:18 -0400 (EDT)
From: ajl@Orion.MC.Duke.EDU (Arne J. Ludwig)
Subject: Re: What is IP Source Routing?
In-reply-to: <9405131632.AA00277@eng.xyplex.com> from "Thomas D. Nadeau" at May 13, 94 12:32:57 pm
To: tdn@tdn.xyplex.com (Thomas D. Nadeau)
Cc: jmclip@world.std.com, firewalls@GreatCircle.COM
Message-id: <9405170401.AA26563@orion>
X-Mailer: ELM [version 2.4 PL21]
Content-type: text
Content-transfer-encoding: 7BIT
Content-Length: 708
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> >Many UNIX kernels will forward a source-routed packet EVEN IF "IP
> >Forwarding" has supposedly been disabled on that kernel.
> >
> >jmp> Does anyone know how to determine if one's kernel has that [...]
>
> Well, this sounds like a bug in the kernel to me. If routing is
> administratively "off", then it should not be forwarding *any*
> traffic.

To me this doesn't sound like a bug. Source routing is a debugging tool to bypass a router when it is broken for some reason, so it seems to me that it should *always* work. A firewall router is a special case that needs special treatment, so disabling source routing should be an additional kernel option (and not be hidden under ip_forwarding).

Arne

From firewalls-owner Tue May 17 04:33:08 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id EAA29644; Tue, 17 May 1994 04:33:08 GMT
Received: from london.micrognosis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA29638; Mon, 16 May 1994 21:32:56 -0700
Received: by london.micrognosis.com (4.1/NAR-Gateway) id AA28026; Tue, 17 May 94 05:33:23 BST
Received: from zeus.london.micrognosis.com(192.83.165.17) by midas via smap (V1.0mjr) id sma028023; Tue May 17 05:33:11 1994
Received: from pmips01 by zeus.london.micrognosis.com (4.1/SMI-4.1) id AA14024; Tue, 17 May 94 05:33:10 BST
From: nreadwin@london.micrognosis.com (Neil Readwin)
Received: by pmips01 (4.1//ident-1.0) id AA02660; Tue, 17 May 94 05:33:09 BST
Message-Id: <9405170433.AA02660@pmips01>
Subject: Re: NTP and firewalls
To: Goetz.von-Escher@open.ch (Goetz von Escher)
Date: Tue, 17 May 1994 05:33:08 +0100 (BST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199405170325.FAA10348@pizza> from "Goetz von Escher" at May 17, 94 05:25:24 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1262
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> I'm interested in other people's opinions regarding the network time
> protocol and firewalls:

Personally I run NTP on the firewall itself and let it sync to our IP provider. The firewall serves time to the internal net. How accurate do you want your clocks to be?
For us it is useful to have all the machines on the network in sync but I wouldn't be too bothered if we synced the internal master by phoning up the speaking clock once a week :-) > 1. Once [the firewall] fails the internal network is cut off from > the Internet and synchronization is no longer possible. You can no longer sync to outside sources but your internal server should keep the rest of the machines drifting in sync. If you lose IP connectivity then inaccurate time will be the last thing your users will be screaming about :-) > Do you consider NTP (with authentication enabled) > a secure protocol? Have there been any security problems? I know of no problems with NTP. Somehow I just have a warm fuzzy feeling about it :-) That's more than can be said for some of the other software that our firewall runs (like sendmail). Neil. -- nreadwin@micrognosis.co.uk Phone: +1 718 273 8234 Anything is a cause for sorrow that my mind or body has made From firewalls-owner Tue May 17 06:35:41 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id GAA00595; Tue, 17 May 1994 06:35:41 GMT Received: from research.att.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id XAA00582; Mon, 16 May 1994 23:35:32 -0700 From: smb@research.att.com Message-Id: <199405170635.XAA00582@mycroft.GreatCircle.COM> Date: Mon, 16 May 94 23:32:41 EDT To: Goetz.von-Escher@open.ch, nreadwin@london.micrognosis.com Subject: Re: NTP and firewalls Cc: firewalls@GreatCircle.COM Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > Do you consider NTP (with authentication enabled) > a secure protocol? Have there been any security problems? I know of no problems with NTP. Somehow I just have a warm fuzzy feeling about it :-) That's more than can be said for some of the other software that our firewall runs (like sendmail). Neil. There's a paper by Matt Bishop on ntp security; you can pick it up from louie.udel.edu:/pub/ntp/doc/bishop.ps.Z.
The risk, even in the worst case, is only to your time setting; however, if you use a time-based authentication scheme (SecureID, Kerberos, etc.), that could be a problem. Personally, I rate the real risk as comparatively low. But we use challenge/response.... From firewalls-owner Tue May 17 08:23:29 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id IAA00921; Tue, 17 May 1994 08:23:29 GMT Received: from emma.ruc.dk by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id BAA00915; Tue, 17 May 1994 01:23:22 -0700 Received: by emma.ruc.dk (4.1/JBA-1.18) id AA08272; Tue, 17 May 94 10:24:52 +0200 From: lsd@ruc.dk (Lauge Stendahl Johansen) Message-Id: <9405170824.AA08272@emma.ruc.dk> Subject: unsuscribe To: firewalls@greatcircle.com Date: Tue, 17 May 1994 10:24:51 +0200 (MET DST) X-Mailer: ELM [version 2.4 PL21] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 13 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk unsuscribe From firewalls-owner Tue May 17 03:49:48 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA01225; Tue, 17 May 1994 09:01:35 GMT Received: from srv.cip.physik.tu-muenchen.de by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id CAA01196; Tue, 17 May 1994 02:01:19 -0700 Received: from ss5.cip.physik.tu-muenchen.de by srv.cip.physik.tu-muenchen.de with SMTP id AA00111 for (5.67a/IDA-1.5/bs03); Tue, 17 May 1994 11:01:44 +0200 Message-Id: <199405170901.AA00111@srv.cip.physik.tu-muenchen.de> To: Christopher Klaus Cc: dhb@ssd.ray.com (David H. Brierley), firewalls@greatcircle.com Subject: Re: trojans on ftp sites In-Reply-To: Your message of "Mon, 16 May 94 11:17:56 EDT." 
<199405161517.LAA28084@shadow.net> Date: Tue, 17 May 94 11:01:44 +0200 From: Bernhard.Schneck@Physik.TU-Muenchen.DE Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk In message <199405161517.LAA28084@shadow.net> you write: > That is why we would use md5 or stronger checksum. It should be virtually > impossible to make your files checksums match. Then either every archie server has to retrieve every file and run the checksum itself, or it has to believe the MD5 signature the FTP server tells it. The first option wastes too much bandwidth, the second one is too much fun for the bad-guy ftp admin. While it could be nice, I don't think this feature is practical at this time. From firewalls-owner Tue May 17 12:13:04 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA01911; Tue, 17 May 1994 12:13:04 GMT Received: from gatekeeper.ray.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id FAA01905; Tue, 17 May 1994 05:12:54 -0700 Received: from localhost (mailer@localhost) by gatekeeper.ray.com (8.6.4/8.6.5) id IAA19504 for ; Tue, 17 May 1994 08:13:02 -0400 Received: from rayssd.ssd.ray.com by gatekeeper.ray.com; Tue May 17 08:13:11 1994 Received: from fluke.ssd.ray.com (fluke.ssd.ray.com [138.125.192.34]) by rayssd.ssd.ray.com (8.6.5/8.6.5) with ESMTP id IAA22394 for ; Tue, 17 May 1994 08:12:40 -0400 Received: from localhost (dhb@localhost) by fluke.ssd.ray.com (8.6.4/8.6.4) id IAA27508 for firewalls@GreatCircle.COM; Tue, 17 May 1994 08:12:39 -0400 Message-Id: <199405171212.IAA27508@fluke.ssd.ray.com> From: dhb@ssd.ray.com (David H. Brierley) Date: Tue, 17 May 1994 08:12:39 -0400 X-Mailer: Mail User's Shell (7.2.5 10/14/92) To: firewalls@GreatCircle.COM Subject: Re: trojans on ftp sites Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk A few people have sent responses both to me and to this list about my message the other day.
Unfortunately, most of them seemed to misunderstand what I was trying to say. Let me try again. Assume I am a bad-guy hacker. I break into an ftp site somewhere, or perhaps I even am the official administrator of an ftp site. I decide I want to have some fun so I modify several popular packages on this site to have trojan horses or back doors or whatever other fun stuff I want. I know that when the archie servers collect information from me about what packages I have, they are also going to collect checksums for those files. Assuming the checksums are being generated by md5 or something better, I know that making my modified program produce the same checksum is very difficult. So, how do I solve this problem? Easy, I replace the md5 program with a modified version that *reports* the checksum that everybody else is expecting to see. Eventually this would break down because someone would download my copy and then attempt to generate a new checksum but it would not match. This is partially solvable by only having the modified program available for a week or so, then put the original back and go modify some other program. One person made the comment that because of these problems, the suggestion of having the archie servers collect and report checksum information is not workable. I don't think that this is necessarily the case. Despite what I said above about how you could put fake stuff on your server and then generate fake checksums, I think this suggestion could still prove useful. However, I would not recommend to anyone that they assume that the checksum listed by the archie server is correct. I would also not recommend that just because site A reports back the expected checksum that you assume the copy on site A is ok. If you query archie for a particular package and all of the entries found report back the same checksum then you should download the package from the closest/best ftp site and then run the checksum program against it to verify the checksum.
This means that everyone needs to have a trusted copy of the program that is used to generate the checksums but this is no different from having a virus scanner for your PC software (i.e. did you scan the virus scanner for viruses and if so, how did you do it?). -- David H. Brierley; Raytheon Company, Submarine Signal Directorate Work: dhb@ssd.ray.com Home: dave@galaxia.network23.com From firewalls-owner Tue May 17 14:42:10 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA02654; Tue, 17 May 1994 14:42:10 GMT Received: from grex.cyberspace.org by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id HAA02648; Tue, 17 May 1994 07:42:00 -0700 Received: by grex.cyberspace.org (Smail3.1.28.1 #4) id m0q3QMD-0001aXC; Tue, 17 May 94 10:42 EDT Message-Id: Date: Tue, 17 May 94 10:42 EDT From: thod@cyberspace.org (Patrick Killourhy) To: -s@cyberspace.org, Re:@cyberspace.org, firewalls@greatcircle.com, ftp@cyberspace.org, on@cyberspace.org, sites@cyberspace.org, trojans@cyberspace.org Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > I don't think that the files would vary in checksum all that much.. You have > to remember that unlike viruses (or virii, depending on which side of the > fence you sit :) ) trojans do not modify the file, or replicate or anything > like that.. So an infected file (ie someone altered it after production > to put in a backdoor et al) may or may not have a different checksum, but it > most probably will have a different file size.. If this is really an issue (And I would venture to say that this is slightly too paranoid), you could use any number of one-way hash algorithms. I'm sure the folks in sci.crypt would be more than happy to recommend one.
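The scenario David Brierley lays out above (a mirror whose doctored md5 program *reports* the digest everyone expects while serving a modified file) is easy to make concrete. The following is an added example, not code from the thread or from archie; the mirror host names and the two package contents are constructed, and the "index" is just a dictionary of what each mirror claims. It contrasts the wrong check (believing the reported digest) with the one Brierley recommends (download, then recompute the digest with a trusted local tool). MD5 is used only because it is what the thread discusses; its collision resistance is broken today and a practitioner would use SHA-256 or better in the same role.

```python
# Added example (not from the firewalls thread): an archie-style index that
# carries the checksum a mirror *reports* for a file, beside a client that
# refuses to trust that report and recomputes the digest over what it
# actually downloaded. Mirror names and file contents are constructed.
import hashlib
from collections import Counter

# Constructed package contents: the genuine archive and a backdoored copy.
ORIGINAL = b"#!/bin/sh\necho 'pkg 1.0 installer'\n"
TROJANED = ORIGINAL + b"# (extra line standing in for a backdoor)\n"


def md5hex(data: bytes) -> str:
    """Digest computed locally with a tool we trust (our own md5)."""
    return hashlib.md5(data).hexdigest()


# What each mirror serves, and what it *tells* the index the checksum is.
# Honest mirrors report the digest of what they serve; the bad one serves
# the trojaned file but reports the digest everyone expects, exactly the
# trick Brierley describes (a doctored md5 that prints the expected value).
MIRRORS = {
    "ftp.honest-a.example": (ORIGINAL, md5hex(ORIGINAL)),
    "ftp.honest-b.example": (ORIGINAL, md5hex(ORIGINAL)),
    "ftp.badguy.example":   (TROJANED, md5hex(ORIGINAL)),  # lies about its digest
}


def index_consensus(mirrors) -> str:
    """The checksum the index would show: the value most mirrors report."""
    reported = Counter(reported for _content, reported in mirrors.values())
    digest, _count = reported.most_common(1)[0]
    return digest


def trusting_check(mirrors) -> dict:
    """The wrong check: compare only what mirrors *report* to the consensus.
    Every mirror passes, including the one serving the trojaned file."""
    expected = index_consensus(mirrors)
    return {name: reported == expected
            for name, (_content, reported) in mirrors.items()}


def verifying_check(mirrors) -> dict:
    """The right check: fetch the bytes, then recompute the digest locally."""
    expected = index_consensus(mirrors)
    return {name: md5hex(content) == expected
            for name, (content, _reported) in mirrors.items()}


def pick_safe_mirror(mirrors):
    """First mirror whose served bytes match the consensus digest, or None."""
    for name, ok in verifying_check(mirrors).items():
        if ok:
            return name
    return None


if __name__ == "__main__":
    print("consensus digest :", index_consensus(MIRRORS))
    print("trusting the index:", trusting_check(MIRRORS))
    print("verifying locally :", verifying_check(MIRRORS))
    print("safe mirror       :", pick_safe_mirror(MIRRORS))
```

Two caveats a practitioner should keep in mind. First, the local md5 must itself be trusted, which is Brierley's "who scans the virus scanner" point. Second, cross-mirror agreement only catches a mirror that diverges from the others: if the origin site was trojaned before the mirrors copied it, every mirror reports and serves the same bad digest, and only a digest signed by the author's own key, as suggested later in this thread, would detect that.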
From firewalls-owner Tue May 17 15:23:39 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA02954; Tue, 17 May 1994 15:23:39 GMT Received: from firewall.meaddata.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id IAA02948; Tue, 17 May 1994 08:23:25 -0700 Received: from meaddata.com ([138.12.96.71]) by firewall.meaddata.com (4.1/SMI-4.1) id AA26536; Tue, 17 May 94 11:24:26 EDT Received: from plasma.meaddata.com by meaddata.com (4.1/SMI-4.1) id AA23289; Tue, 17 May 94 11:23:59 EDT Received: by plasma.meaddata.com (4.1/SMI-4.1) id AA22604; Tue, 17 May 94 11:23:56 EDT From: sdw@meaddata.com (Stephen Williams) Message-Id: <9405171523.AA22604@plasma.meaddata.com> Subject: Re: trojans on ftp sites To: Bernhard.Schneck@Physik.TU-Muenchen.DE Date: Tue, 17 May 1994 11:23:55 -0400 (EDT) Cc: cklaus@shadow.net, dhb@ssd.ray.com, firewalls@GreatCircle.COM In-Reply-To: <199405170901.AA00111@srv.cip.physik.tu-muenchen.de> from "Bernhard.Schneck@Physik.TU-Muenchen.DE" at May 17, 94 11:01:44 am X-Mailer: ELM [version 2.4 PL20] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1327 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > > In message <199405161517.LAA28084@shadow.net> you write: > > That is why we would use md5 or stronger checksum. It should be virtually > > impossible to make your files checksums match. > > Then either every archie server has to retrieve every file and run the > checksum itself, or it has to believe the MD5 signature the FTP server > tells it. The first option wastes too much bandwidth, the second one is > too much fun for the bad-guy ftp admin. > > While it could be nice, I don't think this feature is practical at this > time. Sounds like we could use some cross-pollination from the Cypherpunks list. The simple solution to this is to digitally sign all binaries with the private key of the author/publishing entity.
All receivers could then use the public key to check the signature and be sure the binary wasn't modified. PGP has this stuff builtin... sdw -- Stephen D. Williams Local Internet Gateway Co.; SDW Systems 513 496-5223APager LIG dev./sales Internet: sdw@lig.net OO R&D Source Dist. By Horse: 2464 Rosina Dr., Miamisburg, OH 45342-6430 Comm. Consulting ICBM: 39 34N 85 15W I love it when a plan comes together Newbie Notice: (Surfer's know the score...) I speak for LIGCo., CCI, myself, and no one else, regardless of where it is convenient to post from or thru. From firewalls-owner Tue May 17 16:27:05 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA03388; Tue, 17 May 1994 16:27:05 GMT Received: from welch.ncd.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA03371; Tue, 17 May 1994 09:26:54 -0700 Received: from bryant.ncd.com (mfrost@bryant.ncd.com [192.43.159.209]) by welch.ncd.com (8.6.8.1/8.6.6) with ESMTP id JAA14301 for ; Tue, 17 May 1994 09:28:03 -0700 Received: (mfrost@localhost) by bryant.ncd.com (8.6.8.1/8.6.5.Beta11) id JAA11941 for firewalls@greatcircle.com; Tue, 17 May 1994 09:27:57 -0700 From: "Mark Frost" Message-Id: <9405170927.ZM11939@bryant.ncd.com> Date: Tue, 17 May 1994 09:27:56 -0700 X-Mailer: Z-Mail (3.0.1 23feb94) To: firewalls@greatcircle.com Subject: how to automatically put files on external ftp server Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk We're trying to set up an anonymous ftp archive. We use a "screened subnet" approach as defined in the firewall toolkit docs for our internet gateway. The ftp server sits on the screened subnet and can only talk with one host internally that is moderately secure. There are numerous organizations inside the company who want/need to put data on the ftp server. 
I don't want to have to make accounts for them on the ftp server, but yet I'm not sure how to get file trees out there automatically either. I'm currently trying to use USC's rdist (more like a smart rsh - doesn't require root privs), but this scheme means that I have to copy the data to the intermediate internal host (the only one that can talk to the ftp server) and then from there to the external ftp server. My problem with this is that I have to have equal amounts of disk space on this intermediate machine which just temporarily holds the data. Might there be a way (short of me spending all of my time running to the machine with a tape every few minutes) that I can copy the data out in a secure fashion? Thanks -mark frost network computing devices From firewalls-owner Tue May 17 17:31:43 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA03786; Tue, 17 May 1994 17:31:43 GMT Received: from eurogate.bnr.co.uk by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA03768; Tue, 17 May 1994 10:31:30 -0700 Received: from bnr.co.uk by eurogate.bnr.co.uk with SMTP (PP) id <14878-0@eurogate.bnr.co.uk>; Tue, 17 May 1994 18:24:31 +0100 Received: from bhars452.bnr.co.uk by hedera.bnr.co.uk with SMTP (PP); Tue, 17 May 1994 18:24:27 +0100 To: Mark Frost cc: firewalls@GreatCircle.COM Subject: Re: how to automatically put files on external ftp server In-reply-to: Message from Mark Frost on Tue, 17 May 94 09:27:56 -0800. Organisation: Information Networks, Northern Telecom, c/o BNR Europe, London Road, HARLOW, Essex CM17 9NA, GB Phone: +44 279 402423 (fax; +44 279 403030) Date: Tue, 17 May 94 18:24:25 +0100 Message-ID: <18522.769195465@bhars452.bnr.co.uk> From: Andrew Macpherson Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Mark Frost wrote: | Might there be a way (short of me spending all of my time running to the | machine with a tape every few minutes) that I can copy the data out in a | secure fashion? 
consider using mirror to pull the trees to the intermediate machine, push them to the public system, local delete cyclicly. Alternatively (shock-horror) use NFS to provide a writable ftp area when seen from the inside mounted on your internal machine, and a different ftp uid/gid when run on the external host. From firewalls-owner Tue May 17 17:59:27 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA04035; Tue, 17 May 1994 17:59:27 GMT Received: from gatekeeper.nsc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA04029; Tue, 17 May 1994 10:59:19 -0700 Received: from nsc.nsc.com by gatekeeper.nsc.com (5.65/fma-120691) with SMTP; id AA13539 for firewalls@greatcircle.com; Tue, 17 May 94 11:00:25 -0700 Received: from mirage.nsc.com by nsc.nsc.com (5.65/1.34) with SMTP id AA28206 for firewalls@greatcircle.com; Tue, 17 May 94 11:00:24 -0700 Received: from jedi.nsc.com by mirage.nsc.com (4.1/SMI-4.1) id AA05771; Tue, 17 May 94 10:59:46 PDT Date: Tue, 17 May 94 10:59:46 PDT From: arielf@mirage.nsc.com (Ariel Faigon) Message-Id: <9405171759.AA05771@mirage.nsc.com> To: firewalls@greatcircle.com Subject: Re: trojans on ftp sites Cc: dhb@ssd.ray.com Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk David H. Brierley wrote: > > Easy, I replace the md5 program with a modified version that *reports* > the checksum that everybody else is expecting to see. Eventually this > would break down because someone would download my copy and then > attempt to generate a new checksum but it would not match. This is > partially solvable by only having the modified program available for a > week or so, then put the original back and go modify some other > program. A clean solution to the problem described would be to use 4.4BSD and make the md5 program "immutable". If this has anything to do with firewalls, it is that 4.4BSD machines make more secure systems and that includes firewalls.
I believe that the immutability kernel concept will become more and more popular with time. Best regards, Ariel Faigon From firewalls-owner Tue May 17 18:02:46 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id SAA04080; Tue, 17 May 1994 18:02:46 GMT Received: from welch.ncd.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id LAA04074; Tue, 17 May 1994 11:02:38 -0700 Received: from bryant.ncd.com (mfrost@bryant.ncd.com [192.43.159.209]) by welch.ncd.com (8.6.8.1/8.6.6) with ESMTP id LAA20252; Tue, 17 May 1994 11:03:46 -0700 Received: (mfrost@localhost) by bryant.ncd.com (8.6.8.1/8.6.5.Beta11) id LAA19222; Tue, 17 May 1994 11:03:44 -0700 From: "Mark Frost" Message-Id: <9405171103.ZM19220@bryant.ncd.com> Date: Tue, 17 May 1994 11:03:43 -0700 In-Reply-To: Andrew Macpherson "Re: how to automatically put files on external ftp server" (May 17, 10:54) References: <18522.769195465@bhars452.bnr.co.uk> X-Mailer: Z-Mail (3.0.1 23feb94) To: Andrew Macpherson , Mark Frost Subject: Re: how to automatically put files on external ftp server Cc: firewalls@GreatCircle.COM Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk On May 17, 10:54, Andrew Macpherson wrote: > Subject: Re: how to automatically put files on external ftp server > > Mark Frost wrote: > > | Might there be a way (short of me spending all of my time running to the | machine with a tape every few minutes) that I can copy the data out in a | secure fashion? > > consider using mirror to pull the trees to the intermediate machine, push them > to the public system, local delete cyclicly. > > Alternatively (shock-horror) use NFS to provide a writable ftp area when seen > from the inside mounted on your internal machine, and a different ftp uid/gid > when run on the external host.
>-- End of excerpt from Andrew Macpherson My problem isn't really how to get the files onto the intermediate machine and vice versa, it's more that I don't want to have the files sit on the intermediate machine. It's going to be kind of strange to have to justify say, a 2gb disk on this internal machine that no one uses just so it can match the needed 2gb on the external machine. "Because it's more secure" is the only justification I can think of, and if there's an easier way that may only be slightly less secure, then that would be better for us. I don't really like the idea of using nfs to the external machine (our screening routers don't currently like it either :-) ), however I was thinking that maybe doing nfs mounts on the internal "intermediate-hop" machine (the only machine internally that can reach the ftp server) where I can do rdists from might be ok. Thanks -mark frost network computing devices From firewalls-owner Tue May 17 18:46:32 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id SAA04507; Tue, 17 May 1994 18:46:32 GMT Received: from CITB.CITADEL.EDU by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id LAA04494; Tue, 17 May 1994 11:46:21 -0700 Received: from citadel.edu by citadel.edu (PMDF V4.2-11 #4957) id <01HCG6REKLZK8WW0UT@citadel.edu>; Tue, 17 May 1994 14:47:42 EDT Date: Tue, 17 May 1994 14:47:42 -0400 (EDT) From: "George C. Russ: 803-953-6817" Subject: How secure is Vax VMS Sites as opposed to Unix Sites...... To: Firewalls@GreatCircle.COM Message-id: <01HCG6REM7V68WW0UT@citadel.edu> X-VMS-To: IN%"Firewalls@GreatCircle.COM" MIME-version: 1.0 Content-type: TEXT/PLAIN; CHARSET=US-ASCII Content-transfer-encoding: 7BIT Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk In regard to Firewall issues. // George C. 
Russ 803-953-6817 (FAX 953-2212) Network Services Manager Internet:russg@citadel.edu The Citadel, Charleston SC 29409 BITNET:russg@citadel ** GO 'NOLES ** From firewalls-owner Tue May 17 19:27:47 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA04868; Tue, 17 May 1994 19:27:47 GMT Received: from gatekeeper.open.ch by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA04862; Tue, 17 May 1994 12:27:31 -0700 Received: (from mail@localhost) by gatekeeper.open.ch (8.6.8/8.6.6) id VAA04826 for ; Tue, 17 May 1994 21:27:56 +0200 Received: from pizza.open.ch(192.94.233.11) by gatekeeper via smap (V1.3mjr) id sma009944; Tue May 17 21:27:30 1994 Received: from slice.open.ch (slice [192.94.233.12]) by pizza (8.6.8/8.6.6) with SMTP id VAA01699 for ; Tue, 17 May 1994 21:27:28 +0200 From: Goetz von Escher Message-Id: <199405171927.VAA01699@pizza> Received: by slice.open.ch (NX5.67d/NX3.0X) id AA02276; Tue, 17 May 94 21:27:23 +0200 Subject: SUMMARY: NTP and firewalls To: firewalls@greatcircle.com Date: Tue, 17 May 1994 21:27:22 +0200 (MET DST) X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 3413 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk 1. Losing The Link ------------------- The common opinion seems to be: it's not that bad to lose external synchronization as long as your internal timeservers keep synchronized. But make sure your internal network has something to synchronize to: > A server that is not in sync sets its stratum to 16 (infinity). > Other servers will no longer synchronize to it. Quite a few sites achieve this by running NTP on the firewall itself. > The firewall is also setup to synchronize to its system clock at a > lower stratum (numerically higher) than the outside source. When > it loses connectivity, the firewall (and the internal clients) > keep a common synchronisation (although it may drift from the "real" > time).
[This is done by having a line that says: > server 127.127.1.X > Where X is the stratum you want the local clock to run at. X should > be a numerically higher stratum than the outside source.] The other (obvious) possibility is to install a local stratum1 clock: > GPS clocks are pretty cheap, and you should also be able to get > a good DCF77 signal. I would suggest that you invest in at least > one clock, have your stratum-1 server peer with a couple of outside > ones as a sanity check, and also have your stratum-2 servers peer > with (different) outside servers as well as your internal one, > again for a sanity check. 2. The Delay Problem -------------------- When forcing NTP through a program on the firewall host (eg through plug-gw of the TIS firewall toolkit) or when connecting to the Internet through a slow link you can have unpredictable delays. > Another point to consider is (in our case at least) that often > firewalls are at the end of a relatively slow link, with often > quite asymmetrical propagation delays. This limits the quality > of the synchronisation. > ...or (2) have one of your machines use a different (non-IP > network) method to obtain the time from an atomic clock (ie. via > a serial line, modem dialup or radio frequency broadcast). 3. NTP security --------------- Regarding NTP security it seems like people are unusually confident about the security of the NTP protocol. Nobody mentioned a breakin and some even said: the WORST thing that can happen is your clocks getting out of sync. > I know of no problems with NTP. Somehow I just have a warm fuzzy > feeling about it :-) That's more than can be said for some of the other > software that our firewall runs (like sendmail). > There's a paper by Matt Bishop on ntp security; you can pick it up > from louie.udel.edu:/pub/ntp/doc/bishop.ps.Z.
The risk, even in > the worst case, is only to your time setting; however, if you use a > time-based authentication scheme (SecureID, Kerberos, etc.), that For their answers I'd like to thank: Steven Bellovin Neil Readwin Adrian Ho George Ross David H. Wolfskill H Morrow Long Brian Utterback Marc P. Rinfret -- Goetz von Escher email: Goetz.von-Escher@Open.CH Open Systems AG voice: +41 (61) 262-0505 Basel, Switzerland FAX: +41 (61) 262-0510 From firewalls-owner Tue May 17 19:32:32 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA04908; Tue, 17 May 1994 19:32:32 GMT Received: from jpmorgan by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA04902; Tue, 17 May 1994 12:32:18 -0700 From: cyerkes@jpmorgan.com Received: by jpmorgan (8.6.4/fma-120691.2); id PAA18714; Tue, 17 May 1994 15:33:16 -0400 Received: by tcpg01a.ny.jpmorgan.com (8.6.4/fma-120691); id PAA26980; Tue, 17 May 1994 15:33:15 -0400 Received: from delacroix.lsi.ny.jpmorgan.com by athena1.lsi.ny.jpmorgan.com with SMTP id PAA09245; Tue, 17 May 1994 15:33:15 -0400 Received: by delacroix.lsi.ny.jpmorgan.com (4.1/4.7) id AA01856; Tue, 17 May 94 15:33:14 EDT Date: Tue, 17 May 94 15:33:14 EDT Message-Id: <9405171933.AA01856@delacroix.lsi.ny.jpmorgan.com> To: Firewalls@GreatCircle.COM, RUSSG@Citadel.edu Subject: Re: How secure is Vax VMS Sites as opposed to Unix Sites...... Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Exceedingly secure. Most Large Banks use VMS. Partly because it's TCP is turned ON one port at a time, rather than being an actual part of the OS. A Good Unix person can make a Unix Box (like a DECStation) secure, though. 
From firewalls-owner Tue May 17 19:51:07 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA05062; Tue, 17 May 1994 19:51:07 GMT Received: from tadpole by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA05056; Tue, 17 May 1994 12:51:00 -0700 Received: from ribit.tadpole.com by tadpole (4.1/SMI-4.1-jim) id AA17387; Tue, 17 May 94 14:51:33 CDT Date: Tue, 17 May 94 14:51:33 CDT From: jim@Tadpole.COM (Jim Thompson) Message-Id: <9405171951.AA17387@tadpole> To: Firewalls@GreatCircle.COM, RUSSG@Citadel.edu, cyerkes@jpmorgan.com Subject: Re: How secure is Vax VMS Sites as opposed to Unix Sites...... Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > Exceedingly secure. Not. From firewalls-owner Tue May 17 13:49:29 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA05243; Tue, 17 May 1994 20:25:56 GMT Received: from george.arc.nasa.gov by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA05237; Tue, 17 May 1994 13:25:10 -0700 Received: from localhost.arc.nasa.gov by george.arc.nasa.gov (8.6.8/1.35) id NAA24982; Tue, 17 May 1994 13:25:48 -0700 Message-Id: <199405172025.NAA24982@george.arc.nasa.gov> To: firewalls@greatcircle.com Subject: PROBLEMS porting xforward to HP-UX 9 Date: Tue, 17 May 1994 13:25:47 -0700 From: "Rob Tanner" Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk FIREWALLS ARE A REAL EDUCATION!!! I'm trying to port xforward (from DEC CRL) to hp-ux. I seem to have fixed just about everything until I get down to one unsatisfied symbol (a function call) that I can't identify: getdtablesize. I presume that's an Ultrix library routine. Does anyone know what I need to change it to? It returns an INT value, is there a particular value I can just plug in? (That option sounds dangerous however) Any help would be greatly appreciated, and if anyone knows of an HP security archive, I'd love to know about that too.
Thanks, Rob _ _ _ _ _ _ _ _ _ _ /\_\_\_\_\ /\_\ /\_\_\_\_\_\ /\/_/_/_/_/ /\/_/ \/_/_/_/_/_/ Robert J. Tanner /\/_/__\/_/ __ /\/_/ /\/_/ Ames Research Center /\/_/_/_/_/ /\_\ /\/_/ /\/_/ (415) 604-3451 (SETI) /\/_/ \/_/ /\/_/_/\/_/ /\/_/ (415) 604-5347 (Kuiper) \/_/ \/_/ \/_/_/_/_/ \/_/ tanner@george.arc.nasa.gov ____________________________________________________________________ From firewalls-owner Tue May 17 20:59:04 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA05509; Tue, 17 May 1994 20:59:04 GMT Received: from acasun.eckerd.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA05503; Tue, 17 May 1994 13:58:42 -0700 Received: by acasun.eckerd.edu (5.0/SMI-SVR4) id AA11456; Tue, 17 May 1994 16:56:10 +0500 From: pfalzgmh@eckerd.edu (Marisa H. Pfalzgraf) Message-Id: <9405172056.AA11456@acasun.eckerd.edu> Subject: Advice on Firewall Politics To: firewalls@GreatCircle.COM Date: Tue, 17 May 1994 16:56:09 -0400 (EDT) X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 1406 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk I'm from a small liberal arts college and I am trying to fight a political battle with a few faculty to implement a firewall at our site. The computer science faculty at our college believe that security is only a hindrance and that a firewall will hamper their "academic freedom". Of those other schools out there that have addressed this same issue, how did you compromise? (Or were you able to overrule or convince the faculty?) Our situation is a little different from most, where both administrative and academic computing for the campus are supported by the same department. We have looked at various scenarios and besides barricading the administrative machine alone behind the firewall (which would severely limit present access) or disconnecting the administrative machine entirely from the network (worse still!) it is an all or nothing situation.
I would greatly appreciate any words of wisdom and recommendations out there. -------------------------------------------------------------------------- EEEE CCCCC Marisa Pfalzgraf pfalzgmh@eckerd.edu EE CC Assistant Director, Computer Center EEEEE CC Eckerd College, St. Petersburg, Florida EE CC EEEE CCCCC If everything is coming your way, you're probably in the wrong lane. -------------------------------------------------------------------------- From firewalls-owner Tue May 17 14:19:29 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA05407; Tue, 17 May 1994 20:50:52 GMT Received: from bwh.harvard.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA05399; Tue, 17 May 1994 13:49:50 -0700 Received: from arthur.bwh.harvard.edu (arthur.bwh.harvard.edu [134.174.81.48]) by bwh.harvard.edu (8.6.9/8.6.9) with ESMTP id QAA12039; Tue, 17 May 1994 16:49:50 -0400 From: Adam Shostack Received: from localhost (adam@localhost) by arthur.bwh.harvard.edu (8.6.4/8.6.4) id QAA28637; Tue, 17 May 1994 16:50:11 -0400 Message-Id: <199405172050.QAA28637@arthur.bwh.harvard.edu> Subject: Re: How secure is Vax VMS Sites as opposed to Unix Sites...... To: cyerkes@jpmorgan.com Date: Tue, 17 May 94 16:50:10 EDT Cc: firewalls@greatcircle.com In-Reply-To: <9405171933.AA01856@delacroix.lsi.ny.jpmorgan.com>; from "cyerkes@jpmorgan.com" at May 17, 94 3:33 pm Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk No commercial OS in and of itself is secure; some ship highly insecurely out of the box by having things like service accounts set up by default. Any OS should be examined by a guru for security considerations. Many UNIX versions have shipped badly secured; many are examined in great detail for security bugs. That does not make them inherently more or less secure, it makes their security bugs better known. In some cases, having your bugs better known makes well maintained machines more secure.
In my experience, many people believe that VMS is magically 'secure;'
this leads them to administrate it poorly, and make it insecure. In
contrast, management tends to think UNIX is 'insecure' and devote more
resources to securing it.

Asking which is better, UNIX or VMS, is the wrong question. What you
need to do is ask which of these machines, in the environment we will
drop them into, will be easier to secure while meeting our business
goals? Which of these machines makes it easier to implement our
corporate security policies? Which of these machines do we have the
in-house experience to maintain in a secure & usable way?

Adam
--
Adam Shostack                                    adam@bwh.harvard.edu
Politics. From the Greek "poly," meaning many, and ticks, a small,
annoying bloodsucker.

From firewalls-owner Tue May 17 21:34:39 1994
From: Icarus Sparry
Message-ID: <9405172235.aa06338@uk.ac.bath.ss1>
To: Rob Tanner
Cc: firewalls@greatcircle.com
Subject: Re: PROBLEMS porting xforward to HP-UX 9
In-reply-to: Your message of "Tue, 17 May 1994 13:25:47 PDT." <199405172025.NAA24982@george.arc.nasa.gov>
Date: Tue, 17 May 1994 22:35:28 +0100

>I'm trying to port xforward (from DEC CRL) to hp-ux.  I seem to have
>fixed just about everything until I get down to one unsatisfied symbol
>(a function call) that I can't identify: getdtablesize.  I presume
>that's an Ultrix library routine.  Does anyone know what I need to
>change it to?  It returns an INT value, is there a particular value I
>can just plug in?
>(That option sounds dangerous however)

getdtablesize returns the number of open files you can have. The
following may work on your system as a replacement.

    #include <sys/time.h>
    #include <sys/resource.h>

    int
    getdtablesize()
    {
        struct rlimit limit;

        /* soft limit on open descriptors for this process */
        getrlimit(RLIMIT_NOFILE, &limit);
        return (int)limit.rlim_cur;
    }

If not, you need to have a look at the code, and see how it is being
used. If it is being used in a loop to close file descriptors, then a
number such as 256 may well be suitable. If it is being used to see if
it is able to open another connection, then a small number such as 20
would be in order. But I would check to see if my replacement function
works, as it is better to be accurate.

Icarus

From firewalls-owner Tue May 17 21:42:58 1994
From: doug@seas.smu.edu (Doug Davis)
Subject: Re: PROBLEMS porting xforward to HP-UX 9
To: tanner@george.arc.nasa.gov (Rob Tanner)
Date: Tue, 17 May 1994 16:43:44 -0500 (CDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199405172025.NAA24982@george.arc.nasa.gov> from "Rob Tanner" at May 17, 94 01:25:47 pm

plug in the value that is _NFILE in your stdio.h and you will be okay.

From ultrix:

getdtablesize(2)

Name
     getdtablesize - get descriptor table size

Syntax
     nds = getdtablesize()
     int nds;

Description
     Each process has a fixed size descriptor table that is guaranteed
     to have at least 64 slots.
     The entries in the descriptor table are numbered with small
     integers starting at 0. The getdtablesize call returns the size
     of this table.

See Also
     close(2), dup(2), open(2)

From firewalls-owner Tue May 17 22:03:56 1994
From: tom@pserv1.dot.state.az.us (Tom Brink)
Message-Id: <199405172203.AA01571@pserv1.dot.state.az.us>
Subject: Advice on Firewall Politics (fwd)
To: firewalls@greatcircle.com (Firewalls Mailing List)
Date: Tue, 17 May 94 15:03:49 MST
Reply-To: tom@pserv1.dot.state.az.us
Organization: Arizona Department of Transportation

Marisa H. Pfalzgraf writes:
> I'm from a small liberal arts college and I am trying to fight a political
> battle with a few faculty to implement a firewall at our site.  The
> computer science faculty at our college believe that security is only a
> hindrance and that a firewall will hamper their "academic freedom".
...much deleted

I would think the real question is, how much 'data/information' are
you willing to lose? Is the threat coming from outside or inside your
net? What kind of a firewall did you have in mind? I know, questions,
questions.

Perhaps a simple firewall consisting of a router that blocks packets
coming from the threat would be appropriate?
--
Tom Brink
Technical Support Specialist
Arizona Department of Transportation
tom@dot.state.az.us

From firewalls-owner Tue May 17 23:07:45 1994
From: Andrew Macpherson
Message-Id: <18522.769195465@bhars452.bnr.co.uk>
To: Mark Frost
Cc: firewalls@greatcircle.com
Subject: Re: how to automatically put files on external ftp server
In-Reply-To: Message from Mark Frost on Tue, 17 May 94 09:27:56 -0800.
Organisation: Information Networks, Northern Telecom, c/o BNR Europe, London Road, HARLOW, Essex CM17 9NA, GB
Phone: +44 279 402423 (fax; +44 279 403030)
Date: Tue, 17 May 94 18:24:25 +0100

Mark Frost wrote:
| Might there be a way (short of me spending all of my time running to the
| machine with a tape every few minutes) that I can copy the data out in a
| secure fashion?

Consider using mirror to pull the trees to the intermediate machine,
push them to the public system, local delete cyclically.
Alternatively (shock-horror) use NFS to provide a writable ftp area
when seen from the inside mounted on your internal machine, and a
different ftp uid/gid when run on the external host.
From firewalls-owner Tue May 17 16:35:33 1994
From: greep@datatools.com (Steven Tepper)
Message-Id: <199405172237.PAA06208@mycroft.GreatCircle.COM>
Date: Tue, 17 May 94 15:39:17 PDT
To: "Rob Tanner", firewalls@GreatCircle.COM
Subject: Re: PROBLEMS porting xforward to HP-UX 9

> getdtablesize(){
>     struct rlimit limit;
>     getrlimit(RLIMIT_NOFILE,&limit);
>     return limit.rlim_cur;
> }

Or you can use sysconf():

    #include <unistd.h>

    int
    getdtablesize()
    {
        /* POSIX: maximum number of open files per process */
        return sysconf(_SC_OPEN_MAX);
    }

From firewalls-owner Tue May 17 17:19:34 1994
From: "Mark R. Ludwig"
Message-Id: <9405172324.AA27323@hp.uai.com>
To: Rob Tanner
Cc: firewalls@greatcircle.com
Subject: Re: PROBLEMS porting xforward to HP-UX 9
Date: Tue, 17 May 1994 16:24:04 -0700

|> I'm trying to port xforward (from DEC CRL) to hp-ux.  I seem to have
|> fixed just about everything until I get down to one unsatisfied symbol
|> (a function call) that I can't identify: getdtablesize.  I presume
|> that's an Ultrix library routine.
|> Does anyone know what I need to
|> change it to?  It returns an INT value, is there a particular value I
|> can just plug in?  (That option sounds dangerous however)

Enough speculation. I confess to also sitting in front of an HP box.

Newsgroups: comp.sys.hp
From: system@alchemy.chem.utoronto.ca (System Admin (Mike Peterson))
Subject: BSD to HP-UX porting tricks (LONG) (last updated: 01-Nov-1993)
Date: Wed, 1 Dec 1993 06:00:05 GMT
Organization: University of Toronto Chemistry Department

getdtablesize:
--------------

    /*
     * getdtablesize ()
     *
     * Returns the maximum number of file descriptors allowed.
     */
    #include <unistd.h>

    int
    getdtablesize ()
    {
        return(sysconf(_SC_OPEN_MAX));
    }

--
INET: Mark-Ludwig@UAI.COM   NIC: ML255   ICBM: USA; Lower Left Coast
"Cigarettes ... are not a drug." -- Tom Lorea from the Tobacco Institute

From firewalls-owner Tue May 17 17:49:27 1994
From: cyerkes@jpmorgan.com
Date: Tue, 17 May 94 18:40:34 EDT
Message-Id: <9405172240.AA02148@delacroix.lsi.ny.jpmorgan.com>
To: firewalls@greatcircle.com
Subject: VMS as FireWall

Firewallers,

Ok, I blasted off a quick message. Too quick. Let me qualify.

In my experience, a well configured VMS machine can be made VERY
secure by an experienced SA. One can ALSO make a well configured Unix
Machine secure.
I am not remotely saying that a machine set up by an inexperienced
user or not set up at all is going to work. THAT can be a problem.

Yes, I can break into Vaxen or Unix boxes without much trouble. It
helps as an SA. This is usually because of inexperienced SA's, or
known holes in the OS. This is why we have firewalls - to keep
Internet people from breaking in.

However, with Unix, you want to modify the kernel so that the packets
can be analyzed WITH INFORMATION REGARDING WHICH PORT IT CAME FROM.
You want to be able to give SOME privileges to users, but not all
(ie. nobody except a console logged in SA gets "Set-priv"). You want
to be sure that it's not possible to crash the kernel and get in. I
have experienced many kernel bugs on popular machines.

I have found that VMS is less hackable by coming through sendmail or
finger or DNS spoofing or grabbing Joe Jr Operator's password. I can
take a combination of a router and a solidly patched Unix box and add
some tools to it (screend, and an interface aware packet filter) and
some socket wrappers, and disable everything I don't explicitly want
and have a Good Firewall.

However, I stand by what I say, VMS can be very secure and a number of
Large Banks use these - they also have VMS experts who administer
them.

Given a choice, I'd set up a Unix box, and edit the kernel and
appropriate files and audit changes to those files and watch every bit
of unusual activity (like a login or ftp) and turn off certain mailers
(like the prog mailer), and use one-time passwords for logins, and so
on, and on, and on.

Chuck Yerkes
consultant
---------------------------
The opinions and diatribes rendered here do not reflect the views of
my employers.
From firewalls-owner Tue May 17 23:49:27 1994
From: Marcus J Ranum
Date: Tue, 17 May 94 23:23:07 EDT
Message-Id: <9405180323.AA21862@tis.com>
To: firewalls@GreatCircle.COM, pfalzgmh@eckerd.edu
Subject: Re: Advice on Firewall Politics

>I'm from a small liberal arts college and I am trying to fight a political
>battle with a few faculty to implement a firewall at our site.  The
>computer science faculty at our college believe that security is only a
>hindrance and that a firewall will hamper their "academic freedom".

The easy answer is to request them all to sign a memo of understanding
that they are responsible for damage or loss to the systems, will be
billed for maintenance time related to security incidents, and that
they're responsible for any other security related incidents that may
pose a liability to the college [e.g.: warez dumps, cracker bases,
child porno, etc]

If they sign it, you're off the hook. :)

mjr.
From firewalls-owner Wed May 18 00:14:53 1994
From: jwright@cfht.hawaii.edu (Jim Wright)
Message-Id: <199405180301.AA23716@uwila.cfht.hawaii.edu>
Date: Tue, 17 May 1994 17:01:01 -1000
To: Firewalls@greatcircle.com
Subject: Re: PROBLEMS porting xforward to HP-UX 9

> From: "Rob Tanner"
> (a function call) that I can't identify: getdtablesize.

> From: Icarus Sparry
> #include <sys/time.h>
> #include <sys/resource.h>
> getdtablesize(){
>     struct rlimit limit;
>     getrlimit(RLIMIT_NOFILE,&limit);
>     return limit.rlim_cur;
> }

> From: doug@seas.smu.edu (Doug Davis)
> plug in the value that is _NFILE in your stdio.h and you will be okay.

I believe the correct answer (for HP-UX, as requested) is

    /*
     * getdtablesize ()
     *
     * Returns the maximum number of file descriptors allowed.
     */
    #include <unistd.h>

    int
    getdtablesize ()
    {
        return(sysconf(_SC_OPEN_MAX));
    }

From firewalls-owner Wed May 18 00:19:30 1994
From: Marcus J Ranum
Date: Tue, 17 May 94 23:08:50 EDT
Message-Id: <9405180308.AA21684@tis.com>
To: firewalls@GreatCircle.COM, mfrost@ncd.com
Subject: Re: how to automatically put files on external ftp server

>There are numerous organizations inside the company who want/need to put
>data on the ftp server.  I don't want to have to make accounts for them on
>the ftp server, but yet I'm not sure how to get file trees out there
>automatically either.

Using FTP mirroring is one approach that is pretty simple and fairly
reliable. Just have an "anonymous" FTP area on the inside machine that
everyone who is permitted to can manage. Then have the firewall mirror
the area automatically.

Another option is to use NFS, but that's a little uglier since it
means the firewall machine now needs to be running portmapper and all
that stuff. I believe that this can be done securely with a little
care and a lot of attention to detail, but the FTP approach is more
"bulletproof". The disadvantage of the FTP approach is that you waste
a lot of disk space and your files don't get updated "instantly" and
transparently. The advantage is you don't have to worry about some
weird NFS hole nailing you.

mjr.
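The getdtablesize() replacements offered in the xforward thread above (getrlimit, sysconf, a fixed constant) combined into one guarded function, together with the descriptor-closing loop Icarus mentions as its usual caller. This is an added example, not code from the thread's authors or from xforward; the names xf_dtablesize, xf_close_from, xf_fd_is_open, xf_selftest and XF_DEFAULT_DTABLE are invented here.

```c
/*
 * Added example (not from the thread or from xforward). Portable
 * descriptor-table size plus the close-everything-above loop that a
 * forking proxy runs so children never inherit sockets or files they
 * were not meant to see. All xf_* names are this example's own.
 */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/time.h>
#include <unistd.h>

/* Fallback when neither sysconf nor getrlimit gives a usable answer. */
#define XF_DEFAULT_DTABLE 256

/*
 * Size of the descriptor table: one more than the largest usable fd.
 *
 * sysconf(_SC_OPEN_MAX) may return -1 when the limit is indeterminate;
 * getrlimit(RLIMIT_NOFILE) may report RLIM_INFINITY, which is useless
 * as a loop bound. Either way we fall back to a fixed, generous value
 * rather than returning something a caller cannot loop over.
 */
int
xf_dtablesize(void)
{
    long n = sysconf(_SC_OPEN_MAX);
    struct rlimit rl;

    if (n > 0 && n <= INT_MAX)
        return (int)n;

    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 &&
        rl.rlim_cur != RLIM_INFINITY && rl.rlim_cur > 0 &&
        rl.rlim_cur <= INT_MAX)
        return (int)rl.rlim_cur;

    return XF_DEFAULT_DTABLE;
}

/*
 * Close every descriptor numbered lowfd and above. Returns how many
 * were actually open; slots that were already empty (EBADF) are
 * simply skipped.
 */
int
xf_close_from(int lowfd)
{
    int n = xf_dtablesize(), closed = 0;
    int fd = lowfd < 0 ? 0 : lowfd;

    for (; fd < n; fd++) {
        if (close(fd) == 0)
            closed++;
    }
    return closed;
}

/* True if fd currently refers to an open file. */
int
xf_fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1 || errno != EBADF;
}

/*
 * Self-check: open two descriptors, close from the first one upwards
 * (so only descriptors this function created are affected) and verify
 * both are gone. Returns 1 on success, 0 on failure.
 */
int
xf_selftest(void)
{
    int a = open("/dev/null", O_RDONLY);
    int b;

    if (a < 0)
        return 0;
    b = dup(a);
    if (b < 0)
        return 0;
    if (!xf_fd_is_open(a) || !xf_fd_is_open(b))
        return 0;
    if (xf_close_from(a) < 2)
        return 0;
    return (!xf_fd_is_open(a) && !xf_fd_is_open(b)) ? 1 : 0;
}

int
main(void)
{
    printf("descriptor table size: %d\n", xf_dtablesize());
    printf("self-test: %s\n", xf_selftest() ? "ok" : "FAILED");
    return 0;
}
```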
From firewalls-owner Wed May 18 00:42:48 1994
From: Marcus J Ranum
Date: Tue, 17 May 94 23:20:13 EDT
Message-Id: <9405180320.AA21828@tis.com>
To: Firewalls@GreatCircle.COM, RUSSG@Citadel.edu, cyerkes@jpmorgan.com, jim@Tadpole.COM
Subject: Re: How secure is Vax VMS Sites as opposed to Unix Sites......

>> Exceedingly secure.
>
>Not.

Yucks and witticisms aside, let me make a few observations:

1) What is "secure" ??
----------------------

It's meaningless to say, "is XYZ more secure than PDQ for a MYR?"
unless you talk a little more specifically about what you're trying to
*do*, how much you have at *risk*, what you are trying to protect
*against*, and how badly it will *hurt* you if your defenses fail. If
you ask a meaningless question, you will get meaningless answers [see
above]: such is USENET, and the firewalls mailing list sounds more
like an extension of USENET all the time.

"Secure" is a meaningless word when used without context.
---------------------------------------------------------

2) What do you know??
---------------------

If someone asks me to set up a firewall on a PDP-11 running RSX, can I
set it up so that I have a prayer of accomplishing my goals? That
depends on whether I know anything about RSX, doesn't it? I am VMS
illiterate. So any firewall I build on VMS is not likely to be as high
quality as one I build on UNIX.
I'm a little familiar with routers -- some routers -- so I'm more
likely to be able to accomplish a security target if I build my
firewall with routers. I'm really fairly skilled with UNIX by now, so
my chances of knowing how to set up a firewall on a UNIX box are
pretty good.

Which should I use?

The answer is "UNIX is more secure when configured by a UNIX guru than
VMS is when configured by a UNIX guru." And "VMS is more secure when
configured by a VMS guru than when configured by a UNIX guru."
[assuming no overlap of guruhood] If you have someone who is an
absolute master of both then they can decide what fits the operational
requirements *best*.

Use tools you know and are skilled with.
----------------------------------------

mjr.

From firewalls-owner Wed May 18 03:49:53 1994
From: Paul A Vixie
Message-Id: <9405180848.AA07092@gw.home.vix.com>
X-Btw: vix.com is also gw.home.vix.com and vixie.sf.ca.us
To: Firewalls@greatcircle.com
Subject: re: screend performance
Date: Wed, 18 May 1994 01:48:13 -0700

geoff mulligan wrote:
> Is screend running on a 486 "fast enough" to keep up at ethernet speed?

no. i don't think a unix kernel can context switch that fast. maybe a
dec alpha could do it, and i'd love to try it on a 90MHz pentium. but
on a 486DX2-66 with two DMA ethernet controllers...

> How about faster than a T1?

...it's faster than a T1 but not by much. with an average mix of
packet sizes (some max, some min, most ~1K) it'll do about an E1 worth
of bandwidth.

i'm not on the firewalls list so if you want me to see your replies to
this, please cc me.
From firewalls-owner Wed May 18 04:19:28 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA10891; Wed, 18 May 1994 09:50:38 GMT Received: from csn.org by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id CAA10881; Wed, 18 May 1994 02:50:23 -0700 Received: from relay1.UU.NET by csn.org with SMTP id AA13065 (5.67b/IDA-1.5); Tue, 17 May 1994 16:49:18 -0600 Received: from mycroft.GreatCircle.COM by relay1.UU.NET with SMTP (5.61/UUNET-internet-primary) id AAwqil11829; Tue, 17 May 94 18:47:45 -0400 Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id WAA06027; Tue, 17 May 1994 22:03:56 GMT Received: from pserv1.dot.state.az.us by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA06021; Tue, 17 May 1994 15:03:41 -0700 Received: by pserv1.dot.state.az.us (5.65c/1.921207) id AA01571; Tue, 17 May 1994 15:03:51 -0700 From: tom@pserv1.dot.state.az.us (Tom Brink) Message-Id: <199405172203.AA01571@pserv1.dot.state.az.us> Subject: Advice on Firewall Politics (fwd) To: firewalls@greatcircle.com (Firewalls Mailing List) Date: Tue, 17 May 94 15:03:49 MST Reply-To: tom@pserv1.dot.state.az.us X-Mailer: ELM [version 07.00.00.00 (2.3 PL11)] Organization: Arizona Department of Transportation Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Marisa H. Pfalzgraf writes: > I'm from a small liberal arts college and I am trying to fight a political > battle with a few faculty to implement a firewall at our site. The > computer science faculty at our college believe that security is only a > hindrance and that a firewall will hamper their "academic freedom". ...much deleted I would think the real question is, how much 'data/information' are you willing to lose? Is the threat coming from outside or inside your net? What kind of a firewall did you have in mind? In know, questions, questions. 
Perhaps a simple firewall consisting of a router that blocks packets coming from the threat would be appropriate? -- Tom Brink Technical Support Specialist Arizona Department of Transportation tom@dot.state.az.us From firewalls-owner Wed May 18 04:26:00 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA11148; Wed, 18 May 1994 10:31:13 GMT Received: from csn.org by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id DAA11138; Wed, 18 May 1994 03:30:57 -0700 Received: from relay1.UU.NET by csn.org with SMTP id AA13156 (5.67b/IDA-1.5); Tue, 17 May 1994 16:49:44 -0600 Received: from mycroft.GreatCircle.COM by relay1.UU.NET with SMTP (5.61/UUNET-internet-primary) id AAwqhs26623; Tue, 17 May 94 14:11:35 -0400 Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA03786; Tue, 17 May 1994 17:31:43 GMT Received: from eurogate.bnr.co.uk by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA03768; Tue, 17 May 1994 10:31:30 -0700 Received: from bnr.co.uk by eurogate.bnr.co.uk with SMTP (PP) id <14878-0@eurogate.bnr.co.uk>; Tue, 17 May 1994 18:24:31 +0100 Received: from bhars452.bnr.co.uk by hedera.bnr.co.uk with SMTP (PP); Tue, 17 May 1994 18:24:27 +0100 To: Mark Frost Cc: firewalls@greatcircle.com Subject: Re: how to automatically put files on external ftp server In-Reply-To: Message from Mark Frost on Tue, 17 May 94 09:27:56 -0800. Organisation: Information Networks, Northern Telecom, c/o BNR Europe, London Road, HARLOW, Essex CM17 9NA, GB Phone: +44 279 402423 (fax; +44 279 403030) Date: Tue, 17 May 94 18:24:25 +0100 Message-Id: <18522.769195465@bhars452.bnr.co.uk> From: Andrew Macpherson Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Mark Frost wrote: | Might there be a way (short of me spending all of my time running to the | machine with a tape every few minutes) that I can copy the data out in a | secure fashion? 
consuder using mirror to pull the trees to the intermediate machine, push them to the public system, local delete cyclicly. Alternatively (shock-horror) use NFS to provide a writable ftp area when seen from the inside mounted on your internal machine, and a different ftp uid/gid when run on the external host. From firewalls-owner Wed May 18 04:49:32 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA10952; Wed, 18 May 1994 10:05:57 GMT Received: from csn.org by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id DAA10939; Wed, 18 May 1994 03:05:39 -0700 Received: from relay2.UU.NET by csn.org with SMTP id AA12435 (5.67b/IDA-1.5); Tue, 17 May 1994 16:46:48 -0600 Received: from mycroft.GreatCircle.COM by relay2.UU.NET with SMTP (5.61/UUNET-internet-primary) id AAwqil10250; Tue, 17 May 94 18:45:14 -0400 Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA05871; Tue, 17 May 1994 21:42:58 GMT Received: from seas.smu.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA05865; Tue, 17 May 1994 14:42:42 -0700 Received: by seas.smu.edu (/\==/\ Smail3.1.28.1 #28.31) id ; Tue, 17 May 94 16:43 CDT Received: by seas.smu.edu (/\==/\ Smail3.1.28.1 #28.28 63.63.63.quick_f) id ; Tue, 17 May 94 16:43 CDT Message-Id: From: doug@seas.smu.edu (Doug Davis) Subject: Re: PROBLEMS porting xforward to HP-UX 9 To: tanner@george.arc.nasa.gov (Rob Tanner) Date: Tue, 17 May 1994 16:43:44 -0500 (CDT) Cc: firewalls@greatcircle.com In-Reply-To: <199405172025.NAA24982@george.arc.nasa.gov> from "Rob Tanner" at May 17, 94 01:25:47 pm X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 545 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk plug in the value that is _NFILE in your stdio.h and you will be okay. 
>From ultrix:

    getdtablesize(2)

    Name
         getdtablesize - get descriptor table size

    Syntax
         nds = getdtablesize()
         int nds;

    Description
         Each process has a fixed size descriptor table that is guaranteed
         to have at least 64 slots.  The entries in the descriptor table are
         numbered with small integers starting at 0.  The getdtablesize call
         returns the size of this table.

    See Also
         close(2), dup(2), open(2)

From firewalls-owner Wed May 18 12:02:20 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA11615; Wed, 18 May 1994 12:02:20 GMT Received: from mwunix.mitre.org by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id FAA11597; Wed, 18 May 1994 05:02:05 -0700 Received: from smiley.mitre.org.sit (smiley.mitre.org [128.29.140.20]) by mwunix.mitre.org (8.6.4/8.6.4) with SMTP id IAA09406; Wed, 18 May 1994 08:03:04 -0400 Received: from [128.29.140.130] (mckenney-mac.mitre.org) by smiley.mitre.org.sit (4.1/SMI-4.1) id AA25946; Wed, 18 May 94 08:02:51 EDT Date: Wed, 18 May 94 08:02:50 EDT Message-Id: <9405181202.AA25946@smiley.mitre.org.sit> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.COM, pfalzgmh@eckerd.edu From: mckenney@smiley.mitre.org (Brian W. McKenney) Subject: Re: Advice on Firewall Politics Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk

>I'm from a small liberal arts college and I am trying to fight a political
>battle with a few faculty to implement a firewall at our site.
>The
>computer science faculty at our college believe that security is only a
>hindrance and that a firewall will hamper their "academic freedom".

The faculty needs to understand why "wide open" access is not good from a security and risk perspective. The campus Enterprise will be exposed to all forms of attacks from numerous network services.

Would suggest that you build a case as to why a firewall is needed. You have a lot of sources to back up your claims. You should look at the recent USENIX security proceedings, they have articles on particular break-ins. The breakin at Texas A&M University is a good example of the different types of attacks that can be launched at an unprotected Enterprise. The CERT incident figures are also good to cite.

You also have to identify your major security concerns. What will happen if the University President reads about a breakin to his University in the morning paper? Is this acceptable?

The other thought is that you can make a case that a firewall can save money. Without a firewall, one has to ensure that all of the campus computers are secure on a daily basis. With a firewall, you can reduce your zone of risk to the firewall machines. Security for campus machines is still important. However, without a firewall, the University is relying on daily security of its machines. This is not practical, especially if the campus has hundreds of machines.

I like Marcus' suggestion. I wonder if this issue has to be raised to a higher faculty level (e.g., President), since the potential damage may embarrass the University as a whole.
-Brian

From firewalls-owner Wed May 18 05:55:33 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA11137; Wed, 18 May 1994 10:30:56 GMT Received: from csn.org by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id DAA11130; Wed, 18 May 1994 03:30:43 -0700 Received: from relay2.UU.NET by csn.org with SMTP id AA11629 (5.67b/IDA-1.5 for firewalls@GreatCircle.COM); Tue, 17 May 1994 16:43:05 -0600 Received: from mycroft.GreatCircle.COM by relay2.UU.NET with SMTP (5.61/UUNET-internet-primary) id AAwqik08550; Tue, 17 May 94 18:37:29 -0400 Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA05791; Tue, 17 May 1994 21:34:39 GMT Received: from tamarin.bath.ac.uk by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA05785; Tue, 17 May 1994 14:34:30 -0700 Received: from ss1.bath.ac.uk by tamarin.bath.ac.uk with SMTP (PP) id <22454-0@tamarin.bath.ac.uk>; Tue, 17 May 1994 22:35:27 +0100 To: Rob Tanner Cc: firewalls@greatcircle.com Subject: Re: PROBLEMS porting xforward to HP-UX 9 In-Reply-To: Your message of "Tue, 17 May 1994 13:25:47 PDT." <199405172025.NAA24982@george.arc.nasa.gov> Date: Tue, 17 May 1994 22:35:28 +0100 From: Icarus Sparry Message-Id: <9405172235.aa06338@uk.ac.bath.ss1> Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk

>I'm trying to port xforward (from DEC CRL) to hp-ux. I seem to have
>fixed just about everything until I get down to one unsatisfied symbol
>(a function call) that I can't identify: getdtablesize.
>I presume
>that's an Ultrix library routine. Does anyone know what I need to
>change it to? It returns an INT value, is there a particular value I
>can just plug in? (That option sounds dangerous however)

getdtablesize returns the number of open files you can have. The following may work on your system as a replacement.

    #include <limits.h>
    #include <sys/time.h>
    #include <sys/resource.h>

    /* Descriptor table size, taken from the soft RLIMIT_NOFILE limit. */
    int
    getdtablesize(void)
    {
        struct rlimit limit;

        if (getrlimit(RLIMIT_NOFILE, &limit) != 0)
            return 64;          /* query failed: the guaranteed minimum */
        if (limit.rlim_cur == RLIM_INFINITY || limit.rlim_cur > INT_MAX)
            return INT_MAX;     /* don't let the cast below wrap negative */
        return (int)limit.rlim_cur;
    }

If not, you need to have a look at the code, and see how it is being used. If it is being used in a loop to close file descriptors, then a number such as 256 may well be suitable. If it is being used to see if it is able to open another connection, then a small number such as 20 would be in order. But I would check to see if my replacement function works as it is better to be accurate.

Icarus

From firewalls-owner Wed May 18 06:09:55 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA11157; Wed, 18 May 1994 10:31:29 GMT Received: from csn.org by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id DAA11149; Wed, 18 May 1994 03:31:13 -0700 Received: from relay2.UU.NET by csn.org with SMTP id AA12726 (5.67b/IDA-1.5 for firewalls@GreatCircle.COM); Tue, 17 May 1994 16:47:45 -0600 Received: from mycroft.GreatCircle.COM by relay2.UU.NET with SMTP (5.61/UUNET-internet-primary) id AAwqhu13417; Tue, 17 May 94 14:38:56 -0400 Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id SAA04080; Tue, 17 May 1994 18:02:46 GMT Received: from welch.ncd.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id LAA04074; Tue, 17 May 1994 11:02:38 -0700 Received: from bryant.ncd.com (mfrost@bryant.ncd.com [192.43.159.209]) by welch.ncd.com (8.6.8.1/8.6.6) with ESMTP id LAA20252; Tue, 17 May 1994 11:03:46 -0700 Received: (mfrost@localhost) by bryant.ncd.com (8.6.8.1/8.6.5.Beta11) id LAA19222; Tue, 17 May 1994 11:03:44 -0700 From: "Mark Frost" Message-Id:
<9405171103.ZM19220@bryant.ncd.com> Date: Tue, 17 May 1994 11:03:43 -0700 In-Reply-To: Andrew Macpherson "Re: how to automatically put files on external ftp server" (May 17, 10:54) References: <18522.769195465@bhars452.bnr.co.uk> X-Mailer: Z-Mail (3.0.1 23feb94) To: Andrew Macpherson , Mark Frost Subject: Re: how to automatically put files on external ftp server Cc: firewalls@greatcircle.com Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk

On May 17, 10:54, Andrew Macpherson wrote:
> Subject: Re: how to automatically put files on external ftp server
>
> Mark Frost wrote:
>
> | Might there be a way (short of me spending all of my time running to the
> | machine with a tape every few minutes) that I can copy the data out in a
> | secure fashion?
>
> consider using mirror to pull the trees to the intermediate machine, push them
> to the public system, local delete cyclically.
>
> Alternatively (shock-horror) use NFS to provide a writable ftp area when seen
> from the inside mounted on your internal machine, and a different ftp uid/gid
> when run on the external host.
>-- End of excerpt from Andrew Macpherson

My problem isn't really how to get the files onto the intermediate machine and vice versa, it's more that I don't want to have the files sit on the intermediate machine. It's going to be kind of strange to have to justify say, a 2gb disk on this internal machine that no one uses just so it can match the needed 2gb on the external machine. "Because it's more secure" is the only justification I can think of, and if there's an easier way that may only be slightly less secure, then that would be better for us.
I don't really like the idea of using nfs to the external machine (our screening routers don't currently like it either :-) ), however I was thinking that maybe doing nfs mounts on the internal "intermediate-hop" machine (the only machine internally that can reach the ftp server) where I can do rdists from might be ok.

Thanks

-mark frost
network computing devices

From firewalls-owner Wed May 18 06:27:23 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id IAA10497; Wed, 18 May 1994 08:44:53 GMT Received: from doors.brm.co.il by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id BAA10491; Wed, 18 May 1994 01:44:38 -0700 Received: from monk.UUCP by doors.brm.co.il (4.1/SMI-4.0) id AA27460; Thu, 12 May 94 19:49:49 IDT Received: by CheckPoint.COM (4.1/SMI-4.1) id AA01966; Thu, 12 May 94 19:47:35 IDT Date: Thu, 12 May 94 19:47:35 IDT From: shlomo@CheckPoint.COM (Shlomo Kramer) Message-Id: <9405121647.AA01966@CheckPoint.COM> To: Firewalls@GreatCircle.COM Subject: Re: CheckPoint FireWall-1 Sanity Check Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk

Hi,

Reading the discussion about

> ..the implications of the GUI running on the firewall and what dangers it
> may represent...

I think that some information about the architecture of CheckPoint FireWall-1 (FW-1) is in place.

FW-1 is a distributed system comprised of a single ``control module'' (typically residing on the sys-admin station) and any number of ``packet filtering modules'' (in the simplest case, a single packet filter module residing on the gateway to the Internet). All communication between the control module and the packet filtering modules is done through an authenticated control link. The control module can also drive cisco routers by generating and downloading access lists to them.

So the picture can look something like this:

[ASCII diagram: the Internet connects to a Gateway running the PACKET FILTERING MODULE; the Gateway and a Sys. Admin. Station running the CONTROL MODULE both sit on LocalNet; a Cisco Router joins LocalNet to OtherNet.]

Sometimes the control module (containing the GUI) may reside on the gateway itself. This is entirely up to the local administrator's decision. In any case, the GUI (as Chuck Yerkes already noted) is just an X *client*. Furthermore, the gateway itself (as any other internal machine) should be protected by FW-1 against access to X from the internet.

The GUI is a relatively small application with the following functional components:

o Network Objects & Services Managers: used to define new network objects (hosts, networks, domains, groups etc.) and services (TCP, UDP, RPC or other).

o Rule Base Editor: used to create a set of security rules.

o System Status: reporting the status of all packet filter modules in the system (number of packets passed/dropped/rejected/logged, name of filter, etc.).

o Log Viewer: allows the administrator to analyze all log events.

The work flow is something like this: First, the security policy is molded into a rule-base (using the Object Managers and Rule-Base Editor). Then, when instructed to apply this security policy, the control module generates from the rule-base a filter-script, compiles it and disseminates the filter code to the appropriate packet filter modules (and cisco routers). Once this is done, all logs and alerts generated are collected back to the control module. The control module generates real time notifications (customizable) upon alert events and allows for online viewing of log events. The control module monitors and displays the status of the packet filtering modules using the System Status screen. Finally, the administrator will use the Log Viewer in order to assess her security policy, produce reports, etc.
Some concern has been raised about the "complexity = problems" equation. I absolutely agree with Frederiko Avolio about this: complexity in the management of security is bad for your security. More specifically, I personally feel that there are three important *management* goals for a system such as FW-1:

o Easy implementation of a security policy to security rules.

o A tight feedback loop on communication attempts and system status.

o An extensive mechanism for "post-mortem" analysis.

I believe that the FW-1's GUI provides an easy-to-use answer to these goals, while not being too complex by itself.

---------------------------- F i r e W a l l - 1 -----------------------------
Shlomo Kramer, CheckPoint Software Technologies | Email: shlomo@CheckPoint.COM
437 Boylston Street                             | Voice: 1-800-429-4391
Boston MA 02116                                 | Fax:   617-859-9052
------------------------------------------------+-----------------------------

From firewalls-owner Wed May 18 14:47:33 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA13237; Wed, 18 May 1994 14:47:33 GMT Received: from chx400.switch.ch by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id HAA13231; Wed, 18 May 1994 07:47:24 -0700 X400-Received: by mta chx400.switch.ch in /PRMD=switch/ADMD=arcom/C=CH/; Relayed; Wed, 18 May 1994 16:47:15 +0200 X400-Received: by /PRMD=UBS/ADMD=ARCOM/C=CH/; Relayed; Wed, 18 May 1994 16:45:47 +0200 Date: Wed, 18 May 1994 16:45:47 +0200 X400-Originator: Angelo.Ruggiero@zh014.ubs.ubs.ch X400-Recipients: non-disclosure:; X400-MTS-Identifier: [/PRMD=ubs/ADMD=arcom/C=ch/;zhflur.zh0.135:18.04.94.14.45.51] X400-Content-Type: P2-1984 (2) Content-Identifier: Authenticatio... Alternate-Recipient: Allowed From: Ruggiero Angelo Message-ID: <"7146 Wed May 18 16:46:09 1994"@zh014.ubs.ubs.ch> To: Firewalls-Digest@GreatCircle.com Subject: Authentication/Encryption Telnet & Terminal Emulators for PCs?
Phone: +41 1 236 7041 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk

Hi,

Does anyone know of any PC (Windows on DOS) telnet software with some sort of authenticated login or encrypted session?

It does not matter if Kerberos or some other system is used, challenge/response etc.

It only should allow a PC to talk to a UNIX system in a secure way, which does not involve the password being sent over the network in clear text.

This might be the wrong list, but I just thought you might know.

thanks

Angelo Ruggiero
Union Bank of Switzerland
Email: Angelo.Ruggiero@zh014.ubs.ubs.ch
X.400: /S=Ruggiero/G=Angelo/OU=zh014/O=ubs/PRMD=ubs/ADMD=arcom/C=CH
Fax: +41 1 236 7084

From firewalls-owner Wed May 18 09:19:32 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA13598; Wed, 18 May 1994 15:50:51 GMT Received: from kssib.ksc.nasa.gov by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id IAA13592; Wed, 18 May 1994 08:50:44 -0700 Received: from escact.ksc.nasa.gov by kssib.ksc.nasa.gov with SMTP (5.65/25-eef) id AA09890; Wed, 18 May 94 11:52:08 -0400 Received: by escact.ksc.nasa.gov.ksc.nasa.gov (4.1/SMI-4.1) id AA00550; Wed, 18 May 94 11:50:52 EDT Date: Wed, 18 May 94 11:50:52 EDT From: mark@escact.ksc.nasa.gov (Mark E. Gibbons) Message-Id: <9405181550.AA00550@escact.ksc.nasa.gov.ksc.nasa.gov> To: firewalls@GreatCircle.COM Subject: USENIX security proceedings Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk

speaking of which, is there an on-line source for the USENIX security proceedings?
thanks,
meg

From firewalls-owner Wed May 18 10:30:09 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA14281; Wed, 18 May 1994 17:10:57 GMT Received: from shadow.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA14091; Wed, 18 May 1994 09:58:26 -0700 Received: (cklaus@localhost) by shadow.net (8.6.8.1/jc-1.0) id NAA02100 for firewalls@greatcircle.com; Wed, 18 May 1994 13:01:36 -0400 From: Christopher Klaus Message-Id: <199405181701.NAA02100@shadow.net> Subject: Src routing packets To: firewalls@greatcircle.com Date: Wed, 18 May 94 13:01:36 EDT X-Mailer: ELM [version 2.3 PL0] Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk

Do almost all platforms of Unix support src routing packets and is there a way to turn off accepting src routing packets [probably via kernel mod?] for Sun, Solaris, HPUX, Ultrix, Sgi, bsdi, sco, and AIX?

-- 
Christopher William Klaus
Internet Security Systems, Inc.
2209 Summit Place Drive, Atlanta, GA 30350-2430. (404)998-5871.

From firewalls-owner Wed May 18 10:40:24 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA14224; Wed, 18 May 1994 17:09:29 GMT Received: from mycroft.GreatCircle.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA13955; Wed, 18 May 1994 09:36:21 -0700 Message-Id: <199405181636.JAA13955@mycroft.GreatCircle.COM> To: Firewalls@GreatCircle.COM Subject: Firewalls is looped again Date: Wed, 18 May 1994 09:36:17 -0700 From: Brent Chapman Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk

Someone (CSN.ORG, this time) is looping Firewalls and several other lists, like FlexFAX and BugTraq. That's what's causing the duplicates everyone's been seeing.

The problem first cropped up yesterday; I noticed it fairly early on (I happened to be logged in when it started), and made the list temporarily moderated in order to catch the duplicates.
Later last night, I talked to the folks who run CSN.ORG, and the problem was supposedly fixed; I wasn't seeing any more duplicates coming in, so I turned the list back on. I guess they were wrong about it being fixed, because when I came in this morning, more messages had been looping overnight.

I've put the list back on temporarily-moderated status.

-Brent

-- 
Brent Chapman           | Great Circle Associates | Call or email for info about
Brent@GreatCircle.COM   | 1057 West Dana Street   | upcoming Internet Security
+1 415 962 0841         | Mountain View, CA 94041 | Firewalls Tutorial dates

From firewalls-owner Wed May 18 11:00:09 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA14423; Wed, 18 May 1994 17:21:42 GMT Received: from bedrock.cs.UMD.EDU by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA14341; Wed, 18 May 1994 10:18:41 -0700 Received: from localhost by bedrock.cs.UMD.EDU (8.6.5/UMIACS-0.9/04-05-88) id NAA27077; Wed, 18 May 1994 13:19:44 -0400 Date: Wed, 18 May 1994 13:19:44 -0400 From: reh@cs.UMD.EDU (Richard Huddleston) Message-Id: <199405181719.NAA27077@bedrock.cs.UMD.EDU> To: Angelo.Ruggiero@zh014.ubs.ubs.ch Subject: Re: Authentication/Encryption Telnet & Terminal Emulators for PCs? Cc: firewalls@greatcircle.com Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk

I understand that the PCTCP package (FTP Software: info@ftp.com) does support Kerberos.

If you feel like coding, there's a crypted TELNET client/server package on FTP at Cray.Com -- you'll be required to port the client to DOS/Windows. If you port it to Windows, you'll be better off -- there's a WinSock.DLL that has very-close-to-BSD syntax and semantics. You can find out more by checking alt.winsock or comp.os.ms-windows.networking.tcp-ip and filtering out all of the "How Do I Get Trumpet To Work?" messages.
Richard * Hi, * * Does anyone know of any PC (Windows on DOS) telnet software with * some sort of authenticated login or encrypted session. * * It does not matter if kerberos or some other system is used * challenge/response etc. * * It only should allow a PC to talk to a UNIX system in a secure way, * which does not involve the password being sent over the network in clear * text. * * This might be the wrong list, but I just thought you might know. * * thanks * * Angelo Ruggiero * Union Bank of Switzerland * Email: Angelo.Ruggiero@zh014.ubs.ubs.ch * X.400: /S=Ruggiero/G=Angelo/OU=zh014/O=ubs/PRMD=ubs/ADMD=arcom/C=CH * Fax: +41 1 236 7084 * From firewalls-owner Wed May 18 11:09:34 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA14283; Wed, 18 May 1994 17:10:57 GMT Received: from enuucp.eas.asu.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA14077; Wed, 18 May 1994 09:53:51 -0700 Received: from titan.UUCP by enuucp.eas.asu.edu with UUCP id AA24436 (5.65c/IDA-1.4.4 for greatcircle.com!firewalls); Wed, 18 May 1994 10:01:57 -0700 Received: from localhost by titan with SMTP id <15662>; Wed, 18 May 1994 08:41:22 -0700 To: firewalls@greatcircle.com Subject: Re: how to automatically put files on external ftp server In-Reply-To: Your message of "Tue, 17 May 1994 10:24:25 MST." <18522.769195465@bhars452.bnr.co.uk> Date: Wed, 18 May 1994 08:46:24 -0700 From: Gustavo Vegas Message-Id: <94May18.084122mst.15662@titan> Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Hello, Sections from message <18522.769195465@bhars452.bnr.co.uk> read: > >Mark Frost wrote: > >| Might there be a way (short of me spending all of my time running to the >| machine with a tape every few minutes) that I can copy the data out in a >| secure fashion? > Perhaps you should take a look at SUP(Software Upgrade Protocol). I am not a SUP user, but it may be the answer to your problems. 
As far as I have read the documentation, SUP is used (primarily) to automatically distribute updates and even full releases of the Mach Operating System (from Carnegie-Mellon). It can be compiled and used under plain good-old Unix, and used to distribute files across the network. I do not know what security implications one must consider with respect to this protocol, and it would be interesting if someone experienced with SUP could shed some light on the security aspects of SUP, (if this has not been discussed in the past) for the benefit of the list. Cheers, -------- ===========================================+=========================== Gustavo Vegas titan!gustavo@enuucp.eas.asu.edu CAD Systems Administrator Microchip Technology Inc. Chandler, Arizona ===========================================+=========================== From firewalls-owner Wed May 18 11:10:12 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA14285; Wed, 18 May 1994 17:11:01 GMT Received: from bwh.harvard.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA14188; Wed, 18 May 1994 10:07:29 -0700 Received: (adam@localhost) by bwh.harvard.edu (8.6.9/8.6.9) id MAA15141; Wed, 18 May 1994 12:02:33 -0400 From: Adam Shostack Message-Id: <199405181602.MAA15141@bwh.harvard.edu> Subject: Re: Advice on Firewall Politics To: mckenney@smiley.mitre.org (Brian W. McKenney) Date: Wed, 18 May 94 12:02:32 EDT Cc: firewalls@greatcircle.com In-Reply-To: <9405181202.AA25946@smiley.mitre.org.sit>; from "Brian W. McKenney" at May 18, 94 8:02 am Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk | >I'm from a small liberal arts college and I am trying to fight a political | >battle with a few faculty to implement a firewall at our site. The | >computer science faculty at our college believe that security is only a | >hindrance and that a firewall will hamper their "academic freedom".
| The other thought is that you can make a case that a firewall can save | money. Without a firewall, one has to ensure that all of the campus | computers are secure on a daily basis. With a firewall, you can reduce | your zone of risk to the firewall machines. Security for campus machines | is still important. However, without a firewall, the University is relying I've been working closely with my alma mater, Simon's Rock, which is just such a small liberal arts college, on security issues. There, we expected some threat from the outside, but couldn't justify the expense of a PC based firewall + administrating it without a demonstrated outside threat. It turns out that the big problem has not been external, but local. Quite a few students have attempted to break in. I strongly suspect that local attacks will be much more of a problem at small schools. Often, there isn't very much worth breaking into from the point of view of outsiders. This is the opposite of large, well known institutions like AT&T or banks, or even MIT, where the target has interesting stuff on their computers. At companies, the employer has control over every employee, and has a variety of disciplinary actions that they can take, up to and including firing &/or suing employees who violate their security policies. At a school, the institution has much less control over the students. Expulsions for hacking are close to unheard of, although I suspect that some will occur soon. | I like Marcus' suggestion. I wonder if this issue has to be raised to a | higher faculty level (e.g., President), since the potential damage may | embarrass the University as a whole. I agree that the issues should be raised with the top levels of the administration, not because of embarrassment, but because the school should have a clear cut policy directive that comes from the top, that the administration is willing to stand behind about what to do with your student hackers when you catch them. 
Again, I think a firewall, while it may be useful, fails to address the big problem that you will see with a small college, which is students with too much time on their hands breaking in. Adam -- Adam Shostack adam@bwh.harvard.edu Politics. From the greek "poly," meaning many, and ticks, a small, annoying bloodsucker. From firewalls-owner Wed May 18 12:20:12 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA15612; Wed, 18 May 1994 19:13:19 GMT Received: from databus.databus.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA15571; Wed, 18 May 1994 12:09:54 -0700 Date: Wed, 18 May 94 15:15 EDT Message-ID: <9405181516.AA17633@databus.databus.com> From: Barney Wolff To: firewalls@GreatCircle.COM Subject: Re: Advice on Firewall Politics Content-Length: 938 Content-Type: text Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > Date: Wed, 18 May 94 08:02:50 EDT > From: mckenney@smiley.mitre.org (Brian W. McKenney) > > The other thought is that you can make a case that a firewall can save > money. Without a firewall, one has to ensure that all of the campus > computers are secure on a daily basis. With a firewall, you can reduce > your zone of risk to the firewall machines. Security for campus machines > is still important. However, without a firewall, the University is relying > on daily security of its machines. This is not practical, especially if > the campus has hundreds of machines. Is there a real difference between inside and outside threats in a campus environment? I'd say not, unless it's a divinity school :-). Seems to me that any machine that somebody really cares about needs its own protection. The people with the most motive to mess with the administration's computers live right on campus.
Barney Wolff From firewalls-owner Wed May 18 19:45:35 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA15910; Wed, 18 May 1994 19:45:35 GMT Received: from Sun.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA15739; Wed, 18 May 1994 12:21:00 -0700 Received: from EBay.Sun.COM (female.EBay.Sun.COM) by Sun.COM (sun-barr.Sun.COM) id AA14342; Wed, 18 May 94 12:22:12 PDT Received: from olympics.EBay.Sun.COM by EBay.Sun.COM (4.1(1/24/94)/SMI-4.1) id AA25243; Wed, 18 May 94 12:22:11 PDT Received: by olympics.EBay.Sun.COM (4.1 1/7/93 /SMI-4.1a_olympics) id AA04690; Wed, 18 May 94 12:21:11 PDT Date: Wed, 18 May 94 12:21:11 PDT From: Brad.Powell@EBay.Sun.COM ( Brad Powell - Sun CIS) Message-Id: <9405181921.AA04690@olympics.EBay.Sun.COM> To: firewalls@GreatCircle.COM, cklaus@shadow.net Subject: Re: Src routing packets Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Chris writes: >Subject: Src routing packets >To: firewalls@GreatCircle.COM >Date: Wed, 18 May 94 13:01:36 EDT > > >Do almost all platforms of Unix support src routing packets and is there >a way to turn off accepting src routing packets [probably via kernel mod?] >for Sun, Solaris, HPUX, Ultrix, Sgi, bsdi, sco, and AIX? > > > > Can't speak for HP, SCO, AIX, or SGI :-) but in Solaris 2.x it's an ndd option and in 4.1.X it's a trivial kernel hack.
Brad From firewalls-owner Wed May 18 13:20:13 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA16168; Wed, 18 May 1994 20:08:41 GMT Received: from pserv1.dot.state.az.us by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA16029; Wed, 18 May 1994 12:55:26 -0700 Received: by pserv1.dot.state.az.us (5.65c/1.921207) id AA24696; Wed, 18 May 1994 12:55:52 -0700 From: tom@pserv1.dot.state.az.us (Tom Brink) Message-Id: <199405181955.AA24696@pserv1.dot.state.az.us> Subject: Re: Advice on Firewall Politics (fwd) To: firewalls@greatcircle.com (Firewalls Mailing List) Date: Wed, 18 May 94 12:55:51 MST Reply-To: firewalls@greatcircle.com X-Mailer: ELM [version 07.00.00.00 (2.3 PL11)] Organization: Arizona Department of Transportation Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Adam Shostack writes: > From: Adam Shostack > Subject: Re: Advice on Firewall Politics > To: mckenney@smiley.mitre.org (Brian W. McKenney) > Date: Wed, 18 May 94 12:02:32 EDT > Cc: firewalls@greatcircle.com > Sender: Firewalls-Owner@greatcircle.com > Precedence: bulk > ...much stuff deleted > It turns out that the big problem has not been external, but > local. Quite a few students have attempted to break in. I strongly > suspect that local attacks will be much more of a problem at small > schools. Often, there isn't very much worth breaking into from the > point of view of outsiders. This is the opposite of large, well known > institutions like AT&T or banks, or even MIT, where the target has > interesting stuff on their computers. > > At companies, the employer has control over every employee, > and has a variety of disciplinary actions that they can take, up to > and including firing &/or suing employees who violate their security > policies. At a school, the institution has much less control over the > students. Expulsions for hacking are close to unheard of, although I > suspect that some will occur soon. 
A college student here (at a community college) was recently convicted of computer fraud (class 6 felony) for breaking into the school computer (a rather unsecured VAX). Ultimately he was expelled from that school and is currently on probation. -- Tom Brink Technical Support Specialist Arizona Department of Transportation tom@dot.state.az.us From firewalls-owner Wed May 18 20:39:15 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA16456; Wed, 18 May 1994 20:39:15 GMT Received: from inesc.inesc.pt by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA16201; Wed, 18 May 1994 13:10:33 -0700 Received: from avila.inesc.pt by inesc.inesc.pt with SMTP; id AA12661 (5.67a/SunOS4.1.3); Wed, 18 May 1994 22:08:59 +0200 Received: by avila.inesc.pt (4.1/SunOS4.1.2) id AA18839; Wed, 18 May 94 22:11:27 +0200 From: prc@avila.inesc.pt (Pedro Ramalho Carlos) Message-Id: <9405182011.AA18839@avila.inesc.pt> Subject: Re: Authentication/Encryption Telnet & Terminal Emulators for PCs? To: Angelo.Ruggiero@zh014.ubs.ubs.ch (Ruggiero Angelo) Date: Wed, 18 May 1994 22:11:26 +0200 (MET DST) Cc: Firewalls-Digest@GreatCircle.COM In-Reply-To: <"7146 Wed May 18 16:46:09 1994"@zh014.ubs.ubs.ch> from "Ruggiero Angelo" at May 18, 94 04:45:47 pm X-Mailer: ELM [version 2.4 PL22] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 8bit Content-Length: 663 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > > > Hi, > > Does anyone know of any PC (Windows on DOS) telnet software with > some sort of authenticated login or encrypted session. > > It does not matter if kerberos or some other system is used > challenge/response etc. > > It only should allow a PC to talk to a UNIX system in a secure way, > which does not involve the password being sent over the network in clear > text. FTP Software PC/TCP for dos/windoze has a kerberos "client".
never used it, though hope it helps (Try info@ftp.com for more) --- pedro ramalho carlos email: prc@inesc.pt INESC tel: +351-1-3100050 Av. Duque de Avila, 23 fax: +351-1-3100008 1017 Lisboa Codex - PORTUGAL From firewalls-owner Thu May 19 09:30:19 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA21192; Thu, 19 May 1994 16:10:23 GMT Received: from holmes.bed.ns.doe.ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA21184; Thu, 19 May 1994 09:10:04 -0700 Message-Id: <199405191610.JAA21184@mycroft.GreatCircle.COM> Received: from DEMO.dart.ns.doe.CA by holmes.bed.ns.doe.ca with SMTP (1.37.109.6/16.2) id AA12789; Thu, 19 May 94 16:08:31 GMT X-Sender: fred@holmes Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 19 May 1994 16:05:14 -0300 To: Goetz.von-Escher@open.ch, nreadwin@london.micrognosis.com, smb@research.att.com, firewalls@GreatCircle.COM From: fred@bed.ns.doe.ca (Fred Karg) Subject: I need mail X-Mailer: Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Bruce: I need some mail to demo on PC Eudora Please forward some messages from your account to me. thanks,Fred From firewalls-owner Thu May 19 19:07:56 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA22775; Thu, 19 May 1994 19:07:56 GMT Received: from jaws by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA22769; Thu, 19 May 1994 12:07:46 -0700 Received: by jaws (1.37.109.4/16.2) id AA26921; Thu, 19 May 94 14:10:09 -0500 Date: Thu, 19 May 1994 14:10:09 -0500 (CDT) From: Don Maxwell Subject: Re: I need mail To: Fred Karg Cc: Goetz.von-Escher@open.ch, nreadwin@london.micrognosis.com, smb@research.att.com, firewalls@greatcircle.com In-Reply-To: <199405191610.JAA21184@mycroft.GreatCircle.COM> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Hi! 
On Thu, 19 May 1994, Fred Karg wrote: > Bruce: > > I need some mail to demo on PC Eudora > > Please forward some messages from your account to me. > > thanks,Fred > > ==================================================================== Don R. Maxwell (214)718-6558 National Router Network Planner (214)718-6947 FAX GTE Telephone Operations Irving, TX dmaxwell@gtetel.com -------------------------------------------------------------------- From firewalls-owner Thu May 19 19:10:32 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA22805; Thu, 19 May 1994 19:10:32 GMT Received: from Sun.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id LAA22612; Thu, 19 May 1994 11:44:15 -0700 Received: from EBay.Sun.COM (female.EBay.Sun.COM) by Sun.COM (sun-barr.Sun.COM) id AA03730; Thu, 19 May 94 11:45:24 PDT Received: from olympics.EBay.Sun.COM by EBay.Sun.COM (4.1(1/24/94)/SMI-4.1) id AA07854; Thu, 19 May 94 11:45:19 PDT Received: by olympics.EBay.Sun.COM (4.1 1/7/93 /SMI-4.1a_olympics) id AA06311; Thu, 19 May 94 11:44:18 PDT Date: Thu, 19 May 94 11:44:18 PDT From: Brad.Powell@EBay.Sun.COM ( Brad Powell - Sun CIS) Message-Id: <9405191844.AA06311@olympics.EBay.Sun.COM> To: Firewalls@GreatCircle.COM Subject: source routing kernel hack Content-Type: X-sun-attachment Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk ---------- X-Sun-Data-Type: text X-Sun-Data-Description: text X-Sun-Data-Name: text X-Sun-Content-Lines: 31 Public Appologies to Brent for my posting this incorrectly to the wrong alias as well as goofing on the attachment last time around. trying again. Brad ======================================================================= THIS IS NOT A SUN OR SUN SUPPORTED PATCH!!! Don't call Sun if it doesn't work as you expected. ======================================================================= Okay, whew, sorry for that, but I wanted to make sure that was clear. 
Below are the kernel changes to drop source routed packets for SunOS 4.1.X This isn't needed in solaris 2.X, since it's a configurable option using ndd(1m) Bug reports to me. Test this yourself, and don't make any assumption that I did things right. uuencoded compressed tarfile. ---------- X-Sun-Data-Type: default X-Sun-Data-Description: default X-Sun-Data-Name: source.route.block.hack.tar.Z.uu X-Sun-Content-Lines: 501 begin 600 source.route.block.hack.tar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end From firewalls-owner Thu May 19 19:42:25 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA23002; Thu, 19 May 1994 19:42:25 GMT Received: from pwfl.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA22995; Thu, 19 May 1994 12:41:06 -0700 Received: by pwfl.com (4.1/SMI-4.1) id AA22594; Thu, 19 May 94 15:33:02 EDT From: murkland@pwfl.com (Richard Murkland 407-796-5249) Message-Id: <9405191933.AA22594@pwfl.com> Subject: password aging on SunOS 4.1.x firewall To: Firewalls@GreatCircle.COM Date: Thu, 19 May 94 15:33:01 EDT X-Mailer: ELM [version 2.3 PL0] Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk I have a firewall running SunOS 4.1.1 that doesn't have password aging turned on. The firewall doesn't use NIS, so Sun's password aging should be OK, right? Does anyone know of any technical reason that I would not want to use this feature? While I'm making changes to the password setup, any suggestions to make passwords more secure (already have the C2 security feature) are also welcome.
TIA -- Richard Murkland (407)796-5249 Pratt & Whitney, West Palm Beach, Fl murkland@pwfl.com From firewalls-owner Thu May 19 19:46:29 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA23024; Thu, 19 May 1994 19:46:29 GMT Received: from eos.ap.org by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA23017; Thu, 19 May 1994 12:45:05 -0700 Received: by eos.ap.org (4.1/SMI-4.1) id AA11802; Thu, 19 May 94 15:37:21 EDT Date: Thu, 19 May 1994 15:37:20 -0400 (EDT) From: "Daniel C. Lanzi" Subject: Re: How secure is Vax VMS Sites as opposed to Unix Sites..... To: firewalls@greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk IMHO, VMS/IP is more secure than UNIX/IP because: 1. IP on VMS (at least the one I use) has security features that are missing or are after-thoughts on UNIX. For example, VMS/IP has a built in tcpwrapper-like feature that accepts/rejects requests based on net number/host address and logs them. 2. There seem to be far more UNIX Bad Guys on the Internet than VMS Bad Guys. The probability of being hacked is probably lower if you use VMS. If someone wants to spend a week trying to steal /etc/passwd off a VMS system then more power to 'em ;-) I'd be interested in hearing from those who want to use VMS systems to build firewalls, mainly 'cause I've gots lots of them lying around not doing anything.
- Dan From firewalls-owner Thu May 19 13:40:24 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA23305; Thu, 19 May 1994 20:31:01 GMT Received: from relay1.UU.NET by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA23298; Thu, 19 May 1994 13:30:47 -0700 Received: from uucp7.UU.NET by relay1.UU.NET with SMTP (5.61/UUNET-internet-primary) id AAwqpm13806; Thu, 19 May 94 16:32:01 -0400 Received: from uworld.UUCP by uucp7.UU.NET with UUCP/RMAIL ; Thu, 19 May 1994 16:32:09 -0400 Reply-To: crow!rik@uunet.UU.NET Received: by crow.spirit.com (4.1/SMI-4.1) id AA10980; Thu, 19 May 94 11:38:07 MST Date: Thu, 19 May 94 11:38:07 MST From: crow!rik@uunet.UU.NET (Rik Farrow 602 282 0242 MST) Message-Id: <9405191838.AA10980@crow.spirit.com> To: Firewalls@greatcircle.com Subject: Re: Authentication/Encryption Telnet & Terminal Emulators for PCs? Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk CyberSafe, formerly OSCG, in Redmond Washington has a commercial Kerberos product, which includes clients for many UNIX platforms, and for Windows and Macs. There is also an encrypting telnet client. Try bobg@ocsg.com (Bob Gassen). 
Rik Farrow rik@uworld.com From firewalls-owner Thu May 19 13:50:22 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA23296; Thu, 19 May 1994 20:30:38 GMT Received: from bwh.harvard.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA23283; Thu, 19 May 1994 13:30:10 -0700 Received: from spl.bwh.harvard.edu (spl.bwh.harvard.edu [134.174.81.53]) by bwh.harvard.edu (8.6.9/8.6.9) with ESMTP id QAA20136 for ; Thu, 19 May 1994 16:30:32 -0400 From: Adam Shostack Received: from localhost by spl.bwh.harvard.edu (8.6.4) id QAA15924; Thu, 19 May 1994 16:30:24 -0400 Message-Id: <199405192030.QAA15924@spl.bwh.harvard.edu> Subject: I don't need mail :) To: firewalls@greatcircle.com Date: Thu, 19 May 94 16:30:22 EDT Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk If you want to reply to Fred, please leave the Firewalls mailing list out of the loop. Thanks, Adam | Hi! | | On Thu, 19 May 1994, Fred Karg wrote: | | > Bruce: | > | > I need some mail to demo on PC Eudora | > | > Please forward some messages from your account to me. | > | > thanks,Fred -- Adam Shostack adam@bwh.harvard.edu Politics. From the greek "poly," meaning many, and ticks, a small, annoying bloodsucker. From firewalls-owner Thu May 19 20:57:17 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA23413; Thu, 19 May 1994 20:57:17 GMT Received: from freenet3.carleton.ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA23407; Thu, 19 May 1994 13:57:00 -0700 Received: from localhost (xx247@localhost) by freenet3.carleton.ca (8.6.4/8.6.4) id QAA05833; Thu, 19 May 1994 16:57:53 -0400 From: "G.J.W. 
Hagenaars" Message-Id: <199405192057.QAA05833@freenet3.carleton.ca> Subject: Re: password aging on SunOS 4.1.x firewall To: murkland@pwfl.com (Richard Murkland 407-796-5249) Date: Thu, 19 May 1994 16:57:53 -0400 (EDT) Cc: Firewalls@GreatCircle.COM In-Reply-To: <9405191933.AA22594@pwfl.com> from "Richard Murkland 407-796-5249" at May 19, 94 03:33:01 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 772 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Richard Murkland: % I have a firewall running SunOS 4.1.1 that doesn't have password aging % turned on. The firewall doesn't use NIS, so Sun's password aging should % be OK, right? Does anyone know of any technical reason that I would not % want to use this feature? % % While I'm making changes to the password setup, any suggestions to make % passwords more secure (already have the C2 security feature) are also % welcome. I just got back (virtually that is) from a search for passwd sources. One of them is shadow-3.3 that allows you to do lots of neat stuff. You may want to take a look at that too (just a thought). Cheers, G.J.W. 
Hagenaars | postmaster National Capital Freenet xx247@freenet.carleton.ca | Freenet security scrutinist From firewalls-owner Thu May 19 21:14:36 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA23575; Thu, 19 May 1994 21:14:36 GMT Received: from bwh.harvard.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA23569; Thu, 19 May 1994 14:14:10 -0700 Received: from spl.bwh.harvard.edu (spl.bwh.harvard.edu [134.174.81.53]) by bwh.harvard.edu (8.6.9/8.6.9) with ESMTP id RAA20320; Thu, 19 May 1994 17:14:30 -0400 From: Adam Shostack Received: from localhost by spl.bwh.harvard.edu (8.6.4) id RAA16052; Thu, 19 May 1994 17:14:28 -0400 Message-Id: <199405192114.RAA16052@spl.bwh.harvard.edu> Subject: Re: password aging on SunOS 4.1.x firewall To: murkland@pwfl.com (Richard Murkland 407-796-5249) Date: Thu, 19 May 94 17:14:28 EDT Cc: Firewalls@GreatCircle.COM In-Reply-To: <9405191933.AA22594@pwfl.com>; from "Richard Murkland 407-796-5249" at May 19, 94 3:33 pm Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Richard Murkland: | I have a firewall running SunOS 4.1.1 that doesn't have password aging | turned on. The firewall doesn't use NIS, so Sun's password aging should | be OK, right? Does anyone know of any technical reason that I would not | want to use this feature? | | While I'm making changes to the password setup, any suggestions to make | passwords more secure (already have the C2 security feature) are also | welcome. I would not use a password aging feature because I would use a one time password scheme, like S/Key. Aging only partially protects you against Cracking attacks; it does nothing against sniffing, which I think (but have no evidence for this thought) is becoming more common. I also would not use an aging scheme for a political reason which is that I find that aging causes users to write down their passwords. 
The other thing that they do is start rotating passwords: secRet1, secRet2, secRet3, etc. Also, unless there is a compelling reason not to, I'd update your firewall to SunOS 4.1.3+. There are a fair number of security patches integrated in, and you get the nifty fast-fsck.. Adam -- Adam Shostack adam@bwh.harvard.edu Politics. From the greek "poly," meaning many, and ticks, a small, annoying bloodsucker. From firewalls-owner Thu May 19 23:14:39 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id XAA24450; Thu, 19 May 1994 23:14:39 GMT Received: from holmes.bed.ns.doe.ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA24441; Thu, 19 May 1994 16:14:28 -0700 Message-Id: <199405192314.QAA24441@mycroft.GreatCircle.COM> Received: by holmes.bed.ns.doe.ca (1.37.109.6/16.2) id AA14415; Thu, 19 May 94 23:14:10 GMT From: Fred Karg Subject: Apology for Mass Mailing To: firewalls@GreatCircle.COM Date: Thu, 19 May 94 23:14:10 GMT Mailer: Elm [revision: 70.85] Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Many apologies to one & all for the "I Need Mail" message..... and thanks to the 37 who answered. The message was of course intended for one user. I'm still not sure how I managed the mass mailing. (Please don't acknowledge the apology!) :-) -- |-----------------------------------------------------------------------| | Fred Karg | A.E.S. Environment Canada | | | | Bedford, N.S.
Canada | fred@holmes.bed.ns.doe.ca | |-----------------------------------------------------------------------| From firewalls-owner Fri May 20 02:25:25 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id CAA25094; Fri, 20 May 1994 02:25:25 GMT Received: from svs6.svh.unsw.EDU.AU by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA25088; Thu, 19 May 1994 19:25:15 -0700 Received: from OMS002 (OMS002::TOROBIN) by SVS6 (MX V4.0-1 VAX) with SMTP (DECnet); Fri, 20 May 1994 12:30:07 EDT Received: by oms002.dnet.svh.unsw.EDU.AU (MX V4.0-1 VAX) id 1; Fri, 20 May 1994 12:24:18 EDT Date: Fri, 20 May 1994 12:24:18 EDT From: Robin Garner Reply-To: R.Garner@svh.unsw.EDU.AU To: firewalls@GreatCircle.COM CC: torobin%oms002.dnet@svh.unsw.EDU.AU Message-ID: <0097EB63.9EDECBC0.1@oms002.dnet.svh.unsw.EDU.AU> Subject: Re: How secure is Vax VMS Sites as opposed to Unix Sites..... Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > IMHO, VMS/IP is more secure that UNIX/IP because: ... > I'd be interested in hearing from those who want to use VMS systems to > build firewalls, mainly 'cause I've gots lots of them lying around not > doing anything. This is something I'm working on (as a background task) at the moment. One of the advantages of IP on VMS (at least the DEC supplied UCX) is that in addition to having accept/reject lists built in, you also have hooks to a user-written driver for implementing local screening policies. This allows you to do screend type things without either hacking the kernel or incurring context switches. This still doesn't mean that I'm wholly in favour of using a VMS system as a firewall. I'm having difficulties convincing my management that the firewall should *only* be the firewall, because they don't view VMS systems as single purpose boxes. A PC or even Sun would be much more palatable in terms of management perceptions. 
The major disadvantage of VMS is the lack of software for implementing firewalls - it's strictly "roll your own" beyond the simple address filtering that comes with UCX. The key point here (IMHO) is assurance. A firewall platform that has been in wide use for many years, installed by someone with experience with the tool is easier to accept as "secure" than an unproven platform with home-grown software, no matter what its technical merits. - Robin -- Robin Garner Email: R.Garner@svh.unsw.EDU.AU St. Vincent's Hospital Phone: +61 2 361 2903 Darlinghurst, Sydney, N.S.W. [Contractor] From firewalls-owner Fri May 20 02:44:50 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id CAA25138; Fri, 20 May 1994 02:44:50 GMT Received: from mbunix.mitre.org by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA25132; Thu, 19 May 1994 19:44:38 -0700 From: bede@scotty.mitre.org Received: from scotty.mitre.org by mbunix.mitre.org (8.6.4/4.7) id WAA22516; Thu, 19 May 1994 22:45:50 -0400 Posted-from: The MITRE Corporation, Bedford, MA Received: by scotty.mitre.org (8.6.7/ITF-Bedford) id WAA05652; Thu, 19 May 1994 22:45:25 -0400 Date: Thu, 19 May 1994 22:45:25 -0400 Message-Id: <199405200245.WAA05652@scotty.mitre.org> To: dlanzi@ap.org CC: firewalls@GreatCircle.COM In-reply-to: "Daniel C. Lanzi"'s message of Thu, 19 May 1994 15:37:20 -0400 (EDT) Subject: RE: How secure is Vax VMS Sites as opposed to Unix Sites..... Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Date: Thu, 19 May 1994 15:37:20 -0400 (EDT) From: "Daniel C. Lanzi" [ . . . ] 2. There seem to be far more UNIX Bad Guys on the Internet than VMS Bad Guys. The probability of being hacked is probably lower if you use VMS. [ . . . 
] It's no big thing, but I'm afraid this doesn't actually say much about the relative security of UNIX versus VMS, Dan; there are simply far more UNIXes and UNIX users than VMSes and VMS users directly attached to the net, so it's far more likely that you'll find UNIX-flavored crackers than other kinds. Once upon a time, not *that* long ago, most of the *real* crackers on the net had a strong TOPS-20 or maybe an ITS background, which also said less about security than about the relative ubiquity of these operating systems. For better or worse, UNIX is also much better documented than other operating systems, and having complete BSD UNIX source code is commonplace. It's easier to figure out where the problems are and how to exploit them if you have such detailed information available. Proprietary operating systems don't generally suffer from this type of "security" problem. I'd be interested in hearing from those who want to use VMS systems to build firewalls, mainly 'cause I've gots lots of them lying around not doing anything. Damn, there I go again. I *knew* there was something fishy about (1) and (2)... ;-) - Bede McCall The MITRE Corporation Bedford, Massachusetts From firewalls-owner Fri May 20 03:21:07 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id DAA25304; Fri, 20 May 1994 03:21:07 GMT Received: from kilby.elee.calpoly.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA25297; Thu, 19 May 1994 20:20:54 -0700 Received: by kilby.elee.calpoly.edu (5.57/Ultrix3.0-C) id AA10956; Thu, 19 May 94 20:21:45 -0700 Date: Thu, 19 May 94 20:21:45 -0700 From: nlawson@kilby.elee.calpoly.edu (Nathaniel Lawson) Message-Id: <9405200321.AA10956@kilby.elee.calpoly.edu> To: Firewalls@greatcircle.com Subject: Netcure.zip Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Sorry to interrupt, but is there anyone that wanted a copy of NetCure.Zip?
It is a network analysis tool that shows percentages of packets from which host and other statistical facts. I will send a uuencoded copy to anyone who requests it. I think I didn't fill two requests because of some system problems. -Nate From firewalls-owner Fri May 20 03:40:52 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA26756; Fri, 20 May 1994 09:36:21 GMT Received: from srv.cip.physik.tu-muenchen.de by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id CAA26750; Fri, 20 May 1994 02:36:04 -0700 Received: from ss5.cip.physik.tu-muenchen.de by srv.cip.physik.tu-muenchen.de with SMTP id AA06096 for (5.67a/IDA-1.5/bs03); Fri, 20 May 1994 11:36:09 +0200 Message-Id: <199405200936.AA06096@srv.cip.physik.tu-muenchen.de> To: murkland@pwfl.com (Richard Murkland 407-796-5249) Cc: Firewalls@greatcircle.com Subject: Re: password aging on SunOS 4.1.x firewall In-Reply-To: Your message of "Thu, 19 May 94 15:33:01 EDT." <9405191933.AA22594@pwfl.com> Date: Fri, 20 May 94 11:36:08 +0200 From: Bernhard.Schneck@Physik.TU-Muenchen.DE Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk This is not really a firewall issue, but ... In message <9405191933.AA22594@pwfl.com> you write: > I have a firewall running SunOS 4.1.1 that doesn't have password aging > turned on. The firewall doesn't use NIS, so Sun's password aging should > be OK, right? Does anyone know of any technical reason that I would not > want to use this feature? Password aging, implemented the AT&T way, is a Bad Thing imho. Thinking up a good password is nothing to be done on the fly, it usually takes me a week or so to find a good, easy to remember and easy to type password. Forcing users to think up a password within a few seconds or minutes when logging in (when their mind is set to get their oh so urgent work done) will get the users into an uncooperative mood and probably *reduce* the security of your system. 
One way to do password aging is to remember when a user's password was changed last (you do keep track of the changes in /etc/passwd anyway, don't you?) and send them a warning message when the password is getting stale (whenever this is based on your policy). Then, if they don't change their password within some specified time (e.g. 2 weeks), disable their account. You might want to use something like passwd+ or npasswd to check the `quality' of passwords entered by users. This may (or may not) improve the security of your site more than any aging scheme. Of course, your mileage may vary. \Bernhard. From firewalls-owner Fri May 20 11:28:51 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id LAA27192; Fri, 20 May 1994 11:28:51 GMT Received: from gate.ggr.co.uk by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id EAA27185; Fri, 20 May 1994 04:28:43 -0700 Received: from mailhub.ggr.co.uk by gate.ggr.co.uk; Fri, 20 May 1994 12:28:06 +0100 Received: from uk0x04 by mailhub.ggr.co.uk; Fri, 20 May 1994 12:24:13 +0100 Received: by uk0x04 (8.6.8.1/imd160294) id MAA27197; Fri, 20 May 1994 12:28:43 +0100 Date: Fri, 20 May 1994 12:28:42 +0100 (BST) From: Ian Dunkin Subject: Re: How secure is Vax VMS Sites as opposed to Unix Sites..... To: "Daniel C. Lanzi" cc: firewalls@GreatCircle.COM In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk On Thu, 19 May 1994, Daniel C. Lanzi wrote: > IMHO, VMS/IP is more secure that UNIX/IP because: [...] > 2. There seem to be far more UNIX Bad Guys on the Internet than VMS > Bad Guys. The probability of being hacked is probably lower if > you use VMS. The absolute numbers may be different, but there certainly are `bad guys' out there with a partiality for VMS systems. 
Remember the large-scale penetration of the NASA `SPAN' network's VMS systems in 1987 by some German VMS enthusiasts (see RISKS 5.64 if you don't). I. -- Ian Dunkin -- From firewalls-owner Fri May 20 12:11:57 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA27363; Fri, 20 May 1994 12:11:57 GMT Received: from kelvin.aspentec.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id FAA27357; Fri, 20 May 1994 05:11:51 -0700 Received: from hubble.aspentec.com by kelvin.aspentec.com (MX V3.4-Beta-3 AXP) with SMTP; Fri, 20 May 1994 08:12:25 EDT Date: Fri, 20 May 1994 08:10:24 -0400 (EDT) From: "Fred R. Ziegler" Subject: Re: Netcure.zip To: Nathaniel Lawson CC: Firewalls@GreatCircle.COM In-Reply-To: <9405200321.AA10956@kilby.elee.calpoly.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk yes... please send me a copy. Thanks! fred ---- Fred R. Ziegler Email: Aspen Technology, Inc. tel: +1-617-577-0100 x262 Ten Canal Park fax: +1-617-577-0303 Cambridge, Ma. 02141-2201 telex: 948-038(ASPEN TECH) U.S.A. http://www.aspentec.com/~ziegler/ Internet Society Member (#1315080) since Feb 1992 On Thu, 19 May 1994, Nathaniel Lawson wrote: > Sorry to interrupt, but is there anyone that wanted a copy of NetCure.Zip? > It is a network analysis tool that shows percentages of packets from which > host and other statistical facts. I will send a uuencoded copy to anyone > who requests it. I think I didn't fill two requests because of some system > problems. 
> > -Nate > > From firewalls-owner Fri May 20 15:02:55 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA28171; Fri, 20 May 1994 15:02:55 GMT Received: from elvis.cs.UMD.EDU by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id IAA28165; Fri, 20 May 1994 08:02:48 -0700 Received: from localhost by elvis.cs.UMD.EDU (8.6.5/UMIACS-0.9/04-05-88) id LAA21682; Fri, 20 May 1994 11:03:47 -0400 Date: Fri, 20 May 1994 11:03:17 -0400 (EDT) From: John Subject: Re: Netcure.zip To: Nathaniel Lawson cc: Firewalls@GreatCircle.COM In-Reply-To: <9405200321.AA10956@kilby.elee.calpoly.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk On Thu, 19 May 1994, Nathaniel Lawson wrote: > Sorry to interrupt, but is there anyone that wanted a copy of NetCure.Zip? > It is a network analysis tool that shows percentages of packets from which > host and other statistical facts. I will send a uuencoded copy to anyone > who requests it. I think I didn't fill two requests because of some system > problems. I just recently joined the list, what type of operating system does NetCure apply to? ------------------------------------------------------------------------------- John | To err is human... lgas@cs.umd.edu | ...to forgive is not University policy. 
------------------------------------------------------------------------------- WWW URL -> http://deep13.cs.umd.edu/~lgas/ From firewalls-owner Fri May 20 18:34:43 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id SAA28880; Fri, 20 May 1994 18:34:43 GMT Received: from hac2arpa.hac.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id LAA28873; Fri, 20 May 1994 11:34:20 -0700 From: NAKAMURA@eden.hac.com Received: from eden.hac.com by hac2arpa.hac.com (4.1/SMI-DDN) id AA26678; Fri, 20 May 94 11:33:51 PDT Received: from eden.HAC.COM by eden.HAC.COM (PMDF #2669 ) id <01HCK6X2DGVG8XD8WE@eden.HAC.COM>; Fri, 20 May 1994 11:33:44 PST Date: 20 May 1994 11:33:43 -0800 (PST) Subject: Texture? To: firewalls@greatcircle.com Message-Id: <01HCK6X2DGVI8XD8WE@eden.HAC.COM> X-Vms-To: IN%"firewalls@greatcircle.com" X-Vms-Cc: NAKAMURA Mime-Version: 1.0 Content-Transfer-Encoding: 7BIT Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Someone mentioned that there was a Mosaic related security product called Texture(?) from Amdahl(?). Can someone provide more info? Tom Nakamura Hughes Aircraft nakamura@eden.hac.com From firewalls-owner Fri May 20 20:03:52 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA29209; Fri, 20 May 1994 20:03:52 GMT Received: from rocket by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA29203; Fri, 20 May 1994 13:03:32 -0700 Received: from grumpy.spcot (grumpy.sanders.com) by rocket (SPCOT.6) id AA00756; Fri, 20 May 94 16:03:37 EDT Received: by grumpy.spcot (4.1/SMI-4.1) id AA10721; Fri, 20 May 94 16:03:32 EDT Message-Id: <9405202003.AA10721@grumpy.spcot> To: Ian Dunkin Cc: Dean Krafft , firewalls@greatcircle.com, streeter@sanders.com Subject: Re: X through a firewall In-Reply-To: Your message of "Wed, 16 Mar 1994 19:29:51 GMT." 
Date: Fri, 20 May 1994 16:03:30 -0400 From: Ken Streeter Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Ian writes: > On Wed, 16 Mar 1994, Dean Krafft wrote: > > > I am also thinking of using the > > DEC CRL Xforward program to handle our need for running remote > > X clients. > > > I have heard that there are problems with using Xforward on SUN > > systems (connections don't get made reliably, etc.). Does anyone > > have any experience with this? > > Yes. Change line 502 from: > inet_ntoa(dummy.sin_addr.s_addr)); > ..to: > inet_ntoa(dummy.sin_addr)); > > ..or you'll find that the xforward bombs if it receives _any_ disallowed > connections. This is probably what you've heard about. > We have it in use on SUN systems (customised, trivially, yet further, to > allow users to fire up their forwarders from their home systems) with no > problems, after extensive use. I'd recommend it. Would you will be willing to share your changes with me? I've been using it for a short time on Suns, and am looking to possibly make further modifications which take the desired screen # (port#) as input, etc. I would be interested in seeing the changes you've already made. --ken Kenneth B. 
Streeter | ARPA: streeter@sanders.com Lockheed Sanders | UUCP: ...!uunet!sanders.com!streeter PTP2-A001 | 65 River Road | Voice: (603) 885-9604 Hudson, NH 03051 | Fax: (603) 885-0631 From firewalls-owner Fri May 20 21:52:03 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA29510; Fri, 20 May 1994 21:52:03 GMT Received: from callisto.eci-esyst.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA29504; Fri, 20 May 1994 14:51:56 -0700 Received: from gorgon.ESYSTEMS ([191.254.10.111]) by callisto.eci-esyst.com (4.1/SMI-4.1) id AA15758; Fri, 20 May 94 17:48:02 EDT Date: Fri, 20 May 94 17:48:02 EDT From: sdeb@callisto.eci-esyst.com (Steve Eason) Message-Id: <9405202148.AA15758@callisto.eci-esyst.com> To: firewalls@GreatCircle.com Subject: Off the subject a bit - but I need some help... Cc: drfc@qmgate.eci-esyst.com Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk I have a need for some input that is somewhat related to firewalls. It has to do with E-mail itself. There are some individuals within our company that contend that the probability of a security breach from the Internet is proportional to the number of users that have access to Internet via E-mail. While they have mgmt's ear, they do not have any technical data to support their charges. I need some practical input to refute this. Does any company out there limit the number of users that have access to Internet E-mail for security reasons? If yes, then what exactly are these security issues and how are they related to the number of users that can send or receive E-mail? Are these problems rectified by a properly set up firewall, mail relayer and/or packet filtering router? Any help would be greatly appreciated! =============================================================== S.D.Eason, Engineer | "And whatsoever ye do, do it E-Systems, ECI Division | heartily, as to the Lord, and 1501 72nd Street North | and not unto men..." St. 
Pete, Florida 33710 | Colossians 3:23 --------------------------------------------------------------- E-mail : sdeb@eci-esyst.com | Phone : (813)381-2000 X2124 =============================================================== From firewalls-owner Fri May 20 22:13:58 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id WAA29619; Fri, 20 May 1994 22:13:58 GMT Received: from colossus.apple.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA29613; Fri, 20 May 1994 15:13:51 -0700 Received: from [129.38.12.6] by colossus.apple.com with SMTP (5.65/8-Oct-1993-eef) id AA02635; Fri, 20 May 94 15:13:19 -0700 Received: by entropy.ibmoto.com id AA23914 (5.65c/IDA-1.5 for Firewalls@GreatCircle.COM); Fri, 20 May 1994 17:10:47 -0500 From: Keith Pyle Message-Id: <199405202210.AA23914@entropy.ibmoto.com> Subject: Security hole in AIX rlogin To: Firewalls@GreatCircle.COM Date: Fri, 20 May 1994 17:10:46 -0500 (CDT) X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 718 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk There is a security hole in the rlogin, and possibly telnet, capabilities on IBM's AIX. News of this vulnerability is now circulating on the net. Through this hole, it is possible for any user to gain access to an AIX system as any user with no password. This includes root. The method is extremely simple and involves only a variation of the normal rlogin syntax. My information is that IBM is working on an emergency patch for the problem. Until the patch is available, you may wish to disable rlogin, and possibly telnet, for any AIX system of significance to you. The IBM APAR is IX44254. 
-- Keith Pyle Project Manager, Systems/Network Engineering Motorola Somerset PowerPC Design Center keith@ibmoto.com From firewalls-owner Fri May 20 22:24:11 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id WAA29667; Fri, 20 May 1994 22:24:11 GMT Received: from brazos.is.rice.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA29659; Fri, 20 May 1994 15:24:01 -0700 Received: by brazos.is.rice.edu (AA28036); Fri, 20 May 94 17:25:11 CDT From: bmanning@is.rice.edu (William Manning) Message-Id: <9405202225.AA28036@brazos.is.rice.edu> Subject: Re: Off the subject a bit - but I need some help... To: sdeb@callisto.eci-esyst.com (Steve Eason) Date: Fri, 20 May 1994 17:25:11 -0500 (CDT) Cc: firewalls@greatcircle.com, drfc@qmgate.eci-esyst.com In-Reply-To: <9405202148.AA15758@callisto.eci-esyst.com> from "Steve Eason" at May 20, 94 05:48:02 pm X-Mailer: ELM [version 2.4 PL22] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 514 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Steve Eason > > the probability of a security breach from the Internet is proportional to > the number of users that have access to Internet via E-mail. Sure. The more people read, the better informed they are. From a truly pessimistic view, if all they have is email, then they will read about and implement tools to get the services they need/desire. But this assumes an internal problem only. The way you word the query, you are just as vulnerable from external attack. 
-- Regards, Bill Manning From firewalls-owner Fri May 20 22:52:31 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id WAA29865; Fri, 20 May 1994 22:52:31 GMT Received: from shadow.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA29859; Fri, 20 May 1994 15:52:23 -0700 Received: (cklaus@localhost) by shadow.net (8.6.8.1/jc-1.0) id SAA16511; Fri, 20 May 1994 18:51:38 -0400 From: Christopher Klaus Message-Id: <199405202251.SAA16511@shadow.net> Subject: Re: Security hole in AIX rlogin To: keith@ibmoto.com (Keith Pyle) Date: Fri, 20 May 94 18:51:37 EDT Cc: Firewalls@GreatCircle.COM In-Reply-To: <199405202210.AA23914@entropy.ibmoto.com>; from "Keith Pyle" at May 20, 94 5:10 pm X-Mailer: ELM [version 2.3 PL0] Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > > There is a security hole in the rlogin, and possibly telnet, > capabilities on IBM's AIX. News of this vulnerability is now > circulating on the net. Through this hole, it is possible for any user > to gain access to an AIX system as any user with no password. This > includes root. The method is extremely simple and involves only a > variation of the normal rlogin syntax. > > My information is that IBM is working on an emergency patch for the > problem. > > Until the patch is available, you may wish to disable rlogin, and > possibly telnet, for any AIX system of significance to you. This will have no effect. You want to disable rlogind, not rlogin. I tested the hole and it is only effective in rlogind. An emergency patch is probably a good idea since someone who has found out about it has decided to give one week before posting it on usenet. The sad thing is this hole has been known for quite some time. -- Christopher William Klaus Internet Security Systems, Inc. 2209 Summit Place Drive, Atlanta,GA 30350-2430. (404)998-5871. 
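Klaus's correction is the operative one: the hole is in the daemon that inetd spawns for the "login" service, so the mitigation is to stop inetd from offering it (Keith Pyle's follow-up later in this thread spells out the /etc/inetd.conf edit). The script below is an added example, not code from this list or from IBM. It parses an inetd.conf, comments out the entries for a set of service names, and then checks by server program rather than by service name that no remaining entry still launches rlogind. The inetd.conf text is constructed for the example. Two caveats: the edit does nothing until inetd re-reads the file (a restart, since Keith reports a HUP is not always enough on AIX), and rlogind processes already running are unaffected either way.

```python
"""Disable inetd services and verify the result (added example; constructed data).

inetd.conf entries have the form:
  service  socket_type  protocol  wait|nowait  user  server_program  arguments
"""
import os

# Constructed sample, not taken from any real AIX host.
SAMPLE_INETD_CONF = """\
# inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root    /usr/sbin/ftpd      ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/telnetd   telnetd
shell   stream  tcp  nowait  root    /usr/sbin/rshd      rshd
login   stream  tcp  nowait  root    /usr/sbin/rlogind   rlogind
exec    stream  tcp  nowait  root    /usr/sbin/rexecd    rexecd
#tftp   dgram   udp  wait    nobody  /usr/sbin/tftpd     tftpd -n
"""

FIELDS = ("service", "socket_type", "protocol", "wait", "user", "server", "args")


def parse_inetd_conf(text):
    """Return the enabled entries as dicts; blank lines and comments are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, len(FIELDS) - 1)
        if len(parts) < 6:  # the arguments column may be absent; the first six may not
            raise ValueError("line %d: malformed inetd.conf entry: %r" % (lineno, raw))
        parts += [""] * (len(FIELDS) - len(parts))
        entry = dict(zip(FIELDS, parts))
        entry["lineno"] = lineno
        entries.append(entry)
    return entries


def disable_services(text, services):
    """Comment out every enabled entry whose service name is in `services`.

    Returns (new_text, names_disabled). Only the text changes: inetd must still
    be told to re-read it, and child daemons already running are not affected.
    """
    out, disabled = [], []
    for raw in text.splitlines(keepends=True):
        stripped = raw.strip()
        if stripped and not stripped.startswith("#"):
            name = stripped.split(None, 1)[0]
            if name in services:
                out.append("#" + raw)
                disabled.append(name)
                continue
        out.append(raw)
    return "".join(out), disabled


def enabled_service_names(text):
    return {e["service"] for e in parse_inetd_conf(text)}


def programs_still_offered(text, programs):
    """Which of `programs` (basenames such as 'rlogind') some enabled entry still
    launches. Checking the server column catches an entry that offers the same
    daemon under a different service name, which a check by name would miss."""
    offered = {os.path.basename(e["server"]) for e in parse_inetd_conf(text)}
    return offered & set(programs)


if __name__ == "__main__":
    new_conf, gone = disable_services(SAMPLE_INETD_CONF, {"login"})
    print("disabled:", gone)
    print("rlogind still offered:", programs_still_offered(new_conf, {"rlogind"}))
```

In practice you would run `disable_services` over the real file, write the result back, restart inetd, and then run `programs_still_offered` on the file as written to confirm no entry under any service name still points at rlogind.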
From firewalls-owner Sat May 21 04:00:48 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id EAA00935; Sat, 21 May 1994 04:00:48 GMT Received: from apple.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA00928; Fri, 20 May 1994 21:00:40 -0700 Received: from [129.38.12.6] by apple.com with SMTP (5.61/8-Oct-1993-eef) id AA24735; Fri, 20 May 94 21:01:57 -0700 for firewalls@greatcircle.com Received: by entropy.ibmoto.com id AA25344 (5.65c/IDA-1.5 for firewalls@greatcircle.com); Fri, 20 May 1994 23:01:52 -0500 From: Keith Pyle Message-Id: <199405210401.AA25344@entropy.ibmoto.com> Subject: Re:Security hole in AIX rlogin To: firewalls@greatcircle.com Date: Fri, 20 May 1994 23:01:51 -0500 (CDT) X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 2181 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk I have received a few messages in response to my earlier message to this list concerning the security exposure in the AIX rlogin capability. I will try to respond to these messages via the information below. To be precise, I believe the problem is in the login program in AIX and is due to an undocumented option which permits normal authentication to be completely bypassed. This problem can be exercised by using a particular syntax with the rlogin command. It may be possible to exercise it via other means, although I have no direct proof of this at this time. When rlogin is used in the manner referenced above, anyone who can reach the rlogind on a target AIX system can access any account which permits remote access. No password is required. Both local and NIS accounts are vulnerable, including root. There are methods by which you may be able to secure such an AIX system. You may disable rlogin access. You may do this by filtering on your router if this is appropriate to your specific configuration. 
You may disable rlogind by commenting out the "login...rlogind" line in /etc/inetd.conf, killing inetd, and restarting it (using kill -HUP does not seem to be sufficient on all levels of AIX, particularly if a rlogind is running). You may disable remote access on all accounts on all of your AIX systems. The truly paranoid may choose to do all of these and more. The information above is a summary of that which I have received to date. I have verified that the security exposure is real and that it affects multiple revision levels of AIX. I was personally able to access any account I selected on multiple systems at my site. Members of my staff, working with another site, were able to access multiple accounts at that site. Several users at my site reported getting and/or seeing messages on the net describing the exposure. We have since taken measures to limit our vulnerability. If you are concerned about this problem, I suggest that you contact IBM AIX Support and request assistance and/or information, contact CERT, etc. 
-- Keith Pyle Project Manager, Systems/Network Engineering Motorola Somerset PowerPC Design Center keith@ibmoto.com From firewalls-owner Sat May 21 05:55:09 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id FAA01185; Sat, 21 May 1994 05:55:09 GMT Received: from nntp.netcom.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id WAA01179; Fri, 20 May 1994 22:55:01 -0700 Received: from [192.187.163.65] by nntp.netcom.com (8.6.4/SMI-4.1) id WAA07640; Fri, 20 May 1994 22:56:20 -0700 Message-Id: <199405210556.WAA07640@nntp.netcom.com> X-Sender: ghall@netcom.com (Unverified) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 20 May 1994 22:55:50 -0800 To: Firewalls@GreatCircle.COM From: ghall@netcom.com (George Hall) Subject: Subscription to Firewalls Mailing list Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Please place me on your mailing list for issues of Firewalls. What is its frequency of circulation and when can I expect to see my first issue? ================= "Knowledge is good" George Hall ghall@netcom.com ================= From firewalls-owner Sat May 21 18:09:09 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id SAA03453; Sat, 21 May 1994 18:09:09 GMT Received: from rambone.psi.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id LAA03447; Sat, 21 May 1994 11:09:01 -0700 Received: by rambone.psi.net (4.1/SMI-4.1.3-PSI) id AA20292; Sat, 21 May 94 14:05:38 EDT Received: from belegost.aule-tek (belegost.ARPA) by aule-tek.com (4.1/3.2.083191-Aule-Tek/Camber-Roth) id AA29979; Sat, 21 May 94 13:45:09 EDT Received: by belegost.aule-tek (5.0/SMI-SVR4) id AA05556; Sat, 21 May 1994 13:43:04 +0500 Date: Sat, 21 May 1994 13:43:04 +0500 From: jonesmd@aule-tek.com (Mike Jones) Message-Id: <9405211743.AA05556@belegost.aule-tek> To: sdeb@callisto.eci-esyst.com Subject: Re: Off the subject a bit - but I need some help... 
Cc: firewalls@GreatCircle.COM X-Sun-Charset: US-ASCII Content-Length: 2730 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Steve Eason writes... > There are some individuals within our company that contend that the > probability of a security breach from the Internet is proportional to > the number of users that have access to Internet via E-mail. While they > have mgmt's ear, they do not have any technical data to support their > charges. I need some practical input to refute this. > Does any company out there limit the number of users that have access > to Internet E-mail for security reasons? If yes, then what exactly are > these security issues and how are they related to the number of users > that can send or receive E-mail? Are these problems rectified by a > properly set up firewall, mail relayer and/or packet filtering router? First off, could you please limit your line length to about 72 or so? Thanks. As for the main problem, I have a few bits of information that may be useful to you. First, there are a lot of people who can interchange email with "the Internet" but who don't have fulltime connections and hence can't telnet, rlogin, etc. I, for instance, am one of those at the moment. We get email through a traditional uucp arrangement with PSI and arrange "jonesmd@aule-tek.com" addressing through the magic of MX records. PSI also offers a service to PC users which gets them both mail and news via a download/offline reader arrangement. Thus, the number of people who can email you has only a tenuous connection to the number of people who (physically) have the opportunity to hack you. A number of companies do limit Internet access in various ways. I can tell you from personal experience that both IBM and Sun do, for instance. You can exchange email with virtually anyone inside IBM at this point, but only a very small fraction of those people have the ability to ftp or rlogin outside of the company. 
Sun is a bit more open, but any external connections must go through a restricted gateway machine which would, at minimum, make it much easier to track any hacking attempts from inside Sun. Your average Sun employee is bright enough to realize this and therefore is *extremely* unlikely to go hacking through this avenue (which is not to imply that the average Sun employee goes hacking at all). You can do *a lot* to protect yourself with a properly configured firewall setup. Perhaps your best avenue of attack is to present to your management a realistic assessment of the risks, and then point out the advantages and tell them that the technology shouldn't make this anything other than a straightforward cost/benefit business decision. Mike Jones | jonesmd@aule-tek.com You cannot stand like Clemente, throw like Clemente, be like Clemente, when you are Ruben Sierra. - Texas Rangers coach Tom House From firewalls-owner Sun May 22 20:14:49 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA08040; Sun, 22 May 1994 20:14:49 GMT Received: from gossip.pyramid.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA08034; Sun, 22 May 1994 13:14:39 -0700 Received: from sword.eng.pyramid.com by gossip.pyramid.com (5.61/OSx5.1a Pyramid-Internet-Gateway) id AA27773; Sun, 22 May 94 13:16:34 -0700 Received: by sword.eng.pyramid.com (5.61/Pyramid_Internal_Configuration) id AA06358; Sun, 22 May 94 13:17:09 -0700 From: pauld@pyramid.com (Paul Daw) Message-Id: <9405222017.AA06358@sword.eng.pyramid.com> Subject: Re: Off the subject a bit - but I need some help... 
To: Firewalls@GreatCircle.COM Date: Sun, 22 May 94 13:17:09 PDT In-Reply-To: <199405210800.BAA01726@mycroft.GreatCircle.COM>; from "Firewalls-Digest-Owner@GreatCircle.COM" at May 21, 94 1:00 am X-Mailer: ELM [version 2.3 PL11] Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk >From: sdeb@callisto.eci-esyst.com (Steve Eason) >Date: Fri, 20 May 94 17:48:02 EDT >Subject: Off the subject a bit - but I need some help... > >I have a need for some input that is somewhat related to firewalls. It >has to do with E-mail itself. > >There are some individuals within our company that contend that the >probability of a security breach from the Internet is proportional to >the number of users that have access to Internet via E-mail. While they >have mgmt's ear, they do not have any technical data to support their >charges. I need some practical input to refute this. > >Does any company out there limit the number of users that have access >to Internet E-mail for security reasons? If yes, then what exactly are >these security issues and how are they related to the number of users >that can send or receive E-mail? Are these problems rectified by a >properly set up firewall, mail relayer and/or packet filtering router? First, what do these people mean by "security breach"? Most of us on the firewalls mailing list are concerned with unauthorized intrusion into our networks and machines via the Internet. In this regard, Email (and I'm talking the *content* of messages sent out over the Internet) has little bearing, assuming that the messages sent don't tell the world about a vulnerability on your firewall. History shows that the message transport agent that is used to receive and deliver Email is more of a concern than the content of the messages themselves. Second, limiting electronic mail access to the Internet for *some* people would be a difficult exercise. 
You could segregate those people by the machine that they work on, and even then, I could probably spoof a hapless sendmail daemon somewhere, and get my mail out anyway. In many cases, management *is* concerned that employees will divulge sensitive or proprietary information via email. They feel the same way about someone using anonymous FTP to put sensitive information in the hands of the enemy as well. This is a valid concern, but it is somewhat myopic. Information leaks have been around a lot longer than email or ftp. This is an issue of ethics, not technology. If anyone at Pyramid insists that the Internet connection makes it too easy for someone to steal code from Pyramid, I just reach for the nearest 8mm tape, drop it into my briefcase, and smile! :-) pauld@pyramid.com From firewalls-owner Mon May 23 03:33:05 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id DAA09274; Mon, 23 May 1994 03:33:05 GMT Received: from bronze.lcs.mit.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA09268; Sun, 22 May 1994 20:32:58 -0700 Received: by bronze.lcs.mit.edu id AA20943; Sun, 22 May 94 23:34:18 EDT Date: Sun, 22 May 94 23:34:18 EDT From: hobbit@bronze.lcs.mit.edu (*Hobbit*) Message-Id: <9405230334.AA20943@bronze.lcs.mit.edu> To: firewalls@greatcircle.com Subject: kerberized telnet Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk I've used the FTP product [I used to work there]. It works, but you need to build the kerberized telnetd for the server side of any machine you want "protected" AND have a kerberos server available to serve both ends. It's a biggish and expensive project. It took forever to even get a testing environment for it working right. Your time would probably be better spent playing with s/key. 
_H* From firewalls-owner Mon May 23 04:10:43 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id EAA09483; Mon, 23 May 1994 04:10:43 GMT Received: from scopus.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA09476; Sun, 22 May 1994 21:10:35 -0700 Received: from zion.corporate (BIF.CENDATA.COM) by scopus.com (4.1/SMI-4.1) id AA29630; Sun, 22 May 94 21:09:02 PDT Date: Sun, 22 May 94 21:09:01 PDT From: girish@scopus.com (Girish Pradhan) Message-Id: <9405230409.AA29630@scopus.com> To: firewalls@GreatCircle.COM Subject: Network Sniffer Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk I have a basic question - Can a sniffer trace packets on different subnets ? If so can anybody shed some light as to which would be a better buy for less $$ or any free-ware software that can do the same. Any help will be appreciated. Thanks Girish S Pradhan (girish@scopus.com) From firewalls-owner Mon May 23 03:41:12 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id IAA10816; Mon, 23 May 1994 08:57:40 GMT Received: from apollo.is.co.za by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id BAA10810; Mon, 23 May 1994 01:57:24 -0700 Received: by apollo.is.co.za (5.0/SMI-SVR4) id AA22802; Mon, 23 May 94 10:58:42 GMT Date: Mon, 23 May 94 10:58:42 GMT From: andras@apollo.is.co.za (Andras Salamon) Message-Id: <9405230858.AA22802@apollo.is.co.za> To: Firewalls@GreatCircle.COM Subject: kerberized telnet Content-Length: 1015 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > From: hobbit@bronze.lcs.mit.edu (*Hobbit*) > Date: Sun, 22 May 94 23:34:18 EDT > > I've used the FTP product [I used to work there]. It works, but you need to > build the kerberized telnetd for the server side of any machine you want > "protected" AND have a kerberos server available to serve both ends. It's a > biggish and expensive project. 
It took forever to even get a testing > environment for it working right. How about using the SRA extended telnet/ftp package from TAMU? It negotiates a session key by swapping public keys generated from random private/public key pairs and doesn't need kerberos. Works on SunOS 4 and 5, Linux and (as soon as I finish testing my patches) on SGI IRIX 4. Fairly simple to build, though it's really a proof-of-concept prototype at this stage and may not be appropriate in a production environment. > Your time would probably be better spent playing with s/key. That's certainly true if the main concern is password snooping. -- Andras Salamon From firewalls-owner Mon May 23 03:51:08 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA11173; Mon, 23 May 1994 09:21:19 GMT Received: from uniwa.uwa.edu.au by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id CAA11166; Mon, 23 May 1994 02:21:03 -0700 Received: (daemon@localhost) by uniwa.uwa.edu.au (8.6.8/8.6.4) id RAA11650 for Firewalls-Digest@GreatCircle.COM; Mon, 23 May 1994 17:22:05 +0800 Message-Id: <9405230911.AA06424@rhino.qpsx.oz.au> From: davidp@qpsx.oz.au (Firewalls-Digest-Owner) Date: Mon, 23 May 1994 01:00 WAT To: Firewalls-Digest@GreatCircle.COM Subject: Firewalls Digest V3 #157 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Firewalls Digest Monday, 23 May 1994 Volume 03 : Number 157 In this issue: Re: Off the subject a bit - but I need some help... kerberized telnet Network Sniffer See the end of the digest for information on subscribing to the Firewalls or Firewalls-Digest mailing lists and on how to retrieve back issues. ---------------------------------------------------------------------- From: pauld@pyramid.com (Paul Daw) Date: Sun, 22 May 94 13:17:09 PDT Subject: Re: Off the subject a bit - but I need some help... 
>From: sdeb@callisto.eci-esyst.com (Steve Eason)
>Date: Fri, 20 May 94 17:48:02 EDT
>Subject: Off the subject a bit - but I need some help...
>
>I have a need for some input that is somewhat related to firewalls.  It
>has to do with E-mail itself.
>
>There are some individuals within our company that contend that the
>probability of a security breach from the Internet is proportional to
>the number of users that have access to Internet via E-mail.  While they
>have mgmt's ear, they do not have any technical data to support their
>charges.  I need some practical input to refute this.
>
>Does any company out there limit the number of users that have access
>to Internet E-mail for security reasons?  If yes, then what exactly are
>these security issues and how are they related to the number of users
>that can send or receive E-mail?  Are these problems rectified by a
>properly set up firewall, mail relayer and/or packet filtering router?

First, what do these people mean by "security breach"?  Most of us on
the firewalls mailing list are concerned with unauthorized intrusion
into our networks and machines via the Internet.  In this regard, Email
(and I'm talking the *content* of messages sent out over the Internet)
has little bearing, assuming that the messages sent don't tell the world
about a vulnerability on your firewall.  History shows that the message
transport agent that is used to receive and deliver Email is more of a
concern than the content of the messages themselves.

Second, limiting electronic mail access to the Internet for *some*
people would be a difficult exercise.  You could segregate those people
by the machine that they work on, and even then, I could probably spoof
a hapless sendmail daemon somewhere, and get my mail out anyway.

In many cases, management *is* concerned that employees will divulge
sensitive or proprietary information via email.
They feel the same way about someone using anonymous FTP to put
sensitive information in the hands of the enemy as well.  This is a
valid concern, but it is somewhat myopic.  Information leaks have been
around a lot longer than email or ftp.  This is an issue of ethics, not
technology.  If anyone at Pyramid insists that the Internet connection
makes it too easy for someone to steal code from Pyramid, I just reach
for the nearest 8mm tape, drop it into my briefcase, and smile!  :-)

pauld@pyramid.com

------------------------------

From: hobbit@bronze.lcs.mit.edu (*Hobbit*)
Date: Sun, 22 May 94 23:34:18 EDT
Subject: kerberized telnet

I've used the FTP product [I used to work there].  It works, but you need to
build the kerberized telnetd for the server side of any machine you want
"protected" AND have a kerberos server available to serve both ends.  It's a
biggish and expensive project.  It took forever to even get a testing
environment for it working right.

Your time would probably be better spent playing with s/key.

_H*

------------------------------

From: girish@scopus.com (Girish Pradhan)
Date: Sun, 22 May 94 21:09:01 PDT
Subject: Network Sniffer

I have a basic question - Can a sniffer trace packets on different subnets?
If so, can anybody shed some light as to which would be a better buy for
less $$, or any free-ware software that can do the same.

Any help will be appreciated.

Thanks
Girish S Pradhan (girish@scopus.com)

------------------------------

End of Firewalls Digest V3 #157
*******************************

To subscribe to Firewalls-Digest, send the command:

	subscribe firewalls-digest

in the body of a message to "Majordomo@GreatCircle.COM".
If you want to subscribe something other than the account the mail is
coming from, such as a local redistribution list, then append that
address to the "subscribe" command; for example, to subscribe
"local-firewalls":

	subscribe firewalls-digest local-firewalls@your.domain.net

A non-digest (direct mail) version of this list is also available; to
subscribe to that instead, replace all instances of "firewalls-digest"
in the commands above with "firewalls".

Compressed back issues are available for anonymous FTP from
FTP.GreatCircle.COM, in pub/firewalls/digest/vNN.nMMM.Z (where "NN" is
the volume number, and "MMM" is the issue number).

From firewalls-owner Mon May 23 12:08:16 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA11805; Mon, 23 May 1994 12:08:16 GMT
Received: from runner.knoware.nl by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id FAA11798; Mon, 23 May 1994 05:07:05 -0700
Received: by runner.knoware.nl (5.64/A/UX-3.00) id AA18432; Mon, 23 May 94 14:07:11 WET DST
Date: Mon, 23 May 1994 14:05:32 +0100 (WET DST)
From: "J.P. Mante"
Subject: Re: kerberized telnet
To: Andras Salamon
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <9405230858.AA22802@apollo.is.co.za>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

On Mon, 23 May 1994, Andras Salamon wrote:

>
> How about using the SRA extended telnet/ftp package from TAMU?  It
> negotiates a session key by swapping public keys generated from random
> private/public key pairs and doesn't need kerberos.  Works on SunOS 4
> and 5, Linux and (as soon as I finish testing my patches) on SGI IRIX
> 4.  Fairly simple to build, though it's really a proof-of-concept
> prototype at this stage and may not be appropriate in a production
> environment.
>

Sounds like a pretty good concept; could anyone tell me where I could
receive a Linux version?
Thanking in Advance

-Peter

From firewalls-owner Mon May 23 14:47:31 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA12963; Mon, 23 May 1994 14:47:31 GMT
Received: from apollo.is.co.za by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id HAA12957; Mon, 23 May 1994 07:47:23 -0700
Received: by apollo.is.co.za (5.0/SMI-SVR4) id AA28869; Mon, 23 May 94 16:48:45 GMT
Date: Mon, 23 May 94 16:48:45 GMT
From: andras@apollo.is.co.za (Andras Salamon)
Message-Id: <9405231448.AA28869@apollo.is.co.za>
To: Firewalls@GreatCircle.COM
Subject: Re: kerberized telnet
References: <9405230858.AA22802@apollo.is.co.za>
Content-Length: 1036
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

In response to several requests for clarification of the following:

> How about using the SRA extended telnet/ftp package from TAMU?  It
> negotiates a session key by swapping public keys generated from random
> private/public key pairs and doesn't need kerberos.  Works on SunOS 4
> and 5, Linux and (as soon as I finish testing my patches) on SGI IRIX
> 4.  Fairly simple to build, though it's really a proof-of-concept
> prototype at this stage and may not be appropriate in a production
> environment.

David Safford's SRA telnet/ftp package is documented in a paper at the
third Usenix security symposium.  Available as
net.tamu.edu:pub/security/TAMU/sra.ps.gz while sra.README in the same
location also includes a brief description.  Otherwise, the files to get
are srasrc-1.3.tar.gz and (for those in the US) srasrc-des-1.3.tar.gz.
For non-US sites, the sra.README contains pointers to alternative DES
libraries; I used the DES-2.2 from Chalmers with success (though it is
not bugfree).
-- Andras Salamon

From firewalls-owner Mon May 23 16:36:40 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA13873; Mon, 23 May 1994 16:36:40 GMT
Received: from crdems.ge.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA13668; Mon, 23 May 1994 09:05:08 -0700
Received: from crdns.crd.ge.com by crdems.ge.com (5.65/GE 1.77) id AA03828; Mon, 23 May 94 12:02:33 -0400
Received: from alydar.crd.ge.com by crdns.crd.ge.com (5.65/sendmail.ease_1.79(3/22/94)) id AA24841 (crdns.crd.ge.com); Mon, 23 May 94 12:00:31 -0400
Received: from einstein.crd.Ge.Com by alydar.crd.Ge.Com (4.1/SMI-4.0/GE-CRD @(#)sun4.ease1.15 01/12/94) id AA21677; Mon, 23 May 94 12:00:17 EDT
Date: Mon, 23 May 94 12:00:17 EDT
From: barnett@alydar.crd.ge.com (Bruce Barnett)
Message-Id: <9405231600.AA21677@alydar.crd.Ge.Com>
To: Firewalls-Digest@GreatCircle.COM
Subject: Trojan Horse Checker source
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Here is a perl script I wrote that will check your searchpath to see if
you are susceptible to a trojan horse.  Execute it by typing

	perl trojan.pl

I hope this helps some sites...

#! /bin/sh
# This is a shell archive.  Remove anything before this line, then unpack
# it by saving it into a file and typing "sh file".  To overwrite existing
# files, type "sh file -c".  You can also feed this as standard input via
# unshar, or by typing "sh <file -c".
sed "s/^X//" >'trojan.pl' <<'END_OF_trojan.pl'
X##!/bin/sh -- # wish I were -*-Perl-*-
X#eval 'exec perl -S $0 ${1+"$@"}'
X#    if !$$;
X#!/bin/perl
X
X# Look for trojan horses...
X
X# A trojan horse looks like a regular program.
X# however, if you execute it, the program may set up a back door to
X# your account, or modify one of your files, etc.
X#
X# This script reports on the different ways someone can drop a trojan horse
X# in your searchpath.
X#
X# It does not check for set UID or GID programs on your file system,
X# and does not check NFS permissions of directories.
X# It only checks for executables in your searchpath, and reports who and how
X# someone can create a trojan horse.
X#
X# This program also provides a measurement of how vulnerable you are to a
X# trojan horse.
X#
X# Bruce Barnett
X# Copyright 1994 GE
X# All commercial Rights reserved
X#
X# @(#)trojan.pl 1.7 23 May 1994
X#
X# usage:
X#
X#	perl trojan.pl [options]
X#
X# where options are any combination of the following
X#	-b	- brief report.  Don't show reasons or executables
X#	-a	- analyze all files.  Normally when a file is world writable,
X#		  don't check for group or user writable
X#		  the -a means look at all problems, and not the first
X#	-w	- just report on world writable problems (no group or user)
X#	-g	- report on group writable problems ( sets -w, no user)
X#	-u	- report on world, group and user writable problems (Default)
X#	-A	- report all files that cause a problem with a group writable
X#		  permission, not just the first one
X#
X# for debugging purposes, and for more information, try the following options
X#	-v	- verbose
X#	-d	- debug
X#
X# Examples
X#	trojan.pl		- reports world, group and user problems
X#				  shows reasons for problem
X#	trojan.pl -b		- reports world, group and user problems
X#				  Doesn't show reasons
X#	trojan.pl -b -a		- reports world, group and user problems
X#				  Doesn't show reasons
X#				  reports on ALL world, group and user
X#				  writable problems
X#	trojan.pl -b -a -A	- reports world, group and user problems
X#				  Doesn't show reasons
X#				  reports on ALL world, group and user
X#				  writable problems
X#				  Also reports all files that cause group write access
X#
X#
X#	trojan.pl -w		- reports world writable problems and reasons
X#	trojan.pl -g		- reports world + group writable problems and reasons
X
X# you probably want to start with trojan.pl -b
X# and fix some of those problems first
X# If you don't understand why it's a problem, omit the -b option
X
X# A malicious cracker will often use your co-workers accounts
X# as a stepping stone to getting root (or bin, daemon,
X# sys, etc.)
X# access.  Therefore you have to trust that none of the people who
X# could drop a trojan horse in front of you have had their accounts
X# compromised.  If you don't trust them, then don't allow their
X# binaries in your searchpath.
X#
X
X$not_a_csh_script = 0;		# this is used in case someone tries
X				# "csh trojan.pl"
X# command line OPTIONS
X$all = 0;		# print out a more detailed report, (all tests)
X$report_all = 0;	# report all files, not just the first one
X$do_world = 1;		# print out world writable items
X$do_group = 1;		# print out group writable items
X$do_user = 1;		# print out user specific info
X$brief = 0;		# a short report
X
X$verbose=0;		# print more information
X$debug = 0;		#
X
X
X
X# VARIABLES
X$dot = 0;			# have I seen the "." directory in the path yet?
X$programsafterdot = 0;		# how many files were found after the dot?
X$TotalFiles = 0;		# total programs or files found in the $PATH directories
X$FilesAfterGroupWritable = 0;	# files found after a group writable directory found
X$GroupWritableDirectoryFound = 0;	# boolean, true if a group writable directory found
X$FilesAfterWorldWritable = 0;	# files found after a world writable directory found
X$WorldWritableDirectoryFound = 0;	# boolean, true if a world writable directory found
X$world_writable_programs = 0;
X$group_writable_programs = 0;
X$ProgramsInSomeDir = 0;
X
X
X# constants
X
X$SEARCHPATH=1;
X$NOSEARCHPATH=0;
X# PERL variables
X$| = 1;		# write to pipes immediately
X
X$revision = "1.7";		# SCCS fills 1.7 in
X$program = "trojan.pl";		# SCCS fills trojan.pl in
Xif ($program =~ /.M./) {	# does it match the trojan.pl SCCS string?
X    $program = "Trojan";	# yes, fill in the name of the program
X}
Xif ($revision =~ /%/) {		# is '%' part of the revision
X    $beta = 1;			# A beta version
X} else {
X    $beta = 0;
X}
X
Xprintf("%s, %s, a study in trust...\n",
X    $program,
X    $beta ?
X	"Beta release" : "Revision $revision");
X&getswitches();
X&main();
X&report();
Xexit 0;
X
X# --- SUBROUTINES ---
X
Xsub getswitches {
X    $FIRST = $[;
X# parse command line arguments
X    while ($ARGV[$FIRST] =~ /^-/) {
X#	0 && printf("checking option %s\n", $ARGV[$FIRST]);
X# verbose
X	$ARGV[$FIRST] =~ /^-v/ && ($verbose++,shift(@ARGV),next);
X# debug flag
X	$ARGV[$FIRST] =~ /^-d/ && ($debug++,shift(@ARGV),next);
X# all flag
X	$ARGV[$FIRST] =~ /^-a/ && ($all++,shift(@ARGV),next);
X# report_all flag
X	$ARGV[$FIRST] =~ /^-A/ && ($report_all++,shift(@ARGV),next);
X# brief flag
X	$ARGV[$FIRST] =~ /^-b/ && ($brief++,shift(@ARGV),next);
X# -w flag
X	$ARGV[$FIRST] =~ /^-w/ && ($do_world++,$do_group = 0, $do_user = 0,shift(@ARGV),next);
X# -g flag
X	$ARGV[$FIRST] =~ /^-g/ && ($do_world++,$do_group++, $do_user = 0,shift(@ARGV),next);
X# -u flag
X	$ARGV[$FIRST] =~ /^-u/ && ($do_world++,$do_group++, $do_user++,shift(@ARGV),next);
X	last;
X
X    }
X}
Xsub main {
X    &getusers();
X    &getgroups();
X    &dotrojans();
X}
Xsub dotrojans {
X    &checkrootdir();
X    @dirs = split(/:/,$ENV{'PATH'});
X    foreach $dir (@dirs) {
X	$debug && $verbose && printf("%s: \n",$dir);
X	$reason = "$dir is in your searchpath";
X	if ($dir eq ".") {
X	    $dot++;
X	    $dir = `pwd`;
X	    chop $dir;
X	}
X	if ( -l $dir) {
X	    $link = readlink($dir);
X	    $debug && printf("$dir points to $link\n");
X	    $reason .= " AND $dir -> $link";
X	    if ($link !~ /^\// ) {
X		# a relative link
X		$link = &resolve($dir,$link);
X		$reason .= " ($link) ";
X	    }
X	    &checkupdir($link,$reason,$SEARCHPATH);
X	    while ( -l $link ) {
X		$oldlink = $link;
X		$link = readlink($oldlink);	#
X		if ($link !~ /^\// ) {
X		    # a relative link - resolve it against the link we just
X		    # followed, so the next -l test sees an absolute path
X		    $link = &resolve($oldlink,$link);
X		    $reason .= " ($link) ";
X		}
X		$reason .= "$oldlink -> $link AND";
X		&checkupdir($link,$reason,$SEARCHPATH);
X	    }
X	    if ( -d $link ) {
X		&checkdir($link, $reason);
X		&checkupdir($link,$reason,$SEARCHPATH);
X		&checkexecsindir($link, $reason);
X
X
X	    }
X	} elsif ( -d $dir ) {
X	    &checkdir($dir, $reason);
X
X	    &checkupdir($dir,$reason,$SEARCHPATH);
X	    &checkexecsindir($dir, $reason);
X	}
X
X    }
X}
Xsub checkdir {
X    # check the directory itself - it was in the searchpath
X    local($dir, $reason) = @_;
X    # does the directory exist?
X    if ( -l $dir ) {
X	printf(STDERR "ERROR: I am testing $dir and it is a link.\n");
X    } elsif ( -d $dir ) {
X	&testdir($dir,$reason);
X    } else {
X	printf(STDERR "Missing Directory in searchpath : %s\n", $dir);
X    }
X}
Xsub testdir {
X    # check the directory itself
X    local($dir,$reason) = @_;
X    local($hit) = 0;
X    # does the directory exist?
X    ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,
X     $size,$atime,$mtime,$ctime,$blksize,$blocks) = stat($dir);
X    if ($mode & 002) {
X	$hit = 1;
X	$WorldWritableDirectoryFound = 1;
X	&addworld_directory("$reason AND $dir is WORLD writable", $dir);
X    }
X    # if group writable AND (not world writable or all)
X    if ((!$hit || $all) && ($mode & 020)) {
X	$hit = 1;
X	$GroupWritableDirectoryFound = 1;
X	&addgroup_directory($gid,"$reason AND directory $dir is group writable",
X			    $dir);
X    }
X    if (!$hit || $all) {
X	&adduser($uid,"$reason AND directory $dir writable by owner"); # owner can write to directory
X    }
X}
Xsub checkexecsindir {
X    # check each executable in the directory
X    local($dir, $problem) = @_;
X    local($hit);
X    local($program);
X    local($myproblem);
X    $verbose && printf("check execs in dir $dir, reason: $problem\n");
X    opendir(D, $dir) || return 0;
X    while ($file = readdir(D)) {
X	$myproblem = $problem;
X	(($file eq ".") || ($file eq "..")) && next;
X	$TotalFiles++;		# increase number of files found
X	$GroupWritableDirectoryFound && $FilesAfterGroupWritable++;
X	$WorldWritableDirectoryFound && $FilesAfterWorldWritable++;
X	# this is either a file, a directory, or a symbolic link.
X	# if a directory, then don't worry about it.
X	$program = "$dir/$file";
X	# if file, only worry about it if it's executable,
X
X	if ( -l $program) {
X	    # this is a link.  Does it point to a file or to a directory?
X	    # the file in the searchpath is a symbolic link
X	    # if it points to a directory, then check who owns the directory
X	    # it is pointing to
X	    while ( -l $program ) {
X		$link = readlink($program);
X		$myproblem .= " AND $program -> $link";
X		if ($link !~ /^\// ) {
X		    # a relative link
X		    $link = &resolve($program,$link);
X		    $myproblem .= " ($link) ";
X		}
X		$debug && printf("Problem is now: %s, new program is %s\n",
X				 $myproblem, $link);
X		$newdir = $link;
X		$newdir =~ s,/[^/]+$,,;	# remove the executable from the path, and check the directory
X		$debug && printf("YES: The directory to check now is %s\n",
X				 $newdir);
X		&ProgramUsesDir($newdir);
X		&checkupdir($newdir, "$myproblem ", $NOSEARCHPATH);
X		$program = $link;
X	    }
X	    # no longer a link, it might be a file or directory
X	    # get the stat on the final file
X	    ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,
X	     $size,$atime,$mtime,$ctime,$blksize,$blocks) = stat($link);
X	    if (!defined($dev)) {
X		# find where it's pointing
X		!$brief && printf("Warning: symbolic link %s/%s pointing to missing file: %s\n",
X				  $dir,$file, $link);
X		&checkmissingdir($link,$program);
X	    } elsif ( -d $link ) {
X		# a symbolic link points to a directory.
X		# this is only a problem if the directory pointing to is inside
X		# a directory that can be modified
X		$verbose && printf("\n$dir/$file points to directory $link\n");
X		$newdir = $link;
X		$newdir =~ s,/[^/]+$,,;
X		$verbose && printf("HEY: $link is a directory, and $newdir should be checked\n");
X		&checkupdir($newdir, "$dir/$file -> $link AND ",$NOSEARCHPATH);
X	    } else {
X#		printf("$program points to file $link\n");
X		$hit = 0;
X
X		if ($mode & 0111) {	# is this file executable?
X		    # world writable target: report it and remember the hit
X		    ($mode & 002) && ($hit = 1) && &addworld_file("$dir/$file -> $link AND $link is WORLD writable", "$dir/$file");
X		    # group writable target, only if nothing worse was found (or -a)
X		    (!$hit || $all) && ($mode & 020) && ($hit = 1) && &addgroup_file($gid,"file $dir/$file -> $link AND $link is group writable", "$dir/$file");
X		}
X		($all || !$hit) && &adduser($uid,"file $dir/$file -> $link modifiable by owner"); # owner can modify the target file, and make it executable if it isn't
X		# also check by going up the tree of the executable
X		$newdir = $link;
X		$newdir =~ s,/[^/]+$,,;
X
X		$debug && printf("YO: link: $link, newdir: $newdir, calling checkupdir\n");
X		&ProgramUsesDir($newdir);
X		&checkupdir($newdir, "$dir/$file -> $link AND ",$NOSEARCHPATH); # did I do this twice?
X	    }
X	    #
X	    # if it is a file, check the permission of the file
X	    #
X	} elsif ( -d "$dir/$file" ) {	# Not a link, maybe a directory?
X	    # yes a directory in our search path.  Does this mean anything?
X	    # I guess not.  We already go up the directory path
X
X	} else {			# not a link or directory - a file
X	    # stat the file
X
X	    &ProgramUsesDir($dir);
X	    &testfile("$dir/$file", "$dir/$file executable in path");
X	}
X    }
X    closedir(D);		# D was opened with opendir, so close it with closedir
X}
X
Xsub testfile {
X    local($file,$reason) = @_;
X    ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,
X     $size,$atime,$mtime,$ctime,$blksize,$blocks) = stat($file);
X    $hit = 0;
X    if ($mode & 0111) {		# is this file executable?
X#	printf("Executable $dir/$file seen\n");
X	# increase the number of programs seen
X	# if the "."
X	# directory has been seen, then
X	# this program can be trojanized
X	$dot && $programsafterdot++;
X
X	if ($mode & 002) {
X	    # world writable
X	    $hit = 1;
X	    &addworld_file("$reason AND $file is WORLD writable", "$file");
X	}
X	# if group writable AND (not world writable or all)
X	if ((!$hit || $all) && ($mode & 020)) {
X	    $hit = 1;
X	    &addgroup_file($gid,"$reason AND file $file is group writable", "$file");
X	}
X    }
X    # it doesn't matter if the file is executable or not,
X    # the owner can make it executable
X    ($all || !$hit) && &adduser($uid,"$reason AND file $file modifiable by owner");
X}
X
X
Xsub adduser {
X    local($user,$dir) = @_;
X    if (defined($user{$user})) {
X	if ($report_all) {
X	    ($user != "0" && $user != $< ) && printf("user %s can do it because of %s\n", $user, $dir);
X	} else {
X	    $debug && $verbose && printf("user %s can do it because of %s\n", $user, $dir);
X	}
X
X	# add it to the list
X	$user{$user} .= "\n$dir";
X	$usercount{$user}++;
X
X    } else {
X	$user{$user} = $dir;
X	$usercount{$user} = 1;
X	$verbose && printf("user %s can do it because of %s\n", $user, $dir);
X    }
X}
Xsub addgroup_directory {
X    local($gid,$reason,$dir) = @_;
X#    $GroupWritableDirectoryFound = 1;
X    if (!defined($group_writable{$dir})) {
X	&addgroup($gid, $reason, $dir);
X	$group_writable{$dir} = 1;
X    } else {
X	$group_writable{$dir}++ ;
X	$verbose && printf("Directory '$dir' found again\n");
X    }
X}
Xsub addgroup_file {
X    local($gid, $reason,$file) = @_;
X    $verbose && printf("Group Writable program, gid: %d, file: %s, reasons: %s\n",
X		       $gid, $file, $reason);
X    $group_writable_programs++;
X    &addgroup($gid, "File $reason", $file);
X}
Xsub addgroup {
X    local($gid,$reason) = @_;
X
X    if (defined($group{$gid})) {
X	if ($report_all) {
X	    $all && printf("group %s can do it because of %s\n", $gid, $reason);
X	} else {
X	    $all && $verbose && printf("group %s can do it because of %s\n", $gid, $reason);
X
X	}
X	# add it to the list
X	$group{$gid} .= "\n$reason";
X	$groupcount{$gid}++;
X    } else {
X
X	$group{$gid} = $reason;
X	$groupcount{$gid} = 1;
X	$verbose && printf("group %s can do it because of %s\n", $gid, $reason);
X    }
X}
Xsub addworld_directory {
X    local($reason,$dir) = @_;
X#    $WorldWritableDirectoryFound = 1;
X    if (!defined($world_writable{$dir})) {
X	&addworld($reason);
X	$world_writable{$dir} = 1;
X    } else {
X	$world_writable{$dir}++ ;
X	$verbose && printf("Directory '$dir' found again\n");
X    }
X}
Xsub addworld_file {
X    local($reason,$file) = @_;
X    $world_writable_programs++;
X    &addworld("File $reason");
X}
Xsub addworld {
X    local($reason) = @_;
X    $reason =~ s/-\>/\n\t\t->/g;
X    $reason =~ s/AND/\n\t\tAND/g;
X    # remember world writable directories
X
X    !$brief && printf("ANYONE can do it because of %s\n", $reason);
X}
Xsub checkupdir {
X    # check the paths leading to the directory
X    local($dir, $reason,$onpath) = @_;
X    # $onpath is true if this directory is on the searchpath, else false
X    if (defined($did_checkup_dir{$dir})) {
X	$debug && printf("already checked updir %s\n", $dir);
X	return 0;		# did it
X    } else {
X	$did_checkup_dir{$dir} = 1;
X    }
X    if ($dir eq "." ) {
X	die " I should not see a dot in $dir while in checkupdir";
X    } elsif ( $dir =~ /^\.\// ) {
X	die " I should not see a ./ in $dir while in checkupdir";
X    } elsif ( $dir =~ /\/\.\.\// ) {
X	die " I should not see a /../ in $dir while in checkupdir";
X    } elsif ( $dir =~ /^\.\.\// ) {
X	die " I should not see a ../ in $dir while in checkupdir";
X    }
X    $verbose && printf("checking up dir %s, reason: %s\n",
X		       $dir, $reason);
X    # $dir is the file we are checking, and $reason is why (i.e.
X    # "a/b -> /c and")
X#    $origfile = $dir;
X    while ($dir ne "") {
X	#remove the last path
X	1 && $verbose && printf("checkupdir: checking %s\n", $dir);
X	if ( -d $dir ) {
X	    ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,
X	     $size,$atime,$mtime,$ctime,$blksize,$blocks) = stat("$dir");
X	    $hit = 0;
X	    if ($mode & 002) {
X		$hit = 1;
X		$onpath && ($WorldWritableDirectoryFound = 1);
X		&addworld_directory("$reason AND $dir is WORLD writable", $dir);
X	    }
X	    # if group writable AND (not world writable or all)
X	    if ((!$hit || $all) && ($mode & 020)) {
X		$hit = 1;
X		$onpath && ($GroupWritableDirectoryFound = 1);
X		&addgroup_directory($gid,"$reason $dir is group writable", $dir);
X	    }
X	    ($all || !$hit) && &adduser($uid,"$reason $dir is writable by owner"); # owner can write to directory
X	} elsif ( ! -e $dir ) {
X	    !$brief && printf(STDERR "WARNING: non-existing directory used: $dir\n");
X	} else {
X	    !$brief && printf(STDERR "WARNING: non-directory used: $dir\n");
X	}
X	$dir =~ s,/[^/]*$,,;	# remove last directory from path
X    }
X}
Xsub checkrootdir {
X    # check the paths leading to the directory
X    ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,
X     $size,$atime,$mtime,$ctime,$blksize,$blocks) = stat("/");
X    $hit = 0;
X    ($mode & 002) && ($hit = 1) && &addworld_directory("'/' is WORLD writable", "/");
X    (!$hit || $all) && ($mode & 020) && ($hit = 1) && &addgroup_directory($gid,"Directory '/' is group writable", "/");
X    ($all || !$hit) && &adduser($uid,"Directory '/' is writable by owner"); # owner can write to directory
X}
Xsub checkmissingdir {
X    # this argument is a file that is missing
X    # check to see if each directory up the ladder
X    # has permission problems.
X    local($file, $where) = @_;
X    $origfile = $file;
X    while ($file =~ s,/[^/]*$,, && $file ne "") {
X	#remove the last path
X	$debug && $verbose && printf("checking %s\n", $file);
X	if ( -d $file ) {
X	    ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,
X	     $size,$atime,$mtime,$ctime,$blksize,$blocks) = stat("$file");
X	    $hit = 0;
X	    ($mode & 002) && ($hit = 1) && &addworld_directory("$where -> $origfile AND $file is WORLD writable", $file);
X	    (!$hit || $all) && ($mode & 020) && ($hit = 1) && &addgroup_directory($gid,"$where -> $origfile AND $file is group writable", $file);
X	    ($all || !$hit) && &adduser($uid,"$where -> $origfile AND directory $file is writable by owner"); # owner can write to directory
X	}
X    }
X}
Xsub report {
X# final report
X    if ($debug || $verbose ) {
X	printf("Options: ");
X	$brief && printf("brief ");
X	$all && printf("all ");
X	$do_world && printf("do_world ");
X	$do_group && printf("do_group ");
X	$do_user && printf("do_user ");
X	$debug && printf("debug ");
X	$verbose && printf("verbose ");
X	printf("\n");
X    }
X    $WorldWritableProgramsByDirectory = 0;
X    foreach $d (keys %world_writable) {
X	printf("World writable directory %s makes %d files vulnerable\n",
X	       $d, $ProgramsInDir{$d});
X	$WorldWritableProgramsByDirectory += $ProgramsInDir{$d};
X    }
X    # now for each group
X    if ($do_group) {
X	$GroupWritableProgramsByDirectory = 0;
X	foreach $d (keys %group_writable) {
X	    printf("Group writable directory %s makes %d files vulnerable\n",
X		   $d, $ProgramsInDir{$d});
X	    $GroupWritableProgramsByDirectory += $ProgramsInDir{$d};
X	}
X	foreach $g (keys %group) {
X	    $members = $ingroup{$g};
X	    $name = $gid_to_name{$g};
X	    $files = $group{$g};
X	    $files =~ s/\n/\n\t/g;
X	    $files =~ s/AND/AND\n\t\t/g;
X	    # truncate all files but the first
X	    if (!$brief) {
X		printf("\nGroup %s can do it %d ways: \n\t%s\n",
X		       $name, $groupcount{$g}, $files);
X		if ($do_user) {
X		    if (defined($members)) {
X			printf("\tmembers of this group are:\n");
X			undef(%dummy);
X			foreach $m (split(/ /,$members)) {
X			    if
X			    (!defined($dummy{$m})) {
X				printf("\t\t%s\n", $m);
X				$dummy{$m}=1;
X			    }
X			}
X		    }
X		}
X	    }
X	}
X    }
X# now look for each user
X    if ($do_user) {
X	$NumberOfProgramsOwnerByOtherUsers = 0;
X	foreach $u (keys %user) {
X	    $name = $inuid{$u};
X	    $files = $user{$u};
X	    if (!defined($name)) {
X		printf("UNKNOWN USER, UID = %d, ", $u);
X	    } else {
X		if (defined($user_to_passwd{$name})) {
X		    printf("User %s, UID: %d, ",
X			   $name, $u);
X		} elsif ($name =~ / /) {
X		    # more than one person has this UID...
X		    printf("Users %s, UID: %d, ",
X			   $name, $u);
X		} else {
X		    printf("Users %s, UID: %d, ",
X			   $name, $u);
X		}
X	    }
X	    if ($u == 0) {
X		printf("owns %d file, but you should be able to trust root",
X		       $usercount{$u});
X	    } elsif ($u == $>) {
X		printf("owns %d file, (but you should be able to trust yourself :-)",
X		       $usercount{$u});
X	    } else {
X		# truncate all files but the first
X		($file) = split("\n", $files);
X		printf("owns %d file%s",
X		       $usercount{$u},
X		       ($usercount{$u} == 1) ? "" : "s");
X		!$brief && printf(", Example %s",
X				  $file);
X		$NumberOfProgramsOwnerByOtherUsers +=$usercount{$u};
X	    }
X	    printf("\n");
X	}
X    }
X#    printf("Number of executable programs: %d\n", $programs);
X    printf(" ---- Score (lower percentages are better) ----\n");
X
X    $ProgramsInSomeDir = $TotalFiles;
X    printf("Number of programs/files in searchpath: %d\n", $ProgramsInSomeDir);
X    $do_user && printf("Number of programs writable by others (excluding root and self): %d (%4.2f%%)\n",
X		       $NumberOfProgramsOwnerByOtherUsers,
X		       ( $NumberOfProgramsOwnerByOtherUsers/$ProgramsInSomeDir)*100 );
X    if ($do_group) {
X	printf("Number of group writable programs: %d (%4.2f%%)\n",
X	       $group_writable_programs,
X	       ($group_writable_programs/$ProgramsInSomeDir)*100 );
X	$debug && printf("Number of executables in group writable directories: %d (%4.2f%%)\n",
X			 $GroupWritableProgramsByDirectory,
X			 ( $GroupWritableProgramsByDirectory /$ProgramsInSomeDir)*100 );
X    }
X    printf("Number of world writable programs: %d (%4.2f%%)\n",
X	   $world_writable_programs,
X	   ($world_writable_programs/$ProgramsInSomeDir)*100 );
X    $debug && printf("Number of executables in world writable directories: %d (%4.2f%%)\n",
X		     $WorldWritableProgramsByDirectory,
X		     ( $WorldWritableProgramsByDirectory /$ProgramsInSomeDir)*100 );
X    if ($dot) {
X	printf("You have included '.' (current working directory) in your searchpath\n");
X	if ($programsafterdot) {
X
X	    printf("%d files out of %d executable files (%4.2f%%) can be intercepted by a trojan horse depending on your current directory\n",
X		   $programsafterdot, $ProgramsInSomeDir, ($programsafterdot/$ProgramsInSomeDir)*100.0);
X	    printf("You are 100%% susceptible to a misspelled program in your current directory (e.g. 'mroe')\n");
X	}
X    }
X    if ($WorldWritableDirectoryFound) {
X	printf("%6.2f%% of your files (%d out of %d) may be intercepted because of world writable directories\n",
X	       ($FilesAfterWorldWritable/$TotalFiles)*100,
X	       $FilesAfterWorldWritable,
X	       $TotalFiles);
X    }
X    if ($GroupWritableDirectoryFound) {
X	printf("%6.2f%% of your files (%d out of %d) may be intercepted because of group writable directories\n",
X	       ($FilesAfterGroupWritable/$TotalFiles)*100,
X	       $FilesAfterGroupWritable,
X	       $TotalFiles);
X    }
X    printf("----\n");
X    printf("You may also want to check for set user or set group commands, using..\n");
X    printf("\tfind / -type f -perm -4000 -print\n");
X    printf("\tfind / -type f -perm -2000 -print\n");
X    printf("...
X but this will take a while.\n");
X    printf("You must also trust the systems that provide you with NFS directories\n");
X
X
X
X
X}
X
X
Xsub getusers {
X    local($login,$passwd,$uid,$gid);
X# learn about all of the users via the /etc/passwd file
X    setpwent();			# initialize the passwd scan
X    while (@list = getpwent) {	# fetch the next entry
X	($login,$passwd,$uid,$gid) = @list[0,1,2,3];	#grab the first 4 fields
X	if ($debug && (($uid == 2) || ($uid == 3) || ($gid == 2) || ($gid == 3))) {
X	    printf("User %s, UID: %d, GID: %d\n", $login, $uid, $gid);
X	}
X	&add_to_group($gid,$login);	# list of people who belong to the group
X	&add_to_uid($uid,$login);	# list of accounts who have the same UID
X
X	if (length($passwd) == 13) {
X	    $user_to_passwd{$login} = $passwd;	# do they have a password?
X	} else {
X#	    printf("user %s doesn't have a password\n", $login);
X#	    printf("length of password %s is %d\n", $passwd, length($passwd));
X	}
X    }
X    endpwent();			# end the scan
X}
Xsub getgroups {
X# learn about all of the groups via the /etc/group file
X    local($login,$passwd,$gid,$members);	# $gid, not $uid: keep the global $gid untouched
X    setgrent();			# initialize the group scan
X    while (@list = getgrent()) {	# fetch the next entry
X	($login,$passwd,$gid,$members) = @list[0,1,2,3];	#grab the first 4 fields
X	if ($debug && (($gid == 2) || ($gid == 3))) {
X	    printf("Group %s, GID: %d\n", $login, $gid);
X	}
X	if (!defined($gid_to_name{$gid})) {
X	    $gid_to_name{$gid} = $login;
X	} else {
X	    # group already defined
X	    if ($gid_to_name{$gid} ne $login) {
X		$verbose && printf("Group ID #%d, name: %s, also called %s - ignoring new name\n",
X				   $gid, $gid_to_name{$gid}, $login);
X	    }
X	}
X
X	# each of the members should be added to the group list
X	foreach $m (split(/ /,$members)) {
X	    0 && $debug && printf("adding %s to group %s(%d)\n",
X				  $m, $login, $gid);
X	    &add_to_group($gid,$m);	# list of people who belong to the group
X	}
X	if (length($passwd) == 13) {
X#	    $group_to_passwd{$login} = $passwd;	# do they have a password?
X } else { X# printf("group %s doesn't have a password\n", $login); X# printf("length of password %s is %d\n", $passwd, length($passwd)); X } X } X endgrent(); # end the scan X X} Xsub add_to_group { X local ($gid,$login) = @_; # list of people who belong to the group X # add user $login to group $gid X if (defined($ingroup{$gid})) { X $ingroup{$gid} .= " $login"; X } else { X $ingroup{$gid} = "$login"; X } X} Xsub add_to_uid { X local($uid,$login) = @_; # list of accounts who have the same UID X# create map of UID -> USERS X if (defined($inuid{$uid})) { X # check to see if name is in the list X $found = 0; X foreach $u (split(/ /,$inuid{$uid})) { X ($u eq $login) && $found++; X } X (!$found) && $inuid{$uid} .= " $login"; X } else { X $inuid{$uid} = "$login"; X } X# check for map of user -<> UIDs. X#; if more than one, error X if (defined($inuser{$login})) { X if ($uid != $inuser{$login}) { X X $inuser{$login} .= " $uid"; X printf(STDERR " User %s (UID: %d) has duplicate UID's : %s\n", $login, $uid, $inuser{$login}); X } else { X # saw this user twice, but the UID was the same X } X } else { X $inuser{$login} = "$uid"; X } X X} Xsub resolve { X local($current,$link) = @_; X local($newlink,$newcurrent); X # we are faces with a relative symbolic link X # that is, the firct character of $link is NOT a '/' X # examples X # /a/b -> c/d - same as /a/c/d X # /a/b/c -> ../d - same as /a/d X # /a/b/c -> ./d - same as /a/c/d X # /a/b/c -> ./../d - same as /a/d X # /a/b/c -> ../../d - same as /d X # /a/b/c -> . 
- same as /a/b X X $newlink = ""; X if ($current =~ /^\.\.\// ) { X die "ERROR : left side can't start with ../"; X } elsif ($current =~ /^\.\// ) { X die "ERROR : left side can't start with ./"; X } elsif ($current =~ /^[^\/]/ ) { X die "ERROR : left side can't start with non-/"; X } X X if ($link =~ /^\.\.\//) { # ../ X #resolve relative link -> ../ X X # remove last two items on current X $newcurrent = $current; X # change /a/b/c/d to /a/b X $newcurrent =~ s,[^\/]+\/[^\/]+$,,; X X # remove ../ from ../xxxx X $newlink = $link; X $newlink =~ s,^\.\.\/,,; X X # combine two pieces X $newlink = "$newcurrent$newlink"; X X # there may still be a ../ in there X # change x/v/../ to nothing X $newlink =~ s,[^\/]+\/\.\.,,g; X X $debug && printf("RESOLVE: $current -> $link becomes $newlink\n"); X } elsif ($link eq "." ) { # X #resolve relative link -> . X # remove last part of path X $newcurrent = $current; X # change /a/b/c/d to /a/b/c X $newcurrent =~ s,\/[^\/]+$,,; # /a/b/c -> /a/b X X $newlink = "$newcurrent"; X $debug && printf("RESOLVE: $current -> $link becomes $newlink\n"); X } elsif ($link =~ /^\.\//) { # starts with ./ X #resolve relative link -> ./usr X # remove last part of path X $newcurrent = $current; X # change /a/b/c/d to /a/b/c X $newcurrent =~ s,\/[^\/]+$,,; X X # remove ./ from ./xxxx X $newlink = $link; X $newlink =~ s,^\.\/,,; # ./xyz -> xyz X X # combine two pieces X $newlink = "$newcurrent/$newlink"; X X $debug && printf("RESOLVE: $current -> $link becomes $newlink\n"); X } elsif ($link =~ /^[^\/]/) { # starts with aaa/ X #resolve relative link -> usr/ X # remove last part of path X $newcurrent = $current; X # change /a/b/c/d to /a/b/c X $newcurrent =~ s,\/[^\/]+$,,; # /a/b/c -> /a/b X X $newlink = $link; X X # combine two pieces X $newlink = "$newcurrent/$newlink"; X $debug && printf("RESOLVE: $current -> $link becomes $newlink\n"); X } else { X printf(STDERR "$current/$link becomes ?????\n"); X } X $newlink =~ s,\/\/,\/,g; X X# John P. 
Rouillard suggested: X $newlink =~ s,^/\./,\/,g; # change /./ to / X X if ($newlink !~ /^\//) { X die "return value from RESOLVE ($newlink) invalid"; X } elsif ($newlink =~ /\/\.\.\//) { X die "return value from RESOLVE ($newlink) invalid"; X } elsif ($newlink =~ /\/\.\//) { X die "return value from RESOLVE ($newlink) invalid"; X } X return $newlink; X} Xsub ProgramUsesDir { X# this procedure is called once for each program. X# this input is a directory X local($dir) = @_; X if ( ! -d $dir ) { X if (! -e $dir ) { X # file doesn't exist X return; X } else { X die "Directory $dir NOT a directory, serious bug, aborting"; X } X } X $ProgramsInSomeDir++; X if (defined($ProgramsInDir{$dir})) { X $ProgramsInDir{$dir}++; X } else { X $ProgramsInDir{$dir} = 1; X } X X# now do the same thing with each step up the directory tree X while ($dir ne "/") { X $dir =~ s,\/[^\/]+$,,; X if ($dir eq "") { X $dir = "/"; X } X if (defined($ProgramsInDir{$dir})) { X $ProgramsInDir{$dir}++; X } else { X $ProgramsInDir{$dir} = 1; X } X X } X X} END_OF_trojan.pl if test 29353 -ne `wc -c Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA13957; Mon, 23 May 1994 16:41:28 GMT Received: from seraph.uunet.ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA13947; Mon, 23 May 1994 09:41:13 -0700 Received: from syncrude by mail.uunet.ca with UUCP id <238761-4>; Mon, 23 May 1994 12:42:01 -0400 Received: from yamvax.vax.syncrude.com (yamvax.vax.syncrude.com [142.69.192.52]) by hp06.ux.syncrude.com (8.6.8/8.6.6) with SMTP id KAA05744 for ; Mon, 23 May 1994 10:28:39 -0600 Received: by yamvax.vax.syncrude.com (MX V4.0-1 VAX) id 1; Mon, 23 May 1994 10:32:00 MDT Date: Mon, 23 May 1994 12:32:09 -0400 From: Glenn Davis To: Firewalls@GreatCircle.COM CC: davis@yamvax.vax.syncrude.com Message-ID: <0097EDAF.733C4B20.1@yamvax.vax.syncrude.com> Subject: Writing an RFP for a firewall Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Hello all, We will be 
installing a firewall, and will be hiring a consultant to do the work. So my question is: how should an RFP for a firewall be written? The scope will be to provide all software, hardware (or use existing h/w), training, and consulting/configuration. I have been reading this list for a while now, and have followed up on pointers to background material on firewalls (I now have a nice stack of paper for reference :-) I have not seen anything that is directly related to writing a spec for a consultant. Obviously I am not the first to write such a document! If others can assist in pointing out potential pitfalls, or areas that should be covered in the RFP; I would be grateful. The folks that I will be sending this to are: DEC, HP, and TIS. Are there any other reputable firms that you can recommend? (Not sure if GreatCircle does this type of work.) Thanks, Glenn -- Glenn Davis +1 403 790 4626 / davis@syncrude.com (Days) Syncrude Canada Ltd +1 403 743 9675 / davis@realtime.ab.ca (Else) From firewalls-owner Mon May 23 18:31:19 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id BAA16640; Tue, 24 May 1994 01:15:31 GMT Received: from mullian.ee.mu.OZ.AU by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA15859; Mon, 23 May 1994 15:14:56 -0700 Received: from munagin (munagin.ee.mu.OZ.AU) by mullian.ee.mu.OZ.AU with SMTP id AA24727 (5.67b/IDA-1.5 for ); Tue, 24 May 1994 07:45:50 +1000 raob (rfc931-sender: raob@munagin (munagin.ee.mu.OZ.AU)) Message-Id: <199405232145.AA24727@mullian.ee.mu.OZ.AU> To: ray@ariel.ucs.unimelb.EDU.AU Subject: Re: kerberized telnet To: Firewalls@greatcircle.com Subject: Re: kerberized telnet References: <9405230858.AA22802@apollo.is.co.za> Content-Length: 1036 Date: Tue, 24 May 1994 07:45:48 +1000 From: richard oxbrow Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk In response to several requests for clarification of the following: > How about using the SRA extended telnet/ftp 
package from TAMU? It
> negotiates a session key by swapping public keys generated from random
> private/public key pairs and doesn't need kerberos. Works on SunOS 4
> and 5, Linux and (as soon as I finish testing my patches) on SGI IRIX
> 4. Fairly simple to build, though it's really a proof-of-concept
> prototype at this stage and may not be appropriate in a production
> environment.

David Safford's SRA telnet/ftp package is documented in a paper at the third Usenix security symposium. Available as net.tamu.edu:pub/security/TAMU/sra.ps.gz while sra.README in the same location also includes a brief description. Otherwise, the files to get are srasrc-1.3.tar.gz and (for those in the US) srasrc-des-1.3.tar.gz. For non-US sites, the sra.README contains pointers to alternative DES libraries; I used the DES-2.2 from Chalmers with success (though it is not bugfree).

- --
Andras Salamon

------- End of Forwarded Message

From firewalls-owner Mon May 23 18:41:14 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id BAA16658; Tue, 24 May 1994 01:17:05 GMT
Received: from firewall.nielsen.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA16490; Mon, 23 May 1994 17:31:22 -0700
Received: by firewall.nielsen.com (/\KD/\ Smail3.1.21.1 #21.3) id ; Mon, 23 May 94 19:32 CDT
Received: from localhost by ibis.dun.nielsen.com (5.67ufl/4.12) id AA16070; Mon, 23 May 94 20:32:34 -0400
Message-Id: <9405240032.AA16070@ibis.dun.nielsen.com>
To: girish@scopus.com (Girish Pradhan)
Cc: firewalls@greatcircle.com, ipsarr@ibis.dun.nielsen.com
Subject: Re: Network Sniffer
In-Reply-To: Your message of "Sun, 22 May 1994 21:09:01 PDT." <9405230409.AA29630@scopus.com>
Date: Mon, 23 May 1994 20:32:30 -0400
From: "\"\"Andrew R. Reese - LAN Coordinator\"\""
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I believe that the listening device has to be on the subnet that it wants to listen to. Sniffer can snoop all packets that come across the subnet, even filter on specific contents. However, not across subnets.

You can use something like HP-LanProbe with a probe on your important subnets. Then from the management console you can collect packets and review them remotely.

One thing I hate about sniffer or expert sniffer, you can only filter on say four ip addresses. Example say I had ten w/s and I wanted to see how much bandwidth they were taking, I could not do. Sniffer limits you to four 4,3,2,1, or all.

Good Luck,

Andy

O O _____ \ / /~~~~~\ \ / |o o| I was born a ------------------------ \ / | L | ------------ Andrew R. Reese | ================ |\___/| couch potato! LAN Coordinator, IPS | |----------- | | | Nielsen Media Research | || Nielsen | O | \___/ a Dun & Bradstreet Co. | || TV | O | 375 Patricia Avenue | || Ratings |...| If it is shown we... Mail Stop: B2F2P3 | |----------- | (+) RATE IT (-) Dunedin, FL 34698 | ================ ---------------------------------------------------------------------------- ipsarr@ibis.dun.nielsen.com (813)738-3127 FAX (813)738-3113 ----------------------------------------------------------------------------

From firewalls-owner Mon May 23 22:21:19 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id FAA17646; Tue, 24 May 1994 05:06:54 GMT
Received: from dcv4kd.phs.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA17127; Mon, 23 May 1994 20:13:23 -0700
Received: from DCV4KD.PHS.COM by DCV4KD.PHS.COM (PMDF V4.2-10 #4056) id <01HCOW19B31S0015RA@DCV4KD.PHS.COM>; Mon, 23 May 1994 20:14:42 PST
Date: Mon, 23 May 1994 20:14:42 -0800 (PST)
From: Urban Surfer
Subject: Re: Network Sniffer
To: firewalls@GreatCircle.COM
Reply-to: matt@phs.com
Message-id: <01HCOW19BVZ60015RA@DCV4KD.PHS.COM>
Organization: Pacificare_Health_Systems
X-VMS-To: IN%"firewalls@GreatCircle.COM"
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
Content-transfer-encoding: 7BIT
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>I believe that the listening device has to be on the subnet that it
>wants to listen to. Sniffer can snoop all packets that come across the
>subnet, even filter on specific contents. However, not across subnets.

Sniffers can most certainly probe multiple subnets. Sniffers work at lower levels and don't care about IP addresses unless you set filters for them. Since they work at the lower levels, Ethernet sniffers cannot probe across a bridge or router. But FDDI sniffers can since FDDI traffic by design must traverse the whole ring.

Matt Holdrege
matt@phs.com
MH235

From firewalls-owner Mon May 23 23:19:56 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id FAA17930; Tue, 24 May 1994 05:40:51 GMT
Received: from rodan.UU.NET by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id LAA14823; Wed, 18 May 1994 11:06:17 -0700
Received: by rodan.UU.NET (5.61/UUNET-mail-drop) id AA19024; Wed, 18 May 94 14:07:09 -0400
Message-Id: <9405181807.AA19024@rodan.UU.NET>
To: mckenney@smiley.mitre.org (Brian W. McKenney)
Cc: firewalls@GreatCircle.COM, pfalzgmh@eckerd.edu
From: "Louis A. Mamakos"
Subject: Re: Advice on Firewall Politics
In-Reply-To: Your message of "Wed, 18 May 1994 08:02:50 EDT." <9405181202.AA25946@smiley.mitre.org.sit>
Date: Wed, 18 May 1994 14:07:06 -0400
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

[ Manager's note: This message got lost in the shuffle during the last mail loop on Firewalls. My apologies for the delay. -Brent ]

Prior to October of last year, I used to be in the group that ran the campus network at a large University.

It is just not obvious to me that a firewall is so obviously a requirement in a University environment. We didn't have firewalls. And yes, we did have security problems from time to time.

> >I'm from a small liberal arts college and I am trying to fight a political
> >battle with a few faculty to implement a firewall at our site. The
> >computer science faculty at our college believe that security is only a
> >hindrance and that a firewall will hamper their "academic freedom".

Well, the "academic freedom" thing does have something to say for it. While you may perceive it as being thrown in your face as an unassailable argument, it does have its merits, too. When your Computer Science Department does research on computer networks, it is very likely that a firewall will be a real problem. Firewalls also tend to stifle the deployment of new and interesting network applications, and Universities are where a lot of this stuff happens.

Finally, it seems to me that a firewall is most useful when you can draw a line between the "good guys" that are "inside" and the "bad guys" that are somewhere "outside". Well, when you have tens of thousands of undergrad students, public workstation labs, network connections in dorm rooms, just where do you put the firewall? Who are you protecting from whom? There are probably some sites that might argue that the firewall should be protecting the Internet from the University. While it's true that the threats are probably different, it is hard to imagine not putting some non-trivial effort into securing individual systems on the network.

Louis A. Mamakos louie@alter.net UUNET Technologies, Inc.
uunet!louie 3110 Fairview Park Drive., Suite 570 Voice: +1 703 204 8023 Falls Church, Va 22042 Fax: +1 703 204 8001 From firewalls-owner Tue May 24 11:50:54 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id LAA20260; Tue, 24 May 1994 11:50:54 GMT Received: from ub4b.eunet.be by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id EAA20254; Tue, 24 May 1994 04:50:44 -0700 Received: from sunbim.sunbim.be by ub4b.eunet.be (5.65c/ub4b_03) id AA19100; Tue, 24 May 1994 13:53:11 +0200 Received: from prince.sunbim.be (prince-x) by sunbim.sunbim.be (4.1/SMI-4.1) id AA04552; Tue, 24 May 94 13:47:32 +0200 Received: from dvorak.sunbim.be by prince.sunbim.be (4.1/SMI-4.1) id AA28889; Tue, 24 May 94 13:49:41 +0200 Date: Tue, 24 May 94 13:49:41 +0200 From: pc@sunbim.be (Philippe Cayphas) Message-Id: <9405241149.AA28889@prince.sunbim.be> To: firewalls@GreatCircle.COM Subject: PC-NFS firewall Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Hello, Someone asks me about a PC-NFS firewall. He wants to offer NFS services to PC users in a secure way. NFS is certainly not secure and PC-NFS seems to be worse! So, in my opinion, such a configuration can't be secure and must be avoided. Am I right? Has somebody such a firewall experience? Thanks, Philippe -- Ph. Cayphas Senior Engineer E-Mail: pc@sunbim.be (or uunet!mcsun!ub4b!sunbim!pc) Telephone: +32(10)45.48.72 Fax : +32(10)45.49.34 Postal Mail : Ph. Cayphas BIM sa Parc Scientifique de L.L.N. 
7, rue du Bosquet 1348 Louvain-La-Neuve Belgium From firewalls-owner Tue May 24 12:56:38 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA20574; Tue, 24 May 1994 12:56:38 GMT Received: from cayuga.cs.rochester.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id FAA20568; Tue, 24 May 1994 05:56:24 -0700 From: bukys@cs.rochester.edu Received: from slate.cs.rochester.edu (slate.cs.rochester.edu [192.5.53.101]) by cayuga.cs.rochester.edu (8.6.7/G) with ESMTP id IAA29408 for ; Tue, 24 May 1994 08:57:43 -0400 Received: from otter.cs.rochester.edu (otter.cs.rochester.edu [192.5.53.121]) by slate.cs.rochester.edu (8.6.7/G) with SMTP id IAA16866; Tue, 24 May 1994 08:57:41 -0400 Message-Id: <199405241257.IAA16866@slate.cs.rochester.edu> To: Firewalls@GreatCircle.COM cc: bukys@cs.rochester.edu Subject: SRA telnet and ftp Date: Tue, 24 May 94 08:57:40 -0400 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk After hearing about David Safford's SRA telnet/ftp package from numerous sources, I finally went and got a copy (from ftp://net.tamu.edu/pub/security/TAMU). It's nice work. I would like to clarify one point, though: This package uses the Diffie-Hellman code from the Secure RPC implementation, to securely compute a session key which the SRA code uses to encrypt an authentication transaction. The code does NOT use the session key to encrypt the whole session. It would probably be relatively easy to add, but it's not in there in the current code. This is from my perusal of the code, and correspondence with the author. 
FYI From firewalls-owner Tue May 24 12:58:51 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA20598; Tue, 24 May 1994 12:58:51 GMT Received: from ub4b.eunet.be by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id FAA20592; Tue, 24 May 1994 05:58:38 -0700 Received: from csl.sni.be by ub4b.eunet.be (5.65c/ub4b_03) id AA22785; Tue, 24 May 1994 15:01:08 +0200 Received: from tintin.csl.sni.be by snibru.cb.sni.be (5.65c/snibru-1) id ; Tue, 24 May 1994 14:42:48 +0200 with SMTP Received: from charly.csl.sni.be by tintin.csl.sni.be (5.65c/csl-0) id ; Tue, 24 May 1994 14:42:25 +0200 with SMTP Message-Id: <199405241242.AA07226@tintin.csl.sni.be> X-Sender: eric@darling.csl.sni.be Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 24 May 1994 14:37:27 +0200 To: dconklin@itp.corp.harris.com From: Eric.Vyncke@csl.sni.be (Eric Vyncke) Subject: Re: Looking for Net Monitoring Pkg Cc: Firewalls@GreatCircle.COM X-Mailer: Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk I am looking for packages that will allow me to monitor packets on my net and report traffic statistics by packet type for each source & destination DNS name (or IP addr if not listed). A bonus would be the ability to filter on DNS name (or IP addr). Can someone point me in a likely direction? You may try Ethload 1.04 (I'm the author :-)). It is a MS-DOS program and should do what you want. 
You may fetch it from ub4b.eunet.be:/pub/ub4b/network/msdos/ethld104.zip

---
Eric Vyncke, Project Leader
Siemens Nixdorf - Centre Software de Liege - Belgium
EUnet: vyncke@csl.sni.be
Phone: +32-41-201654
Fax: +32-41-201642

From firewalls-owner Tue May 24 13:04:03 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA20648; Tue, 24 May 1994 13:04:03 GMT
Received: from mentor.cc.purdue.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id GAA20642; Tue, 24 May 1994 06:03:52 -0700
Received: from freh-02.adpc.purdue.edu by mentor.cc.purdue.edu (5.61/Purdue_CC) id AA00330; Tue, 24 May 94 08:05:14 -0500
Received: from FREH-02/MERCURY_MAIL by freh-02.adpc.purdue.edu (Mercury 1.11); Tue, 24 May 94 8:05:27
Received: from MERCURY_MAIL by FREH-02 (Mercury 1.11); Tue, 24 May 94 8:04:58
To: firewalls@greatcircle.com
From: "Michael S. Hines"
Organization: Purdue University
Date: 24 May 94 08:04:50 EST
Subject: Re: Advice on Firewall Politics
Priority: normal
X-Mailer: Pegasus Mail v2.3 (R5).
Message-Id: <23F614B43DD@freh-02.adpc.purdue.edu>
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Louis, et al:

>Prior to October of last year, I used to be in the group that ran the
>campus network at a large University.
>
>It is just not obvious to me that a firewall is so obviously a requirement
>in a University environment. We didn't have firewalls. And yes, we
>did have security problems from time to time.

The University is traditionally made up of two branches in the computing realm. The academic computing is certainly a commodity whose use is encouraged. This is in line with the educational role of the University. However, as we move to client/server computing on the administrative side of the house, we are linking computers together over the same communications lines (fibre, copper, etc on ethernet, token ring, etc) using the same communications protocol (TCP/IP is becoming the de facto standard). In this environment, we only want authorized users accessing the administrative applications (we hardly protect academic integrity if students can alter their grades and grant themselves degrees). In this case, we do want firewalls between the universe of users and the applications. In fact, what we want is two nets...an open net and a protected net running on the same infrastructure. The firewall is the classical answer to this need. So the firewall is an essential part of the campus network, contrary to your thoughts.

>> >I'm from a small liberal arts college and I am trying to fight a political
>> >battle with a few faculty to implement a firewall at our site. The
>> >computer science faculty at our college believe that security is only a
>> >hindrance and that a firewall will hamper their "academic freedom".
>
>Well, the "academic freedom" thing does have something to say for it.
>While you may perceive it as being thrown in your face as an
>unassailable argument, it does have its merits, too. When your
>Computer Science Department does research on computer networks, it is
>very likely that a firewall will be a real problem. Firewalls also
>tend to stifle the deployment of new and interesting network
>applications, and Universities are where a lot of this stuff happens.

And when your CS faculty are working on grants and contracts, they may see the advantage of blocking the outside world (and even the inside world of student "researchers" or other faculty) away from their work. Not all work done is public domain freeware :)

>Finally, it seems to me that a firewall is most useful when you can
>draw a line between the "good guys" that are "inside" and the "bad
>guys" that are somewhere "outside".

It makes more sense to frame the question in terms of those with a need to know and those with no need to know. Just because I can do or see something, it doesn't mean I should.

> Well, when you have tens of
>thousands of undergrad students, public workstation labs, network
>connections in dorm rooms, just where do you put the firewall?

At the access point to the computing resource... it's like a lock and key... with the right key (ie IP address) you can get in, and without it access is more difficult (though not absolute).

> Who are
>you protecting from whom? There are probably some sites that might
>argue that the firewall should be protecting the Internet from the
>University. While it's true that the threats are probably different,
>it is hard to imagine not putting some non-trivial effort into
>securing individual systems on the network.

On the contrary, it makes perfectly good sense. We find staff routinely think of things on the desktop computers as secure, while there is absolutely no security of the data on the computer, no power on protection (locks, passwords, etc.), and sometimes the offices are even unlocked. This is a perception problem. With the use of networks increasing rapidly, the domain of information available is increasing rapidly, yet the most fundamental "personal" computer data is public information. Security, such as access control, is being ignored in the fundamental computing base.

Well, enough plugging of firewalls, and access security is probably another list.

----------------------------------------------------------------------
Internet: mshines@ia.purdue.edu | Michael S. Hines
Bitnet: michaelh@purccvm | Sr.
Information Systems Auditor Purdue WIZARD Mail: MSHINES | Purdue University GTE Net Voice: (317) 494-5845 | 1065 Freehafer Hall GTE Net FAX: (317) 496-1814 | West Lafayette, IN 47907-1065 CompuServe: 73240,1631 | America On-Line: mysterios | From firewalls-owner Tue May 24 13:39:04 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA20878; Tue, 24 May 1994 13:39:04 GMT Received: from ALABAMA.CF.CS.YALE.EDU by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id GAA20872; Tue, 24 May 1994 06:38:48 -0700 Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU via SMTP; Tue, 24 May 1994 09:39:51 -0400 Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-5.67b/res.client.cf-3.7) id AA15154; Tue, 24 May 1994 09:39:50 -0400 Date: Tue, 24 May 1994 09:39:50 -0400 From: long-morrow@CS.YALE.EDU (H Morrow Long) Message-Id: <199405241339.AA15154@SPARKY.CF.CS.YALE.EDU> To: MSHINES@freh-02.adpc.purdue.edu, firewalls@GreatCircle.COM Subject: Re: Advice on Firewall Politics Cc: long-morrow@CS.YALE.EDU Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Michael S. Hines wrote: >of the house, we are linking computers together over the same >communications lines (fibre, copper, etc on ethernet, token ring, etc) >using the same communications protocol (TCP/IP is becoming defacto >standard). In this environment, we only want authorized users accessing >the administrative applications (we hardly protect academic integrity if >students can alter their grades and grant themselves degrees). In this >case, we do want firewalls between the universe of users and the >applications. In fact, what we want is two nets...an open net and a >protected net running on the same infrastructure. The firewall is the >classical answer to this need. 
If you have a need for two different networks with two different purposes (one - an open academic network for research, etc., the other an internal production network for administrative systems and MIS) why not set them up as different physical networks (with their own cables and fiber connections, their own bridges and routers, etc.) and put a firewall between the two of them???

$$$$$ of course :-)

But it seems logical (if expensive) to me. It is what I'd recommend if asked to try to implement a network with two almost contradictory missions.

There are precedents for running parallel networks (e.g. a hospital environment where you may have a need for a network with real-time deterministic behaviour - such as a critical care patient monitoring system - as well as a network for normal administrative functions - billing, patient records, etc. In the case of a hospital both would need to be very secure however!). I would hope that hospitals don't skimp on the required equipment just because of costs...
- Morrow From firewalls-owner Tue May 24 06:41:21 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA20751; Tue, 24 May 1994 13:18:44 GMT Received: from sematech1.SEMATECH.ORG by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id GAA20735; Tue, 24 May 1994 06:18:24 -0700 Received: by sematech1.SEMATECH.ORG (AIX 1.3/1.1); Tue, 24 May 94 08:19:37 -0500 Received: from thecount.eng.sematech.org by GateV1.SEMATECH.Org (PMDF V4.2-15 #5463) id <01HCPLI3YWXC8Y5619@GateV1.SEMATECH.Org>; Tue, 24 May 1994 08:19:34 -0500 (CDT) Received: from localhost.eng.sematech.org by thecount.eng.sematech.org (4.1/SS-1.6) id AA09340; Tue, 24 May 94 08:19:32 CDT Date: Tue, 24 May 1994 08:19:31 -0500 From: Quentin Fennessy Subject: re: Writing an RFP for a firewall To: Firewalls@greatcircle.com Cc: Glenn Davis Message-Id: <9405241319.AA09340@thecount.eng.sematech.org> Content-Transfer-Encoding: 7BIT Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Glenn- If you want a well-done spec for a firewall I suggest you use one of the companies you mentioned. I am sure the folks at TIS, or the DEC Seal folks, or Paul Vixie even could write up a spec that would be very well done. I used to work for a consulting company and customers would often pay us to construct an RFP, that we would then bid on. (And no, we did not win all the bids for those RFPs!) 
Quentin Fennessy From firewalls-owner Tue May 24 06:51:21 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA20757; Tue, 24 May 1994 13:19:11 GMT Received: from ub4b.eunet.be by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id GAA20748; Tue, 24 May 1994 06:18:41 -0700 Received: from csl.sni.be by ub4b.eunet.be (5.65c/ub4b_03) id AA23724; Tue, 24 May 1994 15:21:10 +0200 Received: from tintin.csl.sni.be by snibru.cb.sni.be (5.65c/snibru-1) id ; Tue, 24 May 1994 15:14:38 +0200 with SMTP Received: from charly.csl.sni.be by tintin.csl.sni.be (5.65c/csl-0) id ; Tue, 24 May 1994 15:14:19 +0200 with SMTP Message-Id: <199405241314.AA07817@tintin.csl.sni.be> X-Sender: eric@darling.csl.sni.be Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 24 May 1994 15:09:21 +0200 To: Firewalls@GreatCircle.COM From: Eric.Vyncke@csl.sni.be (Eric Vyncke) Subject: Re: Network Sniffer X-Mailer: Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk >I have a basic question - Can a sniffer trace packets on different subnets ? >If so can anybody shed some light as to which would be a better buy for >less $$ or any free-ware software that can do the same. Any help will >be appreciated. As the author of a free MS-DOS sniffer, ETHLOAD, I can say: 1) it is _VERY_ easy to receive all frames on a Ethernet segment with a _VERY_ small program 2) due to firmware implementation, it is _OFTEN_ impossible to receive all frames on a Token Ring 3) it is _IMPOSSIBLE_ to receive frames transmitted on a Ethernet segment which is not local (my Sniffer in Belgium cannot receive your Ethernet frames!) or which is repeated. Obvious exceptions: if the frame is bridged to the destination via the LAN segment where the sniffer is tapped _OR_ if the frame is routed (IP, DECnet, ...) via the LAN segment where the sniffer is tapped. 
Please be aware that a TCP sniffing program can be developed in about 20 hours on a PC (or TCPdump ported to another Unix in a matter of hours) and this program can get passwords (telnet, ftp, rlogin, ... send password as clear text) very _EASILY_...

Sorry for the obviousness of the answer and comment :-)

---
Eric Vyncke, Project Leader
Siemens Nixdorf - Centre Software de Liege - Belgium
EUnet: vyncke@csl.sni.be
Phone: +32-41-201654
Fax: +32-41-201642

From firewalls-owner Tue May 24 14:15:54 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA21252; Tue, 24 May 1994 14:15:54 GMT
Received: from Texaco.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id HAA21246; Tue, 24 May 1994 07:15:47 -0700
Received: by Texaco.COM (4.1/SMI-4.1) id AA02709; Tue, 24 May 94 09:16:57 CDT
Date: Tue, 24 May 94 09:16:57 CDT
From: hernae@Texaco.COM (Emma Hernandez)
Message-Id: <9405241416.AA02709@Texaco.COM>
To: firewalls@greatcircle.com, hernae@Texaco.COM
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Please register hernae@texaco.com to the firewalls mailing list

Thank You

From firewalls-owner Tue May 24 14:25:37 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA21327; Tue, 24 May 1994 14:25:37 GMT
Received: from netcomsv.netcom.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id HAA21319; Tue, 24 May 1994 07:25:27 -0700
Received: from localhost by netcomsv.netcom.com with UUCP (8.6.4/SMI-4.1) id HAA22707; Tue, 24 May 1994 07:18:11 -0700
Received: from avalle.insoft.com by insoft1.insoft.com (4.1/RHP-1.0) id AA14424; Tue, 24 May 94 09:41:45 EDT
Received: by avalle.insoft.com (5.0/SMI-SVR4) id AA05132; Tue, 24 May 1994 09:37:31 +0500
Date: Tue, 24 May 1994 09:37:31 +0500
From: francis@avalle.insoft.com (John [Francis] Stracke)
Message-Id: <9405241337.AA05132@avalle.insoft.com>
To: firewalls@GreatCircle.COM
In-Reply-To: "Louis A.
Mamakos"'s message of Wed, 18 May 1994 14:07:06 -0400 <9405181807.AA19024@rodan.UU.NET> Subject: Advice on Firewall Politics Content-Length: 1197 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk >Finally, it seems to me that a firewall is most useful when you can >draw a line between the "good guys" that are "inside" and the "bad >guys" that are somewhere "outside". Well, when you have tens of >thousands of undergrad students, public workstations labs, network >connections in dorm room, just where do you put the firewall? Who are More to the point, what good will it do, when a sufficiently frustrated (yes, and skilled) student or prof can plug in hir modem & open up a PPP connection? (No, I'm not suggesting this PPP link could route for the whole campus net--the route wouldn't be advertised--but it could route to any machine whose owner wanted it [or where somebody local cracked root], by doing PPP/TCP.) /===========================================================================\ |John (Francis) Stracke | My opinions are my own. | |InSoft, Inc. |==================================================| |Mechanicsburg, PA | "Vlad was not a vampire, but that's about the | |francis@insoft.com | only nice thing that could be said about him." 
| \===========================================================================/ From firewalls-owner Tue May 24 14:47:32 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA21505; Tue, 24 May 1994 14:47:32 GMT Received: from babble.cob.ohio-state.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id HAA21499; Tue, 24 May 1994 07:47:21 -0700 Received: from curiosity.cob.ohio-state.edu (curiosity.cob.ohio-state.edu [128.146.109.24]) by babble.cob.ohio-state.edu (8.6.9/8.6.9) with ESMTP id KAA11966 for ; Tue, 24 May 1994 10:48:43 -0400 Received: (from maf@localhost) by curiosity.cob.ohio-state.edu (8.6.9/8.6.9) id KAA24010 for Firewalls@GreatCircle.COM; Tue, 24 May 1994 10:48:42 -0400 From: Mark Fullmer Message-Id: <199405241448.KAA24010@curiosity.cob.ohio-state.edu> Subject: Re: Network Sniffer To: Firewalls@GreatCircle.COM Date: Tue, 24 May 1994 10:48:41 -0400 (EDT) Reply-To: maf+@osu.edu X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 849 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Eric.Vyncke@csl.sni.be writes: >3) it is _IMPOSSIBLE_ to receive frames transmitted on an Ethernet segment >which is not local (my Sniffer in Belgium cannot receive your Ethernet >frames!) or which is repeated. Obvious exceptions: if the frame is bridged >to the destination via the LAN segment where the sniffer is tapped _OR_ if >the frame is routed (IP, DECnet, ...) via the LAN segment where the sniffer >is tapped. Many bridges can have their learn tables faked into letting through traffic. Exceptions are bridges that have a learn table lockdown, or a reasonably long timeout before re-learning a MAC address. Even with a learn table lockdown, if you are using a bridge to isolate traffic for security reasons, that bridge should somehow log (i.e. syslog, SNMP trap, etc.) when a MAC address switches ports.
-- mark maf+@osu.edu From firewalls-owner Tue May 24 08:01:25 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA21568; Tue, 24 May 1994 14:53:24 GMT Received: from jpmorgan by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id HAA21562; Tue, 24 May 1994 07:53:15 -0700 From: yerkes_chuck@jpmorgan.com Received: by jpmorgan (8.6.4/fma-120691.2); id KAA13225; Tue, 24 May 1994 10:54:40 -0400 Received: from athena1.lsi.ny.jpmorgan.com (athena1.lsi.ny.jpmorgan.com [146.149.246.28]) by tcpg01a.ny.jpmorgan.com (8.6.4/cjy.sub.1.0) with ESMTP id KAA18144 for ; Tue, 24 May 1994 10:54:39 -0400 Received: from delacroix.lsi.ny.jpmorgan.com by athena1.lsi.ny.jpmorgan.com with SMTP id KAA25574; Tue, 24 May 1994 10:54:38 -0400 Received: by delacroix.lsi.ny.jpmorgan.com (4.1/4.7) id AA11447; Tue, 24 May 94 10:54:37 EDT Date: Tue, 24 May 94 10:54:37 EDT Message-Id: <9405241454.AA11447@delacroix.lsi.ny.jpmorgan.com> To: firewalls@greatcircle.com Subject: Firewalling a university. (Advice on Firewall politics) Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk At my college, we indeed wanted free access to/from the internet. However, the admin net did not want that free access from the Internet. The way to do this would be to have a firewall between the admin net and the general college network. This would screen packets and authenticate incoming connections. The general network would have a machine doing similar, but with no authentication - it would simply leave an audit trail of connections. You are responsible to the Net for the actions of your users, if only morally, in my view. If you have a user who has shown that they can't be trusted, you have to be able to limit their access (yes, they can use a different account, but...). You also may need to shut off access to certain outsiders. To this end, you need (1) A use policy.
Rice had their OwlNet use policy available at the last LISA conference and it's a reasonable starting point. This will essentially lay out your rules and students who break them will be denied service. You need your administration to back you on that. This policy is the LEAST you should have. (2) A machine to act as a gateway. If nothing else, it's a router to the internet, but a full Unix box (or similar), that is secure, will keep track of connections and leave an audit trail. Besides securing, this can be used to justify better resources for your department. Using a screend type of package, you can simply pass all packets through. This means that you are not limiting service, simply keeping an eye on them. Could be Big Brother-like. Your policy (1) must explicitly say that you will never do packet by packet monitoring or under what circumstances you *might* do it. Protect yourself and your users. In summary, firewall your admin net (this means a separate network for them) and put a gateway on your WHOLE network. Create a policy that outlines the rules by which you expect your users to play and by which you will play. Why would that administration buy in? Because you are providing the same server, but you also are protecting the school from legal actions (even if just a hassle, lawyers cost) and laying down guidelines for use and punishment for abuse. Chuck ---- Chuck Yerkes consultant, JPMorgan.COM "My opinions are often not ever listened to by my employers and clients and therefore are often not held by them."
----- End Included Message ----- From firewalls-owner Tue May 24 08:11:25 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA21655; Tue, 24 May 1994 15:02:22 GMT Received: from gossip.pyramid.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id IAA21649; Tue, 24 May 1994 08:02:12 -0700 Received: from sword.eng.pyramid.com by gossip.pyramid.com (5.61/OSx5.1a Pyramid-Internet-Gateway) id AA19941; Tue, 24 May 94 08:04:09 -0700 Received: by sword.eng.pyramid.com (5.61/Pyramid_Internal_Configuration) id AA11084; Tue, 24 May 94 08:04:53 -0700 Date: Tue, 24 May 94 08:04:53 -0700 From: pauld@pyramid.com (Paul Daw) Message-Id: <9405241504.AA11084@sword.eng.pyramid.com> To: firewalls@greatcircle.com Subject: Allowing Magic Kingdom Access. Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk I spoke to Brent about this at the computer literacy Firewalls lecture last week (thanks for the input, Brent!) but I wanted to throw this out for comments. We are currently using a firewall configuration that consists of the TCP wrapper and SOCKS, and we have done all of the right things with regard to packet forwarding, disabling of unnecessary services, etc. On occasion, engineers and customer support folk from our site go out into the big bad world, and want to get back into the network via the Internet connection. There are some obvious advantages to this - cost, convenience and speed being the most significant. This activity is usually done from a customer site that is connected to the Internet. Brent's suggestion was to go ahead and allow this (i.e. enable the specific IP address from the internet to get through the wrapper to telnetd,) using a one time password, smart card or challenge response system to protect the family jewels. This seems like a good first step, but after sitting around drinking beer and eating pizza with the other security paranoids in the sysadm group here, we saw a second potential problem. 
Since these people are at customer sites, there is a real potential for local eavesdropping. While the one-time-password scheme protects the firewall from intrusion, it doesn't protect all of the internal machines that the user might log into once he is on the gateway, and those passwords will still be sent in the clear. The Internet gateway isn't the only way in, and there is a possibility that the passwords used on internal machines might also be used on modem servers and the like. It seems like the only safe way to do this is to actually give the remote user an encrypted telnet capability so that even the clear passwords aren't sniffable at the remote site. Given this, I have two questions: 1) Am I *too* paranoid about all of this? Are we going too far? 2) If not, what are the restrictions for running encrypted telnet in other countries? Should we be concerned about this? Comments Appreciated. Paul Daw, Pyramid Technology Corporation From firewalls-owner Tue May 24 16:02:44 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA22118; Tue, 24 May 1994 16:02:44 GMT Received: from relay.tis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA22112; Tue, 24 May 1994 09:02:06 -0700 Received: by relay.tis.com id AA11705; Tue, 24 May 94 12:01:56 EDT Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3mjr) id sma011703; Tue May 24 12:01:04 1994 Received: from otter.tis.com by tis.com (4.1/SUN-5.64) id AA23767; Tue, 24 May 94 12:00:13 EDT Date: Tue, 24 May 94 12:00:13 EDT From: Marcus J Ranum Message-Id: <9405241600.AA23767@tis.com> To: firewalls@GreatCircle.COM, pauld@pyramid.com Subject: Re: Allowing Magic Kingdom Access. Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk >Since these people are at customer sites, there is a real potential for >local eavesdropping. 
While the one-time-password scheme protects the >firewall from intrusion, it doesn't protect all of the internal >machines that the user might log into once he is on the gateway, and >those passwords will still be sent in the clear. The Internet gateway >isn't the only way in, and there is a possibility that the passwords >used on internal machines might also be used on modem servers and the >like. What you really need to do is make sure that the same level of access control is (within reason) applied across the board. If your only internet access route is through the firewall, and it requires strong authentication (challenge/response or one time) then you theoretically don't have to worry about disclosing internal passwords. However, if, as you say, those passwords might also be used on dialup terminal servers, then you might want to consider either securing your terminal servers the same way, or encouraging your users to have different terminal server passwords. The latter isn't particularly strong. Generally, you want to make sure you've got a consistent level of security around your perimeter. So if you're paranoid enough to require strong authentication for incoming internet accesses (you should be) you should also consider being paranoid enough to require it for dialin. Sometimes practicality and business considerations may make it too unattractive and you need to just identify that threat as a residual risk, keep your eye on it, and proceed with business as usual. Figure out where you're most likely to be attacked from and block it first (direct internet password sniffs is a good bet) and then worry about the other stuff. >It seems like the only safe way to do this is to actually give the >remote user an encrypted telnet capability so that even the clear >passwords aren't sniffable at the remote site. This means that the remote site will need to have a copy of your encrypting telnet, and will have to be capable of running it. 
I.e.; it can't be a terminal server or something dumb like that. Also, if you're getting *that* paranoid, consider that the remote machine itself could be logging your keystrokes in the tty driver, either by someone scanning clists or by a hacked kernel... That's paranoid for you. :) But make sure that the level of attack you're worrying about resisting is consistent. Someone who might sniff your password and telnet into you isn't necessarily going to go to the effort to tap your phone, or social engineer your modem pool numbers out of your secretaries, or whatever. mjr. From firewalls-owner Tue May 24 16:25:35 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA22284; Tue, 24 May 1994 16:25:35 GMT Received: from jpmorgan by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA22269; Tue, 24 May 1994 09:25:05 -0700 From: yerkes_chuck@jpmorgan.com Received: by jpmorgan (8.6.4/fma-120691.2); id MAA15538; Tue, 24 May 1994 12:26:02 -0400 Received: from athena1.lsi.ny.jpmorgan.com (athena1.lsi.ny.jpmorgan.com [146.149.246.28]) by tcpg01a.ny.jpmorgan.com (8.6.4/cjy.sub.1.0) with ESMTP id MAA20471; Tue, 24 May 1994 12:26:02 -0400 Received: from delacroix.lsi.ny.jpmorgan.com by athena1.lsi.ny.jpmorgan.com with SMTP id MAA26371; Tue, 24 May 1994 12:26:01 -0400 Received: by delacroix.lsi.ny.jpmorgan.com (4.1/4.7) id AA11685; Tue, 24 May 94 12:26:00 EDT Date: Tue, 24 May 94 12:26:00 EDT Message-Id: <9405241626.AA11685@delacroix.lsi.ny.jpmorgan.com> To: pauld@pyramid.com Subject: Re: Allowing Magic Kingdom Access. Cc: firewalls@greatcircle.com Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > Date: Tue, 24 May 94 08:04:53 -0700 > From: pauld@pyramid.com (Paul Daw) > ...> we saw a second potential problem. > > Since these people are at customer sites, there is a real potential for > local eavesdropping. 
While the one-time-password scheme protects the > firewall from intrusion, it doesn't protect all of the internal > machines that the user might log into once he is on the gateway, and > those passwords will still be sent in the clear. The Internet gateway > isn't the only way in, and there is a possibility that the passwords > used on internal machines might also be used on modem servers and the > like. A firewall isn't a firewall if there are holes elsewhere. Protect modem servers with one-time passwords (skey,secure-id,etc). Protect any perimeter accesses. If my car's Firewall (that barrier between the engine and me) had a hole at the passenger seat, then it's not being a firewall. It's just preventing access from that point. Same for your setup. > It seems like the only safe way to do this is to actually give the > remote user an encrypted telnet capability... > 1) Am I *too* paranoid about all of this? Are we going too far? You can never be too paranoid. Just don't act it or They'll notice ;). It's not practical to give out a disk with a new version of telnet for every platform that your people might be on. I've done field work and logged in through PCs and Mac and Sun's and VMS machines - whatever the client had that was on the Internet. Often I wouldn't have been allowed to put a binary onto their machine. > 2) If not, what are the restrictions for running encrypted telnet > in other countries? Should we be concerned about this? You SHOULD be concerned about this. Phil Zimmerman (PGP) can tell you about the government's lack of appreciation for exported encryption tools. But mostly, it's not practical. Nonetheless, onward through the fog... Clear text passwords are not viable in the networked world we live in so here's an idea: How about when you log in (with a one time password or sitting at the local machine), you get something that proves it's you - let's call it, I know, a "ticket". Then when you access other machines, telnetd or rlogind look for a ticket.
If you have none, it asks for passwords or rejects you. If an authenticated user is not allowed on a particular machine, it rejects you. This way there are no passwords used, even on the local net - you get authenticated by the machine you come in through. When you come in from outside (modem, Internet, any perimeter crossing way), you use a one time password and get authenticated. This is Kerberos. It can be very useful for this kind of problem. Chuck From firewalls-owner Tue May 24 10:11:26 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA22782; Tue, 24 May 1994 16:57:55 GMT Received: from netcomsv.netcom.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA22768; Tue, 24 May 1994 09:57:23 -0700 Received: from sgsjsco.sextantgroup.com by netcomsv.netcom.com with ESMTP (8.6.4/SMI-4.1) id JAA25504; Tue, 24 May 1994 09:58:29 -0700 Received: from smtplink.sextantgroup.com by sgsjsco.sextantgroup.com with SMTP (8.6.8.1/1.2-eef) id JAA22719; Tue, 24 May 1994 09:56:04 -0700 Received: from ccMail by smtplink.sextantgroup.com id AA769799278 Tue, 24 May 94 10:07:58 PST Date: Tue, 24 May 94 10:07:58 PST From: "Rhett, Joe" Message-Id: <9404247697.AA769799278@smtplink.sextantgroup.com> To: "\"\"Andrew R. Reese - LAN Coordinator\"\"" , Firewalls@GreatCircle.Com Subject: Re[2]: Network Sniffer Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Re: Can a sniffer view packets on a different subnet. Actually, that is incorrect. A Sniffer looks at all packets moving across any particular network segment. IP Networks/SubNetworks are absolutely irrelevant in this regard. It is actually a matter of physical network connectivity, and regardless of IP network addressing. -On the other hand- if you were equating a physical network with an IP network, then you are correct. I do apologize, however, what you said and what you meant don't necessarily map one-to-one. 
______________________________ Reply Separator _________________________________ Subject: Re: Network Sniffer Author: "\"\"Andrew R. Reese - LAN Coordinator\"\"" I believe that the listening device has to be on the subnet that it wants to listen to. Sniffer can snoop all packets that come across the subnet, even filter on specific contents. However, not across subnets. You can use something like HP-LanProbe with a probe on your important subnets. Then from the management console you can collect packets and review them remotely. From firewalls-owner Tue May 24 17:58:39 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA23416; Tue, 24 May 1994 17:58:39 GMT Received: from kssib.ksc.nasa.gov by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA23409; Tue, 24 May 1994 10:58:12 -0700 Received: from escact.ksc.nasa.gov by kssib.ksc.nasa.gov with SMTP (5.65/25-eef) id AA09136; Tue, 24 May 94 13:59:15 -0400 Received: by escact.ksc.nasa.gov.ksc.nasa.gov (4.1/SMI-4.1) id AA05419; Tue, 24 May 94 13:58:19 EDT Date: Tue, 24 May 94 13:58:19 EDT From: mark@escact.ksc.nasa.gov (Mark E. Gibbons) Message-Id: <9405241758.AA05419@escact.ksc.nasa.gov.ksc.nasa.gov> To: firewalls@GreatCircle.COM Subject: Re: Allowing Magic Kingdom Access. Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk pauld@pyramid.com (Paul Daw) (apparently) writes: . . . stuff deleted . . . > > 1) Am I *too* paranoid about all of this? Are we going too far? I don't think so, you have to "guess" how much of a threat you have. We are concerned enough that I have hacked together a script set for use while off base. I create an account on a machine not normally accessible from the outside world, which is not my "usual" username. An expect script changes my password each time I login. I forward my mail to the new account & put files I may need into it also. I have someone on-site allow access the day before I need it & disable it the day I am done.
This is not perfect, but any little bit helps. If anyone wants details I will give you an outline of what I do. > Comments Appreciated. > > Paul Daw, Pyramid Technology Corporation > > meg ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: mark e. gibbons mark@luke.ksc.nasa.gov M.S. INI-18 (v)407.867.4847 mark-gibbons@ksc.nasa.gov Kennedy Space Center, (f)407.867.4079 Florida 32899 "it isn't paranoia if people are really out to get you." From firewalls-owner Tue May 24 11:01:26 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA23384; Tue, 24 May 1994 17:52:11 GMT Received: from uai.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA23378; Tue, 24 May 1994 10:51:49 -0700 Received: from hp.uai.com by uai.com with SMTP id AA02966 (5.65c/IDA-1.4.4 for ); Tue, 24 May 1994 10:52:32 -0700 From: "Mark R. Ludwig" Received: by hp.uai.com id ; Tue, 24 May 94 10:52:30 -0700 Message-Id: <9405241752.AA05581@hp.uai.com> To: pauld@pyramid.com (Paul Daw) Cc: firewalls@greatcircle.com Subject: Re: Allowing Magic Kingdom Access. In-Reply-To: <9405241504.AA11084@sword.eng.pyramid.com> from "Paul Daw" on Tue, 24 May 1994 08:04:53 PDT. X-Mailer: MH [Version 6.8] Date: Tue, 24 May 1994 10:52:27 -0700 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk >>>>> On Tue, 24 May 94 08:04:53 -0700, pauld@pyramid.com (Paul Daw) said: |> Brent's suggestion was to go ahead and allow this (i.e. enable the specific |> IP address from the internet to get through the wrapper to telnetd,) using |> a one time password, smart card or challenge response system to protect the |> family jewels. This seems like a good first step, but after sitting around |> drinking beer and eating pizza with the other security paranoids in the |> sysadm group here, we saw a second potential problem. |> |> Since these people are at customer sites, there is a real potential for |> local eavesdropping. 
While the one-time-password scheme protects the |> firewall from intrusion, it doesn't protect all of the internal |> machines that the user might log into once he is on the gateway, and |> those passwords will still be sent in the clear. The Internet gateway |> isn't the only way in, and there is a possibility that the passwords |> used on internal machines might also be used on modem servers and the |> like. I haven't heard anything about putting S/Key together with Kerberos, yet, so perhaps it's either not possible or unwise, but that would do it. Give the next key in sequence to authenticate your Kerberos identity.$$ -- INET: Mark-Ludwig@UAI.COM NIC: ML255 ICBM: USA; Lower Left Coast "Cigarettes ... are not a drug." -- Tom Lorea from the Tobacco Institute From firewalls-owner Tue May 24 20:09:15 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA24401; Tue, 24 May 1994 20:09:15 GMT Received: from anon.penet.fi by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA24395; Tue, 24 May 1994 13:08:49 -0700 Received: by anon.penet.fi (5.67/1.35) id AA00622; Tue, 24 May 94 22:44:04 +0300 Message-Id: <9405241944.AA00622@anon.penet.fi> To: firewalls@greatcircle.com From: an35331@anon.penet.fi X-Anonymously-To: firewalls@greatcircle.com Organization: Anonymous contact service Reply-To: an35331@anon.penet.fi Date: Tue, 24 May 1994 19:44:02 UTC Subject: No subject Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Apologies for the anon posting, but I'm not entirely confident of my present firewall strategy (but that's fodder for another thread...). Hence my paranoia. I had tried to follow up on Ray Kaplan's posting for ordering the hot new book by Bill Cheswick and Steve Bellovin: Firewalls and Internet Security - Repelling the Wily Hacker. ISBN 0-201-63357-4. Unfortunately, the two "800" numbers he gives don't work in Canada (at least not in the Toronto area). 
Response from bexpress@aw.com was sluggish, but at least they gave me an 800 fax number. They haven't responded to my subsequent request for a voice number that I can actually get through to.... At any rate, I jotted a few lines down and faxed them to the new fax number. Much to my delight, I received a phone call from a Rhonda Sharp of Addison-Wesley who was more than helpful. Naturally I placed my order right away. I realize that Ray's message said that the book sold for $26.95, I presume in US dollars. Interestingly, the book sells up here for the same price, in Canadian funds. This price includes shipping. :-) The fax number for my fellow Canucks is 800-465-0536. You can also reach Rhonda at either rhondas@aw.com or 416-442-3219. Hope someone else finds this helpful. ------------------------------------------------------------------------- To find out more about the anon service, send mail to help@anon.penet.fi. Due to the double-blind, any mail replies to this message will be anonymized, and an anonymous id will be allocated automatically. You have been warned. Please report any problems, inappropriate use etc. to admin@anon.penet.fi. From firewalls-owner Tue May 24 20:22:30 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA24523; Tue, 24 May 1994 20:22:30 GMT Received: from uxc.cso.uiuc.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA24517; Tue, 24 May 1994 13:22:23 -0700 Received: by uxc.cso.uiuc.edu id AA06165 (5.67b8/IDA-1.5 for firewalls@GreatCircle.COM); Tue, 24 May 1994 15:23:28 -0500 Date: Tue, 24 May 1994 15:23:28 -0500 From: Paul Pomes Message-Id: <199405242023.AA06165@uxc.cso.uiuc.edu> To: firewalls@GreatCircle.COM Subject: University firewalls - where? Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk I'm interested in learning which universities have installed firewalls. Where were the firewall(s) placed? How tight are they (innocent till proven guilty or vice-versa)? 
What policy goals do they implement? Replies to me will be summarized in a few days time. /pbp -- Academic politics is the most vicious and bitter form of politics, because the stakes are so low. -- Wallace Sayre From firewalls-owner Tue May 24 20:43:51 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA24662; Tue, 24 May 1994 20:43:51 GMT Received: from jpmorgan by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA24656; Tue, 24 May 1994 13:43:44 -0700 From: yerkes_chuck@jpmorgan.com Received: by jpmorgan (8.6.4/fma-120691.2); id QAA22566; Tue, 24 May 1994 16:45:09 -0400 Received: by tcpg01a.ny.jpmorgan.com.ny.jpmorgan.com (8.6.9/fma-120691); id QAA27207; Tue, 24 May 1994 16:45:08 -0400 Received: from delacroix.lsi.ny.jpmorgan.com by athena1.lsi.ny.jpmorgan.com with SMTP id QAA28296; Tue, 24 May 1994 16:45:08 -0400 Received: by delacroix.lsi.ny.jpmorgan.com (4.1/4.7) id AA12524; Tue, 24 May 94 16:45:06 EDT Date: Tue, 24 May 94 16:45:06 EDT Message-Id: <9405242045.AA12524@delacroix.lsi.ny.jpmorgan.com> To: pauld@pyramid.com, Mark-Ludwig@uai.com Subject: S/Key and Kerberos Cc: firewalls@GreatCircle.COM Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > From Mark-Ludwig@uai.com Tue May 24 14:54:59 1994 > From: "Mark R. Ludwig" > To: pauld@pyramid.com (Paul Daw) > Cc: firewalls@GreatCircle.COM > Subject: Re: Allowing Magic Kingdom Access. > > > I haven't heard anything about putting S/Key together with Kerberos, > yet, so perhaps it's either not possible or unwise, but that would do > it. Give the next key in sequence to authenticate your Kerberos > identity.$$ It's possible. I just had a conv. with someone who sez, "Jeff Schiller at MIT integrated S/Key and Kerberos. It was posted to the kerberos@mit.edu list a while back ...."
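The hash-chain one-time password that Paul Daw, Mark Ludwig and Chuck have been discussing under the name S/Key, as an added example that is not code from any of the posters and is not wire-compatible with real S/Key (RFC 1760 uses a 64-bit MD4 fold and a six-word encoding; this uses SHA-256 on raw bytes to show the mechanism). The user name, passphrase and seed below are constructed for the demo.

```python
"""Hash-chain one-time passwords in the S/Key style.

Added example for this thread, not code from any poster. Real S/Key (RFC 1760)
uses a 64-bit MD4 fold and six-word encoding; this uses SHA-256 and raw bytes,
so it shows the mechanism rather than the wire format. The user name, the
passphrase and the seed are constructed for the demo."""
import hashlib


def hash_chain(secret: bytes, n: int) -> bytes:
    """Apply the one-way function n times: h^n(secret)."""
    value = secret
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value


class OtpServer:
    """Holds, per user, the sequence number and the last accepted chain value.
    The passphrase never reaches the server, so a copy of this table does not
    by itself let anyone log in."""

    def __init__(self):
        self.db = {}
        self.log = []

    def enrol(self, user: str, seq: int, top_of_chain: bytes) -> None:
        self.db[user] = (seq, top_of_chain)

    def challenge(self, user: str) -> int:
        """Sequence number the client must answer for (sent in the clear)."""
        return self.db[user][0] - 1

    def login(self, user: str, response: bytes) -> bool:
        seq, last = self.db[user]
        if seq <= 1:
            self.log.append(f"{user}: chain exhausted, re-enrol")
            return False
        # Verify h(response) == stored value; the server never needs the secret.
        if hashlib.sha256(response).digest() != last:
            self.log.append(f"{user}: rejected at seq {seq - 1}")
            return False
        self.db[user] = (seq - 1, response)   # step down the chain
        self.log.append(f"{user}: accepted seq {seq - 1}")
        return True


def client_response(secret: bytes, seq: int) -> bytes:
    """What the user's calculator (or printed list) yields for challenge seq."""
    return hash_chain(secret, seq)


def demo():
    """Enrol, log in twice, and replay a sniffed response in between."""
    secret = b"correct horse battery staple" + b"seed4711"  # passphrase + seed, constructed
    server = OtpServer()
    server.enrol("paul", 100, hash_chain(secret, 100))

    first = client_response(secret, server.challenge("paul"))   # h^99
    ok_first = server.login("paul", first)

    # An eavesdropper at the customer site captured `first` and replays it.
    ok_replay = server.login("paul", first)

    second = client_response(secret, server.challenge("paul"))  # h^98
    ok_second = server.login("paul", second)
    return ok_first, ok_replay, ok_second


if __name__ == "__main__":
    print(demo())   # expected (True, False, True)
```

The replay in the middle of demo() is the case Paul was worried about: the value a sniffer captured hashes to the previous chain value, not the current one, so it is refused. What the scheme does not do is protect anything typed after the login, which is why the thread moves on to Kerberos tickets.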
From firewalls-owner Tue May 24 21:15:55 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA24960; Tue, 24 May 1994 21:15:55 GMT Received: from seas.smu.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA24954; Tue, 24 May 1994 14:15:48 -0700 Received: by seas.smu.edu (/\==/\ Smail3.1.28.1 #28.31) id ; Tue, 24 May 94 16:17 CDT Received: by seas.smu.edu (/\==/\ Smail3.1.28.1 #28.28 63.63.63.hyper_f) id ; Tue, 24 May 94 16:17 CDT Message-Id: From: doug@seas.smu.edu (Doug Davis) Subject: Re: University firewalls - where? To: P-Pomes@uiuc.edu (Paul Pomes) Date: Tue, 24 May 1994 16:17:10 -0500 (CDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <199405242023.AA06165@uxc.cso.uiuc.edu> from "Paul Pomes" at May 24, 94 03:23:28 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1154 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > > I'm interested in learning which universities have installed firewalls. Hello > Where were the firewall(s) placed? On the network ( ;-) ) Specifically, between the SEAS networks and the rest of the world. > How tight are they (innocent till proven guilty or vice-versa)? Very. Access thru it is limited to a few ip sockets, I can provide a list if you want. > What policy goals do they implement? reduced hacking, and monitoring of network traffic. We log all connections and produce summaries by users. (if outbound) (inbound connections are logged) In order to establish a connection on a non-standard ip port a user must make a request in the form of localmachine->destinationmachine & port This summary information provides increased awareness of what traffic is actually going on, as well as the "hacking attempts" It's amazing how many rejects we do over a month on port 111.
We also force all incoming connections to have an inverse-A record for their origination hosts and encourage the usage of pident. > Replies to me will be summarized in a few days time. Please send me a copy. If you need more information let me know. From firewalls-owner Wed May 25 01:39:15 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id BAA26185; Wed, 25 May 1994 01:39:15 GMT Received: from cs.umb.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id SAA26179; Tue, 24 May 1994 18:39:00 -0700 Received: from terminus.cs.umb.edu by cs.umb.edu with SMTP id AA01351 (5.65c/IDA-1.4.4 for ); Tue, 24 May 1994 21:40:12 -0400 Message-Id: <199405250140.AA01351@cs.umb.edu> To: pauld@pyramid.com (Paul Daw) Cc: firewalls@greatcircle.com Subject: Re: Allowing Magic Kingdom Access. In-Reply-To: Your message of "Tue, 24 May 1994 08:04:53 PDT." <9405241504.AA11084@sword.eng.pyramid.com> Date: Tue, 24 May 1994 21:40:10 -0400 From: "John P. Rouillard" Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk In message <9405241504.AA11084@sword.eng.pyramid.com>, Paul Daw writes: > We are currently using a firewall configuration that consists of the > TCP wrapper and SOCKS, and we have done all of the right things with > regard to packet forwarding, disabling of unnecessary services, etc. > > On occasion, engineers and customer support folk from our site go out > into the big bad world, and want to get back into the network via the > Internet connection. There are some obvious advantages to this - cost, > convenience and speed being the most significant. This activity is > usually done from a customer site that is connected to the Internet. > > Brent's suggestion was to go ahead and allow this (i.e. enable the specific > IP address from the internet to get through the wrapper to telnetd,) using > a one time password, smart card or challenge response system to protect the > family jewels.
This seems like a good first step, but after sitting around > drinking beer and eating pizza with the other security paranoids in the > sysadm group here, we saw a second potential problem. > > Since these people are at customer sites, there is a real potential for > local eavesdropping. While the one-time-password scheme protects the > firewall from intrusion, it doesn't protect all of the internal > machines that the user might log into once he is on the gateway, and > those passwords will still be sent in the clear. The Internet gateway > isn't the only way in, and there is a possibility that the passwords > used on internal machines might also be used on modem servers and the > like. I never (well almost never) set up a real telnet capability onto the firewall. Set up the tcp wrapper with a twist option that opens a telnet connection to the authentication machine on the inner net (you can probably use the TIS plug-gw (I think that is the tool) for this). Then the single use password authentication is done on an internal machine. Once that is done, use rlogin (you do allow rsh/rlogin for all internal machines right?) to get from machine to machine. Also, what I have also done is the following: Internet -> gateway -> internal machine @ port 2300 I use the tcp wrapper on internal machines so that any telnet/rlogin connections from the gateway cause the internet connection to be severed. The connection at port X (2300 in this example) is the only safe conduit for telnet from the outside to the inside anything else triggers the network shutdown. This trick won't get crackers that really know what they are doing since they will sit on the firewall and wait for somebody to open a real connection and watch the ports etc that are used to create a safe conduit (or they will just look around the configuration files and dope it out for themselves), but it will trip up less sophisticated crackers. 
While counting on obscurity to provide security is a bad idea, there is nothing to say that a little obscurity won't make your chances a bit better.

Also for the new skey from crimelab.com I have a set of patches for the replacement login program that will drop into skey request mode if the password is "secret". This way I can always get an skey authentication even if I am coming from a host that normally wouldn't require an skey authentication. This assumes that the engineers that you have coming in across the internet will voluntarily choose to use skey instead of regular passwords.

(As an aside, you should probably consider requiring single use passwords when logging into any machine from an "external" connection, terminal servers, with modems, modems directly on a computer etc. Harden the perimeter so that all sessions on your computers start with a single use password authentication. People can hop from computer to computer inside your perimeter using rsh/rlogin or telnet with regular passwords if they want (modulo eavesdropping problems) but to get a foothold on one of your computers they must provide the proper single use key.)

> It seems like the only safe way to do this is to actually give the
> remote user an encrypted telnet capability so that even the clear
> passwords aren't sniffable at the remote site. Given this, I have
> two questions:
>
> 1) Am I *too* paranoid about all of this? Are we going too far?

No. Passwords that are used internally should never go over the net. Have the single use password authentication connect through the firewall host so the authentication occurs on a "trusted" (rsh/rlogin) machine on the internal net. You can also require double authentication, once on the firewall and once on the internal machine, although this gets tedious to use if you make lots of short connections.

> 2) If not, what are the restrictions for running encrypted telnet
> in other countries? Should we be concerned about this?
I don't think this is an option. As a sysadmin I wouldn't let you install some random binary on any system I administered. Also who is to say that the box for which you have the encrypted-telnet binary is allowed to connect to the outside world? -- John John Rouillard Senior Systems Consultant (SERL Project) University of Massachusetts at Boston rouilj@cs.umb.edu (preferred) Boston, MA, (617) 287-6480 ============================================================================== My employers don't acknowledge my existence much less my opinions. From firewalls-owner Wed May 25 06:01:33 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA29598; Wed, 25 May 1994 12:48:51 GMT Received: from bronze.lcs.mit.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id FAA29587; Wed, 25 May 1994 05:48:40 -0700 Received: by bronze.lcs.mit.edu id AA11599; Wed, 25 May 94 08:49:43 EDT Date: Wed, 25 May 94 08:49:43 EDT From: hobbit@bronze.lcs.mit.edu (*Hobbit*) Message-Id: <9405251249.AA11599@bronze.lcs.mit.edu> To: firewalls@greatcircle.com Subject: requiring PTR records Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk While at FTP, I went around tcpd-izing machines, and had configured tcpd on the "accessible" machines to require valid DNS PTRs as well as matching As. A lot of people thought this was horribly restrictive. My argument was that we wanted to only accept connections from machines for which *someone* had taken responsibility by placing them in their DNS files, which doesn't buy you all that much when it still lets in things like "public-dialup-port6.boston-ppp. psi.net" ... Since there wasn't really any stated policy one way or the other, it was just a perpetual pissing fight. 
_H*

From firewalls-owner Wed May 25 13:35:42 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA29969; Wed, 25 May 1994 13:35:42 GMT Received: from vaxb.acs.uwlax.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id GAA29952; Wed, 25 May 1994 06:34:49 -0700 Received: from VMSmail by vaxb.acs.uwlax.edu; Wed, 25 May 94 08:36 CDT Message-Id: <24052508362877@vaxb.acs.uwlax.edu> Date: Wed, 25 May 94 08:36 CDT From: MICHAEL NITTMANN Subject: Re: Allowing Magic Kingdom Access To: firewalls@greatcircle.com X-VMS-To: IN%"firewalls@greatcircle.com" Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk

Some thoughts of mine:

Mark E. Gibbons proposed a scheme where a script on a 'normally not accessible' machine changes his password. This is, I would say, a violation of the first principle of any security: do not write your pw anywhere, especially not on storage media.

We have the problem of 'magic kingdom access' too, and it will become really wild when we open up to functions via the Internet. I rule out 'protection' through obscurity. As most agree, mere IP address discrimination is not a protection, the address can be spoofed, e.g. from router tables, and is public. Dial in via a provider is an option we pursue: the dial nodes are PPP nodes within an IP network. Again: can be spoofed by inspecting routing tables.

The only valid protection is here in my opinion a dual mode protection: knowledge and possession: the user must know a password, and possess a one time token that allows authentication on the target hosts within the private network, that are accessible from the outside. How do I possess a one time token: the most simple thing is a password list of one time passwords. Disadvantage: most people strike out the ones used and do not use the proper matrix algorithm each time to retrieve the next password. Periodic schemes (one for each day) are out, I would say. Disadvantage: written down passwords.
Possession of a one time password generator (Enigma, SecurID): that's probably the best solution for access authentication. This is the smartcard thing where time synchronized number generators generate an access key on the remote user's smart card, and in sync (with some tolerance for variation) the same calculation takes place on the authentication host. Authentication is done by a physically secured machine within the network, the traffic between the authentication client (host to be accessed) and the authentication server is encrypted (don't choose DES if you expect overseas clients to be authenticated centrally too).

Just: ... don't write it down, no matter in what form, no matter on what storage. Hand scribble is btw. way more secure than binary information on a harddisk. I don't think that Mark's 'normally inaccessible' host has security on disk block level. Probably anyone could get a handle request to his block where the passwords are, if the person may use NFS, as an example.

The best scheme for 'magic kingdom access' is for me: authentication by means of a partially known and partially one time generated key towards Kerberos, key distribution within Kerberos tickets, and PGP for all traffic between public and private network (PGP is RSA in US and Canada, public domain elsewhere since it is the result of a publicly published research effort, not 'exported'). Key length can vary dependent on the key validity interval.

A pointer to good security info (the 'don't write it down'): get on the mailing list of the NSA. The last document issued details security testing and evaluation. Although most of it is for government stuff and beyond scope for 'normal' people, the NSA documents contain very useful info from people who know it.

I got on the list by writing to:

INFOSEC Awareness Division
ATTN: X711/IAOC
Ft. George G. Meade, MD 20755-6000
(410) 766 8729 Barbara Keller

this was in '92, maybe the address changed.
Mike From firewalls-owner Wed May 25 14:24:18 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA00321; Wed, 25 May 1994 14:24:18 GMT Received: from MVSA.ADMIN.UCALGARY.CA by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id HAA00315; Wed, 25 May 1994 07:24:09 -0700 Message-Id: <199405251424.HAA00315@mycroft.GreatCircle.COM> Received: from UCDASVM1.ADMIN.UCALGARY.CA by MVSA.ADMIN.UCALGARY.CA (IBM MVS SMTP V2R2.1) with BSMTP id 5541; Wed, 25 May 94 08:25:13 MST X-Delivery-Notice: SMTP MAIL FROM does not correspond to sender. Received: from UCDASVM1 (62623) by UCDASVM1.ADMIN.UCALGARY.CA (Mailer R2.07) with BSMTP id 5229; Wed, 25 May 94 08:25:19 GMT Date: Wed, 25 May 94 08:25:11 MDT From: Don Barker <62623@UCDASVM1.ADMIN.UCALGARY.CA> Subject: Firewalls and Internet Security To: Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk FROM: Don Barker Department of Administrative Systems, University of Calgary phone (403) 220-5441 fax (403) 282-9361 Hello this is a follow up regarding a 1-800 number for Addison Wesley publishers in Canada. This is the publisher that carries the new book Firewalls and Internet Security which Ray Kaplan had mentioned. The number is 1-800-387-8028 for the rest of you Canadians. Regards Don. 
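The PTR/A cross-check Hobbit describes (and the inverse-A requirement mentioned at the top of this digest) is what tcpd does in its PARANOID mode: resolve the client address to a name, resolve that name back, and insist the original address is among the answers. The block below is an added example, not code from any poster here or from the tcp_wrappers package; it implements that check in Python against constructed lookup tables (names under example.net and addresses from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24, all made up for the example) so it runs offline, and adds the domain allow-list that Hobbit notes a bare PTR requirement does not give you.

```python
# Forward-confirmed reverse DNS (tcpd PARANOID style) plus a domain allow-list.
# Added example; the tables below are constructed stand-ins for the DNS.
# A real deployment would call socket.gethostbyaddr() and socket.getaddrinfo().

PTR_RECORDS = {
    "192.0.2.10": "bastion.example.net",                    # PTR and A agree
    "192.0.2.11": "mail.example.net",                       # PTR name maps elsewhere
    "198.51.100.7": "public-dialup-port6.example-ppp.net",  # consistent, but a dialup pool
}
A_RECORDS = {
    "bastion.example.net": ["192.0.2.10"],
    "mail.example.net": ["192.0.2.20"],
    "public-dialup-port6.example-ppp.net": ["198.51.100.7"],
}


def paranoid_check(ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """Return (ok, hostname_or_reason).

    ok is True only when the address has a PTR record and the name it
    yields resolves (A records) back to the same address. A name that
    maps elsewhere is treated as hostile rather than merely unknown,
    because the PTR zone is controlled by whoever holds the client's
    address block, not by you.
    """
    name = ptr.get(ip)
    if name is None:
        return False, "no PTR record"
    if ip not in a.get(name, []):
        return False, "PTR name %s does not resolve back to %s" % (name, ip)
    return True, name


def in_allowed_domain(hostname, allowed_suffixes):
    """True when hostname is exactly one of the allowed domains or below it."""
    h = hostname.lower().rstrip(".")
    for suffix in allowed_suffixes:
        s = suffix.lower().strip(".")
        if h == s or h.endswith("." + s):
            return True
    return False


def access_decision(ip, allowed_suffixes=("example.net",), ptr=PTR_RECORDS, a=A_RECORDS):
    """Combine both checks into an access verdict: 'allow' or 'deny: <reason>'."""
    ok, info = paranoid_check(ip, ptr, a)
    if not ok:
        return "deny: " + info
    if not in_allowed_domain(info, allowed_suffixes):
        return "deny: %s is not in an allowed domain" % info
    return "allow"


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.11", "198.51.100.7", "203.0.113.9"):
        print(client, "->", access_decision(client))
```

The suffix match is anchored on a dot so that `example.net.evil.org` does not pass for `example.net`; that is the usual mistake in hand-written hostname allow-lists.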
From firewalls-owner Wed May 25 14:38:18 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA00434; Wed, 25 May 1994 14:38:18 GMT Received: from seraph.uunet.ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id HAA00428; Wed, 25 May 1994 07:38:05 -0700 Received: from elegant by mail.uunet.ca with UUCP id <116414-4>; Wed, 25 May 1994 10:39:10 -0400 Received: by elegant (Smail3.1.28.1 #2) id m0q6Jtk-0004nkC; Wed, 25 May 94 10:25 EDT Message-Id: From: jmm@Elegant.COM (John Macdonald) Date: Wed, 25 May 1994 10:25:32 -0400 Newsgroups: mail.firewalls In-Reply-To: <9405241504.AA11084@sword.eng.pyramid.com> Organization: ECI X-Mailer: Mail User's Shell (7.2.4 2/2/92) To: firewalls@GreatCircle.COM, pauld@pyramid.com Subject: Re: Allowing Magic Kingdom Access. Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk In article <9405241504.AA11084@sword.eng.pyramid.com> Paul Daw writes: |On occasion, engineers and customer support folk from our site go out |into the big bad world, and want to get back into the network via the |Internet connection. There are some obvious advantages to this - cost, |convenience and speed being the most significant. This activity is |usually done from a customer site that is connected to the Internet. | [ ... ] | |It seems like the only safe way to do this is to actually give the |remote user an encrypted telnet capability so that even the clear |passwords aren't sniffable at the remote site. Given this, I have |two questions: | |1) Am I *too* paranoid about all of this? Are we going too far? | |2) If not, what are the restrictions for running encrypted telnet | in other countries? Should we be concerned about this? (Hi Paul :-) If you are going to do this, then you have to worry about the difficulty of setting up such an encrypted telnet capability at the customer's site. 
In your case, you could "just" add the encrypted telnet function to the standard OS release and then after it gets out into the field, you'd be set (subject to the export regulations you were rightly worrying about). For people who have immediate needs, or who can't add things to the OS release for their customers another approach is needed.

Taking a tape and compiling the encrypted telnet application is one possibility. Equipping the travelling engineers with a portable machine that already has the application installed is another. In either case, there might be security concerns on the part of the customer - access to a tape drive and compiling a program is not such a concern, but attaching a new outside machine to the company's internal network might be a real concern. (Although, if the customer is already letting your engineers connect out through the network, the main extra exposure in an internally connected machine is the increased bandwidth available for potential misuse - while a connected portable machine could run some sort of data collection in the background, so could the encrypted telnet application.)

Either method has a certain amount of activity required before the engineer can get around to doing their real job. (Either finding a compatible tape drive, compiler, and account to use, and building the application, or else setting up a network address and telling the rest of the network about it, including setting up any tighter than normal restrictions.) The portable machine has the significant advantage that the engineer can take along their standard environment - preferred shell, utility functions, window manager, etc. - and be able to use some of these in their activity on behalf of the customer.
This is an approach that can be very useful as long as your relationship with the customer is such that they can extend a significant degree of trust to your engineers - that is more of a business/political/personal concern than a technical one, as many security issues are.

--
That is 27 years ago, or about half an eternity in | John Macdonald
computer years. - Alan Tibbetts                     | jmm@Elegant.COM

From firewalls-owner Wed May 25 08:31:34 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA00757; Wed, 25 May 1994 15:23:22 GMT Received: from rockwell.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id IAA00751; Wed, 25 May 1994 08:23:11 -0700 From: MSKRAUSE@rockwell.com Message-Id: <199405251523.IAA00751@mycroft.GreatCircle.COM> Date: 25 May 94 08:24:00 PDT Subject: Commercial Offerings To: "firewalls" Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk

I'm compiling a listing of commercial firewall/bastion host offerings, along with any positive/negative evaluations of said products. Please send me any pertinent information - I'll make the information available on this list when it's complete.

Thanks, Micki mskrause@beach.remnet.rockwell.com

From firewalls-owner Wed May 25 16:01:19 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA01352; Wed, 25 May 1994 16:01:19 GMT Received: from duke.group1.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA01346; Wed, 25 May 1994 09:01:11 -0700 Subject: ICMP Messages To: firewalls@greatcircle.com Date: Wed, 25 May 1994 09:02:03 -0700 (PDT) From: Ken Jones X-Mailer: ELM [version 2.4 PL20] Content-Type: text Content-Length: 535 Message-ID: <9405250902.aa01379@duke.group1.com> Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk

Hi All, In setting up our router to filter packets, I think I have everything in place with one exception ... ICMP packets.
On some of our hosts, I need to allow ICMP messages for the testing of our remote sites. What nasty things can be done with icmp packets ?? Is there any documentation about ICMP packets available on the net ?? Thanks for any input.

- Ken
--
Ken Jones         | Group One, Ltd.
kenj@group1.com   | 220 Bush St. #350
Systems / Network | San Francisco, Ca.
Administrator     | 94104

From firewalls-owner Wed May 25 16:44:47 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA01847; Wed, 25 May 1994 16:44:47 GMT Received: from kssib.ksc.nasa.gov by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA01832; Wed, 25 May 1994 09:44:02 -0700 Received: from escact.ksc.nasa.gov by kssib.ksc.nasa.gov with SMTP (5.65/25-eef) id AA26290; Wed, 25 May 94 12:45:10 -0400 Received: by escact.ksc.nasa.gov.ksc.nasa.gov (4.1/SMI-4.1) id AA06219; Wed, 25 May 94 12:44:13 EDT Date: Wed, 25 May 94 12:44:13 EDT From: mark@escact.ksc.nasa.gov (Mark E. Gibbons) Message-Id: <9405251644.AA06219@escact.ksc.nasa.gov.ksc.nasa.gov> To: firewalls@GreatCircle.COM, NITTMANN@UWLAX.EDU Subject: Re: Allowing Magic Kingdom Access Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk

> > Mark E. Gibbons proposed a scheme where a script on a 'normally not
> accessible' machine changes his password.

No, there is a misunderstanding here. I use a machine not normally connected to the network as my host while off-base. That way it is less likely to be available later. The password change takes place on that machine for the only account on it -- my off-base account. My mail is forwarded to this new account and needed files placed there prior to leaving. Sorry if there was a lack of clarity on my part.
me

From firewalls-owner Wed May 25 19:18:24 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA03094; Wed, 25 May 1994 19:18:24 GMT Received: from falcon.ewu.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA03088; Wed, 25 May 1994 12:18:17 -0700 Received: by falcon.ewu.edu (5.65/DEC-Ultrix/4.3) id AA20978; Wed, 25 May 1994 12:22:52 -0700 Message-Id: <9405251922.AA20978@falcon.ewu.edu> To: Firewalls@greatcircle.com Subject: Firewalls and Internet Security is sold out! Date: Wed, 25 May 94 12:22:51 -0700 From: ""Mark Powell@falcon.ewu.edu, "mpowell@ewu.edu +1 509 359 2849\"\"" X-Mts: smtp Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk

The Book Express people said that it went like hotcakes. They are reprinting it now and will backorder it for you. It should be available mid June.

Regards, Mark Powell Internet Manager Eastern Washington University +1 509 359 2849

From firewalls-owner Wed May 25 19:38:23 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA03213; Wed, 25 May 1994 19:38:23 GMT Received: from srv.cip.physik.tu-muenchen.de by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA03207; Wed, 25 May 1994 12:38:10 -0700 Received: from ss5.cip.physik.tu-muenchen.de by srv.cip.physik.tu-muenchen.de with SMTP id AA04432 for (5.67a/IDA-1.5/bs03); Wed, 25 May 1994 21:34:29 +0200 Message-Id: <199405251934.AA04432@srv.cip.physik.tu-muenchen.de> To: MICHAEL NITTMANN Cc: firewalls@greatcircle.com Subject: Re: Allowing Magic Kingdom Access In-Reply-To: Your message of "Wed, 25 May 94 08:36:00 CDT." <24052508362877@vaxb.acs.uwlax.edu> Date: Wed, 25 May 94 21:34:28 +0200 From: Bernhard.Schneck@Physik.TU-Muenchen.DE Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk

In message <24052508362877@vaxb.acs.uwlax.edu> you write:
> A pointer to good security info ( the 'don't write it down'): get on
> the mailing list of the NSA.
> The last document issued details
> security testing and evaluation. Although most of it is for
> government stuff and beyond scope for 'normal' people, the NSA
> documents contain very useful info from people who know it.
>
> I got on the list by writing to:
>
> INFOSEC Awareness Division
> ATTN: X711/IAOC
> Ft. George G. Meade, MD 20755-6000
> (410) 766 8729 Barbara Keller
>
> this was in '92, maybe the address changed.

Any chance they'd also put non US citizens on their mailing list? Does anyone have a FAX number?

From firewalls-owner Wed May 25 20:17:50 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA03552; Wed, 25 May 1994 20:17:50 GMT Received: from real.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA03546; Wed, 25 May 1994 13:17:40 -0700 Date: Wed, 25 May 94 16:17:28 EDT From: bret@real.com (Bret McDanel) Received: by real.com (4.1/3.2.012693-Realistic Technologies Inc); id AA17023 for firewalls@GreatCircle.COM; Wed, 25 May 94 16:17:28 EDT Message-Id: <9405252017.AA17023@real.com> To: firewalls@GreatCircle.COM Subject: A bit off it :) Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk

This is a bit off the subject, however I would like to get the opinion of various people (mostly system administrators, but all are welcome to reply)..

The questions: Is it UNETHICAL for a person to read a file in a directory that is owned by someone else, but that person did not set file permissions to turn people away? (oh the person who owns the directory has a great deal of experience and knowledge with file permissions)

The other side of this, should the person that read the file be punished for reading something that was totally unprotected?

Please (for the sake of the firewalls net traffic) reply in e-mail to: bret@real.com

Thank you..
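Rouillard's skey patches and Nittmann's one-time-password list and token both rest on the same idea: the authenticating host keeps only the last value of a hash chain, so a password captured on the wire at a customer site is useless once it has been used. The block below is an added example, not the S/Key code or anything posted in this thread; it implements such a chain in Python with SHA-256 folded to 64 bits (S/Key itself used MD4, so the hash is a substitution here, and the seed-then-secret concatenation order is an assumption), and shows the server-side verification, the counter update, and why a replayed or out-of-order password is rejected. The secret and seed in `demo()` are constructed values.

```python
import hashlib
import hmac


def otp_step(value: bytes) -> bytes:
    """One link of the chain: hash and fold to 64 bits.
    S/Key used MD4 folded by XOR; SHA-256 is substituted here."""
    d = hashlib.sha256(value).digest()
    return bytes(a ^ b ^ c ^ e for a, b, c, e in zip(d[:8], d[8:16], d[16:24], d[24:32]))


def otp_value(secret: str, seed: str, i: int) -> bytes:
    """x_i = H^(i+1)(seed || secret): the i-th one-time password.
    The user (or a calculator they carry) computes this from the secret;
    the secret itself is never stored on the server."""
    v = (seed + secret).encode()
    for _ in range(i + 1):
        v = otp_step(v)
    return v


class OtpServer:
    """Holds only the next-expected hash x_n and its sequence number n."""

    def __init__(self, secret: str, seed: str, n: int):
        # Initialisation is the only time the secret is seen; afterwards the
        # server keeps x_n and n, from which no earlier x_i can be derived.
        self.seed = seed
        self.n = n
        self.stored = otp_value(secret, seed, n)

    def challenge(self) -> str:
        """What the login prompt shows: the sequence number wanted and the seed."""
        return "otp-sha256 %d %s" % (self.n - 1, self.seed)

    def verify(self, presented: bytes) -> bool:
        """Accept x_{n-1} iff H(x_{n-1}) == stored x_n, then roll forward.
        A replay of x_{n-1} now fails because H(x_{n-1}) != x_{n-1}, and an
        older x_i fails because only one hash step is applied."""
        if self.n <= 0:
            return False  # chain exhausted; the user must re-initialise
        if not hmac.compare_digest(otp_step(presented), self.stored):
            return False
        self.stored = presented
        self.n -= 1
        return True


def demo():
    """Constructed run: two logins, a replay, an out-of-order value, then the next one."""
    secret, seed = "correct horse battery", "ex12345"  # constructed values
    server = OtpServer(secret, seed, n=5)
    results = []
    for i in (4, 3):
        results.append(server.verify(otp_value(secret, seed, i)))  # accepted, accepted
    results.append(server.verify(otp_value(secret, seed, 3)))      # replay: rejected
    results.append(server.verify(otp_value(secret, seed, 1)))      # skipped ahead: rejected
    results.append(server.verify(otp_value(secret, seed, 2)))      # next in sequence: accepted
    return results


if __name__ == "__main__":
    print(demo())
```

The property that matters for the eavesdropping case is in `verify`: an observer who records `x_{n-1}` cannot produce `x_{n-2}`, because that would mean inverting the hash, so the captured value buys a single already-spent login.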
From firewalls-owner Wed May 25 14:10:05 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA03760; Wed, 25 May 1994 20:46:23 GMT Received: from palantir.p.tvt.se by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA03754; Wed, 25 May 1994 13:46:07 -0700 Received: from lekstugan by palantir.p.tvt.se with smtp (Smail3.1.28.1 #2) id m0q6Prh-000ABmC; Wed, 25 May 94 22:47 WET DST Message-Id: X-Sender: perra@131.115.15.84 Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Date: Wed, 25 May 1994 20:47:11 +0200 To: firewalls@greatcircle.com From: perra@telia.se (Per-Erik Eriksson) Subject: Re: Allowing Magic Kingdom Access X-Mailer: Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk

> > government stuff and beyond scope for 'normal' people, the NSA
> > documents contain very useful info from people who know it.
> >
> > I got on the list by writing to:
> >
> > INFOSEC Awareness Division
> > ATTN: X711/IAOC
> > Ft. George G. Meade, MD 20755-6000
> > (410) 766 8729 Barbara Keller
> >
> > this was in '92, maybe the address changed.
>
> Any chance they'd also put non US citizens on their mailing list?

you took the words right out of my mouth... :-) Hmmm I guess I had better add "or non US citizens working for the Swedish government owned telecommunications company Telia...?"

> Does anyone have a FAX number?

or an e-mail address?

Per-Erik Eriksson

Per-Erik Eriksson, Telia AB, S-403 35 Göteborg, Sweden
Internet: perra@telia.se Phone: +46 31 770 18 79; Fax: +46 31 11 49 57
X.400: G=per-erik; S=eriksson; I=pee; O=west; P=telia; A=400net; C=se
Telia is the telecommunications company owned by the Swedish government.
"We sell Internet access in Sweden"

From firewalls-owner Wed May 25 21:10:52 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA03933; Wed, 25 May 1994 21:10:52 GMT Received: from real.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA03927; Wed, 25 May 1994 14:10:34 -0700 Date: Wed, 25 May 94 17:09:52 EDT From: bret@real.com (Bret McDanel) Received: by real.com (4.1/3.2.012693-Realistic Technologies Inc); id AA21790 for firewalls@GreatCircle.COM; Wed, 25 May 94 17:09:52 EDT Message-Id: <9405252109.AA21790@real.com> To: firewalls@GreatCircle.COM Subject: a bit off it :) part 2 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk

In my previous post, I am realizing that I did not give enough info (judging by some of the replies).. so here is the rest..

A student at a school (which has stated NO policies, either verbal, physical or electronic) is going before a disciplinary committee because he copied some files that were world readable.. The computer department is seeking expulsion because of a catch in the student manual which basically states that students are expected to behave according to the highest set of ethics.. Nothing more, no descriptions of what those ethics are, not even an ethics class (computer or otherwise)..

So, with that said, was it ethical for the student to copy the file? And (more importantly) should the student be expelled (or even disciplined)? and if so, what should that be?

Thank you, and hopefully I won't post any more off base messages..
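Ken Jones asked above which ICMP messages a filtering router should let in for testing remote sites and what the rest can do. The usual answer is a per-type policy: admit what ping and traceroute of the remote sites need to see coming back (echo reply, destination unreachable, time exceeded, parameter problem), admit echo requests only from your own probe hosts, and drop the rest, in particular redirects, which a host may honour by rewriting its routing table, and the address-mask and information queries that reveal network layout. The block below is an added example, not anything posted on the list and not a particular router's syntax; it parses the fixed ICMP header (type, code, checksum, as laid out in RFC 792), verifies the checksum, and applies such a policy to constructed packets. The probe host 192.0.2.5 and the 203.0.113.0/24 source addresses are made up for the example.

```python
import struct

# ICMP type numbers from RFC 792 and RFC 950.
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, REDIRECT, ECHO_REQUEST = 0, 3, 4, 5, 8
TIME_EXCEEDED, PARAM_PROBLEM, TIMESTAMP, TIMESTAMP_REPLY = 11, 12, 13, 14
INFO_REQUEST, INFO_REPLY, MASK_REQUEST, MASK_REPLY = 15, 16, 17, 18

# Outside hosts permitted to ping inward (constructed value for the example).
PROBE_HOSTS = frozenset({"192.0.2.5"})


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4) -> bytes:
    """Build a message with a correct checksum (used here to make test input)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(body)) + rest


def parse_icmp(pkt: bytes):
    """Return (type, code), or raise ValueError for a short or corrupt message."""
    if len(pkt) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if icmp_checksum(pkt) != 0:  # the sum over an intact message folds to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _ = struct.unpack("!BBH", pkt[:4])
    return icmp_type, code


def inbound_policy(pkt: bytes, src_ip: str) -> str:
    """Decide on an ICMP message arriving from the outside: 'allow' or 'deny: <why>'.

    Allowed: the replies and error reports that diagnostics of remote sites
    need to come back in. Denied: redirects (rewrite host routes), mask and
    information queries (reveal layout), unknown types, and anything that
    does not parse, since a filter should fail closed.
    """
    try:
        icmp_type, code = parse_icmp(pkt)
    except ValueError as e:
        return "deny: %s" % e
    if icmp_type in (ECHO_REPLY, DEST_UNREACH, TIME_EXCEEDED, PARAM_PROBLEM):
        return "allow"
    if icmp_type == ECHO_REQUEST:
        return "allow" if src_ip in PROBE_HOSTS else "deny: echo request from untrusted host"
    if icmp_type == REDIRECT:
        return "deny: redirect (code %d) would rewrite host routes" % code
    return "deny: type %d not needed inbound" % icmp_type


if __name__ == "__main__":
    samples = [
        (build_icmp(ECHO_REPLY, 0), "203.0.113.9"),
        (build_icmp(REDIRECT, 1), "203.0.113.9"),
        (build_icmp(ECHO_REQUEST, 0), "192.0.2.5"),
        (build_icmp(MASK_REQUEST, 0), "203.0.113.9"),
    ]
    for pkt, src in samples:
        print(src, pkt[:2].hex(), "->", inbound_policy(pkt, src))
```

Whether to admit echo requests at all is a site decision; the policy above shows the narrow form (named probe hosts only) because that is what "testing of our remote sites" needs, and it keeps the rest of the Internet from using your hosts to map the inside.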
From firewalls-owner Wed May 25 21:28:25 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA04102; Wed, 25 May 1994 21:28:25 GMT Received: from relay.tis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA04089; Wed, 25 May 1994 14:28:15 -0700 Received: by relay.tis.com id AA20916; Wed, 25 May 94 17:29:51 EDT Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3mjr) id sma020913; Wed May 25 17:29:20 1994 Received: from otter.tis.com by tis.com (4.1/SUN-5.64) id AA24714; Wed, 25 May 94 17:28:28 EDT Date: Wed, 25 May 94 17:28:28 EDT From: Marcus J Ranum Message-Id: <9405252128.AA24714@tis.com> To: bret@real.com, firewalls@GreatCircle.COM Subject: Re: a bit off it :) part 2 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk This is nothing to do with firewalls. The signal to noise ratio of this mailing list is already perilously close to that of some of the USENET alt groups -- please, let's refrain from discussions of policy, the law, ethics, etc, unless they somehow relate to firewalls. Discussions of issues like that could be more productively held in: comp.security.unix, comp.society.privacy, comp.security.misc, or someplace that's intended for a more general discussion. mjr. From firewalls-owner Wed May 25 14:42:51 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA04197; Wed, 25 May 1994 21:34:30 GMT Received: from sjc.erg.sri.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA04191; Wed, 25 May 1994 14:34:21 -0700 Received: from localhost.erg.sri.com by sjc.erg.sri.com (5.65/2.7davy) id AA10481; Wed, 25 May 94 14:35:34 -0700 Message-Id: <9405252135.AA10481@sjc.erg.sri.com> To: bret@real.com (Bret McDanel) Cc: firewalls@greatcircle.com Subject: Re: a bit off it :) part 2 In-Reply-To: Your message of Wed, 25 May 94 17:09:52 -0400. 
<9405252109.AA21790@real.com> Date: Wed, 25 May 94 14:35:33 -0700 From: Bryan McDonald Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk

While interesting, you're right, this is not a firewalls question. However, I do know someplace that it would be appropriate: the SAGE organization has a working group on ethics to discuss such issues. If you join the sage-ethics mailing list you can ask them. You can send email to majordomo@usenix.org for info on joining, etc.

Bryan

ps. you might check in the sage-policies mailing list for the work they are doing collecting policy statements from various sites.

From firewalls-owner Wed May 25 21:46:24 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA04299; Wed, 25 May 1994 21:46:24 GMT Received: from nammu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA04288; Wed, 25 May 1994 14:46:14 -0700 Message-Id: To: firewalls@GreatCircle.COM cc: surya@premenos.com Subject: syslog time stamps From: lai@premenos.com (C. Patrick Lai) Date: Wed, 25 May 1994 14:47:03 -0700 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk

I'm experimenting with the TIS firewall toolkit, and notice that the various log messages generated by ftp-gw and tn-gw have GMT/UTC time stamps, whereas those put out by authsrv and smap/smapd are local. Did I build the toolkit incorrectly?
Here's some configuration information:

OS: BSD/386 v1.1 and Linux
FWTK: v1.2
Skey: v1.1b
DES: Eric Young's (93-10-18)

-- Patrick Lai lai@premenos.com

From firewalls-owner Wed May 25 15:01:40 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA04163; Wed, 25 May 1994 21:32:24 GMT Received: from callisto.eci-esyst.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA04157; Wed, 25 May 1994 14:32:08 -0700 Received: from gorgon.ESYSTEMS ([191.254.10.111]) by callisto.eci-esyst.com (4.1/SMI-4.1) id AA21257; Wed, 25 May 94 17:28:13 EDT Date: Wed, 25 May 94 17:28:13 EDT From: sdeb@callisto.eci-esyst.com (Steve Eason) Message-Id: <9405252128.AA21257@callisto.eci-esyst.com> To: firewalls@greatcircle.com Subject: Mosaic and E-mail Cc: drfc@qmgate.eci-esyst.com, admin@callisto.eci-esyst.com Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk

We are setting up the following:

===============================================================
                        Internet
                           |
                      +----------+
                      |  Router  |   IP/Port Filtering
                      +----------+
                           | (a)
                    +-------------+
     DNS Server     |  Firewall   |   Mail Relayer
                    | Workstation |
                    +-------------+
                           | (b)
       +------------------+----------------+---------+------+
       |                  |                |         |      |
       |           +------------+   +-----------+  +------------+    |
    Mac/PC         | Quickmail  |   | Unix Mail |  |  CC-mail   |    |
    Clients        | Server(Mac)|   |  Server   |  | Server(PC) |    |
                   +------------+   +-----------+  +------------+    |
                                                               Unix Clients

NOTE: (a) is a registered class C net, and (b) is an internal unregistered class B. Internal systems are managed by NIS (the firewall is NOT an NIS client or server).
=======================================================================

I have two questions about this setup.

(1) Must I have an internal DNS server in order to have the firewall function as a mail relayer to all three internal mail servers, or will a properly configured sendmail.cf on the firewall suffice? Do the Registered to Unregistered addresses pose a problem?
(2a) I have read some articles describing iftp and itelnet. These appear to allow a user to ftp or telnet out to the Internet without having to have an account on the firewall. A telnet or ftp session is started by the firewall on behalf of the requesting user. Is there something similar (or the same) for the Macintosh and IBM compatible PC's? (2b) How can I run Mosaic from Unix, Mac and PC's transparently (as in 2a) to the user without having to provide an account on the firewall. Will the same mechanism from 2a provide this capability? Thanks for any help you may be able to provide. :-) =============================================================== S.D.Eason, Engineer | "And whatsoever ye do, do it E-Systems, ECI Division | heartily, as to the Lord, and 1501 72nd Street North | and not unto men..." St. Pete, Florida 33710 | Colossians 3:23 --------------------------------------------------------------- E-mail : sdeb@eci-esyst.com | Phone : (813)381-2000 X2124 =============================================================== From firewalls-owner Wed May 25 22:46:41 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id WAA04960; Wed, 25 May 1994 22:46:41 GMT Received: from cheetah.llnl.gov by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA04947; Wed, 25 May 1994 15:46:27 -0700 Received: (from karyn@localhost) by cheetah.llnl.gov (8.6.8.1/8.6.6) id PAA07734; Wed, 25 May 1994 15:47:41 -0700 Date: Wed, 25 May 1994 15:47:41 -0700 From: Karyn Pichnarczyk Message-Id: <199405252247.PAA07734@cheetah.llnl.gov> To: firewalls@greatcircle.com Subject: Allowing Magic Kingdom Access. Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk |On occasion, engineers and customer support folk from our site go out |into the big bad world, and want to get back into the network via the |Internet connection. There are some obvious advantages to this - cost, |convenience and speed being the most significant. 
This activity is |usually done from a customer site that is connected to the Internet. | [ ... ] | |It seems like the only safe way to do this is to actually give the |remote user an encrypted telnet capability so that even the clear |passwords aren't sniffable at the remote site. Given this, I have |two questions: | |1) Am I *too* paranoid about all of this? Are we going too far? | |2) If not, what are the restrictions for running encrypted telnet | in other countries? Should we be concerned about this? You've got more options other than encrypted telnet: like perhaps a smart card with a one-time-only password. It might be a little hard and cost something, but it's another option. Yet another option is other one-time password technologies, such as s/key (but I don't know if there's any international restrictions). Then you have the bastion host idea as well. karyn From firewalls-owner Wed May 25 23:11:46 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id XAA05267; Wed, 25 May 1994 23:11:46 GMT Received: from jpmorgan by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA05261; Wed, 25 May 1994 16:11:37 -0700 From: yerkes_chuck@jpmorgan.com Received: by jpmorgan (8.6.4/fma-120691.2); id TAA29699; Wed, 25 May 1994 19:13:00 -0400 Received: from athena1.lsi.ny.jpmorgan.com (athena1.lsi.ny.jpmorgan.com [146.149.246.28]) by tcpg01a.ny.jpmorgan.com (8.6.9/cjy.sub.1.0) with ESMTP id TAA28777; Wed, 25 May 1994 19:12:59 -0400 Received: from delacroix.lsi.ny.jpmorgan.com by athena1.lsi.ny.jpmorgan.com with SMTP id TAA07706; Wed, 25 May 1994 19:12:58 -0400 Received: by delacroix.lsi.ny.jpmorgan.com (4.1/4.7) id AA14574; Wed, 25 May 94 19:12:57 EDT Date: Wed, 25 May 94 19:12:57 EDT Message-Id: <9405252312.AA14574@delacroix.lsi.ny.jpmorgan.com> To: sdeb@callisto.eci-esyst.com Subject: Re: Mosaic and E-mail Cc: firewalls@GreatCircle.COM Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > ...Internal systems are 
managed by NIS > (the firewall is NOT an NIS client or server). > I have two questions about this setup. > > (1) Must I have an internal DNS server in order to have the firewall > function as a mail relayer to all three internal mail servers, > or will a properly configured sendmail.cf on the firewall suffice? > Do the Registered to Unregistered addresses pose a problem? You SHOULD have an internal DNS server, if only on the "SMTP Mailhost" for caching and to provide DNS service for the Macs, PC and Unix clients. Are the quickmail and CCMail servers directly talking to the firewall, or do they talk to the Unix mailhost, which would then talk to the firewall? Are you planning not to run DNS anywhere but on the Firewall? > (2a) I have read some articles describing iftp and itelnet. These appear to > allow a user to ftp or telnet out to the Internet without having to have an > account on the firewall. A telnet or ftp session is started by the firewall > on behalf of the requesting user. Is there something similar (or the same) for > the Macintosh and IBM compatible PC's? Others will answer this, it's almost an FAQ. > (2b) How can I run Mosaic from Unix, Mac and PC's transparently (as in 2a) to the > user without having to provide an account on the firewall. Will the same > mechanism from 2a provide this capability? Proxified Mosaic. The current versions for the platforms support a proxy server. The Mac version is not quite done. SOCKS is your friend. This lets you use it for http and gopher but not telnet, if you set it up so. There's a config line regarding proxying each service (X Resources, in Unix). This can also let you telnet/ftp out through the firewall transparently (provided your routes are set up right) while denying people incoming connections. 
chuck From firewalls-owner Thu May 26 01:59:31 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id BAA06642; Thu, 26 May 1994 01:59:31 GMT Received: from ALABAMA.CF.CS.YALE.EDU by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id SAA06636; Wed, 25 May 1994 18:59:22 -0700 Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU via SMTP; Wed, 25 May 1994 22:00:38 -0400 Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-5.67b/res.client.cf-3.7) id AA20281; Wed, 25 May 1994 22:00:37 -0400 Date: Wed, 25 May 1994 22:00:37 -0400 From: long-morrow@CS.YALE.EDU (H Morrow Long) Message-Id: <199405260200.AA20281@SPARKY.CF.CS.YALE.EDU> To: sdeb@callisto.eci-esyst.com, yerkes_chuck@jpmorgan.com Subject: Re: Mosaic and E-mail Cc: firewalls@GreatCircle.COM Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk >> (2b) How can I run Mosaic from Unix, Mac and PC's transparently (as in 2a) to the >> user without having to provide an account on the firewall. Will the same >> mechanism from 2a provide this capability? > >Proxified Mosaic. The current versions for the platforms support a >proxy server. The Mac version is not quite done. SOCKS is your friend. >This lets you use it for http and gopher but not telnet, if you set it >up so. There's a config line regarding proxying each service (X Resources, >in Unix). This can also let you telnet/ftp out through the firewall >transparently (provided your routes are setup right) while denying people >incoming connections. > >chuck If you use the new CERN server as a proxy server for a version of Mosaic supporting it you also gain the side benefit that it can maintain a cache of fetched files by URL. You can set up 2 caches (by file size) and expiration times for each. It should be a real win if your Internet connection is a slow link. 
You also shouldn't need SOCKS support in Mosaic clients if you run the CERN server on a multi-homed firewall host or a bastion host in a DMZ - just set the proxy server. - Morrow From firewalls-owner Thu May 26 02:28:06 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id CAA06770; Thu, 26 May 1994 02:28:06 GMT Received: from zebedee.manukau.ac.nz by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA06764; Wed, 25 May 1994 19:27:44 -0700 From: eric!chris@zebedee.manukau.ac.nz Received: from eric.UUCP by zebedee.manukau.ac.nz with UUCP (5.65/25-eef) id AA11147; Thu, 26 May 94 14:26:54 -1200 Date: Thu, 26 May 94 14:26:54 -1200 Message-Id: <9405270226.AA11147@zebedee.manukau.ac.nz> To: firewalls@greatcircle.com Subject: Can you help me please? Content-Length: 2413 Content-Type: text Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk I'm new to the list and quite inexperienced with firewalls and security issues as discussed on this list. I'm acting as Systems Administrator at the Polytechnic and we have recently attached to the internet. Due to serious worries w.r.t. security of our systems I did not attach our network directly to the internet. The only 'internet activity' users on our network can partake in is email. To do anything else they dial in to zebedee, the system connected to the internet. See below.

 Little bit of ethernet
======================================================================
   |                 |                  with just zebedee and the
   |                 |                  PC Router.
   |                 |
+--------------+  +-----------------------+
|ZEBEDEE       |  |PC Router with SLIP    |
|Unix system   |  |link to local          |
|with dial in  |  |University             |
|access        |  |                       |
+--------------+  +-----------------------+
   ||
   ||  UUCP link
   ||
+--------------+
|Unix system   |
|              |
|              |
+--------------+
   |
   |                                          Big bit of ethernet on
======================================================================  which all our clients live

Presently this seems to work fine, with mail. 
As our clients are becoming more aware of the facilities available to them from the internet I must allow them access to the internet from our 'Big bit of ethernet'. So, the question! Where do I start? Is there any literature I can read that will help identify strategies I should adopt? Is there any hardware that I should consider purchasing to help me out? Any comments/ideas/pointers would be very greatly received. Chris. +--------------------------------------------------------------+ | Chris Stott | Telephone(H): +64 (0)9 266 1169 | | Systems Administrator | Telephone(W) DDI: +64 (0)9 273 0734 | | Manukau Polytechnic | Telephone(W): +64 (0)9 274 6009 | | Auckland | Facsimile: +64 (0)9 273 0747 | | New Zealand | Email: chris@manukau.ac.nz| +--------------------------------------------------------------+ From firewalls-owner Thu May 26 03:18:53 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id DAA06972; Thu, 26 May 1994 03:18:53 GMT Received: from cray.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA06966; Wed, 25 May 1994 20:18:43 -0700 Received: from matrix.cray.com by cray.com (Bob mailer 1.2) id AA25021; Wed, 25 May 94 21:48:58 CDT Received: by matrix.cray.com id AA11084; 4.1/CRI-5.6a; Wed, 25 May 94 21:48:52 CDT From: btk@matrix.cray.com (Bryan Koch) Message-Id: <9405260248.AA11084@matrix.cray.com> Subject: Re: a bit off it :) part 2 To: bret@real.com (Bret McDanel) Date: Wed, 25 May 94 21:48:51 CDT Cc: firewalls@greatcircle.com In-Reply-To: <9405252109.AA21790@real.com>; from "Bret McDanel" at May 25, 94 5:09 pm X-Mailer: ELM [version 2.3 PL0] Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > A student at a school (which has stated NO policies, either verbal, physical > or electronic) is going before a disciplinary committee because he copied some > files that were world readable.. 
> > The computer department is seeking expulsion because of a catch in the > student manual which basically states that students are expected > to behave according to the highest set of ethics.. Nothing more, no > descriptions of what those ethics are, not even an ethics class (computer > or otherwise).. > > So, with that said, was it ethical for the student to copy the file? > And (more importantly) should the student be expelled (or even disciplined)? > and if so, what should that be? If the file was, say, /etc/passwd, and the purpose was to run crack, and the user is not an administrator, then I agree with the administration decision. If the file was another student's project, and the user turned it in as his own work, again, more power to the administration. One reading of your question is, can people be held responsible for their actions if the incompetence of others allows them to do things they should not be doing? My answer is "yes, but it is easier to do if the rules are written down". Bryan Koch Data Security Leader VOICE: +1-612-683-3129 (1-800-284-2729 x33129) Cray Research, Inc. FAX: +1-612-683-3099 Eagan, Minnesota, USA EMAIL: btk@cray.com From firewalls-owner Thu May 26 12:38:28 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA10093; Thu, 26 May 1994 12:38:28 GMT Received: from mwunix.mitre.org by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id FAA10087; Thu, 26 May 1994 05:38:20 -0700 Received: from smiley.mitre.org.sit (smiley.mitre.org [128.29.140.20]) by mwunix.mitre.org (8.6.4/8.6.4) with SMTP id IAA03161; Thu, 26 May 1994 08:39:32 -0400 Received: from [128.29.140.151] (woycke-mac.mitre.org) by smiley.mitre.org.sit (4.1/SMI-4.1) id AA29794; Thu, 26 May 94 08:39:08 EDT Message-Id: <9405261239.AA29794@smiley.mitre.org.sit> X-Sender: woycke@128.29.140.20 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 26 May 1994 08:39:24 -0400 To: lai@premenos.com (C. 
Patrick Lai), firewalls@GreatCircle.COM, fwtk-users@tis.com From: woycke@mitre.org (Daniel W. Woycke) Subject: Re: syslog time stamps Cc: surya@premenos.com Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Well, I am having problems with this also. It seems that ftp-gw and tn-gw have the problem. I haven't looked at anything else. I tried writing a test program that ran just the time and ctime calls that vsyslog() makes and I didn't have the problem. I wish I had time to pursue it, but it also happens on SunOS 4.1.3_U1. At 2:47 PM 5/25/94 -0700, C. Patrick Lai wrote: >I'm experimenting with the TIS firewall toolkit, and notice that the >various log messages generated by ftp-gw and tn-gw have GMT/UTC time >stamps, whereas those put out by authsrv and smap/smapd are local. Did >I build the toolkit incorrectly? Here's some configuration information: > > OS: BSD/386 v1.1 and Linux > FWTK: v1.2 > Skey: v1.1b > DES: Eric Young's (93-10-18) > >-- Patrick Lai > lai@premenos.com ---------- Thank You, Daniel W. Woycke |"It is not that life _is_ an illusion; Information Engineer (c) 1992|rather life is _like_ an illusion." The MITRE Corporation |--The Dalai Lama 7525 Colshire Drive (MS Z231)| McLean, VA 22102 |These opinions are mine and are not phone: (703) 883-1362 |and will not be held by anyone else. 
From firewalls-owner Thu May 26 13:14:07 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA10314; Thu, 26 May 1994 13:14:07 GMT Received: from relay.tis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id GAA10308; Thu, 26 May 1994 06:13:57 -0700 Received: by relay.tis.com id AA24985; Thu, 26 May 94 09:15:14 EDT Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3mjr) id sma024982; Thu May 26 09:15:03 1994 Received: from otter.tis.com by tis.com (4.1/SUN-5.64) id AA13857; Thu, 26 May 94 09:14:11 EDT Date: Thu, 26 May 94 09:14:11 EDT From: Marcus J Ranum Message-Id: <9405261314.AA13857@tis.com> To: firewalls@GreatCircle.COM, fwtk-users@tis.com, lai@premenos.com, woycke@mitre.org Subject: Re: syslog time stamps Cc: surya@premenos.com Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk >I am having problems with this also. It seems that ftp-gw and tn-gw have >the problem. I haven't looked at anything else. I tried writing a test >program that ran just the time and ctime calls that vsyslog() makes and I >didn't have the problem. If you're running anything chrooted at startup, make sure there's a timezone file in the chrooted area for it to decode. mjr. 
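A defender's check for the point mjr makes above, added here as an example and not taken from the TIS toolkit or from any message in this thread: a proxy that chroots at startup can only see files inside the jail, so if the zone data is not there its localtime()/ctime() calls quietly fall back to UTC and the syslog stamps come out in GMT while the non-chrooted daemons log in local time. The script below looks for the zone data inside a jail directory and copies the host's file in when it is missing. The paths it checks (/etc/localtime and /usr/share/zoneinfo under the jail) and the jail directory in the usage comment are assumptions for the sake of the example; where your libc looks for zone data differs by OS, so adjust them.

```shell
#!/bin/sh
# Added example (not FWTK code): verify that a chroot jail holds the timezone
# data libc needs when a jailed proxy stamps its syslog messages, and copy it
# in if absent.  Paths below are assumptions; check where your libc looks.

# check_chroot_tz JAIL [ZONE]
# Returns 0 if zone data is present in JAIL, 1 if a jailed daemon would find
# nothing and silently log in UTC.  ZONE defaults to $TZ when set.
check_chroot_tz() {
    jail=$1
    zone=${2:-${TZ:-}}

    # With TZ unset, libc reads /etc/localtime relative to the jail root.
    if [ -f "$jail/etc/localtime" ]; then
        echo "ok: $jail/etc/localtime present"
        return 0
    fi

    # With TZ=Region/City, libc looks under the zoneinfo directory instead.
    if [ -n "$zone" ] && [ -f "$jail/usr/share/zoneinfo/$zone" ]; then
        echo "ok: $jail/usr/share/zoneinfo/$zone present"
        return 0
    fi

    echo "missing: no timezone data under $jail (timestamps will be UTC)" >&2
    return 1
}

# populate_chroot_tz JAIL [SRC]
# Copies SRC (default: the host's /etc/localtime) to JAIL/etc/localtime.
# A copy, not a symlink: a link would point outside the jail and be
# unresolvable once the daemon has chrooted.
populate_chroot_tz() {
    jail=$1
    src=${2:-/etc/localtime}
    if [ ! -f "$src" ]; then
        echo "error: source zone file $src not found" >&2
        return 1
    fi
    mkdir -p "$jail/etc" && cp "$src" "$jail/etc/localtime"
}

# Typical use, as root, after building the jail (hypothetical path) that
# ftp-gw or tn-gw will chroot into:
#   check_chroot_tz /var/fwtk-jail || populate_chroot_tz /var/fwtk-jail
```

Run the check once per jail after building it and again after any OS upgrade that replaces the zone files; a stale copy inside the jail is the same class of bug, only with the wrong DST rules instead of UTC.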
From firewalls-owner Thu May 26 06:21:52 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA10349; Thu, 26 May 1994 13:17:49 GMT Received: from relay.tis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id GAA10343; Thu, 26 May 1994 06:17:41 -0700 Received: by relay.tis.com id AA25082; Thu, 26 May 94 09:19:16 EDT Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3mjr) id sma025072; Thu May 26 09:18:35 1994 Received: from otter.tis.com by tis.com (4.1/SUN-5.64) id AA14088; Thu, 26 May 94 09:17:43 EDT Date: Thu, 26 May 94 09:17:43 EDT From: Marcus J Ranum Message-Id: <9405261317.AA14088@tis.com> To: eric!chris@zebedee.manukau.ac.nz, firewalls@GreatCircle.COM Subject: Re: Can you help me please? Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk >So, the question! Where do I start? Is there any literature I can read that >will help identify strategies I should adopt? Is there any hardware that I >should consider purchasing to help me out? Well, there's a FAQ, available on ftp.greatcircle.com and on ftp.tis.com: pub/firewalls/FAQ, and of course there's Cheswick and Bellovin's book. There are interesting papers all over the place (check the FAQ). Some of the firewall papers are online for web-viewing http://www.tis.com mjr. From firewalls-owner Thu May 26 14:11:41 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA10654; Thu, 26 May 1994 14:11:41 GMT Received: from vaxb.acs.uwlax.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id HAA10647; Thu, 26 May 1994 07:11:32 -0700 Received: from VMSmail by vaxb.acs.uwlax.edu; Thu, 26 May 94 09:13 CDT Message-Id: <24052609134587@vaxb.acs.uwlax.edu> Date: Thu, 26 May 94 09:13 CDT From: MICHAEL NITTMANN Subject: Re: Allowing Magic Kingdom Access To: firewalls@greatcircle.com X-VMS-To: IN%"firewalls@greatcircle.com" Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk ... 
the best thing is probably: have the remote have her/his laptop (gateway 2000 will do already) and do dial-up to a 1-800 number with ppp. The remote is integrated into the Kingdom, and runs encrypted, can use public terminal servers (e.g., ANSRemote dial up service for $35/month+8.50/h connect). Any customer will let you hook up a PC to a phone line and dial an 800 number. I would share the concerns of requesting/letting hook up a machine to a network, already the addressing is an issue, as well as routing. Not everybody has a guest network outside the firewall to allow for guests to hook up to their home base. ... and to whoever believes in letting a visitor connect a machine to the LAN: if I know how to write drivers, others know far better. And a driver can very well have background activities spoofing everything, tracking tcp connections, watch for SYN and follow tcp option negotiation until the magic characters pass by. In my world: only outside of the firewall. I like visitors, but I don't share my bed. Mike From firewalls-owner Thu May 26 08:11:53 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA11011; Thu, 26 May 1994 15:08:12 GMT Received: from chenas.inria.fr by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id IAA11005; Thu, 26 May 1994 08:07:59 -0700 Received: from edf.edf.fr by chenas.inria.fr (5.65c8d/92.02.29) via Fnet-EUnet id AA24595; Thu, 26 May 1994 17:09:17 +0200 (MET) Received: from cli55ca.der.edf.fr by edf.edf.fr with SMTP id AA18573 (5.65c8/IDA-1.4.4 for ); Thu, 26 May 1994 17:09:42 +0200 Received: by cli55ca.der.edf.fr (4.1/SMI-4.1) id AA15321; Thu, 26 May 94 17:08:34 +0200 Date: Thu, 26 May 94 17:08:34 +0200 From: Yves.Dherbecourt@der.edf.fr (Yves Dherbecourt) Message-Id: <9405261508.AA15321@cli55ca.der.edf.fr> To: firewalls@greatcircle.com Subject: rsh through a firewall Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Does a rexec and/or rsh proxy exist somewhere ? 
It may seem foolish but could be used together with a telnet proxy. (once the telnet proxy process is up, and after -strong- authentication of the user, then the rsh proxy can be launched, and it dies with the telnet proxy process). This could allow a more elaborate dialog across a firewall between 2 hosts than a simple telnet. I looked at TIS plug-gw, but it doesn't fit in that case. Thank you Yves Dherbecourt From firewalls-owner Thu May 26 09:21:54 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA11471; Thu, 26 May 1994 16:04:19 GMT Received: from rigel.nemc.org by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA11464; Thu, 26 May 1994 09:04:00 -0700 Received: from localhost.nemc.org by rigel.nemc.org id aa29608; 26 May 94 12:14 EDT To: firewalls@greatcircle.com cc: src@rigel.nemc.org Subject: Multi-Protocol Firewalls Date: Thu, 26 May 1994 12:14:10 -0400 From: "Scott R. Corzine" Message-ID: <9405261214.aa29608@rigel.nemc.org> Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Background: We have several projects being planned as separate WANs interconnecting lots (>20 near-term) of different institutions and practices (with hundreds of sites planned long-term). These are being independently developed and are calling for a bunch of different protocol suites, OS's, and WAN technologies connecting through our planned (strong) firewall perimeter and into our core network. All of this data is for health care and pretty confidential. We will be running IP through the firewall, Banyan Vines is planned, SNA and Novell and NetBIOS have been requested, and I wouldn't be surprised if someone wants AppleTalk and whatever Microsoft is backing for Windows for Workgroups (and NT). Since we can't route everything we'll be bridging too. Also Vines, Novell, and AppleTalk do/can have both IP and SNA traffic tunnelled through them. Questions: -Can a multi-protocol firewall realistically be built and secured? 
-Is this a good idea? -Is anyone else doing this? -Are there any firewall products or kits available for protocols other than IP? -Can bridged traffic meaningfully be secured through a firewall? -Are these proprietary protocols secure and/or well documented? -Are there any studies/proofs of the security/insecurity of these protocols? -How do I refute vendor claims that their proprietary protocols are so secure they don't need a firewall (or are they right)? -What are the risks of doing all of this when some of the protocols aren't completely understood by the staff who has to run this? -Does it make sense to spend a lot of effort building a solid IP-only firewall if there are these other backdoor protocols? Personally, I don't think this is a good idea. But since there's a lot of political weight behind these projects, the burden is on me to prove any problems (there are outside technical people promoting this). Any documentation, references, or other evidence would be very appreciated. I would be happy to submit a summary document to the GreatCircle archives (as long as I can assemble meaningful answers). Thank you, -Scott R. 
Corzine- New England Medical Center From firewalls-owner Thu May 26 19:17:44 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA12914; Thu, 26 May 1994 19:17:44 GMT Received: from utrcgw.utc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA12908; Thu, 26 May 1994 12:17:35 -0700 Received: from caesv1.norden.utc.com (155.104.1.11) by utrcgw.utc.com (PMDF #2906 ) id <01HCSSPIB4AO005BTR@utrcgw.utc.com>; Thu, 26 May 1994 15:17:57 EDT Received: from caeip2.norden.utc.com ([155.104.1.8]) by caesv1.norden.utc.com (4.1/SMI-4.1) id AA26619; Thu, 26 May 94 15:19:30 EDT Date: 26 May 1994 15:19:29 -0400 (EDT) From: merola@caesv1.norden.utc.com (joe merola) Subject: virus checking utilities To: firewalls@greatcircle.COM Message-id: <9405261919.AA26619@caesv1.norden.utc.com> X-Envelope-to: firewalls@greatcircle.COM Content-transfer-encoding: 7BIT Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Does anyone know of virus-scanning software which will play on a unix (sparc-2, sunos 4.1.3) bastion host running with TIS Firewall Toolkit. The goal is to scan ftp'd data. Thanks Joe Merola Norden Systems Inc. From firewalls-owner Thu May 26 15:31:53 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id WAA14538; Thu, 26 May 1994 22:26:15 GMT Received: from cheetah.llnl.gov by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA14508; Thu, 26 May 1994 15:25:14 -0700 Received: (from karyn@localhost) by cheetah.llnl.gov (8.6.8.1/8.6.6) id PAA12792; Thu, 26 May 1994 15:26:21 -0700 Date: Thu, 26 May 1994 15:26:21 -0700 From: Karyn Pichnarczyk Message-Id: <199405262226.PAA12792@cheetah.llnl.gov> To: firewalls@greatcircle.com Subject: virus checking utilities Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Does anyone know of virus-scanning software which will play on a unix (sparc-2, sunos 4.1.3) bastion host running with TIS Firewall Toolkit. 
The goal is to scan ftp'd data. I'm not aware of anything that can check for PC or MAC viruses while the file is on a UNIX host. The big problem I see is that ftp'd data is usually not in executable form, it's usually zip'ed, uuencoded, or at least has gone through some sort of compression algorithm. Standard virus scanning packages just can't take into consideration all the modifications a file goes through when it's compressed, so I doubt that this sort of virus scanning can be done. Karyn Pichnarczyk CIAC Team From firewalls-owner Fri May 27 02:43:14 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id CAA15336; Fri, 27 May 1994 02:43:14 GMT Received: from bottom.magnus.acs.ohio-state.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA15330; Thu, 26 May 1994 19:43:06 -0700 Received: from localhost by bottom.magnus.acs.ohio-state.edu (8.6.4/4.940426) id WAA12600; Thu, 26 May 1994 22:44:33 -0400 Date: Thu, 26 May 1994 22:24:15 -0400 (EDT) From: Doug Karl Subject: NFS and X -- Internet tunnel to a "trusted" remote site To: reh@cs.umd.edu cc: Brad.Sipes@redwood.controls.eurotherm.com, Jon.Wagner@redwood.controls.eurotherm.com, Mike.Geipel@redwood.controls.eurotherm.com, firewalls@greatcircle.com Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Date: Tue, 17 May 1994 13:55:18 +0000 (GMT) In-Reply-To: Richard Huddleston's message of Thu, 12 May 1994 21:21:51 -0400 <199405130121.VAA12203@bedrock.cs.UMD.EDU> Subject: NFS and X -- Internet tunnel to a "trusted" remote site Sender: Firewalls-Owner@greatcircle.com * Our company has several sites, world-wide. A few of those sites * need to have their IP networks linked together for a cooperative * development project. We currently use dial-up (on-demand) * connections, and pay the long-distance charges for PPP modem * connections. But we need 64K or better. 
* * Within the US, leased lines are no problem. But a DS-0 to the UK * would cost each side $3000 per month. The obvious alternative is * to use the Internet connections at each end. * * So, if two sites on the Internet want to allow unlimited IP * access to each other but need to filter all other packets as * usual... what do they need to do (or buy) to make this tunnel * through the firewalls? * * And yes, this would include services like NFS and X. :-( * * Is there a way to make this point-to-point tunnel "safe" without * encryption at each end? What are the problems? If IP-level * encryption is required, is there a vendor that can supply the UK * without !@#$%^&* US export problems? * * Please respond via e-mail; I'll summarize if there's interest. * -- * Mike Geipel (N4IXJ) | Eurotherm Controls Inc. * Telephone: (703) 471-4870 x387 | 11485 Sunset Hills Road * "Mike.Geipel@Controls.Eurotherm.COM" | Reston, VA 22090-5286 Mike, The KarlBridge / KarlBrouter with encryption option will provide the firewall features and also will do the encryption you require. Since the Encryption algorithm was developed and implemented in the KarlBridge / KarlBrouter in the UK and then sent to the USA it is available outside the USA by purchasing the UK version of the KarlBridge / KarlBrouter for the sites outside USA and purchasing the USA version inside the USA. You can encrypt either the UDP/TCP portion of the IP packet and hence it will pass thru routers. You can also set up a virtual encrypted Ethernet between your remote offices where each Ethernet LAN in each of your remote offices looks like they are "bridged" together. This is nice if you have non-IP based machines (such as Novell, Apple, LanManager, etc.) The transport mechanism between each of these bridge boxes is IP over the Internet. The Ethernet payload is optionally encrypted. 
doug karl From firewalls-owner Fri May 27 04:39:34 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id EAA15810; Fri, 27 May 1994 04:39:34 GMT Received: from merlin.resmel.bhp.com.au by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA15797; Thu, 26 May 1994 21:37:58 -0700 Received: from [134.18.1.150] (gryphon.resmel.bhp.com.au) by merlin.resmel.bhp.com.au with SMTP id AA25281 (5.67b/IDA-1.5 for ); Fri, 27 May 1994 14:36:39 +1000 X-Sender: ianh@monster.resmel.bhp.com.au Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 27 May 1994 14:37:25 +1000 To: firewalls@greatcircle.com From: ianh@resmel.bhp.com.au (Ian Hoyle) Subject: TIS gateways not observing timeout Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Hi, I've been using v1.2 (and the newer 1.3 beta) of the TIS ftp-gw on my SGI gateway host for several weeks now and have noticed that I can have many ftp-gw processes running that are several days old. Right now I have 20 of them and while they are relatively "lightweight", they do still consume resources. I have a "timeout 3600" in my netperms file, but I'm still getting lots of these things hanging around, obviously _long_ after any real data has passed through them. Should they be dying off ?? Marcus Ranum (the toolkit's author) says so: > They *should* be, yes. Basically the timeout value is passed to >select (for all descriptors) so complete inactivity on all of them, for >the time stated in the timeout, should cause the program to exit. So, has anyone else seen this problem at all?? Is it a possible problem with the use of select() under Irix 5.x ?? ian PS this is under Irix 5.1.1.3 on an Indy. --- : Ian Hoyle, Senior Research Scientist /\/\ : BHP Research / / /\ : 245 Wellington Rd, Mulgrave, 3170, AUSTRALIA / / / \ : Phone +61-3-560-7066 / / / /\ \ : E-mail ianh@resmel.bhp.com.au \ \/ / / / : "Now I've got the bead on you with MY disintegrating gun. 
\ / / / : And when it disintegrates, brother it disintegrates. (pulls \/\/\/ : trigger). Well, what do you know, it disintegrated." : -- Duck Dodgers in the 24th and a half century From firewalls-owner Fri May 27 05:05:21 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id FAA15944; Fri, 27 May 1994 05:05:21 GMT Received: from bedrock.cs.UMD.EDU by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id WAA15938; Thu, 26 May 1994 22:05:10 -0700 Received: by bedrock.cs.UMD.EDU (8.6.9/UMIACS-0.9/04-05-88) id BAA05637; Fri, 27 May 1994 01:06:29 -0400 Date: Fri, 27 May 1994 01:06:29 -0400 From: reh@cs.UMD.EDU (Richard Huddleston) Message-Id: <199405270506.BAA05637@bedrock.cs.UMD.EDU> To: firewalls@GreatCircle.COM Subject: Re: Multi-Protocol Firewalls Cc: src@rigel.nemc.org Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk * Subject: Multi-Protocol Firewalls * From: "Scott R. Corzine" * * We have several projects being planned as separate WANs * interconnecting lots (>20 near-term) of different institutions and * practices (with hundreds of sites planned long-term). These are * being independently developed and are calling for a bunch of * different protocol suites, OS's, and WAN technologies connecting * through our planned (strong) firewall perimeter and into our core * network. All of this data is for health care and pretty * confidential. For starters, you have my sincere sympathy. Particularly on the part about each of these projects being independently developed. Here's my $0.02 : The number one problem I personally face, in a not-exactly-but-pretty similar situation, is getting a good description of just what kind of functionality the given project requires from its link. I don't think you can begin to do security management until the requirements are defined, and I think you (or your capable staff members) want to be involved at the very earliest planning stages of the project. 
You can explore alternatives, do reality-checking, and get a head start on
equipment requisitions this way. There's nothing more dangerous to your
network than a net-clueless project manager with a desire to win a
potential client. Not only that, but by being informed of the requirements
in advance you avoid being paged at 4:00 AM because the PM arranged a
major demo of the app your company is building for a client in Europe --
and everybody's screaming because Europe can't reach your development
application server via Internet :). (Please pardon the US-centricity of
the example.)

Next, I think a great deal depends on how those WAN links are coming in to
your site. If you've got several data lines running in to your site, and
your LAN is well segmented, then multi-protocol routers can be easily
configured to create vnets that are limited to a particular segment.
Protocol-specific access lists then put a barrier to packet penetration
into the outside-facing interface. I'm not above being Draconian, either:
two of six WAN links coming into my employer's site terminate at
stand-alone machines with no local LAN access. Two other links terminate
into stub networks that're also not physically connected to the local LAN.
My personal experience is that the folks running projects couldn't care
less how it's wired as long as the requirements are being met. So, my
security problem is essentially reduced to two lines.

Multi-protocol b-hosts: Perhaps I'm just cranked at Solaris 2, but I am
more or less resigned to having to beat Windows NT/AS into a multi-protocol
bastion host OS. Unix vendors just aren't moving fast or reliably enough,
IMHO. The design problems faced in using WinNT/AS this way are far from
resolved, but I really don't see a better alternative on the horizon.
This, of course, is a personal opinion: flames/comments to e-mail, please.

* We will be running IP through the firewall, Banyan Vines is planned,
* SNA and Novell and NetBIOS have been requested, and I wouldn't be
* surprised if someone wants AppleTalk and whatever Microsoft is
* backing for Windows for Workgroups (and NT). Since we can't route
* everything we'll be bridging too. Also Vines, Novell, and AppleTalk
* do/can have both IP and SNA traffic tunnelled through them.

My suggestion here would be to make at least one good multi-protocol
router an important part of your firewall -- in *addition* to whatever
you're currently using to secure your Internet link. It will probably be a
pain in the rear to configure this router to do what you want; may as well
focus your administrative discomfort on one device.

* Questions:

Most addressed above...

* -Can bridged traffic meaningfully be secured through a firewall?

I personally don't see how, but I welcome enlightenment ;).

* -Are these proprietary protocols secure and/or well documented?

They do not seem to be documented in the same sense that SNA or IP is.

* -How do I refute vendor claims that their proprietary protocols are
* so secure they don't need a firewall (or are they right)?

I captured, diddled, and played back the essentials from a Vines session
for a client who'd heard that from Banyan representatives; I was able to
successfully gain server access without any significant trouble at all.
I haven't completely figured out the Vines protocol, but what made it easy
was that the spoof was conducted from a "Vines serverless" segment. There
may be other, greater, weaknesses in Vines that are inherent to the
protocol. I wish I knew. Novell reps can usually be silenced by a reference
to HACK.EXE... There's probably an IPX/SAP whiz lurking here that can speak
to this one. AppleTalk seems about as secure as Vines, from what very
little I've seen of it.

* -What are the risks of doing all of this when some of the protocols
* aren't completely understood by the staff who has to run this?

To paraphrase Marcus Ranum, the way to trouble is marked by using tools
that you don't understand very well.

* -Does it make sense to spend a lot of effort building a solid
* IP-only firewall if there are these other backdoor protocols?

I think so. How much of your traffic, and from what source, is IP-based?
If the answer is "most of it, from Internet" then attacks are more likely
going to reach you via IP.

* -Scott R. Corzine-
* New England Medical Center

Richard

From firewalls-owner Thu May 26 23:21:59 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id GAA16250; Fri, 27 May 1994 06:14:36 GMT
Received: from swissbank.swissbank.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id XAA16244; Thu, 26 May 1994 23:14:23 -0700
Received: by swissbank.swissbank.com with UUCP (4.1/BK-1.9) id AA02147; Fri, 27 May 94 01:16:42 CDT
Received: from il.us.swissbank.com (oconnor) by gatekeeper.swissbank.com (4.1/BK-1.8) id AA19275; Fri, 27 May 94 01:14:32 CDT
Received: from chmail.ch.swissbank.com (chmailhost) by il.us.swissbank.com (4.1/SMI-4.1) id AA15158; Fri, 27 May 94 01:15:49 CDT
Received: from chbslu01 by chmail.ch.swissbank.com with SMTP id AA19650 (5.67a/IDA-1.5 for ); Fri, 27 May 1994 08:15:57 +0200
Received: from merlin. by chbslu01 (5.0/SMI-SVR4) id AA02023; Fri, 27 May 1994 08:18:18 --100
From: Tschopp.Adrian@ch.swissbank.com (Tschopp Adrian)
Message-Id: <9405270618.AA02023@chbslu01>
Received: by merlin. (NX5.67c/NX3.0X) id AA00601; Fri, 27 May 94 08:15:49 +0200
Date: Fri, 27 May 94 08:15:49 +0200
Received: by NeXT.Mailer (1.87.1)
Received: by NeXT Mailer (1.87.1)
To: Firewalls@GreatCircle.COM
Subject: Re: Netcure.zip
Content-Length: 818
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> Sorry to interrupt, but is there anyone that wanted a
> copy of NetCure.Zip? It is a network analysis tool that
> shows percentages of packets from which host and other
> statistical facts.
> I will send a uuencoded copy to anyone
> who requests it. I think I didn't fill two requests
> because of some system problems.
>
> -Nate

Can you please send a copy to me!

Thanks
Adrian

PS: Sorry that I'm sending this mail to the list, but I got an error
replying to this mail directly to nlawson@kilby.elee.calpoly.edu
(Nathaniel Lawson)!

---
-------------------------------------------------------------
Adrian U. Tschopp            Tel:  +41-61-288 42 06
Swiss Bank Corporation       Fax:  +41-61-288 78 47
CH-4002 Basel                Mail: Tschopp.Adrian@ch.swissbank.com
-------------------------------------------------------------

From firewalls-owner Fri May 27 06:36:28 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id GAA16427; Fri, 27 May 1994 06:36:28 GMT
Received: from enuucp.eas.asu.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id XAA16421; Thu, 26 May 1994 23:36:06 -0700
Received: from titan.UUCP by enuucp.eas.asu.edu with UUCP id AA20146 (5.65c/IDA-1.4.4 for greatcircle.com!firewalls); Thu, 26 May 1994 23:44:39 -0700
Received: from localhost by titan with SMTP id <15530>; Wed, 25 May 1994 09:08:21 -0700
To: pc@sunbim.be (Philippe Cayphas)
Cc: firewalls@greatcircle.com
Subject: Re: PC-NFS firewall
In-Reply-To: Your message of "Tue, 24 May 1994 04:49:41 MST." <9405241149.AA28889@prince.sunbim.be>
Date: Wed, 25 May 1994 09:14:15 -0700
From: Gustavo Vegas
Message-Id: <94May25.090821mst.15530@titan>
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hello,

I believe some terms are confused here. A firewall is used to protect and
restrict access to the services provided on a network, especially if the
services may be abused in order to gain unauthorized access to
administrative accounts and perhaps gather or destroy proprietary
information. NFS is one of such services. Offering it through a "firewall"
would create an oxymoron.

Perhaps what your friend should look into is a "server" configured to
offer Secure RPC and secure NFS, which gives an extra level of
authentication. Such a server should not be (or be considered) a firewall.
Other possibilities are to use NFS over TCP (instead of UDP)
implementations as well. I am not aware if any of these configurations
would be usable/useful by the Sun product called PC/NFS. There may be other
implementations of NFS for MSDOS/Windows that would use secure NFS and/or
NFS over TCP. IMHO, you ought to shop around.

Cheers,
--------
===========================================+===========================
Gustavo Vegas                              titan!gustavo@enuucp.eas.asu.edu
CAD Systems Administrator                  Microchip Technology Inc.
                                           Chandler, Arizona
===========================================+===========================

From firewalls-owner Fri May 27 11:24:03 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id LAA17955; Fri, 27 May 1994 11:24:03 GMT
Received: from callisto.eci-esyst.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id EAA17949; Fri, 27 May 1994 04:23:54 -0700
From: fwnews@callisto.eci-esyst.com
Received: from gorgon.ESYSTEMS ([191.254.10.111]) by callisto.eci-esyst.com (4.1/SMI-4.1) id AA23652; Fri, 27 May 94 07:18:54 EDT
Date: Fri, 27 May 94 07:18:54 EDT
Message-Id: <9405271118.AA23652@callisto.eci-esyst.com>
To: pc@sunbim.be, titan!gustavo@enuucp.eas.asu.edu
Subject: Re: PC-NFS firewall
Cc: firewalls@GreatCircle.COM, admin@callisto.eci-esyst.com
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Does anyone know of a product that offers NFS for the PC (and/or others)
layered on TCP instead of UDP?

Thanks. :-)

===============================================================
S.D.Eason, Engineer          | "And whatsoever ye do, do it
E-Systems, ECI Division      | heartily, as to the Lord, and
1501 72nd Street North       | and not unto men..."
St. Pete, Florida 33710      | Colossians 3:23
---------------------------------------------------------------
E-mail : sdeb@eci-esyst.com  | Phone : (813)381-2000 X2124
===============================================================

From firewalls-owner Fri May 27 06:22:01 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA18488; Fri, 27 May 1994 13:17:33 GMT
Received: from mentor.cc.purdue.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id GAA18474; Fri, 27 May 1994 06:17:18 -0700
Received: from freh-02.adpc.purdue.edu by mentor.cc.purdue.edu (5.61/Purdue_CC) id AA26619; Fri, 27 May 94 08:18:43 -0500
Received: from FREH-02/MERCURY_MAIL by freh-02.adpc.purdue.edu (Mercury 1.11); Fri, 27 May 94 8:18:54
Received: from MERCURY_MAIL by FREH-02 (Mercury 1.11); Fri, 27 May 94 8:18:24
To: firewalls@Greatcircle.com
From: "Michael S. Hines"
Organization: Purdue University
Date: 27 May 94 08:18:21 EST
Subject: Re: virus checking utilities
Priority: normal
X-Mailer: Pegasus Mail v2.3 (R5).
Message-Id: <2879CBC7BC5@freh-02.adpc.purdue.edu>
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Karyn, et al...

(disclaimer: this is probably not firewalls related)

There was talk at last year's FIRST Workshop in St. Louis about such a
product that could search various forms of compressed files as well as
native binaries on UNIX ftp servers, for Intel type MS/PC-DOS programs.
The value was that the anonymous ftp site could periodically scan its
holdings for "unfriendly" software. I don't know if the concept advanced
beyond the talk stages or not. Seems like a good idea, with numerous UNIX
systems holding millions of bytes of DOS programs for worldwide
distribution.

Of course, this in no way reduced the individual user's responsibility to
monitor the integrity of programs on his/her computer.

While we're off subject.... does anyone know of a Tripwire like product
for MS-DOS or Windows that will monitor operating system integrity? Seems
like the risk and vulnerabilities are just as great, and the installed
base even larger. (running for cover, before mjr. "fires at Will".. :)

Thx.

> Does anyone know of virus-scanning software which will play on a unix
> (sparc-2, sunos 4.1.3) bastion host running with TIS Firewall Toolkit.
>
> The goal is to scan ftp'd data.
>
>I'm not aware of anything that can check for PC or MAC viruses while
>the file is on a UNIX host.
>
>The big problem I see is that ftp'd data is usually not in executable
>form, it's usually zip'ed, uuencoded, or at least has gone through
>some sort of compression algorithm. Standard virus scanning packages
>just can't take into consideration all the modifications a file goes
>through when it's compressed, so I doubt that this sort of virus
>scanning can be done.
>
>Karyn Pichnarczyk
>CIAC Team

----------------------------------------------------------------------
Internet: mshines@ia.purdue.edu   | Michael S. Hines
Bitnet: michaelh@purccvm          | Sr. Information Systems Auditor
Purdue WIZARD Mail: MSHINES       | Purdue University
GTE Net Voice: (317) 494-5845     | 1065 Freehafer Hall
GTE Net FAX: (317) 496-1814       | West Lafayette, IN 47907-1065
CompuServe: 73240,1631            |
America On-Line: mysterios        |

From firewalls-owner Fri May 27 13:29:27 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA18547; Fri, 27 May 1994 13:29:27 GMT
Received: from relay.tis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id GAA18541; Fri, 27 May 1994 06:29:10 -0700
Received: by relay.tis.com id AA05483; Fri, 27 May 94 09:30:33 EDT
Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3mjr) id sma005477; Fri May 27 09:29:48 1994
Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA09951; Fri, 27 May 94 09:28:47 EDT
Message-Id: <9405271328.AA09951@tis.com>
From: Frederick M Avolio
X-Organization: Trusted Information Systems, Inc.
X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363
To: ianh@resmel.bhp.com.au (Ian Hoyle)
Cc: firewalls@greatcircle.com
Subject: Re: TIS gateways not observing timeout
In-Reply-To: Your message of Fri, 27 May 94 14:37:25 +1000.
Date: Fri, 27 May 94 09:28:40 -0400
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I'm not enforcing policy here, since it is not my job. Let me suggest that
TIS Firewall specific questions might be better stated to a smaller
audience such as the list specific to the TIS Firewall (requests to
fwall-users-request@tis.com, list is fwall-users@tis.com).

Fred

> Hi,
>
> I've been using v1.2 (and the newer 1.3 beta) of the TIS ftp-gw on my SGI
> gateway host for several weeks now and have noticed that I can have many
> ftp-gw processes running that are several days old. Right now I have
> 20 of them and while they are relatively "lightweight", they do still
> consume resources.
>
> I have a "timeout 3600" in my netperms file, but I'm still getting lots
> of these things hanging around, obviously _long_ after any real data has
> passed through them. Should they be dying off ??
>
> Marcus Ranum (the toolkit's author) says so:
>
> > They *should* be, yes. Basically the timeout value is passed to
> >select (for all descriptors) so complete inactivity on all of them, for
> >the time stated in the timeout, should cause the program to exit.
>
> So, has anyone else seen this problem at all?? Is it a possible problem
> with the use of select() under Irix 5.x ??
>
> ian
>
> PS this is under Irix 5.1.1.3 on an Indy.
>
>
> ---
>              : Ian Hoyle, Senior Research Scientist
>    /\/\      : BHP Research
>   / / /\     : 245 Wellington Rd, Mulgrave, 3170, AUSTRALIA
>  / / /  \    : Phone +61-3-560-7066
> / / / /\ \   : E-mail ianh@resmel.bhp.com.au
> \ \/ / / /   : "Now I've got the bead on you with MY disintegrating gun.
>  \  / / /    :  And when it disintegrates, brother it disintegrates. (pulls
>   \/\/\/     :  trigger). Well, what do you know, it disintegrated."
>              :  -- Duck Dodgers in the 24th and a half century
>

From firewalls-owner Fri May 27 16:08:40 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA19446; Fri, 27 May 1994 16:08:40 GMT
Received: from clavin.uprc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA19440; Fri, 27 May 1994 09:08:28 -0700
Received: from cygnus.uprc.com by clavin.uprc.com (4.1/3.2.012693-Union Pacific Resources Company); id AA25943 for firewalls@greatcircle.com; Fri, 27 May 94 11:07:45 CDT
Received: by cygnus.uprc.com (5.0/SMI-SVR4) id AA06945; Fri, 27 May 1994 11:07:42 +0600
Date: Fri, 27 May 1994 11:07:42 +0600
From: lacoursj@uprc.com (Jeffrey D. LaCoursiere)
Message-Id: <9405271607.AA06945@cygnus.uprc.com>
To: firewalls@greatcircle.com
Subject: SNK checksum generation
X-Sun-Charset: US-ASCII
Content-Length: 3333
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

At long last, an snkkey that will spit out checksum info when loading your
keys... Sorry it took so long to get this posted - had to wait for
permission from the Digital Pathways folks. Many thanks to mjr and Steve
Bellovin for putting up with my constant queries. Thanks also to
jayb@qsun.att.com for the observations that eventually led to cracking
the algorithm used :->

Jeff LaCoursiere
Network Admin
UPRC
Ft. Worth, TX

/**********************************************************************
THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE
**********************************************************************/
/*-
 * Copyright (c) 1993, Trusted Information Systems, Incorporated
 * All rights reserved.
 *
 * Redistribution and use are governed by the terms detailed in the
 * license document ("LICENSE") included with the toolkit.
 */
/*
 * Author: Marcus J. Ranum, Trusted Information Systems, Inc.
 */
static char RcsId[] = "$Header: snkkey.c,v 1.1 93/10/20 11:14:40 mjr rel $";

/* the header names on the two #include lines were lost in the archived
   copy; these are the standard headers for the library calls used below */
#include <stdio.h>
#include <stdlib.h>     /* srandom(), exit() */
#include <strings.h>    /* bcopy() */
#include <time.h>       /* time() */

extern long random();

#include "des.h"        /* DES routines shipped with the toolkit */

/* This is a simple hack to produce pretty random shared secrets
   for Digital Pathways SNK units. mjr.
*/
int
main()
{
	char buf[BUFSIZ];
	des_key_schedule keysched;
	des_cblock cblock;
	char cbuf[12];
	int seed, i, j;
	long now;
	long quad1;
	long quad2;
	unsigned char *p1, *p2;
	unsigned long kval = 0;

	/* generate a seed from user typomatic */
	fprintf(stderr, "Enter a line of text as a seed: ");
	fgets(buf, sizeof(buf), stdin);
	des_string_to_key(buf, cblock);
	des_set_key(cblock, keysched);
	des_ecb_encrypt(buf, cbuf, keysched, DES_ENCRYPT);

	/* stuff raw cipherstuff into the seed */
	bcopy(cbuf, &seed, sizeof(int));
	time(&now);
	/* note: random() is not a cryptographic generator; everything that
	   follows is determined by this one int-sized seed (DES output of
	   the typed line, XORed with the clock) */
	srandom(seed ^ (int)now);

	/* that should satisfy casual users */
	quad1 = random();
	quad2 = random();
	p1 = (unsigned char *)&quad1;
	p2 = (unsigned char *)&quad2;

	/*
	 * set up key using generated octals
	 */
	for (i = 0; i < 4; i++) {
		cblock[i] = p1[i];
		cblock[i + 4] = p2[i];
	}
	des_set_key(cblock, keysched);

	/*
	 * encrypt string of nulls for checksum
	 */
	/* zeroize the entire buffer */
	for (i = 0; i < 9; i++)
		buf[i] = '\0';
	des_ecb_encrypt(buf, cbuf, keysched, DES_ENCRYPT);

	/* pull some bits out of the ciphertext into a long */
	for (i = 0; i < 4; i++)
		for (j = 0; j < 8; j++)
			kval = (kval << 1) | ((cbuf[i] >> (7 - j)) & 1);

	/*
	 * make a hex string - strip off last two chars
	 */
	sprintf(buf, "%08lx", kval);
	buf[6] = '\0';

	/* ugly but effective :-> */
	printf("Enter into snk:");
	printf("%3.3o %3.3o %3.3o %3.3o ", p1[0], p1[1], p1[2], p1[3]);
	printf("%3.3o %3.3o %3.3o %3.3o\n", p2[0], p2[1], p2[2], p2[3]);
	printf("Checksum: %s\n", buf);
	exit(0);
}

From firewalls-owner Fri May 27 17:44:14 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA19903; Fri, 27 May 1994 17:44:14 GMT
Received: from firewall.mainsoft.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA19897; Fri, 27 May 1994 10:44:05 -0700
Received: from mainsoft.mainsoft.com ([192.187.191.210]) by firewall.mainsoft.com (4.1/SMI-4.1) id AA02748; Fri, 27 May 94 10:34:35 PDT
Received: from bamako.mainsoft.com by mainsoft.mainsoft.com (4.1/SMI-4.1) id AA28191; Fri, 27 May 94 10:49:35 PDT
Date: Fri, 27 May 94 10:49:35 PDT
From: jluu@mainsoft.com (Jose Luu)
Message-Id: <9405271749.AA28191@mainsoft.mainsoft.com>
To: firewalls@greatcircle.com
Subject: Firewalls and internet security book available
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Firewalls and internet security book:
There are still some at Computer literary bookshop
info@clbooks.com

This book is a real jewel for the hacker too !!!

From firewalls-owner Fri May 27 18:20:12 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id SAA20084; Fri, 27 May 1994 18:20:12 GMT
Received: from cae.retix.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id LAA20076; Fri, 27 May 1994 11:19:59 -0700
Received: from sleepy.retix.com (sleepy.retix.com [163.182.52.17]) by cae.retix.com (8.6.7/8.6.4) with ESMTP id LAA04384; Fri, 27 May 1994 11:17:45 -0700
From: joshua geller
Received: (joshua@localhost) by sleepy.retix.com (8.6.7/8.6.4) id LAA04584; Fri, 27 May 1994 11:20:42 -0700
Date: Fri, 27 May 1994 11:20:42 -0700
Message-Id: <199405271820.LAA04584@sleepy.retix.com>
To: firewalls@GreatCircle.COM, jluu@mainsoft.com
Subject: Re: Firewalls and internet security book available
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> From firewalls-owner@GreatCircle.COM Fri May 27 11:15:48 1994
> Date: Fri, 27 May 94 10:49:35 PDT
> From: jluu@mainsoft.com (Jose Luu)
> To: firewalls@GreatCircle.COM
> Subject: Firewalls and internet security book available
> Sender: Firewalls-Owner@GreatCircle.COM
> Content-Length: 158
>
>
>
> Firewalls and internet security book:
> There are still some at Computer literary bookshop
> info@clbooks.com
>
> This book is a real jewel for the hacker too !!!
>

do you have a point?

josh

From firewalls-owner Fri May 27 18:46:02 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id SAA20273; Fri, 27 May 1994 18:46:02 GMT
Received: from Sun.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id LAA20262; Fri, 27 May 1994 11:45:13 -0700
Received: from West.Sun.COM (west.West.Sun.COM) by Sun.COM (sun-barr.Sun.COM) id AA07166; Fri, 27 May 94 11:45:31 PDT
Received: from maui.West.Sun.COM by West.Sun.COM (5.0/SMI-5.3) id AA08774; Fri, 27 May 1994 11:45:16 +0800
Received: from twiddle.West.Sun.COM by maui.West.Sun.COM (4.1/SMI-4.1) id AA11775; Fri, 27 May 94 11:45:15 PDT
Received: by twiddle.West.Sun.COM (5.0/SMI-SVR4) id AA28293; Fri, 27 May 1994 11:46:14 +0800
Date: Fri, 27 May 1994 11:46:14 +0800
From: Paul.Danielson@West.Sun.COM (Paul Danielson)
Message-Id: <9405271846.AA28293@twiddle.West.Sun.COM>
To: merola@caesv1.norden.utc.com
Subject: Re: virus checking utilities
Cc: firewalls@GreatCircle.com
X-Sun-Charset: US-ASCII
Content-Length: 580
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

If you run a PC or MAC emulator on your Sun, you should be able to run any
of the standard virus checking programs. So the only problem is to get the
ftp'ed stuff into a format that the programs can read. You could try
modifying the ftp proxy service to duplicate the downloaded file. Send one
copy to whoever asked for it, as usual, and send the other copy off to a
checking directory. Decrypt based on the filename, and then scan. If the
decryption fails, send yourself a note. I think that this is as close to
automatic virus scanning as you are going to get right now.

Paul

From firewalls-owner Fri May 27 19:36:26 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA20554; Fri, 27 May 1994 19:36:26 GMT
Received: from sealex.kaman.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA20548; Fri, 27 May 1994 12:36:14 -0700
Received: by sealex.kaman.com (5.65/fma-120691); id AA28861; Fri, 27 May 94 15:36:45 -0400
Received: by mach10.utica1.kaman.com (4.1/1.34/Kaman-1.2) id AA14198; Fri, 27 May 94 15:37:50 EDT
Date: Fri, 27 May 94 15:37:50 EDT
From: edk@mach10.utica1.kaman.com (Edward F Killian)
Message-Id: <9405271937.AA14198@mach10.utica1.kaman.com>
To: firewalls@greatcircle.com, jluu@mainsoft.com, joshua@cae.retix.com
Subject: Re: Firewalls and internet security book available
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I know that I am replying to the whole list, but is there a way that we
can stop replying to the whole list please. I would hope that discussions
between users to be directed to just those users. Please reply to "sender"
and not to all.

Thanks.

Ed

> From firewalls-owner@GreatCircle.COM Fri May 27 15:34:54 1994
> From: joshua geller
> Date: Fri, 27 May 1994 11:20:42 -0700
> To: firewalls@GreatCircle.COM, jluu@mainsoft.com
> Subject: Re: Firewalls and internet security book available
> Sender: Firewalls-Owner@GreatCircle.COM
> Content-Length: 498
>
>
> > From firewalls-owner@GreatCircle.COM Fri May 27 11:15:48 1994
> > Date: Fri, 27 May 94 10:49:35 PDT
> > From: jluu@mainsoft.com (Jose Luu)
> > To: firewalls@GreatCircle.COM
> > Subject: Firewalls and internet security book available
> > Sender: Firewalls-Owner@GreatCircle.COM
> > Content-Length: 158
> >
> >
> >
> > Firewalls and internet security book:
> > There are still some at Computer literary bookshop
> > info@clbooks.com
> >
> > This book is a real jewel for the hacker too !!!
> >
>
> do you have a point?
>
> josh
>

From firewalls-owner Fri May 27 22:16:26 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id WAA21250; Fri, 27 May 1994 22:16:26 GMT
Received: from relay.tis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA21244; Fri, 27 May 1994 15:16:16 -0700
Received: by relay.tis.com id AA10486; Fri, 27 May 94 18:18:02 EDT
Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3mjr) id sma010480; Fri May 27 18:17:08 1994
Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA14735; Fri, 27 May 94 18:16:12 EDT
Message-Id: <9405272216.AA14735@tis.com>
To: firewalls@greatcircle.com
Subject: Call for Papers - 1995 ISOC Symp. on Netw. and Distr. Sys. Security
Date: Fri, 27 May 94 18:16:10 -0400
From: "David M. Balenson"
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

CALL FOR PAPERS

The Internet Society Symposium on Network and Distributed System Security
16-17 February 1995, Catamaran Hotel, San Diego, California

GOAL: The symposium will bring together people who are building software
and/or hardware to provide network and distributed system security
services. The symposium is intended for those interested in the more
practical aspects of network and distributed system security, focusing on
actual system design and implementation, rather than in theory. We hope to
foster the exchange of technical information that will encourage and
enable the Internet community to apply, deploy and advance the state of
the available security technology. Symposium proceedings will be published
by the Internet Society.

Topics for the symposium include, but are not limited to, the following:

* Design and implementation of security services -- access control,
  authentication, availability, confidentiality, integrity, and
  non-repudiation.

* Design and implementation of security mechanisms and support services
  -- encipherment, authentication, and key management systems, including
  fair cryptography -- access control, authorization and audit systems --
  and intrusion detection systems.

* Requirements and designs for securing distributed applications and
  network functions -- message handling, file transport, remote file
  access, directories, time synchronization, interactive sessions, remote
  data base management and access, routing, voice and video multicast and
  conferencing, news groups, network management, boot services, mobile
  computing, and remote I/O.

* Requirements and designs for securing networked information resources
  and tools -- Archie servers, the Wide Area Information Servers (WAIS),
  the Internet Gopher, and the WorldWide Web (WWW).

* Design and implementation of measures for controlling internetwork
  communication and services in a coherent manner -- firewalls, packet
  filters, application gateways, and user/host authentication schemes.

* Requirements and designs for telecommunications security especially for
  emerging technologies -- very large systems like the international
  Internet, high-speed systems like the gigabit testbeds, wireless
  systems, and personal communication systems.

* Special issues and problems in security architecture, such as interplay
  between security goals and other goals -- efficiency, reliability,
  interoperability, resource sharing, and cost.

GENERAL CHAIR:
Jim Ellis, CERT Coordination Center

PROGRAM CHAIRS:
David Balenson, Trusted Information Systems
Rob Shirey, The MITRE Corporation

PROGRAM COMMITTEE:
Tom Berson, Anagram Laboratories
Matt Bishop, University of California at Davis
Ravi Ganesan, Bell Atlantic
Burt Kaliski, RSA Laboratories
Steve Kent, BBN Communications
Paul Lambert, Motorola
John Linn, OpenVision Technologies
Clifford Neuman, Information Sciences Institute
Hilarie Orman, University of Arizona
Michael Roe, Cambridge University (UK)
Rob Rosenthal, U.S. National Institute of Standards and Technology
Jeff Schiller, Massachusetts Institute of Technology
Mike St. Johns, Advanced Research Projects Agency
Peter Yee, U.S. National Aeronautics and Space Administration
Roberto Zamparo, Telia Research (Sweden)

SUBMISSIONS: The committee invites both technical papers and proposals
for panel discussions on technical and other topics of general interest.
Technical papers should be 10-20 pages in length. Panel proposals should
be two pages in length, and should describe the panel topic, name the
panel chair, explain the format of the panel, and list three to four
potential panelists. The technical papers will appear in the proceedings.
Panel chairs and panelists will have the option of having written
statements appear in the proceedings.

All submissions should contain a separate title page which includes the
type of submission (paper or panel), the title or topic, the names of the
author(s), organizational affiliation(s), telephone and FAX numbers,
postal addresses, Internet electronic mail addresses, and the point of
contact, if more than one author. Since the review process will be
anonymous, the author's names, affiliations and other information should
appear only on the separate title page.

Deadline for paper submission:     August 15, 1994
Notification sent to authors by:   October 17, 1994
Deadline for camera-ready copy:    November 15, 1994

Submissions must be made by 15 August 1994. Submissions should be made via
electronic mail. Submissions may be in either of two formats: PostScript
or ASCII. If the committee is unable to print a PostScript submission, it
will be returned and ASCII requested. Therefore, PostScript submissions
should arrive well before 15 August. If electronic submission is
absolutely impossible, submissions should be sent via postal mail.

All submissions and other correspondence should be directed to the
Program Co-Chair:

David M. Balenson
Trusted Information Systems, Inc.
3060 Washington Road (Rt. 97)
Glenwood, Maryland 21738 USA
Phone: 301-854-6889
FAX: 301-854-5363
Email: balenson@tis.com

Each submission will be acknowledged through the medium by which it is
received. If acknowledgment is not received within seven days, please
contact the Program Co-Chair as indicated above.

Authors and panelists will be notified of acceptance by 17 October 1994.
Instructions for preparing camera-ready copy for the proceedings will be
postal mailed at that time. The camera-ready copy must be received by
15 November 1994.

-----

From firewalls-owner Fri May 27 23:19:46 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id XAA21468; Fri, 27 May 1994 23:19:46 GMT
Received: from ax.ibase.br by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA21462; Fri, 27 May 1994 16:19:33 -0700
Received: by ax.ibase.br (8.6.8.1/Revision: 1.11 ) id UAA01148; Fri, 27 May 1994 20:18:43 -0300
From: Fernando Cabral
To: fwnews@callisto.eci-esyst.com, pc@sunbim.be, enuucp.eas.asu.edu!titan!gustavo@boemia.pix.com.br
Subject: Re: PC-NFS firewall
Cc: firewalls@greatcircle.com, admin@callisto.eci-esyst.com
X-Mailer: ScoMail 1.0
Date: Fri, 27 May 1994 16:40:13 +0100 (BST)
Message-ID: <9405271640.aa03376@boemia.pix.com.br>
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

=>
=> Does anyone know of a product that offers NFS for the PC (and/or others)
=> layered on TCP instead of UDP?

On the DOS side: PC/TCP (FTP/Software). You can use either UDP or TCP.
If the server only knows UDP, then it falls back to UDP.

On the UNIX side: HP-UX, for one.

- fernando

Fernando Cabral                      fcabral@ibase.br
PADRAO iX Sistemas Abertos           voice: +55 61 274-6092
fax: +55 61 274-5302                 Modem: +55 61 273-5559

From firewalls-owner Sat May 28 07:45:47 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id HAA23553; Sat, 28 May 1994 07:45:47 GMT
Received: from chinacat.unicom.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id AAA23547; Sat, 28 May 1994 00:45:37 -0700
Received: from coldsnap.unicom.com by chinacat.unicom.com with smtp (smail3.1.28.1) id m0q7J6V-0001F2C; Sat, 28 May 94 02:46 CDT
Received: from localhost by coldsnap.unicom.com (smail3.1.28.1) id m0q7J6i-0002LzC; Sat, 28 May 94 02:47 CDT
To: firewalls@greatcircle.com
Newsgroups: local.maillist.firewalls
Path: chip
From: chip@chinacat.unicom.com (Chip Rosenthal)
Subject: Re: virus checking utilities
Organization: Unicom Systems Development, Austin, TX
Date: Sat, 28 May 1994 07:46:47 GMT
Message-ID:
References: <199405262226.PAA12792@cheetah.llnl.gov>
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

In article <199405262226.PAA12792@cheetah.llnl.gov>, Karyn Pichnarczyk wrote:
>
> Does anyone know of virus-scanning software which will play on a unix
> (sparc-2, sunos 4.1.3) bastion host running with TIS Firewall Toolkit.
>
> The goal is to scan ftp'd data.
>
>I'm not aware of anything that can check for PC or MAC viruses while
>the file is on a UNIX host.

Check out entry "930514.11" in the comp.newprod archives. (Sorry...looks
like keyword searching is busted at the moment. Will try to fix that this
weekend.) The newprod archives are available at:

    http://www.metronet.com/
    gopher://gopher.metronet.com/

I'm not vouching for the product. I just recall approving the posting in
the dark distant past.

--
Chip Rosenthal 512-447-0577 | I figure the odds be fifty-fifty
Unicom Systems Development  | I just might have some thing to say.
                            |     -FZ

From firewalls-owner Sat May 28 01:22:08 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id IAA23648; Sat, 28 May 1994 08:00:36 GMT
Received: from anon.penet.fi by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id BAA23640; Sat, 28 May 1994 01:00:28 -0700
Received: by anon.penet.fi (5.67/1.35) id AA01768; Sat, 28 May 94 10:50:28 +0300
Message-Id: <9405280750.AA01768@anon.penet.fi>
To: firewalls@greatcircle.com
From: an35331@anon.penet.fi
X-Anonymously-To: firewalls@greatcircle.com
Organization: Anonymous contact service
Reply-To: an35331@anon.penet.fi
Date: Sat, 28 May 1994 07:50:27 UTC
Subject: Cisco software update?
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hi, it's me, the paranoid one again.

If memory serves, I believe a Cisco employee had let it be known that
Cisco was planning on upgrading their router software to include
source port based filtering, and if I rightly recall, this was
supposed to happen early this year.

Does anybody have the latest status of this tidbit? I'm keen to get it
installed.

-------------------------------------------------------------------------
To find out more about the anon service, send mail to help@anon.penet.fi.
Due to the double-blind, any mail replies to this message will be anonymized,
and an anonymous id will be allocated automatically. You have been warned.
Please report any problems, inappropriate use etc. to admin@anon.penet.fi.
From firewalls-owner Sat May 28 14:00:58 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA24778; Sat, 28 May 1994 14:00:58 GMT Received: from runix.runit.sintef.no by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id HAA24772; Sat, 28 May 1994 07:00:51 -0700 Received: from runit.sintef.no by runix.runit.sintef.no id <01421-0@runix.runit.sintef.no>; Sat, 28 May 1994 16:02:09 +0200 Date: Sat, 28 May 1994 16:02:06 +0200 (MET DST) From: Steinar Haug Subject: Re: Cisco software update? To: firewalls@GreatCircle.COM Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > If memory serves, I believe a Cisco employee had let it be known that > Cisco was planning on upgrading their router software to include > source port based filtering, and if I rightly recall, this was > supposed to happen early this year. I haven't heard anything about source port filtering, sorry. I *do* know that *inbound* filtering is available on cisco routers now; it is in 9.21 as far as I remember. It has a serious performance penalty, though: It turns off fast switching in the entire router. 
Steinar Haug, SINTEF RUNIT, University of Trondheim, NORWAY
Email: Steinar.Haug@runit.sintef.no

From firewalls-owner Sat May 28 14:05:32 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA24816; Sat, 28 May 1994 14:05:32 GMT
Received: from runix.runit.sintef.no by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id HAA24810; Sat, 28 May 1994 07:05:25 -0700
Received: from runit.sintef.no by runix.runit.sintef.no id <01588-0@runix.runit.sintef.no>; Sat, 28 May 1994 16:06:56 +0200
Date: Sat, 28 May 1994 16:06:53 +0200 (MET DST)
From: Steinar Haug
Subject: Re: PC-NFS firewall
To: firewalls@GreatCircle.COM
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> => Does anyone know of a product that offers NFS for the PC (and/or
> => others) layered on TCP instead of UDP?
>
> On the DOS side: PC/TCP (FTP/Software). You can use either UDP or TCP.
> If the server only knows UDP, then it falls back to UDP.
>
> On the UNIX side: HP-UX, for one.

Maybe you have access to a newer release of HP-UX than the rest of us. The newest release I have access to is 9.03, and as far as I know there is no NFS over TCP in 9.03.
Steinar Haug, SINTEF RUNIT, University of Trondheim, NORWAY
Email: Steinar.Haug@runit.sintef.no

From firewalls-owner Sun May 29 05:08:55 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id FAA27322; Sun, 29 May 1994 05:08:55 GMT
Received: from alsys1.aecom.yu.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id WAA27316; Sat, 28 May 1994 22:08:48 -0700
Received: from yu1.yu.edu by alsys1.aecom.yu.edu with SMTP id AA11373 (5.67b/IDA-1.5/AECOM-RIT for ); Sun, 29 May 1994 01:10:20 -0400
Received: by yu1.yu.edu (AIX 3.2/UCB 5.64/4.03) id AA27969; Sun, 29 May 1994 01:10:06 -0400
Date: Sun, 29 May 1994 01:10:05 -0400 (EDT)
From: Mervyn Frankel
Subject: internet firewalls using cisco routers
To: firewalls@greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I found your address in some correspondences on the cisco@spot.colorado.com list.. Do you have examples of created firewalls?

Merv

From firewalls-owner Sun May 29 17:54:43 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA29361; Sun, 29 May 1994 17:54:43 GMT
Received: from lloyd.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id KAA29355; Sun, 29 May 1994 10:54:33 -0700
Received: from [158.222.2.1] by lloyd.com with smtp (Smail3.1.28.1 #3) id m0q7p5e-000ERyC; Sun, 29 May 94 10:56 PDT
Message-Id:
Date: Sun, 29 May 94 10:56 PDT
X-Sender: brian@harry.lloyd.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: brian@lloyd.com (Brian Lloyd)
Subject: Re: Firewalls Digest V3 #162
Cc: support@lloyd.com
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>From: eric!chris@zebedee.manukau.ac.nz
>Date: Thu, 26 May 94 14:26:54 -1200
>Subject: Can you help me please?
>
>I'm new to the list and quite inexperienced with firewalls and security
>issues as discussed on this list. I'm acting as Systems Administrator at
>the Polytechnic and we have recently attached to the internet. Due to serious
>worries w.r.t. security of our systems I did not attach our network directly
>to the internet. The only 'internet activity' users on our network can
>partake in is email. To do anything else they dial in to zebedee, the system
>connected to the internet. See below.
>
>                        Little bit of ethernet
> ======================================================================
>        |                           |                 with just zebedee and the
>        |                           |                 PC Router.
>        |                           |
> +--------------+            +-----------------------+
> |ZEBEDEE       |            |PC Router with SLIP    |
> |Unix system   |            |link to local          |
> |with dial in  |            |University             |
> |access        |            |                       |
> +--------------+            +-----------------------+
>        ||
>        || UUCP link
>        ||
> +--------------+
> |Unix system   |
> |              |
> |              |
> +--------------+
>        |                                     Big bit of ethernet on
> ======================================================================
>                                              which all our clients live
>
>Presently this seems to work fine, with mail. As our clients are becoming
>more aware of the facilities available to them from the internet I must allow
>them access to the internet from our 'Big bit of ethernet'.
>
>So, the question! Where do I start? Is there any literature I can read that
>will help identify strategies I should adopt? Is there any hardware that I
>should consider purchasing to help me out?
>
>Any comments/ideas/pointers would be very greatly received.
>
>Chris.
>
>+--------------------------------------------------------------+
>| Chris Stott           | Telephone(H): +64 (0)9 266 1169      |
>| Systems Administrator | Telephone(W) DDI: +64 (0)9 273 0734  |
>| Manukau Polytechnic   | Telephone(W): +64 (0)9 274 6009      |
>| Auckland              | Facsimile: +64 (0)9 273 0747         |
>| New Zealand           | Email: chris@manukau.ac.nz           |
>+--------------------------------------------------------------+

I saw your recent posting on the Firewalls mailing list. We (Lloyd Internetworking) do a good bit of this sort of work for schools and companies here in the United States. We even have several clients whom we have never physically seen (all work has been performed via telephone and Internet). We configure their systems remotely. We can do that for you also if you would like. Of course we can do as much or as little as your budget allows.

We are quite experienced with the various toolkits and security tools available to secure those systems that are attached to the Internet. Please let me know if we can help you also.
Brian Lloyd, President
Lloyd Internetworking                      brian@lloyd.com
3031 Alhambra Drive                        (916) 676-1147 - voice
Suite 102                                  (916) 676-3442 - fax
Cameron Park, CA 95682

From firewalls-owner Sun May 29 18:24:24 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id SAA29472; Sun, 29 May 1994 18:24:24 GMT
Received: from lloyd.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id LAA29466; Sun, 29 May 1994 11:24:18 -0700
Received: from [158.222.1.3] by lloyd.com with smtp (Smail3.1.28.1 #3) id m0q7pYV-000ERzC; Sun, 29 May 94 11:25 PDT
Message-Id:
Date: Sun, 29 May 94 11:25 PDT
X-Sender: brian@harry.lloyd.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: brian@lloyd.com (Brian Lloyd)
Subject: Re: Firewalls Digest V3 #162
Cc: support@lloyd.com
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

At 10:56 5/29/94 -0700, Brian Lloyd wrote:
>I saw your recent posting on the Firewalls mailing list. We (Lloyd
>Internetworking) do a good bit of this sort of work for schools and

My humblest apologies for apparently advertising on the list. It was not my intention to do so.

Brent, if you could expunge the message before it hits the digest I would appreciate it.
Brian Lloyd, President
Lloyd Internetworking                      brian@lloyd.com
3031 Alhambra Drive                        (916) 676-1147 - voice
Suite 102                                  (916) 676-3442 - fax
Cameron Park, CA 95682

From firewalls-owner Sun May 29 21:32:31 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA29931; Sun, 29 May 1994 21:32:31 GMT
Received: from alsys1.aecom.yu.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA29924; Sun, 29 May 1994 14:32:22 -0700
Received: from yu1.yu.edu by alsys1.aecom.yu.edu with SMTP id AA24346 (5.67b/IDA-1.5/AECOM-RIT for ); Sun, 29 May 1994 17:33:54 -0400
Received: by yu1.yu.edu (AIX 3.2/UCB 5.64/4.03) id AA12585; Sun, 29 May 1994 17:33:40 -0400
Date: Sun, 29 May 1994 17:33:39 -0400 (EDT)
From: Mervyn Frankel
Subject: Re: access list examples (fwd)
To: firewalls@greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

---------- Forwarded message ----------
Date: Sun, 29 May 1994 11:26:23 -0400 (EDT)
From: Mervyn Frankel
To: Paul Traina
Cc: cisco@spot.colorado.edu, firewals@greatcircle.com, bpinsky@cisco.com
Subject: Re: access list examples

I was able to download acl-examples and passive-ftp. These are programs to be put in effect.. Is there a document to be had that describes what one can do with access lists. At first we want to allow only mail into us and out. We also want to make sure that improper mail is not sent back and forth. Any suggestions and examples would be helpful.

Thanks in advance...
Merv

From firewalls-owner Sun May 29 17:52:33 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id AAA01478; Mon, 30 May 1994 00:47:35 GMT
Received: from mycroft.GreatCircle.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id RAA01470; Sun, 29 May 1994 17:47:29 -0700
Message-Id: <199405300047.RAA01470@mycroft.GreatCircle.COM>
To: Firewalls@GreatCircle.COM
Subject: How to post messages to Firewalls
Date: Sun, 29 May 1994 17:47:28 -0700
From: Brent Chapman
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

There have been a whole lot of people submitting postings for Firewalls to wrong addresses lately. Here's a quick reminder:

Postings (which you want _everybody_ to see) should be sent as messages to "Firewalls@GreatCircle.COM".

Commands (like "subscribe", "unsubscribe", and so forth) should be sent as messages to "Majordomo@GreatCircle.COM".

Anything list-related that doesn't fit those two categories (i.e., questions about list policies, the FTP archives, and so forth), should be sent to "Firewalls-Owner@GreatCircle.COM".
-Brent

--
Brent Chapman            | Great Circle Associates | Call or email for info about
Brent@GreatCircle.COM    | 1057 West Dana Street   | upcoming Internet Security
+1 415 962 0841          | Mountain View, CA 94041 | Firewalls Tutorial dates

From firewalls-owner Mon May 30 15:27:16 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id PAA06187; Mon, 30 May 1994 15:27:16 GMT
Received: from chenas.inria.fr by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id IAA06181; Mon, 30 May 1994 08:27:04 -0700
Received: from ost.fr (orion.ost.fr.38.104.193.in-addr.arpa) by chenas.inria.fr (5.65c8d/92.02.29) via Fnet-EUnet id AA14528; Mon, 30 May 1994 17:28:17 +0200 (MET)
Received: by ost.fr (5.0/SMI-SVR4) id AA02372; Mon, 30 May 1994 17:26:51 --100
Date: Mon, 30 May 1994 17:26:51 --100
From: jle@ost.fr (Jean-Marc LAFAYE)
Message-Id: <9405301526.AA02372@ost.fr>
To: Firewalls@GreatCircle.COM
Subject: TCP-IP suite and Firewalls
X-Sun-Charset: US-ASCII
Content-Length: 884
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hi All,

I'm new to this list and I'm interested in firewalls and security issues because our company -recently attached to the internet- wishes to offer internet services to many people, without damage to our integrity. So, I have to plan the interconnection between a registered network -used to access the internet- and an unregistered one -used for internal purposes, such as text processing or spreadsheets-.

Reading various articles, it seems that firewalls and the TIS toolkit are designed for full-IP networks. Is it right? If the internal network is not based on the TCP/IP suite, does an appropriate gateway ensure good protection? At least, what type of data could I leave on the machine directly attached to the internet? Is there any risk with NIS or DNS databases?

Thanks for any help you may be able to provide.

PS: Apologies for my scholar English :-).
From firewalls-owner Mon May 30 16:43:02 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id QAA06541; Mon, 30 May 1994 16:43:02 GMT
Received: from nic.near.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id JAA06535; Mon, 30 May 1994 09:42:52 -0700
Received: from platinum.near.net by nic.near.net id ab23742; 30 May 94 12:44 EDT
To: Jean-Marc LAFAYE
cc: Firewalls@greatcircle.com
Subject: Re: TCP-IP suite and Firewalls
In-reply-to: Your message of Mon, 30 May 1994 17:26:51. <9405301526.AA02372@ost.fr>
Date: Mon, 30 May 1994 12:43:31 -0400
From: John Curran
Message-ID: <9405301244.ab23742@nic.near.net>
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

--------
] From: Jean-Marc LAFAYE
] Subject: TCP-IP suite and Firewalls
] Date: Mon, 30 May 1994 17:26:51 --100
]
] Hi All,
]
] I'm new to this list and I'm interested in firewalls and security issues
] because our company -recently attached to the internet- wishes to offer
] internet services to many people, without damage to our integrity.
] So, I have to plan the interconnection between a registered network -used to
] access the internet- and an unregistered one -used for internal purposes,
] such as text processing or spreadsheets-.

By "unregistered one", do you mean an IP network number which is not registered to your organization? Using unregistered IP network numbers does nothing to improve your security (i.e. a registered network can be made just as secure as an unregistered one), and creates the very real possibility of future address conflicts when an important external customer/supplier turns out to be assigned the same network....

] Reading various articles, it seems that firewalls and the TIS toolkit are
] designed for full-IP networks. Is it right?

If "full IP" networks means "IP protocol running on both sides", I'd say that that's generally correct about the commercial marketplace.
] If the internal network is not based on the TCP/IP suite, does an appropriate
] gateway ensure good protection?

The fact that the internal network is based on something other than IP does not significantly improve its security. Somewhere, there is a host which is connected to both the internal network and IP; once that host falls, it's generally trivial to move about internally. (unless the internal network protocol is absolutely devoid of functionality... :-)

] At least, what type of data could I leave on the machine directly
] attached to the internet? Is there any risk with NIS or DNS databases?

I would not recommend NIS unless you know someone who believes in secure RPC and has lots of free time. DNS isn't a problem as long as you start with the assumption that such DNS data is visible to the public.

If you're just getting started, you might want to bring in one of the many Internet security consultants to help with your initial configuration.

/John

From firewalls-owner Mon May 30 19:16:52 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA07118; Mon, 30 May 1994 19:16:52 GMT
Received: from vm.gmd.de by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA07112; Mon, 30 May 1994 12:16:44 -0700
Message-Id: <199405301916.MAA07112@mycroft.GreatCircle.COM>
Received: from VM.GMD.DE by vm.gmd.de (IBM VM SMTP V2R2) with BSMTP id 6493; Mon, 30 May 94 21:14:27 +0200
Received: from ESOC.BITNET (NJE origin MAILER@ESOC) by VM.GMD.DE (LMail V1.2a/1.8a) with BSMTP id 3089; Mon, 30 May 1994 21:14:27 +0200
Received: from ESOC (NJE origin RHUNTER@ESOC) by ESOC.BITNET (LMail V1.2a/1.8a) with BSMTP id 9309; Mon, 30 May 1994 21:17:59 -0500
Comments: Converted from PROFS to RFC822 format by PUMP V2.2X
Date: Mon, 30 May 94 21:17:57 EST
From: Ray Hunter ECD
Subject: pointer to info
To:
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Some time back Paul Mauvais (mauvais@llnl.gov) in issue 081 stated that the list of
smart card vendors was almost ready... I seem to have lost the reference for where I can get hold of this. (I did look in the archives but couldn't find it easily)

Can anyone point me at the list? I'm trying to get US email addresses for Digital Pathways & Enigma Logic.

ta,
Ray
______________________RHUNTER@ESOC.BITNET________________________
Ray Hunter: Cray Systems on contract to the European Space Agency
Tel. +49 6151 902953    FAX.+49 6151 902908
Room B107, ESOC, Robert Bosch Strasse 5, 64293 DARMSTADT, Germany

From firewalls-owner Mon May 30 19:55:40 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id TAA07342; Mon, 30 May 1994 19:55:40 GMT
Received: from relay.tis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id MAA07336; Mon, 30 May 1994 12:55:31 -0700
Received: by relay.tis.com id AA27145; Mon, 30 May 94 15:57:24 EDT
Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3mjr) id sma027133; Mon May 30 15:56:54 1994
Received: from otter.tis.com by tis.com (4.1/SUN-5.64) id AA19957; Mon, 30 May 94 15:55:57 EDT
Date: Mon, 30 May 94 15:55:57 EDT
From: Marcus J Ranum
Message-Id: <9405301955.AA19957@tis.com>
To: Firewalls@GreatCircle.COM, RHUNTER%ESOC.BITNET@vm.gmd.de
Subject: Re: pointer to info
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>I'm trying to get US email addresses for Digital Pathways & Enigma Logic.

This is mjr's crypto/authentication hardware address list. The various authentication device makers are near the bottom.

[This list does not imply endorsement of products]

mjr.
---
Mobius Encryption Technologies:
  International Square
  1825 I Street, NW, Suite 400
  Washington, DC 20006
  Tel: (202)429-2079
  Fax: (202)429-9574
  Products:
    FAX encryption
    Encrypting modems (internal for PC)
    Encryption boards (internal for PC)
---
CE Infosys:
  512A Herndon Parkway
  Herndon, VA 22070
  Tel: (703)435-3800
  Fax: (703)435-5129
  Products:
    SuperCrypt DES chip
    CryptLine DES encryptor for SCSI devices
---
Cylink:
  310 N. Mary Ave
  Sunnyvale, CA 94086
  Tel: (408)735-5800
  Fax: (408)720-8294
  Products:
    9600 baud DES modems
    56kb-7.0mbps DES CSU/DSUs
    34mbps-45mbps DES CSU/DSUs
    FAX encryption
---
Fischer International:
  4073 Merchantile Ave
  Naples, FL 33942
  Tel: 1-800-237-4510
  Products:
    PC hard disk DES encryption software
    PC hard disk DES encryption hardware
    LAN monitoring software
---
UsrEZ Software Inc:
  1202 E. Pike St.
  Seattle, WA 98122
  Tel: (206)672-5387
  Products:
    Mac hard disk DES encryption software
---
Microlink Technologies:
  1260 Lake Blvd, Suite 280
  Davis, CA 95616
  Tel: (916)757-1180
  Fax: (916)757-6314
  Products:
    UNIX hard disk encryption (Sun, ULTRIX)
    PC hard disk encryption
    VMS hard disk encryption
---
Digital Pathways
  201 Ravendale Drive
  Mountain View, CA 94043
  Tel: (415) 964-0707
  Fax: (415) 961-7487
  Products:
    handheld authentication calculators (SNK004)
    serial line auth interruptors (guardian)
---
Security Dynamics
  One Alewife Center
  Cambridge, MA 02140
  Tel: (617) 547-7820
  Fax: (617) 354-8836
  Products:
    SecurID changing number authentication card
    ACE server software
---
Racal Guardata
  480 Spring park place
  Herndon, VA 22070
  Tel: 1-800-521-6261 ext 217
  Products:
    Watchword authentication calculator
    Encrypting modems
    Terminal servers
---
Enigma Logic, Inc
  2151 Salvio St, Ste. 301
  Concord, CA 94520
  Tel: (510)827-5707
  Fax: (510)827-2593
  Products:
    DES Silver card authentication calculator
    SafeWord Multisync card authentication calculator
---
Semaphore Communications Corporation
  2040 Martin Ave
  Santa Clara, CA 95050
  Tel: (408)980-7750
  Fax: (408)980-7769

From firewalls-owner Mon May 30 21:30:00 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA08067; Mon, 30 May 1994 21:30:00 GMT
Received: from mycroft.GreatCircle.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA08059; Mon, 30 May 1994 14:29:53 -0700
Message-Id: <199405302129.OAA08059@mycroft.GreatCircle.COM>
To: brian@lloyd.com (Brian Lloyd)
cc: Firewalls@GreatCircle.COM, support@lloyd.com
Subject: Re: Firewalls Digest V3 #162
In-reply-to: Your message of Sun, 29 May 94 11:25 PDT
Date: Mon, 30 May 1994 14:29:52 -0700
From: Brent Chapman
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

brian@lloyd.com (Brian Lloyd) writes:
# At 10:56 5/29/94 -0700, Brian Lloyd wrote:
# >I saw your recent posting on the Firewalls mailing list. We (Lloyd
# >Internetworking) do a good bit of this sort of work for schools and
#
# My humblest apologies for apparently advertising on the list. It was not
# my intention to do so.
#
# Brent, if you could expunge the message before it hits the digest I would
# appreciate it.

Sorry, I missed it. I don't think anybody really minded, since it was clearly a slip of the "reply" function and not something really intended for posting to Firewalls.

In general, my policy is to only remove messages from the archives when there is some legal or ethical reason to do so. I've only ever deleted one message from the Firewalls archive: a cracking tool that someone posted before the "no posting of cracking tool source code" policy was clearly stated. And please, this message is NOT an invitation to reopen that debate.
-Brent

--
Brent Chapman            | Great Circle Associates | Call or email for info about
Brent@GreatCircle.COM    | 1057 West Dana Street   | upcoming Internet Security
+1 415 962 0841          | Mountain View, CA 94041 | Firewalls Tutorial dates

From firewalls-owner Tue May 31 14:20:02 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA12790; Tue, 31 May 1994 14:20:02 GMT
Received: from relay.tandy.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id HAA12782; Tue, 31 May 1994 07:19:39 -0700
Received: from tcgw.tandy.com by relay.tandy.com (5.65/3.1.090690) id AA14548; Tue, 31 May 94 09:13:52 -0500
Received: from abacus.tis.tandy.com by tcgw.tandy.com (5.65/3.1.090690) id AA29019; Tue, 31 May 94 09:12:01 -0500
Received: by abacus.tis.tandy.com (931110.SGI/930416.SGI) for firewalls@GreatCircle.COM id AA24631; Tue, 31 May 94 09:11:28 -0500
From: criney1@abacus.tis.tandy.com (Chris Riney)
Message-Id: <9405311411.AA24631@abacus.tis.tandy.com>
Subject: Re: Cisco software update?
To: an35331@anon.penet.fi
Date: Tue, 31 May 1994 09:11:27 -0500 (CDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9405280750.AA01768@anon.penet.fi> from "an35331@anon.penet.fi" at May 28, 94 07:50:27 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1138
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>
> Hi, it's me, the paranoid one again.
>
> If memory serves, I believe a Cisco employee had let it be known that
> Cisco was planning on upgrading their router software to include
> source port based filtering, and if I rightly recall, this was
> supposed to happen early this year.
>
> Does anybody have the latest status of this tidbit? I'm keen to get
> it installed.
>
> -------------------------------------------------------------------------
> To find out more about the anon service, send mail to help@anon.penet.fi.
> Due to the double-blind, any mail replies to this message will be anonymized,
> and an anonymous id will be allocated automatically. You have been warned.
> Please report any problems, inappropriate use etc. to admin@anon.penet.fi.
>

I seem to recall a CISCO rep stating something similar at the USENIX security conference back in October in San Francisco.

---
Chris Riney                         E-mail: chris@sasoom.tis.tandy.com
Tandy Information Services                  chris.riney@tandy.com
Tandy Technology Sqr, Suite 200
Fort Worth, TX 76102                Phone: 817/878-0308; 8:00am-5:00pm CST,Mo-Fr

From firewalls-owner Tue May 31 20:24:05 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA15325; Tue, 31 May 1994 20:24:05 GMT
Received: from longbow.usace.mil by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA15319; Tue, 31 May 1994 13:23:59 -0700
Received: from tabarzin.usace.mil by longbow.usace.mil (4.0/SMI-4.0(USACE 2.0)) id AA00308; Tue, 31 May 94 13:25:03 PDT
Received: by tabarzin.usace.mil (4.0/SMI-4.0(SPK MX)) id AA02466; Tue, 31 May 94 13:25:01 PDT
Date: Tue, 31 May 94 13:25:01 PDT
From: pace@usace.mil (Joe Pace)
Message-Id: <9405312025.AA02466@tabarzin.usace.mil>
To: firewalls@GreatCircle.COM
Subject: Re: Cisco software update?
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> Hi, it's me, the paranoid one again.
>
> If memory serves, I believe a Cisco employee had let it be known that
> Cisco was planning on upgrading their router software to include
> source port based filtering, and if I rightly recall, this was
> supposed to happen early this year.
>
> Does anybody have the latest status of this tidbit? I'm keen to get
> it installed.

Yes, it's available -- I think it's 9.1.2, but not sure of the numbers.. they also have a newer release for Cisco 7000 users that has some nice features.
Joe

From firewalls-owner Tue May 31 20:30:51 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id UAA15397; Tue, 31 May 1994 20:30:51 GMT
Received: from mycroft.GreatCircle.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id NAA15383; Tue, 31 May 1994 13:30:42 -0700
Message-Id: <199405312030.NAA15383@mycroft.GreatCircle.COM>
To: pace@usace.mil (Joe Pace)
cc: firewalls@GreatCircle.COM
Subject: Re: Cisco software update?
In-reply-to: Your message of Tue, 31 May 94 13:25:01 PDT
Date: Tue, 31 May 1994 13:30:40 -0700
From: Brent Chapman
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

pace@usace.mil (Joe Pace) writes:
# > Hi, it's me, the paranoid one again.
# >
# > If memory serves, I believe a Cisco employee had let it be known that
# > Cisco was planning on upgrading their router software to include
# > source port based filtering, and if I rightly recall, this was
# > supposed to happen early this year.
# >
# > Does anybody have the latest status of this tidbit? I'm keen to get
# > it installed.
#
# Yes, it's available -- I think it's 9.1.2, but not sure of the numbers..
# they also have a newer release for Cisco 7000 users that has some nice
# features.
#
# Joe

I'm pretty sure this is incorrect. 9.1.2 (I think; it was _some_ recent Cisco release) includes filters on inbound interfaces, but NOT source port filtering. I'd love to be proven wrong, though; source port filtering is the last major missing feature in Cisco's packet filtering.
-Brent

--
Brent Chapman            | Great Circle Associates | Call or email for info about
Brent@GreatCircle.COM    | 1057 West Dana Street   | upcoming Internet Security
+1 415 962 0841          | Mountain View, CA 94041 | Firewalls Tutorial dates

From firewalls-owner Tue May 31 21:37:30 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA15852; Tue, 31 May 1994 21:37:30 GMT
Received: from large.cisco.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA15846; Tue, 31 May 1994 14:37:22 -0700
Received: from localhost.cisco.com by large.cisco.com (8.6.8+c/CISCO.SERVER.1.1) with SMTP id OAA08469; Tue, 31 May 1994 14:38:32 -0700
Message-Id: <199405312138.OAA08469@large.cisco.com>
X-Authentication-Warning: large.cisco.com: Host localhost.cisco.com didn't use HELO protocol
To: Brent Chapman
Cc: pace@usace.mil (Joe Pace), firewalls@GreatCircle.COM
Subject: Re: Cisco software update?
In-Reply-To: Your message of "Tue, 31 May 1994 13:30:40 PDT." <199405312030.NAA15383@mycroft.GreatCircle.COM>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 31 May 1994 14:38:32 -0700
From: David Carrel
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> I'd love to be proven wrong, though; source port filtering is the last
> major missing feature in Cisco's packet filtering.

Brent, honestly, why do you think that source port filtering is important? (I am asking quite seriously.) We have looked at the issue many times and always come up deciding that adding source ports to filters adds risks but adds no real security. Recently, I have had some long rounds of discussions on this topic. I have yet to be convinced, but I am always open. My concept of firewall design has no need for source port filtering. In fact, I can see no way to use them securely.
Generally when people talk to me about source ports, they are interested in a way to allow standard outbound ftp traffic (initiated inside their net) without allowing inbound TCP connections (used for the data channel) on all destination ports greater than 1024. The problem is that you have no control of machines outside of your net and what software can be run on them. So to allow inbound connections from source port 20 (ftp-data) to any destination port > 1024 is equivalent to just allowing any connection to a destination port > 1024 with some "security through obscurity" tossed in. It's trivial for me to change my telnet program to always use source port 20. The right solution for ftp traffic is to use an ftp client with the PASV patches or to use some form of proxy agent.

I know that ftp is only one example, but it is the most common one due to the nature of the program. Other examples that I am aware of fall into the same trust model. If you can't trust the information, how can you use it as a basis for your security model?

Dave

----------------------------------------------------------------------------
David Carrel                            | E-mail: carrel@cisco.com
Security Development, cisco Systems     | phone: (415) 324-5207
P.O. Box 3075, 1525 O'Brien Dr.         | fax: (415) 428-5080
Menlo Park, Ca, 94025-1435              |
----------------------------------------------------------------------------

From firewalls-owner Tue May 31 21:45:38 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id VAA15894; Tue, 31 May 1994 21:45:38 GMT
Received: from runix.runit.sintef.no by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103) id OAA15888; Tue, 31 May 1994 14:45:19 -0700
Received: from runit.sintef.no by runix.runit.sintef.no id <26813-0@runix.runit.sintef.no>; Tue, 31 May 1994 23:46:31 +0200
Date: Tue, 31 May 1994 23:46:28 +0200 (MET DST)
From: Steinar Haug
Subject: Re: Cisco software update?
To: firewalls@greatcircle.com
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> # Yes, it's available -- I think it's 9.1.2, but not sure of the numbers..
> # they also have a newer release for Cisco 7000 users that has some nice
> # features.
>
> I'm pretty sure this is incorrect. 9.1.2 (I think; it was _some_
> recent Cisco release) includes filters on inbound interfaces, but NOT
> source port filtering.

We run 9.21 on several of our routers. As far as I know this is the newest official release, though 10.0 is supposed to be just around the corner. 9.21 does *not* have source port filtering.

Steinar Haug, SINTEF RUNIT, University of Trondheim, NORWAY
Email: Steinar.Haug@runit.sintef.no
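A worked illustration of the source-port argument in David Carrel's message above (added here; it is not part of the original thread and models no particular router): a stateless filter that trusts the remote source port is compared with a connection tracker that only admits replies to connections the inside opened, which is what a PASV ftp client or a proxy needs. The Rule and Packet shapes, the ConnectionTracker and all port numbers are constructed for the example.

```python
# Added illustration (not part of the original thread) of the source-port
# argument in David Carrel's message: a stateless filter that trusts the
# remote source port, beside a connection tracker that only admits replies
# to connections the inside opened. All packets are constructed samples.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the Internet, "out" = leaving
    src_port: int
    dst_port: int
    syn: bool        # SYN set: this segment is opening a connection
    ack: bool


@dataclass(frozen=True)
class Rule:
    direction: str
    src_port: object  # int, "any", or ("gt", n) for "greater than n"
    dst_port: object
    action: str       # "permit" or "deny"


def _port_matches(spec, port):
    if spec == "any":
        return True
    if isinstance(spec, tuple):
        op, n = spec
        return port > n if op == "gt" else port == n
    return spec == port


def stateless_filter(rules, pkt):
    """First matching rule wins; anything unmatched is denied (the usual
    access-list semantics)."""
    for r in rules:
        if (r.direction == pkt.direction
                and _port_matches(r.src_port, pkt.src_port)
                and _port_matches(r.dst_port, pkt.dst_port)):
            return r.action
    return "deny"


# The rule people ask for: let the remote ftp-data side (source port 20)
# open the data connection back to any unprivileged port inside.
FTP_DATA_RULES = [
    Rule("out", "any", "any", "permit"),
    Rule("in", 20, ("gt", 1024), "permit"),
]


def reachable_from_outside(rules, dst_ports):
    """Destination ports an outsider can open a connection to, given that
    the outsider picks its own source port (here: the trusted 20)."""
    return {d for d in dst_ports
            if stateless_filter(rules, Packet("in", 20, d, True, False)) == "permit"}


class ConnectionTracker:
    """Constructed stand-in for a stateful filter (not a model of any
    product): inbound segments are admitted only if they answer a
    connection an internal host opened, which is all PASV ftp needs."""

    def __init__(self):
        self.opened = set()  # (internal_port, external_port)

    def decide(self, pkt):
        if pkt.direction == "out":
            if pkt.syn and not pkt.ack:
                self.opened.add((pkt.src_port, pkt.dst_port))
            return "permit"
        unsolicited_open = pkt.syn and not pkt.ack
        if (pkt.dst_port, pkt.src_port) in self.opened and not unsolicited_open:
            return "permit"
        return "deny"


def demo():
    # 1. Every high port (2049 NFS, 6000 X11, ...) is reachable by an
    #    outsider who simply sends from source port 20 ...
    high_ports = {1025, 2049, 6000, 8080}
    reached = reachable_from_outside(FTP_DATA_RULES, high_ports)
    # 2. ... while the same connection from an ordinary ephemeral source
    #    port is refused: the only "protection" is the obscurity of 20.
    ordinary = stateless_filter(FTP_DATA_RULES, Packet("in", 40000, 6000, True, False))
    # 3. With PASV the client opens both channels outbound; the tracker
    #    admits the server's SYN/ACK and still refuses an unsolicited
    #    SYN to port 6000, even one sent from source port 20.
    t = ConnectionTracker()
    t.decide(Packet("out", 35000, 21, True, False))      # control channel
    t.decide(Packet("out", 35001, 49152, True, False))   # PASV data channel
    reply = t.decide(Packet("in", 49152, 35001, True, True))
    unsolicited = t.decide(Packet("in", 20, 6000, True, False))
    return reached == high_ports, ordinary, reply, unsolicited


if __name__ == "__main__":
    print(demo())  # (True, 'deny', 'permit', 'deny')
```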