From firewalls-owner Wed Aug 31 17:31:34 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id UAA25194; Wed, 31 Aug 1994 20:43:29 GMT
Received: from oxygen.house.gov by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA25188; Wed, 31 Aug 1994 13:43:19 -0700
Received: by oxygen.house.gov (AIX 3.2/UCB 5.64/3.2.083191-) id AA17451; Wed, 31 Aug 1994 16:47:18 -0400
Date: Wed, 31 Aug 1994 16:47:18 -0400
From: johns@oxygen.house.gov (John Schnizlein)
Message-Id: <9408312047.AA17451@oxygen.house.gov>
To: firewalls@GreatCircle.com
Subject: Network Security consultants for Microsoft Windows NT
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Some time ago (August 4) I solicited leads for Windows NT network security consulting. Now I am fulfilling my promise to summarize the replies. Note that there is no endorsement implied. I cannot even say if we followed up on any of these leads ourselves. :-)

-- John

Eugene Schultz & Associates, which specializes in commercial operational security issues, offers NT consulting services. 510-606-9875.
    Philip R. Moyer, prm@netcom.com
    Managing Partner, Eugene Schultz & Associates

Bernie.Manderville@inet.com has been through the Redmond Wringer for NT, and has a good deal of experience with it. He's in Bethesda, MD.

Larry Avidan, +33 1 43 29 53 74 or +33 09 11 89 10. He is based in Paris, but I think the company is US based. He specialises in all aspects of Windows NT and NTAS.

Peter Davis+Associates is an alliance of former "Big Few" consultants. Our associates were either Principals or Senior Managers at Ernst & Young, Peats or Coopers & Lybrand. We have experience in security and audit for most LAN platforms, including LAN Server, LAN Manager, NetWare, AppleShare and UNIX.
    From: "Peter T. Davis" <72734.36@compuserve.com>

I am very interested. NT Advanced Server is my life. Although probably not important, I am a MS Certified Systems Engineer.
I have access to the folks at MS that build probably the first NT web. I have done some Unix to NT porting. I expect to do much more.

    Gregg Rosenberg                      | Consulting Service
    Director of Systems and Technology   | Education / Training
    Applied Computer Services            | Demand Printing Service
    gregg@acsil.com                      | Graphics Arts Service

From firewalls-owner Wed Aug 31 17:45:23 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id WAA26106; Wed, 31 Aug 1994 22:31:11 GMT
Received: from gatekeeper.es.dupont.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id PAA26094; Wed, 31 Aug 1994 15:30:47 -0700
Received: by gatekeeper.es.dupont.com; id AA21184; Wed, 31 Aug 94 18:35:20 -0400
Received: by esds01.es.dupont.com; id AA14847; Wed, 31 Aug 94 18:02:15 -0400
Message-Id: <9408312202.AA14847@esds01.es.dupont.com>
Received: from esvax.dnet; by esds01.dnet; Wed, 31 Aug 94 18:05:17 EDT
Date: Wed, 31 Aug 94 18:05:17 EDT
From: David Pensak E-328/104 695-3650
To: tjk@nuxi.ucc.nau.edu
Cc: firewalls@greatcircle.com
Apparently-To: firewalls@greatcircle.com, tjk@nuxi.ucc.nau.edu
Subject: RE: Eagle software from Concorde
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

The Eagle is a product of Raptor Systems Inc, not Concorde.
Vendor information is available from ftp.delmarva.com via ftp as /pub/raptor/Eagle.manual.ps.z and /pub/security/gentle.ps.Z. The corporate phone number is (302)-996-3331.

From firewalls-owner Wed Aug 31 18:17:41 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id WAA26033; Wed, 31 Aug 1994 22:25:09 GMT
Received: from mail.unet.umn.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id PAA26025; Wed, 31 Aug 1994 15:24:59 -0700
Received: from nic (nic.state.mn.us) by mail.unet.umn.edu (5.65c) id AA26017; Wed, 31 Aug 1994 17:02:47 -0500
Received: from dor10.mdor.state.mn.us by nic (4.1/) id AA17898; Wed, 31 Aug 94 17:02:47 CDT
Received: from DOR10/MAILQUEUE by dor10.mdor.state.mn.us (Mercury 1.11); Wed, 31 Aug 94 16:53:53 GMT+5
Received: from MAILQUEUE by DOR10 (Mercury 1.11); Wed, 31 Aug 94 16:53:25 GMT+5
From: "Steve Moubray"
To: Firewalls@greatcircle.com
Date: Wed, 31 Aug 1994 16:53:24 CST6CDT
Subject: Re: Novel (yuck!) security ??
Priority: normal
X-Mailer: Pegasus Mail/Windows (v1.11a)
Message-Id:
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

There are some protocol issues when using Novell on WANs, but I've heard of very few security issues. Novell 4.x seems to be extremely secure, and although I'm not a hacker, the ones that I've known well (some of them have been arrested for hacking) were never very successful bypassing NetWare security. They bragged about many UNIX operating systems, a few IBM mainframes and MAC networks but never bragged about Novell exploits. Even when I asked they didn't seem to like it much.

You can run TCP/IP on your Novell LAN and skip IPX, but that is new technology and I don't know anyone that has installed it in a large environment.

The Novell server can be used as the Internet router, but it won't provide any packet filtering, you won't be able to block certain addresses or ports, and you can't use it for any kind of a firewall.

To sum it all up.
I like Novell, I've used it for years and I believe that it's very secure, but a good UNIX box or a dedicated router is a better solution for an Internet connection.

Steve Moubray
(612) 296-2991
e-mail: steve.moubray@state.mn.us
Minnesota Department of Revenue
10 River Park Plaza
St. Paul, MN 55146-7120

From firewalls-owner Wed Aug 31 18:25:46 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id XAA26645; Wed, 31 Aug 1994 23:20:44 GMT
Received: from research.att.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA26639; Wed, 31 Aug 1994 16:20:38 -0700
From: smb@research.att.com
Message-Id: <199408312320.QAA26639@mycroft.GreatCircle.COM>
Received: by gryphon; Wed Aug 31 19:22:22 EDT 1994
To: RAS@cacdvax.cacd.rockwell.com
cc: firewalls@GreatCircle.COM, Larry_Chin@cchtor.ca.cch.com
Subject: Re: Proposed Firewall Configuration
Date: Wed, 31 Aug 94 19:22:21 EDT
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> We thought that connecting each bastion host to the perimeter network via a bridge would limit the traffic that could be sniffed to just the traffic exchanged by the bastion host. For example, if an intruder captured the anonymous ftp bastion host and installed a sniffer, the intruder would not be able to capture any SMTP traffic (which is handled by a different bastion host). We believe the bridges to be sufficient for this purpose and do not understand how adding an additional router on the perimeter network would achieve the same effect.

Such bridges are a good idea. Another possibility is to use a ``smart'' 10BaseT hub.
From firewalls-owner Wed Aug 31 18:29:07 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id XAA26888; Wed, 31 Aug 1994 23:58:59 GMT
Received: from rockall.qdeck.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA26880; Wed, 31 Aug 1994 16:58:45 -0700
Received: from ccmail-gateway.qdeck.com by rockall.qdeck.com (4.1/SMI-4.1) id AA26920; Wed, 31 Aug 94 16:58:55 PDT
Received: from cc:Mail by ccmail-gateway.qdeck.com (1.30/SMTPLink) id A24444; Wed, 31 Aug 94 17:07:06 PDT
Date: Wed, 31 Aug 94 17:07:06 PDT
From: Ken Beames
Message-Id: <9408311707.A24444@ccmail-gateway.qdeck.com>
To: mjs@tiaa.org, firewalls@GreatCircle.COM
Subject: Re: I hate DNS...
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

But mostly only because I don't fully understand it.

What I want to do is set up to do as Brent and others recommend: bastion host lies like hell, but is authoritative for the domain; establishes MX records to forward everything for the domain to the "inside"; provides bogus, but sufficient, information for A and PTR records (so I can still use e.g., ftp.uu.net). Does anyone have a template they can mail to me, or is there an example available via ftp somewhere?!?

Thanks,
Marty
--
Marty Shannon            | SunOS System Administrator         | You can't borrow
TIAA-CREF 3rd Floor      | SVR3 System Administrator          | enough to make
730 3rd Avenue           | UUCP Guru (Don't Tell!)            | me do Windows!
New York City, NY 10017  | Solaris System Administrator, too! | NYAH!
---------------------======================

Grab the O'Reilly book on DNS and BIND.
What I did was build a table of all possible hosts (class B network; write a program to generate it):

    host-0.0    IN A    149.17.0.0
    host-0.1    IN A    149.17.0.1
    host-0.2    IN A    149.17.0.2
    host-0.3    IN A    149.17.0.3
    host-0.4    IN A    149.17.0.4
    host-0.5    IN A    149.17.0.5
    host-0.6    IN A    149.17.0.6
    host-0.7    IN A    149.17.0.7
    host-0.8    IN A    149.17.0.8
    host-0.9    IN A    149.17.0.9

These are basically bogus answers; we have different host names for these addresses inside, but the world doesn't know that, and wouldn't care.

Hope it helps.
-Ken.

Ken Beames
Quarterdeck Office Systems
beames@qdeck.com

From firewalls-owner Wed Aug 31 19:28:42 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id CAA27851; Thu, 1 Sep 1994 02:06:50 GMT
Received: from subasic.sciatl.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id TAA27839; Wed, 31 Aug 1994 19:06:38 -0700
Received: from ss4.sciatl.com ([192.133.150.135]) by subasic.sciatl.com (4.1/3.1.012693-Scientific Atlanta-SubAsic_Engineering); id AA27270 for Firewalls@GreatCircle.COM; Wed, 31 Aug 94 22:11:05 EDT
Received: by ss4.sciatl.com (4.1/SMI-4.1) id AA01820; Wed, 31 Aug 94 22:11:19 EDT
Date: Wed, 31 Aug 1994 22:11:18 -0400 (EDT)
From: Rodney
Subject: Re: Novel (yuck!) security ??
To: Steve Moubray
Cc: Firewalls@GreatCircle.COM
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Novell has implemented TCP/IP, but it will not work with a lot of Unix systems. We had to give up on using TCP/IP on Novell. I would not trust a Novell server on the Internet. When Novell fixes TCP/IP I will take a second look at it, but not for Internet access.
rodney

From firewalls-owner Wed Aug 31 20:28:51 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id DAA28430; Thu, 1 Sep 1994 03:19:52 GMT
Received: from acad3.alaska.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id UAA28411; Wed, 31 Aug 1994 20:19:34 -0700
From: FTGAB@aurora.alaska.edu
Received: from mr.alaska.edu by aurora.alaska.edu (PMDF V4.3-8 #6358) id <01HGKJJQNSUOAFXPNV@aurora.alaska.edu>; Wed, 31 Aug 1994 19:23:45 -0800
Received: with PMDF-MR; Wed, 31 Aug 1994 19:23:36 -0800
MR-Received: by mta ACAD3A; Relayed; Wed, 31 Aug 1994 19:23:36 -0800
Date: Wed, 31 Aug 1994 19:23:36 -0800
Subject: Kerberos software
To: firewalls@greatcircle.com
Message-id: <01HGKJJRW9XYAFXPNV@mr.alaska.edu>
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
Content-transfer-encoding: 7BIT
X400-MTS-identifier: [;63329113804991/4538190@ACAD3A]
Hop-count: 1
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Sorry to diverge ... is this the right place to ask about Kerberos software? As to where I can find it, and what the pros and cons might be as to using it on an educational site network between the local LAN and WAN/Internet connection ... specifically, I am Macintosh based on the LAN and the WAN is an IBM AIX box at the moment. Any help would be appreciated ...
Thanks

From firewalls-owner Wed Aug 31 21:05:09 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id DAA28405; Thu, 1 Sep 1994 03:18:48 GMT
Received: from vgr.arl.mil by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id UAA28398; Wed, 31 Aug 1994 20:18:28 -0700
Date: Thu, 1 Sep 94 3:19:40 GMT
From: Doug Gwyn (ACISD/MCSB)
To: Mike Muuss
cc: "Esh, Andrew" , Firewalls@greatcircle.com, Shirl@ARL.MIL, CSWG@ARL.MIL
Subject: Re: "Firewalls are Bad"
Message-ID: <9409010319.aa14361@VGR.ARL.MIL>
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I think firewalls are fairly convenient ways to apply a "quick fix" while better forms of network security are devised. The fundamental problem with firewalls is that they do not have access to all the information necessary to determine what is safe to pass and what is not. There are many forms of inter-host "trust" performed at various levels in the protocol stack, including end user, and the firewall system cannot possibly evaluate all packets against the higher levels of trust. Consequently the firewall is instructed to apply relatively dumb rules to filter packets.

If the filtering at that level is going to be really secure, it will also (as you said) interfere with legitimate services; conversely if it is to allow all legitimate services, it will have to leave higher levels of security open to possible intrusion.

I don't think the current suite of Internet protocols is anywhere near as secure as it ought to be (without losing legitimate services), however. It is horrible that IP addresses cannot be trusted. There needs to be foolproof authentication of *some* sort at these lower levels, if we are not going to have to implement security policies within nearly *every* protocol built on top of IP. On the other hand, since there can be a security hole at any level, it would appear that every protocol that matters *will* need to perform its own authentication anyway.
Some of us in MCSB have been conducting research in this area and have devised a fairly general yet simple authentication scheme which could feasibly be implemented in a general program support library.

From firewalls-owner Wed Aug 31 22:29:00 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id FAA29158; Thu, 1 Sep 1994 05:20:47 GMT
Received: from gatekeeper.wellsfargo.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id WAA29152; Wed, 31 Aug 1994 22:20:39 -0700
Received: by gatekeeper.wellsfargo.com; id AA01071; Wed, 31 Aug 1994 22:26:54 -0700
Received: from (by rurapenthe.ipd.wellsfargo.com (8.6.9/8.6.9) with ESMTP id WAA16815; Wed, 31 Aug 1994 22:25:05 -0700
Message-Id: <199409010525.WAA16815@rurapenthe.ipd.wellsfargo.com>
To: FTGAB@aurora.alaska.edu
Cc: firewalls@greatcircle.com
Subject: Re: Kerberos software
In-Reply-To: Your message of "Wed, 31 Aug 1994 19:23:36 -0800." <01HGKJJRW9XYAFXPNV@mr.alaska.edu>
Date: Wed, 31 Aug 1994 22:25:04 -0700
From: Ted Lemon
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Kerberos software is available from athena-dist.mit.edu under pub/kerberos. You have to grab the README file - you won't find it from just poking around.

The technology is good, but I've yet to see any good guides to how to use it well and securely other than a bunch of random Usenix papers and the like. The book market is really crying for a tome that collects together enough information to help a new site use it wisely.
_MelloN_

From firewalls-owner Thu Sep 1 04:47:17 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA29757; Thu, 1 Sep 1994 07:27:14 GMT
Received: from miriworld.its.unimelb.edu.au by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id AAA29751; Thu, 1 Sep 1994 00:27:05 -0700
Received: (from danny@localhost) by miriworld.its.unimelb.edu.au (8.6.9/8.6.9) id RAA00795; Thu, 1 Sep 1994 17:30:48 +1000
Date: Thu, 1 Sep 1994 17:30:47 +1000 (EST)
From: "Daniel O'Callaghan"
Subject: Re: I hate DNS...
To: Ken Beames
cc: mjs@tiaa.org, firewalls@GreatCircle.COM
In-Reply-To: <9408311707.A24444@ccmail-gateway.qdeck.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

On Wed, 31 Aug 1994, Ken Beames wrote:

> is set up to do as Brent and others recommend: bastion host lies like
> hell, but is authoritative for the domain; establishes MX records to
> forward everything for the domain to the "inside"; provides bogus, but
> sufficient, information for A and PTR records (so I can still use e.g.,
> ftp.uu.net). Does anyone have a template they can mail to me, or is
> there an example available via ftp somewhere?!?

For the mail bit, start by reading Sendmail.cf which comes with sendmail 8.6.9. I noticed the other day the following macro:

    # if we are the best MX host for a site, try it directly instead of
    # config err
    OwFalse

Set it to true, then put in DNS:

    site.com.au.            IN  A       123.24.43.665
                            IN  MX  10  bastion.site.com.au.
    mailhost.site.com.au.   IN  A       123.24.43.665
    bastion.site.com.au.    IN  A       123.24.43.667

Plus all the rest.... I have not tested it... been too busy, but I intend to.
Danny

From firewalls-owner Thu Sep 1 06:29:20 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA01593; Thu, 1 Sep 1994 12:59:47 GMT
Received: from bcm.tmc.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id FAA01587; Thu, 1 Sep 1994 05:59:37 -0700
Received: from msmail-gw.tmh.tmc.edu (msmail-gw.tmh.tmc.edu [128.249.14.129]) by bcm.tmc.edu (8.6.9/8.6.6) with SMTP id IAA22534 for ; Thu, 1 Sep 1994 08:04:35 -0500
Received: by msmail-gw.tmh.tmc.edu with Microsoft Mail id <2E65D191@msmail-gw.tmh.tmc.edu>; Thu, 01 Sep 94 08:05:21 CDT
From: "Vegsund, Richard"
To: Firewall Mailing List
Subject: FW: Are we amusing?
Date: Thu, 01 Sep 94 08:05:00 CDT
Message-ID: <2E65D191@msmail-gw.tmh.tmc.edu>
Encoding: 65 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I have been following this for several days now. Let me give an example from our location that will show why a firewall is a good thing to have. I work at a large hospital in Houston, and before we connect to the Internet, we are designing a firewall and all workstation level security. Looking just at the Internet for starters, what would happen if an attacker entered our network and started changing patient data such as blood type, rooms, medications, etc.? Now, you tell me - which is more important, the need to run Mosaic (which can be done through a firewall) for some users, or keeping the information correct about the patients? Yes, I realize there are internal threats, but that is not a firewall issue.

----------
From: firewalls-owner
To: Firewalls
Subject: Re: Are we amusing?
Date: Wednesday, August 31, 1994 4:08AM

At 2:34 PM 8/30/94, Esh, Andrew wrote:
> which are just as capable of a denial-of-service attack as any hacker is.
> Once security is obtained, further efforts to provide or restore access
> to the network are not pursued, in the name of "security".
> Paths to petty
> tyranny lead in many directions from this point, with the system
> administrator (and the network policy wonks behind him/her) as the prime
> suspects.

I suspect this depends heavily on your definition of "service." Is it a "denial of service" if the firewall doesn't let you use the golly-gee-wiz-neato new net toy that is currently all the rage? It rests on the question of what the needs of the site are (which don't always match with the wants of the user). Some sites have a strong need for security, because the potential damage from an intruder is greater than the potential benefit of having an open firewall that is user-friendly. Other sites don't. If you think your site should be more open, demonstrate the benefits of such a policy to the powers-that-be, be they managers, provosts, or the board of directors of an organization.

> Do not misunderstand me. I am not denouncing firewalls, just their
> misuse. In fact, due to my personal (negative) experiences with them, I
> plan to become a great deal more educated in their use. My hope is to aid
> the design of better ones which provide both security AND common user
> access. I feel we must guard against the mindset that security is worth
> (even partial) denial of access. We must also guard against becoming

You are making sweeping generalizations that may not be true of places other than your site. In some cases, security is worth limiting access, and taking a "that which isn't explicitly allowed is disallowed" attitude. In some cases, it isn't.

There is, of course, always the option of seeking out your own connection to the Internet, and setting your own policy.

Bob
--
Bob Snyder N2KGO                MIME, PGP, RIPEM mail accepted
snyderra@post.drexel.edu        PGP & RIPEM keys on key servers
When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl.
From firewalls-owner Thu Sep 1 07:14:08 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA01633; Thu, 1 Sep 1994 13:01:25 GMT
Received: from PCC.SSW.DHHS.GOV by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id GAA01622; Thu, 1 Sep 1994 06:01:15 -0700
Received: from PHSATL.SSW.DHHS.GOV by PCC.SSW.DHHS.GOV (Soft-Switch Central V4L380P3); 01 Sep 1994 09:02:09 GMT
Message-Id:
Date: 01 Sep 1994 09:02:09 GMT
From: "Kenneth Aveirls"
Subject: Novell Security
To: FIREWALLS@GREATCIRCLE.COM
Comment: MEMO 09/01/94 09:01:00
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hi Ya! Been listenin to all the talk bout Novell (TCP/IP and security). Well, I am using TCP/IP from Novell and have not encountered any problems (knock on wood). I have a 3COM NetBuilder II router that I use for packet and address filtering.

In the arena of security, NetWare 3.12 comes with a gizmo called "NCP Packet Signature". This feature is designed to protect the LAN from experienced hackers who forge data packets or pose as unauthenticated clients -- NetWare Incognito. As I said earlier, I haven't encountered any problems yet.

kaveirls@phsatl.ssw.dhhs.gov

From firewalls-owner Thu Sep 1 07:31:35 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA01671; Thu, 1 Sep 1994 13:10:17 GMT
Received: from norge.unet.umn.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id GAA01665; Thu, 1 Sep 1994 06:10:10 -0700
Received: by norge.unet.umn.edu (5.65c) id AA21371; Thu, 1 Sep 1994 08:15:08 -0500
Date: Thu, 1 Sep 1994 08:15:08 -0500
From: "Craig A. Finseth"
Message-Id: <199409011315.AA21371@norge.unet.umn.edu>
To: SMOUBRAY@dor10.mdor.state.mn.us
Cc: Firewalls@greatcircle.com
In-Reply-To: "Steve Moubray"'s message of Wed, 31 Aug 1994 16:53:24 CST6CDT
Subject: Novel (yuck!) security ??
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

...
> There are some protocol issues when using Novell on WANs but I've heard
> of very few security issues. Novell 4.x seems to be extremely secure and
> although I'm not a hacker, the ones that I've known well (some of them
> have been arrested for hacking) were never very successful bypassing
> NetWare security. They bragged about many UNIX ...

Of course, this is a tautology. Since most Novell systems have not been "exposed" on the Internet, how could they be attacked? I suspect that Novell will go the same as any other "high quality" OS (e.g., VMS and the IBM mainframe OS's): once it becomes an interesting target, it will be shot full of holes.

> operating systems, a few IBM mainframes and MAC networks but never
> bragged about Novell exploits. Even when I asked they didn't seem to
> like it much.

This is exactly the point. You don't get bragging points for breaking into a Novell server. Today. If that should change, all bets are off.

Craig

From firewalls-owner Thu Sep 1 08:22:00 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA01839; Thu, 1 Sep 1994 13:44:03 GMT
Received: from rohrer.rohrer.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id GAA01833; Thu, 1 Sep 1994 06:43:52 -0700
Received: by rohrer.rohrer.com (5.65/DEC-Ultrix/4.3) id AA13054; Thu, 1 Sep 1994 09:48:14 -0400
Message-Id: <9409011348.AA13054@rohrer.rohrer.com>
X-Sender: matuscak@rohrer.rohrer.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 1 Sep 1994 09:48:19 -0400
To: Firewalls@greatcircle.com
From: matuscak@rohrer.com (Joe Matuscak)
Subject: Archie through a screening router
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Can anyone tell me what ports & protocols Archie uses?
Joe Matuscak
Rohrer Corporation
717 Seville Road
Wadsworth OH 44281
(216)335-1541
Matuscak@Rohrer.com

From firewalls-owner Thu Sep 1 08:30:08 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA01804; Thu, 1 Sep 1994 13:34:42 GMT
Received: from elvis.mcc-care.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id GAA01798; Thu, 1 Sep 1994 06:34:33 -0700
Received: from emily.mcc-care.com (emily.mcc-care.com [199.199.4.2]) by elvis.mcc-care.com (8.6.9/8.6.9) with SMTP id IAA12655; Thu, 1 Sep 1994 08:35:59 -0500
Received: from cyclops.is.mcc-care.com by emily.mcc-care.com (5.4R3.00/140.4) id AA29563; Thu, 1 Sep 1994 08:36:25 -0500
Message-Id: <9409011336.AA29563@emily.mcc-care.com>
From: "Eric Pederson"
Organization: MCC Behavioral Care, Inc.
To: firewalls@greatcircle.com
Date: Thu, 1 Sep 1994 08:39:18 CST6CDT
Subject: (Fwd) "Hackers List" Thread Lives
Reply-To: eric@mcc-care.com
Cc: probsite-l@mcc-care.com
Priority: normal
X-Mailer: Pegasus Mail/Windows (v1.11a)
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Firewallers,

We have created a mailing list for those interested in continuing the discussion regarding the Hackers List thread. Our aim is to construct a document outlining appropriate measures to be taken by system administrators or other management parties in the event of break-in attempts. Our aim is NOT to promote the construction of a "black list", but simply to instigate open thought and discussion about this issue.

We plan on publishing this document in the near future in such places as the Firewalls group and other appropriate mailing lists so that we can get feedback from a much wider and more diverse audience. Although the document outlines actions to be taken by system administrators, we encourage the participation of all interested parties.
Those who wish to participate in the discussion and definition of this document should send mail to probsite-l-request@mcc-care.com and I will add them to the list.

eric
---------------------------------------------
Eric L. Pederson              eric@mcc-care.com
System Administrator          (612) 996-2751
MCC Behavioral Care, Inc.

From firewalls-owner Thu Sep 1 09:29:23 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA01931; Thu, 1 Sep 1994 13:56:44 GMT
Received: from uvs1.orl.mmc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id GAA01925; Thu, 1 Sep 1994 06:56:18 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA07939; Thu, 1 Sep 94 09:30:21 -0400
Date: Thu, 1 Sep 94 09:30:21 -0400
Message-Id: <9409011330.AA07939@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Firewalls are not bad, just only part of the answer.
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

The problem is that we seem to forget that there is a world outside of firewalls; yet there is much, much more. They are very good (even a necessity) at what they do, just that is not enough. It is partially a matter of performance: to make every possible decision on every possible packet at FDDI or ATM rates would take a MasPar, not a relatively inexpensive router.

At the same time, it is not fair to blame the Internet; it also does its job very well, it delivers the packets. The Internet is not concerned with what is in the packet, where it came from, or why it was sent, just that it arrives even if it takes days. That is the net's strength, and the addition or the reliance on the net for security is misplaced trust.

The answer begins with a policy definition of what is allowed and what is not (or even if security is needed at all).
Firewalls are decision makers facing the outside and determine how much of an organization an outsider is allowed to "see". Bastion hosts and proxy servers do the same. If directly connected to certain machines (such as a mail server) then the firewall can perform packet steering also.

Once inside an Enterprise, filters perform the same function for subnets, but in this case face in both directions, determining which packets are allowed to pass from the subnet to the backbone. At the finest level, active hubs can direct packets to specific machines.

One very important issue that has not been addressed is the effect on performance, and the surprising thing is that for such a distributed system, the performance increases since unwanted packets never reach the system. Security can be viewed as a performance enhancement!

Consider that in such a system, every node could be set in "promiscuous" mode since only packets for that machine will reach it. The fact that sniffers at nodes become obsolete is just an extra added attraction.

The next step should be obvious: with an active system, single-sign-on becomes simple as hubs/filters/firewalls are dynamically configured to the user's needs. No longer do the firewalls have to be open to all required traffic at all times; instead paths are dynamically created and discarded as needed. Networks go from party lines to individual subscribers. Performance and reliability are enhanced while security rides along for free or just the cost of logging/alarming.

True, it takes a different way of looking at the problem and it takes moving control of the architecture from the individual platform, be it a 3090 or a PC, to the network itself. Think of it as evolution in action.

Warmly,
Padgett

ps: thanks to all who sent headers, since this made it much easier for me to figure out by remote control what was going on.
Evidently, at some point in our system the logic was picking up what was usually (but not always) the correct line in the header for reply. It is being checked out now. From other reports, this does not seem uncommon in the VAX world.

From firewalls-owner Thu Sep 1 10:33:49 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA02179; Thu, 1 Sep 1994 14:28:27 GMT
Received: from seraph.uunet.ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA02173; Thu, 1 Sep 1994 07:28:18 -0700
Received: from sq.com ([192.31.6.128]) by mail.uunet.ca with SMTP id <95244-1>; Thu, 1 Sep 1994 10:32:54 -0400
Received: by sq.com (/\==/\ Smail3.1.25.1 #25.8) id ; Thu, 1 Sep 94 10:30 EDT
Received: by squilgee.sq.com (5.x//ident-1.0) id AA02474; Thu, 1 Sep 1994 10:28:45 -0400
Date: Thu, 1 Sep 1994 10:28:45 -0400
From: ian@sq.com
Message-Id: <9409011428.AA02474@squilgee.sq.com>
To: HIST1A@Jetson.UH.EDU, firewalls@GreatCircle.COM, mjr@tis.com
Subject: Re: Questions for firewall users
X-Sun-Charset: US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> The guy you were responding to was referring to a "build your
> own" firewall, and you're talking about a product.

It's worse than that. In fairness to TIS, I did a lot of enhancements to it for extra logging and some traps (all of which will eventually get posted back to TIS and maybe elsewhere - don't ask yet, ok?) AND some of that time was included in my time estimate. So the difference is less than what I said for a "build your own vanilla TIS".
Ian

From firewalls-owner Thu Sep 1 11:07:56 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA02241; Thu, 1 Sep 1994 14:34:46 GMT
Received: from wor-srv.wam.umd.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA02235; Thu, 1 Sep 1994 07:34:36 -0700
Received: from rac7.wam.umd.edu (reh@rac7.wam.umd.edu [128.8.70.123]) by wor-srv.wam.umd.edu (8.6.9/8.6.9) with ESMTP id KAA09399; Thu, 1 Sep 1994 10:39:14 -0400
From: Richard Huddleston
Received: (reh@localhost) by rac7.wam.umd.edu (8.6.9/8.6.9) id KAA10037; Thu, 1 Sep 1994 10:39:03 -0400
Date: Thu, 1 Sep 1994 10:39:03 -0400
Message-Id: <199409011439.KAA10037@rac7.wam.umd.edu>
To: FTGAB@aurora.alaska.edu, firewalls@GreatCircle.COM
Subject: Re: Kerberos software
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

You can usually find a USENET newsgroup for most of the specific questions that get asked on this list (other than firewall design, that is). Kerberos is no exception: 'comp.protocols.kerberos' will get you there (assuming you have a newsfeed, etc.). Since Kerberos is an authentication and key-exchange system, other appropriate groups might be sci.crypt and comp.security.misc. There's undoubtedly a mailing list for Kerberos as well, I would assume. There's even a misc.test newsgroup, for those who want to send a test message to thousands of people.

Richard

* Sorry to diverge ... is this the right place to ask about kerberos software?
* as to where I can find it and what the pros and cons might be as to using it
* on an educational site network between the local LAN and WAN/Internet
* connection.. specifically I am macintosh based on the LAN and the WAN is an
* IBM AIX box at the moment any help would be appreciated ...
Thanks From firewalls-owner Thu Sep 1 11:31:22 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA03128; Thu, 1 Sep 1994 16:27:38 GMT Received: from mycroft.GreatCircle.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id JAA03121; Thu, 1 Sep 1994 09:27:32 -0700 Message-Id: <199409011627.JAA03121@mycroft.GreatCircle.COM> To: matuscak@rohrer.com (Joe Matuscak) cc: Firewalls@greatcircle.com Subject: Re: Archie through a screening router In-reply-to: Your message of Thu, 1 Sep 1994 09:48:19 -0400 Date: Thu, 01 Sep 1994 09:27:31 -0700 From: Brent Chapman Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk matuscak@rohrer.com (Joe Matuscak) writes: # Can anyone tell me what ports & protocols Archie uses? If you're using a native Archie client, it uses UDP; port 1525 on the server, random port above 1023 on the client. Most Archie servers also support TELNET and E-Mail (SMTP) access. -Brent -- Brent Chapman | Great Circle Associates | Call or email for info about Brent@GreatCircle.COM | 1057 West Dana Street | upcoming Internet Security +1 415 962 0841 | Mountain View, CA 94041 | Firewalls Tutorial dates From firewalls-owner Thu Sep 1 12:07:43 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id PAA02788; Thu, 1 Sep 1994 15:39:01 GMT Received: from sextant.hri.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id IAA02782; Thu, 1 Sep 1994 08:38:52 -0700 Received: (from rali@localhost) by sextant.hri.com (8.6.9/8.6.9) id LAA00659 for firewalls@greatcircle.com; Thu, 1 Sep 1994 11:43:51 -0400 From: Reto Lichtensteiger Message-Id: <199409011543.LAA00659@sextant.hri.com> Subject: Usefulness of Split DNS? 
To: firewalls@greatcircle.com Date: Thu, 1 Sep 1994 11:43:51 -0400 (EDT) X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 454 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Hello all ... I have been considering this one for a while & the "I hate DNS" thread prompts me to ask for clarification ... What is, indeed, the usefulness of hiding "inside" names via a split DNS? I can see that it might hinder a "bad guy" if there was *no* way to determine the inside net ID, but in a majority of cases the inside net is known ... -Reto -- R A Lichtensteiger rali@hri.com System Administrator Horizon Research Inc (617) 466-8304 From firewalls-owner Thu Sep 1 12:29:55 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id RAA03562; Thu, 1 Sep 1994 17:02:42 GMT Received: from tiaa.org by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id KAA03536; Thu, 1 Sep 1994 10:02:20 -0700 Received: from sys001.tiaa.org by tiaa.org (4.1/3.1.090690-TIAA-CREF-gw) id AA01710; Thu, 1 Sep 94 13:06:55 EDT Received: by sys001.tiaa.org (4.1/SMI-4.1) id AA12448; Thu, 1 Sep 94 13:06:53 EDT Date: Thu, 1 Sep 94 13:06:53 EDT From: mjs@tiaa.org (marty shannon) Message-Id: <9409011706.AA12448@sys001.tiaa.org> To: firewalls@greatcircle.com Subject: I still hate DNS.... Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk But thanks to lots and lots of you who responded, I have my answer(s). For the record, the best starting place for the bastion's DNS master file is page 61 of Cheswick & Bellovin's Firewalls and Internet Security. If anyone out there doesn't yet have it, get it. Thanks again all! Marty P.S. Those that requested individual responses will be gotten to, but probably not until after the weekend. All in all, I'm just another brick in the (fire)wall.... 
(apologies to Pink Floyd) -- Marty Shannon | SunOS System Administrator | You can't borrow TIAA-CREF 3rd Floor | SVR3 System Administrator | enough to make 730 3rd Avenue | UUCP Guru (Don't Tell!) | me do Windows! New York City, NY 10017 | Hacker -- and proud of it! | NYAH! From firewalls-owner Thu Sep 1 12:45:03 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id PAA02657; Thu, 1 Sep 1994 15:29:20 GMT Received: from arthur.cs.purdue.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id IAA02646; Thu, 1 Sep 1994 08:28:54 -0700 Received: from uther.cs.purdue.edu (root@uther.cs.purdue.edu [128.10.2.20]) by arthur.cs.purdue.edu (8.6.4/PURDUE_CS-1.3) with ESMTP id ; Thu, 1 Sep 1994 10:32:57 -0500 Received: from localhost (spaf@localhost [127.0.0.1]) by uther.cs.purdue.edu (8.6.4/PURDUE_CS-1.3) with SMTP id ; Thu, 1 Sep 1994 10:32:04 -0500 Message-Id: <199409011532.KAA08047@uther.cs.purdue.edu> To: first-info@first.org, sage-security@usenix.org, pcert-advisory@cs.purdue.edu, bugtraq@crimelab.com, firewalls@GreatCircle.COM, ids@uow.edu.au, virus-l@assist.mil, cert-tools@cert.org, menkus@dockmaster.ncsc.mil, sharon@tis.com Cc: gkim@cs.arizona.edu Subject: Re: Tripwire V1.2 Release (Finally!) X-followup-to: My message of "Tue, 30 Aug 1994 10:14:32 -0500" Date: Thu, 01 Sep 1994 10:32:02 -0500 From: spaf@cs.purdue.edu (Gene Spafford) Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk On Tue, 30 Aug 1994 10:14:32 -0500 I wrote: > [...] > > A mailserver exists for distribution and to provide a means of > reporting bugs. To use the mail server, send e-mail to > "tripwire-request@cs.purdue.edu" with a message body consisting solely > of the word "help". The server will respond with instructions on how > to get sources, patches (if any are issued), and how to report a bug > (which we hope doesn't happen!). That was a typo. I thought I had deleted it. 
It was supposed to have read: As of this release, the mailing list will be deleted, and the "tripwire-request" address at Purdue will be shut down. Any future news about Tripwire will be announced in the major security-related mailing lists (e.g., cert-tools, firewalls) and on the COAST mailing list. If you'd like to have yourself added to the COAST mailing list, send a request to coast-request@cs.purdue.edu. In the unlikely event you find bugs or problems, you can report them to "tripwire@cs.purdue.edu" -- an alias for both Genes. Sorry about the confusion. --spaf From firewalls-owner Thu Sep 1 13:32:03 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id TAA05362; Thu, 1 Sep 1994 19:24:04 GMT Received: from mycroft.GreatCircle.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA05354; Thu, 1 Sep 1994 12:23:48 -0700 Message-Id: <199409011923.MAA05354@mycroft.GreatCircle.COM> To: Reto Lichtensteiger cc: firewalls@greatcircle.com Subject: Re: Usefulness of Split DNS? In-reply-to: Your message of Thu, 1 Sep 1994 11:43:51 -0400 (EDT) Date: Thu, 01 Sep 1994 12:23:46 -0700 From: Brent Chapman Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Reto Lichtensteiger writes: # Hello all ... # # I have been considering this one for a while & the "I hate DNS" thread # prompts me to ask for clarification ... # # What is, indeed, the usefulness of hiding "inside" names via a split # DNS? # # I can see that it might hinder a "bad guy" if there was *no* way to # determine the inside net ID, but in a majority of cases the inside net is # known ... Let me hopefully cut short the religious war that seems to start every time we discuss this topic... Some sites believe that host names and other internal DNS data should be treated as "confidential" data, much like their internal company telephone directories. 
The case for hiding things like HINFO records is clear: while these are very useful for sysadmins (they tell them what kind of machine it is and what OS it's running), they're also very useful for crackers (they tell them what kind of machine it is and what OS it's running :-). The case for hiding other things, like A records, is less clear and varies by site. At some sites, the hostnames reflect the hardware type. At some sites, hosts are named after projects, and you can determine things like how big a project is by seeing how many hosts are assigned to it. At some sites, hosts are named something offensive that's funny to insiders, but that management doesn't want leaking out to the general public. At some sites, they just want to hide the host names on general principles. Let's not beat this into the ground again; this horse has already been beaten to death, buried, dug up, beaten again, and buried again several times. If you really want to see the past discussion, see the Firewalls archives (ftp://ftp.greatcircle.com/pub/firewalls) or WAIS database (host wais.greatcircle.com, database firewalls-digest). 
-Brent -- Brent Chapman | Great Circle Associates | Call or email for info about Brent@GreatCircle.COM | 1057 West Dana Street | upcoming Internet Security +1 415 962 0841 | Mountain View, CA 94041 | Firewalls Tutorial dates From firewalls-owner Thu Sep 1 13:50:45 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id TAA05315; Thu, 1 Sep 1994 19:18:09 GMT Received: from nic.cerf.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA05307; Thu, 1 Sep 1994 12:17:56 -0700 Received: from opti-gw.sd.optigfx.com (optigfx.com [134.24.10.246]) by nic.cerf.net (8.6.8/8.6.6) with SMTP id MAA27686; Thu, 1 Sep 1994 12:21:30 -0700 Received: from optigfx.com (optigfx.optigfx.com) by opti-gw.sd.optigfx.com (4.1/1.07-opti) id AA05449; Thu, 1 Sep 94 12:21:24 PDT Received: from optisun17.optigfx.com by optigfx.optigfx.com (4.1/SMI-4.1-3) id AA16014; Thu, 1 Sep 94 12:21:15 PDT Received: by optisun17.optigfx.com (4.1/SMI-4.1) id AA12547; Thu, 1 Sep 94 12:19:36 PDT Date: Thu, 1 Sep 94 12:19:36 PDT From: mrm@optigfx.com (Mike Murphy) Message-Id: <9409011919.AA12547@optisun17.optigfx.com> To: gwyn@ARL.MIL Subject: Re: "Firewalls are Bad" Cc: Firewalls@GreatCircle.COM, mrm@sceard.com Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk >[...] >I don't think the current suite of Internet protocols is anywhere >near as secure as it ought to be (without losing legitimate services), >however. It is horrible that IP addresses cannot be trusted. There >needs to be foolproof authentication of *some* sort at these lower >levels, if we are not going to have to implement security policies >within nearly *every* protocol built on top of IP. On the other hand, >since there can be a security hole at any level, it would appear that >every protocol that matters *will* need to perform its own authentication >anyway. 
Some of us in MCSB have been conducting research in this area >and have devised a fairly general yet simple authentication scheme which >could feasibly be implemented in a general program support library. > If I get it, your point 1. IP not secure enough. your point 2. evil that IP addresses can't be trusted. your point 3. foolproof authentication required at low levels, e.g., IP. your point 4. if not 3, then security required on every protocol above IP. your point 5. regardless of 1-4, every protocol must provide its security. I'll disagree with 1-4 and suggest that the _current_ state of IP is OK. Let me explain by poor analogy and mixed metaphor before folks yell :-) Imagine that as a firewall is the "hard shell around the chewy center", the packet is a marshmallow around a very hard nut, where that hard nut is a strongly authenticated higher level protocol. I don't much care about the marshmallow. I care that the nut is hard to crack. What this might mean is that depending upon a firewall that does not take into account the inherent insecurity in the current IP may lead to a very false sense of security. Filtering by network, filtering by protocol, any of that sort of filtering of the marshmallow might well be only superficially useful security. Only if the nut and its contents are correct should the firewall let through the contents of the nut. In either direction. In such case the firewall is in fact a semi-permeable membrane. I think. :-) You willing to speak of the "fairly general yet simple scheme?" -- Mike Murphy mrm@Optigfx.COM ucsd!optigfx!mrm +1 619 625 3000 x 265 ALPHAREL 9339 Carroll Park Drive San Diego, CA 92121 The opinions expressed above are mine and not those of my employer. 
From firewalls-owner Thu Sep 1 14:30:33 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id VAA06608; Thu, 1 Sep 1994 21:25:41 GMT Received: from csn.org by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA06602; Thu, 1 Sep 1994 14:25:33 -0700 Received: by csn.org with SMTP id AB07710 (5.65c/IDA-1.4.4 for ); Thu, 1 Sep 1994 15:29:24 -0600 Message-Id: <199409012129.AB07710@csn.org> To: mrm@optigfx.com (Mike Murphy) Cc: gwyn@ARL.MIL, Firewalls@greatcircle.com, mrm@sceard.com Subject: Re: "Firewalls are Bad" In-Reply-To: Your message of "Thu, 01 Sep 1994 12:19:36 PDT." <9409011919.AA12547@optisun17.optigfx.com> Date: Thu, 01 Sep 1994 15:29:22 -0600 From: Brad Huntting Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk From firewalls-owner Thu Sep 1 14:52:59 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id TAA05346; Thu, 1 Sep 1994 19:23:37 GMT Received: from nando.yak.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA05340; Thu, 1 Sep 1994 12:23:03 -0700 Received: from localhost (strick@localhost) fnord by nando.yak.net (8.6.5/8.6.5) id MAA02456; Thu, 1 Sep 1994 12:27:59 -0700 Message-Id: <199409011927.MAA02456@nando.yak.net> From: strick Subject: infilt-0.5 : firewall-style filtering for dp-2.3 (fwd) To: firewalls@GreatCircle.COM Date: Thu, 1 Sep 1994 02:02:13 -0700 (PDT) Cc: strick@yak.net Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Several people asked about my PPP firewall software that fits inside the dp-2.3 DialupPPP module. FTP it from ftp.yak.net (140.174.114.1) /pub/infilt/infilt-0.5.tar.gz and here's my announcement to the dplist. 
( For more info about dp-2.3, look in ftp://www.yak.net/pub/faq/ppp-faq/part5 ) strick ================================================================== >From strick@nando.yak.net Thu Sep 1 01:45:55 1994 Message-Id: <199409010842.BAA00433@nando.yak.net> To: dplist@phoenix.acn.purdue.edu cc: strick@yak.net Subject: infilt-0.5 : firewall-style filtering for dp-2.3 Date: Thu, 01 Sep 1994 01:42:32 -0700 From: strick ANNOUNCING FIREWALL-STYLE PACKET FILTERING FOR dp-2.3 -- infilt-0.5 Enclosed is a package named "infilt-0.5" that is a patch to DialupPPP dp-2.3. (It may also work on other SunOS/BSD streams-based PPP drivers.) This package implements firewall-style filtering on packets coming into a host over a PPP connection. Please give me feedback if you attempt to use this package; let me know of both success and failure. I'm particularly interested in what platforms and drivers it works with. This is the first release, named version "0.5", and you should consider it alpha quality. I have been using it for several weeks now, while developing it. strick@yak.net Henry Strickland strick@netcom.com ------------------------------------------------------------------------ ------------------------------------------------------------------------ Here is an excerpt from "infilt.doc". The package itself is small, so it is enclosed at the end, gzip'ed and uuencoded. ------------------------------------------------------------------------ FIREWALL-STYLE FILTERING FOR INPUT PPP PACKETS This package provides simple firewall-style packet filtering. It is designed for a local network that is connected to the big internet through a single PPP link. 
It runs inside the operating system kernel on the "local host", the machine in the local network that has the PPP interface to the big internet:

[diagram: the local network (containing the local host) <======PPP=link========> the big internet; incoming packets are filtered, outgoing packets are undisturbed]

The package looks at packets coming into the local network through this PPP link ("incoming packets"), and it quietly drops packets that it deems to be evil, using some simple criteria. Packets leaving the local network through the PPP link ("outgoing packets") are unaffected and are never dropped.

FIVE ACTIONS

The infilt package may be configured to do any or all of five different things to incoming packets:

1. Drop selected TCP packets, based on destination port.
2. Drop selected UDP packets, based on destination port.
3. Drop selected ICMP packets, based on icmp_type.
4. Drop packets containing IP header options.
5. Write zeros over IP header options, rendering them impotent.

------------------------------------------------------------------------
------------------------------------------------------------------------

To ftp the package: ftp.yak.net (140.174.114.1) /pub/infilt/infilt-0.5.tar.gz

From firewalls-owner Thu Sep 1 15:31:37 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id VAA06467; Thu, 1 Sep 1994 21:06:58 GMT Received: from mycroft.GreatCircle.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA06460; Thu, 1 Sep 1994 14:06:51 -0700 Message-Id: <199409012106.OAA06460@mycroft.GreatCircle.COM> To: Firewalls@GreatCircle.COM Subject: And the Funky Hostname Award for this week goes to: Date: Thu, 01 Sep 1994 14:06:50 -0700 From: Brent Chapman Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Reference the current discussion of DNS information hiding... 
:-) -Brent -- Brent Chapman | Great Circle Associates | Call or email for info about Brent@GreatCircle.COM | 1057 West Dana Street | upcoming Internet Security +1 415 962 0841 | Mountain View, CA 94041 | Firewalls Tutorial dates ------- Forwarded Message Date: Thu, 1 Sep 1994 16:26:37 -0400 From: bostic@CS.Berkeley.EDU (Keith Bostic) Message-Id: <199409012026.QAA26232@python.bostic.com> To: /dev/null@python.bostic.com Subject: And the Funky Hostname Award for this week goes to: Forwarded-by: Sean Eric Fagan From: Egotists Anonymous (koreth@spud.Hyperion.COM) Subject: And the Funky Hostname Award for this week goes to: 129_179_75_12.cdc.com Now, I've heard of uncreative host naming, but that's ridiculous. ------- End of Forwarded Message From firewalls-owner Thu Sep 1 15:40:36 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id UAA05949; Thu, 1 Sep 1994 20:18:56 GMT Received: from fx.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA05942; Thu, 1 Sep 1994 13:18:41 -0700 Received: from fxgrp.fx.com (fxgrp2.fx.com) by fx.com (4.1/SMI-4.1) id AA08495; Thu, 1 Sep 94 13:22:41 PDT Received: by fxgrp.fx.com (4.1/SMI-4.1) id AA09058; Thu, 1 Sep 94 13:23:16 PDT Date: Thu, 1 Sep 94 13:23:16 PDT From: ericw@fx.com (Eric Wedaa) Message-Id: <9409012023.AA09058@fxgrp.fx.com> To: firewalls@GreatCircle.COM, rali@mailgate.hri.com Subject: Re: Usefulness of Split DNS? Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > > What is, indeed, the usefulness of hiding "inside" names via a split > DNS? > > I can see that it might hinder a "bad guy" if there was *no* way to > determine the inside net ID, but in a majority of cases the inside net is > known ... Says who? My inside networks are not known outside the company. In fact, my inside networks aren't even registered. Hiding them means that we can create/destroy random class C networks at will. 
Our firewall and router don't advertise those routes, so no other site is going to get burnt by our random Class C networks. And as long as we don't have to connect to any of the sites that have those addresses, we're ok. (So far, so good.) >>>>>Ericw From firewalls-owner Thu Sep 1 20:28:35 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id DAA08780; Fri, 2 Sep 1994 03:16:28 GMT Received: from seraph.uunet.ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id UAA08774; Thu, 1 Sep 1994 20:16:18 -0700 Received: from torrie by mail.uunet.ca with UUCP id <95249-2>; Thu, 1 Sep 1994 23:21:39 -0400 Received: by torrie.org (1.65/waf) via UUCP; Thu, 01 Sep 94 22:54:11 EDT for firewalls@greatcircle.com To: firewalls@greatcircle.com Subject: And the Funky Hostname Award for this week goes to: Summary: There may be a method behind this apparent madness. From: gordon@torrie.org (Gordon Torrie) Message-ID: Date: Thu, 1 Sep 1994 22:50:17 -0400 Organization: Torrie Communication Services Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Brent Chapman writes: | Reference the current discussion of DNS information hiding... :-) [...] | | From: Egotists Anonymous (koreth@spud.Hyperion.COM) | Subject: And the Funky Hostname Award for this week goes to: | | 129_179_75_12.cdc.com | | Now, I've heard of uncreative host naming, but that's ridiculous. Well it does have the advantage of not revealing either the hardware type or the name of the project that this host has been assigned to. 
:-) -- gordon@torrie.org Gord Torrie From firewalls-owner Thu Sep 1 22:28:47 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id FAA09184; Fri, 2 Sep 1994 05:07:59 GMT Received: from crab.cssc-syd.tansu.com.au by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id WAA09178; Thu, 1 Sep 1994 22:07:48 -0700 Received: from tiger.cssc-syd.tansu.com.au.tansu.com.au (charlesb@tiger.cssc-syd.tansu.com.au [149.135.108.67]) by crab.cssc-syd.tansu.com.au (8.6.9/8.6.5) with SMTP id OAA06318 for ; Fri, 2 Sep 1994 14:29:09 +1000 From: Charles Butcher Message-Id: <199409020429.OAA06318@crab.cssc-syd.tansu.com.au> Subject: Re: And the Funky Hostname Award for this week goes to: To: firewalls@greatcircle.com Date: Fri, 2 Sep 1994 14:29:07 +1000 (EST) In-Reply-To: from "Gordon Torrie" at Sep 1, 94 10:50:17 pm X-Mailer: ELM [version 2.4 PL20] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 739 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > | From: Egotists Anonymous (koreth@spud.Hyperion.COM) > | Subject: And the Funky Hostname Award for this week goes to: > | > | 129_179_75_12.cdc.com > | > | Now, I've heard of uncreative host naming, but that's ridiculous. > Pity the poor buggers who have to update all the references to this host when it moves to another network.... and it _will_ You know, hundreds of very clever people have spent a lot of time writing a lot of complex software for the express purpose of allowing us to give machines names that are meaningful to humans instead of just a bunch of numbers..... 
Mind you, what can you expect from a mainframe manufacturer ;-) -- Charles Butcher +61 2 395 3216 FAX: +61 2 395 3225 charlesb@ind.tansu.com.au From firewalls-owner Fri Sep 2 00:29:03 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA09667; Fri, 2 Sep 1994 07:23:21 GMT Received: from Mailer.Uni-Marburg.DE by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id AAA09661; Fri, 2 Sep 1994 00:23:04 -0700 Received: from pcmbi03.Informatik.Humanmedizin.Uni-Marburg.DE by Mailer.Uni-Marburg.DE (AIX 3.2/UCB 5.64/20.07.94) id AA46931; Fri, 2 Sep 1994 09:28:28 +0200 From: "Dirk A. Meyer" Date: Fri, 2 Sep 94 09:25:23 +0200 Message-Id: <1331.meyerd@mailer.uni-marburg.de_POPMail_3.1.8> X-Popmail-Charset: German To: firewalls@GreatCircle.COM Subject: hardware Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Are there any experiences with - 3Com Netbuilder II - Cisco 4000 - Ungermann-Bass 53xx used as a Firewall-Router (ease and capabilities in configuring, performance)? 
-Dirk From firewalls-owner Fri Sep 2 01:06:15 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA09627; Fri, 2 Sep 1994 07:02:52 GMT Received: from awadi.com.AU by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id AAA09621; Fri, 2 Sep 1994 00:02:29 -0700 Received: from bunya.awadi ([150.207.1.63]) by awadi.com.AU (4.1/SMI-4.1) id AA28709; Fri, 2 Sep 94 16:34:52 CST Received: from mallee.awadi by bunya.awadi (5.0/SMI-SVR4) id AA21564; Fri, 2 Sep 1994 16:24:42 --9-30 From: blymn@awadi.com.AU (Brett Lymn) Message-Id: <9409020654.AA21564@bunya.awadi> Subject: Re: And the Funky Hostname Award for this week goes to: To: charlesb@ind.tansu.com.au (Charles Butcher) Date: Fri, 2 Sep 1994 16:24:40 +0930 (CST) Cc: firewalls@greatcircle.com In-Reply-To: <199409020429.OAA06318@crab.cssc-syd.tansu.com.au> from "Charles Butcher" at Sep 2, 94 02:29:07 pm X-Mailer: ELM [version 2.4 PL2] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Length: 1304 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk According to Charles Butcher: > >> | From: Egotists Anonymous (koreth@spud.Hyperion.COM) >> | Subject: And the Funky Hostname Award for this week goes to: >> | >> | 129_179_75_12.cdc.com >> | >> | Now, I've heard of uncreative host naming, but that's ridiculous. >> > >Pity the poor buggers who have to update all the references to this host >when it moves to another network.... and it _will_ > >You know, hundreds of very clever people have spent a lot of time writing >a lot of complex software for the express purpose of allowing us to give >machines names that are meaningful to humans instead of just a bunch of >numbers..... 
> >Mind you, what can you expect from a mainframe manufacturer ;-) > Humpf, would you believe we _have_ (supposedly) meaningful names for our workstations but I had a representation from some of our users to have "logical" names based on which building the machine is in - i.e. bld_114_a, bld_114_b..... Yeesh some people! -- Brett Lymn, Computer Systems Administrator, AWA Defence Industries =============================================================================== "Aha! Pronoun problems. It's not `shoot you, shoot you', it's `shoot me, shoot me'. So, go ahead, shoot ME, shoot ME ... You're Despicable" -- Daffy Duck From firewalls-owner Fri Sep 2 01:29:06 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id IAA09910; Fri, 2 Sep 1994 08:13:25 GMT Received: from dalkey.hea.ie by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id BAA09904; Fri, 2 Sep 1994 01:13:17 -0700 Received: from localhost by dalkey.hea.ie (5.65/Ultrix3.0-C) id AA08895; Fri, 2 Sep 1994 09:18:09 +0100 Message-Id: <9409020818.AA08895@dalkey.hea.ie> To: gordon@torrie.org (Gordon Torrie) Cc: firewalls@greatcircle.com, mnorris@dalkey.hea.ie Subject: Re: And the Funky Hostname Award for this week goes to: In-Reply-To: Your message of "Thu, 01 Sep 94 22:50:17 EDT." Date: Fri, 02 Sep 94 09:18:08 +0100 From: "Mike Norris" X-Mts: smtp Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk >| Reference the current discussion of DNS information hiding... :-) >[...] >| >| From: Egotists Anonymous (koreth@spud.Hyperion.COM) >| Subject: And the Funky Hostname Award for this week goes to: >| >| 129_179_75_12.cdc.com >| >| Now, I've heard of uncreative host naming, but that's ridiculous. > >Well it does have the advantage of not revealing either the hardware >type or the name of the project that this host has been assigned to. 
>:-) Sure, RFC1178 advises against such things, but it also says to avoid a hostname beginning with a digit - maybe there should be a leading underscore ;-) Maybe they've run out of really useful names - it's bound to happen. Mike Norris From firewalls-owner Fri Sep 2 05:34:18 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id LAA11286; Fri, 2 Sep 1994 11:44:21 GMT Received: from pwfl.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id EAA11280; Fri, 2 Sep 1994 04:43:55 -0700 Received: by pwfl.com (4.1/SMI-4.1) id AA17410; Fri, 2 Sep 94 07:46:10 EDT From: murkland@pwfl.com (Richard Murkland 407-796-5249) Message-Id: <9409021146.AA17410@pwfl.com> Subject: Re: Usefulness of Split DNS? To: firewalls@GreatCircle.COM Date: Fri, 2 Sep 94 7:46:08 EDT In-Reply-To: <9409012023.AA09058@fxgrp.fx.com>; from "Eric Wedaa" at Sep 1, 94 1:23 pm X-Mailer: ELM [version 2.3 PL0] Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk You might look at RFC1597 for network numbers that you can use internally without conflicting with other sites' registered addresses - maybe for that day when you _do_ find you have a conflict... :-) Eric Wedaa writes: > > Says who? My inside networks are not known outside the company. In fact, my > inside networks aren't even registered. Hiding them means that we can > create/destroy random class C networks at will. Our firewall and router > don't advertise those routes, so no other site is going to get burnt by > our random Class C networks. And as long as we don't have to connect to > any of the sites that have those addresses, we're ok. (So far, so good.) 
> > >>>>>Ericw -- Richard Murkland (407)796-5249 Pratt & Whitney, West Palm Beach, Fl murkland@pwfl.com From firewalls-owner Fri Sep 2 06:34:12 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA11637; Fri, 2 Sep 1994 12:35:57 GMT Received: from play.nyc.ov.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id FAA11631; Fri, 2 Sep 1994 05:35:44 -0700 Received: from lizard.nyc.ov.com by nygate with ESMTP id IAA07797 ;Fri, 2 Sep 1994 08:40:29 -0400 Received: by lizard.nyc.ov.com (8.6.9/8.6.4) id IAA24481 for firewalls@GreatCircle.COM; Date: Fri, 2 Sep 1994 08:40:28 -0400 From: Mike Fischbein Message-Id: <199409021240.IAA24481@lizard.nyc.ov.com> To: firewalls@GreatCircle.COM Subject: Re: And the Funky Hostname Award for this week goes to: Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > >| Reference the current discussion of DNS information hiding... :-) > >| From: Egotists Anonymous (koreth@spud.Hyperion.COM) > >| Subject: And the Funky Hostname Award for this week goes to: > >| > >| 129_179_75_12.cdc.com People, it is worse than you think, unless you've seen NOS/VE. That OS's entire user interface is filled with commands like that. mike From firewalls-owner Fri Sep 2 07:52:33 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA11812; Fri, 2 Sep 1994 13:00:19 GMT Received: from norge.unet.umn.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id GAA11788; Fri, 2 Sep 1994 06:00:06 -0700 Received: by norge.unet.umn.edu (5.65c) id AA23878; Fri, 2 Sep 1994 08:03:53 -0500 Date: Fri, 2 Sep 1994 08:03:53 -0500 From: "Craig A. 
Finseth" Message-Id: <199409021303.AA23878@norge.unet.umn.edu> To: charlesb@ind.tansu.com.au Cc: firewalls@greatcircle.com In-Reply-To: Charles Butcher's message of Fri, 2 Sep 1994 14:29:07 +1000 (EST) <199409020429.OAA06318@crab.cssc-syd.tansu.com.au> Subject: And the Funky Hostname Award for this week goes to: Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > | From: Egotists Anonymous (koreth@spud.Hyperion.COM) > | Subject: And the Funky Hostname Award for this week goes to: > | > | 129_179_75_12.cdc.com Pity the poor buggers who have to update all the references to this host when it moves to another network.... and it _will_ You know, hundreds of very clever people have spent a lot of time writing a lot of complex software for the express purpose of allowing us to give machines names that are meaningful to humans instead of just a bunch of numbers..... Mind you, what can you expect from a mainframe manufacturer ;-) We use names of a similar form quite regularly (CDC may, in fact, have gotten the idea from us). I'd like to see _you_ deal with a user who comes to you with "here are 150 PCs going onto the network as clients." You really want to invent 150 names and then try to convince the user to use them? Remember, these are _clients_ that are not running network services (you'll never telnet/ftp/gopher/etc. to them). However, they still need names in the DNS so that they can X/Windows and FTP _out_. When we invent dummy names, we make it clear to the user that they can't use them for servers. (Real servers get real names.) We also change the dummy names from time to time without any prior notification. We have several thousand such dummy names. 
Craig

From firewalls-owner Fri Sep 2 08:37:15 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA12506; Fri, 2 Sep 1994 14:22:41 GMT
Received: from oxygen.house.gov by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA12499; Fri, 2 Sep 1994 07:22:16 -0700
Received: by oxygen.house.gov (AIX 3.2/UCB 5.64/3.2.083191-) id AA16251; Fri, 2 Sep 1994 10:26:22 -0400
Date: Fri, 2 Sep 1994 10:26:22 -0400
From: johns@oxygen.house.gov (John Schnizlein)
Message-Id: <9409021426.AA16251@oxygen.house.gov>
To: firewalls@GreatCircle.COM
Subject: Re: And the Funky Hostname Award for this week goes to:
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

%> >| Reference the current discussion of DNS information hiding... :-)
%
%> >| From: Egotists Anonymous (koreth@spud.Hyperion.COM)
%> >| Subject: And the Funky Hostname Award for this week goes to:
%> >|
%> >| 129_179_75_12.cdc.com
%
%People, it is worse than you think, unless you've seen NOS/VE.
%That OS's entire user interface is filled with commands
%like that.

This is one good reason to keep your internal DNS unreachable from outside: other people might make fun of it at your expense. A valid reason for introducing security barriers is to avoid embarrassment. People outside often misunderstand internal reasons for site-specific things.

Brent - I apologize for beating this horse so soon after your remark. But we MUST stop picking on others here or the sages we rely on will go away.
From firewalls-owner Fri Sep 2 09:29:43 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id PAA13280; Fri, 2 Sep 1994 15:53:43 GMT
Received: from noc4.dccs.upenn.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id IAA13274; Fri, 2 Sep 1994 08:53:23 -0700
Received: from GYNKO.CIRC.UPENN.EDU by noc4.dccs.upenn.edu id AA09790; Fri, 2 Sep 94 11:57:56 -0400
Received: by gynko.circ.upenn.edu id AA00340; Fri, 2 Sep 94 11:56:13 EDT
From: rsk@gynko.circ.upenn.edu (Rich Kulawiec)
Posted-Date: Fri, 2 Sep 1994 11:56:13 -0400 (EDT)
Message-Id: <9409021556.AA00340@gynko.circ.upenn.edu>
Subject: Re: And the Funky Hostname Award for this week goes to:
To: blymn@awadi.com.au (Brett Lymn)
Date: Fri, 2 Sep 1994 11:56:13 -0400 (EDT)
Cc: charlesb@ind.tansu.com.au, firewalls@greatcircle.com
In-Reply-To: <9409020654.AA21564@bunya.awadi> from "Brett Lymn" at Sep 2, 94 04:24:40 pm
Organization: Ditka Policy Institute
X-Last-River: Lower Yough
X-Last-Cd: Spin Doctor, "Turn It Upside Down"
X-Mailer: ELM [version 2.4 PL21]
Content-Type: text
Content-Length: 626
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>Humpf, would you believe we _have_ (supposedly) meaningful names for
>our workstations but I had a representation from some of our users to
>have "logical" names based on which building the machine is in - i.e
>bld_114_a, bld_114_b..... Yeesh some people!

At one of the Martin Marietta sites (East Windsor, New Jersey), hostnames are assigned in a similarly silly fashion -- mostly due to the intractability of one of the more powerful members of the user community. As a result, the systems administration team there enjoys the challenge of trying to keep names like "a7798" and "a7998" separated in their heads.
---Rsk

From firewalls-owner Fri Sep 2 09:48:58 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA12440; Fri, 2 Sep 1994 14:19:25 GMT
Received: from csn.org by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA12428; Fri, 2 Sep 1994 07:18:31 -0700
Received: by csn.org with SMTP id AA17997 (5.65c/IDA-1.4.4 for ); Fri, 2 Sep 1994 08:22:44 -0600
Message-Id: <199409021422.AA17997@csn.org>
To: blymn@awadi.com.AU (Brett Lymn)
Cc: charlesb@ind.tansu.com.au (Charles Butcher), firewalls@greatcircle.com
Subject: Re: And the Funky Hostname Award for this week goes to:
In-Reply-To: Your message of "Fri, 02 Sep 1994 16:24:40 +0930." <9409020654.AA21564@bunya.awadi>
Date: Fri, 02 Sep 1994 08:22:44 -0600
From: Brad Huntting
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>> | Subject: And the Funky Hostname Award for this week goes to:
>> | 129_179_75_12.cdc.com

>Pity the poor buggers who have to update all the references to this host
>when it moves to another network.... and it _will_

Are you sure this is the same name the host uses _inside_ the firewall?

My workstation at U S WEST used to be known to the Internet at large as H130-13-17-11.uswest.com or some such (at least that's what the PTR records told the rest of the world). But the internal DNS called it futureworld.advtech.uswest.com. Don't blame me, I inherited the DNS hiding mandate.

The 129_179_75_12.cdc.com domain name is a bad choice for two reasons: First, it begins with a number (this may not violate an rfc, but it will break plenty of other things), second it uses underscores (which will make it difficult for you to send mail to ibm :-).
brad

From firewalls-owner Fri Sep 2 10:28:19 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id PAA13304; Fri, 2 Sep 1994 15:57:18 GMT
Received: from rodan.UU.NET by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id IAA13296; Fri, 2 Sep 1994 08:56:59 -0700
Received: by rodan.UU.NET id QQxfqa21271; Fri, 2 Sep 1994 11:03:13 -0400
Message-Id:
To: gordon@torrie.org (Gordon Torrie)
cc: firewalls@GreatCircle.COM
From: "Louis A. Mamakos"
Subject: Re: And the Funky Hostname Award for this week goes to:
In-reply-to: Your message of "Thu, 01 Sep 1994 22:50:17 EDT."
Date: Fri, 02 Sep 1994 11:03:12 -0400
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> Brent Chapman writes:
> > | Reference the current discussion of DNS information hiding... :-)
> [...]
> |
> | From: Egotists Anonymous (koreth@spud.Hyperion.COM)
> | Subject: And the Funky Hostname Award for this week goes to:
> |
> | 129_179_75_12.cdc.com
> |
> | Now, I've heard of uncreative host naming, but that's ridiculous.
>
> Well it does have the advantage of not revealing either the hardware
> type or the name of the project that this host has been assigned to.

This is wasteful of DNS name space. Perhaps you missed the note that I sent out on April 1, 1994 where I suggested that we just re-use IN-ADDR.ARPA? For example, lookup the address for 42.42.202.144.IN-ADDR.ARPA. (Or an MX record, for that matter.)

Louis A. Mamakos                        louie@alter.net
UUNET Technologies, Inc.
uunet!louie
3110 Fairview Park Drive., Suite 570    Voice: +1 703 204 8023
Falls Church, Va 22042                  Fax:   +1 703 204 8001

From firewalls-owner Fri Sep 2 10:30:51 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id PAA13271; Fri, 2 Sep 1994 15:52:32 GMT
Received: from uvs1.orl.mmc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id IAA13265; Fri, 2 Sep 1994 08:52:17 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA15132; Fri, 2 Sep 94 11:40:33 -0400
Date: Fri, 2 Sep 94 11:40:33 -0400
Message-Id: <9409021540.AA15132@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: It's not a bug, it's a feature.
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>I don't think the current suite of Internet protocols is anywhere
>near as secure as it ought to be (without losing legitimate services),
>however. It is horrible that IP addresses cannot be trusted. There
>needs to be foolproof authentication of *some* sort at these lower
>levels, if we are not going to have to implement security policies
>within nearly *every* protocol built on top of IP.

I disagree. IMHO the Internet (and its TCP/IP protocols as defined by RFCs) does exactly what it is supposed to: maximise the probability that a packet intended for node N will in fact be received at node N. *Everything* else is subservient to this charter. What node N does with the packet is entirely up to node N. Authentication is the responsibility of the user (RFC 1281).

What some look on as "trivial to forge" E-Mail makes it simple for me to use your computer and sign the messages as myself and have replies go to my mailserver. Without "mix and match" IPs, BOOTP would be much more difficult to implement and IPs would have to be assigned to every machine and not just those in use.
- an IP is merely a mailing address and like a surface address does not constitute a legal description of the property *nor should it*.

The fact is that the Internet is positioned squarely on the "A" for availability of the CIA triangle deliberately and would probably have not been nearly as successful if it had not been. Our job is to add in whatever security those systems we are responsible for require and to do so invisibly to the users. The tools are here, the literature is available on how to do it, and "getting there is half the fun".

Do not bemoan the aerodynamic qualities of the pig, just strap on a bigger engine.

Warmly,
Padgett

From firewalls-owner Fri Sep 2 10:51:52 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA12519; Fri, 2 Sep 1994 14:23:00 GMT
Received: from twogwn.canada.ncr.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA12497; Fri, 2 Sep 1994 07:21:48 -0700
Message-Id: <199409021421.HAA12497@mycroft.GreatCircle.COM>
Subject: Re: And the Funky Hostname Award for this week goes to:
To: firewalls@greatcircle.com
Date: Fri, 2 Sep 1994 10:25:35 -0400 (EDT)
From: Greg Nenych
In-Reply-To: <199409020429.OAA06318@crab.cssc-syd.tansu.com.au> from "Charles Butcher" at Sep 2, 94 02:29:07 pm
Reply-To: greg.nenych@canada.ncr.com
X-Mailer: ELM [version 2.4 PL21]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Content-Length: 1587
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Charles Butcher writes:
> > | From: Egotists Anonymous (koreth@spud.Hyperion.COM)
> > | Subject: And the Funky Hostname Award for this week goes to:
> > |
> > | 129_179_75_12.cdc.com
> > |
> > | Now, I've heard of uncreative host naming, but that's ridiculous.
> >
>
> Pity the poor buggers who have to update all the references to this host
> when it moves to another network.... and it _will_

If the host becomes 129.179.80.12, I suppose the outside will see it as 129_179_80_12.cdc.com.

When I get a LOT of time, one of the bind hacks I have been thinking of is to add a new named.boot command with a syntax something like cloak 150.150.0.0 ncr.com. This would effectively load bogus but "correct" A and PTR records for all hosts on the 150.150.0.0 network without having to generate a named.hosts and named.rev. A PTR query on 150.150.150.150.in-addr.arpa returns h150-150-150-150.ncr.com. An A query on h150-150-150-150.ncr.com would return, of course, 150.150.150.150.

Very useful for a "complete" external DNS that should make any FTP site that does reverse lookups happy and at the same time not give out useful information to the outside. The implementation would not really load all of the RRs into the cache. Real entries in named.hosts and named.rev should override the generated RRs.

From discussions I've had with people, it seems doable. Has anyone actually tried anything like this?

- Greg
--
Greg Nenych                                          1.905.819.4122
AT&T Global Information Solutions Canada Ltd.
6865 Century Ave, Mississauga, Ontario, Canada, L5N 2E2

From firewalls-owner Fri Sep 2 11:29:12 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id PAA13242; Fri, 2 Sep 1994 15:44:02 GMT
Received: from nsco.network.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id IAA13236; Fri, 2 Sep 1994 08:43:37 -0700
Received: from anubis.network.com (anubis-e4.network.com) by nsco.network.com (4.1/1.34) id AA17063; Fri, 2 Sep 94 10:48:51 CDT
Received: from blefscu.network.com by anubis.network.com (4.1/SMI-4.1) id AA05938; Fri, 2 Sep 94 10:48:00 CDT
Date: Fri, 2 Sep 94 10:48:00 CDT
From: amolitor@anubis.network.com (Andrew Molitor)
Message-Id: <9409021548.AA05938@anubis.network.com>
To: firewalls@greatcircle.com
Subject: Re: And the Funky Hostname Award for this week goes to:
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

CDC is using a split DNS deal with automagically generated reverse maps which map 129.179.x.y to 129_179_x_y.cdc.com. I forget if they've gotten around to making the externally visible maps go both forward and back, to fake out those dumb FTP servers that want to do triple reverse lookups with a half twist to 'improve security', but that's certainly planned, if not implemented.

The internally visible names are, of course, much nicer. They are also none of the outside world's business, so the outside world doesn't get to see them.

It's not hard at all. A little awk or perl to regenerate the named config files every day from a master config file, and you're golden. Computers are good at this sort of thing.

Andrew

P.S. presumably this was obvious to many people on the list, but I'm really getting worn out with the comments by those who are still a little new to all this.
From firewalls-owner Fri Sep 2 11:50:10 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA13540; Fri, 2 Sep 1994 16:21:22 GMT
Received: from mprgate.mpr.ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id JAA13521; Fri, 2 Sep 1994 09:20:42 -0700
Received: from norton.mpr.ca by mprgate.mpr.ca with SMTP id AA15437 (5.67b+/IDA-1.5 for ); Fri, 2 Sep 1994 09:25:17 -0700
Received: by norton.mpr.ca (4.1/SMI-4.1) id AA19438; Fri, 2 Sep 94 09:25:17 PDT
Date: Fri, 2 Sep 94 09:25:17 PDT
From: parker@mprgate.mpr.ca (Ross Parker)
Message-Id: <9409021625.AA19438@norton.mpr.ca>
To: firewalls@greatcircle.com
Subject: Screening routers...
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hi,

I'm in the process of looking for a screening router for a satellite office of my company. I've looked at Cisco, Ascom-Timeplex, Proteon, and the NetBlazer so far - I can see different capabilities in each (I'm mainly concerned with filtering capabilities), and am unclear on what all the pros/cons are.

From what I can see:

Cisco Pros:
- Source routing can be disabled
- Can filter based on 'established' vs. non-'established' connections

Cisco Cons:
- Filters only on interface output
- Filters only on destination port

Ascom-Timeplex Pros:
- Filters on interface input or output

Ascom-Timeplex Cons:
- Can't disable source routing (? - not positive about this)
- Can't filter based on established vs. non-established connections
- Can't filter on source port

Proteon Pros:
- Relatively easy to specify port ranges

Proteon Cons:
- Can't disable source routing (? - not positive about this)
- Can't filter based on established vs. non-established connections
- Can't filter on source port
- Filters only on interface output

NetBlazer Pros:
- Very easy to specify port ranges
- Can filter based on interface input or output
- 'filter lookup' command to test filters

NetBlazer Cons:
- Filters only on destination port
- Can't disable source routing

(any mods to this list would be welcome - some of this was done by looking for info in the manuals, which is often not the best way to find 'tricks' that the vendors may have done!)

I'd really like to find a router (inexpensive, of course ;^) that will allow me to:
- filter based on source or destination port
- filter based on the input or the output of an interface
- filter based on 'established' vs. non-'established' connections
- disable source routing

Is there such a beast? Any other experiences would be great - if you email me, I'll summarize to the list (assuming Brent doesn't mind ;^)

Thanks,
Ross
--
Ross Parker           | KotHFJ '88 FJ1200, '64 Matchless G80CS (500cc)
MPR Teltech Ltd.      |
Burnaby, B.C., Canada | "Lisp has all the visual appeal of oatmeal
parker@mprgate.mpr.ca | with fingernail clippings mixed in" -- Larry Wall

From firewalls-owner Fri Sep 2 12:29:03 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id RAA14041; Fri, 2 Sep 1994 17:23:35 GMT
Received: from clavin.lanhouse.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id KAA14035; Fri, 2 Sep 1994 10:23:19 -0700
Received: from localhost (john@localhost) by clavin.lanhouse.com (8.6.5/8.6.5) id JAA00694; Fri, 2 Sep 1994 09:29:51 -0401
Date: Fri, 2 Sep 1994 09:29:51 -0401
From: John Barry
Message-Id: <199409021330.JAA00694@clavin.lanhouse.com>
To: firewalls@greatcircle.com
X-Mailer: AIR Mail 2.X (SPRY, Inc.)
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

add to mailing list please

jb

From firewalls-owner Fri Sep 2 12:32:48 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id RAA14103; Fri, 2 Sep 1994 17:30:16 GMT
Received: from lehman.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id KAA14097; Fri, 2 Sep 1994 10:30:05 -0700
Received: from relay.lehman.com by lehman.com (8.6.4/LB 0.1) id NAA07166; Fri, 2 Sep 1994 13:34:33 -0400
Received: from newsu.lehman.com by relay.lehman.com (4.1/LB-0.6) id AA15924; Fri, 2 Sep 94 13:34:25 EDT
Received: from admin8452a.lehman.com by newsu.lehman.com (4.1/SMI-SVR4) id AA13381; Fri, 2 Sep 94 13:34:24 EDT
Date: Fri, 2 Sep 94 13:34:24 EDT
From: lshields@lehman.com (Larry Shields)
Message-Id: <9409021734.AA13381@newsu.lehman.com>
To: firewalls@GreatCircle.com
Subject: network management tools
Cc: lshields@lehman.com
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Does anyone know if there is a mail list for network management tools out there?

Larry
5-1902

From firewalls-owner Fri Sep 2 12:59:23 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id RAA13856; Fri, 2 Sep 1994 17:03:58 GMT
Received: from gatekeeper.ray.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id KAA13850; Fri, 2 Sep 1994 10:03:48 -0700
Received: from localhost (mailer@localhost) by gatekeeper.ray.com (8.6.4/8.6.5) id NAA02264; Fri, 2 Sep 1994 13:09:26 -0400
Received: from tif162.ed.ray.com by gatekeeper.ray.com; Fri Sep 2 13:07:50 1994
Received: (heiser@localhost) by tif162.ED.RAY.COM (8.6.9/8.6.5-BH-011794) id NAA24313; Fri, 2 Sep 1994 13:10:44 -0400
From: Bill Heiser
Message-Id: <199409021710.NAA24313@tif162.ED.RAY.COM>
Subject: Re: And the Funky Hostname Award for this week goes to:
To: fin@unet.umn.edu (Craig A. Finseth)
Date: Fri, 2 Sep 94 13:10:43 EDT
Cc: charlesb@ind.tansu.com.au, firewalls@GreatCircle.COM
In-Reply-To: <199409021303.AA23878@norge.unet.umn.edu>; from "Craig A. Finseth" at Sep 2, 94 8:03 am
X-Mailer: ELM [version 2.3 PL11]
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Craig A. Finseth wrote
>
>a whole bunch of stuff about funny hostnames.

What does this have to do with FIREWALLS???

--
These are my opinions and not those of my employer.
Bill Heiser   --> Work: heiser@ed.ray.com
  + + + +         Home: bill@bhhome.ci.net

From firewalls-owner Fri Sep 2 13:27:47 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id SAA14414; Fri, 2 Sep 1994 18:07:16 GMT
Received: from apollo.is.co.za by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id LAA14408; Fri, 2 Sep 1994 11:07:06 -0700
Received: by apollo.is.co.za (5.0/SMI-SVR4) id AA13278; Fri, 2 Sep 94 20:12:32 GMT
Date: Fri, 2 Sep 1994 20:12:31 +0200 (GMT)
From: Andras Salamon
To: Firewalls@GreatCircle.COM
Subject: Re: Archie through a screening router
In-Reply-To: <199409012240.PAA07187@mycroft.GreatCircle.COM>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
content-length: 580
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Brent Chapman writes:
> matuscak@rohrer.com (Joe Matuscak) writes:
> # Can anyone tell me what ports & protocols Archie uses?
>
> If you're using a native Archie client, it uses UDP; port 1525 on the
> server, random port above 1023 on the client.

To lay all these recurring questions to rest: is there a well-stocked services file available somewhere? I am looking for something that does more than just summarize RFC1610 (STD 1), and preferably comments on things like SGI's `dogfight' ports, standard ports for widely used MUDs, and the ICS.
From firewalls-owner Fri Sep 2 13:29:59 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id RAA14212; Fri, 2 Sep 1994 17:43:00 GMT
Received: from Orca.DREP.DND.Ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id KAA14206; Fri, 2 Sep 1994 10:42:44 -0700
From: D.Michael.Francis@DREP.DND.Ca
Received: from drep.dnd.ca by drep.dnd.ca (PMDF V4.3-7 #6643) id <01HGMTWRV20I0000F1@drep.dnd.ca>; Fri, 2 Sep 1994 10:42:09 PDT
Date: Fri, 02 Sep 1994 10:42:08 -0700 (PDT)
Subject: Re: And the Funky Hostname Award for this week goes to:
In-reply-to: <199409021303.AA23878@norge.unet.umn.edu>
To: "Craig A. Finseth"
Cc: firewalls@GreatCircle.COM
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Content-transfer-encoding: 7BIT
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

On Fri, 2 Sep 1994, Craig A. Finseth wrote:

> > | From: Egotists Anonymous (koreth@spud.Hyperion.COM)
> > | Subject: And the Funky Hostname Award for this week goes to:
> > |
> > | 129_179_75_12.cdc.com
> >
> Pity the poor buggers who have to update all the references to this host
> when it moves to another network.... and it _will_
[...]
> > I'd like to see _you_ deal with a user who comes to you with "here are
> 150 PCs going onto the network as clients."
> You really want to invent 150 names and then try to convince the user
> to use them?

Pronounceable password generator ? :)

Cheers,
--mike.
From firewalls-owner Fri Sep 2 14:24:23 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id TAA15055; Fri, 2 Sep 1994 19:18:02 GMT
Received: from sbei.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA15049; Fri, 2 Sep 1994 12:17:53 -0700
Reply-To: garyh@sbei.com
Received: from sbe1.sbei.com by sbei.com (Internet Gateway) (4.1/SMI-5.2) id AA24869; Fri, 2 Sep 94 12:24:00 PDT
Received: from sbe54.sbe by sbe1.sbei.com (4.1/SMI-4.2) id AA03125; Fri, 2 Sep 94 12:24:59 PDT
Date: Fri, 2 Sep 94 12:24:59 PDT
From: garyh@sbei.com (Gary Hasenfus)
Message-Id: <9409021924.AA03125@sbe1.sbei.com>
X-Mailer: Mail User's Shell (7.1.1 5/02/90)
To: firewalls@GreatCircle.COM
Subject: Listserver software
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hi,

I am tasked with setting up a mail list server as an adjunct to my anonymous ftp server. I am concerned about the security and flexibility of the available packages. Can some knowledgeable person(s) post on the security implications of having a list server on a firewall.

My goal for the server is to have automated account management (add/drop) and perhaps file request by mail access to my anonymous ftp tree. Do I need to use a separate ftp-by-mail package to allow this? How secure are those packages?

Thanks,
-- garyh@sbei.com --

/-----------------------\_/----------------------------------\
| SBE Inc.               | Internet: garyh@sbei.com           |
| Gary D. Hasenfus       | UUNET: uunet.uu.net!sbei!garyh     |
| 4550 Norris Canyon Rd. | Voice: (510) 355-7726              |
| San Ramon, Ca. 94583   | FAX: (510) 355-2020                |
\_______________________/-\__________________________________/
--EOM--

From firewalls-owner Fri Sep 2 14:26:54 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id TAA15104; Fri, 2 Sep 1994 19:21:17 GMT
Received: from chinacat.unicom.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA15084; Fri, 2 Sep 1994 12:20:41 -0700
Received: (from chip@localhost) by chinacat.unicom.com (8.6.9/8.6.9) id OAA25276 for firewalls@greatcircle.com; Fri, 2 Sep 1994 14:23:12 -0500 (CDT)
From: Chip Rosenthal
Message-Id: <199409021923.OAA25276@chinacat.unicom.com>
Subject: is port 20 a requirement?
To: firewalls@greatcircle.com (The Firewalls Mailing List)
Date: Fri, 2 Sep 1994 14:23:10 -0500 (CDT)
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1256
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

My packet filter refuses inbound attempts to establish a TCP connection unless either: (1) the destination host and protocol are allowed (e.g. port SMTP on host chinacat.unicom.com) or (2) the request looks like an attempt to establish an FTP data backchannel. Part of #2 is ensuring that the request comes from port 20 on the originating machine.

I have since stumbled across one anon ftp site that originates the backchannel from a random unprivileged port and not port 20. (I contacted the hostmaster and confirmed my guess he is running an ftpd that renounces root privs.)

Two questions. First, is the use of port 20 for ftp-data mandated? I've been through both the FTP and Host Requirements RFCs and did not see anything that said it was. The Assigned Numbers RFC references the FTP RFC for port 20, but RFC959 makes no mention of it. If port 20 *is* mandated, can anybody furnish a reference?

Second, is the non-use of port 20 common enough such that I need to rethink my packet filter strategy?
Please...no flames on the (un)trustworthiness of remote port numbers.

--
Chip Rosenthal 512-447-0577 | I figure the odds be fifty-fifty
Unicom Systems Development  | I just might have some thing to say.
                            | -FZ

From firewalls-owner Fri Sep 2 14:28:58 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id VAA16451; Fri, 2 Sep 1994 21:20:51 GMT
Received: from LABS-N.BBN.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA16444; Fri, 2 Sep 1994 14:20:40 -0700
Message-Id: <199409022120.OAA16444@mycroft.GreatCircle.COM>
Date: Fri, 2 Sep 94 17:24:29 EDT
From: Michael Laufer
To: firewalls@greatcircle.com
cc: mlaufer@BBN.COM
Subject: Router Filter Testing
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Does anyone have experience or suggestions about doing automated testing of router filters for Wellfleet (or other) routers?

I am dealing with a client with a large network of Wellfleet routers (100+) and we will be implementing filter rules on all of the interfaces of every router (3-6+ interfaces per/router). This is to help enforce security and connectivity selectively per interface and subnet as well as interfaces to external nets. This means IP filters on source and destination addresses as well as on IP protocols and TCP and UDP ports. This results in a lot of rules for each interface and often very complicated rules.

We know what we are doing (I hope) and we sometimes do not get the rules right. With this level of complication it is not reasonable to expect normal network administrators/operators to get it right all of the time. We have been using HP Net Advisors and Alantec PowerBits in the lab to test things out but for this scale and number of filters we would really like to find some automated tools.
Michael Laufer
mlaufer@bbn.com
(410)290-5008

From firewalls-owner Fri Sep 2 15:16:13 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id SAA14698; Fri, 2 Sep 1994 18:32:52 GMT
Received: from shadow.aga.cdc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id LAA14690; Fri, 2 Sep 1994 11:32:33 -0700
Received: by shadow.aga.cdc.com (940406.SGI/890607.SGI/930716.cgj) (for firewalls@GreatCircle.COM) id AA15335; Fri, 2 Sep 94 14:35:35 -0400
From: gordon@shadow.aga.cdc.com (C. Gordon Jenkins)
Message-Id: <9409021835.AA15335@shadow.aga.cdc.com>
Subject: Re: And the Funky Hostname Award for this week goes to:
To: huntting@csn.org (Brad Huntting)
Date: Fri, 2 Sep 1994 14:35:34 -0400 (EDT)
Cc: blymn@awadi.com.au, charlesb@ind.tansu.com.au, firewalls@GreatCircle.COM
In-Reply-To: <199409021422.AA17997@csn.org> from "Brad Huntting" at Sep 2, 94 08:22:44 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1950
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Brad Huntting writes:
>
> > >> | Subject: And the Funky Hostname Award for this week goes to:
> > >> | 129_179_75_12.cdc.com
>
> >Pity the poor buggers who have to update all the references to this host
> >when it moves to another network.... and it _will_
>
> Are you sure this is the same name the host uses _inside_ the
> firewall?
>
> My workstation at U S WEST used to be known to the Internet at large as
> H130-13-17-11.uswest.com or some such (at least that's what the PTR
> records told the rest of the world). But the internal DNS called it
> futureworld.advtech.uswest.com. Don't blame me, I inherited the DNS
> hiding mandate.
>
> The 129_179_75_12.cdc.com domain name is a bad choice for two reasons:
> First, it begins with a number (this may not violate an rfc, but it
> will break plenty of other things), second it uses underscores (which
> will make it difficult for you to send mail to ibm :-).
>
>
> brad
>

While I'm not in charge of our DNS and can't speak with utmost authority wrt this particular address, in general we hide most of our internal DNS structure (or we are supposed to). In addition, we have many workstations (like Macintoshes) which sit behind routers that provide their IP address dynamically and have little requirement for a friendly name but do need _some_ name for reverse mapping in order to access places like uunet, etc.

I agree that 129_179_75_12.cdc.com is a poor choice and will bring it to the attention of the appropriate folks.

p.s. We don't manufacture mainframes or anyframes these days, we're into that systems integration thing with a strong focus in providing electronic messaging integration with X.400/SMTP backbones and X.500 directory services.

-- gj
--
C. Gordon Jenkins             tel: +1 404 641 4522   fax: +1 404 641 4502
Control Data Systems, Inc.    email: Gordon.Jenkins@cdc.com

From firewalls-owner Fri Sep 2 15:21:35 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id SAA14689; Fri, 2 Sep 1994 18:32:21 GMT
Received: from zeus.cdc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id LAA14682; Fri, 2 Sep 1994 11:31:50 -0700
Received: from localhost by zeus.cdc.com; Fri, 2 Sep 94 13:36:09 -0500
Default-Recipient-Options: report nonreceipt, no reply, return content
To: gordon@torrie.org (Gordon Torrie), mnorris@dalkey.hea.ie, koreth@spud.Hyperion.COM
cc: firewalls@GreatCircle.COM
Subject: Re: And the Funky Hostname Award for this week goes to: (fwd)
In-reply-to: Your message of Fri, 02 Sep 94 09:15:34 EDT. <9409021315.AA14403@shadow.aga.cdc.com>
Sensitivity: personal
Importance: normal
Priority: non-urgent
Delivery-Options: allow alternate recipients, return content, allow conversion, mask P1 recipients
X-Mailer: xemh [version 2.11]
Organization: Control Data Systems, Inc.
Date: Fri, 02 Sep 94 13:36:08 -0500
From: Bill Gaupp
Message-Id: <2e67709971ce002@zeus.cdc.com>
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> Mike Norris writes:
> > From firewalls-owner@GreatCircle.COM Fri Sep 2 05:04:49 1994
> > Date: Fri, 02 Sep 1994 09:18:08 +0100
> > From: Mike Norris
> > Subject: Re: And the Funky Hostname Award for this week goes to:
> > In-Reply-To: Your message of "Thu, 01 Sep 94 22:50:17 EDT."
> >
> > Sender: Firewalls-Owner@GreatCircle.COM
> > To: gordon@torrie.org (Gordon Torrie)
> > Cc: firewalls@GreatCircle.COM, mnorris@dalkey.hea.ie
> >
> >
> > >| Reference the current discussion of DNS information hiding... :-)
> > >[...]
> > >|
> > >| From: Egotists Anonymous (koreth@spud.Hyperion.COM)
> > >| Subject: And the Funky Hostname Award for this week goes to:
> > >|
> > >| 129_179_75_12.cdc.com
> > >|
> > >| Now, I've heard of uncreative host naming, but that's ridiculous.
> > >
> > >Well it does have the advantage of not revealing either the hardware
> > >type or the name of the project that this host has been assigned to.
> > >:-)
> >
> > Sure, RFC1178 advises against such things, but it also says to avoid
> > a hostname beginning with a digit - maybe there should be a leading
> > underscore ;-)
> >
> > Maybe they've run out of really useful names - it's bound to happen.
> >
> > Mike Norris

Thanks for the award! :-)

To end the speculation, the name algorithm _was_, in fact, picked for information hiding. (Mostly to satisfy all the servers using the &^%$#@! double-reverse DNS lookup algorithm.) All of our internal nameservers return more traditional names.
I wasn't aware of the RFC1178 advisory against beginning a hostname with a digit (so many RFCs, so little time) so I may have to rethink that. How about "internal_129_179_75_12.cdc.com" ? That long enough for all you typing-phobics? Thanks, Bill Gaupp internet: wvg@cdc.com Enterprise Management Center X.400: /pn=William.V.Gaupp/ou=zeus/o=/ Control Data Systems, Inc. /prmd=cdc/admd=attmail/c=us/ 4201 Lexington Avenue North AT&T: (612) 482-4127 Arden Hills, MN 55126-6198 pager: (612) 530-1237 From firewalls-owner Fri Sep 2 15:23:55 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id UAA15590; Fri, 2 Sep 1994 20:05:12 GMT Received: from uvs1.orl.mmc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA15578; Fri, 2 Sep 1994 13:04:52 -0700 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA16961; Fri, 2 Sep 94 15:54:48 -0400 Date: Fri, 2 Sep 94 15:54:48 -0400 Message-Id: <9409021954.AA16961@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: Why assign names to *everyone* ? Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Craig writes: >However, they still need names in the DNS so that they can X/Windows >and FTP _out_. Do not understand, why do you need to assign *names* ? We have several thousand TCP/IP platforms here and while a large number have been given names, this is by no means all and names must be requested. All do have IP addresses (or BOOTP ranges) and many are able to perform all necessary functions without a name (in this case the IP address appears in the PATH or Received: from header line). I have even seen FTP and SMTP servers set up this way. Certainly a firewall or filter has no need of a name (and security does not benefit from using something like xxx_7000 for routers - particularly if the password is five letters ending in "o"). 
Warmly, Padgett From firewalls-owner Fri Sep 2 17:23:01 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id WAA17164; Fri, 2 Sep 1994 22:25:51 GMT Received: from netcomsv.netcom.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id PAA17158; Fri, 2 Sep 1994 15:25:41 -0700 Received: from seagate.UUCP by netcomsv.netcom.com with UUCP (8.6.4/SMI-4.1) id PAA07473; Fri, 2 Sep 1994 15:18:03 -0700 Received: by notes.seagate.com (UUPC/extended 1.11q); Fri, 02 Sep 1994 13:16:43 EDT Date: Fri Sep 02 13:16:43 1994 From: "Dan Thorson" Message-ID: <2e675dfc.seagate@notes.seagate.com> Organization: Seagate Technology Reply-To: "Dan Thorson" To: firewalls@GreatCircle.COM Subject: Re: And the Funky Hostname Award for this week goes to: Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Has anybody else figured out that this is a bogus hostname in CDC's "external" dns? Obviously CDC is not using an xx_xx_xx_xx.cdc.com style address "inside". 
dct -- Dan Thorson -- Dan_Thorson@notes.seagate.com ------------------------------------------------------------------------- Seagate Technology - 920 Disc Drive - Scotts Valley, CA 95066 USA Main Phone 408-438-6550 - Email Problems postmaster@notes.seagate.com Technical Support: BBS 408-438-8771 Fax 408-438-8137 Voice 408-438-8222 ------------------------------------------------------------------------- ### OGATE Version 8 message trace and attachment information: ### MsgFileName: m:\mgate\outbound\332.MSG ### Org Date: 09-02-94 09:46:11 AM ### From: Dan Thorson@SEAGATE ### To: firewalls @ GreatCircle.COM @ internet ### Subject: Re: And the Funky Hostname Award for this week goes to: ### Attachments: none From firewalls-owner Fri Sep 2 17:29:51 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id XAA18090; Fri, 2 Sep 1994 23:52:08 GMT Received: from vms.macc.wisc.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA18083; Fri, 2 Sep 1994 16:52:00 -0700 Received: from VMSmail by vms.macc.wisc.edu; Fri, 02 Sep 94 18:56 CDT Message-Id: <24090218564989@vms.macc.wisc.edu> Date: Fri, 02 Sep 94 18:56 CDT From: Larry Caruso Subject: Help To: FIREWALLS@GREATCIRCLE.COM X-VMS-To: IN%"firewalls@greatcircle.com",CARUSOLR Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk help From firewalls-owner Fri Sep 2 18:06:57 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id XAA17970; Fri, 2 Sep 1994 23:28:48 GMT Received: from unixg.ubc.ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA17964; Fri, 2 Sep 1994 16:28:38 -0700 Received: by unixg.ubc.ca (4.1/1.14) id AA05662; Fri, 2 Sep 94 16:33:45 PDT Date: Fri, 2 Sep 1994 16:33:45 -0700 (PDT) From: Jim Hamlin To: firewalls@greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk signoff firewalls From firewalls-owner 
Fri Sep 2 18:30:05 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id AAA18372; Sat, 3 Sep 1994 00:30:26 GMT Received: from cs.umb.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id RAA18366; Fri, 2 Sep 1994 17:30:16 -0700 Received: from terminus.cs.umb.edu by cs.umb.edu with SMTP id AA09689 (5.65c/IDA-1.4.4 for ); Fri, 2 Sep 1994 20:34:55 -0400 Message-Id: <199409030034.AA09689@cs.umb.edu> To: firewalls@greatcircle.com Subject: Re: Proposed Firewall Configuration In-Reply-To: Your message of "Wed, 31 Aug 1994 19:22:21 EDT." <199408312320.QAA26639@mycroft.GreatCircle.COM> Date: Fri, 02 Sep 1994 20:34:54 -0400 From: "John P. Rouillard" Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk In message <199408312320.QAA26639@mycroft.GreatCircle.COM>, smb@research.att.com writes: > We thought that connecting each bastion host to the perimeter > network via a bridge would limit the traffic that could be > sniffed to just the traffic exchanged by the bastion host. > For example, if an intruder captured the anonymous ftp bastion > host and installed a sniffer, the intruder would not be able > to capture any SMTP traffic (which is handled by a different > bastion host). We believe the bridges to be sufficient for > this purpose and do not understand how adding an additional > router on the perimeter network would achieve the same > effect. > >Such bridges are a good idea. Another possibility is to use a ``smart'' >10BaseT hub. Riding on smb's coat tails, I agree. The real question is what you want to do with the "bridges". If you are looking for some extra filtering/logging to add suspenders to the bastion belts, then a filtering bridge (e.g. Karl Bridge) will do the trick. If on the other hand you are simply worried about sniffing attacks, the intelligent 10bT hubs are a better (dumber, less easily attacked) bet. It again depends on what you are defending against. 
Depending on the client I have used both, however I do make sure that I have some way of disabling the hub remotely just in case I need to chop the internet connection due to anomalies on the interior nets. -- John John Rouillard Senior Systems Administrator IDD Information Services rouilj@dstar.iddis.com Waltham, MA (617) 890-1576 x225 Senior Systems Consultant (SERL Project) University of Massachusetts at Boston rouilj@cs.umb.edu (preferred) Boston, MA, (617) 287-6480 =============================================================================== My employers don't acknowledge my existence much less my opinions. From firewalls-owner Fri Sep 2 19:28:37 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id BAA19052; Sat, 3 Sep 1994 01:43:58 GMT Received: from twogwn.canada.ncr.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id SAA19042; Fri, 2 Sep 1994 18:43:41 -0700 Message-Id: <199409030143.SAA19042@mycroft.GreatCircle.COM> Subject: Re: Screening routers... To: firewalls@greatcircle.com Date: Fri, 2 Sep 1994 21:48:16 -0400 (EDT) From: Greg Nenych In-Reply-To: <9409021625.AA19438@norton.mpr.ca> from "Ross Parker" at Sep 2, 94 09:25:17 am Reply-To: greg.nenych@canada.ncr.com X-Mailer: ELM [version 2.4 PL21] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Content-Length: 288 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Ross Parker writes: > Cisco Cons: > > - Filters only on interface output Not true as of IOS release 9.21 and above. - Greg -- Greg Nenych 1.905.819.4122 AT&T Global Information Solutions Canada Ltd. 
6865 Century Ave, Mississauga, Ontario, Canada, L5N 2E2 From firewalls-owner Fri Sep 2 20:18:44 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id CAA19324; Sat, 3 Sep 1994 02:19:00 GMT Received: from netcom13.netcom.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id TAA19311; Fri, 2 Sep 1994 19:18:44 -0700 Received: by netcom13.netcom.com (8.6.8.1/Netcom) id TAA00451; Fri, 2 Sep 1994 19:24:18 -0700 Date: Fri, 2 Sep 1994 19:24:18 -0700 From: pascal@netcom.com (Richard A Childers) Message-Id: <199409030224.TAA00451@netcom13.netcom.com> To: Firewalls@GreatCircle.COM Subject: It's Not A Bug - It's A Feature Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk "From: padgett@tccslr.dnet.mmc.com ... Date: Fri, 2 Sep 94 11:40:33 -0400 Subject: It's not a bug, it's a feature. ">I don't think the current suite of Internet protocols is anywhere >near as secure as it ought to be (without losing legitimate services), >however. It is horrible that IP addresses cannot be trusted. ... etc. < omitted > "Without "mix and match" IPs, BOOTP would be much more difficult to implement and IPs would have to be assigned to every machine and not just those in use. - an IP is merely a mailing address and like a surface address does not constitute a legal description of the property *nor should it*." Hear, hear !!! "The fact is that the Internet is positioned squarely on the "A" for availability of the CIA triangle deliberately and would probably have not been nearly as successful if it had not been." < ahem > Would you be so kind as to expand on this "CIA" triangle ? Direct email would be fine if it doesn't pertain to firewalls management. < insert sound of UUNET filters going off :-> -- richard ( dude what newgrp'd alt.conspiracy :-) Law : The science of assigning responsibility. Politics : The art of _distributing_ responsibility. 
richard childers san francisco, california pascal@netcom.com From firewalls-owner Sat Sep 3 10:30:30 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA23716; Sat, 3 Sep 1994 16:40:43 GMT Received: from unixg.ubc.ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id JAA23698; Sat, 3 Sep 1994 09:40:25 -0700 Received: by unixg.ubc.ca (4.1/1.14) id AA23307; Sat, 3 Sep 94 08:52:08 PDT Date: Sat, 3 Sep 1994 08:52:08 -0700 (PDT) From: Jim Hamlin To: firewalls@greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk help From firewalls-owner Sat Sep 3 12:29:16 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id SAA24389; Sat, 3 Sep 1994 18:29:15 GMT Received: from unixg.ubc.ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id LAA24381; Sat, 3 Sep 1994 11:29:08 -0700 Received: by unixg.ubc.ca (4.1/1.14) id AA00321; Sat, 3 Sep 94 11:34:18 PDT Date: Sat, 3 Sep 1994 11:34:17 -0700 (PDT) From: Jim Hamlin To: firewalls@greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk LEAVE FIREWALLS From firewalls-owner Sat Sep 3 14:29:53 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id UAA24950; Sat, 3 Sep 1994 20:37:04 GMT Received: from mycroft.GreatCircle.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA24943; Sat, 3 Sep 1994 13:36:58 -0700 Message-Id: <199409032036.NAA24943@mycroft.GreatCircle.COM> To: Jim Hamlin cc: firewalls@greatcircle.com In-reply-to: Your message of Sat, 3 Sep 1994 11:34:17 -0700 (PDT) Date: Sat, 03 Sep 1994 13:36:57 -0700 From: Brent Chapman Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Jim Hamlin writes: # LEAVE FIREWALLS By long-standing convention on the Internet, administrative 
requests concerning Internet mailing lists should be sent to "-request" at the site where the list lives; for example, administrative requests concerning Firewalls@GreatCircle.COM should be sent to Firewalls-Request@GreatCircle.COM. This is true for almost every mailing list on the Internet (I'm tempted to say "every mailing list", but I'm sure there are a small handful of exceptions). In the particular case of Firewalls, you'll get back a recording from Firewalls-Request that tells you how to use Majordomo to handle your request. People get very annoyed when other people send administrative requests to the list as a whole. -Brent -- Brent Chapman | Great Circle Associates | Call or email for info about Brent@GreatCircle.COM | 1057 West Dana Street | upcoming Internet Security +1 415 962 0841 | Mountain View, CA 94041 | Firewalls Tutorial dates From firewalls-owner Sat Sep 3 18:30:16 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id BAA26489; Sun, 4 Sep 1994 01:12:36 GMT Received: from uvs1.orl.mmc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id SAA26483; Sat, 3 Sep 1994 18:12:27 -0700 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA18951; Sat, 3 Sep 94 21:01:46 -0400 Date: Sat, 3 Sep 94 21:01:46 -0400 Message-Id: <9409040101.AA18951@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: CIA Triangle Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Since I have received a large number of requests from Firewalls readers for clarification, a short divergence from strict Firewalls comment to a bit of background would seem appropriate (is this in a FAQ ?). The CIA triangle as brilliantly put forth by SRI's Donn Parker (gratuitous comparison to the national bird omitted) is very simple: Envision an equilateral triangle. 
On one corner place "Confidentiality", on another "Integrity", and on the third "Availability". All systems exist somewhere within this logical space. In order to increase Confidentiality you must take away from either or both of the other two. In general, most domains exist somewhere in the middle with attention paid to all three and compromises accepted. The "Orange Book" and "Rainbow Series" address Confidentiality only. The "Federal Criteria" (now becoming the international "Common Criteria") attempts to address all three. The Arpanet/Milnet/Internet (25th birthday next month 8*) had one purpose and one purpose *only*: survivable communications in the event of a nuclear attack. C & I are the responsibility of the user (RFC 1281). That's it in a nutshell (and one screen). Warmly, Padgett From firewalls-owner Sat Sep 3 23:29:10 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id FAA28057; Sun, 4 Sep 1994 05:31:55 GMT Received: from networx.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id WAA28051; Sat, 3 Sep 1994 22:31:46 -0700 Received: from iridium (iridium.networx.com [192.245.234.11]) by networx.com (8.6.8.1/8.6.6) with SMTP id WAA06136 for ; Sat, 3 Sep 1994 22:36:18 -0700 From: "Christopher A. Stewart" Received: by iridium (5.0) id AA10606; Sat, 3 Sep 1994 22:36:06 +0800 Date: Sat, 3 Sep 1994 22:36:06 +0800 Message-Id: <9409040536.AA10606@iridium> To: firewalls@greatcircle.com Subject: I'm lazy.. Reply-To: stewart@networx.com content-length: 578 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk So if someone has done the following could you share it? I would like a version of the cu-sudo-v1.3 that uses the S/Key code from logdaemon-6.3.. If not I'll do the work, but I thought I'd check first.. I haven't seen this anywhere, so sorry if I'm going over old territory.. -- ---------------------------------------------------------------------- Christopher A. 
Stewart | (Standard disclaimers are in effect) System/Network Administrator | Legent Corp. Networx Div. | Bellevue, Wa. 98004 | Voice (206)-688-2154 | Fax (206)-688-2050 | From firewalls-owner Sun Sep 4 08:28:49 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA00604; Sun, 4 Sep 1994 14:50:41 GMT Received: from relay1.pipex.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA00598; Sun, 4 Sep 1994 07:50:32 -0700 Received: from smtpgty.saicuk.co.uk by relay1.pipex.net with SMTP (PP) id <29288-0@relay1.pipex.net>; Sun, 4 Sep 1994 15:54:28 +0100 Received: by smtpgty.saicuk.co.uk with Microsoft Mail id <2E69EA20@smtpgty.saicuk.co.uk>; Sun, 04 Sep 94 15:39:12 GMT From: "Johnson-Bryden, Ian" To: "'Firewalls@GreatCircle.COM'" Subject: Assurance, Availability, & Integrity Date: Sun, 04 Sep 94 14:46:00 GMT Message-ID: <2E69EA20@smtpgty.saicuk.co.uk> Encoding: 39 TEXT X-Mailer: Microsoft Mail V3.0 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk At the risk of generating flame mail on obscure subjects, I would make some observations on the 'CIA triangle' conversations. The first known use of the particular diagram was in the mid 1940s in the UK by the Royal Signals and Radar Establishment, some years before the advent of the CIA. The RSRE electronics specialist who made that presentation claims to have based it on a view expressed in ancient Greece, so nothing is new. The ITSEC driving countries, UK, Netherlands, Germany and France agreed the ITSEC draft in 1990 and although TCSEC does not measure outside Assurance, ITSEC certainly does. Products and systems evaluated and certified under ITSEC since January 1991 are reported on this basis. For example, TCSEC C2 = ITSEC F-C2/E2 FC-FIPS drew heavily on ITSEC. 
The international Common Criteria is supposed to develop from the joint efforts of the sponsors who are: European Union (representing the ITSEC driving countries and the existing and prospective Member countries of the EU), the Government of the United States of America (through NCSC and NIST) and the Government of Canada. The objective is to establish a common criteria for mutual acceptance by these nations and the encouragement of other nations to mutually accept the CC. That means that the CC will evolve before being accepted and, at present, existing criteria continue in use. The International Invitational Workshop held in June 94 in support of the CC programme produced several divergent views and demonstrated a number of vested interests. Therefore, progress may not be as rapid as many of us hope. I would suggest that this activity should be of keen interest to firewallers because it has many implications for the development of risk policies and for procurement of technology. The primary objective behind the ITSEC programme was to make effective and appropriate risk management of IT systems available and affordable to all users. Ian J-B. From firewalls-owner Sun Sep 4 17:29:26 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id XAA03051; Sun, 4 Sep 1994 23:53:39 GMT Received: from relay.tis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA03045; Sun, 4 Sep 1994 16:53:33 -0700 Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma027000; Sun Sep 4 19:58:40 1994 Received: from otter.tis.com. 
by tis.com (4.1/SUN-5.64) id AA25471; Sun, 4 Sep 94 19:56:59 EDT Date: Sun, 4 Sep 94 19:56:59 EDT From: Marcus J Ranum Message-Id: <9409042356.AA25471@tis.com> To: firewalls@greatcircle.com Subject: fyi Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Path: shemesh.tis.com!uunet!gatech!udel!news.sprintlink.net!sun.cais.com!news.cais.com!cais.cais.com!bass From: bass@cais.cais.com (Tim Bass (Network Systems Engineer)) Newsgroups: comp.security.unix Subject: ALERT: HP LanProbes and NetMetrix Date: 4 Sep 1994 03:31:40 GMT Organization: Capital Area Internet Service Lines: 14 Message-ID: <34bf2s$68l@news.cais.com> NNTP-Posting-Host: cais.com X-Newsreader: TIN [version 1.2 PL2] I debated a week to post this, but thought that if the shoe was on the other foot, I would want to know this...... I just set up NetMetrix from HP to talk to our HP LanProbes. The protocol analyzer tool in NetMetrix can capture packets remotely with the LanProbes. The HP LanProbes ship with default SNMP community strings. Anyone with NetMetrix can capture packets and PASSWORDS if LanProbe users are negligent and do not change the default community strings and access control configuration. Beware LanProbe users! Change your community strings to GOOD passwords and put in IP address access control. The default configuration is a gaping security hole. 
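An added example for the LanProbe alert above; it is my code, not HP's and not the original poster's. The point of the alert is that an SNMPv1/v2c community string is a cleartext OCTET STRING sitting right after the version field of every message, so anyone on the wire can read it and anyone who knows a default can issue requests. The script below encodes constructed GetRequest packets with a minimal BER encoder (so it runs offline), then parses them back the way a sniffer-side audit would and flags defaults and short strings. The list of well-known default community strings, the OIDs and the 192.0.2.x source addresses are assumptions; the post does not say which defaults HP shipped.

```python
"""Flag SNMPv1/v2c messages carrying default or weak community strings.

Added example, not HP or LanProbe code.  Packets are constructed here
with a minimal BER encoder; OIDs, addresses and the default list are
assumptions for illustration.
"""

# Assumed set of widely shipped defaults; extend for your own gear.
DEFAULT_COMMUNITIES = {"public", "private", "monitor", "manager", "secret"}


def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(value: int) -> bytes:
    """INTEGER in minimal two's-complement form."""
    n = max(1, (value.bit_length() + 8) // 8)
    return _tlv(0x02, value.to_bytes(n, "big", signed=True))


def _ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """Encode an SNMPv1 Message{version=0, community, GetRequest-PDU} (RFC 1157)."""
    varbind = _tlv(0x30, _ber_oid(oid) + b"\x05\x00")        # OID + NULL value
    pdu = _tlv(0xA0, _ber_int(request_id) + _ber_int(0)       # error-status
               + _ber_int(0) + _tlv(0x30, varbind))           # error-index, varbinds
    return _tlv(0x30, _ber_int(0) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, next_pos) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_community(packet: bytes):
    """Return (version, community) from a raw SNMP message, or None if malformed."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        return None
    tag, ver, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        return None
    tag, comm, _ = _read_tlv(msg, pos)
    if tag != 0x04:
        return None
    return int.from_bytes(ver, "big", signed=True), comm.decode("latin-1")


def audit(packets):
    """Flag (source, community, reason) for default or short community strings."""
    findings = []
    for src, pkt in packets:
        parsed = parse_community(pkt)
        if parsed is None:
            continue
        _version, community = parsed
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((src, community, "default community string"))
        elif len(community) < 8:
            findings.append((src, community, "community string shorter than 8 chars"))
    return findings


# Constructed traffic: a default, a reasonable string, and a short one.
SAMPLE_PACKETS = [
    ("192.0.2.10", build_get_request("public", "1.3.6.1.2.1.1.1.0")),
    ("192.0.2.11", build_get_request("Xk7#pq92L", "1.3.6.1.2.1.1.5.0")),
    ("192.0.2.12", build_get_request("lan", "1.3.6.1.2.1.1.1.0")),
]

if __name__ == "__main__":
    for src, community, reason in audit(SAMPLE_PACKETS):
        print(f"{src}: {reason} ({community!r})")
```

Feed `audit()` the UDP/161 payloads from a capture instead of `SAMPLE_PACKETS` and it becomes a check that your LanProbes and other agents are no longer answering to the strings they shipped with; pair it with the address-based access control the post recommends, since a strong community string still travels in the clear.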
From firewalls-owner Mon Sep 5 06:29:08 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA06856; Mon, 5 Sep 1994 13:04:57 GMT Received: from ixgate02.dfnrelay.d400.de by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id GAA06850; Mon, 5 Sep 1994 06:04:50 -0700 From: netadm@dwd.d400.de X400-Received: by mta d400relay in /PRMD=dfnrelay/ADMD=d400/C=de/; Relayed; Mon, 5 Sep 1994 15:11:08 +0200 X400-Received: by /PRMD=dwd/ADMD=d400/C=de/; Relayed; Mon, 5 Sep 1994 15:09:07 +0200 Date: Mon, 5 Sep 1994 15:09:07 +0200 X400-Originator: netadm@dwd.d400.de X400-Recipients: non-disclosure:; X400-MTS-Identifier: [/PRMD=dwd/ADMD=d400/C=de/;19CE2E6B1873001-mailer.t25] X400-Content-Type: P2-1984 (2) Content-Identifier: 19CE2E6B1873001 Priority: Non-Urgent Alternate-Recipient: Allowed Message-ID: <9409051308.AA06602@mfc.za-offenbach.dwd.d400.de> To: firewalls@greatcircle.com (Non Receipt Notification Requested) (IPM Return Requested) Sensitivity: Personal Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk help From firewalls-owner Mon Sep 5 07:29:33 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA07364; Mon, 5 Sep 1994 14:25:48 GMT Received: from uu10.psi.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA07358; Mon, 5 Sep 1994 07:25:41 -0700 Received: from sbi.com by uu10.psi.com (5.65b/4.0.061193-PSI/PSINet) via SMTP; id AA23240 for firewalls@greatcircle.com; Mon, 5 Sep 94 10:30:10 -0400 Received: from wet (dry) by internet.sbi.com (4.1/SMI-4.1) id AA20206; Mon, 5 Sep 94 10:17:02 EDT Received: from denmark.sbil.co.uk by wet (4.1/SMI-4.0) id AA14988; Mon, 5 Sep 94 15:17:01 BST Received: by denmark.sbil.co.uk (4.1/SMI-4.1) id AA13627; Mon, 5 Sep 94 15:17:00 BST Date: Mon, 5 Sep 94 15:17:00 BST Message-Id: <9409051417.AA13627@denmark.sbil.co.uk> From: Tim Kempster Subject: Remove from mail list To: firewalls@greatcircle.com X-Affiliation: Salomon 
Brothers International Limited X-Mailer: Sendmail/Ream version 5.1.23 (The Choice for a New Generation) Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk remove tim.kempster@sbil.co.uk From firewalls-owner Mon Sep 5 18:28:59 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id AAA10700; Tue, 6 Sep 1994 00:30:29 GMT Received: from PCC.SSW.DHHS.GOV by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id RAA10694; Mon, 5 Sep 1994 17:30:16 -0700 Received: from OSPSNADS.SSW.DHHS.GOV by PCC.SSW.DHHS.GOV (Soft-Switch Central V4L380P3); 05 Sep 1994 20:33:20 GMT Message-Id: Date: 05 Sep 1994 20:33:20 GMT From: "Soft*Switch Gateway/" Subject: Undeliverable Message To: Firewalls@GREATCIRCLE.COM Comment: MEMO 1994/09/05 20:33:06 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk To: SSWGATE@B11WDC-OV06B@Servers[OSPAFHAS.ALC] SSWGATE@B11WDC-OV06B@Servers[*Firewalls-Digest@GreatCircle.COM] Cc: Subject: Firewalls Digest V3 #302 Message not delivered to recipients below. Press F1 for help with VNM error codes. 
VNM3036: ALC@OSPAFHAS ---------------------------- [Message Follows] --------------------------------- Enclosure: Memo Text Format: PC Text File From firewalls-owner Mon Sep 5 21:29:21 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id EAA11687; Tue, 6 Sep 1994 04:10:34 GMT Received: from uu10.psi.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id VAA11681; Mon, 5 Sep 1994 21:10:25 -0700 Received: from sbi.com by uu10.psi.com (5.65b/4.0.061193-PSI/PSINet) via SMTP; id AA06933 for Firewalls-Digest@greatcircle.com; Tue, 6 Sep 94 00:18:41 -0400 Received: from sbi.sbi.com by internet.sbi.com (4.1/SMI-4.1) id AA06763; Tue, 6 Sep 94 00:15:31 EDT Received: from mr_magoo.sbi.com by sbi.sbi.com (4.1/SMI-4.1) id AA17213; Tue, 6 Sep 94 00:15:30 EDT Received: from barney.spt1.sbi.com by mr_magoo.sbi.com (4.1/SMI-4.1) id AA04476; Tue, 6 Sep 94 00:15:29 EDT Date: Tue, 6 Sep 94 00:15:29 EDT From: wayne@internet.sbi.com (Wayne Schmidt) Message-Id: <9409060415.AA04476@mr_magoo.sbi.com> To: Firewalls-Digest@greatcircle.com Subject: subscribe Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk add wayne@barney.sbi.com From firewalls-owner Mon Sep 5 22:29:49 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id FAA12266; Tue, 6 Sep 1994 05:17:39 GMT Received: from sdwsys by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id WAA12255; Mon, 5 Sep 1994 22:17:24 -0700 Received: by sdwsys (Linux Smail3.1.28.1 #20) id m0qhpQh-0009yzC; Tue, 6 Sep 94 01:34 GMT Message-Id: From: sdw@lig.net (Stephen D. Williams) Subject: Re: TIS firewall on a PC? 
To: mjr@tis.com (Marcus J Ranum) Date: Tue, 6 Sep 1994 01:34:35 +0000 (GMT) Cc: firewalls@GreatCircle.COM, steveg@cseic.saic.com In-Reply-To: <9408300229.AA18945@tis.com> from "Marcus J Ranum" at Aug 29, 94 10:29:06 pm X-Mailer: ELM [version 2.4 PL24alpha3] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1327 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > > > >Is there a version of the TIS firewall toolkit that can run on a PC? > > Not under DOS, Windows or NT. :) ... > You can run it on SCO with a little bit of fiddling. > > I'll observe that BSDI is a real nice platform to run the > toolkit on. It's fast, cheap, and kernel sources are affordable, > if you want to make sure that source-routing is *REALLY* squelched. :) > The toolkit's next version will be targeted with BSDI being the > host platform, instead of SunOS/BSD [this is not a big deal, it's just > a few flags in Makefile.conf]. The TIS Gauntlet is a 486/66 running > BSDI, with the toolkit and a few other nice things. > > mjr. It is a near-term project of mine to run TIS toolkit and screend on Linux. Certain versions are very stable and networking-complete and I'm very familiar with the networking portions of the kernel. sdw -- Stephen D. Williams Local Internet Gateway Co.; SDW Systems 513 496-5223APager LIG dev./sales Internet: sdw@lig.net OO R&D Source Dist. By Horse: 2464 Rosina Dr., Miamisburg, OH 45342-6430 Comm. Consulting ICBM: 39 34N 85 15W I love it when a plan comes together Newbie Notice: (Surfers know the score...) I speak for LIGCo., CCI, myself, and no one else, regardless of where it is convenient to post from or thru. 
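An added example prompted by mjr's remark above about making sure source routing is really squelched; it is not TIS toolkit, BSDI or Linux kernel code. A host that honours the Loose (LSRR, option type 131) or Strict (SSRR, type 137) Source Route option lets the sender dictate the return path, which is what makes address-based filtering unsafe in its presence. The filter below walks the IPv4 option list (RFC 791), drops any datagram carrying either option, and also drops datagrams whose header is too short or whose option lengths do not add up, so it fails closed. The packets are constructed in the script with documentation addresses; the labels are made up.

```python
"""Drop IPv4 datagrams carrying LSRR/SSRR options; fail closed on bad headers.

Added example, not firewall-toolkit or kernel code.  Packets are built
here for illustration; addresses come from the documentation ranges.
"""
import struct

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137
SOURCE_ROUTE_OPTIONS = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}


def _aton(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_ipv4(src: str, dst: str, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Minimal IPv4 header (checksum left zero; the filter never relies on it)."""
    options += b"\x00" * (-len(options) % 4)          # options padded to 32 bits
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 6, 0,
                      _aton(src), _aton(dst))
    return hdr + options + payload


def source_route_option(hops, kind=IPOPT_LSRR) -> bytes:
    """LSRR/SSRR option: type, length, pointer (4 = first entry), route data."""
    data = b"".join(_aton(h) for h in hops)
    return bytes([kind, 3 + len(data), 4]) + data


def find_source_route(packet: bytes):
    """Return 'LSRR' or 'SSRR' if the option list carries one, else None.

    Raises ValueError on a truncated header or inconsistent option lengths,
    so a caller that drops on exception fails closed."""
    if len(packet) < 20:
        raise ValueError("short header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts = packet[20:ihl]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:                 # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if kind in SOURCE_ROUTE_OPTIONS:
            return SOURCE_ROUTE_OPTIONS[kind]
        i += length
    return None


def filter_packets(packets):
    """Split (label, packet) pairs into accepted labels and (label, reason) drops."""
    accepted, dropped = [], []
    for label, pkt in packets:
        try:
            kind = find_source_route(pkt)
        except ValueError as exc:
            dropped.append((label, f"malformed: {exc}"))
            continue
        if kind:
            dropped.append((label, f"{kind} source route"))
        else:
            accepted.append(label)
    return accepted, dropped


# Constructed test traffic: clean, LSRR, SSRR behind a NOP, truncated header.
SAMPLE_PACKETS = [
    ("plain", build_ipv4("192.0.2.1", "198.51.100.7", payload=b"hello")),
    ("lsrr", build_ipv4("192.0.2.1", "198.51.100.7",
                        source_route_option(["203.0.113.9"]))),
    ("ssrr_after_nop", build_ipv4("192.0.2.1", "198.51.100.7",
                                  b"\x01" + source_route_option(
                                      ["203.0.113.9", "203.0.113.10"], IPOPT_SSRR))),
    ("truncated", build_ipv4("192.0.2.1", "198.51.100.7",
                             source_route_option(["203.0.113.9"]))[:22]),
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    print("accepted:", ok)
    for label, reason in bad:
        print("dropped:", label, "-", reason)
```

On a real gateway this check belongs in the kernel or the screening router, not in a user-space proxy; the value of the script is as a test harness you can point at captured or hand-built datagrams to confirm that whatever sits in front of the bastion really does reject both option types, including the case where the option is preceded by NOP padding.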
From firewalls-owner Tue Sep 6 00:29:26 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id GAA12722; Tue, 6 Sep 1994 06:31:35 GMT Received: from bronze.lcs.mit.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id XAA12716; Mon, 5 Sep 1994 23:31:28 -0700 Received: by bronze.lcs.mit.edu (Sendmail 8.6.9/940527.SGW) id CAA19070; Tue, 6 Sep 1994 02:36:24 -0400 Date: Tue, 6 Sep 1994 02:36:24 -0400 From: hobbit@bronze.lcs.mit.edu (*Hobbit*) Message-Id: <199409060636.CAA19070@bronze.lcs.mit.edu> To: firewalls@greatcircle.com Subject: netfind Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Not really a firewalls thing, but just quickly: You can keep netfind out of your face by inserting a DNS record into your top level, the same place you keep your SOA: foo.com IN TXT "wp-noop://" This is actually documented in the netfind stuff, not that most of us give a wet fart about reading same... _H* From firewalls-owner Tue Sep 6 01:29:20 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA13221; Tue, 6 Sep 1994 07:56:32 GMT Received: from picasso.cssc-syd.tansu.com.au by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id AAA13215; Tue, 6 Sep 1994 00:56:19 -0700 Received: from renoir.cssc-syd.tansu.com.au.tansu.com.au (rodney@renoir.cssc-syd.tansu.com.au [149.135.44.23]) by picasso.cssc-syd.tansu.com.au (8.6.9/8.6.5) with SMTP id SAA11294 for ; Tue, 6 Sep 1994 18:01:00 +1000 From: Rodney Campbell Message-Id: <199409060801.SAA11294@picasso.cssc-syd.tansu.com.au> Subject: TANSU WWW Mailing List Archive... 
To: Firewalls@GreatCircle.COM Date: Tue, 6 Sep 1994 18:00:58 +1000 (EST) X-Mailer: ELM [version 2.4 PL20] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 2079 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk I have set up an automatic HyperMail Mailing List Archive of the Firewalls mailing List available on the World Wide Web. Mail archives are databases of electronic mail sent to distribution lists. These archives have been indexed for conversational threads and pointers into the World Wide Web by a program called Hypermail. Each mailing list archive consists of: A set of cross-referenced HTML documents. Each file that is created represents a separate message in the mail archive and contains links to other articles, so that the entire archive can be browsed in a number of ways by following links. Each HTML file that is generated for a message contains (where applicable): the subject of the article, the name and email address of the sender, the date the article was sent, links to the next and previous messages in the archive, a link to the message the article is in reply to, and a link to the message next in the current thread. To complement each set of HTML messages, four index files are created which sort the articles by date received, thread, subject, and author. Each entry in these index files is a link to an individual article, and together they provide a bird's-eye view of every archived message. Note: as new items are mailed to the Firewalls mailing lists they will automatically be added to the hypermail archive. The top level index for the mailing lists can be found at URL: HyperMail Mailing List Archive OR can be obtained from the "Local Index at TANSU" from the TANSU Home Page at URL: TANSU Home Page Rodney... -- Rodney Campbell |Email : rodney@tansu.com.au Telecom Australia |Snail : PO Box A792, Sydney South 2000, Australia. 
Information Technology Group| : Level 1, 18-20 Orion Rd, Lane Cove West. Network Systems |Phone : +61 (0)2 911 3123 Fax: +61 2 911 3199 | http://www.tansu.com.au/NS/People/rodney.html From firewalls-owner Tue Sep 6 04:32:00 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id JAA14108; Tue, 6 Sep 1994 09:12:19 GMT Received: from PCC.SSW.DHHS.GOV by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id CAA14102; Tue, 6 Sep 1994 02:11:36 -0700 Received: from OSPSNADS.SSW.DHHS.GOV by PCC.SSW.DHHS.GOV (Soft-Switch Central V4L380P3); 06 Sep 1994 04:42:04 GMT Message-Id: Date: 06 Sep 1994 04:42:04 GMT From: "Soft*Switch Gateway/" Subject: Undeliverable Message To: Firewalls@GREATCIRCLE.COM Comment: MEMO 1994/09/06 4:42:46 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk To: SSWGATE@B11WDC-OV06B@Servers[OSPAFHAS.ALC] ÿÿ SSWGATE@B11WDC-OV06B@Servers[*Firewalls-Digest@GreatCircle.COM] Cc: Subject: Firewalls Digest V3 #303 Message not delivered to recipients below. Press F1 for help with VNM error codes. 
VNM3036: ALC@OSPAFHAS

---------------------------- [Message Follows] ---------------------------------

Received: from RELAY2.UU.NET by PCC.SSW.DHHS.GOV (Soft-Switch Central V4L380P3); 02 Sep 1994 04:37:00 GMT
Received: from mycroft.GreatCircle.COM by relay2.UU.NET with SMTP id QQxfoz17646; Fri, 2 Sep 1994 04:27:38 -0400
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id IAA09809; Fri, 2 Sep 1994 08:00:26 GMT
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id BAA09792; Fri, 2 Sep 1994 01:00:16 -0700
Date: Fri, 2 Sep 1994 01:00:16 -0700
Message-Id: <199409020800.BAA09792@mycroft.GreatCircle.COM>
From: Firewalls-Digest-Owner@GreatCircle.COM
To: Firewalls-Digest@GreatCircle.COM
Subject: Firewalls Digest V3 #303
Reply-To: Firewalls@GreatCircle.COM
Sender: Firewalls-Digest-Owner@GreatCircle.COM
Precedence: bulk

Firewalls Digest        Friday, 2 September 1994        Volume 03 : Number 303

In this issue:

        And the Funky Hostname Award for this week goes to:
        Re: And the Funky Hostname Award for this week goes to:
        hardware

See the end of the digest for information on subscribing to the Firewalls
or Firewalls-Digest mailing lists and on how to retrieve back issues.

----------------------------------------------------------------------

From: gordon@torrie.org (Gordon Torrie)
Date: Thu, 1 Sep 1994 22:50:17 -0400
Subject: And the Funky Hostname Award for this week goes to:

Brent Chapman writes:

| Reference the current discussion of DNS information hiding... :-)
[...]
|
| From: Egotists Anonymous (koreth@spud.Hyperion.COM)
| Subject: And the Funky Hostname Award for this week goes to:
|
| 129_179_75_12.cdc.com
|
| Now, I've heard of uncreative host naming, but that's ridiculous.

Well it does have the advantage of not revealing either the hardware type
or the name of the project that this host has been assigned to.
:-)

- --
gordon@torrie.org                                          Gord Torrie

------------------------------

From: Charles Butcher
Date: Fri, 2 Sep 1994 14:29:07 +1000 (EST)
Subject: Re: And the Funky Hostname Award for this week goes to:

> | From: Egotists Anonymous (koreth@spud.Hyperion.COM)
> | Subject: And the Funky Hostname Award for this week goes to:
> |
> | 129_179_75_12.cdc.com
> |
> | Now, I've heard of uncreative host naming, but that's ridiculous.
>

Pity the poor buggers who have to update all the references to this host
when it moves to another network.... and it _will_

You know, hundreds of very clever people have spent a lot of time writing
a lot of complex software for the express purpose of allowing us to give
machines names that are meaningful to humans instead of just a bunch of
numbers.....

Mind you, what can you expect from a mainframe manufacturer ;-)

- --
Charles Butcher   +61 2 395 3216   FAX: +61 2 395 3225
charlesb@ind.tansu.com.au

------------------------------

From: "Dirk A. Meyer"
Date: Fri, 2 Sep 94 09:25:23 +0200
Subject: hardware

Are there any experiences with

- - 3Com Netbuilder II
- - Cisco 4000
- - Ungermann-Bass 53xx

used as a Firewall-Router (ease and capabilities in configuring,
performance)?

- -Dirk

------------------------------

End of Firewalls Digest V3 #303
*******************************

To unsubscribe from Firewalls-Digest, send the following command in the
body of a message to "Majordomo@GreatCircle.COM":

    unsubscribe firewalls-digest

To subscribe, send the command "subscribe firewalls-digest" instead.

If you want to subscribe or unsubscribe something other than the account
the mail is coming from, such as a local redistribution list, then append
that address to the command; for example, to subscribe "local-firewalls":

    subscribe firewalls-digest local-firewalls@your.domain.net

A non-digest (direct mail) version of this list is also available; to
subscribe to that instead, replace all instances of "firewalls-digest" in
the commands above with "firewalls".
Compressed back issues are available for anonymous FTP from
FTP.GreatCircle.COM, in pub/firewalls/digest/vNN.nMMM.Z (where "NN" is the
volume number, and "MMM" is the issue number).

From firewalls-owner Tue Sep 6 05:29:46 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA15140; Tue, 6 Sep 1994 12:21:14 GMT
Received: from seraph.uunet.ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id FAA15134; Tue, 6 Sep 1994 05:21:06 -0700
Received: from fujitsu.ca ([142.77.30.2]) by mail.uunet.ca with SMTP id <95110-4>; Tue, 6 Sep 1994 08:26:40 -0400
Received: by fujitsu.ca (4.1/SMI-4.1) id AA17966; Tue, 6 Sep 94 08:27:32 EDT
Received: from falcon.fsbc.ca(192.10.1.205) by jay via smap (V1.3mjr) id sma017792; Tue Sep 6 08:26:33 1994
Received: by falcon.fujitsu.ca (4.1/SMI-4.1) id AA00462; Tue, 6 Sep 94 08:25:53 EDT
Date: Tue, 6 Sep 1994 08:25:53 -0400
From: smartin@fujitsu.ca (Steve Martin)
Message-Id: <9409061225.AA00462@falcon.fujitsu.ca>
To: firewalls@GreatCircle.com
Subject: Brixton PPP as a packet filter
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hi,

Is anyone out there using Brixton PPP as their connection to the Internet?
If so, are you using the packet filter capability, and can you provide me
with some sample filters and recommendations?

Steve
--------------------------------------------------------------------------------
Stephen Martin                oO         Fujitsu Systems Business of Canada, Inc.
smartin@fujitsu.ca         Fujitsu       Box 30
Phone: (416)512-0342 x3137               5140 Yonge St., Suite 2000
Fax:   (416)512-0344                     North York, Ontario, Canada.  M2N 6L7
--------------------------------------------------------------------------------

From firewalls-owner Tue Sep 6 06:30:05 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA15450; Tue, 6 Sep 1994 13:11:01 GMT
Received: from uvs1.orl.mmc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id GAA15444; Tue, 6 Sep 1994 06:10:51 -0700
From: fin@unet.umn.edu
Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA22758; Tue, 6 Sep 94 09:14:24 -0400
Date: Tue, 6 Sep 94 09:14:23 -0400
Message-Id: <9409061314.AA22758@uvs1.orl.mmc.com>
To: padgett@tccslr.dnet.mmc.com
Cc: "firewalls@greatcircle.com"@uvs1.dnet.mmc.com
Subject: Why assign names to *everyone* ?
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>However, they still need names in the DNS so that they can X/Windows
>and FTP _out_.

Do not understand, why do you need to assign *names* ? We have several
thousand ...

By "name" I mean a text string with an A record, and a corresponding PTR
record that points back to the same text string. I do _not_ mean to imply
that this string is particularly meaningful in isolation.

I would hope that the FTP case would be obvious and understood by all.

Some X/Windows systems _appear_ to take the IP address of the other end of
the connection, turn it into a name (via PTR), then later turn it back
into an address. They, of course, expect the same address that they
started with.

I say _appear_ to because when we ran into this (we used to have our
dynamic pools as 25 addresses per one name), many X sessions would not
work properly. Changing the DNS to one address per name fixed this
problem. It may have had another cause (life is short and debugging time
is too).
Craig

From firewalls-owner Tue Sep 6 08:31:38 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA15932; Tue, 6 Sep 1994 14:28:12 GMT
Received: from seas.smu.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA15926; Tue, 6 Sep 1994 07:28:05 -0700
Received: by seas.smu.edu (/\==/\ Smail3.1.28.1 #28.31) id ; Tue, 6 Sep 94 09:33 CDT
Received: by seas.smu.edu (/\==/\ Smail3.1.28.1 #28.28 63.63.63.hyper_f) id ; Tue, 6 Sep 94 09:33 CDT
Message-Id:
From: doug@seas.smu.edu (Doug Davis)
Subject: Re: netfind
To: hobbit@bronze.lcs.mit.edu (*Hobbit*)
Date: Tue, 6 Sep 1994 09:33:20 -0500 (CDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199409060636.CAA19070@bronze.lcs.mit.edu> from "*Hobbit*" at Sep 6, 94 02:36:24 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 553
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> Not really a firewalls thing, but just quickly:
>
> You can keep netfind out of your face by inserting a DNS record into your
> top level, the same place you keep your SOA:
>
>         foo.com   IN   TXT   "wp-noop://"
>
> This is actually documented in the netfind stuff, not that most of us give
> a wet fart about reading same...

'cept that some of the variants of netfind running around ignore same and
still try to finger your laserprinters, coke machines and other
meaningless drek.

... and now back to your regularly scheduled firewall discussion.
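The PTR-then-A round trip that Craig describes in the "Why assign names to *everyone*?" message above can be checked against zone data directly. The following Python is an added example written for this archive, not code from that message or from any product discussed on the list. It builds two constructed zones (25 addresses under one name, and one address per name), models a server that maps the peer's address to a name and back and expects its original address, and contrasts that with the forward-confirmed check a defender would use, which accepts any A record of the PTR name. The zone names and addresses are made up for the example.

```python
"""Added example (not code from the mailing-list message): the PTR -> A
round trip Craig describes, modelled against a constructed in-memory zone.

A server that maps the peer's address to a name via PTR and then the name
back to an address via A expects to get its original address back.  With a
dynamic pool of 25 addresses sharing one name, only one of the 25 survives
that strict check; one address per name makes every address survive.
"""
from typing import Dict, List, Optional, Tuple

Forward = Dict[str, List[str]]   # name -> A records (constructed zone data)
Reverse = Dict[str, str]         # in-addr.arpa name -> PTR target


def ptr_name(ip: str) -> str:
    """Reverse-map an IPv4 dotted quad to its in-addr.arpa owner name."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def build_reverse(forward: Forward) -> Reverse:
    """Derive PTR records so every A record points back to its owner name."""
    return {ptr_name(ip): name for name, ips in forward.items() for ip in ips}


def pooled_zone(pool_size: int = 25) -> Tuple[Forward, Reverse]:
    """Constructed zone: one name 'pool.example.com.' with `pool_size` A records
    (the 25-addresses-per-name layout the message says broke X sessions)."""
    forward = {"pool.example.com.": [f"10.0.1.{i}" for i in range(1, pool_size + 1)]}
    return forward, build_reverse(forward)


def one_per_name_zone(pool_size: int = 25) -> Tuple[Forward, Reverse]:
    """Constructed zone: 'dyn1.example.com.' ... each with exactly one A record."""
    forward = {f"dyn{i}.example.com.": [f"10.0.1.{i}"] for i in range(1, pool_size + 1)}
    return forward, build_reverse(forward)


def strict_round_trip(ip: str, forward: Forward, reverse: Reverse) -> Tuple[bool, Optional[str], Optional[str]]:
    """Model the server behaviour Craig describes: address -> PTR -> first A
    record, then compare with the address it started from.
    Returns (ok, ptr_name_found, address_obtained)."""
    name = reverse.get(ptr_name(ip))
    if name is None:
        return False, None, None
    addrs = forward.get(name, [])
    got = addrs[0] if addrs else None   # a naive client takes the first A record
    return got == ip, name, got


def forward_confirmed(ip: str, forward: Forward, reverse: Reverse) -> bool:
    """The defender's check (forward-confirmed reverse DNS): accept the peer if
    its PTR name has *any* A record equal to the address, not just the first."""
    name = reverse.get(ptr_name(ip))
    return name is not None and ip in forward.get(name, [])


def count_strict_failures(forward: Forward, reverse: Reverse) -> int:
    """How many addresses in the zone fail the strict address->name->address check."""
    return sum(1 for ips in forward.values() for ip in ips
               if not strict_round_trip(ip, forward, reverse)[0])


if __name__ == "__main__":
    for label, (fwd, rev) in (("25 addresses per name", pooled_zone()),
                              ("one address per name", one_per_name_zone())):
        print(f"{label}: {count_strict_failures(fwd, rev)} of 25 fail the strict round trip")
```

The strict model fails for 24 of the 25 pooled addresses and for none of the one-per-name addresses, which matches the fix Craig reports; the forward-confirmed check passes all 25 pooled addresses, so it is the check to prefer when you control the verifying side rather than the zone.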
From firewalls-owner Tue Sep 6 09:36:58 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id PAA16195; Tue, 6 Sep 1994 15:09:23 GMT
Received: from relay3.UU.NET by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id IAA16189; Tue, 6 Sep 1994 08:09:14 -0700
Received: from uucp3.UU.NET by relay3.UU.NET with SMTP id QQxgeu02196; Tue, 6 Sep 1994 11:14:29 -0400
Received: from wrkgrp.UUCP by uucp3.UU.NET with UUCP/RMAIL ; Tue, 6 Sep 1994 11:14:30 -0400
Received: from zaphod.wrkgrp.com by wrkgrp.wrkgrp.COM (4.1/SMI-4.1) id AA13835; Tue, 6 Sep 94 10:11:04 CDT
Received: by zaphod.wrkgrp.com (5.0/SMI-SVR4) id AA01161; Tue, 6 Sep 1994 10:15:18 +0600
Date: Tue, 6 Sep 1994 10:15:18 +0600
From: wrkgrp!zaphod!jac@uunet.uu.net (John A Cifonelli)
Message-Id: <9409061515.AA01161@zaphod.wrkgrp.com>
To: uunet!GreatCircle.COM!firewalls@uunet.uu.net, uunet!notes.seagate.com!Dan_Thorson@uunet.uu.net
Subject: Re: And the Funky Hostname Award for this week goes to:
X-Sun-Charset: US-ASCII
Content-Length: 1388
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

See also - "Firewalls and Internet Security", Cheswick & Bellovin,
Addison-Wesley, 1994, page 64, for advice on setting up an "external" DNS.

> From uunet!GreatCircle.COM!firewalls-owner Mon Sep 5 06:34 CDT 1994
> Date: Fri Sep 02 13:16:43 1994
> From: "Dan Thorson"
> To: uunet!GreatCircle.COM!firewalls
> Subject: Re: And the Funky Hostname Award for this week goes to:
>
> Has anybody else figured out that this is a bogus hostname in CDC's
> "external" dns? Obviously CDC is not using an xx_xx_xx_xx.cdc.com style
> address "inside".
>
> dct
> --
> Dan Thorson -- Dan_Thorson@notes.seagate.com
> -------------------------------------------------------------------------
> Seagate Technology - 920 Disc Drive - Scotts Valley, CA 95066 USA
> Main Phone 408-438-6550 - Email Problems postmaster@notes.seagate.com
> Technical Support: BBS 408-438-8771 Fax 408-438-8137 Voice 408-438-8222
> -------------------------------------------------------------------------
>
> ### OGATE Version 8 message trace and attachment information:
> ### MsgFileName: m:\mgate\outbound\332.MSG
> ### Org Date: 09-02-94 09:46:11 AM
> ### From: Dan Thorson@SEAGATE
> ### To: firewalls @ GreatCircle.COM @ internet
> ### Subject: Re: And the Funky Hostname Award for this week goes to:
> ### Attachments: none

From firewalls-owner Tue Sep 6 14:29:51 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id UAA19254; Tue, 6 Sep 1994 20:46:49 GMT
Received: from mbunix.mitre.org by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA19242; Tue, 6 Sep 1994 13:46:34 -0700
Received: from vanity.mitre.org by mbunix.mitre.org (8.6.4/4.7) id QAA23863; Tue, 6 Sep 1994 16:51:42 -0400
Posted-from: The MITRE Corporation, Bedford, MA
Received: from localhost.mitre.org (localhost.mitre.org [127.0.0.1]) by vanity.mitre.org (8.6.4/8.6.4) with SMTP id QAA15169 for ; Tue, 6 Sep 1994 16:51:32 -0400
Message-Id: <199409062051.QAA15169@vanity.mitre.org>
X-Authentication-Warning: vanity.mitre.org: Host localhost.mitre.org didn't use HELO protocol
To: Firewalls@greatcircle.com
Subject: MITRE X gateway project
Date: Tue, 06 Sep 1994 16:51:29 -0400
From: "Brian L. Kahn"
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

The MITRE X Gateway Project

Enabling X window connections across a firewall is straightforward and
well understood. X protocol requires a reliable transport connection,
which in practice is either DECNet or TCP/IP between machines.
To move X packets across a firewall it is only necessary to start a proxy
running on a boundary host that listens at an agreed port and forwards the
packets to the intended X server. The outside client sees the boundary
host as the X server host, and the client neither knows nor cares that the
X packets are being forwarded inside the firewall.

Enabling X across the firewall is not a problem; the problem is making a
safe way for outside clients to share the X server with inside clients.
The MITRE X Gateway project (Xgate) enforces a security policy on the
client/server channel that isolates the outside X clients from the inside
clients.

Xgate enforces client isolation by imposing restrictions on use of the X
protocol. The Xgate module examines the client/server protocol stream and
modifies packets as necessary to prevent outside clients from interfering
with other clients. The outside clients do not have the same capabilities
as inside clients, but the available functionality is adequate and
appropriate for most applications. Any application which is entirely self
contained will work normally, and many applications which optionally
interact with other clients work with a restricted functionality.

Xgate Client Isolation Policy

The Xgate policy describes isolation of outside clients.

1) Client object access: Xgate shall isolate outside clients by
   restricting object use; an outside client may not use objects created
   by any other client.

2) Server resource access: Xgate shall protect normal operations by
   regulating access from outside clients to server state or control
   resources.

3) Selection requests: Xgate shall protect the client selection mechanism
   by regulating use of the inter-client exchange initiated by
   ConvertSelection.

4) User Notification: Xgate shall notify the user of significant changes
   that are allowed by policy but significantly affect the access control
   profile, such as client connections and keyboard focus.
5) Image Capture: Xgate shall prohibit outside clients from accessing
   portions of the screen image generated by other clients.

6) Denial of Service: Xgate shall provide some counter to denial of
   service attacks.

7) Audit: Xgate shall provide a mechanism for auditing security relevant
   events and should also support audit of normal X protocol and audit
   reduction.

Unless otherwise stated, X protocol requests that do not meet the policy
requirements are simply dropped from the client/server stream without any
error notification. The dropped packets are replaced in the stream by X
protocol NOP (no operation) packets in order to maintain synchronization
of sequence numbering in the client/server stream.

Xgate Prototype

MITRE has built a prototype of Xgate. The prototype is built on top of a
public domain package named Xmon. The base software is well structured, an
important trait both for maintenance and for subsequent analysis. The
analysis phase is crucial to gain confidence in the security critical
Xgate implementation.

We planned to restrict Xgate processing to requests flowing from the
clients to the server. It is possible to enforce policy simply by blocking
some requests, and our early tests showed that many clients continued to
run normally under this restriction because the blocked packets are not
critical to their operations. Some may choose to build an Xgate
implementation in this way, resulting in simpler and faster code.

We found that some of our favored applications couldn't run under this
simple blocking implementation, but that most applications could be
persuaded to run within the isolation policy by returning canned responses
to several specific requests. MITRE has determined that some added
complexity is worthwhile considering the larger number of clients
supported. There is also a performance penalty, because this manipulation
of the protocol requires Xgate to scan both the incoming request stream
and the outgoing reply/event/error stream.
Performance is a concern for our users, but we do not see any problem with
Xgate in place. On an ethernet based network, there is a slight but
noticeable difference between a plain application and one running through
Xgate. Our experience shows that network connections (such as a T1 link)
impose more delay than the Xgate prototype. Furthermore, the prototype has
not yet been tuned for performance, yet its performance is more than
adequate for our users.

Brian L. Kahn      "In theory, there is no difference between theory and practice.
blk@mitre.org       In practice, of course, there is."

From firewalls-owner Tue Sep 6 17:29:23 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id AAA20943; Wed, 7 Sep 1994 00:23:34 GMT
Received: from PCC.SSW.DHHS.GOV by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id RAA20936; Tue, 6 Sep 1994 17:23:20 -0700
Received: from OSPSNADS.SSW.DHHS.GOV by PCC.SSW.DHHS.GOV (Soft-Switch Central V4L380P3); 06 Sep 1994 20:27:20 GMT
Message-Id:
Date: 06 Sep 1994 20:27:20 GMT
From: "Soft*Switch Gateway/"
Subject: Undeliverable Message
To: Firewalls@GREATCIRCLE.COM
Comment: MEMO 1994/09/06 20:27:02
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

To: SSWGATE@B11WDC-OV06B@Servers[OSPAFHAS.ALC]
    SSWGATE@B11WDC-OV06B@Servers[*Firewalls-Digest@GreatCircle.COM]
Cc:
Subject: Firewalls Digest V3 #304

Message not delivered to recipients below. Press F1 for help with VNM
error codes.
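The NOP substitution that Brian Kahn's Xgate message above describes (requests that fail policy are replaced by X NoOperation packets so that sequence numbering stays in step) is easy to see in code. The following Python is an added example written for this archive, not MITRE's Xgate or the Xmon package it was built on. It implements only the simple blocking variant the message mentions (no canned replies), runs over a constructed buffer of little-endian X11 requests, and the DENIED_OPCODES policy table is an assumption made for illustration, loosely mapped to the numbered policy items in the message.

```python
"""Added example (not MITRE's Xgate code): the "simple blocking" variant
of the Xgate policy, applied to a buffer of X11 client requests.

Requests whose major opcode is denied to an outside client are replaced by
a NoOperation request of the same length, so the server still sees one
request per sequence number and the client's sequence numbering stays in
step with the server's replies, events and errors.
"""
import struct
from typing import Dict, Iterator, List, Tuple

# X11 core protocol major opcodes (from the X Window System Protocol spec).
CREATE_WINDOW = 1
CONVERT_SELECTION = 24
GRAB_SERVER = 36
SET_INPUT_FOCUS = 42
GET_IMAGE = 73
KILL_CLIENT = 113
NO_OPERATION = 127

# Assumed policy for this example: opcodes an outside client may not send,
# loosely mapped to the Xgate policy items they would fall under.
DENIED_OPCODES: Dict[int, str] = {
    GRAB_SERVER: "server resource access / denial of service",
    SET_INPUT_FOCUS: "server resource access",
    CONVERT_SELECTION: "selection requests",
    GET_IMAGE: "image capture",
    KILL_CLIENT: "client object access",
}

# Byte order is negotiated in the X connection setup; this example assumes
# a little-endian client (the 'l' setup byte).
HDR = "<BBH"   # major opcode, data byte, length in 4-byte units


def make_request(opcode: int, data: int, units: int, body: bytes = b"") -> bytes:
    """Build a request of `units` 4-byte words (constructed sample traffic)."""
    if units < 1 or len(body) > units * 4 - 4:
        raise ValueError("body does not fit the declared length")
    return struct.pack(HDR, opcode, data, units) + body.ljust(units * 4 - 4, b"\0")


def split_requests(stream: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (opcode, raw request) for each complete request in `stream`."""
    off = 0
    while off < len(stream):
        if len(stream) - off < 4:
            raise ValueError("truncated request header")
        opcode, _, units = struct.unpack_from(HDR, stream, off)
        if units == 0:   # BIG-REQUESTS extended length; out of scope here
            raise ValueError("BIG-REQUESTS encoding not supported by this example")
        size = units * 4
        if off + size > len(stream):
            raise ValueError("truncated request body")
        yield opcode, stream[off:off + size]
        off += size


def noop_request(units: int) -> bytes:
    """A NoOperation request padded to the same length as the one it replaces."""
    return make_request(NO_OPERATION, 0, units)


def filter_outside_client(stream: bytes, denied: Dict[int, str] = DENIED_OPCODES) -> Tuple[bytes, List[Tuple[int, int, str]]]:
    """Rewrite `stream` for an outside client.  Returns (filtered_stream, audit)
    where audit holds (sequence_number, opcode, action) per request."""
    out = bytearray()
    audit: List[Tuple[int, int, str]] = []
    for seq, (opcode, raw) in enumerate(split_requests(stream), start=1):
        if opcode in denied:
            out += noop_request(len(raw) // 4)     # same length, same seq number
            audit.append((seq, opcode, "dropped: " + denied[opcode]))
        else:
            out += raw
            audit.append((seq, opcode, "passed"))
    return bytes(out), audit


def sample_stream() -> bytes:
    """Constructed client traffic: a window creation, a screen read and a GrabServer."""
    return (make_request(CREATE_WINDOW, 24, 8, b"\x01\x00\x00\x00")
            + make_request(GET_IMAGE, 2, 5)
            + make_request(GRAB_SERVER, 0, 1))


if __name__ == "__main__":
    filtered, audit = filter_outside_client(sample_stream())
    for seq, opcode, action in audit:
        print(f"request {seq}: opcode {opcode:3d} -> {action}")
```

The audit list is the hook for policy item 7: every dropped request is recorded with its sequence number, which is also what a user-notification or audit-reduction step would key on. Because the replacement keeps both the request count and the byte length, a client that tracks its own sequence numbers still matches them against the server's replies and errors.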
VNM3036: ALC@OSPAFHAS

---------------------------- [Message Follows] ---------------------------------

Enclosure: Memo Text
Format: PC Text File

From firewalls-owner Tue Sep 6 19:31:58 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id BAA21515; Wed, 7 Sep 1994 01:30:23 GMT
Received: from mycroft.GreatCircle.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id SAA21508; Tue, 6 Sep 1994 18:30:15 -0700
Message-Id: <199409070130.SAA21508@mycroft.GreatCircle.COM>
To: "Soft*Switch Gateway/"
cc: Firewalls@GREATCIRCLE.COM
Subject: Re: Undeliverable Message
In-reply-to: Your message of 06 Sep 1994 20:27:20 GMT
Date: Tue, 06 Sep 1994 18:30:13 -0700
From: Brent Chapman
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

"Soft*Switch Gateway/" writes:

# To: SSWGATE@B11WDC-OV06B@Servers[OSPAFHAS.ALC]
#     SSWGATE@B11WDC-OV06B@Servers[*Firewalls-Digest@GreatCircle.COM]
# Cc:
# Subject: Firewalls Digest V3 #304
#
# Message not delivered to recipients below. Press F1 for help with VNM
# error codes.
#
# VNM3036: ALC@OSPAFHAS
#
#
# ---------------------------- [Message Follows] ---------------------------------
#
#
# Enclosure: Memo Text
# Format: PC Text File
#

Sorry about this, gang. This one screwed up site keeps sending these
bounces back to the main mailing list. We've tried contacting their
Postmaster, but that bounces too. I'm really beginning to hate this
Soft*Switch product, whatever it is; it seems to be responsible for more
of the really screwed up bounces (like these, sending the bounces back to
the "Reply-To:" address) we get than any other package.
-Brent

--
Brent Chapman          | Great Circle Associates  | Call or email for info about
Brent@GreatCircle.COM  | 1057 West Dana Street    | upcoming Internet Security
+1 415 962 0841        | Mountain View, CA 94041  | Firewalls Tutorial dates

From firewalls-owner Tue Sep 6 20:29:44 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id CAA22062; Wed, 7 Sep 1994 02:35:53 GMT
Received: from relay3.UU.NET by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id TAA22056; Tue, 6 Sep 1994 19:35:43 -0700
Received: from uucp6.UU.NET by relay3.UU.NET with SMTP id QQxggo28970; Tue, 6 Sep 1994 22:41:00 -0400
Received: from bps.UUCP by uucp6.UU.NET with UUCP/RMAIL ; Tue, 6 Sep 1994 22:40:58 -0400
Received: by euclid.Heuristicrat.COM id AA15394 (5.65c/IDA-1.5 for Firewalls@GreatCircle.COM); Tue, 6 Sep 1994 19:13:01 -0700
Date: Tue, 6 Sep 1994 19:13:01 -0700
From: Jordan Hayes
Message-Id: <199409070213.AA15394@euclid.Heuristicrat.COM>
To: Firewalls@GreatCircle.COM
Subject: S/Key knows more than we think ...
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Saw this one recently:

        COLD WAR DENT FISK RAT LORE

:-)

/jordan

From firewalls-owner Wed Sep 7 04:33:42 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id IAA24015; Wed, 7 Sep 1994 08:28:17 GMT
Received: from PCC.SSW.DHHS.GOV by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id BAA24009; Wed, 7 Sep 1994 01:28:10 -0700
Received: from OSPSNADS.SSW.DHHS.GOV by PCC.SSW.DHHS.GOV (Soft-Switch Central V4L380P3); 07 Sep 1994 04:32:04 GMT
Message-Id:
Date: 07 Sep 1994 04:32:04 GMT
From: "Soft*Switch Gateway/"
Subject: Undeliverable Message
To: Firewalls@GREATCIRCLE.COM
Comment: MEMO 1994/09/07 4:32:06
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

To: SSWGATE@B11WDC-OV06B@Servers[OSPAFHAS.ALC]
    SSWGATE@B11WDC-OV06B@Servers[*Firewalls-Digest@GreatCircle.COM]
Cc:
Subject: Firewalls Digest V3 #305

Message not delivered to recipients below. Press F1 for help with VNM
error codes.
VNM3036: ALC@OSPAFHAS

---------------------------- [Message Follows] ---------------------------------

Enclosure: Memo Text
Format: PC Text File

From firewalls-owner Wed Sep 7 05:30:10 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA25487; Wed, 7 Sep 1994 12:09:32 GMT
Received: from interlock.amoco.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id FAA25464; Wed, 7 Sep 1994 05:08:32 -0700
Received: by interlock.amoco.com id AA07874 (InterLock SMTP Gateway 1.1 for firewalls@greatcircle.com); Wed, 7 Sep 1994 07:12:16 -0500
Received: by interlock.amoco.com (Internal Mail Agent-3); Wed, 7 Sep 1994 07:12:16 -0500
Received: by interlock.amoco.com (Internal Mail Agent-2); Wed, 7 Sep 1994 07:12:16 -0500
Received: by interlock.amoco.com (Internal Mail Agent-1); Wed, 7 Sep 1994 07:12:16 -0500
Date: Wed, 7 Sep 94 07:16:50 CDT
From: dmburns@amoco.com (David Burns)
Message-Id: <9409071216.AA05510@pulsar.hou.amoco.com>
To: firewalls@greatcircle.com
Subject: Re: Undeliverable Message
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Soft*Switch is a mainframe gateway product, typically runs on VM or MVS.
We use it, and you're right, it's a pain in the arse. The product uses a
number of PCs to gateway to X.400, SMTP, etc... with the directory portion
residing on the mainframe.

The main difficulties are (1) managing directory entries (2) explaining to
users how SMTP and X.400 addresses map into IBM's 8x8 address space.
(there is *no* way to explicitly address to an SMTP or X.400 recipient for
example; one must "pre-register" them in a directory somehow.) (3) all
outbound SMTP must be delivered to *one* specific node.

The advantages are ease of central administration... so our mainframe
support people like it. And to be fair, all the mainframe SMTP solutions
we've seen have awkward solutions to the addressing problem.

They are coming out with a risc-based version; we tried it and it's a
piece of junk.
Unfortunately Lotus just bought the company, so they will probably be
around for a while.

From firewalls-owner Wed Sep 7 12:30:28 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id TAA28458; Wed, 7 Sep 1994 19:21:09 GMT
Received: from spanky.ov.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA28452; Wed, 7 Sep 1994 12:21:02 -0700
From: Mark.Hickey@ov.com
Received: from ccgate.pls.ov.com by spanky.ov.com with SMTP on Wed, 7 Sep 1994 12:26:20 -0700
Received: from ccMail by ccgate.pls.ov.com id AA778965931 Wed, 07 Sep 94 12:25:31 PST
Date: Wed, 07 Sep 94 12:25:31 PST
Message-Id: <9408077789.AA778965931@ccgate.pls.ov.com>
To: firewalls@GreatCircle.COM, request-firewalls@GreatCircle.COM
Subject: Please subscribe me
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I am interested in subscribing to this list. How do I do it?

Mark Hickey
Senior consultant
OpenVision Technologies
Mark.Hickey@ov.com

From firewalls-owner Wed Sep 7 13:31:09 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id TAA28680; Wed, 7 Sep 1994 19:52:49 GMT
Received: from wor-srv.wam.umd.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA28672; Wed, 7 Sep 1994 12:52:36 -0700
Received: from rac4.wam.umd.edu (root@rac4.wam.umd.edu [128.8.70.120]) by wor-srv.wam.umd.edu (8.6.9/8.6.9) with ESMTP id PAA18951; Wed, 7 Sep 1994 15:57:40 -0400
From: Richard Huddleston
Received: (reh@localhost) by rac4.wam.umd.edu (8.6.9/8.6.9) id OAA02446; Wed, 7 Sep 1994 14:11:28 -0400
Date: Wed, 7 Sep 1994 14:11:28 -0400
Message-Id: <199409071811.OAA02446@rac4.wam.umd.edu>
To: firewalls@greatcircle.com
Subject: Livingston vs MorningStar routers
Cc: bob@morningstar.com
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

God forgive me for opening the doors to a Firewalls opinionfest. Please,
please, please, please, please: reply to me directly via email, and I'll
post a summary.
You won't miss anything, I promise, except a bunch of e-mail.

I need to hear from folks who actually build firewalls (you know who you
are) regarding any experience they may have with the Livingston "FireWall
IRX" and/or MorningStar Express Plus routers.

I'm putting another firewall together, and normally use a Cisco on all
sides--but I'm constrained this time to just those two choices on the
external router.

I've used an earlier model of the MSE, and while I found its filtering
and logging facilities to be excellent (ICMP by type, etc.) I'll also say
it seemed to choke on a Switched 56 Frame Relay data link. I'll head off
any potential flamage and just say I couldn't figure out how to get it to
work with 95%+ reliability. The MSE+ is said to be improved immensely,
and I'm certainly willing to give it a shot.

I know nothing about Livingston except that, as I recall, Brent likes
'em.

Informed opinion welcomed. I've invited MorningStar in on this, as well,
since I'm not sure if they normally pick up this list.

Richard

From firewalls-owner Wed Sep 7 15:29:43 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id VAA29494; Wed, 7 Sep 1994 21:30:26 GMT
Received: from sanjose.ssds.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA29488; Wed, 7 Sep 1994 14:30:08 -0700
Received: (from pcc@localhost) by sanjose.ssds.com (8.6.9/dcc-ssds/940901) id OAA03062; Wed, 7 Sep 1994 14:34:04 -0700
Date: Wed, 7 Sep 1994 14:34:03 -0700 (PDT)
From: Phil Cox
Subject: Need info on security plan..
To: firewalls@greatcircle.com
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I would be interested in seeing the portion of any security plan which
addresses the implementation and use of a firewall.

Thanks in advance,
Phil

***********************************************************************
* Philip C. Cox              | Quote of the Day:                      *
*                            |                                        *
* SSDS, Inc.                 | "When opportunity knocks, about all    *
* pcc@ssds.com               | some people do is complain about       *
* VOICE: (510) 294-3557      | the noise."                            *
* PAGER: (510) 734-7983      |                  - Mary Jess           *
***********************************************************************

From firewalls-owner Thu Sep 8 05:31:04 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id LAA05277; Thu, 8 Sep 1994 11:40:22 GMT
Received: from granite.corsof.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id EAA05271; Thu, 8 Sep 1994 04:40:12 -0700
Message-Id: <199409081140.EAA05271@mycroft.GreatCircle.COM>
Received: from dave.corsof.com by granite.corsof.com with SMTP (1.37.109.4/16.2) id AA14253; Thu, 8 Sep 94 07:34:12 -0400
X-Sender: dave@pop.corsof.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 08 Sep 1994 07:39:46 -0400
To: firewalls@greatcircle.com
From: DaveBelliveau@corsof.com (Dave Belliveau)
Subject: Dialup routers????
X-Mailer:
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hi,

I'm shopping for a low cost dialup router with enough filtering capability
to make it suitable for use as a firewall. Does anyone have any
suggestions?

---------------------------------
Dave Belliveau
Cornerstone Software, Inc.
11 Trafalgar Square
Nashua, NH 03063
email: DaveBelliveau@corsof.com
phone: 603-595-7480
fax:   603-882-7313
---------------------------------

From firewalls-owner Thu Sep 8 06:06:43 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA05473; Thu, 8 Sep 1994 12:21:33 GMT
Received: from gate.globalx.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id FAA05467; Thu, 8 Sep 1994 05:21:23 -0700
Received: (from mswanson@localhost) by gate.globalx.net (8.6.9/8.6.6.Beta5) id IAA02352; Thu, 8 Sep 1994 08:47:06 -0400
Date: Thu, 8 Sep 1994 08:47:06 +0100
From: Mark Swanson
Subject: Re: Livingston vs MorningStar routers
To: Richard Huddleston
cc: firewalls@GreatCircle.COM, bob@morningstar.com
In-Reply-To: <199409071811.OAA02446@rac4.wam.umd.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>
>
> I need to hear from folks who actually build firewalls (you know
> who you are) regarding any experience they may have with the
> Livingston "FireWall IRX" and/or MorningStar Express Plus routers.
>

Just set up a Livingston Router. It was shipped with obsolete software
that didn't work with the LMI protocol, and can NOT have more than one
subnet mask type. This is a FATAL flaw.

My frame relay service provider had to provide me with an entire class C
address just so they could have a dedicated circuit to our Livingston
router.

IE: Insinc (frame relay service provider) netmask (router-router) was
255.255.255.252. Perfect, gate the routers their own little net - 1,2 for
the routers and 0 and 3 for network and broadcast address. The Livingston
IRX portmaster could not do this as I required a netmask of 255.255.255.0
for my internal network.

In short, I needed the frm1 interface to have a netmask of
255.255.255.252. I needed my ether0 interface to have a netmask of
255.255.255.0. The Livingston portmaster could not handle this. Yuck.
Mark Swanson                               -----------------------------|
Systems Architect, Global -X- Change Inc.  | mswanson@globalx.net
                                           ---------------------|

From firewalls-owner Thu Sep 8 07:37:37 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA06252; Thu, 8 Sep 1994 14:08:56 GMT
Received: from cacd1.cacd.rockwell.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA06246; Thu, 8 Sep 1994 07:08:46 -0700
From: RAS@cacdvax.cacd.rockwell.com
Date: Thu, 8 Sep 1994 8:43:06 -0500 (CDT)
To: sirrianj@cc.ims.disa.mil
CC: firewalls@GreatCircle.COM
Message-Id: <940908084306.2d001f47@cacdvax.cacd.rockwell.com>
Subject: RE: Re[2]: Proposed Firewall Configuration
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Yes, using a multiple port router as Screening Router #1 and homing each
bastion host on a different port would provide the same effect. However,
this would significantly (perhaps exponentially) increase the complexity
of the filtering table for that router. Also, in many cases, the
additional ports come with a hefty price tag, especially compared to
*used* bridges.

Another advantage for individual bridges is to reduce single point
failures (e.g. failed hardware or hung software). It is not uncommon for a
router or hub device (e.g. 10BaseT) to suffer from a software failure, but
I've never experienced such a failure with a bridge. Replacing a failed
bridge is generally easier than replacing a router port card (and has less
impact on the other bastion hosts). Keeping a spare used bridge on hand
would be cheaper than a spare router port card (especially considering the
costs of h/w and s/w maintenance).

Bob

- - - - - - - - - - - O R I G I N A L   M E S S A G E - - - - - - - - - - -

On Wed, 31 Aug 94 16:01:13 EST, sirrianj@cc.ims.disa.mil wrote:

Could homing the bastion hosts on a separate interface port on Screening
Router #1 provide the isolation that you are looking for without having
to use the bridges or router #3?
______________________________ Reply Separator _________________________________
Subject: Re: Proposed Firewall Configuration
Author: RAS@cacdvax.cacd.rockwell.com at smtp
Date: 8/31/94 2:33 PM

>> Also, a firewall expert suggested the configuration below, which evolved
>> to the configuration presented above. A vendor has also seconded the
>> configuration below. Personally I don't see the advantage of this second
>> configuration over the one presented above, but perhaps someone out there
>> does and can explain it to me.
>
>> The purpose of Screening Router #3 is the same as that of the bridges in the
>> previous illustration - limit sniffer software installed on a compromised
>> Bastion Host from seeing any traffic besides what is directed to the
>> compromised Bastion Host.
>>
>I *think* the idea is that a router is more flexible and some may say
>more "powerful" than a bridge, what with access lists, routing tables etc.,
>as opposed to a bridge which simply allows or disallows traffic. Hence you
>have more control over what traffic crosses/does not cross that third
>security point before your bastion hosts.

It is true that a router will provide more control of what reaches the
bastion hosts, but is that extra control necessary? The thought was that
router #1 (connected to outside) and router #2 (connected to inside) provide
all the control necessary to create a perimeter network. However, if the
assumption is made that one or more bastion hosts will be compromised at
some point in time, then we were concerned about the traffic that could be
sniffed on the perimeter network. We thought that connecting each bastion
host to the perimeter network via a bridge would limit the traffic that
could be sniffed to just the traffic exchanged by the bastion host. For
example, if an intruder captured the anonymous ftp bastion host and
installed a sniffer, the intruder would not be able to capture any SMTP
traffic (which is handled by a different bastion host).
We believe the bridges to be sufficient for this purpose and do not
understand how adding an additional router on the perimeter network would
achieve the same effect.

>Wed Aug 31 06:13:16 EDT 1994
>===========================================================================
>Larry Chin {larry@cchtor.ca.cch.com}          System/Network Administrator
>CCH Canadian Ltd.                             (416) 441-4001 ext. 349
>===========================================================================
>
>Everything you've learned in school as "obvious" becomes less and less
>obvious as you begin to study the universe. For example, there are no
>solids in the universe. There's not even a suggestion of a solid.
>There are no absolute continuums. There are no surfaces. There are no
>straight lines.
>                                        -- R. Buckminster Fuller

Bob Schneider                           Enterprise Core Network Team
ras@cacd1.cacd.rockwell.com             Design Support Engineering
ras@131.198.128.108                     Rockwell International
ras%27746.decnet@consort.rockwell.com   400 Collins Road NE M/S 106-103
                                        Cedar Rapids, IA 52498
Voice: 319/395-3863   Comments expressed are strictly my own and are not to
FAX:   319/395-5999   be construed as statements endorsed by my employer.

From firewalls-owner Thu Sep 8 08:31:29 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA06485; Thu, 8 Sep 1994 14:45:35 GMT
Received: from SPARKY.CS.NYU.EDU by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA06479; Thu, 8 Sep 1994 07:45:25 -0700
Received: by SPARKY.CS.NYU.EDU (5.61/1.34) id AA22015; Thu, 8 Sep 94 10:50:45 -0400
From: m-kf2480@SPARKY.CS.NYU.EDU (Kuojueng Fung)
Message-Id: <9409081450.AA22015@SPARKY.CS.NYU.EDU>
Subject: Re: Livingston vs MorningStar routers
To: firewalls@greatcircle.com
Date: Thu, 8 Sep 94 10:50:45 EDT
X-Mailer: ELM [version 2.3 PL2]
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>
>
> Just set up a Livingston Router.
> It was shipped with obsolete software
> that didn't work with the LMI protocol, and can NOT have more than one
> subnet mask type. This is a FATAL flaw. My frame relay service provider
> had to provide me with an entire class C address just so they could have
> a dedicated circuit to our Livingston router. IE:
> Insinc (frame relay service provider) netmask (router-router) was
> 255.255.255.252. Perfect, gate the routers their own little net - 1,2
> for the routers and 0 and 3 for network and broadcast address. The
> Livingston IRX portmaster could not do this as I required a netmask of
> 255.255.255.0 for my internal network.
> In short, I needed the frm1 interface to have a netmask of 255.255.255.252.
> I needed my ether0 interface to have a netmask of 255.255.255.0.
> The Livingston portmaster could not handle this. Yuck.
>

Funny thing, I just replaced my Livingston with Cisco 2500, the Livingston
was grabbing my internal packets and bouncing them off the router at my
service provider. What I actually had to do was create permanent arp entries
in my bastion host to get around this problem.

Granted I have had the Cisco for about an hour but it seems to be handling
the routing much better.
Kuojueng Fung
Manager, System & Architecture
Prentice Hall Legal & Financial Services

From firewalls-owner Thu Sep 8 10:30:30 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id RAA07843; Thu, 8 Sep 1994 17:17:35 GMT
Received: from seraph.uunet.ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id KAA07835; Thu, 8 Sep 1994 10:17:25 -0700
Received: from fujitsu.ca ([142.77.30.2]) by mail.uunet.ca with SMTP id <95314-2>; Thu, 8 Sep 1994 13:22:48 -0400
Received: by fujitsu.ca (4.1/SMI-4.1) id AA20194; Thu, 8 Sep 94 13:23:40 EDT
Received: from falcon.fsbc.ca(192.10.1.205) by jay via smap (V1.3mjr) id sma020187; Thu Sep 8 13:23:38 1994
Received: by falcon.fujitsu.ca (4.1/SMI-4.1) id AA17449; Thu, 8 Sep 94 13:22:57 EDT
Date: Thu, 8 Sep 1994 13:22:57 -0400
From: smartin@fujitsu.ca (Steve Martin)
Message-Id: <9409081722.AA17449@falcon.fujitsu.ca>
To: firewalls@greatcircle.com
Subject: Filtering all IP Packets that contain options
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hi,

  I'm trying to set up some filters on my gateway. Unfortunately the software
that I'm using is somewhat limited and requires that you match patterns in the
packets. In order to do this I have to make sure that the fields in the TCP
header are always in the same place. To do this the size of the IP header must
be fixed. I am therefore thinking of tossing all incoming IP packets that do
not have an IP header length of 5 words. This means that I will be tossing all
packets that contain options. Is there a problem with this?
From what I've read, you want to get rid of any packets that contain source
routing options anyway, are any other options common and desirable?

--------------------------------------------------------------------------------
Stephen Martin             oO           Fujitsu Systems Business of Canada, Inc.
smartin@fujitsu.ca                      Fujitsu Box 30
Phone: (416)512-0342 x3137              5140 Yonge St., Suite 2000
Fax: (416)512-0344                      North York, Ontario, Canada. M2N 6L7
--------------------------------------------------------------------------------

From firewalls-owner Thu Sep 8 11:32:40 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id RAA08034; Thu, 8 Sep 1994 17:42:10 GMT
Received: from ftp.std.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id KAA08027; Thu, 8 Sep 1994 10:42:03 -0700
Received: from world.std.com by ftp.std.com (8.6.8.1/Spike-8-1.0) id NAA10798; Thu, 8 Sep 1994 13:47:27 -0400
Received: by world.std.com (5.65c/Spike-2.0) id AA28659; Thu, 8 Sep 1994 13:47:25 -0400
Message-Id: <199409081747.AA28659@world.std.com>
To: firewalls@greatcircle.com
Cc: twj@world.std.com
Subject: Building TIS on Solaris 2.3 using ucblib's
Date: Thu, 08 Sep 1994 13:47:24 -0400
From: Todd W Joseph
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hi Folks,

I have built the TIS toolkit on Solaris 2.3 using the Sun C compiler
and the /ucb/ucb/cc shell script -- which uses /usr/ucblib instead of
/usr/lib. Everything except ftpd built cleanly with little effort.

Has anyone else built the TIS toolkit in this way? If so, are there
any gotchas?

I'll summarize if there is significant interest.

Todd
todd@world.std.com

From firewalls-owner Thu Sep 8 13:33:37 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id TAA09408; Thu, 8 Sep 1994 19:59:14 GMT
Received: from sinagua.ucc.nau.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA09402; Thu, 8 Sep 1994 12:59:07 -0700
Received: (from tjk@localhost) by sinagua.ucc.nau.edu (8.6.9/2.2-nau) id NAA22700 for firewalls@GreatCircle.com; Thu, 8 Sep 1994 13:03:57 -0700
Date: Thu, 8 Sep 1994 13:03:57 -0700
From: "Tobias J.
Kreidl"
Message-Id: <199409082003.NAA22700@sinagua.ucc.nau.edu>
To: firewalls@GreatCircle.com
Subject: dual ethernet ports
Content-Length: 661
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I have two ethernet ports on a Sun: le0 and le1. le0 has my
IP address that's used for normal communications to the net and its
associated name is registered with the NIC. If I don't want to use the
second ethernet port as a different subnet, but want to split incoming
and outgoing ethernet traffic to take advantage of both ethernet
ports simultaneously, is there any way to configure to achieve this?
The tough part is that each ethernet device needs its own IP address, so
how can I fool the machine into splitting the routing between two (or
potentially, more) ethernet devices?
-- Tobias Kreidl
   Northern Arizona Univ.
   Computing Technology Services

From firewalls-owner Thu Sep 8 16:29:50 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id XAA11022; Thu, 8 Sep 1994 23:24:20 GMT
Received: from versant.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA11016; Thu, 8 Sep 1994 16:24:08 -0700
Received: from gwarn.versant.com by versant.com (4.1/SMI-4.1) id AA13485; Thu, 8 Sep 94 16:32:16 PDT
Message-Id: <9409082332.AA13485@versant.com>
To: smartin@fujitsu.ca (Steve Martin)
Cc: firewalls@GreatCircle.COM
Subject: Re: Filtering all IP Packets that contain options
In-Reply-To: Your message of "Thu, 08 Sep 94 13:22:57 EDT." <9409081722.AA17449@falcon.fujitsu.ca>
Date: Thu, 08 Sep 94 16:27:51 -0700
From: strick -- henry strickland
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

THUS SPAKE smartin@fujitsu.ca (Steve Martin):
# I am therefore thinking of tossing all incoming IP packets that do not
# have an IP header length of 5 words. This means that I will be tossing all
# packets that contain options. Is there a problem with this?
From what I've read, I find that only exotic things, the kinds you don't
want, have ip_hl != 5. You should do fine like that.

(However there is a TCP header option (not ip header options) that happens
on most TCP streams -- the Max Segment Size option.)

        strick

From firewalls-owner Thu Sep 8 17:29:11 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id XAA11067; Thu, 8 Sep 1994 23:28:27 GMT
Received: from Sun.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA11061; Thu, 8 Sep 1994 16:28:19 -0700
Received: from Corp.Sun.COM (lemay.Corp.Sun.COM) by Sun.COM (sun-barr.Sun.COM) id AA04689; Thu, 8 Sep 94 16:33:43 PDT
Received: from toma.Corp.Sun.COM by Corp.Sun.COM (4.1(1/24/94)/elliemay (corpmail1 inbound)) id AA12612; Thu, 8 Sep 94 16:33:42 PDT
Received: by toma.Corp.Sun.COM (5.0/SMI-SVR4) id AA16247; Thu, 8 Sep 1994 16:36:22 +0800
Date: Thu, 8 Sep 1994 16:36:22 +0800
From: Tom.Ajayebi@Corp.Sun.COM (Tom Ajayebi)
Message-Id: <9409082336.AA16247@toma.Corp.Sun.COM>
To: firewalls@GreatCircle.COM
X-Sun-Charset: US-ASCII
Content-Length: 26
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Majordomo@GreatCircle.COM

From firewalls-owner Thu Sep 8 18:02:16 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id AAA11401; Fri, 9 Sep 1994 00:10:06 GMT
Received: from iphase.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id RAA11392; Thu, 8 Sep 1994 17:09:56 -0700
Received: from chip.iphase.com by iphase.com (4.1/1.34) id AA23653; Thu, 8 Sep 94 19:14:46 CDT
Received: by chip.iphase.com (4.1/SMI-4.1) id AA26770; Thu, 8 Sep 94 19:14:45 CDT
From: plarkin@iphase.com (Patrick Larkin Jr)
Message-Id: <9409090014.AA26770@chip.iphase.com>
Subject: SLIP/PPP and Authenticators
To: firewalls@greatcircle.com
Date: Thu, 8 Sep 1994 19:14:44 -0500 (CDT)
Reply-To: plarkin@iphase.com
X-Mailer: ELM [version 2.4 PL21]
Mime-Version: 1.0
Content-Type: text/plain;
charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1742
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I need some help from you folks on what may seem like a REAL newbie type
question. I have no experience with SLIP/PPP on a Unix host. The extent of
my knowledge is watching someone set up an account on a NetBlazer for a
number of users with Suns at home to connect to our net.

It was decided that we would require the use of password tokens (one-time
password generators) for ALL remote access to our net (Remote being "not in
this building"). I've been looking very closely at SecurID which is
supported by the NetBlazer as the solution to use for SLIP/PPP users
(SNK-004s would be used for dial-up and telnet only users due to its lower
cost of support via the FWTK).

The problem is that one of my SLIP/PPP-users-at-home is telling me that
there is no way to interact with the Solaris <--> NetBlazer negotiation
sequence. Is this true (and I'm getting a load of crap from the SecurID
guy)? Or is this user feeding me a line of crap? Is this the case with MOST
Unix SLIP/PPP implementations? What do YOU do about SLIP/PPP at YOUR site?
(Most of my SLIP/PPP users are Engineering types if that makes a
difference.)

Please respond directly to me due to the 'newbie-esque' nature of my
question.

Thanks,
--
+========================================================================+
| PATRICK H LARKIN, JR. - System Administrator, Interphase Corp, Dallas  |
|>----------------------------------------------------------------------<|
| Internet: PLarkin@Iphase.COM  | Home: ..uunet!iphase!mustang!patrick   |
| "Ma-Bell Net": 214-919-9000   | "Snail Mail Net": 13800 Senlac Dr.
|
| "Faxnet": 214-919-9200        | Dallas TX 75234                        |
+========================================================================+

From firewalls-owner Thu Sep 8 22:30:11 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id EAA12727; Fri, 9 Sep 1994 04:39:31 GMT
Received: from escape.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id VAA12721; Thu, 8 Sep 1994 21:39:24 -0700
Received: (kc@localhost) by escape.com (8.6.9/8.6.5) id AAA09231 for firewalls@GreatCircle.COM; Fri, 9 Sep 1994 00:46:07 -0400
From: kc
Message-Id: <199409090446.AAA09231@escape.com>
Subject: remove from mail list
To: firewalls@GreatCircle.COM
Date: Fri, 9 Sep 1994 00:46:06 -0400 (EDT)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 22
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

remove kc@escape.com

From firewalls-owner Fri Sep 9 04:46:17 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id IAA13757; Fri, 9 Sep 1994 08:44:27 GMT
Received: from heifetz.msen.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id BAA13751; Fri, 9 Sep 1994 01:44:19 -0700
Received: from cfctech.UUCP by heifetz.msen.com with UUCP (Smail3.1.28.1 #12) id m0qj0YX-000ZYUC; Fri, 9 Sep 94 03:39 EDT
Received: from opusnet by cfctech.cfc.com with uucp (Smail3.1.27.1 #3) id m0qixQx-00031fC; Fri, 9 Sep 94 00:19 EDT
From: opus@opusnet.mi.org (Rory Savageau)
Received: by opusnet.mi.org (UMAIL 3.3/MINIX) with UUCP; Fri, 9 Sep 94 00:32:40 EDT
To: firewalls@GreatCircle.COM
Subject: Firewalls for a VAX/VMS
X-Mailer: W-MAIL 3.63+/MINIX
Message-Id: <940909.AA0051@opusnet.mi.org>
Date: Fri, 8 Sep 94 23:58:20
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hi!

I'm wondering if anyone out there has a VAX (or cluster) running VMS that
also has a firewall.
I am in the process of evaluating what I need now and 'set a direction' for
what I will need in the future. Although I would appreciate hearing from
anyone, I am particularly interested in the above.

So as not to waste a whole lot of net bandwidth, please reply to me
directly.

Thanks!

Rory Savageau
opus@opusnet.mi.org
User Services, Lawrence Technological University

From firewalls-owner Fri Sep 9 05:18:28 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id LAA14650; Fri, 9 Sep 1994 11:08:57 GMT
Received: from p-o.ans.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id EAA14644; Fri, 9 Sep 1994 04:08:50 -0700
Received: by p-o.ans.net id AA16643 (5.65c/IDA-1.4.4 for Firewalls mailing list ); Fri, 9 Sep 1994 07:14:10 -0400
Message-Id: <199409091114.AA16643@p-o.ans.net>
Date: Fri, 9 Sep 94 07:02:28 EST
From: "Andrew T. Robinson"
To: Firewalls mailing list , American Nuclear Society
Subject: Internet Firewalls -- REAL POSTSCRIPT this time
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

As promised weeks ago, I have stored a REAL POSTSCRIPT version of
"Internet Firewalls -- An Introduction" on maine.net's anonymous FTP
service. To retrieve the file:

        ftp maine.net
        user anonymous
        binary
        get firewall.ps.Z

The file is compressed using the UNIX compress command; Use compress -d
or uncompress to restore the file to printable format.

PLEASE NOTE that OS/2-inserted ^Ms have NOT been removed from this file.
This is relevant only when downloading to a UNIX system.

ALSO NOTE that this is a work in progress, and as such I would
appreciate any and all constructive input and suggestions.
Andy

From firewalls-owner Fri Sep 9 05:30:16 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id LAA14869; Fri, 9 Sep 1994 11:41:32 GMT
Received: from phyto.rsmas.miami.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id EAA14857; Fri, 9 Sep 1994 04:41:21 -0700
Date: Fri, 9 Sep 1994 7:47:30 -0400 (EDT)
From: Charlie Byrne
To: firewalls@GreatCircle.COM
CC: BYRNE@phyto.rsmas.miami.edu
Message-Id: <940909074730.128@phyto.rsmas.miami.edu>
Subject: Need all firewall info
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I need all the info I can get on firewalls. Pointers to info sources would
be much appreciated.

TIA.
---
Charlie Byrne * University of Miami * Div of Marine Biology and Fisheries
4600 Rickenbacker Causeway, Miami, FL 33149 * Voice: (305) 361-4705
Usual disclaimers apply.

From firewalls-owner Fri Sep 9 05:52:02 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id KAA14494; Fri, 9 Sep 1994 10:43:40 GMT
Received: from anjou.data.telia.se by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id DAA14488; Fri, 9 Sep 1994 03:43:24 -0700
Received: by anjou.data.telia.se (5.65/DEC-Ultrix/4.3) id AA09543; Fri, 9 Sep 1994 12:50:42 GMT
Message-Id: <9409091250.AA09543@anjou.data.telia.se>
X-Sender: ingemar@anjou.data.telia.se
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 09 Sep 1994 12:49:54 +0100
To: firewalls@greatcircle.com
From: ingemar@anjou.data.telia.se (Ingemar Lundqvist)
Subject: Re: mail failed, sending to postmaster
X-Mailer:
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>|------------------------- Message log follows: -------------------------|
> Xfail: <> reason: (ERR_133) transport local: failed to open output file: No such file or directory
>|------------------------- Failed addresses follow: ---------------------|
> ...
> transport local: failed to open output file: No such file or directory
>|------------------------- Message text follows: ------------------------|
>Received: from sunic.sunet.se by palantir.p.tvt.se with smtp
>        (Smail3.1.28.1 #2) id m0qipqb-000aFfa; Thu, 8 Sep 94 22:13 WET DST
>Received: from relay2.UU.NET by sunic.sunet.se (8.6.8/2.03)
>        id VAA21972; Thu, 8 Sep 1994 21:16:26 +0200
>Received: from mycroft.GreatCircle.COM by relay2.UU.NET with SMTP
>        id QQxgmu26796; Thu, 8 Sep 1994 15:12:39 -0400
>Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829)
>        id RAA08034; Thu, 8 Sep 1994 17:42:10 GMT
>Received: from ftp.std.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829)
>        id KAA08027; Thu, 8 Sep 1994 10:42:03 -0700
>Received: from world.std.com by ftp.std.com (8.6.8.1/Spike-8-1.0)
>        id NAA10798; Thu, 8 Sep 1994 13:47:27 -0400
>Received: by world.std.com (5.65c/Spike-2.0)
>        id AA28659; Thu, 8 Sep 1994 13:47:25 -0400
>Message-Id: <199409081747.AA28659@world.std.com>
>To: firewalls@GreatCircle.COM
>Cc: twj@world.std.com
>Subject: Building TIS on Solaris 2.3 using ucblib's
>Date: Thu, 08 Sep 1994 13:47:24 -0400
>From: Todd W Joseph
>Sender: Firewalls-Owner@GreatCircle.COM
>Precedence: bulk
>
>
>Hi Folks,
>
>I have built the TIS toolkit on Solaris 2.3 using the Sun C compiler
>and the /ucb/ucb/cc shell script -- which uses /usr/ucblib instead of
>/usr/lib. Everything except ftpd built cleanly with little effort.
>
>Has anyone else built the TIS toolkit in this way? If so, are there
>any gotchas?
>
>I'll summarize if there is significant interest.
>
>Todd
>todd@world.std.com
>
>

------------------------------------
!                                  !
! Ingemar Lundqvist                !
! Telia Data AB                    !
! Sweden                           !
------------------------------------
e-mail: ingemar@han.data.telia.se
phone: 08 - 707 24 13
minicall: 0746 - 49 20 14

From firewalls-owner Fri Sep 9 06:07:46 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id LAA14882; Fri, 9 Sep 1994 11:42:46 GMT
Received: from anjou.data.telia.se by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id EAA14876; Fri, 9 Sep 1994 04:42:32 -0700
Received: by anjou.data.telia.se (5.65/DEC-Ultrix/4.3) id AA28771; Fri, 9 Sep 1994 13:49:50 GMT
Message-Id: <9409091349.AA28771@anjou.data.telia.se>
X-Sender: ingemar@anjou.data.telia.se
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 09 Sep 1994 13:49:03 +0100
To: firewalls@greatcircle.com
From: ingemar@anjou.data.telia.se (Ingemar Lundqvist)
Subject: Dialup routers????
X-Mailer:
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>|------------------------- Message log follows: -------------------------|
> Xfail: <> reason: (ERR_133) transport local: failed to open output file: No such file or directory
>|------------------------- Failed addresses follow: ---------------------|
> ...
> transport local: failed to open output file: No such file or directory
>|------------------------- Message text follows: ------------------------|
>Received: from sunic.sunet.se by palantir.p.tvt.se with smtp
>        (Smail3.1.28.1 #2) id m0qipxl-000aFja; Thu, 8 Sep 94 22:20 WET DST
>Received: from relay2.UU.NET by sunic.sunet.se (8.6.8/2.03)
>        id OAA26367; Thu, 8 Sep 1994 14:54:19 +0200
>Received: from mycroft.GreatCircle.COM by relay2.UU.NET with SMTP
>        id QQxglv21712; Thu, 8 Sep 1994 08:51:11 -0400
>Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829)
>        id LAA05277; Thu, 8 Sep 1994 11:40:22 GMT
>Received: from granite.corsof.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829)
>        id EAA05271; Thu, 8 Sep 1994 04:40:12 -0700
>Message-Id: <199409081140.EAA05271@mycroft.GreatCircle.COM>
>Received: from dave.corsof.com by granite.corsof.com with SMTP
>        (1.37.109.4/16.2) id AA14253; Thu, 8 Sep 94 07:34:12 -0400
>X-Sender: dave@pop.corsof.com
>Mime-Version: 1.0
>Content-Type: text/plain; charset="us-ascii"
>Date: Thu, 08 Sep 1994 07:39:46 -0400
>To: firewalls@GreatCircle.COM
>From: DaveBelliveau@corsof.com (Dave Belliveau)
>Subject: Dialup routers????
>X-Mailer:
>Sender: Firewalls-Owner@GreatCircle.COM
>Precedence: bulk
>
>Hi,
>
>I'm shopping for a low cost dialup router with enough filtering
>capability to make it suitable for use as a firewall. Does anyone
>have any suggestions.
>
>---------------------------------
>Dave Belliveau
>Cornerstone Software, Inc.
>11 Trafalgar Square
>Nashua, NH 03063
>
>email: DaveBelliveau@corsof.com
>phone: 603-595-7480
>fax: 603-882-7313
>---------------------------------
>
>

------------------------------------
!                                  !
! Ingemar Lundqvist                !
! Telia Data AB                    !
! Sweden                           !
------------------------------------
e-mail: ingemar@han.data.telia.se
phone: 08 - 707 24 13
minicall: 0746 - 49 20 14

From firewalls-owner Fri Sep 9 06:31:38 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA15093; Fri, 9 Sep 1994 12:12:08 GMT
Received: from anjou.data.telia.se by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id FAA15074; Fri, 9 Sep 1994 05:11:50 -0700
Received: by anjou.data.telia.se (5.65/DEC-Ultrix/4.3) id AA08386; Fri, 9 Sep 1994 14:19:12 GMT
Message-Id: <9409091419.AA08386@anjou.data.telia.se>
X-Sender: ingemar@anjou.data.telia.se
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 09 Sep 1994 14:18:24 +0100
To: firewalls@greatcircle.com
From: ingemar@anjou.data.telia.se (Ingemar Lundqvist)
Subject: dual ethernet ports
X-Mailer:
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>|------------------------- Message log follows: -------------------------|
> Xfail: <> reason: (ERR_133) transport local: failed to open output file: No such file or directory
>|------------------------- Failed addresses follow: ---------------------|
> ...
> transport local: failed to open output file: No such file or directory
>|------------------------- Message text follows: ------------------------|
>Received: from relay2.UU.NET by palantir.p.tvt.se with smtp
>        (Smail3.1.28.1 #2) id m0qiqoq-000aFfa; Thu, 8 Sep 94 23:15 WET DST
>Received: from mycroft.GreatCircle.COM by relay2.UU.NET with SMTP
>        id QQxgnc02240; Thu, 8 Sep 1994 17:07:56 -0400
>Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829)
>        id TAA09408; Thu, 8 Sep 1994 19:59:14 GMT
>Received: from sinagua.ucc.nau.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829)
>        id MAA09402; Thu, 8 Sep 1994 12:59:07 -0700
>Received: (from tjk@localhost) by sinagua.ucc.nau.edu (8.6.9/2.2-nau) id NAA22700 for firewalls@GreatCircle.com; Thu, 8 Sep 1994 13:03:57 -0700
>Date: Thu, 8 Sep 1994 13:03:57 -0700
>From: "Tobias J. Kreidl"
>Message-Id: <199409082003.NAA22700@sinagua.ucc.nau.edu>
>To: firewalls@GreatCircle.COM
>Subject: dual ethernet ports
>Content-Length: 661
>Sender: Firewalls-Owner@GreatCircle.COM
>Precedence: bulk
>
>I have two ethernet ports on a Sun: le0 and le1. le0 has my
>IP address that's used for normal communications to the net and its
>associated name is registered with the NIC. If I don't want to use the
>second ethernet port as a different subnet, but want to split incoming
>and outgoing ethernet traffic to take advantage of both ethernet
>ports simultaneously, is there any way to configure to achieve this?
>The tough part is that each ethernet device needs its own IP address, so
>how can I fool the machine into splitting the routing between two (or
>potentially, more) ethernet devices?
>-- Tobias Kreidl
>   Northern Arizona Univ.
>   Computing Technology Services
>
>

------------------------------------
!                                  !
! Ingemar Lundqvist                !
! Telia Data AB                    !
! Sweden                           !
------------------------------------
e-mail: ingemar@han.data.telia.se
phone: 08 - 707 24 13
minicall: 0746 - 49 20 14

From firewalls-owner Fri Sep 9 06:41:48 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id KAA14551; Fri, 9 Sep 1994 10:58:46 GMT
Received: from anjou.data.telia.se by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id DAA14545; Fri, 9 Sep 1994 03:58:35 -0700
Received: by anjou.data.telia.se (5.65/DEC-Ultrix/4.3) id AA14507; Fri, 9 Sep 1994 13:05:58 GMT
Message-Id: <9409091305.AA14507@anjou.data.telia.se>
X-Sender: ingemar@anjou.data.telia.se
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 09 Sep 1994 13:05:09 +0100
To: firewalls@greatcircle.com
From: ingemar@anjou.data.telia.se (Ingemar Lundqvist)
Subject: Filtering all IP Packets that contain options
X-Mailer:
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>|------------------------- Message log follows: -------------------------|
> Xfail: <> reason: (ERR_133) transport local: failed to open output file: No such file or directory
>|------------------------- Failed addresses follow: ---------------------|
> ...
> transport local: failed to open output file: No such file or directory
>|------------------------- Message text follows: ------------------------|
>Received: from sunic.sunet.se by palantir.p.tvt.se with smtp
>        (Smail3.1.28.1 #2) id m0qipt5-000aFka; Thu, 8 Sep 94 22:16 WET DST
>Received: from relay2.UU.NET by sunic.sunet.se (8.6.8/2.03)
>        id TAA10656; Thu, 8 Sep 1994 19:59:03 +0200
>Received: from mycroft.GreatCircle.COM by relay2.UU.NET with SMTP
>        id QQxgmp02702; Thu, 8 Sep 1994 13:56:20 -0400
>Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829)
>        id RAA07843; Thu, 8 Sep 1994 17:17:35 GMT
>Received: from seraph.uunet.ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829)
>        id KAA07835; Thu, 8 Sep 1994 10:17:25 -0700
>Received: from fujitsu.ca ([142.77.30.2]) by mail.uunet.ca with SMTP id <95314-2>; Thu, 8 Sep 1994 13:22:48 -0400
>Received: by fujitsu.ca (4.1/SMI-4.1)
>        id AA20194; Thu, 8 Sep 94 13:23:40 EDT
>Received: from falcon.fsbc.ca(192.10.1.205) by jay via smap (V1.3mjr)
>        id sma020187; Thu Sep 8 13:23:38 1994
>Received: by falcon.fujitsu.ca (4.1/SMI-4.1)
>        id AA17449; Thu, 8 Sep 94 13:22:57 EDT
>Date: Thu, 8 Sep 1994 13:22:57 -0400
>From: smartin@fujitsu.ca (Steve Martin)
>Message-Id: <9409081722.AA17449@falcon.fujitsu.ca>
>To: firewalls@GreatCircle.COM
>Subject: Filtering all IP Packets that contain options
>Sender: Firewalls-Owner@GreatCircle.COM
>Precedence: bulk
>
>Hi,
>
>  I'm trying to set up some filters on my gateway. Unfortunately the software
>that I'm using is somewhat limited and requires that you match patterns in the
>packets. In order to do this I have to make sure that the fields in the TCP
>header are always in the same place. To do this the size of the IP header must be
>fixed. I am therefore thinking of tossing all incoming IP packets that do not
>have an IP header length of 5 words. This means that I will be tossing all
>packets that contain options. Is there a problem with this?
>From what I've read,
>you want to get rid of any packets that contain source routing options anyway,
>are any other options common and desirable?
>--------------------------------------------------------------------------------
>Stephen Martin             oO           Fujitsu Systems Business of Canada, Inc.
>smartin@fujitsu.ca                      Fujitsu Box 30
>Phone: (416)512-0342 x3137              5140 Yonge St., Suite 2000
>Fax: (416)512-0344                      North York, Ontario, Canada. M2N 6L7
>--------------------------------------------------------------------------------
>
>

------------------------------------
!                                  !
! Ingemar Lundqvist                !
! Telia Data AB                    !
! Sweden                           !
------------------------------------
e-mail: ingemar@han.data.telia.se
phone: 08 - 707 24 13
minicall: 0746 - 49 20 14

From firewalls-owner Fri Sep 9 07:04:17 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id LAA14626; Fri, 9 Sep 1994 11:05:32 GMT
Received: from anjou.data.telia.se by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id EAA14620; Fri, 9 Sep 1994 04:05:22 -0700
Received: by anjou.data.telia.se (5.65/DEC-Ultrix/4.3) id AA16705; Fri, 9 Sep 1994 13:12:45 GMT
Message-Id: <9409091312.AA16705@anjou.data.telia.se>
X-Sender: ingemar@anjou.data.telia.se
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 09 Sep 1994 13:11:57 +0100
To: firewalls@greatcircle.com
From: ingemar@anjou.data.telia.se (Ingemar Lundqvist)
Subject: Re: Livingston vs MorningStar routers
X-Mailer:
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>|------------------------- Message log follows: -------------------------|
> Xfail: <> reason: (ERR_133) transport local: failed to open output file: No such file or directory
>|------------------------- Failed addresses follow: ---------------------|
> ...
transport local: failed to open output file: No such file or directory
>|------------------------- Message text follows: ------------------------|
>From: m-kf2480@SPARKY.CS.NYU.EDU (Kuojueng Fung)
>Subject: Re: Livingston vs MorningStar routers
>To: firewalls@GreatCircle.COM
>Date: Thu, 8 Sep 94 10:50:45 EDT
>
>> Just set up a Livingston Router. It was shipped with obsolete software
>> that didn't work with the LMI protocol, and can NOT have more than one
>> subnet mask type. This is a FATAL flaw. My frame relay service provider
>> had to provide me with an entire class C address just so they could have
>> a dedicated circuit to our Livingston router. IE:
>> Insinc (frame relay service provider) netmask (router-router) was
>> 255.255.255.252. Perfect, gate the routers their own little net - 1,2
>> for the routers and 0 and 3 for network and broadcast address. The
>> Livingston IRX portmaster could not do this as I required a netmask of
>> 255.255.255.0 for my internal network.
>> In short, I needed the frm1 interface to have a netmask of 255.255.255.252.
>> I needed my ether0 interface to have a netmask of 255.255.255.0.
>> The Livingston portmaster could not handle this. Yuck.
>>
>Funny thing, I just replaced my Livingston with Cisco 2500, the Livingston
>was grabbing my internal packets and bouncing it off the router at my service
>provider. What I actually had to do was create permanent arp entries in my
>bastion host to get around this problem.
>
>Granted I have had the Cisco for about an hour but it seems to be handling
>the routing much better.
>
>Kuojueng Fung
>Manager, System & Architecture
>Prentice Hall Legal & Financial Services

From firewalls-owner Fri Sep 9 07:21:44 1994
Date: Fri, 09 Sep 1994 15:01:13 +0100
To: smartin@fujitsu.ca (Steve Martin)
From: ingemar@anjou.data.telia.se (Ingemar Lundqvist)
Subject: Re: Filtering all IP Packets that contain options
Cc: firewalls@greatcircle.com
>To: smartin@fujitsu.ca (Steve Martin)
>Cc: firewalls@GreatCircle.COM
>Subject: Re: Filtering all IP Packets that contain options
>In-Reply-To: Your message of "Thu, 08 Sep 94 13:22:57 EDT."
>Date: Thu, 08 Sep 94 16:27:51 -0700
>From: strick -- henry strickland
>
>THUS SPAKE smartin@fujitsu.ca (Steve Martin):
># I am therefore thinking of tossing all incoming IP packets that do not
># have an IP header length of 5 words. This means that I will be tossing all
># packets that contain options. Is there a problem with this? From what I've read,
>
>I find that only exotic things, the kinds you don't want, have ip_hl != 5.
>
>You should do fine like that.
>
>(However there is a TCP header option (not ip header options)
>that happens on most TCP streams -- the Max Segment Size option.)
>
>        strick
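As an added example (written for this archive, not code from the thread or from anyone's gateway software): a small C rendering of the check Steve Martin describes and the point strick makes, run over three packets constructed by hand. It shows that a TCP SYN carrying the MSS option still has ip_hl == 5, that a source-routed packet fails the test, and that a packet padded with harmless NOP options fails it too; the option codes are the standard assigned values, everything else is made up for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the thread: the "IP header must be 5 words" test
 * Steve Martin proposes, an option walk that names source routing for the
 * log, and a look at where the TCP header lands.  Packets are constructed
 * by hand; checksums are left zero because nothing here verifies them. */

#define IPOPT_EOL   0    /* end of option list */
#define IPOPT_NOP   1    /* no-operation (padding) */
#define IPOPT_LSRR  131  /* loose source and record route */
#define IPOPT_SSRR  137  /* strict source and record route */

enum verdict { PASS = 0, DROP_BAD_LEN = 1, DROP_HAS_OPTIONS = 2 };

/* IP header length in 32-bit words, or 0 if not a plausible IPv4 packet. */
static unsigned ip_hl_words(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    return pkt[0] & 0x0f;
}

/* The policy from the thread: only a 5-word (20-byte, option-free) IP header
 * passes, so the TCP header always starts at byte 20 and fixed-offset
 * pattern matching keeps working. */
enum verdict filter_fixed_header(const uint8_t *pkt, size_t len) {
    unsigned hl = ip_hl_words(pkt, len);
    if (hl < 5 || (size_t)hl * 4 > len) return DROP_BAD_LEN;   /* truncated/malformed */
    return hl == 5 ? PASS : DROP_HAS_OPTIONS;
}

/* Walk the option area (bytes 20 .. hl*4).  Returns 1 if LSRR or SSRR is
 * present, 0 if only other options are, -1 if the list is malformed.  Lets
 * the gateway log *why* a packet was dropped, not only that it was. */
int ip_has_source_route(const uint8_t *pkt, size_t len) {
    unsigned hl = ip_hl_words(pkt, len);
    if (hl < 5 || (size_t)hl * 4 > len) return -1;
    size_t off = 20, end = (size_t)hl * 4;
    while (off < end) {
        uint8_t type = pkt[off];
        if (type == IPOPT_EOL) break;
        if (type == IPOPT_NOP) { off++; continue; }     /* one-byte option */
        if (off + 1 >= end) return -1;                  /* length byte missing */
        uint8_t olen = pkt[off + 1];
        if (olen < 2 || off + olen > end) return -1;    /* bad length */
        if (type == IPOPT_LSRR || type == IPOPT_SSRR) return 1;
        off += olen;
    }
    return 0;
}

/* TCP data offset (words) from the TCP header that follows the IP header.
 * A TCP option such as MSS raises this value; the IP hl stays at 5. */
unsigned tcp_data_offset_words(const uint8_t *pkt, size_t len) {
    unsigned hl = ip_hl_words(pkt, len);
    size_t tcp = (size_t)hl * 4;
    if (hl < 5 || tcp + 20 > len) return 0;
    return pkt[tcp + 12] >> 4;
}

/* Constructed: option-free IP header, then a TCP SYN with the MSS option
 * (TCP data offset 6, IP hl still 5). */
const uint8_t PKT_PLAIN_MSS[] = {
    0x45, 0x00, 0x00, 0x2c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    192, 0, 2, 1,  198, 51, 100, 7,                 /* src, dst */
    0x04, 0x00, 0x00, 0x17, 0, 0, 0, 0, 0, 0, 0, 0, /* ports, seq, ack */
    0x60, 0x02, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, /* offset 6, SYN */
    0x02, 0x04, 0x05, 0xb4 };                       /* MSS = 1460 */

/* Constructed: hl = 7; options = LSRR (len 7, pointer 4, hop 10.0.0.1) + EOL. */
const uint8_t PKT_LSRR[] = {
    0x47, 0x00, 0x00, 0x30, 0x00, 0x02, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    192, 0, 2, 1,  198, 51, 100, 7,
    131, 7, 4, 10, 0, 0, 1, 0,
    0x04, 0x00, 0x00, 0x17, 0, 0, 0, 0, 0, 0, 0, 0,
    0x50, 0x02, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00 };

/* Constructed: hl = 6; options = three NOPs + EOL (harmless, but not 5 words). */
const uint8_t PKT_NOP[] = {
    0x46, 0x00, 0x00, 0x2c, 0x00, 0x03, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    192, 0, 2, 1,  198, 51, 100, 7,
    1, 1, 1, 0,
    0x04, 0x00, 0x00, 0x17, 0, 0, 0, 0, 0, 0, 0, 0,
    0x50, 0x02, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00 };

int main(void) {
    printf("plain+MSS: verdict %d, tcp offset %u words\n",
           filter_fixed_header(PKT_PLAIN_MSS, sizeof PKT_PLAIN_MSS),
           tcp_data_offset_words(PKT_PLAIN_MSS, sizeof PKT_PLAIN_MSS));
    printf("LSRR:      verdict %d, source route %d\n",
           filter_fixed_header(PKT_LSRR, sizeof PKT_LSRR),
           ip_has_source_route(PKT_LSRR, sizeof PKT_LSRR));
    printf("NOP only:  verdict %d, source route %d\n",
           filter_fixed_header(PKT_NOP, sizeof PKT_NOP),
           ip_has_source_route(PKT_NOP, sizeof PKT_NOP));
    return 0;
}
```

The NOP-only case is the answer to Steve Martin's "are any other options common and desirable": the fixed-length rule drops them regardless, so the source-route walk is only there to make the log say which kind of option was seen.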
From firewalls-owner Fri Sep 9 07:32:15 1994
Date: Fri, 09 Sep 1994 13:16:57 +0100
To: reh@wam.umd.edu
From: ingemar@anjou.data.telia.se (Ingemar Lundqvist)
Subject: Re: Livingston vs MorningStar routers
Cc: firewalls@greatcircle.com, bob@morningstar.com
>Date: Thu, 8 Sep 1994 08:47:06 +0100
>From: Mark Swanson
>Subject: Re: Livingston vs MorningStar routers
>To: Richard Huddleston
>cc: firewalls@GreatCircle.COM, bob@morningstar.com
>
>> I need to hear from folks who actually build firewalls (you know
>> who you are) regarding any experience they may have with the
>> Livingston "FireWall IRX" and/or MorningStar Express Plus routers.
>>
>Just set up a Livingston Router. It was shipped with obsolete software
>that didn't work with the LMI protocol, and can NOT have more than one
>subnet mask type. This is a FATAL flaw. My frame relay service provider
>had to provide me with an entire class C address just so they could have
>a dedicated circuit to our Livingston router. IE:
>Insinc (frame relay service provider) netmask (router-router) was
>255.255.255.252.
>Perfect, gate the routers their own little net - 1,2
>for the routers and 0 and 3 for network and broadcast address. The
>Livingston IRX portmaster could not do this as I required a netmask of
>255.255.255.0 for my internal network.
>In short, I needed the frm1 interface to have a netmask of 255.255.255.252.
>I needed my ether0 interface to have a netmask of 255.255.255.0.
>The Livingston portmaster could not handle this. Yuck.
>
>Mark Swanson -----------------------------|
>Systems Architect, Global -X- Change Inc. |
>mswanson@globalx.net ---------------------|

From firewalls-owner Fri Sep 9 08:31:34 1994
Date: Fri, 09 Sep 1994 15:02:41 +0100
To: firewalls@greatcircle.com
From: ingemar@anjou.data.telia.se (Ingemar Lundqvist)
>Date: Thu, 8 Sep 1994 16:36:22 +0800
>From: Tom.Ajayebi@Corp.Sun.COM (Tom Ajayebi)
>To: firewalls@GreatCircle.COM
>
>Majordomo@GreatCircle.COM
From firewalls-owner Fri Sep 9 09:29:30 1994
Date: Fri, 09 Sep 1994 15:03:44 +0100
To: firewalls@greatcircle.com
From: ingemar@anjou.data.telia.se (Ingemar Lundqvist)
Subject: SLIP/PPP and Authenticators
>From: plarkin@iphase.com (Patrick Larkin Jr)
>Subject: SLIP/PPP and Authenticators
>To: firewalls@GreatCircle.COM
>Date: Thu, 8 Sep 1994 19:14:44 -0500 (CDT)
>Reply-To: plarkin@iphase.com
>
>I need some help from you folks on what may seem like a REAL newbie type
>question. I have no experience with SLIP/PPP on a Unix host. The extent
>of my knowledge is watching someone set up an account on a NetBlazer for
>a number of users with Suns at home to connect to our net.
>
>It was decided that we would require the use of
>password tokens (one-time password generators) for ALL remote access to
>our net (Remote being "not in this building"). I've been looking very
>closely at SecurID which is supported by the NetBlazer as the solution
>to use for SLIP/PPP users (SNK-004s would be used for dial-up and telnet
>only users due to its lower cost of support via the FWTK).
>
>The problem is that one of my SLIP/PPP-users-at-home is telling me
>that there is no way to interact with the Solaris <--> NetBlazer
>negotiation sequence. Is this true (and I'm getting a load of
>crap from the SecurID guy)? Or is this user feeding me a line of
>crap? Is this the case with MOST Unix SLIP/PPP implementations?
>
>What do YOU do about SLIP/PPP at YOUR site? (Most of my SLIP/PPP
>users are Engineering types if that makes a difference.)
>Please respond directly to me due to the 'newbie-esque' nature of my question.
>Thanks,
>--
>+========================================================================+
>| PATRICK H LARKIN, JR. - System Administrator, Interphase Corp, Dallas  |
>|>----------------------------------------------------------------------<|
>| Internet: PLarkin@Iphase.COM | Home: ..uunet!iphase!mustang!patrick    |
>| "Ma-Bell Net": 214-919-9000  | "Snail Mail Net": 13800 Senlac Dr.      |
>| "Faxnet": 214-919-9200       |                   Dallas TX 75234       |
>+========================================================================+
From firewalls-owner Fri Sep 9 09:52:05 1994
Date: Fri, 09 Sep 1994 15:44:01 +0100
To: firewalls@greatcircle.com
From: ingemar@anjou.data.telia.se (Ingemar Lundqvist)
Subject: remove from mail list
>From: kc
>Subject: remove from mail list
>To: firewalls@GreatCircle.COM
>Date: Fri, 9 Sep 1994 00:46:06 -0400 (EDT)
>
>remove kc@escape.com
From firewalls-owner Sun Sep 11 01:35:25 1994
Date: Thu, 1 Sep 1994 07:04:02 -0400
From: Larry Chin
To: mjs@tiaa.org
Subject: Re: I hate DNS...
Cc: firewalls@greatcircle.com

>> But mostly only because I don't fully understand it. What I want to do
>> is set up to do as Brent and others recommend: bastion host lies like
>> hell, but is authoritative for the domain; establishes MX records to
>> forward everything for the domain to the "inside"; provides bogus, but
>> sufficient, information for A and PTR records (so I can still use e.g.,
>> ftp.uu.net). Does anyone have a template they can mail to me, or is
>> there an example available via ftp somewhere?!?

This is actually not too hard to do ( once you've done it yourself :-) ).

In a nutshell:

Put a full set of DNS db files on the bastion complete with SOA records
and named.boot records that make the bastion look like the primary.
The trick here is to put only the hosts you want the world to know
about in the hosts file on the bastion.
You then create a resolv.conf
file that points at the real primary behind the firewall, to allow
resolution of addresses behind the firewall.

In addition, the real primary has a forwarders line in the named boot
file that points at the bastion. This latter is necessary since the real
primary cannot connect directly to the Internet. Hence if an inquiry is
sent to the real primary that requires a look up on an external host,
the inquiry is sent to the bastion which does the lookup and returns
the answer to the real primary.

One other thing, you probably want to get a separate Class C for your
perimeter net, you didn't mention that anywhere, so just in case ......

Examples ? See the attached. I have tried to make them generic and
hopefully I haven't made too many typos in doing so - caveat emptor.

Hope this helps.

Thu Sep 1 07:01:15 EDT 1994
===========================================================================
Larry Chin {larry@cchtor.ca.cch.com}      System/Network Administrator
CCH Canadian Ltd.                         (416) 441-4001 ext.
349
===========================================================================
"I don't care who does the electing as long as I get to do the nominating"
                                                          -- Boss Tweed

----------
X-Sun-Data-Name: example.dns.tar
X-Sun-Encoding-Info: uuencode
X-Sun-Content-Lines: 368

Date: Fri, 9 Sep 1994 12:29:59 -0400 (EDT)
From: Keren Nick
Subject: Rtip
To: firewalls@greatcircle.com

Our firewall has caught someone trying to access a host via port 771
(rtip). We have looked everywhere we can but still have no idea what rtip
actually is. Can anyone shed some light on this mystery port number.

From firewalls-owner Sun Sep 11 02:30:55 1994
Date: Fri, 9 Sep 94 11:33:57 PDT
From: parker@mprgate.mpr.ca (Ross Parker)
To: firewalls@greatcircle.com
Subject: Multi-port vs. multiple routers.
We're in the process of designing a firewall for our network. This will
include a 'screened' subnet with a bastion host running proxy agents to
permit specific incoming/outgoing services between our main network and
the Internet. The most common setup I've seen for such is as follows
(crude ASCII 'art'):

          ------           ----------           ------
          |    |           |        |           |    |
   -------|router|         |bastion |           |router|------
   Inter- |    |           |        |           |    | internal
   net    |    |--         |        |         --|    | net
          |    |  |        |        |        |  |    |
          ------  |        ----------        |  ------
                  |      screened subnet     |
                  |___________________|______|

Question... Is there any reason that I can't accomplish the same goals
using a multi-port router in place of the two separate routers - as
follows (yet more crude ASCII art):

          ------------------------
          |   Multi-port router  |
          |                      |
          |                      |
          |______________________|
            |        |        |
            |        |        |
     ----------      |      ---------------
     Internet        |      Internal net
                     |
                  Screened
                   subnet
                     |     --------------
                     |     |            |
                     |-----|  Bastion   |
                           |            |
                           |____________|

I.e. can the two above examples be made functionally equivalent?

As it happens, I need the multi-port router anyway, so if I can avoid
purchasing a separate screening router, I'm a few $$$ ahead...

Thanks all!

Ross

--
Ross Parker           | KotHFJ '88 FJ1200, '64 Matchless G80CS (500cc)
MPR Teltech Ltd.
                      | Burnaby, B.C., Canada
                      | "Lisp has all the visual appeal of oatmeal
parker@mprgate.mpr.ca |  with fingernail clippings mixed in" -- Larry Wall

From firewalls-owner Sun Sep 11 10:29:39 1994
Date: Sun, 11 Sep 94 12:45:43 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Rtip

>Our firewall has caught someone trying to access a host via port 771
>(rtip). We have looked everywhere we can but still have no idea what rtip
>actually is. Can anyone shed some light on this mystery port number.

Still not seeing actual sender (sorry) so could not send reply privately.

The only possibly relevant reference I find in the RFCs (other than in
"assigned numbers") is RFC 951 ("Bootstrap Protocol" - BOOTP - 1985)
which refers to "Ethertip". From the context it would seem to be a
bootable operating system.

                                        Warmly,
                                                Padgett

ps Having the RFCs on CD-ROM and a text search program makes searches easy 8*).
From firewalls-owner Sun Sep 11 16:30:07 1994
From: MENSOE@INDY.NAVY.MIL
Date: Fri, 9 Sep 94 16:28:44 EST
To: Firewalls@GreatCircle.COM
Subject: RE: Firewalls Digest V3 #311

Regarding "used bridges" --BEWARE! We have used bridges from 7 different
vendors. Four of them had SERIOUS reliability problems, three were junk
and the vendors were unable/unwilling to fix them. These were mostly well
known products too! And the problems we had were so bad that we finally
sucked up the money and bought replacements.

SO BEWARE OF CHEAP/USED BRIDGES!

From firewalls-owner Mon Sep 12 01:30:15 1994
Date: 12 Sep 1994 04:27:04 GMT
From: "Postmaster"
Subject: DISTRIBUTION STATUS
To: Firewalls@GREATCIRCLE.COM

UFNET.FIREWALL DISTRIBUTION STATUS INFORMATION            09/12/94 04:28:00
=======================================================================
DISTRIBUTION ID: UFNET.FIREWALL.0321
SUBJECT        : Firewalls Digest V3 #313
DATE SENT      : 09/12/94        TIME SENT: 04:26:00
=======================================================================
YOUR MAIL WAS NOT DELIVERED FOR THE FOLLOWING REASON:
SNADS STATUS   : 0401
EXPLANATION    : INVALID DOCUMENT CLASS
=======================================================================
RECIPIENT      : DMS.MARTINT

From firewalls-owner Mon Sep 12 05:30:21 1994
Date: Mon, 12 Sep 1994 12:14:27 +0000
From: Kirby.Kraft.KRAFT@nt.com
To: Firewalls
Subject: Re: Firewalls Digest V3 #311

unsubscibe firewall

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Kirby Kraft                         Technical Services
Internet: kraft@nt.com              Global Information Networks
                                    Northern Telecom Inc.
Phone: (214) 684-7543
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

From firewalls-owner Mon Sep 12 08:34:25 1994
Date: Mon, 12 Sep 94 08:55:03 MDT
From: quent@Intellistor.COM (Quentin Johnson)
To: firewalls@GreatCircle.COM
Subject: Re: Multi-port vs. multiple routers.

parker@mprgate.mpr.ca (Ross Parker) asks:
> ... [Text and diagram deleted...]
>
> Question... Is there any reason that I can't accomplish the same goals
> using a multi-port router in place of the two separate routers - as
> follows (yet more crude ASCII art):
> [other diagram removed]
> I.e. can the two above examples be made functionally equivalent?
>

I think the main reason for two routers is added security. If one router
is compromised the other still protects. This design may also have become
popular with Cisco routers when only output filtering was available --
with only two interfaces, the access-list stuff is simpler.

Functionally the two should be almost equivalent. Another reason might
be that this is the configuration suggested by Cisco in their
documentation.
Cynical folks might conclude it's a way of selling more routers :-) Quent Johnson quent@Intellistor.COM Network Administrator Fujitsu Computer Products of America, Inc. Intellistor R&D Operation Longmont, CO From firewalls-owner Mon Sep 12 11:31:52 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id RAA11603; Mon, 12 Sep 1994 17:29:46 GMT Received: from stoneship.intellistor.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id KAA11597; Mon, 12 Sep 1994 10:29:39 -0700 Received: (from mail@localhost) by stoneship.intellistor.com (8.6.9/8.6.9) id LAA22657 for ; Mon, 12 Sep 1994 11:34:48 -0600 Received: from opus.intellistor.com(192.138.254.13) by stoneship via smap (V1.3mjr) id sma022655; Mon Sep 12 11:34:00 1994 Received: from whizbang.Intellistor.COM by opus (4.1/SMI-opus2) id AA18012; Mon, 12 Sep 94 11:33:33 MDT Received: by whizbang.Intellistor.COM (4.1/SMI-4.1) id AA04236; Mon, 12 Sep 94 11:34:12 MDT Date: Mon, 12 Sep 94 11:34:12 MDT From: quent@Intellistor.COM (Quentin Johnson) Message-Id: <9409121734.AA04236@whizbang.Intellistor.COM> To: quent@intellistor.com Subject: Re: Multi-port vs. multiple routers. Cc: firewalls@greatcircle.com Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk paul@hawksbill.sprintmrn.com (Paul Ferguson) said: > > > Yes, but those of us who know better can attest that a router should > not be used _in_place_ of a well constructed/administered firewall, but > rather, should be use to augment its operation. > > Cheers, > > Who is "us" and what is it that they know? I did not imply that one should only use a router for a firewall; my reply was intended to help the person asking the question. His diagram showed a bastion host, which *was* augmented by the use of router(s). Maybe Cisco makes that implication but I sure don't! 
From firewalls-owner Mon Sep 12 15:34:57 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id VAA13958; Mon, 12 Sep 1994 21:48:23 GMT
Received: from utrcgw.utc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA13951; Mon, 12 Sep 1994 14:48:14 -0700
Received: from caesv1.norden.utc.com (155.104.1.11) by utrcgw.utc.com (PMDF #2906 ) id <01HH0Z9HX8VK003M3I@utrcgw.utc.com>; Mon, 12 Sep 1994 13:46:16 EDT
Received: from caeip2.norden.utc.com ([155.104.1.8]) by caesv1.norden.utc.com (4.1/SMI-4.1) id AA09189; Mon, 12 Sep 94 13:09:21 EDT
Date: 12 Sep 1994 13:09:21 -0400 (EDT)
From: merola@caesv1.norden.utc.com (joe merola)
Subject: Trying to like DNS
To: firewalls@greatcircle.COM
Message-id: <9409121709.AA09189@caesv1.norden.utc.com>
X-Envelope-to: firewalls@greatcircle.COM
Content-transfer-encoding: 7BIT
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Excerpt of recent interchange (Subject: I hate DNS...)

>>> Does anyone have a template they can mail to me, or is
>>> there an example available via ftp somewhere?!?

>> In a nutshell:
>> Put a full set of DNS db files on the bastion complete with SOA records
>> and named.boot records that make the bastion look like the primary.
>> The trick here is to put only the hosts you want the world to know
>> about in the hosts file on the bastion. You then create a resolv.conf
>> file that points at the real primary behind the firewall, to allow
>> resolution of addresses behind the firewall.

Is it *at all NECESSARY* to place an address record for the "real" primary
in the named.hosts file? Can resolv.conf alone do this? I recall from
Ches & Bellovin something to the effect of DNS not using resolv.conf.

I noted your example files listed the 'real' server in named.hosts. I am in
the process of setting up a firewall ala TIS and have not yet configured DNS.
... I plan the use of resolv.conf to forward mail internally (Chapman), but
for nothing else. I don't want to list my internal machines anyplace else.
Is there something I am missing here?

...Also, regarding the mail forwarding to internal machines; to make this
happen using resolv.conf (on a sparc2 sunos4.1.3), is it as simple as
the 'I' option in sendmail.cf, or is this going to be another bad dream?

Joe Merola                        merola@caesv1.norden.utc.com
Norden Systems Inc.               203-852-4569
Computer Aided Engineering

From firewalls-owner Mon Sep 12 16:23:09 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id VAA13880; Mon, 12 Sep 1994 21:39:44 GMT
Received: from rome.software.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA13871; Mon, 12 Sep 1994 14:39:31 -0700
Received: from venice (venice.software.com [198.17.234.5]) by rome.software.com with SMTP id AAA15550 for ; Mon, 12 Sep 1994 14:44:29 -0700
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 12 Sep 1994 14:43:01 -0700
To: firewalls@GreatCircle.COM
From: "John L. MacFarlane"
Subject: Looking for Firewall package and opinions
Message-ID: <19940912214428.AAA15550@venice.software.com>
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hello,

I am trying to find packaged (commercial or otherwise) firewall solutions.
Specifically I am looking for features, pricing and opinions but if you just
have a contact I will follow up myself. I know and use the fwtk so please
don't send me any info on this. I am looking for something slightly more
user friendly for the non-expert.

Thanks in advance,

John L. MacFarlane (John.MacFarlane@Software.com)
President                          Software.com
203 Chapala Street                 (805) 899-4274
Santa Barbara, California 93101    (805) 962-5188 Fax.

From firewalls-owner Mon Sep 12 16:30:04 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id XAA14937; Mon, 12 Sep 1994 23:11:16 GMT
Received: from mprgate.mpr.ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA14931; Mon, 12 Sep 1994 16:11:07 -0700
Received: from norton.mpr.ca by mprgate.mpr.ca with SMTP id AA14989 (5.67b+/IDA-1.5 for ); Mon, 12 Sep 1994 16:16:05 -0700
Received: by norton.mpr.ca (4.1/SMI-4.1) id AA04827; Mon, 12 Sep 94 16:16:05 PDT
Date: Mon, 12 Sep 94 16:16:05 PDT
From: parker@mprgate.mpr.ca (Ross Parker)
Message-Id: <9409122316.AA04827@norton.mpr.ca>
To: firewalls@greatcircle.com
Subject: Re: Multi-port vs. multiple routers. - thanks!
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

(I wrote in requesting comments on multiport router plus two port router
versus multiport router alone for Internet security):

> I.e. can the two above examples be made functionally equivalent?

Thanks all for the overwhelming response! To summarize, the vast majority of
the people who replied favour the multiple-router setup, for the fairly
simple reason that if one of the routers gets compromised, you still have a
defence in place. With a single multi-port router splitting off your screened
subnet as well as your internal network, your eggs are all in one basket - a
cracker gets past that router and he's on your internal net...

Thanks again,
Ross

-- 
Ross Parker             | KotHFJ '88 FJ1200, '64 Matchless G80CS (500cc)
MPR Teltech Ltd.        |
Burnaby, B.C., Canada   | "Lisp has all the visual appeal of oatmeal
parker@mprgate.mpr.ca   |  with fingernail clippings mixed in" -- Larry Wall

From firewalls-owner Mon Sep 12 17:31:13 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id AAA15497; Tue, 13 Sep 1994 00:22:04 GMT
Received: from mugu.navy.mil by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id RAA15491; Mon, 12 Sep 1994 17:21:54 -0700
Received: from qmsmtpgw (qmsmtpgw.mugu.navy.mil) by mugu.navy.mil (4.1/SMI-4.1) id AA14081; Mon, 12 Sep 94 17:28:52 PDT
Message-Id: <9409130028.AA14081@mugu.navy.mil>
Date: 12 Sep 1994 17:19:03 U
From: "Doug Lakin"
Subject: PowerBroker and root access
To: firewalls@GreatCircle.COM
Cc: "A. Ramos"
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

                       Subject:                              Time:5:05 PM
  OFFICE MEMO          PowerBroker and root access           Date:9/12/94

I just received a mailing from Freedman Sharp and Associates regarding their
PowerBroker root access software. According to the literature, the software
partitions root functionality to allow many different users to carry out
system administration actions, and creates an indelible audit trail of such
actions. I don't know if this came up during the root access thread awhile
back (I turned my noise filter on :<) ), but it appears to be the perfect
complement to firewalls administration. Anyone have any experience with the
product?
From firewalls-owner Mon Sep 12 20:29:36 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id DAA16467; Tue, 13 Sep 1994 03:12:42 GMT
Received: from staff.cs.su.OZ.AU by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id UAA16461; Mon, 12 Sep 1994 20:12:30 -0700
Received: from citec.qld.gov.au by staff.cs.su.OZ.AU (mail from sgcccdc for firewalls@GreatCircle.COM) with MHSnet (insertion MHSnet site: citecub.citec.qld.gov.au); Tue, 13 Sep 1994 13:18:00 +1000
Received: by citec.qld.gov.au (5.0/SMI-SVR4) id AA29830; Tue, 13 Sep 1994 13:18:14 --1000
From: sgcccdc@citec.qld.gov.au (Colin Campbell)
Message-Id: <9409130318.AA29830@citec.qld.gov.au>
Subject: Quit now or keep going?
To: firewalls@GreatCircle.COM
Date: Tue, 13 Sep 94 13:18:13 EST
X-Mailer: ELM [version 2.3 PL11]
content-length: 789
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Greetings!

Should I quit now or keep going? I am in the ignominious position of having to
implement a firewall to protect several organisations over which I have absolutely
no control. Let me explain.

                   Internet
                      |
                      |
                   Firewall
                      |
                      |
           -----------+------------------
           |        Router(s)           |
           --+--------+-------+--------+-
             |        |       |        |
             |        |       |        |
           OrgA     OrgB    OrgC      Us

Everybody wants news/mail/mosaic/everything. There is no traffic permitted between
any two `Org's. We (Us) have access to all `Org's and they to us. We have absolutely
no control over most of the hosts in any Org. If any one Org gets broken, chances are
everyone gets broken. All Orgs and Us are `sensitive'.

Anyone got any comments?

Colin

From firewalls-owner Tue Sep 13 00:29:54 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id GAA17386; Tue, 13 Sep 1994 06:42:58 GMT
Received: from neptunus.rivm.nl by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id XAA17380; Mon, 12 Sep 1994 23:42:47 -0700
Received: from floyd.rivm.nl by neptunus.rivm.nl with SMTP (PP); Tue, 13 Sep 1994 08:48:11 +0200
Received: by floyd.rivm.nl (4.1/SMI-4.1) id AA04991; Tue, 13 Sep 94 08:46:00 +0100
Date: Tue, 13 Sep 94 08:46:00 +0100
From: Rens.Schipper@rivm.nl (Rens Schipper)
Message-Id: <9409130746.AA04991@floyd.rivm.nl>
To: sgcccdc@citec.qld.gov.au
Subject: Re: Quit now or keep going?
Cc: firewalls@GreatCircle.COM
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> From firewalls-owner@GreatCircle.COM Tue Sep 13 05:50:32 1994
> From: sgcccdc@citec.qld.gov.au (Colin Campbell)
> Subject: Quit now or keep going?
> To: firewalls@GreatCircle.COM
> Date: Tue, 13 Sep 94 13:18:13 EST
> X-Mailer: ELM [version 2.3 PL11]
> Content-Length: 790
> Sender: Firewalls-Owner@GreatCircle.COM
>
> Greetings!
>
> Should I quit now or keep going? I am in the ignominious position of having to
> implement a firewall to protect several organisations over which I have absolutely
> no control. Let me explain.
>
>                    Internet
>                       |
>                       |
>                    Firewall
>                       |
>                       |
>            -----------+------------------
>            |        Router(s)           |
>            --+--------+-------+--------+-
>              |        |       |        |
>              |        |       |        |
>            OrgA     OrgB    OrgC      Us
>
> Everybody wants news/mail/mosaic/everything. There is no traffic permitted between
> any two `Org's. We (Us) have access to all `Org's and they to us. We have absolutely
> no control over most of the hosts in any Org. If any one Org gets broken, chances are
> everyone gets broken. All Orgs and Us are `sensitive'.
>
> Anyone got any comments?
>
> Colin
>
>

Hi Colin,

I should say, keep going. You're in a very pleasant position (IMHO) because
you don't have to trust anyone (that's one problem less :-)).

Offer your firewall as a service. Only take responsibility over things you
can support with your firewall. The basic functions of the firewall could be;

1) blocking of services
2) Registration of sessions
3) Authorisation
4) Authentication

All these functions should be policy based by people of the 'Orgs". You only
provide a mechanism to support these policy based decisions! Every session
between 'Us' and the Internet and the other 'Orgs' must be permitted by the
firewall. Every 'Org' should control their own net and THEY should tell YOU
what is allowed and what's not! In this way you are only responsible for the
technical aspect of the firewall and persons of any of the 'Orgs' are
responsible for the policy aspects of security.

By using ACL's in the router(s) you can force every session out of any 'Org'
to go through the firewall. Traffic between 'Orgs' can be blocked by the same
ACL. If any one 'Org' is broken, you can offer loggings to prove who or what
was responsible for the incident if the 'attack' came through your firewall.
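The router ACL Rens describes in the paragraph just above, worked through against Colin's diagram as an added example (editor's illustration, not code from any poster): one list per Org-facing router interface that blocks Org-to-Org traffic, lets an Org reach Us, and lets it reach only the firewall otherwise, with every decision written to a session log. The addresses and the simplified first-match list format are assumptions, not anything from the thread.

```python
"""Router access lists for the Internet / Firewall / Router(s) / OrgA..Us
topology. Policy: no traffic between Orgs, Us may reach every Org, and every
Org session leaving for the Internet must go to the firewall. Constructed
example; addressing is assumed (one /16 per Org, /32 for the firewall)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

ORGS = {                                   # constructed addressing
    "OrgA": IPv4Network("10.1.0.0/16"),
    "OrgB": IPv4Network("10.2.0.0/16"),
    "OrgC": IPv4Network("10.3.0.0/16"),
}
US = IPv4Network("10.4.0.0/16")
FIREWALL = IPv4Network("10.0.0.1/32")      # firewall's inside interface


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    note: str            # why the rule exists; copied into the session log


def org_inbound_acl(org: str) -> list[Rule]:
    """List applied inbound on the router interface that faces one Org.

    Every rule matches only sources inside that Org, so a packet arriving on
    OrgA's interface with an OrgB source address matches nothing and falls
    to the implicit deny: the list doubles as an anti-spoofing check."""
    net = ORGS[org]
    rules = [Rule("deny", net, other, f"no traffic between {org} and {name}")
             for name, other in ORGS.items() if name != org]
    rules.append(Rule("permit", net, US, f"{org} may talk to Us"))
    rules.append(Rule("permit", net, FIREWALL,
                      f"{org} reaches the Internet only via the firewall"))
    return rules   # anything else: implicit deny


def us_inbound_acl() -> list[Rule]:
    """Us is allowed to reach every Org and the firewall."""
    rules = [Rule("permit", US, net, f"Us may talk to {name}")
             for name, net in ORGS.items()]
    rules.append(Rule("permit", US, FIREWALL,
                      "Us reaches the Internet via the firewall"))
    return rules


def evaluate(acl: list[Rule], src: str, dst: str, log: list) -> str:
    """First matching rule wins; no match means deny, as on a Cisco router.

    Each decision is appended to `log`; that log is the 'registration of
    sessions' an Org can be shown after an incident."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for rule in acl:
        if s in rule.src and d in rule.dst:
            log.append((src, dst, rule.action, rule.note))
            return rule.action
    log.append((src, dst, "deny", "implicit deny at end of list"))
    return "deny"


if __name__ == "__main__":
    session_log: list = []
    acl_a = org_inbound_acl("OrgA")
    for target in ("10.2.0.9", "10.4.0.5", "10.0.0.1", "198.51.100.7"):
        print("OrgA host -> %-14s %s" % (target, evaluate(acl_a, "10.1.0.20", target, session_log)))
    for entry in session_log:
        print(entry)
```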
If the incident was an internal affair of any of the 'Orgs' it should not be
your problem (unless they give you full control over their nets)

Hope this helps,

Just my personal opinion :-)

Rens Schipper

 _/_/_/   _/   _/    _/   _/_/    _/_/   Rens Schipper  EMAIL:rens@rivm.nl,bnf@rivm.nl
_/    _/  _/   _/    _/  _/  _/_/    _/  Network Management and Facilities (BNF)
_/_/_/    _/   _/    _/  _/    _/    _/  National Institute Of Public Health And
_/  _/    _/    _/_/     _/    _/    _/  Environmental Protection(RIVM), The Netherlands,
_/    _/  _/     _/      _/    _/    _/  PO box 1, 3720 BA, BILTHOVEN, tel:3130-743123

From firewalls-owner Tue Sep 13 04:33:48 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id KAA19173; Tue, 13 Sep 1994 10:46:19 GMT
Received: from remus.ultranet.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id DAA19156; Tue, 13 Sep 1994 03:45:59 -0700
Received: by remus.ultranet.com; (5.65/1.1.8.2/22Aug94-0201PM) id AA21616; Tue, 13 Sep 1994 06:51:28 -0400
Date: Tue, 13 Sep 1994 06:51:28 -0400
From: Joe Provo
Message-Id: <9409131051.AA21616@remus.ultranet.com>
To: firewalls@greatcircle.com
Subject: re: Trying to like DNS
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

[Hmmm... am I the only weirdo who actually _likes_ DNS?]

>Is it *at all NECESSARY* to place an address record for the "real" primary
>in the named.hosts file? Can resolv.conf alone do this? I recall from
>Ches & Bellovin something to the effect of DNS not using resolv.conf.

No, yes, conditional yes. The crux of the cleverness of the strategy is that
all services on a machine are told in what order to consult resources (nis,
/etc/hosts, bind) and where to find said resources, regardless of whether
they are running said services for someone else. The "conditional yes" comes
from the loose terminology -- had your sentence read "something to the effect
of DNS servers not using resolv.conf" then it would be unequivocal; a name
server runs, regardless of who asks it for info.
If the machine it is running on does not ask it for any info, it could care
less.

Sorry, I'm not familiar enough w/sunos to address your other question
(sendmail 8 I presume?).

Joe, hoping this made sense before the first cup of coffee...
Systems and Network Admin, Ultranet Communications Inc.    508-229-8400(voice)
jprovo@ultranet.com                                        508-229-8111(data)
A network service provider in Marlboro, MA - mail info@ultranet.com

From firewalls-owner Tue Sep 13 07:30:39 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA20281; Tue, 13 Sep 1994 14:26:00 GMT
Received: from inet-gw-1.pa.dec.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA20275; Tue, 13 Sep 1994 07:25:50 -0700
Received: from us4rmc.pko.dec.com by inet-gw-1.pa.dec.com (5.65/10Aug94) id AA18537; Tue, 13 Sep 94 07:27:28 -0700
Received: from rtpvl1.enet by us4rmc.pko.dec.com (5.65/rmc-22feb94) id AA07536; Tue, 13 Sep 94 10:30:22 -0400
Message-Id: <9409131430.AA07536@us4rmc.pko.dec.com>
Received: from rtpvl1.enet; by us4rmc.enet; Tue, 13 Sep 94 10:30:23 EDT
Date: Tue, 13 Sep 94 10:30:23 EDT
From: "k.poulsen"
To: firewalls@greatcircle.com
Apparently-To: firewalls@greatcircle.com
Subject: Re: Firewalls Digest V3 #314
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

sounds like the rare machine that really does have tcp/ip turned off.
odd.

kathleen

From firewalls-owner Tue Sep 13 08:31:20 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA20428; Tue, 13 Sep 1994 14:40:16 GMT
Received: from relay.tis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA20422; Tue, 13 Sep 1994 07:40:00 -0700
Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma008285; Tue Sep 13 10:45:06 1994
Received: from otter.tis.com. by tis.com (4.1/SUN-5.64) id AA20523; Tue, 13 Sep 94 10:42:53 EDT
Date: Tue, 13 Sep 94 10:42:53 EDT
From: Marcus J Ranum
Message-Id: <9409131442.AA20523@tis.com>
To: firewalls@GreatCircle.COM, sgcccdc@citec.qld.gov.au
Subject: Re: Quit now or keep going?
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>Should I quit now or keep going?
[...]
>Everybody wants news/mail/mosaic/everything.
[...]
>All Orgs and Us are `sensitive'.

What you need to figure out is how much assurance you need that the networks
are secured. If the answer is "absolutely, a whole lot" then line #2 of your
question would imply that a reasonable answer for line #1 of your question is
"yes." If the requirement for assurance is more reasonable -- I.e.; you're not
dealing with launch codes, and there's some willingness on the part of upper
management to accept some risk, then you might be OK.

What tends to happen is that the requirements for the firewall become "we
want to do news/mail/mosaic/everything and we must totally eliminate risk" --
that's simply not realistic.

mjr.

From firewalls-owner Tue Sep 13 09:31:29 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA20303; Tue, 13 Sep 1994 14:29:00 GMT
Received: from igw.fmc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA20297; Tue, 13 Sep 1994 07:28:46 -0700
From: joe_kretz@fmc.com
Received: by igw.fmc.com id AA02818 (InterLock SMTP Gateway 1.1 for firewalls@greatcircle.com); Tue, 13 Sep 1994 09:33:34 -0500
Received: by igw.fmc.com (Internal Mail Agent-1); Tue, 13 Sep 1994 09:33:34 -0500
Date: Tue, 13 Sep 94 09:00:12 CDT
Encoding: 44 Text
Message-Id: <9408137794.AA779473830@ccgate.fmc.com>
To: firewalls@greatcircle.com, sgcccdc@citec.qld.gov.au (Colin Campbell)
Subject: Re: Quit now or keep going?
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

COLIN STATED:

>Should I quit now or keep going? I am in the ignominious position of having to
>implement a firewall to protect several organisations over which I have
>absolutely no control. Let me explain.

                   Internet
                      |
                      |
                   Firewall
                      |
                      |
           -----------+------------------
           |        Router(s)           |
           --+--------+-------+--------+-
             |        |       |        |
             |        |       |        |
           OrgA     OrgB    OrgC      Us

>Everybody wants news/mail/mosaic/everything. There is no traffic permitted
>between any two `Org's. We (Us) have access to all `Org's and they to us.
>We have absolutely no control over most of the hosts in any Org. If any one
>Org gets broken, chances are everyone gets broken. All Orgs and Us are
>`sensitive'.

THE ISSUE, IN MY HUMBLE OPINION, IS NOT ONE OF "WHO HAS CONTROL" BUT RATHER
IS THERE A COMPREHENSIVE INFORMATION SECURITY PROGRAM THAT ENCOMPASSES ALL
THESE ORGANIZATIONS INCLUDING THEIR GENERAL COMPLIANCE WITH IT. A FIREWALL
IS JUST ONE TYPE OF CONTROL WITHIN THE BROADER NETWORK SECURITY COMPONENT
AND THE NETWORK SECURITY COMPONENT IS JUST ONE OF THE FIFTEEN COMPONENTS
THAT COMPRISE OUR TOTAL PROGRAM HERE AT FMC.

OUR ORGANIZATIONAL SITUATION IS SIMILAR TO THE ONE DESCRIBED WHERE NO ONE
PERSON OR ORGANIZATION HAS ABSOLUTE CONTROL BUT YET WE HAVE, ACCORDING TO
INTERNAL AND EXTERNAL REVIEWS, A REASONABLE LEVEL OF SECURITY. WITHOUT THIS
OVERALL FRAMEWORK, OUR INTERNET FIREWALL, FOR EXAMPLE, WOULD NOT HAVE
OFFERED US MUCH SECURITY BY ITSELF.

MY RECOMMENDATION WOULD BE TO KEEP GOING BUT CHANGE DIRECTIONS IF AN OVERALL
SECURITY FRAMEWORK IS MISSING. IN THE EXAMPLE DESCRIBED BY COLIN, A FIREWALL
BY ITSELF WOULD SEEM TO HAVE A VERY LOW PROBABILITY OF IMPROVING SECURITY
WITHOUT BEING PART OF A MORE COMPREHENSIVE PROGRAM.

STAY SECURE!

JOE

From firewalls-owner Tue Sep 13 10:31:16 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id RAA21772; Tue, 13 Sep 1994 17:20:23 GMT
Received: from dsi.bc.ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id KAA21766; Tue, 13 Sep 1994 10:20:06 -0700
Received: by dsi.bc.ca (5.65/DEC-Ultrix/4.3-DSIa) id AA16002; Tue, 13 Sep 1994 10:23:44 -0700
Received: by oldsailor.dsi.bc.ca (NX5.67c/NX3.0S) id AA02749; Tue, 13 Sep 94 08:15:31 -0700
From: Rob Ballantyne
Message-Id: <9409131515.AA02749@oldsailor.dsi.bc.ca>
Subject: Security Policy setting
To: firewalls@greatcircle.com
Date: Tue, 13 Sep 94 8:15:30 PDT
X-Mailer: ELM [version 2.3 PL11]
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hello everyone,

I've just added myself to this mailing list as I am implementing a firewall.
I guess that didn't really need to be said :-).

Most of what I know indicates that setting a policy is the first step. So
the question is: Does anyone have a list of questions that a security policy
should answer? I'm not looking for specific questions here, not like "What
routes should be on the firewall?", but more like "What rights/responsibilities
do the users have?" or "What is it that is important to protect?."
                                                                ^^^
                                    (An interesting punctuation dilemma, eh?)

Thanks for any info you can provide.

Rob
--------------------------------------------------------------------------
| Rob Ballantyne                 |               _____                   |
| email: rsb@dsi.bc.ca           |              |     |                  |
| Dynapro Systems Inc            |        -----------O-----------        |
| New Westminster, BC, CANADA    |                                       |
--------------------------------------------------------------------------

From firewalls-owner Tue Sep 13 11:34:20 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id RAA22006; Tue, 13 Sep 1994 17:51:57 GMT
Received: from coeds.eng.miami.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id KAA22000; Tue, 13 Sep 1994 10:51:36 -0700
Received: by coeds.eng.miami.edu (5.65/DEC-Ultrix/4.3) id AA21147; Tue, 13 Sep 1994 13:59:34 -0400
Received: by bibiana.eng.miami.edu (4.1/SMI-4.1) id AA26411; Tue, 13 Sep 94 13:53:29 EDT
Date: Tue, 13 Sep 94 13:53:29 EDT
From: andres@bibiana.eng.miami.edu (Andres Rios)
Message-Id: <9409131753.AA26411@bibiana.eng.miami.edu>
To: firewalls@greatcircle.com
Subject: CIA TRIANGLE Please REPOST!
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

HI All,

please if somebody can send me a copy of the post where the CIA triangle was
mentioned (just recently) I will be thankful. I need to see the references
that are mentioned in that post!

Thanks

Andres Rios
University of Miami

From firewalls-owner Tue Sep 13 11:39:51 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA21301; Tue, 13 Sep 1994 16:28:24 GMT
Received: from uvs1.orl.mmc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id JAA21294; Tue, 13 Sep 1994 09:27:11 -0700
From: rens@imsi.com
Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA06008; Tue, 13 Sep 94 12:30:34 -0400
Date: Tue, 13 Sep 94 12:30:34 -0400
Message-Id: <9409131630.AA06008@uvs1.orl.mmc.com>
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Cc: "firewalls@greatcircle.com"@uvs1.dnet.mmc.com
Subject: Re: Rtip
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>>>>> "A" == A Padgett Peterson, P E Information Security writes:

 A> Still not seeing actual sender (sorry) so could not send reply
 A> privately. The only possibly relevant reference I find in the
 A> RFCs (other than in "assigned numbers") is RFC 951 ("Bootstrap
 A> Protocol" - BOOTP - 1985) which refers to "Ethertip". From the
 A> context it would seem to be a bootable operating system.

 A> Warmly,
 A> Padgett

 A> ps Having the RFCs on CD-ROM and a text search program
 A> makes searches easy 8*).

More likely a remote serial port access protocol.

-Rens

From firewalls-owner Tue Sep 13 12:30:40 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id SAA22227; Tue, 13 Sep 1994 18:04:58 GMT
Received: from paranor.ca.cch.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id EAA19330; Tue, 13 Sep 1994 04:19:44 -0700
Received: by paranor.ca.cch.com id AA23823; Tue, 13 Sep 94 07:28:37 EDT
Received: from cchtor.ca.cch.com(192.139.241.2) by paranor via smap (V1.3mjr) id sma023821; Tue Sep 13 07:28:34 1994
Received: (from larry@localhost) by cchtor.ca.cch.com (8.6.9/8.6.9) id HAA27670; Tue, 13 Sep 1994 07:28:24 -0400
Date: Tue, 13 Sep 1994 07:28:24 -0400
From: Larry Chin
Message-Id: <199409131128.HAA27670@cchtor.ca.cch.com>
To: merola@caesv1.norden.utc.com
Subject: Re: Trying to like DNS
Cc: firewalls@GreatCircle.COM
Content-Type: X-sun-attachment
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

----------
X-Sun-Data-Type: text
X-Sun-Data-Description: text
X-Sun-Data-Name: text
X-Sun-Content-Lines: 59

>> Is it *at all NECESSARY* to place an address record for the "real" primary
>> in the named.hosts file?

I believe that the records that you are referring to are the name server
address record and the mailhub address record. I seem to recall needing to
put this record in so that the named would know where to go to get the *real*
info. As you noted, named does not use resolv.conf so it has to use something
to get the address of the real name server, hence the address record under
the name server section of the named.hosts file. ( see next comment ).

>> Can resolv.conf alone do this? I recall from Ches & Bellovin something to
>> the effect of DNS not using resolv.conf.

named does not use the resolv.conf file you are right, but the *client*
programs need it.

>> I noted your example files listed the 'real' server in named.hosts. I am in
>> the process of setting up a firewall ala TIS and have not yet configured DNS.
>> ... I plan the use of resolv.conf to forward mail internally (Chapman), but
>> for nothing else. I don't want to list my internal machines anyplace else.
>> Is there something I am missing here?

TIS, Chapman etc. is the same setup that I have here. Forward mail
internally ? Do you mean forward the mail from the Bastion to the internal
net or from the internal net out ? Mail forwarding is handled via MX records.
Obviously I am not too sure what you mean here.

As for listing internal machines. I think the only one that has to be listed
anywhere outside of the internal net is the real bastion host as mentioned
above.

>> ...Also, regarding the mail forwarding to internal machines; to make this
>> happen using resolv.conf (on a sparc2 sunos4.1.3), is it as simple as
>> the 'I' option in sendmail.cf, or is this going to be another bad dream?

Try the attached sendmail.main.cf in conjunction with the Sun shipped
sendmail.mx. Just substitute your domain name where it says:

	DPYOUR_DOMAIN

This is the same sendmail that I am currently using ( minus some site
specific mods ), and which I got from TIS. Hopefully this will prevent your
recurring nightmares. There are no warranties offered with this
sendmail.main.cf, use it as you see fit.

Hope this all helps somewhat.

Tue Sep 13 07:28:15 EDT 1994
===========================================================================
Larry Chin {larry@cchtor.ca.cch.com}            System/Network Administrator
CCH Canadian Ltd.                                   (416) 441-4001 ext. 349
===========================================================================
"There was a boy called Eustace Clarence Scrubb, and he almost deserved it."
                            -- C. S. Lewis, The Chronicles of Narnia

----------
X-Sun-Data-Type: default
X-Sun-Data-Description: default
X-Sun-Data-Name: sendmail.main.cf
X-Sun-Content-Lines: 444

############################################################
############################################################
#####
#####		SENDMAIL CONFIGURATION FILE
#####
#####	WRL internal version -- works on servers or workstations
#####
#####	Paul Vixie, forked off on 9-December-90
#####	Paul Vixie, major MAIL11/MR work on 17-July-1991
#####	Paul Vixie, Todd Kaehler and Fred Avolio: parameterized, August 1992
#####
#####	$Header: /usr/src/kjs-930504a/RCS/book.cf,v1.11 1993/08/05 21:53:43
#####
############################################################
############################################################

## predefined
#	$w	fully-qualified hostname or not... depends on sendmail
#	$j	FQDN
##

############################################################
###	local info
############################################################

# parent domain
DPYOUR_DOMAIN

# my domain
DN$P

# name exported on external internet mail
DW$N

# my official hostname
Dj$w

#
# usernames which will be @host qualified on outbound localdom mail
#
CNroot news uucp mailer-daemon rdist nobody daemon

#
# trash top-level domains -- don't use $[...$] on names ending with these
#
CTUUCP USENET ENET

############################################################
#
#	General configuration information
#
############################################################

##########################
###   Special macros   ###
##########################

# my name
DnMAILER-DAEMON

# UNIX header format
DlFrom $g  $d

# delimiter (operator) characters
Do.:%@!^=/[]

# format of a total name
Dq$?x$x $.<$g>

DV26AUG93-fma/dave-1.1

# SMTP login message
De$j Sendmail $v ($V) $b

###################
###   Options   ###
###################

# wait 5 minutes for newaliases to complete
Oa
# location of alias file
OA/etc/aliases
# default delivery mode (deliver in background)
Odbackground
# temporary file mode
OF0600
# default UID
Ou1
# default GID
Og1
# location of help file
OH/usr/lib/sendmail.hf
# log level
OL9
# include sender if she's on an alias to which she's sending
Om
# queue directory
OQ/var/spool/mqueue
# read timeout -- violates protocols
Or1h
# status file
OS/etc/sendmail.st
# queue up everything before starting transmission
Os
# use separate envelope/header rewriting rulesets (IDA)
#O/
# default timeout interval
OT3d
# load average for forcing "Odq" behaviour
Ox20
# load average for refusing connections
OX12

###############################
###   Message precedences   ###
###############################

Pfirst-class=0
Pspecial-delivery=100
Pjunk=-100

#########################
###   Trusted users   ###
#########################

Troot daemon uucp news

#############################
###   Format of headers   ###
#############################

H?P?Return-Path: <$g>
HReceived: by $j id $i; $b
H?D?Resent-Date: $a
H?D?Date: $a
H?F?Resent-From: $q
H?F?From: $q
H?x?Full-Name: $x
HSubject:
H?M?Resent-Message-Id: <$t.$i@$j>
H?M?Message-Id: <$t.$i@$j>

###########################
###   Rewriting rules   ###
###########################

################################
#  Sender Field Pre-rewriting  #
################################
S1
# empty

###################################
#  Recipient Field Pre-rewriting  #
###################################
S2
# empty

###########################
#  Name Canonicalization  #
###########################
S3

# handle "from:<>" special case
R<>			$@@				turn into magic token

# simplest case, after an empty address, is a single token
R$~N			$1@$N
R$-			$@$1

# route-addr's look canonical but aren't
R<@$+:$+>$*		@$1:$2				unfocus

# already canonical?
R$*<@$+>$*		$@$>7$1<@$2>$3			idempotency is good

# basic textual canonicalization -- note lack of RFC733 heuristic here
R$*<$*<$*<$+>$*>$*>$*	$4				3-level <> nesting
R$*<$*<$+>$*>$*		$3				2-level <> nesting
R$*<$+>$*		$2				basic RFC821/822 parsing
R$*<$*>$*		$1$2$3				in case recursive

# make sure <@a,@b,@c:user@d> syntax is easy to parse -- undone later
R@$+,$+			@$1:$2				change all "," to ":"
R@$+:$+			$@$>7<@$1>:$2			handle

# more miscellaneous cleanup
R$+:$*;$*		$@$1:$2;$3			list syntax
R$+@$+			$:$1<@$2>			focus on domain
R$+<$+@$+>		$1$2<@$3>			move gaze right
R$+@$+<@$+>		$1%$2<@$3>			a@b@c@d ->a%b%c@d

# things that are still in @-form are ready to eat
R$+<@$+>		$@$>7$1<@$2>			now canonical

# UUCP conversions
R$-.$+!$+		$@$>7$3<@$1.$2>			host.domain!user
R$-!$+			$@$>7$2<@$1.UUCP>		resolve uucp names

# convert rightmost % to @ (ruleset 7 has the rest of the magic for this)
R$+%$+			$@$>7$1<@$2>			user%host

# (ruleset 3 ends here.  we don't exit through
#  $>7 here as with the other exits from ruleset 3
#  since we only exit through S7 when we make a
#  change.)

##### special local conversions (exit path from S3)
S7
R$*<@$+%$+>$*		$1%$2<@$3>$4			move @ right after %
R$*<@$+.$E>$*		$@$1<@$2.$E.$P>$3		hide .$E under $P
R$*<@$->$*		$@$1<@$2.$N>$3			qualify hostnames

#################################
#  Final Output Post-rewriting  #
#################################
S4
R@			$@				handle <> error addr
R$*<$+>$*		$1$2$3				defocus
R@$+:$+:$+		@$1,$2:$3			canonical
#FMAR@$+:$+		$@<@$1:$2>			route-addr needs <>

#################################
#  (IDA) header senders         #
#################################
S5
R$+			$@$>1$1				same as envelope

#################################
#  (IDA) header recipients      #
#################################
S6
R$+			$@$>2$1				same as envelope

#################################
#  Utility: strip local domain  #
#################################
# this is necessarily tricky.  S0 needs to strip off the local host(s) and
# it may take several passes to do that (consider $-%$j%$j%$j or $U!$-@$j).
# this requires iterate-until-no-change, which is a semantic not directly
# provided by sendmail.  sendmail does permit recursion, though, which we
# use.  S0 calls S8, which calls itself whenever it makes a change, else falls
# out the bottom when it has nothing left to strip.
#
# S8 starts by calling S3 since on the subsequent recursive calls, a change
# will have been made and the canonicalization will have been lost.  we would
# like to use $>8$>3 but that doesn't work the way you'd expect.  the cost
# here is that S3 gets called once at the top even though S3 was called before
# S0 so there's nothing for it to do.  this is why S3 must be idempotent and
# also why S3's "no change needed" condition is so close to its top.
S8
R$+			$:$>3$1				needed for recursions
R$*<@$j>$*		$:$1<@>$2			@myfqdn
R$*<@$=w>$*		$:$1<@>$3			@my alias
R$*<@$=w.$N>$*		$:$1<@>$3			@my alias
# next two lines only gen'd if have aliases for all and $N isn't LOCAL
# R$*<@$N>$*		$:$1<@>$2			@mydomain
# R$*<@$=d.$P>$*	$:$1<@>$3			@codomain
R$*<@$U.UUCP>$*		$:$1<@>$2			myuucpname!
# here's where we recurse if a change was made
R<@>:$*			$@$>8$1				localhost/route-addr
R$*<@>$*		$@$>8$1$2			localhost

########################################
#  Utility: canonicalize local domain  #
########################################
S9
R$*<@$->$*		$:$1<@$2.$N>$3			qualify
R$*<@$+.$=T>$*		$@$1<@$2.$3>$4			trash pseudodom, leave alone
R$*<@$+.$=T.$P>$*	$@$1<@$2.$3.$P>$4		qualified trash, leave alone

############################################################
############################################################
#####
#####		RULESET 0
#####
############################################################
############################################################
S0

# special cases
#
R@			$#local $:$n			handle <> form
R$*<@[$+]>$*		$#smtp $@[$2] $:$1<@[$2]>$3	numeric internet spec

# localize if possible (rip off @DOMAINs for which we are authoritative)
#
R$*<@$+>$*		$:$>8$1<@$2>$3

#R$+.USENET		$:$1.USENET<@usenet.$N>		groupname.USENET
R$*<@$-.UUCP>		$#smtp $@uunet.uu.net $:$2!$1	#mjr
#R$*<@$-.UUCP>		$#smtp $@uucp-relay.$N $:$2!$1<@uucp-relay.$N>

# Fake hosts in my domain
#
#R$+<@POP>		$#pop $@$j $:$1			username@POP

# Real hosts in my domain
#
R$*<@$*$N>$*		$#smtp $@mailhub.$P $:$1<@$2$N>$3	our domain

# Parent domain
#
R$*<@$*$P>$*		$#smtp $@mailhub.$P $:$1<@$2$P>$3	our domain

# Nonlocal mail
#
R$*<@$+>$*		$#smtp $@$2 $:$1<@$2>$3		everything else

# Local mail
#
R$+.POP			$#pop $@$j $:$1			username.POP
R$+			$#local $:$1			must be local

############################################################
############################################################
#####
#####		Local, POP and Program mailers
#####
############################################################
############################################################

Mlocal,	P=/bin/mail, F=rlsDFMmn, S=10, R=20, A=mail -d $u
Mprog,	P=/bin/sh, F=lsDFM, S=10, R=20, A=sh -c $u
Mpop,	P=/usr/lib/mh/spop, F=nsmFDM, S=10, R=20, A=pop $u

S10
R@			$n				errors to mailer-daemon

S20

############################################################
############################################################ ##### ##### SMTP to hosts inside the local domain ##### ############################################################ ############################################################ Msmtpl, P=[TCP], F=mDFMuX, S=11, R=21, A=IPC $h, E=\r\n # (we pull off the local hostname in all cases, and then selectively add it # back on. we would add it back if the aliases aren't shared across all # hosts in this domain, or if the user is root or one of the others that # we want to know the hostname for.) # S11 R$*<@$j>$* $>3$1$2 strip local host name R$*<@$+>$* $:$>9$1<@$2>$3 canonicalize domain # (include if aliases are shared across localdom) R$=N $@$1<@$j> qualify nonhidden users # (by running S11 on recipients, we get the above behaviour on To: and Cc: # headers, as well as for the envelope recipient. this is good since we # always call $#smtpl with hostname attached, which means that we won't be # down here at all if $j is in the address (that would have been stripped # in S0), and we will therefore qualify any domain-less addresses with our # own hostname before sending them to other hosts in our domain. this is # all ugly but it's what you have to do if your aliases aren't shared. 
--vix) # S21 R$+ $@$>11$1 nothing special here ############################################################ ############################################################ ##### ##### SMTP to hosts outside the local domain ##### ############################################################ ############################################################ Msmtp, P=[TCP], F=mDFMuXL, S=12, R=22, A=IPC $h, E=\r\n S12 R<@$+>$* $@<@$1>$2 syntax R$*<@[$+]>$* $@$1<@[$2]>$3 numeric, lv alone R$*<@$+$N>$* $>3$1$3 strip local hostnames R$*<@$+>$* $@$>9$1<@$2>$3 canonicalize domain R$=N $@$1<@$j> Add $j to local R$+ $@$1<@$W> fix up return addr S22 R$+ $@$>12$1 nothing special here ############################################################ ############################################################ ##### ##### SMTP to relay host ##### ############################################################ ############################################################ Msmtpr, P=[TCP], F=mDFMuX, S=13, R=23, A=IPC $h, E=\r\n # (we pull off the local hostname in all cases, and then selectively add it # back on. we would add it back if the user is root or one of the others # for which we want to know the hostname. Otherwise we want to look like we # are a local user on the relay machine. This is to allow for "cleaner" # addresses when crossing mail domains. 
--FMA) # S13 R$*<@$j>$* $>3$1$2 strip local host name R$*<@$+>$* $:$>9$1<@$2>$3 canonicalize domain R$=N $@$1<@$j> qualify nonhidden users S23 R$+ $@$>13$1 nothing special here ############################################################ ############################################################ ##### ##### DECNET/MAIL11 ##### ############################################################ ############################################################ # (note that you will need an ultrix or osf1 sendmail binary to use this) Mmail11, P=, F=mnSXxH, S=14, R=24/29, A=mail11 $f $x $h # (mail11 senders) S14 # (phase IV) R$+<@$+.$E.$P> $@$2::$1 phaseIV back to :: form # (mail11 recip env) S24 R$+ $@$>14$1 nothing special here # (mail11 recip hdr) S29 # next line is for CC: headers which most mail11 receivers won't qualify R$- $@$y::$1 tack on our nodename R$+ $@$>14$1 nothing special here From firewalls-owner Tue Sep 13 13:31:42 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id SAA22801; Tue, 13 Sep 1994 18:42:35 GMT Received: from mugu.navy.mil by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id LAA22795; Tue, 13 Sep 1994 11:42:15 -0700 Received: from qmsmtpgw (qmsmtpgw.mugu.navy.mil) by mugu.navy.mil (4.1/SMI-4.1) id AA15020; Tue, 13 Sep 94 10:57:58 PDT Message-Id: <9409131757.AA15020@mugu.navy.mil> Date: 13 Sep 1994 10:56:04 U From: "Doug Lakin" Subject: Re: PowerBroker and root acc Priority: Urgent To: firewalls@GreatCircle.COM Cc: "David Wolfskill" , "Mike Papais" Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Mail*Link(r) SMTP RE>PowerBroker and root access According to the very well documented literature package, PowerBroker comprises three main programs: pbrun, pbmasterd, pblocald. Users submit their requests from a submitting machine using pbrun. 
The master daemon, pbmasterd, on a secure machine examines each request from
pbrun and either accepts or rejects it based on the information in the
PowerBroker configuration file. There can be multiple pbmasterd daemons
running on the network to avoid having a single point of failure. If the
request is accepted, the pblocald on the target execution machine runs the
program, piping all input and output back to the user.

It appears that the secure machine acts as a proxy for root access and
records all keystrokes and output generated during a root session,
preventing tampering of the log by the user.

Some of the other features of PowerBroker are:

* provides a replay program to see the exact input and output as recorded
  by the secure machine, and when each line of input was typed;
* a powerful Perl-like scripting language for the configuration file;
* encryption of the root session over the network to prevent sniffing;
* administration over a heterogeneous network (Sun, HP, SGI, DEC, IBM, etc.).

Pricing was not available. They will be at USENIX LISA, booth 6, 9/21-22.

Contact them at:

Freedman Sharp and Associates Inc.
1011 First Street SW
Suite 508
Calgary, Alberta, Canada T2R 1J2
(403)-264-4822
info@fsa.ca

>Date: 9/12/94 6:33 PM
>From: David Wolfskill
>I would expect that a person with root access could modify any of:
>* the audit trail itself;
>* the programs that control who has access to what;
>* the programs that create the audit trail; or
>* the files that control who has access to what uids

From firewalls-owner Tue Sep 13 14:32:13 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id TAA23159; Tue, 13 Sep 1994 19:16:30 GMT
Received: from netcomsv.netcom.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA23147; Tue, 13 Sep 1994 12:16:18 -0700
Received: from megabyt.UUCP by netcomsv.netcom.com with UUCP (8.6.4/SMI-4.1) id MAA00784; Tue, 13 Sep 1994 12:10:12 -0700
Received: by megabyt (4.1/SMI-4.1) id AA16239; Tue, 13 Sep 94 12:11:01 PDT
Date: Tue, 13 Sep 94 12:11:01 PDT
From: jeromie@mmp.com (jeromie)
Message-Id: <9409131911.AA16239@megabyt>
To: firewalls@greatcircle.com
Subject: Routing Protocols
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I am in the process of creating a bastion host, and am curious as to the
configuration of the routing protocols. We most likely will only be using
RIP & EGP (if necessary).

My question is regarding whether the routes should be only static, or if
there is a secure way for the routing protocol metrics to be used. Obviously
if someone could change the metrics they would be able to spoof (from what
I've read). A system having several viable connections to the same place
would then require the administrator to go in and change the metrics for a
link if there were line problems, etc., etc.?

Any and all mail/posts would be appreciated, and I will post the conclusion
once one has been made.
From firewalls-owner Tue Sep 13 16:31:29 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id WAA25368; Tue, 13 Sep 1994 22:57:27 GMT
Received: from bclcl1.im.battelle.org by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id PAA25361; Tue, 13 Sep 1994 15:57:09 -0700
Received: from ccmailgw.im.battelle.org by BCLCL1 (PMDF V4.3-9 #3705) id <01HH2OLXH38WAAVTWT@BCLCL1>; Tue, 13 Sep 1994 19:02:31 -0500 (EST)
Received: from ccMail by ccmailgw.im.battelle.org id AA779507933 Tue, 13 Sep 94 18:58:53 EST
Date: Tue, 13 Sep 1994 18:58:53 -0500 (EST)
From: George H Phillips
Subject: Classes on firewalls
To: firewalls@greatcircle.com
Message-id: <9408137795.AA779507933@ccmailgw.im.battelle.org>
X-Envelope-to: firewalls@greatcircle.com
Content-transfer-encoding: 7BIT
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I'm trying to find a class on how to build a firewall using a Cisco router;
does anyone know of anything? Also, does anyone have a config file they
could share that shows how a Cisco might be configured? I have looked at the
different docs at greatcircle but it still is so confusing to me.

What I want is to allow our users to be able to use different internet utils
to get out but restrict things coming in, but I am not clear on which ports
to block and which to allow, and how to configure the Cisco.

Thanks

From firewalls-owner Tue Sep 13 21:29:50 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id EAA27357; Wed, 14 Sep 1994 04:13:28 GMT
Received: from relay.tis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id VAA27351; Tue, 13 Sep 1994 21:13:09 -0700
Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma015949; Wed Sep 14 00:18:24 1994
Received: from otter.tis.com.
 by tis.com (4.1/SUN-5.64) id AA24890; Wed, 14 Sep 94 00:16:14 EDT
Date: Wed, 14 Sep 94 00:16:14 EDT
From: Marcus J Ranum
Message-Id: <9409140416.AA24890@tis.com>
To: firewalls@GreatCircle.COM, lakind1@qmsmtpgw.mugu.navy.mil
Subject: Re: PowerBroker and root acc
Cc: MJPapais-0@is.chrysler.com, david@greatbasin.com
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>Mail*Link(r) SMTP RE>PowerBroker and root access
>According to the very well documented literature package, PowerBroker
>comprises three main programs: pbrun, pbmasterd, pblocald. Users submit their
>requests from a submitting machine using pbrun. The master daemon, pbmasterd,
>on a secure machine examines each request from pbrun and either accepts or
>rejects it based on the information in the PowerBroker configuration file.
>There can be multiple pbmasterd daemons running on the network to avoid
>having a single point of failure. If the request is accepted, the pblocald on
>the target execution machine runs the program, piping all input and output
>back to the user.

I'm probably giving away the farm here for mjr's Quick 'N Dirty Hack #19201
which I always thought would make a fun white paper, but I never manage to
write the documentation for it.... If you use this idea, please buy me a cup
of coffee next time you see me.... :)

mjr's Quick 'N Dirty Hack #19201:
---------------------------------

Imagine, if you will, a setuid root program called "adminsh" or something
like that. Adminsh is set up on a system in /etc/aliases, so that mail to
adminsh@host gets piped to adminsh immediately upon receipt.

Adminsh is real simple. It takes the message, and saves the From:/Reply-To:
address (a la vacation) and strips it until it sees a header for a PGP
message [you can use RIPEM or PEM if you prefer, whatever]. If the message
isn't a PGP message, it is returned to sender with a nice error explanation.
If the message is a PGP message, it's run through PGP to check the signature.
The signature is pulled, and validated. If the signature/checksum is invalid,
the message is returned to sender (and Bcc'ed to root) with a warning. If the
message is valid and comes from someone whose certificate is on file by the
Adminsh program, it's accepted as valid input, and is treated as a list of
shell commands. Perhaps one might want to interpret the file instead of
allowing direct shell access -- one could have a little table like sudo or
whatnot that says who can do what. Perhaps one might want to have a table
mapping PGP certificates to UIDs to control execution. I emphasize, however,
that there is *NO* need for this to be feature-rich. We're not talking rocket
science, here.

When the message is processed and run, you just dup stdout/stderr to a
subshell that is mailing a return message to the original sender. When the
command is completed (unless the command was "reboot" :) the sender gets a
transaction report automatically.

What are the advantages of this approach?

1) Cheap
2) Easy
3) Uses known trust technologies that are carefully designed to ensure
   validity and integrity of operation
4) Works remotely -- even over uucp or X.400 [well, maybe not X.400]
5) Requires no special software on invoking system
6) Works asynchronously
7) Trivial to set up
8) Takes advantage of existing retransmit/queueing/error propagation systems
9) Takes advantage of existing user interface and mail management systems
   [Pipe the output of mailq through perl and you can make it look like a
   real queuing system!]
10) NOT feature rich

I may be insane (this should be news to nobody) but I suspect this would work
Real Well if you just wrapped a few shell scripts around PGP and mail and
aliases. For example, I could imagine giving someone a "create user" script
that simply read arguments, then packaged a mail message to invoke
/usr/local/etc/create-user with system-specific parameters, and PGP it and
then mail it off to an alias.
There's something satisfying about the idea of having an alias in my .mailrc
for suns and sending my suns mail telling them to please reboot. :)

A little fiddling and one could feed the Reply-to: address through some kind
of horribly feature rich mail processor that summarized the results of the
command, and perhaps listed which systems hadn't answered yet, etc, etc.

Gosh! UNIX can be *FUN* if you think like a UNIX programmer!

Perhaps I need more coffee so I don't go on these rambling jags...

mjr.

From firewalls-owner Tue Sep 13 23:29:36 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id GAA28206; Wed, 14 Sep 1994 06:10:18 GMT
Received: from znanost.mz.hr by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id XAA28200; Tue, 13 Sep 1994 23:10:07 -0700
Received: from gaus@localhost by znanost.mz.hr (8.6.9/Ultrix 4.2A) id IAA02913; Wed, 14 Sep 1994 08:15:25 +0100
From: gaus@znanost.mz.hr (Damir Rajnovic)
Message-Id: <199409140715.IAA02913@znanost.mz.hr>
Subject: Firewall-1
To: firewalls@greatcircle.com
Date: Wed, 14 Sep 1994 08:15:24 +0100 (MET)
X-Mailer: ELM [version 2.4 PL22]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 710
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hello,

I just read (Open Computing, October) about Firewall-1 from Checkpoint
Software Technologies Ltd. Rik Farrow praised its ability to pass any
network service (is it an advantage?). Has anybody tried Firewall-1? I am
just curious, have no intention to buy it.
Gaus

|-----------------------------------------------------------------|
| Damir Rajnovic                      | E-mail: gaus@znanost.hr   |
| Ministry of Science and Technology  | Voice: (+385 41)46 14 37  |
| Strossmayerov trg 4, 41000 Zagreb   |                           |
|-----------------------------------------------------------------|
|=================================================================|

From firewalls-owner Wed Sep 14 04:33:49 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id IAA29165; Wed, 14 Sep 1994 08:44:13 GMT
Received: from yarrina.connect.com.au by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id BAA29159; Wed, 14 Sep 1994 01:44:02 -0700
Received: by yarrina.connect.com.au with UUCP id AA19013 (5.67b8/IDA-1.5 for firewalls@GreatCircle.Com); Wed, 14 Sep 1994 18:49:04 +1000
Received: from melba by melba.bby.com.au with SMTP id AA12412 (5.65c/IDA-1.4.4 for ); Wed, 14 Sep 1994 18:22:53 +1000
Message-Id: <199409140822.AA12412@melba.bby.com.au>
To: firewalls@GreatCircle.Com
Subject: TIS on BSD/386
X-Mailer: exmh version 1.3 4/7/94
Date: Wed, 14 Sep 1994 18:22:52 +1000
From: Olga Aronov
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hello there,

Sorry if my question is not relevant to the list.
Has anyone out there tried to compile TIS on BSD/386?
Any hints and suggestions would be greatly appreciated.
TIA, Olga

From firewalls-owner Wed Sep 14 06:29:50 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA00944; Wed, 14 Sep 1994 12:58:38 GMT
Received: from relay.tis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id FAA00938; Wed, 14 Sep 1994 05:58:30 -0700
Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma018263; Wed Sep 14 09:03:59 1994
Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA03999; Wed, 14 Sep 94 09:01:46 EDT
Message-Id: <9409141301.AA03999@tis.com>
From: Frederick M Avolio
X-Organization: Trusted Information Systems, Inc.
X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363
To: Olga Aronov
Cc: firewalls@greatcircle.com
Subject: Re: TIS on BSD/386
In-Reply-To: Your message of Wed, 14 Sep 94 18:22:52 +1000. <199409140822.AA12412@melba.bby.com.au>
Date: Wed, 14 Sep 94 09:01:44 -0400
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

"TIS" is a company. The TIS FWTK is what you're asking about. If you're
using it get added to "fwtk-users@tis.com" (send to
fwtk-users-request@tis.com) and ask there for better results.

Fred

> Hello there,
> Sorry if my question is not relevant to the list.
> Has anyone out there tried to compile TIS on BSD/386?
> Any hints and suggestions would be greatly appreciated.
>
> TIA, Olga

From firewalls-owner Wed Sep 14 07:29:43 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA01081; Wed, 14 Sep 1994 13:31:19 GMT
Received: from venera.isi.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id GAA01074; Wed, 14 Sep 1994 06:31:11 -0700
From: bmanning@ISI.EDU
Received: from zed.isi.edu by venera.isi.edu (5.65c/5.61+local-18) id ; Wed, 14 Sep 1994 06:36:43 -0700
Posted-Date: Wed, 14 Sep 1994 06:36:04 -0700 (PDT)
Message-Id: <199409141336.AA08061@zed.isi.edu>
Received: by zed.isi.edu (5.65c/4.0.3-4) id ; Wed, 14 Sep 1994 06:36:04 -0700
Subject: Re: Routing Protocols
To: jeromie@mmp.com (jeromie)
Date: Wed, 14 Sep 1994 06:36:04 -0700 (PDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <9409131911.AA16239@megabyt> from "jeromie" at Sep 13, 94 12:11:01 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 589
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>
> I am in the process of creating a bastion host, and am curious as to the
> configuration of the routing protocols. We most likely will only be using
> RIP & EGP (if necessary).

EGP has recently been moved to HISTORIC status and should probably be
avoided. If you must use an exterior routing protocol, BGPv4 is the
currently accepted standard.

>
> My question is regarding whether the routes should be only static, or if there
> is a secure way for the routing protocol metrics to be used.

Static routes have the advantage that they can be audited a lot easier.
--
--bill

From firewalls-owner Wed Sep 14 08:23:32 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA01382; Wed, 14 Sep 1994 14:03:49 GMT
Received: from spanky.ov.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA01373; Wed, 14 Sep 1994 07:03:40 -0700
From: Mark.Hickey@ov.com
Received: from ccgate.pls.ov.com by spanky.ov.com with SMTP on Wed, 14 Sep 1994 07:05:48 -0700
Received: from ccMail by ccgate.pls.ov.com id AA779551472 Wed, 14 Sep 94 07:04:32 PST
Date: Wed, 14 Sep 94 07:04:32 PST
Message-Id: <9408147795.AA779551472@ccgate.pls.ov.com>
To: George H Phillips , firewalls@greatcircle.com
Subject: Re: Classes on firewalls
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

George,

I have not looked there, but there is an anonymous ftp site at Cisco that
allegedly has stuff like this. You can also refer to the firewalls FAQ which
contains an example of doing this along with a line by line example.
Information on getting the FAQ is available at the bottom of the Majordomo
response to your subscription request, or you can find it at
archives.cis.ohio-state.edu in the directory pub/firewalls/topics.

Mark "also a newbie, but I read the FAQ" hickey

I'm trying to find a class on how to build a firewall using a Cisco router;
does anyone know of anything? Also, does anyone have a config file they
could share that shows how a Cisco might be configured? I have looked at the
different docs at greatcircle but it still is so confusing to me.

What I want is to allow our users to be able to use different internet utils
to get out but restrict things coming in, but I am not clear on which ports
to block and which to allow, and how to configure the Cisco.
Thanks

From firewalls-owner Wed Sep 14 08:30:31 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id PAA01965; Wed, 14 Sep 1994 15:24:55 GMT
Received: from sidney.novatel.ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id IAA01958; Wed, 14 Sep 1994 08:24:41 -0700
Received: (hpeyerl@localhost) by sidney.novatel.ca (8.6.9/8.6.5) id JAA04228; Wed, 14 Sep 1994 09:29:12 -0600
From: Herb Peyerl
Message-Id: <199409141529.JAA04228@sidney.novatel.ca>
Subject: Powerbroker.
To: firewalls@greatcircle.com
Date: Wed, 14 Sep 1994 09:29:11 -40962758 (MDT)
Cc: dan@fsa.ca
X-Mailer: ELM [version 2.4 PL22]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2639
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

[I've been forwarding the Powerbroker discussion to Dan Freedman of Freedman
Sharp and have received the following. Arguably, this isn't related to
discussion of Firewalls so I would imagine further discussion should probably
be taken offline in private mail. Also, I'm in no way related to this company
other than a personal acquaintance. ie: Don't shoot the messenger. :-) ]

Forwarded message:
: From dan@fsa.ca Wed Sep 14 09:06:53 1994
: X-Sender: dan@newt
: Message-Id:
: Mime-Version: 1.0
: Content-Type: text/plain; charset="us-ascii"
: Date: Wed, 14 Sep 1994 09:17:26 -0700
: To: Herb Peyerl
: From: dan@fsa.ca (Dan Freedman)
: Subject: Re: The discussion continues....
:
: Hi Herb,
: Thanks for the forward. I have a couple of comments on this post,
: just in case anyone wants to jump in and defend PowerBroker. Thanks for
: keeping me up to date!
:
: Dan
:
:
:
: >: >Date: 9/12/94 6:33 PM
: >: >From: David Wolfskill
: >: >I would expect that a person with root access could modify any of:
: >:
: >: >* the audit trail itself;
: >: >* the programs that control who has access to what;
: >: >* the programs that create the audit trail; or
: >: >* the files that control who has access to what uids
: >:
:
: Hmm. The interesting point is that root access is only typically granted on
: machines other than the one running pbmasterd (which also stores the log
: files and configuration files).
:
:
: Marcus (below) has a good idea, but not if you want to run anything
: interactive like a shell, or vi or emacs.
:
:
:
: >
: >: From: Marcus J Ranum
: >: Date: Wed, 14 Sep 94 00:16:14 EDT
: >: Subject: Re: PowerBroker and root acc
: >:
:
:
: ________________________________________________________________________________
: Dan Freedman, Director, Freedman Sharp and Associates Inc.
: 508, 1011 First Street SW, Calgary, Alberta, Canada T2R 1J2
: phone (403) 264 4822, fax (403) 264 0873, email: dan@fsa.ca
: ________________________________________________________________________________
:
: ***************************************************************************
: *See PowerBroker and FSA in San Diego at USENIX LISA, Sept. 21-22, booth 6*
: ***************************************************************************

[End of forward]

hpeyerl@novatel.ca | NovAtel Communications Ltd.
hpeyerl@fsa.ca     | "A sucking chest wound is nature's way of telling you to slow down."
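The "adminsh" sketch Marcus J Ranum describes earlier in this thread (mail piped to a program that checks a signature, consults a sudo-like table of who may run what, runs the commands and mails back a transaction report) is easy to get wrong in the ordering of checks, so here is an added example of that flow in Python. It is not code from the list posts, from PowerBroker or from any product. Its signature check is a stand-in: a real deployment would hand the block to PGP and verify a detached signature against a key that is on file, as the post says; here the "signature" is an HMAC-SHA256 over the command block with a per-signer secret so the example runs offline. The signer table, addresses, block markers and commands are all constructed for the example.

```python
"""Mail-driven admin command gateway modelled on the "adminsh" sketch.

Added example, not code from the list posts or from PowerBroker.  Flow:
remember the sender, find the signed block, verify it, look the signer up
in a sudo-like table, run only permitted commands, report back.

Stand-in (not in the original): the signature is an HMAC-SHA256 over the
command block with a per-signer secret instead of a PGP signature, so the
file runs offline.  Everything in SIGNERS is constructed.
"""
import email
import email.policy
import hashlib
import hmac
import re
import shlex
import subprocess

# Constructed "certificates on file" plus the who-can-do-what table:
# signer id -> (verification secret, commands the signer may invoke).
SIGNERS = {
    "ops@example.test": (b"constructed-secret-for-ops", {"uptime", "df"}),
}

BEGIN = "-----BEGIN SIGNED COMMANDS-----"
SIG_BLOCK = re.compile(
    re.escape(BEGIN) + r"\n(?P<body>.*?)\n"
    r"-----SIGNATURE (?P<signer>\S+) (?P<mac>[0-9a-f]{64})-----",
    re.S,
)


def _mac(secret, body):
    return hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()


def sign_block(signer, secret, commands):
    """What the submitting side mails: the command list plus its signature."""
    body = "\n".join(commands)
    return f"{BEGIN}\n{body}\n-----SIGNATURE {signer} {_mac(secret, body)}-----"


def build_message(sender, text):
    """Constructed RFC 822 message, as the alias would pipe it to adminsh."""
    return f"From: {sender}\nTo: adminsh@host.example.test\nSubject: commands\n\n{text}\n"


def real_runner(argv):
    """Run the command and capture stdout/stderr for the transaction report."""
    try:
        res = subprocess.run(argv, capture_output=True, text=True, timeout=60)
        return res.stdout + res.stderr
    except FileNotFoundError:
        return f"{argv[0]}: command not found\n"


def dry_runner(argv):
    """Record what would run instead of running it (previews and tests)."""
    return "would run: " + " ".join(argv) + "\n"


def process_message(raw, run=real_runner):
    """Handle one inbound message; return (status, reply_to, report)."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    # a la vacation: keep the return address before anything else
    reply_to = str(msg.get("Reply-To") or msg.get("From") or "postmaster")
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""

    m = SIG_BLOCK.search(text)
    if m is None:
        return "rejected", reply_to, "no signed command block found"

    signer, mac, body = m["signer"], m["mac"], m["body"]
    entry = SIGNERS.get(signer)
    if entry is None:  # the sketch also Bcc's root at this point
        return "rejected", reply_to, f"signer {signer} is not on file"
    secret, allowed = entry
    if not hmac.compare_digest(_mac(secret, body), mac):
        return "rejected", reply_to, "signature does not verify"

    # valid input: each line is a command, checked against the signer's table
    lines = []
    for line in body.splitlines():
        try:
            argv = shlex.split(line)
        except ValueError:
            lines.append(f"{line}: cannot parse")
            continue
        if not argv:
            continue
        if argv[0] not in allowed:
            lines.append(f"{line}: not permitted for {signer}")
            continue
        lines.append(f"$ {line}\n{run(argv)}")
    return "ok", reply_to, "\n".join(lines)


if __name__ == "__main__":
    block = sign_block("ops@example.test", SIGNERS["ops@example.test"][0],
                       ["uptime", "reboot"])
    status, to, report = process_message(
        build_message("ops@example.test", block), run=dry_runner)
    print(status, "-> report for", to)
    print(report)
```

The ordering matters: the sender address is captured first so even a rejection can be reported, the signature is checked before anything in the body is parsed, and the permitted-command table is keyed by the verified signer rather than by the From: header, which anyone can forge. Running the sample with `dry_runner` shows `uptime` accepted and `reboot` refused for that signer; editing a command after signing makes the block fail verification.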
From firewalls-owner Wed Sep 14 09:31:34 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA02481; Wed, 14 Sep 1994 16:04:59 GMT
Received: from clark.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id JAA02472; Wed, 14 Sep 1994 09:04:30 -0700
Received: (hcb@localhost) by clark.net (8.6.9/8.6.5) id MAA17909; Wed, 14 Sep 1994 12:09:43 -0400
From: Howard Berkowitz
Message-Id: <199409141609.MAA17909@clark.net>
Subject: Re: Classes on firewalls
To: phillips@battelle.org (George H Phillips)
Date: Wed, 14 Sep 1994 12:09:42 -0400 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9408137795.AA779507933@ccmailgw.im.battelle.org> from "George H Phillips" at Sep 13, 94 06:58:53 pm
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Content-Length: 6921
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>
>
> I'm trying to find a class on how to build a firewall using a
> Cisco router, does anyone know of anything.

The standard Cisco Router Software Configuration class contains a module on
standard and extended access lists for IP, and a module on Novell SAP
filtering. When I teach the course, especially in a private on-site setting,
I expand this if there is interest. Different instructors do this to
different degrees. RSC, however, is not a security-oriented course; it's
about general router administration.

I am exploring whether or not it would be commercially viable to do an
advanced course on security in a Cisco environment, including the differing
roles of the router and bastion, DNS, Cisco-oriented authentication
services, syslogd auditing, tftp protection, etc. I'd very much appreciate
feedback on this, because I would first have to justify expending
development dollars internally!
>
> Also does anyone have a config file they could share that shows
> how a Cisco might be configured, I have looked at the
> different docs at greatcircle but it still is so confusing to me.
>
> What I want is to allow our users to be able to use different
> internet utils to get out but restrict things coming in, but
> I am not clear on which ports to block and which to allow, and
> how to configure the Cisco.
>

I am attaching a contribution on access control that I made to the Cisco
newsgroup; it's in the FAQ. Do note that this primarily deals with Release
9.1 and earlier; there are substantial enhancements in 9.2 and the 10.x
series that, for example, allow you to filter unicasts on incoming ports.

Howard Berkowitz
Technology Manager/Certified Cisco Systems Instructor
PSC International, a Cisco Training Partner
(703)998-5819 voice

-----
From: cisco-faq
Date: 5 July 1994
Subject: How to use access lists

Frequently Asked Questions contributed by Howard C. Berkowitz
PSC International
hcb@clark.net
PSC's domain is in mid-setup

Where in the router are access lists applied?

In general, Basic access lists are executed as filters on outgoing
interfaces. Newer releases of the Cisco code, such as 9.2 and 10, do have
increased ability to filter on incoming ports. Certain special cases, such
as broadcasts and bridged traffic, can be filtered on incoming interfaces
in earlier releases. There are also special cases involving console access.

Rules, written as ACCESS-LIST statements, are global for the entire Cisco
box; they are activated on individual outgoing interfaces by ACCESS-GROUP
subcommands of the INTERFACE major command.

Filters are applied after traffic has entered on an incoming interface and
gone through a routing process; traffic that originates in a router (e.g.,
telnets from the console port) is not subject to filtering.
             +-------------------+
             |      GLOBAL       |
             |                   |
             |      Routing      |
             |  ^ v       Access |
             |  ^ v       Lists  |
             +-^--v--------^---v-+
             | ^ v        ^   v  |
             | ^ v        ^   v  |
A----------->|-|          |>>>>Access >>----------->B
             |1           Group 2|
<------------|            |<-----------
             |                   |
             |                   |
             +-------------------+

Some types of "filter," using "filter" as a broader class than ACCESS-LIST,
can operate on incoming traffic. For example, the INPUT-SAP-FILTER used for
Novell networks is applied to Service Advertisement Packets (SAP) seen at
incoming interfaces. In general, incoming filtering can only be done for
"system" rather than user traffic.

Rules of thumb in defining access lists.

First, define what you want to do and in which directions. An informal
drawing is a good first step. As opposed to the usual connectivity drawings
among routers, it's often convenient to draw unidirectional links between
routers.

Second, informally write out your filtering rules. In general, it is best to
go from most specific to least specific. Modify the order of writing things
to minimize the number of rules needed.

Third, determine which rules need to be on which routers. Explicitly
consider the direction of flow, and the possible existence of additional
paths that could inadvertently bypass a filter.

Can a Cisco router be a "true" firewall?

This depends on the definition of firewall. Some writers (e.g., Gene
Spafford in _Practical UNIX Security_) define a firewall as a host on which
an "inside" and/or an "outside" application process run, with
application-level code linking the two. For example, a firewall might
provide FTP access to the outside world, but it would not also provide
direct FTP service to the inside world. To place a file on the FTP external
server, a designated user would explicitly log onto the FTP server, transfer
a file to the server, and log off. The firewall prevents direct FTP
connectivity between the inside and outside networks; only indirect,
application-level connectivity is allowed.
Firewalls of this sort are complemented by chokes, which filter on network addresses and/or port numbers. Cisco routers cannot do application-level control with access control lists. Other authors do not distinguish between chokes and filters. Using the loose definition that a firewall is anything that selectively blocks access from the inside to the outside, routers can be firewalls.

IP Specific
-----------

Can the "operand" field be used with a protocol keyword of IP to filter on protocol ID?

No. Operand filtering only works for TCP and UDP port numbers.

How can I prevent traffic for a certain Internet application to flow in one direction but not the other?

Remember that Internet applications flow from client port to server port. Denying traffic from port 23, for example, blocks flow from the client to the server.

             +-------------------+
             |                   |
A----------->|                   |----------->B
             |1                 2|
<------------|                   |<-----------
             |                   |
             +-------------------+

If we deny traffic to Port 23 of address B by placing a filter at interface 2, we have blocked A's ability to telnet to B, but not B's ability to telnet to A. A second filter at interface A would be needed to block telnet in both directions.

Assume that we only have the filter at interface 2. Telnets to A from B will not be affected because the filter at 2 does not check incoming traffic.

From firewalls-owner Wed Sep 14 10:30:36 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA02653; Wed, 14 Sep 1994 16:26:53 GMT
Received: from snyflcc.fingerlakes.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id JAA02647; Wed, 14 Sep 1994 09:26:45 -0700
Received: from localhost (krampwd@localhost) by snyflcc.fingerlakes.edu (8.6.5/8.6.5) id MAA15624; Wed, 14 Sep 1994 12:09:14 -0400
Date: Wed, 14 Sep 1994 12:09:14 -0400 (EDT)
From: "William D.
Kramp"
Subject: DNS on Bastion host
To: firewalls group
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I am working on setting up a firewall system (2 - routers, 1 - bastion). I have been reading many different books and articles, and I am down to figuring out how to handle DNS. Should I make the bastion host the Primary DNS server, a secondary, or no DNS services on it at all? I will be using the TIS kit on a BSDi Unix system.

+===============================================================+
| Bill Kramp - System Admin.     Finger Lakes Community College |
| krampwd@snyflcc.fingerlakes.edu                               |
+===============================================================+

From firewalls-owner Wed Sep 14 11:30:20 1994
Date: Wed, 14 Sep 94 09:13:20 PDT
From: jeromie@mmp.com (jeromie)
Message-Id: <9409141613.AA21297@megabyt>
To: firewalls@greatcircle.com
Subject: Re: Firewall-1

Firewall-1 is a bum deal in my opinion. They claim to do secure UDP packets to begin with (as we all know that is rather a pathetic claim unless the link is encrypted). I called them on it. The only thing they do to help insure security is to only open up the ports when an outgoing call is made. IE: When FTP is started from the inside there is a port made available for the return connection. Yes, this may be a good idea, although I don't necessarily see it making it a 'secure' connection.
The cost ($15,000) is also rather costly in contrast to doing something along the lines of TIS. The only good thing I would say for the company is the GUI is nice..

From firewalls-owner Wed Sep 14 12:29:43 1994
From: TEX@RMCS.CRANFIELD.AC.UK
Date: Wed, 14 SEP 94 18:48:55 BST
To: firewalls
Subject: RE: Firewalls for a VAX/VMS
Message-Id: <000055B9_00598588.00984789BA207280$16_2@UK.AC.CRANFIELD.RMCS>
Reply-to: Brian {Hamilton Kelly}

In message <940909.AA0051@opusnet.mi.org> of Fri, 8 Sep 94 23:58:20, opus@opusnet.mi.org (Rory Savageau) wrote:

> I'm wondering if anyone out there has VAX (or cluster) running VMS that also
> has a firewall. I am in the process of evaluating what I need now and 'set a
> direction' for what I will need in the future. Although I would appreciate
> hearing from anyone, I am particularly interested in the above.
>
> So as not to waste a whole lot of net bandwidth, please reply to me directly.

Well, I can't help with your query, and it looks like I'll never be able to, since it's most likely that the next firewall I shall see will _not_ be running VMS :(

But you never made the traditional promise that you'd summarize any responses to the list: a week has passed; with any luck, you'll have had some positive replies (?) So do please summarize to the list when you've got something to report!
Brian {Hamilton Kelly}

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ JANET: tex@rmcs.cran.ac.uk                                             +
+ UUCP:  {mcsun,uknet,uunet}!rmcs.cran.ac.uk!tex                         +
+ Smail: School of Electrical Engineering & Science, Royal Military      +
+        College of Science, Shrivenham, SWINDON SN6 8LA, U.K.           +
+ Phone: Swindon (01793) 785252 (UK), +44-1793-785252 (International)    +
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

From firewalls-owner Wed Sep 14 14:30:14 1994
Message-Id: <199409142034.NAA01268@holonet.net>
Subject: Document listing MOSAIC vulnerabilities
To: firewalls@GreatCircle.COM
Date: Wed, 14 Sep 94 13:34:21 PDT
From: "Andrew T. Rodnite"
Cc: bugtraq@crimelab.com

Hi,

Does anybody have either an article, document or list of known MOSAIC vulnerabilities? If available I'm looking for a document suitable for a manager to read and not a bunch of disjoint mail messages :-). A group of us are trying to convince management that just slamming MOSAIC clients on every PC and MAC in the building and then letting people surf the net may not be the smartest thing from a security standpoint. If no list exists I'd still be interested in hearing people's opinions anyway via e-mail.
Thanks,
Andy Rodnite
rodnite@holonet.net
(612) 937-4667

From firewalls-owner Wed Sep 14 15:32:01 1994
Message-Id: <199409142200.SAA05835@epiwrl.entropic.com>
X-Notice: The site "wrl.epi.com" is now known as "entropic.com"
To: "Andrew T. Rodnite"
cc: firewalls@GreatCircle.COM, bugtraq@crimelab.com
Subject: Re: Document listing MOSAIC vulnerabilities
In-reply-to: Your message of "Wed, 14 Sep 1994 13:34:21 PDT." <199409142034.NAA01268@holonet.net>
Date: Wed, 14 Sep 1994 18:00:27 -0400
From: Ken Hornstein

> Does anybody have either an article, document or list of known
> MOSAIC vulnerabilities?

Isn't there such a thing on the NCSA Home Page? (I think it's called something like "In Response to your Security Concerns about Mosaic").
--Ken

From firewalls-owner Wed Sep 14 16:32:26 1994
Date: Wed, 14 Sep 94 15:08:45 PDT
From: harker@harker.com (Robert Harker)
Message-Id: <9409142208.AA19158@harker.com>
To: firewalls@GreatCircle.COM, krampwd@snyflcc.fingerlakes.edu
Subject: Re: DNS on Bastion host

Should your firewall be the Primary DNS server? Depends on your DNS configuration.

If you run a traditional DNS domain where you make all your internal DNS information available to the Internet, then the bastion host should never be the primary DNS server. If someone broke into your bastion host and it was the Primary DNS server, they would be able to change your DNS data and it would be replicated on all of your DNS servers. In this configuration the primary DNS server should always be an internal protected host.

Also note, the primary DNS server does not have to be a listed DNS server for your domain in the root DNS servers. The NIC could simply advertise your bastion DNS server and your external (service provider's) DNS server through the root name servers. After the SOA record on your primary DNS server would need to advertise the primary DNS server as well as any other internal DNS servers. This avoids problems with external hosts timing out trying to connect to your internal DNS servers before trying the bastion and external DNS servers.
There are two drawbacks to this: first, some diagnostic tools like "dig" will complain about the configuration; second, the external DNS server will have to copy its database from a peer secondary (the bastion DNS server) rather than the primary.

If you are running a split DNS domain in which you have a private internal DNS domain that does not advertise data to the Internet (or do not run DNS internally) and a second external DNS domain (server) which advertises a minimal amount of information to the Internet (host information for the hosts on the DMZ network and a wildcard MX record for the domain) then the bastion host can (should) be the primary DNS server for this external domain. You should watch the data on the external DNS server, but it is not as big an internal security concern because its DNS information is not used by the internal domain. (note: both of the domains are the same name, they simply have different information)

***Commercial Plug***
I explain how to configure this as well as how to set-up and maintain DNS in my "Advanced Sendmail and Electronic Mail Domains" class.
For information about this class or my "Sendmail Made Simple" class please send mail to info@harker.com or call (408) 295-6239
***End Commercial Plug***

I hope this helps
Thanks in advance
RLH

Robert Harker                    sendmail and TCP/IP Network Training
Harker Systems                   Network and Sysadmin Consulting
harker@harker.com                1180 Hester Ave
netcom!harker!harker             San Jose, CA 95126
uunet!harker!harker              408-295-9432

From firewalls-owner Wed Sep 14 18:29:51 1994
Date: Thu, 15 Sep 1994 08:42:44 +1000
From: Craig.Bishop@BarwonWater.Vic.Gov.Au
Message-Id: <199409142242.AA03993@oahu>
To: firewalls@GreatCircle.COM
Subject: Re: Firewall-1

I just finished reading the glossies and the paper and I was impressed.

Date: Wed, 14 Sep 94 09:13:20 PDT
From: jeromie@mmp.com (jeromie)

> Firewall-1 is a bum deal in my opinion. They claim to do secure UDP packets
> to begin with (as we all know that is rather a pathetic claim unless the
> link is encrypted). I called them on it. The only thing they do to help
> insure security is to only open up the ports when an outgoing call is made.

The main problem with UDP is allowing it in at all. With this product an outgoing UDP service has a window of opportunity back to the originating machine.
As usual with help from the inside this could be used to do very nasty things but otherwise it is better than allowing blocks of unprivileged UDP ports back in.

> IE: When FTP is started from the inside there is a port made available for
> the return connection. Yes, this may be a good idea, although I don't
> necessarily see it making it a 'secure' connection.

Works the same way. Many people allow unprivileged tcp ports back in to enable FTP through the firewall. Even when that is via a proxy. The dynamic nature of the windows which are being opened in this product is the attraction.

> The only good thing I would say for the company is the GUI is nice..

The thing I really like is the control over the filtering because the majority of it is being done on the bastion host not on a router (which gives you ZERO logging capability). With the filtering happening at the bastion host there are many more options for logging. Your firewall is only as good as its logging. If you don't know your door is being knocked on, and how it is being knocked on then all you have is a smaller door which someone will squeeze through and you will never know.

Cheers,
Craig

Craig Bishop                            csb@BarwonWater.Vic.Gov.Au
Information Systems, Barwon Water       Ph: +61 52 262506
61-67 Ryrie St Geelong 3220 Australia   Fx: +61 52 218236

From firewalls-owner Wed Sep 14 19:29:52 1994
Message-Id: <199409150211.TAA07831@mycroft.GreatCircle.COM>
From: Darren Reed
Subject: writing packet filters.
To: firewalls@GreatCircle.COM
Date: Thu, 15 Sep 1994 12:14:34 +1000 (EST)

It has often been said that having a filter list for both the in AND out side of the IP in a router is desirable (for obvious reasons).

In writing some filter software myself, for SunOS 4, I'm pondering the wisdom of having 3 filter lists:

* inbound
* outbound
* general

A packet going in would then be applied against the inbound and general and one going out would be checked against the outbound and general lists.

Does this seem excessive (ie complicating this issue too much) ? If not, which order would people prefer - the "general" list being checked before or after the `direction' specific list ?

Darren

From firewalls-owner Wed Sep 14 20:29:34 1994
Message-Id: <199409150238.TAA08119@mycroft.GreatCircle.COM>
Date: Wed, 14 Sep 1994 22:43:39 -0500
To: Marcus J Ranum , firewalls@GreatCircle.COM, lakind1@qmsmtpgw.mugu.navy.mil
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: PowerBroker and root acc
Cc: MJPapais-0@is.chrysler.com, david@greatbasin.com

At 00:16 9/14/94 -0400, Marcus J Ranum wrote:
> I'm probably giving away the farm here for mjr's
>Quick 'N Dirty Hack #19201 which I always thought would make
>a fun white paper, but I never manage to write the documentation
>for it....
>If you use this idea, please buy me a cup of coffee
>next time you see me.... :)

PLEASE, make it decaf! :-)

-Brent
--
Brent Chapman         | Great Circle Associates | Call or email for info about
Brent@GreatCircle.COM | 1057 West Dana Street   | upcoming Internet Security
+1 415 962 0841       | Mountain View, CA 94041 | Firewalls Tutorial dates

From firewalls-owner Wed Sep 14 21:04:25 1994
Message-Id: <199409150306.UAA08337@mycroft.GreatCircle.COM>
Date: Wed, 14 Sep 1994 23:11:43 -0500
To: Craig.Bishop@BarwonWater.Vic.Gov.Au, firewalls@GreatCircle.COM
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: Firewall-1

At 08:42 9/15/94 +1000, Craig.Bishop@BarwonWater.Vic.Gov.Au wrote:
>The thing I really like is the control over the filtering
>because the majority of it is being done on the bastion host not
>on a router (which gives you ZERO logging capability). With
>the filtering happening at the bastion host there are many more
>options for logging.

This depends on the particular router. Many packet filtering routers (such as Livingston PortMasters and their new FireWall IRX product) have excellent logging capabilities.
-Brent
--
Brent Chapman         | Great Circle Associates | Call or email for info about
Brent@GreatCircle.COM | 1057 West Dana Street   | upcoming Internet Security
+1 415 962 0841       | Mountain View, CA 94041 | Firewalls Tutorial dates

From firewalls-owner Wed Sep 14 21:29:25 1994
Date: Wed, 14 Sep 94 22:38:23 CDT
From: jim@Tadpole.COM (Jim Thompson)
Message-Id: <9409150338.AA12119@tadpole.tadpole.com>
To: avalon@coombs.anu.edu.au
Subject: Re: writing packet filters.
Cc: firewalls@greatcircle.com

I've always been confused by the heat surrounding inbound/outbound filters.

If you've got inbound filters, and you can prevent the packet from appearing on the IP input queue, why do you have to worry about the outbound queue?

Really the only traffic that can be generated that isn't subjected to the filter list is locally generated traffic. And hey, if you don't have control of your firewall (or filtering router), what security do you have?
Jim

From firewalls-owner Thu Sep 15 08:30:12 1994
Reply-To: crow!rik@uunet.uu.net
Date: Wed, 14 Sep 94 12:56:11 MST
From: crow!rik@uunet.uu.net (Rik Farrow 602 282 0242 MST)
Message-Id: <9409141956.AA01423@crow.spirit.com>
To: uworld!uunet!znanost.mz.hr!gaus@uunet.uu.net
Subject: Re: Firewall-1
Cc: uworld!uunet!greatcircle.com!firewalls@uunet.uu.net

Gaus:

I did have some negative things to say about Firewall-1. Most were in a paragraph toward the end, which was removed by the magazine's staff so the story would finish on that page (aren't magazines great!):

[The deleted paragraph]

FireWall-1 drops source routed packets by default, which is good for security, but may be bad if you need to use source routing to contact certain difficult-to-reach sites. Other firewall implementations also offer improved authentication using one-time passwords-- something FireWall-1 currently does not support. Finally, the nice GUI interface could lead a novice system administrator into a false sense of security. It is quite possible to permit potentially dangerous services, like NFS, through CheckPoint's FireWall-1.
While FireWall-1 works great with outgoing NFS, it won't protect against incoming attacks on NFS based on improper configuration of computers behind the firewall.

[End]

Rik Farrow
rik@uworld.com

From firewalls-owner Thu Sep 15 09:30:47 1994
Date: Thu, 15 Sep 94 12:11:13 EDT
From: lshields@lehman.com (Larry Shields)
Message-Id: <9409151611.AA22724@newsu.lehman.com>
To: firewalls@greatcircle.com
Subject: WellFleet
Cc: lshields@lehman.com

Has anyone had experience setting up Wellfleet Routers in a firewall scenario? Pluses and minuses of the product in this scenario would be appreciated.

Thanx in advance.....................
Larry Shields
lshields@lehman.com

From firewalls-owner Thu Sep 15 10:30:13 1994
Date: Thu, 15 Sep 94 11:33:26 EDT
From: mjs@tiaa.org (marty shannon)
Message-Id: <9409151533.AA07577@sys001.tiaa.org>
To: firewalls@greatcircle.com
Subject: Logging Routers
Cc: Craig.Bishop@BarwonWater.Vic.Gov.Au

Craig Bishop wrote (about Firewall-1):

] The thing I really like is the control over the filtering
] because the majority of it is being done on the bastion host not
] on a router (which gives you ZERO logging capability). With
] the filtering happening at the bastion host there are many more
] options for logging.

However, there are routers out there that do logging as part of their filtering (Wellfleet I know does this; I don't know of any others). I think logging from the router could help catch attacks that don't use all the old standard tricks.

Just My $.02,
Marty
--
Marty Shannon           | SunOS System Administrator | You can't borrow
TIAA-CREF 3rd Floor     | SVR3 System Administrator  | enough to make
730 3rd Avenue          | UUCP Guru (Don't Tell!)    | me do Windows!
New York City, NY 10017 | Hacker -- and proud of it! | NYAH!
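The directional behaviour described in Howard Berkowitz's access-list FAQ earlier in this thread, and the inbound/outbound/general three-list scheme Darren Reed asks about, modelled as a small added example. This is not code from the FAQ, from Darren's SunOS filter software or from any vendor; the host labels, interface numbers and rules are constructed for the illustration.

```python
"""Toy packet-filter model (added example, not any vendor's real syntax).

It shows two points from the messages above:
  * the FAQ's 9.1-era behaviour, where an access list is bound to an
    OUTGOING interface, so a deny of port 23 at interface 2 stops A
    telnetting to B but leaves B free to telnet to A;
  * the inbound / outbound / general three-list scheme, where the order
    in which the "general" list is consulted can change the verdict.
Hosts are just labels ("A", "B", ...); all rules are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    in_if: int      # interface the packet arrived on
    out_if: int     # interface the routing step chose to forward it out of


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "ip"            # "ip" matches any protocol
    src: Optional[str] = None    # None means any host
    dst: Optional[str] = None
    dport: Optional[int] = None  # port operand: only meaningful for tcp/udp

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src is not None and self.src != p.src:
            return False
        if self.dst is not None and self.dst != p.dst:
            return False
        # Mirrors the FAQ answer: a port operand on an "ip" rule is ignored,
        # because operand filtering only works for TCP and UDP.
        if (self.dport is not None and self.proto in ("tcp", "udp")
                and self.dport != p.dport):
            return False
        return True


def first_match(rules: List[Rule], p: Packet) -> Optional[str]:
    """Top-to-bottom evaluation; the first matching rule decides, which is
    why the FAQ advises writing the most specific rules first."""
    for r in rules:
        if r.matches(p):
            return r.action
    return None


def outgoing_interface_filter(groups: Dict[int, List[Rule]], p: Packet) -> str:
    """Access lists bound to outgoing interfaces only (the 9.1 model).
    A list ends in an implicit deny; an interface with no list passes all."""
    rules = groups.get(p.out_if)
    if rules is None:
        return "permit"
    return first_match(rules, p) or "deny"


def three_list_filter(inbound: List[Rule], outbound: List[Rule],
                      general: List[Rule], direction: str, p: Packet,
                      general_first: bool = False) -> str:
    """Darren Reed's proposal for a host filter: a packet is checked against
    its direction-specific list and the shared general list; which of the
    two is consulted first is the open question in his message."""
    specific = inbound if direction == "in" else outbound
    order = [general, specific] if general_first else [specific, general]
    for rules in order:
        verdict = first_match(rules, p)
        if verdict is not None:
            return verdict
    return "deny"           # nothing matched in either list


# Constructed sample policy for the FAQ diagram (A on if 1, B on if 2):
FAQ_GROUPS = {2: [Rule("deny", "tcp", dst="B", dport=23), Rule("permit")]}
A_TO_B_TELNET = Packet("A", "B", "tcp", 1025, 23, in_if=1, out_if=2)
B_TO_A_TELNET = Packet("B", "A", "tcp", 1026, 23, in_if=2, out_if=1)

# Constructed sample lists for the three-list scheme:
INBOUND = [Rule("permit", "tcp", dport=25)]   # let mail in from anywhere
OUTBOUND = [Rule("permit")]
GENERAL = [Rule("deny", src="X")]             # but never talk to host X
X_SMTP_IN = Packet("X", "host", "tcp", 2000, 25, in_if=1, out_if=0)


def demo() -> Dict[str, str]:
    return {
        "A->B telnet": outgoing_interface_filter(FAQ_GROUPS, A_TO_B_TELNET),
        "B->A telnet": outgoing_interface_filter(FAQ_GROUPS, B_TO_A_TELNET),
        "X smtp, specific list first": three_list_filter(
            INBOUND, OUTBOUND, GENERAL, "in", X_SMTP_IN),
        "X smtp, general list first": three_list_filter(
            INBOUND, OUTBOUND, GENERAL, "in", X_SMTP_IN, general_first=True),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:30} {verdict}")
```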
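The logging point Craig Bishop and Marty Shannon make above (a filter that records its denies gives early warning of probes), as an added example that is not part of any message in the thread: detection logic run over router deny-log lines. The log format, router name and addresses are constructed for this example, not Wellfleet's, Livingston's or any other vendor's real syslog format.

```python
"""Probe detection over router filter logs (added example).

The line format is invented for this illustration:
  <Mon> <day> <hh:mm:ss> <router> filter: deny <proto> <src>:<sport> -> <dst>:<dport> <iface>
Addresses come from the documentation ranges (192.0.2.0/24 etc.).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<router>\S+) filter: "
    r"deny (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<iface>\S+)$"
)

# Services the thread names as typical probe targets, plus a few others.
SERVICE_NAMES = {21: "ftp", 23: "telnet", 25: "smtp", 79: "finger",
                 111: "sunrpc", 2049: "nfs"}


class Deny(NamedTuple):
    when: datetime
    src: str
    dst: str
    proto: str
    dport: int


def parse(lines: List[str], year: int = 1994) -> List[Deny]:
    """Keep only deny records; permits and unrelated lines are skipped."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = " ".join(m["ts"].split())          # collapse "Sep  5" spacing
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        out.append(Deny(when, m["src"], m["dst"], m["proto"], int(m["dport"])))
    return out


def find_probes(denies: List[Deny], max_ports: int = 3,
                window_seconds: int = 300) -> Dict[str, List[int]]:
    """A source denied to >= max_ports distinct ports inside one sliding
    window is reported, with the ports seen in its widest window."""
    by_src: Dict[str, List[Deny]] = defaultdict(list)
    for d in denies:
        by_src[d.src].append(d)
    probes = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e.when)
        best, start = set(), 0
        for end in range(len(events)):
            while (events[end].when - events[start].when).total_seconds() > window_seconds:
                start += 1
            ports = {e.dport for e in events[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= max_ports:
            probes[src] = sorted(best)
    return probes


def repeated_service_hits(denies: List[Deny],
                          min_count: int = 3) -> List[Tuple[str, str, int]]:
    """Sources hammering one named service (telnet, finger, ...) repeatedly,
    the "early warning" case in Padgett Peterson's follow-up."""
    counts = Counter((d.src, d.dport) for d in denies if d.dport in SERVICE_NAMES)
    return sorted((src, SERVICE_NAMES[port], n)
                  for (src, port), n in counts.items() if n >= min_count)


# Constructed sample log: one port-sweeping source, one telnet-retrying
# source, one permitted connection (ignored) and one lone tftp deny.
SAMPLE_LOG = [
    "Sep 15 12:40:01 gw filter: deny tcp 192.0.2.77:1033 -> 203.0.113.5:23 if1",
    "Sep 15 12:40:02 gw filter: deny tcp 192.0.2.77:1034 -> 203.0.113.5:79 if1",
    "Sep 15 12:40:04 gw filter: deny tcp 192.0.2.77:1035 -> 203.0.113.5:25 if1",
    "Sep 15 12:40:05 gw filter: deny udp 192.0.2.77:1036 -> 203.0.113.5:2049 if1",
    "Sep 15 12:41:10 gw filter: permit tcp 198.51.100.9:2001 -> 203.0.113.5:25 if1",
    "Sep 15 12:43:00 gw filter: deny tcp 198.51.100.9:2002 -> 203.0.113.5:23 if1",
    "Sep 15 12:43:30 gw filter: deny tcp 198.51.100.9:2003 -> 203.0.113.5:23 if1",
    "Sep 15 12:44:00 gw filter: deny tcp 198.51.100.9:2004 -> 203.0.113.5:23 if1",
    "Sep 15 12:50:00 gw filter: deny udp 198.51.100.200:1111 -> 203.0.113.5:69 if1",
]


if __name__ == "__main__":
    denies = parse(SAMPLE_LOG)
    print("port sweeps:", find_probes(denies))
    print("repeated service hits:", repeated_service_hits(denies))
```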
From firewalls-owner Thu Sep 15 11:31:15 1994
Date: Thu, 15 Sep 94 12:40:27 EST
From: "Nayfield, Rod"
Message-Id: <9408157796.AA779658061@mail.IConNet.COM>
To: rodnite@holonet.net, Ken Hornstein
Cc: firewalls@GreatCircle.COM, bugtraq@crimelab.com
Subject: Re[2]: Document listing MOSAIC vulnerabilities

______________________________ Reply Separator _________________________________
Subject: Re: Document listing MOSAIC vulnerabilities
Author:  Ken Hornstein at Internet
Date:    9/15/94 8:13 AM

> Does anybody have either an article, document or list of known
> MOSAIC vulnerabilities?

Isn't there such a thing on the NCSA Home Page? (I think it's called something like "In Response to your Security Concerns about Mosaic").

--Ken

Yes, there is - also check out using cern's httpd - it allows proxy connections and caching - we have 800mb of cache for mosaic, so 85% of the time a request from a pc results in a cache hit, transferring instantly the entire page. It works great for slow connections; you can just set it up and let it go - automatic expiry, etc...
rod

From firewalls-owner Thu Sep 15 12:29:50 1994
Date: Thu, 15 Sep 1994 13:51:39 -0500
From: ted@gw.lsli.com (Ted Airedale)
Message-Id: <9409151851.AA09501@gw>
To: firewalls@greatcircle.com
Subject: Is there a conference in Galveston?

If I recall properly there is a conference coming up in Galveston, Texas. I think it involves network security (firewalls, etc.). I think it's in December. Does anyone out there in TV land have any info on it they could send me, or repost, or whatever makes you happy?

thanks
Ted

From firewalls-owner Thu Sep 15 14:30:40 1994
Date: Thu, 15 Sep 94 16:27:14 -0400
Message-Id: <9409152027.AA14026@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E.
Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Logging routers

Craig Bishop wrote (about Firewall-1):

] The thing I really like is the control over the filtering
] because the majority of it is being done on the bastion host not
] on a router (which gives you ZERO logging capability). With
] the filtering happening at the bastion host there are many more
] options for logging.

Marty Shannon replied:

>I think logging from the router could help catch attacks that don't use
>all the old standard tricks.

Even for standard attacks, it helps to have early warning of probes via Telnet or Finger or other means. Just rejecting the packet allows the intruder to continue to try different approaches whereas if failed connections are logged, other defenses and alerts can be established.

Warmly,
padgett@tccslr.dnet.mmc.com

From firewalls-owner Thu Sep 15 15:32:02 1994
Message-Id: <199409152207.PAA15695@mycroft.GreatCircle.COM>
Date: Thu, 15 Sep 1994 18:13:13 -0500
To: jim@Tadpole.COM (Jim Thompson), avalon@coombs.anu.edu.au
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: writing packet filters.
Cc: firewalls@greatcircle.com

At 22:38 9/14/94 -0500, Jim Thompson wrote:
>I've always been confused by the heat surrounding inbound/outbound filters.
>
>If you've got inbound filters, and you can prevent the packet from appearing
>on the IP input queue, why do you have to worry about the outbound queue?
>
>Really the only traffic that can be generated that isn't subjected to the
>filter list is locally generated traffic. And hey, if you don't have control of your
>firewall (or filtering router), what security do you have?
>
>Jim

It's primarily an issue for routers with >2 interfaces. If you've got multiple interfaces, it's really nice to be able to put all the Internet-related filtering rules on the Internet interface, and all the finance-net related filtering rules on the finance-net interface, and so forth. First, it makes the rules much simpler; trying to merge 4 nets' worth of filtering constraints into 4 different outbound-only (or inbound-only) filter lists can be a real headache, and may not be possible at all (depends on the filter syntax). Second, it's a performance issue; being able to put all the filtering rules on a single interface means that traffic between other interfaces isn't subject to packet filtering performance delays.

-Brent
--
Brent Chapman         | Great Circle Associates | Call or email for info about
Brent@GreatCircle.COM | 1057 West Dana Street   | upcoming Internet Security
+1 415 962 0841       | Mountain View, CA 94041 | Firewalls Tutorial dates

From firewalls-owner Thu Sep 15 16:31:56 1994
Message-Id: <199409152219.PAA15823@mycroft.GreatCircle.COM>
Date: Thu, 15 Sep 1994 18:24:08 -0400
To: Jim Thompson , avalon@coombs.anu.edu.au
From: Ken Shores
Subject: Re: writing packet filters.
Cc: firewalls@greatcircle.com
X-Mailer:
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

At 10:38 PM 9/14/94 CDT, Jim Thompson wrote:
>
>I've always been confused by the heat surrounding inbound/outbound filters.
>
>If you've got inbound filters, and you can prevent the packet from appearing
>on the IP input queue, why do you have to worry about the outbound queue?

True. But, especially when dealing with multiport filtering routers
implementing separate policies on each port, keeping filters with different
logical functions separate helps keep filter lists shorter, and hence more
easily understood by a human. The same could also be done with a software
front end which generated the active filters from the configuration, but
then you'd have to either trust it or manually check the big filters anyway.
It's a manageability issue, not a functional one.

Actually, in a router you lose functionality by having bidirectional
filters, because every packet needs to be compared to at least two lists,
increasing the per-packet overhead which router vendors strive to avoid.

Ken
-----
Ken Shores, Sr. Network Analyst
The Charles Stark Draper Laboratory, Inc.
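The per-interface argument in Brent's and Ken's posts above, as an added example that is not part of either post: a small Python model of a three-interface router (hypothetical nets 10.0.1.0/24 "finance", 10.0.2.0/24 "eng", and an Internet interface) with one constructed policy written once as per-interface inbound lists and again as merged outbound-only lists. It assumes first-match evaluation with an implicit deny and counts how many rules each packet is compared against; the outbound-only form also shows one case the merge cannot express, because an outbound list never sees which interface a packet arrived on.

```python
"""Per-interface inbound filter lists versus outbound-only lists on a
three-interface router. Nets, hosts and rules are constructed for this
example; rule semantics (first match wins, implicit deny) are assumed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ingress: str                 # interface the packet arrived on
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (pkt.src in self.src and pkt.dst in self.dst
                and (self.dport is None or self.dport == pkt.dport))


def R(action: str, src: str, dst: str, dport: Optional[int] = None) -> Rule:
    return Rule(action, ip_network(src), ip_network(dst), dport)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """First match wins; a non-empty list ends in an implicit deny, while no
    list at all means no filtering. Returns (action, rules compared)."""
    if not rules:
        return "permit", 0
    for n, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.action, n
    return "deny", len(rules)


class Router:
    def __init__(self, inbound: Dict[str, List[Rule]],
                 outbound: Dict[str, List[Rule]]) -> None:
        self.inbound, self.outbound = inbound, outbound
        self.routes = {"finance": ip_network("10.0.1.0/24"),
                       "eng": ip_network("10.0.2.0/24")}

    def egress_for(self, dst: IPv4Address) -> str:
        for name, net in self.routes.items():
            if dst in net:
                return name
        return "internet"        # default route

    def forward(self, pkt: Packet) -> Tuple[str, int]:
        """Ingress interface's inbound list first, then the egress
        interface's outbound list; total compared rules is the cost."""
        action, cost = evaluate(self.inbound.get(pkt.ingress, []), pkt)
        if action == "deny":
            return action, cost
        action, more = evaluate(
            self.outbound.get(self.egress_for(pkt.dst), []), pkt)
        return action, cost + more


# Constructed policy: the Internet may reach only eng's web server; finance
# may reach eng freely and the Internet on port 80 only; eng may reach
# anything except finance.
PER_INTERFACE_IN = {
    "internet": [R("permit", "0.0.0.0/0", "10.0.2.80/32", 80)],
    "finance":  [R("permit", "10.0.1.0/24", "10.0.2.0/24"),
                 R("permit", "10.0.1.0/24", "0.0.0.0/0", 80)],
    "eng":      [R("deny",   "10.0.2.0/24", "10.0.1.0/24"),
                 R("permit", "10.0.2.0/24", "0.0.0.0/0")],
}

# The same policy recast as outbound-only lists: each egress list merges the
# constraints of every net whose traffic can leave through that interface.
OUTBOUND_ONLY = {
    "internet": [R("permit", "10.0.1.0/24", "0.0.0.0/0", 80),
                 R("permit", "10.0.2.0/24", "0.0.0.0/0")],
    "finance":  [R("deny",   "10.0.2.0/24", "10.0.1.0/24")],
    "eng":      [R("permit", "0.0.0.0/0",   "10.0.2.80/32", 80),
                 R("permit", "10.0.1.0/24", "10.0.2.0/24")],
}

per_interface = Router(inbound=PER_INTERFACE_IN, outbound={})
outbound_only = Router(inbound={}, outbound=OUTBOUND_ONLY)
bidirectional = Router(inbound=PER_INTERFACE_IN, outbound=OUTBOUND_ONLY)


def pkt(ingress: str, src: str, dst: str, dport: int) -> Packet:
    return Packet(ingress, ip_address(src), ip_address(dst), dport)


def compare(p: Packet) -> Dict[str, Tuple[str, int]]:
    """(action, rules compared) under each of the three configurations."""
    return {"per_interface": per_interface.forward(p),
            "outbound_only": outbound_only.forward(p),
            "bidirectional": bidirectional.forward(p)}


if __name__ == "__main__":
    samples = {
        "finance -> eng ssh":      pkt("finance", "10.0.1.5", "10.0.2.10", 22),
        "internet -> eng web":     pkt("internet", "198.51.100.7", "10.0.2.80", 80),
        "internet, finance src":   pkt("internet", "10.0.1.5", "10.0.2.10", 22),
        "eng -> finance":          pkt("eng", "10.0.2.10", "10.0.1.5", 445),
    }
    for label, p in samples.items():
        print(f"{label:24s} {compare(p)}")
```

The third sample is a packet arriving on the Internet interface with a finance source address: the per-interface inbound list drops it, the merged outbound list on "eng" permits it, and the bidirectional router pays for two list walks on every packet it forwards.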
kss1376@pop.draper.com
555 Technology Square, Cambridge, MA 02139-3563
(617) 258-2529
Mail Stop 33

From firewalls-owner Fri Sep 16 01:30:57 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id GAA18956; Fri, 16 Sep 1994 06:46:09 GMT
Received: from sug.org by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id IAA02152; Wed, 14 Sep 1994 08:40:14 -0700
Received: from bridge.sug.org by sug.org (5.61+++/Spike-2.1) id AA27472; Wed, 14 Sep 94 11:45:42 -0400
From: troll@sug.org (Alex Newman)
Received: by bridge.sug.org (4.1/Spike-2.0) id AA29817; Wed, 14 Sep 94 11:45:40 EDT
Date: Wed, 14 Sep 94 11:45:40 EDT
Message-Id: <9409141545.AA29817@bridge.sug.org>
To: firewalls@greatcircle.com
Subject: "UNIX & The Law" Symposium, Nov 14-17, Austin, TX
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

                            SUN USER GROUP
                      Annual Technical Symposium
                          "UNIX & The Law"
                        November 14-17, 1994
                             Austin, TX

As computers are utilized in more and more aspects of everyday life, the
once distinct areas of technology, legislature, and law enforcement draw
closer together. This unique technical conference provides a forum in which
members of these three fields can meet to share experiences and ideas. The
four day technical program (a day of tutorials, two days of talks, and
another day of tutorials) will provide you with essential knowledge,
whether your field is technical, legal, or law enforcement.
+-----------------------------------------------------------------------+
| IMPORTANT DATES TO REMEMBER:                                          |
|   Earlybird Savings Deadline: October 3, 1994                         |
|   Registrations must be received at the Sun User Group offices        |
|   by October 3, 1994 to be eligible for Earlybird savings             |
|                                                                       |
|   Hotel Discount Reservation Deadline: October 21, 1994               |
+-----------------------------------------------------------------------+

CONFERENCE OVERVIEW:

MONDAY, November 14, 1994     - TUTORIAL PROGRAM
TUESDAY, November 15, 1994    - TECHNICAL SESSIONS
WEDNESDAY, November 16, 1994  - TECHNICAL SESSIONS
THURSDAY, November 17, 1994   - TUTORIAL PROGRAM

TUTORIALS:
----------

The SUG Tutorial Program brings experienced training professionals to you.
Courses are presented by skilled teachers who are hands-on experts in their
topic areas. The tutorials will cover a variety of topics relating to
Sun/SPARC and x86-based machines, running any of a number of operating
systems. Those who attend the tutorials will benefit from this unique
opportunity to develop essential skills in a unique combination of UNIX
system security, ethical, and legal topics.

The tutorial program at Austin is divided into two days, with both full-
and half-day tutorials offered. Attendees may select any non-overlapping
set of classes. To ensure adequate seating and to reduce crowding, we are
requiring that registrants pre-register for specific classes. Please note
that some prior knowledge is required for the advanced tutorials.

SUG's tutorial program is always in demand, and some tutorials are almost
guaranteed to sell out before registration closes. Attendance is limited,
and pre-registration is strongly recommended. On-site registration is
possible ONLY if space permits.
Monday, November 14, 1994 Tutorials
-----------------------------------

M1 - 9:00am-5:00pm
Advanced UNIX Security
Matt Bishop, UC Davis

Prerequisites: an understanding of the basic protection mechanisms of UNIX
systems (real and effective UIDs and GIDs, file protection modes, etc.)

Intended audience: system administrators, system programmers, and users,
especially those interested in the underpinnings of UNIX system security;
those needing to write programs which change privileges of their users;
those worried about computer worms, viruses, and other nasties and who want
to learn how to limit their damage; and those interested in more than a
simple cookbook list of ways to protect a UNIX system

* UNIX and passwords: how passwords are stored, details of the hashing
  (password encryption) algorithm, password cracking, password management;
  schemes for selecting and/or assigning passwords. This part involves a
  somewhat technical discussion of the cryptographic techniques used in the
  UNIX password hashing function.

* How to manage privileges: managing a super-user account; managing less
  powerful system management accounts; managing system resources

* Writing setuid programs: when not to use them; when to use them;
  approaches, alternatives, common pitfalls, considerations, some details
  about which library functions and system calls are safe to use, and which
  have dangerous effects or side effects. We will examine a setuid program
  designed to give temporary privileges as part of this.

* Trojan horses, computer worms, and other malicious logic: how malicious
  logic works, how UNIX security mechanisms interact with it; ways to
  protect yourself and your system; some famous incidents (Internet worm of
  1988, etc.) and what lessons they teach.
* UNIX and network security: overview of Kerberos, Privacy-Enhanced
  electronic mail, and Secure RPC (including a technical discussion of the
  role of cryptography, and how the ciphers work); NFS and NIS (formerly
  YP); how to forge and intercept network traffic; network-based daemons;
  well-known security holes and why they arise; the many lives of UUCP.

* X11 Window System security: how to set it up, and its limits and benefits

* Some of the better-known, and pernicious, security holes and how to plug
  them or detect their use

* Suggestions for detecting intrusions, what to look for, and what to do;
  planning for an attack; resources

M2 - 9:00am-5:00pm
Internet & The Law
Dan Appelman, Heller, Ehrman, McAuliffe & White

Intended Audience: Anyone interested in the legal issues that arise out of
the increasing use and popularity of the Internet. The examination of the
intersection of technology, law, and public policy is of particular
interest to system administrators, contract administrators, and company
executives who need to develop policies about doing business
electronically.

The focus of this tutorial is an examination of the kinds of problems which
arise as commercial institutions make increasing use of electronic data
communications and the legal bases for resolving those problems. We examine
the areas of law involved when commercial institutions use the Internet,
namely: privacy, confidentiality, and security; the ownership of
proprietary information; the enforceability of legal transactions; criminal
activities; and export compliance.

We begin by presenting "case studies" of problems from each of these areas,
and then giving the participants background knowledge of the general
principles of law in each area. Next, we guide the attendees as they
attempt to apply those principles (from "old law") to the modern context.
In most cases, we see that such application, however necessary, puts
fascinating stresses and strains on the legal system and forces it to
confront new questions of public policy.

This tutorial will make you aware of the emerging issues in electronic data
communication and will help you become an informed participant in the
larger debate. Most importantly, however, armed with the information
presented in this tutorial, you will be better prepared to deal with the
ever-changing face of technology in your day-to-day work.

Thursday, November 17, 1994 Tutorials
-----------------------------------

T1 - 9:00am-5:00pm
Network Security: The Kerberos Approach
Daniel V. Geer, OpenVision Technologies

Intended Audience:

* Systems administrators who are concerned about, or must mitigate, the
  inherent lack of security and accountability in conventional UNIX network
  services environments now

* Systems developers responsible for applications for networked workstation
  environments, particularly those whose environments include networks
  which are not themselves physically secure (i.e. "open networks")

* Technical managers in enterprises where the flow of electronic
  information is the core of that enterprise and must be protected without
  imposing the costs of a "security culture"

We will focus on the practical challenges of providing security for the
cooperative electronic workplace, workplaces that aspire to location and
scale independence in the client-server idiom. We begin by briefly
describing network security from a general point of view, so that you will
understand the kinds of threats which result from operating conventional
systems in an open environment. We then describe what effective approaches
can exist to meeting these threats, with the emphasis more on the practical
than the theoretic.
We will show you where common fallacies are, such as the idea that your
organization's security is materially dependent on close control of
external access (rather than competent internal security mechanisms). We
will explain the Kerberos network security system primarily, but we will
also touch on public-key techniques, the X.509 authentication model and the
Internet's Privacy Enhanced Mail (PEM). Kerberos is the core of the Open
Software Foundation's Distributed Computing Environment (OSF/DCE), and we
will thoroughly discuss the DCE extensions and enhancements to Kerberos
that made it into the de facto standard for network security. We will
stress throughout the nuts-and-bolts of making this work in your
environment, including administration and integration of this technology
with your existing environments. By the end of the day, you will be able to
go home and start work on a computing environment that is both open and
accountable.

T2 - 9:00am-5:00pm
Joining the Internet Safely Using UNIX and Firewalls
Tina Darmohray, Lawrence Livermore National Laboratory

Intended Audience: System and network administrators; Technical and
operational managers; Those considering an Internet connection for their
site

Pre-requisites: knowledge of TCP/IP, DNS/BIND, and sendmail

Connecting to the Internet is an exciting event for every organization. The
security implications can often bring hesitation, though. This practical
tutorial outlines details and examples of UNIX network security and
Internet connectivity issues. Site policies and topologies that implement
them will be covered, including packet-filtering, application-level, and
circuit-level gateways. Overviews of current, publicly-available solutions
will be provided, focusing on complete examples for configuring an Internet
firewall.
T3a - 9:00am-12:30pm
Ethics and Systems Administration
S. Lee Henry, Johns Hopkins University

System administrators find themselves increasingly involved in ethical
dilemmas that pit security against privacy, and threaten to disrupt the
delicate balance between personal interests and work commitment. What if
someone works 12 hours a day, but plays games during lunch? What if someone
personally profits from software they develop and use on the job or from
knowledge that they gain at the company's expense? And what do you do when
the infractions are clearly illegal? When a colleague is reading someone
else's mail or trying to break into another organization's system? What if
the violator is your boss?

Can you establish and administer security and ethics policies that are
comprehensive but not invasive? Policies that guard against abuse while not
handcuffing the people whose commitment and creativity your organization
most needs for it to succeed? This highly interactive, fast-paced tutorial
will challenge system administrators to come to grips with some difficult
ethical dilemmas.

T3b - 1:30pm-5:00pm
Catching the Wily Hacker
John Smith, Computer Crime Unit, Santa Clara County District Attorney's
Office

An intruder has gained access to your computer system. How do you explain
what was stolen and how to a police detective who thinks you're speaking a
foreign language? How can you, the system administrator, help the
detectives write the report or explain to them that they might have to do
the examination of any recovered evidence such as a copied account? Actual
cases of computer crimes in Silicon Valley are used as examples. Students
will follow what has to be done in an investigation, step by step,
including the initial reports that would be the basis of any search
warrants or restraining orders.
The Santa Clara County District Attorney's Office Hi Tech/Computer Crime
Team has had years of experience investigating and prosecuting trade secret
thefts, network intrusions, chip thefts, and other types of high tech
thefts in Silicon Valley. This experience is interesting and can serve as a
means of educating computer administrators how to protect their computers
and systems, how to prepare an investigation, how to get the appropriate
law enforcement support, and how to prepare to testify in court if
necessary.

Topics covered include:

  How to find law enforcement personnel with sufficient expertise to assist
  you.
  Law enforcement associations you can contact for help.
  When do you need a search warrant to recover lost property/data or to
  recover evidence.
  Initiating civil litigation.
  What law enforcement agents need from system administrators.
  What to expect if the case goes to trial.
  How you can protect proprietary or trade secret documents related to the
  case.
  What to expect if you are called as a witness.

ABOUT THE INSTRUCTORS:

Daniel Appelman is a Partner in the law firm, Heller, Ehrman, White &
McAuliffe. He practices computer, telecommunications and intellectual
property law in its Palo Alto office. Dan frequently writes and speaks
about topics of current interest in the computer and telecommunications
industries. He is particularly interested in the legal issues resulting
from the merging of products and services in those industries, the
commercialization of the Internet and the proposals for the National
Information Infrastructure.

Matt Bishop, Ph.D. was a research scientist at the University of
California at Davis. His research areas include computer and network
security, and he teaches both, along with operating systems and software
engineering. He chaired the first two UNIX Security Workshops, and his
column on computer security appears regularly in the Best Practices
newsletter.
Tina Darmohray is a computer scientist at Lawrence Livermore National
Laboratory. Tina built her first firewall five years ago. Since that time
she has lectured extensively on the topic of firewalls and their
configuration, giving tutorials at conferences in the US and Europe.
Recently she has begun consulting and has installed numerous firewalls at
sites connecting to the Internet.

Daniel E. Geer, Jr., Sc.D., is Chief Scientist and VP of Open Vision
Technologies. Dr. Geer has worked in network security and distributed
systems management, and he was Manager of Systems Development for MIT's
Project Athena. At MIT, he was responsible for all technical development,
including X, Kerberos, Hesiod, Zephyr, Moira, and all other aspects of the
Project Athena Network Services System. He is a frequent speaker, popular
teacher and member of several professional societies.

S. Lee Henry is a columnist for SunExpert magazine. She manages Computer
Systems and Networking for the Physics and Astronomy Department at Johns
Hopkins University and is on the Board of Directors of the Sun Users Group.
Prior to working at JHU, she spent almost ten years as a UNIX systems
administrator in the CIA.

KEYNOTE SPEAKERS:
-----------------

The Sun User Group is pleased to present two topical and informative
keynote speakers, one on each day of the symposium's technical sessions.

STEVE JACKSON, founder, Steve Jackson Games
"Privacy, Responsibility, and Computers"
Tuesday, November 15, 9 a.m. - 10:30 a.m.

DENISE VOIGHT CRAWFORD, commissioner, Texas Securities Commission
"Cyberfraud, or How to lose your money in the blink of an eye"
Wednesday, November 16, 9 a.m. - 10:00 p.m.

TECHNICAL SESSIONS (Tuesday, November 15 & Wednesday, November 16):
-------------------------------------------------------------------

"UNIX & The Law" features three distinct parallel tracks of talks:
Technical; Legal; and Law Enforcement.

The TECHNICAL track will focus on nuts and bolts of maintaining a UNIX or
Sun system.
These talks will cover all of the newest developments in the changing
world of technology. There are talks from the experts on: UNIX and network
security; encryption; software distribution in a client/server environment;
firewalls.

The LEGAL track will cover up-to-date issues of privacy and morality, as
well as in-depth examinations of the current and changing laws pertaining
to software and hardware. Legal professionals from all over the country
will examine how changing technologies will necessitate changes in the law.

The LAW ENFORCEMENT track discusses computers as tools. Tools which can
help in the prevention of crimes -- or in the commission of them. Join our
experts in high-tech crime as they discuss the discovery, investigation,
apprehension, and prosecution of crackers, software pirates, and bandits on
the information superhighway.

SPECIAL FEATURE:

Panel: "The Future of Computer Crime"
Join noted futurist Bruce Sterling (author of "The Hacker Crackdown: Law
and Disorder on the Electronic Frontier") as he and a panel of experts from
both sides of the law discuss and predict the uses and abuses of computers
into the next century.

Scheduled Papers:
-----------------

Issues in the Development of Practical Tests in Computer Programming
    Dr Keith Carter, Griffith University

Software Licensing Flexibility Complements the Digital Age
    Fred M. Greguras, Fenwick & West

Cryptography, the Legal and Policy Morass
    Chad Huston, Schlumberger Austin Research

So you Want To Be a Multimedia Star?
    Chad Huston, Schlumberger Austin Research

CERT Internet Security Update
    Moira J. West, Technical Coordinator, Computer Emergency Response Team

Someone's been reading my E-mail! Privacy protection for electronic mail
users in the US and the EC.
    Charisse Castagnoli, University of Texas Law School

The future of High-technology crime - a parallel delphi study
    Inspector Larry Coutorie, Office of the Director of Police, The
    University of Texas System

Post-Mortem Analysis of an Incident
    Randy Marchany, VA Tech Computing Center

Computer law in the international context: a view from Russia.
    Ilya Nikiforov, Case Western Reserve University

License Management
    Matt Christiano and Richard Mirabella, Globetrotter Software

How to Protect Your Software With the Copyright, Patent and Trade Secret
and Trademark Laws
    Susan Nycum, Baker & McKenzie

E-Mail Privacy and the UNIX Sysadmin
    Edward Cavazos, Andrews & Kurth L.L.P.

The US Department of Justice and our National Software Interests: Getting
to the Source
    Michael Tiemann & Wendell Baker, Cygnus Support

Securing a Single Signon Environment
    Dr. Daniel Webb, CyberSAFE Corp

BIRDS-OF-A-FEATHER SESSIONS
---------------------------

Birds-of-a-Feather Sessions (BOFs) allow attendees to meet and discuss
topics of interest to them. BOF Sessions are intended to be highly
interactive and much less formal than the Technical Sessions.
Birds-of-a-Feather Sessions will be held Wednesday evening at the Driskill
Hotel.

We would particularly like to encourage Birds-of-a-Feather Sessions on
topics which would not normally be discussed during typical technical
presentations (for instance, discussions on professional and technical
issues, non-professional interests common to Systems Administrators, etc.)

To schedule a BOF Session, or to request more information, direct your
e-mail to office@sug.org. BOFs may also be scheduled on-site in the
Conference Information Room.

RECEPTION
---------

You are invited to join in the fun, mingle with old and new friends, and
enjoy the plentiful hors d'oeuvres and beverages. The Sun User Group
Reception is Tuesday, November 15, from 6:00-8:00pm at the Driskill Hotel.
The Reception is included in the technical sessions registration fee.
Additional Reception tickets may be purchased for a nominal fee at the
conference.

CONFERENCE PUBLICATIONS
-----------------------

One copy of the Conference Proceedings, which contains all refereed papers,
and one copy of the Invited Talks Submitted Notes may be picked up at the
conference by all technical sessions registrants. Additional copies may be
purchased at the conference. After the conference, the Proceedings are
available for purchase; contact the Sun User Group Office, Telephone (617)
232-0514 or via e-mail to office@sug.org.

Also, the full text of the proceedings will be contained on the Sun User
Group's Security CD-ROM. Additionally, the Security CD-ROM will contain
security- and privacy-oriented technical papers, and source code and
binaries for a variety of useful UNIX security tools. Wherever possible,
the binaries will be compiled for both Solaris and SunOS. The Sun User
Group Security CD-ROM is free with any early-bird registration. Once the
early-bird deadline has passed, the CD will be available for purchase at
the symposium. After the symposium, the CD can be purchased by contacting
the SUG offices at the information above.

TERMINAL ROOM
-------------

A terminal room will be available to attendees of the UNIX & The Law
symposium. An internet connection is provided by Zilker Internet Park.
Services available at the Terminal Room will include Internet Access,
Dial-Out Access, and a messaging service.

An electronic message service will be available Monday, November 14 through
noon Thursday November 17, 1994. Electronic messages to conference
attendees should be addressed: first_lastname@sug.org.

Telephone messages may be left by telephoning the Driskill Hotel at (512)
474-5911 and asking for the Sun User Group Message Center. The Message
Center will be open Sunday, November 13, 4:00-9:00 pm, and continue to be
open during conference hours.
THE SUN USER GROUP
------------------

The Sun User Group (SUG) brings people together to share information and
ideas about using Sun/SPARC equipment. You can discover new ways to save
time and money in the pages of _Readme_. You can get quick answers to
important questions on our electronic mailing list. At our seminars you can
learn more about the capabilities of your workstation. At our conferences,
you can meet other people who are doing progressive and innovative work
with their Sun/SPARC equipment.

Now is a better time than ever to join the Sun User Group. We're
reorganized, reinvented and growing every day. We've recently introduced
exciting new services specifically for our official LUGs. Our members-only
electronic mailing list has become one of the most popular routes on the
information highway. Our annual conferences feature respected teachers -
from Sun Microsystems as well as many other areas of the industry.

HOTEL INFORMATION
-----------------

Driskill Hotel, (UNIX & The Law Symposium Headquarters)
604 Brazos Street (at Sixth Street)
Austin, TX 78701
Telephone (512) 474-5911 or (800) 527-2008
Fax: (512) 474-2214

Nestled in the heart of downtown Austin in the city's treasured Sixth
Street Historic District stands the famous Driskill Hotel, a 19th century
frontier palace and grand dame of vintage hostelries. More than just bricks
and mortar of pure architectural delight, she is alive with the sights and
sounds of yesterday. Although The Driskill is renowned for its historic
charm, conference attendees will appreciate a host of state-of-the-art
amenities like newly renovated guest rooms with modem-equipped phones, a
business center with FAX and secretarial service, and video check out.

Contact the Hotel directly to make your reservation. Be sure to mention
that you are attending the Sun User Group Conference to take advantage of
our special rate of $89 per night. A first night's deposit is required to
reserve your room.
NOTE: For special room rates, hotel reservations must be made no later than
October 21, 1994. If you wish to cancel your hotel reservation and receive
a refund, you must give notice at least 48 hours in advance of your planned
arrival date.

REGISTRATION INFORMATION AND FEES
---------------------------------

+-------------------------------------------------------------------+
|                  Sun User Group members save $50.00!              |
+-------------------------------------------------------------------+

For more information please call (617) 232-0514.

Mail, Email, or FAX registration to:

    SUG Symposium
    1330 Beacon Street, Suite 315
    Brookline, MA 02146 USA
    Email: registration@sug.org
    Fax: (617) 232-1347

You may also register over the telephone with a Master Card or Visa.

Please print or type the information required. To join or renew your
membership to Sun User Group when registering for the conference technical
sessions, pay the full registration fee and check the appropriate box
below. A portion of your registration fee will be designated as dues in
full for a one year individual Sun User Group membership.

Sun User Group Membership Status

* * PLEASE CHECK ONLY ONE * *

[ ] I am a current Sun User Group member.
    SUG ID#__________________ Exp. Date__________
    Both SUG ID# and exp. date MUST be filled in to be eligible for the
    "Current SUG member" discount below. If you do not know your SUG ID# or
    expiration date, please call (617)232-0514 or contact SUG at
    office@sug.org.

[ ] I am not a current Sun User Group member and would like SUG to apply a
    portion of my registration fee to a one-year SUG membership.

[ ] I am not a current Sun User Group member but do not wish to join at
    this time.
+---------------------------------------+---------------+
|[ ] Sessions, one-day only             |     $200      |
|    Please indicate day:               |               |
|    [ ] Tuesday, November 15, 1994     |               |
|    [ ] Wednesday, November 16, 1994   |               |
+---------------------------------------+---------------+
|[ ] Sessions, both days                |     $350      |
+---------------------------------------+---------------+
|[ ] One Tutorial only                  |     $350      |
|    Please indicate choice below       |               |
+---------------------------------------+---------------+
|[ ] One Tutorial and Sessions          |     $650      |
|    Please indicate choice below       |               |
+---------------------------------------+---------------+
|[ ] Full Conference                    |     $900      |
|    Full Conference includes two       |               |
|    days of tutorials, plus two days   |               |
|    of sessions. A savings of $200!    |               |
|    Please indicate choices below      |               |
+---------------------------------------+---------------+

DISCOUNTS:

+---------------------------------------+---------------+
|[ ] Current SUG Member Discount        |               |
|    You *must* provide your SUG ID     |               |
|    number to get this discount.       |     -$ 50     |
+---------------------------------------+---------------+
|[ ] Early-bird! Register before        |     -$ 50     |
|    October 3, 1994 and save fifty     |               |
|    dollars PLUS get the new SUG       |               |
|    Security CD FREE!!                 |               |
+---------------------------------------+---------------+

+---------------------------------------+---------------+
|Total Payment Enclosed                 |               |
+---------------------------------------+---------------+

** NOTE: November 1, 1994 is the last day for advance registration. A $100
on-site fee will be applied to all registrations received after November
1, 1994. **

TUTORIAL SELECTION:
-------------------

You can select either one full-day tutorial or two half day tutorials
(Half-day tutorial registration fees are not available).
Please indicate tutorial(s) below:

Monday, November 14, 1994
[ ] M1 - Advanced UNIX Security
[ ] M2 - The Internet and The Law

Thursday, November 17, 1994
[ ] T1 - Network Security: The Kerberos Approach
[ ] T2 - Joining the Internet Safely Using UNIX and Firewalls
[ ] T3a - Ethics and Systems Administration and
    T3b - Catching the Wily Hacker

- All payments must be in US dollars;
- Checks must be drawn on a US bank.
- Purchase Orders must be paid in full before your registration will be
  released.
- The Sun User Group does not accept American Express

[ ] Check   [ ] Purchase Order   [ ] MasterCard   [ ] Visa

Credit Card Number:___________________________________________________
Expiration Date:______________________________________________________
Signature of cardholder:______________________________________________

Name:_________________________________________________________________
Title:________________________________________________________________
Company Name:_________________________________________________________
Department:___________________________________________________________
Mail Stop/Suite:______________________________________________________
Street Address:_______________________________________________________
City:_________________________________________________________________
State:________________________________________________________________
Zip/Postal Code:______________________________________________________
Country:______________________________________________________________
Email Address:________________________________________________________
Phone:________________________________________________________________

REFUND CANCELLATION POLICY

If you must cancel, all refund requests must be in writing and postmarked
no later than October 1, 1994. Direct your letter to the Sun User Group
office. You may telephone to substitute another in your place.
FOR FURTHER CONFERENCE INFORMATION, PLEASE CONTACT:

    Sun User Group
    1330 Beacon Street
    Suite 315
    Brookline, MA 02146
    Telephone: (617) 232-0514
    Fax: (617) 232-1347
    Electronic Mail Address: conference@sug.org

You may FAX your registration form if paying by credit card or purchase
order to (617) 232-1347. If you FAX registration, to avoid duplicate
billing, do not mail additional copy. You may telephone our office to
confirm receipt of your fax.

*********************************************************************
PAYMENT MUST ACCOMPANY REGISTRATION FORM.
REGISTRATION VIA EMAIL IS ACCEPTABLE WITH A CREDIT CARD
*********************************************************************

From firewalls-owner Fri Sep 16 07:33:06 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA22254; Fri, 16 Sep 1994 14:09:03 GMT
Received: from relay.tis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA22248; Fri, 16 Sep 1994 07:08:54 -0700
Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma005717; Fri Sep 16 10:14:14 1994
Received: from hilo.tis.com by tis.com (4.1/SUN-5.64) id AA20760; Fri, 16 Sep 94 10:12:15 EDT
Message-Id: <9409161412.AA20760@tis.com>
To: "Andrew T. Rodnite"
Cc: firewalls@greatcircle.com, bugtraq@crimelab.com
Subject: Re: Document listing MOSAIC vulnerabilities
In-Reply-To: Your message of "Wed, 14 Sep 1994 13:34:21 PDT." <199409142034.NAA01268@holonet.net>
Date: Fri, 16 Sep 1994 10:14:14 -0400
From: "David I. Dalva"
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Does anybody have either an article, document or list of known MOSAIC
vulnerabilities?

See my article, written for the June 1994 issue of the Data Security
Letter. It's available in

    http://www.tis.com/Home/NetworkSecurity/WWW/Article.html
    ftp://ftp.tis.com/pub/www/article

Dave Dalva
Trusted Information Systems, Inc.
+1.301.854-6889
Glenwood, MD 21738
+1.301.854-5363 FAX

From firewalls-owner Fri Sep 16 08:25:23 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA22088; Fri, 16 Sep 1994 13:50:02 GMT
Received: from gatekeeper.Bridge.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id GAA22079; Fri, 16 Sep 1994 06:49:53 -0700
Received: from localhost (mail@localhost) by gatekeeper.Bridge.COM (8.6.5/8.6.5) id IAA01599 for ; Fri, 16 Sep 1994 08:55:22 -0500
Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma001597; Fri Sep 16 08:55:00 1994
Received: from bert.bridge.com (ernie.bridge.com) by racerx.bridge.com with SMTP id AA23493 (5.67b/IDA-1.5 for ); Fri, 16 Sep 1994 08:59:09 -0500
Date: Fri, 16 Sep 1994 08:59:09 -0500
From: Ken Hardy
Message-Id: <199409161359.AA23493@racerx.bridge.com>
Subject: Re: Document listing MOSAIC vulnerabilities
Content-Type: text/plain
Mime-Version: 1.0
X-Courtesy-Of: NCSA Mosaic 2.4 on Sun
X-Url: http://www.ncsa.uiuc.edu/SDG/Software/Mosaic/Docs/security.html
Apparently-To:
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Mosaic Security Issues and Responses

1. Mosaic 2.2, and all previous versions of the NCSA Mosaic for the X Window System, have a serious security hole that allows telnet URLs to execute an arbitrary UNIX command. The immediate action was to inform people how to disable telnet URLs. As of Mosaic 2.3 this bug has been fixed; for more information read about the details of the telnet URL problem.

2. There was once a concern with Mosaic using ghostview as a postscript viewer, because postscript can be insecure. The new version of ghostscript (Version 2.6.1) used by ghostview runs in secure mode by default, so this is no longer an issue.

3. There is a way (involving reconfiguration of both client and server) to have Mosaic execute any arbitrary shell script that is passed over the network.
This is a documented feature that cannot be activated accidentally; you should read about Executing Shell Scripts in Mosaic before activating this feature.

THAT IS ALL! If there are any other security problems that any of you know of, please mail mosaic@ncsa.uiuc.edu. If you post security concerns to the net, please be kind enough to be specific. Vague alarmist postings just make more busy work for us.

Mosaic Project, National Center for Supercomputing Applications

From firewalls-owner Fri Sep 16 09:32:18 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id PAA22961; Fri, 16 Sep 1994 15:41:06 GMT
Received: from tc.pw.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id IAA22955; Fri, 16 Sep 1994 08:40:59 -0700
From: Umesh_Reghuram@notes.pw.com
Received: from orchid.tc.pw.com by tc.pw.com (4.1/SMI-4.1) id AA25790; Fri, 16 Sep 94 08:49:49 PDT
Received: by orchid.tc.pw.com (4.1/SMI-4.1) id AA29487; Fri, 16 Sep 94 08:50:25 PDT
Message-Id: <9409161550.AA29487@orchid.tc.pw.com>
Date: Fri, 16 Sep 94 08:42:41 PDT
To: firewalls@greatcircle.com
Subject: COPS shareware utility - any feedback?
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Can anybody provide feedback on a shareware utility called COPS? It apparently is designed to control network access...

From firewalls-owner Fri Sep 16 10:28:00 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA23219; Fri, 16 Sep 1994 16:17:46 GMT
Received: from nsco.network.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id JAA23213; Fri, 16 Sep 1994 09:17:35 -0700
From: ted.doty@nsco.network.com
Received: from doty.network.com by nsco.network.com (4.1/1.34) id AA06136; Fri, 16 Sep 94 11:23:46 CDT
Date: Fri, 16 Sep 94 12:15:46 PDT
Subject: RE: Logging Routers
To: firewalls@greatcircle.com
X-Mailer: Chameleon - TCP/IP for Windows by NetManage, Inc.
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> >Craig Bishop wrote (about Firewall-1):
> >] The thing I really like is the control over the filtering
> >] because the majority of it is being done on the bastion host not
> >] on a router (which gives you ZERO logging capability). With
> >] the filtering happening at the bastion host there are many more
> >] options for logging.
> >
> >However, there are routers out there that do logging as part of their
> >filtering (Wellfleet I know does this; I don't know of any others).

Network Systems' routers have supported logging since (at least) 1989. Works great, lasts a long time.

- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation | phone: +1 301 596-2270
8965 Guilford Road, Suite 250         | fax: +1 410 381-3320
Columbia, MD, 21046 USA               | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.
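The NCSA note quoted in Ken Hardy's post earlier in this thread describes the Mosaic 2.2 telnet-URL hole (a telnet URL could run an arbitrary UNIX command) and the interim advice to disable telnet URLs. The block below is an added example written for this page; it is not NCSA's code and not code from any list poster. It shows the defensive shape a browser's URL handler wants for the bug class involved, a URL fragment reaching a shell command line: telnet URLs are off unless the operator opts in, the hostname is checked against a strict grammar, the port must be numeric and in range, and the helper is described as an argument vector for execv-style launching so no URL text is ever parsed by /bin/sh. The function names, the regular expression and the sample URLs are my own assumptions.

```python
"""Scheme allowlist and argv construction for a browser's telnet: handler.

Added example for this page, not NCSA Mosaic code. The bug class defended
against is URL text reaching a shell command line; the cure is to validate
every piece and start the helper with an argument vector, never a string.
"""
import re
import subprocess
from urllib.parse import urlsplit

# Hostname grammar: DNS labels of letters, digits and hyphens joined by dots.
# Anything else (quotes, ';', '$', backticks, spaces, ...) is refused.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                     r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def telnet_argv(url, telnet_enabled=False):
    """Return ['telnet', host] or ['telnet', host, port] for a telnet: URL.

    Returns None when the URL must be refused. telnet_enabled defaults to
    False, mirroring the interim advice in the thread to disable telnet URLs;
    the operator has to opt in. A user@ prefix in the URL is dropped rather
    than forwarded (a fuller handler would validate it the same way).
    """
    if not telnet_enabled:
        return None
    parts = urlsplit(url)
    if parts.scheme.lower() != "telnet":
        return None
    host = parts.hostname or ""
    if not HOST_RE.match(host):
        return None
    try:
        port = parts.port            # ValueError on a non-numeric port
    except ValueError:
        return None
    if port is not None and not 1 <= port <= 65535:
        return None
    argv = ["telnet", host]
    if port is not None:
        argv.append(str(port))
    return argv


def launch(argv):
    """Start the helper without a shell; argv elements are never re-parsed."""
    return subprocess.Popen(argv)   # no shell=True, no string concatenation


if __name__ == "__main__":
    # Constructed sample URLs; the last two are refused by the checks above.
    for sample in ("telnet://host.example", "telnet://host.example:2023",
                   "telnet://host.example;x", "telnet://host.example:abc"):
        print(sample, "->", telnet_argv(sample, telnet_enabled=True))
```

With the default `telnet_enabled=False` every telnet URL is refused, which is the state the NCSA note recommended until the fixed release was installed; enabling it only exposes the validated argv path.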
From firewalls-owner Fri Sep 16 10:31:29 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA23186; Fri, 16 Sep 1994 16:12:07 GMT
Received: from ftp.std.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id JAA23180; Fri, 16 Sep 1994 09:12:00 -0700
Received: from world.std.com by ftp.std.com (8.6.8.1/Spike-8-1.0) id MAA02354; Fri, 16 Sep 1994 12:17:33 -0400
Received: by world.std.com (5.65c/Spike-2.0) id AA09400; Fri, 16 Sep 1994 12:17:29 -0400
Message-Id: <199409161617.AA09400@world.std.com>
To: firewalls@greatcircle.com
Cc: twj@world.std.com
Subject: Summary: Building TIS on Solaris 2.3
Date: Fri, 16 Sep 1994 12:17:29 -0400
From: Todd W Joseph
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I received several replies asking me to summarize responses to my original mail. My original mail is enclosed.

Many people suggested I switch to SunOS 4.1.3. I wish I could. I am saddled with Solaris 2.3 for various reasons at my site.

Most people were curious about how well the TIS toolkit I built worked. It is still a bit early to tell, but tn-gw, ftp-gw, netacl, and smap/smapd all seem to work well after limited testing.

One person said that building with the /usr/ucblib libs is crazed and that things will fail in random ways. I have heard this statement before regarding SVR4 in general (thus my original mail), but I wonder if this is a problem with Solaris 2.3.

Because Sun has strong BSD ties & is trying to sell SVR4 to their BSD installed base, I would expect them to have the best ucblibs of all the SVR4 vendors.

I contacted Sun support to find out what condition the /usr/ucblib's are in. I had to explain what the /usr/ucblib's were and wait a few days to hear back. Sun told me that some things work well and others don't. I asked for more specifics and have not heard back from them (it's been roughly a week).

I'll keep the list up to date as things change.
Todd Joseph
twj@world.std.com

-------- Original Mail to Firewalls:
Hi Folks,

I have built the TIS toolkit on Solaris 2.3 using the Sun C compiler and the /ucb/ucb/cc shell script -- which uses /usr/ucblib instead of /usr/lib. Everything except ftpd built cleanly with little effort.

Has anyone else built the TIS toolkit in this way? If so, are there any gotchas?

I'll summarize if there is significant interest.

Todd
twj@world.std.com

From firewalls-owner Fri Sep 16 11:29:41 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id RAA24092; Fri, 16 Sep 1994 17:48:48 GMT
Received: from pilot.stu.cowan.edu.au by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id KAA24085; Fri, 16 Sep 1994 10:48:33 -0700
Received: by pilot.stu.cowan.edu.au (AIX 3.2/UCB 5.64/4.03) id AA20915; Sat, 17 Sep 1994 01:47:11 GMT
Date: Sat, 17 Sep 1994 01:43:04 +22310826 (CUT)
From: The Soupy One
Subject: Re: COPS shareware utility - any feedback?
To: Umesh_Reghuram@notes.pw.com
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9409161550.AA29487@orchid.tc.pw.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> Can anybody provide feedback on a shareware utility called COPS? It
> apparently is designed to control network access...

From what I've managed to accumulate (which is pathetically little), COPS is a UNIX-based program that monitors users' actions, and searches their directories for files which are deemed to have some hacking properties (whatever that might be), and informs the sysadmin about this. Can someone correct me if I'm wrong (which is the most probable probability).
From firewalls-owner Fri Sep 16 11:55:01 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA23634; Fri, 16 Sep 1994 16:58:22 GMT
Received: from dee.retix.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id JAA23623; Fri, 16 Sep 1994 09:58:13 -0700
Received: from sleepy.retix.com (sleepy.retix.com [163.182.52.17]) by dee.retix.com (8.6.9/8.6.4) with ESMTP id KAA16352; Fri, 16 Sep 1994 10:05:15 -0700
From: joshua geller
Received: (joshua@localhost) by sleepy.retix.com (8.6.7/8.6.4) id KAA02771; Fri, 16 Sep 1994 10:04:28 -0700
Date: Fri, 16 Sep 1994 10:04:28 -0700
Message-Id: <199409161704.KAA02771@sleepy.retix.com>
To: Umesh_Reghuram@notes.pw.com
CC: firewalls@GreatCircle.COM
In-reply-to: <9409161550.AA29487@orchid.tc.pw.com> (Umesh_Reghuram@notes.pw.com)
Subject: Re: COPS shareware utility - any feedback?
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> Can anybody provide feedback on a shareware utility called COPS? It
> apparently is designed to control network access...

it's not shareware, it's free software. it doesn't control network access, it checks for known security holes. it is a good package.

josh

From firewalls-owner Fri Sep 16 12:36:10 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id TAA24887; Fri, 16 Sep 1994 19:09:24 GMT
Received: from decuac.DEC.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA24880; Fri, 16 Sep 1994 12:08:55 -0700
Received: from vbv03.vbv.dec.com by decuac.DEC.COM (5.65/Ultrix-rhm) id AA06761; Fri, 16 Sep 94 15:16:15 -0400
XXX Received: by vbv03.vbv.dec.com (5.65/fma-100391); id AA19944; Fri, 16 Sep 1994 15:23:39 -0400
Message-Id: <9409161923.AA19944@vbv03.vbv.dec.com>
To: ted.doty@nsco.network.com
Cc: firewalls@GreatCircle.COM, byrum@vbv03.vbv.dec.com
Subject: Re: Logging Routers
In-Reply-To: Your message of "Fri, 16 Sep 94 12:15:46 PDT."
Date: Fri, 16 Sep 94 15:23:38 -0400
From: "Frank Byrum"
X-Mts: smtp
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> Network Systems' routers have supported logging since (at least) 1989.
> Works great, lasts a long time.

What exactly do you do to make sure that the logging information gets to a host? Is it possible that information which is useful in determining whether a "hacker" is trying to break in could be lost during some heavy loading or some other event?

Frank

From firewalls-owner Fri Sep 16 12:50:51 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id SAA24344; Fri, 16 Sep 1994 18:25:43 GMT
Received: from nova.unix.portal.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id LAA24338; Fri, 16 Sep 1994 11:25:24 -0700
Received: from Clark-Comm.COM (jacksun.clark-comm.com [198.17.128.1]) by nova.unix.portal.com (8.6.7/8.6.5) with SMTP id LAA25734 for ; Fri, 16 Sep 1994 11:30:54 -0700
Received: from localhost by Clark-Comm.COM (4.1/SMI-4.1) id AA07378; Fri, 16 Sep 94 11:24:42 PDT
Message-Id: <9409161824.AA07378@Clark-Comm.COM>
To: firewalls@greatcircle.com
Subject: SUMMARY: SCSI disks with write protect jumpers
X-Mailer: exmh version 1.5beta 8/10/94
Date: Fri, 16 Sep 1994 11:24:42 PDT
From: Don Jackson
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hello:

Several months ago I sent a message to this list inquiring about SCSI disks that supported a write protect jumper, and I promised to summarize the responses. I then got very busy with a client, and am just now coming up for air. So, belatedly, the summary follows.

Thanks again to all the wonderful people who responded to my query. There seem to be quite a few options. There aren't too many low capacity (less than 300 MB) drives though. Howard Chu gets the award for the most complete and creative response!

Now I'm also wondering if there are any IDE drives that support a write protect jumper...
===================================
From: Casper Dik

Well, the one GB I have is a FUJITSU-M2694ES (has write protect)

I did find the 2622/2623/2624 manual (290-550MB). Those disks have write protect (CNH7, jumper 7-8)

The M2652 (2GB) also has write protect.

===================================
From: jpf@mig.com (Jack Flory)

Some Fujitsu disks (m2624) and dec (rz26m-e) have jumpers. Great for adding a remote switch.

===================================
From: "Dan Thorson"

All of the Seagate Twin-cities designed drives support hardware write protect. That is, the Barracuda (3.5"), Elite (5.25"), and Sabre (8") products.

===================================
From: randy@megatek.com (Randy Davis)

Well, from experience, I know that the Maxtor XT-4380S does (about 300 MB formatted)

===================================
From: Jack Stewart

I know that the Micropolis 4110 will support it as well.

===================================
From: howard@lloyd.com (Howard Chu)

I saw your query on the firewalls list, I've been looking into this already. The easiest solutions have all been removable media drives: Syquest cartridges, magneto-optical, and floppy disk. In each case, the removable media has a write-protect switch on the cartridge, making it relatively easy to change over for updating purposes. Aside from that, they offer pretty widely varying features. Hm, I guess I should add Bernoulli cartridges to the list, never used them myself though.

Media            Capacity/Size     Speed     Drive cost     Media cost
Floptical        21MB, 3-1/2"      slow      $250           $20
Syquest          88MB, 5-1/4"      20ms      $250           $100
Syquest          105MB, 3-1/2"     14.5ms    $220           $65
MO, Fujitsu      128MB, 3-1/2"     30ms      $730           $40
Bernoulli        150MB, 5-1/4"     18ms      $250           $100
MO, HP           650MB, 5-1/4"     27ms      $2000          $100
MO, Maxoptix     1.0GB, 5-1/4"     24ms      $2200-$2400    $190
MO, Maxoptix     1.3GB, 5-1/4"     19ms      $3000-$3500    $190

The prices aren't current, they're from a February listing. They're probably all around 5-10% cheaper by now.
Which drive you choose will depend on how much you want to pay, and how much you want to store. If you're just storing a tripwire database, a 1.44 MB floppy drive would do fine, and speed wouldn't be a big issue. If you want a minimal read-only root partition, you only need from 16-32 MB, which any of these drives could handle, but I would only consider the Syquest or Bernoulli drives for performance reasons. For root and usr, you might be able to squeeze a minimal OS distribution onto a Syquest or Bernoulli, or you might be forced onto the larger magneto-optical media. My personal feeling is that MO drives are too expensive for this purpose, but I haven't gone thru the numbers to find the actual break-even point. (The MO drive prices vary because the cache size varies from 1 to 4MB.)

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Don Jackson
Clark Communications
Internet: don_jackson@clark-comm.com
Phone: (408) 395-3516
Fax: (408) 395-3275
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

From firewalls-owner Fri Sep 16 13:45:23 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id TAA25001; Fri, 16 Sep 1994 19:17:10 GMT
Received: from ftp.std.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA24993; Fri, 16 Sep 1994 12:16:22 -0700
Received: from world.std.com by ftp.std.com (8.6.8.1/Spike-8-1.0) id PAA09753; Fri, 16 Sep 1994 15:21:35 -0400
Received: by world.std.com (5.65c/Spike-2.0) id AA00188; Fri, 16 Sep 1994 15:21:28 -0400
Message-Id: <199409161921.AA00188@world.std.com>
To: firewalls@GreatCircle.COM
Cc: twj@world.std.com
Subject: Summary: Building TIS on Solaris 2.3
Date: Fri, 16 Sep 1994 15:21:27 -0400
From: Todd W Joseph
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I received several replies asking me to summarize responses to my original mail. My original mail is enclosed.

Many people suggested I switch to SunOS 4.1.3.
I wish I could. I am saddled with Solaris 2.3 for various reasons at my site.

Most people were curious about how well the TIS toolkit I built worked. It is still a bit early to tell, but tn-gw, ftp-gw, netacl, and smap/smapd all seem to work well after limited testing.

One person said that building with the /usr/ucblib libs is crazed and that things will fail in random ways. I have heard this statement before regarding SVR4 in general (thus my original mail), but I wonder if this is a problem with Solaris 2.3.

Because Sun has strong BSD ties & is trying to sell SVR4 to their BSD installed base, I would expect them to have the best ucblibs of all the SVR4 vendors.

I contacted Sun support to find out what condition the /usr/ucblib's are in. I had to explain what the /usr/ucblib's were and wait a few days to hear back. Sun told me that some things work well and others don't. I asked for more specifics and have not heard back from them (it's been roughly a week).

I'll keep the list up to date as things change.

Todd Joseph
twj@world.std.com

- -------- Original Mail to Firewalls:
Hi Folks,

I have built the TIS toolkit on Solaris 2.3 using the Sun C compiler and the /ucb/ucb/cc shell script -- which uses /usr/ucblib instead of /usr/lib. Everything except ftpd built cleanly with little effort.

Has anyone else built the TIS toolkit in this way? If so, are there any gotchas?

I'll summarize if there is significant interest.
Todd
twj@world.std.com

From firewalls-owner Fri Sep 16 14:32:15 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id TAA25278; Fri, 16 Sep 1994 19:46:37 GMT
Received: from pjl53ig.i-p.attmail.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA25272; Fri, 16 Sep 1994 12:46:27 -0700
From: TSNL!TSMAIL01!kwan@torstar.attmail.com
Date: Fri, 16 Sep 1994 15:37:00 +0000
Received: from torstar by attmail; Fri Sep 16 19:46 GMT 1994
Subject: Gauntlet
Default-Options: /RECEIPT
To: Firewalls@GreatCircle.COM
Content-Type: Text
Message-ID:
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Has anyone out there heard about or is using the firewall software product called Gauntlet, supplied by Trusted Information Systems, Inc. (In Canada, it is carried by LANhouse Communications Ltd.)? Any information will be helpful. Thanks.

Kenny Wan, EDP Auditor, Torstar Corp., Toronto
tsnl!tsmail01!kwan@torstar.attmail.com
Tel: (416) 869-4035
Fax: (416) 869-4183

From firewalls-owner Fri Sep 16 15:15:18 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id TAA25076; Fri, 16 Sep 1994 19:26:56 GMT
Received: from explorer.clark.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA25070; Fri, 16 Sep 1994 12:26:45 -0700
From: farsight@clark.net
Received: (farsight@localhost) by explorer.clark.net (8.6.9/8.6.5) id PAA09709; Fri, 16 Sep 1994 15:31:58 -0400
Date: Fri, 16 Sep 1994 15:31:57 -0400 (EDT)
Subject: Re: COPS shareware utility - any feedback?
To: The Soupy One
cc: Umesh_Reghuram@notes.pw.com, firewalls@GreatCircle.COM
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

On Sat, 17 Sep 1994, The Soupy One wrote:

> > Can anybody provide feedback on a shareware utility called COPS? It
> > apparently is designed to control network access...
>
> From what I've managed to accumulate (which is pathetically little), COPS
> is a UNIX-based program that monitors users' actions, and searches their
> directories for files which are deemed to have some hacking
> properties (whatever that might be), and informs the sysadmin about this.
> Can someone correct me if I'm wrong (which is the most probable
> probability).

COPS is a collection of scripts and programs that allows a system administrator to check their site for possible vulnerabilities.

-Kurt-

From firewalls-owner Fri Sep 16 15:31:04 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id TAA25140; Fri, 16 Sep 1994 19:31:34 GMT
Received: from tamarin.bath.ac.uk by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA25134; Fri, 16 Sep 1994 12:31:21 -0700
Received: from ss1.bath.ac.uk by tamarin.bath.ac.uk with SMTP (PP) id <22408-0@tamarin.bath.ac.uk>; Fri, 16 Sep 1994 20:26:23 +0100
To: The Soupy One
cc: firewalls@greatcircle.com
Subject: Re: COPS shareware utility - any feedback?
In-reply-to: Your message of "Sat, 17 Sep 1994 01:43:04."
Date: Fri, 16 Sep 1994 20:26:12 +0100
From: Icarus Sparry
Message-ID: <9409162026.ab03716@ss1.bath.ac.uk>
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>From what I've managed to accumulate (which is pathetically little), COPS
>is a UNIX-based program that monitors users' actions, and searches their
>directories for files which are deemed to have some hacking
>properties (whatever that might be), and informs the sysadmin about this.
>Can someone correct me if I'm wrong (which is the most probable
>probability).

OK, you are wrong. More usefully, you are wrong for the following reasons.

Cops examines the system configuration and reports problems.
These problems include such things as
  users with world (or group) writable directories
  System files which are world (or group) writable
  Critical system files which are writable
  Versions of files which are older than known patches to fix problems

Icarus

From firewalls-owner Fri Sep 16 16:18:46 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id TAA25367; Fri, 16 Sep 1994 19:51:55 GMT
Received: from xap.xyplex.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA25360; Fri, 16 Sep 1994 12:51:39 -0700
Received: from tdn.xyplex.com by xap.xyplex.com id ; Fri, 16 Sep 94 15:35:56 -0500
Received: by eng.xyplex.com (4.1/SMI-4.1) id AA07240; Fri, 16 Sep 94 15:57:09 EDT
Date: Fri, 16 Sep 94 15:57:09 EDT
From: tdn@tdn.xyplex.com (Thomas D. Nadeau)
Message-Id: <9409161957.AA07240@eng.xyplex.com>
To: joshua@dee.retix.com
Cc: Umesh_Reghuram@notes.pw.com, firewalls@GreatCircle.COM
In-Reply-To: <199409161704.KAA02771@sleepy.retix.com> (message from joshua geller on Fri, 16 Sep 1994 10:04:28 -0700)
Subject: Re: COPS shareware utility - any feedback?
Content-Type: TEXT/PLAIN; charset=US-ASCII
Reply-To: tdnadeau@xap.xyplex.com
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

"joshua" == joshua geller writes:

>joshua> it doesn't control network access, it checks for known
>joshua> security holes.
>joshua> it is a good package.

There are lots of other such packages at Purdue for doing the same sorts of things:

ftp://coast.cs.purdue.edu/pub/tools/unix/

--tOm
--
/---------------------------------------------------------------------/
\ Thomas D. Nadeau                                                    \
/ Internetworking Software                                            /
\ Xyplex, Inc.                                                        \
/ 295 Foster Street,                                                  /
\ Littleton, MA 01460                                                 \
/ Voice: (508) 952-4837                                               /
\ FAX: (508) 952-4887                                                 \
/ email: tdnadeau@eng.xyplex.com                                      /
\                                                                     \
/---------------------------------------------------------------------/

From firewalls-owner Fri Sep 16 16:32:04 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id UAA25592; Fri, 16 Sep 1994 20:00:55 GMT
Received: from ec.sdcs.k12.ca.us by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA25537; Fri, 16 Sep 1994 13:00:05 -0700
Received: from mac13.sdcs.k12.ca.us by ec.sdcs.k12.ca.us (5.67/1.37) id AA05779; Fri, 16 Sep 94 12:48:07 -0700
Message-Id: <9409161948.AA05779@ec.sdcs.k12.ca.us>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 16 Sep 1994 13:07:26 -0800
To: firewalls@GreatCircle.COM
From: bhonaker@sdcs.k12.ca.us (Bill Honaker)
Subject: Router Comparison
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hi!

Can anyone point me to a comparison of Wellfleet and Cisco routers? Please e-mail me privately.

Thanks,
Bill Honaker
bhonaker@ec.sdcs.k12.ca.us

From firewalls-owner Fri Sep 16 17:06:15 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id UAA25765; Fri, 16 Sep 1994 20:12:23 GMT
Received: from real.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA25755; Fri, 16 Sep 1994 13:12:05 -0700
Date: Fri, 16 Sep 1994 16:16:04 -0400
From: bret@real.com (Bret McDanel)
Received: by real.com (8.6.8.1/3.2.012693-Realistic Technologies Inc); id QAA16333 for firewalls@greatcircle.com; Fri, 16 Sep 1994 16:16:04 -0400
Message-Id: <199409162016.QAA16333@real.com>
To: firewalls@greatcircle.com
Subject: security packages
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

On the thread of COPS, I noticed another security program..
It is ISS (Internet Security Scanner).. it remotely scans for various network vulnerabilities, you can get it at ftp.uu.net:/usenet/comp.sources.misc/volume40/iss

Hope this helps anyone looking for such a product..

From firewalls-owner Fri Sep 16 17:25:19 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id UAA25670; Fri, 16 Sep 1994 20:04:30 GMT
Received: from real.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA25662; Fri, 16 Sep 1994 13:04:13 -0700
Date: Fri, 16 Sep 1994 16:09:34 -0400
From: bret@real.com (Bret McDanel)
Received: by real.com (8.6.8.1/3.2.012693-Realistic Technologies Inc); id QAA16323 for firewalls@greatcircle.com; Fri, 16 Sep 1994 16:09:34 -0400
Message-Id: <199409162009.QAA16323@real.com>
To: firewalls@greatcircle.com
Subject: Re: COPS shareware utility - any feedback?
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> > Can anybody provide feedback on a shareware utility called COPS? It
> > apparently is designed to control network access...

COPS (Computer Oracle and Password System) is available via anon ftp from archive.cis.ohio-state.edu:/pub/cops/1.04+ (maybe newer version dunno)

From firewalls-owner Fri Sep 16 17:29:17 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id UAA25730; Fri, 16 Sep 1994 20:08:29 GMT
Received: from mctssa-gw.usmc.mil by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA25702; Fri, 16 Sep 1994 13:07:01 -0700
Received: from cppmctssa12.usmc.mil. ([143.211.12.250]) by mctssa-gw.usmc.mil (8.6.9/8.6.6) with SMTP id NAA15384 for ; Fri, 16 Sep 1994 13:10:19 -0700
Received: by cppmctssa12.usmc.mil.; Fri, 16 Sep 94 13:11:16 PDT
Date: Fri, 16 Sep 94 13:08:22 PDT
Message-ID:
From: (julie b vandruff)
To: firewalls@greatcircle.com
Subject: re: Re: COPS shareware utility - any feedback?
X-Incognito-SN: 362
X-Incognito-Format: VERSION=1.60g ENCRYPTED=NO
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

COPS takes a snapshot of a system and generates a report. It is available at: coast.cs.purdue.edu. /pub/tools/unix/cops

Julie

From firewalls-owner Fri Sep 16 17:30:02 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id TAA25456; Fri, 16 Sep 1994 19:56:15 GMT
Received: from snyflcc.fingerlakes.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA25443; Fri, 16 Sep 1994 12:56:02 -0700
Received: from localhost (krampwd@localhost) by snyflcc.fingerlakes.edu (8.6.5/8.6.5) id PAA03000; Fri, 16 Sep 1994 15:37:50 -0400
Date: Fri, 16 Sep 1994 15:37:49 -0400 (EDT)
From: "William D. Kramp"
Subject: 2 networks, 1 bastion
To: firewalls group
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I need to configure two firewalled networks, "protected" from the Internet and each other. The only traffic between the two will be mail. Can both networks/routers point to the same bastion host, or should each network have its own bastion host?

I have seen references in the TIS toolkit for two different network addresses using the same bastion host. But I am not sure of the ramifications of doing this. The two nets would be protected from the Internet, but would they be protected from each other?

+===============================================================+
| Bill Kramp - System Admin.
| Finger Lakes Community College                                |
| krampwd@snyflcc.fingerlakes.edu                               |
+===============================================================+

From firewalls-owner Fri Sep 16 17:42:33 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id TAA25469; Fri, 16 Sep 1994 19:57:27 GMT
Received: from ax.ibase.br by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA25462; Fri, 16 Sep 1994 12:56:57 -0700
Received: by ax.ibase.br (8.6.8.1/Revision: 1.13 ) id QAA07191; Fri, 16 Sep 1994 16:59:45 -0300
From: "Nelson Murilo O. Rufino"
To: Umesh_Reghuram@notes.pw.com
Subject: COPS shareware utility - any feedback?
Cc: firewalls@greatcircle.com, nelson@boemia.pix.com.br
X-Mailer: ScoMail 1.0
Date: Fri, 16 Sep 1994 15:32:55 +0100 (BST)
Message-ID: <9409161533.aa05997@boemia.pix.com.br>
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

|> From: Umesh_Reghuram@notes.pw.com
|> Subject: COPS shareware utility - any feedback?
|>
|>
|> Can anybody provide feedback on a shareware utility called COPS? It
|> apparently is designed to control network access...

COPS is a collection of files and C programs that perform checks. Included are checks for permissions of files and directories, bad passwd, etc.

COPS is a good package, but if you want more, you could look for the tcp_wrapper package.

You can find these packages in cert.org, using anonymous ftp.

If you want more info mail to me directly.

Nelson Murilo             |  _---------------------_
nelson@boemia.ibase.br    | | 1 2 3 4 5 6 7 8 9 10 |
Fax  : +55 61 274-5202    | | |-|-|-|-|-|-|-|-|-|-| |
Voice: +55 61 274-6092    | |_|_|_|_|_|_|_|_|_|_|_|_|
Modem: +55 61 274-5559    |  ---------------------

From firewalls-owner Fri Sep 16 18:22:36 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id UAA25599; Fri, 16 Sep 1994 20:01:11 GMT
Received: from pentagon.io.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA25563; Fri, 16 Sep 1994 13:00:28 -0700
Received: from localhost by pentagon.io.com (8.6.5/PERFORMIX-0.9/08-16-92) id PAA19522; Fri, 16 Sep 1994 15:05:57 -0500
From: mccoy@io.com (Jim McCoy)
Message-Id: <199409162005.PAA19522@pentagon.io.com>
Subject: Re: COPS shareware utility - any feedback?
To: amin8588@pilot.stu.cowan.edu.au (The Soupy One)
Date: Fri, 16 Sep 1994 15:05:57 -0500 (CDT)
Cc: firewalls@greatcircle.com
In-Reply-To: from "The Soupy One" at Sep 17, 94 01:43:04 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 865
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> > Can anybody provide feedback on a shareware utility called COPS? It
> > apparently is designed to control network access...
>
> From what I've managed to accumulate (which is pathetically little), COPS
> is a UNIX-based program that monitors users' actions, and searches their
> directories for files which are deemed to have some hacking
> properties (whatever that might be), and informs the sysadmin about this.

COPS is a utility which will check out your system and notify you of any noticeable vulnerabilities (directory permissions set wrong, setuid scripts, etc). It also includes an expert system and a crack-like password checker. It does not actually monitor user actions, but you can tell it to examine user directories for setuid files, etc.
It is mostly for checking the non-user areas of your system for known problems and vulnerabilities.

jim

From firewalls-owner Fri Sep 16 18:29:54 1994
Date: Fri, 16 Sep 1994 13:16:48 -0700
From: Kelly.Goen@Eng.Sun.COM (Kelly Goen [CONTRACTOR])
Message-Id: <9409162016.AA20559@jurassic.Eng.Sun.COM>
To: firewalls@GreatCircle.COM, twj@world.std.com
Subject: Re: Summary: Building TIS on Solaris 2.3
X-Sun-Charset: US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I have currently built TIS under 2.4 FCS Sparc and x86... I am currently testing it here... so far so good except for some funkiness in the /usr/ucblib stuff... let me know what you find out...

kelly

p.s. I am working with TIS alpha...

> From firewalls-owner@GreatCircle.COM Fri Sep 16 12:08 PDT 1994
> To: firewalls@GreatCircle.COM
> Cc: twj@world.std.com
> Subject: Summary: Building TIS on Solaris 2.3
> Date: Fri, 16 Sep 1994 12:17:29 -0400
> From: Todd W Joseph
>
>
> I received several replies asking me to summarize responses to my
> original mail. My original mail is enclosed.
>
> Many people suggested I switch to SunOS 4.1.3. I wish I could. I am
> saddled with Solaris 2.3 for various reasons at my site.
>
> Most people were curious about how well the TIS toolkit I built
> worked. It is still a bit early to tell, but tn-gw, ftp-gw, netacl,
> and smap/smapd all seem to work well after limited testing.
>
> One person said that building with the /usr/ucblib libs is crazed and
> that things will fail in random ways. I have heard this statement
> before regarding SVR4 in general (thus my original mail), but I wonder
> if this is a problem with Solaris 2.3.
>
> Because Sun has strong BSD ties & is trying to sell SVR4 to their BSD
> installed base, I would expect them to have the best ucblibs of all
> the SVR4 vendors.
>
> I contacted Sun support to find out what condition the /usr/ucblib's
> are in. I had to explain what the /usr/ucblib's were and wait a few
> days to hear back. Sun told me that some things work well and others
> don't. I asked for more specifics and have not heard back from them
> (it's been roughly a week).
>
> I'll keep the list up to date as things change.
>
> Todd Joseph
> twj@world.std.com
>
> -------- Original Mail to Firewalls:
> Hi Folks,
>
> I have built the TIS toolkit on Solaris 2.3 using the Sun C compiler
> and the /ucb/ucb/cc shell script -- which uses /usr/ucblib instead of
> /usr/lib. Everything except ftpd built cleanly with little effort.
>
> Has anyone else built the TIS toolkit in this way? If so, are there
> any gotchas?
>
> I'll summarize if there is significant interest.
>
> Todd
> twj@world.std.com
>
>
>
>
>

From firewalls-owner Fri Sep 16 19:28:00 1994
From: Bryan Curnutt
Message-Id: <199409161912.OAA28248@crusher.Stoner.COM>
Subject: Re: COPS shareware utility - any feedback?
To: amin8588@pilot.stu.cowan.edu.au (The Soupy One)
Date: Fri, 16 Sep 1994 14:12:06 -0500 (CDT)
Cc: Umesh_Reghuram@notes.pw.com, firewalls@GreatCircle.COM
In-Reply-To: from "The Soupy One" at Sep 17, 94 01:43:04 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 12654
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

The Soupy One writes:
>
> > Can anybody provide feedback on a shareware utility called COPS? It
> > apparently is designed to control network access...
>
> From what I've managed to accumulate (which is pathetically little),
> is a UNIX-based program that monitors users' actions, and searches their
> directories for files which are deemed to have some hacking properties

COPS is basically just a collection of programs that check for security vulnerabilities.
Here's the README.1 file from COPS 1.04; COPS may be obtained from, among other places,

cert.org:/pub/tools/cops/1.04/cops_104.tar.Z
and
ftp.uu.net:/pub/security/cops_104.tar.Z

----------------------------------------------------------------------

Welcome! You now hold in your hands (terminal?) a collection of security tools that are designed specifically to aid the typical UNIX systems administrator, programmer, operator, or consultant in the oft-neglected area of computer security. If you're the kind of boy/girl/rock who thinks "man pages are for weenies, let's type 'make' and run the damn thing," then you might read one file, "quickstart", for a lightning-fast intro. Otherwise, reading this now might prove enlightening.

The package, which will henceforth be referred to as COPS (Computer Oracle and Password System), can be broken down into three key parts. The first is the actual set of programs that attempt to automate security checks that are often performed manually (or perhaps with self-written short shell scripts or programs) by a systems administrator. The second part is the documentation, which details how to set up, operate, and interpret the results of the programs. It also includes a paper or two on COPS itself. Third, COPS is an evolving beast, so it includes a list of possible extensions that might appear in future releases. In addition, it includes some short papers on various topics in UNIX security and pointers to other works in UNIX security that could not be included at this time, due to space or other restrictions.

This document contains four sections:

1) What is COPS?
2) What is COPS _not_?
3) Installation, Execution, and Continuing Use of COPS
4) Disclaimer and End Notes

1) What is COPS?
-----------------

The heart of COPS is a collection of about a dozen (actually, a few more, but a dozen sounds so good) programs that each attempt to tackle a different problem area of UNIX security.
Here is what the programs currently check, more or less (they might check more, but never less, actually):

o file, directory, and device permissions/modes.
o poor passwords.
o content, format, and security of password and group files.
o the programs and files run in /etc/rc* and cron(tab) files.
o existence of root-SUID files, their writeability, and whether or not they are shell scripts.
o a CRC check against important binaries or key files to report any changes therein.
o writability of users' home directories and startup files (.profile, .cshrc, etc.)
o anonymous ftp setup.
o unrestricted tftp, decode alias in sendmail, SUID uudecode problems, hidden shells inside inetd.conf, rexd running in inetd.conf.
o miscellaneous root checks -- current directory in the search path, a "+" in /etc/host.equiv, unrestricted NFS mounts, ensuring root is in /etc/ftpusers, etc.
o dates of CERT advisories vs. key files. This checks the dates that various bugs and security holes were reported by CERT against the actual date on the file in question. A positive result doesn't always mean that a bug was found, but it is a good indication that you should look at the advisory and file for further clues. A negative result, obviously, does not mean that your software has no holes, merely that it has been modified in SOME way (perhaps merely "touch"'ed) since the advisory was sent out.
o the Kuang expert system. This takes a set of rules and tries to determine if your system can be compromised (for a more complete list of all of the checks, look at the file "release.notes" or "cops.report"; for more on Kuang, look at "kuang.man".)

All of the programs merely warn the user of a potential problem -- COPS DOES NOT ATTEMPT TO CORRECT OR EXPLOIT ANY OF THE POTENTIAL PROBLEMS IT FINDS! COPS either mails or creates a file (user selectable) of any of the problems it finds while running on your system.
Because COPS does not correct potential hazards it finds, it does _not_ have to be run by a privileged account (i.e. root or whomever.) The only security check that should be run by root to get maximum results is the SUID checker: although it can be run as an unprivileged user, it should be run as root so that it can find all the SUID files in a system. (In addition, if key binaries are not world-readable, only executable, the CRC checking program ("crc.chk") needs to be run as a privileged user to read the files in question to get the result.) Also note that COPS cannot be used to probe a host remotely; all the tests and checks made require a shell that is on the host being tested.

The programs that make up COPS were originally written primarily in Bourne shell (using awk, sed, grep, etc.) for (hopefully) maximum portability, with a few written in C for speed (most notably parts of the Kuang expert system and the implementation of fast user home directory searching), but the entire system should run on most BSD and System V machines with a minimum of tweaking. In addition, a perl version is included that, while perhaps not as portable as the shell/C version, has some advantages.

COPS includes various support programs as well. The primary one is CARP (COPS Analysis and Report Program). CARP is a results interpreter that is designed to analyze and generate a summary on various COPS reports from a complete network or set of hosts.

2) What is COPS _not_?
-----------------------

COPS mostly provides a method of checking for common procedural errors. It is not meant to be used as a replacement for common sense or user/operator/administrative alertness! Think of it as an aid, a first line of defense, not as an impenetrable shield against security woes. An experienced wrong-doer could easily circumvent *any* protection that COPS can give. However, COPS *can* aid a system in protecting its users from (their own?) ignorance, carelessness, and the occasional malcontent user.
Once again, COPS does not correct any errors found. There are several reasons for this: first and foremost, computer security is a slippery beast. What is a major breach in security at one site may be a standard policy of openness at another site. Additionally, in order to correct all problems it finds, it would have to be run as a privileged user; I'm not going to go into the myriad problems of running SUID shell scripts (see the bibliography at the end of the technical report "cops.report" for a pointer to a good paper on this subject by Matt Bishop; look at the included paper "SU" for pointers on how to write a SUID program) -- suffice to say it's a bad idea that can give an attacker privileges equal to whatever account the shell is SUID to.

3) Installation, Execution, and Continuing Use of COPS
-------------------------------------------------------

There are two versions of COPS that can be run. The original ("COPS classic"?) needs nothing more than a C compiler and the standard shell tools that any (or most any) UNIX system should have: awk, sed, grep, etc. For information on how to configure and run this version, look at the file "README.2.sh". The most important thing to do is to run the shell program "reconfig" if you have a System V or a non-standard Berkeley UNIX system -- the paths to the programs that COPS uses are hard-coded, and this will reconfigure the paths so that COPS can find these programs.

If you have installed perl on your system (I think it works with perl versions > 3.18) and would like to try the perl version, look at the file "README.2.pl" for details on how to use that. There are several advantages and disadvantages to using the perl version, so if you have perl, I would advise trying both packages to see which one better suits your environment.

If you need help to interpret the results of COPS, look in the file "warnings", in the "doc" directory. All of the individual programs in the COPS package have a man page there as well.
For continuing use, multiple architecture sites, or other advanced COPS topics, check out "README.3". There are additional "readme" files for the following topics: Apollo and Xenix machines, C2 and other shadow password files, NIS/Yellow Pages, and the COPS filter. Look at the corresponding readme (note lower case) file for these in the "docs" directory -- e.g. "docs/readme.apollo."

4) Disclaimer and End Notes
----------------------------

COPS is meant to be a tool to aid in the tightening of security, not as a weapon to be used by an enemy to find security flaws in a system. It may be argued that allowing anyone to have access to such a tool may be dangerous, but hopefully the overall benefit for systems that use this package will outweigh any negative impact. To me it is akin to a law enforcement problem -- although telling the public how to break into a house may foster a slight rise in break-in attempts, the overall rise in public awareness of what to defend themselves against would actually result in a drop in break-ins. The crackers with black hats already know how to crush system defenses and have similar tools, I'm sure. It's time we fought back.

COPS is not the final answer to anyone's security woes. You can use the system as long as you realize that COPS has no warranty, implied or otherwise, and that any problems that you may have with it are not my or any of the other authors' fault. I will certainly attempt to help you solve them, if I am able. If you have ideas for additional programs or a better implementation of any of the programs here, I would be very interested in seeing them.

COPS was the work of a LOT of people, both in writing code and in the testing phase (thanks, beta testers!). For a complete list of contributors, look at the file "XTRA_CREDIT".

So, good luck, and I hope you find COPS useful as we plunge into UNIX of the 1990's.

dan farmer
January 31, 1989
(Now January 31, 1990)
(Now November 17, 1991... how time goes on...)
# include "./disclaimer"

p.s. Just for snix, here are some of the machine/OS's I know this sucker works on; far and away the most common problem was getting that stupid password cracking program to compile, followed by systems without the -ms package to nroff. Some minor problems with config files -- I *think* these are all ok:

DECstation 2100, 3100, 5000, Ultrix 2.x, 3.x, 4.x (Ultrix is braindead.)
Sun 3's, 4's (incl. Solbourne and clones) -- 3.x, 4.x
Gould 9080 Powernode, hacked up Gould OS (whatever it is)
sequent S-87 symmetry, dynix V3.x (both att & bsd universes; att required "BRAINDEADFLAGS = -lcrypt" to be uncommented.)
ETA-10P, Sys V R3 based
Convex boxes, all types, OS's (up to 9.x, the most recent)
Apollo dn3000 & dsp90, Domain SR 9.7, 10.x (see "readme.apollo")
Vax 11/780, 4.x BSD (Mt. Xinu, tahoe and stock)
Vaxstation, MicroVax, Vax 6320 & 8800, Ultrix 2.x, 3.x, 4.x
HP900/370, HP-UX 6.x, 7.x
Cray 2 & Y-MP, UNICOS 5.x, 6.x
Amdahl 5880, UTS 580-1.2.3
SGI 2500's, IRIX GL 3.6
SGI 4D's, IRIX System V Release 3.x
'286 & '386 Boxes, running Xenix (see "readme.xenix")
AT&T 3B2 & 3B1, SysVR[3-4]
CADMUS box (R3000 & 68020 cpu), SysVR3.2
Pyramid, running 4.4c and 5.1a
Apple Mac IIci, running AUX 2.x. The "test -z" seemed broken on this, but I only had a brief chance to test it out, but kuang didn't like it as a result. I'll get a working version soon; everything seemed ok (change the /etc/servers line in "misc.chk").
NeXT, 1.x (password stuff is different on this machine, though; cracking is strange. Diffs anyone? Also, /bin/test vs. shell builtin "test" is *weird*.)
Multimax 320, 12 Processors, 64Mb Memory, Encore Mach Version B1.0c (Beta) (no crypt(3) on this machine. Sigh.)
IBM rs6000, AIX 3.1 (DEADBEEF about sums it up.)

I've lost track of the others. If you have some bizarre piece of hardware that you've run it on, I'd like to hear about it...

----------------------------------------------------------------------

--
Bryan Curnutt
Stoner Associates, Inc.
bryan.curnutt@stoner.com
(713)626-9568 voice
(713)622-7832 fax

From firewalls-owner Fri Sep 16 19:48:30 1994
Message-Id: <199409162106.PAA24447@nag.cs.Colorado.EDU>
To: The Soupy One
cc: Umesh_Reghuram@notes.pw.com, firewalls@greatcircle.com, nielsenc@nag.cs.Colorado.EDU
Subject: Re: COPS shareware utility - any feedback?
In-reply-to: Your message of "Sat, 17 Sep 1994 01:43:04."
Date: Fri, 16 Sep 1994 15:06:36 -0600
From: Christopher Nielsen
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>> Can anybody provide feedback on a shareware utility called COPS? It
>> apparently is designed to control network access...

>From what I've managed to accumulate (which is pathetically little), COPS
>is a UNIX-based program that monitors users' actions, and searches their
>directories for files which are deemed to have some hacking
>properties (whatever that might be), and inform the sysadmin about this.
>Can someone correct me if I'm wrong (which is the most probable
>probability).

COPS does not monitor users' actions, nor does it search users' directories for files that may be used for hacking. The following is from the README as to what COPS *IS*:

The heart of COPS is a collection of about a dozen (actually, a few more, but a dozen sounds so good) programs that each attempt to tackle a different problem area of UNIX security. Here is what the programs currently check, more or less (they might check more, but never less, actually):

o file, directory, and device permissions/modes.
o poor passwords.
o content, format, and security of password and group files.
o the programs and files run in /etc/rc* and cron(tab) files.
o existence of root-SUID files, their writeability, and whether or not they are shell scripts.
o a CRC check against important binaries or key files to report any changes therein.
o writability of users' home directories and startup files (.profile, .cshrc, etc.)
o anonymous ftp setup.
o unrestricted tftp, decode alias in sendmail, SUID uudecode problems, hidden shells inside inetd.conf, rexd running in inetd.conf.
o miscellaneous root checks -- current directory in the search path, a "+" in /etc/host.equiv, unrestricted NFS mounts, ensuring root is in /etc/ftpusers, etc.
o dates of CERT advisories vs. key files. This checks the dates that various bugs and security holes were reported by CERT against the actual date on the file in question. A positive result doesn't always mean that a bug was found, but it is a good indication that you should look at the advisory and file for further clues. A negative result, obviously, does not mean that your software has no holes, merely that it has been modified in SOME way (perhaps merely "touch"'ed) since the advisory was sent out.
o the Kuang expert system. This takes a set of rules and tries to determine if your system can be compromised (for a more complete list of all of the checks, look at the file "release.notes" or "cops.report"; for more on Kuang, look at "kuang.man".)

Sorry for the length, but this should answer your questions and clear up the misconceptions.
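A miniature COPS-style audit in Bourne shell, added here as an illustration; it is not COPS's own code and not from any post in this thread. It implements four items from the README list quoted above (the "+" in hosts.equiv, the current directory in the search path, world-writable home directories and startup files, and SUID shell scripts), warns without correcting anything, and assumes a conventional etc/ and home/ layout under the directory prefix it is given; the sample tree it builds is constructed, not real.

```shell
#!/bin/sh
# Added example, not code from COPS or from any post above: a miniature
# COPS-style audit. Like COPS it only warns and never fixes, and it needs
# no privilege beyond read access to the tree it inspects.
# Every check takes a root prefix ("/" for the live system) so it can be
# pointed at a constructed test tree; the layout of that tree
# (etc/hosts.equiv, home/<user>, SUID files anywhere) is an assumption.

# hosts.equiv: a line holding a bare "+" trusts every host on the net.
check_hosts_equiv() {
    f="$1/etc/hosts.equiv"
    [ -f "$f" ] || return 0
    if grep -q '^[[:space:]]*+[[:space:]]*$' "$f"; then
        echo "Warning! $f contains a wildcard '+' entry"
    fi
}

# A PATH string that searches the current directory: "." as a component,
# or an empty component (leading, trailing or doubled ":"), which the
# shell also treats as ".". Dangerous for root, which may cd anywhere.
check_path_dot() {
    case ":$1:" in
        *:.:*|*::*) echo "Warning! PATH searches the current directory: $1" ;;
    esac
}

# Home directories, and the startup files in them, that anyone can write.
# find -prune keeps the test on the named path itself, without descending.
check_home_writable() {
    for d in "$1"/home/*; do
        [ -d "$d" ] || continue
        find "$d" -prune -perm -0002 -print | sed 's/^/Warning! world-writable home: /'
        for rc in .profile .cshrc .login; do
            [ -f "$d/$rc" ] || continue
            find "$d/$rc" -prune -perm -0002 -print | sed 's/^/Warning! world-writable startup file: /'
        done
    done
}

# SUID files that are interpreter scripts rather than compiled binaries.
# COPS lists these separately because a SUID script is hard to make safe.
check_suid_scripts() {
    find "$1" -type f -perm -4000 -print 2>/dev/null | while read -r f; do
        if head -n 1 "$f" | grep -q '^#!'; then
            echo "Warning! SUID shell script: $f"
        fi
    done
}

# Run the file-tree checks against one prefix; one warning per line.
audit_tree() {
    check_hosts_equiv "$1"
    check_home_writable "$1"
    check_suid_scripts "$1"
}

# Build a constructed (not real) tree with one instance of each problem,
# plus one SUID binary that must not be reported. Prints its path.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc" "$dir/home/alice" "$dir/home/bob" "$dir/usr/bin"
    printf 'trusted.example\n+\n' > "$dir/etc/hosts.equiv"
    chmod 0777 "$dir/home/alice"                  # world-writable home
    printf 'umask 022\n' > "$dir/home/bob/.profile"
    chmod 0666 "$dir/home/bob/.profile"           # world-writable startup file
    printf '#!/bin/sh\necho hi\n' > "$dir/usr/bin/suidsh"
    chmod 4755 "$dir/usr/bin/suidsh"              # SUID shell script
    printf '\177ELF' > "$dir/usr/bin/realbin"
    chmod 4755 "$dir/usr/bin/realbin"             # SUID binary: not a script
    echo "$dir"
}

# Stand-alone demo: audit the constructed tree and a bad PATH, then clean up.
demo_root=$(make_sample_tree)
audit_tree "$demo_root"
check_path_dot "/usr/bin:.:/bin"
rm -rf "$demo_root"
```

Against the constructed tree the audit prints four warnings (hosts.equiv, alice's home, bob's .profile, suidsh) and stays silent on the SUID binary that is not a script.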
From firewalls-owner Fri Sep 16 20:46:49 1994
Message-Id: <9409162148.AA03792@tis.com>
From: Frederick M Avolio
X-Organization: Trusted Information Systems, Inc.
X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363
To: TSNL!TSMAIL01!kwan@torstar.attmail.com
Cc: Firewalls@greatcircle.com
Subject: Re: Gauntlet
In-Reply-To: Your message of Fri, 16 Sep 94 15:37:00 -0000.
Date: Fri, 16 Sep 94 17:48:12 -0400
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Well, I have. I'm the product manager. :-) And we use it.

Fred

> Has anyone out there heard about or is using the firewall software product
> called Gauntlet, supplied by Trusted Information Systems, Inc. (In Canada,
> it is carried by LANhouse Communications Ltd.) ?
> Any information will be helpful. Thanks.
>
> Kenny Wan, EDP Auditor, Torstar Corp., Toronto
> tsnl!tsmail01!kwan@torstar.attmail.com
> Tel: (416) 869-4035
> Fax: (416) 869-4183

From firewalls-owner Fri Sep 16 21:29:53 1994
Date: Fri, 16 Sep 1994 16:49:36 -0700
From: Karyn Pichnarczyk
Message-Id: <199409162349.QAA18364@cheetah.llnl.gov>
To: firewalls@greatcircle.com
Reply-To: karynp@llnl.gov
Subject: Re: COPS - Please Stop
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Please refrain from continuing the thread on COPS in this firewalls newsgroup. I think all the necessary information was given on that package, and since it doesn't relate specifically to firewalls, we should declare the topic concluded.

Any replies to me only. Do NOT cc: firewalls on any replies.
Thank you,
karyn

From firewalls-owner Fri Sep 16 21:30:45 1994
Date: Fri, 16 Sep 1994 13:34:05 +0800
From: jsm@miteksys.com (Shane McRoberts)
Message-Id: <9409162034.AA01561@spike.miteksys.com>
To: firewalls@GreatCircle.COM
Subject: Re: COPS shareware utility - any feedback?
X-Sun-Charset: US-ASCII
Content-Length: 1029
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

The Soupy One wrote:
> Umesh_Reghuram@notes.pw.com wrote:
> > Can anybody provide feedback on a shareware utility called COPS? It
> > apparently is designed to control network access...
>
>
> From what I've managed to accumulate (which is pathetically little), COPS
> is a UNIX-based program that monitors users' actions, and searches their
> directories for files which are deemed to have some hacking
> properties (whatever that might be), and inform the sysadmin about this.
> Can someone correct me if I'm wrong (which is the most probable
> probability).

COPS does not control network access, nor does it monitor users' actions. What it does is very simple and _very_ useful. It looks around on your system for common security holes--it knows about lots of things that give crackers a foot in the door--then it tells you about them so you can fix them. If you have never run it, you are almost certainly vulnerable unless you already have a firewall (maybe even if you do).
Shane

From firewalls-owner Fri Sep 16 22:12:14 1994
From: Richard Huddleston
Date: Sat, 17 Sep 1994 00:05:25 -0400
Message-Id: <199409170405.AAA23648@rac3.wam.umd.edu>
To: firewalls@greatcircle.com
Subject: NFS proxies
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Before posting this, I read and posted to comp.protocols.{nfs,tcp-ip} and comp.unix.admin -- as well as examined the archives and topic "library" at Great Circle (ftp.GreatCircle.com). No luck, and sorry to bother everybody with this:

Some time back, there was some mention of NFS proxies--either a paper, an implementation, or both. If anyone can supply a reference or an FTP site, I'd be grateful. As so typically happens, I didn't need the information when I saw it.

Yes, it's firewall related.
;)

Thanks,
Richard

From firewalls-owner Fri Sep 16 22:29:34 1994
Date: Sat, 17 Sep 94 00:09:03 CDT
From: bonomi@delta.eecs.nwu.edu (Robert Bonomi)
Message-Id: <9409170509.AA15256@delta.eecs.nwu.edu>
To: firewalls@GreatCircle.COM
Subject: Re: SUMMARY: SCSI disks with write protect jumpers
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Don Jackson writes:

[... much good stuff deleted ...]

+ Howard Chu wrote:
+ I saw your query on the firewalls list, I've been looking into this already.
+ The easiest solutions have all been removable media drives: Syquest cart.,
+ magneto-optical, and floppy disk. In each case, the removable media has a
+ write-protect switch on the cartridge, making it relatively easy to change
+ over for updating purposes. Aside from that, they offer pretty widely varying
+ features.
+ Hm, I guess I should add Bernoulli cartridges to the list, never used them
+ myself though.
+
+ Media          Capacity/Size     Speed     Drive cost     Media cost
+ Floptical      21MB, 3-1/2"      slow      $250           $20
+ Syquest        88MB, 5-1/4"      20ms      $250           $100
+ Syquest        105MB, 3-1/2"     14.5ms    $220           $65
+ MO, Fujitsu    128MB, 3-1/2"     30ms      $730           $40
+ Bernoulli      150MB, 5-1/4"     18ms      $250           $100
+ MO, HP         650MB, 5-1/4"     27ms      $2000          $100
+ MO, Maxoptix   1.0GB, 5-1/4"     24ms      $2200-$2400    $190
+ MO, Maxoptix   1.3GB, 5-1/4"     19ms      $3000-$3500    $190

Question: does anybody have experience with the durability/reliability of any of these when used as 'permanently mounted and spun-up' media ??

Particularly Syquest, Bernoulli, or Fujitsu MO. I'm real curious how these hold up in a 'continuous duty' environment.

Direct e-mail responses encouraged.
I'll summarize to the list, if there's interest.

Robert Bonomi
bonomi@delta.eecs.nwu.edu

From firewalls-owner Fri Sep 16 23:29:31 1994
From: farsight@clark.net
Date: Sat, 17 Sep 1994 02:08:46 -0400 (EDT)
Subject: Re: SUMMARY: SCSI disks with write protect jumpers
To: Robert Bonomi
cc: firewalls@GreatCircle.COM
In-Reply-To: <9409170509.AA15256@delta.eecs.nwu.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

On Sat, 17 Sep 1994, Robert Bonomi wrote:

> Don Jackson writes:
>
> [... much good stuff deleted ...]
>
>
> Question: does anybody have experience with the durability/reliability of
> any of these when used as 'permanently mounted and spun-up' media ??
>
> Particularly Syquest, Bernoulli, or Fujitsu MO.
>

I've always thought that optical media, used for backups storage, would last virtually forever, with proper care, etc. The drives, I've found, like all mechanical drives, have a limited life under heavy use.
-Kurt-

From firewalls-owner Sat Sep 17 11:29:38 1994
Message-Id: <199409171732.KAA06983@mycroft.GreatCircle.COM>
To: Richard Huddleston
cc: firewalls@greatcircle.com
Subject: Re: NFS proxies
In-reply-to: Your message of Sat, 17 Sep 1994 00:05:25 -0400
Date: Sat, 17 Sep 1994 10:32:47 -0700
From: Brent Chapman
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Richard Huddleston writes:

# Before posting this, I read and posted to comp.protocols.{nfs,tcp-ip}
# and comp.unix.admin -- as well as examined the archives and topic
# "library" at Great Circle (ftp.GreatCircle.com). No luck, and sorry
# to bother everybody with this:

Yeow, the "topics" files are still there?!? Those are _ancient_! I stopped updating them when I put the WAIS server in; they haven't been updated in over a year. Sorry, they should have been deleted when I stopped updating them; I've corrected that error, and apologize to anyone who got outdated or incomplete information from them.

Now, if you want to do topic searches on past Firewalls postings, either use WAIS (machine WAIS.GreatCircle.COM, database "firewalls-digest"), or use the new "HyperMail" interface that Rodney Campbell posted about last week (the URL is http://www.tansu.com.au/hypermail/index.html).
-Brent

--
Brent Chapman            | Great Circle Associates   | Call or email for info about
Brent@GreatCircle.COM    | 1057 West Dana Street     | upcoming Internet Security
+1 415 962 0841          | Mountain View, CA 94041   | Firewalls Tutorial dates

From firewalls-owner Sat Sep 17 12:29:38 1994
Date: Sat, 17 Sep 1994 14:59:29 -0400
From: long-morrow@CS.YALE.EDU (H Morrow Long)
Message-Id: <199409171859.AA05072@SPARKY.CF.CS.YALE.EDU>
To: firewalls@GreatCircle.COM, reh@wam.umd.edu
Subject: Re: NFS proxies
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

An NFS proxy running over TCP (as opposed to UDP) socket connections is described in the Bellovin and Cheswick book (the bible of this mailing list) "Firewalls and Internet Security". And as with the other services described in the book, they developed, implemented and use it at AT&T Bell Labs. I don't think that they give it away though (it may have unfreed AT&T source code in it).

The list of net resources in the back points the reader at the Linux source code's user level NFS server as a good place to begin writing an NFS proxy.
ISBN 0-201-63357

- Morrow

From firewalls-owner Sat Sep 17 21:29:54 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id EAA09818; Sun, 18 Sep 1994 04:19:49 GMT
Received: from sequoia.itd.uts.EDU.AU by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id VAA09812; Sat, 17 Sep 1994 21:19:40 -0700
Received: from matt.itd.uts.edu.au by sequoia.itd.uts.EDU.AU with SMTP id AA29215 (5.65c/IDA-1.4.4 for ); Sun, 18 Sep 1994 13:46:15 +1000
Received: by matt.itd.uts.edu.au (5.0/SMI-SVR4) id AA17578; Sun, 18 Sep 1994 14:26:52 +1000
From: matt@uts.EDU.AU (Jas (Matthew K))
Message-Id: <9409180426.AA17578@matt.itd.uts.edu.au>
Subject: fwtk Solaris Port
To: firewalls@greatcircle.com (Firewalls Mailing List)
Date: Sun, 18 Sep 1994 14:26:50 +1000 (EST)
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 1543
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

well guys considering the bit of convo on the list about fwtk for Solaris, i decided to waste a day (12 hours) and port it (well maybe not waste but..). anyway, i don't know mjr's email address (amazingly i haven't saved any mail that he has authored :| ), so i can't mail this directly to him.

The way i have set the procedure up is that you should be able to compile both bsd and SVR4 all off the same source. it took quite a bit, and some of the bsd code was really really archaic so it took a bit to convince it to talk more standard Un*x.

anyway hopefully i can get mjr's email address when he responds to this, and i'll give him my stuff and let him distribute it if he wants. If you really want, you can mail me and i'll put your names in a list to mail when it does become publicly available.

till then...

Matt

(PS. it is a proper port to SVR4 there is no need for ucblib thank goodness it should work on any SVR4 machine, but i only have DG/UX and Solaris to test it on here, and it compiles fine here.)
--
Matthew Keenan                          Systems Programmer
Information Technology Division         University of Technology Sydney Australia
www: http://milliways.itd.uts.edu.au/~matt/    email: matt@uts.edu.au
phone: +61 2 330 1390                   "Don't murder a man who is about
fax:   +61 2 330 1999                    to commit suicide."
home:  +61 2 416 5722                              -- Machiavelli
GCV 2.1 GAT/M/CS d--(-+) H-- s++:-- g+ p? !au a-(?) w+++ v+ C+++$ UVS++++$
P+>+++ L- 3+++ E-(++) N++ K W--- M+ V-- -po+(+) Y+ t+ !5>++ jx R+ G? !tv b+++
D++ B e+ u--(**) h- f+(*) r n- !y

From firewalls-owner Mon Sep 19 01:32:10 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id IAA17363; Mon, 19 Sep 1994 08:08:09 GMT
Received: from zaphod.axion.bt.co.uk by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id BAA17357; Mon, 19 Sep 1994 01:07:57 -0700
Received: from everest.srd.bt.co.uk (actually 132.146.201.181) by zaphod.axion.bt.co.uk with SMTP (PP); Mon, 19 Sep 1994 09:12:38 +0100
Received: from ariel.srd.bt.co.uk by everest.srd.bt.co.uk; Mon, 19 Sep 94 08:12:44 GMT
From: Jake Hill
Date: Mon, 19 Sep 94 09:11:21 BST
Message-Id: <5627.9409190811@ariel.srd.bt.co.uk>
To: firewalls@greatcircle.com
Subject: [Umesh_Reghuram@notes.pw.com: COPS shareware utility - any feedback?]
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

From: Umesh_Reghuram@notes.pw.com
Date: Fri, 16 Sep 94 08:42:41 PDT
To: firewalls@GreatCircle.COM
Subject: COPS shareware utility - any feedback?
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>Can anybody provide feedback on a shareware utility called COPS? It
>apparently is designed to control network access...

COPS is a set of tools for finding potential security holes in Unix systems. It includes things for searching suid executables, as well as the inevitable passwd cracker. [PEOPLE, please correct me if I'm wrong here, I haven't actually looked at COPS since I went on a Unix security course several months ago].
Anyway, if you want the source, give me a shout (anybody know where you might find a validated distribution?).

Jake

A.A.&.T..I.N.F.O.R.M.A.T.I.O.N..S.Y.S.T.E.M.S
JakeyBaby% mail jhill@srd.bt.co.uk
Techno.Crypto.Emusic

From firewalls-owner Mon Sep 19 08:34:05 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA19548; Mon, 19 Sep 1994 14:38:17 GMT
Received: from ms.gpt.co.uk by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA19542; Mon, 19 Sep 1994 07:38:07 -0700
Received: from cvhp99 (cvhp99.gpt.co.uk) by ms.gpt.co.uk with ESMTP (1.37.109.11/ms-03) id AA132795892; Mon, 19 Sep 1994 15:44:52 +0100
Received: from cvsu251 (cvsu251.gpt.co.uk) by cvhp99 with SMTP (1.37.109.11/99-05) id AA061155794; Mon, 19 Sep 1994 15:43:14 +0100
Received: from cvsu76.nsg.ncp.gpt.co.uk.LOCAL by cvsu251 (4.1/MAIL-13) id AA07214; Mon, 19 Sep 94 15:43:13 BST
Received: by cvsu76.nsg.ncp.gpt.co.uk.LOCAL (4.1/GPT(S)-05) id AA00676; Mon, 19 Sep 94 15:43:02 BST
Date: Mon, 19 Sep 94 15:43:02 BST
From: "Neil Chick"
Message-Id: <9409191443.AA00676@cvsu76.nsg.ncp.gpt.co.uk.LOCAL>
To: firewalls@greatcircle.com
Subject: Encrypted WANs via the Internet
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hi,

Does anyone have any experience of using encrypted links via the Internet to join two remote sites together?

+ How is it done?
+ Hardware can be bought to make it happen?
+ How do the firewalls distinguish between the two?
  ( I know bit a vague question just pointer would be helpful as I'm currently in the dark ;-) )
+ Any idea of costs?
+ Security implications of course;)

Any ideas welcomed....

Thanks,

Neil Chick
GPT
UK.                  Wot no sig!
chickna@ncp.gpt.co.uk.
From firewalls-owner Mon Sep 19 10:30:59 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA20765; Mon, 19 Sep 1994 16:33:34 GMT
Received: from hermes.intel.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id JAA20759; Mon, 19 Sep 1994 09:33:26 -0700
Received: from argus.intel.com by hermes.intel.com (5.65/10.0i); Mon, 19 Sep 94 09:38:33 -0700
Received: by argus.intel.com (5.65/10.0i); Mon, 19 Sep 94 09:38:32 -0700
From: sedayao@argus.intel.com (Jeffrey C. Sedayao)
Message-Id: <9409191638.AA22787@argus.intel.com>
Subject: Re: Encrypted WANs via the Internet
To: chickna@ncp.gpt.co.uk (Neil Chick)
Date: Mon, 19 Sep 94 9:38:30 PDT
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9409191443.AA00676@cvsu76.nsg.ncp.gpt.co.uk.LOCAL> from "Neil Chick" at Sep 19, 94 03:43:02 pm
X-Mailer: ELM [version 2.4dev PL66]
Mime-Version: 1.0
Content-Type: text
Content-Length: 1378
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> Hi,
> Does anyone have an experience of using encrypted links via the
> Internet to join two remote sites together ?

We have done this with a link to one of our vendors and would like to do it more often.

> + How is it done?

We are currently using a Morningstar router to do this. It does DES encryption selectively by looking at addresses that you can specify.

> + Hardware can be bought to make it happen?

We are currently using a Morningstar router, but I am looking into using a Semaphore box or Hughes Lan systems Netlock. The morningstar doesn't do so well at T1 speeds (at least the model that we have).

> + How do the firewalls distinguish between the two?
> ( I know bit a vague question just pointer would be
> helpful as I'm currently in the dark ;-) )

I assume that you are saying how do you tell what to encrypt and what not to encrypt. The router does it based on IP addresses.

> + Any idea of costs?

A Morningstar costs around US$2000.
For more info, check out http://www.morningstar.com/ or sales@morningstar.com

> + Security implications of course;)

Since you are in the UK, you might have problems getting the product out of North America.

> Any ideas welcomed....
> Thanks,
> Neil Chick
> GPT
> UK. Wot no sig!
> chickna@ncp.gpt.co.uk.

--
Jeff Sedayao
Intel Corporation
sedayao@argus.intel.com

From firewalls-owner Mon Sep 19 13:32:27 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id TAA23420; Mon, 19 Sep 1994 19:55:39 GMT
Received: from nsco.network.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA23414; Mon, 19 Sep 1994 12:55:26 -0700
From: ted.doty@nsco.network.com
Received: from doty.network.com by nsco.network.com (4.1/1.34) id AA17435; Mon, 19 Sep 94 14:57:55 CDT
Date: Mon, 19 Sep 94 15:53:34 PDT
Subject: Re: Logging Routers
To: Frank Byrum
Cc: firewalls@greatcircle.com
X-Mailer: Chameleon - TCP/IP for Windows by NetManage, Inc.
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>> Network Systems' routers have supported logging since (at least) 1989.
>> Works great, lasts a long time.
>
>What exactly do you do to make sure that the logging information gets to a host?
>Is it possible for information that is useful to determining if a "hacker"
>is trying to break in could be lost during some heavy loading or some other
>event?

Sorry if this is being posted twice, I seem to be getting multiple copies of this message.

You can use either a reliable datalink layer, like X.25 (ugly, but not too hard to set up), or you can use the DNSIX Audit Trail Monitor, which adds a reliable delivery layer on top of UDP.
- Ted

--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation | phone: +1 301 596-2270
8965 Guilford Road, Suite 250         | fax: +1 410 381-3320
Columbia, MD, 21046 USA               | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.

From firewalls-owner Mon Sep 19 19:30:24 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id BAA27706; Tue, 20 Sep 1994 01:59:09 GMT
Received: from uvs1.orl.mmc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id SAA27700; Mon, 19 Sep 1994 18:58:59 -0700
From: bobshpoh@solomon.technet.sg
Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA24007; Mon, 19 Sep 94 22:03:52 -0400
Date: Mon, 19 Sep 94 22:03:52 -0400
Message-Id: <9409200203.AA24007@uvs1.orl.mmc.com>
To: padgett@tccslr.dnet.mmc.com
Cc: "firewalls@greatcircle.com"@uvs1.dnet.mmc.com
Subject: Re: Logging routers
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I agree with padgett's view that in security it is better to be able to know if an attempt was made at getting into the network than not knowing at all, so that preventive action could be taken early (proactive approach as opposed to reactive).

My $0.02 worth comments.
Best Regards

====================================================================
POH, Sin Hock Robert                    Head, Data Security
Internet: bobshpoh@solomon.technet.sg   UOB Limited
ID Email:                               156 Cecil Street #10-06
Phone : (65)-539-3470                   FEB Building
Fax   : (65)-227-4232                   Singapore 0106
=====================================================================

On Thu, 15 Sep 1994 padgett@tccslr.dnet.mmc.com wrote:

>
> Craig Bishop wrote (about Firewall-1):
> ] The thing I really like is the control over the filtering
> ] because the majority of it is being done on the bastion host not
> ] on a router (which gives you ZERO logging capability). With
> ] the filtering happening at the bastion host there are many more
> ] options for logging.
>
> Marty Shannon replied:
> >I think logging from the router could help catch attacks that don't use
> >all the old standard tricks.
>
> Even for standard attacks, it helps to have early warning of probes via
> Telnet or Finger or other means. Just rejecting the packet allows the
> intruder to continue to try different approaches whereas if failed
> connections are logged, other defenses and alerts can be established.
>
> Warmly,
> padgett@tccslr.dnet.mmc.com
>

From firewalls-owner Mon Sep 19 20:29:37 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id CAA28092; Tue, 20 Sep 1994 02:37:01 GMT
Received: from sequoia.itd.uts.EDU.AU by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id TAA28086; Mon, 19 Sep 1994 19:36:43 -0700
Received: from matt.itd.uts.edu.au by sequoia.itd.uts.EDU.AU with SMTP id AA08144 (5.65c/IDA-1.4.4 for ); Tue, 20 Sep 1994 12:03:24 +1000
Received: by matt.itd.uts.edu.au (5.0/SMI-SVR4) id AA01362; Tue, 20 Sep 1994 12:44:14 +1000
From: matt@uts.EDU.AU (Jas (Matthew K))
Message-Id: <9409200244.AA01362@matt.itd.uts.edu.au>
Subject: Garth: Returned mail: Host unknown
To: firewalls@greatcircle.com (Firewalls Mailing List)
Date: Tue, 20 Sep 1994 12:44:13 +1000 (EST)
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 1337
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Mail Delivery Subsystem wrote this...
> From MAILER-DAEMON@cc.umanitoba.ca Tue Sep 20 05:57 EST 1994
> Date: Mon, 19 Sep 94 14:55:29 CDT
> From: Mail Delivery Subsystem
> Message-Id: <9409191955.AA16541@canopus.CC.UManitoba.CA>
> Subject: Returned mail: Host unknown
> To:
> Content-Type: text
> Content-Length: 1954
>
> ----- Transcript of session follows -----
> 421 Host secure not found for mailer ether.
> 550 ... Host unknown
>

Garth, I can't mail you, both mail address i tried to mail you at bounced. If you could mail me with your canonical mail address it would be appreciated.

apologies to anyone who is ticked because i mailed this to the list, but i couldn't find any other way of contacting him.

Matt

--
Matthew Keenan                          Systems Programmer
Information Technology Division         University of Technology Sydney Australia
www: http://milliways.itd.uts.edu.au/~matt/    email: matt@uts.edu.au
phone: +61 2 330 1390                   "Don't murder a man who is about
fax:   +61 2 330 1999                    to commit suicide."
home:  +61 2 416 5722                              -- Machiavelli
GCV 2.1 GAT/M/CS d--(-+) H-- s++:-- g+ p? !au a-(?) w+++ v+ C+++$ UVS++++$
P+>+++ L- 3+++ E-(++) N++ K W--- M+ V-- -po+(+) Y+ t+ !5>++ jx R+ G? !tv b+++
D++ B e+ u--(**) h- f+(*) r n- !y

From firewalls-owner Mon Sep 19 21:29:45 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id DAA28872; Tue, 20 Sep 1994 03:34:51 GMT
Received: from pg2-srv.wam.umd.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id UAA28801; Mon, 19 Sep 1994 20:28:39 -0700
Received: from rac1.wam.umd.edu (reh@rac1.wam.umd.edu [128.8.70.3]) by pg2-srv.wam.umd.edu (8.6.9/8.6.9) with ESMTP id XAA23938; Mon, 19 Sep 1994 23:33:07 -0400
From: Richard Huddleston
Received: (reh@localhost) by rac1.wam.umd.edu (8.6.9/8.6.9) id XAA16389; Mon, 19 Sep 1994 23:33:05 -0400
Date: Mon, 19 Sep 1994 23:33:05 -0400
Message-Id: <199409200333.XAA16389@rac1.wam.umd.edu>
To: firewalls@greatcircle.com
Subject: Summary: Livingston vs Morning Star routers
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

This is a summary of the responses I received for an informed comparison between Livingston "Firewall IRX" and Morning Star Express Plus routers. In the interest of brevity and privacy, I've removed most information which might identify the source, and otherwise trimmed at will. I believe I was careful to keep the substance of the response.

I wish to express my appreciation to everyone who took the time to send me your comments. They were very helpful.

Richard

--
#2. We use a MorningStar Express Router on a 56k Frame Relay and I have had no problems with it (barring that one electrical storm) so far. Reliability is much better than 95% to date.

--
I am using a Livingston Firewall IRX router to setup a firewall for a company I do consulting for. We replaced our older model IRX router with the new Firewall IRX router because it has two ethernet connectors instead of just one.
The Firewall IRX model seems to have all of the features people on this list talk about. It drops source routed packets by default. Packets can be filtered by source and destination address, source and destination port and connection status. It is possible to log activity to a host on the internal net.

--
> Just set up a Livingston Router. It was shipped with obsolete software
> that didn't work with the LMI protocol, and can NOT have more than one
> subnet mask type. This is a FATAL flaw. My frame relay service provider
> had to provide me with an entire class C address just so they could have
> a dedicated circuit to our Livingston router. IE:
> Insinc (frame relay service provider) netmask (router-router) was
> 255.255.255.252. Perfect, gate the routers their own little net - 1,2
> for the routers and 0 and 3 for network and broadcast address. The
> Livingston IRX portmaster could not do this as I required a netmask of
> 255.255.255.0 for my internal network.
> In short, I needed the frm1 interface to have a netmask of 255.255.255.252.
> I needed my ether0 interface to have a netmask of 255.255.255.0.
> The Livingston portmaster could not handle this. Yuck.

Funny thing, I just replaced my Livingston with Cisco 2500, the Livingston was grabbing my internal packets and bouncing it off the router at my service provider. What I actually had to do was create permanent arp entries in my bastion host to get around this problem. Granted I have had the Cisco for about an hour but it seems to be handling the routing much better.

--
Our MorningStar Express is now at SW version 1.1.85, in which they seem to have finally plugged the mbuf leak that was causing the older versions of their software to crash. It's been up for a couple of months now without further hiccups. I have no experience with Livingston equipment, so I'll skip the compare-and-contrast part of the test...
--
I haven't used the Livingston products but was impressed that I could FTP a PostScript version of the manual from them.

--
> Informed opinion welcomed. I've invited MorningStar in on this, as well,
> since I'm not sure if they normally pick up this list.

Actually, it might have been useful to send it to "support@MorningStar.Com". Some Morning Star employees are on (and read) firewalls [I am one of them]. You won't tend to see much posted by me about Express routers since I feel that firewalls is not a marketing list.

> God forgive me for opening the doors to a Firewalls opinionfest.

As long as you specify to reply only to you [as you did] you do not need to be forgiven.

> I need to hear from folks who actually build firewalls (you know
> who you are) regarding any experience they may have with the
> Livingston "FireWall IRX" and/or MorningStar Express Plus routers.

You won't find anyone with an Express Plus router at this time. We have not officially released the Express Plus router. The filtering capabilities will be the same as the Express router.

> I've used an earlier model of the MSE, and while I found its filtering
> and logging facilities to be excellent (ICMP by type, etc.) I'll also say
> it seemed to choke on a Switched 56 Frame Relay data link. I'll head
> off any potential flamage and just say I couldn't figure out how to get
> it to work with 95% + reliability.

Do you remember what software release you had? I cannot find any communications from you since February. We've gone through a few software revisions since then and feel the product is higher than 95% reliable at this point. You can obtain the RELEASE-NOTES for the Express via anonymous FTP. We feel the Express can keep up with a switched 56K frame relay link (in fact we use Express routers at T1 speeds).

> The MSE+ is said to be improved immensely, and I'm certainly willing
> to give it a shot.

The Express Plus will have much better performance.
The Express Plus is more expandable than the Express router and can support more interfaces.

> I know nothing about Livingston except that, as I recall, Brent likes 'em.

Livingston makes fine products and Morning Star has always had good relations with them. We would of course prefer you bought our product but you should be happy either way.

We would be interested in any feedback you receive. If your correspondents would not mind, we would like to see how people with experience compare the two routers and how our customers feel we are doing.

Thanks.

--
I'm interested in any responses you get. I too have primarily installed CISCOs, but I have installed 2 MorningStar PPP links to remote sites which required high confidentiality (Hospital/Med School related).

--
While not precisely the same thing, we are using MST PPP on a BSDI box for a firewall. The box is a lowly 386 and we stripped BSDI to its bare minimum. We are connected at 38,400 to start so we could get things settled down before we dealt with any potential transmission issues. At this speed we are achieving close to theoretical max on throughput. Will be moving to 56k either this week or next and will let you know about performance at a later date.

As to its effectiveness, we chose this route because we liked the ability to do a lot of logging and real-time monitoring. So far it's a good choice (Our provider couldn't find us on the net and so took 4 weeks to re-direct our domain to us!)

More to your question, I am very satisfied with MST PPP's filtering capabilities and understand them to be the same in their router product. My conversations with Kate Murphy at MST also indicated that their router now handles up to T1 so 56k _should_ be no problem :)

--
> I need to hear from folks who actually build firewalls (you know
> who you are) regarding any experience they may have with the
> Livingston "FireWall IRX" and/or MorningStar Express Plus routers.
> Just set up a Livingston Router.
It was shipped with obsolete software that didn't work with the LMI protocol, and can NOT have more than one subnet mask type. This is a FATAL flaw. My frame relay service provider had to provide me with an entire class C address just so they could have a dedicated circuit to our Livingston router. IE:

Insinc (frame relay service provider) netmask (router-router) was 255.255.255.252. Perfect, gate the routers their own little net - 1,2 for the routers and 0 and 3 for network and broadcast address. The Livingston IRX portmaster could not do this as I required a netmask of 255.255.255.0 for my internal network.

In short, I needed the frm1 interface to have a netmask of 255.255.255.252. I needed my ether0 interface to have a netmask of 255.255.255.0. The Livingston portmaster could not handle this. Yuck.

--

From firewalls-owner Tue Sep 20 04:31:11 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id LAA01831; Tue, 20 Sep 1994 11:04:02 GMT
Received: from srv.cip.physik.tu-muenchen.de by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id EAA01823; Tue, 20 Sep 1994 04:03:36 -0700
Received: from ss5.cip.physik.tu-muenchen.de by srv.cip.physik.tu-muenchen.de with SMTP id AA14368 for (5.67a/IDA-1.5/bs03); Tue, 20 Sep 1994 13:07:35 +0200
Message-Id: <199409201107.AA14368@srv.cip.physik.tu-muenchen.de>
To: "Neil Chick"
Cc: firewalls@greatcircle.com, schneck@Physik.TU-Muenchen.DE
Subject: Re: Encrypted WANs via the Internet
In-Reply-To: Your message of "Mon, 19 Sep 94 15:43:02 BST." <9409191443.AA00676@cvsu76.nsg.ncp.gpt.co.uk.LOCAL>
Date: Tue, 20 Sep 94 13:07:34 +0200
From: Bernhard.Schneck@Physik.TU-Muenchen.DE
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

In message <9409191443.AA00676@cvsu76.nsg.ncp.gpt.co.uk.LOCAL> you write:
> Hi,
>
> Does anyone have an experience of using encrypted links via the
> Internet to join two remote sites together ?
Take a look at the `swIPe' internet draft (I think the original one has expired, but I couldn't find a revised one)

Ask archie or look at an internet drafts archive near you (I got my stuff from Hamburg, Germany)

\Bernhard.

From firewalls-owner Tue Sep 20 06:30:18 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA02545; Tue, 20 Sep 1994 12:49:19 GMT
Received: from remus.ultranet.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id FAA02537; Tue, 20 Sep 1994 05:48:59 -0700
Received: by remus.ultranet.com; (5.65/1.1.8.2/22Aug94-0201PM) id AA07439; Tue, 20 Sep 1994 08:54:33 -0400
Date: Tue, 20 Sep 1994 08:54:33 -0400
From: Joe Provo
Message-Id: <9409201254.AA07439@remus.ultranet.com>
To: firewalls@greatcircle.com
Subject: Re: Encrypted WANs via the Internet
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>Take a look at the `swIPe' internet draft (I think the original
>one has expired, but I couldn't find a revised one)
>
>Ask archie or look at an internet drafts archive near you (I got my
>stuff from Hamburg, Germany)

ftp://research.att.com/dist/mab/swipeusenix.ps

...for a starting point.

Joe
Systems and Network Admin, Ultranet Communications Inc.
508.229.8400(voice)   jprovo@ultranet.com   508.229.8111(data)
A network service provider in Marlboro, MA - mail info@ultranet.com

From firewalls-owner Tue Sep 20 08:32:23 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id PAA03366; Tue, 20 Sep 1994 15:03:56 GMT
Received: from relay.tis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id IAA03359; Tue, 20 Sep 1994 08:03:41 -0700
Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma004563; Tue Sep 20 11:09:00 1994
Received: by tis.com (4.1/SUN-5.64) id AA10510; Tue, 20 Sep 94 11:06:48 EDT
Date: Tue, 20 Sep 94 11:06:48 EDT
From: Frederick M Avolio
Message-Id: <9409201506.AA10510@tis.com>
To: firewalls@greatcircle.com
Subject: CPF: 5th USENIX UNIX Security Symposium
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

ANNOUNCEMENT and PRELIMINARY CALL FOR PAPERS

5th USENIX UNIX Security Symposium
June 5-7, 1995
Salt Lake City Marriott Hotel
Salt Lake City, Utah

Sponsored by the USENIX Association, the UNIX and Advanced Computing Systems Professional and Technical Association

In cooperation with: The Computer Emergency Response Team (CERT), IFIP WG 11.4, and UniForum

IMPORTANT DATES

DATES FOR REFEREED PAPER SUBMISSIONS
Extended abstracts due: Feb 13, 1995
Program Committee decisions made: Mar 8, 1995
Camera-ready final papers due: May 1, 1995

Registration Materials Available: March 1995

PROGRAM COMMITTEE

Program Chair: Fred Avolio, Trusted Information Systems, Inc.
Steve Bellovin, AT&T Bell Laboratories
Bill Cheswick, AT&T Bell Laboratories
Ed DeHart, CERT
Ed Gould, Digital Equipment Corporation
Marcus Ranum, Trusted Information Systems, Inc.
Jeff Schiller, MIT
Gene Spafford, COAST Laboratory, Purdue University

OVERVIEW

The goal of this symposium is to bring together security practitioners, researchers, system administrators, systems programmers, and others with an interest in computer security as it relates to networks and the UNIX operating system.

This will be a 3 day, single-track symposium. The symposium will consist of tutorials, refereed and invited technical presentations, and panel sessions. The first day will be devoted to tutorial presentations. Two days of technical sessions will follow the tutorials.

TUTORIALS [June 5]

This one-day tutorial program is designed to address the needs of both technical and management attendees. The tutorials will supply overviews of various security mechanisms and policies. Each will provide specifics to the system and site administrator for implementing numerous local and network security precautions, firewalls, and monitoring systems.

KEYNOTE AND TECHNICAL SESSIONS [June 6-7]

The keynote address by Stephen T. Walker, Founder and President of Trusted Information Systems, will begin the technical sessions program. Mr. Walker will speak on information security and privacy in computing. Mr. Walker is an electronics engineer and computer systems analyst with over 25 years of experience in system design and program management; particularly extensive is his experience with the design and implementation of large scale computer networks and information systems. He is nationally recognized for his pioneering work on the DoD Computer Security Initiative, the establishment of the National Computer Security Center, and the formation of the Defense Data Network. He is a member of the Computer System Security and Privacy Advisory Board, established by the Computer Security Act of 1987.

The technical sessions program, in addition to presentations of refereed papers, will include invited talks, and possibly panel sessions.
There will also be two evenings available for Birds-of-a-Feather sessions (BoFs) and Works-in-Progress Reports (WiPs). The program committee invites you to submit proposals, ideas, or suggestions for these presentations; your suggestions may be submitted to the program chair via email to: securitypapers@usenix.org or by post to the address given below.

Papers that have been formally reviewed and accepted will be presented during the symposium and published in the symposium proceedings. Proceedings of the symposium will be published by USENIX and will be provided free to technical session attendees; additional copies will be available for purchase from USENIX.

SYMPOSIUM TOPICS

Presentations are being solicited in areas including but not limited to:

*User/system authentication
*File system security
*Network security
*Security and system management
*Security-enhanced versions of the UNIX operating system
*Security tools
*security incident investigation and response
*computer misuse and anomaly detection
*security in heterogeneous environments
*configuration management to support security
*security-related testing methods
*case studies

REFEREED PAPER SUBMISSIONS

Submissions must be received by Feb 13, 1995. Full papers should be 10 to 15 pages. Instead of a full paper, authors may submit an extended abstract which discusses key ideas. Extended abstracts should be 5-7 pages long (about 2500-3500 words), not counting references and figures. The body of the extended abstract should be in complete paragraphs. The object of an extended abstract is to convince the reviewers that a good paper and presentation will result.

All submissions will be judged on originality, relevance, and correctness. Each accepted submission will be assigned a member of the program committee to act as its shepherd through the preparation of the final paper. The assigned member will act as a conduit for feedback from the committee to the authors. Camera-ready final papers are due May 1, 1995.
Please accompany each submission by a cover letter stating the paper title and authors along with the name of the person who will act as the contact to the program committee. Please include a surface mail address, daytime and evening phone number, and, if available, an email address and fax number for the contact person.

If you would like to receive detailed guidelines for submission and examples of extended abstracts, you may send email to: securityauthors@usenix.org or telephone the USENIX Association office at +1 510 528 8649.

The UNIX Security Symposium, like most conferences and journals, requires that papers not be submitted simultaneously to another conference or publication and that submitted papers not be previously or subsequently published elsewhere. Papers accompanied by "non-disclosure agreement" forms are not acceptable and will be returned to the author(s) unread. All submissions are held in the highest confidentiality prior to publication in the Proceedings, both as a matter of policy and in accord with the U.S. Copyright Act of 1976.

WHERE TO SUBMIT

Please send one copy of a full paper or an extended abstract to the program committee via two of the following methods. All submissions will be acknowledged.

o Preferred Method: email (Postscript or ASCII) to: securitypapers@usenix.org

o Alternate Method: postal delivery to
  Fred Avolio
  Trusted Information Systems
  3060 Washington Road
  Glenwood, MD 21738
  +1 410 442 1673

o Fax: +1 301 854 5363

REGISTRATION MATERIALS

Materials containing all details of the technical and tutorial programs, registration fees and forms, and hotel information will be available beginning in March 1995.
If you wish to receive the registration materials, please contact USENIX at: USENIX Conference Office 22672 Lambert Street, Suite 613 Lake Forest, CA USA 92630 +1 714 588 8649; Fax: +1 714 588 9706 email: conference@usenix.org From firewalls-owner Tue Sep 20 10:30:19 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA04154; Tue, 20 Sep 1994 16:58:27 GMT Received: from Portal.XAIT.Xerox.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id JAA04148; Tue, 20 Sep 1994 09:58:11 -0700 Received: by Portal.XAIT.Xerox.COM (4.1/SMI-4.1) id AA27525; Tue, 20 Sep 94 13:04:09 EDT Received: from redwood.xait.xerox.com(192.5.105.27) by Portal via smap (V1.3mjr) id sma027521; Tue Sep 20 13:04:00 1994 Received: from Balkis.XAIT.Xerox.COM by XAIT.Xerox.COM (4.1/SMI-4.1) id AA10817; Tue, 20 Sep 94 13:03:54 EDT Date: Tue, 20 Sep 94 13:03:54 EDT From: marie@XAIT.Xerox.COM (Marie Reale) Message-Id: <9409201703.AA10817@XAIT.Xerox.COM> To: firewalls@GreatCircle.COM Subject: internet programs accessible on internal machines? Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk My understanding of a firewall is that all internet programs such as mosaic and xarchie cannot be used on internal workstations. Is this true? Would users have to directly logon to the firewall to use these programs? Is there a way they may use these programs on their workstations? 
Thanks for any information, Marie From firewalls-owner Tue Sep 20 11:29:55 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id RAA04584; Tue, 20 Sep 1994 17:59:51 GMT Received: from rodan.UU.NET by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id KAA04578; Tue, 20 Sep 1994 10:59:31 -0700 Received: from babar.UU.NET by rodan.UU.NET with SMTP id QQxiey01914; Tue, 20 Sep 1994 14:05:05 -0400 Received: by babar.UU.NET id OAAxiey06455; Tue, 20 Sep 1994 14:05:04 -0400 Date: Tue, 20 Sep 1994 14:05:04 -0400 Message-Id: From: Bob Stratton To: firewalls-digest@greatcircle.com Subject: Encrypted WANs via the Internet Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk >Jeffrey C. Sedayo writes: >>Neil Chick writes: >> + Hardware can be bought to make it happen? >We are currently using a Morningstar router, but I am looking into using a >Semaphore box or Hughes Lan systems Netlock. The morningstar doesn't do so >well at T1 speeds (at least the model that we have). UUNET Technologies also sells a DES-based device named the "LanGuardian" which clips right along at T1 or Ethernet speeds. It's our own product, not an OEM job. Last I checked, the actual engine was rated at approximately 40Mbps, but in practice I think we've run it to 7 or 8Mbps. >> + How do the firewalls distinguish between the two? >> ( I know bit a vague question just pointer would be >> helpful as I'm currently in the dark ;-) ) >I am assume that you are saying how do you tell what to encrypt and what >not to encrypt. The router does it based on IP addresses. Specifically, we use an IP tunnel. The device does have a "clamp-on" mode for some additional functionality. I believe all the standard non-US caveats apply to our product as well, but I'd love to be wrong. Check with our sales people. Contact "sales@uunet.uu.net" for more information. Bob Stratton strat@uunet.uu.net UUNET Technologies, Inc. 
uunet!strat 3110 Fairview Park Dr., Suite 570 Voice) +1 703 204 8000 Falls Church, Va 22042 Fax) +1 703 204 8001 From firewalls-owner Tue Sep 20 12:20:13 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id SAA04652; Tue, 20 Sep 1994 18:03:40 GMT Received: from muse.microunity.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id LAA04646; Tue, 20 Sep 1994 11:03:31 -0700 Received: from gaea.microunity.com by muse.microunity.com (4.1/ericm1.1) id AA01665; Tue, 20 Sep 94 11:07:23 PDT Received: from angst.microunity.com by gaea.microunity.com (4.1/muse1.3) id AA01258; Tue, 20 Sep 94 11:07:27 PDT Received: by angst.microunity.com (5.61/muse.mw-2) id AA11361; Tue, 20 Sep 94 11:07:24 -0700 From: ericm@MicroUnity.com (Eric Murray) Message-Id: <9409201807.AA11361@angst.microunity.com> Subject: Re: internet programs accessible on internal machines? To: marie@XAIT.Xerox.COM (Marie Reale) Date: Tue, 20 Sep 94 11:07:22 MDT Cc: firewalls@GreatCircle.COM In-Reply-To: <9409201703.AA10817@XAIT.Xerox.COM>; from "Marie Reale" at Sep 20, 94 1:03 pm X-Mailer: ELM [version 2.3 PL11] Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Marie Reale wrote: > > My understanding of a firewall is that all internet programs such as > mosaic and xarchie cannot be used on internal workstations. Is this > true? no. > Would users have to directly logon to the firewall to use > these programs? no. > Is there a way they may use these programs on their > workstations? yes. > Thanks for any information, what you do is run what's called a 'proxy server' on the firewall. for mosaic you need socks. for *archie, since it's udp based, you need udprelay. basically, these programs act as surrogates for the real external mosaic or archie servers. your client programs connect to the proxy server, which validates that the client is coming from the correct network, then makes the connection to the outside server. 
once the connection's made, the proxy merely pumps the bits back and forth. you have to recompile clients to use socks, although some client packages are coming already socks-compliant. udprelay doesn't require recompilation. neither requires you to put end-users' accounts on the firewall, in fact that's a bad idea, as it makes the firewall host less secure and more work to administer. check out the papers for ftp in ftp.tis.com:/pub/firewalls. -- ericm ericm@microunity.com
From firewalls-owner Tue Sep 20 12:30:07 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id TAA05075; Tue, 20 Sep 1994 19:03:34 GMT Received: from relay2.UU.NET by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA05069; Tue, 20 Sep 1994 12:03:25 -0700 Received: from outpost.wg.waii.com by relay2.UU.NET with SMTP id QQxifc01991; Tue, 20 Sep 1994 15:07:52 -0400 Received: from airgun.wg.waii.com by outpost.wg.waii.com with SMTP id AA10581 (5.65c/IDA-1.4.4); Tue, 20 Sep 1994 14:07:48 -0500 Received: from de01.denver.waii.com by airgun.wg.waii.com with SMTP id AA02218 (5.65c/IDA-1.4.4); Tue, 20 Sep 1994 14:07:44 -0500 Received: from de11.denver.waii.com by de01.denver.waii.com (4.1/SMI-4.1) id AA17167; Tue, 20 Sep 94 13:03:40 MDT Received: by de11.denver.waii.com (AIX 3.2/UCB 5.64/4.03) id AA43080; Tue, 20 Sep 1994 13:06:56 -0600 Date: Tue, 20 Sep 1994 13:06:56 -0600 From: greg@de11.denver.waii.com (Greg Wimpey) Message-Id: <9409201906.AA43080@de11.denver.waii.com> To: marie@xait.xerox.com Cc: firewalls@greatcircle.com In-Reply-To: <9409201703.AA10817@XAIT.Xerox.COM> (marie@xait.xerox.com) Subject: Re: internet programs accessible on internal machines? Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk
> My understanding of a firewall is that all internet programs such as > mosaic and xarchie cannot be used on internal workstations. Is this > true? Would users have to directly logon to the firewall to use > these programs?
Is there a way they may use these programs on their > workstations? > > Thanks for any information, > > Marie > Not necessarily. While I don't have any personal experience, as our firewall keeps out everything (except mail), there are ways to set up Mosaic, for instance, to use a proxy server. I believe Mosaic uses the SOCKS package to accomplish this. Hope this helps.
From firewalls-owner Tue Sep 20 13:31:27 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id UAA05586; Tue, 20 Sep 1994 20:10:27 GMT Received: from gatekeeper.ddp.state.me.us by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA05580; Tue, 20 Sep 1994 13:10:17 -0700 Received: from localhost by gatekeeper.ddp.state.me.us (8.6.5/1.37) id QAA23688; Tue, 20 Sep 1994 16:13:50 -0400 Date: Tue, 20 Sep 1994 16:13:49 -0400 (EDT) From: David Miller Subject: Re: internet programs accessible on internal machines? To: Greg Wimpey cc: marie@xait.xerox.com, firewalls@GreatCircle.COM In-Reply-To: <9409201906.AA43080@de11.denver.waii.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk
On Tue, 20 Sep 1994, Greg Wimpey wrote: > > > My understanding of a firewall is that all internet programs such as > > mosaic and xarchie cannot be used on internal workstations. Is this > > true? Would users have to directly logon to the firewall to use > > these programs? Is there a way they may use these programs on their > > workstations? > > > > Thanks for any information, > > > > Marie > > > Not necessarily. While I don't have any personal experience, as our firewall keeps > out everything (except mail), there are ways to set up Mosaic, for instance, to > use a proxy server. I believe Mosaic uses the SOCKS package to accomplish this.
There is a socksified version of mosaic out there, but another solution is to use the cern httpd server on the firewall, or on a host outside the firewall to relay all the requests. We use it here and are quite happy with it. Now, if they'd just get a robust pc win client...... > > Hope this helps. > ---------------------------------------------------------------------------- It's *amazing* what one can accomplish when one doesn't know what one can't do!
From firewalls-owner Tue Sep 20 14:29:56 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id UAA05997; Tue, 20 Sep 1994 20:53:11 GMT Received: from names.telcom.wvu.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA05924; Tue, 20 Sep 1994 13:49:40 -0700 Received: from WVUCBLC1.hsc.wvu.edu by names.telcom.wvu.edu (4.1/SMI-4.0:JF-052892) id AA18555; Tue, 20 Sep 94 16:59:21 EDT Received: from WVUCBLC1/MAILQUEUE by WVUCBLC1.hsc.wvu.edu (Mercury 1.11); Tue, 20 Sep 94 16:56:42 +1100 Received: from MAILQUEUE by WVUCBLC1 (Mercury 1.11); Tue, 20 Sep 94 16:56:05 +1100 To: firewalls@GreatCircle.com From: "TYLER LUTZ" Organization: RCB HSC of WVU, CBLC Date: Tue, 20 Sep 1994 16:55:58 EDT Subject: IBM NetSP X-Pmrqc: 1 Priority: normal X-Mailer: WinPMail v1.0 (R2) Message-Id: <15947965D0E@WVUCBLC1.hsc.wvu.edu> Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk
Has anyone any info on the IBM NetSP Firewall product????
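The relay that Eric Murray and David Miller describe in their replies above (a proxy on the firewall that checks the client's source network, makes the outbound connection itself, and then pumps bytes both ways) as an added example; this is not code from the list archive, from SOCKS, or from any product named in the thread. It is a minimal SOCKS4-style CONNECT relay in Python: the allowed networks, the user name "marie", and the loopback echo server standing in for an outside host are all constructed for the demonstration.

```python
import ipaddress
import socket
import struct
import threading
from contextlib import suppress

# Internal networks allowed to use the relay (constructed for this example;
# 127.0.0.0/8 is listed only so the loopback demonstration below works).
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("127.0.0.0/8")]


def client_allowed(peer_ip, allowed=ALLOWED_NETS):
    """Source-network check: an outsider who can reach the firewall must not
    be able to use the relay as a path back inside."""
    return any(ipaddress.ip_address(peer_ip) in net for net in allowed)


def parse_socks4_request(data):
    """SOCKS4 CONNECT: VN=4, CD=1, DSTPORT(2), DSTIP(4), USERID, NUL."""
    end = data.find(b"\x00", 8)
    if len(data) < 9 or data[:2] != b"\x04\x01" or end < 0:
        raise ValueError("not a well-formed SOCKS4 CONNECT request")
    return (str(ipaddress.IPv4Address(data[4:8])),
            struct.unpack("!H", data[2:4])[0],
            data[8:end].decode("ascii", "replace"))


def socks4_reply(granted, ip="0.0.0.0", port=0):
    """SOCKS4 reply: VN=0, CD=90 granted / 91 rejected, DSTPORT, DSTIP."""
    return struct.pack("!BBH4s", 0, 90 if granted else 91, port,
                       ipaddress.IPv4Address(ip).packed)


def pump(src, dst):
    """Copy one direction until EOF, then half-close the other side so the
    peer sees end-of-stream.  Two of these are the 'pump the bits' step."""
    with suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)


def handle(conn, peer_ip, allowed=ALLOWED_NETS):
    """One session: ACL check, handshake, outbound connect, relay.
    Returns a status string the caller would log."""
    with conn:
        if not client_allowed(peer_ip, allowed):
            return "rejected-source"      # dropped before any byte is read
        try:
            # A SOCKS client waits for the reply before sending data, so one
            # read normally holds the whole request (a real relay reads to NUL).
            ip, port, _user = parse_socks4_request(conn.recv(1024))
        except ValueError:
            conn.sendall(socks4_reply(False))
            return "rejected-request"
        try:
            upstream = socket.create_connection((ip, port), timeout=5)
        except OSError:
            conn.sendall(socks4_reply(False))
            return "connect-failed"
        with upstream:
            conn.sendall(socks4_reply(True, ip, port))
            back = threading.Thread(target=pump, args=(upstream, conn))
            back.start()
            pump(conn, upstream)
            back.join()
        return "ok"


def rejected_source_demo():
    """An outside address is refused by handle() without any handshake."""
    a, b = socket.socketpair()
    with a, b:
        return handle(a, "192.0.2.5")


def run_local_session(payload=b"hello through the proxy\n"):
    """Constructed loopback run: an echo server stands in for the outside
    host, the relay sits between, a socksified client talks through it."""
    ext, proxy = socket.socket(), socket.socket()
    for s in (ext, proxy):
        s.bind(("127.0.0.1", 0))
        s.listen(1)

    def echo_once():                       # the "external" server
        c, _ = ext.accept()
        with c:
            c.sendall(c.recv(4096))

    def serve_once():                      # the relay on the firewall
        c, (peer_ip, _) = proxy.accept()
        handle(c, peer_ip)

    for fn in (echo_once, serve_once):
        threading.Thread(target=fn, daemon=True).start()
    got = b""
    with ext, proxy, socket.create_connection(proxy.getsockname(), timeout=5) as cli:
        cli.sendall(struct.pack("!BBH4s", 4, 1, ext.getsockname()[1],
                                ipaddress.IPv4Address("127.0.0.1").packed) + b"marie\x00")
        if cli.recv(8)[1:2] != b"\x5a":    # CD 90 = request granted
            raise RuntimeError("relay refused the connection")
        cli.sendall(payload)
        cli.shutdown(socket.SHUT_WR)
        while chunk := cli.recv(4096):
            got += chunk
    return got
```

The ACL runs before a single request byte is read, which is the property that matters on a dual-homed firewall: the relay is reachable from the outside too, and without the source check it would let an outsider open connections into the internal network. A production relay would also log the USERID and destination per session and read the request up to its NUL terminator rather than trusting a single recv.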
From firewalls-owner Tue Sep 20 15:55:48 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id VAA06290; Tue, 20 Sep 1994 21:28:50 GMT Received: from relay.tis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA06283; Tue, 20 Sep 1994 14:28:38 -0700 Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma009877; Tue Sep 20 17:34:03 1994 Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA14435; Tue, 20 Sep 94 17:31:43 EDT Message-Id: <9409202131.AA14435@tis.com> From: Frederick M Avolio X-Organization: Trusted Information Systems, Inc. X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363 To: ericm@microunity.com (Eric Murray) Cc: marie@xait.xerox.com (Marie Reale), firewalls@greatcircle.com Subject: Re: internet programs accessible on internal machines? In-Reply-To: Your message of Tue, 20 Sep 94 11:07:22 -0600. <9409201807.AA11361@angst.microunity.com> Date: Tue, 20 Sep 94 17:31:30 -0400 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk To add 2 cents to Eric's note.... SOCKS etc. is *one* way to do this. The proxies in the FWTK (and that come with a few commercial products including ours) don't use (don't have to) use SOCKS and so don't need modified clients. Fred > Marie Reale wrote: > > > > My understanding of a firewall is that all internet programs such as > > mosaic and xarchie cannot be used on internal workstations. Is this > > true? > > no. > > > Would users have to directly logon to the firewall to use > > these programs? > > no. > > > Is there a way they may use these programs on their > > workstations? > > yes. > > > Thanks for any information, > > what you do is run what's called a 'proxy server' on the firewall. > for mosaic you need socks. for *archie, since it's udp based, you > need udprelay. basically, these programs act as surrogates > for the real external mosaic or archie servers. 
your client programs > connect to the proxy server, which validates that the client > is coming from the correct network, then makes the connection > to the outside server. once the connection's made, the proxy > merely pumps the bits back and forth. > > you have to recompile clients to use socks, although some client > packages are coming already socks-compliant. udprelay doesn't > require recompilation. neither requires you to put end-users' > accounts on the firewall, in fact that's a bad idea, as it makes > the firewall host less secure and more work to administer. > > check out the papers for ftp in ftp.tis.com:/pub/firewalls. > > > -- > ericm ericm@microunity.com
From firewalls-owner Tue Sep 20 18:30:43 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id BAA08503; Wed, 21 Sep 1994 01:13:35 GMT Received: from gatekeep.genmagic.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id SAA08497; Tue, 20 Sep 1994 18:13:27 -0700 Received: from (genmagic.genmagic.com) by gatekeep.genmagic.com (4.1/SMI-4.1/JBS) id AA07140; Tue, 20 Sep 94 18:18:35 PDT Received: from abulafia.genmagic.com by genmagic.genmagic.com (4.1/SMI-4.1/JBS) id AA15221; Tue, 20 Sep 94 18:18:32 PDT Received: by abulafia.genmagic.com (931110.SGI/930416.SGI) for @genmagic.genmagic.com:ericm@microunity.com id AA07331; Tue, 20 Sep 94 18:18:21 -0700 Date: Tue, 20 Sep 94 18:18:21 -0700 From: jet@abulafia.genmagic.com (J. Eric Townsend) Message-Id: <9409210118.AA07331@abulafia.genmagic.com> To: Frederick M Avolio Cc: ericm@microunity.com (Eric Murray), marie@xait.xerox.com (Marie Reale), firewalls@GreatCircle.COM In-Reply-To: <9409202131.AA14435@tis.com> Subject: Re: internet programs accessible on internal machines? Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk
Frederick M Avolio writes: >To add 2 cents to Eric's note.... SOCKS etc. is *one* way to do this.
The >proxies in the FWTK (and that come with a few commercial products including >ours) don't use (don't have to) use SOCKS and so don't need modified clients. Yes, but do we get source for the FWTK? :-) From firewalls-owner Tue Sep 20 20:29:53 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id CAA09186; Wed, 21 Sep 1994 02:56:24 GMT Received: from gatekeep.genmagic.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id TAA09180; Tue, 20 Sep 1994 19:56:13 -0700 Received: from (genmagic.genmagic.com) by gatekeep.genmagic.com (4.1/SMI-4.1/JBS) id AA07835; Tue, 20 Sep 94 20:01:31 PDT Received: from abulafia.genmagic.com by genmagic.genmagic.com (4.1/SMI-4.1/JBS) id AA15973; Tue, 20 Sep 94 20:01:26 PDT Received: by abulafia.genmagic.com (931110.SGI/930416.SGI) for @genmagic.genmagic.com:firewalls@greatcircle.com id AA07559; Tue, 20 Sep 94 20:01:21 -0700 Date: Tue, 20 Sep 94 20:01:21 -0700 From: jet@abulafia.genmagic.com (J. Eric Townsend) Message-Id: <9409210301.AA07559@abulafia.genmagic.com> To: firewalls@greatcircle.com In-Reply-To: <9409210258.AA02037@matt.itd.uts.edu.au> Subject: Re: internet programs accessible on internal machines? Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk J. Eric Townsend wrote this... > Yes, but do we get source for the FWTK? :-) So, I'm a pinhead, ok? I thought that FWTK was a non-source product. Musta confused it with something else... 
--eric
From firewalls-owner Wed Sep 21 04:43:25 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id KAA12995; Wed, 21 Sep 1994 10:44:33 GMT Received: from chenas.inria.fr by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id DAA12970; Wed, 21 Sep 1994 03:43:59 -0700 Received: from edf.edf.fr by chenas.inria.fr (5.65c8d/92.02.29) via Fnet-EUnet id AA18340; Wed, 21 Sep 1994 12:49:19 +0200 (MET) Received: from cli57aa.asr.ici (cli57aa.der.edf.fr) by edf.edf.fr with SMTP id AA24036 (5.65c8/IDA-1.4.4); Wed, 21 Sep 1994 12:50:22 +0200 Received: by cli57aa.asr.ici (5.0/SMI-SVR4) id AA12591; Wed, 21 Sep 1994 12:50:17 --100 Date: Wed, 21 Sep 1994 12:50:17 --100 From: Yves.Dherbecourt@der.edf.fr (Yves Dherbecourt - IMA/ICI/ASR - 47653790) Message-Id: <9409211050.AA12591@cli57aa.asr.ici> To: chickna@ncp.gpt.co.uk, firewalls@greatcircle.com Subject: Re: Encrypted WANs via the Internet Content-Length: 1404 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk
We designed a box to do DES encryption over insecure IP networks, together with "Bull Ingenierie", a branch of the Bull company specialized in security. Bull Ingenierie is now selling it. Its main characteristics:
 - name: "BNE" (project name = DCC),
 - throughput 5 Mb/s,
 - encryption DES CBC
 - 3 types of traffic, depending on IP addresses:
   . encrypted (key also depending on IP addresses)
   . by-pass with no encryption
   . denied
 - Interfaces: 2 Ethernet ports (same as Ethernet bridge)
 - Price: about 55 000 FF (Don't know in pounds :)
As far as I know, they have rights to export it. For more info, you may contact at Bull Ingenierie: M. Muntzinger 12 rue de Paris - BP 59 78230 LE PECQ Phone: 33-1 30 87 11 00 Fax: 33-1 30 61 51 08 Hope this helps.
#----------------------------------------------------------------------------# # Yves Dherbecourt | Tel : 33-1 47 65 37 90 # # Electricite de France | Fax : 33-1 47 65 35 23 # # DER / IMA / ICI / ASR | Tlx : 631576 # # 1, avenue du General de Gaulle | # # 92141 CLAMART Cedex | Email : Yves.Dherbecourt@der.edf.fr # # France | # #----------------------------------------------------------------------------# From firewalls-owner Wed Sep 21 05:19:46 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id LAA13307; Wed, 21 Sep 1994 11:11:31 GMT Received: from relay.tis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id EAA13300; Wed, 21 Sep 1994 04:11:22 -0700 Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma013448; Wed Sep 21 07:16:47 1994 Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA02772; Wed, 21 Sep 94 07:14:33 EDT Message-Id: <9409211114.AA02772@tis.com> From: Frederick M Avolio X-Organization: Trusted Information Systems, Inc. X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363 To: jet@abulafia.genmagic.com (J. Eric Townsend) Cc: ericm@microunity.com (Eric Murray), marie@xait.xerox.com (Marie Reale), firewalls@greatcircle.com Subject: Re: internet programs accessible on internal machines? In-Reply-To: Your message of Tue, 20 Sep 94 18:18:21 -0700. <9409210118.AA07331@abulafia.genmagic.com> Date: Wed, 21 Sep 94 07:14:31 -0400 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Yes, as well as for Gauntlet. > Yes, but do we get source for the FWTK? 
:-) From firewalls-owner Wed Sep 21 05:30:25 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA13873; Wed, 21 Sep 1994 12:25:49 GMT Received: from csparc.drc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id FAA13867; Wed, 21 Sep 1994 05:25:40 -0700 From: Rich=Gautier%SP-23DC%DRC@S1.drc.com Received: from S1.DRC.COM by csparc.drc.com (4.1/SMI-4.1) id AA11324; Wed, 21 Sep 94 08:29:16 EDT Message-Id: <9409211229.AA11324@csparc.drc.com> Received: by S1.DRC.COM with VINES ; Wed, 21 Sep 94 08:28:31 EDT Date: Wed, 21 Sep 94 08:26:28 EDT Subject: Couple Questions To: Firewalls@GreatCircle.COM Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Does anyone on this list remember a discussion paper that looked at the advantage of having a double-router firewall? I would be interested in not only a pointer to that paper, but also personal feelings and professional opinions on having a dual-router firewall. Rich Gautier rg%seta%drc@s1.drc.com (Happy now?) From firewalls-owner Wed Sep 21 06:31:40 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA13899; Wed, 21 Sep 1994 12:28:27 GMT Received: from csparc.drc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id FAA13893; Wed, 21 Sep 1994 05:28:07 -0700 From: Rich=Gautier%SP-23DC%DRC@S1.drc.com Received: from S1.DRC.COM by csparc.drc.com (4.1/SMI-4.1) id AA11328; Wed, 21 Sep 94 08:31:33 EDT Message-Id: <9409211231.AA11328@csparc.drc.com> Received: by S1.DRC.COM with VINES ; Wed, 21 Sep 94 08:30:16 EDT Date: Wed, 21 Sep 94 08:29:02 EDT Subject: DES Routing Encryption To: Firewalls@GreatCircle.COM Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Do any of you on the list utilize DES Encryption between routers on the Internet to help secure your communications? If yes, 1. How does it affect your router's net-load? Does communication seem to slow down to any noticeable degree? 
Are there studies on it? 2. What type of router are you using? Morningstar? Cisco? Rich Gautier rg%seta%drc@s1.drc.com (Happy now?)
From firewalls-owner Wed Sep 21 07:31:14 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA14509; Wed, 21 Sep 1994 13:43:49 GMT Received: from seachange.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id GAA14502; Wed, 21 Sep 1994 06:43:34 -0700 Received: by seaport.seachange.com id <4537>; Wed, 21 Sep 1994 09:54:01 -0400 From: flint@seachange.com (Andrew Flint) Subject: Re: internet programs accessible on internal machines? To: marie@xait.xerox.com (Marie Reale) Date: Wed, 21 Sep 1994 09:46:17 -0400 Cc: firewalls@GreatCircle.COM In-Reply-To: <9409201703.AA10817@XAIT.Xerox.COM> from "Marie Reale" at Sep 20, 94 01:03:54 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 974 Message-Id: <94Sep21.095401edt.4537@seaport.seachange.com> Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk
According to Marie Reale: > > My understanding of a firewall is that all internet programs such as > mosaic and xarchie cannot be used on internal workstations. Is this > true? Would users have to directly logon to the firewall to use > these programs? Is there a way they may use these programs on their > workstations? On most firewalls some sort of proxy server or special application is required to run mosaic or xarchie through the firewall. Or you have to log onto the firewall to get out. However, we carry the JANUS Firewall Server which, due to a built-in proxy service, is transparent to your internal network so mosaic and all your other networking software is unaffected.
______________________________________________________________________________ Andrew Flint Sea Change Corporation Software Support Engineer (905) 542-9484 flint@seachange.com Firewalls & Networking Solutions From firewalls-owner Wed Sep 21 08:32:12 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA14777; Wed, 21 Sep 1994 14:16:42 GMT Received: from alpha.xerox.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA14771; Wed, 21 Sep 1994 07:16:35 -0700 Received: from reynaldo.parc.xerox.com ([13.2.116.96]) by alpha.xerox.com with SMTP id <14407(7)>; Wed, 21 Sep 1994 07:21:48 PDT Received: from localhost by reynaldo.parc.xerox.com with SMTP id <25545>; Wed, 21 Sep 1994 07:21:35 -0700 To: marie@xait.xerox.com (Marie Reale) Subject: Re: internet programs accessible on internal machines? Cc: web_discuss.all_areas@xerox.com, Firewalls-Digest@greatcircle.com In-reply-to: Your message of "Tue, 20 Sep 94 13:03:54 EDT." Date: Wed, 21 Sep 1994 07:21:32 PDT From: Berry Kercheval Message-Id: <94Sep21.072135pdt.25545@reynaldo.parc.xerox.com> Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk >My understanding of a firewall is that all internet programs such as >mosaic and xarchie cannot be used on internal workstations. Is this >true? Would users have to directly logon to the firewall to use >these programs? Is there a way they may use these programs on their >workstations? As others have so succinctly put it, "no, no, yes". In particular, Xerox maintains a proxy Web server; depending on your machine there are modified clients available to make use of it. I suggest you join the Web-Discuss DL (Web-Discuss:All Areas:Xerox) to get more info. I will send some under separate cover to avoid boring the denizens of Firewalls with internal Xerox matters. 
--berry
From firewalls-owner Wed Sep 21 10:30:49 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA15805; Wed, 21 Sep 1994 16:39:55 GMT Received: from nisc.jvnc.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id JAA15799; Wed, 21 Sep 1994 09:39:47 -0700 Received: from shaddam.usb.ve (shaddam.usb.ve [159.90.10.10]) by nisc.jvnc.net (8.6.4/8.6.4) with SMTP id MAA03513 for ; Wed, 21 Sep 1994 12:44:58 -0400 Received: from scytale.usb.ve by shaddam.usb.ve (4.1/USB-4.5) id AA21308; Wed, 21 Sep 94 12:49:38-040 Message-Id: <9409211649.AA21308@shaddam.usb.ve> To: Firewalls@greatcircle.com Subject: Info on DEC equipment Date: Wed, 21 Sep 1994 12:43:41 -0400 From: "LDC - Luis E. Mun~oz" Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk
Hi: I've seen a lot of questions like this in the list, so I assume they're ok (sorry if I'm wrong). I would like to hear any comments/info/horror stories you may have about DEC routers and terminal servers, especially about the DECbrouter 90. If there's enough interest, I'll summarize the responses. Thanks a lot, and please accept my apologies if this is too off topic. PS. Please reply directly via email. __________________________________________________________ | Luis E. Mu~oz R.
| PGP2.1 Key available via | | Internet: lem@usb.ve | `finger lem@jihad.usb.ve' | | NIC: LEM (lat), LM39 | | | uucp: sun!emsca!usb!lem |==============================| | Phone/Fax: 582-9431402 | These opinions are mine alone| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From firewalls-owner Wed Sep 21 11:32:11 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id RAA16334; Wed, 21 Sep 1994 17:55:18 GMT Received: from netcom13.netcom.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id KAA16328; Wed, 21 Sep 1994 10:55:10 -0700 Received: by netcom13.netcom.com (8.6.9/Netcom) id KAA13024; Wed, 21 Sep 1994 10:55:30 -0700 Date: Wed, 21 Sep 1994 10:55:29 -0700 (PDT) From: Bob Bosen Subject: Re: Need all firewall info To: Charlie Byrne cc: firewalls@GreatCircle.COM, BYRNE@phyto.rsmas.miami.edu In-Reply-To: <940909074730.128@phyto.rsmas.miami.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk
On Fri, 9 Sep 1994, Charlie Byrne wrote: > I need all the info I can get on firewalls. > Pointers to info sources would be much appreciated. > TIA. > > --- > Charlie Byrne * University of Miami * Div of Marine Biology and Fisheries > 4600 Rickenbacker Causeway, Miami, FL 33149 * Voice: (305) 361-4705 > Usual disclaimers apply. > Charlie: We specialize in the subset of firewalls that emphasize positive user authentication: If the most important criterion to you is knowing _who_ is requesting a session into your protected network, we have a lot of information that may be useful to you. You can retrieve this from our anonymous ftp archive site at: ftp.netcom.com /pub/bbosen/Enigma Get the "read.me" file and it will guide you further.
From your request, it seems to me that you would find the information in these directories to be especially useful: /pub/bbosen/Enigma/Cisco /pub/bbosen/Enigma/Pubs/WindowsWrite /pub/bbosen/Enigma/Tutorials/VGA/Grasp/Firewall /pub/bbosen/Enigma/Tutorials/VGA/Grasp/Cisco /pub/bbosen/Enigma/Radius Regards, Bob Bosen Enigma Logic Inc. 2151 Salvio St. #301 Concord, CA 94520 USA Tel: +1 510 827-5707 Internet: bbosen@netcom.com ************************************************************************** * "It wasn't me!!! Somebody must have captured my username/password!!!" * ************************************************************************** From firewalls-owner Wed Sep 21 12:30:48 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id TAA17278; Wed, 21 Sep 1994 19:22:35 GMT Received: from relay1.UU.NET by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA17272; Wed, 21 Sep 1994 12:22:27 -0700 Received: from uucp5.UU.NET by relay1.UU.NET with SMTP id QQxiiv07131; Wed, 21 Sep 1994 15:28:13 -0400 Received: from aadt.UUCP by uucp5.UU.NET with UUCP/RMAIL ; Wed, 21 Sep 1994 15:28:26 -0400 Received: from shadow.sdt.com by aadt (4.1/SUN-2.0hub) id AA13600; Wed, 21 Sep 94 14:13:27 CDT Received: by shadow.sdt.com (5.61) id AA09148; Wed, 21 Sep 94 14:14:14 -0500 From: aaron@sdt.com (Aaron Gair) Message-Id: <9409211414.ZM9146@shadow.sdt.com> Date: Wed, 21 Sep 1994 14:14:14 -0500 X-Mailer: Z-Mail (2.1.5 20sep93) To: firewalls@greatcircle.com Subject: Q: Packet screening on Bastion hosts Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk I am interested in any packet screening products that run on SunOS 5.3. Any information is appreciated. What platforms will DEC's screend run on these days? Is screend freely available? Is the main reason to perform packet screening on bastion hosts to check out source port ( that which packet filtering can not do )? Advantages? 
Thanks in advance, Aaron aaron@sdt.com From firewalls-owner Wed Sep 21 13:31:44 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id TAA17562; Wed, 21 Sep 1994 19:58:41 GMT Received: from cacd1.cacd.rockwell.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA17554; Wed, 21 Sep 1994 12:58:31 -0700 From: RAS@cacdvax.cacd.rockwell.com Date: Wed, 21 Sep 1994 15:03:54 -0500 (CDT) To: firewalls@GreatCircle.COM Message-Id: <940921150354.32403d3e@cacdvax.cacd.rockwell.com> Subject: (Un)Private Mail Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk This is a tangential issue that has come up in our firewall development. Due to the need to have "secure" communications with nonUS sites (which apparently precludes the use of DES-based products) some of our users are promoting the use of "encrypting" functions of compression software (e.g. PKZIP). However, I found the following note on the cc:Mail listserver which tends to discredit this idea. Would anyone on the list care to comment on alternatives to DES and the ease of cracking files encoded by compression software? To: Multiple recipients of list CCMAIL-L On Thu, 1 Sep 1994 09:22:58 EDT Tom Vogl said: > QUESTION: > I am looking for any packages that will allow me to automatically > encrypt messages and their attachments between two postoffices. It's not automatic, but you should consider PGP from ViaCrypt, 602-944-0773, so long as all your users are in the USA. > I would imagine that such a product would be sold as a gateway? Does > anyone know of any products? MIME gateways are starting to add PGP support. 
But you are limited to US access > CHALLENGE: > I've been playing with the idea of using a program such as PKZIP and > setting up some sort of tunneling process between post offices where > outgoing mail to a "secure" post-office would be EXPORTED (text and > attachments) and PKZIPed using the "encrypt with password" option, > IMPORTED, sent to the tunnel user on the report postoffice - exported > unzipped and re-imported and delivered to the user. > > Is this feasible? Does anyone have any idea how to set this up? Sure, send me one of your encrypted zip files! I'll download the zip cracker from Garbo (in Finland) and tell you what your password is ;-) (i.e. it is NOT very secure) Bob Schneider Enterprise Network & Computers ras@cacdvax.cacd.rockwell.com Technical Planning Team ras@131.198.128.114 Rockwell International 400 Collins Road NE M/S 106-103 Cedar Rapids, IA 52498 Voice: 319/395-3863 FAX: 319/395-5999 Comments expressed are strictly my own and are not to be construed as statements endorsed by my employer.
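Bob Schneider's point above, that a zip cracker will hand back the password of a PKZIP "encrypt with password" archive, as an added illustration; this is not code from his message, from PKWARE, or from any cracker. It is a Python implementation of the traditional PKZIP stream cipher behind that option, together with the check-byte test a dictionary cracker relies on. The password, the plaintext and the word list are constructed for the demonstration.

```python
import os
import zlib

# CRC-32 table (polynomial 0xEDB88320), the same one PKZIP uses.
_CRCTAB = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRCTAB.append(_c)


def _crc32_byte(crc, b):
    return _CRCTAB[(crc ^ b) & 0xFF] ^ (crc >> 8)


class ZipCrypto:
    """Traditional PKZIP stream cipher.  Three 32-bit keys are seeded from the
    password and stepped by every plaintext byte; the keystream byte is a
    function of key2 only."""

    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b):
        self.k0 = _crc32_byte(self.k0, b)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_byte(self.k2, self.k1 >> 24)

    def _stream_byte(self):
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            out.append(p ^ self._stream_byte())
            self._update(p)           # keys advance on the plaintext byte
        return bytes(out)

    def decrypt(self, data):
        out = bytearray()
        for c in data:
            p = c ^ self._stream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def zip_encrypt(password, plaintext, header_random=None):
    """Return (crc32, encrypted) the way a ZIP entry stores them: the plaintext
    CRC-32 sits in clear in the local header, and the ciphertext begins with a
    12-byte encryption header whose last byte is the CRC's high byte (PKZIP
    uses the file time's high byte instead when the CRC is not yet known)."""
    rnd = os.urandom(11) if header_random is None else header_random
    if len(rnd) != 11:
        raise ValueError("encryption header needs 11 random bytes")
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    return crc, ZipCrypto(password).encrypt(rnd + bytes([crc >> 24]) + plaintext)


def zip_decrypt(password, crc, encrypted):
    """Decrypt; None when the check byte or the CRC says the password is wrong."""
    z = ZipCrypto(password)
    if z.decrypt(encrypted[:12])[11] != crc >> 24:
        return None                    # 255 of 256 wrong passwords stop here
    plaintext = z.decrypt(encrypted[12:])
    return plaintext if zlib.crc32(plaintext) & 0xFFFFFFFF == crc else None


def crack(wordlist, crc, encrypted):
    """What the zip cracker does: each guess costs one key setup plus twelve
    bytes of decryption before the check byte rejects it, so a dictionary or
    short brute-force run was cheap even on 1994 hardware."""
    for pw in wordlist:
        if zip_decrypt(pw, crc, encrypted) is not None:
            return pw
    return None
```

The cheap attack above is only the start: Biham and Kocher showed in 1994 that the three internal keys can be recovered from about a dozen bytes of known plaintext whatever the password, so the cipher offers no basis for a "secure" mail tunnel.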
From firewalls-owner Wed Sep 21 16:30:38 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id WAA19249; Wed, 21 Sep 1994 22:36:55 GMT Received: from MUWAYB.UCS.UNIMELB.EDU.AU by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id PAA19242; Wed, 21 Sep 1994 15:36:37 -0700 Received: from cardiology.medrmh.unimelb.edu.au by muwayb.ucs.unimelb.edu.au (PMDF V4.2-14 #7200) id <01HHENIDLJW0004R7U@muwayb.ucs.unimelb.edu.au>; Thu, 22 Sep 1994 08:41:00 +1000 Received: from CARDIOLOGY/SpoolDir by cardiology.medrmh.unimelb.edu.au (Mercury 1.13); Thu, 22 Sep 94 8:40:44 +1000 Received: from SpoolDir by CARDIOLOGY (Mercury 1.13); Thu, 22 Sep 94 8:40:25 +1000 Date: Thu, 22 Sep 1994 08:40:24 +1000 From: "Peter Summers, Computer Engineer, Cardiolog" Subject: Re: (Un)Private Mail To: RAS@cacdvax.cacd.rockwell.com, firewalls@GreatCircle.COM Message-id: <33EAE776274@cardiology.medrmh.unimelb.edu.au> Organization: Royal Melbourne Hospital X-Mailer: Pegasus Mail v3.22 Content-transfer-encoding: 7BIT Priority: normal X-Confirm-Reading-To: "Peter Summers, Computer Engineer, Cardiolog" X-pmrqc: 1 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > It's not automatic, but you should consider PGP from ViaCrypt, > 602-944-0773, so long as all your users are in the USA. > > > I would imagine that such a product would be sold as a gateway? Does > > anyone know of any products? If you have non-US users, get them to pull a copy of PGP off a non-US BBS. 
:-) Peter Summers Cardiology Department Phone (+613/03) 342 8727 (B) Royal Melbourne Hospital (+613/03) 387 4203 (H) AUSTRALIA 3050 Fax (+613/03) 347 2808 From firewalls-owner Wed Sep 21 18:30:39 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id AAA20011; Thu, 22 Sep 1994 00:43:18 GMT Received: from dunx1.ocs.drexel.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id RAA20005; Wed, 21 Sep 1994 17:42:56 -0700 Received: from DialupEudora (ts1.noc.drexel.edu [129.25.12.13]) by dunx1.ocs.drexel.edu (8.6.9/8.6.4) with SMTP id UAA12077; Wed, 21 Sep 1994 20:46:49 -0400 Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 21 Sep 1994 20:48:19 -0400 To: "Peter Summers, Computer Engineer, Cardiolog" From: snyderra@dunx1.ocs.drexel.edu (Bob Snyder) Subject: Re: (Un)Private Mail Cc: RAS@cacdvax.cacd.rockwell.com, firewalls@GreatCircle.COM Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk At 6:40 PM 9/21/94, "Peter Summers, Computer Engineer, Cardiolog" > It's not automatic, but you should consider PGP from ViaCrypt, >> 602-944-0773, so long as all your users are in the USA. >> >> > I would imagine that such a product would be sold as a >>gateway? Does >> > anyone know of any products? > >If you have non-US users, get them to pull a copy of PGP off a >non-US BBS. :-) The problem with this, if I recall correctly, is that IDEA (the symmetric algorithm used by PGP) is patented world-wide, and is licensed for PGP non-commercial use. ViaCrypt has (again, if I recall correctly) negotiated a deal with the patenters to use their algorithm in a commercial product. If you want patent-free algorithms, DES is available legally outside the US, despite what the NSA might have you believe. You just need to purchase the devices overseas (for your overseas correspondents, or for you. No law against importing cryptography.
:-) ) Bob -- Bob Snyder N2KGO MIME, PGP, RIPEM mail accepted snyderra@post.drexel.edu PGP & RIPEM keys on key servers When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl. From firewalls-owner Wed Sep 21 19:07:51 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id AAA20098; Thu, 22 Sep 1994 00:56:19 GMT Received: from MUWAYB.UCS.UNIMELB.EDU.AU by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id RAA20092; Wed, 21 Sep 1994 17:56:09 -0700 Received: from cardiology.medrmh.unimelb.edu.au by muwayb.ucs.unimelb.edu.au (PMDF V4.2-14 #7200) id <01HHESFQ5IBK004N1D@muwayb.ucs.unimelb.edu.au>; Thu, 22 Sep 1994 11:01:37 +1000 Received: from CARDIOLOGY/SpoolDir by cardiology.medrmh.unimelb.edu.au (Mercury 1.13); Thu, 22 Sep 94 11:01:20 +1000 Received: from SpoolDir by CARDIOLOGY (Mercury 1.13); Thu, 22 Sep 94 11:00:40 +1000 Received: from SpoolDir by CARDIOLOGY (Mercury 1.13); Thu, 22 Sep 94 9:32:00 +1000 Received: from MUWAYB.UCS.UNIMELB.EDU.AU by cardiology.medrmh.unimelb.edu.au (Mercury 1.13) with ESMTP; Thu, 22 Sep 94 9:31:51 +1000 Received: from hermes.ucs.unimelb.EDU.AU by muwayb.ucs.unimelb.edu.au (PMDF V4.2-14 #7200) id <01HHEP5KDK1C004X0T@muwayb.ucs.unimelb.edu.au>; Thu, 22 Sep 1994 09:28:00 +1000 Received: from ucsvc.ucs.unimelb.edu.au by ucsvc.ucs.unimelb.edu.au (PMDF V4.2-14 #6219) id <01HHEP532TDS8WXOAB@ucsvc.ucs.unimelb.edu.au>; Thu, 22 Sep 1994 09:27:29 +1000 Resent-date: Thu, 22 Sep 1994 11:00:33 +1000 Date: Thu, 22 Sep 1994 09:27:28 +1000 Resent-from: "Peter Summers, Computer Engineer, Cardiolog" From: "PETER SUMMERS, CARDIOLOGY, RMH" Subject: Using IPXPKT to isolate an IP network Resent-to: firewalls@greatcircle.com To: peter@cardiology.medrmh.unimelb.edu.au Resent-message-id: <01HHESFQ61MA004N1D@muwayb.ucs.unimelb.edu.au> Message-id: <01HHEP534OW28WXOAB@ucsvc.ucs.unimelb.edu.au> X-VMS-To: u5533129 MIME-version: 1.0 Content-transfer-encoding: 7BIT Sender: Firewalls-Owner@GreatCircle.COM 
Precedence: bulk X-News: ucsvc.ucs.unimelb.edu.au bit.listserv.novell:46485 From: u5533129@ucsvc.ucs.unimelb.edu.au (Peter Summers, Cardiology, RMH) Subject: Using IPXPKT to isolate an IP network Date: 22 Sep 94 09:26:34 +1000 Message-ID: <1994Sep22.092634.7153@ucsvc.ucs.unimelb.edu.au> We're about to install a UNIX box here which needs to be kept off the Internet. We have very few UNIX machines here, but considerable interest in accessing the Internet from PCs. We have a CISCO AGS+ router, which has no packet filtering set up; IP is passed freely to and from the Internet, but IPX is not being passed. It's not clear that we have the UNIX expertise required to run a firewall. As a quick and dirty fix to protect the UNIX box, I'm proposing the following: The UNIX box sits on an isolated network with one PC. The PC has two ethernet cards, and runs PCROUTE (an IP router program) using packet drivers. The card on the network with the UNIX box runs a standard packet driver. The other card is connected to the rest of the hospital, and runs the IPXPKT driver, which looks like a packet driver to the layers above but encapsulates its IP in IPX. Any machine that wants to talk to the UNIX box has to use the IPXPKT packet driver (or sit behind a similar arrangement to the above). Hence, PCs can connect to the UNIX box, but the UNIX machine is invisible to the Internet, and the Internet is invisible to the UNIX box. All the encapsulated IP networks will use private internet addresses (RFC1597). Additionally, the UNIX box may run a process which checks for Internet machines and raises an alarm if it sees any. The arrangement will fail if the CISCO is changed to route IPX to the world (unlikely), an IPX to IPXPKT router is set up to connect the two networks, or someone sets up an IPTUNNEL to get IPX through the router. Apart from these possibilities, are there any flaws in this design? Also, does anyone know of a version of IPXPKT which can be unloaded?
Thanks, -- Peter Summers Cardiology Department Phone (+613/03) 342 8727 (B) Royal Melbourne Hospital (+613/03) 387 4203 (H) AUSTRALIA 3050 Fax (+613/03) 347 2808 From firewalls-owner Wed Sep 21 19:30:51 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id XAA19559; Wed, 21 Sep 1994 23:48:48 GMT Received: from wolf.arl.mil by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA19552; Wed, 21 Sep 1994 16:48:34 -0700 Date: Wed, 21 Sep 94 23:16:57 GMT From: Mike Muuss To: Yves Dherbecourt - IMA/ICI/ASR - 47653790 cc: chickna@ncp.gpt.co.uk, firewalls@greatcircle.com Subject: Re: Encrypted WANs via the Internet Message-ID: <9409211916.aa25270@wolf.arl.mil> Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > We designed a box to make DES encryption over IP unsecure networks, > together with "Bull Ingenierie", a branch of the Bull company > specialized in security. This whole thread is a bit off the topic of "firewalls". However, since firewalls are bad, and encryption is good (*grin*), I thought I'd chime in. There are similar devices available in the USA. In particular, two of them employ stronger encryption algorithms than DES and are NSA approved for handling classified information, when used with suitable keying material. Xerox makes the XEU (Xerox Encryption Unit?). Wang make the TIU (Trusted Interface Unit?). Both of these devices operate on (at least) Ethernet style host connections. In their simplest form, the device is installed between the host and the Ethernet transceiver, using a second piece of AUI cable. Contact the respective vendors if you need more information. I am also aware of a software package called SWIPE (SoftWare IP Encryption) which provides similar functionality, but uses DES, is not NSA approved, and is freely available in the USA. 
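Referring back to Peter Summers' IPXPKT design above: an added example (not code from the original post) of the "process which checks for Internet machines and raises an alarm" that the isolated UNIX box could run. It assumes the isolated segment and the encapsulated networks use only RFC 1597 private addresses, and it reads constructed BSD netstat-style lines of the form "proto local-addr.port foreign-addr.port state".

```python
"""Alarm check for the isolated UNIX box in the IPXPKT design.

Added example, not part of the original post. Assumes every legitimate
peer of the box lives in RFC 1597 private address space; anything else
showing up as a foreign address means the isolation has been bridged
(for example by an IPX-to-IPXPKT router or an IPTUNNEL).
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# RFC 1597 private blocks. A foreign address outside these is an
# "Internet machine" from this design's point of view.
RFC1597_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1597(ip: str) -> bool:
    """True if ip falls inside one of the RFC 1597 private blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1597_NETS)


def split_endpoint(endpoint: str) -> Optional[Tuple[str, int]]:
    """Split BSD netstat's 'a.b.c.d.port' into (ip, port); None for '*.*'."""
    if endpoint.startswith("*"):
        return None
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def find_internet_peers(netstat_lines: List[str]) -> List[Dict]:
    """Return the connections whose foreign end is outside private space.

    Loopback and wildcard (listening) entries are skipped. Each alarm
    keeps the foreign address and port so the operator can work out
    which path let an outside machine reach the isolated segment.
    """
    alarms = []
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # not a connection line
        proto, local, foreign = fields[0], fields[1], fields[2]
        state = fields[3] if len(fields) > 3 else ""  # UDP has no state
        peer = split_endpoint(foreign)
        if peer is None:
            continue  # listening socket, no peer yet
        ip, port = peer
        if ipaddress.ip_address(ip).is_loopback or is_rfc1597(ip):
            continue  # local or private: expected
        alarms.append({"proto": proto, "local": local, "foreign_ip": ip,
                       "foreign_port": port, "state": state})
    return alarms


# Constructed sample output; 10.1.1.5 stands in for the isolated UNIX box.
SAMPLE_NETSTAT = [
    "tcp 10.1.1.5.23 10.1.2.9.1040 ESTABLISHED",      # PC via IPXPKT/PCROUTE
    "tcp 127.0.0.1.25 127.0.0.1.1033 ESTABLISHED",    # local mail, ignore
    "tcp 10.1.1.5.21 *.* LISTEN",                      # listener, ignore
    "tcp 10.1.1.5.23 198.51.100.7.2001 ESTABLISHED",  # should never happen
    "udp 10.1.1.5.514 203.0.113.4.514",                # also an alarm
]

if __name__ == "__main__":
    for alarm in find_internet_peers(SAMPLE_NETSTAT):
        print("ALARM: non-RFC1597 peer", alarm)
```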
Best, -Mike Muuss Leader, Advanced Computer Systems Team Survivability and Lethality Analysis Directorate The US Army Research Laboratory Attn: AMSRL-SL-BV APG, MD 21005-5068 USA From firewalls-owner Wed Sep 21 19:52:29 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id XAA19550; Wed, 21 Sep 1994 23:46:36 GMT Received: from wolf.arl.mil by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA19543; Wed, 21 Sep 1994 16:46:28 -0700 Date: Wed, 21 Sep 94 22:44:35 GMT From: Mike Muuss To: RAS@cacdvax.cacd.rockwell.com cc: firewalls@greatcircle.com Subject: Re: (Un)Private Mail Message-ID: <9409211844.aa24986@wolf.arl.mil> Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Compression algorithms do offer a degree of privacy, but only for the most casual interception. I include "encrypted" ZIP and the Enigma algorithms in this same group. You get a comparable level of privacy by using UUENCODE or a hex dump to protect your E-mail. PGP and PEM are the only tools that I know of which offer a reasonable degree of privacy without being "controlled cryptographic equipment". PGP does its encryption using the European IDEA algorithm. Friends of mine into crypto tell me it is better than DES. Certainly it supports longer key lengths, for what that is worth. At the moment, I'm taking the quality of PGP largely on faith. If you care enough to protect your E-mail at all, check out PGP and/or PEM.
Best, -Mike Muuss Leader, Advanced Computer Systems Team The US Army Research Laboratory APG, MD 21005-5068 USA From firewalls-owner Wed Sep 21 22:29:51 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id FAA22034; Thu, 22 Sep 1994 05:00:33 GMT Received: from uvs1.orl.mmc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id WAA22028; Wed, 21 Sep 1994 22:00:20 -0700 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA02608; Thu, 22 Sep 94 00:53:35 -0400 Date: Thu, 22 Sep 94 00:53:35 -0400 Message-Id: <9409220453.AA02608@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E.
Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: Encryption Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Can say that the encryption used in PKZIP appears to have the following vulnerabilities: less than eight char is vulnerable to brute force attacks while any length key now appears to be vulnerable to a known plaintext attack. PGP is felt to be vulnerable in 384 bit mode, less so in 512 bit mode, and safe for the immediate future in 1024 bit mode. DES is felt to be attackable in single mode by a well-funded government agency. Triple DES is felt to be safe for the immediate future. Since the algorithm in Skipjack is unknown, its strength has not been independently verified though it is probably effective. Proprietary algorithms are generally viewed with suspicion. Hope this helps, Warmly, Padgett ps the breaking of a specific RSA-129 cipher "ossifrage" is not felt to indicate that RSA as used today is vulnerable though pure RSA is felt to be too slow (PGP uses RSA only for initial key management and IDEA for the actual encryption) for general use. pps to really understand what is going on, get Bruce's book (plug). From firewalls-owner Wed Sep 21 23:29:52 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id FAA22282; Thu, 22 Sep 1994 05:42:26 GMT Received: from gatekeep.genmagic.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id WAA22276; Wed, 21 Sep 1994 22:42:19 -0700 Received: from (genmagic.genmagic.com) by gatekeep.genmagic.com (4.1/SMI-4.1/JBS) id AA17862; Wed, 21 Sep 94 22:47:30 PDT Received: from abulafia.genmagic.com by genmagic.genmagic.com (4.1/SMI-4.1/JBS) id AA27468; Wed, 21 Sep 94 22:47:24 PDT Received: by abulafia.genmagic.com (931110.SGI/930416.SGI) for @genmagic.genmagic.com:Yves.Dherbecourt@der.edf.fr id AA09173; Wed, 21 Sep 94 22:47:08 -0700 Date: Wed, 21 Sep 94 22:47:08 -0700 From: jet@abulafia.genmagic.com (J.
Eric Townsend) Message-Id: <9409220547.AA09173@abulafia.genmagic.com> To: Mike Muuss Cc: Yves Dherbecourt - IMA/ICI/ASR - 47653790 , chickna@ncp.gpt.co.uk, firewalls@GreatCircle.COM In-Reply-To: <9409211916.aa25270@wolf.arl.mil> Subject: Re: Encrypted WANs via the Internet Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Mike Muuss writes: > There are similar devices available in the USA. In particular, two of > them employ stronger encryption algorithms than DES and are NSA approved > for handling classified information, when used with suitable keying > material. Yes, but I believe that some (all?) of these devices are themselves classified, correct? The last time I didn't work with that sort of equipment, it appeared "off-the-shelf" (vendor name/model number on the box) but I was told its existence was classified. (ie: I can't buy one for home or tell people anything about it.) --jet From firewalls-owner Thu Sep 22 06:30:15 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA25467; Thu, 22 Sep 1994 13:09:19 GMT Received: from mbunix.mitre.org by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id GAA25461; Thu, 22 Sep 1994 06:09:10 -0700 Received: from bistromath.mitre.org by mbunix.mitre.org (8.6.4/4.7) id JAA14334; Thu, 22 Sep 1994 09:14:50 -0400 Posted-from: The MITRE Corporation, Bedford, MA Received: from localhost by bistromath.mitre.org (4.1/SMI-4.1-MHS-7.0) id AA28584; Thu, 22 Sep 94 09:12:35 EDT Message-Id: <9409221312.AA28584@bistromath.mitre.org> To: Firewalls@GreatCircle.COM Cc: Firewalls-Digest@GreatCircle.COM, ptrei@mbunix.mitre.org Subject: Re: (Un)private mail. In-Reply-To: Your message of "Thu, 22 Sep 94 01:00:14 PDT." <199409220800.BAA23401@mycroft.GreatCircle.COM> Date: Thu, 22 Sep 94 09:12:35 -0400 From: "Peter G. 
Trei" Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk For non-commercial use, PGP is probably the way to go - interoperable versions are available both inside and outside the US, and scripts to integrate it with a number of popular SMTP mail packages are available. For commercial use, Viacrypt PGP is available in the US, but I'm not sure if there is a non-US version which can be (legally) used commercially (this depends on the patent and licensing status of the IDEA cipher, which is used in PGP for bulk encryption.) While private communication is (for the moment) legal in the US, other countries may have other ideas. In particular, I seem to remember hearing of problems sending encrypted data across the borders of France and Japan. You may wish to check on local laws. The source code for RC4 (a commercial stream cipher) was recently posted to the Internet. Since it was not patented, but kept only as a trade secret, it *may* (note emphasis) be legal to use if you have not signed an NDA with RSADSI. Peter Trei ptrei@mitre.org Disclaimer: I am not speaking for my employer. 
From firewalls-owner Thu Sep 22 07:30:43 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA25904; Thu, 22 Sep 1994 14:16:27 GMT Received: from source.isd.state.in.us by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA25888; Thu, 22 Sep 1994 07:16:13 -0700 Received: from ima.isd.state.in.us by source.isd.state.in.us with SMTP (1.38.193.5/16.2) id AA00105; Thu, 22 Sep 1994 09:23:00 -0500 Received: from ccMail by IMA.ISD.STATE.IN.US (IMA Internet Exchange) with VIM id e81932d0; Thu, 22 Sep 94 09:22:37 -0500 Mime-Version: 1.0 Date: Thu, 22 Sep 1994 09:21:56 -0500 Message-Id: From: "KEVIN_T._LIKES"@IMA.ISD.STATE.IN.US To: firewalls@greatcircle.com Subject: Speed of Firewalls Content-Type: text/plain Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk I'm looking into implementing a firewall for our organization. I've gotten a lot of useful information from this mailing list, as well as from the firewalls book and other net sources. I've realized of late that there are a couple of requirements we have that I haven't seen much talked about. The first item is the speed of traffic through the firewall. My manager would like us to design the firewall to be capable of passing about an ethernet's worth of traffic, the idea of course being to plan for future capacity now. If we were just doing packet screening, this would be fairly simple (as far as I can tell), but we need an application gateway that can handle PC-based applications which are not necessarily designed to be used through a firewall. I realize that this is probably unrealistic, but we do want to get as much speed as possible. Another concern is the user interface. We have a large number of users who are not technically sophisticated and are used to having GUI interfaces for everything. 
A lot of firewall solutions I have seen involved the user telnetting to one host, and getting out from there with a text based interface. Can the firewall machine intercept the traffic and pass it on in a way which is transparent to these users? The configuration we will be using will look something like the Plan B setup in the Firewalls book. That is, screening routers on either side of a dual-homed gateway host. We want to allow outward access to HTTP, NNTP, Telnet, Gopher, and FTP. Incoming, we would allow only Telnet and FTP with authentication. My big concerns are what hardware/OS to use for the gateway host, and what firewall software would fit into our plans. We really need off-the-shelf solutions, because we don't have the in house manpower to do the development. Any information you can give me would be appreciated. Kevin T. Likes email: Kevin_T._Likes@ima.isd.state.in.us klikes@ideanet.doe.state.in.us. phone: (317) 233-0521 fax: (317) 232-0748 100 N. Senate Avenue Room N551 Indianapolis, IN 46204 From firewalls-owner Thu Sep 22 14:30:42 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id UAA28264; Thu, 22 Sep 1994 20:48:29 GMT Received: from post.demon.co.uk by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA28257; Thu, 22 Sep 1994 13:48:13 -0700 Received: from demon.demon.co.uk by post.demon.co.uk id ab25852; 22 Sep 94 21:42 GMT-60:00 Received: from cellnet.co.uk by demon.demon.co.uk id aa25545; 22 Sep 94 21:42 BST Received: from ford with uucp; Thu, 22 Sep 94 20:34:14 From: Steve Kennedy Message-Id: <9336.9409221934@ford.gbnet.org> Subject: Re: (Un)Private Mail To: dunx1.ocs.drexel.edu!snyderra@cellnet.co.uk Date: Thu, 22 Sep 1994 20:34:14 +0100 (BST) Cc: cardiology.medrmh.unimelb.edu.au!PETER@cellnet.co.uk, cacdvax.cacd.rockwell.com!RAS@cellnet.co.uk, greatcircle.com!firewalls@cellnet.co.uk In-Reply-To: from "Bob Snyder" at Sep 21, 94 08:48:19 pm X-Mailer: ELM [version 2.4 PL24alpha3] 
Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1088 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk According to Bob Snyder > The problem with this, if I recall correctly, is that IDEA (the symmetric > algorithm used by PGP) is patented world-wide, and is licensed for PGP > non-commercial use. ViaCrypt has (again, if I recall correctly) negotiated > a deal with the patenters to use their algorithm in a commercial product. IDEA is licensed by ASCOM Tech in Switzerland; they hold the patent. They have developed a chip called 'Vinci' that implements IDEA in hardware; as far as I know this is the ONLY hardware implementation. IDEA may be used freely in software for non-commercial use. I have their number if anyone wants it. Regards Steve -- ___ |_ ___ ___ Flat 2, 43 Howitt Road (___ | (___) \ / (___) Belsize Park ___) | (___ \/ (___ London NW3 4LU [MIME OK] tel +44-(0)71 483 1169 steve@gbnet.{com,org,net} home (or steve@tel.net) steve@marvin.demon.co.uk Demon Internet Dial-up WWW http://www.demon.co.uk/subscribers/m/marvin/ steve.kennedy@nomura.co.uk work tel +44 71 320 2402 From firewalls-owner Thu Sep 22 23:30:19 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id GAA01038; Fri, 23 Sep 1994 06:11:04 GMT Received: from staff.cs.su.OZ.AU by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id XAA01032; Thu, 22 Sep 1994 23:10:54 -0700 Received: from citec.qld.gov.au by staff.cs.su.OZ.AU (mail from sgcccdc for firewalls@GreatCircle.COM) with MHSnet (insertion MHSnet site: citecub.citec.qld.gov.au); Fri, 23 Sep 1994 16:16:46 +1000 Received: by citec.qld.gov.au (5.0/SMI-SVR4) id AA25734; Fri, 23 Sep 1994 16:15:50 --1000 From: sgcccdc@citec.qld.gov.au (Colin Campbell) Message-Id: <9409230615.AA25734@citec.qld.gov.au> Subject: TIS ftp-gw and PASV To: firewalls@GreatCircle.COM Date: Fri, 23 Sep 94 16:15:49 EST X-Mailer: ELM [version 2.3 PL11]
content-length: 1449 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Hi, Have I missed the boat or what? I do not understand what I am seeing. I am testing ftp-gw and passive ftp in the following config:

----------+-----------------+-----------------+-------
          |                 |                 |
          |                 |                 |
        hosta             hostb             hostc

I run ftp (with passive modifications) to ftp-gw on hostb. A netstat shows

hosta.xxxx hostb.ftp

At the prompt (Name:hostb:blah) I type user@hostc. The connection gets established and netstats show:

hosta.xxxx hostb.ftp
hostb.yyyy hostc.ftp

This I understand and expect. BUT, whenever I do something on hostc, for example an `ls' what I see is:

227 Entering Passive Mode (hostc,133,126)
150 ASCII data connection for /bin/ls (hosta,39096) (0 bytes).

So what netstat shows is:

hosta.xxxx hostb.ftp
hostb.yyyy hostc.ftp
hosta.zzzz hostc.wwww

Why is this happening? I fully expected there to be a connection from hosta.zzzz to hostb.vvvv and hostb.uuuu to hostc.wwww. I am testing so I can develop filters for a firewall that looks like this:

      outside
         |
      router1
         |
   --+------------+----
     |            |
  router2      bastion
     |
   inside

What I am seeing says the firewall must let any connection from the inside go through without going to the bastion first. Is this correct?
Colin From firewalls-owner Fri Sep 23 01:32:30 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id IAA01826; Fri, 23 Sep 1994 08:20:08 GMT Received: from zaphod.axion.bt.co.uk by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id BAA01815; Fri, 23 Sep 1994 01:19:48 -0700 Received: from everest.srd.bt.co.uk by zaphod.axion.bt.co.uk with SMTP (PP); Fri, 23 Sep 1994 09:24:52 +0100 Received: from ariel.srd.bt.co.uk by everest.srd.bt.co.uk; Fri, 23 Sep 94 08:24:59 GMT From: Jake Hill Date: Fri, 23 Sep 94 09:23:37 BST Message-Id: <914.9409230823@ariel.srd.bt.co.uk> To: firewalls@greatcircle.com In-Reply-To: Steve Kennedy's message of Thu, 22 Sep 1994 20:34:14 +0100 (BST) <9336.9409221934@ford.gbnet.org> Subject: (Un)Private Mail Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > IDEA may be used freely in software for non commercial use. I know this crypto stuff is a little off the firewalls track, but lemme just mention SAFER K64, which is another of Massey's ciphers. Unlike IDEA, it is completely non-proprietary. You can use it anywhere. It is designed to be implemented simply in software (it is byte oriented). Anyway, I've mentioned it now. If anyone is interested in more info, gimme a shout directly and I'll see what I can find.
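Referring back to Colin Campbell's ftp-gw/PASV question above: an added example (not code from the original post or from TIS ftp-gw) that parses a 227 reply and reports whether the announced data endpoint is the proxy the client is talking to or some other host, which is what a packet filter around a bastion has to be written to expect. It assumes the RFC 959 form "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; the addresses 10.0.0.1 (hosta), 10.0.0.2 (hostb, running ftp-gw) and 192.0.2.10 (hostc) are constructed.

```python
"""Where does an FTP PASV (227) reply send the data connection?

Added example, not part of the original post or of TIS ftp-gw. The
control channel goes client -> proxy -> server, but the 227 reply seen
above named hostc, so the client opened the data connection straight to
hostc, bypassing the proxy. This check makes that visible.
"""
import re
from typing import Dict, Tuple

# Six comma-separated numbers in parentheses, whitespace tolerant.
PASV_RE = re.compile(
    r"^227\s.*?\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)"
    r"\s*,\s*(\d+)\s*,\s*(\d+)\s*\)"
)


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return (ip, port) announced by a 227 reply; ValueError otherwise."""
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError(f"value out of range in: {reply!r}")
    # RFC 959: port is p1*256 + p2 (133,126 above is port 34174).
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def classify_data_channel(reply: str, control_peer: str) -> Dict:
    """Compare the announced data endpoint with the control channel's peer.

    control_peer is the address the client's control connection goes to
    (the proxy, hostb). If the 227 reply names another host, the data
    connection bypasses the proxy and the filters must either permit that
    direct inside-to-outside connection or the proxy must rewrite PASV.
    """
    ip, port = parse_pasv(reply)
    return {
        "data_ip": ip,
        "data_port": port,
        "bypasses_proxy": ip != control_peer,
        # A PASV listener on a privileged port is never legitimate.
        "suspicious_port": port < 1024,
    }


# Constructed replies: the first is what Colin saw (server address leaked
# through the proxy); the second is what a PASV-rewriting proxy would send.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,133,126)",
    "227 Entering Passive Mode (10,0,0,2,200,1)",
]
PROXY_ADDR = "10.0.0.2"  # hostb

if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        print(reply, "->", classify_data_channel(reply, PROXY_ADDR))
```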
Regards, Jake A.A.&.T..I.N.F.O.R.M.A.T.I.O.N..S.Y.S.T.E.M.S JakeyBaby% mail jhill@srd.bt.co.uk Techno.Crypto.Emusic From firewalls-owner Fri Sep 23 05:30:10 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA03372; Fri, 23 Sep 1994 12:26:45 GMT Received: from znanost.mz.hr by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id FAA03366; Fri, 23 Sep 1994 05:26:13 -0700 Received: from gaus@localhost by znanost.mz.hr (8.6.9/Ultrix 4.2A) id OAA12701; Fri, 23 Sep 1994 14:31:09 +0100 From: gaus@znanost.mz.hr (Damir Rajnovic) Message-Id: <199409231331.OAA12701@znanost.mz.hr> Subject: fs mount on firewall To: firewalls@greatcircle.com Date: Fri, 23 Sep 1994 14:31:08 +0100 (MET) X-Mailer: ELM [version 2.4 PL22] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 887 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Hello, We have had a little discussion about whether it is dangerous for the firewall to mount some partitions from inside (protected) hosts. I have a feeling that that maneuver is dangerous (it jeopardizes the security of inside hosts) but can't explain how. Is it really dangerous to do that kind of thing (firewall mounts a partition of an inside host)? Gaus |-----------------------------------------------------------------| | Damir Rajnovic | E-mail: gaus@znanost.hr | | Ministry of Science and Technology | Voice: (+385 41)46 14 37 | | Strossmayerov trg 4, 41000 Zagreb | | |-----------------------------------------------------------------| | There are no unsolvable problems, but the question is - can you | | accept the solution.
| |=================================================================| From firewalls-owner Fri Sep 23 09:34:34 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id PAA04566; Fri, 23 Sep 1994 15:48:11 GMT Received: from nuchat.sccsi.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id IAA04559; Fri, 23 Sep 1994 08:48:02 -0700 Received: by nuchat.sccsi.com (/\==/\ Smail3.1.25.1 #25.2) id ; Fri, 23 Sep 94 10:49 CDT Received: from gw.lsli.com by gw.lsli.com (AIX 3.2/UCB 5.64/4.03) id AA09883; Fri, 23 Sep 1994 10:48:56 -0500 Received: gw.lsli.com (AIX 3.2/UCB 5.64/4.03) id AA16993; Fri, 23 Sep 1994 10:49:25 -0500 Date: Fri, 23 Sep 1994 10:49:25 -0500 From: ted@gw.lsli.com (Ted Airedale) Message-Id: <9409231549.AA16993@gw> To: firewalls@greatcircle.com Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk To: firewalls@greatcircle.com Subject: Musings on Speed and PORTUS firewall >From: "KEVIN_T._LIKES"@IMA.ISD.STATE.IN.US >Date: Thu, 22 Sep 1994 09:21:56 -0500 >Subject: Speed of Firewalls >I'm looking into implementing a firewall for our organization. I've gotten a >lot of useful information from this mailing list, as well as from the firewalls >book and other net sources. I've realized of late that there are a couple of >requirements we have that I haven't seen much talked about. >The first item is the speed of traffic through the firewall. My manager would >like us to design the firewall to be capable of passing about an ethernet's >worth of traffic, the idea of course being to plan for future capacity now. If >we were just doing packet screening, this would be fairly simple (as far as I >can tell), but we need an application gateway that can handle PC-based >applications which are not necessarily designed to be used through a firewall. >I realize that this is probably unrealistic, but we do want to get as much speed >as possible. PORTUS provides high levels of performance.
FTP performance has been measured using an RS/6000 model 230 and an RS/6000 model 250. Based on these measurements we can project the following ftp throughput for PORTUS.

RS/6000          SPEC    Type   FTP    CPU   BYTES/
Model    MHZ     Int92   LAN    KBS    %     CPU Sec
230      45      28.5    E/N    705    98    700KBS
250      66      62.6    E/N    1000   65    1500KBS
C10      80      90.5    E/N    1000   45    2200KBS
390      67      114.3   E/N    1000   36    2777KBS
R24      71.5    131.5   E/N    1000   31    3228KBS

Ethernet is the obvious bottleneck for RS/6000s models 250 and above. If the LANs are 16 megabit Token Rings we can project the following throughput.

RS/6000          SPEC    Type   FTP    CPU
Model    MHZ     Int92   LAN    KBS    %
230      45      28.5    T/R    705    98
250      66      62.6    T/R    1538   98
C10      80      90.5    T/R    2000   90
390      67      114.3   T/R    2000   72
R24      71.5    131.5   T/R    2000   62

Token Ring is the bottleneck for models C10 and above. If you want more information on PORTUS please e-mail portusinfo@gw.lsli.com, or call LSLI at 1-800-240-5754, or 713-496-1580. Ted From firewalls-owner Fri Sep 23 12:31:12 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id TAA06338; Fri, 23 Sep 1994 19:05:51 GMT Received: from mwunix.mitre.org by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA06331; Fri, 23 Sep 1994 12:05:11 -0700 From: jkahn@smiley.mitre.org Received: from smiley.mitre.org.sit (smiley.mitre.org [128.29.140.20]) by mwunix.mitre.org (8.6.4/8.6.4) with SMTP id PAA07129 for ; Fri, 23 Sep 1994 15:10:32 -0400 Received: from [128.29.140.105] (jkahn-mac.mitre.org) by smiley.mitre.org.sit (4.1/SMI-4.1) id AA26779; Fri, 23 Sep 94 15:10:56 EDT Date: Fri, 23 Sep 94 15:10:54 EDT Message-Id: <9409231910.AA26779@smiley.mitre.org.sit> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM Subject: Questions on the Meaning of Life & Security Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Having read half a hundred or so Firewall Digests, full of debate on lots of things that really don't seem security or firewall related, I must say that to
date I have been disappointed. But, rather than complain, I decided to write this, present a few real questions about some hard problems, throw it out on firewalls, and see what comes back. So, here goes. Two administrative things: First, because I, like you, get a paycheck from my company, I have to make a declaration that everything I am writing represents my own opinions and not necessarily those of my employer. I want to do that early in this message in case you get bored easily and stop reading. To be really honest, I won't really claim that all of the things that follow are my own opinions and brand new original ideas so that: 1) I can anonymously quote opinions expressed by other people, and 2) I can have fun playing the role of devil's advocate if I want. Second, because I like getting that paycheck, I don't have time to answer personalized questions sent directly to me. They are gonna be ignored. If it's worth your time to ask the question, (and there aren't any stupid questions left because someone else already asked them), keep it on the firewalls group and give everyone a crack at it. OK, on to security. I have come away from reading the last month's traffic with the impression that some people think that security is like a one-bedroom condo; once you have it, you have it for life. It ain't that easy as many of us really know. Threats change, technology evolves, the powers-that-be make modifications to the system to meet new mission requirements, and smart people leave without writing down all the good things they knew. So, security is ephemeral. We built a firewall to counter some of the threats to our system. We use the firewall to reduce risks, but we should have our eyes open enough to know that we can never really remove all risks all the time, short of turning the system off. We just aren't smart enough to counter every risk. Also, we start from behind. When vendors make new products, functionality is often imperfect and security is immature.
For competative reasons, very few products if any have been held back from the martket because the security features weren't ready. So, we are finding that we can't remove all risks.Therefore, we spend need to invest our limited money where we can get the biggest bang for the buck. That might be a firewall. A firewall acts as armor for the system, but armor can be pierced. Put in different words, having the firewall is not a guarantee. Worse, we know that things ain't perfect, and even if they somehow were, changing factors in the environments, the data processes, the threats, or even the education of system hackers should mean we have to keep working at it. This means that just because we have a reasonably adequate firewall, we don't want to turn off all the other security mechanisms in our protected system. We also think of software as kinda different from most other things we engineer because it can be used maliciously. Depending on what kind of work we are doing, there are two alternative worst cases. o One worst case attack is one where we have privacy or secrecy as our major concern and someone is reading our stuff and we don't even know we have been compromised. o For others, the worst case is when the attacker wrecks havoc by deleting files, corrupting data, and generally putting the system off the air. This is a lead to the first of my questions: Question 1) If your goal (the goal for your system) is integrity and for my system, it is confidentiality, how does this affect the design of the firewall between them? Would the design be different if both systems have the same security policy? How? Why? We know that a function works when we test it. We may need automated test drivers, a couple of statisticians to formulate the meaningful set of test data, and tools to analyze the results, but we can generally get warm fuzzy feels that the function works as described in the specifications nearly all the time. 
Security is harder in that we need to know that no only do things work as described in the specifications, but that there are no unanticipated things. For example, we need to know that a routine checks a password to verify that it is valid, but we also need to know that it won't accept any invalid passwords, null passwords, etc., or that we can't play tricks with the file containing password parameters. Some people call this positive (it works) and negative (and does nothing else) testing. Dykstra has a quote which when paraphrased says exhaustive testing exhausts the testers. The fact that testers didn't find bugs don't mean that they aren't still there. In fact, someone called long dormant bugs "Methuselah Bugs." Question 2) How the dickens can we measure how good a firewall is? Before we think about the parameters going into making some kind of metric, what should we be measuring? How can we quantify anything except the number of dollars spent on the firewall, and what makes a useful measure? Question 3) How much testing is enough? In the real world, where time and money are limited, how hard do we test these suckers? Do we test till the time runs out? Do we put them on-line half-tested and fix bugs after the fact? Now, this is not a trick question. I know that there are methodologies with unit testing, ....., but how many times is it really used? Even in the DOD arena, sometimes we just seem to go through the motions. Because a firewall system is often smaller than a procurement of a battleship, we don't have the detailed tasking statements, requirement and mission need documents, etc. I mean, lets be real. There is a need to have a computer A connect to computer B and somebody at site A says there are risks here, so lets have a firewall. These things aren't always fully planned. 
If you accept that we have firewalls to manage risks, and that a firewall cannot absolutely, positively, totally, completely, absolutely, you-bet-your-life guaranteed stop all threats, we have a need to have contingency security mechanism to deal with things that come through the firewall. My question here is basic: Question 4) Does anyone really do analysis of their firewall to see what can go wrong and then specifically build a down-hill protection mechanism or reparation mechanism to deal with possible damage? Stated simply, are there firewall risk analyses, and do they affect the system the firewall was built to protect? Do we make changes in a deployed system to rectify bad things that the firewall might not stop? Does analysis of either system affect the other? Do we really analyze anything? Well, there are certainly lots more questions that could be asked, but before I recycle too many electrons, I am going to put these three out and see if there are comments or brickbats. Either will actually be welcome--what I dread most is feeling that no one out there cares about firewalls enough to have opinions. Again, everything said is intented to stimulate discussion, not lawyers, and does not represent my employeer's views. 
Jay Kahn jkahn@mitre.org telephone 703-883-6622 The MITRE Corporation, secretary 703-883-5397 7525 Colshire Drive, facsimile 703-883-1397 McLean, VA 22102-3481 From firewalls-owner Fri Sep 23 13:31:26 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id UAA06895; Fri, 23 Sep 1994 20:10:50 GMT Received: from names.telcom.wvu.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA06879; Fri, 23 Sep 1994 13:08:27 -0700 Received: from WVUCBLC1.hsc.wvu.edu by names.telcom.wvu.edu (4.1/SMI-4.0:JF-052892) id AA06346; Fri, 23 Sep 94 16:18:28 EDT Received: from WVUCBLC1/MAILQUEUE by WVUCBLC1.hsc.wvu.edu (Mercury 1.11); Fri, 23 Sep 94 16:15:14 +1100 Received: from MAILQUEUE by WVUCBLC1 (Mercury 1.11); Fri, 23 Sep 94 16:14:59 +1100 From: "Tyler Lutz" Organization: RCB HSC of WVU, CBLC To: firewalls@GreatCircle.COM Date: Fri, 23 Sep 1994 16:14:51 EDT Subject: Raptor sys. X-Confirm-Reading-To: "Tyler Lutz" X-Pmrqc: 1 Priority: normal X-Mailer: Pegasus Mail/Windows (v1.22) Message-Id: <1A09A404D8C@WVUCBLC1.hsc.wvu.edu> Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Does anyone have info on a product from Raptor systems inc. called Eagle? TYLER LUTZ TLUTZ@WVUCBLC1.HSC.WVU.EDU 304-293-4683 BOX 9015 HEALTH SCIENCES CENTER WEST VIRGINIA UNIVERSITY MORGANTOWN WV 26506 From firewalls-owner Fri Sep 23 20:40:46 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id CAA11703; Sat, 24 Sep 1994 02:50:34 GMT Received: from relay.tis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA07675; Fri, 23 Sep 1994 14:37:08 -0700 Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma013859; Fri Sep 23 17:43:00 1994 Received: from otter.tis.com. 
by tis.com (4.1/SUN-5.64) id AA13806; Fri, 23 Sep 94 17:40:39 EDT From: Marcus J Ranum Message-Id: <9409232140.AA13806@tis.com> Subject: Re: Questions on the Meaning of Life & Security To: jkahn@smiley.mitre.org Date: Fri, 23 Sep 1994 17:44:14 -0400 (EDT) Cc: firewalls@greatcircle.com In-Reply-To: <9409231910.AA26779@smiley.mitre.org.sit> from "jkahn@smiley.mitre.org" at Sep 23, 94 03:10:54 pm Organization: Trusted Information Systems, Inc. Glenwood, MD Phone: 301-854-6889 Content-Type: text Content-Length: 12726 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Many of these questions are very old questions. They're what the Orange Book, etc, were written in response to. It's likely that they're unanswerable. :) jkahn@smiley.mitre.org writes: > Question 1) If your goal (the goal for your system) is integrity and > for my system, it is confidentiality, how does this affect the design of > the firewall between them? Very interesting question. I can imagine some cases where data confidentiality and data integrity were achieved on a fairly open system. This would entail a lot of use of cryptography to protect the files that needed to be protected, and then the rest of the system is pretty much freely accessible. This doesn't mean that security on the system is no longer needed, but if *ALL* you need to protect is your data, then you could (let's imagine) build a secure data dump that was designed for maximum integrity, and have it accessed from systems that were much less strictly managed. Let's pretend I have a black box in my vault, which is physically protected. All the data on that system is stored encrypted, keyed (let's imagine, using PGP or something like it) to the individual users who need access to the data, and to the systems administrator for data that is corporately owned. Let's further imagine that the Data Vault is inherently archival -- all copies of files are retrievable. 
Whenever a file is modified, its digital signature is generated, with the key of the person who modified it, etc, etc. Let's pretend that the only way to access the Data Vault is to be on a workstation with a smart card reader, and every time you open or write a file it validates the transaction.

[I'm waving my hands over some implementation details here, I know -- such as assurance of the client/server link's integrity and the client system's integrity]

What you've just built is a firewall for your data. You're protecting the *data* from unauthorized access. That might be a sensible approach for an organization that needs high integrity data. Personally, I find this somewhat attractive. Periodically you could completely trash the hard disk on your workstation, knowing that the Important Data (like my .newsrc) was on the Data Vault.

Look at it as a spectrum. You can attempt to secure your assets at any level of granularity, with associated costs.

    Data level security->Host-based security->Network security
    ==========================================================

If you secure your data at the level of each individual datum, then you're essentially firewalling off your trusted Data Vault, and requiring strong authentication for each data access. There's some mechanism that needs to be in place to "remember" that you are you, the authenticated user, and the data vault system relies on that.

With host-based security, you prove who you are to the host, which then "remembers" that you are you, and permits you to do whatever you're permitted to do on that host. Here the issue is how to bypass the integrity of that host. Many firewallers argue that this approach doesn't scale very well, since most hosts running general purpose software are pretty easy to break into once you've got access to them. There's also the problem of how to maintain host security on a network, if the networking applications are full of security holes. NFS' transitive trust problems, sendmail, etc, etc -- all combine to make host security in a tightly coupled network environment pretty tricky to achieve. I know some folks who *do* achieve it, but mostly at the expense of fixing huge amounts of broken code and effectively maintaining their own versions of UNIX. [right, Mike? :)]

So, firewalls are added, to provide network-level access control, because host-level (or data level) access control is considered too weak. Here, the user proves who they are to the firewall, and thereby is granted access to the (often) entire network. Clearly, as lots of folks have pointed out, this results in Cheswick's "crunchy shell around a soft, chewy center."

> Security is harder in that we need to know that not only do things work as
> described in the specifications, but that there are no unanticipated
> things. For example, we need to know that a routine checks a password to
> verify that it is valid, but we also need to know that it won't accept any
> invalid passwords, null passwords, etc., or that we can't play tricks with
> the file containing password parameters. Some people call this positive
> (it works) and negative (and does nothing else) testing.

Here's where I usually say something homey about how one thing that helps a lot is to separate the security critical parts of your software from the other parts, and to make them as simple as possible, and as readable as possible. The security critical part of a system should be simple enough to review in the amount of time it takes to drink a cup of coffee (in my case that is about 2 seconds, so make it a pot).

Centralizing security-relevant software results in the "all the eggs in one basket" approach. This is fine, as long as it's a simply designed basket made of titanium. Then you can easily estimate if it is of sufficient strength for what you're trying to protect.

> Question 2) How the dickens can we measure how good a firewall is?
> Before we think about the parameters going into making some kind of metric,
> what should we be measuring? How can we quantify anything except the
> number of dollars spent on the firewall, and what makes a useful measure?

There's this notion of "assurance." When an engineer builds a bridge, he can calculate the amount of strength required by materials, add a "fudge factor" appropriate to how important it is that the material NOT break, and then select a material. So, if you're building a firewall, do the same thing. That's what we here at TIS have been (in so many words) trying to do, and encourage others to do, for some time now.

The important part of the engineering process is where the engineer calculates the strength required by materials. In computer security, this is the risk assessment. You sit down and think real hard about how strong your firewall has to be. What's at stake? What level of attack might you come under? What are the threats?

Then the rest is easy!!! If you've done your risk assessment right, you *CANNOT* make the wrong decisions. :) Like a bridge builder, you've decided what your requirements are, and the strength of your materials, and you'd be criminally negligent to deviate from them. After all, if your bridge must support 500 cars at rush hour, you *CANNOT* spec materials that you believe will only support 200.

Assurance comes from knowing the engineering goals of your system inside and out, and identifying the critical components, and deriving ways to test that they are up to spec. That's why we did the firewall toolkit as an application-level relay. If you set up a dual-homed bastion host with ip forwarding turned off, you should be unable to drive a packet through it. If you can, then you've found a problem. So you *TEST* that and *VERIFY* that you cannot, in fact, drive a packet through it. Once you have verified that, then you *KNOW* that the only way any traffic is going to get through is by passing through some kind of application that forwards it. Then you check the implementation of each application forwarder, and if you're comfortable with them, you have a degree of assurance that you control the situation.

I think it was the Golden Gate, where the engineers built some humongous testing-rig to actually stretch the cables to make sure that they were as strong, and stronger than they were supposed to be. That is assurance. Orange book systems are really into assurance. That's really what the orange book is about.

What I see happening all too often in the firewalls game is that the requirements process drives the implementation, and the actual risk assessment is performed in a smoky room by a bunch of engineers who have already *DECIDED* that they *WILL* have access to services X, Y, and Z. The approach is "we already know what we're going to do -- we're just trying to figure out how." It's somewhat like deciding to make the Golden Gate bridge out of glass, before calculating how strong the materials need to be.

Our approach in the firewall toolkit is to be able to trace the dependency on each component for its security. It's a conservative approach. It's a bit more comforting than, "well, we screened off these ports in the router, so presumably there's no way anyone can talk to our NFS file server."

Assurance in a security system stems from having a clear model of how the system works, including how to verify that each of the pieces that have to work right are indeed working right. The dependencies need to be clear. The rest then becomes implementation details. :)

> Question 3) How much testing is enough? In the real world, where time
> and money are limited, how hard do we test these suckers? Do we test till
> the time runs out? Do we put them on-line half-tested and fix bugs after
> the fact?

See above. You design the system so that you can assert (loudly) what the dependencies and assumptions are. Then you can test them to whatever degree you want. If the system is designed right, the testing falls out of the design. If you can even *describe* a verification strategy, you're heading in the right direction.

Let me try to (briefly) explain a verification strategy for a dual-homed bastion machine running the TIS firewall toolkit (basically, our Gauntlet product):

1) We disable IP routing and forwarding through the system.
   Postulate: No traffic can now pass between the 2 nets
   Verify-by: *TRY* it. Try source-routing, whatever
   Assumptions: There are no mysterious backdoor routing hacks in the kernel that nobody has seen fit to tell anyone about.

2) We disable all network services on the firewall system.
   Postulate: Now there are no applications that will forward traffic, either.
   Verify-by: Use system tools to check for network services that are still running. Keep shutting them off one by one.
   Assumptions: There are no mysterious in-kernel processes that might forward traffic, yet which do not appear in ps, netstat, or other system analysis tools

3) Enable services one by one, testing each one.
   For each service you are enabling {
      Postulate: Understand threats that service may represent even at an application level, e.g.: SMTP may be used to trigger sendmail holes on the inside.
      Verify-by: Each subsystem should have a clearly defined set of tests of proper operation. Also, potentially liable to code review.
      Assumptions: List assumptions for each service forwarder.
   }

Example of a single service from the toolkit, ftp-gw:
   Postulate: May be run w/o privs under chroot() to a restricted area. Does no local file I/O other than to system logs and reading its config file. Does not execute any subshells.
   Verify-by: Code examination. Verify that setuid and chroot worked properly using ps to verify process uid and ofiles to verify process root filesystem.
   Assumptions: There is no backdoor way that a chrooted process w/o root privs can gain them, and un-chroot.

What you're left with is a list of assumptions and a list of tests that can be performed if needed to verify that things are working properly. No, this isn't easy. But it's *POSSIBLE*.

The same methodology could, I suppose, be applied to a screening router-based firewall. For each service permitted in or out, list the threats and how they are blocked, etc, etc.

What you should see quite obviously is that the more services -- the larger your "footprint" -- the more you need to worry about and the less easy it is to achieve a comfort level that everything is functioning as it's supposed to. This is one reason why rushing out and installing the latest version of something c00l is not always a good idea. Besides the risk of a trojan horse like the wu-ftpd one, there might be a protocol flaw introduced in a new version of some protocol.

> Question 4) Does anyone really do analysis of their firewall to see
> what can go wrong and then specifically build a down-hill protection
> mechanism or reparation mechanism to deal with possible damage? Stated
> simply, are there firewall risk analyses, and do they affect the system the
> firewall was built to protect? Do we make changes in a deployed system to
> rectify bad things that the firewall might not stop? Does analysis of
> either system affect the other? Do we really analyze anything?

Well, I think I've already answered this one. :)

mjr.
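The three-step verification strategy in the post above, written out as an added example (not code from the TIS toolkit or from the post): a POSIX shell checklist where each postulate becomes a check that takes its evidence as text, so the same check can be run against live command output or a saved copy. It assumes a sysctl-style 0/1 forwarding flag, Linux-style `netstat -an` columns, and that the proxy's root directory is read from `/proc/PID/root` in place of the post's `ofiles`; all sample evidence is constructed.

```shell
#!/bin/sh
# Added example, not code from the TIS toolkit or from the post: a checklist
# that mirrors the postulate / verify-by / assumptions structure above.
# Each check takes its evidence as text, so it can be fed live command output
# or a saved copy. All sample evidence below is constructed.

# Step 1 postulate: no traffic can pass between the two nets.
# Evidence: the kernel's forwarding flag, e.g. `sysctl -n net.ipv4.ip_forward`
# (assumed sysctl-style 0/1 value; the post does not name a kernel).
forwarding_is_off() {
    [ "$1" = "0" ]
}

# Step 2 postulate: no application forwards traffic either.
# Evidence: `netstat -an` text (assumed column layout:
# Proto Recv-Q Send-Q Local-Address Foreign-Address State).
# Prints every listening TCP socket and every UDP socket whose local port is
# not among the remaining arguments; prints nothing when the postulate holds.
unexpected_listeners() {
    netstat_text=$1
    shift
    allow=" $* "
    printf '%s\n' "$netstat_text" | awk -v allow="$allow" '
        ($1 ~ /^tcp/ && $6 == "LISTEN") || $1 ~ /^udp/ {
            n = split($4, a, /[:.]/)   # port is the last piece of 0.0.0.0:25 or *.25
            port = a[n]
            if (index(allow, " " port " ") == 0) print $1, $4
        }'
}

# Step 3 postulate (ftp-gw): runs without privileges under chroot().
# Evidence: the effective user from `ps -o user=` and the process root
# (assumed from `readlink /proc/PID/root` on Linux; the post uses ofiles).
proxy_confined() {
    [ "$1" != "root" ] && [ -n "$2" ] && [ "$2" != "/" ]
}

# Run all three checks, print one PASS/FAIL line each, and return the number
# of failed postulates (0 when everything verified).
run_checklist() {
    fwd=$1; ns=$2; puser=$3; proot=$4
    shift 4                        # remaining args: allowed ports
    fails=0
    if forwarding_is_off "$fwd"; then
        echo "PASS 1: IP forwarding disabled"
    else
        echo "FAIL 1: IP forwarding flag is $fwd"; fails=$((fails + 1))
    fi
    extra=$(unexpected_listeners "$ns" "$@")
    if [ -z "$extra" ]; then
        echo "PASS 2: only the allowed services are listening"
    else
        echo "FAIL 2: unexpected listeners:"; echo "$extra"; fails=$((fails + 1))
    fi
    if proxy_confined "$puser" "$proot"; then
        echo "PASS 3: proxy runs as $puser with root $proot"
    else
        echo "FAIL 3: proxy runs as $puser with root ${proot:-?}"; fails=$((fails + 1))
    fi
    return $fails
}

# Constructed evidence: a bastion that still has NFS (2049) and portmap (111)
# reachable, which step 2 should flag until they are shut off.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
tcp        0      0 10.0.0.1:25             192.0.2.7:40112         ESTABLISHED'

# Only SMTP (25) and ftp-gw (21) are supposed to be enabled, so this run
# reports one failed postulate (step 2) and leaves the other two passing.
run_checklist 0 "$SAMPLE_NETSTAT" ftpgw /var/chroot/ftp-gw 25 21 \
    || echo "checklist: $? postulate(s) failed"
```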
From firewalls-owner Sat Sep 24 01:29:56 1994
Date: Sat, 24 Sep 1994 03:13:51 -0500 (CDT)
From: "If it's not smokin' it's a software bug - Dave - IS 2136"
Subject: E-MAIL TO DGOETZEL
To: Firewalls

YOUR MESSAGE HAS BEEN SAVED IN MY ACCOUNT - YET I WILL NOT BE ABLE TO REVIEW IT UNTIL OCTOBER 10TH. PLEASE CONTACT... THANK YOU

Dave Goetzel

From firewalls-owner Sun Sep 25 18:30:07 1994
Date: Sun, 25 Sep 94 18:04:44 -0700
From: jet@abulafia.genmagic.com (J. Eric Townsend)
To: firewalls@greatcircle.com
Subject: info on challenge/response password calc vendors

Investigating this technology as a security solution. If you have any information you'd like to share, whether it be "Company X sells it" or "Company Y is great", please let me know.

--
jet@genmagic.com    vox #: USA 415.335.7463
no time for fancy sigs.

From firewalls-owner Sun Sep 25 18:59:27 1994
From: pfalzgmh@eckerd.edu (Marisa H. Pfalzgraf)
Subject: Poor Response on Firewall
To: firewalls@GreatCircle.COM
Date: Sun, 25 Sep 1994 21:16:54 -0400 (EDT)

I'm trying to set up a Sun running Solaris 2.3 as a firewall with IP forwarding turned off and using SOCKS to re-establish functionality for internal machines. Response to any commands such as "ftp", "telnet", etc. is greatly degraded either run directly from the firewall or using SOCKSified software from an internal machine. There is no improvement in response if an IP address is used in the commands in place of a site name. The lag in the response occurs AFTER the "Connected to site.name. Escape character is '^]'." message. Pings to remote systems from the firewall give a normal response time.

In.routed -q (quiet mode) runs on the firewall. In.rdisc (router discovery) is not being run on the firewall or internal machines.
When the Internet router is modified to allow connections to an internal machine vs. the firewall, response is back to normal. The firewall is the primary server for DNS with an internal machine serving as secondary. Snoop has not revealed anything enlightening nor do memory or disk space appear to be causing the problem.

I've monitored this list for several months now, picking up quite a lot of helpful information. I'm looking forward to any suggestions or ideas anyone may offer to help me try and correct this problem.

Thank you in advance!

Marisa Pfalzgraf
pfalzgmh@eckerd.edu

From firewalls-owner Sun Sep 25 20:33:12 1994
To: pfalzgmh@eckerd.edu (Marisa H. Pfalzgraf)
cc: firewalls@GreatCircle.COM
Subject: Re: Poor Response on Firewall
In-reply-to: Your message of Sun, 25 Sep 1994 21:16:54 -0400 (EDT)
Date: Sun, 25 Sep 1994 19:31:27 -0700
From: Brent Chapman

pfalzgmh@eckerd.edu (Marisa H. Pfalzgraf) writes:

# I'm trying to set up a Sun running Solaris 2.3 as a firewall with IP
# forwarding turned off and using SOCKS to re-establish functionality for
# internal machines. Response to any commands such as "ftp", "telnet", etc.
# is greatly degraded either run directly from the firewall or using
# SOCKSified software from an internal machine. There is no improvement in
# response if an IP address is used in the commands in place of a site name.
# The lag in the response occurs AFTER the "Connected to site.name. Escape
# character is '^]'." message. Pings to remote systems from the firewall
# give a normal response time.
#
# In.routed -q (quiet mode) runs on the firewall. In.rdisc (router
# discovery) is not being run on the firewall or internal machines. When
# the Internet router is modified to allow connections to an internal
# machine vs. the firewall, response is back to normal. The firewall is the
# primary server for DNS with an internal machine serving as secondary.
# Snoop has not revealed anything enlightening nor do memory or disk space
# appear to be causing the problem.

I'm pretty sure you have some sort of DNS problem. It sounds like you're getting timeouts when telnet/login tries to figure out the host name of the host you're connecting from. This happens after you get the "Connected ... Escape character is ..." message, and before you get the "login:" prompt. Same with FTP.

Apparently, the packet filtering setup and/or DNS setup you're using for your firewall don't allow the firewall host to do name lookups of IP addresses (or at least not of the addresses you're coming from). If you check your logs, you'll probably find that logins under such circumstances (after the hostname lookup times out) are getting logged with IP address rather than hostname.
-Brent

--
Brent Chapman          | Great Circle Associates  | Call or email for info about
Brent@GreatCircle.COM  | 1057 West Dana Street    | upcoming Internet Security
+1 415 962 0841        | Mountain View, CA 94041  | Firewalls Tutorial dates

From firewalls-owner Sun Sep 25 20:36:38 1994
Date: Sun, 25 Sep 94 19:39:23 PDT
From: dhami@mdd.comm.mot.com (Mandeep S Dhami)
To: firewalls@greatcircle.com
Subject: Re: Questions on the Meaning of Life & Security

Hi,

Posting by Marcus J Ranum seems to imply => You can have data security WITHOUT complete host security (using encryption/smart card etc).

I disagree. If I wanted to get to your data and your data is VERY secure, I will first attack your host (which accesses the data), plant a trojan horse to read your smart-card/password/key as it is retrieved and use that to impersonate you (with respect to the data box) and get to your data.

The bottom line being, IF I want to protect X, not only must X be secure; but so must ALL means to access it. As usual, you are only as secure as the weakest link.

Of course he does mention:

> [I'm waving my hands over some implementation details here, I know --
> such as assurance of the client/server link's integrity and the client
> system's integrity]

I would be interested in how that could be done without COMPLETE security on the accessing machine. In orange book's terms, how do I get a secure path to the data's TCB if I have to go thru' the host's _insecure_ TCB? Or what prevents a trojan horse reading my smart card? Or what prevents a phoney superuser on an insecure host from mapping my reading process's image and getting to my data?

Regards,
Mandeep

From firewalls-owner Sun Sep 25 21:30:58 1994
Date: Sun, 25 Sep 1994 23:30:52 -0500 (CDT)
From: Ken Hardy
Subject: Re: Poor Response on Firewall
To: "Marisa H. Pfalzgraf"
Cc: firewalls@greatcircle.com

Are you sure that your externally-accessible DNS is working properly?
You could be experiencing delays from failed reverse lookups on your firewall's IP address. Long delays upon connection were common for us when we first had a system connected but did not have DNS yet set up to serve queries from the world. Many, many sites do an IP addr to name translation, for logging, I suppose. Some will disallow connections if the lookup cannot be satisfied (ftp.uu.net, e.g.) On Sun, 25 Sep 1994, Marisa H. Pfalzgraf wrote: > I'm trying to set up a Sun running Solaris 2.3 as a firewall with IP > forwarding turned off and using SOCKS to re-establish functionality for > internal machines. Response to any commands such as "ftp", "telnet", etc. > is greatly degraded either run directly from the firewall or using > SOCKSified software from an internal machine. There is no improvement in > response if an IP address is used in the commands in place of a site name. > The lag in the response occurs AFTER the "Connected to site.name. Escape > character it '^]'." message. Pings to remote systems from the firewall > give a normal reponse time. > > In.routed -q (quiet mode) runs on the firewall. In.rdisc (router > discovery) is not being run on the firewall or internal machines. When > the Internet router is modified to allow connections to an internal > machine vs. the firewall, response is back to normal. The firewall is the > primary server for DNS with an internal machine serving as secondary. > Snoop has not revealed anything enlightening nor do memory or disk space > appear to be causing the problem. > > I've monitored this list for several months now, picking up quite a lot of > helpful information. I'm looking forward to any suggestions or ideas > anyone may offer to help me try and correct this problem. > > Thank you in advance! 
> > Marisa Pfalzgraf > > pfalzgmh@eckerd.edu > Ken Hardy ken@bridge.com ----__-_____--__-__--_--__-___-__-__-___------

From firewalls-owner Sun Sep 25 22:31:00 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id FAA25675; Mon, 26 Sep 1994 05:16:58 GMT Received: from gatekeep.genmagic.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id WAA25669; Sun, 25 Sep 1994 22:16:52 -0700 Received: from (genmagic.genmagic.com) by gatekeep.genmagic.com (4.1/SMI-4.1/JBS) id AA21332; Sun, 25 Sep 94 22:22:21 PDT Received: from abulafia.genmagic.com by genmagic.genmagic.com (4.1/SMI-4.1/JBS) id AA01335; Sun, 25 Sep 94 22:22:19 PDT Received: by abulafia.genmagic.com (931110.SGI/930416.SGI) for @genmagic.genmagic.com:firewalls@GreatCircle.COM id AA14951; Sun, 25 Sep 94 22:22:09 -0700 Date: Sun, 25 Sep 94 22:22:09 -0700 From: jet@abulafia.genmagic.com (J. Eric Townsend) Message-Id: <9409260522.AA14951@abulafia.genmagic.com> To: firewalls@GreatCircle.COM In-Reply-To: <9409260116.AA22816@acasun.eckerd.edu> Subject: Re: Poor Response on Firewall Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Marisa H. Pfalzgraf writes: > SOCKSified software from an internal machine. There is no improvement in > response if an IP address is used in the commands in place of a site name. > The lag in the response occurs AFTER the "Connected to site.name. Escape > character is '^]'." message. Pings to remote systems from the firewall > give a normal response time. Two diagnostic suggestions: - run a client from within truss(1) and watch the output in realtime. This sometimes gives insight as to which calls are "stalling". - put a packet sniffer (or use snoop(1M)) on the line and see if something is timing out. I recently saw a problem where a flaky router would stall on the first few packets to be routed to a "new" host. (Took a while to load a new entry into the arp table.)
--eric

From firewalls-owner Mon Sep 26 01:10:58 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA26163; Mon, 26 Sep 1994 07:04:47 GMT Received: from relay1.pipex.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id KAA22054; Sun, 25 Sep 1994 10:38:41 -0700 Received: from smtpgty.saicuk.co.uk by relay1.pipex.net with SMTP (PP) id <23312-0@relay1.pipex.net>; Sun, 25 Sep 1994 18:44:06 +0100 Received: by smtpgty.saicuk.co.uk with Microsoft Mail id <2E85C0FE@smtpgty.saicuk.co.uk>; Sun, 25 Sep 94 18:27:10 GMT From: "Johnson-Bryden, Ian" To: "'Firewalls@GreatCircle.COM'" Subject: 51.7742 (RE: Questions on the Meaning of Life & Security) Date: Sun, 25 Sep 94 17:33:00 GMT Message-ID: <2E85C0FE@smtpgty.saicuk.co.uk> Encoding: 291 TEXT X-Mailer: Microsoft Mail V3.0 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Before some Galactic Hitch Hiker claims that the meaning of life is not 51.7742, we can get together at the end of time to see who got closest and we will probably do better than the people who tried to put a specific value on 'security'. Jay posed some interesting questions. To be contentious, - firewalls are the perfect marketing product. They contain something for everyone, make a number of generic claims, promise much, but guarantee nothing. That does not of course make them an invalid solution, but it does explain some of the content on 'firewalls'. There are enough products on the market to generate endless discussion about the fine technical detail of each product and that should satisfy the technically biased. The policeman is happy because he could ensure that nothing passes through the firewall, the only stronger solution being to seal every computer in concrete. The non-technical are also happy because firewall is a simple concept which anyone can understand. None of this necessarily makes the firewall a good product or a bad product.
What it does mean is that it is a very easy product to identify with. 'Security' is a warm feeling and has no specific value. 'Risk' can be quantified to some extent, subject to some conditions. Discussing firewalls (as the subject is often addressed here) is a bit like addressing the subject of tyres and saying that wheels, suspension systems, and any other vehicle parts, are outside the scope of valid discussion. That's probably the fault of the firewall being such a simple concept. So many folk believe that the only 'security' threat on Internet linked systems is hackers and the only total solution is a firewall. If you accept that proposition, and many people seem to, there is little point wasting time looking at other risks because that will only introduce confusion and may even question the validity of the firewall approach for a specific system. That may move to the core of the problem. There are a growing number of 'security experts' who have read the books, seen the movie, built a firewall and now know everything there is to know about 'security', provided that it spells out FIREWALL. They are very comfortable talking about arcane firewall details because it avoids having to acknowledge that there are any other issues, especially that there will be some situations where a firewall is a very inappropriate solution. To address Jay's questions: Question 1) If your goal (the goal for your system) is integrity and for my system, it is confidentiality, how does this affect the design of the firewall between them? Would the design be different if both systems have the same security policy? How? Why? Comment 1) If Risk has been carefully analysed, it is highly unlikely that any two sites/users will be the same, even within the same organisation.
If two sites adopt a common generic security policy it is likely that they will have fairly similar solutions, but their risk reduction factors will be very different because the policy will apply to different bases and therefore produce different levels of risk modification. That may be the difference between buying clothing designed to fit someone else, or having it made to fit you. In either case, the body is clothed whether the objective was public decency, or protection and warmth. Custom designed clothing might meet both requirements fully at a cost. Off-the-shelf clothing might partly meet both objectives for some people but meet neither for others. Many firewall implementations avoid these difficult areas by deciding that the solution is a firewall and then working backwards to produce a risk policy and identify a risk to justify the decision to implement. Maybe the real problem is the way we use words and the levels of real interest they conceal, hence the enthusiastic debate in some quarters about the need for formal methods in risk evaluation to avoid the confusion and poor definition of natural language. Most folk really do want to believe that there is a simple quick fix for every possible problem and, once executed, that it removes the problem for all time. If we talk about it long enough we will believe that it will become possible. Sadly that's not true and today's risks are probably not tomorrow's risks. Fear and, specifically, fear of hackers sells firewalls. Many people appear to start with the assumption that the firewall is the natural and only way to deal with hackers and that the Internet is crawling with hackers. One recent article actually stated that 83% of the Internet population were hackers. That raises some interesting questions. Passing over how the journalist came up with his figure, or how another writer was prompted to claim that there are 1000 hackers for every company linked to the Internet, it paints an intriguing picture.
If we believe the claims, only a very small number of people use the Internet for non-malicious purposes. Therefore, it could be argued that only malicious users should be connected to the Internet which would then be avoided by every non-malicious user. This could be what happens when new Information Superhighways become available and is the basic conclusion of a number of government reports in different countries. Having decided that the problems are hackers and the automatic total solution is firewall the only thing left to do is decide how to make it work faster, or finer, or something. This opens up exciting conversations about who has the biggest firewall, or the thickest firewall. Identifying the real problem is really tedious when you can just take a simple off-the-shelf solution. Realising that nothing stays the same and risk policies have to be monitored, tested, and modified, the whole thing sounds like real hard work. Trying to decide what 'integrity' and 'confidentiality' are can get very tiring. In some respects, the various evaluation criteria do not help much. The 'Orange Book' concentrates primarily on 'Assurance/Confidence' and the European ITSEC addresses Integrity and Availability, but tries to achieve some nominal mapping to the old US system. FC-FIPS and the international CC talk about the need to marry risk evaluation criteria to 'Standards' and quality management and currently view the levels of assurance most firewallers aim for as too trivial to warrant independent testing. That opens a whole new exciting area for discussion, including whether any vendor should be allowed to present a security product for evaluation unless he already has an ISO9000 ticket. It also extends to questions about the use of computers by people who do not hold certificates of competence and do not have certified and accredited systems.
This may be the consequence of developing data protection legislation and raises the question of whose confidentiality should be protected and what level of integrity should be maintained. It may also question who authorises access to what data. Inhabitants of the European Union are already familiar with the joys of 'standardisation' as evidenced by the considerable sums of money expended by the Commission to define how straight a banana should be and then to draft legislation to exclude unacceptably curved bananas. Another recent triumph has been the efforts to encourage production of square tomatoes. Some of the denizens of 'firewalls' may be about to hit delete, if they haven't already done so, because this has obviously nothing to do with firewalls. NOT SO. You can only imagine what the European Commission could do with firewalls when they get round to it. The first thing would be to rename the concept/product because it does not conform to the Euro Standard for walls (recently condensed to 15 volumes for ease of reading) and it clearly has nothing to do with fires (unless of course someone out there has just developed a coal fired, steam powered model, if they had produced a wheat burning model they would probably qualify for some massive grant aid). Firewallers should start to get concerned because the bureaucrats are getting closer and not all of the legislation will be welcome or helpful. Question 2) How the dickens can we measure how good a firewall is? Before we think about the parameters going into making some kind of metric, what should we be measuring? How can we quantify anything except the number of dollars spent on the firewall, and what makes a useful measure? Comment 2) Maybe we should turn the question around and look at the risk policy testing. If an enterprise has produced an enterprise policy, all of the necessary components will fall out naturally, including the risk policy.
Within the risk policy there will be various sub-sections, such as Internet risk management. From this is built a specification against which every measure can be tested, including any firewall. It also provides the basis for enterprise modelling so that we know in advance what the probable consequences of the forthcoming re-organisation will be. The major problem is that most enterprises have no formal enterprise policy, much less an enterprise-wide risk policy. Instead, they fire-fight and some people attempt to address what they see as a problem but someone else might see as a benefit. For example, a sales manager might consider that getting information to and from his salesmen in the field was a real benefit, while someone else might wish to exclude this option in the interests of 'security'. Some of the dilemmas facing firewall implementors may result from executive decisions being taken, or attempted, too far down the authority chain and therefore without access to sufficient information on requirements and objectives throughout the enterprise. One unattractive aspect of firewalls is the way that they become status symbols. Even IF most Internet users are really hackers, what makes a particular user think that his data holds any interest for hackers. A prime target will be people like Defence Departments who are usually bright enough to make sure that their really sensitive activities don't take place over something like the Internet, but a hacker breaking into a system which allows military personnel to order their lunch for the next five days will be able to claim he broke into a military system and the world assumes he was a heart beat away from launching a nuclear strike on someone. Even ordering lunch may be considered sensitive data in the military because it would potentially enable an enemy to locate all personnel for the next five days and then produce a picture of current deployment and movement.
A commercial organisation might consider the information sensitive but probably would not. However, the CEO who ordered a nine course lunch with the finest wines might not wish his workers to know that when he is resisting their latest pay claim. The question of authority levels returns. During the 1990/91 Gulf War, the Coalition Forces made extensive use of a number of systems, including the Internet, for transmission of sensitive data without any real protection. Under normal circumstances, that data would not have been allowed anywhere near unprotected systems, but at several stages, speed (availability) was a much greater need than data security (assurance), but accurate transmission (integrity) was also very important. The Internet only failed in terms of strict assurance but that was an acceptable risk at the time and under the conditions operating then. However, there is the question about who should authorise such an action. There is also the question about how well we understand the implications of some new communications techniques and technology. The military might have to ask if it is really worth spending billions of dollars and some lives to take out an enemy Command & Control network (and slow their own C4I2 systems through heavy security overhead), when politicians and journalists broadcast vital highly sensitive information through satellite news programmes which the enemy can pick up on his TV set. Commercial users may have to ask similar questions, because some carefully protected information may appear in annual reports and marketing communications. The US SEAL teams may have asked similar questions when they approached a hostile coast under cover of darkness (using costly covert equipment and years of training), only to be greeted by the massed floodlights of the TV news companies as they swam ashore. The only way any individual risk reduction system can be measured in any meaningful way is to measure it against the risk policy.
The only way to produce a reliable risk policy is to produce an enterprise policy. As life is dynamic, requirements will change and that change must be recognised and addressed through modelling before expensive mistakes are made. Question 3) How much testing is enough? In the real world, where time and money are limited, how hard do we test these suckers? Do we test till the time runs out? Do we put them on-line half-tested and fix bugs after the fact? Now, this is not a trick question. I know that there are methodologies with unit testing, ....., but how many times is it really used? Even in the DOD arena, sometimes we just seem to go through the motions. Because a firewall system is often smaller than a procurement of a battleship, we don't have the detailed tasking statements, requirement and mission need documents, etc. Good question. The security evaluation criteria all assume that every one buys computers the same way they buy battleships. The international CC could take this even further by building all sorts of quality control standards and methodologies into the criteria. Unfortunately most vendors don't work that way and neither do most customers, including government agencies. The IT industry is still a cottage industry with innovative products most frequently coming from very small enterprises which do not employ methodologies and seem to operate by writing code on the back of cigarette packs. Many developers consider methodologies as a constraint on their creativity. They produce some attractive functionality and we all rush out and buy it, putting up with the fact that the product has not been tested adequately, has no security functionality and may not be well supported by a vendor struggling to keep up with demand. Eventually the little company becomes a massive corporation. At that point, it becomes more interested in squeezing margin and controlling markets to deny them to new innovative competitors.
Somewhere along the way, the company has started to implement methodologies and to document product, probably changing several times over the years. Now, in a more security aware environment, the vendor tries to add security functionality to a mature product but no one can remember who wrote which bits of early code and what those bits now do. In some cases the product has been layered and patched so many times that it is no longer obvious where any bits of coding sit today. That product cannot successfully pass through independent evaluation under any existing criteria, but it may do if the vendor support folk are determined and creative enough in presenting and re-documenting a mature volume product to make it look like a product specially built to meet a single specific requirement, employing current recognised design methodologies. Vendors do test products for security functionality/performance/compliance and some of these will be reliable. There are products, such as UNIX OS and RDBMS, which have certificates from one or more of the security evaluation groups and this has the benefit of independent testing. Tested modules can be assembled into an integrated solution and tested. The complete system, including administration and other supporting activities and procedures (outside the computer system but which impact on its security) can be accredited and the environment will be monitored regularly and will provide scope for modification to remove weakness and address new forms of attack. Question 4) Does anyone really do analysis of their firewall to see what can go wrong and then specifically build a down-hill protection mechanism or reparation mechanism to deal with possible damage? Stated simply, are there firewall risk analyses, and do they affect the system the firewall was built to protect? Do we make changes in a deployed system to rectify bad things that the firewall might not stop? Does analysis of either system affect the other? 
Do we really analyze anything? Comment 4) Probably most people don't. As security and system administration are often handled by one person, who was originally the system administrator, the first priority is dealing with operational matters and security is something to do in any spare moments. That's one good reason for dividing the duties. We have also got used to having supported product packages. That probably doesn't mean that the vendor is adequately testing a product so much as relying on customers to tell him about the faults they have found. That said, some users take all aspects of risk very seriously and employ extreme methods to reduce them. That may include running private change control procedures for every item of hardware and software and may eventually produce systems which are built from custom modules each of which is very different from the commercially available products they were originally developed from. Other users may consider this unnecessary and costly, but the enterprise which does work this way obviously justified the effort and continues to justify it. The other time issue is how to analyse the information which is available through audit trails. Many systems are able to carry out much more detailed checks than the owners enable. The hope is that potentially hostile actions are picked up as suspect and further checks can be carried out. That may be too late to prevent serious damage but the owner does not have sufficient time to read every report on every possible check. Some highly secure systems would produce so much print out every day that the security officer would have to cut his way into the office with a machete. The answer may be the automated analysis packages which are starting to come onto the market but that does mean that the security officer is depending on someone and something which he may not understand or control.
Ian J-B

From firewalls-owner Mon Sep 26 04:39:59 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id KAA28084; Mon, 26 Sep 1994 10:20:57 GMT Received: from databus.databus.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id DAA28078; Mon, 26 Sep 1994 03:20:46 -0700 Date: Mon, 26 Sep 94 06:17 EDT Message-ID: <9409260617.AA24766@databus.databus.com> From: Barney Wolff To: firewalls@GreatCircle.COM Subject: Re: Poor Response on Firewall Content-Length: 481 Content-Type: text Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Marisa H. Pfalzgraf writes: > SOCKSified software from an internal machine. There is no improvement in > response if an IP address is used in the commands in place of a site name. > The lag in the response occurs AFTER the "Connected to site.name. Escape > character is '^]'." message. Pings to remote systems from the firewall > give a normal response time. I bet it's that the site is using the ident protocol and getting no response.
Barney Wolff

From firewalls-owner Mon Sep 26 07:36:01 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA29435; Mon, 26 Sep 1994 13:38:06 GMT Received: from torga.ci.uminho.pt by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id GAA29429; Mon, 26 Sep 1994 06:37:48 -0700 Received: from pessoa by torga.ci.uminho.pt (5.4.1/140.2) id AA18834; Mon, 26 Sep 1994 15:42:18 GMT Received: by pessoa.ci.uminho.pt (5.4R2.10/140.2) id AA08156; Mon, 26 Sep 1994 14:37:59 +0100 Date: Mon, 26 Sep 1994 14:37:59 +0100 From: mc213012@ci.uminho.pt (tiago faro lima pedroso) Message-Id: <9409261337.AA08156@pessoa.ci.uminho.pt> To: firewalls@greatcircle.com Subject: help Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk

From firewalls-owner Mon Sep 26 08:38:50 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA29985; Mon, 26 Sep 1994 14:50:58 GMT Received: from uvs1.orl.mmc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA29979; Mon, 26 Sep 1994 07:50:50 -0700 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA17690; Mon, 26 Sep 94 10:41:38 -0400 Date: Mon, 26 Sep 94 10:41:38 -0400 Message-Id: <9409261441.AA17690@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: re: Questions & Thanks for all the fish. Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Mandeep writes: >I would be interested how could that be done without COMPLETE security >on accessing machine. In Orange Book's terms how do I get a secure path >to data's TCB if I have to go thru' host's _insecure_ TCB? Or what prevents >a trojan horse reading my smart card? Or what prevents a phoney superuser >on insecure host from mapping my reading processes image and getting to my >data?
Well one way is the same way you can have multi-level compartments on a machine: encryption. This way even if a covert channel mechanism can capture your data in transit, it is useless. Second, there seems to be some confusion here between smart cards and one-time-password tokens. With OTP, it does not matter if the response is recorded since it is only good once. Many smart cards have, if not true OTP, then a cryptographic challenge/response mechanism to authenticate the card. Of course, an important piece of the answer is to have security on the accessing machine (fairly easy if it is a laptop or dedicated desktop *you* have physical control over). As for a trojan horse, this comes under the heading of "access control" - if security is done properly, the TH would not be on the end systems. Warmly, Padgett

From firewalls-owner Mon Sep 26 08:38:56 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA29789; Mon, 26 Sep 1994 14:17:42 GMT Received: from uvs1.orl.mmc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA29783; Mon, 26 Sep 1994 07:17:31 -0700 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA17577; Mon, 26 Sep 94 10:16:09 -0400 Date: Mon, 26 Sep 94 10:16:08 -0400 Message-Id: <9409261416.AA17577@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: Zen and the Art of Network Maintenance Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Ian has given us some very good philosophical comments for the management of Firewalls and Internet communications. Being an engineer (as certified by the great state of Florida), I tend to look at things a little differently. 1) A firewall is the first point of contact for incoming packets and the last point of contact for outgoing ones.
2) A firewall is a single, maintainable "choke point" for extra-organizational communications. For these two reasons, a firewall is a logical place for security. Years ago I came to the conclusion that one large reason for the spread of low level PC viruses (now accounting for over three quarters of all reported infections) was the fact that defenses did not start at the level of the attack, rather most began after the operating system had loaded. As a result, I concentrated my efforts at the BIOS and boot level and some say my software is very good (freeware by the way - part of *my* philosophy). More recently, I have seen the people who once wrote PC viruses turning to the Internet for their kicks hence my interest in firewalls. Just as five years ago I had a vision of what was needed to stop PC viruses, so is there a logical solution to network protection and while tasks at the application level are necessary for some things, they are not appropriate for others like blocking boot sector viruses. Just as BIOS level programs make more sense there, so are Firewalls, Filters, and Active Hubs the logical choice for Network level control. The simple fact is that review of the attacks reported (Panix, Rahul, et al) show that low level or "covert channel" attacks are the most common. Now before anyone gets on me about taking "covert channel" in vain, I suggest examination of NCSC-TG-030 "A Guide to Understanding Covert Channel Analysis of Trusted Systems" particularly the fourth definition posed in para. 2.1: "use entities not normally viewed as data objects to transfer information...". Also, I must admit that part of my attraction is the fact that this particular aspect is still in its infancy with little statistical background on what is good, most filter selections are rule of thumb, and static programming without feedback loops the accepted norm. Just as an example, one concern voiced often is "how do I keep hackers out of the firewall". 
Properly raised since it happens often (particularly if the firewall has "7000" in its DNS name and a Telnet password of "Cisco" - have seen it) but surprising since it is so easy to avoid (use of one-time-password tokens, allow connection only from inside). Even so, this is evidence of so basic a lack that those posing such questions cannot yet conceive of things like active reconfiguration, evasion, and alarming (heck, some routers touted as "firewalls" do not even have event logging - they will though). Just as an example, one security vendor offers a package designed to find TCP/IP vulnerabilities in a system simply by checking for all active nodes and then attempting to open all available sockets (of course the commercial version requires many pictures of dead presidents - several Grovers in fact - while it is fairly simple to write your own with nothing more than a laptop, Turbo C, and the WATTCP libraries). The point is not that the software exists, nor that it is easy to write, but that *most sites could run such a program and not set off any alarms*. To me, one of the first things I would want to know is if anyone were trying to finger/telnet a router/firewall. Think about it. I can see a future in which F,F,& AHs are integral (in fact necessary) parts of single-sign-on and network traffic balancing. Security is secondary to the ease-of-use they will provide. All sensitive extra-site communications will be protected from disclosure (some interesting alternatives to encryption are starting to appear, surprisingly enough from solutions to bandwidth problems with multimedia broadcasts). Integrity will be ensured through automatic error detection and correction at the network layer with adaptive routers and redundant lines will provide Availability. Many view the CIA triangle as opposing forces while it is really evidence of the intertwined nature of the requirements. Often solving one requirement provides serendipitous elevation of others.
This is not going to happen overnight, there are still many problems to be solved along the way but the whole discipline is evolving in a very dynamic manner and *that* is what makes it exciting. Enough philosophy, Padgett

From firewalls-owner Mon Sep 26 11:38:12 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id RAA01830; Mon, 26 Sep 1994 17:47:20 GMT Received: from motgate.mot.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id KAA01813; Mon, 26 Sep 1994 10:46:58 -0700 Received: from pobox.mot.com ([129.188.137.100]) by motgate.mot.com with SMTP (5.67b/IDA-1.4.4/MOT-3.1 for ) id AA13354; Mon, 26 Sep 1994 12:46:35 -0500 Received: from mdd.comm.mot.com (mdisea.mdd.comm.mot.com) by pobox.mot.com with SMTP (5.67b/IDA-1.4.4/MOT-3.1 for ) id AA04945; Mon, 26 Sep 1994 12:46:21 -0500 Received: from dragon.mdd.comm.mot.com by mdd.comm.mot.com (4.1/SMI-4.1) id AA29472; Mon, 26 Sep 94 10:46:15 PDT Received: from sun11k.mdd.comm.mot.com by dragon.mdd.comm.mot.com (4.1/SMI-4.1) id AA29450; Mon, 26 Sep 94 10:46:14 PDT Date: Mon, 26 Sep 94 10:46:14 PDT From: dhami@mdd.comm.mot.com (Mandeep S Dhami) Message-Id: <9409261746.AA29450@dragon.mdd.comm.mot.com> Received: by sun11k.mdd.comm.mot.com (4.1/SMI-4.1) id AA12498; Mon, 26 Sep 94 10:46:13 PDT To: firewalls@greatcircle.com Subject: re: Questions & Thanks for all the fish. Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Hi, My comment was not that data security is not possible, just that popular misconception that data security < host security < network security. (where < is 'easier to secure'). I believe data security => host security (both storing and accessing) + more.
Mandeep

From firewalls-owner Mon Sep 26 12:45:30 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id SAA02690; Mon, 26 Sep 1994 18:59:33 GMT Received: from uu9.psi.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id LAA02682; Mon, 26 Sep 1994 11:59:18 -0700 Received: from firewall.cwa.com by uu9.psi.com (5.65b/4.0.071791-PSI/PSINet) via SMTP; id AA28713 for firewalls@greatcircle.com; Mon, 26 Sep 94 15:02:59 -0400 Received: from cwa.com by firewall.cwa.com (4.1/SMI-4.1) id AA20910; Mon, 26 Sep 94 12:01:30 PDT Received: from chinacat.cwa.com by cwa.com (4.1/CWA-PSI-SMI-1.0) id AA02729; Mon, 26 Sep 94 12:02:27 PDT Date: Mon, 26 Sep 94 12:02:27 PDT From: dmurphy@cwa.com (Dan Murphy) Message-Id: <9409261902.AA02729@cwa.com> To: pfalzgmh@eckerd.edu Subject: Re: Poor Response on Firewall Cc: firewalls@greatcircle.com Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk ----- Begin Included Message ----- I'm trying to set up a Sun running Solaris 2.3 as a firewall with IP forwarding turned off and using SOCKS to re-establish functionality for internal machines. Response to any commands such as "ftp", "telnet", etc. is greatly degraded either run directly from the firewall or using SOCKSified software from an internal machine. There is no improvement in response if an IP address is used in the commands in place of a site name. The lag in the response occurs AFTER the "Connected to site.name. Escape character is '^]'." message. Pings to remote systems from the firewall give a normal response time. .... ----- End Included Message ----- Marisa, We had a similar problem when we first set up our firewall. It turned out to be due to some DNS configuration error at our access provider: their DNS server was sending hostname lookups to our server, but not reverse hostname lookups, which some 'ftp' and 'telnet' applications use to validate the IP address/hostname mapping on incoming connections for audit purposes.
What clued us in to the problem was trying to ftp from our firewall host to ftp.uu.net, which responded with an error message indicating that it wasn't able to validate our firewall's IP address, although it had a good hostname and domain.

Dan Murphy

From firewalls-owner Mon Sep 26 14:36:38 1994
From: Mohamad A Khatoun
Date: Mon, 26 Sep 94 17:24:46 CDT
To: firewalls@greatcircle.com
Subject: xforward as proxy

Greetings,

In an attempt to implement an X proxy on one of our internal firewalls I decided to try the Xforward program. The program left me with several unanswered questions which I hope some of you can answer. Maybe I am not clear on what the program is meant for.

Regards,
Mohamad.

Mohamad A. Khatoun
mak@geis.geis.com
----------------------------------------------------------

1) Is there a document that describes how xforward should be implemented?

2) What does the "-terse" option do? Although the program knows about this option, it is not mentioned anywhere in the man pages. I may have the man pages for a different release of xforward.

3) When I issue the command "export DISPLAY=jupiter:X.Y", does this mean that the X server on the host jupiter should be listening on port 6000 + X, or 6000 + Y, or does no direct relation exist? The code in Xforward is not clear on this issue. It extracts X.Y and adds it to 6000. I may have missed something.
4) Did anyone implement xforward as a proxy on a firewall? I tried to but was not successful. After minor modification to the code I installed it on a firewall called gate01 and attempted the following from an external machine called pluto:

------------------------------------------
pluto> telnet gate01
......
gate01> xforward -display pluto:0.0 -allow jupiter &
"display is gate01:1"
gate01> telnet jupiter
......
jupiter> export DISPLAY=gate01:1
jupiter> xterm
"bad host connect from jupiter x.x.x.x"
.....
------------------------------------------

Note: x.x.x.x is the IP address of jupiter. I have no problem running xforward on the X display server host. Is this program meant to be a proxy on a firewall?

5) Are there other X proxy implementations available on the internet? In particular I am looking for an implementation which allows me to accomplish the following:

a) Filter the X Windows TCP ports (6000+) at the router, except for traffic coming and going to the firewall.

b) Selectively relay X protocol packets between external and internal LANs.

Thanks in advance.

From firewalls-owner Mon Sep 26 16:37:51 1994
From: woods@ncar.ucar.edu (Greg Woods)
Date: Mon, 26 Sep 94 16:47:28 MDT
To: mak@mak.is.ge.com (Mohamad A Khatoun)
Cc: firewalls@GreatCircle.COM
Subject: Re: xforward as proxy

I have looked into this issue.
Xforward by itself is NOT a proxy server in the usual sense, since it requires that one have shell access to the system on which it runs in order to invoke it, and most of the time you want to avoid giving your users real logins on the firewall. So I wrote my own proxy server. It uses the TIS Firewall Toolkit authentication server to authenticate the user first, then prompts for the DISPLAY and the allowed hosts that Xforward needs, then invokes xforward.

If you want to use xforward as a proxy server for X windows connections, you're going to have to write a server front end for it. xforward implements the hard part of a proxy server (which, for this non-X-hacker type, is dealing with the X protocol itself) but you still need a user interface and authentication for it if you want to have a real proxy server for X.

It should also be pointed out that this allows any valid user who is normally allowed to access your network through your firewall using the other TIS proxy servers to open arbitrary holes between any outside host and any X server inside your network, so this is not a good idea for those with a high degree of paranoia.
--Greg

From firewalls-owner Mon Sep 26 18:36:00 1994
From: dhami@mdd.comm.mot.com (Mandeep S Dhami)
Date: Mon, 26 Sep 94 18:14:23 PDT
To: mak@mak.is.ge.com
Cc: firewalls@greatcircle.com
Subject: Re: xforward as proxy

> 3) when I issue the command "export DISPLAY=jupiter:X.Y"
> does this mean that the X server on the host jupiter
> should be listening on port 6000 + X, or 6000 + Y, or
> no direct relation exists. The code in Xforward is not
> clear on this issue. It extracts X.Y and adds it to 6000.
> I may have missed something.

6000+X I believe.
Mandeep

From firewalls-owner Mon Sep 26 19:36:05 1994
From: Marcus J Ranum
Date: Mon, 26 Sep 94 21:45:21 EDT
To: mak@mak.is.ge.com, woods@ncar.ucar.edu
Cc: firewalls@GreatCircle.COM
Subject: Re: xforward as proxy

>I have looked into this issue. Xforward by itself is NOT a proxy server
>in the usual sense, since it requires that one have shell access to the
>system on which it runs in order to invoke it, and most of the time you
>want to avoid giving your users real logins on the firewall. So I wrote
>my own proxy server. It uses the TIS Firewall Toolkit authentication
>server to authenticate the user first, then prompts for the DISPLAY
>and the allowed hosts that Xforward needs, then invokes xforward.

The TIS toolkit next version (due out REAL SOON NOW) has an X proxy that is integrated with the rest of the toolkit. Access to the X proxy is via the tn-gw and rlogin-gw proxies. One simply telnets to the firewall, tells it "x-gw" and connects to the remote system. Meanwhile, the proxy is kicked off with its display set back to your system (there's an option for setting it to another system) -- then you simply set your DISPLAY and work from there. It's much like the DEC version, but for various reasons we found it easier to re-invent the wheel than to include xforward.

mjr.
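Two of the rules a relay front end of the kind Greg and mjr describe has to get right, as an added example that is not code from xforward, the TIS toolkit or any poster: the DISPLAY-to-port mapping Mandeep gives above (6000 + X; the screen number Y plays no part), and an -allow style host check that confirms the peer's reverse DNS name with a forward lookup, the validation Dan Murphy's message says ftp and telnet daemons perform. Host names, the 192.0.2.0/24 addresses and the resolver tables are constructed.

```python
import re
from typing import Callable, Dict, List, NamedTuple, Optional

X_BASE_PORT = 6000  # the X server for display number N listens on TCP 6000 + N


class XDisplay(NamedTuple):
    host: Optional[str]  # None when DISPLAY names a local (unix-domain) transport
    display: int         # the "X" in host:X.Y
    screen: int          # the "Y" in host:X.Y, 0 when omitted


# host:display[.screen]; hostname or dotted IPv4 host part only, as in the thread
_DISPLAY_RE = re.compile(r"^(?P<host>[^:]*):(?P<display>\d+)(?:\.(?P<screen>\d+))?$")


def parse_display(value: str) -> XDisplay:
    """Parse DISPLAY values such as 'jupiter:1.0', 'gate01:1', ':0' or 'unix:0.2'."""
    m = _DISPLAY_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed DISPLAY value: {value!r}")
    host = m.group("host")
    if host in ("", "unix"):
        host = None
    return XDisplay(host, int(m.group("display")), int(m.group("screen") or 0))


def x_tcp_port(d: XDisplay) -> int:
    """TCP port for a display: 6000 + display number; the screen is ignored."""
    if d.host is None:
        raise ValueError("local transport: no TCP port to relay to")
    return X_BASE_PORT + d.display


# Resolver callbacks, so the check runs offline against constructed tables:
# reverse(ip) -> PTR name or None; forward(name) -> list of addresses.
ReverseLookup = Callable[[str], Optional[str]]
ForwardLookup = Callable[[str], List[str]]


def confirmed_hostname(peer_ip: str, reverse: ReverseLookup,
                       forward: ForwardLookup) -> Optional[str]:
    """Forward-confirmed reverse DNS: trust the PTR name only if it maps back to peer_ip."""
    name = reverse(peer_ip)
    if name is None:
        return None
    if peer_ip not in forward(name):
        return None  # the PTR record does not agree with the forward zone
    return name.lower().rstrip(".")


def client_allowed(peer_ip: str, allow: List[str], reverse: ReverseLookup,
                   forward: ForwardLookup) -> bool:
    """Admit a connecting host only if its confirmed name is on the -allow list."""
    allowed = {h.lower().rstrip(".") for h in allow}
    name = confirmed_hostname(peer_ip, reverse, forward)
    return name is not None and name in allowed


# Constructed sample DNS data (TEST-NET addresses, not real hosts).
PTR_TABLE: Dict[str, str] = {
    "192.0.2.20": "jupiter.example.org",
    "192.0.2.30": "pluto.example.org",
    "192.0.2.99": "jupiter.example.org",  # PTR claims jupiter; forward zone disagrees
}
A_TABLE: Dict[str, List[str]] = {
    "jupiter.example.org": ["192.0.2.20"],
    "pluto.example.org": ["192.0.2.30"],
}


def sample_reverse(ip: str) -> Optional[str]:
    return PTR_TABLE.get(ip)


def sample_forward(name: str) -> List[str]:
    return A_TABLE.get(name, [])


def relay_decision(peer_ip: str, display: str, allow: List[str]) -> str:
    """One-line verdict, as a front end might log it, for a client connecting
    to the relay that was started with -display <display> -allow <allow>."""
    if not client_allowed(peer_ip, allow, sample_reverse, sample_forward):
        return f"bad host connect from {peer_ip}"
    d = parse_display(display)
    return f"relay {peer_ip} -> {d.host}:{x_tcp_port(d)} (screen {d.screen})"


if __name__ == "__main__":
    print(relay_decision("192.0.2.20", "pluto:0.0", ["jupiter.example.org"]))
    print(relay_decision("192.0.2.99", "pluto:0.0", ["jupiter.example.org"]))
```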
From firewalls-owner Mon Sep 26 22:35:54 1994
From: sdw@lig.net (Stephen D. Williams)
Date: Tue, 27 Sep 1994 01:30:27 +0000 (GMT)
To: dhami@mdd.comm.mot.com (Mandeep S Dhami)
Cc: firewalls@GreatCircle.COM
Subject: Re: Questions on the Meaning of Life & Security

>
> Hi,
>
> Posting by Marcus J Ranum seems to imply => You can have data security
> WITHOUT complete host security (using encryption/smart card etc).
>
> I disagree. If I wanted to get to your data and your data is VERY secure,
> I will first attack your host (which accesses the data), plant a trojan horse
> to read your smart-card/password/key as it is retrieved and use that to
> impersonate you (with respect to the data box) and get to your data. The
> bottom line being, IF I want to protect X, not only must X be secure; but so
> must ALL means to access it. As usual, you are only as secure as the weakest
> link.

Obviously if the environment executing the programs that get access to the data is compromised, so is the data. However, it is no problem having insecure servers on the route between the source (database/server) and destination (PC/terminal/workstation/secure host). All that is needed is public key (or possibly symmetric keys) and a completely encrypted link, along with a proper 3 way handshake, a la Kerberos.

...
> Regards,
> Mandeep
>

sdw
--
Stephen D. Williams  Local Internet Gateway Co.; SDW Systems  510 503-9227APager
LIG dev./sales  Internet: sdw@lig.net  In Bay Area Aug94-Feb95!!!
OO R&D Source Dist.  By Horse: 2464 Rosina Dr., Miamisburg, OH 45342-6430
Internet Consulting  ICBM: 39 38 34N 84 17 12W home, 37 58 41N 122 01 48W work
Newbie Notice: I speak for LIGCo., CCI, myself, and no one else, regardless of where it is convenient to post from or thru.
From firewalls-owner Tue Sep 27 05:38:00 1994
From: BLUMENTH@eglin.af.mil
Date: Tue, 27 Sep 1994 06:49:27 -0600 (CST)
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls Digest V3 #327

unsubscribe firewalls-digest

BLUMENTH@eglin.af.mil

From firewalls-owner Tue Sep 27 07:37:40 1994
From: "Johnson-Bryden, Ian"
Date: Tue, 27 Sep 94 10:35:00 GMT
To: "'Firewalls@GreatCircle.COM'"
Subject: Oranges and the Science of Risk Management

Padgett makes some valid engineering points about virus defence and barriers, but that is dealing with identified problems. If an enterprise has unlimited funds, it may be possible to make the case for taking every possible precaution against every conceivable threat. Usually, though, life is a series of priorities drawn from probability of threat against operational needs and available budgets.

The analysis of risk, and enterprise organisation and method, should provide the basis from which all actions and counter actions can be based. There is often great potential for reducing risks at a profit. Changes in personnel selection and training may dramatically reduce a range of risks and produce a more efficient enterprise. Withdrawal from a particular market may reduce a number of risks, including those of terrorist attack. There are many examples which can be given of risk reduction which is achieved and financial advantage gained with little or no investment in technology.
Specific technical solutions may support opposing arguments of equal force. It could be argued that the implementation of a firewall reduces availability because it imposes restrictions on the free flow of communication and introduces an operational overhead. An equally valid argument could be that implementation of a firewall increases availability because otherwise a particular enterprise could not risk connection to the Internet, and therefore no firewall equals zero availability. Between those two arguments there are many shades of grey.

Air gapping may, or may not, avoid the need for a firewall but still enable the enterprise to access the Internet, and some might regard air gapping as the ultimate firewall, or at least a water filled moat. The lack of physical connection between private networks and the Internet server makes hacking rather difficult.

If the risk analysis shows a threat which requires the implementation of a firewall to reduce the probability of identified risk to an acceptable level, there is considerable choice in the level of blocking, and multiple firewalls may be employed. In the event that a firewall, or several firewalls, is/are considered necessary, that does not mean that all identified risks have been reduced to an acceptable level. There may be a need to employ a range of other techniques, including protection of packets as they transit the Internet and protection and segregation of data within the elements of the private networks.

Multi-level security can provide improved availability and increased assurance and increased integrity because requirements can be streamed and the heaviest protection is only applied to those transactions and data which demand it. If a classification system sets four levels, 80% of all transactions, subjects and data will probably sit at the lowest level. Less than 2% will sit at the highest level.
Therefore a system which recognises these divisions will be able to provide adequate protection for the highest level without slugging the mass of data/transactions at the lower levels. If a personnel policy provides an accurate clearance system on a need-to-know basis, risk is further reduced with potential improvements in assurance, integrity and availability because only duly authorised personnel will be able to transact business electronically.

That's much like a situation in a machine shop where dangerous machinery has to have safety guards fitted, but no system is idiot proof. An intelligent manager would ensure that only qualified people have access to the machine shop and only people qualified to operate, or maintain, the machine are able to do so. He would also be wise to ensure that correct tools were fitted to the machine for a specific purpose and matched the materials and the job requirements.

In the event of a number of security systems being implemented there are the questions of who controls everything and where from. Some may be able to make a sound case for a central security officer who manages risk through a bastion firewall installation. Equally, it could be necessary to have regional, site and even work group security controls, combine the functions of security officer and system administrator, or operate control from something other than a bastion firewall installation. Every enterprise will have some common generic threats, but each case will differ in detail and need to apply different priorities.

One example of narrow and inadequate risk management is police criminal intelligence computer systems. The US Federal Bureau of Investigation claims that its system has never been penetrated by a hacker. Similar organisations in other countries make similar claims about their equivalent systems.
It may be that the claims are not justified, but they have each spent a chunk of money on security devices to protect all links with the outside world and they do manage those devices. However, every CIC has been compromised. The FBI is well aware that a range of unauthorised people routinely and illegally obtain information from the system, and periodically some of these folk are brought to trial. The primary route for information is through authorised users who use information in an unauthorised manner, usually for money and often for very small sums of money. The typical rate for bank statements and police records from their respective systems is typically US$75 in most western countries. At those prices, even small private investigating companies can afford to make frequent use of this illegal service, and who needs hackers.

In the CIC example, the other major problem is integrity of data. Once a record has got into the system, it seems very difficult to remove or correct it if it is found to be inaccurate. That's all part of the risk management requirements, and it may be that a firewall provides part of the answer in some of the systems, but that's not much comfort to the person who is lying nose down in the snow with a very large gun in his ear as a result of someone making a data entry error. It's even less comforting when it happens several times because no one removed the errors after the first incident.

Ian J-B.
From firewalls-owner Tue Sep 27 12:40:05 1994
From: leo@clinicom.com (Leo Plotkin)
Date: Tue, 27 Sep 94 12:55 MDT
To: Firewalls@greatcircle.com
Subject: lobotomizing unix

Hi all,

I've got a unix-centric firewall related question. Is there any reason to keep any UID 0 users on the firewall gateway box?

Binding processes to ports < 1024 is not a problem. I tracked down and quickly browsed through the bind() syscall implementation in the FreeBSD kernel and didn't find anything which would prohibit me from either removing the concept of 'privileged port' completely or allowing some user ID other than 0 to bind to such ports without opening up anything else. I suspect this is fairly typical of unixish kernels in general.

Maintenance could all be done by rebooting the firewall in single user mode. Rebooting itself is easy enough to do if all disk partitions are normally mounted read-only -- just tell Eeeegor to fleep zee sveeech.

The general concept I'm kicking around is having the boot rc file execution process become un-root at some point after mounting disks and doing similar burly root things, but before firing off any bloated potentially security hole laden processes like inetd. Once the UID of 0 is shed, there wouldn't be any way to get it back. Given a complete lack of setuid 0 executables on the machine, of course.
My reasoning is that even if some maladjusted bozo is able to use an obscure back door in inetd's 'echo' implementation to get at a shell on my gateway, it wouldn't help them. The read & execute permissions throughout the machine would be set up to deny everything with extreme prejudice. Our hypothetical cretin would be completely prohibited from running anything other than inetd and proxy services. Including the shell in the first place. Come to think of it, there's no need for PTY support either. The frustration level of beating on such a mutant setup should be enough to make the aforementioned cretin take a chainsaw to a nearby playground instead.

Am I overlooking anything fundamental? Has anyone tried a similar unixotomy? This approach seems like it would make the gateway MUCH more secure at the minor added frustration of having to be present at the console to maintain the machine.

--leo

From firewalls-owner Tue Sep 27 15:36:26 1994
From: Mike Muuss
Date: Tue, 27 Sep 94 21:28:43 GMT
To: "A. Padgett Peterson, P.E. Information Security"
cc: Mike@arl.mil, firewalls@greatcircle.com
Subject: Re: Zen and the Art of Network Maintenance

Padgett wrote -

> Ian has given us some very good philosophical comments for the management
> of Firewalls and Internet communications. Being an engineer (as certified
> by the great state of Florida), I tend to look at things a little differently.
>
> 1) A firewall is the first point of contact for incoming packets and the
> last point of contact for outgoing ones.
>
> 2) A firewall is a single, maintainable "choke point" for extra-organizational
> communications.
>
> For these two reasons, a firewall is a logical place for security.

I both agree and disagree with Padgett here. I agree in the small sense, and disagree in the large sense. Certainly, firewalls are ONE logical place for security. However, when architecting an overall security strategy, it is important not to place too much faith in any one component.

It seems implicit in a lot of the writings on this mailing list that each institution has only ONE interconnection point to the InterNet-at-large, and that ONE interconnection point is easily protected by a firewall. I assert that it is a dangerous error to assume that you know about all the interconnections in your organization, and to the outside world.

For performance and reliability, our network has a pair of T-3 lines to Fix-East and Fix-West, plus numerous geographically distributed MILNET connections. Cut up to (N-1) links and service to the users degrades in performance but connectivity does not vanish. If one desired to firewall a "multi-homed" institution like ours, then multiple firewall machines would probably be required. Synchronizing multiple firewalls would then be a (substantial) extra detail to look after. But the protection of those "N" firewalls would come to naught if (a) even ONE of them was not functioning properly, or (b) an unregulated "N+1"th interconnection was installed.

I assert that it is very difficult to ensure that your institution has _only_ "N" attachment points to the outside world. Most of you are probably familiar with the risks posed by having additional dial-in modem lines. Adding unauthorized modem lines is the frustrated user's first recourse against over-zealous information security (IS) policies. There are some strategies for finding such lines, but they tend to be difficult to enforce, especially in satellite offices.

An even more difficult risk to detect is unauthorized dial-out lines. If the user has a certain amount of foresight, they can put these in in advance, and not use them until the need arises. Finding such assets (other than the hard way) is virtually impossible. [Don't tell me I'm dreaming, an instance of this came to my attention just last month.]

But it gets worse. There is a newer risk that some of you may not have seen much yet: dial-out SLIP or PPP lines. It is very easy to configure workstations these days to "dial on demand" when IP traffic shows up. A little cleverness with service-based routing makes it easy to send "unauthorized" (firewall-blocked) traffic out to the network at large via a special local interface. And in the process, open the institution up to an attack through that "back door" path.

Dial-up and ISDN-rate IP service is *cheap*, and is going to get cheaper. If a department is beleaguered by the local IS policies, the investment threshold to bypass the whole IS infrastructure is very low indeed. In most US cities, such service can be had for less than $200/month, often for much less. Locally I can buy 24x7 SLIP for $45/month.

Many successful penetrations of firewall-protected sites have not been accomplished by going _through_ the firewall, but by waltzing _around_ it -- via all the back doors thoughtfully installed by (a) frustrated end users, (b) lazy or frustrated system administrators, and/or (c) the IS staff themselves!

I do not mean to suggest that we should all "give up" on security. Far from it. But encasing your organization inside impenetrable walls may not buy you any REAL security, unless it is done carefully.

THE BOTTOM LINE

Information Security professionals exist to aid and enhance the mission of the institution. Not the other way around. In TQM-talk, the end-users are "customers" for "security services". IS policies need to be _architected_ with the needs of those customers in mind. Whenever security measures stand in the way of the end-users accomplishing their mission, you pick up an additional and most potent threat: a frustrated in-house staff "just trying to do their jobs."

In selected circumstances, firewalls can be an effective security measure. But they are only one (small) element of a security architecture. Fires tend to be very good at spreading around firewalls.

Best,
-Mike Muuss
Leader, Advanced Computer Systems Team
Survivability and Lethality Analysis Directorate
The US Army Research Laboratory
Attn: AMSRL-SL-BV
APG, MD 21005-5068 USA

From firewalls-owner Tue Sep 27 19:36:11 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id BAA16145; Wed, 28 Sep 1994 01:44:41 GMT
Received: from pine.proxima.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id SAA16139; Tue, 27 Sep 1994 18:44:25 -0700
Received: by pine.proxima.com (NX5.67d/NX3.0M) id AA16876; Tue, 27 Sep 94 21:44:05 -0400
Date: Tue, 27 Sep 94 21:44:05 -0400
From: "Eric A. Litman"
Message-Id:
To: firewalls@GreatCircle.COM
Subject: Re: xforward as proxy
Newsgroups: proxima.firewalls
Organization: Proxima, Inc.
X-Newsreader: TIN [version 1.2 PL2]
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> > 3) when I issue the command "export DISPLAY=jupiter:X.Y"
> > does this mean that the X server on the host jupiter
> > should be listening on port 6000 + X, or 6000 + Y, or
> > no direct relation exists. The code in Xforward is not
> > clear on this issue. It extracts X.Y and add it to 6000.
> > I may have missed something.

Have you taken a look at udprelay and a reasonable set of filters on your routers?

--
Eric Litman
Proxima, Inc.
vox: (703) 506.1661
Director, Network Services
McLean, VA
elitman+@proxima.com

From firewalls-owner Tue Sep 27 20:10:34 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id CAA16351; Wed, 28 Sep 1994 02:32:19 GMT
Received: from pg2-srv.wam.umd.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id TAA16345; Tue, 27 Sep 1994 19:32:09 -0700
Received: from rac1.wam.umd.edu (reh@rac1.wam.umd.edu [128.8.70.3]) by pg2-srv.wam.umd.edu (8.6.9/8.6.9) with ESMTP id WAA21603; Tue, 27 Sep 1994 22:32:08 -0400
From: Richard Huddleston
Received: (reh@localhost) by rac1.wam.umd.edu (8.6.9/8.6.9) id WAA07804; Tue, 27 Sep 1994 22:32:07 -0400
Date: Tue, 27 Sep 1994 22:32:07 -0400
Message-Id: <199409280232.WAA07804@rac1.wam.umd.edu>
To: leo@clinicom.com
Subject: Re: lobotomizing unix
Cc: firewalls@greatcircle.com
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

What you've actually introduced is the very excellent question about what operating system the specialized network device known as a firewall gateway should be running.

I personally think that Morning Star has got the seed of the solution to this question in their router OS implementation. Just Unix-like enough to be familiar, but minimalistic in what it provides. For the most part, that is: it also seems like, if you're logged in to the router, then you're running UID 0.

Specifically for what you have to do to a Unix box to get it to work without UID 0, though, I wish I could remember more than the name of the obscure, but interesting, USENIX paper:

"Life Without Root"

Richard

From firewalls-owner Tue Sep 27 23:35:52 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id GAA17611; Wed, 28 Sep 1994 06:17:52 GMT
Received: from relay.hp.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id XAA17605; Tue, 27 Sep 1994 23:17:38 -0700
From: RHODES_CHRIS/HP9061_62@hpausa1.aus.hp.com
Received: from hpausa1.aus.hp.com by relay.hp.com with SMTP (1.37.109.8/15.5+ECS 3.3) id AA19433; Tue, 27 Sep 1994 23:17:42 -0700
Received: from by hpausa1.aus.hp.com with SMTP (1.37.109.11/15.5+ECS 3.3) id AA240033073; Wed, 28 Sep 1994 16:17:53 +1000
X-Openmail-Hops: 1
Date: Wed, 28 Sep 94 16:10:00 +1000
Message-Id: <"dc8?eG(0000xo.b8*"@MHS>
Subject: Non-registered addresses
To: firewalls@greatcircle.com
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hello firewalls list readers,

I have a client who has an IP network based on a non-registered B class address. They wish to connect to the Internet and can either:

1. Apply for a block of C class addresses (they cannot justify an official B class address), allocate one C class address as the Internet access point, and install a firewall of some sort.

or

2. Apply for a single C class address and use it as their Internet access point, and install a firewall system that includes a box that connects the official network to the unofficial network. This box would not advertise routes and may need to have proxy services for telnet, ftp, etc.

Option 1 represents the usual environment into which firewall systems are deployed; however, reassigning IP addresses would represent considerable disruption to the client.

What (if any) are the firewall implications associated with adopting Option 2?

Any comments/suggestions/advice welcome.

Chris Rhodes
Hewlett-Packard, Sydney, Australia
Internet Address: Rhodes_Chris/hp9061@hpausa1.aus.hp.com

From firewalls-owner Wed Sep 28 07:36:31 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA20196; Wed, 28 Sep 1994 13:57:51 GMT
Received: from relay.tis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id GAA20190; Wed, 28 Sep 1994 06:57:43 -0700
Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma006030; Wed Sep 28 09:57:40 1994
Received: from otter.tis.com. by tis.com (4.1/SUN-5.64) id AA01870; Wed, 28 Sep 94 09:57:30 EDT
From: Marcus J Ranum
Message-Id: <9409281357.AA01870@tis.com>
Subject: Re: lobotomizing unix
To: reh@wam.umd.edu (Richard Huddleston)
Date: Wed, 28 Sep 1994 09:59:05 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199409280232.WAA07804@rac1.wam.umd.edu> from "Richard Huddleston" at Sep 27, 94 10:32:07 pm
Organization: Trusted Information Systems, Inc. Glenwood, MD
Phone: 301-854-6889
Content-Type: text
Content-Length: 687
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Richard Huddleston writes:
> Specifically for what you have to do to a Unix box to get it to work
> without UID 0, though, I wish I could remember more than the name of
> the obscure, but interesting, USENIX paper:
>
> "Life Without Root"

What's so depressing about this discussion is that years later, it would appear that we are re-inventing the notion of "least privilege". Running secure systems without all-powerful users is an old idea.

mjr.

[PS - when I ran a firewall in the manner that Leo describes (Hi Grod!!) the only thing that was a problem was making the bind() system call work right for low-numbered sockets. It wasn't a big problem since I had kernel source.]
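Leo's boot-time design (do the root-only work first, then shed UID 0 with no way back) and mjr's remark that bind() on low-numbered ports was the one sticking point, as an added example that is not code from any message in this thread: a service opens its listening socket while it may still be root, then drops to an unprivileged uid/gid irrevocably and verifies that root cannot be regained while the inherited socket keeps working. The target identity 65534 ("nobody"), the loopback bind and the port are assumptions for the demonstration.

```c
#define _DEFAULT_SOURCE          /* setgroups() and seteuid() declarations on glibc */
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Step 1 (possibly still root): open the listening socket.  On a stock kernel
 * a port below 1024 needs UID 0 exactly here, which is the bind() problem mjr
 * mentions; port 0 asks for any free port and needs no privilege, so the demo
 * runs unprivileged too. */
int open_listener(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* assumption: loopback only */
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 8) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Assumed target identity: 65534 ("nobody") when started as root; when the
 * demo is already unprivileged we simply keep the current ids. */
uid_t choose_unprivileged_uid(void) { return getuid() == 0 ? 65534 : getuid(); }
gid_t choose_unprivileged_gid(void) { return getgid() == 0 ? 65534 : getgid(); }

/* Step 2: shed root for good.  Order matters: supplementary groups and the
 * gid must go while we can still change them, the uid last.  setuid() by
 * root sets the real, effective and saved uids together, so nothing is left
 * to come back to; the final check catches a silently failed drop. */
int drop_privileges_irrevocably(uid_t uid, gid_t gid)
{
    if (getuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Returns 1 when an attempt to become root again is refused with EPERM. */
int root_is_unreachable(void)
{
    if (seteuid(0) == 0)
        return 0;   /* we got root back: the drop was not irrevocable */
    return errno == EPERM;
}

/* A socket opened before the drop stays usable afterwards; that is what lets
 * inetd-style services sit on low ports without any uid-0 process. */
int listener_is_usable(int fd)
{
    struct sockaddr_in addr;
    socklen_t len = sizeof addr;
    return getsockname(fd, (struct sockaddr *)&addr, &len) == 0;
}

int main(int argc, char **argv)
{
    uint16_t port = argc > 1 ? (uint16_t)atoi(argv[1]) : 0;
    int fd = open_listener(port);
    if (fd < 0) {
        perror("open_listener");
        return 1;
    }
    if (drop_privileges_irrevocably(choose_unprivileged_uid(), choose_unprivileged_gid()) != 0) {
        perror("drop_privileges_irrevocably");
        return 1;
    }
    printf("uid=%u euid=%u; root reachable: %s; listener usable: %s\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           root_is_unreachable() ? "no" : "YES", listener_is_usable(fd) ? "yes" : "no");
    close(fd);
    return 0;
}
```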
From firewalls-owner Wed Sep 28 08:37:01 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id PAA20712; Wed, 28 Sep 1994 15:25:35 GMT
Received: from uvs1.orl.mmc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id IAA20706; Wed, 28 Sep 1994 08:25:13 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA25924; Wed, 28 Sep 94 11:06:19 -0400
Date: Wed, 28 Sep 94 11:06:19 -0400
Message-Id: <9409281506.AA25924@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Zen etc.
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Mike wrote:
>I both agree and disagree with Padgett here. I agree in the small
>sense, and disagree in the large sense. Certainly, firewalls are ONE
>logical place for security. However, when architecting an overall
>security strategy, it is important not to place too much faith in any
>one component.

Mike must not have read my other postings. For the firewalls group I write about firewalls and try to keep distant from Filters, Active Hubs, and One Time Password Tokens (be glad to expand but the attitude of the group seems to be to stay on the subject). Telephone matters and call back/caller-id properly belong in Pat's digest and not here.

However, I do believe in a layered response to everything. Certainly applications that require compartmenting cannot be handled by a firewall and, as Mike mentions, adaptive routing is also not a firewall function.

There *are* many things that are properly handled at the firewall and *should* be handled by the firewall, and these are appropriate for this group (if the direction changes, please let me know - there is a broad gap between comp.security and firewalls with a lot that goes in the middle).

Warmly,
Padgett

From firewalls-owner Wed Sep 28 09:39:27 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id PAA20934; Wed, 28 Sep 1994 15:45:59 GMT
Received: from znanost.mz.hr by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id IAA20927; Wed, 28 Sep 1994 08:45:44 -0700
Received: from gaus@localhost by znanost.mz.hr (8.6.9/Ultrix 4.2A) id QAA15143; Wed, 28 Sep 1994 16:42:45 +0100
From: gaus@znanost.mz.hr (Damir Rajnovic)
Message-Id: <199409281542.QAA15143@znanost.mz.hr>
Subject: 'active' and 'pasive' firewalls
To: firewalls@greatcircle.com
Date: Wed, 28 Sep 1994 16:42:44 +0100 (MET)
X-Mailer: ELM [version 2.4 PL22]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1330
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hello,

My contribution to the philosophical thread.

It seems to me that having firewalls as they are now means introducing more complexity into the system. I see today's firewalls as 'active' firewalls. That is -- they are visible on the net, you must pay attention to them (as a user; a system manager must always pay attention to them).

What will it be if we have a 'passive' firewall? One that will not be visible, one that will be acting like a signal processor. The idea is to have one black box which will monitor every packet and perform the appropriate action if some predefined condition is met. Nothing new? What is new is that neither the user nor any other machine is aware of the firewall. That means that you don't have to advertise the firewall to the outside world.

What's wrong with this idea?

Cordially,

Gaus

|-----------------------------------------------------------------|
| Damir Rajnovic                     | E-mail: gaus@znanost.hr    |
| Ministry of Science and Technology | Voice: (+385 41)46 14 37   |
| Strossmayerov trg 4, 41000 Zagreb  |                            |
|-----------------------------------------------------------------|
| There is no unsolvable problems, but question is - can you      |
| accept solution.                                                |
|=================================================================|

From firewalls-owner Wed Sep 28 10:38:06 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA21163; Wed, 28 Sep 1994 16:27:25 GMT
Received: from uvs1.orl.mmc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id JAA21116; Wed, 28 Sep 1994 09:15:00 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA26201; Wed, 28 Sep 94 12:03:32 -0400
Date: Wed, 28 Sep 94 12:03:32 -0400
Message-Id: <9409281603.AA26201@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Non-registered access
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>I have a client who has an IP network based on a non-registered B class
>address. They wish to connect to the Internet and can either:

The easiest mechanism would be to use a translating system to exchange internal IP addresses for external ones. If inward access is needed, those machines will have to have fixed assigned addresses. For outward addresses, the assignments could be on a dynamic "as needed" basis from a pool.

This has two advantages:

1) The internal addresses do not have to change

2) Some slight security is added since inside addresses are useless on the outside and there can be a single controlled translation point.

If the inside addresses map easily (through logic rather than a table) then performance would not be impacted. If not, the size of the table/power of the translator could come into question.

The other alternative would be to use a proxy host for both inward and outward access. This is not as good since it must be sized to handle actual sessions rather than just packet header modification and would be less convenient to use. Nonetheless this would allow better access control so long as it could be trusted.

Just some thoughts,
Padgett

From firewalls-owner Wed Sep 28 12:28:36 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id RAA21514; Wed, 28 Sep 1994 17:03:46 GMT
Received: from lokkur.dexter.mi.us by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id KAA21504; Wed, 28 Sep 1994 10:03:31 -0700
Received: (scs@localhost) by lokkur.dexter.mi.us (8.6.7/8.6.5) id NAA00341; Wed, 28 Sep 1994 13:03:20 -0400
From: Steve Simmons
Message-Id: <199409281703.NAA00341@lokkur.dexter.mi.us>
Subject: Re: lobotomizing unix
To: mjr@tis.com (Marcus J Ranum)
Date: Wed, 28 Sep 1994 13:03:14 -0400 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9409281357.AA01870@tis.com> from "Marcus J Ranum" at Sep 28, 94 09:59:05 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 409
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Richard Huddleston writes:
> Specifically for what you have to do to a Unix box to get it to work
> without UID 0, though, I wish I could remember more than the name of
> the obscure, but interesting, USENIX paper:
>
> "Life Without Root"

It's good to be remembered... Paper available for anonymous ftp from ftp.sage.usenix.org, in /pub/lisa/lisa4. Postscript in 10.scs.ps.0, troff in 10.scs.text.0.
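Padgett's translation scheme from the "Non-registered access" message above (fixed outside addresses for the hosts that must accept inward access, a pool lent "as needed" to everything else, one controlled translation point at which inside addresses have no meaning), as an added example that is not code from any message on this list: a table-driven address translator run over constructed packets. The RFC 1597 inside block 172.16.0.0/12, the 192.0.2.0/24 outside block standing in for the client's single class C, and the two-address pool are assumptions; the translation is address-for-address, as Padgett describes it, not port-multiplexed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed address ranges: inside hosts from the RFC 1597 private block
 * 172.16.0.0/12, "registered" outside addresses from 192.0.2.0/24. */
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

struct packet {
    uint32_t src, dst;
    uint16_t sport, dport;
};

/* Fixed assignments: inside hosts that must be reachable from outside. */
struct fixed_map { uint32_t inside, outside; };
static const struct fixed_map fixed_maps[] = {
    { IP(172, 16, 0, 10), IP(192, 0, 2, 10) },   /* constructed: mail host */
    { IP(172, 16, 0, 25), IP(192, 0, 2, 25) },   /* constructed: ftp host  */
};
#define NFIXED (sizeof fixed_maps / sizeof fixed_maps[0])

/* Pool lent "as needed" to inside hosts that only go outward; inside == 0 means free. */
struct pool_entry { uint32_t outside, inside; };
static struct pool_entry pool[] = {
    { IP(192, 0, 2, 100), 0 },
    { IP(192, 0, 2, 101), 0 },
};
#define NPOOL (sizeof pool / sizeof pool[0])

static uint32_t fixed_outside_for(uint32_t inside)
{
    for (size_t i = 0; i < NFIXED; i++)
        if (fixed_maps[i].inside == inside) return fixed_maps[i].outside;
    return 0;
}

static uint32_t fixed_inside_for(uint32_t outside)
{
    for (size_t i = 0; i < NFIXED; i++)
        if (fixed_maps[i].outside == outside) return fixed_maps[i].inside;
    return 0;
}

/* Reuse the pool address already lent to `inside`, else lend a free one. */
static uint32_t pool_outside_for(uint32_t inside)
{
    for (size_t i = 0; i < NPOOL; i++)
        if (pool[i].inside == inside) return pool[i].outside;
    for (size_t i = 0; i < NPOOL; i++)
        if (pool[i].inside == 0) { pool[i].inside = inside; return pool[i].outside; }
    return 0;   /* pool exhausted: the "size of the table" question */
}

static uint32_t pool_inside_for(uint32_t outside)
{
    for (size_t i = 0; i < NPOOL; i++)
        if (pool[i].outside == outside && pool[i].inside != 0) return pool[i].inside;
    return 0;
}

/* Hand a lent pool address back when the inside host is done with it.
 * Returns 1 if an entry was released. */
int pool_release(uint32_t inside)
{
    for (size_t i = 0; i < NPOOL; i++)
        if (pool[i].inside == inside) { pool[i].inside = 0; return 1; }
    return 0;
}

/* Inside -> outside: only the source address is rewritten.  1 = forwarded, 0 = dropped. */
int translate_outbound(struct packet *p)
{
    uint32_t out = fixed_outside_for(p->src);
    if (out == 0) out = pool_outside_for(p->src);
    if (out == 0) return 0;
    p->src = out;
    return 1;
}

/* Outside -> inside: only addresses with a current mapping are reachable.  A packet
 * aimed at a free pool address, or directly at an inside address, is dropped here,
 * which is the "slight security" of a single translation point.  Caveat: once a pool
 * address is lent, any outside host can reach the inside host through it. */
int translate_inbound(struct packet *p)
{
    uint32_t in = fixed_inside_for(p->dst);
    if (in == 0) in = pool_inside_for(p->dst);
    if (in == 0) return 0;
    p->dst = in;
    return 1;
}

static void print_ip(uint32_t a)
{
    printf("%u.%u.%u.%u", a >> 24, (a >> 16) & 255, (a >> 8) & 255, a & 255);
}

int main(void)
{
    struct packet out = { IP(172, 16, 0, 77), IP(198, 51, 100, 7), 1235, 80 };   /* constructed */
    printf("outbound %s, src now ", translate_outbound(&out) ? "forwarded" : "dropped");
    print_ip(out.src);
    struct packet probe = { IP(198, 51, 100, 9), IP(192, 0, 2, 101), 4444, 23 };  /* constructed */
    printf("\ninbound to free pool address: %s\n", translate_inbound(&probe) ? "forwarded" : "dropped");
    return 0;
}
```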
From firewalls-owner Wed Sep 28 14:54:23 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id RAA22261; Wed, 28 Sep 1994 17:51:06 GMT
Received: from sgigate.sgi.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id KAA22255; Wed, 28 Sep 1994 10:50:56 -0700
Received: from yeager.corp.sgi.com (yeager.corp.sgi.com [192.102.145.23]) by sgigate.sgi.com (940519.SGI.8.6.9/8.6.4) with ESMTP id KAA29710; Wed, 28 Sep 1994 10:51:12 -0700
Received: by yeager.corp.sgi.com (940816.SGI.8.6.9/930416.SGI) id KAA02135; Wed, 28 Sep 1994 10:51:46 -0700
From: lear@yeager.corp.sgi.com (Eliot Lear)
Message-Id: <9409281051.ZM2133@yeager.corp.sgi.com>
Date: Wed, 28 Sep 1994 10:51:46 -0700
In-Reply-To: RHODES_CHRIS/HP9061_62@hpausa1.aus.hp.com "Non-registered addresses" (Sep 28, 4:10pm)
References: <"dc8?eG(0000xo.b8*"@MHS>
X-Mailer: Z-Mail (3.2b.921 21sep94 MediaMail)
To: RHODES_CHRIS/HP9061_62@hpausa1.aus.hp.com, firewalls@GreatCircle.COM
Subject: Re: Non-registered addresses
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Sorry.. I got cut off. This is an issue which we should take off line. Feel free to contact me directly for discussion.

--
Eliot Lear
[lear@sgi.com]

From firewalls-owner Wed Sep 28 15:10:05 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id UAA24257; Wed, 28 Sep 1994 20:45:24 GMT
Received: from nsco.network.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA24245; Wed, 28 Sep 1994 13:44:58 -0700
From: ted.doty@nsco.network.com
Received: from doty.network.com by nsco.network.com (4.1/1.34) id AA02857; Wed, 28 Sep 94 15:45:07 CDT
Date: Wed, 28 Sep 94 16:32:23 PDT
Subject: RE: 'active' and 'pasive' firewalls
To: firewalls@greatcircle.com
X-Mailer: Chameleon - TCP/IP for Windows by NetManage, Inc.
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>It seems to me that having firewalls as they are now means introducing
>more complexity into the system. I see today's firewalls as 'active'
>firewalls. That is -- they are visible on the net, you must pay attention
>to them (as a user; a system manager must always pay attention to them).
>
>What will it be if we have a 'passive' firewall? One that will not be visible,
>one that will be acting like a signal processor. The idea is to have one black
>box which will monitor every packet and perform the appropriate action if
>some predefined condition is met. Nothing new? What is new is that neither the
>user nor any other machine is aware of the firewall. That means that you don't
>have to advertise the firewall to the outside world.

This is what we call "Firewall Routing". If you extend the concept of packet filtering to its logical conclusion, this is what you get. Set up your router, apply your filters, and let the users fire away. The transparency of the system is perhaps its strongest point.

There are a few things you need to watch out for, tho. Not all services are nicely packetized with a single application PDU inside a single datagram. Even if they are, you get fragmented datagrams. What this means is that you need to maintain a certain amount of state information, and very few routers are capable of that. Still, it's not rocket science, it's just packet filtering in the payload.

>What's wrong with this idea?

Nothing. It's probably the future. Security needs to be a service of the network, rather than something imposed at a few (or only one) choke points. Mike Muuss has just eloquently discussed the drawbacks of this strategy. Also, we desperately need to get security services out of user space (the context switching is killing us). Firewall Routing looks like it can provide 2 orders of magnitude performance gain.

- Ted

--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation   | phone: +1 301 596-2270
8965 Guilford Road, Suite 250           | fax: +1 410 381-3320
Columbia, MD, 21046 USA                 | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.

From firewalls-owner Wed Sep 28 15:43:32 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id WAA25086; Wed, 28 Sep 1994 22:02:11 GMT
Received: from remus.ultranet.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id PAA25079; Wed, 28 Sep 1994 15:01:58 -0700
Received: by remus.ultranet.com; (5.65/1.1.8.2/22Aug94-0201PM) id AA18804; Wed, 28 Sep 1994 18:01:52 -0400
Date: Wed, 28 Sep 1994 18:01:52 -0400
From: Joe Provo
Message-Id: <9409282201.AA18804@remus.ultranet.com>
To: firewalls@greatcircle.com
Subject: Re: Non-registered addresses
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>I have a client who has an IP network based on a non-registered B class
>address. They wish to connect to the Internet and can either:

The first time I read your message, I assumed you did mean addresses out of _the_ Private Network space (rfc1597). After re-reading some of it in padgett's (IMO correct) comments, I am not so sure. To even consider gatewaying to a "non-real" IP space, the numbers _must_ come from the Private Nets numbers, or else the gateway machine could get really, really, confused.

How many people routinely use the numbers from 1597 for heavily filtered nets? Does anyone?

Joe, asking that this tangential issue drop to personal responses.

Systems and Network Admin, Ultranet Communications Inc.
508.229.8400(voice)    jprovo@ultranet.com    508.229.8111(data)
A network service provider in Marlboro, MA - mail info@ultranet.com

From firewalls-owner Wed Sep 28 16:02:52 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id RAA22252; Wed, 28 Sep 1994 17:50:26 GMT
Received: from sgigate.sgi.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id KAA22246; Wed, 28 Sep 1994 10:50:09 -0700
Received: from yeager.corp.sgi.com (yeager.corp.sgi.com [192.102.145.23]) by sgigate.sgi.com (940519.SGI.8.6.9/8.6.4) with ESMTP id KAA29640; Wed, 28 Sep 1994 10:50:13 -0700
Received: by yeager.corp.sgi.com (940816.SGI.8.6.9/930416.SGI) id KAA02121; Wed, 28 Sep 1994 10:50:43 -0700
From: lear@yeager.corp.sgi.com (Eliot Lear)
Message-Id: <9409281050.ZM2119@yeager.corp.sgi.com>
Date: Wed, 28 Sep 1994 10:50:43 -0700
In-Reply-To: RHODES_CHRIS/HP9061_62@hpausa1.aus.hp.com "Non-registered addresses" (Sep 28, 4:10pm)
References: <"dc8?eG(0000xo.b8*"@MHS>
X-Mailer: Z-Mail (3.2b.921 21sep94 MediaMail)
To: RHODES_CHRIS/HP9061_62@hpausa1.aus.hp.com
Subject: Re: Non-registered addresses
Cc: firewalls@greatcircle.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Please see RFCs 1597 and 1627 for the arguments for and against using private networks.
I am happy to discuss this privatey -- Eliot Lear [lear@sgi.com] From firewalls-owner Wed Sep 28 17:51:22 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id WAA25736; Wed, 28 Sep 1994 22:52:28 GMT Received: from watson.ibm.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id PAA25730; Wed, 28 Sep 1994 15:52:16 -0700 Received: from WATSON by watson.ibm.com (IBM VM SMTP V2R3) with BSMTP id 0497; Wed, 28 Sep 94 18:52:28 EDT Received: from YKTVMV by watson.vnet.ibm.com with "VAGENT.V1.0" id 5773; Wed, 28 Sep 1994 18:52:28 EDT Received: from ixextra2.watson.ibm.com by yktvmv.watson.ibm.com (IBM VM SMTP V2R3) with TCP; Wed, 28 Sep 94 18:52:27 EDT Received: by ixextra2.watson.ibm.com (AIX 3.2/UCB 5.64/930311) id AA19553; Wed, 28 Sep 1994 18:50:49 -0400 Date: Wed, 28 Sep 1994 18:50:49 -0400 From: pau@watson.ibm.com (Pau-Chen Cheng) Message-Id: <9409282250.AA19553@ixextra2.watson.ibm.com> To: firewalls@GreatCircle.COM Subject: Motorola Product Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Hi, I remember some posting said that Motorola has a firewall or encryption product for the Internet ? Could you provide some details or pointers for me ? Thanks in advance. 
Regards, Pau-Chen From firewalls-owner Wed Sep 28 18:37:05 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id XAA26108; Wed, 28 Sep 1994 23:06:06 GMT Received: from strauss.udel.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA26090; Wed, 28 Sep 1994 16:05:46 -0700 Received: (from donovan@localhost) by strauss.udel.edu (8.6.8/8.6.6) id TAA11681; Wed, 28 Sep 1994 19:05:44 -0400 Date: Wed, 28 Sep 1994 19:05:43 -0400 (EDT) From: Brian Willi Donovan Subject: Re: Firewalls Digest V3 #331 To: Firewalls@GreatCircle.COM In-Reply-To: <199409270800.BAA08421@mycroft.GreatCircle.COM> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk i never subscribed to this so could someone tell me how to get rid of it From firewalls-owner Wed Sep 28 18:43:02 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id XAA26241; Wed, 28 Sep 1994 23:10:06 GMT Received: from bifrost.Ross.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA26233; Wed, 28 Sep 1994 16:09:55 -0700 Received: by bifrost.Ross.COM (4.1/SMI-4.1) id AA05207; Wed, 28 Sep 94 18:10:28 CDT Received: from oldnick-e0.ross.com(143.187.10.206) by bifrost via smap (V1.3mjr) id sma005196; Wed Sep 28 18:10:00 1994 Received: from valhalla.ross.com by oldnick.Ross.COM (4.1/SMI-4.1) id AA01896; Wed, 28 Sep 94 18:09:47 CDT Received: by valhalla.ross.com (5.x/SMI-SVR4) id AA06257; Wed, 28 Sep 1994 18:09:39 -0500 Date: Wed, 28 Sep 1994 18:09:39 -0500 From: hdr@ross.com (Henry D. Reynolds/x253) Message-Id: <9409282309.AA06257@valhalla.ross.com> To: chickna@ncp.gpt.co.uk Cc: firewalls@greatcircle.com Subject: Encrypted WANs via the Internet References: <9409191443.AA00676@cvsu76.nsg.ncp.gpt.co.uk.LOCAL> Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk This is kind of late on this thread but... 
I was talking to somebody yesterday and he claimed that he ran an encrypted link over the Internet using a hacked ppp driver and pgp(RSA?) encryption. I'm intrigued by this idea. What's wrong w/ this picture. -- - Oh my GOD -- the SUN just fell into YANKEE STADIUM!! Henry D. Reynolds hdr@ross.com -OR- cs.utexas.edu!helps!nidhog!hdr FONE: (512)892-7802 x253 ROSS Technology, Inc. FAX: (512)892-3036 5316 Hwy 290 West Suite 500 Austin, TX 78735 From firewalls-owner Wed Sep 28 19:36:39 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id AAA27410; Thu, 29 Sep 1994 00:22:16 GMT Received: from igate1.melpar.esys.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id RAA27404; Wed, 28 Sep 1994 17:22:03 -0700 Received: by igate1.melpar.esys.com id AA08683 (5.67a/IDA-1.5 for firewalls@greatcircle.com); Wed, 28 Sep 1994 20:21:44 -0400 Received: from igate2.melpar.esys.com(198.4.96.2) by igate1.melpar.esys.com via smap (V1.0mjr) id sma008670; Wed Sep 28 20:21:31 1994 Received: from netcom.isp.melpar.esys.com by igate5.isp.melpar.esys.com with SMTP id AA24561 (5.67a/IDA-1.5 for firewalls@GreatCircle.COM); Wed, 28 Sep 1994 20:19:16 -0400 Received: by netcom.isp.melpar.esys.com (1.37.109.4/16.2) id AA00124; Wed, 28 Sep 94 20:21:25 -0400 From: "Barry Suskind" Message-Id: <9409282021.ZM122@netcom.isp.melpar.esys.com> Date: Wed, 28 Sep 1994 20:21:23 -0400 In-Reply-To: lear@yeager.corp.sgi.com (Eliot Lear) "Re: Non-registered addresses" (Sep 28, 10:50am) References: <"dc8?eG(0000xo.b8*"@MHS> <9409281050.ZM2119@yeager.corp.sgi.com> X-Mailer: Z-Mail (3.0.1 23feb94) To: firewalls@greatcircle.com (Firewall Listserver) Subject: Re: Non-registered addresses Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk On Sep 28, 10:50am, Eliot Lear wrote: > Subject: Re: Non-registered addresses > Please see RFCs 1597 and 1627 for the arguments for and against using > private 
networks. I am happy to discuss this privatey > > -- > Eliot Lear > [lear@sgi.com] >-- End of excerpt from Eliot Lear We have an unregistered address on our internal network. The only way we could even THINK about connecting to the internet (Alternet is our provider) we had to create a dual bastion setup with tunnelling. -- ======================================================================| Barry A. Suskind bsuskind@melpar.esys.com || Information Services - E-Systems / Melpar Division (703)-560-5000 || || "If it weren't for change, your job would largely consist of making || sure the corporate abacus rods were adequately greased." John Cleese || From firewalls-owner Wed Sep 28 20:24:33 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id BAA27928; Thu, 29 Sep 1994 01:36:34 GMT Received: from warrane.connect.com.au by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id SAA27922; Wed, 28 Sep 1994 18:36:15 -0700 Received: by warrane.connect.com.au with UUCP id AA14803 (5.67b8/IDA-1.5 for Firewalls@greatcircle.com); Thu, 29 Sep 1994 11:36:05 +1000 Received: from yes.optus.com.au by hai.optus.com.au with SMTP id AA03290 (5.67b/IDA-1.5 for Firewalls@greatcircle.com); Thu, 29 Sep 1994 11:24:39 +1000 Message-Id: Date: 29 Sep 1994 10:50:06 +1000 From: "Tim Tuck" Subject: Request for Comments, Opinions To: "Firewalls Talk" X-Mailer: Mail*Link SMTP/MS 3.0.0GM Mime-Version: 1.0 Content-Type: text/plain; charset="ISO-8859-1"; Name="Message Body" Content-Transfer-Encoding: quoted-printable Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Hi all, We are in the process of evaluating firewalls for our business and I would = like any comments, opinions or experiences on the list of "walls" below. Alternatively, if someone has a better solution that I haven't listed I = would certainly like to hear about it. 
I would like to gain comments on the following systems:

SUN & SOCKS
SUN & ExFilter
DEC & SEAL
IBM & PORTUS

To all respondents, thanks in advance.

regards
_______________________________________________________________________________
Tim Tuck - Consultant   | Operations Support Services | Phone 61 2 342 7573
Optus Communications    |                             | Fax 61 2 342 7566
101 Miller Street,      |                             | Mobile Phone 61 2 018 168 703
North Sydney,           |                             |
Australia 2060          |                             | Internet tim_tuck@yes.optus.com.au
-------------------------------------------------------------------------------
You cannot teach a person anything; you can only help them to find it
within themselves - Galileo
-------------------------------------------------------------------------------
Opinions are mine, not my clients - 'in-real-life' Tim Tuck, Sensei Consulting.
_______________________________________________________________________________

From firewalls-owner Wed Sep 28 21:36:15 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id DAA28904; Thu, 29 Sep 1994 03:42:22 GMT
Received: from staff.cs.su.OZ.AU by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id UAA28881; Wed, 28 Sep 1994 20:41:47 -0700
From: KIDSTOJ@pcux.citec.qld.gov.au
Received: from pcux.citec.qld.gov.au by staff.cs.su.OZ.AU (mail from KIDSTOJ for firewalls@GreatCircle.COM) with MHSnet (insertion MHSnet site: citecub.citec.qld.gov.au); Thu, 29 Sep 1994 13:41:53 +1000
Received: from pcux.citec.qld.gov.au by citec.qld.gov.au (5.0/SMI-SVR4) id AA24145; Thu, 29 Sep 1994 13:41:35 --1000
Received: from CITEC-Message_Server by pcux.citec.qld.gov.au with WordPerfect_Office; Thu, 29 Sep 1994 13:41:23 +1000
Message-Id:
X-Mailer: WordPerfect Office 4.0
Date: Thu, 29 Sep 1994 13:39:29 +1000
To: firewalls%GreatCircle.COM@citec.qld.gov.au
Subject: 'active' and 'pasive' firewalls -Reply
content-length: 1373
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

** Low Priority **

gaus@znanost.hr wrote:
>My contribution to philosophical thread.
>It seems to me that having firewalls as they are now means introducing
>more complexities into system. I see today's firewalls as 'active' firewalls.
>That is -- they are visible on the net, you must pay attention to it (as a user,
>system manager must always pay attention on it).
>What will be if we have 'passive' firewall? One that will not be visible, one
>that will act like signal processor. Idea is to have one black box which
>will monitor every packet and perform appropriate action if some
>predefined condition is met. Nothing new? New is that neither user nor any
>other machine is aware of firewall. That means that you don't have to
>advertise firewall to outside world.
>What's wrong with this idea?

I wouldn't say there was anything "wrong" with the idea. It has a lot of appeal, since the passive black box can actually sit astride the communications link and be completely non-addressable and thus non-reachable from the network.

However, there is one potential disadvantage in that the invisible firewall cannot mask the protected network. All hosts are completely visible to the outside.

Like everything to do with firewalls and security, there is always a trade-off.

Cheers,
John Kidston
CITEC, Australia
kidstoj@citec.qld.gov.au

From firewalls-owner Thu Sep 29 04:55:35 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id LAA02158; Thu, 29 Sep 1994 11:19:08 GMT
Received: from gw.alantec.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id EAA02152; Thu, 29 Sep 1994 04:19:00 -0700
Received: from tango.alantec.com by gw.alantec.com with SMTP id AA12599 (5.65b/IDA-1.4.3.7 for firewalls@greatcircle.com); Thu, 29 Sep 94 04:19:15 -0700
Received: by tango.alantec.com (4.1/SMI-4.1) id AA23893; Thu, 29 Sep 94 04:19:13 PDT
Date: Thu, 29 Sep 94 04:19:13 PDT
From: paul@alantec.com (G. Paul Ziemba)
Message-Id: <9409291119.AA23893@tango.alantec.com>
To: tcpr-notify@alantec.com
Subject: tcpr 1.2 available
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Tcpr 1.2 is now available at:
ftp.alantec.com:/pub/tcpr/tcpr-1.2.tar.{Z,gz}.

Changes from 1.1.5 are:
- Support for .netrc (aliases and machine entries)
- bytecount logging per connection
- userid logging
- logging easily configurable via a config file
- pfinger and pwhois clients

From the README:
----------------

Tcpr is a set of perl scripts that enable you to run ftp and telnet commands across a firewall. Forwarding takes place at the application level, so it's easy to control. No recompilation of C code is necessary.

Tcpr consists of an inetd-type server that interprets commands, a relay program, and a client that talks to the server. The client asks the server for a relay connection to some specified remote host at a specified TCP port number; the server invokes the relay program and returns a proxy port number to the client. The client then invokes telnet or ftp, telling them to connect to the relay host at the proxy port number. The relay program then transfers data between the client host and the remote host. Special handling is implemented for the FTP data connection, so everything works properly.

Netrc files (~/.netrc) are supported (alias entries and, for ftp, machine entries). Server logging is controlled via a config file; various bits of information can be collected, including client userids and transfer byte counts.

Bug reports
-----------

Please email bug reports, comments, and patches to: tcpr-bugs@alantec.com.

Where to get it
---------------

Tcpr is available from the following servers via anonymous ftp:

ftp.alantec.com         pub/tcpr
ftp.cs.umb.edu          pub/security
ftp.psg.com             pub/unix/netware
grasp1.univ-lyon1.fr    pub/unix/network/tcpip/security
ftp.denet.dk            pub/misc/tcpr

Platforms
---------

Tcpr is known to work on SunOS 4.1.
I haven't tested it on other platforms, so I can't say if it'll work right out of the box for them. It's all perl, but the output format of the netstat and ifconfig commands might vary, and there isn't much flexibility in the parser for that yet.

Acknowledgements
----------------

The tcpr package is based on a relay program written by Kazumasa Utashiro. The relay program originally was to be invoked manually on the relay host, giving a port number which the user then used as an argument to the ftp or telnet program. I modified the relay program to select an outgoing interface based on some simple routing computations, and wrote a client and server to automate the process.

Thanks to Jim Kohli for code to parse and spoof .netrc files, and other useful changes.

Many thanks to the maintainers of the ftp sites mentioned above, listed in reverse alphabetical order (-:

Christophe Wolfhugel
John P. Rouillard
Kim Høglund
Randy Bush

From firewalls-owner Thu Sep 29 05:37:06 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA02484; Thu, 29 Sep 1994 12:22:06 GMT
Received: from uvs1.orl.mmc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id FAA02478; Thu, 29 Sep 1994 05:21:50 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA29433; Thu, 29 Sep 94 07:48:24 -0400
Date: Thu, 29 Sep 94 07:48:23 -0400
Message-Id: <9409291148.AA29433@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Definitions
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

John K. wrote:
>It seems to me that having firewalls as they are now means introducing
>more complexities into system. I see today's firewalls as 'active' firewalls.
>That is -- they are visible on the net, you must pay attention to it (as a user,
>system manager must always pay attention on it).
I disagree and pose the following definitions:

ACTIVE FIREWALL: one which is dynamically reconfigurable (hopefully in a trusted/verifiable manner). I view this as an essential piece of single-sign-on.

STATIC FIREWALL: one which executes according to a fixed set of rules and which requires manual intervention to reconfigure.

>>What will be if we have 'passive' firewall? One that will not be visible, one
>>that will act like signal processor. Idea is to have one black box which
>>will monitor every packet and perform appropriate action if some
>>predefined condition is met. Nothing new? New is that neither user nor any
>>other machine is aware of firewall. That means that you don't have to
>>advertise firewall to outside world.

We do not have to advertise a firewall now, this is just the default/easy way out. There is no reason for a firewall to respond to a PING, FINGER, or even be listed in the DNS - this is just accepted practice.

A firewall (really a filter but you get the idea) needs to be nothing more than a dedicated machine with two NICs that decides which packets to pass, which to refuse, and which to log/alarum. (I have something like this controlling the TCP/IP network in my den right now).

The reason firewalls are visible is because this is the default (they started out as bridges/routers anyway - the security aspect is a bag on the side for most) and it makes it easy for an administrator to check on it/make changes remotely, not because it is necessary; a terminal physically connected to a port would work as well (and why SUNs allow the concept of "secure" terminals).

>However, there is one potential disadvantage in that the invisible firewall
>cannot mask the protected network. All hosts are completely visible to
>the outside.

Why? Only hosts that need to be visible to the outside must be, and then only in those aspects required. All systems that I know of allow filtering by type of access (SMTP, TELNET, Novell), local host, and remote host.
It is just a matter of programming. Further, nothing says that the firewall cannot feed a proxy host and then the proxy is all that needs to be visible.

Finally, I think that sometimes we get caught up in the old mainframe concept of "one box does everything". This is no longer either true or necessary. I prefer something like this:

                    ____________                  _____________
<--"The World"-----|  FIREWALL  |----------------| PROXY HOST  |----"INSIDE"-->
                    ------------        |         -------------
                                   _____________
                                  |  LOGGER PC  |
                                   -------------

This distributes the loading for minimal performance impact. With switches at the front and tail, can also maintain mirrors for redundancy. Neither the firewall nor the logger need to be visible to the world or the inside.

This is also the simplest condition. In a more complex installation, the Logger might be able to add/modify the rules on the Firewall or Proxy based on changing conditions e.g. three attempts by a "world" host to access systems improperly would cause the FIREWALL to refuse all future connections from that host.

I suspect that the elements above may come to be considered the "minimum" for a protected connection and may need a term. Am sure that there is an electrical term that would fit (not a Pi filter but similar) - my Electrical Engineering handbook is at home and it has been a while.
Warmly,
Padgett

From firewalls-owner Thu Sep 29 06:39:15 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA02496; Thu, 29 Sep 1994 12:24:06 GMT
Received: from hummer.e-Commerce.Com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id FAA02490; Thu, 29 Sep 1994 05:23:54 -0700
Received: by hummer.e-Commerce.Com (4.1/SMI-4.1) id AA02452; Thu, 29 Sep 94 08:25:35 EDT
Received: from viper.e-commerce.com(198.235.154.21) by hummer via smap (V1.3mjr) id sma002450; Thu Sep 29 08:24:54 1994
Received: by viper.e-Commerce.Com (4.1/SMI-4.1) id AA15416; Thu, 29 Sep 94 08:23:22 EDT
Date: Thu, 29 Sep 94 08:23:22 EDT
From: jimc@e-Commerce.Com (Jim Carroll)
Message-Id: <9409291223.AA15416@viper.e-Commerce.Com>
To: firewalls@greatcircle.com
Subject: DNS serving both sides
Reply-To: jimc@e-Commerce.Com
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I'm up against a bit of a poser.

Got a scenario where a client will only have one DNS server available, that being on a dual-homed bastion.

Question is, is there a way of setting up the server such that it would tell Internet users to resolve to Interface A, while telling internal users to resolve to Interface B?

The only way I can see to do this is to set up a subdomain for internal users, but if possible, I'd like to avoid that.

Comments?
--
Jim Carroll -- jimc@e-Commerce.Com
e-Commerce, Inc., 1030 Kamato Road, Suite 201
Mississauga, Ontario, Canada L4W 4B6
Tel: +1 905 602 0863    Fax: +1 905 602 8402

From firewalls-owner Thu Sep 29 07:40:23 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA02692; Thu, 29 Sep 1994 12:46:01 GMT
Received: from ncrhub1.NCR.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id FAA02677; Thu, 29 Sep 1994 05:45:41 -0700
Received: from ncrhub4 by ncrhub1.NCR.COM id bq20747; 29 Sep 94 8:42 EDT
Received: by ncrhub4.NCR.COM; 29 Sep 94 08:33:20 EDT
Received: by nds-sa.SouthAfrica.NCR.COM; 29 Sep 94 13:38:41 SAT
Date: Thu, 29 Sep 94 09:21:52 +0200
From: "Mark A. Nechoda"
Subject: Request for firewall info
To: firewalls@greatcircle.com, majordomo@greatcircle.com
Cc: Lynn.Anderson@cape700.southafrica.NCR.COM
X-Mailer: WIN Send Mail
Priority: Normal
Message-ID: <9409290842.bq20747@ncrhub1.NCR.COM>
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

To whom it may concern:

I attended a conference regarding security on the internet, and your E-mail address was given. In fact, seeing the same domain name, this may end up being a duplicate posting, so forgive me if it is.

Sending to:
Firewalls@gratecircle.com
majordomo@gratecirlce.com

Would you please send info on how to implement firewalls?

Thank you.

Regards,
Mark A. Nechoda
AT&T Global Information Solutions
P.O. Box 896
Cape Town, 8000
South Africa
Country/City Code: (+27) (21)
Voice Phone: 418 - 4830 ext. 234
Fax Number: 419 - 1908
E-Mail: Mark.Nechoda@SouthAFrica.NCR.COM
"Greetings from the fairest Cape"

From firewalls-owner Thu Sep 29 08:10:22 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA03064; Thu, 29 Sep 1994 13:23:55 GMT
Received: from gate.demon.co.uk by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id GAA03056; Thu, 29 Sep 1994 06:23:37 -0700
Received: from warburg.demon.co.uk by gate.demon.co.uk id aa23977; 29 Sep 94 14:22 GMT-60:00
Received: by warburg.demon.co.uk (4.1/25-eef) id AA04619; Thu, 29 Sep 94 14:24:38 BST
From: Ian Marr
Message-Id: <9409291324.AA04619@warburg.demon.co.uk>
Subject: Re: Non-registered access
To: "A. Padgett Peterson, P.E. Information Security"
Date: Thu, 29 Sep 1994 14:24:38 +0100 (BST)
Cc: firewalls@greatcircle.com
In-Reply-To: <9409281603.AA26201@uvs1.orl.mmc.com> from "A. Padgett Peterson, P.E. Information Security" at Sep 28, 94 12:03:32 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 626
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

A. Padgett Peterson, P.E. Information Security writes:
>
> >I have a client who has an IP network based on a non-registered B class
> >address. They wish to connect to the Internet and can either:
>
> The easiest mechanism would be to use a translating system to exchange
> internal IP addresses for external ones.

Easy ?! I'm not so sure. But has anyone built such a beast ?

Ian.
------------------------------------------------------------------------------
Ian Marr
Wingrove, 10 St Georges Road, Sevenoaks, KENT, TN13 3ND, UK
im@warburg.demon.co.uk
I speak for myself and no one else

From firewalls-owner Thu Sep 29 08:36:45 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id PAA04111; Thu, 29 Sep 1994 15:20:10 GMT
Received: from cheops.anu.edu.au by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id IAA04098; Thu, 29 Sep 1994 08:19:51 -0700
Message-Id: <199409291519.IAA04098@mycroft.GreatCircle.COM>
Received: by cheops.anu.edu.au (1.38.193.3/16.2) id AA23960; Fri, 30 Sep 94 01:18:52 +1000
From: Darren Reed
Subject: Re: DNS serving both sides
To: jimc@e-Commerce.Com
Date: Fri, 30 Sep 1994 01:18:52 +1000 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <9409291223.AA15416@viper.e-Commerce.Com> from "Jim Carroll" at Sep 29, 94 08:23:22 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 816
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>
> I'm up against a bit of a poser.
>
> Got a scenario where a client will only have one DNS server available,
> that being on a dual-homed bastion.
>
> Question is, is there a way of setting up the server such that it
> would tell Internet users to resolve to Interface A, while telling
> internal users to resolve to Interface B?

What if you ran two DNS servers on the same host? The idea would be to have one bind to port 53 of interface A and the other bind to port 53 of interface B. Of course, to do this, you'll need to get BIND 4.9.2 and hack it, but I do expect it will work. Or is this not a possible solution?

Oh, you'll also need to pick one to pick up 127.0.0.1.53 and one not to.

However, I would try some more at convincing your client to run two and the second on an internal host.
darren

From firewalls-owner Thu Sep 29 08:58:18 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA03047; Thu, 29 Sep 1994 13:19:06 GMT
Received: from triton.eckerd.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id GAA03040; Thu, 29 Sep 1994 06:18:43 -0700
Received: from acasun.eckerd.edu by triton.eckerd.edu (5.0/SMI-SVR4) id AA00565; Thu, 29 Sep 1994 09:19:16 +0500
Received: by acasun.eckerd.edu (5.0/SMI-SVR4) id AA03428; Thu, 29 Sep 1994 09:15:05 +0500
From: pfalzgmh@acasun.eckerd.edu (Marisa H. Pfalzgraf)
Message-Id: <9409291315.AA03428@acasun.eckerd.edu>
Subject: Re: Poor Response on Firewall
To: firewalls@GreatCircle.COM
Date: Thu, 29 Sep 1994 09:15:04 -0400 (EDT)
Cc: pfalzgmh@acasun.eckerd.edu (Marisa H. Pfalzgraf)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1697
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Recently I posted:

> I'm trying to set up a Sun running Solaris 2.3 as a firewall with IP
> forwarding turned off and using SOCKS to re-establish functionality for
> internal machines. Response to any commands such as "ftp", "telnet", etc.
> is greatly degraded either run directly from the firewall or using
> SOCKSified software from an internal machine. There is no improvement in
> response if an IP address is used in the commands in place of a site name.
> The lag in the response occurs AFTER the "Connected to site.name. Escape
> character is '^]'." message. Pings to remote systems from the firewall
> give a normal response time.

Thanks go to everyone who responded. The largest consensus was that it was a problem with DNS - which was correct! The kudos goes to Dan Murphy who gave me the specifics on what might be wrong with my DNS setup. He wrote:

> We had a similar problem when we first set up our firewall.
> It turned out
> to be due to some DNS configuration error at our access provider: their DNS
> server was sending hostname lookups to our server, but not reverse hostname
> lookups, which some 'ftp' and 'telnet' applications use to validate the IP
> address/hostname mapping on incoming connections for audit purposes.

Once our service provider included the IP.in-addr.arpa entry for our new IP address, everything worked wonderfully!

Thank you for the responses & hints from:
Dan Murphy            dmurphy@cwa.com
Omy Shani             Omy.Shani@Corp.Sun.COM
Charles Carvalho      charles@acc.com
Ken Hardy             ken@bridge.com
Richard Huddleston    reh@wam.umd.edu
David Wolfskill       david@greatbasin.com
Brent Chapman         brent@GreatCircle.COM
J. Eric Townsend      jet@abulafia.genmagic.com

From firewalls-owner Thu Sep 29 09:39:19 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id PAA04227; Thu, 29 Sep 1994 15:39:25 GMT
Received: from relay.tis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id IAA04219; Thu, 29 Sep 1994 08:39:13 -0700
Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma012049; Thu Sep 29 11:39:12 1994
Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA05507; Thu, 29 Sep 94 11:39:05 EDT
Message-Id: <9409291539.AA05507@tis.com>
From: Frederick M Avolio
X-Organization: Trusted Information Systems, Inc.
X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363
To: firewalls@greatcircle.com
Subject: Three New Firewall Proxies From TIS
Date: Thu, 29 Sep 94 11:39:04 -0400
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

TIS has announced 3 new proxies for Gauntlet and for the freely available TIS Internet Firewall Toolkit. Details were mailed to the fwtk-users mailing list, and put on our web server (www.tis.com under the Network Security & Firewalls bullet) and in our ftp area (ftp.tis.com under /pub/firewalls/gauntlet/new-features).
Fred

From firewalls-owner Thu Sep 29 10:21:52 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id PAA04051; Thu, 29 Sep 1994 15:13:26 GMT
Received: from uvs1.orl.mmc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id IAA04039; Thu, 29 Sep 1994 08:13:08 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA00272; Thu, 29 Sep 94 11:01:08 -0400
Date: Thu, 29 Sep 94 11:01:07 -0400
Message-Id: <9409291501.AA00272@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Janus DNS
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Jim writes:
>Question is, is there a way of setting up the server such that it
>would tell Internet users to resolve to Interface A, while telling
>internal users to resolve to Interface B?

Of course there is, the only question is how difficult is it to do in the box you have (might be easier to set up two DNSes).

The real question is "What DNSes can differentiate between internal requests and external ones?".

On the one hand, it is easy: in order to be able to respond to a request, the DNS must know where the request came from (from the firmware MAC address if not from the IP). Given this, identification as to inside or outside should be no more than comparison to inside addresses and deciding outside if not.

On the other hand, this information may not be available to the DNS resolution software. In this case, if you are not a programmer, it would be impossible.

On the gripping hand, you could either write your own DNS response software, or, as mentioned above, use two DNSes - one to resolve outside inquiries and a second to resolve inside inquiries.
Warmly,
Padgett

From firewalls-owner Thu Sep 29 11:03:58 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA03577; Thu, 29 Sep 1994 14:16:11 GMT
Received: from nsco.network.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA03571; Thu, 29 Sep 1994 07:15:56 -0700
From: ted.doty@nsco.network.com
Received: from doty.network.com by nsco.network.com (4.1/1.34) id AA07198; Thu, 29 Sep 94 09:17:12 CDT
Date: Thu, 29 Sep 94 10:06:16 PDT
Subject: Re: 'active' and 'pasive' firewalls
To: firewalls@greatcircle.com
X-Mailer: Chameleon - TCP/IP for Windows by NetManage, Inc.
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Marcus Ranum raises a raft of interesting points, but this discussion is wandering far afield indeed. I confess to being the guilty party here ... "just answering a question" starts you down the slippery slope.

Rather than take more bandwidth on this, let me make two suggestions:

1. Why doesn't someone set up a "Firewalls-philosophy" list, so we can segregate this type of question from the technical ("how can I proxy MOSAIC") ones. Not that these questions are bad, quite to the contrary. Let's just keep the two communities from using each other's bandwidth.

2. On a more personal level, I will be giving a talk on Firewall Routing in December at the 10th Annual Computer Security Applications Conference in Orlando. Anyone who wants to come and throw tomatoes is welcome.

And now back to Brent's regularly scheduled programming ...

- Ted

--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation   | phone: +1 301 596-2270
8965 Guilford Road, Suite 250           | fax: +1 410 381-3320
Columbia, MD, 21046 USA                 | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious.
Any resemblance to real opinions, living or dead, is purely coincidental.

From firewalls-owner Thu Sep 29 11:21:08 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA04742; Thu, 29 Sep 1994 16:31:00 GMT
Received: from sdata.no by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id JAA04736; Thu, 29 Sep 1994 09:30:48 -0700
Received: from breng.sdata.no ([193.216.12.65]) by sdata.no (4.1/SMI-4.1) id AA26003; Thu, 29 Sep 94 17:30:32 +0100
Date: Thu, 29 Sep 94 17:30:32 +0100
From: Einar.Landre@sdata.no (Einar Landre)
Message-Id: <9409291630.AA26003@sdata.no>
To: firewalls@GreatCircle.COM
Subject: Returned mail: User unknown
Cc: Einar.Landre@sdata.no
X-Sun-Charset: US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hi there,

I wonder where can I obtain a proxy for NNTP (news) protocol. I have heard about something called nntpxd, but I don't know where to obtain it.

Thanks in advance

Regards,
Einar Landre, Sen. System Eng.
Skrivervik Data AS, Oslo Norway.

From firewalls-owner Thu Sep 29 11:39:31 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA04770; Thu, 29 Sep 1994 16:34:23 GMT
Received: from sdata.no by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id JAA04763; Thu, 29 Sep 1994 09:33:49 -0700
Received: from breng.sdata.no ([193.216.12.65]) by sdata.no (4.1/SMI-4.1) id AA26055; Thu, 29 Sep 94 17:33:19 +0100
Date: Thu, 29 Sep 94 17:33:19 +0100
From: Einar.Landre@sdata.no (Einar Landre)
Message-Id: <9409291633.AA26055@sdata.no>
To: firewalls@greatcircle.com
Subject: Where do I get an NNTP proxy
X-Sun-Charset: US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hi there,

I wonder where can I obtain a proxy for NNTP (news) protocol. I have heard about something called nntpxd, but I don't know where to obtain it.

Thanks in advance

Regards,
Einar Landre, Sen. System Eng.
Skrivervik Data AS, Oslo Norway.
----- End Included Message -----

From firewalls-owner Thu Sep 29 12:30:47 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA03408; Thu, 29 Sep 1994 13:54:22 GMT
Received: from pine.proxima.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id GAA03352; Thu, 29 Sep 1994 06:48:53 -0700
Received: from elm by pine.proxima.com (NX5.67d/NX3.0M) id AA03122; Thu, 29 Sep 94 09:48:04 -0400
Message-Id:
Received: by elm.proxima.com (NX5.67e/NX3.0X) id AA04824; Thu, 29 Sep 94 09:48:18 -0400
Content-Type: text/plain
Mime-Version: 1.0 (NeXT Mail 3.3 v116.1)
Received: by NeXT.Mailer (1.116.1.RR)
From: "Eric A. Litman"
Date: Thu, 29 Sep 94 09:48:16 -0400
To: jtalvy@cantor.com
Subject: Re: Re[2]: xforward as proxy
Cc: firewalls@greatcircle.com
Reply-To: elitman+@proxima.com
Organization: Proxima, Inc.
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

udprelay is a good starting point for an X proxy. In fact, we have modified it internally to act as such.

--
Eric Litman                   Proxima, Inc.        vox: (703) 506.1661
Director, Network Services    McLean, VA           elitman+@proxima.com

Begin forwarded message:

From: jtalvy@cantor.com
Date: Wed, 28 Sep 94 12:15:42 EST
Encoding: 24 Text
To: "Eric A. Litman"
Subject: Re[2]: xforward as proxy

X is not udp.

Just my 2 cents worth.

James

______________________________ Reply Separator _________________________________
Subject: Re: xforward as proxy
Author: "Eric A. Litman" at Internet
Date: 9/27/94 9:44 PM

> > 3) when I issue the command "export DISPLAY=jupiter:X.Y"
> > does this mean that the X server on the host jupiter
> > should be listening on port 6000 + X, or 6000 + Y, or
> > no direct relation exists. The code in Xforward is not
> > clear on this issue. It extracts X.Y and add it to 6000.
> > I may have missed something.

Have you taken a look at udprelay and a reasonable set of filters on your routers?

--
Eric Litman                   Proxima, Inc.        vox: (703) 506.1661
Director, Network Services    McLean, VA           elitman+@proxima.com

From firewalls-owner Thu Sep 29 13:12:19 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id PAA04377; Thu, 29 Sep 1994 15:55:38 GMT
Received: from probe.cacd.rockwell.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id IAA04371; Thu, 29 Sep 1994 08:55:30 -0700
From: kelauben@cacd.rockwell.com
Message-Id: <199409291555.IAA04371@mycroft.GreatCircle.COM>
Received: by probe.cacd.rockwell.com (1.37.109.8/16.2) id AA07619; Thu, 29 Sep 1994 10:55:07 -0500
Date: Thu, 29 Sep 1994 10:55:07 -0500
Subject: syslogd on hpux
To: firewalls@GreatCircle.COM
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I've been testing some of the tools in the TIS toolkit and have run into some problems. I'm running hpux 9.01 with its native syslogd. I'm able to successfully connect to both tn-gw and ftp-gw pieces of the toolkit, but no entries show up in the /usr/adm/syslog file. Is there anything special that I have to do to make this happen?

I would also appreciate making contact with someone who is running the TIS toolkit on hpux.

Any help would be appreciated. Thanks in advance.

--
Karl Laubengayer              ms 106-180
Rockwell International        kelauben@cacd.rockwell.com
400 Collins Rd. NE            (319)395-3297
Cedar Rapids, Iowa 52498
"We have met the enemy and he is us!"
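An added illustration of the "DNS serving both sides" thread above (Jim Carroll's question, the two-server and "Janus DNS" replies), not code from any of the posters: a small Python responder that classifies each query by its source address against the inside prefixes and answers from the internal or external view, and a reverse (in-addr.arpa) lookup that likewise only reveals what the chosen view contains. The network numbers and host names are constructed for the example, using documentation and private ranges.

```python
import ipaddress
from typing import Optional

# Constructed example data: the bastion is dual-homed. Interface A faces the
# Internet, Interface B faces the inside network. None of these are real hosts.
INSIDE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),   # loopback queries count as inside
]

# Two views of the same zone. Outside clients must only ever learn Interface A;
# inside clients get Interface B plus the internal-only hosts.
VIEWS = {
    "external": {
        "bastion.example.test": "198.51.100.1",      # Interface A
        "www.example.test": "198.51.100.1",          # served via the bastion
    },
    "internal": {
        "bastion.example.test": "10.0.0.1",          # Interface B
        "www.example.test": "10.0.0.1",
        "fileserver.example.test": "10.0.5.20",      # never visible outside
    },
}


def select_view(source_ip: str) -> str:
    """Inside if the query's source address falls in any inside prefix,
    otherwise outside: the default is the less revealing view."""
    addr = ipaddress.ip_address(source_ip)
    return "internal" if any(addr in net for net in INSIDE_NETS) else "external"


def resolve(name: str, source_ip: str) -> Optional[str]:
    """Answer an A query for `name` from the view chosen by `source_ip`.
    None (NXDOMAIN) when the name is absent from that view, so an
    internal-only host is not disclosed to outside queriers."""
    view = select_view(source_ip)
    return VIEWS[view].get(name.lower().rstrip("."))


def ptr_name(ip: str) -> str:
    """The in-addr.arpa name a reverse lookup for `ip` asks for."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def resolve_ptr(ip: str, source_ip: str) -> Optional[str]:
    """Reverse lookup within the selected view. The external view only maps
    Interface A, so outside queriers cannot map inside addresses to names;
    with several names on one address the first listed wins."""
    view = VIEWS[select_view(source_ip)]
    for name, addr in view.items():
        if addr == ip:
            return name
    return None


def leaked_names() -> list:
    """Zone-data sanity check: names whose external answer is an inside
    address. Anything listed here exposes internal addressing to the world."""
    return [name for name, ip in VIEWS["external"].items()
            if any(ipaddress.ip_address(ip) in net for net in INSIDE_NETS)]


if __name__ == "__main__":
    for src in ("10.0.3.7", "127.0.0.1", "203.0.113.9"):
        print(src, select_view(src),
              resolve("bastion.example.test", src),
              resolve("fileserver.example.test", src),
              resolve_ptr("10.0.5.20", src))
    print("external view leaks:", leaked_names())
```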
From firewalls-owner Thu Sep 29 13:53:50 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA04595; Thu, 29 Sep 1994 16:10:06 GMT
Received: from amdahl.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id JAA04584; Thu, 29 Sep 1994 09:09:36 -0700
Received: by amdahl.com (/\==/\ Smail #25.33) id ; Thu, 29 Sep 94 09:09 PDT
Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA08428; Thu, 29 Sep 1994 09:10:00 +0800
Date: Thu, 29 Sep 1994 09:10:00 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
Message-Id: <9409291610.AA08428@brittany.oes.amdahl.com>
To: jimc@e-Commerce.Com
Subject: Re: DNS serving both sides
Cc: firewalls@greatcircle.com
X-Sun-Charset: US-ASCII
content-length: 1277
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I don't have the answer, but I need it:) If someone emails you with the answer, could you forward it to me?

Actually I do have "an" answer I thought up yesterday... Hack the named source to get in.named to accept a port. Make another program to listen on the normal port that passes the requests on to one of two other ports, one with a daemon that has a database for internal view, and the other that has a database for external view... I think I could do it in an afternoon, so it'd probably take a week.

Another harder idea would be to hack in.named to support this directly.

Patrick

These opinions are mine, and not Amdahl's (except by coincidence;).

Patrick J. Horgan            Amdahl Corporation
patrick@oes.amdahl.com       1250 East Arques Avenue
Phone : (408)992-2779        P.O. Box 3470 M/S 316
FAX : (408)773-0833          Sunnyvale, CA 94088-3470
O16-2294                     Have Sword, Will Travel

From firewalls-owner Thu Sep 29 16:38:51 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA04665; Thu, 29 Sep 1994 16:21:03 GMT
Received: from sequoia.itd.uts.EDU.AU by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id JAA04659; Thu, 29 Sep 1994 09:20:53 -0700
Received: from matt.itd.uts.edu.au by sequoia.itd.uts.EDU.AU with SMTP id AA10721 (5.65c/IDA-1.4.4 for ); Fri, 30 Sep 1994 02:20:15 +1000
Received: by matt.itd.uts.edu.au (5.0/SMI-SVR4) id AA12168; Fri, 30 Sep 1994 02:22:59 +1000
From: matt@uts.EDU.AU (Jas (Matthew K))
Message-Id: <9409291622.AA12168@matt.itd.uts.edu.au>
Subject: Re: Non-registered access
To: im@warburg.demon.co.uk (Ian Marr)
Date: Fri, 30 Sep 1994 02:22:58 +1000 (EST)
Cc: firewalls@greatcircle.com (Firewalls Mailing List)
In-Reply-To: <9409291324.AA04619@warburg.demon.co.uk> from "Ian Marr" at Sep 29, 94 02:24:38 pm
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 1215
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Ian Marr wrote this...
>
> A. Padgett Peterson, P.E. Information Security writes:
> >
> > >I have a client who has an IP network based on a non-registered B class
> > >address. They wish to connect to the Internet and can either:
> >
> > The easiest mechanism would be to use a translating system to exchange
> > internal IP addresses for external ones.
>
> Easy ?! I'm not so sure. But has anyone built such a beast ?
>
> Ian.

Yeah, I don't think it would be that difficult: make a hashing function that handles collisions, then once you get an address shove it in an active hash table. I don't think it would be that difficult, just a matter of sitting down and doing it.
Matt -- Matthew Keenan Systems Programmer Information Technology Division University of Technology Sydney Australia www: http://milliways.itd.uts.edu.au/~matt/ email: matt@uts.edu.au phone: +61 2 330 1390 "Don't murder a man who is about fax: +61 2 330 1999 to commit suicide." home: +61 2 416 5722 -- Machiavelli GCV 2.1 GAT/M/CS d--(-+) H-- s++:-- g+ p? !au a-(?) w+++ v+ C+++$ UVS++++$ P+>+++ L- 3+++ E-(++) N++ K W--- M+ V-- -po+(+) Y+ t+ !5>++ jx R+ G? !tv b+++ D++ B e+ u--(**) h- f+(*) r n- !y From firewalls-owner Thu Sep 29 18:33:29 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id RAA05413; Thu, 29 Sep 1994 17:22:48 GMT Received: from mail.llnl.gov by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id KAA05407; Thu, 29 Sep 1994 10:22:29 -0700 From: JSAYER@ARAC.llnl.gov Received: from DECNET-MAIL (JSAYER@ARAC) by mail.llnl.gov (PMDF V4.2-14 #5723) id <01HHOJ3EW18G005AFV@mail.llnl.gov>; Thu, 29 Sep 1994 10:22:15 PST Date: Thu, 29 Sep 1994 10:22:15 -0800 (PST) Subject: Commercial Firewalls Comments To: Firewalls@GreatCircle.COM Message-id: <01HHOJ3EXN3M005AFV@mail.llnl.gov> X-Envelope-to: Firewalls@GreatCircle.COM X-VMS-To: MAIL::IN%"Firewalls@GreatCircle.Com" MIME-version: 1.0 Content-transfer-encoding: 7BIT Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk I would like to get some comments on commercial firewalls from those who are using them. Things that went well as well as those that didn't. Thank you John M. 
Sayer
From firewalls-owner Thu Sep 29 19:55:48 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA03777; Thu, 29 Sep 1994 14:38:42 GMT Received: from uvs1.orl.mmc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA03771; Thu, 29 Sep 1994 07:38:29 -0700 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA29784; Thu, 29 Sep 94 09:34:00 -0400 Date: Thu, 29 Sep 94 09:34:00 -0400 Message-Id: <9409291334.AA29784@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: Translating system Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk
> Easy ?! I'm not so sure. But has anyone built such a beast ?

Well sort of - I have a bridge running at home that has been used for PofP experiments so I know it can be done but is not something I would want to hand to a user or even an administrator.

The principle is simple: firewalls receive packets but instead of just translating to the internal protocols, examine the packet for type, source, and destination (these being bytes at specific offsets in the header). Since the information is already in a buffer, it is simple to add logic to change the source or destination to "something else" since it is just a matter of byte for byte replacement.

Now if there were a direct map that could be used (for example if the internal network used a class B addressing as was mentioned but the set was logic mappable), this would be trivial. If not, translation tables would be necessary.

An example: Consider a system that used the internal address 150.1.1.25 (class B) but had a registered class C address of 257.10.20.x then translation of 150.1.1.25 to 257.10.20.25 would be a simple logic sieve. Of course if you have more than 254 nodes requiring access this would require something more imaginative (and/or multiple Class Cs).
If simple mapping were not used, then a more complex algorithm would be necessary with table mapping the Last Resort (_Total Recall_). But the important element is that the firewall already has the information, is fixed length, knows where it is, and modification is easy (could even use COBOL - is good at modifying precisely located fixed length records 8*).

Warmly, Padgett
From firewalls-owner Thu Sep 29 20:00:17 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA03501; Thu, 29 Sep 1994 14:01:08 GMT Received: from relay.tis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA03493; Thu, 29 Sep 1994 07:00:56 -0700 Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma010723; Thu Sep 29 10:00:52 1994 Received: from otter.tis.com. by tis.com (4.1/SUN-5.64) id AA11552; Thu, 29 Sep 94 10:00:46 EDT From: Marcus J Ranum Message-Id: <9409291400.AA11552@tis.com> Subject: Re: 'active' and 'pasive' firewalls To: ted.doty@nsco.network.com Date: Thu, 29 Sep 1994 10:02:24 -0400 (EDT) Cc: firewalls@greatcircle.com In-Reply-To: from "ted.doty@nsco.network.com" at Sep 28, 94 04:32:23 pm Organization: Trusted Information Systems, Inc. Glenwood, MD Phone: 301-854-6889 Content-Type: text Content-Length: 2199 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk
ted.doty@nsco.network.com writes:
> Set
> up your router, apply your filters, and let the users fire away. The
> transparency of the system is perhaps its strongest point.

The transparency of the system is also its weakest point. Let me explain. Barring changes to IP or to the applications you're running at each end of your network stream, you're left relying on the quality of the implementation of all the software that supports all the services you're letting through. So, if you permit SMTP through to talk to 5 hosts, you now have 5 copies of sendmail to worry about.
If you permit external traffic to 3 machines, you now have 3 machines worth of CERT advisories (and the stuff CERT hasn't mentioned yet) to worry about. It's very nice to force everything through one (or to try, anyhow, Mike Muuss' point about how hard this can be is very well taken) system, so you have one point to maintain and defend.

If we have authentication and encryption in our IP stack, then we can begin to consider (in a limited number of cases) permitting such traffic directly through from the outside to the inside without an interruption.

Conceptually, there's a problem with "transparent" security. If it's "transparent," how effective can it be? Not very, I suspect.

Analogies are weak, but let's put implementation details aside and I'll try one. Someone comes to me and says, "I need a secure front door for my house. It has to be bullet and fireproof and it has to open automatically whenever I walk up to it, since I can't be bothered to operate the lock." Now, there's lots of ways that you can actually *DO* that, but it involves having the user wear some kind of active badge (IP level encryption + authentication, etc) and then you have to worry about whether or not the badge has been stolen. That's why, when you go into highly secured facilities (Ted, you've been at the fort, right?) you have to have a badge *AND* enter a keycode, and so forth.

I think it all boils down to how much assurance you need that the security works. The more transparent it is, the more easy I suspect it'll be to find a way to spoof being the person for whom the security becomes transparent.

mjr.
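Padgett's "translating system" post above describes the rewrite as a byte-for-byte replacement at a fixed header offset. The following is an added example, not code from the thread or from any product named in it: a Python script that builds a constructed IPv4/TCP packet, overwrites its source address at that fixed offset, and patches the IP header checksum and the TCP checksum incrementally per RFC 1624 rather than recomputing them. It also demonstrates the two caveats that later replies in this thread raise: the TCP/UDP checksum covers the addresses through the pseudo-header, so the transport checksum has to be patched as well as the IP one, and a protocol such as FTP spells the client's address out inside its PORT command, where a header-only rewrite never looks. The addresses 10.1.1.25 (inside host), 192.0.2.1 (gateway) and 192.0.2.50 (outside server), the port numbers and the FTP payload are all constructed for the demo.

```python
"""Added example (not from the thread): NAT source rewrite with incremental
checksum update, plus the pseudo-header and in-payload-address caveats."""
import socket
import struct

# Constructed addresses for the demo: an RFC 1597 private host behind the
# gateway, the gateway's registered address, and an outside FTP server.
INTERNAL = "10.1.1.25"
EXTERNAL = "192.0.2.1"
OUTSIDE = "192.0.2.50"
PAYLOAD = b"PORT 10,1,1,25,4,1\r\n"   # FTP spells the client address out in the data


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Full Internet checksum of a buffer whose checksum field is zeroed."""
    return (~ones_complement_sum(data)) & 0xFFFF


def incremental_checksum(old_csum: int, old_word: int, new_word: int) -> int:
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), for one replaced 16-bit word."""
    total = (~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """IPv4 header (no options) + TCP header (no options) + payload, checksums filled in."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))   # pseudo-header covers both addresses
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def nat_rewrite_source(pkt: bytes, new_src: str) -> bytes:
    """Overwrite the source address at its fixed offset (bytes 12-15) and patch
    both checksums incrementally; nothing else in the datagram is touched."""
    old_b, new_b = pkt[12:16], socket.inet_aton(new_src)
    ip_csum = struct.unpack("!H", pkt[10:12])[0]
    tcp_csum = struct.unpack("!H", pkt[36:38])[0]   # 20-byte IP header + 16
    for i in (0, 2):   # the address is two 16-bit words
        old_w = struct.unpack("!H", old_b[i:i + 2])[0]
        new_w = struct.unpack("!H", new_b[i:i + 2])[0]
        ip_csum = incremental_checksum(ip_csum, old_w, new_w)
        tcp_csum = incremental_checksum(tcp_csum, old_w, new_w)   # pseudo-header term
    return (pkt[:10] + struct.pack("!H", ip_csum) + new_b + pkt[16:36]
            + struct.pack("!H", tcp_csum) + pkt[38:])


def checksums_valid(pkt: bytes) -> bool:
    """A receiver's check: both one's-complement sums over the covered bytes fold to 0xFFFF."""
    ip, tcp = pkt[:20], pkt[20:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return ones_complement_sum(ip) == 0xFFFF and ones_complement_sum(pseudo + tcp) == 0xFFFF


def payload_mentions(pkt: bytes, addr: str) -> bool:
    """True if the TCP payload still carries addr in FTP's 'a,b,c,d' form."""
    return addr.replace(".", ",").encode() in pkt[40:]


def demo() -> dict:
    """Rewrite one constructed packet and report what a receiver would see."""
    pkt = build_packet(INTERNAL, OUTSIDE, 40000, 21, PAYLOAD)
    natted = nat_rewrite_source(pkt, EXTERNAL)
    return {
        "before_ok": checksums_valid(pkt),
        "after_ok": checksums_valid(natted),
        "src_after": socket.inet_ntoa(natted[12:16]),
        # Incremental patching must agree with a from-scratch recomputation.
        "matches_full_recompute": natted == build_packet(EXTERNAL, OUTSIDE, 40000, 21, PAYLOAD),
        # The header rewrite cannot see the address inside the FTP PORT command.
        "payload_leaks_internal": payload_mentions(natted, INTERNAL),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The incremental form matters because the gateway only holds the bytes it is changing; it never has to walk the whole segment. The last field of `demo()` is the reason a NAT that handles FTP also needs an application-level helper: the rewritten packet still carries `10,1,1,25` in its data.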
From firewalls-owner Thu Sep 29 20:11:11 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id SAA05954; Thu, 29 Sep 1994 18:06:27 GMT Received: from nda.nda.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id LAA05948; Thu, 29 Sep 1994 11:06:17 -0700 Received: from localhost (kovar@localhost) by nda.nda.com (8.6.4/8.6.4) id OAA04785 for firewalls@greatcircle.com; Thu, 29 Sep 1994 14:06:26 -0400 From: David Kovar Message-Id: <199409291806.OAA04785@nda.nda.com> Subject: Firewall products - this should be a FAQ To: firewalls@greatcircle.com Date: Thu, 29 Sep 1994 14:06:26 -0400 (EDT) X-Mailer: ELM [version 2.4 PL20] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 253 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk I need to do some research on existing firewall products. This includes things like SEAL and TIS, as well as companies making out of the box hardware solutions. Is there a list of all the various products, with contact information? TIA. -David From firewalls-owner Thu Sep 29 20:37:03 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id DAA12740; Fri, 30 Sep 1994 03:16:29 GMT Received: from global1.global.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id UAA12718; Thu, 29 Sep 1994 20:16:14 -0700 Received: by global1.global.net (8.6.9/2.29) id UAA29550; Thu, 29 Sep 1994 20:14:43 -0700 Date: Thu, 29 Sep 1994 20:14:43 -0700 From: johnr@global.net (John A. Russo - GlobalNet) Message-Id: <199409300314.UAA29550@global1.global.net> To: Firewalls@GreatCircle.COM Subject: Re: Firewalls Digest V3 #332 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk I hear things are looking pretty good. How did everything work today? 
John
From firewalls-owner Thu Sep 29 20:45:36 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id SAA06091; Thu, 29 Sep 1994 18:19:21 GMT Received: from bos1b.delphi.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id LAA06085; Thu, 29 Sep 1994 11:19:14 -0700 Received: from delphi.com by delphi.com (PMDF V4.3-9 #7804) id <01HHOPYTH9V48YLBBB@delphi.com>; Thu, 29 Sep 1994 14:19:24 -0400 (EDT) Date: Thu, 29 Sep 1994 14:19:24 -0400 (EDT) From: "Save a tree: kill an ISO Working Group." Subject: Newbie firewall question. To: firewalls@GreatCircle.COM Message-id: <01HHOPYTHT5E8YLBBB@delphi.com> X-VMS-To: IN%"firewalls@GreatCircle.COM" X-VMS-Cc: DOUGM MIME-version: 1.0 Content-type: TEXT/PLAIN; CHARSET=US-ASCII Content-transfer-encoding: 7BIT Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk
Pardon if this is a simple-minded question, but I'm pretty much a novice with this stuff...

What is a _prudent_ approach, security-wise, for setting up a system (e.g. a WWW server) that's on the 'dirty' side of a firewall, so that it can get filesystem updates (e.g. update HTML files, ftp libraries, etc) from the 'safe' side of the firewall ? Or is this a bad idea?

Alternatively, can one set up a "bastion host" firewall to allow a system (e.g. WWW server) to provide service to the 'dirty side' of the firewall from the 'clean' side of the firewall, so that you can do things with the server like mount NFS volumes, etc.? Would the firewall just be set up as a screening router with

I looked in the FAQ, but I didn't find anything that helped wrt this specific question.

All help/clarification gratefully accepted.
/doug From firewalls-owner Thu Sep 29 20:50:31 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id TAA07130; Thu, 29 Sep 1994 19:42:08 GMT Received: from srv.cip.physik.tu-muenchen.de by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id MAA07123; Thu, 29 Sep 1994 12:41:47 -0700 Received: from ss5.cip.physik.tu-muenchen.de by srv.cip.physik.tu-muenchen.de with SMTP id AA02266 for (5.67a/IDA-1.5/bs03); Thu, 29 Sep 1994 20:41:40 +0100 Message-Id: <199409291941.AA02266@srv.cip.physik.tu-muenchen.de> To: Einar.Landre@sdata.no (Einar Landre) Cc: firewalls@greatcircle.com Subject: Re: Where do I get an NNTP proxy In-Reply-To: Your message of "Thu, 29 Sep 94 17:33:19 +0100." <9409291633.AA26055@sdata.no> Date: Thu, 29 Sep 94 20:41:39 +0100 From: Bernhard.Schneck@Physik.TU-Muenchen.DE Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk In message <9409291633.AA26055@sdata.no> you write: > > Hi there, > > I wonder where can I obtain a proxy for NNTP (news) protocol. I have > heard about something called nntpxd, but I don't know where to obtain it. What do you need that can't be done with the standard TIS plug-gw ? \Bernhard. 
From firewalls-owner Thu Sep 29 21:35:18 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id SAA06578; Thu, 29 Sep 1994 18:54:03 GMT Received: from nda.nda.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id LAA06571; Thu, 29 Sep 1994 11:53:52 -0700 Received: from localhost (kovar@localhost) by nda.nda.com (8.6.4/8.6.4) id OAA05861; Thu, 29 Sep 1994 14:53:58 -0400 From: David Kovar Message-Id: <199409291853.OAA05861@nda.nda.com> Subject: Re: Returned mail: User unknown To: Einar.Landre@sdata.no (Einar Landre) Date: Thu, 29 Sep 1994 14:53:58 -0400 (EDT) Cc: firewalls@GreatCircle.COM, Einar.Landre@sdata.no In-Reply-To: <9409291630.AA26003@sdata.no> from "Einar Landre" at Sep 29, 94 05:30:32 pm X-Mailer: ELM [version 2.4 PL20] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 362 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > Hi there, > > I wonder where can I obtain a proxy for NNTP (news) protocol. I have > heard about something called nntpxd, but I don't know where to obtain it. Rather than use a proxy for NNTP, we set up two NNTP servers, one outside, one inside. They feed each other, and things seem to be working well. A proxy would be more efficient, I'm sure. -David From firewalls-owner Thu Sep 29 21:38:54 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id SAA06244; Thu, 29 Sep 1994 18:29:24 GMT Received: from versant.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id LAA06238; Thu, 29 Sep 1994 11:29:09 -0700 Received: from gwarn.versant.com by versant.com (4.1/SMI-4.1) id AA20383; Thu, 29 Sep 94 11:32:03 PDT Message-Id: <9409291832.AA20383@versant.com> To: jimc@e-Commerce.Com Cc: firewalls@GreatCircle.COM, strick@gwarn.versant.com Subject: Re: DNS serving both sides In-Reply-To: Your message of "Thu, 29 Sep 94 08:23:22 EDT." 
<9409291223.AA15416@viper.e-Commerce.Com> Date: Thu, 29 Sep 94 11:27:53 -0700 From: strick -- henry strickland Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk
THUS SPAKE jimc@e-Commerce.Com (Jim Carroll):
#
# Question is, is there a way of setting up the server such that it
# would tell Internet users to resolve to Interface A, while telling
# internal users to resolve to Interface B?

in SunOS 4.1.1 (on my sun3/60) "named" seems to open a different udp port for each "home" address it has:

udp 0 0 140.174.114.1.53 *.*
udp 0 0 192.70.173.225.53 *.*
udp 0 0 192.245.54.11.53 *.*
udp 0 0 127.0.0.1.53 *.*
udp 0 0 *.53 *.*

Now certainly you could compile versions of "named" that look to command line args for 1) the name of a specific IP host address to bind, and 2) the name of a different "named.boot" (and "named.pid") to use for the database. (This is the bind() call that you have to change.) You will also have to provide the specific IP host address for binding the TCP socket:

tcp 0 0 *.53 *.*

In SunOS you have to call setsockopt(SO_REUSEADDR) to be able to reuse the port "53" in different programs that bind to different local IP hosts.

I don't know if anyone has packaged this yet, but I've done stuff similar (with gopher and ftp and www, not with named). Not too hard to develop the programs. (As for how well this works in the application you describe, I don't know, but it sounds plausible to me.)

strick

// // // strick / +1 415 329 7500 x116 / strick@versant.com / strick@yak.net // // //
From firewalls-owner Thu Sep 29 22:36:36 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id EAA14970; Fri, 30 Sep 1994 04:44:35 GMT Received: from databus.databus.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id VAA14964; Thu, 29 Sep 1994 21:44:16 -0700 Date: Fri, 30 Sep 94 00:41 EDT Message-ID: <9409300042.AA02964@databus.databus.com> From: Barney Wolff To: padgett@tccslr.dnet.mmc.com (A.
Padgett Peterson, P.E. Information Security), firewalls@greatcircle.com Subject: Re: Translating system Content-Length: 853 Content-Type: text Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk
> Date: Thu, 29 Sep 94 09:34:00 -0400
> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
>
> The principle is simple: firewalls receive packets but instead of just
> translating to the internal protocols, examine the packet for type,
> source, and destination (these being bytes at specific offsets in the
> header). Since the information is already in a buffer, it is simple to
> add logic to change the source or destination to "something else" since
> it is just a matter of byte for byte replacement.

This works for TCP & UDP because the checksum is incrementally updatable. In the general case of a protocol with a CRC including (for assurance against exactly this process :-) the source/dest IP addresses, this can't be done at all. Ditto encryption including the addresses.

Barney Wolff
From firewalls-owner Thu Sep 29 23:23:32 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id UAA07621; Thu, 29 Sep 1994 20:33:57 GMT Received: from border.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA07607; Thu, 29 Sep 1994 13:33:44 -0700 Received: by janus.border.com id <4420>; Thu, 29 Sep 1994 16:32:24 -0400 Date: Thu, 29 Sep 1994 16:34:45 -0400 From: Steven Lamb Reply-To: Steven Lamb Subject: Re: Non-registered access To: Ian Marr cc: firewalls@GreatCircle.COM In-Reply-To: <9409291324.AA04619@warburg.demon.co.uk> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Message-Id: <94Sep29.163224edt.4420@janus.border.com> Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk
On Thu, 29 Sep 1994, Ian Marr wrote:
> A. Padgett Peterson, P.E. Information Security writes:
> >
> > >I have a client who has an IP network based on a non-registered B class
> > >address.
> > >They wish to connect to the Internet and can either:
> >
> > The easiest mechanism would be to use a translating system to exchange
> > internal IP addresses for external ones.
>
> Easy ?! I'm not so sure. But has anyone built such a beast ?

One of the components of the Janus Firewall Server is that it performs network address translation. It hides all internal addresses behind the firewall allowing only the firewall's external IP address to be visible to the Internet. This re-mapping is invisible to the internal network and allows the use of non-registered or RFC1597 compliant addresses.

BNTI developed the Janus Firewall Server. Please feel free to contact me for more information

Steven Lamb
------------------------------------------------------------------------
Border Network Technologies Inc.        Email: slamb@border.com
1 Yonge Street, Suite 1400,             Tel:   +1 416 368 7157
Toronto, Ontario, Canada, M5E 1J9       Fax:   +1 416 368 7789
From firewalls-owner Thu Sep 29 23:36:25 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id UAA07805; Thu, 29 Sep 1994 20:46:51 GMT Received: from uvs1.orl.mmc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA07798; Thu, 29 Sep 1994 13:46:19 -0700 From: slamb@border.com Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA01847; Thu, 29 Sep 94 16:45:23 -0400 Date: Thu, 29 Sep 94 16:45:23 -0400 Message-Id: <9409292045.AA01847@uvs1.orl.mmc.com> To: padgett@tccslr.dnet.mmc.com Cc: "firewalls@greatcircle.com"@uvs1.dnet.mmc.com Subject: Re: Janus DNS Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk
On Thu, 29 Sep 1994 padgett@tccslr.dnet.mmc.com wrote:
> Jim writes:
> >Question is, is there a way of setting up the server such that it
> >would tell Internet users to resolve to Interface A, while telling
> >internal users to resolve to Interface B?
>
> Of course there is, the only question is how difficult is it to do in
> the box you have (might be easier to set up two DNSes). The real question
> is "What DNSes can differentiate between internal requests and external
> ones ?".
> On the other hand, this information may not be available to the DNS
> resolution software. In this case, if you are not a programmer, it would
> be impossible.

This dual name server functionality is also available with the Janus Firewall Server. An excerpt from the FAQ follows:

The Janus Firewall Server runs two separate DNS servers on the firewall itself. The External DNS server provides a limited external view of the organizational domain and initially configures itself with a number of standard names that all point at the firewall itself (such as mail, news, ftp, ns and www) as well as specific entries for the domain (so that connections can be conveniently made using only the organizational domain name) and whatever additional hostname is specified for the firewall. The External DNS also automatically installs NS and wildcard MX records that point to the firewall. Additional backup MX and secondary NS records can be configured by the administrator. No internal information is available to the External DNS and only the External DNS can communicate with the outside, so no internal naming information can be obtained by anyone on the outside. The External DNS cannot query the Internal DNS or any other DNS inside the firewall.

The Internal DNS is automatically configured with some initial information and can have additional hosts added via the administrator interface. Other internal domains or subdomains can be primaried, secondaried or delegated to other internal nameservers. The ability to prime the internal DNS by downloading host and NS delegation information from an existing DNS is available in the next minor release. The information managed by the Internal DNS is only available to internal machines.
The Internal nameserver cannot receive queries from external hosts since it cannot communicate directly with the external network. Resolution of external DNS information, both for the firewall itself and to handle internal queries for external information, is handled by the internal nameserver. Although it is unable to communicate directly with the external network, it is able to send queries and receive the responses via the External DNS.

BNTI produces the Janus Firewall Server. Please feel free to contact me for more information.

Steven Lamb
------------------------------------------------------------------------
Border Network Technologies Inc.        Email: slamb@border.com
1 Yonge Street, Suite 1400,             Tel:   +1 416 368 7157
Toronto, Ontario, Canada, M5E 1J9       Fax:   +1 416 368 7789
From firewalls-owner Thu Sep 29 23:40:10 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id WAA08597; Thu, 29 Sep 1994 22:13:55 GMT Received: from ashley.business.uwo.ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id PAA08591; Thu, 29 Sep 1994 15:13:33 -0700 Received: (from a5charti@localhost) by ashley.business.uwo.ca (8.6.8/8.6.6) id SAA03193; Thu, 29 Sep 1994 18:13:03 -0400 From: Alex Chartier Message-Id: <199409292213.SAA03193@ashley.business.uwo.ca> Subject: Re: Non-registered access To: im@warburg.demon.co.uk (Ian Marr) Date: Thu, 29 Sep 1994 18:13:03 -0400 (EDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <9409291324.AA04619@warburg.demon.co.uk> from "Ian Marr" at Sep 29, 94 02:24:38 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 542 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk
> > A. Padgett Peterson, P.E. Information Security writes:
> >
> > >I have a client who has an IP network based on a non-registered B class
> > >address.
> > >They wish to connect to the Internet and can either:
> >
> > The easiest mechanism would be to use a translating system to exchange
> > internal IP addresses for external ones.
>
> Easy ?! I'm not so sure. But has anyone built such a beast ?
>

Network Systems Packet Control Facility (included as part of all routers) allows you to translate IP addresses on the fly. Check it out.
From firewalls-owner Fri Sep 30 00:03:18 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id XAA09611; Thu, 29 Sep 1994 23:40:34 GMT Received: from ic.co.at by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA09599; Thu, 29 Sep 1994 16:40:08 -0700 Received: by ic.co.at id AA13343 (5.67b/IDA-1.5 for firewalls@greatcircle.com); Fri, 30 Sep 1994 01:40:02 GMT Message-Id: <199409300140.AA13343@ic.co.at> Subject: Re: syslogd on hpux To: kelauben@cacd.rockwell.com Date: Fri, 30 Sep 1994 01:40:02 +0000 (GMT) Cc: firewalls@greatcircle.com In-Reply-To: <199409291555.IAA04371@mycroft.GreatCircle.COM> from "kelauben@cacd.rockwell.com" at Sep 29, 94 10:55:07 am From: Michael Haberler Reply-To: mah@ic.co.at X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 765 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk
>
>
> I've been testing some of the tools in the TIS toolkit and have run into
> some problems. I'm running hpux 9.01 with its native syslogd. I'm able
> to successfully connect to both tn-gw and ftp-gw pieces of the toolkit, but
> no entries show up in the /usr/adm/syslog file. Is there anything special
> that I have to do to make this happen?

Yes. Hpux syslog(3) works on FIFOs and not on Unix domain sockets. A working version of syslogd.c for HPUX is on ftp.eunet.co.at:/outgoing/syslogd.c

> I would also appreciate making contact with someone who is running the TIS
> toolkit on hpux.

Not yet.
-michael
--
Michael Haberler mah@eunet.co.at EUnet Austria Ltd A-1090 Vienna, Austria, Thurngasse 8 Tel: +43 (1) 3174969 fax: +43 (1) 3106926
From firewalls-owner Fri Sep 30 00:19:11 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id XAA09155; Thu, 29 Sep 1994 23:06:18 GMT Received: from nda.nda.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA09148; Thu, 29 Sep 1994 16:05:56 -0700 Received: from localhost (kovar@localhost) by nda.nda.com (8.6.4/8.6.4) id TAA11208 for firewalls@GreatCircle.COM; Thu, 29 Sep 1994 19:06:01 -0400 From: David Kovar Message-Id: <199409292306.TAA11208@nda.nda.com> Subject: Packet filters vs other forms of firewalls To: firewalls@GreatCircle.COM Date: Thu, 29 Sep 1994 19:05:59 -0400 (EDT) X-Mailer: ELM [version 2.4 PL20] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1116 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk
A colleague is advocating using packet filters for security and is interested in knowing what benefit he'll get from going to a full(er) firewall configuration. I've enclosed an example filter configuration and am interested in knowing what holes it might leave that would be closed by another approach. The assumption here is that the services behind the openings in the filter are secure, which isn't a reasonable assumption. If we ran with this filter, what problems might we expect to encounter?

-David

permit all outgoing packets, icmp, udp, tcp or whatever.
permit incoming udp packets on port 53 (DNS)
deny all incoming icmp or udp packets.
permit all incoming packets for already established TCP connections
deny incoming TCP packets for X11 and NFS (I think 3000,3001,3002, 6000,6001,6002)
permit incoming TCP connections for ports > 1023     *** Perhaps a problem
permit incoming TCP connections for ports:
    53 (DNS)
    25 (SMTP) to mailhost
    Maybe turn on 80 (http), 119 (nntp), and for really daring sites
    23 (telnet), 21 (ftp), and 20 (ftp-data)
deny all incoming TCP connections
From firewalls-owner Fri Sep 30 04:39:01 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA16927; Fri, 30 Sep 1994 07:48:24 GMT Received: from bronze.lcs.mit.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id AAA16918; Fri, 30 Sep 1994 00:48:15 -0700 Received: by bronze.lcs.mit.edu (Sendmail 8.6.9/940527.SGW) id DAA20704; Fri, 30 Sep 1994 03:48:05 -0400 Date: Fri, 30 Sep 1994 03:48:05 -0400 From: hobbit@bronze.lcs.mit.edu (*Hobbit*) Message-Id: <199409300748.DAA20704@bronze.lcs.mit.edu> To: firewalls@greatcircle.com Subject: a very tiny terminology rant Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk
I would much rather think of Padgett's diagram as

                   ___________________________________________
                  | one of several possible                   |
                  | FIREWALL SYSTEMS, deployed where needed   |
                  |                                           |
                  |  ______________           _____________   |
<--"The World"----| PKT FILTER |-----------| PROXY HOST |------"INSIDE"-->
                  |  --------------           --------------  |
                  |                           _____________   |
                  |                          | LOGGER PC |    |
                  |                           -------------   |
                  |___________________________________________|

_H*
From firewalls-owner Fri Sep 30 05:37:15 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id JAA18077; Fri, 30 Sep 1994 09:47:21 GMT Received: from chenas.inria.fr by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id CAA18071; Fri, 30 Sep 1994 02:47:10 -0700 Received: from edf.edf.fr by chenas.inria.fr (5.65c8d/92.02.29) via Fnet-EUnet id AA07488; Fri, 30 Sep 1994 10:46:43 +0100 (MET) Received: from
cli57aa.asr.ici (cli57aa.der.edf.fr) by edf.edf.fr with SMTP id AA20777 (5.65c8/IDA-1.4.4); Fri, 30 Sep 1994 10:47:55 +0100 Received: by cli57aa.asr.ici (5.0/SMI-SVR4) id AA21719; Fri, 30 Sep 1994 10:47:45 --100 Date: Fri, 30 Sep 1994 10:47:45 --100 From: Yves.Dherbecourt@der.edf.fr (Yves Dherbecourt - IMA/ICI/ASR - 47653790) Message-Id: <9409300947.AA21719@cli57aa.asr.ici> To: im@warburg.demon.co.uk Cc: firewalls@greatcircle.com Subject: Re: Non-registered access Content-Length: 712 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk
RFC 1631 discusses the different concerns of Network Address Translation.

#----------------------------------------------------------------------------#
# Yves Dherbecourt                 | Tel : 33-1 47 65 37 90                    #
# Electricite de France            | Fax : 33-1 47 65 35 23                    #
# DER / IMA / ICI / ASR            | Tlx : 631576                              #
# 1, avenue du General de Gaulle   |                                           #
# 92141 CLAMART Cedex              | Email : Yves.Dherbecourt@der.edf.fr       #
# France                           |                                           #
#----------------------------------------------------------------------------#
From firewalls-owner Fri Sep 30 06:45:45 1994 Return-Path: Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA19445; Fri, 30 Sep 1994 13:21:20 GMT Received: from nsco.network.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id GAA19439; Fri, 30 Sep 1994 06:21:05 -0700 From: ted.doty@nsco.network.com Received: from doty.network.com by nsco.network.com (4.1/1.34) id AA08603; Fri, 30 Sep 94 08:22:24 CDT Date: Fri, 30 Sep 94 09:14:43 PDT Subject: Security Conference in December To: firewalls@greatcircle.com X-Mailer: Chameleon - TCP/IP for Windows by NetManage, Inc. Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk
I have had a number of requests for information about the upcoming computer security conference in December. This will deal with many aspects of computer and network security, including firewalls.

===============================================================
10th Annual Computer Security Application Conference
December 5-9, 1994
Grosvenor Resort, Orlando, FL

Sponsored by: Aerospace Computer Security Associates
in cooperation with
IEEE Computer Society/ Tech Committee on Security and Privacy
ACM SIG of Security, Audit, and Control

Cost (Tutorials): $215 member/$265 non-member/$215 student
Cost (Conference): $315 member/$385 non-member/$150 student

For info, contact George Mason University Center for Professional Development at (703) 993-2090.
=================================================================

I have no affiliation with this, except that I will be presenting there. Other than my bit, the conference catalog looks quite impressive.

- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation   | phone: +1 301 596-2270
8965 Guilford Road, Suite 250           | fax: +1 410 381-3320
Columbia, MD, 21046 USA                 | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.
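Returning to the packet-filter rule list David Kovar posted above (the "Packet filters vs other forms of firewalls" message): the following is an added example, not code from his message or from any product in this thread. It encodes his rules, in the order he gave them, as a first-match filter of the kind a screening router applies, evaluates a set of constructed sample packets against it, and counts the TCP ports on an inside host to which the outside can still open a connection, which makes the "> 1023" line he flagged concrete. The host addresses 192.0.2.25 (mailhost) and 192.0.2.40 are constructed; port 2049, the standard NFS port, is added beside the 3000-3002 he guessed at. "Established" is modelled as "ACK bit set and SYN clear", which is all a stateless router can check, and the last sample packet shows the consequence: a packet that merely claims to belong to an existing connection is passed to any port, something only a stateful filter or an application proxy can distinguish.

```python
"""Added example (not from the thread): first-match evaluation of the
packet-filter rules in David Kovar's post, run over constructed sample packets."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

MAILHOST = "192.0.2.25"       # constructed address of the site's mail host
OTHER_HOST = "192.0.2.40"     # constructed address of some other inside host

# The post guesses 3000-3002 for NFS; 2049 (nfs) is added here as the standard port.
X11_NFS_PORTS = {6000, 6001, 6002, 3000, 3001, 3002, 2049}


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (from the world) or "out" (to the world)
    proto: str              # "tcp", "udp" or "icmp"
    dst: str                # destination host
    dport: int = 0          # destination port (tcp/udp)
    syn: bool = False       # TCP SYN flag
    ack: bool = False       # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    text: str               # the rule as written in the post
    match: Callable[[Packet], bool]


def tcp(p: Packet) -> bool:
    return p.proto == "tcp"


# Rules in the order the post lists them; a stateless filter takes the first match.
# "Established" on such a router means "ACK set, SYN clear": it has no connection table.
RULES: List[Rule] = [
    Rule("permit", "all outgoing packets", lambda p: p.direction == "out"),
    Rule("permit", "incoming udp port 53 (DNS)", lambda p: p.proto == "udp" and p.dport == 53),
    Rule("deny", "all incoming icmp or udp", lambda p: p.proto in ("icmp", "udp")),
    Rule("permit", "established TCP (ACK set)", lambda p: tcp(p) and p.ack and not p.syn),
    Rule("deny", "incoming TCP to X11 and NFS", lambda p: tcp(p) and p.dport in X11_NFS_PORTS),
    Rule("permit", "incoming TCP to ports > 1023", lambda p: tcp(p) and p.dport > 1023),
    Rule("permit", "incoming TCP port 53 (DNS)", lambda p: tcp(p) and p.dport == 53),
    Rule("permit", "incoming TCP port 25 to mailhost",
         lambda p: tcp(p) and p.dport == 25 and p.dst == MAILHOST),
    Rule("deny", "all incoming TCP connections", tcp),
    Rule("deny", "default", lambda p: True),
]


def evaluate(p: Packet) -> Tuple[str, str]:
    """Return (action, rule text) of the first rule that matches."""
    for r in RULES:
        if r.match(p):
            return r.action, r.text
    raise AssertionError("unreachable: the default rule matches everything")


def new_connection(dst: str, dport: int) -> Packet:
    """An inbound TCP SYN, i.e. an attempt to open a new connection."""
    return Packet("in", "tcp", dst, dport, syn=True)


def permitted_new_connection_ports(dst: str) -> set:
    """All TCP ports on dst to which the filter lets the outside open a connection."""
    return {port for port in range(1, 65536)
            if evaluate(new_connection(dst, port))[0] == "permit"}


def audit() -> dict:
    """Decisions for a handful of constructed packets, keyed by a short label."""
    samples = {
        "outbound telnet": Packet("out", "tcp", OTHER_HOST, 23, syn=True),
        "inbound dns query": Packet("in", "udp", OTHER_HOST, 53),
        "inbound ping": Packet("in", "icmp", OTHER_HOST),
        "inbound smtp to mailhost": new_connection(MAILHOST, 25),
        "inbound smtp to other host": new_connection(OTHER_HOST, 25),
        "inbound telnet": new_connection(OTHER_HOST, 23),
        "inbound nfs": new_connection(OTHER_HOST, 2049),
        "inbound x11": new_connection(OTHER_HOST, 6000),
        "inbound service on 8080": new_connection(OTHER_HOST, 8080),
        # Not a SYN, so the filter treats it as part of an existing connection
        # whatever the port; only a stateful filter or a proxy can tell the difference.
        "inbound ack-only to telnet": Packet("in", "tcp", OTHER_HOST, 23, ack=True),
    }
    return {label: evaluate(p)[0] for label, p in samples.items()}


if __name__ == "__main__":
    for label, action in audit().items():
        print(f"{action:6}  {label}")
    print("new-connection ports reachable on a non-mail host:",
          len(permitted_new_connection_ports(OTHER_HOST)))
```

The count that the script prints is the practical answer to the "> 1023" question: every service that happens to listen on a high port on any inside host is reachable from outside under this rule set, and the filter's notion of "established" rests on a flag the sender chooses. Those are the holes a proxy-based or stateful firewall closes.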
From firewalls-owner Fri Sep 30 07:36:26 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA20030; Fri, 30 Sep 1994 14:27:29 GMT
Received: from hummer.e-Commerce.Com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA20022; Fri, 30 Sep 1994 07:27:15 -0700
Received: by hummer.e-Commerce.Com (4.1/SMI-4.1) id AA03850; Fri, 30 Sep 94 10:28:58 EDT
Received: from viper.e-commerce.com(198.235.154.21) by hummer via smap (V1.3mjr) id sma003848; Fri Sep 30 10:28:53 1994
Received: by viper.e-Commerce.Com (4.1/SMI-4.1) id AA21309; Fri, 30 Sep 94 10:27:20 EDT
Date: Fri, 30 Sep 94 10:27:20 EDT
From: jimc@e-Commerce.Com (Jim Carroll)
Message-Id: <9409301427.AA21309@viper.e-Commerce.Com>
To: ted.doty@nsco.network.com
Cc: firewalls@GreatCircle.COM
Subject: Re: 'active' and 'pasive' firewalls
In-Reply-To:
References:
Reply-To: jimc@e-Commerce.Com
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

ted doty writes:
>
> 1. Why doesn't someone set up a "Firewalls-philosophy" list, so we can
> segregate this type of question from the technical ("how can I proxy
> MOSAIC") ones. Not that these questions are bad, quite to the
> contrary. Let's just get the two communities from using each other's
> bandwidth.

I may be wrong, but I have a feeling that the majority of folks would end up subscribing to both lists. I know I would.

As a member of www-security, as soon as I discovered www-buyinfo, I subscribed to it, but have since started receiving duplicate messages as a result of cross-postings to both, which make up a large chunk of the traffic, from what I've seen. (Maybe I'm being too sensitive. :)

If you're concerned with bandwidth waste, figure out a good way for handling the 'subscribe' and 'Please unsubscribe me!!' messages which arrive here as a result of either ignorance or misinformation. ;)

My 2 ducats....
--
Jim Carroll -- jimc@e-Commerce.Com
e-Commerce, Inc., 1030 Kamato Road, Suite 201
Mississauga, Ontario, Canada L4W 4B6
Tel: +1 905 602 0863   Fax: +1 905 602 8402

From firewalls-owner Fri Sep 30 08:38:38 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA20338; Fri, 30 Sep 1994 14:52:25 GMT
Received: from wintermute.imsi.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id HAA20331; Fri, 30 Sep 1994 07:52:12 -0700
Received: from relay.imsi.com by wintermute.imsi.com id KAA28415; Fri, 30 Sep 1994 10:51:49 -0400
Received: from lorax.imsi.com by relay.imsi.com id KAA18066; Fri, 30 Sep 1994 10:51:48 -0400
Received: from localhost by lorax.imsi.com (4.1/SMI-4.1) id AA15218; Fri, 30 Sep 94 10:51:47 EDT
Message-Id: <9409301451.AA15218@lorax.imsi.com>
To: Steven Lamb
Cc: Ian Marr, firewalls@greatcircle.com
Subject: Re: Non-registered access
In-Reply-To: Your message of "Thu, 29 Sep 1994 16:34:45 EDT." <94Sep29.163224edt.4420@janus.border.com>
Reply-To: rens@imsi.com
Date: Fri, 30 Sep 1994 10:51:47 -0400
From: Rens Troost
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>>>>> "Steven" == Steven Lamb writes:

    Steven> One of the components of the Janus Firewall Server is that
    Steven> it performs network address translation. It hides all
    Steven> internal addresses behind the firewall allowing only the
    Steven> firewall's external IP address to be visible to the
    Steven> Internet. This re-mapping is invisible to the internal
    Steven> network and allows the use of non-registered or RFC1597
    Steven> compliant addresses.

The problem with network-level address translation gateways is that some application protocols (ftp, bootp, a variety of applications) pass IP addresses in the data portion of the packet. How do you deal with these?

Also, TCP and UDP incorporate the source and destination addresses in their respective checksum calculations. Do you patch these as well?
If so, doesn't this mean the firewall is busy recomputing checksums most of the time? Do you also have to deal with fragmentation and reassembly?

I'm curious about how well you get away with this approach.

-Rens

From firewalls-owner Fri Sep 30 09:41:34 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id PAA20647; Fri, 30 Sep 1994 15:27:10 GMT
Received: from chsun.eunet.ch by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id IAA20638; Fri, 30 Sep 1994 08:26:07 -0700
Received: from mozart.UUCP by chsun.eunet.ch (8.6.4/1.34) id QAA16471; Fri, 30 Sep 1994 16:26:51 +0100
Received: from santana.ergon.ch by mozart.ergon.ch (4.1/SMI-4.1) id AA11179; Fri, 30 Sep 94 15:58:49 +0100
Date: Fri, 30 Sep 94 15:58:49 +0100
From: sten@ergon.CH (Sten Gunterberg)
Message-Id: <9409301458.AA11179@mozart.ergon.ch>
To: firewalls@greatcircle.com
Subject: Re: Janus DNS
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Padgett writes:
>
> One the one hand, [...]
>
> One the other hand, [...]
>
> On the gripping hand, [...]
>

Wow! A Motie on the Internet! Shall we call for Kusnetzov?
:-)))

(sorry, just couldn't resist :)

From firewalls-owner Fri Sep 30 13:08:26 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id RAA22663; Fri, 30 Sep 1994 17:44:54 GMT
Received: from ncrhub1.NCR.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id KAA22654; Fri, 30 Sep 1994 10:44:27 -0700
Received: from ncruk by ncrhub1.NCR.COM id af14129; 30 Sep 94 13:13 EDT
Received: by ncruk.UnitedKingdom.NCR.CO.UK; 30 Sep 94 17:03:52 BST
Received: by acid.UnitedKingdom.NCR.CO.UK; 30 Sep 94 16:00:28 gmt
Subject: sea change firewall
To: firewalls@greatcircle.com
Date: Fri, 30 Sep 1994 17:00:26 +0100 (BST)
From: John Corb
Reply-To: john.corb@UnitedKingdom.NCR.COM
X-Mailer: ELM [version 2.4 PL22]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 502
Message-ID: <9409301313.af14129@ncrhub1.NCR.COM>
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

i've seen an article in the uk saying that sea change have a firewall product (called Janus?) but it doesn't give any contact info. i know sc are a usa company; the article says they have a uk office too, but directory enquiries have no record of the company here.

can anyone tell me a phone number/email address for sc either in the uk or the usa?
thanks
john
--
john.corb@UnitedKingdom.NCR.COM  +44 71 725 8837, whois: jc716, pgp: 2BF6FF
blow my cool, bite my lip, see me freak on my death trip

From firewalls-owner Fri Sep 30 14:05:40 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id SAA23237; Fri, 30 Sep 1994 18:35:16 GMT
Received: from ftp.std.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id LAA23209; Fri, 30 Sep 1994 11:34:36 -0700
Received: from world.std.com by ftp.std.com (8.6.8.1/Spike-8-1.0) id OAA13725; Fri, 30 Sep 1994 14:33:11 -0400
Received: by world.std.com (5.65c/Spike-2.0) id AA27068; Fri, 30 Sep 1994 14:33:06 -0400
Date: Fri, 30 Sep 1994 14:33:05 +0059 (EDT)
From: Peter von Zirpolo
Subject: Checkpoint Firewall-1
To: firewalls@greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Does anyone have any experience/knowledge of this product???

We're in the process of obtaining funding for an Internet connection and my recommendation for a firewall is currently the TIS Gauntlet offering (Toolkit + consulting). However, pressure is coming from 'above' to look at Firewall-1 and a demo is scheduled for next week (10/05). I want to be able to get the check-signers to look beyond the (allegedly) glitzy GUI interface and draw a true comparison between the two products.
Peter von Zirpolo
John Hancock Financial Services
Boston, Ma

From firewalls-owner Fri Sep 30 14:38:04 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id UAA24044; Fri, 30 Sep 1994 20:08:51 GMT
Received: from nsco.network.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA24038; Fri, 30 Sep 1994 13:08:27 -0700
Received: from anubis.network.com (anubis-e4.network.com) by nsco.network.com (4.1/1.34) id AA12036; Fri, 30 Sep 94 15:09:47 CDT
Received: from blefscu.network.com by anubis.network.com (4.1/SMI-4.1) id AA01212; Fri, 30 Sep 94 15:08:02 CDT
Date: Fri, 30 Sep 94 15:08:02 CDT
From: amolitor@anubis.network.com (Andrew Molitor)
Message-Id: <9409302008.AA01212@anubis.network.com>
To: firewalls@greatcircle.com
Subject: Re: Non-registered access
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

im@warburg.demon.co.uk (Ian Marr) wrote:
>
> Network Systems Packet Control Facility (included as part of all routers)
> allows you to translate IP addresses on the fly. Check it out.

In the interest of strict correctness, I should point out that while PCF is included in all NSC routers, only the version in the DX platform will do address translation. There's vapor of various densities in the pipe, but the only thing you can buy today from us that does it is a DX series box.
Andrew
NSC

From firewalls-owner Fri Sep 30 14:57:09 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id RAA22318; Fri, 30 Sep 1994 17:23:40 GMT
Received: from pppl.gov by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id KAA22311; Fri, 30 Sep 1994 10:23:20 -0700
Received: from [192.55.106.217] (otis.pppl.gov [192.55.106.217]) by pppl.gov (8.6.8.1/8.6.5) with SMTP id NAA02873 for ; Fri, 30 Sep 1994 13:23:31 -0400
Date: Fri, 30 Sep 1994 13:23:31 -0400
Message-Id: <199409301723.NAA02873@pppl.gov>
X-Sender: randerso@pppl.gov
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: lranderson@pppl.gov (Lewis E. Randerson)
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

help

--
Lewis E. Randerson
Princeton Plasma Physics Lab          phone: 609/243-3134   FAX: 609/243-3086
P.O. Box 451, Princeton, NJ 08543     email: lranderson@pppl.gov

From firewalls-owner Fri Sep 30 15:09:59 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id PAA20543; Fri, 30 Sep 1994 15:13:58 GMT
Received: from pserv1.dot.state.az.us by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id IAA20537; Fri, 30 Sep 1994 08:13:35 -0700
Received: by pserv1.dot.state.az.us (5.65c/1.921207) id AA10828; Fri, 30 Sep 1994 08:13:12 -0700
From: tom@pserv1.dot.state.az.us (Tom Brink)
Message-Id: <199409301513.AA10828@pserv1.dot.state.az.us>
Subject: Packet filters vs other forms of firewalls (fwd)
To: firewalls@greatcircle.com (Firewalls)
Date: Fri, 30 Sep 94 8:13:11 MST
Reply-To: tom@pserv1.dot.state.az.us
X-Mailer: ELM [version 07.00.00.00 (2.3 PL11)]
X-Organization: Arizona Department of Transportation
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

David Kovar writes:
> From: David Kovar
> Subject: Packet filters vs other forms of firewalls
> To: firewalls@greatcircle.com
> Date: Thu, 29 Sep 1994 19:05:59 -0400 (EDT)

much deleted...
> If we ran with this filter, what problems might we expect to
> encounter?
>
> -David
>
> permit all outgoing packets, icmp, udp, tcp or whatever.
> permit incoming udp packets on port 53 (DNS)
> deny all incoming icmp or udp packets.
> permit all incoming packets for already established TCP connections
> deny incoming TCP packets for X11 and NFS (I think 3000,3001,3002,
> 6000,6001,6002)

Humm, I believe NFS typically uses port 2049, and you might need to deny 6000 thru some higher number than 6002 (if you anticipate more than 3 Xwindow sessions). How about port 2000, anyone in your shop using Openwin? I recommend reviewing appendix B in 'Firewalls and Internet Security' by Bill Cheswick.

> permit incoming TCP connections for ports > 1023 *** Perhaps a problem
> permit incoming TCP connections for ports:
> 53 (DNS)
> 25 (SMTP) to mailhost
>
> Maybe turn on 80 (http), 119 (nntp),
> and for really daring sites 23 (telnet), 21 (ftp), and 20 (ftp-data)

I would seriously consider some kind of password encryption for the telnet connection, and set up some kind of an anon-ftp OUTSIDE of your packet-filter firewall.

> deny all incoming TCP connections

Cheers...
tom
--
Tom Brink                        tom@dot.state.az.us
Technical Support Specialist     Technical Research Center
Information Services Group       Arizona Department of Transportation

From firewalls-owner Fri Sep 30 15:28:11 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id RAA22112; Fri, 30 Sep 1994 17:15:15 GMT
Received: from tymix.Tymnet.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id KAA22096; Fri, 30 Sep 1994 10:14:50 -0700
Received: by tymix.Tymnet.COM (4.1/SMI-4.1) id AA16014; Fri, 30 Sep 94 10:12:22 PDT
Received: from druid by tymix.Tymnet.COM (in.smtpd); 30 Sep 94 10:12:22 PDT
Received: by druid.Tymnet.COM (4.1/SMI-4.1) id AA17376; Fri, 30 Sep 94 10:12:21 PDT
Date: Fri, 30 Sep 94 10:12:21 PDT
From: ddrew@Tymnet.COM (Dale Drew)
Message-Id: <9409301712.AA17376@druid.Tymnet.COM>
To: firewalls@GreatCircle.COM, kovar@NDA.COM
Subject: Re: Packet filters vs other forms of firewalls
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Well, right off the bat, I can see a potential problem with the "permit incoming TCP connections for ports > 1023" line. This is normally done to allow FTP connections, as they generate sessions on randomly created ports. The problem is that programs that run on the ports higher than 1023 can be scanned and possibly compromised. These would be commercial products like SYBASE, and user generated programs for internal use.

You must either rely on host security to block those connections from "unauthorized" hosts, or establish a specific host for those types of services, secure and log the hell out of it, and direct all open ended filtering rules to this host. This would be a good host to place in a DMZ for example.
-Dale Drew
Manager, internetMCI Security

From firewalls-owner Fri Sep 30 15:36:23 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA21091; Fri, 30 Sep 1994 16:17:46 GMT
Received: from amdahl.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id JAA21082; Fri, 30 Sep 1994 09:17:30 -0700
Received: by amdahl.com (/\==/\ Smail #25.33) id ; Fri, 30 Sep 94 09:17 PDT
Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA10451; Fri, 30 Sep 1994 09:17:53 +0800
Date: Fri, 30 Sep 1994 09:17:53 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
Message-Id: <9409301617.AA10451@brittany.oes.amdahl.com>
To: strick@versant.com
Subject: Re: DNS serving both sides
Cc: firewalls@greatcircle.com
X-Sun-Charset: US-ASCII
content-length: 906
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

On our Solaris 2 firewall named opens a udp port for each interface, and one wildcard one:

    localhost.domain       Idle
    gw1.domain             Idle
    O16security.domain     Idle
    *.domain               Idle

What's the purpose of the wildcard one?

Patrick

These opinions are mine, and not Amdahl's (except by coincidence;).
~~~~~~~~~~~~~~~~~~~~~~~~~~  ~~~~~~~~~~~~~~~~~~~~~~~~~~~  ~~~~~~~~~~~~~~~~~
/ |                        |                           | (\  \          |
| | Patrick J. Horgan      | Amdahl Corporation        |  \\  Have     |
| | patrick@oes.amdahl.com | 1250 East Arques Avenue   |   \\ _ Sword  |
| | Phone : (408)992-2779  | P.O. Box 3470 M/S 316     |   \\/  Will   |
| | FAX : (408)773-0833    | Sunnyvale, CA 94088-3470  |  _/\\  Travel |
\ | O16-2294               |                           | \)  /         |
~~~~~~~~~~~~~~~~~~~~~~~~~~  ~~~~~~~~~~~~~~~~~~~~~~~~~~~  ~~~~~~~~~~~~~~~~~~

From firewalls-owner Fri Sep 30 15:41:39 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id QAA21371; Fri, 30 Sep 1994 16:37:23 GMT
Received: from mycroft.GreatCircle.COM by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id JAA21364; Fri, 30 Sep 1994 09:37:17 -0700
Message-Id: <199409301637.JAA21364@mycroft.GreatCircle.COM>
To: jimc@e-Commerce.Com
cc: ted.doty@nsco.network.com, firewalls@GreatCircle.COM
Subject: Re: 'active' and 'pasive' firewalls
In-reply-to: Your message of Fri, 30 Sep 94 10:27:20 EDT
Date: Fri, 30 Sep 1994 09:37:16 -0700
From: Brent Chapman
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

jimc@e-Commerce.Com (Jim Carroll) writes:

# ted doty writes:
# >
# > 1. Why doesn't someone set up a "Firewalls-philosophy" list, so we can
# > segregate this type of question from the technical ("how can I proxy
# > MOSAIC") ones. Not that these questions are bad, quite to the
# > contrary. Let's just get the two communities from using each other's
# > bandwidth.
#
# I may be wrong, but I have a feeling that the majority of folks would
# end up subscribing to both lists. I know I would.

I tend to agree.

# If you're concerned with bandwidth waste, figure out a good way for
# handling the 'subscribe' and 'Please unsubscribe me!!' messages which
# arrive here as a result of either ignorance or misinformation. ;)

Actually, if you take a closer look, all the messages like that which go out to Firewalls are ones where the person has misspelled "subscribe" or "unsubscribe" or done something else that circumvents the otherwise very effective administrivia filter. For every administrivia message that _does_ make it out to the list, the filter catches at least 10 that it keeps from making it to the list.
-Brent

--
Brent Chapman            | Great Circle Associates | Call or email for info about
Brent@GreatCircle.COM    | 1057 West Dana Street   | upcoming Internet Security
+1 415 962 0841          | Mountain View, CA 94041 | Firewalls Tutorial dates

From firewalls-owner Fri Sep 30 16:27:28 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id UAA24425; Fri, 30 Sep 1994 20:56:23 GMT
Received: from proton.llumc.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id NAA24418; Fri, 30 Sep 1994 13:56:03 -0700
Received: from mycroft.llumc.edu (mycroft.llumc.edu [143.197.200.18]) by proton.llumc.edu (8.6.9/8.6.9) with ESMTP id NAA18166 for ; Fri, 30 Sep 1994 13:55:16 -0700
From: Michael Baumann
Received: (baumann@localhost) by mycroft.llumc.edu (8.6.9/8.6.9) id NAA04558 for firewalls@greatcircle.com; Fri, 30 Sep 1994 13:55:14 -0700
Date: Fri, 30 Sep 1994 13:55:14 -0700
Message-Id: <199409302055.NAA04558@mycroft.llumc.edu>
To: firewalls@greatcircle.com
Subject: Raptor "Eagle" Package
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I am looking for information from users of the above package... we are having some internal disagreement WRT either using a screening router (eg Livingston Firewall/IRX) or this software. What are the weaknesses of the above package? (Needless to say, I am on the router side of the argument)

Any and all comments by sundry and all would be appreciated. And there is a time constraint, so sooner is better.

Thanks!

Michael Baumann
Electus Technology Inc.
San Bernardino, California.
(909)799-8308 | Internet: baumann@llumc.edu

From firewalls-owner Fri Sep 30 16:35:30 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id VAA24621; Fri, 30 Sep 1994 21:24:38 GMT
Received: from maine.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA24608; Fri, 30 Sep 1994 14:24:26 -0700
Received: from localhost (atr@localhost) by maine.net (8.6.5/8.6.5) id RAA02366; Fri, 30 Sep 1994 17:24:54 -0400
Message-Id: <199409302124.RAA02366@maine.net>
Date: Fri, 30 Sep 94 17:23:35 EST
From: "Andrew T. Robinson"
To: Firewalls mailing list
Subject: Security policies?
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I am looking for "sample" security policies for a client--actual published policy documents, ranging from the short and simple to the complex and bureaucratic. Please forward references directly to atr@maine.net.

Andy

From firewalls-owner Fri Sep 30 16:37:21 1994
Return-Path:
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id VAA24610; Fri, 30 Sep 1994 21:24:27 GMT
Received: from maine.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940829) id OAA24585; Fri, 30 Sep 1994 14:23:58 -0700
Received: from localhost (atr@localhost) by maine.net (8.6.5/8.6.5) id RAA02362; Fri, 30 Sep 1994 17:24:01 -0400
Message-Id: <199409302124.RAA02362@maine.net>
Date: Fri, 30 Sep 94 17:09:05 EST
From: "Andrew T. Robinson"
To: Firewalls mailing list bugtraq@crimelab.com
Subject: Wanted: hackers for tiger team (new england area)
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Looking for experienced hackers to join tiger team; Team will be paid by the job. The job will be attempting to defeat the security measures of various clients (with their permission and encouragement). Pay will be based on successful break-ins--no break in, no pay (i.e., only people who know their business need apply).
Systems to be hacked include VM (SP, XA, HPO, ESA, ad nauseam), MVS, VMS, Unix (any and all flavors), Windows (all flavors), OS/2, etc.

Please send prospectus and salary requirements (assume that you are paid by successful attack) to andy@maine.edu with the subject line "TIGER TEAM CANDIDATE." Indicate systems with which you are experienced and any references (preferably commercial organizations) who can vouch for your hacking legerdemain.

Andy
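Editor's added example for the "Non-registered access" thread above (Rens Troost's questions to Steven Lamb about the Janus address translator). It is not code from any poster or product on this list. It builds a constructed IPv4/TCP segment, rewrites the source address the way a NAT gateway must, and shows the two points Rens raised: the TCP checksum covers the IP addresses through the pseudo-header, so patching only the IP header leaves a segment the receiver will discard, and an FTP-style PORT command still names the internal address in the data portion after the headers have been translated. The incremental checksum fix is the RFC 1624 form; all addresses, ports and the payload are made-up sample values.

```python
"""
Constructed illustration of the two NAT issues raised in the
"Non-registered access" thread: the TCP checksum covers the IP addresses
through a pseudo-header, so a translator that rewrites an address must
patch the transport checksum as well as the IP header checksum; and an
FTP-style PORT command carries an address in the data portion, which a
header-level rewrite never sees.  Addresses, ports and the payload are
sample values, not captured traffic.
"""
import re
import socket
import struct

TCP_PROTO = 6
IP_CSUM, IP_SRC, TCP_CSUM, PAYLOAD = 10, 12, 36, 40   # byte offsets: 20-byte IP and TCP headers, no options


def ones_complement_sum(data: bytes) -> int:
    """Fold the 16-bit words of data into a one's-complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """The part of the TCP checksum input that covers both IP addresses (RFC 793)."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, TCP_PROTO, tcp_len)


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4+TCP segment (no options) with both checksums filled in."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 8192, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo_header(src, dst, len(tcp)) + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, 64, TCP_PROTO, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def checksums_valid(packet: bytes) -> bool:
    """A receiver's check: summing each header including its checksum field gives 0xFFFF."""
    ip, tcp = packet[:20], packet[20:]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    ip_ok = ones_complement_sum(ip) == 0xFFFF
    tcp_ok = ones_complement_sum(pseudo_header(src, dst, len(tcp)) + tcp) == 0xFFFF
    return ip_ok and tcp_ok


def incremental_update(old_csum: int, old_field: bytes, new_field: bytes) -> int:
    """RFC 1624 eqn 3, HC' = ~(~HC + ~m + m'), per 16-bit word of the changed
    field, so the translator need not re-sum the whole segment."""
    acc = (~old_csum) & 0xFFFF
    for m, m_new in zip(struct.unpack("!HH", old_field), struct.unpack("!HH", new_field)):
        acc += ((~m) & 0xFFFF) + m_new
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return (~acc) & 0xFFFF


def translate_source(packet: bytes, new_src: str) -> bytes:
    """Rewrite the source address the way a NAT gateway must: patch the IP header
    checksum and the TCP checksum (the pseudo-header covers the address)."""
    old, new = packet[IP_SRC:IP_SRC + 4], socket.inet_aton(new_src)
    ip_csum = incremental_update(struct.unpack("!H", packet[IP_CSUM:IP_CSUM + 2])[0], old, new)
    tcp_csum = incremental_update(struct.unpack("!H", packet[TCP_CSUM:TCP_CSUM + 2])[0], old, new)
    return (packet[:IP_CSUM] + struct.pack("!H", ip_csum) + new + packet[IP_SRC + 4:TCP_CSUM]
            + struct.pack("!H", tcp_csum) + packet[TCP_CSUM + 2:])


def header_only_rewrite(packet: bytes, new_src: str) -> bytes:
    """The incomplete rewrite Rens was probing for: only the IP layer is patched, so the
    TCP checksum still reflects the old address and the receiver will discard the segment."""
    old, new = packet[IP_SRC:IP_SRC + 4], socket.inet_aton(new_src)
    ip_csum = incremental_update(struct.unpack("!H", packet[IP_CSUM:IP_CSUM + 2])[0], old, new)
    return packet[:IP_CSUM] + struct.pack("!H", ip_csum) + new + packet[IP_SRC + 4:]


PORT_CMD = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),\d+,\d+")


def addresses_in_payload(packet: bytes) -> list:
    """Addresses an FTP PORT command carries in the data portion; a header rewrite
    leaves these as they were, which is the second problem Rens raised."""
    return [".".join(g.decode() for g in m.groups()) for m in PORT_CMD.finditer(packet[PAYLOAD:])]


if __name__ == "__main__":
    inside = build_packet("10.1.2.3", "192.0.2.10", 40001, 21, b"PORT 10,1,2,3,156,65\r\n")
    outside = translate_source(inside, "198.51.100.1")
    print("both checksums patched ->", checksums_valid(outside))
    print("IP header only         ->", checksums_valid(header_only_rewrite(inside, "198.51.100.1")))
    print("payload still names    ->", addresses_in_payload(outside))
```

Fragmentation, the third thing Rens asked about, is outside this block: the pseudo-header covers the whole TCP segment, so a translator can only fix the checksum on a fragment that carries the transport header, and the rest of the segment's data has to be seen before the new checksum can be computed, which is why translators end up reassembling.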
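Editor's added example for the "Packet filters vs other forms of firewalls" thread above (David Kovar's rule list, Tom Brink's corrections and Dale Drew's warning about the "ports > 1023" line). It is not code from any of those posters. The list is evaluated as a first-match, stateless filter of the kind a 1994 screening router applied, with Tom's points folded in: NFS on 2049, an X11 range wider than 6000-6002 (6000-6063 is this example's assumption) and OpenWindows on 2000. "Already established" is the ACK-bit test such filters used. The mailhost address, the sample hosts and the internal listener on port 4100 are made-up values; the optional services default to the 80 and 119 the list mentioned, with the "daring sites" ports left out.

```python
"""
Constructed example for the "Packet filters vs other forms of firewalls"
thread: David Kovar's rule list evaluated as a first-match, stateless
filter, with Tom Brink's corrections folded in (NFS on 2049, an X11 range
wider than 6000-6002, OpenWindows on 2000).  "Established" is the 1994-era
test, the TCP ACK bit.  The mailhost address, the sample hosts and the
internal listener on port 4100 are made-up values.
"""
from dataclasses import dataclass
from typing import Callable, List, Sequence, Tuple

MAILHOST = "192.0.2.25"   # constructed address standing in for "mailhost"


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (from the Internet) or "out"
    proto: str          # "tcp", "udp" or "icmp"
    dst: str
    dport: int = 0
    ack: bool = False   # TCP ACK set: the stateless "already established" check


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    note: str                        # the line of the posted list it stands for
    match: Callable[[Packet], bool]


def build_rules(x11_range: Tuple[int, int] = (6000, 6063),
                optional_ports: Sequence[int] = (80, 119)) -> List[Rule]:
    """The posted list in its original order; optional_ports holds the services
    the list said to 'maybe turn on' (80 and 119 here; 23/21/20 only for daring sites)."""
    lo, hi = x11_range

    def inbound(p: Packet, proto: str = None) -> bool:
        return p.direction == "in" and (proto is None or p.proto == proto)

    return [
        Rule("permit", "all outgoing packets", lambda p: p.direction == "out"),
        Rule("permit", "incoming udp port 53 (DNS)", lambda p: inbound(p, "udp") and p.dport == 53),
        Rule("deny", "all other incoming icmp or udp", lambda p: inbound(p) and p.proto in ("icmp", "udp")),
        Rule("permit", "already established TCP (ACK set)", lambda p: inbound(p, "tcp") and p.ack),
        Rule("deny", "X11 / NFS / OpenWindows",
             lambda p: inbound(p, "tcp") and (p.dport in (2049, 2000) or lo <= p.dport <= hi)),
        Rule("permit", "incoming TCP ports > 1023 (*** perhaps a problem)",
             lambda p: inbound(p, "tcp") and p.dport > 1023),
        Rule("permit", "incoming TCP 53 (DNS)", lambda p: inbound(p, "tcp") and p.dport == 53),
        Rule("permit", "incoming TCP 25 (SMTP) to mailhost",
             lambda p: inbound(p, "tcp") and p.dport == 25 and p.dst == MAILHOST),
        Rule("permit", "optional services", lambda p: inbound(p, "tcp") and p.dport in optional_ports),
        Rule("deny", "all other incoming TCP", lambda p: inbound(p, "tcp")),
    ]


def evaluate(packet: Packet, rules: List[Rule]) -> Tuple[str, str]:
    """First matching rule wins, as on a screening router of the period."""
    for rule in rules:
        if rule.match(packet):
            return rule.action, rule.note
    return "deny", "no rule matched (implicit deny)"


def admitted_new_connections(listening_ports: Sequence[int], rules: List[Rule],
                             host: str = "192.0.2.5") -> List[int]:
    """Audit helper: which of a host's listening ports would accept a fresh inbound
    connection (SYN, no ACK) under the rule set.  This is the hole Dale Drew
    described: anything above 1023 that is not explicitly denied is reachable."""
    return [port for port in listening_ports
            if evaluate(Packet("in", "tcp", host, port), rules)[0] == "permit"]


if __name__ == "__main__":
    rules = build_rules()
    for pkt in (Packet("in", "tcp", "192.0.2.5", 2049), Packet("in", "tcp", "192.0.2.5", 4100),
                Packet("in", "tcp", MAILHOST, 25), Packet("in", "tcp", "192.0.2.5", 25),
                Packet("in", "udp", "192.0.2.5", 123), Packet("in", "tcp", "192.0.2.5", 40000, ack=True)):
        print(pkt.proto, pkt.dst, pkt.dport, "->", evaluate(pkt, rules))
    # A constructed internal host listening on 2000, 2049, 4100, 6010 and 8080:
    print("reachable from outside:", admitted_new_connections([2000, 2049, 4100, 6010, 8080], rules))
    # With the list's original X11 guess (6000-6002 only), display :10 slips through:
    print("with 6000-6002 only:", admitted_new_connections([6010], build_rules(x11_range=(6000, 6002))))
```

The ordering matters: the X11/NFS deny sits before the "> 1023" permit, so it works, but any other high-numbered listener (the constructed database on 4100 here) is reachable for a new connection, which is exactly the case Dale describes and the reason he suggests a hardened, logged host for such services rather than relying on the filter.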