From firewalls-owner Thu Dec 1 00:04:26 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA27762 for firewalls-outgoing; Thu, 1 Dec 1994 00:00:57 -0800
Received: from awadi.com.AU (myall.awadi.com.AU [150.207.2.65]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id AAA27749 for ; Thu, 1 Dec 1994 00:00:20 -0800
Received: from bunya.awadi ([150.207.1.63]) by awadi.com.AU (4.1/SMI-4.1) id AA11145; Thu, 1 Dec 94 18:23:59 CST
Received: from mallee.awadi by bunya.awadi (5.0/SMI-SVR4) id AA26973; Thu, 1 Dec 1994 18:22:49 +1030
From: blymn@awadi.com.AU (Brett Lymn)
Message-Id: <9412010752.AA26973@bunya.awadi>
Subject: Re: Air Force traces intruders
To: avalon@coombs.anu.edu.au (Darren Reed)
Date: Thu, 1 Dec 1994 18:22:48 +1030 (CST)
Cc: firewalls@greatcircle.com
In-Reply-To: <9412010741.AA10873@awadi.com.AU> from "Darren Reed" at Dec 1, 94 06:39:52 pm
X-Mailer: ELM [version 2.4 PL2]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Length: 848
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

According to Darren Reed:
>
>> You mean you allow source routing?
>
>There are times when I wish I could have used source routing with
>traceroute...
>
>not many, but still enough to make me wish there was a better way.
>
>What would be nice if routers could let you say:
>
>"no ip source-route with tcp"
>

Hmmmm, if you are filtering using infilt then a simple mod would allow you to do this :-)

Still leaves you open to someone playing clever fsp games or accessing various udp based services though.

--
Brett Lymn, Computer Systems Administrator, AWA Defence Industries
===============================================================================
"Aha! Pronoun problems. It's not `shoot you, shoot you', it's `shoot me, shoot me'. So, go ahead, shoot ME, shoot ME ...
You're Despicable" -- Daffy Duck

From firewalls-owner Thu Dec 1 00:34:25 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA27524 for firewalls-outgoing; Wed, 30 Nov 1994 23:44:47 -0800
Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id XAA27517 for ; Wed, 30 Nov 1994 23:44:24 -0800
Message-Id: <199412010744.XAA27517@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.38.193.3/16.2) id AA23733; Thu, 1 Dec 94 18:39:53 +1100
From: Darren Reed
Subject: Re: Air Force traces intruders
To: blymn@awadi.com.AU (Brett Lymn)
Date: Thu, 1 Dec 1994 18:39:52 +1100 (EDT)
Cc: jna@concorde.com, firewalls@greatcircle.com
In-Reply-To: <9412010541.AA26439@bunya.awadi> from "Brett Lymn" at Dec 1, 94 04:11:10 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 440
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > According to J. Adams:
> >
> >No way, they didn't have to break into anywhere to trace that call..
> >
> >Ever use traceroute with source routing?
> >
>
> You mean you allow source routing?

There are times when I wish I could have used source routing with traceroute...

not many, but still enough to make me wish there was a better way.

What would be nice if routers could let you say:

"no ip source-route with tcp"

etc.

darren

From firewalls-owner Thu Dec 1 04:04:14 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id DAA02925 for firewalls-outgoing; Thu, 1 Dec 1994 03:59:42 -0800
Received: from galaxy.concorde.com (root@galaxy.concorde.com [198.242.54.51]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id DAA02920 for ; Thu, 1 Dec 1994 03:59:37 -0800
Received: (from jna@localhost) by galaxy.concorde.com (8.6.8.1/8.6.6) id GAA29426; Thu, 1 Dec 1994 06:50:43 -0500
Date: Thu, 1 Dec 1994 06:50:43 -0500
From: "J. Adams"
Message-Id: <199412011150.GAA29426@galaxy.concorde.com>
To: avalon@coombs.anu.edu.au, blymn@awadi.com.AU
Subject: Re: Air Force traces intruders
Cc: firewalls@GreatCircle.COM, jna@concorde.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Not to be overly caustic, but I only mentioned a package that would trace the route back, and identify it using source routing. I didn't say we used it, allowed it, or did anything with source routing. Should you decide to attempt to source route us and pay us a visit, one of our many security programs will gladly pay you and your admin a visit.

-john

From firewalls-owner Thu Dec 1 05:15:02 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA03289 for firewalls-outgoing; Thu, 1 Dec 1994 04:54:06 -0800
Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id EAA03280 for ; Thu, 1 Dec 1994 04:53:38 -0800
Message-Id: <199412011253.EAA03280@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.38.193.3/16.2) id AA26570; Thu, 1 Dec 94 23:48:33 +1100
From: Darren Reed
Subject: source routes and 'incident' response (was Re: Air Force traces intruders)
To: jna@concorde.com (J. Adams)
Date: Thu, 1 Dec 1994 23:48:33 +1100 (EDT)
Cc: avalon@coombs.anu.edu.au, blymn@awadi.com.AU, firewalls@GreatCircle.COM, jna@concorde.com
In-Reply-To: <199412011150.GAA29426@galaxy.concorde.com> from "J. Adams" at Dec 1, 94 06:50:43 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1685
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Not to be overly caustic, but I only mentioned a package that would trace
> the route back, and identify it using source routing. I didn't say we
> used it, allowed it, or did anything with source routing. Should you
> decide to attempt to source route us and pay us a visit, one of our many
> security programs will gladly pay you and your admin a visit.
>
> -john

I do hope you are joking re. your response to packets with source routed options... or at least only referring to cases reported by tcpd or similar where it is very rarely used for anything other than attacking security.

traceroute, when able to be used with -g, is a very handy network tool. I often find it annoying to run into routers which return "!S" when I try to use a source route. As the Internet (in the USA at least) breaks up into the hands of the various ISPs, they may well become more useful. If only they weren't such a security risk.

It seems that whilst we're developing nice tools to detect outsiders who appear to be making attempts at defeating our security, we haven't yet caught up with using tools to process the information so acquired. Swatch is one such tool and I am sure there are others to be found on the Internet. A reading of chapter 11 of the "Firewalls & Internet Security" book highlights the "decision making" needed before you start to get what you really want.

I don't think automated security programs are really what you want sending email warnings back to the perpetrator (if you even know who they are!) or the admin. That seems more like a joke to me, but by all means send mail to yourself to make yourself aware of the problem(s) if you feel you need it.
Darren

From firewalls-owner Thu Dec 1 05:34:28 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA03348 for firewalls-outgoing; Thu, 1 Dec 1994 04:59:43 -0800
Received: from UTARLVM1.UTA.EDU (utarlvm1.uta.edu [129.107.1.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id EAA03343 for ; Thu, 1 Dec 1994 04:59:38 -0800
Received: from csparc.drc.com by UTARLVM1.UTA.EDU (IBM VM SMTP V2R2) with TCP; Thu, 01 Dec 94 06:58:10 CST
Received: from S1.DRC.COM by csparc.drc.com (4.1/SMI-4.1) id AA08354; Thu, 1 Dec 94 07:55:13 EST
Message-Id: <9412011255.AA08354@csparc.drc.com>
Received: by S1.DRC.COM with VINES ; Thu, 1 Dec 94 07:56:01 EST
Date: Thu, 1 Dec 94 07:54:55 EST
From: Rich=Gautier%SP-23DC%DRC@S1.drc.com
Subject: Re: Source Routing
To: firewalls%GreatCircle.COM@UTARLVM1.UTA.EDU
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The Morningstar Router allows you to filter source-routed packets.

From firewalls-owner Thu Dec 1 06:05:04 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA03606 for firewalls-outgoing; Thu, 1 Dec 1994 05:28:29 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA03601 for ; Thu, 1 Dec 1994 05:28:18 -0800
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA13366; Thu, 1 Dec 94 08:07:39 -0500
Date: Thu, 1 Dec 94 08:07:39 -0500
Message-Id: <9412011307.AA13366@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Some times it takes a while...
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Rik writes:
>On Nov 3, padgett@tccslr.dnet.mmc.com wrote:
>> This was one of the more important elements IMHO of the Air Force briefing
>> on Information Warfare and "Internet Caller-ID" in Baltimore: crackers were
>> hacking systems, the AF was backtracing the intrusions through multiple
>> nodes *and no one noticed* ...
>
>The implication (for me) is that the AirForce broke
>into intermediate systems to backtrack the intruders.

Exactly! Was obviously the fastest way to do it. As far as the AF breaking in, *the hole was already there - it had been created by the intruder*, the AF was just using the same hole.

What was done was confirmed at the briefing. I was told that a blanket authorization had been obtained for the AF to do exactly that. I believe the time frame of authorization was limited: 72 hours AIR and that Scott Chaney's name was mentioned as having something to do with it (nothing is guaranteed from memory - I asked for a copy of the briefing slides but they have never arrived).

Now before any opinions are raised, IMHO the AF people were in "hot pursuit" of a law breaker and only had a limited window of opportunity to backtrack. This doctrine is well established in US law - if a criminal breaks into a bank through a private residence next door and the police catch them in the act, pursuit through the residence is authorized. I have no problem with this since it *reduces* the risk to the householder next door.

The fact is that like most software patents (another pet peeve) this is really nothing new, just pre-existing doctrine being applied in a new way.

Warmly,
Padgett

ps was almost a lawyer once - decided to remain creative instead.
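Added example, not taken from any message in the source-routing exchange above: a Python sketch of the rule Darren Reed wished for ("no ip source-route with tcp"), written as a packet-filter decision of the kind Brett Lymn's infilt mod or Rich Gautier's Morningstar filter would make. It parses the options area of a raw IPv4 header, looks for the loose (LSRR, type 131) and strict (SSRR, type 137) source route options, and drops source-routed packets for the protocols in a deny set, TCP by default; a wider deny set is how you close the UDP hole Brett points out. The packet builder, the addresses and the function names are mine. A malformed options area is dropped rather than passed, the safe default for a filter that cannot see what the option says.

```python
"""Policy check for IPv4 source-route options (LSRR/SSRR) on raw packets."""
import socket
import struct
from dataclasses import dataclass

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
IPOPT_EOL, IPOPT_NOP, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 131, 137


@dataclass(frozen=True)
class Verdict:
    action: str   # "pass" or "drop"
    reason: str


def ipv4_options(packet: bytes) -> list:
    """Parse the options area of an IPv4 header into (type, data) pairs.

    Raises ValueError on anything malformed; the caller treats that as a
    drop, since an option length that overruns the header leaves the filter
    unable to tell whether a route is present.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts, i = [], 20
    while i < ihl:
        kind = packet[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("truncated option")
        length = packet[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("bad option length")
        opts.append((kind, bytes(packet[i + 2:i + length])))
        i += length
    return opts


def source_route_policy(packet: bytes, deny_protos=frozenset({IPPROTO_TCP})) -> Verdict:
    """Decide one packet.  deny_protos: IP protocols for which a source-routed
    packet is dropped.  The default is the per-protocol rule from the thread;
    frozenset({IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP}) drops source routes for
    everything a firewall normally forwards."""
    try:
        opts = ipv4_options(packet)
    except ValueError as exc:
        return Verdict("drop", f"malformed header: {exc}")
    routed = {kind for kind, _ in opts if kind in (IPOPT_LSRR, IPOPT_SSRR)}
    if not routed:
        return Verdict("pass", "no source route option")
    kind = "SSRR" if IPOPT_SSRR in routed else "LSRR"
    proto = packet[9]
    if proto in deny_protos:
        return Verdict("drop", f"{kind} on protocol {proto}")
    return Verdict("pass", f"{kind} on protocol {proto} allowed by policy")


def source_route_option(hops, strict=False) -> bytes:
    """Build an LSRR/SSRR option: type, length, pointer (4), then hop addresses."""
    body = b"".join(socket.inet_aton(h) for h in hops)
    return bytes([IPOPT_SSRR if strict else IPOPT_LSRR, 3 + len(body), 4]) + body


def build_ipv4(proto: int, src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed test packet: a minimal IPv4 header carrying `options`.
    The header checksum stays zero; nothing here goes on a wire."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)   # pad with EOL to 32 bits
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64,
                        proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return fixed + options


def run_cases():
    """Apply the default policy to constructed packets; returns (label, action) pairs."""
    via = source_route_option(["198.51.100.1"])
    cases = [
        ("tcp, no options", build_ipv4(IPPROTO_TCP, "192.0.2.1", "192.0.2.9")),
        ("tcp, LSRR", build_ipv4(IPPROTO_TCP, "192.0.2.1", "192.0.2.9", via)),
        ("udp, LSRR", build_ipv4(IPPROTO_UDP, "192.0.2.1", "192.0.2.9", via)),
        ("udp, SSRR", build_ipv4(IPPROTO_UDP, "192.0.2.1", "192.0.2.9",
                                 source_route_option(["198.51.100.1"], strict=True))),
        ("tcp, option length overruns header",
         build_ipv4(IPPROTO_TCP, "192.0.2.1", "192.0.2.9", b"\x83\x20")),
    ]
    return [(label, source_route_policy(pkt).action) for label, pkt in cases]


if __name__ == "__main__":
    for label, action in run_cases():
        print(f"{action:4}  {label}")
```

The third case is the one Brett's caveat is about: with only TCP in the deny set, a loose-source-routed UDP datagram still passes, so a site that wants the rule for its udp services as well has to widen the set.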
From firewalls-owner Thu Dec 1 06:25:25 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA03720 for firewalls-outgoing; Thu, 1 Dec 1994 05:32:21 -0800
Received: from d.ecc.engr.uky.edu (d.ecc.engr.uky.edu [128.163.144.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA03714 for ; Thu, 1 Dec 1994 05:32:17 -0800
Received: from s.ecc.engr.uky.edu by d.ecc.engr.uky.edu (5.59/25-eef) id AA24483; Thu, 1 Dec 94 08:16:28 EST
Received: by s.ecc.engr.uky.edu (4.1/SMI-4.1) id AA18238; Thu, 1 Dec 94 08:18:38 EST
Date: Thu, 1 Dec 94 08:18:38 EST
From: morgan@engr.uky.edu (Wes Morgan)
Message-Id: <9412011318.AA18238@s.ecc.engr.uky.edu>
To: firewalls@greatcircle.com
Subject: Re: Air Force traces intruders
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>This also points out a secondary problem.
>Responsible sites _used_ to notify each other whenever
>something that looked like a hack was going on. That appears
>not to be the case anymore. It's not a firewalls issue per se,
>but it is a security issue.

Indeed - we should remember that the term 'firewalled' does not extend to people. 8)

I've often run into the proverbial brick wall when trying to track down problems; my counterpart on 'the other side' will simply say, "Thanks; we'll look into it," and never bring me up to speed on the results. On some occasions, I've actually been told "That's not possible; you've made some mistake." Yeesh.

Remember, the net still needs a cooperative nature.
8)

--Wes

From firewalls-owner Thu Dec 1 07:04:34 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA04265 for firewalls-outgoing; Thu, 1 Dec 1994 06:43:33 -0800
Received: from bastion.sware.com (bastion.sware.com [139.131.15.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA04260 for ; Thu, 1 Dec 1994 06:43:26 -0800
Received: from shlep.sware.com (shlep.sware.com [139.131.1.14]) by bastion.sware.com (8.6.5/8.6.5) with SMTP id JAA11988 for ; Thu, 1 Dec 1994 09:29:51 -0501
Received: by shlep.sware.com (5.65/2.0) from zorkmid.sware.com id AA13677; Thu, 1 Dec 94 09:40:09 -0500
Received: by zorkmid.sware.com (4.1/2.1) from (localhost) id AA01259; Thu, 1 Dec 94 09:40:07 EST
Date: Thu, 1 Dec 94 09:40:07 EST
Message-Id: <9412011440.AA01259@zorkmid.sware.com>
From: "J.D. Forinash"
X-Mailer: InterMail [1.3.1]
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: Archie or UDP proxies and the fwtk
To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A number of folks inside our firewall are asking about "archie" capability.

Unfortunately, I found that it's a udp, not tcp connection, and plug-gw only does tcp. Is there a way to forward an archie request through a firewall?

(PS: I even (no!) consulted the faq. It told me it couldn't be done yet. But it also told me that http gateways couldn't be done yet, either, so I wasn't sure as to the validity of that statement. :) )

-------------------------------------------------------------------
John D. Forinash  foxtrot@sware.com  (404)-315-6896 x146
SecureWare Inc - 2957 Clairmont Rd ste 200 - Atlanta GA 30329
You break it, I fix it. Good relationship, no?
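Added example, mine rather than part of the fwtk or of J.D. Forinash's setup: what a plug-gw for UDP has to do, as a small Python relay for a bastion host. The problem plug-gw never faces is that a UDP reply carries nothing that ties it to the inside client, so this relay keeps a table and gives each client its own outside socket; it also accepts replies only from the one configured server, caps the table so an inside scan cannot eat the bastion's sockets, and times out idle clients. The archie port (1525) and the addresses are assumptions; the table logic is kept apart from the socket loop so it can be exercised without a network.

```python
"""Stateful UDP relay for a bastion host: plug-gw's job, but for datagrams."""
import selectors
import socket
import time


class UdpRelayTable:
    """Bookkeeping for a relay that forwards inside clients to one outside server.

    Each inside client gets its own outside socket, named by an integer
    sock_id, because the socket a reply arrives on is the only thing that
    identifies which client it belongs to.
    """

    def __init__(self, server, idle_timeout=30.0, max_clients=256):
        self.server = server          # (dotted-quad, port); compared with reply sources
        self.idle_timeout = idle_timeout
        self.max_clients = max_clients
        self.by_client = {}           # client_addr -> [sock_id, last_seen]
        self.by_sock = {}             # sock_id -> client_addr
        self._next_id = 0

    def outbound(self, client_addr, payload, now):
        """Inside -> outside.  Returns (sock_id, dest, payload), or None to refuse."""
        entry = self.by_client.get(client_addr)
        if entry is None:
            if len(self.by_client) >= self.max_clients:
                return None                           # full: refuse, do not evict
            sock_id, self._next_id = self._next_id, self._next_id + 1
            self.by_sock[sock_id] = client_addr
            entry = self.by_client[client_addr] = [sock_id, now]
        entry[1] = now
        return entry[0], self.server, payload

    def inbound(self, sock_id, from_addr, payload, now):
        """Outside -> inside.  Returns (client_addr, payload), or None to drop."""
        client = self.by_sock.get(sock_id)
        if client is None or from_addr != self.server:
            return None                               # unknown socket, or not our server
        self.by_client[client][1] = now
        return client, payload

    def expire(self, now):
        """Forget idle clients; returns the sock_ids whose sockets should be closed."""
        closed = []
        for client, (sock_id, seen) in list(self.by_client.items()):
            if now - seen > self.idle_timeout:
                del self.by_client[client]
                del self.by_sock[sock_id]
                closed.append(sock_id)
        return closed


def serve(listen, server, idle_timeout=30.0):
    """Event loop: one inside socket bound at `listen`, one outside socket per client."""
    table = UdpRelayTable(server, idle_timeout)
    sel = selectors.DefaultSelector()
    inside = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    inside.bind(listen)
    sel.register(inside, selectors.EVENT_READ, ("inside", None))
    outside = {}                                      # sock_id -> socket
    while True:
        for key, _ in sel.select(timeout=1.0):
            role, sock_id = key.data
            data, addr = key.fileobj.recvfrom(65535)
            now = time.monotonic()
            if role == "inside":
                res = table.outbound(addr, data, now)
                if res is None:
                    continue
                sid, dest, payload = res
                if sid not in outside:
                    outside[sid] = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
                    sel.register(outside[sid], selectors.EVENT_READ, ("outside", sid))
                outside[sid].sendto(payload, dest)
            else:
                res = table.inbound(sock_id, addr, data, now)
                if res is not None:
                    inside.sendto(res[1], res[0])
        for sid in table.expire(time.monotonic()):
            sel.unregister(outside[sid])
            outside.pop(sid).close()


if __name__ == "__main__":
    # Assumed: inside clients send archie queries to the bastion on UDP 1525,
    # and the relay forwards them to this one server and nowhere else.
    serve(("0.0.0.0", 1525), ("192.0.2.10", 1525))
```

The relay still leaks something plug-gw does not: the outside server sees a bastion socket per inside client, so the number of simultaneous inside users is visible from outside. The e-mail and telnet interfaces other replies suggest avoid that entirely.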
From firewalls-owner Thu Dec 1 07:34:49 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA04587 for firewalls-outgoing; Thu, 1 Dec 1994 07:12:17 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA04582 for ; Thu, 1 Dec 1994 07:12:10 -0800
From: sargent@orsun.saic.com
Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA14203; Thu, 1 Dec 94 10:10:20 -0500
Date: Thu, 1 Dec 94 10:10:20 -0500
Message-Id: <9412011510.AA14203@uvs1.orl.mmc.com>
To: firewalls@greatcircle.com@uvs1.dnet.mmc.com, padgett@tccslr.dnet.mmc.com
Subject: Re: Some times it takes a while...
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Now before any opinions are raised, IMHO the AF people were in "hot pursuit"
> of a law breaker and only had a limited window of opportunity to backtrack.
> This doctorine is well established in US law - if a criminal breaks into
> a bank through a private residence next door and the police catch them in
> the act, pusuit through the residence is authorized.

There is a BIG difference between the AF and the "police" and for very good reasons.

RLS

From firewalls-owner Thu Dec 1 08:07:36 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA04522 for firewalls-outgoing; Thu, 1 Dec 1994 07:05:47 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA04515 for ; Thu, 1 Dec 1994 07:05:37 -0800
From: rens@imsi.com
Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA14146; Thu, 1 Dec 94 10:03:37 -0500
Date: Thu, 1 Dec 94 10:03:37 -0500
Message-Id: <9412011503.AA14146@uvs1.orl.mmc.com>
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Cc: "firewalls@greatcircle.com"@uvs1.dnet.mmc.com
Subject: Re: Some times it takes a while...
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>>>> "A" == A Padgett Peterson, P E Information Security writes:

A> Rik rites:

R> The implication (for me) is that the AirForce broke into
R> intermediate systems to backtrack the intruders.

A> Exactly ! Was obviously the fastest way to do it. As far as the
A> AF breaking in, *the hole was already there - it had been created
A> by the intruder*, the AF was just using the same hole.

A> What was done was confirmed at the briefing. I was told that a
A> blanket authorization had been obtained for the AF to do exactly
A> that. I believe the time frame of authorization was limited: 72
A> hours AIR and that Scott Chaney's name was mentioned as having
A> something to do with it (nothing is garenteed from memory - I
A> asked for a copy of the briefing slides but they have never
A> arrived).

A> Now before any opinions are raised, IMHO the AF people were in
A> "hot pursuit" of a law breaker and only had a limited window of
A> opportunity to backtrack. This doctorine is well established in
A> US law - if a criminal breaks into a bank through a private
A> residence next door and the police catch them in the act, pusuit
A> through the residence is authorized. I have no problem with this
A> since it *reduces* the risk to the householder next door.

What I have a problem with is the Armed Forces being used for domestic policing. I've lived in a variety of countries where that was the norm, and the results were not particularly pretty. I think you'd better consider all the implications of this before you go condoning such police-state activity.

I think this is off the firewalls topic, so if you want to discuss this further, do it in private mail.
-Rens

From firewalls-owner Thu Dec 1 08:37:19 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA05258 for firewalls-outgoing; Thu, 1 Dec 1994 08:23:24 -0800
Received: from mrc.com (mrc.com [192.80.67.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA05252 for ; Thu, 1 Dec 1994 08:23:07 -0800
From: tws@mrc.com
Received: by mrc.com (4.1/SMI-4.1) id AA18368; Thu, 1 Dec 94 11:18:35 EST
Received: by mrcs1 (5.64/X1.00) id AA04257; Thu, 1 Dec 94 11:18:28 -0500
Date: Thu, 1 Dec 94 11:18:28 -0500
Message-Id: <9412011618.AA04257@mrcs1>
To: firewalls@greatcircle.com, foxtrot@sware.com
Subject: Re: Archie or UDP proxies and the fwtk
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From firewalls-owner@GreatCircle.COM Thu Dec 1 10:19:36 1994
> From: "J.D. Forinash"
> Subject: Archie or UDP proxies and the fwtk
> To: firewalls@greatcircle.com

> A number of folks inside our firewall are asking
> about "archie" capability.

> Unfortunately, I found that it's a udp, not tcp
> connection, and plug-gw only does tcp. Is there
> a way to forward an archie request through a firewall?

> (PS: I even (no!) consulted the faq. It told me it
> couldn't be done yet. But it also told me that http
> gateways couldn't be done yet, either, so I
> wasn't sure as to the validity of that statement. :) )

Why not use email archie server?
Tenna Sakai (tws@mrc.com)

From firewalls-owner Thu Dec 1 09:51:00 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA06339 for firewalls-outgoing; Thu, 1 Dec 1994 09:24:29 -0800
Received: from pserv1.dot.state.az.us (pserv1.dot.state.az.us [162.59.10.28]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA06334 for ; Thu, 1 Dec 1994 09:24:15 -0800
Received: by pserv1.dot.state.az.us (5.65c/1.921207) id AA12561; Thu, 1 Dec 1994 10:22:29 -0700
From: tom@pserv1.dot.state.az.us (Tom Brink)
Message-Id: <199412011722.AA12561@pserv1.dot.state.az.us>
Subject: Re: Archie or UDP proxies and the fwtk (fwd)
To: firewalls@greatcircle.com (Firewalls)
Date: Thu, 1 Dec 94 10:22:28 MST
Reply-To: tom@pserv1.dot.state.az.us
X-Mailer: ELM [version 07.05.00.00 (2.3 PL11)]
X-Organization: Arizona Department of Transportation
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

tws@mrc.com writes:
> From: tws@mrc.com
> Date: Thu, 1 Dec 94 11:18:28 -0500
> To: firewalls@greatcircle.com, foxtrot@sware.com
> Subject: Re: Archie or UDP proxies and the fwtk
> Sender: firewalls-owner@greatcircle.com
>
> > From firewalls-owner@GreatCircle.COM Thu Dec 1 10:19:36 1994
> > From: "J.D. Forinash"
> > Subject: Archie or UDP proxies and the fwtk
> > To: firewalls@greatcircle.com
>
> > A number of folks inside our firewall are asking
> > about "archie" capability.
>
> > Unfortunately, I found that it's a udp, not tcp
> > connection, and plug-gw only does tcp. Is there
> > a way to forward an archie request through a firewall?
>
> > (PS: I even (no!) consulted the faq. It told me it
> > couldn't be done yet. But it also told me that http
> > gateways couldn't be done yet, either, so I
> > wasn't sure as to the validity of that statement. :) )
>
> Why not use email archie server?
> Tenna Sakai (tws@mrc.com)

Or Telnet into an archie server?
--
Tom Brink                      tom@dot.state.az.us
Technical Support Specialist   Technical Research Center
Information Services Group     Arizona Department of Transportation

From firewalls-owner Thu Dec 1 09:59:57 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA05581 for firewalls-outgoing; Thu, 1 Dec 1994 08:43:37 -0800
Received: from bwh.harvard.edu (bwh.harvard.edu [134.174.81.34]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA05575 for ; Thu, 1 Dec 1994 08:43:33 -0800
Received: (adam@localhost) by bwh.harvard.edu (8.6.9/8.6.9) id LAA15339; Thu, 1 Dec 1994 11:04:40 -0500
From: Adam Shostack
Message-Id: <199412011604.LAA15339@bwh.harvard.edu>
X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School
Subject: Re: Archie or UDP proxies and the fwtk
To: foxtrot@sware.com (J.D. Forinash)
Date: Thu, 1 Dec 94 11:04:40 EST
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9412011440.AA01259@zorkmid.sware.com>; from "J.D. Forinash" at Dec 1, 94 9:40 am
X-PGP: 876BD629 Fingerprint: 70 93 32 D6 36 D4 04 10 40 EC AB 28 A4 1D 0F E2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You wrote:
|
| A number of folks inside our firewall are asking about "archie" capability.
|
| Unfortunately, I found that it's a udp, not tcp connection, and plug-gw only
| does tcp. Is there a way to forward an archie request through a firewall?

There is a mail interface to archie. Your firewall passes mail, right? :)

Adam

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From firewalls-owner Thu Dec 1 10:03:39 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA05357 for firewalls-outgoing; Thu, 1 Dec 1994 08:30:21 -0800
Received: from hermes.intel.com (hermes.intel.com [143.183.152.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA05351 for ; Thu, 1 Dec 1994 08:30:14 -0800
Received: from argus.intel.com by hermes.intel.com (5.65/10.0i); Thu, 1 Dec 94 07:23:42 -0800
Received: by argus.intel.com (5.65/10.0i); Thu, 1 Dec 94 07:23:15 -0800
From: sedayao@argus.intel.com (Jeffrey C. Sedayao)
Message-Id: <9412011523.AA14801@argus.intel.com>
Subject: Re: Higher speed data lines/firewalls
To: jna@concorde.com (J. Adams)
Date: Thu, 1 Dec 94 7:23:14 PST
Cc: alastair@cadence.com, robp@anubis.network.com, Mark.Gibbons-1@pp.ksc.nasa.gov, firewalls@GreatCircle.COM
In-Reply-To: <199412010315.WAA04250@oracle.concorde.com> from "J. Adams" at Nov 30, 94 10:15:24 pm
X-Mailer: ELM [version 2.4dev PL66]
Mime-Version: 1.0
Content-Type: text
Content-Length: 398
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I suppose that all that ANS has doesn't quite matter now, as MCI just
> bought them...

That's America Online who bought ANS.

> I wonder how long it will be before the backbone routers are turned into
> backbone firewalls, and packets are charged by the byte....

Or by the hour. Drifting from the firewalls topic, folks.
> -jna

--
Jeff Sedayao
Intel Corporation
sedayao@argus.intel.com

From firewalls-owner Thu Dec 1 10:04:59 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA06757 for firewalls-outgoing; Thu, 1 Dec 1994 09:58:04 -0800
Received: from crdems.ge.com (root@crdems.GE.COM [192.35.44.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA06750 for ; Thu, 1 Dec 1994 09:57:55 -0800
Received: from grymoire.crd.ge.com by crdems.ge.com (5.65/GE 1.77) id AA28503; Thu, 1 Dec 94 12:55:05 -0500
Received: by grymoire.crd.ge.com (5.0/GE-CRD Standard Sendmail Version S1.5) id AA16073; Thu, 1 Dec 1994 12:51:28 +0500
Date: Thu, 1 Dec 1994 12:51:28 +0500
From: barnett@grymoire.crd.ge.com (Bruce Barnett)
Message-Id: <9412011751.AA16073@grymoire.crd.ge.com>
To: Firewalls@GreatCircle.COM
Subject: GE Break-in
X-Sun-Charset: US-ASCII
Content-Length: 548
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have been informed by GE management that GE will not make details of the break-in public. I (and several others) do not agree with this decision, so I have to argue my point.

I would appreciate suggestions on how I can convince management that we should discuss this break-in publicly. What benefits are there to GE?

Please E-mail me if you could. I'd appreciate some convincing arguments.
Bruce Barnett
Computer Scientist
GE Corporate Research and Development Center
PO Box 8, 1 River Road
Schenectady, NY 12301

From firewalls-owner Thu Dec 1 10:33:18 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA05530 for firewalls-outgoing; Thu, 1 Dec 1994 08:39:53 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA05525 for ; Thu, 1 Dec 1994 08:39:42 -0800
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA14647; Thu, 1 Dec 94 11:30:56 -0500
Date: Thu, 1 Dec 94 11:30:55 -0500
Message-Id: <9412011630.AA14647@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Third time's the charm...
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Have gotten several comments much in this light:

>There is a BIG difference between the AF and the "police" and for very good
>reasons.

About people apparently concerned that the USAF is going to be in their computer. Not so. First, anyone with a good firewall is probably not going to be a link unless they have an insider problem. Second, the USAF group only investigates incidents involving USAF sites.

Points I was trying to make were that tracing *can* be done (and should be a deterrent to intruders) and that there is a sound legal basis for authorizing proper authorities to do so.

Further, it is up to us to make sure that such authorization is defined narrowly enough to permit through-tracing only (no stopping and browsing), that only properly trained investigators receive permission to do so, and that notice is made to the system owners involved of exactly what happened.
Warmly,
Padgett

From firewalls-owner Thu Dec 1 11:03:55 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA06910 for firewalls-outgoing; Thu, 1 Dec 1994 10:09:40 -0800
Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA06903 for ; Thu, 1 Dec 1994 10:09:33 -0800
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU via SMTP; Thu, 1 Dec 1994 13:08:01 -0500
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-5.67b/res.client.cf-3.7) id AA14973; Thu, 1 Dec 1994 13:07:59 -0500
Date: Thu, 1 Dec 1994 13:07:59 -0500
From: long-morrow@CS.YALE.EDU (H Morrow Long)
Message-Id: <199412011807.AA14973@SPARKY.CF.CS.YALE.EDU>
To: firewalls@greatcircle.com
Subject: Re: Archie or UDP proxies and the fwtk (fwd)
Cc: tom@dot.state.az.us, tws@mrc.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> Why not use email archie server?
>> Tenna Sakai (tws@mrc.com)

>Or Telnet into an archie server?
>Tom Brink tom@dot.state.az.us

Or set up your own archie server on a bastion host in your DMZ.

H. Morrow Long, Mgr of Dev., Yale Univ., Comp Sci Dept, 011 AKW, New Haven, CT

From firewalls-owner Thu Dec 1 11:04:37 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA05127 for firewalls-outgoing; Thu, 1 Dec 1994 08:09:56 -0800
Received: from ttown.apci.com (ttown.apci.com [144.249.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA05117 for ; Thu, 1 Dec 1994 08:09:35 -0800
Received: by ttown.apci.com (5.57/Ultrix3.0-C) id AA29889; Thu, 1 Dec 94 11:10:46 -0500
Date: Thu, 1 Dec 94 11:10:46 -0500
From: gaulse@ttown.apci.com (Stephen E. Gaul Jr.)
Message-Id: <9412011610.AA29889@ttown.apci.com>
To: firewalls@greatcircle.com
Subject: Firewalls and inet becoming...
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Self-indulgent? Vandalism? Hah. Hardly. Just people upset at what the internet
> is becoming. Too many companies. Too much commercialism.
> Go ILF.

sorry to jump on the band wagon here and detract from fw but...

let's not forget our friends at the LOD, MOD and the POSSE elite. The more youth starts to see authority potentially ruin something that they enjoy very much, they will strike back!

guess that's what keeps us all gainfully employed... (my $0.02)

I'm also lost, can you direct me to the information superhighway?

 ________________________________________________________________
///                                                             /
///    Stephen E. Gaul, Jr.                                     /
///    /\      Air Products and Chemicals, Inc.                 /
__///  /__\    Lehigh Valley, PA 18001                          /
///_ ______ __ INET:  gaulse@ttown.apci.com                     /
///// /______\ \/ VOICE: (610) 481-7054                         /
///______________ FAX:   (610) 481-3300                         /
//////////////////______________________________________________/

NOTE: These statements and opinions are mine, not those of APCI...

From firewalls-owner Thu Dec 1 11:09:15 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA05375 for firewalls-outgoing; Thu, 1 Dec 1994 08:30:46 -0800
Received: from relay.xlink.net (relay.xlink.net [193.141.40.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA05366 for ; Thu, 1 Dec 1994 08:30:39 -0800
Received: from nixe.ISAR.de by relay.xlink.net id <27174-0@relay.xlink.net>; Thu, 1 Dec 1994 17:28:41 +0000
Received: from GeNUA.DE (Ugenua@localhost) by nixe.isar.de (8.6.9/ni-1.2) with UUCP id RAA12377; Thu, 1 Dec 1994 17:28:25 +0100
Received: from localhost.GeNUA.DE by Woozle.GeNUA.DE with SMTP id AA01383 (5.65c/IDA-1.4.4); Thu, 1 Dec 1994 17:21:55 +0100
Message-Id: <199412011621.AA01383@Woozle.GeNUA.DE>
To: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Cc: firewalls@greatcircle.com
Subject: Re: Higher speed data lines
In-Reply-To: Your message of "Tue, 29 Nov 94 21:20:08 EST." <9411300220.AA15666@hawksbill.sprintmrn.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 01 Dec 1994 17:21:54 +0100
From: Bernhard Schneck
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In message <9411300220.AA15666@hawksbill.sprintmrn.com> you write:
> I must have missed something, because this thread is way out of control.
>
> A high-end cisco router can handle high-speed digital/synchronous
> input (ds3) without ado. Your bastion/firewall/filtering mechanism
> should be positioned behind the router, on the (perimeter) ethernet
> or token-ring or whatever LAN.
>
> Did I miss something? What is the point?

I think the original question was what machine would be needed to build a firewall capable of working at speed.

Of course, all high end routers can pass traffic at T3/E3 or FDDI rates, that's what they were built for. But a Firewall should not simply pass packets, but has to analyze some parts of these and allow/deny information transfer.

We all know how much setting up plain ip packet filtering hurts the performance of just about any router, so the question is still open:

Which box would you need to build a firewall with application-level gateways (or any other method) for, say, real time 3d medical imaging and instrument control applications running at T3/E3 speed or higher?

\Bernhard.
From firewalls-owner Thu Dec 1 11:11:00 1994
From: Brad Knowles
Date: Thu, 1 Dec 1994 11:37:47 -0500
Message-Id: <199412011637.LAA13905@birch.ims.disa.mil>
To: bind@uunet.uu.net, firewalls@greatcircle.com, wamsley@coltano.stortek.com
Subject: Re: SMTP from IBM VM machine through relay host on firewall

In article <9411302014.AA14565@coltano.stortek.com>, on Wed, 30 Nov 1994, wamsley@coltano.stortek.com (Jim Wamsley) said:

> My mail environment here is that all outgoing and incoming mail goes
> through a mail host, presently a Sun sparc classic, under SunOS4.1.3u
> and Bind 4.9.3Alpha3 and Sendmail-5.56c-IDA1.4.4.

As I remember the Release Notes, versions of BIND 4.9.3 prior to Beta 8 (or Beta 7-patch 2) are noticeably inferior, and should probably be replaced by Beta 9 or Beta 9-patch 1 (primary improvements are CRED, negative caching updates, and bogusns to fix a severe problem that caused reverse name lookups to fail because of some problems on the root nameservers that got propagated).

> A question has been posed to the appropriate tech support, but their
> comment was to use MX records. All well and good, but how the h***
> do I create an MX record on my name server for the whole world?

Obviously Tech Support didn't understand that you were talking about *outbound* mail, and not inbound mail. Or, perhaps they didn't understand that you don't want the mainframe to deliver directly, but to pass off most outbound mail to another machine -- "obviously" the mainframe is superior to everything else in the Universe, and should be able to do anything you want without depending on a single outside resource.

Riiiiiiiiiiight. And I have some ocean-front property in Utah to sell you.

----
Brad Knowles
DISA/DISO/JISC/UJCLOA
*.ims.disa.mil Co-Postmaster
brad@birch.ims.disa.mil
Ph: (703) 695-0914/69E-MAIL
DSN: 225-0914/22E-MAIL
Fax: (703) 697-3352/693-7329

The above opinions are entirely the responsibility and property of the author. They do not necessarily reflect the official position of the Defense Information Systems Agency, the Department of Defense, the United States federal government, or anyone else in the Universe.
From firewalls-owner Thu Dec 1 11:28:50 1994
From: rmck@paragon-systems.com
Date: Thu, 1 Dec 94 11:28:32 EST
Message-Id: <9412011628.AA00298@sandfiddler.paragon-systems.com>
To: firewalls@greatcircle.com
Subject: Sidewinder

From bdboyle@maverick.erenj.com Thu Dec 1 10:15:46 1994
Date: Wed, 30 Nov 1994 21:56:33 -0500 (EST)
From: "Bryan D. Boyle"
Subject: Re: Sidewinder
To: rmck@paragon-systems.com
Cc: firewalls@greatcircle.com

On Wed, 30 Nov 1994 rmck@paragon-systems.com wrote:

> Afternoon Cyberhounds!
>
> Anyone on the net got a handle yet on how solid Sidewinder is?
> Secure Computing has put out a nice looking package (great brochure!).
> But this firewall was hatched with some "encouragement" from our friends
> up at zip code 20755, and am curious if anyone from the "real" world has
                 ^^^^^

Ft. Meade, eh? NSA... that would instantly disqualify it for a commercial or personal application (If Clipper was the best they could come up with, then...) Besides, the NSA charter does not rule out domestic surveillance. I would not want to make it easy for them. But, then, I am a libertarian in that regard..

> taken it for a test drive.
>
> Bob-on-the-Beltway

_______________________________________________________

Didn't intend to get folks exercised about 20755's involvement in Sidewinder. Although the inference of such might be seen in the shadows by some, Sidewinder is indeed a commercially developed product, developed by Secure Computing Corporation, who quite rightly and appropriately enjoys the benefits of very strong technical and financial support from 20755 through sponsored INFOSEC product R&D. The question I raised was, because of the access they enjoy with that gang, were they able to take advantage of it and put out a device that truly distinguishes itself from the growing stack of commercial offerings that are full of all kinds of holes, and has anyone (20755 excluded) looked under the hood long and hard enough to make an informed judgement? Don't worry about the boys and girls at 20755. Contrary to popular contemporary lore, they are not as much a threat to you as they are a danger to themselves and the poor Gov't user agencies they are supposed to support.

Bob-on-the-Beltway

From firewalls-owner Thu Dec 1 11:34:59 1994
From: isdmill@gatekeeper.ddp.state.me.us
Date: Thu, 1 Dec 94 12:03:39 -0500
Message-Id: <9412011703.AA14965@uvs1.orl.mmc.com>
To: padgett@tccslr.dnet.mmc.com
Cc: "firewalls@greatcircle.com"@uvs1.dnet.mmc.com
Subject: Re: Some times it takes a while...
On Thu, 1 Dec 1994 padgett@tccslr.dnet.mmc.com wrote:

> Rik rites:
> >On Nov 3, padgett@tccslr.dnet.mmc.com wrote:
> >
> >The implication (for me) is that the AirForce broke
> >into intermediate systems to backtrack the intruders.
>
> Exactly ! Was obviously the fastest way to do it. As far as the AF breaking
> in, *the hole was already there - it had been created by the intruder*, the
> AF was just using the same hole.
>
> What was done was confirmed at the briefing. I was told that a blanket
> authorization had been obtained for the AF to do exactly that. I believe
> the time frame of authorization was limited: 72 hours AIR and that Scott
> Chaney's name was mentioned as having something to do with it (nothing
> is guaranteed from memory - I asked for a copy of the briefing slides but they
> have never arrived).
>
> Now before any opinions are raised, IMHO the AF people were in "hot pursuit"
> of a law breaker and only had a limited window of opportunity to backtrack.
> This doctrine is well established in US law - if a criminal breaks into

Not on computer systems it isn't.

> a bank through a private residence next door and the police catch them in
> the act, pursuit through the residence is authorized. I have no problem with
> this since it *reduces* the risk to the householder next door.

And through how many systems is it OK for them to backtrack? Does the perception of a hacker hacking at my system then give me the right to hack through every host in a source routed attack until I find the perpetrator? Is it OK for anyone to track "in hot pursuit" - or only certain official types? If only official organizations, which ones and why?

>
> The fact is that like most software patents (another pet peeve) this is really
> nothing new, just pre-existing doctrine being applied in a new way.
>

... being applied in a new way to a very VERY different environment.
---
David
----------------------------------------------------------------------------
It's *amazing* what one can accomplish when one doesn't know what one can't do!

From firewalls-owner Thu Dec 1 12:05:19 1994
From: palm@admin.kth.se (Christer Palm)
Date: Thu, 1 Dec 1994 19:34:36 +0100
To: firewalls@greatcircle.com

SIGNOFF me please

From firewalls-owner Thu Dec 1 12:35:15 1994
From: Doug McLaren
Date: Thu, 1 Dec 1994 12:56:15 -0600
Message-Id: <199412011856.MAA17790@graphite.comco.com>
To: jet@abulafia.genmagic.com, firewalls@GreatCircle.COM
Subject: Re: GE break-in
In-Reply-To: <9411292216.AA18076@abulafia.genmagic.com>
Organization: Computational Mechanics, Inc.

In article <9411292216.AA18076@abulafia.genmagic.com> you write:
| Doug Hughes writes:
| > to login to the bastion to get in or out, nothing is passed. (excepting
|
| Aha. the "able to log in from the outside through the bastion" bit is
| critical information for our folks.

I don't think he was speaking from a position of knowing; his question was worded more like he was making educated guesses, and so I would be reluctant to rely on it as 'critical information.'

If you disallow all incoming logins from offsite to your bastion host, this should increase the security of said bastion host. :)

--
Doug McLaren, dougmc@comco.com, 512-467-0618, ext 28

From firewalls-owner Thu Dec 1 13:25:55 1994
From: Glenn Bailey
Date: Thu, 1 Dec 1994 10:33:16 -0800
Message-Id: <9412011833.AA07813@simba.aero.org>
To: Firewalls@GreatCircle.COM, barnett@grymoire.crd.ge.com
Subject: Re: GE Break-in

Bruce Barnett writes:
*>
*> I have been informed by GE management that GE will not make details
*> of the break-in public.
*>
*> I (and several others) do not agree with this decision, so I have to
*> argue my point. I would appreciate suggestions on how I can convince
*> management that we should discuss this break-in publicly.
*>
*>
*> What benefits are there to GE?
*>

I would think the most important benefit to GE is that others will be more willing to share with GE THEIR incidents, thus helping GE firewall administrators be aware and prepare for possible attacks. Prevention is surely worth pounds of cure after the fact.
I don't think people like those on this list are that interested in the details of what files/info was compromised. What is more interesting is how the attackers got in, what level of attack (i.e. denial of service, user shell, root shell, we can imagine the details). Thus we can evaluate our own setups for similar vulnerabilities.

My own opinion; I don't know what MY company would say.

=================================================================
Glenn Bailey          | The Aerospace Corporation
gbailey@aero.org      | El Segundo, California
(310) 336-8316        | Engineering Workstation Support
=================================================================

From firewalls-owner Thu Dec 1 13:31:44 1994
From: ddrew@druid.reston.mci.net
Date: Thu, 1 Dec 94 14:59:59 -0500
Message-Id: <9412012000.AA16021@uvs1.orl.mmc.com>
To: firewalls@greatcircle.com@uvs1.dnet.mmc.com, padgett@tccslr.dnet.mmc.com
Subject: Re: Third times the charm...

> Have gotten several comments much in this light:
>
> >There is a BIG difference between the AF and the "police" and for very good
> >reasons.
>
> About people apparently concerned that the USAF is going to be in their
> computer. Not so. First, anyone with a good firewall is probably not
> going to be a link unless have an insider problem.

I guess the problem now is finding a definition of what a "good firewall" is.
Several people with good firewalls have outsider problems; one reason for the creation and enthusiasm of this list.

> Second, the USAF group
> only investigates incidents involving USAF sites.
>

It was my understanding, perhaps incorrectly so, that the "tracking" that the USAF was doing to identify these intruders involved the access into non-military sites. I think this is where a majority of the concern is coming from.

> Points I was trying to make was that tracing *can* be done (and should be
> a deterrent to intruders) and that there is a sound legal basis for
> authorizing proper authorities to do so.
>

Again, I think the concern that was generated was the question of whether the USAF was considered a "proper authority" for tracking unauthorized usage into non-military sites, without prior administrative approval (from the potential victims). And even had this been a "proper" "police" agency, does such access constitute a warrantless search, and therefore applicable to such guidelines?

I am certainly an advocate for taking aggressive steps to catch network intruders, but we have to examine very carefully the extent to which this is done, to ensure the rights of all the victims are considered.
===============================================================================
Dale Drew                       MCI Telecommunications
Manager                         internetMCI Security Engineering
Voice: 703/715-7058             Internet: ddrew@mci.net
Fax: 703/715-7066               MCIMAIL: Dale_Drew/644-3335

From firewalls-owner Thu Dec 1 13:36:09 1994
From: dmurphy@cwa.com (Dan Murphy)
Date: Thu, 1 Dec 94 12:23:41 PST
Message-Id: <9412012023.AA21106@cwa.com>
To: firewalls@greatcircle.com
Subject: Re: Archie or UDP proxies and the fwtk

"> >> Why not use email archie server?
"> >> Tenna Sakai (tws@mrc.com)
">
"> >Or Telnet into an archie server?
"> >Tom Brink tom@dot.state.az.us
">
"> Or set up your own archie server on a bastion host in your DMZ.

Hmmm, do people on this list know something about 'udprelay' that I don't? Seems like the perfect solution to me (we are xarchie users here, and have the source). Try ftp://ftp.wang.com/pub/fitz/udprelay-0.2.tar.Z for more info (1500 lines of source, daemon and Rsendto library function).
Dan Murphy

From firewalls-owner Thu Dec 1 14:16:57 1994
From: "Richard A. Bjorklund"
Date: Thu, 1 Dec 1994 15:22:49 -0500
Message-Id: <199412012022.PAA29514@birch.ims.disa.mil>
To: bind@uunet.uu.net, firewalls@greatcircle.com, wamsley@coltano.stortek.com
Subject: Re: SMTP from IBM VM machine through relay host on firewall

wamsley@coltano.stortek.com (Jim Wamsley) said:

> I have recently finally been able to convince the mainframers that they
> should run a caching only dns instead of running makesite every morning
> to rebuild their equivalent to an /etc/hosts file.
>
> My problem is that it appears as if IBM's smtp does not understand the
> concept of a relay mail host. If an address resolves as not local, it
> will not forward to the mail host, but insists that it should be able
> to charge out into the world and deliver its own mail.

Try creating a CNAME record pointing the name "mailhost" to your mail exchanger. It might pick up the existence of the mailhost and send the mail there. This has worked for us.

-Rich
==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==
Richard Bjorklund : SMTP CoPostmaster & E-mail Backbone Admin for IMS.DISA.MIL
rich@birch.ims.disa.mil : Computer Sciences Corp : (703)695-0914 (FAX)697-3352
"My opinions are mine and only mine...but I'm willing to share them with you."
"Trapped in a world where email is the killer app."
- Eric Schmidt, CTO, Sun
==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==

From firewalls-owner Thu Dec 1 15:07:54 1994
From: Rich=Gautier%SP-23DC%DRC@S1.DRC.COM
Date: Thu, 1 Dec 94 16:24:37 EST
Message-Id: <199412012128.NAA09976@miles.greatcircle.com>
To: firewalls%GreatCircle.COM@UTARLVM1.UTA.EDU
Subject: Re: Some times it takes a while...

I would think that unless the AF types were AF police-types, they would have no right. If they were Security Police, or AFOSI, then I would think that the application of the hot pursuit law would give them free rein. There would be no reason to deny them that. The AFOSI could care less about your design/contracting/competition/labor/billing information. They have a certain level of professionalism that extends both to real-world and virtual-world scenarios.

And now back to FIREWALLS!
Rich

From firewalls-owner Thu Dec 1 15:56:01 1994
From: jprovo@ultranet.com
Date: Thu, 1 Dec 94 16:28:38 -0500
Message-Id: <9412012128.AA16621@uvs1.orl.mmc.com>
To: probsite-l@mcc-care.com
Cc: "firewalls@greatcircle.com"@uvs1.dnet.mmc.com
Subject: Re: Some times it takes a while...

>On Thu, 1 Dec 1994 padgett@tccslr.dnet.mmc.com wrote:
>> Rik rites:
>> >On Nov 3, padgett@tccslr.dnet.mmc.com wrote:
>> >
>> >The implication (for me) is that the AirForce broke
>> >into intermediate systems to backtrack the intruders.
[clip]
>> Now before any opinions are raised, IMHO the AF people were in "hot pursuit"
>> of a law breaker and only had a limited window of opportunity to backtrack.
>> This doctrine is well established in US law - if a criminal breaks into
>Not on computer systems it isn't.
[clip]

This thread is directly on-target for probsite-l@mcc-care.com, where sporadic discussion about "steps to take on noticing a breakin" takes place. Wandered far afield from firewalls, IMO.

[this cc'd to probsite-l@mcc-care.com]

Cheers,
Joe Provo
Systems and Network Admin, UltraNet Communications Inc.
508.229.8400 (voice)    jprovo@ultranet.com    508.229.8111 (data)
A network service provider in Marlboro, MA - mail info@ultranet.com

From firewalls-owner Thu Dec 1 16:29:18 1994
From: jimc@e-Commerce.Com (Jim Carroll)
Date: Thu, 1 Dec 94 16:49:30 EST
Message-Id: <9412012149.AA04435@viper.e-Commerce.Com>
To: firewalls@greatcircle.com
Subject: Re: Archie or UDP proxies and the fwtk (fwd)
In-Reply-To: <199412011807.AA14973@SPARKY.CF.CS.YALE.EDU>
Reply-To: jimc@e-Commerce.Com

H. Morrow Long writes:
>
> >> Why not use email archie server?
> >> Tenna Sakai (tws@mrc.com)
>
> >Or Telnet into an archie server?
> >Tom Brink tom@dot.state.az.us
>
> Or set up your own archie server on a bastion host in your DMZ.

Or use a Web browser with forms support to connect to an Archieplex server, and put either SOCKS or the CERN httpd on your bastion. Netscape springs to mind. Check out http://web.nexor.co.uk/archie.html.

--
Jim Carroll -- jimc@e-Commerce.Com -- Standard disclaimer here.
e-Commerce, Inc., 1030 Kamato Road, Suite 201
Mississauga, Ontario, Canada L4W 4B6
** http://www.e-Commerce.com/~jimc/home.html **

From firewalls-owner Thu Dec 1 16:44:28 1994
From: Gustavo Vegas
Date: Thu, 01 Dec 1994 14:39:13 -0700
Message-Id: <199412012139.OAA23528@pegasus.Microchip.COM>
To: barnett@grymoire.crd.ge.com
cc: Firewalls@greatcircle.com
Subject: Re: GE Break-in
In-reply-to: Your message of "Thu, 01 Dec 1994 00:51:28 MST." <9412011751.AA16073@grymoire.crd.ge.com>

Sections from message <9412011751.AA16073@grymoire.crd.ge.com> read:

> >What benefits are there to GE?
>

Well, right off the top of my head I can tell you that many of the brilliant people that read and actively discuss stuff in this list would probably be able to give alternate solutions to plug the bugs/holes/quirks used in breaking into your firewall. Some of those might be even better than the ones your people may have come up with.

On the other hand, if the current situation is "services exploited by the attack are just disabled until further notice" I could see why GE does not want to release any details.
IMHO GE's disclosure could help improve the firewall configuration of people using schemes that were exploited/circumvented by the attack, including GE's itself.

===========================================+===========================
Gustavo Vegas                  titan!gustavo@enuucp.eas.asu.edu
CAD Systems Administrator      Microchip Technology Inc.
                               Chandler, Arizona
===========================================+===========================

From firewalls-owner Thu Dec 1 16:59:08 1994
From: ddrew@druid.reston.mci.net
Date: Thu, 1 Dec 94 17:38:50 -0500
Message-Id: <9412012238.AA16884@uvs1.orl.mmc.com>
To: walkera@druggist.gg.caltech.edu
Cc: firewalls%greatcircle.com@uvs1.dnet.mmc.com
Subject: Re: Third times the charm...

> Date: Thu, 01 Dec 1994 14:13:58 PST
> From: Walker Aumann
>
> > Again, I think the concern that was generated was the question of whether the USAF was
> > considered a "proper authority" for tracking unauthorized usage into non-
> > military sites, without prior administrative approval (from the potential
> > victims). And even had this been a "proper" "police" agency, does such
> > access constitute a warrantless search, and therefore applicable to such
> > guidelines?
>
> If it _were_ the proper authorities chasing down the intruders, wouldn't this
> be similar to a thief trying to escape by breaking and entering into another
> business or residence?
> I'd believe that "probable cause" would come into
> play here, allowing them to chase the suspect. Not that I'm happy about this.
>
> Walker
>

There are no provisions in US Legal Code that provide Law Enforcement Agencies the ability to access an entity's computer system during the course of conducting an investigation without the permission of the owner of that system, or appropriate legal warrants. This is uncharted legal territory.

It would also be interesting to note that the law that does provision for unauthorized access into computer systems, the terribly outdated USC 1030, has hardly ever been prosecuted under.

===============================================================================
Dale Drew                       MCI Telecommunications
Manager                         internetMCI Security Engineering
Voice: 703/715-7058             Internet: ddrew@mci.net
Fax: 703/715-7066               MCIMAIL: Dale_Drew/644-3335

From firewalls-owner Thu Dec 1 17:01:02 1994
From: walkera@druggist.gg.caltech.edu
Date: Thu, 1 Dec 94 17:14:17 -0500
Message-Id: <9412012214.AA16788@uvs1.orl.mmc.com>
To: ddrew@druid.reston.mci.net
Cc: firewalls%greatcircle.com@uvs1.dnet.mmc.com
Subject: Re: Third times the charm...

> Again, I think the concern that was generated was the question of whether the USAF was
> considered a "proper authority" for tracking unauthorized usage into non-
> military sites, without prior administrative approval (from the potential
> victims).
> And even had this been a "proper" "police" agency, does such
> access constitute a warrantless search, and therefore applicable to such
> guidelines?

If it _were_ the proper authorities chasing down the intruders, wouldn't this be similar to a thief trying to escape by breaking and entering into another business or residence? I'd believe that "probable cause" would come into play here, allowing them to chase the suspect. Not that I'm happy about this.

Walker

From firewalls-owner Thu Dec 1 17:29:58 1994
From: maass@odb.rhein-main.de (Joerg Maass)
Date: Thu, 1 Dec 1994 23:18:43 +0100
To: Doug Hughes
Cc: firewalls@GreatCircle.COM
Subject: Re: GE break-in

Hi all,

>well, there are several GE people that read this newsgroup regularly,
>but I don't see them volunteering any information..
>Suffice it to say that GE used the bastion host approach.. You have
>to login to the bastion to get in or out, nothing is passed. (excepting
>mail and NNTP, possibly a few other innocuous things). This
>info is several months old. A person wanting to hack would have to
>hack the bastion(s) first.
>

And he or she would ONLY have to hack the bastion...

>This is fairly evident through DNS..
>there are only two GE hosts listed
>for DNS nameservers and 3 for mail exchangers (with overlap between the
>two). Now, you know they have to have more than 3 hosts. (well, they do).
>they also refuse zone transfers. It's actually a pretty good firewall
>as they go..

A bastion host isn't a good firewall (single point of failure, user accounts on the firewall). In fact, it is the least secure one besides a standalone screening router (no proxies).

> There must have been a passwd leak somehow (speculation).
>Bastion access used to be tightly controlled.
>

As I said above... And it was a reusable password from what I hear. Does anybody know anything definite?

>I would consider disclosure unlikely.. (ie don't hold your breath)
>

Yes. Hmmph. OK, I know. Maybe I wouldn't admit it also ...:-)

Josch
--
Am Tiergarten 22        Tel.: +49/69/4990880
D-60316 Frankfurt       Fax : +49/6103/383-157
Germany                 private: maass@thinkfish.rhein-main.de
                        biz.: Joerg.Maass@frs.mts.dec.com
PGP signature available upon request.

From firewalls-owner Thu Dec 1 17:32:33 1994
From: Christopher Klaus
Message-Id: <199412012248.RAA00368@shadow.net>
Subject: Re: Third times the charm...
To: ddrew@druid.reston.mci.net Date: Thu, 1 Dec 94 17:48:17 EST Cc: firewalls@greatcircle.com In-Reply-To: <9412012000.AA16021@uvs1.orl.mmc.com>; from "ddrew@druid.reston.mci.net" at Dec 1, 94 2:59 pm X-Mailer: ELM [version 2.3 PL0] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > It was my understanding, perhaps incorrectly so, that the "tracking" that > the USAF was doing to identify these intruders involved the access into > non-military sites. I think this is where a majority of the concern is > coming from. > > > Points I was trying to make was that tracing *can* be done (and should be > > a deterrent to intruders) and that there is a sound legal basis for > > authorizing proper authorities to do so. > > > > Again, I think the concern that was generated was the question if the USAF was > considered a "proper authority" for tracking unauthorized usage into non- > military sites, without prior administrative approval (from the potential > victims). And even had this been a "proper" "police" agency, does such > access constitute a warrantless search, and therefore applicable to such > guidelines? > "Someone from a CIA computer obviously tried to hack me when they tried to log into my machine as a guest account, therefore I was trying to do a citizen arrest and find the intruder by penetrating all of the CIA and FBI computers trying to locate the bad guy." Grin. Not sure if that will fly, but I think the correct procedure is to notify the admins of the site where the intruder came from. But then again, there are some admins that when you notify that a hacker was coming from their site, they say "Kiss off, that is your security problem." I suppose if you are a big enough organization, you can threaten to sue them. But how much liability does an admin have that is a public site that allows anyone to log on and telnet elsewhere? And in court, the site being sued could just claim they were also a victim of the intruder, why should they get sued? 
Also, what organization wants to admit that they can't secure their own computers, with investors watching? -- Christopher William Klaus Internet Security Systems, Inc. Computer Security Consulting 2209 Summit Place Drive, Penetration Analysis of Networks Atlanta,GA 30350-2430. (404)518-0099. Fax: (404)518-0030 From firewalls-owner Thu Dec 1 17:55:42 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA11243 for firewalls-outgoing; Thu, 1 Dec 1994 14:54:00 -0800 Received: from seraph.uunet.ca (uunet.ca [142.77.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA11237 for ; Thu, 1 Dec 1994 14:53:48 -0800 Received: from isgtec by mail.uunet.ca with UUCP id <89722-5>; Thu, 1 Dec 1994 17:53:11 -0500 Received: by drbong.isgtec.com (/\=-/\ Smail3.1.18.1 #18.20) id ; Thu, 1 Dec 94 17:49 EST Message-Id: From: klode@isgtec.com (Claude Morin) Subject: GE break-in: some thoughts about disclosure To: Firewalls@GreatCircle.COM Date: Thu, 1 Dec 1994 17:49:29 -0500 In-Reply-To: <9412011751.AA16073@grymoire.crd.ge.com> from "Bruce Barnett" at Dec 1, 94 02:51:28 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 1668 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > ... I would appreciate suggestions on how I can convince > management that we should discuss this break-in publicly. > What benefits are there to GE? Just some thoughts; I hope these arguments are useful to others, so I'm sending this to the list rather than via private mail. Please expand on/refute these points. Reasons for secrecy: S1) "security through obscurity" Sorry, this doesn't hold water. GE has no doubt closed the hole by now, so their security isn't threatened by disclosure. It may be a misplaced attempt to protect the rest of us; I submit that the best way to protect us is by informing us. If GE hasn't closed the hole, they're crazy to even be back on the 'net. 
S2) avoidance of bad PR S3) saving face on the part of their security experts/management I can think of a few possibilities where these reasons might be valid. Unfortunately, they all assume that GE blew it in some way and want to avoid looking like fools. Reasons for disclosure: D1) free flow of information Knowledge of (possibly new) cracker techniques can drive efforts to develop counters to the techniques. It seems to me that improving the state of the art can only help GE. Thus, it seems to me that if GE decides their security efforts don't need help from *anyone* outside the company, then the only reason for disclosure is some benevolent concern for *our* security. BTW, I favour full disclosure, since I don't buy S1, couldn't care less about S2 and S3 and stand to benefit from D1. Claude ----- Claude Morin that's "klode", not "clod"...French :-) System Administrator ISG Technologies Inc. Mississauga, Ontario, Canada From firewalls-owner Thu Dec 1 18:04:24 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA13161 for firewalls-outgoing; Thu, 1 Dec 1994 17:57:04 -0800 Received: from post.demon.co.uk (post.demon.co.uk [158.152.1.72]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA13155 for ; Thu, 1 Dec 1994 17:56:55 -0800 Received: from demon.demon.co.uk by post.demon.co.uk id ac11773; 2 Dec 94 0:42 GMT Received: from cellnet.co.uk by demon.demon.co.uk id aa19836; 2 Dec 94 0:42 GMT Received: from ford with uucp; Thu, 1 Dec 94 23:42:23 From: Steve Kennedy Message-Id: <4574.9412012342@ford.gbnet.org> Subject: Re: GE Break-in To: grymoire.crd.ge.com!barnett@cellnet.co.uk Date: Thu, 1 Dec 1994 23:42:23 +0000 (GMT) Cc: greatcircle.com!Firewalls@cellnet.co.uk In-Reply-To: <9412011751.AA16073@grymoire.crd.ge.com> from "Bruce Barnett" at Dec 1, 94 12:51:28 pm X-Mailer: ELM [version 2.4 PL24alpha3] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 911 Sender: 
firewalls-owner@GreatCircle.COM Precedence: bulk According to Bruce Barnett > I have been informed by GE management that GE will not make details > of the break-in public. > I (and several others) do not agree with this decision, so I have to > argue my point. I would appreciate suggestions on how I can convince > management that we should discuss this break-in publicly. Well as far as rumours go it was via access to an internal web server, which allowed scripts to be executed ... It is ONLY a rumour though ... Steve -- ___ |_ ___ ___ Flat 2, 43 Howitt Road (___ | (___) \ / (___) Belsize Park ___) | (___ \/ (___ London NW3 4LU [MIME OK] tel +44-(0)171 483 1169 steve@gbnet.{com,org,net} home (or steve@tel.net) steve@marvin.demon.co.uk Demon Internet Dial-up WWW http://www.demon.co.uk/subscribers/m/marvin/ UNIX/Networking Consulting steve@NetTek.co.uk From firewalls-owner Thu Dec 1 18:34:05 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA12314 for firewalls-outgoing; Thu, 1 Dec 1994 16:27:45 -0800 Received: from netserv.com (netserv.com [198.37.128.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA12309 for ; Thu, 1 Dec 1994 16:27:30 -0800 Received: from [198.37.128.120] (smh-ppc.netserv.com [198.37.128.120]) by netserv.com (8.6.9/smh-1.1) with SMTP id QAA16065; Thu, 1 Dec 1994 16:23:53 -0800 Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 1 Dec 1994 16:24:36 -0800 To: Glenn Bailey , Firewalls@GreatCircle.COM, barnett@grymoire.crd.ge.com From: smh@netserv.com (Scott M. Hinnrichs) Subject: Re: GE Break-in Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 10:33 AM 12/1/94, Glenn Bailey wrote: >Bruce Barnett writes: > *> > *> I have been informed by GE management that GE will not make details > *> of the break-in public. > *> > *> I (and several others) do not agree with this decision, so I have to > *> argue my point. 
I would appreciate suggestions on how I can convince > *> management that we should discuss this break-in publicly. > *> > *> > *> What benefits are there to GE? > *> > >I would think the most important benefit to GE is that others will >be more willing to share with GE THEIR incidents, thus helping GE >firewall administrators be aware and prepare for possible attacks. GE has *already* benefited from the disclosures made by other companies' break-ins, and now it is GE's turn to release details so we can all shore up our defenses. A simple statement as to what services were used to gain access, and even better, a list of the changes made after the break-in that made GE confident that they could restore Internet Access. What holes did they fill, and with what did they fill them? They might even get feedback as to whether they have picked the right/wrong hole filling material ;) Scott From firewalls-owner Thu Dec 1 18:41:31 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA12067 for firewalls-outgoing; Thu, 1 Dec 1994 15:56:40 -0800 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA12050 for ; Thu, 1 Dec 1994 15:56:17 -0800 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA17047; Thu, 1 Dec 94 18:34:05 -0500 Date: Thu, 1 Dec 94 18:34:05 -0500 Message-Id: <9412012334.AA17047@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: OY ! Will this never die ? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I think the concern here revolves around "posse comitatus" law. >You no doubt know far more about the subject than I do, but at least as I >understand it the USAF is NOT allowed to participate in hot pursuit off >their own premises except in very, very, narrow circumstances. Okay, okay. 
My understanding based on some *very* brief questions because I know and trust some of the people involved (they do not tell me everything but generally tell me when they can't and I do believe what they do say) is that before trace 1 occurred both civilian authorities and the Department of Justice were lined up and some very narrow "rules of engagement" were defined. I do not know who did what to whom but that 1) USAF sites were involved and 2) Backtraces were performed and at least one arrest was made. IN NO CASE did USAF sysadmins just decide to catch hackers, the people involved were specialists partly recruited from the USAF Security Service and had prior clearance from both civilian and military agencies to respond. In fact, my biggest amazement was not that it had been done, nor that it could be done, and close but not max that they had gotten permission, but that in the biggest hall NIST had at Baltimore (and it was packed) very few people seemed to realize just *what* had been done. Warmly, Padgett ps can we stop now ? Am not really the person to ask. 
From firewalls-owner Thu Dec 1 18:45:33 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA12220 for firewalls-outgoing; Thu, 1 Dec 1994 16:15:34 -0800 Received: from uu9.psi.com (uu9.psi.com [38.145.107.9]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA12213 for ; Thu, 1 Dec 1994 16:15:04 -0800 Received: from firewall.cwa.com by uu9.psi.com (5.65b/4.0.071791-PSI/PSINet) via SMTP; id AA27564 for Firewalls@greatcircle.com; Thu, 1 Dec 94 19:18:13 -0500 Received: from cwa.com by firewall.cwa.com (4.1/SMI-4.1) id AA15256; Thu, 1 Dec 94 16:16:43 PST Received: from chinacat.cwa.com by cwa.com (4.1/CWA-PSI-SMI-1.0) id AA21913; Thu, 1 Dec 94 16:14:31 PST Date: Thu, 1 Dec 94 16:14:31 PST From: dmurphy@cwa.com (Dan Murphy) Message-Id: <9412020014.AA21913@cwa.com> To: Firewalls@greatcircle.com Subject: Re: GE Break-in Cc: gbailey@aero.org, barnett@grymoire.crd.ge.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Glenn Bailey writes: "> "> Bruce Barnett writes: "> *> "> *> I have been informed by GE management that GE will not make details "> *> of the break-in public. "> *> [deletia] "> "> [deletia] ... I don't "> think people like those on this list are that interested in the details "> of what files/info was compromised. What is more interesting is how "> the attackers got in, what level of attack (i.e denial of service, user "> shell,root shell, we can imagine the details). Thus we can evaluate our "> own setups for similar vulnerabilities. "> Can the GE management be persuaded to bless a technical paper for a computer security conference coming up in the near future addressing the issues Glenn identifies? 
This would have some advantages for GE: 1) Disclosure will be "old news" to the media that shareholders read/see 2) Don't need to discuss the WHO, WHY or WHAT aspects, just the HOW 3) Legal and Public Relations can "have input" on what will be disclosed 4) We (the interested public) find out, reliably, what we *need* to know 5) GE is not further embarrassed by worse-than-reality rumors circulating >> mount /soap/box But in any case, look on the bright side: such things never STAY secret for very long. Within a month, this list will have (almost) all the details on the HOW part, and probably about what files were accessed. All it takes is ONE person who knows, talking "off the record" to ONE other person with ANY kind of interest (business, politics, self-aggrandizement, ass-covering) in repeating the story to still others. GE's management is self-delusional if they really think saying "we will not make details of the break-in public" is going to keep people from finding out. Remember, this is the same company that loses antitrust cases to the USDOJ every 10 years or so, due to the written evidence in their own files. Here are secrets worth literally tens of millions of dollars they leave in secretaries' filing cabinets... No, I suspect the plan is to stonewall until the mainstream media, hot about stolen files with NBC's summer rerun schedule (like "Bionic Ever After Saves Elvis From Space Aliens"), gets distracted by next week's story. After that, GE's IS execs, none of whom will admit to having selected the at-fault HW/SW, will dine out (at network vendors' expense) for the rest of winter, telling the "real" story and providing grist for the industry rumor mill. 
>> umount /soap/box Dan Murphy From firewalls-owner Thu Dec 1 19:04:14 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA13625 for firewalls-outgoing; Thu, 1 Dec 1994 18:37:20 -0800 Received: from uni (uni.ins.com [199.0.193.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA13618 for ; Thu, 1 Dec 1994 18:36:57 -0800 Received: from markpc.ins.com (markpc.ins.com [199.0.193.183]) by uni (8.6.8.1/8.6.6) with SMTP id SAA28063; Thu, 1 Dec 1994 18:33:21 -0800 Date: Thu, 1 Dec 1994 18:33:21 -0800 Message-Id: <199412020233.SAA28063@uni> X-Sender: kadrich@uni.ins.com (Unverified) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Gustavo Vegas , barnett@grymoire.crd.ge.com From: (Mark S. Kadrich) Subject: Re: GE Break-in Cc: Firewalls@GreatCircle.COM X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Agreed. **hop on soap box** I am writing a security policy for my client to recommend to his executive people and it contains a section on this very subject. I realize that it does not directly address technical issues of firewalls, but the moral ;-) responsibility of our group to disseminate information seems very important. I think we all intuitively understand the benefits of this type of policy. Science has used it successfully for years. I would encourage people to attempt to convince the execuweenies to generate and follow a policy that provides for information dissemination while balancing corporate responsibilities. This can foster an 'I'll show you mine if you show me yours' attitude. The info may be a generalized description in some cases, but that's better than nothing. Many of these executive folks have share holders and corporate prestige to think about and in the absence of some form of policy the reflex reaction is to say nothing. If there is a corporate directive to provide this info then it may happen, but that's where I think it will start. 
It may be too late for GE, but it is a beginning. **hop off of soap box** At 02:39 PM 12/1/94 -0700, Gustavo Vegas wrote: > >Sections from message <9412011751.AA16073@grymoire.crd.ge.com> read: >> >>What benefits are there to GE? >> >Well right off the top of my head I can tell you that many of the brilliant >people that read and actively discuss stuff in this list would probably >be able to give alternate solutions to plug the bugs/holes/quirks used in >breaking into your firewall. Some of those might be even better than the ones >your people may have come up with. > >On the other hand, if the current situation is "services exploited by the >attack are just disabled until further notice" I could see why GE does not >want to release any details. > >IMHO GE's disclosure could help improve the firewall configuration of people >using schemes that were exploited/circumvented by the attack, including >GE's itself. > >===========================================+=========================== > ****** > * *** * > * * * >*** * * >* * * * > * * >* *** *** * Gustavo Vegas titan!gustavo@enuucp.eas.asu.edu > ********** CAD Systems Administrator Microchip Technology Inc. > ******* Chandler, Arizona >===========================================+=========================== > > ****************************************************************** Mark S. Kadrich, Systems Engineer, International Network Services "The Power of Operable Networks" Voice @ 415-254-4225, Page @ 1-800-759-7243; PIN 879-5783 e-mail @ kadrich@uni.ins.com We must all consider our place in the scheme of things, lest we forget its effect on our own schemes. 
****************************************************************** From firewalls-owner Thu Dec 1 20:05:21 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA13935 for firewalls-outgoing; Thu, 1 Dec 1994 19:04:32 -0800 Received: from uu9.psi.com (uu9.psi.com [38.145.107.9]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id TAA13930 for ; Thu, 1 Dec 1994 19:04:27 -0800 Received: from firewall.cwa.com by uu9.psi.com (5.65b/4.0.071791-PSI/PSINet) via SMTP; id AA12509 for firewalls@greatcircle.com; Thu, 1 Dec 94 22:07:41 -0500 Received: from cwa.com by firewall.cwa.com (4.1/SMI-4.1) id AA15501; Thu, 1 Dec 94 19:06:11 PST Received: from chinacat.cwa.com by cwa.com (4.1/CWA-PSI-SMI-1.0) id AA22521; Thu, 1 Dec 94 19:04:01 PST Date: Thu, 1 Dec 94 19:04:01 PST From: dmurphy@cwa.com (Dan Murphy) Message-Id: <9412020304.AA22521@cwa.com> To: firewalls@greatcircle.com Subject: Air Force "Hot Pursuit" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk OK, folks, look... Unlike source code, a law NEVER means what it SAYS, it means what a court says it means, when applied to a particular set of facts, in a particular case at bar. US courts do not issue hypothetical or advisory rulings for precisely that reason. There are no cases on point (meaning having similar sets of facts and all surrounding circumstances), and there are no directly applicable statutes, therefore, THERE IS NO LAW ON THIS SUBJECT. All else is the interesting speculations of amateurs. Ever listen to your mother-in-law's conception of how computers work? And not only do I play a lawyer on TV, I was one once in real life, too. Harumph... Dan Murphy, !Esq. 
From firewalls-owner Fri Dec 2 00:34:33 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA16412 for firewalls-outgoing; Fri, 2 Dec 1994 00:18:29 -0800 Received: from northshore.ecosoft.com (northshore.ecosoft.com [192.233.85.129]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id AAA16407 for ; Fri, 2 Dec 1994 00:18:21 -0800 Received: from [192.233.85.195] (shore2.shore.net) by northshore.ecosoft.com with SMTP id AA08299 (5.67a/IDA-1.5 for ); Fri, 2 Dec 1994 03:16:26 -0500 Message-Id: <199412020816.AA08299@northshore.ecosoft.com> X-Sender: vin@mailhost.shore.net Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 1 Dec 1994 15:15:26 -0500 To: Firewalls@greatcircle.com From: vin@shore.net (Vin McLellan) Subject: Re: Some time it takes a while... Sender: firewalls-owner@GreatCircle.COM Precedence: bulk David quoted Padgett's defense of the AF backtracking a hack attack through already-penetrated intermediate systems : >> Now before any opinions are raised, IMHO the AF people were in "hot pursuit" >> of a law breaker and only had a limited window of opportunity to backtrack. >> This doctrine is well established in US law - if a criminal breaks into David objected: >Not on computer systems it isn't. > (deleted quote and counterquote) >... how many systems is it ok for them to backtrack on? > >Does the perception of a hacker hacking at my system then give me the >right to hack through every host in a source routed attack until I find >the perpetrator? > >Is it OK for anyone to track "in hot pursuit" - or only certain official >types? If only official organizations, which ones and why? > This, I suppose, involves one of the social extensions of the Firewalls technology. If the site manager detects an intruder, he does what he must in order to fend him off or cut him off -- but does that include backtracking him? 
If not (since no one else can; at least at that instant) does that define the site manager as a (Net) citizen with no responsibility to his (Net) society -- a mere property manager? (GE's attitude toward those who so desperately want to find out what allowed hackers to penetrate their firewall comes to mind....) A property manager with no concern for what is happening on the street is common in Urban America, but the Net is not yet infused with the futility that characterizes our meaner streets, is it? (Personally, I always felt the Sheriff was a fool to face down the bad guys alone at high noon. If the citizens didn't feel their society was worth some direct involvement, they deserved chaos.) That someone chose the Air Force to play Sheriff intrigues me. Was there some military (or DARPA) machines or nets being used or threatened? The US Air Force -- the executive agent which administers the DARPA contract that funds Carnegie Mellon's Software Engineering Institute, the coordinator of the Community Emergency Response Team (CERT) which the Net community has come to so rely on -- has a sort of legacy legitimacy playing sheriff. The Internet was first settled by the military the way the Canadian Frontier was first organized by the Mounties, a somewhat different model than used in the Wild American West. When Morris Jr. loosed the worm to penetrate the Unix systems Morris Sr. had secured, the Net community found itself wholly unprepared for the crisis (although yeoman labor by many scattered groups of heroes proved how resilient a truly distributed system could be.) Out of that experience, to general acclaim and relief, DARPA funded CERT...and later, CERT begot FIRST. It's the closest thing we have to a "community watch;" as close as we come to Net Police; but both rely on Net citizens, the CERT consultants, to defend the on-line culture...'cause the cops don't have a clue. 
On a frontier, virtual or otherwise, when the Law has not yet established itself, those who can do what they can to defend what they value. If they don't, who will? That said, the role of the AF in this instance makes me realize Kapor and EFF have the right idea. God's in the details... and if we leave it to the lawyers, in office and out, we'll have railroad law mindlessly extended into Cyberspace. (Beg pardon, this pushes the envelope on the FW charter.) _vin ++ _Vin McLellan ++ The Privacy Guild ++ (617) 884-5548 ++ vin@shore.net ++ +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ From firewalls-owner Fri Dec 2 04:34:05 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA21118 for firewalls-outgoing; Fri, 2 Dec 1994 04:13:03 -0800 Received: from bos1a.delphi.com (SYSTEM@bos1a.delphi.com [192.80.63.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id EAA21082 for ; Fri, 2 Dec 1994 04:12:50 -0800 Received: from delphi.com by delphi.com (PMDF V4.3-9 #7804) id <01HK5R2NZM9S99DOVZ@delphi.com>; Fri, 02 Dec 1994 07:11:20 -0500 (EST) Date: Fri, 02 Dec 1994 07:11:20 -0500 (EST) From: Network Security Observations Subject: Info request by NSO/ISM To: Firewalls@GreatCircle.COM Message-id: <01HK5R2NZVXE99DOVZ@delphi.com> X-VMS-To: INTERNET"Firewalls@GreatCircle.COM" X-VMS-Cc: NSO MIME-version: 1.0 Content-type: TEXT/PLAIN; CHARSET=US-ASCII Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi all, Could anyone on this enticing list update me on "the Internet Liberation Front". This is supposed to be the group (if it is a group) that is responsible for (or claimed to be responsible for) the GE incident. I believe GE would also appreciate a copy of your response. If you have more info, please email us (and GE), but do not post your pertinent info to a list. thx for coop. 
Network Security Observations Internet Security Monthly Bertil Fortrie or [you are encouraged to offer us trinkets, luxurious yachts, evening + with Miss America or other Miss, large donations and lump sums, Learjet(s) and flights to the Carib., and the like. ] From firewalls-owner Fri Dec 2 05:04:47 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA21259 for firewalls-outgoing; Fri, 2 Dec 1994 04:17:53 -0800 Received: from pp (pp.ksc.nasa.gov [128.159.174.102]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id EAA21254 for ; Fri, 2 Dec 1994 04:17:49 -0800 Received: from escact.ksc.nasa.gov.ksc.nasa.gov (actually escact.ksc.nasa.gov) by pp with SMTP (PP); Fri, 2 Dec 1994 07:12:52 -0500 Received: by escact.ksc.nasa.gov.ksc.nasa.gov (4.1/SMI-4.1) id AA11125; Fri, 2 Dec 94 07:05:38 EST Date: Fri, 2 Dec 94 07:05:38 EST From: Mark.Gibbons-1@kmail.ksc.nasa.gov (Mark E. Gibbons) Message-Id: <9412021205.AA11125@escact.ksc.nasa.gov.ksc.nasa.gov> To: firewalls@greatcircle.com Subject: Re: Higher speed data lines Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > In message <9411300220.AA15666@hawksbill.sprintmrn.com>you write: > > I must have missed something, because this thread is way out of control. snip > > Did I miss something? What is the point? then: > From: Bernhard Schneck > > I think the original question was what machine would be needed to > build a firewall capable of working at speed. > snip Well, more than that I was interested to know if people thought the higher speed links would cause them to look for different strategies. It appears that most people just plan on finding faster boxes, but a couple also feel this has nothing to do with firewalls, so I went back to lurking so as not to interfere with their Important Work. meg ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: mark e. gibbons Network Engineer M.S. 
INI-18 (v)407.867.4847 mark@luke.ksc.nasa.gov Kennedy Space Center, (f)407.867.4079 mark.e.gibbons@ksc.nasa.gov Florida 32899 "Man is the best computer we can put aboard a spacecraft ... and the only one that can be mass produced with unskilled labor." -- Wernher von Braun From firewalls-owner Fri Dec 2 05:34:51 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA21954 for firewalls-outgoing; Fri, 2 Dec 1994 05:02:32 -0800 Received: from mull.dis.strath.ac.uk (mull.dis.strath.ac.uk [130.159.80.150]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id FAA21949 for ; Fri, 2 Dec 1994 05:02:25 -0800 Received: from localhost (stuart@localhost) by mull.dis.strath.ac.uk (8.6.5/8.6.5) id NAA15989 for Firewalls@Greatcircle.com.; Fri, 2 Dec 1994 13:00:59 GMT Date: Fri, 2 Dec 1994 13:00:59 GMT From: Stuart Aitken Message-Id: <199412021300.NAA15989@mull.dis.strath.ac.uk> To: Firewalls@Greatcircle.com Subject: Information please. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am a student who is interested in firewalls and how they work. If you have any set documents on this subject it would be much appreciated. How easy is it to get into others' files through the Internet? Should all organisations have firewalls and how secure are they anyway? Thanks for your time Stuart Aitken. 
From firewalls-owner Fri Dec 2 06:04:22 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA22017 for firewalls-outgoing; Fri, 2 Dec 1994 05:05:19 -0800 Received: from bastion.oecd.org (root@bastion.oecd.org [193.51.65.34]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id FAA22011 for ; Fri, 2 Dec 1994 05:05:12 -0800 Received: from sidhe.oecd.org (sidhe.oecd.org [10.89.9.1]) by bastion.oecd.org (8.6.9/8.6.9) with ESMTP id OAA21047; Fri, 2 Dec 1994 14:04:26 GMT Received: (from roberto@localhost) by sidhe.oecd.org (8.6.9/sidhe-1.2) id PAA15233; Fri, 2 Dec 1994 15:02:22 +0100 From: Ollivier Robert Message-Id: <199412021402.PAA15233@sidhe.oecd.org> Subject: Re: Archie or UDP proxies and the fwtk To: adam@bwh.harvard.edu (Adam Shostack) Date: Fri, 2 Dec 1994 15:02:22 +0100 (MET) Cc: foxtrot@sware.com, firewalls@GreatCircle.COM Reply-To: roberto@hsc.fr.net (Ollivier Robert) In-Reply-To: <199412011604.LAA15339@bwh.harvard.edu> from "Adam Shostack" at Dec 1, 94 11:04:40 am X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Content-Length: 342 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > There is a mail interface to archie. Your firewall passes > mail, right? :) One may use telnet for archie services. 
-- Ollivier ROBERT -=- Hervé Schauer Consultants -=- roberto@hsc.fr.net FreeBSD keltia 2.1.0-Development #0: Wed Nov 30 22:33:04 1994 root@keltia.frmug.fr.net:/usr/src/sys/compile/KELTIA i386 From firewalls-owner Fri Dec 2 06:34:41 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA22775 for firewalls-outgoing; Fri, 2 Dec 1994 06:31:41 -0800 Received: from orion.massolant.navy.mil (orion.massolant.navy.mil [192.171.8.18]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA22770 for ; Fri, 2 Dec 1994 06:31:15 -0800 Received: from hatteras (ch.inri.com [198.202.184.13]) by orion.massolant.navy.mil (8.6.4/8.6.4) with SMTP id JAA04151; Fri, 2 Dec 1994 09:30:04 -0500 Received: from wolftrap.ch.inri.com (wolftrap) by hatteras with SMTP id AA24751 (5.65c/IDA-1.4.4); Fri, 2 Dec 1994 09:27:21 -0500 Message-Id: <199412021427.AA24751@hatteras> X-Sender: wlb@ch.inri.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 02 Dec 1994 10:20:36 -0600 To: Stuart Aitken , Firewalls@GreatCircle.COM From: wlb@ch.inri.com (Bill Bunting) Subject: Re: Information please. X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Visit WWW Page http://www.tis.com. At 01:00 PM 12/2/94 GMT, Stuart Aitken wrote: >I am a student who is interested in firewalls and how they work. If you have >any set documents on this subject it would be much appreciated. How easy is >it to get into others files through the Internet. Should all organisations >have firewalls and how secure are they anyway? >Thanks for you time >Stuart Aitken. 
> > > --------------------------------------- | Bill Bunting, Software Engineer | ****** |Inter-National Research Institute, Inc.| ***_******_ __ _ | 1441 Crossways Boulevard, Suite 106 | ===//=/\**//=/- )==//= | Chesapeake, Virginia 23320 | {==//=//\\//=//||==//== | V(804)424-8675 F(804)420-4262 | =//=//==\/*//=||=//=== | (wbunting@inri.com) | ********* | (bunting@cs.odu.edu) | ***** --------------------------------------- From firewalls-owner Fri Dec 2 07:04:40 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA22790 for firewalls-outgoing; Fri, 2 Dec 1994 06:33:27 -0800 Received: from bdypwt.knmi.nl (root@bdypwt.knmi.nl [145.23.16.126]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA22785 for ; Fri, 2 Dec 1994 06:33:20 -0800 Received: from dbc151.knmi.nl by bdypwt.knmi.nl with SMTP id AA27619 (5.67b+/IDA-1.5 for ); Fri, 2 Dec 1994 14:31:53 GMT Received: by dbc151.knmi.nl (5.64/1.36) id AA00938; Fri, 2 Dec 94 14:31:40 GMT Date: Fri, 2 Dec 1994 14:31:39 +0000 (WET) From: "J.H. vd Burg" Subject: this will never die, probably To: Firewalls@greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >In fact, my biggest amazement was not that it had been done, nor that it could >be done, and close but not max that they had gotten permission, but that in >the biggest hall NIST had at Baltimore (and it was packed) very few people >seemed to realize just *what* had been done. > Warmly, > Padgett > >ps can we stop now ? Am not really the person to ask. Generally I'm not too unhappy with these "off the subject" discussions. I feel that a lot of technically oriented people are rather narrow minded, and that it doesn't hurt (me :-) to have them think a little about the other aspects of the real world. 
Especially people that are concerned with subjects like security should not put technology first, since many of the "human" factors will dictate technical "details" (and not very often the other way round).

That being said, I agree with Padgett that a very interesting question remains unanswered: How come "nobody noticed"?????

From a technical point of view, I hate it if somebody is able to compromise my information system, but I REALLY hate it if I don't know about it! The word compromise is being used in the broadest sense here. I would like to know more about the "how to get away with it" and "how to prevent me from getting away with it". Could somebody give me some suggestions (technical suggestions :-)

Kind regards,

Jan-Hein van der Burg
Systems Administration Dept. CWD, KNMI
e-mail: jhb@knmi.nl; tel: +31.30.206550
pgp 2.6 public key available

From firewalls-owner Fri Dec 2 07:50:18 1994
From: cfulmer@pnc-pimc.com (Catherine Fulmer)
To: firewalls@GreatCircle.COM
Date: Fri, 2 Dec 94 10:07:39 EST
Subject: Turning off IP forwarding
Message-Id: <9412021507.AA26072@pnc-pimc.com>

Is it really possible to turn off IP forwarding on SunOS 4.1.3_U1? I have tried both:

    options "IPFORWARDING=-1"

and

    options "IPFORWARDING=-2"

in the kernel, but testing shows this does not work.
I suspect that there should be some way to do this directly to the source, perhaps in one of the /usr/kvm/sys/netinet files. As my C is rusty, I would appreciate any pointers if someone has done this.

Apologies if this has been discussed before... I haven't seen it in the past few months.

thanks,
cathy
--
Catherine Fulmer              clf@pnc-pimc.com
PNC BANK (Phila, Pa)          Voice: 610-521-7828   Fax: 610-521-7980
My words are mine, and don't reflect the views of my employer.

From firewalls-owner Fri Dec 2 08:05:23 1994
From: Marcus J Ranum
To: maass@odb.rhein-main.de (Joerg Maass)
Cc: Doug.Hughes@Eng.Auburn.EDU, firewalls@GreatCircle.COM
Date: Fri, 2 Dec 1994 10:57:47 -0500 (EST)
Subject: Re: GE break-in
Message-Id: <9412021553.AA25492@tis.com>
In-Reply-To: from "Joerg Maass" at Dec 1, 94 11:18:43 pm
Organization: Trusted Information Systems, Inc. Glenwood, MD

> A bastion host isn't a good firewall (Single point of failure, user
> accounts on the firewall). In fact, it is the least secure one besides a
> standalone screening router (no proxies).

Let me attempt to defend some of the terminology, as I understand it.
[Since "bastion host" is a term I coined, I'd like to exercise eminent domain over it]

A bastion host is simply a term for a system that has been identified as a strong-point. Usually, a firewall system is a bastion host, or may consist of a screening router and a bastion host. A bastion host does *NOT* necessarily have user accounts on it. Ours, for example, do not. In the terminology I'm most comfortable with, a system that is a bastion host full of user accounts that people log into is a "user gateway" or a "gateway host." Most firewall experts agree that a user gateway is a pretty weak firewall if it's running on a normal commercial operating system. [A user gateway running on a multilevel secure system that used strong authentication might actually not be too bad]

With respect to the "single point of failure" issue, let me observe that *ALL* firewall configurations are going to have a single point of failure someplace -- which if you're willing to assume an attacker gains control over, all bets are off. The tradeoffs are between complexity and correctness -- a firewall consisting of multiple systems *might* be harder to break into because of its layout, but it also is likely to be much harder to configure correctly.

I used to believe in a major way that approaches like the 3-host firewall [see: "A Network Firewall", proceedings of SANS-I, mjr, 1992, ftp.tis.com:pub/firewalls/sans-1-paper.ps, which describes what later became DEC SEAL] were the best route. In fact, if you look at that configuration, there is still a single point of failure; the system known as "gate." Indeed if the system "gatekeeper" is compromised you're also in pretty bad shape. In fact, what tends to happen is that whenever *any* of your firewall machines gets broken into, you are in pain.

mjr.
From firewalls-owner Fri Dec 2 08:34:47 1994
From: lavondes@tidtest.total.fr (Michel Lavondes)
To: firewalls@greatcircle.com
Date: Fri, 2 Dec 94 16:55:45 GMT
Subject: Re: Firewalls for Novell (IPX) internetworking???
Reply-To: lavondes@tidtest.total.fr
Message-Id: <9412021655.AA00229@tidtest.total.fr>
In-Reply-To: <199411300900.KAA27023@sjaan.fbk.eur.nl.>; from "Hans Michael Pronk" at Nov 30, 94 10:00 am

Hans Michael Pronk wrote :
>
> > Possible loopholes: static routes from client to server.
> > Filters brought up after the SAPs did propagate to the listener/client
> > segment.
> >
> Hmmmmm.... what about a Novell server reacting on a GetNearestFileServer
> request. These requests tend to pass through SAP filters.
>

They should not pass through routers, though, since the router *itself* should answer the request ...
--
Michel Lavondes
E-Mail : lavondes@tidtest.total.fr
         lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected)
Tel : +33-1-4135-4198    Fax : +33-1-4135-4189

From firewalls-owner Fri Dec 2 08:52:06 1994
From: gamble@uxcsb1.cern.ch (John Gamble CN/CS/IN)
To: firewalls@greatcircle.com
Date: Fri, 2 Dec 1994 16:06:57 +0100
Subject: FWD: Re: Higher speed data lines
Message-Id: <9412021506.AA09866@dxmint.cern.ch>

(2nd try ... wrong address first time ..)

I was very interested by the post about high-speed firewalls - and disappointed by the lack of concrete replies from vendors/developers.

We currently have a cisco as our "external" router which implements the usual access lists to give us some protection. We are interested in adding a firewall. The current AVERAGE data rate through this cisco is 34Mbits/sec (it is connected between two FDDI rings), so we would be looking at something that could handle full FDDI speed (to be future proof - at least for 1 year). We are also part of ATM pilot projects - another reason for needing firewalls capable of handling 100Mbit/sec average rate.

We are not paranoid about security - but would like something better than what we have. The product would have to be "transparent" - along the lines of only opening ports when needed.

So why the vendor silence? Is it due to the lack of products (confidence) in this area? Does "security = low speed internet access"?
(or a supercomputer - which we can't connect anyway to the Internet)(nor afford!!)

Do high speed requirements need different techniques in developing firewalls? - is anyone seriously looking at this area?

John Gamble.

From firewalls-owner Fri Dec 2 09:08:26 1994
From: mcr@milkyway.com (Michael Richardson)
To: firewalls@greatcircle.com
Date: 2 Dec 1994 11:48:08 -0500
Subject: Re: Higher speed data lines
Organization: Milkyway Networks Corporation
Message-Id: <3bnj48$43h@calisto.milkyway.com>
References: <9412021205.AA11125@escact.ksc.nasa.gov.ksc.nasa.gov>

In article <9412021205.AA11125@escact.ksc.nasa.gov.ksc.nasa.gov>, Mark E. Gibbons wrote:
>> From: Bernhard Schneck
>>
>> I think the original question was what machine would be needed to
>> build a firewall capable of working at speed.
>>
>snip
>
>Well, more than that I was interested to know if people thought the
>higher speed links would cause them to look for different strategies.
I was thinking about this last night as I cycled home (one advantage of cycling over driving, IMHO). One thought was to have multiple firewall machines, with the load somehow distributed between them. This assumes that a single machine has enough bandwidth through the application level gateway to support the highest bandwidth application, but that there might be multiple instances of the proxy running on multiple machines.

The biggest problem I imagined was letting the client machines (both internal and external) know which firewall to choose. Clearly, one would prefer to have the load balancing done automatically. From my reading of the IPv6 (SIPP) stuff, it appears that facilities to do service redirection exist...

>It appears that most people just plan on finding faster boxes, but a
>couple also feel this has nothing to do with firewalls, so I went back
>to lurking so as not to interfere with their Important Work.

Are there any newer feats of TCP/IP throughput since Van Jacobson reported saturating the Interop ether in 1991 or so? If money is no issue, how fast can I source/sink data? (Not just route)

--
:!mcr!:             | Milkyway Networks Corporation
Michael Richardson  | Makers of the Black Hole firewall
NCF: aa714 || xx714 | +1 613 596-5549 ... mcr@milkyway.com
Home: mcr@sandelman.ocunix.on.ca. PGP key available.
From firewalls-owner Fri Dec 2 09:30:20 1994
From: lavondes@tidtest.total.fr (Michel Lavondes)
To: firewalls@greatcircle.com
Date: Fri, 2 Dec 94 16:37:18 GMT
Subject: Re: Secure modem pool
Reply-To: lavondes@tidtest.total.fr
Message-Id: <9412021637.AA00205@tidtest.total.fr>
In-Reply-To: <9411300259.AA20018@tokyo.tss.com>; from "Andrew S. Howell" at Nov 30, 94 11:59 am

Andrew S. Howell wrote :
>
> I want to set up a modem pool to allow our clients and field engineers
> to have ppp access to our site. I thought of using a terminal server
> with ppp support, but am quite worried about security. This would allow
> them direct access to our network, would it not? I would guess that
> it would be hard to implement additional filtering.
>
> Would I be better off setting up a firewall-like machine through
> which all external ppp links passed? How about SCSI based terminal
> servers ? Do they give me greater control over my links?
>

I would suggest the following :

1) Connect all of your PPP links to a terminal server using CHAP
2) configure the TS so it allows access to a single Unix machine
3) replace the standard login on that machine by one that uses one-time passwords (or a similar system such as SecurID from Security Dynamics)
4) consider the TS and the Unix machine to be part of the Internet (ie, if your outside users must ftp or telnet to your inside network, they do so through your firewall)

How does that sound to you ?

--
Michel Lavondes
E-Mail : lavondes@tidtest.total.fr
         lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected)
Tel : +33-1-4135-4198    Fax : +33-1-4135-4189

From firewalls-owner Fri Dec 2 09:36:43 1994
From: jimc@e-Commerce.Com (Jim Carroll)
To: firewalls@greatcircle.com
Date: Fri, 2 Dec 94 11:36:18 EST
Subject: disabling source routing on SunOS
Reply-To: jimc@e-Commerce.Com
Message-Id: <9412021636.AA05484@viper.e-Commerce.Com>

Saw a recent mention of how to disable source routing under Solaris 2.x, but how is it done under SunOS 4.1.x?

--
Jim Carroll -- jimc@e-Commerce.Com -- Standard disclaimer here.
e-Commerce, Inc., 1030 Kamato Road, Suite 201
Mississauga, Ontario, Canada L4W 4B6
** http://www.e-Commerce.com/~jimc/home.html **

From firewalls-owner Fri Dec 2 09:47:25 1994
From: Doug Hughes
To: firewalls@greatcircle.com
Date: Fri, 2 Dec 1994 10:02:04 -0600
Subject: Re: GE break-in
In-Reply-To: <9412021553.AA25492@tis.com>

Based on mail I've seen in the past, I'm guessing that the user-gateway host itself was not the first compromise (though it may have been compromised later). All user accounts are based upon a restricted shell with minimum access (no mail, no editor, nothing that can spawn an editor). Basically, most people log in and run Mosaic, displaying it back to their own machine inside the firewall system.

FYI, there are screening routers involved too; exact placement and configuration I wouldn't care to speculate upon at this time because it may have changed, and probably has.
--
Doug Hughes                Engineering Network Services
System/Net Admin           Auburn University
doug@eng.auburn.edu
"The Light at the end of the tunnel is the headlamp of an oncoming train"

From firewalls-owner Fri Dec 2 10:06:49 1994
From: "Robertson, Paul"
To: firewalls@greatcircle.com, padgett@tccslr.dnet.mmc.com, firewalls-owner@GreatCircle.COM, "Wright, Robert"
Date: Fri, 02 Dec 94 11:31:00 PST
Subject: Re: Some times it takes a while...
Message-ID: <2EDF7C9A@smtpgate.gannett.com>

[headers snipped]

! Now before any opinions are raised, IMHO the AF people were in "hot pursuit"
! of a law breaker and only had a limited window of opportunity to backtrack.
! This doctrine is well established in US law - if a criminal breaks into
! a bank through a private residence next door and the police catch them in
! the act, pursuit through the residence is authorized.

>There is a BIG difference between the AF and the "police" and for very good
>reasons.
>RLS

Yes, there is. The AF can, like our friends at Ft. Meade, use the "interests of national security" magic passphrase; this passphrase, kind of like the Clipper's escrow, opens all sorts of neat doors, both at home and abroad.
Paul "Let's take this to sneakers, before we get yelled at for being off-topic" Robertson

From firewalls-owner Fri Dec 2 10:17:31 1994
From: ted.doty@nsco.network.com
To: firewalls@greatcircle.com
Date: Fri, 2 Dec 94 11:24:43 PST
Subject: Re: Higher speed data lines

>We all know how much setting up plain ip packet filtering hurts
>the performance of just about any router, so the question is still
>open:
>
>   Which box would you need to build a firewall with application-level
>   gateways (or any other method) for, say, real time 3d medical imaging
>   and instrument control applications running at T3/E3 speed or higher?

IF the application presents data in a well-PDUized manner, and if you can tell me what the PDU format is, our new Enterprise Router-Switch will filter application traffic at (certainly) T3 rates. Examples of applications are FTP and NFS.

It's a much more difficult task to firewall strongly stream-based applications where you need to maintain considerable state on the socket (the worst example of this, of course, is Telnet, which presents a single character at a time ... but I don't know many sites with a T3 worth of telnet).
- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation   | phone: +1 301 596-2270
8965 Guilford Road, Suite 250           | fax: +1 410 381-3320
Columbia, MD, 21046 USA                 | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.

From firewalls-owner Fri Dec 2 10:38:29 1994
From: cfulmer@pnc-pimc.com (Catherine Fulmer)
To: firewalls@GreatCircle.COM
Date: Fri, 2 Dec 94 12:44:47 EST
Subject: Turning off IP forwarding
Message-Id: <9412021744.AA27181@pnc-pimc.com>

Please ignore previous query on turning off IP forwarding in SunOS 4.1.3_U1. Not enough coffee has caused temporary brain damage. Deleting in_proto.o, and changing the options line to:

    options IPFORWARDING="-1"

worked (though I am at a loss to explain why options "IPFORWARDING=-1" was not okay). Now I am all set to tunnel back thru...

cathy
--
Catherine Fulmer              clf@pnc-pimc.com
PNC BANK (Phila, Pa)          Voice: 610-521-7828   Fax: 610-521-7980
My words are mine, and don't reflect the views of my employer.
From firewalls-owner Fri Dec 2 10:45:54 1994
From: lavondes@tidtest.total.fr (Michel Lavondes)
To: firewalls@greatcircle.com
Date: Fri, 2 Dec 94 17:06:43 GMT
Subject: Re: GE Break-in
Reply-To: lavondes@tidtest.total.fr
Message-Id: <9412021706.AA00245@tidtest.total.fr>
In-Reply-To: <9412011751.AA16073@grymoire.crd.ge.com>; from "Bruce Barnett" at Dec 1, 94 12:51 pm

Bruce Barnett wrote :
>
> I have been informed by GE management that GE will not make details
> of the break-in public.
>
> I (and several others) do not agree with this decision, so I have to
> argue my point. I would appreciate suggestions on how I can convince
> management that we should discuss this break-in publicly.
>
> What benefits are there to GE?
>

I'm not an expert in US computer crime law, so this may not be relevant, but consider the following scenario :

The same cracker that broke into GE's network breaks into X's network, and is caught, but not before doing substantial damage. A subsequent inquiry finds out that X has the same firewall system as GE, and that the same security holes were used in both cases. Would GE in this case be liable for damage, since disclosure of the methods used in that case would have allowed X to plug its own security holes ?
Regards
--
Michel Lavondes
E-Mail : lavondes@tidtest.total.fr
         lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected)
Tel : +33-1-4135-4198    Fax : +33-1-4135-4189

From firewalls-owner Fri Dec 2 10:56:54 1994
From: aaron@sdt.com (Aaron Gair)
To: firewalls@greatcircle.com
Date: Fri, 2 Dec 1994 09:43:53 -0600
Subject: Access to WWW servers, was Re: GE Break-in
Message-Id: <9412020943.ZM29168@shadow.sdt.com>
In-Reply-To: Steve Kennedy "Re: GE Break-in" (Dec 1, 11:42pm)
References: <4574.9412012342@ford.gbnet.org>

SUBJECT: What sort of precautions should be taken in regards to a firewall to support WWW servers. What precautions should be taken to support access to Internet based WWW servers in regards to a firewall.

Hope this is appropriate. I see we all have been struggling with what IS and what IS NOT for this list.

Someone said:
> Well as far as rumours go it was via access to an internal web server,
> which allowed scripts to be executed ...

If this is true or NOT, would anyone on this list like to point out any known holes, security cautions, or firewall configurations for WWW servers that serve the Internet?

For starters:

Should a WWW server reside on your perimeter net?
Do you use http proxies to give access through your firewall to your WWW server?

How does a script get executed on the WWW server? How can this be prevented?

Will a dual-homed bastion, external screening router, and internal screening router, with only the WWW server port accessible from the Internet, prevent script execution on a WWW server?

Anyone want to elaborate on this configuration vs others in regards to WWW server access?

Are there certain security measures that should be considered when developing home pages?

Basically, what is needed to provide access to a WWW server securely? ( secure meaning - as secure as possible given known problems etc. )

AND

What precautions should be taken to allow access through a firewall to Internet based WWW servers?

Unless someone has already summarized these issues, I will summarize all replies to share with all. I feel that in most cases list participants avoid mentioning the obvious problems due to their own knowledge of some subject. Any information is helpful for some of us, so don't be shy.

Aaron C. Gair
SABRE Decision Technologies
aaron@sdt.com

From firewalls-owner Fri Dec 2 11:04:43 1994
From: ddrew@mci.net
To: firewalls@GreatCircle.COM, jimc@e-Commerce.Com
Date: Fri, 2 Dec 1994 13:54:35 -0500
Subject: Re: disabling source routing on SunOS
Message-Id: <199412021854.NAA26000@druid.reston.mci.net>

Source Routing Patch - URL: ftp.greatcircle.com:/pub/firewalls/digest/v03.n153.Z

> Saw a recent mention of how to disable source routing under Solaris
> 2.x, but how is it done under SunOS 4.1.x?
>
> --
> Jim Carroll -- jimc@e-Commerce.Com -- Standard disclaimer here.
> e-Commerce, Inc., 1030 Kamato Road, Suite 201
> Mississauga, Ontario, Canada L4W 4B6
> ** http://www.e-Commerce.com/~jimc/home.html **
>
===============================================================================
Dale Drew                          MCI Telecommunications
Manager                            internetMCI Security Engineering
Voice: 703/715-7058                Internet: ddrew@mci.net
Fax: 703/715-7066                  MCIMAIL: Dale_Drew/644-3335

From firewalls-owner Fri Dec 2 11:35:30 1994
From: Marcus Walls
To: Firewalls@Greatcircle.com
Date: Fri, 2 Dec 1994 19:28:31 +0100
Subject: Re: Information please.
In-Reply-To: <199412021300.NAA15989@mull.dis.strath.ac.uk>

On Fri, 2 Dec 1994, Stuart Aitken wrote:
> I am a student who is interested in firewalls and how they work. If you have
> any set documents on this subject it would be much appreciated. How easy is
> it to get into others' files through the Internet. Should all organisations
> have firewalls and how secure are they anyway?
> Thanks for your time
> Stuart Aitken.
>

Seconded. I too am a student very much interested in the workings of firewalls. I have my own machine on the internet, and I have a responsibility to make sure it is as secure as possible, to avoid providing an easy platform for someone to hack our local machines. I would still wish to allow telnet, ftp and talk requests though.
I have installed all the various TCP wrappers that supposedly allow host checking etc, but I don't think this is all that much use from the point of view of preventing intrusion. Therefore, could I also ask for any advice about setting up a firewall, and what I stand to gain from it?

Thanks very much for your time

Marcus

From firewalls-owner Fri Dec 2 12:23:19 1994
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Date: Fri, 2 Dec 94 11:59:47 -0500
Subject: Worst thing...
Message-Id: <9412021659.AA20486@uvs1.orl.mmc.com>

Jan-Hein van der Burg writes:
>From a technical point of view, I hate it if somebody is able to compromise
>my information system, but I REALLY hate it if I don't know about it!

Will not go into details but the WORST thing is not a hacker finding a hole you did not know about, nor even having *someone else* tell you that you were hacked; the worst I can think of goes like this:

1) Hacker finds what looks like a hole - can't do anything but is happy to get any response at all.
   (Still have trouble with terms: in Florida "Cracker" has a very special meaning unrelated to computers)
2) logs it
3) authorities obtain logs
4) authorities contact sysadmin, verifies connection, and tells he/she/it/other "not to tell anyone because this is part of an on-going investigation"
5) sysadmin DOESN'T tell anyone including internal security
   (months pass)
6) Prosecution types leak info to press including site names
7) Article appears in paper at corporate headquarters with YOUR SITE in list.
8) Chairman asks Pres what is going on
9) Pres asks VP
A) VP asks director (continue down the food chain with increasing volume)
B) Your boss asks you, you do not have a clue what is going on (see #5), and the buck stops here...

Warmly,
Padgett

From firewalls-owner Fri Dec 2 12:35:38 1994
Date: Thu, 01 Dec 94 14:33:56 PST
From: "Metzner, Ken"
Message-Id: <9411017863.AA786319141@clink.acad.com>
To: firewalls@greatcircle.com

Please put me on your mailing list. (Very impressed by Bill Ruh's talk at NCI.) Thanks.
Ken Metzner

From firewalls-owner Fri Dec 2 12:46:24 1994
Date: Fri, 2 Dec 94 14:27:25 EST
From: Edward DeHart
To: lavondes@tidtest.total.fr
Cc: firewalls@GreatCircle.COM
Subject: Re: GE Break-in
In-Reply-To: Your message of Fri, 2 Dec 94 17:06:43 GMT

> I'm not an expert in US computer crime law, so this may not be relevant, but
> consider the following scenario :
>
> The same cracker that broke in GE's network breaks in X's network, and is
> caught, but not before doing substantial damage. A subsequent inquiry finds
> out that X has the same firewall system as GE, and that the same security
> holes were used in both cases. Would GE in this case be liable for damage,
> since disclosure of the methods used in that case would have allowed X to
> plug in its own security holes ?

You really should direct legal questions to an attorney. There is a difference between logic and U.S. law.

When CERT first started, we discussed this with a few attorneys. One provided the following story. If you see someone drowning and you do nothing and the person dies, you would not be arrested. The person would have died if you were not present. If you attempt to save the person and the person dies, the police and next of kin would examine everything you did in case you made a mistake. It is possible that you could be charged with a crime or sued by the next of kin. Most would think this story to be silly but there is case law to support it.
If site X had security problems, an intruder could have attacked them regardless of what happened at GE. GE not discussing their break-in would not make things worse. They would not be helping either the site or the intruder.

If GE announced a problem with ABCD's firewall product and an intruder used the same method as described in GE's announcement to break into site X, GE could be sued. A good attorney could get away without proving the intruder knew about GE's announcement.

Ed

From firewalls-owner Fri Dec 2 13:06:55 1994
Date: Fri, 2 Dec 94 15:13:01 -0500
Message-Id: <9412022013.AA24095@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Just thinking

>The same cracker that broke in GE's network breaks in X's network, and is
>caught, but not before doing substantial damage. A subsequent inquiry finds
>out that X has the same firewall system as GE, and that the same security
>holes were used in both cases. Would GE in this case be liable for damage,
>since disclosure of the methods used in that case would have allowed X to
>plug in its own security holes ?

Ever hear of "deep pockets" ? Would a real lawyer care to explain ?
- P.fla

From firewalls-owner Fri Dec 2 13:19:19 1994
Date: Fri, 2 Dec 1994 10:26:00 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
Message-Id: <9412021826.AA04342@brittany.oes.amdahl.com>
To: foxtrot@sware.com
Subject: Re: Archie or UDP proxies and the fwtk
Cc: firewalls@greatcircle.com

We handle archie requests by having people use one of the http sites that provide that service, like http://hoohoo.ncsa.uiuc.edu/archie.html. The user interface is nicer than archie or xarchie, and we don't have to let udp through our firewall.

These opinions are mine, and not Amdahl's (except by coincidence;).

Patrick J. Horgan       | Amdahl Corporation        | "Have Sword
patrick@oes.amdahl.com  | 1250 East Arques Avenue   |
Phone : (408)992-2779   | P.O.
Box 3470 M/S 316        | Sunnyvale, CA 94088-3470  |  Will Travel"
FAX   : (408)773-0833   | O16-2294                  |

From firewalls-owner Fri Dec 2 13:35:09 1994
Date: Fri, 2 Dec 1994 19:24:56 +0100
To: vicki@cco.caltech.edu (Vicki Brown), mlist-firewalls@nntp-server.caltech.edu
From: maass@odb.rhein-main.de (Joerg Maass)
Subject: Re: automated firewall software

Hi Vicky,

>Went to a SUN seminar today, and lo and behold, someone tried to sell me
>FireWall-1: Internet Connectivity Security Solution. Does this give
>anybody else the heebiejeebies, or am I too old fashioned at age 20 and
>crusty for thinking we should do things the old fashioned way, and not
>introduce some piece of software with its own potential security holes?

Well, software like Firewall-1 (which is essentially a more or less clever distributed packet filter) IS useful in a firewall configuration. However, I wouldn't call a packet filter a firewall.
A good firewall design involves a lot more than that (application gateways, counteractive tools for nailing down intruders, etc.). Basically you're right, though. Any unnecessary piece of software is an additional security risk.

Josch
--
Am Tiergarten 22      Tel.: +49/69/4990880
D-60316 Frankfurt     Fax : +49/6103/383-157
Germany               private: maass@thinkfish.rhein-main.de
                      biz.:    Joerg.Maass@frs.mts.dec.com

PGP signature available upon request.

From firewalls-owner Fri Dec 2 13:43:49 1994
Date: Fri, 2 Dec 1994 19:25:57 +0100
To: beames@ins.com (Ken Beames), firewalls@greatcircle.com, info@checkpoint.com
From: maass@odb.rhein-main.de (Joerg Maass)
Subject: Re: Firewall case study

Hi Ken,

At 13:01 on 30.11.1994 -0800, Ken Beames wrote:
>1. How does Firewall-1 handle mail? Does it come with something like TIS's
>SMAP?
>

From what I understand from the Checkpoint Web Server and promo literature (remember, Firewall-1 is NOT a Sun product), Firewall-1 is a simple packet filter. If you want to handle mail, do it yourself.

>2. I have users that need to dial in to get mail, and this means _through_
>the front door of the firewall. (We don't have our own dialup server)
>

Get one and/or use authentication devices like the ones from Security Dynamics and Digital Pathways.
>We are using a bunch of different mail servers; not everyone goes to the
>same server.
>
>I'd like to pass mail, as well as basic services (ftp, telnet, http), but in
>order to do so securely, (well, as much as possible) I'm of the opinion that
>I'll need access lists a mile long to allow this.
>

No. Different mail hubs are no problem. Allowing the several applications is not a problem if you use application gateways, which to my knowledge Firewall-1 doesn't provide. I'd suggest (and I'm biased :-) that you contact a vendor that sells a firewall, not a packet filter.

>the design is a dual screening router with a application filter (sparc with
>something like firewall-1) in between.
>

You mean that the router filters in- and outbound traffic, don't you? If so, you essentially have a bastion host design (additional security by means of the screening router). This design can be hacked (see GE incident this week). I'd try to install a screened subnet configuration, if possible.

Check the Digital SEAL page :

    http://www.digital.com/info/seal.html

SEAL docs/kits :

    ftp://www.pcs.dec.com/pub/net-tools/SEAL

FTPable documents :

    ftp://ftp.digital.com/

Internet Security: Screening External Access Link (SEAL)
    Customer Update Article -- May 1994, 2 Pages
    Text : /pub/Digital/info/Customer-Update/940509010.txt

Screening External Access Link (SEAL) Consulting Service
    Infosheet -- May 1994, 1 Page
    Abstract : /pub/Digital/info/infosheet/seal-consulting-service.abs
    PostScript: /pub/Digital/info/infosheet/seal-consulting-service.ps

United States Contact:

    Dick Calandrella at 508-496-8626

As I said, I'm biased :-).

All the best

Josch
--
Am Tiergarten 22      Tel.: +49/69/4990880
D-60316 Frankfurt     Fax : +49/6103/383-157
Germany               private: maass@thinkfish.rhein-main.de
                      biz.:    Joerg.Maass@frs.mts.dec.com

PGP signature available upon request.
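Josch's point above (a screening router in front of a bastion host is weaker than a screened subnet, because once the bastion falls there is nothing between it and the inside) can be checked with a toy model of screening-router rules. The following is an added example written for this archive, not code from the thread or from any vendor mentioned in it; the addresses, networks and ports are constructed sample values, and "screened_host" is the name used here for the single-router bastion design Ken describes.

```python
"""Toy first-match packet filter used to compare two firewall designs.

screened_host:   one screening router; the bastion sits on the internal LAN.
screened_subnet: exterior router, perimeter net holding the bastion, interior
                 router; the bastion is the only host both sides can reach.

All addressing below is a constructed assumption for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


def filter_decision(rules: List[Rule], p: Packet) -> str:
    """Screening-router semantics: first matching rule wins; unmatched packets are denied."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed addressing (RFC 5737 documentation ranges for the outside/perimeter).
ANY = "0.0.0.0/0"
INTERNAL = "10.1.0.0/16"       # the protected network
MAILHUB = "10.1.0.25"          # internal mail hub the gateway relays to
PERIMETER = "192.0.2.0/24"     # screened subnet between the two routers
BASTION = "192.0.2.10"         # application-gateway host on the perimeter net
SH_BASTION = "10.1.0.10"       # screened_host design: the bastion lives on INTERNAL

# screened_host: one router; rules for packets arriving from the Internet.
screened_host_inbound = [
    Rule("deny", INTERNAL, ANY),                        # anti-spoofing: inside addresses never arrive from outside
    Rule("permit", ANY, SH_BASTION + "/32", "tcp", 25),  # mail to the gateway
    Rule("permit", ANY, SH_BASTION + "/32", "tcp", 21),  # ftp to the gateway
    Rule("deny"),
]

# screened_subnet: exterior router, packets arriving from the Internet ...
exterior_inbound = [
    Rule("deny", INTERNAL, ANY),
    Rule("deny", PERIMETER, ANY),
    Rule("permit", ANY, BASTION + "/32", "tcp", 25),
    Rule("permit", ANY, BASTION + "/32", "tcp", 21),
    Rule("deny"),
]
# ... and interior router, packets arriving from the perimeter net.
interior_inbound = [
    Rule("permit", BASTION + "/32", MAILHUB + "/32", "tcp", 25),  # gateway relays mail inward, nothing else
    Rule("deny"),
]


def outside_reaches(design: str, p: Packet) -> bool:
    """Can a packet from the Internet reach its destination under the given design?"""
    if design == "screened_host":
        return filter_decision(screened_host_inbound, p) == "permit"
    if filter_decision(exterior_inbound, p) != "permit":
        return False
    if ip_address(p.dst) in ip_network(INTERNAL):
        return filter_decision(interior_inbound, p) == "permit"
    return True


def bastion_reaches(design: str, dst: str, proto: str, dport: int) -> bool:
    """What a compromised bastion can open towards the internal network."""
    if design == "screened_host":
        # Same LAN as the internal hosts: no router in the path, so nothing filters.
        return ip_address(dst) in ip_network(INTERNAL)
    return filter_decision(interior_inbound, Packet(BASTION, dst, proto, dport)) == "permit"


if __name__ == "__main__":
    for design in ("screened_host", "screened_subnet"):
        print(design, "bastion -> internal telnet:",
              bastion_reaches(design, "10.1.0.20", "tcp", 23))
```

Both designs refuse a direct connection from outside to an internal host and both stop the obvious source-address spoof; the difference only shows up when you ask what the bastion itself can reach, which is exactly the question an intruder who has just taken the gateway will be asking.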
From firewalls-owner Fri Dec 2 14:05:07 1994
Date: Fri, 2 Dec 94 16:55:40 -0500
From: hcj@gull.uncc.edu (Harry C. Johnson)
Message-Id: <9412022155.AA12895@gull.uncc.edu>
To: firewalls@greatcircle.com
Subject: tcpd and firewall/user gateway

How reliable is tcpd for preventing external access to a firewall that is also used as a 'user gateway' for local users? In other words, is a firewall with user accounts reasonably secure if tcpd is employed properly to restrict outside logins?

I am fairly new to the subject of firewalls, so please forgive me if this is an obvious question.

Thank you for your time!
-Harry

From firewalls-owner Fri Dec 2 14:16:46 1994
Date: Fri, 2 Dec 1994 13:09:21 -0800
To: maass@odb.rhein-main.de (Joerg Maass), firewalls@greatcircle.com
From: Ken_Beames@ins.com (Ken Beames)
Subject: Re: Firewall case study

>Hi Ken,
>
>At 13:01 on 30.11.1994 -0800, Ken Beames wrote:
>>1. How does Firewall-1 handle mail? Does it come with something like TIS's
>>SMAP?
>>
>
>From what I understand from the Checkpoint Web Server and promo literature
>(remember, Firewall-1 is NOT a Sun product), Firewall-1 is a simple packet
>filter. If you want to handle mail, do it yourself.
>
>>2. I have users that need to dial in to get mail, and this means _through_
>>the front door of the firewall. (We don't have our own dialup server)
>>
>
>Get one and/or use authentication devices like the ones from Security
>Dynamics and Digital Pathways.
>
>>We are using a bunch of different mail servers; not everyone goes to the
>>same server.
>>
>>I'd like to pass mail, as well as basic services (ftp, telnet, http), but in
>>order to do so securely, (well, as much as possible) I'm of the opinion that
>>I'll need access lists a mile long to allow this.
>>
>
>No. Different mail hubs are no problem. Allowing the several applications is
>not a problem if you use application gateways, which to my knowledge
>Firewall-1 doesn't provide.
>I'd suggest (and I'm biased :-) that you
>contact a vendor that sells a firewall, not a packet filter.
>

Please define "Application Gateways". I'd rather not _buy_ a firewall (as then I know less as to how it's built/configured); I'd much rather build one, as I've done before, but those needs were different.

>>the design is a dual screening router with a application filter (sparc with
>>something like firewall-1) in between.
>>
>
>You mean that the router filters in- and outbound traffic, don't you? If
>so, you essentially have a bastion host design (additional security by
>means of the screening router). This design can be hacked (see GE incident
>this week). I'd try to install a screened subnet configuration, if
>possible.
>

Yes, I screen both ways, and there are two subnets onto which there can be a secured subnet, and a semi-secured one with the unix host running the firewall-1 filter providing the _only_ route in between.

>Check the Digital SEAL page :
>
>    http://www.digital.com/info/seal.html
>
>SEAL docs/kits :
>
>    ftp://www.pcs.dec.com/pub/net-tools/SEAL
>
>FTPable documents :
>
>    ftp://ftp.digital.com/
>
>Internet Security: Screening External Access Link (SEAL)
>    Customer Update Article -- May 1994, 2 Pages
>    Text : /pub/Digital/info/Customer-Update/940509010.txt
>
>Screening External Access Link (SEAL) Consulting Service
>    Infosheet -- May 1994, 1 Page
>    Abstract : /pub/Digital/info/infosheet/seal-consulting-service.abs
>    PostScript: /pub/Digital/info/infosheet/seal-consulting-service.ps
>
>United States Contact:
>
>    Dick Calandrella at 508-496-8626
>
>As I said, I'm biased :-).
>
>All the best
>
>Josch
>
>--
>Am Tiergarten 22      Tel.: +49/69/4990880
>D-60316 Frankfurt     Fax : +49/6103/383-157
>Germany               private: maass@thinkfish.rhein-main.de
>                      biz.:    Joerg.Maass@frs.mts.dec.com
>
>PGP signature available upon request.

Thanks, Josch, these links will help.

Cheers!

-Ken.
==================================-------------------------------------
Ken Beames                          The effect of drinking a
International Network Services      pan galactic gargleblaster is
ken_beames@ins.com                  like having your brains smashed
415.254.4205 <---> pg:800.601.2907  out by a slice of lemon wrapped
                                    around a large gold brick.
----------------------------------=====================================

From firewalls-owner Fri Dec 2 14:52:11 1994
Date: Fri, 2 Dec 94 15:07:43 EST
From: rmck@paragon-systems.com
Message-Id: <9412022007.AA00354@sandfiddler.paragon-systems.com>
To: firewalls@greatcircle.com
Subject: Source Routing on SunOS

From firewalls-owner@GreatCircle.COM Fri Dec 2 13:53:44 1994
Date: Fri, 2 Dec 94 11:36:18 EST
From: jimc@e-Commerce.Com (Jim Carroll)
To: firewalls@greatcircle.com
Subject: disabling source routing on SunOS
Reply-To: jimc@e-Commerce.Com
Sender: firewalls-owner@GreatCircle.COM
Content-Length: 326

Saw a recent mention of how to disable source routing under Solaris 2.x, but how is it done under SunOS 4.1.x?

--
Jim Carroll -- jimc@e-Commerce.Com -- Standard disclaimer here.
e-Commerce, Inc., 1030 Kamato Road, Suite 201
Mississauga, Ontario, Canada L4W 4B6
** http://www.e-Commerce.com/~jimc/home.html **

If you run up against the stops, try asking Tony Vincent, Sun Engineering guru. Try reaching him at:

    tony.vincent@East.Sun.Com

-rmck

From firewalls-owner Fri Dec 2 14:59:13 1994
Message-Id: <9412022214.AA03229@spy.org>
Date: Fri, 2 Dec 94 15:14:24 MST
From: scott@spy.org (Scott D. Yelich)
To: lavondes@tidtest.total.fr
Cc: firewalls@greatcircle.com
Subject: Re: GE Break-in
In-Reply-To: Your message at 17:06:43 on Fri, 2 December 1994
References: <9412011751.AA16073@grymoire.crd.ge.com> <9412021706.AA00245@tidtest.total.fr>

[d'lurk]

>>>>> "Michel" == Michel Lavondes writes:
Michel> Bruce Barnett wrote :
>> I have been informed by GE management that GE will not make details
>> of the break-in public.

bah!

>> I (and several others) do not agree with this decision, so I have
>> to argue my point. I would appreciate suggestions on how I can
>> convince management that we should discuss this break-in publicly.

there's probably nothing that will change their mind.

>> What benefits are there to GE?

probably none-- perhaps even some really negative things too.

On the other hand, we sit here and discuss what is and what is not valid to discuss on the firewalls list...
but I'd rather see discussions of specific firewall setups... and listings of their vulnerabilities as well as discussions of actual intrusions THROUGH firewalls to see where the firewalls can be improved. If needed, this could be done on another list... but I think we should discuss the "other" part of firewalls.

Scott

From firewalls-owner Fri Dec 2 15:06:12 1994
Message-Id: <199412022110.AA29413@home.ans.net>
Date: Fri, 2 Dec 1994 17:13:03 +0100
To: jna@concorde.com
From: rosalia@ans.net (Rosalia Bacarella)
Subject: AOL To Acquire Assets and Operations of ANS
Cc: firewalls@greatcircle.com

>From: "J. Adams"
>Date: Wed, 30 Nov 1994 22:15:24 -0500
>To: alastair@cadence.com, robp@anubis.network.com
>Subject: Re: Higher speed data lines/firewalls
>Cc: Mark.Gibbons-1@pp.ksc.nasa.gov, firewalls@greatcircle.com
>Sender: firewalls-owner@greatcircle.com
>Precedence: bulk

On Wed, 30 Nov 1994, J. Adams wrote:

>I suppose that all that ANS has doesn't quite matter now, as MCI just
>bought them...
>
>I wonder how long it will be before the backbone routers are turned into
>backbone firewalls, and packets are charged by the byte....
>
>-jna

I would like to correct the above statement.
America Online has agreed to acquire all the assets, networking operations and related services of Advanced Network & Services, Inc. -- not MCI. The news release issued by Advanced Network & Services follows.

Thank you.

Rosalia Bacarella

-------------------

Contact: Rosalia Bacarella
         ANS (914) 789-5363
         e-mail: rosalia@ans.net

Advanced Network & Services Strengthens Its Focus on Advancing Networking Technology and Use for Education and Science

America Online To Acquire Assets and Operations of ANS and Related Services

Elmsford, NY, Nov. 28, 1994 -- Advanced Network & Services, Inc.,* today announced it has agreed to sell substantially all the assets, networking operations and related services of ANS to America Online, Inc., for $35 million so that it can further its not-for-profit goals of advancing technology to benefit education, science and human welfare. This transaction has been planned to ensure the continued provision of high quality services to existing ANS customers.

"Advanced Network & Services was created to expand the Internet, keep the network on the leading edge of technology and foster new applications to make the network more valuable, as well as provide quality services to the users of the network," said Allan Weis, president and CEO.

"Today, many of the concerns that prompted the creation of Advanced Network & Services are no longer issues: the Internet has reached a critical mass; commercial use has stimulated business to invest in the future of internetworking; and robust Internet services are widely available. It's time for ANS to further focus its efforts to advance technology in support of research and education," Weis said.

"We've been impressed with the success ANS has had in deploying and operating private networks, and we expect them to continue in this role," said Steve Case, president and CEO of America Online. "All ANS customers can expect to continue to receive the highest quality services now and in the future."
The sale of ANS' assets to America Online creates multiple synergies. The purchase of ANSnet will enable the fastest growing online services provider to capitalize on emerging market opportunities and strengthen its position in consumer services. The $35 million, $20 million in cash and $15 million in shares of America Online, will be used by Advanced Network & Services to promote the advancement and diffusion of computer networking and information technology knowledge and its application to the advancement of education, science and human welfare.

Advanced Network & Services will continue its primary mission of supporting the advancement of network technology and its use through grants, studies and other cooperative efforts with the network community.

Advanced Network & Services was established in 1990 as a 501(c)(3) not-for-profit company by IBM, MCI and Merit (a consortium of Michigan universities). It has managed and operated the NSFnet backbone service, which serves as the primary national connectivity provider for the Internet in the United States, and has advanced high-speed networking technology and use. In 1993, Northern Telecom became a member of Advanced Network & Services to help advance these goals.

Advanced Network & Services formed ANS CO+RE Systems, Inc., a for-profit subsidiary dedicated to providing internetworking services to the commercial marketplace, in 1991. All of the shares of ANS CO+RE Systems are included in the assets being purchased by America Online.

America Online, Inc., based in Vienna, VA, (NASDAQ: AMER) is the nation's fastest growing provider of online services with the most active subscriber base. America Online offers its more than 1.25 million subscribers a wide variety of services, including electronic mail, conferencing, software, computing support, interactive magazines, newspapers, online classes, as well as easy and affordable access to the Internet.
Founded in 1985, America Online has established strategic alliances with dozens of companies, including Time Warner, ABC, NBC, Knight-Ridder, Tribune, Hachette, IBM and Apple Computer. Personal computer owners can obtain America Online software at major retailers and bookstores, or by calling 800-827-6364.

*Editor's Note: Advanced Network & Services refers to the not-for-profit portion of what is commonly known as ANS. ANS is used to refer to the portion of this entity that America Online is agreeing to acquire.

-End-

From firewalls-owner Fri Dec 2 15:35:14 1994
Date: Fri, 2 Dec 94 14:58:54 -0800
From: jet@abulafia.genmagic.com (J. Eric Townsend)
Message-Id: <9412022258.AA26199@abulafia.genmagic.com>
To: Network Security Observations
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <01HK5R2NZVXE99DOVZ@delphi.com>
Subject: Info request by NSO/ISM

Network Security Observations writes:
> Could anyone on this enticing list update me on
> "the Internet Liberation Front".

Well, the last I read, they were pretty much a joke group. I got a 'press release' from them written in some sort of nonsensical techno-babble about overthrowing everything.
From firewalls-owner Fri Dec 2 16:05:25 1994
Date: Fri, 2 Dec 94 18:30:41 EST
From: rmck@paragon-systems.com
Message-Id: <9412022330.AA00425@sandfiddler.paragon-systems.com>
To: firewalls@greatcircle.com
Subject: Worst thing...

From firewalls-owner@GreatCircle.COM Fri Dec 2 17:03:34 1994
Date: Fri, 2 Dec 94 11:59:47 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Worst thing...
Sender: firewalls-owner@GreatCircle.COM
Content-Length: 1265

Jan-Hein van der Burg writes:

>From a technical point of view, I hate it if somebody is able to compromise
>my information system, but I REALLY hate it if I don't know about it!

Will not go into details but the WORST thing is not a hacker finding a hole you did not know about, nor even having *someone else* tell you that you were hacked, the worst I can think of goes like this:

1) Hacker finds what looks like a hole - can't do anything but is happy to get any response at all.
   (Still have trouble with terms: in Florida "Cracker" has a very special meaning unrelated to computers)
2) logs it
3) authorities obtain logs
4) authorities contact sysadmin, verifies connection, and tells he/she/it/other "not to tell anyone because this is part of an on-going investigation"
5) sysadmin DOESN'T tell anyone including internal security
   (months pass)
6) Prosecution types leak info to press including site names
7) Article appears in paper at corporate headquarters with YOUR SITE in list.
8) Chairman asks Pres what is going on
9) Pres asks VP
A) VP asks director (continue down the food chain with increasing volume)
B) Your boss asks you, you do not have a clue what is going on (see #5), and the buck stops here...

Warmly,
Padgett

-----------------------------------------------

Now you guys are getting to the real issue.

I own a company that sells a "firewall". Not long after installing a system at a Fortune XX company, I had a chance to talk with the CEO, who confided that his biggest fear was not only that his proforma five year R&D plans would end up on the desk of his competitor, but the implications that would create on Wall Street. Shareholders and institutional investors don't give a hoot-in-hell about the information superhighway any more than they do about the type of concrete used in building the Washington Beltway.

"But", he said, "you have no idea what it's like to arrive at your office on a Monday morning, and see the executive staff waiting at your door with panic in their eyes, the switchboard is crashing, and the Wall Street Journal and every business reporter and camera crew within five hundred miles has you in their sights".

I asked him if that was experience talking, and he replied, "not yet, but if your firewall fails, you and I both will be looking for work - selling women's shoes".
-rmck

From firewalls-owner Fri Dec 2 16:37:10 1994
From: gordonj@ubs.ubs.utah.edu
Date: Fri, 2 Dec 1994 16:56:05 -0700 (MST)
Reply-To: gordonj@ubs.ubs.utah.edu
Subject: more screened host firewall questions
To: firewalls@greatcircle.com

Hi:

Recently I posted a question about getting mail through a screened host type
gateway. All of the responses involved using DNS on the inside of the
firewall or on the firewall itself.

Problem: we have a small network inside the firewall (right now one computer,
growing soon though) with no DNS running on it. Must I run DNS? (please tell
me I don't have to! :) Also, is DNS required for telnet and ftp? If I must,
what is involved with setting it up?

thanks for the help so far!

--- Gordon Jones ---
University Bookstore Programmer / Mountain Biking Nut
phone: (801) 585-5865

From firewalls-owner Fri Dec 2 17:05:57 1994
Date: Fri, 2 Dec 1994 16:53:10 -0800 (PST)
From: Dave Watson
Subject: Security Policy (Re: GE Break-in)
To: firewalls@greatcircle.com

At 18:33:21 1 Dec 1994, mark_kadrich@ins.com wrote:

>...I would encourage people to attempt to convince the execuweenies to
>generate and follow a policy that provides for information dissemination
>while balancing corporate responsibilities.

There is a pretty good book available on this: Information Security Policies
Made Easy, by Charles Cresson Wood.

On the other hand, some folks think policies are for weenies. No doubt they
can get out of hand. This still leaves the open question of deciding "how
much firewall," assuming we establish policy in the first place that says we
want one at all.
Dave Watson
Trident Data Systems

From firewalls-owner Fri Dec 2 17:35:47 1994
Date: Fri, 2 Dec 1994 19:43:34 -0500 (EST)
From: Ron Fitzherbert
Subject: DEC's SEAL Solution
To: firewalls@greatcircle.com

Any thoughts on this, good, bad, ugly?

Ron
--------------------------------------------
Ronald James Fitzherbert - President
Flying Penguin Productions Limited
Arlington, VA (USA)
+1.703.358.9219

From firewalls-owner Sat Dec 3 05:34:54 1994
Message-Id: <199412031313.IAA04477@maine.net>
Date: Sat, 3 Dec 94 08:07:22 EST
From: "Andrew T. Robinson"
To: majw100@cam.ac.uk, firewalls@greatcircle.com
Subject: Re: Information please.

I've written (more accurately am in the process of writing) an introduction
to firewalls, which (I hope) avoids some of the platform-specific language
you will see elsewhere. Look for a paper on security policy planning (largely
a reorganization of RFC1244 with some embellishments) sometime within the
next few months.

The firewall paper may be accessed at:

ftp://maine.net/public/firewall.ps.Z

There have been some problems with the version of PostScript I use in the
past--if you have problems let me know and I will send a paper copy.

Andy

From firewalls-owner Sat Dec 3 17:34:22 1994
From: "J. Adams"
Date: Sat, 3 Dec 1994 19:58:30 -0500
Message-Id: <199412040058.TAA06994@universe.concorde.com>
To: jna@concorde.com, rosalia@ans.net
Subject: Re: AOL To Acquire Assets and Operations of ANS
Cc: firewalls@greatcircle.com

Consider this a formal apology for my mistake of saying that MCI bought ANS.
MCI has purchased a significant section of the internet, someplace, and I'll
post the newsclip when I find it.
Apologies again,
john

From firewalls-owner Sat Dec 3 18:34:33 1994
From: lucasEX@kruncher.ptloma.edu
Message-Id: <9412040205.AA29758@kruncher.ptloma.edu>
Subject: SIGNOFF
To: firewalls@greatcircle.com
Date: Sat, 3 Dec 1994 18:05:54 -0800 (PST)

SIGNOFF

From firewalls-owner Sun Dec 4 03:04:07 1994
Date: Sun, 4 Dec 1994 11:47:43 +0100
To: Marcus J Ranum
From: maass@odb.rhein-main.de (Joerg Maass)
Subject: Re: GE break-in
Cc: Doug.Hughes@Eng.Auburn.EDU, firewalls@GreatCircle.COM

Hi Marcus,

At 10:57 on 02.12.1994 -0500, Marcus J Ranum wrote:

> A bastion host is simply a term for a system that has been
>identified as a strong-point. Usually, a firewall system is a bastion
>host, or may consist of a screening router and a bastion host.

OK, then we have a different understanding of the term. And since you coined
it, I'll follow :-).

> A bastion host does *NOT* necessarily have user accounts
>on it. Ours, for example, do not.

Agreed again. I think we have a common understanding that there shouldn't be
user accounts on a bastion.

> In the terminology I'm most comfortable with, a system that
>is a bastion host full of user accounts that people log into is
>a "user gateway" or a "gateway host." Most firewall experts agree
>that a user gateway is a pretty weak firewall if it's running on
>a normal commercial operating system. [A user gateway running on
>a multilevel secure system that used strong authentication might
>actually not be too bad]
>

Agreed.

> With respect to the "single point of failure" issue, let
>me observe that *ALL* firewall configurations are going to have a
>single point of failure someplace -- which if you're willing to
>assume an attacker gains control over, all bets are off. The
>tradeoffs are between complexity and correctness -- a firewall
>consisting of multiple systems *might* be harder to break into
>because of its layout, but it also is likely to be much harder
>to configure correctly.

Agreed again, in a certain way. It depends on how you define "single point of
failure". If you essentially have to achieve several different breakins in
order to get through, you'd have a "single point of failure" in every soft-
or hardware you'd have to crack. However, this differs from an approach where
you only have to crack one barrier until you're in. Maybe I should clarify my
usage of terms, but in my understanding, a "single step firewall" is a
"single point of failure".

> I used to believe in a major way that approaches like
>the 3-host firewall [see: "a network firewall" proceedings of
>SANS-I, mjr, 1992 ftp.tis.com:pub/firewalls/sans-1-paper.ps,
>which describes what later became DEC SEAL] was the best
>route. In fact, if you look at that configuration, there is
>still a single point of failure; the system known as "gate."

Not necessarily. But I admit that it's true in the overwhelming majority of
cases, where you only have one gate.

Let me ask you a question, please: From what you write, I assume that you
don't believe any more that a screened subnet firewall is the most secure
configuration. How did you come to this opinion and what fuels it?

>Indeed if the system "gatekeeper" is compromised you're also
>in pretty bad shape.

Yes and no. If someone would crack "Gatekeeper", you'd have some trouble.
That's true. But one of the advantages of the screened subnet setup is that
"Gatekeeper" is only the first barrier, and you'd gain time to counter the
attack.

>In fact, what tends to happen is that
>whenever *any* of your firewall machines gets broken into,
>you are in pain.
>

No doubt. The only thing I wanted to say was that a "single barrier" approach
is less secure than a "multiple barrier" one, at least in my opinion.

From what I hear, the successful attack at GE was performed using reusable
passwords. Correct me if I'm wrong, but would this be possible on a screened
subnet configuration? Perhaps, if

a) you'd have user accounts on Gatekeeper and let remote users into your
   network (bad idea without strong authentication, e.g. HHAs)
b) you'd have a wrong configuration
c) you'd have a hole in Gatekeeper AND Gate.

Points a) and b) can be avoided by the use of proper authentication and a
correct configuration. As with point c), well, bad things happen, but you can
significantly lower your risk in code deficiencies by requiring the cracker
to break a hole into two or more pieces of software. And this is precisely
what a screened subnet configuration does, IMHO.

All the best,

Joerg Maass
--
Am Tiergarten 22          Tel.: +49/69/4990880
D-60316 Frankfurt         Fax : +49/6103/383-157
Germany
private: maass@thinkfish.rhein-main.de
biz.: Joerg.Maass@frs.mts.dec.com
PGP signature available upon request.

From firewalls-owner Sun Dec 4 10:05:25 1994
Date: Sun, 4 Dec 94 12:14:20 -0500
Message-Id: <9412041714.AA12192@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Points of Failure

First, let me reiterate that I am a fan of redundancy and using the least
capable possible (why I like using PCs for this) system to enforce security.
In all of my experience (nearly thirty years now in different disciplines)
complexity just assists Murphy.

> With respect to the "single point of failure" issue, let
>me observe that *ALL* firewall configurations are going to have a
>single point of failure someplace -

True *but* you can control the effect of the failure to a large extent. In
most cases, failure means the connection ceases to operate at all, not that
an intruder gains entrance.

Consider the dumbest possible packet filter: Karlbridge. You cannot log into
it remotely, access is *only* from the system keyboard and you must reboot
the system to make any change (somewhat difficult for a packet to do).
Just about all of the breakins I have seen have relied on either the ability
of one task to have effect on another, or system managers who insist on
remote control of the gateways.

Regarding GE (a hot topic nowadays) I will go out on a limb a bit and
postulate that there was a server (I hear WWW) that was either in parallel
with the firewall or packets for it were passed through the firewall since it
was deemed safe without restriction. Am reasonably confident that once the
hacker (around here "cracker" is an insult) tires of the method
he/she/it/other will either start telling friends or will post it on the net
just for fun. Usually this is about a month after the incident. Just be
patient.

>- which if you're willing to
>assume an attacker gains control over, all bets are off.

True, only way to be sure is if *you* have to walk up to the local console
for access, better if a reboot is required for anything other than
monitoring.

>The tradeoffs are between complexity and correctness -- a firewall
>consisting of multiple systems *might* be harder to break into
>because of its layout, but it also is likely to be much harder
>to configure correctly.

Not necessarily so long as you utilize intelligent task separation. I have
found it *easier* to configure multiple simple systems than one complex one.
- The really nice thing is that today MTBF is measured in *years*.

Warmly,
Padgett

ps Have a new hobby - any spare Zenith H-600s or Royal 7000s (USA mfg)
around ?
From firewalls-owner Sun Dec 4 12:34:53 1994
From: Christopher Klaus
Message-Id: <199412042310.PAA05210@iss.net>
Subject: Article on Inet Security
To: firewalls@greatcircle.com
Date: Sun, 4 Dec 1994 15:10:42 +1494730 (PST)

Here's an article that was on the front page of the Chicago Tribune. This
represents what the public reads and has an impression of. Any comments?

Privacy under siege in the heart of the Internet
By Nathaniel Sheppard Jr.
Tribune Staff Writer
Source: The Chicago Tribune, Nov. 30, '94 (p. 1, 12)

WASHINGTON--They're terrorists with names such as the Legion of Doom and
Masters of Deception. But unlike the Red Guard or Symbionese Liberation Army
of a previous era, their weapon of choice is a keyboard, not an assault
rifle.

They're among the subversives launching sporadic attacks on the information
superhighway and raising troubling questions about security and privacy for
individuals, corporations and federal law enforcement agencies.

((The article notes that electronic invaders compromised passwords, stole
data, and are increasingly able to monitor telephone calls))

Perhaps most alarming are the attacks against Internet, a global grid of
computer networks, and the widespread distribution over the internet of
intrusion tool kits, the hacker's equivalent of the burglar's black bag. The
tool kits contain "sniffer" programs that attach themselves to the hub of
computer networks and copy user passwords and other log-in data.

((The story quotes a computer security expert, Earl Boebert in Roseville,
Minn, as saying that there's a convergence of traditional areas of
concern--protecting individuals' personal data from organizations and
protecting intellectual property from theft, and some individuals are going
after organizations that keep personal data records. The story notes that
sniffer programs are used by intruders, and recent targets this year included
Milnet)).

A Defense Department spokeswoman said intruders captured the identification
codes of about 100,000 users and were able to "steal, alter or erase
information on the affected computers and to shut computers down or alter
them in such a way as to allow further undetected access to the compromised
systems."

"Attacks on the infrastructure are becoming increasingly more significant,"
said Barbara Fraser, manager of product development for the Computer
Emergency Response Team, a federally funded project based at Carnegie Mellon
University in Pittsburgh that helps computer users cope with intrusion
problems. The agency was set up in 1988 after a young hacker named Robert
Morris Jr. introduced a "worm" into Internet, compromising an estimated 6,000
"host" or primary systems.

((Cert handled more than 1,300 incidents last year, the story says. It
alludes to the MCI calling card scheme, and repeats the questionable facts
reported by earlier media sources))

The incidents are part of a rash of attacks by underground groups of hackers
with names such as the Legion of Doom, groups made up largely of college
students. Crackers, as the more malevolent hackers are called, have become
very sophisticated. They focus their attacks on known weaknesses in systems
or probe for back doors, said Scott Charney, director of the Justice
Department's computer crimes unit.

"Cases involving the Legion of Doom and the Masters of Deception really went
to the heart of the system," he said. The legion is a group of about 20
hackers spread around the country.

Beginning in 1987 three members of the group in Atlanta used pilfered
passwords and old identification cards to gain access to computers at
BellSouth, the regional phone company serving southeastern states. The three
men, who subsequently pleaded guilty to computer fraud charges, eavesdropped
on telephone conversations, re-routed calls, and are believed by authorities
to have planted electronic messages in telephone facilities in Atlanta,
Denver and New Jersey that could have knocked out 911 emergency and long
distance service.

In July 1992, members of a rival group of crackers, the Masters of Deception,
allegedly broke into computers at BellSouth, TRW Information Services,
Timenet, Nynex and other data carriers and stole credit reports and other
confidential information that was sold to private investigators.

The increase in attacks may be in part due to the proliferation of intrusion
kits, Fraser said. "Tool kits for intruding on systems are being posted to
bulletin boards all over the world," he said. "This allows even novices to
enter network systems."

((The article notes that electronic theft of software is also increasing. It
gives the example of TIE Fighter, based on Star Wars movies, that an employee
made available to "software pirates" two weeks before the scheduled release.
The article notes that some companies are hiring ex-hackers for security
advice. The article also finds great significance in the "finger" command on
Unix as a means of aiding to stalking or harassment of women)).

--
Christopher William Klaus      Voice: (404)518-0099. Fax: (404)518-0030
Internet Security Systems, Inc.          Computer Security Consulting
2209 Summit Place Drive, Atlanta, GA. 30350-2450.
From firewalls-owner Sun Dec 4 14:34:08 1994
From: Marcus J Ranum
Message-Id: <9412041712.AA29042@tis.com>
Subject: Re: GE break-in
To: maass@odb.rhein-main.de (Joerg Maass)
Date: Sun, 4 Dec 1994 12:17:47 -0500 (EST)
Cc: mjr@tis.com, Doug.Hughes@Eng.Auburn.EDU, firewalls@GreatCircle.COM
In-Reply-To: from "Joerg Maass" at Dec 4, 94 11:47:43 am
Organization: Trusted Information Systems, Inc. Glenwood, MD

Joerg Maass writes:
> [...] It depends on how you define "single point
> of failure". If you essentially have to achieve several different breakins

I was thinking something to the effect that a single point of failure is a
case where you'd be able to launch an effective attack on the inside if you
were able to get through or onto that single point.

> From what you write, I assume that you don't believe any more that a
> screened subnet firewall is the most secure configuration. How did you come
> to this opinion and what fuels it?

I'm not sure it's accurate to say I no longer feel it's the most secure
configuration -- it's really really hard to quantify! [Believe me, working
at a place like TIS that does *REAL* security opened my eyes to a lot of
issues I hadn't considered before]

The most important security aspect of a firewall, I submit to you, is getting
it right and being able to keep it right. That implies a simple, empirically
testable initial design, and a fairly easy growth/maintenance path. I know
that I, personally, am less likely to get 3 machines configured right than I
am 1. [Encroaching old age reducing attention span, etc.]

Another aspect that's hard to quantify is getting the equipment right. For
example, I am almost completely Cisco-illiterate. So, if I were to build a
firewall that consisted of a bastion host and a screening router, the bastion
host might hold up great but I might miss something really obvious in the
router.

Let's propose a few principles related to the ratio of eggs to baskets:

The more baskets you have, the harder it is to watch them all.
The more baskets you have, the less likely you are to lose all your eggs at
once.
[Observation: if the basket is worth watching, it has an egg in it]

In a firewall, you have to look at the number of unique hardware/software
systems in use, and potentially be able to empirically test each one to a
degree that makes you comfortable with it. If the firewall consists of
multiple security-critical components, it stands to reason that having any
one of the components compromised is a bad thing -- after all, were it not,
they wouldn't be security critical components, would they? That's the view
from 10,000 feet.

Looking at a 3 host screened gateway like the one in my SANS paper, you'll
note that there are 2 points of attack. Firstly, one might break into "gate"
somehow, and do Bad Things to the screening rules and then all the dogs of
war are loose on your network. The second possibility is that someone gets
into "gatekeeper." We'll look at that next. [see my next paragraph below]

> >Indeed if the system "gatekeeper" is compromised you're also
> >in pretty bad shape.
>
> Yes and no. If someone would crack "Gatekeeper", you'd have some trouble.
> That's true. But one of the advantages of the screened subnet setup is that
> "Gatekeeper" is only the first barrier, and you'd gain time to counter the
> attack.

Depends a lot on how the internal network's access to "gatekeeper" is set up.
If the screening rules in "gate" ONLY permit access between "gatekeeper" and
"mailgate" then an attacker with a foothold on "gatekeeper" can launch a
full-blown attack against "mailgate." If "mailgate" is a normal UNIX box, it
may well crumble. In fact, if the attacker takes advantage of the fact that
they have a foothold on "gatekeeper" they could arguably do horrendous things
like jigger the proxies on "gatekeeper" to log passwords and simply log right
into "mailgate" without even launching an attack at all. A foothold on
"gatekeeper" would be a Very Bad Thing.

If the screening rules between "gatekeeper" and the inside network are such
that "gatekeeper" can talk to arbitrary hosts on the inside network, then the
fact that "gate" is there is completely irrelevant -- it is effectively
transparent and may log some of the attack as it proceeds, but the whole
situation is already out of control.

I'm not sure what you mean about if "gatekeeper" is only the first barrier,
about how you'd gain time to counter the attack. If an administrator had all
kinds of alarms and whatnot set up on "gatekeeper" then it might help -- but
-- by the time you've done that, most of your effort has been expended on
getting "gatekeeper" right -- why do the other stuff at all? You're already
assuming that essentially "gatekeeper" is a single point of failure.

Part of the reason I've changed my views is because I've gotten a more
sophisticated view of what Trust is all about. It's actually very hard to set
up one dumb machine to not trust another, and to still do anything really
useful. Suppose I had a firewall where I had 2 machines, using something like
SOCKS, such that the first one gatewayed "inside" calls to the "outside" but
would only accept calls from the outside in response to requests it generated
for call-backs [such as for FTP] -- if the "outside" machine were
compromised, it could intercept and/or substitute its own call-back and/or
could log all manner of interesting stuff over the data stream. Let's take it
a step further and imagine that FTP only uses PASV; so that now the "inside"
machine never accepts *ANY* call-backs from the "outside" machine. Well --
the "outside" machine just became a no-op.

Trying to build firewalls where the machines don't trust each other often
seems to result in firewalls where one component that looks useful on paper
is really a no-op (like "gate" in my SANS paper example, which could have
been transparently replaced with a segment of ethernet). When you automate
intra-machine trust, then all you're doing is making it so that one machine
can be broken into if another one is; in the end it's about as good as
.rhosts files.

> >In fact, what tends to happen is that
> >whenever *any* of your firewall machines gets broken into,
> >you are in pain.
> >
>
> No doubt. The only thing I wanted to say was that a "single barrier"
> approach is less secure than a "multiple barrier" one, at least in my
> opinion.

Right. What I'm saying is that the more I look at the problem, the more I'm
convinced that there tends to be a "single barrier" and possibly a "flimsy
barrier" or two, but mostly the secondary barriers are no-ops. Imagine a
firewall consisting of 6 Ciscos in a row. :) For it to work at all, 5 of
them have to be no-ops. :) And if there's a firmware bug in one, it'll be in
all of them.

Perhaps you could make a firewall that consisted of a:

Morninstar->Cisco->Wellfleet->NSC

[Sorry if I left anyone out, this is an example, not a real suggestion] :)

If you actually managed to get any traffic *through* that mess, then it's
likely that if someone figured out a way to attack you with it, they'd be
able to attack through all 4 routers too. The only thing having 4 routers
would do (other than please router vendors) is reduce the chance of a
firmware bug nailing you; your packet screening rules could still make a
wrong assumption. :)

> [...] but you
> can significantly lower your risk in code deficiencies by requiring the
> cracker to break a hole into two or more pieces of software. And this is
> precisely what a screened subnet configuration does, IMHO.

Right -- but the trick is being able to be sure that you actually have to
break a hole in 2 or more pieces of software, rather than simply finding a
hole in the one and then tricking the other. After all, if the first is just
a dumb computer that trusts what the other dumb computer tells it to any
degree, then it's a no-op.

mjr.
From firewalls-owner Sun Dec 4 16:19:09 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA25917 for firewalls-outgoing; Sun, 4 Dec 1994 15:51:55 -0800 Received: from bsdi.sccsi.com (root@bsdi.sccsi.com [198.65.128.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA07329 for ; Thu, 1 Dec 1994 10:33:07 -0800 Received: (darren@localhost) by bsdi.sccsi.com (8.6.8.1/8.6.5) id MAA01881 for firewalls@greatcircle.com; Thu, 1 Dec 1994 12:31:46 -0600 From: Darren Bolding Message-Id: <199412011831.MAA01881@bsdi.sccsi.com> Subject: Thanks To: firewalls@greatcircle.com Date: Thu, 1 Dec 1994 12:31:45 -0600 (CST) X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 637 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Several people have given me usefull information and help in answering my question about switching connections based on source *and* destination ip/port combinations. One even sent me diffs for tcp wrapper to make the appropriate mods.! To one and all, Thanks very much! If others need information on this topic, feel free to write me at: darren@bsdi.sccsi.com or darren@rice.edu And I will try to help. Thanks again! -- Darren Bolding Networking, Unix, and "Technical" Support (713)917-5000 darren@sccsi.com South Coast Computing Services, Houston, TX How many batches would a batcher batch if a batcher could batch batches? 
From firewalls-owner Sun Dec 4 16:42:02 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA25973 for firewalls-outgoing; Sun, 4 Dec 1994 15:55:18 -0800
Received: from border.com (border.com [142.77.1.128]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA25966 for ; Sun, 4 Dec 1994 15:55:12 -0800
Received: by janus.border.com id <29482>; Sun, 4 Dec 1994 19:04:43 -0500
To: firewalls@GreatCircle.COM
Subject: JANUS at Internet World
Date: Sun, 4 Dec 1994 18:56:38 -0500
From: Glenn Mackintosh
Message-Id: <94Dec4.190443est.29482@janus.border.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Until now I have avoided mentioning when we were going to be at trade shows. If it upsets people, then I will refrain again in the future. However, there has been interest expressed by various members of this list in the past in seeing the JANUS Firewall Server and seeing whether it actually does all the things we claim it does.

This is just a brief note to say that you can drop by the BNTi booth (921) at Internet World in Washington this week and see it doing its thing.

Glenn Mackintosh
------------------------------------------------------------------------
Border Network Technologies Inc.                 Email: glenn@border.com
1 Yonge Street, Suite 1400,                      Tel: +1 416 368 7157
Toronto, Ontario, Canada, M5E 1J9                Fax: +1 416 368 7789

From firewalls-owner Sun Dec 4 16:50:56 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA25880 for firewalls-outgoing; Sun, 4 Dec 1994 15:50:59 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA05609 for ; Thu, 1 Dec 1994 08:44:27 -0800
From: kovar@nda.com
Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA14711; Thu, 1 Dec 94 11:42:42 -0500
Date: Thu, 1 Dec 94 11:42:41 -0500
Message-Id: <9412011642.AA14711@uvs1.orl.mmc.com>
To: rens@imsi.com
Cc: padgett@tccslr.dnet.mmc.com@imsi.com"firewalls@greatcircle.com"@uvs1.dnet.mmc.com (A.@imsi.com Padgett@imsi.com Peterson@imsi.com P.E. Information Security)
Subject: Re: Some times it takes a while...
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> What I have a problem with is the Armed Forces being used for domestic
> policing. I've lived in a variety of countries where that was the
> norm, and the results were not particularly pretty.

The AF was not doing domestic policing, they were trying to backtrack their own security problem. We've all done this to some extent, they just went overboard.

If someone had just broken into my site and I could figure out how to backtrack them, similar to what the AF did, I probably would while reporting to the sites in question what was going on. If the intermediate site wants to say no, or "let me watch", or "thanks!", we're covered.

Are you going to worry about me doing domestic policing, too?
-David

From firewalls-owner Sun Dec 4 17:05:26 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA26905 for firewalls-outgoing; Sun, 4 Dec 1994 16:52:07 -0800
Received: from relay.tis.com (firewall_user@relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id TAA14767 for ; Sat, 3 Dec 1994 19:37:47 -0800
Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma009215; Sat Dec 3 22:36:39 1994
Received: from otter.tis.com. by tis.com (4.1/SUN-5.64) id AA21560; Sat, 3 Dec 94 22:34:45 EST
Date: Sat, 3 Dec 94 22:34:45 EST
From: Marcus J Ranum
Message-Id: <9412040334.AA21560@tis.com>
To: firewalls@greatcircle.com
Subject: firewalls FAQ
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Internet Firewalls Frequently Asked Questions
=============================================

About the FAQ
=============

This FAQ is not an advertisement or endorsement for any product, company, or consultant. The maintainer welcomes input and comments on the contents of this FAQ. Comments related to the FAQ should be addressed to Fwalls-FAQ@tis.com.

The FAQ is also available via WWW from http://www.tis.com

Contents:
=========

1: What is a network firewall?
2: Why would I want a firewall?
3: What can a firewall protect against?
4: What can't a firewall protect against?
5: What are good sources of print information on firewalls?
6: Where can I get more information on firewalls on the network?
7: What are some commercial products or consultants who sell/service firewalls?
8: What are some of the basic design decisions in a firewall?
9: What are proxy servers and how do they work?
10: What are some cheap packet screening tools?
11: What are some reasonable filtering rules for my Cisco?
12: How do I make DNS work with a firewall?
13: How do I make FTP work through my firewall?
14: How do I make Telnet work through my firewall?
15: How do I make Finger and whois work through my firewall?
16: How do I make gopher, archie, and other services work through my firewall?
17: What are the issues about X-Window through a firewall?
18: What is source routed traffic and why is it a threat?
19: What are ICMP redirects and redirect bombs?
20: Glossary of firewall related terms

------------------------------

Date: Mon Jun 27 15:50:11 1994
From: Fwalls-FAQ@tis.com
Subject: 1: What is a network firewall?

A firewall is any one of several ways of protecting one network from another untrusted network. The actual mechanism whereby this is accomplished varies widely, but in principle, the firewall can be thought of as a pair of mechanisms: one which exists to block traffic, and the other which exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic.

------------------------------

Date: Mon Jun 27 15:50:28 1994
From: Fwalls-FAQ@tis.com
Subject: 2: Why would I want a firewall?

The Internet, like any other society, is plagued with the kind of jerks who enjoy the electronic equivalent of writing on other people's walls with spraypaint, tearing their mailboxes off, or just sitting in the street blowing their car horns. Some people try to get real work done over the Internet, and others have sensitive or proprietary data they must protect. A firewall's purpose is to keep the jerks out of your network while still letting you get your job done.

Many traditional-style corporations and data centers have computing security policies and practices that must be adhered to. In a case where a company's policies dictate how data must be protected, a firewall is very important, since it is the embodiment of the corporate policy. Frequently, the hardest part of hooking to the Internet, if you're a large company, is not justifying the expense or effort, but convincing management that it's safe to do so.
A firewall provides not only real security - it often plays an important role as a security blanket for management.

Lastly, a firewall can act as your corporate "ambassador" to the Internet. Many corporations use their firewall systems as a place to store public information about corporate products and services, files to download, bug-fixes, and so forth. Several of these systems have become important parts of the Internet service structure (e.g.: UUnet.uu.net, gatekeeper.dec.com) and have reflected well on their corporate sponsors.

------------------------------

Date: Mon Jun 27 15:50:35 1994
From: Fwalls-FAQ@tis.com
Subject: 3: What can a firewall protect against?

Some firewalls permit only Email traffic through them, thereby protecting the network against any attacks other than attacks against the Email service. Other firewalls provide less strict protections, and block services that are known to be problems.

Generally, firewalls are configured to protect against unauthenticated interactive logins from the "outside" world. This, more than anything, helps prevent vandals from logging into machines on your network. More elaborate firewalls block traffic from the outside to the inside, but permit users on the inside to communicate freely with the outside. The firewall can protect you against any type of network borne attack if you unplug it.

Firewalls are also important since they can provide a single "choke point" where security and audit can be imposed. Unlike in a situation where a computer system is being attacked by someone dialing in with a modem, the firewall can act as an effective "phone tap" and tracing tool.

------------------------------

Date: Mon Jun 27 15:50:48 1994
From: Fwalls-FAQ@tis.com
Subject: 4: What can't a firewall protect against?

Firewalls can't protect against attacks that don't go through the firewall. Many corporations that connect to the Internet are very concerned about proprietary data leaking out of the company through that route.
Unfortunately for those concerned, a magnetic tape can just as effectively be used to export data. Firewall policies must be realistic, and reflect the level of security in the entire network. For example, a site with top secret or classified data doesn't need a firewall at all: they shouldn't be hooking up to the internet in the first place, or the systems with the really secret data should be isolated from the rest of the corporate network.

Firewalls can't protect very well against things like viruses. There are too many ways of encoding binary files for transfer over networks, and too many different architectures and viruses to try to search for them all. In other words, a firewall cannot replace security-consciousness on the part of your users. In general, a firewall cannot protect against a data-driven attack -- attacks in which something is mailed or copied to an internal host where it is then executed. This form of attack has occurred in the past against various versions of Sendmail.

------------------------------

Date: Wed Jul 6 14:45:13 1994
From: Fwalls-FAQ@tis.com
Subject: 5: What are good sources of print information on firewalls?

There are several books that touch on firewalls. The best known are:

Title:     Firewalls and Internet Security: Repelling the Wily Hacker
Authors:   Bill Cheswick and Steve Bellovin
Publisher: Addison Wesley
Edition:   1994
ISBN:      0-201-63357-4

Title:     Practical Unix Security
Authors:   Simson Garfinkel and Gene Spafford
Publisher: O'Reilly
Edition:   1991
ISBN:      0-937175-72-2
(discusses primarily host security)

Related references are:

Titles:    Internetworking with TCP/IP Vols I, II and III
Authors:   Douglas Comer and David Stevens
Publisher: Prentice-Hall
Edition:   1991
ISBN:      0-13-468505-9 (I), 0-13-472242-6 (II), 0-13-474222-2 (III)
Comment:   A detailed discussion on the architecture and implementation of the Internet and its protocols.
           Vol I (on principles, protocols and architecture) is readable by everyone, Vol 2 (on design, implementation and internals) is more technical, and Vol 3 (on client-server computing) is recently out.

Title:     Unix System Security - A Guide for Users and System Administrators
Author:    David Curry
Publisher: Addison Wesley
Edition:   1992
ISBN:      0-201-56327-4

------------------------------

Date: Mon Jun 27 15:54:03 1994
From: Fwalls-FAQ@tis.com
Subject: 6: Where can I get more information on firewalls on the network?

Ftp.greatcircle.com - Firewalls mailing list archives.
    Directory: pub/firewalls
Ftp.tis.com - Internet firewall toolkit and papers.
    Directory: pub/firewalls
Research.att.com - Papers on firewalls and breakins.
    Directory: dist/internet_security
Net.Tamu.edu - Texas AMU security tools.
    Directory: pub/security/TAMU

The internet firewalls mailing list is a forum for firewall administrators and implementors. To subscribe to Firewalls, send "subscribe firewalls" in the body of a message (not on the "Subject:" line) to "Majordomo@GreatCircle.COM". Archives of past Firewalls postings are available for anonymous FTP from ftp.greatcircle.com in pub/firewalls/archive

------------------------------

Date: Mon Jun 27 15:54:06 1994
From: Fwalls-FAQ@tis.com
Subject: 7: What are some commercial products or consultants who sell/service firewalls?

We feel this topic is too sensitive to address in a FAQ, as well as being difficult to maintain an up-to-date list.

------------------------------

Date: Mon Jun 27 15:54:23 1994
From: Fwalls-FAQ@tis.com
Subject: 8: What are some of the basic design decisions in a firewall?

There are a number of basic design issues that should be addressed by the lucky person who has been tasked with the responsibility of designing, specifying, and implementing or overseeing the installation of a firewall.
The first and most important reflects the policy of how your company or organization wants to operate the system: is the firewall in place to explicitly deny all services except those critical to the mission of connecting to the net, or is the firewall in place to provide a metered and audited method of "queuing" access in a non-threatening manner? There are degrees of paranoia between these positions; the final stance of your firewall may be more the result of a political than an engineering decision.

The second is: what level of monitoring, redundancy, and control do you want? Having established the acceptable risk level (e.g.: how paranoid you are) by resolving the first issue, you can form a checklist of what should be monitored, permitted, and denied. In other words, you start by figuring out your overall objectives, and then combine a needs analysis with a risk assessment, and sort the almost always conflicting requirements out into a laundry list that specifies what you plan to implement.

The third issue is financial. We can't address this one here in anything but vague terms, but it's important to try to quantify any proposed solutions in terms of how much it will cost either to buy or to implement. For example, a complete firewall product may cost between $100,000 at the high end, and free at the low end. The free option, of doing some fancy configuring on a Cisco or similar router will cost nothing but staff time and cups of coffee. Implementing a high end firewall from scratch might cost several man-months, which may equate to $30,000 worth of staff salary and benefits. The systems management overhead is also a consideration. Building a home-brew is fine, but it's important to build it so that it doesn't require constant and expensive fiddling-with. It's important, in other words, to evaluate firewalls not only in terms of what they cost now, but continuing costs such as support.
On the technical side, there are a couple of decisions to make, based on the fact that for all practical purposes what we are talking about is a static traffic routing service placed between the network service provider's router and your internal network. The traffic routing service may be implemented at an IP level via something like screening rules in a router, or at an application level via proxy gateways and services.

The decision to make here is whether to place an exposed stripped-down machine on the outside network to run proxy services for telnet, ftp, news, etc., or whether to set up a screening router as a filter, permitting communication with one or more internal machines. There are plusses and minuses to both approaches, with the proxy machine providing a greater level of audit and potentially security in return for increased cost in configuration and a decrease in the level of service that may be provided (since a proxy needs to be developed for each desired service). The old trade-off between ease-of-use and security comes back to haunt us with a vengeance.

------------------------------

Date: Mon Jun 27 15:54:30 1994
From: Fwalls-FAQ@tis.com
Subject: 9: What are proxy servers and how do they work?

A proxy server (sometimes referred to as an application gateway or forwarder) is an application that mediates traffic between a protected network and the Internet. Proxies are often used instead of router-based traffic controls, to prevent traffic from passing directly between networks. Many proxies contain extra logging or support for user authentication. Since proxies must "understand" the application protocol being used, they can also implement protocol specific security (e.g., an FTP proxy might be configurable to permit incoming FTP and block outgoing FTP).

Proxy servers are application specific. In order to support a new protocol via a proxy, a proxy must be developed for it.
SOCKS is a generic proxy system that can be compiled into a client-side application to make it work through a firewall. Its advantage is that it's easy to use, but it doesn't support the addition of authentication hooks or protocol specific logging. For more information on SOCKS, see ftp.nec.com: /pub/security/socks.cstc Users are encouraged to check the file "FILES" for a description of the directory's contents.

------------------------------

Date: Mon Jun 27 15:54:33 1994
From: Fwalls-FAQ@tis.com
Subject: 10: What are some cheap packet screening tools?

The Texas AMU security tools include software for implementing screening routers (FTP net.tamu.edu, pub/security/TAMU). Karlbridge is a PC-based screening router kit (FTP nisca.acs.ohio-state.edu, pub/kbridge). A version of the Digital Equipment Corporation "screend" kernel screening software is available for BSD/386, NetBSD, and BSDI. Many commercial routers support screening of various forms.

------------------------------

Date: Thu Jul 7 13:39:33 1994
From: Fwalls-FAQ@tis.com
Subject: 11: What are some reasonable filtering rules for my Cisco?

The following example shows one possible configuration for using the Cisco as a filtering router. It is a sample that shows the implementation of a specific policy. Your policy will undoubtedly vary.

In this example, a company has Class B network address of 128.88.0.0 and is using 8 bits for subnets. The Internet connection is on the "red" subnet 128.88.254.0. All other subnets are considered trusted or "blue" subnets.
         +---------------+             +---------------+
         |  IP provider  |             |    Gateway    |
         |  128.88.254.1 |             |  128.88.254.2 |
         +------+--------+             +------+--------+
                |          "Red" net          |
      ----------+-----------------+-----------+----------------------
                                  |
                           +------+--------+
                           |     Cisco     |
                           |  128.88.254.3 |
                           |...............|
                           |   128.88.1.1  |
                           +---------------+
                                  |
      ----------------------------+----------------------------------
                                  |   "Blue" net
                           +------+--------+
                           |  mail router  |
                           |   128.88.1.2  |
                           +---------------+

Keeping the following points in mind will help in understanding the configuration fragments:

1. Ciscos apply filtering to output packets only.
2. Rules are tested in order and stop when the first match is found.
3. There is an implicit deny rule at the end of an access list that denies everything.

The example below concentrates on the filtering parts of a configuration. Line numbers and formatting have been added for readability.

The policy to be implemented is:

   Anything not explicitly allowed is denied
   Traffic between the external gateway machine and blue net hosts is allowed.
   Permit services originating from the blue net
   Allow a range of ports for FTP data connections back to the blue net.

     1  no ip source-route
     2  !
     3  interface Ethernet 0
     4  ip address 128.88.1.1 255.255.255.0
     5  ip access-group 10
     6  !
     7  interface Ethernet 1
     8  ip address 128.88.254.3 255.255.255.0
     9  ip access-group 11
    10  !
    11  access-list 10 permit ip 128.88.254.2 0.0.0.0 128.88.0.0 0.0.255.255
    12  access-list 10 deny tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 lt 1025
    13  access-list 10 deny tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 gt 4999
    14  access-list 10 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255
    15  !
    16  access-list 11 permit ip 128.88.0.0 0.0.255.255 128.88.254.2 0.0.0.0
    17  access-list 11 deny tcp 128.88.0.0 0.0.255.255 0.0.0.0 255.255.255.255 eq 25
    18  access-list 11 permit tcp 128.88.0.0 0.0.255.255 0.0.0.0 255.255.255.255

Lines   Explanation
1       Although this is not a filtering rule, it is good to include here.
5       Ethernet 0 is on the red net. Extended access list 10 will be applied to output on this interface. You can also think of output from the red net as input on the blue net.
9       Ethernet 1 is on the blue net. Extended access list 11 will be applied to output on this interface.
11      Allow all traffic from the gateway machine to the blue net.
12-14   Allow connections originating from the red net that come in between ports 1024 and 5000. This is to allow ftp data connections back into the blue net. 5000 was chosen as the upper limit as it is where OpenView starts. Note: again, we are assuming this is acceptable for the given policy. There is no way to tell a Cisco to filter on source port. Newer versions of the Cisco firmware will apparently support source port filtering. Since the rules are tested until the first match we must use this rather obtuse syntax.
16      Allow all blue net packets to the gateway machine.
17      Deny SMTP (tcp port 25) mail to the red net.
18      Allow all other TCP traffic to the red net.

Cisco.Com has an archive of examples for building firewalls using Cisco routers, available for FTP from: ftp.cisco.com in /pub/acl-examples.tar.Z

------------------------------

Date: Mon Jun 27 16:00:08 1994
From: Fwalls-FAQ@tis.com
Subject: 12: How do I make DNS work with a firewall?

Some organizations want to hide DNS names from the outside. Many experts disagree as to whether or not hiding DNS names is worthwhile, but if site/corporate policy mandates hiding domain names, this is one approach that is known to work. This approach is one of many, and is useful for organizations that wish to hide their host names from the Internet.

The success of this approach lies on the fact that DNS clients on a machine don't have to talk to a DNS server on that same machine. In other words, just because there's a DNS server on a machine, there's nothing wrong with (and there are often advantages to) redirecting that machine's DNS client activity to a DNS server on another machine.
First, you set up a DNS server on the bastion host that the outside world can talk to. You set this server up so that it claims to be authoritative for your domains. In fact, all this server knows is what you want the outside world to know; the names and addresses of your gateways, your wildcard MX records, and so forth. This is the "public" server.

Then, you set up a DNS server on an internal machine. This server also claims to be authoritative for your domains; unlike the public server, this one is telling the truth. This is your "normal" nameserver, into which you put all your "normal" DNS stuff. You also set this server up to forward queries that it can't resolve to the public server (using a "forwarders" line in /etc/named.boot on a UNIX machine, for example).

Finally, you set up all your DNS clients (the /etc/resolv.conf file on a UNIX box, for instance), including the ones on the machine with the public server, to use the internal server. This is the key.

An internal client asking about an internal host asks the internal server, and gets an answer; an internal client asking about an external host asks the internal server, which asks the public server, which asks the Internet, and the answer is relayed back. A client on the public server works just the same way. An external client, however, asking about an internal host gets back the "restricted" answer from the public server.

This approach assumes that there's a packet filtering firewall between these two servers that will allow them to talk DNS to each other, but otherwise restricts DNS between other hosts.

Another trick that's useful in this scheme is to employ wildcard PTR records in your IN-ADDR.ARPA domains. These cause an address-to-name lookup for any of your non-public hosts to return something like "unknown.YOUR.DOMAIN" rather than an error. This satisfies anonymous FTP sites like ftp.uu.net that insist on having a name for the machines they talk to.
This may fail when talking to sites that do a DNS cross-check in which the host name is matched against its address and vice versa.

Note that hiding names in the DNS doesn't address the problem of host names "leaking" out in mail headers, news articles, etc.

------------------------------

Date: Mon Jun 27 16:00:17 1994
From: Fwalls-FAQ@tis.com
Subject: 13: How do I make FTP work through my firewall?

Generally, making FTP work through the firewall is done either using a proxy server or by permitting incoming connections to the network at a restricted port range, and otherwise restricting incoming connections using something like "established" screening rules. The FTP client is then modified to bind the data port to a port within that range. This entails being able to modify the FTP client application on internal hosts.

A different approach is to use the FTP "PASV" option to indicate that the remote FTP server should permit the client to initiate connections. The PASV approach assumes that the FTP server on the remote system supports that operation. (See RFC1579 for more information)

Other sites prefer to build client versions of the FTP program that are linked against a SOCKS library.

------------------------------

Date: Mon Jun 27 16:00:18 1994
From: Fwalls-FAQ@tis.com
Subject: 14: How do I make Telnet work through my firewall?

Telnet is generally supported either by using an application proxy, or by simply configuring a router to permit outgoing connections using something like the "established" screening rules. Application proxies could be in the form of a standalone proxy running on the bastion host, or in the form of a SOCKS server and a modified client.

------------------------------

Date: Mon Jun 27 16:00:25 1994
From: Fwalls-FAQ@tis.com
Subject: 15: How do I make Finger and whois work through my firewall?
Permit connections to the finger port from only trusted machines, which can issue finger requests in the form of:

   finger user@host.domain@firewall

This approach only works with the standard UNIX version of finger. Some finger servers do not permit user@host@host fingering.

Many sites block inbound finger requests for a variety of reasons, foremost being past security bugs in the finger server (the Morris internet worm made these bugs famous) and the risk of proprietary or sensitive information being revealed in users' finger information.

------------------------------

Date: Tue Jul 5 16:33:27 1994
From: Fwalls-FAQ@tis.com
Subject: 16: How do I make gopher, archie, and other services work through my firewall?

This is still an area of active research in the firewall community. Many firewall administrators support these services only through the character-cell interface provided by telnet. Unfortunately, many of the sexier network services make connections to multiple remote systems, without transmitting any inline information that a proxy could take advantage of, and often the newer information retrieval systems transmit data to local hosts and disks with only minimal security. There are risks that (for example) WAIS clients may request uuencoded files, which decode and modify security related files in the user's home directory. At present, there is a lot of head-scratching going on between the firewall administrators who are responsible for guarding the network perimeters, and the users, who want to take advantage of these very sexy and admittedly useful tools.

------------------------------

Date: Mon Jun 27 16:00:34 1994
From: Fwalls-FAQ@tis.com
Subject: 17: What are the issues about X-Window through a firewall?

X Windows is a very useful system, but unfortunately has some major security flaws. Remote systems that can gain or spoof access to a workstation's X display can monitor keystrokes that a user enters, download copies of the contents of their windows, etc.
While attempts have been made to overcome them (E.g., MIT "Magic Cookie") it is still entirely too easy for an attacker to interfere with a user's X display. Most firewalls block all X traffic. Some permit X traffic through application proxies such as the DEC CRL X proxy (FTP crl.dec.com).

------------------------------

Date: Thu Sep 22 11:57:46 1994
From: Fwalls-FAQ@tis.com
Subject: 18: What is source routed traffic and why is it a threat?

Normally, the route a packet takes from its source to its destination is determined by the routers between the source and destination. The packet itself only says where it wants to go (the destination address), and nothing about how it expects to get there.

There is an optional way for the sender of a packet (the source) to include information in the packet that tells the route the packet should get to its destination; thus the name "source routing".

For a firewall, source routing is noteworthy, since an attacker can generate traffic claiming to be from a system "inside" the firewall. In general, such traffic wouldn't route to the firewall properly, but with the source routing option, all the routers between the attacker's machine and the target will return traffic along the reverse path of the source route. Implementing such an attack is quite easy; so firewall builders should not discount it as unlikely to happen.

In practice, source routing is very little used. In fact, generally the main legitimate use is in debugging network problems or routing traffic over specific links for congestion control for specialized situations.

When building a firewall, source routing should be blocked at some point. Most commercial routers incorporate the ability to block source routing specifically, and many versions of UNIX that might be used to build firewall bastion hosts have the ability to disable or ignore source routed traffic.
------------------------------

Date: Thu Sep 22 11:58:00 1994
From: Fwalls-FAQ@tis.com
Subject: 19: What are ICMP redirects and redirect bombs?

An ICMP Redirect tells the recipient system to over-ride something in its routing table. It is legitimately used by routers to tell hosts that the host is using a non-optimal or defunct route to a particular destination, i.e. the host is sending it to the wrong router. The wrong router sends the host back an ICMP Redirect packet that tells the host what the correct route should be.

If you can forge ICMP Redirect packets, and if your target host pays attention to them, you can alter the routing tables on the host and possibly subvert the security of the host by causing traffic to flow via a path the network manager didn't intend. ICMP Redirects also may be employed for denial of service attacks, where a host is sent a route that loses its connectivity, or is sent an ICMP Network Unreachable packet telling it that it can no longer access a particular network.

Many firewall builders screen ICMP traffic from their network, since it limits the ability of outsiders to ping hosts, or modify their routing tables.

------------------------------

Date: Mon Jun 27 16:02:14 1994
From: Fwalls-FAQ@tis.com
Subject: 20: Glossary of firewall related terms

Host-based Firewall:
   A firewall where the security is implemented in software running on a general-purpose computer of some sort. Security in host-based firewalls is generally at the application level, rather than at a network level.

Router-based Firewall:
   A firewall where the security is implemented using screening routers as the primary means of protecting the network.

Screening Router:
   A router that is used to implement part of the security of a firewall by configuring it to selectively permit or deny traffic at a network level.

Bastion Host:
   A host system that is a "strong point" in the network's security perimeter.
   Bastion hosts should be configured to be particularly resistant to attack. In a host-based firewall, the bastion host is the platform on which the firewall software is run. Bastion hosts are also referred to as "gateway hosts."

Dual-Homed Gateway:
   A firewall consisting of a bastion host with 2 network interfaces, one of which is connected to the protected network, the other of which is connected to the Internet. IP traffic forwarding is usually disabled, restricting all traffic between the two networks to whatever passes through some kind of application proxy.

Application Proxy:
   An application that forwards application traffic through a firewall. Proxies tend to be specific to the protocol they are designed to forward, and may provide increased access control or audit.

Screened Subnet:
   A firewall architecture in which a "sand box" or "demilitarized zone" network is set up between the protected network and the Internet, with traffic between the protected network and the Internet blocked. Conceptually, this is similar to a dual-homed gateway, except that an entire network, rather than a single host is reachable from the outside.

Contributors:
-------------

mjr@tis.com - Marcus Ranum, Trusted Information Systems
leibowa@wl.com - Allen Leibowitz, Warner Lambert Inc.
brent@greatcircle.com - Brent Chapman, Great Circle Associates
bdboyle@erenj.com - Brian Boyle, Exxon Research

From firewalls-owner Sun Dec 4 21:04:08 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA29035 for firewalls-outgoing; Sun, 4 Dec 1994 20:49:45 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id UAA29030 for ; Sun, 4 Dec 1994 20:49:38 -0800
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA16894; Sun, 4 Dec 94 23:16:57 -0500
Date: Sun, 4 Dec 94 23:16:56 -0500
Message-Id: <9412050416.AA16894@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Not just "nop"s
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Marcus writes:

> Imagine a firewall consisting of 6 Ciscos in a row. :)
> For it to work at all, 5 of them have to be no-ops. :) And if
> there's a firmware bug in one, it'll be in all of them.

Am going to focus on just this one point from a very long and well done posting since it is important IMHO.

The five *do not* need to be no-ops nor do they even have to have the same programming. I have seen a couple of cases where loadbalancing did use multiple identical systems in a row to keep the ACLs from getting too long. True in that case you have to be careful about the precedence just as in any FAW (First Agreement Wins) system such as a Cisco.

Redundancy does not require identical programming (what is being referred to as NO-OPs). For instance consider three serial routers in which each rule is expressed twice but in a different way each time e.g. IF NOT LESS THAN is the same as IF GREATER OR EQUAL TO but uses a different microcode sequence. In this manner, even if a firmware bug let the first pass anything, the second would still be operative. It would take a dual failure to be a problem.
Of course if you never notice the first fail that opens things up a bit but there are ways around that too.

At the assembly language level, you typically have even more ways to do a particular operation. For instance to clear a register (AX) you can MOV AX,0; SUB AX,AX; XOR AX,AX; or AND AX,0. True, this particular expertise is not much in demand, but when designing flight controls for aircraft like the F-16, one tends to be *very* careful (suspicious, paranoid, same thing really).

Once upon a time, I designed a test suite for a processor, just to verify its basic operation since errors such as recently exposed in the Pentium could provide unpleasant surprises if applied to the third order equation used by a vibrating cylinder altimeter during 100 ft MACH 1 terrain following "hard ride".

For that matter, a "packet generator" could be designed without too much difficulty using a POPC (plain old PC) that could just throw packets at a filter in a lab to test the strength of the programming. Of course to do that you need a lab with a dedicated net and a spare Cisco or whatever, but then everyone has one of those, right. Oh you don't? Not surprising since a standard joke is that I have better equipment in my den at home than is available at work (sad part is that it is true).

But the fact is that a row of two or three routers, even identical models, do not have to have identical programming to achieve the same thing, and to the intruder who finally gets through #1 only to find #2 sitting there with completely different rules and no idea how many more there are...well you get the idea.
Warmly,
Padgett

From firewalls-owner Sun Dec 4 22:35:00 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA29548 for firewalls-outgoing; Sun, 4 Dec 1994 22:29:01 -0800
Received: from databus.databus.com (root@databus.databus.com [198.186.154.34]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id WAA29543 for ; Sun, 4 Dec 1994 22:28:57 -0800
Date: Mon, 5 Dec 94 01:27 EST
Message-ID: <9412050127.AA22757@databus.databus.com>
From: Barney Wolff
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security), firewalls@greatcircle.com
Subject: Re: Not just "nop"s
Content-Length: 976
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Sun, 4 Dec 94 23:16:56 -0500
> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
>
> But the fact is that a row of two or three routers, even identical models,
> do not have to have identical programming to achieve the same thing, and
> to the intruder who finally gets through #1 only to find #2 sitting there
> with completely different rules and no idea how many more there are...well
> you get the idea.

Security by obscurity, and anyway, packet discard rules are additive (or subtractive, depending on how you look at it), so I coulda put them all in the first router. All this does is leave routers 2-n less than fully protected.

If we're getting into independently-developed firewalls in series, we need to remember that there is some literature reporting correlated errors even in such systems (don't have the refs any more), because mere humans tend to misinterpret specs the same way.
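Padgett's argument (the same rule expressed two different ways on routers in series, so a single microcode fault does not open the chain) and Barney's caveat (independently written rules still have to be checked against the spec, since people misread specs the same way) in miniature. This is an added example written for this archive, not code from any poster or product; the policy, addresses, rule formulations and the simulated comparator fault are all constructed.

```python
"""Two diversely expressed packet filters in series, plus a spec checker.

Router A writes its low-port rule with 'less than'; router B writes the same
policy as 'not greater-or-equal'. A lab 'packet generator' throws constructed
packets at each router and reports wherever a router disagrees with the
written policy, so a fault in one formulation is both caught by the other
router and noticed, rather than silently opening things up.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str    # dotted quad (constructed, RFC 5737 documentation ranges)
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


INTERNAL = "192.0.2."    # constructed inside network prefix
BASTION = "192.0.2.10"   # constructed externally reachable host
SERVICES = (25, 80)      # what the bastion is allowed to offer


def spec(p: Packet) -> bool:
    """The written policy, stated once and used only as the oracle."""
    if p.dst == BASTION and p.dport in SERVICES:
        return True
    return p.proto == "tcp" and p.dst.startswith(INTERNAL) and p.dport >= 1024


Rule = Tuple[Callable[[Packet], bool], bool]   # (matcher, permit?)


def faw(rules: List[Rule], p: Packet) -> bool:
    """First Agreement Wins: the first matching rule decides; default deny."""
    for matches, permit in rules:
        if matches(p):
            return permit
    return False


def router_a(lt: Callable[[int, int], bool] = lambda a, b: a < b) -> List[Rule]:
    """Formulation 1: the privileged-port deny is written as 'dport < 1024'.
    The comparison is injectable so a firmware fault can be simulated."""
    return [
        (lambda p: p.dst == BASTION and p.dport in SERVICES, True),
        (lambda p: lt(p.dport, 1024), False),
        (lambda p: p.proto == "tcp" and p.dst.startswith(INTERNAL), True),
    ]


def router_b() -> List[Rule]:
    """Formulation 2: same policy, but everything not provably allowed is
    denied first and the permit is written with 'greater or equal'."""
    return [
        (lambda p: p.dst == BASTION and p.dport in SERVICES, True),
        (lambda p: p.proto != "tcp", False),
        (lambda p: not p.dst.startswith(INTERNAL), False),
        (lambda p: p.dport >= 1024, True),
    ]


def chain(p: Packet, *routers: List[Rule]) -> bool:
    """Routers in series: a packet must be permitted by every one of them."""
    return all(faw(r, p) for r in routers)


def stuck_comparator(a: int, b: int) -> bool:
    """Simulated firmware fault: the 'less than' path misreports one operand."""
    return False if a == 23 else a < b


def exercise(routers: Dict[str, List[Rule]], packets: List[Packet]):
    """The lab packet generator: run every packet through every router and
    list each (router, packet, verdict) where the router disagrees with spec."""
    findings = []
    for p in packets:
        for name, rules in routers.items():
            verdict = faw(rules, p)
            if verdict != spec(p):
                findings.append((name, p, verdict))
    return findings


# Constructed traffic mix: mail to the bastion, telnet to an inside host,
# a high port inside, UDP inside, and a packet not destined for our net.
PACKETS = [
    Packet("203.0.113.7", BASTION, "tcp", 25),
    Packet("203.0.113.7", "192.0.2.20", "tcp", 23),
    Packet("203.0.113.7", "192.0.2.20", "tcp", 6000),
    Packet("203.0.113.7", "192.0.2.20", "udp", 6000),
    Packet("203.0.113.7", "198.51.100.5", "tcp", 25),
]

if __name__ == "__main__":
    healthy = {"A": router_a(), "B": router_b()}
    print("healthy disagreements:", exercise(healthy, PACKETS))
    faulty = {"A": router_a(lt=stuck_comparator), "B": router_b()}
    for name, p, verdict in exercise(faulty, PACKETS):
        print(f"router {name} permits={verdict} for {p}, spec says {spec(p)}")
    telnet = PACKETS[1]
    print("chain with faulty A still denies telnet:",
          not chain(telnet, faulty["A"], faulty["B"]))
```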
Barney Wolff

From firewalls-owner Mon Dec 5 01:35:41 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA01018 for firewalls-outgoing; Mon, 5 Dec 1994 01:17:33 -0800
Received: from mail.Germany.EU.net (mail.Germany.EU.net [192.76.144.65]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id BAA01013 for ; Mon, 5 Dec 1994 01:17:27 -0800
Received: by mail.Germany.EU.net with SMTP (8.6.5:29/EUnetD-2.5.1.c) via EUnet id KAA19932; Mon, 5 Dec 1994 10:17:27 +0100
Received: from barolo.ak.munich.ibm.com by prosecco.munich.ibm.de (4.03afxG1.2) id AA10388; Mon, 5 Dec 1994 10:07:29 +0100
Received: by barolo (AIX 3.2/UCB 5.64/afx1.8) id AA16561; Mon, 5 Dec 1994 10:12:54 +0100
From: afx@ibm.de (Andreas Siegert)
Message-Id: <9412050912.AA16561@barolo>
Subject: Transparent proxy wanted
To: firewalls@GreatCircle.COM (Firewall mailing list)
Date: Mon, 5 Dec 1994 10:12:54 +0100 (CET)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 837
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,
I am looking for transparent proxy solutions for a customer.
SOCKS will not work because the client needs to be modified, ptelnetd style proxies will not work because the application trying to get external access would need to know about the extra step.
Is there another form of gateway daemon that could be used?
I think someone mentioned a solution here that looked like a router to the inside (Blackhole?)
I don't care if it is commercial or free, but for commercial solutions a European/German reseller would be nice.

thx
afx
--
Andreas Siegert / Postmaster   IBM Deutschland GmbH        | Never grep a yacc
AIX Field Support Center       Anzinger Strasse 29         | by the i-node!
Internet: afx@ibm.de           D-81671 Muenchen            | Opinions are my own,
VNET: AFX@IPNET                Voice: (49)-(89)-4504-4509  | not IBM's.
From firewalls-owner Mon Dec 5 05:04:16 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA06496 for firewalls-outgoing; Mon, 5 Dec 1994 05:00:15 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA06491 for ; Mon, 5 Dec 1994 05:00:07 -0800
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA19825; Mon, 5 Dec 94 07:50:02 -0500
Date: Mon, 5 Dec 94 07:50:02 -0500
Message-Id: <9412051250.AA19825@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Addition
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Barney rites:

> Security by obscurity, and anyway, packet discard rules are additive (or
> subtractive, depending on how you look at it), so I coulda put them all
> in the first router. All this does is leave routers 2-n less than fully
> protected.

Was more of "security by inability" since it is hard to make a system do something it is not capable of. Also while the rules are cumulative, a fault in the first system will not affect the next in line *even if the same rule is used but expressed differently* so that the fault is not exercised.

> If we're getting into independently-developed firewalls in series, we need
> to remember that there is some literature reporting correlated errors
> even in such systems (don't have the refs any more), because mere humans
> tend to misinterpret specs the same way.

Why it is easier to start out with a system in which *everything* is turned off as a baseline, and only necessary services are turned on. That way users will quickly tell you what extras they need while if you turn too much on, the intruder is unlikely to tell you about it. Most systems I've looked at have waaaay too many services enabled because they came from the factory with everything turned on.
Warmly,
Padgett

From firewalls-owner Mon Dec 5 06:35:21 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA06956 for firewalls-outgoing; Mon, 5 Dec 1994 06:08:56 -0800
Received: from chx400.switch.ch (chx400.switch.ch [130.59.1.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA06951 for ; Mon, 5 Dec 1994 06:08:51 -0800
From: Hans-Peter.Nicole@MGB.migros-mgb.inet.ch
X400-Received: by mta chx400.switch.ch in /ADMD=SWITCHgate/C=ch/; Relayed; Mon, 5 Dec 1994 15:07:36 +0100
X400-Received: by /ADMD=ARCOM/C=CH/; Relayed; Mon, 5 Dec 1994 15:06:05 +0100
X400-Received: by /PRMD=MIGROS/ADMD=ARCOM/C=CH/; Relayed; Mon, 5 Dec 1994 15:04:41 +0100
X400-Received: by /PRMD=MIGROS-MGB/ADMD=ARCOM/C=CH/; Relayed; Mon, 5 Dec 1994 14:57:27 +0100
Date: Mon, 5 Dec 1994 14:57:27 +0100
X400-Originator: Hans-Peter.Nicole@MGB.migros-mgb.inet.ch
X400-Recipients: firewalls@GreatCircle.COM
X400-MTS-Identifier: [/PRMD=MIGROS-MGB/ADMD=ARCOM/C=CH/;CCGW-MGB Dec 05 14:57:27 1994]
X400-Content-Type: P2-1984 (2)
Content-Identifier: 265714051294
Message-ID: <265714051294*/G=Hans-Peter/S=Nicole/O=MGB/PRMD=MIGROS-MGB/ADMD=ARCOM/C=CH/@MHS>
To: firewalls@GreatCircle.COM (Non Receipt Notification Requested) (IPM Return Requested)
Subject: Request for information on IP-Adress-Mapping please
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi

We are looking for a bare IP-address-mapper without firewall features. Is that perhaps a single feature of an existing complete firewall solution? It would be very helpful to send me some information about providers, software and solutions for that purpose.
Thanks for your contributions

Hans-Peter Nicole

From firewalls-owner Mon Dec 5 08:35:10 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA07931 for firewalls-outgoing; Mon, 5 Dec 1994 08:24:52 -0800
Received: from suntan.Tandem.com (suntan.tandem.com [192.216.221.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA07925 for ; Mon, 5 Dec 1994 08:24:46 -0800
From: pat@loc201.tandem.com
Received: from adm.loc201.tandem.com (admin_01.loc201.tandem.com) by suntan.Tandem.com (4.1/suntan5.940222) for firewalls@greatcircle.com id AA29652; Mon, 5 Dec 94 08:23:13 PST
Received: from vern.loc201.tandem.com.loc201.tandem.com by adm.loc201.tandem.com (4.1/6main.940209) id AA15510; Mon, 5 Dec 94 08:20:38 PST
Received: by vern.loc201.tandem.com.loc201.tandem.com (4.1/6nospool.930120) id AA13271; Mon, 5 Dec 94 08:23:05 PST
Date: Mon, 5 Dec 94 08:23:05 PST
Message-Id: <9412051623.AA13271@vern.loc201.tandem.com.loc201.tandem.com>
To: firewalls@greatcircle.com
Subject: Re: Transparent proxy wanted
Cc: afx@ibm.de
Reply-To: pat@tandem.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

sfx@ibm.de (Andreas Siegert) writes:

> I am looking for transparent proxy solutions for a customer.
> SOCKS will not work because the client needs to be modified, ptelnetd style
> proxies will not work because the application trying to get external access
> would need to know about the extra step.

I have started looking for the same thing for a small site. I understand this is the way the JANUS Firewall Server works (please correct me if I am wrong), and have started looking for others.

-pat
--
Patrick Mulrooney
Tandem Computers

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Hi,
I am looking for transparent proxy solutions for a customer.
SOCKS will not work because the client needs to be modified, ptelnetd style proxies will not work because the application trying to get external access would need to know about the extra step.
Is there another form of gateway daemon that could be used?
I think someone mentioned a solution here that looked like a router to the inside (Blackhole?)
I don't care if it is commercial or free, but for commercial solutions a European/German reseller would be nice.

thx
afx
--
Andreas Siegert / Postmaster   IBM Deutschland GmbH        | Never grep a yacc
AIX Field Support Center       Anzinger Strasse 29         | by the i-node!
Internet: afx@ibm.de           D-81671 Muenchen            | Opinions are my own,
VNET: AFX@IPNET                Voice: (49)-(89)-4504-4509  | not IBM's.

From firewalls-owner Mon Dec 5 09:06:21 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA08030 for firewalls-outgoing; Mon, 5 Dec 1994 08:45:47 -0800
Received: from border.com (border.com [142.77.1.128]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA08024 for ; Mon, 5 Dec 1994 08:45:40 -0800
Received: by janus.border.com id <29481>; Mon, 5 Dec 1994 11:54:58 -0500
Date: Mon, 5 Dec 1994 11:46:48 -0500
From: Steven Lamb
Subject: Re: Transparent proxy wanted
To: Andreas Siegert
cc: Firewall mailing list
In-Reply-To: <9412050912.AA16561@barolo>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <94Dec5.115458est.29481@janus.border.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 5 Dec 1994, Andreas Siegert wrote:

> Hi,
> I am looking for transparent proxy solutions for a customer.
> SOCKS will not work because the client needs to be modified, ptelnetd style
> proxies will not work because the application trying to get external access
> would need to know about the extra step.
> Is there another form of gateway daemon that could be used?
> I think someone mentioned a solution here that looked like a router to the
> inside (Blackhole?)
> I don't care if it is commercial or free, but for commercial solutions a
> European/German reseller would be nice.

The JANUS Firewall Server addresses your requirements of transparency without having to modify client applications. Feel free to email me for details.

Steven Lamb
Product Manager
------------------------------------------------------------------------
Border Network Technologies Inc.          Email: slamb@border.com
1 Yonge Street, Suite 1400,               Tel: +1 416 368 7157
Toronto, Ontario, Canada, M5E 1J9         Fax: +1 416 368 7789

From firewalls-owner Mon Dec 5 09:35:26 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA08254 for firewalls-outgoing; Mon, 5 Dec 1994 09:14:37 -0800
Received: from VNET.IBM.COM (vnet.ibm.com [199.171.26.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA08249 for ; Mon, 5 Dec 1994 09:14:30 -0800
Received: from LEXGATE by VNET.IBM.COM (IBM VM SMTP V2R2) with BSMTP id 3621; Mon, 05 Dec 94 12:13:23 EST
Received: by LEXGATE (XAGENTA 3.0) id 0028; Mon, 5 Dec 1994 12:13:16 -0500
Received: by bangalore.lexington.ibm.com (AIX 3.2/UCB 5.64/4.03) id AA21759; Mon, 5 Dec 1994 12:10:54 -0500
From: (Tony Zamora)
Message-Id: <9412051710.AA21759@bangalore.lexington.ibm.com>
Subject: Re: firewalls FAQ
To: firewalls@greatcircle.com
Date: Mon, 5 Dec 1994 12:10:51 -0500 (EST)
Reply-To:
In-Reply-To: <9412040334.AA21560@tis.com> from "Marcus J Ranum" at Dec 3, 94 10:34:45 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 242
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Marcus J Ranum wrote,

> Note that hiding names in the DNS doesn't address the
> problem of host names "leaking" out in mail headers,
> news articles, etc.

How does one go about addressing these problems? When does it become worth it?
Tony

From firewalls-owner Mon Dec 5 10:04:34 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA08566 for firewalls-outgoing; Mon, 5 Dec 1994 09:56:27 -0800
Received: from wintermute.imsi.com (wintermute.imsi.com [192.103.3.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA08560 for ; Mon, 5 Dec 1994 09:56:20 -0800
Received: from relay.imsi.com by wintermute.imsi.com id MAA23692; Mon, 5 Dec 1994 12:55:07 -0500
Received: from lorax.imsi.com by relay.imsi.com id MAA20192; Mon, 5 Dec 1994 12:55:06 -0500
Received: from localhost by lorax.imsi.com (4.1/SMI-4.1) id AA16269; Mon, 5 Dec 94 12:55:05 EST
Message-Id: <9412051755.AA16269@lorax.imsi.com>
To: pat@tandem.com
Cc: firewalls@greatcircle.com, afx@ibm.de
Subject: Re: Transparent proxy wanted
In-Reply-To: Your message of "Mon, 05 Dec 1994 08:23:05 PST." <9412051623.AA13271@vern.loc201.tandem.com.loc201.tandem.com>
Reply-To: rens@imsi.com
Date: Mon, 05 Dec 1994 12:55:05 -0500
From: Rens Troost
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>>>> "pat" == pat writes:

pat> sfx@ibm.de (Andreas Siegert) writes:
>> I am looking for transparent proxy solutions for a customer.
>> SOCKS will not work because the client needs to be modified,
>> ptelnetd style proxies will not work because the application
>> trying to get external access would need to know about the extra
>> step.

pat> I have started looking for the same thing for a small site. I
pat> understand this is the way the JANUS Firewall Server works
pat> (please correct me if I am wrong), and have started looking for
pat> others.

Feeling lucky, punk?

You could do it with cisco's access lists in a router-only firewall. Just block all incoming traffic not destined to your "firewall" (read, externally-accessible server) with the "established" keyword. This will not allow transparent FTP, but transparent telnet will work.
If the router gets compromised, you're history; you could put a few routers in with receive-only hosts in between to detect intruders and possibly automatically shut down the routers.

-Rens

From firewalls-owner Mon Dec 5 10:34:32 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA08731 for firewalls-outgoing; Mon, 5 Dec 1994 10:13:52 -0800
Received: from erenj.com (ereapp.erenj.com [159.70.31.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA08724 for ; Mon, 5 Dec 1994 10:13:39 -0800
Posted-Date: Mon, 5 Dec 1994 13:11:57 -0500
From: "Bryan D. Boyle"
Message-Id: <9412051311.ZM4803@maverick.erenj.com>
Date: Mon, 5 Dec 1994 13:11:57 -0500
In-Reply-To: (Tony Zamora) "Re: firewalls FAQ" (Dec 5, 12:10pm)
References: <9412051710.AA21759@bangalore.lexington.ibm.com>
X-Phone: (908) 730-3338
X-Saying: Strange problems call for strange solutions.
X-Life: Get One
X-Mailer: Z-Mail (3.2.0 06sep94)
To: firewalls@greatcircle.com
Subject: Re: firewalls FAQ
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Dec 5, 12:10pm, (Tony Zamora) wrote:
> Subject: Re: firewalls FAQ
> Marcus J Ranum wrote,
> > Note that hiding names in the DNS doesn't address the
> > problem of host names "leaking" out in mail headers,
> > news articles, etc.
>
> How does one go about addressing these problems? When does it become
> worth it?

In my experience, unless you are absolutely paranoid about the fact that hostnames may leak out of your firewall, then imo it is not something to worry (as opposed to be concerned) overly long about. This assumes, of course, that there are no routes available to the hosts whose names leak out of 'wall. In which case, there are bigger problems than just hostnames getting around...all a name points out is a person's preferences, humour, or in some cases, bureaucracy and control span...
The fact that my machine here is named maverick has no information that can be gleaned from that fact (prima facie, that is...); you would have to know what my IP address is, my MAC address, routers between me and thee, mx hosts, name servers, etc., to mount something of an attack. The name in and of itself (even if attached to a domain...) only tells you something of where in the hierarchy I live, not geography per se.

I would examine the risk involved in transmitting a hostname versus not. The risk, in our estimation, resides somewhere above null and less than unity. But, at this time, it has never been an issue, and yes, we did discuss this when installing the 'wall a few years ago.

YMMV, etc.
--
Bryan D. Boyle   |Physical: ER&E, Clinton, NJ (908) 730-3338
#include         |Virtual: bdboyle@erenj.com
World-Wide-Web: http://www.digimark.net/bdboyle/index.html
http://www.digimark.net/bdboyle/pubkey.html for pgp public key

From firewalls-owner Mon Dec 5 11:04:45 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA08892 for firewalls-outgoing; Mon, 5 Dec 1994 10:35:29 -0800
Received: from mail.Germany.EU.net (mail.Germany.EU.net [192.76.144.65]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA08884 for ; Mon, 5 Dec 1994 10:35:21 -0800
Received: by mail.Germany.EU.net with SMTP (8.6.5:29/EUnetD-2.5.1.c) via EUnet id TAA18009; Mon, 5 Dec 1994 19:35:18 +0100
Received: from barolo.ak.munich.ibm.com by prosecco.munich.ibm.de (4.03afxG1.2) id AA12830; Mon, 5 Dec 1994 19:24:25 +0100
Received: by barolo (AIX 3.2/UCB 5.64/afx1.8) id AA06562; Mon, 5 Dec 1994 19:29:44 +0100
From: afx@ibm.de (Andreas Siegert)
Message-Id: <9412051829.AA06562@barolo>
Subject: Re: firewalls FAQ / DNS leakage
To: zamora@VNET.IBM.COM
Date: Mon, 5 Dec 1994 19:29:44 +0100 (CET)
Cc: firewalls@greatcircle.com
In-Reply-To: <9412051710.AA21759@bangalore.lexington.ibm.com> from "Tony Zamora" at Dec 5, 94 12:10:51 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 640
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > Note that hiding names in the DNS doesn't address the
> > problem of host names "leaking" out in mail headers,
> > news articles, etc.
>
> How does one go about addressing these problems? When does it become
> worth it?

You could configure your mail agent to leave out a lot of information if you think it is worth it.

cheers
afx
--
Andreas Siegert / Postmaster   IBM Deutschland GmbH        | Never grep a yacc
AIX Field Support Center       Anzinger Strasse 29         | by the i-node!
Internet: afx@ibm.de           D-81671 Muenchen            | Opinions are my own,
VNET: AFX@IPNET                Voice: (49)-(89)-4504-4509  | not IBM's.

From firewalls-owner Mon Dec 5 11:36:17 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA09269 for firewalls-outgoing; Mon, 5 Dec 1994 11:06:35 -0800
Received: from uni (uni.ins.com [199.0.193.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA09264 for ; Mon, 5 Dec 1994 11:06:30 -0800
Received: from markpc.ins.com (markpc.ins.com [199.0.193.183]) by uni (8.6.8.1/8.6.6) with SMTP id LAA14338; Mon, 5 Dec 1994 11:05:19 -0800
Date: Mon, 5 Dec 1994 11:05:19 -0800
Message-Id: <199412051905.LAA14338@uni>
X-Sender: kadrich@uni.ins.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Ron Fitzherbert , firewalls@GreatCircle.COM
From: (Mark S. Kadrich)
Subject: Re: DEC's SEAL Solution
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

All I can comment on is the presentation DEC gave at the Santa Clara Convention center recently. From the level of detail it looks OK for a commercial solution. DEC solution using DEC equipment though. They addressed many of the important elements we all worry about. If you're a DEC house, and you're not interested in learning the nitty gritty about firewalls, it may be a cost effective solution for you.

I am not affiliated with DEC any way, any how. Period.
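Rens Troost's router-only suggestion earlier in this thread (block inbound traffic not destined for the externally reachable server unless it matches the "established" keyword) as an added, constructed model; it is not a vendor configuration and the addresses and port numbers are made up. The `established` keyword on a Cisco-style access list matches TCP segments with the ACK or RST bit set, which is what the model below checks, and it shows why a transparent outbound telnet session works while active-mode FTP does not.

```python
"""Model of an inbound access list with the 'established' keyword.

The list is applied inbound on the outside interface; first match wins and
there is an implicit deny at the end. Only TCP is modelled.
"""
from dataclasses import dataclass
from typing import Dict

SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits

INSIDE = "192.0.2."     # constructed internal prefix
BASTION = "192.0.2.10"  # the one host meant to be reachable from outside


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


def established(s: Segment) -> bool:
    """'established' is a flag test only: ACK or RST set means 'not the
    opening SYN of a new connection'. The router keeps no connection state,
    so this is what distinguishes replies from new connection attempts."""
    return bool(s.flags & (ACK | RST))


def inbound_acl(s: Segment) -> bool:
    """Constructed access list, in the spirit of:
         permit tcp any host BASTION
         permit tcp any INSIDE established
         (implicit deny)
    Returns True when the segment is forwarded inside."""
    if s.dst == BASTION:
        return True
    if s.dst.startswith(INSIDE) and established(s):
        return True
    return False


def telnet_reply(client: str, client_port: int, server: str) -> Segment:
    """Server's SYN/ACK answering a telnet opened from inside."""
    return Segment(server, client, 23, client_port, SYN | ACK)


def active_ftp_data(client: str, data_port: int, server: str) -> Segment:
    """Active-mode FTP: the server opens the data connection itself, from
    port 20 to the port the client announced, so the first segment is a
    bare SYN arriving from outside."""
    return Segment(server, client, 20, data_port, SYN)


# Constructed traffic seen inbound on the outside interface.
SCENARIOS: Dict[str, Segment] = {
    "reply to telnet opened from inside":
        telnet_reply("192.0.2.20", 1050, "198.51.100.5"),
    "new telnet attempt to an inside host":
        Segment("198.51.100.5", "192.0.2.20", 4000, 23, SYN),
    "new connection to the bastion's mail port":
        Segment("198.51.100.5", BASTION, 4001, 25, SYN),
    "active FTP data connection to an inside client":
        active_ftp_data("192.0.2.20", 1051, "198.51.100.5"),
}


def evaluate(scenarios: Dict[str, Segment] = SCENARIOS) -> Dict[str, bool]:
    """Verdict of the inbound list for each scenario."""
    return {name: inbound_acl(seg) for name, seg in scenarios.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{'permit' if verdict else 'deny  '}  {name}")
```

The denied FTP data connection is the "will not allow transparent FTP" case; passive-mode FTP, where the client opens the data connection outbound, is not modelled here.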
At 07:43 PM 12/2/94 -0500, Ron Fitzherbert wrote:
> Any thoughts on this, good, bad, ugly?
>
> Ron
>
> --------------------------------------------
>  Ronald James Fitzherbert - President
>  Flying Penguin Productions Limited
>  Arlington, VA (USA) +1.703.358.9219
>

******************************************************************
Mark S. Kadrich, Systems Engineer, International Network Services
"The Power of Operable Networks"
Voice @ 415-254-4225, Page @ 1-800-759-7243; PIN 879-5783
e-mail @ kadrich@uni.ins.com
We must all consider our place in the scheme of things, lest we forget its effect on our own schemes.
******************************************************************

From firewalls-owner Mon Dec 5 12:11:36 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA09171 for firewalls-outgoing; Mon, 5 Dec 1994 11:01:03 -0800
Received: from uni (uni.ins.com [199.0.193.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA09164 for ; Mon, 5 Dec 1994 11:00:56 -0800
Received: from markpc.ins.com (markpc.ins.com [199.0.193.183]) by uni (8.6.8.1/8.6.6) with SMTP id KAA14298; Mon, 5 Dec 1994 10:59:37 -0800
Date: Mon, 5 Dec 1994 10:59:37 -0800
Message-Id: <199412051859.KAA14298@uni>
X-Sender: kadrich@uni.ins.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: gordonj@ubs.ubs.utah.edu, firewalls@GreatCircle.COM
From: (Mark S. Kadrich)
Subject: Re: more screened host firewall questions
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

DNS is not required for telnet and ftp if you know the ip addresses of the targets.

At 04:56 PM 12/2/94 -0700, gordonj@ubs.ubs.utah.edu wrote:
> Hi:
>
> Recently I posted a question about getting mail through a screened host
> type gateway. All of the responses involved using DNS on the inside of
> the firewall or on the firewall itself.
> Problem: we have a small network
> inside the firewall (right now one computer, growing soon though) with no
> DNS running on it. Must I run DNS? (please tell me I dont have to! :)
> Also, is DNS required for telnet and ftp? If I must what is involved with
> setting it up.
>
> thanks for the help so far!
>
> --- Gordon Jones ---
> University Bookstore Programmer / Mountain Biking Nut
> phone: (801) 585-5865
>

******************************************************************
Mark S. Kadrich, Systems Engineer, International Network Services
"The Power of Operable Networks"
Voice @ 415-254-4225, Page @ 1-800-759-7243; PIN 879-5783
e-mail @ kadrich@uni.ins.com
We must all consider our place in the scheme of things, lest we forget its effect on our own schemes.
******************************************************************

From firewalls-owner Mon Dec 5 12:57:20 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA10031 for firewalls-outgoing; Mon, 5 Dec 1994 12:05:12 -0800
Received: from shadow.net (anshar.shadow.net [198.79.48.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA10024 for ; Mon, 5 Dec 1994 12:04:49 -0800
Received: (cklaus@localhost) by shadow.net (8.6.8.1/jc-1.0) id PAA18313; Mon, 5 Dec 1994 15:06:08 -0500
From: Christopher Klaus
Message-Id: <199412052006.PAA18313@shadow.net>
Subject: Re: firewalls FAQ / DNS leakage
To: afx@ibm.de (Andreas Siegert)
Date: Mon, 5 Dec 94 15:06:08 EST
Cc: zamora@VNET.IBM.COM, firewalls@GreatCircle.COM
In-Reply-To: <9412051829.AA06562@barolo>; from "Andreas Siegert" at Dec 5, 94 7:29 pm
X-Mailer: ELM [version 2.3 PL0]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> > > Note that hiding names in the DNS doesn't address the
> > > problem of host names "leaking" out in mail headers,
> > > news articles, etc.
> >
> > How does one go about addressing these problems? When does it become
> > worth it?
>
> You could configure your mail agent to leave out a lot of information if you
> think it is worth it.

In some literature from Harris corp on their firewall, they say their firewall, Cyberguard, will support a NNTP server on the gateway which can remove information about the internal network (replacing it with an appropriate gateway address) from all news postings traveling through the gateway.

Also their Firewall supports SMTP and a multi-level mail protocol that will configure a mail system so internal network information is not revealed to the external network.

Cheers,
Chris

--
Christopher William Klaus
Internet Security Systems, Inc.      Computer Security Consulting
2209 Summit Place Drive,             Penetration Analysis of Networks
Atlanta,GA 30350-2430. (404)518-0099. Fax: (404)518-0030

From firewalls-owner Mon Dec 5 13:05:46 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA09478 for firewalls-outgoing; Mon, 5 Dec 1994 11:22:25 -0800
Received: from ccub.wlv.ac.uk (root@ccub.wlv.ac.uk [134.220.1.20]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA09456 for ; Mon, 5 Dec 1994 11:21:50 -0800
Received: by ccub.wlv.ac.uk (Smail3.1.28.1 #35) id m0rEix7-0003xPC; Mon, 5 Dec 94 19:20:01 0000 (GMT)
Message-Id:
From: cm4233@wlv.ac.uk (N.Scott)
Subject: Re: Information please.
To: firewalls@greatcircle.com
Date: Mon, 5 Dec 1994 19:20:01 +0000 (GMT)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 505
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Forwarded message:
> Date: Fri, 2 Dec 1994 19:28:31 +0100
> From: Marcus Walls
> Subject: Re: Information please.
>
> On Fri, 2 Dec 1994, Stuart Aitken wrote:
>
> > I am a student who is interested in firewalls and how they work.
> >
>
> Seconded. I too am a student very much interested in the workings of
> firewalls.
i also am a student - but i want to know about firewalls for a completely different reason ;-) BIG GRIN

scott
--
http://scitsc.wlv.ac.uk/~cm4233/home.html

From firewalls-owner Mon Dec 5 13:34:56 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA10792 for firewalls-outgoing; Mon, 5 Dec 1994 13:14:59 -0800
Received: from relay.tis.com (firewall_user@relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA10787 for ; Mon, 5 Dec 1994 13:14:38 -0800
Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma024483; Mon Dec 5 16:12:51 1994
Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA07464; Mon, 5 Dec 94 16:10:52 EST
Message-Id: <9412052110.AA07464@tis.com>
From: Frederick M Avolio
X-Organization: Trusted Information Systems, Inc.
X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363
To: Christopher Klaus
Cc: afx@ibm.de (Andreas Siegert), zamora@vnet.ibm.com, firewalls@greatcircle.com
Subject: Re: firewalls FAQ / DNS leakage
In-Reply-To: Your message of Mon, 05 Dec 94 15:06:08 -0500. <199412052006.PAA18313@shadow.net>
Date: Mon, 05 Dec 94 16:10:43 -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Everyone's commercial firewall can do these things.

> >
> > > > Note that hiding names in the DNS doesn't address the
> > > > problem of host names "leaking" out in mail headers,
> > > > news articles, etc.
> > >
> > > How does one go about addressing these problems? When does it become
> > > worth it?
> >
> > You could configure your mail agent to leave out a lot of information if you
> > think it is worth it.
>
> In some literature from Harris corp on their firewall, they say their
> firewall, Cyberguard, will support a NNTP server on the gateway which can
> remove information about the internal network (replacing it with an
> appropriate gateway address) from all news postings traveling through
> the gateway.
>
> Also their Firewall supports SMTP and a multi-level mail protocol that
> will configure a mail system so internal network information is not
> revealed to the external network.
>
> Cheers,
> Chris
>
> --
> Christopher William Klaus
> Internet Security Systems, Inc.      Computer Security Consulting
> 2209 Summit Place Drive,             Penetration Analysis of Networks
> Atlanta,GA 30350-2430. (404)518-0099. Fax: (404)518-0030

From firewalls-owner Mon Dec 5 14:06:02 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA11047 for firewalls-outgoing; Mon, 5 Dec 1994 13:44:42 -0800
Received: from jupiter.worldlinx.com (jupiter.worldlinx.com [198.235.216.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA11041 for ; Mon, 5 Dec 1994 13:44:33 -0800
Received: by jupiter.worldlinx.com (4.1/WorldLinx-1.1) id AA21185; Mon, 5 Dec 94 16:30:51 EST
Date: Mon, 5 Dec 94 16:30:51 EST
From: Matthew Harding
Message-Id: <9412052130.AA21185@jupiter.worldlinx.com>
To: firewalls@greatcircle.com
Subject: port 113 - auth
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We have been receiving numerous queries on this port... can anyone tell me if it is used by some standard program, or if we should be concerned at all regarding this activity? Please respond directly and I will post a summary in a few days.

Thanks,
Matthew (matt@worldlinx.com)

From firewalls-owner Mon Dec 5 14:46:13 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA11621 for firewalls-outgoing; Mon, 5 Dec 1994 14:20:11 -0800
Received: from hawk.csd.harris.com (hawk.hcsc.com [204.5.22.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA11616 for ; Mon, 5 Dec 1994 14:20:05 -0800
Received: by hawk.csd.harris.com (5.61/harris-5.1) id AA17090; Mon, 5 Dec 94 15:48:19 -0500
Date: Mon, 5 Dec 94 15:48:19 -0500
From: mrdeep@hawk.csd.harris.com (Jon P. Shallow)
Message-Id: <9412052048.AA17090@hawk.csd.harris.com>
Apparently-To: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From firewalls-owner Mon Dec 5 14:51:37 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA11215 for firewalls-outgoing; Mon, 5 Dec 1994 13:59:02 -0800
Received: from prometheus.microchip.com (PROMETHEUS.MICROCHIP.COM [198.175.253.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA11209 for ; Mon, 5 Dec 1994 13:58:47 -0800
Received: (from daemon@localhost) by prometheus.microchip.com (8.6.9/8.6.9) id OAA08991 for ; Mon, 5 Dec 1994 14:57:51 -0700
Received: from unknown(198.151.247.73) by prometheus.microchip.com via smap (V1.3) id smaa08987; Mon Dec 5 14:57:21 1994
Received: from localhost (gustavo@localhost) by pegasus.Microchip.COM (8.6.9/8.6.9) with ESMTP id PAA10590; Mon, 5 Dec 1994 15:00:50 -0700
Message-Id: <199412052200.PAA10590@pegasus.Microchip.COM>
To: zamora@VNET.IBM.COM, firewalls@greatcircle.com
Subject: Re: firewalls FAQ
In-reply-to: Your message of "Mon, 05 Dec 1994 10:10:51 MST." <9412051710.AA21759@bangalore.lexington.ibm.com>
Date: Mon, 05 Dec 1994 15:00:49 -0700
From: Gustavo Vegas
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sections from message <9412051710.AA21759@bangalore.lexington.ibm.com> read:
> Marcus J Ranum wrote,
> > Note that hiding names in the DNS doesn't address the
> > problem of host names "leaking" out in mail headers,
> > news articles, etc.
>
> How does one go about addressing these problems? When does it become
> worth it?

Well, you may be able to fix it with the software that provides the services. I know rn can use a rewrite rule in its configuration for the e-mail address source. Sendmail V8 can use the new Berkeley database package, with which one can masquerade addresses on outgoing mail. I'm sure there are other ways everywhere.

Is it worth it?
Perhaps, it is one less thing to worry about if you do not give out info on your network topology and naming conventions. In Cheswick & Bellovin's book, they mention the possibility of hosts named after projects, thus their names become sensitive information. ===========================================+=========================== ****** * *** * * * * *** * * * * * * * * * *** *** * Gustavo Vegas titan!gustavo@enuucp.eas.asu.edu ********** CAD Systems Administrator Microchip Technology Inc. ******* Chandler, Arizona ===========================================+=========================== chfn From firewalls-owner Mon Dec 5 15:21:37 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA12237 for firewalls-outgoing; Mon, 5 Dec 1994 14:51:22 -0800 Received: from cadman.cit.buffalo.edu (cadman.cit.buffalo.edu [128.205.3.103]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA12229 for ; Mon, 5 Dec 1994 14:51:16 -0800 Received: from localhost (jcmurphy@localhost) by cadman.cit.buffalo.edu (8.6.5/8.6.5) id RAA12519; Mon, 5 Dec 1994 17:49:11 -0500 From: Jeff Murphy Message-Id: <199412052249.RAA12519@cadman.cit.buffalo.edu> Subject: Re: port 113 - auth To: matt@worldlinx.com (Matthew Harding) Date: Mon, 5 Dec 1994 17:49:11 -0500 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: <9412052130.AA21185@jupiter.worldlinx.com> from "Matthew Harding" at Dec 5, 94 04:30:51 pm X-Mailer: ELM [version 2.4 PL21+PEM] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 501 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Matthew Harding insists: > > >We have been receiving numerous queries on this port... can anyone tell >me if it is used by some standard program, or if we should be concerned >at all regarding this activity? Please respond directly and I will post >a summary in a few days. 
> >Thanks, >Matthew (matt@worldlinx.com) > it's used by the ident daemon to back-trace connections to the user who originated it. many machines, http daemons, etc have this feature enabled.. check rfc931 for more info. From firewalls-owner Mon Dec 5 15:36:43 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA11852 for firewalls-outgoing; Mon, 5 Dec 1994 14:27:32 -0800 Received: from mwunix.mitre.org (mwunix.mitre.org [128.29.154.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA11847 for ; Mon, 5 Dec 1994 14:27:25 -0800 Received: from smiley.mitre.org.sit (smiley.mitre.org [128.29.140.20]) by mwunix.mitre.org (8.6.4/8.6.4) with SMTP id RAA07365; Mon, 5 Dec 1994 17:24:38 -0500 Received: from [128.29.140.130] (mckenney-mac.mitre.org) by smiley.mitre.org.sit (4.1/SMI-4.1) id AA18628; Mon, 5 Dec 94 17:25:31 EST Date: Mon, 5 Dec 94 17:25:30 EST Message-Id: <9412052225.AA18628@smiley.mitre.org.sit> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Frederick M Avolio From: mckenney@smiley.mitre.org (Brian W. McKenney) Subject: Re: firewalls FAQ / DNS leakage Cc: cklaus@shadow.net, afx@ibm.de (Andreas Siegert), zamora@vnet.ibm.com, firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Everyone's commercial firewall can do these things. I think the key point is that the secrecy of host names or IP addresses can never be guaranteed even though products can be configured to hide this information. Products have to be configured and maintained correctly, users have to be trained not to disclose Enterprise configuration-related information, system administrators and users can't make inadvertent errors, and the Enterprise security perimeter(s) must never be compromised. We can do a lot but I would hesitate to offer an ironclad guarantee. 
-Brian > >> > >> > > > Note that hiding names in the DNS doesn't address the >> > > > problem of host names "leaking" out in mail headers, >> > > > news articles, etc. >> > > >> > > How does one go about addressing these problems? When does it become >> > > worth it? >> > >> > You could configure your mail agent to leave out a lot of information if >>you >> > think it is worth it. >> >> In some literature from Harris corp on their firewall, they say their >> firewall, Cyberguard, will support a NNTP server on the gateway which can >> remove information about the internal network (replacing it with an >> appropritate gateway address) from all news postings traveling through >> the gateway. >> >> Also their Firewall supports SMTP and a multi-level mail protocol that >> will configure a mail system so internal network information is not >> revealed to the external network. >> >> Cheers, >> Chris >> >> -- >> Christopher William Klaus >> Internet Security Systems, Inc. Computer Security Consulting >> 2209 Summit Place Drive, Penetration Analysis of Networks >> Atlanta,GA 30350-2430. (404)518-0099. Fax: (404)518-0030 Respectfully, Brian W. 
McKenney Mail Stop: Z-202 The MITRE Corporation 7525 Colshire Drive McLean, VA 22102 Voice: 703.883.5463 Fax: 703.883.1397 From firewalls-owner Mon Dec 5 16:04:53 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA11747 for firewalls-outgoing; Mon, 5 Dec 1994 14:22:26 -0800 Received: from hawk.csd.harris.com (hawk.hcsc.com [204.5.22.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA11703 for ; Mon, 5 Dec 1994 14:22:08 -0800 Received: from london.csd.harris.com by hawk.csd.harris.com (5.61/harris-5.1) id AA08692; Mon, 5 Dec 94 12:12:18 -0500 Received: by london.csd.harris.com (5.61/HARRIS-4.0) id AA01534; Mon, 5 Dec 94 17:10:40 GMT From: jon@london.csd.harris.com (Jon Shallow) Message-Id: <9412051710.AA01534@london.csd.harris.com> Subject: Packet Filter Responses To: firewalls@GreatCircle.COM Date: Mon, 5 Dec 94 17:10:39 GMT X-Mailer: ELM [version 2.2 PL10] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk If there is a packet filter actively dropping packets to ports, should a) ICMP_UNREACH_PORT be sent back for UDP packets ? b) A tcp TH_RST be sent back for TCP packets ? If the answer is no, as attackers are to be slowed down, then this system is not 'net-friendly' and traceroute etc etc are unhappy. If the answer is yes, then it is very easy for an attacker to build up a picture of the filter. 
Regards Jon -- Jon Shallow, Harris Computer Systems jon@london.csd.harris.com Tel +44 (0) 1276 686886 Fax +44 (0) 1276 678733 From firewalls-owner Mon Dec 5 16:34:31 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA12766 for firewalls-outgoing; Mon, 5 Dec 1994 15:14:22 -0800 Received: from dickory.SDSU.Edu (dickory.sdsu.edu [130.191.163.56]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA12755 for ; Mon, 5 Dec 1994 15:13:53 -0800 Received: by dickory.SDSU.Edu (4.1/SDSU-Complex) id AA22413 for delivery to firewalls@greatcircle.com; Mon, 5 Dec 94 15:12:28 PST Date: Mon, 5 Dec 1994 15:08:26 -0800 (PST) From: Jason Matthews Subject: Re: port 113 - auth To: Matthew Harding Cc: firewalls@greatcircle.com In-Reply-To: <9412052130.AA21185@jupiter.worldlinx.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 5 Dec 1994, Matthew Harding wrote: > > We have been receiving numerous queries on this port... can anyone tell > me if it is used by some standard program, or if we should be concerned > at all regarding this activity? Please respond directly and I will post > a summary in a few days. port 113 is used for user authentication. TCP Wrappers can be set at compile time to query for authentication data. Read RFC-931 for specific information. In a nutshell, when one of your users telnets to a site using tcp wrappers the remote site tries to obtain user authentication data. Make sense? 
Jason ---------------------------------------------------------------------------- jason@dickory.sdsu.edu San Diego State University jason@mentor.sdsu.edu College of Engineering jason@BOOM.extern.ucsd.edu Electrical*Computer Engineering ---------------------------------------------------------------------------- The following email address are no longer valid odn@LoD.amaranth.com ---------------------------------------------------------------------------- From firewalls-owner Mon Dec 5 17:06:21 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA13197 for firewalls-outgoing; Mon, 5 Dec 1994 16:04:10 -0800 Received: from ns.draper.com (ns.draper.com [140.102.2.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA13191 for ; Mon, 5 Dec 1994 16:04:03 -0800 Message-Id: <199412060004.QAA13191@miles.greatcircle.com> Received: from surname.draper.com by ns.draper.com id aa26203; 5 Dec 94 19:02 EST Received: from kss1376.draper.com by surname.draper.com id aa19250; 5 Dec 94 19:02 EST X-Sender: kss1376@pop.draper.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 05 Dec 1994 19:02:19 -0500 To: "Bryan D. Boyle" , firewalls@greatcircle.com From: Ken Shores Subject: Re: firewalls FAQ X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 01:11 PM 12/5/94 -0500, Bryan D. Boyle wrote: >On Dec 5, 12:10pm, (Tony Zamora) wrote: >> Subject: Re: firewalls FAQ >> Marcus J Ranum wrote, >> > Note that hiding names in the DNS doesn't address the >> > problem of host names "leaking" out in mail headers, >> > news articles, etc. >> >> How does one go about addressing these problems? When does it become >> worth it? > >In my experience, unless you are absolutely paranoid about the fact that >hostnames may leak out of your firewall, then imo it is not something to >worry (as opposed to be concerned) overly long about. 
This assumes, of >course, that there are no routes available to the hosts whose names >leak out of 'wall. But if the hostnames are leaking out in mail, it's likely that you do have a route to the host: mail. This may have fewer vulnerabilities that a full IP connection, but there has been plenty of evidence that mail can be used to penetrate a host. Of course you'd still have that vulnerability if you were hiding the names. However, as someone else pointed out, names may give away interesting information. I'm sure "bob@os2-source.ibm.com" would be a more likely target for penetration/vandalism than "bob@ibm.com". You can argue that this is just another form of "security through obscurity" and I wouldn't disagree. On the other hand, if you have to have mail, and it may have vulnerabilities, why give away info if you don't need to? Ken P.S. As you can see from my address, I don't lose too much sleep over this issue, or maybe I just trust my mail system. :-) ----- Ken Shores, Sr. Network Analyst The Charles Stark Draper Laboratory, Inc. 
kss1376@pop.draper.com 555 Technology Square, Cambridge, MA 02139-3563 (617) 258-2529 Mail Stop 33 From firewalls-owner Mon Dec 5 21:04:09 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA15621 for firewalls-outgoing; Mon, 5 Dec 1994 20:46:01 -0800 Received: from rover.village.org (rover.village.org [198.137.146.49]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id UAA15616 for ; Mon, 5 Dec 1994 20:45:52 -0800 Received: from localhost (localhost [127.0.0.1]) by rover.village.org (8.6.8/8.6.6) with SMTP id VAA03863; Mon, 5 Dec 1994 21:44:26 -0700 Message-Id: <199412060444.VAA03863@rover.village.org> To: Firewalls@greatcircle.com Subject: Re: Firewalls-Digest V3 #443 Cc: Jason Matthews In-reply-to: Your message of Mon, 05 Dec 1994 16:35:05 PST Date: Mon, 05 Dec 1994 21:44:24 -0700 From: Warner Losh Sender: firewalls-owner@GreatCircle.COM Precedence: bulk : port 113 is used for user authentication. TCP Wrappers can be set at compile : time to query for authentication data. Read RFC-931 for specific : information. In a nutshell, when one of your users telnets to a site : using tcp wrappers the remote site tries to obtain user authentication : data. Make sense? Keep in mind that there are a fair number of ident servers that will always return "Warm-Fuzzy" or something like that, so that you get no useful information. This is done in the interest of maintaining the privacy of the individuals that are using the machine, and to ensure that machine readible usernames aren't sent over the Internet. This is allowed in the ident protocol as a "encrypted user token." See RFC 1413 for current details on the protocol. The data from it should be viewed as "a strong hint" as to who someone on the other end of the line might be. 
Warner From firewalls-owner Mon Dec 5 21:34:09 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA15777 for firewalls-outgoing; Mon, 5 Dec 1994 21:09:44 -0800 Received: from [143.191.19.72] (host-72.greatcircle.com [143.191.19.72]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id VAA15771; Mon, 5 Dec 1994 21:09:36 -0800 X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 5 Dec 1994 23:07:20 -0500 To: cbk@ingress.com (Charles Kaplan), firewalls@greatcircle.com From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: Shadow passwords under SunOs 4.1.3 ? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 03:10 11/30/94, Charles Kaplan wrote: > This is probably simple, but is there a way to make sunos do this. You have to install and enable the optional C2 security package, which is included on the standard OS distribution media (though I forget what the exact package name is). 
-Brent -- Brent Chapman | Great Circle Associates | Call or email for info about Brent@GreatCircle.COM | 1057 West Dana Street | upcoming Internet Security +1 415 962 0841 | Mountain View, CA 94041 | Firewalls Tutorial dates From firewalls-owner Mon Dec 5 22:04:09 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA15768 for firewalls-outgoing; Mon, 5 Dec 1994 21:09:26 -0800 Received: from [143.191.19.72] (host-72.greatcircle.com [143.191.19.72]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id VAA15762; Mon, 5 Dec 1994 21:09:15 -0800 X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 5 Dec 1994 23:06:59 -0500 To: Glenn Mackintosh , firewalls@GreatCircle.COM From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: JANUS at Internet World Cc: mcb@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 18:56 12/4/94, Glenn Mackintosh wrote: >Until I have avoided mentioning when we were going to be at trade shows. If >it upsets people, then I will refrain again in the future. However, there >has been interest expressed by various members of this list in the past in >seeing the JANUS Firewall Server and seeing whether it actually does all the >things we claim it does. This is just a brief note to say that you can drop >by the BNTi booth (921) at Internet World in Washington this week and see it >doing its thing. I don't think you should make more postings like this to Firewalls in the future. One such announcement from one vendor isn't a problem, but if all the vendors announced all their appearances, it would be a problem, and I don't see any practical way to draw a line other than to discourage all such postings. What I'd suggest is you set up a private mailing list for folks interested in your products and announcements, like the "GCA-Announce@GreatCircle.COM" mailing list that I maintain here to make GCA announcements to. 
You're welcome to use the Majordomo software (available for anonymous FTP from FTP.GreatCircle.COM, directory pub/majordomo). Hope things are going well for you guys. -Brent -- Brent Chapman | Great Circle Associates | Call or email for info about Brent@GreatCircle.COM | 1057 West Dana Street | upcoming Internet Security +1 415 962 0841 | Mountain View, CA 94041 | Firewalls Tutorial dates From firewalls-owner Tue Dec 6 01:04:09 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA16823 for firewalls-outgoing; Tue, 6 Dec 1994 00:37:22 -0800 Received: from cohesive.com (cohesive.com [192.104.234.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id AAA16818 for ; Tue, 6 Dec 1994 00:37:16 -0800 From: hharamis@cohesive.com Received: from nts-1.cohesive.com by cohesive.com (4.1/SMI-4.1) id AA01272; Tue, 6 Dec 94 00:34:35 PST Received: from ccMail by nts-1.cohesive.com (IMA Internet Exchange v1.03) id ee41d0f0; Tue, 6 Dec 94 00:13:03 -0800 Mime-Version: 1.0 Date: Tue, 6 Dec 1994 00:35:06 -0800 Message-Id: Subject: Re[2]: port 113 - auth To: firewalls@greatcircle.com Content-Type: text/plain Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Also, some versions of sendmail use the ident protocol when they are connected to. This is a compile time option, usually IDENTPROTO. Harry Haramis hharamis@cohesive.com _______________________________________________________________________________ Subject: Re: port 113 - auth From: Jason Matthews at INTERNET Date: 12/5/94 3:08 PM On Mon, 5 Dec 1994, Matthew Harding wrote: > > We have been receiving numerous queries on this port... can anyone tell > me if it is used by some standard program, or if we should be concerned > at all regarding this activity? Please respond directly and I will post > a summary in a few days. port 113 is used for user authentication. 
TCP Wrappers can be set at compile time to query for authentication data. Read RFC-931 for specific information. In a nutshell, when one of your users telnets to a site using tcp wrappers the remote site tries to obtain user authentication data. Make sense? Jason ---------------------------------------------------------------------------- jason@dickory.sdsu.edu San Diego State University jason@mentor.sdsu.edu College of Engineering jason@BOOM.extern.ucsd.edu Electrical*Computer Engineering ---------------------------------------------------------------------------- The following email address are no longer valid odn@LoD.amaranth.com ---------------------------------------------------------------------------- From firewalls-owner Tue Dec 6 02:05:54 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA17806 for firewalls-outgoing; Tue, 6 Dec 1994 02:02:56 -0800 Received: from xroads.vthrc.uq.oz.au (0@xroads.vthrc.uq.oz.au [130.102.4.16]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id CAA17799 for ; Tue, 6 Dec 1994 02:02:46 -0800 Received: (mailwrap@localhost) by xroads.vthrc.uq.oz.au (8.6.9/8.6.3) id UAA14310 for ; Tue, 6 Dec 1994 20:01:22 +1000 Received: from arundel.vthrc.uq.oz.au(130.102.4.21) by xroads.vthrc.uq.oz.au. via smap (V1.3mjr) id sma014307; Tue Dec 6 20:01:03 1994 X-Sender: thomas@pop3.vthrc.uq.oz.au. Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 6 Dec 1994 20:01:18 +1000 To: firewalls@GreatCircle.COM From: Danny Thomas Subject: Re[2]: port 113 - auth Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Also, some versions of sendmail use the ident protocol when they are >connected to. This is a compile time option, usually IDENTPROTO. indeed. Interestingly, the vast majority of mailers who run ident against our smtp connections don't run ident themselves. Hardly conducive to fostering a web of (mis)trust. 
I suspect the resons people have for not running are not based on suspicion of identd itself being a security weakness, but lack of time/energy/motivation/what's-in-it-for-me. I understand the credibility problem in believing what an arbitrary foreign host tells me, but in particular I'd like to see hosts with large user bases encouraged to run ident. I have encountered a few instances when it was useful since it was installed on the main servers at this institution (and particularly since the packet filtering of ident was removed). Of course it is only a palliative and we await the widespread deployment of secure, authenticated traffic across the Internet, but that ain't going to happen this year. In the meantime ident can sometimes be a useful tool in identifying suspicious connections. cheers, Danny Thomas (D.Thomas@vthrc.uq.edu.au) PS an earlier poster described port 113 as an authentication mechanism. Unfortunately it was named along these lines at some point, but the various protocols sitting on it have never aimed to authenticate (the user), merely point to the account initiating the connection. In our case, we follow the suggestion in the installation guide to return uids rather than user names. 
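The port 113 exchange the thread keeps coming back to, as an added example (not code from any poster): the query a tcp wrappers or sendmail IDENTPROTO host sends, the RFC 1413 reply grammar on the querier side, and a responder that can answer with a username, a uid (as Danny's site does), a keyed opaque token (Warner's "encrypted user token"), or HIDDEN-USER. The connection table and site secret are constructed stand-ins for kernel TCP state and a real key.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple

# RFC 1413 error-types; implementations may also return private "X..." types.
ERROR_TYPES = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}
_PORT_PAIR = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


@dataclass
class IdentReply:
    server_port: int
    client_port: int
    kind: str             # "USERID" or "ERROR"
    opsys: Optional[str]  # "UNIX", "OTHER" (opaque token), ...; None on ERROR
    payload: str          # user-id / token, or the error-type


def parse_port_pair(text: str) -> Optional[Tuple[int, int]]:
    """'<port-on-server> , <port-on-client>'; both must be 1..65535."""
    m = _PORT_PAIR.match(text)
    if not m:
        return None
    sp, cp = int(m.group(1)), int(m.group(2))
    if not (1 <= sp <= 65535 and 1 <= cp <= 65535):
        return None
    return sp, cp


def build_query(server_port: int, client_port: int) -> bytes:
    """The line a querier sends to port 113 on the peer."""
    if parse_port_pair(f"{server_port},{client_port}") is None:
        raise ValueError("ports must be 1..65535")
    return f"{server_port} , {client_port}\r\n".encode("ascii")


def parse_reply(line: str) -> IdentReply:
    """Querier side. The user-id may itself contain ':' and blanks, so split
    on at most three colons and strip only its leading whitespace."""
    parts = line.rstrip("\r\n").split(":", 3)
    if len(parts) < 3:
        raise ValueError("malformed reply")
    pair = parse_port_pair(parts[0])
    if pair is None:
        raise ValueError("bad port pair in reply")
    kind = parts[1].strip().upper()
    if kind == "ERROR":
        err = parts[2].strip()
        if err not in ERROR_TYPES and not err.startswith("X"):
            raise ValueError(f"unknown error-type {err!r}")
        return IdentReply(pair[0], pair[1], "ERROR", None, err)
    if kind == "USERID" and len(parts) == 4:
        opsys = parts[2].split(",", 1)[0].strip().upper()  # drop optional charset
        return IdentReply(pair[0], pair[1], "USERID", opsys, parts[3].lstrip(" \t"))
    raise ValueError("malformed reply")


def opaque_token(name: str, secret: bytes) -> str:
    """Token a querier cannot turn back into a username without the site secret."""
    return hmac.new(secret, name.encode(), hashlib.sha256).hexdigest()[:16]


def answer_query(query: str, owner_of: Callable[[int, int], Optional[Tuple[str, int]]],
                 policy: str = "token", secret: bytes = b"") -> str:
    """Responder side. owner_of(server_port, client_port) -> (username, uid) of the
    local end of that connection, or None. policy: 'username', 'uid', 'token'
    (opsys OTHER, opaque to the querier) or 'hidden' (ERROR : HIDDEN-USER)."""
    text = query.rstrip("\r\n")
    pair = parse_port_pair(text)
    if pair is None:                      # echo what we can, then INVALID-PORT
        m = _PORT_PAIR.match(text)
        sp, cp = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
        return f"{sp} , {cp} : ERROR : INVALID-PORT\r\n"
    sp, cp = pair
    owner = owner_of(sp, cp)
    if owner is None:
        return f"{sp} , {cp} : ERROR : NO-USER\r\n"
    name, uid = owner
    if policy == "hidden":
        return f"{sp} , {cp} : ERROR : HIDDEN-USER\r\n"
    if policy == "uid":
        return f"{sp} , {cp} : USERID : UNIX : {uid}\r\n"
    if policy == "token":
        return f"{sp} , {cp} : USERID : OTHER : {opaque_token(name, secret)}\r\n"
    return f"{sp} , {cp} : USERID : UNIX : {name}\r\n"


def resolve_token(token: str, usernames: Iterable[str], secret: bytes) -> Optional[str]:
    """Site side, when a remote admin reports abuse quoting the token."""
    for name in usernames:
        if hmac.compare_digest(opaque_token(name, secret), token):
            return name
    return None


# Constructed stand-in for the kernel's TCP table: (local, remote port) -> (user, uid).
CONNECTIONS: Dict[Tuple[int, int], Tuple[str, int]] = {(6191, 23): ("stjohns", 1042)}
SITE_SECRET = b"constructed-site-secret"  # placeholder, not a real key


def demo() -> IdentReply:
    """One full exchange: query built, answered with a token, reply parsed."""
    q = build_query(6191, 23).decode("ascii")
    reply = answer_query(q, lambda sp, cp: CONNECTIONS.get((sp, cp)),
                         policy="token", secret=SITE_SECRET)
    return parse_reply(reply)
```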
From firewalls-owner Tue Dec 6 05:35:00 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA22708 for firewalls-outgoing; Tue, 6 Dec 1994 05:27:20 -0800 Received: from gatekeeper.ray.com (gatekeeper.ray.com [138.125.162.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id FAA22702 for ; Tue, 6 Dec 1994 05:26:59 -0800 Received: from localhost (mailer@localhost) by gatekeeper.ray.com (8.6.4/8.6.5) id IAA11592; Tue, 6 Dec 1994 08:23:10 -0500 Received: from swlpak.msd.ray.com by gatekeeper.ray.com; Tue Dec 6 08:24:12 1994 Received: (from wag@localhost) by swlpak.msd.ray.com (8.6.9/8.6.9) id IAA24739; Tue, 6 Dec 1994 08:23:56 -0500 From: William Gianopoulos {84718} Message-Id: <199412061323.IAA24739@swlpak.msd.ray.com> Subject: Re: Packet Filter Responses To: jon@london.csd.harris.com (Jon Shallow) Date: Tue, 6 Dec 1994 08:23:55 -0500 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: <9412051710.AA01534@london.csd.harris.com> from "Jon Shallow" at Dec 5, 94 05:10:39 pm X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1122 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > If there is a packet filter actively dropping packets to > ports, should > > a) ICMP_UNREACH_PORT be sent back for UDP packets ? > > b) A tcp TH_RST be sent back for TCP packets ? > > If the answer is no, as attackers are to be slowed down, then this > system is not 'net-friendly' and traceroute etc etc are unhappy. > > If the answer is yes, then it is very easy for an attacker to build > up a picture of the filter. Different vendors handle this differently, Cisco send an ICMP_UNREACH_HOST for all packets dropped by a filter. This causes a problem if it was a match on port filter because some TCP implementations drop all active connections to a host if an ICMP_HOST_UNREACH is received. 
Wellfleet, on the other hand, does not send any ICMP (or anything else) back to the host on a packet dropped by a filter. It appears that anything you do is probably not right for all cases. -- William A. Gianopoulos; Raytheon Missile Systems Division wag@swl.msd.ray.com -------------------------------------------------------------------- Any opinions expressed above are my own and not that of my employer. From firewalls-owner Tue Dec 6 06:36:51 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA23075 for firewalls-outgoing; Tue, 6 Dec 1994 06:07:36 -0800 Received: from d.ecc.engr.uky.edu (d.ecc.engr.uky.edu [128.163.144.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA23070 for ; Tue, 6 Dec 1994 06:07:32 -0800 Received: from s.ecc.engr.uky.edu by d.ecc.engr.uky.edu (5.59/25-eef) id AA27358; Tue, 6 Dec 94 09:03:02 EST Received: by s.ecc.engr.uky.edu (4.1/SMI-4.1) id AA23064; Tue, 6 Dec 94 09:05:23 EST Date: Tue, 6 Dec 94 09:05:23 EST From: morgan@engr.uky.edu (Wes Morgan) Message-Id: <9412061405.AA23064@s.ecc.engr.uky.edu> To: firewalls@greatcircle.com Subject: Re: port 113 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>We have been receiving numerous queries on this port... > > it's used by the ident daemon to back-trace connections to the > user who originated it. many machines, http daemons, etc > have this feature enabled.. check rfc931 for more info. The Identification Protocol is described in RFC 1413, not RFC 931. The RFC, as well as source code implementations, can be retrieved from ftp.lysator.liu.se, in the /pub/ident directory. 
--Wes From firewalls-owner Tue Dec 6 07:04:50 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA23132 for firewalls-outgoing; Tue, 6 Dec 1994 06:15:26 -0800 Received: from inet-gw-1.pa.dec.com (inet-gw-1.pa.dec.com [16.1.0.22]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA23127 for ; Tue, 6 Dec 1994 06:15:19 -0800 Received: from us1rmc.bb.dec.com by inet-gw-1.pa.dec.com (5.65/10Aug94) id AA21011; Tue, 6 Dec 94 06:05:11 -0800 Received: from ljsrv2.enet by us1rmc.bb.dec.com (5.65/rmc-22feb94) id AA20254; Tue, 6 Dec 94 09:05:27 -0500 Message-Id: <9412061405.AA20254@us1rmc.bb.dec.com> Received: from ljsrv2.enet; by us1rmc.enet; Tue, 6 Dec 94 09:05:27 EST Date: Tue, 6 Dec 94 09:05:27 EST From: Danny Mayer To: afx@ibm.de, firewalls@greatcircle.com Cc: mayer@ljsrv2.enet.dec.com Apparently-To: firewalls@greatcircle.com, afx@ibm.de Subject: RE: Transparent proxy wanted Sender: firewalls-owner@GreatCircle.COM Precedence: bulk You can get a copy of Mosaic modified to full support Proxy Servers from ftp://gatekeeper.dec.com/pub/DEC/Mosaic. This version supports proxies and no_proxy, news_proxy and a case-insensitive mime types. You then need to set up the proxy server to support the firewall at the site. Digital can help with this. 
Danny ================================================================================ Danny Mayer Digital Equipment Corporation Mayer@ljo.dec.com Littleton, MA 01460 ================================================================================ From firewalls-owner Tue Dec 6 07:29:55 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA23302 for firewalls-outgoing; Tue, 6 Dec 1994 06:33:14 -0800 Received: from pegase.total.fr (pegase.total.fr [146.249.41.223]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA23297 for ; Tue, 6 Dec 1994 06:32:53 -0800 Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA02428; Tue, 6 Dec 94 15:28:43 +0100 Received: by tidtest.total.fr (4.1/SMI-4.1) id AA01213; Tue, 6 Dec 94 15:25:03 GMT From: lavondes@tidtest.total.fr (Michel Lavondes) Message-Id: <9412061525.AA01213@tidtest.total.fr> Subject: Re: Packet Filter Responses To: firewalls@greatcircle.com Date: Tue, 6 Dec 94 15:25:02 GMT Reply-To: lavondes@tidtest.total.fr In-Reply-To: <199412061323.IAA24739@swlpak.msd.ray.com>; from "William Gianopoulos {84718}" at Dec 6, 94 8:23 am X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk William Gianopoulos {84718} wrote : > > > > > If there is a packet filter actively dropping packets to > > ports, should > > > > a) ICMP_UNREACH_PORT be sent back for UDP packets ? > > > > b) A tcp TH_RST be sent back for TCP packets ? > > > > [...] > > Different vendors handle this differently, Cisco send an ICMP_UNREACH_HOST > for all packets dropped by a filter. This causes a problem if it was a match > on port filter because some TCP implementations drop all active connections > to a host if an ICMP_HOST_UNREACH is received. Wellfleet, on the other hand, > does not send any ICMP (or anything else) back to the host on a packet dropped > by a filter. It appears that anything you do is probably not right for all > cases. 
> cisco routers can be configured per-interface not to send any ICMP unreachables (no ip unreachables). There is no way to send unreachables except for packets dropped by a filter. -- Michel Lavondes E-Mail : lavondes@tidtest.total.fr lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected) Tel : +33-1-4135-4198 Fax : +33-1-4135-4189 From firewalls-owner Tue Dec 6 07:35:51 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA23779 for firewalls-outgoing; Tue, 6 Dec 1994 07:08:10 -0800 Received: from edison.eng.auburn.edu (edison.eng.auburn.edu [131.204.10.13]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA23769; Tue, 6 Dec 1994 07:07:48 -0800 Received: from netman.eng.auburn.edu (netman.eng.auburn.edu [131.204.12.24]) by edison.eng.auburn.edu (8.6.9/8.6.4) with ESMTP id JAA09688; Tue, 6 Dec 1994 09:06:04 -0600 From: Doug Hughes Received: from localhost (doug@localhost) by netman.eng.auburn.edu (8.6.4/8.6.4) id JAA12403; Tue, 6 Dec 1994 09:06:01 -0600 Date: Tue, 6 Dec 1994 09:06:01 -0600 Subject: Re: Shadow passwords under SunOs 4.1.3 ? To: Brent@greatcircle.com Cc: firewalls@greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="jebbagbfaddc-netman.eng.auburn.edu-11582-0" Content-Transfer-Encoding: 7bit In-Reply-To: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a multimedia message in MIME format. If you are reading this prefix, your mail reader does not understand MIME or is not currently configured to parse MIME messages. You may wish to look into upgrading to a mail reader that does. --jebbagbfaddc-netman.eng.auburn.edu-11582-0 Content-Type: text/plain; charset=us-ascii >At 03:10 11/30/94, Charles Kaplan wrote: >> This is probably simple, but is there a way to make sunos do this. 
> >You have to install and enable the optional C2 security package, which is >included on the standard OS distribution media (though I forget what the >exact package name is). > > >-Brent > >-- >Brent Chapman | Great Circle Associates | Call or email for info about >Brent@GreatCircle.COM | 1057 West Dana Street | upcoming Internet Security >+1 415 962 0841 | Mountain View, CA 94041 | Firewalls Tutorial dates > > Well, you don't HAVE to.. there's a pretty good README on how to do this as shipped, or you can use a free program like "shadow" an ASCII mime attachment going through it follows. No C2 installation involved. PS.. it works.. -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug@eng.auburn.edu "The Light at the end of the tunnel is the headlamp of an oncoming train" --jebbagbfaddc-netman.eng.auburn.edu-11582-0 Content-Type: text/plain Content-Transfer-Encoding: 7bit Content-Description: How to do shadow on SunOS without C2 From knight.vf.ge.com!news.ge.com!psinntp!psinntp!newstand.syr.edu!galileo.cc.rochester.edu!ub!news.kei.com!MathWorks.Com!europa.eng.gtefsd.com!howland.reston.ans.net!news.cac.psu.edu!news.pop.psu.edu!psuvax1!news.cc.swarthmore.edu!news.haverford.edu!ra Mon Jun 13 13:17:37 1994 Article: 33657 of comp.sys.sun.admin Path: knight.vf.ge.com!news.ge.com!psinntp!psinntp!newstand.syr.edu!galileo.cc.rochester.edu!ub!news.kei.com!MathWorks.Com!europa.eng.gtefsd.com!howland.reston.ans.net!news.cac.psu.edu!news.pop.psu.edu!psuvax1!news.cc.swarthmore.edu!news.haverford.edu!ralph.cs.haverford.edu!eoliver From: eoliver@ralph.cs.haverford.edu (Erik Oliver) Newsgroups: comp.sys.sun.admin Subject: NIS Shadow Passwords w/o C2 under Sun OS 4.1.X [Long] Date: 7 Jun 1994 19:42:24 GMT Organization: Haverford College Computer Science Department Lines: 201 Message-ID: <2t2ij0$2cr@saturn.haverford.edu> NNTP-Posting-Host: 165.82.15.42 Keywords: nis shadow 
passwd passwords sunos 4.1.3 After many requests to me and other people I've mailed this to, I am reposting our own internal account of how to setup shadow passwords with NIS w/o C2 security under 4.1.X. Standard disclaimers about lack of responsibility for damages, etc. All I can say is it works for our network of 6 Sun's with 4.1.3 and over 1400 NIS accounts and a good 20 local accounts on a number of machines. Only machines in the same subnet have access to our maps now and total password maps with encrypted password fields never go across the network... I would appreciate hearing from you if you made changes to the procedures that also work or have advice about ways we could improve this procedure... Please do not redistribute without leaving the header intact, thanks. -Erik Setting up the NIS Master with Shadow Passwords under Sun OS 4.1.3 (THIS DOCUMENT IS BASED ON OUR OWN EXPERIENCES WITH SETUP NO GUARANTEES ARE MADE TO ITS SUITABILITY FOR USE AT OTHER SITES. OR ITS CORRECTNESS.) Author: Erik Oliver, eoliver@ralph.cs.haverford.edu Based on work done for Haverford College Academic Computing Center This document describes steps to setup shadow passwords on a network of Sun Workstations running 4.1.2 and 4.1.3 using NIS to obtain passwords. This technique avoids the full process of setting up C2 security, but offers all of the benefits of shadowed passwords, including shadowed passwords over NIS. STEP BY STEP: (1) Obtain Sun Patches: 100564-05 and 100482-04. Assumptions: /etc/passwd contains local accounts and passwords /var/yp contains a file named passwd with the NIS accounts and passwds on the NIS Master, and the Makefile in /var/yp is suitably configured for this location. (2) Setup NIS normally without shadowing based on this information, your /var/yp/Makefile on the NIS Master should have the line with: DIR=/etc reading DIR=/var/yp This will enable it to use /var/yp as the origin of the source files rather than /etc. 
(3) Install patch 100482-04. This contains new versions of ypserv, ypxfrd,
and portmap; this is not directly related to setting up shadowed passwords
but it fixes some security problems and will allow you to use the file
/var/yp/securenets to restrict map access to specific subnets. In our case
we have /var/yp/securenets:

    #
    # /var/yp/securenets file
    #
    # The format of this file is one or more lines of
    #
    # netmask netaddr
    #
    # Both netmask and netaddr must be dotted quads.
    #
    # for example:
    255.255.255.0 165.82.1.0

This means only machines in 165.82.1.X can request maps, etc.

(4) Next install patch 100564-07 as follows:

** NOTE: YOU ARE NOT GOING TO FOLLOW THE PATCH INSTRUCTIONS LETTER FOR
LETTER HERE, FOLLOW THESE INSTRUCTIONS VERY PRECISELY TO GET THINGS TO
WORK **

(4a) Copy the new static versions of rpc.pwdauthd and rpc.yppasswdd into
/usr/etc as instructed on the last page of the patch instructions.

(4b) Then you must modify the passwd file as follows: remove all entries
from the passwd field, second field, of /etc/passwd and replace it with
##username. (You might want to copy passwd to security/passwd.adjunct or
use an awk script to accomplish this task.)

Example:
    root:XXabcdefgh:0:1:Root:/:/bin/csh
Becomes:
    root:##root:0:1:Root:/:/bin/csh

Then in the file /etc/security/passwd.adjunct put entries of the form:
    username:oldpasswd:::::
Example:
    root:XXabcdefgh:::::

Now repeat this process for /etc/group, copying it to
/etc/security/group.adjunct and modifying the second field to ##groupname.

Example:
    wheel:*:1:
Becomes:
    wheel:##wheel:1:

Then in the file /etc/security/group.adjunct put entries of the form:
    groupname:oldpasswd::
Example:
    wheel:*::

You can leave behind any + notations and in fact should if you want the
NIS accounts accessible on that machine.

NOTE: You might want to use an awk script to automate the process for a
long passwd file.
Repeat this for the /var/yp/passwd and /var/yp/group files except this
time the auxiliary file you create is /var/yp/security/passwd.adjunct and
/var/yp/security/group.adjunct respectively.

(4c) Set permissions on the adjunct file/directory:

    chmod 2711 /etc/security /var/yp/security
    chmod 600 /etc/security/passwd.adjunct /var/yp/security/passwd.adjunct
    chmod 600 /etc/security/group.adjunct /var/yp/security/group.adjunct
    chown root.staff /etc/security /var/yp/security /etc/security/passwd.adjunct \
        /var/yp/security/passwd.adjunct /etc/security/group.adjunct \
        /var/yp/security/group.adjunct

(4d) Audit Accounts --- THIS MUST BE DONE whether or not you want to use
the auditd. Also you must add two local accounts and two more NIS
accounts. In /etc/passwd and /var/yp/passwd add:

    AUpwdauthd:##AUpwdauthd:29:10:::/bin/false
    AUyppasswdd:##AUyppasswdd:28:10:::/bin/false

Add the following to /etc/security/passwd.adjunct and
/var/yp/security/passwd.adjunct:

    AUpwdauthd:*:::::
    AUyppasswdd:*:::::

IT IS VITAL THAT THESE TWO ACCOUNTS BE ADDED EXACTLY AS WRITTEN AND TO
BOTH THE LOCAL AND NIS SOURCE FILES, otherwise you will not be able to
login or change passwords.

(5) Fix up the boot process: next, edit the file /etc/rc.local.

(5a) Comment out the lines where auditd is launched.

(5b) Change the line where rpc.yppasswdd is launched to:

    /usr/etc/rpc.yppasswdd /var/yp/passwd \
        /var/yp/security/passwd.adjunct -nogecos -m; echo -n ' yppasswd'

which ensures that it knows about the shadow password file for NIS and
will remake properly. Note: -nogecos prevents users from changing their
full name field. See man rpc.yppasswdd for a description of all flags.

(5c) Double check that ypbind will start with -s:

    if [ -f /etc/security/passwd.adjunct ]; then
        ypbind -s; echo -n ' ypbind'
    else
        ypbind; echo -n ' ypbind'
    fi

(6) Then reboot and cross your fingers. Test that local accounts can log
in and change passwords and then try an NIS account.

(7) ON THE CLIENTS/SLAVE SERVERS: Install 100481-04 in full.
[We are not sure if this is necessary.]

DO THE FOLLOWING with Patch 100564-07: follow the steps listed in (4) for
copying the appropriate static rpc.pwdauthd and rpc.yppasswdd, also follow
the instructions for splitting out the passwd file; you can ignore
anything having to do with the directory /var/yp on a client though. Be
sure to add AUpwdauthd and AUyppasswdd as above to /etc/passwd and
/etc/security/passwd.adjunct. Copy permission information about
/etc/security and /etc/security/passwd.adjunct from above, as well as
/etc/group and /etc/group.adjunct. Then disable the auditd in rc.local and
reboot.

--
Erik Oliver
eoliver@ralph.cs.haverford.edu

--jebbagbfaddc-netman.eng.auburn.edu-11582-0--

DO NOT DELETE the above boundary line. Anything placed after this line will be ignored by MIME readers.

From firewalls-owner Tue Dec 6 08:05:20 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA23511 for firewalls-outgoing; Tue, 6 Dec 1994 06:49:03 -0800
Received: from jpmorgan.jpmorgan.com (jpmorgan.jpmorgan.com [146.149.99.127]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA23506; Tue, 6 Dec 1994 06:48:58 -0800
Received: from tcpg01a.ny.jpmorgan.com by jpmorgan.jpmorgan.com (8.6.9/fma-120691.2); id JAA17156; Tue, 6 Dec 1994 09:47:47 -0500
Received: from fugit.ny.jpmorgan.com (fugit.ny.jpmorgan.com [146.149.54.234]) by tcpg01a.ny.jpmorgan.com (8.6.9/cjy.sub.1.0) with ESMTP id JAA01594
Received: (from cyerkes@localhost) by fugit.ny.jpmorgan.com (8.6.9/8.6.9) id JAA21587; Tue, 6 Dec 1994 09:47:46 -0500
From: "Chuck Yerkes"
Message-Id: <9412060947.ZM21585@fugit.ny.jpmorgan.com>
Date: Tue, 6 Dec 1994 09:47:45 -0500
X-Mailer: Z-Mail (3.2.0 06sep94)
To: firewalls-digest@GreatCircle.COM
Subject: Re: Shadow passwords under SunOs 4.1.3 ?
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It's called the "security" package under 4.1.x, although I've had
tremendous performance problems with it, and I believe it uses RPCs for
its authentication - thus opening more holes. It's referred to as their
"C2" package, but I don't believe it's been submitted for actual C2
certification.

chuck yerkes
consultant guy.

> > At 03:10 11/30/94, Charles Kaplan wrote:
> > This is probably simple, but is there a way to make sunos do this.
>
> You have to install and enable the optional C2 security package, which is
> included on the standard OS distribution media (though I forget what the
> exact package name is).
>
>
> - -Brent

From firewalls-owner Tue Dec 6 08:40:09 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA24073 for firewalls-outgoing; Tue, 6 Dec 1994 07:35:58 -0800
Received: from aero.org (aero.org [130.221.16.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA24068 for ; Tue, 6 Dec 1994 07:35:53 -0800
Received: from simba.aero.org ([130.221.128.205]) by aero.org with SMTP id <111119-1>; Tue, 6 Dec 1994 07:32:45 -0800
Received: by simba.aero.org/D8/sws-04; Tue, 6 Dec 94 07:34:14 PST
Date: Tue, 6 Dec 1994 07:34:14 -0800
From: Glenn Bailey
Posted-Date: Tue, 6 Dec 94 07:34:14 PST
Message-Id: <9412061534.AA24064@simba.aero.org>
To: cbk@ingress.com, firewalls@GreatCircle.COM
Subject: Re: Shadow passwords under SunOs 4.1.3 ?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Brent wrote in response:
*>
*> At 03:10 11/30/94, Charles Kaplan wrote:
*> > This is probably simple, but is there a way to make sunos do this.
*>
*> You have to install and enable the optional C2 security package, which is
*> included on the standard OS distribution media (though I forget what the
*> exact package name is).
*>

The package is called simply "security" and is fairly easy to install and
setup.
The thing to watch is all the auditing that comes with the C2 being
turned on (logs accumulate) and the Secure RPC that is now used. This can
be controlled but requires more thought and reading when setting C2 up
than just the simple example Sun gives.

=================================================================
=> Glenn Bailey           | The Aerospace Corporation          <=
=> gbailey@aero.org       | El Segundo, California             <=
=> (310) 336-8316         |-----------------------------------<=
=> *********************  | Engineering Workstation Support    <=
=================================================================

From firewalls-owner Tue Dec 6 09:05:29 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA23985 for firewalls-outgoing; Tue, 6 Dec 1994 07:30:03 -0800
Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA23974 for ; Tue, 6 Dec 1994 07:29:12 -0800
Received: from anubis (anubis.network.com) by nsco.network.com (4.1/1.34) id AA12477; Tue, 6 Dec 94 09:41:59 CST
Received: from beldar.network.com by anubis (4.1/SMI-4.1) id AA11344; Tue, 6 Dec 94 09:26:57 CST
From: robp@anubis.network.com (Rob Peglar)
Message-Id: <9412061526.AA11344@anubis>
Subject: Re: Packet Filter Responses
To: wag@swl.msd.ray.com (William Gianopoulos {84718})
Date: Tue, 6 Dec 1994 09:29:01 -0600 (CST)
Cc: jon@london.csd.harris.com, firewalls@greatcircle.com
In-Reply-To: <199412061323.IAA24739@swlpak.msd.ray.com> from "William Gianopoulos {84718}" at Dec 6, 94 08:23:55 am
X-Mailer: ELM [version 2.4 PL21]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1733
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > > > If there is a packet filter actively dropping packets to
> > ports, should
> > > > a) ICMP_UNREACH_PORT be sent back for UDP packets ?
> > > > b) A tcp TH_RST be sent back for TCP packets ?
> > > > If the answer is no, as attackers are to be slowed down, then this
> > system is not 'net-friendly' and traceroute etc etc are unhappy.
> > > > If the answer is yes, then it is very easy for an attacker to build
> > up a picture of the filter.
>
> Different vendors handle this differently, Cisco send an ICMP_UNREACH_HOST
> for all packets dropped by a filter. This causes a problem if it was a match
> on port filter because some TCP implementations drop all active connections
> to a host if an ICMP_HOST_UNREACH is received. Wellfleet, on the other hand,
> does not send any ICMP (or anything else) back to the host on a packet dropped
> by a filter. It appears that anything you do is probably not right for all
> cases.

This is why NSC routers with Packet Control Facility (PCF) give the user
the option to either send, with 7 different ICMP reasons (default is
"port unreachable"), or prevent the sending of, an ICMP Unreachable
packet as a filter action. The latter (prevent the sending of) is useful
as a secondary mechanism in case a prior filter sequence decides to send
the ICMP Unreachable, and further investigation (filters) decide that it
is best to do something else instead of sending the ICMP Unreachable.

So, it's entirely up to the user - as the previous posters have noted,
one size does not fit all.
Later

Rob
--
Rob Peglar                    Network Systems Corporation
Router/Switch Group           7600 Boone Avenue North
robp@anubis.network.com       Minneapolis MN 55428
(612)424-4888 x1028

From firewalls-owner Tue Dec 6 16:42:45 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA28927 for firewalls-outgoing; Tue, 6 Dec 1994 16:12:18 -0800
Received: from ki1.chemie.fu-berlin.de (ki1.chemie.fu-berlin.de [130.133.2.21]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA28921 for ; Tue, 6 Dec 1994 16:11:51 -0800
Received: by ki1.chemie.fu-berlin.de (Smail3.1.28.1) from odb.rhein-main.de (193.141.47.4) with smtp id ; Wed, 7 Dec 94 01:10 MET
Received: from [193.141.47.129] by odb.rhein-main.de with smtp (Smail3.1.28.1 #5) id m0rF9w5-0003fMC; Wed, 7 Dec 94 01:08 MET
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 7 Dec 1994 01:09:31 +0100
To: Ken_Beames@ins.com (Ken Beames), firewalls@greatcircle.com
From: maass@odb.rhein-main.de (Joerg Maass)
Subject: Re: Firewall case study
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi Ken,

At 13:09 Uhr 02.12.1994 -0800, Ken Beames wrote:
>
>Please define "Application Gateways".
>

An application gateway is a piece of software that handles communication
requests of application software that are bound to cross the firewall. In
such terms, a WWW proxy agent is an application gateway for WWW (and other
services used by WWW browsers).

>I'd rather not _buy_ a firewall, (as then I know less as to how it's
>built/configured) I'd much rather build one, as I've done before, but those
>needs were different.
>

This is a very secure approach if you

a) have the time and skills to build and maintain a secure firewall
configuration
b) have the time and skills to maintain the necessary software.

If you lack time and/or skills, a commercial firewall solution (including
consultancy.
I'm not talking software packages here) can be a good alternative to
build up know-how and/or get your Internet connection rolling quickly.

>Yes, I screen both ways, and there are two subnets onto which there can be
>a secured subnet, and a semi-secured one with the unix host running the
>firewall-1 filter providing the _only_ route in between.
>

Ah OK, but do you use server nodes on the screened subnet, or do you
handle everything on the filtering host?

>Thanks, Josch, these links will help. Cheers! -Ken.
>

Nasdarovy :-)! You're welcome :-)!

Josch

--
Am Tiergarten 22                    Tel.: +49/69/4990880
D-60316 Frankfurt                   Fax : +49/6103/383-157
Germany                             privat: maass@thinkfish.rhein-main.de
                                    biz.: Joerg.Maass@frs.mts.dec.com
PGP signature available upon request.

From firewalls-owner Tue Dec 6 18:35:57 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA29746 for firewalls-outgoing; Tue, 6 Dec 1994 18:06:31 -0800
Received: from tyrell.net (tyrell.net [198.175.8.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA29741 for ; Tue, 6 Dec 1994 18:06:16 -0800
Received: by tyrell.net id AA01776 (5.65c/IDA-1.4.4 for firewalls@greatcircle.com); Tue, 6 Dec 1994 20:02:33 -0600
Date: Tue, 6 Dec 1994 20:02:32 -0600 (CST)
From: JR of the NCC
To: firewalls@greatcircle.com
Subject: signoff
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

signoff

From firewalls-owner Tue Dec 6 19:04:29 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA29918 for firewalls-outgoing; Tue, 6 Dec 1994 18:31:57 -0800
Received: from uni (uni.ins.com [199.0.193.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA29913 for ; Tue, 6 Dec 1994 18:31:47 -0800
Received: from beames.ins.com (beames.ins.com [199.0.193.42]) by uni (8.6.8.1/8.6.6) with SMTP id SAA23153; Tue, 6 Dec 1994 18:30:39 -0800
Date: Tue, 6 Dec 1994 18:30:39 -0800
Message-Id:
<199412070230.SAA23153@uni>
X-Sender: beames@uni.ins.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: maass@odb.rhein-main.de (Joerg Maass), firewalls@greatcircle.com
From: Ken_Beames@ins.com (Ken Beames)
Subject: Re: Firewall case study
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 01:09 AM 12/7/94 +0100, Joerg Maass wrote:
>Hi Ken,
>
>At 13:09 Uhr 02.12.1994 -0800, Ken Beames wrote:
>>
>>Please define "Application Gateways".
>>
>
>An application gateway is a piece of software that handles communication
>requests of application software that are bound to cross the firewall. In
>such terms, a WWW proxy agent is an application gateway for WWW (and other
>services used by WWW browsers).
>
>>I'd rather not _buy_ a firewall, (as then I know less as to how it's
>>built/configured) I'd much rather build one, as I've done before, but those
>>needs were different.
>>
>
>This is a very secure approach if you
>
>a) have the time and skills to build and maintain a secure firewall
>configuration
>b) have the time and skills to maintain the necessary software.
>
>If you lack time and/or skills, a commercial firewall solution (including
>consultancy. I'm not talking software packages here) can be a good
>alternative to build up know-how and/or get your Internet connection
>rolling quickly.
>
>>Yes, I screen both ways, and there are two subnets onto which there can be
>>a secured subnet, and a semi-secured one with the unix host running the
>>firewall-1 filter providing the _only_ route in between.
>>
>
>Ah OK, but do you use server nodes on the screened subnet, or do you handle
>everything on the filtering host?
>
>>Thanks, Josch, these links will help. Cheers! -Ken.
>>
>
>Nasdarovy :-)! You're welcome :-)!
>
>
>
>Josch
>
>
>--
>Am Tiergarten 22                    Tel.: +49/69/4990880
>D-60316 Frankfurt                   Fax : +49/6103/383-157
>
>Germany                             privat: maass@thinkfish.rhein-main.de
>                                    biz.: Joerg.Maass@frs.mts.dec.com
>
>PGP signature available upon request.
>
>
>
>

Thanks. If any of the _newer_ readers out there didn't understand any of
this case study, please speak up and someone will answer. I get a lot out
of this list, and I'd like to think that I contribute as well as leech!

-------------------------------------=======================================
Ken Beames                          International Network Services
ken_beames@ins.com                  415.254.4205<---->pg:800.601.2907
=====================================----------------------------------------

From firewalls-owner Wed Dec 7 02:06:10 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA02444 for firewalls-outgoing; Wed, 7 Dec 1994 01:40:11 -0800
Received: from clbull.frcl.bull.fr (clbull.frcl.bull.fr [129.182.1.17]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id BAA02434 for ; Wed, 7 Dec 1994 01:39:30 -0800
From: daussin@frene3.frcl.bull.fr
Received: from dpx236.frcl.bull.fr by clbull.frcl.bull.fr; Wed, 7 Dec 1994 10:36:34 +0100 (MET)
Received: from frene3 by dpx236.frcl.bull.fr; Wed, 7 Dec 94 09:19:16 GMT (MET)
Received: from localhost by frene3.frcl.bull.fr; Wed, 7 Dec 94 10:37:44 +0100 (MET)
Message-Id: <9412070937.AA00270@frene3.frcl.bull.fr>
To: firewalls@greatcircle.com
Subject: Information please
Date: Wed, 07 Dec 94 10:37:43 +0100
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am a student who is interested in firewalls and how they work.
Can I also have information about TCP wrapper and how it works.
Is TCP_wrapper necessary in the Firewall's design.

herve.
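Herve's question above asks how the TCP wrapper works, and Steve Kotsopoulos further down this archive mentions running Wietse Venema's tcp wrapper on his IRIX hosts. The following is an added example, written for this archive; it is not code from tcp_wrappers itself nor from anyone in the thread. It models the documented hosts_access(5) decision that the wrapper makes when inetd starts it in place of the real daemon (in.telnetd, in.ftpd, ...): look up the peer's address and hostname, consult /etc/hosts.allow, then /etc/hosts.deny, and only exec the real daemon if access is granted. The two tables and every daemon name, hostname and address in them are constructed samples. Only the common pattern forms (ALL, LOCAL, a ".domain" suffix, a "net." address prefix, net/mask, an exact host or address, and EXCEPT) are modelled; daemon@host and user@host forms, KNOWN/UNKNOWN, and the shell-command and banner options of the real wrapper are left out.

```python
"""Model of tcp_wrappers' hosts_access() decision (added example, not the
wrapper's own code).  Rule order, as documented in hosts_access(5):
  1. first matching (daemon, client) rule in hosts.allow  -> grant
  2. otherwise first matching rule in hosts.deny          -> refuse
  3. otherwise                                            -> grant
"""
import ipaddress
import re

# Constructed sample tables; all names and addresses are assumptions.
HOSTS_ALLOW = """\
# /etc/hosts.allow   daemon_list : client_list
in.telnetd, in.ftpd : 165.82.1.0/255.255.255.0, .haverford.edu
in.fingerd : 165.82.
in.rlogind : ALL EXCEPT 10.0.0.0/255.0.0.0
ALL : LOCAL
"""

HOSTS_DENY = """\
# /etc/hosts.deny    anything not granted above is refused
ALL : ALL
"""


def split_list(field):
    """'a, b EXCEPT c' -> (['a', 'b'], ['c']); tokens separated by blanks/commas."""
    tokens = [t for t in re.split(r"[\s,]+", field.strip()) if t]
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def parse_table(text):
    """Parse a hosts.allow / hosts.deny file into (daemon_list, client_list) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((split_list(daemons), split_list(clients)))
    return rules


def client_matches(pattern, host, addr):
    """Match one client pattern against the peer's hostname and dotted quad."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                          # hostname without a dot
        return "." not in host
    if pattern.startswith("."):                     # domain suffix
        return host.lower().endswith(pattern.lower())
    if pattern.endswith("."):                       # address prefix, e.g. "165.82."
        return addr.startswith(pattern)
    if "/" in pattern:                              # net/mask
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(addr) in network
    return pattern.lower() == host.lower() or pattern == addr


def list_matches(lst, match_one):
    """A list matches if some include pattern matches and no EXCEPT pattern does."""
    include, exclude = lst
    return any(match_one(p) for p in include) and not any(match_one(p) for p in exclude)


def rule_matches(rule, daemon, host, addr):
    daemons, clients = rule
    return (list_matches(daemons, lambda p: p == "ALL" or p == daemon)
            and list_matches(clients, lambda p: client_matches(p, host, addr)))


def hosts_access(daemon, host, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """True if the wrapper would exec `daemon` for a peer (host, addr)."""
    if any(rule_matches(r, daemon, host, addr) for r in parse_table(allow)):
        return True
    if any(rule_matches(r, daemon, host, addr) for r in parse_table(deny)):
        return False
    return True                                     # no rule matched: access granted


if __name__ == "__main__":
    for args in (("in.telnetd", "ralph.cs.haverford.edu", "165.82.15.42"),
                 ("in.telnetd", "evil.example.com", "192.0.2.7"),
                 ("in.rlogind", "host.example.net", "10.1.2.3"),
                 ("in.rlogind", "box", "10.1.2.3")):
        print(args, "->", "grant" if hosts_access(*args) else "refuse")
```

Two things the model makes visible that the man page states in prose: the wrapper is per-daemon, so a host granted in.telnetd is still refused a daemon no rule names, and step 3 means an empty or missing hosts.deny grants everything that hosts.allow did not mention (call hosts_access(..., deny="") to see it), which is why the sample hosts.deny ends in "ALL : ALL".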
From firewalls-owner Wed Dec 7 03:04:41 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA03220 for firewalls-outgoing; Wed, 7 Dec 1994 02:55:59 -0800
Received: from pegase.total.fr (pegase.total.fr [146.249.41.223]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id CAA03215 for ; Wed, 7 Dec 1994 02:55:36 -0800
Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA13193; Wed, 7 Dec 94 11:51:36 +0100
Received: by tidtest.total.fr (4.1/SMI-4.1) id AA01387; Wed, 7 Dec 94 11:47:57 GMT
From: lavondes@tidtest.total.fr (Michel Lavondes)
Message-Id: <9412071147.AA01387@tidtest.total.fr>
Subject: Re: Information please
To: firewalls@greatcircle.com
Date: Wed, 7 Dec 94 11:47:56 GMT
Reply-To: lavondes@tidtest.total.fr
In-Reply-To: <9412070937.AA00270@frene3.frcl.bull.fr>; from "daussin@frene3.frcl.bull.fr" at Dec 7, 94 10:37 am
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

daussin@frene3.frcl.bull.fr wrote :
>
> I am a student who is interested in firewalls and how they work.
> Can I also have information about TCP wrapper and how it works.
> Is TCP_wrapper necessary in the Firewall's design.
>
> herve.
>

My, interest in firewalls is growing fast among students. Should we
celebrate, or look for traps ? Am I getting paranoid ?
--
Michel Lavondes
E-Mail : lavondes@tidtest.total.fr
         lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected)
Tel : +33-1-4135-4198
Fax : +33-1-4135-4189

From firewalls-owner Wed Dec 7 04:34:36 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA06689 for firewalls-outgoing; Wed, 7 Dec 1994 04:19:03 -0800
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id EAA06684 for ; Wed, 7 Dec 1994 04:18:59 -0800
Received: from world.std.com by relay2.UU.NET with SMTP id QQxtgb25056; Wed, 7 Dec 1994 07:16:38 -0500
Received: by world.std.com (5.65c/Spike-2.0) id AA00463; Wed, 7 Dec 1994 07:15:13 -0500
Date: Wed, 7 Dec 1994 07:15:13 +0001 (EST)
From: Jamie C Pole
Subject: Re: Information please
To: Michel Lavondes
Cc: firewalls@greatcircle.com
In-Reply-To: <9412071147.AA01387@tidtest.total.fr>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Look for traps - definitely...

> My, interest in firewalls is growing fast among students. Should we celebrate,
> or look for traps ? Am I getting paranoid ?
> --
> Michel Lavondes
> E-Mail : lavondes@tidtest.total.fr
>          lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected)
> Tel : +33-1-4135-4198
> Fax : +33-1-4135-4189
>

From firewalls-owner Wed Dec 7 06:35:20 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA07247 for firewalls-outgoing; Wed, 7 Dec 1994 06:25:28 -0800
Received: from puzzler.nichols.com (PUZZLER.NICHOLS.COM [152.136.101.56]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA07242 for ; Wed, 7 Dec 1994 06:25:21 -0800
Received: by puzzler.nichols.com (931110.SGI/930416.SGI) for firewalls@greatcircle.com id AA11192; Wed, 7 Dec 94 08:25:34 -0600
Date: Wed, 7 Dec 1994 08:25:32 -0600 (CST)
From: "Thomas L.
Hodges"
Subject: IRIX-based Firewalls
To: firewalls@greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am looking for contact from those individuals who have built firewalls
on Silicon Graphics machines. Your time would be most appreciated.

Thank you.

Tom
______________________________________________________________________________
Thomas L. Hodges                    Nichols Research Corporation
205.955.8407 (voice)                4040 S. Memorial Pkwy., MS-912
205.876.7200 (fax)                  Huntsville, AL 35802
hodgest@puzzler.nichols.com
______________________________________________________________________________

From firewalls-owner Wed Dec 7 07:05:08 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA07282 for firewalls-outgoing; Wed, 7 Dec 1994 06:32:56 -0800
Received: from bonnou.lab.kdd.co.jp (bonnou.lab.kdd.co.jp [192.26.91.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA07277 for ; Wed, 7 Dec 1994 06:32:31 -0800
Received: from planslab.kitsu.sjk.kdd.co.jp by bonnou.lab.kdd.co.jp (8.6.9+2.4W/KDDIP-1.1MX) id XAA10099; Wed, 7 Dec 1994 23:31:36 +0900
Received: from [133.128.64.98] by planslab.kitsu.sjk.kdd.co.jp (8.6.9+2.4W/KDD-1.00MX) id XAA03071; Wed, 7 Dec 1994 23:33:07 +0900
Date: Wed, 7 Dec 1994 23:33:07 +0900
Message-Id: <199412071433.XAA03071@planslab.kitsu.sjk.kdd.co.jp>
To: firewalls@greatcircle.com
From: nozawa@planslab.kitsu.sjk.kdd.co.jp (Atushi NOZAWA)
X-Sender: nozawa@planslab.kitsu.sjk.kdd.co.jp
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-2022-jp
X-Mailer: Eudora-J(1.3.5-J10)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I want to join the firewalls mailing list.
***********************************************************
Atushi Nozawa
KDD Network Engineering Division, Business Communication Department
3-2 Nishishinjuku 2-chome, Shinjuku-ku, Tokyo 163-03 Japan
TEL: +81-3-3347-5557  FAX: +81-3-3347-5553
E-mail: nozawa@kitsu.sjk.kdd.co.jp
***********************************************************

From firewalls-owner Wed Dec 7 08:12:37 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA07871 for firewalls-outgoing; Wed, 7 Dec 1994 07:52:48 -0800
Received: from mwunix.mitre.org (mwunix.mitre.org [128.29.154.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA07865 for ; Wed, 7 Dec 1994 07:52:39 -0800
Received: from mwmgate2.mitre.org (mwmgate2.mitre.org [128.29.155.13]) by mwunix.mitre.org (8.6.4/8.6.4) with SMTP id KAA24896 for <@mwunix.mitre.org:firewalls@GreatCircle.COM>; Wed, 7 Dec 1994 10:50:42 -0500
Message-Id: <199412071550.KAA24896@mwunix.mitre.org>
Date: Wed, 07 Dec 94 10:51:53 EST
From: D_Bauer%huac@MWMGATE1.mitre.org
To: firewalls@GreatCircle.COM
Subject: Wellfleet Training
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Can anyone point me in the direction of any courses covering
packet-filtering with Wellfleet routers?

Thanks.

Dennis.

From firewalls-owner Wed Dec 7 09:28:34 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA08442 for firewalls-outgoing; Wed, 7 Dec 1994 08:51:50 -0800
Received: from cannon.ecf.toronto.edu (root@cannon.ecf.toronto.edu [128.100.8.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA08424 for ; Wed, 7 Dec 1994 08:51:24 -0800
Received: by cannon.ecf.toronto.edu id <3417>; Wed, 7 Dec 1994 11:38:15 -0500
From: Steve Kotsopoulos
To: "Thomas L.
Hodges" , firewalls@greatcircle.com
Subject: Re: IRIX-based Firewalls
Message-Id: <94Dec7.113815edt.3417@cannon.ecf.toronto.edu>
Date: Wed, 7 Dec 1994 11:38:07 -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I am looking for contact from those individuals who have built firewalls
> on Silicon Graphics machines. Your time would be most appreciated.

We don't have a 'real' firewall, but I'm building a couple high-security
servers right now (Challenge S systems, running IRIX 5.3).

IRIX has more built-in security knobs than most OS's right now, you just
have to know how to turn them on. Have a look at the following manpages:

Manpage     Things to look for
-------     ---------------------------------------------------
login       setup /etc/default/login to log all attempts with SYSLOG=ALL,
            add support for external authentication programs with
            SITECHECK=/path/to/prog
portmap     use '-a mask,match' to restrict most of the portmap services
            to a subset of hosts or networks
            use '-v' to log all unprivileged accesses to syslog
rshd        use '-l' to disable validation using .rhosts files
            use '-L' to log all access attempts to syslog
rlogind     use '-l' to disable validation using .rhosts files
            (beware, this was broken prior to IRIX 5.3)
fingerd     use '-l' to log all connections
            use '-S' to suppress information about login status, home
            directory, and shell
            use '-f msg-file' to make it just display that file
ipfilterd   IP packet filtering daemon (never tried it myself)

Also, IRIX 5.3 includes rdist6.1, sendmail8.6.4 (not sure if that's the
latest, but we run a different mailer anyways).

A few notes of caution:

IRIX has lots of gui-based stuff for sysadmin tasks. We always use a find
script to seek out all the setuid files and turn off or remove whatever we
can before putting anything into 'production' use.

Their tftpd does not do a chroot, and instead relies on a list of
'acceptable' directories listed in inetd.conf.
If you have to run tftpd, you should probably chroot it by some other
means. Also remember to remove whatever you don't need from
/etc/inetd.conf.

We use Wietse Venema's tcp wrapper, and chrootuid programs, which work
fine. I haven't tried compiling the TIS fwtk yet, but I'm reading the docs
now.

Of course, use Cops/ISS/whatever to double-check you haven't missed
anything.

Good Luck,
Steve

ps. Here's a script I wrote that checks a few things:

ls -ld /usr/ucb/rdist /usr/etc/arp /usr/sbin/colorview /usr/Cadmin
# lots of setuid stuff under /usr/Cadmin
chmod 700 /usr/Cadmin
# adjust to taste, rdist isn't setuid any more in irix5.3
chmod 755 /usr/ucb/rdist
# if you put your 'staff' in group sys
chmod 2750 /usr/etc/arp
# very yucky bug in irix5.2
chmod 755 /usr/sbin/colorview
# sendmail needs /usr/spool/mqueue, but we don't run sendmail
rm -rf /usr/spool/uucppublic /usr/spool/mqueue
# this setuid-root program was deleted by sgi for irix5.2
rm /usr/bin/under
# disable rexecd in /etc/inetd.conf
# 'rlogind -l' doesn't work in irix5.2, so don't depend on it
# ftp and install security patch from sgi.com:/sgi/IRIX5.0/sendmail
# ftp and install security patch from sgi.com:/sgi/IRIX5.0/lpr
# /usr/sbin/cdinstmgr is setuid root and is a script on some systems

From firewalls-owner Wed Dec 7 09:35:06 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA08582 for firewalls-outgoing; Wed, 7 Dec 1994 09:10:24 -0800
Received: from JBERGER.DOA.STATE.LA.US (jberger.DOA.State.LA.US [192.206.109.29]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA08577 for ; Wed, 7 Dec 1994 09:10:19 -0800
From: JBERGER@JBERGER.DOA.STATE.LA.US
Received: by JBERGER.DOA.STATE.LA.US (IBM OS/2 SENDMAIL VERSION 1.3.2)/1.0) id AA0674; Wed, 07 Dec 94 11:06:30 -0800
Message-Id: <9412071906.AA0674@JBERGER.DOA.STATE.LA.US>
Date: Wed, 7 Dec 94 11:01:14 CST
Reply-To: JBERGER@JBERGER.DOA.STATE.LA.US
To: firewalls@greatcircle.com
Subject: Security Administration
Sender:
firewalls-owner@GreatCircle.COM
Precedence: bulk

Can anyone assist us in defining the security administration
(administrative, non-technical) function vs the need for technical access
to the firewall. Our auditors require separation of administrative
security functions from purely technical duties. How and where is that
line established?

*-*-*-*-*-*-*-*-*-*-*
John E. Bergeron                State of Louisiana
Management Consultant           Voice: (504) 342-5165
P.O. Box 44335                  FAX: (504) 342-5137
Baton Rouge, LA 70802           Email: jberger@jberger.doa.state.la.us

From firewalls-owner Wed Dec 7 11:06:08 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA09394 for firewalls-outgoing; Wed, 7 Dec 1994 10:38:46 -0800
Received: from csn.net (root@csn.org [128.138.213.21]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA09382 for ; Wed, 7 Dec 1994 10:38:11 -0800
Received: from cc.com (cc.com) by csn.net with SMTP id AA22005 (5.65c/IDA-1.4.4 for ); Wed, 7 Dec 1994 11:36:26 -0700
Received: from clc-gate.cc.com ([192.137.59.62]) by cc.com (4.1/SMI-4.1) id AA04597; Wed, 7 Dec 94 11:29:53 MST
To: FIREWALLS@greatcircle.com
From: "Darry L. Cooley"
Date: Wed, 7 Dec 1994 11:37:23 MST
Subject: FireWall Router
X-Gateway: iGate, (WP Office) vers 2.02 - 1051
Message-Id: <9412071241.4ee60fe4.CFC@CLC-GATE.CC.COM>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is anyone using Livingston's IRX FireWall Router? Being resource limited
(in terms of $$ and firewall experience) it appears to be an ideal
starting place. Any experiences good or bad?

Darry L.
Cooley
Comlinear Corporation
darry_cooley@cc.com
(303) 225 9639

From firewalls-owner Wed Dec 7 11:35:27 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA09389 for firewalls-outgoing; Wed, 7 Dec 1994 10:38:33 -0800
Received: from sgi.sgi.com (SGI.COM [192.48.153.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA09384 for ; Wed, 7 Dec 1994 10:38:22 -0800
Received: from machine.engr.sgi.com by sgi.sgi.com via ESMTP (941129.SGI.8.6.9/910110.SGI) id KAA02204; Wed, 7 Dec 1994 10:37:10 -0800
Received: by machine.engr.sgi.com (940816.SGI.8.6.9/911001.SGI) id KAA09730; Wed, 7 Dec 1994 10:36:46 -0800
From: jes@machine.engr.sgi.com (John E. Schimmel)
Message-Id: <199412071836.KAA09730@machine.engr.sgi.com>
Subject: Re: IRIX-based Firewalls
To: steve@ecf.toronto.edu (Steve Kotsopoulos)
Date: Wed, 7 Dec 1994 10:36:46 -0800 (PST)
Cc: hodgest@puzzler.nichols.com, firewalls@greatcircle.com
In-Reply-To: <94Dec7.113815edt.3417@cannon.ecf.toronto.edu> from "Steve Kotsopoulos" at Dec 7, 94 11:38:07 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
Content-Length: 569
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> # adjust to taste, rdist isn't setuid any more in irix5.3
> chmod 755 /usr/ucb/rdist

Note that the old rdist is still shipped as /usr/bsd/ordist. You should
chmod this sucker if it worries you. I put quite a bit of time into it to
make sure that it did things in the most secure way possible, but . . .

---------------------------------------------------
John E. Schimmel                jes@sgi.com
Just Another Hacker             Voice: (415)390-4116
Silicon Graphics Inc.
Fax: (415)967-8496 --------------------------------------------------- From firewalls-owner Wed Dec 7 15:45:24 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA11071 for firewalls-outgoing; Wed, 7 Dec 1994 14:42:00 -0800 Received: from uni (uni.ins.com [199.0.193.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA11066 for ; Wed, 7 Dec 1994 14:41:54 -0800 Received: from markpc.ins.com (markpc.ins.com [199.0.193.183]) by uni (8.6.8.1/8.6.6) with SMTP id OAA27482; Wed, 7 Dec 1994 14:40:08 -0800 Date: Wed, 7 Dec 1994 14:40:08 -0800 Message-Id: <199412072240.OAA27482@uni> X-Sender: kadrich@uni.ins.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: lavondes@tidtest.total.fr, firewalls@GreatCircle.COM From: (Mark S. Kadrich) Subject: Re: Information please X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Paranoia is a healthy thing. I would take the careful route...;-) At 11:47 AM 12/7/94 GMT, lavondes@tidtest.total.fr wrote: >daussin@frene3.frcl.bull.fr wrote : >> >> I am student who is interested in firewalls and how they work. >> Can I also have information about TCP wrapper and how it works. >> Is TCP_wrapper necessary in the Firewall's design. >> >> herve. >> > >My, interest in firewalls is growing fast among students. Should we celebrate, >or look for traps ? Am I getting paranoid ? >-- >Michel Lavondes >E-Mail : lavondes@tidtest.total.fr > lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected) >Tel : +33-1-4135-4198 >Fax : +33-1-4135-4189 > > ****************************************************************** Mark S. Kadrich, Systems Engineer, International Network Services "The Power of Operable Networks" Voice @ 415-254-4225, Page @ 1-800-759-7243; PIN 879-5783 e-mail @ kadrich@uni.ins.com We must all consider our place in the scheme of things, lest we forget its effect on our own schemes. 
****************************************************************** From firewalls-owner Wed Dec 7 15:58:00 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA11515 for firewalls-outgoing; Wed, 7 Dec 1994 15:01:57 -0800 Received: from relay.tis.com (firewall_user@relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id UAA01051 for ; Tue, 6 Dec 1994 20:54:37 -0800 Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma009977; Tue Dec 6 23:53:24 1994 Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA14632; Tue, 6 Dec 94 23:51:22 EST Message-Id: <9412070451.AA14632@tis.com> To: firewalls@greatcircle.com Subject: Program Announcement: ISOC '95 Symp. Net. & Distr. Sys. Security Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Id: <14629.786775880.1@tis.com> Date: Tue, 06 Dec 1994 23:51:21 -0500 From: "David M. Balenson" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ============================================================================== THE INTERNET SOCIETY SYMPOSIUM ON NETWORK AND DISTRIBUTED SYSTEM SECURITY 16-17 FEBRUARY 1995 CATAMARAN HOTEL - SAN DIEGO, CALIFORNIA The symposium will bring together people who are building software and/or hardware to provide network and distributed system security services. The symposium is intended for those interested in the more practical aspects of network and distributed system security, focusing on actual system design and implementation, rather than in theory. We hope to foster the exchange of technical information that will encourage and enable the Internet community to apply, deploy and advance the state of the available security technology. ============================================================================== P R E L I M I N A R Y P R O G R A M WEDNESDAY, FEBRUARY 15 6:00 P.M. - 8:00 P.M. 
REGISTRATION AND RECEPTION - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - THURSDAY, FEBRUARY 16 7:30 A.M. CONTINENTAL BREAKFAST 8:30 A.M. OPENING REMARKS 9:00 A.M. SESSION 1: DIVERSE APPROACHES TO SECURITY AT THE NETWORK LAYER Chair: Stephen T. Kent (Bolt, Beranek and Newman, USA) Multicast-Specific Security Threats and Counter-Measures, Tony Ballardie and Jon Crowcroft (University College London, United Kingdom). Design of a Key Agile Cryptographic System for OC-12c Rate ATM, Daniel Stevenson, Nathan Hillery, Greg Byrd, and Dan Winkelstein (Microelectronics Center of North Carolina - MCNC, USA). IpAccess: An Internet Service Access System for Firewall Installations, Steffen Stempel (University of Karlsruhe, Germany). 10:30 A.M. BREAK 11:00 A.M. SESSION 2: PANEL: SECURITY ARCHITECTURE FOR THE INTERNET INFRASTRUCTURE Chair: Robert W. Shirey (The MITRE Corporation, USA) Security for the Internet Protocol (IP) and IP Next Generation, Paul A. Lambert (Motorola, USA). Security for the Internet Domain Name System, James M. Galvin (Trusted Information Systems, USA). Security of Routing Protocols in the Internet, Gary Scott Malkin (Xylogics, USA). Security Approaches to Routing in the Internet, Sandra L. Murphy (Trusted Information Systems, USA). 12:30 P.M. LUNCH 2:00 P.M. SESSION 3: OFF-LINE OBJECT DISTRIBUTION SECURITY Chair: Jeffrey I. Schiller (Massachusetts Institute of Technology, USA) Trusted Distribution of Software Over the Internet, Aviel D. Rubin (Bellcore, USA). Location-Independent Information Object Security, John Lowry (Bolt Beranek and Newman, USA). 3:00 P.M. BREAK 3:30 P.M. SESSION 4: INTERNET PAYMENTS Chair: Ravi Ganesan (Bell Atlantic, USA) Electronic Cash on the Internet, Stefan Brands (Centrum voor Wiskunde en informatica - CWI, The Netherlands). PANEL: Internet Payment Mechanisms - Requirements and Architecture Chair: Ravi Ganesan (Bell Atlantic, USA) Panelists: B. 
Clifford Neuman (Information Sciences Institute, USA), David Crocker (Brandenburg Consulting, USA), and others TBD 7:00 P.M. DINNER BANQUET - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - FRIDAY, FEBRUARY 17 7:30 A.M. CONTINENTAL BREAKFAST 8:30 A.M. SESSION 5: SECURITY MONITORING TOOLS - PRACTICE AND EXPERIENCE Chair: Michael St. Johns (Advanced Research Projects Agency, USA) NERD: Network Event Recording Device: An Automated System for Network Anomaly Detection and Notification, David G. Simmons and Ronald Wilkins (Los Alamos National Laboratory, USA). An Overview of SNIF: A Tool for Surveying Network Information Flow, Jim Alves-Foss (University of Idaho, USA). Distributed Audit Trail Analysis, Abdelaziz Mounji, Baudouin Le Charlier, Denis Zampunieris and Naji Habra (Facultes Universitaires de Namur - FUNDP, Belgium). 10:00 A.M. BREAK 10:30 A.M. SESSION 6: AUTHENTICATION AND AUTHORIZATION Chair: B. Clifford Neuman (Information Sciences Institute, USA) SESAME V2 Public Key and Authorisation Extensions to Kerberos, Piers McMahon (ICL, United Kingdom). Yaksha: Augmenting Kerberos with Public Key Cryptography, Ravi Ganesan (Bell Atlantic, USA). GSS-API Security for ONC RPC, Barry Jaspan (OpenVision Technologies, USA). 12:00 NOON - 1:30 P.M. LUNCH 1:30 P.M. SESSION 7: MECHANISMS OF IDENTITY - THE CERTIFICATE INFRASTRUCTURE Chair: Hilarie Orman (University of Arizona, USA) A Certificate Management System: Structure, Functions and Protocols, Nada Kapidzic and Alan Davidson (Stockholm University & Royal Institute of Technology, Sweden). PEMToolKit: Building a Top-Down Certification Hierarchy for PEM from the Bottom Up, Alireza Bahreman (Bellcore, USA). A New Approach to the X.509 Framework: Allowing a Global Authentication Infrastructure Without a Global Trust Model, Suzan Mendes (TS-E3X - Research and Development Center, France) and Christian Huitema (INRIA, France). 3:00 P.M. BREAK 3:30 P.M. 
SESSION 8: PANEL: SECURITY ISSUES FOR MOSAIC AND THE WORLD WIDE WEB Chair: Fred Avolio (Trusted Information Systems, USA) Panelists: Peter J. Churchyard (Trusted Information Systems, USA), Allan M. Schiffman (Enterprise Integration Technologies, USA), and Bill Cheswick (AT&T Bell Laboratories, USA) ------------------------------------------------------------------------------ GENERAL CHAIR James T. Ellis, CERT Coordination Center, Carnegie Mellon University PROGRAM CO-CHAIRS David M. Balenson, Trusted Information Systems Robert W. Shirey, The MITRE Corporation PROGRAM COMMITTEE Thomas A. Berson, Anagram Laboratories Matt Bishop, University of California at Davis Ravi Ganesan, Bell Atlantic Stephen T. Kent, Bolt, Beranek and Newman Paul A. Lambert, Motorola John Linn, OpenVision Technologies B. Clifford Neuman, Information Sciences Institute Hilarie Orman, University of Arizona Michael Roe, University of Cambridge (UK) Robert Rosenthal, U.S. National Institute of Standards and Technology Jeffrey I. Schiller, Massachusetts Institute of Technology Peter Yee, U.S. National Aeronautics and Space Administration Roberto Zamparo, Telia Research (Sweden) PUBLICATIONS CHAIR Terry Mayfield, Institute for Defense Analyses REGISTRATIONS CHAIR Gloria Carrier, The MITRE Corporation LOCAL ARRANGEMENTS CHAIR Thomas Hutton, San Diego Supercomputer Center STEERING GROUP Internet Research Task Force, Privacy and Security Research Group ------------------------------------------------------------------------------ BEAUTIFUL SAN DIEGO The Symposium venue is the Catamaran Resort Hotel, providing 7 acres of gorgeous surroundings, facing Mission Bay and only 100 yards from beautiful Pacific Ocean beaches. Spouses and family members can catch a convenient Harbor Hopper for a quick trip to Sea World. After the Symposium, plan to spend the weekend visiting La Jolla, the world famous San Diego Zoo or Mexico, only 30 minutes by car or Trolley. 
A limited number of rooms have been reserved at the Catamaran for the very special rate of $71.56 single, $88 double. Reservations, on a space available basis, can be made by calling (800)-288-0770 and indicating you are attending the ISOC Security Symposium, or by FAXing the hotel registration form attached below. Reservations must be made before Jan. 15, 1995 to ensure the special rate. CLIMATE February weather in San Diego is normally very pleasant. Early morning temperatures average 55 degrees while afternoon temperatures average 67 degrees. Generally, a light jacket or sweater is adequate during February; although, occasionally it rains. TRANSPORTATION San Diego International Airport is 10 miles (approx. 15 minutes) from the Catamaran Hotel. Cloud9 shuttle operates a continuous service between the airport and the hotel: fare is $6.00. When you arrive at the airport, go to the shuttle loading area at either terminal and ask the attendant to radio for a Cloud9 shuttle to the Catamaran. Taxi fare between the airport and the hotel is approx. $20. The Catamaran charges $6 per day for parking. REGISTRATION FEES Postmarked Subsequent by Jan. 6 registration $320 $365 REGISTRATION INCLUDES - Attendance - Symposium Proceedings - Reception - Banquet - Two Luncheons - Coffee Breaks ON-SITE REGISTRATION is available Wednesday evening at the reception, and Thursday morning at the Symposium. FOR MORE INFORMATION on registration contact Gloria Carrier by phone at (703)-883-4508 or via email to gcarrier@mitre.org. ============================================================================== SYMPOSIUM REGISTRATION FORM Name ______________________________________________________________________ Affiliation _______________________________________________________________ Name on Badge _____________________________________________________________ Special Requirements (e.g., dietary)? 
_____________________________________ Mailing Address ___________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ Area Code/Phone # _________________________________________________________ Area Code/FAX # ___________________________________________________________ Email Address _____________________________________________________________ [ ] Check here if you would prefer that your name NOT be included in the list of attendees distributed at the symposium. Make check (credit cards not accepted) payable to ISOC NDSS SYMPOSIUM. (Registration is not effective until payment is received). Mail registration, no later than February 10, 1994, to: ISOC Symposium, C/O Gloria Carrier, The MITRE Corporation, 7525 Colshire Drive, M.S. Z605, McLean, VA 22102-3481, USA. ============================================================================== HOTEL REGISTRATION FORM WELCOME ISOC SECURITY SYMPOSIUM February 16-17, 1995 Single: $71.56 Double: $88.00 Triple: $103.00 Quad: $118.00 Extra Person $15.00 All rates subject to $10.50 room tax Reservations required by: January 15, 1995 Fax this form to the Catamaran Hotel at (619)-490-3328 Name ______________________________________________________________________ Street ____________________________________________________________________ City ___________________________________ State ___________ Zip ____________ Phone # ________________________________ Number in Party ________________ Arrival Date ___________________________ Departure Date _________________ Roommate(s) ____________________________ Special Needs __________________ Credit Card # __________________________ Expires ________________________ Name on Card ______________________________________________________________ Signature _________________________________________________________________ 
============================================================================== From firewalls-owner Wed Dec 7 16:36:46 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA12453 for firewalls-outgoing; Wed, 7 Dec 1994 16:25:14 -0800 Received: from riverside.mr.net (Riverside.MR.Net [137.192.2.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA12447 for ; Wed, 7 Dec 1994 16:25:06 -0800 Received: from .mr.net by riverside.mr.net (8.6.9/SMI-4.1.R931202) id SAA09909; Wed, 7 Dec 1994 18:23:52 -0600 Date: Wed, 7 Dec 1994 18:23:52 -0600 Message-Id: <199412080023.SAA09909@riverside.mr.net> X-Sender: freeman@mr.net Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: freeman@MR.Net (Alex Li) Subject: compiling SCANPORTS X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Anyone here tried to compile the SCANPORTS program in the Firewalls and Internet Security book by Cheswick and Bellovin (p.151) on AIX 3.2.5? Of course it could not find routines like ipcpath(), ipcopen(), and ipcperror(). Can I find a library that has these routines somewhere else? Or are there equivalents in the ANSI C library? In TAMU's Tiger script, it also reported all the well known ports on my system. Maybe I don't need to run SCANPORTS? Please advise. -------------------------------------- Alex Li Health Systems Integration, Inc. 1-800-TEAM-HSI -------------------------------------- 
From firewalls-owner Wed Dec 7 16:48:06 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA11344 for firewalls-outgoing; Wed, 7 Dec 1994 14:55:47 -0800 Received: from iss.net (root@iss.net [198.79.48.60]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA26850 for ; Sun, 4 Dec 1994 16:49:14 -0800 Received: (from cklaus@localhost) by iss.net (8.6.9/8.6.9) id TAA05420 for firewalls@greatcircle.com; Sun, 4 Dec 1994 19:51:11 -0800 From: Christopher Klaus Message-Id: <199412050351.TAA05420@iss.net> Subject: ILF To: firewalls@greatcircle.com Date: Sun, 4 Dec 1994 19:51:10 +1494730 (PST) X-Mailer: ELM [version 2.4 PL20] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 540 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Someone requested information on ILF and said ILF may have been the ones behind the GE breaking. I thought this might help those in search of that information: Organization: TIME Magazine There's an article about the Internet Liberation Front in the current issue of TIME. Available on America Online today, on newsstands and www.timeinc.com tomorrow. -- Christopher William Klaus Voice: (404)518-0099. Fax: (404)518-0030 Internet Security Systems, Inc. Computer Security Consulting 2209 Summit Place Drive, Atlanta, GA. 30350-2450. 
From firewalls-owner Wed Dec 7 17:04:58 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA12458 for firewalls-outgoing; Wed, 7 Dec 1994 16:25:34 -0800 Received: from riverside.mr.net (Riverside.MR.Net [137.192.2.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA12451 for ; Wed, 7 Dec 1994 16:25:12 -0800 Received: from .mr.net by riverside.mr.net (8.6.9/SMI-4.1.R931202) id SAA09904; Wed, 7 Dec 1994 18:23:46 -0600 Date: Wed, 7 Dec 1994 18:23:46 -0600 Message-Id: <199412080023.SAA09904@riverside.mr.net> X-Sender: freeman@mr.net Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: freeman@MR.Net (Alex Li) Subject: Anyone running TAMU's Tiger script on AIX 3.2.5? X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Anyone here running TAMU's Tiger script on AIX 3.2.5? I'm trying to resolve some errors reported by Tiger: SIGNATURE_FILE [init005e] I understand there's no signature file for AIX from TAMU. Would Tripwire do the trick? FILE_ACL [init005e] According to Doug Schales at TAMU, this isn't *too* critical. But I'd still like to get a copy of such list. Any help or pointers are greatly appreciated. TIA. -------------------------------------- Alex Li Health Systems Integration, Inc. 1-800-TEAM-HSI -------------------------------------- 
From firewalls-owner Wed Dec 7 18:35:10 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA13498 for firewalls-outgoing; Wed, 7 Dec 1994 18:28:59 -0800 Received: from relay.tis.com (firewall_user@relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA13493 for ; Wed, 7 Dec 1994 18:28:55 -0800 Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma009663; Wed Dec 7 21:27:38 1994 Received: from otter.tis.com. by tis.com (4.1/SUN-5.64) id AA11222; Wed, 7 Dec 94 21:25:33 EST From: Marcus J Ranum Message-Id: <9412080225.AA11222@tis.com> Subject: Re: compiling SCANPORTS To: freeman@MR.Net (Alex Li) Date: Wed, 7 Dec 1994 21:30:29 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: <199412080023.SAA09909@riverside.mr.net> from "Alex Li" at Dec 7, 94 06:23:52 pm Organization: Trusted Information Systems, Inc. Glenwood, MD Phone: 301-854-6889 Content-Type: text Content-Length: 438 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Alex Li writes: > Anyone here tried to compile the SCANPORTS program in the Firewalls and > Internet Security book by Cheswick and Bellovin (p.151) on AIX 3.2.5? Of > course it could not find routines like ipcpath(), ipcopen(), and > ipcperror(). There's a similar set of tools (portscan and netscan) that are part of the toolkit. FTP ftp.tis.com: pub/firewalls/toolkit/fwtk.tar.Z and you want tools/admin/portscan/portscan.c mjr. 
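A worked example following the SCANPORTS thread above (Alex Li's compile question and Marcus Ranum's pointer to the FWTK portscan tool). This is an added example, not the SCANPORTS code from Cheswick and Bellovin and not the FWTK portscan.c; it uses only the standard socket library, so there is no ipcopen()/ipcpath()/ipcperror() dependency to resolve. It does a plain TCP connect() scan and refuses any target outside an operator-supplied list of local prefixes (LOCAL_PREFIXES is a constructed value, an assumption for the example). The demo() function stands up a listener on 127.0.0.1 so the scan can be exercised without touching any other host.

```python
import ipaddress
import socket

# Constructed example allow-list (an assumption, not from the list discussion):
# the scanner refuses to probe addresses outside these prefixes, so a copy that
# wanders off-site is useless against anyone else's network.
LOCAL_PREFIXES = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
)


def in_local_domain(host, prefixes=LOCAL_PREFIXES):
    """True if host (name or dotted quad) resolves into one of prefixes."""
    addr = ipaddress.ip_address(socket.gethostbyname(host))
    return any(addr in net for net in prefixes)


def service_name(port):
    """Well-known service name for a TCP port, or '?' if /etc/services has none."""
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return "?"


def scan_ports(host, ports, timeout=0.5, prefixes=LOCAL_PREFIXES):
    """TCP connect() scan of host. Returns {port: 'open' | 'closed' | 'filtered'}.

    'closed'   - the target answered with RST (connection refused)
    'filtered' - no answer within timeout, or an ICMP error (what you see
                 when a packet filter drops the SYN)
    """
    if not in_local_domain(host, prefixes):
        raise PermissionError(f"{host} is outside the local prefixes; refusing to scan")
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"
        except OSError:  # timeout, host unreachable, admin prohibited ...
            results[port] = "filtered"
        finally:
            s.close()
    return results


def demo():
    """Self-contained run: one listening and one closed port on the loopback.
    Returns (results, open_port, closed_port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # port released, so a connect() to it now gets RST
    try:
        return scan_ports("127.0.0.1", [open_port, closed_port]), open_port, closed_port
    finally:
        listener.close()


if __name__ == "__main__":
    results, open_port, closed_port = demo()
    for port, state in sorted(results.items()):
        print(f"{port:5d}/tcp {service_name(port):12s} {state}")
```

A connect() scan is the noisy, unprivileged kind: every probe completes a handshake and shows up in the target's logs, which for an in-house audit is what you want. Against anything behind a filter the 'filtered' result is the interesting one, since a refused connection proves the filter let the SYN through.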
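An added example for the Tiger question a couple of messages up (no TAMU signature file for AIX; would Tripwire do the trick). It is neither Tripwire nor Tiger's signature file format; it shows what such a signature database is and what a verification pass reports: a baseline of permission bits, owner, size and a SHA-256 per file, then a later comparison that flags altered contents, altered mode bits (a setuid bit that appeared, say), files that vanished and files that appeared. The demo() function builds the whole scenario in a temporary directory, so every file name in it is constructed; the choice of SHA-256 is this example's, not anything the thread specifies.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile


def file_signature(path):
    """Per-file record: permission bits, owner, size and a SHA-256 of the
    contents (regular files only). No mtime: an intruder can reset that."""
    st = os.lstat(path)
    sig = {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        sig["sha256"] = h.hexdigest()
    return sig


def build_baseline(paths):
    """Signature database for every watched path that currently exists."""
    return {p: file_signature(p) for p in paths if os.path.lexists(p)}


def save_baseline(baseline, dest):
    # In real use keep this file off the monitored host or on read-only
    # media: a database the intruder can rewrite proves nothing.
    with open(dest, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(src):
    with open(src) as f:
        return json.load(f)


def verify(baseline, paths):
    """Compare the watched paths against a baseline. Returns
    {'changed': {path: [fields]}, 'missing': [...], 'new': [...], 'ok': [...]}."""
    current = build_baseline(paths)
    report = {"changed": {}, "missing": [], "new": [], "ok": []}
    for path, old in baseline.items():
        if path not in current:
            report["missing"].append(path)
            continue
        diffs = [k for k in old if current[path].get(k) != old[k]]
        if diffs:
            report["changed"][path] = diffs
        else:
            report["ok"].append(path)
    report["new"] = [p for p in current if p not in baseline]
    return report


def demo():
    """Constructed scenario in a temp dir: one file gets its contents altered,
    one gains a setuid bit, one disappears, one appears. Returns the report
    and the four paths, in that order."""
    d = tempfile.mkdtemp()
    altered, suid, gone, added = (
        os.path.join(d, n) for n in ("rdist", "ordist", "oldtool", "newtool")
    )
    for p in (altered, suid, gone):
        with open(p, "w") as f:
            f.write("original contents\n")
        os.chmod(p, 0o755)
    watched = [altered, suid, gone, added]
    dbfile = os.path.join(d, "baseline.json")  # demo only; see save_baseline()
    save_baseline(build_baseline(watched), dbfile)

    with open(altered, "a") as f:  # contents change, mode does not
        f.write("trojan\n")
    os.chmod(suid, 0o4755)  # setuid bit appears
    os.remove(gone)
    with open(added, "w") as f:  # unexpected new file
        f.write("x\n")

    report = verify(load_baseline(dbfile), watched)
    shutil.rmtree(d)
    return report, altered, suid, gone, added


if __name__ == "__main__":
    report, *_ = demo()
    print(json.dumps(report, indent=1))
```

The report is only as trustworthy as the baseline: take it from a freshly installed system before it goes on the network, and store it somewhere the host itself cannot write.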
From firewalls-owner Wed Dec 7 21:15:23 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA00491 for firewalls-outgoing; Wed, 7 Dec 1994 20:46:11 -0800 Received: from CSOS.ORST.EDU (root@CSOS.ORST.EDU [128.193.40.17]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id UAA00486 for ; Wed, 7 Dec 1994 20:46:01 -0800 Received: from localhost (lazore@[127.0.0.1]) by CSOS.ORST.EDU (8.6.9/8.6.6) with ESMTP id UAA24534; Wed, 7 Dec 1994 20:43:39 -0800 Message-Id: <199412080443.UAA24534@CSOS.ORST.EDU> To: Jamie C Pole cc: Michel Lavondes , firewalls@greatcircle.com Subject: Re: Information please In-reply-to: Your message of "Wed, 07 Dec 1994 07:15:13 +0001." Date: Wed, 07 Dec 1994 20:43:31 -0800 From: Ed Lazor Sender: firewalls-owner@GreatCircle.COM Precedence: bulk from: Jamie C Pole > > Look for traps - definitely... > awww... come on, not everyone expressing interest in learning more about firewalls and system security is trying to break in some place. From firewalls-owner Thu Dec 8 03:15:11 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA03604 for firewalls-outgoing; Thu, 8 Dec 1994 02:52:54 -0800 Received: from zaphod.axion.bt.co.uk (zaphod.axion.bt.co.uk [132.146.5.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id CAA03599 for ; Thu, 8 Dec 1994 02:52:50 -0800 Received: from everest.srd.bt.co.uk by zaphod.axion.bt.co.uk with SMTP (PP); Thu, 8 Dec 1994 10:50:46 +0000 Received: from ariel.srd.bt.co.uk by everest.srd.bt.co.uk; Thu, 8 Dec 94 10:50:31 GMT From: Jake Hill Date: Thu, 8 Dec 94 10:49:25 GMT Message-Id: <4818.9412081049@ariel.srd.bt.co.uk> To: firewalls@greatcircle.com Subject: Re: IRIX-based Firewalls Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > servers right now (Challenge S systems, running IRIX 5.3). IRIX has more > built-in security knobs than most OS's right now, you just have to know ^^^^^ Shouldn't that be HOLES? 
:-) Jake From firewalls-owner Thu Dec 8 05:15:28 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA06979 for firewalls-outgoing; Thu, 8 Dec 1994 05:12:34 -0800 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA06974 for ; Thu, 8 Dec 1994 05:12:28 -0800 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA26856; Thu, 8 Dec 94 08:00:11 -0500 Date: Thu, 8 Dec 94 08:00:11 -0500 Message-Id: <9412081300.AA26856@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: SCANPORTS Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Alex Li writes: >In TAMU's Tiger script, it also reported all the well known ports on my >system. Maybe I don't need to run SCANPORTS? Well, the TIS FWTK also contains a similar program and I *assume* the FWTK is complete (do not particularly care for UNIX - see "Quigley Down Under" - so haven't tried to compile it). Must admit I have had mixed emotions about such programs. True they are valuable tools for the professional, but are equally valuable tools for intruders. When the Sidewinder Challenge opened, I posted the output of a program I wrote that checked the B&C appendix A ports plus a few other interesting ones, but have been reluctant to make it available on the net for the above reason. Then again it might help make people more aware of the exposures. Now the FWTK program (I forget the name), for reasons that would be obvious to anyone who uses it, is useful only on the local domain and I have been thinking about doing something more limited - "fixing" the program so that it will *only* work on the local domain and making it available to the firewalls crowd - good, bad, & ugly. Comments ? 
Warmly, Padgett ps it runs on PCs From firewalls-owner Thu Dec 8 05:45:31 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA07073 for firewalls-outgoing; Thu, 8 Dec 1994 05:40:36 -0800 Received: from relay.tis.com (firewall_user@relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA07068 for ; Thu, 8 Dec 1994 05:40:27 -0800 Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma012989; Thu Dec 8 08:38:55 1994 Received: by tis.com (4.1/SUN-5.64) id AA08181; Thu, 8 Dec 94 08:36:48 EST Date: Thu, 8 Dec 94 08:36:48 EST From: Frederick M Avolio Message-Id: <9412081336.AA08181@tis.com> To: firewalls@greatcircle.com Subject: CPF: 5th USENIX UNIX Security Symposium Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ANNOUNCEMENT and CALL FOR PAPERS 5th USENIX UNIX Security Symposium June 5-7, 1995 Salt Lake City Marriott Hotel Salt Lake City, Utah Sponsored by the USENIX Association, the UNIX and Advanced Computing Systems Professional and Technical Association In cooperation with: The Computer Emergency Response Team (CERT), IFIP WG 11.4, and UniForum IMPORTANT DATES DATES FOR REFEREED PAPER SUBMISSIONS Extended abstracts due: Feb 13, 1995 Program Committee decisions made: Mar 8, 1995 Camera-ready final papers due: May 1, 1995 Registration Materials Available: March 1995 PROGRAM COMMITTEE Program Chair: Fred Avolio, Trusted Information Systems, Inc. Steve Bellovin, AT&T Bell Laboratories Bill Cheswick, AT&T Bell Laboratories Ed DeHart, CERT Ed Gould, Digital Equipment Corporation Marcus Ranum, Trusted Information Systems, Inc. Jeff Schiller, MIT Gene Spafford, COAST Laboratory, Purdue University OVERVIEW The goal of this symposium is to bring together security practitioners, researchers, system administrators, systems programmers, and others with an interest in computer security as it relates to networks and the UNIX operating system. 
This will be a 3 day, single-track symposium. The symposium will consist of tutorials, refereed and invited technical presentations, and panel sessions. The first day will be devoted to tutorial presentations. Two days of technical sessions will follow the tutorials. TUTORIALS [June 5] This one-day tutorial program is designed to address the needs of both technical and management attendees. The tutorials will supply overviews of various security mechanisms and policies. Each will provide specifics to the system and site administrator for implementing numerous local and network security precautions, firewalls, and monitoring systems. KEYNOTE AND TECHNICAL SESSIONS [June 6-7] The keynote address by Stephen T. Walker, Founder and President of Trusted Information Systems, will begin the technical sessions program. Mr. Walker will speak on information security and privacy in computing. Mr. Walker is an electronics engineer and computer systems analyst with over 25 years of experience in system design and program management; particularly extensive is his experience with the design and implementation of large scale computer networks and information systems. He is nationally recognized for his pioneering work on the DoD Computer Security Initiative, the establishment of the National Computer Security Center, and the formation of the Defense Data Network. He is a member of the Computer System Security and Privacy Advisory Board, established by the Computer Security Act of 1987. The technical sessions program, in addition to presentations of refereed papers, will include invited talks, and possibly panel sessions. There will also be two evenings available for Birds-of-a-Feather sessions (BoFs) and Works-in-Progress Reports (WiPs). The program committee invites you to submit proposals, ideas, or suggestions for these presentations; your suggestions may be submitted to the program chair via email to: securitypapers@usenix.org or by post to the address given below. 
Papers that have been formally reviewed and accepted will be presented during the symposium and published in the symposium proceedings. Proceedings of the symposium will be published by USENIX and will be provided free to technical session attendees; additional copies will be available for purchase from USENIX. SYMPOSIUM TOPICS Presentations are being solicited in areas including but not limited to: *User/system authentication *File system security *Network security *Security and system management *Security-enhanced versions of the UNIX operating system *Security tools *security incident investigation and response *computer misuse and anomaly detection *security in heterogeneous environments *configuration management to support security *security-related testing methods *case studies REFEREED PAPER SUBMISSIONS Submissions must be received by Feb 13, 1995. Full papers should be 10 to 15 pages. Instead of a full paper, authors may submit an extended abstract which discusses key ideas. Extended abstracts should be 5-7 pages long (about 2500-3500 words), not counting references and figures. The body of the extended abstract should be in complete paragraphs. The object of an extended abstract is to convince the reviewers that a good paper and presentation will result. All submissions will be judged on originality, relevance, and correctness. Each accepted submission will be assigned a member of the program committee to act as its shepherd through the preparation of the final paper. The assigned member will act as a conduit for feedback from the committee to the authors. Camera-ready final papers are due May 1, 1995. Please accompany each submission by a cover letter stating the paper title and authors along with the name of the person who will act as the contact to the program committee. Please include a surface mail address, daytime and evening phone number, and, if available, an email address and fax number for the contact person. 
If you would like to receive detailed guidelines for submission and examples of extended abstracts, you may send email to: securityauthors@usenix.org or telephone the USENIX Association office at +1 510 528 8649. The UNIX Security Symposium, like most conferences and journals, requires that papers not be submitted simultaneously to another conference or publication and that submitted papers not be previously or subsequently published elsewhere. Papers accompanied by "non-disclosure agreement" forms are not acceptable and will be returned to the author(s) unread. All submissions are held in the highest confidentiality prior to publication in the Proceedings, both as a matter of policy and in accord with the U.S. Copyright Act of 1976. WHERE TO SUBMIT Please send one copy of a full paper or an extended abstract to the program committee via two of the following methods. All submissions will be acknowledged. o Preferred Method: email (Postscript or ASCII) to: securitypapers@usenix.org o Alternate Method: postal delivery to Fred Avolio Trusted Information Systems 3060 Washington Road Glenwood, MD 21738 +1 410 442 1673 o Fax: +1 301 854 5363 REGISTRATION MATERIALS Materials containing all details of the technical and tutorial programs, registration fees and forms, and hotel information will be available beginning in March 1995. 
If you wish to receive the registration materials, please contact USENIX at: USENIX Conference Office 22672 Lambert Street, Suite 613 Lake Forest, CA USA 92630 +1 714 588 8649; Fax: +1 714 588 9706 email: conference@usenix.org From firewalls-owner Thu Dec 8 08:19:01 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA07788 for firewalls-outgoing; Thu, 8 Dec 1994 07:52:15 -0800 Received: from Sun.COM (Sun.COM [192.9.9.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA07772 for ; Thu, 8 Dec 1994 07:51:51 -0800 Received: from snail.Sun.COM (snail-swanbb.West.Sun.COM) by Sun.COM (sun-barr.Sun.COM) id AA01836; Thu, 8 Dec 94 07:50:08 PST Received: from France (isunfra) by snail.Sun.COM (4.1/SMI-4.1) id AA07157; Thu, 8 Dec 94 07:50:06 PST Received: from mygale.France.Sun.COM by France (4.1/SMI-4.1) id AA19253; Thu, 8 Dec 94 16:50:05 +0100 Received: from changi.France.Sun.COM by mygale.France.Sun.COM (5.0/SMI-SVR4 (1/24/94)) id AA13234; Thu, 8 Dec 1994 16:50:09 --100 Received: by changi.France.Sun.COM (5.0/SMI-SVR4) id AA02064; Thu, 8 Dec 1994 16:48:02 --100 Date: Thu, 8 Dec 1994 16:48:02 --100 From: Denis.Martin@France.Sun.COM (Denis Martin - SunService France - IT-OPS) Message-Id: <9412081548.AA02064@changi.France.Sun.COM> To: firewalls@greatcircle.com Subject: REGISTARTION ANSWER X-Sun-Charset: US-ASCII Content-Length: 139 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, I was on the last FIREWALL TOI Can you please register me to the firewall@greatcircle.com alias. 
thanks in advance
Denis

From firewalls-owner Thu Dec 8 09:18:22 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA07867 for firewalls-outgoing; Thu, 8 Dec 1994 08:08:24 -0800
Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA07861 for ; Thu, 8 Dec 1994 08:08:17 -0800
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU via SMTP; Thu, 8 Dec 1994 11:06:40 -0500
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-5.67b/res.client.cf-3.7) id AA08242; Thu, 8 Dec 1994 11:06:38 -0500
Date: Thu, 8 Dec 1994 11:06:38 -0500
From: long-morrow@CS.YALE.EDU (H Morrow Long)
Message-Id: <199412081606.AA08242@SPARKY.CF.CS.YALE.EDU>
To: cklaus@iss.net, firewalls@greatcircle.com
Subject: Re: ILF
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The URL that will get you directly to the TIME ILF story ("TERROR ON THE INTERNET" by PHILIP ELMER-DEWITT) is:

http://www.timeinc.com/time/magazine/domestic/1994/941212/941212.technology.html

-Morrow

Christopher William Klaus wrote:
>Someone requested information on ILF and said ILF may have been the ones
>behind the GE breaking. I thought this might help those in search of that
>information:
>
>Organization: TIME Magazine
>
>There's an article about the Internet Liberation Front in the current
>issue of TIME. Available on America Online today, on newsstands and
>www.timeinc.com tomorrow.
From firewalls-owner Thu Dec 8 10:27:06 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA08171 for firewalls-outgoing; Thu, 8 Dec 1994 08:57:03 -0800
Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA08166 for ; Thu, 8 Dec 1994 08:56:57 -0800
Received: from uucp6.UU.NET by relay3.UU.NET with SMTP id QQxtkl09058; Thu, 8 Dec 1994 11:55:14 -0500
Received: from rosevax.UUCP by uucp6.UU.NET with UUCP/RMAIL ; Thu, 8 Dec 1994 11:55:13 -0500
Received: from reddwarf.pond by rosevax.rosemount.com (4.1/smail2.5/RMT4.1) id ; Thu, 8 Dec 94 10:33:34 CST
Received: by reddwarf.pond (5.0/SMI-SVR4) id AA02708; Thu, 8 Dec 1994 10:32:50 +0600
From: grante@rosevax.rosemount.com (Grant Edwards)
Message-Id: <9412081632.AA02708@reddwarf.pond>
Subject: Re: Information please
To: uunet!greatcircle.com!firewalls@uunet.uu.net
Date: Thu, 8 Dec 1994 10:32:49 -0600 (CST)
X-Mailer: ELM [version 2.4 PL21]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 526
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ed Lazor writes:
> > Look for traps - definitely...
> awww... come on, not everyone expressing interest in learning more
> about firewalls and system security is trying to break in some place.

Indeed. Some of us are trying to break _out_. I've been trying for weeks to get a Unix-based WWW browser to work with our firewall, but to no avail. All the DOS weenies around me can surf the web, but nobody with a Unix workstation can...

--
Grant Edwards
Rosemount Inc.
grante@rosemount.com

From firewalls-owner Thu Dec 8 11:16:30 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA08642 for firewalls-outgoing; Thu, 8 Dec 1994 09:59:22 -0800
Received: from motgate.mot.com (motgate.mot.com [129.188.136.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA08637 for ; Thu, 8 Dec 1994 09:59:05 -0800
Received: from pobox.mot.com by motgate.mot.com with SMTP (5.67b/IDA-1.4.4/MOT-3.1 for ) id AA19252; Thu, 8 Dec 1994 11:56:54 -0600
Received: from phx.sectel.mot.com (rambo.phx.sectel.mot.com) by pobox.mot.com with SMTP (5.67b/IDA-1.4.4/MOT-3.1 for ) id AA07872; Thu, 8 Dec 1994 11:56:53 -0600
Received: from starglow.sectel (starglow.phx.sectel.mot.com) by phx.sectel.mot.com (4.1/SMI-4.1) id AA24736; Thu, 8 Dec 94 10:57:47 MST
Date: Thu, 8 Dec 94 10:57:47 MST
From: thur@phx.sectel.mot.com (thu tran)
Message-Id: <9412081757.AA24736@ phx.sectel.mot.com>
To: firewalls@greatcircle.com
Subject: FTP and Telnet Proxies
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone know of any other sources to get free FTP and Telnet proxies (code) besides TIS Toolkit? TIS requires a commercial license if the Toolkit is incorporated into any program or other product that is sold (which translates to royalties for TIS). I want to be able to modify the code and use it freely.

Thanks in advance,
Thu Tran
_____________________________________________________________________
Thu T. Tran                       Motorola ISB
Motorola GSTG, M/S: R1209         Phone: (602)441-3077
8220 East Roosevelt Road          Fax:   (602)441-8864
Scottsdale AZ 85257               Email: Thu_Tran@email.mot.com
_______________________________________________________________________

From firewalls-owner Thu Dec 8 12:46:13 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA09965 for firewalls-outgoing; Thu, 8 Dec 1994 12:35:45 -0800
Received: from netcom5.netcom.com (kenh@netcom5.netcom.com [192.100.81.113]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA09954 for ; Thu, 8 Dec 1994 12:35:20 -0800
Received: by netcom5.netcom.com (8.6.9/Netcom) id MAA22956; Thu, 8 Dec 1994 12:33:32 -0800
Date: Thu, 8 Dec 1994 12:33:32 -0800
From: kenh@netcom.com (Ken Harris)
Message-Id: <199412082033.MAA22956@netcom5.netcom.com>
To: avolio@tis.com, firewalls@greatcircle.com
Subject: Re: CPF: 5th USENIX UNIX Security Symposium
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Shouldn't that be Salt Lake in February and San Diego in June?

From firewalls-owner Thu Dec 8 13:19:17 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA09905 for firewalls-outgoing; Thu, 8 Dec 1994 12:30:50 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA09897 for ; Thu, 8 Dec 1994 12:30:20 -0800
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA29618; Thu, 8 Dec 94 15:21:52 -0500
Date: Thu, 8 Dec 94 15:21:52 -0500
Message-Id: <9412082021.AA29618@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Socket2me
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

PLEASE: I asked for comments, not requests to send.
I -=>may<=- get time to modify the program as I mentioned over Christmas break and am not going to entertain requests until then. Further, when it is ready I will post the executables on a large FTP site (probably oak) since that is where the rest of my FreeWare is posted. Finally, it will be in compiled form for an Intel platform under MS-DOS or capable; I will not distribute the source code. (If you want to roll your own - the WATTCP library is a good starting point).

Warmly,
Padgett

From firewalls-owner Thu Dec 8 13:47:23 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA10124 for firewalls-outgoing; Thu, 8 Dec 1994 12:50:38 -0800
Received: from svcs1.digex.net (svcs1.digex.net [164.109.10.23]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA10111 for ; Thu, 8 Dec 1994 12:49:05 -0800
Received: from paragon-systems.com (sundevil.paragon-systems.com) by svcs1.digex.net with SMTP id AA26556 (5.67b8/IDA-1.5 for ); Thu, 8 Dec 1994 15:47:14 -0500
Received: from sandfiddler.paragon-systems.com by paragon-systems.com (4.1/SMI-4.1) id AA01912; Thu, 8 Dec 94 15:47:57 EST
Received: by sandfiddler.paragon-systems.com (4.1/SMI-4.1) id AA00266; Thu, 8 Dec 94 15:44:53 EST
Date: Thu, 8 Dec 94 15:44:53 EST
From: rmck@paragon-systems.com
Message-Id: <9412082044.AA00266@sandfiddler.paragon-systems.com>
To: firewalls@greatcircle.com
Subject: Firewall Software - Application, or Utility?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Anyone want to settle an argument (sorry, no money involved) between a Gov't. Agency and a contractor?

Generally speaking, is firewall software, i.e. Gauntlet, Eagle, Toolkit, Interlock, SEAL, Firewall-1 etc., considered "applicationware", a bastion host utility, or a sub-architecture?
-rmck

From firewalls-owner Thu Dec 8 14:16:54 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA10629 for firewalls-outgoing; Thu, 8 Dec 1994 13:55:32 -0800
Received: from delphi.ndhm.gtegsc.com (delphi.ndhm.gtegsc.com [155.95.155.160]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA10624 for ; Thu, 8 Dec 1994 13:55:17 -0800
Date: Thu, 8 Dec 1994 13:55:17 -0800
Message-Id: <199412082155.NAA10624@miles.greatcircle.com>
Received: from [155.95.35.29] ([155.95.35.29]) by delphi.ndhm.gtegsc.com with SMTP; Thu, 8 Dec 1994 16:55:03 -0500 (EST)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: moscone@gtec3.ndhm.gtegsc.com (Nick Moscone)
Subject: Connecting Isolated Networks
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

We currently have a T1 WAN connecting about 30 sites across the USA, and have 2 Internet connections into our network (1 on the east coast and 1 on the west). Our security plans involve establishing firewalls at the 2 sites with the Internet connections, and establishing isolated "dirty" nets at those 2 sites to support systems which must be accessible from the Internet.

However, we also have requirements to make systems at other sites accessible. What we're thinking is to also install firewalls & isolated networks at these sites, and to allow the isolated networks to talk to each other via the WAN. All routers on the net are Cisco, and we're considering using tunneling to connect the "dirty" nets.

My question is, are there any potential security risks in allowing "dirty" traffic to travel over our "clean" network? Any comments would be appreciated. Would also be interested in knowing how other companies handle this.
Thanks
Nick Moscone
Manager, Enterprise Network Services
GTE Government Systems
617-455-2098

From firewalls-owner Thu Dec 8 15:04:33 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA11079 for firewalls-outgoing; Thu, 8 Dec 1994 14:34:21 -0800
Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA11073 for ; Thu, 8 Dec 1994 14:34:16 -0800
Received: from miriworld.its.unimelb.edu.au by relay1.UU.NET with SMTP id QQxtli09120; Thu, 8 Dec 1994 17:32:54 -0500
Received: (from danny@localhost) by miriworld.its.unimelb.edu.au (8.6.9/8.6.9) id JAA19904; Fri, 9 Dec 1994 09:32:51 +1100
Date: Fri, 9 Dec 1994 09:32:50 +1100 (EST)
From: "Daniel O'Callaghan"
Subject: Re: Information please
To: Grant Edwards
cc: uunet!greatcircle.com!firewalls@uunet.uu.net
In-Reply-To: <9412081632.AA02708@reddwarf.pond>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 8 Dec 1994, Grant Edwards wrote:

> Indeed. Some of us are trying to break _out_. I've been trying for
> weeks to get a Unix-based WWW browser to work with our firewall, but
> to no avail. All the DOS weenies around me can surf the web, but
> nobody with a Unix workstation can...
Install CERN httpd as a proxy server

From firewalls-owner Thu Dec 8 15:37:11 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA10918 for firewalls-outgoing; Thu, 8 Dec 1994 14:18:23 -0800
Received: from muse.microunity.com (muse1.microunity.com [192.216.206.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA10912 for ; Thu, 8 Dec 1994 14:18:01 -0800
Received: from gaea.microunity.com by muse.microunity.com (4.1/ericm1.1) id AA12009; Thu, 8 Dec 94 14:15:34 PST
Received: from angst.microunity.com by gaea.microunity.com (4.1/muse1.3) id AA29312; Thu, 8 Dec 94 14:15:31 PST
Received: by angst.microunity.com (5.61/muse.mw-2) id AA24504; Thu, 8 Dec 94 14:15:28 -0800
From: ericm@MicroUnity.com (Eric Murray)
Message-Id: <9412082215.AA24504@angst.microunity.com>
Subject: Re: Firewall Software - Application, or Utility?
To: rmck@paragon-systems.com
Date: Thu, 8 Dec 94 14:15:23 PST
Cc: firewalls@greatcircle.com
In-Reply-To: <9412082044.AA00266@sandfiddler.paragon-systems.com>; from "rmck@paragon-systems.com" at Dec 8, 94 3:44 pm
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

rmck@paragon-systems.com wrote:
>
> Anyone want to settle an argument (sorry, no money involved) between a Gov't. Agency and a contractor?

heh.

"would you like to step between this speeding train and a large rock? it'll only hurt for a moment".

> Generally speaking, is firewall software, i.e. Gauntlet, Eagle, Toolkit, Interlock, SEAL, Firewall-1 etc., considered "applicationware", a bastion host utility, or a sub-architecture?

define "applicationware" and "sub-architecture" and we'll tell you.
--
ericm
ericm@microunity.com

From firewalls-owner Thu Dec 8 15:45:36 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA11537 for firewalls-outgoing; Thu, 8 Dec 1994 15:12:24 -0800
Received: from netsys.com (netsys.com [198.175.9.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA11529 for ; Thu, 8 Dec 1994 15:12:11 -0800
Received: by netsys.com id AA04435 (5.65c/IDA-1.4.4 for firewalls@greatcircle.com); Thu, 8 Dec 1994 15:10:26 -0800
Date: Thu, 8 Dec 1994 15:10:25 -0800 (PST)
From: Jonathan Heiliger
X-Sender: loco@netsys.com
To: Matthew Harding
Cc: firewalls@greatcircle.com
Subject: Re: port 113 - auth
In-Reply-To: <9412052130.AA21185@jupiter.worldlinx.com>
Message-Id:
X-Secure: None
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 5 Dec 1994, Matthew Harding wrote:
> We have been receiving numerous queries on this port... can anyone tell
> me if it is used by some standard program, or if we should be concerned
> at all regarding this activity? Please respond directly and I will post
> a summary in a few days.

authd, pauthd, identd and ident all descend from RFC 931; as others have said, they are used to determine who is opening a TCP connection to your machine. RFC 1413 defines how this "information" is returned.

Generally speaking I would venture to say that it is on the safer side of services that can be allowed. If you choose to disallow it, however, I would imagine there would be problems if you also sent an ICMP Unreach -- causing all TCP connections to close between the two hosts (yours and the one that you're querying).

If you do choose to allow it, I would spend some time considering how trustworthy the auth data you're getting back is. What if someone purposely hacked their side to falsify information? Then your logging based on identity would be worthless.
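The RFC 1413 exchange Jonathan describes, as an added example that is not code from the post: the firewall builds the ident query for the peer's identd, parses the reply strictly, and records whatever comes back as a remote-asserted hint rather than an authenticated identity, which is the trust point he makes above. The protocol format is RFC 1413's; the function names, the `log_connection` wrapper and the sample replies are constructed here.

```python
"""RFC 1413 (ident) handling from the firewall side.

Added example, not code from the mailing-list post. The reply grammar is
RFC 1413's; the helper names and the sample replies below are constructed.
"""
import re

# Error types RFC 1413 defines; any other error type must start with "X-".
KNOWN_ERRORS = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}
MAX_USERID = 512  # RFC 1413 caps the user-id token at 512 octets
_PORTS = re.compile(r"\s*(\d{1,5})\s*,\s*(\d{1,5})\s*")


def build_ident_query(remote_port, local_port):
    """Query line for the identd on the host that connected to us.

    RFC 1413 orders the pair <port-on-server>, <port-on-client>, where the
    "server" is the host running identd, i.e. the remote side of our connection.
    """
    return "%d , %d\r\n" % (remote_port, local_port)


def parse_ident_response(line, remote_port, local_port):
    """Parse one reply line into a dict ('kind' is 'USERID' or 'ERROR').

    Raises ValueError for anything malformed, and for a reply that answers
    a port pair we did not ask about (stale or unsolicited data).
    """
    line = line.rstrip("\r\n")
    # The user-id is everything after the third colon, so split at most 3 times.
    parts = line.split(":", 3)
    if len(parts) < 3:
        raise ValueError("too few fields: %r" % line)
    m = _PORTS.fullmatch(parts[0])
    if not m:
        raise ValueError("bad port pair: %r" % parts[0])
    if (int(m.group(1)), int(m.group(2))) != (remote_port, local_port):
        raise ValueError("reply for %s,%s but we asked about %d,%d"
                         % (m.group(1), m.group(2), remote_port, local_port))
    kind = parts[1].strip()
    if kind == "ERROR":
        if len(parts) != 3:
            raise ValueError("ERROR reply with extra fields")
        err = parts[2].strip()
        if err not in KNOWN_ERRORS and not err.startswith("X-"):
            raise ValueError("unknown error type %r" % err)
        return {"kind": "ERROR", "error": err}
    if kind == "USERID":
        if len(parts) != 4:
            raise ValueError("USERID reply without a user-id field")
        opsys, _, charset = parts[2].partition(",")  # charset is optional
        userid = parts[3].strip()
        if not userid or len(userid) > MAX_USERID:
            raise ValueError("user-id missing or too long")
        # The remote host chooses this string freely; refuse control characters
        # so it cannot carry terminal escapes or fake line breaks into our log.
        if not all(32 <= ord(c) < 127 for c in userid):
            raise ValueError("non-printable octets in user-id")
        return {"kind": "USERID", "opsys": opsys.strip(),
                "charset": charset.strip() or "US-ASCII",  # RFC 1413 default
                "userid": userid}
    raise ValueError("unknown reply type %r" % kind)


def ident_log_field(result):
    """Render the reply for a connection log. The peer's identd can answer
    anything it likes, so a user-id is always marked as unverified."""
    if result["kind"] == "ERROR":
        return "ident=none(%s)" % result["error"]
    return "ident=%s@%s(unverified)" % (result["userid"], result["opsys"])


def log_connection(remote_host, remote_port, local_port, reply_line):
    """One log line for an inbound connection; a bad or mismatched ident
    reply is recorded as invalid rather than silently dropped."""
    try:
        field = ident_log_field(parse_ident_response(reply_line, remote_port, local_port))
    except ValueError as exc:
        field = "ident=invalid(%s)" % exc
    return "connect from %s:%d to port %d %s" % (remote_host, remote_port, local_port, field)


if __name__ == "__main__":
    # Constructed replies, as a remote identd might send them for a connection
    # from 10.0.0.5 port 1234 to our SMTP port.
    for reply in ("1234 , 25 : USERID : UNIX : alice\r\n",
                  "1234 , 25 : ERROR : NO-USER\r\n",
                  "1234 , 25 : USERID : UNIX : root\x1b[2J\r\n",
                  "4321 , 25 : USERID : UNIX : alice\r\n"):
        print(log_connection("10.0.0.5", 1234, 25, reply))
```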
--
Jonathan Heiliger       | "Because Windows/NT is too important
The Boom Group, Inc.    |  to entrust to Intel" - MIPS
loco@boom.com           | Open RISC Technology

From firewalls-owner Thu Dec 8 16:45:17 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA12367 for firewalls-outgoing; Thu, 8 Dec 1994 16:36:12 -0800
Received: from ecnet.ec (ecnet.ec [157.100.45.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA12358 for ; Thu, 8 Dec 1994 16:35:54 -0800
Received: by ecnet.ec (AIX 3.2/UCB 5.64/4.04) id AA27166; Thu, 8 Dec 1994 18:34:21 -0500
From: xmerino@ecnet.ec (Xavier Merino)
Message-Id: <9412082334.AA27166@ecnet.ec>
Subject: Information about firewall-1
To: firewalls@greatcircle.com
Date: Thu, 8 Dec 94 18:34:21 EST
X-Mailer: ELM [version 2.4dev PL17]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello there:

Do you have any experience with firewall-1, the one that SUN released this December? If this isn't, which will be the best commercial Firewall software?

Best Regards,
Xavier A. Merino

From firewalls-owner Thu Dec 8 17:16:48 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA12402 for firewalls-outgoing; Thu, 8 Dec 1994 16:43:52 -0800
Received: from orsun.saic.com (root@orsun.SAIC.COM [139.121.81.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA12397 for ; Thu, 8 Dec 1994 16:43:46 -0800
Received: from tusk.sgt.com (sargent@tusk.sgt.com [204.107.130.104]) by orsun.saic.com (8.6.9/8.6.9) with ESMTP id TAA24496; Thu, 8 Dec 1994 19:42:02 -0500
Received: (sargent@localhost) by tusk.sgt.com (8.6.9/8.6.9) id TAA00816; Thu, 8 Dec 1994 19:41:16 -0500
Date: Thu, 8 Dec 1994 19:41:16 -0500
From: Robert Sargent
Message-Id: <199412090041.TAA00816@tusk.sgt.com>
To: rmck@paragon-systems.com, ericm@MicroUnity.com
Subject: Re: Firewall Software - Application, or Utility?
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> >
> > Anyone want to settle an argument (sorry, no money involved) between a Gov't. Agency and a contractor?
>
> heh.
>
> "would you like to step between this speeding train and a large rock?
> it'll only hurt for a moment".
>
> >
> > Generally speaking, is firewall software, i.e. Gauntlet, Eagle, Toolkit, Interlock, SEAL, Firewall-1 etc., considered "applicationware", a bastion host utility, or a sub-architecture?
>

It's a dessert topping AND a floor wax.

From firewalls-owner Thu Dec 8 17:53:35 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA12887 for firewalls-outgoing; Thu, 8 Dec 1994 17:31:19 -0800
Received: from sol.acs.uwosh.edu (sol.acs.uwosh.edu [141.233.128.21]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA12871 for ; Thu, 8 Dec 1994 17:30:43 -0800
Received: from titan.acs.uwosh.edu by sol.acs.uwosh.edu (4.1/SMI-4.1) id AA03028; Thu, 8 Dec 94 19:02:41 CST
Date: Thu, 8 Dec 1994 19:02:41 -0600 (CST)
From: Chuck Milam
X-Sender: milamc@titan.acs.uwosh.edu
To: firewalls@greatcircle.com
Subject: DOS Ping?
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone know of a good DOS-based Ping program that returns a simple "alive" or "dead" message?

------------------------------------------------------------------------------
Charles R. Milam                 MilamC@vaxa.cis.uwosh.edu
Academic Computing               milamc@sol.acs.uwosh.edu
University of Wisconsin-Oshkosh  KF9FR@KA9JAC.WI.USA.NA
Oshkosh, WI 54901                Badger 112 -- WI0112
(414) 424-2309                   Delta Sigma Phi - EB Chapter
---------------<<>>----------------

From firewalls-owner Thu Dec 8 18:15:11 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA12774 for firewalls-outgoing; Thu, 8 Dec 1994 17:22:19 -0800
Received: from geoworks.com (fusion.geoworks.com [198.211.200.200]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA12766 for ; Thu, 8 Dec 1994 17:21:44 -0800
From: Marc_Mangus@ccmail.geoworks.com
Received: from ccmail.geoworks.com by geoworks.com (4.1/SMI-4.1) id AA12799; Thu, 8 Dec 94 17:19:12 PST
Received: from cc:Mail by ccmail.geoworks.com id AA786935948; Thu, 08 Dec 94 17:17:25 PST
Date: Thu, 08 Dec 94 17:17:25 PST
Encoding: 47 Text
Message-Id: <9411087869.AA786935948@ccmail.geoworks.com>
To: firewalls@greatcircle.com, xmerino@ecnet.ec (Xavier Merino)
Subject: Re: Information about firewall-1
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Check out this month's issue of Advanced Systems - they do a review of it. The thrust of the article is that it is a really good product. The GUI administration is particularly nice, but the manual needs work.
Marc

From firewalls-owner Thu Dec 8 18:45:11 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA13130 for firewalls-outgoing; Thu, 8 Dec 1994 17:55:20 -0800
Received: from erenj.com (ereapp.erenj.com [159.70.31.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA13119 for ; Thu, 8 Dec 1994 17:55:15 -0800
Posted-Date: Thu, 8 Dec 1994 20:53:46 -0500 (EST)
Date: Thu, 8 Dec 1994 20:53:46 -0500 (EST)
From: "Bryan D. Boyle"
Subject: Re: Firewall Software - Application, or Utility?
To: rmck@paragon-systems.com
Cc: firewalls@greatcircle.com
In-Reply-To: <9412082044.AA00266@sandfiddler.paragon-systems.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Yes. It is an application that provides the capability of using the internet as a utility. It is really middleware. Lives under applications, but above the lowest level of the 7-layer model. It appears, depending on where you sit, as an application, a presentation/session layer filter, or a very useful utility.

(how is that for a jesuitical answer?)

Bryan D. Boyle          |Physical: ER&E, Clinton, NJ (908) 730-3338
#include                |Virtual: bdboyle@erenj.com
World-Wide-Web: http://www.digimark.net/bdboyle/index.html
http://www.digimark.net/bdboyle/pubkey.html for pgp public key

On Thu, 8 Dec 1994 rmck@paragon-systems.com wrote:

> Anyone want to settle an argument (sorry, no money involved) between a Gov't. Agency and a contractor?
>
> Generally speaking, is firewall software, i.e. Gauntlet, Eagle, Toolkit, Interlock, SEAL, Firewall-1 etc., considered "applicationware", a bastion host utility, or a sub-architecture?
>
> -rmck
>

From firewalls-owner Thu Dec 8 19:45:11 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA13856 for firewalls-outgoing; Thu, 8 Dec 1994 19:17:53 -0800
Received: from triton.eckerd.edu (triton.eckerd.edu [198.187.214.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id TAA13849 for ; Thu, 8 Dec 1994 19:17:47 -0800
Received: from acasun.eckerd.edu by triton.eckerd.edu (5.0/SMI-SVR4) id AA29350; Thu, 8 Dec 1994 22:15:26 +0500
Received: by acasun.eckerd.edu (5.0/SMI-SVR4) id AA02405; Thu, 8 Dec 1994 22:12:29 +0500
From: petroca@acasun.eckerd.edu (Chris A. Petro)
Message-Id: <9412090312.AA02405@acasun.eckerd.edu>
Subject: Re: Information please
To: firewalls@greatcircle.com
Date: Thu, 8 Dec 1994 22:12:28 -0500 (EST)
In-Reply-To: <9412081632.AA02708@reddwarf.pond> from "Grant Edwards" at Dec 8, 94 10:32:49 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 909
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > > Look for traps - definitely...
> > awww... come on, not everyone expressing interest in learning more
> > about firewalls and system security is trying to break in some place.
> Indeed. Some of us are trying to break _out_. I've been trying for
> weeks to get a Unix-based WWW browser to work with our firewall, but
> to no avail. All the DOS weenies around me can surf the web, but
> nobody with a Unix workstation can...

For a while I was trying to get talk to work. One person made a suggestion on the socks list about how to do it, but if it does indeed work, it would tend to imply a security hole in socks -- one that would let me run any kind of a server inside of a firewall and let it receive from any address. I'm assuming that this isn't so. Has anyone had any experience with this?

Of course, there are other ways to get around socks outgoing-only/established limitations anyway.
From firewalls-owner Thu Dec 8 21:45:24 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA14467 for firewalls-outgoing; Thu, 8 Dec 1994 21:25:02 -0800
Received: from telemann.inoc.dl.nec.com (telemann.inoc.dl.nec.com [143.101.112.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id VAA14462 for ; Thu, 8 Dec 1994 21:24:57 -0800
Received: by telemann.inoc.dl.nec.com (8.6.9/YDL1.9.1-940729.15) id XAA12897(telemann.inoc.dl.nec.com); Thu, 8 Dec 1994 23:20:36 -0600
Received: by texas.syl.dl.nec.com (8.6.9/YDL1.9-930614.17) id XAA15650(texas.syl.dl.nec.com); Thu, 8 Dec 1994 23:20:35 -0600
Received: by nebraska.syl.dl.nec.com (8.6.9/YDL1.9-920708.13) id XAA18797(nebraska.syl.dl.nec.com); Thu, 8 Dec 1994 23:20:30 -0600
From: mjr@syl.dl.nec.com (Matt Ranney)
Message-Id: <199412090520.XAA18797@nebraska.syl.dl.nec.com>
Subject: Re: Information please
To: petroca@acasun.eckerd.edu (Chris A. Petro)
Date: Thu, 8 Dec 1994 23:20:29 -0600 (CST)
Cc: firewalls@greatcircle.com
In-Reply-To: <9412090312.AA02405@acasun.eckerd.edu> from "Chris A. Petro" at Dec 8, 94 10:12:28 pm
X-Mailer: ELM [version 2.4 PL23beta]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1301
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Chris A. Petro Writes...
) [...]
) for a while I was trying to get talk to work. one person made a
) suggestion on the socks list about how to do it, but if it does indeed
) work, it would tend to imply a security hole in socks -- one that would
) let me run any kind of a server inside of a firewall and let it receive
) from any address. I'm assuming that this isn't so. has anyone had any
) experience with this?

You can certainly do just that. I'm pretty sure though that you need to connect someplace before you can accept a connection back, and it has to come from the same place you connected to. I'm not sure why that is though.
In fact, I'm sure you could devise a little back door program that read your (or someone's) mail and looked for a magic message that said what host you wanted to come in from, then bound up a port on the socks server for you to telnet into. Since most people let mail through their firewall, this would be a pretty universally usable attack against people using socks.

) of course, there's other ways to get around socks outgoing-only/established
) limitations anyway.

Other than what I've described above?

--
Matt Ranney - mjr@nec.com
"You know, I don't think there's a man, woman, or child alive today who doesn't enjoy a lovely beverage." -DL

From firewalls-owner Thu Dec 8 23:24:15 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA15020 for firewalls-outgoing; Thu, 8 Dec 1994 22:53:04 -0800
Received: from get.hooked.net (get.hooked.net [199.2.134.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id WAA15013 for ; Thu, 8 Dec 1994 22:52:56 -0800
Received: (ee@localhost) by get.hooked.net (8.6.9/8.6.5) id WAA15397; Thu, 8 Dec 1994 22:51:37 -0800
Date: Thu, 8 Dec 1994 22:51:37 -0800
From: Eric Eigenfeld
Message-Id: <199412090651.WAA15397@get.hooked.net>
To: firewalls@greatcircle.com
Subject: SQL-Net across firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

What are the implications of allowing SQL*Net (or similar) service across a firewall (tis fwtk)?
Thanks in advance,

Eric Eigenfeld
Evox Engineering
Systems Integration/Internetworking

From firewalls-owner Thu Dec 8 23:45:11 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA15431 for firewalls-outgoing; Thu, 8 Dec 1994 23:22:17 -0800
Received: from bronze.lcs.mit.edu (bronze.lcs.mit.edu [18.30.0.254]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id XAA15426 for ; Thu, 8 Dec 1994 23:22:13 -0800
Received: by bronze.lcs.mit.edu (Sendmail 8.6.9/940527.SGW) id CAA01313; Fri, 9 Dec 1994 02:20:36 -0500
Date: Fri, 9 Dec 1994 02:20:36 -0500
From: hobbit@bronze.lcs.mit.edu (*Hobbit*)
Message-Id: <199412090720.CAA01313@bronze.lcs.mit.edu>
To: firewalls@greatcircle.com
Subject: students
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Traps? Get over it. A lot of people who happen to be students right now are also setting up nets at home, and probably have the same worries as big corporate IS types, just on a smaller scale. Dorms are peppered with linux boxes these days...

_H*

From firewalls-owner Fri Dec 9 01:19:53 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA15837 for firewalls-outgoing; Fri, 9 Dec 1994 00:20:14 -0800
Received: from bronze.lcs.mit.edu (bronze.lcs.mit.edu [18.30.0.254]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id AAA15830 for ; Fri, 9 Dec 1994 00:20:07 -0800
Received: by bronze.lcs.mit.edu (Sendmail 8.6.9/940527.SGW) id DAA01721; Fri, 9 Dec 1994 03:18:29 -0500
Date: Fri, 9 Dec 1994 03:18:29 -0500
From: hobbit@bronze.lcs.mit.edu (*Hobbit*)
Message-Id: <199412090818.DAA01721@bronze.lcs.mit.edu>
To: firewalls@greatcircle.com
Subject: socket2mesocket2mesocket2mesocket2me
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Good stuff. There's also probe_tcp_ports which is floating around all over.

Big question: Does anyone have an equivalent for UDP??
I'm not completely clear on this, but it seems you'd have to jack into the ICMP layer to get "no port listening" messages. Or you could just try winging random bytes, or calls to RPC procedure 0, or something, and see if it answers..

_H*

From firewalls-owner Fri Dec 9 01:28:13 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA16999 for firewalls-outgoing; Fri, 9 Dec 1994 00:59:31 -0800
Received: from mail.swip.net (mail.swip.net [192.71.180.65]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id AAA16994 for ; Fri, 9 Dec 1994 00:59:25 -0800
From: lviding@expressen.se
Received: by mail.swip.net with UUCP (8.6.8/3.01) id JAA19831; Fri, 9 Dec 1994 09:59:27 +0100
Message-ID: <199412090859.JAA19831@mail.swip.net>
Date: Fri, 9 Dec 1994 9:57 +0100
To: firewalls@greatcircle.com
Subject: Appletalk firewall ?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Does anyone know of a firewall for AppleTalk? We have several ISDN and async connections for LAN -> LAN and Client -> LAN. Today we must set up several dedicated Macintoshes including ISDN/async modems on separate LANs. It would be very nice to concentrate all ISDN/async modems on one unsafe LAN and then filter through a firewall, like in the Internet world.

Thanks in advance!

Lars Viding
EXPRESSEN/Network Manager
SWEDEN
Email. lviding@expressen.se
tel. +46 8 738 37 11
fax. +46 8 656 74 00

From firewalls-owner Fri Dec 9 01:45:23 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA16065 for firewalls-outgoing; Fri, 9 Dec 1994 00:24:07 -0800
Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA08698 for ; Thu, 8 Dec 1994 10:03:53 -0800
Received: from uucp4.UU.NET by relay3.UU.NET with SMTP id QQxtkq22937; Thu, 8 Dec 1994 13:02:24 -0500
Received: from brite.UUCP by uucp4.UU.NET with UUCP/RMAIL ; Thu, 8 Dec 1994 13:02:18 -0500
Received: from usrpc10.wichita.brite.com by brite.wichita.brite.com (5.65/1.35) id AA13021; Thu, 8 Dec 94 19:01:07 GMT
Date: Thu, 8 Dec 94 11:59:30 PST
From: Shane Kinsch
Subject: Help Wanted
To: firewalls@greatcircle.com
X-Mailer: Chameleon - TCP/IP for Windows by NetManage, Inc.
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone know of any FTP sites with firewall software or security packages both specifically for the Interactive Unix OS?

Thanks.
Shane Kinsch
shane.kinsch@brite.com
VOICE SYSTEMS
VP UNIX Support Engineer

From firewalls-owner Fri Dec 9 02:29:47 1994
From: petroca@acasun.eckerd.edu (Chris A. Petro)
Message-Id: <9412090954.AA08653@acasun.eckerd.edu>
Subject: Re: students
To: firewalls@greatcircle.com
Date: Fri, 9 Dec 1994 04:54:51 -0500 (EST)
In-Reply-To: <199412090720.CAA01313@bronze.lcs.mit.edu> from "*Hobbit*" at Dec 9, 94 02:20:36 am

> Traps? Get over it. A lot of people who happen to be students right now
> are also setting up nets at home, and probably have the same worries as
> big corporate IS types, just on a smaller scale. Dorms are peppered with
> linux boxes these days...

I don't keep anything sensitive on my box... I wouldn't want it behind a firewall if I had a choice about it.
From firewalls-owner Fri Dec 9 02:33:39 1994
From: lavondes@tidtest.total.fr (Michel Lavondes)
Message-Id: <9412091031.AA03038@tidtest.total.fr>
Subject: Re: SQL-Net across firewall
To: ee@hooked.net (Eric Eigenfeld)
Date: Fri, 9 Dec 94 10:31:27 GMT
Cc: firewalls@greatcircle.com
Reply-To: lavondes@tidtest.total.fr
In-Reply-To: <199412090651.WAA15397@get.hooked.net>; from "Eric Eigenfeld" at Dec 8, 94 10:51 pm

Eric Eigenfeld wrote :
>
> What are the implications of allowing SQL*Net (or similar)
> service across a
> firewall (tis fwtk)?
>

How secure is your database server ?
--
Michel Lavondes
E-Mail : lavondes@tidtest.total.fr
         lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected)
Tel : +33-1-4135-4198
Fax : +33-1-4135-4189

From firewalls-owner Fri Dec 9 02:45:27 1994
From: lavondes@tidtest.total.fr (Michel Lavondes)
Message-Id: <9412091022.AA03023@tidtest.total.fr>
Subject: Re: DOS Ping?
To: firewalls@greatcircle.com
Date: Fri, 9 Dec 94 10:22:51 GMT
Reply-To: lavondes@tidtest.total.fr
In-Reply-To: from "Chuck Milam" at Dec 8, 94 7:02 pm

Chuck Milam wrote :
>
> Does anyone know of a good Dos-based Ping program that returns a simple
> "alive" or "dead" message?
>

Most if not all DOS IP packages have a ping command. The one in Novell's Lan Workplace (only one I know) answers more or less what you want (I don't remember the exact message.)
Or you could get a C interface library and hack up your own (it can't be that hard :-)

HTH
--
Michel Lavondes

From firewalls-owner Fri Dec 9 03:06:48 1994
From: petroca@acasun.eckerd.edu (Chris A. Petro)
Message-Id: <9412090953.AA08636@acasun.eckerd.edu>
Subject: Re: Information please
To: firewalls@greatcircle.com
Date: Fri, 9 Dec 1994 04:53:06 -0500 (EST)
In-Reply-To: <199412090520.XAA18797@nebraska.syl.dl.nec.com> from "Matt Ranney" at Dec 8, 94 11:20:29 pm

> In fact, I'm sure you could devise a little back door program that
> read your (or someone's) mail and looked for a magic message that said
> what host you wanted to come in from, then bound up a port on the
> socks server for you to telnet into. Since most people let mail
> through their firewall, this would be a pretty universally usable
> attack against people using socks.

That was the solution discussed at the regional ACM competition 8^)

The other solution someone had was to call rbind with a phony socket (just pick anything outside) and then do a normal call to wait for any address. The implication was that it would then let traffic from any address in.
That seems hard to believe, since that's kind of what the connection-oriented bit is to prevent...

From firewalls-owner Fri Dec 9 03:15:22 1994
Date: Fri, 9 Dec 1994 10:54:40 GMT
From: Dermot Tynan
Message-Id: <9412091054.AA20759@karpov.ilo.dec.com>
To: firewalls@greatcircle.com, thur@phx.sectel.mot.com
Subject: Re: FTP and Telnet Proxies

> TIS requires commercial license if the Toolkit is
> incorporated into any program or other product that is sold (which translates
> to royalties for TIS). I want to be able to modify the code and use it freely.

As I see it, you can do what you want with the TIS stuff as long as you don't try to sell it, or make money from their efforts. If I understand what you're saying, you want someone to provide you (free of charge) with a suite of programs which you can then sell. If you get any takers, let me know...
:)
- Der

From firewalls-owner Fri Dec 9 05:26:54 1994
From: "Thompson, Dave: GTIS"
To: firewalls
Subject: "shared" firewall
Date: Fri, 09 Dec 94 08:12:00 EST
Message-ID: <2EE85852@smtpgate.gtis.gc.ca>

I would like to get some feedback on the concept of "sharing" one firewall between two or more independent organizations (i.e. separate small organizations administering independent networks wishing to gain Internet access). Has anyone out there tried this, or does anyone know of any reason why this would or would not be advisable? If anyone can point us towards specific tools it would be greatly appreciated.

Dave Thompson - GTIS

From firewalls-owner Fri Dec 9 06:06:18 1994
From: letch@ultra3.larc.nasa.gov
Message-Id: <9412091331.AA26613@ultra3.larc.nasa.gov>
To: rmck@paragon-systems.com
Cc: firewalls@greatcircle.com, letch@ultra3.larc.nasa.gov
Subject: Re: Firewall Software - Application, or Utility?
In-Reply-To: Your message of "Thu, 08 Dec 94 15:44:53 EST." <9412082044.AA00266@sandfiddler.paragon-systems.com>
Date: Fri, 09 Dec 94 08:31:24 -0500

I know that as far as Gauntlet goes, TIS's "Gauntlet Product Description" states "Gauntlet is a hardware- and software-based firewall system". I would say someone in your discussion does not have the terms defined. However, Gauntlet is a host-based firewall, therefore observing the bastion-host methodology of firewalls. But implementation of a firewall is not just SW.

letch

From firewalls-owner Fri Dec 9 06:49:28 1994
Date: Fri, 9 Dec 1994 09:23:41 -0500
From: long-morrow@CS.YALE.EDU (H Morrow Long)
Message-Id: <199412091423.AA11548@SPARKY.CF.CS.YALE.EDU>
To: firewalls@greatcircle.com, hobbit@bronze.lcs.mit.edu
Subject: Re: socket2mesocket2mesocket2mesocket2me

Hobbit said:
> There's also probe_tcp_ports which is floating around all over.
2 places you can pick it up from are:

ftp://coast.cs.purdue.edu/pub/tools/unix/probe_tcp_ports/
ftp://ftp.cs.yale.edu/pub/long/src/network/security/

- Morrow

From firewalls-owner Fri Dec 9 07:29:36 1994
From: lavondes@tidtest.total.fr (Michel Lavondes)
Message-Id: <9412091605.AA03262@tidtest.total.fr>
Subject: Re: "shared" firewall
To: dthompso@ott3.gtis.gc.ca (Thompson Dave: GTIS)
Date: Fri, 9 Dec 94 16:05:56 GMT
Cc: firewalls@greatcircle.com
Reply-To: lavondes@tidtest.total.fr
In-Reply-To: <2EE85852@smtpgate.gtis.gc.ca>; from "Thompson, Dave: GTIS" at Dec 9, 94 8:12 am

Thompson, Dave: GTIS wrote :
>
> I would like to get some feedback on the concept of "sharing" one firewall
> between two or more independent organizations (ie. separate small
> organizations administering independent networks wishing to gain Internet
> access). Has anyone out there tried this or does anyone know of any reason
> why this would or would not be advisable. If anyone can point us towards
> specific tools it would be greatly appreciated.
>

I believe this (or something close) was discussed a few months ago (August ?).

The problem with this is trust, i.e., can one of the organisations be trusted to manage the firewall without taking advantage of it, e.g., opening and using security holes ? If not, can all of them agree on a trusted 3rd-party manager ?
--
Michel Lavondes

From firewalls-owner Fri Dec 9 09:46:06 1994
Date: Fri, 9 Dec 1994 09:17:39 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
Message-Id: <9412091717.AA16355@brittany.oes.amdahl.com>
To: firewalls@greatcircle.com, rmck@paragon-systems.com
Subject: Re: Firewall Software - Application, or Utility?

> From: rmck@paragon-systems.com
> To: firewalls@greatcircle.com
> Subject: Firewall Software - Application, or Utility?
> Anyone want to settle an argument (sorry no money involved) between a Gov't. Agency and a contractor?
>
> Generally speaking, is firewall software; i.e. Gauntlet, Eagle, Toolkit, Interlock, SEAL, Firewall-1 etc., considered "applicationware", a bastion host utility, or a sub-architecture?
>

If I have to choose between an application and utility, I'd say it's closer to a utility, but it's really both. I have no idea what a sub-architecture is, but while you certainly have to architect (cool word for design,) your firewall, I'd hate to characterize it as a sub-architecture... we have enough buzz-words going around already. In any case, software isn't architecture, it's the implementation of an architecture.

Is applicationware a word...
I don't think so! Let's at least try to stick to English;) We could say that firewall software is object oriented, real time, client server, open systems environment protection for your enterprise wide assets, but let's not, and say we didn't!:)

Patrick

These opinions are mine, and not Amdahl's (except by coincidence;).

Patrick J. Horgan          Amdahl Corporation
patrick@oes.amdahl.com     1250 East Arques Avenue        "Have Sword
Phone : (408)992-2779      P.O. Box 3470 M/S 316           Will Travel"
FAX : (408)773-0833        Sunnyvale, CA 94088-3470
O16-2294

From firewalls-owner Fri Dec 9 10:46:44 1994
Date: Fri, 9 Dec 1994 12:41:37 -0600 (CST)
From: "Paul 'Shag' Walmsley"
To: *Hobbit*
cc: firewalls@GreatCircle.COM
Subject: Re: socket2mesocket2mesocket2mesocket2me
In-Reply-To: <199412090818.DAA01721@bronze.lcs.mit.edu>

On Fri, 9 Dec 1994, *Hobbit* wrote:

> Big question: Does anyone have an equivalent for UDP?? I'm not completely
> clear on this, but it seems you'd have to jack into the ICMP layer to
> get "no port listening" messages.
> Or you could just try winging random
> bytes, or calls to RPC procedure 0, or something, and see if it answers..

Some systems (IRIX 4, IRIX 5) also allow SNMP queries out of the box for both TCP and UDP port use, and SNMP is a lot more network- and machine-friendly than sequentially banging on every port.

Re calls to RPC procedure 0, it's easier to query the portmapper on the remote machine for the programs that it serves .. "rpcinfo -p hostname"

Watching returning ICMP messages sounds like a cool idea.

- Paul "Shag" Walmsley

"The only difference between myself and a madman is that I am not mad."
- Salvador Dali

From firewalls-owner Fri Dec 9 11:17:59 1994
Date: Fri, 9 Dec 1994 10:45:28 -0800
Message-Id: <199412091845.KAA03984@uni>
To: Marc_Mangus@ccmail.geoworks.com, firewalls@GreatCircle.COM, xmerino@ecnet.ec (Xavier Merino)
From: (Mark S. Kadrich)
Subject: Re: Information about firwall-1

At 05:17 PM 12/8/94 PST, Marc_Mangus@ccmail.geoworks.com wrote:
> Check out this month's issue of Advanced Systems - they do a review of
> it. The thrust of the article is that it is a really good product.
> The GUI administration is particularly nice, but the manual needs
                                                  ^^^^^^
Both pages...

> work.
>
> Marc
>
> ______________________________ Reply Separator _________________________________
> Subject: Information about firwall-1
> Author: xmerino@ecnet.ec (Xavier Merino) at Internet
> Date: 12/8/94 6:34 PM
>
> From: xmerino@ecnet.ec (Xavier Merino)
> Message-Id: <9412082334.AA27166@ecnet.ec>
> Subject: Information about firwall-1
> To: firewalls@greatcircle.com
> Date: Thu, 8 Dec 94 18:34:21 EST
>
> Hello there:
>
> Do you have any experience with firewall-1, the one that SUN released this
> December?
>
> If this isn't, which will be the best commercial Firewall software /
>
> Best Regards,
>
> Xavier A. Merino

******************************************************************
Mark S. Kadrich, Systems Engineer, International Network Services
"The Power of Operable Networks"
Voice @ 415-254-4225, Page @ 1-800-759-7243; PIN 879-5783
e-mail @ kadrich@uni.ins.com
We must all consider our place in the scheme of things, lest we forget its effect on our own schemes.
******************************************************************

From firewalls-owner Fri Dec 9 12:53:22 1994
Date: Fri, 9 Dec 1994 13:15:36 PST
From: Shaw Zhang
Subject: RE: FTP and Telnet Proxies
To: firewalls-digest@GreatCircle.com

thur@phx.sectel.mot.com (thu tran) wrote:
> Date: Thu, 8 Dec 94 10:57:47 MST
> Subject: FTP and Telnet Proxies
> Does anyone know of any other sources to get free FTP and Telnet proxies
> code)
> besides TIS Toolkit? TIS requires commercial license if the Toolkit is
> incorporated into any program or other product that is sold (which
> translates
> to royalties for TIS). I want to be able to modify the code and use it
> freely.
> Thanks in advance,
> Thu Tran

There is a TCPRELAY in perl, good for Unix (requiring ftp/telnet client with port as param, syslog on proxy). DOS/Win try SOCK. ;-)

Shaw

/*----------------------------------------------------------------------+
| Shaw Zhang, Public Works, City of Edmonton, Alberta, Canada           |
| internet: szhang@champ.wnet.gov.edmonton.ab.ca   (403)-496-6744      |
| The more u know the more u ???? to know.  (The common disclaimer ...)
|
+----------------------------------------------------------------------*/

From firewalls-owner Fri Dec 9 13:30:39 1994
Date: Fri, 9 Dec 94 12:16:13 PST
From: cynthia@usenix.org (Cynthia Deno)
Message-Id: <9412092016.AA02500@usenix.ORG>
To: firewalls@greatcircle.com
Subject: USENIX Association 1995 Technical Conference

1995 USENIX ASSOCIATION TECHNICAL CONFERENCE
January 16-20, 1995, New Orleans, Louisiana
***************************************************

The latest technical developments in UNIX and advanced computing systems. . .

Choose from among 20 Tutorials, attend Invited Talks, and learn details of never-before-published research in the refereed papers sessions. Don't miss Mark Weiser's keynote talk on Ubiquitous Computing. Meet your peers and discuss common problems. Discuss with industry experts in a relaxed environment. And, get a hands-on look at the latest products in the Vendor Display.

A partial list of topics includes: UNIX Security, Firewalls, System Administration, UNIX Programming, COM OLE, BSD, Mass Store, Streams, SIFT, Tcl/Tk, World Wide Web, Libraries, File Systems, Sendmail 8, Internet Cash and Commerce, and more.

Program Chair: Peter Honeyman, CITI, University of Michigan

TO OBTAIN FULL PROGRAM AND REGISTRATION INFORMATION:
====================================================
Telephone: 714 588 8649; Fax: 714 588 9706
Email: conference@usenix.org
Automatic mailserver: Email to: info@usenix.org. Your message should contain the line "send conferences catalog".
Conference information will be returned to you.
World Wide Web: The USENIX URL is: http://www.usenix.org

From firewalls-owner Fri Dec 9 14:06:37 1994
Message-Id: <199412092130.NAA27856@miles.greatcircle.com>
From: "W.C. Epperson"
Subject: Re: SQL-Net across firewall
To: lavondes@tidtest.total.fr
Date: Fri, 9 Dec 94 16:27:50 EST
Cc: firewalls@greatcircle.com
In-Reply-To: <9412091031.AA03038@tidtest.total.fr>; from "Michel Lavondes" at Dec 9, 94 10:31 am

Eric Eigenfeld wrote :
> >
> > What are the implications of allowing SQL*Net (or similar)
> > service across a
> > firewall (tis fwtk)?
> >
And Michel Lavondes replied:
> How secure is your database server ?
> --
>

And how secure is your database? And how secure would you like to keep it?

One problem, unless you use some sort of transport layer encryption, is that the Oracle password will be passed through the SQLNet connection, and thus through God-only-knows whose bandwidth (and promiscuous network interfaces). Same for the data.

--
W.C. Epperson                  "I have great faith in fools.
Senior SE                       Self-confidence, my friends call it."
Virginia Dept. of Education                        --E.A. Poe--
epperson@vdoehp.vak12ed.edu

From firewalls-owner Fri Dec 9 14:20:29 1994
Date: Fri, 9 Dec 94 16:51:01 EST
From: cgraham@sps.com (Christopher Graham)
Message-Id: <9412092151.AA00900@sps.com>
To: firewalls@greatcircle.com
Subject: Re: TIS hangs
Cc: cgraham@sps.com

We set up the TIS firewall toolkit about a week ago. Everything seemed to work correctly, until yesterday. It seems that whenever we use any proxy or even the actual telnet daemon from our local net, it connects, starts the *-gw proxies or telnet daemon and then hangs. In about 1 and a half minutes, the connection comes back and works correctly. Our modem (~38K) is connected and transmits nothing during this time.

When we run netstat -a it also seems to hang for a bit and then comes back. We only have about 10 things running on the SPARC (SunOS 4.1.3) and the machine seems idle while all this is going on.
We have banged our heads long enough, and need help.

Thanks in advance,
Christopher Graham
cgraham@sps.com

From firewalls-owner Fri Dec 9 15:16:03 1994
Date: Fri, 9 Dec 1994 18:00:32 -0500
To: cgraham@sps.com (Christopher Graham), firewalls@greatcircle.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: TIS hangs
Cc: cgraham@sps.com

At 16:51 12/9/94, Christopher Graham wrote:
> We set up the TIS firewall toolkit about a week ago.
> Everything seemed to work correctly, until yesterday.
> It seems that whenever we use any proxy or even the
> actual telnet daemon from our local net, it connects,
> starts the *-gw proxies or telnet daemon and then
> hangs. In about 1 and a half minutes, the connection
> comes back and works correctly. Our modem (~38K) is
> connected and transmits nothing during this time.
>
> When we run netstat -a it also seems to hang for a
> bit and then comes back. We only have about 10
> things running on the SPARC (SunOS 4.1.3) and the
> machine seems idle while all this is going on.

Symptoms like this are often indicative of a DNS problem: your servers are "hanging" while they try to translate IP addresses to host names (or vice versa). DNS eventually either succeeds or times out, and things go on.

Try running "netstat -an" (the "n" flag tells it to give you raw IP addresses, rather than try to translate the IP addresses to hostnames). If that works immediately, but "netstat -a" still hangs, then you've definitely got a DNS problem.
Now, the problem could be on your end (are you able to do any DNS lookups successfully?), or it could be on the other end (wherever these incoming connections are coming from).

-Brent

--
Brent Chapman         | Great Circle Associates | Call or email for info about
Brent@GreatCircle.COM | 1057 West Dana Street   | upcoming Internet Security
+1 415 962 0841       | Mountain View, CA 94041 | Firewalls Tutorial dates

From firewalls-owner Fri Dec 9 16:15:26 1994
Date: Fri, 9 Dec 1994 15:48:53 -0800
Message-Id: <199412092348.PAA05905@uni>
To: "W.C. Epperson" , lavondes@tidtest.total.fr
From: (Mark S. Kadrich)
Subject: Re: SQL-Net across firewall
Cc: firewalls@GreatCircle.COM

That is correct. There is a company that provides a shell that does passwd encryption for sqlnet. Contact Oracle. I have it somewhere in a box in my garage....

msk

At 04:27 PM 12/9/94 EST, W.C. Epperson wrote:
>
> Eric Eigenfeld wrote :
> > >
> > > What are the implications of allowing SQL*Net (or similar)
> > > service across a
> > > firewall (tis fwtk)?
> > >
> And Michel Lavondes replied:
> > How secure is your database server ?
> > --
> >
> And how secure is your database? And how secure would you like to keep it?
> One problem, unless you use some sort of transport layer encryption, is that
> the Oracle password will be passed through the SQLNet connection, and thus
> through God-only-knows whose bandwidth (and promiscuous network interfaces).
> Same for the data.
> --
> W.C. Epperson                  "I have great faith in fools.
> Senior SE                       Self-confidence, my friends call it."
> Virginia Dept. of Education                        --E.A. Poe--
> epperson@vdoehp.vak12ed.edu
>
>

Mark S. Kadrich, Systems Engineer, International Network Services

From firewalls-owner Fri Dec 9 18:45:12 1994
From: petroca@acasun.eckerd.edu (Chris A. Petro)
Message-Id: <9412100210.AA00622@acasun.eckerd.edu>
Subject: udprelay crashing
To: firewalls@greatcircle.com
Date: Fri, 9 Dec 1994 21:10:24 -0500 (EST)

Whenever any significant amount of udp traffic starts going through it, udprelay just stops working. Process disappears, no error message. Nothing.

Any thoughts? Has anyone else had this happen?
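Brent Chapman's diagnosis in the "TIS hangs" thread above (a proxy or daemon that stalls for about a minute and then carries on is usually blocked in a reverse DNS lookup), as an added example that is not part of the original thread. The real lookup is socket.gethostbyaddr; timed_reverse_lookup, diagnose, simulated_resolver and the 192.0.2.x addresses are assumptions constructed here so the three outcomes can be shown offline.

```python
"""Run a reverse DNS lookup under a deadline, so a daemon "hang" of the kind
described in the thread shows up as a measured timeout rather than an
unexplained pause.  Added example, not code from the thread."""
import socket
import threading
import time


def timed_reverse_lookup(addr, timeout=5.0, resolver=socket.gethostbyaddr):
    """Resolve addr -> hostname in a worker thread, waiting at most `timeout` seconds.

    Returns (status, hostname, elapsed_seconds):
      "ok"       the resolver returned a name before the deadline,
      "nxdomain" the resolver answered, but with an error (no PTR record, SERVFAIL ...),
      "timeout"  no answer at all before the deadline.  This is the symptom in the
                 thread: the proxy resumes only when the resolver finally gives up.
    """
    result = {}

    def worker():
        try:
            result["name"] = resolver(addr)[0]   # gethostbyaddr -> (name, aliases, addrs)
        except OSError as exc:                   # socket.herror / gaierror subclass OSError
            result["error"] = exc

    t = threading.Thread(target=worker, daemon=True)
    start = time.monotonic()
    t.start()
    t.join(timeout)
    elapsed = time.monotonic() - start
    if t.is_alive():
        return ("timeout", None, elapsed)
    if "name" in result:
        return ("ok", result["name"], elapsed)
    return ("nxdomain", None, elapsed)


def diagnose(addrs, timeout=5.0, resolver=socket.gethostbyaddr):
    """Check every peer address (the raw form `netstat -an` prints) and return
    {addr: (status, hostname, elapsed)}.  A "timeout" entry is an address whose
    lookup stalls `netstat -a` and the proxies alike."""
    return {addr: timed_reverse_lookup(addr, timeout, resolver) for addr in addrs}


def stalled_peers(report):
    """Addresses whose lookups hit the deadline: the DNS-hang suspects."""
    return sorted(addr for addr, (status, _, _) in report.items() if status == "timeout")


def simulated_resolver(delay, name=None):
    """Constructed stand-in for socket.gethostbyaddr (assumption, for offline
    demonstration): sleeps `delay` seconds, then returns `name` the way
    gethostbyaddr would, or raises socket.herror (no PTR record) when name is None."""
    def resolver(addr):
        time.sleep(delay)
        if name is None:
            raise socket.herror(1, "Unknown host")
        return (name, [], [addr])
    return resolver


if __name__ == "__main__":
    # Constructed peers: one resolves at once, one has no PTR record, and one
    # answers only after the deadline (the case that hangs the daemon).
    cases = {
        "192.0.2.10": simulated_resolver(0.0, "client.example.test"),
        "192.0.2.11": simulated_resolver(0.0),
        "192.0.2.12": simulated_resolver(3.0, "slow.example.test"),
    }
    report = {addr: timed_reverse_lookup(addr, 1.0, res) for addr, res in cases.items()}
    for addr, (status, name, elapsed) in report.items():
        print(f"{addr:<12} {status:<9} {name or '-':<22} {elapsed:.2f}s")
    print("stalled on DNS:", stalled_peers(report))
```

Against a live host, call diagnose() with the peer addresses from `netstat -an` and the default resolver; an entry that only ever comes back as "timeout" points at the resolver (yours or the peer's), not at the link.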
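Paul Walmsley's remark above about watching the returning ICMP messages, taken from the defender's side as an added example that is not from the original thread: a host with no UDP listener on a port answers a datagram with ICMP "port unreachable", so a peer that draws many such replies for many different ports in a short time is sweeping the bastion's UDP ports. The tcpdump-style log lines are constructed here, the addresses are RFC 5737 documentation addresses, and parse_line and find_udp_sweeps are assumed names.

```python
"""Flag UDP port sweeps from the ICMP port-unreachable replies a host emits.
Added example, not code from the thread; sample lines are constructed."""
import re
from collections import defaultdict

# tcpdump-style record of an ICMP port-unreachable reply; the inner address and
# port are the destination of the datagram that provoked it.
ICMP_UNREACH = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP (?P<orig>[\d.]+) udp port (?P<port>\d+) unreachable"
)

# Constructed sample: 192.0.2.5 is the bastion, 198.51.100.7 sweeps seven UDP
# ports in two seconds, 203.0.113.9 draws a single stray reply, and the last
# line is a DNS answer that the parser must ignore.
SAMPLE_LINES = [
    "10:54:40.100001 IP 192.0.2.5 > 198.51.100.7: ICMP 192.0.2.5 udp port 7 unreachable, length 36",
    "10:54:40.100380 IP 192.0.2.5 > 198.51.100.7: ICMP 192.0.2.5 udp port 19 unreachable, length 36",
    "10:54:40.100811 IP 192.0.2.5 > 198.51.100.7: ICMP 192.0.2.5 udp port 69 unreachable, length 36",
    "10:54:41.231111 IP 192.0.2.5 > 198.51.100.7: ICMP 192.0.2.5 udp port 111 unreachable, length 36",
    "10:54:41.233333 IP 192.0.2.5 > 198.51.100.7: ICMP 192.0.2.5 udp port 161 unreachable, length 36",
    "10:54:42.000100 IP 192.0.2.5 > 198.51.100.7: ICMP 192.0.2.5 udp port 514 unreachable, length 36",
    "10:54:42.000900 IP 192.0.2.5 > 198.51.100.7: ICMP 192.0.2.5 udp port 53 unreachable, length 36",
    "10:55:02.500000 IP 192.0.2.5 > 203.0.113.9: ICMP 192.0.2.5 udp port 41234 unreachable, length 36",
    "10:55:03.000000 IP 203.0.113.9.53 > 192.0.2.5.41235: 1234 1/0/0 A 203.0.113.10 (46)",
]


def parse_line(line):
    """Return {"ts", "responder", "prober", "port"} for a port-unreachable
    record, or None for any other line (TCP, DNS answers, other ICMP types)."""
    m = ICMP_UNREACH.match(line)
    if m is None:
        return None
    hh, mm, ss = m.group("ts").split(":")
    return {
        "ts": int(hh) * 3600 + int(mm) * 60 + float(ss),  # seconds since midnight
        "responder": m.group("src"),                        # host that said "nothing here"
        "prober": m.group("dst"),                           # host that sent the datagram
        "port": int(m.group("port")),
    }


def find_udp_sweeps(lines, min_ports=5, window=60.0):
    """Flag (prober, responder) pairs where the prober drew port-unreachable
    replies for at least `min_ports` distinct UDP ports within `window` seconds.

    Returns {(prober, responder): {"ports": sorted list, "first": ts, "last": ts}}.
    Only replies the responder actually emitted are visible: a host that
    rate-limits or filters ICMP errors under-reports, and silence on a port
    means "listening or filtered", never "closed".
    """
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            events[(ev["prober"], ev["responder"])].append((ev["ts"], ev["port"]))

    sweeps = {}
    for key, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):              # slide a window over the replies
            in_window = [(t, p) for t, p in evs[i:] if t - t0 <= window]
            ports = {p for _, p in in_window}
            if len(ports) >= min_ports:
                entry = sweeps.setdefault(key, {"ports": set(), "first": t0, "last": t0})
                entry["ports"].update(ports)
                entry["last"] = max(entry["last"], in_window[-1][0])
    for entry in sweeps.values():
        entry["ports"] = sorted(entry["ports"])
    return sweeps


if __name__ == "__main__":
    for (prober, responder), info in find_udp_sweeps(SAMPLE_LINES).items():
        span = info["last"] - info["first"]
        print(f"{prober} swept {len(info['ports'])} UDP ports on {responder} "
              f"in {span:.1f}s: {info['ports']}")
```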
From firewalls-owner Fri Dec 9 20:45:12 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA00894 for firewalls-outgoing; Fri, 9 Dec 1994 20:18:27 -0800 Received: from netcom19.netcom.com (pascal@netcom19.netcom.com [192.100.81.132]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id UAA00889 for ; Fri, 9 Dec 1994 20:18:20 -0800 Received: by netcom19.netcom.com (8.6.9/Netcom) id UAA07676; Fri, 9 Dec 1994 20:17:15 -0800 Date: Fri, 9 Dec 1994 20:17:15 -0800 From: pascal@netcom.com (Richard A Childers) Message-Id: <199412100417.UAA07676@netcom19.netcom.com> To: Firewalls@GreatCircle.COM Subject: SQL-Net across firewalls Cc: `@netcom.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk "From: Eric Eigenfeld Date: Thu, 8 Dec 1994 22:51:37 -0800 Subject: SQL-Net across firewall "What are the implications of allowing SQL*Net (or similar) service across a firewall (tis fwtk)?" In general, I'd think it could be catastrophic. This would allow a person to, at the very least, query your databases. At the very worst, they could gain DBA access, and (a) rewrite your database with arbitrary data, or (b) have your database generate checks to numbered accounts in Switzerland, or (c) totally erase it, forcing you to spend valuable hours or days restoring it, or (d) they could exercise options (b), (a), and (c), in that order, the better to muddle the trail. Having worked for both Oracle and Ingres, I can say that database security is not a strong point in the design of most databases, and they tend to be very trusting of networks and operating systems. ( As well they should ... it's enough work getting a high-level sort algorithm to work without under- -taking fixing all of the problems in the platform's OS and networking infra- -structure. ) -- richard Pontius Pilate was politically correct. So was Benedict Arnold. So was Mssr Quisling ... 
richard childers san francisco, california pascal@netcom.com From firewalls-owner Sun Dec 11 11:15:14 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA16594 for firewalls-outgoing; Sun, 11 Dec 1994 10:51:07 -0800 Received: from ki1.chemie.fu-berlin.de (ki1.chemie.fu-berlin.de [130.133.2.21]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA16589 for ; Sun, 11 Dec 1994 10:51:01 -0800 Received: by ki1.chemie.fu-berlin.de (Smail3.1.28.1) from odb.rhein-main.de (193.141.47.4) with smtp id ; Sun, 11 Dec 94 19:49 MET Received: from [193.141.47.129] by odb.rhein-main.de with smtp (Smail3.1.28.1 #5) id m0rGtJV-0003gfC; Sun, 11 Dec 94 19:48 MET Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sun, 11 Dec 1994 19:49:00 +0100 To: "Thompson, Dave: GTIS" , firewalls From: maass@odb.rhein-main.de (Joerg Maass) Subject: Re: "shared" firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi Dave, At 8:12 Uhr 09.12.1994 -0500, Thompson, Dave: GTIS wrote: >I would like to get some feedback on the concept of "sharing" one firewall >between two or more independent organizations (ie. separate small >organizations administering independent networks wishing to gain Internet >access). Has anyone out there tried this or does anyone know of any reason >why this would or would not be advisable. If anyone can point us towards >specific tools it would be greatly appreciated. > This is more of a legal and organizational issue than a technical one. Questions are: - Who is responsible for maintaining the firewall and the address space? - Are illegal addresses being used in the combined networks? - Should there be a path between the two networks other than through the firewall? - How are escalations being handled in case of a breakin? - Who will be responsible (a VERY difficult question :-)? Technically, the problems of two networks connecting through one firewall can be solved.
The organizational and political implications are much harder to solve. However, if you look for commercial firewalls (including a possible outsourcing), check with your local Digital Equipment sales office or try: SEAL page : http://www.digital.com/info/seal.html FTPable documents : ftp://ftp.digital.com/ United States Contact: Dick Calandrella at 508-496-8626 Kind regards Joerg Maass -- Am Tiergarten 22 Tel.: +49/69/4990880 D-60316 Frankfurt Fax : +49/6103/383-157 Germany privat: maass@thinkfish.rhein-main.de biz.: Joerg.Maass@frs.mts.dec.com PGP signature available upon request. From firewalls-owner Sun Dec 11 11:45:19 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA16794 for firewalls-outgoing; Sun, 11 Dec 1994 11:41:58 -0800 Received: from CSOS.ORST.EDU (root@CSOS.ORST.EDU [128.193.40.17]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA16789 for ; Sun, 11 Dec 1994 11:41:49 -0800 Received: from localhost (lazore@localhost [127.0.0.1]) by CSOS.ORST.EDU (8.6.9/8.6.6) with ESMTP id LAA15485; Sun, 11 Dec 1994 11:38:32 -0800 Message-Id: <199412111938.LAA15485@CSOS.ORST.EDU> To: petroca@acasun.eckerd.edu (Chris A. Petro) cc: firewalls@greatcircle.com Subject: Re: students In-reply-to: Your message of "Fri, 09 Dec 1994 04:54:51 EST." <9412090954.AA08653@acasun.eckerd.edu> Date: Sun, 11 Dec 1994 11:38:31 -0800 From: Ed Lazor Sender: firewalls-owner@GreatCircle.COM Precedence: bulk message-id: <9412090954.AA08653@acasun.eckerd.edu> from: petroca@acasun.eckerd.edu (Chris A. Petro) >> Traps? Get over it. A lot of people who happen to be students right now >> are also setting up nets at home, and probably have the same worries as >> big corporate IS types, just on a smaller scale. Dorms are peppered with >> linux boxes these days... > >I don't keep anything sensitive on my box... I wouldn't want it behind a >firewall if I had a choice about it. why would you choose not to use a firewall? 
Are you saying that you feel that nothing is really safe? From firewalls-owner Sun Dec 11 16:48:05 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA01009 for firewalls-outgoing; Sun, 11 Dec 1994 16:22:04 -0800 Received: from miles.greatcircle.com (localhost [127.0.0.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA00976; Sun, 11 Dec 1994 16:21:43 -0800 Message-Id: <199412120021.QAA00976@miles.greatcircle.com> Date: Sun, 11 Dec 1994 16:21:42 -0800 From: Brent Chapman Subject: Administrivia: IP address changes at GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Apparently-To: firewalls-outgoing ------- Blind-Carbon-Copy To: Brent@greatcircle.com Subject: Administrivia: IP address changes at GreatCircle.COM Date: Sun, 11 Dec 1994 16:21:42 -0800 From: Brent Chapman FYI, we're changing our IP addresses (a necessary part of switching to our new 56 kb/s frame relay service), so there may be some transient problems over the next few days reaching various GreatCircle.COM machines (i.e., FTP.GreatCircle.COM, WWW.GreatCircle.COM, WAIS.GreatCircle.COM, etc.). Hopefully everything will stabilize no later than the end of the week. If you have trouble reaching one of our machines, just try again later; if the trouble persists for more than a day or two, please let us know by sending email to "root@GreatCircle.COM" or by calling us at 800-270-2562 (please ask to leave a message for Brent or Michael; the number is +1 415 962 0841 from outside the USA). Our apologies for any inconvenience, but I think we're all going to be much happier with our new, faster connection. 
- -Brent - -- Brent Chapman | Great Circle Associates | Call or email for info about Brent@GreatCircle.COM | 1057 West Dana Street | upcoming Internet Security +1 415 962 0841 | Mountain View, CA 94041 | Firewalls Tutorial dates ------- End of Blind-Carbon-Copy From firewalls-owner Mon Dec 12 04:09:51 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id DAA10140 for firewalls-outgoing; Mon, 12 Dec 1994 03:44:27 -0800 Received: from chenas.inria.fr (chenas.inria.fr [192.134.192.136]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id DAA10135 for ; Mon, 12 Dec 1994 03:44:22 -0800 Received: from edf.edf.fr by chenas.inria.fr (5.65c8d/92.02.29) via Fnet-EUnet id AA16299; Mon, 12 Dec 1994 12:42:59 +0100 (MET) Received: from cli57aa.asr.ici (cli57aa.der.edf.fr) by edf.edf.fr with SMTP id AA09896 (5.65c8/IDA-1.4.4); Mon, 12 Dec 1994 12:44:42 +0100 Received: by cli57aa.asr.ici (5.0/SMI-SVR4) id AA06806; Mon, 12 Dec 1994 12:43:44 --100 Date: Mon, 12 Dec 1994 12:43:44 --100 From: Yves.Dherbecourt@der.edf.fr (Yves Dherbecourt - IMA/ICI/ASR - 47653790) Message-Id: <9412121143.AA06806@cli57aa.asr.ici> To: Firewalls@greatcircle.com, pascal@netcom.com Cc: `@netcom.com Subject: Re: SQL-Net across firewalls Content-Length: 1761 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From: pascal@netcom.com (Richard A Childers) >To: Firewalls@greatcircle.com >Subject: SQL-Net across firewalls >Cc: `@netcom.com > > >"From: Eric Eigenfeld > Date: Thu, 8 Dec 1994 22:51:37 -0800 > Subject: SQL-Net across firewall > >"What are the implications of allowing SQL*Net (or similar) > service across a firewall (tis fwtk)?" > > >In general, I'd think it could be catastrophic. > >This would allow a person to, at the very least, query your databases. 
> >At the very worst, they could gain DBA access, and > > (a) rewrite your database with arbitrary data, or > (b) have your database generate checks to numbered > accounts in Switzerland, or > (c) totally erase it, forcing you to spend valuable > hours or days restoring it, or > (d) they could exercise options (b), (a), and (c), > in that order, the better to muddle the trail. > >Having worked for both Oracle and Ingres, I can say that database security >is not a strong point in the design of most databases, and they tend to be >very trusting of networks and operating systems. ( As well they should ... >it's enough work getting a high-level sort algorithm to work without under- >-taking fixing all of the problems in the platform's OS and networking infra- >-structure. ) > > >-- richard > OK. But what about an SQL*Net proxy with strong authentication (S/Key, SecurID, ...)? Is such a beast feasible (I don't know the SQL*Net protocol well), and very different from existing proxies with authentication (tn-gw, for example)? Or, if integrating authentication is the problem, why not fall back on an Xproxy-like solution, i.e. fork the SQL proxy from the tn-gw, after authentication of the user.
Yves Dherbecourt - Electricite de France / Etudes et Recherches From firewalls-owner Mon Dec 12 05:39:47 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA10860 for firewalls-outgoing; Mon, 12 Dec 1994 05:29:21 -0800 Received: from research.att.com (research.att.com [192.20.225.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA10855 for ; Mon, 12 Dec 1994 05:29:17 -0800 From: smb@research.att.com Message-Id: <199412121329.FAA10855@miles.greatcircle.com> Received: by gryphon; Mon Dec 12 08:25:40 EST 1994 To: Yves.Dherbecourt@der.edf.fr (Yves Dherbecourt - IMA/ICI/ASR - 47653790) cc: Firewalls@greatcircle.com, pascal@netcom.com Subject: Re: SQL-Net across firewalls Date: Mon, 12 Dec 94 08:25:39 EST Sender: firewalls-owner@GreatCircle.COM Precedence: bulk OK. But what about an SQL*Net proxy with strong authentication (S/Key, SecurID , ...) ? Authentication is only half the problem. Is SQL*Net sufficiently bug-free that one should trust it to be exposed to the outside world? I should note that I have no idea of the answer here; I'm merely posing the question. From firewalls-owner Mon Dec 12 08:10:11 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA11635 for firewalls-outgoing; Mon, 12 Dec 1994 08:03:54 -0800 Received: from po.gis.prc.com (po.gis.prc.com [140.188.128.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA11630 for ; Mon, 12 Dec 1994 08:03:50 -0800 Message-ID: Date: 12 Dec 1994 10:04:06 -0500 From: "Server #7000007" Subject: Undeliverable Mail X-Mailer: Mail*Link SMTP/MS 3.0.0 Apparently-To: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Unknown Microsoft mail form. Approximate representation follows. Message: Firewalls-Digest V3 #449 Sent: Sat, Dec 10, 1994 12:34 AM To: Harris Tom On Server: PRC Bellevue NE MS Date: Mon, Dec 12, 1994 10:04 AM Reason: Could not be delivered because the destination Microsoft Mail server could not be found. 
From firewalls-owner Mon Dec 12 13:40:03 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA14143 for firewalls-outgoing; Mon, 12 Dec 1994 13:32:47 -0800 Received: from pserv1.dot.state.az.us (pserv1.dot.state.az.us [162.59.10.28]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA14138 for ; Mon, 12 Dec 1994 13:32:43 -0800 Received: by pserv1.dot.state.az.us (5.65c/1.921207) id AA06819; Mon, 12 Dec 1994 14:30:39 -0700 From: tom@pserv1.dot.state.az.us (Tom Brink) Message-Id: <199412122130.AA06819@pserv1.dot.state.az.us> Subject: Minimal fingerd To: firewalls@greatcircle.com (Firewalls) Date: Mon, 12 Dec 94 14:30:39 MST Reply-To: tom@pserv1.dot.state.az.us X-Mailer: ELM [version 07.05.00.00 (2.3 PL11)] X-Organization: Arizona Department of Transportation Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I was requested to run fingerd on our firewall. We don't want to use the normal fingerd, only return an informational message to the effect- ***Contact soandso for further information***. Is there a 'bland' fingerd that will do this, something VERY simple? Or would I just be better off not doing this at all? 
-- Tom Brink tom@dot.state.az.us Technical Support Specialist Technical Research Center Information Services Group Arizona Department of Transportation

From firewalls-owner Mon Dec 12 14:40:00 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA14807 for firewalls-outgoing; Mon, 12 Dec 1994 14:35:21 -0800 Received: from dickory.SDSU.Edu (dickory.sdsu.edu [130.191.163.56]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA14802 for ; Mon, 12 Dec 1994 14:35:17 -0800 Received: by dickory.SDSU.Edu (4.1/SDSU-Complex) id AA04152 for delivery to firewalls@greatcircle.com; Mon, 12 Dec 94 14:34:23 PST Date: Mon, 12 Dec 1994 14:30:37 -0800 (PST) From: Jason Matthews Subject: Re: Minimal fingerd To: Tom Brink Cc: Firewalls In-Reply-To: <199412122130.AA06819@pserv1.dot.state.az.us> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> I was requested to run fingerd on our firewall. We don't want to use
> the normal fingerd, only return an informational message to the effect-
> ***Contact soandso for further information***. Is there a 'bland'
> fingerd that will do this, something VERY simple? Or would I just be
> better off not doing this at all?

Let's not overlook the obvious...

    #include <stdio.h>

    /* started by inetd: whatever is printed goes straight back down the finger connection */
    int main(void)
    {
        printf("\n **** Contact tom@pserv1.dot.state.az.us for more information ***\n");
        return 0;
    }

Or am I missing something?

Jason

From firewalls-owner Mon Dec 12 14:53:43 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA14545 for firewalls-outgoing; Mon, 12 Dec 1994 14:18:02 -0800 Received: from relay.tis.com (firewall_user@relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA14540 for ; Mon, 12 Dec 1994 14:17:57 -0800 Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma019575; Mon Dec 12 17:16:45 1994 Received: from otter.tis.com.
by tis.com (4.1/SUN-5.64) id AA20712; Mon, 12 Dec 94 17:14:25 EST From: Marcus J Ranum Message-Id: <9412122214.AA20712@tis.com> Subject: Re: Minimal fingerd To: tom@pserv1.dot.state.az.us Date: Mon, 12 Dec 1994 17:19:34 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: <199412122130.AA06819@pserv1.dot.state.az.us> from "Tom Brink" at Dec 12, 94 02:30:39 pm Organization: Trusted Information Systems, Inc. Glenwood, MD Phone: 301-854-6889 Content-Type: text Content-Length: 823 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Tom Brink writes:
>
> I was requested to run fingerd on our firewall. We don't want to use
> the normal fingerd, only return an informational message to the effect-
> ***Contact soandso for further information***. Is there a 'bland'
> fingerd that will do this, something VERY simple? Or would I just be
> better off not doing this at all?

A simple approach would be to have an entry in /etc/inetd.conf like this:

    finger stream tcp nowait nobody /bin/cat cat /etc/go-away.txt

This actually works pretty nicely and is fairly trustworthy. On our firewalls, we use netacl to provide a switching mechanism, so that insiders get fingerd and outsiders get cat:

    netacl-fingerd: permit-hosts 192.33.112.* -exec /usr/libexec/fingerd
    netacl-fingerd: permit-hosts * -exec /bin/cat /usr/local/etc/finger.txt

mjr.
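The replies to Tom Brink's question all describe one small inetd service: inetd hands the accepted connection to a program on stdin/stdout, and that program either prints a fixed text or hands over to the real finger depending on who connected. The C program below is an added example written for this archive; it is not code from the thread, from TIS fwtk or from any of the posters. It combines the peer-address switch of the netacl and shell-wrapper answers with an explicit allow list on the request line (the approach the finger-replacement summary later in the thread argues for) and logs every request line, not just the peer. The inside prefixes, the path to finger and the contact message are assumed placeholders, not values from the thread.

```c
/* Minimal finger responder for inetd. An added example for this thread, not
 * code from the list, from TIS fwtk or from any poster. Policy is in small
 * socket-free functions; main() is the inetd entry point (stdin/stdout).
 * INSIDE_PREFIXES, FINGER_BIN and CONTACT_MSG are assumed placeholders. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <syslog.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define USER_MAX 32
enum action { ACT_MESSAGE, ACT_HANDOFF, ACT_REFUSE };

/* Constructed: loopback plus the RFC 5737 documentation network. */
static const char *INSIDE_PREFIXES[] = { "127.", "192.0.2.", NULL };
static const char FINGER_BIN[] = "/usr/bin/finger";
static const char CONTACT_MSG[] =
    "*** Contact postmaster@example.org for further information ***\r\n";

/* 1 if the dotted-quad peer address begins with an inside prefix: the same
 * textual match the thread's shell wrappers use, so it only cuts on whole
 * octets; anything finer needs a numeric address-and-mask comparison. */
int peer_is_inside(const char *addr)
{
    for (int i = 0; INSIDE_PREFIXES[i] != NULL; i++)
        if (strncmp(addr, INSIDE_PREFIXES[i], strlen(INSIDE_PREFIXES[i])) == 0)
            return 1;
    return 0;
}

/* Explicit allow list: one user name of 1..USER_MAX bytes from [A-Za-z0-9._-]
 * that starts with a letter or digit. Rejects the empty request (everyone
 * logged in), "user@host" forwarding, the "/W" switch, a leading "-" (an
 * option to finger) and any control or non-ASCII byte. 1 when allowed. */
int request_is_allowed(const char *req)
{
    size_t n = strlen(req);
    if (n == 0 || n > USER_MAX)
        return 0;
    for (size_t i = 0; i < n; i++) {
        char c = req[i];
        int alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                    (c >= '0' && c <= '9');
        if (!alnum && (i == 0 || (c != '.' && c != '_' && c != '-')))
            return 0;
    }
    return 1;
}

/* Strips the trailing CR/LF of a request line in place; returns req. */
char *trim_crlf(char *req)
{
    size_t n = strlen(req);
    while (n > 0 && (req[n - 1] == '\n' || req[n - 1] == '\r'))
        req[--n] = '\0';
    return req;
}

/* The netacl-style switch: outsiders always get the canned message;
 * insiders get the real finger for a well-formed request, else a refusal. */
enum action decide(const char *peer, const char *req)
{
    if (!peer_is_inside(peer))
        return ACT_MESSAGE;
    return request_is_allowed(req) ? ACT_HANDOFF : ACT_REFUSE;
}

int main(void)
{
    struct sockaddr_in sin;
    socklen_t sl = sizeof sin;
    char peer[INET_ADDRSTRLEN], req[512];

    openlog("minifingerd", LOG_PID, LOG_DAEMON);
    /* inetd hands us the accepted socket as stdin; IPv4 only, as in 1994. */
    if (getpeername(STDIN_FILENO, (struct sockaddr *)&sin, &sl) < 0 ||
        sin.sin_family != AF_INET ||
        inet_ntop(AF_INET, &sin.sin_addr, peer, sizeof peer) == NULL ||
        fgets(req, sizeof req, stdin) == NULL)
        return 1;
    trim_crlf(req);
    /* Log the whole request line, not just the peer, for early warning. */
    syslog(LOG_INFO, "request from %s: \"%s\"", peer, req);

    switch (decide(peer, req)) {
    case ACT_MESSAGE:
        fputs(CONTACT_MSG, stdout);
        return 0;
    case ACT_REFUSE:
        syslog(LOG_WARNING, "refused request from %s: \"%s\"", peer, req);
        fputs("Request refused.\r\n", stdout);
        return 0;
    case ACT_HANDOFF:
        /* Only the validated name reaches finger; its output is the reply. */
        execl(FINGER_BIN, "finger", req, (char *)NULL);
        syslog(LOG_ERR, "exec %s failed", FINGER_BIN);
        return 1;
    }
    return 1;
}
```

Install it the same way as the other answers, with an inetd.conf line of the form `finger stream tcp nowait nobody /usr/local/etc/minifingerd minifingerd` (an assumed path), and check it from both sides of the firewall. The policy functions take only strings, so they can be exercised without a socket; the trade-off against the shell wrapper is that the validated name is passed to finger directly, so the `finger @gateway@host` forwarding trick from the inside is deliberately not available.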
From firewalls-owner Mon Dec 12 15:10:11 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA14726 for firewalls-outgoing; Mon, 12 Dec 1994 14:28:16 -0800 Received: from uni (uni.ins.com [199.0.193.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA14721 for ; Mon, 12 Dec 1994 14:28:12 -0800 Received: from beames.ins.com (beames.ins.com [199.0.193.42]) by uni (8.6.8.1/8.6.6) with SMTP id OAA15725; Mon, 12 Dec 1994 14:26:36 -0800 Date: Mon, 12 Dec 1994 14:26:36 -0800 Message-Id: <199412122226.OAA15725@uni> X-Sender: beames@uni.ins.com (Unverified) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: lviding@expressen.se, firewalls@GreatCircle.COM, garryh@seeding.apple.com From: Ken_Beames@ins.com (Ken Beames) Subject: Re: Appletalk firewall ? X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 09:57 AM 12/9/94 +0100, lviding@expressen.se wrote: >Hi, > >Does anyone know of a firewall for appletalk? > >We have several ISDN and async connections for LAN -> LAN and Client -> LAN. >Today we must set up several dedicated Macintoshes including ISDN/async modems >on separate LANs. >It would be very nice to concentrate all ISDN/async modems on one unsafe LAN >and then filter through a firewall, like in the Internet world. > > >Thanks in advance! > >Lars Viding >EXPRESSEN/Network Manager >SWEDEN > >Email. lviding@expressen.se tel. +46 8 738 37 11 fax. +46 8 656 74 00 > > If the macs only talk IP to each other, through standard ports, then you can use any ip filtering scheme. If you are using a lot of apple's sharing stuff, then who knows. If the MacTCP guy, garryh@seeding.apple.com is listening, he might have some suggestions/solutions. Gary? -Ken.
-------------------------------------======================================= Ken Beames International Network Services ken_beames@ins.com 415.254.4205<---->pg:800.601.2907 =====================================----------------------------------------

From firewalls-owner Mon Dec 12 15:10:16 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA14819 for firewalls-outgoing; Mon, 12 Dec 1994 14:37:51 -0800 Received: from oscva.orbital.com (oscva.orbital.com [199.36.24.99]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA14814 for ; Mon, 12 Dec 1994 14:37:46 -0800 Received: (from brooks@localhost) by oscva.orbital.com (8.6.9/8.6.9) id RAA10937; Mon, 12 Dec 1994 17:35:40 -0500 From: "Charles E. Brooks" Message-Id: <199412122235.RAA10937@oscva.orbital.com> Subject: Re: Minimal fingerd ... use TIS' netacl ... To: tom@pserv1.dot.state.az.us Date: Mon, 12 Dec 1994 17:35:39 -0500 (EST) Cc: firewalls@GreatCircle.COM, brooks@oscva.orbital.com (Charles E. Brooks) In-Reply-To: <199412122130.AA06819@pserv1.dot.state.az.us> from "Tom Brink" at Dec 12, 94 02:30:39 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 1148 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I use the "netacl" program from TIS' Firewall Toolkit to accomplish this. Below are excerpts from the configuration files. The toolkit is available at ftp.tis.com in /pub/firewalls/toolkit/fwtk-v1.3.tar.Z :

    848 -rw-r--r--  1 122   418175 Nov  4 18:33 fwtk-doc-only.tar.Z
    896 -rw-r--r--  2 122   443363 Nov  4 18:33 fwtk-v1.3.tar.Z

inetd.conf: The standard FINGER is disabled and all accesses routed via netacl.

    #
    # Finger, systat and netstat give out user information which may be
    # valuable to potential "system crackers."  Many sites choose to disable
    # some or all of these services to improve security.
    #
    #finger stream tcp nowait nobody /usr/etc/tcpd in.fingerd
    finger stream tcp nowait nobody /usr/local/etc/netacl fingerd

netperm-table: Any access from hosts on the LOCAL2MY.NET domain get the real FINGER after logging its access. All other hosts get the contents of finger.txt displayed followed by a disconnect.

    netacl-fingerd: permit-hosts *.LOCAL2MY.NET -exec /usr/etc/in.fingerd
    netacl-fingerd: permit-hosts * -exec /bin/cat /usr/local/etc/finger.txt

finger.txt: "Finger is disabled."

/ceb\

From firewalls-owner Mon Dec 12 15:25:34 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA14709 for firewalls-outgoing; Mon, 12 Dec 1994 14:26:50 -0800 Received: from gater3.sematech.org (gater3.sematech.org [192.73.53.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA14704 for ; Mon, 12 Dec 1994 14:26:47 -0800 Received: from gatev3.sematech.org by gater3.sematech.org (8.6.9/F-1.8) with ESMTP id QAA11526; Mon, 12 Dec 1994 16:25:25 -0600 Received: from thecount.eng.sematech.org by GateV1.SEMATECH.Org (PMDF V4.3-10 #5463) id <01HKK9BKUISG984UTJ@GateV1.SEMATECH.Org>; Mon, 12 Dec 1994 16:24:58 -0600 (CST) Received: from localhost.eng.sematech.org by thecount.eng.sematech.org (8.6.9/I-1.8) with SMTP id QAA17452; Mon, 12 Dec 1994 16:24:38 -0600 Date: Mon, 12 Dec 1994 16:24:36 -0600 From: Quentin Fennessy Subject: Re: Minimal fingerd To: tom@pserv1.dot.state.az.us Cc: firewalls@greatcircle.com (Firewalls) Message-id: <199412122224.QAA17452@thecount.eng.sematech.org> Content-transfer-encoding: 7BIT X-Authentication-Warning: thecount.eng.sematech.org: Host localhost.eng.sematech.org didn't use HELO protocol Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Here is our minimal fingerd:

    #! /bin/sh

    # fingerd (modified from DCs telnetd)

    FINGERD="/etc/fingerd"
    PEER=/usr/local/etc/peer-address

    # match acceptable patterns and invoke the standard server

    ADDR="`$PEER`"

    LOOPBACK="127.*"
    SEMATECH="131.153.*"
    GATER3="192.73.53.3"

    EXTERNAL_MESSAGE="\n
    To reach someone at SEMATECH, send mail to firstname.lastname@sematech.org.\n
    (i.e. Jane User -> jane.user@sematech.org).\n
    If you have any questions, send mail to postmaster@sematech.org.\n\n"

    case "$ADDR" in
    # Allow connects from localhost or any host on
    # the SEMATECH internal network.
    $LOOPBACK | $SEMATECH | $GATER3 )
        exec "$FINGERD"
        ;;
    # All others -- abort with message
    *)  echo $EXTERNAL_MESSAGE
        ;;
    esac

    # terminate on fall through

This is run from inetd.conf:

    finger stream tcp nowait nobody /usr/local/etc/fingerd fingerd

peer-address runs getpeername on stdin. If the connect is from off our network the info message is printed, otherwise the real finger is run. I let the 'real' finger be run so that we can do

    $ finger @gateway@some.host.com

from the inside. (a cheap proxy finger).
Quentin Fennessy From firewalls-owner Mon Dec 12 15:37:40 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA14972 for firewalls-outgoing; Mon, 12 Dec 1994 14:49:22 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [143.191.19.67]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA14967 for ; Mon, 12 Dec 1994 14:49:20 -0800 Received: from uni by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-941015) id OAA03299; Mon, 12 Dec 1994 14:45:37 -0800 Received: from beames.ins.com (beames.ins.com [199.0.193.42]) by uni (8.6.8.1/8.6.6) with SMTP id OAA15819; Mon, 12 Dec 1994 14:46:29 -0800 Date: Mon, 12 Dec 1994 14:46:29 -0800 Message-Id: <199412122246.OAA15819@uni> X-Sender: beames@uni.ins.com (Unverified) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: moscone@gtec3.ndhm.gtegsc.com (Nick Moscone), firewalls@GreatCircle.COM From: Ken_Beames@ins.com (Ken Beames) Subject: Re: Connecting Isolated Networks X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 01:55 PM 12/8/94 -0800, Nick Moscone wrote: >Hi, > We currently have a T1 WAN connecting about 30 sites across the USA, and >have 2 Internet connections into our network (1 on the east coast and 1 on >the west). Our security plans involve establishing firewalls at the 2 >sites with the Internet connections, and to establish isolated "dirty" >nets at those 2 sites to support systems which must be accessible from the >Internet. However, we also have requirements to make systems at other sites >accessible. What we're thinking is to also install firewalls & isolated >networks at these sites, and to allow the isolated networks to talk to each >other via the WAN. All routers on the net are Cisco, and we're considering >using Tunneling to connect the "dirty" nets. > > >My question is, are there any potential security risks by allowing "dirty" >traffic to travel over our "clean" network ??? > >Any comments would be appreciated.
Would also be interested in knowing how >other companies handle this. > >Thanks > >Nick Moscone >Manager, Enterprise Network Services >GTE Government Systems >617-455-2098 > > > > What about setting up a dedicated dialup, or isdn link, something slow, or fast, and bridge the subnet? i.e. set up a private dedicated leased, or dialup line, and connect the two like any other WAN connection. just a penny's worth. -Ken. -------------------------------------======================================= Ken Beames International Network Services ken_beames@ins.com 415.254.4205<---->pg:800.601.2907 =====================================---------------------------------------- From firewalls-owner Mon Dec 12 15:43:27 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA15766 for firewalls-outgoing; Mon, 12 Dec 1994 15:38:17 -0800 Received: from ic.co.at (root@ic.co.at [192.92.138.41]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA15750 for ; Mon, 12 Dec 1994 15:38:11 -0800 Received: by ic.co.at id AA16626 (5.67b/IDA-1.5 for firewalls@greatcircle.com); Tue, 13 Dec 1994 01:37:27 GMT Message-Id: <199412130137.AA16626@ic.co.at> Subject: Encrypting tunnels To: firewalls@greatcircle.com Date: Tue, 13 Dec 1994 01:37:26 +0000 (GMT) From: Michael Haberler Reply-To: mah@ic.co.at X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 503 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Is there anybody working on a {ip-authenticating,encrypting,CHAPing,DH-ing} point-to-point-tunnel ala plug-gw? This could solve some of the problems of database-access over firewalls (note that e.g. Oracle uses TCP out-of-band signalling and TCP keepalives, which probably should be catered for.). Something along the lines of a userland swIPe.
-michael -- Michael Haberler mah@eunet.co.at EUnet Austria Ltd A-1090 Vienna, Austria, Thurngasse 8 Tel: +43 (1) 3174969 fax: +43 (1) 3106926 From firewalls-owner Mon Dec 12 16:03:27 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA15294 for firewalls-outgoing; Mon, 12 Dec 1994 15:10:53 -0800 Received: from bwh.harvard.edu (bwh.harvard.edu [134.174.81.34]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA15289 for ; Mon, 12 Dec 1994 15:10:50 -0800 Received: from bwnmr5.bwh.harvard.edu (bwnmr5.bwh.harvard.edu [134.174.81.35]) by bwh.harvard.edu (8.6.9/8.6.9) with ESMTP id SAA03760; Mon, 12 Dec 1994 18:08:47 -0500 From: Adam Shostack X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School Received: from localhost (adam@localhost) by bwnmr5.bwh.harvard.edu (8.6.4/8.6.4) id SAA21442; Mon, 12 Dec 1994 18:08:55 -0500 Message-Id: <199412122308.SAA21442@bwnmr5.bwh.harvard.edu> Subject: Re: Minimal fingerd To: tom@pserv1.dot.state.az.us Date: Mon, 12 Dec 94 18:08:55 EST Cc: firewalls@GreatCircle.COM In-Reply-To: <199412122130.AA06819@pserv1.dot.state.az.us>; from "Tom Brink" at Dec 12, 94 2:30 pm X-PGP: 876BD629 Fingerprint: 70 93 32 D6 36 D4 04 10 40 EC AB 28 A4 1D 0F E2 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk You wrote: | I was requested to run fingerd on our firewall. We don't want to use | the normal fingerd, only return an informational message to the effect- | ***Contact soandso for further information***. Is there a 'bland' | fingerd that will do this, something VERY simple? Or would I just be | better off not doing this at all? ----- This is Adam Shostack's list of finger replacements, v1.2. A current version is available from duke.bwh.harvard.edu:/pub/adam/finger-summary In looking to replace fingerd on my bastion host, I had several requirements. The first, and most important, was security. 
The other requirement was the ability to give out user mail status, subject to security concerns. When speaking of security, I had several requirements. The first was that it not suffer from holes that would allow remote users to execute code on my bastion host. (The worm exploited this bug, amongst others.) The daemon needed to be small in order that the code could be examined for holes, and checked to see that it does what we expect. The fingerd should not give out user directory or shell information; there is no reason to give that out outside, and evil people are known to exploit it. Other information, such as last login time was also not needed. Rather than decide what should not be given out, I wanted the ability to filter the output of the finger program. Remote users really do not need a list of who is logged in at any given time (finger @host), nor do they need to be able to forward finger requests (finger @sun1@sun2, others forward requests as well.) Thus, the ability to filter the requests before processing is also important. Lastly, I wanted to be able to log who is using finger to get early warning of possible attacks. I wanted to be able to log entire finger requests, not just the machine the request came from. I provide brief comments on each of the 'useful' finger daemons that do some or all of what I want. The other daemons listed: GNU finger is too large. Andreas Stolcke made some changes & improvements, including some logging, but it's still too big for my comfort. I'm including pointers to NetBSD and Linux implementations to be complete. Neither does any logging. Someone sent me a pointer to rufingerd, which uses rusers to collect information about users on remote machines. Also has the ability to finger gopher targets, for weather & the like. Smallish at 1600 lines, but no filtering. Does use syslog. There are three replacements which I felt did what I asked for, which was logging and filtering.
* Sfingerd is almost the most restrictive of the three, using a chrooted directory to provide access to plan files etc. Uses syslog. 800 lines. hplyot.obspm.fr:/net/sfingerd-1.8.tar.gz. Jochen Bern has tweaked it into his 1.5b2, even more restrictive. I haven't looked at it yet. He says it's 'not exactly small.' ftp.informatik.uni-trier.de:/pub/unix/sfingerd/

* fingerd-1.1 handles extensive logging via syslog, ident lookups, controls forwarding. The code is small enough to be walked through & verified. 1050 lines. kiwi.foobar.com:/pub/fingerd.tar.gz

* rfingerd is a *very* small perl program that uses its own logfile to trap the log information. Easy to hook in output filters in perl. 143 lines. I would suggest doing some hacking, but it's a good start. You might want to change the input filtering:

    if ($input =~ /[!,@,#,$,%,^,&,*,(,),_,-,+,=,,,|]/) { exit; }

with something that instead has a list of allowable characters. I prefer the 'explicit allow' approach to security code.

    # exit unless every character of the request is in the allowed set
    if ($input !~ /^[\w ,-]*$/) { exit; }

ftp.technet.sg:/pub/unix/bsdi/rfingerd.tgz

Other finger daemons:

GNU finger prep.ai.mit.edu: /pub/gnu/finger-1.37.tar.gz icsi.brkeley.edu:/pub/stolcke/icsi-finger-1.0.23.tar.Z
NetBSD f.ms.uky.edu:/pub2/NetBSD/NetBSD-current/src/libexec/fingerd/
Linux mcsun.eu.net:/os/linux/util/networking/net-2/sources/fingerd/fingerd-560.tar.z mcsun.eu.net:/os/linux/util/networking/net-2/sources/finger/finger-522.tar.z
rufingerd brrcrftp.cr.usgs.gov:/pub/ben/runfingerd.tar.gz

Changes: 1.2 looked at fingerd1.1, Bern sfingerd, added changelog 1.1a added pointers to fingerd1.1, Bern sfingerd

From firewalls-owner Mon Dec 12 21:09:47 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA18745 for firewalls-outgoing; Mon, 12 Dec 1994 21:08:05 -0800 Received: from lykos.netpart.com (lykos.netpart.com [199.35.49.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id VAA18740; Mon, 12 Dec 1994 21:08:01 -0800 Received: from localhost
(phil@localhost) by lykos.netpart.com (8.6.5/8.6.5) id VAA16225; Mon, 12 Dec 1994 21:06:38 -0800 Date: Mon, 12 Dec 1994 21:06:38 -0800 From: Phil Trubey Message-Id: <199412130506.VAA16225@lykos.netpart.com> To: Brent@GreatCircle.COM Subject: Re: JANUS at Internet World Newsgroups: np.firewalls In-Reply-To: Organization: NetPartners, Newport Beach, CA Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In article you write:
>I don't think you should make more postings like this to Firewalls in the
>future. One such announcement from one vendor isn't a problem, but if all
>the vendors announced all their appearances, it would be a problem, and I
>don't see any practical way to draw a line other than to discourage all
>such postings.
>

Which brings up an interesting point - I take it from this and other postings that firewalls@greatcircle.com is not meant for discussion about commercial firewalls? Or is it just that blatantly commercial postings are not allowed? Please clarify.

BTW, the reason I bring this up is that I personally think that a lot of people on this list *would* appreciate a short note telling them where they can see whiz bang commercial product X up close. It's not as if dozens of firewall products are demoed at major shows.

-- Phil Trubey | NetPartners | Providing Internet products and services.
E-mail: phil@netpart.com | Home Page: http://www.netpart.com/ Phone: 714-759-1641 |

From firewalls-owner Mon Dec 12 21:39:44 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA18817 for firewalls-outgoing; Mon, 12 Dec 1994 21:14:02 -0800 Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id VAA18812; Mon, 12 Dec 1994 21:13:59 -0800 X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 12 Dec 1994 21:12:59 -0800 To: Phil Trubey From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: JANUS at Internet World Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 21:06 12/12/94, Phil Trubey wrote:
>In article you write:
>>I don't think you should make more postings like this to Firewalls in the
>>future. One such announcement from one vendor isn't a problem, but if all
>>the vendors announced all their appearances, it would be a problem, and I
>>don't see any practical way to draw a line other than to discourage all
>>such postings.
>>
>
>Which brings up an interesting point - I take it from this and other postings
>that firewalls@greatcircle.com is not meant for discussion
>about commercial firewalls? Or is it just that blatantly commercial
>postings are not allowed? Please clarify.

Discussions of commercial firewalls are encouraged. Blatantly commercial postings by firewalls vendors are discouraged.

>BTW, the reason I bring this up is that I personally think that a
>lot of people on this list *would* appreciate a short note telling
>them where they can see whiz bang commercial product X up close. It's
>not as if dozens of firewall products are demoed at major shows.

Yeah, but if _every_ vendor posted about _every_ show they were going to be at (for instance), it would quickly get out of hand.
I'm considering new guidelines for commercial posts, something like the following:

	Postings should be less than 1 screenful of body (24 lines, not counting mail headers)

	Postings should be clearly tagged in the Subject line as product announcements, conference announcements, calls for papers, or whatever

	Posting should provide basic information, and a pointer (preferably a URL, FTP site, email address, and phone number) for further inquiries by interested readers

	No more than one posting per vendor/conference/whatever per month

	No automatic postings; people should only post when they've got something _new_ to announce

	Posters are encouraged to send an advance copy to Firewalls-Owner before posting, for review and suggestions on avoiding flames and unnecessary controversy

-Brent

-- Brent Chapman | Great Circle Associates | Call or email for info about Brent@GreatCircle.COM | 1057 West Dana Street | upcoming Internet Security +1 415 962 0841 | Mountain View, CA 94041 | Firewalls Tutorial dates

From firewalls-owner Tue Dec 13 01:39:41 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA20493 for firewalls-outgoing; Tue, 13 Dec 1994 01:38:33 -0800 Received: from eros.britain.eu.net (eros.Britain.EU.net [192.91.199.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id BAA20487 for ; Tue, 13 Dec 1994 01:38:26 -0800 Received: from juno-gate by eros.britain.eu.net with UUCP id ; Tue, 13 Dec 1994 09:36:57 +0000 Received: from orion.Windmill by diasemi.co.uk (4.1/SMI-4.1) id AA00380; Tue, 13 Dec 94 09:36:16 GMT Received: by orion.Windmill (4.1/SMI-4.1) id AA17016; Tue, 13 Dec 94 09:36:15 GMT Date: Tue, 13 Dec 94 09:36:15 GMT From: gray@diasemi.co.uk (Dick Gray) Message-Id: <9412130936.AA17016@orion.Windmill> To: firewalls@GreatCircle.COM Subject: Re: JANUS at Internet World Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

brent@miles.greatcircle.com wrote:
> Yeah, but if _every_ vendor posted about _every_ show they were
going to > be at (for instance), it would quickly get out of hand. Don't mailing list discussions get out of hand very quickly anyway? Dick From firewalls-owner Tue Dec 13 02:42:44 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA21195 for firewalls-outgoing; Tue, 13 Dec 1994 02:30:05 -0800 Received: from srv.cip.physik.tu-muenchen.de (srv.cip.physik.tu-muenchen.de [129.187.41.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id CAA21180 for ; Tue, 13 Dec 1994 02:29:49 -0800 Received: from ss3.cip.physik.tu-muenchen.de by srv.cip.physik.tu-muenchen.de with SMTP id AA27005 for (5.67a/IDA-1.5/bs03); Tue, 13 Dec 1994 11:27:04 +0100 Message-Id: <199412131027.AA27005@srv.cip.physik.tu-muenchen.de> To: tom@pserv1.dot.state.az.us Cc: firewalls@greatcircle.com (Firewalls) Subject: Re: Minimal fingerd In-Reply-To: Your message of "Mon, 12 Dec 94 14:30:39 MST." <199412122130.AA06819@pserv1.dot.state.az.us> Date: Tue, 13 Dec 94 11:27:04 +0100 From: Bernhard.Schneck@Physik.TU-Muenchen.DE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In message <199412122130.AA06819@pserv1.dot.state.az.us> you write: > I was requested to run fingerd on our firewall. [...] 
how about (in inetd.conf):

	finger	stream	tcp	nowait	nobody	/bin/cat	cat /the/finger.txt

(in Germany, you might want to rename /the/finger.txt to effe.txt after the German soccer player Stephan Effenberg at World Cup '94 ;-) )

From firewalls-owner Tue Dec 13 07:39:51 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA25065 for firewalls-outgoing; Tue, 13 Dec 1994 07:12:49 -0800 Received: from pserv1.dot.state.az.us (pserv1.dot.state.az.us [162.59.10.28]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA25060 for ; Tue, 13 Dec 1994 07:12:41 -0800 Received: by pserv1.dot.state.az.us (5.65c/1.921207) id AA18184; Tue, 13 Dec 1994 08:10:54 -0700 From: tom@pserv1.dot.state.az.us (Tom Brink) Message-Id: <199412131510.AA18184@pserv1.dot.state.az.us> Subject: Thank You (was Minimal fingerd) To: firewalls@greatcircle.com (Firewalls) Date: Tue, 13 Dec 94 8:10:53 MST Reply-To: tom@pserv1.dot.state.az.us X-Mailer: ELM [version 07.05.00.00 (2.3 PL11)] X-Organization: Arizona Department of Transportation Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I got MANY responses on my fingerd question (see below). To summarize, they fell roughly into two categories-

1) Modify finger in /etc/inetd.conf to cat a text file. A nice twist to this was to use TIS netacl, providing one finger for outside users and one finger for inside users (thanks mjr).

2) Hybrid fingers (written in perl or c). Many pointers and good ideas.

Since some of this was emailed directly to me, I can email back the entire thread for anyone that wants it.

tom

Tom Brink writes:
>
> I was requested to run fingerd on our firewall. We don't want to use
> the normal fingerd, only return an informational message to the effect-
> ***Contact soandso for further information***. Is there a 'bland'
> fingerd that will do this, something VERY simple? Or would I just be
> better off not doing this at all?
-- Tom Brink tom@dot.state.az.us Technical Support Specialist Technical Research Center Information Services Group Arizona Department of Transportation From firewalls-owner Tue Dec 13 08:09:47 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA25427 for firewalls-outgoing; Tue, 13 Dec 1994 08:06:52 -0800 Received: from wopia.wo.erim.org (wopia.wo.erim.org [192.160.189.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA25422 for ; Tue, 13 Dec 1994 08:06:49 -0800 From: rich@wo.erim.org Received: by wopia.wo.erim.org (920330.SGI/SMI-4.1) id AA27991; Tue, 13 Dec 94 10:55:05 -0500 Date: Tue, 13 Dec 1994 10:55:05 +30000 To: Chuck Milam Cc: firewalls@greatcircle.com Subject: Re: DOS Ping? In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Does anyone know of a good Dos-based Ping program that returns a simple > "alive" or "dead" message? Novell's LAN Workplace for DOS has a Ping program in it that basically responds with "192.XXX.XXX.XXX is alive" or "No Response from 192.XXX.XXX.XXX". It comes as part of Novell's TCP/IP for the PC program. *********************************************************************** Richard S. 
Roomian Research Scientist Environmental Research Institute of Michigan 1101 Wilson Boulevard, Suite 1100 Arlington, VA 22209 Voice: 703-528-5250 x 4139 FAX: 703-524-3527 *********************************************************************** From firewalls-owner Tue Dec 13 08:43:19 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA25683 for firewalls-outgoing; Tue, 13 Dec 1994 08:27:20 -0800 Received: from wolfe.wimsey.com (root@wolfe.wimsey.com [198.162.16.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA25659; Tue, 13 Dec 1994 08:26:57 -0800 Received: by wolfe.wimsey.com (Smail3.1.28.1 #9) id m0rHa2S-0006RVC; Tue, 13 Dec 94 08:25 PST Received: by ilinx.com (/\oo/\ Smail3.1.29.1 #29.6) id ; Tue, 13 Dec 94 08:13 PST Message-Id: Received: by miro.ilinx.com id ; Tue, 13 Dec 94 08:18:49 -0800 From: brian@imcon.ilinx.com To: Brent@GreatCircle.COM Subject: Re[2]: JANUS at Internet World Cc: firewalls@GreatCircle.COM Date: Tue, 13 Dec 1994 08:18:48 -0700 (PST) X-Mailer: Ishmail 1.0-hp-941109 Available via anonymous ftp from ftp.halsoft.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk from the quill of Brent@GreatCircle.COM (Brent Chapman) > Posters are encouraged to send an advance copy to Firewalls-Owner > before posting, for review and suggestions on avoiding flames and > unnecessary controversy > Perhaps posters of commercial material should *be required* to send the posting to you for posting, if appropriate. Kind of like a "moderated" channel to the list distribution. If people then insist on continually posting commercials without going through the moderated channel, your list processor can exclude them from posting to the list. This last step is usually not necessary (thank goodness). Thots? b. -- Brian J. Murrell brian@ilinx.com InterLinx Support Services, Inc. brian@wimsey.com North Vancouver, B.C. 
604 983 UNIX Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD From firewalls-owner Tue Dec 13 09:10:12 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA25734 for firewalls-outgoing; Tue, 13 Dec 1994 08:29:14 -0800 Received: from telemann.inoc.dl.nec.com (telemann.inoc.dl.nec.com [143.101.112.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA25729 for ; Tue, 13 Dec 1994 08:29:11 -0800 Received: by telemann.inoc.dl.nec.com (8.6.9/YDL1.9.1-940729.15) id KAA17632(telemann.inoc.dl.nec.com); Tue, 13 Dec 1994 10:27:19 -0600 Received: by texas.syl.dl.nec.com (8.6.9/YDL1.9-930614.17) id KAA02827(texas.syl.dl.nec.com); Tue, 13 Dec 1994 10:27:18 -0600 Received: by warbucks.syl.dl.nec.com (8.6.9/YDL1.9.1-940729.15) id KAA17640(warbucks.syl.dl.nec.com); Tue, 13 Dec 1994 10:27:17 -0600 Date: Tue, 13 Dec 1994 10:27:17 -0600 From: ylee@syl.dl.nec.com (Ying-Da Lee) Message-Id: <199412131627.KAA17640@warbucks.syl.dl.nec.com> To: firewalls@greatcircle.com, petroca@acasun.eckerd.edu Subject: Re: Information please Cc: ylee@syl.dl.nec.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >for a while I was trying to get talk to work. one person made a >suggestion on the socks list about how to do it, but if it does indeed >work, it would tend to imply a security hole in socks -- one that would >let me run any kind of a server inside of a firewall and let it receive >from any address. I'm assuming that this isn't so. has anyone had any >experience with this? > >of course, there's other ways to get around socks outgoing-only/established >limitations anyway. Can you expand on that and give details of what you are referring to? What you have said so far is way too vague for any serious discussion. If there are problems with SOCKS I and many others would definitely be very interested to know. 
Ying-Da Lee (214)518-3490 (214)518-3552 (FAX) Principal Member, Technical Staff NEC Systems Laboratory, C&C Software Technology Center ylee@syl.dl.nec.com Speaking only for myself. From firewalls-owner Tue Dec 13 09:12:30 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA25782 for firewalls-outgoing; Tue, 13 Dec 1994 08:34:38 -0800 Received: from real.com (eagle.real.com [199.97.122.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA25777 for ; Tue, 13 Dec 1994 08:34:33 -0800 Date: Tue, 13 Dec 1994 11:33:54 -0500 From: bret@real.com (Bret McDanel) Received: by real.com (8.6.8.1/3.2.012693-Realistic Technologies Inc); id LAA07941 for firewalls@greatcircle.com; Tue, 13 Dec 1994 11:33:54 -0500 Message-Id: <199412131633.LAA07941@real.com> To: firewalls@greatcircle.com Subject: Re: Minimal fingerd Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From firewalls-owner@GreatCircle.COM Mon Dec 12 22:53:51 1994 > Date: Mon, 12 Dec 1994 14:30:37 -0800 (PST) > From: Jason Matthews > Subject: Re: Minimal fingerd > To: Tom Brink > Cc: Firewalls > Mime-Version: 1.0 > Content-Type> : > TEXT/PLAIN> ; > charset=US-ASCII> > Sender: firewalls-owner@GreatCircle.COM > Content-Length: 489 > > > > I was requested to run fingerd on our firewall. We don't want to use > > the normal fingerd, only return an informational message to the effect- > > ***Contact soandso for further information***. Is there a 'bland' > > fingerd that will do this, something VERY simple? Or would I just be > > better off not doing this at all? > > Let's not over look the obvious... > > > main() > { > printf(\n **** Contact tom@pserv1.dot.state.az.us for more information ***\n"); > } > > Or am I missing something? > > Jason > > well, you'd need to ibnd port 79.. 
the program would prolly look more like:

	/* header names lost in the archive; these are the ones the code uses */
	#include <sys/types.h>
	#include <sys/socket.h>
	#include <sys/time.h>
	#include <sys/wait.h>
	#include <netinet/in.h>
	#include <netdb.h>
	#include <signal.h>
	#include <stdio.h>
	#include <stdlib.h>
	#include <strings.h>
	#include <unistd.h>

	reap()
	{
		int s;
		while(wait(&s)!=-1);
	}

	main(argc,argv)
	int argc;
	char **argv;
	{
		struct sockaddr_in mya,cli_name;
		struct servent *sp;
		fd_set muf;
		int myfd,new,x,maxfd=getdtablesize();
		int cli_len;
		char fingere[81];
		int fp,s,fing_size=sizeof(fingere);

		signal(SIGCLD,reap);
		if (argc<3) {
			printf("Useage: %s port logfile\n",argv[0]);
			exit(1);
		}
		if((myfd=socket(AF_INET,SOCK_STREAM,0))<0) exit(1);
		cli_len=sizeof(cli_name);
		mya.sin_family=AF_INET;
		bzero(&mya.sin_addr,sizeof(mya.sin_addr));
		if((sp=getservbyname(argv[1],"tcp"))==(struct servent *)0){
			if (atoi(argv[1]) <=0) {
				printf("%s: port must be greater than 0\n",argv[0]);
				exit(1);
			}
			mya.sin_port=htons(atoi(argv[1]));
		} else
			mya.sin_port=sp->s_port;
		if(bind(myfd,(struct sockaddr *)&mya,sizeof(mya)))exit(1);
		if(listen(myfd,1)<0)exit(1);
	loop:
		FD_ZERO(&muf);
		FD_SET(myfd,&muf);
		if(select(myfd+1,&muf,0,0,0)!=1||!FD_ISSET(myfd,&muf))goto loop;
		if((new=accept(myfd,0,0))<0)goto loop;
		if(fork()==0){
			for(x=2;x

; Tue, 13 Dec 1994 08:24:41 -0800 Received: from by ix2.ix.netcom.com (8.6.9/SMI-4.1/Netcom) id GAA03922; Tue, 13 Dec 1994 06:53:02 -0800 Date: Tue, 13 Dec 1994 06:53:02 -0800 Message-Id: <199412131453.GAA03922@ix2.ix.netcom.com> From: actuary@ix.netcom.com (LIONEL GOLDBERG) Subject: Court Ordered Liquidation - Computer Memory - CPU's & Disk Drives To: dark-shadows@sunee.waterloo.ca Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Choice Trading Company, Court Appointed Liquidators, have been assigned to liquidate the following Multi-Million Dollar inventory of computer Memory Chips, CPU's and Hard Disk Drives. All items are new and come with applicable manufactures warranty. Prices quoted include all state and local taxes plus shipping and handling. Order Cost Number Mfg.
Description (EACH) Memory 1524 Toshiba 30 Pin Simms 1x3 70ns 1 meg $ 25.00 1525 Toshiba 30 Pin Simms 1x9 70ns 1 meg 25.00 1526 Toshiba 30 Pin Simms 4x9 70ns 4 meg 100.00 1527 Toshiba 30 Pin Simms 1x3 60ns 1 meg 26.00 1528 Toshiba 30 Pin Simms 1x9 60ns 1 meg 26.00 1529 Toshiba 30 Pin Simms 4x9 60ns 4 meg 106.00 1624 Toshiba 72 Pin Simms 512x36 70ns 2 meg 50.00 1625 Toshiba 72 Pin Simms 1x36 70ns 4 meg 100.00 1626 Toshiba 72 Pin Simms 2x36 70ns 8 meg 200.00 1627 Toshiba 72 Pin Simms 4x36 70ns 16 meg 400.00 1628 Toshiba 72 Pin Simms 8x36 70ns 32 meg 800.00 1624 Toshiba 72 Pin Simms 512x36 60ns 2 meg 52.00 1625 Toshiba 72 Pin Simms 1x36 60ns 4 meg 104.00 1626 Toshiba 72 Pin Simms 2x36 60ns 8 meg 208.00 1627 Toshiba 72 Pin Simms 4x36 60ns 16 meg 416.00 1628 Toshiba 72 Pin Simms 8x36 60ns 32 meg 832.00 Memory for the Macintosh 1122 Toshiba 1 meg x 8 Simm Module 70ns 1 meg 31.00 1123 Toshiba 2 meg x 8 Simm Module 70ns 2 meg 62.00 1124 Toshiba 4 meg x 8 Simm Module 70ns 4 meg 109.00 CPU's 1276 Intel 80486 DX/33 115.00 1277 Intel 80486 DX/50 188.00 1278 Intel 80486 DX-2/66 156.00 1279 Intel 80486 DX-4/75 358.00 1280 Intel 80486 DX-4/100 498.00 1281 Intel Pentium 80501-60 366.00 1282 Intel Pentium 80501-66 453.00 1283 Intel Pentium 80502-90 558.00 Hard Disk Drives Seagate Barracuda Drives 1351 Seagate ST11950N 8ms 3.5" 1.69 GB SCSI 658.00 1352 Seagate ST12550N 8ms 3.5" 2.1 GB SCSI 899.00 1353 Seagate ST15150N 8ms 3.5" 4.2 GB SCSI 1,526.00 1354 Seagate ST31200N 11ms 3.5" 1.05 GB SCSI 538.00 1355 Seagate ST11900N 9ms 3.5" 1.7 GB SCSI 628.00 1366 Seagate ST2400A 9ms 3.5" 2.1 GB SCSI 856.00 1367 Seagate ST15230N 9ms 3.5" 4.29 GB SCSI 1,454.00 1368 Seagate ST41080N 11ms 5.5" 9.08 GB SCSI 2,848.00 Western Digital 1366 Western AC2340 12ms 3.5" 340 MB IDE 122.00 1367 Western AC2420 12ms 3.5" 420 MB IDE 136.00 1368 Western AC2540 12ms 3.5" 540 MB IDE 160.00 1369 Western AC2700 12ms 3.5" 731 MB IDE 230.00 Conner 1372 Connor CFS420A 14ms 3.5" 420 MB IDE 138.00 1373 Connor CFA540A 10ms 
3.5" 540 MB IDE 168.00 1374 Connor CFA1080A 10ms 3.5" 1080 MB IDE 408.00 ORDERING INFORMATION To order please use a company order form/letterhead or if for personal use, use a plain white sheet of paper with your return address. List the items desired by order number, the quantity and total cost. Send your order with check or money order payable to Choice Trading Company to: Choice Trading Company Order Processing Lot #1776 86228 Terminal Annex Los Angeles, Ca. 90086-0228 Orders are processed on a first come basis. Adjustments and refunds will be made immediately for items that have sold out. Please allow 2 to 3 Weeks for shipping. Due to court ordered restrictions we are unable to accept COD, phone or credit card orders. This public offering is valid through December 30, 1994. Any unsold inventories will be auctioned. For auction information please send a self addressed stamped enveloped to: Choice Trading Company Lot #1776 202 So. Broadway Los Angeles, Ca. 90012 (213) 856 6172 If you are unable to use this information, please pass it on to someone who may. Lionel M. Goldberg Actuary From firewalls-owner Tue Dec 13 11:09:41 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA27266 for firewalls-outgoing; Tue, 13 Dec 1994 10:47:09 -0800 Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA27261 for ; Tue, 13 Dec 1994 10:47:06 -0800 Received: from uucp1.UU.NET by relay3.UU.NET with SMTP id QQxudf13369; Tue, 13 Dec 1994 13:45:51 -0500 Received: from ppt.UUCP by uucp1.UU.NET with UUCP/RMAIL ; Tue, 13 Dec 1994 13:45:44 -0500 Received: by ppt.com (4.1/PPT-1.3) id AA14981; Tue, 13 Dec 94 10:27:52 PST From: "david r coelho" Message-Id: <9412131027.ZM14979@ppt.com> Date: Tue, 13 Dec 1994 10:27:51 -0800 X-Mailer: Z-Mail (3.2.0 06sep94) To: firewalls@GreatCircle.COM Subject: spoofing TCP/SYN packets? 
Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

My first line of defense for our network uses a router to filter out all new TCP sessions (e.g. with SYN). We let in all established sessions, and then do additional filtering with a firewall. The idea is that the router lets anything go out, but only lets established sessions come in.

My question is, is there a vulnerability whereby the established incoming TCP packet could be used to open a new TCP session (say login, telnet, etc.) or is the unix (SunOS in my case) kernel tight enough to reject these packets.

-- david r. coelho email: drc@ppt.COM personal productivity tools, inc 43000 christy street voice: (510) 440-3050 fremont, ca 94538-3198 usa fax: (510) 770-0728

From firewalls-owner Tue Dec 13 11:30:20 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA27344 for firewalls-outgoing; Tue, 13 Dec 1994 10:56:03 -0800 Received: from amdahl.amdahl.com (amdahl.com [129.212.11.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA27339 for ; Tue, 13 Dec 1994 10:55:54 -0800 Received: from brittany.oes.amdahl.com by amdahl.amdahl.com with smtp (Smail3.1.28.1 #49) id m0rHcLx-0001ZMC; Tue, 13 Dec 94 10:53 PST Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA20849; Tue, 13 Dec 1994 10:54:03 +0800 Date: Tue, 13 Dec 1994 10:54:03 +0800 From: patrick@oes.amdahl.com (Patrick Horgan) Message-Id: <9412131854.AA20849@brittany.oes.amdahl.com> To: tom@pserv1.dot.state.az.us, jason@dickory.SDSU.Edu Subject: Re: Minimal fingerd Cc: firewalls@greatcircle.com X-Sun-Charset: US-ASCII content-length: 982 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Let's not over look the obvious...
>
>
> main()
> {
> printf(\n **** Contact tom@pserv1.dot.state.az.us for more information ***\n");
> }
>
> Or am I missing something?
>
> Jason
>

How about this in inetd.conf?
	finger	stream	tcp	nowait	nobody	/usr/bin/cat	cat /etc/finger.goaway

Patrick

These opinions are mine, and not Amdahl's (except by coincidence;).

Patrick J. Horgan        | Amdahl Corporation         | Have Sword Will Travel
patrick@oes.amdahl.com   | 1250 East Arques Avenue    |
Phone : (408)992-2779    | P.O. Box 3470 M/S 316      |
FAX   : (408)773-0833    | Sunnyvale, CA 94088-3470   |
O16-2294                 |                            |

From firewalls-owner Tue Dec 13 15:11:56 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA29608 for firewalls-outgoing; Tue, 13 Dec 1994 14:47:34 -0800 Received: from intercon.com (root@intercon.com [149.52.1.88]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA29603 for ; Tue, 13 Dec 1994 14:47:32 -0800 Received: from localhost by intercon.com (Sendmail 8.6.5/940209.RS/940908.JB) id RAA02017; Tue, 13 Dec 1994 17:45:55 -0500 Date: Tue, 13 Dec 1994 17:45:55 -0500 From: jailbait@intercon.com (Jailbait) Message-Id: <199412132245.RAA02017@intercon.com> To: patrick@oes.amdahl.com (Patrick Horgan), jason@dickory.SDSU.Edu, tom@pserv1.dot.state.az.us Subject: Re: Minimal fingerd Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

As a side note, some fingerd's come with a -f option to print a file, and a -S option to print much more limited information about someone. Irix 4.0.5h for one...
JB

From firewalls-owner Tue Dec 13 15:26:51 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA29571 for firewalls-outgoing; Tue, 13 Dec 1994 14:40:59 -0800 Received: from dickory.SDSU.Edu (dickory.sdsu.edu [130.191.163.56]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA29566 for ; Tue, 13 Dec 1994 14:40:53 -0800 Received: by dickory.SDSU.Edu (4.1/SDSU-Complex) id AA05951 for delivery to firewalls@greatcircle.com; Tue, 13 Dec 94 14:39:20 PST Date: Tue, 13 Dec 1994 14:34:40 -0800 (PST) From: Jason Matthews Reply-To: Jason Matthews Subject: Re: Minimal fingerd To: Bret McDanel Cc: firewalls@greatcircle.com In-Reply-To: <199412131633.LAA07941@real.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Tue, 13 Dec 1994, Bret McDanel wrote:

> > Let's not over look the obvious...
> >
> >
> > main()
> > {
> > printf(\n **** Contact tom@pserv1.dot.state.az.us for more information ***\n");
> > }
> >
> > Or am I missing something?
> >
> > Jason
> >
> well, you'd need to ibnd port 79.. the program would prolly look more like:
>
> #include
> #include
> #include
> #include
> #include

[the rest of delete in the interest of sanity]

All you have to do is set up inetd.conf so that inetd will bind the program to port 79 for ya. An entry in /etc/inetd.conf might look like this

	finger	stream	tcp	nowait	nobody	/usr/etc/tcpd	/usr/etc/nofinger

Sure, you can write some fancy code to do a lot of things but ultimately I think this thread started with a guy asking how to send out a generic message. I rather like the 'cat some.text.file' method myself. That method never crossed my mind but it does lend itself to easy changes.
Jason ---------------------------------------------------------------------------- jason@dickory.sdsu.edu San Diego State University jason@mentor.sdsu.edu College of Engineering jason@BOOM.extern.ucsd.edu Electrical*Computer Engineering ---------------------------------------------------------------------------- The following email address are no longer valid odn@LoD.amaranth.com ---------------------------------------------------------------------------- From firewalls-owner Tue Dec 13 16:41:56 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA01005 for firewalls-outgoing; Tue, 13 Dec 1994 16:30:26 -0800 Received: from Getty.edu (smtpgate.getty.edu [153.10.97.97]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA01000 for ; Tue, 13 Dec 1994 16:30:23 -0800 Received: from Getty-Message_Server by Getty.edu with Novell_GroupWise; Tue, 13 Dec 1994 16:30:10 -0800 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Tue, 13 Dec 1994 16:29:08 -0800 From: Wulf Losee To: firewalls@greatcircle.com Subject: Is DEC's SEAL as good as DEC claims? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk DEC's SEAL received a glowing mention in a December 12th _INFOWORLD_ article ("Digital and the Internet: heavy use and security"). Among other things the article claims: "For more than a decade, the Screening External Access Link, or SEAL, has kept Digitial Equipment's mammoth EasyNet completely impervious to outsiders". My immediate response was: "as far as they know". Anyway, all cynicism aside... Is SEAL as great as DEC says it is? Does anyone on the Firewalls list have any experiences with SEAL? Thanks in advance, Wulf ^-^ / = , / | ( ( / } \ \ =/ = \ \ *************************************** Wulf Losee Network Analyst, J. 
Paul Getty Trust Vox: 310.451.6321 Internet: wlosee@getty.edu *************************************** A little rudeness and disrespect can elevate a meaningless interaction to a battle of wills and add drama to an otherwise dull day. --Calvin From firewalls-owner Tue Dec 13 18:09:43 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA01643 for firewalls-outgoing; Tue, 13 Dec 1994 17:44:34 -0800 Received: from SCSW6.SLAC.STANFORD.EDU (SCSW6.SLAC.Stanford.EDU [134.79.24.56]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id RAA01638 for ; Tue, 13 Dec 1994 17:44:29 -0800 Received: from unixhub.SLAC.Stanford.EDU by SCSW6.SLAC.STANFORD.EDU (PMDF V4.3-10 #6987) id <01HKLQDQ5FBK000R8Q@SCSW6.SLAC.STANFORD.EDU>; Tue, 13 Dec 1994 17:43:47 -0800 (PST) Received: by unixhub.SLAC.Stanford.EDU (4.1/SLAC 920508) from charon.SLAC.Stanford.EDU id AA06295; Tue, 13 Dec 94 17:43:03 PST Received: by charon.SLAC.Stanford.EDU (4.1/SLAC 920508) id AA01210; Tue, 13 Dec 94 17:43:03 PST Date: Tue, 13 Dec 1994 17:43:03 -0800 (PST) From: JXH@SLAC.Stanford.EDU (John Halperin) Subject: Re: Minimal fingerd In-reply-to: <199412122308.SAA21442@bwnmr5.bwh.harvard.edu> (message from Adam Shostack on Mon, 12 Dec 1994 18:08:55 -0500 (EST)) To: adam@bwh.harvard.edu Cc: firewalls@greatcircle.com Message-id: <9412140143.AA06295@unixhub.SLAC.Stanford.EDU> X-Envelope-to: firewalls@greatcircle.com Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Date: Mon, 12 Dec 1994 18:08:55 -0500 (EST) > From: Adam Shostack > Sender: firewalls-owner@greatcircle.com > > [...] > > * rfingerd is a *very* small perl program that uses its own > logfile to trap the log information. Easy to hook in output filters > in perl. 143 lines. I would suggest doing some hacking, but its a > good starts. 
> You might want to change the input filtering:
>
> 	if ($input =~ /[!,@,#,$,%,^,&,*,(,),_,-,+,=,,,|]/) { exit; }
>
> with something that instead has a list of allowable characters. I
> prefer the 'explicit allow' approach to security code.
>
> 	if ($input !~ /[\w, ,-]/) { exit; }

The way the test on the last line is written, if $input has _any_ _valid_ characters, it will pass the test. Also, the commas shouldn't be used in the bracketed character set (unless you really want to allow commas in $input). I think that last line should be

	if ($input =~ /[^\w -]/) { exit; }

-- John Halperin Network Group Stanford Linear Accelerator Center (SLAC).

From firewalls-owner Tue Dec 13 19:09:45 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA02068 for firewalls-outgoing; Tue, 13 Dec 1994 18:46:40 -0800 Received: from Sun.COM (Sun.COM [192.9.9.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA02063 for ; Tue, 13 Dec 1994 18:46:37 -0800 Received: from East.Sun.COM (east.East.Sun.COM) by Sun.COM (sun-barr.Sun.COM) id AA21980; Tue, 13 Dec 94 18:45:23 PST Received: from sunrise.East.Sun.COM by East.Sun.COM (4.1/SMI-4.1) id AA17652; Tue, 13 Dec 94 21:45:20 EST Received: from kfir.East.Sun.COM by sunrise.East.Sun.COM (5.0/SMI-5.3-900117) id AA03304; Tue, 13 Dec 1994 21:45:20 -0500 Received: by kfir.East.Sun.COM (5.0/SMI-SVR4) id AA19882; Tue, 13 Dec 1994 21:45:33 +0500 Date: Tue, 13 Dec 1994 21:45:33 +0500 From: stern@sunrise.East.Sun.COM (Hal Stern - NE Area Systems Engineer) Message-Id: <9412140245.AA19882@kfir.East.Sun.COM> To: firewalls@greatcircle.com Subject: radius from livingston? Content-Length: 302 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

i *think* i saw something on this several months ago, but my brain has become a sieve (kids will do that). anyone familiar with the "radius" products for dial-in/dial-back security from livingston? i'm asking on behalf of a customer.
post replies/followups to me and i'll summarize. thanks --hal From firewalls-owner Tue Dec 13 19:25:40 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA02155 for firewalls-outgoing; Tue, 13 Dec 1994 19:03:11 -0800 Received: from riverside.mr.net (Riverside.MR.Net [137.192.2.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id TAA02150 for ; Tue, 13 Dec 1994 19:03:07 -0800 Received: from .mr.net by riverside.mr.net (8.6.9/SMI-4.1.R931202) id VAA09726; Tue, 13 Dec 1994 21:01:49 -0600 Date: Tue, 13 Dec 1994 21:01:49 -0600 Message-Id: <199412140301.VAA09726@riverside.mr.net> X-Sender: freeman@mr.net Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: freeman@MR.Net (Alex Li) Subject: Drawbridge questions X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello all, I have the following questions regarding TAMU's Drawbridge as well as general "firewall" topic: 1. How well am I protected with a screening router? Or, should I say what am I vulnerable to with a screening router? I think that Drawbridge has a *very* powerful rule language although I haven't look at it in detail. e.g. can I say "refuse all TELNET & FTP packets except net xxx.yyy.zzz.0"? 2. Is there a "recommended" NIC card to use with Drawbridge? Thanks for any comments and suggestions. Alex Li -------------------------------------- Alex Li Health Systems Integration, Inc. 
1-800-TEAM-HSI --------------------------------------

From firewalls-owner Tue Dec 13 19:39:43 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA02332 for firewalls-outgoing; Tue, 13 Dec 1994 19:29:54 -0800 Received: from relay.tis.com (firewall_user@relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id TAA02326 for ; Tue, 13 Dec 1994 19:29:52 -0800 Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma011890; Tue Dec 13 22:28:37 1994 Received: from otter.tis.com. by tis.com (4.1/SUN-5.64) id AA00329; Tue, 13 Dec 94 22:26:09 EST From: Marcus J Ranum Message-Id: <9412140326.AA00329@tis.com> Subject: Re: Is DEC's SEAL as good as DEC claims? To: wlosee@Getty.Edu (Wulf Losee) Date: Tue, 13 Dec 1994 22:31:22 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: from "Wulf Losee" at Dec 13, 94 04:29:08 pm Organization: Trusted Information Systems, Inc. Glenwood, MD Phone: 301-854-6889 Content-Type: text Content-Length: 852 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Among other things the article claims: "For more than a decade,
> the Screening External Access Link, or SEAL, has kept Digital Equipment's
> mammoth EasyNet completely impervious to outsiders".

I guess they never heard of Kevin Mitnick? I'm not mentioning that to bash DEC's marketing, but to point out one of the issues with respect to firewalls. Mitnick got into the EasyNet via terminal servers initially, and pretty well infected the whole network. It took a huge amount of effort to root him out. The firewall had nothing to do with it, of course, since he broke in via a different avenue into the perimeter. Moral: security must be consistent around the entire perimeter. mjr.

[As far as I know, SEAL hasn't been in existence for a decade. Some of the ideas used in SEAL have, but the first SEAL was installed about 4 or so years ago.]
From firewalls-owner Tue Dec 13 23:09:56 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA03598 for firewalls-outgoing; Tue, 13 Dec 1994 23:03:25 -0800 Received: from panix.com (panix.com [198.7.0.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id XAA03592 for ; Tue, 13 Dec 1994 23:03:21 -0800 Received: by panix.com id AA17582 (5.67b/IDA-1.5 for firewalls@greatcircle.com); Wed, 14 Dec 1994 02:01:57 -0500 From: John Hawkinson Message-Id: <199412140701.AA17582@panix.com> Subject: Re: Should loose source routing be enabled if not IPFORWARDING? To: G.Michaelson@cc.uq.oz.au (George Michaelson) Date: Wed, 14 Dec 1994 02:01:56 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: <29171.787386999@brolga.cc.uq.oz.au> from "George Michaelson" at Dec 14, 94 04:36:39 pm X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 7382 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Firewalls people -- this is a continuation of a discussion which began on current-users@netbsd.org, the general mailing list for users of NetBSD-current (and NetBSD 1.0); my initial mail to which the below quoted fragment is a response is attached, for purposes of context.

> To: John Hawkinson
> Cc: current-users@netbsd.org
> Subject: Re: Should loose source routing be enabled if not IPFORWARDING?
> From: George Michaelson
> John, if the box is specifically intended to be a firewall and will
> be using proxy at application level to permit flow-through, why would
> LSR be desirable?

I felt that this was not appropriate for current-users. There is nothing INHERENTLY wrong with source routing. What it allows is for a clever person to spoof a badly written application into believing that a particular host sent a particular packet which it did in fact not. This is a flaw in the application, not in the operating system or in source routing itself.
The _other_ security concern is that source routing allows a clever person to cause a well-written application not to know the origin of a packet. Both of these are not particularly significant in a service where IP address-based authentication is not used. For instance, finger (port 79) and SMTP do not particularly require IP address-based authentication. Many people like to log the source of such connections -- if so, they ought to log the full list of source-routed addresses -- you can guarantee that your packet came through at least one of them (if you're being spoofed; if you're not, then it came through all of them).

It starts to become more of a concern with services like telnet and rlogin which log the address you came from in places like utmp. Again, such applications should log the entire source-routed path, not just the "destination" address.

We come to serious problems when you look at applications that perform authentication on the basis of IP address. For instance, Berkeley-style r-services (such as rlogin) when used with a .rhosts file. The way this _ought_ to be implemented is that a .rhosts file (if you feel the need to use such a thing at all) needs to specify EXPLICITLY the ENTIRE source routing path that a packet takes if source routing r-authentication is to be accepted at all (if such is implemented, it ought to be made clear to the user that s/he must trust EACH AND EVERY host mentioned in such a path (which is sort of unlikely in long paths)). It is an acceptable subset of this to reject r-style authentication if a packet comes in source routed. (other sorts of authentication, such as s/key, SecurID, Kerberos, or even plaintext if that's what you believe in, are all reasonable on source routed connections).

I think that's a relatively decent summary of the issues here -- any further questions?
-- John Hawkinson jhawk@panix.com ---cut here for original context Received: by panix.com id AA05241 (5.67b/IDA-1.5 for jhawk); Wed, 14 Dec 1994 00:41:12 -0500 From: John Hawkinson Message-Id: <199412140541.AA05241@panix.com> Subject: Re: Should loose source routing be enabled if not IPFORWARDING? To: G.Michaelson@cc.uq.oz.au (George Michaelson) Date: Wed, 14 Dec 1994 00:41:12 -0500 (EST) Cc: current-users@netbsd.org In-Reply-To: <"brolga.cc.uq:090790:941213231536"@cc.uq.oz.au> from "George Michaelson" at Dec 14, 94 09:15:29 am X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 3793 Status: RO > From: George Michaelson > We've been using Net/FreeBSD as firewall boxes here, disabling > IP forwarding and gateway options. A quick test revealed that if packets > with IP options set to loose source route flow, they still transit in > the kernel following the explicit route. This is correct behavior, as documented by RFC1122, which states on page 35, under section ``3.2.1.8 Options: RFC-791 Section 3.2'', subsection (c) Source Route Options: A host MUST support originating a source route and MUST be able to act as the final destination of a source route. If host receives a datagram containing a completed source route (i.e., the pointer points beyond the last field), the datagram has reached its final destination; the option as received (the recorded route) MUST be passed up to the transport layer (or to ICMP message processing). This recorded route will be reversed and used to form a return source route for reply datagrams (see discussion of IP Options in Section 4). When a return source route is built, it MUST be correctly formed even if the recorded route included the source host (see case (B) in the discussion below). 
> Locally the firewall expert has #ifdef'd this out, but there's an idea
> floating around the hosts requirements or related docs may obligate
> leaving lsr enabled.

Absolutely. Source routing by itself, either loose or strict, is not a security risk. It is only a risk when it is misinterpreted (in this respect, it is much like identd). Specifically, if, on a source-routed connection, an application relies upon the IP address of the other end of a connection for authentication purposes, then that application is broken and insecure. This is an issue for the application level, not for the operating system.

Admittedly, there are pieces of NetBSD-current that are not conformant to the previous paragraph. If we want to fix this (which sounds reasonable), then we should fix it "right", rather than wrongly. Fixing it with a hammer (removing source routing support) has the unfortunate consequence of breaking legitimate uses of source routing (right now they're essentially confined to traceroute -g and telnet @site1:site2), which many of us use every day and find to be particularly convenient. Fixing it the right way has none of these disadvantages; the only problem is that a poorly designed application can be fooled -- but poorly defined applications can always be fooled.

> Anybody have any idea what NetBSD maybe should do by default? Seems to
> me that disabling forwarding doesn't necessarily imply no packet transit
> through the kernel, and that a distinct option in the kernel config might
> be wanted to make a box into a firewall.

I think that NetBSD's proper default is clear -- it should continue to support RFC1122; whether there ought to be an option to disable source routing is not clear to me. There are arguments for and against, but I fear that people would turn off source routing for the wrong reason, and because of that, I think that such an option is a bad idea.
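The check the thread keeps coming back to, as an added example (not part of this mail, and not NetBSD code): walk the IPv4 options of a received header, recover any loose or strict source route, refuse address-based trust when one is present, and produce the full path for the utmp/syslog entry rather than the bare source address. The packets, the RFC 5737 documentation addresses and the policy function names are all constructed for the example; an IPv4 checksum is not computed because parsing does not need it.

```python
"""Detecting IPv4 source-route options on a received packet.
Added example; not from John Hawkinson's mail or from NetBSD."""
import struct
from ipaddress import IPv4Address

IPOPT_EOL, IPOPT_NOP, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 131, 137


def parse_source_route(ip_header: bytes):
    """Walk the IPv4 options; return None, or a dict describing the LSRR/SSRR
    option: kind, the address list carried in it, and whether the route is
    completed (RFC 791: pointer beyond the last address means we are the
    final destination and the list is the recorded route)."""
    if len(ip_header) < 20 or ip_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ip_header[0] & 0x0F) * 4
    if ihl < 20 or len(ip_header) < ihl:
        raise ValueError("bad IHL")
    opts, i = ip_header[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            if length < 3 or (length - 3) % 4:
                raise ValueError("malformed source route option")
            pointer = opts[i + 2]
            hops = [str(IPv4Address(opts[i + 3 + k:i + 7 + k]))
                    for k in range(0, length - 3, 4)]
            return {"kind": "loose" if kind == IPOPT_LSRR else "strict",
                    "hops": hops, "completed": pointer > length}
        i += length
    return None


def peer_for_logging(ip_header: bytes) -> str:
    """What utmp/syslog should record: the claimed source plus every address
    in the source route, since only the path as a whole says anything."""
    src = str(IPv4Address(ip_header[12:16]))
    route = parse_source_route(ip_header)
    if route is None:
        return src
    return "%s via %s (%s source route)" % (src, ",".join(route["hops"]), route["kind"])


def address_auth_allowed(ip_header: bytes) -> bool:
    """Policy for .rhosts-style trust: never on a source-routed connection."""
    return parse_source_route(ip_header) is None


# --- constructed packets for the demonstration (addresses from RFC 5737) ---
def build_header(src: str, dst: str, options: bytes = b"") -> bytes:
    options += b"\x00" * (-len(options) % 4)          # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0x1234, 0,
                        64, 6, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return fixed + options                             # checksum left 0; not needed here


def source_route_option(hops, strict=False, completed=True) -> bytes:
    addrs = b"".join(IPv4Address(h).packed for h in hops)
    length = 3 + len(addrs)
    pointer = length + 1 if completed else 4           # 4 = first address slot
    return bytes([IPOPT_SSRR if strict else IPOPT_LSRR, length, pointer]) + addrs


if __name__ == "__main__":
    plain = build_header("198.51.100.9", "203.0.113.5")
    routed = build_header("198.51.100.9", "203.0.113.5",
                          bytes([IPOPT_NOP]) + source_route_option(["192.0.2.7", "192.0.2.254"]))
    for pkt in (plain, routed):
        print(peer_for_logging(pkt), "address auth:", address_auth_allowed(pkt))
```

On a real socket the same information arrives through the recorded-route option the kernel hands up per RFC 1122 (on BSD, via IP_RECVRETOPTS or by reading the options on the accepted socket); the point is that rlogind and friends must look at it before trusting the peer address, and the log line should carry the whole list.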
Again, a number of NetBSD programs probably ought to be a little more careful with regard to source routing (for instance, the information written to utmp/wtmp ought to be tagged in some way, Berkeley-style authentication should not succeed on source routed sockets, etc.). I hadn't thought much about this with regard to NetBSD, but I'm certainly willing to spend some time dealing with these problems...

References: RFC1122 Requirements for Internet hosts - communication layers. R.T. Braden. Oct-01-1989. (Format: TXT=295992 bytes)

-- John Hawkinson jhawk@panix.com

From firewalls-owner Wed Dec 14 01:09:54 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA04039 for firewalls-outgoing; Wed, 14 Dec 1994 01:00:29 -0800 Received: from bronze.lcs.mit.edu (bronze.lcs.mit.edu [18.30.0.254]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id BAA04033 for ; Wed, 14 Dec 1994 01:00:27 -0800 Received: by bronze.lcs.mit.edu (Sendmail 8.6.9/940527.SGW) id DAA16347; Wed, 14 Dec 1994 03:58:47 -0500 Date: Wed, 14 Dec 1994 03:58:47 -0500 From: hobbit@bronze.lcs.mit.edu (*Hobbit*) Message-Id: <199412140858.DAA16347@bronze.lcs.mit.edu> To: firewalls@greatcircle.com Subject: SEAL Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

A decade, eh? Ask DEC about Mitnick and VMS source code. I don't think that was ten years ago.
_H* From firewalls-owner Wed Dec 14 10:42:40 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA05302 for firewalls-outgoing; Wed, 14 Dec 1994 02:08:45 -0800 Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA12582 for ; Mon, 12 Dec 1994 10:47:40 -0800 Received: from uucp5.UU.NET by relay2.UU.NET with SMTP id QQxtzn04370; Mon, 12 Dec 1994 13:46:22 -0500 Received: from sps.UUCP by uucp5.UU.NET with UUCP/RMAIL ; Mon, 12 Dec 1994 13:46:30 -0500 Received: from pascal.sps.com by sps.com (4.1/SMI-4.1) id AA05409; Mon, 12 Dec 94 13:14:17 EST Date: Mon, 12 Dec 94 13:14:17 EST From: cgraham@sps.com (Christopher Graham) Message-Id: <9412121814.AA05409@sps.com> To: firewalls@greatcircle.com Subject: DNS not TIS fwtk hangs... Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Thanks to the many people that have sent help on my hanging firewall. We have just started to look into our DNS problem, that everybody pointed out. It seems that our DNS was "messed" with, and has led to the hanging problem I posted. It is sure nice to see a list full of helpful people! Happy Holidays. Chris cgraham@sps.com From firewalls-owner Wed Dec 14 10:47:32 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA04912 for firewalls-outgoing; Wed, 14 Dec 1994 01:51:21 -0800 Received: from awadi.com.AU (myall.awadi.com.AU [150.207.2.65]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id BAA04897 for ; Wed, 14 Dec 1994 01:51:11 -0800 Received: from bunya.awadi ([150.207.1.63]) by awadi.com.AU (4.1/SMI-4.1) id AA07701; Wed, 14 Dec 94 20:17:52 CST Received: from mallee.awadi by bunya.awadi (5.0/SMI-SVR4) id AA13164; Wed, 14 Dec 1994 20:16:22 +1030 From: blymn@awadi.com.AU (Brett Lymn) Message-Id: <9412140946.AA13164@bunya.awadi> Subject: Re: Should loose source routing be enabled if not IPFORWARDING? 
To: jhawk@panix.com (John Hawkinson) Date: Wed, 14 Dec 1994 20:16:20 +1030 (CST) Cc: firewalls@greatcircle.com In-Reply-To: <199412140701.AA17582@panix.com> from "John Hawkinson" at Dec 14, 94 02:01:56 am X-Mailer: ELM [version 2.4 PL2] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Length: 1658 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to John Hawkinson: > >The _other_ security concern is that source routing allows a clever >person to cause a well-written application into not knowing the >origin of a packet. > I may be showing my ignorance here, if I am then please be gentle ;-) I believe there is another scenario where source routing either loose or strict may be a problem. Consider the case of someone doing a firewall on the cheap, that is without a router and just relying on something like tcp wrappers to prevent unauthorised access to various services. In this case a clever person can use a strict source route to access a machine behind the "bastion" host that is running the tcp wrappers. If the people who set up the system were not aware of source routing then they may be fooled into believing that since their main contact with the outside world is protected then they need not worry about any of their other machines. So a clever person may be able to exploit this and get access to an ftpd or telnetd *behind* the "bastion". Sure, you really should have a router to block nasty packets for you but sometimes that's a bit hard to explain to the bean counters when you know their first reaction will be "well we don't need that anyway...." and pull the link instead of getting the equipment to do the job properly. -- Brett Lymn, Computer Systems Administrator, AWA Defence Industries =============================================================================== "Aha! Pronoun problems. It's not `shoot you, shoot you', it's `shoot me, shoot me'. So, go ahead, shoot ME, shoot ME ... 
You're Despicable" -- Daffy Duck

From firewalls-owner Wed Dec 14 11:14:00 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA02029 for firewalls-outgoing; Wed, 14 Dec 1994 10:29:28 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [143.191.19.67]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA02020 for ; Wed, 14 Dec 1994 10:29:25 -0800 Received: from hp.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-941015) id DAA09383; Wed, 14 Dec 1994 03:19:40 -0800 Received: from hpber199.swiss.hp.com by hp.com with SMTP (1.37.109.14/15.5+ECS 3.3) id AA184224045; Wed, 14 Dec 1994 03:20:45 -0800 Message-Id: <199412141120.AA184224045@hp.com> Received: by hpber199.swiss.hp.com (1.37.109.8/16.2) id AA04202; Wed, 14 Dec 1994 12:19:12 +0100 From: Daniel Huber Subject: "router IP filter compiler" ? To: firewalls@GreatCircle.COM Date: Wed, 14 Dec 1994 12:19:11 +0100 (MET) X-Mailer: ELM [version 2.4 PL20] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 652 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi there, I have to configure several HP, Cisco and Wellfleet routers with IP packet filters. Now since the front ends of the routers are quite awkward I wonder if somebody out there has written a kind of IP packet filter "compiler" which would create a router-readable configuration based on a simple filter list.. Any pointers? Thanx Daniel

-- Daniel Huber, RCO, HP Niederwangen (8700), Switzerland SMTP: danielh@hpber199.swiss.hp.com (or Daniel_Huber@hp8700.desk.hp.com) X.400: /G=Daniel/S=Huber/OU=HP8700/O=HP/P=HP/A=ArCom/C=CH/ If a train station is where a train stops, then what's a workstation?
--- Opinions Expressed Above Are My Owns ---

From firewalls-owner Wed Dec 14 11:14:59 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA03805 for firewalls-outgoing; Wed, 14 Dec 1994 10:41:37 -0800 Received: from chx400.switch.ch (chx400.switch.ch [130.59.1.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA03800 for ; Wed, 14 Dec 1994 10:41:32 -0800 Received: from arwen.unibe.ch by chx400.switch.ch with SMTP (PP); Wed, 14 Dec 1994 17:48:28 +0100 From: greulich@math-stat.unibe.ch (Andreas Greulich) Message-Id: <9412141648.AA01137@grimsel> Subject: tn3270 over firewalls? To: firewalls@greatcircle.com Date: Wed, 14 Dec 1994 17:48:19 +0100 (MET) X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 1581 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi all! I got a question concerning clients/hosts that are running the sna 3270, 3279/3 etc (whatever their names are...) protocols. It seems there's a problem running them over a firewall. My problem now is that I don't see where the problem is...

Actually I thought if the firewall runs a circuit-level proxy and just copies bytes like a wire, then why should it care what the protocol between the end nodes is..? I could see a problem with the additional authentication step started by the firewall, but was told this just has to run in line mode. But somebody told me that the firewall actually runs a telnet-like daemon as a proxy and doesn't just copy bytes between its two entries... if that's true, why is that so? I know that at least two of the major firewall vendors are working on the 3270 problem, so maybe somebody can explain the problem to me *smile* Thanks in advance!
A.Greulich -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Andreas Greulich University of Berne, Switzerland ---------------- Email: greulich@math-stat.unibe.ch greulich@iam.unibe.ch CIS: 100014,1033 Phone home: (+41 31) 961 7031 Phone office: (+41 31) 631 8809 (+41 31) 631 4497 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Wed Dec 14 11:16:37 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA00946 for firewalls-outgoing; Wed, 14 Dec 1994 10:23:08 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [143.191.19.67]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA00854 for ; Wed, 14 Dec 1994 10:22:46 -0800 Received: from uvs1.orl.mmc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-941015) id FAA10456; Wed, 14 Dec 1994 05:19:26 -0800 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA29130; Wed, 14 Dec 94 08:17:47 -0500 Date: Wed, 14 Dec 94 08:17:46 -0500 Message-Id: <9412141317.AA29130@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: SEAL Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Wulf writes:
>Is SEAL as great as DEC says it is? Does anyone on the Firewalls list have
>any experiences with SEAL?

IMHO, the three-box system I have looked at has the capability of being that good if properly programmed, not bypassed, and you do not have to ask "how much".
Warmly, Padgett

From firewalls-owner Wed Dec 14 11:47:11 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA03302 for firewalls-outgoing; Wed, 14 Dec 1994 10:34:01 -0800 Received: from wolfe.wimsey.com (root@wolfe.wimsey.com [198.162.16.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA03159 for ; Wed, 14 Dec 1994 10:33:33 -0800 Received: by wolfe.wimsey.com (Smail3.1.28.1 #9) id m0rHxRs-0003h9C; Wed, 14 Dec 94 09:25 PST Received: by ilinx.com (/\oo/\ Smail3.1.29.1 #29.6) id ; Wed, 14 Dec 94 08:43 PST Message-Id: Received: by miro.ilinx.com id ; Wed, 14 Dec 94 08:48:51 -0800 From: brian@imcon.ilinx.com To: firewalls@GreatCircle.COM Subject: tis http gateway problem Date: Wed, 14 Dec 1994 08:48:50 -0700 (PST) X-Mailer: Ishmail 1.0-hp-941109 Available via anonymous ftp from ftp.halsoft.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi all, I've been using the TIS toolkit here for a bit and have noticed an anomaly with the http proxy. If an HTTP client (Netscape in this case) tries to open a URL of the form "http://www.somesite.domain/path/CNPSRVCS.HTML#trade" with the "#..." phrase at the end, the http-gw gateway fails to find it. Has anybody else found this?? Has anybody got a fix?? If not, I'll take a look at the protocol and see how fixable it is. b.

-- Brian J. Murrell brian@ilinx.com InterLinx Support Services, Inc. brian@wimsey.com North Vancouver, B.C.
604 983 UNIX Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD

From firewalls-owner Wed Dec 14 11:57:22 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA04040 for firewalls-outgoing; Wed, 14 Dec 1994 10:53:52 -0800 Received: from amdahl.amdahl.com (amdahl.com [129.212.11.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA04035 for ; Wed, 14 Dec 1994 10:53:50 -0800 Received: from brittany.oes.amdahl.com by amdahl.amdahl.com with smtp (Smail3.1.28.1 #49) id m0rHwCH-0001A1C; Wed, 14 Dec 94 08:04 PST Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA00401; Wed, 14 Dec 1994 08:05:18 +0800 Date: Wed, 14 Dec 1994 08:05:18 +0800 From: patrick@oes.amdahl.com (Patrick Horgan) Message-Id: <9412141605.AA00401@brittany.oes.amdahl.com> To: stern@sunrise.East.Sun.COM Subject: Re: radius from livingston? Cc: firewalls@greatcircle.com X-Sun-Charset: US-ASCII content-length: 1472 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

We use radiusd here...In your configuration on the portmaster, you tell it to use remote authentication, and give it a "secret key". Meanwhile, you get radiusd running on the gateway, or any other machine the portmaster can reach. Give the radiusd the "secret key". Then when someone tries to get access through the portmaster, they have to type in their passwd. It passes your name and passwd to the radiusd, (encrypted with the secret key,) and the radiusd decides if you get access and what type...i.e. dial in, ppp, slip etc., and ships that information back to the portmaster.

The source code for radiusd (with the appropriate chapter out of the portmaster manual in postscript,) is available freely for anonymous ftp from: ftp://ftp.netcom.com/pub/livingston/radius

Patrick These opinions are mine, and not Amdahl's (except by coincidence;).
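The exchange Patrick describes, as an added example (not Livingston's radiusd code and not from this mail): what "encrypted with the secret key" means on the wire. The User-Password hiding and the Response Authenticator follow the construction that RFC 2058/2865 later wrote down from Livingston's protocol (sections 5.2 and 3 of RFC 2865); the shared secret, user database, request authenticator and attribute values here are constructed for the example, and the toy radiusd only checks a password, not the access type.

```python
"""Toy RADIUS exchange: portmaster (NAS) -> radiusd -> portmaster.
Added example; not Livingston's code. Wire format per RFC 2865."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block); the first block is keyed by
    the 16-byte Request Authenticator the NAS chose at random."""
    if len(request_auth) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("bad authenticator or password length")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as radiusd does it; strips the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    """Attribute TLV: type, length (including these two bytes), value."""
    return bytes([kind, 2 + len(value)]) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        if i + 1 >= len(data):
            raise ValueError("truncated attribute")
        kind, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, username, password, secret, request_auth=None):
    """What the portmaster sends: code, id, length, Request Authenticator, attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username) + \
        attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, request, secret, attrs=b""):
    """radiusd's reply; Response Authenticator = MD5(code+id+length+RequestAuth+attrs+secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(response, request, secret) -> bool:
    """Portmaster side: reply must echo our id and carry a valid Response Authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def radiusd_handle(request, secret, users) -> bytes:
    """Toy radiusd: recover the password and answer Access-Accept or Access-Reject."""
    if len(request) < 20 or request[0] != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    if struct.unpack("!H", request[2:4])[0] != len(request):
        raise ValueError("length field does not match packet")
    attrs = parse_attrs(request[20:])
    if ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return build_response(ACCESS_REJECT, request, secret)
    given = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request[4:20])
    expected = users.get(attrs[ATTR_USER_NAME])       # constructed user database, plaintext for brevity
    ok = expected is not None and hmac.compare_digest(given, expected)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


if __name__ == "__main__":
    SECRET = b"portmaster-shared-secret"              # constructed
    USERS = {b"hal": b"correct horse"}                 # constructed
    req = build_access_request(42, b"hal", b"correct horse", SECRET)
    resp = radiusd_handle(req, SECRET, USERS)
    print("accept" if resp[0] == ACCESS_ACCEPT else "reject", verify_response(resp, req, SECRET))
```

The hiding is an MD5 keystream XORed over the password, keyed by the shared secret and the per-request authenticator: it keeps the password off the wire in the clear, but it is not authenticated encryption, and the Access-Request itself carries no integrity check in this base form, so the strength of the secret and the network path between portmaster and radiusd are what actually protect the exchange.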
Patrick J. Horgan | Amdahl Corporation | patrick@oes.amdahl.com | 1250 East Arques Avenue, P.O. Box 3470 M/S 316, Sunnyvale, CA 94088-3470 | Phone: (408)992-2779 | FAX: (408)773-0833 | O16-2294 | "Have Sword, Will Travel"

From firewalls-owner Wed Dec 14 12:03:46 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA01204 for firewalls-outgoing; Wed, 14 Dec 1994 10:25:30 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [143.191.19.67]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA01189 for ; Wed, 14 Dec 1994 10:25:26 -0800 Received: from mail.crl.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-941015) id EAA10393; Wed, 14 Dec 1994 04:50:38 -0800 Received: from crl.crl.com (crl.com) by mail.crl.com with SMTP id AA21244 (5.65c/IDA-1.5 for ); Wed, 14 Dec 1994 04:50:15 -0800 Received: by crl.crl.com id AA12718 (5.65c/IDA-1.5 for Firewalls@greatcircle.com); Wed, 14 Dec 1994 04:50:14 -0800 Date: Wed, 14 Dec 1994 04:50:14 -0800 (PST) From: Resource Manager To: Firewalls@greatcircle.com Subject: ISO 9000 Requirements & Firewalls In-Reply-To: <199412140900.BAA04028@miles.greatcircle.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Firstly: Thank you for ALL the valuable information that Firewalls provides.
-------

Secondly: ISO Certification Criteria in respect to a corporate firewall.
--------

The company that I work for is currently going through the process that will hopefully result in ISO 9001 certification for the company by 10/95. The current corporate plan is to be a full time "net.citizen" by 6/95. I have searched the "net" for guides, resources, hints, etc. on this topic without success. Therefore, I am now turning to my fellow "Firewallers" for help. I am seeking ANY & ALL input on this issue.
Please E-mail your responses directly to me instead of here. If my fellow "Firewallers" would like, I will summarize the information that I receive & post it back here.

Thirdly: Seasons Greetings - May your XMAS "wish lists" be completely funded.
-------

From firewalls-owner Wed Dec 14 12:04:05 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA01190 for firewalls-outgoing; Wed, 14 Dec 1994 10:25:26 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [143.191.19.67]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA01178 for ; Wed, 14 Dec 1994 10:25:23 -0800 Received: from hp4at.eunet.co.at by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-941015) id FAA10521; Wed, 14 Dec 1994 05:50:42 -0800 Received: by hp4at.eunet.co.at id AA09665 (5.65c8/hp4at for firewalls@greatcircle.com); Wed, 14 Dec 1994 14:49:23 +0100 From: Georg Chytil Message-Id: <199412141349.AA09665@hp4at.eunet.co.at> Subject: Re: Shadow passwords under SunOs 4.1.3 ? To: glenn@simba.aero.org (Glenn Bailey) Date: Wed, 14 Dec 94 14:49:22 MEZ Cc: cbk@ingress.com, firewalls@greatcircle.com In-Reply-To: <9412061534.AA24064@simba.aero.org>; from "Glenn Bailey" at Dec 6, 94 7:34 am Reply-To: chytil@Austria.EU.net X-Organization: EUnet Austria X-Phone: (+43) (0)222 3174969 X-Home-Phone: (+43) (0)222 3718445 X-Fax: (+43) (0)222 3106926 X-Tie: finally yes Read-Receipt-To: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Glenn Bailey writes :
> The package is called simply "security" and is fairly easy to install and setup.
> The thing to watch is all the auditing that comes with the C2 being turned on
> (logs accumulate) and the Secure RPC is now used. This can be controlled but
> requires more thought and reading when setting C2 up than just the simple
> example Sun gives.

I do not like the idea of running RPC at all, even if it is called "secure". Any way to have shadow passwords on SunOS _without_ RPC ?
Georg <---------------------------------------------------------------------------> Chytil Georg GC82 chytil@Austria.EU.net EUnet EDV-Dienstleistungs-Gesellschaft backup : chytil@EU.net Phone : +43/Vienna/3174969 Fax : +43/Vienna/3106926 Home? : 0222/3718445 From firewalls-owner Wed Dec 14 12:11:52 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA05588 for firewalls-outgoing; Wed, 14 Dec 1994 11:53:47 -0800 Received: from world (world.sdt.com [199.100.49.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA05583 for ; Wed, 14 Dec 1994 11:53:41 -0800 Received: by world (5.0) id AA03571; Wed, 14 Dec 1994 13:48:31 +0600 Received: from aadt.sdt.com(144.9.149.25) by world via smap (V1.3) id sma003569; Wed Dec 14 13:47:36 1994 Received: from shadow.sdt.com by sdt.com (4.1/SUN-2.0hub) id AA04537; Wed, 14 Dec 94 13:48:12 CST Received: by shadow.sdt.com (5.61) id AA17023; Wed, 14 Dec 94 13:50:39 -0600 From: aaron@sdt.com (Aaron Gair) Message-Id: <9412141350.ZM17021@shadow.sdt.com> Date: Wed, 14 Dec 1994 13:50:38 -0600 In-Reply-To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) "SEAL" (Dec 14, 8:17am) References: <9412141317.AA29130@uvs1.orl.mmc.com> X-Mailer: Z-Mail (2.1.5 20sep93) To: "firewalls@greatcircle.com"@sdt.com, firewalls@greatcircle.com Subject: Re: SEAL content-length: 57 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Anyone have a technical contact for the SEAL product? 
From firewalls-owner Wed Dec 14 12:26:43 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA01308 for firewalls-outgoing; Wed, 14 Dec 1994 10:25:51 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [143.191.19.67]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA01233 for ; Wed, 14 Dec 1994 10:25:38 -0800 Received: from osiris.cs.uow.edu.au by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-941015) id EAA10387; Wed, 14 Dec 1994 04:48:59 -0800 Received: from SPi (osiris.cs.uow.edu.au) by osiris.cs.uow.edu.au with SMTP (5.65c/IDA-1.5); id AA05478; Wed, 14 Dec 1994 23:47:42 +1100 (from ruf@SPi for ) Received: by SPi (Linux Smail3.1.28.1 #14) id m0rHt74-0005qJC; Wed, 14 Dec 94 23:47 EST Message-Id: From: ruf@GreatCircle.COM (Justin J. Lister) Subject: Re: SEAL To: firewalls@greatcircle.com (Firewalls Mailing List) Date: Wed, 14 Dec 1994 23:47:21 +1100 (EST) In-Reply-To: <199412140858.DAA16347@bronze.lcs.mit.edu> from "*Hobbit*" at Dec 14, 94 03:58:47 am Reply-To: X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 1485 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

"*Hobbit* wrote:"
>A decade, eh? Ask DEC about Mitnick and VMS source code. I don't think
>that was ten years ago.

Was early 1988, though DEC apparently took little interest for months. Also don't forget to mention XSafe, loginout details and probably a host of other information that was never revealed.

From the documentation I have here; the WRL Research Report - Simple and Flexible Datagram Access Controls for Unix-based Gateways (Screend), it dates March 1989. Also have the Screening External Access Link (SEAL) Introductory Guide but it contains no date. It would appear this software was developed *AFTER* the Mitnick incidents. Also they have the Polycenter Intrusion Detector (formerly DECinspect) but I believe this was much later development.
I would still be interested in how much of an influence the Mitnick incidents had on the development of this product. -- +---------------------+--------------------------------------------------+ | ____ ___ | Justin Lister ruf@cs.uow.edu.au | | | \\ /\ __\ | Center for Computer Security Research | | | |) / \_/ / |_ | Dept. Computer Science voice: 61-42-835-114 | | | _ \\ /| _/ | University of Wollongong fax: 61-42-832-807 | | |_/ \/ \_/ |_| (tm) | Computer Security a utopian dream... | | | Disclaimer: dreaming is at own risk | +---------------------+--------------------------------------------------+ From firewalls-owner Wed Dec 14 12:40:21 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA06311 for firewalls-outgoing; Wed, 14 Dec 1994 12:22:52 -0800 Received: from pegase.total.fr (pegase.total.fr [146.249.41.223]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA06304 for ; Wed, 14 Dec 1994 12:22:35 -0800 Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA14135; Wed, 14 Dec 94 21:18:07 +0100 Received: by tidtest.total.fr (4.1/SMI-4.1) id AA04884; Wed, 14 Dec 94 21:14:27 GMT From: lavondes@tidtest.total.fr (Michel Lavondes) Message-Id: <9412142114.AA04884@tidtest.total.fr> Subject: Re: tn3270 over firewalls? To: greulich@math-stat.unibe.ch (Andreas Greulich) Date: Wed, 14 Dec 94 21:14:26 GMT Cc: firewalls@greatcircle.com Reply-To: lavondes@tidtest.total.fr In-Reply-To: <9412141648.AA01137@grimsel>; from "Andreas Greulich" at Dec 14, 94 5:48 pm X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Andreas Greulich wrote : > > I got a question concerning clients/hosts that are running the sna > 3270, 3279/3 etc (whatever their names are...) protocols. It seems > there's a problem running them over a firewall. My problem now is that > I don't see where the problem is... 
>
> Actually I thought if the firewall runs a circuit-level proxy and just
> copies bytes like a wire, then why should it care what the protocol
> between the end nodes is..? I could see a problem with the additional
> authentication step started by the firewall, but was told this
> just has to run in line mode. But somebody told me that the firewall
> actually runs a telnet-like daemon as a proxy and doesn't just copy
> bytes between its two entries... if that's true, why is that so?
> I know that at least two of the major firewall vendors are working at
> the 3270-problem, so maybe somebody can explain the problem to me *smile*
>

Are you talking about tn3270, or a *full* SNA stack ? If the latter, I don't think it will ever be able to get thru your *IP* firewall.

-- Michel Lavondes E-Mail : lavondes@tidtest.total.fr lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected) Tel : +33-1-4135-4198 Fax : +33-1-4135-4189

From firewalls-owner Wed Dec 14 12:40:45 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA04347 for firewalls-outgoing; Wed, 14 Dec 1994 11:13:41 -0800 Received: from denver.ssds.com ([134.127.16.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA04340 for ; Wed, 14 Dec 1994 11:13:37 -0800 Received: from sanjose.ssds.com (sanjose.ssds.com [134.127.10.1]) by denver.ssds.com (8.6.9/8.6.9.SSDSnet-hub) with ESMTP id MAA04634 for ; Wed, 14 Dec 1994 12:10:10 -0700 Received: (from pcc@localhost) by sanjose.ssds.com (8.6.9/8.6.9.SSDSnet-site) id LAA13467; Wed, 14 Dec 1994 11:10:08 -0800 Date: Wed, 14 Dec 1994 11:10:07 -0800 (PST) From: Phil Cox X-Sender: pcc@sanjose To: firewalls@greatcircle.com Subject: chroot, UDP, and time stamps Message-ID: MIME-Version: 1.0 Content-Type: TEXT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I am running the FWTK and using the UDP version of the syslog calls (#define USE_UDPSYSLOG).
All seems to be working fine EXCEPT that the logging from the chroot'd programs (ftp-gw and tn-gw) is entered with time stamps 7 hrs later than actual local time. I am not sure why it is using the wrong timezone, all non-chroot progs log correct time. Is there something I need to stick in the chrooted environment?

Any pointers would be appreciated.

Phil

* Philip C. Cox | Quote of the Day: * * pcc@ssds.com | "When opportunity knocks, about all * * PAGER: (510) 734-7983 | some people do is complain about * * VOICE: (510) 294-3557 | the noise." *

From firewalls-owner Wed Dec 14 12:48:10 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA01321 for firewalls-outgoing; Wed, 14 Dec 1994 10:25:54 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [143.191.19.67]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA01250 for ; Wed, 14 Dec 1994 10:25:41 -0800 Received: from erenj.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-941015) id EAA10283; Wed, 14 Dec 1994 04:36:03 -0800 Posted-Date: Wed, 14 Dec 1994 07:36:49 -0500 From: "Bryan D. Boyle" Message-Id: <9412140736.ZM13550@maverick.erenj.com> Date: Wed, 14 Dec 1994 07:36:49 -0500 In-Reply-To: Wulf Losee "Is DEC's SEAL as good as DEC claims?" (Dec 13, 4:29pm) References: X-Phone: (908) 730-3338 X-Saying: Strange problems call for strange solutions. X-Life: Get One X-Mailer: Z-Mail (3.2.0 06sep94) To: firewalls@greatcircle.com, Wulf Losee Subject: Re: Is DEC's SEAL as good as DEC claims? Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Dec 13, 4:29pm, Wulf Losee wrote:
> Subject: Is DEC's SEAL as good as DEC claims?
> DEC's SEAL received a glowing mention in a December 12th
> _INFOWORLD_ article ("Digital and the Internet: heavy use and
> security").
> Among other things the article claims: "For more than a decade,
> the Screening External Access Link, or SEAL, has kept Digital Equipment's
> mammoth EasyNet completely impervious to outsiders".
>
> My immediate response was: "as far as they know". Anyway, all cynicism
> aside...
>
> Is SEAL as great as DEC says it is? Does anyone on the Firewalls list have
> any experiences with SEAL?

2 1/2 years worth. It works. Handles approx. 50K mail messages a month, close to a gig of ftp, and all the http/gopher we seem to stuff thru it. It is configurable (not as much, say, as the tis toolkit, which, imho, is a logical next step for us...), and robust. The logging is extensive. So much so that we end up with LARGE amounts of syslog information every day to munge thru perl scripts to get the necessary info out--better to have too much than too little though. It is certainly one of the better products; well thought out, minimalist in the size of it, and certainly a crystal box implementation (you get the source). Meets (and, in some areas, exceeds) our needs even after all this time. Just my $.02.

-- Bryan D.
Boyle |Physical: ER&E, Clinton, NJ (908) 730-3338 #include |Virtual: bdboyle@erenj.com World-Wide-Web: http://www.digimark.net/bdboyle/index.html http://www.digimark.net/bdboyle/pubkey.html for pgp public key

From firewalls-owner Wed Dec 14 13:05:26 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA04973 for firewalls-outgoing; Wed, 14 Dec 1994 11:39:13 -0800 Received: from relay.tis.com (firewall_user@relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA04964 for ; Wed, 14 Dec 1994 11:39:10 -0800 Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma025202; Wed Dec 14 14:38:01 1994 Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA22986; Wed, 14 Dec 94 14:35:36 EST Message-Id: <9412141935.AA22986@tis.com> From: Frederick M Avolio X-Organization: Trusted Information Systems, Inc. X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363 To: firewalls@greatcircle.com Subject: Re: SEAL In-Reply-To: Your message of Wed, 14 Dec 94 08:17:46 -0500. <9412141317.AA29130@uvs1.orl.mmc.com> Date: Wed, 14 Dec 94 14:35:31 -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I, also, have a passing acquaintance with SEAL. SEAL is sort of a hybrid firewall: it has elements of an application gateway based firewall (in that it uses some proxies), circuit level gateway (in that it uses SOCKS), and a packet filter (in that it uses screend). In some cases it is philosophically similar to Gauntlet and the FWTK (some proxies are small and, so, examinable) but different in others (SEAL runs large programs such as the CERN HTTP proxy, Sendmail, and SOCKS).

As far as I can tell from people I have talked to it requires consulting to set it up.
Fred From firewalls-owner Wed Dec 14 13:10:26 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA04576 for firewalls-outgoing; Wed, 14 Dec 1994 11:24:41 -0800 Received: from blackhole.milkyway.com (milkyway.com [198.53.167.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA04561 for ; Wed, 14 Dec 1994 11:24:03 -0800 Received: from localhost (uucp@localhost) by blackhole.milkyway.com (8.6.5/8.6.6) id OAA07412 for ; Wed, 14 Dec 1994 14:25:02 -0500 Received: from jupiter.milkyway.com(192.168.77.9) by internet.milkyway.com via smap (V1.3) id sma007410; Wed Dec 14 14:24:41 1994 Received: from calisto.milkyway.com (calisto.milkyway.com [192.168.77.2]) by jupiter.milkyway.com (8.6.7/8.6.6) with SMTP id OAA05049 for ; Wed, 14 Dec 1994 14:25:02 -0500 Message-Id: <199412141925.OAA05049@jupiter.milkyway.com> To: firewalls@greatcircle.com Subject: ix.netcom.com In-reply-to: Your message of "Wed, 14 Dec 1994 14:14:23 EST." <199412141914.OAA07372@blackhole.milkyway.com> Date: Wed, 14 Dec 1994 14:24:52 -0500 From: Michael Richardson Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I complained this morning to the person who posted that ad, (support@netcom.com tells me their account has been disabled...) and was looking at my firewall and noticed this: Dec 14 08:53:03 internet proxy-tcp[6702]: deny host=ix.ix.netcom.com/199.182.120.2 service= port=2 Port #2? Huh? Was there ever anything on port #2? I always have been curious about ports 2-6, 8, 10, 14-18. Were they ever used? I haven't seen implementations of tcpmux either actually... Maybe they missed the '5' and were thinking about mail bombing us :-) :!mcr!: | Milkyway Networks Corporation Michael Richardson | Makers of the Black Hole firewall NCF: aa714 || xx714 | +1 613 596-5549 ... mcr@milkyway.com Home: mcr@sandelman.ocunix.on.ca. PGP key available. 
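The deny line Michael quotes is the kind of thing worth pulling out of FWTK's syslog output automatically: a denied connection to a port that has no service name behind it (the proxy logged `service=` empty) is a probe or a typo, never a legitimate client. The following is an added example, not code from the thread or from the FWTK; the log lines are constructed to match the one sample line above, and the field layout of that regex is an assumption for any other FWTK version.

```python
import re
from collections import Counter

# Regex for the FWTK-style "proxy-tcp ... deny" line quoted in the post.
# The field layout is taken from that single sample line (an assumption for
# other FWTK versions).
DENY_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<fw>\S+) proxy-tcp\[\d+\]: '
    r'deny host=(?P<name>[^/\s]*)/(?P<ip>\d+\.\d+\.\d+\.\d+) '
    r'service=(?P<service>\S*) port=(?P<port>\d+)$'
)

# Constructed sample log, modelled on the line in the post; not real traffic.
SAMPLE_LOG = """\
Dec 14 08:53:03 internet proxy-tcp[6702]: deny host=ix.ix.netcom.com/199.182.120.2 service= port=2
Dec 14 08:53:04 internet proxy-tcp[6703]: deny host=ix.ix.netcom.com/199.182.120.2 service= port=3
Dec 14 08:53:05 internet proxy-tcp[6704]: deny host=ix.ix.netcom.com/199.182.120.2 service=telnet port=23
Dec 14 09:10:41 internet proxy-tcp[6801]: deny host=unknown/10.9.8.7 service=ftp port=21
Dec 14 09:11:02 internet proxy-tcp[6802]: deny host=unknown/10.9.8.7 service= port=5
Dec 14 09:11:03 internet proxy-tcp[6803]: deny host=unknown/10.9.8.7 service= port=6
"""


def parse_deny_lines(text):
    """Return one dict per line that matches DENY_RE; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = DENY_RE.match(line)
        if m:
            rec = m.groupdict()
            rec['port'] = int(rec['port'])
            records.append(rec)
    return records


def probes_to_unnamed_low_ports(records, max_port=1023):
    """Denied connections in the privileged range whose port the proxy could not
    map to a service name (empty service=). Ports 2, 3, 5, 6 and the like have
    nothing listening anywhere, so a hit there is a scan, not a client."""
    return [r for r in records if r['service'] == '' and r['port'] <= max_port]


def sources_by_probe_count(records, threshold=2):
    """Source addresses whose unnamed-low-port hits reach the threshold, mapped
    to the sorted list of distinct ports each one touched."""
    hits = probes_to_unnamed_low_ports(records)
    counts = Counter(r['ip'] for r in hits)
    ports = {}
    for r in hits:
        ports.setdefault(r['ip'], set()).add(r['port'])
    return {ip: sorted(ports[ip]) for ip, n in counts.items() if n >= threshold}


if __name__ == '__main__':
    recs = parse_deny_lines(SAMPLE_LOG)
    for ip, plist in sources_by_probe_count(recs).items():
        print(f"{ip}: denied on unnamed low ports {plist}")
```

Run against a real FWTK syslog file the threshold should be raised and the report keyed on the resolved name as well as the address, since the proxy logs both; the two-hit threshold here only exists so the constructed sample produces output.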
From firewalls-owner Wed Dec 14 13:40:33 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA07312 for firewalls-outgoing; Wed, 14 Dec 1994 13:15:20 -0800 Received: from NYXGATE1.btco.com (btgate1.btco.com [198.81.205.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA07307 for ; Wed, 14 Dec 1994 13:15:17 -0800 From: misrahij@btco.com Received: (from mailer@localhost) by NYXGATE1.btco.com (8.6.9/8.6.9) id QAA00541; Wed, 14 Dec 1994 16:13:52 -0500 Received: from nycsex0001.btco.com(138.93.15.58) by NYXGATE1.btco.com via smap (V1.3mjr) id sma000569; Wed Dec 14 16:13:43 1994 Received: from (nycsew0110.btco.com [138.93.15.45]) by NYCSEX0001.btco.com (8.6.9/8.6.9) with SMTP id QAA03843; Wed, 14 Dec 1994 16:13:42 -0500 Date: Wed, 14 Dec 1994 16:13:42 -0500 Message-Id: <199412142113.QAA03843@NYCSEX0001.btco.com> To: Daniel Huber , firewalls@GreatCircle.COM Subject: Re: "router IP filter compiler" ? X-Mailer: AIR Mail 3.X (SPRY, Inc.) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

There was a component of Firewall-1 (a product discussed elsewhere in these hallowed halls) that did this sort of thing for Cisco and Wellfleet routers. I can't comment on its cost or give details of how it performs, although it does have a nice GUI.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ < Jeff Misrahi Internet: misrahij@btco.com > < Client Server Engineering Phone: (212) 250-3378 > < Bankers Trust Company, Fax: (212) 250-2184 > < New York, NY, 10006 > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Wed Dec 14 13:54:51 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA04424 for firewalls-outgoing; Wed, 14 Dec 1994 11:16:41 -0800 Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA04412 for ; Wed, 14 Dec 1994 11:16:31 -0800 Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34) id AA22186; Wed, 14 Dec 94 13:29:21 CST Received: by mnbp.network.com with Microsoft Mail id <2EEF4434@mnbp.network.com>; Wed, 14 Dec 94 13:15:00 CST From: Grant Miller To: Firewalls Mailing List Subject: RE: Encrypting tunnels Date: Wed, 14 Dec 94 13:14:00 CST Message-Id: <2EEF4434@mnbp.network.com> Encoding: 39 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Michael Haberler writes...
>Is there anybody working on a {ip-authenticating,encrypting,CHAPing,DH-ing}
>point-to-point-tunnel ala plug-gw?
>This could solve some of the problems of database-access over firewalls
>(note that e.g. Oracle uses TCP out-of-band signalling and TCP keepalives,
>which probably should be catered for.).
>Something along the lines of a userland swIPe.

start commercial

Network Systems Corp. (NSC) has announced a security product called "Data Privacy Facility" (DPF). It encrypts IP datagrams on a per-packet basis, gives you the ability to select what gets encrypted and what doesn't. DPF supports DES, IDEA, and NSC1 encryption algorithms, MD5 for digi-signatures, uses RSA and Diffie/Hellman for key exchange, works great, lasts long time.
DPF runs on a router (which means that you can not only encrypt traffic but establish/ control access policy as well.) There is no limit to the number of end-stations that can use an encrypted tunnel. Encrypted packets can be forwarded over any data-link that supports IP (frame relay, ATM, ethernet, T/R, etc.) The first hardware platform to support DPF is a router called (surprisingly enough!) the 'Security Router'. Future platforms will be released that will support DPF. Cost? very reasonable. Performance? 4 Mbs or better (depends on a bunch of stuff - like how the thing is configured.) Want more info? www.network.com (look for recent press releases), Contact NSC corporate HQ in lovely Minneapolis, MN. or contact your local sales-weenie.

end commercial

Grant Miller NSC - Bellevue, WA

From firewalls-owner Wed Dec 14 14:10:13 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA07322 for firewalls-outgoing; Wed, 14 Dec 1994 13:15:28 -0800 Received: from relay.tis.com (firewall_user@relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA07314 for ; Wed, 14 Dec 1994 13:15:24 -0800 Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma028307; Wed Dec 14 16:13:57 1994 Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA05615; Wed, 14 Dec 94 16:11:31 EST Message-Id: <9412142111.AA05615@tis.com> From: Frederick M Avolio X-Organization: Trusted Information Systems, Inc. X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363 To: ruf@osiris.cs.uow.edu.au Cc: firewalls@greatcircle.com (Firewalls Mailing List) Subject: Re: SEAL In-Reply-To: Your message of Wed, 14 Dec 94 23:47:21 +1100. Date: Wed, 14 Dec 94 16:11:30 -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> "*Hobbit* wrote:"
>
> >A decade, eh? Ask DEC about Mitnick and VMS source code. I don't think
> >that was ten years ago.
> > Was early 1988, though DEC apparently took little interest for months. > Also dont forget to mention XSafe, loginout details and probably a > host of other information that was never revealed. Well, the DEC gateways developed over those years. When I was there, it had been in use for about 5 years -- although not in the product's current form, but close -- so 7 years or so is probably close to reality. > Also they have the Polycenter Intrusion Detector (formerly DECinspect) > but I believe this was much later development. I would still be > interested in how much of an influence the Mitnick incidents had on > the development of this product. If you mean DECinspect, I would guess lots. If you mean SEAL (DEC, do you still call it that? Where are the DEC SEAL engineers or consultants on this list?) I would say very little. Fred From firewalls-owner Wed Dec 14 14:39:35 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA07821 for firewalls-outgoing; Wed, 14 Dec 1994 13:44:48 -0800 Received: from inet-gw-2.pa.dec.com (inet-gw-2.pa.dec.com [16.1.0.23]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA07816 for ; Wed, 14 Dec 1994 13:44:45 -0800 Received: from us1rmc.bb.dec.com by inet-gw-2.pa.dec.com (5.65/10Aug94) id AA16082; Wed, 14 Dec 94 13:37:46 -0800 Received: from ljsrv2.enet by us1rmc.bb.dec.com (5.65/rmc-22feb94) id AA10190; Wed, 14 Dec 94 16:37:48 -0500 Message-Id: <9412142137.AA10190@us1rmc.bb.dec.com> Received: from ljsrv2.enet; by us1rmc.enet; Wed, 14 Dec 94 16:37:48 EST Date: Wed, 14 Dec 94 16:37:48 EST From: Danny Mayer To: firewalls@greatcircle.com Cc: mayer@ljsrv2.enet.dec.com Apparently-To: firewalls@greatcircle.com Subject: Re: SEAL Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Contact Bill Pozerycki at pozerycki@ooes.enet.dec.com Danny ============================================================================== Danny Mayer Digital Equipment Corporation Mayer@ljo.dec.com Littleton, MA 
01460 ============================================================================== From firewalls-owner Wed Dec 14 15:09:22 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA08643 for firewalls-outgoing; Wed, 14 Dec 1994 14:38:30 -0800 Received: from netcom2.netcom.com (kinne@netcom2.netcom.com [192.100.81.108]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA08638 for ; Wed, 14 Dec 1994 14:38:27 -0800 Received: by netcom2.netcom.com (8.6.9/Netcom) id OAA18495; Wed, 14 Dec 1994 14:37:11 -0800 From: kinne@netcom.com (Kinne Strong) Message-Id: <199412142237.OAA18495@netcom2.netcom.com> Subject: Re: radius from livingston? To: firewalls@greatcircle.com (firewalls) Date: Wed, 14 Dec 1994 14:37:10 -0800 (PST) Reply-To: kinne@netcom.com X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 585 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to Patrick Horgan: > > ... The source > code for radiusd (with the appropriate chapter out of the portmaster manual > in postscript,) is available freely for anonymous ftp from: > > ftp://ftp.netcom.com/pub/livingston/radius Netcom has changed things (the /pub directory was getting too big). The new URL is: ftp://ftp.netcom.com/pub/li/livingston/radius Note the new directory level "/li" added. The new directory levels are always the first two letters of the directory that used to be in /pub. (For instance, mine changed from /pub/kinne to /pub/ki/kinne.) 
-Kinne From firewalls-owner Wed Dec 14 15:23:27 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA08193 for firewalls-outgoing; Wed, 14 Dec 1994 14:09:16 -0800 Received: from wintermute.imsi.com (wintermute.imsi.com [192.103.3.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA08188 for ; Wed, 14 Dec 1994 14:09:13 -0800 Received: from relay.imsi.com by wintermute.imsi.com id RAA25214; Wed, 14 Dec 1994 17:07:20 -0500 Received: from lorax.imsi.com by relay.imsi.com id RAA25946; Wed, 14 Dec 1994 17:07:19 -0500 Received: from localhost by lorax.imsi.com (4.1/SMI-4.1) id AA20863; Wed, 14 Dec 94 17:07:18 EST Message-Id: <9412142207.AA20863@lorax.imsi.com> To: Michael Richardson Cc: firewalls@greatcircle.com Subject: Re: ix.netcom.com In-Reply-To: Your message of "Wed, 14 Dec 1994 14:24:52 EST." <199412141925.OAA05049@jupiter.milkyway.com> Reply-To: rens@imsi.com Date: Wed, 14 Dec 1994 17:07:18 -0500 From: Rens Troost Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>>>> "Michael" == Michael Richardson writes: Michael> I complained this morning to the person who posted that Michael> ad, (support@netcom.com tells me their account has been Michael> disabled...) and was looking at my firewall and noticed Michael> this: [ log output elided ] Pretty Funny. They tried to finger my site, and then sent mail back to me claiming to be postmaster@ix.netcom.com...without even changing the headers around. The mail was full of typos and said that the problem was being dealt with and I should not hassle them anymore. Well, I think they're off the air now! Idiots. 
-Rens From firewalls-owner Wed Dec 14 17:09:32 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA10333 for firewalls-outgoing; Wed, 14 Dec 1994 16:46:08 -0800 Received: from sequoia.itd.uts.EDU.AU (daemon@[138.25.16.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA10328 for ; Wed, 14 Dec 1994 16:46:00 -0800 Received: from lordmuck.itd.uts.edu.au by sequoia.itd.uts.EDU.AU with SMTP id AA02640 (5.65c/IDA-1.4.4 for ); Thu, 15 Dec 1994 11:44:08 +1100 Received: by lordmuck.itd.uts.edu.au (5.0/SMI-SVR4) id AA24114; Thu, 15 Dec 1994 11:45:58 +1100 From: matt@uts.EDU.AU (Jas (Matthew K)) Message-Id: <9412150045.AA24114@lordmuck.itd.uts.edu.au> Subject: Re: chroot, UDP, and time stamps To: pcc@SSDS.com (Phil Cox) Date: Thu, 15 Dec 1994 11:45:57 +1000 (EST) Cc: firewalls@greatcircle.com (Firewalls Mailing List) In-Reply-To: from "Phil Cox" at Dec 14, 94 11:10:07 am X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 1104 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Phil Cox wrote this... > > I am running the FWTK and using the UDP version of the syslog calls > (#define USE_UDPSYSLOG). All seems to be working fine EXCEPT that the > logging from the chroot`d programs (ftp-gw and tn-gw) are entered > with time stamps 7 hrs later than actual local time. I am not sure > why it is using the wrong timezone, all non-chroot progs log correct > time. Is there something I need to stick in the chrooted environment? > > Any pointers would be appreciated. > if you have a /etc/timezone, you'll need one in your chrooted env as well. Matt -- Matthew Keenan Systems Programmer Information Technology Division University of Technology Sydney Australia www: http://milliways.itd.uts.edu.au/~matt/ email: matt@uts.edu.au phone: +61 2 330 1390 "Don't murder a man who is about fax: +61 2 330 1999 to commit suicide." home: +61 2 416 5722 -- Machiavelli GCV 2.1 GAT/M/CS d--(-+) H-- s++:-- g+ p? !au a-(?) 
w+++ v+ C+++$ UVS++++$ P+>+++ L- 3+++ E-(++) N++ K W--- M+ V-- -po+(+) Y+ t+ !5>++ jx R+ G? !tv b+++ D++ B e+ u--(**) h- f+(*) r n- !y From firewalls-owner Wed Dec 14 18:09:33 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA11004 for firewalls-outgoing; Wed, 14 Dec 1994 17:52:14 -0800 Received: from Sun.COM (Sun.COM [192.9.9.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA10999 for ; Wed, 14 Dec 1994 17:52:10 -0800 Received: from East.Sun.COM ([129.151.1.15]) by Sun.COM (sun-barr.Sun.COM) id AA26400; Wed, 14 Dec 94 14:05:34 PST Received: from sunrise.East.Sun.COM by East.Sun.COM (4.1/SMI-4.1) id AA26441; Wed, 14 Dec 94 17:04:01 EST Received: from kfir.East.Sun.COM by sunrise.East.Sun.COM (5.0/SMI-5.3-900117) id AA15652; Wed, 14 Dec 1994 17:03:57 -0500 Received: by kfir.East.Sun.COM (5.0/SMI-SVR4) id AA20789; Wed, 14 Dec 1994 17:04:12 +0500 Date: Wed, 14 Dec 1994 17:04:12 +0500 From: stern@sunrise.East.Sun.COM (Hal Stern - NE Area Systems Engineer) Message-Id: <9412142204.AA20789@kfir.East.Sun.COM> To: firewalls@greatcircle.com Subject: radius: summary Content-Length: 966 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk i received tons of white papers, comments and pointers regarding the radius software from livingston. here's a summary of the pointers for anyone who wants to pull more data: For more info: info@livingston.com or support@livingston.com. Technical information including source code and a white paper are at ftp.livingston.com:/pub/radius ----------- there is currently a thread in the newsgroup comp.dcom.servers about it The latest Internet-Draft is ftp://ftp.livingston.com/pub/radius/draft-radius-02.txt The latest RADIUS server source is ftp://ftp.livingston.com/pub/radius/radius-1.13.tar.Z Release 1.16 is in beta test now and adds support for Accounting, Challenge/Response and Linux, BSDI, Unixware, SCO, and OSF/1 on Alpha. 
We anticipate its release in December, and will announce it on the portmaster-users@msen.com mailing list. ---------- a review appeared in Lan Times: *PortMaster 2, LAN Times: Sep 5, 1994 McGraw-Hill Inc. 1994 --hal From firewalls-owner Wed Dec 14 18:25:19 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA11102 for firewalls-outgoing; Wed, 14 Dec 1994 18:02:24 -0800 Received: from ns.draper.com (ns.draper.com [140.102.2.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA11097 for ; Wed, 14 Dec 1994 18:02:21 -0800 Message-Id: <199412150202.SAA11097@miles.greatcircle.com> Received: from surname.draper.com by ns.draper.com id aa02046; 14 Dec 94 21:00 EST Received: from kss1376.draper.com by surname.draper.com id aa11674; 14 Dec 94 21:00 EST X-Sender: kss1376@pop.draper.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 14 Dec 1994 21:00:20 -0500 To: Jas , Phil Cox MMDF-Warning: Unable to confirm address in preceding line at ns.draper.com From: Ken Shores Subject: Re: chroot, UDP, and time stamps Cc: Firewalls Mailing List X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 11:45 AM 12/15/94 +1000, Jas (Matthew K wrote: >Phil Cox wrote this... >> >> I am running the FWTK and using the UDP version of the syslog calls >> (#define USE_UDPSYSLOG). All seems to be working fine EXCEPT that the >> logging from the chroot`d programs (ftp-gw and tn-gw) are entered >> with time stamps 7 hrs later than actual local time. I am not sure >> why it is using the wrong timezone, all non-chroot progs log correct >> time. Is there something I need to stick in the chrooted environment? >> >if you have a /etc/timezone, you'll need one in your chrooted env as well. On SunOS you need /usr/share/lib/zoneinfo/localtime, and possibly other files (I generally put GMT and my local timezone, EST5EDT, in as well). Ken ----- Ken Shores, Sr. Network Analyst The Charles Stark Draper Laboratory, Inc. 
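Matt's and Ken's answers name the files a chroot'd FWTK proxy needs in order to resolve local time: /etc/timezone on Matt's system and /usr/share/lib/zoneinfo/localtime (plus whatever zones you use) on SunOS. The script below is an added example, not part of the thread or of the FWTK: it checks a jail for those files and copies in whatever is missing. /etc/localtime is assumed as the equivalent on other systems, and the jail path in the usage comment is invented; only files that actually exist on the host are considered, so the list being longer than any one system needs is harmless.

```sh
#!/bin/sh
# Added example: make sure an FWTK chroot jail carries the timezone data the
# host uses. Files named in the thread: /etc/timezone (Matt) and
# /usr/share/lib/zoneinfo/localtime (Ken, SunOS). /etc/localtime is an
# assumption for other systems. Only files present on the host count.
TZ_FILES="/etc/localtime /etc/timezone /usr/share/lib/zoneinfo/localtime"

# usage: missing_tz_files HOSTROOT JAILROOT
# Prints, one per line, each timezone file that exists under HOSTROOT but
# not under JAILROOT. HOSTROOT is normally "" (the real root); a separate
# tree is accepted so the check can be exercised without a live jail.
missing_tz_files() {
    host=$1
    jail=$2
    for f in $TZ_FILES; do
        if [ -e "$host$f" ] && [ ! -e "$jail$f" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# usage: install_tz_files HOSTROOT JAILROOT
# Copies each missing file into the jail, creating the directories. cp -L
# copies the target of a symlink: a link pointing into the host's zoneinfo
# tree would dangle once the proxy has chroot'd, which is the original bug
# in a different costume.
install_tz_files() {
    host=$1
    jail=$2
    for f in $(missing_tz_files "$host" "$jail"); do
        mkdir -p "$jail$(dirname "$f")"
        cp -L "$host$f" "$jail$f"
    done
}

# Typical use on the firewall itself, with the jail at an assumed path:
#   missing_tz_files "" /usr/local/fwtk-jail      # report only
#   install_tz_files "" /usr/local/fwtk-jail      # fix
```

After installing, restart the proxies from inetd and compare a fresh ftp-gw log line against `date`; if the offset persists, the proxy is reading a TZ variable it inherits from inetd rather than a file, and that belongs in the inetd environment, not the jail.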
kss1376@pop.draper.com 555 Technology Square, Cambridge, MA 02139-3563 (617) 258-2529 Mail Stop 33

From firewalls-owner Wed Dec 14 20:39:05 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA11929 for firewalls-outgoing; Wed, 14 Dec 1994 20:19:10 -0800 Received: from netcom.netcom.com (root@netcom.netcom.com [192.100.81.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id UAA11924 for ; Wed, 14 Dec 1994 20:19:07 -0800 Received: from bundy.cnet-pnw.com by netcom.netcom.com (8.6.9/Netcom) id UAA23685; Wed, 14 Dec 1994 20:17:49 -0800 Received: by bundy.cnet-pnw.com (5.0/SMI-SVR4) id AA02873; Wed, 14 Dec 1994 16:09:10 -0800 Date: Wed, 14 Dec 1994 16:09:09 -0800 (PST) From: Jeff Collyer X-Sender: jeff@bundy To: firewall list Cc: TIS firewall list Subject: tn-gw under Solaris 2.3 Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII content-length: 0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello all, I have built FWTK v1.3 under Solaris 2.3 and am having problems with the tn-gw proxy (telnet gateway). What happens is:

I telnet to the firewall
I get the banner
I get the prompt
Any character typed on my end closes the connection.

This happens when telnetting in from a SUN. If I happen to telnet in from one of our older NCR machines:

I get the banner
I get the prompt
The connection closes immediately (no keystroke necessary)

I saw this posted earlier to the TIS list, but no response was ever given. I have searched both the fwtk list archives and the firewalls list archives for solutions to no avail. Has anyone solved this problem? I know someone must be using TIS FWTK on a Solaris box somewhere. help.

I have hacked the code a bit and I think that several characters are being passed to the tn-gw code after the prompt is printing. On the SUN I see 3 chars received after the prompt prints. The fourth (the one I type) never seems to get there.
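Three bytes arriving before anything is typed is the size of one telnet option negotiation (IAC, then WILL/WONT/DO/DONT, then the option), which a client may send right after connecting. Whether that is what Jeff's tn-gw is seeing is an assumption, not something the thread established. The code below is an added example, not FWTK code: it shows how a proxy reading a telnet client can separate the user's keystrokes from IAC sequences (RFC 854/855) instead of treating the first byte after the prompt as a command. The sample burst is constructed.

```python
# Telnet protocol constants (RFC 854).
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
NEGOTIATE = {DO: 'DO', DONT: 'DONT', WILL: 'WILL', WONT: 'WONT'}

# Constructed: what a client might send right after connect, before the user
# types anything: DO SUPPRESS-GO-AHEAD (3), WILL TERMINAL-TYPE (24), then the
# single keystroke 'a'. Not captured from any real client.
CLIENT_BURST = bytes([IAC, DO, 3, IAC, WILL, 24]) + b'a'


def split_telnet_stream(buf):
    """Separate user data from telnet option negotiation in bytes read from a
    client. Returns (user_bytes, commands, leftover):
      user_bytes - what the user actually typed, with IAC IAC unescaped to 0xFF
      commands   - [('DO', opt), ('WILL', opt), ..., ('SB', payload), ('CMD', code)]
      leftover   - an incomplete trailing sequence, to be prepended to the next read
    """
    data = bytearray()
    cmds = []
    i, n = 0, len(buf)
    while i < n:
        b = buf[i]
        if b != IAC:
            data.append(b)
            i += 1
            continue
        if i + 1 >= n:
            break                                  # lone IAC: wait for more
        c = buf[i + 1]
        if c == IAC:
            data.append(IAC)                       # escaped data byte 0xFF
            i += 2
        elif c in NEGOTIATE:
            if i + 2 >= n:
                break                              # option byte not here yet
            cmds.append((NEGOTIATE[c], buf[i + 2]))
            i += 3
        elif c == SB:
            end = buf.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break                              # subnegotiation incomplete
            cmds.append(('SB', bytes(buf[i + 2:end])))
            i = end + 2
        else:
            cmds.append(('CMD', c))                # NOP, AYT, GA, etc.
            i += 2
    return bytes(data), cmds, bytes(buf[i:])


def naive_first_byte(buf):
    """What a proxy gets if it treats the first byte after the prompt as the
    user's input: here 0xFF, which no command parser will accept."""
    return buf[0] if buf else None


if __name__ == '__main__':
    user, negotiation, rest = split_telnet_stream(CLIENT_BURST)
    print('naive proxy sees byte', naive_first_byte(CLIENT_BURST))
    print('user typed', user, 'after negotiation', negotiation)
```

A proxy that answers these with DONT/WONT (or simply discards them, as above) keeps the connection in the plain line mode tn-gw expects; a proxy that lets them through as if typed closes on the first "command" it cannot parse, which matches the symptom described but, again, is an assumption until confirmed against a packet trace.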
TIA jeff ---------------------------------------------------------------------- | Really -- it worked yesterday..... jeff@bundy.cnet-pnw.com | ---------------------------------------------------------------------- From firewalls-owner Wed Dec 14 22:09:03 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA12267 for firewalls-outgoing; Wed, 14 Dec 1994 21:39:43 -0800 Received: from nda.nda.com (nda.nda.COM [204.57.51.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id VAA12262 for ; Wed, 14 Dec 1994 21:39:41 -0800 Received: (kovar@localhost) by nda.nda.com (8.6.9/8.6.4) id AAA01809; Thu, 15 Dec 1994 00:38:18 -0500 From: David Kovar Message-Id: <199412150538.AAA01809@nda.nda.com> Subject: Re: SEAL To: avolio@tis.com (Frederick M Avolio) Date: Thu, 15 Dec 1994 00:38:15 -0500 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: <9412141935.AA22986@tis.com> from "Frederick M Avolio" at Dec 14, 94 02:35:31 pm X-Mailer: ELM [version 2.4 PL20] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 475 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > As far as I can tell from people I have talked to it requires > consulting to set it up. Very expensive consulting, on the order of $250 per hour. It also potentially requires a lot of DEC hardware running Ultrix. A client has four Ultrix boxes dedicated to SEAL firewall operations, two are just for the Mosaic gateway, though we're also using one for other purposes. I tend to be wary of modifying it, which means that I do not understand it well enough. 
-David

From firewalls-owner Wed Dec 14 23:09:05 1994
Date: Thu, 15 Dec 1994 01:38:39 -0500 (EST)
From: Network Security Observations
Subject: Free copy Internet Security Monthly
To: firewalls@GreatCircle.com
Message-id: <01HKNL8E31KO8ZSH3I@delphi.com>

Internet Security Monthly * News release
Washington DC, December 1994

Due to special support from the United States Postal Services it is now possible to make a limited number of copies of Internet Security Monthly free of charge available for subscription review purposes.

If you are a regular subscriber/reader of one of the following lists/digests, and return a completed request-template (below) by electronic mail to < nso@delphi.com >, you will receive a promotional copy of Internet Security Monthly.

risks-digest, CUD-digest, telecom-digest, privacy-digest, firewall-digest, virus-L, crypto-L, security-L

-----cut here------email to> nso@delphi.com-------

Request for free of charge subscription evaluation copy of Internet Security Monthly

Template
-----------

Name:
Position/function:
Company/affiliation:
Dept.:
Address:
City/State/Zip:
Country:
Telefax nr.:
Email address:

After registration you will be (air)mailed one copy of Internet Security Monthly. Internet Security Monthly is a not-for-profit initiative. Thus the service is not continued for subsequent copies, nor will a request for another copy be granted.

You may use the above as template for registration, or alternatively fax it to:

Network Security Observations
Internet Security Monthly
+ 1 202 429 9574

----------------------x--------------------

Regular subscriptions of Internet Security are available for US $ 75 (United States), US $ 100 (World), including (air)mail.

For more info contact:
NSO/ISM
Subscriptions
Internet: nso@delphi.com
Tel.: +1 202 775 4947
Fax.: +1 202 429 9574
-----------------------------------
==

From firewalls-owner Thu Dec 15 00:09:00 1994
Date: Thu, 15 Dec 1994 08:43:18 +0100 (MET)
From: Michael BAUMANNM +61 68 73 52 0
Subject: Re: SEAL
In-Reply-To: <31932241214991/653427@RBAC01>
To: firewalls
Message-Id: <0218430815121994/A43737/RBIZ07/118C7A2B1000*@MHS>

>I, also, have a passing acquaintance with SEAL. SEAL is sort of a
>hybrid firewall: it has elements of an application gateway based
>firewall (in that it uses some proxies), circuit level gateway (in
>that it uses SOCKS), and a packet filter (in that it uses screend). In
>some cases it is philosophically similar to Gauntlet and the FWTK
>(some proxies are small and, so, examinable) but different in others
>(SEAL runs large programs such as the CERN HTTP proxy, Sendmail, and
>SOCKS).
>
>As far as I can tell from people I have talked to it requires
>consulting to set it up.

As far as I know SEAL is only a consulting service. Seal is not what I would call a "Dec product"; it consists of several modified PD programs.

-r Michael

From firewalls-owner Thu Dec 15 05:39:04 1994
Date: Thu, 15 Dec 94 08:25:13 -0500
Message-Id: <9412151325.AA07567@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Interesting but...

...I really have to wonder about an ad that does not include either a phone number or E-Mail contact info. Does sound interesting - something like Hughes LOCK.

>Network Systems Corp. (NSC) has announced a security product called "Data
>Privacy Facility" (DPF).

>recent press releases), Contact NSC corporate HQ in lovely Minneapolis, MN.

another Honeywell spinoff like SCTV ?

Warmly (+20 C today 8*),
Padgett

From firewalls-owner Thu Dec 15 05:54:47 1994
Date: Thu, 15 Dec 1994 08:21:54 -0500 (EST)
From: Ron Fitzherbert
Subject: Re: SEAL
To: firewalls@greatcircle.com
In-Reply-To: <199412150538.AAA01809@nda.nda.com>

It now also runs under OSF/1 -- I suppose it could be set up by anyone with the manuals, but what you are really paying for is to have DEC come out and install it.

Ron
--------------------------------------------
Ronald James Fitzherbert - President
Flying Penguin Productions Limited
Arlington, VA (USA) +1.703.358.9219

On Thu, 15 Dec 1994, David Kovar wrote:

> > As far as I can tell from people I have talked to it requires
> > consulting to set it up.
>
> Very expensive consulting, on the order of $250 per hour. It also
> potentially requires a lot of DEC hardware running Ultrix. A client
> has four Ultrix boxes dedicated to SEAL firewall operations, two
> are just for the Mosaic gateway, though we're also using one for
> other purposes.
>
> I tend to be wary of modifying it, which means that I do not understand
> it well enough.
>
> -David
>

From firewalls-owner Thu Dec 15 06:09:44 1994
From: letch@ultra3.larc.nasa.gov
Message-Id: <9412151350.AA00643@ultra3.larc.nasa.gov>
To: bret@real.com (Bret McDanel)
Cc: firewalls@greatcircle.com, letch@ultra3.larc.nasa.gov
Subject: Re: Minimal fingerd
In-Reply-To: Your message of "Tue, 13 Dec 94 11:33:54 EST." <199412131633.LAA07941@real.com>
Date: Thu, 15 Dec 94 08:50:42 -0500

The tcp programming in the second is impressive but the first works also.

From firewalls-owner Thu Dec 15 06:39:14 1994
Date: Thu, 15 Dec 1994 09:05:27 -0500 (EST)
From: David Miller
Subject: SEAL vs FWTK
To: firewalls@greatcircle.com

I'm trying to cut enough red tape here to install a firewall (Governments!). At a recent meeting with the Gartner group, my management was told by one consultant that roll-your-own firewalls are "just barely" better than nothing at all, that if you wanted security you had to buy a commercial product, running on a commercial operating system. After seeing the login holes on SCO and AIX, I'm not convinced that BSDI is evil or porous.

I'm very interested in hearing other opinions on commercial vs FWTK, and on whether FWTK is generally considered a roll-your-own or not.

Thanks in advance,
David Miller
----------------------------------------------------------------------------
It's *amazing* what one can accomplish when one doesn't know what one can't do!

From firewalls-owner Thu Dec 15 06:55:39 1994
Message-Id: <199412151351.IAA16931@mail.Reston.VMD.Sterling.COM>
Date: Thu, 15 Dec 94 09:09:15 EST
From: "Ross Patterson"
To: firewalls@greatcircle.com

It seems GE isn't the only one with troubles. The following excerpt from the British daily, The Guardian, appeared recently in EDUPAGE. It's vaguely reminiscent of William Gibson's "Dadaist punks", who break into cars and install 8-track systems.

UNITED KINGDOM IS SERIOUS ABOUT OPEN GOVERNMENT
Minutes after the Government formally joined the Internet, the department responsible for Open Government was the victim of a hacker. The Minister for Science said: "Six minutes after we went live, a man from Edinburgh University hacked into our system, decided he didn't like the design of some of our pages and redesigned them. Now, in fact, he made them better, and the people who designed the pages accept that. The problem is, supposing somebody is able to hack into the system, changes the information and somebody acts on that information. Whose responsibility is it? I don't know the answer. But I think you will be reassured that we at least are posing that question." (The Guardian 12/8/94 p.10)

Ross Patterson
Sterling Software, Inc.
VM Software Division

From firewalls-owner Thu Dec 15 07:10:20 1994
From: robp@anubis.network.com (Rob Peglar)
Message-Id: <9412151450.AA26720@anubis.network.com>
Subject: Re: Interesting but...
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson P.E. Information Security)
Date: Thu, 15 Dec 1994 08:52:33 -0600 (CST)
Cc: firewalls@greatcircle.com
In-Reply-To: <9412151325.AA07567@uvs1.orl.mmc.com> from "A. Padgett Peterson, P.E. Information Security" at Dec 15, 94 08:25:13 am

Grant Miller's post unfortunately didn't give any address information. My .signature below gives some. We have a Web server at www.network.com which gives other world-wide locations, telephone #'s, etc. North America: 800.328.9108

> ...I really have to wonder about an ad that does not include either a phone
> number or E-Mail contact info. Does sound interesting - something like
> Hughes LOCK.
>
> >Network Systems Corp. (NSC) has announced a security product called "Data
> >Privacy Facility" (DPF).
>
> >recent press releases), Contact NSC corporate HQ in lovely Minneapolis, MN.

> another Honeywell spinoff like SCTV ?

Nope, actually a spinoff from CDC some two decades ago...

> Warmly (+20 C today 8*),

Big deal. -20 C is much better; it tends to focus the mind :-)

Rob
--
Rob Peglar                   Network Systems Corporation
Router/Switch Group          7600 Boone Avenue North
robp@anubis.network.com      Minneapolis MN 55428
(612)424-4888 x1028

From firewalls-owner Thu Dec 15 07:39:12 1994
From: doug@seas.smu.edu (Doug Davis)
Subject: Re: Free copy Internet Security Monthlyg
To: NSO@delphi.com (Network Security Observations)
Date: Thu, 15 Dec 1994 08:51:53 -0600 (CST)
Cc: firewalls@GreatCircle.com
In-Reply-To: <01HKNL8E31KO8ZSH3I@delphi.com> from "Network Security Observations" at Dec 15, 94 01:38:39 am

> Washington DC, December 1994
>
> Due to special support from the United States
> Postal Services it is now possible to make a
> limited number of copies of Internet Security
> Monthly free of charge available for subscription
> review purposes.
>
> If you are a regular subscriber/reader of one of
> the following lists/digests, and return a
> completed request-template (below) by electronic
> mail to < nso@delphi.com >, you will receive a
> promotional copy of Internet Security Monthly.
>
> risks-digest, CUD-digest, telecom-digest,
> privacy-digest, firewall-digest, virus-L,
> crypto-L, security-L
>
> -----cut here------email to> nso@delphi.com-------
>
> Request for free of charge subscription evaluation
> copy of Internet Security Monthly
>
> Template
> -----------
>
> Name: doug davis
> Position/function: director
> Company/affiliation: Southern Methodist University
> Dept.: computer operations
> Address: 3145 Dyer --- Room 303
> City/State/Zip: Dallas tx 75275
> Country: usa
> Telefax nr.: 214-768-3883
> Email address: doug@smu.edu
>
> After registration you will be (air)mailed one
> copy of Internet Security Monthly. Internet
> Security Monthly is a not-for-profit initiative.
> Thus the service is not continued for subsequent
> copies, nor will a request for another copy be
> granted.
>
> You may use the above as template for registration,
> or alternatively fax it to:
>
> Network Security Observations
> Internet Security Monthly
> + 1 202 429 9574
>
> ----------------------x--------------------
>
> Regular subscriptions of Internet Security
> are available for US $ 75 (United States),
> US $ 100 (World), including (air)mail.
> For more info contact:
> NSO/ISM
> Subscriptions
> Internet: nso@delphi.com
> Tel.: +1 202 775 4947
> Fax.: +1 202 429 9574
> -----------------------------------
>
> ==
>

From firewalls-owner Thu Dec 15 08:09:31 1994
From: misrahij@btco.com
Date: Thu, 15 Dec 1994 10:08:12 -0500
Message-Id: <199412151508.KAA07188@NYCSEX0001.btco.com>
To: "Bryan D. Boyle", firewalls@GreatCircle.COM, Wulf Losee
Subject: Re: Is DEC's SEAL as good as DEC claims?

Bryan D. Boyle writes about DEC SEAL:

>> ..."It is certainly one of the better products; well thought out, minimalist
>> in the size of it, and certainly a crystal box implementation (you get the
>> source)."...

Do you get _all_ the source? What about the components which are part of the O/S such as screend?

/Jeff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
< Jeff Misrahi                      Internet: misrahij@btco.com     >
< Client Server Engineering         Phone: (212) 250-3378           >
< Bankers Trust Company,            Fax: (212) 250-2184             >
< New York, NY, 10006                                               >
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Thu Dec 15 08:33:19 1994
Date: Thu, 15 Dec 1994 10:51:33 -0500 (EST)
To: firewalls@greatcircle.com (Firewalls Mailing List)
Subject: SEAL vs FWTK (fwd)
From: "Mike O'Connor"
Reply-To: "Mike O'Connor"
Message-Id: <941215105133.mjo@dojo>

:I'm trying to cut enough red tape here to install a firewall (Governments!).
:At a recent meeting with the Gartner group, my management was told by one
:consultant that roll-your-own firewalls are "just barely" better than
:nothing at all, that if you wanted security you had to buy a commercial
:product, running on a commercial operating system. After seeing the
:login holes on SCO and AIX, I'm not convinced that BSDI is evil or porous.

BSDI is a commercial operating system as well, written and supported by people who understand Unix and TCP/IP internetworking very well.

:I'm very interested in hearing other opinions on commercial vs FWTK, and
:on whether FWTK is generally considered a roll-your-own or not.

I see the FWTK as a (very!) useful toolkit, not a total firewall solution in and of itself. It's not like putting pieces of the FWTK on a box somewhere transforms your whole network. Note that some firewall vendors offer their services, as distinct from "run this magic code and everything just works", where they go in, may help in establishing policy and identifying issues, and then go off to implement policy and do some level of continuing work with you. I'd argue that the documentation of the FWTK is the most useful part for many people.

--
Michael J. O'Connor                  Internet: mjo@dojo.mi.org (email address)
InterNIC WHOIS: MJO                  http://www.coast.net/~mjo/ (WWW homepage)
"Childhood is short and maturity is forever." -Calvin

From firewalls-owner Thu Dec 15 08:39:37 1994
From: thierry@osftag.geo.dec.com
Message-Id: <9412151608.AA02288@osftag.geo.dec.com>
To: firewalls@greatcircle.com
Subject: Re: SEAL
Date: Thu, 15 Dec 94 17:08:33 +0100

Hi Everybody,

David Kovar wrote :
> It also potentially requires a lot of DEC hardware running Ultrix

One to three machines actually (or more, depending on the network throughput you want to sustain), according to the level of security you need. The DEC solution runs on DEC OSF/1, too.

For more details, please, see :
ftp://ftp.digital.com/pub/Digital/info/document/firewall-intro.ps
firewall-user.ps.Z
firewall-user.abs
firewall-admin.abs
firewall-user.ps
firewall-admin.ps
firewall-admin.ps.Z

Thierry AGASSIS (who replies on his own initiative).

From firewalls-owner Thu Dec 15 08:58:00 1994
Message-Id: <9412151610.AA24536@tis.com>
From: Frederick M Avolio
To: David Miller
Cc: firewalls@greatcircle.com
Subject: Re: SEAL vs FWTK
In-Reply-To: Your message of Thu, 15 Dec 94 09:05:27 -0500.
Date: Thu, 15 Dec 94 11:10:06 -0500

David Miller wrote:
> I'm trying to cut enough red tape here to install a firewall (Governments!).
> At a recent meeting with the Gartner group, my management was told by one
> consultant that roll-your-own firewalls are "just barely" better than
> nothing at all, that if you wanted security you had to buy a commercial
> product, running on a commercial operating system. After seeing the
> login holes on SCO and AIX, I'm not convinced that BSDI is evil or porous.
>
> I'm very interested in hearing other opinions on commercial vs FWTK, and
> on whether FWTK is generally considered a roll-your-own or not.

FWTK is better than roll your own in that 1) the S/W is already written, tested, and documented, and 2) it is in use at hundreds of sites worldwide. I'd disagree with the "just barely" statement as I think it is way too strong. It all depends on if you know what you are doing or not, if your security policy is well thought out, and if you've done a decent verification test on the installation.

We differentiate the freely available FWTK from our commercial product, Gauntlet (and similar statements could be made for Interlock, Raptor, etc.), as follows. The commercial product:

- Has more complete documentation
- Is commercially supported
- Is built and configured by experts
- Has extra features not part of the FWTK

With both the FWTK and Gauntlet you get source code. Some people balk at a commercial price for a commercial product and then spend much more than that in internal coding, testing, and maintenance. It's not always less expensive to do it yourself. But sometimes it is.

Side note: BSDI *is* a commercial operating system.

Fred

From firewalls-owner Thu Dec 15 09:10:33 1994
Date: Thu, 15 Dec 94 08:37:45 PST
From: octela!angie!hbo@uunet.uu.net (Howard B Owen)
Message-Id: <9412151637.AA09576@angie.octel>
To: nso@delphi.com
Cc: uunet!GreatCircle.com!firewalls@uunet.uu.net
In-Reply-To: <01HKNL8E31KO8ZSH3I@delphi.com> (uunet!delphi.com!NSO)
Subject: Re: Free copy Internet Security Monthly

Request for free of charge subscription evaluation copy of Internet Security Monthly

Name: Howard Owen
Position/function: System Administrator
Company/affiliation: Octel Communications Corp.
Dept.: Development Engineering Computer Services
Address: 1001 Murphy Ranch Rd. C2-1N
City/State/Zip: Milpitas CA 95035
Country: USA
Telefax nr.: 408-324-6576
Email address: hbo@octel.com

--
Howard Owen, System Administrator          internet: hbo@octel.com
Octel Communications Corporation           I am not a pay TV service!
1001 Murphy Ranch Rd. Mail Stop C2-1N      I've had the initials longer.
Milpitas CA 95035-7912 Tel. 408-324-6576
/////////////////////////////

From firewalls-owner Thu Dec 15 09:39:25 1994
Date: Thu, 15 Dec 1994 12:28:27 -0500 (EST)
From: David Holmes
Subject: Re: Free copy Internet Security Monthly
To: firewalls@greatcircle.com
In-Reply-To: <01HKNL8E31KO8ZSH3I@delphi.com>

Do we think we could manage to NOT cc the whole list with our responses?
From firewalls-owner Thu Dec 15 09:42:49 1994
Date: Thu, 15 Dec 1994 17:50:31 --100
From: Yves.Dherbecourt@der.edf.fr (Yves Dherbecourt - IMA/ICI/ASR - 47653790)
Message-Id: <9412151650.AA04357@cli57aa.asr.ici>
To: firewalls@greatcircle.com, greulich@math-stat.unibe.ch
Subject: Re: tn3270 over firewalls?

>From: greulich@math-stat.unibe.ch (Andreas Greulich)
>Date: Wed, 14 Dec 1994 17:48:19 +0100 (MET)
>
>I got a question concerning clients/hosts that are running the sna
>3270, 3279/3 etc (whatever their names are...) protocols. It seems
>there's a problem running them over a firewall. My problem now is that
>I don't see where the problem is...
>
>Actually I thought if the firewall runs a circuit-level proxy and just
>copies bytes like a wire, then why should it care what the protocol
>between the end nodes is..? I could see a problem with the additional
>authentication step started by the firewall, but was told this
>just has to run in line mode. But somebody told me that the firewall
>actually runs a telnet-like daemon as a proxy and doesn't just copy
>bytes between its two entries... if that's true, why is that so?
>I know that at least two of the major firewall vendors are working at
>the 3270-problem, so maybe somebody can explain the problem to me *smile*
>
>Thanks in advance!
> A.Greulich
>

Yes, a telnet proxy has to behave as a telnet daemon with the real telnet client, at least at the beginning of the connection, to manage authentication and destination host info. In particular, they must be able to agree on a particular terminal type to initiate the dialog, and that's where it can be a problem with 3270: if you get a 3270 client (IBM's X3270 for example) that only knows about IBM-EBCDIC-like terminals, and a telnet daemon that only knows ASCII-type terminals, they will never understand each other.

I see 2 solutions:

1- let your 3270 telnet client know about ASCII: that is already the case of the public domain tn3270 and X3270 products. They are also able to re-negotiate the terminal type with the real IBM mainframe, once the firewall is in the 'transparent' mode. I hope I'm clear enough. It means that you CAN use these 3270 clients to reach IBM mainframes through a firewall.

2- let your firewall telnet proxy daemon know about EBCDIC: I suppose that's what your firewall vendors are doing.

Yves Dherbecourt - Electricite de France / Etudes et Recherches

From firewalls-owner Thu Dec 15 10:07:02 1994
From: sdw@lig.net (Stephen D. Williams)
Subject: Re: SEAL
To: avolio@tis.com (Frederick M Avolio)
Date: Thu, 15 Dec 1994 12:25:44 +0000 (GMT)
Cc: ruf@osiris.cs.uow.edu.au, firewalls@greatcircle.com
In-Reply-To: <9412142111.AA05615@tis.com> from "Frederick M Avolio" at Dec 14, 94 04:11:30 pm

> > If you mean DECinspect, I would guess lots. If you mean SEAL (DEC, do
> you still call it that? Where are the DEC SEAL engineers or
> consultants on this list?) I would say very little.

They are here... Too busy or shy to talk I guess.

I've worked on one quite a bit at one of my clients. It's pretty usable and reasonably flexible (although I still like the idea of a transparent firewall). They support most useful services. I have a few quibbles about things they're still working on (that I wish were done now).

I happened to be an independent brought on as a follow-on to the DEC Installation.

> Fred

sdw
--
Stephen D. Williams 25Feb1965 VW,OH sdw@lig.net http://www.lig.net/~sdw
Senior Consultant 510.503.9227 CA Page 513.496.5223 OH Page BA Aug94-Dec95
OO R&D AI:NN/ES crypto By Buggy: 2464 Rosina Dr., Miamisburg, OH 45342-6430
Firewalls/WWW servers ICBM: 39 38 34N 84 17 12W home, 37 58 41N 122 01 48W work
Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.29Nov94

From firewalls-owner Thu Dec 15 10:41:51 1994
Date: Thu, 15 Dec 1994 12:15:24 -0600
From: "Steve P. Devore"
To: firewalls@greatcircle.com, mcr@milkyway.com
Subject: ix.netcom.com -Reply

>>>>>>>>>>>>>>>
I complained this morning to the person who posted that ad, (support@netcom.com tells me their account has been disabled...) and was looking at my firewall and noticed this:

Dec 14 08:53:03 internet proxy-tcp[6702]: deny host=ix.ix.netcom.com/199.182.120.2 service= port=2
<<<<<<<<<<<<<<<

The same thing happened here. I have no idea what they were trying to do.
From firewalls-owner Thu Dec 15 10:54:17 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA18355 for firewalls-outgoing; Thu, 15 Dec 1994 10:10:00 -0800
Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA18347 for ; Thu, 15 Dec 1994 10:09:57 -0800
Received: from ds9.lis.cch.com by relay3.UU.NET with SMTP id QQxukm06572; Thu, 15 Dec 1994 13:08:33 -0500
Received: by ds9.lis.cch.com id AA17115; Thu, 15 Dec 94 13:05:58 EST
Received: from mailhub.lis.cch.com(165.181.144.1) by ds9.lis.cch.com via smap (V1.3) id sma017113; Thu Dec 15 13:05:41 1994
Received: by deathstar.lis.cch.com (AIX 3.2/UCB 5.64/4.03) id AA66217; Thu, 15 Dec 1994 13:07:12 -0500
From: doc@deathstar.lis.cch.com (Matthew J. D'Errico)
Message-Id: <9412151807.AA66217@deathstar.lis.cch.com>
Subject: Re: SEAL vs FWTK
To: isdmill@gatekeeper.ddp.state.me.us (David Miller)
Date: Thu, 15 Dec 1994 13:07:12 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "David Miller" at Dec 15, 94 09:05:27 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1884
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

David Miller wrote...
>
> I'm trying to cut enough red tape here to install a firewall (Governments!).
> At a recent meeting with the Gartner group, my management was told by one
> consultant that roll-your-own firewalls are "just barely" better than
> nothing at all, that if you wanted security you had to buy a commercial
> product, running on a commercial operating system. After seeing the
> login holes on SCO and AIX, I'm not convinced that BSDI is evil or porous.
>
> I'm very interested in hearing other opinions on commercial vs FWTK, and
> on whether FWTK is generally considered a roll-your-own or not.

It amazes me what some big management consulting groups are passing off as "experts" these daze... I actually met one recently who was supposedly a "security expert" for a big6 firm -- I happened to know this guy from a previous job and can say with certainty that he's good with UNIX but no security expert.

TIS has a commercial product, called "Gauntlet" which comes with various options including software, documentation, installation services, etc. Use commercial hardware and OS like a Sun SparcStation if you're paranoid about AIX.

My site, a fortune 500 corporation, implements TIS' FWTK and I can personally vouch for the integrity of the firewall since its installation. We also, BTW, run mission critical applications on IBM RS/6000's w/AIX and TIS has assisted us in "plugging" those security holes you mention.

I strongly advise you and your management to hire a *real* Internet Security consultant, like TIS, or Brent Chapman of GreatCircle Associates (if you prefer non-allied objectivity) who can provide you with realistic issues, concerns, and resolutions to the joys and pitfalls of Internet...

Regards --

-- Doc
Matthew J. D'Errico
Systems Manager, Chief Architect
CCH Legal Information Services
1633 Broadway
New York, NY 10019

From firewalls-owner Thu Dec 15 11:09:17 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA18799 for firewalls-outgoing; Thu, 15 Dec 1994 10:39:43 -0800
Received: from news.primenet.com (root@news.primenet.com [198.68.32.30]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA18794 for ; Thu, 15 Dec 1994 10:39:40 -0800
Received: from slip138.tus.primenet.com (slip138.tus.primenet.com [198.68.42.138]) by news.primenet.com (8.6.9/8.6.9) with SMTP id LAA28622 for ; Thu, 15 Dec 1994 11:38:11 -0700
Message-Id: <199412151838.LAA28622@news.primenet.com>
X-Sender: rjudson@mailhost.primenet.com
X-Mailer: Windows Eudora Version 1.4.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 15 Dec 1994 11:40:54 +0700
To: firewalls@GreatCircle.COM
From: rjudson@PrimeNet.Com (Richard Judson)
Subject: Firewall Software
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm looking for opinions on firewall software from various vendors such as JANUS from NetPartners, CyberGuard from Harris, or SEAL from DEC. Anyone have good stories, bad, opinions about these products or others that I don't know about?

Thanks,
Richard
----------------------------------------------------
Richard Judson (RJ58) Mail: RJUDSON@PRIMENET.COM
LAN Systems Manager Phone: (602) 882-1502
Tucson Unified Schools FAX: (602) 798-8626
Building Information Systems for our Children's Future
----------------------------------------------------

From firewalls-owner Thu Dec 15 11:09:59 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA18777 for firewalls-outgoing; Thu, 15 Dec 1994 10:38:34 -0800
Received: from svcs1.digex.net (svcs1.digex.net [164.109.10.23]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA18769 for ; Thu, 15 Dec 1994 10:38:28 -0800
Received: from paragon-systems.com (sundevil.paragon-systems.com) by svcs1.digex.net with SMTP id AA14753 (5.67b8/IDA-1.5 for ); Thu, 15 Dec 1994 13:36:51 -0500
Received: from sandfiddler.paragon-systems.com by paragon-systems.com (4.1/SMI-4.1) id AA01659; Thu, 15 Dec 94 13:37:40 EST
Received: by sandfiddler.paragon-systems.com (4.1/SMI-4.1) id AA00334; Thu, 15 Dec 94 13:34:20 EST
Date: Thu, 15 Dec 94 13:34:20 EST
From: rmck@paragon-systems.com
Message-Id: <9412151834.AA00334@sandfiddler.paragon-systems.com>
To: isdmill@gatekeeper.ddp.state.me.us
Subject: Re: SEAL vs FWTK
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Suggestion- Begin at the beginning by assessing your level of expertise and the technical resources, and time, at your disposal. If you are confident that you can fashion either a "roll-your-own", or a toolkit firewall in such a manner that will preserve the security integrity of your enterprise, and maybe your job, then proceed accordingly.

However, if you are even the least bit unsure of yourself or that of your resources, I would suggest that you call in the commercial vendors (Raptor, TIS, DEC, SCC, Checkpoint, NSI, Janus etc.) show them the task, and put them to work. Pick the best based on technical performance against your requirement. (And there is only one best. He/She who buys a security device based on anything other than technical merit deserves whatever bad happens to them.)

That process should include a "best-of-breed" live test and evaluation exercise, including a stout penetration analysis on each to determine the "real truths" again based on your specific environment and needs.

There are a number of good solutions which (1) can be fashioned through a combination of "freeware", and integration of COTS (commercial off-the-shelf) piece parts, and (2) from "shrink-wrapped" commercially developed product packages. But, there is no magic in this process, it just takes some old fashioned investigative due diligence. The axiom applies: what you end up with most likely will be proportional to what you invest in it. INFOSEC is not a place to cut corners.

Good Luck!
Bob-on-the-Beltway

From firewalls-owner Thu Dec 15 11:32:08 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA18811 for firewalls-outgoing; Thu, 15 Dec 1994 10:39:53 -0800
Received: from noc1.mid.net (noc1.mid.net [198.247.250.15]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA18806 for ; Thu, 15 Dec 1994 10:39:50 -0800
Received: from jayhawk. (jayhawk.mid.net [198.247.250.21]) by noc1.mid.net (8.6.9/8.6.9) with SMTP id MAA08130 for ; Thu, 15 Dec 1994 12:38:28 -0600
Received: by jayhawk. (5.0/SMI-SVR4) id AA00850; Thu, 15 Dec 1994 12:42:28 -0600
From: alan@mid.net (Alan Hannan)
Message-Id: <9412151842.AA00850@jayhawk.>
Subject: SEAL
To: firewalls@greatcircle.com
Date: Thu, 15 Dec 1994 12:42:28 -0600 (CST)
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 775
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Could we please stop flooding with information and show and tell about Seal? I could list our firewall products, I could talk about commercial products, but I don't, because I believe that while this forum may be appropriate to ask for emails of people who have experience with SEAL, it is _not_ appropriate for stories, specs, and anecdotes.

Am I wrong?

If not, please take your SEAL (and other commercial-specific) discussions elsewhere.

--
+ alan@mid.net Network Operations Center (402)/472-0242, Fax (402)/472-0240 +
+ + + + + + + + + + + + + + + + + + + + ++ + + + + + + + + + + + + + + + + + + + +
+============\\ "Small is the number of them that see with their own eyes +
+MIDnet, Inc. \\______ and feel with their own hearts." - Albert Einstein +

From firewalls-owner Thu Dec 15 11:39:35 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA19747 for firewalls-outgoing; Thu, 15 Dec 1994 11:38:50 -0800
Received: from toontown.sw-eng.dts.harris.com (toontown.sw-eng.dts.harris.com [198.99.128.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA19741 for ; Thu, 15 Dec 1994 11:38:45 -0800
Received: from enterprise.dts.harris.com by toontown.sw-eng.dts.harris.com (5.0/SMI-SVR4) id AA12925; Thu, 15 Dec 1994 10:46:00 +0800
Received: from kennyz (kzeleny) by enterprise.dts.harris.com (5.0/SMI-SVR4) id AA19450; Thu, 15 Dec 1994 10:45:51 +0800
Date: Thu, 15 Dec 1994 10:45:51 +0800
Message-Id: <9412151845.AA19450@enterprise.dts.harris.com>
X-Sender: kennyz@dts.harris.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: kzeleny@DTS.Harris.COM (Ken Zeleny)
Subject: Janus Firewall
X-Mailer:
Content-Length: 163
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am seriously considering purchasing the JANUS firewall product. Has anyone had any experience using this product? Any info would be very helpful.

Thanks
Ken

From firewalls-owner Thu Dec 15 12:28:55 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA20449 for firewalls-outgoing; Thu, 15 Dec 1994 12:06:41 -0800
Received: from overdrive.ccrl.nj.nec.com (overdrive3.ccrl.nj.nec.com [138.15.104.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA20443 for ; Thu, 15 Dec 1994 12:06:37 -0800
Received: by overdrive.ccrl.nj.nec.com (4.1/YDL1.9-920708.13) id AA06739(overdrive.ccrl.nj.nec.com); Thu, 15 Dec 94 15:04:39 EST
From: ems@ccrl.nj.nec.com (Ed Strong)
Received: by deimos (4.1/CNC-Client) id AA09013; Thu, 15 Dec 94 15:04:39 EST
Date: Thu, 15 Dec 94 15:04:39 EST
Message-Id: <9412152004.AA09013@deimos>
To: firewalls@GreatCircle.COM
Subject: ease-of-use
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm looking for a list of firewalls (any flavor) that are transparent, yet do not require program replacement on the client. I already know of two such, FW-1 from Checkpoint and JANUS from Border Network Technologies. Does anyone know of any others?

I theorize that if we assume that everyone's firewall works as advertised, that the main differences will be cost and ease-of-use. (It could be argued that ease-of-use is just another cost factor.) So, many firewalls will have GUIs. But the major headache, which some avoid, is replacing (and re-replacing) client programs.

Thanks
Ed Strong

From firewalls-owner Thu Dec 15 12:40:42 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA20409 for firewalls-outgoing; Thu, 15 Dec 1994 12:05:32 -0800
Received: from hawk.csd.harris.com (hawk.hcsc.com [204.5.22.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA20403 for ; Thu, 15 Dec 1994 12:05:28 -0800
Received: from london.csd.harris.com by hawk.csd.harris.com (5.61/harris-5.1) id AA12510; Thu, 15 Dec 94 15:03:54 -0500
Received: by london.csd.harris.com (5.61/HARRIS-4.0) id AA03354; Thu, 15 Dec 94 20:02:19 GMT
From: jon@london.csd.harris.com (Jon Shallow)
Message-Id: <9412152002.AA03354@london.csd.harris.com>
Subject: Re: ix.netcom.com
To: firewalls-owner@GreatCircle.COM (Michael Richardson)
Date: Thu, 15 Dec 94 10:15:20 GMT
In-Reply-To: <199412141925.OAA05049@jupiter.milkyway.com>; from "Michael Richardson" at Dec 14, 94 2:24 pm
X-Mailer: ELM [version 2.2 PL10]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We have seen them do this after one of our users sent them some mail almost as if they were trying some form of authentication. The host is also moving in IP address terms - 192.148.172.2 & 192.148.172.3.

Regards

>
> I complained this morning to the person who posted that ad,
> (support@netcom.com tells me their account has been disabled...)
> and was looking at my firewall and noticed this:
>
> Dec 14 08:53:03 internet proxy-tcp[6702]: deny host=ix.ix.netcom.com/199.182.120.2 service= port=2
>
> Port #2? Huh? Was there ever anything on port #2? I always have been
> curious about ports 2-6, 8, 10, 14-18. Were they ever used?
> I haven't seen implementations of tcpmux either actually...
>
> Maybe they missed the '5' and were thinking about mail bombing us :-)
>
> :!mcr!: | Milkyway Networks Corporation
> Michael Richardson | Makers of the Black Hole firewall
> NCF: aa714 || xx714 | +1 613 596-5549 ... mcr@milkyway.com
> Home: mcr@sandelman.ocunix.on.ca. PGP key available.
>

--
Jon Shallow, Harris Computer Systems Corporation
Jon.Shallow@mail.hcsc.com
Tel +44 (0) 1276 686886
Fax +44 (0) 1276 678733

From firewalls-owner Thu Dec 15 13:09:50 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA21054 for firewalls-outgoing; Thu, 15 Dec 1994 12:29:08 -0800
Received: from rohrer.rohrer.com (sol.rohrer.com [198.51.253.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA21043 for ; Thu, 15 Dec 1994 12:29:01 -0800
Received: by rohrer.rohrer.com (5.65/DEC-Ultrix/4.3) id AA05445; Thu, 15 Dec 1994 15:26:26 -0500
Date: Thu, 15 Dec 1994 15:26:25 -0500 (EST)
From: Joe Matuscak
To: Alan Hannan
Cc: firewalls@greatcircle.com
Subject: Re: SEAL
In-Reply-To: <9412151842.AA00850@jayhawk.>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 15 Dec 1994, Alan Hannan wrote:

> products, but I don't, because I believe that while this forum may be
> appropriate to ask for emails of people who have experience with SEAL, it is
> _not_ appropriate for stories, specs, and anecdotes.
> Am I wrong?

Personally, I *am* interested in hearing what experiences people are having with specific commercial products. I want to decide on how I might best protect my organization, and a part of that is deciding on build vs buy.

My $.02

Joe Matuscak
Rohrer Corporation
717 Seville Road
Wadsworth, Ohio 44281
(216)335-1541
Matuscak@Rohrer.com

From firewalls-owner Thu Dec 15 13:11:14 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA19863 for firewalls-outgoing; Thu, 15 Dec 1994 11:46:39 -0800
Received: from suntan.Tandem.com (suntan.tandem.com [192.216.221.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA19858 for ; Thu, 15 Dec 1994 11:46:36 -0800
From: pat@loc201.tandem.com
Received: from adm.loc201.tandem.com (admin_01.loc201.tandem.com) by suntan.Tandem.com (4.1/suntan5.940222) for firewalls@greatcircle.com id AA07873; Thu, 15 Dec 94 11:44:47 PST
Received: from vern.loc201.tandem.com.loc201.tandem.com by adm.loc201.tandem.com (4.1/6main.940209) id AA18136; Thu, 15 Dec 94 11:44:47 PST
Received: by vern.loc201.tandem.com.loc201.tandem.com (4.1/6nospool.930120) id AA03395; Thu, 15 Dec 94 11:44:45 PST
Date: Thu, 15 Dec 94 11:44:45 PST
Message-Id: <9412151944.AA03395@vern.loc201.tandem.com.loc201.tandem.com>
To: firewalls@greatcircle.com, rjudson@primenet.com
Subject: Re: Firewall Software
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I'm looking for opinions on firewall software from various vendors such as
> JANUS from NetPartners, CyberGuard from Harris, or SEAL from DEC. Anyone
> have good stories, bad, opinions about these products or others that I don't
> know about?

JANUS is from BNTi (Border Network Technologies Inc). It is my understanding NetPartners is a VAR of the JANUS firewall (ie: installs the software from BNTi on a box for you.)

http://www.border.com
http://www.netpart.com

-pat
--
Patrick M Mulrooney +1 408 285 3193 pat@Tandem.com
Tandem Computers - Network Administrator, Email Postmaster and Usenet Admin

From firewalls-owner Thu Dec 15 13:40:27 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA21740 for firewalls-outgoing; Thu, 15 Dec 1994 13:13:09 -0800
Received: from noc1.mid.net (noc1.mid.net [198.247.250.15]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA21735 for ; Thu, 15 Dec 1994 13:13:06 -0800
Received: from jayhawk. (jayhawk.mid.net [198.247.250.21]) by noc1.mid.net (8.6.9/8.6.9) with SMTP id PAA09734 for ; Thu, 15 Dec 1994 15:11:41 -0600
Received: by jayhawk. (5.0/SMI-SVR4) id AA01172; Thu, 15 Dec 1994 15:15:41 -0600
From: alan@mid.net (Alan Hannan)
Message-Id: <9412152115.AA01172@jayhawk.>
Subject: SEAL
To: firewalls@greatcircle.com
Date: Thu, 15 Dec 1994 15:15:40 -0600 (CST)
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 298
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Having been corrected, I apologize for my comment that the SEAL discussion is too extremely singular for this forum.

Thank you.

--
+ alan@mid.net Network Operations Center (402)/472-0242, Fax (402)/472-0240 +
+ + + + + + + + + + + + + + + + + + + + ++ + + + + + + + + + + + + + + + + + + + +

From firewalls-owner Thu Dec 15 14:39:40 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA22911 for firewalls-outgoing; Thu, 15 Dec 1994 14:20:44 -0800
Received: from Getty.edu (smtpgate.getty.edu [153.10.97.97]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA22898 for ; Thu, 15 Dec 1994 14:20:37 -0800
Received: from Getty-Message_Server by Getty.edu with Novell_GroupWise; Thu, 15 Dec 1994 14:20:09 -0800
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Thu, 15 Dec 1994 14:18:52 -0800
From: Wulf Losee
To: firewalls@greatcircle.com
Subject: SEAL of apology to Alan Hannan
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Alan Hannan writes:

> Could we please stop flooding with information and show and tell about
> Seal? I could list our firewall products, I could talk about commercial
> products, but I don't, because I believe that while this forum may be
> appropriate to ask for emails of people who have experience with SEAL, it
> is _not_ appropriate for stories, specs, and anecdotes.
> Am I wrong?
> If not, please take your SEAL (and other commercial-specific) discussions
> elsewhere.

Alan:

I was the person who posted the original SEAL query. I apologize if I caused you some frustration. However, I thought I had posted a legitimate question for this group to comment on (Brent will need to be the final judge of this). Looking at the responses, and the flood of questions about other firewall products, it looks like I tapped a nerve.

Since I am a Firewalls neophyte, I personally value the comments I received -- war stories and all. I need any and all information that allows me to evaluate a product, and for me *information* does not equal marketing hype. Information for me is the knowledge that the many experts on the Firewalls list (by the way, thank you all for taking the time to respond).

The next time I post a question like my SEAL question, I'll request that people send their replies to my personal email account. I suspect, though, that other people could use this information (about SEAL and other firewall products). Maybe we should put together a FAQ that contains reviews of firewall products (I will volunteer to do the legwork if someone will point me in the right direction...).

Thanks,
Wulf

***************************************
Wulf Losee
Network Analyst
J. Paul Getty Trust
email: wlosee@getty.edu
***************************************

From firewalls-owner Thu Dec 15 15:15:25 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA23163 for firewalls-outgoing; Thu, 15 Dec 1994 14:52:03 -0800
Received: from foxtrot.worldcom.com (foxtrot.worldcom.com [198.64.193.12]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA23158 for ; Thu, 15 Dec 1994 14:52:00 -0800
Received: from notes.worldcom.com (notes.worldcom.com [198.64.193.9]) by foxtrot.worldcom.com (8.6.9/8.6.9) with SMTP id QAA00483 for ; Thu, 15 Dec 1994 16:50:42 -0600
Received: by notes.worldcom.com (IBM OS/2 SENDMAIL VERSION 1.3.0.Z)/3.3) id AA3475; Thu, 15 Dec 94 16:50:40 -0800
Message-Id: <9412160050.AA3475@notes.worldcom.com>
Received: from worldcom with "Lotus Notes Mail Gateway for SMTP" id 062702932180F09B86256126007C4F15; Thu, 15 Dec 94 16:50:40
To: firewalls
From: Kenneth Smith
Date: 15 Dec 94 14:27:04 EDT
Subject: Re: SEAL
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'd have to agree. Isn't a large part of being a networking specialist just knowing what the hell's out there, and whether it's any good or not? And a "communal impression" can contribute to this knowledge.

To: alan @ mid.net (Alan Hannan) @ Internet
cc: firewalls @ GreatCircle.COM @ Internet (bcc: Kenneth Smith)
From: matuscak @ rohrer.com (Joe Matuscak) @ Internet @ WORLDCOM
Date: 12/15/94 03:26:25 PM CST
Subject: Re: SEAL

On Thu, 15 Dec 1994, Alan Hannan wrote:

> products, but I don't, because I believe that while this forum may be
> appropriate to ask for emails of people who have experience with SEAL, it is
> _not_ appropriate for stories, specs, and anecdotes.
> Am I wrong?

Personally, I *am* interested in hearing what experiences people are having with specific commercial products. I want to decide on how I might best protect my organization, and a part of that is deciding on build vs buy.

My $.02

Joe Matuscak
Rohrer Corporation
717 Seville Road
Wadsworth, Ohio 44281
(216)335-1541
Matuscak@Rohrer.com

From firewalls-owner Thu Dec 15 15:39:16 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA23385 for firewalls-outgoing; Thu, 15 Dec 1994 15:10:43 -0800
Received: from utmdacc (utmdacc.mda.uth.tmc.edu [129.106.60.32]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA23380 for ; Thu, 15 Dec 1994 15:10:40 -0800
From: jbradley@utmdacc.mda.uth.tmc.edu
Received: from [129.106.62.123] (mdasec.mda.uth.tmc.edu) by utmdacc (4.1/SMI-4.1) id AA28257; Thu, 15 Dec 94 17:03:59 CST
Message-Id: <9412152303.AA28257@utmdacc>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 15 Dec 1994 17:11:54 -0600
To: Firewalls@GreatCircle.COM
Subject: TribeLink Ethernet Remote
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sorry if this is inappropriate, but is anyone out there familiar with a gizmo called the TribeLink Ethernet Remote? It's a high speed remote access to AppleTalk, TCP/IP and IPX networks. One of our doctors wants to install it on our ethernet backbone and I've been asked to assess its security implications.

Sage advice or direction to other sources is most welcome.

Jim Bradley jbradley@utmdacc.uth.tmc.edu
Information Services Security Administrator tel: 713 794 5317
UT MD Anderson Cancer Center fax: 713 792 8321
1100 Holcombe Blvd.
Box 241
Houston, TX 77030

Eschew Obfuscation

The opinions and comments presented herein are mine alone and do not reflect any official position of anyone living or dead.

From firewalls-owner Thu Dec 15 16:09:55 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA23968 for firewalls-outgoing; Thu, 15 Dec 1994 16:06:02 -0800
Received: from uni.ins.com (uni.ins.com [199.0.193.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA23963 for ; Thu, 15 Dec 1994 16:05:58 -0800
Received: (from speck@localhost) by uni.ins.com (8.6.8.1/8.6.6) id QAA10129; Thu, 15 Dec 1994 16:04:36 -0800
Date: Thu, 15 Dec 1994 16:04:36 -0800 (PST)
From: "Philip C. Speck"
Subject: Re: TribeLink Ethernet Remote
To: jbradley@utmdacc.mda.uth.tmc.edu
cc: Firewalls@GreatCircle.COM
In-Reply-To: <9412152303.AA28257@utmdacc>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 15 Dec 1994 jbradley@utmdacc.mda.uth.tmc.edu wrote:

> Sorry if this is inappropriate, but is anyone out there familiar with a
> gizmo called the TribeLink Ethernet Remote?
>
> Sage advice or direction to other sources is most welcome.
>
> Jim Bradley jbradley@utmdacc.uth.tmc.edu
> Information Services Security Administrator tel: 713 794 5317
> UT MD Anderson Cancer Center fax: 713 792 8321
> 1100 Holcombe Blvd.
> Box 241
> Houston, TX 77030

Jim,

Haven't used one, but here's some info from the data sheet:

. Supports AppleTalk, TCP/IP, and IPX over PPP
. Supports CHAP & PAP
. "...allows eight simultaneous sessions (at speeds up to 57.6 Kbps) with no performance degradation."

Sounds like a "PPP server" (instead of a terminal server).

Address/phone is:

Tribe Computer Works
960 Atlantic Avenue
Suite 101
Alameda, CA 94501
510/814-3900
800/77-TRIBE

Regards,
Phil Speck

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Philip C. Speck speck@ins.com
Systems Engineer Main: (415) 254-0800
International Network Services Toll Free: (800) 377-3467
650 Castro Street, Suite 260 Direct: (415) 254-4224
Mountain View, CA 94041 FAX: (415) 254-4288
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Thu Dec 15 17:39:03 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA24587 for firewalls-outgoing; Thu, 15 Dec 1994 17:25:26 -0800
Received: from gw1.octel.com (gw1.octel.com [148.147.1.12]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id RAA24582 for ; Thu, 15 Dec 1994 17:25:23 -0800
Received: (uucp@localhost) by gw1.octel.com (8.6.9/8.6.4) id RAA17353 for ; Thu, 15 Dec 1994 17:23:29 -0800
Received: from unknown(148.147.200.7) by gw1 via smap (V1.3mjr) id sma017335; Thu Dec 15 17:22:09 1994
Received: from angie.octel by octela.octel.com (4.1/SMI-4.0) id AA04028; Thu, 15 Dec 94 17:22:08 PST
Received: by angie.octel (4.1/SMI-4.1) id AA10539; Thu, 15 Dec 94 17:22:07 PST
Date: Thu, 15 Dec 94 17:22:07 PST
From: hbo@octel.com (Howard B Owen)
Message-Id: <9412160122.AA10539@angie.octel>
To: firewalls@greatcircle.com
In-Reply-To: (uunet!barr.com!sdevore)
Subject: Re: Free copy Internet Security Monthly -Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

sdevore@barr.com (like many others) wrote:

>This probably did not have to go to the entire mailing list :-)

Probably not. 8(. Sorry for the wasted bandwidth.

--
Howard Owen, System Administrator internet: hbo@octel.com
Octel Communications Corporation I am not a pay TV service!
1001 Murphy Ranch Rd. Mail Stop C2-1N I've had the initials longer.
Milpitas CA 95035-7912 Tel. 408-324-6576
/////////////////////////////

From firewalls-owner Fri Dec 16 02:39:21 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA27293 for firewalls-outgoing; Fri, 16 Dec 1994 02:10:59 -0800
Received: from relay1.pipex.net (relay1.pipex.net [158.43.128.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id CAA27283 for ; Fri, 16 Dec 1994 02:10:52 -0800
Received: from smtpgty.saicuk.co.uk by relay1.pipex.net with SMTP (PP) id ; Fri, 16 Dec 1994 10:07:38 +0000
Received: by smtpgty.saicuk.co.uk with Microsoft Mail id <2EF1667D@smtpgty.saicuk.co.uk>; Fri, 16 Dec 94 10:05:49 GMT
From: "Johnson-Bryden, Ian"
To: "'Firewalls@GreatCircle.COM'"
Subject: RE: SEAL vs FWTK
Date: Thu, 15 Dec 94 18:22:00 GMT
Message-ID: <2EF1667D@smtpgty.saicuk.co.uk>
Encoding: 58 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It depends on how you describe a product and how you describe 'roll your own' custom engineering. Examples of *BOTH* can be worse than nothing at all. If an implementation is deficient it is worse because people believe it works - false sense of security..

From the experience of our engineers, large parts of a barrier system can be reliably productized. This improves effectiveness because the product modules can be refined and strengthened. This improvement increases with the volume of product shipped. It also greatly reduces cost for a given level of protection because effort will focus on enhancement and not on re-inventing the wheel with each installation. Beyond that, the barrier can be integrated with other risk reduction measures because the behaviour of the barrier is known. As the product family develops, it becomes easier to automate the risk management processes and the presentation/alarm of suspected/identified attacks to make the Security Officer more effective and make the protection system more transparent to the users.

Having said that, every customer has some unique requirements, assuming that a real security policy has been developed, and not all of these requirements can be catered for by configuration of replicated technology, requiring some custom engineering.

What complicates matters is that some vendors claim a PRODUCT when in fact they have some tools and may be able to re-use some code they wrote for someone else. The reality is that they are basically providing a consulting service. Other vendors may offer low cost barriers which provide very little protection.

The other issue is how effective a barrier is in a particular situation. There is little point in fitting a super thief proof lock to a paper door which is mounted in a wall which is full of holes.

Ian J-B

----------
From: firewalls-owner
To: firewalls
Subject: SEAL vs FWTK
Date: 15 December 1994 09:05

I'm trying to cut enough red tape here to install a firewall (Governments!). At a recent meeting with the Gartner group, my management was told by one consultant that roll-your-own firewalls are "just barely" better than nothing at all, that if you wanted security you had to buy a commercial product, running on a commercial operating system. After seeing the login holes on SCO and AIX, I'm not convinced that BSDI is evil or porous.

I'm very interested in hearing other opinions on commercial vs FWTK, and on whether FWTK is generally considered a roll-your-own or not.

Thanks in advance,
David Miller
----------------------------------------------------------------------------
It's *amazing* what one can accomplish when one doesn't know what one can't do!
From firewalls-owner Fri Dec 16 03:39:04 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id DAA27693 for firewalls-outgoing; Fri, 16 Dec 1994 03:17:22 -0800 Received: from pegase.total.fr (pegase.total.fr [146.249.41.223]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id DAA27688 for ; Fri, 16 Dec 1994 03:17:05 -0800 Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA09660; Fri, 16 Dec 94 12:12:30 +0100 Received: by tidtest.total.fr (4.1/SMI-4.1) id AA05095; Thu, 15 Dec 94 10:26:31 GMT From: lavondes@tidtest.total.fr (Michel Lavondes) Message-Id: <9412151026.AA05095@tidtest.total.fr> Subject: Re: chroot, UDP, and time stamps To: pcc@SSDS.com (Phil Cox) Date: Thu, 15 Dec 94 10:26:29 GMT Cc: firewalls@greatcircle.com Reply-To: lavondes@tidtest.total.fr In-Reply-To: ; from "Phil Cox" at Dec 14, 94 11:10 am X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Phil Cox wrote : > > I am running the FWTK and using the UDP version of the syslog calls > (#define USE_UDPSYSLOG). All seems to be working fine EXCEPT that the > logging from the chroot`d programs (ftp-gw and tn-gw) are entered > with time stamps 7 hrs later than actual local time. I am not sure > why it is using the wrong timezone, all non-chroot progs log correct > time. Is there something I need to stick in the chrooted environment? > Have a look at man pages for tzset and/or tzfile. They should tell you where your timezone files live (on SunOS 4.1.1, it's under /usr/share/lib/zoneinfo.) 
HTH -- Michel Lavondes E-Mail : lavondes@tidtest.total.fr lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected) Tel : +33-1-4135-4198 Fax : +33-1-4135-4189 From firewalls-owner Fri Dec 16 05:09:04 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA28193 for firewalls-outgoing; Fri, 16 Dec 1994 05:00:46 -0800 Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id FAA28188 for ; Fri, 16 Dec 1994 05:00:43 -0800 Received: from ds9.lis.cch.com by relay4.UU.NET with SMTP id QQxunj13283; Fri, 16 Dec 1994 07:58:05 -0500 Received: by ds9.lis.cch.com id AA19074; Fri, 16 Dec 94 07:55:34 EST Received: from mailhub.lis.cch.com(165.181.144.1) by ds9.lis.cch.com via smap (V1.3) id sma019072; Fri Dec 16 07:55:08 1994 Received: by deathstar.lis.cch.com (AIX 3.2/UCB 5.64/4.03) id AA76725; Fri, 16 Dec 1994 07:56:40 -0500 From: doc@deathstar.lis.cch.com (Matthew J. D'Errico) Message-Id: <9412161256.AA76725@deathstar.lis.cch.com> Subject: Re: SEAL vs FWTK To: IJB@saicuk.co.uk (Johnson-Bryden, Ian) Date: Fri, 16 Dec 1994 07:56:40 -0500 (EST) Cc: Firewalls@GreatCircle.COM In-Reply-To: <2EF1667D@smtpgty.saicuk.co.uk> from "Johnson-Bryden, Ian" at Dec 15, 94 06:22:00 pm X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1008 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Johnson-Bryden, Ian wrote... > > It depends on how you describe a product and how you describe 'roll your > own' custom engineering. Examples of *BOTH* can be worse than nothing at > all. If an implementation is defficient it is worse because people believe > it works - false sense of security.. Good point. Which is why it pays to contract the services of a company like TIS or another Firewall specialist company or contractor. 
These companies/individuals are up to speed on all the infiltration techniques, and will test the heck out of the installation once complete. While I can only speak for experience with TIS, I have to expect that the other vendors would do something similar. Evidence that in our site, the firewall was installed at 2 of 3 points of presence into the Internet. After running the test suite, the 2 FWTK sites passed, and the home-spun 3rd (socks, etc.) failed on one of the first tests. You can bet that the FWTK has been since installed on the 3rd as well... -- Doc From firewalls-owner Fri Dec 16 05:39:22 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA28302 for firewalls-outgoing; Fri, 16 Dec 1994 05:21:31 -0800 Received: from hawk.csd.harris.com (hawk.hcsc.com [204.5.22.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA28296 for ; Fri, 16 Dec 1994 05:21:27 -0800 Received: from london.csd.harris.com by hawk.csd.harris.com (5.61/harris-5.1) id AA04503; Fri, 16 Dec 94 08:20:07 -0500 Received: by london.csd.harris.com (5.61/HARRIS-4.0) id AA07529; Fri, 16 Dec 94 13:18:48 GMT From: jon@london.csd.harris.com (Jon Shallow) Message-Id: <9412161318.AA07529@london.csd.harris.com> Subject: tcp TH_RST annoyances To: firewalls@greatcircle.com Date: Fri, 16 Dec 94 13:18:47 GMT X-Mailer: ELM [version 2.2 PL10] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Take the following scenario . Host A (Firewall) sets up and is using tcp session to Host B somewhere on the Internet. . Hacker on Host C on the Internet sees this session and sends a tcp TH_RST to host A (with correct ports etc), faking he is coming from B. . A's session then resets itself and shuts down. The more general case is C says he is B on say port 23, and sprays all ports on A with TH_RST packets. Is there any way of preventing this sort of malicious denial of service attack ? 
Regards Jon -- Jon Shallow, Harris Computer Systems Corporation Jon.Shallow@mail.hcsc.com Tel +44 (0) 1276 686886 Fax +44 (0) 1276 678733 From firewalls-owner Fri Dec 16 06:39:20 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA28832 for firewalls-outgoing; Fri, 16 Dec 1994 06:35:22 -0800 Received: from pegase.total.fr (pegase.total.fr [146.249.41.223]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA28824 for ; Fri, 16 Dec 1994 06:34:52 -0800 Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA12258; Fri, 16 Dec 94 15:29:57 +0100 Received: by tidtest.total.fr (4.1/SMI-4.1) id AA05481; Fri, 16 Dec 94 15:26:18 GMT From: lavondes@tidtest.total.fr (Michel Lavondes) Message-Id: <9412161526.AA05481@tidtest.total.fr> Subject: Re: tcp TH_RST annoyances To: jon@london.csd.harris.com (Jon Shallow) Date: Fri, 16 Dec 94 15:26:16 GMT Cc: firewalls@greatcircle.com Reply-To: lavondes@tidtest.total.fr In-Reply-To: <9412161318.AA07529@london.csd.harris.com>; from "Jon Shallow" at Dec 16, 94 1:18 pm X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Jon Shallow wrote : > > . Host A (Firewall) sets up and is using tcp session to Host B somewhere > on the Internet. > . Hacker on Host C on the Internet sees this session and sends a tcp > TH_RST to host A (with correct ports etc), faking he is coming from B. > . A's session then resets itself and shuts down. > > The more general case is C says he is B on say port 23, and sprays all > ports on A with TH_RST packets. > > Is there any way of preventing this sort of malicious denial of service > attack ? > A's net admin can't do much about that, but C's can, assuming B is not on their network and they try hard to be nice to the Internet. 
For instance, they could have their firewall discard packets coming from C since these were neither sent on an established TCP session nor sent as an answer to erroneous non-SYN packets from A, or since their apparent source address (B's) should not appear on a packet coming from inside their network. Did anyone hear of firewall set-ups that can protect the outside from the inside ? The mechanisms I think of feel pretty much like some that were discussed on firewalls, only turned inside out. Do we need other barriers for this use of firewalls ? -- Michel Lavondes E-Mail : lavondes@tidtest.total.fr lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected) Tel : +33-1-4135-4198 Fax : +33-1-4135-4189 From firewalls-owner Fri Dec 16 07:09:34 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA28898 for firewalls-outgoing; Fri, 16 Dec 1994 06:46:05 -0800 Received: from inet-gw-1.pa.dec.com (inet-gw-1.pa.dec.com [16.1.0.22]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA28887 for ; Fri, 16 Dec 1994 06:45:51 -0800 Received: from us1rmc.bb.dec.com by inet-gw-1.pa.dec.com (5.65/10Aug94) id AA09105; Fri, 16 Dec 94 06:39:19 -0800 Received: from tpsys.enet by us1rmc.bb.dec.com (5.65/rmc-22feb94) id AA05628; Fri, 16 Dec 94 09:39:31 -0500 Message-Id: <9412161439.AA05628@us1rmc.bb.dec.com> Received: from tpsys.enet; by us1rmc.enet; Fri, 16 Dec 94 09:39:31 EST Date: Fri, 16 Dec 94 09:39:31 EST From: 16-Dec-1994 0939 To: firewalls@greatcircle.com Cc: pozerycki@ooes.enet.dec.com Apparently-To: pozerycki@ooes.enet.dec.com, firewalls@greatcircle.com Subject: re: seal Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello all, My name is Bill Pozerycki or just poz and I'm the Service Manager for Digital's Firewall Service, formally and respectfully known as S.E.A.L. (Screening External Access Link). 
I do not want to use this forum to define Digital's Firewall Service, it's not the place and I do not wish to advertise. However, I would like to clear up any misconceptions about the service. Please note that I used the word service and not product - the Firewall Service is just that, a service. It consists of public domain, modified public domain, and Digital proprietary software. An experienced firewall consultant will arrive on site and configure the firewall per your security policy. The platforms it runs on today are ULTRIX and DEC OSF/1. This service does not include hardware. If you have the hardware and it meets the baseline requirements, great, we'll use that. If you wish to purchase the hardware, we can help you there as well. The firewall can be either a two or three system configuration dependent upon your present/future needs, desires and internal computing environment. For further information please see our home page: http://www.digital.com Now for my own 2 cents... There was mention of Kevin Mitnick and the verbiage used may lead people to believe that he gained access to our internal systems via the firewall, not true. Kevin's means of access was via social engineering, not the firewall. In fact it was the firewall that stopped his ftp attempt to remove source code. Because I'm the service manager I probably shouldn't say this, but it's truly how I feel, a firewall is NOT a panacea! It is however a very important piece of a good quality comprehensive security program. If I'm not mistaken, only 9% of computer breaks are via the Internet. What questions should that raise? Hopefully: How are we securing the other 91%? How complete & secure is our internal information, computer and physical security programs? I agree with Marcus Ranum in one of his replies: "Moral: security must be consistent around the entire perimeter." 
I just hope that people do not get so caught up with the limelight of the Internet and firewalls that they forget about the back and side doors, because the hackers surely will not! Best Regards, /poz From firewalls-owner Fri Dec 16 07:39:09 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA29318 for firewalls-outgoing; Fri, 16 Dec 1994 07:25:23 -0800 Received: from chenas.inria.fr (chenas.inria.fr [192.134.192.136]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA29312 for ; Fri, 16 Dec 1994 07:25:16 -0800 Received: from edf.edf.fr by chenas.inria.fr (5.65c8d/92.02.29) via Fnet-EUnet id AA13744; Fri, 16 Dec 1994 16:22:25 +0100 (MET) Received: from cli57aa.asr.ici (cli57aa.der.edf.fr) by edf.edf.fr with SMTP id AA04981 (5.65c8/IDA-1.4.4); Fri, 16 Dec 1994 16:20:22 +0100 Received: by cli57aa.asr.ici (5.0/SMI-SVR4) id AA06326; Fri, 16 Dec 1994 16:17:53 --100 Date: Fri, 16 Dec 1994 16:17:53 --100 From: Yves.Dherbecourt@der.edf.fr (Yves Dherbecourt - IMA/ICI/ASR - 47653790) Message-Id: <9412161517.AA06326@cli57aa.asr.ici> To: doc@deathstar.lis.cch.com Cc: Firewalls@greatcircle.com Subject: Re: SEAL vs FWTK Content-Length: 743 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From: doc@deathstar.lis.cch.com (Matthew J. D'Errico) >Subject: Audit firewall's strength (Was 'SEAL vs FWTK') >Date: Fri, 16 Dec 1994 07:56:40 -0500 (EST) > >Evidence that in our site, the firewall was installed at 2 of 3 points >of presence into the Internet. After running the test suite, the 2 FWTK >sites passed, and the home-spun 3rd (socks, etc.) failed on one of the > What is your test suite like ? Could you make it available ? Being able to audit firewall's strength as Cops does for host security is an important issue; I didn't see much about it in the list. Yes I know, it could also be used for malicious purposes. But this kind of debate has already been done. 
Yves Dherbecourt - Electricite de France / Etudes et Recherches From firewalls-owner Fri Dec 16 09:39:17 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA00368 for firewalls-outgoing; Fri, 16 Dec 1994 09:32:40 -0800 Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA00362 for ; Fri, 16 Dec 1994 09:32:37 -0800 Received: from ds9.lis.cch.com by relay2.UU.NET with SMTP id QQxuoc02853; Fri, 16 Dec 1994 12:31:13 -0500 Received: by ds9.lis.cch.com id AA19615; Fri, 16 Dec 94 12:28:43 EST Received: from mailhub.lis.cch.com(165.181.144.1) by ds9.lis.cch.com via smap (V1.3) id sma019613; Fri Dec 16 12:28:30 1994 Received: by deathstar.lis.cch.com (AIX 3.2/UCB 5.64/4.03) id AA33632; Fri, 16 Dec 1994 12:30:03 -0500 From: doc@deathstar.lis.cch.com (Matthew J. D'Errico) Message-Id: <9412161730.AA33632@deathstar.lis.cch.com> Subject: Re: SEAL vs FWTK To: Yves.Dherbecourt@der.edf.fr (Yves Dherbecourt - IMA/ICI/ASR - 47653790) Date: Fri, 16 Dec 1994 12:30:03 -0500 (EST) Cc: Firewalls@greatcircle.com In-Reply-To: <9412161517.AA06326@cli57aa.asr.ici> from "Yves Dherbecourt - IMA/ICI/ASR - 47653790" at Dec 16, 94 04:17:53 pm X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 3808 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Yves Dherbecourt - IMA/ICI/ASR - 47653790 wrote... > > >From: doc@deathstar.lis.cch.com (Matthew J. D'Errico) > >Subject: Audit firewall's strength (Was 'SEAL vs FWTK') > >Date: Fri, 16 Dec 1994 07:56:40 -0500 (EST) > > > >Evidence that in our site, the firewall was installed at 2 of 3 points > >of presence into the Internet. After running the test suite, the 2 FWTK > >sites passed, and the home-spun 3rd (socks, etc.) failed on one of the > > > What is your test suite like ? Could you make it available ? 
TIS provided their own suite, but I've since built my own set of tools based on the tools publicly available... You really need to decide which tests to run based on what services you offer or possibly more importantly which services you *don't* offer... Here's a clip from my archives that I used to amass my kit (apologies to any original authors of the encompassed text for reproducing without retaining the original credit) : : Even though the strongest gateways contemplate a successful invasion : of their bastion host, life is simpler if that never occurs. There : are a number of auditing packages that can help spot configuration errors. : The auditing function is exceedingly important even if you choose not : to evaluate your own machines. You may rest assured that various : ne'er-do-wells on the Internet will do it for you, with : possibly-unpleasant results. : : The TAMU system is a collection of very useful tools. Some can be : used to build your own firewall, others can detect attack signatures. : The Tiger scripts can be used to assess the security of your own machines. : : net.tamu.edu /pub/security/TAMU : : COPS is another popular auditing package along the lines of the Tiger scripts. : : ftp.cert.org /pub/tools/cops : : Gene Spafford and Gene Spafford have produced a package named : Tripwire that evaluates a system and checks for altered files and the like. : : ftp.cw.purdue.edu /pub/spaf/COAST/Tripwire : : The ISS package is a network vulnerability auditing package, along the lines : of TAMU and our network sweep programs. It can be used to probe entire : networks for vulnerabilities. Again, even if you choose not to run this : package, others with less-than-pure hearts will. Closing the holes it checks : for is vitally important. : : ISS has been recently published for the first time. It covers a number : of fairly old holes. We expect that the public will add modules to this : package, until it becomes a very thorough test. 
If we are right, we : encourage you to keep up with these tools and run them. The Bad Guys will. : : ftp.uu.net /usenet/comp.sources.misc/volume39/iss : aql.gatech.edu /pub/security/iss : : Crack is a well-known and widely-distributed password cracking program : by Alec Moffat. The best way to beat password crackers is to get out of : the game. Authentication devices are the best defense. : Shadow password files help, but are no defense against the eavesdropper. : If you are stuck with passwords, the best defense against bad passwords : is a smart passwd program like passwd+. The cracklib library : provides routines to check the safety of a proposed password. : If none of these are used, crack your own password files and weed : out the weak ones. : : ftp.cert.org /pub/tools/crack : ftp.cert.org /pub/tools/cracklib > Being able to audit firewall's strength as Cops does for host security > is an important issue; I didn't see much about it in the list. Note that COPS is included above... > Yes I know, it could also be used for malicious purposes. But this kind > of debate has already been done. Indeed it has, but therein lies the strength, n'est ce pas ? If people run these tests and secure against the techniques, then they can't be used maliciously ! Regards -- -- Doc From firewalls-owner Fri Dec 16 10:39:07 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA00898 for firewalls-outgoing; Fri, 16 Dec 1994 10:21:14 -0800 Received: from relay.tis.com (firewall_user@relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA00893 for ; Fri, 16 Dec 1994 10:21:12 -0800 Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma010873; Fri Dec 16 13:20:03 1994 Received: from otter.tis.com. 
by tis.com (4.1/SUN-5.64) id AA17247; Fri, 16 Dec 94 13:17:33 EST From: Marcus J Ranum Message-Id: <9412161817.AA17247@tis.com> Subject: Re: tcp TH_RST annoyances To: jon@london.csd.harris.com (Jon Shallow) Date: Fri, 16 Dec 1994 13:22:52 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: <9412161318.AA07529@london.csd.harris.com> from "Jon Shallow" at Dec 16, 94 01:18:47 pm Organization: Trusted Information Systems, Inc. Glenwood, MD Phone: 301-854-6889 Content-Type: text Content-Length: 1357 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Jon Shallow writes: > . Host A (Firewall) sets up and is using tcp session to Host B somewhere > on the Internet. > . Hacker on Host C on the Internet sees this session and sends a tcp > TH_RST to host A (with correct ports etc), faking he is coming from B. > . A's session then resets itself and shuts down. > > The more general case is C says he is B on say port 23, and sprays all > ports on A with TH_RST packets. > > Is there any way of preventing this sort of malicious denial of service > attack ? If you're on the Internet, you're vulnerable to denial of service attacks. Period. Denial of service can always be accomplished by means of a flooding attack of legitimate traffic (ex: mail, telnet) It's also difficult to guard upstream sites; someone desiring to blow you off could icmp bomb a router upstream of you, or DNS cache bomb you someplace else up the tree. One of the joys of distributed computing is that it makes your infrastructure much more vulnerable. The good news is that about all they can do is deny you service, generally. mjr. [PS - real world denial of service structure hits are also a threat most of us ignore and live with. I'm hesitant to even discuss them, but, for example, consider what would happen if someone submitted a postal change of address on behalf of someone else. Those are totally unauthenticated.] 
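Editor's added example for the "tcp TH_RST annoyances" thread above (Jon Shallow's scenario and Michel Lavondes' reply). It is not code from any message on this page or from any firewall product; it turns the outbound filter Michel sketches for site C into a small packet-decision routine so the two rules can be seen acting on the attack. Addresses, ports and packets are constructed (RFC 5737 documentation prefixes); the session table is the assumption that C's border box is stateful enough to remember the SYNs it let out and the stray segments it let in.

```python
"""Egress filter for site C: anti-spoofing plus "only send a RST for a
session we know about".  Example code, not the FWTK, InterLock or any
product; all hosts and prefixes are constructed."""

import ipaddress
from collections import namedtuple

# Minimal view of a packet as seen at C's border: flags is a set of str.
Packet = namedtuple("Packet", "src dst sport dport flags")
SYN, ACK, RST = "SYN", "ACK", "RST"


class EgressFilter:
    """Rules, in order, for a packet leaving the site:
      1. its source address must belong to one of the site's prefixes
         (anti-spoofing: this alone stops "C pretends to be B");
      2. a RST is allowed only on a session the site itself opened (we saw
         the outbound SYN) or as the answer to a stray non-SYN segment that
         arrived from outside (the legitimate "no such connection" RST);
      3. everything else passes."""

    def __init__(self, inside_prefixes):
        self.inside = [ipaddress.ip_network(p) for p in inside_prefixes]
        self.sessions = set()       # (src, sport, dst, dport) opened from inside
        self.stray_inbound = set()  # same orientation, for unsolicited arrivals

    def is_inside(self, addr):
        a = ipaddress.ip_address(addr)
        return any(a in net for net in self.inside)

    def saw_inbound(self, pkt):
        """Record an inbound segment so a later outbound RST can be judged."""
        if self.is_inside(pkt.src):
            return
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if SYN not in pkt.flags and key not in self.sessions:
            self.stray_inbound.add(key)

    def outbound(self, pkt):
        """Return (verdict, reason) for a packet leaving the site."""
        if not self.is_inside(pkt.src):
            return ("DROP", "source %s is not one of our prefixes (spoofed)" % pkt.src)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if SYN in pkt.flags and ACK not in pkt.flags:
            self.sessions.add(key)
            return ("ACCEPT", "new outbound connection")
        if RST in pkt.flags:
            if key in self.sessions:
                return ("ACCEPT", "RST on a session we opened")
            if key in self.stray_inbound:
                self.stray_inbound.discard(key)
                return ("ACCEPT", "RST answering a stray inbound segment")
            return ("DROP", "RST for a session we never saw")
        return ("ACCEPT", "ordinary traffic")


def run_scenario():
    """Replay the thread's scenario; returns a dict of verdicts by label."""
    fw = EgressFilter(["192.0.2.0/24"])                              # constructed: C's site
    a_host, b_host, c_host = "198.51.100.10", "203.0.113.5", "192.0.2.77"  # constructed A, B, C
    verdicts = {}
    # C legitimately telnets to A and later resets that session.
    verdicts["c_syn"] = fw.outbound(Packet(c_host, a_host, 40000, 23, {SYN}))[0]
    verdicts["c_rst_own"] = fw.outbound(Packet(c_host, a_host, 40000, 23, {RST, ACK}))[0]
    # A stray ACK from A hits a closed port on C; C's RST answer is legitimate.
    fw.saw_inbound(Packet(a_host, c_host, 5555, 1023, {ACK}))
    verdicts["c_rst_stray"] = fw.outbound(Packet(c_host, a_host, 1023, 5555, {RST}))[0]
    # The attack: C forges B's address and sprays RSTs at A.
    verdicts["forged_rst"] = fw.outbound(Packet(b_host, a_host, 23, 1025, {RST}))[0]
    # A RST from C's own address for a session nobody opened is dropped too.
    verdicts["c_rst_unknown"] = fw.outbound(Packet(c_host, a_host, 41000, 23, {RST}))[0]
    return verdicts


if __name__ == "__main__":
    for label, verdict in run_scenario().items():
        print("%-14s %s" % (label, verdict))
```

Rule 1 is the one that matters for the thread and needs no state at all; rule 2 only adds value once the site's own hosts are the ones being abused. Neither helps A, as Michel says: A can only hope the site the forged packets leave from runs something like this.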
From firewalls-owner Fri Dec 16 10:52:58 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA00788 for firewalls-outgoing; Fri, 16 Dec 1994 10:10:04 -0800 Received: from news.primenet.com (root@news.primenet.com [198.68.32.30]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA00783 for ; Fri, 16 Dec 1994 10:10:00 -0800 Received: from slip144.tus.primenet.com (slip144.tus.primenet.com [198.68.42.144]) by news.primenet.com (8.6.9/8.6.9) with SMTP id LAA17345 for ; Fri, 16 Dec 1994 11:08:39 -0700 Message-Id: <199412161808.LAA17345@news.primenet.com> X-Sender: rjudson@mailhost.primenet.com X-Mailer: Windows Eudora Version 1.4.3 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 16 Dec 1994 11:11:22 +0700 To: firewalls@greatcircle.com From: rjudson@PrimeNet.Com (Richard Judson) Subject: Firewall Software Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I hope that I've not upset anyone for asking about info on various firewall products? I was, and am, merely seeking knowledge on products that are available on the market, which ones work as advertised, which ones don't, why people feel that a DNS/SMTP/FTP/Proxy Server like JANUS is better or worse than a transparent one like Gauntlet, or why SEAL is so expensive or are you paying for the DEC name etc. As a neophyte, I need all the info I can gather. I'm especially interested in war stories from those of you who've been in the trenches and had to foil the wily hacker! 
:) Richard ---------------------------------------------------- Richard Judson (RJ58) Mail: RJUDSON@PRIMENET.COM LAN Systems Manager Phone: (602) 882-1502 Tucson Unified Schools FAX: (602) 798-8626 Building Information Systems for our Children's Future ---------------------------------------------------- From firewalls-owner Fri Dec 16 11:39:08 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA01758 for firewalls-outgoing; Fri, 16 Dec 1994 11:35:25 -0800 Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA01753; Fri, 16 Dec 1994 11:35:21 -0800 X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 16 Dec 1994 11:34:22 -0800 To: alan@mid.net (Alan Hannan), firewalls@greatcircle.com From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: SEAL Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 10:42 12/15/94, Alan Hannan wrote: > Could we please stop flooding with information and show and tell about >Seal? I could list our firewall products, I could talk about commercial >products, but I don't, because I believe that while this forum may be >appropriate to ask for emails of people who have experience with SEAL, it is >_not_ appropriate for stories, specs, and anecdotes. > Am I wrong? > If not, please take your SEAL (and other commercial-specific) discussions >elsewhere. I would not call what I've seen of this discussion (so far) inappropriate. I think we're getting good, relevant information with (so far) little hype. 
-Brent -- Brent Chapman | Great Circle Associates | Call or email for info about Brent@GreatCircle.COM | 1057 West Dana Street | upcoming Internet Security +1 415 962 0841 | Mountain View, CA 94041 | Firewalls Tutorial dates From firewalls-owner Fri Dec 16 11:51:59 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA01751 for firewalls-outgoing; Fri, 16 Dec 1994 11:35:04 -0800 Received: from clavin.uprc.com (clavin.uprc.com [144.94.68.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA01746 for ; Fri, 16 Dec 1994 11:35:00 -0800 Received: from cygnus.uprc.com by clavin.uprc.com (4.1/3.2.012693-Union Pacific Resources Company); id AA05199 for firewalls@greatcircle.com; Fri, 16 Dec 94 13:34:25 CST Received: by cygnus.uprc.com (5.0/SMI-SVR4) id AA08852; Fri, 16 Dec 1994 13:34:05 +0600 Date: Fri, 16 Dec 1994 13:34:05 +0600 From: z056716@uprc.com (LaCoursiere J. D. (Jeff)) Message-Id: <9412161934.AA08852@cygnus.uprc.com> To: jon@london.csd.harris.com, mjr@tis.com Subject: Re: tcp TH_RST annoyances Cc: firewalls@greatcircle.com X-Sun-Charset: US-ASCII Content-Length: 1074 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > If you're on the Internet, you're vulnerable to denial of > service attacks. Period. Denial of service can always be accomplished > by means of a flooding attack of legitimate traffic (ex: mail, telnet) > It's also difficult to guard upstream sites; someone desiring to blow > you off could icmp bomb a router upstream of you, or DNS cache bomb > you someplace else up the tree. One of the joys of distributed computing > is that it makes your infrastructure much more vulnerable. The good > news is that about all they can do is deny you service, generally. > Although the effects of this could be disastrous when AOL starts charging per packet for routing traffic :-> [ AOL pres: we're getting a little low on income this month - go start a broadcast storm on a few connected nets...] 
______/ Jeff LaCoursiere FastLane Communications / Network security/services mail info@fastlane.net ___/ lacoursj@uprc.com / __/ ASTLANE Communications! Connecting America to the Internet... From firewalls-owner Fri Dec 16 12:06:54 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA01688 for firewalls-outgoing; Fri, 16 Dec 1994 11:26:53 -0800 Received: from interlock.reston.ans.net (interlock.reston.ans.net [192.77.167.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA01682 for ; Fri, 16 Dec 1994 11:26:42 -0800 Received: by interlock.reston.ans.net id AA02859 (InterLock SMTP Gateway 1.1 for firewalls@greatcircle.com); Fri, 16 Dec 1994 14:24:51 -0500 Received: by interlock.reston.ans.net (Internal Mail Agent-1); Fri, 16 Dec 1994 14:24:51 -0500 Date: Fri, 16 Dec 1994 14:24:50 +0500 From: sangster@reston.ans.net (Paul Sangster) Message-Id: <9412161924.AA14566@peabody> To: firewalls@greatcircle.com Subject: Re: tn3270 over firewalls X-Sun-Charset: US-ASCII Content-Length: 4200 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Andreas, >>From: greulich@math-stat.unibe.ch (Andreas Greulich) >>Date: Wed, 14 Dec 1994 17:48:19 +0100 (MET) >> >>Actually I thought if the firewall runs a circuit-level proxy and just >>copies bytes like a wire, then why should it care what the protocol >>between the end nodes is..? I could see a problem with the additional >>authentication step started by the firewall, but was told this >>just has to run in line mode. But somebody told me that the firewall >>actually runs a telnet-like demon as a proxy and doesn't just copy >>bytes between it's two entries... if that's true, why is that so? >>I know that at least two of the major firewall vendors are working at >>the 3270-problem, so maybe somebody can explain the problem to me *smile* >> I have to agree with what Yves mentions below. 
I don't know if you included the InterLock in your two firewall vendors because we have supported 3270 from ASCII for over a year and just added 3270 from EBCDIC. The difference (as mentioned by Yves) is that some clients don't comply with the RFCs and assume 3270 mode terminal type from the get go. This means they start out talking EBCDIC in line mode and expect a 3270 data stream in return. This is the variation we recently added to our telnetd. The other variation follows the RFCs and starts with a standard NVT telnet session and tries to negotiate line mode, binary, and terminal type before using EBCDIC. These clients are easier to support since they follow the telnet option paradigm and should allow authentication and redirection while in NVT. >From: Yves.Dherbecourt@der.edf.fr (Yves Dherbecourt - IMA/ICI/ASR - 47653790) >Yes, a telnet proxy has to behave as a telnet daemon with the real telnet >client, at least at the beginning of the connection, to manage authentication >and destination host info. In particular, they must be able to agree on >a particular terminal type to initiate the dialog, and that's where it can be a >problem with 3270 : > >if you get a 3270 client (IBM's X3270 for example) that only knows about >IBM-EBCDIC-like terminals, and a telnet daemon that only knows ASCII-type >terminals, they will never understand each other. > >I see 2 solutions : >1- let your 3270 telnet client know about ASCII: that is already the case of the >public domain tn3270 and X3270 products. They are also able to re-negotiate the >terminal type with the real IBM mainframe, once the firewall is in the >'transparent' mode. I hope I'm clear enough. It means that you CAN use these >3270 clients to reach IBM mainframes through a firewall. > >2- let your firewall telnet proxy daemon know about EBCDIC : I suppose that's >what your firewall vendors are doing. Agreed. 
The choice is whether you have your firewall telnetd understand EBCDIC and talk 3270 Data Stream protocol or not. If you choose not to speak 3270, then you are limited to only being able to talk with 3270 clients which support ASCII and will function in NVT. If you would like to support both classes of clients, you'll need to be able to speak and parse a subset of 3270 Data Streams, and be flexible enough to negotiate several telnet options. This will allow the firewall to authenticate the user and prompt for remote destination. On a final note, there are some other issues that need to be addressed to handle 3270 correctly. You'll need to support retrieval of the password without echo during a 3270 Data Stream. Another issue is if your telnetd is going to negotiate options with the 3270 client (to allow it to go into 3270 mode), then you will need to be able to proxy this negotiation with the end 3270 host. This can get interesting if you're not careful. All this needs to be settled before you can go into "just copying bytes on the wire" mode. Paul ____________________________________________________________________________ Paul Sangster Advanced Network & Services Senior Software Engineer 1875 Campus Commons Dr. 
sangster@reston.ans.net Suite 220, Reston VA 22091 (703) 758-7706 ____________________________________________________________________________ From firewalls-owner Fri Dec 16 12:09:35 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA02037 for firewalls-outgoing; Fri, 16 Dec 1994 11:58:12 -0800 Received: from Gayle-Gaston.tenet.edu (jroller@Gayle-Gaston.tenet.edu [198.213.2.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA02032 for ; Fri, 16 Dec 1994 11:58:09 -0800 Received: (from jroller@localhost) by Gayle-Gaston.tenet.edu (8.6.9/8.6.9) id NAA10563; Fri, 16 Dec 1994 13:55:38 -0600 Date: Fri, 16 Dec 1994 13:55:37 -0600 (CST) From: Jeff Roller Subject: Re: Firewall Software To: Richard Judson cc: firewalls@GreatCircle.COM In-Reply-To: <199412161808.LAA17345@news.primenet.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 16 Dec 1994, Richard Judson wrote: > are you paying for the DEC name etc. As a neophyte, I need all the info I > can gather. I'm especially interested in war stories from those of you > who've been in the trenches and had to foil the wily hacker! :) > > Richard Hello, My name is Jeff D. Roller and I work for the Amarillo I.S.D. We are in the process of being connected to the net. I will be in charge of maintaining our connection and mail services. I would also be interested in the information that Richard requests. I have read the FAQ and relevant info. Thanks in advance. _____ . . ' \\ . . |>> O// . . | \_\ . . | | | . . . . | / | . Jeff D. Roller . . . | / .| jroller@tenet.edu . 
...o | From firewalls-owner Fri Dec 16 14:10:13 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA03150 for firewalls-outgoing; Fri, 16 Dec 1994 13:43:11 -0800 Received: from pegase.total.fr (pegase.total.fr [146.249.41.223]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA03145 for ; Fri, 16 Dec 1994 13:42:56 -0800 Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA13585; Fri, 16 Dec 94 22:38:18 +0100 Received: by tidtest.total.fr (4.1/SMI-4.1) id AA06160; Fri, 16 Dec 94 22:34:39 GMT From: lavondes@tidtest.total.fr (Michel Lavondes) Message-Id: <9412162234.AA06160@tidtest.total.fr> Subject: Re: ISO 9000 Requirements & Firewalls To: duperret@crl.com (Resource Manager) Date: Fri, 16 Dec 94 22:34:37 GMT Cc: firewalls@greatcircle.com Reply-To: lavondes@tidtest.total.fr In-Reply-To: ; from "Resource Manager" at Dec 14, 94 4:50 am X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Resource Manager wrote : > > The company that I work for is currently going through the process that > will hopefully result in ISO 9001 certification for the company by 10/95. > > The current corporate plan is to be a full time "net.citizen" by 6/95. > Some time, I overheard the opinion that you can't be on the net and obtain or keep ISO 9000 certification. I don't have the faintest idea why that should be, but then I don't know much about ISO 9000 except that it means *lots* of paperwork before, during and after :-) Does anyone have an idea ? 
-- Michel Lavondes E-Mail : lavondes@tidtest.total.fr lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected) Tel : +33-1-4135-4198 Fax : +33-1-4135-4189 From firewalls-owner Fri Dec 16 14:39:08 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA03305 for firewalls-outgoing; Fri, 16 Dec 1994 14:12:07 -0800 Received: from jalisco.optimum.net (jalisco.optimum.net [198.81.218.66]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA03300 for ; Fri, 16 Dec 1994 14:12:00 -0800 Received: from zacatecas.optimum.com (mail.optimum.com) by jalisco.optimum.net (5.67a/94071801) id AA25603; Fri, 16 Dec 1994 17:10:09 -0500 Received: from optimum.com by zacatecas.optimum.com (5.67a/94071801) id AA03649; Fri, 16 Dec 1994 17:12:15 -0500 X-Sender: steven_pfister@mail.optimum.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 16 Dec 1994 17:10:09 -0500 To: firewalls@greatcircle.com From: spfister@optimum.com (Steven R. Pfister) Subject: Controlling access to firewalls Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We have a couple of Sun Sparc 5s that we are using as dual-homed firewalls for an Ethernet network of Macintoshes. What is the best way for us to divide our users into groups (at least two) and control their access to the proxy daemons running on the firewalls? We would like to have one group with unlimited access and another with access only to e-mail during the daytime. We were thinking of having a second class C network number in addition to the one in use right now, but aren't having any success. Is anyone in a similar situation? Any help will be greatly appreciated. Thanks! 
Steven Pfister / Optimum Group spfister@optimum.com From firewalls-owner Fri Dec 16 15:09:04 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA03746 for firewalls-outgoing; Fri, 16 Dec 1994 14:59:53 -0800 Received: from grolsch.cs.ubc.ca (grolsch-2.cs.ubc.ca [142.103.5.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA03738 for ; Fri, 16 Dec 1994 14:59:47 -0800 Received: from mprgate.mpr.ca (mprgate.mpr.ca [134.87.131.13]) by grolsch.cs.ubc.ca (8.6.9/8.6.9) with SMTP id OAA26341 for ; Fri, 16 Dec 1994 14:57:56 -0800 Received: from norton.mpr.ca by mprgate.mpr.ca with SMTP id AA23347 (5.67b+/IDA-1.5 for ); Fri, 16 Dec 1994 14:51:05 -0800 Received: by norton.mpr.ca (4.1/SMI-4.1) id AA21647; Fri, 16 Dec 94 14:51:00 PST Date: Fri, 16 Dec 94 14:51:00 PST From: parker@mprgate.mpr.ca (Ross Parker) Message-Id: <9412162251.AA21647@norton.mpr.ca> To: duperret@crl.com, lavondes@tidtest.total.fr Subject: Re: ISO 9000 Requirements & Firewalls Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Some time, I overheard the opinion that you can't be on the net and obtain > or keep ISO 9000 certification. I don't have the faintest idea why that > should be, but then I don't know much about ISO 9000 except that it means > *lots* of paperwork before, during and after :-) > > Does anyone have an idea ? Yeah - the above is bunk, I'm afraid! ISO 9000 has nothing to do with whether you're on the net or not... Ross -- Ross Parker | KotHFJ '88 FJ1200, '64 Matchless G80CS (500cc) MPR Teltech Ltd. | Who cares if Mikey doesn't like 'em! 
Burnaby, B.C., Canada | "Lisp has all the visual appeal of oatmeal parker@mprgate.mpr.ca | with fingernail clippings mixed in" -- Larry Wall From firewalls-owner Fri Dec 16 15:39:17 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA04005 for firewalls-outgoing; Fri, 16 Dec 1994 15:19:50 -0800 Received: from oucsace.cs.ohiou.edu (oucsace.cs.ohiou.edu [132.235.1.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA03998 for ; Fri, 16 Dec 1994 15:19:45 -0800 Received: from goffer.acs.ohio-state.edu (slip3-20.acs.ohio-state.edu [128.146.24.196]) by oucsace.cs.ohiou.edu (8.6.8/8.6.6) with SMTP id SAA29945; Fri, 16 Dec 1994 18:18:03 -0500 Received: by goffer.acs.ohio-state.edu (4.1/SMI-4.1) id AA01421; Fri, 16 Dec 94 18:14:48 EST Date: Fri, 16 Dec 94 18:14:48 EST From: cmcurtin@goffer (C Matthew Curtin) Message-Id: <9412162314.AA01421@goffer.acs.ohio-state.edu> To: duperret@crl.com, lavondes@tidtest.total.fr Subject: Re: ISO 9000 Requirements & Firewalls Cc: firewalls@greatcircle.com Reply-To: cmc@brandx.cs.ohiou.edu Sender: firewalls-owner@GreatCircle.COM Precedence: bulk lavondes@tidtest.total.fr writes: >Resource Manager wrote : >> >> The company that I work for is currently going through the process that >> will hopefully result in ISO 9001 certification for the company by 10/95. >> >> The current corporate plan is to be a full time "net.citizen" by 6/95. > >Some time, I overheard the opinion that you can't be on the net and obtain >or keep ISO 9000 certification. I don't have the faintest idea why that >should be, but then I don't know much about ISO 9000 except that it means >*lots* of paperwork before, during and after :-) > >Does anyone have an idea ? This isn't the case: AT&T Network Systems/Bell Labs Columbus is ISO 9000 certified, and is where AT&T's internal/internet gateway is located... 
-matt From firewalls-owner Fri Dec 16 15:58:52 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA04300 for firewalls-outgoing; Fri, 16 Dec 1994 15:37:43 -0800 Received: from troy.netmarket.com (root@troy.netmarket.com [199.79.247.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA04269 for ; Fri, 16 Dec 1994 15:37:37 -0800 Received: from thebes.netmarket.com (hal@thebes.netmarket.com [199.79.247.13]) by troy.netmarket.com with ESMTP id SAA03935; Fri, 16 Dec 1994 18:36:19 -0500 Received: (hal@localhost) by thebes.netmarket.com id SAA09222; Fri, 16 Dec 1994 18:36:19 -0500 Message-Id: <199412162336.SAA09222@thebes.netmarket.com> From: hal@netmarket.com (Hal Pomeranz) Date: Fri, 16 Dec 1994 18:36:18 -0500 In-Reply-To: lavondes@tidtest.total.fr (Michel Lavondes) "Re: ISO 9000 Requirements & Firewalls" (Dec 16, 10:34pm) X-Mailer: Mail User's Shell (7.2.5 10/14/92) To: lavondes@tidtest.total.fr, duperret@crl.com (Resource Manager) Subject: Re: ISO 9000 Requirements & Firewalls Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Some time, I overheard the opinion that you can't be on the net and obtain > or keep ISO 9000 certification. My wife works for Sybase, Inc. which was recently ISO9k certified. Sybase is certainly connected to the Internet, so it would appear that this information is incorrect. 
--Hal From firewalls-owner Fri Dec 16 16:39:04 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA05084 for firewalls-outgoing; Fri, 16 Dec 1994 16:34:07 -0800 Received: from netcom15.netcom.com (pascal@netcom15.netcom.com [192.100.81.128]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA05079 for ; Fri, 16 Dec 1994 16:34:04 -0800 Received: by netcom15.netcom.com (8.6.9/Netcom) id QAA14324; Fri, 16 Dec 1994 16:32:43 -0800 Date: Fri, 16 Dec 1994 16:32:43 -0800 From: pascal@netcom.com (Richard A Childers) Message-Id: <199412170032.QAA14324@netcom15.netcom.com> To: firewalls-digest@greatcircle.com Subject: Where can I rent a Network Sniffer ? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ( Pardon a query that is tangential to the main thrust of Firewalls Digest, but I trust that we all have occasional need to take a close look at our network and protocol loads, looking for security problems and hot spots. ) So, where can I buy or rent a Network General Sniffer, or equivalent piece of network analysis hardware ? A few years ago, 8088- and 80286-based PCs were barely fast enough to keep up with the network they were monitoring. 80386s came along and that was no longer a problem. These 386s were generally in laptops, increasingly with a color LCD monitor. Did the availability of these 386 laptops cause the market for third-party monitoring software to dry up ? Or, can one still buy software to run on a PC, in conjunction with an ethernet controller, to gather and display statistical information on the network's traffic ? I'm interested in both software and hardware. I'm located in the San Francisco Bay Area but am interested in any agency who does business in the Bay Area, no matter where they are located primarily. I'll be happy to post a summary of what I learn. -- richard Pontius Pilate was politically correct. So was Benedict Arnold. So was Peter Quisling ... and so was Adolph Hitler. 
|-: richard childers san francisco, california pascal@netcom.com From firewalls-owner Fri Dec 16 16:54:12 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA04960 for firewalls-outgoing; Fri, 16 Dec 1994 16:21:26 -0800 Received: from rambone.psi.net (rambone.psi.net [38.145.250.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA04955 for ; Fri, 16 Dec 1994 16:21:23 -0800 Received: by rambone.psi.net (4.1/SMI-4.1.3-PSI) id AA12502; Fri, 16 Dec 94 19:11:41 EST Received: from belegost.aule-tek (belegost.ARPA) by aule-tek.com (4.1/3.2.083191-Aule-Tek Inc.) id AA11508; Fri, 16 Dec 94 18:31:17 EST Received: by belegost.aule-tek (5.0/SMI-SVR4) id AA21054; Fri, 16 Dec 1994 18:29:53 +0500 Date: Fri, 16 Dec 1994 18:29:53 +0500 From: jonesmd@aule-tek.com (Mike Jones) Message-Id: <9412162329.AA21054@belegost.aule-tek> To: firewalls@greatcircle.com Subject: Re: ISO 9000 Requirements & Firewalls X-Sun-Charset: US-ASCII Content-Length: 1145 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Michel Lavondes writes > Resource Manager wrote : > > The company that I work for is currently going through the process that > > will hopefully result in ISO 9001 certification for the company by 10/95. > > The current corporate plan is to be a full time "net.citizen" by 6/95. > Some time, I overheard the opinion that you can't be on the net and obtain > or keep ISO 9000 certification. I don't have the faintest idea why that > should be, but then I don't know much about ISO 9000 except that it means > *lots* of paperwork before, during and after :-) > Does anyone have an idea ? I was the "process architect" for a software organization that became ISO 9001 registered, and we were on the net, so I can fairly conclusively say that it *is* possible. There's no particular reason why being connected to the net should have any major effect on a certification unless you rely on the net for production of your product. 
Beyond that, the reason most people think ISO9000 == paperwork is that they try to substitute paperwork for understanding. Mike Jones | jonesmd@aule-tek.com Drawing on my fine command of language, I said nothing. From firewalls-owner Fri Dec 16 17:39:08 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA05602 for firewalls-outgoing; Fri, 16 Dec 1994 17:16:02 -0800 Received: from suntan.Tandem.com (suntan.tandem.com [192.216.221.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA05592 for ; Fri, 16 Dec 1994 17:15:58 -0800 From: pat@loc201.tandem.com Received: from adm.loc201.tandem.com (admin_01.loc201.tandem.com) by suntan.Tandem.com (4.1/suntan5.940222) for firewalls-digest@greatcircle.com id AA16834; Fri, 16 Dec 94 17:13:28 PST Received: from vern.loc201.tandem.com.loc201.tandem.com by adm.loc201.tandem.com (4.1/6main.940209) id AA24475; Fri, 16 Dec 94 17:13:27 PST Received: by vern.loc201.tandem.com.loc201.tandem.com (4.1/6nospool.930120) id AA08416; Fri, 16 Dec 94 17:13:25 PST Date: Fri, 16 Dec 94 17:13:25 PST Message-Id: <9412170113.AA08416@vern.loc201.tandem.com.loc201.tandem.com> To: pascal@netcom.com Subject: Re: Where can I rent a Network Sniffer ? Cc: firewalls-digest@greatcircle.com Reply-To: pat@tandem.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Richard, > So, where can I buy or rent a Network General Sniffer, or equivalent piece > of network analysis hardware ? Direct from Network General. Call them with a credit card and they will be happy to rent you one. They also have a direct sales force for sales, as well as third party sales. 
-pat -- Patrick Mulrooney Tandem Computers From firewalls-owner Fri Dec 16 18:39:02 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA06093 for firewalls-outgoing; Fri, 16 Dec 1994 18:10:24 -0800 Received: from VNET.IBM.COM (vnet.ibm.com [199.171.26.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA06088 for ; Fri, 16 Dec 1994 18:10:21 -0800 Received: from BTV by VNET.IBM.COM (IBM VM SMTP V2R2) with BSMTP id 2672; Fri, 16 Dec 94 21:09:05 EST Received: by BTV (XAGENTA 3.0) id 7418; Fri, 16 Dec 1994 21:08:57 -0500 Received: from kdp.btv.ibm.com by btv.ibm.com (AIX 3.2/UCB 5.64/1.9) id ; Fri, 16 Dec 1994 21:09:02 -0500 Received: from localhost.chips.ibm.com by btv.ibm.com (AIX 3.2/UCB 5.64/fs4.03) id AA26998; Fri, 16 Dec 1994 21:09:00 -0500 Message-Id: <9412170209.AA26998@btv.ibm.com> To: firewalls@greatcircle.com X-Note-Format: RFC822 Subject: Re: SEAL In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 16 Dec 1994 21:09:00 -0500 From: "Ken Paquette" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 16 Dec 1994 11:34:22 PST Brent Chapman wrote: >At 10:42 12/15/94, Alan Hannan wrote: >> Could we please stop flooding with information and show and tell about ...... >> If not, please take your SEAL (and other commercial-specific) discussions >>elsewhere. > >I would not call what I've seen of this discussion (so far) inappropriate. >I think we're getting good, relevant information with (so far) little hype. > > >-Brent > >-- >Brent Chapman | Great Circle Associates | Call or email for info about >Brent@GreatCircle.COM | 1057 West Dana Street | upcoming Internet Security >+1 415 962 0841 | Mountain View, CA 94041 | Firewalls Tutorial dates > > > I too find it interesting. As a supporter of firewalls and such all the info I have makes it easier for me to do my job, even if it is about someone else's software. 
If this were real advertising, I am sure someone from IBM marketing would love to post all about their newly announced firewall products and services..... -- Ken Paquette; IBM Microelectronics Division; Distributed Computing Services VNET: KEN at BTV; IBM internet: ken@btv.ibm.com; Internet: ken@vnet.ibm.com; IBMMAIL: USIB1X62; X.400 c=us; a=ibmx400; p=ibmmail; s=paquette; g=paquetk From firewalls-owner Fri Dec 16 19:09:08 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA06240 for firewalls-outgoing; Fri, 16 Dec 1994 18:46:43 -0800 Received: from europe.std.com (root@europe.std.com [192.74.137.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA06235 for ; Fri, 16 Dec 1994 18:46:40 -0800 Received: from world.std.com by europe.std.com (8.6.8.1/Spike-8-1.0) id VAA16571; Fri, 16 Dec 1994 21:45:23 -0500 Received: by world.std.com (5.65c/Spike-2.0) id AA24063; Fri, 16 Dec 1994 21:45:34 -0500 Date: Fri, 16 Dec 1994 21:45:34 +0001 (EST) From: Jamie C Pole Subject: Re: Where can I rent a Network Sniffer ? To: Richard A Childers Cc: firewalls-digest@greatcircle.com In-Reply-To: <199412170032.QAA14324@netcom15.netcom.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > So, where can I buy or rent a Network General Sniffer, or equivalent piece > of network analysis hardware ? Try GE Rental/Lease. Their number is 1-800-GE-RENTS. They're pretty good for stuff like that... Prices aren't all that unreasonable, either. They've probably got the more advanced analyzers as well... J.C. 
Pole From firewalls-owner Fri Dec 16 23:40:17 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA07461 for firewalls-outgoing; Fri, 16 Dec 1994 23:12:38 -0800 Received: from bronze.lcs.mit.edu (bronze.lcs.mit.edu [18.30.0.254]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id XAA07456 for ; Fri, 16 Dec 1994 23:12:35 -0800 Received: by bronze.lcs.mit.edu (Sendmail 8.6.9/940527.SGW) id CAA19857; Sat, 17 Dec 1994 02:10:48 -0500 Date: Sat, 17 Dec 1994 02:10:48 -0500 From: hobbit@bronze.lcs.mit.edu (*Hobbit*) Message-Id: <199412170710.CAA19857@bronze.lcs.mit.edu> To: firewalls@greatcircle.com Subject: commercial vs roll-yer-own Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Anyone who sells you a black box labeled "network security firewall" with no further information or without the bigger picture is selling you a false sense of security, regardless of what's in the black box. Network security, as the term implies, involves the whole network. This is a basic premise which I emphasize in my own consulting work; part of that bigger picture is EDUCATION. I'm kind of disturbed by this "black box" approach of some of the commercial outfits. Sure, the black box might be a useful tool, but it's not the whole enchilada by any means.. [I guess this mini-rant is aimed mostly at the newbies...] 
_H* From firewalls-owner Sat Dec 17 03:09:02 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA08794 for firewalls-outgoing; Sat, 17 Dec 1994 02:54:18 -0800 Received: from dub-img-3.compuserve.com (dub-img-3.compuserve.com [198.4.9.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id CAA08789 for ; Sat, 17 Dec 1994 02:54:15 -0800 Received: by dub-img-3.compuserve.com (8.6.9/5.940406sam) id FAA07719; Sat, 17 Dec 1994 05:52:30 -0500 Date: 17 Dec 94 05:50:22 EST From: Hartmut Pohl <100436.3361@compuserve.com> To: Firewall communication Subject: Products and Services Message-ID: <941217105021_100436.3361_BHG53-1@CompuServe.COM> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am looking for an overview of commercially available products (software & hardware) and services dealing with the so-called functions of a firewall. Please let me know the most popular products and e-mail addresses or fax numbers if possible. Until now I only have information about SEAL and GAUNTLET. But I want to know some more and I am looking for evaluation criteria to select the right product. 
Thank you very much, Hartmut From firewalls-owner Sat Dec 17 03:39:08 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id DAA09087 for firewalls-outgoing; Sat, 17 Dec 1994 03:31:36 -0800 Received: from tadpole.tadpole.com (tadpole.Tadpole.COM [160.104.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id DAA09081 for ; Sat, 17 Dec 1994 03:31:34 -0800 From: jim@Tadpole.COM Received: from chiba (chiba.Tadpole.COM) by tadpole.tadpole.com (4.1/SMI-4.1-jim) id AA21293; Sat, 17 Dec 94 05:29:24 CST Received: by chiba (5.x/SPARCbook_POP1.3) id AA09889; Sat, 17 Dec 1994 05:29:26 -0600 Date: Sat, 17 Dec 1994 05:29:26 -0600 Message-Id: <9412171129.AA09889@chiba> To: duperret@crl.com, hal@netmarket.com, lavondes@tidtest.total.fr Subject: Re: ISO 9000 Requirements & Firewalls Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Tadpole too (ISO 9000 & Internet connected). From firewalls-owner Sat Dec 17 05:39:03 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA09500 for firewalls-outgoing; Sat, 17 Dec 1994 05:36:04 -0800 Received: from ki1.chemie.fu-berlin.de (ki1.chemie.fu-berlin.de [130.133.2.21]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA09495 for ; Sat, 17 Dec 1994 05:36:00 -0800 Received: by ki1.chemie.fu-berlin.de (Smail3.1.28.1) from odb.rhein-main.de (193.141.47.4) with smtp id ; Sat, 17 Dec 94 14:34 MET Received: from [193.141.47.129] by odb.rhein-main.de with smtp (Smail3.1.28.1 #5) id m0rIzFq-0003hpC; Sat, 17 Dec 94 14:32 MET Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sat, 17 Dec 1994 14:34:04 +0100 To: aaron@sdt.com (Aaron Gair), firewalls@greatcircle.com From: maass@odb.rhein-main.de (Joerg Maass) Subject: Re: SEAL Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 13:50 Uhr 14.12.1994 -0600, Aaron Gair wrote: >Anyone have a technical contact for the SEAL product? 
SEAL page : http://www.digital.com/info/seal.html FTPable documents : ftp://ftp.digital.com/ United States Contact: Dick Calandrella at 508-496-8626 -- Am Tiergarten 22 Tel.: +49/69/4990880 D-60316 Frankfurt Fax : +49/6103/383-157 Germany privat: maass@thinkfish.rhein-main.de biz.: Joerg.Maass@frs.mts.dec.com PGP signature available upon request. From firewalls-owner Sat Dec 17 05:51:16 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA09493 for firewalls-outgoing; Sat, 17 Dec 1994 05:35:47 -0800 Received: from ki1.chemie.fu-berlin.de (ki1.chemie.fu-berlin.de [130.133.2.21]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA09488 for ; Sat, 17 Dec 1994 05:35:44 -0800 Received: by ki1.chemie.fu-berlin.de (Smail3.1.28.1) from odb.rhein-main.de (193.141.47.4) with smtp id ; Sat, 17 Dec 94 14:34 MET Received: from [193.141.47.129] by odb.rhein-main.de with smtp (Smail3.1.28.1 #5) id m0rIzFH-0003hkC; Sat, 17 Dec 94 14:32 MET Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sat, 17 Dec 1994 14:33:29 +0100 To: hobbit@bronze.lcs.mit.edu (*Hobbit*), firewalls@greatcircle.com From: maass@odb.rhein-main.de (Joerg Maass) Subject: Re: SEAL Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi H*, At 3:58 Uhr 14.12.1994 -0500, *Hobbit* wrote: >A decade, eh? Ask DEC about Mitnick and VMS source code. I don't think >that was ten years ago. > Mitnick broke into Easynet via terminal servers, and the VMS bugs you're referring to have NOTHING to do with SEAL. SEAL runs on Ultrix and OSF/1 platforms. I have to admit, though, that Marcus is right about security. It has to include the whole system (network), not only one point (firewall). And you're right about the time frame. SEAL has existed for some six years. 
Joerg Maass -- Am Tiergarten 22 Tel.: +49/69/4990880 D-60316 Frankfurt Fax : +49/6103/383-157 Germany privat: maass@thinkfish.rhein-main.de biz.: Joerg.Maass@frs.mts.dec.com PGP signature available upon request. From firewalls-owner Sat Dec 17 06:05:20 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA09507 for firewalls-outgoing; Sat, 17 Dec 1994 05:36:14 -0800 Received: from ki1.chemie.fu-berlin.de (ki1.chemie.fu-berlin.de [130.133.2.21]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA09502 for ; Sat, 17 Dec 1994 05:36:10 -0800 Received: by ki1.chemie.fu-berlin.de (Smail3.1.28.1) from odb.rhein-main.de (193.141.47.4) with smtp id ; Sat, 17 Dec 94 14:34 MET Received: from [193.141.47.129] by odb.rhein-main.de with smtp (Smail3.1.28.1 #5) id m0rIzG4-0003hqC; Sat, 17 Dec 94 14:33 MET Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sat, 17 Dec 1994 14:34:18 +0100 To: Frederick M Avolio , ruf@osiris.cs.uow.edu.au From: maass@odb.rhein-main.de (Joerg Maass) Subject: Re: SEAL Cc: firewalls@greatcircle.com (Firewalls Mailing List) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi Frederick, At 16:11 Uhr 14.12.1994 -0500, Frederick M Avolio wrote: >If you mean DECinspect, I would guess lots. If you mean SEAL (DEC, do >you still call it that? Where are the DEC SEAL engineers or >consultants on this list?) I would say very little. > I am a SEAL consultant, and Digital calls it Digital Firewall Service by now :-). The reason for this is that we sell it as a consulting solution. You get the software, source code and consulting in that we train you, set up and configure the firewall according to a jointly developed statement of work and document what we've done and what should be done by the firewall administrators :-). Plus, you get phone support following the installation and an ongoing support contract if you wish to. Mail me or use the contacts below to get more information. 
SEAL page : http://www.digital.com/info/seal.html FTPable documents : ftp://ftp.digital.com/pub/Digital/info/document/firewall*.* United States Contact: Dick Calandrella at 508-496-8626 Kind regards Joerg Maass -- Am Tiergarten 22 Tel.: +49/69/4990880 D-60316 Frankfurt Fax : +49/6103/383-157 Germany privat: maass@thinkfish.rhein-main.de biz.: Joerg.Maass@frs.mts.dec.com PGP signature available upon request. From firewalls-owner Sat Dec 17 06:39:03 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA10056 for firewalls-outgoing; Sat, 17 Dec 1994 06:25:05 -0800 Received: from relay1.pipex.net (relay1.pipex.net [158.43.128.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA10051 for ; Sat, 17 Dec 1994 06:25:01 -0800 Received: from smtpgty.saicuk.co.uk by relay1.pipex.net with SMTP (PP) id ; Sat, 17 Dec 1994 14:23:18 +0000 Received: by smtpgty.saicuk.co.uk with Microsoft Mail id <2EF2F3C0@smtpgty.saicuk.co.uk>; Sat, 17 Dec 94 14:20:48 GMT From: "Johnson-Bryden, Ian" To: "'Firewalls@GreatCircle.COM'" Subject: Re: ISO 9000 Requirements & Firewalls Date: Sat, 17 Dec 94 14:10:00 GMT Message-ID: <2EF2F3C0@smtpgty.saicuk.co.uk> Encoding: 88 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk There are some folk who will tell you that you can't buy a newspaper without an ISO 9000 and when you get your certificate you can only buy a newspaper produced by a publisher who has ISO 9000 and vended by someone who holds a certificate. ISO 9000 is a quality management methodology/certification system which is replacing national systems from folk like NIST in the US and BSI in the UK. 
Like the earlier systems, ISO 9000 is great for Government procurement officials (because it potentially reduces the number of Open Procurement vendors and provides yet another tick box for procurement documents) and for consultants (most corporations would have difficulty in producing all the required documentation without help unless they simply stopped doing business while they prepared for evaluation). Like the old BSI BS5750 system, ISO 9000 does not really impose any special constraints. The company has to formally document how it works. Small companies may pay anything up to US$50K to produce this documentation, but at the end of the process they may continue to work exactly as they always did, with the same personnel, plant & machinery. If you call in to an auto tyre shop which now displays a nice shiny ISO 9000 certificate you may not notice any difference from your previous visit except their prices have gone up and the manager has a new bookcase to hold his umpteen volumes of procedure manuals (you will probably also notice that these manuals are the only documents in the shop which are not covered with dirty finger prints). If the ISO 9000 system works correctly, it is possible that some companies will not be able to connect to the Internet. That isn't a function directly of ISO 9000, but the way the enterprise produces and implements its enterprise policy with the attendant risk policy. At the other extreme, a company could hold ISO 9000 and not even require a firewall. What is probably more significant is the current bureaucratic drift on data protection and evaluation criteria and their relationship to ISO 9000. There are now active moves by several governments to MANDATE given minimum levels of security for every user of IT equipment who has to register under data protection regulations. As data protection regulations are now set to expand across the user base that means potentially EVERY IT user including the home computer user. 
The mandated security levels will be expressed in criteria terms and probably require that the security functionality has been evaluated and certified under ITSEC or whatever. It will probably not accept vendor 'designed to meet' claims. As people like NIST and BSI are now closely involved in criteria development, it is likely that a vendor will have to achieve ISO 9000 even though some ITSEC Commercial Licensed Evaluation Facilities have already stated publicly that they often have more problems with products supplied by BSI/ISO certified developers. It could therefore follow that a company which has achieved ISO 9000 will have to meet all data protection requirements including the use of certified security technology and even to have his systems accredited. This could mean that he will not be able to link to the Internet or any other Information Super Highway unless he fits certified network security systems. This could mean that most existing firewalls will have to be replaced with certified firewalls (but certified firewalls don't currently exist) or the user cuts his Internet links. Fortunately we have not yet reached this level of government involvement in our communications habits, but the question is - how long will it continue? Ian J-B. ---------- From: firewalls-owner To: duperret; lavondes Cc: firewalls Subject: Re: ISO 9000 Requirements & Firewalls Date: 16 December 1994 14:51 > Some time, I overheard the opinion that you can't be on the net and obtain > or keep ISO 9000 certification. I don't have the faintest idea why that > should be, but then I don't know much about ISO 9000 except that it means > *lots* of paperwork before, during and after :-) > > Does anyone have an idea ? Yeah - the above is bunk, I'm afraid! ISO 9000 has nothing to do with whether you're on the net or not... Ross -- Ross Parker | KotHFJ '88 FJ1200, '64 Matchless G80CS (500cc) MPR Teltech Ltd. | Who cares if Mikey doesn't like 'em! 
Burnaby, B.C., Canada | "Lisp has all the visual appeal of oatmeal parker@mprgate.mpr.ca | with fingernail clippings mixed in" -- Larry Wall From firewalls-owner Sat Dec 17 07:09:09 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA10162 for firewalls-outgoing; Sat, 17 Dec 1994 06:40:07 -0800 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA10157 for ; Sat, 17 Dec 1994 06:40:03 -0800 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA23934; Sat, 17 Dec 94 09:16:09 -0500 Date: Sat, 17 Dec 94 09:16:09 -0500 Message-Id: <9412171416.AA23934@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: BBs Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >I'm kind of disturbed by this "black box" approach of some of the commercial >outfits. Sure, the black box might be a useful tool, but it's not the whole >enchilada by any means.. Have felt that way since long before firewalls were ever conceived. Fact is that the marketeers rarely know enough to sell anything other than black boxes (and it is a joy to find one who not only knows but is willing and permitted by his/her/its/other company to talk about it). Most of my career has been spent spotting and fixing holes the manufacturer left in and as far as I am concerned, if I have a question that goes unanswered, I find a new vendor. If I feel charitable, I might even tell them why but usually once I lose trust, I do not bother with them anymore, listen politely for the rest of the spiel and never call back. Those who know me realize that when I get quiet and formal it is a good idea to seek shelter. Recently I was invited to a conference call with a service provider after they had a publicised intrusion. 
After invoking "proprietary information", the provider stonewalled any detailed discussions. I got the message early on and stayed (relatively) quiet. My advice to the client after the call was that they had better put in a firewall between them and the provider since the provider was not to be trusted. (Don't ask)

Trust is a wonderful thing and is essential to any long relationship, be it marriage or client/provider. When dealing with new and emerging technology, often it is the only workable basis. Destroy that and a vendor had best look to the watermark on any references given for a stork with a broken neck.

Just my tuppence.

Warmly,
Padgett

From firewalls-owner Sat Dec 17 07:39:03 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA10546 for firewalls-outgoing; Sat, 17 Dec 1994 07:31:44 -0800
Received: from zork.tiac.net (zork.tiac.net [199.0.65.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA10541 for ; Sat, 17 Dec 1994 07:31:40 -0800
From: ian@jerboa.com
Received: from jerboa.com (jerboa.com [199.3.130.95]) by zork.tiac.net (8.6.9/8.6.6.Beta9) with SMTP id KAA04356; Sat, 17 Dec 1994 10:30:07 -0500
Message-Id: <199412171530.KAA04356@zork.tiac.net>
X-Sender: ian@tiac.net.
X-Mailer: Windows Eudora Version 2.0.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sat, 17 Dec 1994 10:30:24 -0500
To: Firewalls@GreatCircle.COM
Subject: Re: ISO 9000 Requirements & Firewalls
Cc: "Johnson-Bryden, Ian"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 02:10 PM 12/17/94 GMT, Ian Johnson-Bryden wrote:
>Like the old BSI BS5750 system, ISO 9000 does not really impose any special
>constraints. The company has to formally document how it works. Small

It seems to me that documenting the procedures used to install and maintain the firewall might be a good idea even without ISO 9000 hanging over one's head. Of course, one hopes that commercial firewalls would come with a lot of this documentation, although in my experience this sadly isn't always the case. Maybe I can use ISO 9000 as leverage to get clients to spend the appropriate amount of time to produce realistic security policies :-).

Ian

-----
Ian Poynter                   ian@jerboa.com
Jerboa Internet Services      (617) 357-5013
PO Box 120054, Boston, MA 02112
Providing Internet advice, consulting and training for businesses.

From firewalls-owner Sat Dec 17 09:39:11 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA11057 for firewalls-outgoing; Sat, 17 Dec 1994 09:14:46 -0800
Received: from libove.mindspring.com (root@libove.mindspring.com [168.121.16.58]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA11052 for ; Sat, 17 Dec 1994 09:14:42 -0800
Received: from localhost (libove@localhost) by libove.mindspring.com (8.6.5/8.6.5) id MAA02224 for firewalls-digest@greatcircle.com; Sat, 17 Dec 1994 12:14:24 -0500
Date: Sat, 17 Dec 1994 12:14:24 -0500
From: Jay Vassos-Libove
Message-Id: <199412171714.MAA02224@libove.mindspring.com>
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
To: firewalls-digest@greatcircle.com
Subject: Suggestion for firewall for deliberately insecure company?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Do any of you folks have suggestions for a particular firewall product/service for a company which deliberately has no security inside its own borders, and wants to remain that way, but also wants to have access to the outside network?

Thanks
Jay

From firewalls-owner Sat Dec 17 11:09:03 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA11643 for firewalls-outgoing; Sat, 17 Dec 1994 11:01:05 -0800
Received: from gatekeep.genmagic.com (gatekeep.genmagic.com [192.216.16.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA11638 for ; Sat, 17 Dec 1994 11:01:01 -0800
Received: from (genmagic.genmagic.com [10.1.4.12]) by gatekeep.genmagic.com (8.6.9/8.6.9) with SMTP id KAA27836; Sat, 17 Dec 1994 10:56:20 -0800
Received: from abulafia.genmagic.com by genmagic.genmagic.com (4.1/SMI-4.1/JBS) id AA08905; Sat, 17 Dec 94 10:58:50 PST
Received: by abulafia.genmagic.com (931110.SGI/930416.SGI) for @genmagic.genmagic.com:firewalls-digest@GreatCircle.COM id AA06975; Sat, 17 Dec 94 10:53:07 -0800
Date: Sat, 17 Dec 94 10:53:07 -0800
From: jet@abulafia.genmagic.com (J. Eric Townsend)
Message-Id: <9412171853.AA06975@abulafia.genmagic.com>
To: Jay Vassos-Libove
Cc: firewalls-digest@GreatCircle.COM
In-Reply-To: <199412171714.MAA02224@libove.mindspring.com>
Subject: Suggestion for firewall for deliberately insecure company?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jay Vassos-Libove writes:
> Do any of you folks have suggestions for a particular firewall
> product/service for a company which deliberately has no security
> inside its own borders, and wants to remain that way, but also wants
> to have access to the outside network?

Check the archive for discussions of the "crunchy shell, soft insides" model. Basically, your users want to get to the net from inside; this can be achieved with a socks host. If you simply do not allow remote access, especially from the internet (block ports with a router), you've just saved yourself a huge amount of security work. (Use dedicated lines for remote access (dial back if you're cheap).)

--eric

From firewalls-owner Sat Dec 17 12:39:08 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA12087 for firewalls-outgoing; Sat, 17 Dec 1994 12:09:56 -0800
Received: from gatekeeper (gatekeeper.lddsnet.com [170.127.112.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA12079 for ; Sat, 17 Dec 1994 12:09:52 -0800
Received: by mailgw.lddsnet.com (8.6.9/LDDSgw941115tjn) id OAA04386; Sat, 17 Dec 1994 14:06:18 -0600
Received: from keymaster(170.127.113.130) by gatekeeper via smap (V1.3) id sma004384; Sat Dec 17 20:05:57 1994
Received: by lddsnet.com (8.6.9/LDDSmh941115tjn) with ESMTP id OAA01017; Sat, 17 Dec 1994 14:06:57 -0600
Received: by localhost (8.6.9/LDDScl941115tjn) id OAA19567; Sat, 17 Dec 1994 14:06:57 -0600
Date: Sat, 17 Dec 1994 14:06:57 -0600
From: Terry.Nelms@lddsnet.com (Terry Nelms (Manager Systems Integrity))
Reply-To: Terry.Nelms@lddsnet.com (Terry Nelms (Manager Systems Integrity))
Message-Id: <199412172006.OAA19567@localhost>
To: firewalls@GreatCircle.Com
Subject: smap
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In my log file I keep getting the following error message(s), marked with an (*), from smap & smapd.

 Dec 17 12:57:45 gatekeeper smap[4346]: connect host=keymaster/170.127.113.130
*Dec 17 18:57:45 gatekeeper smap[4346]: n2a get_local_info: open to get interface configuration: No such file or directory
 Dec 17 18:57:46 gatekeeper smap[4346]: host=keymaster/170.127.113.130 bytes=730 from= to=<74044.254@compuserve.co
 Dec 17 18:57:46 gatekeeper smap[4346]: exiting host=keymaster/170.127.113.130 bytes=730
*Dec 17 12:57:49 gatekeeper smapd[4347]: error (other error -278136948)

I know smap runs chrooted and could require certain files in the /etc directory of its root. I have hosts, resolv.conf, & hostname.le0 in that directory. What else could it be looking for? The error message from smapd I don't understand at all. It doesn't look like a valid error message and the mail does go through. Is this something to be concerned with?

I'm running this on a Sun SPARCstation 5 with Solaris 2.3.

Thanks,
Terry

-------------------------------------------------------------------------------
Terry Nelms                          LDDS Communications, Inc.
Manager Systems Integrity            Corporate Security
email: terry.nelms@lddsnet.com       515 East Amite St.
voice: 601.360.8903                  Jackson, MS 39201-2702
FAX: 601.974.8256
-------------------------------------------------------------------------------

From firewalls-owner Sat Dec 17 12:51:43 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA12075 for firewalls-outgoing; Sat, 17 Dec 1994 12:09:35 -0800
Received: from hosaka.smallworks.com (hosaka.SmallWorks.COM [192.207.126.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA12070 for ; Sat, 17 Dec 1994 12:09:31 -0800
Received: by hosaka.smallworks.com (4.1/SMI-4.1) id AA18211; Sat, 17 Dec 94 14:08:13 CST
Date: Sat, 17 Dec 94 14:08:13 CST
From: charisse@SmallWorks.COM (Charisse Castagnoli)
Message-Id: <9412172008.AA18211@hosaka.smallworks.com>
To: 100436.3361@compuserve.com, firewalls@greatcircle.com
Subject: information on NetGate packet filtering firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

NetGate(TM) is a software firewall for SPARC based systems developed by SmallWorks of Travis Co. SmallWorks specializes in efficient networking utilities and custom software development for SunOS. NetGate was designed to provide routing and filtering for networks of TCP/IP systems without requiring expensive, separately managed hardware. It performs filtering, logging and forwarding for a network or subnetwork of TCP/IP based computers. The extensible rules based system allows the administrator to customize the firewall to allow or disallow packets into the network system.
Technical Overview:

NetGate is a rule-based packet forwarding scheme for use on SPARC systems running SunOS 4.1.X. Through the use of NetGate, a SPARC system can become a sophisticated router, packet forwarder and firewall. NetGate examines each incoming packet and performs rule based filtering on the packet before allowing the packet to be delivered to the network service or forwarded to the next system.

NetGate operates by applying a set of administrator customized rules to each packet. Packets may be forwarded, logged or dropped. Filtering rules can be based on any combination of:

 - source or destination IP address,
 - source or destination hostnames, networks or netgroups,
 - protocols, and
 - services.

NetGate maintains statistics for each rule and packet. NetGate conveniently logs failed packets using the syslog facility, thus providing a convenient monitoring mechanism and allowing the administrator to utilize standard Unix utilities to implement escalation policies.

Operation:

NetGate executes inside the operating system, making it virtually un-spoofable. As a kernel module, performance impact is minimal, since the packet filtering is done prior to presenting the errant packet to user space, saving processing time through the remainder of the protocol stack and eliminating superfluous context switches. This is a distinct advantage over public domain "wrapper" programs, and other similar commercial products. NetGate's simple command line interface allows the administrator to create time based access policies, through the use of cron(8).

Availability:

NetGate is available for SunOS 4.1.X as either a binary installation, or in source code for the truly adventurous. A single binary license is $1500. Source Code is $2500. Site, corporate-wide and distributor licensing are also available. All shipments include 90 days support and maintenance, which includes any updates released during that time.

For more information, or to contact a SmallWorks representative:

Send email to: info@smallworks.com
Or telephone/fax to: 512 338 0619

From firewalls-owner Sat Dec 17 13:09:06 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA12553 for firewalls-outgoing; Sat, 17 Dec 1994 13:04:55 -0800
Received: from relay.tis.com (firewall_user@relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA12548 for ; Sat, 17 Dec 1994 13:04:52 -0800
Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma027359; Sat Dec 17 16:03:34 1994
Received: from otter.tis.com. by tis.com (4.1/SUN-5.64) id AA26799; Sat, 17 Dec 94 16:01:25 EST
From: Marcus J Ranum
Message-Id: <9412172101.AA26799@tis.com>
Subject: Re: Suggestion for firewall for deliberately insecure company?
To: libove@libove.mindspring.com (Jay Vassos-Libove)
Date: Sat, 17 Dec 1994 16:06:48 -0500 (EST)
Cc: firewalls-digest@greatcircle.com
In-Reply-To: <199412171714.MAA02224@libove.mindspring.com> from "Jay Vassos-Libove" at Dec 17, 94 12:14:24 pm
Organization: Trusted Information Systems, Inc. Glenwood, MD
Phone: 301-854-6889
Content-Type: text
Content-Length: 1366
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jay Vassos-Libove writes:
> Do any of you folks have suggestions for a particular firewall
> product/service for a company which deliberately has no security
> inside its own borders, and wants to remain that way, but also wants
> to have access to the outside network?

A lot depends on the degree of access desired, and how much they want to be sure they're protected. If the amount of access required is high ("complete transparent Internet access") and the assurance of security required is high ("we must not ever be broken into") then there are some mutually incompatible goals to meet. The best answer in that case is to buy everyone an account on AOL and keep the Internet away from the private network. :)

For the in-between solutions, such as protecting the network and having a fairly high degree of access, a firewall may be the solution. Before you pick (or even look at) firewalls, you should have a clear idea of what your requirements are on the security versus complete connection spectrum. A firewall is an implementation of a security policy, and a security policy derives from weighing risks and business requirements and coming up with a compromise that works for you. If you haven't defined the access policy and requirements issues, then if you just implement a solution, how will you know if you've implemented the *right* solution?

mjr.

From firewalls-owner Sat Dec 17 14:09:07 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA13078 for firewalls-outgoing; Sat, 17 Dec 1994 14:02:47 -0800
Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA13073; Sat, 17 Dec 1994 14:02:43 -0800
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sat, 17 Dec 1994 14:01:46 -0800
To: Terry.Nelms@lddsnet.com (Terry Nelms (Manager Systems Integrity)), firewalls@GreatCircle.Com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: smap
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 12:06 12/17/94, Terry.Nelms@lddsnet.com (Terry Nelms (Manager Systems Integrity)) wrote:
>In my log file I keep getting the following error message(s), marked with
>an (*), from smap & smapd.

Firewalls@GreatCircle.COM is NOT the right place for technical support questions concerning the TIS Firewalls Toolkit, or any other product or package. For the TIS Firewalls Toolkit, there's a dedicated mailing list "fwall-users@tis.com" that would be more appropriate for this question.

-Brent

--
Brent Chapman         | Great Circle Associates | Call or email for info about
Brent@GreatCircle.COM | 1057 West Dana Street   | upcoming Internet Security
+1 415 962 0841       | Mountain View, CA 94041 | Firewalls Tutorial dates

From firewalls-owner Sat Dec 17 16:09:05 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA14256 for firewalls-outgoing; Sat, 17 Dec 1994 16:06:55 -0800
Received: from svcs1.digex.net (svcs1.digex.net [164.109.10.23]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA14250 for ; Sat, 17 Dec 1994 16:06:51 -0800
Received: from paragon-systems.com (sundevil.paragon-systems.com) by svcs1.digex.net with SMTP id AB28578 (5.67b8/IDA-1.5 for ); Sat, 17 Dec 1994 19:05:32 -0500
Received: from Paragon-Systems.COM (sandfiddler) by paragon-systems.com (4.1/SMI-4.1) id AA01195; Sat, 17 Dec 94 19:06:22 EST
Received: by Paragon-Systems.COM (5.0/SMI-SVR4) id AA00439; Sat, 17 Dec 1994 19:06:18 +0500
Date: Sat, 17 Dec 1994 19:06:18 +0500
From: rmck@sandfiddler.paragon-systems.com (Bob McKisson)
Message-Id: <9412180006.AA00439@ Paragon-Systems.COM>
To: mjr@tis.com
Subject: Re: Suggestion for firewall for deliberately insecure company?
Cc: firewalls-digest@greatcircle.com
X-Sun-Charset: US-ASCII
Content-Length: 648
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jay -

There are a multitude of possibilities that will allow you to set up a pretty stout perimeter, i.e. construct a moat around your castle with high, thick walls, no windows, and a guard at the door that allows folks to roam freely on the inside once passage across the gate is authorized. But, then what?

Marcus is right - you need to take a crisp look at what you are trying to protect and against what possible threats, (both inside and outside I might add). Maybe you aren't worried about a hostile event, but rather are just interested in looking at the traffic. In that case any firewall would be a waste of money.

Bob-on-the-Beltway

From firewalls-owner Sat Dec 17 16:39:03 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA14630 for firewalls-outgoing; Sat, 17 Dec 1994 16:21:24 -0800
Received: from denver.ssds.com (denver.ssds.com [134.127.16.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA14624 for ; Sat, 17 Dec 1994 16:21:21 -0800
Received: from sanjose.ssds.com (sanjose.ssds.com [134.127.10.1]) by denver.ssds.com (8.6.9/8.6.9.SSDSnet-hub) with ESMTP id RAA06601 for ; Sat, 17 Dec 1994 17:17:59 -0700
Received: (from pcc@localhost) by sanjose.ssds.com (8.6.9/8.6.9.SSDSnet-site) id QAA16143; Sat, 17 Dec 1994 16:17:57 -0800
Date: Sat, 17 Dec 1994 16:17:56 -0800 (PST)
From: Phil Cox
X-Sender: pcc@sanjose
To: firewalls@greatcircle.com
Subject: VMS firewall
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have been told there is a firewall implemented on VMS. Is this true, and if it is, could someone point me to the info concerning it.

Phil

* Philip C. Cox          | Quote of the Day:                    *
* pcc@ssds.com           | "When opportunity knocks, about all  *
* PAGER: (510) 734-7983  | some people do is complain about     *
* VOICE: (510) 294-3557  | the noise."                          *

From firewalls-owner Sat Dec 17 21:09:03 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA16098 for firewalls-outgoing; Sat, 17 Dec 1994 21:07:01 -0800
Received: from zephyr.isi.edu (zephyr.isi.edu [128.9.160.160]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id VAA16093 for ; Sat, 17 Dec 1994 21:06:58 -0800
Received: by zephyr.isi.edu (5.65c/5.61+local-17) id ; Sat, 17 Dec 1994 21:05:13 -0800
From: bmanning@ISI.EDU (Bill Manning)
Message-Id: <199412180505.AA06726@zephyr.isi.edu>
Subject: Re: Where can I rent a Network Sniffer ?
To: pat@tandem.com
Date: Sat, 17 Dec 1994 21:05:13 -0800 (PST)
Cc: pascal@netcom.com, firewalls-digest@greatcircle.com
In-Reply-To: <9412170113.AA08416@vern.loc201.tandem.com.loc201.tandem.com> from "pat@loc201.tandem.com" at Dec 16, 94 05:13:25 pm
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 120
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

GE Rents also has network analysers available. They are in most Metro areas and are generally reasonable.

--
--bill

From firewalls-owner Sun Dec 18 10:39:04 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA19024 for firewalls-outgoing; Sun, 18 Dec 1994 10:35:34 -0800
Received: from ki1.chemie.fu-berlin.de (ki1.chemie.fu-berlin.de [130.133.2.21]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA19019 for ; Sun, 18 Dec 1994 10:35:31 -0800
Received: by ki1.chemie.fu-berlin.de (Smail3.1.28.1) from odb.rhein-main.de (193.141.47.4) with smtp id ; Sun, 18 Dec 94 19:34 MET
Received: from [193.141.47.129] by odb.rhein-main.de with smtp (Smail3.1.28.1 #5) id m0rJQQ1-0003e5C; Sun, 18 Dec 94 19:33 MET
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 18 Dec 1994 19:34:26 +0100
To: firewalls@GreatCircle.COM
From: maass@odb.rhein-main.de (Joerg Maass)
Subject: Corrected pointers to Digital Firewall Services info (SEAL)
Cc: mayer@ljsrv2.enet.dec.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all,

accidentally, I sent out some incorrect pointers for information about Digital's Firewall Services (aka SEAL) product to some of you and the list. The correct pointers are:

SEAL page         : http://www.digital.com/info/seal.html
FTPable documents : ftp://ftp.digital.com/pub/Digital/info/document/firewall*.*

United States Contact: Dick Calandrella at 508-496-8626

Kind regards and sorry for the misinformation

Joerg Maass
--
Am Tiergarten 22      Tel.: +49/69/4990880
D-60316 Frankfurt     Fax : +49/6103/383-157
Germany               privat: maass@thinkfish.rhein-main.de
                      biz.: Joerg.Maass@frs.mts.dec.com
PGP signature available upon request.

From firewalls-owner Sun Dec 18 10:59:54 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA19017 for firewalls-outgoing; Sun, 18 Dec 1994 10:35:27 -0800
Received: from ki1.chemie.fu-berlin.de (ki1.chemie.fu-berlin.de [130.133.2.21]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA19012 for ; Sun, 18 Dec 1994 10:35:24 -0800
Received: by ki1.chemie.fu-berlin.de (Smail3.1.28.1) from odb.rhein-main.de (193.141.47.4) with smtp id ; Sun, 18 Dec 94 19:34 MET
Received: from [193.141.47.129] by odb.rhein-main.de with smtp (Smail3.1.28.1 #5) id m0rJQPm-0003e7C; Sun, 18 Dec 94 19:33 MET
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 18 Dec 1994 19:34:12 +0100
To: Phil Cox , firewalls@greatcircle.com
From: maass@odb.rhein-main.de (Joerg Maass)
Subject: Re: VMS firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi Phil,

At 16:17 Uhr 17.12.1994, Phil Cox wrote:
>I have been told there is a firewall implemented on VMS. Is this true,
>and if it is, could someone point me to the info concerning it.
>
>Phil
>

darn, my memory :-). We have a product called SecureGate (as far as I know. I'll have to check for the exact name.) that runs on VMS and is used in DECnet networks ONLY. I don't know if this is the kind of system you're looking for, but if you're interested, I'd put some material together and send it to you in January (sorry for this delay, but I'll be out of the office for the rest of the year.).

Joerg Maass
--
Am Tiergarten 22      Tel.: +49/69/4990880
D-60316 Frankfurt     Fax : +49/6103/383-157
Germany               privat: maass@thinkfish.rhein-main.de
                      biz.: Joerg.Maass@frs.mts.dec.com
PGP signature available upon request.

From firewalls-owner Sun Dec 18 15:39:26 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA22460 for firewalls-outgoing; Sun, 18 Dec 1994 15:37:20 -0800
Received: from venera.isi.edu (venera.isi.edu [128.9.0.32]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA22455 for ; Sun, 18 Dec 1994 15:37:15 -0800
From: bmanning@ISI.EDU
Received: from zed.isi.edu by venera.isi.edu (5.65c/5.61+local-20) id ; Sun, 18 Dec 1994 15:35:58 -0800
Posted-Date: Sun, 18 Dec 1994 15:35:50 -0800 (PST)
Message-Id: <199412182335.AA00342@zed.isi.edu>
Received: by zed.isi.edu (5.65c/4.0.3-4) id ; Sun, 18 Dec 1994 15:35:51 -0800
Subject: Re: commercial vs roll-yer-own
To: hobbit@bronze.lcs.mit.edu (*Hobbit*)
Date: Sun, 18 Dec 1994 15:35:50 -0800 (PST)
Cc: firewalls@greatcircle.com
In-Reply-To: <199412170710.CAA19857@bronze.lcs.mit.edu> from "*Hobbit*" at Dec 17, 94 02:10:48 am
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 766
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Anyone who sells you a black box labeled "network security firewall" with
> no further information or without the bigger picture is selling you a false
> sense of security, regardless of what's in the black box. Network security,
> as the term implies, involves the whole network. This is a basic premise
> which I emphasize in my own consulting work; part of that bigger picture
> is EDUCATION.
>
> I'm kind of disturbed by this "black box" approach of some of the commercial
> outfits. Sure, the black box might be a useful tool, but it's not the whole
> enchilada by any means..
>
> [I guess this mini-rant is aimed mostly at the newbies...]
>
> _H*
>

I have "AIR-GAP" (tm) in -my- black-box "network security firewall". Feel Better? :)

--
--bill

From firewalls-owner Sun Dec 18 18:09:19 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA23417 for firewalls-outgoing; Sun, 18 Dec 1994 17:52:39 -0800
Received: from panix.com (panix.com [198.7.0.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA23412 for ; Sun, 18 Dec 1994 17:52:36 -0800
Received: from wallyman (wallynet.dialup.access.net) by panix.com with SMTP id AA03980 (5.67b/IDA-1.5 for ); Sun, 18 Dec 1994 20:51:22 -0500
Message-Id: <199412190151.AA03980@panix.com>
X-Sender: wallynet@panix.com
X-Mailer: Windows Eudora Version 1.4.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 18 Dec 1994 20:51:20 -0500
To: firewalls@greatcircle.com
From: wallynet@panix.com (Walter F. Netman)
Subject: Re: Firewall Software
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Me three. My task is 2000 users and no down time!

---
Walter F. Netman
wallynet@panix.com

>On Fri, 16 Dec 1994, Richard Judson wrote:
>
>
>> are you paying for the DEC name etc. As a neophyte, I need all the info I
>> can gather. I'm especially interested in war stories from those of you
>> who've been in the trenches and had to foil the wily hacker! :)
>>
>> Richard
>Hello,
>
>My name is Jeff D. Roller and I work for the Amarillo I.S.D. We are in
>the process of being connected to the net. I will be in charge of
>maintaining our connection and mail services. I would also be interested
>in the information that Richard requests. I have read the FAQ and
>relevant info. Thanks in advance.

From firewalls-owner Sun Dec 18 19:09:06 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA23748 for firewalls-outgoing; Sun, 18 Dec 1994 18:44:18 -0800
Received: from netcom.netcom.com (root@netcom.netcom.com [192.100.81.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA23743 for ; Sun, 18 Dec 1994 18:44:16 -0800
Received: from bundy.cnet-pnw.com by netcom.netcom.com (8.6.9/Netcom) id SAA00313; Sun, 18 Dec 1994 18:43:00 -0800
Received: by bundy.cnet-pnw.com (5.0/SMI-SVR4) id AA15848; Sun, 18 Dec 1994 18:42:12 -0800
Date: Sun, 18 Dec 1994 18:42:11 -0800 (PST)
From: Jeff Collyer
X-Sender: jeff@bundy
To: firewall list
Subject: Re: Where can I rent a Network Sniffer ?
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
content-length: 1071
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You can also try putting together one of your own on an old PC. I have done this here and saw some very interesting things floating across our net.

I used the ethload/ethdump public domain package. It's available from
  ftp.germany.eu.net:/pub/networking/inet/ethernet/ethdp103.zip
  ethld103.zip

I have also used the Beholder monitor package from the DNPAP group at et.tudelft.nl. You can find the software on:
  yuma.acns.colostate.edu:/software.ibmpc/beholder/beholder.zip

You might also look into the etherman/packetman/interman series of programs from
  ftp.cs.curtin.edu.au:~ftp/pub/netman/[sun4c|dec-mips|sgi|alpha|solaris]/
  [etherman-1.1a|interman-1.1|packetman-1.1|loadman-1.0].tar.Z

You will also need:
  ~ftp/pub/netman/hershey-[sun4c|dec-mips|sgi|alpha|solaris].tar.Z

hope this helps

jeff
----------------------------------------------------------------------
| Really -- it worked yesterday.....          jeff@bundy.cnet-pnw.com |
----------------------------------------------------------------------

From firewalls-owner Mon Dec 19 06:09:34 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA27932 for firewalls-outgoing; Mon, 19 Dec 1994 05:53:58 -0800
Received: from relay.tis.com (firewall_user@relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA27927 for ; Mon, 19 Dec 1994 05:53:54 -0800
Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma025800; Mon Dec 19 08:52:18 1994
Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA29122; Mon, 19 Dec 94 08:50:05 EST
Message-Id: <9412191350.AA29122@tis.com>
From: Frederick M Avolio
X-Organization: Trusted Information Systems, Inc.
X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363
To: Jay Vassos-Libove
Cc: firewalls-digest@greatcircle.com
Subject: Re: Suggestion for firewall for deliberately insecure company?
In-Reply-To: Your message of Sat, 17 Dec 94 12:14:24 -0500. <199412171714.MAA02224@libove.mindspring.com>
Date: Mon, 19 Dec 94 08:50:03 -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Almost any commercial firewall -- ours included, of course :-) -- will allow you to establish what you want. My brother in security, Bill Cheswick, referred to it in a talk -- when discussing the same sort of network at Bell Labs -- as the "hard shell around a soft, chewy center."

Fred

> Do any of you folks have suggestions for a particular firewall
> product/service for a company which deliberately has no security
> inside its own borders, and wants to remain that way, but also wants
> to have access to the outside network?
> > Thanks > Jay From firewalls-owner Mon Dec 19 06:39:20 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA28146 for firewalls-outgoing; Mon, 19 Dec 1994 06:16:29 -0800 Received: from dsinc.myxa.com (root@dsinc.myxa.com [192.65.202.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA28141 for ; Mon, 19 Dec 1994 06:16:26 -0800 Received: from provdev by dsinc.myxa.com with uucp (Smail3.1.28.1 #24) id m0rJiTd-0002F6C; Mon, 19 Dec 94 08:50 EST Received: by pnc-pimc.com (4.1/SMI-4.1) id AA04503; Mon, 19 Dec 94 08:24:15 EST From: cfulmer@pnc-pimc.com (Catherine Fulmer) Message-Id: <9412191324.AA04503@pnc-pimc.com> Subject: Commercial Firewall Vendors To: firewalls@greatcircle.com Date: Mon, 19 Dec 94 8:24:15 EST X-Mailer: ELM [version 2.3 PL11-upenn1.13] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anyone currently maintain a list of commercial firewall vendors, products and partial firewall products? If not, I have started a list that has about 18 vendors/products and info on a half dozen. I would be happy to maintain such a list and sent it out on request. (Info includes product, vendor, brief description, contact info). cathy -- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Catherine Fulmer : ,-^, clf@pnc-pimc.com : _ ___/ /\| : ,;`( )__ ) ~ PNC Bank (Phila, PA, US): // // `--; Voice: 610-521-7828 : ' \ \ Fax: 610-521-7980 : ^ ^ My words are mine, and don't reflect the views of my employer. 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= From firewalls-owner Mon Dec 19 07:39:17 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA29075 for firewalls-outgoing; Mon, 19 Dec 1994 07:31:33 -0800 Received: from foxtrot.worldcom.com (foxtrot.worldcom.com [198.64.193.12]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA29070 for ; Mon, 19 Dec 1994 07:31:30 -0800 Received: from notes.worldcom.com (notes.worldcom.com [198.64.193.9]) by foxtrot.worldcom.com (8.6.9/8.6.9) with SMTP id JAA16455 for ; Mon, 19 Dec 1994 09:30:18 -0600 Received: by notes.worldcom.com (IBM OS/2 SENDMAIL VERSION 1.3.0.Z)/3.3) id AA4617; Mon, 19 Dec 94 09:30:19 -0800 Message-Id: <9412191730.AA4617@notes.worldcom.com> Received: from worldcom with "Lotus Notes Mail Gateway for SMTP" id C0D2634F41E01DC38625612A0054823A; Mon, 19 Dec 94 09:30:18 To: firewalls From: Dan Thorson Date: 19 Dec 94 8:42:41 EDT Subject: ISO-9000 Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Although I don't see how this pertains to firewalls.... ISO-9000 says to do something consistently, and have it written down. Therefore a bad firewall will be documented, but may still fail. That's OK from the ISO-9000 viewpoint. They want repeatability, not quality. The concept is that if you _don't_ have quality, you'll make junk every time, and then go out of business, thereby increasing the overall quality (cuz the folks that remain must be doing a better job). Remember - My opinions, as we're ISO-9000 qualified here! 
From firewalls-owner Mon Dec 19 08:09:39 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA29337 for firewalls-outgoing; Mon, 19 Dec 1994 07:55:47 -0800 Received: from netcom4.netcom.com (bbosen@netcom4.netcom.com [192.100.81.107]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA29331 for ; Mon, 19 Dec 1994 07:55:43 -0800 Received: by netcom4.netcom.com (8.6.9/Netcom) id HAA17189; Mon, 19 Dec 1994 07:54:28 -0800 Date: Mon, 19 Dec 1994 07:54:28 -0800 (PST) From: Bob Bosen Subject: Re: Where can I rent a Network Sniffer ? To: Richard A Childers cc: firewalls-digest@greatcircle.com In-Reply-To: <199412170032.QAA14324@netcom15.netcom.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 16 Dec 1994, Richard A Childers wrote: > > ( Pardon a query that is tangential to the main thrust of Firewalls Digest, > but I trust that we all have occasional need to take a close look at our > network and protocol loads, looking for security problems and hot spots. ) > > So, where can I buy or rent a Network General Sniffer, or equivalent piece > of network analysis hardware ? > > A few years ago, 8088- and 80286-based PCs were barely fast enough to keep > up with the network they were monitoring. 80386s came along and that was no > longer a problem. These 386s were generally in laptops, increasingly with a > color LCD monitor. Did the availability of these 386 laptops cause the market > for third-party monitoring software to dry up ? Or, can one still buy soft- > -ware to run on a PC, in conjunction with an ethernet controller, to gather > and display statistical information on the network's traffic ? > > I'm interested in both software and hardware. I'm located in the San Francisco > Bay Area but am interested in any agency who does business in the Bay Area, no > matter where they are located primarily. 
> > I'll be happy to post a summary of what I learn. > > > -- richard > > > Pontius Pilate was politically correct. So was Benedict Arnold. > So was Peter Quisling ... and so was Adolph Hitler. |-: > > richard childers san francisco, california pascal@netcom.com > Richard: I don't know about the commercial marketplace for sniffer software, but I've got a copy of public-domain software, with source code, that works pretty well. It's called "netwatch". I keep a copy in Enigma's anonymous ftp archives (network location listed below). You can obtain copies of this from several ftp archive sites. If you use "archie", you can usually find several such sites with the following command: archie netwatch The versions you'll find published refuse to display or log more than the first dozen-or-so bytes from each "snooped" packet. I was unsatisfied with this, so I traced into the source code, figgered out how it worked, and modified it to log the first 512 bytes of each packet, which makes this stuff much more powerful and sufficiently dangerous to snoop passwords, etc. For this reason, I've restricted access to the copy that's out there amongst the other goodies in our archives. If you'll contact me by voice telephone and persuade me that your intentions are good and that you'll take similar care in further distributions, I'll work out a way to ftp a copy to you. Note that it isn't very hard to modify the source code that you can get free off of the net; the work I've done might save you one or two days at most. Regards, Bob Bosen Enigma Logic Inc. 2151 Salvio St. #301 Concord, CA 94520 USA Tel: +1 510 827-5707 Internet: bbosen@netcom.com anonymous ftp archives: ftp.netcom.com /pub/bb/bbosen/Enigma read.me ************************************************************************** * "It wasn't me!!! Somebody must have captured my username/password!!!" 
* ************************************************************************** From firewalls-owner Mon Dec 19 08:40:06 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA29597 for firewalls-outgoing; Mon, 19 Dec 1994 08:14:11 -0800 Received: from dsinc.myxa.com (root@dsinc.myxa.com [192.65.202.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA29592 for ; Mon, 19 Dec 1994 08:14:08 -0800 Received: from provdev by dsinc.myxa.com with uucp (Smail3.1.28.1 #24) id m0rJkCA-0002HNC; Mon, 19 Dec 94 10:40 EST Received: by pnc-pimc.com (4.1/SMI-4.1) id AA06229; Mon, 19 Dec 94 10:39:38 EST From: cfulmer@pnc-pimc.com (Catherine Fulmer) Message-Id: <9412191539.AA06229@pnc-pimc.com> Subject: More on Commercial FW Vendors To: firewalls@greatcircle.com Date: Mon, 19 Dec 94 10:39:38 EST X-Mailer: ELM [version 2.3 PL11-upenn1.13] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk It looks like a large number of folks are interested in the list of fw product vendors. For any/all vendors/readers who are watching this list, if you could send me a brief blurb on a product, I'll make sure I have your latest info in my list, update it, and send the update to those who have already requested it AND: - have it added to the faq??? - post it here??? (Brent?) thanks, cathy -- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Catherine Fulmer : ,-^, clf@pnc-pimc.com : _ ___/ /\| : ,;`( )__ ) ~ PNC Bank (Phila, PA, US): // // `--; Voice: 610-521-7828 : ' \ \ Fax: 610-521-7980 : ^ ^ My words are mine, and don't reflect the views of my employer. 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= From firewalls-owner Mon Dec 19 09:09:25 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA29883 for firewalls-outgoing; Mon, 19 Dec 1994 08:33:33 -0800 Received: from wc11.wl.aecl.ca ([132.225.64.31]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA29876 for ; Mon, 19 Dec 1994 08:33:30 -0800 Received: from wu1.wl.aecl.ca by wl.aecl.ca (PMDF V4.2-14 #3601) id <01HKTP0RDQBK8ZENB9@wl.aecl.ca>; Mon, 19 Dec 1994 10:31:25 CDT Received: by wu1.wl.aecl.ca (5.65/1.1.3.6 (2-Jun-93)) id AA09461; Mon, 19 Dec 1994 10:31:07 -0600 Date: Mon, 19 Dec 1994 10:31:06 -0600 (CST) From: system PRIVILEGED account Subject: Hardware for FWTK In-reply-to: <941215105133.mjo@dojo> To: Firewalls Mailing List Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We are considering providing modem access to a terminal server at a local university. The terminal server will be connected on a login-less segment on their network and connected to a router which will be connected to a multi-port router at our site. Piggybacking off our connection will be a local freenet who will be using a separate virtual channel on the routers. To isolate ourselves from the university/internet traffic I have been considering putting a PC together with two ethernet cards, a UNIX OS, FWTK, and a separate Class C domain address. A few questions: 1. Could someone please tell me what the minimum PC requirements should be. 2. What PC Unix OS should be used. 3. Will the roll-your-own FWTK provide sufficient isolation from the internet? 
Erik ____ _____ _______ __ Erik Lindquist / _ | / ___/ / _____/ / / Systems Administrator / /_| | / /__ / / / / AECL Whiteshell Laboratories / __ | / ___/ / / / / VOICE: (204) 753-2311x3145 / / | | / /____ / /_____ / /_____ FAX: (204) 753-2455 /_/ |_| /______/ /_______/ /________/ E-mail: lindquie@wu1.wl.aecl.ca From firewalls-owner Mon Dec 19 10:09:41 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA01318 for firewalls-outgoing; Mon, 19 Dec 1994 10:03:31 -0800 Received: from relay.tis.com (firewall_user@relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA01313 for ; Mon, 19 Dec 1994 10:03:28 -0800 Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma003911; Mon Dec 19 13:02:16 1994 Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA06650; Mon, 19 Dec 94 12:59:58 EST Message-Id: <9412191759.AA06650@tis.com> From: Frederick M Avolio X-Organization: Trusted Information Systems, Inc. X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363 To: system PRIVILEGED account Cc: Firewalls Mailing List Subject: Re: Hardware for FWTK In-Reply-To: Your message of Mon, 19 Dec 94 10:31:06 -0600. Date: Mon, 19 Dec 94 12:59:57 -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > 1. Could someone please tell me what the minimum PC requirements should be. Check the technical description of Gauntlet to see the HW requirements. These are not *minimum* but should give you a good jumping off point. > 2. What PC Unix OS should be used. We use BSDI's UNIX system. > 3. Will the roll-your-own FWTK provide sufficient isolation from the > internet? If you do it correctly. 
Fred From firewalls-owner Mon Dec 19 10:39:45 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA01530 for firewalls-outgoing; Mon, 19 Dec 1994 10:24:52 -0800 Received: from mail.Reston.VMD.Sterling.COM (zuzu.reston.VMD.Sterling.COM [199.0.82.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA01525 for ; Mon, 19 Dec 1994 10:24:49 -0800 Received: from ss1.Reston.VMD.Sterling.COM (ss1.reston.VMD.Sterling.COM [199.0.83.43]) by mail.Reston.VMD.Sterling.COM (8.6.4/8.6.4) with SMTP id NAA17698; Mon, 19 Dec 1994 13:03:07 -0500 Message-Id: <199412191803.NAA17698@mail.Reston.VMD.Sterling.COM> Received: from ss1.Reston.VMD.Sterling.COM by ss1.Reston.VMD.Sterling.COM (IBM VM SMTP V2R2) with BSMTP id 0112; Mon, 19 Dec 94 13:21:42 EST Date: Mon, 19 Dec 94 13:12:40 EST From: "Ross Patterson" To: Firewalls@greatcircle.com Cc: ROSSP@ss1.Reston.VMD.Sterling.COM, lavondes@tidtest.total.fr Subject: Re: tcp TH_RST annoyances Sender: firewalls-owner@GreatCircle.COM Precedence: bulk lavondes@tidtest.total.fr (Michel Lavondes) writes: >Jon Shallow wrote : >> . Host A (Firewall) sets up and is using tcp session to Host B somewhere >> on the Internet. >> . Hacker on Host C on the Internet sees this session and sends a tcp >> TH_RST to host A (with correct ports etc), faking he is coming from B. >> . A's session then resets itself and shuts down. ... >A's net admin can't do much about that, but C's can, assuming B is not on >their network and they try hard to be nice to the Internet. For instance, >they could have their firewall discard packets coming from C since these >were neither sent on an established TCP session nor sent as an answer to >erroneous non-SYN packets from A, or since their apparent source address >(B's) should not appear on a packet coming from inside their network. > >Did anyone hear of firewall set-ups that can protect the outside from the >inside ? 
The mechanisms I think of feel pretty much like some that were >discussed on firewalls, only turned inside out. Do we need other barriers >for this use of firewalls ? Several Internet service providers (the real kind, like PSI and AlterNet, not the pseudo-online-services like Digex and Netcom) have what could best be described as a "reverse firewall", strictly for business reasons. In an effort to prevent their customers from becoming piggy-back service providers (like some long-distance telephone services), these companies limit the traffic coming *out* of their customers' networks to just those network numbers that have been identified in the contract as the customers'. This has the side effect of preventing machines on these networks from being "host C" in the example above. Ross Patterson Sterling Software, Inc. VM Software Division From firewalls-owner Mon Dec 19 11:39:13 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA02354 for firewalls-outgoing; Mon, 19 Dec 1994 11:29:58 -0800 Received: from lassie.eunet.fi (lassie.eunet.fi [192.26.119.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA02349 for ; Mon, 19 Dec 1994 11:29:53 -0800 Received: from pot.hole.fi by lassie.eunet.fi with SMTP id AA21491 (5.67a/IDA-1.5 for ); Mon, 19 Dec 1994 21:28:38 +0200 Received: (from jak@localhost) by pot.hole.fi (8.6.9/8.6.9) id VAA04669 for firewalls@greatcircle.com; Mon, 19 Dec 1994 21:28:51 +0200 From: Jaakko Manninen Message-Id: <199412191928.VAA04669@pot.hole.fi> Subject: Firewall and Linux To: firewalls@greatcircle.com Date: Mon, 19 Dec 1994 21:28:50 +0200 (GMT+0200) X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 1268 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I am responsible for designing the way our company should connect to the Internet. 
We have a very hysterical and suspicious crew and we'd like to be pretty sure, or at least monitor what we can't be sure of :) (I know, maybe we shouldn't get on at all, but our clients want us to (we administrate a couple other companies' networks)). What I've figured so far (I'm pretty much of a newbie in Firewalls and such), is that for our needs, one UNIX box with proxy services and a firewall would be best (options are each PC 'workstation' routed separately in the Cisco, yuch). But I do have sort of a problem! :) I am interested in running a Firewall on a Linux system, and I'd like to know if anyone's done that.. How safe is it? Is there software for it, or will software compile for it?-) Any information on linux security and/or use with a firewall would be greatly appreciated. Thanks. -- Jaakko Manninen email: jaakko.manninen@partek.partek.mailnet.fi (yes, twice) Parcomp Oy Ab second: jak@hole.fi FAX: +358-0-394-4717 DISCLAIMER: "I'm not, by default, influenced by anything like money, fame or success. All the views and opinions I have should be mine." From firewalls-owner Mon Dec 19 12:43:44 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA02889 for firewalls-outgoing; Mon, 19 Dec 1994 12:13:13 -0800 Received: from clavin.uprc.com (clavin.uprc.com [144.94.68.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA02884 for ; Mon, 19 Dec 1994 12:13:09 -0800 Received: from cygnus.uprc.com by clavin.uprc.com (4.1/3.2.012693-Union Pacific Resources Company); id AA17974 for firewalls@greatcircle.com; Mon, 19 Dec 94 14:12:31 CST Received: by cygnus.uprc.com (5.0/SMI-SVR4) id AA15538; Mon, 19 Dec 1994 14:12:17 +0600 Date: Mon, 19 Dec 1994 14:12:17 +0600 From: z056716@uprc.com (LaCoursiere J. D. 
(Jeff)) Message-Id: <9412192012.AA15538@cygnus.uprc.com> To: firewalls@greatcircle.com Subject: address translation X-Sun-Charset: US-ASCII Content-Length: 1306 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am in need of IP translation at our gateway; i.e. several registered class {B,C} and unregistered (from RFC 1597) nets route through us - I would like all outgoing packets from OUR net to look like they came from our gateway. At the moment I use SOCKS to accomplish this; unfortunately socksified clients for PC's and MAC's are hard to come by. Haven't had much success with the socksified Trumpet winsock. Have been speaking with JANUS about their "firewall" product and its ability to do address translation on-the-fly without proxies. This is exactly what I am looking for. The point? Has anyone worked on additions such as this to any of the PD filtering packages? Most interested in work on BSD/386, FreeBSD, or NetBSD. If this well comes up dry, I will start hacking screend; anyone then interested in helping (with the idea that the code will be made public domain when finished) will be welcomed. Truth is, I am happy with our TIS toolkit firewall and can't justify buying JANUS just for this feature... ______/ Jeff LaCoursiere FastLane Communications, Inc. / Network security/services mail info@fastlane.net ___/ lacoursj@uprc.com / __/ ASTLANE Communications! Connecting America to the Internet... 
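Editor's added example, not code from any poster, product or RFC in this thread. It simulates the two mechanisms discussed above: the RFC 1631-style source translation Jeff is asking for, where every outbound flow leaves with the gateway's address and a fresh port and only inbound packets that match a remembered mapping are rewritten back (anything else is dropped), and the ISP-side "reverse firewall" Ross describes in the TH_RST thread, which passes only packets whose source address belongs to the customer's assigned network numbers, so a machine inside cannot play "host C". The gateway address 192.0.2.1, the inside net 10.0.0.0/8 and the remote hosts are constructed documentation addresses, not anyone's real network.

```python
# Added example (editor's, not from the thread): RFC 1631-style source
# translation at a gateway plus an ISP-side egress ("reverse firewall") check.
# All addresses below are constructed documentation addresses.
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# The RFC 1597 "unregistered" blocks referred to in the thread.
RFC1597_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1597_private(addr: str) -> bool:
    """True if addr falls in one of the RFC 1597 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1597_NETS)


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class Napt:
    """Many-to-one translation: inside (src, sport) -> (gateway, fresh port).

    The mapping is kept so replies can be rewritten back. An inbound packet
    that matches no mapping is dropped (None): nobody inside asked for it.
    """

    def __init__(self, gateway_ip: str, first_port: int = 40000):
        self.gateway_ip = gateway_ip
        self.next_port = first_port
        # (proto, src, sport, dst, dport) -> gateway port
        self.out_map: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, gateway port, remote, rport) -> (src, sport)
        self.in_map: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an inside->Internet packet so it appears to come from the gateway."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        gport = self.out_map.get(key)
        if gport is None:                       # first packet of this flow
            gport = self.next_port
            self.next_port += 1
            self.out_map[key] = gport
            self.in_map[(pkt.proto, gport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.gateway_ip, gport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an Internet->gateway packet back to the inside host, or drop it."""
        if pkt.dst != self.gateway_ip:
            return None
        orig = self.in_map.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if orig is None:
            return None                         # unsolicited: no matching flow
        src, sport = orig
        return Packet(pkt.proto, pkt.src, pkt.sport, src, sport)


def egress_permitted(pkt: Packet, assigned_nets) -> bool:
    """ISP-side check: pass only packets whose source is in the customer's
    assigned network numbers. Spoofed or RFC 1597 sources fail this."""
    ip = ipaddress.ip_address(pkt.src)
    return any(ip in ipaddress.ip_network(n) for n in assigned_nets)


if __name__ == "__main__":
    nat = Napt("192.0.2.1")                    # constructed gateway address
    ours = ["192.0.2.0/24"]                    # constructed assigned net
    out = nat.outbound(Packet("tcp", "10.1.2.3", 1025, "198.51.100.7", 80))
    print("outbound after NAT:", out, "egress ok:", egress_permitted(out, ours))
    reply = Packet("tcp", "198.51.100.7", 80, "192.0.2.1", out.sport)
    print("reply translated back to:", nat.inbound(reply))
    stray = Packet("tcp", "198.51.100.7", 80, "192.0.2.1", out.sport + 1)
    print("unsolicited inbound:", nat.inbound(stray))
    spoof = Packet("tcp", "198.51.100.7", 80, "203.0.113.5", 1234)   # inside host faking B
    print("spoofed egress ok:", egress_permitted(spoof, ours))
```

The dropped unsolicited inbound packet is the property that makes address translation behave like a crude stateful filter; it knows nothing about the application protocol, which is why the thread treats it as a complement to, not a replacement for, the toolkit's proxies.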
From firewalls-owner Mon Dec 19 14:09:08 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA03919 for firewalls-outgoing; Mon, 19 Dec 1994 13:52:41 -0800 Received: from eniac.disaster.vbh.com (root@eniac136.disaster.vbh.com [199.99.205.136]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA03914 for ; Mon, 19 Dec 1994 13:52:35 -0800 Received: (from mail@localhost) by eniac.disaster.vbh.com (8.6.9/8.6.9) id QAA01023 for ; Sun, 18 Dec 1994 16:51:03 -0500 Date: Sun, 18 Dec 1994 16:51:03 -0500 Message-Id: <199412182151.QAA01023@eniac.disaster.vbh.com> Received: from knecht.disaster.vbh.com(199.99.205.131) by eniac via smap (V1.3) id sma001016; Sun Dec 18 16:50:46 1994 X-Sender: ferioli@eniac.disaster.vbh.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: ferioli@disaster.vbh.com (Michael Ferioli - D&D Consulting) Subject: Info about BSDI? X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I've heard a lot of talk about BSDI and I'd like to get some information about it. Can someone recommend a web site or does anyone have a phone number? I've successfully compiled and am running FWTK on a Linux box. Can anyone comment on the relative security of Linux? Oh, is BSDI a commercial or free product? ------------------------------------------------------------------------------ Michael D. 
Ferioli Design & Disaster Recovery Consulting Special Projects Consultant Suite 300 ferioli@disaster.com 9 Elm Street Albany, NY 12202 info@disaster.com From firewalls-owner Mon Dec 19 15:09:08 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA04366 for firewalls-outgoing; Mon, 19 Dec 1994 14:40:46 -0800 Received: from mrc.com (mrc.com [192.80.67.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA04361 for ; Mon, 19 Dec 1994 14:40:43 -0800 From: tws@mrc.com Received: by mrc.com (4.1/SMI-4.1) id AA28530; Mon, 19 Dec 94 17:36:49 EST Received: by mrcs1 (5.64/X1.00) id AA09226; Mon, 19 Dec 94 17:36:59 -0500 Date: Mon, 19 Dec 94 17:36:59 -0500 Message-Id: <9412192236.AA09226@mrcs1> To: ferioli@disaster.vbh.com, firewalls@greatcircle.com Subject: Re: Info about BSDI? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From firewalls-owner@GreatCircle.COM Mon Dec 19 17:22:23 1994 > To: firewalls@greatcircle.com > From: ferioli@disaster.vbh.com (Michael Ferioli - D&D Consulting) > Subject: Info about BSDI? > I've heard a lot of talk about BSDI and I'd > like to get some information about it. Can > someone recommend a web site or does anyone > have a phone number? . . . 
Check out http://www.bsdi.com/ Tenna Sakai (tws@mrc.com) From firewalls-owner Mon Dec 19 15:30:54 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA04467 for firewalls-outgoing; Mon, 19 Dec 1994 14:53:17 -0800 Received: from st-james.comp.vuw.ac.nz (st-james.comp.vuw.ac.nz [130.195.5.14]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA04462 for ; Mon, 19 Dec 1994 14:53:12 -0800 Received: from gcs.co.nz (uucp@localhost) by st-james.comp.vuw.ac.nz (8.6.9/8.6.9-VUW) with UUCP/animal id LAA24327; Tue, 20 Dec 1994 11:47:59 +1300 Received: from oscar.lab.gcs.co.nz (oscar.lab.gcs.co.nz [134.251.6.254]) by fozzie.gcs.co.nz (8.6.9/8.6.9) with ESMTP id LAA23687; Tue, 20 Dec 1994 11:31:44 +1300 Received: (from tim@localhost) by oscar.lab.gcs.co.nz (8.6.9/8.6.9) id WAA01872; Mon, 19 Dec 1994 22:38:02 GMT From: Tim Frost Message-Id: <199412192238.WAA01872@oscar.lab.gcs.co.nz> Subject: Re: Firewall and Linux To: jak@pot.hole.fi (Jaakko Manninen) Date: Tue, 20 Dec 1994 11:38:00 +1300 (NZDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <199412191928.VAA04669@pot.hole.fi> from "Jaakko Manninen" at Dec 19, 94 09:28:50 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1374 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Jaakko, I have built V1.3 of TIS Firewall toolkit (except for the X-related software, as I didn't have enough disk in the test system :( ) under Linux. It performs reasonably on a 386SX, for testing. I can't comment on the security of linux, as I haven't done any testing of that aspect - the system is just an internal testbed, and is *not* connected to the real world. I do know, from reading the linux newsgroups, that linux *is* used seriously by some people as a server. I haven't seen a security-related Linux HOWTO. 
Tim Frost Jaakko Manninen wrote: [ intro deleted] > > I am interested in running a Firewall on a Linux system, > and I'd like to know if anyone's done that.. How safe is it? > Is there software for it, or will software compile for it?-) > Any information on linux security and/or use with a firewall > would be greatly appreciated. > > Thanks. > > -- > Jaakko Manninen email: jaakko.manninen@partek.partek.mailnet.fi (yes, twice) > Parcomp Oy Ab second: jak@hole.fi FAX: +358-0-394-4717 > DISCLAIMER: "I'm not, by default, influenced by anything like money, fame or > success. All the views and opinions I have should be mine." > -- Tim Frost, Systems Consultant, GCS Ltd P.O. Box 3055, Wellington, New Zealand. Voice: +64 4 495-0400 Fax: +64 4 495-0565 Email: tim@gcs.co.nz From firewalls-owner Mon Dec 19 15:39:12 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA04686 for firewalls-outgoing; Mon, 19 Dec 1994 15:18:07 -0800 Received: from tigger.beckman.uiuc.edu (root@tigger.beckman.uiuc.edu [128.174.212.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA04681 for ; Mon, 19 Dec 1994 15:18:04 -0800 Received: from tigger.beckman.uiuc.edu (baba@localhost [127.0.0.1]) by tigger.beckman.uiuc.edu (8.6.9/8.6.9) with ESMTP id RAA02444; Mon, 19 Dec 1994 17:16:10 -0600 Message-Id: <199412192316.RAA02444@tigger.beckman.uiuc.edu> X-face: ?/"MXina;Tt'.c6A>P1["3Wm#HCKX-/DEGN$1y[T?I6fCGFUTh]6'<@mJ&1TSRDlc_>|Lo' %b|.Rwf= `7~U>E@VElJ`RI\Sb1h X-Uri: http://www.beckman.uiuc.edu/groups/biss/people/baba/ Reply-to: Baba Z Buehler From: Baba Z Buehler To: ferioli@disaster.vbh.com (Michael Ferioli - D&D Consulting) cc: firewalls@greatcircle.com Subject: Re: Info about BSDI? In-reply-to: Your message of "Sun, 18 Dec 1994 16:51:03 EST." 
<199412182151.QAA01023@eniac.disaster.vbh.com> Date: Mon, 19 Dec 1994 17:16:09 -0600 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ferioli@disaster.vbh.com (Michael Ferioli - D&D Consulting) writes: > I've heard a lot of talk about BSDI and I'd like to get some information > about it. Can someone recommend a web site or does anyone have a phone > number? I've successfully compiled and am running FWTK on a Linux box. > Can anyone comment on the relative security of Linux? UNIX security is largely a function of the system administrator, at least more so than a function of the operating system. Linux can be made at least as secure as any other UNIX. Sysadmining both Linux and SunOS boxes, the Linux boxes have given me less grief. I personally find Linux far superior to other 3/4/586 UNIXes, as the development and support base is much larger, and most packages build relatively easily on recent versions of Linux. -- # Baba Z Buehler # Beckman Institute Systems Services, Urbana Illinois # # "Either I'm dead and I've done everything that I want, # or I'm still alive and there's nothing I want to do." 
-- TMBG # # WWW: http://www.beckman.uiuc.edu/groups/biss/people/baba/ # PGP Public Key available via WWW homepage & key servers From firewalls-owner Mon Dec 19 16:09:14 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA05059 for firewalls-outgoing; Mon, 19 Dec 1994 15:46:49 -0800 Received: from metnet.geog.pdx.edu (root@metnet.geog.pdx.edu [131.252.70.83]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA05054 for ; Mon, 19 Dec 1994 15:46:45 -0800 Received: by metnet.geog.pdx.edu (Linux Smail3.1.28.1 #1) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk id m0rJrlf-0005qhC; Mon, 19 Dec 94 15:45 PST Date: Mon, 19 Dec 1994 15:45:25 +0000 From: Matt Sottile Subject: Linux/FreeBSD/BSDI To: firewalls@greatcircle.com Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII I use Linux here at work, and the need for a firewall or some sort of security has arisen. Now, I've heard alot of talk about using BSDI. Would FreeBSD work just as well, or is there something different? Would Linux work just as well? ----------------------------------------------------------------------------- "We believe in freedom of the arts reflected by the freedom of the artists." 
-KMFDM ------------[ Matt Sottile : matts@metnet.geog.pdx.edu ]------------------- From firewalls-owner Mon Dec 19 16:26:56 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA05305 for firewalls-outgoing; Mon, 19 Dec 1994 16:04:44 -0800 Received: from pahtoh.cwu.edu (root@pahtoh.cwu.edu [198.104.65.27]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA05300 for ; Mon, 19 Dec 1994 16:04:38 -0800 Received: from tahoma.cwu.edu (hixson@tahoma.cwu.edu [198.104.67.25]) by pahtoh.cwu.edu (8.6.9/8.6.9) with ESMTP id QAA15674 for ; Mon, 19 Dec 1994 16:02:56 -0800 Received: (from hixson@localhost) by tahoma.cwu.edu (8.6.9/8.6.9) id QAA04871; Mon, 19 Dec 1994 16:02:55 -0800 Date: Mon, 19 Dec 1994 16:02:54 -0800 (PST) From: Matthew Hixson Subject: HEEEEELLLLP!!! To: firewalls@greatcircle.com Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk How do I cancel my subscription to this newsgroup!!???? My mailbox keeps overflowing with mail!! -M@ From firewalls-owner Mon Dec 19 16:39:19 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA05458 for firewalls-outgoing; Mon, 19 Dec 1994 16:15:54 -0800 Received: from ic.co.at (root@ic.co.at [192.92.138.41]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA05446 for ; Mon, 19 Dec 1994 16:15:19 -0800 Received: by ic.co.at id AA24095 (5.67b/IDA-1.5 for firewalls@greatcircle.com); Tue, 20 Dec 1994 02:13:08 GMT Message-Id: <199412200213.AA24095@ic.co.at> Subject: Firewall (proxy) access protocol standard needed? To: firewalls@greatcircle.com Date: Tue, 20 Dec 1994 02:13:07 +0000 (GMT) From: Michael Haberler Reply-To: mah@ic.co.at X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 1129 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Given: - a proliferation of firewall products based on the proxy concept - a proliferation of e.g. 
Windows client software and cheap TCP stacks I would just love to tell a customer: yes, there's this RFC-XXXX compliant firewall with proxies for this&that, and here you have a choice of vendors A..Z for RFC-XXXX compliant clients. I hate to tell a customer: well you *can* ftp, but you gotta educate your users about this little syntactic twist to make it work. To bootstrap a market like WinSock apps for proxy-aware clients we probably need (a? several?) standardized client/proxy server access protocol. Given the Internet's track record as proving ground for defacto standards this should work. Is there any work in the area? Is reading the TIS fwtk and Socks source the way to go? (Don't get me wrong - both are great works, but they are implementations of an idea whose time had come; to create foundation for client mass products we need a more formal base). -michael -- Michael Haberler mah@eunet.co.at EUnet Austria Ltd A-1090 Vienna, Austria, Thurngasse 8 Tel: +43 (1) 3174969 fax: +43 (1) 3106926 From firewalls-owner Mon Dec 19 17:05:24 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA05336 for firewalls-outgoing; Mon, 19 Dec 1994 16:05:39 -0800 Received: from uni (uni.ins.com [199.0.193.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA05331; Mon, 19 Dec 1994 16:05:35 -0800 Received: from markpc.ins.com (markpc.ins.com [199.0.193.183]) by uni (8.6.8.1/8.6.6) with SMTP id QAA13690; Mon, 19 Dec 1994 16:04:10 -0800 Date: Mon, 19 Dec 1994 16:04:10 -0800 Message-Id: <199412200004.QAA13690@uni> X-Sender: kadrich@uni.ins.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: brian@imcon.ilinx.com, Brent@GreatCircle.COM From: (Mark S. Kadrich) Subject: Re: Re[2]: JANUS at Internet World Cc: firewalls@GreatCircle.COM X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The suggestions I have seen represent a fine compromise but I wonder how much free time our friends at GC.com have. 
I suspect that the marketing weenies would abuse this privilege (Brent's time and resources) in short order. What I suggest is a separate mailing list for those that are interested. Then _we_ would have a choice as to whether or not we wanted to be bothered with them at all. This could be accomplished with minimal effort and resources. At 08:18 AM 12/13/94 -0700, brian@imcon.ilinx.com wrote: >from the quill of Brent@GreatCircle.COM (Brent Chapman) >> Posters are encouraged to send an advance copy to Firewalls-Owner >> before posting, for review and suggestions on avoiding flames and >> unnecessary controversy >> >Perhaps posters of commercial material should *be required* to send the >posting to you for posting, if appropriate. Kind of like a "moderated" >channel to the list distribution. If people then insist on continually >posting commercials without going through the moderated channel, your list >processor can exclude them from posting to the list. This last step is >usually not necessary (thank goodness). > >Thots? > >b. > >-- >Brian J. Murrell brian@ilinx.com >InterLinx Support Services, Inc. brian@wimsey.com >North Vancouver, B.C. 604 983 UNIX > Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD > > > ****************************************************************** Mark S. Kadrich, Systems Engineer, International Network Services "The Power of Operable Networks" Voice @ 415-254-4225, Page @ 1-800-759-7243; PIN 879-5783 e-mail @ kadrich@uni.ins.com Security is a process, not a solution. 
****************************************************************** From firewalls-owner Mon Dec 19 17:39:21 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA06405 for firewalls-outgoing; Mon, 19 Dec 1994 17:34:50 -0800 Received: from morakot.nectec.or.th (morakot.nectec.or.th [192.150.251.21]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id RAA06400 for ; Mon, 19 Dec 1994 17:34:43 -0800 Received: from kmitnb03.kmitnb.ac.th by morakot.nectec.or.th (8.6.8/1.34) id IAA06379; Tue, 20 Dec 1994 08:34:00 +0700 Received: from localhost.nectec.or.th by morakot.nectec.or.th (8.6.8/1.34) id IAA06379; Tue, 20 Dec 1994 08:34:00 +0700 Received: by kmitnb03.kmitnb.ac.th (5.0/SMI-SVR4) id AA19972; Tue, 20 Dec 94 08:30:16 GMT Date: Tue, 20 Dec 1994 08:30:15 -0700 (GMT) From: Pradit Pitaksathienkul Subject: tcp_wrapper.ps.Z's log file ? To: firewalls@GreatCircle.com In-Reply-To: <199412192238.WAA01872@oscar.lab.gcs.co.nz> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII content-length: 191 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have just installed tcp_wrapper version 6.3 successfully, but I don't know where it keeps its logging information. If you have used it, please tell me where its log file is... pradit. 
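Editor's added example, not from the thread. tcp_wrappers keeps no log file of its own: tcpd writes through syslog(3), so its lines land wherever the host's syslog.conf sends the facility the wrapper was compiled with (FACILITY in the toolkit's Makefile, LOG_MAIL by default). The Python below parses the "connect from" / "refused connect from" lines tcpd emits, with the wrapped daemon's name as the syslog tag, and summarises refused connections per service and client. The sample lines are constructed in that format; the hostname "gw", the process ids and the addresses are made up, and the file to feed it (/var/log/syslog, /var/adm/messages, ...) is whatever your syslog.conf says, not something this code assumes.

```python
# Added example (editor's, not from the thread): parse the syslog lines tcpd
# emits and summarise refused connections per service and client.
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# tcpd logs via syslog with the wrapped daemon's name as the tag, so a line
# looks like "<timestamp> <host> in.telnetd[<pid>]: connect from <client>"
# or "... refused connect from <client>".
TCPD_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<daemon>\S+)\[(?P<pid>\d+)\]: (?P<refused>refused )?connect from (?P<client>\S+)$"
)


def parse_tcpd_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one tcpd syslog line, or None if it is not one."""
    m = TCPD_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "daemon": m.group("daemon"),
        "pid": int(m.group("pid")),
        "refused": m.group("refused") is not None,
        "client": m.group("client"),
    }


def summarize(lines: List[str]) -> Tuple[Counter, Counter]:
    """Count accepted and refused connects, keyed by (daemon, client)."""
    accepted: Counter = Counter()
    refused: Counter = Counter()
    for line in lines:
        rec = parse_tcpd_line(line)
        if rec is None:
            continue                      # other syslog traffic, ignore
        key = (rec["daemon"], rec["client"])
        (refused if rec["refused"] else accepted)[key] += 1
    return accepted, refused


# Constructed sample lines in tcpd's format; hostname, pids and addresses are made up.
SAMPLE_LOG = [
    "Dec 20 08:30:15 gw in.telnetd[19972]: connect from 192.0.2.10",
    "Dec 20 08:31:02 gw in.ftpd[19980]: refused connect from 203.0.113.9",
    "Dec 20 08:31:40 gw in.telnetd[19991]: refused connect from 203.0.113.9",
    "Dec 20 08:31:41 gw in.telnetd[19992]: refused connect from 203.0.113.9",
    "Dec 20 08:32:11 gw in.fingerd[20003]: connect from 198.51.100.4",
    "Dec 20 08:32:30 gw sendmail[20010]: AA20010: message accepted for delivery",
]

if __name__ == "__main__":
    ok, bad = summarize(SAMPLE_LOG)
    for (daemon, client), n in sorted(bad.items(), key=lambda kv: -kv[1]):
        print(f"REFUSED {n:3d}  {daemon:<12} from {client}")
    for (daemon, client), n in sorted(ok.items()):
        print(f"allowed {n:3d}  {daemon:<12} from {client}")
```

To run it against a real host, replace SAMPLE_LOG with the lines of whichever file your syslog.conf routes the wrapper's facility to; if nothing appears there at all, check that facility line in syslog.conf before suspecting the wrapper.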
From firewalls-owner Mon Dec 19 19:39:15 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA07165 for firewalls-outgoing; Mon, 19 Dec 1994 19:34:13 -0800 Received: from translation.com (pao.jma.com [204.30.204.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id TAA07160 for ; Mon, 19 Dec 1994 19:34:09 -0800 Received: (from jcm@localhost) by translation.com (8.6.9/8.6.9) id TAA13395; Mon, 19 Dec 1994 19:31:44 -0800 Date: Mon, 19 Dec 1994 19:31:44 -0800 From: John Mayes Message-Id: <199412200331.TAA13395@translation.com> To: z056716@uprc.com Subject: Re: address translation Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Our company, Network Translation, Inc., has such a Network Address Translation product (see RFC-1631). Give us a call, or check our web site: www.translation.com John Mayes Network Translation, Inc. 415/494-NETS > I am in need of IP translation at our gateway; i.e. several registered > class {B,C} and unregistered (from RFC 1597) nets route through us - I would > like all outgoing packets from OUR net to look like they came from our > gateway. At the moment I use SOCKS to accomplish this; unfortunately > socksified clients for PC's and MAC's are hard to come by. Haven't had > much success with the socksified Trumpet winsock. Have been speaking > with JANUS about their "firewall" product and its ability to do address > translation on-the-fly without proxies. This is exactly what I am > looking for. > > The point? Has anyone worked on additions such as this to any of the > PD filtering packages? Most interested in work on BSD/386, FreeBSD, > or NetBSD. If this well comes up dry, I will start hacking screend; > anyone then interested in helping (with the idea that the code will be > made public domain when finished) will be welcomed. Truth is, I am > happy with our TIS toolkit firewall and can't justify buying JANUS just for > this feature... 
> > > ______/ Jeff LaCoursiere FastLane Communications, Inc. > / Network security/services mail info@fastlane.net > ___/ lacoursj@uprc.com > / > __/ ASTLANE Communications! Connecting America to the Internet... From firewalls-owner Mon Dec 19 19:57:49 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA07136 for firewalls-outgoing; Mon, 19 Dec 1994 19:27:33 -0800 Received: from wc11.wl.aecl.ca (wc11.wl.aecl.ca [132.225.64.31]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id TAA07131 for ; Mon, 19 Dec 1994 19:27:30 -0800 Received: from wu1.wl.aecl.ca by wl.aecl.ca (PMDF V4.2-14 #3601) id <01HKUBUBBA808ZEN3B@wl.aecl.ca>; Mon, 19 Dec 1994 21:25:10 CDT Received: by wu1.wl.aecl.ca (5.65/1.1.3.6 (2-Jun-93)) id AA13566; Mon, 19 Dec 1994 21:24:53 -0600 Date: Mon, 19 Dec 1994 21:24:52 -0600 (CST) From: system PRIVILEGED account Subject: Re: ix.netcom.com In-reply-to: <9412142207.AA20863@lorax.imsi.com> To: Rens Troost Cc: Michael Richardson , firewalls@greatcircle.com Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Excuse me people, But were these messages MAIL messages or BROADCAST messages? We had a rather strange occurrence, where a message was broadcast to all our PC's running DECnet Pathworks, the broadcast message doesn't seem to have hit any of our machines running strictly TCP/IP but may have shown up on some of our VAX VMS machines. The message was apparently pretty stupid, but we were unable to determine a sending address and the user name ascribed to the message was some non-existent person (within our corporation anyways). If this kind of traffic is coming from outside our domain, will FWTK catch it? Or perhaps some other utility? 
Thanks in advance, Erik ____ _____ _______ __ Erik Lindquist / _ | / ___/ / _____/ / / Systems Administrator / /_| | / /__ / / / / AECL Whiteshell Laboratories / __ | / ___/ / / / / VOICE: (204) 753-2311x3145 / / | | / /____ / /_____ / /_____ FAX: (204) 753-2455 /_/ |_| /______/ /_______/ /________/ E-mail: lindquie@wu1.wl.aecl.ca On Wed, 14 Dec 1994, Rens Troost wrote: > > >>>>> "Michael" == Michael Richardson writes: > Michael> I complained this morning to the person who posted that > Michael> ad, (support@netcom.com tells me their account has been > Michael> disabled...) and was looking at my firewall and noticed > Michael> this: > > [ log output elided ] > Pretty Funny. They tried to finger my site, and then sent mail back to > me claiming to be postmaster@ix.netcom.com...without even changing the > headers around. The mail was full of typos and said that the problem > was being dealt with and I should not hassle them anymore. > > Well, I think they're off the air now! Idiots. > > -Rens > From firewalls-owner Mon Dec 19 20:09:18 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA07317 for firewalls-outgoing; Mon, 19 Dec 1994 19:50:03 -0800 Received: from bronze.lcs.mit.edu (bronze.lcs.mit.edu [18.30.0.254]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id TAA07311 for ; Mon, 19 Dec 1994 19:50:00 -0800 Received: by bronze.lcs.mit.edu (Sendmail 8.6.9/940527.SGW) id WAA14292; Mon, 19 Dec 1994 22:48:25 -0500 Date: Mon, 19 Dec 1994 22:48:25 -0500 From: hobbit@bronze.lcs.mit.edu (*Hobbit*) Message-Id: <199412200348.WAA14292@bronze.lcs.mit.edu> To: firewalls@greatcircle.com Subject: what firewall platform? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The Linux folks are starting to think about packet filtering in the kernel, as evidenced by some new additions to the 1.1.7x revision. It was largely swiped from 44bsd, I think. 
However, neither implementation apparently cares what *interface* a given packet came from, which makes it useless as a real packet filter! I beat up the developers newsgroup about it; hopefully they'll do something both in linux and 44bsd about this.

In the meantime, KA9Q looks like a potentially viable solution for a small network...

_H*

From firewalls-owner Mon Dec 19 20:20:26 1994
From: ferioli@disaster.com (Michael Ferioli - D&D Consulting)
Date: Sun, 18 Dec 1994 22:54:13 -0500
To: Jaakko Manninen
Cc: firewalls@greatcircle.com
Subject: Re: Firewall and Linux
Message-Id: <199412190354.WAA02486@eniac.disaster.vbh.com>

> I am interested in running a Firewall on a Linux system,
> and I'd like to know if anyone's done that.. How safe is it?
> Is there software for it, or will software compile for it?-)
> Any information on linux security and/or use with a firewall
> would be greatly appreciated.

Well I've used Linux as an internet gateway for a customer and it works pretty well. In terms of how "safe" it is, I cannot comment. All I can say is that, so far (knock wood), there has not been a problem.

Grab the TIS Firewall Toolkit from ftp.tis.com and compile it with GCC.
You will need to make a number of modifications to the Makefile.config file. I'll forward you my working copy if you have problems doing it yourself. The package is fairly complete.

If you intend to use DOS/Windows clients, be prepared to find clients which support proxying, or else your users will be totally lost. I recommend ws_ftp for a Windows FTP client. Mosaic and Netscape support proxying as well.

If you have any other questions about configuration, let me know.

------------------------------------------------------------------------------
Michael D. Ferioli, Special Projects Consultant
Design & Disaster Recovery Consulting, Suite 300, 9 Elm Street, Albany, NY 12202
ferioli@disaster.com / info@disaster.com

From firewalls-owner Mon Dec 19 21:39:08 1994
From: Adam Shostack
Date: Tue, 20 Dec 94 0:22:57 EST
To: matts@metnet.geog.pdx.edu (Matt Sottile)
Cc: firewalls@GreatCircle.COM
Subject: Re: Linux/FreeBSD/BSDI
Message-Id: <199412200522.AAA05865@bwh.harvard.edu>
X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School
X-PGP: 876BD629 Fingerprint: 70 93 32 D6 36 D4 04 10 40 EC AB 28 A4 1D 0F E2

Matt Sottile wrote:
| I use Linux here at work, and the need for a firewall or some sort of
| security has arisen. Now, I've heard a lot of talk about using BSDI.
| Would FreeBSD work just as well, or is there something different? Would
| Linux work just as well?
You are better off not trying to learn a new OS to build on. If you know any of the BSD variants, give them some consideration. Otherwise, take what you know, strip it down to only support what you need, and then build on that.

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Mon Dec 19 21:50:57 1994
From: Brent@GreatCircle.COM (Brent Chapman)
Date: Mon, 19 Dec 1994 21:19:21 -0800
To: (Mark S. Kadrich), brian@imcon.ilinx.com
Cc: firewalls@GreatCircle.COM
Subject: Re: Re[2]: JANUS at Internet World

At 16:04 12/19/94, Mark S. Kadrich wrote:
>The suggestions I have seen represent a fine compromise but I wonder how
>much free time our friends at GC.com have. I suspect that the marketing
>weenies would abuse this privilege (Brent's time and resources) in short
>order. What I suggest is a separate mailing list for those that are
>interested. Then _we_ would have a choice as to whether or not we wanted to
>be bothered with them at all. This could be accomplished with minimal effort
>and resources.

We did consider that possibility, and decided to pursue a solution through policy changes/clarifications on the existing list first. If that doesn't work out (if it gets to be too much hassle), then we'll again consider spinning off a second list. So far, it hasn't been a problem.

Thanks!
-Brent

--
Brent Chapman | Great Circle Associates | Call or email for info about
Brent@GreatCircle.COM | 1057 West Dana Street | upcoming Internet Security
+1 415 962 0841 | Mountain View, CA 94041 | Firewalls Tutorial dates

From firewalls-owner Mon Dec 19 22:03:55 1994
From: Darren Reed
Date: Tue, 20 Dec 1994 16:22:47 +1100 (EDT)
To: firewalls@greatcircle.com
Subject: modload'able packet filter for SunOS 4.1.x
In-Reply-To: <9412172008.AA18211@hosaka.smallworks.com> from "Charisse Castagnoli" at Dec 17, 94 02:08:13 pm
Message-Id: <199412200523.VAA08299@miles.greatcircle.com>

If you found the NetGate ad. interesting, you may wish to check up on my latest efforts with writing a packet filter for SunOS 4.1.x kernels.

I've now completed rewriting it so that it works as a modload'able device. It now requires no SunOS patches, having hacked the required files from 4.3BSD and hacked in 4.4BSD-Lite code (where possible) to hopefully improve the IP implementation and eliminate some of the older bugs. Thus, full source is provided, all .c's and no .o's.

I've been running this for the last month or so, with 4.1.1 and 4.1.3_U1 and have not had any problems so far.

I have also included the ability to do a range check on the port number. Ie, to see if a port number is between or outside of two numbers, it is one rule rather than 2 or three. The desire for this was brought up with talk on this mailing list.
Unlike most other packages, it doesn't log via syslog for a couple of reasons:

1. firewalls do a _lot_ of logging, and I don't know about you, but I'm running out of "local" definitions for separate apps (ftpd, tcpd, xntpd, gated, fwtk, wais, named) and being able to direct it elsewhere (ie CERN httpd) is very nice.

2. it is easier to log binary data and requires less processing on behalf of the filter to perform the log `write'.

And it costs $0!

If you'd like to ftp it and check it out:

coombs.anu.edu.au:/pub/net/kernel/ip_fil2.0.tar.gz
coombs.anu.edu.au:/pub/net/kernel/ip_fil2.0.tar.Z

Cheers,
Darren

From firewalls-owner Mon Dec 19 22:15:32 1994
From: Mark Stickler
Date: Mon, 19 Dec 94 17:07:59 EST
To: firewalls@greatcircle.com
Subject: Firewall Consulting Services
Message-Id: <199412192204.OAA04015@miles.greatcircle.com>

We currently have an "old-style" Internet firewall (single router, single, dual-homed host) and would like to go to the dual router/bastion host style. We would prefer to make this conversion with the help of someone who has experience with this.

Please send private email to me (mstickler@lvh.com) to discuss providing consulting services in this area if you offer such services.

Mark G.
Stickler, Technical Analyst, Information Services, Lehigh Valley Hospital, 2024 Lehigh Street, Allentown, PA 18103
Voice: (610) 402-1459  FAX: (610) 402-1409  Internet: mstickler@lvh.com

From firewalls-owner Mon Dec 19 23:09:11 1994
From: benedek@mx5217.gud.siemens.co.at (Istvan Benedek)
Date: Tue, 20 Dec 94 07:57 MET
To: firewalls@greatcircle.com
Subject: unsubs

From firewalls-owner Tue Dec 20 01:09:11 1994
From: blymn@awadi.com.AU (Brett Lymn)
Message-Id: <9412200847.AA14686@bunya.awadi>
Subject: Re: Info about BSDI?
To: baba@beckman.uiuc.edu
Date: Tue, 20 Dec 1994 19:17:36 +1030 (CST)
Cc: firewalls@greatcircle.com
In-Reply-To: <199412192316.RAA02444@tigger.beckman.uiuc.edu> from "Baba Z Buehler" at Dec 19, 94 05:16:09 pm

According to Baba Z Buehler:
>
>ferioli@disaster.vbh.com (Michael Ferioli - D&D Consulting) writes:
>
>> I've heard a lot of talk about BSDI and I'd like to get some information
>> about it. Can someone recommend a web site or does anyone have a phone
>> number? I've successfully compiled and am running FWTK on a Linux box.
>> Can anyone comment on the relative security of Linux?
>
>UNIX security is largely a function of the system administrator, at least more
>so than a function of the operating system. Linux can be made at least as
>secure as any other UNIX.
>

Modulo bugs of course and Linux has had some beauties in the past (such as the rlogin vulnerability)....

>
>I personally find Linux far superior to other 3/4/586 UNIXes, as the
>development and support base is much larger, and most packages build relatively
>easy on recent versions of Linux.
>

It's the same for the other free unixen as well (Net & FreeBSD) Linux does not have a monopoly on this.

--
Brett Lymn, Computer Systems Administrator, AWA Defence Industries
===============================================================================
"Aha! Pronoun problems. It's not `shoot you, shoot you', it's `shoot me, shoot me'. So, go ahead, shoot ME, shoot ME ...
You're Despicable" -- Daffy Duck

From firewalls-owner Tue Dec 20 05:09:09 1994
From: dima@demos.su (Dima Ruban)
Date: Tue, 20 Dec 1994 15:30:28 +0300 (MSK)
To: matts@metnet.geog.pdx.edu (Matt Sottile)
Cc: firewalls@greatcircle.com
Subject: Re: Linux/FreeBSD/BSDI
Organization: HackerDome
Message-Id: <199412201230.PAA16491@deep-thought.demos.su>

Matt Sottile writes:
>
> I use Linux here at work, and the need for a firewall or some sort of
> security has arisen. Now, I've heard a lot of talk about using BSDI.
> Would FreeBSD work just as well, or is there something different? Would
> Linux work just as well?

I don't know about Linux and BSDi, but `fwtk' works quite well with FreeBSD. More, FreeBSD-2.x contains firewall stuff in distribution. You just need to configure kernel with IPFIREWALL.

> -----------------------------------------------------------------------------
> "We believe in freedom of the arts reflected by the freedom of the artists."
> -KMFDM
> ------------[ Matt Sottile : matts@metnet.geog.pdx.edu ]-------------------
>

--
dima

From firewalls-owner Tue Dec 20 07:09:14 1994
From: Rens Troost
Reply-To: rens@imsi.com
Date: Tue, 20 Dec 1994 09:47:07 -0500
To: system PRIVILEGED account
Cc: Rens Troost, Michael Richardson, firewalls@greatcircle.com
Subject: Re: ix.netcom.com
In-Reply-To: Your message of "Mon, 19 Dec 1994 21:24:52 CST."
Message-Id: <9412201447.AA08143@lorax.imsi.com>

>>>>> "system" == system PRIVILEGED account writes:

system> Excuse me people,
system> But were these messages MAIL messages or BROADCAST messages?

Mail messages. Unless you have a very strange firewall configuration, DECnet will certainly not get through and you probably are not routing IP through it, so things like wall, etc. would not be able to get through.

system> non-existent person (within our corporation anyways).

Assuming your firewall is blocking network-level traffic, and you are not proxying in RPC services (running a portmapper on your firewall can be a dangerous thing) you probably have a prankster in-house.

system> If this kind of traffic is coming from outside our domain,
system> will FWTK catch it? Or perhaps some other utility?

FWTK does not catch things; it allows some things through (namely, it proxies TCP connections).
It's up to you to make sure your firewall is not also configured as a TCP/IP router, which might be bad.

-Rens

From firewalls-owner Tue Dec 20 09:09:13 1994
From: ferioli@disaster.com (Michael Ferioli - D&D Consulting)
Date: Mon, 19 Dec 94 12:03 EST
To: firewalls@greatcircle.com
Subject: Proxy aware COMt?

Through a private conversation with another member of this list, I was made aware of a Proxy aware COMt for windows. Can anyone confirm the existence of such a beast? If so, I'd imagine it would have to be written for a SPECIFIC set of proxy agents... perhaps for FWTK? If anyone knows where I can get more info or get my hands on the thing, please let me know.

Also, can anyone point me in the direction of a socks-ified winsock?

------------------------------------------------------------------------------
Michael D.
Ferioli, Special Projects Consultant
Design & Disaster Recovery Consulting, Suite 300, 9 Elm Street, Albany, NY 12202
ferioli@disaster.com / info@disaster.com

From firewalls-owner Tue Dec 20 09:39:42 1994
From: Dave Wright
Date: Tue, 20 Dec 1994 09:35:40 -0800 (PST)
To: ferioli@disaster.com (Michael Ferioli - D&D Consulting)
Cc: firewalls@GreatCircle.COM
Subject: Re: Proxy aware COMt?
Message-Id: <199412201735.JAA03828@chern.msri.org>

> Through a private conversation with another member of this list, I was
> made aware of a Proxy aware COMt for windows. Can anyone confirm the
> existence of such a beast? If so, I'd imagine it would have to be
> written for a SPECIFIC set of proxy agents... perhaps for FWTK? If
> anyone knows where I can get more info or get my hands on the thing,
> please let me know.
>
> Also, can anyone point me in the direction of a socks-ified winsock?
>
> ------------------------------------------------------------------------------
> Michael D.
> Ferioli, Special Projects Consultant
> Design & Disaster Recovery Consulting, Suite 300, 9 Elm Street, Albany, NY 12202
> ferioli@disaster.com / info@disaster.com
>

ftp://ftp.trumpet.com.au/ftp/pub/winsock/twsk20b.zip

there are some other apps there too, that will let you use a proxy host

Dave Wright, dave@msri.org
91CBR1000F 87EX500 AFM# 316
Mathematical Sciences Research Institute

From firewalls-owner Tue Dec 20 10:09:16 1994
From: voelrb@cronus.gallup.com
Date: Tue, 20 Dec 94 12:47:52 CST
To: firewalls@greatcircle.com
Subject: Mosaic FTP control
Message-Id: <9411207879.AA787956472@cronus.gallup.com>

Is there any way to check a FTP packet for virus corruption running Mosaic clients with a BSDI operated firewall? Is there a proxy product or a way to code a proxy to quickly scan FTP packets before they hit the users machine. Thanks!
Bob Voelker
Gallup Organization

From firewalls-owner Tue Dec 20 10:43:39 1994
From: David Miller
Date: Tue, 20 Dec 1994 13:08:40 -0500 (EST)
To: firewalls@greatcircle.com
Subject: Bastion hosts vs bridges

First, a hearty thank you to all those who replied to my fwtk vs seal question last week. I got a lot of quality replies that pretty much said that fwtk is plenty good, and that the most important factors are the knowledge and ability of the administrator and the site security policy.

Next question....

While suggesting a firewall for my organization myself, we have another gentleman who insists he can do everything with filters in his bridge that I can do with a firewall.

I would greatly appreciate hearing your best arguments for or against bridge filters vs a firewall as far as security is concerned.

----------------------------------------------------------------------------
It's *amazing* what one can accomplish when one doesn't know what one can't do!
From firewalls-owner Tue Dec 20 11:08:01 1994
From: Ken Hardy
Date: Tue, 20 Dec 1994 12:11:51 -0600
To: firewalls@greatcircle.com
Subject: Re: Firewall and Linux
Message-Id: <199412201811.AA16098@ignatz.bridge.com>

I was going to post what I thought I recently read when setting up a Linux system about how it currently only supports a single ethernet interface. But I cannot find that now, and the HowTo at seems to say that multiple interfaces are supported. Those of you who know can tell those considering it for a firewall whether I was hallucinating.

On the subject of Linux but slightly off the subject of firewalls, does anyone know where I can get a version of skey for Linux that has replacements for login and su? Send any information or questions directly to me since it doesn't really apply to this list.
ken@bridge.com

From firewalls-owner Tue Dec 20 11:10:26 1994
From: system PRIVILEGED account
Date: Tue, 20 Dec 1994 12:56:52 -0600 (CST)
To: firewalls@greatcircle.com
Subject: PPP and plug-gw
In-reply-to: <9411232036.AA14406@zeus.london.micrognosis.com>

We would like to provide our site with dial-in PPP and terminal access FROM a remote calling area. However, the provider of this service is also the major internet provider in this region, but our corporate point-of-presence is elsewhere, and must be kept there. We therefore must ensure that those dialing in can only connect to our network, and that those on the Internet cannot access our net.

A quick schematic would look like:

                INTERNET
                   |
                   |
  modems------router----router---bastion host---our domain.
                   |
                   |
                INTERNET

TIS's FWTK can proxy FTP/TELNET/NNTP, but the $94 question is

1. Can FWTK be configured to proxy PPP to our local hosts? If so, how?

I believe Plug-gw could play a major role in this, but questions abound....
Thanks in advance
Erik

Erik Lindquist, Systems Administrator, AECL Whiteshell Laboratories
VOICE: (204) 753-2311x3145  FAX: (204) 753-2455  E-mail: lindquie@wu1.wl.aecl.ca

From firewalls-owner Tue Dec 20 11:40:09 1994
From: ferioli@disaster.com (Michael Ferioli - D&D Consulting)
Date: Tue, 20 Dec 94 14:32 EST
To: sdw@lig.net (Stephen D. Williams)
Cc: firewalls@greatcircle.com
Subject: Re: Proxy aware COMt?

>What's COMt???

Well it's a transport layer between winsock and TCP. I'm doubting the existence of this thing more and more.

>I've been watching and I don't think anyone else has asked: Does anyone have
>a proxy aware telnet? I need it desperately. ftp, www, gopher, etc.
>are all taken care of by cern_httpd, but telnet is a problem.

The best I can offer at this time is a script that I wrote for the Lan Workplace Host Presenter which interactively prompts for a hostname to which to connect. Then it goes about its business logging into the telnet proxy. This is, of course, only useful to those running LWP or LWG. If interested, I'll pass it along to anyone who wants it.

------------------------------------------------------------------------------
Michael D.
Ferioli, Special Projects Consultant
Design & Disaster Recovery Consulting, Suite 300, 9 Elm Street, Albany, NY 12202
ferioli@disaster.com / info@disaster.com

From firewalls-owner Tue Dec 20 12:03:27 1994
From: lavondes@tidtest.total.fr (Michel Lavondes)
Reply-To: lavondes@tidtest.total.fr
Date: Tue, 20 Dec 94 20:24:33 GMT
To: voelrb@cronus.gallup.com
Cc: firewalls@greatcircle.com
Subject: Re: Mosaic FTP control
In-Reply-To: <9411207879.AA787956472@cronus.gallup.com>; from "voelrb@cronus.gallup.com" at Dec 20, 94 12:47 pm
Message-Id: <9412202024.AA07698@tidtest.total.fr>

voelrb@cronus.gallup.com wrote :
>
> Is there any way to check a FTP packet for virus corruption running
> Mosaic clients with a BSDI operated firewall? Is there a proxy
> product or a way to code a proxy to quickly scan FTP packets before
> they hit the users machine. Thanks!
>

Unless I'm mistaken, this was discussed on the list some 3-4 months ago, and the consensus seemed to be that with all the architectures (CPU/OS/etc) floating around and all the intruders (viruses/trojan horses/logic bombs) waiting for a chance to get a toe in, this is hopeless. Even if it weren't, there still remain the down-to-earth issues of computing power and architecture database (ie, what brand of machine has such and such an IP address.)
HTH
--
Michel Lavondes
E-Mail : lavondes@tidtest.total.fr
         lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected)
Tel : +33-1-4135-4198  Fax : +33-1-4135-4189

From firewalls-owner Tue Dec 20 12:11:59 1994
From: sdw@lig.net (Stephen D. Williams)
Date: Tue, 20 Dec 1994 14:29:37 +0000 (GMT)
To: ferioli@disaster.com (Michael Ferioli - D&D Consulting)
Cc: firewalls@greatcircle.com
Subject: Re: Proxy aware COMt?

>
> Through a private conversation with another member of this list, I was
> made aware of a Proxy aware COMt for windows. Can anyone confirm the

What's COMt???

I've been watching and I don't think anyone else has asked: Does anyone have a proxy aware telnet? I need it desperately. ftp, www, gopher, etc. are all taken care of by cern_httpd, but telnet is a problem.

In Unix I could wrap it in expect or something, but I need a hacked version in DOS/Windows. Source to Trmptel.exe available? (Don't remember seeing it.) BC++ 4.02 is handy. Be happy to hack if a winsock telnet source can be found.

> existence of such a beast? If so, I'd imagine it would have to be
> written for a SPECIFIC set of proxy agents... perhaps for FWTK? If
> anyone knows where I can get more info or get my hands on the thing,
> please let me know.
>
> Also, can anyone point me in the direction of a socks-ified winsock?
>
> ------------------------------------------------------------------------------
> Michael D. Ferioli, Special Projects Consultant
> Design & Disaster Recovery Consulting, Suite 300, 9 Elm Street, Albany, NY 12202
> ferioli@disaster.com / info@disaster.com
>

--
Stephen D. Williams  25Feb1965 VW,OH  sdw@lig.net  http://www.lig.net/~sdw
Senior Consultant  510.503.9227 CA Page  513.496.5223 OH Page  BA Aug94-Dec95
OO R&D AI:NN/ES crypto  By Buggy: 2464 Rosina Dr., Miamisburg, OH 45342-6430
Firewalls/WWW servers  ICBM: 39 38 34N 84 17 12W home, 37 58 41N 122 01 48W work
Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.29Nov94

From firewalls-owner Tue Dec 20 12:24:39 1994
From: criney1@abacus.tis.tandy.com (Chris Riney)
Date: Tue, 20 Dec 1994 13:50:00 -0600 (CST)
To: isdmill@gatekeeper.ddp.state.me.us (David Miller)
Cc: firewalls@greatcircle.com
Subject: Re: Bastion hosts vs bridges
Message-Id: <9412201950.AA19574@abacus.tis.tandy.com>

>
> First, a hearty thank you to all those who replied to my fwtk vs seal
> question last week.
I got a lot of quality replies that pretty much said > that fwtk is plenty good, and that the most important factors are the > knowledge and ability of the administrator and the site security policy. > > Next question.... > > While suggesting a firewall for my organization myself, we have another > gentleman who insists he can do everything with filters in his bridge > that I can do with a firewall. > > I would greatly appreciate hearing your best arguments for or against > bridge filters vs a firewall as far as security is concerned. > > ---------------------------------------------------------------------------- > It's *amazing* what one can accomplish when > one doesn't know what one can't do! > Most of the firewall tutorials and guides recommend that a firewall consist of a mix of routers and bastion-hosts. I'd be suprised if your friend could implement a proxy server with his filters (Am I missing something, or don't most filters on router only determine who can get through the router, not interperate/massage/authenticate the data)! You use filters on a router (on both sides of the DMZ leg) to determine who can get into the DMZ and where in the DMZ they can go. You have a BASTION HOST in the DMZ to allow connectivity between the two sides of the DMZ. Without the bastion host, you (in most likely hood) would be updating the filters on a TO frequent of a bases, when someone on your side of the DMZ want's to go to a diffent host on the other side of the DMZ. Bastion-hosts and router-filters cover different aspects of security in a firewall environment. Without a delicate balance of both, you are usually just inviting trouble. 
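As an added illustration of the screened-subnet layout Chris Riney describes (router filters deciding who may enter the DMZ, a bastion host doing the proxying), here is a toy screening-router filter. It is example code written for this digest, not code from FWTK, from any router vendor or from the posters; the interface names, the address ranges (10.1.0.0/16 inside, 192.0.2.0/24 for the DMZ), the bastion and mail-hub addresses and the port numbers are all assumptions chosen for the example.

```c
/* Added example, not from the original posts or from FWTK: a toy
 * screening-router filter for a screened-subnet (DMZ) firewall. It shows
 * what a router filter can decide from (arrival interface, addresses,
 * protocol, port) and what it cannot see (the application data, which is
 * the bastion host's job). All addresses, names and ports are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <arpa/inet.h>

enum verdict { DROP = 0, ACCEPT = 1 };
enum iface   { EXT = 0, DMZ = 1, INT = 2 };   /* the router's three legs */

struct pkt {
    enum iface in;        /* interface the packet arrived on */
    uint32_t   src, dst;  /* IPv4 addresses, host byte order */
    int        proto;     /* 6 = TCP, 17 = UDP */
    int        dport;     /* destination port */
};

/* Dotted quad -> host-order uint32_t; 0 on a malformed string. */
uint32_t ip(const char *s)
{
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1 ? ntohl(a.s_addr) : 0;
}

/* Does address a fall inside net/prefix? */
int in_cidr(uint32_t a, const char *net, int prefix)
{
    uint32_t mask = prefix == 0 ? 0 : 0xffffffffu << (32 - prefix);
    return (a & mask) == (ip(net) & mask);
}

/* Assumed topology: internal 10.1.0.0/16 behind INT; DMZ 192.0.2.0/24
 * behind DMZ with the bastion at 192.0.2.10; internal mail hub 10.1.0.25;
 * everything else is the outside, behind EXT. */
enum verdict filter(const struct pkt *p)
{
    int src_int    = in_cidr(p->src, "10.1.0.0", 16);
    int src_dmz    = in_cidr(p->src, "192.0.2.0", 24);
    int dst_int    = in_cidr(p->dst, "10.1.0.0", 16);
    int to_bastion = p->dst == ip("192.0.2.10");
    int tcp        = p->proto == 6;

    /* 1. Anti-spoofing: a source address must arrive on the leg it belongs
     *    to. This needs the arrival interface (the point of the "which
     *    interface did the packet come in on" discussion elsewhere in this
     *    digest); without it an outside packet claiming an internal source
     *    is indistinguishable from a genuine internal one. */
    if (p->in == EXT && (src_int || src_dmz)) return DROP;
    if (p->in == INT && !src_int)             return DROP;
    if (p->in == DMZ && !src_dmz)             return DROP;

    /* 2. Outside reaches only the bastion, and only its SMTP relay; nothing
     *    from outside is ever forwarded straight to the internal net. */
    if (p->in == EXT)
        return (to_bastion && tcp && p->dport == 25) ? ACCEPT : DROP;

    /* 3. Inside talks only to the bastion: mail and the proxies (1080 =
     *    sockd, mentioned in the thread; 8080 assumed for the cern_httpd
     *    proxy). Direct inside-to-outside traffic is dropped, so a new
     *    external destination means a proxy request, not a filter change. */
    if (p->in == INT)
        return (to_bastion && tcp &&
                (p->dport == 25 || p->dport == 1080 || p->dport == 8080))
               ? ACCEPT : DROP;

    /* 4. The bastion (DMZ leg) relays TCP outward to anything that is not
     *    internal, and delivers mail inward only to the internal mail hub. */
    if (tcp && !dst_int)                                    return ACCEPT;
    if (tcp && p->dst == ip("10.1.0.25") && p->dport == 25) return ACCEPT;
    return DROP;
}

/* Convenience wrapper so one rule can be checked in a single call. */
enum verdict check(enum iface in, const char *src, const char *dst,
                   int proto, int dport)
{
    struct pkt p = { in, ip(src), ip(dst), proto, dport };
    return filter(&p);
}

int main(void)
{
    /* Constructed sample traffic: arrival leg, src, dst, proto, port. */
    static const struct {
        enum iface in; const char *src, *dst; int pr, dp; const char *what;
    } t[] = {
        { EXT, "198.51.100.7", "192.0.2.10",   6, 25,   "outside -> bastion SMTP" },
        { EXT, "198.51.100.7", "192.0.2.10",   6, 23,   "outside -> bastion telnet" },
        { EXT, "10.1.5.5",     "192.0.2.10",   6, 25,   "outside, spoofed internal src" },
        { EXT, "198.51.100.7", "10.1.0.25",    6, 25,   "outside -> internal host directly" },
        { INT, "10.1.5.5",     "192.0.2.10",   6, 1080, "inside -> bastion sockd" },
        { INT, "10.1.5.5",     "198.51.100.7", 6, 80,   "inside -> outside directly" },
        { DMZ, "192.0.2.10",   "198.51.100.7", 6, 80,   "bastion proxy -> outside" },
        { DMZ, "192.0.2.10",   "10.1.0.25",    6, 25,   "bastion -> internal mail hub" },
        { DMZ, "192.0.2.10",   "10.1.5.5",     6, 23,   "bastion -> internal workstation" },
    };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++)
        printf("%-6s %s\n",
               check(t[i].in, t[i].src, t[i].dst, t[i].pr, t[i].dp) == ACCEPT
                   ? "ACCEPT" : "DROP",
               t[i].what);
    return 0;
}
```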
From firewalls-owner Tue Dec 20 12:25:12 1994
From: mcr@milkyway.com (Michael Richardson)
To: firewalls@greatcircle.com
Subject: packet filter on stock OSes (was: what firewall platform?)
Date: 20 Dec 1994 14:14:00 -0500
Organization: Milkyway Networks Corporation
Message-Id: <3d7ado$bnr@calisto.milkyway.com>
References: <199412200348.WAA14292@bronze.lcs.mit.edu>

In article <199412200348.WAA14292@bronze.lcs.mit.edu>, *Hobbit* wrote:
> However, neither implementation apparently cares what *interface* a given
> packet came from, which makes it useless as a real packet filter! I beat
> up the developers newsgroup about it; hopefully they'll do something both in
> linux and 44bsd about this.

Uh, the interface a packet arrived on is available from the mbuf header in 44bsd systems. I've used this fairly easily to build a fairly minimal packet filter so that "virtual private networking" (encrypting and sending to a branch office) works, and isn't spoofed by packets arriving from the "public" interface.

This is possible in 43BSD/SunOS too, thanks to a little kludge.

-- 
:!mcr!:             | Milkyway Networks Corporation
Michael Richardson  | Makers of the Black Hole firewall
NCF: aa714 || xx714 | +1 613 566-4574 ... mcr@milkyway.com
Home: mcr@sandelman.ocunix.on.ca. PGP key available.

From firewalls-owner Tue Dec 20 12:40:05 1994
From: Bob Stratton
To: Firewalls@GreatCircle.COM
Subject: Filtering by service providers
Date: Tue, 20 Dec 1994 14:45:01 -0500
In-Reply-To: <199412200339.TAA07243@miles.greatcircle.com>

>>>>> "Ross Patterson" writes:

Ross> Several Internet service providers (the real kind, like PSI
Ross> and AlterNet, not the pseudo-online-services like Digex and
Ross> Netcom) have what could best be described as a "reverse
Ross> firewall", strictly for business reasons. In an effort to
Ross> prevent their customers from becoming piggy-back service
Ross> providers (like some long-distance telephone services),
Ross> these companies limit the traffic coming *out* of their
Ross> customers' networks to just those network numbers that have
Ross> been identified in the contract as the customers'.
While we at AlterNet are happy that you consider us "the real kind" of Internet service provider, some of what you describe above doesn't really jibe with the facts.

We don't do packet filtering on our routers. There are several reasons for this, not least of which is the impact that such filtering would have on router throughput if we did it everywhere.

It is possible that you are referring to BGP route filtering. We do limit which routes we'll accept from our BGP peers, as it prevents customer configuration problems from affecting the backbone. This has very little to do with "preventing customers from becoming piggy-back service providers" and everything to do with preventing people from feeding us bogus routing information.

It could also be said that we "block traffic" if the customer hasn't provided us with a request to route a particular network. Again, this has nothing to do with "preventing piggy-back providers", but simply that static routed customers don't receive traffic for which there's no route.

My apologies if this seems obvious, but in the current climate of concern about the routing infrastructure, it pays to be specific. I hope this clarifies things. Also, if you have questions about AlterNet's policies, feel free to call us. We're happy to talk to customers, prospective customers, and other providers.

ObFirewall: AlterNet is now offering security consulting services to our customers and others. I'm not going to plug things here on the list, so mail or call me for more information.

Bob Stratton                  Sr. Engineer, UUNET Technologies, Inc.
strat@uunet.uu.net            3110 Fairview Park Dr., Suite 570
Voice) +1 703 204 8000        Falls Church, Va 22042
Fax) +1 703 204 8001

From firewalls-owner Tue Dec 20 13:09:24 1994
From: bwong@outpost.sbi.com (Bik Yee Wong)
Message-Id: <9412202046.AA15914@outpost.aud.com>
Subject: RE: tcp_wrapper.ps.Z's log file ?
To: firewalls-digest@greatcircle.com
Date: Tue, 20 Dec 1994 15:46:35 -0500 (EST)

> I've just installed tcp_wrapper version 6.3 successfully, but I don't know
> where it keeps the logging information. Anyone who has used it, please
> tell me where its log file is...

If you have successfully installed and set up the configuration for tcp_wrapper on your machine, activities should be logged in:

	/var/log/syslog

-- 
Bik Yee Wong
Salomon Inc.
Information Security Services
Tel: (212) 783-5127

From firewalls-owner Tue Dec 20 13:36:04 1994
From: patrick@oes.amdahl.com (Patrick Horgan)
Message-Id: <9412202055.AA13057@brittany.oes.amdahl.com>
To: sdw@lig.net, ferioli@disaster.com
Subject: Re: Proxy aware COMt?
Cc: firewalls@greatcircle.com
Date: Tue, 20 Dec 1994 12:55:24 +0800

> >I've been watching and I don't think anyone else has asked: Does anyone have
> >a proxy aware telnet? I need it desperately. ftp, www, gopher, etc.
> >are all taken care of by cern_httpd, but telnet is a problem.

If you have sockd on your firewall you can use rtelnet, and it works just fine from a web browser (as long as you make sure that it's the telnet it gets!)

Patrick

These opinions are mine, and not Amdahl's (except by coincidence;).

Patrick J. Horgan          Amdahl Corporation
patrick@oes.amdahl.com     1250 East Arques Avenue
Phone : (408)992-2779      P.O. Box 3470 M/S 316
FAX : (408)773-0833        Sunnyvale, CA 94088-3470
O16-2294                   "Have Sword, Will Travel"

From firewalls-owner Tue Dec 20 13:39:12 1994
From: sdw@lig.net (Stephen D. Williams)
Subject: Re: Firewall and Linux
To: ken@bridge.com (Ken Hardy)
Date: Tue, 20 Dec 1994 16:01:31 +0000 (GMT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199412201811.AA16098@ignatz.bridge.com>

I'm sure it supports multiple interfaces, and therefore should be able to support as many as you can fit in the box (since any constant can easily be changed).

What I need to figure out is if Linux can support multiple IP's per interface. I was just told yesterday that BSDi or freeBSD can do that. Since I thought it was standard for ethernet hardware to support two addresses at most, I was surprised. You would have to put it into promiscuous mode which causes the box to process all packets. I guess a modern machine can handle that.

> I was going to post what I thought I recently read when setting up a
> Linux system about how it currently only supports a single ethernet
> interface. But I cannot find that now, and the HowTo at
> seems to say that
> multiple interfaces are supported. Those of you who know can tell
> those considering it for a firewall whether I was hallucinating.
>
> On the subject of Linux but slightly off the subject of firewalls, does
> anyone know where I can get a version of skey for Linux that has
> replacements for login and su? Send any information or questions
> directly to me since it doesn't really apply to this list.
>
> ken@bridge.com

-- 
Stephen D. Williams  25Feb1965 VW,OH  sdw@lig.net  http://www.lig.net/~sdw
Senior Consultant  510.503.9227 CA Page  513.496.5223 OH Page
BA Aug94-Dec95  OO R&D AI:NN/ES crypto  By Buggy: 2464 Rosina Dr., Miamisburg, OH 45342-6430
Firewalls/WWW servers  ICBM: 39 38 34N 84 17 12W home, 37 58 41N 122 01 48W work
Pres.: Concinnous Consulting, Inc.; SDW Systems; Local Internet Gateway Co. 29Nov94

From firewalls-owner Tue Dec 20 14:09:56 1994
From: Shan Bell
Message-Id: <9412202109.AA91308@Q.sware.com>
Subject: NFS proxy?
To: firewalls@greatcircle.com
Date: Tue, 20 Dec 94 16:09:36 EST

I realize this is very much not recommended, but for various reasons we really need to be able to allow one particular filesystem on an internal machine to be mounted on one particular external machine. I've tried using udprelay and plug-gw to proxy ports 2049 and 111, but that doesn't seem to be quite enough. Does anyone know of a package that will handle this?

Shannon Bell   Email: shan.bell@sware.com - Voice: +1 404 321 6597 x163 - Fax: +1 404 315 0293
SecureWare, Inc. / 2957 Clairmont Rd Suite 200 / Atlanta GA 30329-1647

From firewalls-owner Tue Dec 20 14:14:19 1994
From: Henry Lemon
To: Firewalls
Subject: Internet security for a VAX VMS Network
Date: Tue, 20 Dec 94 16:14 EST
Message-Id: <53941220211435/0003668858NA1EM@MCIMAIL.COM>

---------------------------------- ATTACHMENT ----------------------------------
DATE: Wed Nov 30, 1994 3:44 am
SUBJECT: Internet security for a VAX VMS Network

We are presently a VAX VMS shop, running DECnet and LAT. TCP is being considered and evaluated. We have very little Unix experience. There is however great interest in connecting to the internet.

Is it feasible to install a router, add a VAX with two ethernet interfaces and run TCP on one and DECnet on the other? Connections to the corporate network will be by DECnet using personal computers as display servers. Mosaic will run on the VAX and be displayed to the personal computers using DECnet. The VAX will only serve the purpose of interfacing to the internet. In order to penetrate the corporate network, the hacker would have to use TCP and DECnet. The only nodes defined in the DECnet database would be the display servers. We have a pretty good understanding of DECnet security. We know nothing about TCP/IP.

Should I encourage use of an access provider until we become more knowledgeable? If using a SLIP account from a service provider, are we at greater risk if the personal computers are also on the corporate network? Will this risk increase with use of Windows 95 or Windows NT?

          +--------+   tcp    +------------+  decnet
          |router  |__________|    VAX     |------------
          |        |          |            |
          +--------+          +------------+

We are such novices that I have installed DECnet on the corporate UNIX boxes. I don't know how much longer I can use the excuse of ignorance. Our lack of UNIX and TCP skills will make us vulnerable to every two-bit hacker on the internet even if we were to install a firewall. Any ideas as to a game plan?

Long term, TCP will also be running on our corporate network. I need to satisfy our users until we are able to support a firewall. I don't want to give them something and have to take it away later.

Direct replies can be sent to Lemonh@DElphi.com or LEMONH%A1%Aristech_Chemical_Corporation@mcimail.com if my problem is not appropriate for this list; however, I am sure that I cannot be the only person with these concerns.

Henry Lemon
Aristech Chemical Corporation.
From firewalls-owner Tue Dec 20 14:36:15 1994
From: "Chuck Yerkes"
Message-Id: <9412201707.ZM19041@fugit.ny.jpmorgan.com>
Date: Tue, 20 Dec 1994 17:07:16 -0500
To: Firewalls@GreatCircle.COM
Subject: SunOS patches for True packet filtering.

I've been told by some ex-Sun people that patches exist that let Suns do true full packet filtering. The patch allows access to the information about WHICH interface got the packet - helps avoid src-route spoofing. Does anyone know what patch this is? I've hit our patch lists, but to no avail.

It seems that this is essential to building a firewall service on a Sun. And no, I'm not interested in Solaris. If I want SVR4, I'll use an SGI.

Thank you
chuck yerkes
consultant guy
chuck@jpmorgan.com

From firewalls-owner Tue Dec 20 14:39:31 1994
From: Brian Clapper
Message-Id: <199412202230.RAA15116@telebase.com>
Subject: Re: NFS proxy?
To: Firewalls@GreatCircle.COM
Date: Tue, 20 Dec 1994 17:30:14 -0500 (EST)

Shannon Bell wrote:
> I realize this is very much not recommended, but for various reasons we really need
> to be able to allow one particular filesystem on an internal machine to be
> mounted on one particular external machine. I've tried using udprelay and
> plug-gw to proxy ports 2049 and 111, but that doesn't seem to be quite enough.
> Does anyone know of a package that will handle this?

Cheswick and Bellovin talk about NFS proxies in their Firewalls book; it's worth reading. In Appendix A, they state:

	"Linux has a user-level NFS server. It would be a good starting point for a proxy version similar to ours."

Look in "/pub/linux/BETA/NFS" on "tsx-11.mit.edu" to start. The README file from that directory states:

	"This is the new version of the user-space NFS server for Linux. It is now very portable and should run with a little work on about any Unix with RPC."

Also, start by reading section 4.5.9 (page 107) in Cheswick and Bellovin's "Firewalls".

Regards,

Brian M. Clapper
bmc@telebase.com
Telebase Systems, Inc., 435 Devon Park Drive, Wayne, PA 19087

From firewalls-owner Tue Dec 20 14:58:42 1994
From: wallynet@panix.com (Walter F. Netman)
Message-Id: <199412202221.AA03604@panix.com>
Date: Tue, 20 Dec 1994 17:21:21 -0500
To: firewalls@greatcircle.com
Subject: Twinsock

Has anyone tried TwinSock as a firewall extender?

What is TwinSock?
-----------------

TwinSock is a free implementation of proxy sockets for Windows.

Other Windows Sockets drivers use a network card, or a well known Internet over serial lines protocol, such as SLIP, C-SLIP or PPP. These drivers may access the network card or communications card directly, or via a VxD or DOS based TCP/IP stack. Their uses are limited to cases where either the machine is directly connected to a network, or the host at the other end of the phone line supports the same serial line internet protocol.

The other shortcoming of these drivers is that they require an official IP address to operate, and frequently you will not be able to connect very far beyond the host you connect directly to.

TwinSock, on the other hand, makes use of the IP address of the host to provide socket services to the client.
When an application running under Windows requests socket services of TwinSock, TwinSock will transparently pass these requests on to the TwinSock Host program running on the remote machine for processing. The result is that you have all the same networking capabilities as you would if your Windows machine were physically connected to the network in place of the host machine.

For more information on what TwinSock can do for you, read on, or refer to one of the following newsgroups, where TwinSock is discussed:

	alt.dcomp.slip-emulators
	comp.os.ms-windows.networking.tcp-ip
	comp.os.ms-windows.apps.comm

From firewalls-owner Tue Dec 20 15:09:32 1994
From: Brent@GreatCircle.COM (Brent Chapman)
Date: Tue, 20 Dec 1994 14:17:33 -0800
To: sdw@lig.net (Stephen D. Williams), ken@bridge.com (Ken Hardy)
Subject: Re: Firewall and Linux
Cc: firewalls@greatcircle.com

At 08:01 12/20/94, Stephen D. Williams wrote:
>I'm sure it supports multiple interfaces, and therefore should be
>able to support as many as you can fit in the box (since any
>constant can easily be changed).
>
>What I need to figure out is if Linux can support multiple IP's per
>interface. I was just told yesterday that BSDi or freeBSD can do
>that. Since I thought it was standard for ethernet hardware to
>support two addresses at most, I was surprised. You would have to put
>it into promiscuous mode which causes the box to process all packets.
>I guess a modern machine can handle that.

Huh? Ethernet hardware might support at most 2 _ethernet_ addresses, but what's that got to do with supporting multiple _IP_ addresses? The ethernet hardware isn't even aware of the IP addresses. All those multiple IP addresses (as many as you want) can resolve (via ARP) to the same ethernet address; this is how "Proxy ARP" systems have worked for years and years.

The trick is getting the kernel to recognize the multitude of IP addresses in these packets being handed up by the ethernet hardware. Traditionally, UNIX kernels have recognized one IP address per physical interface, but that's strictly a limitation in the kernel (i.e., does the kernel compare the destination address to a single IP address for that interface, or to a list of addresses for that interface?); it has nothing to do with the underlying physical interface (i.e., the ethernet hardware).

-Brent

-- 
Brent Chapman         | Great Circle Associates | Call or email for info about
Brent@GreatCircle.COM | 1057 West Dana Street   | upcoming Internet Security
+1 415 962 0841       | Mountain View, CA 94041 | Firewalls Tutorial dates

From firewalls-owner Tue Dec 20 15:38:04 1994
From: Barney Wolff
Message-ID: <9412201754.AA02303@databus.databus.com>
Date: Tue, 20 Dec 94 17:54 EST
To: sdw@lig.net (Stephen D. Williams), ken@bridge.com (Ken Hardy)
Cc: firewalls@greatcircle.com
Subject: Re: Firewall and Linux

> From: sdw@lig.net (Stephen D. Williams)
> Subject: Re: Firewall and Linux
>
> What I need to figure out is if Linux can support multiple IP's per
> interface. I was just told yesterday that BSDi or freeBSD can do
> that. Since I thought it was standard for ethernet hardware to
> support two addresses at most, I was surprised. You would have to put
> it into promiscuous mode which causes the box to process all packets.
> I guess a modern machine can handle that.

So far as I know, the hardware interface doesn't know about IP addresses at all, just 6-byte ethernet addresses. It's ARP and the IP stack that have to know to respond to more than one IP address, and that's all software.

Barney Wolff

From firewalls-owner Tue Dec 20 15:39:32 1994
From: "Alastair Young"
Message-Id: <9412201507.ZM12969@cds1004>
Date: Tue, 20 Dec 1994 15:07:21 -0800
In-Reply-To: wallynet@panix.com (Walter F. Netman) "Twinsock" (Dec 20, 5:21pm)
To: wallynet@panix.com (Walter F. Netman), firewalls@GreatCircle.COM
Subject: Re: Twinsock

On Dec 20, 5:21pm, Walter F. Netman wrote:
> Subject: Twinsock
> Has anyone tried TwinSock as a firewall extender?
>
> What is TwinSock?
> -----------------
>
> TwinSock is a free implementation of proxy sockets for Windows.
>
> Other Windows Sockets drivers use a network card, or a well known Internet
> over serial lines protocol, such as SLIP, C-SLIP or PPP. These drivers may
> access the network card or communications card directly, or via a VxD or DOS
> based TCP/IP stack. Their uses are limited to cases where either the machine
> is directly connected to a network, or the host at the other end of the phone
> line supports the same serial line internet protocol.
>
> The other shortcoming of these drivers is that they require an official IP
> address to operate, and frequently you will not be able to connect very far
> beyond the host you connect directly to.
>
> TwinSock, on the other hand, makes use of the IP address of the host to
> provide socket services to the client. When an application running under
> Windows requests socket services of TwinSock, TwinSock will transparently
> pass these requests on to the TwinSock Host program running on the remote
> machine for processing. The result is that you have all the same networking
> capabilities as you would if your Windows machine were physically connected
> to the network in place of the host machine.
>
> For more information on what TwinSock can do for you, read on, or refer to
> one of the following newsgroups, where TwinSock is discussed:
>
> alt.dcomp.slip-emulators
> comp.os.ms-windows.networking.tcp-ip
> comp.os.ms-windows.apps.comm
>
>-- End of excerpt from Walter F. Netman

Dunno about firewall extending, but we have gone to the extent of forbidding our gateway users from using it. It effectively provides IP tunneling over your telnet connection, thus allowing people to extend the "inside" to the "outside". Similar for the "Internet Adapter".

Al
-- 
----------------------------------------------------------------------------
Alastair Young                                 "This vehicle incapable of
Cadence Design Systems, Information Services    evading low speed pursuit!"
555 River Oaks Parkway, 4B1
San Jose CA 95134                              Fax: (408)894-3487
alastair@cadence.com                           (408)428-5278
----------------------------------------------------------------------------
These statements and opinions are mine, not those of Cadence Design Systems

From firewalls-owner Tue Dec 20 16:09:14 1994
From: smb@research.att.com
Message-Id: <199412210007.QAA20881@miles.greatcircle.com>
To: firewalls@greatcircle.com
Subject: Re: Firewall and Linux
Date: Tue, 20 Dec 94 18:36:33 EST

	 The trick is getting the kernel to recognize the multitude of IP
	 addresses in these packets being handed up by the ethernet hardware.
	 Traditionally, UNIX kernels have recognized one IP address per
	 physical interface, but that's strictly a limitation in the kernel
	 (i.e., does the kernel compare the destination address to a single
	 IP address for that interface, or to a list of addresses for that
	 interface?); it has nothing to do with the underlying physical
	 interface (i.e., the ethernet hardware).

Exactly. And some new kernels -- including specifically BSDI; I don't know about the others -- do permit multiple IP addresses per interface.
From firewalls-owner Tue Dec 20 16:27:14 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA20877 for firewalls-outgoing; Tue, 20 Dec 1994 16:07:22 -0800
Received: from wc11.wl.aecl.ca (wc11.wl.aecl.ca [132.225.64.31]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA20872 for ; Tue, 20 Dec 1994 16:07:18 -0800
Received: from wu1.wl.aecl.ca by wl.aecl.ca (PMDF V4.2-14 #3601) id <01HKVJ647BHS8ZENJU@wl.aecl.ca>; Tue, 20 Dec 1994 18:05:31 CDT
Received: by wu1.wl.aecl.ca (5.65/1.1.3.6 (2-Jun-93)) id AA02463; Tue, 20 Dec 1994 18:05:10 -0600
Date: Tue, 20 Dec 1994 18:05:10 -0600 (CST)
From: system PRIVILEGED account
Subject: Re: Problem compiling on DEC Alpha
In-reply-to:
To: sotiris.baxevanis@intelsat.int
Cc: firewalls@greatcircle.com
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 28 Nov 1994 sotiris.baxevanis@intelsat.int wrote:

> Hello, I'm trying to compile the TIS toolkit on a DEC Alpha OSF/1 version
> 2.0 and I'm getting the following error in compiling the ftpd daemon.
>
> /usr/lib/cmplrs/cc/cfe: Error: popen.c, line 147: storage size for
> 'stat_loc' is
> n't known
>
>         union wait stat_loc;
>         -----------^
>
> /usr/lib/cmplrs/cc/cfe: Error: popen.c, line 147: Reference an expression of
> void type or an incomplete type.
>
>         union wait stat_loc;
>         -----------^
>
> Any ideas?  The ftp-gw, tn-gw and some others compiled without any errors.
>
> thanks

Subject: Compiler errors: ??????

nstall: /tmp/tst/fwtk/x-gw
cc -I.. -g -I/usr/include/X11 -c x-gw.c
cc -I.. -g -I/usr/include/X11 -c child.c
cc -I.. -g -I/usr/include/X11 -c fwd.c
cc -I.. -g -I/usr/include/X11 -c pmsg.c
cc -I.. -g -I/usr/include/X11 -c sig.c
/usr/lib/cmplrs/cc/cfe: Error: sig.c, line 35: storage size for 'wstatus' isn't known
        union wait wstatus;
        -------------------^
/usr/lib/cmplrs/cc/cfe: Error: sig.c, line 46: Reference an expression of void type or an incomplete type.
        if ((((wstatus) & 0177 ) != 0177 && ((wstatus) & 0177 ) != 0) || (((wstatus) & 0177 ) == 0177 ) ) {
        ---------------^
/usr/lib/cmplrs/cc/cfe: Error: sig.c, line 52: Reference an expression of void type or an incomplete type.
        if( !(((wstatus) & 0177 ) == 0) ) {
        -----------------^
/usr/lib/cmplrs/cc/cfe: Error: sig.c, line 57: Reference an expression of void type or an incomplete type.
        exitstat = ((((wstatus) & 0177 ) == 0) ? (((wstatus) >> 8) &0377) : -1);
        ----------------^
*** Exit 1
Stop.
*** Exit 1
Stop.

Any ideas???////////?????

Erik

    ____     _____    _______    __
   / _  |   / ___/   / _____/   / /          Erik Lindquist
  / /_| |  / /__    / /        / /           Systems Administrator
 / __  |  / ___/   / /        / /            AECL Whiteshell Laboratories
/ /  | | / /____  / /_____   / /_____        VOICE: (204) 753-2311x3145
/_/  |_|/______/ /_______/  /________/       FAX: (204) 753-2455
                                             E-mail: lindquie@wu1.wl.aecl.ca

From firewalls-owner Tue Dec 20 16:39:13 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA21133 for firewalls-outgoing; Tue, 20 Dec 1994 16:25:07 -0800
Received: from sdwsys (root@sdwsys.lig.net [199.18.175.129]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA21128; Tue, 20 Dec 1994 16:25:03 -0800
Received: by sdwsys (Linux Smail3.1.28.1 #20) id m0rKAEr-0009u8C; Tue, 20 Dec 94 19:28 GMT
Message-Id:
From: sdw@lig.net (Stephen D. Williams)
Subject: Re: Firewall and Linux
To: Brent@GreatCircle.COM (Brent Chapman)
Date: Tue, 20 Dec 1994 19:28:48 +0000 (GMT)
Cc: sdw@lig.net, ken@bridge.com, firewalls@greatcircle.com
In-Reply-To: from "Brent Chapman" at Dec 20, 94 02:17:33 pm
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1285
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well, I knew all the pieces but imagined a problem anyway.  Gee, I feel dull
today.

...
> The trick is getting the kernel to recognize the multitude of IP addresses
> in these packets being handed up by the ethernet hardware.  Traditionally,
> UNIX kernels have recognized one IP address per physical interface, but
> that's strictly a limitation in the kernel (i.e., does the kernel compare
> the destination address to a single IP address for that interface, or to a
> list of addresses for that interface?); it has nothing to do with the
> underlying physical interface (i.e., the ethernet hardware).
>
>
> -Brent
>
> --
> Brent Chapman         | Great Circle Associates  | Call or email for info about
> Brent@GreatCircle.COM | 1057 West Dana Street    | upcoming Internet Security
> +1 415 962 0841       | Mountain View, CA 94041  | Firewalls Tutorial dates

sdw
--
Stephen D. Williams  25Feb1965 VW,OH    sdw@lig.net  http://www.lig.net/~sdw
Senior Consultant    510.503.9227 CA Page  513.496.5223 OH Page  BA Aug94-Dec95
OO R&D AI:NN/ES crypto   By Buggy: 2464 Rosina Dr., Miamisburg, OH 45342-6430
Firewalls/WWW servers    ICBM: 39 38 34N 84 17 12W home, 37 58 41N 122 01 48W work
Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.29Nov94

From firewalls-owner Tue Dec 20 16:51:50 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA21077 for firewalls-outgoing; Tue, 20 Dec 1994 16:19:36 -0800
Received: from sdwsys (root@sdwsys.lig.net [199.18.175.129]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA21072 for ; Tue, 20 Dec 1994 16:19:32 -0800
Received: by sdwsys (Linux Smail3.1.28.1 #20) id m0rKA9T-0009svC; Tue, 20 Dec 94 19:23 GMT
Message-Id:
From: sdw@lig.net (Stephen D. Williams)
Subject: Re: Firewall and Linux
To: barney@databus.com (Barney Wolff)
Date: Tue, 20 Dec 1994 19:23:13 +0000 (GMT)
Cc: sdw@lig.net, ken@bridge.com, firewalls@greatcircle.com
In-Reply-To: <9412201754.AA02295@databus.databus.com> from "Barney Wolff" at Dec 20, 94 05:54:00 pm
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1450
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> > From: sdw@lig.net (Stephen D. Williams)
> > Subject: Re: Firewall and Linux
> >
> > What I need to figure out is if Linux can support multiple IP's per
> > interface.  I was just told yesterday that BSDi or freeBSD can do
> > that.  Since I thought it was standard for ethernet hardware to
> > support two addresses at most, I was surprised.  You would have to put
> > it into promiscuous mode which causes the box to process all packets.
> > I guess a modern machine can handle that.
>
> So far as I know, the hardware interface doesn't know about IP addresses
> at all, just 6-byte ethernet addresses.
> It's ARP and the IP stack that
> have to know to respond to more than one IP address, and that's all software.

Actually, I knew that and just forgot to translate, but your
response points to the obvious solution: hack the arp layer/table/responses
to return the same ethernet for multiple IPs.

I need to implement this in slip also, so I have some interesting kernel
diving to do.

>
> Barney Wolff
>

sdw
--
Stephen D. Williams  25Feb1965 VW,OH    sdw@lig.net  http://www.lig.net/~sdw
Senior Consultant    510.503.9227 CA Page  513.496.5223 OH Page  BA Aug94-Dec95
OO R&D AI:NN/ES crypto   By Buggy: 2464 Rosina Dr., Miamisburg, OH 45342-6430
Firewalls/WWW servers    ICBM: 39 38 34N 84 17 12W home, 37 58 41N 122 01 48W work
Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.29Nov94

From firewalls-owner Tue Dec 20 17:09:19 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA21619 for firewalls-outgoing; Tue, 20 Dec 1994 16:59:59 -0800
Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA21614; Tue, 20 Dec 1994 16:59:56 -0800
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 20 Dec 1994 16:59:05 -0800
To: system PRIVILEGED account , sotiris.baxevanis@intelsat.int
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: Problem compiling on DEC Alpha
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 16:05 12/20/94, system PRIVILEGED account wrote:
>On Mon, 28 Nov 1994 sotiris.baxevanis@intelsat.int wrote:
>
>> Hello, I'm trying to compile the TIS toolkit on a DEC Alpha OSF/1 version
>> 2.0 and I'm getting the following error in compiling the ftpd daemon.
>>
>> /usr/lib/cmplrs/cc/cfe: Error: popen.c, line 147: storage size for
>> 'stat_loc' is
>> n't known
>
>Any ideas???////////?????
No, but for what seems like the 14th time this week, let me remind folks that
the Firewalls@GreatCircle.COM mailing list is NOT the technical support outlet
for the TIS Firewalls Toolkit.  Questions such as this should be posted to the
"fwall-users@tis.com" mailing list.

-Brent

--
Brent Chapman         | Great Circle Associates  | Call or email for info about
Brent@GreatCircle.COM | 1057 West Dana Street    | upcoming Internet Security
+1 415 962 0841       | Mountain View, CA 94041  | Firewalls Tutorial dates

From firewalls-owner Tue Dec 20 22:39:10 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA23591 for firewalls-outgoing; Tue, 20 Dec 1994 22:16:50 -0800
Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id WAA23586 for ; Tue, 20 Dec 1994 22:16:34 -0800
Message-Id: <199412210616.WAA23586@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.38.193.3/16.2) id AA07582; Wed, 21 Dec 94 17:15:16 +1100
From: Darren Reed
Subject: Re: packet filter on stock OSes (was: what firewall platform?)
To: mcr@milkyway.com (Michael Richardson)
Date: Wed, 21 Dec 1994 17:15:16 +1100 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <3d7ado$bnr@calisto.milkyway.com> from "Michael Richardson" at Dec 20, 94 02:14:00 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 837
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> In article <199412200348.WAA14292@bronze.lcs.mit.edu>,
> *Hobbit* wrote:
> >However, neither implementation apparently cares what *interface* a given
> >packet came from, which makes it useless as a real packet filter!  I beat
> >up the developers newsgroup about it; hopefully they'll do something both in
> >linux and 44bsd about this.
>
>   Uh, the interface a packet arrived on is available from the mbuf
> header in 44bsd systems.
> I've used this fairly easily to build a
> fairly minimal packet filter so that "virtual private networking"
> (encrypting and sending to a branch office) works, and isn't spoofed
> by packets arriving from the "public" interface.
>
> This is possible in 43BSD/SunOS too, thanks to a little kludge.

I think the reference here is to BPF, rather than kernel internals.

From firewalls-owner Wed Dec 21 01:39:31 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA24557 for firewalls-outgoing; Wed, 21 Dec 1994 01:15:52 -0800
Received: from inet-gw-2.pa.dec.com (inet-gw-2.pa.dec.com [16.1.0.23]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id BAA24552 for ; Wed, 21 Dec 1994 01:15:49 -0800
Received: from ilonet.ilo.dec.com by inet-gw-2.pa.dec.com (5.65/10Aug94) id AA00146; Wed, 21 Dec 94 01:09:55 -0800
Received: by ilonet.ilo.dec.com (5.65/MS-012594); id AA09127; Wed, 21 Dec 1994 09:11:02 GMT
Received: by karpov.ilo.dec.com; id AA01944; Wed, 21 Dec 1994 09:07:51 GMT
Date: Wed, 21 Dec 1994 09:07:51 GMT
From: Dermot Tynan
Message-Id: <9412210907.AA01944@karpov.ilo.dec.com>
To: root@wu1.wl.aecl.ca, sotiris.baxevanis@intelsat.int
Subject: Re: Problem compiling on DEC Alpha
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The 'wait(2)' system call on OSF/1 takes an int pointer as argument, not a
union.  Replace the 'union wait wstatus' line with an 'int wstatus;' and
wherever 'wait(2)' is called, make sure its address is passed and not its
value (as in ... wait(&wstatus)).  Also make sure that the code is not
referencing an element of the 'wait' union.  I would have thought the code
had #ifdefs to differentiate between different UNIX types.

Anyway, it would be a lot easier just to use the Digital Firewall Service...
:)

	- Der

From firewalls-owner Wed Dec 21 05:39:14 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA25858 for firewalls-outgoing; Wed, 21 Dec 1994 05:27:16 -0800
Received: from taureau.as03.bull.oz.au (taureau.as03.bull.oz.au [134.211.128.112]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA25853 for ; Wed, 21 Dec 1994 05:27:08 -0800
Received: by taureau.as03.bull.oz.au id AA19621 (5.65c/IDA-1.4.4 for Firewalls@greatcircle.com); Thu, 22 Dec 1994 00:51:54 +1100
Received: from localhost (sjg@localhost [127.0.0.1]) by zen.void.oz.au (8.6.9/8.6.9) with SMTP id AAA14032; Thu, 22 Dec 1994 00:29:26 +1100
Message-Id: <199412211329.AAA14032@zen.void.oz.au>
X-Authentication-Warning: zen.void.oz.au: Host localhost didn't use HELO protocol
To: Brian Clapper
Cc: Firewalls@greatcircle.com
Subject: Re: NFS proxy?
In-Reply-To: Your message of "Tue, 20 Dec 94 17:30:14 CDT." <199412202230.RAA15116@telebase.com>
Date: Thu, 22 Dec 1994 00:29:23 +1100
From: "Simon J. Gerraty"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Shannon Bell wrote:
> >
> > I realize this is very not recommended, but for various reasons we really need
> > to be able to allow one particular filesystem on an internal machine to be
> > mounted on one particular external machine.  I've tried using udprelay and
> > plug-gw to proxy ports 2049 and 111, but that doesn't seem to be quite enough.
> > Does anyone know of a package that will handle this?

Brian Clapper wrote:
>
> Cheswick and Bellovin talk about NFS proxies in their Firewalls book; it's
> worth reading.  In Appendix A, they state:
>
>     "Linux has a user-level NFS server.  It would be a good starting
>     point for a proxy version similar to ours."

Yep.  This is exactly what I'm doing at present.... for a firewall project at
one of my customer sites.  I can't recall if I actually got the stuff from
txs-11 though that was the first place I tried...
I ended up with nfs-server-2.0.tar.gz

It needed only a few changes to compile on SunOS, and NetBSD, though as
shipped it only recognizes nfs mountpoints for linux.  You'll need to edit
nfsmounted.c for sure.

Since I was testing on the NetBSD system I had to hack quite a bit to make it
handle the new 4.4BSD symlinks.  In the end I hacked the kernel to make it
behave like earlier versions...

There was also a bug in the cache lookup code that caused it to report STALE
NFS handles incorrectly when simply dealing with a file with multiple links
in different directories.

Anyway, at this point I have the nfs server working ok though hardly stress
tested.  The next step is to split it in two so that the NFS RPCs can be sent
via a TCP stream through the firewall as we don't plan to allow any UDP
traffic through.  I also plan to make it work without the need for a
portmapper on the server....

Anyone else working on this?

--sjg

From firewalls-owner Wed Dec 21 06:09:10 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA26030 for firewalls-outgoing; Wed, 21 Dec 1994 05:53:20 -0800
Received: from alv.nada.kth.se (alv.nada.kth.se [130.237.223.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA26025 for ; Wed, 21 Dec 1994 05:53:16 -0800
From: x-frode@nada.kth.se
Received: by alv.nada.kth.se (5.61-bind 1.4+ida/nada-mx-1.0) id AA03227; Wed, 21 Dec 94 14:52:01 +0100
Date: Wed, 21 Dec 94 14:52:01 +0100
Message-Id: <9412211352.AA03227@alv.nada.kth.se>
To: Firewalls@GreatCircle.COM
Subject: Configuration advice needed
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am doing a project at an institution in Sweden investigating the possible
ways of securely accessing the Internet.  We plan to:

1) Let Telnet Clients on the inside access the Internet.  A proxy is
   probably needed.
2) Support SMTP mail.
3) Provide on-site information to the WWW.

The way we want to do this is as follows:
Have a web-server reachable to the outside.
Have an inside machine containing a database receiving SQL-queries from the
web-server via a TCP/IP-connection.  The inside database-machine sends its
results to the outside web-server via the same TCP/IP-connection.  The
results from the database (i.e. documents) go to the world from the
web-server via http.

The questions are:

i)  Should I recommend a single bastion-host and one router connected to the
    Internet?  The router would be letting through outbound telnet, inbound
    http and SMTP mainly.  The bastion would be running the telnet-proxy,
    web-server, a mail-program and the database-to-webserver TCP/IP-script.
    If this is a good solution, should the bastion be dual-homed or a
    single-interface one?

ii) or should I choose a screened-subnet configuration with dual routers and
    the services I mentioned running on different machines?

I am happy for all kinds of advice and comments on this

Thanks in advance

Frode

From firewalls-owner Wed Dec 21 06:39:18 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA26302 for firewalls-outgoing; Wed, 21 Dec 1994 06:19:53 -0800
Received: from post.demon.co.uk (post.demon.co.uk [158.152.1.72]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA26297 for ; Wed, 21 Dec 1994 06:19:47 -0800
Received: from actbsh.demon.co.uk by post.demon.co.uk id aa10662; 21 Dec 94 14:03 GMT
Received: from spok01.actbs.com by lmux.actbs.com id aa01989; 21 Dec 94 14:02 GMT
Subject: Re: Proxy aware COMt?
To: Dave Wright
Date: Wed, 21 Dec 1994 14:01:45 +0000 (GMT)
From: davem
Cc: ferioli@disaster.com, firewalls@greatcircle.com
In-Reply-To: <199412201735.JAA03828@chern.msri.org> from "Dave Wright" at Dec 20, 94 09:35:40 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1734
Message-ID: <9412211401.aa18053@spok01.actbs.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I saw this, which I got from micros.hensa.ac.uk, and tried it out.
It tries to make everything look like a Hayes modem, if I remember correctly.
It turned out not to be too useful for us.  It would however be very useful
if you wanted to hang a modem on a terminal server port or some such thing.
I couldn't use it in our environment.

>
> >
> > Through a private conversation with another member of this list, I was
> > made aware of a Proxy aware COMt for windows.  Can anyone confirm the
> > existence of such a beast?  If so, I'd imagine it would have to be
> > written for a SPECIFIC set of proxy agents... perhaps for FWTK?  If
> > anyone knows where I can get more info or get my hands on the thing,
> > please let me know.
> >
> > Also, can anyone point me in the direction of a socks-ified winsock?
> >
> > ------------------------------------------------------------------------------
> > Michael D. Ferioli              Design & Disaster Recovery Consulting
> > Special Projects Consultant     Suite 300
> > ferioli@disaster.com            9 Elm Street
> >                                 Albany, NY 12202
> > info@disaster.com
> >
> >
>
> ftp://ftp.trumpet.com.au/ftp/pub/winsock/twsk20b.zip
> there are some other apps there too, that will let you use
> a proxy host
>
>  ________  o                    Dave Wright
>  _______ _/\_>                  dave@msri.org
>  _______O=>// O                 91CBR1000F 87EX500 AFM# 316
>  --------------                 Mathematical Sciences Research Institute
>
>

--
Dave Miles               Email: davem@actbs.com
Senior Consultant        Voice: +44 1442-883320
Parity Systems Ltd.      Fax:   +44 1442-256739
Technology House
Maylands Avenue
Hemel Hempstead HP2 7DF
England

From firewalls-owner Wed Dec 21 07:09:21 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA26598 for firewalls-outgoing; Wed, 21 Dec 1994 06:41:12 -0800
Received: from gatekeeper.ddp.state.me.us (gatekeeper.ddp.state.me.us [141.114.130.70]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA26593 for ; Wed, 21 Dec 1994 06:41:08 -0800
Received: from localhost by gatekeeper.ddp.state.me.us (8.6.5/1.37) id JAA20305; Wed, 21 Dec 1994 09:35:03 -0500
Date: Wed, 21 Dec 1994 09:35:02 -0500 (EST)
From: David Miller
Subject: Re: Proxy aware COMt?
To: Patrick Horgan
cc: sdw@lig.net, ferioli@disaster.com, firewalls@greatcircle.com
In-Reply-To: <9412202055.AA13057@brittany.oes.amdahl.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 20 Dec 1994, Patrick Horgan wrote:

> > > >I've been watching and I don't think anyone else has asked: Does anyone have
> > > >a proxy aware telnet?  I need it desperately.  ftp, www, gopher, etc.
> > > >are all taken care of by cern_httpd, but telnet is a problem.
> > >
> If you have sockd on your firewall you can use rtelnet, and it works just fine
> from a web browser, (as long as you make sure that it's the telnet it gets!)
>

Depends on your environment.  Unix socksified rtelnets seem almost common, but
many of us are looking for a dos/windows version.

> Patrick
>
> These opinions are mine, and not Amdahl's (except by coincidence;).
>
>  ~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~
> /                        |                            |    (\         \
> | Patrick J. Horgan      | Amdahl Corporation         |     \\  Have   |
> | patrick@oes.amdahl.com | 1250 East Arques Avenue    |      \\ _ Sword |
> | Phone : (408)992-2779  | P.O. Box 3470 M/S 316      |      \\/ Will  |
> | FAX : (408)773-0833    | Sunnyvale, CA 94088-3470   |     _/\\ Travel |
> \                        | O16-2294                   |     \)  /
>  ~~~~~~~~~~~~~~~~~~~~~~~~  ~~~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~
>

----------------------------------------------------------------------------
It's *amazing* what one can accomplish when one doesn't know what one can't do!

From firewalls-owner Wed Dec 21 07:26:24 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA26933 for firewalls-outgoing; Wed, 21 Dec 1994 07:05:45 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA26821 for ; Wed, 21 Dec 1994 06:58:28 -0800
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA02223; Tue, 20 Dec 94 13:41:14 -0500
Date: Tue, 20 Dec 94 13:41:14 -0500
Message-Id: <9412201841.AA02223@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Mosaic FTP Control
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From:	UVS1::"firewalls-owner@greatcircle.com" 20-DEC-1994 13:29:51.99
To:	firewalls@greatcircle.com
CC:
Subj:	Mosaic FTP control

Bob Voelker writes:

> Is there any way to check a FTP packet for virus corruption running
> Mosaic clients with a BSDI operated firewall?  Is there a proxy
> product or a way to code a proxy to quickly scan FTP packets before
> they hit the users machine.  Thanks!

Short Answer: No

Medium Answer: You cannot tell from an individual packet what platform
               it is intended for, much less if it is compressed/uuencoded/
               ASCIIized/executable

Long Answer: Didn't I post it here last month ?

					Warmly,
						Padgett

ps I could post my ASCII-executable Christmas Card if you want a good
   example of the impossibility of pre-determination without emulation.
   - this is the one Rob Slade wrote about in CUD but only if Brent doesn't
   mind.
   (a bit over 2k bytes).

From firewalls-owner Wed Dec 21 08:09:27 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA27558 for firewalls-outgoing; Wed, 21 Dec 1994 07:55:58 -0800
Received: from blackhole.milkyway.com (milkyway.com [198.53.167.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA27553 for ; Wed, 21 Dec 1994 07:55:53 -0800
Received: from localhost (uucp@localhost) by blackhole.milkyway.com (8.6.5/8.6.6) id KAA26430 for ; Wed, 21 Dec 1994 10:56:48 -0500
Received: from jupiter.milkyway.com(192.168.77.9) by internet.milkyway.com via smap (V1.3) id sma026425; Wed Dec 21 10:56:43 1994
Received: from calisto.milkyway.com (calisto.milkyway.com [192.168.77.2]) by jupiter.milkyway.com (8.6.7/8.6.6) with SMTP id KAA08916 for ; Wed, 21 Dec 1994 10:59:29 -0500
Message-Id: <199412211559.KAA08916@jupiter.milkyway.com>
To: firewalls@greatcircle.com
Subject: Re: packet filter on stock OSes (was: what firewall platform?)
In-reply-to: Your message of "Tue, 20 Dec 1994 22:41:50 +0100." <9412202141.AA23325@mozart.ergon.ch>
Date: Wed, 21 Dec 1994 10:59:15 -0500
From: Michael Richardson
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>>>> "Sten" == Sten Gunterberg writes:

    >> interface.  This is possible in 43BSD/SunOS too, thanks to a
    >> little kludge.
    >>
    Sten> Hmm.  Interesting.  Can you describe the "little kludge"?
    Sten> Directly to the list would be best, as I'm sure a lot of
    Sten> people would be interested.

  This isn't a kludge that I did, rather something that was there.  It is
however, at the level of a kludge, which bsd44 fixes in a nice way.

  See net/if.h, the macro IF_DEQUEUEIF, there are lots of comments there.
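The OSF/1 compile errors in popen.c and sig.c above, and Dermot Tynan's fix for them (an `int` status, passed by address), come down to how a wait status is decoded. What follows is an added example, not FWTK code and not anything posted in this thread. It shows the decoding the quoted sig.c masks perform on a plain `int`, the POSIX macro form that compiles on BSD-style and SVR4/OSF-style systems alike, and a small runner that calls `waitpid(&status)` the way Dermot describes. The `/bin/sh -c` wrapper and the command strings are my own choices for the demonstration.

```c
/* Added example: portable wait(2) status handling.  Not FWTK code. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Decode a raw status word the way the quoted sig.c masks do: the low
 * seven bits are zero for a normal exit, and the exit code then lives in
 * bits 8..15.  Anything else (killed by a signal, stopped) yields -1.
 * This works on an int on every Unix; 'union wait' is the 4.3BSD-only
 * spelling of the same word, which OSF/1's <sys/wait.h> does not define.
 */
int decode_status_raw(int wstatus)
{
    if ((wstatus & 0177) == 0)
        return (wstatus >> 8) & 0377;
    return -1;
}

/* The same decision through the POSIX macros, which hide the bit layout. */
int decode_status_posix(int wstatus)
{
    if (WIFEXITED(wstatus))
        return WEXITSTATUS(wstatus);
    return -1;                       /* WIFSIGNALED or WIFSTOPPED */
}

/*
 * Run `cmd` under /bin/sh -c and return its exit code, or -1 if it died
 * from a signal or could not be started.  Note the int status variable and
 * the address handed to waitpid(): this is the portable form Dermot gives.
 */
int run_and_get_exit_status(const char *cmd)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                  /* exec failed */
    }
    int wstatus = 0;
    if (waitpid(pid, &wstatus, 0) != pid)
        return -1;
    /* The two decoders must agree; the raw one is what the FWTK macros expand to. */
    if (decode_status_raw(wstatus) != decode_status_posix(wstatus))
        return -1;
    return decode_status_posix(wstatus);
}

int main(void)
{
    printf("exit 7     -> %d\n", run_and_get_exit_status("exit 7"));
    printf("true       -> %d\n", run_and_get_exit_status("true"));
    printf("kill -9 $$ -> %d\n", run_and_get_exit_status("kill -9 $$"));
    return 0;
}
```

If you are porting code that still says `union wait`, the check to make is the one Dermot lists: every `wait()`/`waitpid()` call passes `&wstatus`, and no code reads a member of the union (`w_retcode`, `w_termsig`) where `WEXITSTATUS()`/`WTERMSIG()` on the `int` is meant.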
From firewalls-owner Wed Dec 21 10:14:32 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA28546 for firewalls-outgoing; Wed, 21 Dec 1994 10:06:22 -0800
Received: from ns.incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA28541 for ; Wed, 21 Dec 1994 10:06:19 -0800
From: mulligan@poptop.incog.com
Received: from osmosys.incog.com by ns.incog.com (8.6.9/94082501) id KAA02890; Wed, 21 Dec 1994 10:04:36 -0800
Received: from poptop.incog.com by osmosys.incog.com (5.x/SMI-SVR4) id AA01152; Wed, 21 Dec 1994 10:04:51 -0800
Received: from localhost by poptop.incog.com (5.x/SMI-SVR4) id AA00842; Wed, 21 Dec 1994 11:02:15 -0700
Message-Id: <9412211802.AA00842@poptop.incog.com>
To: sdw@lig.net (Stephen D. Williams)
Cc: barney@databus.com (Barney Wolff), ken@bridge.com, firewalls@greatcircle.com
Subject: Re: Firewall and Linux
In-Reply-To: Your message of "Tue, 20 Dec 94 19:23:13 GMT."
Date: Wed, 21 Dec 94 11:02:15 MST
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Actually, I knew that and just forgot to translate, but your
> response points to the obvious solution: hack the arp layer/table/responses
> to return the same ethernet for multiple IPs.

This won't work.  Unless the kernel recognizes the IP address as its
own it won't pass the packets to a high layer protocol but will try to
route the packet instead.  If linux will only recognize one address per
interface then hacks to arp won't help.

geoff

From firewalls-owner Wed Dec 21 11:42:55 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA29278 for firewalls-outgoing; Wed, 21 Dec 1994 11:28:58 -0800
Received: from rohrer.rohrer.com (sol.rohrer.com [198.51.253.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA29273 for ; Wed, 21 Dec 1994 11:28:48 -0800
Received: by rohrer.rohrer.com (5.65/DEC-Ultrix/4.3) id AA17752; Wed, 21 Dec 1994 14:26:24 -0500
Date: Wed, 21 Dec 1994 14:26:24 -0500 (EST)
From: Joe Matuscak
To: Henry Lemon
Cc: Firewalls
Subject: Re: Internet security for a VAX VMS Network
In-Reply-To: <53941220211435/0003668858NA1EM@MCIMAIL.COM>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 20 Dec 1994, Henry Lemon wrote:

> We are presently a VAX VMS shop, running Decnet and Lat.  TCP is being
> considered and evaluated.  We have very little Unix experience.  There is
> however great interest in connecting to the internet.  Is it feasible to
> install a router, add a Vax with two ethernet interfaces and run TCP on
> one and decnet on the other.  Connections to the corporate network will
> be by decnet using personal computers as display servers.  Mosaic will
> run on the VAX and displayed to the personal computers using DECNET.

In the past, I worked in a mostly VMS mostly DECnet shop and I still have
DECnet here (at least at the moment), so I'm familiar with that environment.
The configuration you're talking about is possible, but I'm not convinced
that it's at all secure.  It seems more like an attempt at "security through
obscurity" rather than what you would get out of a "real" firewall.  I'd also
question how happy your users would be with using VMS Mosaic over X versus a
local implementation as well as the other Internet services.

> The
> VAX will only serve the purpose of interfacing to the internet.
> In order
> to penetrate the corporate network, the hacker would have to use TCP and
> DECNET.

I'd guess that you would be planning on having user accounts on the bastion
VMS system and either have the users log in (or use a DECnet task to task
tool) and do a "set display/node=xxx/create".  This implies having user
accounts (probably with NETMBX privilege) on the bastion system.  This is
generally considered to be a bad thing.  It gives the potential cracker more
doorknobs to rattle and more users that can have dumb passwords that might
allow an attacker to get a toehold on your VMS bastion.  From there, they
can start to prod your internal DECnet machines.  Despite the Internet being
tcp/ip based, there are folks out there that have seen DECnet.  Besides,
unlike Unix, VMS has a useful help system :-)

> The only nodes defined in decnet database would be the display
> servers.

But of course, the DECnet database really only does nodename <-> DECnet
address translation.  That (or show net) gives you the DECnet area that you
are using.  All the utilities (set host, copy, etc.) are perfectly happy to
take numeric format DECnet addresses that don't look at the database at all.
(Try "set host N::" where N = (Area*1024)+Node number).  From there it's
maybe a ten line DCL procedure to try every DECnet address in your area and
log the ones that are used by systems (even if you aren't running proxies
and don't have default DECnet accounts).

> We know nothing about TCP/IP.

This is going to be a problem.  For example, one of the things that would
improve the security of the above environment would be to set up filtering
rules in the router.  These might allow inbound mail but not telnet for
example.  That requires you to understand the particular router (and they
are all different) *and* understand the various tcp/ip protocols in fairly
gory detail.  BTW, depending on your needs for security, a screening router
might be all you decide you need.
> We are such novices that I have installed DECNET on the Corporate UNIX
> boxes.  I don't know how much longer I can use the excuse of Ignorance.

I've made the transition from being DECnet centric to living in a tcp world.
It's not easy, but I think it's the way the world is going.  Besides, it's
more useful on one's resume than DECnet/OSI :-)

> Our lack of UNIX and TCP skills will make us vulnerable to every two bit
> hacker on the internet even if we were to install a firewall.

I don't think that's true.  I think if you buy a commercial firewall package
one of the things you get for your money is people who are tcp/ip and
firewall gurus.  Administering a firewall that was well designed and
installed after training is a world different from setting one up from
scratch.

> Any ideas
> as to a game plan.  Long term, TCP will also be running on our corporate
> network.  I need to satisfy our users until we are able to support a
> firewall.  I don't want to give them something and have to take it away
> later.

I'd suggest you get a copy of the Cheswick and Bellovin firewalls book.
Decide on what kind of security policy makes sense for your organization.
Look at some commercial firewalls.  Start getting some staff training on
tcp.  Get TGV MultiNet for a VMS box (I haven't heard many good things about
DEC's UCX).  If you're running PathWorks, install V5 and set up a small IP
test network.  That's probably a good start.
Good Luck Joe Matuscak Rohrer Corporation 717 Seville Road Wadsworth, Ohio 44281 (216)335-1541 Matuscak@Rohrer.com From firewalls-owner Wed Dec 21 12:39:15 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA29826 for firewalls-outgoing; Wed, 21 Dec 1994 12:26:08 -0800 Received: from bos1a.delphi.com (SYSTEM@bos1a.delphi.com [192.80.63.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA29821 for ; Wed, 21 Dec 1994 12:26:05 -0800 Received: from delphi.com by delphi.com (PMDF V4.3-9 #7804) id <01HKWRSZ06SG94EM6T@delphi.com>; Wed, 21 Dec 1994 15:24:00 -0500 (EST) Date: Wed, 21 Dec 1994 15:24:00 -0500 (EST) From: Network Security Observations Subject: Mosaic FTP Control To: padgett@tccslr.dnet.mmc.com, firewalls@GreatCircle.com Message-id: <01HKWRSZ0GG294EM6T@delphi.com> X-VMS-To: INTERNET"padgett@tccslr.dnet.mmc.com" X-VMS-Cc: INTERNET"firewalls@GreatCircle.com" ,NSO MIME-version: 1.0 Content-type: TEXT/PLAIN; CHARSET=US-ASCII Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Subj: Mosaic FTP control > Bob Voelker rites: > > Is there any way to check a FTP packet for virus corruption running > > Mosaic clients with a BSDI operated firewall? Is there a proxy > > product or a way to code a proxy to quickly scan FTP packets before > > they hit the users machine. Thanks! > > Short Answer: No > Medium Answer: You cannot tell from an indidual packet what platform > it is intended for, much less is is compressed/uuencoded/ > ASCIIized/executable > Long Answer: Didn't I post it here last month ? > > Warmly, > Padgett > > ps I could post my ASCII-executable Christmas Card if you want a good > example of the impossibility of pre-determination without emulation. > - this is the one Rob Slade wrote about in CUD but only if Brent doesn't > mind. (a bit over 2k bytes). ----------- P: >>> could the inability lead to a 'problematic situation', anyhow ? 
Shivering, Bertil Fortrie From firewalls-owner Wed Dec 21 13:11:53 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA00107 for firewalls-outgoing; Wed, 21 Dec 1994 12:51:14 -0800 Received: from telemann.inoc.dl.nec.com (telemann.inoc.dl.nec.com [143.101.112.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA29998 for ; Wed, 21 Dec 1994 12:51:08 -0800 Received: by telemann.inoc.dl.nec.com (8.6.9/YDL1.9.1-940729.15) id OAA25372(telemann.inoc.dl.nec.com); Wed, 21 Dec 1994 14:48:35 -0600 Received: by texas.syl.dl.nec.com (8.6.9/YDL1.9-930614.17) id OAA27808(texas.syl.dl.nec.com); Wed, 21 Dec 1994 14:48:34 -0600 Received: by warbucks.syl.dl.nec.com (8.6.9/YDL1.9.1-940729.15) id OAA22796(warbucks.syl.dl.nec.com); Wed, 21 Dec 1994 14:48:25 -0600 Date: Wed, 21 Dec 1994 14:48:25 -0600 From: ylee@syl.dl.nec.com (Ying-Da Lee) Message-Id: <199412212048.OAA22796@warbucks.syl.dl.nec.com> To: dave@msri.org, ferioli@disaster.com, firewalls@GreatCircle.COM Subject: SOCKSified winsock Cc: ylee@syl.dl.nec.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >> Also, can anyone point me in the direction of a socks-ified winsock? >ftp://ftp.trumpet.com.au/ftp/pub/winsock/twsk20b.zip >there are some other apps there too, that will let you use >a proxy host Unfortunately the handling of Rbind() in that version of Trumpet winsock is still not right. But that may not be such a big drawback since among the commonly used clients only ftp makes use of that and it can be circumvented even there by making the server do PASV mode, which is available in the current version of WS_FTP and I suspect in many WWW browsers. Ying-Da Lee (214)518-3490 (214)518-3552 (FAX) Principal Member, Technical Staff NEC Systems Laboratory, C&C Software Technology Center ylee@syl.dl.nec.com Speaking only for myself. 
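The Rbind() remark above comes down to which side opens the FTP data connection. In active mode the client sends PORT and the server connects back to it, so a SOCKSified client needs a proxy-side listening socket (Rbind()); in passive mode the client reads the server's 227 reply and opens the data connection outbound, which is why PASV sidesteps the broken call and is also the mode an outbound-only firewall can pass. The Python below is an added illustration, not code from the original post or from Trumpet, WS_FTP or any other product named in it; the server replies and the outbound-only policy are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample replies (not captured from any real server).
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)\r\n"
SAMPLE_REFUSED_REPLY = "425 Can't open data connection.\r\n"

# RFC 959 style 227 reply: six comma-separated decimal fields in parentheses.
_PASV_RE = re.compile(
    r"^227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


@dataclass(frozen=True)
class DataEndpoint:
    """Where the FTP data connection goes and who opens it."""
    host: str
    port: int
    # "outbound": client connects to server (PASV); a plain SOCKS connect() suffices.
    # "inbound":  server connects back to client (PORT); the client must listen,
    #             which through SOCKS means Rbind(), the call the post says is broken.
    direction: str


def _check_ipv4(host: str) -> None:
    parts = host.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted-quad IPv4 address: {host!r}")


def parse_pasv(reply: str) -> DataEndpoint:
    """Turn a 227 reply into the endpoint the client must connect out to."""
    m = _PASV_RE.match(reply)
    if not m:
        raise ValueError(f"not a valid 227 PASV reply: {reply.strip()!r}")
    f = [int(x) for x in m.groups()]
    if any(v > 255 for v in f):
        raise ValueError("field out of range in PASV reply")
    port = f[4] * 256 + f[5]
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return DataEndpoint(".".join(str(v) for v in f[:4]), port, "outbound")


def pasv_or_none(reply: str) -> Optional[DataEndpoint]:
    """Same as parse_pasv() but returns None for anything that is not a 227."""
    try:
        return parse_pasv(reply)
    except ValueError:
        return None


def build_port_command(client_ip: str, client_port: int) -> str:
    """Active mode: the PORT line a client sends to advertise its own listener."""
    _check_ipv4(client_ip)
    if not 0 < client_port < 65536:
        raise ValueError("port out of range")
    return "PORT %s,%d,%d\r\n" % (
        client_ip.replace(".", ","), client_port // 256, client_port % 256)


def active_endpoint(client_ip: str, client_port: int) -> DataEndpoint:
    """The endpoint implied by a PORT command: the server will connect back in."""
    _check_ipv4(client_ip)
    if not 0 < client_port < 65536:
        raise ValueError("port out of range")
    return DataEndpoint(client_ip, client_port, "inbound")


def data_connection_allowed(ep: DataEndpoint, allow_inbound: bool = False) -> bool:
    """Policy of an outbound-only firewall or SOCKS relay: client-initiated data
    connections pass; server-initiated ones only if the site explicitly opens them."""
    return ep.direction == "outbound" or allow_inbound


if __name__ == "__main__":
    passive = parse_pasv(SAMPLE_PASV_REPLY)
    active = active_endpoint("10.0.0.5", 50000)
    print("PASV ->", passive, "allowed:", data_connection_allowed(passive))
    print("PORT ->", build_port_command("10.0.0.5", 50000).strip(),
          "allowed:", data_connection_allowed(active))
```

The port arithmetic (p1*256 + p2) is the same in both directions; what changes between PORT and PASV is only who calls connect(), and that is the whole of the difference a packet filter or SOCKS relay cares about.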
From firewalls-owner Wed Dec 21 14:09:23 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA00756 for firewalls-outgoing; Wed, 21 Dec 1994 13:59:25 -0800
Received: from st-james.comp.vuw.ac.nz (st-james.comp.vuw.ac.nz [130.195.5.14]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA00751 for ; Wed, 21 Dec 1994 13:59:21 -0800
Received: from gcs.co.nz (uucp@localhost) by st-james.comp.vuw.ac.nz (8.6.9/8.6.9-VUW) with UUCP/animal id JAA20159; Thu, 22 Dec 1994 09:52:08 +1300
Received: from oscar.lab.gcs.co.nz (oscar.lab.gcs.co.nz [134.251.6.254]) by fozzie.gcs.co.nz (8.6.9/8.6.9) with ESMTP id IAA13553; Thu, 22 Dec 1994 08:26:26 +1300
Received: (from tim@localhost) by oscar.lab.gcs.co.nz (8.6.9/8.6.9) id TAA06114; Wed, 21 Dec 1994 19:33:06 GMT
From: Tim Frost
Message-Id: <199412211933.TAA06114@oscar.lab.gcs.co.nz>
Subject: Re: Firewall and Linux
To: mulligan@poptop.incog.com
Date: Thu, 22 Dec 1994 08:33:04 +1300 (NZDT)
Cc: barney@databus.com (Barney Wolff), ken@bridge.com, firewalls@GreatCircle.COM
In-Reply-To: <9412211802.AA00842@poptop.incog.com> from "mulligan@poptop.incog.com" at Dec 21, 94 11:02:15 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 893
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

mulligan@poptop.incog.com wrote:
>
> > Actually, I knew that and just forgot to translate, but your
> > response points to the obvious solution: hack the arp layer/table/responses
> > to return the same ethernet for multiple IPs.
>
> This won't work. Unless the kernel recognizes the IP address as its
> own it won't pass the packets to a high layer protocol but will try to
> route the packet instead. If linux will only recognize one address per
> interface then hacks to arp won't help.

From my reading of Linux documentation, this is the purpose of the dummy
interface: You configure the eth0 interface with the preferred address,
and configure dummy interfaces with additional IP addresses.

Tim

> > geoff
>
--
Tim Frost, Systems Consultant, GCS Ltd (EDS NZ Ltd)
P.O. Box 3055, Wellington, New Zealand.
Voice: +64 4 495-0400  Fax: +64 4 495-0565  Email: tim@gcs.co.nz

From firewalls-owner Wed Dec 21 14:32:41 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA00834 for firewalls-outgoing; Wed, 21 Dec 1994 14:05:16 -0800
Received: from ucsd.edu (ucsd.edu [132.239.254.201]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA00829 for ; Wed, 21 Dec 1994 14:05:11 -0800
Received: from milton by ucsd.edu; id OAA26608 sendmail 8.6.9/UCSD-2.2-sun via SMTP Wed, 21 Dec 1994 14:03:46 -0800
Date: Wed, 21 Dec 1994 14:03:46 -0800
Message-Id: <199412212203.OAA26608@ucsd.edu>
X-Sender: it1@sdcc1.ucsd.edu
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Henry Lemon
From: mlopez@ucsd.edu (Milton F. Lopez)
Subject: Re: Internet security for a VAX VMS Network
Cc: firewalls@greatcircle.com
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> We are presently a VAX VMS shop, running Decnet and Lat. TCP is being
> considered and evaluated. We have very little Unix experience. There is
> however great interest in connecting to the internet ...
--------------------------------------------snip-------------------------------

I manage a small VAX site running Pathworks to a dozen or so PCs - a DECnet
shop not unlike yours. We are in the process of "getting connected to the
Internet and keeping our VAX and PCs safe". I agree with Joe Matuscak's
suggestions in another recent reply to your message posted on this list.
Try Pathworks 5.x, even if it means dealing with *another* security
headache (LAN Manager) - it will help you deal with simultaneous DECnet and
TCP/IP on your LAN later.

If you need to do something soon, consider a commercial firewall product
and then learn as you go. Definitely read Bellovin & Cheswick's book. From
my own bit of exploring (on paper, that is - we are not yet connected), the
Janus product by Border Technologies, Inc. seems to be the best "turn key"
firewall out there. Some vendors uphold the "you'd better know Unix and IP"
philosophy to a fault, in my opinion. You *should* understand what is going
on, but not necessarily become an expert on everything. If a product does
its job, then you can do yours - manage it - much better.

Take care.

Milton F. Lopez
mlopez@ucsd.edu
Voice: (619) 546-7041  Fax: (619) 546-7133

From firewalls-owner Wed Dec 21 15:09:11 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA01309 for firewalls-outgoing; Wed, 21 Dec 1994 14:54:14 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA01304 for ; Wed, 21 Dec 1994 14:54:08 -0800
From: mjr@tis.com
Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA08195; Wed, 21 Dec 94 10:45:57 -0500
Date: Wed, 21 Dec 94 10:45:56 -0500
Message-Id: <9412211545.AA08195@uvs1.orl.mmc.com>
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Cc: "firewalls@greatcircle.com"@uvs1.dnet.mmc.com
Subject: Re: Mosaic FTP Control
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Short Answer: No
> Medium Answer: You cannot tell from an individual packet what platform
> it is intended for, much less is it compressed/uuencoded/
> ASCIIized/executable
> Long Answer: Didn't I post it here last month ?

Side Issue: And if it's encrypted with PGP, *THEN* what do you do?

mjr.
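Padgett's "Medium Answer" (you cannot tell from an individual packet what a payload is) has a defender-side corollary that is worth seeing in code: a filter that inspects packets one at a time is defeated by nothing more than a segment boundary, a filter that reassembles the TCP stream at least sees the whole byte sequence, and even then a reversible transfer encoding removes any literal pattern, which is the limitation the thread keeps coming back to. The Python below is an added example, not part of the original thread or of any product mentioned in it; the sample stream, the six-byte pattern (the opening bytes of the executable-ASCII card Padgett posted later in this thread) and the segment sizes are all constructed.

```python
import base64
from dataclasses import dataclass
from typing import Iterable, List

# Hypothetical six-byte pattern a signature scanner might look for. It is the
# start of the executable-ASCII card Padgett posted; any other literal would do.
SIGNATURE = b"XP[@PP"

# Constructed sample stream (not a capture): a banner followed by the first
# bytes of the card, so that a short MSS splits the pattern across segments.
SAMPLE_STREAM = b"220 ftp ready\r\n" + b"XP[@PPD]5`P(f#(f((f?5!QP"


@dataclass(frozen=True)
class Segment:
    """One TCP segment's payload and the sequence number of its first byte."""
    seq: int
    payload: bytes


def build_segments(data: bytes, mss: int, start_seq: int = 1000) -> List[Segment]:
    """Chop data into MSS-sized segments, the way a sender would."""
    if mss <= 0:
        raise ValueError("mss must be positive")
    return [Segment(start_seq + i, data[i:i + mss]) for i in range(0, len(data), mss)]


def per_packet_scan(segments: Iterable[Segment], signature: bytes = SIGNATURE) -> bool:
    """Stateless filter: inspect each segment in isolation, like a packet filter
    with no notion of the connection. Misses anything straddling two segments."""
    return any(signature in s.payload for s in segments)


def reassemble(segments: Iterable[Segment]) -> bytes:
    """Put segments back in sequence order and concatenate their payloads.
    Retransmitted or overlapping bytes are dropped; a gap (a segment not yet
    seen) raises, so a partial view is never mistaken for a clean stream."""
    ordered = sorted(segments, key=lambda s: s.seq)
    if not ordered:
        return b""
    buf = bytearray()
    expected = ordered[0].seq
    for s in ordered:
        if s.seq < expected:
            overlap = expected - s.seq          # bytes we already have
            if overlap >= len(s.payload):
                continue                        # pure retransmission
            buf += s.payload[overlap:]
            expected += len(s.payload) - overlap
            continue
        if s.seq > expected:
            raise ValueError(f"gap in stream: expected seq {expected}, got {s.seq}")
        buf += s.payload
        expected += len(s.payload)
    return bytes(buf)


def is_complete(segments: Iterable[Segment]) -> bool:
    """True when the segments form a gap-free stream."""
    try:
        reassemble(segments)
    except ValueError:
        return False
    return True


def stream_scan(segments: Iterable[Segment], signature: bytes = SIGNATURE) -> bool:
    """Stateful filter: reassemble first, then look for the pattern."""
    return signature in reassemble(segments)


def demo() -> dict:
    """Run the three cases the thread is about and return the verdicts."""
    segs = build_segments(SAMPLE_STREAM, mss=18)
    # Reverse the list so reassemble() also has to cope with out-of-order arrival.
    out_of_order = list(reversed(segs))
    # Same bytes after a reversible transfer encoding: the literal pattern is gone
    # even from the fully reassembled stream, which is Padgett's point.
    encoded = build_segments(base64.b64encode(SAMPLE_STREAM), mss=18)
    return {
        "per_packet": per_packet_scan(segs),      # False: pattern split at a boundary
        "stream": stream_scan(out_of_order),      # True: reassembly restores it
        "stream_encoded": stream_scan(encoded),   # False: encoding hides it
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:15s} -> {'hit' if verdict else 'miss'}")
```

The gap check matters in practice: a scanner that silently scans whatever fragments it happens to hold reports "clean" for a stream it never fully saw, and the encoded case shows that full reassembly still leaves the question of what the bytes are, which is where Padgett's "not without emulation" starts.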
From firewalls-owner Wed Dec 21 15:26:26 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA01264 for firewalls-outgoing; Wed, 21 Dec 1994 14:49:56 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA01259 for ; Wed, 21 Dec 1994 14:49:51 -0800
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA09780; Wed, 21 Dec 94 15:12:55 -0500
Date: Wed, 21 Dec 94 15:12:55 -0500
Message-Id: <9412212012.AA09780@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Example of the futility of determining contents from packets
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Once again the question was asked if a packet filter can detect viruses
and I responded "No" at least not without a *very* complex determination
first of WHAT the program is, and WHICH platform it is intended for.

The following short executable program is an example of this (note that it
is pgp *signed* and not "converted" to ASCII) executable ASCII using a
mechanism to allow the passage of .COM files through E-mail gateways.
Unlike UUENCODED files though, the ASCII itself is executable - if I had
sent it without the PGP signature, many systems could execute it directly
from the mail window.

Extracted with PGP switch -o CARD.COM it becomes a DOS executable program
2064 bytes long. You *could* just strip the header off (down to the line
that starts "XP[@PPD...") and execute that if you feel brave (the trailing
signature lines do not matter). But the point is that I could have used
the "ASCIIzer" (YAAA) recursively to additionally wrap the contents (in an
experiment I recursively ran it on itself until the original 1k binary had
become a 45k "Katchina Doll" that was still executable).

Meanwhile, if nothing else, Happy Holidays,

Padgett

ps this is a later version (but still a "beta") than Rob rote about in CUD
- for easy checking, all lines are 64d/40h characters long.

pps The tune sounds OK to me but remember, I have been wearing hearing aids
for over 20 years & every speaker is different.

-----BEGIN PGP SIGNED MESSAGE-----

XP[@PPD]5`P(f#(f((f?5!QP^P_u!2$=po}l=!!rZF*$*$ =0%GF%!!%PP$P$Ps-
$l%gmZ$rl6lW$rm6mWlVl6m=ldmAlv%fmvmB%Xm6lW%Xm6mWl6m6m=ld%ylVmqlJ
mqlRmqlNmqlBlWl6m6l/m'l/m3mql8mrm4mql:mAm1l\m/mPl.%tm5$j$Xm5mBmg
m6mWl6l6lZl6m.mZlvl5lB$wl6lZl6m.mZ$bl4lB%|l6lZl6%ZmZl&%vlBl$l6lZ
l!m#mWlVm4lB%wl6lZl!m#mW$rl3lB${l6lZl!%{mW$Zm5lB$wl6lBl.l6lBmbl6
mB%dm6l3mYl6lZlomUm=mam3mUlZl6l5%ymIlYl6m+mPl.l\m2lYm)l5mPm&mUl3
mYl6lZlomUmZm6l6lYl*l6lBm-l6m3mUl3mYl6lZlomUmZm6l6lYl(l6lBm+l6m3
mU%jm=ma%f%ulQ%Y$lmvmSlgl6m!m:m!m:mumVl5mAmAlBm$l6mvmSlil6lBl'l6
%jm=ma%fmum?l5lBl,l6mumSl5%ulQ%Yl$mvmSlkl6m!m:m!m:mumVl5mAmG$jmv
m?lgl6mflHm6mamflGm6mvmSlgl6ma$fmUmnl,lYl'lZl6$_m!m:mum?m5mZl5l6
mamamvmSlhl6lEl:mUl3%glZl6lZlolVmWlZm6lZm/m/mamvmSlhl6lZmPm/mal7
lVmal7lRmamvmSlhl6lZlYm/ma%cm3mUl&l&l&l&l&l&l&l&l&l&l&l&%g%^%Y$^
%^$[%_l&%V%[%Xl&%b$[$`l&%V%[%X$Y%Yl&$X$^%`l&%_$Y%`%`$X%^$[%_%Yl&
%[$_l&$m%[%Vl&%b$[$`l&$i%`%\%`%\$a%`$Y%b$[%a%`m0l1l&l&l&l&l&l&l&
l&l&l&l&l&%^$[l&$X$^%^%Yl&$n%[$\%^$`%b%Vl&%i%`%b%Y%[$[${l1%g%b$Y
%\$\%V$|l1$j%b$`%_%`$X$X$|l&$l%^$[$`%b$|l&l#l&%o%`%[$_$_%`$Y%Vl$
l3lZl2%xmPm&mrl'$pm5lpl3$om5l'm3lY$wm5lZl2m$mPm&lW%nm5m`m1lV$X$w
$j%ylVl^l[lC%q$flC$qlqlTlC$qlD%bl0m5lC%bl`le$nm5lB$nl6lD%bl$l8lC
%bl\m1mPm&l7lV$Xm2l`le$nm5lB%yl6mAmRl\l2mPm&l'mql+$pm5lol'$om5lZ
l2m$mPm&m'mWl6l6lZl6m+mZl6$rmWl6l6lB%{l7lZl6l5%ymIlYl6l6mPl.lZl6
$lmPm&lv$s$nm5l6%Wm:mU$j%ylV${lf$nm5$n${le$nm5$flAl6l6l6l6l6l7l5
l2m6mGm1m3m6mGm1m5m6lll1m5m6mGm1m5m6lVl0m5m6m$l/m3m6m$l/m3m6m$l/
m3m6lll1m3m6lll1m5m6$Zm2m5m6lll1m5m6mGm1m5m6lVl0m3m6l7l5m3m6l7l5
m3m6$Zm2m3m6$Zm2m5m6lCm3m5m6$Zm2m5m6lll1m5m6mGm1m3m6m$m/m3m6l7l5
m5m6l7l5m5m6m$m/m3m6lll1m3m6lVl0m3m6mGm1l1l.l7l5m3m6mGm1m3m6mGm1
m3m6mGm1m3m6lVl0l1m6lVl0m3m6mGm1m3m6lVl0m3m6m$m/m3m6l7l5l1m6l7l5
m3m6$Zm2m3m6lll1m3m6mGm1m3m6l>m3m3m6l7l5m3m6l7l5m5m6l7l5m5m6m$m/
m3m6lll1m3m6lVl0m3m6mGm1l1l.l7l5m3m6mGm1m3m6mGm1m5m6lll1m5m6mGm1
m5m6lVl0m5m6m$l/m3m6m$l/m3m6m$l/m3m6lll1m3m6lll1m5m6$Zm2m5m6lll1
m5m6mGm1m5m6lVl0m3m6l7l5m3m6l7l5m3m6$Zm2m3m6$Zm2m5m6lCm3m5m6$Zm2
m5m6lll1m5m6mGm1m3m6m$m/m3m6l7l5m5m6l7l5m5m6m$m/m3m6lll1m3m6lVl0
m3m6mGm1l1l.l6l6pp_YAAA_v1.02_copyright_(C)_1994_by_Padgett_____

-----BEGIN PGP SIGNATURE-----
Version: 2.7

iQCVAgUBLvgNcYVuK+48ORdVAQEjDQP+Ndm2FryRXkUzW47E+88jCCZi/VPSqJ57
l08JPkBc3P6BX9nh8bJjcJXrmmwa0mgFaH6Ov96jQ1kk+Q+NEEL45TiAy5k4oHH2
F5SaGhh7AQ2OOtSgXfXpLkh1FRIVzO+INL/af3+GFdG62rswztUEhGieslu+1bF/
dFqWpAGxuHE=
=Xf/8
-----END PGP SIGNATURE-----

From firewalls-owner Wed Dec 21 16:09:13 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA01920 for firewalls-outgoing; Wed, 21 Dec 1994 15:47:15 -0800
Received: from relay.tis.com (firewall_user@relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA01915 for ; Wed, 21 Dec 1994 15:47:12 -0800
Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma011071; Wed Dec 21 18:45:46 1994
Received: from otter.tis.com. by tis.com (4.1/SUN-5.64) id AA23075; Wed, 21 Dec 94 18:43:25 EST
From: Marcus J Ranum
Message-Id: <9412212343.AA23075@tis.com>
Subject: Re: Internet security for a VAX VMS Network
To: mlopez@ucsd.edu (Milton F. Lopez)
Date: Wed, 21 Dec 1994 18:48:58 -0500 (EST)
Cc: LEMONH%A1%Aristech_Chemical_Corporation@mcimail.com, firewalls@greatcircle.com
In-Reply-To: <199412212203.OAA26608@ucsd.edu> from "Milton F. Lopez" at Dec 21, 94 02:03:46 pm
Organization: Trusted Information Systems, Inc. Glenwood, MD
Phone: 301-854-6889
Content-Type: text
Content-Length: 2416
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Some vendors uphold the "you'd
> better know Unix and IP" philosophy to a fault, in my opinion.
I admit I've been heard to make similar claims at various conferences
where I've spoken. :)

I do, in fact, think that if you plan to use the Internet effectively,
you'll need to know IP and understand it; all other networking protocols
are basically doomed to the dustbin at this point in time. In the (many)
firewall installs I've done, the bulk of the effort is consistently spent
in interfacing legacy/proprietary systems with the IP/internet suite.
Things like: making blahblah office V4.321's SMTP server work properly with
mumblemumble's network O/S, etc. The Internet side of the connection has
become practically "plug and play" except for all the bizarre contortions
we have to go through on the legacy side. The situation is improving, but
it's improving because the legacy stuff is crumbling rapidly and being
replaced.

Certainly, you don't *NEED* to know IP to connect to the Internet. But if
you plan to be doing networking in 5 years, you *WILL* understand IP or
you'll be in the dustbin. I don't think that the same is the case for UNIX
- knowing UNIX will help, since UNIX-like systems are the current backbone
service engines of the Internet, but that may change. UNIX - unlike IP -
lacks the momentum of a single, clean interface. [The standards guys and
vendors seem to have an initiative every 3 months that will solve this,
but, by now, most of us have stopped waiting and realized that the network
really *is* the computer]

Another thing that often comes up when discussing a firewall with someone
who is about to get an Internet connection is ALL THE OTHER STUFF -- that
has nothing (really) to do with the firewall, but is intimately
intertwined with it and requires expertise and knowledge to manage. That's
why, often, I tell folks that they will need some UNIX expertise
eventually. Not because the firewall needs it -- but because the good WWW
servers are all for UNIX. And the good FTP servers. And the good News
servers. And so on and so on.

Sure, there are alternatives, but they get expensive [I know folks who
have spent HUGE amounts of money to avoid having to learn how to configure
named]. As the Internet connection becomes something more than just a pipe
for Email, you *WILL* have to learn something about UNIX because your
users will be demanding UNIX-based servers.

mjr.

From firewalls-owner Wed Dec 21 22:39:11 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA05020 for firewalls-outgoing; Wed, 21 Dec 1994 22:27:45 -0800
Received: from cs.uchicago.edu (gargoyle.uchicago.edu [128.135.20.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id WAA05015 for ; Wed, 21 Dec 1994 22:27:41 -0800
Received: by cs.uchicago.edu from lme2.wipsys.soft.net (4.1/2.0) id AA13566; Thu, 22 Dec 94 00:26:26 CST
Received: from atlantic.wipsys.soft.net by lme2.wipsys.soft.net id aa05141; 22 Dec 94 11:46 IST
Received: from superior by atlantic.wipsys.soft.net (4.0/SMI-4.0) id AA23342; Thu, 22 Dec 94 11:55:40+050
Message-Id: <9412220655.AA23342@atlantic.wipsys.soft.net>
Received: by superior (16.6/16.2) id AA11757; Thu, 22 Dec 94 11:57:46 +0500
From: "C. NAGARAJU"
Subject: firewalls FAQ
To: firewalls%greatcircle.com@cs.uchicago.edu
Date: Thu, 22 Dec 94 11:57:45 IST
Phone: 5588583/ 5588613/ 5586202/ 5586203
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk
Reply to : nagaraj@wipsys.soft.net
Mailer: Elm [revision: 66.25]

send FAQ nagaraj@wipsys.soft.net

--
5, M R Street          C. NAGARAJU          Systems Engineer
M R Palya                                   Wipro Systems Limited
Bangalore-6                                 Bangalore
Ph No: 3337156                              Ph: 5588583 extn 201

From firewalls-owner Thu Dec 22 05:39:11 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA07214 for firewalls-outgoing; Thu, 22 Dec 1994 05:29:34 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA07209 for ; Thu, 22 Dec 1994 05:29:29 -0800
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA15993; Thu, 22 Dec 94 07:43:49 -0500
Date: Thu, 22 Dec 94 07:43:48 -0500
Message-Id: <9412221243.AA15993@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "aneely@publix.empath.on.ca"@UVS1.dnet.mmc.com
Cc: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: RE: YAAA ?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From: UVS1::"aneely@publix.empath.on.ca" 22-DEC-1994 00:15:43.17

>I tried to extract the .com file but to no avail. I assume I need to
>unwrap the file first with this YAAA thingy? Where can I get a copy of
>this encoder - I've never heard of it before. Heard of xxbug, but not this
>one. Thanks in advance.

Oy, it's documentation he wants 8*), shoulda knowed better.

To answer in reverse order, YAAA is a program I wrote that is not on the
net but you do not need for what I posted. What it does is to take a
normal DOS .COM file (binary) and convert it into executable ASCII (see my
RISKS posting last month).

Now, just so people might not be fooled by imitators, I *signed* the
program with my PGP key but this does not alter the program in any way, it
is not encrypted - that 2k piece inside the signed envelope (the part
between "XP[@PP" and "YAAA") IS the executable file - for example the "XP"
translates in a PC to a "POP/PUSH" pair.

I realize that most people think this is impossible, but the technology
has been around for a while, just the application had a difugelty that
limited its application until I made a few -=>brilliant<=- breakthroughs
8*). Bottom line is that YAAA (Yet Another ASCII Ascirizer) was only
needed to create the program, it is executable as it stands.

Just to get back on track a bit, the point is that unless you had a very
intelligent firewall, you could not tell from the packet level that this
was an executable unless you knew all about YAAA. Further even with the
entire file reconstructed you could not tell without executing it either
directly or through emulation exactly what it does. Further scanners will
only help *if they know what it is* for instance I could have started the
program [SX instead of XP[ and it would execute exactly the same (the
exercise is left to the student 8*). For that matter the "YAAA" part at
the end could have been omitted entirely, I just put it there for my ego
(I do not get paid for this).

Add in the fact that some mailers (I am told new MSMAIL and some versions
of EMACS) are able to directly extract and execute attachments and the
capability for a destructive CHRISTMA.EXEC becomes very possible (another
reason I did not send out my card without signing it).

Now this is not to say that scanning filters cannot be very handy and
effective against known attacks, it just bothers me when certain parties
state things like "protects against all known and unknown...". Two years
ago I coined a term for such marketing: TOAST for "The Only Antivirus
Software That...". So while such things are Good To Have, they are not a
cure-all and the limitations need to be understood up front. Not that they
take anything away from the products - I see things like Sidewinder and
the Data Privacy Facility as pushing the state of the art and I want some
(but then I want FORTEZZA cards also so my view is skewed), just that IMHO
it still needs a lot more pushing.

Warmly,
Padgett

From firewalls-owner Thu Dec 22 09:27:27 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA00548 for firewalls-outgoing; Thu, 22 Dec 1994 09:15:39 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [143.191.19.67]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA00361 for ; Thu, 22 Dec 1994 09:15:05 -0800
Received: from bilbo by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-941015) id HAA02940; Thu, 22 Dec 1994 07:27:30 -0800
Received: from by bilbo (4.1/SMI-4.1) id AB22759; Thu, 22 Dec 94 16:27:57 +0100
Received: from logrus.rada.kiev.ua (Logrus.Rada.Kiev.UA [194.44.144.1]) by Sigma.ICMP.Lviv.UA (8.6.8/8.3) with ESMTP id MAA00537; Thu, 22 Dec 1994 12:58:15 +0200
Received: from office.un.kiev.ua (fiber [194.44.144.150]) by logrus.rada.kiev.ua (8.6.8/8.6.6) with ESMTP id NAA01846; Thu, 22 Dec 1994 13:49:56 +0200
Received: (from scorp@localhost) by office.un.kiev.ua (8.6.8/8.6.6) id MAA13938; Thu, 22 Dec 1994 12:47:39 +0200
Date: Thu, 22 Dec 1994 12:47:38 +0200 (EET)
From: Slava Kritov
X-Sender: scorp@office.un.kiev.ua
To: Brent Chapman
Cc: "Stephen D. Williams" , Ken Hardy , firewalls@GreatCircle.COM
Subject: Re: Firewall and Linux
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi All !

> Huh? Ethernet hardware might support at most 2 _ethernet_ addresses, but
> what's that got to do with supporting multiple _IP_ addresses?

The Right

> The trick is getting the kernel to recognize the multitude of IP addresses
> in these packets being handed up by the ethernet hardware. Traditionally,

In FreeBSD there's an ifconfig alias command which allows you to use a
second IP address ( even from another network )

> UNIX kernels have recognized one IP address per physical interface, but
> that's strictly a limitation in the kernel (i.e., does the kernel compare

That's not particularly true with the newest breeds

Question is : how do I spread information about several IP addresses which
are actually on one interface without all packets coming through this
interface ? Can I use the same filtering in that case - when a lot of
SLIPs exist, and they share a C-class network on Eth with another C ?

Thanx
Slava

From firewalls-owner Thu Dec 22 09:42:47 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA00335 for firewalls-outgoing; Thu, 22 Dec 1994 09:14:59 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [143.191.19.67]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA00229 for ; Thu, 22 Dec 1994 09:14:36 -0800
Received: from bilbo by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-941015) id HAA02985; Thu, 22 Dec 1994 07:35:21 -0800
Received: from by bilbo (4.1/SMI-4.1) id AB22843; Thu, 22 Dec 94 16:30:17 +0100
Received: from logrus.rada.kiev.ua (Logrus.Rada.Kiev.UA [194.44.144.1]) by Sigma.ICMP.Lviv.UA (8.6.8/8.3) with ESMTP id MAA00506; Thu, 22 Dec 1994 12:56:19 +0200
Received: from office.un.kiev.ua (fiber [194.44.144.150]) by logrus.rada.kiev.ua (8.6.8/8.6.6) with ESMTP id NAA01842 for ; Thu, 22 Dec 1994 13:48:00 +0200
Received: (from scorp@localhost) by office.un.kiev.ua (8.6.8/8.6.6) id MAA13914; Thu, 22 Dec 1994 12:40:57 +0200
Date: Thu, 22 Dec 1994 12:40:57 +0200 (EET)
From: Slava Kritov
X-Sender: scorp@office.un.kiev.ua
To: "Stephen D. Williams"
Cc: Ken Hardy , firewalls@GreatCircle.COM
Subject: Multiple nets per interface ( was Re: Firewall and Linux )
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi !

On Tue, 20 Dec 1994, Stephen D. Williams wrote:

> I'm sure it supports multiple interfaces, and therefore should be
> able to support as many as you can fit in the box (since any
> constant can easily be changed).

Right

> interface. I was just told yesterday that BSDi or freeBSD can do
> that. Since I thought it was standard for ethernet hardware to

Exactly

> support two addresses at most, I was surprised. You would have to put
> it into promiscuous mode which causes the box to process all packets.
> I guess a modern machine can handle that.

And the problem I'm solving now is that we have two IP nets for one
physical cable for now ( waiting for Routers to come ;)
I had to make an ifconfig alias on the server, and the result is that any
transfer between computers on the same cable but with different IPs occurs
through that aliased interface. That seems quite stupid, but could you
offer any other solution ( except, of course, aliasing all interfaces on
all computers :) ) ?
Question is that one network is Freenet, and the other - UN office in
Ukraine. I would certainly divide it into separate phys zones, but for now
it's the solution. BTW all hosts on Freenet are connected via SLIP.

Thanx a lot
Slava

From firewalls-owner Thu Dec 22 14:42:32 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA02241 for firewalls-outgoing; Thu, 22 Dec 1994 14:30:38 -0800
Received: from albert.gnu.ai.mit.edu (root@albert.gnu.ai.mit.edu [128.52.46.31]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA02236 for ; Thu, 22 Dec 1994 14:30:36 -0800
From: docboom@gnu.ai.mit.edu
Received: from spiff.gnu.ai.mit.edu by albert.gnu.ai.mit.edu (8.6.9/4.0) with SMTP id ; Thu, 22 Dec 1994 17:29:06 -0500
Received: by spiff.gnu.ai.mit.edu (5.65/4.0) id ; Thu, 22 Dec 94 17:28:14 -0500
Date: Thu, 22 Dec 94 17:28:14 -0500
Message-Id: <9412222228.AA04103@spiff.gnu.ai.mit.edu>
To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

UNSUIBSCRIBE firewalls

From firewalls-owner Thu Dec 22 15:12:38 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA02403 for firewalls-outgoing; Thu, 22 Dec 1994 14:55:00 -0800
Received: from netcom18.netcom.com (miltwebb@netcom18.netcom.com [192.100.81.131]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA02398 for ; Thu, 22 Dec 1994 14:54:56 -0800
Received: by netcom18.netcom.com (8.6.9/Netcom) id OAA07477; Thu, 22 Dec 1994 14:53:19 -0800
Date: Thu, 22 Dec 1994 14:53:17 -0800 (PST)
From: Milt Webb
Subject: Router software for PC
To: firewalls@greatcircle.com
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone know where I might find software to turn a spare PC into a
simple IP router between two networks? I recall some mention of such a
thing on this list a while ago.
Thanks,
Milt Webb

From firewalls-owner Thu Dec 22 15:43:00 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA02800 for firewalls-outgoing; Thu, 22 Dec 1994 15:33:07 -0800
Received: from noc1.mid.net (noc1.mid.net [198.247.250.15]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA02795 for ; Thu, 22 Dec 1994 15:33:03 -0800
Received: from jayhawk. (jayhawk.mid.net [198.247.250.21]) by noc1.mid.net (8.6.9/8.6.9) with SMTP id RAA11413; Thu, 22 Dec 1994 17:32:28 -0600
Received: by jayhawk. (5.0/SMI-SVR4) id AA01162; Thu, 22 Dec 1994 17:32:27 -0600
From: alan@mid.net (Alan Hannan)
Message-Id: <9412222332.AA01162@jayhawk.>
Subject: Re: Router software for PC
To: miltwebb@netcom.com (Milt Webb)
Date: Thu, 22 Dec 1994 17:32:27 -0600 (CST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Milt Webb" at Dec 22, 94 02:53:17 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 843
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Does anyone know where I might find software to turn a spare PC into a
> simple IP router between two networks? I recall some mention of such a
> thing on this list a while ago.
> Thanks,

ftp://sunsite.unc.edu/pub/Linux for your Operating System.
and then get routed or gated, and use that to route your packets.

I've not personally used it, but it ought to work fine.

Anticipated problems in configuring dual ethernet ports, and I bet that
gated is a bit more difficult to set up than routed.

Good luck to you...
--
+ alan@mid.net Network Operations Center (402)/472-0242, Fax (402)/472-0240 +
+ + + + + + + + + + + + + + + + + + + ++ + + + + + + + + + + + + + + + + + + + +
+============\\ "Small is the number of them that see with their own eyes +
+MIDnet, Inc. \\____ and feel with their own hearts."
- Albert Einstein + From firewalls-owner Thu Dec 22 16:42:40 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA03297 for firewalls-outgoing; Thu, 22 Dec 1994 16:34:54 -0800 Received: from oeonline.oeonline.com (oeonline.com [198.108.49.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA03292 for ; Thu, 22 Dec 1994 16:34:51 -0800 Received: by oeonline.oeonline.com (Smail3.1.28.1 #3) id m0rKxsg-000AgdC; Thu, 22 Dec 94 19:29 EST Date: Thu, 22 Dec 1994 19:29:13 -500 (EST) From: William Avery To: firewalls@greatcircle.com Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk unsubcribe firewalls ========================================================================= Respond to bavery@oeonline.com | It's great to be alive!!!!! ========================================================================= From firewalls-owner Thu Dec 22 17:12:31 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA03444 for firewalls-outgoing; Thu, 22 Dec 1994 16:53:03 -0800 Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA03439 for ; Thu, 22 Dec 1994 16:53:00 -0800 Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.9/8.6.9) id SAA03591; Thu, 22 Dec 1994 18:49:13 -0600 Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma003589; Thu Dec 22 18:49:00 1994 Received: from ernie.bridge.com by ignatz.bridge.com with SMTP id AA24958 (5.67b/IDA-1.5); Thu, 22 Dec 1994 18:52:05 -0600 Date: Thu, 22 Dec 1994 18:52:05 -0600 From: Ken Hardy Message-Id: <199412230052.AA24958@ignatz.bridge.com> To: miltwebb@netcom.com Subject: Re: Router software for PC Cc: alan@mid.net, firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Linux is hardly "simple". 
There's a package called "PCROUTE" that seems to work fairly well. It's as you describe it; a simple IP router. Seems we had problems with the packet-driver version, but the WD8003-specific executable ran well. It comes with executable and source, rare for a DOS-based application. Another package you'll probably hear about is KA9Q. It's not so simple and is not designed as a turnkey router like PCROUTE, though it will do the function admirably, I'm told (filtering?). PCROUTE can be put on a boot diskette in a PC with 2 net cards, a floppy drive, and nothing else, not even a monitor. The latest free version of PCROUTE that I'm aware of (don't have at hand) is fairly old; it was supposedly being taken commercial, though I've never heard what became of that. It incorporated no filtering, so is only tangentially related to this list, at best. -KH >From firewalls-owner@greatcircle.com Thu Dec 22 17:49:05 1994 >From: alan@mid.net (Alan Hannan) >Subject: Re: Router software for PC >To: miltwebb@netcom.com (Milt Webb) >Date: Thu, 22 Dec 1994 17:32:27 -0600 (CST) >Cc: firewalls@greatcircle.com >Sender: firewalls-owner@greatcircle.com > >> >> Does anyone know where I might find software to turn a spare PC into a >> simple IP router between two networks? I recall some mention of such a >> thing on this list a while ago. >> Thanks, > >ftp://sunsite.unc.edu/pub/Linux for your Operating System. >and then get routed or gated, and use that to route your packets. > >I've not personally used it, but it ought to work fine. > >Anticipated problems in configuring dual ethernet ports, and I bet that >gated is a bit more difficult to setup than routed. > >Good luck to you... >-- >+ alan@mid.net Network Operations Center (402)/472-0242, Fax (402)/472-0240 + >+ + + + + + + + + + + + + + + + + + ++ + + + + + + + + + + + + + + + + + + + + >+============\\ "Small is the number of them that see with their own eyes + >+MIDnet, Inc. \\____ and feel with their own hearts." 
>- Albert Einstein +
>

From firewalls-owner Thu Dec 22 20:42:29 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA05018 for firewalls-outgoing; Thu, 22 Dec 1994 20:18:28 -0800
Received: from chs.claremont.edu (CHS.CUSD.Claremont.Edu [134.173.22.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id UAA05013 for ; Thu, 22 Dec 1994 20:18:25 -0800
Received: by chs.claremont.edu (5.65/DEC-Ultrix/4.3) id AA02254; Thu, 22 Dec 1994 20:16:08 -0800
Date: Thu, 22 Dec 1994 20:16:07 -0800 (PST)
From: Matthew Bostwick
To: firewalls@greatcircle.com
In-Reply-To: <9412222228.AA04103@spiff.gnu.ai.mit.edu>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

UNSUBSCRIBE firewalls

From firewalls-owner Thu Dec 22 20:54:20 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA04999 for firewalls-outgoing; Thu, 22 Dec 1994 20:13:57 -0800
Received: from suntan.Tandem.com (suntan.tandem.com [192.216.221.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id UAA04994 for ; Thu, 22 Dec 1994 20:13:53 -0800
From: pat@loc201.tandem.com
Received: from adm.loc201.tandem.com (admin_01.loc201.tandem.com) by suntan.Tandem.com (4.1/suntan5.940222) for firewalls@greatcircle.com id AA28696; Thu, 22 Dec 94 20:11:58 PST
Received: from vern.loc201.tandem.com.loc201.tandem.com by adm.loc201.tandem.com (4.1/6main.940209) id AA26336; Thu, 22 Dec 94 20:11:58 PST
Received: by vern.loc201.tandem.com.loc201.tandem.com (4.1/6nospool.930120) id AA02611; Thu, 22 Dec 94 20:11:47 PST
Date: Thu, 22 Dec 94 20:11:47 PST
Message-Id: <9412230411.AA02611@vern.loc201.tandem.com.loc201.tandem.com>
To: firewalls@greatcircle.com
Subject: Re: Router software for PC
Reply-To: pat@tandem.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ken Hardy writes:

> The latest free version of PCROUTE that I'm aware of (don't have at
> hand) is fairly old; it was supposedly being taken commercial, though
> I've never heard what became of that.

>From the readme file:

*****************************************************************
Information on PCRoute / PCBridge
LANPort, Inc.
lanport@cup.portal.com
******************************************************************

I) WHAT IS PCROUTE AND PCBRIDGE?

PCroute and PCbridge are software programs for IBM PC computers that can convert a PC with the necessary network cards into an IP router (PCroute) or an ethernet bridge (PCbridge). More information on exactly what capabilities PCroute and PCbridge have can be found in the 'readme.pcroute.doc' and 'readme.pcbridge.doc'.

-----------------------------------------------------------------
II) WHAT IS THE HISTORY OF PCROUTE and PCBRIDGE?

The first version of PCroute was designed, coded, tested, and deployed by Vance Morrison in 1988 while he was working for Northwestern University. The code proved very useful and reliable, and encouraged by this success, Vance Morrison continued further development and deployment of the code at Northwestern.

It quickly became obvious that PCroute and PCbridge could be useful to many others outside of Northwestern. The decision was to make the code as well as the source freely available. To keep some control, however, the copyright did not allow distribution of modified versions of PCroute. This restriction turned out to be an excellent compromise between the users' need to have and modify the source, and the author's desire to maintain the control that was needed to enhance PCroute and PCbridge as a unified product.

In 1990 the author, Vance Morrison, left NorthWestern and it became clear that continuing product development could best be assured if some commercial entity would support it and continue its enhancement. By early 1991, LANport Inc. purchased the copyright for PCRoute. They have committed to continuing the development of PCroute and PCbridge as well as providing ongoing support. Furthermore LANport's goal is NOT to restrict use of PCroute and PCbridge, but rather to make it even more widely used by providing enhancements and support that are requirements for many users. Vance Morrison, the author of both PCRoute and PCBridge, has been retained as the technical product manager in this effort.

III) WHERE TO FIND PCROUTE and PCBRIDGE?

There are now two different versions of PCroute and PCbridge, the one that has been distributed to date, and the enhanced version, both of which LANport is developing and supporting.

THE 'FTP' VERSION:

The freely distributed version will continue to be available, without charge to Universities and nonprofit institutions. Certain updates and enhancements will also be provided in future releases. The 'official' repository for the binaries and documentation will continue to be the FTP archive on ftp.acns.nwu.edu (129.105.113.52) in pub/pcroute. (The 'official' repository may change in the future). The file 'readme.dir' contains additional information about the distribution directory.

Requests for source code by individuals, or institutions should be forwarded to Etienne Taylor at;

E-MAIL: Lanport@cup.portal.com
PHONE: (415)775-0188
US-MAIL: LANport, Inc.
         2040 Polk Street # 340
         San Francisco, CA 94109

Note: even if you don't need the source, please send an E-mail message, or send a letter to the address above so you can become a 'registered' user. Registered users will be informed about new versions and other developments with PCroute and PCbridge. LANPort is also interested in hearing about bugs, bug-fixes, desired enhancements, or anything else about PCroute/bridge that you would like to tell us.

If you would like a copy of the manual and same day E-mail technical support please send a check or purchase order for $75.00 to the address above.

THE ENHANCED VERSION:

LANport is developing the next generation of PCroute and PCbridge that it will sell and support commercially. Improvements include enhanced network management, higher speed serial line support, improved user interface and documentation. If you are interested in this, please write or call Etienne Taylor at the above address. He can give you current information on what is available as well as keep you informed as new enhancements debut.

Vance Morrison
Lanport@cup.portal.com / morrison@cs.uiuc.edu

From firewalls-owner Thu Dec 22 22:42:29 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA06030 for firewalls-outgoing; Thu, 22 Dec 1994 22:25:58 -0800
Received: from muwayb.ucs.unimelb.EDU.AU (muwayb.ucs.unimelb.EDU.AU [128.250.20.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id WAA06025 for ; Thu, 22 Dec 1994 22:25:54 -0800
X-PMrqc: 1
Received: from cardiology.medrmh.unimelb.EDU.AU by muwayb.ucs.unimelb.edu.au (PMDF V4.3-10 #7200) id <01HKZOLXT6U80013KK@muwayb.ucs.unimelb.edu.au>; Fri, 23 Dec 1994 17:24:13 +1100
Received: from CARDIOLOGY/SpoolDir by cardiology.medrmh.unimelb.edu.au (Mercury 1.20); 23 Dec 94 17:24:05 +1000
Received: from SpoolDir by CARDIOLOGY (Mercury 1.20); 23 Dec 94 17:23:40 +1000
Date: Fri, 23 Dec 1994 17:23:39 +1000
From: "Peter Summers, Cardiology, RMH"
Subject: Re: Router software for PC
To: firewalls@greatcircle.com
Message-id:
Organization: Royal Melbourne Hospital
MIME-version: 1.0
X-Mailer: Pegasus Mail v3.22
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Priority: normal
X-Confirm-Reading-To: "Peter Summers, Cardiology, RMH"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Ken Hardy writes:
>
> > The latest free version of PCROUTE that I'm aware of (don't have at
> > hand) is fairly old; it was supposedly being taken commercial, though
> > I've never heard what became of that.
>
> From the readme file:

> The freely distributed version will continue to be available,
> without charge to Universities and nonprofit institutions. Certain
> updates and enhancements will also be provided in future releases.
> The 'official' repository for the binaries and documentation will
> continue to be the FTP archive on ftp.acns.nwu.edu (129.105.113.52) in
> pub/pcroute. (The 'official' repository may change in the
> future). The file 'readme.dir' contains additional information
> about the distribution directory.

It appears that the official repository has moved; I can't find a pub/pcroute directory on ftp.acns.nwu.edu.

The last version of PCROUTE on Simtel is 2.24. It contains a kludge for BootPing CISCO devices which can cause nasty packet storms under some circumstances, and should be removed if you don't have such devices. The code to be removed is clearly documented by the author (in BOOTP.INC).

Peter Summers
Cardiology Department            Phone (+613/03) 342 8727 (B)
Royal Melbourne Hospital               (+613/03) 387 4203 (H)
AUSTRALIA 3050                   Fax   (+613/03) 347 2808

From firewalls-owner Fri Dec 23 13:12:56 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA10302 for firewalls-outgoing; Fri, 23 Dec 1994 12:46:39 -0800
Received: from watchdog.ftc.gov (watchdog.ftc.gov [164.62.3.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA10297 for ; Fri, 23 Dec 1994 12:46:34 -0800
Received: by watchdog.ftc.gov (4.1/SMI-4.1-MHS-7.1) id AA14539; Fri, 23 Dec 94 15:43:50 EST
From: mfrank@ftc.gov (Mike Frank)
Message-Id: <9412232043.AA14539@watchdog.ftc.gov>
Subject: Re: Router software for PC
To: miltwebb@netcom.com (Milt Webb)
Date: Fri, 23 Dec 1994 15:43:49 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Milt Webb" at Dec 22, 94 02:53:17 pm
X-Organization: Federal Trade Commission
X-Mailer: ELM [version 2.4 PL21]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 4056
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Does anyone know where I might find software to turn a spare PC into a
> simple IP router between two networks? I recall some mention of such a
> thing on this list a while ago.
> Thanks,
> Milt Webb
>

Hi Milt:

Hard to tell from your question what your application is, or from your signature whether you work for netcom, a customer, or what. But the thrust of your question is routing on the cheap, and in that you posted it to firewalls, security might be in the back of your mind somewhere.

PCROUTE was designed to use a castoff 4.77 MHz PC or XT to implement routing and/or SLIP connections on the cheap a number of years ago. When I looked at it over a year ago, it was very restrictive in hardware enet cards supported, required Borland Turbo C (or was it Pascal) to rebuild, and of course, ran on MSDOS. (DOS may be to your taste, but to each his own ;-).

But if I were gonna build a router (in my case, for home) from spare parts and a couple of hundred bucks, well:

1) Nowadays, castoff PCs are the like of 386sx, 386DX16, or 386DX25, since windows makes them seem dog slow.
2) You can't get better networking than a Unix OS
3) You (probably) can't get better Unix networking than from BSD Unix (where better is defined as the whole enchilada, route, arp, reverse arp, proxy arp, rip and ospf (gated), etc.
4) You can't get a much cheaper BSD Unix than FreeBSD

I'm looking seriously at building a PC based unix box for home specifically for routing and PPP connection service to work. I just got a new Walnut Creek catalog the other day and they list FreeBSD 2.0 (based on BSD 4.4 Lite) on a cdrom for $39.95. You could download it for free, but it's not worth my time; I'll gladly pay 40 bucks. Scheduled for release Dec 94.

What would you need:

1. At least a 386sx, 32 bit OS, you know
2. 60MB disk space or more (at 50 cents a MB, get 400MB or more)
3. 4MB (8MB recommended) RAM (swipe DRAMS from other castoff machines)
4. 1 NIC (for SLIP/PPP) or 2 NIC cards (ethernet to ethernet) SMC, WD, Isolan, Novell NE1000 NE2x00, 3Com503 (more choices)
5. Mitsumi cdrom drive at about $150 (one of the cheapest, but not bad)

The cdrom drive and hard disk space I see as the only major investment. For reliability, I would consider replacing any MFM/RLL drives with IDE drives with a decent MTBF. Of course, you could build the thing up using all SCSI components, but they are probably not leftovers.

What do you get:

1. Complete set of network features with ten years maturity built in. (Sorry, Linux, DOS, WIN NT, Novell, none of them can say this).
2. A platform on which you can take advantage of years of network development that is free for the taking out on the internet.
3. A platform on which you can implement the likes of the TIS firewall toolkit (Ah hah, there was a reason for copying the firewalls list).
4. In fact, I believe, someone correct me if I'm wrong please, that BSD 4.4 included a kernel filtering option that was introduced in the latter BSD 4.3 releases (Taos ?)

Things I want to find out:

1. Does it have the packet filtering mentioned above?
2. Does the PPP included implement full CHAP handshake, and if not, can it be ripped out and replaced with something else (preferably free).

Downside:

I guess I assumed here you know unix, or want to learn. Not saying there is not a learning curve. But even if you are a network wizard (helped Eric debug sendmail, etc.) I'll say this for any reader reading firewalls that is driving a Novell LAN or the like and connecting to the Internet. Learn unix so you can understand the issues. And this is cheaper than asking your company to buy you a Sun.

Off soapbox.

Happy Holidays to All

Mike
--
+-------------------------------------------------------------------+
 Mike Frank, Federal Trade Commission
 Voice: 202-326-2217   Fax: 202-326-2050
 Email: mfrank@ftc.gov
 X.400: /pn=Michael.Frank/c=us/admd=telemail/prmd=gov+ftc/o=wpo/
+-------------------------------------------------------------------+

From firewalls-owner Fri Dec 23 13:42:57 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA10561 for firewalls-outgoing; Fri, 23 Dec 1994 13:33:50 -0800
Received: from muwayb.ucs.unimelb.EDU.AU (muwayb.ucs.unimelb.EDU.AU [128.250.20.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA10556 for ; Fri, 23 Dec 1994 13:33:47 -0800
X-PMrqc: 1
Received: from cardiology.medrmh.unimelb.EDU.AU by muwayb.ucs.unimelb.edu.au (PMDF V4.3-10 #7200) id <01HL0KBEYFOW000WNV@muwayb.ucs.unimelb.edu.au>; Sat, 24 Dec 1994 08:32:00 +1100
Received: from CARDIOLOGY/SpoolDir by cardiology.medrmh.unimelb.edu.au (Mercury 1.20); 24 Dec 94 08:31:51 +1000
Received: from SpoolDir by CARDIOLOGY (Mercury 1.20); 24 Dec 94 08:31:32 +1000
Date: Sat, 24 Dec 1994 08:31:22 +1000
From: "Peter Summers, Cardiology, RMH"
Subject: Re: Router software for PC
To: firewalls@greatcircle.com
Message-id:
Organization: Royal Melbourne Hospital
MIME-version: 1.0
X-Mailer: Pegasus Mail v3.22
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Priority: normal
X-Confirm-Reading-To: "Peter Summers, Cardiology, RMH"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> >
> > Does anyone know where I might find software to turn a spare PC into a
> > simple IP router between two networks? I recall some mention of such a
> > thing on this list a while ago.
>
> Hard to tell from your question what your application is, or from
> your signature whether you work for netcom, a customer, or what.
> But the thrust of your question is routing on the cheap, and in
> that you posted it to firewalls, security might be in the back of
> your mind somewhere. PCROUTE was designed to use a castoff 4.77 MHz
> PC or XT to implement routing and/or SLIP connections on the cheap
> a number of years ago. When I looked at it over a year ago, it was
> very restrictive in hardware enet cards supported, required Borland
> Turbo C (or was it Pascal) to rebuild, and of course, ran on MSDOS.
> (DOS may be to your taste, but to each his own ;-).

It requires Turbo Assembler to rebuild. Also, it comes with a version built for packet drivers.

Peter Summers
Cardiology Department            Phone (+613/03) 342 8727 (B)
Royal Melbourne Hospital               (+613/03) 387 4203 (H)
AUSTRALIA 3050                   Fax   (+613/03) 347 2808

From firewalls-owner Fri Dec 23 14:13:12 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA10649 for firewalls-outgoing; Fri, 23 Dec 1994 13:43:09 -0800
Received: from research.att.com (research.att.com [192.20.225.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA10644 for ; Fri, 23 Dec 1994 13:43:06 -0800
From: smb@research.att.com
Message-Id: <199412232143.NAA10644@miles.greatcircle.com>
Received: by gryphon; Fri Dec 23 16:40:43 EST 1994
To: miltwebb@netcom.com (Milt Webb), firewalls@greatcircle.com
Subject: Re: Router software for PC
Date: Fri, 23 Dec 94 16:40:42 EST
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If you can live with a filtering bridge instead of a router, check out the TAMU package.
From firewalls-owner Sat Dec 24 00:43:04 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA13331 for firewalls-outgoing; Sat, 24 Dec 1994 00:34:02 -0800
Received: from ns.onramp.net (ns.onramp.net [199.1.11.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id AAA13326 for ; Sat, 24 Dec 1994 00:33:59 -0800
Received: from .onramp.net (dal10.onramp.net [199.1.11.110]) by ns.onramp.net (8.6.5/8.6.5) with SMTP id CAA26094 for ; Sat, 24 Dec 1994 02:32:34 -0600
Date: Sat, 24 Dec 1994 02:32:34 -0600
Message-Id: <199412240832.CAA26094@ns.onramp.net>
X-Sender: saleh@onramp.net
X-Mailer: Windows Eudora Version 2.0.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.COM
From: saleh@Onramp.NET (Saleh W. Igal)
Subject: Re: Router software for PC
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Does anyone know where I might find software to turn a spare PC into a
>simple IP router between two networks? I recall some mention of such a
>thing on this list a while ago.

If you want simple configuration, and are considering commercial products, Novell's Multiprotocol Router is a no-brainer to configure, is fast, and supports about any network card that you can find. Minimal hardware is a 386sx, 4MB RAM, and around 20MB disk, or something like that. On the down side, the filtering leaves a bit to be desired, so it isn't much use as a firewall.

_______________________________________________________________________________
Saleh W. Igal

From firewalls-owner Sat Dec 24 13:42:56 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA15664 for firewalls-outgoing; Sat, 24 Dec 1994 13:16:51 -0800
Received: from bos1a.delphi.com (SYSTEM@bos1a.delphi.com [192.80.63.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA15659; Sat, 24 Dec 1994 13:16:47 -0800
Received: from delphi.com by delphi.com (PMDF V4.3-9 #7804) id <01HL10HFP8HS9364HK@delphi.com>; Sat, 24 Dec 1994 16:15:23 -0500 (EST)
Date: Sat, 24 Dec 1994 16:15:23 -0500 (EST)
From: Network Security Observations
Subject: product information
To: firewalls-digest@GreatCircle.com, firewalls@GreatCircle.com
Message-id: <01HL10HFPI4Y9364HK@delphi.com>
X-VMS-To: INTERNET"firewalls-digest@GreatCircle.com"
X-VMS-Cc: INTERNET"firewalls@GreatCircle.com" ,NSO
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Network Security Observations
Internet Security Monthly
=============================
24/12/94

Opportunity for manufacturers/producers of firewall hard/software, and dedicated consultancy services.

NSO plans to publish in its 1995 volume a comprehensive listing of all available products/services for firewall security/protection currently available on the World market. A cropped/limited version will be published in ISM.

Manufacturers/producers are hereby invited to submit to us the documentation of the hardware and/or software they offer. The publication is free of any charges.

The conditions for publication:

1. Registration by email to if you would like to participate in this program.
2. The documentation must be limited to firewall products and services, including consultancy services.
3. Please do not send us any hard or software.
4. We do not evaluate or recommend particular hard/software/service, but focus this time on the availability.
5. If you register (see 1.) you will receive an electronic form to be completed as much as possible. This form is meant for the ISM (short) listing.
6. The form (see 5.) gives further details for the comprehensive NSO listing (pre-press instructions).
7. The listing is free of any charges. However we do expect from manufacturers/producers that their company is listed as subscriber to our journals.
8. All documentation/information must be submitted in the English language.

Please register first by email to

NSO and ISM have a Worldwide circulation, reaching virtually all countries of the globe. Both non-profit publications are exclusively devoted to the security, safety and protection of computer network datacommunications. The publishers work in close cooperation with the Internet Society. Subscribers may expect certain privileges as to membership of the Society.

For further information please contact:

NSO/ISM
suite 400, 1825 I (eye) Street NW
Washington DC, 20006
United States
tel.: +1 202 775 4947
fax.: +1 202 429 9574
telex: 440557 hqwdc
internet: nso@delphi.com

--------- * this message was distributed on Saturday December 24, 1994 * ---------

Season's Greetings

From firewalls-owner Sun Dec 25 04:12:57 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA18068 for firewalls-outgoing; Sun, 25 Dec 1994 04:09:06 -0800
Received: from uu3.psi.com (uu3.psi.com [38.145.250.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id EAA18063 for ; Sun, 25 Dec 1994 04:09:02 -0800
Received: from pwcm.com by uu3.psi.com (5.65b/4.0.071791-PSI/PSINet) via SMTP; id AA22265 for firewalls@greatcircle.com; Sun, 25 Dec 94 07:07:24 -0500
Received: from eqdev.pwcm.com (thor.ARPA) by pwcm.com (4.1/3.1.090690-PaineWebber Capital Markets) id AA04768; Sun, 25 Dec 94 07:07:19 EST
Date: Sun, 25 Dec 94 07:07:18 EST
From: dgumport@eqdev.pwcm.com (Danny Gumport)
Received: from elephant.pwcm.com (elephant.ARPA) by eqdev.pwcm.com (4.1/3.2.083191-PaineWebber Soup Kitchen) id AA28139; Sun, 25 Dec 94 07:07:18 EST
Message-Id: <9412250707.ZM24923@elephant>
In-Reply-To: sotiris.baxevanis@intelsat.int "Automatic syslog scanning" (Nov 11, 13:34)
References:
X-Mailer: Z-Mail (3.2.0 06sep94)
To: sotiris.baxevanis@intelsat.int, firewalls@greatcircle.com
Subject: Re: Automatic syslog scanning
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

fwtk_watch is a tk/tcl script that does a pretty good job and can be customized to do what you want... pointer to it on TIS http site: http://www.tis.com listed under contributions.

--dg

On Nov 11, 13:34, sotiris.baxevanis@intelsat.int wrote:
> Subject: Automatic syslog scanning
> Hi, does anyone know of a utility that will enable me to automatically
> scan syslog files or better yet trigger an event from an incoming syslog
> message?
>
> thanks
>-- End of excerpt from sotiris.baxevanis@intelsat.int

From firewalls-owner Sun Dec 25 05:12:57 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA18222 for firewalls-outgoing; Sun, 25 Dec 1994 04:42:39 -0800
Received: from mail.Germany.EU.net (mail.Germany.EU.net [192.76.144.65]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id EAA18217 for ; Sun, 25 Dec 1994 04:42:36 -0800
Received: by mail.Germany.EU.net with SMTP (8.6.5:29/EUnetD-2.5.1.c) via EUnet id NAA07605; Sun, 25 Dec 1994 13:42:24 +0100
Received: by ki1.chemie.fu-berlin.de (Smail3.1.28.1) from odb.rhein-main.de (193.141.47.4) with smtp id ; Sun, 25 Dec 94 13:40 MET
Received: from [193.141.47.129] by odb.rhein-main.de with smtp (Smail3.1.28.1 #5) id m0rLsDP-0003gaC; Sun, 25 Dec 94 13:38 MET
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 25 Dec 1994 13:39:45 +0100
To: mcr@milkyway.com (Michael Richardson)
From: maass@odb.rhein-main.de (Joerg Maass)
Subject: Re: packet filter on stock OSes (was: what firewall platform?)
Cc: firewalls@GreatCircle.COM, hobbit@bronze.lcs.mit.EDU
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi Mike,

> Uh, the interface a packet arrived on is available from the mbuf
>header in 44bsd systems. I've used this fairly easily to build a
>fairly minimal packet filter so that "virtual private networking"
>(encrypting and sending to a branch office) works, and isn't spoofed
>by packets arriving from the "public" interface.
> This is possible in 43BSD/SunOS too, thanks to a little kludge.
>

Possible on Ultrix and OSF/1 from Digital Equipment, too.

Joerg Maass
--
Am Tiergarten 22          Tel.: +49/69/4990880
D-60316 Frankfurt         Fax : +49/6103/383-157
Germany                   privat: maass@thinkfish.rhein-main.de
                          biz.: Joerg.Maass@frs.mts.dec.com
PGP signature available upon request.

From firewalls-owner Sun Dec 25 11:43:01 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA18936 for firewalls-outgoing; Sun, 25 Dec 1994 11:15:55 -0800
Received: from wraith.internode.com.au (wraith.internode.com.au [192.83.231.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA18931 for ; Sun, 25 Dec 1994 11:15:50 -0800
Received: from simon.Zen by wraith.internode.com.au with DMSP (5.83--+1.3.1+0.50/UA-5.23) id AA12305; Mon, 26 Dec 1994 05:42:11 +1030
Date: Mon, 26 Dec 1994 05:42:11 +1030
Message-Id: <9412251912.AA12305@wraith.internode.com.au>
To: pcc@SSDS.com
Subject: Re: VMS firewall
From: simon@internode.com.au (Simon Hackett)
Reply-To: simon@internode.com.au
Cc: firewalls@greatcircle.com
Repository: internode.com.au
Originating-Client: Zen
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I have been told there is a firewall implemented on VMS. Is this true,
> and if it is, could someone point me to the info concerning it.
>
> Phil
>

Hi Phil,

We produce one... and have a number of Australian corporate/government customers using it. Drop me a line for more information.

Regards,
Simon Hackett
Technical Director
Internode Systems Pty Ltd

Simon Hackett, Internode Systems Pty Ltd, Adelaide, Australia
Email: simon@internode.com.au   URL: http://www.internode.com.au
Phone: +61 8 373 1020   Fax: +61 8 373 4911
"My other car is a glider ... SF25-C MotorFalke ... VH-FQW"

From firewalls-owner Sun Dec 25 13:42:58 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA19348 for firewalls-outgoing; Sun, 25 Dec 1994 13:35:55 -0800
Received: from magna.telco.com (magna.telco.com [198.49.97.64]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA19343 for ; Sun, 25 Dec 1994 13:35:51 -0800
Received: from localhost (cbk@localhost) by magna.telco.com (8.6.5/8.6.5) id QAA22968 for firewalls@greatcircle.com; Sun, 25 Dec 1994 16:34:50 -0500
Date: Sun, 25 Dec 1994 16:34:50 -0500
From: "Charles B. Kaplan"
Message-Id: <199412252134.QAA22968@magna.telco.com>
To: firewalls@greatcircle.com
Subject: UDP relay
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is there a version of this greater than the 0.2 over at wang.com ?

-Charles

From firewalls-owner Sun Dec 25 13:54:08 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA19340 for firewalls-outgoing; Sun, 25 Dec 1994 13:35:08 -0800
Received: from magna.telco.com (magna.telco.com [198.49.97.64]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA19335 for ; Sun, 25 Dec 1994 13:35:05 -0800
Received: from localhost (cbk@localhost) by magna.telco.com (8.6.5/8.6.5) id QAA22949 for firewalls@greatcircle.com; Sun, 25 Dec 1994 16:34:02 -0500
Date: Sun, 25 Dec 1994 16:34:02 -0500
From: "Charles B. Kaplan"
Message-Id: <199412252134.QAA22949@magna.telco.com>
To: firewalls@greatcircle.com
Subject: latest trends in FTP proxies and filters
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have been reviewing some of the archives, but was wondering what the latest trend was regarding FTP access (outbound only in my case) through a firewall.

I could run a proxy, but they all seem to have the lagging problem of difficulty for macs and pcs, and are clumsy, but I don't see how I could configure my router (or screened etc) to handle this. Is there anything besides firewall 1 which basically turns on a 30 second timer after the outbound ftp, and keeps the inbound ports open until the timer expires ?

How widespread and usable is the PASV route ? This is easy enough to setup, but do people use it ?

-Charles

From firewalls-owner Mon Dec 26 09:43:08 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA22567 for firewalls-outgoing; Mon, 26 Dec 1994 09:23:03 -0800
Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA22562; Mon, 26 Dec 1994 09:22:55 -0800
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 26 Dec 1994 09:21:59 -0800
To: "Charles B. Kaplan" , firewalls@greatcircle.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: latest trends in FTP proxies and filters
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 13:34 12/25/94, Charles B. Kaplan wrote:
> I have been reviewing some of the archives, but was wondering what
>the latest trend was regarding FTP access (outbound only in my case) through
>a firewall.
>
> How widespread and usable is the PASV route ? This is easy enough
>to setup, but do people use it ?

PASV is almost universally supported by FTP servers.
My understanding is that this is both because PASV is a required part of the FTP protocol spec for the servers, and because Mosaic-like programs with built-in FTP clients tend to use PASV mode. With the rapid growth in popularity of such programs, it seems likely that almost all FTP servers already support PASV mode, and that those that don't will either be upgraded or replaced very shortly. Now, as far as finding clients that'll use PASV mode... Well, like I said, the Mosaic-like programs with built-in FTP support generally use PASV mode, so that's a start. I'm sure there are some standalone Mac/PC FTP clients as well that use PASV mode, but I'm not sure how widespread they are. -Brent -- Brent Chapman | Great Circle Associates | Call or email for info about Brent@GreatCircle.COM | 1057 West Dana Street | upcoming Internet Security +1 415 962 0841 | Mountain View, CA 94041 | Firewalls Tutorial dates From firewalls-owner Mon Dec 26 10:12:59 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA22731 for firewalls-outgoing; Mon, 26 Dec 1994 09:51:10 -0800 Received: from post.demon.co.uk (post.demon.co.uk [158.152.1.72]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA22726 for ; Mon, 26 Dec 1994 09:51:02 -0800 Received: from demon.demon.co.uk by post.demon.co.uk id ab21568; 26 Dec 94 17:49 GMT Received: from ford by demon.demon.co.uk id aa22438; 26 Dec 94 17:49 GMT From: Steve Kennedy Message-Id: <9086.9412261717@ford.gbnet.org> Subject: KarlBridge Info To: firewalls@greatcircle.com Date: Mon, 26 Dec 1994 17:17:52 +0000 (GMT) X-Mailer: ELM [version 2.4 PL24alpha3] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 933 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a quick note to say the KarlBridge has a new information server. 
http://www.demon.co.uk/kbridge/ (this is moving to http://www.gbnet.net/kbridge/ very soon) gopher://gopher.gbnet.net/KarlBridge/ IRC /msg kb_help help email addresses are still :- sales@gbnet.com (UK/Europe) sales@KarlNet.com (US/elsewhere) Regards Steve p.s. hope everyone is having a cool Yule -- ___ |_ ___ ___ Flat 2, 43 Howitt Road (___ | (___) \ / (___) Belsize Park ___) | (___ \/ (___ London NW3 4LU [MIME OK] tel +44-(0)171 483 1169 steve@gbnet.{com,org,net} home (or steve@tel.net) GSM 0802 444500 steve@marvin.demon.co.uk Demon Internet Dial-up data 2400 449500 WWW http://www.demon.co.uk/subscribers/m/marvin/ 9600 449501 UNIX/Networking Consulting steve@NetTek.co.uk fax 449502 From firewalls-owner Mon Dec 26 16:12:59 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA24228 for firewalls-outgoing; Mon, 26 Dec 1994 15:57:02 -0800 Received: from uu3.psi.com (uu3.psi.com [38.145.250.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA24223 for ; Mon, 26 Dec 1994 15:56:59 -0800 Received: from pwcm.com by uu3.psi.com (5.65b/4.0.071791-PSI/PSINet) via SMTP; id AA21898 for firewalls@greatcircle.com; Mon, 26 Dec 94 18:55:38 -0500 Received: from eqdev.pwcm.com (thor.ARPA) by pwcm.com (4.1/3.1.090690-PaineWebber Capital Markets) id AA00597; Mon, 26 Dec 94 18:55:37 EST Date: Mon, 26 Dec 94 18:55:37 EST From: dgumport@eqdev.pwcm.com (Danny Gumport) Received: from elephant.pwcm.com (elephant.ARPA) by eqdev.pwcm.com (4.1/3.2.083191-PaineWebber Soup Kitchen) id AA01244; Mon, 26 Dec 94 18:55:37 EST Message-Id: <9412261855.ZM28074@elephant> In-Reply-To: NetSurfer "Re: Bastion host on Sun Sparc Solaris 2.x" (Nov 11, 5:08) References: X-Mailer: Z-Mail (3.2.0 06sep94) To: firewalls@greatcircle.com Subject: Host naem resolution using TIS v 3.0 Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk okay... I've tried and tried... 
gotten my guys to change dns, created explicit hosts files... I've got the toolkit working great except for name resolution. It just can't match 'em up... the main problem this causes me (since a hostname is not really trustworthy - what is?) is that it seems that names are important to x-gw... any hints ? Thanks -Danny G From firewalls-owner Mon Dec 26 17:13:00 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA24693 for firewalls-outgoing; Mon, 26 Dec 1994 17:08:48 -0800 Received: from noc1.mid.net (noc1.mid.net [198.247.250.15]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id RAA24688 for ; Mon, 26 Dec 1994 17:08:44 -0800 Received: from jayhawk. (jayhawk.mid.net [198.247.250.21]) by noc1.mid.net (8.6.9/8.6.9) with SMTP id TAA11950 for ; Mon, 26 Dec 1994 19:08:25 -0600 Received: by jayhawk. (5.0/SMI-SVR4) id AA26213; Mon, 26 Dec 1994 19:08:25 -0600 From: alan@mid.net (Alan Hannan) Message-Id: <9412270108.AA26213@jayhawk.> Subject: tcp wrapper mailing list To: firewalls@greatcircle.com Date: Mon, 26 Dec 1994 19:08:24 -0600 (CST) X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 417 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk If someone could please point me at a tcp wrapper mailing list, I would greatly appreciate it. -- alan@mid.net Network Operations Center (402)/472-0242, Fax (402)/472-0240 MIDnet, Inc. "Small is the number of them that see with their own eyes and feel with their own hearts." 
- Albert Einstein From firewalls-owner Tue Dec 27 04:43:00 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA27008 for firewalls-outgoing; Tue, 27 Dec 1994 04:28:14 -0800 Received: from lager.cisco.com (lager.cisco.com [171.69.1.148]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id EAA27003 for ; Tue, 27 Dec 1994 04:28:11 -0800 Received: (tli@localhost) by lager.cisco.com (8.6.8+c/CISCO.SERVER.1.1) id EAA05835; Tue, 27 Dec 1994 04:23:40 -0800 Date: Tue, 27 Dec 1994 04:23:40 -0800 From: Tony Li Message-Id: <199412271223.EAA05835@lager.cisco.com> To: danielh@hpber199.swiss.hp.com (Daniel Huber) Cc: firewalls@GreatCircle.COM Subject: "router IP filter compiler" ? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk [Catching up on really old mail] >I have to configure several HP, Cisco and Wellfleet routers with IP packet >filters. Now since the frontends of the routers are quite awkward I wonder if >somebody out there has written a kind of IP packet filter "compiler" which >would create a router-readable configuration based on a simple filter list.. On ftp.cisco.com:pub/acl-examples, you'll find a Perl based access list compiler. With a small amount of programming ;-), it should be possible to extend this to do other syntaxes. Extending it to completely different filtering semantics would be more challenging. 
;-) Tony From firewalls-owner Tue Dec 27 08:16:06 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA27796 for firewalls-outgoing; Tue, 27 Dec 1994 07:47:17 -0800 Received: from mwunix.mitre.org (mwunix.mitre.org [128.29.154.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA27791 for ; Tue, 27 Dec 1994 07:47:14 -0800 Received: from smiley.mitre.org.sit (smiley.mitre.org [128.29.140.20]) by mwunix.mitre.org (8.6.4/8.6.4) with SMTP id KAA21598; Tue, 27 Dec 1994 10:44:38 -0500 Received: from [128.29.140.151] (woycke-mac.mitre.org) by smiley.mitre.org.sit (4.1/SMI-4.1) id AA15636; Tue, 27 Dec 94 10:45:42 EST X-Sender: woycke@128.29.140.20 Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 27 Dec 1994 10:45:51 -0500 To: www-security@ns1.rutgers.edu, firewalls@GreatCircle.COM From: woycke@mitre.org (Daniel W. Woycke) Subject: CGI Scripts an security Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I know, I know, scripts and security are bad ideas together.... I am interested in any comments on the following policy. Using an http proxy to pass through a firewall, but disabling all PUTs and POSTs. This will restrict a CGI script from using the POST method. The GET method requires all of the data to be in the URL. Then, I would apply a search for meta-characters to the URL as it passes through the firewall. This would prevent users from sending meta-characters to scripts. The big problem I see with this is that none of the metacharacters can be used in the URL anywhere (maybe this is good). And of course, all script writers better be doing a darn good job... Thank You, Daniel W. Woycke |"I went out drinking with Thomas Information Engineer (c) 1992|Paine..." -- Billy Bragg The MITRE Corporation |"But I am still thirsty..." 
7525 Colshire Drive (MS Z213)|-- Arrested Development McLean, VA 22102 |These opinions are mine and are not woycke@smiley.mitre.org |and will not be held by anyone else. From firewalls-owner Tue Dec 27 14:43:02 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA29813 for firewalls-outgoing; Tue, 27 Dec 1994 14:38:49 -0800 Received: from news.intelsat.int (news.intelsat.int [164.86.100.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA29808 for ; Tue, 27 Dec 1994 14:38:46 -0800 From: sotiris.baxevanis@x400gw.adm.intelsat.int Received: (from bin@localhost) by news.intelsat.int (8.6.9/8.6.9) id RAA26074 for ; Tue, 27 Dec 1994 17:39:16 -0500 Received: from comsrvpre1.adm.intelsat.int(164.86.33.141) by news via smap (V1.3mjr) id sma026071; Tue Dec 27 17:38:54 1994 Received: by comsrvpr.adm.intelsat.int (1.38.193.5/16.2) id AA03162; Tue, 27 Dec 1994 17:36:52 -0500 Received: by x400gw.adm.intelsat.int via Worldtalk with X400 (3.0.3/1.55) id WT26543.4; Tue, 27 Dec 1994 17:36:52 EST Date: 27 Dec 94 17:36:37 -0500 Reply-To: sotiris.baxevanis@x400gw.adm.intelsat.int To: firewalls@greatcircle.com Subject: TIS configuration of ftp-gw Ua-Content-Id: TIS configuratio P1-Recipient: firewalls%greatcircle.com@news P1-Message-Id: US*MCI*INTELSAT;c\mhsgw\941227173637a Original-Encoded-Information-Types: IA5-Text X400-Trace: US*MCI*INTELSAT; arrival 941227173637-0500 deferred 941227173637-0500 action Relayed Message-Id: P1-Content-Type: P2 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, I'm puzzled as to what the correct syntax is for the logging function in the TIS ftp-gw? In the man pages it simply says -log operation and points to ftpd(8) for a list of known FTP operations, but ftpd(8) does not have any four letter codes like the ones used in the example setup (stor retr). Does anyone have any ideas on this? 
From firewalls-owner Tue Dec 27 16:43:14 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA00577 for firewalls-outgoing; Tue, 27 Dec 1994 16:16:40 -0800 Received: from geoworks.com (fusion.geoworks.com [198.211.200.200]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA28556 for ; Tue, 27 Dec 1994 10:07:25 -0800 From: Marc_Mangus@ccmail.geoworks.com Received: from ccmail.geoworks.com by geoworks.com (4.1/SMI-4.1) id AA25202; Tue, 27 Dec 94 10:04:54 PST Received: from cc:Mail by ccmail.geoworks.com id AA788551446; Tue, 27 Dec 94 10:01:52 PST Date: Tue, 27 Dec 94 10:01:52 PST Encoding: 7 Text Message-Id: <9411277885.AA788551446@ccmail.geoworks.com> To: Firewalls@greatcircle.com Subject: TIS Toolkit and Linux Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I may have missed this thread before, but does anyone know an ftp site where I can get TIS and compile it on Linux? Also has anyone had experience with the shareware-based package from John Mayes Associates? Thanks for the help. 
Marc From firewalls-owner Tue Dec 27 18:13:01 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA01278 for firewalls-outgoing; Tue, 27 Dec 1994 17:58:54 -0800 Received: from chinacat.unicom.com (root@chinacat.unicom.com [192.108.105.34]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id RAA01273 for ; Tue, 27 Dec 1994 17:58:49 -0800 Received: from coldsnap.unicom.com (root@coldsnap.unicom.com [192.108.105.33]) by chinacat.unicom.com (8.6.9/8.6.9) with ESMTP id TAA07849 for ; Tue, 27 Dec 1994 19:56:48 -0600 (CST) Received: (chip@localhost) by coldsnap.unicom.com (8.6.9/8.6.9) id TAA12652 for firewalls@greatcircle.com; Tue, 27 Dec 1994 19:56:44 -0600 (CST) Newsgroups: local.maillist.firewalls Path: chip From: chip@chinacat.unicom.com (Chip Rosenthal) Subject: Re: CGI Scripts an security Organization: Unicom Systems Development, Austin, TX Date: Wed, 28 Dec 1994 01:56:37 GMT Message-ID: References: Apparently-To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In article , Daniel W. Woycke wrote: >I am interested in any comments on the following policy. Using an http >proxy to pass through a firewall, but disabling all PUTs and POSTs. This >will restrict an CGI script from using the POST method. The GET method >requires all of the data to be in the URL. Then, I would apply a search >for meta-characters to the URL as it passes through the firewall. This >would prevent users from sending meta-characters to scripts. I think this is a bad idea. For non-trivial CGI processors, POST is much easier to handle than GET. If you are going to allow CGI processors, then, I believe, from a security viewpoint you should be doing everything you can to simplify them. If that's true, then what you propose is 180 degrees out of phase. Take a look at ftp.unicom.com:/pub/gn-tools/cgi-postin.c and the documentation in http://www.unicom.com/gn-info/gn-tools.html#cgi-postin . 
It would be trivial to add a few ctype(3) tests to restrict the character set for data. If you are going to allow CGI processors, I think you would do more for security by insisting that your users develop their scripts using a tool such as cgi-postin. It will make your CGI scripts simpler (thus less to go wrong and easier to audit) and help deflect attacks through client-provided data. -- Chip Rosenthal |It breaks my heart to see those stars Unicom Systems Development |smashing a perfectly good guitar. (Thank you, Cancelmoose[tm].) | - http://www.unicom.com/john-hiatt/ From firewalls-owner Tue Dec 27 19:43:06 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA01715 for firewalls-outgoing; Tue, 27 Dec 1994 19:31:23 -0800 Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id TAA01710 for ; Tue, 27 Dec 1994 19:31:20 -0800 Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.28.1 #5) id m0rMp1P-0000WsC; Tue, 27 Dec 94 19:25 PST Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA17748; Tue, 27 Dec 1994 19:30:03 +0800 Date: Tue, 27 Dec 1994 19:30:03 +0800 From: patrick@oes.amdahl.com (Patrick Horgan) Message-Id: <9412280330.AA17748@brittany.oes.amdahl.com> To: cbk@magna.telco.com, firewalls@greatcircle.com Subject: Re: latest trends in FTP proxys and filters Content-Length: 1059 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We have hundreds and hundreds of people going out through our firewall to ftp sites. We use the rftp that comes with the socks distribution modified by me to use passive mode. I've never gotten a complaint from users, but from my personal experience there are some sites you can't get to. These fall into three categories: 1) Broken ftp daemon. Some vms systems are like this, but it's uncommon. 2) passive mode disabled by policy. These are even more uncommon, but I've seen a couple. 
3) The site is behind a firewall, and they only let in the initial connection, but not the data connection. These are rare too, but I get frustrated nonetheless...the bind distribution is in this category. All in all, my personal experience over the last couple of years puts the sites I can't reach at less than 1%. The advantage of it is of course that the users use it exactly like normal ftp...they don't have to learn anything new. The Firewall-1 approach, or the Janus approach gets the same result without needing modified clients. Patrick These opinions are mine, and not Amdahl's (except by coincidence;). ~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~ / | | (\ \ | Patrick J. Horgan | Amdahl Corporation | \\ Have | | patrick@oes.amdahl.com | 1250 East Arques Avenue | \\ _ Sword | | Phone : (408)992-2779 | P.O. Box 3470 M/S 316 | \\/ Will | | FAX : (408)773-0833 | Sunnyvale, CA 94088-3470 | _/\\ Travel | \ | O16-2294 | \) / ~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~ From firewalls-owner Tue Dec 27 20:43:09 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA02045 for firewalls-outgoing; Tue, 27 Dec 1994 20:38:09 -0800 Received: from bastion.CinEle.COM (bastion.cinele.com [199.99.87.130]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id UAA02040 for ; Tue, 27 Dec 1994 20:38:05 -0800 Received: from norris.cinele.com by bastion.CinEle.COM (5.0/SMI-SVR4) id AA08907; Tue, 27 Dec 1994 23:37:37 +0500 Message-Id: <9412280437.AA08907@bastion.CinEle.COM> X-Sender: hnorris@linny.CinEle.COM X-Mailer: Windows Eudora Version 2.0.3 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 27 Dec 1994 23:34:47 -0500 To: firewalls@greatcircle.com From: hnorris@CinEle.COM (Harold Norris) Subject: Re: latest trends in FTP proxys and filters content-length: 316 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Just a note re: PASV FTP clients on the PC: I've 
used John A. Junod's WS_FTP client for WINSOCK for a while. It supports PASV, has a slick interface, and works very well. Since it can be picked up from CICA, I imagine it's widely used (though not necessarily in PASV mode). -- Harold Norris (hnorris@CinEle.COM) From firewalls-owner Wed Dec 28 01:43:01 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA03425 for firewalls-outgoing; Wed, 28 Dec 1994 01:34:32 -0800 Received: from chenas.inria.fr (chenas.inria.fr [192.134.192.136]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id BAA03420 for ; Wed, 28 Dec 1994 01:34:25 -0800 Received: from diva.fr (phoenix.diva.fr) by chenas.inria.fr (5.65c8d/92.02.29) via Fnet-EUnet id AA07997; Wed, 28 Dec 1994 10:33:04 +0100 (MET) Received: from diva.diva.fr by diva.fr (4.1/SMI-4.1) id AA13918; Wed, 28 Dec 94 10:31:24 +0100 Received: from galaxia.diva.fr by diva.diva.fr (4.1/SMI-4.1) id AA13943; Wed, 28 Dec 94 10:31:18 +0100 Received: by galaxia.diva.fr (5.x/SMI-SVR4) id AA01645; Wed, 28 Dec 1994 10:31:44 +0100 Date: Wed, 28 Dec 1994 10:31:44 +0100 From: Eric.Deschamps@diva.fr (Eric Deschamps) Message-Id: <9412280931.AA01645@galaxia.diva.fr> To: firewalls@greatcircle.com Subject: Application gateways X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, I would like to have some details concerning how an application gateway works. For example, if we look at how ftp works : - At the beginning we pick a random port ( say 32768 ) and we make a connection to a remote port 21. - The remote host connects directly to our local host on the random port ( 32768 ) The exact exchange is not important here, but the principle is there. Now I would like to know how this kind of exchange works with an application gateway. - At the beginning we still pick a random port ( 32768 ) and then we make a connection to the application gateway. Is it right ? - Then the application relays the connection to the remote host on port 21. 
Is the relay transparent for the client, or must the client connect to the application gateway ? I think that the application gateway makes an arrangement, so the connection is between a well known port ( not random on the application gateway ) and the remote port 21. Is it right ? - Then what does the remote host do ? Does it connect directly to our local host or does it always pass through the application gateway ? I hope this is clear enough :-) Regards Eric Deschamps From firewalls-owner Wed Dec 28 05:13:12 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA04408 for firewalls-outgoing; Wed, 28 Dec 1994 04:53:19 -0800 Received: from mwunix.mitre.org (mwunix.mitre.org [128.29.154.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id EAA04401 for ; Wed, 28 Dec 1994 04:53:16 -0800 Received: from smiley.mitre.org.sit (smiley.mitre.org [128.29.140.20]) by mwunix.mitre.org (8.6.4/8.6.4) with SMTP id HAA21434; Wed, 28 Dec 1994 07:50:43 -0500 Received: from [128.29.140.151] (woycke-mac.mitre.org) by smiley.mitre.org.sit (4.1/SMI-4.1) id AA27015; Wed, 28 Dec 94 07:51:48 EST X-Sender: woycke@128.29.140.20 Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 28 Dec 1994 07:51:57 -0500 To: chip@chinacat.unicom.com (Chip Rosenthal) From: woycke@mitre.org (Daniel W. Woycke) Subject: Re: CGI Scripts an security Cc: firewalls@GreatCircle.COM, www-security@ns1.rutgers.edu Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >In article , >I think this is a bad idea. For non-trivial CGI processors, POST is >much easier to handle than GET. If you are going to allow CGI >processors, then, I believe, from a security viewpoint you should be >doing everything you can to simplify them. If that's true, then what >you propose is 180 degrees out of phase. > >Take a look at ftp.unicom.com:/pub/gn-tools/cgi-postin.c and the >documentation in http://www.unicom.com/gn-info/gn-tools.html#cgi-postin . 
>It would be trivial to add a few ctype(3) tests to restrict the >character set for data. > >If you are going to allow CGI processors, I think you would do more >for security by insisting that your users develop their scripts using >a tool such as cgi-postin. It will make your CGI scripts will be >simpler (thus less to go wrong and easier to audit) and help deflect >attacks through client-provided data. >-- >Chip Rosenthal |It breaks my heart to see those stars >Unicom Systems Development |smashing a perfectly good guitar. >(Thank you, Cancelmoose[tm].) | - http://www.unicom.com/john-hiatt/ I will look at CGIpostin, thank you for that information. But, I agree that get is bad for non-trivial scripts, but the basic philosophy behind firewalls is to have one point to concentrate your security resources. If I require the user community to write "trusted" cgi scripts then I am relying on this community, not something I have control over (the firewall). Thank You, Daniel W. Woycke |"I went out drinking with Thomas Information Engineer (c) 1992|Paine..." -- Billy Bragg The MITRE Corporation |"But I am still thirsty..." 7525 Colshire Drive (MS Z213)|-- Arrested Development McLean, VA 22102 |These opinions are mine and are not woycke@smiley.mitre.org |and will not be held by anyone else. 
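An added example of the two positions argued in this thread, written in Python for this page; it is not code from any of the messages and it is not cgi-postin. It puts a proxy-side check along the lines of Woycke's proposal (refuse anything but GET and HEAD, reject a URL whose decoded components carry shell metacharacters) next to the per-field whitelist of the ctype(3) kind that Rosenthal recommends inside the CGI program. The request lines, field names, field rules and the metacharacter set are all constructed for the example. Two things it shows that the messages only imply: the proxy has to decode %XX escapes before looking, because the script sees decoded bytes and "%3B" would otherwise pass as harmless text; and a generic metacharacter list misses values (a plain space, for instance) that still split an unquoted command line, which only a field-level rule catches.

```python
"""
Added example (not from the list messages, and not cgi-postin): a proxy-side
metacharacter check in the spirit of Woycke's proposal, next to the kind of
per-field whitelist Rosenthal recommends inside the CGI program.
All request lines, field names and rules below are constructed.
"""
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Characters that /bin/sh treats specially; a CGI that hands a value to
# system() or popen() without quoting is exposed to every one of them.
# The exact set is an assumption for this example.
SHELL_META = set(";|&`$<>(){}[]*?!~\\'\"\n\r")

# Methods the proxy policy lets through; PUT and POST are refused.
ALLOWED_METHODS = {"GET", "HEAD"}


def split_query(query):
    """Split a query string on '&' and decode each name and value."""
    pairs = []
    for item in query.split("&"):
        if not item:
            continue
        name, _, value = item.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def proxy_decision(request_line):
    """
    Apply the proxy policy to one HTTP request line such as
    'GET /cgi-bin/search?q=foo HTTP/1.0'.  Returns (allowed, reason).
    """
    try:
        method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return False, "malformed request line"
    if method not in ALLOWED_METHODS:
        return False, "method %s not permitted" % method
    parts = urlsplit(target)
    # Inspect the *decoded* path and fields: the script sees decoded bytes,
    # so matching on the raw URL would let "%3B" (a ';') straight through.
    pieces = [unquote(parts.path)]
    for name, value in split_query(parts.query):
        pieces.extend((name, value))
    bad = set()
    for piece in pieces:
        bad |= set(piece) & SHELL_META
    if bad:
        return False, "metacharacters in URL: %s" % "".join(sorted(bad))
    return True, "ok"


# What the CGI author knows and the proxy cannot: the shape of each field
# (hypothetical field names for this example).
FIELD_RULES = {
    "user": re.compile(r"^[A-Za-z0-9_.-]{1,32}$"),
    "q": re.compile(r"^[A-Za-z0-9 ]{1,80}$"),
}


def validate_fields(query):
    """
    Check every field against its whitelist.  Unknown fields and values
    outside the allowed character set are rejected.  Returns (clean, errors).
    """
    clean, errors = {}, []
    for name, value in split_query(query):
        rule = FIELD_RULES.get(name)
        if rule is None:
            errors.append("unexpected field %r" % name)
        elif not rule.match(value):
            errors.append("field %r rejected: %r" % (name, value))
        else:
            clean[name] = value
    return clean, errors


def check_request(request_line):
    """Proxy policy first, then the per-field rules.  Returns (allowed, reason)."""
    allowed, reason = proxy_decision(request_line)
    if not allowed:
        return False, reason
    target = request_line.split(" ", 2)[1]
    _clean, errors = validate_fields(urlsplit(target).query)
    if errors:
        return False, "; ".join(errors)
    return True, "ok"


# Constructed requests: a benign search; an encoded ';' and '<' that the
# proxy only sees after decoding; a POST; and a space in a field, which is
# not a shell metacharacter but still splits an unquoted command line, so
# only the field rule catches it.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/search?q=firewall+toolkit HTTP/1.0",
    "GET /cgi-bin/search?q=x%3Bcat%20%3C%2Fetc%2Fmotd HTTP/1.0",
    "POST /cgi-bin/search HTTP/1.0",
    "GET /cgi-bin/search?user=jane%20doe HTTP/1.0",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print("%-60s -> %s" % (req, check_request(req)))
```

check_request runs the two layers in order, so running the file prints the verdict each constructed request gets: the encoded request and the POST are stopped at the proxy, the space in the user field is stopped only by the field rule. Note that the proxy check inspects decoded path and field values separately rather than the raw URL, because '?', '&' and '=' are themselves shell-special and a literal search over the whole URL would reject every query.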
From firewalls-owner Wed Dec 28 05:25:51 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA04456 for firewalls-outgoing; Wed, 28 Dec 1994 04:59:56 -0800 Received: from mwunix.mitre.org (mwunix.mitre.org [128.29.154.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id EAA04451 for ; Wed, 28 Dec 1994 04:59:53 -0800 Received: from smiley.mitre.org.sit (smiley.mitre.org [128.29.140.20]) by mwunix.mitre.org (8.6.4/8.6.4) with SMTP id HAA21923; Wed, 28 Dec 1994 07:57:22 -0500 Received: from [128.29.140.151] (woycke-mac.mitre.org) by smiley.mitre.org.sit (4.1/SMI-4.1) id AA27407; Wed, 28 Dec 94 07:58:27 EST X-Sender: woycke@128.29.140.20 Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 28 Dec 1994 07:58:36 -0500 To: sotiris.baxevanis@x400gw.adm.intelsat.int From: woycke@mitre.org (Daniel W. Woycke) Subject: Re: TIS configuration of ftp-gw Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 5:36 PM 12/27/94, sotiris.baxevanis@x400gw.adm.intelsat.int wrote: >Hello, I'm puzzled as to what the correct syntax is for the logging function >in the TIS ftp-gw? > >In the man pages it simply says -log operation and points to ftpd(8) for a >list of known FTP operations, but ftpd(8) does not have any four letter >codes like the ones used in the example setup (stor retr). > >Does anyone have any ideas on this? I think the folks at TIS had a different ftpd man page. The list is pretty complete in ftp-gw.c in the structure "ops". Otherwise, go to the ftp or ftpd source code. Thank You, Daniel W. Woycke |"I went out drinking with Thomas Information Engineer (c) 1992|Paine..." -- Billy Bragg The MITRE Corporation |"But I am still thirsty..." 7525 Colshire Drive (MS Z213)|-- Arrested Development McLean, VA 22102 |These opinions are mine and are not woycke@smiley.mitre.org |and will not be held by anyone else. 
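The FTP exchange Eric asks about (who opens the data connection, and what that means for an application gateway), Patrick's point about PASV mode, and the ftp-gw "-log operation" question above, as one added Python example written for this page; it is not code from the list messages and not from the TIS toolkit. It walks a constructed control-channel transcript the way a gateway sitting between client and server would: decoding PORT arguments and 227 replies, recording which side initiates each data connection, and picking the four-letter verbs to log out of the command stream. The hosts, ports, transcript and the default set of logged verbs are made-up assumptions for the example.

```python
"""
Added example (not from the list messages, not TIS fwtk code): a minimal
model of what an FTP application gateway sees on the control channel.

  * PORT (active mode): the client advertises an address, and the remote
    server connects back to it, so the inbound path must be open.
  * PASV (passive mode): the server advertises an address in its 227
    reply, and the client connects outbound to it.
  * "-log" style filtering: log only the FTP verbs named in a set.

The transcript below is constructed; hosts and ports are made up.
"""
import re

# Four-letter FTP verbs worth logging, in the style of "-log stor retr".
# PASS is deliberately absent so passwords never reach the log.
# The set itself is an assumption for this example.
DEFAULT_LOG_OPS = frozenset({"stor", "retr", "dele", "rnfr", "rnto", "user"})

_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_hostport(arg):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("expected six comma-separated numbers: %r" % arg)
    nums = [int(p) for p in parts]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("value out of range: %r" % arg)
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def parse_pasv_reply(line):
    """Extract the server's data endpoint from a '227 Entering Passive Mode' reply."""
    m = _PASV_RE.match(line)
    if not m:
        raise ValueError("not a 227 reply: %r" % line)
    return parse_hostport(",".join(m.groups()))


def relay(transcript, log_ops=DEFAULT_LOG_OPS, client_ip="10.0.0.5"):
    """
    Walk a control-channel transcript as a gateway would.

    transcript: list of (direction, line); direction is "C" for lines the
    client sent and "S" for lines the server sent.
    Returns (log, data_connections):
      log              - (client, verb, argument) for verbs in log_ops
      data_connections - (mode, initiator, (ip, port)) per data channel
    """
    log = []
    data_connections = []
    for direction, line in transcript:
        if direction == "C":
            verb, _, arg = line.partition(" ")
            verb = verb.lower()
            if verb in log_ops:
                # USER reveals the account; the transfer verbs reveal filenames.
                log.append((client_ip, verb, arg))
            if verb == "port":
                # Active mode: the *server* will connect back to this endpoint.
                ip, port = parse_hostport(arg)
                data_connections.append(("active", "server", (ip, port)))
        elif direction == "S" and line.startswith("227"):
            # Passive mode: the *client* opens the data connection outbound,
            # which is why PASV is the firewall-friendly choice.
            ip, port = parse_pasv_reply(line)
            data_connections.append(("passive", "client", (ip, port)))
    return log, data_connections


# Constructed transcript: one active-mode and one passive-mode transfer.
SAMPLE_TRANSCRIPT = [
    ("S", "220 ftp.example.net FTP server ready."),
    ("C", "USER anonymous"),
    ("S", "331 Guest login ok, send e-mail address as password."),
    ("C", "PASS user@example.com"),
    ("S", "230 Guest login ok, access restrictions apply."),
    ("C", "PORT 10,0,0,5,4,1"),
    ("S", "200 PORT command successful."),
    ("C", "RETR README"),
    ("S", "150 Opening ASCII mode data connection for README."),
    ("S", "226 Transfer complete."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,7,19,137)."),
    ("C", "STOR upload.txt"),
    ("S", "150 Opening BINARY mode data connection for upload.txt."),
    ("S", "226 Transfer complete."),
    ("C", "QUIT"),
]

if __name__ == "__main__":
    log, conns = relay(SAMPLE_TRANSCRIPT)
    for entry in log:
        print("log: %s %s %s" % entry)
    for mode, initiator, (ip, port) in conns:
        print("%s mode: %s connects to %s:%d" % (mode, initiator, ip, port))
```

Run as a script it prints three logged operations (user, retr, stor) and the two data connections: in active mode the remote server connects back to the client's advertised port, which is the inbound connection a packet filter has to admit; in passive mode the client connects outbound to the server's advertised port. A gateway that relays the data channel as well as the control channel would rewrite these advertised addresses to its own, so that neither side ever connects directly to the other.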
From firewalls-owner Wed Dec 28 05:43:02 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA04787 for firewalls-outgoing; Wed, 28 Dec 1994 05:41:43 -0800 Received: from gatekeeper.ddp.state.me.us (gatekeeper.ddp.state.me.us [141.114.130.70]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id FAA04780 for ; Wed, 28 Dec 1994 05:41:38 -0800 Received: from localhost by gatekeeper.ddp.state.me.us (8.6.5/1.37) id IAA23404; Wed, 28 Dec 1994 08:36:28 -0500 Date: Wed, 28 Dec 1994 08:36:27 -0500 (EST) From: David Miller Subject: Issuing RFP To: firewalls@greatcircle.com Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The State of Maine will soon be issuing an RFP for consulting services related to the design and possible implementation of an Internet Firewall. Vendors of such services or firewalls are encouraged to send me private e-mail to receive a copy of the RFP. Please indicate whether your company wants to provide the services, the firewall itself, or both. Thanks in advance, --- David ---------------------------------------------------------------------------- It's *amazing* what one can accomplish when one doesn't know what one can't do! From firewalls-owner Wed Dec 28 05:54:10 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA04725 for firewalls-outgoing; Wed, 28 Dec 1994 05:38:18 -0800 Received: from srv.cip.physik.tu-muenchen.de (srv.cip.physik.tu-muenchen.de [129.187.41.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA04720 for ; Wed, 28 Dec 1994 05:38:12 -0800 Received: from ss3.cip.physik.tu-muenchen.de by srv.cip.physik.tu-muenchen.de with SMTP id AA14938 for (5.67a/IDA-1.5/bs03); Wed, 28 Dec 1994 14:36:29 +0100 Message-Id: <199412281336.AA14938@srv.cip.physik.tu-muenchen.de> To: woycke@mitre.org (Daniel W. 
Woycke) Cc: firewalls@greatcircle.com, www-security@ns1.rutgers.edu Subject: Re: CGI Scripts an security In-Reply-To: Your message of "Wed, 28 Dec 94 07:51:57 EST." Date: Wed, 28 Dec 94 14:36:28 +0100 From: Bernhard.Schneck@Physik.TU-Muenchen.DE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In message you write: > But, I agree that get is bad for non-trivial scripts, but the basic > philosophy behind firewalls is to have one point to concentrate your > security resources. If I require the user community to write "trusted" cgi > scripts then I am relying on this community, not something I have control > over (the firewall). I usually recommend having as few things as possible tunnel through a firewall from the outside. Can't you put your web server in the DMZ area? I've set up several sites with this geometry: - the externally accessible net has the WAN router, the Firewall System, and the external WEB server. - The internal net has the internal WEB server. All internal clients proxy to the internal WWW server, which does caching and proxies to the firewall. It also has all internal documents. On the Firewall System, a TIS plug-gw (or build-alike) connects all internal http requests through to the external WWW server (but NOT vice versa) On the external WWW server, only externally accessible documents (or CGIs) are provided. With this setup, there is (almost) zero risk to get access to internal documents from the outside (do *you* trust access lists in multi-megabyte software??) and little risk for attacks on the firewall system, even if the WWW server system gets compromised (if you build your DMZ net carefully) \Bernhard. 
From firewalls-owner Wed Dec 28 06:07:16 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA04718 for firewalls-outgoing; Wed, 28 Dec 1994 05:38:07 -0800 Received: from uu3.psi.com (uu3.psi.com [38.145.250.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA04713 for ; Wed, 28 Dec 1994 05:37:58 -0800 Received: from pwcm.com by uu3.psi.com (5.65b/4.0.071791-PSI/PSINet) via SMTP; id AA04286 for firewalls@greatcircle.com; Wed, 28 Dec 94 08:36:37 -0500 Received: from elephant (elephant.ARPA) by pwcm.com (4.1/3.1.090690-PaineWebber Capital Markets) id AA09865; Wed, 28 Dec 94 08:36:34 EST Message-Id: <9412281336.AA09865@pwcm.com> From: Danny Gumport Date: Wed, 28 Dec 94 08:36:57 -500 To: sotiris.baxevanis@intelsat.int, firewalls@greatcircle.com Mime-Version: 1.0 X-Mailer: Mozilla/0.96 Beta (X11; SunOS 4.1.3 sun4m) Content-Type: multipart/mixed; boundary="-------------------------------16056235051948237110720254007" Subject: Re: Automatic syslog scanning - ftp://ftp.tis.com/pub/firewalls/toolkit/contrib/tcl-fwtk-logwatcher X-Url: ftp://ftp.tis.com/pub/firewalls/toolkit/contrib/tcl-fwtk-logwatcher Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Here is the description and locations of all the pieces... it does work. 
-Danny G > From fwall-users-request Fri Dec 9 13:49:31 1994 > Received: by tis.com (4.1/SUN-5.64) > id AA16086; Fri, 9 Dec 94 13:32:10 EST > Received: from relay.tis.com by tis.com (4.1/SUN-5.64) > id AA16082; Fri, 9 Dec 94 13:32:09 EST > Received: from cs.sandia.gov(132.175.13.2) by relay via smap (V1.3) > id sma006322; Fri Dec 9 13:33:59 1994 > Received: from work.cs.sandia.gov.noname by cs.sandia.gov with smtp > (Smail3.1.28.1 #5) id m0rGA8W-000XQIC; Fri, 9 Dec 94 11:33 MST > Received: by work.cs.sandia.gov.noname (4.1/SMI-4.1) > id AA12519; Fri, 9 Dec 94 11:33:32 MST > Date: Fri, 9 Dec 94 11:33:32 MST > From: mccurley@cs.sandia.gov (Kevin S. McCurley) > Message-Id: <9412091833.AA12519@work.cs.sandia.gov.noname> > To: fwtk-users@tis.com > Subject: X-windows GUI interface to fwtk logs > Status: RO > > > I have written a tcl-based X windows tool for monitoring syslog > messages produced by the TIS firewall toolkit. It is completely > unpolished, but other users may be interested in it. It is available > from ftp.cs.sandia.gov (132.175.18.3) via anonymous ftp in the > file pub/source/fwtk_watch.tar. > > Kevin McCurley > Sandia National Laboratories > > ------------- the README file follows ---------------------- > > The TIS firewalls toolkit can generate quite a few different log > events, most of which are quite routine, but some of which are more > serious: > > * signs of an attack in progress > * a user's failed login attempts when they forget how > * a configuration error > > fwtk_watch is a tcl script tool to actively monitor such events. It > provides three capabilities: > > * a GUI to monitor a logfile as it is being generated, displaying > more serious events in a more noticeable color. > * a GUI to inspect a static logfile, looking for certain patterns. > * a GUI interface to the reporting tools provided with the TIS toolkit > (e.g., netacl-summ.sh). 
> > This code was inspired by seeing a demonstration of NERD, the Network > Event Recording Device, written by David Simmons and Ronald Wilkins at > Los Alamos. I was also partly interested in how hard it was to write > graphical interface code in tcl/tk for X windows displays. I have > made no attempt to present the code in a polished fashion, or to make > it easy to configure. The entire script is only a little over 500 > lines, so most people should be able to read and understand the entire > code to make appropriate modifications for their site. The use of > fwtk_watch will require several things to be installed on your system: > > tcl (I used version 7.3) > tk (I used version 3.6) > the addinput-3.6b modifications to tk, which require recompiling tk. > > Each of these are available under the URL ftp://ftp.aud.alcatel.com/tcl. > > The code for fwtk_watch is based on code for Searchbox, and includes the > copyright for searchbox. The shar file containing fwtk_watch has several > files included: > > fwtk_watch: the wish script for the application > taputils.tcl: some utilities distributed with searchbox > searchbox.tcl: the searchbox code > fileselect.tcl: code to do a file selection dialog box > > In order to access the reporting scripts of the TIS toolkit (from > tools/admin/reporting) you will need to modify them to accept > arguments on the command line. This is easy: for example, in > ftp-summ.sh, simply insert a line like > > LOGS=$* > > and then later change the line > > grep 'ftp-gw.*:' | awk ' > > to say > > grep 'ftp-gw.*:' $LOGS | awk ' > > Known deficiencies: > * it needs to be made more configurable. The things that I flag as > significant may not matter to others, and I may have missed things. > * tcl is dog slow to manipulate large files (ours typically get to be up > to three megabytes) > * the filtering needs to apply to monitoring as well as static > file inspection. 
> * it depends on too many things being available (tcl, tk, fileselect, etc) > > This code is offered without warranty or support of any kind. I have found > it useful, and I provide it to others mostly as a starting point to develop > their own tools. I welcome suggestions or criticisms. > > Kevin McCurley > Sandia National Laboratories > (mccurley@cs.sandia.gov)
From firewalls-owner Wed Dec 28 07:43:06 1994 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA05791 for firewalls-outgoing; Wed, 28 Dec 1994 07:41:07 -0800 Received: from uu5.psi.com (uu5.psi.com [38.145.226.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA05786 for ; Wed, 28 Dec 1994 07:41:03 -0800 Received: from ugh.UUCP by uu5.psi.com (5.65b/4.0.071791-PSI/PSINet) via UUCP; id AA20098 for ; Wed, 28 Dec 94 10:30:59 -0500 Received: from hq.cac.com by ugh.cac.com (4.1/SMI-4.1) id AA14167; Wed, 28 Dec 94 10:19:30 EST Received: by hq.cac.com with Microsoft Mail id <2F01AC95@hq.cac.com>; Wed, 28 Dec 94 10:21:09 PST From: Jay Clements To: David Miller Subject: Firewalls and Security Assessment Services Date: Wed, 28 Dec 94 10:16:00 PST Message-Id: <2F01AC95@hq.cac.com> Encoding: 69 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Computing Analysis Corporation (CAC) is ready to respond to The State of Maine requirements for support. We have in-place resources to perform either or both requirements in either in a parallel fashion or serial mode. Our personnel are eager for the opportunity to support this requirement and begin building a business relationship. 
Our personnel have experience with the Department of Defense, the National
Security Agency, Department of Justice, the National Aeronautic and Space
Administration, and our support services contract to the Advanced Research
Projects Agency - we are fully capable of providing the required services.

Our technical and management approach brings to bear the full spectrum of
this experience which ensures a complete security assessment, incorporating
network, user applications, encryption, and proven risk reduction measures.
Our assessment of the system/network susceptibility (ability to be
penetrated, disrupted, degraded, and/or damaged in whole or in part) and its
vulnerability (assessment of the probabilities and potential targets) will
include recommendations scaled according to the exploitation threat.

While statistics may vary, more than 90 percent of security incidents are
not a result of penetration from off-site. Improper or weak procedures such
as users not educated in the proper use of passwords, or workstations left
on after-hours, account for more incidents than sophisticated and dedicated
hackers breaking through well managed wide area or local area networks.

Evaluation of counter-measures to protect network and systems assets
include:
  o User Education and Training
  o Authorization/Authentication
  o Encryption
  o Hardware and Software Firewalls
  o Intrusion Detection and Monitoring

Our assessment will incorporate both the experience of our personnel and our
company experience from our support to ARPA's networks and systems. CAC
welcomes the opportunity to support your requirements.

Security compromise, on an open system, occurs at an alarming rate. We
have the in-place resources to perform on a timely basis. Our personnel are
eager for the opportunity to support this requirement and help close the
door on compromised systems while maintaining user availability.

Dear Mr. Miller,

The preceding was provided/updated from an Executive Summary for our
proposal to Sprint/SAIC for services they required on a government project.
They came to us seeking assistance. With our customer base that includes
MIS support to ARPA, personnel with NSA and DoD experience, I know why they
called us. As a provider of services, we have no conflict of interest in
recommending the best product mix or implementation in the most cost
effective way.

In this new world of Internet, we have the collective experience to provide
quality services. We would welcome the opportunity to respond to any RFP of
a similar nature. If you would like more information, please give me a call
(703) 527-3020x184 or e-mail return.

Respectfully Yours

Jay B. Clements

jclements@cac.com

1100 N Glebe Rd Suite 750
Arlington VA 22201-4798

please confirm receipt of this message.

From firewalls-owner Wed Dec 28 08:13:07 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA05957 for firewalls-outgoing; Wed, 28 Dec 1994 08:04:11 -0800
Received: from gate.projo.com (gate.projo.com [147.136.254.253]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA05952 for ; Wed, 28 Dec 1994 08:04:09 -0800
Received: (from smap@localhost) by gate.projo.com (8.6.9/8.6.9) id LAA02606 for ; Wed, 28 Dec 1994 11:02:21 -0500
Received: from hades.projo.com(147.136.5.207) by gate via smap (V1.3mjr) id sma002601; Wed Dec 28 11:01:34 1994
Received: by ProJo.COM (4.1/projo-srv1.0) id AA06829; Wed, 28 Dec 94 11:01:32 EST
Date: Wed, 28 Dec 94 11:01:32 EST
Message-Id: <9412281601.AA06829@ProJo.COM>
From: "Brian Stormont"
To: firewalls@greatcircle.com
Subject: Doorknob twisting
Original-To: inet:firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone have a suggestion for response to probes of every port number
on a certain ip address? Should it just be ignored, or should the probing
site's admin be contacted?

I realize it's not necessarily harmful activity, so I'm not looking for
ideas for retribution; I was just curious what policy might make the most
sense. Recently we've started getting such broadband probes at our site.

Thanks,
-brian

From firewalls-owner Wed Dec 28 08:26:43 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA05947 for firewalls-outgoing; Wed, 28 Dec 1994 08:03:21 -0800
Received: from clavin (clavin.uprc.com [144.94.68.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA05936 for ; Wed, 28 Dec 1994 08:03:15 -0800
Received: from cygnus.uprc.com by clavin (4.1/3.2.012693-Union Pacific Resources Company); id AA16357 for firewalls@greatcircle.com; Wed, 28 Dec 94 10:02:45 CST
Received: by cygnus.uprc.com (5.0/SMI-SVR4) id AA06671; Wed, 28 Dec 1994 10:02:44 +0600
Date: Wed, 28 Dec 1994 10:02:44 +0600
From: z056716@uprc.com (LaCoursiere J. D. (Jeff))
Message-Id: <9412281602.AA06671@cygnus.uprc.com>
To: firewalls@greatcircle.com, jay@cac.com
Subject: Re: Firewalls and Security Assessment Services
X-Sun-Charset: US-ASCII
Content-Length: 3943
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I urge the State of Maine to disqualify those consulting agencies that
can't keep their responses off the list.

Jeff LaCoursiere
Network Admin
UPRC Ft. Worth, TX

/**********************************************************************
 THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE
 **********************************************************************/

> From firewalls-owner@GreatCircle.COM Wed Dec 28 09:56 CST 1994
> From: Jay Clements
> To: David Miller
> Subject: Firewalls and Security Assessment Services
> Date: Wed, 28 Dec 94 10:16:00 PST
> Encoding: 69 TEXT
>
>
> Computing Analysis Corporation (CAC) is ready to respond to The State of
> Maine requirements for support. We have in-place resources to perform
> either or both requirements in either a parallel fashion or serial mode.
> Our personnel are eager for the opportunity to support this requirement and
> begin building a business relationship.
>
> Our personnel have experience with the Department of Defense, the National
> Security Agency, Department of Justice, the National Aeronautic and Space
> Administration, and our support services contract to the Advanced Research
> Projects Agency - we are fully capable of providing the required services.
>
> Our technical and management approach brings to bear the full spectrum of
> this experience which ensures a complete security assessment, incorporating
> network, user applications, encryption, and proven risk reduction measures.
> Our assessment of the system/network susceptibility (ability to be
> penetrated, disrupted, degraded, and/or damaged in whole or in part) and its
> vulnerability (assessment of the probabilities and potential targets) will
> include recommendations scaled according to the exploitation threat.
>
> While statistics may vary, more than 90 percent of security incidents are
> not a result of penetration from off-site. Improper or weak procedures such
> as users not educated in the proper use of passwords, or workstations left
> on after-hours, account for more incidents than sophisticated and dedicated
> hackers breaking through well managed wide area or local area networks.
>
> Evaluation of counter-measures to protect network and systems assets
> include:
>   o User Education and Training
>   o Authorization/Authentication
>   o Encryption
>   o Hardware and Software Firewalls
>   o Intrusion Detection and Monitoring
>
> Our assessment will incorporate both the experience of our personnel and our
> company experience from our support to ARPA's networks and systems. CAC
> welcomes the opportunity to support your requirements.
>
> Security compromise, on an open system, occurs at an alarming rate. We
> have the in-place resources to perform on a timely basis.
> Our personnel are
> eager for the opportunity to support this requirement and help close the
> door on compromised systems while maintaining user availability.
>
> Dear Mr. Miller,
>
> The preceding was provided/updated from an Executive Summary for our
> proposal to Sprint/SAIC for services they required on a government project.
> They came to us seeking assistance. With our customer base that includes
> MIS support to ARPA, personnel with NSA and DoD experience, I know why they
> called us. As a provider of services, we have no conflict of interest in
> recommending the best product mix or implementation in the most cost
> effective way.
>
> In this new world of Internet, we have the collective experience to provide
> quality services. We would welcome the opportunity to respond to any RFP of
> a similar nature. If you would like more information, please give me a call
> (703) 527-3020x184 or e-mail return.
>
> Respectfully Yours
>
> Jay B. Clements
>
> jclements@cac.com
>
> 1100 N Glebe Rd Suite 750
> Arlington VA 22201-4798
>
> please confirm receipt of this message.
>
>

From firewalls-owner Wed Dec 28 08:43:18 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA06201 for firewalls-outgoing; Wed, 28 Dec 1994 08:32:35 -0800
Received: from gatekeeper.ddp.state.me.us (gatekeeper.ddp.state.me.us [141.114.130.70]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA06196 for ; Wed, 28 Dec 1994 08:32:29 -0800
Received: from localhost by gatekeeper.ddp.state.me.us (8.6.5/1.37) id LAA27238; Wed, 28 Dec 1994 11:26:49 -0500
Date: Wed, 28 Dec 1994 11:26:49 -0500 (EST)
From: David Miller
Subject: Re: Firewalls and Security Assessment Services
To: Jay Clements
cc: David Miller
In-Reply-To: <2F01AC95@hq.cac.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 28 Dec 1994, Jay Clements wrote:

>
> Respectfully Yours
>
> Jay B. Clements
>
> jclements@cac.com
>
> 1100 N Glebe Rd Suite 750
> Arlington VA 22201-4798
>
> please confirm receipt of this message.

Confirmed :)

--- David
----------------------------------------------------------------------------
It's *amazing* what one can accomplish when one doesn't know what one can't do!

From firewalls-owner Wed Dec 28 08:58:27 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA06100 for firewalls-outgoing; Wed, 28 Dec 1994 08:24:57 -0800
Received: from pjl53ig.i-p.attmail.com (PJL53IG.I-P.MAIL.ATT.NET [198.152.2.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA06095 for ; Wed, 28 Dec 1994 08:24:54 -0800
Date: Wed, 28 Dec 1994 09:30:26 -0700
From: phmff@phuxf.attmail.com (phmff)
Received: from phuxf by attmail; Wed Dec 28 16:21 GMT 1994
To: jclement@cac.com, firewalls@greatcircle.com
Content-Type: Text
Message-ID:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From: M. Fabian Foote, WAN Administrator
      Cable Systems International (CSI)
      505 N. 51st. Ave. MS510
      Phoenix, AZ 85043
      voice: 602.233.5210
      FAX: 602.233.5069/5878
      email: phmff@phuxf.attmail.com

Subject: RFC Requests

Please send me via email the following RFC's

Please send me the following information (via email)

  RFC 1035; RFC 1597; RFC 1591; RFC 1034/1035; RFC 1480
  RFC 1032; RFC 1033; RFC 1101

Reason: We are building a Large WAN/LAN network using PacNet/USWest as the
WAN Frame relay providers, and will have a large CISCO7000 as the main
Phoenix hub with multiple 2505's around the country using Novell 4.1 and
TCP/IP. I'm trying to find information on FIREWALL security, EIGRP/RIP
addressing using OSPF with multiple C addressing/subnetting.

Respectfully,

M. Fabian Foote

From firewalls-owner Wed Dec 28 09:13:54 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA06449 for firewalls-outgoing; Wed, 28 Dec 1994 08:49:56 -0800
Received: from erenj.com (ereapp.erenj.com [159.70.31.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA06444 for ; Wed, 28 Dec 1994 08:49:51 -0800
Posted-Date: Wed, 28 Dec 1994 11:48:26 -0500
From: "Bryan D. Boyle"
Message-Id: <9412281148.ZM18675@maverick.erenj.com>
Date: Wed, 28 Dec 1994 11:48:26 -0500
In-Reply-To: z056716@uprc.com (LaCoursiere J. D. (Jeff)) "Re: Firewalls and Security Assessment Services" (Dec 28, 10:02am)
References: <9412281602.AA06671@cygnus.uprc.com>
X-Phone: (908) 730-3338
X-Saying: Strange problems call for strange solutions.
X-Life: Get One
X-Mailer: Z-Mail (3.2.0 06sep94)
To: firewalls@greatcircle.com
Subject: Re: Firewalls and Security Assessment Services
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Dec 28, 10:02am, LaCoursiere J. D. (Jeff) wrote:
> Subject: Re: Firewalls and Security Assessment Services
>
> I urge the State of Maine to disqualify those consulting agencies that
> can't keep their responses off the list.
>
>

which would, to me, indicate an inability to use the existing tools
properly, as well as an inappropriate use of resources.

I agree.

--
Bryan D. Boyle  |Physical: ER&E, Clinton, NJ (908) 730-3338
#include        |Virtual: bdboyle@erenj.com
World-Wide-Web: http://www.digimark.net/bdboyle/index.html
http://www.digimark.net/bdboyle/pubkey.html for pgp public key

From firewalls-owner Wed Dec 28 09:43:39 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA07057 for firewalls-outgoing; Wed, 28 Dec 1994 09:26:10 -0800
Received: from uni (uni.ins.com [199.0.193.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA07048 for ; Wed, 28 Dec 1994 09:26:05 -0800
Received: from [199.0.193.223] (badenII.ins.com [199.0.193.223]) by uni (8.6.8.1/8.6.6) with SMTP id JAA14413; Wed, 28 Dec 1994 09:24:30 -0800
X-Sender: ljrebar@uni.ins.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 28 Dec 1994 09:24:32 -0800
To: phmff@phuxf.attmail.com (phmff)
From: (Lawrence J. Rebarchik)
Subject: Re: RFC request
Cc: jclement@cac.com, firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Fabian,

Send email to: mailserv@ds.internic.net

In the body of the note, place the following lines to request the RFCs you
desire:

  SEND /rfc/rfc1035.txt
  SEND /rfc/rfc1032.txt

From firewalls-owner Wed Dec 28 10:43:17 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA07801 for firewalls-outgoing; Wed, 28 Dec 1994 10:40:53 -0800
Received: from disaster.vbh.com (root@eniac136.disaster.vbh.com [199.99.205.136]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA07796 for ; Wed, 28 Dec 1994 10:40:47 -0800
Message-Id:
Date: Tue, 27 Dec 94 13:39 EST
X-Sender: ferioli@eniac.disaster.vbh.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: FIREWALLS@greatcircle.com
From: ferioli@disaster.com (Michael Ferioli - D&D Consulting)
Subject: Mail Routing with firewalls?
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have some questions about how one might go about doing mail routing
on a network which has a single point of contact with the Internet.
Let's say we have a company:

1) Top level domain: acme.com
2) The internet gateway (firewall) is called (among other names)
   mailhost.acme.com
3) There are (at least) two subdomains: boston.acme.com and nyc.acme.com
4) Both Boston and NYC have a single machine which they use as a mailhost:
   mailhost.boston.acme.com and mailhost.nyc.acme.com
5) Mail destined for boston should be addressed: user@boston.acme.com
   and likewise for nyc.
6) Mail should enter the network at mailhost.acme.com, then be forwarded
   to boston and nyc respectively.

Both boston.acme.com and nyc.acme.com must be MX'd to mailhost.acme.com
(obviously).

Now, here's the questions:

1) How do I implement such a setup?

There are two equally non-elegant ways of doing this that I know of:
  1. Alias ALL of the users in Boston and NYC (very messy!)
  2. Use POP3 to poll the mailhost.acme.com mailboxes from both
     mailhost.boston.acme.com and mailhost.nyc.acme.com (better... but not quite)

There MUST be a better way of doing this! With all the firewalls out there,
I cannot be the only one who is facing this challenge.

ANY and ALL help would be appreciated. I'm familiar with both Sendmail
and Smail.

Sorry if this question does not DIRECTLY pertain to this group, but I'm
at my wit's end!

Mike

------------------------------------------------------------------------------
Michael D. Ferioli               Design & Disaster Recovery Consulting
Special Projects Consultant      Suite 300
ferioli@disaster.com             9 Elm Street
                                 Albany, NY 12202
                                 info@disaster.com

From firewalls-owner Wed Dec 28 11:13:20 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA07951 for firewalls-outgoing; Wed, 28 Dec 1994 10:55:19 -0800
Received: from relay.tis.com (firewall_user@relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA07946 for ; Wed, 28 Dec 1994 10:55:16 -0800
Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma027353; Wed Dec 28 13:54:04 1994
Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA11933; Wed, 28 Dec 94 13:51:27 EST
Message-Id: <9412281851.AA11933@tis.com>
From: Frederick M Avolio
X-Organization: Trusted Information Systems, Inc.
X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363
To: ferioli@disaster.com (Michael Ferioli - D&D Consulting)
Cc: FIREWALLS@greatcircle.com
Subject: Re: Mail Routing with firewalls?
In-Reply-To: Your message of Tue, 27 Dec 94 13:39:00 -0500.
Date: Wed, 28 Dec 94 13:51:26 -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I have some questions about how one might go about doing mail routing
> on a network which has a single point of contact with the Internet.
> Let's say we have a company:

This sort of thing is covered in a new Digital Press book on Sendmail which
is orderable now, shipping next month.

You described how you'd implement this set up in your mail. Have mailhost
be the MX for boston and newyork. When it gets mail have it send mail for
boston to mailhost.boston and newyork to mailhost.newyork. Have boston
configured to send mail for newyork to newyork, boston to boston, local to
local, and anything else to mailhost. And so on. Nothing in this should
require aliases at the firewall. This is very straightforward.

Fred

> 1) Top level domain: acme.com
> 2) The internet gateway (firewall) is called (among other names)
>    mailhost.acme.com
> 3) There are (at least) two subdomains: boston.acme.com and nyc.acme.com
> 4) Both Boston and NYC have a single machine which they use as a mailhost:
>    mailhost.boston.acme.com and mailhost.nyc.acme.com
> 5) Mail destined for boston should be addressed: user@boston.acme.com
>    and likewise for nyc.
> 6) Mail should enter the network at mailhost.acme.com, then be forwarded
>    to boston and nyc respectively.
>
> Both boston.acme.com and nyc.acme.com must be MX'd to mailhost.acme.com
> (obviously).
>
> Now, here's the questions:
>
> 1) How do I implement such a setup?
>
> There are two equally non-elegant ways of doing this that I know of:
>   1. Alias ALL of the users in Boston and NYC (very messy!)
>   2. Use POP3 to poll the mailhost.acme.com mailboxes from both
>      mailhost.boston.acme.com and mailhost.nyc.acme.com (better... but not quite)
>
> There MUST be a better way of doing this! With all the firewalls out there,
> I cannot be the only one who is facing this challenge.
>
> ANY and ALL help would be appreciated. I'm familiar with both Sendmail
> and Smail.
>
> Sorry if this question does not DIRECTLY pertain to this group, but I'm
> at my wit's end!
>
> Mike
>
> ------------------------------------------------------------------------------
> Michael D. Ferioli               Design & Disaster Recovery Consulting
> Special Projects Consultant      Suite 300
> ferioli@disaster.com             9 Elm Street
>                                  Albany, NY 12202
>                                  info@disaster.com

From firewalls-owner Wed Dec 28 11:43:17 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA08501 for firewalls-outgoing; Wed, 28 Dec 1994 11:25:58 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA08496 for ; Wed, 28 Dec 1994 11:25:52 -0800
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA15489; Wed, 28 Dec 94 14:14:55 -0500
Date: Wed, 28 Dec 94 14:14:54 -0500
Message-Id: <9412281914.AA15489@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Bedposts and Doorknobs
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Does anyone have a suggestion for response to probes of every port number on a
>certain ip address? Should it just be ignored, or should the probing sites
>admin be contacted?

Well cannot speak to any policy but what *I* do is to record the probing IP,
find the domain owner and the local sysadmin, and send copies of the log with
the simple question: "Why ?"

Usually this is enough.

Will say that there are several products on the net that can do this
including one that is included in the FWTK (I have written one for the PC
myself) since it is not difficult at all to do. However usually response time
is slow enough that people do not do it to remote systems, at least not the
blanket strobe you were seeing (in fact if it was the first 30,000 ports
only, it probably was the FWTK).

Further, I generally delay the inquiry 24 hours so that outsiders have no
idea how often I check things but then I'm paranoid.

Will say that IMHO there are only two reasons for such a probe: an intruder
looking for a weakness and a professional doing the same thing, if not for
you (and you would know about that), then working for someone else.

Warmly (70F - what we put up with summer for),

Padgett

From firewalls-owner Wed Dec 28 11:57:53 1994
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA08467 for firewalls-outgoing; Wed, 28 Dec 1994 11:24:33 -0800
Received: from border.com (border.com [142.77.1.128]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA08460 for ; Wed, 28 Dec 1994 11:24:30 -0800
Received: by janus.border.com id <29441>; Wed, 28 Dec 1994 13:37:50 -0600
To: "Charles B. Kaplan"
Subject: Re: latest trends in FTP proxys and filters
Cc: firewalls@GreatCircle.COM
Date: Wed, 28 Dec 1994 13:26:50 -0600
From: Glenn Mackintosh
Message-Id: <94Dec28.133750cst.29441@janus.border.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I have been reviewing some of the archives, but was wondering what
> the latest trend was regarding FTP access (outbound only in my case) through
> a firewall.
>
> I could run a proxy, but they all seem to have the lagging problem
> of difficulty for mac's and pc's, and are clumsy, but I don't see how I could
> configure my router (or screened etc) to handle this.
>
> Is there anything besides firewall 1 which basically turns on a 30
> second timer after the outbound ftp, and keeps the inbound ports open until
> the timer expires ?

The JANUS Firewall Server provides the illusion of total transparency to
client applications on the internal network. This means that your installed
base of point and click applications on your PC's and Mac's will be able to
access the various Internet services without modification (and without the
user having to do anything unusual to use them).

This transparency is an illusion provided by the firewall. In reality all
connections are being intercepted by the firewall. All connections to
external services come from the firewall and the internal network is
completely hidden and isolated from the external network. This is true for
all Internet services that you may want to allow access to, not just FTP.

Of course, when we say totally transparent to internal clients we mean for
those that the administrator has configured to be allowed using the
administrator GUI; those services that you do not explicitly enable on the
firewall are blocked.

If you would like more information on the JANUS Firewall, you can dro