From firewalls-owner Sun Jan 1 11:43:14 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA29477 for firewalls-outgoing; Sun, 1 Jan 1995 11:30:38 -0800
Received: from europe.std.com (root@europe.std.com [192.74.137.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA29472 for ; Sun, 1 Jan 1995 11:30:35 -0800
Received: from world.std.com by europe.std.com (8.6.8.1/Spike-8-1.0) id OAA17806; Sun, 1 Jan 1995 14:29:18 -0500
Received: by world.std.com (5.65c/Spike-2.0) id AA25563; Sun, 1 Jan 1995 14:29:36 -0500
Date: Sun, 1 Jan 1995 14:29:36 +0001 (EST)
From: Jamie C Pole
Subject: FireWall-1 Configurations?
To: firewalls@greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Anyone out there working with FireWall-1 using a Sun with 2 ethernets as a platform? I'm in the process of building such a setup, and I'd like any feedback someone might have as far as this platform... Basically, having FireWall-1 act as a filter on traffic routed internally (SunOS or Solaris routed) between the two ethernets...

Jamie C. Pole, Data Communications Specialist
GartnerGroup, Inc., 56 Top Gallant Road, Stamford, CT 06904-2212
Office: 203-967-6840   Fax: 203-975-6490
jpole@world.std.com
These are MY opinions, NOT those of my employer...
jpole@gartner.com

From firewalls-owner Sun Jan 1 16:43:05 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA01505 for firewalls-outgoing; Sun, 1 Jan 1995 16:41:37 -0800
Received: from xroads.vthrc.uq.oz.au (0@xroads.vthrc.uq.oz.au [130.102.4.16]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA01500 for ; Sun, 1 Jan 1995 16:41:33 -0800
Received: (mailwrap@localhost) by xroads.vthrc.uq.oz.au (8.6.9/8.6.3) id KAA27844 for ; Mon, 2 Jan 1995 10:27:34 +1000
Received: from arundel.vthrc.uq.oz.au(130.102.4.21) by xroads.vthrc.uq.oz.au. via smap (V1.3mjr) id smaa27833; Mon Jan 2 10:26:59 1995
X-Sender: thomas@pop3.vthrc.uq.oz.au.
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 2 Jan 1995 10:27:39 +1000
To: firewalls@GreatCircle.COM
From: Danny Thomas
Subject: Re: Doorknob twisting
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

rens@imsi.com writes:
>For a while I used to send mail to root at sites that probed me; I
>stopped when I got sick of reading "We have many users at this
>site...who do you think it was and why are you so paranoid" from
        ^^^^^^^^^^^^^^^^^^^^^^^
>university admins.

the obvious reply is to suggest they run ident, particularly on campus hosts with large populations of students - some of whom are bound to be 'inquisitive'.

cheers,
Danny Thomas (D.Thomas@vthrc.uq.edu.au)

ftp://ftp-boi.external.hp.com/pub/printers/laserjet/doc/4plfaq.txt
>TCP/IP stands for Transmission Control Protocol/Internet
>Protocol, a de facto industry-standard communication service
>for multivendor networks built around OSI.
                                       ^^^
truly rooly?
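The ident lookup Danny suggests, as an added example that is not part of the original thread. It shows both sides of the RFC 1413 exchange: the query a probed site sends to TCP port 113 on the probing host, the USERID or ERROR reply, and a parser for it. The identd side here is a constructed in-memory connection table rather than a real daemon, and the port numbers and user names in the sample are made up. The caveat a practitioner wants: the reply is whatever the remote host chooses to say, so a returned user name is a lead to hand the remote admin, not proof of who was at the keyboard.

```python
"""Ident (RFC 1413) lookup of the user behind a probing connection.

Added example; not code from the list. Runs offline: the identd side is a
constructed table, not a socket, and all sample data is made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IDENT_PORT = 113   # RFC 1413 well-known TCP port (not contacted here)

# Error codes defined by RFC 1413; site-specific codes must start with 'X'.
ERROR_CODES = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}


@dataclass
class IdentResult:
    server_port: int
    client_port: int
    ok: bool
    opsys: Optional[str] = None    # e.g. "UNIX", only on USERID replies
    user_id: Optional[str] = None
    error: Optional[str] = None    # e.g. "NO-USER", only on ERROR replies


def build_query(server_port: int, client_port: int) -> bytes:
    """Request line: '<port-on-server> , <port-on-client>' CRLF.

    'server' is the host running identd, i.e. the host that probed us, and
    'client' is our own port that its probe connected to.
    """
    for p in (server_port, client_port):
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    return f"{server_port} , {client_port}\r\n".encode("ascii")


_REPLY = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:(.*)$")


def parse_reply(raw: bytes) -> IdentResult:
    """Parse one reply line, e.g.
        '6191 , 23 : USERID : UNIX : stjohns'
        '6191 , 23 : ERROR : NO-USER'
    Anything malformed raises rather than being mistaken for a user name.
    """
    text = raw.decode("ascii", errors="replace").rstrip("\r\n")
    m = _REPLY.match(text)
    if not m:
        raise ValueError(f"malformed ident reply: {text!r}")
    sport, cport, kind, rest = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
    if kind == "ERROR":
        code = rest.strip()
        if code not in ERROR_CODES and not code.startswith("X"):
            raise ValueError(f"unknown ident error code: {code!r}")
        return IdentResult(sport, cport, False, error=code)
    # USERID : <opsys>[,<charset>] : <user-id>; the user-id may contain ':'
    opsys, sep, user = rest.partition(":")
    if not sep or not user.strip():
        raise ValueError(f"malformed USERID reply: {text!r}")
    return IdentResult(sport, cport, True,
                       opsys=opsys.split(",")[0].strip(), user_id=user.strip())


# Constructed identd side: (port on identd host, port on our host) -> user.
ConnTable = Dict[Tuple[int, int], str]


def identd_answer(table: ConnTable, query: bytes) -> bytes:
    """What a (constructed) identd would send back for one query line."""
    line = query.decode("ascii", errors="replace").rstrip("\r\n")
    m = re.match(r"^\s*(\d+)\s*,\s*(\d+)\s*$", line)
    if not m:
        return b"0 , 0 : ERROR : INVALID-PORT\r\n"
    sp, cp = int(m.group(1)), int(m.group(2))
    if not (1 <= sp <= 65535 and 1 <= cp <= 65535):
        return f"{sp} , {cp} : ERROR : INVALID-PORT\r\n".encode("ascii")
    user = table.get((sp, cp))
    if user is None:
        return f"{sp} , {cp} : ERROR : NO-USER\r\n".encode("ascii")
    return f"{sp} , {cp} : USERID : UNIX : {user}\r\n".encode("ascii")


def attribute_probe(table: ConnTable, probe_src_port: int, our_port: int) -> IdentResult:
    """Full exchange for one logged probe: build query, get reply, parse it.

    The result is only what the remote host claims. A host the prober
    controls can answer anything, so log it as a lead, not as proof.
    """
    reply = parse_reply(identd_answer(table, build_query(probe_src_port, our_port)))
    if (reply.server_port, reply.client_port) != (probe_src_port, our_port):
        raise ValueError("reply does not echo the queried port pair")
    return reply
```

In a real lookup the bytes from `build_query` go to port 113 on the probing host and the line read back goes to `parse_reply`; the rest of the exchange is identical.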
From firewalls-owner Sun Jan 1 22:13:05 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA03097 for firewalls-outgoing; Sun, 1 Jan 1995 21:50:22 -0800
Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id VAA03092 for ; Sun, 1 Jan 1995 21:50:18 -0800
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 1 Jan 1995 21:49:33 -0800
To: firewalls@greatcircle.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: Legal Issues
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 20:06 12/30/94, Tony Wege wrote:
>Hi,
> I've only been lurking for a short time but I gather this is
> not off topic since the thread has been going for a while.

It's kind of marginal; I've been letting it go for several reasons: the list has been quiet anyway because of the holidays, I've been enjoying the holidays myself (actually, I've been working my butt off and ignoring email, but we'll pretend I've been enjoying the holidays), the discussion has so far been very calm and rational, and nobody has complained to me about it yet. I have a feeling that, as folks get back to work next week, we'll want to get back to more technical discussions.
-Brent

--
Brent Chapman          | Great Circle Associates  | Call or email for info about
Brent@GreatCircle.COM  | 1057 West Dana Street    | upcoming Internet Security
+1 415 962 0841        | Mountain View, CA 94041  | Firewalls Tutorial dates

From firewalls-owner Mon Jan 2 00:13:08 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA04087 for firewalls-outgoing; Sun, 1 Jan 1995 23:46:30 -0800
Received: from sun4nl.NL.net (sun4nl.NL.net [193.78.240.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id XAA04082 for ; Sun, 1 Jan 1995 23:46:26 -0800
Received: from rccapd by sun4nl.NL.net via EUnet id AA05670 (5.65b/CWI-3.3); Mon, 2 Jan 1995 08:45:18 +0100
Received: by rccapd.rcc.nl (4.1/SMI-4.1) id AA22976; Mon, 2 Jan 95 08:01:06 +0100
Date: Mon, 2 Jan 95 08:01:06 +0100
From: rccapd!rsnao23@relay.NL.net (WFM user Jean-Marc van Leerdam)
Message-Id: <9501020701.AA22976@rccapd.rcc.nl>
To: Firewalls@greatcircle.com
Subject: Newbie questions
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all,

Thanks for all the generous replies! I have gotten the FAQ and some other references, so I'll start working on those.

BTW, Happy New Year!
Jean-Marc van Leerdam
+-------------------------------------------------------------------+
| rccapd!rsnao23@relay.NL.net                 nlrccbjc@ibmmail.com  |
| vanleerdam@rcc.rcc400.unisource.nl          jeanmarc@knoware.nl   |
+-------------------------------------------------------------------+
| These views are not necessarily those of my employer              |
+-------------------------------------------------------------------+

From firewalls-owner Mon Jan 2 01:43:13 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA05017 for firewalls-outgoing; Mon, 2 Jan 1995 01:30:17 -0800
Received: from bi.fish.com (zen@bi.fish.com [140.174.97.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id BAA05012 for ; Mon, 2 Jan 1995 01:30:09 -0800
Received: from localhost (zen@localhost) by bi.fish.com (8.9.1 (Alpha)/1.0.23) with SMTP id BAA15149 for ; Mon, 2 Jan 1995 01:33:14 -0800
Message-Id: <199501020933.BAA15149@bi.fish.com>
X-Authentication-Warning: bi.fish.com: Host localhost didn't use HELO protocol
To: firewalls@greatcircle.com
Subject: traffic-only network sniffer?
Date: Mon, 02 Jan 95 01:33:14 -0800
From: Dan
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Before I went and wrote/got my own, does anyone know of anything out there that will just keep track of connections, not the info inside? That is, the to's & from's, type/port, and time info - starting time and length of connection? I'm interested in monitoring large-scale networks over a long period of time. If it generated stats/graphs/whatever that'd be a bonus, but not necessary.

Tnx

--
-- d

(If it worked on an SGI box, that'd be great, but I'll take any pointers or working stuff; preferably free, 'natch.)
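One way to build what Dan asks for, as an added example that is not code from the original thread or from any of the tools named in the replies: a tracker that records only the endpoints, protocol, port, start time and duration of each connection and never has access to a byte of payload. The input is a constructed list of packet headers (the fields a `tcpdump -n` line shows) rather than a live capture; the TCP handling is simplified to "closed at the second FIN or at a RST"; the 60-second UDP idle timeout is an assumption; and the addresses and times in the sample are made up.

```python
# Connection-only traffic log: who talked to whom, which port, when, how long.
# Added example, not code from the list. Input is a constructed list of packet
# headers with no payload field. Assumptions: a TCP connection ends at the
# second FIN (the final ACK is not awaited) or at a RST; UDP has no
# connections, so a flow is closed after UDP_IDLE seconds of silence.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Pkt:                  # what a "tcpdump -n" header line carries
    ts: float               # capture time, seconds
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""         # TCP flags among S, A, F, R; "" for UDP


@dataclass
class Conn:
    proto: str
    client: str             # side that sent the first packet (the SYN, for TCP)
    cport: int
    server: str
    sport: int
    start: float
    end: Optional[float] = None
    state: str = "open"     # open | half-closed | closed | reset | timed-out
    packets: int = 0

    def duration(self) -> Optional[float]:
        return None if self.end is None else self.end - self.start


Key = Tuple[str, str, int, str, int]    # proto, client, cport, server, sport


class ConnTracker:
    UDP_IDLE = 60.0         # assumed idle timeout for UDP flows

    def __init__(self) -> None:
        self.open: Dict[Key, Conn] = {}
        self.fins: Dict[Key, Set[str]] = {}   # which sides have sent FIN
        self.done: List[Conn] = []

    def _find(self, p: Pkt) -> Tuple[Key, bool]:
        # locate the connection in either direction; bool = sent by the client
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        return (rev, False) if rev in self.open and fwd not in self.open else (fwd, True)

    def feed(self, p: Pkt) -> None:
        self._expire_udp(p.ts)
        key, from_client = self._find(p)
        conn = self.open.get(key)
        if p.proto == "tcp":
            self._tcp(p, key, conn, from_client)
        elif p.proto == "udp":
            if conn is None:
                conn = self.open[key] = Conn("udp", p.src, p.sport, p.dst, p.dport, p.ts)
            conn.packets += 1
            conn.end = p.ts     # provisional; becomes final when the flow idles out

    def _tcp(self, p: Pkt, key: Key, conn: Optional[Conn], from_client: bool) -> None:
        f = set(p.flags)
        if conn is None:        # only a pure SYN opens a connection; a stray
            if f == {"S"}:      # mid-stream packet with no SYN seen is ignored
                self.open[key] = Conn("tcp", p.src, p.sport, p.dst, p.dport, p.ts, packets=1)
                self.fins[key] = set()
            return
        conn.packets += 1
        if "R" in f:
            self._close(key, p.ts, "reset")
        elif "F" in f:
            self.fins[key].add("client" if from_client else "server")
            conn.state = "half-closed"
            if len(self.fins[key]) == 2:
                self._close(key, p.ts, "closed")

    def _close(self, key: Key, ts: float, state: str) -> None:
        conn = self.open.pop(key)
        self.fins.pop(key, None)
        conn.end, conn.state = ts, state
        self.done.append(conn)

    def _expire_udp(self, now: float) -> None:
        for key, c in list(self.open.items()):
            if c.proto == "udp" and now - c.end > self.UDP_IDLE:
                self._close(key, c.end, "timed-out")

    def finish(self, now: float) -> List[Conn]:
        # end of capture: time out every UDP flow; TCP still open keeps end=None
        self._expire_udp(now + self.UDP_IDLE + 1)
        return sorted(self.done + list(self.open.values()), key=lambda c: c.start)


def by_server_port(conns: List[Conn]) -> Dict[Tuple[str, int], int]:
    return dict(Counter((c.proto, c.sport) for c in conns))   # the "stats" bonus


# Constructed sample: a telnet session, a DNS lookup, a refused connection to
# finger (a doorknob twist) and one stray ACK for which no SYN was ever seen.
S = "198.102.244.36"
SAMPLE = [
    Pkt(0.00, "tcp", "130.102.4.21", 1025, S, 23, "S"),
    Pkt(0.10, "tcp", S, 23, "130.102.4.21", 1025, "SA"),
    Pkt(1.00, "tcp", "10.0.0.9", 4000, S, 25, "A"),
    Pkt(2.00, "udp", "130.102.4.21", 1700, S, 53),
    Pkt(2.05, "udp", S, 53, "130.102.4.21", 1700),
    Pkt(5.00, "tcp", "204.57.51.1", 2222, S, 79, "S"),
    Pkt(5.10, "tcp", S, 79, "204.57.51.1", 2222, "RA"),
    Pkt(30.00, "tcp", "130.102.4.21", 1025, S, 23, "FA"),
    Pkt(30.10, "tcp", S, 23, "130.102.4.21", 1025, "FA"),
    Pkt(30.20, "tcp", "130.102.4.21", 1025, S, 23, "A"),
]


def run_sample(capture_end: float = 100.0) -> List[Conn]:
    t = ConnTracker()
    for p in SAMPLE:
        t.feed(p)
    return t.finish(capture_end)
```

Feeding real traffic means turning each captured header into a `Pkt`; the tracker itself needs nothing else. A half-open SYN that is never answered stays in `open` and is reported with no end time, which is exactly the record you want for a scan.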
From firewalls-owner Mon Jan 2 06:13:12 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA06903 for firewalls-outgoing; Mon, 2 Jan 1995 06:05:05 -0800
Received: from foxtrot.worldcom.com (foxtrot.worldcom.com [198.64.193.12]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA06898 for ; Mon, 2 Jan 1995 06:05:01 -0800
Received: from notes.worldcom.com (notes.worldcom.com [198.64.193.9]) by foxtrot.worldcom.com (8.6.9/8.6.9) with SMTP id IAA17322 for ; Mon, 2 Jan 1995 08:03:54 -0600
Received: by notes.worldcom.com (IBM OS/2 SENDMAIL VERSION 1.3.0.Z)/3.3) id AA0147; Mon, 02 Jan 95 08:03:53 -0800
Message-Id: <9501021603.AA0147@notes.worldcom.com>
Received: from worldcom with "Lotus Notes Mail Gateway for SMTP" id 639D7160E6872F1986256138004D393C; Mon, 2 Jan 95 08:03:53
To: firewalls
Cc: Greg Duncan , Keith Cleveland , KSmith27
From: Kenneth Smith
Date: 2 Jan 95 3:04:44 EDT
Subject: Summary of Information on NT Firewalls
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

For all of those who offered suggestions, asked further questions, or simply asked for any information I might scare up, here's a summary of what I've discovered so far on firewalls for NT.

(a) They don't exist.

Suggestions for getting around this problem included:

(a) Learn Unix.
(b) Hire somebody who *does* know Unix.
(c) Use something like the Janus firewall that hides most of the Unix stuff behind a GUI, and will run on an Intel-based PC.
(d) Use a router as a protocol-layer firewall (various Cisco and 3Com routers were mentioned).
(e) Write one. (Several people were interested in this option. I'm not.)
(f) Rewrite and/or recompile an existing Unix firewall.
(g) Wait until someone comes out with one. Perhaps Microsoft Europe . . .?
Others offered various related comments (take them for what they're worth):

(a) Because the source code isn't available for Windows NT, it can't be as secure as Unix, since nobody knows where the problems might be.
(b) Because the source code isn't available for Windows NT, it's probably more secure than Unix, since nobody knows where the problems might be.
(c) NT's supposed to be C2 certified, so with proper security policies, an NT server shouldn't *need* to be firewalled. (The caveats to this, I suppose, are many and obvious.)
(d) Unlike Unix, it's probably pretty difficult to pull out or replace portions of the NT OS that are felt to be insecure or aren't needed. (Anybody out there feel up to the task?)
(e) While www.microsoft.com talks in great detail about various products relating to the Internet and Windows NT, it mentions nothing (so far as I could find) on any current or future firewall products.

And following is the most detailed reply I received:

Ken,

Much like your company we lack UNIX experience and are committed to an NT 3.5 environment. We have around 20 NT servers connected by 3COM CDDI cards to an FDDI backbone driven by 3COM routers in our internal network. We have an NT server connected to our external 3COM router running the NT beta versions of a WEB and Gopher (both running well, by the way, with people connecting and not even knowing they are connected to an NT server vs UNIX). We also provided the router to our internet provider so we could move some router/firewall decisions farther away from our environment.

At this point we do major and minor access control (filtering) in different 3COM routers to keep certain sockets out of this NT server on the internet. The router feeding the internet backbone allows no UNKNOWN user access from outside in. In the NT server we do extensive logging of just about all kinds of foreign access (the Russ Blake book, by Microsoft, "Optimizing Windows NT", was a big help here). We do some things with code on the server.
Mail, at this point, is handled by our internet provider's server, North Bay Networks; they know a lot of UNIX. In firewall terms we use a version of a "screened subnet", RFC 1597. Most of the work is done in the 3COM routers, in which I have a lot of experience. We have a lot of NT AS people who are very nervous and we keep looking at this server.

I am willing to provide the "filters" for the 3COM routers if anybody is interested. 3COM helped on these and you can get them from any 3COM technical person. You could also call your Microsoft people since the Microsoft stuff on the Internet is all NT (www.microsoft.com, gopher.microsoft.com, etc).

A BIG NOTE OF CONCERN. Maybe we are doing OK because:

1. Not that many people know, use, or care about the NT operating system, so the years of experience of attacking UNIX systems is missing at this time;
2. There is so much more to go after than 3 years ago;
3. We pay A LOT of attention to the firewall user group and try to match problems mentioned to our area;
4. We read all the GreatCircle, TIS, etc stuff;
5. We read the "Firewalls and Internet Security" book by Cheswick and Bellovin. (How can I get an autograph??)
6. It's all TCP/IP, good or bad, we stay awake;
7. It's still a test area, we have NOT bet the shop.

Lastly, as part of the MIDAS project for all the schools, cities, etc in Marin County, we are using the UNIX operating systems with firewalls in addition to our own NT AS environment. So we will try to keep the best of both worlds.
WARMLY from the hot tub,
Bill Blackmer
County of Marin
blackmer@nbn.com

From firewalls-owner Mon Jan 2 06:43:06 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA06956 for firewalls-outgoing; Mon, 2 Jan 1995 06:13:57 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA06946 for ; Mon, 2 Jan 1995 06:13:51 -0800
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA08002; Mon, 2 Jan 95 08:53:33 -0500
Date: Mon, 2 Jan 95 08:53:33 -0500
Message-Id: <9501021353.AA08002@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Traffic only sniffer
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Before I went and wrote/got my own, does anyone know of anything out
>there that will just keep track of connections, not the info inside?

Well, in the PC world ETHLD might (have not studied it that close). If not, everything you need can be found in either the WATTCP libraries (free, book is U$45.00) or the FTP SDK (around U$400.00).

Since I like to carry my test equipment around with me (and got a great deal on an AT&T/NCR 3150 model 230 colour notebook - plug) the PC is my preferred test platform.

Warmly,
Padgett

From firewalls-owner Mon Jan 2 07:13:06 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA07552 for firewalls-outgoing; Mon, 2 Jan 1995 07:12:02 -0800
Received: from westie.mid.net (westie.mid.net [198.247.250.16]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA07547 for ; Mon, 2 Jan 1995 07:11:58 -0800
Received: (from alan@localhost) by westie.mid.net (8.6.9/8.6.9) id JAA12941; Mon, 2 Jan 1995 09:11:35 -0600
From: Alan Hannan
Message-Id: <199501021511.JAA12941@westie.mid.net>
Subject: Re: traffic-only network sniffer?
To: zen@bi.fish.com (Dan)
Date: Mon, 2 Jan 1995 09:11:34 -0600 (CST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199501020933.BAA15149@bi.fish.com> from "Dan" at Jan 2, 95 01:33:14 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1350
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Before I went and wrote/got my own, does anyone know of anything out
> there that will just keep track of connections, not the info inside?
> That is, the to's & from's, type/port, and time info - starting time and
> length of connection? I'm interested in monitoring large-scale networks
> over a long period of time. If it generated stats/graphs/whatever
> that'd be a bonus, but not necessary.

The Network General Sniffer will do what you ask. It's pretty malleable and I find it very useful for protocol analysis.

> (If it worked on an SGI box, that'd be great, but I'll take any pointers
> or working stuff; preferably free, 'natch.)

While not free, it will run on an sgi... actually, let me rephrase that: The sniffer is a piece of hardware, actually, I think NG has trademarked the name, regardless, it runs on a dedicated PC of theirs, and it has this nifty interface into the DOS that runs on an xwindow on my solaris machines. I'm not certain they have one for SGI, but I think they might.

Good luck.

--
alan@mid.net    Network Operations Center    (402)/472-0242, Fax (402)/472-0240
MIDnet, Inc.    "Small is the number of them that see with their own eyes
                 and feel with their own hearts."
                 - Albert Einstein

From firewalls-owner Mon Jan 2 08:13:12 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA07838 for firewalls-outgoing; Mon, 2 Jan 1995 07:43:30 -0800
Received: from nda.nda.com (nda.nda.COM [204.57.51.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA07833 for ; Mon, 2 Jan 1995 07:43:28 -0800
Received: (kovar@localhost) by nda.nda.com (8.6.9/8.6.4) id KAA16090; Mon, 2 Jan 1995 10:42:08 -0500
From: David Kovar
Message-Id: <199501021542.KAA16090@nda.nda.com>
Subject: Re: traffic-only network sniffer?
To: alan@mid.net (Alan Hannan)
Date: Mon, 2 Jan 1995 10:42:08 -0500 (EST)
Cc: zen@bi.fish.com, firewalls@GreatCircle.COM
In-Reply-To: <199501021511.JAA12941@westie.mid.net> from "Alan Hannan" at Jan 2, 95 09:11:34 am
X-Mailer: ELM [version 2.4 PL20]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 417
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> While not free, it will run on an sgi... actually, let me rephrase that: The
> sniffer is a piece of hardware, actually, I think NG has trademarked the name,
> regardless, it runs on a dedicated PC of theirs, and it has this nifty
> interface into the DOS that runs on an xwindow on my solaris machines. I'm
> not certain they have one for SGI, but I think they might.

It cost > $10,000 last I checked.

-David

From firewalls-owner Mon Jan 2 08:25:43 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA07911 for firewalls-outgoing; Mon, 2 Jan 1995 08:00:16 -0800
Received: from nda.nda.com (nda.nda.COM [204.57.51.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA07906 for ; Mon, 2 Jan 1995 08:00:13 -0800
Received: (kovar@localhost) by nda.nda.com (8.6.9/8.6.4) id KAA16516; Mon, 2 Jan 1995 10:59:05 -0500
From: David Kovar
Message-Id: <199501021559.KAA16516@nda.nda.com>
Subject: Re: FireWall-1 Configurations?
To: jpole@world.std.com (Jamie C Pole)
Date: Mon, 2 Jan 1995 10:59:04 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Jamie C Pole" at Jan 1, 95 02:29:36 pm
X-Mailer: ELM [version 2.4 PL20]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1017
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Anyone out there working with FireWall-1 using a Sun with 2 ethernets
> as a platform? I'm in the process of building such a setup, and I'd like
> any feedback someone might have as far as this platform... Basically,
> having FireWall-1 act as a filter on traffic routed internally (SunOS or
> Solaris routed) between the two ethernets...

We're using a Sparc Classic in this configuration and it seems to be working well for the most part. Some things we encountered:

* The documentation is very sparse.
* The machine was hanging completely, requiring a power cycle to restore it to life. A patch from Checkpoint seems to have fixed this problem.
* We still have a problem with the filter not being reloaded after a crash, power cycle, or reboot, requiring that we do it by hand. Checkpoint and the reseller, Qualix, are still working with us on this one.

It seems to handle the load well, is very easy to configure, and when configured correctly, does the job.

-David

From firewalls-owner Mon Jan 2 08:43:10 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA07994 for firewalls-outgoing; Mon, 2 Jan 1995 08:19:26 -0800
Received: from panix.com (panix.com [198.7.0.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA07989 for ; Mon, 2 Jan 1995 08:19:23 -0800
Received: by panix.com id AA06746 (5.67b/IDA-1.5 for firewalls@greatcircle.com); Mon, 2 Jan 1995 11:17:48 -0500
From: John Hawkinson
Message-Id: <199501021617.AA06746@panix.com>
Subject: Re: traffic-only network sniffer?
To: zen@bi.fish.com (Dan)
Date: Mon, 2 Jan 1995 11:17:48 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <199501020933.BAA15149@bi.fish.com> from "Dan" at Jan 2, 95 01:33:14 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 783
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> To: firewalls@greatcircle.com
> From: Dan
>
> Before I went and wrote/got my own, does anyone know of anything out
> there that will just keep track of connections, not the info inside?
> That is, the to's & from's, type/port, and time info - starting time and
> length of connection? I'm interested in monitoring large-scale networks
> over a long period of time. If it generated stats/graphs/whatever
> that'd be a bonus, but not necessary.

I'm starting to feel old.

You can do this with tcpdump; it won't generate graphs, but you can do that yourself.

> (If it worked on an SGI box, that'd be great, but I'll take any pointers
> or working stuff; preferably free, 'natch.)

It works under Irix 4.x & 5.2, and it's free.

--
John Hawkinson
jhawk@panix.com

From firewalls-owner Mon Jan 2 09:46:03 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA08775 for firewalls-outgoing; Mon, 2 Jan 1995 09:13:19 -0800
Received: from tadpole.tadpole.com (tadpole.Tadpole.COM [160.104.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA08770 for ; Mon, 2 Jan 1995 09:13:16 -0800
Received: from ribit.tadpole.com by tadpole.tadpole.com (4.1/SMI-4.1-jim) id AA25726; Mon, 2 Jan 95 11:11:34 CST
Date: Mon, 2 Jan 95 11:11:34 CST
From: jim@Tadpole.COM (Jim Thompson)
Message-Id: <9501021711.AA25726@tadpole.tadpole.com>
To: zen@bi.fish.com
Subject: Re: traffic-only network sniffer?
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Run, don't walk to isi.edu and grab nnstat.
It won't give you the start time and duration, but I can't imagine how you'd possibly be able to use that data for 'large-scale networks over a long period of time'. Data reduction should be trivial with an awk/perl script or two, and a copy of Lotus 123 or gnuplot.

nnstat was originally written to track usage on the (now defunct) NSF backbone. (So it ought to be able to keep up with any 'large-scale network' that you can throw at it.)

If you really *need* start-time and duration (which will only work for TCP in any case), the hacking shouldn't be too difficult.

At least Dan isn't claiming to have a Cray at home these days... :-)

Jim

From firewalls-owner Mon Jan 2 10:13:08 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA09096 for firewalls-outgoing; Mon, 2 Jan 1995 09:56:54 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA09091 for ; Mon, 2 Jan 1995 09:56:49 -0800
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA09171; Mon, 2 Jan 95 12:32:59 -0500
Date: Mon, 2 Jan 95 12:32:59 -0500
Message-Id: <9501021732.AA09171@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: NT Firewalls
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bill Blackmer rites:
>For all of those who offered suggestions, asked further questions, or simply
>asked for any information I might scare up, here's a summary of what I've
>discovered so far on firewalls for NT.

Guess I musta missed something, but for people obviously familiar with PCs, I would suggest a Karlbridge between the router and the net as a start. Next, get either LINUX or FreeBSD Unix and the TIS FWTK.
Once comfortable, convert the PC from KB to a real firewall, but IMHO, for a packet filter, KB does a better job than anything I have seen on a multitasking system. However, the capability of the FWTK makes learning UNIX worthwhile.

Will say that I do not think that NT will ever make a real effective firewall, there is just too much overhead; what you really want is a dedicated, single-tasking machine that does nothing but protect your subnet (could be Unix-like, such as would result if you started with a good UNIX kernel, it just does not need to be multi-user - this is what many high performance dedicated machines do).

I suspect that there is a real market for good dual-NIC subnet filter software that runs on all those NT-obsoleted 386 PCs with statistics and logging/alarming in the U$500.00 range.

Warmly,
Padgett

From firewalls-owner Mon Jan 2 11:13:15 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA09958 for firewalls-outgoing; Mon, 2 Jan 1995 11:06:38 -0800
Received: from relay.tis.com (firewall_user@relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA09953 for ; Mon, 2 Jan 1995 11:06:35 -0800
Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma019801; Mon Jan 2 14:05:27 1995
Received: by tis.com (4.1/SUN-5.64) id AA00804; Mon, 2 Jan 95 14:02:37 EST
Date: Mon, 2 Jan 95 14:02:37 EST
From: Frederick M Avolio
Message-Id: <9501021902.AA00804@tis.com>
To: firewalls@greatcircle.com
Subject: CFP: 5th USENIX UNIX Security Symposium
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

ANNOUNCEMENT and CALL FOR PAPERS

5th USENIX UNIX Security Symposium
June 5-7, 1995
Salt Lake City Marriott Hotel
Salt Lake City, Utah

Sponsored by the USENIX Association, the UNIX and Advanced Computing Systems Professional and Technical Association

In cooperation with: The Computer Emergency Response Team (CERT), IFIP WG 11.4, and UniForum

IMPORTANT DATES

DATES FOR REFEREED PAPER
SUBMISSIONS
Extended abstracts due: Feb 13, 1995
Program Committee decisions made: Mar 8, 1995
Camera-ready final papers due: May 1, 1995
Registration Materials Available: March 1995

PROGRAM COMMITTEE
Program Chair: Fred Avolio, Trusted Information Systems, Inc.
Steve Bellovin, AT&T Bell Laboratories
Bill Cheswick, AT&T Bell Laboratories
Ed DeHart, CERT
Ed Gould, Digital Equipment Corporation
Marcus Ranum, Trusted Information Systems, Inc.
Jeff Schiller, MIT
Gene Spafford, COAST Laboratory, Purdue University

OVERVIEW

The goal of this symposium is to bring together security practitioners, researchers, system administrators, systems programmers, and others with an interest in computer security as it relates to networks and the UNIX operating system. This will be a 3 day, single-track symposium. The symposium will consist of tutorials, refereed and invited technical presentations, and panel sessions. The first day will be devoted to tutorial presentations. Two days of technical sessions will follow the tutorials.

TUTORIALS [June 5]

This one-day tutorial program is designed to address the needs of both technical and management attendees. The tutorials will supply overviews of various security mechanisms and policies. Each will provide specifics to the system and site administrator for implementing numerous local and network security precautions, firewalls, and monitoring systems.

KEYNOTE AND TECHNICAL SESSIONS [June 6-7]

The keynote address by Stephen T. Walker, Founder and President of Trusted Information Systems, will begin the technical sessions program. Mr. Walker will speak on information security and privacy in computing. Mr. Walker is an electronics engineer and computer systems analyst with over 25 years of experience in system design and program management; particularly extensive is his experience with the design and implementation of large scale computer networks and information systems.
He is nationally recognized for his pioneering work on the DoD Computer Security Initiative, the establishment of the National Computer Security Center, and the formation of the Defense Data Network. He is a member of the Computer System Security and Privacy Advisory Board, established by the Computer Security Act of 1987.

The technical sessions program, in addition to presentations of refereed papers, will include invited talks, and possibly panel sessions. There will also be two evenings available for Birds-of-a-Feather sessions (BoFs) and Works-in-Progress Reports (WiPs). The program committee invites you to submit proposals, ideas, or suggestions for these presentations; your suggestions may be submitted to the program chair via email to: securitypapers@usenix.org or by post to the address given below.

Papers that have been formally reviewed and accepted will be presented during the symposium and published in the symposium proceedings. Proceedings of the symposium will be published by USENIX and will be provided free to technical session attendees; additional copies will be available for purchase from USENIX.

SYMPOSIUM TOPICS

Presentations are being solicited in areas including but not limited to:

*User/system authentication
*File system security
*Network security
*Security and system management
*Security-enhanced versions of the UNIX operating system
*Security tools
*Security incident investigation and response
*Computer misuse and anomaly detection
*Security in heterogeneous environments
*Configuration management to support security
*Security-related testing methods
*Case studies

REFEREED PAPER SUBMISSIONS

Submissions must be received by Feb 13, 1995. Full papers should be 10 to 15 pages. Instead of a full paper, authors may submit an extended abstract which discusses key ideas. Extended abstracts should be 5-7 pages long (about 2500-3500 words), not counting references and figures. The body of the extended abstract should be in complete paragraphs.
The object of an extended abstract is to convince the reviewers that a good paper and presentation will result. All submissions will be judged on originality, relevance, and correctness.

Each accepted submission will be assigned a member of the program committee to act as its shepherd through the preparation of the final paper. The assigned member will act as a conduit for feedback from the committee to the authors. Camera-ready final papers are due May 1, 1995.

Please accompany each submission by a cover letter stating the paper title and authors along with the name of the person who will act as the contact to the program committee. Please include a surface mail address, daytime and evening phone number, and, if available, an email address and fax number for the contact person.

If you would like to receive detailed guidelines for submission and examples of extended abstracts, you may send email to: securityauthors@usenix.org or telephone the USENIX Association office at +1 510 528 8649.

The UNIX Security Symposium, like most conferences and journals, requires that papers not be submitted simultaneously to another conference or publication and that submitted papers not be previously or subsequently published elsewhere. Papers accompanied by "non-disclosure agreement" forms are not acceptable and will be returned to the author(s) unread. All submissions are held in the highest confidentiality prior to publication in the Proceedings, both as a matter of policy and in accord with the U.S. Copyright Act of 1976.

WHERE TO SUBMIT

Please send one copy of a full paper or an extended abstract to the program committee via two of the following methods. All submissions will be acknowledged.
o Preferred Method: email (Postscript or ASCII) to: securitypapers@usenix.org
o Alternate Method: postal delivery to
    Fred Avolio
    Trusted Information Systems
    3060 Washington Road
    Glenwood, MD 21738
    +1 410 442 1673
o Fax: +1 301 854 5363

REGISTRATION MATERIALS

Materials containing all details of the technical and tutorial programs, registration fees and forms, and hotel information will be available beginning in March 1995. If you wish to receive the registration materials, please contact USENIX at:

USENIX Conference Office
22672 Lambert Street, Suite 613
Lake Forest, CA USA 92630
+1 714 588 8649; Fax: +1 714 588 9706
email: conference@usenix.org

From firewalls-owner Mon Jan 2 11:43:08 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA10904 for firewalls-outgoing; Mon, 2 Jan 1995 11:39:41 -0800
Received: from northshore.ecosoft.com (northshore.ecosoft.com [192.233.85.129]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA10899 for ; Mon, 2 Jan 1995 11:39:38 -0800
Received: from [198.115.177.229] (bertha29.shore.net) by northshore.ecosoft.com with SMTP id AA25566 (5.67a/IDA-1.5 for ); Mon, 2 Jan 1995 14:39:35 -0500
Message-Id: <199501021939.AA25566@northshore.ecosoft.com>
X-Sender: vin@mailhost.shore.net (Unverified)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 2 Jan 1995 02:37:57 -0500
To: Firewalls@greatcircle.com
From: vin@shore.net (Vin McLellan)
Subject: Re: Doorknob twisting
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Paul Howell implies, correctly I believe, that I and others overreacted. His minimalist response, in the face of a report of "probing" from his site, seems more reasonable to me on second reading. It's clear he and UMich would respond if confronted with a real incident of net abuse or site penetration.
On the other hand, I don't believe universities _or_ commercial access providers effectively educate (or contractually obligate) their users to any meaningful standard. Users don't equate net abuse or on-line vandalism with crimes like arson, and they won't until the cost is made concrete.

But then, it's not the providers' responsibility to secure our sites. Some large corporations automatically probe their own multiple sites daily to identify machines that are not properly configured -- but an activist defense (including, but not limited to, firewalls) is still relatively rare, isn't it? And, of course, poking around the Net is neither a crime, nor a sin.

Our generic reaction (echoing here, as it has through the years) says what it has always said about the fragility and vulnerability inherent in our established technology. The whole industry is quick-marching into client/server economies, little concerned about new, relatively untested, bet-your-ass apps. It was only a year ago that CERT finally recommended a shift to one-time passwords. (Although many of you have probably been urging it for half of a decade or more; and your management ignored CERT too, right?)

Truth is, managers at most penetrated sites should be more embarrassed than outraged. Clever hacks are rare; inept IS management is common. And minimal standards of responsible IS management are, to the extent they exist, defined within the MIS profession.

From Padgett Peterson:
>Now once a Netcom or a GE gets successfully sued by their clients for allowing
>such a thing to happen....

Sure, a successful suit against Netcom or other Internet providers could do a lot to tighten the system: hopefully with identification of users/customers, enforced user sign-off on policies, even suits against abusive users for breach of contract. But then, I've been waiting for 20 years for shareholder suits against irresponsible management (not, to my mind, GE) which doesn't invest in safeguarding IS resources.
Haven't we all waited, for activist auditors, or the insurers -- someone, anyone, with the muscle to demand management protect the corporate crown jewels with something stronger than security thru obscurity. Are investments in firewalls often the result of such non-MIS pressures today? I'd bet yes, on the odds.

From bukys@cs.rochester.edu:
>It will be interesting to see whether everyone supplying dialup SLIP access
>will also be vulnerable to charges of "harboring hackers" because they don't
>police the content of packets.

Unless our culture changes considerably, no one foresees access providers policing outgoing packets. The best we can hope for is that they educate users and contractually obligate them to follow minimal rules, but that -- presuming progress in message, header, and routing integrity -- could dramatically change our environment. Change it, but not really secure it.

Won't there always be a DMZ gap (e.g. anon remailers, transborder confusions; undocumented backdoors, software conflicts) within which the tech-savvy, both the curious and the criminal, can escape accountability? The best we can hope for is to raise the threshold to exclude the wanna-bees who haven't "earned" the right to pose the threat they do today.

And now back to the configuration queries....

Suerte & Happy New Year,
_Vin McLellan
The Privacy Guild

Vin McLellan + Technical Translators' Guild = MULTI-LINGUAL tech writers, engineers, med techs, programmers.
*TRANSLATORS FOR HIRE* /\\/\\/\\/\\/\\/\\/\\ *BICULTURAL TECHIES*
"For Intl Sales & Support, Gopher & Web-Serve in Multiple Languages!"
From firewalls-owner Mon Jan 2 12:43:16 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA11430 for firewalls-outgoing; Mon, 2 Jan 1995 12:25:19 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA11425 for ; Mon, 2 Jan 1995 12:25:14 -0800
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA10176; Mon, 2 Jan 95 15:13:16 -0500
Date: Mon, 2 Jan 95 15:13:16 -0500
Message-Id: <9501022013.AA10176@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Internal Probes
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

_Vin McLellan writes:
> But then, it's not the providers' responsibility to secure our
> sites. Some large corporations automatically probe their own multiple sites
> daily to identify machines that are not properly configured -- but an
> activist defense (including, but not limited to, firewalls) is still
> relatively rare, isn't it?

Cannot speak for anyone else but I have been using active probing for quite a few years. Started with periodic strobes with war-dialers for modems and other responses. About two years ago started using daemon-pingers and socket-openers to find out what is on our nets (the line response to opening port 21 or 25 will often also report the platform/software in use). Can now go through a *local* class B net in a matter of hours.

The one thing I have learned is that there is always more to learn - have never seen such a dynamic industry. Another thing is how few sysadmins notice strobing even when they have been warned (has gone up since I started giving goodies - coffee cups and such - to those who notice/report).

The good news is that it works and with overlapping layers, you do not need 100% coverage, 80-85% is sufficient.
However it is a lot like redundant control systems: if you do not notice the first failure, you can get into a dual-fail situation real quick.

Warmly,
Padgett

From firewalls-owner Mon Jan 2 12:56:53 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA11572 for firewalls-outgoing; Mon, 2 Jan 1995 12:38:08 -0800
Received: from erenj.com (ereapp.erenj.com [159.70.31.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA11567 for ; Mon, 2 Jan 1995 12:38:05 -0800
Posted-Date: Mon, 2 Jan 1995 15:36:10 -0500 (EST)
Date: Mon, 2 Jan 1995 15:36:10 -0500 (EST)
From: "Bryan D. Boyle"
Subject: Re: FireWall-1 Configurations? (fwd)
To: firewalls@greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Date: Mon, 2 Jan 1995 10:59:04 -0500 (EST)
From: David Kovar
To: Jamie C Pole
Cc: firewalls@GreatCircle.COM
Subject: Re: FireWall-1 Configurations?

> We're using a Sparc Classic in this configuration and it seems to be
> working well for the most part.
> Some things we encountered:
> * The documentation is very sparse.
> * The machine was hanging completely, requiring a power cycle to
>   restore it to life. A patch from Checkpoint seems to have fixed
>   this problem.

Great. You are depending on this to protect your network? What did you say your address is again?

Don't you love buggy software from vendors. Ask them why they don't release the source. I would hate to think that I have to depend on the skills of some software house to secure my network. You get what you pay for.

> * We still have a problem with the filter not being reloaded after
>   a crash, power cycle, reboot requiring that we do it by hand.
>   Checkpoint and the reseller, Qualix, are still working with us on
>   this one.

I would hope so. That is what you paid for. Don't forget to remind them each time the thing buggers up.
> It seems to handle the load well, is very easy to configure, and when
> configured correctly, does the job.

If you have paid thousands of dollars for this, why should you have to worry about any of this.

From firewalls-owner Mon Jan 2 13:19:08 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA11857 for firewalls-outgoing; Mon, 2 Jan 1995 13:02:01 -0800
Received: from master.lds-az.loral.com (master.lds-az.loral.com [158.185.20.193]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA11848 for ; Mon, 2 Jan 1995 13:01:54 -0800
Received: by master.lds-az.loral.com (5.65a/LDS-AZ-3.12) id AA08864; Mon, 2 Jan 95 13:54:14 -0700
Date: Mon, 2 Jan 95 13:54:14 -0700
From: goodic@master.lds-az.loral.com ( Charles Gooding )
Message-Id: <9501022054.AA08864@master.lds-az.loral.com>
To: firewalls@greatcircle.com
Subject: Tn3270 session
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anyone tried to run a MAC 3270 telnet session through the FWTK telnet proxy? There are some comments in the source code that imply that it may work. The problem that I have is that the MAC is left in "DEC" mode instead of IBM3270. If I telnet directly to the IBM site it works ok. I would be grateful for any help on this subject.
Thanks in advance
Chuck Gooding
goodic@master.lds-az.loral.com

From firewalls-owner Mon Jan 2 13:34:33 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA11902 for firewalls-outgoing; Mon, 2 Jan 1995 13:03:39 -0800
Received: from gold.chem.hawaii.edu (gold.chem.Hawaii.Edu [128.171.55.9]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA11897 for ; Mon, 2 Jan 1995 13:03:36 -0800
Received: by gold.chem.hawaii.edu (4.1/gold-MX-1.9) id AA10178; Mon, 2 Jan 95 11:02:13 HST
Date: Mon, 2 Jan 1995 11:00:36 -1000 (HST)
From: NetSurfer
Subject: Re: firewall administration
To: H Morrow Long
Cc: firewalls@greatcircle.com
In-Reply-To: <199412292027.AA13670@SPARKY.CF.CS.YALE.EDU>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 29 Dec 1994, H Morrow Long wrote:

> [Mail to the original user bounced with :
>
> hinc.hawaii.gov (tcp)... 550 Host unknown
> 554 ... 550 Host unknown (Valid name but no data [IP address])

Try:

Whois: hawaii.gov

Hawaii State Government (HAWAII2-DOM)
   Domain Name: HAWAII.GOV

   Administrative Contact:
      Nielsen, Torben (TN11) torben@Hawaii.Edu
      (808) 956 3499
   Technical Contact, Zone Contact:
      Whinery, D. Alan (DAW) whinery@HAWAII.EDU
      (808) 956-9167

   Record last updated on 12-Oct-94.

   Domain servers in listed order:

   MX.NSI.NASA.GOV    128.102.18.31
   DNS.HAWAII.NET     128.171.3.13
   DNS2.HAWAII.NET    128.171.7.1, 128.171.44.1

-NetSurfer

#include
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
== = =          |James D. Wilson         |V.PGP 2.7: 512/E12FCD 1994/03/17
> " " o "       |P. O. Box 15432         | finger for full PGP key
> " " / \ "     |Honolulu, HI 96830      |====================================
> \" "/ G \"    |Serendipitous Solutions | Also NetSurfer@sersol.com
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

From firewalls-owner Mon Jan 2 18:14:47 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA15345 for firewalls-outgoing; Mon, 2 Jan 1995 18:09:36 -0800
Received: from dolphin.ins.com (dolphin.ins.com [199.0.192.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA15340 for ; Mon, 2 Jan 1995 18:09:30 -0800
Received: from samzuckerman.ins.com (sz-pc.ins.com [199.0.192.216]) by dolphin.ins.com (8.6.9/8.6.9) with SMTP id VAA04376; Mon, 2 Jan 1995 21:08:01 -0500
Date: Mon, 2 Jan 1995 21:08:01 -0500
Message-Id: <199501030208.VAA04376@dolphin.ins.com>
X-Sender: sam@dolphin.ins.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Alan Hannan , zen@bi.fish.com (Dan)
From: sam_zuckerman@ins.com (Sam Zuckerman)
Subject: Re: traffic-only network sniffer?
Cc: firewalls@GreatCircle.COM
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:11 AM 1/2/95 -0600, Alan Hannan wrote:
>> Before I went and wrote/got my own, does anyone know of anything out
>> there that will just keep track of connections, not the info inside?
>> That is, the to's & from's, type/port, and time info - starting time and
>> length of connection? I'm interested in monitoring large-scale networks
>> over a long period of time. If it generated stats/graphs/whatever
>> that'd be a bonus, but not necessary.
>
> The Network General Sniffer will do what you ask. It's pretty malleable
>and I find it very useful for protocol analysis.
>>
>> (If it worked on an SGI box, that'd be great, but I'll take any pointers
>> or working stuff; preferably free, 'natch.)
>
> While not free, it will run on an sgi...
> actually, let me rephrase that: The
>sniffer is a piece of hardware, actually, I think NG has trademarked the name,
>regardless, it runs on a dedicated PC of theirs, and it has this nifty
>interface into the DOS that runs on an xwindow on my solaris machines. I'm
>not certain they have one for SGI, but I think they might.
>

The Network General Sniffer is actually software that was produced by Network General and yes it is trademarked. It will run on just about any PC and or Notebook. You do not have to buy the platform that the Sniffer will run on. You just have to buy the software and the board from Network General. Actually they prefer not to sell you the platform, but they do just to package everything.

> Good luck.
>
>--
>+ alan@mid.net Network Operations Center (402)/472-0242, Fax (402)/472-0240 +
>+ + + + + + + + + + + + + + + + + + ++ + + + + + + + + + + + + + + + + + + + +
>+============\\ "Small is the number of them that see with their own eyes +
>+MIDnet, Inc. \\____ and feel with their own hearts."
>                                                     - Albert Einstein +
>
>

****************************************************************************
Sam S. Zuckerman
Systems Engineer
International Network Services
E-Mail sam@ins.com
Pager 800 931-1429
PROVIDING THE POWER OF OPERABLE NETWORKS
****************************************************************************

From firewalls-owner Mon Jan 2 23:57:57 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA00330 for firewalls-outgoing; Mon, 2 Jan 1995 23:55:52 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [143.191.19.67]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id XAA00297 for ; Mon, 2 Jan 1995 23:55:43 -0800
Received: from post.demon.co.uk by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-941015) id XAA23057; Mon, 2 Jan 1995 23:00:20 -0800
Received: from loddon.demon.co.uk by post.demon.co.uk id aa13093; 3 Jan 95 7:02 GMT
Date: Mon, 02 Jan 1995 20:27:12 GMT
From: Stuart Broderick
Reply-To: Stuart@loddon.demon.co.uk
Message-Id: <53@loddon.demon.co.uk>
To: firewalls-digest@greatcircle.com
Subject: TCP/IP + IPX firewall solutions ?
X-Mailer: PCElm 1.10
Lines: 15
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've got a requirement to segment the LAN and to protect one half against the other. The LAN supports TCP/IP and IPX.

Does anyone know if a single firewall offering can achieve this division or am I looking at a TCP/IP firewall to control TCP/IP traffic and perhaps a multi-protocol router to control the IPX traffic ? Is it possible to encapsulate IPX in TCP/IP packets and control these somehow ?

Any ideas/suggestions (polite) welcome.
Stuart

PS: A firewall already exists to connect one half of the net to Internet, but the other half is not permitted to access this (politics....no technical reason :-))

From firewalls-owner Tue Jan 3 00:56:55 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA00902 for firewalls-outgoing; Tue, 3 Jan 1995 00:45:42 -0800
Received: from Sun.COM (Sun.COM [192.9.9.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id AAA00897 for ; Tue, 3 Jan 1995 00:45:40 -0800
Received: from snail.Sun.COM ([129.145.1.3]) by Sun.COM (sun-barr.Sun.COM) id AA01117; Tue, 3 Jan 95 00:44:07 PST
Received: from Spain.Sun.COM (isunspain) by snail.Sun.COM (4.1/SMI-4.1) id AA14429; Tue, 3 Jan 95 00:44:05 PST
Received: from sunbird.Spain.Sun.COM by Spain.Sun.COM (5.0/SMI-4.1c) id AA01139; Tue, 3 Jan 1995 09:43:20 --100
Received: from gaudi.Spain.Sun.COM by sunbird.Spain.Sun.COM (5.0/SMI-SVR4) id AA07678; Tue, 3 Jan 1995 09:37:53 --100
Received: by gaudi.Spain.Sun.COM (5.x/SMI-SVR4) id AA21983; Tue, 3 Jan 1995 09:39:51 +0100
Date: Tue, 3 Jan 1995 09:39:51 +0100
From: Albert.Triola@Spain.Sun.COM (Albert Triola - Sun SMCC - Barcelona - TSE)
Message-Id: <9501030839.AA21983@gaudi.Spain.Sun.COM>
To: firewalls@greatcircle.com
Subject: SUNBSCRIBE
X-Sun-Charset: US-ASCII
Content-Length: 0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From firewalls-owner Tue Jan 3 05:01:51 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA03080 for firewalls-outgoing; Tue, 3 Jan 1995 04:41:14 -0800
Received: from rufus.infonet.net (jeffo@rufus.infonet.net [167.142.225.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id EAA03075 for ; Tue, 3 Jan 1995 04:41:12 -0800
Received: (from jeffo@localhost) by rufus.infonet.net (8.6.9/8.6.9) id GAA08482; Tue, 3 Jan 1995 06:39:22 -0600
Date: Tue, 3 Jan 1995 06:39:21 -0600 (CST)
From: "Jeffrey C. Ollie"
Reply-To: "Jeffrey C. Ollie"
To: Stuart Broderick
cc: firewalls@greatcircle.com
Subject: Re: TCP/IP + IPX firewall solutions ?
In-Reply-To: <53@loddon.demon.co.uk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 2 Jan 1995, Stuart Broderick wrote:

> I've got a requirement to segment the LAN and to protect one half
> against the other. The LAN supports TCP/IP and IPX.
>
> Does anyone know if a single firewall offering can achieve this
> division or am I looking at a TCP/IP firewall to control TCP/IP traffic
> and perhaps a multi-protocol router to control the IPX traffic ? Is it
> possible to encapsulate IPX in TCP/IP packets and control these somehow ?
>
> Any ideas/suggestions (polite) welcome.

The latest versions of the Linux kernels (+ some additional software) have the ability to route IPX packets as well as IP packets. Could be the beginning of a solution. It's definitely roll your own, though. Source is included though :).

Jeffrey C. Ollie
Iowa Network Services
Support Daemon

From firewalls-owner Tue Jan 3 07:00:17 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA04354 for firewalls-outgoing; Tue, 3 Jan 1995 06:33:37 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA04349 for ; Tue, 3 Jan 1995 06:33:33 -0800
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA00692; Tue, 3 Jan 95 09:14:37 -0500
Date: Tue, 3 Jan 95 09:14:37 -0500
Message-Id: <9501031414.AA00692@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Dual Net Protection
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 2 Jan 1995, Stuart Broderick wrote:

> I've got a requirement to segment the LAN and to protect one half
> against the other.
> The LAN supports TCP/IP and IPX.
>

Well, just about any filtering router that supports dual subnet separation should be able to handle the task. You will need to have physical separation between the two halves and serve each from a separate port. As far as IPX vs IP, this can be done at the TYPE level - IP is type 8 and IPX (original crispy - there are a lot of variants these days) is 8137.

If you just need to prevent intercommunication while allowing each Internet access, this is easy. Permitting some traffic between the two is more complex but still doable.

If your router does not have this capability and you trust one of the two subnets, you could use a filtering bridge (Drawbridge, Karlbridge) or even intelligent hubs (3Com, HP).

Warmly,
Padgett

From firewalls-owner Tue Jan 3 07:21:36 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA04474 for firewalls-outgoing; Tue, 3 Jan 1995 06:41:50 -0800
Received: from clark.net (mikebat@clark.net [168.143.0.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA04469 for ; Tue, 3 Jan 1995 06:41:47 -0800
Received: (mikebat@localhost) by clark.net (8.6.9/8.6.5) id JAA07379 for firewalls-digest@greatcircle.com; Tue, 3 Jan 1995 09:40:10 -0500
From: Mike Batchelor
Message-Id: <199501031440.JAA07379@clark.net>
Subject: Sun Netra Internet servers
To: firewalls-digest@greatcircle.com
Date: Tue, 3 Jan 1995 09:40:08 -0500 (EST)
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Content-Length: 618
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm looking at the Sun Netra Internet server as a possible gateway/firewall server to connect our LAN to the net. I have contacted Sun for more information, but would appreciate any comments (via e-mail) from anyone who has had an experience with these systems. All I know so far is what the promotional literature tells me, which isn't very much.
--
\\\ Mike Batchelor /// mikebat@clark.net
\\\ M.Batchelor@babylon4.clark.net ///
"Supporting Windows is like buying a puppy. The dog only cost $100, but we spent another $500 cleaning the carpet." - Marc Dodge, "Reality Check", _Open Computing_, December 1994

From firewalls-owner Tue Jan 3 08:57:29 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA05959 for firewalls-outgoing; Tue, 3 Jan 1995 08:43:16 -0800
Received: from rubik (root@construc.rdc.cl [146.155.30.18]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA05954 for ; Tue, 3 Jan 1995 08:43:07 -0800
Received: from [200.9.152.-116] by rubik with smtp (Linux Smail3.1.28.1 #3) id m0rPCIQ-0006lJC; Tue, 3 Jan 95 13:41 CDT
Message-Id:
From: "Francisco Javier Cabezas"
Subject: Re: Sun Netra Internet servers
To: Mike Batchelor
Cc: firewalls-digest@greatcircle.com
Date: Tue, 3 Jan 95 13:40:30 PST
In-Reply-To: Your message of Tue, 3 Jan 1995 09:40:08 -0500 (EST).<199501031440.JAA07379@clark.net>
Encoding: 6 TEXT , 40 MESSAGE
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What is Sun Netra ???
I have never heard about this...

Quito.
:-)

From firewalls-owner Tue Jan 3 09:15:14 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA05822 for firewalls-outgoing; Tue, 3 Jan 1995 08:27:13 -0800
Received: from world (sdt.com [199.100.49.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA05816 for ; Tue, 3 Jan 1995 08:27:06 -0800
Received: by world (5.0) id AA03243; Tue, 3 Jan 1995 10:21:45 +0600
Received: from aadt.sdt.com(144.9.149.25) by world via smap (V1.3) id sma003240; Tue Jan 3 10:21:19 1995
Received: from shadow.sdt.com by sdt.com (4.1/SUN-2.0hub) id AA14314; Tue, 3 Jan 95 10:21:27 CST
Received: by shadow.sdt.com (5.61) id AA15769; Tue, 3 Jan 95 10:24:16 -0600
From: aaron@sdt.com (Aaron Gair)
Message-Id: <9501031024.ZM15767@shadow.sdt.com>
Date: Tue, 3 Jan 1995 10:24:16 -0600
In-Reply-To: jdb@ecofin.ch (John B*hrer) "Re- Doorknob twisting" (Dec 30, 1:41pm)
References: <00614.2871640659.3156@ecofin.uucp>
X-Mailer: Z-Mail (2.1.5 20sep93)
To: Firewalls@GreatCircle.COM (Fire Walls)
Subject: Re- Doorknob twisting
content-length: 531
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It appears from this discussion that this is a common problem. As far as policy goes, battle it out, but for a simple suggestion to University Admins- don't leave all doors open to the net - why not filter out destination ports that are of no use to students. At least those students that persist in scanning 64k of ports will have to wait a hell of a long time! Possibly long enough to lose interest in doing it. It would also eliminate useless packets on the net. ( Assuming this is not already being done. )

A. Gair

From firewalls-owner Tue Jan 3 10:26:51 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA07015 for firewalls-outgoing; Tue, 3 Jan 1995 09:58:07 -0800
Received: from venera.isi.edu (venera.isi.edu [128.9.0.32]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA07007 for ; Tue, 3 Jan 1995 09:58:03 -0800
From: bmanning@ISI.EDU
Received: from zed.isi.edu by venera.isi.edu (5.65c/5.61+local-20) id ; Tue, 3 Jan 1995 09:56:10 -0800
Posted-Date: Tue, 3 Jan 1995 09:55:51 -0800 (PST)
Message-Id: <199501031755.AA07267@zed.isi.edu>
Received: by zed.isi.edu (5.65c/4.0.3-4) id ; Tue, 3 Jan 1995 09:55:52 -0800
Subject: Re: TIS & Gauntlet
To: alan@mid.net (Alan Hannan)
Date: Tue, 3 Jan 1995 09:55:51 -0800 (PST)
Cc: firewalls@greatcircle.com
In-Reply-To: <199412310404.WAA06991@westie.mid.net> from "Alan Hannan" at Dec 30, 94 10:04:19 pm
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 362
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>
> I am curious to hear war stories and discussions on TIS and their product
> Gauntlet. I would enjoy hearing these either publically across this mailing
> list, or via direct mail to/from me...
>

Really good people. Ask Steve, Jerry &/or Bob as I gave them my opinions before you arrived. They tend to err on the side of completeness.
--
--bill

From firewalls-owner Tue Jan 3 10:57:25 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA07156 for firewalls-outgoing; Tue, 3 Jan 1995 10:06:50 -0800
Received: from nda.nda.com (nda.nda.COM [204.57.51.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA07151 for ; Tue, 3 Jan 1995 10:06:48 -0800
Received: (kovar@localhost) by nda.nda.com (8.6.9/8.6.4) id NAA21704; Tue, 3 Jan 1995 13:04:59 -0500
From: David Kovar
Message-Id: <199501031804.NAA21704@nda.nda.com>
Subject: Re: FireWall-1 Configurations? (fwd)
To: bdboyle@maverick.erenj.com (Bryan D. Boyle)
Date: Tue, 3 Jan 1995 13:04:58 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Bryan D. Boyle" at Jan 2, 95 03:36:10 pm
X-Mailer: ELM [version 2.4 PL20]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 544
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Don't you love buggy software from vendors. Ask them why they don't
> release the source. I would hate to think that I have to depend on the
> skills of some software house to secure my network.

I had hopes that I could come up with a reasonable black box solution, but this one obviously isn't it.

> I would hope so. That is what you paid for. Don't forget to remind them
> each time the thing buggers up.

Payment? We're holding the check still and are about to charge them for engineering time to debug their product.
-David

From firewalls-owner Tue Jan 3 11:03:26 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA07161 for firewalls-outgoing; Tue, 3 Jan 1995 10:06:59 -0800
Received: from venera.isi.edu (venera.isi.edu [128.9.0.32]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA07149 for ; Tue, 3 Jan 1995 10:06:46 -0800
From: bmanning@ISI.EDU
Received: from zed.isi.edu by venera.isi.edu (5.65c/5.61+local-20) id ; Tue, 3 Jan 1995 10:05:11 -0800
Posted-Date: Tue, 3 Jan 1995 10:04:53 -0800 (PST)
Message-Id: <199501031804.AA07280@zed.isi.edu>
Received: by zed.isi.edu (5.65c/4.0.3-4) id ; Tue, 3 Jan 1995 10:04:53 -0800
Subject: Re: your mail
To: alan@mid.net (Alan Hannan)
Date: Tue, 3 Jan 1995 10:04:53 -0800 (PST)
Cc: mccoy@io.com, bukys@cs.rochester.edu, firewalls@greatcircle.com
In-Reply-To: <199412310421.WAA08379@westie.mid.net> from "Alan Hannan" at Dec 30, 94 10:21:33 pm
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 790
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> > In a short while various features for IPv6 will prevent anyone from
> > policing the content of packets or determining the true source and
> > destination of a particular packet ....
>
> I rather doubt this day will come in the next ten years, sure you might be
> able to make a version 6 and all the IETF people can say it's secure, but not
> in the real world......
>

Alan...

The "IETF people" are real-world. As a matter of fact, most of them are spending time and effort to continue the growth curve that is providing most of us w/ gainful employment! IPv6 will happen or the Internet will fragment. NAT is only a bandaid. The addition of security to the base protocol is a really good thing. You don't have to turn it on and then IPv6 looks a lot like IPv4.
--bill

From firewalls-owner Tue Jan 3 11:23:49 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA07111 for firewalls-outgoing; Tue, 3 Jan 1995 10:01:52 -0800
Received: from lykos.netpart.com (lykos.netpart.com [199.35.49.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA07105 for ; Tue, 3 Jan 1995 10:01:48 -0800
Received: from localhost (phil@localhost) by lykos.netpart.com (8.6.5/8.6.5) id JAA08985; Tue, 3 Jan 1995 09:57:56 -0801
Date: Tue, 3 Jan 1995 09:57:56 -0801
From: Phil Trubey
Message-Id: <199501031758.JAA08985@lykos.netpart.com>
To: quito@constructa.CL
Subject: Re: Sun Netra Internet servers
Newsgroups: np.firewalls
In-Reply-To:
References: <199501031440.JAA07379@clark.net>
Organization: NetPartners, Newport Beach, CA
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In article you write:
>What is Sun Netra ???
> I never have to hear about this...
>
> Quito.
> :-)

I have seen Sun Netra at two tradeshows now. From what I've seen it is simply a Sun Sparcserver with a Netra label on it. It additionally comes with a really simple menu based interface that allows you to turn processes on and off and some public domain Internet servers pre-compiled and installed. It has no firewall functionality (ask a Netra person about that and they say that you can optionally load Firewall-1 on it).

But Netra does come with some nice expensive 4 color brochures that talk about how Sun servers are used in 60% of the Internet. And Sun has a huge advertising budget (people see those full page Wall Street Journal ads?)

Netra strikes me as Sun's pretty transparent attempt to sell more Sun boxes - nothing wrong with that, but look carefully at what you get before buying a Netra...

--
Phil Trubey   | NetPartners | Providing Internet products and services.
E-mail: phil@netpart.com | Home Page: http://www.netpart.com/ Phone: 714-759-1641 | From firewalls-owner Tue Jan 3 11:27:42 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA07483 for firewalls-outgoing; Tue, 3 Jan 1995 10:39:59 -0800 Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA07475 for ; Tue, 3 Jan 1995 10:39:55 -0800 Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU via SMTP; Tue, 3 Jan 1995 13:38:07 -0500 Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-5.67b/res.client.cf-3.7) id AA27766; Tue, 3 Jan 1995 13:38:06 -0500 Date: Tue, 3 Jan 1995 13:38:06 -0500 From: long-morrow@CS.YALE.EDU (H Morrow Long) Message-Id: <199501031838.AA27766@SPARKY.CF.CS.YALE.EDU> To: Firewalls@greatcircle.com, vin@shore.net Subject: Re: Doorknob twisting Cc: sneakers@CS.YALE.EDU Sender: firewalls-owner@GreatCircle.COM Precedence: bulk _Vin McLellan of The Privacy Guild wrote: >.................................... The best we can hope for is that they >educate users and contractually obligate them to follow minimal rules, but >that -- presuming progress in message, header, and routing integrity -- >could dramatically change our environment. Change it, but not really secure >it. > Won't there always be a DMZ gap (eg. anon remailers, transborder >confusions; undocumented backdoors, software conflicts) within which the >tech-savvy, both the curious and the criminal, can escape accountability? >The best we can hope for is to raise the threshold to exclude the >wanna-bees who haven't "earned" the right to pose the threat they do today. 
I don't want to get too far afield and waste bandwidth but just want to address the Internet 'contractual obligation' idea by providing a few Internet pointers since this issue has come up here but has been much more extensively debated in the CYBERIA-L mailing list ( cyberia-l@birds.wm.edu , appended at the very end is more information about the CYBERIA-L list) and is the subject of a paper by our (Yale CS) Director of Administration, Robert L. Dunne ( Dunne@CS.Yale.EDU ) in the Fall 1994 JURIMETRICS JOURNAL of LAW, SCIENCE and TECHNOLOGY (V.35, N.1, P.1) available online w/permission. The Jurimetrics article and Cyberia-L list may also be a good place to redirect the current discussion. Here are the pointers: ------------------------------------------------------------------------ Unauthorized Access to Computers: Controlling Behavior in Cyberspace through a Contract Law Paradigm by Robert L. Dunne -------------------------------- Availability : LaTeX, DVI, PostScript and HTML versions of this paper are available (as well as this plain text version) by browsing the following Internet URLs (Universal Resource Locators): ftp://www.cs.yale.edu/pub/dunne/jurimetrics/ gopher://www.cs.yale.edu/11/pub/dunne/jurimetrics/ http://www.cs.yale.edu/pub/dunne/jurimetrics/jurimetrics.html mailto:majordomo@cs.yale.edu ( put 'get sneakers jurimetrics.txt' in message body ) -------------------------------- ...More details... 
This paper is available in the following formats via URLs : HTML (suitable for Web browsers such as Netscape and Mosaic) http://www.cs.yale.edu/pub/dunne/jurimetrics/HTML/jurimetrics.html gopher://www.cs.yale.edu/h0/pub/dunne/jurimetrics/HTML/jurimetrics.html ftp://ftp.cs.yale.edu/pub/dunne/jurimetrics/HTML/jurimetrics.html LaTeX http://www.cs.yale.edu/pub/dunne/jurimetrics/jurimetrics.tex gopher://www.cs.yale.edu/00/pub/dunne/jurimetrics/jurimetrics.tex ftp://www.cs.yale.edu/pub/dunne/jurimetrics/jurimetrics.tex DVI http://www.cs.yale.edu/pub/dunne/jurimetrics/jurimetrics.dvi gopher://www.cs.yale.edu/99/pub/dunne/jurimetrics/jurimetrics.dvi ftp://www.cs.yale.edu/pub/dunne/jurimetrics/jurimetrics.dvi PostScript(TM) http://www.cs.yale.edu/pub/dunne/jurimetrics/jurimetrics.ps gopher://www.cs.yale.edu/00/pub/dunne/jurimetrics/jurimetrics.ps ftp://www.cs.yale.edu/pub/dunne/jurimetrics/jurimetrics.ps Text http://www.cs.yale.edu/pub/dunne/jurimetrics/jurimetrics.txt gopher://www.cs.yale.edu/00/pub/dunne/jurimetrics/jurimetrics.txt ftp://www.cs.yale.edu/pub/dunne/jurimetrics/jurimetrics.txt mailto:majordomo@cs.yale.edu ( put 'get sneakers jurimetrics.txt' in message body ) -------------------------------- Abstract: This paper describes the advantages of a contract law paradigm as an alternative to the use of criminal law in controlling many types of low level illegal conduct on the Internet, suggests how such a paradigm might be implemented, and illustrates its application in the specific context of unauthorized access to computers. The paper focuses on unauthorized access gained by defeating password protection schemes, perhaps the most common method of obtaining unauthorized access to computer systems. 
The paper suggests that a viable way of deterring this conduct is to address the problem at its source, attempted unauthorized access to computers, and argues that the proposed contract law paradigm would dramatically reduce attempted unauthorized access by changing the way Internet users think about this behavior. ------------------------------------------------------------------------ About the CYBERIA-L list: From: listserver@birds.wm.edu Subject: INFO CYBERIA-L X-Listserver-Version: 6.0 -- UNIX ListServer by Anastasios Kotsikonas X-Comment: William and Mary ListServer CYBERIA-L is an Internet "listserv" discussion group. It was once called "CYBERLAW," but in deference to another writer about the law of cyberspace who was also using that term, the name was changed to CYBERIA. The group discusses anything that relates to the law and policy of computer networks. Topics have included: copyright in digital writings; the Clipper chip and privacy; access policies about government-held information; the use of Internet domain names that are similar to existing trademarks; trade secret rights in encryption algorithms; and more. For the first few years, discussion on the list waxed and waned in volume. Some months saw very few messages, others quite a bit more. Things seem to have picked up around mid-1994, and traffic flow has been rather consistently heavy (10 to 20 messages a day) since then. As of Fall, 1994, the list had about 275 direct subscribers, but because list traffic is circulated in several other places (UseNet, among others), the readership and writership is considerably larger than that. The list is open for subscription to anyone who wants to subscribe. To do so, send a message to listserv@listserv.cc.wm.edu and place in the body of the message "subscribe cyberia-l John Doe", but use your name instead of "John Doe" and leave off the quotes. 
The list owner and moderator is Trotter Hardy, a professor of law at the College of William and Mary, in Williamsburg, Virginia. His address is thardy@mail.wm.edu. ------------------------------------------------------------------------ - Morrow From firewalls-owner Tue Jan 3 11:36:27 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA08208 for firewalls-outgoing; Tue, 3 Jan 1995 11:27:09 -0800 Received: from wolfe.wimsey.com (root@wolfe.wimsey.com [198.162.16.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA08189 for ; Tue, 3 Jan 1995 11:27:02 -0800 Received: by wolfe.wimsey.com (Smail3.1.28.1 #31) id m0rPEr3-0007iaC; Tue, 3 Jan 95 11:25 PST Received: by ilinx.com (/\oo/\ Smail3.1.29.1 #29.6) id ; Tue, 3 Jan 95 11:10 PST Message-Id: Received: by miro.ilinx.com id ; Tue, 3 Jan 95 11:10:23 -0800 From: brian@imcon.ilinx.com To: firewalls@GreatCircle.COM Subject: detecting port scanning Date: Tue, 3 Jan 1995 11:10:22 -0700 (PST) X-Mailer: Ishmail 1.0-hp-941109 Available via anonymous ftp from ftp.halsoft.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk With all this talk regarding port scanning, I was wondering what people are using to monitor the unused ports on their firewalls. I can visualize the program which would do it, or even how to configure inetd to do the monitoring, but putting ~65000 entries in my inetd file does not "light my candle". Perhaps an inetd-like utility (anti-inetd) which reads the inetd.conf as "don't watch on these ports" instead of "watch on these ports" as inetd does. b. -- Brian J. Murrell brian@ilinx.com InterLinx Support Services, Inc. brian@wimsey.com North Vancouver, B.C. 
604 983 UNIX Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD From firewalls-owner Tue Jan 3 11:49:46 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA07909 for firewalls-outgoing; Tue, 3 Jan 1995 11:10:59 -0800 Received: from nda.nda.com (nda.nda.COM [204.57.51.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA07902 for ; Tue, 3 Jan 1995 11:10:55 -0800 Received: (kovar@localhost) by nda.nda.com (8.6.9/8.6.4) id OAA26056; Tue, 3 Jan 1995 14:09:11 -0500 From: David Kovar Message-Id: <199501031909.OAA26056@nda.nda.com> Subject: Re: FireWall-1 Configurations? (fwd) To: kovar@nda.com (David Kovar) Date: Tue, 3 Jan 1995 14:09:10 -0500 (EST) Cc: bdboyle@maverick.erenj.com, firewalls@GreatCircle.COM In-Reply-To: <199501031804.NAA21704@nda.nda.com> from "David Kovar" at Jan 3, 95 01:04:58 pm X-Mailer: ELM [version 2.4 PL20] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 913 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I *sincerely* apologize for sending this back out to the list. I failed to check the cc line and thought I was replying just to the original sender. This was a quite unprofessional message to send to the list. Checkpoint is still working with us on our problem and we're hoping that we can come to a reasonable solution. -David > > Don't you love buggy software from vendors. Ask them why they don't > > release the source. I would hate to think that I have to depend on the > > skills of some software house to secure my network. > > I had hopes that I could come up with a reasonable black box solution, > but this one obviously isn't it. > > > I would hope so. That is what you paid for. Don't forget to remind them > > each time the thing buggers up. > > Payment? We're holding the check still and are about to charge them > for engineering time to debug their product. 
> > -David > From firewalls-owner Tue Jan 3 12:06:35 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA00638 for firewalls-outgoing; Tue, 3 Jan 1995 11:56:03 -0800 Received: from relay.tis.com (firewall_user@relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA00633 for ; Tue, 3 Jan 1995 11:56:00 -0800 Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma003134; Tue Jan 3 14:54:26 1995 Received: from otter.tis.com. by tis.com (4.1/SUN-5.64) id AA28179; Tue, 3 Jan 95 14:51:34 EST From: Marcus J Ranum Message-Id: <9501031951.AA28179@tis.com> Subject: Re: detecting port scanning To: brian@imcon.ilinx.com Date: Tue, 3 Jan 1995 14:57:37 -0500 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: from "brian@imcon.ilinx.com" at Jan 3, 95 11:10:22 am Organization: Trusted Information Systems, Inc. Glenwood, MD Phone: 301-854-6889 Content-Type: text Content-Length: 1376 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > With all this talk regarding port scanning, I was wondering what people are > using to monitor the unused ports on their firewalls. I can visualize the > program which would do it, or even how to configure inetd to do the > monitoring, but putting ~65000 entries in my inetd file does not "light my > candle". Put it in your kernel. The good news is that if it's in the kernel, your "attacker" never knows it's been logged since a connection is never made. The bad news is that lots of applications "dribble" packets at closed connections (i.e.: my server shuts down but your client keeps cheerfully writing to it until my kernel sends you a reply that the connection is now closed). Another alternative is to decide that port sniffing attacks are uninteresting and therefore you don't care about them. 
After all, any firewall admin worth beans is going to have already port-sniffed the bejeezus out of their firewall and determined that there's nothing unusual running on it. So if you've satisfied yourself that you're OK what do you care if someone probes you? Unless, of course, you have copious free time in which to send notes to systems admins, etc, etc, complaining that their users are badly brought up. Whether or not that makes sense or improves the security of the 'net significantly is a different matter, which I feel isn't worth going into here. mjr. From firewalls-owner Tue Jan 3 12:32:09 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA00815 for firewalls-outgoing; Tue, 3 Jan 1995 12:03:01 -0800 Received: from databus.databus.com (root@databus.databus.com [198.186.154.34]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA00809 for ; Tue, 3 Jan 1995 12:02:58 -0800 Date: Tue, 3 Jan 95 15:01 EST Message-ID: <9501031501.AA07381@databus.databus.com> From: Barney Wolff To: brian@imcon.ilinx.com, firewalls@GreatCircle.COM Subject: Re: detecting port scanning Content-Length: 562 Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From: brian@imcon.ilinx.com > Date: Tue, 3 Jan 1995 11:10:22 -0700 (PST) > > Perhaps an inetd like utility (anti-inetd) which reads the inetd.conf as > "don't watch on these ports" instead of watch on these ports as inetd does. Unless I'm missing something, you need a packet snooper interface to do this, as I don't think the kernel will take kindly to a process that opens 65K sockets TCP and another 65K UDP. I would truly LOVE a kernel call that allowed me to say "If nobody else is listening, give the thing to me." 
Barney Wolff From firewalls-owner Tue Jan 3 12:36:31 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA01553 for firewalls-outgoing; Tue, 3 Jan 1995 12:33:52 -0800 Received: from venera.isi.edu (venera.isi.edu [128.9.0.32]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA01540 for ; Tue, 3 Jan 1995 12:33:18 -0800 From: bmanning@ISI.EDU Received: from zed.isi.edu by venera.isi.edu (5.65c/5.61+local-20) id ; Tue, 3 Jan 1995 12:29:14 -0800 Posted-Date: Tue, 3 Jan 1995 12:28:56 -0800 (PST) Message-Id: <199501032028.AA08841@zed.isi.edu> Received: by zed.isi.edu (5.65c/4.0.3-4) id ; Tue, 3 Jan 1995 12:28:56 -0800 Subject: Re: Doorknob twisting To: long-morrow@CS.YALE.EDU (H Morrow Long) Date: Tue, 3 Jan 1995 12:28:56 -0800 (PST) Cc: Firewalls@greatcircle.com, vin@shore.net, sneakers@CS.YALE.EDU In-Reply-To: <199501031838.AA27766@SPARKY.CF.CS.YALE.EDU> from "H Morrow Long" at Jan 3, 95 01:38:06 pm X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 26 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Plug. RFC 1746 --bill From firewalls-owner Tue Jan 3 13:07:44 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA01391 for firewalls-outgoing; Tue, 3 Jan 1995 12:25:07 -0800 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA01386 for ; Tue, 3 Jan 1995 12:25:03 -0800 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA02630; Tue, 3 Jan 95 15:11:37 -0500 Date: Tue, 3 Jan 95 15:11:37 -0500 Message-Id: <9501032011.AA02630@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. 
Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: port scanning Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >With all this talk regarding port scanning, I was wondering what people are >using to monitor the unused ports on their firewalls. I can visualize the >program which would do it, or even how to configure inetd to do the >monitoring, but putting ~65000 entries in my inetd file does not "light my >candle". Dunno about anyone else but I use a PC that looks for openable ports. So long as the RTT is in the 20-30 ms range (very local) checking all 65536 is not too bad (less than an hour). Usually I just check the "popular" ports but for sensitive areas it's worth the coffee break every now and again. Warmly, Padgett From firewalls-owner Tue Jan 3 13:07:59 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA01439 for firewalls-outgoing; Tue, 3 Jan 1995 12:27:52 -0800 Received: from oxygen.house.gov (oxygen.house.gov [137.18.128.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA01434 for ; Tue, 3 Jan 1995 12:27:49 -0800 Received: by oxygen.house.gov (AIX 3.2/UCB 5.64/3.2.083191-) id AA26895; Tue, 3 Jan 1995 15:21:52 -0500 From: dorian@oxygen.house.gov (Dorian Deane) Message-Id: <9501032021.AA26895@oxygen.house.gov> Subject: Re: detecting port scanning To: firewalls@greatcircle.com Date: Tue, 3 Jan 1995 15:21:52 -0500 (EST) X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1282 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > With all this talk regarding port scanning, I was wondering what people are > using to monitor the unused ports on their firewalls. I can visualize the > program which would do it, or even how to configure inetd to do the > monitoring, but putting ~65000 entries in my inetd file does not "light my > candle". 
> > Perhaps an inetd like utility (anti-inetd) which reads the inetd.conf as > "don't watch on these ports" instead of watch on these ports as inetd does. ... > Brian J. Murrell brian@ilinx.com > InterLinx Support Services, Inc. brian@wimsey.com ... There are a million good/sophisticated ways to do this, but here's a simple one that should work: Use tcp-wrappers and add three made-up services to inetd.conf at ports you are fairly certain not to use: say, 100, 101, and 102. Now, make sure wrappers is configured to refuse all connections to those ports and log the fact. Any time someone probes you, you'll get three "connection refused" messages, milliseconds apart. This is machine specific, and won't catch udp probes, of course. If you want more sophistication there is plenty of very good monitoring software out there, but this one has the advantage of simplicity. dorian From firewalls-owner Tue Jan 3 13:21:41 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA01498 for firewalls-outgoing; Tue, 3 Jan 1995 12:31:14 -0800 Received: from sealex.kaman.com (sealex.kaman.com [199.29.132.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA01493 for ; Tue, 3 Jan 1995 12:31:08 -0800 Received: by sealex.kaman.com (5.65/fma-120691); id AA14088; Tue, 3 Jan 95 15:28:02 -0500 Received: by mach10.utica1.kaman.com (4.1/1.34/Kaman-1.2) id AA19519; Tue, 3 Jan 95 15:28:21 EST Date: Tue, 3 Jan 1995 15:28:21 -0500 (EST) From: Edward F Killian Subject: Re: Sun Netra Internet servers To: Phil Trubey Cc: quito@constructa.cl, firewalls@greatcircle.com In-Reply-To: <199501031758.JAA08985@lykos.netpart.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 3 Jan 1995, Phil Trubey wrote: > In article you write: > >What is Sun Netra ??? > > I never have to hear about this... > > > > Quito. > > :-) > > I have seen Sun Netra at two tradeshows now. 
From what I've seen it is simply > a Sun Sparcserver with a Netra label on it. It additionally comes with a > really simple menu based interface that allows you to turn processes on and > off and some public domain Internet servers pre-compiled and installed. It > has no firewall functionality (ask a Netra person about that and they say > that you can optionally load Firewall-1 on it). > > But Netra does come with some nice expensive 4 color brochures that talk > about how Sun servers are used in 60% of the Internet. > > And Sun has a huge advertising budget (people see those full page Wall Street > Journal ads?) > > Netra strikes me as Sun's pretty transparent attempt to sell more Sun boxes - > nothing wrong with that, but look carefully at what you get before buying > a Netra... > -- > Phil Trubey | > NetPartners | Providing Internet products and services. > E-mail: phil@netpart.com | Home Page: http://www.netpart.com/ > Phone: 714-759-1641 | > Sorry, but I felt I had to respond. I'll say up front that I work for a Sun Value Added Reseller. One of the main features Sun is presenting with the Netra Internet server is the ability for a novice to purchase one and connect to the internet. The Netra comes with a diskette and CDROM. You place both into the system at boot time, connect your internet tap, the system reads configuration info off the diskette ( IP address, etc. ) and after a few short minutes you are connected to the internet. Now since this is a firewall group I am talking to, and a very knowledgeable one at that, most of you don't need the self configuration. And since it only has firewall software as an add-on, you will still have to install your favorite software, if that's what you want. Please send flames directly to me. 
Ed Killian System Engineer System Administrator Kaman Sciences Corporation Phone (315) 734-3629 258 Genesee Street FAX (315) 734-3699 Utica, New York 13502-4627 email edk@utica1.kaman.com ############################################################################# The opinions expressed are mine, wholly mine, and nothing but mine. ############################################################################# From firewalls-owner Tue Jan 3 16:36:28 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA04844 for firewalls-outgoing; Tue, 3 Jan 1995 16:08:58 -0800 Received: from uu11.psi.com (uu11.psi.com [38.8.24.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA04839 for ; Tue, 3 Jan 1995 16:08:55 -0800 Received: from hq.ortel.com by uu11.psi.com (5.65b/4.0.940727-PSI/PSINet) via SMTP; id AA27747 for firewalls@greatcircle.com; Tue, 3 Jan 95 19:07:15 -0500 Received: from cc:Mail by hq.ortel.com id AA789178295; Tue, 03 Jan 95 16:09:36 pst Date: Tue, 03 Jan 95 16:09:36 pst From: "Vincent Yau" Message-Id: <9500037891.AA789178295@hq.ortel.com> To: firewalls@greatcircle.com Subject: Terminology Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dear All Would appreciate if someone can get back to me and explain what is "stealth IP address"? Thanks a lot. 
--Vincent Yau vyau@ortel.com From firewalls-owner Tue Jan 3 17:06:27 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA05380 for firewalls-outgoing; Tue, 3 Jan 1995 16:55:08 -0800 Received: from yodac.dsai.com (yodac.dsai.com [192.94.201.60]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA05371 for ; Tue, 3 Jan 1995 16:55:01 -0800 Received: from vader.dsai.com by yodac.dsai.com via SMTP (920330.SGI/920502.SGI.AUTO) for firewalls@GreatCircle.COM id AA06020; Tue, 3 Jan 95 17:52:47 -0700 Received: by vader.dsai.com (931110.SGI/930416.SGI) for @yodac.dsai.com:firewalls@GreatCircle.COM id AA27762; Tue, 3 Jan 95 17:52:20 -0700 From: "Steve J. Sibert" Message-Id: <9501031752.ZM27760@vader.dsai.com> Date: Tue, 3 Jan 1995 17:52:20 -0700 X-Mailer: Z-Mail (3.1.0 22feb94 MediaMail) To: firewalls@GreatCircle.COM Subject: email monitoring Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Anyone know how to monitor incoming and outgoing email messages? Thanks in advance, Steve Sibert -- =================================================================== = Steve J. Sibert Decision-Science Applications, Inc. 
= = Internet: sibert@dsai.com (719) 593-5974 = =================================================================== From firewalls-owner Tue Jan 3 17:20:34 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA05221 for firewalls-outgoing; Tue, 3 Jan 1995 16:45:37 -0800 Received: from world1.worldbit.com (gw.worldbit.com [199.4.64.236]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA05216 for ; Tue, 3 Jan 1995 16:45:32 -0800 Received: from localhost (blast@localhost) by world1.worldbit.com (8.6.4.1/A/UX 3.1) id QAA00869; Tue, 3 Jan 1995 16:49:13 -0800 Date: Tue, 3 Jan 1995 16:49:12 -0800 (PST) From: Tim Keanini To: Dorian Deane cc: firewalls@GreatCircle.COM Subject: Re: detecting port scanning In-Reply-To: <9501032021.AA26895@oxygen.house.gov> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 3 Jan 1995, Dorian Deane wrote: > > Perhaps an inetd like utility (anti-inetd) which reads the inetd.conf as > > "don't watch on these ports" instead of watch on these ports as inetd does. > ... > > Brian J. Murrell brian@ilinx.com > There are a million good/sophisticated ways to do this, but here's a > simple one that should work: > > Use tcp-wrappers and add three made-up services to inetd.conf at ports > you are fairly certain not to use: say, 100, 101, and 102. Now, > make sure wrappers is configured to refuse all connections to those > ports and log the fact. > > Any time someone probes you, you'll get three "connection refused" > messages, milliseconds apart. > > This is machine specific, and won't catch udp probes, of course. If > you want more sophistication there is plenty of very good monitoring > software out there, but this one has the advantage of simplicity. This is exactly what I do, and then I use 'swatch' to monitor my log file and catch it with a regexp. My load is not that heavy to where it could get confused. 
Just my $00.02 --blast %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \ Tim Keanini | "The limits of my language, / / aka blast | are the limits of my world." \ \ | --Ludwig Wittgenstein / / | \ \ +================================================/ / for more info on BayMOO... \ \ email baymoo@worldbit.com / %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% From firewalls-owner Tue Jan 3 18:09:49 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA06287 for firewalls-outgoing; Tue, 3 Jan 1995 17:50:28 -0800 Received: from morakot.nectec.or.th (morakot.nectec.or.th [192.150.251.21]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id RAA06277 for ; Tue, 3 Jan 1995 17:50:21 -0800 Received: from kmitnb03.kmitnb.ac.th by morakot.nectec.or.th (8.6.8/1.34) id IAA26379; Wed, 4 Jan 1995 08:49:15 +0700 Received: from localhost.nectec.or.th by morakot.nectec.or.th (8.6.8/1.34) id IAA26379; Wed, 4 Jan 1995 08:49:15 +0700 Received: by kmitnb03.kmitnb.ac.th (5.0/SMI-SVR4) id AA06907; Wed, 4 Jan 95 08:45:31 GMT Date: Wed, 4 Jan 1995 08:45:30 -0700 (GMT) From: Pradit Pitaksathienkul Subject: where can I find RFCs ? To: firewalls@GreatCircle.COM In-Reply-To: <9501031752.ZM27760@vader.dsai.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII content-length: 129 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Excuse me , where can I find RFCs ? I need to know about RFC 821 to understand about SMTP protocol but I cannot find it. pradit. 
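The decoy-port technique in the port-scanning thread above (Dorian Deane's three tcp-wrappers-denied fake services in inetd.conf, and Tim Keanini's swatch regexp over the resulting log) can be carried one step further than a single-line regexp: correlate the refusals by source address and only alert when one source hits several decoys within a short window, which also absorbs Marcus Ranum's point that clients "dribble" packets at a closed port. The following is an added example written for this archive, not code posted by any of the list members. It assumes the decoy services were named in.decoy100, in.decoy101 and in.decoy102 (names chosen here; the thread only gives the port numbers), and that tcpd logs each denial in its usual syslog shape, "<daemon>[pid]: refused connect from <host>". The sample log lines are constructed.

```python
"""Correlate tcp_wrappers 'refused connect' lines from decoy ports into
port-scan alerts.  Added example; assumes inetd.conf carries three denied
decoy services named in.decoy100/in.decoy101/in.decoy102 (this example's
names) on ports 100, 101 and 102 as the list thread suggests."""
import re
from collections import defaultdict
from datetime import datetime

# tcpd syslog line: "Mon DD HH:MM:SS host daemon[pid]: refused connect from src"
LOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<daemon>[\w.-]+)\[\d+\]:\s+refused connect from\s+(?P<src>\S+)"
)

# Assumed service names of the decoy inetd.conf entries.
DECOY_DAEMONS = {"in.decoy100", "in.decoy101", "in.decoy102"}


def parse_line(line, year=1995):
    """Return (timestamp, daemon, source) for a tcpd refusal line, else None.
    Syslog omits the year, so the caller supplies it."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return ts, m["daemon"], m["src"]


def find_scanners(lines, window_seconds=5, min_decoys=2):
    """Map source -> set of decoy daemons it hit, for every source that
    touched at least min_decoys distinct decoys within window_seconds.
    A lone refusal is ignored: a client dribbling packets at one closed
    port is not evidence of a sweep, several decoys in a burst is."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, daemon, src = parsed
        if daemon in DECOY_DAEMONS:          # refusals on real services are not decoy hits
            hits[src].append((ts, daemon))

    scanners = {}
    for src, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # distinct decoys seen within the window starting at this event
            in_window = {d for t, d in events[i:]
                         if (t - t0).total_seconds() <= window_seconds}
            if len(in_window) >= min_decoys:
                scanners[src] = in_window
                break
    return scanners


# Constructed sample log: a sequential sweep of all three decoys, one stray
# single refusal, and a source whose two decoy hits are 20 seconds apart.
SAMPLE_LOG = """\
Jan  3 13:38:06 gw in.decoy100[27761]: refused connect from 192.0.2.10
Jan  3 13:38:06 gw in.decoy101[27762]: refused connect from 192.0.2.10
Jan  3 13:38:06 gw in.decoy102[27763]: refused connect from 192.0.2.10
Jan  3 13:40:12 gw in.decoy100[27790]: refused connect from 198.51.100.7
Jan  3 13:41:00 gw in.telnetd[27801]: refused connect from 203.0.113.5
Jan  3 13:41:00 gw in.decoy102[27802]: refused connect from 203.0.113.5
Jan  3 13:41:20 gw in.decoy100[27815]: refused connect from 203.0.113.5
""".splitlines()

if __name__ == "__main__":
    for src, decoys in sorted(find_scanners(SAMPLE_LOG).items()):
        print(f"probable port scan from {src}: hit {sorted(decoys)}")
```

With the default five-second window only 192.0.2.10 is reported; widening the window to a minute also catches 203.0.113.5, whose two decoy hits were spread out. The window and threshold are the knobs to tune against the dribble problem on a given network, and, as Dorian notes, this still sees only TCP probes that reach the decoy ports.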
From firewalls-owner Tue Jan 3 18:24:23 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA06038 for firewalls-outgoing; Tue, 3 Jan 1995 17:40:45 -0800 Received: from morakot.nectec.or.th (morakot.nectec.or.th [192.150.251.21]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id RAA06033 for ; Tue, 3 Jan 1995 17:40:34 -0800 Received: from kmitnb03.kmitnb.ac.th by morakot.nectec.or.th (8.6.8/1.34) id IAA26229; Wed, 4 Jan 1995 08:39:18 +0700 Received: from localhost.nectec.or.th by morakot.nectec.or.th (8.6.8/1.34) id IAA26229; Wed, 4 Jan 1995 08:39:18 +0700 Received: by kmitnb03.kmitnb.ac.th (5.0/SMI-SVR4) id AA06826; Wed, 4 Jan 95 08:35:23 GMT Date: Wed, 4 Jan 1995 08:35:23 -0700 (GMT) From: Pradit Pitaksathienkul Subject: Re: email monitoring To: "Steve J. Sibert" Cc: firewalls@GreatCircle.COM In-Reply-To: <9501031752.ZM27760@vader.dsai.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII content-length: 406 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 3 Jan 1995, Steve J. Sibert wrote: > Anyone know how to monitor incoming and outgoing email messages? > > Thanks in advance, > > Steve Sibert > I use the tcp_wrapper software; it can show what happened, including sendmail. But I have a problem too: someone sends very large mail to my host and gives my in.telnetd a broken pipe, and I cannot make my sendmail ignore it. pradit. 
From firewalls-owner Tue Jan 3 18:36:30 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA06984 for firewalls-outgoing; Tue, 3 Jan 1995 18:34:06 -0800 Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA06978 for ; Tue, 3 Jan 1995 18:34:03 -0800 Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU via SMTP; Tue, 3 Jan 1995 21:31:48 -0500 Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-5.67b/res.client.cf-3.7) id AA29159; Tue, 3 Jan 1995 21:31:47 -0500 Date: Tue, 3 Jan 1995 21:31:47 -0500 From: long-morrow@CS.YALE.EDU (H Morrow Long) Message-Id: <199501040231.AA29159@SPARKY.CF.CS.YALE.EDU> To: firewalls@greatcircle.com, pradit@kmitnb03.kmitnb.ac.th Subject: Re: where can I find RFCs ? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From: Pradit Pitaksathienkul > >Excuse me , where can I find RFCs ? I need to know about RFC 821 to understand >about SMTP protocol but I cannot find it. >pradit. This should be in a FAQ: ftp ftp.internic.net cd /rfc get rfc821.txt quit (don't do a dir listing in the /rfc directory, it takes forever). 
- Morrow From firewalls-owner Tue Jan 3 18:40:02 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA06020 for firewalls-outgoing; Tue, 3 Jan 1995 17:39:33 -0800 Received: from remus.ultranet.com (remus.ultranet.com [199.232.56.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA06011 for ; Tue, 3 Jan 1995 17:39:25 -0800 Received: from romulus.ultranet.com by remus.ultranet.com; (5.65/1.1.8.2/22Aug94-0201PM) id AA16782; Tue, 3 Jan 1995 20:36:36 -0500 From: Joe Provo Received: by romulus.ultranet.com; (5.65/1.1.8.2/22Aug94-0147PM) id AA26995; Tue, 3 Jan 1995 20:36:32 -0500 Date: Tue, 3 Jan 1995 20:36:32 -0500 Message-Id: <9501040136.AA26995@romulus.ultranet.com> To: edk@mach10.utica1.kaman.com, phil@netpart.com Subject: Re: Sun Netra Internet servers Cc: firewalls@greatcircle.com, quito@constructa.cl Sender: firewalls-owner@GreatCircle.COM Precedence: bulk {This is still vaguely firewall-ish, but meandering} [big bobbit] >Value Added Reseller. One of the main features Sun is presenting with the >Netra Internet server is the ability for a novice to purchase one and connect >to the internet. The Netra comes with a diskette and CDROM. You place both >into the system at boot time, connect your internet tap, the system reads >configuration info off the diskette ( IP address, etc. ) and after a few >short minutes you are connected to the internet. [clip] Today I was just queried by a proto-client about a similar "Site-in-a-box"* from BBN. I'm very old school, and while I heartily welcome novice users, I cannot see how in *any* way a solo-ing novice admin is *anything* but a Bad Thing. Perhaps we can try to bring HINFO back into vogue so that Sites-in-boxen can be detected trivially, thereby informing us to notify the admins of the feeds and not the box when investigating suspect activity? I would be intensely curious as to the "default" security on one of these boxen... 
I'm sure this will do nothing but help the security consultant trade.

Perhaps I jumped onto the wrong wave...

Cheers,
Joe

*obvious, but mine! If you want to use it, send $50 to the FSF.

Systems and Network Admin, UltraNet Communications Inc.   508.229.8400(voice)
jprovo@ultra.net                                          508.229.8111(data)
A network service provider in Marlboro, MA                mailto:info@ultra.net

From firewalls-owner Tue Jan 3 18:50:54 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA06616 for firewalls-outgoing; Tue, 3 Jan 1995 18:17:28 -0800
Received: from bwh.harvard.edu (bwh.harvard.edu [134.174.81.34]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA06611 for ; Tue, 3 Jan 1995 18:17:26 -0800
Received: (adam@localhost) by bwh.harvard.edu (8.6.9/8.6.9) id UAA07425; Tue, 3 Jan 1995 20:32:44 -0500
From: Adam Shostack
Message-Id: <199501040132.UAA07425@bwh.harvard.edu>
X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School
Subject: Re: email monitoring
To: sibert@vader.dsai.com (Steve J. Sibert)
Date: Tue, 3 Jan 95 20:32:43 EST
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9501031752.ZM27760@vader.dsai.com>; from "Steve J. Sibert" at Jan 3, 95 5:52 pm
X-PGP: 876BD629 Fingerprint: 70 93 32 D6 36 D4 04 10 40 EC AB 28 A4 1D 0F E2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

| Anyone know how to monitor incoming and outgoing email messages?

You might start by having your legal department take a hard look at the Electronic Communications Privacy Act of 1986.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
-Hume

From firewalls-owner Tue Jan 3 18:55:34 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA06374 for firewalls-outgoing; Tue, 3 Jan 1995 17:58:40 -0800
Received: from sequoia.itd.uts.EDU.AU (daemon@sequoia.itd.uts.EDU.AU [138.25.16.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA06369 for ; Tue, 3 Jan 1995 17:58:33 -0800
Received: from lordmuck.itd.uts.edu.au by sequoia.itd.uts.EDU.AU with SMTP id AA15119 (5.65c/IDA-1.4.4 for ); Wed, 4 Jan 1995 12:56:49 +1100
Received: by lordmuck.itd.uts.edu.au (5.0/SMI-SVR4) id AA12650; Wed, 4 Jan 1995 12:58:54 +1100
From: matt@uts.EDU.AU (Jas (Matthew K))
Message-Id: <9501040158.AA12650@lordmuck.itd.uts.edu.au>
Subject: Re: TCP/IP + IPX firewall solutions ?
To: jeffo@ins.infonet.net
Date: Wed, 4 Jan 1995 12:58:54 +1000 (EST)
Cc: firewalls@greatcircle.com (Firewalls Mailing List)
In-Reply-To: from "Jeffrey C. Ollie" at Jan 3, 95 06:39:21 am
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 1777
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jeffrey C. Ollie wrote this...
> 
> On Mon, 2 Jan 1995, Stuart Broderick wrote:
> 
> > I've got a requirement to segment the LAN and to protect one half
> > against the other. The LAN supports TCP/IP and IPX.
> > 
> > Does anyone know if a single firewall offering can achieve this
> > division or am I looking at a TCP/IP firewall to control TCP/IP traffic
> > and perhaps a multi-protocol router to control the IPX traffic ? Is it
> > possible to encapsulate IPX in TCP/IP packets and control these somehow ?
> > 
> > Any ideas/suggestions (polite) welcome.
> 
> The latest versions of the Linux kernels (+ some additional software) have
> the ability to route IPX packets as well as IP packets. Could be the
> beginning of a solution. It's definitely roll your own, though. Source
> is included though :).
> 
> Jeffrey C. Ollie
> Iowa Network Services Support Daemon
> 

UNIX versions that support TLI (such as svr4) should be able to firewall IPX as easily as they firewall IP (however the firewall has to be able to talk TLI as well). I am hoping to write some TLI firewalling software (ie something like fwtk but with TLI support), but this is when I get time, as I am probably going to be very busy till late February sometime.

Matt
-- 
Matthew Keenan, Systems Programmer, Information Technology Division, University of Technology Sydney, Australia
www: http://milliways.itd.uts.edu.au/~matt/
email: matt@uts.edu.au
phone: +61 2 330 1390      "Don't murder a man who is about
fax:   +61 2 330 1999       to commit suicide."
home:  +61 2 416 5722             -- Machiavelli
GCV 2.1 GAT/M/CS d--(-+) H-- s++:-- g+ p? !au a-(?) w+++ v+ C+++$ UVS++++$ P+>+++ L- 3+++ E-(++) N++ K W--- M+ V-- -po+(+) Y+ t+ !5>++ jx R+ G? !tv b+++ D++ B e+ u--(**) h- f+(*) r n- !y

From firewalls-owner Tue Jan 3 19:10:09 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA06959 for firewalls-outgoing; Tue, 3 Jan 1995 18:32:54 -0800
Received: from seraph.uunet.ca (uunet.ca [142.77.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA06950 for ; Tue, 3 Jan 1995 18:32:49 -0800
Received: from yyz by mail.uunet.ca with UUCP id <123942-3>; Tue, 3 Jan 1995 21:32:08 -0500
Received: by yyz.org (Smail 3.1.28.1 #5) id m0rPLRK-000GUdC; Tue, 3 Jan 95 21:27 EST
Date: Mon, 16 Jan 1995 04:27:06 -0500
From: Michael Holmes
Subject: Re: detecting port scanning
To: firewalls@greatcircle.com
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[Momentary de-lurk]

I've been thinking about, and am interested in, such an "anti-" program since this subject of scanning ports came up.
With such excellent suggestions that were given recently regarding printing a comment when a specific port was plinked, I would be interested in hearing if there are any similar "easy hacks" which would have a watchdog program monitor all ports, and log/exec on all plinks, other than those in inetd.conf.

Ideally, it wouldn't depend on any specific firewall product/wrappers/etc.

Any good ideas?

holmesm@yyz.org

[ Back to lurking ]

From firewalls-owner Tue Jan 3 19:12:28 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA06120 for firewalls-outgoing; Tue, 3 Jan 1995 17:44:19 -0800
Received: from mailgate.Cadence.COM (mailgate.Cadence.COM [158.140.2.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id RAA06115 for ; Tue, 3 Jan 1995 17:44:16 -0800
Received: (from smap@localhost) by mailgate.Cadence.COM (8.6.8/8.6.8) id RAA04746; Tue, 3 Jan 1995 17:42:43 -0800
Received: from cds1004.cadence.com(158.140.32.39) by mailgate.cadence.com via smap (V1.0mjr) id sma004740; Tue Jan 3 17:42:39 1995
Received: (from alastair@localhost) by cds1004 (8.6.8/8.6.8) id RAA07064; Tue, 3 Jan 1995 17:42:37 -0800
From: "Alastair Young"
Message-Id: <9501031742.ZM7062@cds1004>
Date: Tue, 3 Jan 1995 17:42:36 -0800
In-Reply-To: Tim Keanini "Re: detecting port scanning" (Jan 3, 4:49pm)
References:
X-Mailer: Z-Mail (3.0.1 23feb94)
To: Tim Keanini , Dorian Deane
Subject: Re: detecting port scanning
Cc: firewalls@GreatCircle.COM
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Jan 3, 4:49pm, Tim Keanini wrote:
> Subject: Re: detecting port scanning
> On Tue, 3 Jan 1995, Dorian Deane wrote:
> 
> > > > Perhaps an inetd like utility (anti-inetd) which reads the inetd.conf as
> > > > "don't watch on these ports" instead of watch on these ports as inetd does.
> > ...
> > > Brian J. Murrell brian@ilinx.com
> > 
> > There are a million good/sophisticated ways to do this, but here's a
> > simple one that should work:
> > 
> > Use tcp-wrappers and add three made-up services to inetd.conf at ports
> > you are fairly certain not to use: say, 100, 101, and 102. Now,
> > make sure wrappers is configured to refuse all connections to those
> > ports and log the fact.
> > 
> > Any time someone probes you, you'll get three "connection refused"
> > messages, milliseconds apart.
> > 
> > This is machine specific, and won't catch udp probes, of course. If
> > you want more sophistication there is plenty of very good monitoring
> > software out there, but this one has the advantage of simplicity.
> > 
> This is exactly what I do and then I use 'swatch' monitor my log file
> to catch it with a regexp.
> My load is not that heavy to where it could get confused.
> Just my $00.02
> 

If your outer filter does logging, port scanning shows up clear as day. Our filter also generates "connection refused" responses when dropping tcp/ip connection attempts, so they look just like a real machine. Firewall-1 also has this capability.

Al
-- 
----------------------------------------------------------------------------
Alastair Young                                  _          This vehicle incapable
Cadence Design Systems, Information Services    )/___ _
555 River Oaks Parkway, 4B1                 __/(___)_*##/c   of evading low
San Jose CA 95134      Fax: (408)894-3487   / /\\|| \ / \
alastair@cadence.com        (408)428-5278   \__/ ----'\__/   speed pursuit!
----------------------------------------------------------------------------
These statements and opinions are mine, not those of Cadence Design Systems

From firewalls-owner Tue Jan 3 19:15:54 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA06943 for firewalls-outgoing; Tue, 3 Jan 1995 18:32:22 -0800
Received: from morakot.nectec.or.th (morakot.nectec.or.th [192.150.251.21]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA06934 for ; Tue, 3 Jan 1995 18:32:16 -0800
Received: from kmitnb03.kmitnb.ac.th by morakot.nectec.or.th (8.6.8/1.34) id JAA26921; Wed, 4 Jan 1995 09:31:16 +0700
Received: from localhost.nectec.or.th by morakot.nectec.or.th (8.6.8/1.34) id JAA26921; Wed, 4 Jan 1995 09:31:16 +0700
Received: by kmitnb03.kmitnb.ac.th (5.0/SMI-SVR4) id AA07196; Wed, 4 Jan 95 09:26:52 GMT
Date: Wed, 4 Jan 1995 09:26:51 -0700 (GMT)
From: Pradit Pitaksathienkul
Subject: Re: where can I find RFCs ?
To: firewalls@GreatCircle.COM
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
content-length: 354
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 4 Jan 1995, Pradit Pitaksathienkul wrote:

> Excuse me , where can I find RFCs ? I need to know about RFC 821 to understand
> about SMTP protocol but I cannot find it.
> pradit.
> 

Thank you to all users, I could get that file 10 minutes after asking for help! I hope I will understand the SMTP protocol.

Happy new year.
pradit.
From firewalls-owner Tue Jan 3 19:28:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA06807 for firewalls-outgoing; Tue, 3 Jan 1995 18:24:07 -0800
Received: from ben.britain.eu.net (ben.Britain.EU.net [192.91.199.254]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA06802 for ; Tue, 3 Jan 1995 18:24:05 -0800
Received: from fennel.compnews.co.uk by ben.britain.eu.net via UKIP with SMTP (PP) id ; Wed, 4 Jan 1995 02:21:10 +0000
Received: from sage.compnews.co.uk by fennel.compnews.co.uk; Wed, 4 Jan 95 02:20:56 GMT
Date: Wed, 4 Jan 1995 02:20:48 +0000 (GMT)
From: Phil Male
X-Sender: phil@sage.compnews.co.uk
To: Pradit Pitaksathienkul
Cc: firewalls@greatcircle.com
Subject: Re: where can I find RFCs ?
In-Reply-To:
Message-Id:
X-Fax: +44 1430 433111
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 4 Jan 1995, Pradit Pitaksathienkul wrote:

> Excuse me , where can I find RFCs ? I need to know about RFC 821 to understand
> about SMTP protocol but I cannot find it.
> pradit.
> 

ftp src.doc.ic.ac.uk /rfc/rfc821.txt.gz

 ___/ / /_/) /    Phil Male, Technical Director, Information Systems
 / /_ '/          PA data Design, The Bishops Manor, Howden, DN14 7BL
 / / ///          Tel: UK 01 430 488 288   Fax: UK 01 430 433 111

From firewalls-owner Tue Jan 3 19:29:21 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA06082 for firewalls-outgoing; Tue, 3 Jan 1995 17:41:43 -0800
Received: from mailgate.Cadence.COM (mailgate.Cadence.COM [158.140.2.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id RAA06077 for ; Tue, 3 Jan 1995 17:41:40 -0800
Received: (from smap@localhost) by mailgate.Cadence.COM (8.6.8/8.6.8) id RAA04644; Tue, 3 Jan 1995 17:40:07 -0800
Received: from cds1004.cadence.com(158.140.32.39) by mailgate.cadence.com via smap (V1.0mjr) id sma004573; Tue Jan 3 17:39:43 1995
Received: (from alastair@localhost) by cds1004 (8.6.8/8.6.8) id RAA07056; Tue, 3 Jan 1995 17:39:40 -0800
From: "Alastair Young"
Message-Id: <9501031739.ZM7054@cds1004>
Date: Tue, 3 Jan 1995 17:39:39 -0800
In-Reply-To: "Steve J. Sibert" "email monitoring" (Jan 3, 5:52pm)
References: <9501031752.ZM27760@vader.dsai.com>
X-Mailer: Z-Mail (3.0.1 23feb94)
To: "Steve J. Sibert" , firewalls@GreatCircle.COM
Subject: Re: email monitoring
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Jan 3, 5:52pm, Steve J. Sibert wrote:
> Subject: email monitoring
> Anyone know how to monitor incoming and outgoing email messages?
> 
> Thanks in advance,
> 
> Steve Sibert
> 
> 
> -- 
> ===================================================================
> = Steve J. Sibert         Decision-Science Applications, Inc.     =
> = Internet: sibert@dsai.com                  (719) 593-5974       =
> ===================================================================
> 
>-- End of excerpt from Steve J. Sibert

Monitoring of email is legally questionable, particularly relative to the Electronic Communications Privacy Act.
Listening in on email is roughly equivalent to a telephone wiretap. As long as your users have a reasonable expectation of privacy, their email is protected in the same way that their telephone conversations are. If you tell them "we will read your email whenever we feel like it" then they no longer have a reasonable expectation of privacy, and as long as they let all the people who send them mail know that this is the case, you are legally in the clear. Your users will hate you though.

If all you want to know is "from, to, when, how big" then most mailers will log this info on request. If you want to copy it, this is trivial too: just tweak your mail gateway to copy all mail going through to a file as well as passing it on, or do store and manual-forward-after-I-read-it.

I have, on occasion, been asked to monitor email, and I have always responded by sending the asker (usually a manager) a copy of the ECPA with the appropriate areas highlighted (including the bit about length of prison terms) and they have never yet come back willing to take the responsibility for it.

Whether it is legal or not, clear it with the highest manager available before doing it; cover your rear. If it is done secretly and your user community find out and create a stink, a scapegoat will be required...

Take care

Al
-- 
----------------------------------------------------------------------------
Alastair Young                                  _          This vehicle incapable
Cadence Design Systems, Information Services    )/___ _
555 River Oaks Parkway, 4B1                 __/(___)_*##/c   of evading low
San Jose CA 95134      Fax: (408)894-3487   / /\\|| \ / \
alastair@cadence.com        (408)428-5278   \__/ ----'\__/   speed pursuit!
----------------------------------------------------------------------------
These statements and opinions are mine, not those of Cadence Design Systems

From firewalls-owner Tue Jan 3 19:36:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA08562 for firewalls-outgoing; Tue, 3 Jan 1995 19:15:53 -0800
Received: from morakot.nectec.or.th (morakot.nectec.or.th [192.150.251.21]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id TAA08539 for ; Tue, 3 Jan 1995 19:15:36 -0800
Received: from kmitnb03.kmitnb.ac.th by morakot.nectec.or.th (8.6.8/1.34) id KAA27664; Wed, 4 Jan 1995 10:13:56 +0700
Received: from localhost.nectec.or.th by morakot.nectec.or.th (8.6.8/1.34) id KAA27664; Wed, 4 Jan 1995 10:13:56 +0700
Received: by kmitnb03.kmitnb.ac.th (5.0/SMI-SVR4) id AA07422; Wed, 4 Jan 95 10:09:27 GMT
Date: Wed, 4 Jan 1995 10:09:26 -0700 (GMT)
From: Pradit Pitaksathienkul
Subject: Re: email monitoring
To: Adam Shostack
Cc: "Steve J. Sibert" , firewalls@GreatCircle.COM
In-Reply-To: <199501040132.UAA07425@bwh.harvard.edu>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
content-length: 341
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 3 Jan 1995, Adam Shostack wrote:

> | Anyone know how to monitor incoming and outgoing email messages?
> 
> You might start by having your legal department take a hard
> look at the Electronic Communications Privacy Act of 1986.
> 
> Adam
> 

Excuse me, how do I get the Electronic Communications Privacy Act of 1986?

pradit.
From firewalls-owner Tue Jan 3 19:36:58 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA06716 for firewalls-outgoing; Tue, 3 Jan 1995 18:20:32 -0800
Received: from ben.britain.eu.net (ben.Britain.EU.net [192.91.199.254]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA06709 for ; Tue, 3 Jan 1995 18:20:29 -0800
Received: from fennel.compnews.co.uk by ben.britain.eu.net via UKIP with SMTP (PP) id ; Wed, 4 Jan 1995 02:18:42 +0000
Received: from sage.compnews.co.uk by fennel.compnews.co.uk; Wed, 4 Jan 95 02:18:36 GMT
Date: Wed, 4 Jan 1995 02:18:32 +0000 (GMT)
From: Phil Male
X-Sender: phil@sage.compnews.co.uk
To: "Steve J. Sibert"
Cc: firewalls@greatcircle.com
Subject: Re: email monitoring
In-Reply-To: <9501031752.ZM27760@vader.dsai.com>
Message-Id:
X-Fax: +44 1430 433111
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 3 Jan 1995, Steve J. Sibert wrote:

> Anyone know how to monitor incoming and outgoing email messages?
> 
> Thanks in advance,

Do you mean activity or content?

> 
> Steve Sibert
> 
> 
> -- 
> ===================================================================
> = Steve J. Sibert         Decision-Science Applications, Inc.     =
> = Internet: sibert@dsai.com                  (719) 593-5974       =
> ===================================================================
> 
> 

 ___/ / /_/) /    Phil Male, Technical Director, Information Systems
 / /_ '/          PA data Design, The Bishops Manor, Howden, DN14 7BL
 / / ///          Tel: UK 01 430 488 288   Fax: UK 01 430 433 111

From firewalls-owner Tue Jan 3 19:44:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA06745 for firewalls-outgoing; Tue, 3 Jan 1995 18:21:19 -0800
Received: from noc1.mid.net (noc1.mid.net [198.247.250.15]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA06740 for ; Tue, 3 Jan 1995 18:21:16 -0800
Received: from jayhawk.mid.net (jayhawk.mid.net [198.247.250.21]) by noc1.mid.net (8.6.9/8.6.9) with SMTP id UAA12102; Tue, 3 Jan 1995 20:20:49 -0600
Received: by jayhawk.mid.net (5.0/SMI-SVR4) id AA01416; Tue, 3 Jan 1995 20:20:48 -0600
From: alan@mid.net (Alan Hannan)
Message-Id: <9501040220.AA01416@jayhawk.mid.net>
Subject: Re: email monitoring
To: sibert@vader.dsai.com (Steve J. Sibert)
Date: Tue, 3 Jan 1995 20:20:47 -0600 (CST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9501031752.ZM27760@vader.dsai.com> from "Steve J. Sibert" at Jan 3, 95 05:52:20 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 732
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> 
> Anyone know how to monitor incoming and outgoing email messages?

Using a unix system, my sendmail daemon sends debugging messages to my syslogd. I monitor certain output from my syslog. I have the option of monitoring at least the to and from sites for mail.

In a classic firewall, all mail will go through the bastion, so you have the capability to monitor all mail relayed by the bastion sendmail.
-- 
+ alan@mid.net   Network Operations Center   (402)/472-0242, Fax (402)/472-0240 +
+ + + + + + + + + + + + + + + + + + + ++ + + + + + + + + + + + + + + + + + + + +
+============\\   "Small is the number of them that see with their own eyes    +
+MIDnet, Inc. \\____   and feel with their own hearts."  - Albert Einstein     +

From firewalls-owner Tue Jan 3 19:59:10 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA06571 for firewalls-outgoing; Tue, 3 Jan 1995 18:14:47 -0800
Received: from morakot.nectec.or.th (morakot.nectec.or.th [192.150.251.21]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA06560 for ; Tue, 3 Jan 1995 18:14:39 -0800
Received: from kmitnb03.kmitnb.ac.th by morakot.nectec.or.th (8.6.8/1.34) id JAA26616; Wed, 4 Jan 1995 09:12:26 +0700
Received: from localhost.nectec.or.th by morakot.nectec.or.th (8.6.8/1.34) id JAA26616; Wed, 4 Jan 1995 09:12:26 +0700
Received: by kmitnb03.kmitnb.ac.th (5.0/SMI-SVR4) id AA07064; Wed, 4 Jan 95 09:07:23 GMT
Date: Wed, 4 Jan 1995 09:07:22 -0700 (GMT)
From: Pradit Pitaksathienkul
Subject: Re: detecting port scanning
To: Tim Keanini
Cc: Dorian Deane , firewalls@GreatCircle.COM
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
content-length: 1857
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 3 Jan 1995, Tim Keanini wrote:

> > There are a million good/sophisticated ways to do this, but here's a
> > simple one that should work:
> > 
> > Use tcp-wrappers and add three made-up services to inetd.conf at ports
> > you are fairly certain not to use: say, 100, 101, and 102. Now,
> > make sure wrappers is configured to refuse all connections to those
> > ports and log the fact.
> > 
> > Any time someone probes you, you'll get three "connection refused"
> > messages, milliseconds apart.
> > 
> > This is machine specific, and won't catch udp probes, of course. If
> > you want more sophistication there is plenty of very good monitoring
> > software out there, but this one has the advantage of simplicity.
> > 
> This is exactly what I do and then I use 'swatch' monitor my log file
> to catch it with a regexp.
> My load is not that heavy to where it could get confused.
> Just my $00.02
> 
> --blast
> 

Oh! I have some problem about how to tailor tcp_wrapper. After installing it, some lines in the /var/log/syslog file said:

    kmitnb03 in.telnetd[1305]: error :can't get client address: Broken pipe
    kmitnb03 in.telnetd[1305]: connect from unknown

Can the client connect or not?

Other questions:

1. What is the meaning of LOCKED?

    kmitnb03 sendmail[2279]: AA022122 : locked

2. What is this error?

    kmitnb03 in.telnetd[3114]: ioctl: I_GETSIG failed32

3. And this?

    kmitnb03 in.telnetd[3117]: warning : can't verify hostname :gethostbyname(INADDR_ANY) failed.
    kmitnb03 in.telnetd[3117]: refuse connect from 0.0.0.0

4. And this?

    kmitnb03 sendmail[4115]: AA05604: SYSERR: collect : unexpected closed ,from ......... : Result too large .

And can I set /etc/hosts.deny to not receive the mail that makes problems?

Thanks,
pradit.
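The dummy-service trick quoted above (three tcp_wrappers-protected services on unused ports, so that a probe leaves several refusals close together) and the tcp_wrappers log lines in this message both come down to the same job: watch syslog for the wrapper's "refused connect from" records and notice when one source trips several of them at once. What follows is an added example, not code from the list, from tcp_wrappers or from swatch. It parses constructed syslog lines in the wrapper's format, alerts when a single source is refused by several distinct services inside a short window, and sets aside records whose client address the wrapper could not determine (the `unknown` and `0.0.0.0` cases asked about above) so they are reviewed separately instead of being credited to a host. The service names `port100`..`port102`, the hostname, the addresses and the 1995 year used for the timestamps are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines in tcp_wrappers' "connect from" /
# "refused connect from" style. Hostname, daemon names and addresses are
# made up; the "unknown" and "0.0.0.0" records mirror the ones quoted in
# this thread (the wrapper could not determine the client address).
SAMPLE_LOG = """\
Jan  3 17:42:39 kmitnb03 in.telnetd[1305]: error: can't get client address: Broken pipe
Jan  3 17:42:39 kmitnb03 in.telnetd[1305]: connect from unknown
Jan  3 21:10:01 kmitnb03 port100[4101]: refused connect from 192.0.2.77
Jan  3 21:10:01 kmitnb03 port101[4102]: refused connect from 192.0.2.77
Jan  3 21:10:02 kmitnb03 port102[4103]: refused connect from 192.0.2.77
Jan  3 21:15:30 kmitnb03 in.ftpd[4120]: refused connect from 198.51.100.5
Jan  3 21:16:30 kmitnb03 in.ftpd[4121]: refused connect from 198.51.100.5
Jan  3 22:00:00 kmitnb03 in.telnetd[4200]: refused connect from 0.0.0.0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<daemon>[\w.-]+)\[\d+\]: (?P<refused>refused )?connect from (?P<src>\S+)$"
)


def parse_wrapper_events(log_text, year=1995):
    """Return (timestamp, source, daemon, refused) for each wrapper record.

    Syslog timestamps carry no year, so the caller supplies one (assumed 1995).
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other syslog traffic (e.g. the "Broken pipe" error) is ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["daemon"], m["refused"] is not None))
    return events


def detect_probes(log_text, window_seconds=5, min_services=3):
    """Flag sources refused by >= min_services distinct daemons inside the window.

    Returns (alerts, unverifiable): alerts are (source, first_seen, [daemons]);
    unverifiable lists records whose client address the wrapper could not
    determine, which must not be attributed to any host.
    """
    refused_by_src = defaultdict(list)
    unverifiable = []
    for ts, src, daemon, refused in parse_wrapper_events(log_text):
        if src in ("unknown", "0.0.0.0"):
            unverifiable.append((ts, daemon, src))
        elif refused:
            refused_by_src[src].append((ts, daemon))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for src, hits in refused_by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # advance the window start until the span fits in window_seconds
            while hits[end][0] - hits[start][0] > window:
                start += 1
            services = {d for _, d in hits[start:end + 1]}
            if len(services) >= min_services:
                alerts.append((src, hits[start][0], sorted(services)))
                break  # one alert per source is enough for a first pass
    return alerts, unverifiable


if __name__ == "__main__":
    found, unverified = detect_probes(SAMPLE_LOG)
    for src, first, services in found:
        print(f"{first:%b %d %H:%M:%S} probe from {src}: {', '.join(services)}")
    for ts, daemon, src in unverified:
        print(f"{ts:%b %d %H:%M:%S} {daemon}: client address unverifiable ({src})")
```

Because syslog records only whole seconds, "milliseconds apart" becomes a window of a few seconds here; the repeated `in.ftpd` refusals from the second source stay below the threshold because they hit one service, which is the distinction between a failed login and a sweep.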
From firewalls-owner Tue Jan 3 20:04:30 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA06824 for firewalls-outgoing; Tue, 3 Jan 1995 18:24:49 -0800
Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA06814 for ; Tue, 3 Jan 1995 18:24:22 -0800
Message-Id: <199501040224.SAA06814@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.38.193.3/16.2) id AA23232; Wed, 4 Jan 95 13:24:09 +1100
From: Darren Reed
Subject: Re: detecting port scanning
To: dorian@oxygen.house.gov (Dorian Deane)
Date: Wed, 4 Jan 1995 13:24:08 +1100 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <9501032021.AA26895@oxygen.house.gov> from "Dorian Deane" at Jan 3, 95 03:21:52 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 2337
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > With all this talk regarding port scanning, I was wondering what people are
> > using to monitor the unused ports on their firewalls. I can visualize the
> > program which would do it, or even how to configure inetd to do the
> > monitoring, but putting ~65000 entries in my inetd file does not "light my
> > candle".
> > 
> > Perhaps an inetd like utility (anti-inetd) which reads the inetd.conf as
> > "don't watch on these ports" instead of watch on these ports as inetd does.
> ...
> > Brian J. Murrell brian@ilinx.com
> > InterLinx Support Services, Inc. brian@wimsey.com
> ...
> 
> There are a million good/sophisticated ways to do this, but here's a
> simple one that should work:
> 
> Use tcp-wrappers and add three made-up services to inetd.conf at ports
> you are fairly certain not to use: say, 100, 101, and 102. Now,
> make sure wrappers is configured to refuse all connections to those
> ports and log the fact.
> 
> Any time someone probes you, you'll get three "connection refused"
> messages, milliseconds apart.
Using this rationale, you don't even need to use `weird' services, but (as this is a firewall) if you have dummy entries for "shell", "login" and "exec", you will notice the same. Depending on the network between you and the prober, the times will vary between milliseconds and seconds in delay.

Of course, if you're using fwtk, then you might like to have all your inetd services run through netacl (with smap/smapd setup) so that you have everything being logged anyway, without needing dummy services. You may or may not need to do extra processing to notice scans (usually not).

For the person scanning ports, a connection refused is (best case) 2 packets (SYN,RST), and established+close is at around 6 (SYN,SYN-ACK,ACK,FIN,FIN-ACK,ACK).

> This is machine specific, and won't catch udp probes, of course. If
> you want more sophistication there is plenty of very good monitoring
> software out there, but this one has the advantage of simplicity.

Hacking tftp can be worth your while: just remove the get/put file code (or even have it supply dummy info :-), and add in logging code. Most of the other udp services are single-packet in nature and writing a "receive and run" isn't too hard or bothersome.
darren

From firewalls-owner Tue Jan 3 20:06:38 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA09265 for firewalls-outgoing; Tue, 3 Jan 1995 19:37:21 -0800
Received: from awadi.com.AU (myall.awadi.com.AU [150.207.2.65]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id TAA09239 for ; Tue, 3 Jan 1995 19:37:04 -0800
Received: from bunya.awadi ([150.207.1.63]) by awadi.com.AU (4.1/SMI-4.1) id AA12414; Wed, 4 Jan 95 14:03:42 CST
Received: from mallee.awadi by bunya.awadi (5.x/SMI-SVR4) id AA02453; Wed, 4 Jan 1995 13:59:17 +1030
From: blymn@awadi.com.AU (Brett Lymn)
Message-Id: <9501040329.AA02453@bunya.awadi>
Subject: Re: detecting port scanning
To: holmesm@yyz.org (Michael Holmes)
Date: Wed, 4 Jan 1995 13:59:32 +1030 (CST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Michael Holmes" at Jan 16, 95 04:27:06 am
X-Mailer: ELM [version 2.4 PL2]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

According to Michael Holmes:
>
>With such excellent suggestions that were given regarding printing a
>comment when a specific port was plinked, recently, I would be interested
>in hearing if there are any similar "easy hacks" which would have a
>watchdog program monitor all ports, and log/exec on all plinks, other
>than those in inetd.conf
>
>Ideally, it wouldn't depend on any specific firewall product/wrappers/etc.
>
>Any good ideas?
>

You can do this stuff with infilt, which is some add-in code for the publicly available ppp drivers. It prints a message to syslog for all packets that are blocked.

-- 
Brett Lymn, Computer Systems Administrator, AWA Defence Industries
===============================================================================
"Aha! Pronoun problems. It's not `shoot you, shoot you', it's `shoot me, shoot me'. So, go ahead, shoot ME, shoot ME ... You're Despicable" -- Daffy Duck

From firewalls-owner Tue Jan 3 20:24:50 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA09223 for firewalls-outgoing; Tue, 3 Jan 1995 19:36:40 -0800
Received: from nic.near.net (nic.near.net [192.52.71.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id TAA09215 for ; Tue, 3 Jan 1995 19:36:36 -0800
Received: from jcurran.near.net by nic.near.net id aa08112; 3 Jan 95 22:34 EST
X-Sender: jcurran@192.52.71.4
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 3 Jan 1995 22:34:59 -0500
To: Joe Provo
From: John Curran
Subject: Re: Sun Netra Internet servers
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 8:36 PM 1/3/95, Joe Provo wrote:

Definitely. Anyone know of a good list to transfer this thread to?

>{This is still vaguely firewall-ish, but meandering}
>Today I was just queried by a proto-client about a similar "Site-in-a-box"*
>from BBN. I'm very old school, and while I heartily welcome novice users, I
>cannot see how in *any* way a solo-ing novice admin is *anything* but a Bad
>Thing.

Just curious: why were you assuming similarity between the products?

I presume by "novice admin", you mean someone who needs to log into the system to perform routine system administration functions (e.g. handling users, mailing lists, pop access, news access, etc.)? I don't think creating such situations is a good idea either, but the administration of the particular BBN product is done via a client-server app which handles a very well-defined set of tasks. These systems have been deployed on the Internet for over a year now, and the user community seems quite pleased.

There _are_ very significant security implications, unless the box s/w is both strictly profiled and under pro-active maintenance. I'm not certain that I'd buy a turnkey server without maintenance any more than I'd buy a PBX without maintenance...
/John

From firewalls-owner Tue Jan 3 21:13:04 1995
From: Eric Varsanyi
To: Firewalls@greatcircle.com
Date: Tue, 03 Jan 1995 21:39:38 -0700
Subject: ECPA

I found a copy of the ECPA in http://www.eff.org/pub/EFF/Legal/ecpa.law

-Eric Varsanyi
Cray Computer Corporation

From firewalls-owner Tue Jan 3 21:30:03 1995
From: "Christopher A. Stewart"
Reply-To: stewart@networx.com
To: firewalls@greatcircle.com
Date: Tue, 3 Jan 1995 20:48:56 +0800
Subject: email monitoring

>>>>> "Steve" == Steve J Sibert writes:

    Steve> Anyone know how to monitor incoming and outgoing email
    Steve> messages? Thanks in advance,

    Steve> Steve Sibert

Unless you want to see contents also, a simple configuration of syslogd
will log from whom to whom..

I've got a similar problem though, I would like to filter outgoing
email messages.. I've come across what I consider a rather heinous
abuse of email by a commercial package, it sends "usage statistics"
back to the manufacturer. We've also got one that sends license
violations back to the manufacturer, this one isn't as heinous as it
sends a copy of the message to a local responsible person, whereas the
first does it silently..

Basically I need a program that can replace the builtin IPC mailer and
filter out certain addresses.. Anything out there like that?

--
----------------------------------------------------------------------
Christopher A. Stewart         | (Standard disclaimers are in effect)
System/Network Administrator   |
Legent Corp. Networx Div.      |
Bellevue, Wa. 98004            |
Voice (206)-688-2154           |
Fax (206)-688-2050             |

From firewalls-owner Tue Jan 3 21:37:46 1995
From: charisse@hosaka.smallworks.com.SmallWorks.COM (Charisse Castagnoli)
To: adam@bwh.harvard.edu, sibert@vader.dsai.com
Cc: firewalls@GreatCircle.COM
Date: Tue, 3 Jan 1995 23:12:57 -0600
Subject: Re: email monitoring

>> You might start by having your legal department take a hard
>> look at the Electronic Communications Privacy Act of 1986.

I don't think the ECPA applies to private employers monitoring their own
networks. I've written a paper on the subject which you can retrieve via
anonymous ftp from smallworks.com.

Charisse@smallworks.com

PS For those of you who picked up the paper last year, it has been updated
with recent legal decisions and presented at the Unix and the Law conference
Nov'94.
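Stewart's remark above, that syslogd alone will log from whom to whom, can be turned into a small envelope-only report. What follows is an added example, not code posted by anyone on the list: a POSIX shell script using awk that joins sendmail's "from=" and "to=" syslog records on the queue id and prints sender, recipient, size and delivery status, plus a filter for mail addressed to one domain (the kind of outbound "usage statistics" traffic Stewart wants to catch). The log lines, host names and addresses are constructed for the example; stats@badsoft.com is the sample address Alastair Young uses later in this thread.

```shell
#!/bin/sh
# Report sendmail transactions (envelope only) from syslog output.
# sendmail logs each message under a queue id: one "from=" record that carries
# the size, and one "to=" record per recipient that carries the delivery
# status.  Joining the two on the queue id gives who mailed whom, how big the
# message was and whether it was delivered, without touching any content.

# Constructed sample lines in sendmail 8 syslog format, not real traffic.
# The hosts and addresses are made up for this example.
sample_log() {
    cat <<'EOF'
Jan  4 08:11:20 vader sendmail[4521]: AA04521: from=<sibert@dsai.com>, size=1162, class=0, received from localhost
Jan  4 08:11:21 vader sendmail[4523]: AA04521: to=<firewalls@greatcircle.com>, delay=00:00:01, mailer=smtp, relay=miles.greatcircle.com, stat=Sent
Jan  4 09:02:05 vader sendmail[4601]: AA04601: from=<cadtool@vader>, size=20480, class=0, received from localhost
Jan  4 09:02:07 vader sendmail[4602]: AA04601: to=<stats@badsoft.com>, delay=00:00:02, mailer=smtp, relay=mail.badsoft.com, stat=Sent
Jan  4 09:02:07 vader sendmail[4602]: AA04601: to=<postmaster>, delay=00:00:02, mailer=local, stat=Sent
Jan  4 09:15:44 vader sendmail[4655]: AA04655: from=<jdoe@dsai.com>, size=512, class=0, received from jdoe-pc.dsai.com
Jan  4 09:15:50 vader sendmail[4656]: AA04655: to=<nobody@example.invalid>, delay=00:00:06, mailer=smtp, relay=example.invalid, stat=Host unknown
EOF
}

# Reads sendmail log lines on stdin and prints one line per recipient:
#   <queue id> <sender> <recipient> <size in bytes> <delivery status>
mail_summary() {
    awk '
        # Extract the value of "key=" from a log record, stripping <> brackets.
        function field(line, key,    m) {
            if (match(line, key "=[^,]*")) {
                m = substr(line, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
                gsub(/[<>]/, "", m)
                return m
            }
            return "?"
        }
        # Sender record: remember sender and size under the queue id ($6).
        /sendmail\[[0-9]+\]: [A-Za-z0-9]+: from=/ {
            qid = $6; sub(/:$/, "", qid)
            sender[qid] = field($0, "from")
            size[qid]   = field($0, "size")
            next
        }
        # Recipient record: join with the sender record seen earlier.
        /sendmail\[[0-9]+\]: [A-Za-z0-9]+: to=/ {
            qid = $6; sub(/:$/, "", qid)
            # stat= is last and may contain spaces ("Host unknown"), so take
            # everything after it instead of stopping at the next comma.
            st = $0; sub(/.*stat=/, "", st)
            printf "%s %s %s %s %s\n", qid,
                   (qid in sender ? sender[qid] : "?"), field($0, "to"),
                   (qid in size ? size[qid] : "?"), st
        }
    '
}

# Lists messages sent to any mailbox in one domain, the kind of check that
# would show a package quietly mailing "usage statistics" to its vendor.
# Prints: <queue id> <sender> <recipient> <size>
recipients_at() {
    mail_summary | awk -v dom="$1" '
        { split($3, a, "@"); if (tolower(a[2]) == tolower(dom)) print $1, $2, $3, $4 }
    '
}

# Stand-alone run on the constructed sample:
sample_log | mail_summary
echo "--- mail to badsoft.com:"
sample_log | recipients_at badsoft.com
```

On a live system feed it the mail facility's log file instead of sample_log, e.g. mail_summary < /var/log/syslog.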
From firewalls-owner Tue Jan 3 22:36:25 1995
From: Pradit Pitaksathienkul
To: firewalls@GreatCircle.COM
Date: Wed, 4 Jan 1995 12:43:32 -0700 (GMT)
Subject: Please skip my old mail about tcp_wrapper problem.

Please skip my old mail in which I asked about tcp_wrapper on this list. It
should not have been posted here because it is not related to firewalls; it
should have been asked on comp.unix.admin instead.

Sorry,
pradit.

From firewalls-owner Wed Jan 4 03:36:30 1995
From: Bernhard.Schneck@Physik.TU-Muenchen.DE
To: firewalls@greatcircle.com
Date: Wed, 04 Jan 95 12:20:33 +0100
Subject: Re: email monitoring
In-Reply-To: Your message of "Wed, 04 Jan 95 10:09:26 MST."

In message you write:
>
> On Tue, 3 Jan 1995, Adam Shostack wrote:
>
> > | Anyone know how to monitor incoming and outgoing email messages?
> >
> > You might start by having your legal department take a hard
> > look at the Electronic Communications Privacy Act of 1986.
> >
> > Adam
> >
> Excuse me, how do I get the Electronic Communications Privacy Act of 1986?

And how can the ECPA apply to anybody from somewhere.ac.th ?? I don't recall
having heard that US legislation is now to be enforced on a world wide scale
... maybe it's time to emigrate :-)

Maybe some readers should remember that there are a few other countries left
on this planet (strange as it may seem (to them)).

\Bernhard.

PS: This should not mean that I think snooping email is ethically acceptable!

PPS: The ECPA can be found at several places, eg.
     WWW: http://www.eff.org/pub/EFF/Legal/ecpa.law
     FTP: ftp.std.com in /obi/ECPA

From firewalls-owner Wed Jan 4 05:48:48 1995
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Date: Wed, 4 Jan 95 08:10:24 -0500
Subject: detecting port scanning

Well, I would not use this alone but if you can just do one thing, why not
replace the FINGER daemon (port 79) on all routers and firewalls with a
record/alarm function.
There is no real need for it on these systems yet always seems to be the first
place A-6s check (guess they want to see if anyone is there before trying to
break in).

Should you want to be very, very vindictive you could have it return a special
"signature" ID that is attractive to the immature so they will have it in their
logs when the SS knocks.

I have seen a small surge from the inside when enacted, but a few gentle phone
calls stopped that. Possibly fortunate in my environment but have generally
found that people want to do the right thing and appreciate someone
knowledgeable who is charged with protecting their systems.

Suspect that in about five years we will look back with wonder at these simple
beginnings so we might as well enjoy it while we can.

Warmly,
Padgett

ps have a new hobby: Zenith TransOceanic Radios. If anyone has one or more
they would care to dispose of, contact me offline.

From firewalls-owner Wed Jan 4 06:36:37 1995
From: morgan@engr.uky.edu (Wes Morgan)
To: adam@bwh.harvard.edu
Cc: firewalls@greatcircle.com
Date: Wed, 4 Jan 95 08:19:58 EST
Subject: Re: email monitoring

>| Anyone know how to monitor incoming and outgoing email messages?
>
> You might start by having your legal department take a hard
>look at the Electronic Communications Privacy Act of 1986.

I'm reasonably certain that he's talking about monitoring message
transactions, not the content of the messages themselves.

From the ECPA:

> (h) It shall not be unlawful under this chapter--
>[...]
> (ii) for a provider of electronic communication service to record the
>fact that a wire or electronic communication was initiated or completed in
>order to protect such provider, another provider furnishing service toward
>the completion of the wire or electronic communication, or a user of that
>service, from fraudulent, unlawful or abusive use of such service.

The ECPA specifically authorizes service providers to collect information on
the transactions themselves, for the protection of the service and its users.
Now, this information should not be distributed to the public (the ECPA makes
this clear), but there are no prohibitions on the gathering of such
information by the provider *for internal use*.

In short, your mail admin is well within the ECPA if his logs show that you
sent an email message to firewalls@greatcircle.com on such-and-such a
date/time, and that it was successfully delivered (or not).

Quick question: If you were accused of sending a death threat to
president@whitehouse.gov, wouldn't you be happy if your admin had sendmail
logs that strongly suggested that a forgery was afoot?

Let's be sure to distinguish between the monitoring of a service and the
monitoring of the content of its use. The ECPA certainly makes that
distinction, although it should be noted that content monitoring can be legal
in certain limited circumstances (quality checks, etc).

--Wes "I have syslogs back to 1989" Morgan

ps> ASCII text of the Electronic Communications Privacy Act is available via
anonymous FTP from ftp.eff.org, in the /pub/Legal directory.
    URL: ftp://ftp.eff.org/pub/Legal/ecpa.law

From firewalls-owner Wed Jan 4 07:09:20 1995
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Date: Wed, 4 Jan 95 09:32:16 -0500
Subject: Had gone offline but...

| Anyone know how to monitor incoming and outgoing email messages?

> You might start by having your legal department take a hard
>look at the Electronic Communications Privacy Act of 1986.

Am sure a legal type will correct me if rong but my understanding for the US
is that:

1) It is ok to monitor source and destination (essentially the "envelope")
   without restriction by anyone anywhere who may come into contact with it.

2) There has never been a complaint sustained against a company for monitoring
   traffic on their wholly owned systems by their own employees.

3) In a court case all such communications may be subpoenaed.

4) If the DOJ warning of monitoring is properly displayed, few lawyers would
   even be willing to take it to court without lotsa cash up front.

5) Companies can be held responsible for the actions of their employees and
   therefore have an obligation to know what they are doing when they are
   acting as employees.

6) "Common Carriers" operate under different rules but the above is still
   generally true.

And finally, "Padgett's Law": Never ask a lawyer if you can do something. Tell
them what you are planning and ask *how* to do it.

Warmly,
Padgett

From firewalls-owner Wed Jan 4 07:55:11 1995
From: "Steve J. Sibert"
To: firewalls@GreatCircle.COM
Date: Wed, 4 Jan 1995 08:11:19 -0700
Subject: Email monitoring

> Anyone know how to monitor incoming and outgoing email messages?

I don't want to see what's *in* the message, only the addresses and length.

Thanks again...

Steve
--
===================================================================
= Steve J. Sibert              Decision-Science Applications, Inc. =
= Internet: sibert@dsai.com                         (719) 593-5974 =
===================================================================

From firewalls-owner Wed Jan 4 08:37:55 1995
From: Goetz von Escher
To: firewalls@greatcircle.com
Date: Wed, 4 Jan 95 16:09:16 +0100
Subject: Split DNS and Subdomain Delegation

Folks,

Assuming that we run a split dns with an EXTERNAL server on the firewall, an
internal PARENT server with a forwarder statement to the firewall and some
SUBDOMAIN servers that have the real information.

When we ask the internal PARENT server about a host in a subdomain the query
fails! Due to the forwarder statement the PARENT server will (after a look in
its own database & cache) ask the EXTERNAL server and promptly get the (wrong)
answer: "no such host in this domain". He will never ask the SUBDOMAIN
servers!

Conclusion: You cannot delegate domains in a split dns setup!
Now in a really decentralized company (where you cannot make the PARENT server
secondary of all the SUBDOMAIN servers) is there a possibility to achieve split
dns *and* subdomain delegation without hacking bind?

---
Goetz von Escher          email: Goetz.von-Escher@Open.CH
Open Systems AG           voice: +41 (61) 262-0505
Basel, Switzerland        FAX:   +41 (61) 262-0510

From firewalls-owner Wed Jan 4 09:40:11 1995
From: patrick@oes.amdahl.com (Patrick Horgan)
To: firewalls@GreatCircle.COM, pradit@kmitnb03.kmitnb.ac.th
Date: Wed, 4 Jan 1995 08:29:21 +0800
Subject: Re: where can I find RFCs ?

> From: Pradit Pitaksathienkul
> Subject: where can I find RFCs ?
> To: firewalls@GreatCircle.COM
> Sender: firewalls-owner@GreatCircle.COM
>
> Excuse me, where can I find RFCs? I need to know about RFC 821 to understand
> the SMTP protocol but I cannot find it.
> pradit.

If this isn't in the FAQ it should be:) The FAQs are available from a number
of ftp sites by anonymous ftp. I usually get them from the internic. You can
ftp to ds.internic.net, cd to rfc and they're all there...I'd get the index
while you're there.

I've automated this in a script that lets you say things like: rfc index, or
rfc 989. I've appended the script below.
You'll have to look at five variables near the top and set them appropriately.
The script keeps a local cache of the rfcs so everyone can share them:) It
doesn't by default cache the index, since it can change, but if it can't
acquire the index via ftp, it will use a cached version. It prints with the -p
argument. My next enhancement will be to let you give a list of rfcs instead
of just one. If someone else enhances it, send it back please;)

Patrick

~~~~~~~~ cut here for rfc ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#! /bin/sh
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# rfc [-p] <number> | index - lets you look at rfcs
#
# author - Patrick J. Horgan with thanks to many with the same idea.
#          patrick@amdahl.com
#
# Setup, just set the first six variables to what you want.
#
# Features - Caches everything you access for later access. Forces index
#            to be fetched each time, but if not available uses a cached
#            version of the index. With the -p argument it will print the
#            rfc instead.
#
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ftpuser=patrick@amdahl.com      # Your password for anonymous ftp
rfcdir=/home/patrick/docs/rfc   # Where the ftp'd docs should go
textviewer=vi                   # What you want to view text with
psviewer=gs                     # What you want to view postscript with
ftp=rftp                        # ftp program to use, I use socksified rftp
printer=lpr                     # The printing command you use.

# -p switches both viewers to the printer; anything else names the rfc.
for arg in "$@" ; do
    case $arg in
        -p)    textviewer=$printer ; psviewer=$printer ;;
        index) getit=rfc-index ;;
        *)     getit=rfc$arg ;;
    esac
done

# Nothing to fetch if neither a number nor "index" was given.
if [ -z "$getit" ] ; then
    echo "usage: rfc [-p] <number> | index" >&2
    exit 1
fi

if [ -f "$rfcdir/$getit.txt" -o -f "$rfcdir/$getit.ps" ] ; then
    echo Using cached copy.
else
    echo "No cached copy of $getit.txt available, acquiring it by anonymous ftp"
    # Feed the ftp session its user name, password and commands on stdin.
    $ftp >/dev/null 2>&1 ds.internic.net << EOF
anonymous
$ftpuser
cd rfc
get $getit.txt $rfcdir/$getit.txt
get $getit.ps $rfcdir/$getit.ps
bye
EOF
fi

if [ -f "$rfcdir/$getit.txt" ] ; then
    $textviewer "$rfcdir/$getit.txt"
elif [ -f "$rfcdir/$getit.ps" ] ; then
    $psviewer "$rfcdir/$getit.ps"
elif [ "$getit" = "rfc-index" -a -f "$rfcdir/rfc-index.txt.old" ] ; then
    echo "Failed getting the new index, using the old one..."
    $textviewer "$rfcdir/rfc-index.txt.old"
else
    echo "I can't find $rfcdir/$getit.txt or $rfcdir/$getit.ps"
fi

# The index is never treated as cached: rename it so the next run fetches a
# fresh copy, keeping this one as the fallback.
if [ -f "$rfcdir/rfc-index.txt" ] ; then
    mv "$rfcdir/rfc-index.txt" "$rfcdir/rfc-index.txt.old"
fi
~~~~~~~ end of rfc ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

These opinions are mine, and not Amdahl's (except by coincidence;).

~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~
/ |                       |                           | (\
\ | Patrick J. Horgan     | Amdahl Corporation        |  \\    Have
  | patrick@oes.amdahl.com| 1250 East Arques Avenue   |   \\ _ Sword
  | Phone : (408)992-2779 | P.O. Box 3470 M/S 316     |    \\/ Will
  | FAX   : (408)773-0833 | Sunnyvale, CA 94088-3470  |  _/\\  Travel
\ | O16-2294              |                           | \) /
~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~

From firewalls-owner Wed Jan 4 10:22:48 1995
From: "Letchford Ian"
Organization: Worcester College of Higher Educ.
To: firewalls@GreatCircle.COM
Date: Wed, 4 Jan 1995 17:35:02 GMT
Subject: Re: email monitoring

> From: "Steve J. Sibert"
> Date: Tue, 3 Jan 1995 17:52:20 -0700
> To: firewalls@GreatCircle.COM
> Subject: email monitoring

> Anyone know how to monitor incoming and outgoing email messages?
>
> Thanks in advance,
>
> Steve Sibert
>
> --
> ===================================================================
> = Steve J. Sibert              Decision-Science Applications, Inc. =
> = Internet: sibert@dsai.com                         (719) 593-5974 =
> ===================================================================
>

What about encryption? If you send email encrypted then your email can not be
read by "even" systems admin staff!! 8-)

Ian Letchford
Network Administration (Email & Unix)
Worcester College of Higher Education
Henwick Grove
St. Johns
Worcester
United Kingdom
+44 (0)1905 748080 Ext 211
email leti1@worc.ac.uk

From firewalls-owner Wed Jan 4 11:08:15 1995
From: "Alastair Young"
To: stewart@networx.com, firewalls@GreatCircle.COM
Date: Wed, 4 Jan 1995 09:33:44 -0800
Subject: Re: email monitoring

If you know the destination address you can add a line to your sendmail
configuration to route the mail somewhere else, eg if the address is
stats@badsoft.com

Rstats<@badsoft.com>    $#error $@ NOPERM $: "mail to stats@badsoft.com forbidden"

or

Rstats<@badsoft.com>    postmaster

there's probably an easy way to send it to /dev/null, but it escapes me at
the moment.

Al

On Jan 3, 8:48pm, Christopher A. Stewart wrote:
> Subject: email monitoring
> >>>>> "Steve" == Steve J Sibert writes:
>
>     Steve> Anyone know how to monitor incoming and outgoing email
>     Steve> messages? Thanks in advance,
>
>     Steve> Steve Sibert
>
> Unless you want to see contents also, a simple configuration of
> syslogd will log from whom to whom..
>
> I've got a similar problem though, I would like to filter outgoing
> email messages.. I've come across what I consider a rather heinous
> abuse of email by a commercial package, it sends "usage statistics"
> back to the manufacturer. We've also got one that sends license
> violations back to the manufacturer, this one isn't as heinous as it
> sends a copy of the message to a local responsible person, whereas the
> first does it silently..
>
> Basically I need a program that can replace the builtin IPC mailer and
> filter out certain addresses.. Anything out there like that?
>
>
> --
> ----------------------------------------------------------------------
> Christopher A. Stewart         | (Standard disclaimers are in effect)
> System/Network Administrator   |
> Legent Corp. Networx Div.      |
> Bellevue, Wa. 98004            |
> Voice (206)-688-2154           |
> Fax (206)-688-2050             |
>-- End of excerpt from Christopher A. Stewart

--
----------------------------------------------------------------------------
Alastair Young                                      _        This vehicle incapable
Cadence Design Systems, Information Services       )/___ _
555 River Oaks Parkway, 4B1                     __/(___)_*##/c  of evading low
San Jose CA 95134        Fax: (408)894-3487    /  /\\||  \ / \
alastair@cadence.com     (408)428-5278         \__/ ----'\__/   speed pursuit!
----------------------------------------------------------------------------
These statements and opinions are mine, not those of Cadence Design Systems

From firewalls-owner Wed Jan 4 11:10:13 1995
From: "Alastair Young"
To: "Steve J. Sibert", firewalls@GreatCircle.COM
Date: Wed, 4 Jan 1995 10:54:59 -0800
Subject: Re: Email monitoring

On Jan 4, 8:11am, Steve J. Sibert wrote:
> Subject: Email monitoring
>
> > Anyone know how to monitor incoming and outgoing email messages?
>
> I don't want to see what's *in* the message, only the addresses and length.
>
> Thanks again...
If using "sendmail" just uncomment the "mail.debug" line in your
/etc/syslog.conf file

mail.debug	/var/log/syslog

and do a kill -HUP on your syslogd daemon.

Al
--
Alastair Young, Cadence Design Systems, Information Services   alastair@cadence.com
These statements and opinions are mine, not those of Cadence Design Systems

From firewalls-owner Wed Jan 4 12:16:25 1995
From: IRONPLOW Lorraine
Subject: FW: PC Take-Over?
To: Firewalls Message-id: <2F0AD3EF@RISMTP01.RIS.OR.GOV> MIME-version: 1.0 Content-type: MULTIPART/MIXED; BOUNDARY="Boundary (ID aadPPHt8/gE/YMtECJWBxw)" Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk --Boundary (ID aadPPHt8/gE/YMtECJWBxw) Content-type: TEXT/PLAIN Is anyone aware of any actual break-in that was accomplished by "taking over" a PC (running DOS or Windows or Windows for Workgroups or NT) and then launching an attack from there? I don't mean dialling in to a modem on the PC, but an attack that could have been prevented by a better firewall. This would include tunnelling where the user is enticed into running a program acquired via the web, though I doubt that a firewall could prevent such an attack from succeeding. If PC take-overs are not an issue, would the following strategy be sufficient? No host (except mail & DNS) may use the Internet in either direction. Firewall consists solely of filtering routers and logging machine. We had been considering putting up a proxy gateway (CERN httpd) on a Linux box, but with the above strategy, we won't do that unless I can come up with a convincing reason to do so, because of the administrative cost and the risk of performance degradation. We have a WAN with about 1500 PCs, an IBM mainframe, half a dozen VMS, a dozen Unix, and about 50 NT hosts. PCs will use Mosaic or Netscape. Thanks for any feedback or ideas. 
Lorraine Ironplow Regional Information Systems cedpali@ris001.ris.or.gov --Boundary (ID aadPPHt8/gE/YMtECJWBxw)-- From firewalls-owner Wed Jan 4 12:31:14 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA18250 for firewalls-outgoing; Wed, 4 Jan 1995 11:33:01 -0800 Received: from icm1.icp.net (icm1.icp.net [192.94.207.66]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA18245 for ; Wed, 4 Jan 1995 11:32:55 -0800 Received: from echonyc.com ([198.67.15.2]) by icm1.icp.net (8.6.9/8.6.9) with ESMTP id OAA12768 for ; Wed, 4 Jan 1995 14:30:46 -0500 Received: by echonyc.com id OAA18120; Wed, 4 Jan 1995 14:29:31 -0500 From: mcbai@echonyc.com (Mario Bai) Message-Id: <199501041929.OAA18120@echonyc.com> Subject: sockd To: firewalls@greatcircle.com Date: Wed, 4 Jan 1995 14:29:28 -0500 (EST) X-Mailer: ELM [version 2.4 PL13] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 638 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk My sockd keeps returning an error message of "Wrong version (0x47) " whenever I try to connect with a client running the winsock supplied with Lan Workplace (actually the updated version downloaded from Novell). Anyone have any experience with this? Is this an error with the sockd? or an incompatibility with the winsock.dll? It works fine from a SparcStation with Netscape, but also, the Netscape client on the PC doesn't have an option to identify an address for a sock server,unlike the X11 version, which does. Any help with this would be appreciated, as this is inhibiting us from implementing the firewall. Mario G. 
Bai From firewalls-owner Wed Jan 4 12:40:47 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA17528 for firewalls-outgoing; Wed, 4 Jan 1995 10:19:25 -0800 Received: from mailgate.Cadence.COM (mailgate.Cadence.COM [158.140.2.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA17523 for ; Wed, 4 Jan 1995 10:19:21 -0800 Received: (from smap@localhost) by mailgate.Cadence.COM (8.6.8/8.6.8) id KAA05594; Wed, 4 Jan 1995 10:17:50 -0800 Received: from cds1004.cadence.com(158.140.32.39) by mailgate.cadence.com via smap (V1.0mjr) id sma005510; Wed Jan 4 10:17:24 1995 Received: (from alastair@localhost) by cds1004 (8.6.8/8.6.8) id KAA07761; Wed, 4 Jan 1995 10:17:16 -0800 From: "Alastair Young" Message-Id: <9501041017.ZM7759@cds1004> Date: Wed, 4 Jan 1995 10:17:15 -0800 In-Reply-To: RAS@cacdvax.cacd.rockwell.com "Re: email monitoring" (Jan 4, 8:45am) References: <950104084517.3f20cc51@cacdvax.cacd.rockwell.com> X-Mailer: Z-Mail (3.0.1 23feb94) To: RAS@cacdvax.cacd.rockwell.com Subject: Re: email monitoring Cc: firewalls@greatcircle.com Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Jan 4, 8:45am, RAS@cacdvax.cacd.rockwell.com wrote: > Subject: Re: email monitoring > > >Monitoring of email is legally questionable, particularly relative to the > >Electronic Communications Privacy Act. Listening in on email is roughly > >equivalent to telephone wiretap. As long as your users have a reasonable > >expectation of privacy, their email is protected in the same way that their > >telephone conversations are. If you tell them "we will read your email whenever > >we feel like it" then they no longer have a reasonable expectation of privacy, > >and as long as they let all the people who send them mail know that this is the > >case, you are legally in the clear. Your users will hate you though. 
>
> The security folks have been telling me that monitoring is ok, and the
> financial folks (who have stock holder interests in mind) agree. I've never
> been able to get a clear-cut answer from the legal folks, but they haven't
> strenuously objected to specific monitoring (as opposed to general monitoring).
> But I also feel that monitoring "is legally questionable, particularly
> relative to the Electronic Communications Privacy Act."

The first time this came up, the request came from some very senior people including the corporate legal counsel (no longer with us) who assured us that it was all legal. I had my wife dig the ECPA out of the library and I read it. It appeared to me that monitoring under the circumstances was not legal, so I said "I'm no lawyer but this reads illegal to me, please give me a signed written statement explaining how this monitoring does not contravene this law or I will not do it". I never heard from them again on the subject, and the monitoring did not occur.

I say that it is legally questionable when the lawyer *says* it's ok, but won't put it in writing. Without a written signed clearance from your corporate legal eagle, they have absolute deniability. You will be the one who goes to jail, not them.

As I said before: cover your rear!

Al

PS I also happen to think that people have a right to privacy unless clearly told otherwise. It is our job as system administrators to protect and uphold that right. This is an ethical as well as a legal issue. Email monitoring is Evil. IMHO. There are exceptions, like when investigating illegal activity, but even then you must be cautious as if you do things wrong, the evidence you turn up may be dismissed by a court of law as inadmissible due to the way it was obtained.
--
----------------------------------------------------------------------------
Alastair Young                               _            This vehicle incapable
Cadence Design Systems, Information Services  )/___ _
555 River Oaks Parkway, 4B1               __/(___)_*##/c   of evading low
San Jose CA 95134    Fax: (408)894-3487   / /\\|| \ / \
alastair@cadence.com (408)428-5278        \__/ ----'\__/   speed pursuit!
----------------------------------------------------------------------------
These statements and opinions are mine, not those of Cadence Design Systems

From firewalls-owner Wed Jan 4 13:19:12 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA18731 for firewalls-outgoing; Wed, 4 Jan 1995 12:19:38 -0800
Received: from mwunix.mitre.org (mwunix.mitre.org [128.29.154.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA18726 for ; Wed, 4 Jan 1995 12:19:35 -0800
Received: from smiley.mitre.org.sit (smiley.mitre.org [128.29.140.20]) by mwunix.mitre.org (8.6.4/8.6.4) with SMTP id PAA10524; Wed, 4 Jan 1995 15:16:41 -0500
Received: from [128.29.140.130] (mckenney-mac.mitre.org) by smiley.mitre.org.sit (4.1/SMI-4.1) id AA13985; Wed, 4 Jan 95 15:17:51 EST
Date: Wed, 4 Jan 95 15:17:51 EST
Message-Id: <9501042017.AA13985@smiley.mitre.org.sit>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Stuart@loddon.demon.co.uk
From: mckenney@smiley.mitre.org (Brian W. McKenney)
Subject: Re: TCP/IP + IPX firewall solutions ?
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>I've got a requirement to segment the LAN and to protect one half
>against the other. The LAN supports TCP/IP and IPX.
>
>Does anyone know if a single firewall offering can achieve this
>division or am I looking at a TCP/IP firewall to control TCP/IP traffic
>and perhaps a multi-protocol router to control the IPX traffic ? Is it
>possible to encapsulate IPX in TCP/IP packets and control these somehow ?
>
>Any ideas/suggestions (polite) welcome.
>

Yes it is possible to encapsulate IPX packets. This is also known as tunneling.

More information is needed to answer your question. Do you need guidance on how to protect an IPX segment from an IP segment with a firewall? COTS routers can certainly block all IPX traffic from entering the IP segment. The other missing piece of the question is whether some communication is needed between the two segments. If this is the case, then the COTS router will have to perform some protocol translation (e.g., IPX to IP). Select communications between authorized end systems on each segment also leads to the problem that people could change their machine source addresses, thereby bypassing local security policy.

-Brian

From firewalls-owner Wed Jan 4 14:06:01 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA19872 for firewalls-outgoing; Wed, 4 Jan 1995 13:24:24 -0800
Received: from javelin.hks.com (javelin.hks.com [192.101.199.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA19867 for ; Wed, 4 Jan 1995 13:24:22 -0800
Received: from ragnarok.hks.com by javelin.hks.com with smtp (Smail3.1.29.0 #2) id m0rPd9h-0008faC; Wed, 4 Jan 95 16:22 EST
Received: by ragnarok.hks.com (931110.SGI/930416.SGI) for @javelin.hks.com:firewalls@greatcircle.com id AA07925; Wed, 4 Jan 95 16:21:54 -0500
From: "Jim Littlefield"
Message-Id: <9501041621.ZM7923@ragnarok.hks.com>
Date: Wed, 4 Jan 1995 16:21:53 -0500
In-Reply-To: Goetz von Escher "Split DNS and Subdomain Delegation" (Jan 4, 4:09pm)
References: <199501041513.QAA09596@chelsea.open.ch>
X-Mailer: Z-Mail (3.2.0 16aug94)
To: Goetz von Escher , firewalls@greatcircle.com
Subject: Re: Split DNS and Subdomain Delegation
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Jan 4, 4:09pm, Goetz von Escher wrote:
: Folks,
:
: Assuming that we run a split dns with an EXTERNAL server on the firewall,
: an internal PARENT server with
: a forwarder statement to the firewall and
: some SUBDOMAIN servers that have the real information.
:
: When we ask the internal PARENT server about a host in a subdomain
: the query fails! Due to the forwarder statement the PARENT server will
: (after a look in its own database & cache) ask the EXTERNAL server and
: promptly get the (wrong) answer: "no such host in this domain". He will
: never ask the SUBDOMAIN servers!
:
: Conclusion: You cannot delegate domains in a split dns setup!

Why not list each of the subdomain servers on the forwards line? According to the named man pages on my SGI:

    The ``forwarders'' line specifies the addresses of sitewide servers that
    will accept recursive queries from other servers. If the boot file
    specifies one or more forwarders, then the server will send all queries
    for data not in the cache to the forwarders first. Each forwarder will be
    asked in turn until an answer is returned or the list is exhausted. If no
    answer is forthcoming from a forwarder, the server will continue as it
    would have without the forwarders line unless it is in ``slave'' mode.

So a line like the following should work:

    forwarders 192.1.1.1 192.2.2.2 192.3.3.3

--
Jim Littlefield

"I've got a bad feeling about this..."
                                        -- Han Solo

From firewalls-owner Wed Jan 4 14:08:23 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA20309 for firewalls-outgoing; Wed, 4 Jan 1995 13:46:38 -0800
Received: from telemann.inoc.dl.nec.com (telemann.inoc.dl.nec.com [143.101.112.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA20299 for ; Wed, 4 Jan 1995 13:46:32 -0800
Received: by telemann.inoc.dl.nec.com (8.6.9/YDL1.9.1-940729.15) id PAA06216(telemann.inoc.dl.nec.com); Wed, 4 Jan 1995 15:44:29 -0600
Received: by texas.syl.dl.nec.com (8.6.9/YDL1.9-930614.17) id PAA08573(texas.syl.dl.nec.com); Wed, 4 Jan 1995 15:44:29 -0600
Received: by warbucks.syl.dl.nec.com (8.6.9/YDL1.9.1-940729.15) id PAA26737(warbucks.syl.dl.nec.com); Wed, 4 Jan 1995 15:44:16 -0600
Date: Wed, 4 Jan 1995 15:44:16 -0600
From: ylee@syl.dl.nec.com (Ying-Da Lee)
Message-Id: <199501042144.PAA26737@warbucks.syl.dl.nec.com>
To: firewalls@greatcircle.com, mcbai@echonyc.com
Subject: Re: sockd
Cc: ylee@syl.dl.nec.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>My sockd keeps returning an error message of "Wrong version (0x47) "
>whenever I try to connect with a client running the winsock supplied with
>Lan Workplace (actually the updated version downloaded from Novell).

Is the client meant to work with sockd? I'd be very happy if it does, am just not aware of it.

>SparcStation with Netscape, but also, the Netscape client on the PC
>doesn't have an option to identify an address for a sock server,unlike
>the X11 version, which does.

For the PC version of Netscape, you must edit the file netscape.ini. In the [Services] section, uncomment the #SOCKS_Server=... line and supply your SOCKS server's domain name.

Ying-Da Lee                          (214)518-3490  (214)518-3552 (FAX)
Principal Member, Technical Staff
NEC Systems Laboratory, C&C Software Technology Center
ylee@syl.dl.nec.com
Speaking only for myself.
From firewalls-owner Wed Jan 4 15:18:34 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA20968 for firewalls-outgoing; Wed, 4 Jan 1995 14:19:41 -0800
Received: from gate3.fmr.com ([192.223.170.13]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA20954 for ; Wed, 4 Jan 1995 14:19:07 -0800
Received: (from adm@localhost) by gate3.fmr.com (8.6.9/8.6.9) id RAA24041 for ; Wed, 4 Jan 1995 17:17:17 -0500
Message-Id: <199501042217.RAA24041@gate3.fmr.com>
Received: from mail3.fmr.com(155.1.75.10) by a0140648 via smap (V1.3mjr) id sma024029; Wed Jan 4 22:16:49 1995
Date: Wed, 04 Jan 1995 10:52:05 -0500
From: Joe Judge
Subject: bsdi and secureID (access?)
To: firewalls@greatcircle.com
Content-transfer-encoding: 7BIT
Content-length: 195
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What are other BSDI gateway folks using to securely access their machines? (skey, secureID, homebrew stuff, etc?)

Or, has anyone gotten past the BSDI os versus secureID problems?

-- joe

From firewalls-owner Wed Jan 4 15:38:51 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA22359 for firewalls-outgoing; Wed, 4 Jan 1995 15:30:44 -0800
Received: from NYXGATE1.btco.com (btgate1.btco.com [198.81.205.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA22354 for ; Wed, 4 Jan 1995 15:30:40 -0800
Received: (from mailer@localhost) by NYXGATE1.btco.com (8.6.9/8.6.9) id SAA11472; Wed, 4 Jan 1995 18:28:49 -0500
Received: from lncsex0000.eu.btco.com(160.82.136.140) by NYXGATE1.btco.com via smap (V1.3mjr) id sma011452; Wed Jan 4 18:28:40 1995
Received: from brockley1 (ras_tsa1.eu.btco.com [160.82.136.17]) by LNCSEX0000.eu.btco.com (8.6.9/8.6.9) with SMTP id XAA13243; Wed, 4 Jan 1995 23:28:36 GMT
Date: Wed, 4 Jan 1995 23:28:10 -0800 (PST)
From: "Todd S.
Aven"
To: Goetz von Escher
cc: firewalls@GreatCircle.COM
Subject: Re: Split DNS and Subdomain Delegation
X-Sender: avento@lncsex0000.eu.btco.com
In-Reply-To: <199501041513.QAA09596@chelsea.open.ch>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Goetz,

> Assuming that we run a split dns with an EXTERNAL server on the firewall,
> an internal PARENT server with a forwarder statement to the firewall and
> some SUBDOMAIN servers that have the real information.

We do exactly what you have described above. Our internal parent servers are secondaries for the subdomain and the subdomain servers are secondaries for the parent. It works perfectly for us using bind 4.9.2 as the DNS servers. Of course, the internal PARENT server has real information for the parent zone and the SUBDOMAIN servers have real information for the sub zones.

> When we ask the internal PARENT server about a host in a subdomain
> the query fails! Due to the forwarder statement the PARENT server will
> (after a look in its own database & cache) ask the EXTERNAL server and
> promptly get the (wrong) answer: "no such host in this domain". He will
> never ask the SUBDOMAIN servers!
>
> Conclusion: You cannot delegate domains in a split dns setup!

Not a completely correct conclusion, since it is working for us as described above. However...

> Now in a really decentralized company (where you cannot make the
> PARENT server secondary of all the SUBDOMAIN servers) is there a
> possibility to achieve split dns *and* subdomain delegation without
> hacking bind?

I get the feeling that you've done more investigation than you've let on in your memo, because you allude to a difference in behavior according to whether the parent server is secondary for the subdomain(s). I would expect the behavior to be the same, provided you have properly delegated the subdomains in the parent zone.
I currently don't have the 'decentralized' environment you just described, but you've piqued my curiosity enough to try it on a test server which I have readily available. Can you verify that you have NS records in the parent zone delegating to the subdomain servers (i.e. 'dig @parent-server sub.domain ns')?

Regards,
Todd Aven
avents@btco.com

From firewalls-owner Wed Jan 4 16:02:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA21889 for firewalls-outgoing; Wed, 4 Jan 1995 15:04:22 -0800
Received: from minnesota.emc.cdc.com (ip129179-112-13.cdc.com [129.179.112.13]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA21875 for ; Wed, 4 Jan 1995 15:04:14 -0800
Received: from localhost.cdc.com by minnesota.emc.cdc.com (5.61/1.34) id AA22655; Wed, 4 Jan 95 17:01:39 -0600
Message-Id: <9501042301.AA22655@minnesota.emc.cdc.com>
Default-Recipient-Options: report nonreceipt, no reply, return content
To: Goetz von Escher
Cc: firewalls@greatcircle.com
Subject: Re: Split DNS and Subdomain Delegation
In-Reply-To: Your message of Wed, 04 Jan 95 16:09:16 +0100. <199501041513.QAA09596@chelsea.open.ch>
Sensitivity: personal
Importance: normal
Priority: non-urgent
Delivery-Options: allow alternate recipients, return content, allow conversion, mask P1 recipients
X-Mailer: xemh [version 2.11]
Organization: Control Data Systems, Inc.
Reply-To: wvg@minnesota.emc.cdc.com (Bill Gaupp)
Date: Wed, 04 Jan 95 17:01:38 -0600
From: Bill Gaupp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Folks,
>
> Assuming that we run a split dns with an EXTERNAL server on the firewall,
> an internal PARENT server with a forwarder statement to the firewall and
> some SUBDOMAIN servers that have the real information.
>
> When we ask the internal PARENT server about a host in a subdomain
> the query fails!
> Due to the forwarder statement the PARENT server will
> (after a look in its own database & cache) ask the EXTERNAL server and
> promptly get the (wrong) answer: "no such host in this domain". He will
> never ask the SUBDOMAIN servers!
>
> Conclusion: You cannot delegate domains in a split dns setup!
>
> Now in a really decentralized company (where you cannot make the
> PARENT server secondary of all the SUBDOMAIN servers) is there a
> possibility to achieve split dns *and* subdomain delegation without
> hacking bind?
>
> ---
> Goetz von Escher        email: Goetz.von-Escher@Open.CH
> Open Systems AG         voice: +41 (61) 262-0505
> Basel, Switzerland      FAX:   +41 (61) 262-0510

Sure you can. We're doing exactly this.

In your main "foo.com" map on your internal "parent" server just list NS records for all the subdomain servers. Also make sure you include IP addresses of the subdomain servers so the parent knows how to contact the subdomain servers.

    $ORIGIN foo.com.
    ; delegation of each subdomain to its own server ...
    alpha       IN  NS  ns1.alpha
    beta        IN  NS  ns2.beta
    ; ... plus glue A records so the parent can reach those servers
    ns1.alpha   IN  A   192.0.0.1
    ns2.beta    IN  A   193.0.0.1

Also force all your subdomain servers to secondary this foo.com map from the parent server so they can be aware of the other subdomain servers.

Note this foo.com map is completely different from the foo.com map on your firewall host. Both your firewall host and your parent host believe they are the master for foo.com -- and really they are. It's just a matter of funneling requests for *.foo.com to the right server. Other requests (for stuff not in foo.com) should be forwarded out to the internet as usual. (And hopefully cached by your parent!)

Thanks,

Bill Gaupp                          internet: William.Gaupp@cdc.com (NIC-handle BG146)
Enterprise Management Center        X.400:    /pn=William.V.Gaupp/ou=zeus/o=/
Control Data Systems, Inc.
                                              /prmd=cdc/admd=attmail/c=us/
4201 Lexington Avenue North         AT&T:     (612) 482-4127
Arden Hills, MN 55126-6198          pager:    (612) 530-1237

From firewalls-owner Wed Jan 4 17:06:45 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA23303 for firewalls-outgoing; Wed, 4 Jan 1995 16:36:20 -0800
Received: from gatekeep.genmagic.com (gatekeep.genmagic.com [192.216.16.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA23298 for ; Wed, 4 Jan 1995 16:36:17 -0800
Received: from (genmagic.genmagic.com [10.1.4.12]) by gatekeep.genmagic.com (8.6.9/8.6.9) with SMTP id QAA23451; Wed, 4 Jan 1995 16:28:11 -0800
Received: from abulafia.genmagic.com by genmagic.genmagic.com (4.1/SMI-4.1/JBS) id AA04992; Wed, 4 Jan 95 16:27:08 PST
Received: by abulafia.genmagic.com (931110.SGI/930416.SGI) for @genmagic.genmagic.com:firewalls@GreatCircle.COM id AA17406; Wed, 4 Jan 95 16:27:35 -0800
Date: Wed, 4 Jan 95 16:27:35 -0800
From: jet@abulafia.genmagic.com (J. Eric Townsend)
Message-Id: <9501050027.AA17406@abulafia.genmagic.com>
To: ylee@syl.dl.nec.com (Ying-Da Lee)
Cc: firewalls@GreatCircle.COM, mcbai@echonyc.com
Subject: Re: sockd
In-Reply-To: <199501042144.PAA26737@warbucks.syl.dl.nec.com>
References: <199501042144.PAA26737@warbucks.syl.dl.nec.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

"ylee" == Ying-Da Lee writes:

ylee> Is the client meant to work with sockd? I'd be very happy if it
ylee> does, am just not aware of it.

I think you're talking about the 'netscape' client.... Sort of, but some of the nifty 4.1 features aren't supported. They wrote their own version of the libsocks.a because of some screwy multithreading problem. Our users here have to go in and remove the sockd config stuff to use our internal name server as a result of their not supporting the 'current' sockd features.
Netscape also fails to support multihomed servers, their unix client complains about a config file with multiple sockd@ entries like:

    sockd@gate1 x.x.x.x y.y.y.y
    sockd@gate2 x.x.x.x y.y.y.y

From firewalls-owner Wed Jan 4 17:41:27 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA23746 for firewalls-outgoing; Wed, 4 Jan 1995 17:18:33 -0800
Received: from exchange.acc.org (exchange.acc.org [199.74.213.82]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA23741 for ; Wed, 4 Jan 1995 17:18:30 -0800
From: twalker@acc.org
Received: from ccMail by exchange.acc.org (IMA Internet Exchange v1.04) id f0b49880; Wed, 4 Jan 95 20:21:12 -0500
Mime-Version: 1.0
Date: Wed, 4 Jan 1995 20:20:58 -0500
Message-ID:
Subject: Re[2]: Split DNS and Subdomain Delegation
To: firewalls@greatcircle.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am looking at the fwtk and tcpwrapper programs. They both basically do the same thing. Questions.

1. the tcpwrapper faq states that it confirms the name & ip address of the client making the request via dns lookup. Does the fwtk do the same?

2. Anyone have opinions or suggestions and/or comparisons between the two.

Thanks,
Tom.
-----------------------------------------------------------------
Tom Walker, Network Manager
American College of Cardiology
MHS:twalker@acc   Internet:twalker@acc.org

From firewalls-owner Wed Jan 4 18:06:52 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA24198 for firewalls-outgoing; Wed, 4 Jan 1995 17:58:33 -0800
Received: from jbxs1 (johnb@jbxs1.jbx.com [204.97.14.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA24192 for ; Wed, 4 Jan 1995 17:58:29 -0800
Received: by jbxs1 (5.0/SMI-SVR4) id AA08686; Wed, 4 Jan 1995 21:00:46 +0500
From: johnb@jbxs1.jbx.com (John Boudreaux)
Message-Id: <9501050200.AA08686@jbxs1>
Subject: Re: email monitoring
To: firewalls@greatcircle.com
Date: Wed, 4 Jan 1995 21:00:45 -0500 (EST)
In-Reply-To: <199501040132.UAA07425@bwh.harvard.edu> from "Adam Shostack" at Jan 3, 95 08:32:43 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 468
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> | Anyone know how to monitor incoming and outgoing email messages?
>
> You might start by having your legal department take a hard
> look at the Electronic Communications Privacy Act of 1986.
>
> Adam
>

Yes, which does not apply to a corporate machine with a policy, or to systems that do not have facilities for private email. Hence anyone who says "I don't have private email". And no, they don't have to warn you...
Scary, ain't it :>

John Boudreaux
johnb@jbx.com

From firewalls-owner Wed Jan 4 18:36:37 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA24649 for firewalls-outgoing; Wed, 4 Jan 1995 18:34:49 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA24644 for ; Wed, 4 Jan 1995 18:34:45 -0800
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA09647; Wed, 4 Jan 95 21:27:35 -0500
Date: Wed, 4 Jan 95 21:27:34 -0500
Message-Id: <9501050227.AA09647@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "cedpali@ris001.ris.or.gov"@UVS1.dnet.mmc.com
Cc: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Po' widdle PCs
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Is anyone aware of any actual break-in that was accomplished by "taking
>over" a PC (running DOS or Windows or Windows for Workgroups or NT) and then
>launching an attack from there? I don't mean dialling in to a modem on the
>PC, but an attack that could have been prevented by a better firewall.

Yes, the "dutch hacker" incident in which tracer.army.mil was taken over. Remember the "Dan Quayle" account? Tracer was a PC running what looked like XENIX. I have a copy of the video made of the incident. The A-6s then used files found on tracer to springboard onto other systems AFAIR.
Warmly,
Padgett

From firewalls-owner Wed Jan 4 19:06:21 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA24796 for firewalls-outgoing; Wed, 4 Jan 1995 18:44:49 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA24791 for ; Wed, 4 Jan 1995 18:44:43 -0800
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA09713; Wed, 4 Jan 95 21:34:25 -0500
Date: Wed, 4 Jan 95 21:34:25 -0500
Message-Id: <9501050234.AA09713@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Counterpoint
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Without a written signed clearance from your corporate legal eagle, they have
>absolute deniability. You will be the one who goes to jail, not them.

But then I keep reading about incidents where sysops have been arrested for things that they claimed they did not know were there and must have been uploaded by someone else. I am also seeing cases in which employers are being cited for actions of employees that the employer did not know were happening and in fact had written policy against.

Fact is that you may be able to get into as much or more trouble for doing nothing as you would if you do something.

My opinion is:

1) State a position publicly
2) Enforce it

Just make sure your boss knows what you are doing (the old military method works well: "Unless I receive instructions to the contrary..."). If you don't like that then "Lead, follow, or get the h*ll out of the way."
Warmly,
Padgett

From firewalls-owner Wed Jan 4 20:36:43 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA25509 for firewalls-outgoing; Wed, 4 Jan 1995 20:29:37 -0800
Received: from seraph.uunet.ca (uunet.ca [142.77.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id UAA25504 for ; Wed, 4 Jan 1995 20:29:34 -0800
Received: from lci by mail.uunet.ca with UUCP id <124142-1>; Wed, 4 Jan 1995 23:28:55 -0500
Received: by lci (MKS Internet Anywhere); Wed, 04 Jan 95 23:42:06 UTC
From: lci!cklung (C.K. Lung)
To: Stuart@loddon.demon.co.uk, mckenney@smiley.mitre.org (Brian W. McKenney)
Cc: firewalls@GreatCircle.COM
Subject: Re: TCP/IP + IPX firewall solutions ?
Date: Wed, 4 Jan 1995 23:01:02 -0500
X-MAILER: MKS Internet Anywhere - Compose 1.1b
X-MKSIA-SN: 3990260790
Message-Id: <789262926@lci>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Brian W. McKenney wrote:
> >Does anyone know if a single firewall offering can achieve this
> >division or am I looking at a TCP/IP firewall to control TCP/IP traffic
> >and perhaps a multi-protocol router to control the IPX traffic ? Is it
> >possible to encapsulate IPX in TCP/IP packets and control these somehow ?
>
> Do you need guidance on how to protect an IPX segment from an IP segment
> with a firewall? COTS routers can certainly block all IPX traffic from
> entering the IP segment. The other missing piece of the question is
> whether some communication is needed between the two segments. If this is
> the case, then the COTS router will have to perform some protocol
> translation (e.g., IPX to IP). Select communications between authorized
> end systems on each segment also leads to the problem that people could
> change their machine source addresses, thereby bypassing local security
> policy.
>
>
> -Brian

Someone recommended that the Firefox Nov*ix can do the job.
From firewalls-owner Wed Jan 4 21:01:26 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA25516 for firewalls-outgoing; Wed, 4 Jan 1995 20:29:43 -0800
Received: from seraph.uunet.ca (uunet.ca [142.77.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id UAA25511 for ; Wed, 4 Jan 1995 20:29:39 -0800
Received: from lci by mail.uunet.ca with UUCP id <100924-2>; Wed, 4 Jan 1995 23:28:58 -0500
Received: by lci (MKS Internet Anywhere); Thu, 05 Jan 95 00:10:47 UTC
From: lci!cklung (C.K. Lung)
To: firewalls@greatcircle.com
Subject: Nov*ix for NetWare
Date: Thu, 5 Jan 1995 00:01:47 -0500
X-MAILER: MKS Internet Anywhere - Compose 1.1b
X-MKSIA-SN: 3990260790
Message-Id: <789264647@lci>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm seeking comments on Nov*ix for Netware's firewall/security feature? Any ideas are appreciated.

Thank you in advance.

From firewalls-owner Thu Jan 5 00:07:36 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA26623 for firewalls-outgoing; Wed, 4 Jan 1995 23:45:31 -0800
Received: from nda.nda.com (nda.nda.COM [204.57.51.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id XAA26618 for ; Wed, 4 Jan 1995 23:45:28 -0800
Received: (kovar@localhost) by nda.nda.com (8.6.9/8.6.4) id CAA19123 for firewalls@greatcircle.com; Thu, 5 Jan 1995 02:43:57 -0500
From: David Kovar
Message-Id: <199501050743.CAA19123@nda.nda.com>
Subject: Brief review of Firewall-1 - installation, support, failure modes
To: firewalls@greatcircle.com
Date: Thu, 5 Jan 1995 02:43:56 -0500 (EST)
X-Mailer: ELM [version 2.4 PL20]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2555
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I reported some problems we've encountered with Checkpoint's Firewall-1 to this list last week.
Here is a brief follow up on the situation, the problems we encountered, the solution, and some issues you might want to keep in mind.

We had two major problems:

* The machine running FW-1 would hang completely several times a week. We had to power cycle the machine to clear the problem.

* When the machine was rebooted, the FW-1 startup script would report that the filters were installed and the GUI would show that the machine was protected. However, tests showed that the entire network was wide open and no filtering was taking place.

After talking with the reseller and Checkpoint several times, we convinced them that the problem did indeed exist and that it had to be solved soon. We allowed Checkpoint to log into the firewall and then exchanged a few messages. The filtering problem was fixed by making sure that the hosts file agreed exactly with the objects defined in the FW-1 configuration. With this change in place, the correct filter was installed each time the machine rebooted. We've not seen a hang since then, but it's only been a day or so.

Once installed correctly, FW-1 seems to be a viable firewall product. Some points that you should keep in mind:

* Before you buy it, ask the reseller if they will come help you install it. The marketing materials, and the poor documentation leave you with a false sense of security. You can install it wrong, with fatal results.

* Your first line of support is your reseller. The startup screen tells you to contact Checkpoint for support, but they will tell you to call your reseller. So, make sure you're happy with your reseller if you are concerned about support issues.

* The documentation is very sparse.

By far the most disturbing issue is:

* There is at least one failure mode that will result in your network being left wide open despite indications to the contrary. This is easy to fix, but it leaves you wondering what other failure modes exist.
The lack of adequate documentation and source code makes this an even larger concern.

On the up side, the GUI makes managing it very simple, the filter language appears to be very powerful, it is handling the load well, and the logging functionality is good. Checkpoint just needs to work on ways to improve customers' faith in its reliability. No security product should ever fail in any manner other than "safe".

We'll see how it holds up over the long haul.

-David

From firewalls-owner Thu Jan 5 01:36:24 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA27542 for firewalls-outgoing; Thu, 5 Jan 1995 01:16:03 -0800
Received: from gatekeeper.open.ch (gatekeeper.open.ch [192.94.233.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id BAA27537 for ; Thu, 5 Jan 1995 01:15:58 -0800
Received: by gatekeeper.open.ch; id KAA15456; Thu, 5 Jan 1995 10:09:48 +0100
Received: from chelsea.open.ch(193.72.201.42) by gatekeeper.open.ch via smap (V1.3) id sma015454; Thu Jan 5 10:09:35 1995
Received: from soda.open.ch (soda.open.ch [193.72.201.12]) by chelsea.open.ch (8.6.9/8.6.9) with SMTP id KAA12641; Thu, 5 Jan 1995 10:10:11 +0100
Message-Id: <199501050910.KAA12641@chelsea.open.ch>
Received: by soda.open.ch (NX5.67d/NX3.0X) id AA05175; Thu, 5 Jan 95 10:06:59 +0100
Received: by NeXT.Mailer (1.112.1.RR)
Content-Type: text/plain
Mime-Version: 1.0 (NeXT Mail 3.3 v112.1)
From: Goetz von Escher
Date: Thu, 5 Jan 95 10:06:57 +0100
To: wvg@minnesota.emc.cdc.com (Bill Gaupp)
Subject: Re: Split DNS and Subdomain Delegation
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I wrote:
> Now in a really decentralized company (where you cannot make the
> PARENT server secondary of all the SUBDOMAIN servers) is there a
> possibility to achieve split dns *and* subdomain delegation without
> hacking bind?
> [snip]
> Conclusion: You cannot delegate domains in a split dns setup!
As several people have mentioned it is possible *if* (only if?) the parent server is a secondary server for all internal subdomains. I have to rephrase my conclusion a little bit:

You cannot delegate domains in a split dns setup without having a server that knows every single host/IP address in that domain.

Bill Gaupp wrote:
> Sure you can. We're doing exactly this.
>
> In your main "foo.com" map on your internal "parent" server just list
> NS records for all the subdomain servers. Also make sure you include
> IP addresses of the subdomain servers so the parent knows how to contact
> the subdomain servers.

If I correctly understand the functionality of the forwarder statement the parent server looks at the following places for a host from a delegated subdomain (in that order):

1. in the cache
2. in its database (Bingo! if he is secondary)
3. queries all forwarder nameservers (firewall will return: no such host)
4. does a regular query (this will *never* happen!)

Now it won't help if the parent server knows about other servers, since he will never do a regular query.

I actually tried what you propose with SunOS 4.1.3 named and it didn't work. Could you tell me please what version of bind you're using on the internal "parent" server? Maybe your nameserver behaves differently from what I observed?
Thanks --- Goetz von Escher email: Goetz.von-Escher@Open.CH Open Systems AG voice: +41 (61) 262-0505 Basel, Switzerland FAX: +41 (61) 262-0510 From firewalls-owner Thu Jan 5 05:36:40 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA28787 for firewalls-outgoing; Thu, 5 Jan 1995 05:09:09 -0800 Received: from wintermute.imsi.com (wintermute.imsi.com [192.103.3.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id FAA28782 for ; Thu, 5 Jan 1995 05:09:07 -0800 Received: from relay.imsi.com by wintermute.imsi.com id IAA13477; Thu, 5 Jan 1995 08:07:21 -0500 Received: from lorax.imsi.com by relay.imsi.com id IAA17196; Thu, 5 Jan 1995 08:07:20 -0500 Received: from localhost by lorax.imsi.com (4.1/SMI-4.1) id AA07590; Thu, 5 Jan 95 08:07:19 EST Message-Id: <9501051307.AA07590@lorax.imsi.com> To: jet@abulafia.genmagic.com (J. Eric Townsend) Cc: ylee@syl.dl.nec.com (Ying-Da Lee), firewalls@greatcircle.com, mcbai@echonyc.com Subject: Re: sockd In-Reply-To: Your message of "Wed, 04 Jan 1995 16:27:35 PST." <9501050027.AA17406@abulafia.genmagic.com> Reply-To: rens@imsi.com Date: Thu, 05 Jan 1995 08:07:19 -0500 From: Rens Troost Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>>>> "J" == J Eric Townsend writes: J> Netscape also fails to support multihomed servers, their unix J> client complains about a config file with multiple sockd@ entries J> like: Yeah, netscape's socks support is not that great. I run the socksified proxy CERN daemon internally, and the netscape users hit that to get out. Best of both worlds. 
-Rens From firewalls-owner Thu Jan 5 06:44:43 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA29356 for firewalls-outgoing; Thu, 5 Jan 1995 06:11:54 -0800 Received: from disaster.vbh.com (root@eniac136.disaster.vbh.com [199.99.205.136]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA29351 for ; Thu, 5 Jan 1995 06:11:50 -0800 Message-Id: Date: Thu, 5 Jan 95 09:11 EST X-Sender: ferioli@eniac.disaster.vbh.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: FIREWALLS@greatcircle.com From: ferioli@disaster.com (Michael Ferioli - D&D Consulting) Subject: Finger-back service? X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anyone know if there is a way to have your firewall do a finger on the user who is attempting to connect to your service? As I see it, the only problem would be determining the user name of the callee since that doesn't appear to be sent to the host. Any ideas on how to program this? Perhaps just a simple fingering of the site and logging that to a file would be sufficient. That way if the firewall was attacked, you could contact the sysadmin of the calling host and forward on a list of users that were logged in (and non-idle) and the time of the attack. Ideas? ------------------------------------------------------------------------------ Michael D. 
Ferioli                        Design & Disaster Recovery Consulting
Special Projects Consultant    Suite 300
ferioli@disaster.com           9 Elm Street
                               Albany, NY 12202
                               info@disaster.com

From firewalls-owner Thu Jan 5 07:06:54 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA29582 for firewalls-outgoing; Thu, 5 Jan 1995 06:40:47 -0800
Received: from wc11.wl.aecl.ca (wc11.wl.aecl.ca [132.225.64.31]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA29574 for ; Thu, 5 Jan 1995 06:40:44 -0800
Received: from wu1.wl.aecl.ca by wl.aecl.ca (PMDF V4.2-14 #3601) id <01HLHBY2608W934VIZ@wl.aecl.ca>; Thu, 5 Jan 1995 08:36:25 CDT
Received: by wu1.wl.aecl.ca (5.65/1.1.3.6 (2-Jun-93)) id AA10794; Thu, 5 Jan 1995 08:35:54 -0600
Date: Thu, 05 Jan 1995 08:35:53 -0600 (CST)
From: system PRIVILEGED account
Subject: Re: spoofing TCP/SYN packets?
In-reply-to: <9412131027.ZM14979@ppt.com>
To: david r coelho
Cc: firewalls@greatcircle.com
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 13 Dec 1994, david r coelho wrote:
> My first line of defense for our network uses a router to filter
> out all new TCP sessions (e.g. with SYN). We let in all established
> sessions, and then do additional filtering with a firewall. The
> idea is that the router lets anything go out, but only lets
> established sessions come in.
>
> My question is, is there a vulnerability whereby the established
> incoming TCP packet could be used to open a new TCP session
> (say login, telnet, etc) or is the unix (SunOS in my case) kernel
> tight enough to reject these packets.
>
It would seem to me that if one host C were to snoop an active telnet session say, between hosts A and B, grab a string of frames, spray the receiving host B momentarily, then repeatedly spray host A (or knock down host A by some other means) while resending the copied string of frames and adding to them whatever one would like while also keeping the packet signatures the same -- that whoever is behind host C could become the new active session in place of A.

If the preceding BS is true, then what can any kind of firewall SW/HW do to detect such an intrusion, short of encryption strategies?

Will FWTK detect such an intrusion?

> --
> david r. coelho email: drc@ppt.COM
> personal productivity tools, inc
> 43000 christy street voice: (510) 440-3050
> fremont, ca 94538-3198 usa fax: (510) 770-0728
>

From firewalls-owner Thu Jan 5 07:41:22 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA29672 for firewalls-outgoing; Thu, 5 Jan 1995 06:49:47 -0800
Received: from relay.tis.com (firewall_user@relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA29667 for ; Thu, 5 Jan 1995 06:49:44 -0800
Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma008047; Thu Jan 5 09:48:29 1995
Received: from otter.tis.com. by tis.com (4.1/SUN-5.64) id AA02273; Thu, 5 Jan 95 09:45:32 EST
From: Marcus J Ranum
Message-Id: <9501051445.AA02273@tis.com>
Subject: Re: Re[2]: Split DNS and Subdomain Delegation
To: twalker@acc.org
Date: Thu, 5 Jan 1995 09:51:39 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "twalker@acc.org" at Jan 4, 95 08:20:58 pm
Organization: Trusted Information Systems, Inc. Glenwood, MD
Phone: 301-854-6889
Content-Type: text
Content-Length: 1165
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

twalker@acc.org writes:
>
> I am looking at the fwtk and tcpwrapper programs. They both basically
> do the same thing.

No, they don't. Not at all.
There is some functionality overlap between the two packages, but the toolkit is designed for building fairly conservative internet firewalls, and tcp_wrappers is designed for host security and as a general-purpose access control and logging tool (Wietse, correct me if I'm wrong!)

> 1. the tcpwrapper faq states that it confirms the name & ip address of
> the client making the request) via dns lookup. Does the fwtk do the
> same?

Yes, but the recommendation in the toolkit docs is to ignore DNS names completely anyhow, and to rely only on addresses wherever possible. I suspect that most of the folks using tcp_wrapper do the same.

> 2. Anyone have opinions or suggestions and/or comparisons between the
> two.

They're apples and oranges -- the best suggestion I can make is that you read the documentation of both of the packages again. There's a lot of higher-level design issue type stuff in the toolkit overview that should clarify matters a bit.

mjr.

From firewalls-owner Thu Jan 5 07:44:44 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA00196 for firewalls-outgoing; Thu, 5 Jan 1995 07:15:05 -0800
Received: from sun4nl.NL.net (sun4nl.NL.net [193.78.240.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA00185 for ; Thu, 5 Jan 1995 07:14:53 -0800
Received: from mod.nl by sun4nl.NL.net with SMTP id AA13720 (5.65b/CWI-3.3); Thu, 5 Jan 1995 16:13:18 +0100
Received: from localhost by mod.nl (8.6.5/mail.byaddr) id QAA00742; Thu, 5 Jan 1995 16:13:26 +0100
From: laichun@nlmodnet1.mod.nl (C.W. Lai)
Message-Id: <199501051513.QAA00742@mod.nl>
Subject: Internet-server & firewall
To: FIREWALLS@greatcircle.com
Date: Thu, 5 Jan 95 16:13:26 MET
Cc: laichun@NL.net (C.W. Lai)
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi, I have a question. If I make my Internet-server to be a firewall, can I still work with Gopher or FTP from my workstation?
I was thinking that the remote FTP-site can't send files to me, because of the firewall. Does anyone know an answer? Greetings, C.W. Lai From firewalls-owner Thu Jan 5 08:06:56 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA29995 for firewalls-outgoing; Thu, 5 Jan 1995 07:09:48 -0800 Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA29987; Thu, 5 Jan 1995 07:09:38 -0800 Received: from smtpgate.gannett.com by relay1.UU.NET with SMTP id QQxxjo08442; Thu, 5 Jan 1995 10:08:05 -0500 Received: by smtpgate.gannett.com with Microsoft Mail id <2F0C353F@smtpgate.gannett.com>; Thu, 05 Jan 95 10:06:55 PST From: "Robertson, Paul" To: firewalls@greatcircle.com, firewalls-owner@GreatCircle.COM, "Wright, Robert" Subject: Tn3270 session Date: Thu, 05 Jan 95 10:00:00 PST Message-ID: <2F0C353F@smtpgate.gannett.com> Encoding: 48 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have noticed that some tn3270 implementations do the up-front stuff in ASCII, and then switch to EBCDIC, and most just go EBCDIC right after initial negotiation. The x3270 that comes with linux lets you specify an A: in front of the destination address to enable ASCII negotiation. IBM's TCP/IP is EBCDIC centric, whilst Interlink's is ASCII centric. My guess is that any telnet proxy agents would have to be specifically written to handle both cases. Paul. "My opinions are my own." 
proberts@moc1.gannett.com (work)
proberts@clark.net (home)

------------------------------------------------------------------------------
REPLY FROM: Robertson, Paul

Return-Path:
Received: from relay2.UU.NET by smtpgate.gannett.com id <2F089AD5@smtpgate.gannett.com>; Mon, 02 Jan 95 16:31:17 PST
Received: from miles.greatcircle.com by relay2.UU.NET with ESMTP id QQxwzl09821; Mon, 2 Jan 1995 16:27:45 -0500
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA11857 for firewalls-outgoing; Mon, 2 Jan 1995 13:02:01 -0800
Received: from master.lds-az.loral.com (master.lds-az.loral.com [158.185.20.193]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA11848 for ; Mon, 2 Jan 1995 13:01:54 -0800
Received: by master.lds-az.loral.com (5.65a/LDS-AZ-3.12) id AA08864; Mon, 2 Jan 95 13:54:14 -0700
Date: Mon, 2 Jan 95 13:54:14 -0700
From: goodic@master.lds-az.loral.com ( Charles Gooding )
Message-Id: <9501022054.AA08864@master.lds-az.loral.com>
To: firewalls@greatcircle.com
Subject: Tn3270 session
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anyone tried to run a MAC 3270 telnet session through the FWTK telnet proxy?? There are some comments in the source code that imply that it may work. The problem that I have is that the MAC is left in "DEC" mode instead of IBM3270. If I telnet directly to the IBM site it works ok. I would be grateful for any help on this subject.
Thanks in advance
Chuck Gooding
goodic@master.lds-az.loral.com

From firewalls-owner Thu Jan 5 08:19:56 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA00244 for firewalls-outgoing; Thu, 5 Jan 1995 07:18:24 -0800
Received: from issi.com (root@issi.com [192.246.29.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA00237 for ; Thu, 5 Jan 1995 07:18:06 -0800
Received: from xyzzy.issi.com (xyzzy-bb.issi.com) by issi.com (4.1/3.1.012693-ISSI); id AA03353 for FIREWALLS@greatcircle.com; Thu, 5 Jan 95 09:17:41 CST
Received: by xyzzy.issi.com (4.1/server.1.1) id AA12435; Thu, 5 Jan 95 09:17:37 CST
Date: Thu, 5 Jan 95 09:17:37 CST
From: rg@issi.com (Ron Gilmer)
Message-Id: <9501051517.AA12435@xyzzy.issi.com>
To: FIREWALLS@greatcircle.com, ferioli@disaster.com
Subject: Re: Finger-back service?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From postmaster Thu Jan 5 08:59:26 1995
> Date: Thu, 5 Jan 95 09:11 EST
> X-Sender: ferioli@eniac.disaster.vbh.com
> Mime-Version: 1.0
> Content-Type: text/plain; charset="us-ascii"
> To: FIREWALLS@greatcircle.com
> From: ferioli@disaster.com (Michael Ferioli - D&D Consulting)
> Subject: Finger-back service?
> X-Mailer:
> Sender: firewalls-owner@greatcircle.com
> Content-Length: 951
>
> Does anyone know if there is a way to have your firewall do a finger on the
> user who is attempting to connect to your service?

Try Wietse's tcp_wrapper program. This (along with pidentd or authd) will do what you want. However few systems utilize the IDENT protocol and of those that do you can't be sure that the user name returned is for real ;<(. You can also execute other commands before/instead of the desired service, i.e. finger, mail, logging, ......

The following is a blurb from the tcp_wrapper README file:

"With this package you can monitor incoming connections to the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network services.
The package provides tiny daemon wrapper programs that can be installed without any changes to existing software or to existing configuration files. The wrappers report the name of the remote host and of the requested service; the wrappers do not exchange information with the remote client process, and impose no overhead on the actual communication between the client and server applications.

Optional features are: access control to restrict what systems can connect to your network daemons; remote user name lookups with the RFC 931 protocol; additional protection against hosts that pretend to have someone else's host name; additional protection against hosts that pretend to have someone else's host address."

> As I see it, the only
> problem would be determining the user name of the callee since that doesn't
> appear to be sent to the host. Any ideas on how to program this? Perhaps
> just a simple fingering of the site and logging that to a file would be
> sufficient. That way if the firewall was attacked, you could contact the
> sysadmin of the calling host and forward on a list of users that were logged
> in (and non-idle) and the time of the attack.
>
> Ideas?
>
>
> ------------------------------------------------------------------------------
> Michael D.
Ferioli Design & Disaster Recovery Consulting > Special Projects Consultant Suite 300 > ferioli@disaster.com 9 Elm Street > Albany, NY 12202 > info@disaster.com > Good Luck, -rg- From firewalls-owner Thu Jan 5 08:31:06 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA29859 for firewalls-outgoing; Thu, 5 Jan 1995 07:03:43 -0800 Received: from world (sdt.com [199.100.49.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA29852 for ; Thu, 5 Jan 1995 07:03:38 -0800 Received: by world (5.0) id AA14776; Thu, 5 Jan 1995 08:57:34 +0600 Received: from aadt.sdt.com(144.9.149.25) by world via smap (V1.3) id sma014769; Thu Jan 5 08:57:05 1995 Received: from shadow.sdt.com by sdt.com (4.1/SUN-2.0hub) id AA17194; Thu, 5 Jan 95 08:57:10 CST Received: by shadow.sdt.com (5.61) id AA21957; Thu, 5 Jan 95 09:00:01 -0600 From: aaron@sdt.com (Aaron Gair) Message-Id: <9501050900.ZM21955@shadow.sdt.com> Date: Thu, 5 Jan 1995 09:00:00 -0600 In-Reply-To: David Kovar "Brief review of Firewall-1 - installation, support, failure modes" (Jan 5, 2:43am) References: <199501050743.CAA19123@nda.nda.com> X-Mailer: Z-Mail (2.1.5 20sep93) To: David Kovar , firewalls@greatcircle.com Subject: Re: Brief review of Firewall-1 - installation, support, failure modes content-length: 2976 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Not trying to bash the product, but the feeling that a little-ole host file can totally make a product useless is frightening. Yes/No? Aaron On Jan 5, 2:43am, David Kovar wrote: > Subject: Brief review of Firewall-1 - installation, support, failure modes > I reported some problems we've encountered with Checkpoint's Firewall-1 > to this list last week. Here is a brief follow up on the situation, > the problems we encountered, the solution, and some issues you might > want to keep in mind. > > We had two major problems: > > * The machine running FW-1 would hang completely several times > a week. 
> We had to power cycle the machine to clear the problem.
> * When the machine was rebooted, the FW-1 startup script would
> report that the filters were installed and the GUI would
> show that the machine was protected. However, tests showed that
> the entire network was wide open and no filtering was taking
> place.
>
> After talking with the reseller and Checkpoint several times, we convinced
> them that the problem did indeed exist and that it had to be solved soon.
> We allowed Checkpoint to log into the firewall and then exchanged a few
> messages.
>
> The filtering problem was fixed by making sure that the hosts file
> agreed exactly with the objects defined in the FW-1 configuration. With
> this change in place, the correct filter was installed each time the
> machine rebooted.
>
> We've not seen a hang since then, but it's only been a day or so.
>
> Once installed correctly, FW-1 seems to be a viable firewall product.
> Some points that you should keep in mind:
>
> * Before you buy it, ask the reseller if they will come help you install
> it. The marketing materials, and the poor documentation leave you with
> a false sense of security. You can install it wrong, with fatal results.
>
> * Your first line of support is your reseller. The startup screen tells
> you to contact Checkpoint for support, but they will tell you to call
> your reseller. So, make sure you're happy with your reseller if you
> are concerned about support issues.
>
> * The documentation is very sparse.
>
> By far the most disturbing issue is:
>
> * There is at least one failure mode that will result in your network
> being left wide open despite indications to the contrary. This is
> easy to fix, but it leaves you wondering what other failure modes
> exist. The lack of adequate documentation and source code makes
> this an even larger concern.
> > > On the up side, the GUI makes managing it very simple, the filter > language appears to be very powerful, it is handling the load > well, and the logging functionality is good. > > Checkpoint just needs to work on ways to improve customer's faith > in its reliability. No security product should ever fail in any manner > other than "safe". > > We'll see how it holds up over the long haul. > > -David >-- End of excerpt from David Kovar From firewalls-owner Thu Jan 5 08:37:22 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA01466 for firewalls-outgoing; Thu, 5 Jan 1995 08:33:58 -0800 Received: from hud.gov (hudgate.hud.gov [198.200.153.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA01461 for ; Thu, 5 Jan 1995 08:33:54 -0800 From: James_Jasinski@hud.gov Received: by hud.gov (4.1/SMI-4.1) id AA00838; Thu, 5 Jan 95 11:29:28 EST Received: from hudsmtphq.hud.gov(170.97.1.9) by hudgate via smap (V1.0mjr) id sma000826; Thu Jan 5 11:28:50 1995 Received: from cc:Mail by hudsmtphq.hud.gov id AA789334309 Thu, 05 Jan 95 11:31:49 EST Date: Thu, 05 Jan 95 11:31:49 EST Encoding: 872 Text Message-Id: <9500057893.AA789334309@hudsmtphq.hud.gov> To: lci!cklung@uunet.uu.net (C.K. Lung), firewalls@greatcircle.com Subject: Re: Nov*ix for NetWare Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >I'm seeking comments on Nov*ix for Netware's firewall/security feature? Any > > ideas are appreciated. > >Thank you in advance. Novix for Netware is just a Netware Loadable Module running on a Novell File Server. We use the product, but it's kept behind our firewall on the trusted side. How do you trust Novell's operating system when you can't change it? ////////////////////////////////////////////////////////////////////////// James Jasinski | My opinions are of my own and Martin Marietta | not that of my employer. HUD HIIPS Contract, Washington, D.C. 
|                                    Fax: 202-708-3577
|                                    Voice: 202-708-2107
|                                    E-Mail: james_jasinski@hud.gov
|
==========================================================================

From firewalls-owner Thu Jan 5 09:02:46 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA00830 for firewalls-outgoing; Thu, 5 Jan 1995 07:56:23 -0800
Received: from panix.com (panix.com [198.7.0.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA00825 for ; Thu, 5 Jan 1995 07:56:20 -0800
Received: by panix.com id AA07254 (5.67b/IDA-1.5); Thu, 5 Jan 1995 10:27:04 -0500
From: "Alec H. Peterson"
Message-Id: <199501051527.AA07254@panix.com>
Subject: Re: Finger-back service?
To: ferioli@disaster.com (Michael Ferioli - D&D Consulting)
Date: Thu, 5 Jan 1995 10:27:04 -0500 (EST)
Cc: FIREWALLS@greatcircle.com
In-Reply-To: from "Michael Ferioli - D&D Consulting" at Jan 5, 95 09:11:00 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 976
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Michael Ferioli - D&D Consulting writes:
>
>Does anyone know if there is a way to have your firewall do a finger on the
>user who is attempting to connect to your service? As I see it, the only
>problem would be determining the user name of the callee since that doesn't
>appear to be sent to the host. Any ideas on how to program this? Perhaps
>just a simple fingering of the site and logging that to a file would be
>sufficient. That way if the firewall was attacked, you could contact the
>sysadmin of the calling host and forward on a list of users that were logged
>in (and non-idle) and the time of the attack.

The only way I can see to do this is to try to use identd, which must be run on the finger-ing host. Short of that, there doesn't seem to be any other way to do it (without re-writing the finger protocol).
Alec -- Alec Peterson Panix Public Access UNIX and Internet chuckie@panix.com New York City, NY From firewalls-owner Thu Jan 5 09:08:01 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA01629 for firewalls-outgoing; Thu, 5 Jan 1995 08:46:59 -0800 Received: from wintermute.imsi.com (wintermute.imsi.com [192.103.3.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA01624 for ; Thu, 5 Jan 1995 08:46:56 -0800 Received: from relay.imsi.com by wintermute.imsi.com id LAA14214; Thu, 5 Jan 1995 11:43:48 -0500 Received: from lorax.imsi.com by relay.imsi.com id LAA18898; Thu, 5 Jan 1995 11:43:48 -0500 Received: from localhost by lorax.imsi.com (4.1/SMI-4.1) id AA08124; Thu, 5 Jan 95 11:43:47 EST Message-Id: <9501051643.AA08124@lorax.imsi.com> To: Frederick M Avolio Cc: rens@imsi.com, jet@abulafia.genmagic.com (J. Eric Townsend), ylee@syl.dl.nec.com (Ying-Da Lee), firewalls@greatcircle.com, mcbai@echonyc.com Subject: Re: sockd In-Reply-To: Your message of "Thu, 05 Jan 1995 11:11:28 EST." <9501051611.AA10938@tis.com> Reply-To: rens@imsi.com Date: Thu, 05 Jan 1995 11:43:46 -0500 From: Rens Troost Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>>>> "Frederick" == Frederick M Avolio writes: Frederick> We use the http proxy with the TIS Internet Firewall Frederick> Toolkit (no surprise). We're using netscape without any Frederick> problems. How unbiased :) The TIS proxy is good too; CERN gives you caching, which helps on slow links (and even on my T1). I find that web usage among my PC users resembles the behavior of a school of piranhas; one guy sees a neat page, and then 20 or 30 more are looking at it. 
-Rens From firewalls-owner Thu Jan 5 09:28:41 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA01190 for firewalls-outgoing; Thu, 5 Jan 1995 08:16:04 -0800 Received: from relay.tis.com (firewall_user@relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA01184 for ; Thu, 5 Jan 1995 08:16:01 -0800 Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma011155; Thu Jan 5 11:14:37 1995 Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA10938; Thu, 5 Jan 95 11:11:38 EST Message-Id: <9501051611.AA10938@tis.com> From: Frederick M Avolio X-Organization: Trusted Information Systems, Inc. X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363 To: rens@imsi.com Cc: jet@abulafia.genmagic.com (J. Eric Townsend), ylee@syl.dl.nec.com (Ying-Da Lee), firewalls@greatcircle.com, mcbai@echonyc.com Subject: Re: sockd In-Reply-To: Your message of Thu, 05 Jan 95 08:07:19 -0500. <9501051307.AA07590@lorax.imsi.com> Date: Thu, 05 Jan 95 11:11:28 -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We use the http proxy with the TIS Internet Firewall Toolkit (no surprise). We're using netscape without any problems. > > >>>>> "J" == J Eric Townsend writes: > > J> Netscape also fails to support multihomed servers, their unix > J> client complains about a config file with multiple sockd@ entries > J> like: > > Yeah, netscape's socks support is not that great. I run the socksified > proxy CERN daemon internally, and the netscape users hit that to get > out. Best of both worlds. 
> > -Rens From firewalls-owner Thu Jan 5 09:38:19 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA02269 for firewalls-outgoing; Thu, 5 Jan 1995 09:27:18 -0800 Received: from nda.nda.com (nda.nda.COM [204.57.51.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA02264 for ; Thu, 5 Jan 1995 09:27:15 -0800 Received: (kovar@localhost) by nda.nda.com (8.6.9/8.6.4) id MAA02073; Thu, 5 Jan 1995 12:25:35 -0500 From: David Kovar Message-Id: <199501051725.MAA02073@nda.nda.com> Subject: Re: Brief review of Firewall-1 - installation, support, failure modes To: aaron@sdt.com (Aaron Gair) Date: Thu, 5 Jan 1995 12:25:34 -0500 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: <9501050900.ZM21955@shadow.sdt.com> from "Aaron Gair" at Jan 5, 95 09:00:00 am X-Mailer: ELM [version 2.4 PL20] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 342 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Not trying to bash the product, but the feeling that a little-ole host file > can totally make a product useless is frightening. Yes/No? > > Aaron Quite. And, as I said, if it was useless and passed no packets I'd be a lot less concerned. In this case, it is useless and passes all packets. A bad failure mode for a firewall. 
-David

From firewalls-owner Thu Jan 5 10:01:52 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA01202 for firewalls-outgoing; Thu, 5 Jan 1995 08:16:33 -0800
Received: from pegase.total.fr (pegase.total.fr [146.249.41.223]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA01147 for ; Thu, 5 Jan 1995 08:13:58 -0800
Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA05487; Thu, 5 Jan 95 17:07:37 +0100
Received: by tidtest.total.fr (4.1/SMI-4.1) id AA01991; Thu, 5 Jan 95 17:04:00 GMT
From: lavondes@tidtest.total.fr (Michel Lavondes)
Message-Id: <9501051704.AA01991@tidtest.total.fr>
Subject: Re: spoofing TCP/SYN packets?
To: root@wu1.wl.aecl.ca (system PRIVILEGED account)
Date: Thu, 5 Jan 95 17:03:58 GMT
Cc: firewalls@greatcircle.com
Reply-To: lavondes@tidtest.total.fr
In-Reply-To: ; from "system PRIVILEGED account" at Jan 5, 95 8:35 am
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

system PRIVILEGED account wrote :
>
> It would seem to me that if one host C were to snoop an active telnet
> session say, between hosts A and B, grab a string of frames, spray the
> receiving host B momentarily, then repeatedly spray host A (or knock down
> host A by some other means) while resending the copied string of frames
> and adding to them whatever one would like while also keeping the packet
> signatures the same -- that whomever is behind host C could become
> the new active session in place of A.
>
> If the preceding BS is true, then what can any kind of firewall SW/HW
> do to detect such an intrusion, short of encryption strategies?
>
> Will FWTK detect such an intrusion?
>

Assuming that the packets flowing between A and B don't go through a compromised router (i.e. one that would of its own "volition" divert/copy to C packets to/from B,) the only way that C could do the hosing would involve using IP source route header options, since the IP source/dest.
address must still be that of B. In that case, blocking IP source-routed packets on the screening router (the one that connects to the service provider) should do the trick. cisco boxen can do it, others also should.

Am I being hopelessly naive ?

--
Michel Lavondes
E-Mail : lavondes@tidtest.total.fr
         lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected)
Tel : +33-1-4135-4198
Fax : +33-1-4135-4189

From firewalls-owner Thu Jan 5 10:09:37 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA02446 for firewalls-outgoing; Thu, 5 Jan 1995 09:40:14 -0800
Received: from exchange.acc.org (exchange.acc.org [199.74.213.82]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA02439 for ; Thu, 5 Jan 1995 09:40:07 -0800
From: twalker@acc.org
Received: from ccMail by exchange.acc.org (IMA Internet Exchange v1.04) id f0c2f570; Thu, 5 Jan 95 12:41:43 -0500
Mime-Version: 1.0
Date: Thu, 5 Jan 1995 12:41:08 -0500
Message-ID:
Subject: Re: Counterpoint
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security), firewalls@greatcircle.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

One Point. If you know it's wrong or illegal & do it anyway (even though your boss tells you otherwise), you most likely can be held accountable. Just ask 'Ollie North'. He should have known selling arms was illegal (in the manner he did it in), but did it anyway because he indicates the President 'told him to'. He did not get anything in writing and he was the one who got pinned on that one. He was just lucky not to get any jail time.

That's just my observation and opinion.

/Tom

PS. Asking for a written statement/authorization is good, especially if the statement indicates who is responsible. (i.e. your boss/not you).
______________________________ Reply Separator _________________________________ Subject: Counterpoint Author: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) at Internet-Mail Date: 1/4/ 0 9:34 PM >Without a written signed clearance from your corporate legal eagle, they have >absolute deniability. You will be the one who goes to jail, not them. But then I keep reading about incidents where sysops have been arrested for things that they claimed they did not know were there and must have been uploaded by someone else. I am also seeing cases in which employers are being cited for actions of employees that the employer did not know were happening and in fact had written policy against. Fact is that you may be able to get into as much or more trouble for doing nothing as you would if you do something. My opinion is: 1) State a position publicly 2) Enforce it Just make sure your boss knows what you are doing (the old military method works well: "Unless I receive instructions to the contrary..."). If you don't like that then "Lead, follow, or get the h*ll out of the way." 
Warmly,
Padgett

From firewalls-owner Thu Jan 5 10:39:08 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA02934 for firewalls-outgoing; Thu, 5 Jan 1995 10:07:55 -0800
Received: from Getty.edu (smtpgate.getty.edu [153.10.97.97]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA02928 for ; Thu, 5 Jan 1995 10:07:48 -0800
Received: from Getty-Message_Server by Getty.edu with Novell_GroupWise; Thu, 05 Jan 1995 10:07:56 -0800
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Thu, 05 Jan 1995 10:06:22 -0800
From: Wulf Losee
To: firewalls@GreatCircle.com
Subject: FW: PC Take-Over -- reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Lorraine Ironplow asks:

>Is anyone aware of any actual break-in that was
>accomplished by "taking over" a PC (running
>DOS or Windows or Windows for Workgroups
>or NT) and then launching an attack from there?
>I don't mean dialling in to a modem on the
>PC, but an attack that could have been prevented
>by a better firewall.

Answer: I am not aware of any breakins; however, I think you have to ask yourself the question: "how -- through what mechanism -- would a breakin be accomplished?" PCs running multitasking OSs that offer TCP/IP-based services (rlogin, telnet, and ftp) are vulnerable from the Internet (without proper firewalls or router filters). So...

Correct me if I'm wrong (please!), but since DOS and regular Windows (both Windows 3.x and Windows for Warehouses) are not multitasking, multithreading operating systems it would be impossible to subvert these systems unless the cracker were dialing in through a modem or actually sitting at the PC's console.

Windows NT might be a different story. In its base configuration Windows NT allows peer-to-peer networking through Microsloth's NetBEUI protocol, but NetBEUI services wouldn't be vulnerable from the Internet (they *might* be vulnerable from your LAN, however).
There are third-party packages that allow Windows NT to host rlogin, telnet, or ftp sessions. If your firewall isn't properly configured, your Win NT PCs might be vulnerable from the Internet -- if you have enabled TCP/IP-based services (certainly I can telnet into a Windows NT PC on my network and use it as a jumping off point to telnet to yet other hosts).

A. Padgett Peterson brings up a good point, though: PCs running UNIX OSs (XENIX, SCO, LINUX, etc.) are just as vulnerable as any other UNIX System.

If I have overlooked some key point, PLEASE let me know.

Thanks,
Wulf

From firewalls-owner Thu Jan 5 11:10:47 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA03697 for firewalls-outgoing; Thu, 5 Jan 1995 10:54:15 -0800
Received: from cayuga.cs.rochester.edu (cayuga.cs.rochester.edu [192.5.53.209]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA03692 for ; Thu, 5 Jan 1995 10:54:11 -0800
From: bukys@cs.rochester.edu
Received: from otter.cs.rochester.edu (otter.cs.rochester.edu [192.5.53.121]) by cayuga.cs.rochester.edu (8.6.7/G) with ESMTP id NAA03900; Thu, 5 Jan 1995 13:52:32 -0500
Received: (from bukys@localhost) by otter.cs.rochester.edu (8.6.9/G) id NAA19619; Thu, 5 Jan 1995 13:52:24 -0500
Date: Thu, 5 Jan 1995 13:52:24 -0500
Message-Id: <199501051852.NAA19619@otter.cs.rochester.edu>
To: WLosee@Getty.Edu, firewalls@GreatCircle.com
Subject: Re: FW: PC Take-Over -- reply
Cc: bukys@cs.rochester.edu
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Usually what you find on PCs are clients, not servers. However, occasionally, a program will be both. For example, NCSA Telnet includes an FTP server, which you have to explicitly enable, and it does support a password file if you set one up, but it's not hard to imagine some rogue poking around for unprotected PC/Mac FTP servers worldwide and then dropping trojan horses all over your PC/Mac disk. The rogue only needs a foot in the door once.
There might be footholds via encapsulations like AppleTalk-in-IP, poking around for misconfigured Personal File Sharing or Retrospect Remote services just waiting to be used.

From firewalls-owner Thu Jan 5 11:12:01 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA02385 for firewalls-outgoing; Thu, 5 Jan 1995 09:36:40 -0800
Received: from mailgate.Cadence.COM (mailgate.Cadence.COM [158.140.2.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA02380 for ; Thu, 5 Jan 1995 09:36:36 -0800
Received: (from smap@localhost) by mailgate.Cadence.COM (8.6.8/8.6.8) id JAA20475; Thu, 5 Jan 1995 09:35:06 -0800
Received: from cds1004.cadence.com(158.140.32.39) by mailgate.cadence.com via smap (V1.0mjr) id sma020400; Thu Jan 5 09:34:43 1995
Received: (from alastair@localhost) by cds1004 (8.6.8/8.6.8) id JAA09210; Thu, 5 Jan 1995 09:34:41 -0800
From: "Alastair Young"
Message-Id: <9501050934.ZM9208@cds1004>
Date: Thu, 5 Jan 1995 09:34:39 -0800
In-Reply-To: David Kovar "Brief review of Firewall-1 - installation, support, failure modes" (Jan 5, 2:43am)
References: <199501050743.CAA19123@nda.nda.com>
X-Mailer: Z-Mail (3.0.1 23feb94)
To: David Kovar , firewalls@GreatCircle.COM
Subject: Re: Brief review of Firewall-1 - installation, support, failure modes
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Jan 5, 2:43am, David Kovar wrote:
> Subject: Brief review of Firewall-1 - installation, support, failure modes
> I reported some problems we've encountered with Checkpoint's Firewall-1
> to this list last week. Here is a brief follow up on the situation,
> the problems we encountered, the solution, and some issues you might
> want to keep in mind.
>
> We had two major problems:
>
> * The machine running FW-1 would hang completely several times
> a week. We had to power cycle the machine to clear the problem.
> * When the machine was rebooted, the FW-1 startup script would
> report that the filters were installed and the GUI would
> show that the machine was protected. However, tests showed that
> the entire network was wide open and no filtering was taking
> place.
>
> After talking with the reseller and Checkpoint several times, we convinced
> them that the problem did indeed exist and that it had to be solved soon.
> We allowed Checkpoint to log into the firewall and then exchanged a few
> messages.
>
> The filtering problem was fixed by making sure that the hosts file
> agreed exactly with the objects defined in the FW-1 configuration. With
> this change in place, the correct filter was installed each time the
> machine rebooted.
>
> We've not seen a hang since then, but it's only been a day or so.
>
> Once installed correctly, FW-1 seems to be a viable firewall product.
> Some points that you should keep in mind:
>
> * Before you buy it, ask the reseller if they will come help you install
> it. The marketing materials, and the poor documentation leave you with
> a false sense of security. You can install it wrong, with fatal results.
>
> * Your first line of support is your reseller. The startup screen tells
> you to contact Checkpoint for support, but they will tell you to call
> your reseller. So, make sure you're happy with your reseller if you
> are concerned about support issues.
>
> * The documentation is very sparse.
>
> By far the most disturbing issue is:
>
> * There is at least one failure mode that will result in your network
> being left wide open despite indications to the contrary. This is
> easy to fix, but it leaves you wondering what other failure modes
> exist. The lack of adequate documentation and source code makes
> this an even larger concern.
>
>
> On the up side, the GUI makes managing it very simple, the filter
> language appears to be very powerful, it is handling the load
> well, and the logging functionality is good.
>
> Checkpoint just needs to work on ways to improve customers' faith
> in its reliability. No security product should ever fail in any manner
> other than "safe".
>
> We'll see how it holds up over the long haul.
>
> -David
>-- End of excerpt from David Kovar

I also noticed that the default installation brings the firewall up at the end of rc.local. The interfaces are brought up several seconds earlier. As "established" TCP packets are freely passed, this leaves a window of opportunity for anyone to set up any connection they feel like. I recommend modifying rc.local to configure your outer interface down, then bringing it up after the filter is activated. Even better, have your filter stored locally and keep both interfaces down until the filter is active.

Just my $0.02

Al
--
----------------------------------------------------------------------------
Alastair Young                                  _            This vehicle incapable
Cadence Design Systems, Information Services   )/___  _
555 River Oaks Parkway, 4B1                 __/(___)_*##/c   of evading low
San Jose CA 95134   Fax: (408)894-3487       / /\\||  \ / \
alastair@cadence.com  (408)428-5278          \__/ ----'\__/   speed pursuit!
----------------------------------------------------------------------------
These statements and opinions are mine, not those of Cadence Design Systems

From firewalls-owner Thu Jan 5 11:43:47 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA03569 for firewalls-outgoing; Thu, 5 Jan 1995 10:45:43 -0800
Received: from cirrus (cirrus.com [141.131.7.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA03564 for ; Thu, 5 Jan 1995 10:45:39 -0800
Received: from sunstorm.corp.cirrus.com (sunstorm) by cirrus with SMTP id AA08442 (5.65c/IDA-1.4.4 for ); Thu, 5 Jan 1995 10:44:06 -0800
Received: from ss309.corp.cirrus.com (ss2119.corp.cirrus.com) by sunstorm.corp.cirrus.com with SMTP id AA01519 (5.67b/IDA-1.4.4 for ); Thu, 5 Jan 1995 10:44:05 -0800
Received: by ss309.corp.cirrus.com (5.0-Corp/1.01) id AA16733; Thu, 5 Jan 1995 10:44:03 +0800
From: jsm@corp.cirrus.com (John Mizzi)
Message-Id: <9501051844.AA16733@ss309.corp.cirrus.com>
Subject: Re: Brief review of Firewall-1 - installation, support, failure modes
To: firewalls@greatcircle.com
Date: Thu, 5 Jan 1995 10:44:03 -0800 (PST)
In-Reply-To: <9501050900.ZM21955@shadow.sdt.com> from "Aaron Gair" at Jan 5, 95 09:00:00 am
X-Mailer: ELM [version 2.4 PL24alpha3]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 304
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Aaron Gair writes
>
>
> Not trying to bash the product, but the feeling that a little-ole host file
> can totally make a product useless is frightening. Yes/No?
>
> Aaron

I would have preferred for the machine not to come up rather than appear to work and give me a false sense of security.
John

From firewalls-owner Thu Jan 5 12:16:28 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA03853 for firewalls-outgoing; Thu, 5 Jan 1995 11:02:50 -0800
Received: from uu9.psi.com (uu9.psi.com [38.145.107.9]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA03847 for ; Thu, 5 Jan 1995 11:02:44 -0800
Received: from musak.UUCP by uu9.psi.com (5.65b/4.0.071791-PSI/PSINet) via UUCP; id AA19577 for ; Thu, 5 Jan 95 13:46:55 -0500
Received: from zydeco.csystems by dasw.com (4.1/SMI-4.1) id AA12932; Thu, 5 Jan 95 14:01:30 EST
Received: from raga.csystems by zydeco.csystems (4.1/SMI-4.1) id AA10390; Thu, 5 Jan 95 13:40:58 EST
Date: Thu, 5 Jan 95 13:40:58 EST
From: jwelfeld@dasw.com (Joe Welfeld)
Message-Id: <9501051840.AA10390@zydeco.csystems>
To: firewalls@greatcircle.com
Subject: SPARC IPC - packet filter
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have a SPARC IPC (running sunos 4.1.3) at home that I would like to hook up to the internet and use as a router to an ethernet network with a PC and a Mac on it. I found a local provider that supplies 28.8kb ppp links for very reasonable rates. I have a few questions about hooking this up that might pertain to this list. I'm not sure if I'm asking the right questions but here goes:

1) Can I set up ttya as a PPP link with a packet filter running?
2) Is there any PD packet filtering software and PPP software I can use to accomplish this?
3) Any hints and directions on how to set the IPC up as a router with a packet filter would greatly be appreciated.
4) If no PD software exists what might be an INEXPENSIVE alternative (this is a home project)?
5) Any other suggestions on how I can create a firewall/router out of this IPC would be greatly appreciated.

If this is deemed not appropriate for this list, then please send responses to me directly.
Thanks,
Joe Welfeld

=====================================================
Joe Welfeld          Data Switch Corporation     Email:jwelfeld@dasw.com
                     1 Enterprise Dr.
Systems Analysis     Shelton, CT. 06484          203.925.7548
                                                 Fax:203.929.8494
====================================================

From firewalls-owner Thu Jan 5 12:20:51 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA04031 for firewalls-outgoing; Thu, 5 Jan 1995 11:14:42 -0800
Received: from nda.nda.com (nda.nda.COM [204.57.51.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA04025 for ; Thu, 5 Jan 1995 11:14:40 -0800
Received: (kovar@localhost) by nda.nda.com (8.6.9/8.6.4) id OAA04269; Thu, 5 Jan 1995 14:13:02 -0500
From: David Kovar
Message-Id: <199501051913.OAA04269@nda.nda.com>
Subject: Re: Brief review of Firewall-1 - installation, support, failure modes
To: alastair@cadence.com (Alastair Young)
Date: Thu, 5 Jan 1995 14:13:01 -0500 (EST)
Cc: aaron@sdt.com, firewalls@GreatCircle.COM
In-Reply-To: <9501051106.ZM9333@cds1004> from "Alastair Young" at Jan 5, 95 11:06:24 am
X-Mailer: ELM [version 2.4 PL20]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1029
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > Not trying to bash the product, but the feeling that a little-ole host file
> > can totally make a product useless is frightening. Yes/No?
> >
> > Aaron
> >
>
> Not really, you should never use hostnames when configuring filters as the
> name->address mapping is vulnerable, whether by hosts file corruption or NIS or
> DNS spoofing. Use the IP addresses directly.

The host file on the FW-1 machine is only used, apparently, when the FW-1 starts up. It knows the host*name* of the machine that it wants to load the filters from and looks up the IP address in the hosts table. Lacking source and documentation, it is hard to tell.
Someone else pointed out that if you were using resolv+, or something similar, FW-1 might potentially go load the filters from wherever the resolver pointed you to. Hmm, let's load it from cracker-haven.org.

Checkpoint said "You don't have to worry about turning off other services on your firewall machine." but I went ahead and turned *everything* off. Probably a good idea.

-David

From firewalls-owner Thu Jan 5 12:36:39 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA03920 for firewalls-outgoing; Thu, 5 Jan 1995 11:08:36 -0800
Received: from mailgate.Cadence.COM (mailgate.Cadence.COM [158.140.2.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA03915 for ; Thu, 5 Jan 1995 11:08:33 -0800
Received: (from smap@localhost) by mailgate.Cadence.COM (8.6.8/8.6.8) id LAA00974; Thu, 5 Jan 1995 11:06:58 -0800
Received: from cds1004.cadence.com(158.140.32.39) by mailgate.cadence.com via smap (V1.0mjr) id sma000863; Thu Jan 5 11:06:28 1995
Received: (from alastair@localhost) by cds1004 (8.6.8/8.6.8) id LAA09335; Thu, 5 Jan 1995 11:06:25 -0800
From: "Alastair Young"
Message-Id: <9501051106.ZM9333@cds1004>
Date: Thu, 5 Jan 1995 11:06:24 -0800
In-Reply-To: aaron@sdt.com (Aaron Gair) "Re: Brief review of Firewall-1 - installation, support, failure modes" (Jan 5, 9:00am)
References: <199501050743.CAA19123@nda.nda.com> <9501050900.ZM21955@shadow.sdt.com>
X-Mailer: Z-Mail (3.0.1 23feb94)
To: aaron@sdt.com (Aaron Gair), David Kovar , firewalls@GreatCircle.COM
Subject: Re: Brief review of Firewall-1 - installation, support, failure modes
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Jan 5, 9:00am, Aaron Gair wrote:
> Subject: Re: Brief review of Firewall-1 - installation, support, failure m
>
> Not trying to bash the product, but the feeling that a little-ole host file
> can totally make a product useless is frightening. Yes/No?
>
> Aaron
>

Not really, you should never use hostnames when configuring filters as the name->address mapping is vulnerable, whether by hosts file corruption or NIS or DNS spoofing. Use the IP addresses directly.

Al
--
----------------------------------------------------------------------------
Alastair Young                                  _            This vehicle incapable
Cadence Design Systems, Information Services   )/___  _
555 River Oaks Parkway, 4B1                 __/(___)_*##/c   of evading low
San Jose CA 95134   Fax: (408)894-3487       / /\\||  \ / \
alastair@cadence.com  (408)428-5278          \__/ ----'\__/   speed pursuit!
----------------------------------------------------------------------------
These statements and opinions are mine, not those of Cadence Design Systems

From firewalls-owner Thu Jan 5 12:37:29 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA03489 for firewalls-outgoing; Thu, 5 Jan 1995 10:40:47 -0800
Received: from mailgate.Cadence.COM (mailgate.Cadence.COM [158.140.2.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA03482 for ; Thu, 5 Jan 1995 10:40:44 -0800
Received: (from smap@localhost) by mailgate.Cadence.COM (8.6.8/8.6.8) id KAA27118; Thu, 5 Jan 1995 10:39:13 -0800
Received: from cds1004.cadence.com(158.140.32.39) by mailgate.cadence.com via smap (V1.0mjr) id sma027009; Thu Jan 5 10:38:47 1995
Received: (from alastair@localhost) by cds1004 (8.6.8/8.6.8) id KAA09290; Thu, 5 Jan 1995 10:38:43 -0800
From: "Alastair Young"
Message-Id: <9501051038.ZM9288@cds1004>
Date: Thu, 5 Jan 1995 10:38:41 -0800
In-Reply-To: system PRIVILEGED account "Re: spoofing TCP/SYN packets?" (Jan 5, 8:35am)
References:
X-Mailer: Z-Mail (3.0.1 23feb94)
To: system PRIVILEGED account , david r coelho
Subject: Re: spoofing TCP/SYN packets?
Cc: firewalls@GreatCircle.COM
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Jan 5, 8:35am, system PRIVILEGED account wrote:
> Subject: Re: spoofing TCP/SYN packets?
>
>
> On Tue, 13 Dec 1994, david r coelho wrote:
>
> > My first line of defense for our network uses a router to filter
> > out all new TCP sessions (e.g. with SYN). We let in all established
> > sessions, and then do additional filtering with a firewall. The
> > idea is that the router lets anything go out, but only lets
> > established sessions come in.
> >
> > My question is, is there a vulnerability whereby the established
> > incoming TCP packet could be used to open a new TCP session
> > (say login, telnet, etc) or is the unix (SunOS in my case) kernel
> > tight enough to reject these packets.
> >
> It would seem to me that if one host C were to snoop an active telnet
> session say, between hosts A and B, grab a string of frames, spray the
> receiving host B momentarily, then repeatedly spray host A (or knock down
> host A by some other means) while resending the copied string of frames
> and adding to them whatever one would like while also keeping the packet
> signatures the same -- that whoever is behind host C could become
> the new active session in place of A.
>
> If the preceding BS is true, then what can any kind of firewall SW/HW
> do to detect such an intrusion, short of encryption strategies?
>
> Will FWTK detect such an intrusion?
>
>

What you describe are the classic man-in-the-middle and/or packet sequence numbering attacks. Without encryption, you're screwed.

Al
--
----------------------------------------------------------------------------
Alastair Young                                  _            This vehicle incapable
Cadence Design Systems, Information Services   )/___  _
555 River Oaks Parkway, 4B1                 __/(___)_*##/c   of evading low
San Jose CA 95134   Fax: (408)894-3487       / /\\||  \ / \
alastair@cadence.com  (408)428-5278          \__/ ----'\__/   speed pursuit!
----------------------------------------------------------------------------
These statements and opinions are mine, not those of Cadence Design Systems

From firewalls-owner Thu Jan 5 13:07:38 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA04329 for firewalls-outgoing; Thu, 5 Jan 1995 11:38:34 -0800
Received: from mail.auburn.edu (ducserv.duc.auburn.edu [131.204.2.14]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA04324 for ; Thu, 5 Jan 1995 11:38:30 -0800
Received: from noc.auburn.edu by mail.auburn.edu (4.1/SMI-4.0 News-1.0) id AA17435; Thu, 5 Jan 95 13:35:29 CST
Received: by noc.auburn.edu (5.x/SMI-SVR4) id AA04081; Thu, 5 Jan 1995 13:31:03 -0600
Date: Thu, 5 Jan 1995 13:31:03 -0600
From: owen@noc.mail.auburn.edu (Larry Owen)
Message-Id: <9501051931.AA04081@noc.auburn.edu>
To: firewalls@GreatCircle.com
Subject: Re: FW: PC Take-Over -- reply
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Wulf Losee writes:
> Answer: I am not aware of any breakins; however, I think you have to ask
> yourself the question: "how -- through what mechanism -- would a breakin
> be accomplished?" PCs running multitasking OSs that offer TCP/IP-based
> services (rlogin, telnet, and ftp) are vulnerable from the Internet (without
> proper firewalls or router filters). So...
>
> Correct me if I'm wrong (please!), but since DOS and regular Windows (both
> Windows 3.x and Windows for Warehouses) are not multitasking,
> multithreading operating systems it would be impossible to subvert these
> systems unless the cracker were dialing in through a modem or actually
> sitting at the PC's console.
>

Well, yeah, they're (potentially) vulnerable. Example: NCSA Telnet and Clarkson University's modified/enhanced version of same (CUTCP) are widely used, and the telnet client includes an ftp server. So, when you're running telnet, you effectively have an ftp server running as well.
Now, if you haven't taken the necessary steps to password protect access to this server (or have chosen bad passwords), anyone can ftp into the system and replace, for example, autoexec.bat, config.sys, whatever. The denial-of-service consequences should be obvious, but applications can also be replaced with versions which do all sorts of sneaky things.

And I'm no Windows expert, but Windows and WFW are *effectively* multitasking, even if they don't fit some precise computer science definition of the term. You can have multiple applications active at any given time, and you have potential vulnerabilities through virtually any network server process (even if that's not what Microsoft would call it), such as ftp server, X server, etc.

> Windows NT might be a different story. In its base configuration Windows
> NT allows peer-to-peer networking through Microsloth's NetBEUI
> protocol, but NetBEUI services wouldn't be vulnerable from the Internet
> (they *might* be vulnerable from your LAN, however). There are third-
> party packages that allow Windows NT to host rlogin, telnet, or ftp
> sessions. If your firewall isn't properly configured, your Win NT PCs might
> be vulnerable from the Internet -- if you have enabled TCP/IP-based
> services (certainly I can telnet into a Windows NT PC on my network and
> use it as a jumping off point to telnet to yet other hosts).
>
> A. Padgett Peterson brings up a good point, though: PCs running UNIX OSs
> (XENIX, SCO, LINUX, etc.) are just as vulnerable as any other UNIX
> System.
>
> If I have overlooked some key point, PLEASE let me know.
>
> Thanks,
> Wulf
>

Larry Owen                       email: owen@noc.auburn.edu
Campus Network Administrator     phone: (205) 844-4110
Auburn University                fax:   (205) 844-9390

From firewalls-owner Thu Jan 5 13:31:30 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA04262 for firewalls-outgoing; Thu, 5 Jan 1995 11:34:31 -0800
Received: from zeus.datasrv.co.il (root@zeus.datasrv.co.il [192.114.20.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA04251 for ; Thu, 5 Jan 1995 11:34:21 -0800
Received: from applicom.co.il (gateway.applicom.co.il) by zeus.datasrv.co.il with SMTP id AA01029 (5.65c/IDA-1.4.4 for ); Thu, 5 Jan 1995 21:31:32 +0200
Received: by applicom.co.il id AA22663 (5.67b/IDA-1.5 for firewalls@greatcircle.com); Thu, 5 Jan 1995 21:31:32 +0200
Date: Thu, 5 Jan 1995 21:31:32 +0200 (IST)
From: "Jonathan B. Horen"
X-Sender: horen@gateway
To: firewalls@greatcircle.com
Subject: Re: Brief review of Firewall-1 - installation, support, failure , modes
In-Reply-To: <199501051725.MAA02073@nda.nda.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 5 Jan 1995, David Kovar wrote:

> > Not trying to bash the product, but the feeling that a little-ole host file
> > can totally make a product useless is frightening. Yes/No?

"Don't try this at home, kids" -- that is, if you aren't a good-enough Unix SysAdmin to have your basic site/machine configuration files set-up correctly, then you've got no business placing your employer's site/data in jeopardy.

FireWall-1 is certainly not the only piece of 3rd-party software, commercial or otherwise, which expects to find that the contents of /etc/{aliases,group,hosts,passwd,services} (to name a few) actually reflect the reality of the machine/site and its users.

What frightens *me* is how a professional system administrator can screw-up that "little-ole host file"! Where are you guys living, on Mars?!

> Quite.
> And, as I said, if it was useless and passed no packets I'd
> be a lot less concerned. In this case, it is useless and passes all
> packets. A bad failure mode for a firewall.

What did you expect from a piece of software which could not rely on *your* configuration files -- that it would do something *other* than to just allow "business as usual" to continue? What should have happened? a klaxon? the monitor blink on-and-off?

Is this your first job? Haven't you ever been burned by the "software package from Hell" which, when something wasn't configured correctly, overwrote your root partition or something equally absurd? Was this the first piece of software you ever installed?

Sheesh, *I'd* be embarrassed as all hell if something for which *my employer* paid $10,000 didn't work *because I f^cked-up*!! (and I sure wouldn't be writing letters to a mailing list, fer chrissakes!)

"My car stopped running *right in the middle of the highway*!"
"Hmmm... let's see... oh! it's *out of gas*!"
"GAS!? You mean I have to put in *GAS*??? I paid $30,000 for the damn thing, and I have to put in GAS?? Oh! where's my Prozac?!"

I'm surprised you've got a job, dude.

-------------------------------------------------------------------------
Jonathan B. Horen
System/Network Manager
Applicom Software Industries
-------------------------------------------------------------------------

From firewalls-owner Thu Jan 5 13:37:03 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA04426 for firewalls-outgoing; Thu, 5 Jan 1995 11:42:14 -0800
Received: from gki.com (voodoo.Cryptek.Gki.COM [198.6.120.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA04420 for ; Thu, 5 Jan 1995 11:42:04 -0800
Received: from vampire.cryptek.gki.com by gki.com (4.1/SMI-4.1/ccg.7.2.91) id AA13445; Thu, 5 Jan 95 14:31:01 EST
Received: by vampire.cryptek.gki.com (4.1/SMI-4.1) id AA02151; Thu, 5 Jan 95 14:41:26 EST
Date: Thu, 5 Jan 95 14:41:26 EST
From: williams@gki.com (Tim Williams)
Message-Id: <9501051941.AA02151@vampire.cryptek.gki.com>
To: firewalls@greatcircle.com
Subject: RE: PC takeover
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Wulf Losee writes
> Answer: I am not aware of any breakins; however, I think you have to ask
> yourself the question: "how -- through what mechanism -- would a breakin
> be accomplished?" PCs running multitasking OSs that offer TCP/IP-based
> services (rlogin, telnet, and ftp) are vulnerable from the Internet (without
> proper firewalls or router filters). So...
> Correct me if I'm wrong (please!), but since DOS and regular Windows (both
> Windows 3.x and Windows for Warehouses) are not multitasking,
> multithreading operating systems it would be impossible to subvert these
> systems unless the cracker were dialing in through a modem or actually
> sitting at the PC's console.

Well if I were a really bad guy I guess that I could distribute a piece of software (let's say a game for now) that would, as a side effect, install a nice little windows program that is loaded by windows each time windows comes up (yes it can run in the background and not display anything on the screen).
In this nice little program, I simply open a connection to my little store house of data and start dumping your entire local disk and any disk to which you are currently attached (since you have so graciously provided access to it by your normal login process). This action is much easier now that we have WINSOCK compatibility for network programmers in a windows environment for most of the TCP/IP products that are out there today :-) I then turn around and sell your stuff to your competitors. As an afterthought I might even send a remove command to that nice little program (over the network) which will cause it to remove itself from your system.

How's that for a hole in a windows or WFW system?

I believe that the most important point here is that PC users are more likely to 'bring something in' and run it on their systems (it's only a game :-) than their equivalent unix brothers. Therefore it may very well be more likely that your networking threat has bypassed your firewall and is in fact just dumping data through it (depending on the type of firewall and how you have it configured - remember most firewalls are there to keep things from getting in, not necessarily things from getting out).

Well, it's only a thought I had. I had better get back to work....

Any thoughts from anyone else?
Tim Williams From firewalls-owner Thu Jan 5 13:47:51 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA04748 for firewalls-outgoing; Thu, 5 Jan 1995 12:00:12 -0800 Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA04741 for ; Thu, 5 Jan 1995 12:00:05 -0800 Received: from uucp3.UU.NET by relay3.UU.NET with SMTP id QQxxkh19783; Thu, 5 Jan 1995 14:58:35 -0500 Date: Thu, 5 Jan 1995 14:58:35 -0500 Message-Id: Received: from rsca.UUCP by uucp3.UU.NET with UUCP/RMAIL ; Thu, 5 Jan 1995 14:58:41 -0500 From: Steve Marquess To: Wulf Losee , firewalls@GreatCircle.COM Subject: Re: FW: PC Take-Over -- reply Reply-To: steve@rsca.com Content-Length: 1116 Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Wulf Losee says: > >Correct me if I'm wrong (please!), but since DOS and regular Windows (both >Windows 3.x and and Windows for Warehouses) are not multitasking, >multithreading operating systems it would be impossible to subvert these >systems unless the cracker were dialing in through a modem or actually >sitting at the PC's console. > Probably true in general, but I have a PC here running DOS and a TSR from a widely used protocol stack (Novell's LWPD, the tsr is XPC.EXE) that I can telnet into and execute DOS commands -- including, in principle, commands to access LAN file servers or the mainframes that are not reachable via IP. This PC is allows my Unix hosts to execute DOS commands and fetch data from the LANs from cron scripts run in the middle of the night. Any although few people here are aware of it, the software I used to do this is present on another thousand or so other PCs on our corporate WAN... Steve Marquess steve@tdg.rsca.com Residential Services Corp. 
of America
7445 New Technology Way            (301) 815-6219 voice
Frederick, MD 21701                (301) 815-6515 fax

I use th

From firewalls-owner Thu Jan 5 14:08:45 1995
From: root@miro.ilinx.com
To: WLosee@Getty.Edu
Cc: firewalls@GreatCircle.com
Subject: Re: FW: PC Take-Over -- reply
Date: Thu, 5 Jan 1995 11:49:57 -0700 (PST)

from the quill of Wulf Losee

> Correct me if I'm wrong (please!), but since DOS and regular Windows (both
> Windows 3.x and Windows for Warehouses) are not multitasking,
> multithreading operating systems it would be impossible to subvert these
> systems unless the cracker were dialing in through a modem or actually
> sitting at the PC's console.

You are wrong. But we all are at some time or another. :-)

We have PC's in our office here that run Beame and Whiteside's TCP/IP stack. Under MS-Windows they have a "full-fledged" inetd daemon which allows me to "telnet" to the box and use it in a character based mode. From there I can change the IP address of the box and re-boot it. I could then telnet into it again and use it to go elsewhere. Now as to whether any of this could be used to subvert another system I can't say, as I haven't really thought (and tried) it through.
I am just confirming that I can indeed log into an MS-Windows PC and dick with IP configurations.

b.
--
Brian J. Murrell                               brian@ilinx.com
InterLinx Support Services, Inc.               brian@wimsey.com
North Vancouver, B.C.                          604 983 UNIX
Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD

From firewalls-owner Thu Jan 5 14:35:51 1995
From: Rens Troost
Reply-To: rens@imsi.com
To: David Kovar
Cc: alastair@cadence.com (Alastair Young), aaron@sdt.com, firewalls@greatcircle.com
Subject: Re: Brief review of Firewall-1 - installation, support, failure modes
Date: Thu, 05 Jan 1995 16:03:53 -0500
Message-Id: <9501052103.AA08988@lorax.imsi.com>
In-Reply-To: Your message of "Thu, 05 Jan 1995 14:13:01 EST." <199501051913.OAA04269@nda.nda.com>

>>>>> "David" == David Kovar writes:

David> Someone else pointed out that if you were using resolv+, or
David> something similar, FW-1 might potentially go load the filters
David> from wherever the resolver pointed you to. Hmm, let's load it
David> from cracker-haven.org.

God forbid it would just use 'gethostbyname'. After all, the resolver library may have been compromised by crackers! Let's still use libc for other things, though.

 ! !
  ^
 \_/

-Rens

From firewalls-owner Thu Jan 5 14:37:59 1995
From: Toni Mueller
Reply-To: mueller@uran.informatik.uni-bonn.de
To: stewart@networx.com
Cc: Firewalls@GreatCircle.COM
Subject: scanning email ...
Date: Wed, 4 Jan 1995 23:52:12 +0100 (MET)
Message-Id: <199501042252.XAA02372@hamlet.oberberg.rhein.de>

On the firewalls mailing list you wrote:

> I've got a similar problem though, I would like to filter outgoing
> email messages.. I've come across what I consider a rather heinous
> abuse of email by a commercial package, it sends "usage statistics"
> back to the manufacturer. We've also got one that sends license
> violations back to the manufacturer, this one isn't as heinous as it
> sends a copy of the message to a local responsible person, whereas the
> first does it silently..

Hello!

Would you mind naming the two packages in question? I also think that the first is unacceptable at any rate.
It _must_ be configured out. And here is what I would do about it:

[I run sendmail, so this may not apply to you.]

I would add special rules to the beginnings of rule sets 0 (mailer) and 2 (receiver) to have this special address rewritten and delivered locally in some kind of log file (or /dev/null, if you don't care).

The other thing I'd think of is suing the manufacturer and/or switching the product.

Yours,
--Toni
---------------------------------------------------------------------------
Toni M"uller          Internet: mueller@uran.informatik.uni-bonn.de
phone: +49-2261-79351 fax: +49-2261-78747

From firewalls-owner Thu Jan 5 15:08:57 1995
From: Jaakko Manninen
To: firewalls@GreatCircle.COM
Subject: PC using external service
Date: Fri, 6 Jan 1995 00:17:05 +0200 (EET)
Message-Id: <199501052217.AAA08358@pot.hole.fi>

Has anyone looked into the possibility of a user on a network under a Firewall running a SLIP/etc connection? Example.

You have a closed 1200+ PC-machine LAN, connected to the Net thru a BSDI+Firewall. One PC-end user in his days of wisdom decides to purchase a SLIP-connection to a local INet provider.
He enables "IP Routing" from his Windows for Workgroups, and someone on the net "sees" or hears about this, and decides to route himself into the "firewalled" network thru this machine... Boom.

I couldn't think of an easy way to disable this possibility, other than telling the end user not to do this. Any hints/ideas?

--
Jaakko Manninen
Parcomp Oy Ab

From firewalls-owner Thu Jan 5 15:37:17 1995
From: twalker@acc.org
Cc: firewalls@GreatCircle.COM
Subject: Re[2]: TCP/IP + IPX firewall solutions ?
Date: Thu, 5 Jan 1995 17:29:39 -0500

You might want to look at the 'Livingston IRX Firewall Router'. It routes IPX & IP, supports inbound & outbound filtering, & comes with 2 ethernet ports. Port A is normally for bastion hosts and port B is for your trusted network. I have one. It's nice. Try 'sales@livingston.com' (I think).

/Tom

______________________________ Reply Separator _________________________________
Subject: Re: TCP/IP + IPX firewall solutions ?
Author: lci!cklung@uunet.uu.net (C.K. Lung) at Internet-Mail
Date: 1/4/ 0 11:01 PM

Brian W. McKenney wrote:
> >Does anyone know if a single firewall offering can achieve this
> >division or am I looking at a TCP/IP firewall to control TCP/IP traffic
> >and perhaps a multi-protocol router to control the IPX traffic ? Is it
> >possible to encapsulate IPX in TCP/IP packets and control these somehow ?
> Do you need guidance on how to protect an IPX segment from an IP segment
> with a firewall? COTS routers can certainly block all IPX traffic from
> entering the IP segment. The other missing piece of the question is
> whether some communication is needed between the two segments. If this is
> the case, then the COTS router will have to perform some protocol
> translation (e.g., IPX to IP). Select communications between authorized
> end systems on each segment also leads to the problem that people could
> change their machine source addresses, thereby bypassing local security
> policy.
>
> -Brian

Someone recommended that the Firefox Nov*ix can do the job.

From firewalls-owner Thu Jan 5 15:37:39 1995
From: David Kovar
To: horen@applicom.co.il (Jonathan B. Horen)
Cc: firewalls@GreatCircle.COM
Subject: Re: Brief review of Firewall-1 - installation, support, failure modes
Date: Thu, 5 Jan 1995 17:27:16 -0500 (EST)
Message-Id: <199501052227.RAA07813@nda.nda.com>
In-Reply-To: from "Jonathan B. Horen" at Jan 5, 95 09:31:32 pm

> "Don't try this at home, kids" -- that is, if you aren't a good-enough
> Unix SysAdmin to have your basic site/machine configuration files
> set-up correctly, then you've got no business placing your employer's
> site/data in jeopardy.

The machine was set up correctly.
It had proper IP addresses and names for both interfaces, had the correct routes installed, and functioned normally on the net. The hosts file just didn't agree with what FW-1 wanted, and what FW-1 wanted wasn't documented.

> FireWall-1 is certainly not the only piece of 3rd-party software,
> commercial or otherwise, which expects to find that the contents of
> /etc/{aliases,group,hosts,passwd,services} (to name a few) actually
> reflect the reality of the machine/site and its users.
>
> What frightens *me* is how a professional system administrator can
> screw-up that "little-ole host file"!
>
> Where are you guys living, on Mars?!

Once again, the hosts file was perfectly normal. I've set up hosts files on Suns since '83, I'm not about to screw them up now. I've installed several hundred software packages, I've written significant quantities of quality code (check out the copyright on bootp in OSF-1, SunOS, and others sometime if you want to see how far back I've been doing this stuff), and our company has a lot of very satisfied clients. I'm not perfect and I've screwed up before, but this was not one of them.

The rest of your message goes on in a rather insulting manner, so I'll stop responding to it. Basically, the machine was configured correctly, the software was installed per the documentation, and the software then failed in a manner that left the network wide open. Once again I will state that the documentation is substandard and that no firewall product should fail in such a way that leaves your net wide open. When it failed to load my filter correctly, it loaded some other filter in a manner that I have yet to determine and that filter had absolutely no rules in it, so all traffic would pass through it.
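An added example, not code from FireWall-1 or from anyone on this thread, of the fail-closed behaviour the discussion argues for: a rule loader that falls back to deny-all on any load error, ends every rule set with an implicit deny, and accepts only literal IP networks so that no name lookup happens at load time (the rule syntax, the sample rule files and the addresses are invented here):

```python
"""Fail-closed rule loader (added example; not FireWall-1 code).

The thread describes a firewall that, when its filter could not be loaded,
ran with an empty filter and passed all traffic.  This loader shows the
opposite design: any error while parsing the rule file yields an explicit
deny-all policy, every loaded rule set ends with an implicit deny, and
rules may only name literal IP addresses, so no name lookup happens at
load time.  The rule syntax and the sample rule files are invented here.
"""
import ipaddress

# Constructed sample rule files.  Assumed format, one rule per line:
#   <allow|deny> <tcp|udp|any> <src-net> <dst-net> <dst-port|any>
GOOD_RULES = """\
# outbound web from the inside net (192.0.2.0/24 is a documentation prefix)
allow tcp 192.0.2.0/24 0.0.0.0/0 80
# inbound SMTP to the bastion host only
allow tcp 0.0.0.0/0 192.0.2.25/32 25
"""

BAD_RULES = """\
allow tcp 192.0.2.0/24 0.0.0.0/0 80
# a hostname instead of an address: the resolver is not trusted at load time
allow tcp 0.0.0.0/0 bastion.example.com 25
"""

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
DENY_ALL = [("deny", "any", ANY_NET, ANY_NET, None)]


class RuleError(ValueError):
    """Raised for any malformed rule; the loader treats it as fatal."""


def parse_rules(text):
    """Parse rule text into (action, proto, src_net, dst_net, dport) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # strip comments
        if not line:
            continue
        parts = line.split()
        if len(parts) != 5:
            raise RuleError(f"line {lineno}: expected 5 fields")
        action, proto, src, dst, port = parts
        if action not in ("allow", "deny"):
            raise RuleError(f"line {lineno}: bad action {action!r}")
        if proto not in ("tcp", "udp", "any"):
            raise RuleError(f"line {lineno}: bad protocol {proto!r}")
        try:
            # ip_network() rejects hostnames, so a rule can never depend on
            # /etc/hosts, NIS or DNS being correct.
            src_net = ipaddress.ip_network(src, strict=False)
            dst_net = ipaddress.ip_network(dst, strict=False)
            dport = None if port == "any" else int(port)
        except ValueError:
            raise RuleError(f"line {lineno}: literal IP networks and ports only")
        rules.append((action, proto, src_net, dst_net, dport))
    return rules


def load_policy(text):
    """Return (rules, loaded_ok).  Any load error falls back to deny-all."""
    try:
        rules = parse_rules(text)
    except RuleError:
        return list(DENY_ALL), False
    # Even a correctly parsed file ends with an implicit deny, so an
    # incomplete rule set cannot fail open.
    return rules + DENY_ALL, True


def decide(rules, proto, src, dst, dport, default="deny"):
    """First matching rule wins.  `default` is the engine's answer when no
    rule matches; an engine whose default is "allow" is exactly the
    failure mode discussed in the thread once the rule list is empty."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto != "any" and rproto != proto:
            continue
        if src_ip not in rsrc or dst_ip not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return default
```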
-David

From firewalls-owner Thu Jan 5 16:03:08 1995
From: aaron@sdt.com (Aaron Gair)
To: "Jonathan B. Horen"
Cc: firewalls@greatcircle.com
Subject: Re: Brief review of Firewall-1 - installation, support, failure modes
Date: Thu, 5 Jan 1995 16:39:47 -0600
Message-Id: <9501051639.ZM22964@shadow.sdt.com>
In-Reply-To: "Jonathan B. Horen" "Re: Brief review of Firewall-1 - installation, support, failure modes" (Jan 5, 9:31pm)

Jonathan,

Sorry sir, but you have come across this Dave gentleman in a very unprofessional manner. Grow up. An implicit deny to packets would have been good. Who else out here can modify one file and cause your firewall to OPEN ALL DOORS? Car/Gas analogy does not match computer/power analogy. Come on folks, this is not about whether you can keep your /etc/host file in line, it's about a product that many of you might have purchased, felt secure with, but now you're learning that there are things you might want to watch closely. This guy Jonathan probably left his firewall software at the end of his /etc/rc.local file as Al pointed out - I bet he changes it!

To the rest of the list:

For those of you following this conversation, don't let Jonathan spoil it for you.
As far as I'm concerned, I want to know when products have poor design flaws, or that a certain product that obviously claims to be for the novice could cause the novice a false sense of security. Face it, for those consultants on this list, products like these - that appear to be working and are fairly cheap - will put you out of business. I have a manager that preaches COTS all the time; I agree in most cases it is a good thing - but not for firewalls yet. Most of the good commercial packages out there come with professional consultants who customize the package to fit the needs of your site, not a reseller that will not respond to his customer. So let the guys/gals on this list speak their mind, as long as it does not stray from the proper topics. Some guys/gals will learn, some may already know.

Aaron - I normally would not respond this way, but it is hard enough for some people to speak their mind without rubbish like below.

On Jan 5, 9:31pm, "Jonathan B. Horen" wrote:
> Subject: Re: Brief review of Firewall-1 - installation, support, failure ,
> On Thu, 5 Jan 1995, David Kovar wrote:
> >
> > > Not trying to bash the product, but the feeling that a little-ole host file
> > > can totally make a product useless is frightening. Yes/No?
>
> "Don't try this at home, kids" -- that is, if you aren't a good-enough
> Unix SysAdmin to have your basic site/machine configuration files
> set-up correctly, then you've got no business placing your employer's
> site/data in jeopardy.
>
> FireWall-1 is certainly not the only piece of 3rd-party software,
> commercial or otherwise, which expects to find that the contents of
> /etc/{aliases,group,hosts,passwd,services} (to name a few) actually
> reflect the reality of the machine/site and its users.
>
> What frightens *me* is how a professional system administrator can
> screw-up that "little-ole host file"!
>
> Where are you guys living, on Mars?!
>
> > Quite.
> > And, as I said, if it was useless and passed no packets I'd
> > be a lot less concerned. In this case, it is useless and passes all
> > packets. A bad failure mode for a firewall.
>
> What did you expect from a piece of software which could not rely on
> *your* configuration files -- that it would do something *other* than
> to just allow "business as usual" to continue?
>
> What should have happened? a klaxon? the monitor blink on-and-off?
> Is this your first job? Haven't you ever been burned by the "software
> package from Hell" which, when something wasn't configured correctly,
> overwrote your root partition or something equally absurd?
>
> Was this the first piece of software you ever installed? Sheesh, *I'd*
> be embarrassed as all hell if something for which *my employer* paid
> $10,000 didn't work *because I f^cked-up*!! (and I sure wouldn't be
> writing letters to a mailing list, fer chrissakes!)
>
> "My car stopped running *right in the middle of the highway*!"
> "Hmmm... let's see... oh! it's *out of gas*!"
> "GAS!? You mean I have to put in *GAS*??? I paid $30,000 for the
> damn thing, and I have to put in GAS?? Oh! where's my Prozac?!"
>
> I'm surprised you've got a job, dude.
>
> version 0.85 -- and that was before there were any docs. I guess
> it must have something to do with the ozone layer, or that I grew
> up without television, I dunno. Must've been dumb luck -- that's
> it, just dumb luck...>
>
> -------------------------------------------------------------------------
> Jonathan B. Horen
> System/Network Manager                     Applicom Software Industries
> -------------------------------------------------------------------------
>
>-- End of excerpt from "Jonathan B.
Horen"

From firewalls-owner Thu Jan 5 17:05:02 1995
From: "Alastair Young"
To: David Kovar
Cc: aaron@sdt.com, firewalls@GreatCircle.COM
Subject: Re: Brief review of Firewall-1 - installation, support, failure modes
Date: Thu, 5 Jan 1995 16:31:12 -0800
Message-Id: <9501051631.ZM9685@cds1004>
In-Reply-To: David Kovar "Re: Brief review of Firewall-1 - installation, support, failure modes" (Jan 5, 2:13pm)
References: <199501051913.OAA04269@nda.nda.com>

On Jan 5, 2:13pm, David Kovar wrote:
> Subject: Re: Brief review of Firewall-1 - installation, support, failure m
> > > Not trying to bash the product, but the feeling that a little-ole host file
> > > can totally make a product useless is frightening. Yes/No?
> > >
> > > Aaron
> > >
> >
> > Not really, you should never use hostnames when configuring filters as the
> > name->address mapping is vulnerable, whether by hosts file corruption or NIS or
> > DNS spoofing. Use the IP addresses directly.
>
> The host file on the FW-1 machine is only used, apparently, when the
> FW-1 starts up. It knows the host*name* of the machine that it wants
> to load the filters from and looks up the IP address in the hosts table.
> Lacking source and documentation, it is hard to tell.
>

Urg. I think it is possible to store the filter in a local file and force it to load locally, using the remote loader for development. If it is possible to do this then this is the way to do it. It is necessary to do it this way if you want to keep your interfaces down till the filter is installed.

My eval ran out so I can't test this stuff..

Al
--
----------------------------------------------------------------------------
Alastair Young                                   _          This vehicle incapable
Cadence Design Systems, Information Services    )/___  _
555 River Oaks Parkway, 4B1                   __/(___)_*##/c     of evading low
San Jose CA 95134   Fax: (408)894-3487        / /\\|| \ / \
alastair@cadence.com (408)428-5278            \__/ ----'\__/     speed pursuit!
----------------------------------------------------------------------------
These statements and opinions are mine, not those of Cadence Design Systems

From firewalls-owner Thu Jan 5 17:06:36 1995
From: Joe Provo
To: firewalls@greatcircle.com
Subject: Re: PC using external service
Date: Thu, 5 Jan 1995 19:49:43 -0500
Message-Id: <9501060049.AA10009@romulus.ultranet.com>

jak@pot.hole.fi:
> You have a closed 1200+ PC-machine LAN, connected to the Net thru
> a BSDI+Firewall. One PC-end user in his days of wisdom decides to
> purchase a SLIP-connection to a local INet provider.
> He enables "IP
> Routing" from his Windows for Workgroups, and someone on the net "sees"
> or hears about this, and decides to route himself into the "firewalled"
> network thru this machine... Boom.
>
> I couldn't think of an easy way to disable this possibility, other
> than telling the end user not to do this. Any hints/ideas?

The answer, I think, would lie in
- only stocking your LAN with single-address/single-interface PCs
- only responsible and competent providers existing

Unfortunately for the industry, the latter is not as likely as the former.

[comments about those who would route arbitrary networks on their system undermining their own security (and business) deleted]

Joe Provo              Systems and Network Admin, UltraNet Communications Inc.
508.229.8400(voice)    jprovo@ultra.net
508.229.8111(data)     A network service provider in Marlboro, MA
                       mailto:info@ultra.net

From firewalls-owner Thu Jan 5 17:36:34 1995
From: Darren Reed
To: root@wu1.wl.aecl.ca (system PRIVILEGED account)
Cc: drc@ppt.com, firewalls@greatcircle.com
Subject: Re: spoofing TCP/SYN packets?
Date: Fri, 6 Jan 1995 11:48:08 +1100 (EDT)
Message-Id: <199501060052.QAA09412@miles.greatcircle.com>
In-Reply-To: from "system PRIVILEGED account" at Jan 5, 95 08:35:53 am

> >
> > On Tue, 13 Dec 1994, david r coelho wrote:
> > > My first line of defense for our network uses a router to filter
> > > out all new TCP sessions (e.g. with SYN).
> > > We let in all established
> > > sessions, and then do additional filtering with a firewall. The
> > > idea is that the router lets anything go out, but only lets
> > > established sessions come in.
> > >
> > > My question is, is there a vulnerability whereby the established
> > > incoming TCP packet could be used to open a new TCP session
> > > (say login, telnet, etc) or is the unix (SunOS in my case) kernel
> > > tight enough to reject these packets.
> >
> > New, as in to a new service/port, no...but...
>
> It would seem to me that if one host C were to snoop an active telnet
> session say, between hosts A and B, grab a string of frames, spray the
> receiving host B momentarily, then repeatedly spray host A (or knock down
> host A by some other means) while resending the copied string of frames
> and adding to them whatever one would like while also keeping the packet
> signatures the same -- that whomever is behind host C could become
> the new active session in place of A.

This is discussed in one of Steve Bellovin's papers on TCP/IP...

pext.ps - "Security Problems in the TCP/IP Protocol Suite"
Steven M. Bellovin, AT&T Bell Laboratories
smb@ulysses.att.com, Apr 1989.

CACM Vol 19, No. 2 is the one you want (I think).

> If the preceding BS is true, then what can any kind of firewall SW/HW
> do to detect such an intrusion, short of encryption strategies?
>
> Will FWTK detect such an intrusion?

No. Nothing will.
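An added example, not code from Darren's message or from anyone on this thread, of the router rule coelho describes ('established' means ACK set, bare inbound SYNs dropped) beside a stateful check that admits an inbound segment only when it matches a connection first seen leaving the inside network; the addresses, ports and the Segment layout are constructed for the example:

```python
"""Stateless 'established' rule versus a stateful check (added example;
not code from the thread).

coelho's router passes inbound TCP segments that look established (ACK
set) and drops inbound SYNs.  Because that test looks at one flag in each
packet in isolation, it cannot tell a reply to a connection opened from
inside from any other segment that happens to carry ACK.  The stateful
filter below remembers connections first seen leaving the inside network
and admits only inbound segments that match one.  Addresses, ports and
the Segment layout are constructed for this example.
"""
from dataclasses import dataclass

INSIDE_NET = "192.0.2."      # constructed inside prefix (documentation range)


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


def is_inbound(seg):
    return seg.dst.startswith(INSIDE_NET) and not seg.src.startswith(INSIDE_NET)


def stateless_filter(seg):
    """The router rule from the thread: outbound anything; inbound only if
    ACK is set (a bare SYN, i.e. a new session, is dropped)."""
    if not is_inbound(seg):
        return "allow"
    return "allow" if seg.ack else "deny"


class StatefulFilter:
    """Tracks connections opened from inside; inbound must match one."""

    def __init__(self):
        self.table = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def handle(self, seg):
        if not is_inbound(seg):
            if seg.syn and not seg.ack:      # inside host opening a connection
                self.table.add((seg.src, seg.sport, seg.dst, seg.dport))
            return "allow"
        key = (seg.dst, seg.dport, seg.src, seg.sport)
        if key in self.table and seg.ack:    # reply to a connection we saw
            return "allow"
        return "deny"                        # no state: drop, even with ACK set


def compare(stream):
    """Run both filters over a packet list; return a list of
    (stateless_verdict, stateful_verdict) pairs, one per segment."""
    sf = StatefulFilter()
    return [(stateless_filter(s), sf.handle(s)) for s in stream]


# Constructed traffic: one legitimate telnet session opened from inside,
# then an inbound segment with ACK set that belongs to no known connection,
# then an inbound bare SYN.
SAMPLE = [
    Segment("192.0.2.10", 1025, "198.51.100.5", 23, syn=True, ack=False),   # out: SYN
    Segment("198.51.100.5", 23, "192.0.2.10", 1025, syn=True, ack=True),    # in: SYN/ACK
    Segment("192.0.2.10", 1025, "198.51.100.5", 23, syn=False, ack=True),   # out: ACK
    Segment("203.0.113.7", 40000, "192.0.2.10", 23, syn=False, ack=True),   # in: ACK, no state
    Segment("203.0.113.7", 40001, "192.0.2.10", 23, syn=True, ack=False),   # in: bare SYN
]
```

The fourth segment is the interesting one: the stateless rule passes it because ACK is set, while the stateful filter drops it because no inside host ever opened that connection.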
Darren

From firewalls-owner Thu Jan 5 17:38:00 1995
From: Steve Moores
To: Jaakko Manninen
Cc: firewalls@greatcircle.com
Subject: Re: PC using external service
Date: Thu, 5 Jan 1995 20:21:06 -0400 (AST)
In-Reply-To: <199501052217.AAA08358@pot.hole.fi>

On Fri, 6 Jan 1995, Jaakko Manninen wrote:

> You have a closed 1200+ PC-machine LAN, connected to the Net thru
> a BSDI+Firewall. One PC-end user in his days of wisdom decides to
> purchase a SLIP-connection to a local INet provider. He enables "IP
> Routing" from his Windows for Workgroups, and someone on the net "sees"
> or hears about this, and decides to route himself into the "firewalled"
> network thru this machine... Boom.
> I couldn't think of an easy way to disable this possibility, other
> than telling the end user not to do this. Any hints/ideas?

Yes, IMHO; ensure that your firewall has much higher speed connectivity than the user with a modem can get from a service provider; ensure that ALL the users' requirements are met (e.g. ANY kind of outgoing connection) and ensure that the users know how to use the available services. Further, make certain they know how to reach you and know that you are willing to help them with their connectivity problems.
When they call on you for help, take responsibility to solve their problem. After all that there is no reason for them to waste their money paying a service provider for something they already have at a superior level of service and support. Of course while you (or someone you delegate) is doing all these wonderful and helpful things for them, there is the opportunity to educate.

Most 'problems' still come from the inside; your own shop must be in order and properly servicing the users before it really matters when it comes to external threats. If you make your firewall too restrictive, they will try to tunnel out from the INSIDE as well as the outside trying to get in.

Unfortunately, I am very much aware of "Organizations" that have set up restrictive firewalls on their WAN, only to have the user community at another site (WAN connected) lay all their efforts to waste... even to the point of ordering up their *OWN* unprotected full-time connection and plugging it into the WAN because the existing connectivity was not there, not supported or inconvenient, always down or for any other reason that prevents them from using it to do what it is they need to do.
Kindest regards,
--
Steve Moores      | Canadian Coast Guard College
Computer Services | Sydney, Nova Scotia, Canada

From firewalls-owner Thu Jan 5 17:47:09 1995
From: David Kovar
To: alastair@cadence.com (Alastair Young)
Cc: aaron@sdt.com, firewalls@GreatCircle.COM
Subject: Re: Brief review of Firewall-1 - installation, support, failure modes
Date: Thu, 5 Jan 1995 19:38:41 -0500 (EST)
Message-Id: <199501060038.TAA10125@nda.nda.com>
In-Reply-To: <9501051631.ZM9685@cds1004> from "Alastair Young" at Jan 5, 95 04:31:12 pm

> Urg. I think it is possible to store the filter in a local file and force it to
> load locally, using the remote loader for development. If it is possible to do
> this then this is the way to do it. It is necessary to do it this way if you
> want to keep your interfaces down till the filter is installed.
>
> My eval ran out so I can't test this stuff..
>
> Al

The filter is in a local file. I'll beat on the scripts more to see if I can make it load differently. I definitely want to tune the scripts for other reasons.
-David

From firewalls-owner Thu Jan 5 18:06:49 1995
From: tkevans@fallst.es.dupont.com
Reply-To: tkevans@eplrx7.es.duPont.com
To: jak@pot.hole.fi (Jaakko Manninen)
Cc: firewalls@GreatCircle.COM
Subject: Re: PC using external service
Date: Thu, 5 Jan 1995 20:18:54 -0500 (EST)
Message-Id: <9501060118.AA14842@fallst.es.dupont.com>
In-Reply-To: <199501052217.AAA08358@pot.hole.fi> from "Jaakko Manninen" at Jan 6, 95 00:17:05 am

Sez Jaakko Manninen (for which I'm grateful):
>
>
> Has anyone looked into the possibility of a user on a network under
> a Firewall running a SLIP/etc connection? Example.
>
> You have a closed 1200+ PC-machine LAN, connected to the Net thru
> a BSDI+Firewall. One PC-end user in his days of wisdom decides to
> purchase a SLIP-connection to a local INet provider. He enables "IP
> Routing" from his Windows for Workgroups, and someone on the net "sees"
> or hears about this, and decides to route himself into the "firewalled"
> network thru this machine... Boom.
>
> I couldn't think of an easy way to disable this possibility, other
> than telling the end user not to do this. Any hints/ideas?
>

I've just been reading about a package called "The Internet Adaptor," which purports to set up a "pseudo-slip" link over an ordinary dialup link. What's to keep the PC user from dialing in and routing the "pseudo-SLIP" connection out to another network his PC is connected to?

-- 
Tim Evans                    | E.I. du Pont de Nemours & Co.
tkevans@eplrx7.es.dupont.com | Experimental Station
(302) 695-9353/7395          | P.O. Box 80357
EVANSTK AT A1 AT ESVAX       | Wilmington, Delaware 19880-0357

From firewalls-owner Thu Jan 5 18:08:04 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA08811 for firewalls-outgoing; Thu, 5 Jan 1995 16:16:20 -0800
Received: from xroads.vthrc.uq.oz.au (xroads.vthrc.uq.oz.au [130.102.4.16]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA01459 for ; Sun, 1 Jan 1995 16:33:37 -0800
Received: (mailwrap@localhost) by xroads.vthrc.uq.oz.au (8.6.9/8.6.3) id KAA27840 for ; Mon, 2 Jan 1995 10:27:21 +1000
Received: from arundel.vthrc.uq.oz.au(130.102.4.21) by xroads.vthrc.uq.oz.au. via smap (V1.3mjr) id sma027833; Mon Jan 2 10:26:57 1995
X-Sender: thomas@pop3.vthrc.uq.oz.au.
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 2 Jan 1995 10:27:37 +1000
To: firewalls@GreatCircle.COM
From: Danny Thomas
Subject: Re: Router software for PC
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

mfrank@ftc.gov (Mike Frank) writes:
>But if I were gonna build a router (in my case, for home) from spare
>parts and a couple of hundred bucks, well:
>
>1) Nowadays, castoff PCs are the like of 386sx, 386DX16, or 386DX25,
>since windows makes them seem dog slow.
>2) You can't get better networking than a Unix OS
>3) You (probably) can't get better Unix networking than from BSD Unix
>(where better is defined as the whole enchilada, route, arp, reverse arp,
>proxy arp, rip and ospf (gated), etc.
>4) You can't get a much cheaper BSD Unix than FreeBSD
>
>I'm looking seriously at building a PC based unix box for home specifically
>for routing and PPP connection service to work.

all valid (except I prefer NetBSD), but if you're not a unix weenie or wannabe then I think you've got less likelihood of security problems with PCRoute (which I'm still using). Also note the recent posting of how disabling gatewaying in NetBSD still sees source-routed packets being passed. I don't know what PCRoute does with source-routed packets, though Drawbridge drops 'em. BTW PCRoute is IP-only, whereas Drawbridge passes other protocols, even the AppleTalk zones and servers you'd prefer to not make public. Peer-to-peer networking places a lot of responsibility onto naive end-users, which is a worry when you don't have the mechanisms to protect them.

smb@research.att.com writes
>If you can live with a filtering bridge instead of a router, check
>out the TAMU package.

agreed. I have only seen the Cisco etc packet-filtering from postings on this list, but I think the following is a bit easier to grasp and to logically combine into higher level rule-sets: BTW the '!' means don't pass

....
# make a special definition for stuff we particularly want to stop
# the main advantage of this definition is when we create a class
# that isn't based on default. By adding a verboten clause it
# adds all of these. It is unlikely that any of these services would
# be added deliberately to any rule, but by explicitly denying
# these we are covering ourselves from most errors in a rule
# However a question is with rules as simple as 'gateway'. If I
# was to add a verboten clause would it be any safer?
# And if verboten
# included some services instead of being totally exclusionary, then
# those services would be added. A pragmatic probabilistic decision.
define bad-rep ,        # these are particularly bad
        ,               # OpenWindows
        ,# and first hundred X windows consoles
        , ,             # RPC and NFS-default
        , , , ,         # and now for a group of UN*X services.
                        # If some of these shouldn't be filtered,
                        # it is just my ignorance showing.
        , , , , , , , , ;
# naturally these don't have an official name
define unassigned , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ;
define reserved # , , , , , ;
# but discarding historic protocols is less clear-cut
# it may be that in a diverse population there are some users happily
# using historic protocols and who don't have an easy migration path.
# Then again there may be vestigial servers hanging around with security
# bugs that aren't well-known and aren't likely to be discovered except
# by people with time and motivation on their hands.
define historic , , , , , , , , #
        , , , , , , , , , , , , , , , , , , , , , , , , ;
# my *guess* is that these are effectively historic too
define private , ,      # any private mail system
        , ,             # any private printer server
        , ,             # any private terminal access
        , ,             # any private file service
        , ,             # any private dial out service
        , ,             # any private RJE service
        , ;             # any private terminal link
# including the unassigned, etc results in too many classes
# you can increase CLASS_SIZE from 32, but it seems you also
# have to alter something in the filter source code. What's
# particularly bad is that filter accepts the files without
# complaint - but the filtering is all screwed up!
# define verboten bad-rep, unassigned, reserved, private, historic;
define verboten bad-rep, historic;
# this tends to go against the standard advice.
# here we explicitly allow everything
# maybe should be split to disallow all privileged ports?
define default-tcp <1-65535/tcp out>;
define default-udp <1-65535/udp out>;
# the idea is that default-std should not filter *any* services
# we may want to run on *some* of our hosts. That way our servers
# can be based on default-base...
# if we wanted to allow ftp or telnet to some of our servers, we'd
# just remove the appropriate clause because default would still
# apply the ftp-default and telnet-default clauses
# ident is specifically allowed here
#
# NOTE: I think it is important to state what this base describes
# from inside : to anything
# from outside : only to ident
# BUT all verboten traffic is dropped
define default-base verboten, default-tcp, default-udp, no-ftp-in, no-telnet-in, ident-default;
# restricting the default to non-privileged ports may slightly restrict
# the ability of people hacking *from a PC or mac inside* our network
# to bypass source-port filtering, not that I think that is a useless
# filtering policy in its own right but it certainly doesn't improve
# your guaranteed level of security.
define non-server ,     # allow identity? # is client from > 1023?
        ;               # Eudora's SMTP & POP3 (client) connections seem to be from > 1023
#
# I don't know if the next line is feasible. Because udp is connectionless
# we can't filter only on the basis of connection-initiation. This ability
# is the basis that allows tcp clients, at arbitrary ports, to receive
# packets back from the server. Then again how many useful clients on
# macs and pcs are udp-based?
#       ;               # answer ntp?
# MacTCP's resolver seems to initiate from high ports
# but on top of the default-base these clauses add
# from inside : nothing can be added but some restrictions
# from outside : ftp data channel
define default default-base, non-server, rip-default, dns-default, smtp-default, pop3-default, ftp-default, telnet-default, snmp-default;

.... defines for particular hosts in our subnet...
cheers,
Danny Thomas (D.Thomas@vthrc.uq.edu.au)

ftp://ftp-boi.external.hp.com/pub/printers/laserjet/doc/4plfaq.txt
>TCP/IP stands for Transmission Control Protocol/Internet
>Protocol, a de facto industry-standard communication service
>for multivendor networks built around OSI.
                                     ^^^
truly rooly?

From firewalls-owner Thu Jan 5 19:06:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA11184 for firewalls-outgoing; Thu, 5 Jan 1995 18:38:04 -0800
Received: from oc.rjl.com (oc.rjl.com [129.189.184.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA11179 for ; Thu, 5 Jan 1995 18:37:58 -0800
Received: by oc.rjl.com id <184855>; Thu, 5 Jan 1995 18:35:45 -0800
Date: Thu, 5 Jan 1995 18:35:41 -0800
From: Rob Liebschutz
To: firewalls@GreatCircle.COM, Joe.Judge@FMR.Com
Subject: Re: bsdi and secureID (access?)
Message-ID:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> What are other BSDI gateway folks using to securely access
> their machines? (skey, secureID, homebrew stuff, etc?)
> Or, has anyone gotten past the BSDI os versus secureID
> problems?

I mostly use skeys. It works well when the user at the remote end has a PC/MAC or Unix box to compute the password. The version in Wietse Venema's logdaemon package (available via anon ftp to FTP.win.tue.nl) compiles and runs under BSDI.

If you still need something with the profile of a keycard, Enigma Logic offers several different key card encryption based systems, and the last time I talked to them they told me that support for BSDI (or custom porting to other OS's) was no problem for them. I have no personal experience with their products, other than having investigated them. At the last minute, my client changed his mind and decided that skey was an acceptable solution for them. I did talk to someone that used their products and he was using their gold (probably the top of the line) DES based card and was very happy with them.
Unlike the Security Dynamics cards, the Enigma gold card is not dependent upon any kind of clock synchronization which could cause them to fail if the card gets out of sync with the host software (I've heard that this does happen with the SD cards).

Enigma Logic is at (800) 333-4416 or (510) 827-5707. The person that I talked to was Tom Brady.

Rob

From firewalls-owner Thu Jan 5 19:36:30 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA11403 for firewalls-outgoing; Thu, 5 Jan 1995 18:49:42 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA11398 for ; Thu, 5 Jan 1995 18:49:37 -0800
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA14802; Thu, 5 Jan 95 21:19:51 -0500
Date: Thu, 5 Jan 95 21:19:51 -0500
Message-Id: <9501060219.AA14802@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Being polite...
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

...is right but being rude would have gotten you shot in Saigon:

>What should have happened? a klaxon? the monitor blink on-and-off?
>Is this your first job? Haven't you ever been burned by the "software
>package from Hell" which, when something wasn't configured correctly,
>overwrote your root partition or something equally absurd?

Not my first job but IMHO a security product must first guarantee its own integrity before proceeding. Executing but doing nothing is like the sailor assigned to weigh fire extinguishers who every month writes down "35.1 lbs" when the full weight is 50+ but does nothing else (thanks Steve). If *anything* looks suspicious it should post a warning (hopefully meaningful) and exit, not continue as if everything is OK.
The fact that the user is a sysadmin type who has never been properly trained is unfortunately the rule in corporate America not the exception. How many here have ten years' experience? Five? Doesn't matter that firewalls did not exist outside of a few homebrews (Hi B&S) and concepts (Hi Earl) even four years ago. Back then security was an air-gap and a sneakernet. Further connects were mostly of the 2400 baud variety with a few 9600 and high class joints had 56s. Trying to open 30,000 ports just was not done. Every student in the dorm didn't have a $50 10Base-T card or anything to plug it into.

Sorry but at the NCSC bash this year the halls were full of people who didn't know what a firewall was (but knew they needed to find out - fast). A lot I talked to were very knowledgeable in Ethernet/Novell/Banyan/DecNet/SNA but had no experience in TCP/IP. Suddenly they need to know but just because they are not instant experts today does not mean they will not be tomorrow. And tomorrow is when they are going to be buying products from the same people whose products kept them out of trouble today, not those who just sat there.

The bottom line is that firewalls and the whole Internet security/encryption/USABILITY field is exploding and any product that expects a half-life of over six months is probably not going to make it. What is put up with today will be considered unusable tomorrow. We are still in the linear portion of the quantum economic curve and vendors will be well advised to act accordingly. I have seen this happen in four different industries during my career, this makes number five.
Warmly,
Padgett

From firewalls-owner Thu Jan 5 20:04:54 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA11834 for firewalls-outgoing; Thu, 5 Jan 1995 19:30:37 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id TAA11826 for ; Thu, 5 Jan 1995 19:30:29 -0800
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA14868; Thu, 5 Jan 95 21:54:07 -0500
Date: Thu, 5 Jan 95 21:54:07 -0500
Message-Id: <9501060254.AA14868@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Some day I'll learn...
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

...not to make so many obscure references:

1) The "Dutch Hacker" tape (VHS) 30 minutes Never The Same Colour: as of last year it was available for U$10.00 from 2600 magazine (horrors) POB 752, Middle Island, New York, 11953 USA - you can call 516-751-2600 and ask for the guy with the leather hat but I would not give out a credit card number 8*).

2) PCs dunno but I suspect we have a coupla thousand licenses for software that includes among other things the ability to be both SMTP and FTP *servers*. I suspect that if they read the instruction books, many companies will find that they have the same thing since many of the popular packages include it. Telnetd is free. Macintoshes are worse. I suspect that most people would be amazed how many .coms are nothing more than a PC with Novell-DOS 7.0 multitasking an SMTP and FTP server and a 14.4 modem connection to a provider (heck - I know of a class B domain in NYC whose connection/email server is exactly that - don't ask).

3) The nice part is that my personal mail server is an "obsolete" 386sx-16 with 40 Mb drive, 2 Mb of 80 ns memory, and a 3C503.
The last three such I brought home came from a corporate surplus sale for U$10.00 each. The one behind me I pulled out of the salvage pile. Have real-time mail while the one on my desk is never tied up for such things. *Real* multi-processing and the only port that can be opened is 25.

4) Answer to the modem/PPP/SLIP-on-the-desk is modem registration and periodic sweeps of our phone lines (five digit dialing makes for fast connections) for Things Which Respond. We authorize special modem lines for those who need them - auto-answer requires a briefing but woe betide the owner of a non-registered modem, they tend to disappear and the supervisor must come down to claim it.

5) Have been running "socket2me" periodically on local lines to do the same for E-net, fact that all nodes are registered down to their MAC address helps. With c.a. 30 ms response times does not take long particularly with YAPC dedicated to the task. Have not yet figured out a way to automate checking the AppleShare zones for open guest accounts but only takes about an hour (didn't say couldn't - just haven't - know of a company with a product that will allow me to do it from a PC & am waiting for that.)

6) And it works. On essentially zero budget and capital expense (didn't say I was cheap though 8*).
You get the idea,
Padgett

From firewalls-owner Thu Jan 5 20:06:30 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA12229 for firewalls-outgoing; Thu, 5 Jan 1995 19:55:59 -0800
Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id TAA12224; Thu, 5 Jan 1995 19:55:55 -0800
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 5 Jan 1995 19:54:50 -0800
To: Wulf Losee , firewalls@GreatCircle.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: FW: PC Take-Over -- reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 10:06 1/5/95, Wulf Losee wrote:
>Correct me if I'm wrong (please!), but since DOS and regular Windows (both
>Windows 3.x and Windows for Warehouses) are not multitasking,
>multithreading operating systems it would be impossible to subvert these
>systems unless the cracker were dialing in through a modem or actually
>sitting at the PC's console.

There are commercial packages (like Timbuktu from Farallon; don't know if it's available for Windows, or only for Mac) that, if installed on a machine, let someone "take over" control of that machine as if they were sitting in front of it; input is read from the remote user's keyboard, and output goes to the remote user's display (possibly shadowed to the real display; I don't know). There's probably nothing to stop one of your users from installing such a package, so that they can work from home or something. Timbuktu, at least, can be accessed via TCP/IP. I have no idea what its authentication mechanisms are, or how good they are; I wouldn't be surprised if it's a simple password sent over the net in the clear, though, and we all know how good users are at choosing passwords, and the vulnerabilities of sending it over the net in the clear.
So, the answer really comes down to "it depends on what software you're running on your Mac/PC". It doesn't matter if the machine is running NT, Windows, UNIX, MacOS, or whatever; what matters is what software is there listening for incoming connections, and therefore subject to attack. Here on the Macs in my office, I don't run any software that listens for incoming connections, therefore I don't worry much about giving the Macs free and unrestricted access to the Internet.

-Brent

-- 
Brent Chapman         | Great Circle Associates | Call or email for info about
Brent@GreatCircle.COM | 1057 West Dana Street   | upcoming Internet Security
+1 415 962 0841       | Mountain View, CA 94041 | Firewalls Tutorial dates

From firewalls-owner Thu Jan 5 20:32:18 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA11933 for firewalls-outgoing; Thu, 5 Jan 1995 19:38:37 -0800
Received: from ns.mci.net (ns.mci.net [204.70.128.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id TAA11926 for ; Thu, 5 Jan 1995 19:38:30 -0800
Received: from occam (occam.Reston.mci.net [204.70.130.95]) by ns.mci.net (8.6.9/8.6.6) with SMTP id WAA13492 for ; Thu, 5 Jan 1995 22:36:26 -0500
Message-Id: <199501060336.WAA13492@ns.mci.net>
X-Sender: krumviede@alpha1.reston.mci.net
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 05 Jan 1995 22:35:02 -0500
To: firewalls@greatcircle.com
From: paul@mci.net (Paul Krumviede)
Subject: Re: PC using external service
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Strictly speaking, if someone purchases such a SLIP connection, the entity from which that connection was purchased shouldn't actually advertise a route to the internal network out to the rest of the world (I'd think they would most likely provide the SLIP account purchaser with an address out of the SLIP provider's address space).
Secondly, I don't think the major network service providers would accept a route to your internal network unless the SLIP service provider was perverse enough to register it in the appropriate routing registry (or registries if being truly perverse). So the advertisement, if there was one, might not get very far.

Of course, source routing could still subvert that. Try to make sure people have boxes that won't do anything with source-routed packets (other than drop them, that is), and that won't advertise routes (and you might want to look for every box that does advertise a route and see if you think it should be).

Stocking the LAN with single interface PCs (or other boxes) doesn't stop people from going and getting modems. Then they need an analog line, and if they can't get one off the PBX they may be able to order a business line, bypassing the PBX. It gets really hard to find all the ways somebody can bypass the administrative channels...

Education is the big thing (at least imho). Explaining why this isn't such a good thing, and why the company (or other institution) dislikes it, might help convince people not to do this.

-paul
---------------------------------------------------------------------------------

At 07:49 PM 1/5/95 -0500, Joe Provo wrote:
>
>jak@pot.hole.fi:
>> You have a closed 1200+ PC-machine LAN, connected to the Net thru
>> a BSDI+Firewall. One PC-end user in his days of wisdom decides to
>> purchase a SLIP-connection to a local INet provider. He enables "IP
>> Routing" from his Windows for Workgroups, and someone on the net "sees"
>> or hears about this, and decides to route himself into the "firewalled"
>> network thru this machine... Boom.
>>
>> I couldn't think of an easy way to disable this possibility, other
>> than telling the end user not to do this. Any hints/ideas?
>The answer, I think, would lie in
> - only stocking your LAN with single-address/single-interface PCs
> - only responsible and competent providers existing
>
>Unfortunately for the industry, the latter is not as likely as the former.
>
>[comments about those who would route arbitrary networks on their system
>undermining their own security (and business) deleted]

From firewalls-owner Thu Jan 5 20:36:38 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA12773 for firewalls-outgoing; Thu, 5 Jan 1995 20:21:44 -0800
Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id UAA12768; Thu, 5 Jan 1995 20:21:41 -0800
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU via SMTP; Thu, 5 Jan 1995 23:20:11 -0500
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-5.67b/res.client.cf-3.7) id AA06185; Thu, 5 Jan 1995 23:20:10 -0500
Date: Thu, 5 Jan 1995 23:20:10 -0500
From: long-morrow@CS.YALE.EDU (H Morrow Long)
Message-Id: <199501060420.AA06185@SPARKY.CF.CS.YALE.EDU>
To: Brent@GreatCircle.COM, WLosee@Getty.Edu, firewalls@GreatCircle.com
Subject: Re: FW: PC Take-Over -- reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 10:06 1/5/95, Wulf Losee wrote:
>Correct me if I'm wrong (please!), but since DOS and regular Windows (both
>Windows 3.x and Windows for Warehouses) are not multitasking,
>multithreading operating systems it would be impossible to subvert these
>systems unless the cracker were dialing in through a modem or actually
>sitting at the PC's console.

Many of the Mac, PC and Windows TCP/IP packages I've seen make it very easy for any user to accidentally enable an anonymous or unpassworded FTP server mode with the flick of the mouse button. The original NCSA Telnet for the Mac automatically enabled anyone to ftp into your Mac whenever you telnetted out unless you turned off the inbound FTP option.
Only in the later versions was this fixed and an easy way to set passwords implemented. Many users obtained, installed and ran the early NCSA telnet and were blissfully unaware that anyone could 'ftp -n IPaddress' into their Mac and steal their financial spreadsheets (even scarier -- update them and write them back to the Mac's HD w/o anyone the wiser).

In many Windows TCP/IP s/w suites you can turn on an FTP server. In at least 2 (to remain nameless) this immediately means that anyone can ftp into your PC, get a directory listing of your hard disk and read and write any file on the disk with abandon. This is an accident waiting to happen. Which is one of the reasons that firewalls exist.

- Morrow

From firewalls-owner Thu Jan 5 20:57:30 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA12945 for firewalls-outgoing; Thu, 5 Jan 1995 20:36:07 -0800
Received: from taureau.as03.bull.oz.au (taureau.as03.bull.oz.au [134.211.128.112]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id UAA12940 for ; Thu, 5 Jan 1995 20:35:57 -0800
Received: by taureau.as03.bull.oz.au id AA29381 (5.65c/IDA-1.4.4 for firewalls@greatcircle.com); Fri, 6 Jan 1995 16:00:30 +1100
Received: from localhost (sjg@localhost [127.0.0.1]) by zen.void.oz.au (8.6.9/8.6.9) with SMTP id JAA00401; Fri, 6 Jan 1995 09:05:21 +1100
Message-Id: <199501052205.JAA00401@zen.void.oz.au>
X-Authentication-Warning: zen.void.oz.au: Host localhost didn't use HELO protocol
To: "Alastair Young"
Cc: "Steve J. Sibert" , firewalls@greatcircle.com
Subject: Re: Email monitoring
In-Reply-To: Your message of "Wed, 04 Jan 95 10:54:59 -0800." <9501041055.ZM7838@cds1004>
Date: Fri, 06 Jan 1995 09:05:19 +1100
From: "Simon J. Gerraty"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> If using "sendmail" just uncomment the "mail.debug" line in your
> /etc/syslog.conf file
>
> mail.debug /var/log/syslog

And have a _lot_ of disk space handy :-)

Actually, mail.info is all you need and is usually logged, so just have a look at /etc/syslog.conf to see where it's going. You get entries such as:

Jan 5 15:10:09 zen sendmail[17136]: PAA17136: from=greatcircle.com!firewalls-owner, size=2067, class=-60, pri=140067, nrcpts=1, msgid=<9501050234.AA09713@uvs1.orl.mmc.com>, proto=UUCP, relay=uucp@localhost
Jan 5 15:10:09 zen sendmail[17136]: PAA17136: to=sjg, delay=00:00:01, stat=queued
Jan 5 15:13:29 zen sendmail[17151]: PAA17136: to=sjg, delay=00:03:21, mailer=local, stat=Sent

That tells you who from, who to and how much, sadly across multiple entries though.

--sjg

From firewalls-owner Thu Jan 5 22:06:27 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA13874 for firewalls-outgoing; Thu, 5 Jan 1995 22:00:06 -0800
Received: from tamiya.llnl.gov (tamiya.llnl.gov [128.115.15.50]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id VAA13849 for ; Thu, 5 Jan 1995 21:59:57 -0800
Received: from [128.115.138.237] (fswiftmac.llnl.gov) by tamiya.llnl.gov (4.1/LLNL-1.18) id AA24730; Thu, 5 Jan 95 21:57:24 PST
X-Sender: swift@tamiya.llnl.gov
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Priority: 1 (Highest)
Date: Thu, 5 Jan 1995 21:56:49 -0800
To: disclosure@elmegil.bradley.edu, ids@uow.edu.au, Problems@tdr.com, probsite-l@mcc-care.com, Firewalls@greatcircle.com
From: uncl@llnl.gov (Frank Swift @ Home)
Subject: INTRUDERS ARE HERE
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

1. Apology in advance to those who receive more than once; howsomever, that's what the delete key is for.

2.
Down and Dirty: Mid-December, someone started up in Texas, jumped to a commercial site on the east coast, jumped to one of our computers, jumped to an .edu site near here and then went to a commercial site and trashed some files. That's history.

3. On 15 December, I sent the following to the onsite administrators:

"What's going on: A couple of systems have been penetrated here and at other National Laboratory sites. Some are suspected of sniffers and trojaned login files. Some .log files were truncated. CSO's [LLNL Computer Security Organization] damage assessment is underway now. What we specifically know at this point was that the individual logged in as Root, deleted log files and the application that was supposed to watch them. The source appears to be someone who found a security hole in a major network provider and was busy for a while until the configuration management software detected an error.

Before the "what line" gets flooded, let's get back to the square one basic good business practice checklist:
a. all patches installed?
b. minimum numbers for root access?
c. smart card or one-time password for root access?
d. passwords changed recently?
e. checked configuration?
f. proactive security management?
g. checked for sniffers?
h. deleted dormant/gone users?
i. reviewed the CSO hacker workgroup report?
j. know where your sensitive stuff is and how well it is protected?

[..] (who to call at LLNL)

Make sure Computer Security at LLNL is informed of our problems; we can't help you solve them if we are not told. Use applications such as SPI 3.2.1 (available only to DOD/DOE Sites), Tripwire, XWatch and Watch. Be more observant of your log and wtmp files. Remember, it's the season to expect unexpected 'presents'."

4. Today, I received DDN Bulletin 9501 which reported that there has been an increase in reports of root compromises caused by intruders using tools to exploit a number of Network File System (NFS) vulnerabilities. Sound familiar?

5.
The post holiday season is probably a good time to review some of our "orphans" out there. They are the ones that traditionally get had. Check 'em out.

6. I'm hot now! It seems that something has been going on for about two months and I've been left in the dark again until one of my systems has been had. Have any of you experienced NFS, root grabs, increase in Sniffer activity, or automated attacks? Sure was awful damn quiet for a traditional holiday vacation period. ANYONE want to share anything? I thought that's what we were all about: protecting ourselves, our data, our users and our customers.

CHECK THOSE LOGS AND WTMP FILES

frank

Frank Swift L-321 (Sent from Home)
Unclassified Computer Security Coordinator
Lawrence Livermore National Laboratory (LLNL)
7000 East Avenue L-321
Livermore CA 94550-9516
Voice: (510) 422-1463 FAX: (510) 423-0913

From firewalls-owner Thu Jan 5 22:42:33 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA14265 for firewalls-outgoing; Thu, 5 Jan 1995 22:30:36 -0800
Received: from northshore.ecosoft.com (northshore.ecosoft.com [192.233.85.129]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id WAA17030 for ; Mon, 2 Jan 1995 22:47:02 -0800
Received: from berthc7.shore.net (berthc9.shore.net) by northshore.ecosoft.com with SMTP id AA18020 (5.67a/IDA-1.5 for ); Tue, 3 Jan 1995 01:47:04 -0500
Date: 3 Jan 1995 00:45:00 GMT
From: tiac.net@tiac.net (by way of vin@shore.net (Vin McLellan))
To: Firewalls@greatcircle.com
Reply-To: wsanders@lotus.com
Subject: HELP: TIS TOOLKIT and TELNET PROXY USING HIGH PORTS
Organization: The Internet Access Company
Path: shore.shore.net!noc.near.net!news3.near.net!news2.near.net!howland.reston.ans.net!news.sprintlink.net!sundog.tiac.net!usenet
Newsgroups: comp.security.unix,comp.sys.sun.admin
Lines: 25
Message-Id: <3ea6mc$gtb@sundog.tiac.net>
Nntp-Posting-Host: ptown.com
X-Newsreader: IBM NewsReader/2 v1.07
Xref: shore.shore.net comp.security.unix:10936
  comp.sys.sun.admin:43040
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have successfully installed the TIS TOOLKIT on a SUN SPARC330 running 4.1.3. I have everything working, but users cannot telnet via the PROXY to non-standard telnet ports (non port 23). I contacted TIS and they said it is client dependent and I was on my own. Well, I figured as much, you get what you don't pay for.

I looked at some sessions and I can see the client sending out packets to the Server, but the Server never sends the telnet screen data back. (I can perform normal telnet (no proxy) from this machine to the same external non telnet port as above test.)

Anyway, has anyone else had better luck at getting the TIS Telnet Proxy working to non standard telnet ports ie: "c xxx.yz.com 4000"? I like the proxy, but my end users don't like the non working telnet to port 1000 to get the latest weather. (I wish I had this idle time)

Also the TIS tech said they put the client into a "rawmode" and some clients cannot handle this? What is rawmode?

Any info on your successes would be great!!!!

Bill Sanderson
wsanders@lotus.com

From firewalls-owner Thu Jan 5 22:59:35 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA14005 for firewalls-outgoing; Thu, 5 Jan 1995 22:20:32 -0800
Received: from access1.digex.net (sorrywedontgiveoutthisinformation@access1.digex.net [164.109.10.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id WAA13996 for ; Thu, 5 Jan 1995 22:20:23 -0800
Received: by access1.digex.net id AA10026 (5.67b8/IDA-1.5 for firewalls@greatcircle.com); Fri, 6 Jan 1995 01:18:53 -0500
From: Don Krapf
Message-Id: <199501060618.AA10026@access1.digex.net>
Subject: Re: spoofing TCP/SYN packets?
To: firewalls@greatcircle.com
Date: Fri, 6 Jan 1995 01:18:52 -0500 (EST)
In-Reply-To: <9501051704.AA01991@tidtest.total.fr> from "Michel Lavondes" at Jan 5, 95 05:03:58 pm
X-Mailer: ELM [version 2.4 PL24beta]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1803
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Michel Lavondes writes:
>
> system PRIVILEGED account wrote :
> >
> > It would seem to me that if one host C were to snoop an active telnet
> > session say, between hosts A and B, grab a string of frames, spray the
> > receiving host B momentarily, then repeatedly spray host A (or knock down
> > host A by some other means) while resending the copied string of frames
> > and adding to them whatever one would like while also keeping the packet
> > signatures the same -- that whomever is behind host C could become
> > the new active session in place of A.
> >
> > If the preceding BS is true, then what can any kind of firewall SW/HW
> > do to detect such an intrusion, short of encryption strategies?
> >
> > Will FWTK detect such an intrusion?
> >
>
> Assuming that the packets flowing between A and B don't go through a
> compromised router (ie one that would of its own "volition" divert/copy
> to C packets to/from B,) the only way that C could do the hosing would
> involve using IP source route header options, since the IP source/dest.
> address must still be that of B. In that case, blocking IP source-routed
> packets on the screening router (the one that connects to the service
> provider) should do the trick. cisco boxen can do it, others also should.
>
> Am I being hopelessly naive ?

Unfortunately, yes. There are various ways to spoof a host and hijack a TCP connection. You could use a router based attack to persuade a router to send the packets through you, or you could attack host B to get it off the net and let you grab its packets. Since the packets you (host C) generate could be identical to the packets from host B, there is no way a firewall could detect it.

Don
--
dkrapf@access.digex.net    | See Clearly
dkrapf@hermes.acm.rpi.edu  | Think Clearly

From firewalls-owner Fri Jan 6 01:07:03 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA16353 for firewalls-outgoing; Fri, 6 Jan 1995 00:45:25 -0800
Received: from versant.com (versant.com [192.70.173.43]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id AAA16348 for ; Fri, 6 Jan 1995 00:45:20 -0800
Received: from gwarn.versant.com by versant.com (4.1/SMI-4.1) id AA14860; Fri, 6 Jan 95 00:46:38 PST
Message-Id: <9501060846.AA14860@versant.com>
To: jwelfeld@dasw.com (Joe Welfeld)
Cc: firewalls@greatcircle.com, strick@gwarn.versant.com
Subject: infilt (Re: SPARC IPC - packet filter)
In-Reply-To: Your message of "Thu, 05 Jan 95 13:40:58 EST." <9501051840.AA10390@zydeco.csystems>
Date: Fri, 06 Jan 95 00:43:14 -0800
From: strick -- henry strickland
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

THUS SPAKE jwelfeld@dasw.com (Joe Welfeld):
#
#
# I have a SPARC IPC (running sunos 4.1.3) at home that I would
# like to hook up to the internet and use a router to an ethernet
# network with a PC and a Mac on it. ...
#
# 2) Is there any PD packet filtering software and PPP software
# I can use to accomplish this ?

Yes, if you use "DialupPPP" dp-2.3 for your PPP driver, you can use my package named "infilt" for a packet filter:

    ftp ftp.yak.net /pub/infilt
    http://www.yak.net:/pub/infilt/announce

Current version is 0.6; I need to publish version 0.7 really soon now. It'll have a bug fix that matters after "silo overflow" errors.
--
strick

From firewalls-owner Fri Jan 6 01:36:23 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA16570 for firewalls-outgoing; Fri, 6 Jan 1995 01:10:37 -0800
Received: from networx.com (root@openwx.networx.com [192.245.234.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id BAA16565 for ; Fri, 6 Jan 1995 01:10:33 -0800
Received: from iridium (stewart@iridium.networx.com [192.245.234.11]) by networx.com (8.6.8.1/8.6.6) with SMTP id BAA27707; Fri, 6 Jan 1995 01:08:53 -0800
From: "Christopher A. Stewart"
Received: by iridium (5.0) id AA11358; Fri, 6 Jan 1995 01:08:50 +0800
Date: Fri, 6 Jan 1995 01:08:50 +0800
Message-Id: <9501060908.AA11358@iridium>
To: "Jonathan B. Horen"
Cc: firewalls@greatcircle.com
Subject: Re: Brief review of Firewall-1 - installation, support, failure, modes
In-Reply-To:
References: <199501051725.MAA02073@nda.nda.com>
Reply-To: stewart@networx.com
content-length: 2080
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>>>> "Jonathan" == Jonathan B Horen writes:

Jonathan> "Don't try this at home, kids" -- that is, if you aren't
Jonathan> a good-enough Unix SysAdmin to have your basic
Jonathan> site/machine configuration files set-up correctly, then
Jonathan> you've got no business placing your employer's site/data
Jonathan> in jeopardy.

Jonathan> FireWall-1 is certainly not the only piece of 3rd-party
Jonathan> software, commercial or otherwise, which expects to find
Jonathan> that the contents of
Jonathan> /etc/{aliases,group,hosts,passwd,services} (to name a
Jonathan> few) actually reflect the reality of the machine/site
Jonathan> and its users.

Jonathan> What frightens *me* is how a professional system
Jonathan> administrator can screw-up that "little-ole host file"!
Jonathan> Where are you guys living, on Mars?!

And you must be living on Jupiter; there are several possible choices as to how to write a hosts file.

Personally I use the following format --

    ip_address fully_qualified_name hostname

But the following formats are just as valid depending on your net config --

    ip_address hostname fully_qualified_name
    ip_address hostname

There is software that expects different formats, and you have to come up with workarounds.. A lot of this depends on what your hostname() function returns and how smart the software is.. But dumb software, like apparently Firewall-1 is, will only work with one format..

My feeling on this (and I've spent hours yelling at vendors to get them to correct their attitude) is I shouldn't be required to change my configs to suit their idea of how a network will work, thus breaking other software packages..

--
----------------------------------------------------------------------
Christopher A. Stewart          | (Standard disclaimers are in effect)
System/Network Administrator    |
Legent Corp. Networx Div.       |
Bellevue, Wa. 98004             |
Voice (206)-688-2154            |
Fax (206)-688-2050              |

From firewalls-owner Fri Jan 6 02:06:58 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA17411 for firewalls-outgoing; Fri, 6 Jan 1995 01:53:03 -0800
Received: from networx.com (root@openwx.networx.com [192.245.234.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id BAA17404 for ; Fri, 6 Jan 1995 01:52:57 -0800
Received: from iridium (stewart@iridium.networx.com [192.245.234.11]) by networx.com (8.6.8.1/8.6.6) with SMTP id BAA27824 for ; Fri, 6 Jan 1995 01:51:17 -0800
From: "Christopher A. Stewart"
Received: by iridium (5.0) id AA11622; Fri, 6 Jan 1995 01:51:14 +0800
Date: Fri, 6 Jan 1995 01:51:14 +0800
Message-Id: <9501060951.AA11622@iridium>
To: firewalls@greatcircle.com
Subject: My last letter
Reply-To: stewart@networx.com
content-length: 372
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I apologize for the last letter, it was supposed to be a private mailing..
--
----------------------------------------------------------------------
Christopher A. Stewart          | (Standard disclaimers are in effect)
System/Network Administrator    |
Legent Corp. Networx Div.       |
Bellevue, Wa. 98004             |
Voice (206)-688-2154            |
Fax (206)-688-2050              |

From firewalls-owner Fri Jan 6 10:22:09 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA17730 for firewalls-outgoing; Fri, 6 Jan 1995 02:07:48 -0800
Received: from networx.com (root@openwx.networx.com [192.245.234.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id CAA17724 for ; Fri, 6 Jan 1995 02:07:42 -0800
Received: from iridium (stewart@iridium.networx.com [192.245.234.11]) by networx.com (8.6.8.1/8.6.6) with SMTP id CAA27949 for ; Fri, 6 Jan 1995 02:06:11 -0800
From: "Christopher A. Stewart"
Received: by iridium (5.0) id AA11709; Fri, 6 Jan 1995 02:06:08 +0800
Date: Fri, 6 Jan 1995 02:06:08 +0800
Message-Id: <9501061006.AA11709@iridium>
To: firewalls@greatcircle.com
Subject: Nevermind the apology
Reply-To: stewart@networx.com
content-length: 343
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I didn't do the idiot thing I thought I had..

--
----------------------------------------------------------------------
Christopher A. Stewart          | (Standard disclaimers are in effect)
System/Network Administrator    |
Legent Corp. Networx Div.       |
Bellevue, Wa. 98004             |
Voice (206)-688-2154            |
Fax (206)-688-2050              |

From firewalls-owner Fri Jan 6 11:00:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA17285 for firewalls-outgoing; Fri, 6 Jan 1995 01:39:30 -0800
Received: from pegase.total.fr (pegase.total.fr [146.249.41.223]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id BAA17278 for ; Fri, 6 Jan 1995 01:38:28 -0800
Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA17981; Fri, 6 Jan 95 10:32:42 +0100
Received: by tidtest.total.fr (4.1/SMI-4.1) id AA02492; Fri, 6 Jan 95 10:29:06 GMT
From: lavondes@tidtest.total.fr (Michel Lavondes)
Message-Id: <9501061029.AA02492@tidtest.total.fr>
Subject: Email packages sending out stats (was Re: scanning email ...)
To: mueller@uran.informatik.uni-bonn.de
Date: Fri, 6 Jan 95 10:29:04 GMT
Cc: firewalls@greatcircle.com
Reply-To: lavondes@tidtest.total.fr
In-Reply-To: <199501042252.XAA02372@hamlet.oberberg.rhein.de>; from "Toni Mueller" at Jan 4, 95 11:52 pm
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Toni Mueller wrote :
>
> [snip]
>
> Would you mind naming the two packages in question ? I also think that
> the first is unacceptable at any rate. It _must_ be configured out.

Second the motion.

>
> And here is what I would do about it:
>
> [I run sendmail, so this may not apply to you.]
>
> I would add special rules to the beginnings of rule sets 0 (mailer) and
> 2 (receiver) to have this special address rewritten and delivered locally
> in some kind of log file (or /dev/null, if you don't care).

I too would do that, and if I'm in a playful mood (read, if I had some free time :-) ) I would also set up sendmail.cf so that a taunting message is sent instead ...
--
Michel Lavondes
E-Mail : lavondes@tidtest.total.fr
         lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected)
Tel : +33-1-4135-4198
Fax : +33-1-4135-4189

From firewalls-owner Fri Jan 6 11:00:35 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA17722 for firewalls-outgoing; Fri, 6 Jan 1995 02:07:13 -0800
Received: from inesc.inesc.pt (inesc.inesc.pt [146.193.0.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id CAA17717 for ; Fri, 6 Jan 1995 02:07:06 -0800
Received: from avila.inesc.pt ([146.193.248.1]) by inesc.inesc.pt with SMTP; id AA20038 (/); Fri, 6 Jan 1995 11:04:19 +0100
Received: by avila.inesc.pt (4.1/SunOS4.1.2) id AA06781; Fri, 6 Jan 95 11:05:31 +0100
From: ammf@avila.inesc.pt (Antonio Franco)
Message-Id: <9501061005.AA06781@avila.inesc.pt>
Subject: Re: Brief review of Firewall-1 - installation, support, failure modes
To: kovar@NDA.COM (David Kovar)
Date: Fri, 6 Jan 1995 11:05:30 +0100 (MET)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199501051725.MAA02073@nda.nda.com> from "David Kovar" at Jan 5, 95 12:25:34 pm
Organization: Sol-S Solucoes de Suporte e Manutencao Informatica SA
Phone: 351-1-3100180
X-Mailer: ELM [version 2.4 PL22]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
Content-Length: 709
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> > Not trying to bash the product, but the feeling that a little-ole host file
> > can totally make a product useless is frightening. Yes/No?
> >
> > Aaron
>
> Quite. And, as I said, if it was useless and passed no packets I'd
> be a lot less concerned. In this case, it is useless and passes all
> packets. A bad failure mode for a firewall.
>
> -David
>
>

I am surprised by these recent comments about Firewall-1, since I had seen some positive comments about it in some magazines (for example, Open Computing, Oct 94).

Anyway, does anyone know about any alternative commercial products with better and more reliable performance ?

Antonio Franco
ammf@inesc.pt
Fax: 351.1.3100181

From firewalls-owner Fri Jan 6 11:02:50 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA00149 for firewalls-outgoing; Fri, 6 Jan 1995 10:22:49 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [143.191.19.67]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA00139 for ; Fri, 6 Jan 1995 10:22:45 -0800
Received: from access4.digex.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-941015) id KAA04873; Fri, 6 Jan 1995 10:18:02 -0800
Received: by access4.digex.net id AA06834 (5.67b8/IDA-1.5 for firewalls@greatcircle.com); Fri, 6 Jan 1995 12:20:20 -0500
From: Don Krapf
Message-Id: <199501061720.AA06834@access4.digex.net>
Subject: Re: spoofing TCP/SYN packets?
To: firewalls@greatcircle.com (FireWalls List)
Date: Fri, 6 Jan 1995 12:20:19 -0500 (EST)
In-Reply-To: <9501061202.AA02585@tidtest.total.fr> from "Michel Lavondes" at Jan 6, 95 12:02:48 pm
X-Mailer: ELM [version 2.4 PL24beta]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 810
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I wrote:
> There are various ways to spoof a host and
> hijack a TCP connection. You could use a router based attack to
> persuade a router to send the packets through you
>
Michel Lavondes replied:
> That's what I meant by "compromised router". Anyone heard of this being
> doable/done for dedicated routers (ie not host-based) ?

It wouldn't require what I think you mean by "compromised". Depending on the setup, suppose you just advertized a shorter route to the destination network.

> > or you could attack
> > host B to get it off the net and let you grab its packets.
>
> Without compromised routers, wouldn't that require that C be "close" to B
> (eg, on the same LAN) ?
Yes

Don
--
dkrapf@access.digex.net    | See Clearly
dkrapf@hermes.acm.rpi.edu  | Think Clearly

From firewalls-owner Fri Jan 6 11:35:15 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA00137 for firewalls-outgoing; Fri, 6 Jan 1995 10:22:40 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [143.191.19.67]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA00132 for ; Fri, 6 Jan 1995 10:22:38 -0800
Received: from donald.uoregon.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-941015) id KAA04868; Fri, 6 Jan 1995 10:17:48 -0800
Received: from RIS.OR.GOV by OREGON.UOREGON.EDU (PMDF V4.3-9 #7713) id <01HLITT7W6F48X0469@OREGON.UOREGON.EDU>; Fri, 06 Jan 1995 10:19:21 -0800 (PST)
Received: from RISMTP01.RIS.OR.GOV by RISVS.RIS.OR.GOV (PMDF V4.3-8 #2476) id <01HLITKD9EOW007BDG@RISVS.RIS.OR.GOV>; Fri, 06 Jan 1995 10:11:36 -0700 (PDT)
Received: by RISMTP01.RIS.OR.GOV with Microsoft Mail id <2F0D8747@RISMTP01.RIS.OR.GOV>; Fri, 06 Jan 95 10:09:11 PST
Date: Fri, 06 Jan 1995 10:09:00 -0800 (PST)
From: IRONPLOW Lorraine
Subject: RE: PC takeover
To: Firewalls
Message-id: <2F0D8747@RISMTP01.RIS.OR.GOV>
MIME-version: 1.0
Content-type: MULTIPART/MIXED; BOUNDARY="Boundary (ID 4LFM8NzSLk/DxSajpBst7w)"
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Tim Williams writes:

| Well if I were a really bad guy I guess that I could distribute a piece of
| software (lets say a game for now) that would, as a side effect, install a
| nice little windows program that is loaded by windows each time
| windows comes up (yes it can run in the background and not display anything
| on the screen). In this nice little program, I simply open a connection to
| my little store house of data and start dumping your entire local disk and any
| disk to which you are currently attached (since you have so graciously provided
| access to it by your normal login process). This action is much easier now
| that we have WINSOCK compatibility for network programmers in a windows
| environment for most of the TCP/IP products that are out there today :-)

This is exactly my concern, especially since our users will now be able to go get goodies all over the web. And it would not be necessary for them to intentionally install a program with server capabilities either.

My question is how can a firewall help? The trojan horse comes in legally since we allow PCs to ship data both directions over the net, and the disk dump goes out legally for the same reason. Would any of the httpd features help?

In any case, it sounds like this type of attack is not yet common.

From firewalls-owner Fri Jan 6 11:39:49 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA00218 for firewalls-outgoing; Fri, 6 Jan 1995 10:23:42 -0800
Received: from cheops.anu.edu.au (daemon@cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA00211 for ; Fri, 6 Jan 1995 10:23:37 -0800
Message-Id: <199501061823.KAA00211@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.38.193.3/16.2) id AA26891; Sat, 7 Jan 95 04:47:21 +1100
From: Darren Reed
Subject: Re: spoofing TCP/SYN packets?
To: Larry_Chin@ca.cch.com (Larry Chin)
Date: Sat, 7 Jan 1995 04:47:21 +1100 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199501061746.MAA06684@cchtor.ca.cch.com> from "Larry Chin" at Jan 6, 95 12:46:10 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 511
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> >> This is discussed in one of Steve Bellovin's papers on TCP/IP...
> >>
> >> pext.ps - "Security Problems in the TCP/IP Protocol Suite"
> >> Steven M. Bellovin, AT&T Bell Laboratories
> >> smb@ulysses.att.com, Apr 1989.
> >> CACM Vol 19, No. 2
> >>
> >> is the one you want (I think).
>
> any idea where we can pick up this paper ?

coombs.anu.edu.au:/pub/net/papers/ipext.ps.Z

(looks like vi chewed the 'i' on ipext there, sorry O:)

darren

From firewalls-owner Fri Jan 6 11:40:22 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA00183 for firewalls-outgoing; Fri, 6 Jan 1995 10:23:09 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [143.191.19.67]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA00178 for ; Fri, 6 Jan 1995 10:23:05 -0800
Received: from access4.digex.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-941015) id KAA04886; Fri, 6 Jan 1995 10:18:23 -0800
Received: by access4.digex.net id AA06233 (5.67b8/IDA-1.5 for firewalls@greatcircle.com); Fri, 6 Jan 1995 12:10:01 -0500
From: Don Krapf
Message-Id: <199501061710.AA06233@access4.digex.net>
Subject: Re: FW: PC Take-Over -- reply
To: firewalls@greatcircle.com (FireWalls List)
Date: Fri, 6 Jan 1995 12:10:01 -0500 (EST)
In-Reply-To: from "Wulf Losee" at Jan 5, 95 10:06:22 am
X-Mailer: ELM [version 2.4 PL24beta]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2317
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Wulf Losee writes:
> Answer: I am not aware of any breakins; however, I think you have to ask
> yourself the question: "how -- through what mechanism -- would a breakin
> be accomplished?" PCs running multitasking OSs that offer TCP/IP-based
> services (rlogin, telnet, and ftp) are vulnerable from the Internet (without
> proper firewalls or router filters). So...
>
> Correct me if I'm wrong (please!), but since DOS and regular Windows (both
> Windows 3.x and Windows for Warehouses) are not multitasking,
> multithreading operating systems it would be impossible to subvert these
> systems unless the cracker were dialing in through a modem or actually
> sitting at the PC's console.

Imagine this: A user picks up a shareware/freeware MS-Windows program from the net. Maybe it's a fancy new network client. Maybe it's a (supposedly non-network) game. When it runs, it shoots a TCP connection out to an external host. It uses a port for which you're probably not blocking outgoing connections, like port 23. Via a private RPC mechanism over that connection, it exports the entire winsock API (and any other API's it wants to export). Whoever's waiting at that external host can now do anything that could be done by a program running on the MS-Windows machine. The external host can even be another MS-Windows machine with a stub winsock.dll which just ships its function calls right out over the RPC mechanism. The user on the external host can now telnet/FTP/etc through the internal MS-Windows machine and onto the internal network and the user there won't even know it.

I think I just scared myself. This'd be so easy to do and I can't think of any way to detect it. If somebody wrote something like this and it got passed around, would firewalls become pointless?

The only defense I can see against it is a very restrictive policy regarding outgoing TCP connections carrying arbitrary data. (e.g. none except to predefined hosts) Even if outbound telnet is restricted, the RPC mechanism could be made to work over a pair of FTP data connections. It wouldn't matter whether they were going through a proxy or not. Practically any live exchange of arbitrary data would do.
Don Krapf
--
dkrapf@access.digex.net    | See Clearly
dkrapf@hermes.acm.rpi.edu  | Think Clearly

From firewalls-owner Fri Jan 6 11:58:51 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA00231 for firewalls-outgoing; Fri, 6 Jan 1995 10:23:51 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [143.191.19.67]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA00226 for ; Fri, 6 Jan 1995 10:23:48 -0800
Received: from dns.medio.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-941015) id KAA04899; Fri, 6 Jan 1995 10:19:03 -0800
Received: (from mgodsey@localhost) by dns.medio.com (8.6.9/8.6.9) id JAA26671 for firewalls@GreatCircle.COM; Fri, 6 Jan 1995 09:48:29 -0800
From: Mike Godsey
Message-Id: <199501061748.JAA26671@dns.medio.com>
Subject: Re: INTRUDERS ARE HERE
To: firewalls@GreatCircle.COM (Firewalls Mail List)
Date: Fri, 6 Jan 1995 09:48:29 -0800 (PST)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 925
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

our esteemed colleague Frank Swift wrote:
> Before the "what line" gets flooded, lets get back to the square one basic
> good business practice checklist:
>
> a. all patches installed?
> b. minimum numbers for root access ?
> c. smart card or one-time password for root access?

< Remainder of alert truncated...>

This brings up a good point I need to follow up on. Can someone give me pointers to sources for 'smart-cards'? I'm especially interested in putting them on some DEC Alphas, but also possibly some Linux systems. Just need a place to start looking - vendor names, FAQs, etc.

Thanks!

--
------------------------------------------------------------
| Mike Godsey          mgodsey@medio.com                   |
| Medio Multimedia                                         |
| Redmond, WA                                              |
------------------------------------------------------------

From firewalls-owner Fri Jan 6 12:07:11 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA00297 for firewalls-outgoing; Fri, 6 Jan 1995 10:24:33 -0800
Received: from dot.ca.gov (nic.dot.ca.gov [149.136.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA00281 for ; Fri, 6 Jan 1995 10:24:27 -0800
Received: from trew002 (trew.dot.ca.gov) by dot.ca.gov (4.1/03.08.94) id AA15279; Fri, 6 Jan 95 08:50:52 PST
Message-Id: <9501061650.AA15279@dot.ca.gov>
Date: Fri, 6 Jan 1995 08:43:28 -0800
From: stan@dot.ca.gov ( )
To: jak@pot.hole.fi
Subject: Re: Firewall and Linux
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From firewalls-owner@GreatCircle.COM Mon Dec 19 11:40:35 1994
> From: Jaakko Manninen
> Subject: Firewall and Linux
> To: firewalls@greatcircle.com
> Date: Mon, 19 Dec 1994 21:28:50 +0200 (GMT+0200)
>
> Hi,
>
> I am interested in running a Firewall on a Linux system,
> and I'd like to know if anyone's done that.. How safe is it?
> Is there software for it, or will software compile for it?-)
> Any information on linux security and/or use with a firewall
> would be greatly appreciated.

i have done it with linux. it is immune to attack because it is invisible. when i document and have validated that distributing the source code will not compromise in any way our firewall that is in production use, i would consider distributing the source code to this list. it does not use TIS, socks or drawbridge.

>
> Thanks.
>
> --
> Jaakko Manninen email: jaakko.manninen@partek.partek.mailnet.fi (yes, twice)
> Parcomp Oy Ab   second: jak@hole.fi   FAX: +358-0-394-4717
> DISCLAIMER: "I'm not, by default, influenced by anything like money, fame or
> success. All the views and opinions I have should be mine."
>
>

From firewalls-owner Fri Jan 6 12:08:15 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA00464 for firewalls-outgoing; Fri, 6 Jan 1995 10:26:23 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [143.191.19.67]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA00427 for ; Fri, 6 Jan 1995 10:26:11 -0800
Received: from gatekeeper.alpharel.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-941015) id IAA04789; Fri, 6 Jan 1995 08:28:22 -0800
Received: (from mail@localhost) by gatekeeper.alpharel.com (8.6.8/8.6.6a) id IAA23194 for ; Fri, 6 Jan 1995 08:26:11 -0800
Received: from optigfx.optigfx.com(147.203.1.30) by gatekeeper.alpharel.com via smap (V1.3mjr) id sma023191; Fri Jan 6 08:25:36 1995
Received: from optisun17.optigfx.com by optigfx.optigfx.com (4.1/SMI-4.1-3) id AA13479; Fri, 6 Jan 95 08:25:35 PST
Received: by optisun17.optigfx.com (4.1/SMI-4.1) id AA08100; Fri, 6 Jan 95 08:25:34 PST
Date: Fri, 6 Jan 95 08:25:34 PST
From: mrm@alpharel.com (Mike Murphy)
Message-Id: <9501061625.AA08100@optisun17.optigfx.com>
To: firewalls@greatcircle.com
Subject: Re: PC using external service
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Though off the firewall subject, folks worried about unauthorized SLIP/PPP backdoors to a protected net are also worried about diskettes and qic40/80 tapes in pockets and briefcases, yes? I think that these classes of security concern are matters of policy rather than of technology, and therefore also probably not strictly firewall related. The way that one keeps an unauthorized SLIP/PPP from being a backdoor is by firing anyone who installs one. (Like that tenured full professor down the hall, eh? :-)

Regards,
Mike

--
Mike Murphy    mrm@ALPHAREL.COM    +1.619.625.3000 x265
ALPHAREL    9339 Carroll Park Drive    San Diego, CA 92121
Any opinions above are mine and not those of my employer.
From firewalls-owner Fri Jan 6 12:22:23 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA01444 for firewalls-outgoing; Fri, 6 Jan 1995 10:34:01 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [143.191.19.67]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA01414 for ; Fri, 6 Jan 1995 10:33:45 -0800
Received: from pegase.total.fr by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-941015) id DAA03759; Fri, 6 Jan 1995 03:09:15 -0800
Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA19210; Fri, 6 Jan 95 12:06:26 +0100
Received: by tidtest.total.fr (4.1/SMI-4.1) id AA02585; Fri, 6 Jan 95 12:02:50 GMT
From: lavondes@tidtest.total.fr (Michel Lavondes)
Message-Id: <9501061202.AA02585@tidtest.total.fr>
Subject: Re: spoofing TCP/SYN packets?
To: dkrapf@access.digex.net (Don Krapf)
Date: Fri, 6 Jan 95 12:02:48 GMT
Cc: firewalls@greatcircle.com
Reply-To: lavondes@tidtest.total.fr
In-Reply-To: <199501060618.AA10026@access1.digex.net>; from "Don Krapf" at Jan 6, 95 1:18 am
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Don Krapf wrote :
>
> Michel Lavondes writes:
> >
> > > [snip]
> >
> > Assuming that the packets flowing between A and B don't go through a
> > compromised router (ie one that would of its own "volition" divert/copy
> > to C packets to/from B,) the only way that C could do the hosing would
> > involve using IP source route header options, since the IP source/dest.
> > address must still be that of B. In that case, blocking IP source-routed
> > packets on the screening router (the one that connects to the service
> > provider) should do the trick. cisco boxen can do it, others also should.
> >
> > Am I being hopelessly naive ?
>
> Unfortunately, yes. There are various ways to spoof a host and
> hijack a TCP connection. You could use a router based attack to
> persuade a router to send the packets through you

That's what I meant by "compromised router". Anyone heard of this being doable/done for dedicated routers (ie not host-based) ?

> or you could attack
> host B to get it off the net and let you grab its packets.

Without compromised routers, wouldn't that require that C be "close" to B (eg, on the same LAN) ?

--
Michel Lavondes
E-Mail : lavondes@tidtest.total.fr
         lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected)
Tel : +33-1-4135-4198
Fax : +33-1-4135-4189

From firewalls-owner Fri Jan 6 12:30:36 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA01437 for firewalls-outgoing; Fri, 6 Jan 1995 10:33:55 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [143.191.19.67]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA01411 for ; Fri, 6 Jan 1995 10:33:43 -0800
Received: from NYXGATE1.btco.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-941015) id CAA03719; Fri, 6 Jan 1995 02:53:34 -0800
Received: (from mailer@localhost) by NYXGATE1.btco.com (8.6.9/8.6.9) id FAA18597; Fri, 6 Jan 1995 05:55:19 -0500
Received: from lncsex0000.eu.btco.com(160.82.136.140) by NYXGATE1.btco.com via smap (V1.3mjr) id sma018646; Fri Jan 6 05:55:02 1995
Received: from lncsea0001 (lncsea0001.eu.btco.com [160.82.136.15]) by LNCSEX0000.eu.btco.com (8.6.9/8.6.9) with SMTP id KAA19416; Fri, 6 Jan 1995 10:54:55 GMT
Date: Fri, 6 Jan 1995 10:54:53 -0800 (PST)
From: "Todd S. Aven"
To: Wulf Losee
cc: firewalls@GreatCircle.COM
Subject: Re: FW: PC Take-Over -- reply
X-Sender: avento@lncsex0000.eu.btco.com
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 5 Jan 1995, Wulf Losee wrote:

> Lorraine Ironplow asks:
> >Is anyone aware of any actual break-in that was
> >accomplished by "taking over" a PC (running
> >DOS or Windows or Windows for Workgroups
> >or NT) and then launching an attack from there?
> >I don't mean dialling in to a modem on the
> >PC, but an attack that could have been prevented
> >by a better firewall.
>
> Correct me if I'm wrong (please!), but since DOS and regular Windows (both
> Windows 3.x and Windows for Warehouses) are not multitasking,
> multithreading operating systems it would be impossible to subvert these
> systems unless the cracker were dialing in through a modem or actually
> sitting at the PC's console.

The analysis does not hinge upon the multi-tasking abilities of the operating system. The question that needs to be asked is: does the PC at any time while connected to the network run an application that performs local actions in response to network communications? If so, it is (in the broadest sense) vulnerable to compromise.

A trivial example for DOS is an FTP server (such as comes with PC/TCP et al.). I dare say that this combination leaves wide open the possibility of introducing all manner of nasty trojan horses on the PC in question.
Regards,
Todd Aven
avents@btco.com

From firewalls-owner Fri Jan 6 12:38:15 1995
From: Steve Kennedy
Message-Id: <21120.9501061103@ford.gbnet.org>
Subject: Re: FW: PC Take-Over -- reply
To: Brent Chapman
Date: Fri, 6 Jan 1995 11:03:30 +0000 (GMT)
Cc: WLosee@getty.edu, firewalls@greatcircle.com
In-Reply-To: from "Brent Chapman" at Jan 5, 95 07:54:50 pm

According to Brent Chapman
> At 10:06 1/5/95, Wulf Losee wrote:
> >Correct me if I'm wrong (please!), but since DOS and regular Windows (both
> >Windows 3.x and Windows for Warehouses) are not multitasking,
> >multithreading operating systems it would be impossible to subvert these
> >systems unless the cracker were dialing in through a modem or actually
> >sitting at the PC's console.
>
> There are commercial packages (like Timbuktu from Farallon; don't know if
> it's available for Windows, or only for Mac) that, if installed on a
> machine, let someone "take over" control of that machine as if they were
> sitting in front of it; input is read from the remote user's keyboard,
> and output goes to the remote user's display (possibly shadowed to
> the real display; I don't know).
There is a program called Proxy that allows taking over a PC from another PC. I think the current version supports IPX, but there is a TCP/IP version in the works. Basically a proxy'd PC runs in a window (yes, a real Windows window) on your PC. Don't ask, I don't have details yet, but I'll find out.

Regards
Steve
--
Flat 2, 43 Howitt Road, Belsize Park, London NW3 4LU [MIME OK]
tel +44-(0)171 483 1169    steve@gbnet.{com,org,net} home (or steve@tel.net)
GSM 0802 444500            steve@marvin.demon.co.uk Demon Internet
Dial-up data 2400 449500   WWW http://www.demon.co.uk/subscribers/m/marvin/
9600 449501                UNIX/Networking Consulting steve@NetTek.co.uk
fax 449502

From firewalls-owner Fri Jan 6 12:53:39 1995
From: twalker@acc.org
Date: Fri, 6 Jan 1995 14:16:57 -0500
Subject: need makefile for Solaris 2.4
To: firewalls@greatcircle.com

I know I asked this about my BSDI system, but the same goes for my Sun.
'since I am not a programmer, anyone have the Makefile for fwtk configured for Solaris 2.4-v5.4'

Thanks,
Tom
-----------------------------------------------------------------
Tom Walker, Network Manager     American College of Cardiology
MHS:twalker@acc                 Phone:1-301-493-2318
Internet:twalker@acc.org

From firewalls-owner Fri Jan 6 12:57:23 1995
From: Wulf Losee
Date: Fri, 06 Jan 1995 11:03:52 -0800
To: firewalls@greatcircle.com
Subject: INTRUDERS MIGHT BE HERE, but how do I get DDN bulletins?

Let me apologize up front for asking a question that's only tangential to the firewalls mailing list, but I think only the veteran firewallers might have the answer. So here it goes...

Frank Swift's posting mentioned the DDN Bulletins, and I've heard mention of them before. Supposedly they cover things that the CERT advisories don't cover. Is there any site that echoes these bulletins to non-military sites?

I naively requested to be put on the Bulletin mailing list, and I received a snooty reply from the DDN postmaster that those bulletins were only available to "the military and military contractors." I assume that there's nothing top secret in those bulletins -- except maybe that the mil sites are embarrassed to share their break-in experiences with civilians (insert grumble here about how my tax dollars are being spent, etc.).

Any help in this matter will be appreciated...
Thanks,
Wulf

From firewalls-owner Fri Jan 6 13:00:51 1995
Date: Fri, 6 Jan 1995 10:25:10 -0600 (CST)
From: Ken Hardy
To: sjg@zen.void.oz.au
Cc: firewalls@greatcircle.com
Subject: Re: Email monitoring

In ftp://ftp.sra.co.jp/pub/lan/perl/sra-scripts/fromto-1.2 you will
find a perl script to reduce those multi-line syslog entries into a
useable 1-line per message summary. I find it quite handy.

-KH
--
"Simon J. Gerraty" wrote:
>Actually, mail.info is all you need and is usually logged, so just
>have a look at /etc/syslog.conf to see where it's going. You get
>entries such as:
>
>Jan 5 15:10:09 zen sendmail[17136]: PAA17136: from=greatcircle.com!firewalls-owner, size=2067, class=-60, pri=140067, nrcpts=1, msgid=<9501050234.AA09713@uvs1.orl.mmc.com>, proto=UUCP, relay=uucp@localhost
>Jan 5 15:10:09 zen sendmail[17136]: PAA17136: to=sjg, delay=00:00:01, stat=queued
>Jan 5 15:13:29 zen sendmail[17151]: PAA17136: to=sjg, delay=00:03:21, mailer=local, stat=Sent
>
>That tells you who from, who to and how much, sadly across multiple
>entries though.
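A reduction of the kind Ken describes, written as an added example in Python rather than the fromto-1.2 perl script he points at; the log lines are constructed to match the sendmail format Simon quoted, with two made-up queue ids added to exercise the multi-recipient and missing-from cases.

```python
"""Collapse sendmail's multi-line syslog entries into one line per message.

Added example, not the fromto-1.2 script. The sample log below is
constructed: it reuses the format quoted on the list and adds two
made-up queue ids, one of them with its from= line missing (as happens
when a log is rotated mid-message), so the summary shows how that case
is handled instead of silently dropped.
"""
import re
from collections import OrderedDict

SAMPLE_LOG = """\
Jan 5 15:10:09 zen sendmail[17136]: PAA17136: from=greatcircle.com!firewalls-owner, size=2067, class=-60, pri=140067, nrcpts=1, msgid=<9501050234.AA09713@uvs1.orl.mmc.com>, proto=UUCP, relay=uucp@localhost
Jan 5 15:10:09 zen sendmail[17136]: PAA17136: to=sjg, delay=00:00:01, stat=queued
Jan 5 15:11:02 zen sendmail[17140]: PAA17140: from=<alice@example.org>, size=512, class=0, pri=30512, nrcpts=2, msgid=<1@example.org>, proto=SMTP, relay=mail.example.org [192.0.2.10]
Jan 5 15:11:03 zen sendmail[17140]: PAA17140: to=bob, delay=00:00:01, mailer=local, stat=Sent
Jan 5 15:11:03 zen sendmail[17140]: PAA17140: to=carol, delay=00:00:01, mailer=local, stat=Sent
Jan 5 15:13:29 zen sendmail[17151]: PAA17136: to=sjg, delay=00:03:21, mailer=local, stat=Sent
Jan 5 15:20:00 zen sendmail[17160]: PAA17160: to=dave, delay=00:00:00, mailer=local, stat=Sent
Jan 5 15:21:00 zen named[99]: unrelated daemon line, ignored
"""

# One sendmail syslog entry: timestamp, host, pid, queue id, then "k=v, k=v, ...".
ENTRY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sendmail\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$"
)


def parse_fields(rest):
    """Turn 'from=a, size=1, ...' into a dict. Values never contain ', '
    but may contain '=' (msgid= does), so split on the first '=' only."""
    fields = {}
    for part in rest.split(", "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def summarize(lines):
    """Return one summary string per queue id, in order of first appearance.

    A message is identified by its queue id, not by the logging pid: the
    deferred delivery of PAA17136 above is logged by a different pid.
    Each recipient keeps its last reported stat (queued -> Sent)."""
    messages = OrderedDict()
    for line in lines:
        m = ENTRY_RE.match(line)
        if not m:
            continue  # not a sendmail entry
        fields = parse_fields(m.group("rest"))
        rec = messages.setdefault(
            m.group("qid"),
            {"first": m.group("ts"), "from": "?", "size": "?", "to": OrderedDict()},
        )
        if "from" in fields:
            rec["from"] = fields["from"]
            rec["size"] = fields.get("size", "?")
        if "to" in fields:
            rec["to"][fields["to"]] = fields.get("stat", "?")
    out = []
    for qid, rec in messages.items():
        rcpts = ",".join(f"{addr}({stat})" for addr, stat in rec["to"].items())
        out.append(f"{rec['first']} {qid} from={rec['from']} size={rec['size']} to={rcpts}")
    return out


if __name__ == "__main__":
    for summary in summarize(SAMPLE_LOG.splitlines()):
        print(summary)
```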
From firewalls-owner Fri Jan 6 13:01:28 1995
Date: Fri, 6 Jan 1995 12:46:10 -0500
From: Larry Chin
Message-Id: <199501061746.MAA06684@cchtor.ca.cch.com>
To: avalon@coombs.anu.edu.au
Subject: Re: spoofing TCP/SYN packets?
Cc: firewalls@GreatCircle.COM

>> This is discussed in one of Steve Bellovin's papers on TCP/IP...
>>
>> pext.ps - "Security Problems in the TCP/IP Protocol Suite"
>> Steven M. Bellovin, AT&T Bell Laboratories
>> smb@ulysses.att.com, Apr 1989.
>> CACM Vol 19, No. 2
>>
>> is the one you want (I think).

any idea where we can pick up this paper ?

Fri Jan 6 12:45:59 EST 1995
===========================================================================
Larry Chin {larry@cchtor.ca.cch.com}          System/Network Administrator
CCH Canadian Ltd.                             (416) 441-4001 ext. 349
===========================================================================
Travel important today; Internal Revenue men arrive tomorrow.
From firewalls-owner Fri Jan 6 13:18:47 1995
From: Don Krapf
Message-Id: <199501061745.AA08310@access4.digex.net>
Subject: Re: PC using external service
To: firewalls@greatcircle.com (FireWalls List)
Date: Fri, 6 Jan 1995 12:45:04 -0500 (EST)
In-Reply-To: <199501052217.AAA08358@pot.hole.fi> from "Jaakko Manninen" at Jan 6, 95 00:17:05 am

Jaakko Manninen writes:
>
> Has anyone looked into the possibility of a user on a network under
> a Firewall running a SLIP/etc connection? Example.
>
> You have a closed 1200+ PC-machine LAN, connected to the Net thru
> a BSDI+Firewall. One PC-end user in his days of wisdom decides to
> purchase a SLIP-connection to a local INet provider. He enables "IP
> Routing" from his Windows for Workgroups, and someone on the net "sees"
> or hears about this, and decides to route himself into the "firewalled"
> network thru this machine... Boom.

As I see it, even if the intruder manages to get his packets routed into the protected network, he still needs a way to get his return packets back. Unless something is done, the return packets will try to come back via the firewall.
(This is a clue that a firewall should not pass packets when it sees only one side of a TCP connection. It should ring alarms instead. There's not much you can do about UDP.)

To get packets back through the same PC with the SLIP connection, one of three things must be done:

1 The PC can advertise a route. You can monitor for this.
2 The PC can spoof the router's IP address. You can monitor for this, too.
3 An internal machine can have a route manually set. The only defense against this is education.

Don
--
dkrapf@access.digex.net   | See Clearly
dkrapf@hermes.acm.rpi.edu | Think Clearly

From firewalls-owner Fri Jan 6 13:22:05 1995
From: lavondes@tidtest.total.fr (Michel Lavondes)
Message-Id: <9501062109.AA03243@tidtest.total.fr>
Subject: Protecting routers (was Re: spoofing TCP/SYN packets?)
To: dkrapf@access.digex.net (Don Krapf)
Date: Fri, 6 Jan 95 21:09:09 GMT
Cc: firewalls@greatcircle.com
Reply-To: lavondes@tidtest.total.fr
In-Reply-To: <199501061720.AA06834@access4.digex.net>; from "Don Krapf" at Jan 6, 95 12:20 pm

Don Krapf wrote :
>
> > Michel Lavondes replied:
> > That's what I meant by "compromised router". Anyone heard of this being
> > doable/done for dedicated routers (ie not host-based) ?
>
> It wouldn't require what I think you mean by "compromised". Depending on
> the setup, suppose you just advertised a shorter route to the destination
> network.
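One way to watch for the first two items on Don's list and to raise the one-sided-connection alarm he mentions, as an added example in Python (not code from Don or anyone on the list); the addresses, MACs and packet records are constructed, and RIP on UDP port 520 is assumed as the route-advertisement protocol. Item 3, a route set by hand on an internal host, produces none of these signals, which is Don's point about education.

```python
"""Monitors for two of the three ways return traffic can be pulled through
a SLIP-connected PC, plus the "firewall sees only one side of a TCP
connection" alarm.

Added example, not code from the list. All addresses, MACs and packet
records are constructed; a real deployment would feed them from a packet
capture on the LAN segment (ARP, RIP) and at the firewall (TCP).
"""
from collections import namedtuple

# Assumed facts about the protected network (made up for the example).
GATEWAY_IP = "192.0.2.1"
GATEWAY_MAC = "00:00:5e:00:53:01"
AUTHORIZED_ROUTERS = {"192.0.2.1"}
RIP_PORT = 520  # RIP is assumed as the route-advertisement protocol

Arp = namedtuple("Arp", "sender_ip sender_mac")        # ARP reply seen on the LAN
Rip = namedtuple("Rip", "src_ip dst_port routes")      # UDP datagram carrying RIP
Tcp = namedtuple("Tcp", "src sport dst dport flags")   # TCP segment at the firewall


def gateway_spoof_alerts(arp_replies):
    """Item 2: someone answers for the router's IP with a foreign MAC."""
    return [
        f"{r.sender_ip} claimed by {r.sender_mac} (expected {GATEWAY_MAC})"
        for r in arp_replies
        if r.sender_ip == GATEWAY_IP and r.sender_mac.lower() != GATEWAY_MAC
    ]


def rogue_route_alerts(datagrams):
    """Item 1: a route advertisement from a host that is not a router."""
    return [
        f"route advertisement from {d.src_ip}: {', '.join(d.routes)}"
        for d in datagrams
        if d.dst_port == RIP_PORT and d.src_ip not in AUTHORIZED_ROUTERS
    ]


def one_sided_tcp_alerts(segments):
    """Don's clue: traffic for a TCP connection whose opening SYN the
    firewall never saw means the other half of that connection is taking
    another path. Flows are keyed direction-insensitively and each
    offending flow is reported once."""
    seen_syn, reported, alerts = set(), set(), []
    for s in segments:
        flow = frozenset({(s.src, s.sport), (s.dst, s.dport)})
        if s.flags == "S":
            seen_syn.add(flow)
        elif flow not in seen_syn and flow not in reported:
            reported.add(flow)
            alerts.append(f"{s.src}:{s.sport} -> {s.dst}:{s.dport} ({s.flags}) with no SYN seen")
    return alerts


# Constructed observations. 192.0.2.50 plays the PC with the SLIP link;
# 192.0.2.30 is an internal host whose inbound traffic now arrives that way.
ARP_REPLIES = [
    Arp("192.0.2.1", "00:00:5e:00:53:01"),    # the real router
    Arp("192.0.2.50", "02:00:00:00:00:50"),   # the PC answering for itself: fine
    Arp("192.0.2.1", "02:00:00:00:00:50"),    # the PC answering for the router: alert
]
RIP_DATAGRAMS = [
    Rip("192.0.2.1", 520, ["10.0.0.0/8"]),    # the real router
    Rip("192.0.2.50", 520, ["0.0.0.0/0"]),    # PC advertising a default route: alert
]
TCP_SEGMENTS = [
    Tcp("192.0.2.20", 1025, "198.51.100.9", 80, "S"),    # normal outbound connection
    Tcp("198.51.100.9", 80, "192.0.2.20", 1025, "SA"),
    Tcp("192.0.2.20", 1025, "198.51.100.9", 80, "A"),
    Tcp("192.0.2.30", 23, "203.0.113.5", 4000, "SA"),    # reply to a SYN that never passed here
    Tcp("192.0.2.30", 23, "203.0.113.5", 4000, "PA"),    # same flow, reported only once
]


def run_all():
    """Run the three monitors over the constructed observations."""
    return {
        "gateway_spoof": gateway_spoof_alerts(ARP_REPLIES),
        "rogue_route": rogue_route_alerts(RIP_DATAGRAMS),
        "one_sided_tcp": one_sided_tcp_alerts(TCP_SEGMENTS),
    }


if __name__ == "__main__":
    for name, alerts in run_all().items():
        print(name, alerts or "ok")
```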
>

So now the question becomes: What steps can service providers or network admins take to shield their routers from this kind of abuse, other than purely static routing?

--
Michel Lavondes
E-Mail : lavondes@tidtest.total.fr
         lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected)
Tel : +33-1-4135-4198
Fax : +33-1-4135-4189

From firewalls-owner Fri Jan 6 13:43:10 1995
From: Rens Troost
Message-Id: <9501062057.AA11187@lorax.imsi.com>
To: Don Krapf
Cc: firewalls@greatcircle.com (FireWalls List)
Subject: Re: FW: PC Take-Over -- reply
In-Reply-To: Your message of "Fri, 06 Jan 1995 12:10:01 EST." <199501061710.AA06233@access4.digex.net>
Reply-To: rens@imsi.com
Date: Fri, 06 Jan 1995 15:57:35 -0500

>>>>> "Don" == Don Krapf writes:

Don> can't think of any way to detect it. If somebody wrote
Don> something like this and it got passed around, would firewalls
Don> become pointless?

We block all outgoing connections except through our proxy, but the principle remains the same; don't let your users run unexamined/unvetted binaries.

This susceptibility to trojans is why an IETF-standard SOCKS library is such a bad idea. The SOCKS I use has been hacked heavily to change the handshaking; just knowing I use SOCKS is not enough to trojan me.
-Rens

From firewalls-owner Fri Jan 6 13:53:03 1995
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9501062116.AA16538@hawksbill.sprintmrn.com>
Subject: Re: spoofing TCP/SYN packets?
To: firewalls@greatcircle.com
Date: Fri, 6 Jan 1995 16:16:20 -0500 (EST)
In-Reply-To: <199501061746.MAA06684@cchtor.ca.cch.com> from "Larry Chin" at Jan 6, 95 12:46:10 pm

>
> >> This is discussed in one of Steve Bellovin's papers on TCP/IP...
> >>
> >> pext.ps - "Security Problems in the TCP/IP Protocol Suite"
> >> Steven M. Bellovin, AT&T Bell Laboratories
> >> smb@ulysses.att.com, Apr 1989.
> >> CACM Vol 19, No. 2
> >>
> >> is the one you want (I think).
>
> any idea where we can pick up this paper ?
>

try:

research.att.com:/dist.internet_security/ipext.ps.Z

There are several other papers located here also.
- paul
_______________________________________________________________________________
Paul Ferguson                      US Sprint
Managed Network Engineering        tel: 703.689.6828
Reston, Virginia USA               internet: paul@hawk.sprintmrn.com
                                   http://www.sprintmrn.com

From firewalls-owner Fri Jan 6 14:11:23 1995
Date: Fri, 6 Jan 95 15:38:45 -0500
Message-Id: <9501062038.AA19323@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: What gave you that idea ?

Wulf Losee writes:
> Correct me if I'm wrong (please!), but since DOS and regular Windows (both
> Windows 3.x and Windows for Warehouses) are not multitasking,
> multithreading operating systems it would be impossible to subvert these
> systems unless the cracker were dialing in through a modem or actually
> sitting at the PC's console.

Well, I have an old 386-16 on the desk behind me running NW-DOS 7.0 using TASKMGR. While the DOS prompt shows on the screen, two background tasks can be running, FTP's SMTPSRV and FTPSRV, which can accept E-mail and process FTP requests without ever disturbing my reading of whatever mail arrived. Strobe the machine from the net while in that state and it will respond to SMTP, FTP, and PING. Unless you know how to read the broadcast lines to SMTP or FTP, the fact that it is a lowly PC will never be apparent. The same can be done from a machine running Windoze or DesqView, since I have.
So let's just consider that I might set a window up with TELNETD (heck, I have, so I know it can be done), then anyone can just telnet in and work (albeit a bit slowly) on the PC just as if it was multiuser.

Bottom line: if you can think of it, there is usually a way it can be done, even with DOS on a PC. The net doesn't care.

Warmly,
Padgett

From firewalls-owner Fri Jan 6 14:22:03 1995
Date: Thu, 5 Jan 95 13:18:25 -0600
From: roosekj@freedom.msfc.nasa.gov (Kathryn Roose)
Message-Id: <9501051918.AA00679@freedom.msfc.nasa.gov>
To: FIREWALLS@greatcircle.com
Subject: TCP/IP Firewall System Product Comparisons

I am searching for information comparing the TCP/IP Firewall System products that are currently available on the market. (A product list was given in the "Internet World", Feb. 1995 issue.) Any information regarding a source providing this information would be greatly appreciated.

Thank you in advance!
From firewalls-owner Fri Jan 6 14:51:50 1995
From: Reto Lichtensteiger
Message-Id: <199501062230.RAA11167@sextant.hri.com>
Subject: Re: Email monitoring
To: ken@bridge.com (Ken Hardy)
Date: Fri, 6 Jan 1995 17:30:48 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Ken Hardy" at Jan 6, 95 10:25:10 am

Back at the ranch, Ken Hardy scribed:

: In ftp://ftp.sra.co.jp/pub/lan/perl/sra-scripts/fromto-1.2 you will
                             ^^^
: find a perl script to reduce those multi-line syslog entries into a
: useable 1-line per message summary. I find it quite handy.

It's "lang" -- /pub/lang/perl/sra-scripts

Hard to type on Friday afternoons :-)

Reto
--
R A Lichtensteiger       rali@hri.com
System Administrator     Horizon Research Inc      (617) 466-8304
Waltham MA 02154         http://www.hri.com/HRI/Pages/rali.html/

"The system has been practicing a noncomputational lifestyle ever since the boot disk became I/O challenged."
From firewalls-owner Fri Jan 6 15:24:50 1995
Date: Fri, 06 Jan 95 15:05:04 pst
From: "Vincent Yau"
Message-Id: <9500067894.AA789433733@hq.ortel.com>
To: firewalls@greatcircle.com
Subject: Audit Trail for AIX

Dear All,

Wonder if anyone knows of a user audit trail program that runs on AIX? Basically, we want a package that can detect any user's sudden change in computing behavior. I read about NIDES but they only have a version on SunOS.

Thanks for any information.
--Vincent
vyau@ortel.com

From firewalls-owner Fri Jan 6 15:41:41 1995
From: Mike Godsey
Message-Id: <199501062245.OAA28993@dns.medio.com>
Subject: SUMMARY: 'smart cards' information
To: firewalls@GreatCircle.COM (Firewalls Mail List)
Date: Fri, 6 Jan 1995 14:45:24 -0800 (PST)

Here is a summary of the replies I got regarding security cards, or 'smart-cards':

* One person offered this:

  Situation might have changed, but last I looked Digital Pathways was the only vendor that did not REQUIRE you to buy their back-end server for authentication. I use these $60 keys with the free TIS firewall toolkit - you could take the authserver out of the toolkit to make it work on Linux, Alpha, etc (assuming ISF-1, not WinNT :-)

* Another offering:

  The most common one I know of (and the one we are looking into using on our firewall) is the SecurID, by Security Dynamics Inc.

* A general place to look for info:

  Look in http://www.greatcircle.com/firewalls/info/authentication_devices.ps.Z for a start. Most of the phone numbers can be obtained by looking in an old CERT advisory on network snooping (it was issued around December 1993).

Thanks to everyone for the help!
--
------------------------------------------------------------
| Mike Godsey            mgodsey@medio.com                 |
| Medio Multimedia                                         |
| Redmond, WA                                              |
------------------------------------------------------------

From firewalls-owner Fri Jan 6 16:11:58 1995
From: "Chuck Yerkes"
Message-Id: <9501061748.ZM20024@fugit.ny.jpmorgan.com>
Date: Fri, 6 Jan 1995 17:48:53 -0500
To: Don Krapf
Subject: Re: FW: PC Take-Over -- reply
Cc: Firewalls@GreatCircle.COM

[general scenario describing trojan horse program on your machine deleted for space]

> The only defense I can see against it is a very restrictive policy
> regarding outgoing TCP connections carrying arbitrary data. (e.g. none
> except to predefined hosts) Even if outbound telnet is restricted,
> the RPC mechanism could be made to work over a pair of FTP data
> connections. It wouldn't matter whether they were going through a
> proxy or not. Practically any live exchange of arbitrary data would do.

Well, you can
(1) only allow outbound telnets from/to certain pairs.
(2) Not allow ANY inbound connections, other than those that are proxy controlled (ftp, telnet responses, etc).
(3) RPC? Over the 'Net? I think I stop that at my firewall.

Yes, an internal 'doctored' telnet that can negotiate proxies to an outside 'doctored' telnetd, and has, say, Kerberos tickets, can present a problem.

A more real problem is a person with a FAX modem (or similar) who sets it up to autoanswer and run, say, "PC-Anywhere" with no passwords (because he doesn't want to fill out paperwork to use the prescribed method - modems with single-use tokens and auditing). Scanning for modems is an old trick.

When you have a company-wide dialup service, you need to also have a policy prohibiting going around it and appropriate punishment for violating this. For .com, dismissal is appropriate. For .edu, some discipline or removal of privilege is appropriate. For .mil, take 'em out and shoot 'em (Just kidding, Mr. Pataki!).

The point is you must have policy and punishment outlined first, before you catch someone with unauthorized software/hardware on their (company owned) machine. You must make it easier/less risky to use the proper techniques.

Also, if someone is caught walking with a backup tape or floppy, and that's not okay, they're gone. They have also signed a statement that says you can go search their house and beat their loved ones - if it's that big a concern (although, why can they get to a tape/floppy drive in the first place). - You DO encrypt your backups, don't you?

The scenario of doom above is possible, but not as simple as you make it sound if you have a firewall policy of "that which is not explicitly permitted, is prohibited" (thanque mjr) and a good firewall.

chuck yerkes
consultant
-------------------------------
I speak not for my client; I usually don't subscribe to my own opinions.
From firewalls-owner Fri Jan 6 16:52:13 1995
Date: Fri, 6 Jan 1995 16:47:34 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
Message-Id: <9501070047.AA03999@brittany.oes.amdahl.com>
To: firewalls@GreatCircle.COM, mgodsey@medio.com
Subject: Re: SUMMARY: 'smart cards' information

Virtual Open Network Environment offers smart cards as well. You can call them at 301-881-2297, or visit their web page at www.v-one.com

They have a good system.

Patrick

These opinions are mine, and not Amdahl's (except by coincidence;).

Patrick J. Horgan          Amdahl Corporation
patrick@oes.amdahl.com     1250 East Arques Avenue        Have
Phone : (408)992-2779      P.O. Box 3470 M/S 316          Sword
FAX : (408)773-0833        Sunnyvale, CA 94088-3470       Will
O16-2294                                                  Travel

From firewalls-owner Fri Jan 6 17:09:06 1995
From: David Kovar
Message-Id: <199501070023.TAA11783@nda.nda.com>
Subject: Discussing reliability and thus making yourself vulnerable
To: firewalls@greatcircle.com
Date: Fri, 6 Jan 1995 19:23:08 -0500 (EST)

It struck me that some people might be unwilling to discuss problems with their firewalls for fear of announcing to their world what software they're using and thus making it easier for someone to break in. Is this the case for anyone out there? Please feel free to respond privately, if you so desire, and I will keep your replies confidential.

In my case, I never post to the firewalls list from a client's site.
-David

From firewalls-owner Fri Jan 6 18:52:08 1995
Date: Fri, 6 Jan 1995 20:23:58 -0600
To: firewalls@greatcircle.com
From: balderd@crocus.sasknet.sk.ca (Dave Balderstone)
Subject: Re: PC using external service
Cc: mrm@alpharel.com (Mike Murphy)

>Though off the firewall subject, folks worried about unauthorized SLIP/PPP
>backdoors to a protected net are also worried about diskettes and qic40/80
>tapes in pockets and briefcases, yes?

Excellent point. As we examine our "security" requirements, we find that while it's very important to secure ourselves from "out there", the reality is that security of data "in here" essentially becomes a matter of trust if we want to be functional.
Dave Balderstone, Manager Business Analysis  | balderd@crocus.sasknet.sk.ca
Western Producer Publications                | OR
2310 Millar Ave, Saskatoon, Canada S7K 2C4   |
Voice 306-665-3545, Fax 306-665-9614         | 75211.3630@compuserve.com
--------------------------------------------------------------------------
"Opinions expressed are not necessarily those of the Western Producer"
--------------------------------------------------------------------------

From firewalls-owner Fri Jan 6 19:21:44 1995
From: Don Krapf
Message-Id: <199501070316.AA01631@access1.digex.net>
Subject: Re: FW: PC Take-Over -- reply
To: firewalls@greatcircle.com (FireWalls List)
Date: Fri, 6 Jan 1995 22:16:42 -0500 (EST)
In-Reply-To: <9501061748.ZM20024@fugit.ny.jpmorgan.com> from "Chuck Yerkes" at Jan 6, 95 05:48:53 pm

In general, I think I agree with you but you seem to have missed a few points:

[out of order]

Chuck Yerkes writes:
> (3) RPC? Over the 'Net? I think I stop that at my firewall.

By "private RPC mechanism", I was not referring to Sun RPC, or any other specific protocol. I was simply referring to any means by which a function called on one computer can pass its arguments to, and get results from, a function on another computer.
Since the specific protocol (carried within the TCP connection) would be known only to its author, it would appear to be arbitrary data to, and therefore be unstoppable by, a firewall. Chuck Yerkes writes: > (2) Not allow ANY inbound connections, other than those that are proxy > controlled (ftp, telnet responses, etc). It doesn't matter which end initiates the connection or whether or not it goes through a proxy, as long as the two ends can exchange arbitrary data with each other. A proxy could (for example) ensure that only a known set of commands are passed over an FTP control connection but it could have nothing to say about what flows over an FTP data connection other than to prevent data from flowing in the "wrong" direction. Thus, simultaneous STOR and RETR connections, even through a proxy, could be made to carry a "private RPC mechanism" as I described above. > Yes, an internal 'doctored' telnet that can negotiate proxies to an > outside 'doctored' telnetd, and has, say Kerberos tickets, can present > a problem. As you (and others) have pointed out, the real defense is in authentication at the proxy. A preferable defense might be to prevent users from doing things they shouldn't (running unknown programs) but when has that ever worked? Don -- dkrapf@access.digex.net | See Clearly dkrapf@hermes.acm.rpi.edu | Think Clearly From firewalls-owner Sat Jan 7 00:51:34 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA12058 for firewalls-outgoing; Sat, 7 Jan 1995 00:23:28 -0800 Received: from networx.com (root@openwx.networx.com [192.245.234.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id AAA12053 for ; Sat, 7 Jan 1995 00:23:25 -0800 Received: from iridium (stewart@iridium.networx.com [192.245.234.11]) by networx.com (8.6.8.1/8.6.6) with SMTP id AAA18339; Sat, 7 Jan 1995 00:21:42 -0800 From: "Christopher A. 
Stewart" Received: by iridium (5.0) id AA20911; Sat, 7 Jan 1995 00:21:37 +0800 Date: Sat, 7 Jan 1995 00:21:37 +0800 Message-Id: <9501070821.AA20911@iridium> To: ammf@avila.inesc.pt (Antonio Franco) Cc: kovar@nda.com (David Kovar), firewalls@greatcircle.com Subject: Re: Brief review of Firewall-1 - installation, support, failure modes In-Reply-To: <9501061005.AA06781@avila.inesc.pt> References: <199501051725.MAA02073@nda.nda.com> <9501061005.AA06781@avila.inesc.pt> Reply-To: stewart@networx.com content-length: 930 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>>>> "Antonio" == Antonio Franco writes: [Stuff deleted] Antonio> I am surprised with this recent comments about Antonio> Firewall-1, since I had seen some positive comments about Antonio> it on some magazines (for example, Open Computing, Oct Antonio> 94). [More stuff deleted] Being in a software company, and after seeing how some positive comments are placed, I take anything I read in the mags with several grains of salt.. I've also seen reviewers complain about what got edited out of their reviews.. Ah capitalism at work, can't piss off those potential advertisers... -- ---------------------------------------------------------------------- Christopher A. Stewart | (Standard disclaimers are in effect) System/Network Administrator | Legent Corp. Networx Div. | Bellevue, Wa. 
98004 | Voice (206)-688-2154 | Fax (206)-688-2050 | From firewalls-owner Sat Jan 7 03:51:43 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id DAA16469 for firewalls-outgoing; Sat, 7 Jan 1995 03:43:34 -0800 Received: from mn3.swip.net (mn3.swip.net [192.71.180.33]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id DAA16450 for ; Sat, 7 Jan 1995 03:43:29 -0800 Received: by mn3.swip.net with UUCP (8.6.8/2.01) id MAA06188; Sat, 7 Jan 1995 12:41:10 +0100 Received: from hades by exodata.se (4.1/SMI-4.1) id AA24623; Sat, 7 Jan 95 12:16:40 +0100 Date: Sat, 7 Jan 1995 12:16:40 +0100 (MET) From: "Mats Akerberg, Exo Data AB" X-Sender: mats@hades To: twalker@acc.org Cc: firewalls@greatcircle.com Subject: Re: need makefile for Solaris 2.4 In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > 'since I am not a programmer, anyone have the Makefile for fwtk > configured for Solaris 2.4-v5.4' Look at ftp.tis.com:/pub/firewalls/toolkit/contrib The file solaris.patch will help you build a Solaris 2.4 (using gcc) fwtk. You need to fix some references to suit your own config. But basically it works.
/Mats Mats Akerberg (mats@exodata.se) Exo Data AB Snail: Box 8312 S-163 08 Spanga Sweden Phone: + 46 8 795 98 30 FAX: + 46 8 36 55 78 From firewalls-owner Sat Jan 7 06:51:36 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA19572 for firewalls-outgoing; Sat, 7 Jan 1995 06:42:03 -0800 Received: from great-miami.iac.net (root@great-miami.iac.net [198.180.60.130]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA19567 for ; Sat, 7 Jan 1995 06:42:00 -0800 Received: from wabash.iac.net by great-miami.iac.net with SMTP id JAA22827; Sat, 7 Jan 1995 09:40:22 -0500 Date: Sat, 7 Jan 1995 09:40:20 -0500 (EST) From: Carl Jolley To: Don Krapf cc: FireWalls List Subject: Re: PC using external service In-Reply-To: <199501061745.AA08310@access4.digex.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 6 Jan 1995, Don Krapf wrote: > Jaakko Manninen writes: > > > > Has anyone looked into the possibility of a user on a network under > > a Firewall running a SLIP/etc connection? Example. > > > > You have a closed 1200+ PC-machine LAN, connected to the Net thru > > a BSDI+Firewall. One PC-end user in his days of wisdom decides to > > purchase a SLIP-connection to a local INet provider. He enables "IP > > Routing" from his Windows for Workgroups, and someone on the net "sees" > > or hears about this, and decides to route himself into the "firewalled" > > network thru this machine... Boom. > > As I see it, even if the intruder manages to get his packets routed into > the protected network, he still needs a way to get his return packets back. > Unless something is done, the return packets will try to come back via the > firewall. (This is a clue that a firewall should not pass packets when it > sees only one side of a TCP connection. It should ring alarms instead. > There's not much you can do about UDP.) 
[rest deleted] I'm kind of new to this stuff but would it be possible for the intruder who gets his packets routed into the protected network to include among those packets some ICMP type packets, i.e. code 5, type 1? From firewalls-owner Sat Jan 7 09:21:36 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA20235 for firewalls-outgoing; Sat, 7 Jan 1995 09:18:33 -0800 Received: from anon.penet.fi (anon.penet.fi [193.64.202.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA20230 for ; Sat, 7 Jan 1995 09:18:29 -0800 Received: by anon.penet.fi (5.67/1.35) id AA04980; Sat, 7 Jan 95 18:42:41 +0200 Message-Id: <9501071642.AA04980@anon.penet.fi> To: firewalls@greatcircle.com From: an178211@anon.penet.fi X-Anonymously-To: firewalls@greatcircle.com Organization: Anonymous contact service Reply-To: an178211@anon.penet.fi Date: Sat, 7 Jan 1995 16:42:40 UTC Subject: Re: Discussing reliability and thus making yourselv vulnerable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 6 Jan, David Kovar wrote: > It struck me that some people might be unwilling to discuss problems > with their firewalls for fear of announcing to their world what software > they're using and thus making it easier for someone to break in. Is > this the case for anyone out there? Please feel free to respond > privately, if you so desire, and I will keep your replies confidential. There are certainly ways that the information can be shared for the benefit of all and still protect the innocent (or not so innocent). Many people on the net don't approve of anonymous mail servers like this one but they do have their valid uses. If one knows some important information or has experience that others can benefit from, sharing it (even anonymously) is one way to be a good network citizen. There is no way that we individually can solve all our own problems; only by collective knowledge and experience can we address all the security issues involved.
------------------------------------------------------------------------- To find out more about the anon service, send mail to help@anon.penet.fi. Due to the double-blind, any mail replies to this message will be anonymized, and an anonymous id will be allocated automatically. You have been warned. Please report any problems, inappropriate use etc. to admin@anon.penet.fi. From firewalls-owner Sat Jan 7 09:33:15 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA20179 for firewalls-outgoing; Sat, 7 Jan 1995 08:55:15 -0800 Received: from relay.tis.com (firewall_user@relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA20174 for ; Sat, 7 Jan 1995 08:55:12 -0800 Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma017045; Sat Jan 7 11:53:47 1995 Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA23140; Sat, 7 Jan 95 11:50:44 EST Message-Id: <9501071650.AA23140@tis.com> From: Frederick M Avolio X-Organization: Trusted Information Systems, Inc. X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363 To: patrick@oes.amdahl.com (Patrick Horgan) Cc: firewalls@greatcircle.com, mgodsey@medio.com Subject: Re: SUMMARY: 'smart cards' information In-Reply-To: Your message of Fri, 06 Jan 95 16:47:34 +0800. <9501070047.AA03999@brittany.oes.amdahl.com> Date: Sat, 07 Jan 95 11:50:43 -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk V-ONE offers a smart card. Digital Pathways and Security Dynamics (and Enigma Logics and Racal) offer security tokens. Smart cards are not the same as security tokens.
f From firewalls-owner Sat Jan 7 10:21:36 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA20749 for firewalls-outgoing; Sat, 7 Jan 1995 09:50:55 -0800 Received: from mail04.mail.aol.com (mail04.mail.aol.com [152.163.172.53]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA20744 for ; Sat, 7 Jan 1995 09:50:52 -0800 From: RJudson@aol.com Received: by mail04.mail.aol.com (1.38.193.5/16.2) id AA05237; Sat, 7 Jan 1995 12:45:42 -0500 Date: Sat, 7 Jan 1995 12:45:42 -0500 Message-Id: <950107124538_1614503@aol.com> To: Firewalls@greatcircle.com Subject: Fwd: Returned mail: User unknown Sender: firewalls-owner@GreatCircle.COM Precedence: bulk --------------------- Forwarded message: From: MAILER-DAEMON@mail04.mail.aol.com (Mail Delivery Subsystem) To: RJudson@aol.com Date: 95-01-07 03:11:38 EST ----- Transcript of session follows ----- While connected to miles.greatcircle.com [198.102.244.34] (tcp): >>> RCPT To: <<< 550 ... User unknown 550 Firewall@greatcircle.com... 
User unknown ----- Unsent message follows ----- Received: by mail04.mail.aol.com (1.38.193.5/16.2) id AA23742; Fri, 6 Jan 1995 16:08:04 -0500 Date: Fri, 6 Jan 1995 16:08:04 -0500 From: RJudson@aol.com Return-Path: Message-Id: <950106160802_775934@aol.com> To: Firewall@greatcircle.com Subject: Subscribe Subscribe Firewalls RJudson@aol.com From firewalls-owner Sat Jan 7 11:51:38 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA21231 for firewalls-outgoing; Sat, 7 Jan 1995 11:34:23 -0800 Received: from cap1.CapAccess.org (sparker@cap1.CapAccess.org [198.69.201.50]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA21226 for ; Sat, 7 Jan 1995 11:34:14 -0800 Received: (from sparker@localhost) by cap1.CapAccess.org (8.6.9/8.6.9) id OAA20775; Sat, 7 Jan 1995 14:32:36 -0500 Date: Sat, 7 Jan 1995 14:32:36 -0500 Message-Id: <199501071932.OAA20775@cap1.CapAccess.org> From: sparker@CapAccess.org (Sean Parker) To: firewalls@greatcircle.com Subject: Securing a PC Reply-To: sparker@CapAccess.org Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In the near future I will be placing a number of PCs running both NetBSD and Linux behind a machine that acts as a firewall (I believe it's referred to as a bastion host?) and a packet filtering router. Being new to network security (I'm a student, and not majoring in any related fields) I'm wondering if there is anything specific I should disable or modify that might pose a problem to the rest of the machines behind the firewall? We will be maintaining a web page on one of the machines (I've asked about http problems in the past, but got no responses) but besides that we will not be providing any extraneous services. I'd really like to get my hands on a checklist detailing secure setup of hosts, especially in relation to other hosts. We're getting connected through a defense think tank of sorts and the idea has got a lot of people biting their nails.
Any help would be appreciated immensely. -- sparker@cap.gwu.edu From firewalls-owner Sat Jan 7 19:21:34 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA22482 for firewalls-outgoing; Sat, 7 Jan 1995 18:53:45 -0800 Received: from post.demon.co.uk (post.demon.co.uk [158.152.1.72]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA22477 for ; Sat, 7 Jan 1995 18:53:39 -0800 Received: from demon.demon.co.uk by post.demon.co.uk id aa15668; 8 Jan 95 2:52 GMT Received: from ford by demon.demon.co.uk id aa25101; 8 Jan 95 2:51 GMT From: Steve Kennedy Message-Id: <22908.9501080232@ford.gbnet.org> Subject: Re: SUMMARY: 'smart cards' information To: Mike Godsey Date: Sun, 8 Jan 1995 02:31:59 +0000 (GMT) Cc: firewalls@greatcircle.com In-Reply-To: <199501062245.OAA28993@dns.medio.com> from "Mike Godsey" at Jan 6, 95 02:45:24 pm X-Mailer: ELM [version 2.4 PL24alpha3] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1160 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to Mike Godsey > Here is a summary of the replies I got regarding security cards, > or 'smart-cards': > The most common one I know of (and the one we are looking into using on > our firewall) is the SecurID, by Security Dynamics Inc. A note about SecurID software: on Suns at least, the CLIENT code will only talk to an ACE server via le0!!! This is really useful when you have a dual-homed host or when you're trying to authenticate over PPP??? Oh well - I'm sure they'll fix it. Regards Steve p.s. Security Dynamics in the UK have been notified - but they didn't seem too bothered.
-- ___ |_ ___ ___ Flat 2, 43 Howitt Road (___ | (___) \ / (___) Belsize Park ___) | (___ \/ (___ London NW3 4LU [MIME OK] tel +44-(0)171 483 1169 steve@gbnet.{com,org,net} home (or steve@tel.net) GSM 0802 444500 steve@marvin.demon.co.uk Demon Internet Dial-up data 2400 449500 WWW http://www.demon.co.uk/subscribers/m/marvin/ 9600 449501 UNIX/Networking Consulting steve@NetTek.co.uk fax 449502 From firewalls-owner Sat Jan 7 19:51:34 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA22787 for firewalls-outgoing; Sat, 7 Jan 1995 19:50:22 -0800 Received: from gold.chem.hawaii.edu (gold.chem.Hawaii.Edu [128.171.55.9]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id TAA22782 for ; Sat, 7 Jan 1995 19:50:18 -0800 Received: by gold.chem.hawaii.edu (4.1/gold-MX-1.9) id AA23782; Sat, 7 Jan 95 17:47:52 HST Date: Sat, 7 Jan 1995 17:43:03 -1000 (HST) From: NetSurfer Subject: Re: Discussing reliability and thus making yourselv vulnerable To: David Kovar Cc: firewalls@greatcircle.com In-Reply-To: <199501070023.TAA11783@nda.nda.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 6 Jan 1995, David Kovar wrote: > It struck me that some people might be unwilling to discuss problems > with their firewalls for fear of announcing to their world what software > they're using and thus making it easier for someone to break in. Is > this the case for anyone out there? Please feel free to respond > privately, if you so desire, and I will keep your replies confidential. This is exactly what anonymous remailers are legitimately used for. To get a list of remailers: Send a message to skaplin@c2.org Subject line should read: SEND FILE remailer_list NOTE: this IS case sensitive To get help, substitute help for remailer_list IMHO this allows for safe dialogue from both sides of the security world (hacker/cracker & Info Sec. 
Offcr) -NetSurfer #include >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> == = = |James D. Wilson |V.PGP 2.7: 512/E12FCD 1994/03/17 > " " o " |P. O. Box 15432 | finger for full PGP key > " " / \ " |Honolulu, HI 96830 |====================================> \" "/ G \" |Serendipitous Solutions| Also NetSurfer@sersol.com > >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> From firewalls-owner Sun Jan 8 09:46:53 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA04042 for firewalls-outgoing; Sun, 8 Jan 1995 09:16:54 -0800 Received: from netcom11.netcom.com (okuyama@netcom11.netcom.com [192.100.81.121]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA04036 for ; Sun, 8 Jan 1995 09:16:51 -0800 Received: by netcom11.netcom.com (8.6.9/Netcom) id JAA13177; Sun, 8 Jan 1995 09:14:29 -0800 From: okuyama@netcom.com (Darin Okuyama) Message-Id: <199501081714.JAA13177@netcom11.netcom.com> Subject: log entry could be break-in .. To: firewalls@greatcircle.com Date: Sun, 8 Jan 1995 09:14:29 -0800 (PST) X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 379 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I just got a log entry that doesn't look very comforting: Jan 8 01:57:28 localhost smap[840]: EXPN severinov (bruno.cs.colorado.edu/128.138.243.150) Jan 8 01:57:29 localhost smap[840]: EXPN TestingForDisabledSMTP_EXPN (bruno.cs.colorado.edu/128.138.243.150) Have any of you seen this message before. What does it mean, and what action should I take? 
---Darin OKuyama From firewalls-owner Sun Jan 8 10:20:13 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA04395 for firewalls-outgoing; Sun, 8 Jan 1995 10:16:26 -0800 Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA04390 for ; Sun, 8 Jan 1995 10:16:23 -0800 Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA20453; Sun, 8 Jan 95 13:14:23 -0500 From: paul@hawksbill.sprintmrn.com (Paul Ferguson) Message-Id: <9501081814.AA20453@hawksbill.sprintmrn.com> Subject: Re: log entry could be break-in .. To: okuyama@netcom.com (Darin Okuyama) Date: Sun, 8 Jan 1995 13:14:23 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: <199501081714.JAA13177@netcom11.netcom.com> from "Darin Okuyama" at Jan 8, 95 09:14:29 am X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 922 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > > I just got a log entry that doesn't look very comforting: > > Jan 8 01:57:28 localhost smap[840]: EXPN severinov (bruno.cs.colorado.edu/128.138.243.150) > Jan 8 01:57:29 localhost smap[840]: EXPN TestingForDisabledSMTP_EXPN (bruno.cs.colorado.edu/128.138.243.150) > > Have any of you seen this message before. What does it > mean, and what action should I take? > bruno.cs.colorado.edu is a NETINFO server. We usually see a lot of finger queries from this site, but not much of anything else. Can't imagine why you're seeing port 25 access, however.
- paul _______________________________________________________________________________ Paul Ferguson US Sprint tel: 703.689.6828 Managed Network Engineering internet: paul@hawk.sprintmrn.com Reston, Virginia USA http://www.sprintmrn.com From firewalls-owner Sun Jan 8 10:46:56 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA04415 for firewalls-outgoing; Sun, 8 Jan 1995 10:20:02 -0800 Received: from cadman.cit.buffalo.edu (jcmurphy@cadman.cit.buffalo.edu [128.205.3.103]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA04410 for ; Sun, 8 Jan 1995 10:20:00 -0800 Received: from localhost (jcmurphy@localhost) by cadman.cit.buffalo.edu (8.6.5/8.6.5) id NAA08764; Sun, 8 Jan 1995 13:18:01 -0500 From: Jeff Murphy Message-Id: <199501081818.NAA08764@cadman.cit.buffalo.edu> Subject: Re: log entry could be break-in .. To: okuyama@netcom.com (Darin Okuyama) Date: Sun, 8 Jan 1995 13:18:00 -0500 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: <199501081714.JAA13177@netcom11.netcom.com> from "Darin Okuyama" at Jan 8, 95 09:14:29 am X-Mailer: ELM [version 2.4 PL21+PEM] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 525 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >I just got a log entry that doesn't look very comforting: > > Jan 8 01:57:28 localhost smap[840]: EXPN severinov (bruno.cs.colorado.edu/128.138.243.150) > Jan 8 01:57:29 localhost smap[840]: EXPN TestingForDisabledSMTP_EXPN (bruno.cs.colorado.edu/128.138.243.150) > >Have any of you seen this message before. What does it >mean, and what action should I take? bruno.cs.colorado.edu is a very popular netfind site. odds are this is the netfind software doing a username expansion as part of its search process. 
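Darin's two smap entries and the replies above are the triage an administrator does by hand: group the EXPN/VRFY lines by source host, notice the probe string, and decide whether the source is running a directory search or enumerating accounts. The following is an added example, not code from the TIS fwtk or from anyone in this thread, that does the same over a handful of smap-format log lines. The two bruno.cs.colorado.edu lines are the ones quoted in the thread; the remaining lines, the hosts scanner.example.net and mailhost.example.org, the 10.x addresses and the three-target threshold are constructed for the example.

```python
"""Triage smap EXPN/VRFY log entries by source host.

Added example; not code from the TIS fwtk or from anyone in the thread.
"""
import re
from collections import defaultdict

# The two bruno.cs.colorado.edu entries are the ones quoted in the thread.
# The other lines, the hosts scanner.example.net / mailhost.example.org and
# the 10.x addresses are constructed to exercise the classifier.
SAMPLE_LOG = """\
Jan  8 01:57:28 localhost smap[840]: EXPN severinov (bruno.cs.colorado.edu/128.138.243.150)
Jan  8 01:57:29 localhost smap[840]: EXPN TestingForDisabledSMTP_EXPN (bruno.cs.colorado.edu/128.138.243.150)
Jan  8 02:10:02 localhost smap[902]: VRFY root (scanner.example.net/10.0.0.5)
Jan  8 02:10:02 localhost smap[902]: VRFY postmaster (scanner.example.net/10.0.0.5)
Jan  8 02:10:03 localhost smap[902]: EXPN staff (scanner.example.net/10.0.0.5)
Jan  8 02:10:03 localhost smap[902]: EXPN admins (scanner.example.net/10.0.0.5)
Jan  8 02:10:04 localhost smap[902]: EXPN wheel (scanner.example.net/10.0.0.5)
Jan  8 03:00:11 localhost smap[977]: EXPN postmaster (mailhost.example.org/10.1.1.9)
"""

# smap logs "EXPN <target> (<reverse-name>/<ip>)" and the same for VRFY.
LINE_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"smap\[(?P<pid>\d+)\]: (?P<verb>EXPN|VRFY) (?P<target>\S+) "
    r"\((?P<host>[^/]+)/(?P<ip>[\d.]+)\)$"
)

# Literal probe string from the quoted log; the thread attributes it to
# Netfind's search process.
NETFIND_MARKER = "TestingForDisabledSMTP_EXPN"

# Distinct targets from one source before we call it enumeration
# (an arbitrary threshold chosen for this example).
ENUM_THRESHOLD = 3


def parse_line(line):
    """Return the fields of one smap EXPN/VRFY line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Group EXPN/VRFY events by source IP and assign each source a verdict."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    report = {}
    for ip, events in by_ip.items():
        targets = sorted({e["target"] for e in events})
        if NETFIND_MARKER in targets:
            # Marker seen: consistent with a Netfind search, as the thread says,
            # but the verdict only records the marker; a human still decides.
            verdict = "netfind-style probe"
        elif len(targets) >= ENUM_THRESHOLD:
            # Many different names from one source looks like account harvesting.
            verdict = "enumeration"
        else:
            verdict = "single lookup"
        report[ip] = {
            "host": events[0]["host"],
            "count": len(events),
            "targets": targets,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for ip, r in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip:16} {r['host']:24} {r['count']:2} events  "
              f"{r['verdict']:20} targets={','.join(r['targets'])}")
```

The "netfind-style probe" verdict only says the marker string was seen; it does not by itself prove the query was harmless. The thread reached that conclusion from knowing what bruno.cs.colorado.edu is, which is the piece of judgement this kind of script should leave to the administrator.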
From firewalls-owner Sun Jan 8 11:50:06 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA05039 for firewalls-outgoing; Sun, 8 Jan 1995 11:36:57 -0800 Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA05034 for ; Sun, 8 Jan 1995 11:36:53 -0800 Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA04388; Sun, 8 Jan 95 14:35:06 -0500 From: paul@hawksbill.sprintmrn.com (Paul Ferguson) Message-Id: <9501081935.AA04388@hawksbill.sprintmrn.com> Subject: Re: log entry could be break-in .. To: jdwilson@gold.chem.hawaii.edu (NetSurfer) Date: Sun, 8 Jan 1995 14:35:05 -0500 (EST) Cc: okuyama@netcom.com, firewalls@greatcircle.com In-Reply-To: from "NetSurfer" at Jan 8, 95 09:28:02 am X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 858 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > > > > bruno.cs.colorado.edu is a NETINFO server. We usually see alot of finger > > queries from this site, but not much of anything else. Can't imagine > > why you're seeing port 25 access, however. > > Perhaps it is from a scanner like ISS or COPS? > Possibly, but doubtful. This NETINFO server doesn't allow full shell access, from what I understand, but rather selective functions, much like an anonymous ftp site. Thus, I don't see how just anyone could load ISS or etc. at their leisure. 
- paul _______________________________________________________________________________ Paul Ferguson US Sprint tel: 703.689.6828 Managed Network Engineering internet: paul@hawk.sprintmrn.com Reston, Virginia USA http://www.sprintmrn.com From firewalls-owner Sun Jan 8 12:03:38 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA05011 for firewalls-outgoing; Sun, 8 Jan 1995 11:31:02 -0800 Received: from gold.chem.hawaii.edu (gold.chem.Hawaii.Edu [128.171.55.9]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA05006 for ; Sun, 8 Jan 1995 11:30:59 -0800 Received: by gold.chem.hawaii.edu (4.1/gold-MX-1.9) id AA18370; Sun, 8 Jan 95 09:28:49 HST Date: Sun, 8 Jan 1995 09:28:02 -1000 (HST) From: NetSurfer Subject: Re: log entry could be break-in .. To: Paul Ferguson Cc: Darin Okuyama , firewalls@greatcircle.com In-Reply-To: <9501081814.AA20453@hawksbill.sprintmrn.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sun, 8 Jan 1995, Paul Ferguson wrote: > > Jan 8 01:57:28 localhost smap[840]: EXPN severinov (bruno.cs.colorado.edu/128.138.243.150) > > Jan 8 01:57:29 localhost smap[840]: EXPN TestingForDisabledSMTP_EXPN (bruno.cs.colorado.edu/128.138.243.150) > > > > Have any of you seen this message before. What does it > > mean, and what action should I take? > > > > bruno.cs.colorado.edu is a NETINFO server. We usually see alot of finger > queries from this site, but not much of anything else. Can't imagine > why you're seeing port 25 access, however. Perhaps it is from a scanner like ISS or COPS? -NetSurfer #include >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> == = = |James D. Wilson |V.PGP 2.7: 512/E12FCD 1994/03/17 > " " o " |P. O. 
Box 15432 | finger for full PGP key > " " / \ " |Honolulu, HI 96830 |====================================> \" "/ G \" |Serendipitous Solutions| Also NetSurfer@sersol.com > >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> From firewalls-owner Sun Jan 8 17:03:11 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA00802 for firewalls-outgoing; Sun, 8 Jan 1995 16:58:43 -0800 Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA00797 for ; Sun, 8 Jan 1995 16:58:39 -0800 Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA10280; Sun, 8 Jan 95 19:55:26 -0500 From: paul@hawksbill.sprintmrn.com (Paul Ferguson) Message-Id: <9501090055.AA10280@hawksbill.sprintmrn.com> To: cjpatten@teaching.cs.adelaide.edu.au (Craig Patten) Date: Sun, 8 Jan 1995 19:55:26 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: <9501090051.AA18118@ermintrude.teaching.cs.adelaide.edu.au> from "Craig Patten" at Jan 9, 95 11:21:16 am X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 777 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Paul Ferguson wrote: > > % bruno.cs.colorado.edu is a NETINFO server. We usually see alot of finger > % queries from this site, but not much of anything else. Can't imagine > % why you're seeing port 25 access, however. > % > % - paul > > I believe the later versions of the Netfind software also use port > 25 accesses to try and find people in addition to finger searches. > There you go. End of mystery. 
;-) - paul _______________________________________________________________________________ Paul Ferguson US Sprint tel: 703.689.6828 Managed Network Engineering internet: paul@hawk.sprintmrn.com Reston, Virginia USA http://www.sprintmrn.com From firewalls-owner Sun Jan 8 17:16:26 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA00787 for firewalls-outgoing; Sun, 8 Jan 1995 16:53:35 -0800 Received: from tigger.cs.adelaide.edu.au (tigger.cs.adelaide.edu.au [129.127.8.65]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA00782 for ; Sun, 8 Jan 1995 16:53:31 -0800 Received: from ermintrude.teaching.cs.adelaide.edu.au (via delivery) by tigger.cs.adelaide.edu.au with SMTP (5.65/UA-5.20) id AA28917; Mon, 9 Jan 95 11:21:43 +1030 X-Authentic-Sender: cjpatten@ermintrude.teaching.cs.adelaide.edu.au Received: by ermintrude.teaching.cs.adelaide.edu.au (5.65/SMI-4.1)id AA18118; Mon, 9 Jan 95 11:21:17 +1030 From: cjpatten@teaching.cs.adelaide.edu.au (Craig Patten) Message-Id: <9501090051.AA18118@ermintrude.teaching.cs.adelaide.edu.au> Subject: Re: log entry could be break-in .. To: paul@hawksbill.sprintmrn.com (Paul Ferguson) Date: Mon, 9 Jan 1995 11:21:16 +1030 (CST) Cc: firewalls@greatcircle.com In-Reply-To: <9501081814.AA20453@hawksbill.sprintmrn.com> from "Paul Ferguson" at Jan 8, 95 01:14:23 pm X-Face: ?/"MXina;Tt'.c6A>P1["3Wm#HCKX-/DEGN$1y[T?I6fCGFUTh]6'<@mJ&1TSRDlc_>|Lo'%b|.Rwf=`7~U>E@VElJ`RI\Sb1h X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 369 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Paul Ferguson wrote: % bruno.cs.colorado.edu is a NETINFO server. We usually see alot of finger % queries from this site, but not much of anything else. Can't imagine % why you're seeing port 25 access, however. 
% % - paul I believe the later versions of the Netfind software also use port 25 accesses to try and find people in addition to finger searches. Craig. From firewalls-owner Sun Jan 8 18:33:21 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA01751 for firewalls-outgoing; Sun, 8 Jan 1995 18:07:41 -0800 Received: from diamond.pcy.mci.net (diamond.PentagonCity.mci.net [204.70.136.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA01746 for ; Sun, 8 Jan 1995 18:07:37 -0800 Received: (from bwatson@localhost) by diamond.pcy.mci.net (8.6.9/8.6.6) id CAA15665; Mon, 9 Jan 1995 02:05:26 GMT From: Brett Watson Message-Id: <199501090205.CAA15665@diamond.pcy.mci.net> Subject: Re: log entry could be break-in .. To: paul@hawksbill.sprintmrn.com (Paul Ferguson) Date: Mon, 9 Jan 1995 02:05:26 +0000 (GMT) Cc: firewalls@greatcircle.com In-Reply-To: <9501081935.AA04388@hawksbill.sprintmrn.com> from "Paul Ferguson" at Jan 8, 95 02:35:05 pm X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 739 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Paul Ferguson > > > > > > > > > > bruno.cs.colorado.edu is a NETINFO server. We usually see alot of finger > > > queries from this site, but not much of anything else. Can't imagine > > > why you're seeing port 25 access, however. > > > > Perhaps it is from a scanner like ISS or COPS? > > > > Possibly, but doubtful. This NETINFO server doesn't allow full > shell access, from what I understand, but rather selective functions, > much like an anonymous ftp site. Thus, I don't see how just anyone could > load ISS or etc. at their leisure. NETFIND *does* try the EXPN command on SMTP servers when it's searching. It's always done this from what I remember. Anyway, it's nothing for you to be alarmed at I don't think. 
-brett From firewalls-owner Sun Jan 8 21:03:14 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA03026 for firewalls-outgoing; Sun, 8 Jan 1995 20:48:52 -0800 Received: from babylon5.dss.gov.au (babylon5.dss.gov.au [161.146.130.21]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id UAA03021 for ; Sun, 8 Jan 1995 20:48:43 -0800 Received: by babylon5.dss.gov.au (911016.SGI/911001.SGI) for Firewalls@GreatCircle.COM id AA08997; Mon, 9 Jan 95 15:47:17 -0800 Date: Mon, 9 Jan 1995 15:47:16 -0800 (PST) From: Chris Brittain To: Firewalls@GreatCircle.COM Subject: IBM's NetSP Secured Network Gateway Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Has anyone had any experience with IBM's NetSP Secured Network Gateway? Anybody want to make any comments about it? positive? negative? // | ...if only I could think of something | // Christopher J. Brittain | interesting to write here... | \\ // Canberra, Australia. | | \X/ Chris.Brittain@dss.gov.au | chris@xuthus.apana.org.au | 3:620.243.20 | From firewalls-owner Sun Jan 8 21:20:28 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA03079 for firewalls-outgoing; Sun, 8 Jan 1995 20:53:55 -0800 Received: from netcom3.netcom.com (okuyama@netcom3.netcom.com [192.100.81.103]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id UAA03073 for ; Sun, 8 Jan 1995 20:53:50 -0800 Received: by netcom3.netcom.com (8.6.9/Netcom) id UAA22157; Sun, 8 Jan 1995 20:51:33 -0800 From: okuyama@netcom.com (Darin Okuyama) Message-Id: <199501090451.UAA22157@netcom3.netcom.com> Subject: Re: log entry could be break-in .. 
To: firewalls@greatcircle.com (Firewall Mailing List)
Date: Sun, 8 Jan 1995 20:51:32 -0800 (PST)
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 632
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thank you everyone for responding to my query about the strange log entry. The responses were quick and accurate. I immediately was a little suspicious because it came from a University.

Maybe we should compile a FAQ on log messages, that way, we could keep most of the mundane traffic about log entries off the list. Certainly, some log entries should be shared with the list immediately (use your judgement). Any volunteers to compile a list of log entries and their significance -- we could all contribute log entries that we know about, and we think other firewall administrators should know about.

---Darin Okuyama

From firewalls-owner Sun Jan 8 22:03:12 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA03672 for firewalls-outgoing; Sun, 8 Jan 1995 21:34:40 -0800
Received: from bwh.harvard.edu (bwh.harvard.edu [134.174.81.34]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id VAA03667 for ; Sun, 8 Jan 1995 21:34:37 -0800
Received: (adam@localhost) by bwh.harvard.edu (8.6.9/8.6.9) id AAA17519; Mon, 9 Jan 1995 00:31:34 -0500
From: Adam Shostack
Message-Id: <199501090531.AAA17519@bwh.harvard.edu>
X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School
Subject: Re: IBM's NetSP Secured Network Gateway
To: xuthus@dss.gov.au (Chris Brittain)
Date: Mon, 9 Jan 95 0:31:24 EST
Cc: Firewalls@GreatCircle.COM
In-Reply-To: ; from "Chris Brittain" at Jan 9, 95 3:47 pm
X-PGP: 876BD629 Fingerprint: 70 93 32 D6 36 D4 04 10 40 EC AB 28 A4 1D 0F E2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You wrote:
| Has anyone had any experience with IBM's NetSP Secured Network Gateway?
| Anybody want to make any comments about it? positive? negative?

The product manager was kind enough to send me a copy of the manual. (Scott Baumann (sbaumann@vnet.ibm.com)) It's a socks-based bastion system, with support for several smartcard systems. It runs on an rs/6000, with aix 3.2.5.

Overall, it seemed to be a decent system. It used code from outside IBM, and seemed to be a decent first pass at building a firewall. I had a number of criticisms, which I'll mention, but it did seem to be a decent basis on which to build.

1. It's a SMIT-installable image. There's very little said about cutting down AIX bloat & suid's. The manual does mention cutting what's in inetd.conf. However, I think AIX is way too big to be trusted.

2. It uses IBM's sendmail. Not ucb 8.6.9, not smap, smail or anything else, but sendmail.

3. Nothing like tripwire seems to be included.

4. No high speed network adapters (I noted a lack of FDDI and ATM)

5. The manual didn't cover testing enough.

Adam
--
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Mon Jan 9 01:36:56 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA04994 for firewalls-outgoing; Mon, 9 Jan 1995 01:06:35 -0800
Received: from hk.super.net (root@hk.super.net [202.14.67.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id BAA04989 for ; Mon, 9 Jan 1995 01:06:21 -0800
Received: from hktmgw.hkt.com.hk by hk.super.net with SMTP id AA03717 (5.67b/IDA-1.5 for ); Mon, 9 Jan 1995 17:04:25 +0800
Received: by hktmgw.hkt.com.hk with Microsoft Mail id <2F11DF1C@hktmgw.hkt.com.hk>; Mon, 09 Jan 95 17:13:00 PST
From: William Wong
To: firewalls
Subject: Re: Nov*ix for NetWare
Date: Mon, 09 Jan 95 16:58:00 PST
Message-Id: <2F11DF1C@hktmgw.hkt.com.hk>
Encoding: 45 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

James, 1st of all. This is not a flame.
I think unless Novix engineers have put some trap door inside the NLM. I don't see great possibilities of penetration. If it's not, please correct me. Since we think that it is a great firewall itself.

Best Regards,

William Wong (wwong@hkt.com.hk)

----------
From: firewalls-owner
To: cklung; firewalls
Subject: Re: Nov*ix for NetWare
Date: Thursday, January 05, 1995 11:31AM

>I'm seeking comments on Nov*ix for Netware's firewall/security feature? Any
> > ideas are appreciated.
>
>Thank you in advance.

Novix for Netware is just a Netware Loadable Module running on a Novell File Server.

We use the product, but it's kept behind our firewall on the trusted side. How do you trust Novell's operating system when you can't change it?

//////////////////////////////////////////////////////////////////////////
James Jasinski                         | My opinions are of my own and
Martin Marietta                        | not that of my employer.
HUD HIIPS Contract, Washington, D.C.   |
Fax: 202-708-3577                      |
Voice: 202-708-2107                    |
E-Mail: james_jasinski@hud.gov         |
==========================================================================

From firewalls-owner Mon Jan 9 02:33:15 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA07341 for firewalls-outgoing; Mon, 9 Jan 1995 02:19:16 -0800
Received: from delta.eecs.nwu.edu (delta.eecs.nwu.edu [129.105.5.103]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id CAA07335 for ; Mon, 9 Jan 1995 02:19:12 -0800
Received: by delta.eecs.nwu.edu (4.1/SMI-4.0-proxy) id AA19784; Mon, 9 Jan 95 04:17:36 CST
Date: Mon, 9 Jan 95 04:17:36 CST
From: bonomi@delta.eecs.nwu.edu (Robert Bonomi)
Message-Id: <9501091017.AA19784@delta.eecs.nwu.edu>
To: firewalls@greatcircle.com, wwong@hkt.com.hk
Subject: Re: Nov*ix for NetWare
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: William Wong
> To: firewalls
> Subject: Re: Nov*ix for NetWare
> Date: Mon, 09 Jan 95 16:58:00 PST
>
> James, 1st of all. This is not a flame.
> I think unless Novix engineers have put some trap door inside the NLM. I
> don't see great possibilities of penetration.

point 1: "Think", or "know"?? Are you willing to bet your business on being right, when you can't see the source code? How do you _prove_ that such a trapdoor is *not* there?? Suppose I claim that there are _three_ such secret entrances -- *now* what do you do?? Try and prove me wrong!! Or would you rather trust *me* to: A) tell you about all the flaws *I* know about, and b) not use any of them against your system.

point 2: *ANY* breach is a _complete_ breach, since -every- NLM has complete access to -all- system resources, and can do *anything* to any of them. How much do you know about *all* possible modes of interaction of _every_ combination of NLM's you have on your server? (note: these kinds of problems are *hard* to find, even with -complete- source code)

point 3: What happens if somebody from the "outside" tries to login to the server, *with* the 'operator' password?? Did you already know, or was it a case of 'go try it and find out'? Did any alarms go off? If not, why not?? If yes, did people know what they meant?? And the proper actions to take in response to that alarm?

point 4: what do you do *when* (_not_ "if", please note) you find a security hole?? How do _you_ fix it?? what if Novell doesn't think it's urgent? How do you keep the person(s) who exploited the hole out of your system, until Novell gets around to supplying a fix? *CAN* you??

> If it's not, please correct me. Since we think that it is a great firewall itself.

Glad you think so. Faith is a wonderful thing. Paranoia is a much more desirable quality in a systems security setting, though.
From firewalls-owner Mon Jan 9 03:06:26 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA07552 for firewalls-outgoing; Mon, 9 Jan 1995 02:40:08 -0800
Received: from pegase.total.fr (pegase.total.fr [146.249.41.223]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id CAA07547 for ; Mon, 9 Jan 1995 02:39:34 -0800
Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA11388; Mon, 9 Jan 95 11:34:14 +0100
Received: by tidtest.total.fr (4.1/SMI-4.1) id AA03736; Mon, 9 Jan 95 11:30:38 GMT
From: lavondes@tidtest.total.fr (Michel Lavondes)
Message-Id: <9501091130.AA03736@tidtest.total.fr>
Subject: Re: Nov*ix for NetWare
To: wwong@hkt.com.hk (William Wong)
Date: Mon, 9 Jan 95 11:30:36 GMT
Cc: firewalls@greatcircle.com
Reply-To: lavondes@tidtest.total.fr
In-Reply-To: <2F11DF1C@hktmgw.hkt.com.hk>; from "William Wong" at Jan 9, 95 4:58 pm
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

William Wong wrote :
>
> I think unless Novix engineers have put some trap door inside the NLM. I
> don't see great possibilities of penetration. If it's not, please correct
> me. Since we think that it is a great firewall itself.
>
> >I'm seeking comments on Nov*ix for Netware's firewall/security feature?
> Any
> > > > ideas are appreciated.
> >
> >Thank you in advance.
>
> Novix for Netware is just a Netware Loadable Module running on a
> Novell File Server.
>
> We use the product, but it's kept behind our firewall on the trusted
> side. How do you trust Novell's operating system when you
> can't change it?
>

The Netware operating system doesn't even *try* to protect itself from the NLMs that run on it, or the NLMs from each other. There is no memory protection, no uid protection if the NLM doesn't ask for it, no nothing. Definitely not a good choice to support a firewall.
--
Michel Lavondes
E-Mail : lavondes@tidtest.total.fr
         lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected)
Tel : +33-1-4135-4198
Fax : +33-1-4135-4189

From firewalls-owner Mon Jan 9 06:32:54 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA01548 for firewalls-outgoing; Mon, 9 Jan 1995 06:12:22 -0800
Received: from gsusgi2.gsu.edu (gsusgi2.Gsu.EDU [131.96.1.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA01543 for ; Mon, 9 Jan 1995 06:12:19 -0800
Received: by gsusgi2.gsu.edu (931110.SGI.ANONFTP/931108.SGI.ANONFTP) for firewalls@greatcircle.com id AA08788; Mon, 9 Jan 95 08:10:37 -0500
From: syshtg@gsusgi2.gsu.edu (Tom Gillman)
Message-Id: <9501091310.AA08788@gsusgi2.gsu.edu>
Subject: ISS scanning from tostada.engr.ucdavis.edu
To: firewalls@greatcircle.com
Date: Mon, 9 Jan 1995 08:10:36 -0500 (EST)
X-Mailer: ELM [version 2.4 PL17]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 428
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Just as a note. We had an ISS scan run on our domain from this location over the weekend. You may be next.

Tom
--
Tom Gillman, Unix/AIX Systems Weenie  |"For a privacy advocate to determine
Wells Computer Center-Ga. State Univ. |the best way to do key escrow is like
(404) 651-4503 syshtg@gsusgi2.gsu.edu |a death penalty opponent choosing
My opinions, not GSU's...
|between gas or electricity"-D.Banisar

From firewalls-owner Mon Jan 9 07:03:27 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA02757 for firewalls-outgoing; Mon, 9 Jan 1995 06:58:09 -0800
Received: from po.gis.prc.com (po.gis.prc.com [140.188.128.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA02752 for ; Mon, 9 Jan 1995 06:58:03 -0800
Message-ID:
Date: 9 Jan 1995 08:03:45 -0500
From: "Server #7000007"
Subject: Undeliverable Mail
X-Mailer: Mail*Link SMTP/MS 3.0.0
Apparently-To:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Unknown Microsoft mail form. Approximate representation follows.

Message: Firewalls-Digest V4 #16
Sent: Sun, Jan 8, 1995 4:28 AM
To: Harris Tom
On Server: PRC Bellevue NE MS
Date: Mon, Jan 9, 1995 8:03 AM
Reason: Could not be delivered because the destination Microsoft Mail server could not be found.

From firewalls-owner Mon Jan 9 07:32:15 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA02919 for firewalls-outgoing; Mon, 9 Jan 1995 07:04:15 -0800
Received: from maily1.prodigy.com (maily1.prodigy.com [192.207.105.55]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA02914 for ; Mon, 9 Jan 1995 07:04:12 -0800
Received: by maily1.prodigy.com id AA70468 (5.65c/IDA-1.4.4); Mon, 9 Jan 1995 10:01:08 -0500
Date: Mon, 9 Jan 1995 10:01:08 -0500 (EST)
From: Frank Wortner
To: Adam Shostack
Cc: Chris Brittain , Firewalls@greatcircle.com
Subject: Re: IBM's NetSP Secured Network Gateway
In-Reply-To: <199501090531.AAA17519@bwh.harvard.edu>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 9 Jan 1995, Adam Shostack wrote (regarding NetSP):

> 3. Nothing like tripwire seems to be included.

Admittedly, it's not tripwire, but "normal" AIX does include a trusted computing base audit program called tcbck.
It checks files against attributes listed in /etc/security/sysck.cfg. One advantage is that it understands ACLs, which tripwire does not. On the downside, the checksum it uses is just plain "sum -r". I believe that it is possible to use alternate checksum programs, but I haven't tried this.

The database is also available online in /etc/security, so it's subject to the same vulnerabilities as an online tripwire database. With either program, it makes sense to store a copy of the database on a readonly medium and verify against that copy.

--
Frank

From firewalls-owner Mon Jan 9 08:03:02 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA03350 for firewalls-outgoing; Mon, 9 Jan 1995 07:38:19 -0800
Received: from mail.Germany.EU.net (mail.Germany.EU.net [192.76.144.65]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA03339 for ; Mon, 9 Jan 1995 07:38:14 -0800
Received: by mail.Germany.EU.net with SMTP (8.6.5:29/EUnetD-2.5.1.c) via EUnet id QAA26438; Mon, 9 Jan 1995 16:36:33 +0100
Received: from barolo.ak.munich.ibm.com by prosecco.munich.ibm.de (4.03afxG1.2) id AA08367; Mon, 9 Jan 1995 16:23:38 +0100
Received: by barolo (AIX 3.2/UCB 5.64/afx1.8) id AA14766; Mon, 9 Jan 1995 16:32:53 +0100
From: afx@ibm.de (Andreas Siegert)
Message-Id: <9501091532.AA14766@barolo>
Subject: Re: IBM's NetSP Secured Network Gateway
To: adam@bwh.harvard.edu (Adam Shostack)
Date: Mon, 9 Jan 1995 16:32:53 +0100 (CET)
Cc: xuthus@dss.gov.au, Firewalls@GreatCircle.COM
In-Reply-To: <199501090531.AAA17519@bwh.harvard.edu> from "Adam Shostack" at Jan 9, 95 00:31:24 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 2693
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is me as a beta customer of the gateway...

> | Has anyone had any experience with IBM's NetSP Secured Network Gateway?
> | Anybody want to make any comments about it? positive? negative?
>
> The product manager was kind enough to send me a copy of the
> manual. (Scott Baumann (sbaumann@vnet.ibm.com)) It's a socks-based
> bastion system, with support for several smartcard systems. It runs
> on an rs/6000, with aix 3.2.5.

Actually it also contains a complete packet filter with logging. And for those that can not run socksified clients, there are proxy ftp and telnet daemons.

> Overall, it seemed to be a decent system. It used code from
> outside IBM, and seemed to be a decent first pass at building a
> firewall. I had a number of criticisms, which I'll mention, but it
> did seem to be a decent basis on which to build.

The only outside thing is socks as far as I know, the filter and the proxies are from internal systems that have been running for quite some time serving thousands of users. But I agree. It is a good basic system to build a firewall with. And I also do not like some of the details...

> 1. It's a SMIT-installable image. There's very little said
> about cutting down AIX bloat & suid's. The manual does mention
> cutting what's in inetd.conf. However, I think AIX is way too big to
> be trusted.

You really don't need to install much for the firewall. And I wouldn't.

> 2. It uses IBM's sendmail. Not ucb 8.6.9, not smap, smail or
> anything else, but sendmail.

Yup, I would have liked to see a different solution....

> 3. Nothing like tripwire seems to be included.

Hmm. The initial product does not use it by default (I hope future ones will), but have you checked the TCB in AIX? It is a pretty nifty integrity checker once configured properly. Unfortunately the current docs don't cover it, but when adding the AIX audit facility you can get a realtime trace of a lot of events. On my gateway systems this includes write access to any configuration file. With the right setup you have a realtime trace of hot events. (AIX audit > syslog > remote syslog > swatch)

> 4.
No high speed network adapters (I noted a lack of FDDI and
> ATM)

I think that is just the manual, it should work on any IP connection, haven't tested it yet though.

> 5. The manual didn't cover testing enough.

Yup, that one could be better.

cheers
afx
--
Andreas Siegert / Postmaster   IBM Deutschland GmbH        | Never grep a yacc
AIX Field Support Center       Anzinger Strasse 29         | by the i-node!
Internet: afx@ibm.de           D-81671 Muenchen            | Opinions are my own,
VNET: AFX@IPNET                Voice: (49)-(89)-4504-4509  | not IBM's.

From firewalls-owner Mon Jan 9 08:32:50 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA04171 for firewalls-outgoing; Mon, 9 Jan 1995 08:13:29 -0800
Received: from freedom.msfc.nasa.gov (FREEDOM.MSFC.NASA.GOV [128.158.1.222]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA04162 for ; Mon, 9 Jan 1995 08:13:24 -0800
Received: by freedom.msfc.nasa.gov (5.61/Silicon-Graphics/90-04-25) id AA12165; Mon, 9 Jan 95 10:11:14 -0600
Date: Mon, 9 Jan 95 10:11:14 -0600
From: roosekj@freedom.msfc.nasa.gov (kathryn Roose)
Message-Id: <9501091611.AA12165@freedom.msfc.nasa.gov>
To: firewalls-digest@GreatCircle.COM
Subject: TCP/IP Firewall System Comparisons
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The periodical Internet World listed commercial vendors for TCP/IP Firewall Systems in their February 1995 issue. I am trying to research possible articles that compare current TCP/IP Firewall System products that are on the market. If anyone knows of such articles I would appreciate the information.

Many thanks in advance!
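Frank Wortner and Andreas Siegert discuss the AIX TCB checker above, whose /etc/security/sysck.cfg entries rely on the plain "sum -r" checksum, and the advice to verify against a baseline kept on read-only media. The following is an added example, not from the thread or from IBM, showing why that checksum is the weak link: a modified file padded so that its 16-bit "sum -r" matches the baseline passes unnoticed, while a SHA-256 entry in the same baseline catches it. File paths and contents are constructed; the padding search and its fixed seed are this example's own.

```python
import hashlib
import random


def bsd_sum_r(data: bytes, seed: int = 0) -> int:
    """16-bit checksum of BSD 'sum -r': rotate the state right one bit, add the
    byte.  'seed' lets a checksum continue from a saved state, which is what the
    padding search below uses so it only re-hashes the appended bytes."""
    s = seed
    for b in data:
        s = (s >> 1) | ((s & 1) << 15)   # rotate the 16-bit state right
        s = (s + b) & 0xFFFF
    return s


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def baseline(files: dict) -> dict:
    """Record both checksums per file.  This table is what you would copy to
    read-only media before trusting it, as the thread recommends."""
    return {path: (bsd_sum_r(data), sha256_hex(data)) for path, data in files.items()}


def verify(files: dict, base: dict) -> dict:
    """Compare files to the baseline; returns {path: set of checks that flagged it}."""
    findings = {}
    for path, data in files.items():
        want_sum, want_sha = base[path]
        flagged = set()
        if bsd_sum_r(data) != want_sum:
            flagged.add("sum -r")
        if sha256_hex(data) != want_sha:
            flagged.add("sha256")
        if flagged:
            findings[path] = flagged
    return findings


def pad_to_match_sum_r(data: bytes, target: int, max_tries: int = 1_000_000) -> bytes:
    """Append 12 random bytes until the 16-bit checksum equals 'target'.  Only
    65536 checksum values exist, so roughly that many tries are expected; the
    fixed seed keeps the demonstration repeatable."""
    rng = random.Random(1)
    state = bsd_sum_r(data)            # checksum state after the real content
    for _ in range(max_tries):
        tail = rng.getrandbits(96).to_bytes(12, "big")
        if bsd_sum_r(tail, seed=state) == target:
            return data + tail
    raise RuntimeError("no matching tail found")


# Constructed sample files standing in for a bastion host's configuration.
ORIGINAL_FILES = {
    "/etc/inetd.conf": (b"ftp stream tcp nowait root /usr/sbin/tcpd ftpd\n"
                        b"telnet stream tcp nowait root /usr/sbin/tcpd telnetd\n"),
    "/etc/hosts.equiv": b"trusted-host.example.com\n",
}
# The same file after an unauthorised edit: one more service switched on.
TAMPERED_INETD = ORIGINAL_FILES["/etc/inetd.conf"] + \
    b"shell stream tcp nowait root /usr/sbin/tcpd rshd\n"


def demo() -> tuple:
    """Returns (checks that caught the plain edit, checks that caught the padded edit)."""
    base = baseline(ORIGINAL_FILES)
    tampered = dict(ORIGINAL_FILES)
    tampered["/etc/inetd.conf"] = TAMPERED_INETD
    plain = verify(tampered, base)["/etc/inetd.conf"]
    # Pad the edited file so its 'sum -r' equals the baseline value again.
    disguised = dict(ORIGINAL_FILES)
    disguised["/etc/inetd.conf"] = pad_to_match_sum_r(
        TAMPERED_INETD, base["/etc/inetd.conf"][0])
    hidden = verify(disguised, base)["/etc/inetd.conf"]
    return plain, hidden


if __name__ == "__main__":
    plain, hidden = demo()
    print("plain edit flagged by:", sorted(plain))
    print("padded edit flagged by:", sorted(hidden))
```

A real "sum -r" entry also records a block count, which twelve extra bytes rarely change; the read-only baseline protects the table itself, not the strength of the checksum in it.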
From firewalls-owner Mon Jan 9 09:02:34 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA04594 for firewalls-outgoing; Mon, 9 Jan 1995 08:43:14 -0800
Received: from pegase.total.fr (pegase.total.fr [146.249.41.223]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA04582 for ; Mon, 9 Jan 1995 08:42:38 -0800
Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA16950; Mon, 9 Jan 95 17:37:08 +0100
Received: by tidtest.total.fr (4.1/SMI-4.1) id AA03852; Mon, 9 Jan 95 17:33:32 GMT
Received: from pegase.total.fr by tidtest.total.fr (4.1/SMI-4.1) id AA03818; Mon, 9 Jan 95 16:08:37 GMT
Received: from vger-ppp0.tripcom.com by pegase.total.fr with SMTP (16.6/16.2) id AA16072; Mon, 9 Jan 95 16:11:22 +0100
Received: from localhost (adam@localhost) by vger.tripcom.com (8.6.5/8.6.5) id JAA14264 for lavondes@tidtest.total.fr; Mon, 9 Jan 1995 09:14:14 -0600
From: Adam Horwitz
Message-Id: <199501091514.JAA14264@vger.tripcom.com>
Subject: Re: Nov*ix for NetWare
To: lavondes@tidtest.total.fr
Date: Mon, 9 Jan 1995 09:14:13 -0600 (CST)
In-Reply-To: <9501091130.AA03736@tidtest.total.fr> from "Michel Lavondes" at Jan 9, 95 11:30:36 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 871
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> William Wong wrote :
> >
> > I think unless Novix engineers have put some trap door inside the NLM. I
> > don't see great possibilities of penetration. If it's not, please correct
> > me. Since we think that it is a great firewall itself.
> >
> > >I'm seeking comments on Nov*ix for Netware's firewall/security feature?
> > Any
> > > > > ideas are appreciated.
> > >
> > >Thank you in advance.

If you are not running TCP/IP on your network for any other reason (i.e. you don't have any UNIX systems) then should a user start up an FTP server, you have a potential security hole. Potentially everything that that network user has access to (i.e.
drives F:, N:, etc.) is now available to the outside world.

--
Adam Horwitz (708) 778-9531
Tripcom Systems Inc.   adam@tripcom.com
E-Mail, Internet, TCP/IP Solutions & Consulting

From firewalls-owner Mon Jan 9 11:33:06 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA06664 for firewalls-outgoing; Mon, 9 Jan 1995 11:15:54 -0800
Received: from shadow.net (cklaus@anshar.shadow.net [198.79.48.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA06659 for ; Mon, 9 Jan 1995 11:15:51 -0800
Received: (cklaus@localhost) by shadow.net (8.6.8.1/jc-1.0) id OAA15225; Mon, 9 Jan 1995 14:17:09 -0500
From: Christopher Klaus
Message-Id: <199501091917.OAA15225@shadow.net>
Subject: Re: ISS scanning from tostada.engr.ucdavis.edu
To: syshtg@gsusgi2.gsu.edu (Tom Gillman)
Date: Mon, 9 Jan 1995 14:17:09 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9501091310.AA08788@gsusgi2.gsu.edu> from "Tom Gillman" at Jan 9, 95 08:10:36 am
X-Mailer: ELM [version 2.4 PL20]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1760
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>
> Just as a note. We had an ISS scan run on our domain from this location
> over the weekend. You may be next.

Thanks for letting us know. I have followed up by sending mail to CERT and the people at UC Davis. Awaiting their response.

ISS, Internet Security Scanner, is an auditing package that is publicly available that checks domains and nodes searching for well-known vulnerabilities and generating a log for the administrator to take corrective measures. It is mentioned in Bellovin's and Cheswick's Internet Security and Firewalls and Repelling the Wily Hacker. It is vital that you run this package against your network to find vulnerabilities before intruders do. It is available on ftp at aql.gatech.edu /pub/security/iss.
There is a commercial version available and if you are interested, there is more information on it at http://iss.net/~iss.

I highly recommend that if you have Netscape (preferably) or Mosaic, you check out http://iss.net/~iss because I also write Security FAQs on who to contact for security problems at various vendors, what patches you need, what to do if you are compromised and what security problems to look for, and how to set up anonymous FTP securely. These files are available on rtfm.ai.mit.edu I believe in the FAQ answers as well as periodically posted on Usenet. If you are in a big organisation, I recommend getting these files to various admins so they know more about security issues and problems.

If you have any questions about using ISS, my FAQs, etc, you can e-mail me at cklaus@iss.net.

--
Christopher William Klaus                 Voice: (404)518-0099. Fax: (404)518-0030
Internet Security Systems, Inc.           Computer Security Consulting
2209 Summit Place Drive, Atlanta, GA. 30350-2450.

From firewalls-owner Mon Jan 9 12:18:51 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA06928 for firewalls-outgoing; Mon, 9 Jan 1995 11:39:18 -0800
Received: from shadow.net (cklaus@anshar.shadow.net [198.79.48.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA06923 for ; Mon, 9 Jan 1995 11:39:15 -0800
Received: (cklaus@localhost) by shadow.net (8.6.8.1/jc-1.0) id OAA16230; Mon, 9 Jan 1995 14:40:40 -0500
From: Christopher Klaus
Message-Id: <199501091940.OAA16230@shadow.net>
Subject: Re: ISS scanning from tostada.engr.ucdavis.edu
To: syshtg@gsusgi2.gsu.edu (Tom Gillman)
Date: Mon, 9 Jan 1995 14:40:39 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9501091310.AA08788@gsusgi2.gsu.edu> from "Tom Gillman" at Jan 9, 95 08:10:36 am
X-Mailer: ELM [version 2.4 PL20]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 902
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I
totally disapprove of miscreants abusing ISS. ISS is intended for scanning your own networks which you are authorized to scan.

I highly recommend setting up tcp_wrappers and checking logs to see if anyone is using ISS to knock on your doors. If so, please report the site that the scanning is coming from to CERT and it probably would be a good idea to get in touch with the admins of that site by doing whois site.com or site.edu . Other possible ways to protect yourself would be to block that site from your routers before the scanning is complete if possible. Also, I highly recommend you check your own security by running ISS so you know at least what the intruder knows.

Sincerely,
Christopher

--
Christopher William Klaus                 Voice: (404)518-0099. Fax: (404)518-0030
Internet Security Systems, Inc.           Computer Security Consulting
2209 Summit Place Drive, Atlanta, GA. 30350-2450.

From firewalls-owner Mon Jan 9 13:32:22 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA08415 for firewalls-outgoing; Mon, 9 Jan 1995 13:17:58 -0800
Received: from ustcunclass.safb.af.mil (ustcunclass.safb.af.mil [140.175.24.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA08404 for ; Mon, 9 Jan 1995 13:17:36 -0800
Received: by ustcunclass.safb.af.mil (4.1/SMI-4.1) id AA19869; Mon, 9 Jan 95 15:10:15 CST
Date: Mon, 9 Jan 95 15:10:15 CST
From: kidaj@ustcunclass.safb.af.mil (John H. Kida)
Message-Id: <9501092110.AA19869@ustcunclass.safb.af.mil>
To: syshtg@gsusgi2.gsu.edu, cklaus@shadow.net
Subject: Re: ISS scanning from tostada.engr.ucdavis.edu
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Could you provide an FTP point for ISS?
Kida

From firewalls-owner Mon Jan 9 14:34:37 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA09059 for firewalls-outgoing; Mon, 9 Jan 1995 14:07:40 -0800
Received: from shadow.net (cklaus@anshar.shadow.net [198.79.48.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA09054 for ; Mon, 9 Jan 1995 14:07:36 -0800
Received: (cklaus@localhost) by shadow.net (8.6.8.1/jc-1.0) id RAA24686; Mon, 9 Jan 1995 17:07:28 -0500
From: Christopher Klaus
Message-Id: <199501092207.RAA24686@shadow.net>
Subject: ISS and FTP
To: kidaj@ustcunclass.safb.af.mil (John H. Kida)
Date: Mon, 9 Jan 1995 17:07:28 -0500 (EST)
Cc: syshtg@gsusgi2.gsu.edu, cklaus@shadow.net, firewalls@GreatCircle.COM
In-Reply-To: <9501092110.AA19869@ustcunclass.safb.af.mil> from "John H. Kida" at Jan 9, 95 03:10:15 pm
X-Mailer: ELM [version 2.4 PL20]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 617
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Could you provide an FTP point for ISS?
>

The publicly available version is on aql.gatech.edu /pub/security/iss. ISS, Inc is moving this month and getting a faster link to the net. I apologize if you get a connection refused by my host at times, but it is temporarily down, and I recommend trying later. By next month, the Web pages should be accessible faster and more reliably. Thank you for understanding.

Christopher

--
Christopher William Klaus                 Voice: (404)518-0099. Fax: (404)518-0030
Internet Security Systems, Inc.           Computer Security Consulting
2209 Summit Place Drive, Atlanta, GA. 30350-2450.
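Christopher Klaus recommends earlier in this thread setting up tcp_wrappers and checking its logs for anyone using ISS to "knock on your doors". As an added example that is not part of the thread or of ISS, here is a small detector over constructed tcpd syslog lines: one host that is probed across many inetd services within a short window is reported as a sweep, while a Netfind-style finger lookup and an ordinary ftp user are not. The host names are placeholders, and the threshold of four distinct services within 120 seconds is an assumption to tune for your site.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Optional

# Constructed tcpd (tcp_wrappers) syslog lines.  Syslog omits the year, and
# tcpd logs one "connect from" or "refused connect from" line per attempt.
SAMPLE_LOG = """\
Jan  9 02:11:40 gw in.fingerd[2201]: connect from sweep.example.edu
Jan  9 02:11:41 gw in.telnetd[2202]: refused connect from sweep.example.edu
Jan  9 02:11:41 gw in.ftpd[2203]: refused connect from sweep.example.edu
Jan  9 02:11:43 gw in.rshd[2204]: refused connect from sweep.example.edu
Jan  9 02:11:44 gw in.rlogind[2205]: refused connect from sweep.example.edu
Jan  9 02:11:46 gw in.tftpd[2206]: refused connect from sweep.example.edu
Jan  9 02:15:02 gw in.fingerd[2240]: connect from netfind.example.edu
Jan  9 02:15:03 gw in.fingerd[2241]: connect from netfind.example.edu
Jan  9 03:40:10 gw in.ftpd[2300]: connect from client.example.com
Jan  9 03:41:12 gw in.ftpd[2301]: connect from client.example.com
Jan  9 03:42:15 gw in.ftpd[2302]: connect from client.example.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<svc>[\w.-]+)\[\d+\]: "
    r"(?P<verdict>refused connect|connect) from (?P<src>\S+)$"
)


def parse_line(line: str, year: int = 1995) -> Optional[dict]:
    """Parse one tcpd log line into a dict, or None for lines tcpd did not write."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "service": m["svc"], "src": m["src"],
            "refused": m["verdict"].startswith("refused")}


def find_sweeps(lines, min_services: int = 4, window_seconds: int = 120) -> dict:
    """Report sources that touched at least min_services distinct services
    inside any window_seconds-long window.  Returns {src: summary}."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)
    sweeps = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start, best = 0, set()
        for end, ev in enumerate(events):
            # Slide the window start forward until it fits within the limit.
            while (ev["ts"] - events[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            services = {e["service"] for e in events[start:end + 1]}
            if len(services) > len(best):
                best = services
        if len(best) >= min_services:
            sweeps[src] = {
                "services": sorted(best),
                "first_seen": events[0]["ts"].isoformat(),
                "refused": sum(e["refused"] for e in events),
            }
    return sweeps


if __name__ == "__main__":
    for src, info in find_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {len(info['services'])} services from {info['first_seen']}, "
              f"{info['refused']} refused: {', '.join(info['services'])}")
```

The "refused" count only rises for services that tcpd's hosts.deny actually blocks, so a sweep that is fully refused is still worth reporting, as Klaus suggests, since it shows which services the scanner found listening.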
From firewalls-owner Mon Jan 9 15:42:49 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA10026 for firewalls-outgoing; Mon, 9 Jan 1995 15:07:32 -0800
Received: from exchange.acc.org (exchange.acc.org [199.74.213.82]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA10011 for ; Mon, 9 Jan 1995 15:07:27 -0800
From: twalker@acc.org
Received: from ccMail by exchange.acc.org (IMA Internet Exchange v1.04) id f11c25d0; Mon, 9 Jan 95 18:10:21 -0500
Mime-Version: 1.0
Date: Mon, 9 Jan 1995 18:09:21 -0500
Message-ID:
Subject: fwtk & Solaris (not)
To: firewalls@greatcircle.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I wrote:
>'since I am not a programmer, anyone have the Makefile for fwtk
>configured for Solaris 2.4'
--------------------------------------------------------------------

It does not look good for me on this Solaris 2.4 version. The patch on ftp.tis.com is incomplete & a call to Tis did not prove fruitful.

Tis indicated that a Solaris port would be painful. hmmm.

How about Sun OS 4.1.3? Anyone have luck with this? And would I be able to get a Makefile and/or config files for it?

Thanks for the Help.
/Tom
-----------------------------------------------------------------
Tom Walker, Network Manager
American College of Cardiology
MHS:twalker@acc   Internet:twalker@acc.org

From firewalls-owner Mon Jan 9 18:33:43 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA11979 for firewalls-outgoing; Mon, 9 Jan 1995 18:07:35 -0800
Received: from wolfe.wimsey.com (root@wolfe.wimsey.com [198.162.16.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA11974 for ; Mon, 9 Jan 1995 18:07:28 -0800
Received: by wolfe.wimsey.com (Smail3.1.28.1 #31) id m0rRVxW-000BMNC; Mon, 9 Jan 95 18:05 PST
Received: by ilinx.com (/\oo/\ Smail3.1.29.1 #29.6) id ; Mon, 9 Jan 95 17:25 PST
Message-Id:
Received: by miro.ilinx.com id ; Mon, 9 Jan 95 17:26:23 -0800
From: brian@imcon.ilinx.com
To: twalker@acc.org
Subject: Re: fwtk & Solaris (not)
Cc: firewalls@greatcircle.com
Date: Mon, 9 Jan 1995 17:26:23 -0700 (PST)
X-Mailer: Ishmail 1.0-hp-941109 Available via anonymous ftp from ftp.halsoft.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

from the quill of twalker@acc.org
>
> I wrote:
>
> >'since I am not a programmer, anyone have the Makefile for fwtk
> >configured for Solaris 2.4'
>
> --------------------------------------------------------------------
>
> It does not look good for me on this Solaris 2.4 version. The patch
> on ftp.tis.com is incomplete & a call to Tis did not prove fruitful.
>
> Tis indicated that a Solaris port would be painful. hmmm.

I don't get it. Why would it be painful?? FWTK compiled pretty much out of the box on my UnixWare box which is SVR4.2 which application-wise is _very_ close to Solaris (or is it the other way around :-) ).

b.
--
Brian J. Murrell                          brian@ilinx.com
InterLinx Support Services, Inc.          brian@wimsey.com
North Vancouver, B.C.
604 983 UNIX
Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD

From firewalls-owner Mon Jan 9 19:08:28 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA12706 for firewalls-outgoing; Mon, 9 Jan 1995 18:39:22 -0800
Received: from Sun.COM (Sun.COM [192.9.9.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA12700 for ; Mon, 9 Jan 1995 18:39:19 -0800
Received: from West.Sun.COM (west.West.Sun.COM) by Sun.COM (sun-barr.Sun.COM) id AA14469; Mon, 9 Jan 95 18:37:43 PST
Received: from zeppo.West.Sun.COM by West.Sun.COM (5.0/SMI-5.3) id AA22554; Mon, 9 Jan 1995 18:37:42 +0800
Received: from onizuka.West.Sun.COM by zeppo.West.Sun.COM (5.0/SMI-5.3-900117) id AA05673; Mon, 9 Jan 1995 18:37:15 -0800
Received: by onizuka.West.Sun.COM (5.0/SMI-SVR4) id AA05862; Mon, 9 Jan 1995 18:36:32 -0800
Date: Mon, 9 Jan 1995 18:36:32 -0800
From: Michael.Possedi@West.Sun.COM (Michael Possedi - SMCC Air Force Sales)
Message-Id: <9501100236.AA05862@onizuka.West.Sun.COM>
To: firewalls@GreatCircle.COM
Subject: please add me to this alias
X-Sun-Charset: US-ASCII
Content-Length: 248
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

thanks

Michael Possedi                  |      _      |
Sun Sales Representative        _|___/v\___|_
Government District          -====(~)=(.*.)=(~)====-
phone: 415-960-4359                    `-'
fax #: 415-961-4872

From firewalls-owner Mon Jan 9 20:08:15 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA14189 for firewalls-outgoing; Mon, 9 Jan 1995 19:52:26 -0800
Received: from seraph.uunet.ca (uunet.ca [142.77.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id TAA14183 for ; Mon, 9 Jan 1995 19:52:23 -0800
Received: from lci by mail.uunet.ca with UUCP id <124355-1>; Mon, 9 Jan 1995 22:51:29 -0500
Received: by lci (MKS Internet Anywhere); Mon, 09 Jan 95 22:10:41 UTC
From: lci!cklung (C.K.
Lung) To: firewalls , William Wong Subject: Re: Nov*ix for NetWare Date: Mon, 9 Jan 1995 22:01:41 -0500 X-MAILER: MKS Internet Anywhere - Compose 1.1b X-MKSIA-SN: 3990260790 Message-Id: <789689441@lci> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On 9 January at 19:58, you wrote: > I think unless Novix engineer have put some trap door inside the NLM. I > don't see great possibilities of penetration. If it's not, please correct > me. Since we think that it is a great firewall itself. > William; How does Nov*ix "trap door" work? Any further information is appreciated. Thanks. -- C.K. Lung Toronto, Ontario ck.lung@rose.com From firewalls-owner Mon Jan 9 20:29:24 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA14021 for firewalls-outgoing; Mon, 9 Jan 1995 19:35:17 -0800 Received: from uustar.starnet.net (uustar.starnet.net [128.252.135.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id TAA14016 for ; Mon, 9 Jan 1995 19:35:14 -0800 Received: from devildog.UUCP by uustar.starnet.net with UUCP id AA26517 (5.67b/IDA-1.5 for firewalls@greatcircle.com); Mon, 9 Jan 1995 20:44:22 -0600 Received: by devildog (5.65/1.35) id AA03619; Mon, 9 Jan 95 20:44:09 -0600 From: devildog!grover@uustar.starnet.net (grover davidson) Message-Id: <9501100244.AA03619@devildog> Subject: re: IBM's NetSP Secured Gateway Product To: firewalls@greatcircle.com Date: Mon, 9 Jan 95 20:44:08 CST X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > On Mon, 9 Jan 1995, Adam Shostack wrote (regarding NetSP): > > > 3. Nothing like tripwire seems to be included. > > Admittedly, it's not tripwire, but "normal" AIX does include a trusted > computing base audit program called tcbck. It checks files against > attributes listed in /etc/security/sysck.cfg. One advantage is that it > understands ACLs, which tripwire does not. On the downside, the checksum > it uses is just plain "sum -r". 
> I believe that it is possible to
> use alternate checksum programs, but I haven't tried this.
>

True, but it does not have all the attributes that tripwire does and IMHO, tripwire is far superior. I do not remember exactly what AIX is missing, but I remember having a very in depth conversation with the AIX level 3 folks about it.

> The database is also available online in /etc/security, so it's subject to
> the same vulnerabilities as an online tripwire database. With either
> program, it makes sense to store a copy of the database on a readonly
> medium and verify against that copy.
>
> --
> Fran

Grover
--
Grover C. Davidson II | I speak for ME! This is my machine, and my
828 Fall Crown Ln | ideas. My employer doesn't pay for my machine
Fenton, Mo 63026 | or ask for my opinions.
314-343-5642 | grover@devildog.st-louis.mo.us

From firewalls-owner Tue Jan 10 09:03:12 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA22859 for firewalls-outgoing; Tue, 10 Jan 1995 08:46:36 -0800
Received: from research.att.com (research.att.com [192.20.225.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA22854 for ; Tue, 10 Jan 1995 08:46:34 -0800
From: smb@research.att.com
Message-Id: <199501101646.IAA22854@miles.greatcircle.com>
Received: by gryphon; Tue Jan 10 11:40:09 EST 1995
To: Darren Reed
cc: root@wu1.wl.aecl.ca (system PRIVILEGED account), drc@ppt.com, firewalls@greatcircle.com
Subject: Re: spoofing TCP/SYN packets?
Date: Tue, 10 Jan 95 11:40:08 EST
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is discussed in one of Steve Bellovin's papers on TCP/IP...

pext.ps - "Security Problems in the TCP/IP Protocol Suite" Steven M. Bellovin, AT&T Bell Laboratories smb@ulysses.att.com, Apr 1989.

CACM Vol 19, No. 2 is the one you want (I think).
ftp://ftp.research.att.com/dist/internet_security/ipext.ps.Z

From firewalls-owner Tue Jan 10 09:49:10 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA22785 for firewalls-outgoing; Tue, 10 Jan 1995 08:31:40 -0800
Received: from research.att.com (research.att.com [192.20.225.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA22780 for ; Tue, 10 Jan 1995 08:31:38 -0800
From: smb@research.att.com
Message-Id: <199501101631.IAA22780@miles.greatcircle.com>
Received: by gryphon; Tue Jan 10 11:28:00 EST 1995
To: Wulf Losee
cc: firewalls@GreatCircle.com
Subject: Re: FW: PC Take-Over -- reply
Date: Tue, 10 Jan 95 11:27:59 EST
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

	Answer: I am not aware of any breakins; however, I think you have to ask yourself the question: "how -- through what mechanism -- would a break in be accomplished?" PCs running multitasking OSs that offer TCP/IP-based services (rlogin, telnet, and ftp) are vulnerable from the Internet (without proper firewalls or router filters). So... Correct me if I'm wrong (please!), but since DOS and regular Windows (both Windows 3.x and Windows for Warehouses) are not multitasking, multithreading operating systems it would be impossible to subvert these systems unless the cracker were dialing in through a modem or actually sitting at the PC's console.

You might be surprised at what your PC is running. A colleague here brought up Chameleon -- and I discovered that he was running an FTP server on his machine, quite unknowingly. This was an ordinary PC running Windows...
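The tcbck/tripwire exchange earlier in this digest (an attribute database per file, a 16-bit "sum -r" checksum, and the advice to verify against a copy of the database kept on read-only media) as an added worked example. This is my own minimal checker, not tcbck or tripwire code; the JSON database format, the temporary file names and the "tamper" step in the demo are all constructed for the example.

```python
"""Minimal tripwire/tcbck-style file integrity checker (added example).

Records a baseline of attributes for each file (mode, owner, size, mtime and a
SHA-256 digest instead of the 16-bit "sum -r" value) and later reports which
attribute of which file changed.  Function names and the JSON database format
are this example's own assumptions, not tcbck's or tripwire's.
"""
import hashlib
import json
import os
import stat
import tempfile

# Attributes recorded per file.  "sum -r" yields a 16-bit value (65536 possible
# outputs); a SHA-256 digest is used here in its place.
ATTRIBUTES = ("mode", "uid", "gid", "size", "mtime", "sha256")


def sha256_of_file(path, chunk=65536):
    """Hash a file's contents in chunks so large files do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(path):
    """Collect the attributes of one file without following symlinks."""
    st = os.lstat(path)
    entry = {
        "mode": stat.filemode(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "mtime": int(st.st_mtime),
    }
    # Only regular files have contents worth hashing; devices and symlinks get None.
    entry["sha256"] = sha256_of_file(path) if stat.S_ISREG(st.st_mode) else None
    return entry


def build_database(paths):
    """Baseline: path -> attribute dict for every file to be watched."""
    return {p: snapshot(p) for p in paths}


def save_database(db, db_path):
    # An online copy is only as trustworthy as the host; keep the copy you verify
    # against on read-only media, as the thread recommends.
    with open(db_path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_database(db_path):
    with open(db_path) as f:
        return json.load(f)


def verify(db):
    """Compare the live filesystem against the baseline.

    Returns path -> list of attribute names that differ, or ["missing"] when the
    file is gone.  Files that match the baseline are not reported.
    """
    report = {}
    for path, expected in db.items():
        if not os.path.lexists(path):
            report[path] = ["missing"]
            continue
        current = snapshot(path)
        changed = [a for a in ATTRIBUTES if current.get(a) != expected.get(a)]
        if changed:
            report[path] = changed
    return report


def demo():
    """Constructed demo: baseline two files, then alter one without changing
    its size and with its mtime restored, so only the digest gives it away."""
    d = tempfile.mkdtemp()
    untouched = os.path.join(d, "passwd")
    altered = os.path.join(d, "login")
    for p in (untouched, altered):
        with open(p, "w") as f:
            f.write("original contents of " + os.path.basename(p) + "\n")
    db_path = os.path.join(d, "baseline.json")
    save_database(build_database([untouched, altered]), db_path)

    st = os.stat(altered)
    with open(altered, "r+") as f:       # overwrite one byte: same length
        f.seek(0)
        f.write("X")
    os.utime(altered, (st.st_atime, st.st_mtime))  # put the old timestamp back

    return verify(load_database(db_path))  # -> {...login: ["sha256"]}


if __name__ == "__main__":
    for path, changed in demo().items():
        print(path, "changed:", ", ".join(changed))
```

Checks of size and mtime alone would pass the altered file here; the digest is what flags it.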
From firewalls-owner Tue Jan 10 09:51:11 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA22834 for firewalls-outgoing; Tue, 10 Jan 1995 08:43:52 -0800
Received: from cuugnet.cuug.ab.ca (cuugnet.cuug.ab.ca [204.50.6.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA22829 for ; Tue, 10 Jan 1995 08:43:40 -0800
Received: by cuugnet.cuug.ab.ca (AIX 3.2/UCB 5.64/4.03-CUUG-02) id AA28554; Tue, 10 Jan 1995 09:37:40 -0700
Received: by ctycal.lis.dpsd.gov.calgary.ab.ca (AIX 3.2/UCB 5.64/4.03.TRI-IG) id AA41926; Tue, 10 Jan 1995 08:35:41 -0700
Date: Tue, 10 Jan 1995 08:35:41 -0700 (MST)
From: Terry Ingoldsby
X-Sender: ingoldsb@ctycal.lis.dpsd.gov.calgary.ab.ca
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V4 #11
In-Reply-To: <199501052309.PAA07656@miles.greatcircle.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 5 Jan 1995 firewalls-digest-owner@GreatCircle.COM wrote:
>
> Firewalls-Digest Thursday, 5 January 1995 Volume 04 : Number 011
...
> ------------------------------
>
> From: Steve Marquess
> Date: Thu, 5 Jan 1995 14:58:35 -0500
> Subject: Re: FW: PC Take-Over -- reply
>
> >Wulf Losee says:
> >
> >Correct me if I'm wrong (please!), but since DOS and regular Windows (both
> >Windows 3.x and Windows for Warehouses) are not multitasking,
> >multithreading operating systems it would be impossible to subvert these
> >systems unless the cracker were dialing in through a modem or actually
> >sitting at the PC's console.
> >
>
> Probably true in general, but I have a PC here running DOS and a TSR from a
> widely used protocol stack (Novell's LWPD, the tsr is XPC.EXE) that I can
> telnet into and execute DOS commands -- including, in principle, commands to
> access LAN file servers or the mainframes that are not reachable via IP.
> This PC allows my Unix hosts to execute DOS commands and fetch data from the LANs
> from cron scripts run in the middle of the night.

Let's restrict the question further. Suppose, instead of a full-fledged TCP/IP stack, the situation is as follows:

A user has a PC that is connected to a local network. Perhaps with IPX or TCP/IP. The user occasionally connects to a local Internet provider using a dial-up PPP that comes with their Internet browser package (e.g. Internet in a Box).

My question is, am I safe in assuming that the economy version of PPP (TCP/IP) that comes with the browser is incapable of routing packets to the local network. I'm pretty sure that would be the case if the local network were IPX, I *think* this would be the case even if the local network were PPP. I'm basing my trust on the *assumption* that a low cost Internet browser package isn't going to be smart enough (particularly on a single tasking DOS/Windows box) to route packets (even if source routing is used).

Am I deluded? This is starting to become a common question. I've fielded it 3 or 4 times in the last few weeks.

Many people would like to use this strategy as a poor man's firewall. I.e. they have a local network that they don't want connected to the Internet, but a few of the users want access to Internet services. It is hard to justify the cost of a full-blown firewall in this case. Using a dial-out PPP Internet browser (to an ISP) on the DOS/Windows boxes *seems* like a reasonably safe but fairly functional compromise.
From firewalls-owner Tue Jan 10 10:17:17 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA22922 for firewalls-outgoing; Tue, 10 Jan 1995 08:53:04 -0800
Received: from gatekeeper.mcimail.com (gatekeeper.mcimail.com [192.147.45.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA22912 for ; Tue, 10 Jan 1995 08:53:00 -0800
Received: by gatekeeper.mcimail.com (5.65/fma-120691); id AA12106; Tue, 10 Jan 95 16:55:22 GMT
Received: from mcimail.com by mailgate.mcimail.com id ar14708; 10 Jan 95 16:49 WET
Date: Tue, 10 Jan 95 11:40 EST
From: Ken Presser
To: firewalls
Subject: Vendor Request for Proposal
Message-Id: <73950110164037/0005842030DC6EM@MCIMAIL.COM>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We are contemplating a 56KB connection to the Internet. Our main network consists of PC's on a Token-Ring connected to several Ethernet subnets. I will probably add a Cisco 2513 (1-TR, 1-Eth, 2-WAN) to bridge the TR to an Ethernet which would be the portion exposed to the Internet. I want to allow mail in and out. We will set up a public WWW, Gopher, and FTP server on the Ethernet segment. I want to provide a way to get from the internal net to all Internet services via proxy or some other secure means which will hide the details of the internal net.

I am seeking proposals from firewall vendors on products to help accomplish this project. Please respond via email to avoid cluttering this list with commercial announcements.

I am also looking for Internet Access Providers. If you know of or are one in the Winston-Salem, NC area please respond via email as well.

Anyone with advice on network configuration or other issues, please feel free to respond to the list or via email. I am studying the TIS fwtk and have the Cheswick and Bellovin book. Am about to go after the FAQ. What other resources are available?

Please send proposals to:
Ken Presser
Mgr. Tech Support
Sara Lee Intimates
PO Box 5100
Winston-Salem, NC 27113

Email not requiring an immediate answer (I'm very behind) can also be sent to kpresser@infi.net

From firewalls-owner Tue Jan 10 10:33:09 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA23809 for firewalls-outgoing; Tue, 10 Jan 1995 10:07:29 -0800
Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA23804 for ; Tue, 10 Jan 1995 10:07:26 -0800
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU via SMTP; Tue, 10 Jan 1995 13:05:46 -0500
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-5.67b/res.client.cf-3.7) id AA21038; Tue, 10 Jan 1995 13:05:45 -0500
Date: Tue, 10 Jan 1995 13:05:45 -0500
From: long-morrow@CS.YALE.EDU (H Morrow Long)
Message-Id: <199501101805.AA21038@SPARKY.CF.CS.YALE.EDU>
To: WLosee@Getty.Edu, smb@research.att.com
Subject: Re: FW: PC Take-Over -- reply
Cc: firewalls@GreatCircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

smb wrote:
>You might be surprised at what your PC is running. A colleague here
>brought up Chameleon -- and I discovered that he was running an FTP
>server on his machine, quite unknowingly. This was an ordinary PC
>running Windows...

Is it just under MS-DOS, or can you also under Windows do strange things to a person's PC via anonymous FTP by reading and writing to the devices:-?

con:
com1:
com2:
lpt:
prn:
...
etc.
Morrow

From firewalls-owner Tue Jan 10 11:03:25 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA24365 for firewalls-outgoing; Tue, 10 Jan 1995 10:40:38 -0800
Received: from hal.nes.com (hal.nes.com [198.114.188.24]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA24355 for ; Tue, 10 Jan 1995 10:40:33 -0800
Received: by hal.nes.com; Tue, 10 Jan 95 13:48:44 EST
Date: Tue, 10 Jan 95 13:45:30 EST
Message-ID:
X-Priority: 3 (Normal)
From: "Philip Kubat"
To: Firewalls@GreatCircle.COM
Subject: re:INFO
X-Incognito-SN: 344
X-Incognito-Format: VERSION=2.00 EA-2 ENCRYPTED=NO
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

INFO

Philip Kubat
New England Systems
60 First Avenue
Waltham, MA 02154
617-672-8466

From firewalls-owner Tue Jan 10 11:32:45 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA24734 for firewalls-outgoing; Tue, 10 Jan 1995 10:56:54 -0800
Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA24719 for ; Tue, 10 Jan 1995 10:56:47 -0800
Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.9/8.6.9) id MAA03400; Tue, 10 Jan 1995 12:52:13 -0600
Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma003397; Tue Jan 10 12:51:57 1995
Received: from ernie.bridge.com by ignatz.bridge.com with SMTP id AA27084 (5.67b/IDA-1.5); Tue, 10 Jan 1995 12:55:43 -0600
Date: Tue, 10 Jan 1995 12:55:43 -0600
From: Ken Hardy
Message-Id: <199501101855.AA27084@ignatz.bridge.com>
To: ingoldsb@gov.calgary.ab.ca
Subject: Re: Firewalls-Digest V4 #11
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>My question is, am I safe in assuming that the economy version of PPP
>(TCP/IP) that comes with the browser is incapable of routing packets to
>the local network.
>I'm pretty sure that would be the case if the local
>network were IPX, I *think* this would be the case even if the local
>network were PPP. I'm basing my trust on the *assumption* that a low
>cost Internet browser package isn't going to be smart enough
>(particularly on a single tasking DOS/Windows box) to route packets
>(even if source routing is used).
>
>Am I deluded? This is starting to become a common question. I've
>fielded it 3 or 4 times in the last few weeks.
>
>Many people would like to use this strategy as a poor man's firewall.

It's unlikely that under DOS or Windows the two IP stacks would know anything about each other. Even on OS/2; I've seen an OS/2 box used as an applications gateway between two networks running IBM's TCP/IP on one interface and FTP, Inc.'s on the other, and there's absolutely no (direct) interconnection possible between the networks (as I'm told by those involved in the work.) The only way to get from one network to the other would be to telnet into the OS/2 system and then run the OS/2 telnet, e.g., that came with the TCP/IP stack that's running on the remote interface.
-KH

From firewalls-owner Tue Jan 10 11:53:38 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA24881 for firewalls-outgoing; Tue, 10 Jan 1995 11:02:05 -0800
Received: from pegase.total.fr (pegase.total.fr [146.249.41.223]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA24872 for ; Tue, 10 Jan 1995 11:01:02 -0800
Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA04764; Tue, 10 Jan 95 19:55:05 +0100
Received: by tidtest.total.fr (4.1/SMI-4.1) id AA04264; Tue, 10 Jan 95 19:51:29 GMT
From: lavondes@tidtest.total.fr (Michel Lavondes)
Message-Id: <9501101951.AA04264@tidtest.total.fr>
Subject: DOS IP backdoors (was Re: Firewalls-Digest V4 #11)
To: ingoldsb@gov.calgary.ab.ca (Terry Ingoldsby)
Date: Tue, 10 Jan 95 19:51:27 GMT
Cc: firewalls@greatcircle.com
Reply-To: lavondes@tidtest.total.fr
In-Reply-To: ; from "Terry Ingoldsby" at Jan 10, 95 8:35 am
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Terry Ingoldsby wrote :
>
> [snip]
>
> My question is, am I safe in assuming that the economy version of PPP
> (TCP/IP) that comes with the browser is incapable of routing packets to
> the local network. I'm pretty sure that would be the case if the local
> network were IPX, I *think* this would be the case even if the local
> network were PPP. I'm basing my trust on the *assumption* that a low
> cost Internet browser package isn't going to be smart enough
> (particularly on a single tasking DOS/Windows box) to route packets
> (even if source routing is used).
>

DOS/Win IPX can manage only one IPX address, so you should be safe from that side. Of the DOS/Win IP stacks I know of, only Wollongong's can (could) be multi-homed, with a routing module available.
--
Michel Lavondes
E-Mail : lavondes@tidtest.total.fr
         lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected)
Tel : +33-1-4135-4198
Fax : +33-1-4135-4189

From firewalls-owner Tue Jan 10 12:02:44 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA25572 for firewalls-outgoing; Tue, 10 Jan 1995 11:35:35 -0800
Received: from pegase.total.fr (pegase.total.fr [146.249.41.223]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA25562 for ; Tue, 10 Jan 1995 11:35:24 -0800
Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA05081; Tue, 10 Jan 95 20:30:02 +0100
Received: by tidtest.total.fr (4.1/SMI-4.1) id AA04304; Tue, 10 Jan 95 20:26:27 GMT
From: lavondes@tidtest.total.fr (Michel Lavondes)
Message-Id: <9501102026.AA04304@tidtest.total.fr>
Subject: Re: FW: PC Take-Over -- reply
To: long-morrow@CS.YALE.EDU (H Morrow Long)
Date: Tue, 10 Jan 95 20:26:26 GMT
Cc: firewalls@greatcircle.com
Reply-To: lavondes@tidtest.total.fr
In-Reply-To: <199501101805.AA21038@SPARKY.CF.CS.YALE.EDU>; from "H Morrow Long" at Jan 10, 95 1:05 pm
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

H Morrow Long wrote :
>
> Is it just under MS-DOS, or can you also under Windows do strange things
> to a person's PC via anonymous FTP by reading and writing to the devices:-?
>
> con:
> com1:
> com2:
> lpt:
> prn:
> ...
> etc.
>

Except maybe for con:, I'm afraid you could. Didn't try it, though.
--
Michel Lavondes
E-Mail : lavondes@tidtest.total.fr
         lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected)
Tel : +33-1-4135-4198
Fax : +33-1-4135-4189

From firewalls-owner Tue Jan 10 12:18:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA25182 for firewalls-outgoing; Tue, 10 Jan 1995 11:15:59 -0800
Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA25177 for ; Tue, 10 Jan 1995 11:15:56 -0800
Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.9/8.6.9) id NAA03615; Tue, 10 Jan 1995 13:11:28 -0600
Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma003613; Tue Jan 10 13:11:20 1995
Received: from ernie.bridge.com by ignatz.bridge.com with SMTP id AA27336 (5.67b/IDA-1.5); Tue, 10 Jan 1995 13:15:13 -0600
Date: Tue, 10 Jan 1995 13:15:13 -0600
From: Ken Hardy
Message-Id: <199501101915.AA27336@ignatz.bridge.com>
To: long-morrow@CS.YALE.EDU
Subject: Re: FW: PC Take-Over -- reply
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Date: Tue, 10 Jan 1995 13:05:45 -0500
>From: long-morrow@CS.YALE.EDU (H Morrow Long)
>
>Is it just under MS-DOS, or can you also under Windows do strange things
>to a person's PC via anonymous FTP by reading and writing to the devices:-?
>
> con:
> com1:
> com2:
> lpt:
> prn:
> ...
> etc.

[Now I remember -- this is how I used to get access to a Novell PostScript printer from a Unix workstation before I had direct lpr connectivity; I'd run NCSA's telnet cum FTP server on my PC and ftp .ps files to LPT1:.]

The answer is that, at least with Chameleon, yes, you can ftp to devices. But it's worse than that. I just saw a demonstration where someone was running Chameleon's NFS server and mounted the PC's C: drive on a Unix box.
From the Unix box, he did "cd /net/mikespc/c ; ls -l > con" and the PC's console was written to (while in Windows graphics mode!) Apparently all special devices are available via this route (and FTP, presumably); this particular person said that "cat file > lpt1" will cause the named file to be dumped to the PC's printer.

Fun, fun, fun.

-KH

From firewalls-owner Tue Jan 10 12:46:32 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA26409 for firewalls-outgoing; Tue, 10 Jan 1995 12:22:14 -0800
Received: from spanky.ov.com (spanky.pls.ov.com [198.153.190.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA26403 for ; Tue, 10 Jan 1995 12:22:10 -0800
From: Mark.Hickey@ov.com
Received: from ccgate.pls.ov.com by spanky.ov.com with SMTP on Tue, 10 Jan 1995 12:19:18 -0800
Received: from ccMail by ccgate.pls.ov.com id AA789768847 Tue, 10 Jan 95 12:14:07 PST
Date: Tue, 10 Jan 95 12:14:07 PST
Message-Id: <9500107897.AA789768847@ccgate.pls.ov.com>
To: stewart@networx.com, ammf@avila.inesc.pt (Antonio Franco)
CC: kovar@nda.com (David Kovar), firewalls@GreatCircle.COM
Subject: Re[2]: Brief review of Firewall-1 - installation, support, f
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>>>> "Antonio" == Antonio Franco writes:

[Stuff deleted]

Antonio> I am surprised with these recent comments about
Antonio> Firewall-1, since I had seen some positive comments about
Antonio> it on some magazines (for example, Open Computing, Oct
Antonio> 94).

[More stuff deleted]

[ Chris Stewart responds ]
Being in a software company, and after seeing how some positive comments are placed, I take anything I read in the mags with several grains of salt.. I've also seen reviewers complain about what got edited out of their reviews.. Ah capitalism at work, can't piss off those potential advertisers...

A healthy grain of salt is good. This is true not only for magazine articles, but for industry newsletters/analyst reports.
It is more than implied that you get better press if you subscribe to the (sometimes pricey) service.

Mark

All opinions are strictly my own.
--
----------------------------------------------------------------------
Christopher A. Stewart | (Standard disclaimers are in effect)
System/Network Administrator |
Legent Corp. Networx Div. |
Bellevue, Wa. 98004 |
Voice (206)-688-2154 |
Fax (206)-688-2050 |

From firewalls-owner Tue Jan 10 13:02:33 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA27112 for firewalls-outgoing; Tue, 10 Jan 1995 12:45:45 -0800
Received: from pru-psc.com (pru-psc.com [204.5.5.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA27107 for ; Tue, 10 Jan 1995 12:45:41 -0800
Received: by pru-psc.com (5.0/SMI-SVR4) id AA01211; Tue, 10 Jan 1995 15:44:20 +0500
Date: Tue, 10 Jan 1995 15:44:20 +0500
From: jpatti@pru-psc.com (Joe Patti)
Message-Id: <9501102044.AA01211@ pru-psc.com>
To: ken@bridge.com
Subject: Re: Firewalls-Digest V4 #11
Cc: firewalls@greatcircle.com
X-Sun-Charset: US-ASCII
content-length: 967
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> It's unlikely that under DOS or Windows that the two IP stacks would
> know anything about each other. Even on OS/2; I've seen an OS/2 box
> used as an applications gateway between two networks running IBM's
> TCP/IP on one interface and FTP, Inc.'s on the other, and there's
> absolutely no (direct) interconnection possible between the networks
> (as I'm told by those involved in the work.) The only way to get from
> one network to the other would be to telnet into the OS/2 system and
> then run the OS/2 telnet, e.g., that came with the TCP/IP stack that's
> running on the remote interface.

I agree with you on DOS and Windows, but watch out for OS/2. If you run IBM's TCP/IP stack over more than one interface, IP forwarding is turned on by default.
I've seen this with two network cards; we use a dual-homed OS/2 PC as a poor man's router (don't ask why). I haven't tried it with SLIP or PPP but I'd be careful.

--Joe Patti
Prudential Service Company

From firewalls-owner Tue Jan 10 13:43:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA27804 for firewalls-outgoing; Tue, 10 Jan 1995 13:11:47 -0800
Received: from sol (sol.corp.rockwell.com [129.172.4.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA27789 for ; Tue, 10 Jan 1995 13:11:43 -0800
Received: by sol (5.0/SMI-SVR4) id AA01365; Tue, 10 Jan 1995 13:09:09 +0800
Date: Tue, 10 Jan 1995 13:09:09 +0800
From: mcfowler@corp.rockwell.com (Mark C. Fowler)
Message-Id: <9501102109.AA01365@sol>
To: firewalls@greatcircle.com
Subject: Bastion host sizing
X-Sun-Charset: US-ASCII
content-length: 1000
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've been asked what kind of UNIX machine we should get for our bastion host. I've been told by our network hardware people to size it for a T1 rate of throughput. We have a T1 connection to the Internet but does that really mean that the bastion host should expect 1.544 megabits per second?

I expect that the machine will be running some proxy software (I can't be any more specific at the moment), anonymous FTP service (read only), httpd (probably NCSA's but this could change), and an authentication server (not sure which one).

I would like some information about the performance of various brands/models/configurations of UNIX machines that are used as bastion hosts. I really have no idea what size of machine to get. Can we get away with a PC-AT running Coherent or do we need the latest 64-bit monstrosity? How much memory and disk? Is one brand's ethernet throughput better than another's? Does that really matter? Etc., etc., etc.
Mark Fowler
Rockwell
mcfowler@corp.rockwell.com

From firewalls-owner Tue Jan 10 14:03:04 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA28876 for firewalls-outgoing; Tue, 10 Jan 1995 13:55:16 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA28871 for ; Tue, 10 Jan 1995 13:55:09 -0800
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA06760; Tue, 10 Jan 95 16:49:25 -0500
Date: Tue, 10 Jan 95 16:49:25 -0500
Message-Id: <9501102149.AA06760@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Anything you can do.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Is it just under MS-DOS, or can you also under Windows do strange things
>to a person's PC via anonymous FTP by reading and writing to the devices:-?

No, anything you can do under DOS can be done from Windows, just there is less chance that a person at the monitor will notice. Also you are not limited to attached devices: I have come into a DOS machine over the net using TELNETD and FTPed out to another machine using the same NIC through packet multiplexing and put the retrieved file directly into my directory on an attached Novell server. Then printed the file using the CAPTUREd printer on LPT1:. True the connection is rather fragile but not impossible.

Further, dual homing is possible (look at DRAWBRIDGE and KARLBRIDGE) so it can be done and as soon as you give a user FTP access to the world *anything* is liable to wind up on that PC. You are best to adopt the concept that whatever it is *can* be done.
Warmly,
Padgett

From firewalls-owner Tue Jan 10 14:32:28 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA28519 for firewalls-outgoing; Tue, 10 Jan 1995 13:44:30 -0800
Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA28514 for ; Tue, 10 Jan 1995 13:44:27 -0800
Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.9/8.6.9) id PAA05084; Tue, 10 Jan 1995 15:39:58 -0600
Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma005082; Tue Jan 10 15:39:48 1995
Received: from ernie.bridge.com by ignatz.bridge.com with SMTP id AA29004 (5.67b/IDA-1.5); Tue, 10 Jan 1995 15:43:34 -0600
Date: Tue, 10 Jan 1995 15:43:34 -0600
From: Ken Hardy
Message-Id: <199501102143.AA29004@ignatz.bridge.com>
To: jpatti@pru-psc.com
Subject: Re: Firewalls-Digest V4 #11
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> It's unlikely that under DOS or Windows that the two IP stacks would
>> know anything about each other. Even on OS/2; I've seen an OS/2 box
>> used as an applications gateway between two networks running IBM's
>> TCP/IP on one interface and FTP, Inc.'s on the other, and there's
>> absolutely no (direct) interconnection possible between the networks
>> (as I'm told by those involved in the work.) The only way to get from
>> one network to the other would be to telnet into the OS/2 system and
>> then run the OS/2 telnet, e.g., that came with the TCP/IP stack that's
>> running on the remote interface.
>
>I agree with you on DOS and Windows, but watch out for OS/2. If you run
>IBM's TCP/IP stack over more than one interface, IP forwarding is turned
>on by default. I've seen this with two network cards; we use a dual-homed
>OS/2 PC as a poor man's router (don't ask why). I haven't tried it with
>SLIP or PPP but I'd be careful.

Yes.
The trick here is to use two independent TCP/IP stacks from two different vendors and give each of them only one of the network interfaces. They don't know about each other, and they don't know about the other interface.

-KH

From firewalls-owner Tue Jan 10 15:02:32 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA29604 for firewalls-outgoing; Tue, 10 Jan 1995 14:32:49 -0800
Received: from vger.tripcom.com (vger-ppp0.tripcom.com [198.5.220.193]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA29599 for ; Tue, 10 Jan 1995 14:32:46 -0800
Received: from localhost (adam@localhost) by vger.tripcom.com (8.6.5/8.6.5) id QAA19847; Tue, 10 Jan 1995 16:31:34 -0600
From: Adam Horwitz
Message-Id: <199501102231.QAA19847@vger.tripcom.com>
Subject: Re: Re[2]: Brief review of Firewall-1 - installation, support, f
To: Mark.Hickey@ov.com
Date: Tue, 10 Jan 1995 16:31:33 -0600 (CST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9500107897.AA789768847@ccgate.pls.ov.com> from "Mark.Hickey@ov.com" at Jan 10, 95 12:14:07 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 881
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> [Stuff deleted]
>
> Antonio> I am surprised with these recent comments about
> Antonio> Firewall-1, since I had seen some positive comments about
> Antonio> it on some magazines (for example, Open Computing, Oct
> Antonio> 94).
>
> [More stuff deleted]
>
> [ Chris Stewart responds ]
> Being in a software company, and after seeing how some positive
> comments are placed, I take anything I read in the mags with several
> grains of salt.. I've also seen reviewers complain about what got
> edited out of their reviews.. Ah capitalism at work, can't piss off
> those potential advertisers...

I sell FireWall-1 and I apparently missed the comments regarding it. If someone could forward them to me, I'd appreciate it; good or bad.

--
Adam Horwitz (708) 778-9531
Tripcom Systems Inc.
adam@tripcom.com

From firewalls-owner Tue Jan 10 15:22:19 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA00121 for firewalls-outgoing; Tue, 10 Jan 1995 14:53:39 -0800
Received: from nda.nda.com (nda.nda.COM [204.57.51.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA00116 for ; Tue, 10 Jan 1995 14:53:36 -0800
Received: (kovar@localhost) by nda.nda.com (8.6.9/8.6.4) id RAA15607 for firewalls@greatcircle.com; Tue, 10 Jan 1995 17:52:02 -0500
From: David Kovar
Message-Id: <199501102252.RAA15607@nda.nda.com>
Subject: rsh problem with Checkpoint's Firewall-1
To: firewalls@greatcircle.com
Date: Tue, 10 Jan 1995 17:52:01 -0500 (EST)
X-Mailer: ELM [version 2.4 PL20]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1005
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We've encountered another problem with Firewall-1. Before we installed FW-1, we allowed some hosts to rsh/rlogin to the net. This access was controlled by /etc/hosts.equiv and not by .rhosts. (No flames on how bad this is, I've been fighting this battle with the engineers for a while.) The hosts.equiv entry only 'trusts' people in the local domain and would prompt anyone outside of the local domain for a password.

After we installed FW-1, and without changing any of the hosts.equiv entries, any hosts that were permitted to pass through the firewall for rsh/rlogin acted as if they were trusted. I.e., anything that the firewall permitted through was not challenged with a password. It appears that FW-1 is doing something to the rsh/rlogin session that circumvents the (admittedly weak) authentication system.

If you are allowing rlogin/rsh to pass through your FW-1, you might want to look into this.

Onward to the next bug. (Actually, this is the last one that we know about.)
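An added example, placed after David Kovar's message above; it is not part of his message and not Check Point code. It is a small Python model of the /etc/hosts.equiv decision that rshd and rlogind make, to show why the behaviour he reports matters: the server decides trust from the name that its *peer address* resolves to, and nothing else. If a firewall terminates the rsh session and connects onward itself (an assumption about how a relay could behave, not a statement of what FW-1 does), the server's peer is the firewall, and whatever trust the firewall's own name carries is extended to every client it relays. The hosts.equiv contents, the netgroup, the DNS records and the firewall's name (gateway.corp.example) are all constructed for the example.

```python
"""Model of the rshd/rlogind hosts.equiv decision. Added example with
constructed data; it does not speak the rsh protocol."""

LOCAL_DOMAIN = "corp.example"   # assumed local domain

# Constructed /etc/hosts.equiv: lines are evaluated top to bottom and the
# first match wins, so the deny line has to come before the netgroup line.
HOSTS_EQUIV = """\
# /etc/hosts.equiv (constructed sample)
-lab9.corp.example
+@localnet
"""

# Constructed netgroup: every host in the local domain, firewall included.
NETGROUPS = {
    "localnet": {
        "eng1.corp.example",
        "eng2.corp.example",
        "lab9.corp.example",
        "gateway.corp.example",   # assumed name of the firewall host
    },
}

# Constructed DNS. PTR is what gethostbyaddr() would return; A is the
# forward lookup. 198.51.100.5 carries a lying PTR record on purpose.
PTR = {
    "10.1.0.11": "eng1.corp.example",
    "10.1.0.12": "eng2.corp.example",
    "10.1.0.99": "lab9.corp.example",
    "10.1.0.1": "gateway.corp.example",
    "192.0.2.77": "client.example.net",
    "198.51.100.5": "eng1.corp.example",
}
A = {
    "eng1.corp.example": "10.1.0.11",
    "eng2.corp.example": "10.1.0.12",
    "lab9.corp.example": "10.1.0.99",
    "gateway.corp.example": "10.1.0.1",
    "client.example.net": "192.0.2.77",
}


def resolve_peer(addr, fcrdns=True):
    """Name the server believes it is talking to. With fcrdns=True the
    forward lookup of that name must map back to addr, which defeats a
    spoofed PTR record but does nothing against a genuine relay."""
    name = PTR.get(addr)
    if name is None:
        return None
    name = name.lower()
    if fcrdns and A.get(name) != addr:
        return None
    return name


def hosts_equiv_allows(name, text=HOSTS_EQUIV):
    """Classic BSD semantics: 'host', '+', '+@netgroup', and the same
    forms prefixed with '-' to deny; the first matching line decides."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        entry = line.split()[0]          # optional user field ignored here
        deny = entry.startswith("-")
        if deny:
            entry = entry[1:]
        if entry == "+":
            hit = True
        elif entry.startswith(("+@", "@")):
            hit = name in NETGROUPS.get(entry.lstrip("+@"), set())
        else:
            hit = entry.lower() == name
        if hit:
            return not deny
    return False


def ruserok(peer_addr, fcrdns=True):
    """True when the server would skip the password prompt for this peer."""
    name = resolve_peer(peer_addr, fcrdns)
    return name is not None and hosts_equiv_allows(name)


def session_outcome(client_addr, relay_addr=None):
    """Decision for a client, optionally behind a relay that terminates the
    TCP session and connects onward itself (assumed relay behaviour): the
    server only ever sees the relay's address, never the client's."""
    peer = relay_addr if relay_addr is not None else client_addr
    return "trusted (no password)" if ruserok(peer) else "password required"


if __name__ == "__main__":
    for client, relay in [("10.1.0.11", None), ("10.1.0.99", None),
                          ("192.0.2.77", None), ("192.0.2.77", "10.1.0.1")]:
        print(client, "via", relay or "direct", "->", session_outcome(client, relay))
```

The forward-confirmed reverse lookup in resolve_peer() is the hardening that rshd implementations added against forged PTR records; it is worth having, but the relay case shows its limit. Once the firewall is the peer, the only fix is on the firewall's side: the server must see the original client address, or rsh must not be relayed at all.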
-David

From firewalls-owner Tue Jan 10 17:27:58 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA00749 for firewalls-outgoing; Tue, 10 Jan 1995 17:07:47 -0800
Received: from rambone.psi.net (rambone.psi.net [38.145.250.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA00744 for ; Tue, 10 Jan 1995 17:07:44 -0800
Received: by rambone.psi.net (4.1/SMI-4.1.3-PSI) id AA12565; Tue, 10 Jan 95 19:52:16 EST
Received: from badboy (badboy.ARPA) by sd.microage.com (4.1/3.2.083191-microage san diego) id AA01239; Tue, 10 Jan 95 15:27:20 PST
Message-Id: <9501102327.AA01239@sd.microage.com>
Received: by badboy (16.8/16.2) id AA00526; Tue, 10 Jan 95 15:23:38 -0800
From: David Schiffrin
Subject: Re: DOS IP backdoors (was Re: Firewalls-Digest V4 #11)
To: lavondes@tidtest.total.fr
Date: Tue, 10 Jan 95 15:23:37 PST
Cc: firewalls@greatcircle.com
In-Reply-To: <9501101951.AA04264@tidtest.total.fr>; from "Michel Lavondes" at Jan 10, 95 7:51 pm
Mailer: Elm [revision: 70.30]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have used dual-homed routing with NetManage's ChameleonNFS/X product (I think a conglomeration of their TCP/IP stack, NFS client _AND_ server, and X-server for your Windows PC).

> > Terry Ingoldsby wrote :
> >
> > [snip]
> >
> > My question is, am I safe in assuming that the economy version of PPP
> > (TCP/IP) that comes with the browser is incapable of routing packets to
> > the local network. I'm pretty sure that would be the case if the local
> > network were IPX, I *think* this would be the case even if the local
> > network were PPP. I'm basing my trust on the *assumption* that a low
> > cost Internet browser package isn't going to be smart enough
> > (particularly on a single tasking DOS/Windows box) to route packets
> > (even if source routing is used).
> >
>
> DOS/Win IPX can manage only one IPX address, so you should be safe from
> that side.
> Of the DOS/Win IP stacks I know of, only Wollongong's can
> (could) be multi-homed, with a routing module available.
> --
> Michel Lavondes
> E-Mail : lavondes@tidtest.total.fr
> lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected)
> Tel : +33-1-4135-4198
> Fax : +33-1-4135-4189
> --

------------------------------------------------------------
David Schiffrin
Systems Engineer
MicroAge, San Diego
(619)566-1900 x7692
daves@sd.microage.com

From firewalls-owner Tue Jan 10 19:23:52 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA01549 for firewalls-outgoing; Tue, 10 Jan 1995 18:59:29 -0800
Received: from mail3.netcom.com (root@mail3.netcom.com [192.100.81.127]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA01544 for ; Tue, 10 Jan 1995 18:59:26 -0800
Received: from irvin.irvin.com by mail3.netcom.com (8.6.9/Netcom) id SAA28252; Tue, 10 Jan 1995 18:56:26 -0800
Received: from eon.irvin by irvin.irvin.com (4.1/SMI-4.1) id AA03610; Tue, 10 Jan 95 11:43:58 PST
Received: by eon.irvin (4.1/SMI-4.1) id AA02206; Tue, 10 Jan 95 11:19:06 PST
Message-Id: <9501101919.AA02206@eon.irvin>
To: Wulf Losee , firewalls@GreatCircle.COM
Subject: Re: FW: PC Take-Over -- reply
In-Reply-To: Your message of "Tue, 10 Jan 1995 11:27:59 EST." <199501101631.IAA22780@miles.greatcircle.com>
Date: Tue, 10 Jan 1995 11:19:05 -0800
From: & Purshottam
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

WfW running machines can act as file servers using the Microsoft remote file system. Many WfW users are unaware of this, and leave all their partitions workgroup accessible.
Andy

From firewalls-owner Wed Jan 11 00:54:01 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA03230 for firewalls-outgoing; Wed, 11 Jan 1995 00:30:46 -0800
Received: from hawk.csd.harris.com (hawk.hcsc.com [204.5.22.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id AAA03225 for ; Wed, 11 Jan 1995 00:30:43 -0800
Received: from london.csd.harris.com by hawk.csd.harris.com (5.61/harris-5.1) id AA04345; Wed, 11 Jan 95 03:29:03 -0500
Received: by london.csd.harris.com (5.61/HARRIS-4.0) id AA03967; Wed, 11 Jan 95 08:26:30 GMT
From: jon@london.csd.harris.com (Jon Shallow)
Message-Id: <9501110826.AA03967@london.csd.harris.com>
Subject: Re: Firewalls-Digest V4 #11 (fwd)
To: firewalls@greatcircle.com
Date: Wed, 11 Jan 95 8:26:30 GMT
X-Mailer: ELM [version 2.2 PL10]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Forwarded message:
> From: Ken Hardy
>
> >> It's unlikely that under DOS or Windows that the two IP stacks would
> >> know anything about each other. Even on OS/2; I've seen an OS/2 box
> >> used as an applications gateway between two networks running IBM's
> >> TCP/IP on one interface and FTP, Inc.'s on the other, and there's
> >> absolutely no (direct) interconnection possible between the networks
> >> (as I'm told by those involved in the work.) The only way to get from
> >> one network to the other would be to telnet into the OS/2 system and
> >> then run the OS/2 telnet, e.g., that came with the TCP/IP stack that's
> >> running on the remote interface.
> >
> >I agree with you on DOS and Windows, but watch out for OS/2. If you run
> >IBM's TCP/IP stack over more than one interface, IP forwarding is turned
> >on by default. I've seen this with two network cards; we use a dual-homed
> >OS/2 PC as a poor man's router (don't ask why). I haven't tried it with
> >SLIP or PPP but I'd be careful.
>
> Yes.
> The trick here is to use two independent TCP/IP stacks from two
> different vendors and give each of them only one of the network
> interfaces. They don't know about each other, and they don't know
> about the other interface.

Can you simply prove that they have no knowledge of each other?

--
Jon Shallow, Harris Computer Systems Corporation
Jon.Shallow@mail.hcsc.com
Tel +44 (0) 1276 686886  Fax +44 (0) 1276 678733

From firewalls-owner Wed Jan 11 05:24:00 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA05792 for firewalls-outgoing; Wed, 11 Jan 1995 05:20:47 -0800
Received: from clark.net (mikebat@clark.net [168.143.0.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id FAA05787 for ; Wed, 11 Jan 1995 05:20:44 -0800
Received: (mikebat@localhost) by clark.net (8.6.9/8.6.5) id IAA12982 for Firewalls@GreatCircle.COM; Wed, 11 Jan 1995 08:19:04 -0500
From: Mike Batchelor
Message-Id: <199501111319.IAA12982@clark.net>
Subject: Re: FW: PC Take-Over -- reply
To: Firewalls@GreatCircle.COM
Date: Wed, 11 Jan 1995 08:19:03 -0500 (EST)
In-Reply-To: <199501110900.BAA03505@miles.greatcircle.com> from "firewalls-digest-owner@GreatCircle.COM" at Jan 11, 95 01:00:11 am
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Content-Length: 933
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Not the firewalls-digest-owner@GreatCircle.COM once wrote...
>
> From: smb@research.att.com
> Date: Tue, 10 Jan 95 11:27:59 EST
> Subject: Re: FW: PC Take-Over -- reply
>
> You might be surprised at what your PC is running. A colleague here
> brought up Chameleon -- and I discovered that he was running an FTP
> server on his machine, quite unknowingly. This was an ordinary PC
> running Windows...

This is true. An acquaintance of mine plays on IRC via SLIP connection using Windows NT.
I finally told him the other day that I was able to log in to his PC when he was connected, via ftp using any user id and any password - except anonymous, for some reason.

--
\\\ Mike Batchelor /// mikebat@clark.net
\\\ M.Batchelor@babylon4.clark.net ///
"Supporting Windows is like buying a puppy. The dog only cost $100, but we spent another $500 cleaning the carpet." - Marc Dodge, "Reality Check", _Open Computing_, December 1994

From firewalls-owner Wed Jan 11 06:54:25 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA06501 for firewalls-outgoing; Wed, 11 Jan 1995 06:40:38 -0800
Received: from pentagon-emh5.army.mil (PENTAGON-EMH5.ARMY.MIL [134.11.50.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA06495 for ; Wed, 11 Jan 1995 06:40:14 -0800
Message-Id: <199501111440.GAA06495@miles.greatcircle.com>
Date: Wed, 11 Jan 95 9:33:32 EST (1433Z)
From: Lew Houston
To: Firewalls@GreatCircle.Com
Subject: Firewalls User Groups
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone know of any Firewalls User Groups? Would be interested in their e-mail addresses if anyone knows of any. Also, interested in any user groups for Windows NT.
Thanks

From firewalls-owner Wed Jan 11 07:17:57 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA06484 for firewalls-outgoing; Wed, 11 Jan 1995 06:34:05 -0800
Received: from gate3.fmr.com ([192.223.170.13]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA06479 for ; Wed, 11 Jan 1995 06:34:03 -0800
Received: (from adm@localhost) by gate3.fmr.com (8.6.9/8.6.9) id JAA18614 for ; Wed, 11 Jan 1995 09:32:10 -0500
Message-Id: <199501111432.JAA18614@gate3.fmr.com>
Received: from mail3.fmr.com(155.1.75.10) by a0140648 via smap (V1.3mjr) id sma018612; Wed Jan 11 14:31:50 1995
Date: Wed, 11 Jan 1995 09:29:37 -0500
From: Joe Judge
Subject: TIS proxys
To: firewalls@greatcircle.com
Content-transfer-encoding: 7BIT
Content-length: 537
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

TIS's telnet gateway out, and ftp gateway out to the Internet are very ... obvious. Are there ftp/telnet clients out there that are TIS-proxified? (standard set in order of importance: Unix and Windows, Mac)

I've heard of SOCKS-ified clients .. so I thought I'd ask.

- joe

note: I've found a 'ws_ftp' for Windows that has a firewall checkbox; radio buttons give a choice of ftp firewalls of
  SITE hostname,
  USER after logon,
  USER with no logon,
  PROXY open
The second works well when pointed at a TIS relay.
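An added example, placed after Joe Judge's note; it is not part of his message and not TIS or ws_ftp code. It is a Python model of the control-channel dialogue between a proxy-aware FTP client and an application-level FTP gateway, written so that both sides' messages are visible. It covers the three firewall types from the ws_ftp list that address the gateway in plain FTP commands (SITE hostname, USER after logon, USER with no logon; the user@host form is the one the TIS ftp-gw uses); the fourth, PROXY open, is vendor-specific and not modelled. The gateway is a stand-in state machine with a constructed destination policy rather than a relay, and the host names, accounts, passwords and reply texts are constructed. The policy check is the part worth copying: an outbound gateway must refuse to connect back into internal address space, otherwise anyone who can reach the gateway can use it to bounce inward.

```python
"""Control-channel dialogue between a proxy-aware FTP client and an
application-level FTP gateway. Added example with constructed data;
the gateway is a stand-in state machine and never opens a socket."""
import ipaddress

# Constructed gateway configuration.
PROXY_ACCOUNTS = {"fwuser": "fwpass"}              # gateway's own logins
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
KNOWN_HOSTS = {                                    # stands in for DNS
    "ftp.example.org": "203.0.113.20",             # outside: allowed
    "files.corp.example": "10.1.0.40",             # inside: must be refused
}


def destination_permitted(host):
    """Outbound-gateway rule: never connect back into internal address
    space, and refuse names that do not resolve rather than guessing."""
    addr = KNOWN_HOSTS.get(host)
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def client_commands(mode, user, password, host,
                    proxy_user="fwuser", proxy_pass="fwpass"):
    """What a proxy-aware client sends for three of the ws_ftp firewall
    types. 'USER with no logon' is the user@host form of TIS ftp-gw."""
    if mode == "USER with no logon":
        return [f"USER {user}@{host}", f"PASS {password}"]
    if mode == "USER after logon":
        return [f"USER {proxy_user}", f"PASS {proxy_pass}",
                f"USER {user}@{host}", f"PASS {password}"]
    if mode == "SITE hostname":
        return [f"USER {proxy_user}", f"PASS {proxy_pass}",
                f"SITE {host}", f"USER {user}", f"PASS {password}"]
    raise ValueError(f"firewall type not modelled: {mode}")


class Gateway:
    """Stand-in ftp-gw. Takes a destination via USER user@host or via
    SITE host, applies destination_permitted(), and answers with standard
    FTP reply codes. Whether a real gateway demands its own login first
    is a configuration matter; this one accepts either sequence."""

    def __init__(self):
        self.pending_proxy = None      # proxy user awaiting PASS
        self.proxy_authed = False
        self.site_host = None          # destination chosen with SITE
        self.remote = None             # (user, host) awaiting PASS

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            if "@" in arg:
                user, host = arg.rsplit("@", 1)
            elif self.site_host:
                user, host = arg, self.site_host
            elif arg in PROXY_ACCOUNTS:
                self.pending_proxy = arg
                return "331 Gateway password required"
            else:
                return "500 Use USER user@host, SITE host, or a gateway login"
            if not destination_permitted(host):
                return f"500 Connection to {host} not permitted by policy"
            self.remote = (user, host)
            return f"331 Password required for {user} at {host}"
        if verb == "PASS":
            if self.pending_proxy:
                ok = PROXY_ACCOUNTS.get(self.pending_proxy) == arg
                self.pending_proxy = None
                self.proxy_authed = ok
                return ("230 Gateway login ok; give USER user@host or SITE host"
                        if ok else "530 Gateway login incorrect")
            if self.remote:
                user, host = self.remote
                return f"230 Logged in to {host} as {user} (simulated)"
            return "503 Bad sequence of commands"
        if verb == "SITE":
            if not self.proxy_authed:
                return "530 Log in to the gateway before SITE"
            if not destination_permitted(arg):
                return f"500 Connection to {arg} not permitted by policy"
            self.site_host = arg
            return f"220 Connected to {arg}, now send USER"
        return "502 Command not implemented by this gateway"


def dialogue(mode, user, password, host, **proxy_creds):
    """Run the client's commands through the gateway; returns the
    transcript as (side, text) pairs, stopping at the first 5xx reply."""
    gw = Gateway()
    transcript = [("S", "220 ftp-gw ready")]
    for cmd in client_commands(mode, user, password, host, **proxy_creds):
        reply = gw.handle(cmd)
        transcript += [("C", cmd), ("S", reply)]
        if reply.startswith("5"):
            break
    return transcript


if __name__ == "__main__":
    for mode in ("USER with no logon", "USER after logon", "SITE hostname"):
        print(f"--- {mode}")
        for side, text in dialogue(mode, "anonymous", "joe@corp.example", "ftp.example.org"):
            print(side, text)
    print("--- bounce attempt into the inside")
    for side, text in dialogue("USER with no logon", "bob", "pw", "files.corp.example"):
        print(side, text)
```

The contrast with a SOCKS-ified client is visible here: a SOCKS client is relinked so that its socket calls go to the SOCKS server and the FTP protocol itself is untouched, whereas an application gateway like this one is addressed inside the FTP dialogue, which is why an ordinary client needs the firewall-type setting that ws_ftp exposes.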
From firewalls-owner Wed Jan 11 08:00:29 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA07424 for firewalls-outgoing; Wed, 11 Jan 1995 07:50:45 -0800
Received: from noc.sura.net (noc.sura.net [192.80.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA07419 for ; Wed, 11 Jan 1995 07:50:42 -0800
Received: from u6 (u6.cbn.org [159.26.64.16]) by noc.sura.net (8.6.8.1/8.6.6) with SMTP id KAA01577 for ; Wed, 11 Jan 1995 10:49:04 -0500
Received: by u6 (5.0/SMI-SVR4) id AA00331; Wed, 11 Jan 1995 10:50:28 -0500
Date: Wed, 11 Jan 1995 10:50:28 -0500
From: gbrown@cbn.org (Greg Brown)
Message-Id: <9501111550.AA00331@u6>
To: firewalls@greatcircle.com
Subject: ISS on SunOS 5.3
X-Sun-Charset: US-ASCII
content-length: 699
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings:

Has anyone successfully compiled ISS on SunOS 5.3 using Sun's ProC compiler? Please respond directly to me. Thanks.

Cordially,
-------------------------------------------------------------------
Greg Brown                         email: gbrown@cbn.org
Unix Systems Administrator         voice: +1 804 579 3285
Christian Broadcasting Network     fax:   +1 804 579 3019
977 Centerville Turnpike           TELEX: 710 882 9356 CBN VABH
Virginia Beach, VA 23463.0001
-------------------------------------------------------------------
Opinions are mine, wholly mine, and no one else's but mine, SHMG.
===================================================================

From firewalls-owner Wed Jan 11 08:24:57 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA07110 for firewalls-outgoing; Wed, 11 Jan 1995 07:34:12 -0800
Received: from access.rrd.com (access.rrd.com [198.81.197.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA07105 for ; Wed, 11 Jan 1995 07:34:08 -0800
From: WILLIAM.ROCHOLL@rrd.com
Received: from EMAILNET.CHGOCORP.RRD.COM (emailnet.rrd.com) by access.rrd.com with SMTP id AA09443 (InterLock SMTP Gateway 1.1 for ); Wed, 11 Jan 1995 10:32:12 -0600
X400-Originator: WILLIAM.ROCHOLL@emailnet.rrd.com
X400-Recipients: firewalls@greatcircle.com
X400-Mts-Identifier: [/PRMD=RRD/ADMD=TELEMAIL/C=US/;0013600001006958000002]
X400-Content-Type: P2-1988 (22)
Priority: Non-Urgent
Message-Id: <0013600001006958000002*@MHS>
To: "firewalls(a)greatcircle.com"
Cc: "Rocholl, CORP1:"
Subject: Facts and Figures for Justification
Date: Wed, 11 Jan 1995 09:30:18 -0600
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

To all concerned:

I have to make a presentation to the management in our organization in regard to security. I do not have a problem explaining the risks and technical alternatives; however, the problem I do have is in explaining the probabilities and costs associated with a break-in. I was hoping that you folks might be able to point me to some documentation that shows number of break-ins, costs, statistics of any kind.

Thanks in advance.

Bill Rocholl
Member of Technical Staff, Communication Systems
R.R. Donnelley & Sons Company
bill.rocholl@rrd.com

From firewalls-owner Wed Jan 11 08:57:47 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA07523 for firewalls-outgoing; Wed, 11 Jan 1995 07:57:29 -0800
Received: from csdc.com (sla.csdc.com [198.242.16.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA07518 for ; Wed, 11 Jan 1995 07:57:25 -0800
Date: Wed, 11 Jan 95 10:55:47 EST
From: eric@csdc.com (Eric Stephan)
Received: from killeen.csdc.com by csdc.com (4.1/3.1.090690-CSDC) id AA08465; Wed, 11 Jan 95 10:55:47 EST
Message-Id: <9501111555.AA08465@csdc.com>
To: firewalls@greatcircle.com
Subject: More info on Firewalls
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am fairly new to the system security side of sys admin. Could someone recommend/direct me to more info on firewalls and TCP Wrappers?

Thanks for any info!

Eric

From firewalls-owner Wed Jan 11 09:15:17 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA07956 for firewalls-outgoing; Wed, 11 Jan 1995 08:25:54 -0800
Received: from nic.cerf.net (root@nic.cerf.net [192.102.249.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA07951 for ; Wed, 11 Jan 1995 08:25:51 -0800
Received: from isis (ISIS.ISISPH.COM [192.65.129.1]) by nic.cerf.net (8.6.9/8.6.9) with SMTP id IAA27485 for ; Wed, 11 Jan 1995 08:24:14 -0800
Received: from [192.65.129.90] (MacHeer) by isis (4.1/SMI-4.0) id AA19587; Wed, 11 Jan 95 08:15:35 PST
Date: Wed, 11 Jan 95 08:15:34 PST
X-Sender: chris@isis.isisph.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.COM
From: cheer@isisph.com (Christopher D. Heer)
Subject: Re: FW: PC Take-Over -- reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:19 AM 1/10/95, & Purshottam wrote:
>WfW running machines can act as file servers using the Microsoft
>remote file system.
>Many WfW users are unaware of this, and leave all
>their partitions workgroup accessible.

This is scary, too, because WFW can use any protocol -- including TCP/IP -- as its own. I don't know if you still can, but you used to be able to mount Microsoft's ftp server as a WFW drive over the Internet. . . :(

--
Christopher D. Heer   | "He's back, and it's about time!"
cheer@isisph.com      |    -- Doctor Who: coming to FOX, May 1995!
My opinions are mine! | "Ragweed pollen!" -- Dr. Leavitt, THE ANDROMEDA STRAIN

From firewalls-owner Wed Jan 11 10:24:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA09695 for firewalls-outgoing; Wed, 11 Jan 1995 10:17:19 -0800
Received: from uu11.psi.com (uu11.psi.com [38.8.24.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA09690 for ; Wed, 11 Jan 1995 10:17:17 -0800
Received: from hq.ortel.com by uu11.psi.com (5.65b/4.0.940727-PSI/PSINet) via SMTP; id AA28402 for firewalls@greatcircle.com; Wed, 11 Jan 95 13:15:38 -0500
Received: from cc:Mail by hq.ortel.com id AA789848487; Wed, 11 Jan 95 10:18:23 pst
Date: Wed, 11 Jan 95 10:18:23 pst
From: "Vincent Yau"
Message-Id: <9500117898.AA789848487@hq.ortel.com>
To: firewalls@greatcircle.com
Subject: RFC
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dear All

Some time ago I remembered seeing an RFC that talks about the details of an Internet break-in incident (maybe the 1988 Morris case, cannot remember). If such an RFC exists, can someone tell me the RFC number?

Also, are there any other places I can retrieve details of break-in incidents? I am compiling a report for someone here at my company and would appreciate such reports.

Thanks a lot.
--Vincent Yau
vyau@ortel.com

From firewalls-owner Wed Jan 11 11:24:08 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA10608 for firewalls-outgoing; Wed, 11 Jan 1995 11:17:13 -0800
Received: from sdwsys (root@sdwsys.lig.net [199.18.175.129]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA10602 for ; Wed, 11 Jan 1995 11:17:07 -0800
Received: by sdwsys (Linux Smail3.1.28.1 #20) id m0rS3tB-0009vAC; Wed, 11 Jan 95 14:19 GMT
Message-Id:
From: sdw@lig.net (Stephen D. Williams)
Subject: Re: ISS on SunOS 5.3
To: gbrown@cbn.org (Greg Brown)
Date: Wed, 11 Jan 1995 14:19:04 +0000 (GMT)
Cc: firewalls@greatcircle.com
In-Reply-To: <9501111550.AA00331@u6> from "Greg Brown" at Jan 11, 95 10:50:28 am
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1195
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sorry, just did it yesterday with gcc though...

>
> Greetings:
>
> Has anyone successfully compiled ISS on SunOS 5.3 using Sun's ProC
> compiler? Please respond directly to me. Thanks.
>
> Cordially,
> -------------------------------------------------------------------
> Greg Brown                         email: gbrown@cbn.org
> Unix Systems Administrator         voice: +1 804 579 3285
> Christian Broadcasting Network     fax:   +1 804 579 3019
> 977 Centerville Turnpike           TELEX: 710 882 9356 CBN VABH
> Virginia Beach, VA 23463.0001
> -------------------------------------------------------------------
> Opinions are mine, wholly mine, and no one else's but mine, SHMG.
> ===================================================================
>

--
Stephen D. Williams 25Feb1965 VW,OH sdw@lig.net http://www.lig.net/sdw
Senior Consultant 510.503.9227 CA Page 513.496.5223 OH Page BA Aug94-Dec95
OO R&D AI:NN/ES crypto By Buggy: 2464 Rosina Dr., Miamisburg, OH 45342-6430
Firewalls/WWW servers ICBM: 39 38 34N 84 17 12W home, 37 58 41N 122 01 48W work
Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.29Nov94

From firewalls-owner Wed Jan 11 11:40:06 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA10667 for firewalls-outgoing; Wed, 11 Jan 1995 11:23:26 -0800
Received: from anixter.com (mailhost.anixter.com [149.128.100.246]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA10662 for ; Wed, 11 Jan 1995 11:23:22 -0800
From: Rich.Friedeman@corp.anixter.com
Received: from corp.anixter.com by anixter.com (4.1/SMI-4.1) id AA01425; Wed, 11 Jan 95 13:19:37 CST
Received: from cc:Mail by corp.anixter.com id AA789859352; Wed, 11 Jan 95 13:17:14 csd
Date: Wed, 11 Jan 95 13:17:14 csd
Message-Id: <9500117898.AA789859352@corp.anixter.com>
To: firewalls@greatcircle.com
Subject: Re: FW: PC Take-Over -- reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:19 AM 1/10/95, & Purshottam wrote:
>>WfW running machines can act as file servers using the Microsoft
>>remote file system. Many WfW users are unaware of this, and leave
>>all their partitions workgroup accessible.

cheer@isisph.com writes
>This is scary, too, because WFW can use any protocol -- including
>TCP/IP -- as its own. I don't know if you still can, but you used to
>be able to mount Microsoft's ftp server as a WFW drive over the
>Internet. . . :(

This is possible. I've gotten into WFW machines that are running TCP/IP using ftp. This is definitely something to watch out for.
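An added example, placed after Rich Friedeman's message; it is not part of any of the WfW or accidental-FTP-server posts above. It does with a program the check those posts imply doing by hand: parse the output of `netstat -an` (the sample below is constructed, in the columnar layout the Windows and Unix versions print, with a LISTEN/LISTENING state column for TCP and no state for UDP), keep every socket that is accepting traffic, and report the ones not on an explicit allow-list, naming the ftp and SMB ports the thread is about. The port-name table and the allow-list are assumptions for the example; feed it real netstat output on a PC with a TCP/IP stack to see what the machine is offering the network.

```python
"""Audit of listening sockets from netstat-style output. Added example
with a constructed sample; run it on `netstat -an` output to see what a
PC with a TCP/IP stack is actually offering."""
import re
import sys

# Names for ports worth recognising (assumed table; extend as needed).
PORT_NAMES = {
    21: "ftp", 23: "telnet", 25: "smtp", 79: "finger", 80: "http",
    111: "sunrpc", 137: "netbios-ns", 138: "netbios-dgm",
    139: "netbios-ssn (SMB file and printer sharing)",
    512: "exec", 513: "login", 514: "shell", 2049: "nfs",
}

# What this particular PC is supposed to offer (assumed policy).
ALLOWED = {("tcp", 80)}

# Constructed sample in the columnar layout of `netstat -an`.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1234         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1045        198.51.100.9:6667      ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

# Proto, optional Recv-Q/Send-Q counters (Unix), local, foreign, optional state.
LINE = re.compile(
    r"^\s*(tcp[46]?|udp[46]?)\s+(?:\d+\s+\d+\s+)?(\S+)\s+(\S+)(?:\s+(\S+))?\s*$",
    re.I,
)


def split_endpoint(ep):
    """'0.0.0.0:21', '*.21' (BSD style) or '*:*' -> (address, port or None)."""
    addr, sep, port = ep.rpartition(":") if ":" in ep else ep.rpartition(".")
    if not sep:
        return ep, None
    return addr, (int(port) if port.isdigit() else None)


def listening_sockets(text):
    """Return [(proto, addr, port)] for sockets accepting traffic: TCP in
    LISTEN/LISTENING, and every bound UDP socket (UDP has no listen
    state, so a bound socket is already reachable)."""
    found = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proto, local, _foreign, state = m.groups()
        proto = proto.lower().rstrip("46")
        addr, port = split_endpoint(local)
        if port is None:
            continue
        if proto == "tcp" and (state or "").upper() not in ("LISTEN", "LISTENING"):
            continue
        found.append((proto, addr, port))
    return found


def audit(text, allowed=ALLOWED):
    """Findings for listeners not on the allow-list. Loopback-only sockets
    are reported at low severity: reachable from the PC itself, not from
    the network."""
    findings = []
    for proto, addr, port in listening_sockets(text):
        if (proto, port) in allowed:
            continue
        loopback = addr.startswith("127.") or addr in ("::1", "localhost")
        findings.append({
            "proto": proto, "addr": addr, "port": port,
            "service": PORT_NAMES.get(port, "unknown"),
            "severity": "low (loopback only)" if loopback else "high (network reachable)",
        })
    return findings


if __name__ == "__main__":
    # Usage: python audit_listeners.py [saved-netstat-output]
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NETSTAT
    for f in audit(data):
        print(f"{f['proto']}/{f['port']:<5} {f['addr']:<15} {f['service']:<40} {f['severity']}")
```

On the constructed sample this flags the ftp server on port 21 and the SMB listener on 139 plus the NetBIOS name and datagram ports, exactly the exposure the posts describe; the only thing it lets through is the one service the allow-list says the machine is meant to run.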
Rich
rich.friedeman@anixter.com

From firewalls-owner Wed Jan 11 11:54:12 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA11105 for firewalls-outgoing; Wed, 11 Jan 1995 11:50:03 -0800
Received: from nda.nda.com (nda.nda.COM [204.57.51.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA11099 for ; Wed, 11 Jan 1995 11:50:00 -0800
Received: from cerberos.nda.com (cerberos.nda.COM [204.57.51.8]) by nda.nda.com (8.6.9/8.6.4) with SMTP id OAA01771 for ; Wed, 11 Jan 1995 14:48:23 -0500
Date: Wed, 11 Jan 95 14:42:26 PST
From: jlawton@NDA.COM
Subject: Checkpoint Firewall-1
To: firewalls@greatcircle.com
X-Mailer: Chameleon - TCP/IP for Windows by NetManage, Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm new to the list - I've read the FAQ...etc. Sooo, if this is a question asked every 5 minutes, I apologize upfront and will promptly put on my flameproof suit...

I need to get an idea of who is using what, in terms of commercial firewall products. If you have the time to either point me to a previous survey or allow me to conduct my very own (I'll send results to the list...), that would be great. I'd like to know what people use, and if they like it. If you are not wanting your name used, please send to anon@nda.com and your mail will be anonymous (stripped of headers).

I'm most interested in SEAL, Firewall-1, Gauntlet. Any other packages are welcome in a survey...

Thanks in advance.
I'll reach for the asbestos vest

Computer                 Jennifer Lawton
Networking               Net Daemons Associates
Solutions                400 West Cummings Park Suite 4250
                         Woburn, MA 01801
                         617.937.3338
                         jlawton@nda.com
                         http://www.nda.com

From firewalls-owner Wed Jan 11 12:10:01 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA10859 for firewalls-outgoing; Wed, 11 Jan 1995 11:38:06 -0800
Received: from svcs1.digex.net (svcs1.digex.net [164.109.10.23]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA10847 for ; Wed, 11 Jan 1995 11:37:52 -0800
Received: from paragon-systems.com (sundevil.paragon-systems.com) by svcs1.digex.net with SMTP id AA27113 (5.67b8/IDA-1.5 for ); Wed, 11 Jan 1995 14:35:40 -0500
Received: from Paragon-Systems.COM (sandfiddler) by paragon-systems.com (4.1/SMI-4.1) id AA01919; Wed, 11 Jan 95 14:36:42 EST
Received: by Paragon-Systems.COM (5.0/SMI-SVR4) id AA00369; Wed, 11 Jan 1995 14:35:48 +0500
Date: Wed, 11 Jan 1995 14:35:48 +0500
From: rmck@sandfiddler.paragon-systems.com (Bob McKisson)
Message-Id: <9501111935.AA00369@ Paragon-Systems.COM>
To: WILLIAM.ROCHOLL@rrd.com
Subject: Re: Facts and Figures for Justification
Cc: firewalls-digest@greatcircle.com
X-Sun-Charset: US-ASCII
Content-Length: 1862
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bill -

The number of break-ins is now nearly too high to keep track of, let alone attempts. Current "educated" guessing is anywhere from 250 to 1000 successful intrusions a day resulting in some information compromise, harvesting and significant dollar value loss at U. S. Government sites alone. Commercial/industrial is in the thousands.

Where to find? Try such sources as the FBI (yes you can get useful stuff from them), Bob McCree (New York City based Security Consultant), industry rags like Washington Technology, Wall Street Journal, InfoSecurity News, and trade groups such as the National Computer Security Association, etc.
Both NIST and CERT have some useful data which, if you can get it, is probably only a third of what actually goes down. One of the best recent news stand articles was in the 12/12/94 issue of INFORMATION WEEK, which focused on the intrusion at GE, but the composite data illustrates the point.

Average damage repair prices run anywhere from $200K to $400K for manhours and machine time depending on the level of trauma, and required reconstructive work. For instance if they just left notes to your boss's secretary about your dreams of her in the back of your Volvo it could be nothing more than an interesting winter. On the other hand, if they got into finance at a place like Goodyear Tire and Rubber and hijacked the five year passenger tire R&D plan, you're looking at probably $1 - $2 million in manhours alone, plus a one and a half to three point decline in the stock, plus some rather tense phone conversations between your CEO and Wall Street analysts and shareholders.

"Malicious intrusion - the mononucleosis epidemic of the electronic information age. It is usually not fatal, but it can flatten you quickly, the impact can be devastating, and the effects can be long lasting."

Good Hunting!

rmck

From firewalls-owner Wed Jan 11 12:25:32 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA11586 for firewalls-outgoing; Wed, 11 Jan 1995 12:05:24 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA11581 for ; Wed, 11 Jan 1995 12:05:19 -0800
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA13715; Wed, 11 Jan 95 14:51:16 -0500
Date: Wed, 11 Jan 95 14:51:16 -0500
Message-Id: <9501111951.AA13715@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "vyau@ortel.com"@UVS1.dnet.mmc.com
Cc: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Incidents
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Also, are there any other places I can retrieve details of break-in
> incidents?

Well on pages 32 and 33 of the Autumn _2600_ magazine you will find a relatively complete description of the intrusion at a2i communications (better known as the RAHUL incident from last July) along with a list of "potentially compromised" sites. I suspect that the fact that the details/port numbers involved were published in "The Hacker Quarterly" would have as much impact as the description itself, particularly if one of your nodes is listed (one of ours is).

Warmly, Padgett

From firewalls-owner Wed Jan 11 13:24:18 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA12807 for firewalls-outgoing; Wed, 11 Jan 1995 12:56:43 -0800
Received: from uu11.psi.com (uu11.psi.com [38.8.24.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA12802 for ; Wed, 11 Jan 1995 12:56:40 -0800
Received: from hq.ortel.com by uu11.psi.com (5.65b/4.0.940727-PSI/PSINet) via SMTP; id AA09170 for firewalls@greatcircle.com; Wed, 11 Jan 95 15:54:47 -0500
Received: from cc:Mail by hq.ortel.com id AA789858024; Wed, 11 Jan 95 12:59:48 pst
Date: Wed, 11 Jan 95 12:59:48 pst
From: "Vincent Yau"
Message-Id: <9500117898.AA789858024@hq.ortel.com>
To: rmck@sandfiddler.paragon-systems.com (Bob McKisson)
Cc: firewalls@greatcircle.com
Subject: Re[2]: Facts and Figures for Justification
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thanks Bob for the input.

>Where to find? Try such sources as the FBI (yes you can get useful stuff from
>them), Bob McCree (New York City based Security Consultant), industry rags like
>Washington Technology, Wall Street Journal, InfoSecurity News, and trade groups
>such as the National Computer Security Association, etc.
>Both NIST and CERT
>have some useful data which, if you can get it, is probably only a third of
>what
>actually goes down. One of the best recent news stand articles was in the
>12/12/94 issue of INFORMATION WEEK, which focused on the intrusion at GE, but
>the composite data illustrates the point.

Would anyone know how I can get in touch with either NIST or CERT to retrieve such break-in statistics?

Thanks a lot.

-Vincent
vyau@ortel.com

From firewalls-owner Wed Jan 11 13:43:19 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA13044 for firewalls-outgoing; Wed, 11 Jan 1995 13:12:03 -0800
Received: from gater3.sematech.org (gater3.sematech.org [192.73.53.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA13039 for ; Wed, 11 Jan 1995 13:12:01 -0800
Received: from gatev3.sematech.org by gater3.sematech.org (8.6.9/F-1.8) with ESMTP id PAA11457; Wed, 11 Jan 1995 15:10:20 -0600
Received: from thecount.eng.sematech.org by GateV1.SEMATECH.Org (PMDF V4.3-10 #5463) id <01HLQ3GBH2TC987JX6@GateV1.SEMATECH.Org>; Wed, 11 Jan 1995 15:10:11 -0600 (CST)
Received: from localhost.eng.sematech.org by thecount.eng.sematech.org (8.6.9/I-1.8) with SMTP id PAA16069; Wed, 11 Jan 1995 15:10:08 -0600
Date: Wed, 11 Jan 1995 15:10:03 -0600
From: Quentin Fennessy
Subject: Re: Facts and Figures for Justification
To: rmck@sandfiddler.paragon-systems.com (Bob McKisson)
Cc: WILLIAM.ROCHOLL@rrd.com, firewalls@greatcircle.com
Message-id: <199501112110.PAA16069@thecount.eng.sematech.org>
Content-transfer-encoding: 7BIT
X-Authentication-Warning: thecount.eng.sematech.org: Host localhost.eng.sematech.org didn't use HELO protocol
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bob:

I want to discuss some points that you made:

rmck@sandfiddler.paragon-systems.com (Bob McKisson) said:
> The number of break-ins is now nearly too high to keep track of, let
> alone attempts.
> Current "educated" guessing is anywhere from 250 to
> 1000 successful intrusions a day resulting in some information

This estimate of successful break-ins seems outrageously high. I am willing to be corrected, but I have never seen numbers like this.

> [ Bob suggests sources such as the 12/12/94 Information Week, the WSJ, CERT, NIST, Bob McCree, Washington Technology, InfoSecurity News ]

Bob: I have seen some of these sources but the numbers still astound me. Can you offer more specifics? I just looked at the Information Week article and saw that CERT becomes involved with 150 - 250 incidents a month. CERT also claims that 'hacker' incidents are up 76% from last year. This is a small fraction of your estimate.

> Average damage repair prices run anywhere from $200K to $400K for
> manhours and machine time depending on the level of trauma, and
> required reconstructive work.

This is outrageous! What goes on in these 'average' break-ins that cost $200K - $400K? That indicates approximately 2 - 8 person-years of work per incident.

I am very willing to learn from this discussion. However I feel that you are making some alarmist claims that do not reflect reality. The estimated number of successful intrusions seems high, and the average cost per intrusion is also high. Multiplied together they might indicate that corporations that have been 'hacked' are paying on the order of 18 billion per year. (250 incidents / day * 365 days * $200,000) Yow.

I may have misread your statements - please correct me if I have.
Thanks, Quentin

From firewalls-owner Wed Jan 11 13:54:02 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA13224 for firewalls-outgoing; Wed, 11 Jan 1995 13:32:08 -0800 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA13219 for ; Wed, 11 Jan 1995 13:32:01 -0800 From: Larry_LaBella@pcmailgw.ml.com Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA14385; Wed, 11 Jan 95 16:29:47 -0500 Date: Wed, 11 Jan 95 16:29:47 -0500 Message-Id: <9501112129.AA14385@uvs1.orl.mmc.com> To: firewalls@greatcircle.com@uvs1.dnet.mmc.com, padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) Subject: Re: Anything you can do. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
> No, anything you can do under DOS can be done from Windows, just there > is less chance that a person at the monitor will notice. One of the things that can be done, with access to the standard DOS devices, is to completely trash the contents of CMOS (163 163 or 165 error on PS/2, have your setup disk handy). This is possible from the DOS command line and it sounds as if you're saying it is possible remotely as well. LRL

From firewalls-owner Wed Jan 11 14:24:05 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA13713 for firewalls-outgoing; Wed, 11 Jan 1995 13:59:39 -0800 Received: from osiris.cs.uow.edu.au (root@osiris.cs.uow.edu.au [192.70.135.118]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA13708 for ; Wed, 11 Jan 1995 13:59:22 -0800 Received: from SPi (osiris.cs.uow.edu.au) by osiris.cs.uow.edu.au with SMTP (5.65c/IDA-1.5); id AA07227; Thu, 12 Jan 1995 08:54:03 +1100 (from ruf@SPi for ) Received: by SPi (Linux Smail3.1.28.1 #14) id m0rSAz0-0005qAC; Thu, 12 Jan 95 08:53 EST Message-Id: From: ruf@SPi (Justin J.
Lister) Subject: Re: RFC To: firewalls@greatcircle.com (Firewalls Mailing List) Date: Thu, 12 Jan 1995 08:53:33 +1100 (EST) In-Reply-To: <9500117898.AA789848487@hq.ortel.com> from "Vincent Yau" at Jan 11, 95 10:18:23 am Reply-To: X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 1180 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
"Vincent Yau wrote:" > Dear All > Some time ago I remembered seeing an RFC that talks about the details > of an Internet break-in incident (maybe the 1988 Morris case, cannot > remember). If such an RFC exists, can someone tell me the RFC number? RFC1135 : The Helminthiasis of the Internet. > Also, are there any other places I can retrieve details of break-in > incidents? ftp://coast.cs.purdue.edu/pub/doc/morris_worm > I am compiling a report for someone here at my company and would > appreciate such a report. Thanks a lot. -- +---------------------+--------------------------------------------------+ | ____ ___ | Justin Lister ruf@cs.uow.edu.au | | | \\ /\ __\ | Center for Computer Security Research | | | |) / \_/ / |_ | Dept. Computer Science voice: 61-42-214-327 | | | _ \\ /| _/ | University of Wollongong fax: 61-42-214-329 | | |_/ \/ \_/ |_| (tm) | Computer Security a utopian dream...
| | | Disclaimer: dreaming is at own risk | +---------------------+--------------------------------------------------+ From firewalls-owner Wed Jan 11 15:00:54 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA14719 for firewalls-outgoing; Wed, 11 Jan 1995 14:41:29 -0800 Received: from anixter.com (mailhost.anixter.com [149.128.100.246]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA14711 for ; Wed, 11 Jan 1995 14:41:26 -0800 From: Rich.Friedeman@corp.anixter.com Received: from corp.anixter.com by anixter.com (4.1/SMI-4.1) id AA01944; Wed, 11 Jan 95 16:37:32 CST Received: from cc:Mail by corp.anixter.com id AA789871232; Wed, 11 Jan 95 16:35:04 csd Date: Wed, 11 Jan 95 16:35:04 csd Message-Id: <9500117898.AA789871232@corp.anixter.com> To: firewalls@greatcircle.com Subject: Re: FW: PC Take-Over -- reply Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >I have been reading the comments about the pc take over. just one >question. >what is WFW ? 
>rodney wfw=windows for workgroups Rich rich.friedeman@anixter.com From firewalls-owner Wed Jan 11 15:53:54 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA15642 for firewalls-outgoing; Wed, 11 Jan 1995 15:40:05 -0800 Received: from london.micrognosis.com (midas.london.micrognosis.com [193.114.123.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA15637 for ; Wed, 11 Jan 1995 15:40:02 -0800 Received: by london.micrognosis.com (4.1/NAR-Gateway) id AA22676; Wed, 11 Jan 95 23:37:49 GMT Received: from zeus.london.micrognosis.com(192.83.165.17) by midas via smap (V1.0mjr) id sma022673; Wed Jan 11 23:37:17 1995 Received: by zeus.london.micrognosis.com (4.1/SMI-4.1) id AA00222; Wed, 11 Jan 95 23:37:13 GMT From: nreadwin@london.micrognosis.com (Neil Readwin) Message-Id: <9501112337.AA00222@zeus.london.micrognosis.com> Subject: Re: Facts and Figures for Justification To: Quentin.Fennessy@SEMATECH.Org (Quentin Fennessy) Date: Wed, 11 Jan 1995 23:37:13 +0000 (GMT) Cc: firewalls@greatcircle.com In-Reply-To: <199501112110.PAA16069@thecount.eng.sematech.org> from "Quentin Fennessy" at Jan 11, 95 03:10:03 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 1366 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Although this is not a technical issue related to firewalls I think the cost of a successful breakin is worth discussing ... Quentin Fennessy writes: > This is outrageous! What goes on in these 'average' breakins that > cost $200K - $400K? That indicates approximately 2 - 8 person-years of > work per incident. For an 'average' breakin this is way too high, but in quite a few cases it is not outrageous. Suppose a breakin causes you to have to restore all the filesystems on an NFS server that everyone relies on. That might take a day and leave 50 developers essentially idle. 50 man-days (ie 10 man-weeks or around a quarter of a man-year) could easily be worth $25K. 
Suppose you decide you need to force 300 people to get a new password - how much time would that take? How much time would be spent on examining why the break-in was successful? What if the conclusion is you need a new firewall - how much would that cost? Do the CPU-hours and network bandwidth that the intruders may have used cost anything? On the other hand, I've sat through power cuts that I estimate cost the company $10K :-) Lost productivity seems much cheaper than it is - no one has to sign off a purchase order but that doesn't mean it's free. Neil. -- nreadwin@micrognosis.co.uk Phone: +1 908 855 1221 x519 Anything is a cause for sorrow that my mind or body has made

From firewalls-owner Wed Jan 11 16:05:26 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA15665 for firewalls-outgoing; Wed, 11 Jan 1995 15:40:37 -0800 Received: from insite.parasoft.co.uk (insite.parasoft.co.uk [193.132.123.15]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA15659 for ; Wed, 11 Jan 1995 15:40:32 -0800 Received: from pb (pb.insite.co.uk [192.168.0.20]) by insite.parasoft.co.uk (8.6.9/8.6.9) with SMTP id XAA04704 for ; Wed, 11 Jan 1995 23:33:42 GMT Date: Wed, 11 Jan 1995 23:33:42 GMT Message-Id: <199501112333.XAA04704@insite.parasoft.co.uk> X-Sender: peter@gate.insite.co.uk Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: peter@insite.parasoft.co.uk (Peter Bowyer) Subject: Multi-homed firewall, DNS & sendmail X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
All, Unlurking briefly for a quick question.... I have a multi-homed host (Linux 1.1.74) acting as firewall between our Internet connection (Ethernet), the private LAN (also Ethernet) and a SLIP connection to a non-trusted domain. The Internet connection is behind a filtering router (Cisco). The firewall has a different IP address on each of the 3 interfaces.
It also has 2 hostnames - well, actually 3 at the moment, migrating to 2 when we get our own domain registered - currently we're piggybacking on a neighbour. These look like this :-
193.x.x.x - internet - aaaa.bbbb.co.uk (to be gate.aaaa.co.uk)
192.168.x.x - private LAN - gate.aaaa.co.uk
44.x.x.x - SLIP - xxx.ampr.org
I have various pieces of fwtk running, as well as CERN 3.0 httpd for proxy www access from the private LAN. I'm comfortable that I can configure these to suit my needs. The firewall host is to be primary nameserver for the new aaaa.co.uk domain. The domain will include only one registered IP address (from the neighbour's Class C), and many 192.168's. My problems are these :-
Problem 1. When the new domain aaaa.co.uk gets registered (any day now), my firewall will have one hostname for the two ethernet IPs - 193.x.x.x and 192.168.x.x. When queried from outside, the named will provide both addresses; only one is reachable; the other is highly dangerous. The internal hosts will never get queried (hopefully) so no problem. How can I avoid this situation? I see 2 solutions : 1. Call the private LAN something else and run separate zones in BIND (administratively a nightmare); 2. Register a class C for the lot, get the filtering and routing changed with the service provider, change the IPs on all the private hosts, all for only one internet-accessible host. What a waste of number-space. I don't like either of these - is there a trick I can do with BIND to sort this out?
Problem 2. This relates to sendmail (8.6.9). All 3 interfaces on my firewall host need to accept sendmail connections. I need to have sendmail masquerade with the 2 hostnames, depending on which port the connection comes in from. I'm not too concerned about the private LAN with this one, but the internet and the ampr.org interfaces must be different. Is there a firewall/sendmail guru out there who can advise me on this?
I really need the two sides to behave as though they are 2 completely separate hosts - in the banner, the 'Received' headers, bouncing mail headers etc etc. I know a bit about sendmail.cf and can have it do rewrites and normal masquerades, but how can I have it answer and behave differently on the 2 ports? Thanks for any help - direct email probably best, I'll summarise if appropriate. Peter -- Peter Bowyer - InSite Computer Technology Ltd Tel: +44 635 861700 Fax: +44 635 861600 peter@insite.parasoft.co.uk

From firewalls-owner Wed Jan 11 16:53:57 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA16370 for firewalls-outgoing; Wed, 11 Jan 1995 16:24:47 -0800 Received: from hermes.intel.com (hermes.intel.com [143.183.152.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA16365 for ; Wed, 11 Jan 1995 16:24:44 -0800 Received: from argus.intel.com by hermes.intel.com (5.65/10.0i); Wed, 11 Jan 95 16:22:31 -0800 Received: by argus.intel.com (5.65/10.0i); Wed, 11 Jan 95 16:22:30 -0800 From: sedayao@argus.intel.com (Jeffrey C. Sedayao) Message-Id: <9501120022.AA05893@argus.intel.com> Subject: opinions on NCSA's CCI? To: firewalls@greatcircle.com Date: Wed, 11 Jan 95 16:22:29 PST X-Mailer: ELM [version 2.4dev PL66] Mime-Version: 1.0 Content-Type: text Content-Length: 764 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Folks, Has anyone taken a look at NCSA's CCI? It seems pretty scary to me. CCI (Common Client Interface) is a way for programs to talk to a running NCSA Mosaic browser. The application program talks to some port the browser listens to and then sends commands for it to execute. Some of the proposed commands have the browser get URIs, display stuff, send information, and shutdown(!). If that's not exciting enough, some proposed features will let applications send scripts to the browser to be executed. I can see the power and possible utility of CCI, but it seems too open to abuse.
Anyway, check out http://www.ncsa.uiuc.edu/SDG/Software/Mosaic/CCI/cci-spec.html for more information. -- Jeff Sedayao Intel Corporation sedayao@argus.intel.com

From firewalls-owner Wed Jan 11 17:54:12 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA17152 for firewalls-outgoing; Wed, 11 Jan 1995 17:44:06 -0800 Received: from igw.merck.com (igw.merck.com [155.91.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA17147 for ; Wed, 11 Jan 1995 17:44:02 -0800 Received: by igw.merck.com (5.65/fma-120691); id AA10561; Wed, 11 Jan 95 20:47:48 -0500 Message-Id: <9501120147.AA10561@igw.merck.com> From: anthony_starks@merck.com (Anthony Starks) Subject: Re: CCI To: firewalls@greatcircle.com Date: Wed, 11 Jan 1995 20:43:41 -0500 (EST) Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1811 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
CCI is useful but dangerous. Here's a program to exercise CCI; it reads URLs from stdin for display. Link against NCSA's libcci.

/*
 *
 * cci -- minimal CCI interface
 *
 * Anthony Starks (Anthony_Starks@Merck.Com)
 *
 */
#include <stdio.h>      /* the system header name was lost in the archive; stdio is what the code uses */
#include <stdlib.h>     /* atoi(), exit() */
#include <string.h>     /* strcpy(), strncpy(), strcspn() */
#include <unistd.h>     /* getopt(), optind, opterr, optarg */
#include "cci.h"

void cb();

char *smessages[] = { "general failure", "no memory", "bad request", "network error" };
#define NSMESSAGES ((int)(sizeof(smessages) / sizeof(smessages[0])))

#define DEF_CCIPORT 1958
#define DEF_CCIHOST "localhost"
#define usage() fputs("Usage: cci [-p port] [-h host] [-v]\n", stderr); exit(1)

int
main(argc, argv)
int argc;
char *argv[];
{
    MCCIPort p, MCCIConnect();
    char url[1024], ccihost[1024];
    int c, status, cciport, verbose;

    opterr = 0;
    cciport = DEF_CCIPORT;
    strcpy(ccihost, DEF_CCIHOST);
    verbose = 0;

    /*
     * Process the command line
     */
    while ((c = getopt(argc, argv, "p:h:v")) != EOF) {
        switch (c) {
        case 'p': cciport = atoi(optarg); break;
        case 'h': strncpy(ccihost, optarg, sizeof(ccihost) - 1);   /* bounded: -h is user input */
                  ccihost[sizeof(ccihost) - 1] = '\0'; break;
        case 'v': verbose++; break;
        default : usage();
        }
    }

    /*
     * The main loop: connect to the client, read URLs
     * from stdin and send them to the client.
     */
    MCCIInitialize();
    p = MCCIConnect(ccihost, cciport, cb, NULL);
    if (MCCIIsConnected(p)) {
        while (fgets(url, sizeof(url), stdin) != NULL) {
            url[strcspn(url, "\n")] = '\0';      /* strip the newline, if there is one */
            if (verbose)
                printf("Opening %s\n", url);
            if ((status = MCCIGet(p, url, MCCI_OUTPUT_NEW, MCCI_ABSOLUTE, NULL)) != MCCI_OK)
                printf("The URL: %s failed because of %s\n", url,
                       (status >= 1 && status <= NSMESSAGES) ? smessages[status - 1] : "an unknown error");
        }
    } else
        fputs("cannot connect\n", stderr);
    MCCIDisconnect(p);
    return 0;
}

/* Called by libcci when the browser end closes the connection. */
void cb(p, d)
MCCIPort p;
void *d;
{
    puts("Connection closed");
}

-- Anthony Starks Merck Research Laboratories Anthony_Starks@Merck.Com

From firewalls-owner Wed Jan 11 21:53:59 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA18774 for firewalls-outgoing; Wed, 11 Jan 1995 21:45:29 -0800 Received: from grin.io.org (root@grin.io.org [198.133.36.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id VAA18769 for ; Wed, 11 Jan 1995 21:45:26 -0800 Received: (from carlo@localhost) by grin.io.org (8.6.9/8.6.9) id AAA19214 for Firewalls@GreatCircle.COM; Thu, 12 Jan 1995 00:43:48 -0500 From: Carlo Tosti Message-Id: <199501120543.AAA19214@grin.io.org> Subject: Re: Firewalls-Digest V4 #20 To: Firewalls@GreatCircle.COM Date: Thu, 12 Jan 1995 00:43:42 -0500 (EST) In-Reply-To: <199501120154.RAA17273@miles.greatcircle.com> from "firewalls-digest-owner@GreatCircle.COM" at Jan 11, 95 05:54:53 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 730 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
> >what is WFW ? > > >rodney > > wfw=windows for workgroups > > Rich > rich.friedeman@anixter.com > Sorry to pick up on a special case of "Firewall" but I can't resist the temptation. There are people that use the 3 letter words as plain words hoping to give an immediate message but in reality they use the most annoying and time consuming "Firewall" to the information.
Granted that people in the specific trade are able to attach meaningful words to a 3 letter word but the others are left out just as if they were isolated by a "Firewall". I assume that every person in this forum is for sharing knowledge and information. Am I wrong? Flames are welcome

From firewalls-owner Thu Jan 12 00:53:54 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA19747 for firewalls-outgoing; Thu, 12 Jan 1995 00:48:14 -0800 Received: from hp.com (hp.com [15.255.152.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id AAA19737; Thu, 12 Jan 1995 00:48:10 -0800 From: Esmond_Tong@HP-HongKong-om1.om.hp.com Received: from hpsgm1.sgp.hp.com by hp.com with ESMTP (1.37.109.14/15.5+ECS 3.3) id AA033530375; Thu, 12 Jan 1995 00:46:17 -0800 Received: from by hpsgm1.sgp.hp.com with SMTP (1.37.109.11/15.5+ECS 3.4 Openmail) id AA105190370; Thu, 12 Jan 1995 16:46:10 +0800 X-Openmail-Hops: 2 Date: Thu, 12 Jan 95 16:45:32 +0800 Message-Id: In-Reply-To: <199501111432.JAA18614@gate3.fmr.com> Subject: TIS proxys To: firewalls-owner@GreatCircle.com, Joe.judge@fmr.com Cc: firewalls@GreatCircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Item Subject: Message text Hello Joe, I would appreciate it if you can let me know where I can get a copy of ws_ftp. Is it shareware or a commercial product?? Any similar info for Telnet?? Regards, Esmond > > TIS's telnet gateway out, and ftp gateway out to the > Internet are very ... obvious. > > Are there ftp/telnet clients out there that are TIS-proxified ? > (standard set in order of importance: Unix and Windows, Mac ) > > I've heard of SOCK-ified clients .. so I thought I'd ask. > > - joe > > > note: I've found a 'ws_ftp' for Windows that has a firewall > checkbox, radio buttons give a choice of ftp firewalls of > SITE hostname, > USER after logon, > USER with no logon, > PROXY open > > The second works well when pointed at a TIS relay.
> > From firewalls-owner Thu Jan 12 01:53:59 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA20866 for firewalls-outgoing; Thu, 12 Jan 1995 01:44:42 -0800 Received: from ducie.cs.umass.edu (ducie.cs.umass.edu [128.119.40.164]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id BAA20861 for ; Thu, 12 Jan 1995 01:44:38 -0800 Received: (from lmccarth@localhost) by ducie.cs.umass.edu (8.6.9/8.6.9) id EAA10923 for Firewalls@GreatCircle.COM; Thu, 12 Jan 1995 04:44:36 -0500 From: "L. McCarthy" Message-Id: <199501120944.EAA10923@ducie.cs.umass.edu> Subject: Re: What is WFW ? To: Firewalls@GreatCircle.COM Date: Thu, 12 Jan 1995 04:44:35 -0500 (EST) In-Reply-To: <199501120900.BAA19850@miles.greatcircle.com> from "firewalls-digest-owner@GreatCircle.COM" at Jan 12, 95 01:00:14 am X-Mailer: ELM [version 2.4 PL22] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 507 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Carlo Tosti writes: > Granted that people in the specific trade are able to attach > meaningful words to a 3 letter word but the others are left out just > as if they where isolated by a "Firewall". It's certainly a hazard. I had been assuming WFW was an acronym for "Word For Windows", and was puzzling over why in the world Microsoft had built communications capabilities into a word processor. I was also beginning to ponder wiping it off the hard disk on the PC I occasionally use for dialup.... 
From firewalls-owner Thu Jan 12 02:11:45 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA20917 for firewalls-outgoing; Thu, 12 Jan 1995 01:53:23 -0800 Received: from sun2.nsfnet-relay.ac.uk (sun2.nsfnet-relay.ac.uk [128.86.8.45]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id BAA20907 for ; Thu, 12 Jan 1995 01:53:18 -0800 Via: uk.ac.sghms; Thu, 12 Jan 1995 09:50:01 +0000 From: RH Hulkhory Message-Id: <23890.9501120947@sghms.ac.uk> Subject: TCP Wrapper To: firewalls@greatcircle.com Date: Thu, 12 Jan 1995 09:47:35 +0000 (GMT) X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 607 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Platform Solaris 2.3 -------------------- I need to know about TCP wrappers . Any help on how to set it up will be much appreciated Many Thanks -- Richard +---------------------------------------------------------------------+ | R H Hulkhory Tel: 081 725 5435 | | St George's Medical School Fax: 081 725 3583 | | Cranmer Terrace, Tooting | | London SW17 ORE Email: r.hulkhory@sghms.ac.uk | +---------------------------------------------------------------------+ From firewalls-owner Thu Jan 12 04:24:25 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA22278 for firewalls-outgoing; Thu, 12 Jan 1995 04:18:11 -0800 Received: from eagle (root@eagle.idshq.com [199.100.93.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id EAA22273 for ; Thu, 12 Jan 1995 04:18:08 -0800 From: Mark_Podracky@smtpgtwy.idshq.com Received: from cc:Mail by smtpgtwy.idshq.com id AA789923833 Thu, 12 Jan 95 07:17:13 EST Date: Thu, 12 Jan 95 07:17:13 EST Message-Id: <9500127899.AA789923833@smtpgtwy.idshq.com> To: "L. McCarthy" CC: firewalls@greatcircle.com Subject: What is WFW ? -- A Correction Sender: firewalls-owner@GreatCircle.COM Precedence: bulk WFW does not stand for Word for Windows but Windows For Workgroups. 
WFW is an extended MS Windows 3.1 that has an improved file manager and some built-in network capabilities such as TCP/IP.

From firewalls-owner Thu Jan 12 04:39:07 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA22262 for firewalls-outgoing; Thu, 12 Jan 1995 04:12:46 -0800 Received: from sun4nl.NL.net (sun4nl.NL.net [193.78.240.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id EAA22257 for ; Thu, 12 Jan 1995 04:12:38 -0800 Received: from pwood1 by sun4nl.NL.net via EUnet id AA29192 (5.65b/CWI-3.3); Thu, 12 Jan 1995 13:11:01 +0100 Received: by pwood1.pinewood.nl (1.38.193.4/16.2) id AA25713; Thu, 12 Jan 1995 10:05:33 +0100 From: "Frank ten Wolde" Message-Id: <9501121005.ZM25711@pwood1.pinewood.nl> Date: Thu, 12 Jan 1995 10:05:33 +0100 In-Reply-To: Mike Batchelor "Re: FW: PC Take-Over -- reply" (Jan 11, 8:19) References: <199501111319.IAA12982@clark.net> X-Face: 'BsFf8'k.q?J#?|$D*,)/?sRB{woUK&9\5K{ERmT;VTSyNLBb?muLf>b:Pt&VTDw8YCaC]6 C!MRSMr5UNjZLa]fi? X-Mailer: Z-Mail (3.2.0 06sep94) To: Firewalls@greatcircle.com Subject: Re: FW: PC Take-Over -- reply Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
On Jan 11, 8:19, Mike Batchelor wrote: > > You might be surprised at what your PC is running. A colleague here > > brought up Chameleon -- and I discovered that he was running an FTP > > server on his machine, quite unknowingly. This was an ordinary PC > > running Windows... > > This is true. An acquaintance of mine plays on IRC via SLIP connection > using Windows NT. I finally told him the other day that I was able to > login to his PC when he was connected, via ftp using any user id and any > password - except anonymous, for some reason. > > -- > \\\ Mike Batchelor /// mikebat@clark.net \\\ M.Batchelor@babylon4.clark.net /// > "Supporting Windows is like buying a puppy. The dog only cost $100, but > we spent another $500 cleaning the carpet."
> - Marc Dodge, "Reality Check", _Open Computing_, December 1994 Things may have changed in the last half year or so, but six months ago we brought up Windows NT for a very short evaluation. There were rumours that it was supposed to be C2 certified (of course, I had no reason to doubt this statement :-). When the system was running I was able to do anonymous FTP to it and.... it appeared the system did not do a chroot() to the anon-FTP home directory and I was able to do (in FTP):
FTP> cd ..
FTP> cd ..
In other words, the *entire* disk was available for reading (can't remember if you could write to it :-). -Frank -- ------------------------------------------------------------------------------- F.W. ten Wolde (PA3FMT) Pinewood Automatisering B.V. E-mail: franky@pinewood.nl Kluyverweg 2a Phone: (+31) 15 682 543 2629 HT Delft Fax: (+31) 15 682 544 The Netherlands -------------------------------------------------------------------------------

From firewalls-owner Thu Jan 12 06:54:09 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA23314 for firewalls-outgoing; Thu, 12 Jan 1995 06:28:02 -0800 Received: from anixter.com (mailhost.anixter.com [149.128.100.246]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA23309 for ; Thu, 12 Jan 1995 06:27:59 -0800 From: Rich.Friedeman@corp.anixter.com Received: from corp.anixter.com by anixter.com (4.1/SMI-4.1) id AA03156; Thu, 12 Jan 95 08:24:14 CST Received: from cc:Mail by corp.anixter.com id AA789927758; Thu, 12 Jan 95 08:21:58 csd Date: Thu, 12 Jan 95 08:21:58 csd Message-Id: <9500127899.AA789927758@corp.anixter.com> To: firewalls@greatcircle.com Subject: Re:What is WFW - a Correction Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
>WFW does not stand for Word for Windows but Windows For Workgroups. >WFW is an extended MS Windows 3.1 that has an improved file manager >and some built-in network capabilities such as TCP/IP. WFW does not have TCP/IP built in.
You have to go out of your way to add it. It has NetBEUI built in, and supports the addition of several other protocols, such as TCP/IP. Rich rich.friedeman@anixter.com

From firewalls-owner Thu Jan 12 07:23:54 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA23682 for firewalls-outgoing; Thu, 12 Jan 1995 07:20:37 -0800 Received: from master.lds-az.loral.com (master.lds-az.loral.com [158.185.20.193]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA23677 for ; Thu, 12 Jan 1995 07:20:34 -0800 Received: by master.lds-az.loral.com (5.65a/LDS-AZ-3.12) id AA24391; Thu, 12 Jan 95 08:12:13 -0700 Date: Thu, 12 Jan 95 08:12:13 -0700 From: goodic@master.lds-az.loral.com ( Charles Gooding ) Message-Id: <9501121512.AA24391@master.lds-az.loral.com> To: firewalls@greatcircle.com Subject: CERN httpd Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Does anyone know where I can obtain CERN httpd? Thanks ...chuck

From firewalls-owner Thu Jan 12 07:54:37 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA23992 for firewalls-outgoing; Thu, 12 Jan 1995 07:38:22 -0800 Received: from utah.afwc.af.mil (utah.afwc.af.mil [132.60.48.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA23987 for ; Thu, 12 Jan 1995 07:38:17 -0800 Received: (hightowr@localhost) by utah.afwc.af.mil (8.6.8.1/8.6.5) id IAA01157; Thu, 12 Jan 1995 08:43:07 -0600 Date: Thu, 12 Jan 1995 08:43:06 -0600 (CST) From: Dave Hightower X-Sender: hightowr@utah To: Frank ten Wolde cc: Firewalls@GreatCircle.COM Subject: Re: FW: PC Take-Over -- reply In-Reply-To: <9501121005.ZM25711@pwood1.pinewood.nl> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
On Thu, 12 Jan 1995, Frank ten Wolde wrote: > Things may have changed in the last half year or so, but six months ago > we brought up Windows NT for a very short evaluation.
There were rumours > that it was supposed to be C2 certified (of course, I had no reason to > doubt this statement :-). When the system was running I was able to > do anonymous FTP to it and.... it appeared the system did not do a > chroot() to the anon-FTP home directory and I was able to do (in FTP): > > FTP> cd .. > FTP> cd .. > > In other words, the *entire* disk was available for reading (can't remember > if you could write to it :-). It's *still* that way by default: utah:~ 89> ftp NTsucks Connected to NTsucks. 220 NTsucks Windows NT FTP Server (Version 3.5). Name (NTsucks:hightowr): 331 Password required for hightowr. Password: 230 User hightowr logged in (guest access). ftp> pwd 257 "C:\" is current directory. ftp> ls 200 PORT command successful. 150 Opening ASCII mode data connection for file list. I simply hit for each of the prompts there. And yes, the machine names have been changed to protect the innocent--or naive. ;> with "guest access" you have complete access to the hard drive; you can read any file, you just don't have write permissions. Dave ______________________________________________________________________________ Dave Hightower | opinion? I'm allowed to have an opinion? Systems Manager | well, if I DID have one, it'd be mine, all mine! Air Force Wargaming Center | "Dum vivimus, vivamus!" 
hightower@afwc.af.mil | ------------------------------------------------------------------------------

From firewalls-owner Thu Jan 12 08:24:50 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA24564 for firewalls-outgoing; Thu, 12 Jan 1995 08:14:48 -0800 Received: from gatekeeper.ray.com (gatekeeper.ray.com [138.125.162.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA24559 for ; Thu, 12 Jan 1995 08:14:45 -0800 Received: from localhost (mailer@localhost) by gatekeeper.ray.com (8.6.4/8.6.5) id LAA13984; Thu, 12 Jan 1995 11:09:55 -0500 Received: from swlpak.msd.ray.com by gatekeeper.ray.com; Thu Jan 12 11:10:06 1995 Received: (from wag@localhost) by swlpak.msd.ray.com (8.6.9/8.6.9) id LAA01260; Thu, 12 Jan 1995 11:09:54 -0500 From: William Gianopoulos {84718} Message-Id: <199501121609.LAA01260@swlpak.msd.ray.com> Subject: Re: Firewalls-Digest V4 #20 To: carlo@io.org (Carlo Tosti) Date: Thu, 12 Jan 1995 11:09:54 -0500 (EST) Cc: Firewalls@GreatCircle.COM In-Reply-To: <199501120543.AAA19214@grin.io.org> from "Carlo Tosti" at Jan 12, 95 00:43:42 am X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 446 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
> > > >what is WFW ? > > > > >rodney > > > > wfw=windows for workgroups Continuing with this completely off the firewall topic, the commonly used abbreviation for Windows for Workgroups is W4WG. -- William A. Gianopoulos; Raytheon Missile Systems Division wag@swl.msd.ray.com -------------------------------------------------------------------- Any opinions expressed above are my own and not those of my employer.
From firewalls-owner Thu Jan 12 08:55:09 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA24810 for firewalls-outgoing; Thu, 12 Jan 1995 08:33:07 -0800 Received: from netcomsv.netcom.com (uucp7.netcom.com [163.179.3.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA24805 for ; Thu, 12 Jan 1995 08:33:05 -0800 Received: from zodiac.UUCP by netcomsv.netcom.com with UUCP (8.6.9/SMI-4.1) id IAA28763; Thu, 12 Jan 1995 08:19:50 -0800 Received: by zcon.com (4.1/SMI-4.1) id AA17528; Thu, 12 Jan 95 07:39:47 PST Date: Thu, 12 Jan 95 07:39:47 PST From: szh@zcon.com (Syed Zaeem Hosain) Message-Id: <9501121539.AA17528@zcon.com> To: Mark_Podracky@smtpgtwy.idshq.com Subject: Re: What is WFW ? -- A Correction Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > WFW does not stand for Word for Windows but Windows For Workgroups. WFW is > an extended MS Windows 3.1 that has an improved file manager and some > built-in network capabilities such as TCP/IP. One minor correction. WFW, out of the box, does *not* have built-in TCP/IP support - it uses Microsoft NetBEUI protocols for its network. However, you *can* freely get a TCP/IP protocol stack for WFW via anon ftp from ftp.microsoft.com in the networking software directories. Z ------------------------------------------------------------------------- | Syed Zaeem Hosain P. O. 
Box 610097 (408) 441-7021 | | Z Consulting Group San Jose, CA 95161 szh@zcon.com | -------------------------------------------------------------------------

From firewalls-owner Thu Jan 12 08:55:09 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA24582 for firewalls-outgoing; Thu, 12 Jan 1995 08:15:45 -0800 Received: from gold.chem.hawaii.edu (gold.chem.Hawaii.Edu [128.171.55.9]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA24577 for ; Thu, 12 Jan 1995 08:15:40 -0800 Received: by gold.chem.hawaii.edu (4.1/gold-MX-1.9) id AA07374; Thu, 12 Jan 95 06:13:26 HST Date: Thu, 12 Jan 1995 06:09:24 -1000 (HST) From: NetSurfer Subject: Re: Firewalls-Digest V4 #20 To: Carlo Tosti Cc: Firewalls@GreatCircle.COM In-Reply-To: <199501120543.AAA19214@grin.io.org> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
> > >what is WFW ? > > > > >rodney > > > > wfw=windows for workgroups > > > > Rich > > rich.friedeman@anixter.com > > > Sorry to pick up on a special case of "Firewall" > but I can't resist the temptation. > > There are people that use the 3 letter words as plain words > hoping to give an immediate message but in reality they use > the most annoying and time consuming "Firewall" to the information.
For myself it isn't a matter of firewalling information but of not wanting to type out Windows For Workgroups every time -
> > Granted that people in the specific trade are able to attach > meaningful words to a 3 letter word but the others are left out just > as if they were isolated by a "Firewall".
This is a technical group - if you aren't clear on a particular acronym's meaning, just ask
> > I assume that every person in this forum is for sharing knowledge and > information. Am I wrong ?
Negative. See preceding comment
> > Flames are welcome
Never done it, never will.
-NetSurfer #include >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> == = = |James D. Wilson |V.PGP 2.7: 512/E12FCD 1994/03/17 > " " o " |P. O. Box 15432 | finger for full PGP key > " " / \ " |Honolulu, HI 96830 |====================================> \" "/ G \" |Serendipitous Solutions| Also NetSurfer@sersol.com > >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> From firewalls-owner Thu Jan 12 09:55:08 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA26056 for firewalls-outgoing; Thu, 12 Jan 1995 09:49:35 -0800 Received: from foxtrot.worldcom.com (foxtrot.worldcom.com [198.64.193.12]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA26049 for ; Thu, 12 Jan 1995 09:49:24 -0800 Received: from notes.worldcom.com (notes.worldcom.com [198.64.193.9]) by foxtrot.worldcom.com (8.6.9/8.6.9) with SMTP id LAA06317 for ; Thu, 12 Jan 1995 11:47:49 -0600 Received: by notes.worldcom.com (IBM OS/2 SENDMAIL VERSION 1.3.0.Z)/3.3) id AA3756; Thu, 12 Jan 95 11:47:47 -0800 Message-Id: <9501121947.AA3756@notes.worldcom.com> Received: from worldcom with "Lotus Notes Mail Gateway for SMTP" id F543B04C1A37D52886256142006021C4; Thu, 12 Jan 95 11:47:45 To: Dave Hightower Cc: Firewalls From: Kenneth Smith Date: 12 Jan 95 9:23:36 EDT Subject: Re: NT security holes. Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk To be fair to Windows NT, I don't believe that the problem just mentioned isn't anything that couldn't be taken care of with the proper systems management. And a question: was the problem you mentioned on a FAT or an NTFS partition? FAT partitions are, of course, not secure: and I believe that NTFS partitions would not display the default behavior you describe. But I may be wrong: I haven't tested the FTP security myself. That's not to say that there aren't some very real (and interesting) holes in NT's system security. 
For instance, the sa password for Microsoft SQL Server can be viewed in cleartext in the system registry database. And if you haven't disabled the option, and if they know how to do it, anybody who has rights to run a stored procedure on MS SQL Server can run a command line on the server with the full rights of whoever is signed onto the system console. And I understand that in the first build of NT 3.1, in some instances RAS passwords were not actually checked. (Ooops . . .) To: franky @ pinewood.nl (Frank ten Wolde) @ Internet cc: Firewalls @ GreatCircle.COM @ Internet (bcc: Kenneth Smith) From: hightowr @ afwc.af.mil (Dave Hightower) @ Internet @ WORLDCOM Date: 01/12/95 08:43:06 AM CST Subject: Re: FW: PC Take-Over -- reply On Thu, 12 Jan 1995, Frank ten Wolde wrote: > Things may have changed in the last half year or so, but six months ago > we brought up Windows NT for a very short evalutation. There were rumours > that it was supposed to be C2 certified (of course, I had no reason to > doubt this statement :-). When the system was running I was able to > do anonymous FTP to it and.... it appeared the system did not do a > chroot() to the anon-FTP home directory and I was able to do (in FTP): > > FTP> cd .. > FTP> cd .. > > In other words, the *entire* disk was available for reading (can't remember > if you could write to it :-). It's *still* that way by default: utah:~ 89> ftp NTsucks Connected to NTsucks. 220 NTsucks Windows NT FTP Server (Version 3.5). Name (NTsucks:hightowr): 331 Password required for hightowr. Password: 230 User hightowr logged in (guest access). ftp> pwd 257 "C:\" is current directory. ftp> ls 200 PORT command successful. 150 Opening ASCII mode data connection for file list. I simply hit for each of the prompts there. And yes, the machine names have been changed to protect the innocent--or naive. ;> with "guest access" you have complete access to the hard drive; you can read any file, you just don't have write permissions. 
Dave ______________________________________________________________________________ Dave Hightower | opinion? I'm allowed to have an opinion? Systems Manager | well, if I DID have one, it'd be mine, all mine! Air Force Wargaming Center | "Dum vivimus, vivamus!" hightower@afwc.af.mil | ------------------------------------------------------------------------------ From firewalls-owner Thu Jan 12 10:24:12 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA25688 for firewalls-outgoing; Thu, 12 Jan 1995 09:28:05 -0800 Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA25682 for ; Thu, 12 Jan 1995 09:27:54 -0800 Received: from firewall.meaddata.com.meaddata.com by relay1.UU.NET with SMTP id QQxyjt04466; Thu, 12 Jan 1995 12:25:42 -0500 Received: from meaddata.com ([138.12.96.71]) by firewall.meaddata.com.meaddata.com (4.1/SMI-4.1) id AA29827; Thu, 12 Jan 95 12:27:39 EST Received: from ticktock.meaddata.com by meaddata.com (4.1/SMI-4.1) id AA05344; Thu, 12 Jan 95 12:25:39 EST Received: by ticktock.meaddata.com (4.1/SMI-4.1) id AA14257; Thu, 12 Jan 95 12:25:37 EST Date: Thu, 12 Jan 1995 12:25:36 -0500 (EST) From: Richard Bellingar Subject: Firewall Resource List To: Firewalls Mailing List Message-Id: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Someone recently requested information about firewalls and sources, thought others might also find this information useful... ----+---- Rick Bellingar, Security Analyst, LEXIS-NEXIS (513)865-7005 PO Box 933, Dayton, Ohio 45401 (USA) ubellrj@meaddata.com -*- Sine ultima piscet, excrementi ad infinitum, non excrementus facit. -*- ---------- Text of forwarded message ---------- All contents copyright (c) 1994 Integrated Media Inc. Send a message to robot@advanced.com to get an index of on-line information. Additional firewall resources: "Firewalls and Internet Security", Steven Bellovin and William Cheswick. 
Addison-Wesley. ISBN 0-201-63357-4. "Internetworking with TCP/IP", Douglas Comer. Prentice-Hall, Inc. ISBN 0-13-468505-9. "Practical Unix Security", Garfinkle and Eugene Spafford. O-Reilly & Associates, Inc. ISBN 0-937175-72-2. "Computer Security Basics", Deborah Russell and G. T. Gangemi. ISBN 0-937175-71-4. Firewalls mailing list. Send subscription requests to firewalls-request@greatcircle.com with "subscribe firewalls" as the message body. Firewalls mailing list archive. Available via anonymous ftp to ftp.greatcircle.com in the directory /pub/firewalls. The subdirectory vendor has information about various vendor products. The subdirectory papers has many useful design documents. "Network and Internetwork Security: Principles and Practice," William Stallings (Prentice Hall). "Security Insider Report," a monthly newsletter covering products designed to protect computers and networks. $99 per year; 813-393-6600 SEAL firewall product: Digital Equipment Corporation FireWall-1 firewall product: SunSoft 2550 Garcia Avenu Mountain View, CA 94043 Voice: 510-460-3267 or 800-SUNSOFT Gauntlet firewall product: Fred Avolio Trusted Information Systems netsec@tis.com Voice: 301-854-6889 Fax: 301-854-5363 Interlock firewall product: ANS CO+RE Systems, Inc. 100 Clearbrook Road Elmsford, NY 10523 Voice: 800-456-8267 Email: info@ans.net Portus firewall product: Livermore Software Laboratories, Inc. (LSLI) P.O. Box 73228 Houston, TX 77273-3228 Voice: 800-240-5754 Fax: 713-379-5225 Email: portusinfo@gw.lsli.com Eagle firewall product: Raptor Systems, Inc. 3422 Old Capitol Trail Suite 3331 Wilmingon, Delaware 19808 Voice: 302-996-3331 Fax: 302-996-5818 Sidwinder firewall product: Kevin Sorensen Secure Computing Corporation. 2675 Long Lake Road Roseville, MN 55113 Voice: 800-692-5625 Fax: 612-628-2701 Email: sidewinder@sctc.com TIS fwtk firewall building toolkit. Available from TIS via anonymous ftp to ftp.tis.com in /pub/firewalls/toolkit. 
In addition, many consulting firms provide firewall design services. For a conversational explanation of how to set up a firewall send an e-mail message to 4445591@mcimail.com with "INTERNET" on the Subject line. By return e-mail (be patient, this e-mail robot gets behind sometimes) you'll get a set of three LAN Talk columns from InfoWorld, a sister weekly to Advanced Systems magazine. From firewalls-owner Thu Jan 12 10:54:15 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA26715 for firewalls-outgoing; Thu, 12 Jan 1995 10:32:12 -0800 Received: from realityone.gstone.com (realityone.gstone.com [199.35.226.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA26708 for ; Thu, 12 Jan 1995 10:32:08 -0800 Received: from smtpgate.gstone.com by realityone.gstone.com via SMTP (931110.SGI/930416.SGI.AUTO) for cheer@isisph.com id AA13056; Thu, 12 Jan 95 10:15:30 -0800 Received: from Microsoft Mail (PU Serial #1024) by smtpgate.gstone.com (PostalUnion/SMTP(tm) v2.1.2RC1 for Windows NT(tm)) id AA-1995Jan12.100900.1024.11750; Thu, 12 Jan 1995 10:14:49 -0800 From: rschlientz@smtpgate.gstone.com (Schlientz, Rick) To: cheer@isisph.com (Christopher D. Heer) Cc: firewalls@GreatCircle.COM (Firewalls) Message-Id: <1995Jan12.100900.1024.11750@smtpgate.gstone.com> X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Organization: GreyStone Technology, Inc. 15010 Ave. of Science, Suite 200 San Diego, CA 92128 Date: Thu, 12 Jan 1995 10:14:49 -0800 Subject: Re: FW: PC Take-Over -- reply Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Christopher D. Heer wrote: > This is scary, too, because WFW can use any protocol -- including > TCP/IP -- as its own. I don't know if you still can, but you used to > be able to mount Microsoft's ftp server as a WFW drive over > the Internet. . . :( I'm more than a litle concerned to hear this. 
Apparently the ftp site is on the "dirty" side of the firewall, so it is accessable to the internet. Is there some way to filter the packets so others can't do this to us? Does anyone know the port(s) to block to prevent this from happening? Where can I get more information on this? Thanks in advance. ================================================================ | Rick Schlientz email: rschlientz@gstone.com | Network / Systems Administrator | | /\/\/\ GreyStone Technology, Inc. | / /\/\ \ 15010 Avenue of Science, Suite 200 | \ \/\/ / San Diego, CA 92128 | \/\/\/ Phone: (619)675-7800 Ext. 148 FAX: (619)675-7808 ============================================================== From firewalls-owner Thu Jan 12 11:24:12 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA27377 for firewalls-outgoing; Thu, 12 Jan 1995 11:01:12 -0800 Received: from telemann.inoc.dl.nec.com (telemann.inoc.dl.nec.com [143.101.112.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA27372 for ; Thu, 12 Jan 1995 11:01:09 -0800 Received: by telemann.inoc.dl.nec.com (8.6.9/YDL1.9.1-940729.15) id MAA10790(telemann.inoc.dl.nec.com); Thu, 12 Jan 1995 12:59:04 -0600 Received: by texas.syl.dl.nec.com (8.6.9/YDL1.9-930614.17) id MAA27059(texas.syl.dl.nec.com); Thu, 12 Jan 1995 12:59:03 -0600 To: firewalls@GreatCircle.com Date: 12 Jan 1995 12:58:59 -0600 From: cornell@syl.dl.nec.com Message-ID: <3f3u5j$qd8@texas.syl.dl.nec.com> Organization: CSTC - NEC Systems Lab., Irving, TX Path: syl.dl.nec.com!syl.dl.nec.com!not-for-mail Reply-To: cornell@syl.dl.nec.com Subject: cmsg newgroup necus.internet.mirror.firewalls Newsgroups: necus.internet.mirror.firewalls Sender: firewalls-owner@GreatCircle.COM Precedence: bulk necus.internet.mirror.firewalls is a newsgroup for use within NEC only and was approved 10 Jan 1995. Do not propagate this control message outside of NEC. 
necus.internet.* contact: cornell@syl.dl.nec.com (Cornell Kinderknecht) For your newsgroups file: necus.internet.mirror.firewalls: Mirror of firewalls@GreatCircle.COM mailing list. The informal charter: necus.internet.mirror.firewalls mirrors the articles posted to the mailing list firewalls@GreatCircle.COM for viewing by all NEC sites carrying the necus.* heirarchy. Be careful about posts to this group, they go out to the entire mailing list. NOTE: The necus.* heirarchy is for use inside NEC only. Do NOT propagate articles or control messages outside of NEC. -- | Cornell Kinderknecht Email: cornell@syl.dl.nec.com | | CSTC | | NEC Systems Lab. Phone: 214-518-3509 | | Irving, TX (Dallas) | From firewalls-owner Thu Jan 12 11:39:44 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA27681 for firewalls-outgoing; Thu, 12 Jan 1995 11:18:29 -0800 Received: from icm1.icp.net (icm1.icp.net [192.94.207.66]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA27676 for ; Thu, 12 Jan 1995 11:18:26 -0800 From: kpresser@infi.net Received: from infi.net (larry.infi.net [198.22.1.107]) by icm1.icp.net (8.6.9/8.6.9) with SMTP id OAA07836 for ; Thu, 12 Jan 1995 14:16:48 -0500 Received: from h-varrius.nr.infi.net by infi.net with smtp (Smail3.1.28.1 #13) id m0rSV1G-00006qC; Thu, 12 Jan 95 14:17 EST Received: by h-varrius.nr.infi.net (IBM OS/2 SENDMAIL VERSION 1.3.6)/1.0um) id AA0098; Thu, 12 Jan 95 14:18:43 -0800 Message-Id: <9501122218.AA0098@h-varrius.nr.infi.net> Mime-Version: 1.0 Date: Thu, 12 Jan 95 13:20:49 -0500 To: firewalls@greatcircle.com Reply-To: kpresser@infi.net Subject: Vendor RFP clarification - Our Tentative Plan X-Mailer: Ultimedia Mail/2 Lite, IBM T. J. Watson Research Center Content-Type: text/plain; charset="US-ASCII" Content-Id: <74_134_1_789934850> Content-Transfer-Encoding: 7Bit Content-Description: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have received a few questions regarding our plans. 
Although not completely formulated and subject to change to fit whichever firewall product I use, this is what I have been thinking of doing. Feel free to shoot holes in it (with constructive comments please) or add other sage advice. | +------------+ | | | public | | +-------+ 172.16.2 |---| DNS, WWW, | |---| Cisco | ---- ---- +-------+ | | FTP Server | | | 2513 | / \ (Inet)----| Cisco |----| +------------+ | |IP Only|---(Token ) ---- | 2501 | | | +-------+ \Ring/ |IP Only| | +----------+ | ---- +-------+ |---| Firewall |------| | | +----------+ | +--------+ 198.x.x 172.16.1 |Internal| (my registered |DNS,Mail| Class C IP) | Server | +--------+ Is that the right place for the public DNS, WWW, FTP server? The two routers will be configured to only allow configuration from the console, no ftp access (I believe that is possible with Cisco.) The routers would have restrictive access lists and route IP only. I would also tighten the access lists on the Cisco 4000 routers (not shown) which connect my Token-Ring to the rest of the WAN. Let's see, where were those sample access lists? The FAQ, Greatcircle, or was it TIS? This should allow me to set things up minus the 2513 and do testing and verification with a couple of devices on the 172.16.1 net, before I hook the Corporate Asset to the thing. Not sure exactly how mail flows in this scheme yet, but I want to funnel it to the RS/6000 on the Token-Ring which will then decide whether it goes to one of the AS/400's, the HP/9000's, or the MS-Mail Gateway. 
---------------------------------------------------------------------------- Ken Presser kpresser@infi.net Mgr Tech Support Sara Lee Intimates From firewalls-owner Thu Jan 12 11:54:15 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA28199 for firewalls-outgoing; Thu, 12 Jan 1995 11:45:22 -0800 Received: from spanky.ov.com (spanky.pls.ov.com [198.153.190.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA28186 for ; Thu, 12 Jan 1995 11:45:19 -0800 From: Mark.Hickey@ov.com Received: from ccgate.pls.ov.com by spanky.ov.com with SMTP on Thu, 12 Jan 1995 11:43:24 -0800 Received: from ccMail by ccgate.pls.ov.com id AA789939329 Thu, 12 Jan 95 11:35:29 PST Date: Thu, 12 Jan 95 11:35:29 PST Message-Id: <9500127899.AA789939329@ccgate.pls.ov.com> To: , firewalls@GreatCircle.COM (Firewalls Mailing List) Subject: Re[2]: RFC Sender: firewalls-owner@GreatCircle.COM Precedence: bulk John Lister writes (about a site for info on the Morris worm) ftp://coast.cs.purdue.edu/pub/doc/morris_worm > I am compiling a report for someone here at my company and would > appreciate such report. Thanks a lot. There is also an excellent HTML document at http://www.mit.edu:8001/people/eichin/virus/main.html Talks about the code, the chronology, etc. 
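The transcript Dave Hightower posted above is the whole check in miniature: log in as guest, ask where you are, try to climb out. The script below automates it so it can be run against every FTP server on the "dirty" side of a firewall. It is an added example, not code from the thread or from any of the products named in it. It records the login directory, sends CDUP (what `cd ..` does in the client), records the directory again, and classifies the result: a login directory that is a bare drive root such as `C:\` is reported as `root-exposed` (the transcript's case), a CDUP that lands above the login directory as `escaped`, anything else as `confined`. A chroot()ed UNIX server reports `/` for its jail, so a plain `/` is deliberately not treated as exposure. The hostname arguments and the default guest password are assumptions for illustration.

```python
"""Probe an FTP server the way the transcript above does: log in, note where the
login lands, try to climb out with CDUP, and classify the result (added example)."""
import ftplib
import re
import sys

# RFC 959 quotes the path in a 257 reply and doubles any embedded quote:
#   257 "C:\" is current directory.
_PWD_RE = re.compile(r'^257\s+"((?:[^"]|"")*)"')
_DRIVE_ROOT_RE = re.compile(r'^[A-Za-z]:[\\/]?$')      # C:, C:\ or C:/


def parse_pwd(reply):
    """Return the directory named in a 257 PWD reply, or raise if it is not one."""
    m = _PWD_RE.match(reply)
    if not m:
        raise ValueError("not a 257 reply: %r" % reply)
    return m.group(1).replace('""', '"')


def normalize(path):
    """Canonical form for comparison: forward slashes, no trailing slash,
    case-folded (NT paths are case-insensitive)."""
    p = path.replace("\\", "/").rstrip("/")
    return p.lower() or "/"


def escaped_root(login_dir, after_cdup):
    """True if the directory after CDUP is not inside the login directory."""
    root, now = normalize(login_dir), normalize(after_cdup)
    return not (now == root or now.startswith(root + "/"))


def classify(login_dir, after_cdup):
    """'root-exposed' when the guest login lands on a whole drive (the transcript's
    case), 'escaped' when CDUP climbs above the login directory, else 'confined'.
    A chroot()ed UNIX server legitimately reports '/', so only drive-letter roots
    are flagged as exposed."""
    if _DRIVE_ROOT_RE.match(login_dir.strip()):
        return "root-exposed"
    if escaped_root(login_dir, after_cdup):
        return "escaped"
    return "confined"


def probe(host, user="anonymous", passwd="guest@example.org", port=21, timeout=15):
    """Log in, record PWD, send CDUP (what 'cd ..' does), record PWD again.
    Returns (login_dir, dir_after_cdup, verdict)."""
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)
    try:
        ftp.login(user, passwd)
        login_dir = parse_pwd(ftp.sendcmd("PWD"))
        try:
            ftp.sendcmd("CDUP")
        except ftplib.error_perm:
            pass                # a confined server may refuse; the second PWD tells us anyway
        after = parse_pwd(ftp.sendcmd("PWD"))
    finally:
        ftp.close()
    return login_dir, after, classify(login_dir, after)


if __name__ == "__main__":
    # usage: python ftp_root_probe.py <host> [user] [password]   (hypothetical file name)
    host = sys.argv[1]
    user = sys.argv[2] if len(sys.argv) > 2 else "anonymous"
    pw = sys.argv[3] if len(sys.argv) > 3 else "guest@example.org"
    login_dir, after, verdict = probe(host, user, pw)
    print("login directory: %s\nafter CDUP:      %s\nverdict:         %s" % (login_dir, after, verdict))
```

Run it against your own servers only. The verdict is about the directory the server reports, not about what is readable inside it; a `confined` result still says nothing about whether the login directory itself holds anything sensitive.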
From firewalls-owner Thu Jan 12 12:23:38 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA28153 for firewalls-outgoing; Thu, 12 Jan 1995 11:42:04 -0800 Received: from gateway.sequent.com (gateway.sequent.com [138.95.18.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA28148 for ; Thu, 12 Jan 1995 11:42:01 -0800 Received: from [138.95.14.34] by gateway.sequent.com (5.61/1.34) id AA07517; Thu, 12 Jan 95 11:39:26 -0800 Received: from ushqgw0a.sequent.com by relay1.sequent.com (5.65/crg/11) id AA19350; Thu, 12 Jan 95 11:36:03 -0800 Received: by ushqgw.sequent.com with Microsoft Mail id <2F1585AA@ushqgw.sequent.com>; Thu, 12 Jan 95 11:40:26 PST From: "Ned Smith (nedbob)" To: "'Firewalls Group'" Subject: RE: NT security holes. Date: Thu, 12 Jan 95 11:38:00 PST Message-Id: <2F1585AA@ushqgw.sequent.com> Encoding: 96 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk C2 certification doesn't necessarily guarantee the default setup fits your site security policy nor does it necessarily guarantee sub-systems (such as networking) meet C2 requirements. Often, the evaluated product and the delivered product are different. I'm quite certain FAT file systems were *not* part of any C2 *certified* system! A prudent systems administrator will consult the Evaluated Products List (EPL) and investigate the configuration evaluated then compare with what he/she has purchased and configured. The evaluation of an operating system is specific to a hardware platform and usually does not include networks. (If it did - for C2 - then there would need to be ACL and AUDIT support in the underlying network protocols which MAY limit interoperability with protocols that do not support these protocol extensions - aka internet access). 
An NCSC Evaluation only promises that SOME experts in the computer security field have reviewed a particular product's security mechanisms and are able to construct a site security policy that meets one of NSA's categorizations of computer security policy (e.g. C1, C2, B1, B2, B3, A1, A2). The NSA policy classifications include criteria for evaluating the integrity of the security mechanisms (assurances). None of this replaces a system security administrator's responsiblity to carefully consider and implement their site security policy. my 2 cents worth. Best Regards, Ned Smith Sequent Computer Systems nedbob@sequent.com ---------------------------------------------------------------------------- ------------------------------------------------ Replied to mail follows: ---------- From: firewalls-owner To: Dave Hightower Cc: Firewalls Subject: Re: NT security holes. Date: Thursday, January 12, 1995 12:00AM To be fair to Windows NT, I don't believe that the problem just mentioned isn't anything that couldn't be taken care of with the proper systems management. And a question: was the problem you mentioned on a FAT or an NTFS partition? FAT partitions are, of course, not secure: and I believe that NTFS partitions would not display the default behavior you describe. But I may be wrong: I haven't tested the FTP security myself. [snip] ----------------------------------------------- To: franky @ pinewood.nl (Frank ten Wolde) @ Internet cc: Firewalls @ GreatCircle.COM @ Internet (bcc: Kenneth Smith) From: hightowr @ afwc.af.mil (Dave Hightower) @ Internet @ WORLDCOM Date: 01/12/95 08:43:06 AM CST Subject: Re: FW: PC Take-Over -- reply On Thu, 12 Jan 1995, Frank ten Wolde wrote: > Things may have changed in the last half year or so, but six months ago > we brought up Windows NT for a very short evalutation. There were rumours > that it was supposed to be C2 certified (of course, I had no reason to > doubt this statement :-). 
When the system was running I was able to [snip] [snip] with "guest access" you have complete access to the hard drive; you can read any file, you just don't have write permissions. Dave ______________________________________________________________ Dave Hightower | opinion? I'm allowed to have an opinion? Systems Manager | well, if I DID have one, it'd be mine, all mine! Air Force Wargaming Center | "Dum vivimus, vivamus!" hightower@afwc.af.mil | ---------------------------------------------------------------------------- -- From firewalls-owner Thu Jan 12 12:24:09 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA28635 for firewalls-outgoing; Thu, 12 Jan 1995 12:04:52 -0800 Received: from telemann.inoc.dl.nec.com (telemann.inoc.dl.nec.com [143.101.112.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA28630 for ; Thu, 12 Jan 1995 12:04:47 -0800 Received: by telemann.inoc.dl.nec.com (8.6.9/YDL1.9.1-940729.15) id OAA12416(telemann.inoc.dl.nec.com); Thu, 12 Jan 1995 14:02:40 -0600 Received: by texas.syl.dl.nec.com (8.6.9/YDL1.9-930614.17) id OAA28959(texas.syl.dl.nec.com); Thu, 12 Jan 1995 14:02:39 -0600 Received: by michigan.syl.dl.nec.com (8.6.9/YDL1.9-920708.13) id OAA13070(michigan.syl.dl.nec.com); Thu, 12 Jan 1995 14:02:39 -0600 From: cornell@syl.dl.nec.com (Cornell Kinderknecht) Message-Id: <199501122002.OAA13070@michigan.syl.dl.nec.com> Subject: sorry about the cmsg To: firewalls@greatcircle.com Date: Thu, 12 Jan 1995 14:02:38 -0600 (CST) X-Mailer: ELM [version 2.4 PL23beta] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 376 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sorry about the Control message getting out on this list from me. Funny how fast the mail system runs when you're trying to undo a mistake. :-) --- Cornell | Cornell Kinderknecht Email: cornell@syl.dl.nec.com | | CSTC | | NEC Systems Lab. 
Phone: 214-518-3509 | | Irving, TX (Dallas) | From firewalls-owner Thu Jan 12 12:59:43 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA29009 for firewalls-outgoing; Thu, 12 Jan 1995 12:28:19 -0800 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA29002 for ; Thu, 12 Jan 1995 12:28:10 -0800 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA19517; Thu, 12 Jan 95 15:05:26 -0500 Date: Thu, 12 Jan 95 15:05:25 -0500 Message-Id: <9501122005.AA19517@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: Not a new problem (C2 certification) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Frank rites: >Things may have changed in the last half year or so, but six months ago >we brought up Windows NT for a very short evalutation. There were rumours >that it was supposed to be C2 certified (of course, I had no reason to >doubt this statement :-). ... >In other words, the *entire* disk was available for reading (can't remember >if you could write to it :-). Nothing unusual (in fact FTP's FTPSRV had a similar problem with 2.3). The fact is that C2 certification is generally contingent on the configuration of the system. For instance IBM MVS was certified C1 *but only* if RAC-F was also properly installed. Often this distinction is lost on the marketoids /reporters who would take this to mean that a particular operating system is certified. Second, is the C2 in standalone (Orange Book) or Network (Red Book) configuration ? The point is that just saying NT is C2 does not really say anything unless you know under what conditions it was granted (the fact that C2 has no "covert channel" requirements already started one flame war here so I will not rekindle it 8*). 
Further, the installation is contingent on proper configuration - years ago I ran into a site that had RAC-F on their machine and thought they were protected. They did not know it had to be turned on. I see the same thing with virus protection and even firewalls today. The fact is that the manufacturers often build wonderful things into their products - things that the default "express" installation does not turn on. Back to the Windoze 4 Workgroups problem: FTP's FTPSRV facility in the default configuration even allows you to change disks (if you logged into the D: drive, the command "CD C:" will put you on the C: drive. It *can* provide for very powerful restrictions on what a user can do but will do nothing unless you get the syntax exactly right (must use two lines). Is not a problem if you know about it but an easy mistake for a novice reading the manual to make (is in v2.3, haven't looked in ONNET). So the question needs to be, "Is this a problem with WFW/NT or is it a matter of not being configured properly ?" In either case, a lack of knowlege creates a vulnerability. 
Warmly, Padgett From firewalls-owner Thu Jan 12 13:34:33 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA29953 for firewalls-outgoing; Thu, 12 Jan 1995 13:07:47 -0800 Received: from wolfe.wimsey.com (root@wolfe.wimsey.com [198.162.16.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA29945 for ; Thu, 12 Jan 1995 13:07:39 -0800 Received: by wolfe.wimsey.com (Smail3.1.28.1 #31) id m0rSWhn-0007trC; Thu, 12 Jan 95 13:05 PST Received: by ilinx.com (/\oo/\ Smail3.1.29.1 #29.6) id ; Thu, 12 Jan 95 12:38 PST Message-Id: Received: by miro.ilinx.com id ; Thu, 12 Jan 95 12:39:11 -0800 From: brian@imcon.ilinx.com To: cornell@syl.dl.nec.com Subject: Re: cmsg newgroup necus.internet.mirror.firewalls Cc: firewalls@GreatCircle.com Date: Thu, 12 Jan 1995 12:39:10 -0700 (PST) X-Mailer: Ishmail 1.0-hp-941109 Available via anonymous ftp from ftp.halsoft.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk from the quill of cornell@syl.dl.nec.com > necus.internet.mirror.firewalls is a newsgroup for use within NEC only > and was approved 10 Jan 1995. Do not propagate this control message > outside of NEC. Looks like that worked well. :-) b. -- Brian J. Murrell brian@ilinx.com InterLinx Support Services, Inc. brian@wimsey.com North Vancouver, B.C. 
604 983 UNIX Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD From firewalls-owner Thu Jan 12 14:02:49 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA00909 for firewalls-outgoing; Thu, 12 Jan 1995 13:45:10 -0800 Received: from Polka.Med.Yale.Edu (polka.med.yale.edu [130.132.19.123]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA00904 for ; Thu, 12 Jan 1995 13:45:07 -0800 Received: from beaker.med.yale.edu by Polka.Med.Yale.Edu (PMDF #12135) id <01HLRNDTYD340008D8@Polka.Med.Yale.Edu>; Thu, 12 Jan 1995 17:51 EDT Received: from rrr.ynhhlab.yale.edu by beaker.med.yale.edu via SMTP; Thu, 12 Jan 95 16:39:48 -0500 Date: Thu, 12 Jan 95 16:39:48 -0500 From: rodion@beaker.med.yale.edu (R. Rodion Rathbone) Subject: Re: SUMMARY: 'smart cards' information To: Mike Godsey , firewalls@GreatCircle.COM Message-id: <9501122139.AA09042@beaker.med.yale.edu> X-Envelope-to: firewalls@GreatCircle.COM Content-type: text/plain; charset="us-ascii" X-Sender: rodion@beaker.med.yale.edu Mime-Version: 1.0 X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >* Another offering: >The most common one I know of (and the one we are looking into using on >our firewall) is the SecurID, by Security Dynamics Inc. > We have some experience with non-technical (Physician) users and SecurID. Wouldn't mind talking over details if you find your are going that route. We would now prefer to use dial-back for modems and maybe S-key over the net. The card was difficult enough for people to use that many would write the Modem phone number AND the PIN on the card. Also the card gets out of sync if you don't use it very often, and the battery goes after 3 years in any case. Our application may be atypical. Users are not employees, and are somewhat loosely tied to the institution. 
From firewalls-owner Thu Jan 12 14:24:31 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA01117 for firewalls-outgoing; Thu, 12 Jan 1995 13:55:50 -0800 Received: from nic.cerf.net (root@nic.cerf.net [192.102.249.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA01111 for ; Thu, 12 Jan 1995 13:55:48 -0800 Received: from isis (ISIS.ISISPH.COM [192.65.129.1]) by nic.cerf.net (8.6.9/8.6.9) with SMTP id NAA14483 for ; Thu, 12 Jan 1995 13:54:09 -0800 Received: from [192.65.129.90] (MacHeer) by isis (4.1/SMI-4.0) id AA21747; Thu, 12 Jan 95 13:45:29 PST Date: Thu, 12 Jan 95 13:45:28 PST X-Sender: chris@isis.isisph.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: cheer@isisph.com (Christopher D. Heer) Subject: Re: Not a new problem (C2 certification) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk With regards to the Windows for Workgroups issue, Padgett sez: >So the question needs to be, "Is this a problem with WFW/NT or is it a matter >of not being configured properly ?" In either case, a lack of knowlege creates >a vulnerability. The big problem here is that, unlike Unix-style packages, there's a good chance that W4WG is sitting out on end user hard disks all across the company. Hell, lots of new machines *ship* with it. I was amazed to find a new machine boot up into the blasted thing. Two mouse clicks, and your users are sharing everything on their hard drives. Fortunately the default protocol is NetBEUI, which generally makes it a purely internal matter (stopping an alien protocol at your router is pretty easy), but suppose you *do* use TCP/IP? Does anyone have any idea how W4WG or Windows NT do this? Do they use any sort of standards? If I want to block disk sharing (gads, and we thought NFS was bad) at the firewall, how would I? Manoman this is scary. . . -- Christopher D. Heer | "He's back, and it's about time!" 
cheer@isisph.com | -- Doctor Who: coming to FOX, May 1995! My opinions are mine! | "Ragweed pollen!" -- Dr. Leavitt, THE ANDROMEDA STRAIN From firewalls-owner Thu Jan 12 14:36:54 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA00713 for firewalls-outgoing; Thu, 12 Jan 1995 13:37:24 -0800 Received: from foxtrot.worldcom.com (foxtrot.worldcom.com [198.64.193.12]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA00707 for ; Thu, 12 Jan 1995 13:37:17 -0800 Received: from notes.worldcom.com (notes.worldcom.com [198.64.193.9]) by foxtrot.worldcom.com (8.6.9/8.6.9) with SMTP id PAA12822 for ; Thu, 12 Jan 1995 15:35:41 -0600 Received: by notes.worldcom.com (IBM OS/2 SENDMAIL VERSION 1.3.0.Z)/3.3) id AA7683; Thu, 12 Jan 95 15:35:39 -0800 Message-Id: <9501122335.AA7683@notes.worldcom.com> Received: from worldcom with "Lotus Notes Mail Gateway for SMTP" id FFE1C32663368BB68625614200769630; Thu, 12 Jan 95 15:35:38 To: firewalls From: Kenneth Smith Date: 12 Jan 95 13:35:11 EDT Subject: Re: FW: PC Take-Over -- reply Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm not certain, but I believe that WFW and NT do this through NetBIOS over TCP/IP (Microsoft's NBT protocol). If so, the port numbers for this service are: nbname 137/udp nbdatagram 138/udp nbsession 139/tcp To: cheer @ isisph.com (Christopher D. Heer) @ Internet cc: firewalls @ GreatCircle.COM @ Internet (bcc: Kenneth Smith) From: rschlientz @ smtpgate.gstone.com (Schlientz Rick) @ Internet @ WORLDCOM Date: 01/12/95 10:14:49 AM CST Subject: Re: FW: PC Take-Over -- reply Christopher D. Heer wrote: > This is scary, too, because WFW can use any protocol -- including > TCP/IP -- as its own. I don't know if you still can, but you used to > be able to mount Microsoft's ftp server as a WFW drive over > the Internet. . . :( I'm more than a litle concerned to hear this. 
Apparently the ftp site is on the "dirty" side of the firewall, so it is accessible to the internet. Is there some way to filter the packets so others can't do this to us? Does anyone know the port(s) to block to prevent this from happening? Where can I get more information on this?

Thanks in advance.

================================================================
| Rick Schlientz                    email: rschlientz@gstone.com
| Network / Systems Administrator
|
|   /\/\/\    GreyStone Technology, Inc.
|  / /\/\ \   15010 Avenue of Science, Suite 200
|  \ \/\/ /   San Diego, CA 92128
|   \/\/\/    Phone: (619)675-7800 Ext. 148   FAX: (619)675-7808
==============================================================

From firewalls-owner Thu Jan 12 14:39:59 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA01928 for firewalls-outgoing; Thu, 12 Jan 1995 14:37:35 -0800
Received: from wintermute.imsi.com (wintermute.imsi.com [192.103.3.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA01915 for ; Thu, 12 Jan 1995 14:37:31 -0800
Received: from relay.imsi.com by wintermute.imsi.com id RAA09173; Thu, 12 Jan 1995 17:35:32 -0500
Received: from lorax.imsi.com by relay.imsi.com id RAA29648; Thu, 12 Jan 1995 17:35:31 -0500
Received: from localhost by lorax.imsi.com (4.1/SMI-4.1) id AA24028; Thu, 12 Jan 95 17:35:31 EST
Message-Id: <9501122235.AA24028@lorax.imsi.com>
To: rodion@beaker.med.yale.edu (R. Rodion Rathbone)
Cc: Mike Godsey , firewalls@greatcircle.com
Subject: Re: SUMMARY: 'smart cards' information
In-Reply-To: Your message of "Thu, 12 Jan 1995 16:39:48 EST." <9501122139.AA09042@beaker.med.yale.edu>
Reply-To: rens@imsi.com
Date: Thu, 12 Jan 1995 17:35:30 -0500
From: Rens Troost
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>>>> "R" == R Rodion Rathbone writes:

R> Our application may be atypical. Users are not employees, and
R> are somewhat loosely tied to the institution.
At one bank I worked at, users wrote their passwords on yellow stickies attached to the monitors. At another, Management decreed that all the traders were to have the same password. It took a while to get that one changed.

-Rens

From firewalls-owner Thu Jan 12 15:10:22 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA02758 for firewalls-outgoing; Thu, 12 Jan 1995 15:08:33 -0800
Received: from anixter.com (mailhost.anixter.com [149.128.100.246]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA02752 for ; Thu, 12 Jan 1995 15:08:29 -0800
From: Rich.Friedeman@corp.anixter.com
Received: from corp.anixter.com by anixter.com (4.1/SMI-4.1) id AA04487; Thu, 12 Jan 95 17:04:44 CST
Received: from cc:Mail by corp.anixter.com id AA789958968; Thu, 12 Jan 95 17:02:19 csd
Date: Thu, 12 Jan 95 17:02:19 csd
Message-Id: <9500127899.AA789958968@corp.anixter.com>
To: firewalls@greatcircle.com
Subject: Re: Not a new problem (C2 certification)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

cheer@isisph.com writes

>Two mouse clicks, and your users are sharing everything on their hard
>drives. Fortunately the default protocol is NetBEUI, which generally
>makes it a purely internal matter (stopping an alien protocol at your
>router is pretty easy), but suppose you *do* use TCP/IP? Does anyone
>have any idea how W4WG or Windows NT do this? Do they use any sort
>of standards? If I want to block disk sharing (gads, and we thought
>NFS was bad) at the firewall, how would I?

Correct me if I'm wrong, but I was under the impression that wfw could only do its peer-to-peer stuff (ie sharing local hard drives, etc) using NetBEUI. This would mean that a tcp/ip enabled machine could have its hard drive compromised, but not that of the other pc's to which it had drive mappings, since the ip connection couldn't access the NetBEUI connected drives. Is this right, or am I totally off base?
The idea that all of the drive connections would be transparent to an ip connection is really awful. Thank God it doesn't come with tcp/ip installed by default.

Rich
rich.friedeman@anixter.com

From firewalls-owner Thu Jan 12 15:34:06 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA02502 for firewalls-outgoing; Thu, 12 Jan 1995 14:55:36 -0800
Received: from bwh.harvard.edu (bwh.harvard.edu [134.174.81.34]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA02497 for ; Thu, 12 Jan 1995 14:55:33 -0800
Received: from asimov.bwh.harvard.edu (asimov.bwh.harvard.edu [134.174.81.55]) by bwh.harvard.edu (8.6.9/8.6.9) with ESMTP id RAA21369; Thu, 12 Jan 1995 17:53:12 -0500
From: Adam Shostack
X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School
Received: by asimov.bwh.harvard.edu (8.6.9) id RAA24937; Thu, 12 Jan 1995 17:38:57 -0500
Message-Id: <199501122238.RAA24937@asimov.bwh.harvard.edu>
Subject: Re: SUMMARY: 'smart cards' information
To: rodion@beaker.med.yale.edu (R. Rodion Rathbone)
Date: Thu, 12 Jan 1995 17:38:51 -0500 (EST)
Cc: mgodsey@medio.com, firewalls@GreatCircle.COM
In-Reply-To: <9501122139.AA09042@beaker.med.yale.edu> from "R. Rodion Rathbone" at Jan 12, 95 04:39:48 pm
X-PGP: 876BD629 Fingerprint: 70 93 32 D6 36 D4 04 10 40 EC AB 28 A4 1D 0F E2
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 837
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

| We have some experience with non-technical (Physician) users and SecurID.
| Wouldn't mind talking over details if you find your are going that route.
|
| We would now prefer to use dial-back for modems and maybe S-key over the net.
| The card was difficult enough for people to use that many would write the
| Modem phone number AND the PIN on the card.

Did you do any user education before introducing the cards?
I've found that a quick demo of sniff, in conjunction with speaking in terms of protecting patients, gets doctors interested enough that they accept S/key paper lists. I also make an effort to present this as gee-whiz nifty spy kinda stuff. We encourage them to carry the lists with them, and seem to have good success.

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Thu Jan 12 15:47:15 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA02184 for firewalls-outgoing; Thu, 12 Jan 1995 14:45:42 -0800
Received: from sun-lamp.cs.berkeley.edu (sun-lamp.CS.Berkeley.EDU [128.32.138.88]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA02179 for ; Thu, 12 Jan 1995 14:45:39 -0800
Received: from localhost (localhost [127.0.0.1]) by sun-lamp.cs.berkeley.edu (8.6.9/8.6.9) with SMTP id OAA05986; Thu, 12 Jan 1995 14:41:07 -0800
Message-Id: <199501122241.OAA05986@sun-lamp.cs.berkeley.edu>
X-Authentication-Warning: sun-lamp.cs.berkeley.edu: Host localhost didn't use HELO protocol
To: cheer@isisph.com (Christopher D. Heer)
cc: firewalls@greatcircle.com
Subject: Re: Not a new problem (C2 certification)
In-reply-to: Your message of "Thu, 12 Jan 1995 13:45:28 PST."
Date: Thu, 12 Jan 1995 14:41:06 -0800
From: Adam Glass
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Fortunately the default protocol is NetBEUI, which generally makes
> it a purely internal matter (stopping an alien protocol at your router is
> pretty easy), but suppose you *do* use TCP/IP? Does anyone have any idea
> how W4WG or Windows NT do this? Do they use any sort of standards? If I
> want to block disk sharing (gads, and we thought NFS was bad) at the
> firewall, how would I?
>
> Manoman this is scary. . .
>
> --
> Christopher D. Heer | "He's back, and it's about time!"
> cheer@isisph.com | -- Doctor Who: coming to FOX, May 1995!

Let's see if I can get this right:

NetBIOS was an api defined by IBM.
NetBEUI is a mapping of that API to token ring and ethernet. (I'm a little fuzzy here as to the details.)

RFC 1001 and RFC 1002 (references below) define a mapping of the NetBIOS api to TCP/UDP. I know for a fact that it does define some port #s which you could probably filter.

SMB (various versions) is the file sharing protocol that runs on top of the NetBIOS api. I can't think of an all-encompassing ftp site for the docs except the home of 'Samba: a unix smb-server'... see comp.protocols.smb for an ftp location.

later,
Adam Glass

rfc references:

1002 S  Defense Advanced Research Projects Agenc, End-to-End Services Task
        Force, Internet Activities Board, NetBIOS Working Group, "Protocol
        standard for a NetBIOS service on a TCP/UDP transport: Detailed
        specifications", 03/01/1987. (Pages=85) (Format=.txt) (STD 19)

1001 S  Defense Advanced Research Projects Agenc, End-to-End Services Task
        Force, Internet Activities Board, NetBIOS Working Group, "Protocol
        standard for a NetBIOS service on a TCP/UDP transport: Concepts and
        methods", 03/01/1987. (Pages=68) (Format=.txt) (STD 19)

From firewalls-owner Thu Jan 12 16:10:24 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA03856 for firewalls-outgoing; Thu, 12 Jan 1995 15:58:23 -0800
Received: from svcs1.digex.net (svcs1.digex.net [204.91.197.224]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA03844 for ; Thu, 12 Jan 1995 15:58:19 -0800
Received: from paragon-systems.com (sundevil.paragon-systems.com) by svcs1.digex.net with SMTP id AA19355 (5.67b8/IDA-1.5 for ); Thu, 12 Jan 1995 18:56:36 -0500
Received: from Paragon-Systems.COM (sandfiddler) by paragon-systems.com (4.1/SMI-4.1) id AA03192; Thu, 12 Jan 95 18:57:39 EST
Received: by Paragon-Systems.COM (5.0/SMI-SVR4) id AA00481; Thu, 12 Jan 1995 18:56:41 +0500
Date: Thu, 12 Jan 1995 18:56:41 +0500
From: rmck@sandfiddler.paragon-systems.com (Bob McKisson)
Message-Id: <9501122356.AA00481@ Paragon-Systems.COM>
To: ubellrj@meaddata.com
Subject: LEXIS-NEXIS
Cc: firewalls-digest@greatcircle.com
X-Sun-Charset: US-ASCII
Content-Length: 376
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Folks be advised of the following change:

Old Data:

Eagle firewall product:
Raptor Systems, Inc.
3422 Old Capitol Trail
Suite 3331
Wilmington, Delaware 19808
Voice: 302-996-3331
Fax: 302-996-5818

New Data:

Eagle firewall product:
Raptor Systems, Inc.
69 Hickory Dr.
Waltham, MA 02154
Voice: (800) 9-EAGLE-6
Voice: (617) 487-7700
FAX: (617) 487-6755

rmck

From firewalls-owner Thu Jan 12 16:22:47 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA03697 for firewalls-outgoing; Thu, 12 Jan 1995 15:51:27 -0800
Received: from insite.parasoft.co.uk (insite.parasoft.co.uk [193.132.123.15]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA03690 for ; Thu, 12 Jan 1995 15:51:22 -0800
Received: from pb (pb.insite.co.uk [192.168.0.20]) by insite.parasoft.co.uk (8.6.9/8.6.9) with SMTP id XAA05681 for ; Thu, 12 Jan 1995 23:44:27 GMT
Date: Thu, 12 Jan 1995 23:44:27 GMT
Message-Id: <199501122344.XAA05681@insite.parasoft.co.uk>
X-Sender: peter@gate.insite.co.uk
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: peter@insite.parasoft.co.uk (Peter Bowyer)
Subject: Summary : Multi-homed firewall, DNS & Sendmail
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've said it before, and I'll say it again: people around here are just great. Many thanks for all the replies to my query (it's quoted at the end of this message for those who missed it). I had several requests for summaries, so here goes - apologies if I've mis-interpreted and therefore mis-quoted anyone, but I think I've got it just about right :-

Problem 1: 2-legged firewall; how to manage DNS

3 very similar suggestions from :

David Perlin
Brian J Murrell
Mike Murphy

These gentlemen suggested that I run a cut-down DNS on the firewall for public queries; that I establish another DNS on a machine on the private side for internal queries; the firewall resolver (as well as all the internal hosts) points to the private DNS; the private DNS forwards queries it can't answer back to the firewall. This seems a perfect solution; thanks all.

Problem 2 : How to make sendmail masquerade as 2 completely different hosts on 2 different ports.
From Tim Roper

Instead of running sendmail in daemon (-bd) mode, run it behind inetd tcp-wrappers with the 'twist' option in one-shot mode (-bs). This will allow me to run a different command depending on the origin of the connection.

I like this solution - I actually use fwtk, so it will be netacl rather than tcp-wrappers, but to the same effect - but I'm worried about the effect this might have on performance - sendmail would load afresh for every incoming connection - would this be a problem? If anyone has an opinion on this, I'd like to hear it.

Thanks again to all who replied.

Peter

Original message follows :-

>I have a multi-homed host (Linux 1.1.74) acting as firewall between our
>Internet connection (Ethernet), the private LAN (also Ethernet) and a slip
>connection to a non-trusted domain. The Internet connection is behind a
>filtering router (Cisco).
>
>The firewall has a different IP address on each of the 3 interfaces .
>
>It also has 2 hostnames - well, actually 3 at the moment, migrating to 2
>when we get our own domain registered - currently we're piggybacking on a
>neighbour. These look like this :-
>
>193.x.x.x - internet - aaaa.bbbb.co.uk (to be gate.aaaa.co.uk)
>192.168.x.x - private LAN - gate.aaaa.co.uk
>44.x.x.x - SLIP - xxx.ampr.org
>
>I have various pieces of fwtk running, as well as CERN 3.0 httpd for proxy
>www access from the private LAN. I'm comfortable that I can configure these
>to suit my needs.
>
>The firewall host is to be primary nameserver for the new aaaa.co.uk domain.
>The domain will include one only registered IP address (from the neighbour's
>Class C), and many 192.168's.
>
>
>My problems are these :-
>
>Problem 1. When the new domain aaaa.co.uk gets registered (any day now), my
>firewall will have one hostname for the two ethernet IPs - 193.x.x.x and
>192.168.x.x. When queried from outside, the named will provide both
>addresses; only one is reachable; the other is highly dangerous. The
>internal hosts will never get queried (hopefully) so no problem.
>
>How can I avoid this situation?
>
>I see 2 solutions : 1. Call the private LAN something else and run separate
>zones in BIND (administratively a nightmare); 2. Register a class C for the
>lot, get the filtering and routing changed with the service provider, change
>the IPs on all the private hosts, all for only one internet-accessible host.
>What a waste of number-space.
>
>I don't like either of these - is there a trick I can do with BIND to sort
>this out?
>
>Problem 2. This relates to sendmail (8.6.9). All 3 interfaces on my firewall
>host need to accept sendmail connections. I need to have sendmail masquerade
>with the 2 hostnames, depending on which port the connection comes in from.
>I'm not too concerned about the private LAN with this one, but the internet
>and the ampr.org interfaces must be different.
>
>Is there a firewall/sendmail guru out there who can advise me on this? I
>really need the two sides to behave as though they are 2 completely separate
>hosts - in the banner, the 'Received' headers, bouncing mail headers etc
>etc. I know a bit about sendmail.cf and can have it do rewrites and normal
>masquerades, but how can I have it answer and behave differently on the 2
>ports?
>
>Thanks for any help - direct email probably best, I'll summarise if appropriate.
>
>Peter

--
Peter Bowyer - InSite Computer Technology Ltd
Tel: +44 635 861700   Fax: +44 635 861600
peter@insite.parasoft.co.uk

From firewalls-owner Thu Jan 12 16:39:54 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA04275 for firewalls-outgoing; Thu, 12 Jan 1995 16:14:04 -0800
Received: from research.att.com (research.att.com [192.20.225.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA04270 for ; Thu, 12 Jan 1995 16:14:01 -0800
From: smb@research.att.com
Message-Id: <199501130014.QAA04270@miles.greatcircle.com>
Received: by gryphon; Thu Jan 12 19:08:13 EST 1995
To: Adam Glass
cc: firewalls@greatcircle.com
Subject: Re: Not a new problem (C2 certification)
Date: Thu, 12 Jan 95 19:08:11 EST
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

    SMB (various versions) is the file sharing protocol that runs on top of
    the NetBIOS api. I can't think of an all-encompassing ftp site for the
    docs except the home of 'Samba: a unix smb-server'... see
    comp.protocols.smb for an ftp location.

Hey -- there's only one version of me, I don't have my own newsgroup ('cause I'm not Kibo), and I *don't* do MS-DOS!

Gotta trademark my login....

		--Steve Bellovin
		smb@research.att.com

From firewalls-owner Thu Jan 12 17:59:03 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA05736 for firewalls-outgoing; Thu, 12 Jan 1995 17:31:30 -0800
Received: from hp4at.eunet.co.at (hp4at.eunet.co.at [192.92.138.34]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA05731 for ; Thu, 12 Jan 1995 17:31:26 -0800
Received: by hp4at.eunet.co.at id AA11359 (5.65c8/hp4at for Firewalls@GreatCircle.COM); Fri, 13 Jan 1995 02:29:50 +0100
From: Georg Chytil
Message-Id: <199501130129.AA11359@hp4at.eunet.co.at>
Subject: (trivia?) Q on SNK and TIS toolkit
To: Firewalls@greatcircle.com
Date: Fri, 13 Jan 95 2:29:49 MEZ
Reply-To: chytil@Austria.EU.net
X-Organization: EUnet Austria
X-Phone: (+43) (0)222 3174969
X-Home-Phone: (+43) (0)222 3718445
X-Fax: (+43) (0)222 3106926
X-Tie: finally yes
Read-Receipt-To:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I was fooling around with TIS toolkit ( tn-gw with Snk enabled ) and a SecureNet Key device ( (tm) they say ) the other day and seem to lack some very very basics --- which I'd like to explain ex post :

I've programmed this device with seed ( they call it 'key number' ) and PIN, and it works quite fine -- giving me different challenges, and with the proper PIN in my device I can answer them easily ( most of the time, manual and display are not the very most readable I've met :-) ) ...

Now imagine I lose this device on the street, and Willy Hacker ( may be the competition on reconnaissance mission in our dustbins as well ) finds it -- it's straightforward to program it with a new PIN, and this has no effect to the challenge/response exchange as far as I've observed -- without _ANY_ knowledge of the intrinsics I admit, yet I've tried it with different PINs ...

I _MUST_ be wrong --- please enlighten so I can go to sleep ( it's GMT+1 here :-) ) ....

Georg

<--------------------------------------------------------------------------->
Chytil Georg GC82                        chytil@Austria.EU.net
EUnet EDV-Dienstleistungs-Gesellschaft   backup : chytil@EU.net
Phone : +43/Vienna/3174969   Fax : +43/Vienna/3106926   Home? : 0222/3718445

From firewalls-owner Thu Jan 12 18:10:36 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA06060 for firewalls-outgoing; Thu, 12 Jan 1995 17:54:08 -0800
Received: from post.demon.co.uk (post.demon.co.uk [158.152.1.72]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA06050 for ; Thu, 12 Jan 1995 17:54:00 -0800
Received: from demon.demon.co.uk by post.demon.co.uk id ac14749; 13 Jan 95 1:52 GMT
Received: from ford by demon.demon.co.uk id aa20654; 13 Jan 95 1:51 GMT
From: Steve Kennedy
Message-Id: <28611.9501130126@ford.gbnet.org>
Subject: Re: FW: PC Take-Over -- reply
To: Kenneth Smith
Date: Fri, 13 Jan 1995 01:26:29 +0000 (GMT)
Cc: firewalls@greatcircle.com
In-Reply-To: <9501122335.AA7683@notes.worldcom.com> from "Kenneth Smith" at Jan 12, 95 01:35:11 pm
X-Mailer: ELM [version 2.4 PL24alpha3]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1023
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

According to Kenneth Smith
> I'm not certain, but I believe that WFW and NT do this through NetBIOS over
> TCP/IP (Microsoft's NBT protocol). If so, the port numbers for this service
> are:
> nbname      137/udp
> nbdatagram  138/udp
> nbsession   139/tcp

It's also called NetBIOS over tcp/ip as documented in RFC1001/1002.

It's actually part of Server Message Block (SMB) protocol. It's not MS proprietary but an X/Open spec.
Regards

Steve

--
 ___  |_  ___  ___         Flat 2, 43 Howitt Road
(___  |  (___) \ / (___)   Belsize Park
 ___) |  (___  \/  (___    London NW3 4LU
[MIME OK]  tel +44-(0)171 483 1169   steve@gbnet.{com,org,net} home (or steve@tel.net)
GSM 0802 444500                      steve@marvin.demon.co.uk
Demon Internet Dial-up data 2400 449500   WWW http://www.demon.co.uk/subscribers/m/marvin/
9600 449501   UNIX/Networking Consulting  steve@NetTek.co.uk
fax 449502

From firewalls-owner Thu Jan 12 18:40:39 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA06061 for firewalls-outgoing; Thu, 12 Jan 1995 17:54:09 -0800
Received: from post.demon.co.uk (post.demon.co.uk [158.152.1.72]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA06051 for ; Thu, 12 Jan 1995 17:54:01 -0800
Received: from demon.demon.co.uk by post.demon.co.uk id ad14749; 13 Jan 95 1:52 GMT
Received: from ford by demon.demon.co.uk id aa20657; 13 Jan 95 1:51 GMT
From: Steve Kennedy
Message-Id: <28620.9501130130@ford.gbnet.org>
Subject: Re: Not a new problem (C2 certification)
To: Rich.Friedeman@corp.anixter.com
Date: Fri, 13 Jan 1995 01:30:12 +0000 (GMT)
Cc: firewalls@greatcircle.com
In-Reply-To: <9500127899.AA789958968@corp.anixter.com> from "Rich.Friedeman@corp.anixter.com" at Jan 12, 95 05:02:19 pm
X-Mailer: ELM [version 2.4 PL24alpha3]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1757
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

According to Rich.Friedeman@corp.anixter.com
> >have any idea how W4WG or Windows NT do this? Do they use any sort
> >of standards? If I want to block disk sharing (gads, and we thought
> >NFS was bad) at the firewall, how would I?

[stuff deleted]

> correct me if I'm wrong, but I was under the impression that wfw could
> only do its peer-to-peer stuff (ie sharing local hard drives, etc)
> using NetBEUI. This would mean that a tcp/ip enabled machine could
> have its hard drive compromised, but not that of the other pc's to
> which it had drive mappings, since the ip connection couldn't access
> the NetBEUI connected drives. Is this right, or am I totally off
> base? The idea that all of the drive connections would be transparent
> to an ip connection is really awful. Thank God it doesn't come with
> tcp/ip installed by default.

NetBEUI is NetBIOS Extended User Interface ...

W4WG, NT etc all implement SMB servers (to a degree), which use NetBIOS. NetBIOS can be run over lots of transports including tcp/ip (RFC1001/1002), IPX (???), NetBEUI (some MS and IBM documentation), DECnet ... etc.

Regards

Steve

--
 ___  |_  ___  ___         Flat 2, 43 Howitt Road
(___  |  (___) \ / (___)   Belsize Park
 ___) |  (___  \/  (___    London NW3 4LU
[MIME OK]  tel +44-(0)171 483 1169   steve@gbnet.{com,org,net} home (or steve@tel.net)
GSM 0802 444500                      steve@marvin.demon.co.uk
Demon Internet Dial-up data 2400 449500   WWW http://www.demon.co.uk/subscribers/m/marvin/
9600 449501   UNIX/Networking Consulting  steve@NetTek.co.uk
fax 449502

From firewalls-owner Thu Jan 12 19:09:49 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA07180 for firewalls-outgoing; Thu, 12 Jan 1995 19:08:51 -0800
Received: from celene.llnl.gov (celene.llnl.gov [128.115.138.29]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id TAA07175 for ; Thu, 12 Jan 1995 19:08:46 -0800
Received: (from shawni@localhost) by celene.llnl.gov (8.6.9/8.6.9) id TAA16874; Thu, 12 Jan 1995 19:04:50 -0800
Date: Thu, 12 Jan 1995 19:04:49 -0800 (PST)
From: Shawn Instenes
To: Rich.Friedeman@corp.anixter.com
cc: firewalls@greatcircle.com
Subject: Re: Not a new problem (C2 certification)
In-Reply-To: <9500127899.AA789958968@corp.anixter.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 12 Jan 1995 Rich.Friedeman@corp.anixter.com wrote:

> correct me if I'm wrong, but I was under the impression that wfw could
> only do its peer-to-peer stuff (ie sharing local hard drives, etc)
> using NetBEUI. This would mean that a tcp/ip enabled machine could
> have its hard drive compromised, but not that of the other pc's to
> which it had drive mappings, since the ip connection couldn't access
> the NetBEUI connected drives. Is this right, or am I totally off
> base? The idea that all of the drive connections would be transparent
> to an ip connection is really awful. Thank God it doesn't come with
> tcp/ip installed by default.

W4WG == Windows For Workgroups.
SMB == the Lan Manager-compatible file/printer sharing protocol.

W4WG can do SMB-based file sharing over TCP/IP, too.

Samba is a free Unix-based SMB server & client package that can talk to W4WG machines that have Microsoft's TCP/IP installed. PCs can get at Unix resources if the Unix machine runs the Samba servers (smb & nmb). If you run the included 'smbclient' program, the Unix machine can access the W4WG resources over TCP/IP (ports 139/tcp and 137/udp with Samba).

Only _some_ SMB clients + TCP/IP stack combinations allow this to work. The client (in this case, W4WG - but it could be another Lanmanager-compatible beastie, like OS/2 or Windows NT) has to support TCP/IP as a transport layer. The TCP/IP stack has to be known to the SMB layer. I've noticed Microsoft's TCP/IP for W4WG works for this, but other commonly-used stacks do not seem to. Your Mileage May Vary.

If you'd like to test your local configuration: Get Samba, and compile the smbclient program. Run:

    smbclient \\\\PCNAME\\C PASSWORD -I the.client.ip.number

Where PCNAME is the PC's Network Name; C is the name of the directory or resource you want to access; PASSWORD is the password to the resource, if any; and the.client.ip.number is the PC's IP address.

The number of backslashes in the command is dependent upon your shell.
Two before the Network Name and one after it should be presented to the smbclient program.

The main anonymous ftp distribution site for Samba is nimbus.anu.edu.au:/pub/tridge/samba.

From firewalls-owner Thu Jan 12 20:39:50 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA09587 for firewalls-outgoing; Thu, 12 Jan 1995 20:31:58 -0800
Received: from sdwsys (root@sdwsys.lig.net [199.18.175.129]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id UAA09574 for ; Thu, 12 Jan 1995 20:31:51 -0800
Received: by sdwsys (Linux Smail3.1.28.1 #20) id m0rSZ1T-0009v8C; Thu, 12 Jan 95 23:33 GMT
Message-Id:
From: sdw@lig.net (Stephen D. Williams)
Subject: Re: (trivia?) Q on SNK and TIS toolkit
To: chytil@Austria.EU.net
Date: Thu, 12 Jan 1995 23:33:38 +0000 (GMT)
Cc: Firewalls@greatcircle.com
In-Reply-To: <199501130129.AA11359@hp4at.eunet.co.at> from "Georg Chytil" at Jan 13, 95 02:29:49 am
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2138
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The pin in most of those devices (I have Digital Pathways where I learned this, and another I haven't checked out yet) is only there to keep you from 'unlocking' use of the hha with the programmed secret key. You can reset it and program another secret key and pin at any time, but you must know the secret key.

If it allows you to reprogram the pin without erasing the secret key, the pin is useless.
>
> I was fooling around with TIS toolkit ( tn-gw with Snk enabled )
> and a SecureNet Key device ( (tm) they say ) the other day and seem to
> lack some very very basics --- which I'd like to explain ex post :
>
> I've programmed this device with seed ( they call it 'key number' ) and
> PIN, and it works quite fine -- giving me different challenges, and with
> the proper PIN in my device I can answer them easily ( most of the time,
> manual and display are not the very most readable I've met :-) ) ...
>
> Now imagine I lose this device on the street, and Willy Hacker ( may be
> the competition on reconnaissance mission in our dustbins as well ) finds it --
> it's straightforward to program it with a new PIN, and this has no
> effect to the challenge/response exchange as far as I've observed --
> without _ANY_ knowledge of the intrinsics I admit, yet I've tried it
> with different PINs ...
>
> I _MUST_ be wrong --- please enlighten so I can go to sleep ( it's
> GMT+1 here :-) ) ....
>
>
> Georg
>
> <--------------------------------------------------------------------------->
> Chytil Georg GC82                        chytil@Austria.EU.net
> EUnet EDV-Dienstleistungs-Gesellschaft   backup : chytil@EU.net
> Phone : +43/Vienna/3174969   Fax : +43/Vienna/3106926   Home? : 0222/3718445
>

--
Stephen D. Williams  25Feb1965 VW,OH   sdw@lig.net  http://www.lig.net/sdw
Senior Consultant  510.503.9227 CA Page  513.496.5223 OH Page  BA Aug94-Dec95
OO R&D AI:NN/ES crypto   By Buggy: 2464 Rosina Dr., Miamisburg, OH 45342-6430
Firewalls/WWW servers    ICBM: 39 38 34N 84 17 12W home, 37 58 41N 122 01 48W work
Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.29Nov94

From firewalls-owner Thu Jan 12 21:09:56 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA10886 for firewalls-outgoing; Thu, 12 Jan 1995 20:55:25 -0800
Received: from cindy.yamato.ibm.co.jp (cindy.yamato.ibm.co.jp [202.32.4.12]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id UAA10874 for ; Thu, 12 Jan 1995 20:55:18 -0800
Received: from kyoto.yamato.ibm.com ([9.68.3.1]) by cindy.yamato.ibm.co.jp (8.6.9/GW1.51A) with ESMTP id NAA14357; Fri, 13 Jan 1995 13:50:24 +0900
Received: from yamato.ibm.com (hal.yamato.ibm.com [9.68.1.14]) by kyoto.yamato.ibm.com (8.6.9/MS1.05) with ESMTP id NAA57336; Fri, 13 Jan 1995 13:53:05 +0900
To: chytil@austria.eu.net
Cc: firewalls@greatcircle.com
Subject: Re: (trivia?) Q on SNK and TIS toolkit
In-Reply-To: Your message of "Fri, 13 Jan 95 2:29:49 MEZ"
References: <199501130129.AA11359@hp4at.eunet.co.at>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 13 Jan 1995 13:53:04 +0900
Message-ID: <23465.789972784@yamato.ibm.com>
From: Katsumi SHIMIZU (=?ISO-2022-JP?B?GyRCQDY/ZTluOEobKEI=?= )
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From: Georg Chytil
Subject: (trivia?) Q on SNK and TIS toolkit
Date: Fri, 13 Jan 95 2:29:49 MEZ

> I've programmed this device with seed ( they call it 'key number' ) and
> PIN, and it works quite fine -- giving me different challenges, and with
> the proper PIN in my device I can answer them easily ( most of the time,
> manual and display are not the very most readable I've met :-) ) ...
The most important points of SNK are:

- the PIN is only known by the user (he could change the PIN with his old PIN)
- the "secret" key number is only known by the administrator who programmed the SNK, and no one could get it
- the server holds the same "secret", and it is only readable by root
- the SNK never works w/o the proper PIN

> Now imagine I lose this device on the street, and Willy Hacker ( may be
> the competition on reconnaissance mission in our dustbins as well ) finds it --
> it's straightforward to program it with a new PIN, and this has no
> effect to the challenge/response exchange as far as I've observed --
> without _ANY_ knowledge of the intrinsics I admit, yet I've tried it
> with different PINs ...

He (Willy Cracker) never knows the PIN nor the "secret". Yes, he could re-program the SNK (if he has a knowledge of SNK programming), but w/o the proper "secret", the response is different from what the server expects.

--
Katsumi SHIMIZU
Information Technology Solutions Co.,Ltd.
IBM-J Subsidiary

From firewalls-owner Thu Jan 12 23:40:01 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA12275 for firewalls-outgoing; Thu, 12 Jan 1995 23:32:12 -0800
Received: from relay1gw.alcatel.fr (relay1gw.alcatel.fr [193.104.30.53]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id XAA12270 for ; Thu, 12 Jan 1995 23:32:07 -0800
Message-Id: <199501130732.XAA12270@miles.greatcircle.com>
Received: by relay1gw.alcatel.fr (1.37.109.8/16.2) id AA01846; Fri, 13 Jan 1995 08:29:22 +0200
From: Sylvain Kouda
Subject: Re: What is WFW ? -- A Correction
To: szh@zcon.com (Syed Zaeem Hosain) (Syed Zaeem Hosain)
Date: Fri, 13 Jan 95 8:29:22 GMT
Cc: Mark_Podracky@smtpgtwy.idshq.com, firewalls@greatcircle.com
In-Reply-To: <9501121539.AA17528@zcon.com>; from "Syed Zaeem Hosain" at Jan 12, 95 7:39 am
Mailer: Elm [revision: 70.85]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> > WFW does not stand for Word for Windows but Windows For Workgroups. WFW is
> > an extended MS Windows 3.1 that has an improved file manager and some
> > built-in network capabilities such as TCP/IP.
>
> One minor correction. WFW, out of the box, does *not* have built-in
> TCP/IP support - it uses Microsoft NetBEUI protocols for its network.
> However, you *can* freely get a TCP/IP protocol stack for WFW via anon
> ftp from ftp.microsoft.com in the networking software directories.
>
> Z
>
> -------------------------------------------------------------------------
> | Syed Zaeem Hosain        P. O. Box 610097          (408) 441-7021 |
> | Z Consulting Group       San Jose, CA 95161        szh@zcon.com   |
> -------------------------------------------------------------------------
>

From firewalls-owner Thu Jan 12 23:55:36 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA12482 for firewalls-outgoing; Thu, 12 Jan 1995 23:37:46 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [143.191.19.67]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA00433 for ; Fri, 6 Jan 1995 10:26:13 -0800
Received: from relay.tis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-941015) id IAA04787; Fri, 6 Jan 1995 08:27:05 -0800
Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma020095; Fri Jan 6 11:29:08 1995
Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA10204; Fri, 6 Jan 95 11:26:09 EST
Message-Id: <9501061626.AA10204@tis.com>
To: firewalls@greatcircle.com
Subject: 2nd Announcement: ISOC '95 Symp. Net. & Distr. Sys. Security
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Id: <10199.789409567.1@tis.com>
Date: Fri, 06 Jan 1995 11:26:07 -0500
From: "David M. Balenson"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[Note: a marked up version of this announcement is available via WWW at
http://www.tis.com/Home/SNDSS/Program.html]

==============================================================================

                          THE INTERNET SOCIETY
          SYMPOSIUM ON NETWORK AND DISTRIBUTED SYSTEM SECURITY

                          16-17 FEBRUARY 1995
             CATAMARAN RESORT HOTEL - SAN DIEGO, CALIFORNIA

The symposium will bring together people who are building software and/or hardware to provide network and distributed system security services. The symposium is intended for those interested in the more practical aspects of network and distributed system security, focusing on actual system design and implementation, rather than in theory. We hope to foster the exchange of technical information that will encourage and enable the Internet community to apply, deploy and advance the state of the available security technology.

==============================================================================

                   P R E L I M I N A R Y   P R O G R A M

WEDNESDAY, FEBRUARY 15

6:00 P.M. - 8:00 P.M.   REGISTRATION AND RECEPTION

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

THURSDAY, FEBRUARY 16

7:30 A.M.    CONTINENTAL BREAKFAST

8:30 A.M.    OPENING REMARKS

9:00 A.M.    SESSION 1: DIVERSE APPROACHES TO SECURITY AT THE NETWORK LAYER
             Chair: Stephen T. Kent (Bolt, Beranek and Newman, USA)

   Multicast-Specific Security Threats and Counter-Measures, Tony Ballardie
   and Jon Crowcroft (University College London, United Kingdom).

   Design of a Key Agile Cryptographic System for OC-12c Rate ATM, Daniel
   Stevenson, Nathan Hillery, Greg Byrd, and Dan Winkelstein
   (Microelectronics Center of North Carolina - MCNC, USA).

   IpAccess: An Internet Service Access System for Firewall Installations,
   Steffen Stempel (University of Karlsruhe, Germany).

10:30 A.M.   BREAK

11:00 A.M.   SESSION 2: PANEL: SECURITY ARCHITECTURE FOR THE INTERNET
             INFRASTRUCTURE
             Chair: Robert W.
Shirey (The MITRE Corporation, USA) Security for the Internet Protocol (IP) and IP Next Generation, Paul A. Lambert (Motorola, USA). Security for the Internet Domain Name System, James M. Galvin (Trusted Information Systems, USA). Security of Routing Protocols in the Internet, Gary Scott Malkin (Xylogics, USA). Security Approaches to Routing in the Internet, Sandra L. Murphy (Trusted Information Systems, USA). 12:30 P.M. LUNCH 2:00 P.M. SESSION 3: OFF-LINE OBJECT DISTRIBUTION SECURITY Chair: Jeffrey I. Schiller (Massachusetts Institute of Technology, USA) Trusted Distribution of Software Over the Internet, Aviel D. Rubin (Bellcore, USA). Location-Independent Information Object Security, John Lowry (Bolt Beranek and Newman, USA). 3:00 P.M. BREAK 3:30 P.M. SESSION 4: INTERNET PAYMENTS Chair: Ravi Ganesan (Bell Atlantic, USA) Electronic Cash on the Internet, Stefan Brands (Centrum voor Wiskunde en informatica - CWI, The Netherlands). PANEL: Internet Payment Mechanisms - Requirements and Architecture Chair: Ravi Ganesan (Bell Atlantic, USA) Panelists: B. Clifford Neuman (Information Sciences Institute, USA), David Crocker (Brandenburg Consulting, USA), and others TBD 7:00 P.M. DINNER BANQUET - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - FRIDAY, FEBRUARY 17 7:30 A.M. CONTINENTAL BREAKFAST 8:30 A.M. SESSION 5: SECURITY MONITORING TOOLS - PRACTICE AND EXPERIENCE Chair: Michael St. Johns (Advanced Research Projects Agency, USA) NERD: Network Event Recording Device: An Automated System for Network Anomaly Detection and Notification, David G. Simmons and Ronald Wilkins (Los Alamos National Laboratory, USA). An Overview of SNIF: A Tool for Surveying Network Information Flow, Jim Alves-Foss (University of Idaho, USA). Distributed Audit Trail Analysis, Abdelaziz Mounji, Baudouin Le Charlier, Denis Zampunieris and Naji Habra (Facultes Universitaires de Namur - FUNDP, Belgium). 10:00 A.M. BREAK 10:30 A.M. 
SESSION 6: AUTHENTICATION AND AUTHORIZATION Chair: B. Clifford Neuman (Information Sciences Institute, USA) SESAME V2 Public Key and Authorisation Extensions to Kerberos, Piers McMahon (ICL, United Kingdom). Yaksha: Augmenting Kerberos with Public Key Cryptography, Ravi Ganesan (Bell Atlantic, USA). GSS-API Security for ONC RPC, Barry Jaspan (OpenVision Technologies, USA). 12:00 NOON LUNCH 1:30 P.M. SESSION 7: MECHANISMS OF IDENTITY - THE CERTIFICATE INFRASTRUCTURE Chair: Hilarie Orman (University of Arizona, USA) A Certificate Management System: Structure, Functions and Protocols, Nada Kapidzic and Alan Davidson (Stockholm University & Royal Institute of Technology, Sweden). PEMToolKit: Building a Top-Down Certification Hierarchy for PEM from the Bottom Up, Alireza Bahreman (Bellcore, USA). A New Approach to the X.509 Framework: Allowing a Global Authentication Infrastructure Without a Global Trust Model, Suzan Mendes (TS-E3X - Research and Development Center, France) and Christian Huitema (INRIA, France). 3:00 P.M. BREAK 3:30 P.M. SESSION 8: PANEL: SECURITY ISSUES FOR MOSAIC AND THE WORLD WIDE WEB Chair: Fred Avolio (Trusted Information Systems, USA) Panelists: Peter J. Churchyard (Trusted Information Systems, USA), Allan M. Schiffman (Enterprise Integration Technologies, USA), and Bill Cheswick (AT&T Bell Laboratories, USA) ------------------------------------------------------------------------------ GENERAL CHAIR James T. Ellis, CERT Coordination Center, Carnegie Mellon University PROGRAM CO-CHAIRS David M. Balenson, Trusted Information Systems Robert W. Shirey, The MITRE Corporation PROGRAM COMMITTEE Thomas A. Berson, Anagram Laboratories Matt Bishop, University of California at Davis Ravi Ganesan, Bell Atlantic Stephen T. Kent, Bolt, Beranek and Newman Paul A. Lambert, Motorola John Linn, OpenVision Technologies B. 
Clifford Neuman, Information Sciences Institute Hilarie Orman, University of Arizona Michael Roe, University of Cambridge (UK) Robert Rosenthal, U.S. National Institute of Standards and Technology Jeffrey I. Schiller, Massachusetts Institute of Technology Peter Yee, U.S. National Aeronautics and Space Administration Roberto Zamparo, Telia Research (Sweden) PUBLICATIONS CHAIR Terry Mayfield, Institute for Defense Analyses REGISTRATIONS CHAIR Gloria Carrier, The MITRE Corporation LOCAL ARRANGEMENTS CHAIR Thomas Hutton, San Diego Supercomputer Center STEERING GROUP Internet Research Task Force, Privacy and Security Research Group ------------------------------------------------------------------------------ BEAUTIFUL SAN DIEGO The Symposium venue is the Catamaran Resort Hotel, providing 7 acres of gorgeous surroundings, facing Mission Bay and only 100 yards from beautiful Pacific Ocean beaches. Spouses and family members can catch a convenient Harbor Hopper for a quick trip to Sea World. After the Symposium, plan to spend the weekend visiting La Jolla, the world famous San Diego Zoo or Mexico, only 30 minutes by car or Trolley. A limited number of rooms have been reserved at the Catamaran for the very special rate of $71.56 single, $88 double. Reservations, on a space available basis, can be made by calling (800)-288-0770 and indicating you are attending the ISOC Security Symposium, or by FAXing the hotel registration form attached below. Reservations must be made before Jan. 15, 1995 to ensure the special rate. CLIMATE February weather in San Diego is normally very pleasant. Early morning temperatures average 55 degrees while afternoon temperatures average 67 degrees. Generally, a light jacket or sweater is adequate during February; although, occasionally it rains. TRANSPORTATION San Diego International Airport is 10 miles (approx. 15 minutes) from the Catamaran Hotel. Cloud9 shuttle operates a continuous service between the airport and the hotel: fare is $6.00. 
When you arrive at the airport, go to the shuttle loading area at either terminal and ask the attendant to radio for a Cloud9 shuttle to the Catamaran. Taxi fare between the airport and the hotel is approx. $20. The Catamaran charges $6 per day for parking. REGISTRATION FEES Postmarked $320 Subsequent $365 by Jan. 6 registration REGISTRATION INCLUDES - Attendance - Symposium Proceedings - Two luncheons - Reception - Banquet - Coffee Breaks ON-SITE REGISTRATION is available Wednesday evening at the reception, and Thursday morning at the Symposium. FOR MORE INFORMATION on registration contact Gloria Carrier by phone at (703)-883-4508 or via email to gcarrier@mitre.org. ============================================================================== ISOC '95 SECURITY SYMPOSIUM REGISTRATION FORM Name ______________________________________________________________________ Affiliation _______________________________________________________________ Name on Badge _____________________________________________________________ Special Requirements (e.g., dietary)? _____________________________________ Mailing Address ___________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ Area Code/Phone # _________________________________________________________ Area Code/FAX # ___________________________________________________________ Email Address _____________________________________________________________ [ ] Check here if you would prefer that your name NOT be included in the list of attendees distributed at the symposium. Make check (credit cards not accepted) payable to ISOC NDSS SYMPOSIUM. (Registration is not effective until payment is received). Mail registration, no later than February 10, 1994, to: ISOC Symposium, C/O Gloria Carrier, The MITRE Corporation, 7525 Colshire Drive, M.S. Z605, McLean, VA 22102-3481, USA. 
============================================================================== ============================================================================== CATAMARAN HOTEL REGISTRATION FORM WELCOME ISOC SECURITY SYMPOSIUM February 16-17, 1995 Single: $71.56 Double: $88.00 Triple: $103.00 Quad: $118.00 Extra Person $15.00 All rates subject to $10.50 room tax Reservations required by: January 15, 1995 Fax this form to the Catamaran Hotel at (619)-490-3328 Name ______________________________________________________________________ Street ____________________________________________________________________ City ___________________________________ State ___________ Zip ____________ Phone # ________________________________ Number in Party ________________ Arrival Date ___________________________ Departure Date _________________ Roommate(s) ____________________________ Special Needs __________________ Credit Card # __________________________ Expires ________________________ Name on Card ______________________________________________________________ Signature _________________________________________________________________ ============================================================================== From firewalls-owner Fri Jan 13 00:18:51 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA12755 for firewalls-outgoing; Thu, 12 Jan 1995 23:50:54 -0800 Received: from fhg.de (fhg.de [153.96.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id XAA12750 for ; Thu, 12 Jan 1995 23:50:41 -0800 Received: by fhg.de (mail-gw.fhg.de) with PRESMTP; Fri, 13 Jan 95 08:49:00 +0100 from FHG-GATEWAY Received: by fhg.de (mail-gw.fhg.de) with SMTP; Fri, 13 Jan 95 08:48:53 +0100 from iitb.iitb.fhg.de Received: by iitb.fhg.de; Fri, 13 Jan 95 08:48:54 +0100 Received: by gatein.iitb.fhg.de; Fri, 13 Jan 95 08:48:50 +0100 Received: from s1(153.96.9.11) by gate via smap (V1.3mjr) id sma012436; Fri Jan 13 08:48:46 1995 Received: from 
s102.iitb.fhg.de by s1.iitb.fhg.de (5.0/SMI-SVR4) id AA05721; Fri, 13 Jan 1995 08:48:28 --100 Received: by s102.iitb.fhg.de (5.0/SMI-SVR4) id AA01060; Fri, 13 Jan 1995 08:48:22 --100 Date: Fri, 13 Jan 1995 08:48:22 --100 From: her@iitb.fhg.de (Helmut Herzog) Message-Id: <9501130748.AA01060@s102.iitb.fhg.de> To: firewalls@greatcircle.com Subject: How to configure x-gw from FWTK-1.3 ? Cc: her@s1 Content-Length: 350 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Hello, does anybody run the x-gw from fwtk-1.3 who can say what I have to configure in the netperm-table? I always get:
tn-gw-> x
X forwarder not permitted
--- Helmut Herzog Fraunhofer Institut fuer Informations- und Datenverarbeitung IITB Fraunhoferstr. 1 D-76131 Karlsruhe Tel:0049-721/6091216 Fax:0049-721/6091413 email:her@iitb.fhg.de
From firewalls-owner Fri Jan 13 00:38:43 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA13017 for firewalls-outgoing; Thu, 12 Jan 1995 23:55:50 -0800 Received: from haegar.k.mup.de (haegar.k.MuP.de [193.26.249.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id XAA13012 for ; Thu, 12 Jan 1995 23:55:45 -0800 Received: from slip.k.MuP.DE by haegar.k.mup.de (AIX 3.2/UCB 5.64/4.03) id AA15375; Fri, 13 Jan 1995 08:53:50 +0100 Message-Id: <9501130753.AA15375@haegar.k.mup.de> From: "Henning Stams" Organization: Mummert+Partner Unternehmensberatung GmbH To: Firewalls@GreatCircle.COM Date: Fri, 13 Jan 1995 08:56:32 WET Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7BIT Subject: Re: (trivia?)
Q on SNK and TIS toolkit Priority: normal X-Mailer: Pegasus Mail/Windows (v1.21) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Georg Chytil wrote:
> I was fooling around with TIS toolkit ( tn-gw with Snk enabled )
> and a SecureNet Key device ( (tm) they say ) the other day and seem to
> lack some very very basics --- which I'd like to explain ex post :
>
> I've programmed this device with seed ( they call it 'key number' ) and
> PIN, and it works quite fine -- giving me different challenges, and with
> the proper PIN in my device I can answer them easily ( most of the time,
> manual and display are not the very most readable I've met :-) ) ...
>
> Now imagine I lose this device on the street, and Willy Hacker ( may be
> the competition on reconnaissance mission in our dustbins as well ) finds it --
> it's straightforward to program it with a new PIN, and this has no
> effect on the challenge/response exchange as far as I've observed --
> without _ANY_ knowledge of the intrinsics I admit, yet I've tried it
> with different PINs ...
I also used the SecureNet Key from DP. As far as my experience reaches, you can reprogram the PIN and don't have the seed erased if - and only if - you typed the old one in correctly within 4 or 5 tries. If you either pull the battery out or mistype the PIN too often (was 4 or 5 times, can't remember), the "seed" is erased and the card is thus useless to the lucky finder (at least for YOUR systems).
Henning
---------------------------------------------------------------------- Henning Stams Mummert + Partner Unternehmensberatung GmbH Internet: hstams@k.mup.de Phone: +49 (221) 92404-131 (-0 from the U.S.) FAX: +49 (221) 92404-199 (-33 from the U.S.)
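The properties Shimizu and Stams describe above (PIN held only by the user, key number shared only by the token and the server, no response without the PIN, seed erased after too many wrong PINs, and a reprogrammed device answering with the wrong key) modelled in Python. This is an added example, not code from the list, from TIS or from the SecureNet Key vendor; the real SNK algorithm is not described in the thread, so HMAC-SHA256 stands in for the keyed response function, MAX_PIN_TRIES = 4 is an assumption where the thread says "4 or 5", and the user name, key numbers and PINs are constructed values.

```python
"""Toy model of a SecureNet Key style challenge/response token.

Added illustration, not code from the firewalls list, TIS or the SNK vendor.
HMAC-SHA256 is assumed as the keyed function; key numbers, PINs and the user
name are constructed values.
"""
import hashlib
import hmac
import secrets

MAX_PIN_TRIES = 4  # thread says "4 or 5" wrong PINs wipe the seed; 4 assumed


def compute_response(key_number: bytes, challenge: str) -> str:
    """Keyed response: the same function runs on the token and on the server."""
    return hmac.new(key_number, challenge.encode(), hashlib.sha256).hexdigest()[:8]


class Token:
    """The hand-held device. The key number never leaves it."""

    def __init__(self, key_number: bytes, pin: str):
        self.reprogram(key_number, pin)

    def reprogram(self, key_number: bytes, pin: str) -> None:
        # Anyone holding the device can load a fresh key number and PIN; that
        # does not help against a server that still expects the old key.
        self._secret = key_number
        self._pin = pin
        self._bad_pins = 0

    def secret_present(self) -> bool:
        return self._secret is not None

    def _check_pin(self, pin: str) -> bool:
        if self._secret is None:          # seed already erased: dead device
            return False
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._bad_pins = 0
            return True
        self._bad_pins += 1
        if self._bad_pins >= MAX_PIN_TRIES:
            self._secret = None           # wipe the seed, as the thread describes
        return False

    def respond(self, pin: str, challenge: str):
        """Return the response, or None when the PIN is wrong or the seed is gone."""
        if not self._check_pin(pin):
            return None
        return compute_response(self._secret, challenge)

    def change_pin(self, old_pin: str, new_pin: str) -> bool:
        """A PIN change needs the old PIN; the key number is untouched."""
        if not self._check_pin(old_pin):
            return False
        self._pin = new_pin
        return True


class Server:
    """Holds each user's key number (root-only readable in the real system)."""

    def __init__(self):
        self._key_numbers = {}
        self._pending = {}

    def enroll(self, user: str, key_number: bytes) -> None:
        self._key_numbers[user] = key_number

    def challenge(self, user: str) -> str:
        c = f"{secrets.randbelow(10**8):08d}"   # fresh 8-digit challenge
        self._pending[user] = c
        return c

    def verify(self, user: str, response) -> bool:
        c = self._pending.pop(user, None)
        if c is None or response is None or user not in self._key_numbers:
            return False
        expected = compute_response(self._key_numbers[user], c)
        return hmac.compare_digest(expected, response)


def run_scenarios() -> dict:
    """Walk through the cases raised in the thread; returns name -> outcome."""
    key = bytes.fromhex("0123456789abcdef")    # constructed key number
    server = Server()
    server.enroll("georg", key)
    out = {}
    # 1. Owner with the right PIN answers the challenge.
    tok = Token(key, "4711")
    out["owner_ok"] = server.verify("georg", tok.respond("4711", server.challenge("georg")))
    # 2. Owner changes the PIN with the old PIN; the new PIN works, key unchanged.
    out["pin_change"] = tok.change_pin("4711", "2604")
    out["new_pin_ok"] = server.verify("georg", tok.respond("2604", server.challenge("georg")))
    # 3. Lost device: the finder guesses PINs. No response without the PIN,
    #    and after MAX_PIN_TRIES wrong guesses the key number is erased.
    c = server.challenge("georg")
    out["guess_rejected"] = server.verify("georg", tok.respond("0000", c))
    for guess in ("1111", "2222", "3333"):
        tok.respond(guess, c)
    out["seed_wiped"] = not tok.secret_present()
    out["wiped_even_with_pin"] = tok.respond("2604", c) is None
    # 4. Finder reprograms the device with his own key number and PIN. It
    #    answers again, but the server, holding the real key, rejects it.
    tok.reprogram(bytes.fromhex("ffffffffffffffff"), "0000")
    out["reprogrammed_rejected"] = server.verify("georg", tok.respond("0000", server.challenge("georg")))
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:22s} {result}")
```

Run it directly and the four scenarios print their outcomes; the point of the model is that scenario 4 fails even though the reprogrammed device "works", which is the answer to Georg's worry.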
---------------------------------------------------------------------- From firewalls-owner Fri Jan 13 00:46:54 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA14246 for firewalls-outgoing; Fri, 13 Jan 1995 00:34:22 -0800 Received: from oc.rjl.com (oc.rjl.com [129.189.184.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id AAA14239 for ; Fri, 13 Jan 1995 00:34:17 -0800 Received: by oc.rjl.com id <185123>; Fri, 13 Jan 1995 00:32:04 -0800 Date: Fri, 13 Jan 1995 00:31:55 -0800 From: Rob Liebschutz To: firewalls@GreatCircle.COM Subject: Re: Vendor RFP clarification - Our Tentative Plan Message-ID: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I have received a few questions regarding our plans. Although not completely > formulated and subject to change to fit whichever firewall product I use, this > is what I have been thinking of doing. Feel free to shoot holes in it (with > constructive comments please) or add other sage advice. > > | +------------+ | > | | public | | +-------+ 172.16.2 > |---| DNS, WWW, | |---| Cisco | ---- > ---- +-------+ | | FTP Server | | | 2513 | / \ >(Inet)----| Cisco |----| +------------+ | |IP Only|---(Token ) > ---- | 2501 | | | +-------+ \Ring/ > |IP Only| | +----------+ | ---- > +-------+ |---| Firewall |------| | > | +----------+ | +--------+ > 198.x.x 172.16.1 |Internal| > (my registered |DNS,Mail| > Class C IP) | Server | +--------+ What you've drawn here is pretty standard. You don't mention whether you plan to have some kind of proxy for telnet, ftp, http etc. I've been leaning toward having two network interfaces on the Internal Unix host so that it connects to the firewall router on an isolated subnet. IP forwarding should be turned off in the Internal Unix host. Adding the second ethernet interface can be done for a very minimal cost/effort and increases the protection of the firewall. 
Using this design, the packet filter in the firewall router can become an extra level of redundancy and can completely fail without penetration of the firewall if the Internal Unix host is set up right. I think this is a big advantage, since most of the methods for specifying packet filters that I have seen are cumbersome enough that there is at least some reasonable probability of misconfiguration, particularly by someone not thoroughly familiar with the networking protocols involved. The firewall router can protect the Internal Unix host from many modes of failure as well. It's like comparing the penetration effort required for two brick walls, one in front of the other, vs. two brick walls side by side. In the latter case penetration of either wall is sufficient to get in. In the former, penetration of both is required. | +------------+ | | | | public | | +-------+ | |---| DNS, WWW, | |---| Cisco | | +--------+ ---- +-------+ | | FTP Server | | | 2513 | | |Internal| (Inet)----| Cisco |----| +------------+ | |IP Only|---| |DNS,Mail| ---- | 2501 | | | +-------+ |---|Other | |IP Only| | +----------+ | | |Proxy | +-------+ |---| Firewall |------| | |Services| | +----------+ | | +--------+ 198.x.x 172.16.1 172.16.xxx | (my registered (some other | Class C IP) network | number) | | ---- / \ (Token ) \Ring/ ---- 172.16.2 Rob Liebschutz RjL Systems (Network Consulting) From firewalls-owner Fri Jan 13 01:26:36 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA14725 for firewalls-outgoing; Fri, 13 Jan 1995 00:42:24 -0800 Received: from dsinc.myxa.com (root@dsinc.myxa.com [192.65.202.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA23104 for ; Thu, 12 Jan 1995 05:48:32 -0800 Received: from provdev by dsinc.myxa.com with uucp (Smail3.1.28.1 #24) id m0rSPkd-0006WQC; Thu, 12 Jan 95 08:39 EST Received: by pnc-pimc.com (4.1/SMI-4.1) id AA27407; Thu, 12 Jan 95 08:41:11 EST From: cfulmer@pnc-pimc.com (Catherine Fulmer)
Message-Id: <9501121341.AA27407@pnc-pimc.com> Subject: Firewall Vendor List To: Firewalls@greatcircle.com Date: Thu, 12 Jan 95 8:41:11 EST X-Mailer: ELM [version 2.3 PL11-upenn1.13] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
My apologies in advance for the size of this note, however, for those folks who are web-impaired, I thought it might be helpful to post the most recent version of the list of commercial firewall product vendors here ONCE. For the rest of the web-enabled: url: http://www.digimark.net/bdboyle/fulmer/firewall.vendor.html For those dozen or so folks who have sent me email asking for a copy and none of your provided return email addresses worked... well, you guys are on your own.
================================================================================ COMMERCIAL FIREWALLS AND PARTIAL FW PRODUCTS ================================================================================
- - "BlackHole" check http://www.milkyway.com for the info David Cross | Milkyway Networks Corporation Vice-President, Sales | The home of the Black Hole firewall E-mail- Davidc@Milkyway.com |Ottawa, Ontario Canada Voice: (613) 566-4574 Fax: (613) 596-5615
- - Brimstone by SOS.
- - Cyberguard - Harris Computer Systems Firewall. It runs on a PC tower Chassis with a Night Hawk 4800 series CPU board (Motorola 88100-based), CX/SX operating system and LAN/SX networking. The OS and networking systems are "NCSC B1-level evaluated and ITSEC FB1 E3" secure. To talk to Computer Systems about the product, e-mail nhnews@csd.harris.com or call (305) 974-1700 Ext. 5144 for Sales or Ext. 5124 for Marketing Communications.
- - DPF by NSC Network Systems Corp. (NSC) has announced a security product called "Data Privacy Facility" (DPF). It encrypts IP datagrams on a per-packet basis, gives you the ability to select what gets encrypted and what doesn't.
DPF supports DES, IDEA, and NSC1 encryption algorithms, MD5 for digi-signatures, uses RSA and Diffie/Hellman for key exchange, works great, lasts long time. DPF runs on a router (which means that you can not only encrypt traffic but establish/control access policy as well.) There is no limit to the number of end-stations that can use an encrypted tunnel. Encrypted packets can be forwarded over any data-link that supports IP (frame relay, ATM, ethernet, T/R, etc.)
- - Eagle from Raptor Systems.
- - ExFilter V1.1.2 for SunOS 4.1.x Security and Internet Gateway Software All-in-one Firewall, Router and Network-manager 80% of major Internet-connected sites have suffered hacking attempts. ExFilter turns a Sun workstation running Solaris 1 (SunOS 4.1.x) into a firewall, router and network-manager. The Sun becomes a secure gateway between your network and the Internet, and between segments of the same network. Email: exfilter@exnet.com or exfilter@exnet.co.uk
- - Firewall-1. software only. (originally by Checkpoint software). Available thru PDC, SunSoft, Qualix, GES. FireWall-1 is protecting hundreds of networks world wide and was reviewed by Open Computing 10/94 and Advanced Systems 12/94. More info: http://WWW.CheckPoint.com info, support, or sales @CheckPoint.com CheckPoint FireWall-1 software is a unique, flexible security system designed to protect your organization against unauthorized access from the Internet. The system controls access to your entire organization's heterogeneous network, while providing your users with secure connectivity to all Internet resources and IP based services. It enables a smooth growth path from a single Internet gateway to an enterprise-wide system. CheckPoint FireWall-1 lets you take full control over all Internet gateway traffic. An advanced, patent pending, generic filtering technology inspects each packet, promptly blocking all unwanted communication attempts.
A powerful auditing and alerting mechanism identifies and flags any suspicious communication.
- - Gauntlet by TIS Trusted Information Systems Gauntlet is a hardware- and software-based firewall system designed by Trusted Information Systems, Inc. (TIS), to provide secure access and internetwork communications between private networks and public networks such as the Internet, or between subnets within a private network. Gauntlet offers application-level security services that regulate both incoming and outgoing communications in compliance with established organization security policies. The Gauntlet product includes software based on the popular TIS Internet Firewall Toolkit, and is built on a UNIX operating system configured to restrict access to the private network. Electronic mail to netsec@tis.com Telephone 301-854-6889 Fax to 301-854-5363 Or write to Trusted Information Systems, Inc., ATTN: Network Security, 3060 Washington Road, Glenwood, MD 21738
- - Igateway by Sun Consulting. Actually called CONSULT-IGATEWAY and consists of telnet and ftp proxies for filtered traffic. Available thru Sun Consulting only.
- - "Integralis"
- - Inter-Ceptor by Network Security International For info, contact John Shepherd at (516) 674-0238
- - ANS InterLock Service from ANS CO+RE Systems, Inc. For organizations who want to develop and/or enforce network security policies, ANS InterLock application-level service can be customized to meet specific customer requirements and may be used to control access among segments of a private enterprise network and/or to establish a controllable filter between the private network and the public Internet. ANS InterLock service supports telnet, FTP, SMTP, HTTP, Gopher, NNTP, X Window systems, NTP and GPD. ANS Interlock service assures end-to-end service transparency and provides audit logs for resource accounting. The ANS Interlock system can be configured to support end-to-end encryption as well as card key authentication.
Access to all services is controlled via the Access Control Rule Base which permits users and/or user groups to access particular services by any combination of userid/password/smartcard, time of day, day of week, inbound or outbound direction, private/public network address and private/public host criteria. These hardware/software solutions offer customers easy administration and strong password management controls. For more information, view our WWW site at: web: http://www.ans.net or contact Sales at: main: 800-456-8267 or 703-758-7700 email: info@ans.net
- - IRX Router - Livingston Firewall Router This enhanced version of the PortMaster IRX Internetwork Router provides an advanced set of features for attaching a company's network to the world-wide Internet. By providing the most advanced packet filtering available (input and output packet filtering on a per interface basis), the FireWall IRX controls which computers are accessible from the Internet as well as limiting the types of network services those computers can use. For example, the filters can be set to allow electronic mail to and from a company's secure mail host, but block the ability for Internet intruders to establish login sessions to any host computer. Security can also be set up to allow trusted users within a company to directly access information services on the Internet, while denying access to those services from the Internet. Packet logging features allow network administrators to detect and monitor intruder attempts from the Internet. Contact: info@livingston.com sales@livingston.com support@livingston.com Contact: Joe Sasek, Director of Sales Livingston Enterprises 1-800-458-9966 6920 Koll Center Parkway #220 (510) 426-0770 Pleasanton, CA 94566 (510) 426-8951 Fax
- - JANUS from Border Network Technologies. The JANUS Firewall Server is the one stop solution to connecting your organization to the Internet.
In one highly integrated hardware device, JANUS provides a security Firewall, Internet servers, and an Internet router. The JANUS security Firewall prevents Internet based intruders from accessing your internal networks, while allowing your network users full access to the Internet. JANUS runs all standard Internet servers including a full function electronic mail server with POP and SMTP support, a USENET News server, a Web server, an anonymous FTP server, and a Domain Name System server. This is all controlled via an easy to use graphical user interface directly on the JANUS console. Glenn Mackintosh Border Network Technologies Inc. Email: glenn@border.com 1 Yonge Street, Suite 1400, Tel: +1 416 368 7157 Toronto, Ontario, Canada, M5E 1J9 Fax: +1 416 368 7789 JANUS resellers: -NetPartners (Phil Trubey) Phone: 800-723-1166, 714-252-5493 Fax: 714-759-1644 EMail: sales@netpart.com -Sea Change Corporation 6695 Millcreek Drive, Unit 8 Mississauga, Ontario, Canada L5N 5R8 Tel: 905-542-9484 Fax: 905-542-9479 Internet: jalsop@seachange.com WWW: http://www.seachange.com
- - KarlBridge/KarlBrouter - sold by KarlNet Inc in the US and Sherwood Data Systems Ltd in the UK/Europe. Protocol filtering bridge/brouter. The KarlBrouter is identical to the KarlBridge except it provides IP routing (multiple nets per interface - but currently only static routes). The bridge supports filtering of ANY Ethernet protocol and optionally tunnelling within IP and optional encryption. The product also supports protocol filtering of :- IP - net/subnet/sockets DECnet - net/object0/other objects Novell - net/servers/saps/disabling SLIST commands AppleTalk - zone/servers/printers/services There is a shareware/demo (share with colleagues) available from :- ftp://ftp.net.ohio-state.edu/pub/kbridge/ ftp://ftp.demon.co.uk/pub/ibmpc/kbridge/ http://www.demon.co.uk/kbridge/ p.s.
the UK ftp site will change to ftp://ftp.gbnet.net/pub/kbridge/ http://www.gbnet.net/kbridge/ (as soon as the DNS entries get updated etc). Available from: Sherwood Data Systems Ltd KarlNet Inc High Wycombe, UK Columbus, OH, USA +44-(0)1494 464264 tel (614) 263-KARL sales@gbnet.com sales@KarlNet.com
- - NetGate NetGate(TM) is a software firewall for SPARC based systems developed by SmallWorks of Travis Co. SmallWorks specializes in efficient networking utilities and custom software development for SunOS. NetGate was designed to provide routing and filtering for networks of TCP/IP systems without requiring expensive, separately managed hardware. It performs filtering, logging and forwarding for a network or subnetwork of TCP/IP based computers. The extensible rules based system allows the administrator to customize the firewall to allow or disallow packets into the network system. NetGate is available for SunOS 4.1.X as either a binary installation, or in source code for the truly adventurous. A single binary license is $1500. Source Code is $2500. Site, corporate-wide and distributor licensing are also available. Send email to: info@smallworks.com Or telephone/fax to: 512 338 0619
- - Netpartners: hardware + software sales@netpart.com
- - Netra Server by Sun (SMCC)
- - NetSP - IBM. NetSP Secured Network Gateway for AIX is a firewall that runs on any standard IBM Risc System/6000 computer with AIX 3.2.5. - Application gateways will be provided for telnet and ftp. Users in the protected network log in to the Firewall to use these gateways. The administrator can control which users have access to each of the gateways. - Filtering is the technique of limiting Firewall traffic based on the standard TCP/IP header information of the packets. Filter rules can be based on source and destination address, protocol (TCP, UDP, or ICMP), port number (identifies application), and acknowledgement status (does this packet open a new connection).
Phone: 919-254-7416 or 919-254-6898
Fax: 919-254-4239
E-mail: sbaumann @ vnet.ibm.com

- - Network-1 Software and Technology, Inc.

Network-1 Software and Technology, Inc., who take pride in having Bill Hancock on their staff. Bill told me theirs will be an "inexpensive" offering, meant to "correct" the other overpriced items on the market. He estimated delivery by Q1 '95. If you'd like to contact them try (800) NETWRK1, or hancock@network-1.com.

- - Novix by FireFox (Novell only)

IP gateway, partial solution. British company, can function as a firewall for sites with Novell clients. Firefox is an NLM (Netware Loadable Module) which gateways between IPX and TCP/IP. The NLM on the server controls who can get the clients when, etc., and also limits the number of simultaneous users -- a form of use-based licensing. Five users cost under $2000, with the price descending to under $300 per simultaneous user. 800 230 6090.

- - PORTUS by LSLI (Livermore SW Labs).

PORTUS is a secure firewall system which represents the state of the art in securing a network from unauthorized intrusions. This software was initially developed at the IBM Thomas J. Watson Research Center in 1988. The PORTUS firewall system provides access from a secure internal network to an unsecured external network without undue hassle. It provides Telnet and File Transfer Protocol (FTP) services to and from the outside world for authorized individuals without compromising network security. PORTUS for the RS/6000 significantly increases the physical security of your valuable data as well as allowing easy access to the Internet.

Company Contact Info: portusinfo@gw.lsli.com 1-800-240-5754.
Sales Contact Info: PENTA, Inc.
Phone: (800) PENTA-79, (713) 999-0093
Fax: (713) 999-0094
333 North Sam Houston Parkway East, Suite 680, Houston, TX 77060
E-Mail: penta@phoenix.phoenix.net

- - Quiotix, jbs@Quiotix.com

- - SEAL - Digital's Firewall Service

December 12th _INFOWORLD_: "For more than a decade, the Screening External Access Link, or SEAL, has kept Digital Equipment's mammoth EasyNet completely impervious to outsiders".
SEAL page: http://www.digital.com/info/seal.html
FTPable documents: ftp://ftp.digital.com/pub/Digital/info/document/firewall*.*
United States Contact: Dick Calandrella at 508-496-8626

- - SecurityGate by DEC

From Dave Church: dave.church@vbo.mts.dec.com

PRODUCT NAME: DEC SecurityGate for OpenVMS[*], Version 1.1 SPD

DEC SecurityGate software is a VMS software product that, when installed on a DECnet Phase IV routing node, provides an additional level of access control to that part of the network served by the routing node. A system or security manager can use the DEC SecurityGate software to create a security domain consisting of a group of nodes serviced by the router.

HARDWARE REQUIREMENTS

Processor and/or hardware configurations as specified in the System Support Addendum (SSA 36.20.01-x). A TK50 tape drive is required for standalone MicroVAX 2000 and VAXstation 2000 systems.

- - Sidewinder by SCC (Secure Computing).

================================================================================
OTHER FW-RELATED SERVICES/PRODUCTS

- - AlterNet: AlterNet is now offering security consulting services.
Bob Stratton, UUNET Technologies, Inc.
Voice: +1 703 204 8000
strat@uunet.uu.net

- - Bell Atlantic Network Integration also provides firewall design services.

- - Data Privacy Facility - Network Systems

- - ISS, Internet Security Scanner, is an auditing package that is publicly available that checks domains and nodes searching for well-known vulnerabilities and generating a log for the administrator to take corrective measures.
The publicly available version is on aql.gatech.edu /pub/security/iss.

- - Network Translation Services

Our company, Network Translation, Inc., has such a Network Address Translation product (see RFC-1631). Give us a call, or check our web site: www.translation.com
John Mayes, Network Translation, Inc., 415/494-NETS

- - Stalker by Haystack Labs, Inc. intrusion detection system.

================================================================================
Disclaimer: This information comes from sources that cannot be verified. As such, make no assumptions about its completeness or accuracy. I endeavor to keep this list up to date as much as possible. Feel free to send comments/updates to mailto:cfulmer@pnc-pimc.com (Catherine Fulmer). Date last update: 01-12-95.
================================================================================
--
Catherine Fulmer, clf@pnc-pimc.com
PNC Bank (Phila, PA, US)
Voice: 610-521-7828  Fax: 610-521-7980
My words are mine, and don't reflect the views of my employer.

From firewalls-owner Fri Jan 13 01:39:58 1995
From: "Ward D. Britton"
Message-Id: <9501131951.ZM8510@xplus.com.au>
Date: Fri, 13 Jan 1995 19:51:09 +0000
To: firewalls@greatcircle.com
Subject: DNS Configuration...
After reading the FAQ, I note that the proposed methods for setting up a DNS so that internal hostnames are 'not available' to the outside world require multiple systems. Great, this setup does work very well.

I have a requirement to set up a SINGLE system, which connects to the local service provider via PPP as well as many other regional sites, via direct PPP links. As such, it is necessary to run DNS. But unfortunately, I cannot figure out how to stop the addresses and hostnames for the other PPP interfaces on this particular system from being propagated to the world via DNS.

Can anybody help on this issue? (Please be gentle, this is my first posting to this group...)

Best Regards,
wardb++
--
Ward D. Britton, Senior Consultant, X + Open Systems Pty. Ltd.
Email: wardb@magna.com.AU  Phone: +61(15)702-002  Fax: +61(2)452-2142

From firewalls-owner Fri Jan 13 02:14:17 1995
From: lavondes@tidtest.total.fr (Michel Lavondes)
Message-Id: <9501131035.AA05286@tidtest.total.fr>
Subject: Re: Not a new problem (C2 certification)
To: Rich.Friedeman@corp.anixter.com
Date: Fri, 13 Jan 95 10:35:29 GMT
Cc: firewalls@greatcircle.com
Reply-To: lavondes@tidtest.total.fr
In-Reply-To: <9500127899.AA789958968@corp.anixter.com>; from "Rich.Friedeman@corp.anixter.com" at Jan 12, 95 5:02 pm
Rich.Friedeman@corp.anixter.com wrote:
>
> correct me if I'm wrong, but I was under the impression that wfw could
> only do its peer-to-peer stuff (ie sharing local hard drives, etc)
> using NetBEUI. This would mean that a tcp/ip enabled machine could
> have its hard drive compromised, but not that of the other pc's to
> which it had drive mappings, since the ip connection couldn't access
> the NetBEUI connected drives. Is this right, or am I totally off
> base? The idea that all of the drive connections would be transparent
> to an ip connection is really awful. Thank God it doesn't come with
> tcp/ip installed by default.
>

Even if it's true, you're still vulnerable. Consider what may happen to the shared machine's disks if some user on another machine starts a ftpd (as it may well do unknowingly, since some telnet or www clients include one - see previous postings). Now access to the shared disks on the first machine is possible through ftp to the second.

--
Michel Lavondes
E-Mail: lavondes@tidtest.total.fr
        lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected)
Tel: +33-1-4135-4198  Fax: +33-1-4135-4189

From firewalls-owner Fri Jan 13 04:39:49 1995
Date: Fri, 13 Jan 1995 07:09:22 -0500
To:
firewalls@GreatCircle.COM
From: hwhite@ccs.neu.edu (Howard White)
Subject: Re: Facts and Figures for Justification

>
>To: Quentin Fennessy
>From: hwhite@ccs.neu.edu (Howard White)
>Subject: Re: Facts and Figures for Justification
>
>>Bob:
>> I want to discuss some points that you made:
>>
>>rmck@sandfiddler.paragon-systems.com (Bob McKisson) said:
>>> The number of break-ins are now nearly too high to keep track of, let
>>> alone attempts. Current "educated" guessing is anywhere from 250 to
>>> 1000 successful intrusions a day resulting in some information
>>
>>This estimate of successful breakins seems outrageously high.
>>I am willing to be corrected, but I have never seen numbers like
>>this.
>>
>>> [ Bob suggests sources such as the 12/12/94 Information Week,
>> the WSJ, CERT, NIST, Bob McCree, Washington Technology,
>> InfoSecurity News ]
>>
>>Bob: I have seen some of these sources but the numbers still astound
>>me. Can you offer more specifics? I just looked at the Information
>>Week article and saw that CERT becomes involved with 150 - 250 incidents
>>a month. CERT also claims that 'hacker' incidents are up 76% from
>>last year. This is a small fraction of your estimate.
>>
>>
>>> Average damage repair prices run anywhere from $200K - to $400K for
>>> manhours and machine time depending on the level of trauma, and
>>> required reconstructive work.
>>
>>This is outrageous! What goes on in these 'average' breakins that
>>cost $200K - $400K? That indicates approximately 2 - 8 person-years of
>>work per incident.
>>
>>I am very willing to learn from this discussion. However I feel
>>that you are making some alarmist claims that do not reflect reality.
>>The estimated number of successful intrusions seems high, and the average
>>cost per intrusion is also high. Multiplied together they might
>>indicate that corporations that have been 'hacked' are paying
>>on the order of 18 billion per year.
>>(250 incidents / day * 365 days * $200,000) Yow.
>>
>>I may have misread your statements - please correct me if I have.
>>
>>Thanks,
>> Quentin
>

Thanks for your confidence at speaking out Quentin. I also felt the numbers were outrageous. What this list needs is an accountant with the technical knowledge to make down to earth estimates. Or maybe an insurance expert in the business of evaluating risk. If we rely on the FBI's ultra paranoid statistics, networking PCs would be outlawed and the Internet would be dismantled. "The sky is falling, the sky is falling!" NOT! ;)>

Howard White, PC Tech. Coor., Office of VP Info Services, Northeastern Univ.
275 Richards Hall, 360 Huntington Ave., Boston, MA 02115
http://h-white.acs.neu.edu/
Timbuktu Pro @ 129.10.1.192  FAX: 617-373-2054

From firewalls-owner Fri Jan 13 05:10:01 1995
Message-Id: <9501131440.AA0360@notes.worldcom.com>
To: firewalls
From: Kenneth Smith
Date: 12 Jan 95 18:12:32 EDT
Subject: Re: Not a new problem (C2 certification)

You are both right and wrong.
WFW *can* conduct its peer-to-peer services over any of its supported protocols (i.e., NetBEUI, NWLink [an IPX/SPX implementation], and TCP/IP). WFW, however, *cannot* reshare drives to which it is connected through the network. It can only share local drives.

And while the *ability* to share a (local) drive is turned on by default, (a) the actual *sharing* of that drive is not; and (b) it is possible to establish and enforce network policies through a utility called admincfg.exe that comes with WFW. This includes preventing users from sharing their hard drives. It will not prevent a determined user from sharing their hard drive if they insist, but it is adequate for purposes of enforcing general network policy.

To: firewalls @ GreatCircle.COM @ Internet
cc: (bcc: Kenneth Smith)
From: Rich.Friedeman @ corp.anixter.com @ Internet @ WORLDCOM
Date: 01/12/95 05:02:19 PM CST
Subject: Re: Not a new problem (C2 certification)

cheer@isisph.com writes
>Two mouse clicks, and your users are sharing everything on their hard
>drives. Fortunately the default protocol is NetBEUI, which generally
>makes it a purely internal matter (stopping an alien protocol at your
>router is pretty easy), but suppose you *do* use TCP/IP? Does anyone
>have any idea how W4WG or Windows NT do this? Do they use any sort
>of standards? If I want to block disk sharing (gads, and we thought
>NFS was bad) at the firewall, how would I?

correct me if I'm wrong, but I was under the impression that wfw could only do its peer-to-peer stuff (ie sharing local hard drives, etc) using NetBEUI. This would mean that a tcp/ip enabled machine could have its hard drive compromised, but not that of the other pc's to which it had drive mappings, since the ip connection couldn't access the NetBEUI connected drives. Is this right, or am I totally off base? The idea that all of the drive connections would be transparent to an ip connection is really awful. Thank God it doesn't come with tcp/ip installed by default.
Rich
rich.friedeman@anixter.com

From firewalls-owner Fri Jan 13 05:21:36 1995
Message-Id: <199501131257.AA05356@jupiter.hsi.com>
To: Firewalls@greatcircle.com
Subject: Re: (trivia?) Q on SNK and TIS toolkit
In-Reply-To: Your message of "Thu, 12 Jan 95 23:33:38 GMT."
Date: Fri, 13 Jan 95 07:57:05 -0500
From: "Justus J. Addiss (addiss@hsi.com) 203-949-6414"

==> On Thu, 12 Jan 1995 23:33:38 +0000 (GMT) sdw@lig.net (Stephen D. Williams) said:

>The pin in most of those devices (I have Digital Pathways where I
>learned this, and another I haven't checked out yet) is only there
>to keep you from 'unlocking' use of the hha with the programmed
>secret key. You can reset it and program another secret key
>and pin at any time, but you must know the secret key.
>
>If it allows you to reprogram the pin without erasing the secret key,
>the pin is useless.

The PIN is ONLY reprogrammable if you know the original PIN. If you find the device on the street you would have to guess the existing PIN before you could reprogram the PIN or use the device for its intended purpose.
In the specific case of the Digital Pathways Secure Net Key you have to enter the existing PIN twice in order to unlock the SNK to enter a new PIN. Changing the DES key is of little use as it would have to match the DES key on the firewall for the user you were trying to log in as. If you have access to the DES key information on the firewall then you've probably already broken into the firewall anyway. Seems to be pretty secure to me. Meets the challenge of "What you KNOW and what you HAVE".

- Justus Addiss

>
>>
>> I was fooling around with TIS toolkit ( tn-gw with Snk enabled )
>> and a SecureNet Key device ( (tm) they say ) the other day and seem to
>> lack some very very basics --- which I'd like to explain ex post :
>>
>> I've programmed this device with seed ( they call it 'key number' ) and
>> PIN, and it works quite fine -- giving me different challenges, and with
>> the proper PIN in my device I can answer them easily ( most of the time,
>> manual and display are not the very most readable I've met :-) ) ...
>>
>> Now imagine I lose this device on the street, and Willy Hacker ( may be
>> the competition on reconnaissance mission in our dustbins as well ) finds it --
>> it's straightforward to program it with a new PIN, and this has no
>> effect to the challenge/response exchange as far as I've observed --
>> without _ANY_ knowledge of the intrinsics I admit, yet I've tried it
>> with different PINs ...
>>
>> I _MUST_ be wrong --- please enlighten so I can go to sleep ( it's
>> GMT+1 here :-) ) ....
>>
>>
>> Georg
>>
>> Chytil Georg GC82, EUnet EDV-Dienstleistungs-Gesellschaft
>> chytil@Austria.EU.net (backup: chytil@EU.net)
>> Phone: +43/Vienna/3174969  Fax: +43/Vienna/3106926  Home?: 0222/3718445
>>
>
>
>--
>Stephen D.
>Williams 25Feb1965 VW,OH sdw@lig.net http://www.lig.net/sdw
>Senior Consultant 510.503.9227 CA Page 513.496.5223 OH Page BA Aug94-Dec95
>OO R&D AI:NN/ES crypto By Buggy: 2464 Rosina Dr., Miamisburg, OH 45342-6430
>Firewalls/WWW servers ICBM: 39 38 34N 84 17 12W home, 37 58 41N 122 01 48W work
>Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.29Nov94

From firewalls-owner Fri Jan 13 06:10:09 1995
Date: Fri, 13 Jan 95 08:32:21 -0500
Message-Id: <9501131332.AA22287@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Opinion on HHA (& plug)

> I was fooling around with TIS toolkit ( tn-gw with Snk enabled )
> and a SecureNet Key device ( (tm) they say ) the other day and seem to
> lack some very very basics --- which I'd like to explain ex post :
>

I have been using the Enigma-Logic SafeWord since 1990 (in fact am still using the same token). Being challenge-response it has no loss-of-sync or multi-host problems. The hardware version does require entering the PIN and challenge, pressing a button, then typing back the result. For the mentally challenged, they have a Windoze software version that pops up a window when the challenge is received and all the user needs to do is input the PIN. While I can conceive of a way to do this with a time-synchronous token, the lack of accuracy of the typical notebook's clock would make it a bit more difficult.
Although I would not recommend putting any token into your hip-pocket wallet and then going white water rafting in Alaska (did that with a SecurID token once - when I came back the token was fine but one of my credit cards was cracked) the SafeWord has handled my "frequent flying" for five years now (and am into my third carry-along computer). And considering some of the places I go (spoke at Defcon II), it is a comfort, just wish I had full session encryption but the gov seems to be holding that up.

When I like a company, I pass it along.

Warmly,
Padgett

From firewalls-owner Fri Jan 13 06:40:06 1995
From: adamsb@un.org
Date: Fri, 13 Jan 95 09:27:00 EST
Message-Id: <9500137900.AA790018056@un.org>
To: firewalls@greatcircle.com
Subject: List of firewall log attack signatures?

Does anyone have a list of common firewall log entries that show that a firewall is being attacked, and what kind of attack the log entries represent? If so, I would be grateful if you could e-mail a copy to me at adamsb@un.org. Posting the log entries on the list might not be appropriate, as the alt.2600/#Hack FAQ recommends that crackers subscribe to this list.
Bernard Adams
United Nations, New York

From firewalls-owner Fri Jan 13 06:55:24 1995
Message-Id: <199501131410.AA16120@hatteras>
Date: Fri, 13 Jan 1995 10:01:07 -0600
To: Rich.Friedeman@corp.anixter.com, firewalls@GreatCircle.COM
From: wlb@ch.inri.com (Bill Bunting)
Subject: Re: Not a new problem (C2 certification) WFW uses NetBEUI

Yes, I think you are correct (WFW uses NetBEUI for peer-to-peer). We have machines loaded w/ WFW and Microsoft TCP/IP stack, and the WFW uses NetBEUI (I have watched the traffic with tcpdump). I have also run a probe against the PCs and no TCP servers were found. The Microsoft TCP stack does not come with any servers -- just a stack (unless your users add servers). However, you must be sure that all users password protect anything they share because any PC connected to the same ethernet will have access. (I think this goes without saying, but in our situation we were sharing an ethernet with the organization we were working for.)

At 05:02 PM 1/12/95 csd, Rich.Friedeman@corp.anixter.com wrote:
> cheer@isisph.com writes
> >Two mouse clicks, and your users are sharing everything on their hard
> >drives.
> >Fortunately the default protocol is NetBEUI, which generally
> >makes it a purely internal matter (stopping an alien protocol at your
> >router is pretty easy), but suppose you *do* use TCP/IP? Does anyone
> >have any idea how W4WG or Windows NT do this? Do they use any sort
> >of standards? If I want to block disk sharing (gads, and we thought
> >NFS was bad) at the firewall, how would I?
>
> correct me if I'm wrong, but I was under the impression that wfw could
> only do its peer-to-peer stuff (ie sharing local hard drives, etc)
> using NetBEUI. This would mean that a tcp/ip enabled machine could
> have its hard drive compromised, but not that of the other pc's to
> which it had drive mappings, since the ip connection couldn't access
> the NetBEUI connected drives. Is this right, or am I totally off
> base? The idea that all of the drive connections would be transparent
> to an ip connection is really awful. Thank God it doesn't come with
> tcp/ip installed by default.
>
> Rich
> rich.friedeman@anixter.com
>
> [[disclaimer: Views are the personal opinion of the author - not the company]]

---------------------------------------
Bill Bunting, Software Engineer
Inter-National Research Institute, Inc.
1441 Crossways Boulevard, Suite 106
Chesapeake, Virginia 23320
V(804)424-8675 F(804)420-4262
wbunting@inri.com, bunting@cs.odu.edu
---------------------------------------
***** HAPPY NEW YEAR 1995 *****

From firewalls-owner Fri Jan 13 07:10:40 1995
From: KMcCann@idrc.ca
Date: 13 JAN 95 08:31:37 EST
Subject: Re: Firewall Product List
To: firewalls@greatcircle.com
Message-ID: <0000miomowoi.0000jjfpnflf@idrc.ca>

> COMMERCIAL FIREWALLS AND PARTIAL FW PRODUCTS
>- - "BlackHole"
>check http://www.milkyway.com for the info
>David Cross | Milkyway Networks Corporation
>Vice-President, Sales | The home of the Black Hole firewall
>E-mail- Davidc@Milkyway.com |Ottawa, Ontario Canada
>Voice: (613) 566-4574
>Fax: (613) 596-5615

This is a *very* good product. I looked at other firewall packages and all of them seemed to be restrictive and inhibitive in nature. BlackHole's transparency method, however, allows for total protection without impedance on Internet client tools on the private side (this was a major issue for us). We're also getting some very good stats from BlackHole's logs. I highly recommend BlackHole.
From firewalls-owner Fri Jan 13 07:29:08 1995
Message-Id: <9501131508.AA00264@ mn.chey.com>
From: Brian Smith
Subject: Time Synchronization thru firewall
To: Firewalls@GreatCircle.COM
Date: Fri, 13 Jan 1995 9:05:20 CST

Does anyone have recommendations regarding how to receive time synchronization through a firewall? Is there a preferred protocol to use and available software? Is there a well established/trusted host on the Internet (e.g. NIST labs) that provides a "heartbeat"? I'd appreciate direct email replies, as I do not monitor this list.

Many Thanks,
Brian Smith
brian@mn.chey.com

From firewalls-owner Fri Jan 13 07:44:20 1995
Date: Fri, 13 Jan 95 09:23:38 -0500
Message-Id: <9501131423.AA22588@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E.
Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Lies, D*mn Lies, & Statistics

> alone attempts. Current "educated" guessing is anywhere from 250 to
> 1000 successful intrusions a day resulting in some information

Well a SWAG is still a WAG. If by "intrusion" you mean a PING or FINGER from an unknown source, it is possible. If you mean an actual login by an unauthorized person *that was noticed*, I would think that more likely to be a monthly figure.

There are some important factors to keep in mind: first and foremost it is profitable to some to put the loosest possible criteria and so to use the highest marginally acceptable numbers. On the other hand, if it happens to YOU it is a disaster so there are both macro and micro considerations involved. And on the gripping hand, if it happens to YOU *and* the media gets ahold of it, we are now talking career threatening.

A few years ago a group called the MOD was apprehended and my company was listed as "attackee". The fact that they only were able to gain minimal access to a telephone switch that was maintained by a sub-contractor - can you say "outsourced" - and that anything important required a password that the intruders never obtained was unimportant to the media. Further that AFAIK the intruders just knew that a switch was on a certain number and not *whose* switch it was (took the Secret Service to find that out) was also not pertinent. What appeared in the Wall Street Journal (and reappears at least once a year somewhere) was that the list of penetrated companies included Martin-Marietta.

Periodically, we are strobed by war dialers. This should surprise no-one since kids will be kids. I know about it and Southern Bell knows about it.
Generally I just send a polite note asking them not to do it again (caller-id is nice and our new switch has ANI - when you own an entire exchange it is easy to set up some numbers as traps with logs) and so far it has not happened twice. For that matter we require modem registration/briefings for AA and I periodically strobe our lines. Of course since am on the inside I only need to dial five digits and the response is fast. So I know where the modems are that answer the phone and they are protected. (Well, is only two layers - policy and validation - am working on a third). But the point is that to some, the fact that a war dialer can find some modems would be considered to be a "sucessful attack" and might even count every line found as a separate one whether or not anything could be done with it. Further, what are the boundaries ? Companies ? Home BBSs ? Captured cell-phone ESNs ? The numbers can mount quickly. Finally, you have the situation that many will not report such attempts thinking it would hurt them politically. The fact is that anyone with any public presence who says they have not been strobed is either 1) Lying or 2) Oblivious. It happens every day. Enough, Padgett Btw, usual disclaimers apply - have said nothing that has not appeared in the media. 
From firewalls-owner Fri Jan 13 07:45:44 1995
From: mckenney@smiley.mitre.org (Brian W. McKenney)
Date: Fri, 13 Jan 95 10:12:19 EST
To: firewalls@GreatCircle.COM, fwtk-users@tis.com, staff@thumper.bellcore.com
Subject: S/Key MD5 client software for TIS Toolkit
Message-Id: <9501131512.AA14470@smiley.mitre.org.sit>

We have a customer that is currently employing the MD4 version of S/Key for the TIS Firewall Toolkit (authsrv is supporting S/Key MD4). We have S/Key MD4 client software for PC/Windows, Macintosh, and UNIX machines. We want to move towards S/Key MD5.

I am looking for information on available S/Key MD5 client software for the three different platforms (OS/2 and Windows NT would be nice too). We have some information already, however I want to find out if additional information is available. I will post a summary.

-Brian

Respectfully,
Brian W. McKenney
Mail Stop: Z-202
The MITRE Corporation
7525 Colshire Drive
McLean, VA 22102
Voice: 703-883-5463
Fax: 703-883-1397

From firewalls-owner Fri Jan 13 08:12:36 1995
From: Rich.Friedeman@corp.anixter.com
Date: Fri, 13 Jan 95 09:26:15 csd
To: firewalls@greatcircle.com
Subject: Re: DNS Configuration
Message-Id: <9500137900.AA790018008@corp.anixter.com>

"Ward D. Britton" writes
> I have a requirement to setup a SINGLE system, which connects to the
> local service provider via ppp as well as many other regional sites,
> via direct PPP links.
> As such, it is necessary to run DNS. But unfortunately, I cannot
> figure out how to stop the addresses and hostnames for the other ppp
> interfaces on this particular system, from being propagated to the
> world via DNS.

One easy way to do it would simply be to give your DNS a wildcard entry for your domain. Set up the beginning defining your domain as usual, and in the hosts section, just have an entry like

    generic IN A 123.234.*.*

This will return either 'generic.mydomain.com' or UNKNOWN.mydomain.com (I don't remember which) for each host in your domain. If you want particular hosts to be resolvable, and don't mind that the info is public, put their entries before these.

Unfortunately, this doesn't do you much good if you actually need to be able to resolve all of the hostnames internally without the info getting out.
Rich
rich.friedeman@anixter.com

From firewalls-owner Fri Jan 13 08:25:23 1995
From: z056716@uprc.com (LaCoursiere J. D. (Jeff))
Date: Fri, 13 Jan 1995 09:59:03 +0600
To: KMcCann@idrc.ca
Cc: firewalls@greatcircle.com
Subject: Re: Firewall Product List
Message-Id: <9501131559.AA06077@cygnus.uprc.com>

> This is a *very* good product. I looked at other firewall packages and all of
> them seemed to be restrictive and inhibitive in nature. BlackHole's
> transparency method, however, allows for total protection without impedance
> on Internet client tools on the private side (this was a major issue for us).
>
> We're also getting some very good stats from BlackHole's logs.
>
> I highly recommend BlackHole.

First, I appreciate the fact that you took time to mention "Blackhole" and share your experience. The above recommendation, however, is lacking a number of technical pieces to support it.

What makes you think that their transparency method allows total protection? What is YOUR definition of total protection? What exactly IS this method and how do they implement it? What do you mean by good stats? Rejected attacks? How well have you tested the various security policies that this firewall is supposedly enforcing?

I think the members of the firewall lists have a responsibility when they post to include in-depth information, especially when recommending a product. I assume there are a number of non-technical managerial types listening that would take the above recommendation without examining the questions it begs.

Please note this is not meant as a flame, just a suggestion.

Jeff LaCoursiere
FastLane Communications / Network security/services
mail info@fastlane.net
lacoursj@fastlane.net
FastLane Communications! Connecting America to the Internet...

From firewalls-owner Fri Jan 13 08:40:20 1995
From: gordy@nytimes.com (Gordy Thompson)
Date: Fri, 13 Jan 1995 11:19:12 -0500
To: firewalls@greatcircle.com
Subject: Re: List of firewall log attack signatures?
Message-Id: <9501131619.AA00273@mailgate.nytimes.com>

At 09:27 AM 1/13/95 EST, adamsb@un.org wrote:
> Does anyone have a list of common firewall log entries that show that a
> firewall is being attacked, and what kind of attack the log entries
> represent?
>
> If so, I would be grateful if you could e-mail a copy to me at
> adamsb@un.org.
>
> Posting the log entries on the list might not be appropriate, as the
> alt.2600/#Hack FAQ recommends that crackers subscribe to this list.

By that line of reasoning, this list shouldn't even exist. [:-]

I think it would be highly appropriate to post something like this to firewalls-l. If it's of inordinate length, it would be more economical to make it available through a Web page or ftp site and just post a pointer here.

==========================================================================
Gordon T. Thompson              gordy@nytimes.com
Manager, Internet Services      212 556 1386
The New York Times              fax: 212 556 1636
The Times and I have an arrangement: Neither of us speaks for the other.

From firewalls-owner Fri Jan 13 08:54:40 1995
From: criney1@abacus.tis.tandy.com (Chris Riney)
Date: Fri, 13 Jan 1995 10:13:36 -0600 (CST)
To: brian@mn.chey.com (Brian Smith)
Cc: Firewalls@GreatCircle.COM
Subject: Re: Time Synchronization thru firewall
Message-Id: <9501131613.AA24610@abacus.tis.tandy.com>
In-Reply-To: <9501131508.AA00264@ mn.chey.com> from "Brian Smith" at Jan 13, 95 09:05:20 am

> Does anyone have recommendations regarding how to receive time synchronization
> through a firewall? Is there a preferred protocol to use and available
> software? Is there a well established/trusted host on the Internet
> (e.g. NIST labs) that provides a "heartbeat"?
>
> I'd appreciate direct email replies, as I do not monitor this list.
>
> Many Thanks,
> Brian Smith
> brian@mn.chey.com

A number of OS vendors provide a version of NTPD (Network Time Protocol Daemon) with their package. For those that don't, or if you want a newer version, there is xntpd version 3.3m (I got our copy from louie.udel.edu:/pub/ntp).

One way to configure a time service interface is to have the Gateway/bastion host query a reliable ntp server, which in turn allows systems on your side to query it. The ntp configuration includes configuring who is allowed to query the server, along with access codes.

Several of the Service providers (like PSI whom we contract with currently) provide ntp level 1 servers, some of which are in turn sync'd with the US Navigational Satellite system (forgot its name right now). If in doubt ask your service provider if they provide this service, or whom they would recommend.

I would not recommend using timed, since you have no control over who is the master, or can become your master server. Timed is also a UDP broadcast service that is transmitted at a consistent interval.
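The bastion-host arrangement Chris Riney describes above (poll one upstream server, let internal hosts query the bastion, refuse everyone else) as an added Python example that is not part of his post: it embeds a constructed xntpd-style ntp.conf with placeholder addresses and evaluates its restrict lines for a given client, using a simplified "most specific mask wins" model of xntpd's access list.

```python
"""Evaluate xntpd-style 'restrict' access control for a bastion NTP server."""
import ipaddress
from typing import List, Set, Tuple

# Constructed ntp.conf for the bastion host (xntpd 3.x syntax). Addresses are
# documentation-range placeholders, not real servers.
BASTION_NTP_CONF = """\
server    192.0.2.10                          # upstream ntp server (placeholder)
driftfile /etc/ntp.drift

restrict  default ignore                      # default deny: answer nobody
restrict  192.0.2.10 nomodify notrap noquery  # take its time, refuse control/queries
restrict  10.1.0.0 mask 255.255.0.0 nomodify notrap   # internal net may sync from us
restrict  127.0.0.1                           # unrestricted: local ntpq/xntpdc only
"""

KNOWN_FLAGS = {"ignore", "noquery", "nomodify", "notrap", "nopeer", "noserve", "notrust"}
ALL_ONES = 0xFFFFFFFF


def parse_restrict(config: str) -> List[Tuple[int, int, Set[str]]]:
    """Return (network, mask, flags) for each restrict line, in file order."""
    entries = []
    for raw in config.splitlines():
        words = raw.split("#", 1)[0].split()          # drop trailing comment
        if len(words) < 2 or words[0] != "restrict":
            continue
        if words[1] == "default":                     # same as 0.0.0.0 mask 0.0.0.0
            net, mask, rest = 0, 0, words[2:]
        else:
            net, mask, rest = int(ipaddress.IPv4Address(words[1])), ALL_ONES, words[2:]
            if rest[:1] == ["mask"]:
                mask, rest = int(ipaddress.IPv4Address(rest[1])), rest[2:]
        unknown = set(rest) - KNOWN_FLAGS
        if unknown:
            raise ValueError(f"unknown restrict flag(s) {sorted(unknown)} in {raw!r}")
        entries.append((net & mask, mask, set(rest)))
    return entries


def restrict_flags(config: str, client_ip: str) -> Set[str]:
    """Flags applied to a client: the matching entry with the most specific
    mask wins; on equal masks the later line wins (simplified xntpd model)."""
    client = int(ipaddress.IPv4Address(client_ip))
    best_bits, best_flags = -1, set()
    for net, mask, flags in parse_restrict(config):
        bits = bin(mask).count("1")
        if client & mask == net and bits >= best_bits:
            best_bits, best_flags = bits, flags
    return set(best_flags)


def serves_time(config: str, client_ip: str) -> bool:
    """Would this client get time replies (client/server mode exchange)?"""
    return not (restrict_flags(config, client_ip) & {"ignore", "noserve"})


def answers_queries(config: str, client_ip: str) -> bool:
    """Would this client get ntpq/xntpdc (mode 6/7) answers?"""
    return not (restrict_flags(config, client_ip) & {"ignore", "noquery"})


if __name__ == "__main__":
    for ip in ("10.1.4.7", "198.51.100.5", "192.0.2.10", "127.0.0.1"):
        print(ip, sorted(restrict_flags(BASTION_NTP_CONF, ip)),
              "time" if serves_time(BASTION_NTP_CONF, ip) else "-",
              "query" if answers_queries(BASTION_NTP_CONF, ip) else "-")
```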
==========================================================================
Chris Riney                             E-mail: chris.riney@tandy.com
Tandy Information Services
Tandy Technology Sqr, Suite 200
Fort Worth, TX 76102                    Phone: 817/878-0308; 8:00am-5:00pm CST, Mo-Fr

From firewalls-owner Fri Jan 13 09:17:04 1995
From: RAS@cacdvax.cacd.rockwell.com
Date: Fri, 13 Jan 1995 10:57:46 -0600 (CST)
To: adamsb@un.org
Cc: firewalls@greatcircle.com, RAS@cacdvax.cacd.rockwell.com
Subject: RE: List of firewall log attack signatures?
Message-Id: <950113105746.3f20cc51@cacdvax.cacd.rockwell.com>

> Does anyone have a list of common firewall log entries that show that a
> firewall is being attacked, and what kind of attack the log entries
> represent?
>
> If so, I would be grateful if you could e-mail a copy to me at
> adamsb@un.org.

I recently posted a notice on fwtk-users volunteering to create a FAQ of common firewall log entries (for TIS, tcp-wrappers, sendmail, etc.). I've received a few contributions since then. I hope to post the first issue of the FAQ in 3-6 weeks.

Pertinent extracts from logs, identifying what system generated the logs (e.g. TIS, TCP-wrapper, sendmail, etc.), along with an explanation of what activity causes the log entries, are welcomed here. They can be sent directly to me if desired, or posted to the list.

> Posting the log entries on the list might not be appropriate, as the
> alt.2600/#Hack FAQ recommends that crackers subscribe to this list.

Guess I don't see the problem with posting the log entries as nothing prevents the hackers from viewing the logs on hacked systems or their own systems.

Bob

From firewalls-owner Fri Jan 13 09:40:05 1995
From: "Ellis, Veryl"
Date: Fri, 13 Jan 95 11:51:33 EST
To: firewalls@greatcircle.com, fwall-users@tis.com
Subject: MS-Windows Telnet Clients
Message-Id: <9500137900.AA790026827@mail.biosis.org>

Does anyone know of a MS-Windows Telnet client that will talk to or thru a Proxy server?

S. Veryl Ellis
BIOSIS

From firewalls-owner Fri Jan 13 09:47:38 1995
From: sdwix@ttd.sandia.gov (Steven D. Wix)
Date: Fri, 13 Jan 1995 09:50:27 -0700
To: firewalls@GreatCircle.COM
Cc: rjorzel@sahp088
Subject: Firewalls and SUN systems
Message-Id: <199501131652.IAA24129@miles.greatcircle.com>

We are developing a nationwide LAN using the INTERNET as the connecting link between sites. The hardware configuration that we are going to use looks like this:

            Rest of the world
                   |
                   |
          _Firewall Machine___
         |___| Ethernet Card #1 |
         |                      |
         |___| Ethernet Card #2 |
         |______________________|
                   |
         __________|________________
           Secure internal network

I have several configuration questions.

1. Do I use the firewall machine as the gateway for the machines on the internal network?
2. We are using SUNs for the firewall machines. Is there firewall software available on the net for SUN machines? If so, what is the site?
3. Does the firewall software connect the two ethernet cards in the firewall machine or do I need separate routing software to connect the ethernet cards?
4. We are also using SecureID on the system. Does SecureID affect the firewall software?
5. We are going to use some client/server software on the network. Are there difficulties using client/server software through a firewall?

Thanks for the help. It is greatly appreciated.

====================================================
Steven D. Wix
Sandia National Laboratories
Transportation Systems Technology Department 6642
sdwix@ttd.sandia.gov
505-844-0778

From firewalls-owner Fri Jan 13 09:52:05 1995
From: adamsb@un.org
Date: Fri, 13 Jan 95 12:33:44 EST
Cc: firewalls@greatcircle.com, RAS@cacdvax.cacd.rockwell.com
Subject: Re[2]: List of firewall log attack signatures?
Message-Id: <9500137900.AA790029303@un.org>

> Guess I don't see the problem with posting the log entries as nothing
> prevents the hackers from viewing the logs on hacked systems or their
> own systems.

Some of these guys are a whole lot smarter than many of our staff who have a lifetime of computer experience behind them. I don't want to give them anything I don't have to. The more they have to find out for themselves, the longer it will take them to break in.

Of course I'm paranoid, but am I paranoid enough?

From firewalls-owner Fri Jan 13 11:10:15 1995
From: Mike Godsey
Date: Fri, 13 Jan 1995 10:48:52 -0800 (PST)
To: firewalls@GreatCircle.COM (Firewalls Mail List)
Subject: will post a SMART-CARD Summary next week
Message-Id: <199501131848.KAA07005@dns.medio.com>

I've been getting a few requests for a summary on the topic of 'smart-cards' that I requested info on. I'll post a summary sometime next week (the first summary I posted a week or so ago was very small; I've received more information since then...)

Sorry for the delay, but I've been away a few days, and swamped the others!
--
------------------------------------------------------------
| Mike Godsey            mgodsey@medio.com                 |
| Medio Multimedia                                         |
| Redmond, WA                                              |
------------------------------------------------------------

From firewalls-owner Fri Jan 13 11:27:08 1995
From: ted@gw.lsli.com
Date: Fri, 13 Jan 1995 12:55:21 -0600
To: firewalls@greatcircle.com
Cc: ellana@lsli2.lsli.com
Subject: PORTUS Update
Message-Id: <9501131855.AA15572@lsli2.lsli.com>

Just a quick note from LSLI for our friends at Firewalls.

LSLI is now shipping the PORTUS Secure Firewall version 1.3! It has numerous enhancements to the original package and is reasonably priced to boot. (Sorry for the blatant marketing plug)

And on the administrative front, a couple of corrections to the various vendor lists that have been floating around the newsgroups.

Our phone numbers are: 1-800 240-5754, or 713-496-1580, and 713-496-2258 (713-379-5754 is no more).
Our fax number is now 713-496-6356 (713-379-5225 is no longer a working number...)
Our information e-mail address is portusinfo@gw.lsli.com
Our product support e-mail address is portus@gw.lsli.com

Thanks
Ted Airedale
ted@gw.lsli.com

From firewalls-owner Fri Jan 13 11:40:24 1995
From: Alan Hannan
Date: Fri, 13 Jan 1995 12:46:00 -0600 (CST)
To: adamsb@un.org
Cc: RAS@cacdvax.cacd.rockwell.com, firewalls@GreatCircle.COM
Subject: Re: Re[2]: List of firewall log attack signatures?
Message-Id: <199501131846.MAA16317@noc1.mid.net>
In-Reply-To: <9500137900.AA790029303@un.org> from "adamsb@un.org" at Jan 13, 95 12:33:44 pm

> > Guess I don't see the problem with posting the log entries as nothing
> > prevents the hackers from viewing the logs on hacked systems or their
> > own systems.

Good point...

> Some of these guys are a whole lot smarter than many of our staff who have
> a lifetime of computer experience behind them. I don't want to give them
> anything I don't have to. The more they have to find out for themselves,
> the longer it will take them to break in.

A lifetime of VAX and COBOL experience. That's worth about as much as New Coca Cola.

> Of course I'm paranoid, but am I paranoid enough?

Paranoia gets you nothing. Acting on that paranoia does.

I won't reopen the debate on non-disclosure v. full disclosure, but unless you are fully confident that the "Evil Hackerz" don't know about this problem, and therefore by not telling people you are not leaving them open to rape and pillage, then you'd best share all problems and methods you see.

--
+ alan@mid.net    Network Operations Center    (402)/472-0242, Fax (402)/472-0240 +
+ MIDnet, Inc.    "Small is the number of them that see with their own eyes       +
+                  and feel with their own hearts." - Albert Einstein             +

From firewalls-owner Fri Jan 13 11:42:03 1995
From: KMcCann@idrc.ca
Date: 13 JAN 95 11:53:13 EST
To: firewalls@greatcircle.com
Subject: Re: Firewall Product List
Message-ID: <0000nzrlxnxb.0000iscqecsq@idrc.ca>

> First, I appreciate the fact that you took time to mention "Blackhole"
> and share your experience. The above recommendation, however, is lacking
> a number of technical pieces to support it.

Mea culpa.
I just signed on to this list and am (was) not aware of the flavour or expectations.

> What makes you think that their transparency method allows total protection?
> What is YOUR definition of total protection? What exactly IS this method
> and how do they implement it? What do you mean by good stats? Rejected
> attacks? How well have you tested the various security policies that this
> firewall is supposedly enforcing?

Okay, let me give a description of how BlackHole works:

- based on TCP routing principle which requires all IP packets between Internet and the protected network to pass through BlackHole.
- BH's operating system kernel is modified to disable all IP forwarding, source routing, and IP redirecting functions (ie no ICMP redirecting).
- monitors all inbound and outbound traffic and authorizes access based on what the administrator has specifically allowed via the maintenance of a table. By default, nothing comes in or out until the file is configured for the desired effect.

Transparency (which is what I originally wanted to illuminate):

- Once BH receives a packet requesting a connection, it will attempt to start a session to the target machine on behalf of the internal host. Once connected, BH will relay all packets between the private and the target hosts. Both hosts 'believe' they are communicating directly, but in reality, BH authenticates and passes traffic between them.
- internal users need not connect to a proxy server, then from there manually start another session to the target - as is the case with the other firewalls I looked at. BH allows for seamless connections. The end user sees no difference, and more importantly, Windows clients such as FTP and Telnet are not adversely affected by a two-step process. Seamless and transparent.
- "advanced" applications such as Mosaic are not inhibited - due to transparency. With some other firewalls, sys admins will need to get the httpd proxy and slap it on. What about future applications? Will you continually have to wait until someone on the net writes a proxy? Will it be safe? These issues are of no concern with BlackHole, due to transparency.

Logfiles:

- I have used the logfiles to not only show access denials, but also usage of Internet clients internally (FTP, Gopher, Telnet, Mosaic) as well as incoming and outgoing mail. There are stats for the entire centre as well as for individual users. We can see who the top WWW users are, who receives the most Internet mail, etc. These stats can be very useful for making a case to management. For example, I graphed usage of Gopher and WWW by our staff. By showing that the WWW usage was increasing and the gopher usage levelling off, I was able to convince management that we need to provide a WWW server for dissemination, in addition to the gopher server we have now (based on the assumption that if our own staff is leaning toward WWW, so might the rest of the Internet).

What I would humbly suggest is that if non-techie management types who are listening want to try it out, they should not simply believe Kevin McCann and instantly issue a purchase order. Rather, they should ask for an evaluation term and commission a technical person to test the yingyang out of it (as I did).
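The default-deny table and the connection relay Kevin McCann describes above, as an added Python illustration that is not BlackHole's code: the policy table format, the internal network and the permitted ports are constructed assumptions, and the `connect` hook is injectable so the relay can be exercised over local socket pairs instead of a live network.

```python
"""Default-deny policy table plus a transparent TCP relay (added illustration)."""
import ipaddress
import select
import socket
from typing import Callable, Optional

# Constructed policy table (assumed format, not BlackHole's own): each entry
# names an internal source network and one destination port it may reach.
# Anything not listed is refused, i.e. nothing passes until the table says so.
POLICY = [
    (ipaddress.ip_network("10.1.0.0/16"), 21),   # ftp control outbound
    (ipaddress.ip_network("10.1.0.0/16"), 23),   # telnet outbound
    (ipaddress.ip_network("10.1.0.0/16"), 80),   # http (Mosaic) outbound
]


def authorized(src_ip: str, dst_port: int) -> bool:
    """Default deny: allowed only if some table row covers source and port."""
    src = ipaddress.ip_address(src_ip)
    return any(src in net and dst_port == port for net, port in POLICY)


def relay(a: socket.socket, b: socket.socket, bufsize: int = 4096) -> int:
    """Shuttle bytes in both directions until both sides have sent EOF.
    Each side's EOF is passed on as a write-shutdown of its peer.
    Returns the total number of payload bytes relayed."""
    live = [a, b]
    peer = {a: b, b: a}
    total = 0
    while live:
        readable, _, _ = select.select(live, [], [])
        for s in readable:
            data = s.recv(bufsize)
            if not data:                       # this side closed: propagate EOF
                live.remove(s)
                try:
                    peer[s].shutdown(socket.SHUT_WR)
                except OSError:                # peer already gone; nothing to do
                    pass
                continue
            peer[s].sendall(data)
            total += len(data)
    return total


def handle_connection(client: socket.socket, src_ip: str, dst_host: str,
                      dst_port: int,
                      connect: Optional[Callable[[], socket.socket]] = None
                      ) -> Optional[int]:
    """Gate an inbound connection with the policy table; if allowed, open the
    session to the target on the client's behalf and relay both ways.
    Returns bytes relayed, or None when the policy refused the connection."""
    if not authorized(src_ip, dst_port):
        client.close()                         # refused: client just sees EOF
        return None
    if connect is None:
        connect = lambda: socket.create_connection((dst_host, dst_port))
    server = connect()
    try:
        return relay(client, server)
    finally:
        client.close()
        server.close()
```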
Regards (and thanks for your point well made, Jeff),

From firewalls-owner Fri Jan 13 11:58:12 1995
From: Bill.Roswell@OPCTU01.SMOXY.LANGATE.sprint.com
Date: Fri, 13 Jan 1995 13:52:00 -0500
To: firewalls@GreatCircle.COM
Subject: RFC for TCP/IP port assignment?
Message-ID: <"Fri Jan 13 13:52:33 199501*/G=Bill/S=Roswell/OU=OPCTU01/O=SMOXY/PRMD=LANGATE/ADMD=TELEMAIL/C=US/"@MHS>

What is the RFC number that recommends the port assignments for TCP/IP connections? Where can I obtain it?

Does anyone have recommendations on which ports are most likely to indicate hacker activity? Should all ports be monitored? Can some absolutely be discounted?

Thanks,
Bill

William C. Roswell
Manager Network Security
Corporate MIS, Technology Development
Occidental Petroleum Services
P.O. Box 3908
Tulsa, OK 74102
918/561-1437
bill roswell at OPCTU01.smoxy.langate.sprint.com

From firewalls-owner Fri Jan 13 13:10:12 1995
From: KREARDON@madge.com (Kevin Reardon P&T-SJ)
Date: 13 Jan 95 20:17:11
To: szh@zcon.com (Syed Zaeem Hosain), Mark_Podracky@smtpgtwy.idshq.com
Cc: firewalls@greatcircle.com
Subject: Re: What is WFW ? -- A Correcti
Message-Id: <114D172F010346D9>
In-Reply-To: F023172F010346D9

And all this time I thought it stood for "Won't Fully Work." But then again, it still applies.
---K

From firewalls-owner Fri Jan 13 13:40:04 1995
From: Kenneth Smith
Date: 13 Jan 95 13:06:54 EDT
To: firewalls
Subject: RFC for TCP/IP port assignment?
Message-Id: <9501132323.AA0162@notes.worldcom.com>

Bill.Roswell @ OPCTU01.SMOXY.LANGATE.sprint.com wrote:
> What is the RFC number that recommends the port assignments for TCP/IP
> connections? Where can I obtain it?

Try RFC 1060. Here's the list that comes with Windows NT (\winnt\system32\drivers\etc\services).

# Copyright (c) 1993-1994 Microsoft Corp.
#
# This file contains port numbers for well-known services as defined by
# RFC 1060 (Assigned Numbers).
#
# Format:
#
# <service name>  <port number>/<protocol>  [aliases...]   [#<comment>]
#

echo                 7/tcp
echo                 7/udp
discard              9/tcp    sink null
discard              9/udp    sink null
systat              11/tcp
systat              11/tcp    users
daytime             13/tcp
daytime             13/udp
netstat             15/tcp
qotd                17/tcp    quote
qotd                17/udp    quote
chargen             19/tcp    ttytst source
chargen             19/udp    ttytst source
ftp-data            20/tcp
ftp                 21/tcp
telnet              23/tcp
smtp                25/tcp    mail
time                37/tcp    timserver
time                37/udp    timserver
rlp                 39/udp    resource        # resource location
name                42/tcp    nameserver
name                42/udp    nameserver
whois               43/tcp    nicname         # usually to sri-nic
domain              53/tcp    nameserver      # name-domain server
domain              53/udp    nameserver
nameserver          53/tcp    domain          # name-domain server
nameserver          53/udp    domain
mtp                 57/tcp                    # deprecated
bootp               67/udp                    # boot program server
tftp                69/udp
rje                 77/tcp    netrjs
finger              79/tcp
link                87/tcp    ttylink
supdup              95/tcp
hostnames          101/tcp    hostname        # usually from sri-nic
iso-tsap           102/tcp
dictionary         103/tcp    webster
x400               103/tcp                    # ISO Mail
x400-snd           104/tcp
csnet-ns           105/tcp
pop                109/tcp    postoffice
pop2               109/tcp                    # Post Office
pop3               110/tcp    postoffice
portmap            111/tcp
portmap            111/udp
sunrpc             111/tcp
sunrpc             111/udp
auth               113/tcp    authentication
sftp               115/tcp
path               117/tcp
uucp-path          117/tcp
nntp               119/tcp    usenet          # Network News Transfer
ntp                123/udp    ntpd ntp        # network time protocol (exp)
nbname             137/udp
nbdatagram         138/udp
nbsession          139/tcp
NeWS               144/tcp    news
sgmp               153/udp    sgmp
tcprepo            158/tcp    repository      # PCMAIL
snmp               161/udp    snmp
snmp-trap          162/udp    snmp
print-srv          170/tcp                    # network PostScript
vmnet              175/tcp
load               315/udp
vmnet0             400/tcp
sytek              500/udp
biff               512/udp    comsat
exec               512/tcp
login              513/tcp
who                513/udp    whod
shell              514/tcp    cmd             # no passwords used
syslog             514/udp
printer            515/tcp    spooler         # line printer spooler
talk               517/udp
ntalk              518/udp
efs                520/tcp                    # for LucasFilm
route              520/udp    router routed
timed              525/udp    timeserver
tempo              526/tcp    newdate
courier            530/tcp    rpc
conference         531/tcp    chat
rvd-control        531/udp    MIT disk
netnews            532/tcp    readnews
netwall            533/udp                    # -for emergency broadcasts
uucp               540/tcp    uucpd           # uucp daemon
klogin             543/tcp                    # Kerberos authenticated rlogin
kshell             544/tcp    cmd             # and remote shell
new-rwho           550/udp    new-who         # experimental
remotefs           556/tcp    rfs_server rfs  # Brunhoff remote filesystem
rmonitor           560/udp    rmonitord       # experimental
monitor            561/udp                    # experimental
garcon             600/tcp
maitrd             601/tcp
busboy             602/tcp
acctmaster         700/udp
acctslave          701/udp
acct               702/udp
acctlogin          703/udp
acctprinter        704/udp
elcsd              704/udp                    # errlog
acctinfo           705/udp
acctslave2         706/udp
acctdisk           707/udp
kerberos           750/tcp    kdc             # Kerberos authentication--tcp
kerberos           750/udp    kdc             # Kerberos authentication--udp
kerberos_master    751/tcp                    # Kerberos authentication
kerberos_master    751/udp                    # Kerberos authentication
passwd_server      752/udp                    # Kerberos passwd server
userreg_server     753/udp                    # Kerberos userreg server
krb_prop           754/tcp                    # Kerberos slave propagation
erlogin            888/tcp                    # Login and environment passing
kpop              1109/tcp                    # Pop with Kerberos
phone             1167/udp
ingreslock        1524/tcp
maze              1666/udp
nfs               2049/udp                    # sun nfs
knetd             2053/tcp                    # Kerberos de-multiplexor
eklogin           2105/tcp                    # Kerberos encrypted rlogin
rmt               5555/tcp    rmtd
mtb               5556/tcp    mtbd            # mtb backup
man               9535/tcp                    # remote man server
w                 9536/tcp
mantst            9537/tcp                    # remote man server, testing
bnews            10000/tcp
rscs0            10000/udp
queue            10001/tcp
rscs1            10001/udp
poker            10002/tcp
rscs2            10002/udp
gateway          10003/tcp
rscs3            10003/udp
remp             10004/tcp
rscs4            10004/udp
rscs5            10005/udp
rscs6            10006/udp
rscs7            10007/udp
rscs8            10008/udp
rscs9            10009/udp
rscsa            10010/udp
rscsb            10011/udp
qmaster          10012/tcp
qmaster          10012/udp

From firewalls-owner Fri Jan 13 14:46:21 1995
Date: Fri, 13 Jan 1995 17:17:07 -0500
Message-Id: <199501132219.OAA00591@miles.greatcircle.com>
From: gary flynn To: firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM Subject: Re: RFC for TCP/IP port assignment? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk RFC1700 is the newest version. I get mine from: (let's see, where is my Daytimer) 128.6.4.2 rfcxxxx.txt From firewalls-owner Fri Jan 13 16:40:03 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA02247 for firewalls-outgoing; Fri, 13 Jan 1995 16:32:46 -0800 Received: from exchange.acc.org (exchange.acc.org [199.74.213.82]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA02242 for ; Fri, 13 Jan 1995 16:32:43 -0800 From: twalker@acc.org Received: from ccMail by exchange.acc.org (IMA Internet Exchange v1.04) id f171ce80; Fri, 13 Jan 95 19:38:00 -0500 Mime-Version: 1.0 Date: Fri, 13 Jan 1995 19:37:01 -0500 Message-ID: Subject: Sendmail & DNS? Secure enough for a firewall? To: firewalls@greatcircle.com Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Is Sendmail 5.x/SMI-SVR4 secure for use on a firewall? I am buttoning down a Sun running solaris 2.4 and could use a little advice. How about DNS as shipped with Solaris? If not, how about a ftp site to gather the latest versions. Thanks, Tom. ----------------------------------------------------------------- Tom Walker, Network Manager American College of Cardiology MHS:twalker@acc Internet:twalker@acc.org From firewalls-owner Fri Jan 13 17:39:56 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA02792 for firewalls-outgoing; Fri, 13 Jan 1995 17:25:07 -0800 Received: from magna.com.au (mmdf@magna.com.au [203.4.212.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA02780 for ; Fri, 13 Jan 1995 17:25:03 -0800 Received: from xplus.com.au by magna.com.au id aa06293; 14 Jan 95 12:23 PST From: "Ward D. 
Britton" Message-Id: <9501141203.ZM13089@xplus.com.au> Date: Sat, 14 Jan 1995 12:03:14 +0000 X-Mailer: Z-Mail (3.2.0 06sep94) To: firewalls@greatcircle.com Subject: Re: DNS Configuration Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Rich.Friedeman@corp.anixter.com responded... "Ward D. Britton" writes >I have a requirement to setup a SINGLE system, which connects to the >local service provider via ppp as well as many other regional sites, >via direct PPP links. >As such, it is necessary to run DNS. But unfortunately, I cannot >figure out how to stop the addresses and hostnames for the other ppp >interfaces on this particular system, from bein propogated to the >world via DNS. One easy way to do it would simply be to give your DNS a wildcard entry for your domain. Set up the beginning defining your domain as usual, and in the hosts section, just have an entry like generic IN A 123.234.*.* This will return either 'generic.mydomain.com' or UNKNOWN.mydomain.com (I don't remember which) for each host in your domain. If you want particular hosts to be resolvable, and don't mind that the info is public put their entries before these. Yes... it does resolve into unknown.mydomain.com. Unfortunately, this doesn't do you much good if you actually need to be able to resolve all of the hostnames interntally without the info getting out. And this is the issue in a nutshell. Hosts need to be internally resolved, but not propagated to the world. someone suggested to me that creating a 'split DNS' would do the trick, but my understanding of this means that the DNS is split between systems, ie public and internal, with the resolv.conf providing internal re-direction etc... Is this the case ? Rich rich.friedeman@anixter.com ---End of forwarded mail from Rich.Friedeman@corp.anixter.com -- Ward D. Britton Email: wardb@magna.com.AU Senior Consultant Fax: +61(2)452-2142 X + Open Systems Pty. Ltd. 
Phone: +61(15)702-002

From firewalls-owner Fri Jan 13 18:43:42 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA03369 for firewalls-outgoing; Fri, 13 Jan 1995 18:24:43 -0800
Received: from netcom20.netcom.com (root@netcom20.netcom.com [192.100.81.133]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA03364 for ; Fri, 13 Jan 1995 18:24:41 -0800
Received: by netcom20.netcom.com (8.6.9/Netcom) id RAA07364; Fri, 13 Jan 1995 17:56:46 -0800
Date: Fri, 13 Jan 1995 17:56:46 -0800 (PST)
From: Justin Harvey
X-Sender: jharvey@netcom20
To: firewalls@greatcircle.com
Subject: FTP through firewall
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Are most people that operate firewalls allowing ports 1024-2000 incoming so that outbound ftp may work? If you don't do this the ftp won't work... I've also read that you can somehow use the PASV command... do we need to modify a source of ftp and use that if we don't want to enable 1024-2000?

Justin

From firewalls-owner Fri Jan 13 19:10:00 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA03491 for firewalls-outgoing; Fri, 13 Jan 1995 18:44:37 -0800
Received: from norman.li.Cubic.COM (norman.li.Cubic.COM [149.63.2.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA03475 for ; Fri, 13 Jan 1995 18:44:32 -0800
Received: from bingo.buf.cubic.com (buf.Cubic.COM [149.63.9.2]) by norman.li.Cubic.COM (8.3/8.3) with SMTP id VAA09705; Fri, 13 Jan 1995 21:42:27 -0500
Received: from [192.168.0.18] by bingo.buf.cubic.com id aa02910; 13 Jan 95 21:37 EST
X-Sender: mischler@norman.li.cubic.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 13 Jan 1995 21:40:25 -0500
To: Firewalls@greatcircle.com
From: Dave Mischler
Subject: Tunnelling through packet filters
X-Mailer:
Message-ID: <9501132137.aa02910@bingo.buf.cubic.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It is well known that many packet filtering implementations allow all non-first IP fragments to pass through the filter (i.e. packets where the fragment offset in the IP header is non-zero). It occurred to me recently that this could be used to construct a tunnelling mechanism. All that is needed is a device or program that acts as a router (or NAT) except that when it is ready to tunnel a packet it adds a known value to the fragment offset, and when it receives a tunnelled packet it subtracts this value from the fragment offset. Two of these devices (or programs) can create a tunnel through many packet filters. I know for a fact that this could be done in 1 evening by a knowledgeable person.

Anybody know which implementations are / are not vulnerable to this? I really want to know about the cisco and Drawbridge packet filters.

Dave.Mischler@Cubic.COM

From firewalls-owner Fri Jan 13 19:29:07 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA03504 for firewalls-outgoing; Fri, 13 Jan 1995 18:45:25 -0800
Received: from master.lds-az.loral.com (master.lds-az.loral.com [158.185.20.193]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA03498 for ; Fri, 13 Jan 1995 18:45:22 -0800
Received: by master.lds-az.loral.com (5.65a/LDS-AZ-3.12) id AA29537; Fri, 13 Jan 95 19:37:02 -0700
Date: Fri, 13 Jan 95 19:37:02 -0700
From: goodic@master.lds-az.loral.com ( Charles Gooding )
Message-Id: <9501140237.AA29537@master.lds-az.loral.com>
To: firewalls@greatcircle.com
Subject: FWTK and http-gw
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello to all

I have three questions:

1) Does Mosaic run through the TIS toolkit??
2) If it does, then how do we configure it?
3) How do you get DEBUG to work ??

The host names and ip addresses have been changed to protect the innocent. My configuration is as follows:

Home page URL is "http://phantom7/http:/some_web_server/home_page.html".

/etc/services:
    http 80/tcp

/etc/inetd.conf:
    http stream tcp nowait root /usr/local/etc/http-gw http-gw -d /opt/log/debug.

Netperm-table:
    http-gw: default-http "some_web_server" permit hosts * -http "some_web_server" -log { read }

/etc/hosts:
    199.199.4.10 phantom mailhost loghost
    199.199.7.50 phantom7
    199.199.7.10 zenon
    199.199.7.46 ds9
    199.199.8.50 some_web_server

/var/messages:
    Jan 12 16:54:50 phantom http-gw [2269] default-http must have one parameter, line 90
    Jan 12 16:54:50 phantom http-gw [2269] exit host=ds9/199.199.7.46 code=1

The (un)interesting facts about this are :

1) If I don't use the "default-server" parameter I get the first page of the doc. and a "Cannot connect to remote server" on the status line. Also, no more pages unless I change the URL for the next page.
2) Cannot get anything in the /opt/log/debug file. (It was compiled with the debug options on)
3) I tried using netacl to execute http-gw ... Same result

Thank you for any comments ...

chuck

From firewalls-owner Fri Jan 13 19:40:00 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA04197 for firewalls-outgoing; Fri, 13 Jan 1995 19:38:20 -0800
Received: from taureau.as03.bull.oz.au (taureau.as03.bull.oz.au [134.211.128.112]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id TAA04192 for ; Fri, 13 Jan 1995 19:38:05 -0800
Received: by taureau.as03.bull.oz.au id AA05294 (5.65c/IDA-1.4.4 for Firewalls@greatcircle.com); Sat, 14 Jan 1995 15:03:36 +1100
Received: from localhost (sjg@localhost [127.0.0.1]) by zen.void.oz.au (8.6.9/8.6.9) with SMTP id MAA29061; Sat, 14 Jan 1995 12:14:48 +1100
Message-Id: <199501140114.MAA29061@zen.void.oz.au>
X-Authentication-Warning: zen.void.oz.au: Host localhost didn't use HELO protocol
To: criney1@abacus.tis.tandy.com (Chris Riney)
Cc: brian@mn.chey.com (Brian Smith), Firewalls@greatcircle.com
Subject: Re: Time Synchronization thru firewall
In-Reply-To: Your message of "Fri, 13 Jan 95 10:13:36 MDT." <9501131613.AA24610@abacus.tis.tandy.com>
Date: Sat, 14 Jan 1995 12:14:46 +1100
From: "Simon J. Gerraty"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > Does anyone have recommendations regarding how to receive time synchronization
> > through a firewall? Is there a preferred protocol to use and available
> > software? Is there a well established/trusted host on the Internet

> One way to configure a time service interface is to have the Gateway/bastion
> host query a reliable ntp server, which in turn allows systems on your side
> to query it. The ntp configuration includes configuring who is allowed
> to query the server, along with access codes.

By all means sync your ntpd with an external source, but if you want to be safe from time based re-play attacks, you need to also sync with at least one internal source at the same level. That way if someone sends you bogus ntp from the outside, your ntpd will reject it based on its majority rules approach.

--sjg

From firewalls-owner Fri Jan 13 21:14:42 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA05168 for firewalls-outgoing; Fri, 13 Jan 1995 21:09:26 -0800
Received: from wendy.jcmco.com (root@wendy.jcmco.com [199.6.34.20]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id VAA05163 for ; Fri, 13 Jan 1995 21:09:22 -0800
Received: by wendy.jcmco.com (5.65/1.12-jcm) id AA12250; Sat, 14 Jan 95 00:07:37 -0500
Date: Sat, 14 Jan 95 00:07:37 -0500
From: Jim Miller
Message-Id: <9501140507.AA12250@wendy.jcmco.com>
To: firewalls@greatcircle.com
Subject: TAMU Drawbridge / Protocol Manager?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I was investigating the TAMU Drawbridge software for a special project I'm working on, and am having difficulty getting it installed and working on a testbed system. I'm using an old 386, 4 Megs, DOS 6.0 with two Intel Etherexpress cards in order to test and analyze the Drawbridge's functionality.

I've set up config.sys as described in the instructions, but the problem I'm encountering is when loading the NDIS driver for the boards. The protocol manager that came with Drawbridge identifies itself as "3com DOS Protocol Manager v2.0". When the NDIS drivers load, they fail with this error message:

    Failure: Protocol Manager did not accept EtherExpress 16 driver.
    Failure: NDIS environment invalid, Driver not loaded

So.... do I need a different/newer protocol manager for these drivers? Is anyone (besides TAMU :-) ) actually using Drawbridge for packet filtering?

Thanks in advance,
Jim Miller

From firewalls-owner Sat Jan 14 05:09:58 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA07996 for firewalls-outgoing; Sat, 14 Jan 1995 04:48:45 -0800
Received: from netcom14.netcom.com (miltwebb@netcom14.netcom.com [192.100.81.126]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id EAA07991 for ; Sat, 14 Jan 1995 04:48:42 -0800
Received: by netcom14.netcom.com (8.6.9/Netcom) id EAA04416; Sat, 14 Jan 1995 04:46:22 -0800
Date: Sat, 14 Jan 1995 04:46:21 -0800 (PST)
From: Milt Webb
Subject: Re: FW: PC Take-Over -- reply
To: firewalls@GreatCircle.com
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 5 Jan 1995, Wulf Losee wrote:

[deletia]

> Correct me if I'm wrong (please!), but since DOS and regular Windows (both
> Windows 3.x and Windows for Warehouses) are not multitasking,
> multithreading operating systems it would be impossible to subvert these
> systems unless the cracker were dialing in through a modem or actually
> sitting at the PC's console.
>

I personally know a lot of folks who leave PC Anywhere or ReachOut or some other remote control program running on their office PC so they can dial in and work. Many without passwords etc. Could make a good springboard for attacks...

From firewalls-owner Sat Jan 14 12:09:57 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA09706 for firewalls-outgoing; Sat, 14 Jan 1995 11:51:10 -0800
Received: from relay.tis.com (firewall_user@relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA09701 for ; Sat, 14 Jan 1995 11:51:08 -0800
Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma007597; Sat Jan 14 14:49:10 1995
Received: from otter.tis.com. by tis.com (4.1/SUN-5.64) id AA23109; Sat, 14 Jan 95 14:46:47 EST
From: Marcus J Ranum
Message-Id: <9501141946.AA23109@tis.com>
Subject: Re: Tunnelling through packet filters
To: Dave.Mischler@cubic.com (Dave Mischler)
Date: Sat, 14 Jan 1995 14:53:17 -0500 (EST)
Cc: Firewalls@greatcircle.com
In-Reply-To: <9501132137.aa02910@bingo.buf.cubic.com> from "Dave Mischler" at Jan 13, 95 09:40:25 pm
Organization: Trusted Information Systems, Inc. Glenwood, MD
Phone: 301-854-6889
Content-Type: text
Content-Length: 1074
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> It is well known that many packet filtering implementations allow
> all non-first IP fragments to pass through the filter (i.e. packets
> where the fragment offset in the IP header is non-zero). It occurred
> to me recently that this could be used to construct a tunnelling
> mechanism.

Tunnelling is possible over any reasonable bandwidth covert channel. (A friend of mine refers to these as "overt channels" on the basis that most "covert" channels aren't "covert" enough to merit the name.)

I have a prototype of TCP/IP over Email that is in progress, but it's not done yet, due to real work load. NFS is a good protocol for running over Email-based IP since it handles retries and lets you specify timeouts and packet sizes (NFS 4k reads work well for Email). I expect that TCP over Email will show pretty lame response time due to latency, but having a packet size of 1/2Mb means that once your connection is set up, data will really rock right along...

Other possible avenues for tunnelling are over protocols that forward datagrams. DNS is a good example.

mjr.
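The check Dave's question is really asking for, as an added example that comes from neither poster nor from any of the filters named (cisco, Drawbridge): a small Python model of a packet filter that keeps state on first fragments, so that a packet with a non-zero fragment offset is no longer waved through unexamined. The class name FragmentAwareFilter, the SMTP-only policy, the 30-second window and the sample packets (built inline from RFC 5737 documentation addresses) are all constructed for this illustration.

```python
import socket
import struct
from dataclasses import dataclass

TCP, UDP = 6, 17
MIN_FIRST_PAYLOAD = 8  # a first fragment must at least carry the TCP/UDP port fields


@dataclass
class IPv4Header:
    ihl: int              # header length in bytes
    ident: int            # Identification: shared by every fragment of one datagram
    more_fragments: bool  # MF flag
    frag_offset: int      # offset in 8-byte units, exactly as carried on the wire
    proto: int
    src: str
    dst: str


def parse_ipv4(pkt: bytes) -> IPv4Header:
    """Decode the fixed IPv4 header; options are skipped via IHL."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tot, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("malformed IPv4 header")
    return IPv4Header(ihl, ident, bool(flags_frag & 0x2000), flags_frag & 0x1FFF,
                      proto, socket.inet_ntoa(src), socket.inet_ntoa(dst))


def _checksum(data: bytes) -> int:
    """Standard ones'-complement IP header checksum."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, ident, proto, payload, frag_offset=0, more_fragments=False):
    """Constructed sample packet (no options, TTL 64) with a valid header checksum."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload


def _dst_port(hdr, pkt):
    """Destination port of a TCP/UDP first fragment, or None if it cannot be read."""
    payload = pkt[hdr.ihl:]
    if hdr.proto not in (TCP, UDP) or len(payload) < 4:
        return None
    return struct.unpack("!HH", payload[:4])[1]


class FragmentAwareFilter:
    """Inbound policy: permit the (proto, dst_port) pairs in `allowed`, deny the rest.
    naive_allows() behaves like the filters described on the list; stateful_allows()
    only passes a non-first fragment whose datagram head was already permitted."""

    def __init__(self, allowed, window=30.0):
        self.allowed = set(allowed)
        self.window = window
        self.pending = {}  # (src, dst, ident, proto) -> time its first fragment passed

    def naive_allows(self, pkt) -> bool:
        hdr = parse_ipv4(pkt)
        if hdr.frag_offset != 0:
            return True    # the hole: offset != 0 is never checked against policy
        return (hdr.proto, _dst_port(hdr, pkt)) in self.allowed

    def stateful_allows(self, pkt, now) -> bool:
        hdr = parse_ipv4(pkt)
        key = (hdr.src, hdr.dst, hdr.ident, hdr.proto)
        payload_len = len(pkt) - hdr.ihl
        if hdr.frag_offset * 8 + payload_len > 65535:
            return False   # reassembled datagram would exceed the IPv4 maximum
        if hdr.frag_offset == 0:
            if hdr.more_fragments and payload_len < MIN_FIRST_PAYLOAD:
                return False   # tiny first fragment: ports unverifiable, so deny
            ok = (hdr.proto, _dst_port(hdr, pkt)) in self.allowed
            if ok and hdr.more_fragments:
                self.pending[key] = now
            return ok
        seen = self.pending.get(key)
        if seen is None or now - seen > self.window:
            return False   # orphan or stale fragment: no permitted head was seen
        if not hdr.more_fragments:
            self.pending.pop(key, None)  # last fragment: forget the datagram
        return True


def demo():
    """Constructed traffic: permit inbound SMTP only, then exercise the fragment paths."""
    f = FragmentAwareFilter(allowed={(TCP, 25)})
    src, dst = "192.0.2.10", "198.51.100.5"  # RFC 5737 documentation addresses
    head = build_ipv4(src, dst, 0x1234, TCP, struct.pack("!HH", 40000, 25) + b"\0" * 20,
                      more_fragments=True)                                # bytes 0..23
    tail = build_ipv4(src, dst, 0x1234, TCP, b"A" * 16, frag_offset=3)    # bytes 24..39
    orphan = build_ipv4(src, dst, 0x5678, TCP, b"B" * 16, frag_offset=3)  # no head seen
    tiny = build_ipv4(src, dst, 0x9ABC, TCP, b"\0" * 4, more_fragments=True)
    return {
        "naive_orphan": f.naive_allows(orphan),             # True: the bypass
        "stateful_head": f.stateful_allows(head, now=100.0),
        "stateful_tail": f.stateful_allows(tail, now=101.0),
        "stateful_orphan": f.stateful_allows(orphan, now=102.0),
        "stateful_tiny": f.stateful_allows(tiny, now=103.0),
    }
```

`naive_allows` is the behaviour Dave describes; `stateful_allows` shows the minimum a filter has to remember to close it: accept an offset != 0 fragment only after permitting the head of the same datagram, refuse first fragments too short to carry the port fields, and refuse offsets that would overrun a 64 KiB datagram. A production filter would additionally have to bound and age the `pending` table (the window here is a sketch of that) and cope with overlapping fragments, which this model does not attempt.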
From firewalls-owner Sat Jan 14 13:10:04 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA10385 for firewalls-outgoing; Sat, 14 Jan 1995 12:46:48 -0800 Received: from access4.digex.net (sorrywedontgiveoutthisinformation@access4.digex.net [164.109.10.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA10380 for ; Sat, 14 Jan 1995 12:46:45 -0800 Received: by access4.digex.net id AA03186 (5.67b8/IDA-1.5 for firewalls@greatcircle.com); Sat, 14 Jan 1995 15:45:09 -0500 From: Don Krapf Message-Id: <199501142045.AA03186@access4.digex.net> Subject: Re: DOS IP backdoors (was Re: Firewalls-Digest V4 #11) To: firewalls@greatcircle.com (FireWalls List) Date: Sat, 14 Jan 1995 15:45:09 -0500 (EST) In-Reply-To: <9501101951.AA04264@tidtest.total.fr> from "Michel Lavondes" at Jan 10, 95 07:51:27 pm X-Mailer: ELM [version 2.4 PL24beta] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 485 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Michel Lavondes writes: > DOS/Win IPX can manage only one IPX address, so you should be safe from > that side. Of the DOS/Win IP stacks I know of, only Wollongong's can > (could) be multi-homed, with a routing module available. Core Systems' Internet-Connect stack can be multihomed. One click enables packet forwarding. One click (and a packet driver) enables the ethernet interface. 
Don -- dkrapf@access.digex.net | See Clearly dkrapf@hermes.acm.rpi.edu | Think Clearly From firewalls-owner Sat Jan 14 13:25:28 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA10305 for firewalls-outgoing; Sat, 14 Jan 1995 12:42:15 -0800 Received: from relay.tis.com (firewall_user@relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA10300 for ; Sat, 14 Jan 1995 12:42:12 -0800 Received: from sol.tis.com(192.33.112.100) by relay via smap (V1.3) id sma008062; Sat Jan 14 15:39:53 1995 Received: from otter.tis.com. by tis.com (4.1/SUN-5.64) id AA23862; Sat, 14 Jan 95 15:37:30 EST From: Marcus J Ranum Message-Id: <9501142037.AA23862@tis.com> Subject: Re: Vendor RFP clarification - Our Tentative Plan To: rob@rjl.com (Rob Liebschutz) Date: Sat, 14 Jan 1995 15:44:00 -0500 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Rob Liebschutz" at Jan 13, 95 00:31:55 am Organization: Trusted Information Systems, Inc. Glenwood, MD Phone: 301-854-6889 Content-Type: text Content-Length: 902 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >The firewall router can protect the Internal Unix host from many modes >of failure as well. It's like comparing the penetration effort >required for two brick walls one in front of the other, vs two brick >walls side by side. One place where a screening router is a useful addition to a bastion host firewall is that it can be used to sanity check what is going on. If you can make some basic assumptions about what kind of traffic you should never see, you can configure your router to block them. For example, if you have the usual: Internet <-----> Router <----> Firewall bastion <----> Inside It is reasonable to configure the router to block all traffic going through it that appears to have originated from the Inside net. 
After all, there is no "normal" circumstance in which that would occur, but there might be an abnormal one and those are the ones to watch out for. mjr. From firewalls-owner Sat Jan 14 15:10:08 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA11737 for firewalls-outgoing; Sat, 14 Jan 1995 14:47:06 -0800 Received: from wolfe.wimsey.com (root@wolfe.wimsey.com [198.162.16.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA11732 for ; Sat, 14 Jan 1995 14:47:00 -0800 Received: by wolfe.wimsey.com (Smail3.1.28.1 #31) id m0rTHDW-0006AFC; Sat, 14 Jan 95 14:45 PST Received: by ilinx.com (/\oo/\ Smail3.1.29.1 #29.6) id ; Sat, 14 Jan 95 14:27 PST Message-Id: Received: by miro.ilinx.com id ; Sat, 14 Jan 95 14:27:56 -0800 From: brian@imcon.ilinx.com To: sjg@zen.void.oz.au Subject: Re[2]: Time Synchronization thru firewall Cc: criney1@abacus.tis.tandy.com, brian@mn.chey.com, Firewalls@greatcircle.com Date: Sat, 14 Jan 1995 14:27:55 -0700 (PST) X-Mailer: Ishmail 1.0-hp-941109 Available via anonymous ftp from ftp.halsoft.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk from the quill of "Simon J. Gerraty" > > By all means sync your ntpd with an external source, but if you want > to be safe from time based re-play attacks, you need to also sync with > at least one internal source at the same level. That way if some one > sends you bogus ntp from the outside, your ntpd will reject it based > on its majority rules approach. If there was a reasonably accurate internal source, why would the original poster want to sync with an external source?? What I should really ask is if one does not have an internal source, and one wants to sync to something on the net, are they absolutly vulnerable to time based re-play attacks. I thought that NTP suppored authorization mechanisms. Are these mechanisms inadequate?? b. -- Brian J. Murrell brian@ilinx.com InterLinx Support Services, Inc. brian@wimsey.com North Vancouver, B.C. 
604 983 UNIX Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD From firewalls-owner Sat Jan 14 18:09:56 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA12766 for firewalls-outgoing; Sat, 14 Jan 1995 18:04:25 -0800 Received: from mail.llu.edu (mail.LLU.EDU [151.112.2.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA12761 for ; Sat, 14 Jan 1995 18:04:21 -0800 Received: from brent.llu.edu (brent.llu.edu [151.112.1.2]) by mail.llu.edu (8.6.9/8.6.9) with ESMTP id SAA20254; Sat, 14 Jan 1995 18:02:14 -0800 Received: (from bboyko@localhost) by brent.llu.edu (8.6.9/8.6.9) id SAA04005; Sat, 14 Jan 1995 18:01:38 -0800 From: "Brent E. Boyko" Message-Id: <199501150201.SAA04005@brent.llu.edu> Subject: Re: Sendmail & DNS? Secure enough for a firewall? To: twalker@acc.org Date: Sat, 14 Jan 1995 18:01:38 -0800 (PST) Cc: firewalls@greatcircle.com In-Reply-To: from "twalker@acc.org" at Jan 13, 95 07:37:01 pm X-Mailer: ELM [version 2.4 PL24alpha3] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1615 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Is Sendmail 5.x/SMI-SVR4 secure for use on a firewall? I am buttoning > down a Sun running solaris 2.4 and could use a little advice. How > about DNS as shipped with Solaris? > > If not, how about a ftp site to gather the latest versions. > > Thanks, Tom. > > ----------------------------------------------------------------- > Tom Walker, Network Manager American College of Cardiology > MHS:twalker@acc Internet:twalker@acc.org > > I am running Solaris 2.4x86 on the bastion host portion of our firewall. I upgraded it to sendmail 8.6.9, which is available from ftp.cs.berkeley.edu, in /ucb/sendmail. The Sendmail book from O'Reilly and Associates is helpful in understanding the new security features. I am also running bind 4.9.3-BETA17 for DNS. 
Source is available from ftp.vix.com, as /pri/vixie/bind-4.9.3-BETA17.tar.gz. Note that this host is unpingable, and that "ls" is not allowed in the /pri/vixie directory. Just cd to /pri/vixie and do a binary "get" of bind-4.9.3-BETA17.tar.gz. You probably want to build and install bind first, so that Sendmail can be linked with the new resolver library. Also, bind builds and installs fairly cleanly, but Sendmail requires some fiddling with Makefile.Sunos5.x to get it to link with libresolv.a and lib44bsd.a from bind. It's my understanding that the versions of Sendmail and bind that Sun ships with the OS are antiques. Hope this helps. -- Brent E. Boyko Telecom Engineer Loma Linda University Medical Center bboyko@brent.llu.edu 909-824-4321 From firewalls-owner Sat Jan 14 22:09:54 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA13941 for firewalls-outgoing; Sat, 14 Jan 1995 21:59:35 -0800 Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id VAA13936 for ; Sat, 14 Jan 1995 21:59:32 -0800 Received: from cixgate by relay2.UU.NET with SMTP id QQxytb26250; Sun, 15 Jan 1995 00:58:00 -0500 Received: from manzanita.DEV.3Com.COM.noname ([139.87.180.206]) by cixgate (4.1/SMI-4.1/3com-cixgate-GCA-931027-01) id AA10520; Sun, 15 Jan 95 06:02:23 GMT Received: by manzanita.DEV.3Com.COM.noname (4.1/SMI-4.1) id AA00777; Sat, 14 Jan 95 21:52:23 PST Date: Sat, 14 Jan 95 21:52:23 PST From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg) Message-Id: <9501150552.AA00777@manzanita.DEV.3Com.COM.noname> To: jharvey@netcom.com Subject: Re: FTP through firewall Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Good sets of filtering only allow ports 1024-2000 incoming when the destination port is that, AND the source port is 20 or 21 (ftp-data, ftp-control), and then tie that to the addressing so that only applies to an inbound packet. 
Outgoing packets would reverse that with the source port being > 1023 and the destination port being 20/21. For more details, read Brent Chapman's paper and (This is unsolicited, Really!), take his seminar. It will open your eyes. He's running an ad in the current issue of Internet magazine. BobK From firewalls-owner Sat Jan 14 22:39:54 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA14288 for firewalls-outgoing; Sat, 14 Jan 1995 22:35:40 -0800 Received: from cohesive.com (cohesive.com [192.104.234.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id WAA14283 for ; Sat, 14 Jan 1995 22:35:37 -0800 From: hharamis@cohesive.com Received: from nts-1.cohesive.com (nts-1.cohesive.com [192.104.234.12]) by cohesive.com (8.6.9/8.6.9) with SMTP id WAA24041 for ; Sat, 14 Jan 1995 22:27:14 -0800 Received: from ccMail by nts-1.cohesive.com (IMA Internet Exchange v1.04) id f18c1470; Sat, 14 Jan 95 22:31:35 -0800 Mime-Version: 1.0 Date: Sat, 14 Jan 1995 22:32:44 -0800 Message-ID: Subject: IP Forwarding and Source Routing on AIX To: firewalls@greatcircle.com Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, Does anybody know how turn off IP Forwarding and Source Routing on IBM's AIX v3.2.5? 
Thanks, Harry Haramis hharamis@cohesive.com From firewalls-owner Sun Jan 15 00:39:51 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA14862 for firewalls-outgoing; Sun, 15 Jan 1995 00:11:12 -0800 Received: from cohesive.com (cohesive.com [192.104.234.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id AAA14857 for ; Sun, 15 Jan 1995 00:11:09 -0800 From: hharamis@cohesive.com Received: from nts-1.cohesive.com (nts-1.cohesive.com [192.104.234.12]) by cohesive.com (8.6.9/8.6.9) with SMTP id AAA24075 for ; Sun, 15 Jan 1995 00:02:34 -0800 Received: from ccMail by nts-1.cohesive.com (IMA Internet Exchange v1.04) id f18d7a00; Sun, 15 Jan 95 00:06:56 -0800 Mime-Version: 1.0 Date: Sun, 15 Jan 1995 00:08:13 -0800 Message-ID: Subject: Re: IP Forwarding and Source Routing on AIX To: firewalls@greatcircle.com Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Does anybody know how turn off IP Forwarding and Source Routing >on IBM's AIX v3.2.5? Sorry...I was able to answer my own question shorly after I posted the message. For anybody interested, the command is: no -o ipforwarding=0 Harry Haramis hharamis@cohesive.com From firewalls-owner Sun Jan 15 03:09:54 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id DAA16870 for firewalls-outgoing; Sun, 15 Jan 1995 03:00:20 -0800 Received: from Vela.ACS.Oakland.Edu (mgscheue@vela.acs.oakland.edu [141.210.10.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id DAA16865 for ; Sun, 15 Jan 1995 03:00:16 -0800 Received: by Vela.ACS.Oakland.Edu id AA22298 (5.67a+/IDA-1.5); Sun, 15 Jan 1995 05:58:44 -0500 Date: Sun, 15 Jan 1995 05:58:43 -0500 (EST) From: "Mark G. Scheuern" Subject: httpd and GE break-in? 
To: Firewalls@greatcircle.com

I'm planning on running CERN's httpd, in proxy mode, on our firewall and want to take all appropriate precautions. I also must convince management that this is a reasonably safe thing to do. A colleague has said that the GE break-in was, in part, accomplished through "Mosaic" (I'm assuming this means exploiting an HTTP weakness). I followed the GE discussions but don't recall seeing this mentioned. Was this a factor in the break-in?

Mark

| Mark G. Scheuern          | http://www.acs.oakland.edu/~mgscheue/ |
| mgscheue@oakland.edu      | finger mgscheue@vela.acs.oakland.edu  |
| MGScheuern@eWorld.COM     | 20 67 4B E0 15 5C 7C 87               |
| 73150.1770@compuserve.com | 28 B3 DB BA 63 B1 5F A1               |

From firewalls-owner Sun Jan 15 04:09:51 1995
From: Bernhard.Schneck@Physik.TU-Muenchen.DE
Date: Sun, 15 Jan 95 13:00:44 +0100
To: hharamis@cohesive.com
Cc: firewalls@greatcircle.com
Subject: Re: IP Forwarding and Source Routing on AIX

In message you write:

> > Does anybody know how to turn off IP Forwarding and Source Routing
> > on IBM's AIX v3.2.5?
and later you found one solution yourself:

> no -o ipforwarding=0

Be careful that this can be easily reversed, so anyone who gets access to your box can reenable IP forwarding.

The better (but harder) solution is to delete the forwarding code from the kernel source code. Any intruder would then have to build and install a new kernel ... and hopefully you'd notice this!

This might be tough to do with AIX, though ... well, maybe not tough, but somewhat expensive :-)

\Bernhard.

From firewalls-owner Sun Jan 15 05:39:54 1995
From: Christian Wettergren
Date: Sun, 15 Jan 95 14:13:45 +0100
To: Don Krapf
Cc: firewalls@greatcircle.com (FireWalls List)
Subject: Re: DOS IP backdoors (was Re: Firewalls-Digest V4 #11)

| Michel Lavondes writes:
| > DOS/Win IPX can manage only one IPX address, so you should be safe from
| > that side. Of the DOS/Win IP stacks I know of, only Wollongong's can
| > (could) be multi-homed, with a routing module available.
|
| Core Systems' Internet-Connect stack can be multihomed. One click enables
| packet forwarding. One click (and a packet driver) enables the ethernet
| interface.

"Click? Oh, gee, I'm safe, I have to involve the user!" ;-)

You mean, one virus or one trojan? There is a definite risk that a virus writer would fill a virus with loads and loads of hostile reconfigurations. Enabling packet forwarding, adding guest accounts, even statistically initiating outbound datastreams through a firewall.

I really think it is imperative to have protection against outbound traffic as well. It _is_ rather easy to spread malicious code into a company.

/Christian Wettergren, cwe@it.kth.se

From firewalls-owner Sun Jan 15 07:10:00 1995
From: afx@ibm.de (Andreas Siegert)
Date: Sun, 15 Jan 1995 16:01:33 +0100 (CET)
To: hharamis@cohesive.com
Cc: firewalls@greatcircle.com
Subject: Re: IP Forwarding and Source Routing on AIX

> Does anybody know how to turn off IP Forwarding and Source Routing
> on IBM's AIX v3.2.5?
Add

    /usr/sbin/no -o ipforwarding=0
    /usr/sbin/no -o ipsendredirects=0
    /usr/sbin/no -o nonlocsrcroute=0

to /etc/rc.net.

cheers
afx
--
Andreas Siegert / Postmaster, IBM Deutschland GmbH, AIX Field Support Center
Anzinger Strasse 29, D-81671 Muenchen
Internet: afx@ibm.de   VNET: AFX@IPNET   Voice: (49)-(89)-4504-4509
"Never grep a yacc by the i-node!"   Opinions are my own, not IBM's.

From firewalls-owner Sun Jan 15 07:22:31 1995
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Sun, 15 Jan 95 09:49:28 -0500
To: "FIREWALLS@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Thought

/Christian Wettergren, cwe@it.kth.se rites:

> I really think it is imperative to have protection against outbound traffic
> as well.

Well, I would rather say "control of" rather than "protection from", possibly niggling but important. In that light I would be curious to know how many routers/firewalls can control access to *themselves* other than by passwords/tokens?

What I mean is that it is common for admins to "make their jobs easier" by configuring multiple routers/firewalls from their desktop rather than permitting such acts from the system console only, as the truly nervous would, and I was wondering about "another layer of protection" in that instance.
In my experience, having seen the Cisco "password" request to a Telnet from the outside more than a few times, I have often wondered why access to such a sensitive point was permitted at all.

So my question is: which firewalls (hopefully all) permit designation that only requests from certain nodes/"inside" nodes will be allowed to connect at all, and make the wall itself unresponsive to ping/telnet/finger/etc. from any other IP/net? (Here I am using "/" to indicate "and/or".)

Warmly,
Padgett

From firewalls-owner Sun Jan 15 07:39:51 1995
From: afx@ibm.de (Andreas Siegert)
Date: Sun, 15 Jan 1995 16:10:31 +0100 (CET)
To: Bernhard.Schneck@Physik.TU-Muenchen.DE
Cc: hharamis@cohesive.com, firewalls@greatcircle.com
Subject: Re: IP Forwarding and Source Routing on AIX

> > > Does anybody know how to turn off IP Forwarding and Source Routing
> > > on IBM's AIX v3.2.5?
>
> and later you found one solution yourself:
>
> > no -o ipforwarding=0

Not sufficient, see my previous mail.
> Be careful that this can be easily reversed, so anyone who gets access
> to your box can reenable IP forwarding.
>
> The better (but harder) solution is to delete the forwarding code from
> the kernel source code. Any intruder would then have to build and
> install a new kernel ... and hopefully you'd notice this!
>
> This might be tough to do with AIX, though ... well, maybe not tough,
> but somewhat expensive :-)

Well, you don't need the complete source. A modified IP subsystem is available in the IBM firewall code discussed here previously. Still, it is a few $s.

Me thinks that if you have any reasonable form of auditing set up, then you will detect any intrusion attempts long before an intruder can get root access to modify those settings. You could even set up an exec audit event for the no command...

afx
--
Andreas Siegert / Postmaster, IBM Deutschland GmbH (afx@ibm.de). Opinions are my own, not IBM's.

From firewalls-owner Sun Jan 15 08:39:51 1995
From: Alan Hannan
Date: Sun, 15 Jan 1995 10:15:54 -0600 (CST)
To: mgscheue@vela.acs.oakland.edu (Mark G. Scheuern)
Cc: Firewalls@GreatCircle.COM
Subject: Re: httpd and GE break-in?

> I'm planning on running CERN's httpd, in proxy mode, on our firewall
> and want to take all appropriate precautions. I also must convince
> management that this is a reasonably safe thing to do. A colleague
> has said that the GE break-in was, in part, accomplished through
> "Mosaic" (I'm assuming this means exploiting an HTTP weakness). I
> followed the GE discussions but don't recall seeing this mentioned.
> Was this a factor in the break-in?

It is my understanding that the GE break-in was accomplished through three things:

a) SunOS bugs unpatched (surprise)
b) Shoddy administration
c) Sniffing both within and outside the GE internal network.

Of course I don't know any of this to be true, but I believe it. I understand the Mosaic rumours were smoke to disguise the idiocy of the admins.

--
alan@mid.net   MIDnet, Inc. Network Operations Center   (402)/472-0242, Fax (402)/472-0240
"Small is the number of them that see with their own eyes and feel with their own hearts."
  - Albert Einstein

From firewalls-owner Sun Jan 15 14:10:04 1995
From: kranta@sun3.oulu.fi
Date: Sun, 15 Jan 95 16:39:07 -0500
To: padgett@tccslr.dnet.mmc.com
Cc: "vyau@ortel.com"@uvs1.dnet.mmc.com, "firewalls@greatcircle.com"@uvs1.dnet.mmc.com
Subject: Re: Incidents

On Wed, 11 Jan 1995 padgett@tccslr.dnet.mmc.com wrote:

> _2600_ magazine
>
> "The Hacker Quarterly"

Could you tell the publishers of these magazines or where they can be read?

Thanks,
Kaisu
Kaisu.Ranta@oulu.fi
Oulu University Computer Services Centre, Finland

From firewalls-owner Sun Jan 15 20:41:38 1995
From: chris@lagoon.meo.dec.com (Chris Jankowski)
Date: Mon, 16 Jan 1995 15:20:45 -0900
To: Firewalls@GreatCircle.COM
Subject: Windows NT and C2 - look carefully at the wording

I suggest that you look carefully at Microsoft wording re. C2 in Windows NT. I think you will find something like:

    .... has been designed to conform to or exceed the C2 specification as per .....

The reality is nobody will certify a C2 system these days. All the action is on B levels, and it takes roughly 5 years to do it, in which time you have your system basically frozen - s/w and h/w.

So referring back to Windows NT, you should really read it as follows:

    ... the vendor thinks that according to the vendor's interpretation of the C2 specification all relevant requirements that are in it have been implemented will give you any guarantee neither now nor tomorrow nor ever.

Just my opinion.

Chris Jankowski - Open Systems Cons. - chris@lagoon.meo.dec.com
Digital Equipment Corporation (Australia), 564 St. Kilda Rd, Melbourne 3004, AUSTRALIA
tel. +61 3 275 3622   fax +61 3 275 3453

US technology in a disaster: 50 curies released (Three Mile Island)
Soviet technology disaster: 50,000,000 curies released (Chernobyl)
Soviets in normal operation: 3,000,000,000 curies of nuclear waste pumped directly into the earth near major rivers and still pumping.
From firewalls-owner Sun Jan 15 21:41:09 1995
From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Date: Sun, 15 Jan 95 21:14:02 PST
To: padgett@tccslr.dnet.mmc.com
Cc: firewalls@greatcircle.com
Subject: Re: Thought

At the risk of sounding self (well, company) centric, our (3Com) routers can be set to allow no access but console. We then connect the console port to a communications (terminal) server so that we can still connect to it by telnet. I don't know, but I imagine cisco (or any other good manufacturer) allows for the same sort of capability.

The only limitation there is that a) you have to spend money on another box, and b) it won't allow for administration of the firewall router from the outside, which is, from my point of view, a dangerous thing to allow anyway.
BobK

From firewalls-owner Mon Jan 16 03:09:52 1995
From: lavondes@tidtest.total.fr (Michel Lavondes)
Date: Mon, 16 Jan 95 11:47:01 GMT
To: dkrapf@access.digex.net (Don Krapf)
Cc: firewalls@greatcircle.com (fw)
Subject: Re: DOS IP backdoors (was Re: Firewalls-Digest V4 #11)

Don Krapf wrote:

> Core Systems' Internet-Connect stack can be multihomed. One click enables
> packet forwarding. One click (and a packet driver) enables the ethernet
> interface.
>
> Don

Gasp! Thanks. At least it's disabled by default (or is it?) Any other similar disasters waiting for an opportunity?
--
Michel Lavondes
E-Mail: lavondes@tidtest.total.fr
        lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected)
Tel: +33-1-4135-4198   Fax: +33-1-4135-4189

From firewalls-owner Mon Jan 16 03:40:00 1995
From: lavondes@tidtest.total.fr (Michel Lavondes)
Date: Mon, 16 Jan 95 12:01:48 GMT
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson P.E. Information Security)
Cc: firewalls@greatcircle.com (fw)
Subject: Re: Thought

A. Padgett Peterson, P.E. Information Security wrote:

> In my experience having seen the Cisco "password" request to a Telnet from
> the outside more than a few times, I have often wondered why access to such

Did you actively look for it or did it just happen to wander off your way?
;-)
--
Michel Lavondes (lavondes@tidtest.total.fr)

From firewalls-owner Mon Jan 16 03:55:24 1995
From: lavondes@tidtest.total.fr (Michel Lavondes)
Date: Mon, 16 Jan 95 12:16:12 GMT
To: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Cc: firewalls@greatcircle.com (fw)
Subject: Re: Thought

Bob Konigsberg wrote:

> At the risk of sounding self (well, company) centric, our (3Com) routers
> can be set to allow no access but console. We then connect the console
> port to a communications (terminal) server so that we can still connect
> to it by telnet.

At the risk of sounding dense, what's the difference between telnetting to a router and telnetting to a port on a terminal server that connects to the console port on the router?
--
Michel Lavondes (lavondes@tidtest.total.fr)

From firewalls-owner Mon Jan 16 04:40:02 1995
From: Bogdan Sovinc
Date: Mon, 16 Jan 1995 13:38:42 +0100 (WET)
To: firewalls@greatcircle.com
Cc: SOVINC@ctklj.ctk.si
Subject: firewalls and layer

Please, can anybody tell me which layer of the OSI model a firewall corresponds to? To which layer does recognizing packets belong, i.e. whether they are telnet, FTP, or something else?

Bogdan Sovinc
CTK TR3
61000 Ljubljana
Slovenia
E-mail: sovinc@ctklj.ctk.si

From firewalls-owner Mon Jan 16 07:10:26 1995
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Mon, 16 Jan 95 09:40:13 -0500
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: You're too kind

> So referring back to Windows NT, you should really read it as follows
> ...
> the vendor thinks that according to the vendor's interpretation
> of the C2 specification all relevant requirements that are in it
> have been implemented will give you any guarantee neither now nor tomorrow
> nor ever.

I wish. What more likely happened is that a marketoid told a manager that meeting C2 would be nice. The manager grabbed a flunky with the instructions to find out what C2 was. Most likely an Orange Book was found and pages 15-17 examined:

1) DAC - we can set flags for each user just like Novell
2) Reuse - delete works and clearing the FAT keeps NT from reading it.
3) I&A - we got passwords
4) Audit - we put the log in ring 0 and users are ring 3, that's enough
5) System Architecture - see rings above.
6) System Integrity - If anything goes rong we get a UAE (or whatever they call it in NT - I do not have any PCs with over 8 Mb and have not tried it)
7) Testing - sure, we do testing

So flunky => manager => marketoid: "Sure, we meet C2"

Point is that in any large organization, it is not "the vendor thinks" but rather "somebody checked and said yes". Further, unless it is certified, it does not count. Besides, as was mentioned, all of the attacks today require B2 to repel.

P.fla

From firewalls-owner Mon Jan 16 07:40:25 1995
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Mon, 16 Jan 95 10:21:31 -0500
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: This is what I suspected

Bob rote:

>> At the risk of sounding self (well, company) centric, our (3Com) routers
>> can be set to allow no access but console. We then connect the console
>> port to a communications (terminal) server so that we can still connect
>> to it by telnet.

Michel rote:

> At the risk of sounding dense, what's the difference between telnetting to
> a router and telnetting to a port on a terminal server that connects to the
> console port on the router ?

What I was looking for in the original question was which systems that provide routing/packet filtering could perform the same service for *themselves*. Earlier I had observed that many attacks succeed because the firewall/router that is protecting a domain is often the vector for intrusion, because it is not able to route/filter traffic for itself (and if the nodename is XXX_7000@... and the password is "CISCO" - don't laugh, ignorance is curable).

Obviously, if such a device allows connection from the system console only and that connection is to a PC or other device with a NIC on the inside net, *that* traffic can be routed/filtered. (Thought about including that in the original posting, decided "naaaaa, too kludgy".)
Warmly,
Padgett

From firewalls-owner Mon Jan 16 08:13:17 1995
From: "Yan Fa LI"
Date: Mon, 16 Jan 95 16:37:01 MEZ
To: firewalls@greatcircle.com
Cc: yanfali@hpbbi30.bbn.hp.com
Subject: Modem Pool Hardware/Software Suggestions

Hi Everyone,

I'd appreciate some suggestions anyone might have on any custom or commercial hardware/software for handling a dial-out modem pool. Of particular interest are those which (in order of priority):

- are easy to set up and maintain
- have good logging systems which can be used to bill usage. Of particular interest are systems which can log destination, start time and duration of dial-out calls. German Telecom does not provide itemised bills so we have to work them out ourselves :(
- have strong access/authentication systems (smartcards, passwords, challenge response mechanisms, etc...)
- work across LAN/WAN connections
- easy expandability
- timely support and updates
- service PCs transparently to applications, e.g. virtual COM ports
- service Unix machines via Telnet or something like it
- HPUX or PC platform would be nice, but will consider custom solutions
- is not vapourware ;) or "coming real soon syndrome" a la Win95

Thanks in advance.
Sincerely
Yan

Yan-Fa LI (CNS-BBN DNSS)
Hewlett-Packard GmbH, Herrenberger Strasse 130, D-71034 Boeblingen, Germany
Phone: +49 - 7031 14 1412   Fax: +49 - 7031-14 1554   Telnet: 778 - 1412
Email: yanfali@hpbbi30.bbn.hp.com, Yan-Fa_Li@HP-Germany-om1.om.hp.com

My views do not necessarily represent those of the Hewlett Packard Company and should be taken with a large dose of salt or whatever passes for sodium in your neck of the woods/universe/continuum/etc...

From firewalls-owner Mon Jan 16 08:14:34 1995
From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Date: Mon, 16 Jan 95 07:58:13 PST
To: lavondes@tidtest.total.fr
Cc: firewalls@greatcircle.com
Subject: Re: Thought

The differences between telnetting to a router and telnetting to a comm server connected to the router's console port (in the case of 3Com routers anyway; I can't speak for other manufacturers, although some of this is generic and will apply to any environment) are:

1) In the case of 3Com routers, while SNMP management can be limited by IP address, telnet access can't be, but with the "effective" only access from inside the firewall, and telnet access turned off, the firewall router is less vulnerable to attack.

2) The console port will time out on inactivity, making it less of a target for an unattended telnet session. (The telnet session to the port is still there, but a new password entry will be required.)

3) If desired, the comm server access can also be run by an Access Control server, making access more difficult.

4) It allows for a little "security by obfuscation", i.e., the subnet where the access actually is requires insider knowledge, and that subnet can be deliberately NOT advertised, but rather accessed only by static routes. This reduces the number of insiders with access to a select few.

Firewalls aside, we've found that most of our problems are caused by insiders, which matches everything I've read (typical figures are in the 80-90% range). The funny part is, most of them aren't even malicious, they're just curious and poking around. It's amazing what loopholes they find with seemingly little effort.
BobK

From firewalls-owner Mon Jan 16 08:29:04 1995
From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Date: Mon, 16 Jan 95 08:01:51 PST
To: SOVINC@ctklj.ctk.si
Cc: firewalls@greatcircle.com
Subject: Re: firewalls and layer
Message-Id: <9501161601.AA00389@manzanita.DEV.3Com.COM.noname>

That all depends. You can create a firewall that operates at several different layers. For example, off the top of my head:

A Network Layer firewall would block/limit/control access by network numbers.
A Transport layer firewall would limit specific TCP and UDP type transactions.
An application layer firewall would control the type and nature of specific application transactions.

I'm sure other folks out there can come up with (that's a hint, folks) other examples.
BobK

From firewalls-owner Mon Jan 16 09:03:06 1995
From: smb@research.att.com
Date: Mon, 16 Jan 95 11:19:09 EST
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Cc: firewalls@greatcircle.com
Subject: Re: You're too kind
Message-Id: <199501161625.IAA01171@miles.greatcircle.com>

According to some recent discussion in comp.security.misc, Windows NT has indeed been submitted for formal evaluation at the C2 level. So it's not completely marketdroid nonsense.

From firewalls-owner Mon Jan 16 09:19:51 1995
From: Carl Jolley
Date: Mon, 16 Jan 1995 11:18:08 -0500 (EST)
To: Bogdan Sovinc
Cc: firewalls@GreatCircle.COM, SOVINC@ctklj.ctk.si
Subject: Re: firewalls and layer
In-Reply-To: <950116133842.17f7a@ctklj.ctk.si>

It depends on the nature of the firewall. Generally, though, it appears to me that many firewalls (e.g. the ones based on using proxy services) are at the application layer.
If you were using a screening router for a firewall, it might be said that it is operating at the network layer.

Why is a firewall's relationship to the OSI model of interest to you?

**** cjolley@iac.net ****
All opinions are my own and not necessarily those of my employer ****

On Mon, 16 Jan 1995, Bogdan Sovinc wrote:

> Please can anybody tell me to which layer of the OSI model a firewall
> corresponds?
>
> To which layer does recognizing whether packets are telnet, FTP, or
> something else belong?
>
> Bogdan Sovinc
> CTK TR3
> 61000 Ljubljana
> Slovenia
>
> E-mail: sovinc@ctklj.ctk.si
>

From firewalls-owner Mon Jan 16 09:48:44 1995
From: rmck@sandfiddler.paragon-systems.com (Bob McKisson)
Date: Mon, 16 Jan 1995 11:57:48 +0500
To: padgett@tccslr.dnet.mmc.com
Cc: firewalls-digest@greatcircle.com
Subject: Re: You're too kind
Message-Id: <9501161657.AA00371@ Paragon-Systems.COM>

> From firewalls-owner@GreatCircle.COM Mon Jan 16 10:35 EST 1995
> Date: Mon, 16 Jan 95 09:40:13 -0500
> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E.
> Information Security)
> To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
> Subject: You're too kind
>
> >So referring back to Windows NT, you should really read it as follows:
> >... the vendor thinks that according to the vendor's interpretation
> >of the C2 specification all relevant requirements that are in it
> >have been implemented will give you any guarantee neither now nor tomorrow
> >nor ever.
>
> I wish. What more likely happened is that a marketoid told a manager that
> meeting C2 would be nice. The manager grabbed a flunky with the instructions
> to find out what C2 was. Most likely an Orange Book was found and pages 15-17
> examined:
>
> 1) DAC - we can set flags for each user just like Novell
> 2) Reuse - delete works and clearing the FAT keeps NT from reading it.
> 3) I&A - we got passwords
> 4) Audit - we put the log in ring 0 and users are ring 3, that's enough
> 5) System Architecture - see rings above.
> 6) System Integrity - If anything goes wrong we get a UAE (or whatever they
>    call it in NT - I do not have any PCs with over 8 Mb and have not tried it)
> 7) Testing - sure, we do testing
>
> So flunky => manager => marketoid : "Sure, we meet C2"
>
> Point is that in any large organization, it is not "the vendor thinks" but
> rather "somebody checked and said yes". Further, unless it is certified,
> it does not count. Besides, as was mentioned, all of the attacks today require
> B2 to repel.
> P.fla
>

A C2 product (either certified or "designed to meet") is like a gun in the hands of a child or adult who doesn't know any better. Eventually they will just hurt themselves with it. The DDI could do us all a great public service by just getting rid of it.
rmck

From firewalls-owner Mon Jan 16 09:55:33 1995
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Mon, 16 Jan 95 12:07:16 -0500
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: "C2" and other two letter combinations.
Message-Id: <9501161707.AA04231@uvs1.orl.mmc.com>

rmck writes:
>A C2 product (either certified or "designed to meet") is like a gun in the
>hands of a child or adult who doesn't know any better. Eventually they
>will just hurt themselves with it. The DDI could do us all a great public
>service by just getting rid of it

This comment just gave me a great idea:

1) NCSC trademarks the designations
2) Specifies that the designation
   a) may only be used for a certified product
   b) must be accompanied by the conditions under which the certification was granted.

The fact is that "designed to meet C2" or "submitted for testing" are "full of sound and fury, signifying nothing."
P.fla

From firewalls-owner Mon Jan 16 10:10:22 1995
From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Date: Mon, 16 Jan 95 09:19:20 PST
To: padgett@tccslr.dnet.mmc.com
Cc: firewalls@greatcircle.com
Subject: Re: This is what I suspected
Message-Id: <9501161719.AA00422@manzanita.DEV.3Com.COM.noname>

Talk about letters crossing in the (e)mail... I hadn't thought about it from that point of view. Thank you very much.

I just did some experiments, and voila!, I can filter traffic to the router itself using the same IP filters used for other devices. The only caveats I can see are:

a) if someone were to spoof the legit address, they could get into the router, and
b) the filters need to specify all network addresses, not just the internal interface.
Thanks,
BobK

From firewalls-owner Mon Jan 16 10:30:26 1995
From: Thomas Nadeau
Date: Mon, 16 Jan 1995 12:33:01 -0500
To: smb@research.att.com
Cc: padgett@tccslr.dnet.mmc.com, firewalls@GreatCircle.COM
Subject: Re: You're too kind
In-Reply-To: <199501161625.IAA01171@miles.greatcircle.com> (smb@research.att.com)
Message-Id: <199501161733.MAA11564@raptor.acton.timeplex.com>

"smb" == smb writes:

>smb> According to some recent discussion in comp.security.misc,
>smb> Windows NT has indeed been submitted for formal evaluation at
>smb> the C2 level. So it's not completely marketdroid nonsense.

One would have thought that MicroSquish would have done that a long time ago, as I am sure that many government installations are using or wish to use Windows NT. Why did they wait so long? Perhaps stability or acceptance was an issue?

--tOm

Thomas D.
Nadeau, ascomTimeplex, Advanced Products Group, 289 Great Road, Acton, MA 01720 USA
Voice: (508) 266-3472, FAX: (508) 266-4999, email: nadeau@maelstrom.timeplex.com

From firewalls-owner Mon Jan 16 10:30:58 1995
From: lavondes@tidtest.total.fr (Michel Lavondes)
Date: Mon, 16 Jan 95 17:43:52 GMT
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson P.E. Information Security)
Cc: firewalls@greatcircle.com (fw)
Reply-To: lavondes@tidtest.total.fr
Subject: Re: This is what I suspected
In-Reply-To: <9501161521.AA03619@uvs1.orl.mmc.com>; from "A. Padgett Peterson, P.E. Information Security" at Jan 16, 95 10:21 am
Message-Id: <9501161743.AA06469@tidtest.total.fr>

A. Padgett Peterson, P.E. Information Security wrote:
>
> What I was looking for in the original question was which systems that
> provided routing/packet filtering could perform the same service for
> *themselves*. Earlier I had observed that many attacks succeed because
> [snip]

cisco boxes can. You can limit from what IP addresses/subnets/networks telnetting to the box will be allowed (this comes on top of whatever filters are applied to through or out traffic.)
Plus the software requires passwords for telnet in to work (i.e., you can't enter privileged mode unless it's password-protected, and I think the same goes for unprivileged access.) Even if that's not enough, that feels nicely thought out (not a plug :-)

> Obviously, if such a device allows connection from the system console only
> and that connection is to a PC or other device with a NIC on the inside
> net, *that* traffic can be routed/filtered. (Thought about including that
> in the original posting, decided "naaaaa, too kludgy").

I vaguely remember (couldn't find it in the manual set when I checked, though, so maybe I'm mistaken) that from a telnet session to a cisco, you can "connect" to the console port, i.e. send stuff on it and see what comes back. So, if memory serves me right (which it does less and less often these days - oh, well!), your scheme could allow one to bypass the bastion host.

--
Michel Lavondes
E-Mail: lavondes@tidtest.total.fr
        lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected)
Tel: +33-1-4135-4198  Fax: +33-1-4135-4189

From firewalls-owner Mon Jan 16 10:51:17 1995
From: Mark.Gibbons-1@kmail.ksc.nasa.gov (Mark E.
Gibbons)
Date: Mon, 16 Jan 95 12:56:45 EST
To: firewalls@greatcircle.com
Subject: Re: This is what I suspected
Message-Id: <9501161756.AA01216@escact.ksc.nasa.gov.ksc.nasa.gov>

> padgett@tccslr.dnet.mmc.com:
> Earlier I had observed that many attacks succeed because
> the firewall/router that is protecting a domain is often the vector for
> intrusion because it is not able to route/filter traffic for itself (and
> if the nodename is XXX_7000@... and the password is "CISCO" - don't laugh,
> ignorance is curable)

That would be double ignorance, as cisco allows an access list just to control connection to its vty ports.

best,
me

mark e. gibbons, Network Engineer, Kennedy Space Center, Florida 32899
M.S. INI-18, (v) 407.867.4847, (f) 407.867.4079
mark@luke.ksc.nasa.gov, mark.e.gibbons-1@ksc.nasa.gov
We are NOT all passengers on spaceship earth. We are crew members, and if we don't all start doing our jobs better we are going to crash & burn.
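The vty access list Mark mentions, and the "limit from what IP addresses telnetting to the box will be allowed" behaviour Michel describes above, written out as an added example for this archive (it is not from any post on the list); it also covers the two caveats Bob raised for filtering a router's own traffic. The management subnet 192.0.2.0/24, the station 192.0.2.10, the outside interface name Serial0 and the password are constructed placeholders.

```cisco
! Added example, not from the list: restrict telnet to a Cisco router's
! own vty lines. Addresses, interface name and password are placeholders.

! Standard access list 10: which source addresses may open a vty session
! to the router itself. Only the management station is permitted.
! (The "log" keyword on a standard list needs a newer IOS than the 9.1
! cited in the thread; drop it on older releases.)
access-list 10 permit 192.0.2.10 0.0.0.0
access-list 10 deny   any log

! access-class binds list 10 to the vty lines, inbound. It is applied to
! the line, not to an interface, so it covers telnet to any of the
! router's addresses on any interface, which is caveat (b) above. The
! password is still required after the source check passes, and
! exec-timeout drops a session idle for 5 minutes.
line vty 0 4
 access-class 10 in
 login
 password REPLACE-WITH-REAL-PASSWORD
 exec-timeout 5 0

! Caveat (a), a forged copy of the permitted address, is handled where
! packets enter: extended list 101 on the outside interface drops any
! packet claiming an inside source, so it never reaches the vty check.
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 101 permit ip any any

interface Serial0
 ip access-group 101 in
```

Once applied, the per-entry match counters shown by `show access-lists` make refused vty attempts (list 10) and dropped spoofed packets (list 101) visible without any extra tooling.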
From firewalls-owner Mon Jan 16 10:57:02 1995
From: bettez@phoque.info.uqam.ca (Jean-Sebastien Bettez)
Date: Mon, 16 Jan 1995 13:28:40 -0500 (EST)
To: firewalls@greatcircle.com
Subject: unsubscribe
Message-Id: <9501161828.AA09794@phoque.info.uqam.ca>

unsubscribe bettez@phoque.info.uqam.ca

From firewalls-owner Mon Jan 16 11:10:14 1995
From: Frank Wortner
Date: Mon, 16 Jan 1995 13:04:22 -0500 (EST)
To: firewalls@greatcircle.com
Subject: Re: You're too kind
In-Reply-To: <199501161625.IAA01171@miles.greatcircle.com>

This might be a bit off topic, but what systems have actually been evaluated at C2?
It's my understanding that the process is rather lengthy and quite expensive, so most vendors don't bother with a formal evaluation for C2. Of course, most vendors' CEOs don't drop $36,000,000 for a Leonardo codex, either! :-)

Frank

On Mon, 16 Jan 1995 smb@research.att.com wrote:

> ... Windows NT has indeed been submitted for formal evaluation at the C2
> level.

From firewalls-owner Mon Jan 16 11:22:01 1995
From: morgan@engr.uky.edu (Wes Morgan)
Date: Mon, 16 Jan 95 12:57:27 EST
To: firewalls@greatcircle.com
Subject: Re: You're too kind
Message-Id: <9501161757.AA21700@s.ecc.engr.uky.edu>

>From: smb@research.att.com
>
>According to some recent discussion in comp.security.misc, Windows NT
>has indeed been submitted for formal evaluation at the C2 level. So
>it's not completely marketdroid nonsense.

If memory serves, the NCSC evaluations involve both hardware *and* software configurations. Should the NCSC award a particular TCSEC rating, it *only* applies to the particular configuration of hardware and software submitted by the manufacturer. Of course, they aren't likely to submit your specific configuration. Therefore, be sure to apply liberal grains of salt when presenting any NCSC evaluation to one's coworkers/superiors/contacts. (As I understand it, variables in such areas as disk space and RAM do not affect the ratings; adding different software/hardware packages will.)
Unless my memory is completely out to lunch, the simple act of attaching a modem kills a C2 rating, unless the phone number is on a secure exchange in and of itself. For a C2 rating to hold for a gateway/bridge system, all connecting networks must conform to the Red Book's interpretation of "trusted networks."

--Wes

From firewalls-owner Mon Jan 16 11:40:33 1995
From: Richard Bellingar
Date: Mon, 16 Jan 1995 12:52:33 -0500 (EST)
To: padgett@tccslr.dnet.mmc.com
Cc: Firewalls Mailing List
Subject: Re: Thought
In-Reply-To: <9501151449.AA29943@uvs1.orl.mmc.com>

I know that the InterLock (ANS) and Eagle (Raptor) have this capability.

Rick Bellingar, Security Analyst, LEXIS-NEXIS, (513) 865-7005
PO Box 933, Dayton, Ohio 45401 (USA), ubellrj@meaddata.com
-*- Sine ultima piscet, excrementi ad infinitum, non excrementus facit. -*-

On Sun, 15 Jan 1995, padgett@tccslr.dnet.mmc.com wrote:

>
> So my question is: which firewalls (hopefully all) permit designation
> that only requests from certain nodes/"inside" nodes will be allowed
> to connect at all and make the wall itself unresponsive to ping/telnet/
> finger/etc from any other IP/net ?
> (here I am using "/" to indicate "and/or").
> Warmly,
> Padgett

From firewalls-owner Mon Jan 16 11:55:45 1995
From: rmck@sandfiddler.paragon-systems.com (Bob McKisson)
Date: Mon, 16 Jan 1995 14:35:30 +0500
To: padgett@tccslr.dnet.mmc.com
Cc: firewalls@greatcircle.com
Subject: Re: "C2" and other two letter combinations.
Message-Id: <9501161935.AA00435@ Paragon-Systems.COM>

> From firewalls-owner@GreatCircle.COM Mon Jan 16 13:44 EST 1995
> Date: Mon, 16 Jan 95 12:07:16 -0500
> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
> To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
> Subject: "C2" and other two letter combinations.
>
> rmck writes:
> >A C2 product (either certified or "designed to meet") is like a gun in the
> >hands of a child or adult who doesn't know any better. Eventually they
> >will just hurt themselves with it.
> >The DDI could do us all a great public
> >service by just getting rid of it
>
> This comment just gave me a great idea:
> 1) NCSC trademarks the designations
> 2) Specifies that the designation
>    a) may only be used for a certified product
>    b) must be accompanied by the conditions under which the certification
>       was granted.
>
> The fact is that "designed to meet C2" or "submitted for testing" are "full
> of sound and fury, signifying nothing."
> P.fla

Good idea. You go to "the Fort" and negotiate the licensing arrangements, we'll get someone on the Digest to write some smoke called "criteria" to go with the new designations, and I'll write up a bunch of lies for the Business Plan. Given the apparent willingness of folks to jump on to this C2 stuff, I can probably get some fool to finance us - and it's off to the bank. Let the rest of the world line up at the NCSC window to spend a bundle in IR&D, and BS the user community about the anticipated release of the newest "certified" widget. In the meantime we sell 'em "Trusted Pet Rocks" - by the pound.

rmck

From firewalls-owner Mon Jan 16 12:12:20 1995
From: sargent@sgt.com
Date: Mon, 16 Jan 95 14:01:43 -0500
To: firewalls@greatcircle.com@uvs1.dnet.mmc.com, padgett@tccslr.dnet.mmc.com
Subject: Re: This is what I suspected
Message-Id: <9501161901.AA05044@uvs1.orl.mmc.com>

Bob wrote:
> >> At the risk of sounding self (well, company) centric, our (3Com) routers
> >> can be set to allow no access but console.
> >> We then connect the console
> >> port to a communications (terminal) server so that we can still connect
> >> to it by telnet.

Michel replied:
> >At the risk of sounding dense, what's the difference between telnetting to
> >a router and telnetting to a port on a terminal server that connects to the
> >console port on the router ?

Padgett commented:
> What I was looking for in the original question was which systems that
> provided routing/packet filtering could perform the same service for
> *themselves*. Earlier I had observed that many attacks succeed because
> the firewall/router that is protecting a domain is often the vector for
> intrusion because it is not able to route/filter traffic for itself (and
> if the nodename is XXX_7000@... and the password is "CISCO" - don't laugh,
> ...

While the last paragraph above does not explicitly state that Ciscos are not able to filter their own traffic, the mention of Ciscos in the same breath may confuse some. Our Ciscos *do* filter their own traffic since IOS v9.1, that I can attest to. This is accomplished by means of ACLs combined with the "access-class" command within the "line vty" configs.

Regards-
Robert

From firewalls-owner Mon Jan 16 15:29:42 1995
From: somewhere!sjg@zen.void.oz.au
Date: Mon, 16 Jan 95 18:00:47 -0500
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E.
Information Security)
Cc: "firewalls@greatcircle.com"@uvs1.dnet.mmc.com
Subject: Re: This is what I suspected
Message-Id: <9501162300.AA06255@uvs1.orl.mmc.com>

> Obviously, if such a device allows connection from the system console only
> and that connection is to a PC or other device with a NIC on the inside
> net, *that* traffic can be routed/filtered. (Thought about including that
> in the original posting, decided "naaaaa, too kludgy").

Not really... the firewall we are building at my customer's site involves a few routers, and all will only talk via their consoles, which will be connected via serial links to a management machine on the inner DMZ. This system will be configured the same as the bastion hosts, and access will be restricted by an inner router's ACL plus one-time challenge/response and (hopefully) an encrypted telnet. It will also have console connections to the firewall's bastion hosts.

I'm quite happy to just have the routers route, and let us connect cables to their console port. A UNIX machine is (IMHO) the right place to put all that hoopy security paranoia stuff.

Of course all this makes the mgt machine a major point of failure, as it will also be the loghost and used for auditing the filesystems on the bastions using tripwire via NFS (TCP based only, runs under inetd, no portmapper, no biod, no kernel NFS support on bastion, performance sucks but hey...). But I think it will be adequately protected.

Comments?
--sjg

From firewalls-owner Mon Jan 16 15:40:00 1995
From: maass@odb.rhein-main.de (Joerg Maass)
Date: Tue, 17 Jan 1995 01:23:36 +0100
To: wallynet@panix.com (Walter F. Netman)
Cc: firewalls@GreatCircle.COM
Subject: Re: packet filter on stock OSes (was: what firewall platform?)

Hi Walter,

>Where is stock OSes?
>

I don't understand your question, I'm afraid... If you wanted to ask for implementations, both Ultrix and OSF/1 have a so-called screend, which is a sophisticated packet filter (add a little marketing sugar here :-). You can configure them into the kernel and then edit a plain English configuration file. Check out the documentation or send me a mail (Joerg.Maass@frs.mts.dec.com) if you need more help.

>>> Uh, the interface a packet arrived on is available from the mbuf
>>>header in 44bsd systems. I've used this fairly easily to build a
>>>fairly minimal packet filter so that "virtual private networking"
>>>(encrypting and sending to a branch office) works, and isn't spoofed
>>>by packets arriving from the "public" interface.
>>> This is possible in 43BSD/SunOS too, thanks to a little kludge.
>>>
>>
>>Possible on Ultrix and OSF/1 from Digital Equipment, too.
>>
--
Am Tiergarten 22, D-60316 Frankfurt, Germany
Tel.: +49/69/4990880  Fax: +49/6103/383-157
privat: maass@thinkfish.rhein-main.de  biz.: Joerg.Maass@frs.mts.dec.com
PGP signature available upon request.

From firewalls-owner Mon Jan 16 15:55:55 1995
From: (Mark S. Kadrich)
Date: Mon, 16 Jan 1995 14:45:32 -0800
To: mcfowler@corp.rockwell.com (Mark C. Fowler), firewalls@GreatCircle.COM
Subject: Re: Bastion host sizing
Message-Id: <199501162245.OAA25917@uni.ins.com>

At 01:09 PM 1/10/95 +0800, Mark C. Fowler wrote:
>I've been asked what kind of UNIX machine we should get for our
>bastion host. I've been told by our network hardware people to size
>it for a T1 rate of throughput. We have a T1 connection to the Internet
>but does that really mean that the bastion host should expect
>1.544 megabits per second?

This depends on your traffic analysis. What % of traffic is in vs. out, and what % of traffic must stop at the bastion? Assuming that the T1 feeds a router and that this router feeds your bastion, annnd there is nothing else on the wire, you should have plenty of room.

>
>I expect that the machine will be running some proxy software (I can't
>be any more specific at the moment), anonymous FTP service (read only),
>httpd (probably NCSA's but this could change), and an authentication
>server (not sure which one).
>
>I would like some information about the performance of various
>brands/models/configurations of UNIX machines that are used as bastion hosts.
>I really have no idea what size of machine to get. Can we get away
>with a PC-AT running Coherent or do we need the latest 64-bit monstrosity?
>How much memory and disk? Is one brand's ethernet throughput better than
>another's? Does that really matter? Etc., etc., etc.

Disk size depends on how often you want to deal with -routine- sysadmin stuff, like offloading old data, and which services you plan to support. Expect 75M/day for netnews alone. For a cycle time of one month and a reasonable surge capacity, a 3G disk sounds suitable.

RAM depends on what type and which kind of executables you are running. The same argument can be used to determine required processor bandwidth. You must be more specific with your requirements before an accurate -estimate- can be made.

As far as the interface question is concerned I believe the answer is yes. I believe that most PC type NICs hover at 1M/s effective xput. Just remember that figures don't lie but liars figure...

>
>
>Mark Fowler
>Rockwell
>mcfowler@corp.rockwell.com
>
>

******************************************************************
Mark S. Kadrich, Systems Engineer, International Network Services
"The Power of Operable Networks"
Voice @ 415-254-4225, Page @ 1-800-759-7243; PIN 879-5783
e-mail @ kadrich@uni.ins.com
Security is a process, not a solution.
******************************************************************

From firewalls-owner Mon Jan 16 18:10:58 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA12880 for firewalls-outgoing; Mon, 16 Jan 1995 17:51:38 -0800
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id RAA12875 for ; Mon, 16 Jan 1995 17:51:35 -0800
Received: from cixgate by relay2.UU.NET with SMTP id QQxyzv13184; Mon, 16 Jan 1995 20:50:06 -0500
Received: from manzanita.DEV.3Com.COM.noname ([139.87.180.206]) by cixgate (4.1/SMI-4.1/3com-cixgate-GCA-931027-01) id AA14830; Tue, 17 Jan 95 01:54:31 GMT
Received: by manzanita.DEV.3Com.COM.noname (4.1/SMI-4.1) id AA00845; Mon, 16 Jan 95 17:44:28 PST
Date: Mon, 16 Jan 95 17:44:28 PST
From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Message-Id: <9501170144.AA00845@manzanita.DEV.3Com.COM.noname>
To: firewalls@greatcircle.com
Subject: Switching ports
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'd like to know if anyone can confirm or deny a rumour I heard.

The general idea is that someone telnets to an unblocked port (say 21 or 25) and then *somehow* switches destination ports *within* the targeted host while keeping the port number on the network the same.

Any info?
BobK

From firewalls-owner Mon Jan 16 19:40:06 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA14139 for firewalls-outgoing; Mon, 16 Jan 1995 19:33:12 -0800
Received: from crocus.sasknet.sk.ca (crocus.sasknet.sk.ca [192.75.63.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id TAA14134 for ; Mon, 16 Jan 1995 19:33:09 -0800
Received: by crocus.sasknet.sk.ca (5.65/DEC-Ultrix/4.3) id AA21681; Mon, 16 Jan 1995 21:31:12 -0600
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 16 Jan 1995 21:31:13 -0600
To: firewalls@greatcircle.com
From: balderd@crocus.sasknet.sk.ca (Dave Balderstone)
Subject: BSDI Internet Server -- Any good?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We're looking at putting an email, WWW and Gopher server up on the Internet, without a direct connect to our internal LAN(s) for now.

Does anyone have any experience with the BSDI Internet Server from Berkeley Software? Good or bad?
Dave Balderstone, Manager Business Analysis | balderd@crocus.sasknet.sk.ca
Western Producer Publications               | OR
2310 Millar Ave, Saskatoon, Canada S7K 2C4  | Voice 306-665-3545, Fax 306-665-9614 | 75211.3630@compuserve.com
--------------------------------------------------------------------------
"Opinions expressed are not necessarily those of the Western Producer"
--------------------------------------------------------------------------

From firewalls-owner Mon Jan 16 20:10:07 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA14651 for firewalls-outgoing; Mon, 16 Jan 1995 20:02:58 -0800
Received: from sequoia.itd.uts.EDU.AU (daemon@sequoia.itd.uts.EDU.AU [138.25.16.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id UAA14639 for ; Mon, 16 Jan 1995 20:02:47 -0800
Received: from lordmuck.itd.uts.edu.au by sequoia.itd.uts.EDU.AU with SMTP id AA01149 (5.65c/IDA-1.4.4 for ); Tue, 17 Jan 1995 15:00:43 +1100
Received: by lordmuck.itd.uts.edu.au (5.0/SMI-SVR4) id AA29823; Tue, 17 Jan 1995 15:02:41 +1100
From: matt@uts.EDU.AU (Jas (Matthew K))
Message-Id: <9501170402.AA29823@lordmuck.itd.uts.edu.au>
Subject: Re: Switching ports
To: bobk@manzanita.dev.3com.com (Bob Konigsberg)
Date: Tue, 17 Jan 1995 15:02:40 +1000 (EST)
Cc: firewalls@greatcircle.com (Firewalls Mailing List)
In-Reply-To: <9501170144.AA00845@manzanita.DEV.3Com.COM.noname> from "Bob Konigsberg" at Jan 16, 95 05:44:28 pm
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 862
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bob Konigsberg wrote this...
>
> I'd like to know if anyone can confirm or deny a rumour I heard.
>
> The general idea is that someone telnets to an unblocked port (say 21 or 25)
> and then *somehow* switches destination ports *within* the targeted host
> while keeping the port number on the network the same.
>
> Any info?
>
> BobK
>

someone has set up a tunnel on some host somewhere.. that's all.
Matt
--
Matthew Keenan                    Systems Programmer
Information Technology Division   University of Technology Sydney Australia
email: matt@uts.edu.au            www: http://milliways.itd.uts.edu.au/~matt/
ph: +61 2 330 1390                fax: +61 2 330 1999   home: +61 2 416 5722
GCV 2.1 GAT/M/CS d--(-+) H-- s++:-- g+ p? !au a-(?) w+++ v+ C+++$ UVS++++$ P+>+++ L- 3+++ E-(++) N++ K W--- M+ V-- -po+(+) Y+ t+ !5>++ jx R+ G? !tv b+++ D++ B e+ u--(**) h- f+(*) r n- !y

From firewalls-owner Mon Jan 16 22:40:03 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA15666 for firewalls-outgoing; Mon, 16 Jan 1995 22:20:35 -0800
Received: from gateway1.DHL.COM (gateway1.DHL.COM [137.98.208.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id WAA15661 for ; Mon, 16 Jan 1995 22:20:32 -0800
Received: from hpport.systems.DHL.COM by gateway1.DHL.COM id aa19169; 16 Jan 95 23:07 PST
Received: from nb-dyna78.interaccess.com by hpport.systems.DHL.COM with ESMTP (DHLGMS 5.00/DSI) id AA28090; Mon, 16 Jan 1995 22:19:00 -0800
Received: by data.systems.dhl.com (4.1/DHL-sun4.3) id AA00989; Tue, 17 Jan 95 00:19:11 CST
From: James Buszard-Welcher
Message-Id: <9501170019.ZM987@data.systems.dhl.com>
Date: Tue, 17 Jan 1995 00:19:11 -0600
In-Reply-To: kranta@sun3.oulu.fi "Re: Incidents" (Jan 15, 4:39pm)
References: <9501152139.AA00879@uvs1.orl.mmc.com>
X-Mailer: Z-Mail (3.2.0 06sep94)
To: firewalls@greatcircle.com
Subject: Re: Incidents
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>From the Autumn 1994 Issue:

2600 (ISSN 0749-3851) is published quarterly by 2600 Enterprises Inc., 7 Strong's Lane, Setauket, NY 11733

ADDRESS ALL SUBSCRIPTION CORRESPONDENCE TO: 2600 Subscription Dept., P.O. Box 752, Middle Island, NY 11953-0752

FOR LETTERS AND ARTICLE SUBMISSIONS, WRITE TO: 2600 Editorial Dept., P.O.
Box 99, Middle Island, NY 11953-0099

INTERNET ADDRESS: 2600@well.cf.ca.us
2600 Office Line: 516.751.2600
2600 F A X Line: 516.474.2677

I pick up my copy at the local Comics shop ;^)

On Jan 15, 4:39pm, kranta@sun3.oulu.fi wrote:
> Subject: Re: Incidents
>> On Wed, 11 Jan 1995 padgett@tccslr.dnet.mmc.com wrote:
>>
>> > _2600_ magazine
>> >
>> > "The Hacker Quarterly"
>>
>> Could you tell the publishers of these magazines or where they can be read ?
>> Thanks,
>> Kaisu
>>
>> Kaisu.Ranta@oulu.fi Oulu University
>> Computer Services Centre
>> Finland
>>
>>
>-- End of excerpt from kranta@sun3.oulu.fi

--
James Buszard-Welcher   | jwelcher@systems.DHL.COM | "Just don't create a
DHL Systems, Inc.       | phone 312.248.3097       | file called -rf."
UNIX/Network Consultant | vmail 415.375.5324       | -Larry Wall

From firewalls-owner Tue Jan 17 03:09:56 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA18617 for firewalls-outgoing; Tue, 17 Jan 1995 02:55:42 -0800
Received: from s835cc.bi.ehu.es (s835cc.bi.ehu.es [158.227.65.30]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id CAA18602 for ; Tue, 17 Jan 1995 02:54:49 -0800
Message-Id: <199501171054.CAA18602@miles.greatcircle.com>
Received: from bipa05.bi.ehu.es by s835cc.bi.ehu.es with SMTP (1.37.109.4/15.6) id AA22807; Tue, 17 Jan 95 11:48:59 +0100
X-Sender: jtpjatae@s835cc.bi.ehu.es
X-Mailer: Windows Eudora Version 1.4.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 17 Jan 1995 11:53:56 +0200
To: firewalls@greatcircle.com
From: jtpjatae@bi.ehu.es (Eduardo Jacob)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

---------------------------------------------------------------
- Eduardo Jacob Taquet                                        -
- Professor, Telematics Engineering Area                      -
- Department of Automation, Electronics                       -
- and Telecommunications                                      -
- E.T.S. I.I. y de I.T.
                          Tel: +34-(9)4-427 8055 -
- UPV / EHU               Fax: +34-(9)4-441 4041 -
- Alda Urquijo s/n        E-mail: jtpjatae@bi.ehu.es -
- E-48013 - Bilbao (Spain)        : 100021,2212 Compuserve -
- pgp key available                                 -
-                                                   -
- 'Life is no more than a self modifying piece of code' -
---------------------------------------------------------------

From firewalls-owner Tue Jan 17 07:10:19 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA20383 for firewalls-outgoing; Tue, 17 Jan 1995 06:46:18 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA20378 for ; Tue, 17 Jan 1995 06:46:15 -0800
Received: from alv.nada.kth.se by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id GAA19241; Tue, 17 Jan 1995 06:41:27 -0800
Received: (from x-frode@localhost) by alv.nada.kth.se (8.6.9/8.6.9) id PAA24973 for firewalls@greatcircle.com; Tue, 17 Jan 1995 15:22:51 +0100
Date: Tue, 17 Jan 1995 15:22:51 +0100
From: Frode Hoem
Message-Id: <199501171422.PAA24973@alv.nada.kth.se>
To: firewalls@greatcircle.com
Subject: Changes in policy
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all

Consider the usual firewall-solutions:

* One dual-interfaced application gateway with IP turned off.
* A screening router facing the Internet plus an inside application gateway (screened-host gateway).
* Screened-subnet-firewall with an application gateway and info-servers connected to a "DMZ"-net screened by one router on both sides.

Which of the above is the most strategic solution, i.e. can easily be adapted to future changes in a security/Internet-use policy and new currently unknown services/protocols? Maybe some different solution than the above is more appropriate to meet future needs?
All thoughts and suggestions to this are appreciated

/ Frode

From firewalls-owner Tue Jan 17 07:40:12 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA20614 for firewalls-outgoing; Tue, 17 Jan 1995 07:02:00 -0800
Received: from Logical.NET (logical.net [204.97.128.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA20609 for ; Tue, 17 Jan 1995 07:01:57 -0800
Date: Tue, 17 Jan 1995 10:00:30 -0500 (EST)
From: Pete Wargo
To: firewalls@greatcircle.com
Subject: Routing, Sendmail, and a big bottle of asprin...
Message-ID:
MIME-Version: 1.0
Content-Length: 3818
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If you feel the need to laugh at my troubles, feel free.

I'm trying to debug some problems I'm having with our firewall setup. I'll go into detail first about the configuration, then detail my problems. Up front, let me say that I've spent years administrating small UNIX networks, but never had to start from scratch (connecting to the internet) or implement a firewall. I've been cover-to-cover on the Cheswick & Bellovin(sp?) book, as well as ORA's excellent books on Sendmail and DNS/BIND. I'm hoping somebody will want to lend a hand to a fellow sufferer - I need some potentially stupid questions answered. Help me enough, and I'll take you out to dinner sometime. (Assuming you live in the US - I travel from time to time.)

Background:

The company I work for, TV Data Technologies, finally bent to my will and decided that we needed internet connectivity. (Of course, I ended up having to implement everything! Me and my big mouth...) Since our business revolves around data (television listing and entertainment information), I decided early on that a firewall was probably a good idea. Our internal network has too many machines of differing platforms (VMS, PDP-11, UNIX, OS/400, etc...) for me (the self-appointed security chief) to deal with effectively.
With that in mind, I purchased a Livingston IRX firewall router, a nice box with all the bells and whistles. I also purchased a SPARCstation 1+ (used, cheap, and powerful enough) as our bastion host. Internally, my SPARCstation 5 serves as the fledgling mail hub for SMTP-based mail in the corporation. (Right now, VMS mail (shudder!) is the standard - soon we will do away with that..) We have our internal class C (I'll call it x.y.z) that we registered with the InterNIC a few years ago, as well as an external class C (a.b.c) from our internet provider.

During setup, I followed the instructions Livingston provided to configure the bastion host, including stripping down the OS and replacing Sendmail with 8.6.9 and replacing BIND as well. I used their bastion sendmail configuration. (The bastion runs SunOS 4.1.1, BTW). Inside, my SPARC 5 runs Solaris 2.3, with the stock sendmail and Sun's default sendmail configuration. The bastion (oscar.tvdata.com) also masquerades as tvdata.com, and all mail addresses should be @tvdata.com. I don't want E-mail addressed to an internal host, nor do I want the host's name to appear at the other end.

Currently, my internal (x.y.z) class C is *not* routed by the InterNIC. (I'm in the process of fixing that now...), but our external is (a.b.c). My bastion host can ftp & telnet just fine, to both outside & inside machines. Of course, inside machines can do nothing... E-mail from my hub goes out, but ...

PROBLEM #1: E-mail doesn't make it in. The bastion host reports a sendmail error that mail "loops to myself". Funny thing is, I was able at one point to get outside mail in by adding an MX record in the db file for BIND on the bastion host, pointing to emmy (my inside SPARC 5 mail hub). Outside mail from MX-stupid hosts only, tho - just some older SunOS boxes. Other, smarter mailers tried to connect to emmy, and of course failed. (The non-MX aware hosts seemed to stop at oscar, and oscar flipped it to emmy.) I'm stumped.
PROBLEM #2: will some of this go away when routing to the x.y.z address is turned on? (Then the filters on the router can go to work...)

SUPPLEMENTAL: Is routing necessary for x.y.z? Especially if I want to implement telnet & ftp (proxy) as well as gopher and www when we finally switch from 56K to T1?

FINAL Q: Am I dumb, or is this harder than I thought?

Thanks in advance for any help. Remember, e-mail replies, insults, and whatever to pwargo@logical.net.

_pete Wargo

From firewalls-owner Tue Jan 17 07:46:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA21216 for firewalls-outgoing; Tue, 17 Jan 1995 07:39:07 -0800
Received: from noc1.mid.net (noc1.mid.net [198.247.250.15]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA21211 for ; Tue, 17 Jan 1995 07:39:04 -0800
Received: from jayhawk. (jayhawk.mid.net [198.247.250.21]) by noc1.mid.net (8.6.9/8.6.9) with SMTP id JAA04030 for ; Tue, 17 Jan 1995 09:37:16 -0600
Received: by jayhawk. (5.x/SMI-SVR4) id AA09806; Tue, 17 Jan 1995 09:33:50 -0600
From: alan@mid.net (Alan Hannan)
Message-Id: <9501171533.AA09806@jayhawk.>
Subject: Cisco Logging
To: firewalls@greatcircle.com
Date: Tue, 17 Jan 1995 09:33:49 -0600 (CST)
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

(this article, in a slightly different form, was posted to comp.dcom.sys.cisco)

I am interested in using my cisco routers to log certain things. I would like to know the logging capabilities of 10.x code. Specifically I am interested in knowing if I can log the incidences of packet filtering. For example, can I log when a person comes to the router from a filtered network, or when a person tries to use a filtered port, or a combination thereof.

I also am interested in the logging capabilities of the cisco code for things like logins, faults, etc...
Any information or pointers to such greatly appreciated.

--
+ alan@mid.net    Network Operations Center    (402)/472-0242, Fax (402)/472-0240 +
+ + + + + + + + + + + + + + + + + + + ++ + + + + + + + + + + + + + + + + + + + +
+============\\     "Small is the number of them that see with their own eyes +
+MIDnet, Inc. \\____ and feel with their own hearts." - Albert Einstein       +

From firewalls-owner Tue Jan 17 09:10:30 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA22851 for firewalls-outgoing; Tue, 17 Jan 1995 09:08:24 -0800
Received: from BGUVM.BGU.AC.IL (vm.bgu.ac.il [132.72.20.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA22846 for ; Tue, 17 Jan 1995 09:08:17 -0800
Received: from ramon.bgu.ac.il by BGUVM.BGU.AC.IL (IBM VM SMTP V2R2) with TCP; Tue, 17 Jan 95 19:05:29 IST
Received: by ramon.bgu.ac.il (931110.SGI/931108.SGI.ANONFTP) for @bguvm.bgu.ac.il:firewalls@greatcircle.com id AA04159; Tue, 17 Jan 95 18:59:47 +0200
From: jsz@ramon.bgu.ac.il (jsz)
Message-Id: <9501171659.AA04159@ramon.bgu.ac.il>
Subject: Re: Cisco Logging
To: alan@mid.net (Alan Hannan)
Date: Tue, 17 Jan 1995 18:59:46 +0200 (IST)
Cc: firewalls@greatcircle.com
In-Reply-To: <9501171533.AA09806@jayhawk.> from "Alan Hannan" at Jan 17, 95 09:33:49 am
X-Organization: Ben-Gurion University of the Negev, Beer Sheva, Israel
X-Disclaimer: Views are solely my own and not those of BGU
Content-Type: text
Content-Length: 769
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> I am interested in using my cisco routers to log certain things.
> I would like to know the logging capabilities of 10.x code. Specifically
> I am interested in knowing if I can log the incidences of packet filtering.
> For example, can I log when a person comes to the router from a filtered
> network, or when a person tries to use a filtered port, or combination thereof.
>
> I also am interested in the logging capabilities of the cisco code for things
> like logins, faults, etc...
>
> Any information or pointers to such greatly appreciated.
>

I don't know about the 10.X version -- but I am unaware of any capability of cisco 9.X routers to log rejected/bypassed packets -- you might call it a disadvantage.

rgrds,
--- jsz

From firewalls-owner Tue Jan 17 10:10:23 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA23740 for firewalls-outgoing; Tue, 17 Jan 1995 09:55:50 -0800
Received: from mwunix.mitre.org (mwunix.mitre.org [128.29.154.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA23735 for ; Tue, 17 Jan 1995 09:55:47 -0800
From: lazear@dockside.mitre.org
Received: from gateway.ie.org (gateway.mitre.org [128.29.31.10]) by mwunix.mitre.org (8.6.4/8.6.4) with SMTP id MAA29559; Tue, 17 Jan 1995 12:50:59 -0500
Received: from dockside.mitre.org by gateway.ie.org (4.1/SMI-4.1) id AA26103; Tue, 17 Jan 95 12:50:30 EST
Received: by dockside.mitre.org (4.1/SMI-4.1) id AA08088; Tue, 17 Jan 95 12:50:21 EST
Message-Id: <9501171750.AA08088@dockside.mitre.org>
To: Leo Willems
Cc: bind@uunet.uu.net, socks@syl.dl.nec.com, firewalls@greatcircle.com, lazear@dockside.mitre.org
Subject: Re: dns behind firewall
In-Reply-To: Your message of "Fri, 13 Jan 95 22:19:25 +0100." <199501132119.WAA20817@gammix.tunix.kun.nl>
Date: Tue, 17 Jan 95 12:50:17 -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In a recent project requiring a firewall, my team decided on the split DNS approach. We have a wildcard and single MX on the outside and a full database on the inside, with "forwarder" interaction between the two. All resolvers (firewall and backside hosts) point to the inside DNS server.

Philosophical: Our main goal was to give people flexibility to enforce different levels of paranoia and security policies, while providing a common implementation across numerous sites.
Even though we told sites that they should not name systems with any sensitive or revealing words, some people just like to do that. We explained all the ways host names show up in headers even if you hide the names via DNS, but there was a "feeling" that removing them from the external view of the DNS database would be more comfortable. Here was an example of no good technical reason, but a level of intangible comfort.

Technical: We wanted to allow the site behind the firewall the freedom to deliver email using DNS. That is, we did not want to limit their choice of resolution method. Some sites have kept all mail on a single server (ignoring MX records), while others have used non-SMTP to distribute email behind the firewall. Others actually use the inside set of MX records to deliver. This was exactly the range of choices we wanted to offer.

For debugging (connectivity to other sites), you want to have full name resolution available to you. This may not have to be from a backside host and may not be needed by normal users, but for sysadmins, it's a necessity (IMHO). You can call this philosophical or "soft" technical if you wish.

Thoughts about *not* using the split DNS: If your backside hosts did not care to use DNS at all, you probably could get away with an extremely simple DNS database and server on the firewall. All resolvers would point to the firewall. Of course, you'd have to create some equivalent to a host table for backside hosts to use to contact each other.
Walt

From firewalls-owner Tue Jan 17 10:27:11 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA23747 for firewalls-outgoing; Tue, 17 Jan 1995 09:56:44 -0800
Received: from pegase.total.fr (pegase.total.fr [146.249.41.223]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA23741 for ; Tue, 17 Jan 1995 09:55:58 -0800
Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA06878; Tue, 17 Jan 95 18:50:40 +0100
Received: by tidtest.total.fr (4.1/SMI-4.1) id AA06946; Tue, 17 Jan 95 18:47:04 GMT
From: lavondes@tidtest.total.fr (Michel Lavondes)
Message-Id: <9501171847.AA06946@tidtest.total.fr>
Subject: Re: Routing, Sendmail, and a big bottle of asprin...
To: pwargo@logical.net (Pete Wargo)
Date: Tue, 17 Jan 95 18:47:03 GMT
Cc: firewalls@greatcircle.com (fw)
Reply-To: lavondes@tidtest.total.fr
In-Reply-To: ; from "Pete Wargo" at Jan 17, 95 10:00 am
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Pete Wargo wrote :
> [snip]
> take you out to dinner sometime. (Assuming you live in the US - I travel
> from time to time.)

Ever thought of visiting Europe ? :-)

> [snip]
> PROBLEM #1: E-mail doesn't make it in. The bastion host reports a
> sendmail error that mail "loops to myself" Funny thing is, I was able at
> one point to get outside mail in by adding an MX record in the db file
> for BIND on the bastion host, pointing to emmy (my inside SPARC 5 mail
> hub). Outside mail from MX-stupid hosts only, tho - just some older SunOS
> boxes. Other, smarter mailers tried to connect to emmy, and of course
> failed. (The non-MX aware hosts seemed to stop at oscar, and oscar
> flipped it to emmy.)

Sorry about that, but you were close to the solution when you wrote "get outside mail in by adding an MX record." From what you say of your setup, it seems that the DNS on your bastion has an MX pointing to oscar, which allows outside hosts to forward mail there.
Your problem probably is that sendmail on oscar tries to use that same DNS to figure out the next step. What I think you should do is have an inside DNS with a forwarders to your outside DNS in it, and put the inside DNS' address in oscar's resolv.conf. This double-DNS technique is discussed somewhere in C&B (around pages 60-70 if memory serves me right.)

Or you could just set up sendmail.cf on oscar not to bother with DNS and send everything to emmy, but then emmy itself would probably need that inside DNS.

> PROBLEM #2: will some of this go away when routing to the x.y.z address
> is turned on? (Then the filters on the router can go to work...)

Can't see why it would, but then, miracles *do* seem to happen now and then.

> SUPPLEMENTAL: Is routing necessary for x.y.z? Especially if I want to
> implement telnet & ftp (proxy) as well as gopher and www when we finally
> switch from 56K to T1?

No, assuming that your proxies won't be attached to x.y.z only (they won't, will they ? :-)

> FINAL Q: Am I dumb, or is this harder than I thought?
Neither, it just takes some getting used to

HTH
--
Michel Lavondes
E-Mail : lavondes@tidtest.total.fr
         lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected)
Tel : +33-1-4135-4198   Fax : +33-1-4135-4189

From firewalls-owner Tue Jan 17 10:40:23 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA24059 for firewalls-outgoing; Tue, 17 Jan 1995 10:20:32 -0800
Received: from birch.ims.disa.mil (root@birch.ims.disa.mil [164.117.176.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA24054 for ; Tue, 17 Jan 1995 10:20:25 -0800
Received: from CC.IMS.DISA.MIL ([164.117.176.106]) by birch.ims.disa.mil (8.6.9/DISA 0.5.1) with SMTP id NAA06647 for ; Tue, 17 Jan 1995 13:18:51 -0500
Received: from cc:Mail by CC.IMS.DISA.MIL id AA790377567; Tue, 17 Jan 95 13:17:39 EST
Date: Tue, 17 Jan 95 13:17:39 EST
From: "Dion Stempfley"
Message-Id: <9500177903.AA790377567@CC.IMS.DISA.MIL>
To: firewalls@GreatCircle.COM
Subject: Re: List of firewall log attack signatures?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>Does anyone have a list of common firewall log entries that show that a
>>firewall is being attacked, and what kind of attack the log entries
>>represent?
>>If so, I would be grateful if you could e-mail a copy to me at
>>adamsb@un.org.
>>Posting the log entries on the list might not be appropriate, as the
>>alt.2600/#Hack FAQ recommends that crackers subscribe to this list

I can't argue appropriateness, I happen to agree that posting of such logs would not be too cool. However, we always need to remember that security by ignorance isn't. Never assume that limiting posts of in-depth technical analysis will limit the number of crackers or the ability of those that exist.

I think that the information in the logs could be used to compile recommendations for implementors of firewalls without publishing lengthy logs with blow-by-blow attacks.
Dion Stempfley

From firewalls-owner Tue Jan 17 11:10:28 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA24110 for firewalls-outgoing; Tue, 17 Jan 1995 10:22:28 -0800
Received: from clavin.uprc.com (clavin.uprc.com [144.94.68.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA24105 for ; Tue, 17 Jan 1995 10:22:22 -0800
Received: from cygnus.uprc.com by clavin.uprc.com (4.1/3.2.012693-Union Pacific Resources Company); id AA00476 for firewalls@greatcircle.com; Tue, 17 Jan 95 12:21:53 CST
Received: by cygnus.uprc.com (5.0/SMI-SVR4) id AA00811; Tue, 17 Jan 1995 12:21:44 +0600
Date: Tue, 17 Jan 1995 12:21:44 +0600
From: z056716@uprc.com (LaCoursiere J. D. (Jeff))
Message-Id: <9501171821.AA00811@cygnus.uprc.com>
To: alan@mid.net, jsz@ramon.bgu.ac.il
Subject: Re: Cisco Logging
Cc: firewalls@greatcircle.com
X-Sun-Charset: US-ASCII
Content-Length: 862
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> >
> > I also am interested in the logging capabilities of the cisco code for things
> > like logins, faults, etc...
> >
> > Any information or pointers to such greatly appreciated.
> >
>
> I don't know about the 10.X version -- but I am unaware of any capability of cisco 9.X
> routers to log rejected/bypassed packets -- you might call it a disadvantage.
>

Has the 10.x code been released? I keep hearing about it, but I was told by our rep in November that it would not be out til 2nd quarter... (and that it probably wouldn't even run on the 250x series anyway...?)

 ______/  Jeff LaCoursiere          FastLane Communications
      /   Network security/services mail info@fastlane.net
  ___/    lacoursj@fastlane.net
    /
 __/ ASTLANE Communications!  Connecting America to the Internet...
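The two split-DNS posts earlier in this thread (Walt Lazear's "wildcard and single MX on the outside, full database on the inside" and Michel Lavondes's advice to point oscar's resolv.conf at an inside DNS) both turn on how a relay chooses its next hop from MX records. The following is an added example, not code from the list or from any poster: a Python model of the RFC 974 rule that sendmail applies when it finds itself in the MX list, run against two constructed zone views. The host names oscar and emmy follow the thread; the addresses, preferences and zone contents are assumptions made for the example and are not Pete Wargo's real configuration.

```python
"""
Model of SMTP next-hop selection from MX records, to show why a bastion
that resolves against the outside view (where it is the only MX) reports
"mail loops back to myself", while the same bastion resolving against an
inside view that lists the internal hub relays correctly.

All records below are constructed for this example.
"""
from dataclasses import dataclass, field


class MailLoop(Exception):
    """Every usable MX points back at the relaying host (sendmail's
    'config error: mail loops back to myself')."""


@dataclass
class DnsView:
    """One view of a zone: MX records as (preference, host), A records as host -> address."""
    mx: dict = field(default_factory=dict)
    a: dict = field(default_factory=dict)


def next_hop(domain, self_name, view, local_domains=()):
    """Host an SMTP relay named `self_name` connects to for mail to `domain`,
    or 'local' when the relay accepts the domain itself.

    RFC 974: if the relay appears in the MX list, discard every record whose
    preference is greater than or equal to its own.  If nothing remains and
    the domain is not local, delivery would loop back to the relay.
    """
    if domain in local_domains:
        return "local"
    records = sorted(view.mx.get(domain, []))
    if not records:
        # No MX: fall back to the A record, as an MX-unaware host does.
        if domain in view.a:
            return domain
        raise LookupError(f"no MX or A record for {domain}")
    own = [pref for pref, host in records if host == self_name]
    if own:
        records = [(p, h) for p, h in records if p < own[0]]
        if not records:
            raise MailLoop(f"MX list for {domain} points back to {self_name}")
    return records[0][1]


def deliver_from_outside(domain, view, mx_aware=True):
    """Address an external sender connects to: the best MX if it understands
    MX records, else the domain's own A record (the thread's "MX-stupid" hosts)."""
    target = sorted(view.mx[domain])[0][1] if mx_aware and view.mx.get(domain) else domain
    return view.a.get(target)


# Constructed outside view: the bastion is the single MX for the domain.
OUTSIDE = DnsView(
    mx={"tvdata.com": [(10, "oscar.tvdata.com")]},
    a={"tvdata.com": "192.0.2.10", "oscar.tvdata.com": "192.0.2.10"},
)
# Constructed outside view after Pete's experiment: MX moved to emmy, whose
# address is on the unrouted internal network.
OUTSIDE_EMMY = DnsView(
    mx={"tvdata.com": [(10, "emmy.tvdata.com")]},
    a={"tvdata.com": "192.0.2.10", "oscar.tvdata.com": "192.0.2.10",
       "emmy.tvdata.com": "10.0.0.5"},
)
# Constructed inside view: full database, internal hub preferred, bastion as backup.
INSIDE = DnsView(
    mx={"tvdata.com": [(10, "emmy.tvdata.com"), (20, "oscar.tvdata.com")]},
    a={"emmy.tvdata.com": "10.0.0.5", "oscar.tvdata.com": "192.0.2.10"},
)


def bastion_next_hop(view):
    """Next hop for mail to tvdata.com as computed on the bastion oscar."""
    try:
        return next_hop("tvdata.com", "oscar.tvdata.com", view)
    except MailLoop as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    print("outside MX-aware sender  ->", deliver_from_outside("tvdata.com", OUTSIDE))
    print("oscar, outside view      ->", bastion_next_hop(OUTSIDE))
    print("oscar, inside view       ->", bastion_next_hop(INSIDE))
    print("experiment, MX-aware     ->", deliver_from_outside("tvdata.com", OUTSIDE_EMMY))
    print("experiment, MX-unaware   ->", deliver_from_outside("tvdata.com", OUTSIDE_EMMY, mx_aware=False))
```

Against the outside view oscar is the lowest (and only) MX, so pruning leaves nothing and the loop error fires; against the inside view the pruning keeps emmy, which is the relay Michel describes. The OUTSIDE_EMMY view reproduces Pete's observation that only MX-unaware senders got through: they connected to the domain's A record (oscar), while MX-aware senders tried the unrouted internal address. The `local_domains` argument models the other escape from the loop, declaring the domain as one the bastion accepts locally.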
From firewalls-owner Tue Jan 17 11:50:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA24598 for firewalls-outgoing; Tue, 17 Jan 1995 10:49:56 -0800
Received: from Logical.NET (logical.net [204.97.128.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA24592 for ; Tue, 17 Jan 1995 10:49:53 -0800
Message-Id: <199501171849.KAA24592@miles.greatcircle.com>
Subject: SUMMARY & Thanks! Routing, Sendmail & Asprin...
To: firewalls@greatcircle.com
Date: Tue, 17 Jan 1995 13:48:26 -0500 (EST)
From: "Pete Wargo"
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1281
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

"I have always relied on the kindness of strangers...."

In all seriousness, thanks to all who replied to my original message, including (but not limited to): Syd Weinstein, Larry Chin, Brent E. Boyko, Robert Sargent, Alan Hannan, Edward F Killian, Quentin Johnson, James A. Shankland, Michel Lavondes, and Mike Murphy.

Basically, the first piece of advice was: DON'T ROUTE THE INTERNAL NETWORK! Noted, and our provider will throttle any traffic coming in. The InterNIC is still in the process of updating our old pre-internet listing, so no routing will ever take place. Thanks.

Also, there were several suggestions about DNS, as well as (UGh!) sendmail, some of which I tried already, some of which I wish I had. In any event, one of the responses was from Ed Killian, who (as fate would have it) installed our SPARC 5. Since many people recommended getting help, I walked over to my boss (our CIO) and asked for some $$. He relented, and I've done the smart thing: I got help. (Which involved swallowing my pride & my liver.) :-)

Thanks again for all the replies. I can't think of a time in the past 10 years when I've received so many responses to a net.question so quickly. (I'll drop mail to y'all from tvdata.com soon!)
-Pete

From firewalls-owner Tue Jan 17 11:58:58 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA24677 for firewalls-outgoing; Tue, 17 Jan 1995 10:54:00 -0800
Received: from orsun.saic.com (root@orsun.SAIC.COM [139.121.81.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA24672 for ; Tue, 17 Jan 1995 10:53:57 -0800
Received: from tusk.sgt.com (sargent@tusk.sgt.com [204.107.130.104]) by orsun.saic.com (8.6.9/8.6.9) with ESMTP id NAA09931; Tue, 17 Jan 1995 13:52:27 -0500
Received: (sargent@localhost) by tusk.sgt.com (8.6.9/8.6.9) id NAA01468; Tue, 17 Jan 1995 13:52:26 -0500
Date: Tue, 17 Jan 1995 13:52:26 -0500
From: Robert Sargent
Message-Id: <199501171852.NAA01468@tusk.sgt.com>
To: alan@mid.net, jsz@ramon.bgu.ac.il
Subject: Re: Cisco Logging
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Cisco IOS 10.2 does the logging and, depending upon what level of detail you would like to see, the logged info is either under the ip accounting data, or on your syslog host with debug ip packet acl_no detail. Under ip accounting (once set up properly) the sho ip acc acc command shows the ip accounting access-violations. With public domain software you can usually move the accounting info onto a host for further use.

It works, believe me. For more info RTFM.

Regards-
Robert

---------------------------------------------------------

everyone wrote:
> > I am interested in using my cisco routers to log certain things.
> > I would like to know the logging capabilities of 10.x code. Specifically
> > I am interested in knowing if I can log the incidences of packet filtering.
> > For example, can I log when a person comes to the router from a filtered
> > network, or when a person tries to use a filtered port, or combination thereof.
> >
> > I also am interested in the logging capabilities of the cisco code for things
> > like logins, faults, etc...
> > > > Any information or pointers to such greatly appreciated. > > > > > I don't know about 10.X version -- but I am unaware of capability of cisco 9.X > routers to log rejected/bypassed packets -- you might call it a disadvantage. From firewalls-owner Tue Jan 17 12:41:16 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA26116 for firewalls-outgoing; Tue, 17 Jan 1995 12:10:08 -0800 Received: from orsun.saic.com (root@orsun.SAIC.COM [139.121.81.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA26111 for ; Tue, 17 Jan 1995 12:10:05 -0800 Received: from tusk.sgt.com (sargent@tusk.sgt.com [204.107.130.104]) by orsun.saic.com (8.6.9/8.6.9) with ESMTP id PAA10149; Tue, 17 Jan 1995 15:08:25 -0500 Received: (sargent@localhost) by tusk.sgt.com (8.6.9/8.6.9) id PAA01534; Tue, 17 Jan 1995 15:08:24 -0500 Date: Tue, 17 Jan 1995 15:08:24 -0500 From: Robert Sargent Message-Id: <199501172008.PAA01534@tusk.sgt.com> To: alan@mid.net, jsz@ramon.bgu.ac.il, z056716@uprc.com Subject: Re: Cisco Logging Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Jeff scribed: > Has the 10.x code been released? I keep hearing about it, but I was told > by our rep in November that it would not be out til 2nd quarter... (and that > it probably wouldn't even run on the 250x series anyway...?) I've been running 10.2 for 5 months on 250x's and 3 months on 7K/4K's. I know its been "production released" since late Sept, and avail thru special request (limited release) earlier than that. There are some minimum memory requirements for 10.2, but if you are only doing x25 and/or ip with it, (ie, Internet access/firewalls duty) the smaller 10.2 packages run fine on the smallest memory 250x's. Tell your "rep" to read the CIO release notes. It tells exactly what memory sizes are required to support what IOS levels for which models. 
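Editor's added example, not part of Robert Sargent's messages and not Cisco code: a small model of how an IOS extended access list of the kind he describes (the acl-105 entries, with "ip accounting access-violations" on the inbound interface, which he shows in full later in the thread) is evaluated, and of the per-source/destination tally that access-violation accounting keeps for rejected packets. The rules mirror the shape of the thread's access-list 105 but are not that router's policy; all addresses are constructed RFC 5737 documentation ranges and the traffic sample is made up. The point a practitioner wants to see is that entries are matched first-match-wins (the leading ICMP deny beats a later "permit ip" for the same hosts), that wildcard masks invert netmask logic (1 bits are "don't care"), and that the list ends in an implicit deny.

```python
"""Added example (not from Robert Sargent's posts or Cisco's code): a model
of how an IOS extended access list such as the 'access-list 105' entries
in this thread is evaluated, plus the per-(source, destination) tally that
'ip accounting access-violations' keeps for packets the inbound list rejects.
Addresses are constructed RFC 5737 documentation ranges."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                   # "icmp", "udp" or "tcp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port, None for icmp


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    src: str
    src_wild: str                  # IOS wildcard mask: 1 bits are "don't care"
    dst: str
    dst_wild: str
    eq_port: Optional[int] = None  # "eq N" on the destination port


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """IOS wildcard semantics: the bits that are 0 in the mask must match."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wild))
    return (a ^ b) & (~w & 0xFFFFFFFF) == 0


def parse_acl_line(line: str) -> Rule:
    """Parse 'access-list N {permit|deny} PROTO SRC SWILD DST DWILD [eq PORT]'."""
    t = line.split()
    if len(t) < 8 or t[0] != "access-list":
        raise ValueError(f"not an extended ACL entry: {line!r}")
    port = int(t[9]) if len(t) >= 10 and t[8] == "eq" else None
    return Rule(t[2], t[3], t[4], t[5], t[6], t[7], port)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, rule.src, rule.src_wild):
        return False
    if not wildcard_match(pkt.dst, rule.dst, rule.dst_wild):
        return False
    return rule.eq_port is None or pkt.dport == rule.eq_port


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


def account_violations(acl: List[Rule], packets: List[Packet]) -> Dict[Tuple[str, str], int]:
    """What 'ip accounting access-violations' records: a count of rejected
    packets per (source, destination) pair (IOS also keeps byte totals and
    the ACL number; those are left out of this model)."""
    violations: Counter = Counter()
    for pkt in packets:
        if evaluate(acl, pkt) == "deny":
            violations[(pkt.src, pkt.dst)] += 1
    return dict(violations)


# Constructed ACL in the shape of the thread's access-list 105: drop all
# ICMP first, allow DNS from the lab net to one resolver, allow one outside
# net to reach one host, allow one host to reach anything.
ACL_105 = [parse_acl_line(line) for line in """
access-list 105 deny icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
access-list 105 permit udp 192.0.2.0 0.0.0.255 198.51.100.3 0.0.0.0 eq 53
access-list 105 permit ip 203.0.113.0 0.0.0.255 192.0.2.100 0.0.0.0
access-list 105 permit ip 198.51.100.1 0.0.0.0 0.0.0.0 255.255.255.255
""".strip().splitlines()]

# Constructed traffic sample.
SAMPLE_PACKETS = [
    Packet("icmp", "203.0.113.5", "192.0.2.100"),     # denied by entry 1 although entry 3 would permit "ip"
    Packet("udp", "192.0.2.7", "198.51.100.3", 53),   # permitted: DNS to the resolver
    Packet("udp", "192.0.2.7", "198.51.100.3", 123),  # denied: wrong port, falls to the implicit deny
    Packet("tcp", "203.0.113.9", "192.0.2.100", 23),  # permitted by entry 3
    Packet("tcp", "203.0.113.9", "192.0.2.101", 23),  # denied: destination host mismatch
    Packet("udp", "192.0.2.7", "198.51.100.3", 123),  # denied again: same pair, count becomes 2
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(f"{evaluate(ACL_105, pkt):6} {pkt.proto:4} {pkt.src} -> {pkt.dst}:{pkt.dport}")
    for (src, dst), n in account_violations(ACL_105, SAMPLE_PACKETS).items():
        print(f"access-violation {src} -> {dst}: {n} packet(s)")
```

Run it as a script to see the per-packet verdicts followed by the violation tally; the tally is the information the thread suggests pulling off the router to a loghost, and it is what makes a repeat offender (the same source/destination pair counted more than once) stand out.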
Regards-
Robert

From firewalls-owner Tue Jan 17 13:11:26 1995
From: InterLock Administrator
To: firewalls@greatcircle.com
Date: Tue, 17 Jan 1995 15:43:12 -0500
Subject: Router Filters
Message-Id: <199501172043.AA09786@gateway.ppg.com>

Can anyone provide some guidelines for setting filters (or any other options) in a router that sits behind my Internet Firewall. The firewall is an RS-6000 and the router is Wellfleet. I would appreciate any info that I could translate into Wellfleet options.

Thanks,
Larry Sacherich
sacherich@ppg.com

From firewalls-owner Tue Jan 17 14:11:21 1995
From: CHRIS.SCOTT@rrd.com
To: "firewalls(a)greatcircle.com"
Date: Tue, 17 Jan 1995 15:44:45 -0600
Subject: Test Message
Message-Id: <0013600001007813000002*@MHS>

test message

From firewalls-owner Tue Jan 17 14:41:18 1995
From: BadenT@san.fhi.com
To: firewalls@greatcircle.com
Date: Tue, 17 Jan 1995 13:55:22 -0800
Subject: Re: List of firewall log attack signatures?

>> Does anyone have a list of common firewall log entries that show
>> that a firewall is being attacked, and what kind of attack the log
>> entries represent?
>> If so, I would be grateful if you could e-mail a copy to me at
>> adamsb@un.org.
>> Posting the log entries on the list might not be appropriate, as
>> the alt.2600/#Hack FAQ recommends that crackers subscribe to this
>> list
>
> I can't argue appropriateness, I happen to agree that posting of
> such logs would not be too cool. However, we always need to
> remember that security by ignorance isn't. Never assume that
> limiting posts of in-depth technical analysis will limit the number
> of crackers or the ability of those that exist. I think that the
> information in the logs could be used to compile recommendations
> for implementors of firewalls without publishing lengthy logs with
> blow by blow attacks.
>
> Dion Stempfley

I've been on the list for a while, and this is my first posting. First off, I'd like to apologise for full-quoting both of the messages, but I thought that it would help to express my point.

I think that "publishing" the blow-by-blow logs would indeed be useful to the home team, as it gives concrete examples of what should be cause for alarm, and what is mere happenstance. I do not think that those logs should be published verbatim, however. Judicious name-changing should be considered mandatory.

I, for one, would very much like to see what the logs of an attack look like, so that I can better serve the interests of the company for which I work.

Cheers,
-Thomas

badent@san.fhi.com                      1973 Friendship Drive
Thomas Baden                            El Cajon, CA 92020 USA
Network Administrator                   +1 619 258 6539
Forte Hotels, Inc.                      +1 619 258 6409 fax

From firewalls-owner Tue Jan 17 14:56:38 1995
From: "Simon J. Gerraty"
To: Pete Wargo
Cc: firewalls@greatcircle.com
Date: Wed, 18 Jan 1995 09:09:46 +1100
Subject: Re: Routing, Sendmail, and a big bottle of asprin...
In-Reply-To: Your message of "Tue, 17 Jan 95 10:00:30 CDT."
Message-Id: <199501172209.JAA26496@zen.void.oz.au>

> PROBLEM #1: E-mail doesn't make it in. The bastion host reports a
> sendmail error that mail "loops to myself" Funny thing is, I was able at
> one point to get outside mail in by adding an MX record in the db file
> for BIND on the bastion host, pointing to emmy (my inside SPARC 5 mail
> hub). Outside mail from MX-stupid hosts only, tho - just some older SunOS
> boxes. Other, smarter mailers tried to connect to emmy, and of course
> failed. (The non-MX aware hosts seemed to stop at oscar, and oscar
> flipped it to emmy.)

This is a classic sendmail config issue. Whenever you want "mailhost.domain" to masquerade as "domain" or anything else, you _must_ take steps within sendmail to let it know that this is what is expected of it. Otherwise (and this is what you are seeing) sendmail receives mail to user@domain and so connects to wherever the MX points. As soon as it spots its own greeting message, as in:

  220-zen.void.oz.au Sendmail 8.6.9/8.6.9 ready at Wed, 18 Jan 1995 08:53:54 +1100
  220 ESMTP spoken here

it knows it has a config problem and gives up.

The good news is that you are using sendmail 8.6.9 which is easy to configure. I've been hacking and configuring sendmail for 10 years, and 8.6.9 is by far the easiest to configure and much easier to add custom mailers and rule sets to.

Add something like:

  Fw-o /etc/sendmail.cw

and then populate /etc/sendmail.cw with _all_ the possible names that you want sendmail to consider itself. They should be FQDNs btw.

As for forwarding to your inside net, that is best handled via mailertable. In your host.mc file (used to build sendmail.cf) add

  FEATURE(mailertable, hash -o /etc/mailertable)

and in /etc/mailertable.txt you put:

  domain	esmtp:emmy

You need to use makemap to turn mailertable.txt (or whatever) into mailertable.db

If you only have the sendmail.cf and it does not contain a line like:

  Kmailertable hash -o /etc/mailertable

flame your vendor and get a new sendmail.cf from someone...
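Editor's added example, not part of Simon J. Gerraty's reply and not sendmail's code: a small model of the decision his reply describes, built from the three pieces it names, the class-w name list loaded by "Fw-o /etc/sendmail.cw", the mailertable that hands a domain to the inside hub, and the SMTP 220 greeting that sendmail recognises as its own when the MX leads back to the bastion. The host names, the MX table and the greeting text are constructed; the model checks local names first, then the mailertable, then MX, and does not reproduce sendmail's actual rulesets. It shows the "loops to myself" outcome before the mailertable entry exists and the relay to emmy once it does.

```python
"""Added example (not from Simon J. Gerraty's post and not sendmail code):
a model of the routing decision his post describes, using the class-w list
from /etc/sendmail.cw, the mailertable, and the 220 greeting sendmail
compares against its own names to diagnose "loops to myself".  Host names,
the MX table and the greeting text are constructed."""
from typing import Callable, Dict, Optional, Tuple

Decision = Tuple[str, str]   # (mailer, host) or ("error", reason)

# /etc/sendmail.cw: every FQDN this host must consider itself (constructed).
SENDMAIL_CW = {"oscar.example.com", "gatekeeper.example.com"}

# /etc/mailertable.txt as written before makemap turns it into a .db.
MAILERTABLE_TXT = """
# domain<TAB>mailer:host
example.com\tesmtp:emmy.example.com
"""

# Stand-in for the DNS MX lookups sendmail would perform (constructed).
MX = {"example.com": "oscar.example.com",
      "other.example.org": "mx.other.example.org"}


def parse_mailertable(text: str) -> Dict[str, Decision]:
    """Parse 'domain  mailer:host' lines; blank lines and # comments are skipped."""
    table: Dict[str, Decision] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain, target = line.split(None, 1)
        mailer, _, host = target.partition(":")
        table[domain.lower()] = (mailer, host)
    return table


def parse_greeting(banner: str) -> Optional[str]:
    """Return the host name a server announces in its 220 greeting, e.g.
    '220-zen.void.oz.au Sendmail 8.6.9/8.6.9 ready at ...' -> 'zen.void.oz.au'."""
    first = banner.splitlines()[0] if banner else ""
    if not first.startswith("220"):
        return None
    rest = first[3:].lstrip("- ")
    return rest.split()[0].lower() if rest else None


def fake_greeting(host: str) -> str:
    """Constructed two-line greeting in the form quoted in the thread."""
    return (f"220-{host} Sendmail 8.6.9/8.6.9 ready at Wed, 18 Jan 1995 08:53:54 +1100\n"
            "220 ESMTP spoken here")


def route(recipient: str, cw: set, mailertable: Dict[str, Decision],
          mx: Dict[str, str], greeting_of: Callable[[str], str] = fake_greeting) -> Decision:
    """Decide how mail for 'recipient' leaves this host."""
    domain = recipient.rsplit("@", 1)[1].lower()
    if domain in cw:                       # one of our own names: local delivery
        return ("local", domain)
    if domain in mailertable:              # explicit relay, e.g. to the inside hub
        return mailertable[domain]
    target = mx.get(domain)
    if target is None:
        return ("error", "no MX")
    peer = parse_greeting(greeting_of(target))
    if peer in cw:                         # the MX led straight back to ourselves
        return ("error", "loops to myself")
    return ("esmtp", target)


if __name__ == "__main__":
    # Before the fix: no mailertable, and the MX for example.com is the bastion itself.
    print(route("pete@example.com", SENDMAIL_CW, {}, MX))
    # After the fix: the mailertable hands example.com to emmy.
    print(route("pete@example.com", SENDMAIL_CW, parse_mailertable(MAILERTABLE_TXT), MX))
```

The mailertable check sits before the MX lookup because that is the whole point of the entry: the bastion must never ask DNS where "domain" lives, since the answer is the bastion. The greeting comparison is a last-resort loop detector, not a routing mechanism; if it fires in production the fix is in sendmail.cw or the mailertable, as the reply says.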
--sjg

From firewalls-owner Tue Jan 17 15:11:28 1995
From: "Alec H. Peterson"
To: z056716@uprc.com (LaCoursiere J. D. (Jeff))
Cc: alan@mid.net, jsz@ramon.bgu.ac.il, firewalls@greatcircle.com
Date: Tue, 17 Jan 1995 17:46:38 -0500 (EST)
Subject: Re: Cisco Logging
In-Reply-To: <9501171821.AA00811@cygnus.uprc.com> from "LaCoursiere J. D. (Jeff)" at Jan 17, 95 12:21:44 pm
Message-Id: <199501172246.AA25136@panix.com>

LaCoursiere J. D. (Jeff) writes:
>
> Has the 10.x code been released? I keep hearing about it, but I was told
> by our rep in November that it would not be out til 2nd quarter... (and that
> it probably wouldn't even run on the 250x series anyway...?)

Definitely, the 10.0 rev has been out for quite some time now (you can pick it up from CIO if you've got an account there).

Alec

--
Alec Peterson                Panix Public Access UNIX and Internet
chuckie@panix.com            New York City, NY

From firewalls-owner Tue Jan 17 15:13:42 1995
From: Robert Sargent
To: z056716@uprc.com
Cc: firewalls@greatcircle.com
Date: Tue, 17 Jan 1995 17:23:52 -0500
Subject: Details: Re: Cisco logging
Message-Id: <199501172223.RAA01773@tusk.sgt.com>

Jeff,

Attached is a doctor'd up copy of a Cisco config file. Pay close attention to the acl-105 lines and any lines starting with ip accounting. Once those lines and the acl-105 have been set up, it's logging access-violations. To see the acl violations type the exec command "show ip accounting access" or use ciscotalk (PD) to xfer the data to a loghost. You may also type "debug ip packet 105 detail" and build a log file on a syslog server. At this time, this debug command logs a lot of info, so don't leave it on long. Hopefully the next release will allow for more fine tuning, i.e., if-then-maybe statements...

There are probably other methods of configuring a Cisco to do the same as it has been my experience that I usually figure out the hardest way possible to do something. :-)

Regards-
Robert

----- Begin Included Message -----

!
! Last configuration change at 21:21:59 EST Thu Jan 12 1995 by sargent
! NVRAM config last updated at 21:22:01 EST Thu Jan 12 1995 by sargent
!
version 10.2
service timestamps debug uptime
!
hostname router
!
clock timezone EST -5
clock summer-time EDT recurring
boot system flash
boot system rom
!
no ip source-route
ip accounting-threshold 2048
ip accounting-list 123.456.789.0 0.0.0.255
ip accounting-transits 2048
isdn switch-type basic-ni1
no source-bridge explorer-fastswitch
!
interface Ethernet0
 description "BSNET"
 ip address 789.678.67.16 255.255.255.128
 ip access-group 105 in
 ip accounting access-violations
 ntp broadcast
!
interface Serial0
 no ip address
 bandwidth 10
 shutdown
!
interface Serial1
 description "BSNET T1 for 2nd Floor"
 no ip address
 shutdown
!
interface BRI0
 description "BSNET ISDN Lab Dial in Port"
 ip address 123.456.789.161 255.255.255.224
 encapsulation HDLC
 no ip route-cache
... lines omitted ...
!
router igrp 93
 network 789.678.0.0
 network 123.456.789.0
!
ip name-server 789.678.55.3
ip name-server 123.456.789.55
ip route 0.0.0.0 0.0.0.0 789.678.89.1
ip route 123.456.789.96 255.255.255.224 123.456.789.162
logging trap debugging
logging 789.678.61.54
no access-list 13
... acl-13 omitted ...
no access-list 101
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
no access-list 105
access-list 105 deny icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
access-list 105 permit udp 123.456.789.0 0.0.0.255 789.678.67.3 0.0.0.0 eq 53
access-list 105 permit ip 789.67.170.0 0.0.0.255 123.456.789.100 0.0.0.0
... all kinds of lines omitted from this section...
access-list 105 permit ip 789.678.67.1 0.0.0.0 255.255.255.255 0.0.0.0
dialer-list 1 protocol ip permit
banner incoming  For official use only: u breaka ina my router, I breaka ina u face.
!
line con 0
 exec-timeout 3 0
 login
line aux 0
 access-class 13 in
 exec-timeout 3 0
 login
 password
line vty 0 4
 access-class 13 in
 exec-timeout 3 0
 login
 password
!
ntp authenticate
ntp broadcastdelay 2
... lines omitted ...
ntp server 197.5.75.132 prefer
ntp server 137.279.16.16
ntp peer 123.456.789.169 prefer
end

----- End Included Message -----

From firewalls-owner Tue Jan 17 15:31:24 1995
From: Tony Lorimer
To: firewalls@greatcircle.com
Date: Wed, 18 Jan 1995 09:43:08 +1100 (EST)
Subject: Anonymous FTP on Firewall

Hello All,

I am after some advice, thoughts, advantages, disadvantages on what would be the best solution for allowing anonymous ftp on my firewall.

Situation: My network is a typical setup:

          INTERNET
             |
             |
          FIREWALL
             |
             |
   ------------------------ Private Net
             |
          MACHINE A

I currently have an archive storage on Machine A that I want to allow access to as anonymous ftp. I am currently restricted to the above configuration, due to lack of hardware resource etc etc.

I have two ideas on how to allow access from the net to this machine.

1. Setup the anonymous ftp server on Machine A and setup the appropriate entries in /etc/netperm-table to fire up plug-gw to pass through the connection to machine A.

2. Setup the anonymous ftp server on the firewall and NFS mount machine A's file system onto the firewall. This will obviously stop access to an internal machine via plug-gw but what about all the security concerns with NFS.

Has anyone done any of the above approaches? Is there a better way?
I await your comments and feedback.

Thanks
--------------------------------------------------------------------------
Tony Lorimer (tlorimer@au.mdis.com)              Phone: +612 4365700
MDIS - McDonnell Information Systems Pty Ltd     Fax  : +612 4392439
Sydney Australia                                 Voice: +612 4365751
--------------------------------------------------------------------------

From firewalls-owner Tue Jan 17 16:11:25 1995
From: sotiris.baxevanis@intelsat.int
Reply-To: sotiris.baxevanis@intelsat.int
To: firewalls@greatcircle.com
Date: 17 Jan 95 18:58:17 -0500
Subject: TIS ver.1.3 on Dec OSF1 ver2.0

Hello,

has anyone ported the TIS toolkit on Dec OSF1 successfully with all the parts working as expected? I'm still having trouble with the ftpd and the proxy services using netscape?

thanks

From firewalls-owner Tue Jan 17 16:41:15 1995
From: jlawton@NDA.COM (Jennifer Lawton)
To: alan@mid.net, jsz@ramon.bgu.ac.il, z056716@uprc.com
Cc: firewalls@GreatCircle.COM
Date: Tue, 17 Jan 95 19:30:54 EST
Subject: Re: Cisco Logging
Message-Id: <9501180030.AA26298@loki.NDA.COM>

I've used the 10.x code for a CISCO quite recently.

Computer        Jennifer Lawton
Networking      NDA - Net Daemons Associates, Inc.
Solutions       400 West Cummings Park, Suite 4250
                Woburn, MA 01801
                617.937.3338
                jlawton@nda.com
                http://www.nda.com

From firewalls-owner Tue Jan 17 16:59:03 1995
From: Ken Hardy
To: tlorimer@au.mdis.com
Cc: firewalls@greatcircle.com
Date: Tue, 17 Jan 1995 18:31:59 -0600
Subject: Re: Anonymous FTP on Firewall
Message-Id: <199501180031.AA15771@ignatz.bridge.com>

I'll attempt to answer your question by saying that you should have asked it differently. ;-> Don't know if this will work for you.

I'll assume that your "FIREWALL" is a bastion-type host, not just a screening router. Add a machine B on an external segment:

               INTERNET
                   |
          -+---------+-----
           |         |
       MACHINE B  FIREWALL
                     |
                     |
   ------------------------ Private Net
                     |
                 MACHINE A

Put the ftp server on B and have your firewall treat it as a foreign host. Done properly, it cannot be used as the start of an island-hopping attack, though I suppose trojan horses or some such could be planted there that you could carelessly import inside. You telnet and ftp to it yourself just as you would to any external system, though you could also have a serial terminal connection to it for internal management access.

Drawbacks would include a) less ease of access for you; b) potential vulnerability of any information you'd put on it to export/import [bad guys replace your data, or that being sent to you by someone, with something bogus, e.g. -- I'm advising our users in such an arrangement to encrypt the data they're exchanging via the exposed server.]; c) you need an exposed subnet, which raises addressing and hardware issues -- it works well if you've an ethernet segment going into your firewall, but not if you've a T1 coming directly into the bastion, e.g.

Issue b) above is valid even if you somehow get ftp into the "protected" net; there's just presumably fewer ways to effect a breach. If bugs in the ftp daemon can be exploited, or it's just not set up well, or if the external (non-anonymous) users' ftp passwords are sniffed, then the contents of the server are suspect. If said vulnerabilities can be exploited to compromise other parts of the system, then your whole internal net could be jeopardized, I'd imagine. That's why it's nice to have it on the outside of the firewall; it's more exposed, but your internal net is not.

Disable all user accounts, turn off all unnecessary services, &c., &c., &c. Use tcpwrapper to disallow telnet to it from any other than your bastion. You should be able to make a dedicated system w/o & few services fairly secure (that's what we hope about our bastions, right?)

Note that machine B is an obvious location for something like a WWW server, too.

-KH

From firewalls-owner Tue Jan 17 17:11:23 1995
From: an119810@anon.penet.fi
Reply-To: an119810@anon.penet.fi
To: firewalls@greatcircle.com
Date: Tue, 17 Jan 1995 23:58:10 UTC
Subject: Re: List of firewall log attack signatues?
Message-Id: <9501172358.AA27687@anon.penet.fi>
Organization: Anonymous contact service

BadenT@san.fhi.com wrote:
>I think that "publishing" the blow-by-blow logs would indeed be
>useful to the home team, as it gives concrete examples of what should
>be cause for alarm, and what is mere happenstance. I do not think
>that those logs should be published verbatim, however. Judicious
>name-changing should be considered mandatory.

Don't know if I want to be first (we could really fill some mailboxes if everyone posts their war stories.) But here goes ...

I'm using fwtk, which produced the "deny" and "permit" messages below. The real eye-opener is the first line of syslog. It was from an email to "Bounce@gatekeeper.mydomain.com". Unfortunately, I didn't get the whole message's header in any log.
It looked like the perpetrator was trying to exercise the old Sendmail Bug (TM) of deliberately bouncing mail with a "|bad-command" in the From: or Reply-To: header. (Please enlighten me if you see me missing something here.) Whatever the message was, it apparently bounced around inside my firewall's mail system until the maximum count of thirty was reached. I guess because it was bounced originally, but the bounce-to address was rejected, so it was bounced again, and again, etc.?

I didn't save the actual syslog file but have included the output of the "fromto" script massaging it (as I recall, syslog didn't really give any more clues as to what was going on.)

Moral: disable the program mailer!

-------------------------------------------------------------------------
To find out more about the anon service, send mail to help@anon.penet.fi.
Due to the double-blind, any mail replies to this message will be anonymized,
and an anonymous id will be allocated automatically. You have been warned.
Please report any problems, inappropriate use etc. to admin@anon.penet.fi.

From firewalls-owner Tue Jan 17 19:40:01 1995
From: Marcus J Ranum
To: an119810@anon.penet.fi
Cc: firewalls@greatcircle.com
Date: Tue, 17 Jan 1995 22:17:56 -0500 (EST)
Subject: Re: List of firewall log attack signatues?
In-Reply-To: <9501172358.AA27687@anon.penet.fi> from "an119810@anon.penet.fi" at Jan 17, 95 11:58:10 pm
Organization: Trusted Information Systems, Inc. Glenwood, MD Phone: 301-854-6889
Message-Id: <9501180311.AA03710@tis.com>

> Moral: disable the program mailer!

Yep. Actually, I leave it in, and replace it with a script that sends the admin a nice note including the mail message and all its command lines. You can catch the most amazing fish that way. One goof was mailing around a script to build a minimal sockd, intended to compile and execute on any firewall it could trigger the sendmail bug upon. Pretty nasty stuff.

mjr.

From firewalls-owner Tue Jan 17 21:12:55 1995
From: Marc Samama
To: firewalls@greatcircle.com
Date: 18 Jan 95 13:51:12 GMT
Subject: dummy server
Message-Id: <9501180451.AA08669@tky>

With this current discussion on firewall logs going on, I was wondering if some people were willing to release examples of dummy servers, or packet suckers they'd be using on their firewall (anonymous posting is welcome for those who are paranoid about revealing their sources. :)

Anyway, I wonder how dangerous it is to run this sort of thing, even in a chrooted environment; I guess if you want to collect interesting info, you need your dummy server to be a little bit conversant with the "client" on the other end, and the more complex the code is, the more bugs will creep?

Marc.

From firewalls-owner Wed Jan 18 00:39:55 1995
From: Keinanen Vesa
To: firewalls@greatcircle.com
Date: Wed, 18 Jan 1995 10:20:51 +0200 (EET)
Subject: Livingston Firewall IRX router, any good?

Do you have any experience/opinions on Livingston Firewall router? I checked Livingston's WWW-site, and I could see that it is a router loaded with every bell and whistle you can imagine. But is there anything that really makes it better than other routers (eg. cisco) as "firewall"?

VK

--
Vesa Keinanen                   Nasilinnankatu 24 D, 33210 Tampere, Finland
Relevantum Oy                   Phone +358 31 2147200, Fax +358 31 2147402

From firewalls-owner Wed Jan 18 01:40:06 1995
From: lavondes@tidtest.total.fr (Michel Lavondes)
Reply-To: lavondes@tidtest.total.fr
To: z056716@uprc.com (LaCoursiere J. D. (Jeff))
Cc: firewalls@greatcircle.com (fw)
Date: Wed, 18 Jan 95 10:22:46 GMT
Subject: Re: Cisco Logging
In-Reply-To: <9501171821.AA00811@cygnus.uprc.com>; from "LaCoursiere J. D. (Jeff)" at Jan 17, 95 12:21 pm
Message-Id: <9501181022.AA07186@tidtest.total.fr>

LaCoursiere J. D. (Jeff) wrote :
>
> Has the 10.x code been released? I keep hearing about it, but I was told
> by our rep in November that it would not be out til 2nd quarter... (and that
> it probably wouldn't even run on the 250x series anyway...?)
>

Jeff, did you look at CIO ? I *think* 10.2 is already out, with 10.3 scheduled for March 95. I don't remember which one is supposed to have filter logging, though. As to the 25xx, you may well be right, but then they're already a pain in the neck to manage even with 9.1.x ...
-- Michel Lavondes E-Mail : lavondes@tidtest.total.fr lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected) Tel : +33-1-4135-4198 Fax : +33-1-4135-4189 From firewalls-owner Wed Jan 18 06:09:58 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA08442 for firewalls-outgoing; Wed, 18 Jan 1995 05:45:27 -0800 Received: from clark.net (hcb@clark.net [168.143.0.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id FAA08436 for ; Wed, 18 Jan 1995 05:45:24 -0800 Received: (hcb@localhost) by clark.net (8.6.9/8.6.5) id IAA01907; Wed, 18 Jan 1995 08:43:36 -0500 From: Howard Berkowitz Message-Id: <199501181343.IAA01907@clark.net> Subject: Re: Cisco Logging To: lavondes@tidtest.total.fr Date: Wed, 18 Jan 1995 08:43:35 -0500 (EST) Cc: z056716@uprc.com, firewalls@GreatCircle.COM In-Reply-To: <9501181022.AA07186@tidtest.total.fr> from "Michel Lavondes" at Jan 18, 95 10:22:46 am X-Mailer: ELM [version 2.4 PL24alpha3] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Content-Length: 912 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > LaCoursiere J. D. (Jeff) wrote : > > > > Has the 10.x code been released? I keep hearing about it, but I was told > > by our rep in November that it would not be out til 2nd quarter... (and that > > it probably wouldn't even run on the 250x series anyway...?) > > > > Jeff, did you look at CIO ? I *think* 10.2 is already out, with 10.3 scheduled > for March 95. I don't remember which one is supposed to have filter logging, > though. As to the 25xx, you may well be right, but then they're already a pain > in the neck to manage even with 9.1.x ... > -- We routinely run 10.2 on both 2500's and 4000's in our teaching labs and our office. Michel, is there a particular management problem you are having under 9.1.x on the 2500? 9.2 on have a major enhancement in the user interface; perhaps that's what you had in mind. 
Howard Berkowitz PSC International, a Cisco Training Partner (703)998-5819 From firewalls-owner Wed Jan 18 06:40:05 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA08748 for firewalls-outgoing; Wed, 18 Jan 1995 06:32:04 -0800 Received: from aspensys (www.aspensys.com [198.77.70.104]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA08743 for ; Wed, 18 Jan 1995 06:32:02 -0800 Received: from smtpinet.aspensys.com by aspensys (5.0/SMI-SVR4) id AA20566; Wed, 18 Jan 1995 09:27:53 +0500 Received: from cc:Mail by smtpinet.aspensys.com id AA790450364 Wed, 18 Jan 95 09:32:44 EST Date: Wed, 18 Jan 95 09:32:44 EST From: jmeritt@smtpinet.aspensys.com (Meritt, Jim) Message-Id: <9500187904.AA790450364@smtpinet.aspensys.com> To: an119810@anon.penet.fi, Marcus J Ranum Cc: firewalls@greatcircle.com Subject: Re[2]: List of firewall log attack signatues? content-length: 730 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sounds like a slight takeoff of one of the spread methods of the RTM worm. jwm ______________________________ Reply Separator _________________________________ Subject: Re: List of firewall log attack signatues? Author: Marcus J Ranum at SMTPINET Date: 1/17/95 11:03 PM > Moral: disable the program mailer! Yep. Actually, I leave it in, and replace it with a script that sends the admin a nice note including the mail message and all its command lines. You can catch the most amazing fish that way. One goof was mailing around a script to build a minimal sockd, intended to compile and execute on any firewall it could trigger the sendmail bug upon. Pretty nasty stuff. mjr.
From firewalls-owner Wed Jan 18 06:59:14 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA08701 for firewalls-outgoing; Wed, 18 Jan 1995 06:25:56 -0800 Received: from pegase.total.fr (pegase.total.fr [146.249.41.223]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA08682 for ; Wed, 18 Jan 1995 06:25:22 -0800 Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA17996; Wed, 18 Jan 95 15:20:02 +0100 Received: by tidtest.total.fr (4.1/SMI-4.1) id AA07381; Wed, 18 Jan 95 15:16:27 GMT From: lavondes@tidtest.total.fr (Michel Lavondes) Message-Id: <9501181516.AA07381@tidtest.total.fr> Subject: Re: Cisco Logging To: hcb@clark.net (Howard Berkowitz) Date: Wed, 18 Jan 95 15:16:26 GMT Cc: firewalls@greatcircle.com (fw) Reply-To: lavondes@tidtest.total.fr In-Reply-To: <199501181343.IAA01907@clark.net>; from "Howard Berkowitz" at Jan 18, 95 8:43 am X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Howard Berkowitz wrote : > > [snip] > > Michel, is there a particular management problem you are having under > 9.1.x on the 2500? 9.2 on have a major enhancement in the user interface; > perhaps that's what you had in mind. > Well, actually we don't since we decided against using them, but we found out that since we need the full-fledged version (they call it "Enterprise" AFAIR), and since 2500s don't support software compression (they run straight from the EPROM instead of copying the image to RAM) and two images won't fit together in the EPROM, you have to shoot yourself in the foot (er, erase the running image) whenever you want to perform an upgrade. Should the router or your IP connection fail during the upgrade, you're left with a rather expensive doorstop :-) That's assuming that just erasing the image isn't enough to crash the system (I don't remember whether it is.) 
But then, there may be a way out of it that neither we nor cisco techies over here managed to figure out during our evaluation. -- Michel Lavondes E-Mail : lavondes@tidtest.total.fr lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected) Tel : +33-1-4135-4198 Fax : +33-1-4135-4189 From firewalls-owner Wed Jan 18 07:11:20 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA09017 for firewalls-outgoing; Wed, 18 Jan 1995 06:48:01 -0800 Received: from shadow.net (cklaus@anshar.shadow.net [198.79.48.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA09012 for ; Wed, 18 Jan 1995 06:47:58 -0800 Received: (cklaus@localhost) by shadow.net (8.6.8.1/jc-1.0) id JAA13434; Wed, 18 Jan 1995 09:49:34 -0500 From: Christopher Klaus Message-Id: <199501181449.JAA13434@shadow.net> Subject: Re: List of firewall log attack signatues? To: mjr@tis.com (Marcus J Ranum) Date: Wed, 18 Jan 1995 09:49:33 -0500 (EST) Cc: an119810@anon.penet.fi, firewalls@GreatCircle.COM In-Reply-To: <9501180311.AA03710@tis.com> from "Marcus J Ranum" at Jan 17, 95 10:17:56 pm X-Mailer: ELM [version 2.4 PL20] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1058 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > > Moral: disable the program mailer! > > Yep. Actually, I leave it in, and replace it with a script > that sends the admin a nice note including the mail message and > all its command lines. You can catch the most amazing fish that > way. One goof was mailing around a script to build a minimal sockd, > intended to compile and execute on any firewall it could trigger > the sendmail bug upon. Pretty nasty stuff. Yea, Scott Chasin posted that sendmail sockd script to Firewalls a while ago. Fortunately, it only worked on SunOS 4.x. With some minor modifications, it could work on AIX, Ultrix, etc.
I believe CERT said they reported a substantial breakin increase like the day after Scott posted it also. ISS checks for that bug, and you would be surprised within a given site, how many machines pop up vulnerable, ready for any intruder to pluck. Christopher -- Christopher William Klaus Voice: (404)518-0099. Fax: (404)518-0030 Internet Security Systems, Inc. Computer Security Consulting 2209 Summit Place Drive, Atlanta, GA. 30350-2450. From firewalls-owner Wed Jan 18 07:40:39 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA10117 for firewalls-outgoing; Wed, 18 Jan 1995 07:39:27 -0800 Received: from clark.net (hcb@clark.net [168.143.0.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA10112 for ; Wed, 18 Jan 1995 07:39:23 -0800 Received: (hcb@localhost) by clark.net (8.6.9/8.6.5) id KAA24123; Wed, 18 Jan 1995 10:37:38 -0500 From: Howard Berkowitz Message-Id: <199501181537.KAA24123@clark.net> Subject: Re: Cisco Logging To: lavondes@tidtest.total.fr Date: Wed, 18 Jan 1995 10:37:37 -0500 (EST) Cc: hcb@clark.net, firewalls@GreatCircle.COM In-Reply-To: <9501181516.AA07381@tidtest.total.fr> from "Michel Lavondes" at Jan 18, 95 03:16:26 pm X-Mailer: ELM [version 2.4 PL24alpha3] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Content-Length: 1923 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Since this is getting a bit far afield of firewalls, I thought I might offer some suggestions by mail. In your specific case, they may have been overtaken by events. > > Howard Berkowitz wrote : > > > > [snip] > > > > Michel, is there a particular management problem you are having under > > 9.1.x on the 2500? 9.2 on have a major enhancement in the user interface; > > perhaps that's what you had in mind.
> > > > Well, actually we don't since we decided against using them, but we found out > that since we need the full-fledged version (they call it "Enterprise" AFAIR), > and since 2500s don't support software compression (they run straight from the > EPROM instead of copying the image to RAM) and two images won't fit together > in the EPROM, you have to shoot yourself in the foot (er, erase the running > image) whenever you want to perform an upgrade. If I understand your problem correctly, one way around it might be to set up your existing OS version to do a "boot system net" from a TFTP server. The booted version can be the upgrade. You can also have a default set to go to the flash or the ROM. With appropriate configuration register settings, you can keep attempting to boot from the TFTP server. >Should the router or your IP > connection fail during the upgrade, you're left with a rather expensive > doorstop :-) That's assuming that just erasing the image isn't enough to crash > the system (I don't remember whether it is.) Erasing flash is transparent to the running image in ROM. I think your safest procedure, other than visiting the site with a laptop-based TFTP server, would be to netboot the upgraded OS, get confident with it (i.e., don't erase the flash until you do), and then, while the OS is running, copy the new image into flash. At that time, you would have a running copy in RAM and in flash if the load completes properly. If not, you can retry from the RAM copy. 
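The boot order Howard describes, written out as router configuration. This is an added example, not taken from any of the posts: the image name c2500-j-l.103.bin and the TFTP server 10.1.1.5 are placeholders, and the commands are the classic IOS forms (boot system tftp / flash / rom, config-register), so check them against the documentation for the release actually installed.

```cisco
! Added example: fallback boot order for a 2500 that runs its image
! from flash. Image name and TFTP server address are placeholders.
!
! Risky setting: one boot source only. Erase flash for the upgrade,
! lose the TFTP load half way through, and nothing is left to boot.
!   boot system flash
!
! Safer: try the new image over the network first, fall back to
! whatever is in flash, and as a last resort boot the ROM image, so a
! failed upgrade still leaves a router you can reach and retry from.
boot system tftp c2500-j-l.103.bin 10.1.1.5
boot system flash
boot system rom
! Boot field 2 (0x2102) makes the router follow the boot system list;
! 0x2101 would always boot the ROM image instead.
config-register 0x2102
```

Once the netbooted image has run long enough to trust it, `copy tftp flash` from privileged EXEC writes it into flash while the RAM copy keeps running, which is the sequence the message above recommends.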
From firewalls-owner Wed Jan 18 10:09:28 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA10217 for firewalls-outgoing; Wed, 18 Jan 1995 07:42:57 -0800 Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA10202 for ; Wed, 18 Jan 1995 07:42:52 -0800 Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU via SMTP; Wed, 18 Jan 1995 10:41:14 -0500 Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-5.67b/res.client.cf-3.7) id AA17492; Wed, 18 Jan 1995 10:41:10 -0500 Date: Wed, 18 Jan 1995 10:41:10 -0500 From: long-morrow@CS.YALE.EDU (H Morrow Long) Message-Id: <199501181541.AA17492@SPARKY.CF.CS.YALE.EDU> To: firewalls@greatcircle.com, marc@tky.icdc.fr Subject: Re: dummy server Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
>Date: 18 Jan 95 13:51:12 GMT
>From: Marc Samama
>Message-Id: <9501180451.AA08669@tky>
>To: firewalls@greatcircle.com
>Subject: dummy server
>
>With this current discussion on firewall logs going on, I was wondering if
>some people were willing to release examples of dummy servers, or packet
>suckers they'd be using on their firewall (anonymous posting is welcome
>for those who are paranoid about revealing their sources. :)

Here is a "tar baby" telnet session emulator that I've used when we've suspected or seen from logs that someone has been trying to telnet into a particular machine. It is useful for picking up accounts and passwords that the intruder knows or thinks they know. It doesn't actually replace in.telnetd, though it uses a modified one. Instead it replaces the /bin/login program which would normally be invoked. It appears just like a normal telnet server session, with a banner, prompting for usernames and passwords (only it never lets you in, and always gives the 'Login incorrect' message).

This is fairly SunOS specific (note that it disables normal telnet sessions!) :

1. Copy /usr/etc/in.telnetd to another location (i.e. /local/etc/in.telnetd is fine). Use Emacs to find the occurrences of the string "/bin/login" and replace them with the string "/local/foo" (you need to use Emacs overwrite mode; you'll notice that the two strings are of the same length).

2. Edit /etc/inetd.conf and change the entry for telnet to point to the new executable ( ie. /local/etc/in.telnetd ). Send the pid for inetd a hangup signal ( kill -HUP InetdPID).

3. Put the following C shell script in as the file /local/foo (make sure to make it executable) :

#!/bin/csh -f
#
# Dummy replacement for /bin/login called by telnetd.
#
# N.B. C shell scripts are considered harmful.
#
# H. Morrow Long ( Morrow.Long@Yale.EDU )
#
# An interrupt (^C) from the intruder jumps to "death" below, which
# stalls for a minute and exits, so there is no way out to a shell.
onintr death

# One tag per session (pty, our pid, our hostname) so the attempts
# logged below can be tied together in /local/log.
set session="`tty`.$$@`/bin/hostname`"
echo "$session" " : DATE : " `/bin/date` >>& /local/log
echo "$session" " : ARGS : " $* >>& /local/log

# telnetd invokes login as "login -h <remotehost> -p", so argv[2] is
# the remote host; only finger it if telnetd actually passed one.
if ( $#argv >= 2 ) then
    ( finger @$argv[2] >>& /local/log.finger & ) >& /dev/null
endif

# Five tries, like real login, and every one of them is logged.
foreach attempt ( 1 2 3 4 5 )
    # Re-prompt on an empty login name without using up an attempt,
    # but give up after a few blanks so a dropped connection (EOF
    # reads as an empty line) cannot spin this loop forever.
    set loginname=""
    set blanks=0
    while ( "$loginname" == "" && $blanks < 3 )
        echo -n 'login: '
        set loginname=$<
        @ blanks++
    end
    if ( "$loginname" == "" ) goto death
    echo -n 'Password:'
    stty -echo
    set password=$<
    stty echo
    echo ' '
    echo 'Login incorrect'
    echo "$session" " : ATTEMPT #" $attempt " USER = " "$loginname" " PASS = " "$password" >>& /local/log
end

death:
# Stall before dropping the connection so it looks like a slow login.
sleep 60
exit 1

4. Test by telnetting to the host with the modified telnet daemon :

bigbadwolf% telnet tarbaby
Trying 10.0.0.1 ...
Connected to tarbaby.
Escape character is '^]'.

SunOS UNIX (tarbaby)

login: blah
Password:
Login incorrect
login: remus
Password:
Login incorrect
login: yuck
Password:
Login incorrect
login: me
Password:
Login incorrect
login: root
Password:
Login incorrect

5. You should be collecting account names and passwords in the file /local/log (it should probably be made readable only by root) :

/dev/ttyp3.17146@tarbaby : DATE : Wed Jan 18 10:20:41 EST 1995
/dev/ttyp3.17146@tarbaby : ARGS : -h bigbadwolf -p
/dev/ttyp3.17146@tarbaby : ATTEMPT # 1 USER = blah PASS = halB
/dev/ttyp3.17146@tarbaby : ATTEMPT # 2 USER = remus PASS = uncle
/dev/ttyp3.17146@tarbaby : ATTEMPT # 3 USER = yuck PASS = kcuY
/dev/ttyp3.17146@tarbaby : ATTEMPT # 4 USER = me PASS = iMiM
/dev/ttyp3.17146@tarbaby : ATTEMPT # 5 USER = root PASS = TooR

If your machine is able to finger the intruder's machine you may also find useful information in /local/log.finger (then again you may not).

-----------------------------------
- Morrow

From firewalls-owner Wed Jan 18 10:53:36 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA00215 for firewalls-outgoing; Wed, 18 Jan 1995 10:11:39 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA00210 for ; Wed, 18 Jan 1995 10:11:36 -0800 Received: from maccs.dcss.mcmaster.ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id KAA22653; Wed, 18 Jan 1995 10:06:28 -0800 Received: from dofasco by maccs.dcss.mcmaster.ca with uucp (Smail3.1.28.1 #5) id m0rUeqV-0005uUC; Wed, 18 Jan 95 13:11 EST Received: by USENET.dofasco.ca (DECUS UUCP ///2.0/); Tue, 17 Jan 95 18:30:29 EST Received: by USENET.dofasco.ca (MX V4.1 VAX) with SITE; Tue, 17 Jan 1995 15:43:11 EST Received: from maccs by USENET.dofasco.ca (MX V4.1 VAX) with UUCP; Tue, 10 Jan 1995 19:37:21 EST Received: from relay1.UU.NET by maccs.dcss.mcmaster.ca with smtp (Smail3.1.28.1 #5) id m0rRX9P-0005uLa; Mon, 9 Jan 95 22:21 EST Received: from miles.greatcircle.com by relay1.UU.NET with ESMTP id QQxyaf22508; Mon, 9 Jan 1995 22:20:05 -0500 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA12706 for
firewalls-outgoing; Mon, 9 Jan 1995 18:39:22 -0800 Received: from Sun.COM (Sun.COM [192.9.9.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA12700 for ; Mon, 9 Jan 1995 18:39:19 -0800 Received: from West.Sun.COM (west.West.Sun.COM) by Sun.COM (sun-barr.Sun.COM) id AA14469; Mon, 9 Jan 95 18:37:43 PST Received: from zeppo.West.Sun.COM by West.Sun.COM (5.0/SMI-5.3) id AA22554; Mon, 9 Jan 1995 18:37:42 +0800 Received: from onizuka.West.Sun.COM by zeppo.West.Sun.COM (5.0/SMI-5.3-900117) id AA05673; Mon, 9 Jan 1995 18:37:15 -0800 Received: by onizuka.West.Sun.COM (5.0/SMI-SVR4) id AA05862; Mon, 9 Jan 1995 18:36:32 -0800 Date: Mon, 9 Jan 1995 18:36:32 -0800 From: Message-ID: <9501100236.AA05862@onizuka.West.Sun.COM> To: firewalls@GreatCircle.COM Subject: please add me to this alias Sender: firewalls-owner@GreatCircle.COM Precedence: bulk thanks Michael Possedi | _ | Sun Sales Representative _|___/v\___|_ Government District -====(~)=(.*.)=(~)====- phone: 415-960-4359 `-' fax #: 415-961-4872 From firewalls-owner Wed Jan 18 11:23:46 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA00208 for firewalls-outgoing; Wed, 18 Jan 1995 10:11:27 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA00203 for ; Wed, 18 Jan 1995 10:11:25 -0800 Received: from maccs.dcss.mcmaster.ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id KAA22650; Wed, 18 Jan 1995 10:06:18 -0800 Received: from dofasco by maccs.dcss.mcmaster.ca with uucp (Smail3.1.28.1 #5) id m0rUeqH-0005uUC; Wed, 18 Jan 95 13:10 EST Received: by USENET.dofasco.ca (DECUS UUCP ///2.0/); Tue, 17 Jan 95 18:30:05 EST Received: by USENET.dofasco.ca (MX V4.1 VAX) with SITE; Tue, 17 Jan 1995 14:02:42 EST Received: from maccs by USENET.dofasco.ca (MX V4.1 VAX) with UUCP; Tue, 10 Jan 1995 21:04:21 EST Received: from relay3.UU.NET by maccs.dcss.mcmaster.ca with smtp 
(Smail3.1.28.1 #5) id m0rRn3C-0005uka; Tue, 10 Jan 95 15:20 EST Received: from miles.greatcircle.com by relay3.UU.NET with ESMTP id QQxycv03996; Tue, 10 Jan 1995 15:18:58 -0500 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA25572 for firewalls-outgoing; Tue, 10 Jan 1995 11:35:35 -0800 Received: from pegase.total.fr (pegase.total.fr [146.249.41.223]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA25562 for ; Tue, 10 Jan 1995 11:35:24 -0800 Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA05081; Tue, 10 Jan 95 20:30:02 +0100 Received: by tidtest.total.fr (4.1/SMI-4.1) id AA04304; Tue, 10 Jan 95 20:26:27 GMT From: Message-ID: <9501102026.AA04304@tidtest.total.fr> Subject: Re: FW: PC Take-Over -- reply To: Date: Tue, 10 Jan 95 20:26:26 GMT CC: firewalls@greatcircle.com Reply-To: lavondes@tidtest.total.fr Sender: firewalls-owner@GreatCircle.COM Precedence: bulk H Morrow Long wrote : > > Is it just under MS-DOS, or can you also under Windows do strange things > to a person's PC via anonymous FTP by reading and writing to the devices:-? > > con: > com1: > com2: > lpt: > prn: > ... > etc. > Except maybe for con:, I'm afraid you could. Didn't try it, though. 
-- Michel Lavondes E-Mail : lavondes@tidtest.total.fr lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected) Tel : +33-1-4135-4198 Fax : +33-1-4135-4189 From firewalls-owner Wed Jan 18 11:41:37 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA00150 for firewalls-outgoing; Wed, 18 Jan 1995 10:08:42 -0800 Received: from anon.penet.fi (anon.penet.fi [193.64.202.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA00141 for ; Wed, 18 Jan 1995 10:08:36 -0800 Received: by anon.penet.fi (5.67/1.35) id AA19863; Wed, 18 Jan 95 18:56:21 +0200 Message-Id: <9501181656.AA19863@anon.penet.fi> To: firewalls@greatcircle.com From: an119810@anon.penet.fi X-Anonymously-To: firewalls@greatcircle.com Organization: Anonymous contact service Reply-To: an119810@anon.penet.fi Date: Wed, 18 Jan 1995 16:56:19 UTC Subject: Re: List of firewall log attack signatues? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I wrote: >I'm using fwtk, which produced the "deny" and "permit" messages below. Sorry, somehow the log entries got dropped from my mail message (after all the time I spent editing them to change names & addresses!) Here they are. I hope! [Oh, and this anonymous message (sorry!) should answer the guy who asked recently about whether folks hide when/if discussing their specific setups.] 
Entries from messages:

Sep 5 14:37:40 telnet: deny host=haven.podunk.edu/176.16.6.2 use of gateway
Sep 5 14:39:26 ftp: deny host=haven.podunk.edu/176.16.6.2 use of gateway
Sep 5 14:41:07 ftp: deny host=haven.podunk.edu/176.16.6.2 use of gateway
Sep 5 14:41:08 telnet: deny host=haven.podunk.edu/176.16.6.2 use of gateway
Sep 5 14:41:11 permit host=haven.podunk.edu/176.16.6.2 service=fingerd execute=/bin/cat
Sep 5 14:41:14 deny host=haven.podunk.edu/176.16.6.2 service=(null)
Sep 5 14:41:22 permit host=haven.podunk.edu/176.16.6.2 service=fingerd execute=/bin/cat
Sep 5 14:41:39 permit host=haven.podunk.edu/176.16.6.2 service=fingerd execute=/bin/cat
Sep 5 14:41:48 permit host=haven.podunk.edu/176.16.6.2 service=fingerd execute=/bin/cat
Sep 5 14:41:57 permit host=haven.podunk.edu/176.16.6.2 service=fingerd execute=/bin/cat
Sep 5 14:41:59 deny host=haven.podunk.edu/176.16.6.2 service=-l
Sep 5 14:42:00 deny host=haven.podunk.edu/176.16.6.2 service=telnetd
Sep 5 14:53:24 deny host=haven.podunk.edu/176.16.6.2 service=-l
Sep 5 14:53:30 deny host=haven.podunk.edu/176.16.6.2 service=telnetd

Entries from syslog (massaged by "fromto"):

UNKNOWN: gatekeeper sendmail[19454]: OAA19452: OAA19454: return to sender: Cannot mail directly to programs
Sep 5 14:39 MAILER-DAEMON -> root
Sep 5 14:39 # -> bounce@gatekeeper.Mydomain.COM
Sep 5 14:39 #@Mydomain.com -> bounce@gatekeeper.Mydomain.COM
Sep 5 14:40 #@Mydomain.com -> bounce@gatekeeper.Mydomain.COM
Sep 5 14:40 #@Mydomain.com -> bounce@gatekeeper.Mydomain.COM
Sep 5 14:41 #@Mydomain.com -> bounce@gatekeeper.Mydomain.COM
Sep 5 14:41 #@Mydomain.com -> bounce@gatekeeper.Mydomain.COM
Sep 5 14:42 SYSERR: too many hops 20 (17 max): from <#@Mydomain.com> via localhost, to
UNKNOWN: gatekeeper sendmail[19499]: OAA19499: OAB19499: return to sender: too many hops 20 (17 max): from <#@Mydomain.com> via localhost, to
Sep 5 14:42 MAILER-DAEMON -> root
Sep 5 14:42 MAILER-DAEMON ?? #@Mydomain.com [User unknown]
UNKNOWN: gatekeeper sendmail[19501]: OAB19499: OAA19501: return to sender: User unknown
Sep 5 14:42 MAILER-DAEMON -> root

------------------------------------------------------------------------- To find out more about the anon service, send mail to help@anon.penet.fi. Due to the double-blind, any mail replies to this message will be anonymized, and an anonymous id will be allocated automatically. You have been warned. Please report any problems, inappropriate use etc. to admin@anon.penet.fi. From firewalls-owner Wed Jan 18 12:09:21 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA00514 for firewalls-outgoing; Wed, 18 Jan 1995 10:15:29 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA00383 for ; Wed, 18 Jan 1995 10:14:49 -0800 Received: from internet.un.org by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id JAA22455; Wed, 18 Jan 1995 09:28:53 -0800 From: adamsb@un.org Received: by internet.un.org; id MAA15696; Wed, 18 Jan 1995 12:29:30 -0500 Received: from mail-in.un.org(157.150.191.1) by internet.un.org via smap (V1.3) id sma015684; Wed Jan 18 12:29:13 1995 Received: from cc:Mail by un.org id AA790460985; Wed, 18 Jan 95 12:24:45 EST Date: Wed, 18 Jan 95 12:24:45 EST Message-Id: <9500187904.AA790460985@un.org> To: firewalls@greatcircle.com Subject: Re: List of firewall log attack signatures? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I think that "publishing" the blow-by-blow logs would indeed be > helpful to the home team ... > ... Judicious name-changing should be considered mandatory. Reconsidered. Agree with you.
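The anonymous poster's fwtk and sendmail entries are a usable attack signature in their own right: one source is refused by the telnet and ftp proxies, then hits the finger proxy repeatedly and asks it for service names that do not exist ("-l", "telnetd", "(null)"), while sendmail bounces "Cannot mail directly to programs" in the same minutes. As an added example, not part of the post and not TIS code, here is a small triage script that parses those exact lines (copied from the post above; the year is assumed, since syslog omits it, and the set of proxies the gateway really offers is an assumption for this example) and flags the source:

```python
"""Triage fwtk proxy log lines and sendmail bounces for a doorknob-twisting
signature. Added example, not from the post or the TIS Firewall Toolkit."""
import re
from collections import defaultdict
from datetime import datetime

# Lines copied from the anonymous post (the poster already changed names
# and addresses). syslog carries no year; 1994 is assumed here.
FWTK_LOG = """\
Sep 5 14:37:40 telnet: deny host=haven.podunk.edu/176.16.6.2 use of gateway
Sep 5 14:39:26 ftp: deny host=haven.podunk.edu/176.16.6.2 use of gateway
Sep 5 14:41:07 ftp: deny host=haven.podunk.edu/176.16.6.2 use of gateway
Sep 5 14:41:08 telnet: deny host=haven.podunk.edu/176.16.6.2 use of gateway
Sep 5 14:41:11 permit host=haven.podunk.edu/176.16.6.2 service=fingerd execute=/bin/cat
Sep 5 14:41:14 deny host=haven.podunk.edu/176.16.6.2 service=(null)
Sep 5 14:41:22 permit host=haven.podunk.edu/176.16.6.2 service=fingerd execute=/bin/cat
Sep 5 14:41:39 permit host=haven.podunk.edu/176.16.6.2 service=fingerd execute=/bin/cat
Sep 5 14:41:48 permit host=haven.podunk.edu/176.16.6.2 service=fingerd execute=/bin/cat
Sep 5 14:41:57 permit host=haven.podunk.edu/176.16.6.2 service=fingerd execute=/bin/cat
Sep 5 14:41:59 deny host=haven.podunk.edu/176.16.6.2 service=-l
Sep 5 14:42:00 deny host=haven.podunk.edu/176.16.6.2 service=telnetd
Sep 5 14:53:24 deny host=haven.podunk.edu/176.16.6.2 service=-l
Sep 5 14:53:30 deny host=haven.podunk.edu/176.16.6.2 service=telnetd
"""
SENDMAIL_LOG = """\
UNKNOWN: gatekeeper sendmail[19454]: OAA19452: OAA19454: return to sender: Cannot mail directly to programs
Sep 5 14:39 MAILER-DAEMON -> root
UNKNOWN: gatekeeper sendmail[19499]: OAA19499: OAB19499: return to sender: too many hops 20 (17 max): from <#@Mydomain.com> via localhost, to
UNKNOWN: gatekeeper sendmail[19501]: OAB19499: OAA19501: return to sender: User unknown
"""
LOG_YEAR = 1994
# Proxies this gateway really offers (assumption: the post shows only these).
# Any other service name in a request is a probe, not a typo.
KNOWN_SERVICES = {"telnet", "ftp", "fingerd"}
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?:(?P<proxy>\w+): )?(?P<action>deny|permit) "
    r"host=(?P<host>[^/\s]+)/(?P<ip>\S+)(?: (?P<rest>.*))?$")


def parse_line(line):
    """One fwtk line -> dict, or None if the line is in some other format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    svc = re.search(r"service=(\S+)", m.group("rest") or "")
    # "telnet: deny ..." names the proxy up front; netacl lines say service=
    service = svc.group(1) if svc else m.group("proxy")
    stamp = "%s %s %s %d" % (m.group("mon"), m.group("day"), m.group("time"), LOG_YEAR)
    return {"ts": datetime.strptime(stamp, "%b %d %H:%M:%S %Y"), "ip": m.group("ip"),
            "host": m.group("host"), "action": m.group("action"), "service": service}


def summarize(log_text):
    """Per source IP: deny/permit counts, real proxies that refused it,
    nonexistent service names it asked for, and first/last time seen."""
    per_ip = defaultdict(lambda: {"deny": 0, "permit": 0, "denied_gateways": set(),
                                  "bogus_services": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        h = per_ip[rec["ip"]]
        h[rec["action"]] += 1
        h["first"] = rec["ts"] if h["first"] is None else min(h["first"], rec["ts"])
        h["last"] = rec["ts"] if h["last"] is None else max(h["last"], rec["ts"])
        if rec["service"] not in KNOWN_SERVICES:
            h["bogus_services"].add(rec["service"])
        elif rec["action"] == "deny":
            h["denied_gateways"].add(rec["service"])
    return dict(per_ip)


def flag_probes(per_ip, window_minutes=30):
    """{ip: [reasons]} for sources that fit the signature within the window."""
    flagged = {}
    for ip, h in per_ip.items():
        span = (h["last"] - h["first"]).total_seconds() / 60.0
        reasons = []
        if len(h["denied_gateways"]) >= 2:
            reasons.append("refused by %d proxies" % len(h["denied_gateways"]))
        if h["bogus_services"]:
            reasons.append("asked for nonexistent services: "
                           + ", ".join(sorted(h["bogus_services"])))
        if reasons and span <= window_minutes:
            flagged[ip] = reasons
    return flagged


BOUNCE_REASONS = ("Cannot mail directly to programs", "too many hops", "User unknown")


def count_bounces(syslog_text):
    """Count sendmail bounces by reason; the first reason is the program-mailer probe."""
    counts = dict.fromkeys(BOUNCE_REASONS, 0)
    for line in syslog_text.splitlines():
        if "return to sender" in line:
            for reason in BOUNCE_REASONS:
                if reason in line:
                    counts[reason] += 1
    return counts


if __name__ == "__main__":
    hosts = summarize(FWTK_LOG)
    for ip, why in flag_probes(hosts).items():
        print(ip, hosts[ip]["deny"], "denies,", hosts[ip]["permit"], "permits:", "; ".join(why))
    print("sendmail bounces:", count_bounces(SENDMAIL_LOG))
```

The program-mailer attempt is counted on the sendmail side because the smap lines in the post do not name the recipient; in practice the two feeds would be joined on the timestamp before raising an alert. On the log as posted the rule fires once, for 176.16.6.2, and on nothing else.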
From firewalls-owner Wed Jan 18 12:20:04 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA00526 for firewalls-outgoing; Wed, 18 Jan 1995 10:15:35 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA00395 for ; Wed, 18 Jan 1995 10:14:50 -0800 Received: from akasha.tic.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id JAA22452; Wed, 18 Jan 1995 09:27:40 -0800 From: smoot@tic.com Received: from xfrsparc.tic.com by akasha.tic.com (8.6.9/akasha.1.19) id LAA07997; Wed, 18 Jan 1995 11:29:20 -0600 Received: from localhost by xfrsparc.tic.com (8.6.9/sub.1.6) id LAA00986; Wed, 18 Jan 1995 11:29:10 -0600 Message-Id: <199501181729.LAA00986@xfrsparc.tic.com> To: firewalls@greatcircle.com Subject: Mac firewall solution Date: Wed, 18 Jan 95 11:29:02 -0600 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anyone know of a site which has a firewall with mostly Macintosh based clients behind the barrier? I'm particularly interested in sites which are using the SOCKS proxy gateway. Please respond via email.
Thanks Smoot Carl-Mitchell Texas Internet Consulting 1106 Clayton Lane, Suite 500W Austin, TX 78723 +1 512 451-6176 From firewalls-owner Wed Jan 18 12:40:58 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA00357 for firewalls-outgoing; Wed, 18 Jan 1995 10:14:44 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA00283 for ; Wed, 18 Jan 1995 10:14:30 -0800 Received: from maccs.dcss.mcmaster.ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id KAA22581; Wed, 18 Jan 1995 10:00:06 -0800 Received: from dofasco by maccs.dcss.mcmaster.ca with uucp (Smail3.1.28.1 #5) id m0rUek6-0005uSC; Wed, 18 Jan 95 13:04 EST Received: by USENET.dofasco.ca (DECUS UUCP ///2.0/); Tue, 17 Jan 95 18:27:20 EST Received: by USENET.dofasco.ca (MX V4.1 VAX) with SITE; Tue, 17 Jan 1995 14:00:57 EST Received: from maccs by USENET.dofasco.ca (MX V4.1 VAX) with UUCP; Tue, 10 Jan 1995 20:58:07 EST Received: from relay2.UU.NET by maccs.dcss.mcmaster.ca with smtp (Smail3.1.28.1 #5) id m0rRmIb-0005uba; Tue, 10 Jan 95 14:32 EST Received: from miles.greatcircle.com by relay2.UU.NET with ESMTP id QQxycr07036; Tue, 10 Jan 1995 14:29:46 -0500 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA24365 for firewalls-outgoing; Tue, 10 Jan 1995 10:40:38 -0800 Received: from hal.nes.com (hal.nes.com [198.114.188.24]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA24355 for ; Tue, 10 Jan 1995 10:40:33 -0800 Received: by hal.nes.com; Tue, 10 Jan 95 13:48:44 EST Date: Tue, 10 Jan 95 13:45:30 EST Message-ID: From: "Philip Kubat" To: Firewalls@GreatCircle.COM Subject: re:INFO Sender: firewalls-owner@GreatCircle.COM Precedence: bulk INFO

Philip Kubat New England Systems 60 First Avenue Waltham, MA 02154 617-672-8466 From firewalls-owner Wed Jan 18 12:53:49 1995 Received: (daemon@localhost) by miles.greatcircle.com
(8.6.9/Miles-941015-1) id KAA00300 for firewalls-outgoing; Wed, 18 Jan 1995 10:14:34 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA00277 for ; Wed, 18 Jan 1995 10:14:28 -0800 Received: from maccs.dcss.mcmaster.ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id JAA22564; Wed, 18 Jan 1995 09:56:58 -0800 Received: from dofasco by maccs.dcss.mcmaster.ca with uucp (Smail3.1.28.1 #5) id m0rUefu-0005uSC; Wed, 18 Jan 95 13:00 EST Received: by USENET.dofasco.ca (DECUS UUCP ///2.0/); Tue, 17 Jan 95 18:25:10 EST Received: by USENET.dofasco.ca (MX V4.1 VAX) with SITE; Tue, 17 Jan 1995 10:18:16 EST Received: from maccs by USENET.dofasco.ca (MX V4.1 VAX) with UUCP; Tue, 10 Jan 1995 19:15:32 EST Received: from relay3.UU.NET by maccs.dcss.mcmaster.ca with smtp (Smail3.1.28.1 #5) id m0rRSAy-0005tXa; Mon, 9 Jan 95 17:02 EST Received: from miles.greatcircle.com by relay3.UU.NET with ESMTP id QQxxzk10384; Mon, 9 Jan 1995 17:01:18 -0500 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA08415 for firewalls-outgoing; Mon, 9 Jan 1995 13:17:58 -0800 Received: from ustcunclass.safb.af.mil (ustcunclass.safb.af.mil [140.175.24.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA08404 for ; Mon, 9 Jan 1995 13:17:36 -0800 Received: by ustcunclass.safb.af.mil (4.1/SMI-4.1) id AA19869; Mon, 9 Jan 95 15:10:15 CST Date: Mon, 9 Jan 95 15:10:15 CST From: Message-ID: <9501092110.AA19869@ustcunclass.safb.af.mil> To: syshtg@gsusgi2.gsu.edu, cklaus@shadow.net Subject: Re: ISS scanning from tostada.engr.ucdavis.edu CC: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Could you provide an FTP point for ISS? 
Kida From firewalls-owner Wed Jan 18 12:54:29 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA00535 for firewalls-outgoing; Wed, 18 Jan 1995 10:15:37 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA00406 for ; Wed, 18 Jan 1995 10:14:52 -0800 Received: from maccs.dcss.mcmaster.ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id JAA22504; Wed, 18 Jan 1995 09:44:33 -0800 Received: from dofasco by maccs.dcss.mcmaster.ca with uucp (Smail3.1.28.1 #5) id m0rUeTs-0005tZC; Wed, 18 Jan 95 12:47 EST Received: by USENET.dofasco.ca (DECUS UUCP ///2.0/); Mon, 16 Jan 95 18:03:50 EST Received: by USENET.dofasco.ca (MX V4.1 VAX) with SITE; Mon, 16 Jan 1995 18:03:28 EST Received: from maccs by USENET.dofasco.ca (MX V4.1 VAX) with UUCP; Tue, 10 Jan 1995 20:47:51 EST Received: from relay4.UU.NET by maccs.dcss.mcmaster.ca with smtp (Smail3.1.28.1 #5) id m0rRlvO-0005ufa; Tue, 10 Jan 95 14:08 EST Received: from miles.greatcircle.com by relay4.UU.NET with ESMTP id QQxycq25288; Tue, 10 Jan 1995 14:06:26 -0500 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA23809 for firewalls-outgoing; Tue, 10 Jan 1995 10:07:29 -0800 Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA23804 for ; Tue, 10 Jan 1995 10:07:26 -0800 Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU via SMTP; Tue, 10 Jan 1995 13:05:46 -0500 Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-5.67b/res.client.cf-3.7) id AA21038; Tue, 10 Jan 1995 13:05:45 -0500 Date: Tue, 10 Jan 1995 13:05:45 -0500 From: Message-ID: <199501101805.AA21038@SPARKY.CF.CS.YALE.EDU> To: WLosee@Getty.Edu, smb@research.att.com Subject: Re: FW: PC Take-Over -- reply CC: firewalls@GreatCircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk smb wrote: >You might be 
surprised at what your PC is running. A colleague here >brought up Chameleon -- and I discovered that he was running an FTP >server on his machine, quite unknowingly. This was an ordinary PC >running Windows... Is it just under MS-DOS, or can you also under Windows do strange things to a person's PC via anonymous FTP by reading and writing to the devices:-? con: com1: com2: lpt: prn: ... etc. Morrow From firewalls-owner Wed Jan 18 12:55:15 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA00571 for firewalls-outgoing; Wed, 18 Jan 1995 10:15:50 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA00428 for ; Wed, 18 Jan 1995 10:14:57 -0800 Received: from maccs.dcss.mcmaster.ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id JAA22475; Wed, 18 Jan 1995 09:33:17 -0800 Received: from dofasco by maccs.dcss.mcmaster.ca with uucp (Smail3.1.28.1 #5) id m0rUeIy-0005tZC; Wed, 18 Jan 95 12:36 EST Received: by USENET.dofasco.ca (DECUS UUCP ///2.0/); Mon, 16 Jan 95 15:46:54 EST Received: by USENET.dofasco.ca (MX V4.1 VAX) with SITE; Mon, 16 Jan 1995 15:46:36 EST Received: from maccs by USENET.dofasco.ca (MX V4.1 VAX) with UUCP; Tue, 10 Jan 1995 19:21:22 EST Received: from relay1.UU.NET by maccs.dcss.mcmaster.ca with smtp (Smail3.1.28.1 #5) id m0rRU4o-0005tXa; Mon, 9 Jan 95 19:04 EST Received: from miles.greatcircle.com by relay1.UU.NET with ESMTP id QQxxzs18371; Mon, 9 Jan 1995 19:02:29 -0500 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA10026 for firewalls-outgoing; Mon, 9 Jan 1995 15:07:32 -0800 Received: from exchange.acc.org (exchange.acc.org [199.74.213.82]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA10011 for ; Mon, 9 Jan 1995 15:07:27 -0800 From: twalker@acc.org Received: from ccMail by exchange.acc.org (IMA Internet Exchange v1.04) id f11c25d0; Mon, 9 Jan 95 18:10:21 
-0500 Date: Mon, 9 Jan 1995 18:09:21 -0500 Message-ID: Subject: fwtk & Solaris (not) To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I wrote: >'since I am not a programmer, anyone have the Makefile for fwtk >configured for Solaris 2.4' -------------------------------------------------------------------- It does not look good for me on this Solaris 2.4 version. The patch on ftp.tis.com is incomplete & a call to Tis did not prove fruitful. Tis indicated that a Solaris port would be painful. hmmm. How about Sun OS 4.1.3? Anyone have luck with this? And would I be able to get a Makefile and/or config files for it? Thanks for the Help. /Tom ----------------------------------------------------------------- Tom Walker, Network Manager American College of Cardiology MHS:twalker@acc Internet:twalker@acc.org From firewalls-owner Wed Jan 18 12:56:28 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA01299 for firewalls-outgoing; Wed, 18 Jan 1995 10:39:55 -0800 Received: from maccs.dcss.mcmaster.ca (maccs.dcss.McMaster.CA [130.113.68.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA01294 for ; Wed, 18 Jan 1995 10:39:50 -0800 Received: from dofasco by maccs.dcss.mcmaster.ca with uucp (Smail3.1.28.1 #5) id m0rUfHr-0005uKC; Wed, 18 Jan 95 13:39 EST Received: by USENET.dofasco.ca (DECUS UUCP ///2.0/); Tue, 17 Jan 95 18:49:39 EST Received: by USENET.dofasco.ca (MX V4.1 VAX) with SITE; Tue, 17 Jan 1995 06:52:58 EST Received: from maccs by USENET.dofasco.ca (MX V4.1 VAX) with UUCP; Tue, 10 Jan 1995 21:21:26 EST Received: from relay3.UU.NET by maccs.dcss.mcmaster.ca with smtp (Smail3.1.28.1 #5) id m0rRpln-0005uba; Tue, 10 Jan 95 18:14 EST Received: from miles.greatcircle.com by relay3.UU.NET with ESMTP id QQxydg11912; Tue, 10 Jan 1995 18:12:54 -0500 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA29604 for firewalls-outgoing; Tue, 10 Jan 1995 14:32:49
-0800 Received: from vger.tripcom.com (vger-ppp0.tripcom.com [198.5.220.193]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA29599 for ; Tue, 10 Jan 1995 14:32:46 -0800 Received: from localhost (adam@localhost) by vger.tripcom.com (8.6.5/8.6.5) id QAA19847; Tue, 10 Jan 1995 16:31:34 -0600 From: Adam Horwitz Message-ID: <199501102231.QAA19847@vger.tripcom.com> Subject: Re: Re[2]: Brief review of Firewall-1 - installation, support, f To: Mark.Hickey@ov.com Date: Tue, 10 Jan 1995 16:31:33 -0600 (CST) CC: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > [Stuff deleted] > > Antonio> I am surprised with this recent comments about > Antonio> Firewall-1, since I had seen some positive comments about > Antonio> it on some magazines (for example, Open Computing, Oct > Antonio> 94). > > [More stuff deleted] > > [ Chris Stewart responds ] > Being in a software company, and after seeing how some positive > comments are placed, I take anything I read in the mags with several > grains of salt.. I've also seen reviewers complain about what got > edited out of their reviews.. Ah capitalism at work, can't piss off > those potential advertisers... I sell FireWall-1 and I apparently missed the comments regarding it. If someone could forward them to be, I'd appreciate it; good or bad. -- Adam Horwitz (708) 778-9531 Tripcom Systems Inc. 
adam@tripcom.com From firewalls-owner Wed Jan 18 12:59:26 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA00552 for firewalls-outgoing; Wed, 18 Jan 1995 10:15:48 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA00438 for ; Wed, 18 Jan 1995 10:14:59 -0800 Received: from maccs.dcss.mcmaster.ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id JAA22424; Wed, 18 Jan 1995 09:17:50 -0800 Received: from dofasco by maccs.dcss.mcmaster.ca with uucp (Smail3.1.28.1 #5) id m0rUe3p-0005tZC; Wed, 18 Jan 95 12:20 EST Received: by USENET.dofasco.ca (DECUS UUCP ///2.0/); Mon, 16 Jan 95 13:53:18 EST Received: by USENET.dofasco.ca (MX V4.1 VAX) with SITE; Mon, 16 Jan 1995 13:52:34 EST Received: from maccs by USENET.dofasco.ca (MX V4.1 VAX) with UUCP; Tue, 10 Jan 1995 20:47:42 EST Received: from relay2.UU.NET by maccs.dcss.mcmaster.ca with smtp (Smail3.1.28.1 #5) id m0rRlKT-0005uca; Tue, 10 Jan 95 13:30 EST Received: from miles.greatcircle.com by relay2.UU.NET with ESMTP id QQxycn24198; Tue, 10 Jan 1995 13:26:26 -0500 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA22785 for firewalls-outgoing; Tue, 10 Jan 1995 08:31:40 -0800 Received: from research.att.com (research.att.com [192.20.225.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA22780 for ; Tue, 10 Jan 1995 08:31:38 -0800 From: smb@research.att.com Message-ID: <199501101631.IAA22780@miles.greatcircle.com> Received: by gryphon; Tue Jan 10 11:28:00 EST 1995 To: Wulf Losee CC: firewalls@GreatCircle.com Subject: Re: FW: PC Take-Over -- reply Date: Tue, 10 Jan 95 11:27:59 EST Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Answer: I am not aware of any breakins; however, I think you have to ask yourself the question: "how -- through what mechanism -- would a break in be accomplished?" 
PCs running multitasking OSs that offer TCP/IP-based services (rlogin, telnet, and ftp) are vulnerable from the Internet (without proper firewalls or router filters). So... Correct me if I'm wrong (please!), but since DOS and regular Windows (both Windows 3.x and and Windows for Warehouses) are not multitasking, multithreading operating systems it would be impossible to subvert these systems unless the cracker were dialing in through a modem or actually sitting at the PC's console. You might be surprised at what your PC is running. A colleague here brought up Chameleon -- and I discovered that he was running an FTP server on his machine, quite unknowingly. This was an ordinary PC running Windows... From firewalls-owner Wed Jan 18 12:59:39 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA00553 for firewalls-outgoing; Wed, 18 Jan 1995 10:15:47 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA00456 for ; Wed, 18 Jan 1995 10:15:02 -0800 Received: from maccs.dcss.mcmaster.ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id JAA22444; Wed, 18 Jan 1995 09:21:13 -0800 Received: from dofasco by maccs.dcss.mcmaster.ca with uucp (Smail3.1.28.1 #5) id m0rUe8V-0005tXC; Wed, 18 Jan 95 12:25 EST Received: by USENET.dofasco.ca (DECUS UUCP ///2.0/); Mon, 16 Jan 95 14:04:28 EST Received: by USENET.dofasco.ca (MX V4.1 VAX) with SITE; Mon, 16 Jan 1995 14:02:46 EST Received: from maccs by USENET.dofasco.ca (MX V4.1 VAX) with UUCP; Tue, 10 Jan 1995 21:05:31 EST Received: from relay3.UU.NET by maccs.dcss.mcmaster.ca with smtp (Smail3.1.28.1 #5) id m0rRo48-0005uLa; Tue, 10 Jan 95 16:25 EST Received: from miles.greatcircle.com by relay3.UU.NET with ESMTP id QQxycz16842; Tue, 10 Jan 1995 16:23:03 -0500 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA27112 for firewalls-outgoing; Tue, 10 Jan 1995 12:45:45 
-0800 Received: from pru-psc.com (pru-psc.com [204.5.5.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA27107 for ; Tue, 10 Jan 1995 12:45:41 -0800 Received: by pru-psc.com (5.0/SMI-SVR4) id AA01211; Tue, 10 Jan 1995 15:44:20 +0500 Date: Tue, 10 Jan 1995 15:44:20 +0500 From: Message-ID: <9501102044.AA01211@ pru-psc.com> To: ken@bridge.com Subject: Re: Firewalls-Digest V4 #11 CC: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > It's unlikely that under DOS or Windows that the two IP stacks would > know anything about each other. Even on OS/2; I've seen an OS/2 box > used as an applications gateway between two networks runing IBM's > TCP/IP on one interface and FTP, Inc.'s on the other, and there's > absolutely no (direct) interconnection possible between the networks > (as I'm told by those involved in the work.) The only way to get from > one network to the other would be to telnet into the OS/2 system and > then run the OS/2 telnet, e.g., that came with the TCP/IP stack that's > running on the remote interface. I agree with you on DOS and Windows, but watch out for OS/2. If you run IBM's TCP/IP stack over more than one interface, IP forwarding is turned on by default. I've seen this with two network cards; we use a dual-homed OS/2 PC as a poor man's router (don't ask why). I haven't tried it with SLIP or PPP but I'd be careful. 
--Joe Patti
Prudential Service Company

From firewalls-owner Wed Jan 18 13:01:31 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA00586 for firewalls-outgoing; Wed, 18 Jan 1995 10:15:55 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA00460 for ; Wed, 18 Jan 1995 10:15:03 -0800
Received: from maccs.dcss.mcmaster.ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id JAA22480; Wed, 18 Jan 1995 09:34:31 -0800
Received: from dofasco by maccs.dcss.mcmaster.ca with uucp (Smail3.1.28.1 #5) id m0rUeLN-0005tZC; Wed, 18 Jan 95 12:38 EST
Received: by USENET.dofasco.ca (DECUS UUCP ///2.0/); Mon, 16 Jan 95 16:14:32 EST
Received: by USENET.dofasco.ca (MX V4.1 VAX) with SITE; Mon, 16 Jan 1995 16:13:47 EST
Received: from maccs by USENET.dofasco.ca (MX V4.1 VAX) with UUCP; Tue, 10 Jan 1995 19:36:45 EST
Received: from relay1.UU.NET by maccs.dcss.mcmaster.ca with smtp (Smail3.1.28.1 #5) id m0rRWce-0005tXa; Mon, 9 Jan 95 21:47 EST
Received: from miles.greatcircle.com by relay1.UU.NET with ESMTP id QQxyad17754; Mon, 9 Jan 1995 21:46:17 -0500
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA11979 for firewalls-outgoing; Mon, 9 Jan 1995 18:07:35 -0800
Received: from wolfe.wimsey.com (root@wolfe.wimsey.com [198.162.16.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA11974 for ; Mon, 9 Jan 1995 18:07:28 -0800
Received: by wolfe.wimsey.com (Smail3.1.28.1 #31) id m0rRVxW-000BMNC; Mon, 9 Jan 95 18:05 PST
Received: by ilinx.com (/\oo/\ Smail3.1.29.1 #29.6) id ; Mon, 9 Jan 95 17:25 PST
Message-ID:
Received: by miro.ilinx.com id ; Mon, 9 Jan 95 17:26:23 -0800
From: brian@imcon.ilinx.com
To: twalker@acc.org
Subject: Re: fwtk & Solaris (not)
CC: firewalls@greatcircle.com
Date: Mon, 9 Jan 1995 17:26:23 -0700 (PST)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

from the quill of twalker@acc.org
>
> I wrote:
>
> >'since I am not a programmer, anyone have the Makefile for fwtk
> >configured for Solaris 2.4'
>
> --------------------------------------------------------------------
>
> It does not look good for me on this Solaris 2.4 version. The patch
> on ftp.tis.com is incomplete & a call to TIS did not prove fruitful.
>
> TIS indicated that a Solaris port would be painful. hmmm.

I don't get it. Why would it be painful?? FWTK compiled pretty much out of the box on my UnixWare box which is SVR4.2 which application-wise is _very_ close to Solaris (or is it the other way around :-) ).

b.

--
Brian J. Murrell                                  brian@ilinx.com
InterLinx Support Services, Inc.                 brian@wimsey.com
North Vancouver, B.C.                                604 983 UNIX
Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD

From firewalls-owner Wed Jan 18 13:01:42 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA00585 for firewalls-outgoing; Wed, 18 Jan 1995 10:15:55 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA00466 for ; Wed, 18 Jan 1995 10:15:04 -0800
Received: from maccs.dcss.mcmaster.ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id JAA22436; Wed, 18 Jan 1995 09:19:27 -0800
Received: from dofasco by maccs.dcss.mcmaster.ca with uucp (Smail3.1.28.1 #5) id m0rUe6o-0005tXC; Wed, 18 Jan 95 12:23 EST
Received: by USENET.dofasco.ca (DECUS UUCP ///2.0/); Mon, 16 Jan 95 14:03:11 EST
Received: by USENET.dofasco.ca (MX V4.1 VAX) with SITE; Mon, 16 Jan 1995 14:02:27 EST
Received: from maccs by USENET.dofasco.ca (MX V4.1 VAX) with UUCP; Tue, 10 Jan 1995 21:04:42 EST
Received: from relay1.UU.NET by maccs.dcss.mcmaster.ca with smtp (Smail3.1.28.1 #5) id m0rRnRh-0005una; Tue, 10 Jan 95 15:45 EST
Received: from miles.greatcircle.com by relay1.UU.NET with ESMTP id QQxycw25480; Tue, 10 Jan 1995 15:43:52 -0500
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA25182 for firewalls-outgoing; Tue, 10 Jan 1995 11:15:59 -0800
Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA25177 for ; Tue, 10 Jan 1995 11:15:56 -0800
Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.9/8.6.9) id NAA03615; Tue, 10 Jan 1995 13:11:28 -0600
Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma003613; Tue Jan 10 13:11:20 1995
Received: from ernie.bridge.com by ignatz.bridge.com with SMTP id AA27336 (5.67b/IDA-1.5); Tue, 10 Jan 1995 13:15:13 -0600
Date: Tue, 10 Jan 1995 13:15:13 -0600
From: Ken Hardy
Message-ID: <199501101915.AA27336@ignatz.bridge.com>
To: long-morrow@CS.YALE.EDU
Subject: Re: FW: PC Take-Over -- reply
CC: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Date: Tue, 10 Jan 1995 13:05:45 -0500
>From: long-morrow@CS.YALE.EDU (H Morrow Long)
>
>Is it just under MS-DOS, or can you also under Windows do strange things
>to a person's PC via anonymous FTP by reading and writing to the devices:-?
>
>    con:
>    com1:
>    com2:
>    lpt:
>    prn:
>    ...
>    etc.

[Now I remember -- this is how I used to get access to a Novell PostScript printer from a Unix workstation before I had direct lpr connectivity; I'd run NCSA's telnet cum FTP server on my PC and ftp .ps files to LPT1:.]

The answer is that, at least with Chameleon, yes, you can ftp to devices. But it's worse than that. I just saw a demonstration where someone was running Chameleon's NFS server and mounted the PC's C: drive on a Unix box. From the Unix box, he did "cd /net/mikespc/c ; ls -l > con" and the PC's console was written to (while in Windows graphics mode!) Apparently all special devices are available via this route (and FTP, presumably); this particular person said that "cat file > lpt1" will cause the named file to be dumped to the PC's printer.
Fun, fun, fun.

-KH

From firewalls-owner Wed Jan 18 13:03:38 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA01427 for firewalls-outgoing; Wed, 18 Jan 1995 10:44:09 -0800
Received: from maccs.dcss.mcmaster.ca (maccs.dcss.McMaster.CA [130.113.68.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA01416 for ; Wed, 18 Jan 1995 10:44:04 -0800
Received: from dofasco by maccs.dcss.mcmaster.ca with uucp (Smail3.1.28.1 #5) id m0rUfLz-0005ucC; Wed, 18 Jan 95 13:43 EST
Received: by USENET.dofasco.ca (DECUS UUCP ///2.0/); Tue, 17 Jan 95 18:52:36 EST
Received: by USENET.dofasco.ca (MX V4.1 VAX) with SITE; Tue, 17 Jan 1995 14:04:43 EST
Received: from maccs by USENET.dofasco.ca (MX V4.1 VAX) with UUCP; Tue, 10 Jan 1995 21:13:38 EST
Received: from relay4.UU.NET by maccs.dcss.mcmaster.ca with smtp (Smail3.1.28.1 #5) id m0rRohE-0005tXa; Tue, 10 Jan 95 17:05 EST
Received: from miles.greatcircle.com by relay4.UU.NET with ESMTP id QQxydc15803; Tue, 10 Jan 1995 17:04:06 -0500
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA27804 for firewalls-outgoing; Tue, 10 Jan 1995 13:11:47 -0800
Received: from sol (sol.corp.rockwell.com [129.172.4.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA27789 for ; Tue, 10 Jan 1995 13:11:43 -0800
Received: by sol (5.0/SMI-SVR4) id AA01365; Tue, 10 Jan 1995 13:09:09 +0800
Date: Tue, 10 Jan 1995 13:09:09 +0800
From:
Message-ID: <9501102109.AA01365@sol>
To: firewalls@greatcircle.com
Subject: Bastion host sizing
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've been asked what kind of UNIX machine we should get for our bastion host. I've been told by our network hardware people to size it for a T1 rate of throughput. We have a T1 connection to the Internet but does that really mean that the bastion host should expect 1.544 megabits per second?

I expect that the machine will be running some proxy software (I can't be any more specific at the moment), anonymous FTP service (read only), httpd (probably NCSA's but this could change), and an authentication server (not sure which one).

I would like some information about the performance of various brands/models/configurations of UNIX machines that are used as bastion hosts. I really have no idea what size of machine to get. Can we get away with a PC-AT running Coherent or do we need the latest 64-bit monstrosity? How much memory and disk? Is one brand's ethernet throughput better than another's? Does that really matter? Etc., etc., etc.

Mark Fowler
Rockwell
mcfowler@corp.rockwell.com

From firewalls-owner Wed Jan 18 13:04:55 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA01465 for firewalls-outgoing; Wed, 18 Jan 1995 10:45:49 -0800
Received: from maccs.dcss.mcmaster.ca (maccs.dcss.McMaster.CA [130.113.68.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA01460 for ; Wed, 18 Jan 1995 10:45:45 -0800
Received: from dofasco by maccs.dcss.mcmaster.ca with uucp (Smail3.1.28.1 #5) id m0rUfNY-0005unC; Wed, 18 Jan 95 13:45 EST
Received: by USENET.dofasco.ca (DECUS UUCP ///2.0/); Tue, 17 Jan 95 18:55:22 EST
Received: by USENET.dofasco.ca (MX V4.1 VAX) with SITE; Tue, 17 Jan 1995 14:05:43 EST
Received: from maccs by USENET.dofasco.ca (MX V4.1 VAX) with UUCP; Tue, 10 Jan 1995 21:17:49 EST
Received: from relay1.UU.NET by maccs.dcss.mcmaster.ca with smtp (Smail3.1.28.1 #5) id m0rRpQT-0005uTa; Tue, 10 Jan 95 17:52 EST
Received: from miles.greatcircle.com by relay1.UU.NET with ESMTP id QQxydf24100; Tue, 10 Jan 1995 17:50:58 -0500
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA28519 for firewalls-outgoing; Tue, 10 Jan 1995 13:44:30 -0800
Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA28514 for ; Tue, 10 Jan 1995 13:44:27 -0800
Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.9/8.6.9) id PAA05084; Tue, 10 Jan 1995 15:39:58 -0600
Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma005082; Tue Jan 10 15:39:48 1995
Received: from ernie.bridge.com by ignatz.bridge.com with SMTP id AA29004 (5.67b/IDA-1.5); Tue, 10 Jan 1995 15:43:34 -0600
Date: Tue, 10 Jan 1995 15:43:34 -0600
From: Ken Hardy
Message-ID: <199501102143.AA29004@ignatz.bridge.com>
To: jpatti@pru-psc.com
Subject: Re: Firewalls-Digest V4 #11
CC: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> It's unlikely that under DOS or Windows that the two IP stacks would
>> know anything about each other. Even on OS/2; I've seen an OS/2 box
>> used as an applications gateway between two networks running IBM's
>> TCP/IP on one interface and FTP, Inc.'s on the other, and there's
>> absolutely no (direct) interconnection possible between the networks
>> (as I'm told by those involved in the work.) The only way to get from
>> one network to the other would be to telnet into the OS/2 system and
>> then run the OS/2 telnet, e.g., that came with the TCP/IP stack that's
>> running on the remote interface.
>
>I agree with you on DOS and Windows, but watch out for OS/2. If you run
>IBM's TCP/IP stack over more than one interface, IP forwarding is turned
>on by default. I've seen this with two network cards; we use a dual-homed
>OS/2 PC as a poor man's router (don't ask why). I haven't tried it with
>SLIP or PPP but I'd be careful.

Yes. The trick here is to use two independent TCP/IP stacks from two different vendors and give each of them only one of the network interfaces. They don't know about each other, and they don't know about the other interface.
-KH

From firewalls-owner Wed Jan 18 13:05:43 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA01594 for firewalls-outgoing; Wed, 18 Jan 1995 10:49:08 -0800
Received: from maccs.dcss.mcmaster.ca (maccs.dcss.McMaster.CA [130.113.68.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA01589 for ; Wed, 18 Jan 1995 10:49:01 -0800
Received: from dofasco by maccs.dcss.mcmaster.ca with uucp (Smail3.1.28.1 #5) id m0rUfQe-0005uZC; Wed, 18 Jan 95 13:48 EST
Received: by USENET.dofasco.ca (DECUS UUCP ///2.0/); Tue, 17 Jan 95 18:57:35 EST
Received: by USENET.dofasco.ca (MX V4.1 VAX) with SITE; Tue, 17 Jan 1995 14:29:03 EST
Received: from maccs by USENET.dofasco.ca (MX V4.1 VAX) with UUCP; Tue, 10 Jan 1995 19:46:24 EST
Received: from relay2.UU.NET by maccs.dcss.mcmaster.ca with smtp (Smail3.1.28.1 #5) id m0rRYPs-0005uSa; Mon, 9 Jan 95 23:42 EST
Received: from miles.greatcircle.com by relay2.UU.NET with ESMTP id QQxyak16514; Mon, 9 Jan 1995 23:41:16 -0500
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA14021 for firewalls-outgoing; Mon, 9 Jan 1995 19:35:17 -0800
Received: from uustar.starnet.net (uustar.starnet.net [128.252.135.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id TAA14016 for ; Mon, 9 Jan 1995 19:35:14 -0800
Received: from devildog.UUCP by uustar.starnet.net with UUCP id AA26517 (5.67b/IDA-1.5 for firewalls@greatcircle.com); Mon, 9 Jan 1995 20:44:22 -0600
Received: by devildog (5.65/1.35) id AA03619; Mon, 9 Jan 95 20:44:09 -0600
From:
Message-ID: <9501100244.AA03619@devildog>
Subject: re: IBM's NetSP Secured Gateway Product
To: firewalls@greatcircle.com
Date: Mon, 9 Jan 95 20:44:08 CST
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> On Mon, 9 Jan 1995, Adam Shostack wrote (regarding NetSP):
>
> > 3. Nothing like tripwire seems to be included.
>
> Admittedly, it's not tripwire, but "normal" AIX does include a trusted
> computing base audit program called tcbck. It checks files against
> attributes listed in /etc/security/sysck.cfg. One advantage is that it
> understands ACLs, which tripwire does not. On the downside, the checksum
> it uses is just plain "sum -r". I believe that it is possible to
> use alternate checksum programs, but I haven't tried this.
>

True, but it does not have all the attributes that tripwire does and IMHO, tripwire is far superior. I do not remember exactly what AIX is missing, but I remember having a very in depth conversation with the AIX level 3 folks about it.

> The database is also available online in /etc/security, so it's subject to
> the same vulnerabilities as an online tripwire database. With either
> program, it makes sense to store a copy of the database on a readonly
> medium and verify against that copy.
>
> --
> Fran Grover

--
Grover C. Davidson II    | I speak for ME! This is my machine, and my
828 Fall Crown Ln        | ideas. My employer doesn't pay for my machine
Fenton, Mo 63026         | or ask for my opinions.
314-343-5642             | grover@devildog.st-louis.mo.us

From firewalls-owner Wed Jan 18 13:06:59 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA01587 for firewalls-outgoing; Wed, 18 Jan 1995 10:48:49 -0800
Received: from maccs.dcss.mcmaster.ca (maccs.dcss.McMaster.CA [130.113.68.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA01564 for ; Wed, 18 Jan 1995 10:48:36 -0800
Received: from dofasco by maccs.dcss.mcmaster.ca with uucp (Smail3.1.28.1 #5) id m0rUfQM-0005uZC; Wed, 18 Jan 95 13:48 EST
Received: by USENET.dofasco.ca (DECUS UUCP ///2.0/); Tue, 17 Jan 95 18:57:21 EST
Received: by USENET.dofasco.ca (MX V4.1 VAX) with SITE; Tue, 17 Jan 1995 15:12:48 EST
Received: from maccs by USENET.dofasco.ca (MX V4.1 VAX) with UUCP; Tue, 10 Jan 1995 20:58:16 EST
Received: from relay1.UU.NET by maccs.dcss.mcmaster.ca with smtp (Smail3.1.28.1 #5) id m0rRmln-0005ufa; Tue, 10 Jan 95 15:02 EST
Received: from miles.greatcircle.com by relay1.UU.NET with ESMTP id QQxycu16190; Tue, 10 Jan 1995 15:00:39 -0500
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA24734 for firewalls-outgoing; Tue, 10 Jan 1995 10:56:54 -0800
Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA24719 for ; Tue, 10 Jan 1995 10:56:47 -0800
Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.9/8.6.9) id MAA03400; Tue, 10 Jan 1995 12:52:13 -0600
Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma003397; Tue Jan 10 12:51:57 1995
Received: from ernie.bridge.com by ignatz.bridge.com with SMTP id AA27084 (5.67b/IDA-1.5); Tue, 10 Jan 1995 12:55:43 -0600
Date: Tue, 10 Jan 1995 12:55:43 -0600
From: Ken Hardy
Message-ID: <199501101855.AA27084@ignatz.bridge.com>
To: ingoldsb@gov.calgary.ab.ca
Subject: Re: Firewalls-Digest V4 #11
CC: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>My question is, am I safe in assuming that the economy version of PPP
>(TCP/IP) that comes with the browser is incapable of routing packets to
>the local network. I'm pretty sure that would be the case if the local
>network were IPX, I *think* this would be the case even if the local
>network were PPP. I'm basing my trust on the *assumption* that a low
>cost Internet browser package isn't going to be smart enough
>(particularly on a single-tasking DOS/Windows box) to route packets
>(even if source routing is used).
>
>Am I deluded? This is starting to become a common question. I've
>fielded it 3 or 4 times in the last few weeks.
>
>Many people would like to use this strategy as a poor man's firewall.

It's unlikely that under DOS or Windows that the two IP stacks would know anything about each other. Even on OS/2; I've seen an OS/2 box used as an applications gateway between two networks running IBM's TCP/IP on one interface and FTP, Inc.'s on the other, and there's absolutely no (direct) interconnection possible between the networks (as I'm told by those involved in the work.) The only way to get from one network to the other would be to telnet into the OS/2 system and then run the OS/2 telnet, e.g., that came with the TCP/IP stack that's running on the remote interface.
-KH

From firewalls-owner Wed Jan 18 13:07:47 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA01733 for firewalls-outgoing; Wed, 18 Jan 1995 10:54:49 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA01706 for ; Wed, 18 Jan 1995 10:54:43 -0800
Received: from maccs.dcss.mcmaster.ca by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id KAA22716; Wed, 18 Jan 1995 10:13:42 -0800
Received: from dofasco by maccs.dcss.mcmaster.ca with uucp (Smail3.1.28.1 #5) id m0rUexU-0005ucC; Wed, 18 Jan 95 13:18 EST
Received: by USENET.dofasco.ca (DECUS UUCP ///2.0/); Tue, 17 Jan 95 18:36:53 EST
Received: by USENET.dofasco.ca (MX V4.1 VAX) with SITE; Tue, 17 Jan 1995 15:15:52 EST
Received: from maccs by USENET.dofasco.ca (MX V4.1 VAX) with UUCP; Tue, 10 Jan 1995 21:04:32 EST
Received: from relay2.UU.NET by maccs.dcss.mcmaster.ca with smtp (Smail3.1.28.1 #5) id m0rRn8T-0005uba; Tue, 10 Jan 95 15:25 EST
Received: from miles.greatcircle.com by relay2.UU.NET with ESMTP id QQxycv17289; Tue, 10 Jan 1995 15:23:59 -0500
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA24881 for firewalls-outgoing; Tue, 10 Jan 1995 11:02:05 -0800
Received: from pegase.total.fr (pegase.total.fr [146.249.41.223]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA24872 for ; Tue, 10 Jan 1995 11:01:02 -0800
Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA04764; Tue, 10 Jan 95 19:55:05 +0100
Received: by tidtest.total.fr (4.1/SMI-4.1) id AA04264; Tue, 10 Jan 95 19:51:29 GMT
From:
Message-ID: <9501101951.AA04264@tidtest.total.fr>
Subject: DOS IP backdoors (was Re: Firewalls-Digest V4 #11)
To:
Date: Tue, 10 Jan 95 19:51:27 GMT
CC: firewalls@greatcircle.com
Reply-To: lavondes@tidtest.total.fr
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Terry Ingoldsby wrote:
>
> [snip]
>
> My question is, am I safe in assuming that the economy version of PPP
> (TCP/IP) that comes with the browser is incapable of routing packets to
> the local network. I'm pretty sure that would be the case if the local
> network were IPX, I *think* this would be the case even if the local
> network were PPP. I'm basing my trust on the *assumption* that a low
> cost Internet browser package isn't going to be smart enough
> (particularly on a single-tasking DOS/Windows box) to route packets
> (even if source routing is used).
>

DOS/Win IPX can manage only one IPX address, so you should be safe from that side. Of the DOS/Win IP stacks I know of, only Wollongong's can (could) be multi-homed, with a routing module available.

--
Michel Lavondes
E-Mail : lavondes@tidtest.total.fr
         lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected)
Tel : +33-1-4135-4198
Fax : +33-1-4135-4189

From firewalls-owner Wed Jan 18 13:09:49 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA01759 for firewalls-outgoing; Wed, 18 Jan 1995 10:57:03 -0800
Received: from maccs.dcss.mcmaster.ca (maccs.dcss.McMaster.CA [130.113.68.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA01753 for ; Wed, 18 Jan 1995 10:56:52 -0800
Received: from dofasco by maccs.dcss.mcmaster.ca with uucp (Smail3.1.28.1 #5) id m0rUfXg-0005vRC; Wed, 18 Jan 95 13:55 EST
Received: by USENET.dofasco.ca (DECUS UUCP ///2.0/); Tue, 17 Jan 95 19:07:11 EST
Received: by USENET.dofasco.ca (MX V4.1 VAX) with SITE; Tue, 17 Jan 1995 15:07:43 EST
Received: from maccs by USENET.dofasco.ca (MX V4.1 VAX) with UUCP; Tue, 10 Jan 1995 20:47:33 EST
Received: from relay3.UU.NET by maccs.dcss.mcmaster.ca with smtp (Smail3.1.28.1 #5) id m0rRlBs-0005uaa; Tue, 10 Jan 95 13:21 EST
Received: from miles.greatcircle.com by relay3.UU.NET with ESMTP id QQxycn11252; Tue, 10 Jan 1995 13:19:40 -0500
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA22834 for firewalls-outgoing; Tue, 10 Jan 1995 08:43:52 -0800
Received: from cuugnet.cuug.ab.ca (cuugnet.cuug.ab.ca [204.50.6.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA22829 for ; Tue, 10 Jan 1995 08:43:40 -0800
Received: by cuugnet.cuug.ab.ca (AIX 3.2/UCB 5.64/4.03-CUUG-02) id AA28554; Tue, 10 Jan 1995 09:37:40 -0700
Received: by ctycal.lis.dpsd.gov.calgary.ab.ca (AIX 3.2/UCB 5.64/4.03.TRI-IG) id AA41926; Tue, 10 Jan 1995 08:35:41 -0700
Date: Tue, 10 Jan 1995 08:35:41 -0700 (MST)
From: Terry Ingoldsby
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V4 #11
Message-ID:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 5 Jan 1995 firewalls-digest-owner@GreatCircle.COM wrote:

>
> Firewalls-Digest    Thursday, 5 January 1995    Volume 04 : Number 011

....

> ------------------------------
>
> From: Steve Marquess
> Date: Thu, 5 Jan 1995 14:58:35 -0500
> Subject: Re: FW: PC Take-Over -- reply
>
> >Wulf Losee says:
> >
> >Correct me if I'm wrong (please!), but since DOS and regular Windows (both
> >Windows 3.x and Windows for Warehouses) are not multitasking,
> >multithreading operating systems it would be impossible to subvert these
> >systems unless the cracker were dialing in through a modem or actually
> >sitting at the PC's console.
> >
>
> Probably true in general, but I have a PC here running DOS and a TSR from a
> widely used protocol stack (Novell's LWPD, the tsr is XPC.EXE) that I can
> telnet into and execute DOS commands -- including, in principle, commands to
> access LAN file servers or the mainframes that are not reachable via IP. This
> PC allows my Unix hosts to execute DOS commands and fetch data from the LANs
> from cron scripts run in the middle of the night.

Let's restrict the question further. Suppose, instead of a full-fledged TCP/IP stack, the situation is as follows:

A user has a PC that is connected to a local network. Perhaps with IPX or TCP/IP. The user occasionally connects to a local Internet provider using a dial-up PPP that comes with their Internet browser package (e.g. Internet in a Box).

My question is, am I safe in assuming that the economy version of PPP (TCP/IP) that comes with the browser is incapable of routing packets to the local network. I'm pretty sure that would be the case if the local network were IPX, I *think* this would be the case even if the local network were PPP. I'm basing my trust on the *assumption* that a low cost Internet browser package isn't going to be smart enough (particularly on a single-tasking DOS/Windows box) to route packets (even if source routing is used).

Am I deluded? This is starting to become a common question. I've fielded it 3 or 4 times in the last few weeks.

Many people would like to use this strategy as a poor man's firewall. I.e. they have a local network that they don't want connected to the Internet, but a few of the users want access to Internet services. It is hard to justify the cost of a full-blown firewall in this case. Using a dial-out PPP Internet browser (to an ISP) on the DOS/Windows boxes *seems* like a reasonably safe but fairly functional compromise.
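The isolation argument running through this thread (Ken Hardy's two-stacks-one-interface-each trick versus the single dual-homed stack that, as Joe Patti notes, forwards by default on OS/2), as an added model that is not code from any poster or vendor; the addresses, interface names and stack labels are constructed. A packet is seen only by the stack that owns the interface it arrived on, and that stack can consult nothing but its own routing table:

```python
import ipaddress

# Constructed addresses and interface names for the model; stack labels are illustrative.
LAN_NET = "192.168.1.10/24"   # the PC's LAN card (hypothetical)
PPP_NET = "10.0.0.5/30"       # the PC's dial-up PPP link (hypothetical)
LAN_PEER = "192.168.1.20"     # another machine on the internal LAN
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


class Stack:
    """One vendor's TCP/IP implementation: its own interfaces, its own routes."""

    def __init__(self, name, interfaces, forwarding):
        self.name = name
        self.ifaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
        self.forwarding = forwarding
        # Connected routes only: each interface's own network is reachable via it.
        self.routes = [(i.network, n) for n, i in self.ifaces.items()]

    def add_default_route(self, via_if):
        self.routes.append((DEFAULT, via_if))

    def lookup(self, dst):
        """Longest-prefix match over this stack's routes; None when nothing matches."""
        best = None
        for net, ifname in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifname)
        return best[1] if best else None

    def receive(self, in_if, dst):
        """Fate of a packet for dst that arrived on in_if: deliver, forward or drop."""
        if any(i.ip == dst for i in self.ifaces.values()):
            return ("deliver", in_if)
        if not self.forwarding:
            return ("drop", "forwarding disabled")
        out_if = self.lookup(dst)
        if out_if is None:
            return ("drop", "no route")
        if out_if == in_if:
            # The only route leads back out the ingress link; the far side never sees it.
            return ("drop", "route points back to ingress interface")
        return ("forward", out_if)


class Host:
    """A PC whose interfaces are each owned by exactly one stack."""

    def __init__(self, stacks):
        self.owner = {}
        for stack in stacks:
            for ifname in stack.ifaces:
                if ifname in self.owner:
                    raise ValueError(f"{ifname} claimed by two stacks")
                self.owner[ifname] = stack

    def inject(self, in_if, dst):
        # Whatever arrives on an interface is seen only by the stack that owns it.
        return self.owner[in_if].receive(in_if, ipaddress.ip_address(dst))


def single_stack_host(forwarding):
    """One stack driving both the LAN card and the PPP link (the OS/2 case)."""
    stack = Stack("single", {"eth0": LAN_NET, "ppp0": PPP_NET}, forwarding)
    stack.add_default_route("ppp0")
    return Host([stack])


def two_stack_host(forwarding):
    """Two stacks, each given only one interface, as Ken Hardy describes."""
    lan = Stack("lan-vendor", {"eth0": LAN_NET}, forwarding)
    ppp = Stack("ppp-vendor", {"ppp0": PPP_NET}, forwarding)
    ppp.add_default_route("ppp0")
    return Host([lan, ppp])


def internet_to_lan(host):
    """A packet from the ISP side addressed to a host on the internal LAN."""
    return host.inject("ppp0", LAN_PEER)


def lan_to_internet(host):
    """A LAN host trying to use the PC as its gateway outward (constructed destination)."""
    return host.inject("eth0", "198.51.100.7")


if __name__ == "__main__":
    for label, host in [("single stack, forwarding on", single_stack_host(True)),
                        ("single stack, forwarding off", single_stack_host(False)),
                        ("two stacks, forwarding on", two_stack_host(True))]:
        print(f"{label:30}: in->{internet_to_lan(host)}  out->{lan_to_internet(host)}")
```

The third case is the point of the trick: even with forwarding left on in both stacks, the PPP stack's only route for LAN addresses leads back out the link the packet arrived on, and the LAN stack has no route outward at all, so nothing crosses in either direction.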
From firewalls-owner Wed Jan 18 14:59:50 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA08155 for firewalls-outgoing; Wed, 18 Jan 1995 14:12:08 -0800
Received: from gatekeeper.mcimail.com (gatekeeper.mcimail.com [192.147.45.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA08150 for ; Wed, 18 Jan 1995 14:12:02 -0800
Received: by gatekeeper.mcimail.com (5.65/fma-120691); id AA28740; Wed, 18 Jan 95 22:12:37 GMT
Received: from mcimail.com by mailgate.mcimail.com id aa21570; 18 Jan 95 22:05 WET
Date: Wed, 18 Jan 95 11:58 EST
From: Henry Lemon
To: Firewalls
Subject: Consultant Qualifications
Message-Id: <64950118165846/0003668858NA3EM@MCIMAIL.COM>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My boss has just decided to hire a consultant to assist in the evaluation of connecting our network to the Internet. We are a non-Unix, non-TCP environment. What experience, qualifications, education etc. should we look for in this consultant? What questions should we ask to eliminate the smooth talkers from the real technical guru? The purpose of the consultant would be to determine what we need to do before connecting to the Internet. The recommendations expected should include personnel training, as well as hardware and software required. If responses are not appropriate for the list, please contact me directly.

Thanks
Henry Lemon
Aristech_Chemical_Corporation
412-433-7835
LEMONH%A1%Aristech_Chemical_Corporation@mcimail.com

From firewalls-owner Wed Jan 18 16:29:19 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA05736 for firewalls-outgoing; Wed, 18 Jan 1995 13:16:49 -0800
Received: from nbkanata.Newbridge.COM (Newbridge.COM [192.75.23.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA05719 for ; Wed, 18 Jan 1995 13:16:42 -0800
Received: from Newbridge.COM ([138.120.100.14]) by nbkanata.Newbridge.COM (4.1/SMI-4.1) id AA08095; Wed, 18 Jan 95 16:09:17 EST
Received: from regional.Newbridge.COM (regional100) by Newbridge.COM (4.1/SMI-4.0) id AA08825; Wed, 18 Jan 95 16:09:16 EST
Received: by regional.Newbridge.COM (4.1/SMI-4.1) id AA04545; Wed, 18 Jan 95 16:09:12 EST
Date: Wed, 18 Jan 1995 16:09:07 -0500 (EST)
From: "Roderick Murchison, Jr."
X-Sender: murchiso@regional
To: firewalls@greatcircle.com
Subject: Opinions of Firewall-1?
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings everybody... we have recently undergone the task of evaluating firewall solutions and I was hoping that some folks could give me some quick evaluations of their solution, and/or things to watch out for. If there is an archive for such a file, I would appreciate a pointer to it.

We have been testing a copy of Firewall-1 and I am really impressed. We are still going through the evaluation procedure, but it *seems* to provide the security, flexibility, and logging that we desire, but I would be most definitely interested in any reports from users who have found this to be otherwise, or a product that "does all this and more". I certainly don't want to get into a big debate on whose solution is better than whose on the list, so please respond directly and I will try to summarize all the pros and cons.

One feature that we wished was in Firewall-1 was SecureID...
and to our surprise it was announced today that this will be an available module next month along with a secure sendmail module.

In a nutshell, we will have the following network situation:

                      to Internet
                           |
                           | T1
                  Sbus NIC                      |----www server
                  interface                     |
               ----------------                 |----ftp server
               |  sun running  |le0-------------|
               |  firewall pkg |                |----etc.
               ----------------                 |
                       |                ----------------------
                       |----------------| secondary firewall |
                                        ----------------------
                                                 |
                                                 |
                                          to corporate net

Any flaws seen with this??

Thanks for any info...

Roderick Murchison, Jr.
Network Engineer
murchiso@newbridge.com (UNIX)
Newbridge Networks, Inc.
rod_murchison@newbridge.com (QuickMail)
593 Herndon Parkway
(703) 318-5759 [office]
Herndon, VA 22070-5241

From firewalls-owner Wed Jan 18 16:37:53 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA14325 for firewalls-outgoing; Wed, 18 Jan 1995 16:36:14 -0800
Received: from Sun.COM (Sun.COM [192.9.9.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA14318 for ; Wed, 18 Jan 1995 16:36:11 -0800
Received: from West.Sun.COM (west.West.Sun.COM) by Sun.COM (sun-barr.Sun.COM) id AA05132; Wed, 18 Jan 95 16:34:27 PST
Received: from zeppo.West.Sun.COM by West.Sun.COM (5.0/SMI-5.3) id AA11533; Wed, 18 Jan 1995 16:34:26 +0800
Received: from twiddle.West.Sun.COM by zeppo.West.Sun.COM (5.0/SMI-5.3-900117) id AA26035; Wed, 18 Jan 1995 16:34:25 -0800
Received: by twiddle.West.Sun.COM (5.x/SMI-SVR4) id AA00806; Wed, 18 Jan 1995 16:34:27 -0800
Date: Wed, 18 Jan 1995 16:34:27 -0800
From: Paul.Danielson@West.Sun.COM (Paul Danielson)
Message-Id: <9501190034.AA00806@twiddle.West.Sun.COM>
To: Paul.Danielson@West.Sun.COM
Subject: Re: fwtk & Solaris (not)
Cc: brian@imcon.ilinx.com
X-Sun-Charset: US-ASCII
Content-Length: 256
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Someone at TIS is confused :}

I ported the toolkit (one version back) to Solaris 2.3 in about 10 hours, including the BSD-specific stuff. Unless some really weird code was added to the latest revision, it should not be any harder to port it to 2.4.

Paul

From firewalls-owner Wed Jan 18 16:50:48 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA12824 for firewalls-outgoing; Wed, 18 Jan 1995 16:11:08 -0800
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA12815 for ; Wed, 18 Jan 1995 16:11:04 -0800
Received: from maestro.Maestro.COM by relay2.UU.NET with SMTP id QQxzgy04572; Wed, 18 Jan 1995 19:09:04 -0500
Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA08814; Wed, 18 Jan 95 19:06:11 EST
Date: Wed, 18 Jan 1995 19:06:10 -0500 (EST)
From: Sick Puppy
Subject: Turnkey firewall to protect a single server
To: firewalls@greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I haven't posted on this list before, but I need to explore my options.

Assume that I have a small publicly accessible network and that the only thing running on the small unsecure network is three publicly accessible servers. I need to provide more protection than just Unix security to one of the three publicly accessible servers and would like to put a turn-key firewall system in front of it. The turn-key firewall would sit between the server and the network. It must be transparent to users but allow only Gopher and World Wide Web through to the server.

I am not interested in installing toolkit software. It isn't worth hanging out my rear end just to save the company a few thousand dollars.

What is the best turn-key firewall for me to install? And why?

Please mail replies to sikpuppy@maestro.com

In case any of you think I am a warez d00d or cracker, there is at least one security professional reading this list who knows I am not (although he probably won't say so).
Sick Puppy the Cat_Eating_Dawg

From firewalls-owner Wed Jan 18 17:21:09 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA01394 for firewalls-outgoing; Wed, 18 Jan 1995 17:15:07 -0800
Received: from exchange.acc.org (exchange.acc.org [199.74.213.82]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA01389 for ; Wed, 18 Jan 1995 17:15:04 -0800
From: twalker@acc.org
Received: from ccMail by exchange.acc.org (IMA Internet Exchange v1.04) id f1dbeab0; Wed, 18 Jan 95 20:21:47 -0500
Mime-Version: 1.0
Date: Wed, 18 Jan 1995 20:20:24 -0500
Message-ID:
Subject: Re: Livingston Firewall IRX router, any good?
To: Keinanen Vesa , firewalls@greatcircle.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have one. I like it. It's real easy to configure. The filtering is impressive & actually easy to use and implement. It filters both in & out on all ports and any combination of them. And unlike some products, it denies if not explicitly permitted out of the box. It has a nice logging routine. You pretty much can log all the goofy denials that your firewall is not worried about if you wish.

FYI. Set the logging to a machine on your trusted network and not your firewall.

/Tom

______________________________ Reply Separator _________________________________
Subject: Livingston Firewall IRX router, any good?
Author: Keinanen Vesa at Internet-Mail
Date: 1/18/ 0 10:20 AM

Do you have any experience/opinions on Livingston Firewall router? I checked Livingstone's WWW-site, and I could see that it is a router loaded with every bell and whistle you can imagine. But is there anything that really makes it better than other routers (e.g. cisco) as a "firewall"?
VK
--
Vesa Keinanen
Nasilinnankatu 24 D, 33210 Tampere, Finland
Relevantum Oy
Phone +358 31 2147200, Fax +358 31 2147402

From firewalls-owner Wed Jan 18 19:01:15 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA04518 for firewalls-outgoing; Wed, 18 Jan 1995 18:29:54 -0800
Received: from riverside.mr.net (Riverside.MR.Net [137.192.2.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA04513 for ; Wed, 18 Jan 1995 18:29:50 -0800
Received: from .mr.net by riverside.mr.net (8.6.9/SMI-4.1.R931202) id UAA05937; Wed, 18 Jan 1995 20:27:50 -0600
Date: Wed, 18 Jan 1995 20:27:50 -0600
Message-Id: <199501190227.UAA05937@riverside.mr.net>
X-Sender: freeman@mr.net
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: freeman@MR.Net (Alex Li)
Subject: RIP packets on perimeter net--is it a bad thing?
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm in the process of testing the Drawbridge (from TAMU) filtering package and found that it doesn't filter any outgoing UDP packets (this fact is documented too but I didn't read close enough the first time). And hence the RIP packets from my internal router are showing up on the perimeter net. Is this a bad thing?

Thanks for any advice.

Alex Li

From firewalls-owner Wed Jan 18 19:31:53 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA04899 for firewalls-outgoing; Wed, 18 Jan 1995 18:36:50 -0800
Received: (mcb@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA04893 for firewalls; Wed, 18 Jan 1995 18:36:48 -0800
Message-Id: <199501190236.SAA04893@miles.greatcircle.com>
From: mcb@greatcircle.com (Michael C. Berch)
Date: Wed, 18 Jan 1995 18:36:48 +0000
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
To: firewalls
Subject: ADMIN: Looping messages to the Firewalls list
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There seems to be a strange problem with one or possibly two sites regurgitating messages from the Firewalls list -- possibly a local news/mail gateway. I have written to the postmasters of both sites in an attempt to get to the bottom of this. Several readers have alerted the firewalls-owner address and sent copies (I have plenty now, thanks). As a precaution I have removed two addresses from the list pending investigation, since they were the only subscriptions at those sites, but in the complex world of internetwork mail forwarding, this may not be the whole of the problem.

Sorry for the inconvenience and I hope the problem will be solved soon.

Regards,
--
Michael C. Berch
Postmaster and List Manager, Great Circle Associates
mcb@greatcircle.com

From firewalls-owner Wed Jan 18 19:43:33 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA05172 for firewalls-outgoing; Wed, 18 Jan 1995 18:41:34 -0800
Received: from relay.tis.com (relaye.tis.com [192.94.214.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA05165 for ; Wed, 18 Jan 1995 18:41:29 -0800
Received: by relay.tis.com; id QAA03799; Wed, 18 Jan 1995 16:40:30 -0500
Received: from sol.tis.com(192.33.112.100) by relay.tis.com via smap (V1.3) id sma003797; Wed Jan 18 16:40:22 1995
Received: from otter.tis.com. by tis.com (4.1/SUN-5.64) id AA09539; Wed, 18 Jan 95 21:36:41 EST
From: Marcus J Ranum
Message-Id: <9501190236.AA09539@tis.com>
Subject: Re: Consultant Qualifications
To: LEMONH%A1%Aristech_Chemical_Corporation@mcimail.com (Henry Lemon)
Date: Wed, 18 Jan 1995 21:43:22 -0500 (EST)
Cc: FIREWALLS@greatcircle.com
In-Reply-To: <64950118165846/0003668858NA3EM@MCIMAIL.COM> from "Henry Lemon" at Jan 18, 95 11:58:00 am
Organization: Trusted Information Systems, Inc. Glenwood, MD
Phone: 301-854-6889
Content-Type: text
Content-Length: 733
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> consultant? What questions should we ask to eliminate the
> smooth talkers from the real technical guru? The purpose of
> the consultant would be to determine what we need to do before
> connecting to the Internet.

Tell the prospective that he'll be required to pass a test first, in which you drop him in the desert with a cup of coffee, 13 feet of coax, a router (any router) and a laptop. To pass the test he needs to FTP files from UUnet in under 5 hours. :)

If the prospective says "huh?" to any of that, and doesn't laugh, then you've got the wrong guy. If he actually *DOES* it, hire him. :)

mjr.

[Actually, there are several narsty gotchas hidden in that trivial scenario.]

From firewalls-owner Wed Jan 18 19:52:02 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA04654 for firewalls-outgoing; Wed, 18 Jan 1995 18:32:30 -0800
Received: from relay.tis.com (relaye.tis.com [192.94.214.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA04648 for ; Wed, 18 Jan 1995 18:32:25 -0800
Received: by relay.tis.com; id QAA03780; Wed, 18 Jan 1995 16:31:00 -0500
Received: from sol.tis.com(192.33.112.100) by relay.tis.com via smap (V1.3) id sma003778; Wed Jan 18 16:30:51 1995
Received: from otter.tis.com.
  by tis.com (4.1/SUN-5.64) id AA09185; Wed, 18 Jan 95 21:27:09 EST
From: Marcus J Ranum
Message-Id: <9501190227.AA09185@tis.com>
Subject: program mailers and mail attacks
To: firewalls@greatcircle.com
Date: Wed, 18 Jan 1995 21:33:50 -0500 (EST)
Organization: Trusted Information Systems, Inc. Glenwood, MD
Phone: 301-854-6889
Content-Type: text
Content-Length: 996
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

After my earlier mail in which I described setting up a process that sucks down attempts to mail to programs, I got several requests for examples of how to do this. It's *REALLY* easy. The example below is a progmailer I have used for a long, long time.

Here's a sample sendmail definition of Mprog:

    Mprog,  P=/etc/progmail, F=lsDFMeuP, S=10, R=20, A=sh -c $u

And here's /etc/progmail:

    #!/bin/sh
    #
    # this is a simple shell script that we put in place to replace
    # the shell in the prog mailer in sendmail.cf. if someone invokes
    # prog, somehow, this will mail us a copy of what they attempted
    # to invoke.
    #
    (
    echo This program was invoked as a shell script by sendmail
    echo running on the firewall, with arguments:
    echo "$*"
    echo
    echo Perhaps this may indicate an attempt on someones part
    echo to trigger a sendmail security hole. Below is the message.
    echo This message generated by sendmail and /etc/progmail
    echo
    echo
    echo
    cat
    ) | /usr/ucb/mail -s "program execution" root

From firewalls-owner Wed Jan 18 20:14:14 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA07015 for firewalls-outgoing; Wed, 18 Jan 1995 19:10:41 -0800
Received: from tamiya.llnl.gov (tamiya.llnl.gov [128.115.15.50]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id TAA07010 for ; Wed, 18 Jan 1995 19:10:33 -0800
Received: from [128.115.138.237] (fswiftmac.llnl.gov) by tamiya.llnl.gov (4.1/LLNL-1.18) id AA10319; Wed, 18 Jan 95 19:09:26 PST
X-Sender: swift@tamiya.llnl.gov
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 18 Jan 1995 19:08:47 -0800
To: Firewalls@greatcircle.com
From: uncl@llnl.gov (Frank Swift @ Home)
Subject: Sick Pu
Cc: uncl@llnl.gov, frank_swift@quickmail.llnl.gov
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 16:51 1/18/95, Sick Puppy wrote:
>------------------------------
>
>From: Sick Puppy
>Date: Wed, 18 Jan 1995 19:06:10 -0500 (EST)
>Subject: Turnkey firewall to protect a single server
[...]
>In case any of you think I am a warez d00d or cracker, there is at least
>one security professional reading this list who knows I am not (although
>he probably won't say so).
[...]

I'll vouch for the Sick Puppy.
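A more careful trap in the spirit of Marcus Ranum's /etc/progmail above, added here as an example and not the script from his post: it records the arguments and the piped-in message to a mode-0600 file before notifying anyone, so the evidence survives even when mail is broken, and it never evaluates anything it was handed. PROGMAIL_LOGDIR and PROGMAIL_NOTIFY are assumed names of this example, not sendmail settings; it is meant to be installed as the P= program of the Mprog line (with the program text passed as arguments, e.g. A=progmail $u).

```shell
#!/bin/sh
# Added example in the spirit of the /etc/progmail trap above (not the
# script from the post). Replaces the shell in sendmail's Mprog mailer:
# whatever program line sendmail hands us is written down, never run.
# PROGMAIL_LOGDIR and PROGMAIL_NOTIFY are assumed names for this example.

PROGMAIL_LOGDIR="${PROGMAIL_LOGDIR:-/var/log/progmail}"
PROGMAIL_NOTIFY="${PROGMAIL_NOTIFY:-root}"

# progmail_record ARG... < message
# Writes one report file (mode 0600) holding the argument list and the
# message sendmail piped in, then prints the report's path. Each argument
# is printed in brackets as plain text so stray whitespace is visible.
progmail_record() {
    umask 077
    mkdir -p "$PROGMAIL_LOGDIR" || return 1
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    report="$PROGMAIL_LOGDIR/progmail.$stamp.$$"
    {
        echo "prog mailer trap on $(uname -n) at $stamp (pid $$)"
        echo "sendmail invoked the prog mailer with $# argument(s):"
        for arg in "$@"; do
            printf '  [%s]\n' "$arg"
        done
        echo "--- message as received follows ---"
        cat
    } > "$report" || return 1
    echo "$report"
}

# progmail_notify REPORT
# Mails the report to PROGMAIL_NOTIFY when a mail(1) command exists.
# The report is already on disk, so a missing or broken mailer loses nothing.
progmail_notify() {
    if command -v mail >/dev/null 2>&1; then
        mail -s "progmail: program execution attempt" "$PROGMAIL_NOTIFY" < "$1"
    fi
}

# When sendmail invokes us, the program line arrives as arguments.
# With no arguments (for instance when this file is sourced) do nothing.
if [ $# -gt 0 ]; then
    report=$(progmail_record "$@") && progmail_notify "$report"
    exit 0   # report success to sendmail; the sender learns nothing from a bounce
fi
```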
frank

Frank Swift L-321 (Sent from Home)
Unclassified Computer Security Coordinator
Lawrence Livermore National Laboratory (LLNL)
7000 East Avenue L-321
Livermore CA 94550-9516
Voice: (510) 422-1463
FAX: (510) 423-0913

From firewalls-owner Wed Jan 18 20:21:21 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA07935 for firewalls-outgoing; Wed, 18 Jan 1995 19:41:49 -0800
Received: from metro.ucc.su.OZ.AU (root@metro.ucc.su.OZ.AU [129.78.64.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id TAA07930 for ; Wed, 18 Jan 1995 19:41:23 -0800
Received: from AODC.gov.au (beluga.aodc.gov.au) by metro.ucc.su.OZ.AU with SMTP id AA04355 (5.65c/IDA-1.4.4 for ); Thu, 19 Jan 1995 14:38:35 +1100
Received: from minke.gov.au by AODC.gov.au (5.0/SMI-SVR4) id AA00602; Thu, 19 Jan 1995 14:38:12 --1000
Received: by minke.gov.au (5.0/SMI-SVR4) id AA01786; Thu, 19 Jan 1995 14:38:56 --1000
Date: Thu, 19 Jan 1995 14:38:56 --1000
From: peter@aodc.gov.au (Peter Edward Voss)
Message-Id: <9501190338.AA01786@minke.gov.au>
To: lavondes@tidtest.total.fr
Subject: Re: Cisco Logging
Cc: firewalls@greatcircle.com
X-Sun-Charset: US-ASCII
Content-Length: 1779
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From firewalls-owner@GreatCircle.COM Wed Jan 18 20:52 EST 1995
> From: lavondes@tidtest.total.fr (Michel Lavondes)
> Subject: Re: Cisco Logging
> To: z056716@uprc.com (LaCoursiere J. D. (Jeff))
>
> LaCoursiere J. D. (Jeff) wrote :
> >
> > Has the 10.x code been released? I keep hearing about it, but I was told
> > by our rep in November that it would not be out til 2nd quarter... (and that
> > it probably wouldn't even run on the 250x series anyway...?)
> >
>
> Jeff, did you look at CIO ? I *think* 10.2 is already out, with 10.3 scheduled
> for March 95. I don't remember which one is supposed to have filter logging,
> though. As to the 25xx, you may well be right, but then they're already a pain
> in the neck to manage even with 9.1.x ...
>

Just on the thread of cisco logging, whilst it appears we have an OLD version (8.2(4)) of gateway software for a cisco router, I have been trying to get info from ip accounting across to one of our hosts for further analysis (grep) and statistics for security admin.

I have tried (as a starting point) to enable the tftp-server system as per the documentation. Unfortunately, all I get is the following useful?? message....

    Configuring from terminal, memory, or network [terminal]?
    Enter configuration commands, one per line.
    Edit with DELETE, CTRL/W, and CTRL/U; end with CTRL/Z
    tftp-server system XXXXgateway 101
    Command or function not supported in this software

My questions therefore are...

1) Am I a klutz, in that I can't interpret the manual and set it up correctly?
2) Are cisco trying to tell me that I need a bigger/better router or software to use this command?
3) Is there some other way I can get data from my cisco box to one of our net hosts??

Any help would be gratefully received.....

petev

From firewalls-owner Wed Jan 18 20:36:47 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA07390 for firewalls-outgoing; Wed, 18 Jan 1995 19:22:17 -0800
Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id TAA07385 for ; Wed, 18 Jan 1995 19:22:04 -0800
Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA24183; Wed, 18 Jan 95 22:20:16 -0500
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9501190320.AA24183@hawksbill.sprintmrn.com>
Subject: Re: RIP packets on perimeter net--is it a bad thing?
To: freeman@MR.Net (Alex Li)
Date: Wed, 18 Jan 1995 22:20:15 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <199501190227.UAA05937@riverside.mr.net> from "Alex Li" at Jan 18, 95 08:27:50 pm
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 797
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> I'm in the process of testing the Drawbridge (from TAMU) filtering package
> and found that it doen't filter any outgoing UDP packets (this fact is
> documented too but I didn't read close enough the first time). And hence
> the RIP packets from my internal router are showing up on the perimeter net.
> Is this a b